Internet Denial of Service Considerations
UCL
Gower Street
London
WC1E 6BT
UK
M.Handley@cs.ucl.ac.uk
Network Resonance
2483 E. Bayshore #212
Palo Alto
94303
CA
USA
ekr@networkresonance.com
IAB
Avoiding allowing attacks that are better than generic resource consumption.
Minimizing the extent to which generic resource consumption attacks crowd
out legitimate users.
In the remainder of this section, we consider specific applications of these
two approaches at a variety of levels of network system architecture.
From an end-system server point of view, one simple aim is to avoid
instantiating state without having completed a handshake with the client
to validate their address, and as far as possible to push work and
stateholding to client. There are a number of techniques that might be
used to do this, including SYN-cookies [5] [2]. All client-server
protocols should probably be designed to allow such techniques to be
used, but the enabling of the mechanism should normally be at the
server's discretion to avoid unnecessary work under normal
circumstances.
Other than having massive overcapacity, the only real defense against
resource consumption attacks is to preferentially discriminate
against attackers. The general idea is to find something that legitimate
users can do but attackers can't. The most commonly proposed approaches
include:
Puzzles: force the attacker to do some computation that would not
be onerous for a single user but is too expensive to do en masse. [2]
Reverse Turing Tests: specialized puzzles that are hard for
machines to do but easy for humans, thus making automated attacks
hard.[42]
Reachability testing: force the proposed client to demonstrate
that it can receive traffic at a given IP address. This makes it
easier to trace attackers.
All of these techniques have substantial limitations. Puzzles tend
to discriminate against legitimate users with slow computers. In
addition, the wide availability of "bots" means that attackers
have ample computing power at their disposal. There has been
substantial work in attacking Reverse Turing Tests automatically,
thus making them of limited applicability. Finally, reachability
testing is substantially weakened by bots because the attacker
does not need to hide his source address.
A goal with routing protocols is that of graceful degradation in
overload, and automatic recovery after the source of the overload has
been remedied. Some routing protocols satisfy this goal more than
others. Although RIP doesn't scale well, if a router runs out of memory
when receiving a RIP route, it can just drop the route and send an
infinite metric to its peers. The route will later be refreshed, and if
the original source of the problem has been resolved, the router will
now be able to process it correctly.
On the other hand, BGP is stateful in the sense that a peer assumes you
have processed or chosen to filter any route that it sent you. There is
no mechanism to refresh state in the base BGP spec, and even the later
route refresh option [16] is hard to use usefully in the presence of
overload. A BGP router that cannot store a route it received has two
choices: completely restart BGP, or shutdown one or more peerings [15].
This means that the effects of a BGP overload are rather more severe
than they need to be, and so amplifies the effect of any attack.
In general, few routing protocol designs actively consider the possible
behaviour of routers under overload conditions; this should be an
explicit part of future routing protocol designs. Although precise
details should clearly be left to implementors, the protocol design
needs to give them the capability to do their job properly.
Autoconfiguration mechanisms greatly ease deployment, and are
increasingly necessary as the number of networked devices grows beyond
what can be managed manually. However, it should be recognised that
unauthenticated autoconfiguration opens up many avenues for attack.
There is a clear tension between ease of configuration and security of
configuration, especially because there are environments in which
it is desirable for units to operate with effectively no authentication
(e.g., airport hotspots). Future autoconfiguration protocols should consider the
need to allow different end-systems to operate at different points in
this spectrum within the same autoconfiguration framework.
However, this also implies that the network elements should avoid
acting for unauthenticated hosts, instead just letting them
access the network more or less directly.
In general, networks should be provisioned with private,
out-of-band access to console or control ports so that
such control facilities will be available in the face of a
DoS attack launched against either the control or data plane
of the (in-band) network. Typically such out-of-band
networks are provisioned on a separate infrastructure for
exactly this purpose. Out-of-band access is a crucial
capability for DoS mitigation, since many of the typical
redundancy and capacity management techniques (such as
prioritizing routing or network management traffic) fail
during such attacks. In addition, many redundancy protocols
such as VRRP [50] can fail during such attacks as they
may be unable to keep adjacencies alive.
There are several default configuration settings that can
also be exploited to generate several of the attacks
outlined in this document. For example, some vendors may
have features such as IP redirect, directed broadcast, and
proxy ARP enabled by default. Similar defaults, such
as publicly readable SNMP [51] communities (e.g.,
"public") can be used to reveal otherwise confidential
information to a prospective attacker. Finally, other
unauthenticated configuration management protocols such
as TFTP [RFC1350] should be avoided if possible; at the
very least access to TFTP configuration archives should
be protected and TFTP should be filtered at administrative
boundaries. Finally, since many of the password
encryption techniques used by router vendors are
reversible, keeping such passwords on a configuration
archive (as part of a configuration file), even in the
encrypted form written by the router, can lead to
unauthorized access if the archive is compromized.
