Denial of service attacks

CSCI 262 Fall 2013

25/11/2018
 Outline
1. Denial of service 4. Reflector and amplifier attacks
 Introduction, attack trees  Reflection attacks
 Classic DoS attacks  Amplification attacks
 Source address spoofing  Dns amplification attacks
 SYN spoofing 5. Defensse against DoS
2. Flooding attacks 6. Responding to Dos
 ICMP flooding
 UDP flooding
 TCP SYN flooding
3. DDoS
Attack Trees

1. Represent the
attacks and
countermeasures as a
tree structure
2. Root node is the goal
of the attack
3. Leaf nodes are
attacks

25/11/2018
1. OR nodes represent Attack Trees
different ways in
achieving the same goal.
To open a safe you can:
 Pick the lock
 Learn the combination
 Cut the safe open
 Take advantage of an
improperly installed
safe
2. And nodes represent
different steps or actions
needed in achieve a goal
To eavesdrop on someone saying the conversation
 You must listen to the conversation
 Get the safe owner to say the combination
25/11/2018
 Denial of Service (DoS)
 Action that prevents or impairs the authorized
use of networks, systems, or applications by
exhausting resources such as :
a) Central processing units (CPU),
b) Memory ,
c) Bandwidth ,
d) and disk space
 Denial of Service (DoS)
Attack targets:
1. Network bandwidth
 relates to the capacity of the network links connecting a
server to the wider Internet
2. System resources
 typically aims to overload or crash its network handling
software (SYN flood, poison packet, teardrop, ping of death)
 http://www.oxid.it/downloads/apr-intro.swf
3. Application resources
 aim to overload the capabilities of a server and limit its ability
to respond to requests from other users (Cyberslam)
Network bandwidth
 DoS on system resources: Poison packet

http://www.oxid.it/downloads/apr-intro.swf

http://chrissanders.org/2008/04/using-arp-cache-poisoning-for-packet-analysis/
 Attack on system resources:
Teardrop attack

 http://www.youtube.com/watch?v=FzuFYdDUjsQ
 More info:
 http://www.physnet.uni-
hamburg.de/physnet/security/vulnerability/teardrop.html

23/10/2011
 Attack on system resources: Teardrop attack
1. Exploits the vulnerability in the reassembling of data packets.
2. When data is sent over the Internet,
1. it is first broken down into smaller fragments at the source system
2. and then put together at the destination system.
3. With a teardrop attack, the hacker will confuse the target making it unable to put
together the correct sequence of data packets.
3. When these packets are divided up they have an OFFSET field in their TCP
header part which will determine which date packet that each fragment is
carrying.
4. By disrupting the series of data packets by overlapping their Offset field
values, the target system becomes unable to piece them together and forced to
crash, hang or reboot.

http://hackanonymous.com/tutorials/dos-attacks--denial-of-services.html
 DoS Attack on applications: Cyberslam
 Alyssa Hacker subverts tens of thousands of machines by using a
worm
 Alyssa uses these zombies to mount a distributed denial of service
attack on a Web server.
 Alyssa’s zombies do not launch a SYN flood or issue dummy
packets that will only congest the Web server’s access link.
 Instead, the zombies fetch files or query search engine databases at
the Web server.
 From the Web server’s perspective, these zombie requests look
exactly like legitimate requests, so the server ends up spending a lot
of its time serving the zombies, causing legitimate users to be denied
service.

25/11/2018
 Cyberslam- 4 reasons
1. Large botnets exist. Over IRC channels They use zombie machines
-machines compromised by worms, viruses,
2. Cuyberslam mimics the browsing patterns of legitimate users. It
avoids detection by standard filters and intrusion detection boxes that
routinely identify and block anomalous traffic.
3. This is especially important for organized DDoS mafia, because for
them the botnet is a re-usable resource that they would like to
protect.
4. Finally, in CyberSlam an attacker is doing little while the server
does a lot.
5. By sending a single HTTP packet containing a small request, the
attacker can make the server reserve sockets, TCP buffers, and an
application process, and do significant database processing or
congest some other server bottleneck.
25/11/2018
 Real world case
 a Massachusetts businessman hired professionals to DDoS his
competitor’s Web site [1]. http://www.securityfocus.com/news/9411
 Like any other online business, the competitor had a search engine
back end.
 So the professionals used a large botnet to flood the competitor’s site
with a massive number of queries, bringing it down for almost a
week.
 Several extortion attempts at online gaming and gambling sites used
similar attacks [2].

