Protecting yourself against denial of service

Since 2000, denial-of-service (DoS) attacks have emerged as the latest threat to globally linked networks. In just the few months since their first appearance, DoS attacks have already taken some of the most popular e-commerce sites off-line for several hours, causing enormous losses and repair costs.

By Jon Tullett. Published January 24, 2001

Introduction

DoS attacks are typically aimed at servers connected to the Internet with the intent of degrading or disabling the systems to the extent that the services become unavailable to legitimate users.

Instead of attempting to hack into the target systems to access confidential data, DoS attacks focus on overwhelming the systems with bogus and/or defective traffic that undermines their ability to function normally.

DoS attacks come in a variety of forms and aim at a variety of services. There are three basic types of attacks:

- Consumption of scarce, limited or non-renewable resources
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components

Some DoS attacks can be executed with limited resources against a large, sophisticated web site or network. This type of attack is sometimes called an asymmetric attack. For example, an attacker with an old PC and a slow modem may be able to disable faster and more sophisticated machines or networks. Many DoS attacks have also been referred to as distributed because they make use of a wide array of individual computers that have been subversively co-opted to fire DoS traffic from many different directions at the target system or network.

Typical examples of recent trends in DoS attacks have included:

- Attempts to "flood" a network, thereby preventing legitimate network traffic
- Attempts to disrupt connections between two machines, thereby preventing access to a service
- Attempts to prevent a particular individual from accessing a service
- Attempts to disrupt service to a specific system or person

Types of attack

SYN-ACK attacks or TCP-SYN flooding

A SYN-ACK attack exploits the three-way handshake that TCP/IP uses to establish a communications link. By only initiating the handshakes and not responding to the server's acknowledgements, SYN-ACK attacks force the server to store huge numbers of acknowledgement packets in its backlog queue, with the objective of overflowing the queue and disabling the server's ability to issue any more acknowledgements. One variation of SYN-ACK attacks actually spoofs the IP address of the victim's system so that the system is taken out of service by talking to itself.

Teardrop attacks

Teardrop attacks exploit IP mechanisms involved in the reassembly of packets that have been disassembled for efficient transmission. In normal practice, each packet fragment looks like the original IP packet with the exception of an offset field that specifies which bytes of the original packet are included (i.e. bytes 400 through 600), thereby enabling the receiving system to reassemble all of the data in the proper sequence. By purposely creating packet fragments with overlapping offset fields, these types of attacks make it impossible for the victim's system to correctly reassemble the packet fragments, which can sometimes cause the destination system to hang, crash or reboot.

Smurf attacks

Smurf attacks take advantage of direct broadcast addressing mechanisms by spoofing the target system's IP address and broadcasting Internet Control Message Protocol (ICMP) ping requests across multiple subnets. This attack clogs the victim's network with bogus ICMP echo requests and responses, thereby making it unavailable to legitimate traffic. All intermediary systems that are co-opted or drawn into the echo-response cycle become victims of this attack, both suffering from and contributing to overall network congestion.

Oversized packet attacks

Sometimes referred to as "ping of death" attacks, oversized packet attacks exploit a known bug in some TCP/IP implementations by using the ping utility to send packets that exceed the maximum 65,536 bytes of data allowed by the IP specification. When it first emerged, this type of attack caused crashes, hangs or reboots in victims' systems. However, most operating system vendors have now addressed this issue with software updates that enable smooth disposition of oversized packets.
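The teardrop and oversized-packet descriptions above both come down to checks a receiver or monitor can make on IPv4 fragment headers before reassembly. The following is an added example, not code from the original article: it parses the offset and length fields and flags overlapping or oversized fragment sets. The sample headers, addresses and function names are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

MAX_IP_DATAGRAM = 65535   # largest size the 16-bit IPv4 total-length field can express

def parse_fragment(header: bytes):
    """Return (flow key, IHL bytes, payload start, payload end) from a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8        # offset field counts 8-byte units
    end = start + (total_len - ihl)          # exclusive end of this fragment's data
    key = (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, ident)
    return key, ihl, start, end

def audit_fragments(headers):
    """Map each flow key to a list of findings; clean fragment sets are omitted."""
    seen = defaultdict(list)
    findings = defaultdict(list)
    for raw in headers:
        key, ihl, start, end = parse_fragment(raw)
        if ihl + end > MAX_IP_DATAGRAM:
            findings[key].append(f"oversized: reassembles to {ihl + end} bytes")
        for s, e in seen[key]:
            if start < e and s < end:        # half-open ranges intersect
                findings[key].append(f"overlap: {start}-{end} collides with {s}-{e}")
        seen[key].append((start, end))
    return dict(findings)

def make_header(ident, offset, payload_len, more,
                src="192.0.2.10", dst="198.51.100.5"):
    """Constructed sample header (documentation addresses, checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed input: one clean datagram (bytes 0-400 then 400-600),
# one set whose second fragment overlaps the first, one oversized tail.
SAMPLE_HEADERS = [
    make_header(1, 0, 400, True), make_header(1, 400, 200, False),
    make_header(2, 0, 400, True), make_header(2, 200, 200, False),
    make_header(3, 65528, 400, False),
]

if __name__ == "__main__":
    for flow, notes in audit_fragments(SAMPLE_HEADERS).items():
        print(flow, notes)
```
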

UDP Flood Attacks

This DoS attack takes advantage of User Datagram Protocol (UDP) mechanisms by creating bogus UDP connections between unsuspecting systems. When a connection is established between two UDP services, each of which produces output, the combined effects can produce a very high number of packets and result in denial of services to legitimate users. In UDP flood attacks, the intruders use forged UDP packets to connect the echo service on one machine to the chargen service on the other machine, causing the two machines to consume all available bandwidth on the connection between them.

Distributed Denial of Service

One of the latest threats to networks is the rise of distributed denial of service (DDoS) attacks. These use numerous servers on the network (usually the Internet) to launch a concerted attack on a target.

While some use the standard DoS techniques described here, others use simple HTTP connections (or other services), relying on their sheer numbers to overwhelm the target. As attacks on high-profile international sites have shown, the attacks are frighteningly effective. The source machines are usually innocent victims whose networks have been compromised by Trojans, or otherwise penetrated by the co-ordinator of the attack. Publicly available DDoS tools such as Trinoo and TFN (Tribe Flood Network) make co-ordinating and launching such an attack extremely easy.

Even with DoS protection in place on your network, the volume of traffic alone may be enough to cripple your access.

Preventing DDoS attacks is not easy; filtering what are effectively legitimate access requests is simply doing the attacker's job for him. Your upstream ISP may be able to block entire IP ranges to prevent attacks from specific subnets (in a case where many attacking clients are from the same network). Alternatively, you may be able to rehost the service on a different machine; changing the IP address of your host can often sidestep the attack. Assuming your DNS and routing are kept carefully synchronised, a minimum of interruption can be achieved.

Prevention is better than cure

Prevention is the best cure, though. To avoid DDoS attacks, make sure your network is not participating in them. Perform virus scans for DDoS agents regularly, check for machines listening on the port numbers used by DDoS agents, and make sure that your firewall blocks packets with spoofed source addresses from originating inside your network. If you can be fairly sure you are not participating in DDoS attacks by keeping your own network clean, and everyone else does the same, the number of DDoS incidents will drop substantially.

Unfortunately, not many network admins bother to configure outgoing filters on their firewalls, or even run anti-virus applications. However, every administrator who tightens up his own environment and is no longer guilty of allowing DDoS attacks to originate from within his network is one step closer to a safer Internet.

Impacts of DoS attacks

Using relatively simple assault methods, DoS attacks can completely disable target systems or even disrupt entire networks by not allowing them to function properly. A DoS attack can bring entire organizations to a complete standstill, thereby costing millions of dollars in lost revenue and/or productivity.

For example, some recent high-profile DoS attacks have targeted major Internet portals or e-commerce sites by disabling web site access for extended periods of time and resulting in loss of revenue and credibility. In other cases, DoS attacks have been aimed at disrupting and disabling major Internet service providers (ISPs), causing widespread havoc among all users across large geographic areas.

Effective protection against DoS attacks involves taking countermeasures at all levels across the internetworking infrastructure, including taking specific actions at the LAN level and addressing broader issues at the network transport level.

At the LAN level, system administrators can take a number of preventive measures to guard against the disabling effects of DoS attacks. These preventive measures range from maintaining solid overall administrative and security procedures to implementing specific safeguards targeted at countering each of the various types of DoS attacks.

For example, while it is virtually impossible to completely eliminate spoofing of IP packets, system administrators can effectively reduce the risk of internally fuelled spoofed IP attacks by instituting filtering actions that restrict incoming packets if they have source addresses from within the internal network. In addition, administrators can reduce the risk of being used as an intermediary in spoofed IP DoS attacks by installing filters to restrict the outbound flow of IP packets with source addresses that don't originate within the internal network.

Other methods associated with specific types of DoS attacks may include turning off or restricting specific services that might otherwise be compromised or subverted. For instance, UDP services could be restricted for use only within the internal network, thus keeping UDP available for network diagnostic purposes only. This prevents its unauthorized use for UDP flooding attacks.

Unfortunately, such restrictive measures must also be weighed against the impact they may have on legitimate applications, such as RealAudio, which uses UDP as the transport mechanism. If attackers are able to intimidate victims into not using beneficial IP services or legitimate applications, to some extent, they have accomplished their objectives.

While actions taken by LAN administrators are key to laying the groundwork for preventing and combating DoS attacks, they must also be supplemented by comprehensive countermeasures instituted at the network transport level. These network transport issues fall into two categories:

- Actively policing internetwork level data flows to identify DoS attacks and protect users and subnets against their impacts
- Protecting the internetworking infrastructure's switching and routing equipment to ensure resiliency against DoS attacks

Effectively protecting network data flow involves a variety of complementary strategies, including using multilayer switching for layer-independent access control, leveraging customisable filtering and "trusted neighbour" criteria, and controlling network login access by unauthorized users.

The emergence of wire-speed multilayer switching systems with intelligent software-configurable, layer-independent QoS and access control capabilities is significantly improving the ability of network transport infrastructures to protect data flow integrity.

Protecting data flow

With conventional router-based network infrastructures, authentication mechanisms such as filtering out spoofed packets with internal addresses would require traffic to hit the router boundary and be matched against criteria in specific access control lists. Maintaining access control lists makes this procedure very time consuming, while imposing significant overhead on overall router performance.

In contrast, the use of wire-speed multilayer switching allows the flexible implementation of a variety of policy-based access control criteria, using many of the same mechanisms that have become vital for effectively implementing QoS criteria throughout complex network infrastructures.

Even while carrying out wire-speed switching functions at Layer 2, these multilayer switching systems are able to seamlessly incorporate QoS and access control criteria from Layers 1-4 as well as other sources.

This built-in flexibility for layer-independent access control completely separates security decisions from network architecture decisions, thereby enabling network administrators to efficiently deploy DoS preventive measures without being forced into sub-optimal routing or switching topologies. As a result, network administrators and service providers now have the ability to seamlessly integrate policy-based access control criteria throughout their metropolitan, data centre or enterprise network environments, whether using complex router-based core services or relatively simple Layer 2 switched local loops.

In addition, wire-speed handling of criteria lookups and data flow authentication decisions enables DoS countermeasures to effectively take place in the background with little or no performance delay.

Another advantage of intelligent multilayer access control is the ability to easily implement customized filtering actions such as tailoring the granularity of control over the systems' response to certain criteria. For example, rather than making a simple "pass" or "discard" decision on packets that may be part of a DoS attack, multilayer switching allows the system to push the packets to a specific QoS profile with specified maximum bandwidth limits. This way, the network can be protected from the impacts of DoS attacks while reducing the risk of inadvertently discarding legitimate traffic.

Another advantage of layer-independent access control is the ability to manage and optimise intersystem data flow by tailoring routing access policies to support "trusted neighbour" relationships between specific systems. In addition, multilayer switching incorporates options that protect internal routing policies from unauthorized exposure and potential subversion.

For example, the ExtremeWare software suite from Extreme Networks allows mapping and overwriting of IEEE 802.1p and DiffServ tags to enable DiffServ functionalities that are invisible to external observation. By using these policy mechanisms, system administrators can adjust internal routing control policies for traffic from specific neighbouring systems without advertising the actual policies being internally enforced.

The flexibility to differentiate between internal and external DiffServ and IEEE 802.1p criteria can be an effective tool for thwarting a new wave of potential DoS attacks referred to as QoS attacks. In the instances that have appeared so far, these attacks attempt to make use of bogus QoS criteria in order to adversely impact network routing behaviours. They do this by spoofing high-priority traffic classifications and usurping bandwidth away from legitimate QoS classes.

Tailored network login

The incorporation of network login mechanisms plays a key role in reducing vulnerability to DoS attacks. Network login works by using unique usernames and passwords to authenticate users before granting access or passing packet traffic, thereby preventing the risk of pre-authentication DoS assaults.

By using DHCP to emulate how the dial-up world uses PPP, network login can stop unauthorized access at the edge of the network and mitigate any negative impact on the network infrastructure. Network login works by having the user's browser submit a DHCP request to the switch, which captures the required user identification data and sends a request to a RADIUS server for authentication. Only after authentication will the switch grant the user access to the network's DHCP service and allow packet traffic from the user to flow through the network.

By leveraging existing standards within the constructs contained in IEEE draft 802.1, these network login mechanisms provide control over user access to the switch and minimize the risk of direct DoS attacks. At the same time, network login offers a robust mechanism for managing and tracking user connectivity and transactions within an enterprise or a service provider network.

Protect infrastructure

In addition to protecting network dataflow, it is equally important to protect the network infrastructure from DoS attacks to ensure reliability and resiliency. Key to protecting the infrastructure are maintaining independent access lists, tightly managing forwarding-controls and load-balancing functions, and conducting rigorous design tests to ensure system resiliency.

One of the first steps to enforce security is to ensure that users can only perform tasks they are authorized to do and obtain information that they are authorized to have, while preventing damage to data, applications and network systems. Since all of these enforcement actions are handled on systems that form the network, controlling access to these systems is extremely important.

Typically, network devices can be managed using a combination of console access, SNMP, HTTP or telnet, combined with advanced authentication mechanisms.

The use of independent access lists based on source IP addresses can also help protect the remote management methodologies used to maintain, update and manage network switching and routing systems.

FIPS-186 (Federal Information Processing Standards Publication 186) SSH2 is an alternative to telnet which uses private keys to establish an encrypted tunnel before opening a remote shell. Use of SSH or SSH2 avoids configuration commands or passwords being sent in clear over the network, potentially available to a traffic sniffer.

RADIUS and TACACS+

The RADIUS protocol was developed as an access server authentication and accounting protocol. RADIUS (IETF RFC 2138) is a mechanism for authenticating and centrally administrating access to network nodes.

First, a primary and secondary RADIUS server are defined for the switch to contact. When a user attempts to log in, the request is sent to the primary RADIUS server and then to the secondary RADIUS server, if the primary does not respond.

Privileged and non-privileged mode passwords are global and apply to every user accessing a switch from either the console port or from a telnet session. As an alternative, TACACS+ provides a way to validate every user on an individual basis before they gain access to the network. TACACS+ was derived from the U.S. Department of Defense and is described in IETF RFC 1492.

Although RADIUS and TACACS+ provide similar functionality, they have several key differences.

Most notably, RADIUS encrypts only the password in the access-request packet from the client to the server. The remainder of the packet is in the clear. Other information such as username, authorized services and accounting can be captured by a third party, making RADIUS networks potential targets of hackers using session capture and replay attacks. Because of this feature, RADIUS networks must be carefully designed to minimize DoS attacks.
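To make the point about what a capture of RADIUS traffic exposes concrete, here is an added example (not from the original article) that builds an Access-Request using the User-Password hiding scheme defined in the RADIUS RFC, then parses it the way a passive observer without the shared secret would. The username, password, shared secret and fixed authenticator are constructed sample values; a real client uses a random authenticator per request.

```python
import hashlib
import struct

def _mask_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = block if hiding else chunk    # chain on the ciphertext either way
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes, then mask block by block."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    return _mask_blocks(password.ljust(padded_len, b"\x00"), secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: only a holder of the shared secret can undo the mask."""
    return _mask_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(identifier, authenticator, username, password, secret):
    """Code 1 (Access-Request) with User-Name (type 1) and User-Password (type 2)."""
    attrs = b""
    hidden = hide_password(password, secret, authenticator)
    for attr_type, value in ((1, username), (2, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH16s", 1, identifier, 20 + len(attrs), authenticator) + attrs

def observe(packet: bytes):
    """What a capture shows without the shared secret: header plus raw attributes."""
    code, identifier, length, authenticator = struct.unpack("!BBH16s", packet[:20])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}

# Constructed sample values for the demonstration.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_request(7, AUTHENTICATOR, b"alice", b"correct horse battery", SECRET)
    seen = observe(pkt)
    print("User-Name on the wire:    ", seen["attrs"][1])
    print("User-Password on the wire:", seen["attrs"][2].hex())
    print("Recovered with the secret:", reveal_password(seen["attrs"][2], SECRET, AUTHENTICATOR))
```
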

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether or not the body is encrypted. Normal operation fully encrypts the body of the packet for more secure communications.

The RADIUS protocol combines the processes of authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain all the authorization information, making separation of the authentication and authorization functions difficult. The use of RADIUS is most appropriate when simple, single-step authentication and authorization is required, as seen in many service provider networks.

During a session, if additional authorization checking is required, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This feature provides greater control over the commands that can be executed on the access server while decoupling authorization from the authentication mechanism. TACACS+ is thus more appropriate to use when multiple authentication methods in a complex network are deployed.

Access and routing policies

Once access to the network is authenticated, the next step is to protect networked resources. These resources or nodes are where intellectual property and confidential information reside. Access policies are a general category of preset decision making rules that impact forwarding and route forwarding decisions. Access policies are used primarily for security and QoS purposes. There are three categories of access policies: access lists, routing access policies and route maps.

IP access lists consist of IP access rules that are used to perform packet filtering and forwarding decisions on incoming traffic. Each packet arriving on an ingress port is compared to the access list in sequential order. Then, it is either forwarded to a specified QoS profile or dropped. Using access lists has no impact on switch performance. Access lists are typically applied to traffic that crosses Layer 3 router boundaries, but it is also possible to use access lists within a Layer 2 VLAN.

Each entry that makes up an IP access list contains a unique name. It can also contain an optional, unique precedence number. The rules of an IP access list consist of a combination of the following six components:

- IP source address and mask
- IP destination address and mask
- TCP or UDP source port range
- TCP or UDP destination port range
- Physical source port
- Precedence number (optional)

When a packet arrives on an ingress port, the packet is compared with the access list rules to determine a match. When a match is found, the packet is processed. If the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is forwarded. A permit access list can also apply a QoS profile to the packet.
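The access list behaviour described above, together with the anti-spoofing filters recommended earlier, can be modelled in a few lines. This is an added example, not code from the original article or from any vendor: the rule names, the port names "uplink" and "lan", the QoS profile names and the addresses are constructed, and two behaviours are assumptions, namely that lower precedence numbers are checked first and that a packet matching no rule is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)
INTERNAL = ip_network("192.0.2.0/24")      # constructed internal range

@dataclass(frozen=True)
class Rule:
    name: str                              # unique name
    action: str                            # "permit" or "deny"
    src: object = ANY_NET                  # IP source address and mask
    dst: object = ANY_NET                  # IP destination address and mask
    sport: tuple = ANY_PORTS               # TCP or UDP source port range
    dport: tuple = ANY_PORTS               # TCP or UDP destination port range
    ingress_port: Optional[str] = None     # physical source port, None = any
    precedence: Optional[int] = None       # optional
    qos_profile: Optional[str] = None      # applied by permit rules only

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1]
                and self.ingress_port in (None, pkt["ingress_port"]))

def evaluate(rules, pkt):
    """First match wins. Assumption: lowest precedence first, unnumbered rules last."""
    ordered = sorted(rules, key=lambda r: (r.precedence is None, r.precedence or 0))
    for rule in ordered:
        if rule.matches(pkt):
            profile = rule.qos_profile if rule.action == "permit" else None
            return rule.action, profile, rule.name
    return "deny", None, "implicit-default"    # assumption: no match means drop

RULES = [
    # Inbound packets claiming an internal source address are spoofed.
    Rule("no-spoof-in", "deny", src=INTERNAL, ingress_port="uplink", precedence=10),
    # Keep small UDP/TCP services, echo (7) through chargen (19), internal only.
    Rule("no-small-services-in", "deny", dport=(7, 19), ingress_port="uplink", precedence=20),
    # Web traffic is forwarded, but into a bandwidth-limited profile.
    Rule("web-in", "permit", dst=INTERNAL, dport=(80, 80), ingress_port="uplink",
         precedence=30, qos_profile="qp-web-limited"),
    # Outbound traffic must carry an internal source address ...
    Rule("lan-out", "permit", src=INTERNAL, ingress_port="lan",
         precedence=40, qos_profile="qp-default"),
    # ... anything else leaving the LAN has a forged source and is dropped.
    Rule("no-spoof-out", "deny", ingress_port="lan", precedence=50),
]

def decide(src, dst, sport, dport, ingress_port):
    pkt = {"src": src, "dst": dst, "sport": sport, "dport": dport,
           "ingress_port": ingress_port}
    return evaluate(RULES, pkt)

if __name__ == "__main__":
    print(decide("192.0.2.7", "192.0.2.20", 40000, 80, "uplink"))
    print(decide("203.0.113.9", "198.51.100.1", 40000, 80, "lan"))
    print(decide("198.51.100.1", "192.0.2.20", 40000, 80, "uplink"))
```
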

Because some DoS attacks result from intruders understanding your routing policies, it is also important to maintain tight controls over basic policy disciplines such as IP-broadcast forwarding controls, ICMP and IP option response controls. Forwarding criteria can also be tailored to provide unidirectional session control, where broadcast sessions can be restricted to occur only from within the network and not from external sources.

The final area of critical importance is ensuring that the switching and routing systems themselves undergo rigorous design tests to ensure resiliency and robustness, even when directly subjected to the most demanding DoS stress testing. Achieving these objectives depends on the robustness of the system architecture and is ultimately tested using real world DoS attacks.

The Bottom Line

It is clear that the wave of DoS attacks will continue to pose a significant threat to all businesses whether you are a service provider, e-business or a big enterprise. As new countermeasures are developed, new DoS attack modes undoubtedly will also emerge. Ensuring high resiliency and high performance in public and private networks will require concerted efforts from administrators, service providers and equipment manufacturers.

Use of tightly controlled management access to systems and intelligent management of routing policies are critical in laying the groundwork for building a first line of security against DoS attacks.

Network switching and routing equipment also needs to provide a broad adherence to standard security methodologies and mechanisms to provide system administrators with the flexibility to effectively manage and scale their network infrastructures in a secure manner.

From a network infrastructure standpoint, the ability to prevent and withstand DoS attacks depends heavily on deploying advanced hardware and software capabilities embodied in leading edge switching and routing system architectures.

Key factors such as multilayer switching with layer-independent access-control decisions enable the network transport infrastructure to automatically recognize and fend off DoS attacks while continuing to maintain wire-speed performance.
