1. Distributed Denial-of-Services (DDoS) Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8

2. Reading Group # 8 – DDoS Papers  F. Kargl, J. Maier, M. Weber “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001  V. Paxson, “An Analysis of Using Reflectors for Distributed Denail-of-Service Attacks”, CCR vol. 31, no. 3, July 2001  Catherine Meadows, “A cost-based framework for analysis of denial of service in network”, Journal of Computer Security, 9(1—2):143-164, 20012

3. Classification of IT Attacks Denial of Service (DoS)  Main goal of the attack is the disruption of service Intrusion  Intension is simply to get access to system and to circumvent certain barriers Information Theft  Main goal of attack is access to restricted, sensitive information Modification  Attacker tries to alter information.

4. Definition of DoS WWW Security FAQ (http://www.w3.org/Security/FAQ)http://www.w3.org/Security/FAQ  … an attack designed to render a computer or network incapable of providing normal services … J.D. Howard (http://www.cert.org)http://www.cert.org  … Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied...

5. Definition of DDoS WWW Security FAQ (http://www.w3.org/ Security/FAQ)http://www.w3.org/ Security/FAQ  … A Distributed Denial of Service attack uses many computer to launch a coordinated DoS attack against one or more targets. …

6. DoS attack Classification System Attacked  Router  Firewall  Load-balancer  Individual web server  Supporting services (i.e. database servers) Part of the system attacked  Hardware failure  OS or TCP/IP stack of host/router  Application level (i.e. web server, database servers) Bug or overload  Bugs  Overload

7. DoS attack Classification Example  Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2)  Jolt2 – targeting most Microsoft Windows Systems (98/NT4/2000)  MIIS version 4.0/5.0  Smurf  SYN Flood  Apache MIME flooding/Apache Sioux Attack

8. DDoS tools Trinoo  Known to the first DDoS tools  UDP flooding Tribe Flood Network (TFN)  Trinoo’s UDP flooding, TCP SYN and ICMP flood TFN2K  Encrypted communication between components  TARGA attack stacheldraht  ICMP, UDP and TCP SYN flooding  Update to agents automatically

9. DDoS Protection Environment Linux Kernel  Immune to Teardrop, TARGA  tcp_syn_cookie enabled against SYN flood attack Load Balancer  Linux Virtual Server against overload attack

10. DDoS Protection Environment ipchains Firewall  Only port 80 is reachable directly  Only ICMP host unreachable messages are accepted Class Based Queuing  Function of the Linux kernel  Setup different traffic queues  Determines what packets to put in what queue  Assign a bandwidth to each of the queue

11. DDoS Protection Environment Traffic Monitor  Monitor Thread 1: monitors in and out packet Thread 2: checks the hashtable Thread 3: server thread  Manager Analyzes the supplied data Sorts the IPs in one of several classes, class 1 through class 4

12. Test 1: http-attack using http_load and static html database

13. DDoS attacks are substantial threat to today’s Internet infrastructure Solution to the problem of handling massive http overload requests is based on class based routing and active traffic monitoring Conclusion

14. DDoS attack by using reflector Reflector  Any IP host that will return a packet if it receives request  All web server, DNS server, router  ICMP Victim eventually receive “huge” number of message and clogging every single path to victim from the rest of the Internet

15. Defense against Reflector Ingress filtering Traffic generated by reflector  Our pick Reflector enable filtering  Require widespread deployment of filtering Deploy trace back mechanism  Enormous deployment difficulties IDS  Widespread deployment of security technology

16. Filtering out reflector replies IP  version, header length  TOS/DSCP  length  ID  fragments  TTL, protocol, checksum  source  destination

17. Filtering out reflector replies ICMP  Request/response  Generated ICMP messages TCP  source port  SYN ACK  RST  guessable sequence number  T/TCP

18. Filtering out reflector replies UDP DNS  DNS reply  DNS recursive query SNMP HTTP proxy server Gnutella (TCP application) Other UPD application

19. Implications of reflector attacks for traceback A major advantage to attackers in using ref lectors in DDOS attack is difficult tracebac k Low volume flows – SPIE HTTP proxies Logging Reverse ITRACE

20. Conclusion DDoS attack by using reflector have a seve ral significant threat Most major threats are  TCP guessable sequence number  DNS query to name server  Gnutella

21. Defender vs. Attacker Defense against attack  Increase the resources of the defender  Introduce authentication Goal of attacker  Waste resource of defender  Keep the defender from learning attacker’s identity Formal method are good way to addressing probl ems.

22. Station to Station protocol Station to station protocol is a protocol that was makes use of the Diffie-Hellman protocol togeth er with digital signatures in order to exchange an d authenticate keys between two principals.

23. Station to Station protocol

24. Compute the attack cost functions and the protocol engagement cost functions for eac h accept events Compute the attack cost functions and the message processing cost functions for each verification event

25. Station to Station protocol It is vulnerable to DOS attack in several pl aces  First message  Intruder could mount Lowe’s attack Solution  Cookie exchange  Lowe’s attack – including the identity of inten ded receiver

26. Conclusion This framework shows how existing tools a nd methods could be modified against DoS attack.