25/11/2018
 Classic Denial of Service Attacks
 Can use simple
flooding ping
 From higher
capacity link to lower
 Causing loss of
traffic
 BUT
 Source of flood
traffic easily
identified
 Attack is reflected
back at the source
 Source Address Spoofing

 Use forged source addresses

o given sufficient privilege to “raw sockets”
o easy to create
 Generate large volumes of packets
 Directed at target with different, random, source addresses
 Cause same congestion
 Responses are scattered across Internet, no reflection back
 Real source is much harder to identify- why?
o Packet header is not enough to ID its source
o Knowledge of the flow of packets through routers is needed
Detecting source address spoofing- any solution?

Can we ensure that the source address correspond to the

system where the packet originated?
No
Any prevention solution?
Use filtering of addresses

23/10/2011
Filtering of source spoofed address

In the core?
At the source? At the target?

At the ISP?
X
 SYN Spoofing
1. Other common attack
2. attacks ability of a server to respond to future connection
requests
3. overflowing tables used to manage them
4. hence an attack on system resource
 Syn flood attack

23/10/2011
TCP
Connection
Handshake
TCP SYN
Spoofing
Attack
 SYN Spoofing Attack
 attacker often uses either
o random source addresses
o or that of an overloaded server to block return of (most) reset packets
 has much lower traffic volume
o attacker can be on a much lower capacity link
 Types of Flooding Attacks
Aims
Overload the network capacity on some link to a server
Overload the server ability to handle traffic
Result:
Due to congestion, server will drop packets
 Flooding Attacks

 classified based on network protocol used

 intent is to overload the network capacity on some link to a server
 virtually any type of network packet can be used

• ping flood using ICMP echo request packets

ICMP flood • traditionally network administrators allow such packets into their
networks because ping is a useful network diagnostic tool

• uses UDP packets directed to some port number on the target

UDP flood system

TCP SYN • sends TCP packets to the target system

• total volume of packets is the aim of the attack rather than the
flood system code
 ICMP flood
 Internet Control Message Protocol (ICMP) packets are designed for
network management features such as locating network equipment
and determining the number of hops or round-trip-time to get from
the source location to the destination.
 For example, ICMP_ECHO_REPLY packets (“ping”) allow the user
to send a request to a destination system and receive a response with
the roundtrip time.
 A DDoS ICMP flood attack occurs when the zombies send large
volumes of ICMP_ECHO_REPLY packets to the victim system.
 These packets signal the victim system to reply and the combination
of traffic saturates the bandwidth of the victim’s network
connection

23/10/2011
 UDP(User datagram protocol) Flood

UDP: connectionless protocol.

o no handshaking required between sender and receiver,
o and the receiving system will just receive packets it
must process.
A large number of UDP packets sent to a victim system
can saturate the network, depleting the bandwidth available
for legitimate service requests to the victim system.
UDP flood attacks attack random victim ports.

23/10/2011
 UDP Flood
 Causes The victim system to process the incoming data to try to
determine which applications have requested data.
 Often, the attacking DDoS tool will also spoof the source IP address
of the attacking packets.
 This helps hide the identity of the secondary victims and it insures
that return packets from the victim system are not sent back to the
zombies, but to another computer with the spoofed address.
 UDP flood attacks may also fill the bandwidth of connections
located around the victim system
 This can sometimes cause systems connected to a network near a
victim system to experience problems with their connectivity

23/10/2011
 Case of Juniper systems
 Similar to the ICMP flood, UDP flooding occurs when an attacker
sends IP packets containing UDP datagrams with the purpose of
slowing down the victim to the point that the victim can no longer
handle valid connections.
 After enabling the UDP flood protection feature,
 you can set a threshold that, once exceeded, invokes the UDP flood
attack protection feature. (The default threshold value is 1000
packets per second.)
 If the number of UDP datagrams from one or more sources to a
single destination exceeds this threshold,
 JUNOS software ignores further UDP datagrams to that destination
for the remainder of that second plus the next second as well.

