Embed Size (px)
Citation preview
Network Security: Denial of Service (DoS),
AnonymityTuomas Aura
2
OutlineDenial of Service1. DoS principles2. Packet-flooding attacks on the Internet3. Distributed denial of service (DDoS)4. Filtering defenses5. Most effective attack strategies6. Infrastructural defenses7. DoS-resistant protocol designAnonymity8. Anonymity and privacy9. High-latency anonymous routing10. Low-latency anonymous routing — Tor
DoS principles
3
4
Denial of service (DoS)Goal of denial-of-service (DoS) attacks is to prevent authorized users from accessing a resource, or to reduce the quality of service (QoS) that authorized users receiveSeveral kinds of DoS attacks:
Destroy the resourceDisable the resource with misconfiguration or by inducing an invalid stateExhaust the resource or reduce its capacity
6
Resource exhaustion attacksAttacker overloads a system to exhaust its capacity → never possible to prevent completelyExamples:
Flooding a web server with requestsFilling the mailbox with spam
It is difficult to tell the difference between attack and legitimate overload (e.g. Slashdotting, flash crowds)
For highly scalable services, may need to try
Some resource in the system under attack becomes a bottleneck i.e. runs out first → Attacks can exploit a limited bottleneck resource:
SYN flooding and fixed-size kernel tablesPublic-key cryptography on slow processors
Packet-flooding attacks on the Internet
7
8
Internet characteristics
Open network: anyone can join, no central controlEnd to end connectivity: anyone can send packets to anyoneNo global authentication or accountabilityFlat-rate chargingUnreliable best-effort routing; congestion causes packet lossQ: Could these be changed?
Internet1.2.3.4
5.6.7.8
1.2.3.0/24
5.6.7.0/24
Gateway router
Gateway router
src 1.2.3.4dst 5.6.7.8
data
9
Packet-flooding attackPing flooding: attacker sends a flood of ping packets (ICMP echo request) to the target
Unix command ping -f can be used to send the packets
Any IP packets can be used for flooding, not just pingPackets can be sent with a spoofed source IP addressQ: Where is the bottleneck resource that fails first?Typically, packet-flooding exhausts the ISP link bandwidth, in which case the router before the congested link will drop packets
Other potential bottlenecks: processing capacity of the gateway router , processing capacity of the IP stack at the target host
10
Traffic amplification
Example: Smurf attack in the late 90s used IP broadcast addresses for traffic amplificationAny protocol or service that can be used for DoS amplification is dangerous! → Non-amplification is a key design requirement
Internet1.2.3.4
5.6.7.8
Echo request
src 5.6.7.8dst 3.4.5.255
3.4.5.0/24
Echo response
src 3.4.5.10
dst 5.6.7.8Echo response
src 3.4.5.10
dst 5.6.7.8Echo response
src 3.4.5.10
dst 5.6.7.8Echo response
src 3.4.5.10
dst 5.6.7.8Echo response
src 3.4.5.10
dst 5.6.7.8
12
Traffic reflection
Reflection attack: get others to send packets to the targetHides attacker IP address:
Confuses IP tracebackSome forms get around topological filtering and amplify traffic
Example: Attacker pings various hosts, sets the source address of the ICMP Echo Request to the attack-target address
Internet1.2.3.4
5.6.7.8
Echo response
src 3.4.5.6
dst 5.6.7.8
Echo request
src 5.6.7.8dst 3.4.5.6
3.4.5.6
Honest client
ServerAttacker
Honest packet rate
HR
Attack packet rate
AR
Bottleneck link capacity
C
13
Attack impact
When HR+AR < C, some packets dropped by routerWith FIFO or RED queuing discipline at router, dropped packets are selected randomlyPacket loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwiseWhen HR<<AR, packet loss = (AR-C)/AR
14
Attack impactPacket loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwiseWhen HR<<AR, packet loss = (AR-C)/AR
→ Attacker needs to exceed C to cause packet loss→ Packet-loss for low-bandwidth honest connections only
depends on AR→ Any AR > C severely reduces TCP throughput for honest client→ Some honest packets always make it thought;
to cause 90% packet loss, need attack traffic A = 10 × C,to cause 99% packet loss, need attack traffic A = 100 × C
Distributed denial of service (DDoS)
15
Botnet and DDoSAttacker controls thousands of compromised computers and launches a coordinated packet-flooding attack
Cloud
Target
Bots
Attacker
Control network
17
BotnetsBots (also called zombies) are home or office computers infected with virus, Trojan, rootkit etc.
