503162-001_DoSandDDoSProtection


8/9/2019 503162-001_DoSandDDoSProtection

1/13

503162-001 06/05

Denial of Service and Distributed Denial of Service Protection


Introduction

The degraded service and lost business from a Denial of Service (DoS) attack can lead to staggering costs both during and after an attack. For an e-commerce site like eBay or Buy.com, one day of downtime due to a DoS attack can cost in the tens of millions of dollars in lost revenue. The SQL Slammer worm, a DoS attack that made mission-critical Microsoft SQL servers inaccessible, cost corporations billions of dollars worldwide. Beyond worms, targeted DoS attacks are on the rise. According to the 2004 CSI/FBI Computer Crime and Security Survey, targeted DoS attacks were the most expensive computer threat last year, causing over $26M in damages for the 250 companies included in the survey, more than double any other category. Beyond the immediate costs, the lasting effects of a successful DoS attack include lost customers, loss of faith in the service's dependability, and damage to the corporate brand.

A recent trend in DDoS attacks reveals a new twist in the spiraling costs to companies and organizations. The evolution of Denial of Service attacks began with hackers that targeted larger websites for the thrill of hacking.[1] However, as the opportunities increase, organized crime has set its sights on companies with more to lose in their businesses and reputations, such as online banks, lenders, and service providers.

Organized crime syndicates extort money from online companies by demanding money to keep them from receiving severe DDoS attacks. If a company does not meet the demands, the attackers bombard the company's systems with constant and overwhelming DDoS attacks from thousands of zombies, placing their eCommerce businesses into gridlock.

What is a Denial of Service Attack?

Denial of Service (DoS) attacks are network-based attacks that prevent access to a service. DoS attacks disable a network service by flooding connections, crashing servers or programs running on the servers, exhausting server resources, or otherwise preventing legitimate clients from accessing the network service.

DoS attacks range from single packet attacks that crash servers to coordinated packet floods from multiple hosts. In single packet attacks, a carefully crafted packet that exploits a known operating system or application vulnerability is sent through the network to disable a server and/or any associated services it performs. The Slammer worm exploited one such vulnerability.

In a flood attack, server or network resources are corrupted or exhausted by a flood of packets. Since a single site launching a flood can be identified and isolated fairly easily, a more sophisticated approach, called a Distributed DoS (DDoS) attack, is the tool of choice for many flood attacks.

[1] Naftali Bennett, chief executive officer of U.S. Internet security company Cyota, quoted by Robin Arnfield in "Credit-Card Processor Hit by DDoS Attack" for NewsFactor

"DoS attacks were the most expensive computer crime last year, more than double any other category." 2004 CSI/FBI Computer Crime and Security Survey

"Denial of Service (DoS) attacks are on the rise. Denial of Service protection is a natural extension for intrusion prevention systems because they are in-line and have the ability to deeply inspect and classify traffic, then take action accordingly." Richard Stiennon, Gartner Research Vice President

In a DDoS attack, an attacker uses multiple machines to assault a target. Some attacks are simple in design, such as sending a relentless stream of data to flood the network connection to the server. Other attacks, such as SYN floods, use carefully crafted packets to exhaust critical server resources in order to prevent legitimate clients from connecting to the server.

Regardless of the specifics, a DDoS attack utilizes a significant number of machines in a coordinated manner. These machines, known as zombies, are machines that have been previously compromised and are under the attacker's control. Hackers often boast about the number of zombies that they have under their control. By sending commands to the zombies over covert communication channels, hackers can stage large coordinated attacks. Because the attack is originating from a large number of PCs spread across a wide network, simple identification and isolation techniques do not work. In many cases, it is extremely difficult to separate legitimate traffic from attack traffic.

As more PCs gain broadband access from homes, the field of potential zombies increases. Experts estimate that 1/3 of home user PCs on the Internet have been compromised. The sophistication required and barrier to launching these DDoS attacks has been greatly reduced through the availability of packaged tools (e.g., Tribe Flood Network and Stacheldraht) that are freely available on the Internet.

TippingPoint's Solution

In response to the evolving nature of DoS and DDoS attacks, TippingPoint has developed an arsenal of protection mechanisms corresponding to the methods attackers employ. The TippingPoint Intrusion Prevention System (IPS) operates in-line to protect a network and the hosts connected to it by examining every bit of traffic that passes through it and filtering out unwanted traffic.

TippingPoint has two primary classes of protection: Standard DoS protection and Advanced DDoS protection. Standard DoS protection provides a base level of protection against vulnerabilities, attack tools, and traffic anomalies. Advanced DDoS protection guards against SYN flood, established connection flood, and connections per second flood attacks.

TippingPoint provides Standard DoS Protection in all its IPS products:

- Vulnerability Protection: Protects against DoS attacks that crash servers by exploiting known vulnerabilities.
- Zombie Recruitment Protection: Protects against Zombie recruitment of systems through Trojan programs.
- Attack Tool Protection: Blocks the covert channels used by well-known DDoS attack programs including TFN, Loki, and Stacheldraht.
- Bandwidth Protection: Protects against packet floods like ICMP, TCP or UDP that can consume network bandwidth or server resources, causing legitimate packets to be dropped. These filters baseline and throttle traffic when it goes beyond a set percentage.

Advanced DDoS Protection provides the following additional protection:

- SYN Proxy: An attacker floods a server with malicious connection requests (TCP SYNs) with spoofed source IP addresses, preventing legitimate clients from accessing the server.
- Connection Per Second (CPS) Flood: An attacker uses a Zombie army to repeatedly request resources, such as Web pages, from a server. The resulting load makes the server sluggish or inaccessible.
- Established Connection Flood: An attacker uses a Zombie army to establish a large number (potentially millions) of malicious TCP connections to a server, preventing it from accepting new requests from legitimate clients.

Standard and Advanced DoS/DDoS protection work together to stop surgical and brute force DoS attacks and prevent the recruitment of new zombies.

Seven Common DoS Attack Methods

Hackers have an arsenal of methods to enact Denial of Service (DoS) attacks. The following seven sections highlight the extent of the dilemma faced by organizations trying to combat the DoS threat. TippingPoint provides solutions to combat these common methods of DDoS attacks:

- Vulnerabilities
- Zombie Recruitment
- Attack Tools
- Bandwidth Attacks
- SYN Floods
- Established Connection Floods
- Connections-Per-Second Floods

Method 1: Vulnerabilities

Attackers can attempt to crash a service or underlying operating system directly through a network. These attacks disable services by exploiting buffer overflows and other implementation loopholes that exist in unprotected servers. Vulnerability attacks do not require extensive resources or bandwidth to perpetrate; attackers only need to know of the existence of a vulnerability to be able to exploit it and cause extensive damage.

Once an attacker has control of a vulnerable service, application, or operating system, they abuse the opening to disable systems and ultimately crash an entire network from within.

The TippingPoint Solution for Vulnerabilities

TippingPoint provides a powerful engine that detects and blocks attempts to exploit vulnerabilities for all incoming and outgoing traffic. The TippingPoint security team simultaneously develops attack filters to address discovered vulnerabilities in network services and operating systems and incorporates these filters into Digital Vaccines. Digital Vaccines are delivered to customers every week, or immediately when critical vulnerabilities emerge, and can be deployed automatically without user interaction for automatic protection.

Method 2: Zombie Recruitment

The same vulnerabilities used to crash a server allow hackers to transform vulnerable PCs into DDoS zombies. Once the hacker exploits the vulnerability to gain control of the system, they plant a backdoor into the system for later use in perpetrating DDoS attacks. The Trojan or similar infection provides a path into the system. Once the attacker has the path, they remotely control the network, making the server a Zombie that waits for the given attack command. Using these zombies, attackers can send a multitude of DoS and DDoS attacks with anonymity.

Viruses can also be used for Zombie recruitment. For instance, the MyDoom virus was designed to convert PCs into Zombies that attacked SCO and Microsoft at a predetermined time programmed into the virus. Other viruses install backdoors that allow hackers to launch coordinated attacks, increasing the distribution of the attacks across networks around the globe.

The following figures detail how attackers create and launch these attacks against a network.

The attacker builds a pool of zombies by compromising unprotected computers.

To perpetrate an attack using a large number of hosts that attack simultaneously, attackers infect hosts with a zombie or agent program, which connects to a pre-defined master host. Once connected, the attacker can send the command across the entire zombie network.

TippingPoint protects against Zombie attacks by detecting and blocking the viruses used to introduce the Zombie agent.


The attacker launches an attack against a server/network using zombie computers. The attack cripples performance and blocks the network from receiving legitimate traffic.

The TippingPoint Solution for Zombie Recruitment

In addition to the previously described vulnerability protection, the TippingPoint IPS includes filters to detect and block viruses. The combined effects of virus and vulnerability filters make it virtually impossible for hackers to recruit new zombies.

Method 3: Attack Tools

Through zombie recruitment, hackers use covert communication channels to contact and control their zombie army. They can select from hundreds of off-the-shelf backdoor programs and custom tools from websites. These tools and programs initiate these attacks to infiltrate and control networks as zombie armies to enact further attacks from within. Once they have the zombie systems, they can use other tools to send a single command to all zombies simultaneously. In some cases, commands are carried in ICMP or UDP packets that can bypass firewalls. In other cases, the zombie phones home by creating a TCP connection to the master. Once the connection is created, the master can control the Zombie.


The tools used to attack and control systems include:

- Tribe Flood Network (TFN): Focuses on Smurf, UDP, SYN, and ICMP echo request floods.
- Tribe Flood Network 2000 (TFN2K): The updated version of TFN.
- Trinoo: Focuses on UDP floods. Sends UDP packets to random destination ports. The size is configurable.
- Stacheldraht: Software tool that focuses on TCP, ACK, TCP NULL, HAVOC, DNS floods, and TCP packet floods with random headers.

DDoS tools are maturing both in terms of covert channel implementation and in DDoS flooding techniques. New tools utilize arbitrary port numbers or work across IRC. Further, smarter tools intelligently disguise flooding packets as legitimate service requests and/or introduce a high degree of randomness. These enhancements make it increasingly difficult for a port-filtering device to separate attack packets from legitimate traffic.

The TippingPoint Solution for DDoS Tools

TippingPoint offers hundreds of filters that accurately detect and block the covert communication channels, disrupting the command and control network of the hacker's DDoS army. When combined with virus and vulnerability protection, TippingPoint prevents recruitment of new zombies, blocks communications to existing zombies, and gives the administrator detailed information needed to clean the infected system.

Method 4: Bandwidth Attacks

When a DDoS attack is launched, it can often be detected as a significant change in the statistical composition of the network traffic. For example, a typical network might consist of 80 percent TCP and a 20 percent mix of UDP and ICMP. A change in the statistical mix can be a signal of a new attack. For instance, the Slammer worm resulted in a surge of UDP packets, whereas the Welchia worm created a flood of ICMP packets. Such surges can be DDoS attacks or so-called zero-day attacks, attacks that exploit undisclosed vulnerabilities.

The TippingPoint Solution for Bandwidth Attacks

The TippingPoint IPS provides statistical anomaly filters to detect packet floods and rate-shaping to mitigate their effects. TippingPoint provides both protocol and application traffic threshold filters. Protocol traffic threshold filters can be created for TCP, UDP, ICMP, and other IP protocols. Application traffic threshold filters monitor traffic to specific TCP and UDP ports. Both types of statistical anomaly filters create a baseline of normal levels for one traffic type and alert if the traffic of that type surges above a user-defined level. For example, you can create a protocol traffic threshold filter that creates a baseline of the normal level for ICMP traffic and alerts if the ICMP traffic levels exceed 300% of normal.

To provide greater protection of a network, the UnityOne incorporates advanced traffic pattern monitoring and filters to watch for and react to possible traffic anomalies. These sudden changes in traffic could indicate an attack. With these advanced features, the UnityOne provides the best protection of an organization's assets.


In addition to alerting, the TippingPoint IPS can prevent the monitored traffic from exceeding or consuming more than a preset amount of network bandwidth. For example, if ICMP traffic exceeds 500% of normal, it can be rate-limited so that it uses no more than 3 Mbps. This powerful capability controls excessive bandwidth consumption of non-mission critical applications and ensures bandwidth availability for mission critical traffic. The aggressive propagation traffic produced by recent worms has resulted in DoS attacks against routers, firewalls, and other network infrastructure elements. Limiting this traffic to a capped bandwidth keeps the network running and stifles the attack.

Traffic threshold filters are edge-triggered. These filters fire when the threshold is exceeded and again when the threshold is no longer being exceeded. These triggers provide information on the duration of each change in traffic patterns.
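As an added example (not from the TippingPoint paper and not the product's configuration), the following Python model shows how a protocol traffic threshold filter of the kind described above can behave: it learns a baseline from per-second ICMP rates, raises edge-triggered events when the rate crosses 300% of baseline and again when it drops back (so the pair of events gives the duration), and caps the forwarded rate at 3 Mbps while the rate is above 500%. The traffic samples, the class and its method names are this example's own constructions.

```python
"""Model of a baseline-and-threshold traffic filter (added example, constructed data)."""
from statistics import mean
from typing import List, Optional, Tuple


class ThresholdFilter:
    """One protocol (here: ICMP) traffic threshold filter with rate-shaping."""

    def __init__(self, alert_pct: float = 300.0, shape_pct: float = 500.0,
                 cap_bps: int = 3_000_000) -> None:
        self.alert_pct = alert_pct      # alert above this percentage of baseline
        self.shape_pct = shape_pct      # rate-shape above this percentage of baseline
        self.cap_bps = cap_bps          # hard cap while shaping (3 Mbps)
        self.baseline_bps: Optional[float] = None
        self.over_threshold = False     # which side of the edge we are on
        self.since: Optional[int] = None
        self.events: List[Tuple[int, str, int]] = []

    def learn(self, samples_bps: List[int]) -> float:
        """Build the 'normal' baseline from a clean learning window."""
        self.baseline_bps = mean(samples_bps)
        return self.baseline_bps

    def step(self, t: int, observed_bps: int) -> int:
        """Process one 1-second sample and return the bits actually forwarded."""
        assert self.baseline_bps, "learn() must run first"
        pct = observed_bps / self.baseline_bps * 100.0
        exceeded = pct > self.alert_pct
        # Edge-triggered: fire on the rising edge and again on the falling edge,
        # so the two events together record how long the surge lasted.
        if exceeded and not self.over_threshold:
            self.since = t
            self.events.append((t, "threshold exceeded", round(pct)))
        elif not exceeded and self.over_threshold:
            self.events.append((t, "back to normal", t - self.since))
        self.over_threshold = exceeded
        # Rate-shaping: above the shaping threshold, forward at most cap_bps.
        if pct > self.shape_pct:
            return min(observed_bps, self.cap_bps)
        return observed_bps


def run_demo() -> Tuple[List[Tuple[int, str, int]], List[int]]:
    """Constructed ICMP rates: learn on ~1 Mbps, then 5 s normal, 5 s at 400%,
    5 s at 800%, 5 s normal.  Returns (events, forwarded bits per second)."""
    f = ThresholdFilter()
    f.learn([900_000, 1_000_000, 1_100_000, 1_000_000, 1_000_000])  # baseline 1 Mbps
    samples = [1_000_000] * 5 + [4_000_000] * 5 + [8_000_000] * 5 + [1_000_000] * 5
    forwarded = [f.step(t, bps) for t, bps in enumerate(samples)]
    return f.events, forwarded


if __name__ == "__main__":
    events, forwarded = run_demo()
    for ev in events:
        print(ev)
    print("forwarded Mbps per second:", [b // 1_000_000 for b in forwarded])
```

The 400% surge only produces an alert, while the 800% surge is also clamped to the 3 Mbps cap, matching the two thresholds the text describes.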

Method 5: SYN Flood

One of the most common types of DoS attacks is the SYN Flood. This attack can be launched from one or more attacker machines to disable access to a target server. The attack exploits the mechanism used to establish a TCP connection. Every TCP connection requires the completion of a three-way handshake before it can pass data:

- Connection Request: First packet (SYN) sent from the requester to the server, starting the three-way handshake
- Request Acknowledgement: Second packet (SYN+ACK) sent from the server to the requester
- Connection Complete: Third packet (ACK) sent from the requester back to the server, completing the three-way handshake

The attack consists of a flood of invalid SYN packets with spoofed source IP addresses. The spoofed source address causes the target server to respond to the SYN with a SYN-ACK to an unsuspecting or nonexistent source machine. The target then waits for an ACK packet from the source to complete the connection. The ACK never comes and ties up the connection table with a pending connection request that never completes. The table will quickly fill up and consume all available resources with invalid requests. While the number of connection entries may vary from one server to another, tables may fill up with only hundreds or thousands of requests. The result is a denial of service since, once a table is full, the target server is unable to service legitimate requests.

The difficulty with SYN attacks is that each request in isolation looks benign. An invalid request is very difficult to distinguish from a legitimate one.

SYN Floods are one of the oldest DoS attacks in existence. Any knowledgeable person can launch a TCP SYN flood, making this attack one of the most common. Without proper protection, SYN floods can place an entire organization at risk.

As DoS attacks bombard a network, the requests quickly fill up the connection table of most network security devices.

TippingPoint 100E removes DoS attack traffic from the network; the TippingPoint 100E drops the requests immediately from the connection table, as in the case of a TCP SYN flood.


Figure 1: SYN Flood Attack

The SYN flood attack using spoofed IPs prevents a valid requester from accessing a server due to lack of connections.

Figure 2: Mitigating SYN Flood Attacks with Proxy Server

The addition of a TippingPoint 100E with Advanced DDoS Protection (including SYN Proxy filters) prevents the SYN flood attack from consuming all TCP connections on the server.

A valid request can complete a three-way handshake.

TippingPoint 100E


The TippingPoint Solution for SYN Floods

The TippingPoint 100E uses advanced methods to detect and protect enterprise networks against SYN Floods. The IPS acts as a proxy, synthesizing and sending the SYN/ACK packet back to the originator and waiting for the final ACK packet. After the IPS receives the ACK packet from the originator, the IPS "replays" the three-step sequence to the receiver.

The full attack and response scenario is as follows.

1. The attacker sends a SYN packet to the target. The TippingPoint 100E intercepts the SYN and determines if the TippingPoint IPS protects the target.
2. If so, the IPS generates a SYN-ACK on behalf of the target.
3. If the IPS receives the final ACK of the 3-way handshake, the IPS validates the ACK by utilizing advanced algorithms to verify that this packet is in response to a SYN-ACK generated by the IPS. If so, the IPS creates a connection with the target.
4. Once both connections are established, TippingPoint maintains the data and connection, ensuring safe traffic. If the originator of the attack does not complete the 3-way handshake, no packets are sent to the target and no state is maintained on the TippingPoint IPS.

In the case of a SYN flood, the respondent is fully protected from the attack as the TippingPoint 100E scans, detects, and blocks the SYN flood.

TippingPoint allows the user to designate clients as trusted. Connections from trusted sources are never proxied.
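The proxied handshake of steps 1 to 4, including the trusted-client bypass, as an added Python model that is not TippingPoint's code. The paper only says the ACK is validated with "advanced algorithms"; this model assumes a SYN-cookie style check, in which the device derives the sequence number of the SYN-ACK it synthesises from a keyed MAC over the flow and a time slot, so it keeps no per-SYN state and a spoofed flood leaves nothing behind on either the device or the server. The server model, addresses and flood are constructed.

```python
"""Model of a SYN proxy protecting a server (added example, constructed data)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)
COOKIE_SLOT_S = 64                # cookie validity window, as in classic SYN cookies


@dataclass
class Server:
    half_open: Set[Flow] = field(default_factory=set)      # SYN seen, no ACK yet
    established: Set[Flow] = field(default_factory=set)

    def recv_syn(self, flow: Flow) -> None:
        self.half_open.add(flow)   # what a flood would fill up on an unprotected host

    def recv_ack(self, flow: Flow) -> None:
        self.half_open.discard(flow)
        self.established.add(flow)


@dataclass
class SynProxy:
    """In-line device that completes the handshake itself before involving the server."""
    server: Server
    protected: Set[str]
    trusted: Set[str] = field(default_factory=set)
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    connections: Set[Flow] = field(default_factory=set)   # fully proxied flows
    packets_to_server: int = 0

    def _cookie(self, flow: Flow, slot: int) -> int:
        mac = hmac.new(self.key, repr((flow, slot)).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit ISN for our SYN-ACK

    def _proxied(self, flow: Flow) -> bool:
        # Step 1: is the target protected?  Trusted sources are never proxied.
        return flow[2] in self.protected and flow[0] not in self.trusted

    def recv_syn(self, flow: Flow) -> Optional[int]:
        """Return the ISN of the SYN-ACK we send back, or None when passed through."""
        if not self._proxied(flow):
            self.packets_to_server += 1
            self.server.recv_syn(flow)
            return None
        # Step 2: synthesise the SYN-ACK on the target's behalf; no state is kept.
        return self._cookie(flow, int(time.time()) // COOKIE_SLOT_S)

    def recv_ack(self, flow: Flow, ack_num: int) -> bool:
        """Step 3: accept the ACK only if it answers a SYN-ACK we generated."""
        if not self._proxied(flow):
            self.packets_to_server += 1
            self.server.recv_ack(flow)
            return True
        now = int(time.time()) // COOKIE_SLOT_S
        expected = {self._cookie(flow, s) for s in (now, now - 1)}
        if (ack_num - 1) & 0xFFFFFFFF not in expected:
            return False               # not a reply to our SYN-ACK: drop, keep no state
        # Step 4: replay the three-way handshake towards the real server.
        self.server.recv_syn(flow)
        self.server.recv_ack(flow)
        self.packets_to_server += 2
        self.connections.add(flow)
        return True


def run_demo() -> Tuple[Tuple[int, int, int], bool, bool, int]:
    server = Server()
    ips = SynProxy(server, protected={"10.0.0.5"}, trusted={"10.0.0.9"})
    # Constructed flood: 1000 spoofed SYNs whose sources never answer the SYN-ACK.
    for i in range(1000):
        ips.recv_syn(("198.51.100.%d" % (i % 254 + 1), 40000 + i, "10.0.0.5", 80))
    after_flood = (len(ips.connections), len(server.half_open), ips.packets_to_server)
    # A legitimate client completes the handshake and is replayed to the server.
    flow: Flow = ("203.0.113.7", 51515, "10.0.0.5", 80)
    isn = ips.recv_syn(flow)
    legit_ok = ips.recv_ack(flow, (isn + 1) & 0xFFFFFFFF)
    # An ACK that answers no SYN-ACK of ours is dropped.
    bogus_ok = ips.recv_ack(("203.0.113.8", 51516, "10.0.0.5", 80), 12345)
    return after_flood, legit_ok, bogus_ok, len(server.established)
```

Running run_demo() returns ((0, 0, 0), True, False, 1): the thousand spoofed SYNs create no proxy state, no half-open entries and no packets to the server, while the one real client ends up established.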

Method 6: Established Connection Flood

An Established Connection Flood is an evolution of the SYN Flood attack that employs a multiplicity of zombies to perpetrate a DDoS attack on a target. Zombies establish seemingly legitimate connections to the target server. By using a large number of zombies, each creating a large number of connections to the target, an attacker can create so many connections that the target is no longer able to accept legitimate connection requests. For example, if a thousand zombies create a thousand connections to a target server, the server must manage a million open connections. The effect is similar to a SYN Flood attack in that it consumes server resources, but is even more difficult to detect.

When TippingPoint detects a DoS attack, it enacts a series of actions and notifications according to customized settings. Administrators can set the system to block, permit, or generate notifications for the system, users and logs.

Every filter in the IPS provides protection against a wide variety of attacks. Network administrators can customize the settings for filters, including the following:

- Actions for attack responses
- Notification contacts for alert messages
- Exceptions for specific IP addresses

Established Connection Flood attacks can be some of the most difficult to detect and block. These attacks originate from an IP address that is checked and accepted by a proxy server through a complete three-way handshake.

Once an Established Connection Flood attack enters a network, it strikes against the proxy server, intending to crash it. Once the proxy crashes, access to systems and servers behind the proxy server is blocked.


The TippingPoint Solution for Established Connection Floods

TippingPoint Established Connection Flood filters track the number of connections each source has made to a protected server. When a source attempts to create more than a specified number of connections to a protected server, new connections are blocked until the source closes some connections. For example, TippingPoint can ensure that no single source can create more than 10 open connections to a server. Thus, a thousand zombies can create no more than ten thousand connections to a protected server.

Method 7: Connections Per Second Floods

Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections from a seemingly valid source. In these attacks, an attacker or army of zombies attempts to exhaust server resources by quickly setting up and tearing down TCP connections, possibly initiating a request on each connection. For example, an attacker might use his zombie army to repeatedly fetch the home page from a target web server. The resulting load makes the server extremely sluggish.

The TippingPoint Solution for CPS Floods

TippingPoint enables network administrators to create Connections Per Second (CPS) filters. Each filter limits the average number of connections that a client may open to a particular server per second. Each filter includes a threshold setting of the calculated average number of connections per second to allow from a particular client. The network administrator can create a CPS filter for both port A->B and port B->A traffic. The flexible settings allow customizations for incoming and outgoing traffic and attack detection based on network traffic needs.

TippingPoint computes the average over a ten second window to allow for normal fluctuations of traffic. A common traffic pattern is a web browser that opens 10 connections to download a complex page, then sits idle while the user reads. To accommodate this pattern, the filters count new connections averaged over a ten second period. For example, if a filter specifies a maximum of 3.5 connections per second, browsers can open up to 35 connections in a second. However, after making these connections, the browser is unable to open any new connections for 9 more seconds. As a result, over the 10-second period, the browser has averaged the permitted 3.5 connections per second. Used in conjunction with Established Connection filters, CPS Flood protection can provide powerful detection and protection of a network.
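An added Python model (not TippingPoint's code) of the two filters described in the Established Connection Flood and CPS sections working together: a per-source cap of 10 open connections, and a CPS filter whose 3.5 connections/second threshold is enforced as a budget of 35 new connections over a sliding ten-second window. The zombie sources and browser bursts are constructed; with 1000 zombie sources the cap admits at most ten thousand connections, and a browser that opens 35 connections at once is refused further connections until the window has moved on.

```python
"""Models of Established Connection Flood and CPS filters (added example, constructed data)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class EstablishedConnectionFilter:
    """Block new connections from a source that already holds max_open to the server."""

    def __init__(self, max_open: int = 10) -> None:
        self.max_open = max_open
        self.open: Dict[str, int] = defaultdict(int)   # source -> currently open

    def connect(self, src: str) -> bool:
        """Return True if the connection is admitted, False if it is blocked."""
        if self.open[src] >= self.max_open:
            return False
        self.open[src] += 1
        return True

    def close(self, src: str) -> None:
        """A closed connection frees one slot for that source."""
        if self.open[src] > 0:
            self.open[src] -= 1


class CpsFilter:
    """Limit a client's new connections to max_cps averaged over window_s seconds."""

    def __init__(self, max_cps: float = 3.5, window_s: int = 10) -> None:
        self.window_s = window_s
        self.budget = int(max_cps * window_s)              # 35 new connections per 10 s
        self.recent: Dict[str, Deque[int]] = defaultdict(deque)  # client -> open times

    def connect(self, client: str, now: int) -> bool:
        """Admit the connection unless the client has used up its window budget."""
        q = self.recent[client]
        while q and q[0] <= now - self.window_s:            # age out the old window
            q.popleft()
        if len(q) >= self.budget:
            return False
        q.append(now)
        return True


def demo_connection_limit(zombies: int = 1000, attempts_each: int = 100) -> int:
    """Constructed flood: every zombie tries attempts_each connections.
    Returns how many the 10-per-source cap admits in total."""
    f = EstablishedConnectionFilter(max_open=10)
    admitted = 0
    for z in range(zombies):
        src = "zombie-%d" % z                                 # constructed source label
        admitted += sum(f.connect(src) for _ in range(attempts_each))
    return admitted


def demo_cps() -> List[Tuple[int, int]]:
    """Constructed browser: 36 connections at t=0, one retry at t=9, one at t=10.
    Returns (time, admitted count) for each burst."""
    f = CpsFilter(max_cps=3.5, window_s=10)
    client = "203.0.113.7"
    bursts = [(0, 36), (9, 1), (10, 1)]
    return [(t, sum(f.connect(client, t) for _ in range(n))) for t, n in bursts]
```

demo_connection_limit() returns 10000 and demo_cps() returns [(0, 35), (9, 0), (10, 1)]: the 36th connection at t=0 and the retry at t=9 are blocked, and the window has slid by t=10.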

Case Study: eNom

Founded in 1997, eNom, Inc. is one of the largest ICANN accredited domain name registrars with over four million names. The company suffered from continual DoS attacks against their servers and customers. According to eNom, their systems suffered DDoS attacks 15 days a month for each month, January to August 2004. In reviewing their network traffic, the eNom servers received 6000 to 7000 attack SYNs/second. Peak attacks against the systems included approximately 40,000 attack SYNs/sec.

Connections Per Second Flood filters working in conjunction with Established Connection Flood filters and SYN Proxy filters can provide dynamic and powerful protection for your network traffic.


To protect their customers and network systems, the company sought an Intrusion Prevention System to detect and block attacks without interrupting legitimate traffic. Facing a difficult and costly problem, eNom sought out a group of vendors of IPS systems powered with Denial of Service protection. The following list includes the vendors they considered for their company's network protection and security:

- TippingPoint
- Radware
- Top Layer
- NAI
- Netscreen

eNom evaluated the TippingPoint 100E IPS system with Advanced Denial of Service (DoS) Protection. The enhanced DoS protection coupled with best-of-breed network protection, Digital Vaccine updates, and outstanding technical support provided the solution they needed to ensure continued service for their customers. The Advanced DoS Protection blocked a variety of DoS and Distributed Denial of Service (DDoS) attacks including SYN floods, connection floods, packet floods, and difficult-to-detect attacks originating from spoofed and non-spoofed sources.

IPS Must Haves

For the most comprehensive protection for networks, an IPS solution should have a core set of capabilities. The following table details these attributes according to Intrusion Protection System companies. Of these must-have categories, TippingPoint provides them all with award-winning products and service.

"In our evaluation of the leading DoS products, TippingPoint has performed the best and has already blocked several DoS attacks targeting our network." Jim Beaver, VP Operations, eNom

Attributes (one column per vendor; the vendor column headings are not preserved in this copy):

Filter Method: Traffic Anomaly | Limited | N | N | N | Y | Y
Bandwidth Management | N | Y | N | N | N | Y
Filter Method: Protocol | Limited | N | Y | Y | Y | Y
DDoS Connection Rate Limits | Y | N | N | N | N | Y
Switch-like latency | Y | Y | N | N | N | Y
Filter Method: Vulnerability | N | N | Limited | Y | Y | Y
VoIP Protection | N | N | N | N | N | Y
Filter Method: Signature | N | Y | Y | Y | Y | Y
DDoS SYN Flood Protection | Y | Y | Y | N | N | Y
Inline Attack Blocking | Limited | Limited | Y | Y1 | Y1 | Y
(row label not preserved) | 2 Gbps | 3 Gbps | 500M | 1 Gbps | 2 Gbps | 5 Gbps | 50 Mbps - 5 Gbps
(row label not preserved) | Y | Y | software | software | 8 Celerons | Y | Custom ASICs

1 Rarely deployed inline, usually as IDS


Conclusion

To obtain full protection from DoS attacks, organizations typically need to purchase multiple proxy servers, network security devices, intrusion prevention systems, as well as software packages, updates, and expanded licenses as an organization grows.

TippingPoint provides the answer in a single system. The TippingPoint IPS is an easy, affordable, and scalable solution, equipped with a broad range of protection mechanisms including application anomaly filters, protocol anomaly filters, exploit signature filters, statistical traffic anomaly filters, threshold rate-shaping filters, and advanced DoS/DDoS filters for detecting and blocking attacks.

Attacks continue to evolve and increase in sophistication. The flexibility of TippingPoint's platform offers state-of-the-art protection against current attacks and the power to protect against future ones.

Copyright 2005 3Com Corporation. 3Com, 3Com logo, TippingPoint Technologies, the TippingPoint logo and Digital Vaccine are registered trademarks and Exercise Choice is a trademark of 3Com Corporation. All other company and product names may be trademarks of their respective holders.