Thursday, July 21, 2011

How To Test a DDoS Mitigation System

Knowledge of DDoS attacks is mostly hearsay. Most people purchasing DDoS mitigation systems do not know how to choose between one system and another. This knol discusses a minimum feature set that you must test and benchmark to see the functionality and performance of a given DDoS mitigation system.


Introduction

Distributed Denial of Service (DDoS) attacks are becoming common now with the proliferation of botnets. Network managers and security managers are deploying DDoS mitigation systems. Since most DDoS mitigation systems are fewer than 5 years old today, there is a trust issue with them. Few have been tested by third parties such as the Tolly Group. Most people would rather test them in their own lab before deploying them.
There are well-known criteria for testing firewalls and Intrusion Prevention Systems (IPS). For DDoS mitigation systems, there is a need for a comprehensive set of test conditions.
This knol therefore focuses on identifying the different kinds of floods that can be tested against DDoS mitigation systems.
The reader is expected to create test benches and test scripts to carry out these tests.

Typical Test Benches

The following diagram shows a simple test bed. The appliances SmartBits and Avalanche are packet generators: SmartBits is used for creating session-less attack packets and Avalanche is used for creating sessions or attack sessions. Client PCs (PC1, PC2) and server PCs (PC3, etc.) are used for observing the results of mitigation. SmartBits and Avalanche here can be replaced with PCs running Linux/Windows with attack scripts.
The following diagram shows a more complex test bed. The appliances SmartBits and Avalanche are packet generators. Such setups are typically used for third-party performance tests.

DDoS Attack Types - A Broad Classification

DDoS attacks can be broadly classified into the following categories:
  • Spoofed floods vs. non-spoofed floods
    • A spoofed flood sends packets that seem to come from an IP that either does not exist or did not actually send the packet.
    • A non-spoofed flood, on the other hand, comes from real IP addresses. Due to the proliferation of botnets, it is quite common these days to see non-spoofed attacks coming from a large number of sources.
  • Anomalous header floods
    • These are packets which are typically generated by scripts. Scripts simply use loops to increment certain header parameters. Since many of these header parameter values may not be valid from a standards perspective, they are anomalous. Examples of these attacks are packets with invalid TCP flag combinations. If a packet has flags such as RST, FIN, SYN, and ACK set simultaneously, it is anomalous.
  • Anomalous state floods
    • Protocols such as TCP are stateful. They follow predefined state transition rules. When scripted bots generate attacks, they violate many of these rules. Examples of such attacks are ACK packets arriving without connection establishment, out-of-TCP-window packets, etc.
  • Limited sources vs. large number of sources floods
    • Some DDoS attacks are launched using a very limited number of sources while others are launched with a very large number of sources. It is easy to launch a spoofed attack with a seemingly large number of sources. To launch a non-spoofed attack from a large number of sources, you need control over a large botnet.
  • Layer 2, 3, 4 or 7 DDoS attacks
    • It is possible to launch DDoS attacks on different network layers.
    • Within a LAN, it is easy to launch a layer 2 DDoS attack. Examples could be a broadcast flood, ARP flood, RARP flood, etc.
    • Over the Internet, one can launch layer 3, 4 or 7 attacks.
    • Examples of layer 3 attacks are protocol floods such as ICMP floods, TCP floods and fragment floods. These are created using variation in the layer 3 headers.
    • Examples of layer 4 floods are port floods (TCP or UDP). In these attacks, a single port is continuously attacked. ICMP echo floods are also of this kind.
    • Examples of layer 7 floods are URL floods. In this attack, a single URL is continuously attacked from multiple sources.
  • Random header parameter attacks
    • It is easy to create DDoS attacks in which some specific header parameter is continuously varying. Examples are TCP random flag flooding, IP option flooding, TCP option flooding, etc.
  • Blended attacks
    • It is easy to create DDoS attacks in which many attacks are combined to further confuse the destination. An example is port floods on TCP and UDP simultaneously.

Attacks To Test Functionality and Performance

  • Spoofed SYN Flood Attack
    • This is a layer 4 spoofed flood in which the attacker sends TCP SYN packets whose source IP addresses are continuously changing.
  • Spoofed UDP Attack
    • This is a spoofed flood in which the protocol is UDP and the source address keeps changing.
  • Spoofed ICMP Attack
    • This is a spoofed flood in which the protocol is ICMP and the source address keeps changing.
  • Spoofed TCP SYN-ACK Attack
    • This is a spoofed TCP flood in which SYN-ACK packets are sent in an anomalous-state manner: no connection was established beforehand through a SYN packet.
  • Spoofed TCP FIN-ACK Attack
    • This is a spoofed TCP flood in which FIN-ACK packets are sent in an anomalous-state manner: no connection was established beforehand through a SYN packet.
  • Spoofed IP Attack
    • This is a spoofed IP protocol flood. Packets are not necessarily TCP, UDP or ICMP and can carry any protocol.
  • Spoofed IP Fragments Attack
    • This is a spoofed IP flood in which packets are fragmented, i.e. the fragment bit is set in the layer 3 IP header.
  • IP-UDP Fragments Attack
    • This is an IP flood in which packets are fragmented (the fragment bit is set in the layer 3 IP header) and belong to protocol 17 (UDP).
  • IP-ICMP Fragments Attack
    • This is an IP flood in which packets are fragmented (the fragment bit is set in the layer 3 IP header) and belong to protocol 1 (ICMP).
  • TCP/UDP Destination Port Attack
    • This is a layer 4 flood in which packets attack either a TCP or a UDP destination port.
  • Spoofed TCP-SYN / UDP / ICMP Blended Attack
    • This is a blended attack in which source IP addresses are spoofed and, at the same time, the protocol keeps changing between TCP, UDP and ICMP. The TCP packets are SYN packets.
  • Non-Spoofed TCP SYN-ACK Attack
    • This is a limited-source layer 4 flood in which TCP SYN-ACK packets are sent continuously without a formal connection establishment.
  • Non-Spoofed TCP SYN Attack
    • This is a limited-source layer 4 flood in which TCP SYN packets are sent continuously without any further packets being sent within the connection. The connections stay on the server until they time out from the SYN state.
  • Non-Spoofed TCP FIN-ACK Attack
    • This is a limited-source layer 4 flood in which TCP FIN-ACK packets are continuously sent without establishing formal connections.
  • Non-Spoofed TCP ACK Attack
    • This is a limited-source layer 4 flood in which TCP ACK packets are continuously sent without establishing formal connections.
  • HTTP Half-Connection Attack
    • Half-connections, or embryonic connections, are connections that have not completed. When such a SYN flood occurs on the HTTP port (80), it is called an HTTP half-connection attack. This is obviously a spoofed layer 4 attack.
  • Non-Spoofed UDP Attack
    • This is a limited-source layer 3 protocol flood in which the sources send IP protocol 17 (UDP) packets. Remember that this would be a layer 4 flood if the UDP port were fixed in all the packets.
  • Non-Spoofed DNS Attack
    • This is a limited-source layer 4 flood in which the sources send UDP packets with the destination port set to 53, which corresponds to the DNS protocol.
  • Non-Spoofed ICMP Attack
    • This is a limited-source layer 3 protocol flood in which the sources send IP protocol 1, which corresponds to ICMP. Remember that this would be a layer 4 ICMP type/code flood if a specific ICMP type and code were used in the attack packets.
  • Spoofed TCP ACK Flood
    • This is a spoofed layer 4 flood in which TCP ACK packets are continuously sent without establishing formal connections.
  • Non-Spoofed TCP NULL Flood
    • This is a limited-source layer 4 flood in which TCP packets are continuously sent without establishing formal connections. These packets have no flags set and therefore carry a header anomaly in the layer 4 header.
  • Spoofed TCP NULL Flood
    • This is a spoofed layer 4 flood in which TCP packets are continuously sent without establishing formal connections. These packets have no flags set and therefore carry a header anomaly in the layer 4 header.
  • Non-Spoofed TCP Random Flag Flood
    • This is a limited-source layer 4 flood in which TCP packets are continuously sent with randomly changing TCP flags. Due to the randomization, there may be a header anomaly in the layer 4 header, since some flag combinations are illegal. Examples of legal combinations are SYN-ACK and FIN-ACK. Examples of illegal flag combinations are SYN-FIN-RST-ACK, SYN-RST, etc.
  • Spoofed TCP Random Flag Flood
    • This is a spoofed layer 4 flood in which TCP packets are continuously sent with randomly changing TCP flags. Due to the randomization, there may be a header anomaly in the layer 4 header, since some flag combinations are illegal. Examples of legal combinations are SYN-ACK and FIN-ACK. Examples of illegal flag combinations are SYN-FIN-RST-ACK, SYN-RST, etc.
  • TCP Random Sequence and Acknowledgement Numbers
    • TCP is a connection-based stateful protocol that complements the datagram-oriented IP protocol it uses as an underlying protocol. It uses sequence numbers and acknowledgement numbers to ensure proper windowing and end-to-end ordered delivery. Normally the starting sequence number of a given connection is randomly chosen. Once chosen, the numbers follow a discipline. In a random sequence or acknowledgement number attack, these numbers are randomly chosen and varied. This can confuse the receiving end-point stack.
  • TCP Random Window Size
    • TCP is a connection-based stateful protocol that complements the datagram-oriented IP protocol it uses as an underlying protocol. It uses windowing to break large application data into segments and ensure proper end-to-end ordered delivery. The window size determines the number of bytes of data that can be sent before an acknowledgement from the receiver is necessary. In a random window size attack, the window sizes are randomly chosen and varied. This can confuse the receiving end-point stack.
  • TCP Random Option Value
    • The TCP options are located at the end of the TCP header. These options have been used to enhance the TCP protocol and include Maximum Segment Size (MSS), Window Scaling, Selective Acknowledgement (SACK), etc. In a random option value flood, the option values are changed randomly. Some of the combinations may be anomalous, and some values may be anomalous too, as they may be unassigned values.
  • TCP Random Data Length
    • The length of the TCP payload depends on the MTU (Maximum Transmission Unit) supported by the network; for normal Ethernet the MTU is 1500. This is the maximum amount of data available to IP, TCP and the application; it excludes the bytes of the Ethernet header and trailer. From these 1500 bytes you need to subtract the IP and TCP headers (normally 20 bytes each), leaving 1460 bytes available to the application. If the RFC 1323 Timestamp option is used (fairly common nowadays), it extends the TCP header by 12 bytes, leaving 1448 bytes. In a random data length attack, the payload size is randomly chosen.
  • TCP Checksum Error Flood
    • The TCP checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header and text. The checksum also covers a 96-bit pseudo header conceptually prefixed to the TCP header. This pseudo header contains the source address, the destination address, the protocol, and the TCP length. This gives TCP protection against misrouted segments. In a TCP checksum error flood, TCP segments with bad checksums are sent to overload the checksum validation logic.
  • IP Random Identification Flood
    • The IP Identification (IP-ID) field value in the IP header is used to uniquely identify the fragments of a particular datagram. Fragments of a particular datagram are reassembled if they have the same source, destination, protocol and identifier. The IP identifier field can have 65,536 different values. It is important for an operating system to have some sort of mechanism to control the identification numbers correctly. In this flood, the IP-ID field is randomly varied.
  • IP Random Fragment Flag and Offset Flood
    • The IPv4 header has a field called Flags related to fragmentation. This 3-bit field has a reserved bit followed by the Don't Fragment (DF) and More Fragments (MF) bits. A flood that continuously varies the above bits can confuse network devices. Just after the flags, there is a 13-bit fragment offset field. A flood that continuously varies this field can also cause confusion.
  • IP Random TTL Flood
    • The IPv4 header has an eight-bit time-to-live (TTL) field that helps prevent datagrams from going in circles on the Internet. Each intermediate network appliance that a datagram crosses decrements the TTL field by one. When the TTL field hits zero, the packet is no longer forwarded by a packet switch and is discarded. This flood sends packets with random TTL values.
  • IP Random Protocol Flood
    • IPv4 supports up to 256 protocol numbers. In this flood, the protocol field value is randomly changed while (possibly) keeping the rest of the packet header values similar.
  • UDP Checksum Error Flood
    • The UDP header has a checksum field. By sending wrongly computed checksum values, packets with an anomalous header can be flooded onto the network.
  • Non-Spoofed ICMP Echo Reply Flood
    • An ICMP echo request is typically used to detect the presence of a machine on the network. The machine responds with an ICMP echo reply. This flood continuously sends ICMP echo replies to an IP address. The sources are non-spoofed.
  • Spoofed ICMP Echo Reply Flood
    • Unlike the above, this flood uses spoofed IP addresses to send ICMP echo replies.
  • Non-Spoofed ICMP Type/Code Flood
    • ICMP allows 65535 combinations of type/code. This is a non-spoofed flood from a limited number of sources that randomly send a type/code flood.
  • Spoofed ICMP Random Type/Code Flood
    • This is a spoofed flood where a single but random ICMP type/code is flooded. The rest of the packet header may be similar across the packets.
  • Non-IP Flood
    • The Ethernet header allows different protocols. IP version 4 and version 6 are just two of them; there are other protocols too. In a non-IP flood, uncommon protocol values are used.
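The TCP checksum verification described under "TCP Checksum Error Flood" above, as an added Python example that is not part of the original knol: it recomputes the checksum over the 96-bit pseudo header plus the segment and counts the segments that fail, which is the figure a test bench reads off a mitigation device during such a flood. The addresses and segments are constructed, and build_segment exists only to produce test input.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of all 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum a TCP segment (header + payload) over the 96-bit pseudo header
    (source, destination, zero byte, protocol 6, TCP length) plus the segment
    with its own checksum field (bytes 16-17) zeroed, as RFC 793 specifies."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """True if the checksum carried in the segment matches the recomputed one."""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src, dst, segment)

def count_checksum_errors(src: bytes, dst: bytes, segments) -> int:
    """Number of segments failing verification: what a mitigation device should
    drop (and a test bench should count) during a checksum error flood."""
    return sum(not tcp_checksum_ok(src, dst, s) for s in segments)

def build_segment(src, dst, sport, dport, flags, payload=b""):
    """Constructed minimal 20-byte TCP header (seq/ack 0, window 65535) plus
    payload, with a correct checksum filled in; used only to make test input."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

# Constructed sample (hypothetical addresses): a well-formed SYN and the same
# SYN with its checksum field corrupted, as a checksum error flood would send.
SRC, DST = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
GOOD = build_segment(SRC, DST, 40000, 80, 0x02)
BAD = GOOD[:16] + b"\xde\xad" + GOOD[18:]

if __name__ == "__main__":
    print("good segment verifies:", tcp_checksum_ok(SRC, DST, GOOD))
    print("bad segments in sample:", count_checksum_errors(SRC, DST, [GOOD, BAD, BAD]))
```

Because the pseudo header is part of the sum, a segment whose destination address was rewritten in transit fails the same check, which is the misrouting protection the text mentions.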

Conclusion

There are many ways to test DDoS mitigation equipment. The conditions given above are just some examples. DDoS mitigation is a game of cops and robbers: attackers come up with new techniques, and therefore testers and equipment makers have to come up with new techniques to test and benchmark the equipment.


http://knol.google.com/k/how-to-test-a-ddos-mitigation-system