CERT

Chapter 11

Denial-of-Service Incidents

The Internet Worm incident in the first week of November 1988 was the incident that resulted in the establishment of the CERT®/CC, as discussed in Chapter 3. It was also the first widespread denial-of-service attack on the Internet. Service was denied in two ways. First, infected hosts were rendered useless because their processing capability was absorbed by multiple copies of the worm program. Until all copies of the worm were removed, these hosts were not available for their intended use. Second, although most hosts on the Internet were never infected by the worm, the fear of infection effectively "shut down" the Internet for several days as many sites disconnected from the network as a defensive measure [Hug95:142].

Since the Internet Worm, there has not been another large-scale denial-of-service incident on the Internet. On the other hand, operating systems for host computers on the Internet provide few protections from denial-of-service attacks [GaS96:759]. It would, therefore, seem possible that denial-of-service incidents could become widespread on the Internet. As will be shown in this chapter, however, these types of incidents were apparently not widespread during the period of this study. This chapter presents the limited denial-of-service incidents that have been reported to the CERT®/CC.

11.1. Denial-of-service Definition and Types

The baseline security that every user needs from a computer system is availability. Hardware and software must be kept working efficiently or else they become useless [RuG91:10]. If computer hardware, software, and data are not kept available, productivity can be degraded, even if nothing has been damaged [ISV95:20]. Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied [Coh95:55].

An attack, however, is an intentional act. A denial-of-service attack, therefore, is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user [Amo94:4]. These attacks don't necessarily damage data directly, or permanently (although they could), but they intentionally compromise the availability of the resources [RuG91:10].

An attacker carries out a denial-of-service attack by making a resource inoperative, by taking up so much of a shared resource that none of the resource is left for other users, or by degrading the resource so that it is less valuable to users. Those shared resources are reached through processes and can include other processes, shared files, disk space, percentage of CPU, modems, etc. [GaS96:759].

Figure 11.1. Denial-of-Service Attack Methods (figure; text recovered from the diagram)

Results:  Corruption of Information | Disclosure of Information | Theft of Service | Denial-of-service
Targets:  Users | Hosts | Networks
Methods (Denial-of-service):
  Destruction:           1 - all disk files       2 - individual files
  Process Degradation:   3 - multiple processes   4 - CPU overload   5 - network application   6 - network service
  Storage Degradation:   7 - Disk                 8 - I-nodes
  Process Shutdown:      9 - commands            10 - software bug
  System Shutdown:      11 - commands            12 - software bug

Denial-of-service attacks over the Internet can be directed against three types of targets: a user, a host computer, or a network. This is shown in Figure 11.1, which expands a portion of the taxonomy developed in Chapter 6. Following the process in Figure 6.9, an attacker must begin a denial-of-service attack by using tools to exploit vulnerabilities and then either obtain unauthorized access to an appropriate process or group of processes, or to use a process in an unauthorized way. The attacker then completes the attack by using some method to destroy files, degrade processes, degrade storage capability, or cause a shutdown of a process or of the system.

This chapter presents a general discussion of these categories of denial-of-service attack. The frequency of specific methods of attack are discussed in Chapter 8 and in Appendix A.

11.1.1 Destruction - If an attacker obtains access to user, host, or network files, the attacker could delete or corrupt some or all of these files. The effect could be to deny the use of these files. At the user level, an attacker could delete some or all of the account's files, rendering the account unusable. At the host level, critical system files could be deleted. On Unix systems, this could be files such as the /etc/passwd file, or files containing the system's programs. All files on the host's hard disk could also be removed, or the disk itself could be reformatted [GaS96:760]. This would make the host computer inaccessible or unusable to all users. At the network level, network files could be destroyed. The network or some of its services could then be degraded or unavailable.

Computer viruses (self-replicating, autonomous computer code fragments [RuG91:79]), or worms (self-replicating complete programs) often contain destructive payloads which corrupt or destroy some or all of a system's files. When a virus or worm operates in this manner, it would be causing denial-of-service.

Denial-of-service can be caused in a different way by the flash family of programs occasionally used on the Internet. These programs are designed to use the talk program to send control characters intended to cause changes in system terminal settings, which can cause the keyboard to lock, the screen to be unusable, or files to be corrupted [GaS96:333]. Electronic mail can also be used to send these control characters [Par90:545].

Another example of a method of denial-of-service through the destruction of files is found in some types of attacks against Usenet newsgroups or bulletin board systems. An example of an attack would be to delete postings by other users. Service to that user and the other users of that service would then be denied.

Not all cases of file destruction should be considered a denial-of-service attack. For example, an attacker could delete a user's data files with the intention of destroying the user's stored information. This would be different than removing the user account itself, which would deny service to the user. The distinction between these is exact, but its classification also requires some understanding or speculation about the attacker's intentions. If the attacker's objective is to destroy information, then this would be in the "corruption of information" category. If the attacker's intention is to prevent the use of computer or network capabilities, then this would be considered in "denial-of-service." This potential problem is discussed in Chapter 13, where the taxonomy's utility is evaluated.

11.1.2 Process Degradation - Instead of destroying files, denial-of-service could be accomplished through overloading processes on a host computer to such a point that the users' ability to use the resource is degraded either by reduced performance, or by the resource becoming unavailable. This can take place in two ways. First, an attacker could connect to a host across the Internet and then spawn multiple processes on the host to the point where the host could no longer support any new processes, either for an individual user, or for all the users on the target host computer. The targeted user, or users, would then not be able to run processes of their own [GaS96:761]. Programs that accomplish this are sometimes referred to as fork bombs. A second method would be to slow the host computer by spawning many processes that consume large amounts of central processing unit (CPU) time, causing a CPU overload [GaS96:764].

An attacker does not need to connect directly to a command interface on a host computer to cause a process degradation. An attacker could instead direct an attack against network processes. Figure 11.2 shows the layering for the primary Internet protocol suite, Transmission Control Protocol/Internet Protocol (TCP/IP) [Cer93:83]. In the classification shown in Figure 11.1, attacks against processes conceptualized at the application layer in a network protocol suite are classified as attacks directed at a network application and attacks against processes conceptualized to be at lower layers are considered directed at a network service.

  Target                Layer         Examples
  -------------------   -----------   ------------------------------------------------
  Network Application   Application   HTTP, FTP, Telnet, SMTP (mail), Finger, X-Windows
  Network Service       Transport     UDP, TCP, TP4, Routing
                        Internet      ICMP, IP, CLNP, Ping
                        Subnetwork    Ethernet, X.25, FDDI, Token Ring
                        Link          HDLC, PPP, SLIP
                        Physical      RS232, V.35, 10BaseT, fiber, etc.

Figure 11.2. Internet Protocol Layering Compared to Network Process Categories

For both network services and network applications, the denial-of-service attack method is to send a flood of network requests to a server program (daemon) on a host computer.

These requests can be initiated in a number of ways, many intentional. The result of these floods can cause [a] system to be so busy servicing interrupt requests and network packets that it is unable to process regular tasks in a timely fashion [GaS96:775].

One type of network attack directed against network services is a broadcast storm. Although broadcast storms usually occur through faulty software or failing hardware, they can be used for intentional attack [GaS96:777]. Broadcast storms result when

. . . a host receives a broadcast, decides it needs to be responded to, and then blindly sends the response back out to the destination address, resulting in another broadcast. A few hosts doing this, perhaps infinitely as they respond to the new broadcasts with more broadcasts, can cause the network to freeze up entirely [LyR93:452].

The nuke family of programs sometimes used on the Internet is similar to a broadcast storm in that it accomplishes denial-of-service at the network service layer by overloading a system with Internet Control Message Protocol (ICMP) "Echo" or "Destination Unreachable" messages [GaS96:461]. These are commonly called Ping floods, or ICMP bombs.

In some cases, requests for network services only need to be initiated in order to cause denial-of-service. An attacker could send multiple requests to initiate a connection but then fail to respond to the network server, which would prevent completing the connection. The network server would then have multiple half-open connections waiting to time out, which would consume network resources [GaS96:778].
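The half-open connection behaviour described above can be made concrete with a small model of the server side. The following is an added example, not code from the thesis or from the CERT®/CC: it simulates a server's table of pending connection requests (a request arrives, a slot is allocated, the slot is released when the client's final acknowledgement arrives or when a timeout expires). The capacity, timeout and client addresses are constructed values; the point it shows is that abandoned requests hold slots for the full timeout, so a well-behaved client is refused until those entries expire, and a shorter timeout or larger table restores service sooner.

```python
"""Model of a server's table of half-open (pending) connections.

Added example with constructed parameters. Each connection request from a
client occupies one slot until the client completes the handshake or the
entry times out; the table has a fixed capacity, as a real kernel's does.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int            # maximum number of pending entries
    timeout: float           # seconds an entry may wait for the final acknowledgement
    pending: dict = field(default_factory=dict)   # client -> time the request arrived
    established: int = 0
    refused: int = 0

    def expire(self, now: float) -> int:
        """Discard pending entries older than the timeout; return how many were dropped."""
        stale = [client for client, t in self.pending.items() if now - t > self.timeout]
        for client in stale:
            del self.pending[client]
        return len(stale)

    def on_request(self, client, now: float) -> bool:
        """Client -> server: connection request. True if a slot was allocated."""
        self.expire(now)
        if client in self.pending:
            return True                      # retransmitted request; slot already held
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False                     # table full: this request is refused
        self.pending[client] = now
        return True

    def on_complete(self, client, now: float) -> bool:
        """Client -> server: final step of the handshake. True if the connection is established."""
        self.expire(now)
        if client not in self.pending:
            return False                     # entry expired or never existed
        del self.pending[client]
        self.established += 1
        return True


def run_scenario(capacity: int, timeout: float, silent_requests: int):
    """Constructed traffic: `silent_requests` clients send a request at t=0 and
    never complete it; a well-behaved client then tries at t=1 and again just
    after the timeout. Returns (first_attempt_ok, second_attempt_ok,
    pending_entries_left)."""
    table = HalfOpenTable(capacity=capacity, timeout=timeout)
    for i in range(silent_requests):
        # constructed client identities (documentation address range)
        table.on_request(("198.51.100.%d" % (i % 250), 40000 + i), now=0.0)
    good = ("192.0.2.10", 51000)
    first = table.on_request(good, now=1.0) and table.on_complete(good, now=1.0)
    # once the abandoned entries have timed out, their slots are released
    later = timeout + 1.0
    second = table.on_request(good, now=later) and table.on_complete(good, now=later)
    return first, second, len(table.pending)


if __name__ == "__main__":
    print(run_scenario(capacity=8, timeout=75.0, silent_requests=8))   # (False, True, 0)
    print(run_scenario(capacity=8, timeout=75.0, silent_requests=3))   # (True, True, 0)
```

Reading the two runs side by side: when the number of never-completed requests reaches the table's capacity, the legitimate client is refused on its first attempt and succeeds only after the timeout has released the abandoned entries; when the table has headroom, both attempts succeed. Monitoring the count of pending entries and the refused counter, rather than only completed connections, is what makes this condition visible to an operator.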

There are even some cases where a single packet could cause system problems and denial-of-service. This occurs when a process does not properly check for a packet to be of the correct form when it is received. In the case of the ping utility, an assumption is often inadvertently made by programmers implementing this utility that incoming packets will be small. In some instances, a large packet sent to the ping utility can cause systems to shut down (the so-called "ping of death").
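The "ping of death" is a case of the missing form check described in this paragraph: an oversized ICMP Echo datagram arrives as IP fragments, and the sum of a fragment's offset and its data length exceeds the 65,535-byte maximum that a reassembly buffer is sized for. The following is an added example, not code from the thesis; it parses the relevant IPv4 header fields and applies the bounds check that a reassembly routine should perform before copying fragment data. The `build_fragment` helper constructs test packets with documentation addresses and no checksum, purely so the check can be exercised offline.

```python
"""Bounds check on IPv4 fragments before reassembly.

Added example (not from the thesis). A fragment is rejected if its data,
placed at its fragment offset, would extend the reassembled datagram past
the 65,535-byte maximum defined for IPv4.
"""
import struct

IP_MAX_DATAGRAM = 65535          # maximum reassembled IPv4 datagram size
MORE_FRAGMENTS = 0x2000          # "MF" flag bit in the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in units of 8 bytes


def parse_ipv4_header(packet: bytes):
    """Return (header_len, total_length, more_fragments, fragment_offset_bytes)
    from the fixed part of an IPv4 header. Raises ValueError if the header is
    truncated or inconsistent with the bytes actually received."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20:
        raise ValueError("not a valid IPv4 header")
    if total_length < header_len or total_length > len(packet):
        raise ValueError("total length field does not match the packet")
    more_fragments = bool(flags_frag & MORE_FRAGMENTS)
    fragment_offset_bytes = (flags_frag & FRAG_OFFSET_MASK) * 8
    return header_len, total_length, more_fragments, fragment_offset_bytes


def fragment_is_acceptable(packet: bytes) -> bool:
    """True only if the fragment's data fits inside a maximum-size datagram.
    A reassembly routine that assumed incoming datagrams are small and
    skipped this check could be overrun by a fragment placed near the end."""
    try:
        header_len, total_length, _more, offset = parse_ipv4_header(packet)
    except ValueError:
        return False
    data_len = total_length - header_len
    return offset + data_len <= IP_MAX_DATAGRAM


def build_fragment(offset_bytes: int, payload: bytes, more_fragments: bool) -> bytes:
    """Construct a minimal IPv4 fragment for testing (constructed addresses,
    checksum left at zero). offset_bytes must be a multiple of 8."""
    if offset_bytes % 8 or offset_bytes >= 65536:
        raise ValueError("invalid fragment offset")
    total_length = 20 + len(payload)
    if total_length > 65535:
        raise ValueError("single fragment exceeds the total length field")
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0x1234, flags_frag,
                         64, 1, 0,                       # TTL, protocol (ICMP), checksum
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


if __name__ == "__main__":
    normal = build_fragment(0, b"\x08\x00" + b"\x00" * 54, more_fragments=False)
    print(fragment_is_acceptable(normal))                                    # True
    # last possible offset plus 8 bytes of data: reassembled size would be 65,536
    print(fragment_is_acceptable(build_fragment(65528, b"\x00" * 8, False)))  # False
```

The check costs one addition and one comparison per fragment and needs no knowledge of the other fragments, so it belongs at the point where the fragment is first accepted, not only at the end of reassembly.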

11.1.3 Storage Degradation - A similar, although distinguishable, method of attack is aimed at consuming disk storage capacity on the target host or network of hosts. Since a disk has finite capacity, if an attacker fills up a user's disk quota, or fills up the space available for all users, then the user's account or the entire host, will not be available for use until the disk full condition is changed [GaS96:764]. An attacker can either create too many files for the system, or a few files that are too large. The same is true for a network, where the files may be distributed across multiple computers.

An example of such an attack is "mail bombardment," or "mail spam." The attacker accomplishes this attack by flooding a user, or group of users, with numerous, perhaps thousands, of electronic mail (e-mail) messages [ISV95:13], by flooding the user with very large messages, or by flooding the user with messages that carry large attachments. Any of these would quickly fill up a user's Mailbox, which would then deny the user access to e-mail, and perhaps all system services. Depending on how the system is configured, this could cause the system to run out of storage space and then stop processing for all users on the host or network. The attacker could also easily forge the "From:" block in these messages, which would disguise their origin.
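A mail administrator's first line of defence against the bombardment just described is to notice it early, before the mailbox or the spool fills. The following is an added example, not code from the thesis; it slides a time window over a delivery log and flags any recipient who receives more than a set number of messages, or more than a set number of bytes, within the window. The log format, the thresholds and the log lines themselves are constructed for the example. Because the "From:" line can be forged, the detector keys on the recipient and only reports the number of distinct sender addresses as supporting evidence.

```python
"""Detect mail bombardment in a delivery log (added example, constructed data).

Log line format assumed here: "<ISO timestamp> <sender> <recipient> <size_bytes>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed delivery-log lines, not real traffic."""
    lines = [
        "1995-03-02T09:00:00 alice@example.org bob@example.net 1200",
        "1995-03-02T09:30:00 dave@example.org bob@example.net 800",
        "1995-03-02T10:05:00 alice@example.org bob@example.net 2400",
        # two very large messages to one user: a volume flood, not a count flood
        "1995-03-02T11:00:00 eve@example.org carol@example.net 3000000",
        "1995-03-02T11:01:00 eve@example.org carol@example.net 3000000",
    ]
    # a burst of 25 small messages in four minutes, each with a different
    # (presumably forged) sender address
    base = datetime(1995, 3, 2, 10, 0, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} user{i}@forged.example victim@example.net 1500")
    return lines


def parse_line(line):
    ts, sender, rcpt, size = line.split()
    return datetime.fromisoformat(ts), sender, rcpt, int(size)


def find_mail_floods(lines, window=timedelta(minutes=10), max_msgs=20, max_bytes=5_000_000):
    """Return {recipient: {"messages", "bytes", "senders"}} for every recipient
    whose deliveries inside any `window` exceed either threshold. The counts
    reported are those at the moment the threshold was first crossed."""
    records = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)          # recipient -> deque of (ts, sender, size)
    flagged = {}
    for ts, sender, rcpt, size in records:
        q = recent[rcpt]
        q.append((ts, sender, size))
        while ts - q[0][0] > window:     # drop deliveries that fell out of the window
            q.popleft()
        total = sum(s for _, _, s in q)
        if rcpt not in flagged and (len(q) > max_msgs or total > max_bytes):
            flagged[rcpt] = {
                "messages": len(q),
                "bytes": total,
                "senders": len({s for _, s, _ in q}),
            }
    return flagged


if __name__ == "__main__":
    for rcpt, info in find_mail_floods(make_sample_log()).items():
        print(rcpt, info)
```

Run against the constructed log, the detector flags the burst to `victim@example.net` on the 21st message (21 distinct senders, which is itself a sign of forgery) and flags `carol@example.net` on the second 3 MB message, while `bob@example.net`'s three ordinary messages spread over an hour are never reported. In production the same window logic can drive a per-recipient delivery delay or quota rather than just an alert.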

A variation on this type of attack would be to create enough empty files on a disk or network file service to exceed the I-node capacity of the file system [GaS96:767]. I-nodes (index-nodes) are special tables associated with each file that list the attributes and disk addresses of the file. For small files, the I-nodes and all of the file are stored together. For larger files, the I-nodes contain addresses that point to other locations on the disk where other parts of the file are stored [Tan92:165]. If the supply of available I-nodes is exhausted, an I-nodes full condition, then the operating system cannot create a new file, even if disk space is available [GaS96:766].
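The two storage-degradation conditions above, a full disk and an exhausted supply of I-nodes, need to be monitored separately, because a host can report plenty of free space while being unable to create a single new file. The following is an added example, not code from the thesis, written against the `os.statvfs` fields that a POSIX system exposes (`f_blocks`, `f_bfree`, `f_frsize`, `f_files`, `f_ffree`); the `CONSTRUCTED` statistics and the 5% threshold are assumptions chosen to illustrate the I-nodes-full case with disk space to spare.

```python
"""Monitor a file system for the disk-full and I-nodes-full conditions.

Added example. FsStats mirrors the subset of os.statvfs fields the check
needs; CONSTRUCTED is made-up data for an offline run.
"""
import os
from collections import namedtuple

FsStats = namedtuple("FsStats", "blocks bfree frsize files ffree")

# Constructed statistics: 75% of blocks free, but only 2.4% of I-nodes free.
CONSTRUCTED = FsStats(blocks=2_000_000, bfree=1_500_000, frsize=4096,
                      files=500_000, ffree=12_000)


def from_statvfs(path: str) -> FsStats:
    """Read live statistics for the file system holding `path` (POSIX only)."""
    st = os.statvfs(path)
    return FsStats(st.f_blocks, st.f_bfree, st.f_frsize, st.f_files, st.f_ffree)


def assess(stats: FsStats, min_free_pct: float = 5.0):
    """Return the list of exhaustion conditions present: "disk full" when free
    blocks fall below the threshold, "i-nodes full" when free I-nodes do.
    Either one alone is enough to stop new files from being created."""
    problems = []
    if stats.blocks and 100.0 * stats.bfree / stats.blocks < min_free_pct:
        problems.append("disk full")
    if stats.files and 100.0 * stats.ffree / stats.files < min_free_pct:
        problems.append("i-nodes full")
    return problems


def files_until_exhausted(stats: FsStats, avg_file_bytes: int):
    """How many more files of the given average size the file system can hold,
    and which resource runs out first. Returns (count, "i-nodes" | "disk").
    Many tiny files exhaust I-nodes; a few huge files exhaust blocks."""
    blocks_per_file = max(1, -(-avg_file_bytes // stats.frsize))   # ceiling division
    by_blocks = stats.bfree // blocks_per_file
    by_inodes = stats.ffree
    if by_inodes <= by_blocks:
        return by_inodes, "i-nodes"
    return by_blocks, "disk"


if __name__ == "__main__":
    print(assess(CONSTRUCTED))                              # ['i-nodes full']
    print(files_until_exhausted(CONSTRUCTED, 100))          # (12000, 'i-nodes')
    print(files_until_exhausted(CONSTRUCTED, 1 << 20))      # (5859, 'disk')
    try:
        print(assess(from_statvfs("/")))                    # live check on this host
    except OSError as exc:
        print("statvfs unavailable:", exc)
```

The second function makes the relationship in the text explicit: on the constructed file system, 100-byte files run out of I-nodes after 12,000 files while 1 MiB files run out of blocks after 5,859, so a threshold on free space alone would never warn about the first case.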

Usenet newsgroups and bulletin board systems provide another possible way to degrade storage. In this case, an attacker makes numerous postings of material that is inappropriate or otherwise unwanted on one or more newsgroups or bulletin boards. These postings are commonly referred to as spam. Spam may result in more than just the irritation of the users. It takes up resources, makes systems slower to respond, and may stifle the use of these systems.

11.1.4. Shutdowns - The last two categories of denial-of-service attacks shown in Figure 11.1 are process shutdown and system shutdown attacks. In these types of attacks, the attacker aims at halting a process, or all processing, on a host or network. If the attacker has privileged access, this could be accomplished by issuing the appropriate commands to kill a process or shutdown the system completely. The kill command in Unix is an example of a command that could be used to terminate a process.

A complete system shutdown across a network may not be possible in some systems. On a Unix system, for example, a partial shutdown may be accomplished by running a program such as /etc/shutdown, which brings the system to the single-user mode [Sob95:497]. This would, however, result in the loss of network access for all users, including the attacker. An alternative would be to use the appropriate command to terminate processes on the host. For example, if logged in as a Unix superuser, an attacker could issue a command such as kill -9 0, which would terminate all processes and bring the system down [Sob95:624].

As shown in Figure 11.1, process or system shutdown could be caused by exploiting a software bug that causes the process or system to halt. In this case, an attacker has knowledge of a "silver bullet" command, or set of commands, that will crash the process or system. Just as with software bugs that are used to gain access, it is unlikely that such a command would be effective against all systems, but until the software bug is corrected, all systems of a certain type would be vulnerable.

11.2. History of Internet Denial-of-Service Attacks

11.2.1. Numbers of Attacks - The CERT®/CC has records of 104 denial-of-service incidents that took place on the Internet between 1989 and 1995. In addition, 39 other incident reports classified as either root-level or account-level break-ins also included denial-of-service attacks. These 143 incidents represent only 3.3% of the CERT®/CC incident reports. Of these 143 incidents, six took place at Site A, the case study site (discussed in Chapter 9). Figure 11.3 shows the average number of sites per day involved in denial-of-service incidents recorded by the CERT®/CC (including Site A). Because there are so few incidents in the CERT®/CC records, the incidents shown in Figure 11.3 were averaged over quarters.

Figure 11.3. Sites per Day Involved in Denial-of-service Attacks,

Averaged Over Each Quarter, as Recorded in CERT®/CC Records

A comparison to the size of the Internet is given in Figures 11.4 and 11.5. For Figure 11.4, the growth in Internet domains (discussed in Chapter 2) was used to determine the average sites per day per 100,000 Internet domains. If the rate of denial-of-service attacks matched the growth of Internet domains, we would expect to see a steady average. Instead, peaks occurred in 1990, 1992 and at the end of 1994. A simple linear least squares fit of the data in Figure 11.4 showed the slope to be positive, but not statistically different from zero (α = 5%).

Figure 11.4. Sites per Day Involved in Denial-of-service Attacks, per 100,000 Internet Domains

Averaged Over Each Quarter, as Recorded in CERT®/CC Records [Lot92; Lot96]

The pattern shown in Figure 11.4 may be influenced somewhat by the reduction in the number of Internet hosts per Internet domain after 1993, as shown in Chapter 2 (Figure 2.8). For Figure 11.5, the growth in Internet hosts (discussed in Chapter 2) was used to determine the average sites per day per 10,000,000 Internet hosts. Again, if the rate of denial-of-service attacks matched the growth of Internet hosts, we would expect to see a steady average. Instead, a large peak is shown in 1992, and smaller peaks are shown in 1990, and at the end of 1994. With these exceptions, however, the rate of denial-of-service reports to the CERT®/CC relative to the number of Internet hosts has been relatively constant, and presented this way, the decline in 1995 appears less significant.

Figure 11.5. Sites per Day Involved in Denial-of-service Attacks, per 10,000,000 Internet Hosts

Averaged Over Each Quarter, as Recorded in CERT®/CC Records [Lot92; Lot96]

The data from Figure 11.5 were fitted to a line using simple regression. The slope was found to be positive (0.13 sites/day/year/10,000,000 hosts), and statistically different from zero (α = 1%). This corresponds to an increase of around 50% per year (R² = 39.0%), which indicates denial-of-service was becoming a greater problem for the Internet during this period. The sample size, however, was small, with the absolute numbers being only 143 incidents (3.3% of all incidents).

11.2.2. Methods of Attack - Each of the 143 denial-of-service incidents in the CERT®/CC records used at least one of the methods in the categories of Figure 11.1. Five of these incidents included multiple methods of attack (a total of eight additional methods used were recorded). In addition, the Internet Worm of November 1988 was an additional denial-of-service attack not recorded in the early CERT®/CC records. Figure 11.6 shows these 152 instances of denial-of-service methods being used, classified according to attack method (Figure 11.1).

Figure 11.6. Denial-of-service Attacks by Method, as Recorded in CERT®/CC Records (figure; method legend recovered from the chart, see Figure 11.1)

  Destruction:           1. All disk files       2. Critical files
  Process Degradation:   3. Multiple processes   4. CPU overload   5. Network application   6. Network service
  Storage Degradation:   7. Disk full            8. I-nodes fill
  Process Shutdown:      9. Commands            10. Software bug
  System Shutdown:      11. Commands            12. Software bug

Aside from the overall low numbers of denial-of-service incidents, perhaps the most interesting aspect of CERT®/CC records of denial-of-service attacks can be seen in Figure 11.6: the small numbers of denial-of-service attacks resulting in the destruction of files. Even the 27 incidents shown were primarily minor attacks. First, the majority (15) of these incidents involved the use of variants of the flash program to send control characters to modify the files controlling the screen and keyboard of a host computer. The rest of the incidents involved the deletion of files on host computers, including the deletion of user accounts, the deletion of files on bulletin board systems, and one incident of the corruption of root name server files. Only one incident resulted in the deletion of all files on a host computer's hard drive. This was an incident where an intruder had broken into a computer at the root level and then found out he was being monitored. He removed all files on the hard drive before terminating his last connection.

More than 40% of denial-of-service instances in the CERT®/CC records were in the category of Process Degradation. Eight of the incidents were characterized by the intruder overloading a host computer with multiple processes - fork bombs. An additional incident, the Internet Worm, became a denial-of-service incident when copies of the worm on host computers spawned multiple copies, causing processing on these hosts to slow and usually terminate [ISV95:14]. The remaining process degradations were accomplished by repeated calling of network applications (finger, login, mail, IRC, talk and inetd), or with floods of ICMP and Ping messages (primarily nuke family programs).

Figure 11.7. Primary Category of Denial-of-service Attacks, as Recorded in CERT®/CC Records (figure; plotted within the following categories, see Figure 11.1)

  Destruction:           1. All disk files       2. Critical files
  Process Degradation:   3. Multiple processes   4. CPU overload   5. Network application   6. Network service
  Storage Degradation:   7. Disk full            8. I-nodes fill
  Process Shutdown:      9. Commands            10. Software bug
  System Shutdown:      11. Commands            12. Software bug

The largest single method used for denial-of-service attacks as recorded in CERT®/CC records was the use of mail spam to degrade storage capacity (49 incidents, 32% of instances). In another two incidents, this same result was achieved by using the file transfer protocol (FTP) to transfer large files to the host computer.

Finally, process or systems shutdown was achieved in 11 of the incidents. The methods used included terminating user connections (3 incidents IRC, 3 incidents telnet), commanding host computer shutdown (2 incidents), and exploiting software bugs to cause shutdown (3 instances). There were no instances of attacks directed specifically at overloading the CPU processing capability (Method 4), or specifically at exceeding the I-node capacity (Method 8).

Figure 11.7 shows these 152 instances of denial-of-service methods, plotted by method over time. There is some indication in this figure of the peak in sites per day at the end of 1994. The peak in 1992 is less visible, but it occurred when the Internet was smaller and the incidents at this time involved more sites per incident.

11.2.3. Additional Denial-of-service Attack Characteristics - Two additional characteristics of denial-of-service attacks were shown in CERT®/CC records. First, the average number of sites involved in denial-of-service incidents is relatively low compared to root and account level break-ins. The mean number of sites involved in the 4,299 incidents reported to the CERT®/CC between 1989 and 1995 was 6.5. On the other hand, the average number of sites per incident in the 104 denial-of-service incidents in this population was 3.7. These were statistically different according to a two-sample t-test assuming unequal variances [P(T ≤ t) one-tail = 0.0007].

In addition, 70% of these incidents involved only two sites: the attacking site and the target site. Only three of the incidents involved more than six sites. In fact, none of the denial-of-service incidents in the CERT®/CC records is of the order of magnitude of the Internet Worm, which involved 2,100 to 2,600 host computers, representing around 5% of the entire Internet at the time [RuG91:4].

The other additional characteristic of CERT®/CC denial-of-service records is that a large number of the attackers were apparently identified. Although the CERT®/CC records do not confirm that it was "relatively easy to figure out who was responsible" for the attacks, as postulated by Ritchie [GaS96:759], the attacker was reported in more than 50% of the denial-of-service incidents. This is significantly higher than the other incidents reported to CERT®/CC.

Chapter 12 gives an estimate of the total rate of denial-of-service attacks on the Internet using the information from this chapter and Chapter 9.

11.3. Summary of Denial-of-Service Incidents

The Internet Worm incident in the first week of November 1988 was a widespread denial-of-service attack. Since the Internet Worm, there has not been another large-scale denial-of-service incident on the Internet. On the other hand, the CERT®/CC records do not give any indication that Internet denial-of-service incidents could not become widespread.

A denial-of-service attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. These attacks don't necessarily damage data directly, or permanently (although they could), but they intentionally compromise the availability of the resources. An attacker carries out a denial-of-service attack by making a resource inoperative, by taking up so much of a shared resource that none of the resource is left for other users, or by degrading the resource so that it is less valuable to users. Those shared resources are reached through processes and can include other processes, shared files, disk space, percentage of CPU, modems, etc.

Denial-of-service attacks over the Internet can be directed against three types of targets: a user, a host computer, or a network. An attacker must begin a denial-of-service attack by using tools to exploit vulnerabilities and then either obtain unauthorized access to an appropriate process or group of processes, or to use a process in an unauthorized way. The attacker then completes the attack by using some method to destroy files, degrade processes, degrade storage capability, or cause a shutdown of a process or of the system.

Unlike other attacks reported to the CERT®/CC, denial-of-service incidents grew at a rate around 50% per year greater than the rate of growth of Internet hosts. This indicates that denial-of-service was becoming a greater problem for the Internet during this period, although the total number of denial-of-service incidents was small.

The largest single method used for denial-of-service attacks as recorded in CERT®/CC records was the use of mail spam to degrade storage capacity (49 incidents, 32% of instances). Another large category was process degradation (40% of the instances).

The average number of sites involved in denial-of-service incidents was found to be relatively low compared to root and account level break-ins. In addition, a large number of the attackers were apparently identified, compared to the average for all incidents.
