Network Security: Denial of Service (DoS),

Anonymity

Tuomas Aura

2

OutlineDenial of Service1. DoS principles2. Packet-flooding attacks on the Internet3. Distributed denial of service (DDoS)4. Filtering defenses5. Most effective attack strategies6. Infrastructural defenses7. DoS-resistant protocol designAnonymity1. Anonymity and privacy2. High-latency anonymous routing3. Low-latency anonymous routing — Tor

DoS principles

3

4

Denial of service (DoS)

Goal of denial-of-service (DoS) attacks is to prevent authorized users from accessing a resource, or to reduce the quality of service (QoS) that authorized users receive

Several kinds of DoS attacks:

Destroy the resource

Disable the resource with misconfiguration or by inducing an invalid state

Exhaust the resource or reduce its capacity

5

Resource destruction or disabling

Examples:

Cutting cables, bombing telephone exchanges

Formatting the hard disk

Crashing a gateway router

These attacks often exploit a software bug, e.g.

Unchecked buffer overflows

Teardrop attack: overlapping large IP fragments caused Windows and Linux crashes

Can be prevented by proper design and implementation

6

Resource exhaustion attacks

Attacker overloads a system to exhaust its capacity → never possible to prevent completely

Examples: Flooding a web server with requests

Filling the mailbox with spam

It is difficult to tell the difference between attack and legitimate overload (e.g. Slashdotting, flash crowds)

For highly scalable services, may need to try

Some resource in the system under attack becomes a bottleneck i.e. runs out first → Attacks can exploit a limited bottleneck resource:

SYN flooding and fixed-size kernel tables

Public-key cryptography on slow processors

Packet-flooding attacks on the Internet

7

8

Internet characteristics

Open network: anyone can join, no central controlEnd to end connectivity: anyone can send packets to anyoneNo global authentication or accountabilityFlat-rate chargingUnreliable best-effort routing; congestion causes packet lossQ: Could these be changed?

Internet1.2.3.4

5.6.7.8

1.2.3.0/24

5.6.7.0/24

Gateway

router

Gateway

routersrc 1.2.3.4

dst 5.6.7.8

data

9

Packet-flooding attack

Ping flooding: attacker sends a flood of ping packets (ICMP echo request) to the target

Unix command ping -f can be used to send the packets

Any IP packets can be used for flooding, not just ping

Packets can be sent with a spoofed source IP address

Q: Where is the bottleneck resource that fails first?

Typically, packet-flooding exhausts the ISP link bandwidth, in which case the router before the congested link will drop packets

Other potential bottlenecks: processing capacity of the gateway router , processing capacity of the IP stack at the target host

10

Traffic amplification

Example: Smurf attack in the late 90s used IP broadcast addresses for traffic amplificationAny protocol or service that can be used for DoS amplification is dangerous! → Non-amplification is a key design requirement

Internet1.2.3.4

5.6.7.8

Echo request

src 5.6.7.8

dst 3.4.5.255

3.4.5.0/24

Echo resp

onse

src 3.4.5.

10

dst 5.6.7.

8Echo

response

src 3.4.5.

10

dst 5.6.7.

8Echo

response

src 3.4.5.

10

dst 5.6.7.

8Echo

response

src 3.4.5.

10

dst 5.6.7.

8Echo

response

src 3.4.5.

10

dst 5.6.7.

8

11

Traffic amplification

Example: Smurf attack in the late 90s used link-broadcast for traffic amplification:

1. Attacker sends an ICMP Echo Request (ping) to a broadcast address of a network (e.g. 1.2.3.255)

2. Attacker spoofs the source IP address of the ping

3. Router at the destination broadcasts the ping to the LAN

4. Many nodes in the network respond to the ping

5. The target at the spoofed address is flooded by the responses

12

Traffic reflection

Reflection attack: get others to send packets to the targetHides attacker IP address:

Confuses IP tracebackSome forms get around topological filtering and amplify traffic

Example: Attacker pings various hosts, sets the source address of the ICMP Echo Request to the attack-target address

Internet1.2.3.4

5.6.7.8

Echo resp

onse

src 3.4.5.

6

dst 5.6.7.

8

Echo request

src 5.6.7.8dst 3.4.5.6

3.4.5.6

Honest

client

ServerAttacker

Honest

packet rate

HR

Attack

packet rate

AR

Bottleneck

link capacity

C

13

Attack impact

When HR+AR < C, some packets dropped by router

With FIFO or RED queuing discipline at router, dropped packets are selected randomly

Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR

14

Attack impact

Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR

Distributed denial of service (DDoS)

15

Botnet and DDoS

Attacker controls thousands of compromised computers and launches a coordinated packet-flooding attack

Cloud

Target

Bots

Attacker

Control network

17

BotnetsBots (also called zombies) are home or office computers infected with virus, Trojan, rootkit etc.