A basic principle of designing systems to handle failure
to have redundant servers which can take over when
one fails. This is equally true in the case of DoS attacks,
which often focus on a given server and/or link.
If service delivery points can be distributed across
the network, then it becomes much harder to attack the
entire service. In particular, this makes attacks on a single
network link more difficult.
In general, cryptographic authentication mechanisms are too costly to
form the main part in DoS prevention. However, routing adjacencies are
too important to risk an attacker being able to inject bad routing
information, which can affect more than the router in question.
Additional non-cryptographic mechanisms should then be used to avoid
arbitrary end-systems being able to cause the router to spend CPU cycles
on validating authentication data.
For BGP, at the very least, this implies the use of TCP MD5 [24] or
IPsec authentication, combined with the GTSM [23] to prevent
EBGP association with non-immediate neighbours. In future, this will
likely imply better authentication of the routing information itself.
As far as is feasible, router-to-router traffic should be isolated from
data traffic. How this should be implemented depends on the precise
technologies available, both in the router and at the link-layer. The
goal should be that failure of the link for data traffic should also
cause failure for the routing traffic, but that an attacker cannot
directly send packets to the control processor of the routers.
A downside of this is that some diagnostic techniques (such as pinging
consecutive routers to find the source of a delay) may no longer be
possible. Ideally, alternative mechanisms (which do not open up
additional avenues for DoS) should be designed to replace such lost
techniques.
Because a router can be considered as an end-system, it can potentially
benefit from all the prevention mechanisms prescribed for end-system
implementation. However one basic distinction between a router and a
host is that the former implements routing protocols and forwards
data, which in turn lead to additional router specific implementation
considerations. The issues described below are meant to be
illustrative and not exhaustive.
Protocol syntax defines the formation of the protocol messages and
the rules of exchanges. The questions addressed by protocol syntax
checking includes, but is not limited to, the following:
Who sent the message?
Does the content conform to the protocol format?
Was the message sent with correct timing?
The first step in protocol syntax verification is to ensure that an
incoming message was sent by a legitimate party. There are multiple
ways to perform this check. One can verify the source IP address and
even the MAC address of the message. Utilizing the fact that eBGP
peers are normally directly connected, one can also check the TTL
value in a packet and discard any BGP updates packet whose TTL is
less than some maximum value (typically max TTL - 1) [23].
Cryptographic authentication should
also be used whenever available to verify that an incoming message is
indeed from an expected sender. For BGP, at the very least, this
implies the use of TCP MD5 [24] or IPsec authentication.
In addition to the sender verification, it is also important to check
the syntax of a received routing message, as opposed to assuming that
all messages came in a correct format. It happened in the past that
routers crashed upon receiving ill-formed routing messages. Such
faults will be prevented by performing rigorous syntax checking.
Protocol semantics define the meaning of the message content, the
interpretation of the values, and the actions to be taken according
to the content. Here is a simple example of using semantic checking.
When a link failure causes a router in AS A to send a peer router B a
withdrawal message for prefix P, B should make sure that any
alternative path it finds to reach P does not go through A. This
simple check is shown to significantly improve BGP convergence time
in many cases [45].
Another example of using semantic checking against false routing
injection is described in [47]. The basic idea is to attach to the
route announcement for prefix P a list of the valid origin ASes. Due
to the rich connectivity in today's Internet topology, a remote AS
will receive routing updates from multiple different paths and can
check to see whether each update carries the identical origin AS
list. Although a false origin may announce reachability to P, or
alter the origin AS list, it would be difficult, if not impossible,
to block the correct updates from propagating out, thus remote ASes
can detect the existence of false updates by observing the
inconsistency of the received origin AS lists for P. Research
studies show that the "allowed origin list" test can effectively
detect majority of falsely originated updates.
Generally speaking, verifying the validity of BGP routes can be
challenging because BGP is policy driven and policies of individual
ISPs are not known in most cases. But assuming policies do not change
in short time scale, in principle one could verify new updates
against observed routes from recent past, which reflect the routing
policies in place. Research work is needed to explore this direction.
Note that while the above steps are all fairly simple and
don't really "bullet-proof" the protocol, each adds some
degree of protection. As such, the combination of the above
techniques can result in an efffective reduction in the
probability of undetected faults.
