Confidentiality, Integrity, Availability
1561: Network Security. Denial of Service
Dr. George Loukas, University of Greenwich

"Anonymous calling for demonstrations at choke points in a city is not unlike Anonymous calling for a network denial of service" (San Francisco subways, 2011)

System limitations
Every system is limited by the processing capacity of its components.

Denial of Service
In the context of computer networks, a Denial of Service attack (DoS) is any intended attempt to prevent legitimate users from reaching a specific network resource.
Loukas, G., & Öke, G. (2010). Protection against denial of service attacks: a survey. The Computer Journal, 53(7), 1020-1037.

This can be done by:
- Exhausting resources, such as CPU, memory, disk space, or more often network bandwidth
- Triggering a bug in the network protocol (poison packet)
- Gaining access to a server and making it unavailable / shutting it down

Classic Denial of Service
A high-capacity link flooding a lower-capacity one, causing most packets (both legitimate and not) to be lost.
(Figure: 1 Gbps sent, max 100 Mbps received, packets dropped)

Simplest Ping Flood
    ping X.X.X.X -t -l 1000
By default, ping waits for 1 second between packets.

Exercise: Simplest Ping Flood
Consider the following Ping (ICMP echo request) to the computer with IP address X.X.X.X. The ping rate is 1 packet per second. A network link's performance usually degrades severely once utilisation reaches around 80% of its capacity. How many of the following pings need to run simultaneously for this to happen on a 100 Mbps link?
    ping X.X.X.X -t -l 500
One ping sends 500 × 8 = 4,000 bits/s. To get up to 80 × 10^6 bits/s, we need 80,000,000 / 4,000 = 2,000 simultaneous pings.

Bronze Night
- Street riots: 2 days, $1 million physical damage, 1,200 arrested
- Cyber attacks: 3 weeks, $40 million cyber damage, 1 was arrested

How did it happen?
- Link to attack script posted in forums and blogs: http://fipip.ru/raznoe/pingi.bat
- Email addresses of Estonian officials posted online
- PayPal donations for hiring botnets
- Attacks peaked at 500,000 packets/s
- 115 of 128 DoS attacks were simple PING floods

Forum post (translated from Russian): "Let's ping the Estonian servers"
"Just type "site:.ee government" into Google (instead of the word government, any query you like for searching Estonian sites). Pick a site you like (not a Russian-language one!!!), press (Start -> Run -> cmd) and type "ping -n 5000 -l 10000 estonian_site -t". OK. THAT'S IT!!! Example: "ping -n 5000 -l 1000 www.riik.ee -t""

Why so easily?
Estonia was the e-government leader in Europe. All citizens already had IDs with embedded PKI chips allowing secure connection with the government and the banks. Security servers were physically separate computers with specialised software, encrypting everything, controlling access, keeping logs etc. Most Estonians had not been to a bank for years (99% e-banking users).

Example
Alex wants to talk to Betty on Skype. Charlie wants to stop them from talking to each other. What can he do? What if he does not know the IP addresses of either Alex or Betty?
(Figure: Alex's PC, Betty's PC, Login Server, Charlie)

Problems with the simple ping flood
- Attack rate is not that high
- Easy to defend: instruct your firewall to block the source IP address
- The sending PC is also affected, as it receives one echo reply for every echo request it sends

IP Spoofing
R.T. Morris (1985): "there is no provision in the Internet Protocol to discover the true origin of a packet"

Contents of an IP packet (header fields, one 32-bit row per line):
    vers | hlen | TOS | total length (in bytes)
    identification | flags | fragment offset
    TTL | protocol | header checksum
    Source IP address
    Destination IP address
    options and padding
    DATA
We trust that the source IP address in the IP header is the real one, but an attacker can write anything they want there. This causes "backscatter": responses from the target (e.g. echo replies) are sent to the fake addresses, which may exist.
Morris, R. T. (1985). A weakness in the 4.2BSD Unix TCP/IP software. Computer

Distributed Denial of Service
DDoS is a DoS attack in which more than one computer participates.
(Figure: many attackers sending 100 Mbps each, max 100 Mbps received, packets dropped)
A distributed DoS attack involves thousands of "zombies" (agents).

Examples of Network DoS mechanisms: normal TCP 3-way establishment of a connection
1. Client (CLOSED -> SYN-SENT) sends SYN, my SEQ No = 200: requests connection
2. Server (LISTEN -> SYN-RCVD) sends SYN+ACK, my SEQ = 500, your SEQ = 201: acknowledges receipt of the request
3. Client sends ACK, my SEQ = 201, your SEQ = 501: acknowledges the acknowledgment
Connection established on both sides.

Examples of Network DoS mechanisms: SYN flood
A SYN FLOOD overwhelms the target by ignoring the 3-way handshake protocol: the client sends connection request after connection request (SYN, my SEQ No = 200) and never sends the final ACK, so the server answers each one with SYN+ACK (my SEQ = 500, your SEQ = 201) and is left waiting in SYN-RCVD for every one of them.

Examples of Network DoS mechanisms: Reflector DoS attack
The attacking machines send connection requests to several legitimate websites, pretending to have the IP address of the victim. When the websites reply, it is the victim that receives all the replies.

Examples of Network DoS mechanisms: Amplification attacks
What if you cannot get hold of thousands of bots, or even that is not enough? How can you further amplify the attack? The original amplification attack was the Smurf attack: send IP-spoofed ICMP requests to the network's broadcast address (X.X.X.255). The router then relays the ICMP request to all devices behind it, which in turn respond to the target IP address. Not applicable any more.
Most routers are now configured not to relay ICMP to the network behind them.

Examples of Network DoS mechanisms: DNS Amplification
Currently the main big gun in Denial of Service.
- Uses IP-spoofed DNS queries. Like ping, a DNS query is also "fire and forget": no handshake is needed
- Traffic received is much larger than the traffic sent by the attacker's machine
- There are many DNS resolvers on the Internet and they are often left open for anyone to use for their DNS queries

Defending against DoS
PREVENT, DETECT, RESPOND (and, beyond these, prosecute)

PREVENT
- CAPTCHAs: Completely Automated Public Turing test to tell Computers and Humans Apart
- Mirrored servers: a replica of a server is continuously created at run-time. Primarily for business continuity
- Honeypots: fake servers that exist to divert attacks to themselves instead of the real servers of the organisation

DETECT
How can we tell that the traffic we receive is illegitimate traffic sent by a DoS attacker and not normal?
- Inbound bitrate: almost always a DoS causes a bitrate that is higher than usual
- Similarly, increase in delays, packet losses, ...
- Rate of increase of inbound bitrate: a DDoS does not reach its maximum rate immediately, due to imperfect synchronisation of zombies and their different distances from the target
- IP blacklists
- Differences between inbound and outbound traffic: e.g. during a SYN flood, the number of inbound SYN requests is far greater than the number of outbound SYN-ACKs
- Packet sizes, ...

DETECT: signature-based vs anomaly-based
- Signature-based: there are known "signatures" of DoS attacks and we compare our network traffic against them
- Anomaly-based: we know what "normal operation" is and we determine that there is an attack when the current network situation differs from normal operation

Flash crowd
A sudden large surge of legitimate network traffic. Exactly the same impact as a DoS attack, but not intentional: for example, websites recently mentioned on the BBC often receive so many visitors that they collapse. Smart attackers may masquerade their attacks as flash crowds to overcome defences, or may generate a flash crowd via social engineering.

RESPOND
- Limit bitrate of suspicious traffic: this assumes that we have a classification mechanism (often similar to a detection mechanism) that can tell what is suspicious and what is not
- Prioritise the traffic more likely to be legitimate (same assumption as above)
- Implement contingency plan: e.g. revert to mirrored servers, reduce internal use of the network etc.
- Traceback: try to identify the real source(s) of the attack

Defending against DoS: summary
- PREVENT: CAPTCHAs, mirrored servers, block spoofed IPs, limit incoming bitrate per packet type, honeypots
- DETECT: signature-based, anomaly-based
- RESPOND: implement contingency plan, traceback, limit bitrate of suspicious traffic, prioritise the traffic more likely to be legitimate

How Estonia defended against the 2007 attacks
Estonia had a Computer Emergency Response Team (CERT) already in place.
- They concentrated on protecting the most vital resources
- Blocked all .ru addresses
- Implemented a diversion strategy, attracting attackers to systems already destroyed (including the president's) and away from more critical ones
- Analysed logs and data to identify and block attackers and bots
- CERT persuaded ISPs around the world to blacklist attacking computers
- Germany, Slovakia, Latvia, Lithuania, Italy and Spain supported and funded CERT
- Implemented further filtering and installed Cisco Guard (after filtering, 4 Mpps dropped to 1.2 Mpps; after Cisco Guard, 0.15 Mpps; after it was configured further, 0.003 Mpps)

Advanced defence against DoS
- Cryptographic puzzles: push the computational burden back to the attacker by denying the connection until the client PC solves a simple cryptographic puzzle
- Spoof detection: evaluate whether the TTL value is realistic for the specific IP source. Use tracert to test.

Advanced automated defence against DoS
Effective automated defence systems against DoS attacks are disproportionately complex and expensive for such a relatively rare event.
G. Loukas, G. Oke and E. Gelenbe. Defending against Denial of Service in a Self-Aware Network: A Practical Approach. NATO Symposium on Information Assurance for Emerging and Future Military Systems, Ljubljana, Slovenia, Oct. 2008.

Historical timeline of DoS incidents and attack types
(Figure: timeline from 1983 to 2008 covering SYN flood, Smurf attack, Teardrop, Distributed DoS and Reflector DDoS, with Feb 2000 marked)

Next generation of DoS attacks
- Against the battery of a laptop, phone, sensor, camera etc.: sleep deprivation attacks (cause energy-hungry processes to run, request network connections continuously etc.)
- Smartphones used as mobile botnets. Infect them at the airport and a few hours later you have bots that are conveniently spread out globally.
- Port of Houston (2001)

Legal aspects
Is DoS a crime in the UK? Yes (since 2006). Maximum penalty: 10 years.
Is merely downloading a DoS tool a crime? (e.g. the one distributed online by Anonymous for the 2010 attacks against MasterCard in support of WikiLeaks). Yes. Section 3A of the Computer Misuse Act: "a person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3".
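The DETECT slides list three anomaly indicators (inbound bitrate above normal, the rate at which it ramps up, and inbound SYNs outnumbering outbound SYN-ACKs). The following is an added example, not code from the lecture, that computes all three over constructed per-second counters of the kind a monitoring agent exports; the field names and thresholds are assumptions.

```python
# Added example (not from the lecture): anomaly-based DoS indicators computed
# over per-second traffic counters. Records are constructed sample data.
from statistics import mean, pstdev

# Constructed: 10 s of normal traffic, then a ramping SYN flood.
SAMPLE = [
    {"t": t, "in_bits": 8_000_000 + 200_000 * (t % 3), "in_syn": 20, "out_synack": 20}
    for t in range(10)
] + [
    {"t": 10 + i, "in_bits": 9_000_000 + 15_000_000 * i,
     "in_syn": 400 * (i + 1), "out_synack": 40}
    for i in range(5)
]

def baseline(records, key, k=3.0):
    """Normal-operation threshold for one counter: mean + k standard deviations."""
    vals = [r[key] for r in records]
    return mean(vals) + k * pstdev(vals)

def syn_ratio(rec):
    """Inbound SYNs per outbound SYN-ACK; a SYN flood drives this far above 1,
    because the server answers far fewer handshakes than it is asked to start."""
    return rec["in_syn"] / max(rec["out_synack"], 1)

def detect(records, train_seconds=10, ratio_limit=3.0, ramp_limit=0.5):
    """Return (second, reasons) for every second that departs from the baseline
    learned over the first train_seconds records."""
    train = records[:train_seconds]
    bit_limit = baseline(train, "in_bits")
    alerts = []
    prev = train[-1]["in_bits"]
    for rec in records[train_seconds:]:
        reasons = []
        if rec["in_bits"] > bit_limit:
            reasons.append("inbound bitrate above baseline")
        # Rate of increase: fractional growth since the previous second.
        if prev and (rec["in_bits"] - prev) / prev > ramp_limit:
            reasons.append("inbound bitrate ramping")
        if syn_ratio(rec) > ratio_limit:
            reasons.append("inbound SYN >> outbound SYN-ACK")
        if reasons:
            alerts.append((rec["t"], reasons))
        prev = rec["in_bits"]
    return alerts

if __name__ == "__main__":
    for second, why in detect(SAMPLE):
        print(second, ", ".join(why))
```

The ramp indicator fires only while the flood is still growing, which is why the baseline and SYN-ratio checks are needed alongside it; a flash crowd trips the first two but not the third.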
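The spoof-detection item under "Advanced defence" (is the TTL realistic for the claimed source? test with tracert) can be turned into a check a border device applies per packet. This is an added example, not the lecture's code; the reference table of hop counts, the tolerance and the documentation-range addresses are constructed.

```python
# Added example (not from the lecture): hop-count plausibility check for
# source-address spoofing. A sender's IP stack sets an initial TTL (commonly
# 64, 128 or 255) and every router decrements it, so the TTL seen at the
# target reveals the sender's hop distance. If it disagrees with the distance
# previously measured for the claimed source (with tracert/traceroute, or
# learned from completed handshakes), the source address is probably forged.
import ipaddress

INITIAL_TTLS = (64, 128, 255)

# Constructed reference table: hop distance to each source prefix as measured
# from the protected network during normal operation (documentation ranges).
KNOWN_HOPS = {"203.0.113.0/24": 14, "198.51.100.0/24": 9}

def hop_count(observed_ttl):
    """Distance = initial TTL - observed TTL, assuming the smallest common
    initial TTL that is >= the observed value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init - observed_ttl
    raise AssertionError("unreachable: 255 is always >= observed_ttl")

def prefix_of(ip, length=24):
    """Collapse an IPv4 address to the /24 prefix the table is keyed on."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))

def plausible(src_ip, observed_ttl, tolerance=2):
    """Return (verdict, detail). Unknown sources pass because there is nothing
    to compare against; tolerance absorbs small route changes."""
    expected = KNOWN_HOPS.get(prefix_of(src_ip))
    if expected is None:
        return True, "no hop-count reference for this source"
    measured = hop_count(observed_ttl)
    detail = f"{measured} hops observed, about {expected} expected"
    return abs(measured - expected) <= tolerance, detail

if __name__ == "__main__":
    print(plausible("203.0.113.7", 50))   # claimed source at its usual distance
    print(plausible("198.51.100.5", 50))  # TTL does not fit this source
```

The check is a hint rather than proof: the initial TTL is inferred, so a host 70 hops away with initial TTL 128 is indistinguishable from one 6 hops away with initial TTL 64, and routes change; treat a mismatch as one more signal to feed the suspicious-traffic rate limiter.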
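The cryptographic-puzzle defence above (deny the connection until the client solves a puzzle) is shown here as an added example, not the lecture's or any library's implementation: a hash-based puzzle where the difficulty is the number of leading zero bits, with the nonce size, counter encoding and difficulty values chosen for this illustration.

```python
# Added example (not from the lecture or any library): a hash-based client
# puzzle. The server hands out a fresh nonce and a difficulty; the client must
# find an answer whose SHA-256(nonce || answer) has that many leading zero
# bits before the server commits any connection state. Solving costs the
# client about 2**difficulty hashes; checking costs the server one hash.
import hashlib
import os
import struct

def leading_zero_bits(data):
    """Count leading zero bits of a byte string."""
    count = 0
    for byte in data:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count

def issue_puzzle(difficulty):
    """Server: fresh random nonce plus the difficulty in force. Raise the
    difficulty under load to push more work back onto clients."""
    return os.urandom(16), difficulty

def verify(nonce, difficulty, answer):
    """Server: one hash, constant cost whatever the difficulty."""
    digest = hashlib.sha256(nonce + answer).digest()
    return leading_zero_bits(digest) >= difficulty

def solve(nonce, difficulty, limit=1 << 24):
    """Client: brute-force an 8-byte counter until the puzzle is met."""
    for counter in range(limit):
        answer = struct.pack(">Q", counter)
        if verify(nonce, difficulty, answer):
            return answer
    return None

if __name__ == "__main__":
    nonce, difficulty = issue_puzzle(16)
    answer = solve(nonce, difficulty)
    print("solved:", answer.hex(), "accepted:", verify(nonce, difficulty, answer))
```

This protects server CPU and connection state, not the link: a flood that saturates bandwidth still arrives whether or not anyone solves the puzzle.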