 So, when we've defined the services that we want in network security and computer security, we said one requirement was availability, remember CIA, confidentiality, integrity, availability and when we listed six security services, one of them's availability. This is, we have a computer system, a set of computers, a single computer, a network, that has some purpose. So, there is a set of users that use that to achieve their goal. Availability is making sure that that computer system is available for those normal users. If it's unavailable, then that's an attack on the security of that computer system. So, we're going to look at denial of service attacks, attacks which deny the availability of the computer system. They deny service to the normal users. So, a definition, an action, a DOS or denial of service attack is an action that prevents or impairs the authorised use of network systems or applications. So, the authorised use, the normal use of the computer system, the computer network or applications running on those systems. And doing so by exhausting the resources of those systems. So, using up the CPU so that the CPU cannot be used for the normal purpose. Using up memory, bandwidth on the network, disk space. So, that's the common techniques that denial of service attacks use. Why? Why do that? What's the benefit that an attacker can gain? Anyone want to know? Why do a denial of service attack? Why would some malicious person want to do that? Any reason? There are multiple reasons. Anyone want to have a guess? Think, put on your malicious, your black hat, your malicious hat and try and think, well, what could you gain by stopping other people from accessing the SIT web server? Or what could you gain from stopping other people from doing something on a computer system? Any ideas? You look a little bit malicious. Come on, what idea? What can you gain from a denial of service attack? Loss profit. How? Who loses profit? Okay, many websites, of course, either make money for the organization that owns the website. So, for example, the obvious one is Amazon, the Amazon website. The company makes money because people buy through that website. If the website is unavailable, that company will lose money. But what does the attack gain? Well, maybe they're just malicious in terms of they're being annoying. So, sometimes denial of service attacks are just trying to cause someone else harm. But making one company lose money may be a benefit to you because if they don't go to your competitor's website, because that's down, maybe they come to your website and start buying by your website. So, that's one reason why a denial of service attack. Another one is people just like annoying other people, okay? So, make it inconvenient for other people. Some people will try and do that. So, they may not get any gain other from recognition and their own satisfaction. There may not be any commercial gain. So, the definition mentioned that we exhaust resources. What type of resources? The resources in the network. So, if we think of the system that we're attacking, I say a system that can mean a single computer or a set of computers connected together via a network. So, we may exhaust the resources of that network or the network leading to the system we're attacking. So, that network becomes overloaded and packets cannot travel through the network for the normal purpose. So, overload the links to the, for example, to the web server, to devices leading to that server. Such that, so the links have some capacity. If the attacker can use up that capacity, then the links cannot carry the data for the normal users. And therefore, the normal users will not be able to get their packets to the server and get some response. We'll look at some examples, which links do we want to attack or do we want to overload? Usually, the link from an organization to the USP to the ISP is the lowest capacity in a path. That is, we'll look at, well, where's the bottleneck? If you think of, you're accessing the Amazon website. So, there's a set of links between your computer and the Amazon web server, which is in the US. Of those links, which one do you think has the lowest capacity, the lowest data rate? From your computer to the first router and then that router to the next one via many internet service providers across Asia and into the US. And then a link into the Amazon web server. Which link do you think is the slowest? From your computer, most likely. That is, the link from, at least from your computer, in many cases, let's say, if you're home, the link from your computer to your ISP is normally the slowest in that path. And we call the slowest link in the path the bottleneck. Because the fastest you can transfer data between one endpoint and another in a path is limited by the slowest link in that path, the bottleneck link. So, usually, the link from your home, for example, to your ISP is the slowest in the path. Within the ISP's network, usually they have fast links. And from one ISP to another, and the link that connects, say, Tokyo to Los Angeles, is many gigabytes per second, gigabits per second. So, it's much faster than our home links. So, usually, one bottleneck is from your home or from the source computer. Another potential bottleneck, we'll see later why, is to the final web server. So, normally, within the internet service provider's network, they are quite fast links and networks. The two bottlenecks are usually at the endpoints, from your computer to your ISP, or from the ISP to the web server that you're contacting. And we'll see that denial of service attacks try to attack the link, usually, from the ISP of the web server to that web server. And also, show some pictures to illustrate. So, how do we exhaust network resources? Well, you need to understand that we send packets across links. What happens if we have a link that has a capacity of one gigabit per second? If we send a lot of packets towards that link, sending in at more than one gigabit per second, then some of those packets will not be sent across the link. Because if the link can support one gigabit per second being sent across it, and the packets arriving at that link is, say, two gigabit per second, then on average, over time, half of them will be dropped. We can only support sending one gigabit per second. We've got two coming in, so one gets sent and the other one goes somewhere. Well, goes somewhere, usually the router at the start of that link drops those packets, meaning the