Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

Published byFlora Roberts Modified over 8 years ago

Similar presentations

Presentation on theme: "An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson."— Presentation transcript:

1 An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson

2 DDOS

3 Traceback ITRACE (Bellovin) – uses ICMP messages from routers to trace path back to source. However, these ICMP packets occur with low probability, so a high volume flow is needed to trace back all the routers. SPIE (Snoeren) – Source Path Isolation Engine records sets of hashes of packets traversing a given router. Can trace path even on low volume flows.

4 Reflectors A reflector is any IP host that returns a packet if sent a packet. Examples: SYN  SYN/ACK, ICMP, etc… Lots of reflectors on the internet. Attacker can program slaves to use millions of them. Hard to block since packets come from an extremely diffuse base.

5 DDOS with Reflectors

6 Tracing when reflectors are used Easy for victim to ID reflectors since SRC IP is real. However, hard to trace back to slaves since reflectors are given victim’s IP as the source. Also involves cooperation from the reflector’s operator for analysis. Hard to use ITRACE since flow is low-volume for any given reflector (flow is diffused through many reflectors). Can use SPIE.

7 Defenses Against Reflectors Ingress filtering. Can block all incoming packets except from known good IPs. (Not useful for public/commercial sites.) Timing or pattern match filtering (possible). Software on reflector to allow victim to trace back to slave. (Not practical, difficult/impossible to deploy.)

8 Filtering Techniques Stateless, since attack creates too much bogus state. Filtering done at ISP end (or sufficiently far enough away from victim to keep bandwidth available).

9 Filtering IP Packets Can filter IP SRC/DST if “bad” reflectors are known. IP TOS/DSCP possible if attack traffic non- premium. Fragments – possible to throw these out unless victim needs them (NFS, AFS, GRE, etc...) Conclusion: Too few headers to make filtering at the IP level very useful.

10 Filtering ICMP Can filter out echo requests/replies. Can stop smurf attacks. Harder to suppress other ICMP messages since these are needed for tearing down state (host unreachable), traceroute (time exceeded).

11 Filtering TCP Can block source port 80 to block most DDOS attacks that use web servers as reflectors. Downside: won’t be able to connect to any external web servers. Block RST. Causes victim to keep more state than usual (may be acceptable tradeoff). Block SYN/ACK. Causes victim to lose all remote services (may be acceptable if all traffic is outgoing).

12 Filtering TCP cont. Any other TCP packet type means slave must establish a connection with the reflector, so SRC address cannot be forged (thus slave is easily traceable). UNLESS... Reflector’s TCP stack has guessable sequence numbers. Can use ACK splitting to amplify traffic.

13 Filtering TCP summary Can be effective if victim is willing to endure loss of contact to external servers and doesn’t mind maintaining more state than usual. However, this won’t work if attacker can find a large number of reflectors with poorly implemented TCP stacks (guessable TCP sequence numbers).

14 Filtering UDP Attackers can use DNS as a reflector (send forged DNS queries so that reply goes to victim). Countermeasure: block DNS except from a small set of servers. Use internal DNS servers. However, if victim is a DNS server for a particular zone, then attacker can submit queries of the form bogus.victim.com, which causes recursive queries back to victim. Countermeasure: none!

15 Using proxies Attacker can use proxies (ex: http proxy) as a reflector. This would be effective except that it requires a non-spoofed source address, so slaves can be identified.

16 Gnutella Attacker can mount proxy attack without being traced. Using Gnutella “push” directive, request can propagate through Gnutella network being separated from client (slave). Victim can trace back to Gnutella server. Operator of Gnutella server can trace back to immediate neighbor, etc... Conclusion: virtually impossible to trace the chain of Gnutella servers back to slave.

17 Summary Reflectors make DDOS attacks much more diffuse and harder to prevent. Can guard against some DDOS reflector attacks if victim is willing to forgo some services. TCP guessable sequence numbers, recursive DNS queries, and Gnutella “push” directive present major threats (no known defenses).

Download ppt "An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Distributed Denial-of-Services (DDoS) Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8.

Distributed Denial-of-Services (DDoS) Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.

1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks

Similar presentations

Ads by Google