There exist a number of configuration tunings that can enhance
robustness of BGP operations. One example is to let BGP peers
coordinate the setting of a limit on the number of prefixes which one
BGP speaker will send to its peer [46]. Although such check does not
validate the prefix owned by each peer, it can prevent false
announcements of large number of invalid routes. Had all BGP routers
been configured with this simple checking earlier, several large
scale routing outages in the past could have been prevented.
Note, however, that care must be taken with hard limits of this type
because they can be used to mount a DoS because implementations
often discard excess routes indiscriminately, thus potentially
causing black-holing of correct routes.
Another example of useful configuration tuning is to adjust the BGP's
KeepAlive and Hold Timer values to minimize BGP peering session
resets. Previous measurements show that heavy traffic load, such as
those caused by Worms, can cause BGP KeepAlive messages to be delayed
or dropped, which in turn cause BGP peering session break down. Such
load-induced session breaks and re-establishments can lead to
an excessive amount of BGP updates during the periods when stable
routing is needed most.
In addition to the resource exhaustion problems that are generally
apply to all end systems, as described in Section 2, router
implementations must also take special care in handling resource
exhaustions when they occur in order to keep the router operating
despite the problem. For example under normal operations a router
does not require a large cache to hold outstanding ARP requests
because the replies are normally received within a few milliseconds.
However certain conditions can lead to ARP cache exhaustion, for
example during a virus attack where many packets are sent to non-
existing IP addresses, thus there are no ARP replies to the requests
for those addresses. Such phenomena have happened in the past and led to
routers failing to forward packets.
Another example is queue management. Many high-end routers are designed
so that most packets can be handled purely in specialized processors
(ASICs, FPGAs, etc.). However, exceptional packets must be
routed to a supporting general purpose CPU for handling.
On some such systems, it may be possible
mount a low-effort DoS attack by saturating
the queues between the specialized hardware and the supporting
processor.
So the attack vector on routers/network devices is a low PPS
queue saturation attack on the ASIC's raw queue structure. The
countermeasure here is to have multiple such queues designed
in such a way that it's difficult for an attacker to arrange
to fill multiple queues [41].
Any system that instantiates per-connection state should take great care
to implement state-lookup mechanisms in such a way that performance
can not be controlled by the attacker. One way to achieve this is to
use hash-tables where the hash mechanism is keyed in such a way that the
attacker cannot instantiate a large number of flows in the same hash
bucket.
Most operating systems use network interrupts to receive data from the
network, which is a good solution if the host spends only a small amount
of its time handling network traffic. However, this leaves the host
open to livelock [29], where under heavy load the OS spends all its time
handling interrupts and no time doing the work needed to handle the
traffic at the application level. Server operating systems should
consider using network polling at times of heavy load, rather than being
interrupt-driven, and should be carefully architected so that as far as
reasonably possible, traffic received by the OS is processed to
completion, or very cheaply discarded.
Most recent TCP implementations use fairly good random mechanisms for
allocating the TCP initial sequence numbers. In general, any
dynamically allocated value used purely to identify a communication
session should be allocated using an unpredictable mechanism, as this
increases the search space for an attacker that wishes to disrupt
ongoing communications. Thus the dynamically allocated port of the
active end of a TCP connection might also be randomly allocated.
With DNS, the ID which is used to match responses with requests should
also be randomly generated. However, as the ID field is only 16 bits,
the protection is rather limited.
Many DoS attacks are generic bandwidth consumption attacks that operate
by clogging the link that connects the victim server to the Internet.
Filtering these attacks at the server does no good because the
traffic has already traversed the link which is the scarce resource.
Such flows need to be filtered at some point closer to the attacker.
Where possible, operators should filter out obviously bad traffic.
In particular, they should perform ingress filtering [22].
Network operators are strongly encouraged to establish a monitoring
framework to detect and log abnormal network activity. One can not
defend against an attack one doesn't detect or understand. Such
monitoring tools can be used to set a baseline of "normal" traffic, and
can be used to detect aberrant flows and determine the
type and source of the aberrant flows.
This is extremely helpful when responding to distributed
DoS attacks or a flash crowd, and
should be in place prior to the event.
In this document we have highlighted possible avenues for DoS attacks
on
networks and networked systems, with the aim of encouraging protocol
designers and network engineers towards designs that are more robust.
We have discussed partial solutions that reduce the effectiveness of
attacks, and highlighted how some partial solutions can be taken
advantage of by attackers to perpetrate alternative attacks.
Our focus has primarily been on protocol and network architecture
issues, but there are many things that network and service operators can
do to lessen the threat. Further advice and information for network
operators can be found in [13] [37] [14].
