15computer and network security--Denial of Service Attacks

1 .1 Unwanted Traffic: Denial of Service Attacks Dan Boneh CS 155

2 .2 What is network DoS? Goal: take out a large site with little computing work How: Amplification Small number of packets ⇒ big effect Two types of amplification attacks: DoS bug: Design flaw allowing one machine to disrupt a service DoS flood: Command bot-net to generate flood of requests

3 .3 DoS can happen at any layer This lecture: Sample Dos at different layers (by order): Link TCP/UDP Application DoS mitigations Sad truth: Current Internet not designed to handle DDoS attacks

4 .4 Warm up: 802.11b DoS bugs Radio jamming attacks: trivial, not our focus. Protocol DoS bugs: [ Bellardo , Savage, ’ 03] NAV (Network Allocation Vector): 15-bit field. Max value: 32767 Any node can reserve channel for NAV seconds No one else should transmit during NAV period … but not followed by most 802.11b cards De-authentication bug : Any node can send deauth packet to AP Deauth packet unauthenticated ⇒ attacker can repeatedly deauth anyone

5 .5 Smurf amplification DoS attack Send ping request to broadcast addr (ICMP Echo Req) Lots of responses: Every host on target network generates a ping reply (ICMP Echo Reply) to victim Prevention: reject external packets to broadcast address gateway DoS Source DoS Target 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target

6 .6 Modern day example (Feb ’18 ) 2018: 87,000 exposed memcached servers ⇒ Feb. 2018: 1.35 Tbps attack on GitHub Simple solution: disable Memcached over UDP (no attack over TCP) memcached server DoS Source DoS Target memcached query SrcIP : Dos Target (15 bytes UDP) request for a large file response (750 KB) memcached amplification attack: ( ×51K amplification )

7 .Modern day example Same attack using other protocols: DNS, NTP, … (over UDP) DNS amplification : short DNS query, large response 2006: 0.58M open resolvers on Internet (Kaminsky- Shiffman ) 2017: 15M open resolvers ( openresolverproject.org ) ⇒ 3/2013: DDoS attack generating 309 Gbps for 28 mins. 31,000 open DNS resolvers, each outputting 10Mbps. Source: 3 networks that allowed source IP spoofing. NTP amplification: 2014: 400 Gbps (4500 NTP servers) 7

8 .8 Feb. 2014: 400 Gbps via NTP amplification (4500 NTP servers)

9 .9 Review: IP Header format Connectionless Unreliable Best effort Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset 0 31

10 .10 Review: TCP Header format TCP: Session based Congestion control In order delivery Source Port Dest port SEQ Number ACK Number Other stuff U R G P S R A C K P S H S Y N F I N 0 31

11 .11 Review: TCP Handshake C S SYN : SYN/ACK : ACK : Listening Store SN C , SN S Wait Established SN C ⟵ rand C AN C ⟵ 0 SN S ⟵ rand S AN S ⟵ SN C SN ⟵ SN C AN ⟵ SN S

12 .12 TCP SYN Flood I: low rate (DoS bug) C SYN C1 SYN C2 SYN C3 SYN C4 SYN C5 S Single machine : SYN Packets with random source IP addresses Fills up backlog queue on server No further connections possible

13 .13 SYN Floods (phrack 48, no 13, 1996) OS Backlog queue size Linux 1.2.x 10 FreeBSD 2.1.5 128 WinNT 4.0 6 Backlog timeout: 3 minutes Attacker needs only 128 SYN packets every 3 minutes Low rate SYN flood

14 .14 A classic SYN flood example MS Blaster worm (2003) Infected machines at noon on Aug 16 th : SYN flood on port 80 to windowsupdate.com 50 SYN packets every second. each packet is 40 bytes. Spoofed source IP: a.b.X.Y where X,Y random. MS solution : new name: windowsupdate.microsoft.com

15 .15 Low rate SYN flood defenses The problem: server commits resources (memory) before client responds Non-solution: Increase backlog queue size or decrease timeout Correct solution (when under attack) : Syncookies : remove state from server Small performance overhead

