3 - Network- & Transport-Layer (Denial of Service Attacks) Flashcards
What are Denial of Service (DoS) attacks?
DoS attacks aim at preventing or inhibiting the normal use of communication facilities (e.g. a web server)
Common attack form in the Internet since DoS attacks are easy to launch and hard to prevent
Denial of Service (DoS) Attacks: Three basic approaches
Exploit bad implementation to crash the target
- Examples: Ping Flood, Smurf Attack
Overload limited resources (e.g. a network’s bandwidth)
- Examples: Ping of death, Teardrop
Use flaws of protocols to bring the target into an undesired state
- Examples: Land, SYN flood
DoS Attacks
- Ping Of Death
- Teardrop
- Ping Flood
- Smurf Attack
- SYN Flooding
- Land (Local Area Network Denial)
DoS Attack #1: Ping Of Death
- RFC 791: the maximum length of an IPv4 packet is 65,535 bytes
- Many systems crash or reboot on the reception of a single malformed packet.
- The flaw has been patched on most systems; only old systems remain vulnerable
DoS Attack #2: Teardrop
Reassembly of fragmented IP packets is done in a loop which copies the payload of all fragments into a buffer
There was a bug in many systems when they received overlapping fragments (i.e. the offset of the next fragment lies within the previous fragment)
- The routine passes a negative value to memcpy()
Like the ping of death, this attack exploits bad implementations of the TCP/IP stack
Many old versions of Windows (up to NT), Linux, and Unix are vulnerable
DoS Attack #3: Ping Flood
Adversary sends as many echo requests (pings) as possible to the victim
If the victim faithfully answers each request, it consumes both incoming and outgoing bandwidth
- The attacker can spoof the source address so that the replies are not sent back to the attacker
- The attacker then consumes only outgoing bandwidth
If the attacker has more bandwidth than its victim, the victim might experience
- A complete denial of service due to congestion
- Packet loss and very slow connection (degradation of service)
- Significantly decreased system performance on slow systems
Countermeasure: Tell routers and hosts not to forward broadcast messages
DoS Attack #4: Smurf Attack
Similar to ping flood but more efficient from the attacker's point of view
ICMP supports echo requests to which most systems answer with an echo reply (ping)
IP addresses can simply be spoofed: no authentication
What happens if you send an echo request with your victim’s address as the source (spoofing) to the broadcast address of a network?
- So called amplification attack
- Attacker needs low bandwidth to cause high traffic at the victim
- Victim’s bandwidth might be exhausted → DoS
- Also degrades network performance
Smurf attack still possible
- Some networks are reported to generate more than 500 duplicate echo responses over the Internet [powertech]
Smurf attack possible on any layer that implements some sort of unauthenticated echo protocol
- Called “Fraggle Attack” on transport layer
Countermeasures
- Tell routers and hosts not to forward broadcast messages
- Configure your OS to prevent the machine from responding to ICMP packets sent to the broadcast address
DoS Attack #5: SYN Flooding
SYN flooding takes advantage of the state retention TCP performs after receiving a SYN to an open TCP port
Problem: the buffer for TCBs (Transmission Control Blocks) is of finite size!
A server can only handle a certain number of “half-open” connections
Flooding a server with SYN packets will fill (and eventually exhaust) its TCB buffer
Server will not be able to accept new connections → DoS
Only new connections are affected, existing connections remain established
Attackers usually spoof the SYN packet’s origin
The attack is more efficient than many other DoS attacks which try to exhaust the network's resources
- Requires fewer packets for depletion
- The lifetime of half-open connections is limited
SYN Flooding: Countermeasures
Analyze SYN traffic and filter abnormal packets
Make TCB buffer larger to increase the attacker’s workload
- Ineffective since attacker’s effort only increases linearly
- Larger TCB buffer increases the complexity of connection handling
Decrease lifetime of half-open TCBs
- Also quite ineffective since the attacker has to increase its packet rate by just a linearly proportional amount
Recycling the oldest half-open TCB
- Legitimate connections have to be established before the TCB is reused
Client Puzzles
- The connecting client must invest some resources before the server
SYN cookies
- Idea: No resource allocation before connection is established
- SYN cookies do that without changing TCP
SYN Cookies
SYN cookies are the key element of a technique used to guard against SYN flood attacks. Daniel J. Bernstein, the technique’s primary inventor, defines SYN cookies as “particular choices of initial TCP sequence numbers by TCP servers.” In particular, the use of SYN cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged.
The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry.
If the server then receives a subsequent ACK response from the client, the server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence number.
DoS Attack #6: Land (Local Area Network Denial)
Transport-layer vulnerability (TCP)
The attacker sends a TCP SYN packet in which source and destination are both set to the target's address
- Infinite loop: the victim interprets its own SYN+ACK as a new connection attempt
- The victim floods itself with TCP SYN packets
Countermeasure: Block packets where the source is equal to the destination
Denial Of Service Conclusion
DoS attacks are quite easy to launch
- Smurf Attacks are still possible in the Internet
Unfortunately, there is no easy solution for most DoS attacks
Proper packet filtering by ISPs required to prevent such attacks