Denial-of-Service (DoS)
Attacks Network Systems
Security

Mort Anvari


A Security Problem in
Network








An adversary that has access to a network can
insert new messages, modify current
messages, or replay old messages in the
network
These inserted, modified, and replayed
messages can go undetected until they cause
severe damage to network
The physical location of the adversary in
network may never be determined
Example: denial-of-service attacks

10/5/2004

2

Denial-of-Service (DoS)
Attacks




Aimed to deny normal service
provided by the target computer
Communication-stopping attacks




ARP spoofing attack

Resource-exhausting attacks



Smurf attack
SYN attack

10/5/2004

3


Ping Protocol





Allow any computer to check whether any other computer in the
Internet is up
Any computer x can send a “ping” message to any computer y
which replies by sending back a “pong” message (thus x knows y is
up)



In ping message:
In pong message:

src = xand
src = yand

dst = y
dst = x

ping(x, y)

x

y
pong(y, x)

10/5/2004


4


Broadcast Ping Protocol




If in ping message dst = “all”, a copy of ping is broadcast to
every computer
Each computer replies by sending back a pong, and x is
flooded with pong messages



In ping message:
In pong message:

src = xand
src = yand

pong(y´,x)

dst = “all”
dst = x

y´

ping(x,all)


x

y
pong(y, x)

10/5/2004

5


Smurf Attack




An adversary pretends to be x and broadcasts a
ping message where src = x and dst = “all”
Thus, x is flooded with pong messages that it has
not requested: denial-of-service attack at x

a

ping(x,all)

y´

pong(y´,x)

x


y
pong(y, x)

10/5/2004

6


Countering Smurf Attack


Make each router check the src of each
received message and discard the message
if the src is suspicious
src=x
shouldn’t
come to me

a

ping(x, all)

R1

R2

R3

y´


x

10/5/2004

y

7


Clever Smurf Attack




An adversary inserts a ping(x, all) message
between routers R2 and R3
R3 thinks the message was forwarded by
R2 and so accepts the message
a

R1

R2

R3

y´

ping(x, all)


x

10/5/2004

y

8


Countering Clever Smurf
Attack






When R3 receives a message, R3 needs to
determine whether message was indeed
sent by R2, or was modified or replayed
by an adversary between R3 and R2
If use IPSec, will need to set up SA’s
between each pair of adjacent routers: too
expensive
Our solution: use hop integrity protocol
between each pair of adjacent routers

10/5/2004

9



Hop Integrity




Let p, q be routers connected to same
subnetwork
Detection of Message Modification:




when q receives a message m supposedly
from p, q can check that m was not modified
after sent

Detection of Message Replay:


when q receives a message m supposedly
from p, q can check that m was not a replay
of an old message

10/5/2004

10



Adversary vs. Routers


The adversary can perform three types of
actions to disrupt communication between
two routers








Message loss
Message modification
Message replay

The routers are assumed to be secure and
cannot be compromised by the adversary
The routers will execute hop integrity
protocols that can detect and defeat the
adversary actions

10/5/2004

11


Hop Integrity Protocol





Each pair of adjacent routers need to share a secret S,
which is updated periodically by the two routers using a
secret exchange protocol
To each IP message sent between two adjacent routers,
add a sequence number sq, and an integrity check d

hd

txt

IP message

d := MD(S | hd | sq | txt)
d
16 bytes if MD5;
20 bytes if SHA-1

hd

sq

10/5/2004

d

txt


MD

MD5 or SHA-1

sq

4 bytes

12


Architecture of
Hop Integrity Protocols

secret
exchange
layer

router p

router q

Applications

Applications

Transport

Transport

qe

pe

secrets

Network

Network
integrity
check
layer

pw

or

Subnetwork

ps

secrets

qw

or

qs

Subnetwork


.