It is our hope that this document will spur discussion leading to
architectural solutions that reduce the succeptibility of all Internet
systems to denial-of-service attacks.
This entire document is about security.
We are very grateful to Vern Paxson, Paul Vixie, Rob Thomas, Dug Song,
George Jones, Jari Arkko, and Geoff Huston for their constructive comments on earlier
versions of this document.
[1] J. Abley, "Hierarchical Anycast for Global Service Distribution",
http://www.isc.org/tn/isc-tn-2003-1.txt
[5] D.J. Bernstein, "SYN Cookies", http://cr.yp.to/syncookies.html
[16] E. Chen, "Route Refresh Capability for BGP-4", RFC 2918, September
2000
[19] S. Deering, "Host extensions for IP multicasting", RFC 1112, Aug
1989.
[20] T. Dierks, C. Allen, "The TLS Protocol, Version 1.0", RFC 2246, Jan
1999.
[21] D. Estrin, D. Farinacci, A. Helmy, D. Thaler, S. Deering, M.
Handley, V. Jacobson, C. Liu, P. Sharma, L. Wei, "Protocol
Independent Multicast-Sparse Mode (PIM-SM): Protocol
Specification", RFC 2362, June 1998.
[22] P. Ferguson, D. Senie, "Network Ingress Filtering: Defeating Denial
of Service Attacks which employ IP Source Address Spoofing", RFC
2827, May 2000.
[23] V. Gill, J. Heasley, D. Meyer "The Generalized TTL Security
Mechanism (GTSM)", RFC 3682, February 2004.
[24] A. Heffernan, "Protection of BGP Sessions via the TCP MD5 Signature
Option", RFC 2385, August 1998.
[32] Y. Rekhter, T. Li, "A Border Gateway Protocol 4 (BGP-4)", RFC 1771,
March 1995.
[35] C. Villamizar, R. Chandra, R. Govindan, "BGP Route Flap Damping",
RFC 2439, November 1998.
[38] D. Waitzman, C. Partridge, S.E. Deering, "Distance Vector Multicast
Routing Protocol", RFC 1075, Nov 1988.
[42] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA:
Using hard AI problems for security. In Proceedings of Eurocrypt, 2003.
[2] T. Aura, P. Nikander, J. Leiwo, "DOS-resistant authentication with
client puzzles", In B. Christianson, B. Crispo, and M. Roe,
editors, Proceedings of the 8th International Workshop on Security
Protocols, Lecture Notes in Computer Science, Cambridge, UK, April
2000.
[3] J. Bellardo, S. Savage, "802.11 Denial-of-Service Attacks: Real
Vulnerabilities and Practical Solutions", Proceedings of the USENIX
Security Symposium, Washington D.C., August 2003.
[4] S.M. Bellovin, "Security Problems in the TCP/IP Protocol Suite",
Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April
1989.
[6] CCAIS/RNP Alertas do Cais ALR-19112002a, "Vulnerability in the
sending requests control of Bind versions 4 and 8 allows DNS
spoofing", http://www.rnp.br/cais/alertas/2002/cais-
ALR-19112002a.html
[7] CERT Advisory CA-1996-01, "UDP Port Denial-of-Service Attack", Feb
1996.
[8] CERT Advisory CA-1996-21, "TCP SYN Flooding and IP Spoofing
Attacks", Sept 1996.
[9] CERT Advisory CA-2001-09, "Statistical Weaknesses in TCP/IP Initial
Sequence Numbers", May 2001.
[10] CERT Advisory CA-1996-26, "Denial-of-Service Attack via ping", Dec
1996.
[11] CERT Advisory CA-1998-01, "Smurf IP Denial-of-Service Attacks",
http://www.cert.org/advisories/CA-1998-01.html, Jan 1998.
[12] CERT Incident Note IN-2000-05, "'mstream' Distributed Denial of
Service Tool", May 2000.
[13] CERT/CC - "Managing the Threat of Denial of Service Attacks",
http://www.cert.org/archive/pdf/Managing_DoS.pdf
[14] CERT/CC - "Trends in Denial of Service Attack Technology",
http://www.cert.org/archive/pdf/DoS_trends.pdf
[15] D.F. Chang, R. Govindan, J. Heidemann, "An Empirical Study of
Router Response to Large Routing Table Load", Proceedings of the
2nd Internet Measurement Workshop (IMW 2002), 2002.
