Network-Based Denial of Service Attacks
Trends, Descriptions, and How to Protect Your Network
Craig A. Huegen <chuegen@cisco.com>
Cisco Systems, Inc.
NANOG 13 -- Dearborn, MI -- June 9, 1998
Significant increase in network-based Denial-of-Service attacks over the last year
  Attackers’ growing accessibility to networks
  Growing number of organizations connected to networks
Vulnerability
  Most networks have not implemented spoof prevention filters
  Very little protection currently implemented against attacks
Tools of the Trade
Anonymity
  Internet Relay Chat
  Cracked super-user account on enterprise network
  Super-user account on university residence hall network
  “Throw-away” PPP dial-up accounts
Typical Victims
  IRC Users, Operators, and Servers
  Providers who eliminate troublesome users’ accounts
Prevent another user from using network connection
  “Smurf” and “Fraggle” attacks, “pepsi” (UDP floods), ping floods
Disable a host or service
  “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”
Traffic monitoring
  Sniffing
Very dangerous attacks
Network-based, fills access pipes
Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic
Requires the ability to send spoofed packets
Abuses “bounce-sites” to attack victims
Traffic multiplied by a factor of 50 to 200
Low-bandwidth source can kill high-bandwidth connections
Similar traffic content to ping, UDP flooding but more dangerous due to traffic multiplication
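The multiplication described above leaves a fingerprint on the victim's link: echo replies the victim never requested, arriving from many distinct hosts that share a network prefix. The following is an added example, not code from the original slides, showing how a victim can group unsolicited replies by source network to identify the bounce sites and read off each one's amplification factor. The addresses, the flow records and the /24 grouping are constructed assumptions; a real detector would take records from a sniffer or flow export and subtract any echo requests the victim actually sent.

```python
# Added example (not from the original slides): victim-side detection of a
# smurf-style flood. The victim receives ICMP echo replies it never asked for;
# grouping them by source network shows which broadcast networks are acting as
# bounce sites and how much each one multiplies the attacker's traffic.
from collections import defaultdict
import ipaddress

VICTIM = "192.0.2.10"   # constructed victim address (documentation range)

# Constructed sample records in the form (src, dst, proto, icmp_type).
# ICMP type 0 is echo reply. The sample assumes the victim sent no echo
# requests, so every reply aimed at it is unsolicited.
SAMPLE_FLOWS = (
    [("198.51.100.%d" % h, VICTIM, "icmp", 0) for h in range(1, 61)]   # 60 hosts, bounce net A
    + [("203.0.113.%d" % h, VICTIM, "icmp", 0) for h in range(1, 46)]  # 45 hosts, bounce net B
    + [("192.0.2.20", VICTIM, "tcp", None)]                            # ordinary traffic
    + [("198.51.100.7", "192.0.2.11", "icmp", 0)]                      # lone reply to another host
)

def bounce_networks(flows, victim, prefix_len=24, min_hosts=10):
    """Return {network: distinct_replying_hosts} for every network that sends
    at least `min_hosts` unsolicited echo replies to `victim`.

    One spoofed echo request to a network's broadcast address yields one
    reply per host that answers, so the host count per network is the
    amplification factor that network is handing to the attacker.
    `prefix_len` is an assumption: the real bounce network's size is unknown.
    """
    hosts = defaultdict(set)
    for src, dst, proto, icmp_type in flows:
        if dst != victim or proto != "icmp" or icmp_type != 0:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        hosts[net].add(src)
    return {str(net): len(h) for net, h in hosts.items() if len(h) >= min_hosts}

def unsolicited_reply_count(flows, victim):
    """Total echo replies aimed at the victim: the flood volume in packets."""
    return sum(1 for _, dst, proto, t in flows
               if dst == victim and proto == "icmp" and t == 0)

if __name__ == "__main__":
    print("unsolicited echo replies:", unsolicited_reply_count(SAMPLE_FLOWS, VICTIM))
    report = bounce_networks(SAMPLE_FLOWS, VICTIM)
    for net, count in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"bounce site {net}: {count} replying hosts (x{count} amplification)")
```

The per-network host counts are what the slide's "factor of 50 to 200" refers to in practice, and the network list is what you hand to the bounce site's operator (or to your upstream for a filter) while the flood is running.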
How to prevent your network from being the source of the attack:
  Apply filters to each customer network
  Apply filters to your upstreams
  This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity (source spoof)
Prevention Techniques (cont’d)
How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack:
  Turn off directed broadcasts to networks:
    Cisco: Interface command “no ip directed-broadcast”
      As of 12.0, this is default (CSCdj31162)
    Proteon: IP protocol configuration “disable directed-broadcast”
    Bay Networks: Set a false static ARP address for bcast address
    3Com: SETDefault -IP CONTrol = NoFwdSubnetBcast
  Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
  Configure host machines to not reply to broadcast ICMP echos
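The two prevention slides above (filters so you are not the attack source; directed-broadcast and ICMP controls so you are not a bounce site) describe forwarding-plane policy. The following added example, which is not code from the slides or from any vendor, models that policy in Python so the effect of each control can be seen on constructed packets: an ingress filter on each customer interface, an egress filter toward the upstream, the "no ip directed-broadcast" behaviour, and the optional ACL on inbound ICMP echo requests. The interface names, prefixes and packets are all assumptions.

```python
# Added example (not from the original slides): a model of the edge filters the
# slides recommend, applied to constructed packets. Real routers express these
# as interface ACLs and "no ip directed-broadcast"; the model just makes the
# decision order and its effect on each packet explicit.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrived on
    egress: str             # interface the routing decision would send it out
    src: str
    dst: str
    proto: str              # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None   # 8 = echo request
    dport: Optional[int] = None

UPSTREAM_IF = "upstream"   # assumed name of the link to our upstream provider

# Constructed topology: prefixes legitimately sourced behind each customer interface.
CUSTOMER_PREFIXES = {
    "cust1": [ipaddress.ip_network("192.0.2.0/24")],
    "cust2": [ipaddress.ip_network("198.51.100.0/25")],
}
# Subnets directly attached to this router. Their broadcast addresses are what a
# directed-broadcast smurf (ICMP echo) or fraggle (UDP echo) packet is aimed at.
ATTACHED_SUBNETS = [p for plist in CUSTOMER_PREFIXES.values() for p in plist]

def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def ingress_filter_ok(pkt):
    """Per-customer ingress filter: a packet entering from a customer interface may
    only carry a source inside that customer's assigned space (stops source spoofing)."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress)
    return prefixes is None or _in_any(pkt.src, prefixes)

def upstream_egress_ok(pkt):
    """Filter toward the upstream: nothing leaves claiming a source outside our own
    address space, so this network cannot be the origin of a spoofed attack."""
    return pkt.egress != UPSTREAM_IF or _in_any(pkt.src, ATTACHED_SUBNETS)

def directed_broadcast_ok(pkt):
    """Effect of 'no ip directed-broadcast': a packet routed to the broadcast
    address of an attached subnet is not turned into a link-layer broadcast."""
    dst = ipaddress.ip_address(pkt.dst)
    return not any(dst == n.broadcast_address for n in ATTACHED_SUBNETS)

def echo_request_acl_ok(pkt):
    """Optional ACL from the slides: drop ICMP echo requests arriving from outside."""
    return not (pkt.ingress == UPSTREAM_IF and pkt.proto == "icmp" and pkt.icmp_type == 8)

def decide(pkt, block_echo_requests=False):
    """Return 'forward' or 'drop:<check>' naming the first control that rejects."""
    checks = [
        ("ingress-filter", ingress_filter_ok),
        ("upstream-egress-filter", upstream_egress_ok),
        ("directed-broadcast", directed_broadcast_ok),
    ]
    if block_echo_requests:
        checks.append(("echo-request-acl", echo_request_acl_ok))
    for name, check in checks:
        if not check(pkt):
            return "drop:" + name
    return "forward"

# Constructed packets, one per case. 203.0.113.0/24 stands in for the outside world;
# "servers" is an internal interface with no customer prefix list of its own.
LEGIT_OUT      = Packet("cust1", UPSTREAM_IF, "192.0.2.5", "203.0.113.9", "udp", dport=53)
SPOOF_OUT      = Packet("cust1", UPSTREAM_IF, "203.0.113.66", "203.0.113.9", "icmp", icmp_type=8)
SPOOF_INTERNAL = Packet("servers", UPSTREAM_IF, "203.0.113.66", "203.0.113.9", "icmp", icmp_type=8)
SMURF_IN       = Packet(UPSTREAM_IF, "cust2", "203.0.113.66", "198.51.100.127", "icmp", icmp_type=8)
FRAGGLE_IN     = Packet(UPSTREAM_IF, "cust1", "203.0.113.66", "192.0.2.255", "udp", dport=7)
PING_IN        = Packet(UPSTREAM_IF, "cust1", "203.0.113.66", "192.0.2.10", "icmp", icmp_type=8)

if __name__ == "__main__":
    for p in (LEGIT_OUT, SPOOF_OUT, SPOOF_INTERNAL, SMURF_IN, FRAGGLE_IN, PING_IN):
        print(f"{p.src:>14} -> {p.dst:<16} {decide(p):<28} with echo ACL: {decide(p, True)}")
```

Two points the run makes visible: the directed-broadcast control stops both the ICMP and the UDP variant without touching ordinary inbound pings, whereas the echo-request ACL is a blunter tool that also costs you reachability testing, which is why the slide marks it "if necessary". The host-side measure on the last bullet has a modern equivalent on Linux in the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl, which makes a host silently ignore echo requests sent to a broadcast address.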
Prevention Techniques (cont’d)
Unicast RPF checking & CEF
Inter-provider Cooperation
  Network Operations Centers should publish proper procedures for getting filters put in place and tracing started
  IOPS working group
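Unicast RPF gives the anti-spoof effect of per-customer filters without maintaining an ACL per interface: the router reuses its forwarding table (the CEF table on IOS) in reverse and accepts a packet only if the best route back to its source points out the interface the packet arrived on. The following is an added example, not code from the slides, that implements that strict-mode check against a constructed forwarding table, with a loose-mode variant for comparison; the interface names, prefixes and sample packets are assumptions.

```python
# Added example (not from the original slides): strict-mode unicast reverse path
# forwarding (uRPF) modelled over a constructed forwarding table. The anti-spoof
# decision is derived from routing state rather than from a hand-written filter.
import ipaddress

# Constructed forwarding table: prefix -> outgoing interface.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
    ipaddress.ip_network("192.0.2.0/24"): "cust1",
    ipaddress.ip_network("203.0.113.0/24"): "cust1",   # second prefix on the same customer link
    ipaddress.ip_network("198.51.100.0/25"): "cust2",
}

def route_interface(addr):
    """Longest-prefix match: the interface the forwarding table would use to
    reach `addr`, or None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def urpf_strict(src, ingress):
    """Strict uRPF: accept only if the reverse path to `src` exits via `ingress`,
    i.e. the source is one this interface could legitimately have delivered."""
    return route_interface(src) == ingress

def urpf_loose(src):
    """Loose uRPF: accept if some route other than the default covers `src`.
    Survives asymmetric routing but only rejects sources from unrouted space."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in ROUTES if p.prefixlen > 0)

def filter_batch(packets):
    """packets: iterable of (ingress, src). Returns [(src, 'pass' | 'drop'), ...]
    under strict uRPF."""
    return [(src, "pass" if urpf_strict(src, ingress) else "drop")
            for ingress, src in packets]

# Constructed sample: legitimate customer traffic plus spoofed sources.
# 198.51.100.200 lies outside the cust2 /25, so it is "somewhere on the Internet".
SAMPLE = [
    ("cust1", "192.0.2.9"),          # legitimate
    ("cust1", "203.0.113.5"),        # legitimate, customer's second prefix
    ("cust1", "198.51.100.3"),       # spoofed: that space is reached via cust2
    ("cust1", "198.51.100.200"),     # spoofed: reverse path is the upstream
    ("upstream", "192.0.2.9"),       # inbound packet claiming our own space
    ("upstream", "198.51.100.200"),  # ordinary inbound traffic
]

if __name__ == "__main__":
    for src, verdict in filter_batch(SAMPLE):
        print(f"{src:>16}  strict: {verdict:<4}  loose: {'pass' if urpf_loose(src) else 'drop'}")
```

Strict mode is the right fit where the slides put filters: single-homed customer edges, where routing is symmetric and the reverse path is unambiguous. On multi-homed or asymmetric links the same check drops legitimate traffic whose best return route is elsewhere, which is why the loose variant exists and why the default route is excluded from it in this model.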
Detailed “Smurf” and “Fraggle” information
  http://www.quadrunner.com/~chuegen/smurf/
Ingress filtering
  RFC 2276
Other DoS attacks
  See expanded presentation at http://www.quadrunner.com/~chuegen/smurf/980513_dos
Craig Huegen
<chuegen@cisco.com>
Questions?