2021-05-07 23:17:24 +02:00
|
|
|
|
% ============================================================================ %
|
2021-05-08 02:18:32 +02:00
|
|
|
|
\nn{Introduction}
|
2021-05-16 10:29:20 +02:00
|
|
|
|
In this day and age, there has probably been nothing else considered as
|
|
|
|
|
inevitable and impactful on one's personal or professional life, media,
|
|
|
|
|
politics, culture or science as reliable Internet connection, allowing seemless
|
|
|
|
|
interaction and access to information.
|
|
|
|
|
Networking infrastructure powering the Internet has been the target of various
|
|
|
|
|
attacks almost since day one. While the early network interconnections had
|
|
|
|
|
been based on mutual trust and strong sharing spirit for advancement of humanity, with
|
|
|
|
|
increasing amount of participants from different backgrounds (essentially
|
|
|
|
|
democratization) and proliferating deeds of mischief, trust could no longer be
|
|
|
|
|
taken for granted.
|
|
|
|
|
Although trolling has always been an integral part of the Internet culture, it
|
|
|
|
|
had not taken long until criminals found their way into the online world with
|
|
|
|
|
the intention of taking advantage of lacking legislation and collecting easy
|
|
|
|
|
(though huge) economic profit. Furthermore, another popular activity has become
|
|
|
|
|
causing real harm to anybody on the way with the sense of lawlessness.
|
|
|
|
|
|
|
|
|
|
It is this willful damage in its many shapes and forms brought upon the
|
|
|
|
|
Internet service providers and users that our thesis deals with. What we have
|
|
|
|
|
commonly observed as being used in the wild in recent years may be called
|
|
|
|
|
attack 'professionalizing', by which we mean that the tools typically available
|
|
|
|
|
10 years ago cannot match to practically anything you can get ready in minutes
|
|
|
|
|
to cause real harm today. Since the networks compose the medium of
|
|
|
|
|
communication, it is essential they remained secured and protected, which in
|
|
|
|
|
fact poses a challenging task for us of coming up with new solutions to rapidly
|
|
|
|
|
evolving problem.
|
|
|
|
|
|
|
|
|
|
On the side of the user, unavailability of the service often means inability to
|
|
|
|
|
proceed with fulfilling their tasks. For the provider, an attack that cripples
|
|
|
|
|
the network or its resources means inability to provide the promised service.
|
|
|
|
|
|
|
|
|
|
We would like to take a look on some of the conventional methods and tools
|
|
|
|
|
which attackers resort to as well as methods and tools both users and network
|
|
|
|
|
operators may (and should) utilise to protect the network. The main objectives
|
|
|
|
|
of our thesis aim at researching key ways of DoS attack mitigations and
|
|
|
|
|
performing a DoS attack and a BGP blackhole reaction simulation.
|
|
|
|
|
|
|
|
|
|
Our thesis comprises two main parts - theoretical and practical. The
|
|
|
|
|
theoretical part discusses relevant context, different types of attack methods
|
|
|
|
|
and tools, mitigation attack methods and tools. The practical part describes a
|
|
|
|
|
simulated simple topology and an attack in lab conditions.
|
2021-05-20 05:59:59 +02:00
|
|
|
|
In the first two sections of the theoretical part, we were focused on attack
|
|
|
|
|
definitions and providing context. Section \ref{sec:attack-methods} attempts to
|
|
|
|
|
categorise attack methods based on several metrics and explain some of the
|
|
|
|
|
mentioned. The fourth section presents a list of some of the popular DoS tools
|
|
|
|
|
that are available. Next on, the \autoref{sec:mitigation-methods} traces
|
|
|
|
|
various ways to mitigate attacks, both on the user and provider level and the
|
|
|
|
|
final section of the theoretical part, \autoref{sec:mitigation-tools}, marks
|
|
|
|
|
out some of the tools that can be used to mitigate an attack.
|
2021-05-16 10:29:20 +02:00
|
|
|
|
First of the practical part, \autoref{sec:infrastructure-set-up-description} gives an
|
|
|
|
|
overview of the tools used to construct the lab infrastructure and configure
|
|
|
|
|
the systems, as well as specifics of the configuration. It also focuses on
|
|
|
|
|
setting up the infrastructure and the tools and processes to achieve a
|
|
|
|
|
reproducible outcome. In \autoref{sec:mitigation-tools-set-up}, we set up
|
|
|
|
|
mitigation tools in preparation of an attack. In
|
|
|
|
|
\autoref{sec:attack-tools-set-up} we go through the process of preparing attack
|
2021-05-17 21:10:50 +02:00
|
|
|
|
tools. The final section \ref{sec:performing-an-attack} describes performing the attack
|
|
|
|
|
itself.
|
2021-05-07 23:17:24 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
% ============================================================================ %
|
2021-05-08 02:18:32 +02:00
|
|
|
|
\part{Theoretical part}
|
2021-05-07 23:17:24 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
|
|
|
|
|
\n{1}{Definition} \label{sec:definition}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
While denial of service can be caused in a multitude of different ways and
|
|
|
|
|
impact any part of the stack, we are predominantly going to look at the ones
|
2021-05-16 10:29:20 +02:00
|
|
|
|
pertaining Internet networks. First, we shall define what a denial of service
|
|
|
|
|
(\it{DoS}) attack in fact \it{is} and we can achieve it by understanding what
|
|
|
|
|
it does.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
A DoS attack is an action that harms a \it{service} in such a way that it can
|
|
|
|
|
no longer serve legitimate requests as a result of being occupied by bogus or
|
|
|
|
|
excessive requests from the attacker.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
A DDoS is a DoS that is distributed among many participant devices (and
|
|
|
|
|
operators).
|
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\begin{figure}[!hbt]
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\centering
|
|
|
|
|
\begin{tikzpicture}
|
|
|
|
|
\draw (1,1)[color=red!60,thick,fill=red!15] circle (2.2cm);
|
|
|
|
|
\draw (0.4,0.2pt) node[below left] {$DoS$};
|
|
|
|
|
\draw (1,1)[dashed,fill=purple!25] circle (1.2cm);
|
|
|
|
|
\draw (1,5pt) node[above] {$DDoS$};
|
|
|
|
|
\end{tikzpicture}
|
|
|
|
|
\caption{Illustration of relationship between DoS and DDoS attacks.}
|
|
|
|
|
\end{figure}
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
The devices participating are generally also victims in this, most of the
|
|
|
|
|
attacks are performed with open DNS resolvers, home routers left to rot by
|
|
|
|
|
vendors, misconfigured web services or IoT devices as involuntary
|
|
|
|
|
participants. All one has to do is open Shodan and look for specific ports open
|
|
|
|
|
(ports of protocols with good reflection ratio such as DNS, CLDAP, or SSDP),
|
|
|
|
|
start probing and then reap the easy harvest. A quick search for devices
|
|
|
|
|
running with port 123 (NTP) open is certain to return a mind-blowing number
|
|
|
|
|
\cite{ShodanNTPd}.
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Context} \label{sec:context}
|
|
|
|
|
In the last decade only we have witnessed many large DoS/DDoS attacks, some of
|
|
|
|
|
them against critical infrastructure services like cloud hosting, DNS, git
|
|
|
|
|
hosting services or even CCTV cameras. All of the attacks weaponized poorly
|
|
|
|
|
managed endpoints, unpatched IoT devices or
|
|
|
|
|
malware-infected-hosts-turned-botnet-zombies. The intensity and frequency have
|
|
|
|
|
also been sharply increasing with the latest of attacks passing over the Tbps
|
2021-05-14 06:44:16 +02:00
|
|
|
|
threshold (Akamai mitigated a 1.44Tbps DDoS in 2020
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\cite{akamai2020ddosretrospect}), with data from Cisco Annual Internet Report
|
|
|
|
|
showing that overall there was a \textbf{776\%} growth in attacks between 100
|
|
|
|
|
Gbps and 400 Gbps from 2018 to 2019, and with predictions for the total number
|
|
|
|
|
of DDoS attacks to double from 7.9 million in 2018 to 15.4 million by 2023
|
|
|
|
|
\cite{cisco2020report}. The question is: why?
|
2021-05-14 06:44:16 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
The motifs will probably more often than not stay a mystery; however, a
|
|
|
|
|
proliferation of DDoS-for-hire websites \cite{Santanna2018BooterLG}, even on
|
|
|
|
|
\emph{clearnet}\footnotemark, points us to a plausible answer.
