Chapter 7 Denial-of-Service Attacks (Part 1) PDF

Summary

This chapter covers denial-of-service attacks, explaining the basic concepts, types of attacks (flooding, application-based, distributed), and defenses. It also details attack targets, such as network bandwidth, system resources, and application resources. The chapter also discusses source address spoofing and flooding attacks.

Full Transcript

Objectives

Explain the basic concept of a denial-of-service attack.

Computer Security CS433 Understand the nature of flooding attacks.

Describe distributed denial-of-service attacks.
Chapter 7 Explain the concept of an application-based bandwidth attack and give some examples.

- Denial-of-Service Attacks ( Part 1 ) – Present an overview of reflector and amplifier attacks.

Summarize some of the common defenses against denial-of-service attacks.

Summarize common responses to denial-of-service attacks
Diyala Alturki

Definition Attack Targets

Denial of service is a form of attack on the availability of some service. There are several categories of resources that could be attacked:

In the context of computer and communications security, the focus is generally on network services Network bandwidth

that are attacked over their network connection. System resources

A denial of service (DoS): is an action that prevents or impairs the authorized use of networks, Application resource

systems, or applications by exhausting resources such as central processing units (CPU), memory,

bandwidth, and disk space.
 DoS Attack on Network Bandwidth DoS Attack on System Resources
Network bandwidth relates to the capacity of the network links connecting a server to the wider
A DoS attack targeting system resources typically aims to overload or crash its network handling
Internet. software.

Rather than consuming bandwidth with large volumes of traffic, specific types of packets are sent
In a DoS attack, the vast majority of traffic directed at the target server is malicious, generated
that consume the limited resources available on the system.
either directly or indirectly by the attacker. This traffic overwhelms any legitimate traffic, effectively
These include temporary buffers used to hold arriving packets, tables of open connections, and
denying legitimate users access to the server.
similar memory data structures.

The SYN spoofing attack, which we discuss next, is of this type. It targets the table of TCP
connections on the server.

Another form of system resource attack uses packets whose structure triggers a bug in the system’s
network handling software, causing it to crash à This is known as a poison packet.

DoS Attack on Application Resource Source Address Spoofing
An attack on a specific application, such as a Web server, typically involves a number of valid
A common characteristic of packets used in many types of DoS attacks is the use of forged source
requests, each of which consumes significant resources. This then limits the ability of the server to
addresses. This is known as source address spoofing.
respond to requests from other users.
Given sufficiently privileged access to the network handling code on a computer system, it is easy
For example, a Web server might include the ability to make database queries. If a large, costly query
to create packets with a forged source address (and indeed any other attribute that is desired).
can be constructed, then an attacker could generate a large number of these that severely load the
This type of access is usually via the raw socket interface on many operating systems.
server. This limits its ability to respond to valid requests from other users.
Given raw access to the network interface, the attacker now generates large volumes of packets.
This type of attack is known as a cyberslam.
These would all have the target system as the destination address but would use randomly
Another alternative is to construct a request that triggers a bug in the server program, causing it to
selected, usually different, source addresses for each packet.
crash. This means the server is no longer able to respond to requests until it is restarted.
 Syn Spoofing Flooding Attacks
Syn Spoofing attacks the ability of a network server to respond to TCP connection requests by Flooding attacks take a variety of forms, based on which network protocol is being used to implement
overflowing the tables used to manage such connections. This means future connection requests the attack.
from legitimate users fail, denying them access to the server. It is thus an attack on system resources,
In all cases the intent is generally to overload the network capacity on some link to a server.
specifically the network handling code in the operating system.
The attack may alternatively aim to overload the server’s ability to handle and respond to this traffic.

These attacks flood the network link to the server with a torrent of malicious packets competing with,
and usually overwhelming, valid traffic flowing to the server. In response to the congestion this
causes in some routers on the path to the targeted server, many packets will be dropped.

Valid traffic has a low probability of surviving discard caused by this flood and hence of accessing the
server. This results in the server’s ability to respond to network connection requests being either
severely degraded or failing entirely.

Examples:

ICMP flood, UDP flood, and TCP SYN flood

Distributed Denial-of-Service Attacks (DDoS) DDoS Attack Architecture
Recognizing the limitations of flooding attacks generated by a single system, one of the earlier
significant developments in DoS attack tools was the use of multiple systems to generate attacks.

These systems were typically compromised user workstations or PCs. The attacker uses malware to
subvert the system and install an attack agent which they can control. Such systems are known as
zombies.

Large collections of such systems under the control of one attacker can be created, collectively
forming a botnet.

Such networks of compromised systems are a favorite tool of attacker, and can be used for a
variety of purposes, including distributed denial-of-service (DDoS) attacks.
 DDoS Countermeasures
The best defense against being an unwitting participant in a DDoS attack is to prevent your systems

Computer Security CS433
from being compromised.

This requires good system security practices and keeping the operating systems and applications on

such systems current and patched. Chapter 7
- Denial-of-Service Attacks ( Part 2 ) –

Diyala Alturki

Application-Based Bandwidth Attacks SIP Flood (1/2)
A potentially effective strategy for denial of service is to force the target to execute resource-consuming Voice over IP (VoIP) telephony is now widely deployed over the Internet. The standard protocol used for call setup in

VoIP is the Session Initiation Protocol (SIP).
operations that are disproportionate to the attack effort.