Controlled and coordinated by attacker, e.g. over IRC, P2PHackers initially attacked each other; now used by criminals
Examples:MyDoom worm, HTTP GET flooding against www.sco.comStorm botnet, commercially available DDoS service Conficker >10M hosts
Dangers:Overwhelming flooding capacity of botnets can exhaust any link; no need to find special weaknesses in the targetNo need to spoof IP address ; filtering by source IP is hard
Q: Are criminals interested in DDoS if they can make money from spam and phishing? What about politically motivated attacks or rogue governments?
Filtering defenses
18
19
Filtering DoS attacksFiltering near the target is the main defense mechanisms against DoS attacks
Protect yourself → immediate benefit
Configure firewall to drop anything not necessary:Drop protocols and ports no used in the local networkDrop “unnecessary” protocols such as ping or all ICMP, UDP etc. Stateful firewall can drop packets received at the wrong state e.g. TCP packets for non-existing connectionsApplication-level firewall could filter at application level; probably too slowFilter dynamically based on ICMP destination-unreachable messages
(Q: Are there side effects?)
20
Flooding detection and responseFilter probable attack trafficNetwork or host-based intrusion detection to separate attacks from normal traffic based on traffic characteristicsLimitations:
IP spoofing → source IP address not reliable for individual packetsAttacker can evade detection by varying attack patterns and mimicking legitimate traffic(Q: Which attributes are difficult to mimic?)
21
Preventing source spoofingHow to prevent spoofing of the source IP address?Ingress and egress filtering:
Gateway router checks that packets routed from a local network to the ISP have a local source addressGeneralization: reverse path forwardingDeployment slow: selfless defense without immediate payoff
IP traceback Mechanisms for tracing IP packets to their sourceLimited utility: take-down thought legal channels is slow; automatic blacklisting of attackers can be misused
SYN cookies (we’ll come back to this)
Most effective attack strategies
22
23
SYN floodingAttackers goal: make filtering ineffective → honest and attack packets dropped with equal probabilityTarget destination ports that are open to the Internet, e.g. HTTP (port 80), SMTP (port 25) Send initial packets → looks like a new honest clientSYN flooding:
TCP SYN is the first packet of TCP handshakeSent by web/email/ftp/etc. clients to start communication with a serverFlooding target or firewall cannot know which SYN packets are legitimate and which attack traffic → has to treat all SYN packets equally
24
DNS floodingDNS query is sent to UDP port 53 on a DNS serverAttack amplification using DNS:
Most firewalls allow DNS responses throughAmplification: craft a DNS record for which 60-byte query can produce 4000-byte responses (fragmented)Botnet queries the record via open recursive DNS servers that cache the response → traffic amplification happens at the recursive serverQueries are sent with a spoofed source IP address, the target address → DNS response goes to the target
Infrastructural defenses
25
26
Over-provisioningIncrease bottleneck resource capacity to cope with attacksRecall:Packet loss = (HR+AR-C)/(HR+AR) if HR+AR > C; 0 otherwiseWhen HR<<AR, packet loss = (AR-C)/AR
→ Does doubling link capacity C help? Depends on AR:If attacker sends 100×C to achieve 99% packet loss, doubling C will result in 98% packet lossIf attacker sends 10×C to achieve 90% packet loss, doubling C will result in 80% packet lossIf attacker sends 2×C to achieve 50% packet loss, doubling C will result in zero (or minimal) packet loss
27
QoS routingQoS routing mechanisms can guarantee service quality to some important clients and servicesResource reservation, e.g. Intserv, RSVP Traffic classes, e.g. Diffserv, 802.1Q
Protect important clients and connections by giving them a higher traffic class Protect intranet traffic by giving packets from Internet a lower class
Prioritizing existing connectionsAfter TCP handshake or after authentication
Potential problems:How to take into account new honest clients? Cannot trust traffic class of packets from untrusted sourcesPolitical opposition to Diffserv (net neutrality lobby)
Some research proposalsIP traceback to prevent IP spoofingPushback for scalable filteringCapabilities, e.g. SIFF, for prioritizing authorized connections at routersNew Internet routing architectures:
Overlay routing (e.g. Pastry, i3), publish-subscribe modelsClaimed DoS resistance remains to be fully proven
DoS-resistant protocol design
29
31
Stateless handshake (IKEv2)
HDR(A,0), SAi1, KEi, Ni
HDR(A,0), N(COOKIE), SAi1, KEi, NiHDR(A,0), N(COOKIE)
HDR(A,B), SAr1, KEr, Nr, [CERTREQ]
Initiator i
Responder r
HDR(A,B), SK{ IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr }
...HDR(A,B), ESK (IDr, [CERT,] AUTH, SAr2, TSi, TSr)
Store state
Kr
Responder stores per-client state only after it has received valid cookie:COOKIE = hash(Kr , initiator and responder IP addresses)
where Kr is a periodically changing key known only by responder→ initiator cannot spoof its IP addressNo state-management problems caused by spoofed initial messages
32
TCP SYN Cookies
Random initial sequence numbers in TCP protect against IP spoofing: client must receive msg 2 to send a valid msg 3SYN cookie: stateless implementation of the handshake;
y = hash(Kserver, client addr, port, server addr, port)
where Kserver is a key known only to the server.
