Denial of Service Attacks
Ben Schmidt
University of Tulsa, Tulsa, Oklahoma
Denial of Service Defined
Denial of Service Attack (DoS)
– Any attack that attempts to prevent legitimate users from accessing a service, thus violating the principle of availability.
Distributed Denial of Service Attack (DDoS)
– Any attack that uses multiple computers, acting in unison, to cause a denial of service situation.
Types of Denial of Service
Software Flaws
– Usually “one-off” vulnerabilities
– Require little effort to exploit once found
  Ex. Non-exploitable memory issues, control flow errors
  Famous examples: Ping of death, Teardrop, Windows device files
Resource Exhaustion
– Attempt to overwhelm a specific computing resource
  CPU, memory, bandwidth, and thread pools are common targets
  Ex. SYN/UDP/ICMP floods, HTTP slow POST, etc.
– Difficult to defend against, given a large number of attackers
  Made much worse by amplification attacks (e.g. smurf)
Types of Denial of Service (cont.)
Communication Channel Disruption
– Attacks the infrastructure carrying the data
– Ex. Cutting cables, modifying routes, TCP reset spoofing
– If an attacker has this capability, nearly impossible to defeat
DoS: A History
Software Flaws
– Been around for most of computing history
– In the early days, very simple to execute
  Reference a device file on Windows, set the URG pointer in a TCP packet
– Flaws have since become slightly more complicated
Communication Channel Disruption
– Not as prevalent, but has been used for censorship in recent years
– China blocking connections, modifying routes, etc.
– Routes dropped during unrest in the Middle East in
DDoS: A History
Resource Exhaustion
– Became prevalent as simple DoS attacks became more difficult
– IRC wars fueled the building of botnets to attack rival servers
– First documented attack in 1999 on the University of Minnesota
– Greatly expanded the following year
  Yahoo, Amazon, Buy.com, CNN, and eBay all taken down in 2000
– Since then, has become a constant threat
– Fueled an arms race in malware to cash in on blackmail scams
– Even used in real life conflicts -> Estonia + Georgia
– Wikileaks/Anonymous attacks most recent news
DoS Attacks Explained
Software Flaws
– Ping of death – oversized ICMP packets
– Teardrop – mangled IP fragments
– Winnuke – exploits URG pointer vulnerability in Netbios
– Can all be exploited with packet manipulation tools
– Most bugs are application/device specific
Communication Disruption
– ARP/DNS blackholes
– Compromising/attacking routers (Cisco torch)
– BGP manipulation
– PDoS (Permanent denial of service)
– Explosions/bullets/knives/fire/water/Thor
DDoS Attacks Explained
DDoS
– SYN flooding
  Exploits the TCP 3-way handshake by sending a massive number of SYNs
– Smurf attacks
  Spoof ICMP echo request to broadcast, from target
– DNS amplification attacks
  Spoof short DNS requests from target that have long responses
– Slowloris uses slow POST technique to attack web servers
– HTML 5 CORS attack hijacks browsers to make requests
– Simply making large numbers of legitimate requests
DoS Mitigation
Software flaws
– Usually quite simple to defend against (if you can)
– Appropriate firewall rules, updating software, and IPS
– Should already be doing these things anyway
– 0-day flaws could still cause serious problems
Communication Disruption
– Protect ARP tables and DNS records
– Attacks against external infrastructure beyond control
  Generally must rely on ISP to ensure connectivity
– Mesh networks might make these attacks more difficult
– Host in multiple locations
DDoS Mitigation
Bandwidth
– Isolate bandwidth intensive services, if possible
  Content delivery networks
– Get more bandwidth
– Smurf attacks and DNS amplification
  Report misconfigurations to network administrators
– Try to work with ISP to coordinate blocking of traffic
CPU/Memory
– Write/use efficient code
– Disable all unnecessary services
– Use caching whenever possible
– Faster server / more memory
DDoS Mitigation (cont.)
Thread pool / application resource attacks
– SYN Floods (layer 3)
  Most *nix OSs
  – SYN cookies – used by default on most systems
  – echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  Windows
  – Add a SynAttackProtect DWORD value set to 2 in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  – Set TcpMaxHalfOpen to 100 or less, TcpMaxHalfOpenRetired to 200 or less, and TcpMaxPortsExhausted to 5 or less
  Also helpful to increase the backlog queue and decrease the time and number of retransmission attempts
  Hardware appliances that implement these features
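The Linux side of the slide above, as an added audit script that is not part of the original deck: it reads the SYN cookie, backlog queue and SYN-ACK retransmission knobs (real sysctl names under /proc/sys/net/ipv4) and reports which are still weak. The thresholds for the backlog (1024) and retries (3) are assumptions chosen for illustration, not values the slides prescribe; the directory argument lets it run against a constructed tree as well as the live kernel.

```sh
#!/bin/sh
# Added example, not from the slides. Audits the SYN-flood sysctl knobs
# the slide names. Reads from $1 (default /proc/sys/net/ipv4) so a copied
# or constructed tree can be checked offline. Thresholds are assumptions.

# read_knob DIR NAME: print the value stored in DIR/NAME, or "missing".
read_knob() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

# audit_syn_hardening [DIR]: print one line per knob; the return value is
# the number of weak settings, so 0 means every check passed.
audit_syn_hardening() {
    dir="${1:-/proc/sys/net/ipv4}"
    weak=0

    # SYN cookies keep the kernel accepting connections after the
    # half-open queue fills (the slide's "echo 1 > tcp_syncookies").
    v=$(read_knob "$dir" tcp_syncookies)
    case "$v" in
        1|2) echo "tcp_syncookies=$v OK" ;;
        *)   echo "tcp_syncookies=$v WEAK (expected 1)"; weak=$((weak + 1)) ;;
    esac

    # A larger backlog queue absorbs more half-open connections
    # before cookies are needed (assumed floor: 1024).
    v=$(read_knob "$dir" tcp_max_syn_backlog)
    if [ "$v" != missing ] && [ "$v" -ge 1024 ] 2>/dev/null; then
        echo "tcp_max_syn_backlog=$v OK"
    else
        echo "tcp_max_syn_backlog=$v WEAK (expected >= 1024)"; weak=$((weak + 1))
    fi

    # Fewer SYN-ACK retransmissions free half-open entries sooner
    # (assumed ceiling: 3).
    v=$(read_knob "$dir" tcp_synack_retries)
    if [ "$v" != missing ] && [ "$v" -le 3 ] 2>/dev/null; then
        echo "tcp_synack_retries=$v OK"
    else
        echo "tcp_synack_retries=$v WEAK (expected <= 3)"; weak=$((weak + 1))
    fi

    return "$weak"
}
```

Run as `audit_syn_hardening` on a live host, or `audit_syn_hardening /path/to/copied/ipv4` against a saved tree; a non-zero exit code means at least one knob needs attention.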
DDoS Mitigation (cont.)
Thread pool / application resource (cont.)
– HTTP attacks (or, generally, layer 7)
  Use a WAF (mod_evasive, mod_security), fail2ban, or comparable
  Lower timeout values
  Caching / reverse proxies
  Per-IP connection rate limiting
  mod_rewrite (or similar) for some smaller attacks
Conclusions
Denial of service attacks aren’t going away
Not all can be defended against, but many can
With precautions, most can be mitigated
Understanding of the threats is critical
Questions?