Presentation transcript:

DOS

Overview
– Denial of Service (DoS) is the act of performing an attack which prevents the system from providing services to legitimate users.
– When successful, the targeted host may stop providing any service, provide limited services only, or provide services to some users only.

Overview
DoS can be achieved in various ways:
– Application Crashing
  – Memory Access Violation (Buffer Overflow)
  – Various Exceptions
– Data Destruction
– Resource Depletion
  – Memory
  – CPU
  – Bandwidth
  – Disk Space

Application Crashing
– A common way of performing a Denial of Service attack.
– In many cases, certain types of input yield an error the application did not anticipate, and cause it to crash:
  – Buffer Overflows
  – Malformed data causing a parser exception, terminating with an error
  – SQL Injection (; shutdown --)

Data Destruction
– One way to cause a DoS attack is by tampering with the data instead of the service itself.
– If a site is vulnerable to SQL Injection, for instance, it may be possible to DELETE all data from all tables.
– Although the Web site will keep being ‘online’, it will actually be useless without the information from the Database.

Data Destruction
 Intentional User Lock
–Any web application login page
–Taking advantage of the application security mechanisms to cause DoS by abusing the login failure user lock mechanism
–Intentionally failing multiple login attempts with each possible username will eventually result in DoS, since all the application users will be locked
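One mitigation for the lockout abuse described above, added here as an example and not part of the original slides: throttle by source address rather than locking the account itself, so that failing a login as every known username only blocks the attacker's source. The policy values and addresses are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example; tune them per application.
MAX_FAILURES = 5            # failures tolerated per source within the window
WINDOW_SECONDS = 300        # sliding window for counting failures
SOURCE_BLOCK_SECONDS = 600  # how long a throttled source stays blocked

class LoginThrottle:
    """Throttle by source address instead of locking the account itself, so
    failing a login as every known username locks out only the attacker."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._fails = defaultdict(deque)   # source -> failure timestamps
        self._blocked_until = {}           # source -> time the block expires

    def _prune(self, source, now):
        q = self._fails[source]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def allow(self, source):
        now = self.clock()
        if now < self._blocked_until.get(source, 0):
            return False
        self._prune(source, now)
        return len(self._fails[source]) < MAX_FAILURES

    def record_failure(self, source):
        now = self.clock()
        self._fails[source].append(now)
        self._prune(source, now)
        if len(self._fails[source]) >= MAX_FAILURES:
            self._blocked_until[source] = now + SOURCE_BLOCK_SECONDS

    def record_success(self, source):
        self._fails.pop(source, None)

def simulate_lock_abuse():
    """Constructed scenario: an attacker at 198.51.100.7 fails a login for every
    username it knows; a legitimate user at 203.0.113.5 must still get through.
    Returns (attacker still allowed, legitimate source still allowed)."""
    throttle = LoginThrottle(clock=lambda: 1000.0)   # fixed clock for determinism
    attacker, legit = "198.51.100.7", "203.0.113.5"
    for _username in ("alice", "bob", "carol", "dave", "erin", "frank"):
        if throttle.allow(attacker):
            throttle.record_failure(attacker)         # wrong password for _username
    return throttle.allow(attacker), throttle.allow(legit)
```

Per-account protection still belongs alongside this (a short, expiring delay or a CAPTCHA after repeated failures), but never an indefinite lock that any unauthenticated client can trigger.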

Resource Depletion
 Sophisticated attacks pinpoint the weak points of the application to achieve maximum effect using minimal resources
 CPU Consumption
–An attacker can easily create complicated regular expressions which consume a lot of CPU each time a search is initiated
–The attacker then writes a script to launch this request over and over again
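A defensive check for the CPU-consumption case above, added as an example and not taken from the slides: before accepting a user-supplied search pattern, reject the classic catastrophic-backtracking shape in which a group that contains an unbounded repeat is itself repeated, such as `(a+)+`. It is a heuristic (it does not catch every slow pattern, e.g. `(a|aa)+`), and the function name is the example's own.

```python
import re

_OPEN_ENDED_BRACE = re.compile(r"\{\d*,\}")   # {m,} with no upper bound

def _unbounded_at(pattern, j):
    """True if an unbounded quantifier (+, * or {m,}) starts at index j."""
    if j >= len(pattern):
        return False
    if pattern[j] in "+*":
        return True
    return _OPEN_ENDED_BRACE.match(pattern, j) is not None

def has_nested_unbounded_repeat(pattern):
    """Heuristic ReDoS check: True when a parenthesised group that contains an
    unbounded quantifier is itself followed by an unbounded quantifier, the
    (x+)+ / (x*)* shape that backtracks exponentially on non-matching input."""
    stack = []            # one flag per open group: has it contained +, * or {m,}?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                         # escaped character: skip both chars
            i += 2
            continue
        if c == "[":                          # character class: skip to closing ]
            j = pattern.find("]", i + 2)      # i + 2 allows a leading literal ]
            i = n if j == -1 else j + 1
            continue
        if c == "(":
            stack.append(False)
        elif c == ")":
            inner = stack.pop() if stack else False
            if inner and _unbounded_at(pattern, i + 1):
                return True
            if stack and inner:               # propagate to the enclosing group
                stack[-1] = True
        elif stack and _unbounded_at(pattern, i):
            stack[-1] = True                  # innermost open group has a repeat
        i += 1
    return False
```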

Resource Depletion
 CPU Consumption – The SQL Injection version
–When SQL Injection is possible, it can be used for DoS even without permissions to Shutdown or Delete
–Creating very intense nested queries does the trick.

Resource Depletion
 Memory Consumption
–A Web Mail Application
–Allows uploading files for attachment
–All attachments are stored in the application’s memory until the ‘Send’ button is pressed
–There is no limitation on the size or number of attachments
–Assuming the hacker has a lot of bandwidth, the hacker can upload thousands of attachments, consuming all free memory in the machine

Resource Depletion
 Disk Consumption
–Any web application
–Detailed logging is used for each application error
–An attacker identifies a light-weight request which can generate a few KB of log
–The attacker then repeats this until the Disk is full
–Application behavior once the Disk is full is unexpected:
  –The application might terminate when it is not able to write to a file
  –If the files are located on the system partitions, the entire machine might crash
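Two controls for the disk-consumption case above, shown together as an added example (not code from the slides): a logging filter that drops repeats of the same error template beyond a per-window budget, and size-capped log rotation so total disk use is bounded regardless. The scenario, addresses and limits are constructed.

```python
import logging
import logging.handlers
import os
import tempfile
import time
from collections import defaultdict

class BurstLimitFilter(logging.Filter):
    """Drop records beyond max_per_window per (logger, level, message template)
    in each window, so a repeated cheap failing request cannot fill the disk."""

    def __init__(self, max_per_window=20, window_seconds=60.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window, self.window, self.clock = max_per_window, window_seconds, clock
        self._counts = defaultdict(int)
        self._window_start = clock()
        self.suppressed = 0   # dropped records; report this count periodically

    def filter(self, record):
        now = self.clock()
        if now - self._window_start >= self.window:
            self._counts.clear()
            self._window_start = now
        key = (record.name, record.levelno, record.msg)   # template, not formatted text
        self._counts[key] += 1
        if self._counts[key] > self.max_per_window:
            self.suppressed += 1
            return False
        return True

def build_logger(path, max_bytes=5 * 1024 * 1024, backups=3, **filter_kw):
    """Rotation caps disk use at max_bytes * (backups + 1); the filter caps the
    write rate. Keep `path` on a data partition, not the system partition."""
    logger = logging.getLogger("app")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    handler = logging.handlers.RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
    flt = BurstLimitFilter(**filter_kw)
    handler.addFilter(flt)
    logger.addHandler(handler)
    return logger, flt

def simulate_error_burst(requests=1000):
    """Constructed scenario: one client repeats a request that logs a ~500-byte
    error. Returns (records suppressed, bytes actually written)."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    logger, flt = build_logger(path, max_per_window=20, window_seconds=60.0)
    for _ in range(requests):
        logger.error("malformed request from %s: %r", "198.51.100.7", "x" * 500)
    logger.handlers[0].close()
    return flt.suppressed, os.path.getsize(path)
```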

Resource Depletion
 Network Consumption
–Any web application
–Attacker has a wide Internet connection
–Attacker identifies small requests which result in large amounts of data (Display all items in system)
–Attacker can then launch the request over and over again, causing the database to send large amounts of data back to the web server in each request (potentially exhausting the connection pool as well)

DoS Types
TCP DoS Attacks
–LAND – a series of SYN packets that cause the system to crash and/or restart. For example, packets where src address = dest address may crash some OSes with the vulnerability. Newer Windows and Linux versions have been improved to prevent the LAND attack.
–Teardrop – re-assembly of fragmented packets that are bigger or smaller than they are supposed to be will cause the system to crash or stop a certain service.
–TCP SYN – many 3-way handshakes that consume system resources => system crashes or simply does not respond (out of memory).
UDP DoS Attack
–Fraggle – similar to TCP SYN but with UDP.
ICMP DoS Attacks
–Ping of Death – a small ICMP echo request causes the server to respond with an echo reply. The attack packet adds data in the Option Data field to make the packet very big. The victim’s resources are consumed by the reply packets (i.e. it needs to resend when there is no response), causing significant resource starvation. In some cases the packet size is more than 65535 bytes, causing the system to crash. Newer OSes have fixed this problem.
–Smurf – uses IP spoofing, which causes a flood of echo reply packets.
DNS Reply Flooding

Why this problem? Because it's the protocol … the three-way handshake

Three-way handshake?

Three-way handshake in the TCP Protocol
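Why the handshake is the problem, and the standard fix, as an added example that is not part of the slides: a stateful listener spends a backlog slot on every SYN until the third packet arrives, which spoofed SYNs exhaust; a SYN cookie instead derives the server's initial sequence number from a keyed hash of the connection and a time slot, so nothing is stored until a valid ACK returns. The secret, MSS table, addresses and time slot are constructed for this simulation.

```python
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-me"   # placeholder; a real listener rotates this
MSS_TABLE = (536, 1220, 1460, 4460)          # MSS values encoded in the cookie's low 2 bits

class HalfOpenTable:
    """Stateful listener: every SYN occupies a backlog slot until its ACK arrives
    or a timeout fires, which is exactly what a SYN flood exhausts."""
    def __init__(self, backlog):
        self.backlog, self.pending = backlog, {}

    def on_syn(self, src, sport, client_seq):
        if len(self.pending) >= self.backlog:
            return None                              # backlog full: SYN dropped
        isn = hash((src, sport, client_seq)) & 0xFFFFFFFF
        self.pending[(src, sport)] = isn
        return isn

def syn_cookie(src, sport, dst, dport, mss_idx, minute):
    """Stateless alternative: the ISN is an HMAC over the 4-tuple and the time
    slot, with the MSS index in the low 2 bits, so no per-SYN state is kept."""
    msg = f"{src}:{sport}>{dst}:{dport}|{minute}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (int.from_bytes(mac[:4], "big") & 0xFFFFFFFC) | (mss_idx & 3)

def verify_cookie(src, sport, dst, dport, ack, minute):
    """On the final ACK, recompute for this and the previous minute; return the
    negotiated MSS if the cookie checks out, else None (ACK is silently dropped)."""
    isn = (ack - 1) & 0xFFFFFFFF
    for m in (minute, minute - 1):
        if syn_cookie(src, sport, dst, dport, isn & 3, m) == isn:
            return MSS_TABLE[isn & 3]
    return None

def simulate_flood(backlog=128, flood_syns=10_000):
    """Constructed flood of spoofed SYNs against a stateful backlog, then one real
    client. Returns (stateful client served, cookie client served, forged ACK served)."""
    table = HalfOpenTable(backlog)
    for i in range(flood_syns):
        table.on_syn(f"10.0.{(i >> 8) & 255}.{i & 255}", 40000 + i % 20000, i)
    stateful_ok = table.on_syn("203.0.113.5", 51515, 7) is not None
    srv = ("192.0.2.10", 443)
    minute = 12345                                      # time slot when the SYN arrived
    isn = syn_cookie("203.0.113.5", 51515, *srv, 2, minute)
    cookie_ok = verify_cookie("203.0.113.5", 51515, *srv, isn + 1, minute) == 1460
    forged_ok = verify_cookie("203.0.113.5", 51515, *srv, 0x12345678, minute) is not None
    return stateful_ok, cookie_ok, forged_ok
```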

DoS Methods

Method              | Attack packets                              | Reply packets
Smurf               | ICMP echo queries to broadcast address      | ICMP echo replies
SYN flooding        | TCP SYN packets                             | TCP SYN ACK packets
RST flooding        | TCP packets to closed ports                 | TCP RST packets
ICMP flooding       | ICMP queries                                | ICMP replies
                    | UDP packets to closed ports                 | Port unreachable
                    | IP packets with low TTL                     | Time exceeded
DNS reply flooding  | DNS queries (recursive) to DNS servers      | DNS replies
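Detection logic for the packet signatures from the DoS Types slide and the table above, added here as an example (not from the slides): it flags LAND (src = dst), Smurf (echo request to a broadcast address), Ping of Death (reassembled length over the IP maximum) and a SYN rate spike per destination. The packet records, broadcast convention and threshold are constructed.

```python
from collections import Counter

# Constructed packet summaries, as a sensor or pcap parser might emit them;
# "len" is the reassembled IP datagram length. Not captured traffic.
PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "flags": "S", "dport": 80, "len": 40},
    {"src": "203.0.113.7", "dst": "192.0.2.255", "proto": "icmp", "type": 8, "len": 64},
    {"src": "198.51.100.3", "dst": "192.0.2.10", "proto": "icmp", "type": 8, "len": 65600},
] + [
    {"src": f"10.9.{i >> 8}.{i & 255}", "dst": "192.0.2.10", "proto": "tcp", "flags": "S",
     "dport": 443, "len": 40}
    for i in range(300)
]

BROADCAST_SUFFIX = ".255"   # assumption: /24 directed-broadcast addresses
SYN_THRESHOLD = 200         # SYNs to one destination per window (constructed value)
MAX_IP_DATAGRAM = 65535     # largest legal IP packet; bigger means an oversized ping

def classify(packets):
    """Return (signature, address) alerts for the attacks in the slides:
    LAND, Smurf, Ping of Death and SYN flooding."""
    alerts = []
    syns_per_dst = Counter()
    for p in packets:
        if p["src"] == p["dst"]:
            alerts.append(("LAND", p["src"]))
        if p["proto"] == "icmp" and p.get("type") == 8:          # echo request
            if p["dst"].endswith(BROADCAST_SUFFIX):
                alerts.append(("Smurf", p["src"]))               # amplifier abuse
            if p["len"] > MAX_IP_DATAGRAM:
                alerts.append(("PingOfDeath", p["src"]))
        flags = p.get("flags", "")
        if p["proto"] == "tcp" and "S" in flags and "A" not in flags:   # bare SYN
            syns_per_dst[p["dst"]] += 1
    for dst, n in syns_per_dst.items():
        if n > SYN_THRESHOLD:
            alerts.append(("SYN flood", dst))
    return alerts
```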

DDoS
– An attacker finds a group of computers that he/she can break into (installing software and running programs)
– This collection of computers is then taken over and turned into “zombies”
– The zombies flood a web site with requests
– Legitimate requests are blocked

Distributed Denial of Service (DDoS)
(diagram: Real Attacker → Master → Daemon → Victim)
– Asymmetry comes in the form of a large farm of machines.
– IP addresses no longer need to be spoofed

February 2000: DDoS
– Traditional protection techniques no longer applicable.

DDoS Attack: Yahoo!
– February 2000
– Intermittent outages for nearly three hours
– Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack
– Attacker caught and successfully prosecuted
– Other companies (eBay, CNN) attacked in the same way the following days

DDoS Attack: Microsoft
– Target of multiple DDoS attacks
– Some successful, some not
– Successful one in January 2001
– Attacked router in front of Microsoft’s DNS servers
– During attack, as few as 2% of web page requests were being fulfilled

DDoS Attack: DNS Root Servers
– October 2002, for 1 hour
– Ping flood to all 13 of the DNS root servers
– Successfully halted operations on 9 of them
– Did not cause major impact on Internet DNS
– NS record caching at local resolvers helped
– Several root servers are very well-provisioned

DDoS: Setting up the Infrastructure
– Zombies
  – Slow-spreading installations can be difficult to detect
  – Can be spread quickly with worms
– Indirection makes attacker harder to locate
– No need to spoof IP addresses

What is a Worm?
– Code that replicates and propagates across the network
– Often carries a “payload”
– Usually spread via exploiting flaws in open services
– “Viruses” require user action to spread
– First worm: Robert Morris, November % of all Internet hosts infected (!)
– Many more since, but none on that scale until July 2001

Example Worm: Code Red
– Initial version: July 13, 2001
– Exploited known ISAPI vulnerability in Microsoft IIS Web servers
– 1st through 20th of each month: spread
– 20th through end of each month: attack
– Payload: Web site defacement
– Scanning: Random IP addresses
– Bug: failure to seed random number generator

Why Denial-of-Service “Works”
– Asymmetry: generating a request is cheaper than formulating a response
– One attack machine can generate a lot of requests, and effectively multiply its power
– Not always possible to achieve this asymmetry

Defense
 There are techniques to avoid some DoS attacks at the code level:
–Perform thorough input validation. Expect the worst!
–Avoid highly CPU-consuming operations
–Try to create as few bottlenecks as possible
–Avoid operations which must wait for completion of large tasks to proceed
–Split operations into chunks
–Set timeouts for operations that take an unreasonable time
 Prepare for performance peaks
–More Load Balancing
–Caching
 Always separate the data disks from the System disks

Defense Example
Put a limit on ping to prevent flood pings:
# accept at most one echo request per second on eth0; the excess falls through to later rules, so a matching DROP rule should follow
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
Defense for SYN flood attacks (-m limit sets the maximum rate of SYN packets):
# accept at most five SYNs per second on eth0; again, a following DROP rule for -p tcp --syn catches the rest
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
(*sorry, example just in GNU/Linux)