Page 1: Denial of Service Attacks: Detection and Reaction

Georgios Koutepas, Basil Maglaris
National Technical University of Athens, Greece

Cyprus Conference on Information Security 2002
October 12, 2002

Page 2: What is "Denial of Service"?

DoS Attacks: Detection and Reaction. CSC, October 12, 2002

• An attack to suspend the availability of a service
• Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
• No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
• No easy solutions! DoS is still mostly a research issue

Page 3: Main Characteristics of DoS

• Variable targets:
  – Single hosts or whole domains
  – Computer systems or networks
  – Important: Active network components (e.g. routers) are also vulnerable and possible targets!
• Variable uses & effects:
  – Hacker "turf" wars
  – High profile commercial targets (or just competitors…)
  – Useful in cyber-warfare, terrorism etc.

Page 4: Brief History

First Phase (starting in the '90s): DoS
• Started as bug/vulnerability exploitation
• Single hosts - single services were the first targets
• Single malicious packets

Second Phase (1996-2000)
• Resource consuming requests from many sources
• Internet infrastructure used for attack amplification

Third Phase (after 2000): Distributed DoS
• Bandwidth of network connections is the main target
• Use of many pirated machines, possibly many attack stages, escalation effect to saturate the victims

Page 5: Brief History (cont.)

Important Events:
• February 7-11, 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
  – The attacks capture the attention of the media
  – The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
• January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.

Page 6: Host DoS Attacks

• Usually one attacker - one target
• Methods used are derivatives of ones used for unauthorized access:
  – Buffer Overflows on wrongly designed input fields can overwrite parts of the memory stack. The results: open doors or failure of the service/system
  – Ambiguities in network protocols and their implementations. Specially designed packets can halt the protocol stack or the whole system

Page 7: Examples of Host DoS Attacks

– Land IP DoS attack: Special SYN packets with the same source and destination
– Teardrop attack: It sends IP fragments to a network-connected machine. It exploits an overlapping IP fragment bug present in various TCP/IP implementations.
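Both examples on this slide are single-packet (or few-packet) patterns that a border IDS can recognise before the packets reach a vulnerable stack. The following is an added detection example, not code from the talk: packets are plain dicts as a capture decoder might hand them to a rule engine (fragment offsets already converted to bytes), and the sample capture at the bottom is constructed.

```python
"""Detection checks for the two host-DoS packet patterns named on the slide:
the Land packet (SYN with identical source and destination) and overlapping
IP fragments (the condition the Teardrop bug mishandled). Added example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def is_land_packet(pkt: dict) -> bool:
    """Land signature: a TCP SYN whose source and destination address and port
    are identical, so the receiving stack would try to handshake with itself."""
    return (pkt["proto"] == "tcp"
            and "SYN" in pkt.get("flags", ())
            and pkt["src"] == pkt["dst"]
            and pkt.get("sport") == pkt.get("dport"))


@dataclass
class FragmentTracker:
    """Remembers the byte ranges of fragments seen for each datagram, keyed by
    (src, dst, IP id), and flags a fragment that overlaps an earlier one."""
    seen: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = field(default_factory=dict)

    def add(self, pkt: dict) -> bool:
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start = pkt["frag_offset"]            # byte offset inside the original datagram
        end = start + pkt["frag_len"]         # exclusive end
        ranges = self.seen.setdefault(key, [])
        overlaps = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return overlaps


def scan(packets: List[dict]) -> List[Tuple[int, str]]:
    """Run both checks over a packet list; returns (index, alert) pairs."""
    tracker = FragmentTracker()
    alerts = []
    for i, pkt in enumerate(packets):
        if is_land_packet(pkt):
            alerts.append((i, "land"))
        if "frag_offset" in pkt and tracker.add(pkt):
            alerts.append((i, "fragment-overlap"))
    return alerts


# Constructed sample capture (addresses from the documentation ranges).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 80, "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80, "flags": ("SYN",)},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 42, "frag_offset": 0, "frag_len": 36},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 42, "frag_offset": 24, "frag_len": 24},  # starts inside the first fragment
    {"proto": "udp", "src": "198.51.100.8", "dst": "192.0.2.10", "ip_id": 43, "frag_offset": 0, "frag_len": 36},
    {"proto": "udp", "src": "198.51.100.8", "dst": "192.0.2.10", "ip_id": 43, "frag_offset": 36, "frag_len": 20},  # contiguous: fine
]

if __name__ == "__main__":
    for index, alert in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {alert}")
```

The tracker keeps state per datagram only until the capture ends; a real sensor would expire entries on a timer so that an attacker cannot fill its memory with half-sent datagrams, which is itself a resource-exhaustion vector.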

Page 8: Host Resource DoS Attacks

• Target continues (most of the time) operation but cannot offer any useful services.
• Resource exhaustion through legitimate requests to the target host
  – SYN Flooding attack
  – Ping Flooding attack
  – Smurf attack: the ping flow is "amplified" by being first sent to a number of network broadcast addresses with the victim's return address in the packets

Page 9: Example of a "Smurf" Attack

[Diagram: the Attacker sends an ICMP Echo request into an unsecured LAN with Destination: LAN broadcast and Source: victim.host. Admin Problem: the router allows Ping to the LAN broadcast address. Every host on the LAN answers with an ICMP Echo reply, Destination: victim.host, the Target (web server).]

Page 10: Network Attacks: Distributed DoS

[Diagram: the Attacker, 1. Taking Control of pirated machines ("zombies") in Domain A and Domain B, then 2. Commanding the attack against the Target domain. Admin Problem 1: active "zombies". Admin Problem 2: the network allows outgoing packets with wrong source addresses.]

Page 11: Main Characteristics of DDoS

• Some hundreds of persistent flows are enough to knock a large network off the Internet
• Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
• Usually source IPs are spoofed on attack packets
• Offending systems may be controlled without their users suspecting it
• Possibly many levels of command & control:
  – Attacker-Manager-Agents
  – Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits

Page 12: Multi-tier attack

[Diagram: the Attacker commands several Attack Masters, which command the Attack Agents ("zombies") that flood the Target domain. Admin Problem: no detection of malicious activities.]

Page 13: Reflection DDoS Attack

[Diagram: the Attacker, through an Attack Master, has the "zombies" send legitimate TCP SYN requests to routers and web or other servers; the TCP SYN-ACK answers are directed at the Target domain.]

Page 14: PART II - What Can We Do

Page 15: Detection

• Host DoS attacks:
  – Border Defenses must be kept up to date
  – Host and Network based Intrusion Detection Systems
  – Investigate suspicious activity indications

Page 16: Detection (cont.)

• Distributed DoS attacks - on the Network
  – Offensive flows must be identified quickly
    • Tip: set generalized Pass filters on the border routers and see what they catch (high number of matches: attack)
    • Use Netflow or another monitoring tool
  – Follow router indications
    • Tip: Check router load for abnormal signs
• Distributed DoS attacks - in the Domain
  – Perform security audits often for hidden malicious code ("zombies") or attack rootkits
  – Install an anti-virus package

Page 17: Reaction to DDoS

• The malicious flows have to be determined. Timely reaction is critical!

• The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.

• Filters that will block attack traffic must be set up and maintained. The effectiveness of the actions must be verified.

• The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks on the attack path

Page 18: Reaction to DDoS (cont.)

• Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. This completes the attack!
• Trace-back efforts:
  – Following the routing (if sources are not spoofed)
  – Step by step through ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
• The conclusion: not a matter of a single site

Page 19: Prevention - Preparation

• Good administrative practices: a must
  – Backup!
  – Have a recovery plan, possibly a stand-by system
  – Train your personnel, have someone aware of security issues available at all times
  – Have emergency contact points with your ISPs and CERTs, know beforehand whom to call and have clear service policies on what they are obliged to do
• Care for the rest of the world
  – Prevent spoofed traffic from exiting your network
  – Filter pings to broadcast addresses (smurf amplifier)
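The two "care for the rest of the world" items are border-router filters. The following added example (not from the talk) expresses them as packet verdict functions so the logic can be read and tested independently of any router's configuration language. The prefixes, subnets and sample packets are constructed. It goes one step beyond the slide by also dropping inbound packets that claim one of the site's own addresses, the inbound half of the same anti-spoofing rule.

```python
"""Egress anti-spoofing and directed-broadcast ping filtering, as packet
verdict functions. Added example; address space below is constructed."""
import ipaddress
from typing import Callable, List, Tuple

# Address space this site legitimately originates traffic from (constructed).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
# Subnets behind the border router; their broadcast addresses are the smurf amplifier (constructed).
INTERNAL_SUBNETS = [ipaddress.ip_network(p) for p in ("192.0.2.0/26", "192.0.2.64/26")]

ICMP_ECHO_REQUEST = 8


def is_ours(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def egress_verdict(pkt: dict) -> Tuple[bool, str]:
    """Packet leaving the site: forward only if the source really belongs to
    us, so a compromised host here cannot send with a forged source."""
    if not is_ours(pkt["src"]):
        return False, "spoofed-source"
    return True, "ok"


def ingress_verdict(pkt: dict) -> Tuple[bool, str]:
    """Packet arriving from the Internet. A source claiming one of our own
    addresses is forged (no legitimate path brings it in from outside), and
    an echo request to a subnet broadcast address is the smurf trigger."""
    if is_ours(pkt["src"]):
        return False, "spoofed-source"
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        for net in INTERNAL_SUBNETS:
            # all-ones broadcast, plus the all-zeros form older stacks also answered
            if dst in (net.broadcast_address, net.network_address):
                return False, "directed-broadcast-ping"
    return True, "ok"


def apply(verdict: Callable[[dict], Tuple[bool, str]], pkts: List[dict]) -> List[str]:
    """Reason string per packet, in order."""
    return [verdict(p)[1] for p in pkts]


# Constructed sample packets.
SAMPLE_OUTBOUND = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": "tcp"},
    {"src": "203.0.113.9", "dst": "203.0.113.5", "proto": "udp"},   # zombie here sending with a forged source
]
SAMPLE_INBOUND = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp"},
    {"src": "203.0.113.77", "dst": "192.0.2.63", "proto": "icmp", "icmp_type": 8},  # ping to a subnet broadcast
    {"src": "203.0.113.77", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8},  # ordinary ping to a host
    {"src": "192.0.2.200", "dst": "192.0.2.10", "proto": "tcp"},                     # our own address, arriving from outside
]

if __name__ == "__main__":
    print("outbound:", apply(egress_verdict, SAMPLE_OUTBOUND))
    print("inbound: ", apply(ingress_verdict, SAMPLE_INBOUND))
```

Note that the broadcast rule has to enumerate the site's subnets: a /26 boundary is invisible to a router that only knows the /24, which is why the equivalent router knob is applied per interface rather than at the border.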

Page 20: PART III - Research Directions

Page 21: Main DoS Research Problems

• DoS
  – Is mostly an Intrusion Detection / Prevention problem
  – Not many things are possible since a single packet can do all the damage
  – Some efforts to have an "Immune System" type of detection for anomalous system call sequences.
• DDoS
  – Timely attack detection
  – Source tracing
  – Traffic flow control and attack suppression
  – Intrusion Detection Systems not very helpful

Page 22: CenterTrack

• R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", 9th USENIX Security Symposium, Denver, Colorado, USA, August 2000

[Diagram: attack traffic (X) converging on the Target domain; no further labels on the figure.]

Page 23: Pushback

• J. Ioannidis and S. Bellovin, "Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002

[Diagram: attack traffic (X) converging on the Target domain; at the router nearest the target: 1. Aggregate characteristics determined; 2. Incoming traffic interface determined; 3. Containment filter set locally; 4. Continue to the next router in the attack path using the Pushback protocol.]
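The four numbered steps on the slide form a hop-by-hop procedure. The following added example (not from the talk, and not the Pushback protocol of Ioannidis and Bellovin) simulates it on a constructed four-router topology: the router in front of the target identifies the aggregate, rate-limits it on each incoming interface in proportion to what arrives there, and sends a constructed "pushback" message to the upstream router behind any interface that still exceeds its share. Rates and the budget are constructed.

```python
"""Hop-by-hop containment in the style of the Pushback slide. Added example;
topology, rates and message format are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VICTIM = "192.0.2.0/24"    # constructed target prefix
OTHER = "203.0.113.0/24"   # constructed prefix of unrelated traffic


@dataclass
class Router:
    name: str
    upstream: Dict[str, Optional[str]]            # interface -> upstream router (None: hosts attached)
    traffic: Dict[str, List[Tuple[str, float]]]   # interface -> [(dst_prefix, Mb/s)] observed
    limits: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (iface, prefix) -> Mb/s allowed
    log: List[str] = field(default_factory=list)

    def incoming_share(self, prefix: str) -> Dict[str, float]:
        """Step 2: how much of the aggregate arrives on each interface."""
        return {ifc: sum(r for p, r in flows if p == prefix) for ifc, flows in self.traffic.items()}

    def contain(self, prefix: str, budget: float, net: Dict[str, "Router"]) -> None:
        """Steps 2-4: limit the aggregate locally and push the request upstream."""
        share = {ifc: r for ifc, r in self.incoming_share(prefix).items() if r > 0}
        total = sum(share.values())
        for ifc, rate in share.items():
            allowed = budget * rate / total         # split the budget in proportion to arrivals
            self.limits[(ifc, prefix)] = allowed    # step 3: local containment filter
            self.log.append(f"{self.name}: limit {prefix} on {ifc} to {allowed:.2f} Mb/s")
            up = self.upstream.get(ifc)
            if up is not None and rate > allowed:   # step 4: next router on the attack path
                net[up].handle({"type": "pushback", "prefix": prefix, "limit": allowed, "from": self.name}, net)

    def handle(self, msg: dict, net: Dict[str, "Router"]) -> None:
        self.log.append(f"{self.name}: pushback from {msg['from']}: {msg['prefix']} <= {msg['limit']:.2f} Mb/s")
        self.contain(msg["prefix"], msg["limit"], net)


def detect_aggregate(router: Router, capacity: float) -> Optional[str]:
    """Step 1: the destination prefix whose traffic alone exceeds the link
    capacity towards the target (a crude stand-in for aggregate detection)."""
    totals: Dict[str, float] = {}
    for flows in router.traffic.values():
        for prefix, rate in flows:
            totals[prefix] = totals.get(prefix, 0.0) + rate
    worst = max(totals, key=totals.get)
    return worst if totals[worst] > capacity else None


def build_network() -> Dict[str, Router]:
    """Constructed topology: R1 sits in front of the target; R2 and R3 feed
    it; R4 feeds R2. Rates are Mb/s seen in the last measurement interval."""
    return {
        "R1": Router("R1", {"if0": "R2", "if1": "R3"}, {"if0": [(VICTIM, 80.0), (OTHER, 5.0)], "if1": [(VICTIM, 40.0)]}),
        "R2": Router("R2", {"if0": "R4", "if1": None}, {"if0": [(VICTIM, 60.0)], "if1": [(VICTIM, 20.0)]}),
        "R3": Router("R3", {"if0": None}, {"if0": [(VICTIM, 40.0)]}),
        "R4": Router("R4", {"if0": None}, {"if0": [(VICTIM, 60.0)]}),
    }


def run_pushback(capacity: float = 100.0, budget: float = 20.0) -> Dict[str, Router]:
    """Detect at R1 and let the containment propagate; returns the routers
    with their limits and logs filled in."""
    net = build_network()
    prefix = detect_aggregate(net["R1"], capacity)
    if prefix is not None:
        net["R1"].contain(prefix, budget, net)
    return net


if __name__ == "__main__":
    for router in run_pushback().values():
        print("\n".join(router.log))
```

The proportional split is the simplest possible policy; it limits legitimate traffic to the victim along with the attack, which is the bandwidth penalty the Reaction slides mention and the reason the limit is pushed as far upstream as the cooperation of each ISP allows.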

Page 24: Panoptis

• C. Kotsokalis, D. Kalogeras, and B. Maglaris, "Router-Based Detection of DoS and DDoS Attacks", HP OpenView University Association (HPOVUA) Conference '01, Berlin, Germany, June 2001

[Diagram: attack traffic (X) converging on the Target domain; NetFlow from the Border Routers feeds the Panoptis Analysis Engine: 1. Aggregate characteristics determined; 2. Traffic interfaces determined; 3. Automatic filter configuration.]
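The detection tip on the Detection (cont.) slide (watch what broad filters or Netflow catch; an abnormal number of matches means attack) and the three Panoptis steps above are one pipeline: aggregate the flow records, find the interfaces the aggregate arrives on, and turn that into filter configuration. The following added example, which is not the Panoptis code or anything from the talk, runs that pipeline over a constructed NetFlow-style export from two border routers. The thresholds and the rule text format are constructed and would be tuned per site.

```python
"""NetFlow-style aggregate detection and automatic filter generation.
Added example; records, thresholds and rule format are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SEC = 10          # export interval the records cover (constructed)
PPS_THRESHOLD = 1000     # packets/s towards one destination that is abnormal for this site (constructed)
MIN_SOURCES = 10         # distinct sources before the aggregate counts as distributed
SYN_ONLY_RATIO = 0.8     # share of SYN-only packets above which it looks like a SYN flood

# NetFlow-like record: (router, in_iface, src, dst, proto, dport, tcp_flags, packets)
Flow = Tuple[str, str, str, str, str, int, int, int]


def constructed_flows() -> List[Flow]:
    """Constructed export: 30 single-SYN sources towards the web server,
    split over two border routers, plus a few ordinary sessions."""
    flows: List[Flow] = []
    for i in range(30):
        router, ifc = ("br1", "Gi0/1") if i % 2 == 0 else ("br2", "Gi0/0")
        flows.append((router, ifc, f"203.0.113.{i + 1}", "192.0.2.80", "tcp", 80, 0x02, 800 + i))
    flows.append(("br1", "Gi0/1", "198.51.100.5", "192.0.2.25", "tcp", 25, 0x1B, 40))   # SYN/ACK/PSH/FIN: normal mail
    flows.append(("br2", "Gi0/0", "198.51.100.9", "192.0.2.80", "tcp", 80, 0x18, 120))  # ACK/PSH: established web
    flows.append(("br2", "Gi0/2", "198.51.100.20", "192.0.2.80", "tcp", 80, 0x18, 90))
    return flows


def analyse(flows: List[Flow]) -> List[dict]:
    """Step 1 (aggregate characteristics) and step 2 (traffic interfaces):
    group by (dst, proto, dport), measure rate, source count and SYN-only
    share, and remember which router interface carried each packet."""
    agg: Dict[Tuple[str, str, int], dict] = defaultdict(
        lambda: {"packets": 0, "syn_only": 0, "sources": set(), "ifaces": defaultdict(int)})
    for router, ifc, src, dst, proto, dport, flags, pkts in flows:
        a = agg[(dst, proto, dport)]
        a["packets"] += pkts
        a["sources"].add(src)
        if proto == "tcp" and flags == 0x02:     # only SYN set: the handshake never completed
            a["syn_only"] += pkts
        a["ifaces"][(router, ifc)] += pkts
    alerts = []
    for (dst, proto, dport), a in agg.items():
        pps = a["packets"] / WINDOW_SEC
        syn_share = a["syn_only"] / a["packets"]
        if pps > PPS_THRESHOLD and len(a["sources"]) >= MIN_SOURCES and syn_share > SYN_ONLY_RATIO:
            alerts.append({"dst": dst, "proto": proto, "dport": dport, "pps": pps,
                           "sources": len(a["sources"]), "syn_share": syn_share,
                           "ifaces": dict(a["ifaces"])})
    return alerts


def filter_config(alert: dict, min_share: float = 0.05) -> List[str]:
    """Step 3 (automatic filter configuration): one rate-limit rule per
    interface carrying at least min_share of the aggregate. The rule text is
    a constructed, vendor-neutral format, not any router's CLI."""
    total = sum(alert["ifaces"].values())
    rules = []
    for (router, ifc), pkts in sorted(alert["ifaces"].items()):
        if pkts / total >= min_share:
            rules.append(f"{router} {ifc}: rate-limit {alert['proto']} dst {alert['dst']} "
                         f"dport {alert['dport']} syn-only")
    return rules


if __name__ == "__main__":
    for alert in analyse(constructed_flows()):
        print(f"attack aggregate: {alert['dst']} {alert['proto']}/{alert['dport']} "
              f"{alert['pps']:.0f} pps from {alert['sources']} sources")
        print("\n".join(filter_config(alert)))
```

The rule is a rate-limit on SYN-only packets rather than a block, so an interface that also carries real sessions (br2 Gi0/0 in the sample) keeps working at reduced rate; a sanity check that the generated rule does not match more than the alert's own packet count before it is pushed to the routers is the kind of verification the Reaction slide asks for.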

Page 25: Trans-Domain Cooperative IDS Entities

• G. Koutepas, F. Stamatelopoulos, B. Maglaris, "A Trans-Domain Framework Against Denial of Service Attacks", submitted to the 10th Annual Network and Distributed System Security Symposium, San Diego, California, February 2003

[Diagram: a Cooperative IDS Entity in each Participating Domain; Notification Propagation (Multicast) between them, not reaching the Non-participating Domain; in each domain, activation of filters and reaction according to local Policies.]
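The diagram shows two separate decisions: who receives a notification (only domains that joined the multicast group) and what each receiver does with it (its own local policy). The following added example, which is not the framework's protocol or code, models both on constructed domains: the notification fields, the membership list and the per-domain policies (a rate threshold, block versus rate-limit, and which victim prefixes the domain actually carries traffic for) are all constructed.

```python
"""Cooperative entity receiving a trans-domain attack notification and
reacting according to local policy. Added example; everything constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed membership of the cooperative group; AS64999 stands for the
# non-participating domain on the slide and never joins the multicast group.
PARTICIPANTS = {"AS64500", "AS64501", "AS64502"}


@dataclass
class Notification:
    origin: str            # domain whose entity detected the attack
    victim_prefix: str
    proto: str
    dport: Optional[int]
    pps: float             # rate of the aggregate observed at the origin


@dataclass
class Entity:
    domain: str
    min_pps: float                 # local policy: react only above this rate
    action: str                    # local policy: "block" or "rate-limit"
    transit_prefixes: List[str]    # victim prefixes whose traffic passes through this domain
    filters: List[Dict] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def receive(self, n: Notification) -> str:
        # Membership check only; a deployment would also authenticate the sender.
        if n.origin not in PARTICIPANTS:
            self.log.append(f"{self.domain}: ignored notification from non-participant {n.origin}")
            return "ignored"
        if n.victim_prefix not in self.transit_prefixes:
            self.log.append(f"{self.domain}: no traffic towards {n.victim_prefix} transits here")
            return "not-applicable"
        if n.pps < self.min_pps:
            return "below-policy-threshold"
        self.filters.append({"prefix": n.victim_prefix, "proto": n.proto, "dport": n.dport,
                             "action": self.action, "reported_by": n.origin})
        self.log.append(f"{self.domain}: {self.action} {n.proto}/{n.dport} towards "
                        f"{n.victim_prefix} (reported by {n.origin})")
        return self.action


def multicast(n: Notification, entities: List[Entity]) -> Dict[str, str]:
    """Deliver one notification to every entity that joined the group and
    collect each domain's reaction; non-members never see it."""
    return {e.domain: e.receive(n) for e in entities if e.domain in PARTICIPANTS}


def build_entities() -> List[Entity]:
    """Constructed domains: the victim's own domain, its upstream, an
    unrelated participant, and a domain that did not join."""
    return [
        Entity("AS64500", 0.0, "block", ["192.0.2.0/24"]),
        Entity("AS64501", 500.0, "rate-limit", ["192.0.2.0/24", "203.0.113.0/24"]),
        Entity("AS64502", 500.0, "block", ["203.0.113.0/24"]),
        Entity("AS64999", 0.0, "block", ["192.0.2.0/24"]),
    ]


if __name__ == "__main__":
    entities = build_entities()
    print(multicast(Notification("AS64500", "192.0.2.0/24", "tcp", 80, 2400.0), entities))
    for e in entities:
        print("\n".join(e.log))
```

Keeping the reaction a local decision is what makes the scheme deployable: the upstream (AS64501) rate-limits rather than blocks, and a domain the attack does not transit (AS64502) records the notification but changes nothing, so a false or exaggerated notification from a participant cannot by itself cut a prefix off everywhere.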

Page 26: Questions and Answers