IMS584 (Network Security) Prof. Huy Kang Kim
Transcription

Acknowledgement
• Ref: Redbook chapter 8, Denial-of-Service Attacks, by Aikaterini Mitrokotsa and Christos Douligeris

• The most challenging problem of today: DoS (denial-of-service attack)
  – It consumes the network's or the server's availability
  – The main aim of a DoS is the disruption of services
  – The attack targets resources: the file system space, the process space, the network bandwidth, or the network connections.
• Distributed denial-of-service (DDoS) attacks add the many-to-one dimension to the DoS problem, making the prevention and mitigation of such attacks more difficult and the impact proportionally severe.
  – The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets.
  – The attack volume can be larger than the system can handle.
• The attacks achieve their desired effect by sending large amounts of network traffic and by varying packet fields in order to avoid characterization and tracing.
• Extremely sophisticated, "user-friendly," and powerful DDoS toolkits are available to potential attackers

DoS attack examples – the old types
• Ping of Death
• SYN Flooding
• Boink, Bonk, Teardrop
• Land
• Win Nuke
• Smurf, Fraggle
• Mail Bomb

DoS attack examples – ping of death
• Ping of death – send large ICMP packets to the target host
  • % ping -s 1000 targethost (UNIX)

DoS attack examples – SYN flooding
• Synk4 – the first well-known SYN flooding tool
  • http://www.hoobie.net/security/exploits/hacking/synk4.c
  – Just compile & run
    • compile: gcc -o synk synk.c
    • # ./synk 0 143.248.1.177 53 53
  – Source IP address – randomly spoofed
  – Target IP: 143.248.1.177
  – Target port: 53
• Note:
  – Spoofing the source IP over the whole range 0.0.0.0~255.255.255.255 costs extremely little effort.
  – In theory, packets can be generated and sent up to the limit of the attacker's PC network bandwidth and CPU performance.

DoS attack examples – SYN flooding (defense)
• C:\>netstat -na | findstr "SYN_RECEIVED"
    TCP  211.241.82.71:80  6.55.194.236:51370   SYN_RECEIVED
    TCP  211.241.82.71:80  16.192.252.18:22452  SYN_RECEIVED
    TCP  211.241.82.71:80  49.5.243.221:52363   SYN_RECEIVED
    TCP  211.241.82.71:80  50.145.99.80:46108   SYN_RECEIVED
    TCP  211.241.82.71:80  51.53.109.147:28308  SYN_RECEIVED
    TCP  211.241.82.71:80  61.58.85.212:52375   SYN_RECEIVED
    TCP  211.241.82.71:80  63.33.85.135:32111   SYN_RECEIVED
    TCP  211.241.82.71:80  67.206.19.195:28501  SYN_RECEIVED
    TCP  211.241.82.71:80  68.79.239.155:42810  SYN_RECEIVED
    TCP  211.241.82.71:80  221.29.79.118:36387  SYN_RECEIVED

DoS attack examples – SYN flooding (defense)
• How can we defend?
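Before tuning the kernel, a defender needs to read output like the netstat listing above quickly. As an added example (not from the lecture), this Python script parses those ten SYN_RECEIVED lines, counts half-open connections per local listener, compares the count with a limit (100, the decimal TcpMaxHalfOpen value the slides recommend), and applies a heuristic of our own: random spoofed sources show up as a different remote address on almost every half-open connection.

```python
import re
from collections import Counter

# The ten SYN_RECEIVED lines shown on the slide (netstat -na | findstr "SYN_RECEIVED").
NETSTAT_OUTPUT = """\
TCP 211.241.82.71:80 6.55.194.236:51370 SYN_RECEIVED
TCP 211.241.82.71:80 16.192.252.18:22452 SYN_RECEIVED
TCP 211.241.82.71:80 49.5.243.221:52363 SYN_RECEIVED
TCP 211.241.82.71:80 50.145.99.80:46108 SYN_RECEIVED
TCP 211.241.82.71:80 51.53.109.147:28308 SYN_RECEIVED
TCP 211.241.82.71:80 61.58.85.212:52375 SYN_RECEIVED
TCP 211.241.82.71:80 63.33.85.135:32111 SYN_RECEIVED
TCP 211.241.82.71:80 67.206.19.195:28501 SYN_RECEIVED
TCP 211.241.82.71:80 68.79.239.155:42810 SYN_RECEIVED
TCP 211.241.82.71:80 221.29.79.118:36387 SYN_RECEIVED
"""

# Protocol, local ip:port, remote ip:port, state (IPv4 only, as in the slide output).
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_half_open(output):
    """Return one (local_ip, local_port, remote_ip, remote_port) tuple per SYN_RECEIVED line."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "SYN_RECEIVED":
            entries.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return entries


def assess_half_open(entries, max_half_open=100):
    """Summarise half-open connections per local listener.

    max_half_open mirrors TcpMaxHalfOpen (0x64 = 100) from the slides.  The
    'looks_spoofed' heuristic is this example's, not the lecture's: a flood with
    random spoofed sources uses a distinct remote address for nearly every entry.
    """
    report = {}
    per_listener = Counter((lip, lport) for lip, lport, _, _ in entries)
    for listener, total in per_listener.items():
        remotes = {rip for lip, lport, rip, _ in entries if (lip, lport) == listener}
        report[listener] = {
            "half_open": total,
            "distinct_sources": len(remotes),
            "looks_spoofed": len(remotes) / total > 0.9,
            "over_limit": total > max_half_open,
        }
    return report


if __name__ == "__main__":
    for (ip, port), info in assess_half_open(parse_half_open(NETSTAT_OUTPUT)).items():
        print(f"{ip}:{port} half-open={info['half_open']} distinct={info['distinct_sources']} "
              f"spoofed?={info['looks_spoofed']} over_limit={info['over_limit']}")
```

On a live Windows host the same functions can be fed the output of `netstat -na` directly; the ten slide lines already trip the spoofing heuristic but stay well below the half-open limit.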
  – Update the network kernel parameters in the registry (Windows) or with ndd (UNIX)
  – Related Windows registry key (as of Windows 2000)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters
    • Name                                  Hex value (decimal)
      EnableICMPRedirect                    0
      SynattackProtect                      2
      TcpMaxHalfOpen                        64 (100)
      TcpMaxHalfOpenRetried                 64 (100)
      EnableDeadGWDetect                    0
      EnablePMTUDiscovery                   0
      KeepAliveTime                         493e0 (300000)
      DisableIPSourceRouting                2
      TcpMaxConnectResponseRetransmissions  2
      TcpMaxDataRetransmissions             3
      PerformRouterDiscovery                0
      TcpMaxPortsExhausted                  5
      NoNameReleaseOnDemand                 1

DoS attack examples – SYN flooding (defense)
• Related key description

DoS attack examples – SYN flooding (defense)
• SYN flooding attack
  – The simplest, yet the most powerful
  – Exploits a weak point in the structure of TCP/IP
• Recommended countermeasures
  – Increase the backlog queue size at the OS level (modify the Windows registry; on UNIX, tune kernel parameters with the ndd command)
  – System tuning, adding memory
  – Conclusion: in practice, countermeasures based on system-level tuning are no cure at all
    • Not that they have no effect whatsoever, but they are far too unrealistic

DoS attack example – application level (defense)
• Application-level defense methods (example)
• HTTP GET flooding attack
  – Apache web server – defense with mod_evasive
    • http://www.zdziarski.com/blog/?page_id=442
  – Conclusion: countermeasures based on application-level tuning are no cure either
    • Not that they have no effect whatsoever, but they are threshold-based responses
    • Once the network bandwidth itself is consumed, even if the server is in a state where it can respond, communication over the network is simply impossible

DoS attack examples – boink, bonk, teardrop
• Boink, Bonk, TearDrop
  – Boink, Bonk and TearDrop mount a DoS attack on the target system by violating three things: the order of packets, the presence or absence of lost packets, and the retransmission request for lost packets
  – Boink, Bonk: Bonk sends the first packet as number 1 and then sends the second and third packets with their sequence numbers manipulated to 1 as well; Boink sends the first packets normally and then, from the middle on, keeps sending a fixed sequence number
  – TearDrop: sends packets that overlap, or with data missing at regular intervals

DoS attack examples – LAND attack
• LAND attack
  – When sending a packet, both the source IP and the destination IP are set to the target's IP
  – The system looks up the source IP address of the first SYN attempted, sets that value as the destination IP address of its reply packet, and sends the packet. But since this value is its own IP address, the packet does not leave the network and comes back to itself.
  – Like SYN flooding, it occupies concurrent user slots and increases CPU load
  – Because it has been used to attack switches/routers directly, most network equipment IOS has an option enabled to block it

DoS attack example – mail bomb
• Mail bomb
  – Keeps generating garbage mail in the mail server's /var/spool/mail directory so that no more mail can be received
  – If the /var partition is the same partition as /, it also adversely affects system operation

DoS attack example – local resource attacks
• Local attack
  – Disk, memory, process exhaustion attacks
  – Infinite local file creation
  – Infinite process fork

DoS attack example – local resource attacks (defense)
• How to defend?
  – Use the OS's process and disk quota restriction features
  – E.g. Solaris 2.x /etc/system
  – edquota command
• Defense within the system is easily achievable through H-IDPS or a SecureOS
  – Even when damage occurs, it is confined to the inside of that system
• Defense at the network level is extremely difficult
  – When damage occurs, every server belonging to the network has problems

Types of DoS attack (from textbook – redbook)
• 1. Network device level – by taking advantage of bugs or weaknesses in software or by exhausting the hardware resources of network devices.
  – A buffer overrun error in the password checking routine: using this, certain routers could crash if the connection to the router is performed via telnet and extremely long passwords are entered.

Types of DoS attack (from textbook – redbook)
• 2. Operating system (OS) level DoS attacks – take advantage of the ways protocols are implemented by OSs.
  – E.g. ping of death
• 3. Application-based attacks – try to put a machine or a service out of order either by exploiting bugs in network applications that are running on the target host or by using such applications to drain the resources of their victim.
  – E.g. finger bomb, finger war by TCP/Wrapper
• 4. Data flooding attacks – an attacker attempts to use the bandwidth available to a network, host, or device to its greatest extent by sending it massive quantities of data to process.
  – E.g. flooding
• 5. Protocol feature attacks – take advantage of certain standard protocol features.
  – E.g. several attacks exploit the fact that IP source addresses can be spoofed.
  – E.g. attacks on the domain name system (DNS) cache on name servers.

DoS defense problems
• 1. Highly interdependent Internet security
  – The Internet has few built-in protection mechanisms to deal with DoS attacks. No matter how secure a host is, it is always under threat while the rest of the Internet is insecure.
• 2. Inherently difficult to detect DoS attacks
  – Detecting the origin of DoS attacks is quite difficult. Taking advantage of the stateless nature of the Internet, attackers use IP source address spoofing to hide the identity of the attacking machines and hide their identity behind handler machines.
• 3. Limited resources
  – The large number of packet streams that need to be generated in massive DoS attacks require large amounts of resources. The systems and networks that comprise the Internet are composed of limited resources that can be easily exhausted during the detection of DoS attacks.
• 4. Automated tools
  – DoS tools are available on the Internet accompanied with instructions that allow easy and effective use even by non-technically skilled users.

DoS defense problems (cont')
• 5. Target-rich environments
  – There are many hosts and networks in the Internet that are vulnerable and may be exploited, and they provide fertile ground to launch DoS attacks.

Characteristics and requirements of a DoS defense system
• High security – it has to be ensured that a DoS defense system cannot itself become the victim of a DoS attack.
• A DoS defense system should be reliable in detecting DoS attacks and have no false positives.
• A DoS defense system should be efficient in detecting and responding to a DoS attack in order to mitigate the effectiveness of the attack.
• A DoS defense mechanism should be realistic in design and applicable in existing security infrastructures without requiring important changes in the Internet infrastructure.
• A DoS defense mechanism should not require many resources and should have a low performance cost, to avoid degrading the performance of the attacked network.

DDoS attack example – concept
• Attacker: the hacker's machine, the root of the attack (overmind)
• Master/handler
  – Master: manages multiple agent programs, gets orders from the attacker
  – Handler: a program for handling agents, run by the Master
• Attack daemon/Agent
  – Agent: a system that sends the attack to the target
  – Attack daemon: the attack program running on the Agent system
  – Zombie hosts
• Victim hosts

Well-known DDoS attack programs
• Traditional programs
  – Trin00
  – TFN, TFN2k
  – Stacheldraht

DDoS attack procedures
• 1. Selection of agents
• 2. Compromise
• 3. Communications
• 4. Attack
• The latest generation of DDoS attacks do not wait for a trigger from the aggressor but instead monitor a public location on the Internet
  – A chat room could be monitored, and the attack may start automatically as soon as a particular key word or phrase is typed.
  – In this way the aggressor is more or less untraceable.
  – IRC (Internet Relay Chat) channels are used to achieve communication between the agents and the attacker
• Nowadays, IRC-based DDoS is not usually used (P2P or obfuscated traffic is chosen instead).
  – Old IRC-based DDoS tools: Trinity, Plague, Knight and Kaiten

DDoS attack categories

DDoS attack categories – degree of automation
• Based on the degree of automation of the attack, DDoS attacks can be divided into manual, semi-automatic, and automatic attacks.
  – The early DDoS attacks were manual
  – Semi-automatic attacks belong in the agent–handler attack model, and the attacker scans and compromises the handlers and agents by using automated scripts.
    • Attacks with direct communication include attacks during which it is necessary for the agent and handler to know each other's identity in order to communicate. This approach includes the hard coding of the IP address of the handler machines.
      – The main drawback: if the identity of one compromised host is revealed, the whole DDoS network may be exposed.
    • Attacks with indirect communication achieve greater survivability. Examples of this kind of attack are the IRC-based DDoS attacks.
  – In automatic DDoS attacks the attacker and agent machines do not need to communicate.

DDoS attack categories – exploited vulnerability
• Can be divided into flood attacks, amplification attacks, protocol exploit attacks, and malformed packet attacks.
• Flood attack
  – The agents send a vast amount of IP traffic to a victim system in order to congest the victim system's bandwidth. The impact of packet streams sent by the agents to the victim varies from slowing it down or crashing the system to saturation of the network bandwidth.
  • UDP flood attacks and ICMP flood attacks
    • A UDP flood attack is possible when a large number of UDP packets are sent to a victim system
    • ICMP flood attacks exploit the ICMP, which enables users to send an echo packet to a remote host to check whether it is alive
    • The agents send a large number of ICMP_ECHO_REPLY packets ("ping") to the victim.
    • During an ICMP flood attack the technique of IP spoofing is used.

DDoS attack categories – amplification attacks
• The attacker or the agents exploit the broadcast IP address feature that most routers have.
• This feature is exploited in order to achieve amplification and reflection of attacks by sending messages to broadcast IP addresses.
  – All the routers that are in the network send the packets to all the IP addresses that are in the broadcast range
• Reflector
  – The intermediary nodes that are used as attack launchers in amplification attacks
• During an amplification attack the attacker sends spoofed packets that require responses to the reflectors. The source addresses of the packets are spoofed with the address of the victim. After receiving the spoofed packets, the reflectors respond to the victim accordingly.
  – In an amplification attack some predetermined reflectors are necessary.
  – The reflectors may be dispersed on the Internet
  – The packets sent from the reflectors are normal packets with legitimate origin and thus cannot be captured and eliminated through filtering and route-based mechanisms.

DDoS attack categories – protocol exploit/malformed attacks
• Protocol exploit attacks exploit a specific feature or implementation bug of some protocol
• Malformed packet attacks
  – Rely on incorrectly formed IP packets that are sent from agents to the victim and that will lead to the crash of the victim's system. Malformed packet attacks can be divided into IP address attacks and IP packet options attacks. In an IP address attack, the packet has the same source and destination IP addresses.

DDoS attack categories – attack rate dynamics
• Continuous-rate attacks
  – Comprise attacks that, after the onset of the attack, are executed with full force and without a break or decrement of force. The impact of such an attack is very quick.
• Variable-rate attacks
  – "Vary the attack rate" and thus avoid detection and immediate response.
  • Fluctuating-rate: the attack has a wavy rate that is defined by the victim's behavior and response to the attack, at times decreasing the rate to avoid detection.
  • Increasing-rate attacks gradually lead to the exhaustion of a victim's resources, something that may delay detection of the attack.

DDoS attack categories – impact
• Disruptive attacks
  – Lead to complete denial of the victim's service to its clients.
• Degrading attacks
  – Result in delay of the detection of the attack and much damage to the victim's system.
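As a defender's counterpart to the spoofing-based attacks categorised above (LAND and the IP address attack, and the broadcast-address reflection used in amplification attacks), here is an added example of a border filter in Python; it is not part of the lecture. Ingress checks drop packets whose source is one of our own addresses, is non-routable, equals the destination, or whose destination is our broadcast address; egress checks let only our own addresses leave. The 211.241.82.0/24 prefix and the sample traffic are constructed for the example.

```python
import ipaddress

# Constructed for this example: the protected site's own prefix (it contains the web
# server address 211.241.82.71 seen in the netstat output on the SYN flooding slide).
INTERNAL_PREFIXES = [ipaddress.ip_network("211.241.82.0/24")]

# Source addresses that can never legitimately arrive from the Internet.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def ingress_verdict(src, dst):
    """Verdict for a packet arriving on the external interface, checked in order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == d:
        # LAND / "IP address attack": source and destination are the same host.
        return "drop: source equals destination"
    if _in_any(s, INTERNAL_PREFIXES):
        # Ingress filtering: our own addresses cannot legitimately come from outside.
        return "drop: spoofed internal source"
    if _in_any(s, NON_ROUTABLE):
        return "drop: non-routable source"
    if any(d == net.broadcast_address for net in INTERNAL_PREFIXES):
        # Directed broadcasts are what Smurf/Fraggle reflectors rely on.
        return "drop: directed broadcast"
    return "accept"


def egress_verdict(src, dst):
    """Verdict for a packet leaving the site: only our own source addresses may go
    out, so a compromised host inside cannot emit spoofed flood traffic."""
    s = ipaddress.ip_address(src)
    if not _in_any(s, INTERNAL_PREFIXES):
        return "drop: spoofed outbound source"
    return "accept"


def filter_batch(direction, packets):
    """Apply one direction's rules ("in" or "out") to (src, dst) pairs; returns verdicts."""
    rule = ingress_verdict if direction == "in" else egress_verdict
    return [rule(src, dst) for src, dst in packets]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate client and one of each abuse pattern.
    inbound = [("6.55.194.236", "211.241.82.71"),   # normal client from the slide
               ("211.241.82.71", "211.241.82.71"),  # LAND
               ("211.241.82.9", "211.241.82.71"),   # spoofed internal source
               ("198.51.100.7", "211.241.82.255")]  # directed broadcast (reflector)
    for pkt, verdict in zip(inbound, filter_batch("in", inbound)):
        print(pkt, "->", verdict)
```

Note what this filter cannot do: the reflector responses described in the amplification slides carry legitimate source addresses, so they pass these checks, which is exactly why the slides say filtering alone cannot stop them.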
Differences between today's DDoS attack methods and those of the past
• The basic principle is no different
• Today, to secure DDoS agents efficiently
  – Large-scale malware propagation (SPAM, inserting malicious scripts after hacking web sites, etc.); the techniques for building a BOTNET out of zombie PCs have become more sophisticated

DDoS attack defense mechanism

DDoS attack defense mechanism
• First category (by activity)
  – Intrusion prevention
  – Intrusion detection
  – Intrusion response
  – Intrusion tolerance and mitigation
• Second category (by location)
  – Victim network
  – Intermediate network
  – Source network

DDoS attack defense mechanism – intrusion prevention
• Intrusion prevention
  – Attacking packets can be stopped before they cause serious damage.
  – Ingress filtering, egress filtering, route-based distributed packet filtering, history-based IP (HIP) filtering
• Ingress filtering
  – Set up to block incoming packets with illegitimate origin from entering the network.
• Egress filtering
  – A filtering method on outbound traffic, which allows packets only from a specific set of IP addresses to leave the network.
• Route-based distributed packet filtering
  – An approach capable of filtering out a large portion of spoofed IP packets and preventing attack packets from reaching their targets, as well as helping in IP traceback.
• HIP filtering
  – The edge router admits the incoming packets according to a prebuilt IP address database.

DDoS attack defense mechanism – intrusion prevention
• Disabling unused services
  – If network services are not needed or unused, the services should be disabled to prevent attacks.
  – (e.g.) if UDP echo is not required, disabling this service will make the system more secure against this kind of attack.
• Applying security patches
• Changing the IP address is a simple way to guard against a DDoS attack.
  – It can armor the hosts against DDoS attacks ("moving target defense"). All Internet and edge routers are informed when the IP address is changed in order to drop malicious packets.
  – Only for local DDoS attacks based on IP addresses.
  – Attackers can render this technique useless by adding a DNS tracing function to the DDoS tool.
• Disabling IP broadcasts
  – A defense against reflectors in Smurf and ICMP flood attacks.
  – Can be effective only if all the neighboring networks have also disabled IP broadcasts.
• Load balancing
  – A simple approach that enables network providers to increase the provided bandwidth on critical connections and prevent their crash in case an attack is launched against them.
  – Additional failsafe protection can be the replication of servers in case some crash during a DDoS attack.
• Honeypots

DDoS attack defense mechanism – intrusion detection
• Prevention is the most necessary approach. Detection is the second line.
  – Anomaly detection
  – Misuse detection
• Even detection is not easy
  – Degradation of performance does not come only from DoS attacks

DDoS attack defense mechanism – intrusion response
• IP traceback
  – IP traceback traces the attacks back to their origin, so one can find the true identity of the attacker and achieve detection of asymmetric routes as well as path characterization.
  – ICMP traceback, link-testing traceback, probabilistic packet marking (PPM), hash-based IP traceback, Sleepy Traceback, and CenterTrack
• Traffic pattern analysis
  – During a DDoS attack, traffic pattern data can be stored and then analyzed after the attack in order to find specific characteristics and features that may indicate an attack
• Analysis of event logs
  – The selection of event logs recorded during the setup and the execution of the attack can be used to discover the type of DDoS attacks and do a forensic analysis.
  – Log sources: network equipment such as firewalls, packet sniffers, server logs, and honeypots

DDoS attack defense mechanism – intrusion tolerance and mitigation
• We already know that it is impossible to prevent or stop DDoS attacks completely
  – Then let's just focus on minimizing the attack impact and maximizing the quality of its services
• Fault tolerance
  – A research area whose designs are built into critical infrastructures and applied at three levels: hardware, software, and system. Duplicating server, application or network resources
  – Distribute resources everywhere: CDN (content distribution network)
• QoS
  – The ability of a network to deliver predictable results for some applications.
  – Many intrusion-tolerant QoS techniques and intrusion-tolerant QoS systems have been developed to mitigate DDoS attacks

Consensus Roadmap for Defeating Distributed Denial of Service Attacks
• http://www.sans.org/dosstep/roadmap.php

Advice for writing your paper
• To write a good paper on DDoS...
• Micro-level
  – Develop a DDoS detection algorithm
  – Start from the observation that randomness arises and that DDoS itself has state transitions
• Show an ISP-wide view
• Pay attention to the interplay with other applications
  – Example: DDoS is detected through zombie PCs. Since fundamentally blocking DDoS is impossible, find the C&C server from the zombie PCs first
  – Zombie PCs do not only send DDoS; in normal times they are used to send spam mail
  – 75%~80% of spam mail is sent by zombie PCs
  – Track spam mail to find zombie PCs, and through them try to find the C&C server

Reference sites for writing your paper
• CAIDA
  – http://www.caida.org/research/security/
• Denial-of-Service Attack Backscatter
  – Backscatter-2008 Dataset
  – Backscatter-2007 Dataset
  – Backscatter-2006 Dataset
  – Backscatter-2004-2005 Dataset
  – Backscatter-TOCS Dataset
• SCO Offline from Denial-of-Service Attack (2003)
  – [DoS Attack] Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack.
    Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO has faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours.