
Denial of Service Last Class Fault tolerance Concurrency Naming - PowerPoint PPT Presentation



  1. Denial of Service

  2. Last Class
     • Fault tolerance
     • Concurrency
     • Naming

  3. This Class
     • Networking
     • How DDoS works

  4. UDP (diagram: Client sends Data to Server, Server sends Response)

  5. TCP

  6. DDoS
     • Distributed denial-of-service attack
     • Attacker targets a victim from a number of different IP addresses
     • Purpose is to overwhelm the victim’s resources so that legitimate users can’t use them

  7. DDoS as Protest

  8. DDoS as Protest

  9. DDoS as Protest
     • 1995: Strano Network took down French government websites to protest French nuclear policy
     • 1998: NYTimes article about “virtual sit-ins”
     • 2014: Hong Kong protests
     https://motherboard.vice.com/en_us/article/d734pm/history-of-the-ddos-attack
     https://www.nytimes.com/1998/10/31/world/hacktivists-of-all-persuasions-take-their-struggle-to-the-web.html
     https://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/

  10. Mirai Botnet
     https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis

  11. Victim Population

  12. Compromised Devices

  13. DDoS over time

  14. TCP

  15. SYN Flood

  16. Protecting against SYN flood
     • Filtering
     • Increasing Backlog
     • Reducing SYN-RECEIVED Timer
     • Recycling the Oldest Half-Open TCB
     • SYN Cache
     • SYN Cookies
     • Firewalls and Proxies
     https://tools.ietf.org/html/rfc4987
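SYN cookies, one of the RFC 4987 mitigations listed above, in working code. This is an added example, not code from the lecture or from RFC 4987: the server encodes a keyed MAC over the connection 4-tuple, the client’s ISN and a slow counter into its own initial sequence number, sends the SYN-ACK and stores nothing; a half-open entry only comes into being when a final ACK arrives that carries a cookie the server can verify. The bit layout (5-bit counter, 3-bit MSS index, 24-bit MAC) mirrors the classic Linux/BSD scheme; SECRET, the addresses, ports and timestamps are constructed for the demo.

```python
"""SYN cookies: answer a SYN flood without keeping half-open state (added example)."""
import hashlib
import hmac
import socket
import struct

TICK_SECONDS = 64                    # counter advances once per 64 s
MAX_TICK_AGE = 2                     # accept cookies minted within the last ~2 ticks
MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values that fit the 3-bit index
SECRET = b"constructed-demo-secret"  # constructed; a real stack draws this from a CSPRNG at boot


def _counter(now):
    return int(now) // TICK_SECONDS


def _mac24(saddr, daddr, sport, dport, client_isn, counter):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the counter."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, counter)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    Nothing about the connection is stored after this returns."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    counter = _counter(now)
    mac = int.from_bytes(_mac24(saddr, daddr, sport, dport, client_isn, counter), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None."""
    client_isn = (seq - 1) & 0xFFFFFFFF   # the ACK's seq is the client's ISN + 1
    cookie = (ack - 1) & 0xFFFFFFFF       # the ACK number is our ISN + 1
    cookie_ctr = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if mss_idx >= len(MSS_TABLE):         # forged index outside the table
        return None
    now_ctr = _counter(now)
    for age in range(MAX_TICK_AGE + 1):   # the counter may have ticked since the SYN-ACK
        counter = now_ctr - age
        if counter < 0 or (counter & 0x1F) != cookie_ctr:
            continue
        if hmac.compare_digest(mac, _mac24(saddr, daddr, sport, dport, client_isn, counter)):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Handshake outcomes for a real client and for the ACKs a spoofer can produce."""
    srv, cli, now = "192.0.2.1", "10.0.0.5", 1_000_000   # constructed addresses and clock
    client_isn = 0xDEADBEEF
    # 1. SYN arrives (possibly one of millions with forged sources): reply, store nothing.
    cookie = make_cookie(cli, srv, 40000, 80, client_isn, 1460, now)
    return {
        # 2. A real client saw the SYN-ACK and echoes cookie + 1 a moment later.
        "legit": check_cookie(cli, srv, 40000, 80, client_isn + 1, cookie + 1, now + 1),
        # A spoofer never receives the SYN-ACK, so it has to guess the cookie.
        "guessed_ack": check_cookie(cli, srv, 40000, 80, client_isn + 1, 0x12345678, now + 1),
        # A captured cookie replayed from another port fails the MAC.
        "wrong_port": check_cookie(cli, srv, 40001, 80, client_isn + 1, cookie + 1, now + 1),
        # Cookies expire once the counter has moved past MAX_TICK_AGE.
        "stale": check_cookie(cli, srv, 40000, 80, client_isn + 1, cookie + 1,
                              now + 4 * TICK_SECONDS),
    }
```

The price of dropping the state is that TCP options not encoded in the cookie (window scaling, SACK) are lost for cookie-validated connections, which is why real stacks only switch cookies on once the backlog is full.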

  17. Smurf Attack
     • Send an ICMP echo request (ping) to a network’s broadcast address with the victim’s IP address forged as the source
     • Every host on that network helpfully replies to the victim, multiplying the attacker’s traffic

  18. Ping Flood
     • Send a bunch of ping messages to a server
     • ping: ICMP "echo request"

  19. DNS amplification
     • Forge a DNS query to an open DNS resolver with the victim’s IP address as the source (return) address; UDP has no handshake, so nothing checks the spoofed source
     • Victim is overwhelmed with DNS responses to queries it never sent; each response is many times larger than the query, so the attacker’s bandwidth is amplified
     • Querying a DNSSEC-signed zone (or asking for ANY) yields much larger responses, which increases the amplification factor

  20. DNS amplification
     • dig +trace cr.yp.to any
       cr.yp.to.  600     IN  MX  0 a.mx.cr.yp.to.
       cr.yp.to.  600     IN  MX  10 b.mx.cr.yp.to.
       cr.yp.to.  600     IN  A   80.101.159.118
       yp.to.     259200  IN  NS  a.ns.yp.to.
       yp.to.     259200  IN  NS  uz5uu2c7j228ujjccp3ustnfmr4pgcg5ylvt16kmd0qzw7bbjgd5xq.ns.yp.to.
       yp.to.     259200  IN  NS  b.ns.yp.to.
       yp.to.     259200  IN  NS  f.ns.yp.to.
       yp.to.     259200  IN  NS  uz5ftd8vckduy37du64bptk56gb8fg91mm33746r7hfwms2b58zrbv.ns.yp.to.
       ;; Received 414 bytes from 131.193.36.24#53(f.ns.yp.to) in 32 ms
     https://dankaminsky.com/2011/01/05/djb-ccc/#dnsamp

  21. DNS amplification
     • Without DNSSEC records:
       www.pir.org.  300  IN  A   173.201.238.128
       pir.org.      300  IN  NS  ns1.sea1.afilias-nst.info.
       pir.org.      300  IN  NS  ns1.mia1.afilias-nst.info.
       pir.org.      300  IN  NS  ns1.ams1.afilias-nst.info.
       pir.org.      300  IN  NS  ns1.yyz1.afilias-nst.info.
       ;; Received 329 bytes from 199.19.50.79#53(ns1.sea1.afilias-nst.info) in 90 ms
     • With DNSSEC records (RRSIGs roughly double the response):
       www.pir.org.  300  IN  A      173.201.238.128
       www.pir.org.  300  IN  RRSIG  A 5 3 300 20110118085021 20110104085021 61847 pir.org. n5cv0V0GeWDPfrz4K/CzH9uzMGoPnzEr7MuxPuLUxwrek+922xiS3BJGNfcM9nlbM5GZ5+UPGv668NJ1dx6oKxH8SlR+x3d8gvw2DHdA51Ke3Rjnz+P595ZPB67D9Gh6l61itZOJexwsVNX4CYt6CXTSOhX/1nKzU80PVjiMwg0=
       pir.org.      300  IN  NS     ns1.mia1.afilias-nst.info.
       pir.org.      300  IN  NS     ns1.yyz1.afilias-nst.info.
       pir.org.      300  IN  NS     ns1.ams1.afilias-nst.info.
       pir.org.      300  IN  NS     ns1.sea1.afilias-nst.info.
       pir.org.      300  IN  RRSIG  NS 5 2 300 20110118085021 20110104085021 61847 pir.org. IIn3FUnmotgv6ygxBM8R3IsVv4jShN71j6DLEGxWJzVWQ6xbs5SIS0oLOA1ym3aQ4Y7wWZZIXpFK+/Z+Jnd8OXFsFyLo1yacjTylD94/54h11IrbfydAyESbEqxUBzKILMOhvoAtTJy1gi8ZGezMp1+M4L+RvqfGze+XFAHNN/U=
       ;; Received 674 bytes from 199.19.49.79#53(ns1.yyz1.afilias-nst.info) in 26 ms

  22. Spam
     • Unwanted email
     • Sending email from bad server farms
     • Moved to sending from compromised machines

  23. Spam Case Study: McColo
     • California-based Hosting Provider
     • Shut down in November 2008. Guess which day?
     • Chart of emails rejected

  24. In Class Exercise
     • Most security competitions explicitly disallow denial of service attacks.
     • Today we’re going to play around with Google Gruyere.
     • https://google-gruyere.appspot.com/part1#1__setup
     • https://google-gruyere.appspot.com/part4#4__denial_of_service