|
|
|
|
|
|
|
|
|
|
\footnotetext{the surface web; i.e.\ not even attempting to hide}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
|
|
|
|
|
Somebody is making money selling abusive services that are being used for
|
|
|
|
|
putting competitors out of business or just plain extortion. According to
|
2021-05-16 10:29:20 +02:00
|
|
|
|
Akamai, extortion attacks have seen a widespread return, with a new wave
|
|
|
|
|
launching in mid-August 2020 \cite{akamai2021ddos}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
Akamai went on to note that DDoS attackers are expanding their reach across
|
2021-05-16 10:29:20 +02:00
|
|
|
|
geographies and industries, with the number of targeted entities now being 57\%
|
2021-05-14 06:44:16 +02:00
|
|
|
|
higher than the year before that.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Attack methods} \label{sec:attack-methods}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
There are generally several different ways to categorise a method of
|
2021-05-14 06:44:16 +02:00
|
|
|
|
attack:
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\begin{description}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item[By layers, in which the attacks are performed:]\
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\begin{itemize}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\item Link layer
|
|
|
|
|
\item Internet layer
|
|
|
|
|
\item Transport layer
|
|
|
|
|
\item Application layer
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\end{itemize}
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\end{description}
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item[By the nature of their distribution:]\
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\begin{description}
|
|
|
|
|
\item[distributed] the effort is collectively advanced by a group of
|
2021-05-14 06:44:16 +02:00
|
|
|
|
devices
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\begin{enumerate}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item deliberate
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item remotely coordinated devices (IRC C\&C) - so called \it{voluntary botnets}
|
|
|
|
|
\item each operating their own computer, performing a premeditated operation
|
|
|
|
|
in a synchronized manner
|
|
|
|
|
\end{enumerate}
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\item involuntary - hijacked devices
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
\item[not distributed] there is a single source of badness
|
|
|
|
|
\end{description}
|
|
|
|
|
\end{description}
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item [By the kind of remoteness necessary to successfully execute the
|
2021-05-12 17:21:01 +02:00
|
|
|
|
attack:]\
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[close-proximity] (physical engagement, i.e. sabotage) requires physical
|
|
|
|
|
presence in/near e.g. a datacenter, networking equipment (cutting cables,
|
|
|
|
|
playing a pyro)
|
|
|
|
|
\item[local network access] such as over a WiFi access point or on LAN
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\item[remote] such as over the Internet
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\end{description}
|
|
|
|
|
\end{description}
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item[By specific features:]\
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\begin{itemize}
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\item IP fragmentation
|
|
|
|
|
\item SYN flood - a rapid sequence of TCP protocol SYN messages
|
|
|
|
|
\item volumetric DDoS attack
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\item amplification attack (also called 'reflection attack')
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\begin{itemize}
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\item memcached (up to 1:51200)
|
|
|
|
|
\item DNS with a formula \cite{akamaidnsampl}
|
|
|
|
|
\rov[DNSamplificationformula]{R = answer size / query size}
|
|
|
|
|
\item SNMP (theoretically 1:650)
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\item NTP
|
|
|
|
|
\end{itemize}
|
|
|
|
|
\item exploits
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
\item 0days
|
|
|
|
|
\item simply running unpatched versions of software
|
|
|
|
|
\end{itemize}
|
|
|
|
|
\item physical network destruction/crippling
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\end{itemize}
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\end{description}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{IP fragmentation}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
This is the type of attack whereby an attacker attempts to send a fragmented
|
|
|
|
|
payload (TCP, UDP or even ICMP) that the client is supposed to reassemble at
|
|
|
|
|
the destination, by doing of which their system resources (CPU and mainly
|
|
|
|
|
memory) would quickly get depleted, ultimately crashing the host.
|
|
|
|
|
|
|
|
|
|
It is usually necessary for IP datagrams (packets) to get fragmented in order
|
|
|
|
|
to be transmitted over the network. If a packet being sent is larger than the
|
|
|
|
|
maximum transmission unit (MTU) of the receiving side (e.g. a server), it has
|
|
|
|
|
to be fragmented to be transmitted completely.
|
|
|
|
|
|
|
|
|
|
ICMP and UDP fragmentation usually involves packets larger than the MTU, a
|
|
|
|
|
simple attempt to overwhelm the receiver that is unable to reassemble such
|
|
|
|
|
packets, ideally even accompanied by a buffer overflow that the attacker can
|
|
|
|
|
exploit further. Fragmenting TCP segments, on the other hand, targets the TCP
|
|
|
|
|
mechanism for reassembly. Reasonably recent Linux kernel implements protection
|
|
|
|
|
against this \cite{linuxretransmission}.
|
2021-05-16 10:29:20 +02:00
|
|
|
|
In either case, this is a network layer attack, since it targets the way the
|
|
|
|
|
Internet Protocol requires data to be transmitted and processed.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{2}{SYN flood} \label{synfloodattack}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
To establish a TCP connection, a \emph{three way handshake} must be
|
|
|
|
|
performed.\\
|
|
|
|
|
That is the opening sequence of a TCP connection that any two machines -
|
|
|
|
|
let's call them TCP A and TCP B - perform, whereby TCP A wanting to talk
|
|
|
|
|
sends a \emph{segment} with a SYN control flag, TCP B (assuming also willing to
|
|
|
|
|
communicate) responds with a segment with SYN and ACK control flags set and
|
|
|
|
|
finally, TCP A answers with a final ACK \cite{rfc793tcp}.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Using \texttt{tcpdump} we can capture an outgoing SYN packet on interface
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\texttt{enp0s31f6}.
|
|
|
|
|
\begin{verbatim}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
# tcpdump -Q out -n -N -c 1 -v -i enp0s31f6 "tcp[tcpflags] == tcp-syn"
|
2021-05-12 17:21:01 +02:00
|
|
|
|
\end{verbatim}
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
A malicious actor is able to misuse the handshake mechanism by posing as a
|
|
|
|
|
legitimate \emph{client} (or rather many legitimate clients) and sending large
|
|
|
|
|
number of SYN segments to a \emph{server} willing to establish a connection
|
|
|
|
|
(\it{LISTEN} state). The server replies with a [SYN, ACK], which is a combined
|
2021-05-16 10:29:20 +02:00
|
|
|
|
acknowledgement of the client's request \it{and} a synchronization request of
|
2021-05-14 06:44:16 +02:00
|
|
|
|
its own. The client responds back with an ACK and then the connection reaches
|
|
|
|
|
the \it{ESTABLISHED} state.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
There is a state in which a handshake is in the process but connection has not
|
|
|
|
|
yet been ESTABLISHED. These connections are referred to as embryonic
|
|
|
|
|
(half-formed) sessions. That is precisely what happens when an attacker sends
|
|
|
|
|
many SYNs but stops there and leaves the connection hanging.
|
|
|
|
|
|
|
|
|
|
One particularly sly method aimed at causing as much network congestion near/at
|
|
|
|
|
the victim as possible is setting a private IP address (these are unroutable,
|
2021-05-17 21:10:50 +02:00
|
|
|
|
or rather, \it{should not be routed} over public Internet) or an address from
|
2021-05-14 06:44:16 +02:00
|
|
|
|
deallocated space as the source IP address. For the sake of the argument
|
|
|
|
|
suppose it is an address from deallocated space, what then ends up happening is
|
|
|
|
|
the server responds with a [SYN, ACK] and since no response comes from an address
|
|
|
|
|
that's not currently allocated to a customer (no response \it{can} come because
|
|
|
|
|
nobody is using it), TCP just assumes that the packets lost on the
|
|
|
|
|
way and attempts packet \it{retransmission} \cite{rfc6298}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Obviously, this cannot yield a successful result so in the end the server just
|
2021-05-14 06:44:16 +02:00
|
|
|
|
added onto the already congesting network.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Current recommended practice as per RFC 3704 is to enable strict mode when
|
|
|
|
|
possible to prevent IP spoofing from DDoS attacks. If asymmetric routing or
|
|
|
|
|
other kind of complicated routing is used, then loose mode is recommended
|
|
|
|
|
\cite{rfc3704multihomed}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
That way the spoofed traffic never leaves the source network (responsibility of
|
2021-05-14 06:44:16 +02:00
|
|
|
|
the transit provider/ISP) and does not aggregate on a single host's interface.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
For this to be a reality the adoption rate of the subject RFC recommendations
|
2021-05-17 21:10:50 +02:00
|
|
|
|
would need to see a proper increase.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
As is true for anything, if countermeasures are set up improperly, legitimate
|
|
|
|
|
traffic could end up being blocked as a result.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{Amplified Reflection Attack}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
The name suggests this type of attack is based on two concepts: amplification and
|
2021-05-12 04:04:36 +02:00
|
|
|
|
reflection. The amplification part pertains the fact that certain protocols
|
|
|
|
|
answer even a relatively small query with a sizable response.
|
|
|
|
|
The reflection part is usually taking advantage of session-less protocols.
|
|
|
|
|
One such protocol is UDP with session-less meaning that hosts are not required
|
|
|
|
|
to first establish a \it{session} to communicate, a response is simply sent
|
|
|
|
|
back to the address that the packet arrives from (source address).
