
Ch07 (Denial of Service Attacks)

Chapter 7 of 'Computer Security: Principles and Practice' discusses denial-of-service (DoS) attacks, which disrupt authorized access to networks and systems by exhausting resources. It covers various types of DoS attacks, including ICMP flooding, SYN spoofing, and distributed DoS (DDoS) attacks, as well as their mechanisms and defenses. The chapter highlights the significance of these attacks in the context of network security and the challenges in mitigating them.

Uploaded by

krishn05082002

Computer Security: Principles and Practice

Chapter 7: Denial-of-Service Attacks


Lecture slides prepared by Dr Lawrie Brown (UNSW@ADFA) for “Computer Security:
Principles and Practice”, 1/e, by William Stallings and Lawrie Brown, Chapter 1
“Overview”.

Denial-of-service
Denial of service (DoS) is an action that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources such as central
processing units (CPU), memory, bandwidth, and disk space
Attacks (overload or invalid request services that consume significant resources)
network bandwidth
system resources (SYN Spoofing)
application resources
Have been an issue for some time (25% of respondents to an FBI survey)

This chapter explores denial of service attacks, their definition, the various
forms they take, and defenses against them. Denial of service is a form of attack
on the availability of some service. In the context of computer and communications
security, the focus is generally on network services that are attacked over their
network connection. From this definition you can see that there are several
categories of resources that could be attacked:
• network bandwidth - relates to the capacity of the network links connecting a
server to the wider Internet
• system resources - typically aims to overload or crash its network handling
software
• application resources - aim to overload the capabilities of a server and limit
its ability to respond to requests from other users
Denial of Service attacks have been a problem for many years. The 2006 CSI/FBI
Computer Crime and Security Survey states that 25% of respondents experienced some
form of denial of service attack in the previous 12 months. This value has varied
between 25% and 40% over the previous 8 years of surveys.

Ping (ICMP) flooding


Software utility used to test the reachability of a host
Flooding ping command (ICMP flooding)
Aim of this attack is to overwhelm the capacity of the network connection to the
target organization
Traffic can be handled by higher capacity links on the path, but packets are
discarded as capacity decreases
Source of the attack is clearly identified unless a spoofed address is used
Network performance is noticeably affected
Attack traffic is symmetrical; the amount of bandwidth the targeted device receives
is simply the sum of the total traffic sent from each bot

Internet Control Message Protocol (ICMP)


The Internet Control Message Protocol (ICMP) is one of the main IP protocols; it is
used by network devices, like routers, to send error messages (e.g., a requested
service is not available or a host or router could not be reached)

The host must respond to all echo requests with an echo reply containing the exact
data received in the request message

Classic DoS attacks

For example, in the network shown in Figure 8.1, the attacker might use the large
company’s web server to target the medium sized company with a lower capacity
network connection.

Source address spoofing


Use forged source addresses
Makes attacking systems harder to identify
Attacker generates large volumes of packets that have the target system as the
destination address
Congestion would result in the router connected to the final, lower capacity link

A common characteristic of packets used in many types of denial of service attacks
is the use of forged source addresses. This is known as source address spoofing.
Given sufficiently privileged access to the network handling code on a computer
system, it is easy to create packets with a forged source address (and indeed any
other attribute that is desired). Given raw access to the network interface, the
attacker now generates large volumes of packets. These would all have the target
system as the destination address, but use randomly selected, usually different,
source addresses for each packet. These packets would flow over the same path from
the source towards the target system. The same congestion would result in the
router connected to the final, lower capacity link. However the response packets,
generated in response to those packets reaching the target system, would no longer
be reflected back to the source system. Rather they would be scattered across the
Internet to all the various forged source addresses. Some of these addresses might
correspond to real systems, others may not be used, or not reachable. As well, the
use of packets with forged source addresses means the attacking system is much
harder to identify. The attack packets seem to have originated at addresses
scattered across the Internet. Hence just inspecting each packet’s header is not
sufficient to identify its source. Rather the flow of packets of some specific form
through the routers along the path from the source to the target system must be
identified.

SYN spoofing
Common DoS attack
Attacks the ability of a server to respond to future connection requests by
overflowing the TCP tables used to manage them
Legitimate users are denied access to the server
Hence an attack on system resources, specifically the network handling code in the
operating system

Along with the basic flooding attack, the other common classic denial of service
attack is the SYN spoofing attack. This attacks the ability of a network server to
respond to TCP connection requests by overflowing the tables used to manage such
connections. This means future connection requests from legitimate users fail,
denying them access to the server. It is thus an attack on system resources,
specifically the network handling code in the operating system.

TCP connection handshake


[Figure: TCP connection handshake, showing the SYN/ACK packets; x = client seq#, y = server seq#]

To understand the operation of these attacks we need to review the 3-way handshake
that TCP uses to establish a connection. This is illustrated in Figure 8.2. The
client system initiates the request for a TCP connection by sending a SYN packet to
the server. This identifies the client’s address and port number, and supplies an
initial sequence number. The server records all the details about this request in a
table of known TCP connections. It then responds to the client with a SYN-ACK
packet. This includes a sequence number for the server, and increments the client’s
sequence number to confirm receipt of the SYN packet. Once the client receives this
it sends an ACK packet to the server with an incremented server sequence number,
and marks the connection as established. Likewise, when the server receives this
ACK packet it also marks the connection as established. Either party may then
proceed with data transfer. In practice, this ideal exchange sometimes fails. These
packets are transported using IP, which is an unreliable, though best-effort,
network protocol. Any of the packets might be lost in transit, as a result of
congestion for example. Hence both the client and server keep track of which
packets they have sent, and if no response is received in a reasonable time, will
resend those packets. As a result, TCP is a reliable transport protocol, and any
applications using it need not concern themselves with problems of lost or
reordered packets.

SYN spoofing attack


A SYN spoofing attack exploits this behavior on the targeted server system. The
attacker generates a number of SYN connection request packets with forged source
addresses. For each of these the server records the details of the TCP connection
request, and sends the SYN-ACK packet to the claimed source address, as shown in
Figure 8.3. The server will resend the SYN-ACK packet a number of times before
finally assuming the connection request has failed, and deleting the information
saved concerning it. This table is typically sized on the assumption that most
connection requests quickly succeed, and that a reasonable number of requests may
be handled simultaneously. However in a SYN spoofing attack, the attacker directs a
very large number of forged connection requests at the targeted server. These
rapidly fill the table of known TCP connections on the server. Once this table is
full, any future requests, including legitimate requests from other users, are
rejected. The table entries will time out and be removed, which in normal network
usage, corrects temporary overflow problems. However, if the attacker keeps a
sufficient volume of forged requests flowing, this table will be constantly full
and the server will be effectively cut off from the Internet, unable to respond to
most legitimate connection requests.

SYN spoofing attack: attacker’s source


Attacker often uses either
random source addresses (addresses that may not exist)
or that of an overloaded server (that may not send a RST)
to block return of (most) reset packets
Has much lower traffic volume
attacker can be on a much lower capacity link
Objective: uses addresses that will not respond to the SYN-ACK with a RST

In order to increase the usage of the known TCP connections table, the attacker
ideally wishes to use addresses that will not respond to the SYN-ACK with a RST.
This can be done by overloading the host that owns the chosen spoofed source
address, or by simply using a wide range of random addresses. In this case, the
attacker relies on the fact that there are many unused addresses on the Internet.
Consequently a reasonable proportion of randomly generated addresses will not
correspond to a real host.
There is a significant difference in the volume of network traffic between a SYN
spoof attack, and the basic flooding attack we discussed. The actual volume of SYN
traffic can be comparatively low, nowhere near the maximum capacity of the link to
the server. It simply has to be high enough to keep the known TCP connections table
filled. Unlike the flooding attack, this means the attacker does not need access to
a high volume network connection. In the network shown in Figure 8.1, the medium
sized organization, or even a broadband home user, could successfully attack the
large company server using a SYN spoofing attack.

Types of flooding attacks


Classified based on network protocol used
Objective: to overload the network capacity on some link to a server
Virtually any type of network packet can be used
ICMP Flood
Uses ICMP packets, eg ping (echo) request
Typically allowed through, some required
UDP Flood
Uses UDP packets to random ports
Without an initial handshake to ensure a legitimate connection, UDP channels can be
used to send a large volume of traffic to any host.
TCP SYN Flood
Sends TCP SYN (connection request) packets
But for volume attack

Flooding attacks take a variety of forms, based on which network protocol is being
used to implement the attack. Common flooding attacks use any of the ICMP, UDP or
TCP SYN packet types.
An ICMP flooding attack uses an ICMP packet, such as ICMP echo request packets in a
ping flood. This type of ICMP packet was chosen since traditionally network
administrators allowed such packets into their networks. More recently, many
organizations have restricted the ability of these packets to pass through their
firewalls. In response, attackers have started using other ICMP packet types. Since
some of these should be handled to allow the correct operation of TCP/IP, they are
much more likely to be allowed through an organization’s firewall.
An alternative to using ICMP packets is to use UDP packets directed to some port
number, and hence potential service, on the target system. Spoofed source addresses
are normally used if the attack is generated using a single source system, for the
same reasons as with ICMP attacks.
Another alternative is to send TCP packets to the target system. Most likely these
would be normal TCP connection requests, with either real or spoofed source
addresses. In this case, it is the total volume of packets that is the aim of the
attack, rather than specifically targeting the system code. This is the difference
between a SYN spoofing attack and a SYN flooding attack.

Distributed DoS attacks


Have limited volume if single source used
Multiple systems allow much higher traffic volumes to form a distributed DoS (DDoS)
attack
Often compromised PC’s/workstations
Zombies with backdoor programs installed
Forming a botnet
Example: Tribe Flood Network (TFN), TFN2K
Implemented ICMP flood, SYN flood, UDP flood and ICMP amplification attacks

All of these flooding attack variants are limited in the total volume of traffic
that can be generated if just a single system is used to launch the attack. By
using multiple systems, the attacker can significantly scale up the volume of
traffic that can be generated. Each of these systems need not be particularly
powerful, or on a high capacity link. But what they don’t have individually, they
more than compensate for in large numbers. These systems were typically compromised
user workstations or PC’s. The attacker used some well-known flaw in the operating
system or in some common application, to gain access to these systems, and to
install their own programs on it. Such systems are known as “zombies”. Once
suitable “backdoor” programs were installed on these systems, they were entirely
under the attacker’s control. Large collections of such systems under the control
of one attacker can be created, collectively forming a “botnet”. One of the
earliest and best known DDoS tools is Tribe Flood Network (TFN), written by the
hacker known as Mixter. The original variant from the 1990’s exploited Sun Solaris
systems. It was later rewritten as Tribe Flood Network 2000 (TFN2K), and could run
on UNIX, Solaris, and Windows NT systems. The agent was a Trojan program that was
copied to, and run on compromised, zombie systems. It was capable of implementing
ICMP flood, SYN flood, UDP flood, and ICMP amplification forms of denial of service
attacks.

DDoS control hierarchy


Attacker sends one command to the handler zombies;
the handler forwards to other handlers, agents

Whilst the attacker could command each zombie individually, more generally a
control hierarchy is used. A small number of systems act as handlers controlling a
much larger number of agent systems, as shown in Figure 8.4. There are a number of
advantages to this arrangement. The attacker can send a single command to a
handler, which then automatically forwards it to all the agents under its control.
Automated infection tools can also be used to scan for and compromise suitable
zombie systems. Once the agent software is uploaded to a newly compromised system,
it can contact one or more handlers to automatically notify them of its
availability. By this means, the attacker can automatically grow suitable
“botnets”. TFN and TFN2K use a version of this two-layer command hierarchy.
The best defense against being an unwitting participant in a DDoS attack is to
prevent your systems from being compromised. For the target of a DDoS attack, the
response is the same as for any flooding attack, but with greater volume and
complexity.

Application-based bandwidth attacks


Force the victim system to execute resource-consuming operations (e.g., searches,
complex DB queries)

HTTP-based attacks
Attempts to monopolize by sending HTTP requests that never complete
Eventually consumes Web server’s connection capacity
Utilizes legitimate HTTP traffic
Spidering: Bots starting from a given HTTP link and following all links on the
provided Web site in a recursive way
Existing intrusion detection and prevention solutions that rely on signatures to
detect attacks will generally not recognize Slowloris

Reflection attacks
Attacker sends packets to a known service on the intermediary with a spoofed source
address of the actual target system
When intermediary responds, the response is sent to the target
“Reflects” the attack off the intermediary (reflector)
Goal is to generate enough volumes of packets to flood the link to the target
system without alerting the intermediary
The basic defense against these attacks is blocking spoofed-source packets

Reflection and amplification attacks use network systems functioning normally. The
attacker sends a network packet with a spoofed source address to a service running
on some network server, which responds to this packet, sending it to the spoofed
source address that belongs to the actual attack target. If the attacker sends a
number of requests to a number of servers, all with the same spoofed source
address, the resulting flood of responses can overwhelm the target’s network link.
The fact that normal server systems are being used as intermediaries, and that
their handling of the packets is entirely conventional, means these attacks can be
easier to deploy, and harder to trace back to the actual attacker. Ideally the
attacker would like to use a service that created a larger response packet than the
original request. This allows the attacker to convert a lower volume stream of
packets from the originating system into a higher volume of packets from the
intermediary directed at the target. Common UDP services are often used for this
purpose. Another variant of reflection attack uses TCP SYN packets, and exploits
the normal 3-way handshake used to establish a TCP connection. Fundamental to the
success of reflection attacks is the ability to create source spoofed packets. If
filters are in place which block source spoofed packets, then these attacks are
simply not possible.

Reflection attacks
Further variation creates a self-contained loop between intermediary and target
(attacker spoofs using port 7 requiring echoes)

A further variation of the reflector attack establishes a self-contained loop
between the intermediary and the target system. Originally the UDP echo service was
used for this, if running on both systems. The attacker would send a large UDP
packet to the echo service on the intermediary, using a spoofed source address and
port for the echo service on the target system. The intermediary would respond with
a packet to the echo service on the target. When the target received this, it would
reply in turn to the intermediary. This process would continue with the packet
being echoed back and forth between these systems, until a packet was discarded or
otherwise failed to arrive at its destination. If the attacker kept generating a
low volume of the original source spoofed packets, this attack could be sustained
for long periods, flooding the link between the intermediary and the target. The
echo and chargen services, and other similar diagnostic network services can be
used to create such reflection loops. Figure 8.5 illustrates this attack. Whilst
very effective if possible, this type of attack is fairly easy to filter for, since
the combinations of service ports used should never occur in normal network
operation.

DNS amplification attacks


Allows attackers to magnify the amount of malicious traffic they can generate
Use packets directed at a legitimate DNS server as the intermediary system
Attacker creates a series of DNS requests containing the spoofed source address of
the target system
Exploit DNS behavior to convert a small request to a much larger response
(amplification)
In the classic DNS protocol, a 60-byte UDP request packet results in a 512-byte UDP
response
Target is flooded with responses

A further variant of a reflection or amplification attack uses packets directed at
a legitimate DNS server as the intermediary system. They gain attack amplification
by exploiting the behavior of the DNS protocol to convert a small request into a
much larger response. Using the classic DNS protocol, a 60 byte UDP request packet
can easily result in a 512 byte UDP response, the maximum traditionally allowed.
More recently, the DNS protocol has been extended to allow much larger responses of
over 4000 bytes, to support extended DNS features such as IPv6, security, and
others. By targeting servers that support the extended DNS protocol, significantly
greater amplification can be achieved than with the classic DNS protocol.
In this attack, a selection of suitable DNS servers with good network connections
are chosen. The attacker creates a series of DNS requests containing the spoofed
source address of the target system. These are directed at a number of the selected
name servers. They respond to these requests, sending the replies to the spoofed
source, which appears to them to be the legitimate requesting system. The target is
then flooded with their responses. Because of the amplification achieved, the
attacker need only generate a moderate flow of packets to cause a larger, amplified
flow to flood and overflow the link to the target system. Whilst the intermediate
systems will also experience significant loads, by using a number of high capacity,
well connected systems, the attacker can ensure they are not overloaded, allowing
the attack to proceed.

Amplification attacks
Can take advantage of broadcast address of some network

Amplification attacks are a variant of reflector attacks and also involve sending a
packet with a spoofed source address for the target system to intermediaries. They
differ in generating multiple response packets for each original packet sent. This
can be achieved by directing the original request to the broadcast address for some
network. As a result, all hosts on that network can potentially respond to the
request, generating a flood of responses as shown in Figure 7.7. It is only
necessary to use a service handled by large numbers of hosts on the intermediate
network. A ping flood using ICMP echo request packets was a common choice, since
this service is a fundamental component of TCP/IP implementations and was often
allowed into networks. The well-known smurf DoS program used this mechanism and was
widely popular for some time. Another possibility is to use a suitable UDP service,
such as the echo service. The fraggle program implemented this variant. Note that
TCP services cannot be used in this type of attack; because they are connection
oriented, they cannot be directed at a broadcast address. Broadcasts are inherently
connectionless.

The best additional defense against this form of attack is to not allow directed
broadcasts to be routed into a network from outside. Indeed, this is another
longstanding security recommendation, unfortunately about as widely implemented as
that for blocking spoofed source addresses. If these forms of filtering are in
place, these attacks cannot succeed. Another defense is to limit network services
like echo and ping from being accessed from outside an organization. This restricts
which services could be used in these attacks, at a cost in ease of analyzing some
legitimate network problems.

Attackers scan the Internet looking for well-connected networks that do allow
directed broadcasts and that implement suitable services attackers can reflect off.
These lists are traded and used to implement such attacks.

Four lines of defense against DDoS attacks


Attack prevention and preemption (before attack)
Attack detection and filtering (during the attack)
Attack source traceback and identification (during and after the attack)
Attack reaction (after the attack)

DoS attack prevention


Block spoofed source addresses
On routers as close to source as possible
Filters may be used to ensure path back to the claimed source address is the one
being used by the current packet
Filters must be applied to traffic before it leaves the ISP’s network or at the
point of entry to their network
Use modified TCP connection handling code
Cryptographically encode critical information in a cookie that is sent as the
server’s initial sequence number
Legitimate client responds with an ACK packet containing the incremented sequence
number cookie
Drop an entry for an incomplete connection from the TCP connections table when it
overflows

Attack prevention
Rate controls in upstream distribution nets
On specific packets types e.g. some ICMP, some UDP, TCP/SYN
Impose limits
Use modified TCP connection handling
Server sends SYN cookies when table full (reconstruct table data from the cookie
from legit clients)
Or selective or random drop when table full

A critical component of many denial of service attacks is the use of spoofed
source addresses. One of the fundamental, and longest standing, recommendations for
defense against these attacks is to limit the ability of systems to send packets
with spoofed source addresses, cf. RFC 2827. This filtering needs to be done as
close to the source as possible, by routers or gateways knowing the valid address
ranges of incoming packets. Typically this is the ISP providing the network
connection for an organization or home user. Regrettably, despite this being a
well-known recommendation, many ISPs still do not perform this type of filtering.
Any defenses against flooding attacks need to be located back in the Internet
cloud, not at a target organization’s boundary router, since this is usually
located after the resource being attacked. The filters must be applied to traffic
before it leaves the ISP’s network, or even at the point of entry to their network.
Some attacks using particular packet types, such as ICMP floods, or UDP floods to
diagnostic services, can be throttled by imposing limits on the rate at which these
packets will be accepted.
It is possible to specifically defend against the SYN spoofing attack by using a
modified version of the TCP connection handling code. Instead of saving the
connection details on the server, critical information about the requested
connection is cryptographically encoded in a “cookie” that is sent as the server’s
initial sequence number. Typically this technique is only used when the table
overflows. Alternatively, the system’s TCP/IP network code can be modified to
“selective drop” or “random drop” an entry for an incomplete connection from the
TCP connections table when it overflows, allowing a new connection attempt to
proceed.
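The SYN cookie defense described above, together with the table overflow it responds to, as an added example (not code from the book or from any operating system). It uses the commonly described cookie layout of 5 bits of time counter, 3 bits of MSS index and a 24-bit keyed hash; the MSS table, the secret, the addresses and the `Listener` class are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct
from ipaddress import IPv4Address

SLOT_SECONDS = 64      # the time counter t advances once per slot
MSS_TABLE = (216, 536, 1024, 1220, 1360, 1440, 1452, 1460)  # constructed 3-bit table
MASK32 = 0xFFFFFFFF


def _mac24(secret, flow, t, client_isn, mss_idx):
    """24-bit keyed hash over the 4-tuple, time slot, client ISN and MSS index."""
    src, sport, dst, dport = flow
    msg = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack(
        "!HHIIB", sport, dport, t & MASK32, client_isn & MASK32, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, flow, client_isn, client_mss, now):
    """Server ISN: 5 bits of t mod 32, 3 bits of MSS index, 24 bits of MAC."""
    t = int(now) // SLOT_SECONDS
    fits = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = fits[-1] if fits else 0
    return ((t % 32) << 27) | (mss_idx << 24) | _mac24(secret, flow, t, client_isn, mss_idx)


def check_ack(secret, flow, seq, ack, now, max_age_slots=2):
    """Return the encoded MSS if the ACK carries a fresh, valid cookie, else None."""
    cookie = (ack - 1) & MASK32          # client acknowledges server ISN + 1
    client_isn = (seq - 1) & MASK32      # the client's own ISN was seq - 1
    mss_idx = (cookie >> 24) & 0x7
    t_now = int(now) // SLOT_SECONDS
    for age in range(max_age_slots):     # accept the current slot and the previous one
        t = t_now - age
        if t < 0 or (t % 32) != (cookie >> 27):
            continue
        expected = _mac24(secret, flow, t, client_isn, mss_idx).to_bytes(3, "big")
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Stores half-open connections until the table is full, then answers statelessly."""

    def __init__(self, secret, capacity):
        self.secret, self.capacity = secret, capacity
        self.half_open = {}              # flow -> server ISN awaiting the final ACK
        self.established = set()

    def on_syn(self, flow, client_isn, client_mss, now):
        if flow in self.half_open or len(self.half_open) < self.capacity:
            return "stored", self.half_open.setdefault(flow, secrets.randbits(32))
        # Table full: keep no state, encode the request in the sequence number.
        return "cookie", make_cookie(self.secret, flow, client_isn, client_mss, now)

    def on_ack(self, flow, seq, ack, now):
        stored = self.half_open.get(flow)
        if stored is not None and ack == (stored + 1) & MASK32:
            del self.half_open[flow]
        elif check_ack(self.secret, flow, seq, ack, now) is None:
            return False                 # neither a table entry nor a valid cookie
        self.established.add(flow)
        return True


def demo():
    now = 1_700_000_000                  # constructed timestamp
    server = ("192.0.2.10", 443)         # documentation-range addresses throughout
    srv = Listener(b"constructed-demo-secret", capacity=4)
    for i in range(4):                   # four requests whose SYN-ACKs are never answered
        srv.on_syn((f"198.51.100.{i + 1}", 40000 + i, *server), 1000 + i, 1460, now)
    client = ("203.0.113.7", 51515, *server)
    mode, isn = srv.on_syn(client, 0x1234ABCD, 1400, now)     # table is already full
    accepted = srv.on_ack(client, 0x1234ABCE, (isn + 1) & MASK32, now + 1)
    guessed = srv.on_ack(("203.0.113.9", 51515, *server), 1, 12345, now + 1)
    return mode, len(srv.half_open), accepted, guessed


if __name__ == "__main__":
    print(demo())
```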

Attack prevention
Block IP directed broadcasts
Block suspicious services and combinations
Manage application attacks with a form of graphical puzzle (captcha) to distinguish
legitimate human requests
Use mirrored and replicated servers when high-performance and reliability is
required

The best defense against broadcast amplification attacks is to block the use of IP
directed broadcasts. This can be done either by the ISP, or by any organization
whose systems could potentially be used as an intermediary. As we noted earlier in
this chapter, this along with anti-spoofing filters are long standing security
recommendations that all organizations ought to implement. More generally,
limiting or blocking traffic to suspicious services, or combinations of source and
destination ports, can restrict the types of reflection attacks that can be used
against an organization.
Defending against attacks on application resources generally requires modification
to the applications targeted, such as web servers. Defenses may involve attempts to
identify legitimate, generally human initiated, interactions from automated DoS
attacks. These often take the form of a “graphical puzzle”, which is easy for most
humans to solve, but difficult to automate.
Beyond these direct defenses against denial of service attack mechanisms, overall
good system security practices should be maintained. The aim is to ensure that your
systems are not compromised and used as zombie systems. Suitable configuration and
monitoring of high performance, well-connected servers, is also needed to help
ensure they don’t contribute to the problem as potential intermediary servers.
If an organization is dependent on network services, they should consider mirroring
and replicating these servers over multiple sites with multiple network connections.
This is good general practice for high performance servers, providing greater
levels of reliability and fault tolerance in general, not just as a response to
these types of attack.
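The anti-spoofing, directed-broadcast, rate-limiting and suspicious-port-combination filters discussed in this chapter, combined into one border-router policy as an added example (not from the book, and not any router's configuration syntax). The addressing plan, interface names, rate values and class names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan for one organisation's border router.
INTERNAL_NETS = [ip_network("192.0.2.0/25"), ip_network("192.0.2.128/25")]
DIAGNOSTIC_UDP_PORTS = {7, 19}           # UDP echo and chargen


@dataclass(frozen=True)
class Packet:
    in_iface: str                        # "inside" (our hosts) or "outside" (ISP link)
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class TokenBucket:
    """Rate limit: `rate` packets per second with bursts of up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BorderFilter:
    def __init__(self, icmp_rate=1, icmp_burst=2):
        self.icmp_bucket = TokenBucket(icmp_rate, icmp_burst)

    @staticmethod
    def _internal(addr):
        return any(addr in net for net in INTERNAL_NETS)

    def evaluate(self, pkt, now):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.in_iface == "inside":
            # Egress anti-spoofing: our hosts may only send from our own prefixes.
            if not self._internal(src):
                return "drop: spoofed source leaving our network"
        else:
            # Ingress anti-spoofing: our prefixes can never arrive from outside.
            if self._internal(src):
                return "drop: internal source arriving from outside"
            if any(dst == net.broadcast_address for net in INTERNAL_NETS):
                return "drop: directed broadcast from outside"
            if pkt.proto == "icmp" and not self.icmp_bucket.allow(now):
                return "drop: ICMP rate limit exceeded"
        # echo/chargen talking to echo/chargen never occurs in normal operation.
        if (pkt.proto == "udp" and pkt.sport in DIAGNOSTIC_UDP_PORTS
                and pkt.dport in DIAGNOSTIC_UDP_PORTS):
            return "drop: diagnostic-port reflection loop"
        return "accept"


def sample_verdicts():
    """Run constructed packets (documentation-range addresses) through the filter."""
    f = BorderFilter()
    samples = [  # (arrival time in seconds, packet)
        (0, Packet("inside", "udp", "192.0.2.20", "198.51.100.5", 53000, 53)),
        (0, Packet("inside", "tcp", "203.0.113.50", "198.51.100.5", 40000, 80)),
        (0, Packet("outside", "tcp", "192.0.2.20", "192.0.2.30", 40000, 80)),
        (0, Packet("outside", "icmp", "198.51.100.9", "192.0.2.127")),
        (0, Packet("outside", "udp", "198.51.100.9", "192.0.2.40", 7, 19)),
        (0, Packet("outside", "icmp", "198.51.100.9", "192.0.2.40")),
        (0, Packet("outside", "icmp", "198.51.100.9", "192.0.2.40")),
        (0, Packet("outside", "icmp", "198.51.100.9", "192.0.2.40")),
        (1, Packet("outside", "icmp", "198.51.100.9", "192.0.2.40")),
        (1, Packet("outside", "tcp", "198.51.100.9", "192.0.2.10", 50000, 443)),
    ]
    return [f.evaluate(pkt, now) for now, pkt in samples]


if __name__ == "__main__":
    for verdict in sample_verdicts():
        print(verdict)
```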

Responding to attacks
Identify type of attack
Capture and analyze packets
Design filters to block attack traffic upstream
Or identify and correct system/application bug
Have ISP trace packet flow back to source
May be difficult and time consuming
Necessary if planning legal action
Implement contingency plan
Switch to alternate backup servers
Commission new servers at a new site with new addresses
Update incident response plan

When a denial of service attack is detected, the first step is to identify the type
of attack and hence the best approach to defend against it. Typically this involves
capturing packets flowing into the organization, and analyzing them looking for
common attack packet types. This may be done by organizational personnel or ISP,
depending on relevant expertise. From this analysis the type of attack is
identified, and suitable filters designed to block the flow of attack packets.
These have to be installed by the ISP on their routers. If the attack targets a bug
on a system or application, rather than high traffic volumes, then this must be
identified, and steps taken to correct it to prevent future attacks.
The organization may also wish to ask their ISP to trace the flow of packets back
in an attempt to identify their source. However if spoofed source addresses are
used, this can be difficult and time-consuming. Whether this is attempted may well
depend on whether the organization intends to report the attack to the relevant law
enforcement agencies. In such a case, additional evidence must be collected and
actions documented to support any subsequent legal action.
In the case of an extended, concerted, attack, it may not be possible to
successfully filter enough of the attack packets to restore network connectivity.
In such cases the organization needs a contingency strategy to switch to alternate
backup servers, or to rapidly commission new servers at a new site with new
addresses, in order to restore service. Without forward planning to achieve this,
the consequence of such an attack will be extended loss of network connectivity.
Following the immediate response, the organization’s incident response policy may
specify further steps that are taken to respond to contingencies like this.

Responding to attacks
Good incident response plan
Details on how to contact technical personnel for ISP
Needed to impose traffic filtering upstream
Details of how to respond to the attack
Implement anti-spoofing, directed broadcast, and rate limiting filters
Ideally have network monitors and IDS to detect and notify abnormal traffic
patterns

In order to successfully respond to a denial of service attack, a good incident
response plan is needed, including details of how to contact technical personnel
for your Internet Service Provider(s). Denial of service attacks, particularly
flooding attacks, can only be filtered upstream of your network connection. The
plan should also contain details of how to respond to the attack. The division of
responsibilities between organizational personnel and the ISP will depend on the
resources available, and technical capabilities of the organization.
Within an organization you should have implemented the standard anti-spoofing,
directed broadcast, and rate limiting filters we discussed earlier in this chapter.
Ideally, you should also have some form of automated network monitoring and
intrusion detection system (IDS) running, so personnel will be notified should
abnormal traffic be detected.
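The first response step, capturing packets and analysing them for common attack packet types, sketched as an added example (not from the book): it flags handshakes that never complete, DNS responses nobody asked for, and a dominant share of ICMP echo requests. The record format, thresholds, label names and all sample captures are assumptions constructed for illustration.

```python
from collections import namedtuple

# One record per captured packet. `info` holds the TCP flags ("S", "SA", "A"),
# the ICMP type number, or None for UDP.
Pkt = namedtuple("Pkt", "direction proto src sport dst dport info")
US = "192.0.2.10"                        # constructed address of the monitored server


def triage(packets, min_count=20, min_ratio=0.8):
    """Return {label: evidence} for each attack pattern visible in the capture."""
    syn_flows, completed, queries, reflectors = set(), set(), set(), set()
    unsolicited = echo_requests = inbound = 0
    for p in packets:
        if p.direction == "out":
            if p.proto == "udp" and p.dport == 53:
                queries.add((p.dst, p.src, p.sport))    # remember queries we sent
            continue
        inbound += 1
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.proto == "tcp" and p.info == "S":
            syn_flows.add(flow)
        elif p.proto == "tcp" and p.info == "A" and flow in syn_flows:
            completed.add(flow)                          # handshake finished
        elif p.proto == "udp" and p.sport == 53:
            if (p.src, p.dst, p.dport) not in queries:
                unsolicited += 1                         # response nobody asked for
                reflectors.add(p.src)
        elif p.proto == "icmp" and p.info == 8:          # type 8 = echo request
            echo_requests += 1
    findings = {}
    pending = syn_flows - completed
    if len(syn_flows) >= min_count and len(pending) / len(syn_flows) >= min_ratio:
        findings["syn-half-open"] = {
            "syn_flows": len(syn_flows),
            "never_completed": len(pending),
            "distinct_sources": len({f[0] for f in pending}),
        }
    if unsolicited >= min_count:
        findings["dns-reflection"] = {
            "unsolicited_responses": unsolicited,
            "distinct_reflectors": len(reflectors),
        }
    if echo_requests >= min_count and echo_requests / inbound >= 0.5:
        findings["icmp-echo-flood"] = {"echo_requests": echo_requests}
    return findings


def benign_capture():
    """Constructed normal traffic: five completed handshakes, one DNS lookup, three pings."""
    pkts = []
    for i in range(5):
        client = f"203.0.113.{i + 1}"
        pkts.append(Pkt("in", "tcp", client, 50000 + i, US, 443, "S"))
        pkts.append(Pkt("out", "tcp", US, 443, client, 50000 + i, "SA"))
        pkts.append(Pkt("in", "tcp", client, 50000 + i, US, 443, "A"))
    pkts.append(Pkt("out", "udp", US, 40000, "198.51.100.53", 53, None))
    pkts.append(Pkt("in", "udp", "198.51.100.53", 53, US, 40000, None))
    pkts += [Pkt("in", "icmp", "203.0.113.1", 0, US, 0, 8)] * 3
    return pkts


def syn_capture():
    """Constructed capture: normal traffic plus 60 SYNs whose handshakes never finish."""
    return benign_capture() + [
        Pkt("in", "tcp", f"198.51.100.{i + 1}", 40000 + i, US, 443, "S") for i in range(60)
    ]


def dns_capture():
    """Constructed capture: normal traffic plus 40 DNS responses to queries never sent."""
    resolvers = ["198.51.100.53", "198.51.100.54", "198.51.100.55", "198.51.100.56"]
    return benign_capture() + [
        Pkt("in", "udp", resolvers[i % 4], 53, US, 30000 + i, None) for i in range(40)
    ]


if __name__ == "__main__":
    for name, capture in (("benign", benign_capture()), ("syn", syn_capture()),
                          ("dns", dns_capture())):
        print(name, triage(capture))
```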

Summary
Introduced denial of service (DoS) attacks
Classic flooding and SYN spoofing attacks
ICMP, UDP, TCP SYN floods
Distributed denial of service (DDoS) attacks
Reflection and amplification attacks
Defenses against DoS attacks
Responding to DoS attacks

Chapter 8 summary.