data doesn't get to the server, meaning the data from the normal user doesn't get to the server, meaning the normal user is denied service. So we'll see some examples of how we can overload the network resources. The other form of overloading is overloading the system, say the computer resources. So the computer has CPU, memory, hard disk. If we use up those resources from the attacker's perspective, then the system, the computer cannot do what it's intending to do. So if we can somehow cause the CPU to run at 100% utilization, then the CPU cannot allocate, cannot perform tasks for the normal operation. So you try and use up the resources of the computer system. Often that's by causing some bug to be triggered. So taking advantage of some bug in the software that, for example, causes the CPU to do something unexpected. For example, if there's a bug in the software running on the computer such that it enters an infinite loop and keeps running and that uses up all the CPU, then the CPU cannot be used for other tasks. So overload the system, the computer resources. And of course, the computer runs applications. So focusing on specific applications, send packets to them such that they start to consume resources. So this is in particular for web servers, for example, a web server is an application running on a particular computer. If we can send packets to that web server such that it again consumes resources of the system, then we can slow down the response time of that web server and eventually deny service to the normal users. So that's a general set of resources that a denial of service attacks. We'll see some examples of them. We'll first look at it and a simple example of attacking the computer, trying to use up memory of the computer. And then we'll go through a set of examples that attack the network resources. Just step through and see what concepts are used in denial of service attacks. So the first two examples are what we sometimes call classic denial of service attacks in that some of the original ones that were developed. Usually they're quite, well, there are ways now to defend against them. So the original ones, but the concepts of these classic attacks have been extended to become realistic attacks today. And we'll go through and in the next part, extend upon these classic attacks. And we'll go through just two classic attacks. There are many. We're just going through two examples. The first one is takes advantage of TCP. So TCP is a transport protocol that is used widely across the internet. And when one application wants to transmit data to another, from a web browser to a web server, for example, then before they transmit data, they establish a TCP connection between the two endpoints, negotiate some parameters, agree upon some parameters, and then transfer data. So TCP, once the data or once the connection is established, the data transfer follows some rules to make sure that the data transfer is efficient, that we don't send too fast, that we can recover from errors and so on. So the important part with respect to this attack for TCP will be that before we send data, we establish a connection. And I hope I look around, I think all of you have taken my course and you've seen the TCP three-way handshake is the general way to establish a connection. Computer A wants to or TCP or Computer A wants to transfer some data to Computer B. So before it can transfer data, it establishes a TCP connection. What it does is it sends a special TCP segment to B and that has a flag set saying this is a SIN segment to synchronize sequence numbers and it includes some sequence number. When B receives that, it sends back a TCP segment saying everything's OK and it sets a flag SIN, gives a sequence number and an act saying I acknowledge the one I just received and then there's a final third act saying I acknowledge the SIN and sequence number that you sent me. So SIN, SIN, act, act, that's the typical set up a connection with TCP. Now, a little bit more detail, when Computer B receives the first SIN packet, it allocates some memory in preparation for the connection that it's going to establish. So from Computer B's perspective, it's received a SIN segment, meaning Computer A wants to establish a connection with me. So what I do at Computer B, the operating system does this, it allocates some memory for the upcoming connection. So allocates a little bit of memory, keeps track of the sequence number it sent, the sequence number it received and the sequence number it sends in the response, it keeps track of those variables and some other memory for the operating system to keep track of this TCP connection. So B receives a SIN segment, allocates some memory, sends back a SIN act and then it waits for the final act. It will not do anything until it gets the final act. And what it's expecting is once it gets this final act, it will start transferring data with A. That's the normal operation with TCP. Now, how does another feature, so that's here, we allocate memory and wait for an act. And another thing is if we don't receive an act, okay, we send the SIN act, we're waiting for the act, we've allocated some memory, we have some time out. If we don't receive the act, then eventually after some time, okay, I haven't received the act, so let's maybe after one minute, let's give up waiting and delete the information from memory. Delete the connection information. So that's the normal behavior with TCP connection set up. A client initiates a connection to a server. The server allocates some memory, sends back a SIN act, waits for the act. If it doesn't receive the act, then eventually it will give up and delete and move on to another connection. Of course, many clients can do this to the server at the same time. It's not just one SIN act, that is, this server may be receiving many SINs from many different clients. Think of a web server. Computer B is a web server. Many people contact that web server at the same time. They want to browse to the website. Before we can transfer the request and the web page, we set up a TCP connection with that web server. So your browser to the web server that goes through this process. And then there's the request for the web page and response. So a TCP SIN flooding attack is quite simple. What the attacker does is that they send many TCP SIN segments to the target. So the target is the, in this case, the computer that we want to overload. Deny service act for this computer. So we send many TCP SIN