Analysis and Simulation of Defence Wide Area Network Performance Under Denial of Service Attack - PowerPoint PPT Presentation

About This Presentation

Slides: 32
Provided by: tarpi

Transcript and Presenter's Notes

1
Analysis and Simulation of Defence Wide Area
Network Performance Under Denial of Service
Attack
  • Thesis Summary
  • Captain Tim Malo
  • 23 May 2001
  • Advisor Dr. Scott Knight

2
Statement
  • An analysis and simulation of Defense Wide Area
    Network (DWAN) performance under Denial of
    Service (DoS) attacks to highlight DWAN
    vulnerabilities and propose solutions to mitigate
    negative effects associated with DoS attacks.

3
Outline
  • DWAN
  • DoS
    • Definition
    • Classification
    • Attacks Studied
  • Opnet Modeler Network Simulation Tool
    • Opnet Models
  • Observed Results
  • Mitigation Techniques
  • Summary of Results
  • Questions/Comments

4
DWAN Architecture
  • Router-based TCP/IP network
  • Connects units/bases via leased frame relay
    services
  • Two logical networks
    • Designated Domain
    • Classified Domain

5
DWAN Architecture
  • Three levels
    • Backbone
    • Concentrator
    • Access

6
(No Transcript)
7
DoS Definition
  • An attempt by an intruder, either within or
    external to an organization, to block a certain
    service or the entire organization's network by
    overwhelming that service or network with
    directed requests. The premise is that an attack
    will take advantage of certain weaknesses in the
    security of the underlying operating system or
    network technology.

8
DoS Classification
  • Operating System Based Attacks
  • Network Based Attacks
    • Traditional Network Based DoS
    • Distributed DoS (DDoS)

9
Smurf Attack
10
Wingenocide
  • Variant of the WinNuke attack
  • Affects unpatched Windows 95 boxes
  • Sends OOB traffic to port 139 (NetBIOS)
    • Most common port, but other listening ports can
      be used
  • Unexpected packets cause the host to blue-screen

11
DDoS Attack
12
TFN2K
  • ICMP Ping Flood
  • UDP Flood
  • TCP SYN Flood
  • TARGA3
  • Mix
    • Combination of ICMP Ping, UDP and TCP SYN Flood

13
Trinoo
  • UDP Flood

14
Simulation Tool
  • OPNET Modeler
  • Support for Numerous Protocols Including OSPF and
    TCP/IP
  • Object Oriented
  • Supports Complex Network Topologies
  • Allows for Customization in C/C++

15
(No Transcript)
16
(No Transcript)
17
Lab Work
  • CSL internal network used to run attacks and
    collect results
  • csl6, csl8, csl12 and longjohn used as hosts for
    the attacks (attacker, intermediate network (IN),
    target, data collection)
  • tcpdump used as the data collection tool
  • Analysis of the tcpdump data led to the creation
    of the attack traffic models

18
Attack Models
  • Custom Application
  • Smurf (ICMP/UDP/both)
  • Wingenocide
  • Video Conferencing Application
  • TFN2K
    • ICMP Ping/UDP/TCP SYN/Mix/TARGA3
  • Trinoo

19
Observed Results
  • Router CPU utilization experiences a step
    increase
  • Link utilization does not necessarily reflect
    the attack traffic generated
  • Traffic loss within the frame relay cloud
    • Not all traffic submitted to the network gets
      transmitted (CIR, Bc, Be: committed information
      rate, committed burst and excess burst)
  • Target router CPU and link utilization is not as
    seriously affected as expected
    • Background infrastructure takes the brunt of
      the attack
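The CIR/Bc/Be observation above rests on how the frame relay cloud polices each PVC; the toy model below is an added example, not code from the thesis or its OPNET models, and its PVC parameters and 1 Mbit/s flood are constructed values. It shows why most of the offered attack traffic never reaches the target's access link.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameRelayPVC:
    """Policing parameters of one frame relay PVC (constructed values, not from the thesis)."""
    cir: int  # committed information rate, bits per second
    bc: int   # committed burst Bc, bits allowed per interval Tc
    be: int   # excess burst Be, extra bits per Tc, forwarded marked discard-eligible (DE)

    @property
    def tc(self) -> float:
        """Measurement interval Tc = Bc / CIR, in seconds."""
        return self.bc / self.cir


def police_interval(pvc: FrameRelayPVC, offered_bits: int) -> tuple[int, int, int]:
    """Split the bits offered in one Tc interval into (committed, DE-marked, discarded at ingress)."""
    committed = min(offered_bits, pvc.bc)
    de_marked = min(max(offered_bits - pvc.bc, 0), pvc.be)
    discarded = offered_bits - committed - de_marked
    return committed, de_marked, discarded


def police(pvc: FrameRelayPVC, offered: list[int], congested: bool) -> dict[str, int]:
    """Police a sequence of per-Tc offered loads. When the cloud is congested the
    DE-marked frames are dropped inside the cloud too, so only committed bits arrive."""
    totals = {"committed": 0, "de_marked": 0, "ingress_discard": 0, "delivered": 0}
    for bits in offered:
        c, e, d = police_interval(pvc, bits)
        totals["committed"] += c
        totals["de_marked"] += e
        totals["ingress_discard"] += d
        totals["delivered"] += c if congested else c + e
    return totals


def delivered_bps(pvc: FrameRelayPVC, offered: list[int], congested: bool) -> float:
    """Rate the target's access link actually sees, in bits per second."""
    return police(pvc, offered, congested)["delivered"] / (len(offered) * pvc.tc)


# Constructed scenario: a 64 kbit/s CIR access PVC (Tc = 0.125 s) hit by a flood
# offered at 1 Mbit/s, i.e. 125 000 bits in each of the 8 Tc intervals of one second.
PVC = FrameRelayPVC(cir=64_000, bc=8_000, be=8_000)
FLOOD = [125_000] * 8

if __name__ == "__main__":
    for congested in (False, True):
        t = police(PVC, FLOOD, congested)
        print(f"congested={congested}: {t}, target sees {delivered_bps(PVC, FLOOD, congested):.0f} bit/s")
```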

20
Observed Results (continued)
  • Standard application performance at the attacking,
    intermediate network and target sites all
    affected by the attack scenarios
    • HTTP (light browsing)
    • Email (light load)
    • Remote login (light load)
  • Minimal attackers (as few as 1 in some scenarios)
    required to cause denial of service for all three
    applications

21
Attack Mitigation Techniques
  • Host Based
    • OS and Security Patches
    • OS Modifications
    • Minimize Services
    • Host Compromise Detection Tools

22
Attack Mitigation Techniques (continued)
  • Network Based
    • Blocking Directed IP Broadcasts
    • Ingress/Egress Packet Filtering
    • IP Verify Unicast Reverse-Path (unicast RPF)
    • Committed Access Rate
    • Frame Relay Traffic Shaping
    • Demilitarized Zone

23
(No Transcript)
24
Questions
25
Papasmurf ICMP Flood
26
Papasmurf ICMP Flood (continued)
27
Papasmurf ICMP Flood (continued)
28
Papasmurf ICMP Flood (continued)
29
Papasmurf ICMP Flood (continued)
30
Papasmurf ICMP Flood (continued)
31
Papasmurf ICMP Flood (continued)