Distributed Denial of Service Attacks

1
Distributed Denial of Service Attacks

• Shankar Saxena
• Veer Vivek Kaushik

2
Agenda

• Introduction and Famous Attacks
• How Attack Takes Place
• Types of DDOS Attacks
• Smurfing
• UDP Flooding
• TCP SYN Flooding

3
Introduction

• Causes service to be unusable or unavailable
• Coordinated mass scale attack from compromised
  computers
• Exhaust bandwidth, router processing, network
  stack resource
• Hard to detect at firewall level

4
Famous Attacks

• February 2000
• Yahoo, Ebay, Amazon websites attacked
• Yahoo received packet traffic which some websites
  receive in 1 year
• 1 billion dollars
• October 2002
• 7 of 13 DNS root servers attacked
• Attack on internet itself

5
Scanning (Step 1)

• Port Scanning
• Search for open ports
• NMap
• Send packets to target to interact
• TCP Connect, TCP SYN, UDP,
• Software Vulnerabilities
• Common Default Configuration Weaknesses
• Nessus
• Plugin
• Windows, Backdoor, File Sharing, Firewalls, Mail
  Servers

6
Stack based Buffer overflow (Step 2)

• Attacker chooses most vulnerable machines.
• Buffer overflow occurs when attacker store too
  much data in undersize buffer.
• Attacker precisely tune the amount and content of
  data.
• Attacker overwrites the return pointer with his
  own , which points to his code.

7
Normal Stack
Bottom of memory
Fill Direction
Buffer(Local variable)
Return pointer
Function arguments

8
Smashed Stack
Bottom of memory
Fill direction
Buffer(Local variable)
Attacker machine code
New pointer
Top of memory
Function arg
9
Rootkit Attack (Step 3)

• Rootkit
• To get back into compromised system
• Replace system file with there Trojan version
• Attack
• Instruct compromised systems to attack
• Various flooding methods

10
DDoS attack
11
Kinds of Attacks

• Smurfing
• UDP Flooding
• TCP Syn Flooding

12
Smurfing

• Attacker sends packet to Network amplifier with
  return address spoofed to victim IP address
• Attacking packets are typically ICMP echo request
  
• This request generate ICMP echo reply which will
  flood the victim

13
TCP SYN Attack

• Exploits Three way handshaking protocol.
• Large number of bogus TCP Sync request are sent
  to victim in order to tie up its resources.
• No AckSyn responses are returned, Server run out
  of memory resources

14
TCP SYN Attack
15
UDP Flooding

• Connectionless protocol
• No 3 way handshaking is required
• Large number of UDP packets saturate the Network
  and deplete the bandwidth.

16
DDoS Counter Measures

• Egress filtering
• Scanning packets for certain criteria
• Spoofed address
• Close all unneeded ports
• Be More aware
• Install new patches
• Check server logs
• Test scanning tools on your system

17
Thanks

• Queries?