segments to the target. With the idea that every time the target receives a SIN segment, it allocates a memory for the upcoming connection, sends back a SIN act, and then waits for the act. But if we send many SIN segments to B, like thousands per second, then for each one it allocates a memory and waits for an act. And of course it receives another one, allocates some more memory, waits for an act. If we can send many in a short period of time, then we can exhaust the memory at computer B. That's the idea here. To overload the memory because for each connection, there's some memory that needs to be allocated. And if we use up all the memory allocated for the web server, then when a normal person tries to connect to the web server, they send a TCP SIN. There's no memory available on the web server. So the web server cannot respond. It cannot respond to the normal request, and therefore the normal user has been denied service. And so the target, actually two perspectives here, it gets overloaded in terms of memory. We use up the memory for storing connection information. It also must do a lot of processing. The target receives a SIN, does some processing, sends back a SIN act. So it's trying also to overload the processing ability of the target computer, such that we don't allow normal users to access the server. We have a picture. Now, all right, we'll go to the picture in a moment. What's the other point? So the attacker has their computer and sends many SIN packets to the target computer. We need many packets to come at a time to overload the memory. When we have a lot of memory at the server, then we need thousands to arrive, if not hundreds of thousands of packets per second to arrive to overload. One thing that the attacker will try to do to, A, cause others to, oh, cause many packets to arrive, and B, to try and hide itself, the attacker will often send a TCP SIN segment with a fake source address. Every packet we send across the internet using the internet protocol has the source IP address, the computer that generated it, and the destination IP address, the computer that it's destined to. So when the server B receives a packet, inside the packet is the address of the source computer A normally. So B knows it comes from A. What the attacker will often do is instead of including its real IP address as the source, it will include a fake IP address as the source. And that has different benefits. One is that, the first one is that B is receiving SIN segments, and it looks at the source IP address and it thinks that each SIN segment that it receives is from a different computer. If B receives SIN segments and the source address is always from A, then that's a simple way for B to detect something's gone wrong here. Maybe it's an attack. If B receives many SIN segments from computer A in a short period of time, B can quite easily say, oh, let's ignore this one. I've just received 1,000 from A. Likely, it's likely that A is performing an attack on me, so let's start ignoring all the SIN segments from A. Therefore, what A does, instead of including its real IP address in the source, it includes some other IP address. So even though A is sending thousands of packets per second to B, from B's perspective, the source address is always changing. So there's no way for B to know that they're all coming from A. The source IP address is different each time. So B just thinks this one's come from computer X, this one's from computer Y, this next one's from computer Z, and therefore cannot necessarily determine that they're coming from the same computer and start ignoring them. So the source, what's called source address spoofing, is used, which is the concept of when you send an IP datagram, include a fake source address. Don't include your real source address. The other benefit it has is it's one way to try and hide the attacker. If the attack computer can find out the IP address of who did the attack, then maybe later they can do some follow-up, maybe some legal repercussions are taken to take some legal action against the attacker. So it's also used to try and hide the attacker. Now, for such an attack to occur, you need to send many packets per second to that target computer. So my computer would need, if I was attacking would need to send many packets per second out to this target. And most commercial web servers today can handle hundreds of thousands of people connecting sort of in a short period of time. So for me to send the hundreds of thousands of packets to there within a second is quite hard. So to make the attack more effective, and we'll see it's a common trend in denial of service attacks, the attacker will try and get other computers to perform the attack on their behalf. And that's what this diagram illustrates, an extension of the simple TCP SYN flooding. The attacker somehow takes control of other computers in the internet. Somehow our previous topic, using some malicious software, a virus or a Trojan, where the attacker in the past has somehow installed some software on other computers in the internet, such that that software will perform the TCP SYN attack on some target. So they've infected these other computers, we'll call them slave computers, slave servers in this picture. And what the attacker does is that they send some control message to the programs running on these slave computers, saying initiate a TCP SYN attack on this target. And that triggers them to send SYN packets, all of them send SYN packets to the target. They're coming from different sources, maybe from different areas in the internet, from different countries, all to the same destination. And in that way, getting each one of these to send at a high rate to the target, more chance of overloading the target. Not just four slaves, but think of 40, 400, 400,000 slaves all sending to the single target. And at that point, it's quite easy to overload the target. And we'll see that concept of using multiple computers to do the attack instead of a single computer is quite common. So this first attack, and we won't go into any other details of this one, we'll go into details of another one, but the concept is overflow the system or the computer at the destination. Not the network, but use up the memory and the CPU at computer B by sending many TCP SYNs, because the way that TCP normally works is that it stores some memory for each one it receives and expects an act to come back. If the act doesn't come back, and it will not, because the attacker is