Server does not store any state before receiving and verifying the cookie value in msg 2Sending the cookie as the initial sequence number; in new protocols, a separate field would be used for the cookie
SYN, seq=x, 0
ACK, seq=x+1, ack=y+1
SYN|ACK, seq=y, ack=x+1
...
data
Client Server
Store state
33
Client puzzle (HIP)
Client “pays” for server resources by solving a puzzle firstPuzzle is brute-force reversal of a K-bit cryptographic hash; puzzle difficulty K can be adjusted according to server loadServer does not do public-key operations before verifying solutionServer can also be stateless; puzzle created like cookies above
I1: HIT-I, HIT-R
R1: HIT-I, HIT-R, Puzzle(I,K), (gx, PKR, Transforms)SIG
I2: (HIT-I, HIT-R, Solution(I,K,J ), SPI-I, gy, Transforms, {PKI}) SIG
R2: (HIT-I, HIT-R, SPI-R, HMAC) SIG
Initiator I
Responder R
...Store state, public-key crypto
Verify solution O(1)
Solve puzzleO(2K)
Weaknesses in new protocols
36
Routing loop
Against mobility protocols with a forwarding agent: Mobile IP, MIPv6, NEMO etc.
I’ve moved!Home address H1New address H2
H1
Another home address
H2I’ve moved!Home address H2New address H1
C
Home address
Mobilecomputer =attacker
38
Further readingDavid Moore, Geoffrey M. Voelker, and Stefan, Savage, Inferring Internet Denial-of-Service Activity, ACM TACS, 24(2), May 2006.
http://www.cs.ucsd.edu/~savage/papers/Tocs06.pdf
Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, Network Support for IP TracebackSIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks
http://www.ece.cmu.edu/~adrian/projects/siff.pdf
Mahajan et al., Aggregate-Based Congestion Control http://www.icir.org/pushback/pushback-tohotnets.pdf
Anonymity and privacy
39
40
Anonymity terminologyIdentity, identifierAnonymity — they don’t know who you areUnlinkability — they cannot link two events or actions (e.g. messages) with each otherPseudonymity — intentionally allow linking of some events to each other
E.g. sessions, payment and service access
Authentication — strong verification of identityWeak identifier — not usable for strong authentication but may compromise privacy
E.g. nickname, IP address, SSID, service usage profile
Authorization — verification of access rightsDoes not always imply authentication (remember SPKI)
41
Anonymity in communicationsAnonymity towards communication peers
Sender anonymity — receiver does not know who and where sent the messageReceiver anonymity — can send a message to a recipient without knowing who and where they are
Third-party anonymity — an outside observer cannot know who is talking to whom
Unobservability — an outside observer cannot tell whether communication takes place or notStrength depends on the capabilities of the adversary
Anonymity towards access networkAccess network does not know who is roaming there
Relate concept: location privacy
45
Who is the adversary?Discussion: who could violate your privacy and anonymity?Global attacker, your government
e.g. total information awareness, retention of traffic data
Servers across the Internet, colluding commercial interests
e.g. web cookies, trackers, advertisers
