Network-Based Denial of Service Attacks
Trends, Descriptions, and How to Protect Your Network
Craig A. Huegen <chuegen@cisco.com>
Cisco Systems, Inc.
NANOG 12 Interprovider Operations BOF

Significant increase in network-based DoS attacks over the last year
Attackers’ growing access to networks
Growing number of organizations connected to networks
Vulnerability
Most networks have not implemented spoof prevention filters
Very little protection currently implemented against attacks

Tools of the Trade
Anonymity
Internet Relay Chat
Cracked super-user account on well-connected enterprise network
Super-user account on university residence hall network
“Throw-away” PPP dial-up accounts
Typical Victims
IRC Users, Operators, and Servers
Providers who eliminate troublesome users’ accounts

Prevent another user from using network connection
“Smurf” attacks, “pepsi” (UDP floods), ping floods
Disable a host or service
“Land”, “Teardrop”, “Bonk”, “Boink”, SYN flooding, “Ping of death”
Traffic monitoring
Sniffing

Very dangerous attack
Network-based, fills access pipes
Uses ICMP echo/reply packets with broadcast networks to multiply traffic
Requires the ability to send spoofed packets
Abuses “bounce-sites” to attack victims
Traffic multiplied by a factor of 50 to 200
Low-bandwidth source can kill high-bandwidth connections
Similar to ping flooding and UDP flooding, but more dangerous due to traffic multiplication

Smurf attacks are still “in style” for attackers
Significant advances made in reducing the effects
Education campaigns, through the white paper and other outreach by NOCs, have reduced the average “smurf” attack from 80 Mbits/sec to 5 Mbits/sec
Most attacks can still inundate a T1 link

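Added example (not from the slides): the victim-side signature of a “smurf” attack, as a NOC would see it in flow data, is a single destination receiving ICMP echo replies from many hosts on the same bounce networks, while a normal ping exchange has one answering host. The flow records below are constructed, in a simplified (src, dst, protocol, icmp_type, packets) form; the field layout and thresholds are assumptions, not a real exporter’s format.

```python
"""Flag destinations that look like smurf victims in ICMP echo-reply flows.

Added example, not part of the NANOG presentation. The flow tuple layout
(src, dst, proto, icmp_type, packets) and the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flows: one victim (192.0.2.10) receiving echo replies from
# 12 hosts on 198.51.100.0/24 and 8 hosts on 203.0.113.0/24, plus a normal ping
# answer and some unrelated TCP traffic.
SAMPLE_FLOWS = [
    *[("198.51.100.%d" % h, "192.0.2.10", "icmp", 0, 500) for h in range(1, 13)],
    *[("203.0.113.%d" % h, "192.0.2.10", "icmp", 0, 400) for h in range(1, 9)],
    ("192.0.2.20", "192.0.2.30", "icmp", 0, 5),       # ordinary ping reply
    ("198.51.100.7", "192.0.2.40", "tcp", None, 1000),  # not ICMP, ignored
]


def smurf_candidates(flows, min_sources=10, prefix=24):
    """Return {victim: summary} for destinations that receive ICMP echo replies
    (type 0) from at least `min_sources` distinct hosts.

    The number of distinct replying hosts is the observed amplification factor:
    each spoofed echo request to a bounce network yields one reply per host
    that answers broadcast pings, which is what the 50-200x figure measures.
    """
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0})
    for src, dst, proto, icmp_type, packets in flows:
        if proto != "icmp" or icmp_type != 0:
            continue
        by_dst[dst]["sources"].add(src)
        by_dst[dst]["packets"] += packets

    result = {}
    for dst, rec in by_dst.items():
        if len(rec["sources"]) < min_sources:
            continue
        # Group replying hosts by /prefix to name the bounce networks involved.
        nets = {ip_network(f"{s}/{prefix}", strict=False) for s in rec["sources"]}
        result[dst] = {
            "replying_hosts": len(rec["sources"]),   # amplification estimate
            "bounce_networks": sorted(str(n) for n in nets),
            "reply_packets": rec["packets"],
        }
    return result


if __name__ == "__main__":
    for victim, info in smurf_candidates(SAMPLE_FLOWS).items():
        print(victim, info)
```

The bounce-network list is what a NOC needs for the interprovider calls mentioned later in the deck: each listed /24 is a site that still forwards directed broadcasts and should be asked to turn them off.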
Goal is to severely impair or disable a host or its IP stack
Connects address and port pair to itself
Requires the ability to spoof packet source addresses
Requires the victim’s network to be unprotected against packets coming from outside with own IP addresses

“Teardrop”, “Bonk”, “Boink”, “Ping of Death”
Goal is to severely impair or disable a host or its IP stack
Use packet fragmentation and reassembly vulnerabilities
Require that a host IP stack be able to receive a packet from an attacker

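Added example (not from the slides): the sanity checks an IP stack or an inline filter can apply to reject the malformed packets behind the two preceding slides. The “Land” test is the address-and-port-to-itself condition; the fragment checks reject empty fragments, overlapping fragments (the reassembly defect “Teardrop” and its variants exercise) and datagrams that would reassemble past the 65535-byte IPv4 maximum (“Ping of Death”). Packets are modelled as plain dicts; the field names are assumptions for illustration.

```python
"""Packet sanity checks against Land-style and fragment-reassembly attacks.

Added example, not part of the NANOG presentation. Packets are dicts with
assumed field names rather than parsed wire data.
"""
IP_MAX_LEN = 65535      # maximum IPv4 datagram size (RFC 791)
IP_HEADER_LEN = 20      # minimum IPv4 header; options are not modelled here
FRAG_UNIT = 8           # fragment offsets are carried in 8-byte units


def is_land_packet(pkt):
    """Land: source and destination address AND port are identical."""
    return (pkt["src"] == pkt["dst"]
            and pkt.get("sport") is not None
            and pkt["sport"] == pkt.get("dport"))


def check_fragment(frag, accepted):
    """Validate one fragment against those already buffered for the datagram.

    frag: {"offset": int (8-byte units), "payload_len": int, "more_fragments": bool}
    accepted: list of (start, end) byte ranges already accepted.
    Returns None if the fragment is acceptable, otherwise a string naming the defect.
    """
    start = frag["offset"] * FRAG_UNIT
    end = start + frag["payload_len"]
    if frag["payload_len"] <= 0:
        return "empty-fragment"            # a fragment carrying no data is malformed
    if end + IP_HEADER_LEN > IP_MAX_LEN:
        return "oversize-datagram"         # would reassemble beyond 65535 bytes
    if frag["more_fragments"] and frag["payload_len"] % FRAG_UNIT != 0:
        return "bad-fragment-size"         # non-final fragments must be 8-byte multiples
    for s, e in accepted:
        if start < e and s < end:
            # A conservative stack refuses any overlap instead of trusting its
            # own merge arithmetic, which is where the reassembly bugs lived.
            return "overlapping-fragment"
    return None


def reassemble_check(fragments):
    """Run check_fragment over a whole fragment list; returns (ok, reason)."""
    accepted = []
    for frag in fragments:
        reason = check_fragment(frag, accepted)
        if reason:
            return False, reason
        start = frag["offset"] * FRAG_UNIT
        accepted.append((start, start + frag["payload_len"]))
    return True, None


# Constructed samples for a quick stand-alone run.
NORMAL_FRAGS = [{"offset": 0, "payload_len": 1480, "more_fragments": True},
                {"offset": 185, "payload_len": 100, "more_fragments": False}]
OVERLAP_FRAGS = [{"offset": 0, "payload_len": 1480, "more_fragments": True},
                 {"offset": 100, "payload_len": 200, "more_fragments": False}]
OVERSIZE_FRAGS = [{"offset": 8190, "payload_len": 200, "more_fragments": False}]

if __name__ == "__main__":
    print(is_land_packet({"src": "192.0.2.1", "dst": "192.0.2.1", "sport": 139, "dport": 139}))
    for name, frags in [("normal", NORMAL_FRAGS), ("overlap", OVERLAP_FRAGS),
                        ("oversize", OVERSIZE_FRAGS)]:
        print(name, reassemble_check(frags))
```

Rejecting every overlap is stricter than RFC 815 reassembly requires, but on the hosts of the period it was the cheapest way to take the buggy merge path out of reach of untrusted packets.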
Goal is to deny access to a TCP service running on a host
Creates a number of half-open TCP connections which fill up a host’s listen queue; host stops accepting connections
Requires the TCP service be open to connections from the victim

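Added example (not from the slides): a model of the listen queue the previous slide describes, tracking half-open connections per listener so that the moment the backlog fills, and legitimate clients start being refused, is visible in numbers. The events are constructed (spoofed sources that never complete the handshake, then a real client); the backlog depth and SYN-ACK timeout are assumed values in the range hosts of the period used.

```python
"""Half-open TCP connection accounting, the resource a SYN flood exhausts.

Added example, not part of the NANOG presentation. Events are constructed
(time, kind, client, listener) tuples; backlog and timeout are assumptions.
"""
from collections import defaultdict


class HalfOpenTracker:
    """Per-listener accounting of connections in SYN_RCVD (SYN seen,
    SYN-ACK sent, final ACK not yet received)."""

    def __init__(self, backlog=128, syn_timeout=75.0):
        self.backlog = backlog            # listen-queue depth the host will hold
        self.syn_timeout = syn_timeout    # seconds an unanswered SYN-ACK stays queued
        self.pending = defaultdict(dict)  # listener -> {client: time SYN arrived}
        self.stats = defaultdict(lambda: {"accepted": 0, "refused": 0,
                                          "completed": 0, "peak_half_open": 0})

    def _expire(self, listener, now):
        q = self.pending[listener]
        for client, t in list(q.items()):
            if now - t > self.syn_timeout:
                del q[client]             # host gives up on the stale half-open entry

    def syn(self, now, client, listener):
        """Return True if the SYN gets a queue slot, False if the queue is full."""
        self._expire(listener, now)
        q, st = self.pending[listener], self.stats[listener]
        if len(q) >= self.backlog:
            st["refused"] += 1            # host stops accepting new connections
            return False
        q[client] = now
        st["accepted"] += 1
        st["peak_half_open"] = max(st["peak_half_open"], len(q))
        return True

    def ack(self, now, client, listener):
        """The final ACK of the handshake frees the slot."""
        if self.pending[listener].pop(client, None) is None:
            return False
        self.stats[listener]["completed"] += 1
        return True

    def half_open(self, listener, now):
        self._expire(listener, now)
        return len(self.pending[listener])


def replay(events, backlog=128, syn_timeout=75.0):
    """Feed (time, kind, client, listener) events in time order.
    Returns (tracker, {listener: stats})."""
    tracker = HalfOpenTracker(backlog, syn_timeout)
    for now, kind, client, listener in sorted(events):
        if kind == "syn":
            tracker.syn(now, client, listener)
        elif kind == "ack":
            tracker.ack(now, client, listener)
    return tracker, {k: dict(v) for k, v in tracker.stats.items()}


def flood_sample(n=128):
    """Constructed trace: n SYNs from spoofed sources that never complete,
    then a legitimate client that is refused, then the same client succeeding
    once the stale entries have timed out."""
    listener = "192.0.2.10:80"
    events = [(0.01 * i, "syn", f"10.0.0.{i % 250 + 1}:{40000 + i}", listener)
              for i in range(n)]
    events.append((2.0, "syn", "198.51.100.5:51000", listener))
    events.append((80.0, "syn", "198.51.100.5:51001", listener))
    events.append((80.1, "ack", "198.51.100.5:51001", listener))
    return events


if __name__ == "__main__":
    _, stats = replay(flood_sample())
    print(stats)
```

The refused counter per listener is the detection signal: a service whose backlog sits at its peak with almost no completed handshakes is being flooded, not simply busy.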
Goal is generally to obtain information
Account usernames, passwords
Source code, business critical information
Usually a program that places an Ethernet adapter into promiscuous mode and saves information for later retrieval
Hosts running the sniffer program are compromised using host attack methods

How to prevent your network from being the source of the attack:
Apply filters to each customer network
Allow only those packets with source addresses within the customer’s assigned netblocks to enter your network
Apply filters to your upstreams
Allow only those packets with source addresses within your netblocks to exit your network, to protect others
Deny those packets with source addresses within your netblocks from coming into your network, to protect your network
This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity

How to prevent being a “bounce site” in a “Smurf” attack:
Turn off directed broadcasts to networks:
Cisco: Interface command “no ip directed-broadcast”
Proteon: IP protocol configuration “disable directed-broadcast”
Bay Networks: Set a false static ARP entry for the broadcast address
Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
Encourage vendors to turn off replies for ICMP echos to broadcast addresses
Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
Patches are available for free UNIX-ish operating systems.

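Added example (not from the slides): a model of the two decisions on the bounce-site slide, the router’s (forward a directed broadcast or not, which is what “no ip directed-broadcast” controls) and the host’s (answer an echo request sent to the broadcast address or use the RFC 1122 MAY and discard it), with the resulting number of replies a single echo request arriving at the site would produce. The interface list and addresses are constructed.

```python
"""Router and host behaviour that decides whether a site can be a smurf
bounce site. Added example, not part of the NANOG presentation; interfaces
and addresses are constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed router interfaces: name -> address/prefix on that segment.
INTERFACES = {
    "eth0": ip_interface("192.0.2.1/24"),
    "eth1": ip_interface("198.51.100.1/25"),
}


def directed_broadcast_interface(dst):
    """Return the interface whose subnet broadcast address equals dst, else None."""
    addr = ip_address(dst)
    for name, iface in INTERFACES.items():
        if addr == iface.network.broadcast_address:
            return name
    return None


def router_forwards(dst, directed_broadcast_enabled):
    """Router decision for a packet arriving from outside.

    A packet to a subnet broadcast address is only forwarded, and turned into
    a link-layer broadcast, when directed broadcasts are enabled on that
    interface; 'no ip directed-broadcast' makes this return False.
    """
    if directed_broadcast_interface(dst) is None:
        return True          # ordinary unicast, forwarded (subject to other ACLs)
    return directed_broadcast_enabled


def host_answers_echo(dst, local_addr, local_net, discard_broadcast_echo=True):
    """Host decision on an ICMP echo request.

    Unicast to the host is always answered. A request to the subnet or
    limited broadcast address is answered only when the host does not apply
    the RFC 1122 section 3.2.2.6 MAY (discard_broadcast_echo=False).
    """
    d = ip_address(dst)
    if d == ip_address(local_addr):
        return True
    net = ip_network(local_net)
    if d == net.broadcast_address or d == ip_address("255.255.255.255"):
        return not discard_broadcast_echo
    return False


def echo_replies_per_request(dst, directed_broadcast_enabled, hosts_answering_broadcast):
    """Exposure estimate: replies produced by one echo request to dst that
    arrives at this router, given how many hosts on the segment still answer
    broadcast pings. Zero once directed broadcasts are turned off."""
    if not router_forwards(dst, directed_broadcast_enabled):
        return 0
    if directed_broadcast_interface(dst) is None:
        return 1             # at most one host answers a unicast request
    return hosts_answering_broadcast


if __name__ == "__main__":
    for enabled in (True, False):
        print("directed-broadcast", enabled,
              "->", echo_replies_per_request("192.0.2.255", enabled, 200), "replies")
```

Turning off directed broadcasts at the router is the fix that does not depend on every host being patched, which is why the slide lists it first; the host-side discard is defence in depth for traffic that originates on the segment itself.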
Technical help tips for Cisco routers
BugID CSCdj35407 - “fast drop” ACL code
BugID CSCdj35856 - ACL logging throttles
Unicast RPF checking
Interprovider Cooperation
Stories from the field
Publish proper procedures for getting filters put in place and tracing started

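Added example (not from the slides): the source-address filters from the “source of the attack” slide, plus the unicast RPF check listed above, expressed as decision functions so the three rules can be checked against sample packets. Customer ingress admits only the customer’s assigned netblocks; upstream egress lets only our own netblocks out; upstream ingress drops anything claiming one of our own addresses. Strict unicast RPF generalizes the customer rule to a routing-table lookup: the best route back to the source must point out the interface the packet arrived on. Netblocks, interfaces and the routing table are constructed.

```python
"""Source-address validation filters modelled as Python decision functions.

Added example, not part of the NANOG presentation. Netblocks, interface
names and the routing table are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: the provider's own address space and per-customer assignments.
OUR_NETBLOCKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
CUSTOMERS = {                      # customer-facing interface -> assigned netblocks
    "ser0": [ip_network("192.0.2.0/26")],
    "ser1": [ip_network("192.0.2.64/26"), ip_network("198.51.100.0/25")],
}
# Constructed routing table for strict unicast RPF: (prefix, outgoing interface).
ROUTES = [
    (ip_network("192.0.2.0/26"), "ser0"),
    (ip_network("192.0.2.64/26"), "ser1"),
    (ip_network("198.51.100.0/25"), "ser1"),
    (ip_network("0.0.0.0/0"), "upstream"),
]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def customer_ingress(ifname, src):
    """Filter on each customer port: admit only the customer's own sources."""
    return _in_any(ip_address(src), CUSTOMERS[ifname])


def upstream_egress(src):
    """Filter towards the upstream: only our own addresses may leave (protects others)."""
    return _in_any(ip_address(src), OUR_NETBLOCKS)


def upstream_ingress(src):
    """Filter from the upstream: drop packets claiming our own addresses (protects us)."""
    return not _in_any(ip_address(src), OUR_NETBLOCKS)


def urpf_strict(ifname, src):
    """Strict unicast RPF: longest-match route for src must exit via ifname."""
    addr = ip_address(src)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best] == ifname


def classify(ifname, src):
    """Apply the rule that belongs to the interface the packet arrived on.
    Returns 'permit' or 'deny'."""
    if ifname == "upstream":
        ok = upstream_ingress(src)
    else:
        ok = customer_ingress(ifname, src) and urpf_strict(ifname, src)
    return "permit" if ok else "deny"


if __name__ == "__main__":
    # Constructed sample packets: (arriving interface, source address)
    for ifname, src in [("ser0", "192.0.2.5"), ("ser0", "10.1.1.1"),
                        ("ser0", "192.0.2.70"), ("upstream", "192.0.2.5"),
                        ("upstream", "203.0.113.9")]:
        print(ifname, src, classify(ifname, src))
```

The ingress and egress rules need the customer assignments to be kept current; strict uRPF avoids that maintenance because it reads the same routing table the forwarding path already uses, which is why it is listed among the router tips.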
White paper on “smurf” attacks:
http://www.quadrunner.com/~chuegen/smurf.txt
Ingress filtering:
ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
MCI’s DoSTracker tool:
http://www.security.mci.net/dostracker/
Other DoS attacks:
“Defining Strategies to Protect Against TCP SYN Denial of Service Attacks”
http://www.cisco.com/warp/public/707/4.html
“Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks”
http://www.cisco.com/warp/public/707/3.html

Craig Huegen
<chuegen@cisco.com>
Questions?