not gonna send back the act, especially if it's a fake source address, this one will go to some fake computer and there'll be no act coming back. Still, the memory is used up at computer B. How do we stop this? If someone can perform such an attack, it was difficult to stop it using the common mechanisms that we have on the internet, because TCP is built like this, that we always have the SYNSYNAC act. One way is to try and stop the packets getting to the target web server. Filter the packets. It's not easy. There's no node in this diagram to show it, but imagine here at this point, there's a router that connects the link to the target web server. So one way is to try and filter the packets. When this router starts seeing many SYN packets coming in, then it may detect possibly this is a denial of service attack. I will start to drop the packets before they get to the target web server so that the web server is not overloaded. So try and filter the packets before they get to the target. That's one way to try and prevent the attack. But that's difficult because how does the router know that these TCP SYN packets are from an attack, or are they from just normal people trying to access the website because the website's popular because someone linked to it on some famous other website. So it's sometimes hard to know whether the TCP SYN packets are from an attack or from normal users. Therefore, it's hard to filter the right ones. If we filter and block the packets from the normal users, we've also denied service. So that's a difficult thing to consider of blocking traffic. There are a few other mechanisms, and one of them is a, sorry, a modification to how the TCP connection setup works using what's called SYN cookies. And we'll not go into them, but the idea is that we have some extra information that is sent back, and the idea is that B will not store memory, or is not as much memory for each connection, until it receives the act back. So it requires some extra effort on the attacker's behalf. It essentially stops the attack. The limitation is that you need to modify the way that the implementation of TCP works. So if you're using a new operating system or one that implements this feature, that's good, but many of the servers that are not using this don't have that capability yet. And in the internet, when there are millions of servers, it's not easy just to tell them all to upgrade at once. Many are old, running very old software. So TCP SYN flooding is an example of overflowing the resources on the computer, flooding the computer, not the network. Let's look at a different one. Before we look at the different one, any questions on the concepts of TCP SYN flooding? We're in denial of service in general. Everything okay? Exam was okay? Sure. Not sure about that. Okay, so try and follow along and have a chance of improving in the final exam. Some students who couldn't make it last week, if you want to see your midterm exam, you need to come to my office at some time and I'll show you your midterm exam. Any questions? SYN flooding? Easy. Next one. Just as easy. Now let's look at an attack that overflows the network. And very simple concepts. And we'll go through and we'll look at the basic form of the attack and then see how, what countermeasures we have available. How can we stop the attack and then see, well, how can we extend the attack to defeat those countermeasures and go through some iterations? It uses ping. Everyone knows ping. So you ping is this application that tests network connectivity. From one computer, you ping another computer by sending an ICMP packet, an ICMP echo request to the destination. And that destination, when it receives the ICMP echo request, sends back an echo reply. And if I receive the reply that it means I've got some connectivity with the destination. And it's also used to measure the round trip time, the time to get there and back. So I think many of you, most of you use ping to test the connectivity and measure round trip time. What transport protocol does ping use? ICMP. So that's almost a trick question. The two common transport protocols that we think about are TCP and UDP. TCP, we set up a connection, then transfer data. UDP, we just send the packets, no connection. ICMP we can think of as really a different transport protocol, but it's just used for controlling and managing the network. So in fact, ping uses ICMP inside IP packets. How do we use ping to perform an attack? Well, we have some target. Let's say some target computer. Say some web server, we don't want others to access. We want to deny normal people from accessing this web server. As an example. So this is the network of the target. These are routers, this is one router. There's a link to the target. And the target connects to the internet via an internet service provider. So I've simplified so that there's a link. Let's say this is a LAN, an ethernet cable, one gigabit per second. Whereas this is the link from the target's network to the ISP, which usually is much slower. Then the ISP connects to other ISPs to form the internet. And then from the attacker's perspective, here's the attacker's computer. There, let's say home network. And their connection to their ISP, that's this link. Now, before we look at how ping works, let's see the general concept of a flooding attack on the network. The aim is to overflow the network. That is send enough packets such that when someone else tries to send packets, they'll be delayed or even dropped because the network capacity is full. Well, such an attack usually depends upon the bottleneck link in this path. That is the slowest link between the target, between the attacker and target is at the target's end. And it's typically here at ISP of the target. So this link, we can assume, is fast, fine. We say this is the bottleneck link, meaning of all the links between attacker and target, this is the slowest. If that's the case, then what the attacker tries to do is send packets through the network as fast as possible, such that when the packets get to this router, we're sending the packets fast enough such that we use up the full capacity of this link. If the capacity of this link was 10 megabits per second, if we can send packets faster than that at 15 megabits per second, there are 15 megabits per second of data coming into the router, it can only send 10 megabits per second out. Where does the other five go? It gets dropped by the router. So you've got a router, you've got 15 