Controlled and coordinated by attacker, e.g. over IRC, P2PHackers initially attacked each other; now used by criminals

Examples:MyDoom worm, HTTP GET flooding against www.sco.comStorm botnet, commercially available DDoS service Conficker >10M hosts

Dangers:Overwhelming flooding capacity of botnets can exhaust any link; no need to find special weaknesses in the targetNo need to spoof IP address ; filtering by source IP is hard

Q: Are criminals interested in DDoS if they can make money from spam and phishing? What about politically motivated attacks or rogue governments?

Filtering defenses

18

19

Filtering DoS attacks

Filtering near the target is the main defense mechanisms against DoS attacks

Protect yourself → immediate benefit

Configure firewall to drop anything not necessary:Drop protocols and ports no used in the local network

Drop “unnecessary” protocols such as ping or all ICMP, UDP etc.

Stateful firewall can drop packets received at the wrong state e.g. TCP packets for non-existing connections

Application-level firewall could filter at application level; probably too slow

Filter dynamically based on ICMP destination-unreachable messages

(Q: Are there side effects?)

20

Flooding detection and response

Filter probable attack traffic

Network or host-based intrusion detection to separate attacks from normal traffic based on traffic characteristics

Limitations:

IP spoofing → source IP address not reliable for individual packets

Attacker can evade detection by varying attack patterns and mimicking legitimate traffic

(Q: Which attributes are difficult to mimic?)

21

Preventing source spoofing

How to prevent spoofing of the source IP address?

Ingress and egress filtering: Gateway router checks that packets routed from a local network to the ISP have a local source address

Generalization: reverse path forwarding

Deployment slow: selfless defense without immediate payoff

IP traceback Mechanisms for tracing IP packets to their source

Limited utility: take-down thought legal channels is slow; automatic blacklisting of attackers can be misused

SYN cookies (we’ll come back to this)

Most effective attack strategies

22

23

SYN flooding

Attackers goal: make filtering ineffective → honest and attack packets dropped with equal probability

Target destination ports that are open to the Internet, e.g. HTTP (port 80), SMTP (port 25)

Send initial packets → looks like a new honest client

SYN flooding:TCP SYN is the first packet of TCP handshake

Sent by web/email/ftp/etc. clients to start communication with a server

Flooding target or firewall cannot know which SYN packets are legitimate and which attack traffic → has to treat all SYN packets equally

24

DNS flooding

DNS query is sent to UDP port 53 on a DNS server

Attack amplification using DNS:

Most firewalls allow DNS responses through

Amplification: craft a DNS record for which 60-byte query can produce 4000-byte responses (fragmented)

Botnet queries the record via open recursive DNS serversthat cache the response → traffic amplification happens at the recursive server

Queries are sent with a spoofed source IP address, the target address → DNS response goes to the target

Infrastructural defenses

25

26

Over-provisioning

Increase bottleneck resource capacity to cope with attacks

Recall:Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwise

When HR

27

QoS routingQoS routing mechanisms can guarantee service quality to some important clients and servicesResource reservation, e.g. Intserv, RSVP Traffic classes, e.g. Diffserv, 802.1Q

Protect important clients and connections by giving them a higher traffic class Protect intranet traffic by giving packets from Internet a lower class

Prioritizing existing connectionsAfter TCP handshake or after authentication

Potential problems:How to take into account new honest clients? Cannot trust traffic class of packets from untrusted sourcesPolitical opposition to Diffserv (net neutrality lobby)

Some research proposals

IP traceback to prevent IP spoofing

Pushback for scalable filtering

Capabilities, e.g. SIFF, for prioritizing authorized connections at routers

New Internet routing architectures:

Overlay routing (e.g. Pastry, i3), publish-subscribe models

Claimed DoS resistance remains to be fully proven

DoS-resistant protocol design

29

Protocol design goals

Process attack packets quickly at the end host

Prevent attacker from creating excessive state data at the target

Avoid doing expensive cryptographic computation

Make it easy for a firewall or proxy to do filter traffic

31

Stateless handshake (IKEv2)

HDR(A,0), SAi1, KEi, Ni

HDR(A,0), N(COOKIE), SAi1, KEi, Ni

HDR(A,0), N(COOKIE)

HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

Initiator i

Responder r

HDR(A,B), SK{ IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr }

...HDR(A,B), ESK (IDr, [CERT,] AUTH, SAr2, TSi, TSr)

Store state

Kr

Responder stores per-client state only after it has received valid cookie:COOKIE = hash(Kr , initiator and responder IP addresses)

where Kr is a periodically changing key known only by responder→ initiator cannot spoof its IP addressNo state-management problems caused by spoofed initial messages

32

TCP SYN Cookies

Random initial sequence numbers in TCP protect against IP spoofing: client must receive msg 2 to send a valid msg 3SYN cookie: stateless implementation of the handshake;

y = hash(Kserver, client addr, port, server addr, port)where Kserver is a key known only to the server.Server does not store any state before receiving and verifying the cookie value in msg 2Sending the cookie as the initial sequence number; in new protocols, a separate field would be used for the cookie

SYN, seq=x, 0

ACK, seq=x+1, ack=y+1

SYN|ACK, seq=y, ack=x+1

...

data

Client Server

Store state

33

Client puzzle (HIP)

Client “pays” for server resources by solving a puzzle firstPuzzle is brute-force reversal of a K-bit cryptographic hash; puzzle difficulty K can be adjusted according to server loadServer does not do public-key operations before verifying solutionServer can also be stateless; puzzle created like cookies above

I1: HIT-I, HIT-R

R1: HIT-I, HIT-R,

Puzzle(I,K), (gx, PKR, Transforms)SIG

I2: (HIT-I, HIT-R, Solution(I,K,J),

SPI-I, gy, Transforms, {PKI}) SIG

R2: (HIT-I, HIT-R, SPI-R, HMAC) SIG

Initiator I

Responder R

...

Store state,

public-key crypto

Verify solution O(1)

Solve puzzle

O(2K)

34

Prioritizing old clients

One way to cope with overload: give priority to old clients and connections, reject new ones

Filtering examples:

Remember client IP addresses that have completed sessions previously, completed handshake, or authenticated successfully

Prioritize TCP connections from address prefixes that have had many clients over long time (bots are scattered all over the IP address space)

Protocol design:

Give previous clients a credential (e.g. key) that can be used for reconnecting

35

Cryptographic authentication

Idea: authenticate packets and allow only authorized ones

IPsec ESP

Filter at firewall or end host

Problems:Requires system for authorizing clients

First packet of the authentication protocol becomes the weak point

Difficult to use authentication to prevent DoS

Recall: some honest packets always get though → If we can perform initial handshake under heavy packet loss, the rest can be authenticated — but that is just a research idea

Weaknesses in new protocols

36

Routing loop

Against mobility protocols with a forwarding agent: Mobile IP, MIPv6, NEMO etc.

I’ve moved!Home address H1New address H2

H1

Anotherhome address

H2

I’ve moved!Home address H2New address H1

C

Home address

Mobilecomputer =attacker

38

Further reading

David Moore, Geoffrey M. Voelker, and Stefan, Savage, Inferring Internet Denial-of-Service Activity, ACM TACS, 24(2), May 2006.

http://www.cs.ucsd.edu/~savage/papers/Tocs06.pdf

Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, Network Support for IP Traceback

SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks

http://www.ece.cmu.edu/~adrian/projects/siff.pdf

Mahajan et al., Aggregate-Based Congestion Control

http://www.icir.org/pushback/pushback-tohotnets.pdf

http://www.cs.ucsd.edu/~savage/papers/Tocs06.pdfhttp://www.ece.cmu.edu/~adrian/projects/siff.pdfhttp://www.icir.org/pushback/pushback-tohotnets.pdfhttp://www.icir.org/pushback/pushback-tohotnets.pdfhttp://www.icir.org/pushback/pushback-tohotnets.pdf

Anonymity and privacy

39

40

Anonymity terminologyIdentity, identifierAnonymity — they don’t know who you areUnlinkability — they cannot link two events or actions (e.g. messages) with each otherPseudonymity — intentionally allow linking of some events to each other

E.g. sessions, payment and service access

Authentication — strong verification of identityWeak identifier — not usable for strong authentication but may compromise privacy

E.g. nickname, IP address, SSID, service usage profile

Authorization — verification of access rightsDoes not always imply authentication (remember SPKI)

41

Anonymity in communications

Anonymity towards communication peersSender anonymity — receiver does not know who and where sent the message

Receiver anonymity — can send a message to a recipient without knowing who and where they are

Third-party anonymity — an outside observer cannot know who is talking to whom

Unobservability — an outside observer cannot tell whether communication takes place or not

