IMS584 (Network Security) Prof. Huy Kang Kim

Transcription

Acknowledgement
•  Ref: Redbook chapter 8
Denial-of-Service Attacks
•  (Redbook chapter 8) by Aikaterini Mitrokotsa and Christos Douligeris
•  The biggest challenge today – DoS (denial of service) attacks
–  They consume the network's or the server's availability
–  The main aim of a DoS is the disruption of services
–  The attack targets resources: the file system space, the process space, the network bandwidth, or the network connections.
•  Distributed denial-of-service (DDoS) attacks add the many-to-one dimension to the DoS problem, making the prevention and mitigation of such attacks more difficult and the impact proportionally severe.
–  The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets.
–  The attack volume can be larger than the system can handle.
•  The attacks achieve their desired effect by sending large amounts of network traffic and by varying packet fields in order to avoid characterization and tracing.
•  Extremely sophisticated, "user-friendly," and powerful DDoS toolkits are available to potential attackers
DoS attack examples – the old types
•  Ping of Death
•  SYN Flooding
•  Boink, Bonk, Teardrop
•  Land
•  Win Nuke
•  Smurf, Fraggle
•  Mail Bomb
DoS attack examples – ping of death
•  Ping of death – sends large ICMP packets to the target host
•  % ping -s 1000 targethost (UNIX)
DoS attack examples – SYN flooding
•  Synk4
–  The first well-known SYN flooding tool
•  http://www.hoobie.net/security/exploits/hacking/synk4.c
–  Just compile & run
•  compile: gcc -o synk synk.c
•  # ./synk 0 143.248.1.177 53 53
–  Source IP address – randomly spoofed
–  Target IP: 143.248.1.177
–  Target port: 53
•  Note:
–  Spoofing the source IP across the whole range 0.0.0.0~255.255.255.255 costs the attacker almost nothing in effort
–  In theory, packets are generated and sent at the full rate of the attacker PC's network bandwidth and CPU
DoS attack examples – SYN flooding (defense)
•  C:\>netstat -na | findstr "SYN_RECEIVED"
TCP 211.241.82.71:80 6.55.194.236:51370 SYN_RECEIVED
TCP 211.241.82.71:80 16.192.252.18:22452 SYN_RECEIVED
TCP 211.241.82.71:80 49.5.243.221:52363 SYN_RECEIVED
TCP 211.241.82.71:80 50.145.99.80:46108 SYN_RECEIVED
TCP 211.241.82.71:80 51.53.109.147:28308 SYN_RECEIVED
TCP 211.241.82.71:80 61.58.85.212:52375 SYN_RECEIVED
TCP 211.241.82.71:80 63.33.85.135:32111 SYN_RECEIVED
TCP 211.241.82.71:80 67.206.19.195:28501 SYN_RECEIVED
TCP 211.241.82.71:80 68.79.239.155:42810 SYN_RECEIVED
TCP 211.241.82.71:80 221.29.79.118:36387 SYN_RECEIVED
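The listing above is what a defender looks at by hand; the following is an added example (not part of the lecture) that parses `netstat -na` output of the same shape, counts half-open connections per local socket and flags the spoofed-source pattern: many SYN_RECEIVED entries, almost every one from a different address. The sample listing is constructed.

```python
"""Count half-open (SYN_RECEIVED) TCP connections in `netstat -na` output and
flag local sockets that look SYN-flooded.  The sample output is constructed
in the shape of the slide's listing, with a few ESTABLISHED rows added."""
from collections import defaultdict

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    211.241.82.71:80       6.55.194.236:51370     SYN_RECEIVED
  TCP    211.241.82.71:80       16.192.252.18:22452    SYN_RECEIVED
  TCP    211.241.82.71:80       49.5.243.221:52363     SYN_RECEIVED
  TCP    211.241.82.71:80       50.145.99.80:46108     SYN_RECEIVED
  TCP    211.241.82.71:80       51.53.109.147:28308    SYN_RECEIVED
  TCP    211.241.82.71:80       61.58.85.212:52375     SYN_RECEIVED
  TCP    211.241.82.71:25       10.0.0.5:40000         ESTABLISHED
  TCP    211.241.82.71:80       10.0.0.7:40001         ESTABLISHED
"""


def parse_half_open(netstat_text):
    """Return {local_socket: [remote_ip, ...]} for every SYN_RECEIVED row."""
    half_open = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # header line, UDP rows, blank lines
        _proto, local, remote, state = fields
        if state == "SYN_RECEIVED":
            # rsplit keeps IPv6 literals such as [::1] intact
            half_open[local].append(remote.rsplit(":", 1)[0])
    return half_open


def flag_syn_flood(netstat_text, threshold=5):
    """Return {local_socket: (half_open_count, distinct_sources)} for sockets
    whose half-open count reaches `threshold`.  A large count made up almost
    entirely of distinct sources is the signature of a spoofed-source SYN
    flood: real clients retry from the same address, a synk-style tool
    never reuses one."""
    alerts = {}
    for local, sources in parse_half_open(netstat_text).items():
        if len(sources) >= threshold:
            alerts[local] = (len(sources), len(set(sources)))
    return alerts


if __name__ == "__main__":
    for sock, (count, distinct) in flag_syn_flood(SAMPLE_NETSTAT).items():
        print(f"{sock}: {count} half-open connections from {distinct} sources")
```

The threshold of 5 only suits the tiny sample; on a production server set it relative to the normal number of half-open connections, which is typically in the hundreds under load.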
DoS attack examples – SYN flooding (defense)
•  How can we defend?
–  Update the network kernel parameters in the registry (Windows) or with ndd (UNIX)
–  Related Windows registry key (based on Windows 2000)
•  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters
•  Value name and hex value (decimal):
EnableICMPRedirect 0
SynAttackProtect 2
TcpMaxHalfOpen 64 (100)
TcpMaxHalfOpenRetried 64 (100)
EnableDeadGWDetect 0
EnablePMTUDiscovery 0
KeepAliveTime 493e0 (300000)
DisableIPSourceRouting 2
TcpMaxConnectResponseRetransmissions 2
TcpMaxDataRetransmissions 3
PerformRouterDiscovery 0
TcpMaxPortsExhausted 5
NoNameReleaseOnDemand 1
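An added example (not from the lecture) that audits a host against the table above by reading the text `reg query` prints for that key; the `reg query` output used here is constructed and the built-in default mentioned in the comment applies to Windows 2000.

```python
"""Check the Tcpip\\Parameters values that the slide's table recommends,
using the text that `reg query` prints.  Added example, not lecture code;
the `reg query` output below is constructed (a host that applied the table
only in part)."""

# Recommended values from the slide, in decimal (the slide lists hex with the
# decimal in parentheses, e.g. KeepAliveTime 493e0 (300000)).
RECOMMENDED = {
    "EnableICMPRedirect": 0, "SynAttackProtect": 2,
    "TcpMaxHalfOpen": 100, "TcpMaxHalfOpenRetried": 100,
    "EnableDeadGWDetect": 0, "EnablePMTUDiscovery": 0,
    "KeepAliveTime": 300000, "DisableIPSourceRouting": 2,
    "TcpMaxConnectResponseRetransmissions": 2, "TcpMaxDataRetransmissions": 3,
    "PerformRouterDiscovery": 0, "TcpMaxPortsExhausted": 5,
    "NoNameReleaseOnDemand": 1,
}

# Constructed output of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect    REG_DWORD    0x0
    TcpMaxHalfOpen    REG_DWORD    0x64
    KeepAliveTime    REG_DWORD    0x6ddd00
    DisableIPSourceRouting    REG_DWORD    0x2
    Domain    REG_SZ    corp.example
"""


def parse_reg_query(text):
    """Return {lowercased name: int} for the REG_DWORD values in the output."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "REG_DWORD":
            values[parts[0].lower()] = int(parts[2], 16)  # names are case-insensitive
    return values


def audit(text, recommended=RECOMMENDED):
    """Return (mismatched, missing): mismatched maps name -> (actual, wanted),
    missing lists names not present.  Missing is not harmless: the stack then
    uses its built-in default, which for SynAttackProtect on Windows 2000 is 0,
    i.e. no SYN-attack protection."""
    present = parse_reg_query(text)
    mismatched, missing = {}, []
    for name, wanted in recommended.items():
        actual = present.get(name.lower())
        if actual is None:
            missing.append(name)
        elif actual != wanted:
            mismatched[name] = (actual, wanted)
    return mismatched, missing
```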
DoS attack examples – SYN flooding (defense)
•  Related key description
DoS attack examples – SYN flooding (defense)
•  SYN flooding attack
–  The simplest, yet the most powerful
–  Exploits a loophole in the TCP/IP design
•  Recommended countermeasures
–  Increase the backlog queue size at the OS level (edit the Windows registry; on UNIX tune kernel parameters with the ndd command)
–  System tuning, adding memory
–  Conclusion: countermeasures based on system-level tuning are, in practice, no cure at all
•  Not that they have no effect whatsoever, but they are far from realistic
DoS attack example – application level (defense)
•  Defense at the application layer (example)
•  HTTP GET flooding attack
–  Apache web server - defense through mod_evasive
•  http://www.zdziarski.com/blog/?page_id=442
–  Conclusion: countermeasures based on application-level tuning are no cure either
•  Not that they have no effect whatsoever, but the response is threshold-based
•  Once the network bandwidth itself has been consumed, communication over the network is impossible even if the server is still able to respond
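To make the "threshold-based" point concrete, here is an added model (written for these slides, not mod_evasive's own code) of the per-client page and site counters that mod_evasive's DOSPageCount, DOSSiteCount and DOSBlockingPeriod settings describe; the request trace is constructed.

```python
"""Threshold-based HTTP GET flood limiter modelled on mod_evasive's
DOSPageCount / DOSSiteCount / DOSBlockingPeriod settings.  Added example for
these slides; it is a model of the mechanism, not mod_evasive's own code.
The request trace at the bottom is constructed."""
from collections import defaultdict, deque


class GetFloodLimiter:
    # Defaults mirror mod_evasive: 2 hits on one page or 50 on the whole
    # site within a 1 s window blacklist the client for 10 s.
    def __init__(self, page_count=2, page_interval=1.0,
                 site_count=50, site_interval=1.0, blocking_period=10.0):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = defaultdict(deque)  # (ip, uri) -> request times
        self.site_hits = defaultdict(deque)  # ip -> request times
        self.blocked_until = {}              # ip -> end of blacklist period

    @staticmethod
    def _trim(window, now, interval):
        while window and now - window[0] > interval:
            window.popleft()

    def allow(self, ip, uri, now):
        """True: serve the request.  False: answer 403 and count the hit."""
        if self.blocked_until.get(ip, 0) > now:
            # As in mod_evasive, every hit while blacklisted restarts the timer.
            self.blocked_until[ip] = now + self.blocking_period
            return False
        page, site = self.page_hits[(ip, uri)], self.site_hits[ip]
        self._trim(page, now, self.page_interval)
        self._trim(site, now, self.site_interval)
        page.append(now)
        site.append(now)
        if len(page) > self.page_count or len(site) > self.site_count:
            self.blocked_until[ip] = now + self.blocking_period
            return False
        return True


def replay(trace, limiter=None):
    """Run (time, ip, uri) records through a limiter; return the decisions."""
    limiter = limiter or GetFloodLimiter()
    return [limiter.allow(ip, uri, t) for t, ip, uri in trace]


# Constructed trace: one client hammering /index.html, one normal client.
TRACE = [
    (0.00, "198.51.100.9", "/index.html"),
    (0.10, "198.51.100.9", "/index.html"),
    (0.20, "198.51.100.9", "/index.html"),  # third hit within 1 s: blacklisted
    (0.30, "198.51.100.9", "/about.html"),  # still blocked, timer restarted
    (0.50, "203.0.113.4", "/index.html"),   # unrelated client unaffected
    (11.0, "198.51.100.9", "/index.html"),  # blacklist expired at 10.30
]
```

The limiter only reduces the work the server does per abusive client; once the link itself is saturated, as the slide notes, the 403 responses never reach anyone either.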
DoS attack examples – boink, bonk, teardrop
•  Boink, Bonk, TearDrop
–  Boink, Bonk and TearDrop mount a DoS attack on the target system by violating three things: the ordering of packets, whether packets were lost, and the retransmission requests for lost packets
–  Boink, Bonk: Bonk sends the first packet as number 1 and then forges the sequence number of both the second and the third packet to 1 as well; Boink sends the first packets normally and then, midway, keeps sending the same fixed sequence number
–  TearDrop: sends packets so that they overlap, or so that data is missing at regular intervals
DoS attack examples – LAND attack
•  LAND attack
–  The packet is sent with both its source IP and its destination IP set to the target's IP
–  The system takes the source IP address of the first SYN attempt, uses it as the destination IP address of the reply packet, and sends it. But since that value is its own IP address, the packet never leaves the network and comes back to itself.
–  Like SYN flooding, it occupies the concurrent-user slots and raises the CPU load
–  Since it has been used to attack switches/routers directly, most network equipment IOS has an option enabled that blocks it
DoS attack example – mail bomb
•  Mail bomb
–  Keeps generating garbage mail in the mail server's /var/spool/mail directory so that no further mail can be received
–  If the /var partition is the same partition as /, it harms the operation of the system as well
DoS attack example – local resource attacks
•  Local attack – disk, memory, process exhaustion attack
–  Infinite local file creation
–  Infinite process fork
DoS attack example – local resource attacks (defense)
•  How to defend?
–  Use the OS's process and disk quota limits
–  E.g. Solaris 2.x /etc/system
–  edquota command
•  Defense inside the system is easy through H-IDPS or SecureOS
–  Even when damage occurs it stays confined to that system
•  Defense at the network level remains extremely difficult
–  When damage occurs, every server within the network is affected
Types of DoS attack (from textbook- redbook)
•  1. Network device level - by taking advantage of bugs or weaknesses in software or by exhausting the hardware resources of network devices.
–  E.g. a buffer overrun error in the password checking routine. Using this, certain routers could crash if the connection to the router is performed via telnet and extremely long passwords are entered.
Types of DoS attack (from textbook- redbook)
•  2. Operating system (OS) level DoS attacks - take advantage of the ways protocols are implemented by OSs.
–  E.g. ping of death
•  3. Application-based attacks - try to put a machine or a service out of order either by exploiting bugs in network applications that are running on the target host or by using such applications to drain the resources of their victim.
–  E.g. finger bomb, finger war by TCP/Wrapper
•  4. Data flooding attacks - an attacker attempts to use the bandwidth available to a network, host, or device to its greatest extent by sending it massive quantities of data to process.
–  E.g. flooding
•  5. Protocol feature attacks - take advantage of certain standard protocol features.
–  E.g. several attacks exploit the fact that IP source addresses can be spoofed.
–  E.g. attacks on the domain name system (DNS) cache on name servers.
DoS Defense problems
•  1. Highly interdependent Internet security
–  The Internet has few built-in protection mechanisms to deal with DoS attacks. No matter how secure a host is, it is always under threat while the rest of the Internet is insecure.
•  2. Inherently difficult to detect DoS attacks
–  Detecting the origin of DoS attacks is quite difficult. Taking advantage of the stateless nature of the Internet, attackers use IP source address spoofing to hide the identity of the attacking machines and hide their own identity behind handler machines.
•  3. Limited resources
–  The large number of packet streams that need to be generated in massive DoS attacks requires large amounts of resources. The systems and networks that comprise the Internet are composed of limited resources that can be easily exhausted during the detection of DoS attacks.
•  4. Automated tools
–  DoS tools are available on the Internet, accompanied by instructions that allow easy and effective use even by non-technically skilled users.
DoS Defense problems (cont’)
•  5. Target-rich environments
–  There are many hosts and networks in the Internet that are vulnerable and may be exploited, providing fertile ground to launch DoS attacks.
–  Characteristics and requirements of a DoS defense system
•  High security – it must be ensured that a DoS defense system cannot itself become a victim of a DoS attack.
•  A DoS defense system should be reliable in detecting DoS attacks and have no false positives.
•  A DoS defense system should be efficient in detecting and responding to a DoS attack in order to mitigate the effectiveness of the attack.
•  A DoS defense mechanism should be realistic in design and applicable in existing security infrastructures without requiring important changes in the Internet infrastructure.
•  A DoS defense mechanism should not require many resources and should have low performance cost to avoid degrading the performance of the attacked network.
DDoS attack example – concept
•  Attacker: the hacker's machine, the root of the attack (overmind)
•  Master/handler
–  Master: manages multiple agent programs, gets orders from the attacker
–  Handler: a program for handling agents, run by the Master
•  Attack daemon/Agent
–  Agent: a system that sends the attack to the target
–  Attack daemon: the attack program running on an Agent system
–  Zombie hosts
•  Victim hosts
Well-known DDoS attack programs
•  Traditional programs
–  Trin00
–  TFN, TFN2k
–  Stacheldraht
DDoS attack procedures
•  1. Selection of agents
•  2. Compromise
•  3. Communications
•  4. Attack
•  The latest generation of DDoS attacks do not wait for a trigger from the aggressor but instead monitor a public location on the Internet
–  A chat room could be monitored and the attack may start automatically as soon as a particular key word or phrase is typed.
–  In this way the aggressor is more or less untraceable.
–  IRC (Internet Relay Chat) channels are used to achieve communication between the agents and the attacker
•  Nowadays, IRC-based DDoS is not usually used (P2P or obfuscated traffic is chosen instead)
–  Old IRC-based DDoS tools: Trinity, Plague, Knight and Kaiten
DDoS attack categories
DDoS attack categories – degree of automation
•  Based on the degree of automation of the attack, DDoS attacks can be divided into manual, semiautomatic, and automatic attacks.
–  The early DDoS attacks were manual
–  Semiautomatic attacks belong in the agent–handler attack model, and the attacker scans and compromises the handlers and agents by using automated scripts.
•  Attacks with direct communication include attacks during which it is necessary for the agent and handler to know each other's identity in order to communicate. This approach includes the hard coding of the IP address of the handler machines.
–  The main drawback - if the identity of one compromised host is revealed, the whole DDoS network may be exposed.
•  Attacks with indirect communication achieve greater survivability. Examples of this kind of attack are the IRC-based DDoS attacks.
–  In automatic DDoS attacks the attacker and agent machines do not need to communicate.
DDoS attack categories – Exploited vulnerability
•  Can be divided into flood attacks, amplification attacks, protocol exploit attacks, and malformed packet attacks.
•  Flood attack
–  The agents send a vast amount of IP traffic to a victim system in order to congest the victim system's bandwidth. The impact of packet streams sent by the agents to the victim varies from slowing it down or crashing the system to saturation of the network bandwidth.
•  UDP flood attacks and ICMP flood attacks
•  A UDP flood attack is possible when a large number of UDP packets are sent to a victim system
•  ICMP flood attacks exploit the ICMP, which enables users to send an echo packet to a remote host to check whether it is alive
•  Agents send a large number of ICMP_ECHO_REPLY packets ("ping") to the victim.
•  During an ICMP flood attack the technique of IP spoofing is used.
DDoS attack categories – amplification attacks
•  The attacker or the agents exploit the broadcast IP address feature that most routers have.
•  This feature is exploited in order to achieve amplification and reflection of attacks by sending messages to broadcast IP addresses.
–  All the routers that are in the network send the packets to all the IP addresses that are in the broadcast range
•  Reflector
–  The intermediary nodes that are used as attack launchers in amplification attacks
•  During an amplification attack the attacker sends spoofed packets that require responses to the reflectors. The source addresses of the packets are spoofed with the address of the victim. After receiving the spoofed packets, the reflectors respond to the victim accordingly.
–  In an amplification attack some predetermined reflectors are necessary.
–  The reflectors may be dispersed on the Internet
–  The packets sent from the reflectors are normal packets with legitimate origin and thus cannot be captured and eliminated through filtering and route-based mechanisms.
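Reflected packets are indeed well-formed, but the victim still knows which echo requests it sent; the added example below (not lecture code) shows the stateful check a victim can run for the ICMP flood and amplification cases above: any echo reply that matches no outstanding request of ours is flood or reflection traffic, and its source is a reflector to report or filter. The capture is constructed and already decoded into dicts.

```python
"""Spot reflected or unsolicited ICMP echo replies at the victim.  A host only
expects an echo reply for an echo request it sent, so replies that no
outstanding (peer, id, seq) request explains are flood or reflection traffic,
and their source addresses are the reflectors, not the attacker.  Added
example for these slides, not lecture code; the capture is constructed and
already decoded into dicts."""
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8


def unsolicited_replies(records, me):
    """records: dicts with src, dst, type, id, seq, in arrival order.
    Returns Counter{source_ip: n} of echo replies addressed to `me` that
    did not answer a request `me` sent (each request covers one reply)."""
    outstanding = set()
    suspects = Counter()
    for pkt in records:
        key = (pkt["id"], pkt["seq"])
        if pkt["src"] == me and pkt["type"] == ECHO_REQUEST:
            outstanding.add((pkt["dst"],) + key)
        elif pkt["dst"] == me and pkt["type"] == ECHO_REPLY:
            match = (pkt["src"],) + key
            if match in outstanding:
                outstanding.discard(match)
            else:
                suspects[pkt["src"]] += 1
    return suspects


def reflectors(records, me, min_replies=2):
    """Sources with at least `min_replies` unsolicited replies: a list to hand
    to the upstream filter or to the reflectors' operators, since filtering on
    the attacker's own address is impossible (it never appears on the wire)."""
    return sorted(ip for ip, n in unsolicited_replies(records, me).items()
                  if n >= min_replies)


def icmp(src, dst, typ, ident, seq):
    return {"src": src, "dst": dst, "type": typ, "id": ident, "seq": seq}


VICTIM = "203.0.113.10"
# Constructed capture: one legitimate ping exchange, then replies from two
# reflectors answering requests the attacker sent with our spoofed address.
CAPTURE = [
    icmp(VICTIM, "198.51.100.1", ECHO_REQUEST, 0x1234, 1),
    icmp("198.51.100.1", VICTIM, ECHO_REPLY, 0x1234, 1),
    icmp("192.0.2.7", VICTIM, ECHO_REPLY, 0x0001, 1),
    icmp("192.0.2.8", VICTIM, ECHO_REPLY, 0x0001, 1),
    icmp("192.0.2.7", VICTIM, ECHO_REPLY, 0x0001, 2),
    icmp("192.0.2.7", VICTIM, ECHO_REPLY, 0x0001, 3),
]
```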
DDoS attack categories – protocol exploit/malformed attacks
•  Protocol exploit attacks exploit a specific feature or implementation bug of some protocol
•  Malformed packet attacks
–  Rely on incorrectly formed IP packets that are sent from agents to the victim and will lead to the crash of the victim's system. Malformed packet attacks can be divided into IP address attacks and IP packet options attacks. In an IP address attack, the packet has the same source and destination IP addresses.
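The "same source and destination address" check above is the same test that catches the LAND attack from the earlier slide; the added example below (not lecture code) decodes an IPv4 + TCP header from raw bytes and applies it, distinguishing the classic LAND packet (equal ports, SYN set) from any other same-address packet. The sample packets are built in memory with the helper shown and use TEST-NET addresses.

```python
"""Decode an IPv4 + TCP header from raw bytes and apply the "IP address
attack" / LAND check: source address equal to destination address, and for
the classic LAND packet also equal ports with SYN set.  Added example for
these slides, not lecture code; the sample packets are constructed with the
builder below (they are only bytes in memory, nothing is sent)."""
import socket
import struct

SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Minimal 20-byte IPv4 header + 20-byte TCP header, no options/payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Return a dict with src/dst/proto (plus sport/dport/flags when the
    payload is TCP), or None if the bytes are not an IPv4 packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                       # header length in bytes
    pkt = {"src": socket.inet_ntoa(raw[12:16]),
           "dst": socket.inet_ntoa(raw[16:20]), "proto": raw[9]}
    if pkt["proto"] == 6 and len(raw) >= ihl + 20:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        pkt["flags"] = raw[ihl + 13]
    return pkt


def classify(raw):
    """'land' for the classic LAND packet, 'same-address' for any other packet
    whose source equals its destination (the slide's IP address attack), 'ok'
    otherwise.  Neither can legitimately arrive from the wire, so an ingress
    filter may drop both unconditionally."""
    pkt = parse_ipv4_tcp(raw)
    if pkt is None or pkt["src"] != pkt["dst"]:
        return "ok"
    if pkt.get("sport") == pkt.get("dport") and pkt.get("flags", 0) & SYN:
        return "land"
    return "same-address"


# Constructed samples (TEST-NET addresses)
LAND_PKT = build_ipv4_tcp("203.0.113.10", "203.0.113.10", 139, 139, SYN)
SAME_ADDR_PKT = build_ipv4_tcp("203.0.113.10", "203.0.113.10", 40000, 80, ACK)
NORMAL_PKT = build_ipv4_tcp("198.51.100.5", "203.0.113.10", 40000, 80, SYN)
```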
DDoS attack categories - Attack Rate Dynamics
•  Continuous-rate attacks
–  Comprise attacks that, after the onset of the attack, are executed with full force and without a break or decrement of force. The impact of such an attack is very quick.
•  Variable-rate attacks
–  "Vary the attack rate" and thus avoid detection and immediate response.
•  Fluctuating-rate: has a wavy rate that is defined by the victim's behavior and response to the attack, at times decreasing the rate to avoid detection.
•  Increasing-rate attacks gradually lead to the exhaustion of a victim's resources, something that may delay detection of the attack.
DDoS attack categories - Impact
•  Disruptive attacks
–  Lead to complete denial of the victim's service to its clients.
•  Degrading attacks
–  Result in delayed detection of the attack and much damage to the victim's system.
Differences between today's DDoS attack methods and the older ones
•  The basic principle is no different
•  Today, to acquire DDoS agents more efficiently
–  Large-scale malware propagation (SPAM, inserting malicious scripts after hacking web sites, etc.) → the technique of building a BOTNET out of zombie PCs has become more sophisticated
DDoS attack defense mechanism
•  First category (by activity)
–  Intrusion prevention
–  Intrusion detection
–  Intrusion response
–  Intrusion tolerance and mitigation
•  Second category (by location)
–  Victim network
–  Intermediate network
–  Source network
DDoS attack defense mechanism – intrusion prevention
•  Intrusion prevention
–  Attacking packets can be stopped before they cause serious damage.
–  Ingress filtering, egress filtering, route-based distributed packet filtering, history-based IP (HIP) filtering
•  Ingress filtering
–  Set up at the network edge to block incoming packets with illegitimate origin.
•  Egress filtering
–  A filtering method on outbound traffic, which allows packets only from a specific set of IP addresses to leave the network.
•  Route-based distributed packet filtering
–  An approach capable of filtering out a large portion of spoofed IP packets and preventing attack packets from reaching their targets, as well as helping in IP traceback.
•  HIP filtering
–  The edge router admits the incoming packets according to a prebuilt IP address database.
DDoS attack defense mechanism – intrusion prevention
•  Disabling unused services
–  If network services are not needed or unused, the services should be disabled to prevent attacks.
–  (e.g.) if UDP echo is not required, disabling this service will make the system more secure against this kind of attack.
•  Applying security patches
–  It can armor the hosts against DDoS attacks
•  Changing the IP address is a simple way to guard against a DDoS attack.
–  "Moving the target defense." All Internet and edge routers are informed when the IP address is changed in order to drop malicious packets
–  Only for local DDoS attacks based on IP addresses.
–  Attackers can render this technique useless by adding a DNS tracing function to the DDoS tool.
•  Disabling IP broadcasts
–  Defense for reflectors in Smurf and ICMP flood attacks.
–  Can be effective only if all the neighboring networks have also disabled IP broadcasts.
•  Load balancing
–  A simple approach that enables network providers to increase the provided bandwidth on critical connections and prevent their crash in case an attack is launched against them.
–  Additional failsafe protection can be the replication of servers in case some crash during a DDoS attack.
•  Honeypots
DDoS attack defense mechanism – intrusion detection
•  Prevention is the foremost requirement. Detection is the second line.
–  Anomaly detection
–  Misuse detection
•  Even detection is not easy
–  Degradation of performance does not only come from DoS attacks
DDoS attack defense mechanism – intrusion response
•  IP traceback
–  IP traceback traces the attacks back to their origin, so one can find the true identity of the attacker and achieve detection of asymmetric routes as well as path characterization.
–  ICMP traceback, link-testing traceback, probabilistic packet marking (PPM), hash-based IP traceback, Sleepy Traceback, and CenterTrack
•  Traffic pattern analysis
–  During a DDoS attack, traffic pattern data can be stored and then analyzed after the attack in order to find specific characteristics and features that may indicate an attack
•  Analysis of event logs
–  The selection of event logs recorded during the setup and the execution of the attack can be used to discover the type of DDoS attacks and do a forensic analysis.
–  Log sources: network equipment such as firewalls, packet sniffers, server logs, and honeypots
DDoS attack defense mechanism – Intrusion Tolerance and Mitigation
•  We already know that it is impossible to prevent or stop DDoS attacks completely
–  Then let's just focus on minimizing the attack impact and maximizing the quality of its services
•  Fault tolerance
–  A research area whose designs are built into critical infrastructures and applied at three levels: hardware, software, and system. Duplicating server, application or network resources
–  Distribute resources everywhere: CDN (content distribution network)
•  QoS
–  The ability of a network to deliver predictable results for some applications.
–  Many intrusion-tolerant QoS techniques and intrusion-tolerant QoS systems have been developed to mitigate DDoS attacks
Consensus Roadmap for Defeating Distributed Denial of Service Attacks
•  http://www.sans.org/dosstep/roadmap.php
Advice for writing your paper
•  To write a good paper on DDoS...
•  Micro-level
–  Develop a DDoS detection algorithm
–  Note that randomness appears, and that DDoS itself has state transitions
•  An ISP-wide view must be shown
•  Pay attention to the linkage with other applications
–  Example: DDoS is discovered through zombie PCs. Since fundamentally blocking DDoS is impossible, find the C&C server from the zombie PCs first
–  Zombie PCs do not only send DDoS traffic; normally they are used to send spam mail
–  75%~80% of spam mail is sent by zombie PCs
–  Track spam mail to find zombie PCs, and through them find the C&C server
Reference sites for writing your paper
•  CAIDA
–  http://www.caida.org/research/security/
•  Denial-of-Service Attack Backscatter
–  Backscatter-2008 Dataset
–  Backscatter-2007 Dataset
–  Backscatter-2006 Dataset
–  Backscatter-2004-2005 Dataset
–  Backscatter-TOCS Dataset
•  SCO Offline from Denial-of-Service Attack (2003)
–  [DoS Attack] Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO has faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours.
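The step from "2.8 million response packets seen" to "more than 700 million attack packets" is the backscatter estimate used with the datasets listed above; the added example below (not from the lecture or CAIDA) carries that arithmetic through. It assumes the telescope monitors a /8 (1/256 of IPv4 space) and that the victim answered each spoofed SYN with exactly one SYN/ACK; both are assumptions made here, not figures from the slide.

```python
"""Backscatter arithmetic behind the SCO figures quoted above.  A victim of
a SYN flood with uniformly random spoofed sources answers each attack packet
with a SYN/ACK to the forged address, so a passive telescope monitoring a
fraction f of IPv4 space sees about f of those answers.  Added example for
these slides; the /8 telescope size and one-reply-per-packet rule are
assumptions made here, not figures from the lecture."""

IPV4_SPACE = 2 ** 32


def telescope_fraction(prefix_len):
    """Fraction of IPv4 address space covered by one /prefix_len block."""
    return 2 ** (32 - prefix_len) / IPV4_SPACE


def estimate_attack_packets(observed_responses, prefix_len=8):
    """Scale observed backscatter up to the victim's total response count,
    assuming one response per attack packet and uniform source spoofing."""
    return round(observed_responses / telescope_fraction(prefix_len))


def estimate_rate_pps(observed_responses, hours, prefix_len=8):
    """Average attack rate in packets per second over the attack duration."""
    return estimate_attack_packets(observed_responses, prefix_len) / (hours * 3600)


def backscatter_profile(observed_responses, hours, prefix_len=8):
    """Return (total_attack_packets, average_pps).  Note what the estimate
    does NOT capture: attack packets that got no reply (victim down, or a
    filter dropped them) are invisible to the telescope."""
    total = estimate_attack_packets(observed_responses, prefix_len)
    return total, estimate_rate_pps(observed_responses, hours, prefix_len)


if __name__ == "__main__":
    total, pps = backscatter_profile(2_800_000, 32)
    print(f"~{total:,} attack packets, ~{pps:,.0f} pps on average")
```

The average of roughly 6,200 pps sits between the 50,000 pps peak and the later 3,700 pps quoted in the text, which is what one expects from a rate that fell sharply after the first hours.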