Criminalse.g. identity theft
EmployerPeople close to you
e.g. stalkers, co-workers, neighbors, family members
46
Strong anonymity?Anonymity and privacy of communications mechanisms are not strong in the same sense as strong encryption or authenticationEven the strongest mechanisms have serious weaknesses
Need to trust many others to be honestServices operated by volunteers and activistsSide-channel attacks
Anonymity tends to degrade over time for persistent communication
High-latency anonymous routing
48
Mix (1)
MixEMix(F,M1)
EMix(H,M2)
EMix(G,M3)
EMix(E,M4)
M1
M2
M3
M4
D
C
B
A E
F
G
H
Mix is an anonymity service [Chaum 1981]Attacker sees both sent and received messages but cannot link them to each other → sender anonymity, third-party anonymity against a global observerThe mix receives encrypted messages (e.g. email), decrypts them, and forwards to recipients
49
Mix (2)
Attacker can see the input and output of the mixAttacker cannot see how messages are shuffled in the mixAnonymity set = all nodes that could have sent (or could be recipients of) a particular message
MixEMix(F,M1)
EMix(H,M2)
EMix(G,M3)
EMix(E,M4)
M1
M2
M3
M4
D
C
B
A E
F
G
H
50
Mix (3)MixEMix(F,M1)
EMix(H,M2)
EMix(G,M3)
EMix(E,M4)
M1
M2
M3
M4
D
C
B
A E
F
G
H
Two security requirements:Bitwise unlinkability of input and output messages — cryptographic property, must resist active attacksResistance to traffic analysis — add delay or inject dummy messages
Not just basic encryption! Resist adaptive chosen-ciphertext attacks (IND-CCA2 i.e. NM-CCA2)Replay prevention and integrity check needed at the mix
Examples of bad mix designs: Missing random initialization vector, padding or freshnessMalleable encryption, e.g. stream cipher, or no integrity checkFIFO order of delivering messages
51
Mixing in practiceThreshold mix — wait to receive k messages before delivering
Anonymity set size k
Pool mix — mix always buffers k messages, sends one when it receives oneBoth strategies add delay → high latencyNot all senders and receivers are always active
In a closed system, injecting cover traffic can fix this; in the Internet, not
Real communication (email, TCP packets) does not comprise single, independent messages but common traffic patterns such as connections
Attacker can observe beginning and end of connectionsAttacker can observe requests and response pairs
→ statistical attacks
52
Who sends to whom?
DCBA E
FGH
DCBA E
FGH
DCBA E
FGH
DCBA E
FGH
DCBA E
FGH
DCBA E
FGH
DCBA E
FGH
Round 1 Round 2 Round 3
Round 4 Round 5 Round 6
Round 7
DCBA E
FGH D
CBA E
FGH
Round 8 Round 9
Threshold mix with threshold 3
53
Anonymity metricsSize of the anonymity set: k-anonymity
Suitable for one round of threshold mixing
Problems with k-anonymity:Multiple rounds → statistical analysis based on understanding common patterns of communications can reveal who talks to whom, even if k for each individual message is highPool mix → k = ∞
Entropy: E = Σi=1…n (pi ∙ log2pi)
Measures the amount of missing in information in bits: how much does the attacker not knowCan measure entropy of the sender, recipient etc.