10/5/2004

13


Component of
Hop Integrity Protocols


Three protocols between each pair
of adjacent routers




secret exchange protocol
weak integrity protocol
strong integrity protocol

10/5/2004

14


How to Exchange Secret






Each router p has a secret S that it uses
for computing the digest of every msg
sent to an adjacent router q
Both p and q need to know S
What if p sends secret update message
to q periodically?




Problem due to message loss

What if p sends secret update message
to q periodically and q sends an ack to p?


Problem due to bundling of secret exchange
layer and integrity check layer

10/5/2004

15


Secret Exchange Protocol







q updates secret S used by p by sending
a secret update message to p every T
hours
When p receives secret update message
from q, p updates secret and sends an
ack to q
If q does not receive ack from p for t
seconds, q retransmits the secret
update message

10/5/2004

16


Secret Exchange Protocol
S[0]
S[1]

q

p S
S[0] = S[1] = S

BpS[0], S[1]


S[0] old
S[1] new
if S[1] = S
then S[0] :=S[1]

if S = S[0]  S = S[1]
then S :=S[1]

BqS
S[0] = S[1] = S

T hours

BpS[0], S[1]

S[0] old
S[1] new
if S[1] = S
then S[0] :=S[1]

10/5/2004

BqS

if S = S[0]  S = S[1]
then S :=S[1]

S[0] = S[1] = S

17



Recovery in
Secret Exchange Protocol
S[0]
S[1]

t seconds

q

p S
S[0] = S[1] = S

BpS[0], S[1]

S[0] old
S[1] new

S[0] = S  S[1]

BpS[0], S[1]
t seconds

if S = S[0] S = S[1]
then S :=S[1]

BqS
S[1] = S  S[0]


BpS[0], S[1]

if S[1] = S
then S[0] :=S[1]

10/5/2004

BqS

if S = S[0] S = S[1]
then S :=S[1]

S[0] = S[1] = S

18


Weak Integrity Protocol





To detect insertion and modification
Each sent msg from p to q is as follows
(hd | d | txt)
where p computes d as
d = MD(S | hd | txt)
On receiving a msg, q checks
if

d = MD(S[0] | hd | txt) 
d = MD(S[1] | hd | txt)
then q forwards msg
else q discards msg

10/5/2004

19


Weak Integrity Protocol
S[0]
S[1]

p S

q
(hd | d | txt)

.
.

10/5/2004

20


Strong Integrity





To detect replay, successive sequence
numbers are attached to all sent msgs
from p to q
Problem with reset






If p is reset, unbounded number of fresh
messages are discarded by q
If q is reset, it can accept unbounded
number of replayed messages

Two solutions to overcome reset



Soft sequence numbers
Hard sequence numbers

10/5/2004

21


Soft Sequence Numbers







Successive sequence numbers are attached to
all sent msgs from p to q:
(hd | sq | txt)
q maintains two variables
expsequence number of next msg
c #msgs received
On receiving a msg, q checks
if (exp  sq)  (c = random value cmax)
then
q forwards msg
else
q discards msg
fi; q updates exp, c, cmax

10/5/2004

22


Soft Sequence Numbers
exp
c
cmax


p sq

q
(hd | sq | txt)

sq
sq+1

.
.

10/5/2004

23


Strong Integrity Protocol
Using Soft Sequence Numbers




Each sent msg from p to q is as follows
(hd | sq | d | txt)
where p computes d as
d = MD(S | hd | sq | txt)
On receiving a msg, q checks
if
(d = MD(S[0] | hd | sq | txt) 
d = MD(S[1] | hd | sq | txt) ) 

(exp  sq  c = random value cmax)
then q forwards msg
else q discards msg
fi;
q updates exp, c, cmax

10/5/2004

24


Hard Sequence Numbers






To overcome reset, use two operations
SAVE and FETCH
When SAVE is executed, the last
sequence number will be stored in
persistent memory
When FETCH is executed, the last
stored sequence number will be loaded
from persistent memory into memory

10/5/2004

25