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Except for the fact that if a malicious player is not interested in
|
|
|
|
|
communication but only wants to cause harm, a packet's source address does not
|
2021-05-12 04:04:36 +02:00
|
|
|
|
necessarily have to, in fact \it{cannot} (from an attacker's point of view)
|
|
|
|
|
correspond to the source address of their machine.
|
|
|
|
|
|
|
|
|
|
Since overwriting fields of the packet header (where the information important
|
|
|
|
|
to routing reside) is trivial and there's nothing easier than supplying a UDP
|
|
|
|
|
request with (either a bogus but more commonly) a victim IP address as the
|
|
|
|
|
source address instead of our own that's present there by default.
|
|
|
|
|
The response is then returned \it{back} - not to the actual sender, but simply
|
|
|
|
|
according to the source address.\\
|
2021-05-16 10:29:20 +02:00
|
|
|
|
Since UDP has no concept of a \it{connection} or any verification mechanism,
|
|
|
|
|
the response arrives at the door of the victim that has never asked for it - in
|
|
|
|
|
the worst case an unsolicited pile of them.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
This is why the three-way handshake is used with TCP, which was developed later
|
|
|
|
|
than UDP, as it reduces the possibility of false connections.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
The goal of the attacker is then clear: get the largest possible response and
|
2021-05-12 04:04:36 +02:00
|
|
|
|
have it delivered to the victim (in good faith of the server even).
|
|
|
|
|
|
|
|
|
|
Spoofing the source address is done with the purpose of evading detection as a
|
|
|
|
|
blocking or rate-limiting mechanism at the destination would likely identify any
|
|
|
|
|
above-threshold-number requests coming from a single IP and ban them, thus
|
|
|
|
|
decreasing the impact of the attack when the intent was to achieve congestion
|
|
|
|
|
at the designated destination - the victim.
|
|
|
|
|
|
|
|
|
|
A perfect example for how bad this can get is unpatched or misconfigured
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\texttt{memcached} software, that is very commonly being used as e.g. a database
|
2021-05-12 04:04:36 +02:00
|
|
|
|
caching system and has an option to listen on UDP port.
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Cloudflare say they have witnessed amplification factors up to 51200 times
|
|
|
|
|
\cite{cfmemcached}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
As has already been mentioned in ~\ref{synfloodattack}, this entire suite of issues
|
|
|
|
|
could be if not entirely prevented then largely mitigated if the very sound
|
|
|
|
|
recommendations of RFC 3704 gained greater adoption among ISPs.
|
|
|
|
|
|
|
|
|
|
Until then, brace yourselves for the next assault.
|
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{2}{Slowloris} \label{slowloris}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
The principle of this attack is to first open as many connections as
|
|
|
|
|
possible, aiming to fill the capacity of the server, and then keep them
|
|
|
|
|
open for as long as possible by sending periodic keep-alive packets.\\
|
|
|
|
|
This attack works at the application layer but the principle can easily be
|
|
|
|
|
reapplied elsewhere.
|
|
|
|
|
|
|
|
|
|
\n{2}{BGP hijacking}
|
|
|
|
|
BGP is an inter-Autonomous System routing protocol, whose primary function is
|
|
|
|
|
to exchange network reachability information with other BGP systems.
|
|
|
|
|
Furthermore, this network reachability information "includes information on the
|
|
|
|
|
list of Autonomous Systems (ASes) that reachability information traverses.
|
|
|
|
|
This information is sufficient for constructing a graph of AS connectivity for
|
|
|
|
|
this reachability, from which routing loops may be pruned and, at the AS level,
|
2021-05-14 06:44:16 +02:00
|
|
|
|
some policy decisions may be enforced. This information is sufficient for
|
|
|
|
|
constructing a graph of AS connectivity for this reachability, from which
|
|
|
|
|
routing loops may be pruned and, at the AS level, some policy decisions may be
|
|
|
|
|
enforced." \cite{rfc4271bgp4}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
BGP hijacking, in some places spoken of as prefix hijacking, route hijacking or
|
|
|
|
|
IP hijacking is a result of a intentional or unintentional misbehavior in
|
2021-05-14 06:44:16 +02:00
|
|
|
|
which a malicious or misconfigured BGP router originates a route to an IP
|
|
|
|
|
prefix it does not own and Zhang et al. find it is becoming an increasingly
|
|
|
|
|
serious security problem in the Internet \cite{Zhang2007PracticalDA}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{Low-rate DoS on BGP}
|
|
|
|
|
As shown by Zhang et al. in their "Low-Rate TCP-Targeted DoS Attack Disrupts
|
|
|
|
|
Internet Routing" paper, BGP itself is prone to a variation of slowloris due to
|
|
|
|
|
the fact that it runs over TCP for reliability. Importantly, this is a
|
|
|
|
|
low-bandwidth attack and a more difficult one to detect because of that.
|
|
|
|
|
Beyond the attack's ability to further slow down the already slow BGP
|
2021-05-14 06:44:16 +02:00
|
|
|
|
convergence process during route changes, it can cause a BGP session reset. For
|
2021-05-12 04:04:36 +02:00
|
|
|
|
the BGP session to be reset, the induced congestion by attack traffic needs to
|
2021-05-14 06:44:16 +02:00
|
|
|
|
last sufficiently long to cause the BGP Hold Timer to expire \cite{Zhang2007LowRateTD}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
On top of all that, this attack is especially hideous in that it can be launched
|
|
|
|
|
remotely from end hosts without access to routers or the ability to send
|
|
|
|
|
traffic directly to them.
|
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Attack tools} \label{sec:attack-tools}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Believe it or not there actually exists a DDoS attack tools topic on
|
|
|
|
|
GitHub
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\url{https://github.com/topics/ddos-attack-tools?o=desc\&s=stars}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{HOIC}
|
|
|
|
|
LOIC successor HTTP flooding High Orbit Ion Cannon, affectionately
|
2021-05-14 06:44:16 +02:00
|
|
|
|
referred to as 'HOIC' is a \emph{free software}\footnotemark tool which enables
|
2021-05-12 04:04:36 +02:00
|
|
|
|
one to stress-test the robustness of their infrastructure by applying
|
2021-05-14 06:44:16 +02:00
|
|
|
|
enormous pressure on the designated target in form of high number of requests.
|
|
|
|
|
It operates with HTTP and users are able to send 'GET' or 'POST' requests to as
|
|
|
|
|
many as 256 sites simultaneously.
|
|
|
|
|
While it is relatively easily defeated by a WAF (see \ref{waf}), the
|
|
|
|
|
possibility to target many sites at once makes it possible for users to
|
|
|
|
|
coordinate the attack, consequently making detection and mitigation efforts
|
|
|
|
|
more difficult.
|
|
|
|
|
|
|
|
|
|
\footnotetext{free as both in freedom and free beer}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{slowloris.py}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\texttt{slowloris.py} is a python script available
|
|
|
|
|
from~\url{github.com/gkbrk/slowloris} that is able to perform a slowloris
|
2021-05-12 04:04:36 +02:00
|
|
|
|
attack. It seeks to extinguish file descriptors needed for opening new
|
2021-05-14 06:44:16 +02:00
|
|
|
|
connections on the server and then keeping the connections for as long as it can.\\
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Legitimate requests cannot be served as a result, since there is no way for the
|
2021-05-14 06:44:16 +02:00
|
|
|
|
server to facilitate them until resources bound by bogus requests are freed,
|
|
|
|
|
i.e. the attack ceases to be.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\n{2}{Metasploit Framework}
|
|
|
|
|
Metasploit is a penetration testing framework with an open source community
|
2021-05-16 10:29:20 +02:00
|
|
|
|
version and a commercial version (Metasploit Unleashed) available. It enables
|
|
|
|
|
security researchers to automate workflows of probing vulnerable services or
|
|
|
|
|
devices via use of so called modules - smaller programs with definable inputs
|
|
|
|
|
that perform prefined actions. Modules are often community-contributed and one
|
|
|
|
|
can even write a module ourselves.a The SYN-flooding funtionality has been
|
|
|
|
|
implemented - \texttt{aux/synflood} an auxiliary module. Auxiliary modules do
|
|
|
|
|
not execute payloads and perform arbitrary actions that may not be related to
|
2021-05-14 06:44:16 +02:00
|
|
|
|
exploitation, such as scanning, fuzzing and denial of service attacks
|
|
|
|
|
\cite{metasploit}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{Web browser}
|
|
|
|
|
Depending on our point of view (more fittingly, our scaling
|
|
|
|
|
capabilities), sometimes all that is needed to cause a denial of
|
|
|
|
|
service is tons of people behind a web browser.\\
|
|
|
|
|
Numerous requests quickly overload a small server, eventually causing it
|
|
|
|
|
respond so slowly that the impact is indistinguishable from a DoS attack.
|
|
|
|
|
|
|
|
|
|
That is because in principle \it{a DoS attack} is practically the same
|
|
|
|
|
thing as discussed above, the only difference is the malicious intent,
|
|
|
|
|
imperceivable to a machine.
|
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Mitigation methods} \label{sec:mitigation-methods}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Drastic times require drastic measures and since a DDoS attacks coming
|
|
|
|
|
at us practically every other month classify as
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\it{drastic} quite easily, we're forced to act accordingly
|
|
|
|
|
\cite{akamai2021ddos}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
Still, it is more reasonable to prepare than to improvise, therefore the
|
2021-05-16 10:29:20 +02:00
|
|
|
|
following write-up mentions of commonly used mitigation methods at different
|
|
|
|
|
levels, from a hobbyist server to an e-commerce service to an ISP. The list is
|
2021-05-12 04:04:36 +02:00
|
|
|
|
inconclusive and of course if reading this at a later date, always cross-check
|
|
|
|
|
with the current best practices at the time.