23/10/2011
 UDP flood
countermeasure

23/10/2011
 Land attacks
Combining a SYN attack with IP spoofing, a land attack
occurs when an attacker sends spoofed SYN packets
containing the IP address of the victim as both the
destination and source IP address
The receiving system responds by sending the SYN-ACK
packet to itself,
creating an empty connection that lasts until the idle
timeout value is reached.
 Flooding a system with such empty connections can
overwhelm the system, causing a denial of service.

23/10/2011
 Land attack

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-
security/land-attacks-understanding.html#land-attacks-understanding
23/10/2011
Distributed Denial of Service Attacks
DoS attacks: Have limited volume if single
source used
Multiple systems allow much higher traffic
volumes to form a Distributed Denial of Service
(DDoS) Attack
often compromised PC’s / workstations
o zombies with backdoor programs installed
o forming a botnet
e.g. Tribe Flood Network (TFN), TFN2K
 DDOS attacks

23/10/2011
DDoS Control Hierarchy
 Tribe Flood Network
TFN, distributed tool used to launch coordinated denial of
service attacks from many sources against one or more
targets.
Can generate UDP flood attacks,
Can also generate TCP SYN flood, ICMP echo request
flood, and ICMP directed broadcast (e.g., smurf) denial of
service attacks.
TFN has the capability to generate packets with spoofed
source IP addresses.

23/10/2011
Application-based
bandwidth attacks

23/10/2011
Session Initiation
Protocol (SIP) Flood

 standard protocol for

VoIP telephony

 text-based protocol
with a syntax similar
to that of HTTP

 two types of SIP

messages: requests
and responses
 Hypertext Transfer Protocol (HTTP) Based
Attacks
HTTP flood
 attack that bombards Web
servers with HTTP requests
 consumes considerable
resources
 spidering
 bots starting from a given
HTTP link and following
all links on the provided
Web site in a recursive
way
Slowloris
 attempts to monopolize all the
available request-handling
threads by sending HTTP
requests that never complete
 eventually consumes Web
server’s connection capacity
 utilizes legitimate HTTP traffic
 existing intrusion detection and
prevention solutions that rely on
signatures to detect attacks will
generally not recognize Slowloris
 Slowloris attack
Attacker establishes multiple connections to the web server
On each connection, an incomplete request is sent ( not
including the blank line).
Attacker sends periodically additional header information
just to keep the line alive
Web server keeps connection open waiting for more
information to complete the request.
Attacks continues, more connections are established, web
resources get consumed till depletion
Web server no longer able to respond to legitimate requests
23/10/2011
 More about Slowloris
1. Slowloris takes advantage of HTTP procol
2. HTTP protocol states that a blank line must be
used to indicate the end of a request header
3. Once the entire request is received, the web server
can then respond to the request.

23/10/2011
 Slowloris = countermeasures
1. Limiting the rate of incoming connections from a particular host
2. Varying the time-out on connections as a function of the number of
connections
3. Delay binding:
 Performed by laod-balancing software
 Load balancer checks whether the header of the request is
complete or not.
 No request will be sent by the load-balnacer to the appropriate
server unless the two carriage returns and line feeds are sent by
the HTTP client.

23/10/2011
 Reflection Attacks
 Do not use compromised systems
 Use normal behavior of network
 attacker sends packet with spoofed source address being that
of target to a server
 server response is directed at target (spoofed address)
 if send many requests to multiple servers, response can flood
target
 various protocols e.g. UDP or TCP/SYN
 ideally want response larger than request
 prevent if block source spoofed packets
 reflector attack

host sends many requests with a spoofed source

address to a service on an intermediate host.
The service used is typically User Datagram
Protocol (UDP) based, which makes it easier to
spoof the source address successfully.
Attackers often use spoofed source addresses
because they hide the actual source of the attack

23/10/2011
 reflector attack
 That host generates a reply to each request and sends these replies
to the spoofed address.
 Because the intermediate host unwittingly performs the attack, that
host is known as a reflector.
 During a reflector attack, a DoS could occur to the host at the:
o spoofed address,
o the reflector itself,
o or both hosts.
 Examples of commonly used reflector services include echo (port 7),
chargen (port 19), DNS (port 53), Simple Network Management
Protocol (SNMP) (port 161) and Internet Security Association and
Key Management Protocol (ISAKMP) (port 500).

