DoS
February 22, 2010Aurthor unknown
Whether launched by high school novices or savvy cyber-terrorists, Denial-of-Service (DoS) attacks have become a threat to network reliability. These attacks often result in considerable loss of time and money since they consume scarce and expensive resources: network bandwidth, memory and disk space, CPU time, access to other computers and networks, and the time and energy of high-paid network personnel.
It’s clear from anecdotal reports that DoS attacks have had a huge impact on many sites, both domestic and foreign, but until now there has been little data to quantify the prevalence of these attacks, nor any representative characterization of their behavior. Moreover, attempting to gather such data by monitoring traffic through enough sites to obtain a representative measure of Internet-wide attacks had been considered nearly impossible.
Describing a methodology for measuring DoS attacks
Recognizing that a strong quantitative foundation is necessary both for understanding the nature of DoS attacks and as a baseline for longer-term comparison and analysis, Savage and colleagues David Moore and Geoff Voelker at the University of California, San Diego, developed a technique called backscatter analysis.
The key observation behind this technique is that, in direct DoS attacks such as SYN floods and ICMP floods, random spoofed source addresses are used for each packet sent. When a spoofed packet arrives, the victim sends what it believes to be an appropriate response to the spoofed IP address. However, since the spoofed addresses are selected randomly, the victim’s responses, also known as backscatter, are also distributed randomly across the entire Internet address space.
In this illustration, the attacker sends a series of SYN packets towards the victim using a series of random spoofed addresses (represented by B, C, and D). The victim responds by sending SYN/ACK packets to each of the spoofed hosts, which are randomly distributed across the Internet address space.
Therefore, by monitoring a large enough fraction of the Internet address space, it is possible to “sample” all such DoS attacks occurring in the Internet. Every unsolicited response packet contains the identity of the victim, information about the attack, and a timestamp which can be used to estimate the duration of the attack. Finally, using the average arrival rate of unsolicited responses directed at the monitored address range, the actual rate of the attack being directed at the victim can be estimated.
Summary of global Denial-of-Service activity
Using the backscatter technique and additional attack classification methods, Professor Savage and his colleagues observed 12,805 attacks over the course of 3 weeks, with more than 5,000 distinct victims in more than 2,000 distinct DNS domains. They were also able to estimate a lower-bound on the intensity of DoS attacks – some of which were in excess of 600,000 packets-per-second (pps). They found attack behavior ranged from short periodic attacks degrading service for only a few minutes at a time, to continuous attacks flooding a site for an entire week.
Many victims were attacked multiple times – one site experiencing 48 separate attacks during the measurement period. Finally, in characterizing the victims, they found attacks directed against a wide range of targets including large commercial sites, such as Amazon and AOL, small to mid-sized commercial sites and corporations, Internet Service Providers (ISPs), foreign sites and home machines. In particular, a significant number of attacks were detected against key pieces of Internet infrastructure, including core network routers and name servers.
Ongoing Trends
DoS attacks remain a big challenge to network reliability as they become more sophisticated and prevalent. The barriers to prevent attacker activity have been steadily crumbling – available defense tools have little automation, response is expensive, and the availability of good security and network personnel is shrinking due to the demand for them.
Degradation of Service
Known as the new DoS, a Degradation of Service attack causes a decrease in processing speed and may not initially be recognized as an attack. Businesses that pay for bandwidth on a per-usage basis will notice a increase in costs, but since the effects are not immediately and dramatically evident, the attacks may go undetected for long periods.
Behind these new DoS attacks is the latest generation of DoS attack methods, the pulsing zombies. In a pulsing zombie DoS attack, several small, short-lived bursts of traffic from multiple sources are directed toward a single target over an extended period of time. Since the stream of traffic is transmitted intermittently by alternating zombies instead of as a long constant flow, attacks are more difficult to detect and trace. Pulsing zombie attacks have two forms:
Periodic attacks, during which an attacker launches an hour-long attack on the same target every 24 hours.
Punctuated attacks, launched at one minute intervals. These types of attacks are not designed to cause damage and usually do not crash systems. Instead, they create a pattern of network unreliability that results in constant and consistent interruption and annoyance to legitimate traffic.
Reflector attacks
Another new trend in DoS attacks is the reflector attack. The attacker “launders” an attack by sending a packet spoofed with the victim’s source address to a third party. The third party responds by sending a response back towards the victim. If the third party is accessed using a broadcast address (as they are with the popular smurf or fraggle attacks) then third parties may amplify the attack further.
The key issue with reflector attacks is that the source address is specifically selected. Unless an IP address in the range monitored is used as a reflector, these types of attacks cannot be observed.
