Securing Availability

Vrizlynn Thing

Outline
- Distributed Denial of Service (DDoS) Attacks
- Mitigation Techniques: Prevention, Detection, Response
- Case Study on TRAPS

History
- Summer 1999: a new breed of attack on availability was developed, Distributed Denial of Service
- The first tool developed was Trinoo
- A Trinoo network of at least 227 systems was used on August 17, 1999 to flood a single system at the University of Minnesota
- It swamped the target network with approximately 90 Mbps, rendering it unusable for over 2 days

Attacks on Availability (1)
- In recent years, high-profile attacks over the Internet have focused on disrupting availability
- Feb 2000: Yahoo down for 3 hrs (losses ~US$500k); Amazon down 10 hrs (losses US$600k); Buy.com availability dropped to 9.4%; Zdnet.com and E*Trade.com virtually unreachable
- July 2001: the Code Red worm infected >250k systems in 9 hrs and carried out flooding attacks
- Oct 2002: attack on the 13 DNS root servers (7 down and 2 badly crippled)

Attacks on Availability (2)
- Feb. 2004, Hacker threats to bookies probed, BBC Technology News
- Mar. 2005, Duo charged over DDoS for hire scam, The Register
- Mar. 2005, Dutch hackers sentenced for attack on government sites, The Register
- Apr. 2005, Rootkit Web sites fall to DDoS attack, IDG News Service
- May 2005, Extortion via DDoS on the rise, Network World
- Sept. 2005, Hackers Admit to Wave of Attacks, Wired
- Dec. 2005, Man admits to ebay DDoS attack, The Register
- Jan. 2006, Blackmailers try to black out Million Dollar Homepage, CNET News
- Jan. 2006, 'Botmaster' pleads guilty to computer crimes, Reuters
- Mar. 2006, VeriSign reports a new DDoS attack, The Inquirer

Attacks on Availability (3)
- Carried out by extortionists and business rivals
- Against websites of banking and financial companies, online gambling firms, web retailers, government, etc.
- A worldwide ISP survey by Arbor Networks in 2005 shows DDoS is the most significant operational security concern of 36 worldwide ISPs
- The CSI/FBI survey in 2004 shows viruses and DDoS are the most costly cyber-crimes

What is Denial-of-Service
- Availability: ensure that resources can be accessed by the people who should have access
- Denial-of-Service (DoS) attack: an attack launched to disrupt and deprive legitimate access to resources
(Diagram: attacker reaches the Target across the Internet)

Distributed Denial-of-Service Attack
- Multiple compromised machines (Zombies)
- Coordinated attack
- More powerful
- More difficult to mitigate
(Diagram: Zombie 1 ... Zombie N all sending to the Target)

DDoS Attack Models (1): Handler Attack Model
- Attackers communicate with the attack network through handlers (Handler 1 ... Handler M)
- Zombies (1 ... N) are the compromised systems that carry out the attack on the Target

DDoS Attack Models (2): IRC-Based Attack Model
- Attackers communicate with the attack network (zombies 1 ... N) through IRC channels
- Advantage for the attacker: a legitimate port number and the large volume of IRC traffic allow camouflaging

Classifications of DDoS Attacks
- Resources: directed at the end target/victim
- Routes to resources: indirect; disrupts paths to the end target/victim
- Network layer: targets design or implementation flaws of protocols
- Network link: bandwidth depletion on the end target's/victim's link(s)
- End-host: targets the victim's system resources

TCP SYN Flood
- TCP 3-way handshake: Client A sends SYN(A); Server B replies SYN(B) + ACK(A); Client A sends ACK(B)
- The attack exploits the TCP handshaking procedure
- Attack hosts (zombies) spoof source IP addresses, so the final ACK never arrives
- The server's resources are tied up while waiting for the ACK packet; each spoofed SYN adds one more half-open connection

UDP Flood
- User Datagram Protocol: connectionless
- Attack by sending a large number of UDP packets to random ports of the target
- Source IP addresses in the attack packets are spoofed
- For each packet, the target checks what service is listening on the destination port
- If nothing is listening, it returns a message notifying that the destination is unreachable
- How to prevent and mitigate this attack?

ICMP Flood
- Internet Control Message Protocol
- ICMP Echo Request message = ping packet
- Send a large number of them to the target, with spoofed source IP addresses
- The target handles the requests by sending replies
- Overwhelms processing and bandwidth resources
- Prevention? Mitigation?
- Spoofed addresses + replies = further exploit?

Reflection attack (1)
- Makes use of request/reply protocols
- The victim's source IP address is spoofed in legitimate requests to servers (e.g. TCP SYN or DNS)
- The victim is overwhelmed with the replies

Reflection attack (2)
(Diagram source: www.grc.com)

DNS attack
- Domain Name System: distributed database system for mapping hostnames to IP addresses
- The attack involves sending bogus requests to flood the servers
- In Oct. 2002, a DNS attack against all 13 root servers lasted for an hour, bringing down 7

Border Gateway Protocol (BGP)
- Inter-autonomous system routing protocol (e.g. for ISPs)
- Apr. 1997, AS7007 incident: a misconfigured router flooded the Internet with incorrect advertisements announcing AS7007 as the origin of the best route to essentially the entire Internet
- AS7007 became a major traffic sink and disrupted reachability to many networks for hours
- Similar events in Apr. 1998 and Apr. 2001
- DoS but not an attack?
- How easy is it to compromise a BGP router? And BGP session hijacking?

DDoS Mitigation
- Prevention: guard against attacks having any effect on the target
- Detection: trigger an alarm for an on-going attack
- Response: take actions to alleviate the damaging effects caused by the attack, and identify the attackers to institute accountability

DDoS Prevention (1)
- Egress filtering: prevent source address spoofing by filtering traffic from the Internet to customer sites with illegitimate source addresses
- Ingress filtering: removes any traffic from customer sites to the Internet with invalid source addresses
- Foolproof? Proposed in the year 2000, but a study by MIT last year shows spoofing remains a serious security concern. Why?

DDoS Prevention (2)
- Block access to all non-service ports (e.g. unallocated port numbers, services deemed potentially harmful or not used)
- Examples: ICMP echoes, ports used for propagation by known attacks, etc.

DDoS Prevention (3): SYN cookies
- The server returns the SYN/ACK packet with a sequence number, n, computed as follows:
  - First 5 bits: t mod 32 (t is a counter incremented every 64 secs)
  - Next 3 bits: an encoded value representing m (m is the Maximum Segment Size value stored by the server in the SYN queue entry)
  - Final 24 bits: s, the result of a secret cryptographic function computed over the server IP address and port, the client IP address and port, and t
- The server reconstructs the needed information from the client's ACK sequence number, n+1, to establish the connection without having kept a queue entry

DDoS Detection (1): TCP SYN Flood Detection
- Based on the protocol behaviour of TCP SYN-FIN (RST) pairs
- An anomaly is detected when an abrupt rise occurs in the difference between the counts of SYN and FIN/RST packets
(Diagram source: "Detecting SYN Flooding Attacks" by H. Wang et al.)

DDoS Detection (2): D-WARD
- Detects outgoing DDoS attacks
- Source-end deployment
- Per-destination and per-connection statistics gathered at the exit routers of one's own network
- Observes and detects non-responsive foreign hosts (aggressive sending rate coupled with a low response rate)
- Defines thresholds for TCP, ICMP and UDP applications
- An attack is detected if a threshold is exceeded

DDoS Detection (3): MULTOPS
- Monitors disproportional packet rates to or from hosts and subnets
- Uses a tree-shaped data structure to collect statistics
- A 4-level tree (256 entries per table) covers the entire IPv4 address space
- Each entry contains 3 fields: to-rate, from-rate, and a pointer to the node in the next level of the tree
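The SYN cookie layout on the slide, worked through as an added example (this is not code from the lecture, and real TCP stacks differ in detail). The server mints n from t mod 32, a 3-bit MSS index and a 24-bit keyed hash, and later validates the client's ACK (n+1) with no stored state. The hash function (HMAC-SHA256 truncated to 24 bits), the MSS table, the secret and the acceptance window of one extra tick are all assumptions.

```python
"""
Added example: SYN cookie construction and stateless validation following the
slide's layout (5 bits t mod 32 | 3 bits MSS code | 24 bits secret function).
The secret function, the MSS table and the acceptance window are assumptions.
"""
import hashlib
import hmac
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# Assumed 3-bit MSS encoding table: index -> MSS value the server will use.
MSS_TABLE = (536, 1300, 1440, 1460)

# Constructed demo secret; a real server keeps this in memory and rotates it.
SECRET = b"constructed-demo-secret"

# Assumed acceptance window: cookies minted in the current or the previous
# 64-second tick are accepted, anything older is rejected.
MAX_AGE_TICKS = 1


def encode_mss(mss: int) -> int:
    """Index of the largest table value not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def secret_function(server: Endpoint, client: Endpoint, t: int) -> int:
    """s: 24-bit keyed hash over server IP/port, client IP/port and t."""
    msg = f"{server[0]}:{server[1]}|{client[0]}:{client[1]}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(server: Endpoint, client: Endpoint, mss: int, t: int) -> int:
    """Initial sequence number n for the SYN/ACK: t mod 32 | MSS index | s."""
    return ((t % 32) << 27) | (encode_mss(mss) << 24) | secret_function(server, client, t)


def check_syn_cookie(server: Endpoint, client: Endpoint, ack_seq: int, t_now: int) -> Optional[int]:
    """Validate the client's ACK (acknowledgement number n+1) without a queue entry.
    Returns the MSS recovered from the cookie, or None if it is stale or forged."""
    n = (ack_seq - 1) & 0xFFFFFFFF
    t_low = n >> 27                 # the 5 bits of t mod 32 the server embedded
    mss_idx = (n >> 24) & 0x7       # the 3-bit MSS code
    s = n & 0xFFFFFF                # the 24-bit secret function output
    age = (t_now - t_low) % 32      # ticks elapsed since the cookie was minted
    if age > MAX_AGE_TICKS:
        return None
    t = t_now - age                 # full counter value in force at SYN/ACK time
    if s != secret_function(server, client, t):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    srv, cli = ("198.51.100.10", 443), ("203.0.113.7", 51234)  # constructed endpoints
    n = make_syn_cookie(srv, cli, 1460, t=1000)
    print("SYN/ACK seq:", n)
    print("valid ACK  :", check_syn_cookie(srv, cli, n + 1, t_now=1000))
    print("stale ACK  :", check_syn_cookie(srv, cli, n + 1, t_now=1005))
    print("wrong peer :", check_syn_cookie(srv, ("203.0.113.8", 51234), n + 1, t_now=1000))
```

The point of the layout is that everything the server needs to complete the handshake is either recomputable (s, from the four-tuple it sees on the ACK) or carried in the cookie itself (the MSS code and enough of t to reject replays); the SYN queue entry that a flood would exhaust is never created.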
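An added example of the SYN-FIN(RST) pair idea on the "DDoS Detection (1)" slide, run over a constructed packet trace; it is not code from the lecture or from Wang et al., whose paper applies a non-parametric CUSUM test to the same counts. Here the SYN surplus per observation interval is compared against the FIN/RST count, and an interval is flagged when the surplus both exceeds a fixed floor and is many times the number of completed connections; the trace, the interval length and both thresholds are assumptions.

```python
"""
Added example: per-interval SYN versus FIN/RST counting over a constructed
trace, flagging intervals whose SYN surplus jumps. Interval size, the ratio
and floor thresholds, and the packet records are all constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str]  # (timestamp in seconds, TCP flag of interest)


def build_sample_trace() -> List[Packet]:
    """Constructed trace: 40 s of normal traffic where every SYN is matched by a
    FIN one second later, then 20 s of spoofed SYNs with almost no FIN/RST."""
    trace: List[Packet] = []
    for t in range(0, 40, 2):
        trace.append((float(t), "SYN"))
        trace.append((t + 1.0, "FIN"))
    for t in range(40, 60):
        trace.append((float(t), "SYN"))
        trace.append((t + 0.5, "SYN"))
    trace.append((40.25, "RST"))
    trace.append((50.25, "RST"))
    return sorted(trace)


def count_pairs(packets: List[Packet], interval: float = 10.0) -> Dict[int, Tuple[int, int]]:
    """Per interval index: (SYN count, FIN+RST count)."""
    counts = defaultdict(lambda: [0, 0])
    for ts, flag in packets:
        bucket = int(ts // interval)
        if flag == "SYN":
            counts[bucket][0] += 1
        elif flag in ("FIN", "RST"):
            counts[bucket][1] += 1
    return {b: (v[0], v[1]) for b, v in sorted(counts.items())}


def detect_syn_flood(packets: List[Packet], interval: float = 10.0,
                     ratio: float = 3.0, floor: int = 10) -> List[int]:
    """Intervals in which SYNs outnumber FIN/RSTs by at least `floor` packets and
    by more than `ratio` times the FIN/RST count (constructed rule)."""
    alarms: List[int] = []
    for bucket, (syn, fin_rst) in count_pairs(packets, interval).items():
        surplus = syn - fin_rst
        if surplus >= floor and surplus > ratio * fin_rst:
            alarms.append(bucket)
    return alarms


if __name__ == "__main__":
    trace = build_sample_trace()
    for bucket, (syn, fin_rst) in count_pairs(trace).items():
        print(f"interval {bucket}: SYN={syn:3d} FIN/RST={fin_rst:3d}")
    print("alarms in intervals:", detect_syn_flood(trace))
```

Counting the pair difference rather than the raw SYN rate is what makes the detector robust to a legitimate traffic surge: a flash crowd raises SYNs and FINs together, whereas spoofed SYNs never produce a matching close.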

DDoS Detection (4): MULTOPS
(Diagram source: "MULTOPS: a data-structure for bandwidth attack detection" by Thomer M. Gil et al.)

Responses to DDoS (1): Traceback
- 2 addresses in IP packets: Source and Destination
- Destination address: used by the routing architecture to deliver the packet
- Source address: used by the destination to determine whom the packet is from
- Problem: no entity is responsible for verifying the correctness of the source address (similar to the postal service)

Responses to DDoS (2): Traceback: IP Marking
- Intermediate routers mark IP packets with information on the path they traverse
- Probabilistic approach
- Uses the 16-bit IP Identification field
- Encodes path information using hashing schemes
- The target of the attack collects the information and computes, by decoding, to identify the source of the attack
- Disadvantages?
(Diagram: the attack path, and the encoding of path information in the identification field. Source: "Practical network support for IP Traceback" by Stefan Savage et al.)

Traceback: IP Marking
- Each router computes a 32-bit hash of its address
- 64-bit bit-interleave: odd bits = original address, even bits = hash
- With some probability, a router marks a packet with a fragment and sets the distance to 0
- The next router XORs its corresponding fragment into the edge id field if the distance is 0, and increments the distance
(Diagram source: "Practical network support for IP Traceback" by Stefan Savage et al.)

Traceback: IP Marking Example
- R3 (IP address 211.126.2.59, hash address 136.41.5.89) decides to mark the packet with its 3rd fragment
- 211.126.2.59 = 11010011.01111110.00000010.00111011
- 136.41.5.89 = 10001000.00101001.00000101.01011001
- Bit-interleave = 11100010.01001010.00101110.11101001.00000000.00011001.00011011.11001011
- R3's 3rd fragment is 00101110
- R3 writes 010.00000.00101110 into the ID field (offset.distance.fragment)
- Assuming R2's 3rd fragment is 11101111, R2 changes the ID field to 010.00001.11000001
- If R1 decides not to mark, it just increments the distance
- The victim sees the ID field as 010.00010.11000001

Traceback: IP Marking
- The victim collects all the fragments for the edges
- The edge ID at distance 0 carries R1's address
- It performs the hash of the odd bits of the edge id and compares it with the even bits to check that the marking information was not corrupted
- It XORs the edge id with the next uplink's to get the previous router's address
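The edge-marking arithmetic on the two slides above, carried out in code as an added example (not code from the lecture or from Savage et al.). The first run reproduces the slide's own numbers for R3 and R2; the second builds a three-router path with a toy hash and lets the victim peel the path back out, including the odd-bits-versus-even-bits corruption check. The 32-bit hash (first four bytes of SHA-256 of the dotted address), the router addresses, and the deterministic marking schedule (every router marks every fragment once, whereas the paper marks probabilistically) are assumptions.

```python
"""
Added example: IP Identification field edge marking with a 64-bit
address/hash interleave, plus the victim's reconstruction. The hash,
the addresses and the marking schedule are constructed assumptions.
"""
import hashlib
from typing import Dict, List, Tuple

Field = Tuple[int, int, str]  # (3-bit offset, 5-bit distance, 8-bit edge fragment)


def ip_to_bits(ip: str) -> str:
    return "".join(f"{int(octet):08b}" for octet in ip.split("."))


def bits_to_ip(bits: str) -> str:
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def toy_hash(ip: str) -> str:
    """Assumed 32-bit address hash: first four bytes of SHA-256 of the address text."""
    digest = hashlib.sha256(ip.encode()).digest()[:4]
    return "".join(f"{b:08b}" for b in digest)


def bit_interleave(addr_bits: str, hash_bits: str) -> str:
    """64 bits with the address in the odd positions and the hash in the even ones."""
    return "".join(a + h for a, h in zip(addr_bits, hash_bits))


def fragments(interleaved: str) -> List[str]:
    """Eight 8-bit fragments; the 3-bit offset field names one of them."""
    return [interleaved[i:i + 8] for i in range(0, 64, 8)]


def xor_bits(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def format_field(field: Field) -> str:
    """The 16-bit ID field written as offset.distance.fragment, as on the slide."""
    offset, distance, frag = field
    return f"{offset:03b}.{distance:05b}.{frag}"


def router(ip: str, hash_fn=toy_hash) -> List[str]:
    """The eight fragments a router marks with."""
    return fragments(bit_interleave(ip_to_bits(ip), hash_fn(ip)))


def simulate_marking(path: List[List[str]], marker: int, offset: int) -> List[str]:
    """path holds each router's fragments, ordered from the attacker towards the
    victim. Router `marker` marks with fragment `offset` at distance 0; the next
    router XORs its own fragment in while distance is 0; every router after the
    marker increments distance. Returns the field after each router from the marker on."""
    seen: List[str] = []
    field: Field = (offset, 0, "")
    for i in range(marker, len(path)):
        if i == marker:
            field = (offset, 0, path[i][offset])
        else:
            off, dist, frag = field
            if dist == 0:
                frag = xor_bits(frag, path[i][off])
            field = (off, dist + 1, frag)
        seen.append(format_field(field))
    return seen


def collect_edges(path: List[List[str]]) -> Dict[Tuple[int, int], str]:
    """What the victim eventually holds: one fragment per (distance, offset) edge."""
    edges: Dict[Tuple[int, int], str] = {}
    for marker in range(len(path)):
        for offset in range(8):
            off, dist, frag = simulate_marking(path, marker, offset)[-1].split(".")
            edges[(int(dist, 2), int(off, 2))] = frag
    return edges


def reconstruct_path(edges: Dict[Tuple[int, int], str], max_distance: int,
                     hash_fn=toy_hash) -> List[str]:
    """Victim side: the distance-0 edge is the nearest router's own interleave; each
    farther edge is XORed with the previously recovered router's fragments. The
    hash half of every recovered interleave is checked before it is accepted."""
    recovered: List[str] = []
    prev: List[str] = []
    for d in range(max_distance + 1):
        frags = [edges[(d, off)] if not prev else xor_bits(edges[(d, off)], prev[off])
                 for off in range(8)]
        interleaved = "".join(frags)
        addr_bits, hash_bits = interleaved[0::2], interleaved[1::2]
        ip = bits_to_ip(addr_bits)
        if hash_fn(ip) != hash_bits:
            raise ValueError(f"corrupted or forged edge at distance {d}")
        recovered.append(ip)
        prev = frags
    return recovered


if __name__ == "__main__":
    # Slide example: R3's hash address is given on the slide, R2's 3rd fragment is 11101111.
    r3 = fragments(bit_interleave(ip_to_bits("211.126.2.59"), ip_to_bits("136.41.5.89")))
    r2 = ["00000000"] * 8
    r2[2] = "11101111"            # only the fragment the slide states is needed
    r1 = ["00000000"] * 8         # R1 does not mark, so its fragments are never used
    print(simulate_marking([r3, r2, r1], marker=0, offset=2))
    # Constructed path with the toy hash, marked and then reconstructed end to end.
    path = [router(ip) for ip in ("192.0.2.3", "192.0.2.2", "192.0.2.1")]
    print(reconstruct_path(collect_edges(path), max_distance=2))
```

The reconstruction is where the hash half earns its keep: an attacker who injects packets with forged ID fields cannot make a fabricated edge pass the odd-bits-versus-even-bits check unless they can also produce matching hash bits for every fragment of it.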

Responses to DDoS (3): Traceback: ICMP Traceback
- A new ICMP message type, ICMP Traceback (ITrace)
- Out-of-band messaging (no modification to the original data packets)
- Probabilistic generation of an ITrace message for data packets at intermediate routers
- ITrace messages are sent to the target of the attack (i.e. the victim)

Responses to DDoS (5): Traceback: ICMP Traceback
- The contents of an ITrace message include information on the back and forward links of the intermediate router and a signature of the original data packet
- The victim reconstructs the attack path from the ITrace messages received
- Disadvantages?

Responses to DDoS (6): Filtering
- Drop all attack packets
- Used when it is possible to differentiate between attack and legitimate packets
- Otherwise it results in a self-inflicted DoS

Responses to DDoS (7): Rate Limiting
- Decrease the traffic suspected to be malicious to prevent the victim from being totally overwhelmed
- Eases the impact of the damage

Client Puzzles
(Diagram: the Client sends a service request, the Server replies with a puzzle, the Client returns the solution R, the Server answers O.K. and only then allocates a buffer. Source: "Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks" by A. Juels et al.)

Responses to DDoS (8): Client Puzzles
- The server assigns a unique client puzzle to each client making a connection request
- Resources are allocated only to clients that have correctly solved their puzzle
- Attackers are forced to commit considerable resources
- Constructing puzzles?
(Diagram source: "Client Puzzles as a Defense Against Network Denial of Service" by Deanna Koike)

Case Study: Traffic Redirection Attack Protection System (TRAPS)
- Attack detection based on resource usage pattern monitoring, with threshold levels to indicate severity
- Suspicious traffic is rate-limited based on the current attack severity level
- The victim performs virtual relocation and informs suspicious users (i.e. it virtually moves to a new address)

TRAPS
- Attackers use spoofed source addresses to attack the Victim
- 1. Reconfigure at the Victim. Since traffic is coming from clients, inform them to send subsequent traffic based on the Victim's new configuration.
- 2. At Gateways (GWs, i.e. entrance points to the network) and intermediate Routers, filter off incoming packets that show no knowledge of the Victim's new configuration.
(Diagram: Attackers and Legitimate Clients reach the Victim through GWs and Routers)

Traffic Redirection Attack Protection System (TRAPS)
- No changes to Internet infrastructure, due to the use of IP mobility protocols
- Zero false positives when using filtering
- Ensures the ability to handle services for legitimate users during attacks
- Guarantees communication of the signals required for mitigation during attacks
- Ability to mitigate brute-force flooding attacks
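An answer to the "Constructing puzzles?" question on the Client Puzzles slide, as an added example (not code from the lecture or from Juels and Brainard): a hash-reversal puzzle. The server derives a secret preimage x from its own key, the current period and the client's request, reveals H(x) together with x with its low k bits hidden, and the client must try up to 2^k candidates; because x is recomputable, the server verifies a solution without storing anything per request. The hash (SHA-256), the HMAC derivation of x, the 16-byte preimage size and the key are assumptions.

```python
"""
Added example: a stateless hash-reversal client puzzle. The server-side key,
the derivation of the preimage and the puzzle layout are constructed assumptions.
"""
import hashlib
import hmac
from typing import Optional, Tuple

SERVER_KEY = b"constructed-demo-key"  # a real server rotates this periodically

Puzzle = Tuple[bytes, bytes, int]  # (x with its low k bits cleared, H(x), k)


def _preimage(request: bytes, period: int) -> bytes:
    """Secret x bound to this request and period: 16 bytes of HMAC-SHA256 output."""
    tag = hmac.new(SERVER_KEY, period.to_bytes(8, "big") + request, hashlib.sha256)
    return tag.digest()[:16]


def _hash(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_puzzle(request: bytes, period: int, k: int) -> Puzzle:
    """Server: hide the low k bits of x; the client receives the rest plus H(x).
    A larger k (raised with the attack severity) means more work per request."""
    x = _preimage(request, period)
    partial = (int.from_bytes(x, "big") >> k) << k  # clear the low k bits
    return partial.to_bytes(16, "big"), _hash(x), k


def solve_puzzle(puzzle: Puzzle) -> Tuple[Optional[bytes], int]:
    """Client: brute-force the hidden k bits. Returns (solution, candidates tried)."""
    partial, target, k = puzzle
    base = int.from_bytes(partial, "big")
    for guess in range(1 << k):
        candidate = (base | guess).to_bytes(16, "big")
        if _hash(candidate) == target:
            return candidate, guess + 1
    return None, 1 << k


def verify_solution(request: bytes, period: int, solution: bytes) -> bool:
    """Server: recompute x from the key and compare; nothing was stored per client,
    and a solution for an old period (or another request) does not verify."""
    return hmac.compare_digest(_preimage(request, period), solution)


def puzzle_round(request: bytes, period: int, k: int) -> Tuple[bool, int]:
    """Full exchange: server issues, client solves, server verifies."""
    puzzle = make_puzzle(request, period, k)
    solution, work = solve_puzzle(puzzle)
    accepted = solution is not None and verify_solution(request, period, solution)
    return accepted, work


if __name__ == "__main__":
    req = b"SYN 203.0.113.7:51234"  # constructed request identifier
    for k in (8, 12, 16):
        accepted, work = puzzle_round(req, period=1000, k=k)
        print(f"k={k:2d}: accepted={accepted} candidates tried={work}")
```

Two properties matter for the defence: the server's verification cost is one HMAC regardless of k, so the asymmetry grows as k is raised under load; and binding x to the period and the request means a solved puzzle cannot be replayed later or reused for a different connection.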

TRAPS
(Diagram: attackers A1-A200 and legitimate nodes N1-N100 reach the victim V through routers R1-R10; attack traffic is redirected to and filtered off at the proxy.)

Summary
- Attacks on availability have escalated to become one of the most serious and expensive network security problems of today
- The main reasons are flaws in protocol and software designs and implementations, the widespread availability of attack tools, and the monetary gains for extortionists and business rivals
- Successful attack mitigation requires efficient and effective prevention, detection and response techniques

References
- Haining Wang, Danlu Zhang, and Kang G. Shin, "Detecting SYN flooding attacks", IEEE INFOCOM, 2002.
- Jelena Mirkovic, "D-WARD: DDoS Network Attack Recognition and Defence", PhD Thesis, Computer Science Department, University of California, Los Angeles, Jun. 2003.
- Thomer M. Gil and Massimiliano Poletto, "MULTOPS: a data-structure for bandwidth attack detection", 10th USENIX Security Symposium, Feb. 2001.
- Stefan Savage et al., "Practical Network Support for IP Traceback", ACM SIGCOMM, Aug. 2000.
- Steve Bellovin, Marcus Leech, and Tom Taylor, "ICMP Traceback Messages", IETF Internet Draft, Version 4, Feb. 2003 (work in progress).
- Ari Juels and John Brainard, "Client puzzles: A cryptographic countermeasure against connection depletion attacks", Networks and Distributed Security Systems, Feb. 1999.
- Vrizlynn L. L. Thing, Henry C. J. Lee, and Morris Sloman, "Traffic Redirection Attack Protection System (TRAPS)", IFIP International Information Security Conference (SEC), May 2005, Makuhari-Messe, Chiba, Japan, Springer-Kluwer.