|
|
|
|
|
|
|
|
|
|
\n{2}{Blackhole routing (black-holing, null routing)}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Black-holing is a technique that instructs routers that traffic for a specific
|
2021-05-12 04:04:36 +02:00
|
|
|
|
prefix is to be routed to the null interface, i.e. be dropped and is used to
|
|
|
|
|
cut attack traffic before it reaches the destination AS.\\
|
|
|
|
|
Assuming the router is properly configured to direct RFC 1918 destined traffic
|
|
|
|
|
to a null interface, traffic destined to the attacked network gets dropped,
|
|
|
|
|
making the attacked network unreachable to the attacker and everyone else.
|
|
|
|
|
Matter of factly, we actually conclude the DoS for the attacker
|
|
|
|
|
ourselves.\cite{rfc1918}\cite{rfc3882}
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
In case of a DDoS, the traffic is likely to come from all over the world
|
|
|
|
|
\cite{akamai2020ddosretrospect}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
The idea here is to announce to our upstream (ingress provider) that supports RTBH
|
2021-05-14 06:44:16 +02:00
|
|
|
|
(remotely-triggered black hole) signalling (critical) that we do not need any
|
2021-05-12 04:04:36 +02:00
|
|
|
|
traffic for the victim IP anymore. They would then propagate the announcement
|
|
|
|
|
further and in no time we'd stop seeing malicious traffic coming to a victim IP
|
|
|
|
|
in our network.
|
2021-05-14 06:44:16 +02:00
|
|
|
|
In fact, we would not see any traffic coming to the victim anymore, because we
|
|
|
|
|
just broadcast a message that we do not wish to receive traffic for it.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
For the entire time we're announcing it, the victim host stays unreachable.
|
|
|
|
|
|
|
|
|
|
We should make sure to announce the smallest possible prefix to minimise the
|
|
|
|
|
collateral damage. Generally, a /21 or /22 prefix is assigned to an AS (the
|
2021-05-16 10:29:20 +02:00
|
|
|
|
average prefix per AS being 22.7866 as of 11 May 2021 \cite{prefixavgsize})
|
|
|
|
|
announcing a black hole for such a large space would likely cause more damage
|
|
|
|
|
than the attack itself.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
To reduce BGP overhead, prefixes are usually announced aggregated, with the
|
|
|
|
|
exception of "a~situation", such as when we wish to only stop receiving traffic
|
|
|
|
|
for one IP address. Smallest possible accepted prefix size tends to be /24
|
2021-05-14 06:44:16 +02:00
|
|
|
|
(which is still a lot) with average prefix size updated being 23.11
|
|
|
|
|
\cite{prefixavgupdatedsize}, however, some upstream providers might even
|
|
|
|
|
support a /32 in case of emergency, effectively dropping traffic only for the
|
|
|
|
|
victim.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
When an attack hits, all we have to do is:
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item deaggregate prefixes
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item withdraw hit prefixes.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\end{enumerate}
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
In case our upstream provider did not support RTBH and we could not lose them
|
2021-05-12 04:04:36 +02:00
|
|
|
|
(e.g. the only one around), we could still make use of Team Cymru's new
|
|
|
|
|
BGP-based solution that distributes routes to participating networks using only
|
|
|
|
|
vetted information about current and ongoing unwanted traffic - the \b{Unwanted
|
|
|
|
|
Traffic Removal Service} (UTRS). It is a free community service, currently only
|
|
|
|
|
available to operators who have an existing ASN assigned and publicly announce
|
|
|
|
|
one or more netblocks with their own originating ASN into the public Internet
|
|
|
|
|
BGP routing tables.
|
|
|
|
|
|
|
|
|
|
If only there was a way to just shut down the bad traffic but keep the good one
|
2021-05-14 06:44:16 +02:00
|
|
|
|
flowing\footnotemark!
|
|
|
|
|
|
|
|
|
|
\footnotetext{other than scrubbing}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
Behold, this is what \it{selective black-holing} actually is. Some upstream
|
|
|
|
|
providers define multiple different blackhole communities each followed by a
|
2021-05-16 10:29:20 +02:00
|
|
|
|
predefined action on the upstream. One is able to announce to these communities
|
|
|
|
|
as needed.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Assume we would announce to a community that would in response announce the
|
2021-05-17 21:10:50 +02:00
|
|
|
|
blackhole to Internet exchanges in, say, North America and Asia and but allow
|
2021-05-16 10:29:20 +02:00
|
|
|
|
traffic coming from Europe, would be a perfect example of selective
|
|
|
|
|
black-holing.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
This causes two things to happen. First, our customer's IP is still reachable
|
|
|
|
|
from our local area (e.g. Europe) and since our fictitious customer mostly
|
|
|
|
|
serves European customers that's fine. Second, outside of the prefedined radius
|
|
|
|
|
(Europe in this exercise) any traffic destined for our network (of which the
|
|
|
|
|
victim IP is a part of) is immediately dropped at the remote IXPs, long before
|
|
|
|
|
it ever comes anywhere near our geographical area, let alone our network.
|
|
|
|
|
|
|
|
|
|
I believe this approach is superior to indiscriminate black-holing and, given
|
2021-05-14 06:44:16 +02:00
|
|
|
|
it is reasonably automated and quick to respond, in combination with other
|
2021-05-12 04:04:36 +02:00
|
|
|
|
mitigation methods it can provide a viable protection for the network.
|
|
|
|
|
|
|
|
|
|
\n{2}{Sinkholing}
|
2021-05-16 10:29:20 +02:00
|
|
|
|
Moving on, this method works by diverting only malicious traffic away from its
|
|
|
|
|
target, usually using a predefined list of IP addresses known to be part of
|
|
|
|
|
malicious activities to identify DDoS traffic. False positives can occur more
|
|
|
|
|
rarely and collateral damage is lesser than with black-holing but since botnet
|
|
|
|
|
IPs can be also used by legitimate users this is still prone to false
|
|
|
|
|
positives.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Additionally, sinkholing as such is ineffective against IP
|
|
|
|
|
spoofing, which is a common feature in network layer attacks.
|
|
|
|
|
|
|
|
|
|
\n{2}{Scrubbing}
|
|
|
|
|
An improvement on arbitrary full-blown sinkholing, during the scrubbing process
|
|
|
|
|
all ingress traffic is routed through a security service, which can be
|
|
|
|
|
performed in-house or can even be outsourced. Malicious network
|
|
|
|
|
packets are identified based on their header content, size, type, point of
|
|
|
|
|
origin, etc. using heuristics or just simple rules. The challenge is to perform
|
|
|
|
|
scrubbing at an inline rate without impacting legitimate users.
|
|
|
|
|
|
|
|
|
|
If outsourced, the scrubber service has the bandwidth capacity (either
|
2021-05-14 06:44:16 +02:00
|
|
|
|
on-demand or permanently) to take the hit that we do not have. There are at
|
2021-05-16 10:29:20 +02:00
|
|
|
|
least two ways to go about this - the BGP and the DNS way, we will cover the
|
|
|
|
|
BGP one. Once an attack is identified, we stop announcing the prefix that is
|
2021-05-12 04:04:36 +02:00
|
|
|
|
currently being hit, contact our scrubbing provider (usually
|
|
|
|
|
automatically/programatically) to start announcing the subject prefix,
|
|
|
|
|
receiving all its traffic (including the attack traffic), the scrubbing service
|
|
|
|
|
does the cleaning and sends us back the clean traffic \cite{akamaiddosdefence}.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
When performing the scrubbing in-house, we have to clean the traffic on our own
|
2021-05-12 04:04:36 +02:00
|
|
|
|
appliance that has to have sufficient bandwidth (usually on par with upstream).
|
|
|
|
|
|
|
|
|
|
A poor man's scrubber:
|
|
|
|
|
\begin{itemize}
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\item utilizing hardware accelerated ACLs on switches,
|
|
|
|
|
\item switches can do simple filtering at \it{inline rate} (ASICs)
|
|
|
|
|
\item this can be effective when attack protocol is easily distinguishable from
|
|
|
|
|
real traffic
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\item hit by NTP/DNS/SNMP/SSDP amplification attack
|
|
|
|
|
\end{itemize}
|
|
|
|
|
|
|
|
|
|
We should be performing network analysis and once higher rates of packets with
|
|
|
|
|
source ports of protocols known to be misused for DoS/DDoS start arriving to
|
|
|
|
|
our network (such as 123 or 53), we start signalling to our upstream
|
|
|
|
|
providers, since they can probably handle it better than us and have as much
|
|
|
|
|
interest in doing so as us (or should).
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
Volumetric attacks sending traffic in smaller packet sizes will, however,
|
|
|
|
|
still result in higher CPU utilization, especially on non-dedicated networking
|
|
|
|
|
equipment.
|
|
|
|
|
|
|
|
|
|
One thing we should do no matter whether we are currently suffering an attack
|
|
|
|
|
(and scrubbing it ourselves) is to rule out and drop and never receive traffic
|
2021-05-12 04:04:36 +02:00
|
|
|
|
appearing to come from \it{our own network}, since such traffic could not exist
|
|
|
|
|
naturally and is obviously spoofed.
|
|
|
|
|
|
|
|
|
|
Team Cymru has got now a long tradition of maintaining bogons lists called the
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\textbf{Bogon Reference}. Bogon prefixes are routes that should never appear in the
|
2021-05-12 04:04:36 +02:00
|
|
|
|
Internet routing table. A packet with an address from a bogon range should
|
|
|
|
|
not be routed over the public Internet. These ranges are commonly found as the
|
|
|
|
|
source addresses in DoS/DDoS attacks.\\
|
2021-05-17 21:10:50 +02:00
|
|
|
|
Bogons are netblocks that have not been allocated to a regional Internet
|
2021-05-12 04:04:36 +02:00
|
|
|
|
registry (RIR) by the Internet Assigned Numbers Authority (IANA) and Martian packets
|
2021-05-14 06:44:16 +02:00
|
|
|
|
(private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598
|
|
|
|
|
\cite{rfc1918}, \cite{rfc5735}, \cite{rfc6598}).