23/10/2011
 Reflector Attack Using a DNS Server
Attacker uses port 7- associated
with echo- a reflector service

If attacker is offering an echo

service, reflection

1792 UDP
port of the
client

23/10/2011
23/10/2011
 Reflection Attacks

 further variation creates a self-contained loop between

intermediary and target
 fairly easy to filter and block
 Amplifier attacks

Like reflector attacks, it Involves sending requests

with a spoofed source address for the target system
to an intermediate host.
But , an amplifier attack does not use a single
intermediate host
Instead, its goal is to use a whole network of
intermediate hosts.

23/10/2011
 Amplifier attacks

Sends an ICMP or UDP request to an expected

broadcast address,
hoping that many hosts will receive the broadcast
and respond to it.
Because the attacker’s request uses a spoofed
source address,
the responses are all sent to the spoofed address,
which may cause a DoS for that host or the host’s
network.
23/10/2011
 Amplifier attacks

Most environments block amplifier attacks by

configuring border routers to not forward
directed broadcasts,
But some still permit them.

23/10/2011
Amplification Attacks
 DNS Amplification Attacks
use DNS requests with spoofed source address
being the target
exploit DNS behavior to convert a small request
to a much larger response
o 60 byte request to 512 - 4000 byte response
attacker sends requests to multiple well
connected DNS servers, which flood target
o need only moderate flow of request packets
o DNS servers will also be loaded
Using high capacity well connected DNS servers
Attackers will avoid overloading the intermediate
systems
Giving more chances for the attack to succeed.

23/10/2011
 Resolver
When a host needs to perform an address mapping
or a name mapping

Host calls a DNS client

DNS Client calls closest DNS server

YES NO
IF server has the information

it send the information Asks other servers for the

to the client information
 Recursive resolution

Iterative resolution
 Typical DNS resolution process
 Several potential “attack points” exist for disrupting the
resolution process:
1. the stub resolver host (stub resolvers, the most common form of
DNS clients)
 construct DNS queries,
 send them to name servers for recursive resolution, and resend the queries
if timeouts occur);
2. communication between the stub resolver and the first hop name
server for recursive name resolution;
3. the first-hop name server;
4. communication between the first-hop name server and the other
name servers, if needed, for iterative name resolution; and
5. other name servers
 Recursive resolution

Iterative resolution
Resolver configuration files include information
about the DNS servers used for name resolution.
 Attacking the resolver hosts via
1. Exploiting the DNS resolvers vulnerabilities
 Attacking DNS resolvers by exploiting their vulnerabilities
such as with abuffer overflow attack
(www.isc.org/index.pl?/sw/bind/bind-security.php).
2. Corrupting resolver configuration settings
 Replacing the name servers’ IP addresses in a resolver
configuration file with bogus ones could cause denial of
service.
 Changing other directives in the resolver configuration files
can also affect the name resolution process —for example, an
adversary could configure a resolver to incorrectly perform
“name completion” by appending certain suffixes to an
“incomplete” domain name (that is, a not fully qualified
domain name).
 Disabling DNS name resolution or forcing the resolver host
to consult a local host table
 Attacking the resolver hosts via
3. Attacking resolver host’s TCP/IP stack and affect its view
regarding the first-hop name servers’ identity or availability—
 Examples-
1. An adversary can send (ICMP) unreachable messages to the
resolver host, causing it to quit sending DNS requests to name
servers.
2. If the adversary can access the local area network in which
the resolver host lives, he or she can launch other attacks such
as Address Resolution Protocol (ARP) spoofing,6 which can
change the name servers’ mapping of IP addresses to
incorrect MAC addresses.
3. Some hosts use (DHCP) to obtain dynamic IP addresses and
DNS server information—thus, an attack against the DHCP
could also prevent a host from obtaining DNS service.
Disrupting communications
1. Packet flooding
 A brute-force approach involves flooding the name servers with
packets.
 If the network routers at the servers’ locations or their upstream
ISPs can’t handle the traffic, routers must drop certain packets.
 Distinguishing legitimate network traffic from attack traffic can
be difficult, both types of traffic can be dropped during such an
attack.
 Depending on the number and network bandwidth of the
attacking machines, a DoS attack like this prevents most normal
DNS queries from reaching the name servers.
 Disrupting communication
 Packet flooding
 An adversary can also leverage other hosts on the Internet to
increase the attack’s power by using those hosts as “bandwidth
amplifiers” and directing the resultant network traffic to the name
servers.
 A smurf attack, 7 for example, sends ICMP echo request messages
(with a forged source address) to broadcast addresses, thus
generating many more ICMP echo reply messages directed at the
target;
 alternatively, an adversary can take advantage of the difference in
size between DNS queries and responses and send forged DNS
queries to other name servers, thus flooding the target name
servers with large DNS responses.8
 Recursive name servers can be induced to participate in DDoS
attacks in a number of ways.
 A network of computers distributed on the Internet in a construct
such as a Botnet, can send spoofedaddress queries to an Open
Resolver (or resolvers) causing it to send responses to the spoofed-
address target.
 Thereby, the resolver unwittingly participates in an attack on
spoofed addresses.
 DoS Attack Defenses