megabits per second of data coming in, 15 megabits every second. It can only send out 10 megabits per second every second. So every second, five megabits per second is being dropped. That is, it's not being sent. That's the idea here. To overflow or to fill up the capacity of the link to the target. With the intention that if the attacker is sending 15 megabits per second into here, the link supports 10 megabits per second, then someone else on the internet tries to contact this server, then it's a high chance that their packet that comes into this router will either be dropped or significantly delayed. So slowing down the access to the server or even preventing access to the server. That's the idea here, yep. Ping spike, yeah, I think I'm not aware of that terminology, but yes, to send a lot of ping packets to the target. And we'll see how it works. To send, I don't know what ping spike means, but I guess it means to send a rapid increase or a rapid high number of pings to a particular target. Yep. No, that may be, so if ping measures the delay. So the normal use of ping from this computer, I send a message to the target. Target sends back a response and I measure the delay, the round trip time, the time to get there and back. That's what ping normally reports. So often you use ping to measure the delay across some network. For example, in games it's important to measure the delay between you and the server so you can have high interactivity. So an increase in the delay may be due to different factors. It may be due to an attack, but it may be also other factors. Really we're going to use ping just to generate this data to send. It doesn't matter that it's ping, it can be other data, we'll see. But the first point and the assumption is that this is the bottleneck in the path. That is a link leading to the target is the slowest in the path and our aim is to overload that so no other traffic can go across that link. Which means the attacker has a fast link. If this one is the bottleneck, it means the attacker has a link which is faster. In some cases that's unlikely. If this link is to the Amazon web server, it's probably hundreds of megabits per second and you're trying to do an attack from your home with your one megabit per second upload link for your ADSL, then this doesn't make sense, this attack. Because the bottleneck is your link and all you'll do is overflow your link but it have no impact on the target. So we assume this scenario where this is the bottleneck and we'll see where that's realistic shortly. So from your home network, not very likely. If you've got home ADSL, then this is your computer at home, this is your ADSL router, this is say a 100 megabit per second Ethernet link and this is your ADSL link. And think about the upload speed of your ADSL because we're ascending in this direction, we're uploading the data. Mine at home is 500 kilobits per second, my speed here. So one megabit per second, you get faster but compared to most servers, this is quite slow for home access. But if the attacker is on some commercial network and we'll see later has multiple attack sources, it becomes possible. So this is a concept is that we, the attacker using ping pings the target. And when you ping some target, it sends an ICMP echo request to the target and the target responds. If we send enough in a short period of time, we can overflow this link, okay? So if this link has some capacity, what we need to do is send enough pings to overflow that capacity, to use up that capacity. And then when someone else tries to access the target, they will either be slowed down or not be able to access the target. Send many ICMP requests, echo requests to the target server. That's a very simple attack. The link from the, in this example, the link from the ISP to the router is overloaded. The target computer is not overloaded because what happens, packets arrive here and they get sent across this link at, I'll say, 10 megabits per second. So the target computer can still receive them at 10 megabits per second. It's fast enough. So we're not overflowing the computer, we're overflowing this link or more precisely the router capacity before that link. So this is overflowing the network, not the target computer. How do we stop it? Get internet service providers to block ping packets. So if the internet service provider of the attacker was set up such that it doesn't allow their customers to send out ping packets, then that would stop such an attack. But ping has been developed for an ICMP is developed for purposes of managing and error reporting on the internet. So it has a legitimate purpose, a legitimate use in the network. So stopping it and not allowing it to be used in the internet has some other consequences. So that's not always possible. And in fact, ISPs don't necessarily do that all the time. Some do, some don't. What else? Let's say that the ISPs don't block the traffic. That is, they get to the target and overflow. Well, the target, what does it do? Every ping packet it receives contains the source IP address. And an IP address, the way IP addresses are structured, identifies really the internet service provider. So when the target sees this ping is coming from this IP address, the target can quite easily find who the ISP is for the attacker, and then maybe contact the ISP and the ISP will know who is the actual customer that sent this, who is the customer that had this IP address and maybe take some other action to stop them doing it in the future. So some countermeasures. Now another problem, well, there are many problems with this attack. One is that we rely on the bottleneck here, but if that's the case, note that our attacker is receiving all the responses coming back. So what may happen is that the attacker, yes, they overflow the target's network, but they're likely to overflow their own network as well and start to impact on their own performance. And often they don't want that to happen. So it would be better if the responses didn't come back to the attacker. How do we fix that from the attacker's perspective? Focusing just on ping, what can you do again, put on your black hat and think, what can you do as the attacker to make it A, such that the messages don't come back to you and B, to get more messages to the target. Same with our TCP sync, we can fake the source IP address so that we send them the target receives it, it sees the source address, which is some other address and replies. So the responses go to