+++
title = "Lecture 4: DOS"
+++

# Lecture 4: DOS
## IP fragmentation
When a datagram is encapsulated in lower-level protocols, it might need to be split into smaller portions,
specifically if the datagram is bigger than the data link layer's maximum transmission unit (MTU).
Fragmentation can be done at the source host, or at an intermediate step in delivery.
If the datagram has the "do not fragment" flag set, an ICMP error is sent back to the origin.
Uses the fields: length (headers+data), fragflag (fragmented or not), offset (in multiples of 8)

Attack: The Ping of Death
- the offset of the last fragment is such that the total size of the reassembled datagram is bigger than the max allowed size
- the kernel's static buffer is overflowed, causing a kernel panic

## SYN flooding
Nicknamed "Neptune"
Attacker starts the handshake with a SYN-marked segment
Victim replies with SYN-ACK
Attacker stays silent
The host can keep only a maximum number of TCP connections half-open; after that it can't accept any more

Current solutions: filtering, increasing the length of the half-open queue, reducing the SYN-received timeout, dropping some connections, or using SYN cookies

SYN cookies:
- algorithm used to determine the server's initial sequence number
- top 5 bits: t mod 32, where t is a 32-bit time counter increasing every 64 seconds
- next 3 bits: encoding of the max segment size (MSS) chosen by the server in response to the client's MSS
- next 24 bits: keyed hash of the counter t, source/dest IP addresses and ports
- when the server receives the ACK, it checks that the secret function works for a recent value of t, then rebuilds the SYN queue entry using the encoded MSS info
- drawbacks:
    - server sequence number grows faster
    - MSS value limited by the encoding procedure (only 8 possible values)
    - no data included in the initial SYN

## Modern attacks
Low-volume attacks
- Exploit the fact that the server must maintain resources associated with each open TCP connection
- Algorithmic complexity attacks: use low-volume streams of requests consuming lots of resources (worst case of algorithms)

Massive attacks
- DDOS botnets: DirtJumper for HTTP, Yoddos for TCP/UDP/HTTP/etc, Mirai botnet of IoT devices
- Amplification: small request leads to huge reply; SMURF (spoof IP address of victim, send broadcast echo request), today Distributed Reflective DOS (e.g. NTP monlist command reports list of last 600 hosts that contacted the server, Memcrashed)

Stealthier method: attack sites that share the same bottleneck link as the victim, sending only a tiny amount of data for a short time from many bot machines. This congests all of the paths towards the target servers.

![6e175d2b9d39621dc0b041b67bccf6f9.png](13862e9db6c5478da0651c1839839421.png)

## Scanning
We want to know the available services at the remote side.
May want to fingerprint OS, app, etc.

UDP port scan:
- used to find available UDP services
- zero-length UDP packet sent to each port
- if ICMP error "port unreachable", service assumed to be unavailable
- if no reply, open or filtered

TCP port scan:
- used to find available TCP services
- most services statically associated with port numbers
- attacker tries to open a TCP connection to all ports; if the handshake is successful then the service is available

TCP SYN scanning ("half-open" scanning)
- attacker sends SYN packet
- if server answers with SYN/ACK, the port is open
- attacker sends RST packet instead of final ACK

TCP FIN scan
- attacker sends FIN-marked packet (normally used to terminate a connection)
- most TCP/IP implementations:
    - if port closed, RST sent back
    - if port open, FIN packet ignored

Idle scanning
- use a relay (victim) host to "relay" the scan, but the relay must be relatively idle to avoid noise
- attacker sends spoofed TCP SYN packets to target
- packets appear to come from relay (victim)
- target replies to relay
    - if target replies with SYN/ACK packet, victim sends out RST (open port)
    - if target replies with RST, victim will not send out any packet (closed port)
- attacker checks IP datagram ID of victim before and after each port probe
    - if increased: port on target open
    - if not increased: port on target closed

## FTP
Based on TCP, provides file transfer service, listens on port 21.
Control stream used for commands, data stream for data transfer.
Client tells server to connect to its local port using the PORT command; server opens a connection from port 20 to that port.
Connection closed when transfer completes.

<table class="invis">
<tr>
<th>FTP</th>
<th>Passive FTP</th>
</tr>
<tr>
<td><img alt="FTP" src="2b17c1d086fe4b9ba90e672ebc4e41e2.png" /></td>
<td><img alt="Passive FTP" src="bf473146f09843ffad9c2d3600c2090d.png" /></td>
</tr>
</table>

Problems:
- Writable FTP home: anonymous user can write config files in the home directory
- PASV connection theft: attacker connects to the port opened by the server before the legitimate client does; the client's commands then lead to file transfers from the attacker
- FTP bounce: the PORT command is used by the client to tell the server the address and port for the data connection; the address doesn't have to be the same as the client's, so you can open a connection to a third host
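The Ping of Death from the IP fragmentation section, seen from the reassembler's side, as an added example (not code from the lecture): the check a kernel should perform on the fragment offset and length fields before copying data into its fixed buffer. It assumes a reassembled datagram with a 20-byte header (no options).

```python
# Added example: bound check for IP fragment reassembly (not from the lecture).
MAX_TOTAL_LENGTH = 65535   # largest value of the 16-bit IPv4 total length
MAX_OFFSET_UNITS = 0x1FFF  # 13-bit fragment offset field, in 8-byte units
IP_HEADER_LEN = 20         # assumption: reassembled datagram has no IP options

class FragmentError(ValueError):
    pass

def fragment_span(offset_units: int, total_length: int, ihl_words: int = 5):
    """Byte range [start, end) of this fragment's payload within the original
    datagram's data, computed from the fragment's own IP header fields."""
    if not 5 <= ihl_words <= 15 or not 0 <= offset_units <= MAX_OFFSET_UNITS:
        raise FragmentError("malformed fragment header")
    payload_len = total_length - ihl_words * 4
    if payload_len < 0:
        raise FragmentError("total length smaller than header length")
    start = offset_units * 8
    return start, start + payload_len

def reassembled_length(fragments) -> int:
    """Total length of the reassembled datagram for an iterable of
    (offset_units, total_length, ihl_words) tuples; raises FragmentError as
    soon as any fragment would push the datagram past MAX_TOTAL_LENGTH."""
    data_end = 0
    for offset_units, total_length, ihl_words in fragments:
        _start, end = fragment_span(offset_units, total_length, ihl_words)
        if IP_HEADER_LEN + end > MAX_TOTAL_LENGTH:
            raise FragmentError(
                f"fragment ends at data byte {end}; datagram would exceed {MAX_TOTAL_LENGTH}")
        data_end = max(data_end, end)
    return IP_HEADER_LEN + data_end

def accept_fragments(fragments) -> bool:
    """True if every fragment passes the bound check, i.e. what a reassembler
    should decide before touching its buffer."""
    try:
        reassembled_length(list(fragments))
    except FragmentError:
        return False
    return True
```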
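The SYN cookie layout from the SYN flooding section (5 bits of the counter, 3 bits of MSS index, 24 bits of keyed hash), implemented as an added example that is not code from the lecture. Assumptions: HMAC-SHA256 as the keyed hash, a constructed 8-entry MSS table, and a cookie accepted while at most MAX_AGE ticks of the 64-second counter old.

```python
# Added example: SYN cookie generation and validation (not from the lecture).
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1300, 1440, 1460, 2048, 4096, 8192, 9000)  # 3 bits -> 8 values (constructed)
MAX_AGE = 4  # how many counter ticks (64 s each) a cookie remains acceptable

def encode_mss(client_mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx

def _hash24(key: bytes, t: int, saddr: str, daddr: str, sport: int, dport: int) -> int:
    """24-bit keyed hash over the counter and the connection 4-tuple."""
    msg = struct.pack("!I4s4sHH", t & 0xFFFFFFFF,
                      ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed, sport, dport)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(key, t, saddr, daddr, sport, dport, client_mss) -> int:
    """Server ISN = 5 bits of t | 3 bits of MSS index | 24 bits of keyed hash."""
    return ((t & 31) << 27) | (encode_mss(client_mss) << 24) | _hash24(key, t, saddr, daddr, sport, dport)

def check_cookie(key, now_t, saddr, daddr, sport, dport, ack_number):
    """Validate the client's final ACK without any stored state. Returns the
    MSS to rebuild the SYN queue entry with, or None if the cookie is forged
    or older than MAX_AGE ticks."""
    cookie = (ack_number - 1) & 0xFFFFFFFF       # the client acks ISN + 1
    t_low, mss_idx, h = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    for age in range(MAX_AGE + 1):              # recent t whose low 5 bits match
        t = now_t - age
        if t >= 0 and (t & 31) == t_low and _hash24(key, t, saddr, daddr, sport, dport) == h:
            return MSS_TABLE[mss_idx]
    return None
```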
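Detection logic for the half-open SYN scan and FIN scan described in the Scanning section, run over a constructed packet log, as an added example (not code from the lecture). A source that sends SYNs to many ports without ever completing a handshake is reported as a half-open scan; a source sending FINs on ports it never opened is reported as a FIN scan.

```python
# Added example: scan detection over a constructed log (not from the lecture).
from collections import defaultdict

# Constructed log lines: "time src dst dport flags" (S=SYN, A=ACK, R=RST, F=FIN)
SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.9 22 S
1 10.0.0.5 10.0.0.9 22 A
3 10.0.0.7 10.0.0.9 21 S
3 10.0.0.7 10.0.0.9 22 S
3 10.0.0.7 10.0.0.9 23 S
3 10.0.0.7 10.0.0.9 25 S
3 10.0.0.7 10.0.0.9 80 S
3 10.0.0.7 10.0.0.9 22 R
5 10.0.0.8 10.0.0.9 443 F
5 10.0.0.8 10.0.0.9 3306 F
5 10.0.0.8 10.0.0.9 8080 F
5 10.0.0.8 10.0.0.9 8443 F
"""

def parse_log(log: str):
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        yield float(ts), src, dst, int(dport), set(flags)

def scan_report(log: str, min_ports: int = 4) -> dict:
    """Map source IP -> (scan type, sorted probed ports) for sources whose
    behaviour matches a scan on at least min_ports distinct ports."""
    syn_ports = defaultdict(set)   # ports a source sent a SYN to
    completed = defaultdict(set)   # ports where the same source later ACKed
    fin_ports = defaultdict(set)   # FINs with no preceding SYN from that source
    seen_syn = set()               # (src, dst, dport) tuples that carried a SYN
    for _ts, src, dst, dport, flags in parse_log(log):
        key = (src, dst, dport)
        if "S" in flags:
            syn_ports[src].add(dport)
            seen_syn.add(key)
        elif "A" in flags and key in seen_syn:
            completed[src].add(dport)   # third handshake step: a real connection
        elif "F" in flags and key not in seen_syn:
            fin_ports[src].add(dport)
    report = {}
    for src, ports in syn_ports.items():
        half_open = ports - completed[src]   # SYN followed by RST or silence
        if len(half_open) >= min_ports:
            report[src] = ("half-open SYN scan", sorted(half_open))
    for src, ports in fin_ports.items():
        if len(ports) >= min_ports:
            report[src] = ("FIN scan", sorted(ports))
    return report
```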
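Server-side checks against the FTP bounce and PASV connection theft problems listed in the FTP section, as an added example (not code from the lecture or any FTP server). A PORT command is honoured only when the address it names is the control connection's own peer and the port is not a privileged one; a passive data connection is accepted only from the peer that issued PASV.

```python
# Added example: PORT command and PASV peer validation (not from the lecture).
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port_command(line: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port), port = p1*256 + p2."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in PORT command")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_port_command(line: str, control_peer_ip: str):
    """Return (accepted, reason). Rejects the bounce case, where the named
    host differs from the client that sent the command, and privileged ports."""
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    if host != control_peer_ip:
        return False, f"PORT address {host} is not the control peer {control_peer_ip}"
    if port < 1024:
        return False, f"PORT {port} is a privileged port"
    return True, "ok"

def check_pasv_data_peer(data_peer_ip: str, control_peer_ip: str) -> bool:
    """Accept the passive data connection only from the client that sent PASV,
    so an earlier connection from another host does not steal the transfer."""
    return data_peer_ip == control_peer_ip
```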