Melior, Inc. - CyberWarfare Defense

Previous dDoS Defense Mechanisms

After the first widely reported dDoS attack in 2000 (initiated by a 17-year-old Canadian, "Mafiaboy", who was caught only because he bragged about the incident), solutions were sought to defend against the multiple vulnerabilities that allow dDoS attacks to succeed.

However, the technology hurdle to an effective solution has not been overcome. Traditional technologies have proven unsuccessful in creating a working defense (see below for traditional Intrusion Detection Systems, Quality-of-Service systems, and Firewalls, and the section on Competition).

Applying Ingress/Egress filters on every router on the Internet (at the source) has proven impractical.

The ideal dDoS defense addresses the root cause: it distinguishes valid ("good") traffic from all forms of dDoS ("bad") attack traffic at the target site, as far upstream as possible, reacts in real time, and defends against both known and unknown forms of Denial-of-Service attacks.

Signature-based, Traditional Intrusion Detection Systems (IDS)

Traditional Intrusion Detection Systems ("IDS") are able to recognize some forms of TCP/IP, Denial-of-Service, and application attacks, if those attacks were observed before and could be transformed into definitions (also known as "signatures") against which the IDS compares the network traffic it observes. Not all attacks can be defined in a signature, and every attack not defined as a pattern match (or signature) goes unrecognized by a traditional IDS.

Updates to signature databases to address newly developed and recognized forms of attacks need to be done by qualified system administrators or by vendors and require the regular download and integration into each deployed Intrusion Detection System. This delay introduces an additional risk factor between the observation of a new attack, its definition as a signature file, and the successful download and implementation for comparison against live network traffic.

A traditional IDS is limited to alerting on a recognized, "known" attack, leaving it to other security systems to defend against it.

Often the time needed to compare traffic patterns against the signature database, determine a match, and send out the alert is longer than it takes a dDoS attack to do its damage. Most dDoS attacks cause the damage within a few seconds, and sustain it until the attacker decides to stop the attack.
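The two limits described above (a signature only describes an attack that has already been seen, and a flood carries nothing a payload signature can match) are easy to see in code. The following is an added example, not code from this page or from Melior; it runs signature matching and a simple per-destination SYN-rate check over a few constructed log lines (the addresses, the "KNOWN-BAD" marker strings and the log format are all made up for the illustration):

```python
import re
from collections import defaultdict

# Constructed log lines, not captured traffic. Field order per line:
# timestamp src dst proto dport tcp_flags [payload]
SAMPLE_LOG = (
    "1.000 10.0.0.5 192.0.2.10 TCP 80 PA GET /index.html HTTP/1.0\n"
    "1.050 10.0.0.6 192.0.2.10 TCP 80 PA GET /app?q=KNOWN-BAD-V1 HTTP/1.0\n"
    "1.100 10.0.0.7 192.0.2.10 TCP 80 PA GET /app?q=KNOWN-BAD-V2 HTTP/1.0\n"
    # a burst of 40 bare SYNs from 40 distinct constructed sources within 0.4 s
    + "".join(f"{1.200 + i * 0.01:.3f} 198.51.100.{i + 1} 192.0.2.10 TCP 80 S\n"
              for i in range(40))
)

# Signature database as a traditional IDS holds it: a name and a pattern written
# after that attack was first observed. Here only the "V1" variant is known.
SIGNATURES = {"known-bad-v1": re.compile(r"KNOWN-BAD-V1")}


def parse_log(text):
    """Turn the constructed log into packet dicts; the payload field is optional."""
    packets = []
    for line in text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) < 6:
            continue
        ts, src, dst, proto, dport, flags = fields[:6]
        payload = fields[6] if len(fields) == 7 else ""
        packets.append({"ts": float(ts), "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "flags": flags, "payload": payload})
    return packets


def signature_alerts(packets, signatures=SIGNATURES):
    """What a signature IDS does: compare every payload against every signature.
    Anything that does not match a stored pattern is invisible to this check."""
    alerts = []
    for pkt in packets:
        for name, pattern in signatures.items():
            if pattern.search(pkt["payload"]):
                alerts.append((name, pkt["src"]))
    return alerts


def syn_rate_alerts(packets, window=1.0, threshold=20):
    """Behavioural check with no signature: flag a destination that receives at least
    `threshold` bare SYNs within any `window` seconds (sliding window per destination)."""
    syn_times = defaultdict(list)
    for pkt in packets:
        if pkt["proto"] == "TCP" and pkt["flags"] == "S":
            syn_times[pkt["dst"]].append(pkt["ts"])
    flagged = []
    for dst, times in syn_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(dst)
                break
    return flagged


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print(signature_alerts(pkts))  # only the V1 request; V2 is an unknown variant
    print(syn_rate_alerts(pkts))   # the SYN burst, which no payload signature describes
```

The signature pass reports the V1 request and nothing else: the V2 variant is missed because nobody has written its signature yet, and the 40 SYNs are missed because each one has an empty payload. The rate check needs no signature at all, which is why a defense against floods has to look at traffic behaviour rather than packet content.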

In June 2003, the Gartner group classified IDS as a technology with little value to contribute to computer and network security, creating a passionate discussion in the security community. Gartner predicts that by year-end 2003, 90 percent of intrusion detection system deployments will fail if false positives are not reduced by 90 percent.

IDS systems are, however, still seen as a factor in identifying known forms of irregular network traffic and in justifying IT budgets. While network troubleshooting tools ("sniffers") show all traffic without providing any analysis of their own, IDS systems match known forms of irregular network traffic, even though they create large logs that are difficult and time-consuming for administrators to interpret.

Quality-of-Service (QoS) Systems

The development of Quality-of-Service systems was geared to overcome drawbacks in the TCP/IP protocol for network-based applications that require a consistent stream of data (for example, IP telephony or video-streaming applications). While other network protocols such as the Asynchronous Transfer Mode ("ATM") communication protocol have built-in provisions to allocate and reserve bandwidth for applications, this feature is not present in TCP/IP.

With the emerging Denial-of-Service attacks, an attempt was made to use the same QoS technology to throttle traffic observed in these attacks. This approach has not proven successful, as it effectively aids a DoS attack. The "bad" DoS traffic generates significantly more bandwidth usage than the regular, valid (or "good") traffic. While QoS contributes to some extent to keep the infrastructure connected by throttling traffic during DoS attacks on specific TCP ports, it practically "drowns out" the good traffic.

During a bandwidth-flooding DoS attack on web port 80 (HTTP), the "bad" traffic consumes 95% or more of the bandwidth to this port. If throttled, "good" and "bad" traffic are treated equally by a QoS system, so almost none of the "good" traffic gets through.

In a low-level, application-based DoS attack (such as "Synk4") or a TCP/IP protocol attack, a QoS system provides no value, as the overall bandwidth use does not increase measurably, which is what would be needed to trigger the QoS settings.

Router Security: Access Control Lists (ACLs)

Routers direct traffic to the attached networks, and pass on traffic bound to other networks on the Internet. These routing functions are either static (passing packets to hard-configured IP number ranges within the networks attached to the router) or dynamic (using protocols such as BGP4[1], the dynamic routing protocol providing the redundant infrastructure of the Internet, or OSPF, by which a router learns and updates changing IP number ranges for connectivity to other routers).

Routers can add security to networks by applying filtering techniques such as Ingress/Egress configuration to validate source addresses (not widely implemented, as it provides few benefits for the owner of the router and slows down performance) and Access Control Lists ("ACLs"). While ACLs can provide some basic restrictions on which IP ranges can connect through a router (thus decreasing the processing load on a firewall), they add a significant processing load on the router itself. A router is typically not equipped with an abundance of processing power; as each incoming packet has to be checked against the entire Access Control List, router performance drops the longer the ACL becomes. Deploying routers with far more CPU power than the network connections they serve would otherwise need is costly, hard to justify per connection, and can still be overwhelmed by Denial-of-Service attacks.

The number of TCP and UDP ports in use is limited. Among those, the most popular ports are 80 (HTTP, the "web" port, which is also the most attacked one), 443 (encrypted HTTP), 25 and 110 (sending and receiving e-mail), 22 (SSH for secure remote access), and 20 and 21 (FTP). On the UDP side, port 53 (DNS) and the ports used for Voice-over-IP (VoIP) are the most used, running critical services.

While only a fairly extensive ACL can provide more than basic security settings, such an ACL defeats the device's function as a router. In addition, most TCP/IP protocol and Denial-of-Service attacks cannot be detected by routers and their Access Control Lists.
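The cost argument above (every packet is compared against the ACL in order until a rule matches, so the price of a lookup grows with the list) can be made concrete with a small first-match evaluator. This is an added example, not Melior's code and not any router vendor's ACL syntax; the rule format, the documentation-range addresses and the `blocklist_acl` helper are constructed for the illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port


def parse_acl(text):
    """One rule per line: '<permit|deny> <src-cidr> <dst-cidr> <tcp|udp|any> <port|any>'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, proto, port = line.split()
        rules.append(AclRule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                             proto, None if port == "any" else int(port)))
    return rules


def evaluate(rules, src, dst, proto, dport):
    """Sequential first-match lookup, the way a classic router ACL is walked.
    Returns (action, rules_examined). A packet that matches nothing falls through
    to the implicit deny only after every rule has been examined."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, rule in enumerate(rules, start=1):
        if (src_ip in rule.src and dst_ip in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action, n
    return "deny", len(rules)


# Constructed ACL for a small web/DNS site (documentation address ranges).
BASE_ACL = """
deny   198.51.100.0/24 192.0.2.0/24    any any
permit 0.0.0.0/0       192.0.2.10/32   tcp 80
permit 0.0.0.0/0       192.0.2.10/32   tcp 443
permit 0.0.0.0/0       192.0.2.20/32   udp 53
"""


def blocklist_acl(n_hosts):
    """Constructed ACL with n_hosts single-host deny entries in front of the web permit,
    the shape an ACL grows into when individual sources are blocked one at a time."""
    lines = [f"deny {ipaddress.ip_address(0x0A000000 + i)}/32 192.0.2.0/24 any any"
             for i in range(n_hosts)]
    lines.append("permit 0.0.0.0/0 192.0.2.10/32 tcp 80")
    return parse_acl("\n".join(lines))


if __name__ == "__main__":
    rules = parse_acl(BASE_ACL)
    print(evaluate(rules, "203.0.113.9", "192.0.2.10", "tcp", 80))   # ('permit', 2)
    print(evaluate(rules, "203.0.113.9", "192.0.2.10", "tcp", 22))   # ('deny', 4) implicit
    for n in (10, 100, 1000):
        # the same legitimate web request costs one more comparison per blocked host
        print(n, evaluate(blocklist_acl(n), "203.0.113.9", "192.0.2.10", "tcp", 80))
```

Two things to notice: a packet that no rule matches pays for the whole list before hitting the implicit deny, and a legitimate web request behind a 1000-entry host blocklist costs 1001 comparisons, which is exactly the per-packet load the paragraph warns about. Note also that every rule field is an address, protocol or port; a malformed-flag or protocol-state attack is simply not expressible in this vocabulary, which is the second limitation the text names.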

While dynamic routing protocols such as BGP4 and OSPF are necessary and critical for a redundant connectivity architecture within enterprise networks and the Internet itself, they are also often targets of attacks themselves. Due to the lack of authentication procedures, there is so far no known remedy for BGP4 poisoning attacks, which feed invalid data into the dynamic configuration of a BGP4 router and thus disable its function.

"TCP Intercept" is another attempt to filter traffic at the router level (for example as an option in the Cisco IOS router operating system). Due to the nature of routers, this function requires the router to build a stateful table of intercepted connections, which creates a severe vulnerability. Attackers can saturate this table easily; the severity of the vulnerability outweighs the benefit of the feature.

Firewalls

Firewalls were the first steps towards improved security, and have undergone a long development cycle. The fundamental purpose of a firewall is to limit the availability of TCP and UDP connection ports from 65,535 each to those actually in use. These ports fall into three categories: "well known ports" are those from 0 through 1,023, "registered ports" are those from 1,024 through 49,151, and "dynamic" or "private ports" are those from 49,152 through 65,535.


A CSI/FBI study found 90% of all attacks bypass firewalls.

Firewalls limit access to the ports allowed, and monitor both valid and invalid connection attempts, thus generating large logs. The content of those logs today consists largely of low-level scans, which makes it very difficult for administrators to find the entries relevant to serious attempts to compromise a firewall or the infrastructure it protects; the logs thus remain largely unchecked.

The development of firewalls went from simple "port allow/deny" firewalls to "application proxy" firewalls and then to the "stateful inspection of established connections". None of these approaches provides a final solution; they represent an adaptation to the evolving threat levels.

An application proxy firewall is a software application that runs on a server between a network and the server (for example, an HTTP proxy for a Web server). The proxy firewall runs an HTTP server that looks like the destination server when viewed externally; it looks like the requesting client browser when viewed internally. This "server in the middle" offers the security administrator an opportunity to establish rules about what type of traffic can be accepted or blocked. A robust application proxy firewall would need to run an instance of every application that it defended, including Web servers, database servers, Internet relay chat, File Transfer Protocol, Telnet, e-mail, Morpheus, and an enterprise's custom applications. Application proxies failed to succeed in the firewall market because of the need to address the multitude of applications. In addition, invoking an application adds too much latency to enable network processing at wire speeds.

Stateful inspection firewalls face the challenge of throughput. Stateful inspection was developed to improve throughput by allowing a rule to be applied once, at the initiation of a session. A stateful inspection firewall looks at packet headers to make a decision based on a rule set; the decision to block or allow is then applied to all subsequent packets in the session (a session being defined by source, destination, protocol, and a time factor). A stateful inspection firewall is therefore a packet processor, a network device that can scale to the multi-gigabit speeds needed in Internet data centers and some enterprises. However, application defenses require more awareness of payload content and the ability to inspect it at wire speed. Web services will require high-speed parsing of XML and Simple Object Access Protocol (SOAP) objects, and applying security policies to these applications will require the ability to perform 100 percent inspection of packet payloads.
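The session model described above, and the state-table exhaustion problem raised earlier for "TCP Intercept", can both be shown with a miniature stateful filter. The following is an added example written for this page; it is not Melior's product, nor any firewall vendor's implementation. The rule set (permitted destination ports), the session key (source, destination, protocol, ports), the idle timeout, the table bound and the traffic lines are all constructed assumptions:

```python
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    allowed_ports: set                         # destination ports on which inbound sessions may start
    idle_timeout: float = 30.0                 # seconds a session survives without traffic
    max_sessions: int = 10000                  # hard bound on the state table
    table: dict = field(default_factory=dict)  # 5-tuple -> timestamp of last packet

    def _expire(self, now):
        """Drop sessions that have been idle longer than idle_timeout (the "time factor")."""
        for key in [k for k, last in self.table.items() if now - last > self.idle_timeout]:
            del self.table[key]

    def _find(self, src, sport, dst, dport, proto):
        """A tracked session matches packets in both directions."""
        forward = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if forward in self.table:
            return forward
        if reverse in self.table:
            return reverse
        return None

    def process(self, now, src, sport, dst, dport, proto, flags=""):
        """Decide one packet. Only a session-initiating packet (TCP SYN) is checked
        against the rule set; every later packet is decided by the state table alone."""
        self._expire(now)
        key = self._find(src, sport, dst, dport, proto)
        if key is not None:
            self.table[key] = now
            return "allow"
        if proto == "tcp" and flags == "S":
            if dport in self.allowed_ports and len(self.table) < self.max_sessions:
                self.table[(src, sport, dst, dport, proto)] = now
                return "allow"
        return "drop"  # no state and not a permitted session start


def run(fw, log):
    """Feed constructed log lines 'ts src sport dst dport proto [flags]' through fw."""
    decisions = []
    for line in log.splitlines():
        ts, src, sport, dst, dport, proto, flags = (line.split() + [""])[:7]
        decisions.append(fw.process(float(ts), src, int(sport), dst, int(dport), proto, flags))
    return decisions


# Constructed traffic (documentation address ranges), one packet per line.
SAMPLE_LOG = """\
0.0  10.0.0.5    40001 192.0.2.10 80 tcp S
0.1  192.0.2.10  80    10.0.0.5   40001 tcp SA
0.2  10.0.0.5    40001 192.0.2.10 80 tcp PA
0.3  10.0.0.6    40002 192.0.2.10 23 tcp S
0.4  10.0.0.7    40003 192.0.2.10 80 tcp A
45.0 10.0.0.5    40001 192.0.2.10 80 tcp PA
"""


def web_only_decisions():
    """Expected: allow, allow, allow, drop (port 23 not permitted),
    drop (mid-stream packet with no state), drop (session idle-timed out)."""
    return run(StatefulFirewall(allowed_ports={80, 443}), SAMPLE_LOG)


def saturation_decisions(max_sessions=3):
    """Why the table must be bounded and must time out: four session starts on a
    permitted port with room for three, then a fifth after the entries have expired."""
    fw = StatefulFirewall(allowed_ports={80}, idle_timeout=30.0, max_sessions=max_sessions)
    log = "\n".join(f"{i * 0.1:.1f} 10.0.1.{i} 5000{i} 192.0.2.10 80 tcp S" for i in range(1, 5))
    log += "\n60.0 10.0.1.9 50009 192.0.2.10 80 tcp S"
    return run(fw, log)


if __name__ == "__main__":
    print(web_only_decisions())     # ['allow', 'allow', 'allow', 'drop', 'drop', 'drop']
    print(saturation_decisions())   # ['allow', 'allow', 'allow', 'drop', 'allow']
```

The rule set is consulted exactly once per session, on the SYN; the reply and the data packet pass on state alone, which is what buys the throughput the paragraph describes. The same design explains the weakness the page attributes to "TCP Intercept": the state table is finite, so once it is full even legitimate session starts on a permitted port are refused until idle entries age out. Bounding the table and expiring entries keeps the device itself up; it does not, by itself, tell good session starts from bad ones.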

The current trend in firewalls (starting in late 2002) is to develop In-Line Scanner devices ("deep packet inspection"), which should work in real-time (i.e. wire speed) and apply security policies based on application content, source, destination, and port; essentially the determination between "good" and "bad" packets by inspecting deeper into the packet stream.

Gartner predicts that by 2005, enterprises will no longer use software-based application proxy firewalls, and that by 2006, enterprises that rely on only proxy and stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep packet inspection approaches.

The leading commercial firewalls (Cisco PIX, formerly NTI; Checkpoint Firewall, Secure Computing, etc.) do not incorporate this technology yet.

Web services are forcing perimeter defenses to be more aware of what types of traffic they allow to access the network via port 80 as code (such as SOAP elements) and control messages (such as XML statements).

In recent developments, Check Point Software Technologies' add-on product "SmartDefense" enables their product to look for common attacks and drop sessions associated with them. This is the same approach as used in IDS and Anti-Virus solutions, where "known" forms of attacks are defined, downloaded to each firewall, and compared to observed traffic; "unknown" (or new) forms of attacks are not recognized or defended against. Previous Check Point add-on products (such as "SynDefender") made the problem worse. While adding some capabilities, a Check Point [1] also equipped with "SynDefender" not only becomes unavailable for the duration of a "Synk4" attack, but needs to be completely re-installed, including license keys and a restore of the user-defined access rule base.

None of these solutions incorporates the ability to truly differentiate between "good" and "bad" packets, and none provides an effective, real-time (i.e. wire-speed) defense against (distributed) Denial-of-Service attacks.

Firewalls remain vulnerable themselves against TCP/IP protocol and Denial-of-Service attacks.
[1] Melior, Inc. owns the domain name "BGP4.com"
 
© Copyright 1987 - 2006 Melior, Inc. - CyberWarfare Defense