[17] Cisco Systems, "Configuring the BGP Maximum-Prefix Feature", Cisco
Document ID: 25160, http://www.cisco.com/warp/public/459/bgp-
maximum-prefix.html
[18] Scott A Crosby and Dan S Wallach, "Denial of Service via
Algorithmic Complexity Attacks", Proceedings of the USENIX Security
Symposium, Washington D.C., August 2003.
[25] Laurent Joncheray, "Simple Active Attack Against TCP", 5th USENIX
Security Symposium, 1995.
[26] M. Lough, "A Taxonomy of Computer Attacks with Applications to
Wireless", PhD thesis, Virginia Polytechnic Institute, April 2001.
[27] Z. Mao, R. Govindan, G. Varghese, R. Katz, "Route Flap Dampening
Exacerbates Internet Routing Convergence", Proceedings of ACM
SIGCOMM, 2002.
[28] D. Meyer, W. Fenner (Editors), "Multicast Source Discovery Protocol
(MSDP)", RFC 3618, October 2003.
[29] J. Mogul, KK. Ramakrishnan, "Eliminating Receive Livelock in an
Interrupt-driven Kernel", ACM Transactions on Computer Systems, Vol
15, Number 3, pp. 217-252, 1997.
[30] National Infrastructure Secuity Co-ordination Center (NISCC),
Vulnerability Advisory 236929, April 2004,
http://www.uniras.gov.uk/vuls/2004/236929/
[31] V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-
of-Service Attacks", Computer Communication Review 31(3), July
2001.
[33] Joe Stewart, "DNS Cache Poisoning - The Next Generation", Jan 27
2003, http://www.securityfocus.com/guest/17905
[34] R. Stewart (ed.), M. Dalal, (ed.) "Improving TCP's Robustness
to Blind In-Window Attacks",, Internet Draft, February 2006,
draft-ietf-tcpm-tcpsecure-04.txt
[36] P. Vixie, G. Sneeringer, M. Schleifer, "Events of 21-Oct-2002",
http://f.root-servers.org/october21.txt
[37] P. Vixie, "Securing the Edge",
http://www.icann.org/committees/security/sac004.txt
[39] D. Wessels, "Running An Authoritative-Only BIND Nameserver",
http://www.isc.org/tn/isc-tn-2002-2.txt
[40] M. Zalewski, "Strange Attractors and TCP/IP Sequence Number
Analysis", http://razor.bindview.com/publish/papers/tcpseq.html
[41] J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks:
Real Vulnerabilities and Practical Solutions", Proceedings of
the 12th USENIX Security Symposium, August 2003.
[43] The whole world disappeared? http://www.merit.edu/mail.archives/
nanog/1998-04/msg00181.html, Apr 1998.
[44] Outage: MCI Worldcom nationwide ATM network. http://www.merit.edu/
mail.archives/nanog/1999-02/msg00077.html, Feb 1999.
[45] D. Pei, X. Zhao, L. Wang, D. Massey, A. Mankin, F. S. Wu, and L.
Zhang. Improving BGP Conver-gence Through Assertions Approach. In Proc.
of IEEE INFOCOM, June 2002.
[46] Srikanth Chavali, Vasile Radoaca, Mo Miri, Luyuan Fang, and Susan
Hares. Peer prefix limits ex-change in bgp.
http://www.ietf.org/internet-drafts/draft-chavali-bgp-prefixlimit-01.txt,
April 2004.
[47] X. Zhao, D. Massey, A. Mankin, S.F. Wu, D. Pei, L. Wang, L. Zhang,
"BGP Multiple Origin AS (MOAS) Conflicts",
http://nanog.org/mtg-0110/lixia.html, 2001.
[48] Cisco Systems, "Building Security Into the Hardware",
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/
Paris-Sept-04/SE14-BUILDING-SECURITY-INTO-THE HARDWARE-c1_8_30_04.pdf,
2004.
[49] T. Ylonen, C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006.
[50] Knight, S., Weaver, D., Whipple, D., Hinden, R., Mitzel,
D., Hunt, P., Higginson, P., Shand, M. and A. Lindemn,
"Virtual Router Redundancy Protocol", RFC 2338, April
1998.
[51] D. Harrington, R. Presuhn, B. Wijnen., "An Architecture
for Describing Simple Network Management Protocol (SNMP)
Management Frameworks.", RFC 3411, December 2002.
[52] K. Sollins., "The TFTP Protocol (Revision 2)",
RFC 1784, July 1992.
Bernard Aboba
Loa Andersson
Brian Carpenter
Leslie Daigle
Elwyn Davies
Kevin Fall
Olaf Kolkman
Kurtis Lindvist
David Meyer
David Oran
Eric Rescorla
Dave Thaler
Lixia Zhang