someone else on the internet, not to the attacker. What if, all right, then we'll see that one. What if you want to do it from home, right? Your home is a bottleneck. Well, the concept is to get others to attack. And that's what, to get a single computer to send, it's quite easy for the ISP to start to identify who it's coming from. Well, we use a fake address, but generally to get a single computer to send fast enough to overflow the link to the target is quite hard. Because if this target link has a capacity of one gigabit per second, the attacker needs a network and needs to pay for a connection of an upload speed of one gigabit per second, at least. So they need some access to a commercial network, which is much harder than, say, doing it at home. So let's look at some ways to, from the attacker's perspective, make this a more powerful attack. Now, returning to the fake source address, both used for TCP sync and can be used here. This is just a reminder, this is the structure of an IP datagram, the header. Two things to note, every IP datagram we send contains the source IP, the computer that generates the datagram, and the destination IP, the computer that's the final destination. Not the addresses of routers, but of the source computer, the destination computer. So that's normal, and ping all our communications across the internet use IP. So everything contains the addresses. So the attacker includes a fake address in here. So the attacker's computer has a real IP address, but when their computer generates this, because it's their computer that generates the datagram, they don't include their real address in this field, they include some fake address, some other IP address. It may be an address of another computer, or maybe just some random address, and see the impact. Now, what's the benefit of using a fake source address? The attacker, the target doesn't immediately know who performed the attack, there's one benefit. If you use your IP address, then it's quite easy for the target to see, okay, all these messages are coming from this ISP. So we contact this ISP and we tell them, some customer of yours is performing an attack, and therefore the ISP will know which customer has that IP address, because the ISP keeps a log of which customers get which IP address and can take some action. Using a fake source address makes that much harder. It's harder to track. The other result of using a fake source address is that the responses don't come back to the attacker, and avoiding an overflow of the attacker's own network. So this fake source address may be of an actual computer in the internet, or it may be a non-existent one, so it doesn't matter in some cases. Let's look at the detail. Let's look at an example of an attack using a fake address. How do you set your a fake source address? Okay, your computer has an IP address. You're the attacker. How do you set your IP address to be some other value? Anyone know? Is it possible? Well, in general, anything that your computer does, it's possible for you the operator to control. So if your computer sets an IP address, then yes, it's possible for you to modify the value that's set in the packet that's sent out. So yes, it's possible in theory, in practice, usually the setting of the IP address in, where are we? What software sets the IP address in the packet that we send out? Well, it's the operating system does that. The networking software and the OS sets this value. So if you're an attacker and you want to change it, then you usually need to change how the operating system normally behaves. So you can do that. A simple way, and we'll demonstrate, is to use some features of firewalls. And a firewall, or more specifically, network address translators, their job is to change addresses, and we'll take advantage of that to change. So I'm gonna go through a demonstration and show on our some Linux computers how to do a simple ping attack with a fake source address. I've set it up before a virtual network where we have eight nodes, okay? We use, not all of them today, we'll use the others later, but we have, let me just, we're gonna focus on several of the nodes, that is, computer eight is our target, okay? Let's say a web server that we want to deny other people from accessing. And this is their network. To keep it simple, we'll say this is, forget about the rectangles, that's a switch. This link from a router seven to web server eight, let's make this the bottleneck link. This is our slowest in the network. And computer one, the red one is the attacker. So let's first do a simple ping attack. So I think you can recognize if we try and ping, we can do a ping attack and send pings from computer one to computer eight, and the responses will come back to computer one. But let's do it with a fake address. So what we'll do is we'll send, set a fake source address for the ping that we send from computer one, with the intention of overloading computer eight. So I've set up this network, computer one, the red one, this is our malicious user. We'll look at the others in a moment. We need to set it such that we send fake source addresses in our packets. So when we ping another computer, we can zoom in, ping. This is computer one. It's not shown here, but the addresses, just so you remember, the address of the server is 192.168.3. Sorry, you don't see it, 31, I think it's here, 31. So that's the target IP address. And the IP address of computer one is 192.168.1.11. That's our attacker. So first, let's just ping the target and see if it works. 