Chapter 1 INTRODUCTION
1.1 Background
With the proliferation of computer networks come many kinds of network attacks.
On Feb 7, 2000, the first massive distributed denial-of-service (DDoS) attack was launched against the Yahoo web site [1]. The Yahoo servers crashed and could not serve their customers for several hours, which resulted in serious financial loss. The attacks did not stop there: many other well-known commercial web sites, such as eBay, Buy.com, CNN.com, and Amazon, came under similar attacks [2]. DDoS attacks of this kind cause such web sites serious losses.
1.2 Motivation
Because of the serious losses that DDoS attacks can cause, effective and efficient protection systems are urgently needed. First we must understand the DDoS attack methods.
Denial-of-service attacks, as the term suggests, attempt to deny legitimate users the services that servers provide. Because of the following security issues in today's networks, such attacks occur more and more frequently:
1. The whole network is formed by autonomous systems (ASes). Every AS enforces its own policy to manage its network environment, which makes it hard or impossible for the individual intranets to cooperate closely.
2. Existing network protocols do not incorporate sufficient authentication facilities to verify the members of the network. For example, an attacker can easily modify the source address of a packet, which makes tracing back an attack difficult.
3. Software, such as operating systems, frequently contains known or unknown bugs and vulnerabilities that an attacker can take advantage of. This provides the opportunity to inject malicious code into innocent computers.
Several methods introduced in [3][4][5] take advantage of vulnerabilities in network protocols and bugs in software to mount DDoS attacks. There are two broad categories of DDoS attack methods:
1. Attacks that consume all of the limited resources and bandwidth allocated to the victim, for example the TCP SYN flood, ICMP flood, and UDP flood attacks.
2. Attacks that take advantage of vulnerabilities in the packet processing of the OS, for example Teardrop and Ping of Death.
[5] also classifies attack methods as shown in Figure 1.1.
Figure 1.1 Classification of DoS (cited from [5])
CERT/TW [6] classifies DDoS attacks into two categories, flooding-based attacks and software exploits. The latter are often referred to as worm attacks. Figure 1.2 illustrates the relationship between the CERT/TW classification and the classification in [5].
Figure 1.2 Maps figure 1.1 to categories (figure labels: Data Flood; Flooding-based; OS Level; Application Level; Software Exploits; Network Device Level; Protocol Feature Attack)
Before we present our detection system, a further understanding of the attack methods is required. In what follows we discuss how a DDoS attack is launched.
1. TCP SYN flooding attack (flooding-based):
The TCP SYN flooding attack is aimed at the three-way-handshake vulnerability in the layer 4 network protocols. A client and a server establish a communication session with a three-way-handshake procedure. When a client intends to communicate with a server, it first sends a SYN (synchronize/start) packet, which includes the IP address and the port number of the client. Upon receiving a SYN packet, the server sends back to the client a SYN-ACK (synchronize/acknowledge) packet. After sending the SYN-ACK packet, the server creates a TCB (task control block) to maintain the communication state and waits for the client to send back an ACK packet. A communication session is established when the server receives the ACK packet from the client. Nevertheless, the number of TCBs in the server is limited. An attacker can send a large number of SYN packets to the server and hence occupy many TCBs. Due to the lack of available TCBs, the server cannot provide services to legitimate clients.
The TCP SYN flooding attack does not depend on bugs in software, but on defects in the network protocols. The Mail Bombing DoS attack [7] is also a variation of the flooding attack. The land attack [8] is a variation of the TCP SYN attack but is aimed at exhausting the resources of a server: the attacker fills both the source-IP-address and destination-IP-address fields of the SYN packet with the victim's address. The victim therefore cannot complete the three-way-handshake procedure and consumes its own CPU and memory.
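The half-open state the text describes can be watched from the server's side. The following is an added example (not code from the thesis) that replays a constructed packet trace, counts the TCBs still waiting for the client's ACK, and flags a SYN flood when most SYNs never complete; the thresholds are assumed, not taken from the thesis.

```python
# Added example (not from the thesis): replay a packet trace from the server's
# point of view, count half-open connections (allocated TCBs still waiting for
# the client's ACK) and flag a SYN flood when most SYNs never complete.

# Constructed sample trace: (src_ip, dst_ip, dst_port, tcp_flags).
# One legitimate client completes the handshake; 20 spoofed sources send a
# bare SYN each and never answer the server's SYN-ACK.
SERVER = "192.0.2.1"
SAMPLE_TRACE = [
    ("10.0.0.5", SERVER, 80, "S"),
    (SERVER, "10.0.0.5", 80, "SA"),
    ("10.0.0.5", SERVER, 80, "A"),
] + [(f"203.0.113.{i}", SERVER, 80, "S") for i in range(1, 21)]


def half_open_table(trace, server_ip):
    """Return the set of (client, port) entries whose TCB is still pending:
    a SYN was received but the final ACK of the handshake never arrived."""
    pending = set()
    for src, dst, port, flags in trace:
        if dst != server_ip:
            continue                      # only packets arriving at the server matter
        if flags == "S":
            pending.add((src, port))      # TCB allocated, waiting for the ACK
        elif flags == "A":
            pending.discard((src, port))  # handshake completed, TCB released
    return pending


def syn_flood_score(trace, server_ip):
    """Fraction of received SYNs that never completed the handshake:
    close to 0 for normal traffic, close to 1 under a SYN flood."""
    syns = sum(1 for _, dst, _, flags in trace if dst == server_ip and flags == "S")
    if syns == 0:
        return 0.0
    return len(half_open_table(trace, server_ip)) / syns


def is_syn_flood(trace, server_ip, max_half_open=10, min_ratio=0.8):
    """Thresholds are illustrative; tune them to the server's TCB capacity."""
    pending = half_open_table(trace, server_ip)
    return len(pending) > max_half_open and syn_flood_score(trace, server_ip) >= min_ratio


if __name__ == "__main__":
    print(len(half_open_table(SAMPLE_TRACE, SERVER)), "half-open connections")
    print("SYN flood detected:", is_syn_flood(SAMPLE_TRACE, SERVER))
```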
2. UDP flooding attack (flooding-based):
The attacker sends UDP packets with a forged source IP address to any port number (usually 7, echo) of the victim. The victim checks which application is bound to that port; if none is found, the victim sends an ICMP destination unreachable message back to the source IP address. The attack therefore consists of sending a huge number of UDP packets to the victim, which keeps the victim too busy sending back ICMP packets to handle sessions with other clients.
3. ICMP flooding (angry ping) :
The attacker generates a huge number of ICMP echo request packets toward the victim with forged source IP addresses, so the victim must reply to as many packets as the attacker sends. The victim not only has to receive the packets from the attacker, but also has to send the ICMP echo responses back. Consequently, the bandwidth, CPU, and memory resources of the victim are used up.
4. Smurf attack (flooding-based):
The Smurf attack is a variation of the ICMP flood and is similar to the land attack: the attacker sets the source IP address of an ICMP echo request to the victim's IP address and sends this modified packet to the IP broadcast address. The victim then receives ICMP echo replies from all the hosts in that subnet, and the subnet is congested by the resulting storm of ICMP packets. This kind of attack amplifies the threat of the ICMP flooding attack. The UDP version of the Smurf attack is called the Fraggle attack.
5. Ping of death (software exploits):
This attack takes advantage of the procedure for processing ICMP packets. When a host receives an ICMP echo request (type 8), the network device issues an interrupt to the kernel, which processes the request and sends an ICMP echo reply (type 0) back to the source; the original option data in the ICMP echo request must be copied into the reply packet without change (Figure 1.3). The attacker injects a large amount of garbage into the "Option Data" segment of the ICMP packet (Figure 1.4) and extends the total length of the packet beyond the legal maximum of 65535 bytes, so the victim crashes when it receives this malformed packet. This attack is aimed at a vulnerability in the implementation of the kernel.
Figure 1.3 Processing ICMP echo requests (figure labels: Kernel; Network Device Driver; Network Interface Card; Step 1: interrupt on ICMP echo request; Step 2: send back ICMP echo reply (type 0))
Figure 1.4 ICMP echo request/reply header
6. Teardrop (software exploits):
The Teardrop attack targets a flaw in the reassembly of packet fragments.
Because the maximum transmission unit (MTU) differs between network environments (Table 1.1), IP packets are cut into smaller fragments when they are transmitted across networks that use different link-layer protocols.
The Teardrop attack modifies the offsets of packet fragments so that some of them overlap. When the victim receives these modified fragments and tries to reassemble them according to their offsets, some kernels crash because they cannot handle this exception.
Protocol             MTU (bytes)
Ethernet (used)      1,500
Ethernet (actual)    1,496
PPPoE                1,492
Dial-up              576
Table 1.1 MTU in different environments
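Both software exploits above (Ping of Death and Teardrop) are caught by validating a datagram's fragments before the kernel reassembles them. The following is an added example (not code from the thesis) that checks a constructed fragment list for overlapping offsets and for a reassembled size beyond 65535 bytes; it assumes offsets and lengths are given in bytes and that a 20-byte IP header sits on top of the payload.

```python
# Added example (not from the thesis): validate one IP datagram's fragments before
# reassembly, rejecting the overlapping offsets of a Teardrop-style datagram and
# the over-long reassembled size of a Ping-of-Death-style datagram.
# Assumptions: offsets and lengths are in bytes (the real IP header stores offsets
# in 8-byte units) and refer to the IP payload; a 20-byte IP header is added on top.
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535      # largest legal IP datagram, header included

# Constructed fragment lists: (offset, payload_length, more_fragments_flag).
NORMAL_FRAGS = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
TEARDROP_FRAGS = [(0, 1480, True), (1000, 1480, False)]   # second fragment overlaps the first
OVERSIZE_FRAGS = [(off, 1480, True) for off in range(0, 65120, 1480)] + [(65120, 1480, False)]


def check_fragments(frags):
    """Return "ok", "overlap" (Teardrop-style), "oversize" (Ping-of-Death-style)
    or "incomplete" (a gap, or the last fragment has not arrived)."""
    frags = sorted(frags)
    if not frags:
        return "incomplete"
    expected = 0                          # next byte offset the reassembler expects
    for offset, length, _more in frags:
        if offset < expected:
            return "overlap"              # fragment re-covers bytes already received
        if offset > expected:
            return "incomplete"           # gap: a fragment is missing
        expected = offset + length
        if IP_HEADER_LEN + expected > MAX_DATAGRAM:
            return "oversize"             # reassembled datagram would exceed 65535 bytes
    if frags[-1][2]:
        return "incomplete"               # last seen fragment still has "more fragments" set
    return "ok"


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_FRAGS), ("teardrop", TEARDROP_FRAGS),
                        ("oversize", OVERSIZE_FRAGS)):
        print(f"{name}: {check_fragments(frags)}")
```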
Besides the attacks mentioned above, there are two other attacks aimed at the lack of authentication in routing protocols, such as RIP (Router Information Protocol) v1 and BGP (Border Gateway Protocol) v4, and in DNS (Domain Name Server). These vulnerabilities give an attacker the opportunity to forge routing information or perpetrate cache poisoning, modifying the routing table and the DNS cache in order to redirect a legitimate user's connection to the attacker's own malicious web site.
In all of the attacks mentioned above, the attacker modifies the source IP address in the packets (IP spoofing) to make traceback much more difficult. Therefore the goal of our system is to detect an attack quickly and trace it back to its launching source with greater accuracy. We summarize the requirements for the detection and traceback system as follows:
1. No modification of the existing TCP/IP protocols, for better compatibility.
2. Only a slight setup procedure on routers.
3. Easy modification to accommodate novel attacks in the future.
4. Scales to large topologies.
5. Efficient while processing the traceback.
6. No information about the topology is needed.
In this thesis, we focus on flooding-based attacks aimed at layer 3/layer 4 of the OSI seven-layer model and apply an AI-based decision-tree algorithm to help distinguish abnormal traffic flows from normal ones. A traffic-flow pattern-matching methodology then helps us find the traffic flow most similar to the attack flow and trace it back to the original source.