
Defensive Measures for DDoS
By Farhan Mirza

Contents
- Survey Topics
- Introduction
- Common Targets of DoS Attacks
- DoS Tools
- Defensive Measures & Their Vulnerabilities
- Honeypot for DDoS
- Honeypot Implementation
- Issues & Concerns
- Conclusion

Survey Topics
- Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
- Paper 2: Honeypots for Distributed Denial of Service Attacks

Introduction
- DoS attacks: the "weapons of mass destruction" of the Internet
- They paralyze Internet systems with bogus traffic
- 4th major attack in 2001 (Computer Crime & Survey Report)

Attacks on Targets
- Attacking tools are becoming more offensive
- They are more difficult to discover and filter
- Powerful automatic scanning and observation of the target's vulnerabilities
- Methods used: TCP SYN, UDP and ICMP flooding, etc.
- Include viruses and worms: the MS-SQL Server worm, Code Red, etc.

Code Red Worm Attack

Common Targets of DoS Attacks
- Bandwidth DoS attacks
- Memory DoS attacks
- Computation DoS attacks

Bandwidth DoS Attacks
- Target: bandwidth
- Example: Slammer (the MS-SQL Server worm)
  - Self-propagating malicious code
  - Exploits multiple vulnerabilities in the SQL Server Resolution Service

Memory DoS Attacks
- Target: memory
- Backscatter analysis (Moore investigation):
  - 94% of DoS attacks occur over TCP
  - 49% of attacks are TCP SYN attacks targeting the 3-way handshake
  - 2% over UDP
  - 2% over ICMP

Memory DoS Attacks (cont.)
- Every TCP connection establishment requires an allocated memory resource
- Only a limited number of concurrent TCP half-open connections can be held
- An attacker can disable the service by sending an excessive number of connection requests with spoofed source addresses

Computation DoS Attacks
- Target: computational resources
- Example: database query attacks
  - A sequence of queries requesting the DBMS to execute complex commands, overwhelming the CPU

Software Bugs & Exploits
- Exploit on 7xx routers: connecting with Telnet and typing very long passwords
  - Effects: reboots the router; denies service to users during the reboot period

Software Bugs & Exploits (cont.)
- Smurf DoS bug: uses ICMP Echo Request packets with a spoofed source address
  - Effects: all machines on the subnet reply directly to the victim's address; congestion of the victim's network connection

DoS Tools
- Trin00
- TFN (Tribe Flood Network)
- Stacheldraht ("barbed wire")

Trin00
- Distributed attacking tool
- Installed on intermediate hosts using a buffer-overrun bug
- Compiled on Linux and Solaris operating systems
- Capable of generating UDP packets for the attack
- Target ports: 0 to 65534

TFN (Tribe Flood Network)
- Launches distributed denial of service attacks
- Installed on intermediate hosts, based on a buffer-overrun bug
- Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks
- Compiled on Linux and Solaris operating systems

Stacheldraht ("barbed wire")
- Combines features of Trin00 and TFN
- Capable of producing ICMP flood, SYN flood, UDP flood and Smurf attacks
- Sends ICMP, UDP and TCP SYN packets of sizes up to 1024 bytes against multiple victim hosts
- TCP SYN packets are generated against random ports taken from a selected range of port numbers

DDoS Pattern
1. Setting up a stolen account as a repository for attack tools
2. Scanning large address ranges for potentially vulnerable targets
3. Creating a script to perform the exploit and report the results
4. Choosing a subset of suitable compromised servers from the list
5. Script-automated installation of the needed tools on the compromised servers
6. Optional installation of a rootkit to hide the compromise

Defensive Measures: System Self-Defense
- Stop all unnecessary or non-essential system services and network ports
- Reduce the timeout period for simultaneous half-open connections
- Vulnerability:
  - Reconfiguration may delay, or even deny, legitimate access
  - May lead to an increase in resource usage

Packet Filtering
- The most popular defensive mechanism
- Selectively screens out suspicious or malicious packets
- Is itself a "deformed" DoS: it denies service to the packets it drops
- Vulnerability:
  - If manipulated or abused, it is the most convenient way to accomplish a DoS attack

Packet Filtering (cont.)
- Types of packet filtering
  - Egress/ingress filtering
    - Manages the flow into and out of the network
    - Ingress: used to block packets with spoofed source addresses
    - Egress: manages the flow of traffic as it leaves a network
  - Vulnerability: effective only if deployed at large scale
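The ingress/egress rules above, as an added Python example that is not part of the original presentation: inbound packets that claim one of the site's own addresses (or a private/loopback source) are dropped as spoofed, and outbound packets may leave only with a source that belongs to the site. The site prefix and the sample packets are constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefix for the protected site (an assumption for this example).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that are never valid on the Internet-facing side:
# private (RFC 1918), loopback and "this network" space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in": arriving from the Internet; "out": leaving the site


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_allows(pkt):
    """Inbound border rule: a packet arriving from the Internet must not claim one
    of our own addresses as its source and must not come from a bogon range.
    Both are the marks of spoofed flood traffic."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, SITE_PREFIXES):
        return False
    if _in_any(src, BOGON_PREFIXES):
        return False
    return True


def egress_allows(pkt):
    """Outbound border rule: only packets whose source belongs to this site may
    leave it, so a compromised internal host cannot join a spoofed-source flood."""
    return _in_any(ipaddress.ip_address(pkt.src), SITE_PREFIXES)


def apply_filter(packets):
    """Return (packet, verdict) pairs, applying the rule for each direction."""
    verdicts = []
    for pkt in packets:
        allowed = ingress_allows(pkt) if pkt.direction == "in" else egress_allows(pkt)
        verdicts.append((pkt, "pass" if allowed else "drop"))
    return verdicts


def constructed_sample():
    # Constructed traffic; none of it is captured data.
    return [
        Packet("198.51.100.7", "203.0.113.80", "in"),   # ordinary inbound client
        Packet("203.0.113.5", "203.0.113.80", "in"),    # inbound but claims our own address
        Packet("10.1.2.3", "203.0.113.80", "in"),       # inbound from private space
        Packet("203.0.113.9", "192.0.2.1", "out"),      # ordinary outbound reply
        Packet("192.0.2.250", "192.0.2.1", "out"),      # outbound with a foreign source
    ]
```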

Packet Filtering (Cont…)  Firewalls Victims network mechanism Victims network mechanism Enable a form of protection against SYN Flooding Enable a form of protection against SYN Flooding Examine packets and maintain connection and state information of session traffic Examine packets and maintain connection and state information of session traffic Configured as a relay, as a semi-transparent gateway Configured as a relay, as a semi-transparent gateway  Vulnerability Cause delays for every connection Cause delays for every connection Flood of 14k packets/sec can disable even specialized firewalls Flood of 14k packets/sec can disable even specialized firewalls

IP Traceback
- An effective and aggressive way to terminate DoS attacks at their sources
- Vulnerability:
  - Does not locate the attacker if the attacker is attacking through reflectors

State Monitoring
- Uses software agents to continuously monitor TCP/IP traffic in a network
- RealSecure:
  - Monitors the local network for SYN packets that are not acknowledged within a user-defined period of time
- Vulnerability:
  - Needs to maintain a tremendous amount of state to determine which packets are malicious, consuming system resources
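The half-open connection table described on the memory DoS slides, the "reduce the timeout" countermeasure and RealSecure's unacknowledged-SYN rule, combined in one added Python model that is not part of the original presentation. It replays a constructed trace of spoofed SYNs followed by one legitimate client; the timeout, backlog size and alert threshold are assumed values chosen for the demonstration, and the same trace shows both the cost of a long timeout (the legitimate client is refused) and how much state the monitor itself must keep.

```python
from dataclasses import dataclass


@dataclass
class Event:
    t: float     # seconds since start of trace
    src: str     # client source address
    sport: int   # client source port
    flag: str    # "SYN": handshake request; "ACK": client completes the handshake


class HalfOpenTracker:
    """Server-side table of half-open connections (SYN seen, ACK not yet seen),
    plus the monitoring rule "SYN not acknowledged within `timeout` seconds"."""

    def __init__(self, timeout, backlog):
        self.timeout = timeout    # seconds a half-open entry is kept
        self.backlog = backlog    # maximum simultaneous half-open entries
        self.half_open = {}       # (src, sport) -> time the SYN arrived
        self.established = self.rejected = self.expired = self.peak = 0

    def _expire(self, now):
        # Entries whose SYN was never acknowledged within the timeout are dropped;
        # the monitor counts them as suspicious, unacknowledged SYNs.
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def process(self, ev):
        self._expire(ev.t)
        key = (ev.src, ev.sport)
        if ev.flag == "SYN":
            if key in self.half_open:
                return "retransmit"
            if len(self.half_open) >= self.backlog:   # memory exhausted: refuse
                self.rejected += 1
                return "rejected"
            self.half_open[key] = ev.t
            self.peak = max(self.peak, len(self.half_open))
            return "half-open"
        if ev.flag == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.established += 1
            return "established"
        return "ignored"

    def summary(self, alert_threshold=10):
        unacked = self.expired + len(self.half_open)   # state the monitor had to hold
        return {"established": self.established, "rejected": self.rejected,
                "expired": self.expired, "peak_half_open": self.peak,
                "syn_flood_suspected": unacked >= alert_threshold}


def replay(events, timeout, backlog):
    tracker = HalfOpenTracker(timeout, backlog)
    for ev in sorted(events, key=lambda e: e.t):
        tracker.process(ev)
    return tracker.summary()


def constructed_trace():
    # Constructed: 20 SYNs from 20 distinct spoofed sources in the first two
    # seconds, never completed, then one legitimate client at t=5 that finishes.
    events = [Event(0.1 * i, f"192.0.2.{i + 1}", 40000 + i, "SYN") for i in range(20)]
    events.append(Event(5.0, "198.51.100.10", 51000, "SYN"))
    events.append(Event(5.05, "198.51.100.10", 51000, "ACK"))
    return events
```

With a 60-second timeout the backlog of 16 is still full when the legitimate client arrives, so it is refused; with a 3-second timeout the spoofed entries have expired and the client connects, at the cost of the backlog having been exhausted for those three seconds.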

Resource Allocation Control
- Prevents exhaustion of the victim's resources by limiting the resource allocation and usage of each user or service
- Class Based Queuing:
  - Configures different traffic priority queues and rules that determine which packets go into which queue
- Vulnerability:
  - Under a DoS attack, cannot determine which packets belong to the same user or service for sharing a quota or resources

Congestion Control
- Network congestion: a reduction in network throughput
- Pushback
  - A mechanism for defending against DDoS attacks
  - Identifies most of the malicious packets, based on Aggregate-based Congestion Control
- Vulnerability:
  - Not an effective method for blocking bad traffic under a typical DDoS attack
  - Cannot differentiate good and bad traffic and drops them equally

Active Networks
- Programs can perform customized computations and manipulations
- Allow users to inject customized programs into the nodes of the network
- Active edge-tagging:
  - One example: it tags the actual source IP address into the active-network layer header of each incoming packet from a host at the first-hop router
- Vulnerability:
  - Active networks pose serious security threats, since they are designed to run executable code on remote hosts

Bandwidth Overhead of Defensive Measures

Memory Overhead of Defensive Measures

Computational Overhead of Defensive Measures

Attacks on Defensive Measures: Assumption vs. Reality
- Firewalls
  - Assumption: invincible, with unlimited resources
  - Reality: still limited, and a single point of failure or bottleneck
- Network congestion
  - Assumption: control messages are delivered to their destination efficiently and successfully
  - Reality: control messages may be dropped or lost during transmission
- Defensive devices
  - Assumption: will not be targeted by the attacker
  - Reality: many are vulnerable to attack
- Network devices
  - Assumption: trustworthy; control messages will not be tampered with, eavesdropped or forged
  - Reality: control messages might be tampered with, eavesdropped or forged

Honeypot for DDoS
- Advantages of the system:
  - Defends the operational network with high probability against DDoS and new variants
  - Traps the attacker and records the compromise, to help in legal action against the attacker
- Devised system:
  - Implemented to lure the attacker into believing he has successfully compromised the system
  - Used to learn the tactics, tools, methods and motives of an attacker in order to secure the system

Characterization
- Should be a replica of the operational system
- Consists of similar systems and applications
- Services such as Web, Mail, FTP and DNS should be accessible to the attacker
- Must be located in a DMZ

Local Network Protection
- Must be located in another zone, protected by a firewall
- Encrypted transmission inside the LAN
- Clients run a trusted OS
- Services are managed by an indirect authentication method (Kerberos)
- Detection systems such as a host-based IDS and a vulnerability scanner must be running

Honeypot Implementation in Organization

View for an Attacker

Issues To Be Resolved
- The attack must be detectable
- Attack packets must be actively directed to the honeypot
- The honeypot must be able to simulate the organization's network infrastructure

Concerns & Issues
- Not a good idea in a real operational environment
- Requires expertise
- A small configuration mistake or loophole will create a disaster
- Difficult to distinguish regular users from attackers in most cases
- Uses a DDoS-signature-type method during authentication, which is not as effective, especially for first-time authentication
- Hard to identify the culprit when the attacker is using a compromised system
- VPN and PKI as proposed: how do the two environments work together?

Conclusion
- Attacking and defending networks is like a game
- Defensive measures are not always secure, and valuable data is at risk with small effort from the attacker
- Honeypots are a promising tool for luring attackers in DDoS attacks
- To secure our network, defensive measures applied with proper knowledge and expertise are required