Problems with measuring anonymity:Anonymity of individual messages vs. anonymity in a systemDepends on the attacker’s capabilities and background informationAnonymity usually degrades over time as attacker collects more statistics
54
Trusting the mixThe mix must be honest Example: anonymous remailers for email
anon.penet.fi 1993–96
→ Route packets through multiple mixes to avoid single point of failure Attacker must compromise all mixes on the route
Compromising almost all may reduce the size of the anonymity set
55
Mix network (1)
56
Mix network (2)
Mix network is just a distributed implementation of mix
57
Mix networksMix cascade — all messages from all senders are routed through the same sequence of mixes
Good anonymity, poor load balancing, poor reliability
Free routing — each message is routed independently via multiple mixesOther policies between these two extremes
But remember that the choice of mixes could be a weak identifier
Onion encryption: Alice → M1: EM1(M2,EM2(M3,EM3(Bob,M)))
M1 → M2: EM2(M3,EM3(Bob,M))
M2 → M3: EM3(Bob,M)
M3 → Bob: MEncryption at every layer must provide bitwise unlinkability → detect replays and check integrity→ for free routing, must keep message length constant
Re-encryption mix — special crypto that keeps the message length constant with multiple layers of encryption
58
Sybil attackAttack against open systems which anyone can join
Mixes tend to be run by volunteers
Attacker creates a large number of seemingly independent nodes, e.g. 50% off all nodes → some routes will go through only attacker’s nodesDefence: increase the cost of joining the network:
Human verification that each mix is operated by a different person or organizationThe IP address of each mix must be in a new domainRequire good reputation of some kind that takes time and effort to establishSelect mixes in a route to be at diverse locations
Sybil attacks are a danger to most P2P systems, not just anonymous routing
E.g. reputation systems, content distribution
59
Other attacks(n-1) attack
Attacker blocks all but one honest sender, floods all mixes with its own messages, and finally allows one honest sender to get though → easy to trace because all other packets are the attacker’sPotential solutions: access control and rate limiting for senders, dummy traffic injection, attack detection
Statistical attacksAttacker may accumulate statistics about the communication over time and reconstruct the sender-receiver pairs based on its knowledge of common traffic patterns
60
Receiver anonymityAlice distributes a reply onion: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K))))
Messages from Bob to Alice: Bob → M3: EM3(M2,k3,EM2(M1,k2,EM1(Alice,k1,EAlice(K)))), MM3 → M2: EM2(M1,k2,EM1(Alice,k1,EAlice(K))), Ek3(M)
M2 → M1: EM1(Alice,k1,EAlice(K)), Ek2(Ek3(M))
M1 → Alice: EAlice(K), Ek1(Ek2(Ek3(M)))
Alice can be memoryless:ki = h(K, i)
Low-latency anonymous routing
61
62
Tor“2nd generation onion router”Mix networks are ok for email but too slow for interactive use like web browsingNew compromise between efficiency and anonymity:
No mixing at the onion routersAll packets in a session, in both directions, go through the same routers Short route, always three onion routersTunnels based on symmetric cryptographyNo cover trafficProtects against local observers at any part of the path, but vulnerable to a global attacker
More realistic attacker model: can control some nodes, can sniff some links, not everythingSOCKS interface at clients → works for any TCP connection
63
Tunnels in TorAlice OR1 OR2 OR3 Bob
Authenticated DHAlice – OR1
Authenticated DH, Alice – OR2
K1
Encrypted with K1
K2
Authenticated DH, Alice – OR3
Encrypted with K1, K2
Encrypted with K1, K2, K3
K3
[Danezis]
Last link unencrypted
Alice not authenticated,
only the ORs
K1
TCP connection Alice –Bob
K1,K2
K1,K2,K3
64
Tunnels in TorAlice OR1 OR2 OR3 Bob
Authenticated DHAlice – OR1
Authenticated DH, Alice – OR2
K1
Encrypted with K1
K2
Authenticated DH, Alice – OR3
Encrypted with K1, K2
Encrypted with K1, K2, K3
K3
[Danezis]
Last link unencrypted
Alice not authenticated,
only the ORs
K1
TCP connection Alice –Bob
K1,K2
K1,K2,K3 Additionally, linkwise TLS connections:
Alice–OR1–OR2–OR3
65
Tor limitations (1)Identifying packet streams is very easy
Passive fingerprinting by packet size, timingActive traffic shaping (stream watermarking)
→ Anonymity compromised if attacker can see or control the first and last link
Includes attackers who own the first and last OR→ longer routes do not helpIf c is the fraction of compromised ORs, probability of compromise is c2
Why three routers?Out of habit?Attacker in control of 1st or last router cannot immediately go and compromise the other when there is a middle router
66
Tor limitations (2)Client must know the addresses and public keys of all onion routers
If client only knows a small subset of routers, it will always choose all three routers from this subset → implicit identifierE.g. client knows 10 out of 1000 routers = 1% → Attacker in control of the last router can narrow down the client identity to (0.01)2 = 0.01% of all clients→ Attacker in control of two last routers can narrow the client identity down to (0.01)3 = 0.0001% of all clients
Blacklisting of entry or exit nodes
67
Applications of anonymous routingCensorship resistance, freedom or speechProtection against discrimination, e.g. geographic access control or price differentiationBusiness intelligence, police investigation, political and military intelligence Whistle blowing, crime reportingElectronic votingCrime, forbidden and immoral activities?