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
To get help with bogon ingress and egress filtering, we should set up automated
|
|
|
|
|
obtaining of updated and curated bogon lists via HTTP, BGP, RIRs and DNS from
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Team Cymru \cite{teamcymru}.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
In case we have our own ASN, are connected directly at an IXP, have no
|
2021-05-12 04:04:36 +02:00
|
|
|
|
RTBH support upstream and basically have no other choice, we just need
|
2021-05-16 10:29:20 +02:00
|
|
|
|
to find out who is sending the malicious traffic and, if possible, drop the
|
|
|
|
|
session and receive traffic from other peers.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{2}{IP masking} \label{ipmasking}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
This is technique is widely used (e.g. CloudFlare flagship service), relying
|
|
|
|
|
solely on not divulging sensitive information - in this case server IP - to
|
|
|
|
|
attackers and the capacity of the \it{fronting} service to withstand the attack
|
|
|
|
|
due to having access to more badwidth than the attacker can produce. All traffic
|
|
|
|
|
- including potentially harmful traffic - flows through what is basically a giant
|
|
|
|
|
proxy. However, before declaring it a net win for us, it is important to
|
|
|
|
|
acknowledge that it also comes with heavy privacy implications, as now some
|
|
|
|
|
other service performs TLS termination in our behalf and \textbf{sees
|
|
|
|
|
everything} (that was encrypted only \emph{in transit} and is not additionally
|
|
|
|
|
encrypted) that \emph{anyone} sends us, before finally forwarding it back.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{2}{WAF} \label{waf}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
WAF - \it{Web Application Firewall} - is an appliance used to protect
|
|
|
|
|
(as name suggests) web applications. In this day and age, this is
|
2021-05-14 06:44:16 +02:00
|
|
|
|
especially necessary and enables system administrators to craft protection
|
|
|
|
|
logic in one place and shield potentially vulnerable applications. This method
|
2021-05-12 04:04:36 +02:00
|
|
|
|
works on the application layer of the OSI model and is commonly deployed
|
2021-05-14 06:44:16 +02:00
|
|
|
|
as part of a web proxy or a module of a web proxy, which means network layer
|
2021-05-12 04:04:36 +02:00
|
|
|
|
attacks cannot be handled in this way. While not negligible, as always,
|
2021-05-14 06:44:16 +02:00
|
|
|
|
it is crucial to not have any assumptions and know exactly what
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\it{layer} of protection using of WAF brings.
|
|
|
|
|
|
|
|
|
|
Generally or at least as per CBP (current best practices), applications are not
|
|
|
|
|
deployed with ports exposed directly to the Internet. A sane approach of having
|
|
|
|
|
access to resources \it{proxied} yields multiple possibilities in terms of
|
|
|
|
|
authentication/authorization and protection scenarios and also several ways to
|
|
|
|
|
more effectively use resources available. For one, where any web content
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\it{caching} is required, it is easily achieved with a \it{caching} proxy
|
2021-05-12 04:04:36 +02:00
|
|
|
|
server. It commonly also enables specifying custom access policies.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
There are also hosted (cloud) WAF offerings, however, they come with exactly
|
|
|
|
|
the same privacy implications as IP masking solutions (see \ref{ipmasking}).
|
|
|
|
|
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\n{2}{Rate-limiting}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
As a general precaution, it is sane to limit number of connections a client is
|
2021-05-12 04:04:36 +02:00
|
|
|
|
able to make in a predefined amount of time (based on the requirements of the
|
|
|
|
|
service). The same applies to a limit on how many connections a client can have
|
|
|
|
|
open simultaneously, which can even prevent Slowloris (see \ref{slowloris}).
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Rate-limiting is usually set either on a proxy or a WAF, but some form of
|
|
|
|
|
rate-limiting can even be built into an app.
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
A well known rate-limiting pluggable solution that can be used with SSHd, HTTP
|
|
|
|
|
or multitude of other endpoints is \texttt{Fail2Ban}.
|
2021-05-14 06:44:16 +02:00
|
|
|
|
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{Decreased-TIME\_WAIT connection closing}
|
|
|
|
|
This can help withstand a situation when conntrack table fills up and
|
|
|
|
|
the server refuses to accept any new connections. There is absolutely no
|
|
|
|
|
reason to keep connections in the conntrack table long after they become
|
|
|
|
|
inactive. The Linux kernel's NetFilter actually has a scrubbing mechanism, that
|
|
|
|
|
is supposed to be getting the conntrack table rid of the timed-out entries.
|
|
|
|
|
Except practice shows they can linger for much longer than necessary.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
When dealing with massive amounts of traffic it is very reasonable not only to
|
2021-05-12 04:04:36 +02:00
|
|
|
|
increase the size of the conntrack table (memory trade-off), which is the
|
|
|
|
|
generally recommended solution, but also to decrease the TIME\_WAIT timeout to
|
|
|
|
|
force-evict connections that have stopped sending data.
|
|
|
|
|
It is also an easy way to mitigate slowloris (see \ref{slowloris}).
|
|
|
|
|
More on the workings of conntrack in \ref{netfilter}
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Nginx is a widely used proxy. It uses two FDs (file descriptors) for each
|
|
|
|
|
connection. The limit of max open FDs can indeed be increased easily,
|
|
|
|
|
howerever, we might still just be delaying the inevitable (FD exhaustion)
|
|
|
|
|
and inefficiently wasting precious compute resources needed when an attack
|
|
|
|
|
comes. If Nginx is unable to allocate FDs necessary to track a connection, the
|
|
|
|
|
connection attempt will fail. By resetting connections that timed out we
|
|
|
|
|
prevent such a situation from occurring easily. In Nginx this is set with a
|
|
|
|
|
single line: \texttt{reset\_timedout\_connection on;}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Mitigation tools} \label{sec:mitigation-tools}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
No tools are going to remedy for a bad design decision and that applies
|
2021-05-17 21:10:50 +02:00
|
|
|
|
equally to physical and Internet engineering.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
\n{2}{Firewall}
|
|
|
|
|
No matter the specific implementation, it is presumably safe to say that
|
|
|
|
|
any firewall is better than no firewall.
|
|
|
|
|
|
|
|
|
|
There are two main types of firewalls:
|
|
|
|
|
\begin{itemize}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\item software,
|
|
|
|
|
\item appliance (hardware-accelerated).
|
2021-05-12 04:04:36 +02:00
|
|
|
|
\end{itemize}
|
|
|
|
|
|
|
|
|
|
A software firewall is just another program running on the operating
|
2021-05-16 10:29:20 +02:00
|
|
|
|
system, apart from the fact that it is typically running with system-level
|
|
|
|
|
privileges. It can be run on a general-purpose computer. In fact most of the
|
|
|
|
|
consumer-grade operating systems nowadays incorporate or by default enable a
|
|
|
|
|
firewall solution.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
In contrast, an appliance firewall is a dedicated piece of hardware
|
|
|
|
|
purpose-build specifically for the sole role of behaving as a firewall and
|
|
|
|
|
is typically running a custom and very minimal operating system and no
|
2021-05-14 06:44:16 +02:00
|
|
|
|
userspace programs. Usually the system does not have a userspace, since it is
|
2021-05-12 04:04:36 +02:00
|
|
|
|
vendored to run as an appliance.
|
|
|
|
|
|
|
|
|
|
\n{3}{Software firewall}
|
|
|
|
|
Solutions available as software firewalls are typically specific to a given
|
|
|
|
|
operating system.
|
|
|
|
|
|
|
|
|
|
Usually, there exist several tools that enable communication with the core
|
|
|
|
|
implementing the logic, commonly by a way of embedding deeply in the networking
|
|
|
|
|
stack of the OS or utilizing kernel APIs. In Linux distributions, the Linux
|
|
|
|
|
kernel is the one that sees all. Each packet arriving at the network interface
|
|
|
|
|
is inspected by the kernel and a decision is made regarding it.
|
|
|
|
|
|
|
|
|
|
Historically, \texttt{ipset} and later \texttt{iptables} used to be the de-facto
|
|
|
|
|
standard, however, a more recent successor emerged quite some time ago
|
|
|
|
|
and is replacing (in modern distributions has replaced, although
|
|
|
|
|
backward compatibility has been preserved) the former two - the
|
|
|
|
|
\texttt{nftables} tool.