3.31, okay, so we can ping. How do we overflow? Ping normally sends one per second. Well, that's not gonna overflow a network, sending one packet per second. Well, with ping, you can change the speed at which you send. You can set the interval. For example, the interval between pings of 0.2 means five packets per second, every 0.2 seconds. So five times an increase in the amount of data we send. Okay, so now it's sending faster. Still not gonna overflow. It depends upon the link speed at the bottleneck. And we can set it smaller. So we can change the speed at which we send. We can also change the size of the packets we send. So we can change how many bytes are in the ping message and in the ping request, so using the minus s option. And I just set it to a value. So 972 bytes, when we add on the headers, it comes up to a total, I think, of a thousand bytes in the packet. Just for a nice round number. With 972 bytes in the data, then we add in 28 bytes of overhead. The total packet size is a thousand bytes. So in this case, how fast was I sending? What's the sending rate of my computer in this case? Can you see that? What's my sending rate from the attacker's perspective? A thousand bytes in each ping packet. Again, louder. How fast am I sending? On the attacker, I'm trying to overflow the target. And what I do with a ping, every time I send a ping, I send a thousand byte packet to the target and the target sends back a response, also a thousand bytes or similar. So with an interval of 0.2, I'm sending five packets per second. Each packet is a thousand, so a thousand, five thousand bytes per second, 40 kilobits per second. It's not gonna overload many links, 40 kilobits per second. We would need to send either larger packets or at a much smaller rate, and we can do that. But let's now do it with a fake source address. How do we set a fake source address? In Linux, we've got a firewall that will allow us to change the addresses in our packets. And I'm not gonna explain the command, I'll give it the commands to you later, but I'm just gonna use it and I'll explain the basic concept. The firewall is called IPTables, and it actually does network address translation. You've covered that in another course, Dr. Comet's course, not yet, soon, doesn't matter. We'll cover this in the lab at a later time. I'll explain after I type it. First, the concept is that this IPTables is a firewall, so what it does is as packets come in and out of this computer, the malicious computer, it can modify them. And what it's doing is post-routing means after the packet is generated, modify it. How do we modify it? If the packet is an ICMP packet, a PIN packet, then change the source address to the value we set it to be here. So it's just a simple way such that normally we generate a packet, the source address will be that of the target. This command, when that packet is generated, would change the source address to whatever we specify it to. What do we wanna change it to? Well, we wanna, where the target, the normal source address is 192.168.1.11. We send it to the target. What do we want? What can we change the source address to? No, yes, but no, I don't want to. Wrong. Anyone else? Any idea? Again, black hat on. How are you gonna perform some attack? Pretend that this, or set the source address to a hint, set it to be one of the other computers. Remember what PIN does. Send a request to the destination and send then the one who receives that sends back a reply to the source. So what we wanna do is to get many packets to the target eight. So let's PIN another computer in the internet and set a fake source address to be the target. So I will PIN, say, computer three, which is 192.168.2.21. When that one receives the PIN, the echo request, it looks at the source address and then sends a reply to that source address. So we'll set this fake source address to be that of the target, computer eight, which is 3.31. So the idea is that my computer, or the malicious computer, will send a PIN to the green computer in a moment. The green computer will receive it. We'll see that the source is 3.31, the yellow one, and therefore send a reply to 3.31. Let's hope this works. How are we gonna show? This is the target, the yellow one. And so what I hope to happen is that I'm gonna PIN from the malicious node to the green node and the target will receive the packets. The green one is 2.21, is that right? 2.21. So I'm gonna PIN that. The message should go to the green computer and then the green computer will reply to the source, which is the target. And just to see, let's capture what we see at the target. TCP dump will just capture the packets that the target receives and all of the ICMP packets that should display on the screen. It hasn't received anything and now let's start our PIN and you see it's receiving. Let's try again. Capture and print whatever we receive and now let's start the PIN and we see the target computer is receiving the echo replies. The malicious computer is not receiving the replies because it set a fake source address. So the malicious computer sends a request out. It goes to computer 2.21. The 2.21 receives the request, looks at the source address, 3.31 and sends the reply to 3.31. And this is showing that the target 3.31 is receiving these ICMP echo replies. They're coming from 2.21 to ask 3.31. So that hasn't changed the amount of traffic being received but now we've used a fake source address. Just stop that. So packets went to three and then they went to eight. And if I send faster, whatever rate I want, again, that'd go to three which would then send them on to eight. So now when eight receives the packets, it doesn't know they're coming from the target. It thinks they're coming from computer three. So it's somehow hidden and what else could I do? What's the next step I can do as the attacker to make that even better? What's the extension that I could do and the hints in the diagram? Why do I have many nodes there? Yeah, use slave servers. Three is a slave in this case. We're using three to do the attack on our behalf. All right, we haven't infected it but we're actually using three to do the attack on the target. And the way that we can do it is because most computers are programmed by default when they receive an echo request, they'll reply with an echo reply. That's normal behavior. So use more. Ping at the same time, four, five and six. So I ping, the target pings these four and all of them reply to the source and the source is three dot 31. So all of them reply to computer eight. We'll see that. But let's go back to our slides. All right, we've gone ahead. Let's go back and explain the concepts. So we saw a case where we sent to one of the other nodes which then reflected to the target. We'll see a slide that explains that. Now, setting fake source addresses. It's possible. We just did it very easily to change your address. There are ways to stop that from happening. What's common, okay, here's the attacker. Here's its real IP address in this example, 72, 16, three dot four. And the IP address given to the attacker comes from the network address or the range of addresses for the ISP. It's the internet service provider that gives the attackers computer and IP address. Same as your home internet, your ADSL router gets an IP address from your ISP. So the ISP has a range of addresses 72, 16, zero, zero. That is all of its customers get IP addresses starting with 72, 16. It