Strength depends on the capabilities of the adversary

Anonymity towards access networkAccess network does not know who is roaming there

Relate concept: location privacy

42

Privacy

Control over personal information

Emphasized in Europe

Gathering, disclosure and false representation of facts about one’s personal life

Right to be left alone

Emphasized in America

Avoiding spam, control, discrimination, censorship

Anonymity is a tool for achieving privacy

Blending into the crowd

43

Identity protection in key exchangeIdentity protection against passive observers achieved by encrypting the authentication with a Diffie-Hellman key or a secret send with public-key encryptionIdentity protection of one party against active attackersachieved by authenticating the other party firstRecall these protocols:

PGPTLS/SSL, EAP-TLSIKEv2KerberosWPA2

Lower-layer identifiers (MAC and IP address) can still leak identityTraffic analysis can still be used to profile the node

44

Randomized identifiers

Replace permanent identifiers with random pseudonyms

Especially important below the encryption layer

Random interface id in IPv6 address [RFC 4941]

Random MAC addresses suggested

Need to consider weak identifiers, too

E.g., IPID, TCP sequence number

45

Who is the adversary?

Discussion: who could violate your privacy and anonymity?

Global attacker, your governmente.g. total information awareness, retention of traffic data

Servers across the Internet, colluding commercial interests

e.g. web cookies, trackers, advertisers

Criminalse.g. identity theft

Employer

People close to youe.g. stalkers, co-workers, neighbors, family members

46

Strong anonymity?

Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authentication

Even the strongest mechanisms have serious weaknesses

Need to trust many others to be honest

Services operated by volunteers and activists

Side-channel attacks

Anonymity tends to degrade over time for persistent communication

High-latency anonymous routing

48

Mix (1)

MixEMix(F,M1)

EMix(H,M2)

EMix(G,M3)

EMix(E,M4)

M1

M2

M3

M4

D

C

B

A E

F

G

H

Mix is an anonymity service [Chaum 1981]Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observerThe mix receives encrypted messages (e.g. email), decrypts them, and forwards to recipients

49

Mix (2)

Attacker can see the input and output of the mix

Attacker cannot see how messages are shuffled in the mix

Anonymity set = all nodes that could have sent (or could be recipients of) a particular message

MixEMix(F,M1)

EMix(H,M2)

EMix(G,M3)

EMix(E,M4)

M1

M2

M3

M4

D

C

B

A E

F

G

H

50

Mix (3)

MixEMix(F,M1)

EMix(H,M2)

EMix(G,M3)

EMix(E,M4)

M1

M2

M3

M4

D

C

B

A E

F

G

H

Two security requirements:Bitwise unlinkability of input and output messages — cryptographic property, must resist active attacksResistance to traffic analysis — add delay or inject dummy messages

Not just basic encryption! Resist adaptive chosen-ciphertext attacks (IND-CCA2 i.e. NM-CCA2)Replay prevention and integrity check needed at the mix

Examples of bad mix designs: Missing random initialization vector, padding or freshnessMalleable encryption, e.g. stream cipher, or no integrity checkFIFO order of delivering messages

51

Mixing in practiceThreshold mix — wait to receive k messages before delivering

Anonymity set size k

Pool mix — mix always buffers k messages, sends one when it receives oneBoth strategies add delay → high latencyNot all senders and receivers are always active

In a closed system, injecting cover traffic can fix this; in the Internet, not

Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections

Attacker can observe beginning and end of connectionsAttacker can observe requests and response pairs

→ statistical attacks

52

Who sends to whom?

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

D

C

B

A E

F

G

H

Round 1 Round 2 Round 3

Round 4 Round 5 Round 6

Round 7

D

C

B

A E

F

G

H D

C

B

A E

F

G

H

Round 8 Round 9

Threshold mix with threshold 3

53

Anonymity metricsSize of the anonymity set: k-anonymity

Suitable for one round of threshold mixing

Problems with k-anonymity:Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is highPool mix → k = ∞

Entropy: E = Σi=1…n (pi ∙ log2pi)Measures the amount of missing in information in bits: how much does the attacker not knowCan measure entropy of the sender, recipient etc.

