DoS Attack and Mitigation
by Gopi Krishnan S
Society for Electronic Transactions & Security
Denial of Service Attack
● The aim is to make the victim server deny service to its intended clients. This is often done by keeping the server busy handling meaningless requests.
● It is achieved by exhausting either the bandwidth of the communication channel or the computational resources available on the server.
Analogy
You visit a hotel for dinner. The hotel has only one server person. When you ask for the menu card to order food, the other guests keep interrupting the server person and chatting with them unnecessarily.
Result: you are the one who intends to get service, but you do not get it, because the server is busy responding to the others.
(D)DoS Attack perspective
● From Server
– Flood Attack
– S(L)ow Attack
– Vulnerability Exploitation Attack
– Non-Vulnerability/Misuse Attack
● From Client
– Reflected DDoS Attack
– Spoofed DDoS Attack
– Exploit based (D)DoS Attack
Flooding Attack
● A flooding attack is a kind of resource-exhaustion attack.
● An attacker floods the victim with more packets than it can handle.
● Flooding attacks can be carried out at various layers of the OSI model to take down different devices.
● Example:
– MAC Flooding, TCP SYN Flood, UDP Flood, SSL Handshake Flood, HTTP Flood
MAC Flood
● The target is an Ethernet switch.
● A hub broadcasts every packet to all ports, which results in data leakage.
● To avoid the potential risk of data leakage, an Ethernet switch is used instead of a hub.
● A MAC flood overflows the forwarding table (CAM) of the Ethernet switch and makes it behave like a hub, which again results in data leakage.
from scapy.all import *   # Scapy packet-crafting library used by all the Pk* snippets
PkM = (Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/ARP(op=2, psrc="0.0.0.0", hwdst="ff:ff:ff:ff:ff:ff"))
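The defensive side of the slide above, as an added example that is not part of the original deck: a toy switch forwarding table that learns source MACs per port, first without any limit and then with a port-security style cap on how many MACs one port may learn. Running a random-source flood through it (the same traffic pattern as the PkM snippet) shows the legitimate unicast frames being flooded to the attacker's port once the table is full, and shows the cap keeping the legitimate entries intact. Table size, port numbers, MAC addresses and the limit are all constructed for the demonstration.

```python
"""Added example (not from the slides): a toy Ethernet switch forwarding table with an
optional per-port learned-MAC limit, showing why a MAC flood turns an unprotected switch
into a hub and how a port-security style cap stops that."""
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, table_size, max_macs_per_port=None):
        self.table_size = table_size            # total CAM capacity (entries)
        self.max_per_port = max_macs_per_port   # None = no port security
        self.cam = OrderedDict()                # mac -> port, oldest entry first
        self.violations = {}                    # port -> number of rejected learns

    def learn(self, src_mac, in_port):
        """Learn src_mac on in_port. Returns False if port security rejected it."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)       # refresh: most recently seen
            return True
        if self.max_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == in_port)
            if learned_here >= self.max_per_port:
                self.violations[in_port] = self.violations.get(in_port, 0) + 1
                return False
        if len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)        # table full: evict the oldest entry
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port, ports):
        """Return the egress ports for a frame. A known unicast destination goes to one
        port; anything unknown (or broadcast) is flooded to every port except ingress."""
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in ports if p != in_port]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def simulate(flood_frames, max_macs_per_port=None, seed=1):
    """Two legitimate hosts on ports 1 and 2, an attacker on port 3. Returns the egress
    ports of a post-flood alice->bob frame and the violation count on the attacker's port."""
    rng = random.Random(seed)
    sw = Switch(table_size=64, max_macs_per_port=max_macs_per_port)
    ports = [1, 2, 3]
    alice, bob = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
    sw.forward(alice, bob, 1, ports)            # both hosts get learned normally
    sw.forward(bob, alice, 2, ports)
    for _ in range(flood_frames):               # attacker: random source MAC per frame
        sw.forward(random_mac(rng), BROADCAST, 3, ports)
    egress = sw.forward(alice, bob, 1, ports)   # [2] = still switched, [2, 3] = leaked
    return egress, sw.violations.get(3, 0)


if __name__ == "__main__":
    print("no port security :", simulate(1000))
    print("max 4 MACs/port  :", simulate(1000, max_macs_per_port=4))
```

Without the cap, 1000 random-source frames push both legitimate entries out of the 64-entry table and the alice-to-bob frame is flooded to port 3 as well; with the cap, the attacker's port stops learning after four addresses and the frame still goes only to port 2. Real switches also offer shutdown or rate-limit actions on violation, and a logged violation count per port is the signal a defender would alert on.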
TCP SYN Flood
● The target is any server that uses TCP at the transport layer.
● Example: HTTP, FTP, SMTP, IRC, etc.
● In TCP Handshake, SYN is the first packet in 3-Way handshake.
● Flooding the victim with TCP SYN packets leaves too many half-open connections.
● The attack can be mitigated using TCP SYN cookies.
from scapy.all import *
PkT = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/IP(ttl=32,dst='10.1.1.2')/TCP(sport=RandShort(),dport=80,flags='S')
UDP Flood
● The target is any server that uses UDP at the transport layer.
● Example: DNS, TFTP, Syslog, NTP, etc.
● UDP is connectionless: it does not maintain any state.
● Flooding the victim with UDP overwhelms the application service running on top of the OS.
from scapy.all import *
PkU = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/IP(ttl=32,dst='10.1.1.2')/UDP(sport=RandShort(),dport=53)
SSL Flood
● The target is any server that uses SSL/TLS to secure the connection.
● Example: HTTPS, SSH, VPN, etc.
● Popularly launched by PushDo botnet.
● During the client key exchange of the SSL handshake, the client sends bogus data instead of a valid key.
● To send a valid pre-master secret, the client must compute X^Y mod N, no matter whether the protocol is RSA, DHE or ECDHE.
● Can be mitigated by outsourcing the computation or by a TLS puzzle.
HTTP Flood
● The target is a web server.
● Example: Apache, NGINX, IIS
● Popularly launched using LOIC, HOIC, HTTPerf
from scapy.all import *
PkH = (Ether(src="0a:00:27:00:00:00",dst="08:00:27:67:f9:1a")/
       IP(ttl=32,src='10.1.1.1',dst='10.1.1.2')/TCP(seq=1111,ack=2222,
       sport=12098,dport=80)/"GET / HTTP/1.0 \r\n\r\n")
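How a defender sees an HTTP flood, as an added example that is not part of the original deck: a sliding-window per-source request counter run over constructed web-server access-log lines in Common Log Format. One client browses at a normal rate while another (given the same 10.1.1.1 source address as the PkH snippet) sends 60 requests in three seconds; only the second exceeds the threshold. The log lines, addresses, window length and threshold are all made up for the demonstration.

```python
"""Added example (not from the slides): flag source IPs whose request rate in any
sliding window exceeds a threshold, a basic HTTP-flood detection over access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flag_floods(lines, window_s=10, max_requests=30):
    """Return {ip: peak requests seen within any window_s-second window} for every IP whose
    peak exceeds max_requests. Lines are assumed to be in time order, as a live log is."""
    recent = defaultdict(deque)     # ip -> timestamps still inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash on them
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()             # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def build_sample_log():
    """Constructed log: a normal client at 1 request/s for 10 s and a flooder sending
    60 requests in 3 s (20 per second), interleaved by timestamp."""
    t0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    events = []
    for i in range(10):                                   # legitimate browsing
        events.append((t0 + timedelta(seconds=i), "192.0.2.7", "GET /menu HTTP/1.1", 200))
    for i in range(60):                                   # flood: 20 requests per second
        events.append((t0 + timedelta(seconds=i // 20), "10.1.1.1", "GET / HTTP/1.0", 200))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status}'
            for ts, ip, req, status in events]


if __name__ == "__main__":
    for ip, n in flag_floods(build_sample_log()).items():
        print(f"{ip}: {n} requests inside a 10 s window")
```

The same counter is what a reverse proxy's rate limiter applies in real time; the detection version over logs is useful for tuning the threshold so that a busy but legitimate client does not get blocked. A flood from a botnet spreads the requests over many sources, so per-source counting needs to be paired with an aggregate request-rate and a per-URL view.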
Non-Vulnerability/Misuse Attack
● Misusing a feature of the system to mount a DoS attack against it.
● Example
– HTTP Post flood
– SSL Renegotiation
– TCP SYN Flood → already covered under flooding attacks
HTTP POST Flood
● The target is a web server; this is a type of HTTP flood attack.
● It affects any server that performs back-end operations with the POST data.
● Web applications often process POST data against a database.
– Example: Login, Registration, Ticket Booking, etc.
● The web server and the database server then execute an expensive operation for every request.
● It can be prevented by using a hash-based interactive puzzle integrated with the form submission.
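The puzzle mitigation the deck mentions for both the SSL handshake flood (the "TLS puzzle" bullet above) and the HTTP POST flood, as one added example that is not SETS's implementation or any code from the original deck: a stateless hash-based client puzzle. The server issues a challenge bound to a context string (the form being submitted, or the handshake parameters in the TLS case) and an expiry, authenticated with an HMAC so it keeps no per-client state; the client must find a solution whose hash has a required number of leading zero bits; the server verifies with one HMAC and one hash. Key, context strings, the 8-byte solution format and the difficulty are assumptions for the demonstration.

```python
"""Added example (not from the slides): a stateless hash-based client puzzle. The cost
asymmetry is the point: solving takes about 2**difficulty hash evaluations on the
client, verifying takes one HMAC and one hash on the server."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 8, 16
BODY_LEN = NONCE_LEN + 4 + 1            # nonce | expiry (uint32) | difficulty (uint8)
CHALLENGE_LEN = BODY_LEN + TAG_LEN


def issue_puzzle(server_key, context, difficulty_bits, now, ttl=60):
    """Build a challenge for a client. The HMAC over context+body lets the server
    recognise its own challenge later without storing anything."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + struct.pack("!IB", int(now) + ttl, difficulty_bits)
    tag = hmac.new(server_key, context + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(challenge, max_iters=1 << 24):
    """Client side: brute-force an 8-byte counter until sha256(challenge||x) has at
    least `difficulty` leading zero bits. Returns the solution bytes or None."""
    difficulty = challenge[BODY_LEN - 1]
    for x in range(max_iters):
        solution = struct.pack("!Q", x)
        if _leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty:
            return solution
    return None


def verify_solution(server_key, context, challenge, solution, now):
    """Server side: constant-cost check. Rejects foreign or tampered challenges,
    expired ones, challenges for another context, and wrong solutions."""
    if len(challenge) != CHALLENGE_LEN or len(solution) != 8:
        return False
    body, tag = challenge[:BODY_LEN], challenge[BODY_LEN:]
    expected = hmac.new(server_key, context + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False
    expiry, difficulty = struct.unpack("!IB", body[NONCE_LEN:])
    if now > expiry:
        return False
    return _leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty


if __name__ == "__main__":
    import time
    key, ctx = b"server-key", b"POST /login form-v1"      # constructed values
    challenge = issue_puzzle(key, ctx, difficulty_bits=16, now=time.time())
    t = time.time()
    answer = solve_puzzle(challenge)
    print(f"solved in {time.time() - t:.2f}s, accepted:",
          verify_solution(key, ctx, challenge, answer, now=time.time()))
```

In the HTML-form integration the server places the hex-encoded challenge in a hidden field, client-side script fills in the solution before submitting, and the POST handler calls verify_solution before touching the database; a request without a valid solution is dropped at the cheap stage. The difficulty can be raised only while the server is under load, which is what makes the puzzle interactive rather than a fixed tax on every user.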
SSL Renegotiation Attack
● The target is any SSL application with renegotiation support.
● Often launched using THC-SSL-DOS.
● Immediately after a new SSL session is established, the parameters of the session are renegotiated again and again to exhaust the server's resources.
● Apache was vulnerable to this attack, but it can be prevented using a configuration keyword in apache.conf:
– SSLRenegotiation off
State-of-the-art DDoS mitigation software/systems developed at SETS
● HTTP POST flood mitigation using an interactive client puzzle integrated with the HTML form
● Protection for entire cloud-based or individual web hosting using a platform- and client-independent Puzzle R-Proxy service
● Alleviating SSL attacks using a crypto-chip platform
● And progressing to mitigate other attacks too.