knows that, it sets that up. So here's the real address of the attacker. If it sets the packets it sends as a fake address, let's say this 33 address, sends them to the ISP, then one way to stop fake packets is that the ISP router should check. It should check. If there's a packet coming from my customers where the source address is not a valid source address, a valid source address is within this range of 72, 16, if it's not valid, then don't let it go out onto the internet. Drop the packet or filter the packet. So that's a counter measure against using fake addresses. There's nothing to stop the end user from using a fake address, but it's common practice in at least in some ISPs to filter out anything coming from a non valid, therefore fake address is not allowed out here and therefore it would not get to the target and this attack would be defeated. So a counter measure against using a spoofed or fake source address is that ISPs filter packets or drop packets that come from invalid source addresses. Nice, but not all ISPs do that. It takes some effort on the ISP and it takes some effort on the router here. So some do that, some don't. Therefore, there's still an opportunity for an attacker if they have an ISP that doesn't filter to perform such an attack. If we have a fake source address, this isn't the one that we demonstrated. This is a simpler one. If we set the fake source address, I can send to the target and the target will send back to these source addresses, these other fake addresses. The result of this is that the target doesn't know it was the attacker and the responses don't overload the attacker's network. This is what we just demonstrated, a reflector attack. The attacker sets the source address to be that of the target and sends the PIN to different computers in the internet. In my case, I sent it to computer three. We could have easily extended that to send to computer three, four, five, and six. And then they all send it to the target, the reply. This is a reflector attack where the packets are reflected off some innocent computer in the internet. Bounce the messages off normal computers. Again, hiding the attacker and making it look like the messages are coming from many different computers. Harder to filter from the attacker's perspective. And again, there's no response traffic coming to the attacker. How do we make the attack better? So for this to work, we still need to send a lot to overflow this bottleneck link. So we need to send enough such that the number of packets coming in overflows the link. But what we would like from the attacker's perspective is that, let's say this bottleneck link is one gigabit per second. It's common if it's coming into some organization. That means we need to send it one gigabit per second. That means we need an upload link of one gigabit per second. That's inconvenient for the attacker. So what we would like is for the attacker to be able to send a small amount, but generate a large amount on the target. And it's an amplification attack. We'll see another slide. The idea, use some protocol, and now we're moving away from ICMP and PING, use some protocol such that when we send a request to a computer, the request is small, but the reply is large. So let's say with PING, that's not the case. With PING, I send a request of 1,000 bytes. The reply is about 1,000 bytes. But some protocols, I can send a small request like 50 bytes, and the reply may be 500 bytes, much larger. The result is that the attacker sends a small amount out, but these innocent hosts amplify the amount that's sent to the target. And that's got a greater chance of overflowing the capacity, because it doesn't depend so much upon the capacity of the attacker. And there are some protocols in the internet that support that or have that characteristic that the request is small, but the response is much larger. DNS is one that you may know of. DNS, you send a query to a server. The server sends back some answers, a set of IP addresses and domains. The query is quite small. What is the IP for this domain? The answer can be quite large, containing many different answers. So DNS is an example where we can use a small packet and get a large reply. There are some others that I'll show you. Another one, just to finish off, we won't go through any extensions yet. Another one is network time protocol. You know NTP? Your computer gets the time from the internet, and most computers operating systems use it today. You get the time by contacting some time server on the internet who sends you the time on the internet who sends you some information that updates your clock on your computer. The protocol is called NTP, and it has this characteristic that there are servers. You can send a small request to a NTP server, and that will generate a large reply. And in the last week or so, some of the denial of service attacks have been using this characteristic. So just a few news pages, because it's got some nice plots. In the last couple of weeks, there's been what's called a distributed denial of service attack that used this approach of the attackers send small messages to NTP servers, which all of them respond to some target with some large response. What information does it show? Maybe another one. This was some attacks on some gaming websites. This is a plot of over time the amount of traffic that an ISP measured coming in. So the attack traffic. This is the normal traffic. This is in gigabits per second. 10 gigabits per second, 90 gigabits per second. So the ISP of the target, data coming in at this time, peaked up to 90 gigabits per second. So the attack was generating 90 billion bits per second coming into the single target. So this took advantage of this amplification of NTP. Small requests went out, large requests come in, and it also took advantage of using many different computers, many different slaves. So probably thousands, maybe even hundreds of thousands of computers, all sending the packets to the target. So real denial of service attacks, generating gigabits per second, tens of up to 100 gigabits per second peak times. We'll stop there. We'll go through some more demos of these ping attacks on Thursday and look at some further extensions. The demo that I'm doing, and I'll continue with on Thursday, you can do it yourself using the virtual network software that you set up from the previous homeworks. So I'll give you some instructions for what I'm doing and you can try it yourself. It's quite simple.