Bandwidth DoS Attacks and Defenses
Robert Morris, Frans Kaashoek, Hari Balakrishnan, Students; MIT LCS
What is a Denial of Service Attack?
• Goal: make a service unusable.
• How: overload a server, router, network link.
• Focus: bandwidth attacks (“trinoo”, “tfn”).
Logical View of Attack Net
[Figure: attacker sends control traffic; attack traffic crosses the link to the customer’s router]
Attacks use IP Packets
[Figure: IP header with Source Address and Destination Address fields]
• Routers forward each packet independently.
• Routers don’t know about connections.
• Complexity is in end hosts; routers are simple.
• Case study: Yahoo.
– What happened.
– Analysis.
• Our framework for defense: RON.
Case Study: Yahoo Attack
• Early February 2000.
• Took Yahoo off the net for hours.
Yahoo’s Point of View
1 Gbit/second of Ping Response packets.
Yahoo Attack Overview
[Figure: attack traffic from co-location centers and other ISPs converging on Yahoo’s ISP]
Attack Packet Generation
[Figure: leader M in a co-location center controls slaves S1, S2, …, Sn]
Ping, DST=bcast, SRC=Yahoo
Ping Responses, DST=Yahoo
What did the attack depend on?
• Pervasive insecure hosts.
• Fake IP source addresses.
• Use of hosts as amplifiers.
• Weak router software.
• Difficulty of diagnosis.
Pervasive Insecure Hosts
• Required for disguise and to generate enough traffic.
• How do they break in?
– Buffer overruns.
– Typically Solaris and Linux.
– Highly automated.
– Better programming practices.
– Disable services by default.
– Firewalls, intrusion detection.
– Motivation for deployment is not strong.
Fake IP Source Addresses
• Two uses:
– Hide the source of attack.
– Part of weapon.
• Example: SYN flooding.
– Ingress/egress filtering.
– But motivation for deployment is not strong.
Use of Hosts as Amplifiers
• Attackers need this:
– To avoid using their own machines.
– To generate lots of traffic.
– To avoid detection via load monitoring.
• Two approaches:
– Break into 1000s of machines.
– Trick legitimate machines into generating traffic.
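An added example, not from the original slides: the two router-side checks that remove the ingredients above, ingress/egress filtering against forged source addresses and suppression of directed broadcasts so a subnet cannot serve as a ping amplifier. The interface names, prefixes and packet records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed configuration: prefixes directly connected to a customer-edge
# router, keyed by ingress interface name (RFC 5737 documentation ranges).
LOCAL_PREFIXES = {
    "cust0": ipaddress.ip_network("192.0.2.0/24"),
    "cust1": ipaddress.ip_network("198.51.100.0/24"),
}

def filter_packet(iface, src, dst):
    """Return 'forward' or a drop reason for one packet arriving on iface.

    Rule 1 (ingress/egress filtering): a packet entering from a customer
    interface must carry a source address inside that interface's prefix;
    anything else is a forged source and is dropped.
    Rule 2 (no directed broadcast): a packet addressed to the broadcast
    address of a connected subnet is dropped, so every host on that subnet
    cannot be made to answer a single spoofed ping.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface in LOCAL_PREFIXES and src_ip not in LOCAL_PREFIXES[iface]:
        return "drop: spoofed source"
    for prefix in LOCAL_PREFIXES.values():
        if dst_ip == prefix.broadcast_address:
            return "drop: directed broadcast"
    return "forward"

def apply_filter(packets):
    """Run every (iface, src, dst) record through the filter."""
    return [(pkt, filter_packet(*pkt)) for pkt in packets]

def summarize(results):
    """Count verdicts, the kind of per-rule counter an operator would watch."""
    return Counter(verdict for _, verdict in results)

# Constructed packet records: (ingress interface, source, destination).
SAMPLE = [
    ("cust0", "192.0.2.10", "203.0.113.5"),        # legitimate customer traffic
    ("cust0", "203.0.113.77", "192.0.2.255"),      # forged source, aimed at broadcast
    ("uplink", "203.0.113.77", "198.51.100.255"),  # directed broadcast from upstream
    ("cust1", "198.51.100.3", "203.0.113.5"),      # legitimate ping from cust1
]

if __name__ == "__main__":
    results = apply_filter(SAMPLE)
    for pkt, verdict in results:
        print(pkt, "->", verdict)
    print(dict(summarize(results)))
```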
Weak Router Software
• Routers themselves are often victims.
• Why?
– Forwarding and management compete for CPU.
– Control and data traffic compete for net b/w.
– Simplify and partition.
Difficulty of Diagnosis
• Very little automatic support for traffic analysis and correlation.
– Is the high load legitimate?
– What does the attack consist of?
– Where does the attack come from?
– How to ask upstream routers to discard attack packets?
• Defense: distributed analysis system.
Why are these attacks easy?
• Internet built around end-to-end principle:
– Most functions done by end hosts.
– Examples: reliable delivery.
– Simplifies network core.
• Example: IP packet forwarding.
• Example: it’s easy to start an ISP.
– Anyone can introduce new services.
• Result: lots of innovation.
Why is defense hard?
• End-to-end principle conflicts with:
– Centralized control.
– Centralized monitoring.
– Separation of data from control traffic.
– Mandatory authentication.
– Mandatory accounting.
• End-to-end framework for:
– Cooperative statistics collection.
– Cooperative reaction to attacks.
– Fault-tolerant control and data routing.
• How: resilient overlay network (RON).
• Funded by DARPA/IA/FTN.
What is an Overlay Network?
• Better routing functions built in end hosts.
• Can be used to build distributed defenses.
Why Distributed Defenses?
• Presence of attack obvious near victim.
– Not obvious near sources of attack.
– But control is easier near sources.
• Identifying attackers requires cooperation.
– Asymmetric routing.
– Fake source addresses.
Why Distribution is Hard
• RON itself is a target.
• Authorized communication between RON nodes.
• Bandwidth attacks on RON nodes.
• Application-level DoS attacks.
• Political / deployment problems.
– Needs cooperation? Or single-organization?
[Figure: RON nodes spanning Backbone B1 and Backbone B2; steps 2. Communicate, 3. Control]
• Use Internet to connect multiple sites.
• Inter-ISP routing:
– Ignores link quality.
– Ignores many available paths due to policy.
– Chooses only one path.
– Reacts slowly.
• RON allows end-system control of routing.
Fault-tolerant Routing (2)
[Figure: node N3 reachable across Backbone B1 and Backbone B2 via Peering Points P and Q]
• Multi-organization overlays.
• Early work: Gnutella and FreeNet.
– Data replicated at many sites.
– Queries traverse reliable overlay.
– Explicit protection of virtual infrastructure.
• Raise the bar:
– Improve host security.
– Make it hard to fake IP addresses.
• Experiment with RON-like and peer-to-peer architectures.