Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services
What is Denial of Service? Attempts to make a Web resources unavailable to legitimate users Attacks flooding a network, creating congestion and blocking Disrupting connections between two machines Why are such attacks launched? Purpose is often to knock web services off Hacker may need to masquerade as a server or workstation and needs to remove that machine from the network
A typical Website configuration Vulnerable points The Router The Firewall The Load Balancer The Webserver The Backend Database servers
Other Vulnerabilities …. Part of system attacked — A malicious packet could disrupt functioning of CPU or network card or can overload ethernet link, based on limitation of hardware OS or TCP/IP stack — Definite limitations of protocol can be exploited to launch attacks, example SYN attacks. Bugs or overload — Bugs in a system make it open to attack but they can be fixed, fundamental limitations of protocols require system wide changes which are difficult to implement. Example of Cisco 7xxx routers where a long password would lead to buffer overflow attscks
DdoS Attacks Attacker uses client tools that controls handlers which in turn launch daemons. Client tools like scan- ners help in identifying vulnerabilities A script is run on a set of vulnerable machines. From this set of comp- romised machines DdoS handlers and daemons Are created. This script production is automated so that it can be produced in more systems to compromise many systems in short span of time
Defenses against DoS and DdoS General Requirements of Defense framework: The framework has to be general since attacks can be over multiple platforms. Security holes should not be exploitable by DoS attacks. Instead fault tolerance and confidentiality should be built in so that an attack can be foiled.
Case study of a classic DoS attack The attack on GRC.com in Jan flooded the two T-1 trunks connecting the Verio aggregate router to the GRC internal router. Valid webservice requests were not able to reach the webserver after competing with bogus packets, so the webserver was knocked off
Analysis of the DoS attack case Most of the SYN/ACK packets had BGP address 179, and other port no.s like 23(telnet), 22(ssh), 53(dns) and 80(http).. This showed that attacker had spoofed IP address of GRC.com and used that to bounce off several webservers, towards GRC.com The fanning effect of malicious packets leaving the attacker m/c, reflecting from several webservers towards GRC.com flooded the network and took it off air for several hours.
A comprehensive solution for a Website Use Linux kernel 2.6 as base for all systems as backlog queue for system is 128 entries and TCP SYN cookies is enabled. Linux Virtual Server as Load Balancer for max. performance and protection against overload IP tables firewall — Filter incoming packets against security rules.
A comprehensive solution for a Website(contd..) Class based Queuing and Traffic Monitor — Queues of packets are formed, each queue assigned a priority and bandwidth. Overload conditions are detected by the Traffic Monitor and packets from a source with more load are relegated to queue of lower priority.
Evaluation of Performance Tests Webserver was attacked by 8 hosts Attack was done by TCP SYN floods --Handled by Linux SYN cookies/backlog queue HTTP overloading and ICMP flooding --Handled by Class Based Queuing/Traffic Monitoring
References Frank Kargl, Joern Maier, Michael Weber; Protecting web servers from Distributed Denial of Service Attacks, Proceedings of the 10th international conference on World Wide Web WWW '01, Publisher: ACM Press Wang, B.-T.; Schulzrinne, H.; Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures Global Telecommunications conference 2003,GLOBECOM ’ 03, IEEE, Volume 3, 1-5 Dec Page(s): vol.3
Thank You!