Protecting Web Servers from DoS/DDoS Flooding Attacks: A Technical Overview - PowerPoint PPT Presentation

About This Presentation
Title:

Protecting Web Servers from DoS/DDoS Flooding Attacks: A Technical Overview

Description:

DDoS Tools and Their Attack Methods. DoS/DDoS Exploited Vulnerability ... (DDoS) struck a huge number of prominent web sites including Yahoo, eBay, Amazon and Buy.com ...

Slides: 17
Provided by: Nour7

Transcript and Presenter's Notes

Title: Protecting Web Servers from DoS/DDoS Flooding Attacks: A Technical Overview


1
Protecting Web Servers from DoS/DDoS Flooding
Attacks A Technical Overview
  • Noureldien A. Noureldien
  • College of Technological Sciences
  • Omdurman, Sudan

2
Agenda
  • Introduction
  • DoS/DDoS Attack Methods
  • DDoS Tools and Their Attack Methods
  • DoS/DDoS Exploited Vulnerability
  • DoS/DDoS Defense Mechanisms
  • System Level Mechanisms
  • Network Level Mechanisms
  • Global Mechanisms

3
DoS/DDoS
  • DoS attacks are as old as the Internet itself
  • The year 2000 is when a completely new quality of DoS
    attack started (DDoS).
  • DDoS struck a huge number of prominent web
    sites including Yahoo, eBay, Amazon and Buy.com
  • DDoS concepts: distributing the attack across
    several hosts; coordinating the attack among
    many machines; using the distribution system to
    thwart all attempts at discovering the origin of
    the attack.

4
DoS/DDoS Flood Attack Methods
  • Smurf Attack
  • TCP SYN Attack
  • UDP Attack
  • TCP Attack
  • ICMP Attack

5
DoS/DDoS TCP SYN Attack
  • Exploits the three-way handshake

6
Smurf

7
DDoS Tools and Their Attack Methods
  • Trin00: UDP
  • Tribe Flood Network: UDP, ICMP, SYN, Smurf
  • Stacheldraht: UDP, ICMP, SYN, Smurf
  • TFN 2K: UDP, ICMP, SYN, Smurf
  • Shaft: UDP, ICMP, SYN
  • Trinity: UDP, SYN, RST, ACK

8
DoS/DDoS Exploited Vulnerability
  • Protocol Attacks
  • Brute-force Attacks
  • Filterable Attacks
  • Non-filterable Attacks

9
DoS/DDoS Defense Mechanisms
  • System level mechanisms
  • Network level mechanisms
  • Global mechanisms

10
System Level Mechanisms
  • Scanning Tools
  • Client Bottlenecks
  • Moving Target Defense

11
Network Level Mechanisms
  • Network mechanisms can be deployed at any of:
  • Victim-network
  • Intermediate-network
  • Source-network

12
Victim Network Mechanisms
  • Firewalls: enable a form of protection against
    SYN floods.
  • Active Monitoring: examples of active monitors
    are synkill from COAST Laboratory, The Nozzle,
    and The SYNDEF.
  • Load Balancing

13
Intermediate-Network Mechanisms
  • Ingress Filtering
    Deployed by ISPs to drop packets with source IP
    addresses outside the range of a customer's
    network, so that attackers cannot use forged
    source addresses to launch a DoS attack.

14
Source-Network Mechanisms
  • Egress Filtering
    Prevents one's own network from being the source
    of forged communications used in DoS attacks.
  • MULTOPS Bandwidth Attack Detection
    Detects the IP addresses that participate in a
    DDoS attack, so that measures can be taken to
    block only these particular addresses.
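
The source-address check behind ingress filtering (slide 13) and egress filtering (slide 14), as an added Python example that is not part of the original presentation. The interface names, prefixes and sample packets are constructed (documentation address ranges); the same check serves as egress filtering when a network applies it to its own outbound border.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed topology: prefixes assigned to each customer-facing interface.
# Interface names and prefixes are assumptions, not taken from the slides.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/24"), ip_network("2001:db8:a::/48")],
    "cust-b": [ip_network("198.51.100.0/25")],
}

def source_is_valid(interface, src):
    """True if src lies in a prefix assigned to the interface it arrived on."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparsable source address: treat as forged
    return any(addr.version == net.version and addr in net
               for net in CUSTOMER_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Split packets into forwarded/dropped and count drops per interface."""
    forwarded, dropped, drops = [], [], Counter()
    for pkt in packets:
        if source_is_valid(pkt["iface"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops[pkt["iface"]] += 1  # a rising count points at a spoofing source
    return forwarded, dropped, drops

# Constructed sample traffic towards a web server at 203.0.113.80.
SAMPLE = [
    {"iface": "cust-a", "src": "192.0.2.17", "dst": "203.0.113.80"},      # legitimate
    {"iface": "cust-a", "src": "198.51.100.9", "dst": "203.0.113.80"},    # cust-b's address
    {"iface": "cust-a", "src": "203.0.113.80", "dst": "192.0.2.255"},     # victim's address forged
    {"iface": "cust-b", "src": "198.51.100.9", "dst": "203.0.113.80"},    # legitimate
    {"iface": "cust-b", "src": "198.51.100.200", "dst": "203.0.113.80"},  # outside the /25
    {"iface": "cust-a", "src": "2001:db8:a:1::5", "dst": "2001:db8:ffff::80"},  # legitimate
    {"iface": "unknown0", "src": "192.0.2.17", "dst": "203.0.113.80"},    # no prefixes known
]

if __name__ == "__main__":
    fwd, drop, per_iface = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for iface, count in sorted(per_iface.items()):
        print(f"{iface}: {count} packet(s) with invalid source address")
```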

15
Global Mechanisms
  • Improving the security of the entire Internet
  • Using globally coordinated filters
  • Tracing the source IP address

16
Conclusion
  • The ultimate solution for preventing DDoS/DoS is
    to detect and block floods at source-networks.
    This cuts the problem off before it can ever
    manifest. So we have to pull together as a
    community to secure our Internet.