16 .16 Syncookies Idea: use secret key and data in packet to gen. server SN Server responds to Client with SYN-ACK cookie: T = 5-bit counter incremented every 64 secs . L = MAC key ( SAddr , SPort , DAddr , DPort , SN C , T ) [24 bits] key: picked at random during boot SN S = (T . mss . L) ( |L| = 24 bits ) Server does not save state (other TCP options are lost) Honest client responds with ACK (AN=SN S , SN=SN C +1) Server allocates space for socket only if valid SN S [Bernstein, Schenk]

17 .17 SYN floods: backscatter [MVS ’ 01] SYN with forged source IP  SYN/ACK to random host

18 .18 Backscatter measurement Listen to unused IP addresss space ( darknet ) Lonely SYN/ACK packet likely to be result of SYN attack 2001: 400 SYN attacks/week 2013: 773 SYN attacks/24 hours (arbor networks ATLAS) Larger experiments: (monitor many ISP darknets ) Arbor networks 0 2 32 monitor /8 network

19 .Estonia attack (ATLAS ‘ 07) Attack types detected: 115 ICMP floods, 4 TCP SYN floods Bandwidth : 12 attacks: 70-95 Mbps for over 10 hours All attack traffic was coming from outside Estonia Estonia ’ s solution: Estonian ISPs blocked all foreign traffic until attacks stopped ⇒ DoS attack had little impact inside Estonia 19

20 .20 Massive floods Command bot army to flood specific target: (DDoS) Flood with SYN, ACK, UDP, and GRE packets 623 Gbps (peak) from ≈100K compromised IoT devices At web site: Saturates network uplink or network router Random source IP ⇒ attack SYNs look the same as real SYNs What to do ??? (e.g. Mirai 9/2016 on Krebs )

21 .21 src : incapsula.com

22 .22 Google project shield Protecting news organizations. (Commercial service: Akamai, Cloudlare , … ) Idea: only forward established TCP connections to site Project Shield Proxy Web site Lots-of-SYNs Lots-of-SYN/ACKs Few ACKs Forward to site

23 .23 Other junk packets Proxy must keep floods of these away from web site Attack Packet Victim Response Rate: attk /day [ATLAS 2013] TCP SYN to open port TCP SYN/ACK 773 TCP SYN to closed port TCP RST TCP ACK or TCP DATA TCP RST TCP RST No response TCP NULL TCP RST ICMP ECHO Request ICMP ECHO Response 50 UDP to closed port ICMP Port unreachable 387

24 .24 Stronger attacks: GET flood Command bot army to: Complete TCP connection to web site Send short HTTP GET request Repeat Will bypass SYN flood protection proxy … but: Attacker can no longer use random source IPs. Reveals location of bot zombies Proxy can now block or rate-limit bots.

25 .24 Stronger attacks: GET flood Command bot army to: Complete TCP connection to web site Send short HTTP GET request Repeat Will bypass SYN flood protection proxy … but: Attacker can no longer use random source IPs. Reveals location of bot zombies Proxy can now block or rate-limit bots.

26 .26 DNS DoS Attacks (e.g. Dyn attack 10/2016 ) DNS runs on UDP port 53 DNS entry for victim.com hosted at DNSProvider.com DDoS attack: flood DNSProvider.com with DNS queries Random source IP address in UDP packets Takes out entire DNS server (collateral damage) Dyn attack: used some Mirai -based bots At least 100,000 malicious end points ⇒ Dyn cannot answer many legit DNS queries ⇒ Disrupted service at Netflix, Github , Twitter, …

27 .DoS via route hijacking YouTube is 208.65.152.0 /22 (includes 2 10 IP addr) youtube.com is 208.65.153.238, … Feb. 2008: Pakistan telecom advertised a BGP path for 208.65.153.0 /24 (includes 2 8 IP addr) Routing decisions use most specific prefix The entire Internet now thinks 208.65.153.238 is in Pakistan Outage resolved within two hours … but demonstrates huge DoS vuln. with no solution! 27

28 .28 DoS at higher layers SSL/TLS handshake [SD ’ 03] RSA-encrypt speed ≈ 10 × RSA-decrypt speed ⇒ Single machine can bring down ten web servers Similar problem with application DoS : Send HTTP request for some large PDF file Easy work for client, hard work for server. Web Server Client Hello Server Hello (pub-key) Client key exchange RSA Encrypt RSA Decrypt

29 .29 DoS Mitigation