Shared Flashcard Set


Comp2005 - Lecture 11 - DDoS
Alejandro Saucedo - Comp2005 Lecture 10 FlashCard Set
Computer Networking
Undergraduate 2





What is a DDoS?

A distributed denial-of-service attack: an attack launched from many sources whose goal is to put a system or network out of service by consuming a critical resource.


What are the benefits of making an attack distributed?
  • More client systems can starve the victim of whatever resource is being targeted (commonly bandwidth)
  • It becomes harder to mitigate or stop
    • The victim may be attacked by many thousands of sources, many of which it might expect to exchange traffic with normally
What role does each layer play in DoS attacks?
  • All five layers can be targeted
    • Application layer
      • Consume application resources, overload the server
    • Transport layer
      • Exploit TCP or UDP (e.g. TCP SYN flooding)
    • Network layer
      • Exploit IP, e.g. source routing, IPv6 Neighbour Discovery (ND) cache exhaustion
    • Data link layer
      • Exploit Ethernet, ARP attacks
    • Physical layer
      • RF interference, cut cables
Reasons for DDoS
  • Mischievous in nature (fun, fame, etc.)
  • A tactic in significant national conflicts
    • Russia vs Georgia 2008
  • Extortion threats by organised crime gangs
    • Pay to avoid your service going offline
  • Peaceful protest or virtual sit-in
  • Revenge attacks
DDoS tools
  • Low Orbit Ion Cannon (LOIC)
    • User joins a voluntary DDoS
  • High Orbit Ion Cannon (HOIC)
    • Wrapper for HTTP attacks - 'booster' scripts
  • PenTBox
  • Slowloris
    • Low bandwidth, keeps HTTP sockets open
    • Useful for 'surgical' DoS attacks in low bandwidth networks
Why is it important to remain anonymous in a DDoS and how can it be achieved?
  • Activity could be traced back to your IP address
  • Anonymity can be achieved through
    • Tor (if using TCP) - uses a set of relay nodes to hide the original source of TCP traffic
      • Not a high-performance overlay
    • An anonymous VPN service
    • Spoofing your IP address - particularly for UDP attacks, which need no handshake with the target
What is meant by spoofing an address?
  • Normally an IP packet is sent with the source address set to an IP address belonging to the sending host
    • With a given destination IP address
  • In principle you can usually set the IP source address to be any address
    • Write your own scripts or use tools like Scapy
    • In practice you don't do this for normal traffic, as any reply goes to the spoofed address and you would never see it
    • If you want to shift blame (or direct the replies at a victim), it's appealing
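To make the spoofing card concrete, here is an added example (not part of the lecture or the flashcard set) that builds an IPv4 header from scratch with the standard library, writes an arbitrary source address into it, and parses it back. It shows the point the card makes: the source field is just 4 bytes the sender fills in, and the receiver's reply is addressed to whatever is there. The addresses (198.51.100.7 as the real sender, 203.0.113.10 as the victim, 192.0.2.53 as the server) are constructed documentation addresses, and the function names are this example's own. Nothing is transmitted; the packet is only built in memory.

```python
import struct
import ipaddress


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header. The source field is whatever the caller writes:
    nothing in the packet format ties it to the host that actually transmits it."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL 5 words (20 bytes)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)                   # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and verify its checksum."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        # summing a valid header including its checksum field yields 0xFFFF, complement 0
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def reply_destination(pkt: bytes) -> str:
    """Where the receiver's reply will go: the source field, whoever really sent the packet."""
    return parse_ipv4_header(pkt)["src"]


if __name__ == "__main__":
    # Constructed scenario (documentation addresses): the real sender is 198.51.100.7,
    # but it writes the victim 203.0.113.10 into the source field of a 40-byte UDP payload.
    REAL_SENDER, VICTIM, SERVER = "198.51.100.7", "203.0.113.10", "192.0.2.53"
    spoofed = build_ipv4_header(VICTIM, SERVER, payload_len=40)
    print("header:", spoofed.hex())
    print("parsed:", parse_ipv4_header(spoofed))
    print("server replies to", reply_destination(spoofed), "not to", REAL_SENDER)
```

The header checksum only protects the header against corruption in transit; it says nothing about whether the source address is genuine, which is why the defence has to come from filtering at the network edge rather than from anything in the packet itself.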
What are DDoS botnets?
  • Usually installed by malware the victim downloads, bots are malicious programs inter-connected with other similar programs in order to perform tasks like sending spam e-mail, DDoS attacks, etc.
  • They are designed to go undetected on the infected host.
  • Individual bots may not have much uplink capacity, so attacks via third parties (amplifiers) are desirable.
  • A key-logger botnet is stealthy by design.
  • A botnet has more value if it can be re-used (don't generate heavy traffic directly from the client)
What is DDoS amplification?
  • Attackers always look for a way to exploit third-party services to target a victim
    • Gain 'free' extra bandwidth/resource
    • Especially if the amplification effect can be large
      • If designing a protocol or distributed system, you should consider the potential for this
    • Less easily traced back to original source
      • Especially when participants are an involuntary botnet
What is the Smurf attack?
  • One of the earliest amplification methods
  • Ping is sent to destination network broadcast address
    • The victim's IP is the spoofed IP source address
    • All live hosts in the target network will respond
    • Causes an amplification attack on the victim
  • Relatively easy to configure against and avoid
    • No genuine reason to let externally sourced traffic into a subnet directed at its broadcast IP address
  • The Fraggle variant used UDP packets instead
What do source routing attacks consist of?
  • Both IPv4 and IPv6 have an option that allows the sender to specify IP addresses for the packet to route through towards the destination
    • At each specified intermediate node, the next node on the path list becomes the destination
    • The IPv6 Type 0 Routing Header was deprecated (RFC 5095) because of exactly this abuse
  • One packet can be made to "ping pong"
    • Can thus amplify load on a specific link between two nodes
    • Can also be used to circumvent firewalls
      • Send packet via allowed destination
What is DNS amplification?
  • An example of the bad guys looking for more sophisticated 'reflectors'
  • Relies on availability of open recursive DNS servers to non-local users
    • Such servers will answer external DNS queries for domains other than those belonging to the local site
  • And on attacker being able to send DNS requests to those open resolvers, spoofing the IP source address
    • Generates a UDP reply to the victim
    • Small query, larger response
    • The victim is hit by DNS replies to queries it never sent
What are the principles of open recursive DNS resolvers?
  • Any site/ISP responsible for a domain will operate a DNS service to answer queries for its clients who wish to connect to external services by name
  • The DNS-based amplification attack relies on such servers also answering queries from external clients
    • Known as 'open recursive' servers; attackers can then send queries that are known to generate large replies
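The two DNS cards above (amplification, and what makes a resolver "open recursive") can be illustrated together with one added example; it is not from the lecture or the flashcard set. It encodes a recursive DNS query in wire format, constructs two possible replies (an open resolver answering with ten A records, and a correctly configured server refusing recursion), classifies the server from the reply's RA bit and RCODE the way an open-resolver scan would, and computes the amplification factor as reply bytes per query byte. The query name example.com, the 192.0.2.x answer addresses and the function names are this example's own constructed inputs; real attacks pick query types whose answers are far larger than the A records used here, so the factor shown is deliberately modest.

```python
import struct
import ipaddress

RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Standard query with the RD (recursion desired) bit set: the kind of query an
    open-resolver scan, or an amplification attack, sends to a server."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; flag bits per RFC 1035."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_response(query: bytes, addrs, rcode: int = RCODE_NOERROR, ra: bool = True) -> bytes:
    """Constructed reply to `query`: echoes the question, then one A record per address
    (the owner name is a compression pointer 0xC00C back to the question name)."""
    h = parse_header(query)
    flags = 0x8000 | (0x0100 if h["rd"] else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + query[12:] + rrs


def classify_resolver(query: bytes, response: bytes) -> str:
    """Given a recursive query for a name the server is NOT authoritative for, decide
    from the reply whether the server is acting as an open recursive resolver."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"            # recursion denied to this client: the right answer
    if r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open-recursive"     # it resolved someone else's name for an outsider
    return "closed"


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the (spoofed) source per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    open_reply = build_response(q, ["192.0.2.%d" % i for i in range(1, 11)])  # constructed
    refused = build_response(q, [], rcode=RCODE_REFUSED, ra=False)            # constructed
    for label, r in (("open resolver", open_reply), ("refusing server", refused)):
        print(f"{label}: {classify_resolver(q, r)}, query {len(q)} B, reply {len(r)} B, "
              f"amplification x{amplification_factor(q, r):.1f}")
```

A refusing server returns 29 bytes for a 29-byte query, so it offers no amplification at all; the open resolver returns 189 bytes for the same query, and every one of those bytes lands on whichever address the attacker wrote into the source field.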
What are other problems related to DNS resolvers?
  • An attacker could equally target any site's DNS servers and send spoofed DNS requests querying domains that that site is actually authoritative for
    • This would still cause DNS responses to be sent to the victim
  • It's easier though for attackers to build lists of open resolvers that are known to generate large replies to small DNS queries
  • Also, a site that disables open resolvers probably also configures rate limiting on DNS responses
What is BCP 38?
  • The real core of the problem is the ability of attackers to spoof the IP source address, therefore this is one of the best DDoS defences:
    • Recommends that sites and ISPs check source addresses
    • Drop packets that cross a firewall/router with a source address that does not belong to the site network behind that interface
    • Do not let packets out of your network that do not have one of your IP addresses as the source address
    • Applying BCP38 ensures your site can't be the origin of the spoofed packets such an amplification attack relies on (a site can still act as a reflector, e.g. via an open resolver, so both fixes are needed)
  • May be applied by a site and/or its upstream ISP
    • But many ISPs/sites still don't do this (55%)
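As an added example (not from the lecture or the flashcard set), the BCP 38 rules on this card and the Smurf defence on the earlier card can be expressed as a small stateless border filter: inbound packets claiming one of the site's own source addresses are dropped (ingress filtering), outbound packets whose source is not one of the site's addresses are dropped (egress filtering), and inbound packets addressed to a subnet's broadcast address are dropped. The site prefixes 198.51.100.0/24 and 2001:db8:100::/48, the sample traffic and the class and function names are all constructed for this example.

```python
import ipaddress


class BorderFilter:
    """Stateless checks a site border router applies, given the prefixes allocated to the
    site (what legitimately lives behind its inside interface)."""

    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]

    def _is_inside(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.inside)   # v4/v6 mismatch is simply False

    def _is_directed_broadcast(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a == net.broadcast_address for net in self.inside if net.version == 4)

    def decide(self, direction: str, src: str, dst: str):
        """direction is 'in' (arriving from the ISP) or 'out' (leaving the site).
        Returns (verdict, reason)."""
        if direction == "in":
            if self._is_inside(src):
                return "drop", "bcp38-ingress: external packet claims a source inside our site"
            if self._is_directed_broadcast(dst):
                return "drop", "smurf: external packet addressed to a subnet broadcast address"
            return "accept", ""
        if direction == "out":
            if not self._is_inside(src):
                return "drop", "bcp38-egress: outgoing packet with a source address that is not ours"
            return "accept", ""
        raise ValueError(f"unknown direction {direction!r}")


def apply_filter(flt: BorderFilter, packets):
    """Run a list of (direction, src, dst) tuples through the filter; return the drop log."""
    return [(d, s, t, reason) for d, s, t in packets
            for verdict, reason in [flt.decide(d, s, t)] if verdict == "drop"]


if __name__ == "__main__":
    # Constructed site: one IPv4 /24 and one IPv6 /48 (documentation prefixes).
    flt = BorderFilter(["198.51.100.0/24", "2001:db8:100::/48"])
    SAMPLE = [                                      # constructed traffic
        ("out", "198.51.100.7", "192.0.2.53"),       # normal outbound query
        ("out", "203.0.113.10", "192.0.2.53"),       # spoofed source: would reflect onto 203.0.113.10
        ("in", "192.0.2.53", "198.51.100.7"),        # normal reply
        ("in", "198.51.100.7", "198.51.100.9"),      # outsider pretending to be one of ours
        ("in", "203.0.113.10", "198.51.100.255"),    # Smurf: ping to our broadcast address
        ("out", "2001:db8:100::1", "2001:db8:200::1"),
    ]
    for entry in apply_filter(flt, SAMPLE):
        print("DROP", entry)
```

The egress rule is the one BCP 38 is really about: it costs the site nothing (no legitimate packet leaves with a foreign source) and it protects everyone else, which is also why the card notes that so many sites still skip it.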
What is anycast?
  • Running multiple instances of the same server/service on the same IP address
    • The routing system leads clients accessing the service to the nearest instance; every router still only has one best route to the destination network/service
    • Still 1:1 communication, but the load is distributed
  • Useful for content distribution networks (CDNs) and indirectly spreads DDoS load
    • Provides resilience for the root DNS servers
What are some countermeasures for DDoS?
  • Spread your service using anycast
  • Black-holing, sink-holing, upstream by your ISP
    • Has implications if the DDoS comes from systems you might normally exchange traffic with
  • Filtering traffic with spoofed source addresses; BCP38
  • Not running open recursive DNS resolvers
  • Rate limiting - e.g. Response Rate Limiting (RRL) on DNS
  • Hardware accelerators, application preprocessors
  • Darknets (unused address space); monitor/detect backscatter from randomly spoofed IP addresses
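The "rate limiting on DNS" countermeasure is worth seeing in working form, so here is an added example (not from the lecture or the flashcard set) of response rate limiting as an authoritative server can apply it: responses are counted per (client prefix, query name, query type) in a one-second window; over the limit, most responses are dropped, and every second one is instead marked truncated so a genuine client in the throttled prefix can retry over TCP, which an attacker cannot spoof. The limits, the /24 and /56 client grouping, the sample query log and all names are this example's own choices.

```python
import ipaddress


class ResponseRateLimiter:
    """Fixed-window response rate limiting for an authoritative DNS server.

    Responses are counted per (client prefix, query name, query type) so that a flood of
    identical spoofed queries 'from' one victim network is throttled while other clients
    are unaffected. Over the limit, most responses are dropped; every `slip`-th one is
    instead sent truncated (TC=1) so a genuine client behind the victim prefix can retry
    over TCP, which cannot be spoofed."""

    def __init__(self, responses_per_second=5, window=1.0, slip=2, v4_prefix=24, v6_prefix=56):
        self.rps, self.window, self.slip = responses_per_second, window, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = {}  # key -> [window_start, responses_in_window, over_limit_in_window]

    def _key(self, client_ip: str, qname: str, qtype: str):
        a = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if a.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        return (str(net), qname.rstrip(".").lower(), qtype.upper())

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        """Returns 'send', 'drop' or 'truncate' for the response to this query."""
        key = self._key(client_ip, qname, qtype)
        bucket = self.buckets.setdefault(key, [now, 0, 0])
        if now - bucket[0] >= self.window:          # new window: reset the counters
            bucket[:] = [now, 0, 0]
        bucket[1] += 1
        if bucket[1] <= self.rps:
            return "send"
        bucket[2] += 1
        if self.slip and bucket[2] % self.slip == 0:
            return "truncate"                       # TC=1, empty answer: "retry over TCP"
        return "drop"


def simulate(rrl: ResponseRateLimiter, queries):
    """Feed (time, client, qname, qtype) tuples through the limiter; return verdict counts."""
    counts = {"send": 0, "drop": 0, "truncate": 0}
    for t, client, name, qtype in queries:
        counts[rrl.decide(t, client, name, qtype)] += 1
    return counts


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    # Constructed log: 40 spoofed queries in one second, all 'from' the victim's /24,
    # plus two unrelated queries that must not be affected.
    flood = [(i * 0.025, f"203.0.113.{i % 8 + 1}", "example.com", "ANY") for i in range(40)]
    legit = [(0.5, "198.51.100.7", "example.com", "A"),
             (0.6, "203.0.113.9", "www.example.com", "A")]
    print(simulate(rrl, flood + legit))
```

Keying on a prefix rather than a single address matters because the attacker can spread the spoofed source across the whole victim network; keying on the query as well keeps one hot name from throttling every other answer the server gives that network.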