High traffic volumes may be legitimate

o result of high publicity, e.g. “slash-dotted”
o or to a very popular site, e.g. Olympics etc
or legitimate traffic created by an attacker
Four lines of defense against (D)DoS:
1.Attack prevention and preemption
2.Attack detection and filtering
3.Attack source traceback and identification
4.Attack reaction
 Attack Prevention

block spoofed source addresses

o on routers as close to source as possible
o still far too rarely implemented
rate controls in upstream distribution nets
o on specific packets types
o e.g. some ICMP, some UDP, TCP/SYN
use modified TCP connection handling
o use SYN cookies when table full
o or selective or random drop when table full
 Attack Prevention

block IP directed broadcasts

block suspicious services & combinations
manage application attacks with “puzzles” to
distinguish legitimate human requests
good general system security practices
use mirrored and replicated servers when high-
performance and reliability required
 Responding to Attacks

need good incident response plan

o with contacts for ISP
o needed to impose traffic filtering upstream
o details of response process
have standard filters
ideally have network monitors and IDS
o to detect and notify abnormal traffic patterns
 Responding to Attacks

identify type of attack

o capture and analyze packets
o design filters to block attack traffic upstream
o or identify and correct system/application bug
have ISP trace packet flow back to source
o may be difficult and time consuming
o necessary if legal action desired
implement contingency plan
update incident response plan
 Summary

 introduced denial of service (DoS) attacks

 classic flooding and SYN spoofing attacks
 ICMP, UDP, TCP SYN floods
 distributed denial of service (DDoS) attacks
 reflection and amplification attacks
 defenses against DoS attacks
 responding to DoS attacks
 www.lasr.cs.ucla.edu/classes/239_1.fall10/
 Where To Defend?
In the core?
At the source? At the target?

+ Drops junk early

+ Cost paid close to + Scales nicely + Good knowledge of situation
attacker + Works with moderate + Strong motivation to deploy
+ May be easy to deployment + OK to do what’s needed
distinguish packets
- Low per packet budget - Easy to overwhelm
- Poor deployment incentive possible - Often limited defense
- Requires wide deployment - Poor deployment resources
- May be subject to influenceincentive
- Against end-to-end
philosophy
 http://www.lasr.cs.ucla.edu/classes/239_1.fall10/
 Agenda/Topics to Be Covered
 Mission Statement/Goals
 Who’s Who
 Classroom Policies
 Special Projects
 Grading
 Parent Conferences
 Summary

25/11/2018
 Mission Statement/Goals

 Provide school’s mission statement

 Outline specific academic goals by subject

Note: This may take more than one slide.

25/11/2018
 Who’s Who

 List key school staff (principal, librarian, etc.)

 Include organization chart

25/11/2018
 Classroom Policies

 Highlight most important policies

 Review school hours and daily schedule
 Talk about homework expectations
 Explain your classroom management plan

Note: This may take more than one slide.

25/11/2018
 Special Projects
 List special projects including field trips,
organized by the school year calendar

25/11/2018
 Grading
 Discuss purpose of grades
 Review report card format
 Outline grading process and timetable
 Discuss any other means of evaluation

25/11/2018
 Parent Conferences
 Review conference schedule
 Distribute sign up sheet
 Review expectations for parent conferences
 Explain how you can be reached to discuss
concerns

25/11/2018
 Q&A
 Invite questions from parents/students

25/11/2018
 Summary
 Discuss topics covered
 Reiterate welcome
 Wrap-up
 http://www.juniper.net/techpubs/software/junos-
security/junos-security95/junos-security-swconfig-
security/junos-security-swconfig-security-TOC.html
 http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-
61rev1.pdf

25/11/2018