Problems with measuring anonymity:Anonymity of individual messages vs. anonymity in a systemDepends on the attacker’s capabilities and background informationAnonymity usually degrades over time as attacker collects more statistics

54

Trusting the mix

The mix must be honest

Example: anonymous remailers for email

anon.penet.fi 1993–96

→ Route packets through multiple mixes to avoid single point of failure

Attacker must compromise all mixes on the route

Compromising almost all may reduce the size of the anonymity set

55

Mix network (1)

56

Mix network (2)

Mix network is just a distributed implementation of mix

57

Mix networksMix cascade — all messages from all senders are routed through the same sequence of mixes

Good anonymity, poor load balancing, poor reliability

Free routing — each message is routed independently via multiple mixesOther policies between these two extremes

But remember that the choice of mixes could be a weak identifier

Onion encryption:Alice → M1: EM1(M2,EM2(M3,EM3(Bob,M)))M1 → M2: EM2(M3,EM3(Bob,M))M2 → M3: EM3(Bob,M)M3 → Bob: M

Encryption at every layer must provide bitwise unlinkability → detect replays and check integrity→ for free routing, must keep message length constant

Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption

58

Sybil attackAttack against open systems which anyone can join

Mixes tend to be run by volunteers

Attacker creates a large number of seemingly independent nodes, e.g. 50% off all nodes → some routes will go through only attacker’s nodesDefence: increase the cost of joining the network:

Human verification that each mix is operated by a different person or organizationThe IP address of each mix must be in a new domainRequire good reputation of some kind that takes time and effort to establishSelect mixes in a route to be at diverse locations

Sybil attacks are a danger to most P2P systems, not just anonymous routing

E.g. reputation systems, content distribution

59

Other attacks

(n-1) attack

Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get though → easy to trace because all other packets are the attacker’s

Potential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection

Statistical attacks

Attacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns

60

Receiver anonymity

Alice distributes a reply onion: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K))))

Messages from Bob to Alice:

Bob → M3: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K)))), M

M3 → M2: EM2(M1,k2,EM1(Alice,k1,EAlice(K))), Ek3(M)

M2 → M1: EM1(Alice,k1,EAlice(K)), Ek2(Ek3(M))

M1 → Alice: EAlice(K), Ek1(Ek2(Ek3(M)))

Alice can be memoryless: ki = h(K, i)

Low-latency anonymous routing

61

62

Tor“2nd generation onion router”Mix networks are ok for email but too slow for interactive use like web browsingNew compromise between efficiency and anonymity:

No mixing at the onion routersAll packets in a session, in both directions, go through the same routers Short route, always three onion routersTunnels based on symmetric cryptographyNo cover trafficProtects against local observers at any part of the path, but vulnerable to a global attacker

More realistic attacker model: can control some nodes, can sniff some links, not everythingSOCKS interface at clients → works for any TCP connection

63

Tunnels in TorAlice OR1 OR2 OR3 Bob

Authenticated DH

Alice – OR1

Authenticated DH, Alice – OR2

K1

Encrypted with K1

K2

Authenticated DH, Alice – OR3Encrypted with K1, K2

Encrypted with K1, K2, K3

K3

[Danezis]

Last link unencrypted

Alice not authenticated,

only the ORs

K1

TCP connection Alice –Bob

K1,K2

K1,K2,K3

64

Tunnels in TorAlice OR1 OR2 OR3 Bob

Authenticated DH

Alice – OR1

Authenticated DH, Alice – OR2

K1

Encrypted with K1

K2

Authenticated DH, Alice – OR3Encrypted with K1, K2

Encrypted with K1, K2, K3

K3

[Danezis]

Last link unencrypted

Alice not authenticated,

only the ORs

K1

TCP connection Alice –Bob

K1,K2

K1,K2,K3 Additionally, linkwiseTLS connections:

Alice–OR1–OR2–OR3

65

Tor limitations (1)

Identifying packet streams is very easyPassive fingerprinting by packet size, timing

Active traffic shaping (stream watermarking)

→ Anonymity compromised if attacker can see or control the first and last link

Includes attackers who own the first and last OR→ longer routes do not help

If c is the fraction of compromised ORs, probability of compromise is c2

Why three routers?Out of habit?

Attacker in control of 1st or last router cannot immediately go and compromise the other when there is a middle router

66

Tor limitations (2)

Client must know the addresses and public keys of all onion routers

If client only knows a small subset of routers, it will always choose all three routers from this subset → implicit identifier

E.g. client knows 10 out of 1000 routers = 1% → Attacker in control of the last router can narrow down the client identity to (0.01)2 = 0.01% of all clients

→ Attacker in control of two last routers can narrow the client identity down to (0.01)3 = 0.0001% of all clients

Blacklisting of entry or exit nodes

67

Applications of anonymous routing

Censorship resistance, freedom or speech

Protection against discrimination, e.g. geographic access control or price differentiation

Business intelligence, police investigation, political and military intelligence

Whistle blowing, crime reporting

Electronic voting

Crime, forbidden and immoral activities?