CS 513 - System Security
Lecture 5
Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 2/10/00
Today's Topic - Denial of Service Attacks
- What is a denial of service attack?
- General Observations
- Attack Strategies and Corresponding Defenses
What is a denial of service attack?
A denial of service attack is an attack with the intent of compromising
availability. The goal is to prevent the victim from rendering service to
bona fide customers. This goal is achieved by exhausting the victim's resources.
General Observations
- Wherever a design relies on an assumption, there is a vulnerability (an
attack can violate the assumption). Often a designer will not even realize that an
assumption has been made.
- Using standards does not necessarily introduce vulnerabilities into the system, but
assuming that a particular standard is being used does.
- In a monoculture (where everyone uses the same product/technique), a vulnerability in
the common components is a vulnerability in every system. Therefore, an attack that
exploits such a common vulnerability can be used to attack any (or all) of the systems.
Attack Strategies and Corresponding Defenses
Defense x is used to prevent Attack x.
Defense 0: Increase capacity and/or weaken server guarantees so that the server can
handle the largest possible load (even if that load is very unlikely to occur). This would
prohibit denial of service attacks, but is a huge waste of resources. Since Defense 0 is
usually impractical, designers must make assumptions about the load. Like all assumptions,
this will create vulnerabilities.
Attack 1: Violate load assumption by repeatedly sending the server requests as fast as
possible. The attack succeeds if it is cheaper (time wise) to send a request than to
handle it.
Defense 1: Design the system so that a request is cheaper to handle than it
is for the attacker to construct and send.
The relevant handling cost of a request could be reduced by cheaply detecting and
blocking/discarding requests that are not bona fide. Alternatively, the request processing
cost could be increased by requiring a show of good faith (i.e. computation or other
expenditure of resources) before processing the request.
Example of Good Faith Protocol:
- client sends request
- server chooses 2 large numbers, x and y,
multiplies x and y to get a number z,
encrypts x and y to get e(x) and e(y) respectively,
sends the client z, e(x), and e(y)
- client factors z into x and y
sends the server z, x, y, e(x), e(y) (and request)
- server verifies that x and y match e(x) and e(y),
if the matches are correct, then the request is handled
The above protocol relies on both efficient encryption and on multiplication being a
faster operation than factoring. The server sends e(x) and e(y) rather than storing
x and y to conserve the server's memory resources. (An attack cannot exhaust server
memory by repeatedly making requests without following through on good faith factoring.)
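The good faith protocol above, worked through as an added example (not part of the original lecture notes). It assumes HMAC-SHA256 under a server-held key as the stand-in for e(.), so the server can re-derive e(x) and e(y) from the client's answer instead of storing x and y, and it uses small 16-bit primes only so that the client-side factoring step runs quickly.

```python
import hmac
import hashlib
import math
import secrets

# Constructed: the server's secret MAC key. Because e(x) and e(y) are keyed,
# the server can verify a reply without storing x and y per client.
SERVER_KEY = secrets.token_bytes(32)

def e(n: int) -> str:
    """Stand-in for the page's e(.): an HMAC-SHA256 tag over n (assumption)."""
    return hmac.new(SERVER_KEY, str(n).encode(), hashlib.sha256).hexdigest()

def is_prime(n: int) -> bool:
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def random_prime(bits: int) -> int:
    # Odd candidate with the top bit set, stepped upward until prime.
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    while not is_prime(n):
        n += 2
    return n

def make_puzzle(bits: int = 16):
    """Server side: cheap. Returns (z, e(x), e(y)); x and y are not kept."""
    x, y = sorted((random_prime(bits), random_prime(bits)))
    return x * y, e(x), e(y)

def solve_puzzle(z: int):
    """Client side: the expensive step, trial-division factoring of z."""
    for d in range(2, math.isqrt(z) + 1):
        if z % d == 0:
            return d, z // d
    raise ValueError("z is not a product of two primes")

def verify(z: int, x: int, y: int, ex: str, ey: str) -> bool:
    """Server side: one multiplication and two MAC checks, no lookup."""
    if x * y != z:
        return False
    # Recomputing e(x), e(y) under SERVER_KEY proves the factors answer a
    # puzzle this server issued; a client cannot mint its own easy z.
    return hmac.compare_digest(e(x), ex) and hmac.compare_digest(e(y), ey)

if __name__ == "__main__":
    z, ex, ey = make_puzzle()
    x, y = solve_puzzle(z)
    print("accepted:", verify(z, x, y, ex, ey))
```

As on the page, nothing here ties a solved puzzle to one request or one moment in time, so a solution could be submitted more than once; a deployable version would also fold the request and a timestamp into the commitment.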
Attack 2 (Distributed Attack): Follow the Attack 1 strategy on several computers
simultaneously. (Reduce the cost of sending requests by splitting the work between
different machines.) Attack is successful if it is cheaper to send requests than
to handle them.
Defense 2: The server keeps a list of computers involved in the attack. A request from
any machine on the list is cheaply detected and blocked. (Server handling time is decreased.)
Attack 3: Automatically distribute the attack code to any machine that can be
infiltrated. Upon activation, the attack code uses its host machine in a distributed
attack. Note: activation can be done indirectly (ex. monitoring the Internet and activating
when a certain stock drops).
Defense 3: Routinely scan computers for known attack code.