Professional Documents
Culture Documents
CS 155
How: Amplification
Small number of packets
big effect
Two types of amplification attacks:
DoS bug:
Design flaw allowing one machine to disrupt a
service
DoS flood:
Command bot-net to generate flood of requests
Dan Boneh
Warm up:
802.11b
This lecture:
Sad truth:
Current Internet not designed to handle DDoS attacks
DoS bugs
TCP Handshake
3 ICMP Echo Reply
Dest: Dos Target
gateway
S
SYNC
DoS
Target
Listening
SYNS, ACKC
Send ping request to broadcast addr (ICMP Echo Req)
Lots of responses:
Wait
ACKS
Store data
Connected
5
Single machine:
SYNC2
SYNC3
SYNC1
SYNC4
SYN Floods
(DoS bug)
OS
Linux 1.2.x
FreeBSD 2.1.5
WinNT 4.0
Backlog timeout:
No further connections
possible
SYNC5
[MVS01]
Backscatter analysis
10
[MVS01]
/8 network
monitor
232
Larger experiments:
Internet motion sensor (U.Mich)
Network telescope (UCSD)
11
What to do ???
12
Prolexic
Few ACKs
Forward
to site
Web
site
Attack Packet
Victim Response
TCP SYN/ACK
TCP RST
TCP RST
TCP RST
No response
TCP NULL
TCP RST
14
MS Blaster worm
but:
Attacker can no longer use random source IPs.
Reveals location of bot zombies
(2003)
MS solution:
15
16
DNS DoS
DDoS attack:
flood victim_isp.com with requests for victim.com
Random source IP address in UDP packets
What to do ???
17
CoDoNS: [Sirer04]
Cooperative Domain Name System
P2P design for DNS system:
DNS nodes share the load
Simple update of DNS entries
Backwards compatible with existing DNS
18
Payment DDoS
Client Hello
Server Hello (pub-key)
RSA
Encrypt
Web
Server
RSA
Decrypt
Merchant A
Merchant B
Merchant C
Dummy
purchase
Requests
19
20
1. Client puzzles
Idea: slow down attacker
DoS Mitigation
LSBn ( SHA-1( C || X ) ) = 0n
21
Examples
22
Hardness of challenge: n
Decided based on DoS attack volume.
Limitations:
Memory-bound functions
2. CAPTCHAs
Interesting observation:
Main memory access time ratio:
high end server / low end cell phone = 2
Better puzzles:
Solution requires many main memory accesses
Dwork-Goldberg-Naor, Crypto 03
Abadi-Burrows-Manasse-Wobber, ACM ToIT 05
25
1. Ingress filtering
Big problem:
3. Source identification
2000)
(RFC 2827,
26
ISP
Internet
27
Implementation problems
28
2. Traceback
Goal:
Given set of attack packets
Determine path to source
R2
R3
Transit AS
dest
R4
Assumptions:
Most routers remain uncompromised
Attacker sends many packets
Route from attacker to victim remains relatively
stable
Dest AS
No
29
30
Simple method
Better idea
Problem:
Requires space in packet
Path can be long
No extra fields in current IP format
A1
A2
R6
Each router
probabilistically stores
own address
Fixed space regardless
of path length
A3
R7
A4
A5
R8
R9
R10
R12
V
31
Edge Sampling
32
Packet received
R receives packet from source or another router
1
Packet contains space for start, end, distance
packet
e d
R1
R2
R3
33
Edge Sampling
packet
R1
R1
34
packet
R2
R3
R1
35
R1 R2 1
R2
R3
36
Edge Sampling
Path reconstruction
Increment distance
R chooses not to overwrite edge
3
Distance >0
Increment distance to 2
R1
R2
R1 R2 2
R3
E(X) <
ln(d)
p(1-p)d-1
37
Node Sampling?
38
1-p
1-p
1-p
V
a
Problems
Need many packets to infer path order
Does not work well if many paths
Version
Flags
b+c
c+d
40
Header Length
Type of Service
Total Length
Identification
Identification
Fragment Offset
Time to Live
Protocol
Header Checksum
Hash-Based IP Traceback
Snoeren, Partridge, Sanchez, Jones, Tchakountio,
Kent, Strayer. SIGCOMM 01
Options
39
a+b
Padding
IP Data
41
42
[Paxson 01]
Reflector:
A network component that responds to packets
Response sent to victim
(spoofed source IP)
Single Master
Many bots to
generate flood
Examples:
DoS Attack
Zillions of reflectors to
hide bots
Kills traceback and
pushback methods
44
Basic idea:
Receivers can specify what packets they want
How:
Sender requests capability in SYN packet
Path identifier used to limit # reqs from one source
Receiver responds with capability
Sender includes capability in all future packets
46
R1
Source AS
R2
R3
Transit AS
R4
dest
Dest AS
Attack packets
dropped
47
48
Pushback filtering
Mahajan, Bellovin, Floyd, Ioannidis, Paxson, Shenker.
Controlling High Bandwidth Aggregates in the Network.
Computer Communications Review 02.
Ioannidis, Bellovin.
Implementing Pushback: Router-Based Defense
Against DoS Attacks.
NDSS 02
Argyraki, Cheriton.
Active Internet Traffic Filtering: Real-Time Response to
Denial-of-Service Attacks.
USENIX 05.
49
50
Overlay filtering
Overlay filtering
52
D. Andersen. Mayday.
Distributed Filtering for Internet Services.
Usenix USITS 03.
Sad truth:
Current Internet is ill-equipped to handle DDoS
attacks
Many good proposals for core redesign.
53
54
THE END
55
10