Trends, Descriptions, and How to Protect Your Network

Craig A. Huegen <chuegen@cisco.com>
Cisco Systems, Inc.

NANOG 12 Interprovider Operations BOF

- Significant increase in network-based DoS attacks over the last year
- Attackers’ growing accessibility to networks
- Growing number of organizations connected to networks
- Vulnerability
  - Most networks have not implemented spoof prevention filters
  - Very little protection currently implemented against attacks

Tools of the Trade

- Anonymity
  - Internet Relay Chat
  - Cracked super-user account on well-connected enterprise network
  - Super-user account on university residence hall network
  - “Throw-away” PPP dial-up accounts
- Typical Victims
  - IRC Users, Operators, and Servers
  - Providers who eliminate troublesome users’ accounts

- Prevent another user from using network connection
  - “Smurf” attacks, “pepsi” (UDP floods), ping floods
- Disable a host or service
  - “Land”, “Teardrop”, “Bonk”, “Boink”, SYN flooding, “Ping of death”
- Traffic monitoring
  - Sniffing

- Very dangerous attack
- Network-based, fills access pipes
- Uses ICMP echo/reply packets with broadcast networks to multiply traffic
- Requires the ability to send spoofed packets
- Abuses “bounce-sites” to attack victims
- Traffic multiplied by a factor of 50 to 200
- Low-bandwidth source can kill high-bandwidth connections
- Similar to ping flooding and UDP flooding, but more dangerous due to traffic multiplication

- Smurf attacks are still “in style” for attackers
- Significant advances made in reducing the effects
- Education campaigns (the white paper and other outreach by NOCs) have reduced the average “smurf” attack from 80 Mbits/sec to 5 Mbits/sec
- Most attacks can still inundate a T1 link

- Goal is to severely impair or disable a host or its IP stack
- Connects an address and port pair to itself
- Requires the ability to spoof packet source addresses
- Requires the victim’s network to be unprotected against packets arriving from outside that carry its own IP addresses as source

- Goal is to severely impair or disable a host or its IP stack
- Use packet fragmentation and reassembly vulnerabilities
- Require that a host IP stack be able to receive a packet from an attacker

- Goal is to deny access to a TCP service running on a host
- Creates a number of half-open TCP connections which fill up a host’s listen queue; host stops accepting connections
- Requires the TCP service be open to connections from the victim

- Goal is generally to obtain information
  - Account usernames, passwords
  - Source code, business critical information
- Usually a program placing an Ethernet adapter into promiscuous mode and saving information for retrieval later
- The host running the sniffer program is compromised using host attack methods

How to prevent your network from being the source of the attack:

- Apply filters to each customer network
  - Allow only those packets with source addresses within the customer’s assigned netblocks to enter your network
- Apply filters to your upstreams
  - Allow only those packets with source addresses within your netblocks to exit your network, to protect others
  - Deny those packets with source addresses within your netblocks from coming into your network, to protect your network
- This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity

How to prevent being a “bounce site” in a “Smurf” attack:

- Turn off directed broadcasts to networks:
  - Cisco: interface command “no ip directed-broadcast”
  - Proteon: IP protocol configuration “disable directed-broadcast”
  - Bay Networks: set a false static ARP address for the broadcast address
- Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
- Encourage vendors to turn off replies for ICMP echos to broadcast addresses
  - Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
  - Patches are available for free UNIX-ish operating systems.
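Added example (not from the presentation or Cisco's documentation): a Cisco IOS configuration that puts the source-address filters from the previous slide and the bounce-site protections from this one into practice. It assumes placeholder netblocks 192.0.2.0/24 (the customer's assigned block) and 203.0.113.0/24 (your own address space), placeholder interface names Serial0, Serial1 and Ethernet0, and an IOS release with extended ACLs.

```cisco
! Added example, not from the presentation. Placeholder netblocks:
!   customer assigned block : 192.0.2.0/24
!   your own address space  : 203.0.113.0/24
!
! Customer-facing interface: admit only sources inside the customer's
! assigned block; everything else is spoofed and is dropped and logged.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip any any log
!
! Upstream-facing interface, inbound: a packet claiming your own space as
! its source cannot legitimately arrive from outside, so drop and log it.
access-list 120 deny   ip 203.0.113.0 0.0.0.255 any log
! Bounce-site protection: drop echo requests aimed at the subnet broadcast
! address of your space (one /24 here; add a line per subnet you announce).
access-list 120 deny   icmp any host 203.0.113.255 echo
access-list 120 permit ip any any
!
! Upstream-facing interface, outbound: only your own space may leave,
! so your network cannot be the anonymous source of someone else's attack.
access-list 130 permit ip 203.0.113.0 0.0.0.255 any
access-list 130 deny   ip any any log
!
interface Serial0
 description Customer link (placeholder name)
 ip access-group 110 in
 no ip directed-broadcast
!
interface Serial1
 description Upstream link (placeholder name)
 ip access-group 120 in
 ip access-group 130 out
 no ip directed-broadcast
!
! The LAN interface is the one that would actually forward a directed
! broadcast onto the wire, so it needs the command most of all.
interface Ethernet0
 description LAN segment (placeholder name)
 no ip directed-broadcast
```

The `log` keyword on the deny entries is what the ACL logging throttle fix on the next slide is about; on a busy link, expect the log rate to be limited rather than every dropped packet to be recorded.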
Technical help tips for Cisco routers

- BugID CSCdj35407 - “fast drop” ACL code
- BugID CSCdj35856 - ACL logging throttles
- Unicast RPF checking

Interprovider Cooperation

- Stories from the field
- Publish proper procedures for getting filters put in place and tracing started

White paper on “smurf” attacks:
http://www.quadrunner.com/~chuegen/smurf.txt

Ingress filtering:
ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt

MCI’s DoSTracker tool:
http://www.security.mci.net/dostracker/

Other DoS attacks:
“Defining Strategies to Protect Against TCP SYN Denial of Service Attacks”
http://www.cisco.com/warp/public/707/4.html
“Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks”
http://www.cisco.com/warp/public/707/3.html

Craig Huegen <chuegen@cisco.com>

Questions?