The Effects of a DoS Attack
DoS attacks can have a significant effect on your CPU/memory resources, causing new connections to be dropped and existing connections to time out. They also affect network resources, and when traffic exceeds the router’s forwarding capacity, legitimate traffic is automatically dropped.
CPU/Memory resources
Many DoS attacks against servers, routers, and various network devices exploit legitimate features of applications or protocols, which makes them harder to prevent.
One example of this type of attack is the Transmission Control Protocol (TCP) SYN flood, during which a malicious client sends a TCP SYN packet from random spoofed IP addresses to the victim destination server. The victim destination server acknowledges receipt, sends back a SYN ACK packet to the spoofed IP addresses and waits for a final ACK packet from the spoofed IP address. With a low rate of fake TCP SYN packets, this simple process uses up resources that would otherwise be available to legitimate clients.
Another vulnerable area is the UDP (User Datagram Protocol), through which routers provide diagnostic information. A large number of fake diagnostic requests from random spoofed IP addresses can cause the router to answer the requests instead of forwarding packets.
Secure Sockets Layer (SSL), used to provide secure Web transactions, can also be a vulnerable point. Establishing an SSL-enabled HTTPS connection requires extensive cryptographic computation at the server, so even a moderate number of fake connection requests per second can overwhelm even powerful Web servers.
Other vulnerable points are e-mail servers, which can be easily overwhelmed with mail loops or forged mail to a large number of recipients.
Network resources
Due to the wave of attacks on prominent e-commerce and portal sites, attacks that consume network bandwidth and router resources have received a lot of media attention. By congesting the network with useless traffic that looks quite normal except for its unusually high volume, these attacks can render servers inaccessible and crash routers.
However, some attacks – for example, ICMP echo reply floods (smurf attacks) – generate easily identifiable traffic that can be easily filtered or rate-limited since these types of packets are not needed in high volume during normal operations.
Possible targets for a DoS Attack
Several parts of the network infrastructure are involved with any network or Internet activity – from DNS proxies and servers to routers and links, to firewalls, load balancers, end servers, and application code. All of these parts are vulnerable to DoS attacks.
DNS servers and proxies
All Internet connections start with a translation from the address typed in (for example, “astanetworks.com”) to the IP address of the machine(s) providing the service. This is implemented by a DNS lookup which is cached at the client or at the proxy serving a collection of clients.
These lookups and their replies are conveyed by individual, unauthenticated UDP packets, making it difficult to distinguish legitimate from bogus requests.
An attack against a DNS server can take the named service off-line, but an attack against a DNS proxy (for example, at an ISP) can take a collection of clients off-line.
Although DNS servers are usually replicated for improved performance and reliability, replication doesn’t guarantee protection from DoS attacks. With enough participating machines, an attacker can launch simultaneous flooding attacks against each replica and take them all down.
Routers
While most packets crossing a router are routed in hardware, traps to software are used for packets that require special handling – for example, ICMP “ping” requests tell if a router is still alive, TCP packets carry routing information, packets with invalid destination addresses (detected at the access link router), and TTL expirations. The router’s control processor handles these special packets at a much lower rate than the hardware forwarding path, but it’s usually not an issue since few normal packets require special processing.
A large numbers of special packets, however, can disrupt router operation. When flooded, the control processor is unable to receive and process routing updates and therefore appears “down” to its neighbors.
Links
The most powerful way to interrupt Internet service is to flood more packets across an individual link than it can carry. An upstream router receiving too many packets for a downstream link will simply drop the excess. And since routers can’t distinguish between legitimate and bogus packets, they are dropped indiscriminately.
Although any limited-capacity link in the path between a client and server (or DNS server) can be targeted, many link attacks have targeted the access link to Web servers, taking the servers off-line. For example, and attacker can take an enterprise or home user off-line by flooding its access link, disrupting both Web access and e-mail service at once.
Firewalls
One of the fundamental differences between Vantage System and existing attempts to solve DoS is in the approach. Firewalls and IDS products are designed to keep bad traffic out rather than to keep good traffic flowing. Although firewalls can examine each packet and attempt to discard malicious packets, they are not an effective DoS solution because they are themselves vulnerable to DoS attack. Since they process packets, their CPU resources can be overwhelmed by a flood of seemingly valid packets such as requests to set up authenticated connections.
Server operating systems
A number of DoS attacks have targeted the operating system resources for the end Web or application server. For example, some operating systems can handle only a limited number of open connections at a time, or a limited number of connections
that are closed but not acknowledged as being closed.
Application servers
Application servers such as chat rooms and e-mail servers are also vulnerable to DoS attacks.