J. A. “Drew” Hamilton, Jr., Ph.D.

Transcription

Auburn Information Assurance Laboratory
J. A. “Drew” Hamilton, Jr., Ph.D.
Director, Information Assurance Laboratory and Associate Professor
Computer Science & Software Engineering
107 Dunstan Hall
Auburn University, AL
FAX: (334) com
Denial of Service: Distributed Reflection DOS urity/1

Denial of Service (DoS) Attacks Against Wireless LANs and Protection Seminar
Distributed Reflection Denial of Service
References:
“The Distributed Reflection DoS Attack,” Steve Gibson, Gibson Research
“Understanding BGP Misconfiguration,” Mahajan, Wetherall and Anderson

Attack Overview
Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet's "core routers", web servers belonging to yahoo.com, and even a machine with an IP resolving to "gary7.nsa.gov".
– Cyberarmy.com
Victims appeared to be under attack by hundreds of very powerful and well-connected machines.

IP Security Overview
IP packets have no inherent security.
– It is relatively easy to:
  forge the contents of IP packets;
  modify the contents of IP packets;
  inspect the contents of IP packets in transit.
Therefore, there is no guarantee that IP datagrams received:
– are from the claimed sender (source address in the IP header);
– contain the original data that the sender placed in them;
– were not inspected by a third party while the packet was being sent from source to destination.

TCP Review
The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:
– SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.
– SYN/ACK: When a connection-requesting SYN packet is received at an ‘open’ TCP service port, the server's operating system replies with a connection-accepting SYN/ACK packet.
– ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.

Bandwidth Consumption DoS
Traditional SYN flooding DoS attacks are either one-on-one
– (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine)
or many-on-one
– (SYN flooding ‘zombie’ programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine).

Review of SYN Packets
SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a "SYN" packet to the server.

Review of SYN Packets
SYN/ACK: When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet.
ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.

SYN Packet with Deliberately Spoofed Return Address
Through the use of "Raw Sockets", the packet's "return address" (source IP) can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid connection request.

Raw Socket Review
Data is exchanged across the Internet by either establishing a bi-directional "TCP Connection" between two machines, or by sending a unidirectional "UDP Datagram" message from one machine to another. Both of these data transferring operations employ standard sockets.

Raw Sockets Review
Smooth and orderly traffic flow across the Internet requires machines to inform each other of various non-data events such as closed ports, network congestion, unreachable IP addresses, etc. The ICMP (Internet Control Message Protocol) was created to fill this need.
The operating system's built-in TCP/IP stack automatically and transparently generates and receives most of these "Internet plumbing" ICMP messages on behalf of the machine. To facilitate the creation of Internet plumbing applications, such as "ping" and "traceroute", which also employ ICMP messages, the Berkeley designers allowed programmers to manually generate and receive their own ICMP, and other, message traffic. As shown in the diagram, the Berkeley Sockets system provides this power through the use of a so-called "Raw Socket".
A Raw Socket short-circuits the TCP/IP stack to open a "backdoor" directly into the underlying network data transport.
– This provides full and direct "packet level" Internet access to any Unix sockets programmer.

SYN Packet: Destination Unknown
The server will allocate the required memory buffers, record the information about the new connection, and send an answering SYN/ACK packet back to the client.
But since the source IP contained in the SYN packet was deliberately falsified (it is often a random number), the SYN/ACK will be sent to a random IP address on the Internet.
If the packet were addressed to a valid IP, the machine at that address might reply with a "RST" (reset) packet to let the server know that it did not request a connection.
But with over 4 billion Internet addresses, the chances are that there will be no machine at the address and the packet will be discarded.

Reflection SYN Flooding
With a reflection SYN flooding attack the attacking machines send out huge volumes of SYN packets but with the IP source address pointing to the target machine.
The TCP three-way handshake requires that any TCP based service that receives a SYN packet must respond with a SYN/ACK packet.
The servers and routers that receive these fraudulent SYN packets dutifully send out the SYN/ACK packet to the machine pointed to by the SYN packet's IP source address.

SYN Reflector Capability
Consider this: any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets.
Here is a short list of the more popular TCP ports:
– 22 (Secure Shell)
– 23 (Telnet)
– 53 (DNS)
– 80 (HTTP/web)
And, virtually all of the Internet’s routers will accept TCP connections on port 179.
To fully comprehend the potential of this new form of DoS attack consider this:
– it uses a fundamental Internet communications protocol;
– machines that use this protocol exist in the millions;
– it is extremely easy to generate a list of ‘SYN packet reflectors’.

Generating and Using the ‘SYN Packet Reflector’ List
A simple script can be constructed to collect a large number of ‘SYN packet reflection’ capable routers and servers.
– Well-known web server farms, such as eBay and Yahoo, are easily available.
– Simple port scans through high bandwidth IP regions will reveal thousands, if not millions, of available TCP servers.
– Readily available tools such as Trace Route provide the IP address of every Internet router between the tracer and any other IP address.
Given a large list of SYN packet reflectors, each SYN spoofing attack host can distribute its fraudulent SYN packets evenly across every reflector on its list.

Load Balancing the Attack
The big win for the attacker is that since the SYN flooding machine is distributing its packets across a huge number of SYN packet reflectors, none of the innocent reflectors will experience significant levels of incomplete TCP connections.
And, since routers generally do not retain any record of previously routed packets, it makes tracking an attack from the victim to the attacker extremely difficult.

Force Multipliers
As if ease of attack and ubiquity of reflectors were not bad enough, it turns out that the reflectors will generate three or four times more SYN/ACK packets than the number of SYN packets they receive.
Since the TCP connection that receives the SYN command is expecting to receive an ACK back from the machine it sent the SYN/ACK response to, it will send out three or four more SYN/ACK responses over the next few minutes.
This TCP protocol feature essentially multiplies the number of malicious SYN/ACK packets being sent to the target machine by a factor of three or four.
It also means that the flood of SYN/ACK packets will continue to disable the target site for a minute or two even after the attacker has called off the attack.

Collateral Damage
The basic connection unit in the Internet is the router.
– Some routers serve only a small number of machines while other ‘aggregation routers’ collect and disperse large amounts of packet traffic from smaller networks.
During normal operations, the traffic flowing through the aggregation routers can be sorted and forwarded to the router's various lower bandwidth client networks.
Now imagine a SYN/ACK flood that is so large that it starts to degrade the performance of the aggregation router.
– Having to process and disperse so many packets to the client networks, the router will drop and discard a portion of the packets.
– Legitimate Internet clients, trying to access resources that have nothing to do with the target under attack, will also experience degraded, or complete denial of, service.

Solutions to SYN Spoofing
Operating system vendors responded to spoofed SYN packet DoS attacks by strengthening their TCP "protocol stacks" in various ways.
Most of these were quantitative improvements to make their systems less vulnerable, but they did not eliminate the problem.
Two complete, robust, and practical solutions were developed:
– The Unix community invented a clever "stateless" TCP connection system known as "SYN-cookies".
– Steve Gibson implemented a different solution which was dubbed "GENESIS".
Both of these DoS solutions arrange to stay compatible with all important aspects of the standard TCP protocol. They operate by eliminating all allocation of server resources after receiving a SYN packet and generating a SYN/ACK reply.
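The stateless idea behind SYN-cookies, as an added example (not the Unix implementation and not GENESIS): the server derives its SYN/ACK sequence number from a keyed hash of the connection four-tuple and a coarse clock, so a spoofed SYN costs it nothing and only an ACK that echoes a valid cookie creates state. The secret, the 64-second counter period and the addresses are constructed for this example.

```python
import hmac
import hashlib

# Constructed secret for this example; a real stack keeps it private and re-keys it.
SECRET = b"example-syn-cookie-secret"
COUNTER_PERIOD = 64   # seconds; a cookie is honoured for the current and the previous period

def _counter(now: float) -> int:
    return int(now) // COUNTER_PERIOD

def syn_cookie(src_ip, src_port, dst_ip, dst_port, now: float) -> int:
    """Sequence number the server puts in its SYN/ACK, derived from the four-tuple
    and a coarse clock instead of from a stored half-open connection record."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{_counter(now)}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def ack_matches_cookie(src_ip, src_port, dst_ip, dst_port, ack_number: int, now: float) -> bool:
    """The client's ACK must carry cookie + 1; recompute for this and the previous period."""
    claimed = ((ack_number - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    for age in (0, 1):
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, now - age * COUNTER_PERIOD)
        if hmac.compare_digest(expected.to_bytes(4, "big"), claimed):
            return True
    return False

class StatelessServer:
    """Toy listener: SYNs cost no memory, only completed handshakes are recorded."""

    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port
        self.established = []

    def on_syn(self, src_ip, src_port, now) -> int:
        # Reply SYN/ACK carrying the cookie as its sequence number; allocate nothing.
        return syn_cookie(src_ip, src_port, self.ip, self.port, now)

    def on_ack(self, src_ip, src_port, ack_number, now) -> bool:
        if not ack_matches_cookie(src_ip, src_port, self.ip, self.port, ack_number, now):
            return False            # forged or stale ACK: silently ignored
        self.established.append((src_ip, src_port))
        return True

def demo() -> dict:
    srv = StatelessServer("192.0.2.10", 80)          # constructed addresses (RFC 5737 ranges)
    # 10,000 SYNs with spoofed, never-answering sources: SYN/ACKs go out, no state is kept.
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now=1000.0)
    # A real client completes the handshake by echoing cookie + 1 a few seconds later.
    cookie = srv.on_syn("203.0.113.5", 51000, now=1000.0)
    real_ok = srv.on_ack("203.0.113.5", 51000, (cookie + 1) & 0xFFFFFFFF, now=1003.0)
    # A bare ACK with a guessed number never completes anything.
    forged_ok = srv.on_ack("203.0.113.6", 51001, 0x12345678, now=1003.0)
    return {"established": len(srv.established), "real_ok": real_ok, "forged_ok": forged_ok}
```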

Bandwidth Consumption
Unlike a DoS-style attack, in which a low rate of fraudulent SYN packets consumes a vulnerable server's TCP connection resources, a bandwidth attack creates a brute force flood of malicious "nonsense" Internet traffic to swamp and consume the target server's or its network connection's bandwidth.
This malicious packet flood competes with, and overwhelms, the network's valid traffic so that "good packets" have a low likelihood of surviving the flood.
The network's servers become cut off from the rest of the Internet, and their service is denied.

Internet Aggregation Router

The computers and/or networks shown to the right are serviced by the central "aggregation router."
– This router is placed at the "customer edge" of the Internet service provider's network to collect and disperse traffic from many smaller customer networks.
– Thus, many lower-bandwidth Internet connections are "aggregated" into a single high-bandwidth Internet connection for routing to the public Internet.
During normal operation, the traffic coming from the Internet down the "Big Pipe" will be sorted and forwarded to the router's various lower bandwidth client networks.
When the Big Pipe is filled by a high volume of packets bound for just one of the router's client networks:
– Faced with the task of squeezing too many packets from the big pipe into the much smaller pipe, the router has no choice but to deliberately drop and discard a large percentage of the packets struggling to get through the smaller pipe.
– Valid Internet clients, trying to access the resources on the far side of the smaller pipe, will resend their dropped packets. But these clients will generally give up after a few attempts. The victim's network is effectively blasted off the Internet by the flood of malicious traffic.

DoS versus DDoS

Distributed zombie traffic aggregation
As the individual streams of traffic move across the Internet from their many separate sources, they are combined by the Internet's routers to form a single massive flood . . .

SYN FLOODING INTERNET ROUTERS (Bandwidth Attack)
TCP servers were sending SYN/ACK packets to grc.com in the well-meaning belief that WE wanted to open a TCP connection with their built-in BGP servers.

Blocking the reflection attack
Gibson Research reaction to DRDoS:
First, block any inbound traffic originating from the BGP service port 179.
– Since the malicious hacker's SYN packets were aimed at the intermediate routers' port 179, any reflected packets would be originating from that port.
– Verio's engineer added a "filter" to the aggregation router servicing our Internet connection to block (drop) any packets inbound to us from port 179.
– The flood of packets coming in from port 179 immediately stopped.
But we did NOT return to the Internet.

Secondary Flooding
A fresh packet capture revealed that Gibson Research was now being actively flooded by an entirely new set of Internet servers.
Since this second set of traffic appeared only after the port 179 router traffic had been blocked, it appeared that this second wave of reflection traffic had been unable to compete with the routers' flood.
– (You know you're in trouble when packet floods are competing to flood you.)
With the routers' traffic blocked, we were now being flooded by SYN/ACK packets pouring in from ports 22 (Secure Shell), 23 (Telnet), 53 (DNS), and 80 (HTTP/Web).
There were also some packets coming from port 4001 (a proxy server port) and 6668 (IRC chat).

Packet Path Diffusion
The big win for the attacker is the extreme degree of "packet path diffusion" made possible when attack traffic can be bounced off a large number of intermediate TCP servers. This diagram is a representation of the path of traffic between a single attacker and victim.

Packet Path Diffusion with Reflectors
The addition of innocent reflection servers substantially transforms the attack.

Packet Path Diffusion with Reflectors
Upon leaving an attacking machine, the malicious SYN packets immediately fan out.
No longer aimed at the victim, these attack packets are instead being sent to widely spread TCP servers.
As we know, these servers are potentially located throughout the entire Internet.
Just a few "router hops" away from the attacker, the heavy packet flow will no longer be discernible because it will have diffused into neighboring routers rather than following a single path.

Defending against DRDoS
Routers can be configured to filter (drop) packets destined for a particular address or group of addresses.
– Router port 179 can be blocked as a reflector.
Since reflected SYN/ACK packets must bounce off a TCP server, and since almost all common service ports fall within the range from 1 to 1023, blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. Holes in the reflection filter may have to be created to allow legitimate traffic to pass through.
Block all inbound packets to high-numbered service ports. This has the undesirable effect that legitimate clients of the protected server could be generating connections from those blocked ports.
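The reflection filter described on this slide, replayed against the kind of capture described under Secondary Flooding (SYN/ACKs from ports 179, 22, 23, 53 and 80, plus a few from 6668), as an added example rather than the filter Verio actually installed: inbound SYN/ACKs from source ports 1 to 1023 are dropped, and the "hole" for legitimate traffic is modelled by remembering the SYNs the protected host itself sent (an assumption of this example; a router ACL would be stateless). Addresses are constructed from the RFC 5737 documentation ranges.

```python
from collections import Counter
from dataclasses import dataclass

SERVICE_PORTS = range(1, 1024)   # the slide's "almost all common service ports" range

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK

class ReflectionFilter:
    """Edge filter in front of one protected host. Inbound SYN/ACKs from the service
    port range are dropped unless the host itself sent the matching SYN; that lookup is
    the 'hole' for legitimate traffic, done statefully here as this example's assumption."""

    def __init__(self, protected_ip: str):
        self.protected_ip = protected_ip
        self.pending = set()            # (remote_ip, remote_port, local_port) of our own SYNs
        self.dropped_by_port = Counter()

    def outbound(self, p: Pkt) -> None:
        if p.src_ip == self.protected_ip and p.flags == "S":
            self.pending.add((p.dst_ip, p.dst_port, p.src_port))

    def inbound(self, p: Pkt) -> bool:
        """True = deliver, False = drop."""
        if p.dst_ip != self.protected_ip or p.flags != "SA":
            return True
        key = (p.src_ip, p.src_port, p.dst_port)
        if key in self.pending:          # reply to a connection we really opened
            self.pending.discard(key)
            return True
        if p.src_port in SERVICE_PORTS:  # unsolicited SYN/ACK from a service port: reflection
            self.dropped_by_port[p.src_port] += 1
            return False
        return True                      # high ports (4001, 6668 in the capture) still get through

def run_capture():
    """Replay a constructed capture (RFC 5737 addresses) through the filter."""
    victim = "192.0.2.10"
    f = ReflectionFilter(victim)
    f.outbound(Pkt(victim, 51000, "203.0.113.80", 80, "S"))      # we open a web connection
    capture = [
        Pkt("203.0.113.80", 80, victim, 51000, "SA"),              # genuine reply to our SYN
        Pkt("198.51.100.1", 179, victim, 40000, "SA"),             # reflected off a router's BGP port
        Pkt("198.51.100.2", 179, victim, 40001, "SA"),
        Pkt("198.51.100.20", 22, victim, 40002, "SA"),             # second wave: SSH, Telnet, DNS, web
        Pkt("198.51.100.21", 23, victim, 40003, "SA"),
        Pkt("198.51.100.22", 53, victim, 40004, "SA"),
        Pkt("198.51.100.23", 80, victim, 40005, "SA"),             # unsolicited, so dropped despite port 80
        Pkt("198.51.100.30", 6668, victim, 40006, "SA"),           # IRC port: above 1023, slips through
    ]
    delivered = [p for p in capture if f.inbound(p)]
    return delivered, dict(f.dropped_by_port)
```

The residual port 6668 traffic is exactly why the slide says the range filter blocks "most", not all, of the reflected flood.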

Defending against DRDoS
End-user client machines cannot be protected. Most client machines spend all of their time connecting to remote servers all over the Internet and require access to data coming back from many of the most common low-numbered service ports.
Servers could be programmed to recognize a SYN source IP address that never completes its connections and has an anomalous number of failed connections occurring within a period of time. The target of the reflection attack could be easily determined and the SYN/ACK response could be temporarily turned off.
ISPs could prevent the transmission of fraudulently addressed packets (packets with an IP source address not within their source address space) from within their controlled networks. This control mechanism alone would have a major dampening effect on this type of attack.
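The two remaining controls on this slide, as an added example (not code from the slides or from Gibson Research): a server used as a reflector counts, per source address, SYNs that never complete within a handshake timeout and temporarily stops answering a source that fails too often, and an ISP-side egress check forwards a customer's packet only if its source lies in the ISP's own address space. The thresholds, window lengths and addresses are constructed for this example.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 60.0             # seconds of failure history considered per source
HANDSHAKE_TIMEOUT = 30.0  # SYN with no ACK after this long = a failed connection
FAIL_THRESHOLD = 20       # failures inside WINDOW before SYN/ACKs to that source are switched off
SUPPRESS_FOR = 120.0      # seconds the SYN/ACK response stays off for a flagged source

class ReflectorGuard:
    """Per-source bookkeeping a TCP server could keep to notice it is being used as a reflector."""

    def __init__(self):
        self.half_open = {}                  # (src_ip, src_port) -> time the SYN arrived
        self.failures = defaultdict(deque)   # src_ip -> times of connections that never completed
        self.suppressed_until = {}           # src_ip -> time SYN/ACK replies may resume

    def on_syn(self, src_ip, src_port, now) -> bool:
        """True if the server should answer with SYN/ACK, False if replies to src_ip are off."""
        self._expire(now)
        if self.suppressed_until.get(src_ip, 0.0) > now:
            return False
        self.half_open[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port, now) -> None:
        self.half_open.pop((src_ip, src_port), None)   # completed handshake: not a failure

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 <= HANDSHAKE_TIMEOUT:
                continue
            del self.half_open[key]
            q = self.failures[key[0]]
            q.append(now)
            while now - q[0] > WINDOW:        # keep only failures inside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                self.suppressed_until[key[0]] = now + SUPPRESS_FOR

def egress_allowed(src_ip: str, own_prefixes) -> bool:
    """ISP-side check: forward a customer's packet only if its source is in the ISP's own space."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in own_prefixes)

def simulate() -> dict:
    g, victim, client = ReflectorGuard(), "192.0.2.10", "203.0.113.5"   # constructed addresses
    for port in range(40000, 40025):          # 25 spoofed SYNs "from" the victim, never acknowledged
        g.on_syn(victim, port, now=0.0)
    g.on_syn(client, 51000, now=0.0)          # a real client completes its handshake
    g.on_ack(client, 51000, now=0.2)
    victim_answered = g.on_syn(victim, 40025, now=31.0)   # timeouts fire here; victim now flagged
    client_answered = g.on_syn(client, 51001, now=31.0)
    return {"victim_answered": victim_answered, "client_answered": client_answered,
            "flagged": sorted(g.suppressed_until),
            "spoofed_egress": egress_allowed(victim, ["198.51.100.0/24"]),
            "own_egress": egress_allowed("198.51.100.7", ["198.51.100.0/24"])}
```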
