DoS attacks outline
=======================
* What are they?
* Examples of such attacks.
* Defenses

An operational definition of DoS attacks
=======================
* From Wikipedia: An attack "where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet."
* An adversary tries to exhaust some scarce resource (e.g., network bandwidth, CPU cycles, memory, connection-table entries).
* DDoS: Incoming traffic originates from many different hosts.
* DoS/DDoS: Deny service to the good users by drowning their requests in a flood of bad ones.
* Different kinds of services can be denied:
  --> At the application level, an attacker can deny access to a database by issuing many expensive queries. (Attacks that exhaust host state rather than link capacity are attractive because they don't require vast amounts of network bandwidth; the TCP SYN flood below is another example.)
  --> At the network level, an attacker can saturate a link's capacity by sending too many packets.
  --> At the API level, an attacker can deny access to a remote functionality (e.g., a search API or a maps API) by sending too many API requests.
* Goals might be activism (Anonymous), blackmail, revenge, depleting the victim's monetary budget for computing (pay-per-use cloud resources), etc.

Some simple DoS/DDoS attacks and the resources they exhaust
======================
* A UDP flood without any form of rate control. Recall that TCP has flow/congestion control built into it; UDP has none, so a sender can push datagrams as fast as its link allows. Cellular providers perform some degree of monitoring to detect and prevent such UDP floods (give example of accidental flooding of Verizon's network in grad school).
* A fork bomb: Replicate a process until you exhaust process IDs (or the process table and memory). Requires shell access on the target. Can be done with two lines of shell on your own machines.
* SYN flood: Initiate many TCP connections, but never complete the three-way handshake. Each half-open connection occupies an entry in the listener's backlog (and kernel memory); once the backlog is full, the kernel drops new SYNs and legitimate clients can no longer connect. Cheap for the attacker: a SYN is a single small packet, and its source address can be spoofed.
* LAND attack: Send a forged packet whose source IP address and destination IP address are both set to the target host's IP address (typically with matching ports). Vulnerable stacks reply to themselves and can lock up. (https://www.juniper.net/documentation/en_US/junos/topics/concept/denial-of-service-network-land-attack-understanding.html)
* ICMP (ping) floods.
* Sending malformed packets that exploit known bugs in OS network stacks: This is why it's so important to patch your computers when new updates are released.
* Many of these are easy to carry out (using tools like scapy, which crafts and injects arbitrary packets, in some ways the inverse of tcpdump/wireshark, which capture and decode them) and also easy to defend against: rate-limit UDP packets, rate-limit newly created connections per source, etc.

Other details:
=====================
* Degradation of service (intermittent attacks) instead of flat-out denial of service; harder to notice and to distinguish from ordinary load.
* Amplification: Send DNS requests whose source address is spoofed to the victim's IP address to many open DNS resolvers. Each resolver responds to the victim with a much larger payload than the request (e.g., by asking for as much zone information as possible, such as an ANY query), so the attacker's bandwidth is multiplied by the response/request size ratio. This works because UDP never verifies the source address.
* Similar amplification is also possible using NTP's monlist command, which answers a small request with a list of up to 600 recent clients.
* DDoS attacks are the hardest to detect because the attack is spread out over many sources, and in many cases a DDoS is very similar to (and often indistinguishable from) a flash crowd where a site just got very popular.
* DDoS is typically carried out by an army of compromised computers (a botnet).

Examples of recent high-profile DDoS attacks (in particular, Mirai)
=======================
* Lecture draws material from "Understanding the Mirai botnet": https://zakird.com/papers/mirai.pdf
* Source code for Mirai: https://github.com/jgamblin/Mirai-Source-Code/
* Mirai was extremely unsophisticated: brute-force password guessing against default credentials. But it was far-reaching (a steady-state population of 200K-300K compromised hosts, peaking at about 600K). Showed that IoT devices were a pretty easy target for DDoS attackers to take over.
* "IoT botnets are the new normal of DDoS attacks": https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/
* Mirai targets (quotes from the paper above): "DVRs, IP cameras, routers, and printers."
* Launched attacks on Dyn, a Liberian telecom provider, Krebs on Security, game servers, etc.
* Mirai operation: Send TCP SYN packets to the telnet ports (23 and 2323) at pseudorandom IP addresses. Try to log in to any device that answers, using a small hardcoded dictionary of default credentials. On success, report the device's IP and working credentials back to a central report server; a separate loader then logs in and installs the bot binary on the device, which immediately starts scanning for more victims. Read Section 2 of the paper for details.
* "only 2.8% of Mirai attack commands relied on bandwidth amplification," showing the capabilities of these devices. In other words, even with wimpy IoT-style devices, you could reach attack volumes of several hundred Gbit/s to about 1 Tbit/s (623 Gbit/s against Krebs on Security; OVH reported over 1 Tbit/s) just by combining enough of them.
* Victims: "game servers, telecoms, and anti-DDoS providers, to political websites and relatively obscure Russian sites (Table 10)."
* "we note that 47 of 484 Mirai C2 IPs were themselves the target of a Mirai DDoS attack." What does this mean? After the source code was released, multiple rival Mirai variants run by different operators competed for the same pool of vulnerable devices and attacked each other's infrastructure.
* Takeaway from the Mirai paper: "IoT devices are much more heterogeneous and, from a security perspective, mostly neglected."
Other DDoS attacks
======================
* Project Chanology: DDoS attacks by the Anonymous group against the Church of Scientology.
* The Anonymous group DDoSing PayPal's blog and other sites in solidarity with WikiLeaks.
* The Anonymous group DDoSing MIT in relation to the death of Aaron Swartz.
* DDoS for hire ("booter" services): Look at the paper "Understanding the Emerging Threat of DDoS-as-a-Service".

Aside: Other botnets, besides the Mirai botnet
=======================
* Botnet definition: an army of compromised computers under a common command-and-control (C2) infrastructure.
* 5 famous botnets: https://tqaweekly.com/episodes/season5/tqa-se5ep11.php
* Srizbi botnet: responsible for most of the spam in the world at some point.
* Kraken botnet: again responsible for spam.
* Carna: used for estimating the size of the Internet (the 2012 "Internet Census").
* Not all botnets are used for DDoS. Some are used for spamming and others for relatively benign purposes (e.g., Carna), though even Carna ran on devices compromised without their owners' consent.

Defenses:
======================
* Firewalls, switches, and routers at the ingress points of a network that use packet filtering (e.g., drop packets whose source address could not legitimately arrive on that interface; rate-limit SYNs and UDP per source).
* Build models of normal and abnormal behavior and flag abnormal behavior.
* Intrusion detection systems that look for attack signatures, abnormally high rates of traffic, or both. Example of a signature: source and destination address are the same, as in the LAND attack. Example of a rate anomaly: many half-open connections from one source, as in a SYN flood.
* CAPTCHAs to ensure that a human and not a bot is carrying out the request (helps only at the application level; the packets still have to be received and processed).
* DDoS defense by offense ("speak-up"): Counterintuitive design that asks everyone to send more traffic. Protects against application-level DDoS on the assumption that the attackers' bots are already sending at full capacity while the good clients have spare upstream bandwidth. Basic idea: when an attack is detected (demand exceeds server capacity), ask all clients to send more requests (padding), and serve clients in proportion to the bandwidth they spend; because the good users can ramp up and the bots cannot, the good requests eventually crowd out the bad. https://www.cc.gatech.edu/classes/AY2007/cs7260_spring/papers/ddos-offense.pdf
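The signature and rate-based IDS rules above, run over a small set of packet records, as an added example (not code from the lecture). The packet records are constructed by hand rather than captured, they represent only traffic inbound to one server, and the thresholds are assumptions chosen so the sample trips each rule: a LAND signature (src == dst), a SYN flood (half-open connections per source) and a UDP flood (datagrams per source).

```python
"""Toy IDS rules for the simple attacks discussed above.

Added example, not code from the lecture. The packet records are
constructed (not real captures) and the thresholds are assumptions.
"""
from collections import defaultdict

# Addresses come from the RFC 5737 documentation ranges.
SERVER = "198.51.100.10"


def _tcp(src, sport, flags):
    """Helper to build an inbound TCP packet record to the server's port 80."""
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": SERVER, "dport": 80, "flags": flags}


# Constructed sample traffic, one dict per packet, in arrival order.
SAMPLE_PACKETS = (
    # Legitimate client: SYN followed by the ACK that completes the handshake.
    [_tcp("192.0.2.7", 40000, "S"), _tcp("192.0.2.7", 40000, "A")]
    # SYN flood: four SYNs from distinct source ports, never completed.
    + [_tcp("203.0.113.5", 50000 + i, "S") for i in range(4)]
    # LAND: source and destination are both the server, same port.
    + [{"proto": "tcp", "src": SERVER, "sport": 80,
        "dst": SERVER, "dport": 80, "flags": "S"}]
    # UDP flood: six datagrams to port 53 from one source.
    + [{"proto": "udp", "src": "203.0.113.9", "sport": 6000 + i,
        "dst": SERVER, "dport": 53} for i in range(6)]
)


def detect(packets, syn_threshold=3, udp_threshold=5):
    """Run three rules over a packet list and return a sorted list of
    (rule_name, source_ip) alerts, one per offending source."""
    alerts = set()
    half_open = set()             # (src, sport, dst, dport) awaiting final ACK
    udp_count = defaultdict(int)  # datagrams per source in this window

    for p in packets:
        # Rule 1 (signature): LAND packet, source equals destination.
        if p["src"] == p["dst"]:
            alerts.add(("land", p["src"]))
            continue

        if p["proto"] == "tcp":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if "S" in p["flags"]:
                half_open.add(key)        # handshake started
            elif "A" in p["flags"]:
                half_open.discard(key)    # third packet of handshake seen
        elif p["proto"] == "udp":
            udp_count[p["src"]] += 1

    # Rule 2 (state): too many half-open connections from one source.
    per_src = defaultdict(int)
    for src, _, _, _ in half_open:
        per_src[src] += 1
    for src, n in per_src.items():
        if n >= syn_threshold:
            alerts.add(("syn_flood", src))

    # Rule 3 (rate): too many UDP datagrams from one source in the window.
    for src, n in udp_count.items():
        if n >= udp_threshold:
            alerts.add(("udp_flood", src))

    return sorted(alerts)


if __name__ == "__main__":
    for rule, src in detect(SAMPLE_PACKETS):
        print(f"ALERT {rule}: {src}")
```

A real sensor would age out half-open entries and count per time window rather than per capture, and the thresholds would be tuned against a baseline of normal traffic; the point here is that both the LAND signature and the two rate rules are a few lines each, which is why these simple attacks are also simple to defend against.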
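A worked model of the defense-by-offense idea, as an added example that is neither the lecture's nor the paper's code. It assumes a server that allocates its capacity in proportion to what each client sends (a stand-in for the paper's bandwidth-proportional admission), bots that already send at their full link capacity, good clients with spare capacity, and a constructed scenario whose numbers are chosen for illustration. The example shows why asking good clients to send more raises the share of the server that they receive.

```python
"""Worked model of "DDoS defense by offense" (speak-up).

Added example, not code from the lecture or the paper. The fair-share
server model and the client numbers below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    demand: float           # requests/s the client actually needs served
    capacity: float         # requests/s its upstream link can push
    attacker: bool = False  # bots are assumed to already send at capacity


def offered_load(clients, speak_up):
    """Requests/s each client sends. Bots always send at capacity; good
    clients send only what they need unless asked to speak up, in which
    case they pad their traffic up to their link capacity."""
    return {c.name: (c.capacity if (c.attacker or speak_up) else c.demand)
            for c in clients}


def served_rates(clients, server_capacity, speak_up):
    """Requests/s the server serves per client, allocating its capacity in
    proportion to what each client sends (assumed fair-share model)."""
    load = offered_load(clients, speak_up)
    total = sum(load.values())
    if total <= server_capacity:
        return load                       # not overloaded: serve everything
    scale = server_capacity / total
    return {name: rate * scale for name, rate in load.items()}


def overloaded(clients, server_capacity):
    """Attack-detection trigger used here: offered demand exceeds capacity."""
    return sum(offered_load(clients, False).values()) > server_capacity


def good_user_satisfaction(clients, server_capacity, speak_up):
    """Fraction of the good users' real demand that actually gets served."""
    served = served_rates(clients, server_capacity, speak_up)
    good = [c for c in clients if not c.attacker]
    wanted = sum(c.demand for c in good)
    got = sum(min(served[c.name], c.demand) for c in good)
    return got / wanted


# Constructed scenario: the server handles 100 req/s; three good users need
# 10 req/s each but could push 200 req/s; five bots saturate 50 req/s each.
SCENARIO = (
    [Client(f"good{i}", demand=10, capacity=200) for i in range(3)]
    + [Client(f"bot{i}", demand=50, capacity=50, attacker=True) for i in range(5)]
)
SERVER_CAPACITY = 100


if __name__ == "__main__":
    attack = overloaded(SCENARIO, SERVER_CAPACITY)
    for mode in (False, True):
        s = good_user_satisfaction(SCENARIO, SERVER_CAPACITY, speak_up=mode and attack)
        print(f"speak_up={mode}: good users get {s:.0%} of what they need")
```

Without speak-up the bots' 250 req/s swamp the good users' 30 req/s and the good users get about 36% of what they need; once the good clients pad up to 600 req/s against the bots' unchanged 250 req/s, every good user's need is met. The defense costs the good clients bandwidth, and it does nothing if the attackers have capacity to spare, which is exactly the assumption the paper makes explicit.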