SIP is a text-based protocol with a syntax similar to that of HTTP.
For example, Web sites may engage in lengthy operations such as searches, in response to a simple request.
The figure is a simplified illustration of the operation of the SIP INVITE message, used to establish a media session
Application-based bandwidth attacks attempt to take advantage of the disproportionally large resource
between user agents.
consumption at a server.

We look at two protocols that can be used for such attacks
 SIP Flood (2/2) HTTP-Based Attacks
We consider two different approaches to exploiting the Hypertext Transfer Protocol (HTTP) to deny service:
A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
HTTP Flood
The attacker can flood a SIP proxy with numerous INVITE requests with spoofed IP addresses, or alternately a

DDoS attack using a botnet to generate numerous INVITE request. Slowloris

This attack puts a load on the SIP proxy servers in two ways:

First, their server resources are depleted in processing the INVITE requests.

Second, their network capacity is consumed.

Call receivers are also victims of this attack. A target system will be flooded with forged VoIP calls, making the
system unavailable for legitimate incoming calls.

HTTP Flood Slowloris
An HTTP flood refers to an attack that bombards Web servers with HTTP requests. Typically, this is a DDoS Slowloris exploits the common server technique of using multiple threads to support multiple requests to the
attack, with HTTP requests coming from many different bots. same server application. It attempts to monopolize all of the available request handling threads on the Web
server by sending HTTP requests that never complete.

The requests can be designed to consume considerable resources.
Since each request consumes a thread, the Slowloris attack eventually consumes all of the Web server’s
connection capacity, effectively denying access to legitimate users
For example, an HTTP request to download a large file from the target causes the Web server to read the
file from hard disk, store it in memory, convert it into a packet stream, and then transmit the packets. This
process consumes memory, processing, and transmission resources.

A variant of this attack is known as a recursive HTTP flood. In this case, the bots start from a given HTTP
link and then follows all links on the provided Web site in a recursive way. This is also called spidering.
 Reflector and Amplifier Attacks The Simple Reflection Attack
In contrast to DDoS attacks, where the intermediaries are compromised systems running the attacker’s The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual
programs, reflector and amplifier attacks use network systems functioning normally.
target system.
The attacker sends a network packet with a spoofed source address to a service running on some network server.
The server responds to this packet, sending it to the spoofed source address that belongs to the actual attack When the intermediary responds, the response is sent to the target.
target.
Effectively this reflects the attack off the intermediary, which is termed the reflector, and is why this is called a
If the attacker sends a number of requests to a number of servers, all with the same spoofed source address, the
reflection attack.
resulting flood of responses can overwhelm the target’s network link.

Ideally the attacker would like to use a service that created a larger response packet than the original request.

There are two basic variants of this type of attack: This allows the attacker to convert a lower volume stream of packets from the originating system into a higher

The simple reflection attack volume of packet data from the intermediary directed at the target. Common UDP services are often used for this

The amplification attack purpose (e.g., DNS)

DNS Reflection Attack Amplification Attacks
A further variation of the reflector attack establishes a self-contained loop between the intermediary and the target
system. Amplification attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source

For example, the attacker sends a query to the DNS server with a spoofed IP source address of j.k.l.m; this is the IP address for the target system to intermediaries.
address of the target.
They differ in generating multiple response packets for each original packet sent. This can be achieved by
The attacker uses port 7, which is usually associated with echo, a reflector service.
directing the original request to the broadcast address for some network.
The DNS server then sends a response to the victim of the attack, j.k.l.m, addressed to port 7. If the victim is
offering the echo service, it may create a packet that echoes the received data back to the DNS server. As a result, all hosts on that network can potentially respond to the request, generating a flood of responses

This can cause a loop between the DNS server and the victim if the DNS server responds to the packets sent by the
victim. Most reflector attacks can be prevented through network-based and host-based firewall rulesets that reject
suspicious combinations of source and destination ports.
 Amplification Attacks - Defense DNS Amplification Attacks
Do not allow directed broadcasts to be routed into a network from outside. Attackers gain attack amplification by exploiting the behavior of the DNS protocol to convert a small request into a

much larger response. This contrasts with the original amplifier attacks, which use responses from multiple systems
Limit network services like echo and ping from being accessed from outside an organization. This restricts which
to a single request to gain amplification.
services could be used in these attacks, at a cost in ease of analyzing some legitimate network problems.

Using the classic DNS protocol, a 60-byte UDP request packet can easily result in a 512-byte UDP response, the

maximum traditionally allowed. All that is needed is a name server with DNS records large enough for this to occur.

Defenses Against DoS Attacks (1/2) Defenses Against DoS Attacks (2/2)
Attack prevention and preemption (before the attack): Attack source traceback and identification (during and after the attack):

These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. This is an attempt to identify the source of the attack as a first step in preventing future attacks. However, this

Techniques include enforcing policies for resource consumption and providing backup resources available on method typically does not yield results fast enough, if at all, to mitigate an ongoing attack.

demand. In addition, prevention mechanisms modify systems and protocols on the Internet to reduce the

possibility of DDoS attacks.
Attack reaction (after the attack):

This is an attempt to eliminate or curtail the effects of an attack.
Attack detection and filtering (during the attack):

These mechanisms attempt to detect the attack as it begins and respond immediately. This minimizes the impact

of the attack on the target. Detection involves looking for suspicious patterns of behavior. Response involves

filtering out packets likely to be part of the attack.