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{3}{Netfilter} \label{netfilter}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
The Linux kernel subsystem named \texttt{Netfilter} is part of the Internet
|
2021-05-12 04:04:36 +02:00
|
|
|
|
protocol stack of the kernel and is responsible for packet manipulation and
|
|
|
|
|
filtering \cite{Boye2012NetfilterCT}. The packet filtering and classification
|
|
|
|
|
rules framework frontend tools \texttt{iptables} as well as the newer
|
|
|
|
|
\texttt{nftables} can be interacted with via a shell utility and since they
|
2021-05-14 06:44:16 +02:00
|
|
|
|
also expose APIs of their own, it is common that they have graphical frontends
|
2021-05-12 04:04:36 +02:00
|
|
|
|
as additional convenience as well, most notably \texttt{firewalld}, which can
|
|
|
|
|
be used in conjunction with both of them.
|
|
|
|
|
|
|
|
|
|
Although newer versions of the Linux kernel support both \texttt{iptables} and
|
|
|
|
|
\texttt{nftables} just the same, only one of them can be used at a time. This
|
|
|
|
|
can be arbitrarily changed at runtime, a reboot is not necessary since they are
|
|
|
|
|
userspace tools) and interact with the kernel using \it{loadable kernel
|
|
|
|
|
modules}.
|
|
|
|
|
|
|
|
|
|
Part of the \texttt{Netfilter} framework responsible for connection tracking is
|
|
|
|
|
fittingly named Conntrack. Connection, or a \it{flow} is a tuple defined by a
|
|
|
|
|
unique combination of source address, destination address, source port,
|
2021-05-16 10:29:20 +02:00
|
|
|
|
destination port a and the transport protocol used.
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Conntrack keeps track of the flows in a special fixed-size
|
|
|
|
|
(tunable\footnotemark) in-kernel
|
2021-05-12 04:04:36 +02:00
|
|
|
|
hash table structure with a fixed upper limit.
|
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
\footnotetext{via \texttt{net.netfilter.nf\_conntrack\_buckets}}
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
On Linux devices functioning as router devices (especially when you add NAT to
|
|
|
|
|
the mix) a common issue is the depletion of space in the conntrack table. Once
|
|
|
|
|
the maximum number of connection is reached, Linux simply logs an error message
|
|
|
|
|
\texttt{nf\_conntrack: table full, dropping packet} to the kernel log and
|
|
|
|
|
"all further new connection requests are dropped until the table is below the
|
|
|
|
|
maximum limit again." \cite{Westphal2017CT}. That, as Westphal further notes,
|
|
|
|
|
is indeed very unfortunate, especially in DoS scenarios.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
Unless the router also functions as a NAT, this can be remedied in two ways:
|
|
|
|
|
decreasing the timeout until an established connection is closed and decreasing
|
|
|
|
|
the timeout until an inactive connection in the TIME\_WAIT state is evicted from
|
|
|
|
|
the conntrack table. By default, the TIME\_WAIT timeout is several hours long
|
2021-05-16 10:29:20 +02:00
|
|
|
|
and leaves the router vulnerable to packet floods or Slowloris.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
Netfilter is here to help again with conntrack treating entries that have not
|
2021-05-14 06:44:16 +02:00
|
|
|
|
(yet) seen two-way communication specially – they can be evicted early if
|
2021-05-12 04:04:36 +02:00
|
|
|
|
the connection tracking table is full. In case insertion of a new entry fails
|
2021-05-16 10:29:20 +02:00
|
|
|
|
because the table is full, "...the kernel searches the next 8 adjacent buckets
|
|
|
|
|
of the hash slot where the new connection was supposed to be inserted at for an
|
|
|
|
|
entry that has not seen a reply. If one is found, it is discarded and the new
|
|
|
|
|
connection entry is allocated."\cite{Westphal2017CT}. Randomised source address
|
|
|
|
|
in TCP SYN floods becomes a non-issue because now most entries can be
|
|
|
|
|
early-evicted because the TCP connection tracker sets the "assured" flag only
|
|
|
|
|
once the three-way handshake has completed.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
In case of UDP, the assured flag is set once a packet arrives after the
|
|
|
|
|
connection has already seen at least one packet in the reply direction, that is
|
|
|
|
|
the request/response traffic does not have the assured bit set and can
|
|
|
|
|
therefore be early-dropped at any time.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\n{2}{FastNetMon DDoS Mitigation toolkit}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
Originally created by Pavel Odintsov, this program can serve as a helper on top
|
|
|
|
|
of analysis and metric collection tools, evaluate data and trigger configurable
|
2021-05-17 21:10:50 +02:00
|
|
|
|
mitigation reactions \cite{fastnetmonorig}, \cite{fastnetmonfork},
|
|
|
|
|
\cite{fastnetmonng}.
|
|
|
|
|
|
|
|
|
|
FastNetMon can run on most popular architectures an several different
|
|
|
|
|
general-purpose and specialised platforms such as Linux distributions, VyOS,
|
|
|
|
|
FreeBSD or Mikrotik devices. Most of the program is written in C++ but it uses
|
|
|
|
|
many C libraries for additional functionality and also Perl install scripts. It
|
|
|
|
|
has got a command line client and an API and analysis server. Its detection
|
|
|
|
|
engine is able to identify many types of flood attacks, fragmentation and
|
|
|
|
|
amplification attacks. The metrics can be exported into an InfluxDB engine for
|
|
|
|
|
visualization. It is capable of interacting directly with BGP-enabled equipment
|
|
|
|
|
and even supports Flow Spec.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-07 23:17:24 +02:00
|
|
|
|
|
|
|
|
|
% ============================================================================ %
|
2021-05-08 02:18:32 +02:00
|
|
|
|
\part{Practical part}
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Infrastructure Set-Up Description} \label{sec:infrastructure-set-up-description}
|
2021-05-14 06:44:16 +02:00
|
|
|
|
The testing was performed in a virtual lab comprised of five virtual machines
|
|
|
|
|
(VMs) running on a KVM-enabled Fedora 34. Since the expectation was to
|
|
|
|
|
frequently tweak various system settings of the guests (VMs) as part of the
|
|
|
|
|
verification process, we decided to take the \emph{infrastructure as code}
|
|
|
|
|
approach. Every piece of infrastructure - down to the details of how many
|
|
|
|
|
virtual CPUs are allocated to a host, what is the disk size and the filesystem,
|
|
|
|
|
etc. - is declared as code, can be versioned and used to provision resources.
|
|
|
|
|
|
|
|
|
|
The industry standard tool \texttt{Terraform} was chosen due to a broad support
|
|
|
|
|
of infrastructure and providers, great documentation, large user base and the
|
|
|
|
|
tool being open source.
|
|
|
|
|
|
|
|
|
|
For bootstrapping, \texttt{cloud-init} has been used mainly because of the fact
|
|
|
|
|
that it can integrate with terraform quite smoothly, works on many Linux
|
|
|
|
|
distributions and allows us to pre-setup things like copy over SSH pubkeys so
|
|
|
|
|
that a secure connection can be established right after first boot, set VM
|
|
|
|
|
hostname, locale, timezone, add users/groups, install packages, run commands
|
|
|
|
|
and even create arbitrary files, such as program configurations.
|
|
|
|
|
|
2021-05-13 01:43:46 +02:00
|
|
|
|
The disk sizes of the VMs were determined by the size of their base image.
|
|
|
|
|
The VM naming convention is specified as follows: a prefix \texttt{r\_} for
|
|
|
|
|
routers and \texttt{h\_} for other hosts, in our case the attacker, victim and
|
2021-05-14 06:44:16 +02:00
|
|
|
|
defender machines.
|
2021-05-13 01:43:46 +02:00
|
|
|
|
|
2021-05-08 04:10:50 +02:00
|
|
|
|
\n{2}{VM specifications}
|
2021-05-13 01:43:46 +02:00
|
|
|
|
\tab{VM specifications}{tab:vmspecifications}{0.75}{ |c||rrrrc| }{
|
2021-05-08 04:10:50 +02:00
|
|
|
|
\hline
|
|
|
|
|
\bf{VM name} & \bf{vCPU(s)} & \bf{RAM} & \bf{disk space} & \bf{net ifaces} &
|
|
|
|
|
\bf{operating system} \\
|
|
|
|
|
\hline\hline
|
2021-05-13 01:43:46 +02:00
|
|
|
|
r\_upstream & 1 & 768MB & 4.3GB & {outer,DMZ} & Fedora 33 \\
|
|
|
|
|
\hline
|
|
|
|
|
r\_edge& 1 & 768MB & 4.3GB & {DMZ,inner} & Fedora 33 \\
|
|
|
|
|
\hline
|
|
|
|
|
h\_victim & 1 & 768MB & 11GB & {inner} & CentOS 8 \\
|
|
|
|
|
\hline
|
|
|
|
|
h\_attacker & 1 & 1GB & 5.37GB & {outer} & Fedora 34 \\
|
|
|
|
|
\hline
|
|
|
|
|
h\_defender & 1 & 1GB & 5.37GB & {DMZ} & Fedora 34 \\
|
2021-05-08 04:10:50 +02:00
|
|
|
|
\hline
|
|
|
|
|
}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
The inner (our edge) and the upstream (our transit provider) routers are
|
2021-05-16 10:29:20 +02:00
|
|
|
|
each part of different \it{AS}. They are directly connected and communicate
|
|
|
|
|
using BGP. The outer router and the inner router are BGP peers.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
|
|
|
|
We assume our upstream provider supports RTBH signalling.
|
|
|
|
|
In this scenario the attacker is directly connected to our UPSTREAM router,
|
|
|
|
|
and while in reality there would probably be a greater distance between us and
|
|
|
|
|
them, this is fine for our simulation purposes, since malicious traffic will be
|
|
|
|
|
cut before it reaches us.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
If our upstream provider did not support RTBH signalling, in case we were
|
|
|
|
|
attacked we could still use a scrubbing service but it is preferred that such a
|
2021-05-12 04:04:36 +02:00
|
|
|
|
provider is picked that has the RTBH capabilities.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
The cunning plan is to watch for traffic anomalies, when the attack comes
|
|
|
|
|
detect it as soon as possible, trigger a reaction (announce a black hole), wait
|
|
|
|
|
for some time, withdraw the black hole if the attack is gone and reintroduce it
|
|
|
|
|
if it is still going on. Automatically, of course.
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\begin{figure}[!hbt]
|
|
|
|
|
\centering
|
|
|
|
|
\begin{tikzpicture}
|
|
|
|
|
\fill[even odd rule,gray!30] circle (2.3) circle (2.2);
|
|
|
|
|
\arcarrow{2}{2.25}{2.5}{165}{200}{5}{red!50,
|
|
|
|
|
draw = red!50!black, very thick}{attack}
|
|
|
|
|
\arcarrow{2}{2.25}{2.5}{210}{260}{5}{blue!50,
|
|
|
|
|
draw = blue!50!black, very thick}{detection}
|
|
|
|
|
\arcarrow{2}{2.25}{2.5}{270}{320}{5}{green!50,
|
|
|
|
|
draw = green!50!black, very thick}{blackhole}
|
|
|
|
|
\arcarrow{2}{2.25}{2.5}{330}{460}{5}{blue!50,
|
|
|
|
|
draw = blue!50!black, very thick}{wait {\&} withdraw blackhole}
|
|
|
|
|
\arcarrow{2}{2.25}{2.5}{470}{515}{5}{blue!50,
|
|
|
|
|
draw = blue!50!black, very thick}{analysis}
|
|
|
|
|
\end{tikzpicture}
|
|
|
|
|
\caption{The Cunning Plan} \label{fig:cunning-plan}
|
|
|
|
|
\end{figure}
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
Initially, two approaches for setting up infrastructure were considered.
|
|
|
|
|
While both proposed to use KVM and \texttt{Terraform} with \texttt{libvirt}
|
|
|
|
|
provider \cite{libvirt-tf-provider}, the first one planned to continue
|
|
|
|
|
configuring the VMs with \texttt{cloud-init}, which is compatible with any
|
|
|
|
|
GNU/Linux distribution. The finishing touches would be done using
|
|
|
|
|
\texttt{ansible}. The second one, on the other hand, considered a newer
|
|
|
|
|
technology - Fedora CoreOS, which uses a different paradigm where hosts are
|
|
|
|
|
only customised on initial boot via \texttt{ignition} (although he
|
|
|
|
|
configuration format used is called \it{Butane}, which uses YAML and is then
|
|
|
|
|
transpiled to Ignition's JSON) and ran as configured, by default without a
|
|
|
|
|
separate install disk. This provides the much needed system immutability during
|
|
|
|
|
runtime but also makes it more difficult to configure. Configuration changes
|
|
|
|
|
\it{can} be done during runtime, however, the CoreOS provisioning philosophy
|
|
|
|
|
teaches that there is no need to deploy once and endlessly configure (by hand
|
|
|
|
|
or e.g. with \texttt{ansible}) when boot times are short (Ignition runs before
|
|
|
|
|
the userspace begins to boot) and the system is as minimal as possible
|
|
|
|
|
(container-like).
|
2021-05-12 04:04:36 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\begin{description}
|
|
|
|
|
\item[approach 0:]\
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
\item KVM
|
|
|
|
|
\item \texttt{terraform} with \texttt{libvirt} provider
|
|
|
|
|
\item \texttt{cloud-init}
|
|
|
|
|
\item \texttt{ansible}
|
|
|
|
|
\end{itemize}
|
|
|
|
|
\end{description}
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\begin{description}
|
|
|
|
|
\item[approach 1:]\
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
\item KVM
|
|
|
|
|
\item \texttt{terraform}
|
|
|
|
|
\item \texttt{ignition}
|
|
|
|
|
\item Fedora CoreOS
|
|
|
|
|
\end{itemize}
|
|
|
|
|
\end{description}
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
We decided to go with the approach 0 as we felt it was more appropriate for our
|
|
|
|
|
use case, which involves relatively lot of configuration.
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[VMs required:]\
|
|
|
|
|
\begin{itemize}
|
|
|
|
|
\item victim
|
|
|
|
|
\item router - inner
|
|
|
|
|
\item router - edge
|
|
|
|
|
\item attacker
|
|
|
|
|
\item defence machine
|
|
|
|
|
\end{itemize}
|
|
|
|
|
\end{description}
|
2021-05-08 04:10:50 +02:00
|
|
|
|
See tab.~\ref{tab:vmspecifications} for details.
|
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
To reiterate, simulating multiple physical devices performing different roles
|
|
|
|
|
(routing, attacking, playing victim) in our attack-defence/mitigation scenario
|
|
|
|
|
has been achieved by creating a test-lab virtual infrastructure.\\
|
|
|
|
|
The tried-and-true way, state-of-the-art Linux kernel-native virtualization
|
|
|
|
|
solution has been chosen to tackle the hypervisor task - the KVM technology.
|
|
|
|
|
|
|
|
|
|
Testing has been performed on our personal laptop - Dell Latitude 5480
|
|
|
|
|
machine equipped with a ULV dual-core Intel i5 Core 6300U processor with
|
|
|
|
|
\texttt{mitigations=off}, 24GB (8+16) of RAM and a 512GB SATA SSD (TLC).
|
|
|
|
|
|
|
|
|
|
The host operating system from the perspective of VMs was \texttt{Fedora\ 34}.
|
|
|
|
|
Both \texttt{updates} and \texttt{updates-testing} repositories have been
|
|
|
|
|
enabled, which allowed us to use latest (at the time) stable Linux kernel
|
|
|
|
|
Fedora had to offer directly without too much of a hassle, as of the time of
|
|
|
|
|
writing in version \texttt{5.11.20}.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-14 06:44:16 +02:00
|
|
|
|
File system in use on the host was Btrfs on top of LVM (LUKS+LVM to be
|
2021-05-08 04:10:50 +02:00
|
|
|
|
precise) and a Btrfs subvolume has been created specifically for the
|
2021-05-17 21:10:50 +02:00
|
|
|
|
libvirt storage pool for better logical isolation (subvolumes are omited during
|
|
|
|
|
snapshotting etc.; that way the lab does not end up in system snapshots. Since
|
|
|
|
|
all of the system images for our VMs have been downloaded in a QCOW2 format,
|
|
|
|
|
the CoW (Copy-on-Write) feature of Btrfs has been turned off for the subject
|
|
|
|
|
subvolume, just as recommended in the Brfs Sysadmin Guide \cite{linuxbtrfs}
|
|
|
|
|
for improved storage performance (and decreased flash wear).
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
|
|
|
|
Notably, the system has also been using the \texttt{nftables} backend of
|
|
|
|
|
\texttt{firewalld}, for which, luckily, \texttt{libvirt} was already
|
2021-05-17 21:10:50 +02:00
|
|
|
|
prepared and played nice together.
|
|
|
|
|
|
|
|
|
|
The whole infrastructure code resides in a git repository available at
|
|
|
|
|
\url{https://git.dotya.ml/mirre-bt/tf-libvirt}.
|
|
|
|
|
|
|
|
|
|
\n{2}{Terraform and Cloud-Init}
|
|
|
|
|
Thanks to the \texttt{libvirt} provider for Terraform, VMs could easily be
|
|
|
|
|
brought up and torn down. Terraform works by tracking state of the resources
|
|
|
|
|
that together create the infrastructure, which can be described in numerous ways.
|
|
|
|
|
Every resource that is absent needs to be created. Terraform uses a
|
|
|
|
|
\emph{plan} of the infrastructure as it wants to \emph{apply} changes to the
|
|
|
|
|
current \emph{state}. Every VM or a network, every backing storage is a
|
|
|
|
|
resource that is managed for us, which is very convenient especially for
|
|
|
|
|
testing.
|
|
|
|
|
|
|
|
|
|
The initial boot configuration has been performed by Cloud-Init
|
|
|
|
|
\cite{cloudinit}. It enabled us to configure users with SSH public keys to
|
|
|
|
|
secure further connections, install packages and create arbitrary files.
|
|
|
|
|
Scenario-role-specific configuration was made really easy thanks to this tool.
|
|
|
|
|
|
|
|
|
|
\n{2}{Ansible}
|
|
|
|
|
What has not been prepared by either Terraform or Cloud-Init was left to
|
|
|
|
|
Ansible. It was used to deploy configurations of GoBGPd and FastNetMon, as well
|
|
|
|
|
as to install and enable services.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Mitigation tools set-up} \label{sec:mitigation-tools-set-up}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
\n{2}{FastNetMon}
|
2021-05-08 04:10:50 +02:00
|
|
|
|
An open-source DDOS mitigation toolkit named \texttt{fastnetmon} was
|
2021-05-14 06:44:16 +02:00
|
|
|
|
picked to serve as an attack detection tool. It supports analysing traffic from
|
2021-05-16 10:29:20 +02:00
|
|
|
|
multiple different exporter types, including Netflow (v5 and v9), sFlow and port
|
2021-05-14 06:44:16 +02:00
|
|
|
|
mirrors.
|
2021-05-17 21:10:50 +02:00
|
|
|
|
We tried the installer from projects website, however, the
|
|
|
|
|
installation did not appear to succeed. Therefore, we decided to build it from
|
|
|
|
|
sources. That is when we uncovered some curious information.
|
|
|
|
|
|
|
|
|
|
The project's master branch on GitHub, where it is hosted, appears to have been
|
|
|
|
|
modified on 22 June 2016 \cite{fnm-wayback} \cite{fastnetmonorig}. Since we
|
|
|
|
|
knew about some propagation activities \cite{fnm-freebsd-wayback} and we found
|
|
|
|
|
the repo as "updated" on 17 Feb 2021 (that is what GitHub shows when e.g. a
|
|
|
|
|
description is updated) \cite{fnm-search-wayback} at the same time as we saw
|
|
|
|
|
the last commit pushed with a 2016 date, we went digging over the project's
|
|
|
|
|
forks to find out what happened to the project. They perfectly preserve it,
|
|
|
|
|
from a point in time when the "fork" (essentially a clone) was created, up
|
|
|
|
|
until the latest updates that have either been integrated from upstream or
|
|
|
|
|
changed by the owner of the fork. While some forks have been abandoned a long
|
|
|
|
|
time ago, several more showed the same tree with the exact same commits,
|
|
|
|
|
referring to a common history. Furthermore, the one thing giving away what
|
|
|
|
|
apparently happened (not why) with almost certainty is the Pull Requests tab.
|
|
|
|
|
It showed some 164 Closed PRs, some of them \it{merged} as late as 23 Dec 2020
|
|
|
|
|
\cite{fnm-pulls-wayback}. That is, the history \it{has} indeed been overwritten
|
|
|
|
|
and we have no information as to why, but that was also a reason why we chose
|
|
|
|
|
to use one of the latest updated forks \cite{fnm-fork-wayback} \cite{fastnetmonfork}
|
|
|
|
|
as a base for our work \cite{fastnetmonng} instead of the original upstream.
|
|
|
|
|
The claim that the history has been overwritten is also supported by an earlier
|
|
|
|
|
grab (snapshot) of the project by the Internet Archive's awesome \emph{Wayback
|
|
|
|
|
Machine} \cite{fnm-early-wayback}, the rest have been triggered by us to help
|
|
|
|
|
support the arguments in case anything changed.
|
|
|
|
|
|
|
|
|
|
Ad setup itself, several changes had to be made to the project to make it even
|
|
|
|
|
compile on recent hosts (Fedora 33/34, Arch Linux). A Drone CI build job has
|
|
|
|
|
been set up to help make sure nothing breaks with our changes. Fastnetmon needs
|
|
|
|
|
quite a lot of dependencies for its full functionality and the way to go about
|
|
|
|
|
it in the project was using custom versions of the third party libraries to
|
|
|
|
|
link against, all downloaded using the Perl install script mentioned earlier.
|
|
|
|
|
While that might seem like a sound idea, we feel in the long run it is always
|
|
|
|
|
better to use a reasonably recent distribution with sizable repositories and
|
|
|
|
|
active community that, combined, are able to provide for most developer needs.
|
|
|
|
|
The only major overhaul that had to be done was patching the
|
|
|
|
|
\texttt{CMakeLists.txt} file to instruct CMake/Make to use system locations to
|
|
|
|
|
look for headers and (dynamic) libraries (\texttt{.so} files) instead of
|
|
|
|
|
download location from the install script. Further, to accomodate using newer
|
|
|
|
|
version of \texttt{nDPI} (Open Source Deep Packet Inspection Software Toolkit)
|
|
|
|
|
that aids FastNetMon with traffic sorting (if enabled), an interface and
|
|
|
|
|
\texttt{fast\_dpi.h} header had to be updated. The history of all changes can be
|
|
|
|
|
found in the repository at \url{https://git.dotya.ml/wanderer/fastnetmon-ng}.
|
|
|
|
|
|
|
|
|
|
For building and deployment to the defender host, an Ansible role has been
|
|
|
|
|
created. It makes sure that FastNetMon is built correctly, installed and its
|
|
|
|
|
\texttt{systemd} service is \it{enabled} (at boot time) and started.
|
|
|
|
|
|
|
|
|
|
\n{2}{GoBGPd}
|
|
|
|
|
We attempted to peer the two router VMs, however, we were not able to pin down
|
|
|
|
|
the proper configuration that would allow us to define a community tied to a
|
|
|
|
|
black-holing action.
|
|
|
|
|
|
|
|
|
|
\n{2}{Netflow}
|
|
|
|
|
FastNetMon supports collecting Netflow metrics, therefore the edge router has
|
|
|
|
|
been configured to listen on the upstream interface and to send traffic
|
|
|
|
|
information to this FastNetMon's collector. The ansible role
|
|
|
|
|
\url{github.com/juju4/ansible-fprobe} has been edited and used to deploy
|
|
|
|
|
the configuration to the edge router.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Attack tools set-up} \label{sec:attack-tools-set-up}
|
2021-05-08 04:10:50 +02:00
|
|
|
|
When considering the way to simulate an attack locally, we weren't
|
|
|
|
|
primarily looking for a tool, which would enable a decentralised (the
|
|
|
|
|
first "D" of DDOS) attack, instead the objective was mainly to congest
|
|
|
|
|
the weakest link, which would happen to live inside our network (that's
|
|
|
|
|
why we're concerned in the first place).
|
|
|
|
|
|
|
|
|
|
\n{2}{slowlorispy}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
With this python script there are a couple of flags to tweak the intended
|
|
|
|
|
behaviour. Flag \texttt{-p} sets the port we want to target,
|
|
|
|
|
\texttt{--sleeptime} allows us to rate-limit the tool so that we open as many
|
|
|
|
|
connections as possible without getting banned. The \texttt{-s} flag specifies
|
|
|
|
|
the number of sockets we want to open.
|
|
|
|
|
|
|
|
|
|
\n{2}{iperf3}
|
|
|
|
|
This tool works in server-client mode. To receive traffic, it \texttt{runs in
|
|
|
|
|
server mode} and listens on port 5201 by default, although both the traffic
|
|
|
|
|
direction and port and multitude of other parameters can be configured.
|
|
|
|
|
To listen on the victim server, we simply ran \texttt{iperf3 -s -P 8} to
|
|
|
|
|
receive 8 parallel streams.
|
|
|
|
|
Then on the client - the attacker - we entered \texttt{iperf3 -c \{server
|
|
|
|
|
ip\} -P 8} to send 8 parallel streams to the victim. This filled the available
|
|
|
|
|
link bandwidth but, unfortunately, we haven not observed FastNetMon ban action
|
|
|
|
|
even though the threshold has been crossed.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
\n{1}{Performing an attack} \label{sec:performing-an-attack}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
We were not able to extinguish connections on the server using
|
|
|
|
|
\texttt{slowloris.py}, presumably because the inactive connections were quickly
|
|
|
|
|
being closed. While the number of used sockets steadily grew, after about 5000
|
|
|
|
|
this tool was not able to open any new connections and the server worked fine.
|
2021-05-08 04:10:50 +02:00
|
|
|
|
|
2021-05-17 21:10:50 +02:00
|
|
|
|
As per running FastNetMon attack traffic detection, we have experienced
|
|
|
|
|
unexpected troubles in the form of fastnetmon incorrectly reporting 0pps for
|
|
|
|
|
both outbound and inbound traffic. We were not able to uncover the root cause
|
|
|
|
|
of the issue.
|
2021-05-07 23:17:24 +02:00
|
|
|
|
|
2021-05-16 10:29:20 +02:00
|
|
|
|
|
2021-05-07 23:17:24 +02:00
|
|
|
|
% ============================================================================ %
|
2021-05-08 02:18:32 +02:00
|
|
|
|
\nn{Conclusion}
|
2021-05-17 21:10:50 +02:00
|
|
|
|
The goal of our work was to describe some of the popular types of DoS attacks,
|
|
|
|
|
casually used attack methods and tools. In the theoretical part, we also
|
|
|
|
|
outlined mitigation methods available to network operators and end users alike,
|
|
|
|
|
along with their scope and reach. Next, we looked at tools that aid mitigating
|
|
|
|
|
DoS attacks.
|
|
|
|
|
In the practical part, we have arrived at unexpected results, where we were not
|
|
|
|
|
able to fully simulate the black hole propagation among ASes due to
|
|
|
|
|
configuration inconsistencies. Unfortunately, this stays as a challenge for us.
|
2021-05-07 23:17:24 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
% ============================================================================ %
|