Denial of Service - PowerPoint PPT Presentation

Title: Denial of Service
Slides: 30
Provided by: kosh2
Learn more at: https://kosh.nku.edu

Transcript and Presenter's Notes

1
CSC 382/582 Computer Security
  • Denial of Service

2
Topics
  1. Introduction
  2. History of DoS
  3. Modes of Attack
  4. Technical Attacks
  5. Distributed DOS (DDOS)
  6. Computational Attacks
  7. Defending against DoS

3
Denial of Service
  • Attacks against the availability of services.
  • Common attacks
    • CAIDA's 2001 backscatter study conservatively
      estimated 4000 attacks/week.
    • Attacks have increased since the 2001 estimate.
  • Most DoS attacks hit a small site for a short
    duration.
  • However, DoS attacks can be very big
    • Millions of packets/second.
    • Many thousands of hosts involved.
  • DoS attacks are very difficult to stop.

4
Denial of Service Motives
  • Attacker competitions
    • Take over IRC channels.
    • Fame: take down a well-known target.
    • Revenge for being DoSed.
  • Political
    • Take down computers of political opponents.
  • Financial
    • Take down a competitor's web site.
    • Extortion: pay the attacker or be DoSed.

5
History of Denial of Service
  • 1988 Morris Worm overloads thousands of hosts,
    roughly 10% of the Internet at the time.
  • 1996 SYN flood attacks take out IRC networks.
  • 1997 Fragment attacks (e.g. Teardrop) used to DoS
    Windows systems.
  • 1998 Distributed DoS attack tools appear.
  • 1999 Heavy use of DDoS tools.
  • 2000 DDoS attacks take down Amazon, eBay,
    Yahoo.
  • 2001 Reflected DDoS attacks appear.
  • 2002 DDoS degrades 9 of the 13 root DNS servers;
    DNS as a whole stays up.
  • 2003 DDoS takes down Al-Jazeera after it
    broadcasts pictures of captured American
    soldiers.
  • 2003- Financially motivated DDoS. Spammers DDoS
    anti-spam organizations. Extortionists DDoS
    small sites.

6
DoS Modes of Attack
  • Technical attacks
    • Fragment attacks.
    • SYN floods.
    • Smurf.
  • Bandwidth consumption
    • DDoS, amplifier-based attacks.
  • Other resource consumption
    • Email bombs.
    • Disk filling by syslog spoofing/anonymous ftp.
    • Computational attacks.

7
Packet Fragmentation
  • Occurs at the IP layer.
  • Each fragment has its own IP header.
  • Characteristics
    • Each fragment of a packet carries the same
      Identification field.
    • More Fragments (MF) flag is set on every
      fragment except the final one.
    • Fragment Offset is the offset (in 8-byte units)
      of the fragment's data from the beginning of
      the original datagram.
    • Total Length field is the length of this
      fragment, not of the original datagram.

8
Fragment Security Issues
  • Large datagrams
    • Use multiple fragments that reassemble into a
      packet larger than the maximum IP packet size
      of 65,535 bytes (64KB), overrunning the
      reassembly buffer.
    • Example: ping of death.
  • Incomplete datagrams
    • Jolt2: a stream of fragments with no first
      fragment, so reassembly never completes.
  • Overlapping fragments
    • Fragment offsets overlap, so during reassembly
      the second fragment is copied over part of the
      TCP header; the true header is hidden in the
      second fragment while a firewall that inspects
      only the first fragment reads misleading header
      data.
    • Denial of Service: the Teardrop attack uses
      overlapping fragments to overflow the integer
      used as the memory-copy length, crashing
      Windows 95/NT and Linux < 2.0.32 hosts.
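The header fields of slide 7 and the three reassembly abuses of slide 8 are exactly what a reassembler has to check before it copies a single byte. The following is an added example written for this page, not code from the lecture or from any operating system: it parses the Identification, MF, Fragment Offset and Total Length fields with Python's struct module and refuses to reassemble oversize, first-fragment-less and overlapping fragment sets. build_fragment() and the CASES dictionary are constructed test packets (zero checksum, private addresses), not captures.

```python
"""Added example (not from the slides): parse IPv4 fragment headers and
flag the three reassembly abuses above before copying any bytes:
oversize datagrams (ping of death), streams with no first fragment
(Jolt2-style) and overlapping fragments (Teardrop). The packets built
by build_fragment() are constructed test data, not captures."""
import struct

MAX_DATAGRAM = 65535  # largest IPv4 datagram the 16-bit Total Length can describe


def parse_fragment(raw):
    """Pull the fields reassembly depends on out of one IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,  # 13-bit offset, 8-byte units
        "payload": raw[ihl:total_len],        # Total Length covers this fragment only
        "proto": proto,
    }


def build_fragment(ident, offset_units, more, payload, proto=1):
    """Construct a minimal IPv4 fragment (checksum left zero; test data only)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def check_fragments(packets):
    """Classify the fragments of one datagram (same IP ID) without reassembling.
    Returns 'ok', 'oversize', 'no_first_fragment', 'overlap' or 'incomplete'."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    for f in frags:
        # Ping of death: offset + length must stay inside a 65535-byte datagram.
        if f["offset"] + len(f["payload"]) > MAX_DATAGRAM:
            return "oversize"
    if not frags or frags[0]["offset"] != 0:
        return "no_first_fragment"  # Jolt2-style: nothing to reassemble, never deliver
    end = 0
    for f in frags:
        if f["offset"] < end:
            return "overlap"        # Teardrop: fragment rewrites bytes already received
        if f["offset"] > end:
            return "incomplete"     # gap: keep waiting, do not deliver
        end = f["offset"] + len(f["payload"])
    return "incomplete" if frags[-1]["mf"] else "ok"


def reassemble(packets):
    """Concatenate payloads only after the checks pass; raise otherwise."""
    verdict = check_fragments(packets)
    if verdict != "ok":
        raise ValueError(f"refusing to reassemble: {verdict}")
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    return b"".join(f["payload"] for f in frags)


# Constructed cases, one per issue on the slide.
CASES = {
    "ok": [build_fragment(1, 0, True, b"A" * 1480), build_fragment(1, 185, False, b"B" * 100)],
    "oversize": [build_fragment(2, 8184, False, b"C" * 100)],   # 65472 + 100 > 65535
    "no_first_fragment": [build_fragment(3, 10, True, b"D" * 8)],
    "overlap": [build_fragment(4, 0, True, b"E" * 32), build_fragment(4, 2, False, b"F" * 32)],
    "incomplete": [build_fragment(5, 0, True, b"G" * 16)],
}

if __name__ == "__main__":
    for name, packets in CASES.items():
        print(f"{name:18s} -> {check_fragments(packets)}")
```

The oversize test is applied per fragment, before any ordering or gap logic, because that is the check the ping-of-death fix needed: a single fragment whose offset plus length exceeds 65,535 is already invalid, regardless of what else arrives. Overlap is detected by sorting on offset and demanding that each fragment start exactly where the previous one ended; a stricter reassembler would also reject duplicate fragments with differing contents.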

9
SYN Floods
  • Create many half-open connections to the target
    • Send SYN packets from spoofed, unreachable IP
      addresses (so no host answers the SYN/ACK with
      a RST).
    • Ignore the SYN/ACK response.
  • Target's connection (backlog) table fills up
    • all new TCP connections are refused.

[Figure: SYN flood exchange. Attacker, spoofing IP n,
sends SYN x, SYN y, SYN z. Target answers SYN a/ACK x,
SYN b/ACK y, SYN c/ACK z and holds SYN_RECV entries for
x, y and z from IP n; the final ACKs never arrive.]
10
SYN Flood Defences
  • Micro-connections: allocate only a tiny record
    (e.g. 16 bytes) per half-open connection until
    the ACK is received.
  • RST cookies
    • Server sends an incorrect SYN/ACK to a client's
      first connection request, eliciting a RST as
      the response. Thereafter, connections from that
      client are accepted.
  • SYN cookies: store the state in the ISN, not on
    the server.
    • Compute the ISN as a keyed hash of the source
      and destination IP addresses and ports, plus a
      slowly changing time counter, so an attacker
      who does not know the key cannot forge a
      valid ACK.
    • Valid clients respond with ACK = ISN+1,
      allowing the server to recompute the
      connection table entry.
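SYN cookies, as an added example written for this page (not the lecture's code and not any kernel's implementation): the cookie layout follows the classic scheme of a 5-bit time counter, a 3-bit index into a small MSS table and a 24-bit keyed MAC over the 4-tuple and the counter. SECRET, the MSS table and the addresses and ports in handshake() are assumptions/constructed values; a real stack draws the secret at boot.

```python
"""Added example (not from the slides): SYN cookie generation and
validation in the classic layout: top 5 bits = time counter, next 3
bits = index of the client's MSS, low 24 bits = keyed hash over the
4-tuple and the counter. The secret, addresses and ports below are
assumed/constructed; a real stack draws the secret at boot."""
import hashlib
import hmac
import struct

MSS_TABLE = [536, 1300, 1440, 1460]        # MSS values encodable in 3 bits
SECRET = b"assumed-per-boot-random-secret"  # assumption: never hard-code this


def _mac24(secret, src_ip, dst_ip, src_port, dst_port, count):
    """24-bit keyed MAC binding the cookie to one connection and one time slot."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, src_port, dst_port, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, mss, now_minutes, secret=SECRET):
    """ISN to send in the SYN/ACK; the server stores nothing for this SYN."""
    count = now_minutes & 0x1F   # slow counter, wraps every 32 minutes
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(secret, src_ip, dst_ip, src_port, dst_port, count)
    return (count << 27) | (mss_idx << 24) | mac


def check_syn_cookie(ack, src_ip, dst_ip, src_port, dst_port, now_minutes,
                     secret=SECRET, max_age=4):
    """Validate the final ACK of the handshake (ack == cookie + 1).
    Returns the MSS to use for the new connection, or None to drop the ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now_minutes - count) & 0x1F) > max_age:
        return None   # stale: cookie older than max_age minutes, or replayed much later
    if (cookie & 0xFFFFFF) != _mac24(secret, src_ip, dst_ip, src_port, dst_port, count):
        return None   # forged, or a valid cookie replayed against a different 4-tuple
    return MSS_TABLE[mss_idx]


def handshake(client_ip, server_ip, client_port, server_port, client_mss, t_syn, t_ack):
    """Both sides of the exchange; returns the MSS the server accepts, or None."""
    client_isn = 1000                       # constructed client ISN
    # client -> server: SYN (seq=client_isn, MSS option=client_mss)
    cookie = make_syn_cookie(client_ip, server_ip, client_port, server_port, client_mss, t_syn)
    # server -> client: SYN/ACK with seq=cookie, ack=client_isn+1; nothing is stored
    syn_ack = {"seq": cookie, "ack": client_isn + 1}
    # client -> server: ACK with ack=cookie+1; the server rebuilds state from it
    final_ack = (syn_ack["seq"] + 1) & 0xFFFFFFFF
    return check_syn_cookie(final_ack, client_ip, server_ip, client_port, server_port, t_ack)


CLIENT, SERVER = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 2])  # constructed addresses

if __name__ == "__main__":
    print("fresh ACK ->", handshake(CLIENT, SERVER, 40000, 80, 1460, 100, 101))
    print("stale ACK ->", handshake(CLIENT, SERVER, 40000, 80, 1460, 100, 110))
```

The price of storing nothing is visible in the code: only what fits in 32 bits survives, so the server keeps a coarse MSS and loses any other SYN options, and the 24-bit MAC means an attacker guessing ACK numbers has a 1 in 2^24 chance per packet, which is why the time window is kept short.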

11
Smurf Attack
[Figure: Smurf attack. Attacker sends an echo request
with SRC = Target IP, DST = 10.0.0.255 into the
reflector network (10.0.0.x hosts); every host on the
network replies to Target.]
12
Smurf Attack
  • Build a special ICMP (or UDP) echo packet
    • Forge the IP source address to be that of the
      target.
    • Destination address is a broadcast address.
  • Each host that receives the broadcast responds to
    the spoofed target address with an echo reply,
    overwhelming the target host; the amplification
    factor is the number of responding hosts.
  • Most current routers refuse to forward directed
    broadcast packets (RFC 2644 made dropping them
    the recommended default).

13
DDoS Attacks
[Figure: attack zombies (Z) flooding the target data
center]
  • Attack zombies
    • Use valid protocols
    • Spoof source IP
    • Massively distributed
    • Variety of attacks
  • Entire data center is affected
    • Servers, security devices, routers
    • Ecommerce, web, DNS, email, ...

14
Timeline of a DDOS Attack
  • Set up the DDOS network (botnet)
    • Manual compromise by a group of crackers.
    • Automated compromise by a worm.
  • Launch attack
    • Victim networks become unresponsive.
    • Identification is difficult due to router/host
      failures and lack of packet logging.
  • Third-party effects
    • Victim responses are sent to the spoofed IP
      addresses.

15
DDoS Attack Architecture
16
DDOS Machines
  • Intruder: one or more intruders access master
    machines to control the network, typically
    through intermediate proxies.
  • Master: the command and control servers that
    control agents. Multiple masters are used for
    redundancy and scalability. Often communication
    is via the IRC protocol.
  • Agent: infected hosts that launch the DDOS attack
    and recruit more agents, aka zombies or bots.

17
Level of Automation
  • Manual
    • Manual compromise and attack.
  • Semi-automated
    • Use of an automated exploit to compromise
      hosts, then a DDoS agent (Stacheldraht, TFN2k,
      Trinoo).
  • Automated
    • Worm such as W32/Blaster.

18
Agent Lifecycle
  1. An existing agent's scanner selects a target
     host.
  2. The agent attempts an exploit against the
     target.
  3. If the exploit succeeds, the agent transfers
     itself to the target.
  4. The new agent begins running on the target.
  5. The agent registers itself with the master
     server.
  6. The master accepts the agent as a member and
     issues it a password.
  7. The agent logs into the communication channel
     with the provided password.
  8. The agent waits for commands from the master.

19
Agent Capabilities
  • DDOS attacks
    • SYN floods
    • Smurf
    • UDP floods
    • ICMP floods
    • Mixed
  • Recruitment
    • Scanning engine.
    • Many exploits.
    • Use other bots' backdoors.
  • File transfer
  • Proxying
  • E-mail harvesting
  • Sniffing
  • Spamming
  • Self-defence
    • Anti-virus (disabling it)
    • Polymorphism
    • Rootkit

20
Botnet Families
  • Agobot/Phatbot
    • Over 500 variants.
    • Modular structure: easy to add features.
    • Some use WASTE p2p communication.
  • SDBot
    • Simpler than Agobot, but common.
  • mIRC-based bots
    • Scripted mIRC client for Windows.

21
Distributed Reflection DOS
  • Combines SYN flooding with reflection
    • Forge the target's IP address as the source of
      SYN packets sent to multiple reflection
      servers.
  • Amplification: most OSes retransmit the SYN/ACK
    several times when no ACK arrives, so each SYN
    yields multiple SYN/ACKs at the target.
  • Concealment: packets come from multiple
    reflection servers, not the actual attacker host.
  • Difficult to block: the attacker may rotate
    attacks through a large pool of reflection
    servers, many of which may be important hosts
    that you need to receive traffic from.

22
Computational Attacks
  • Goal: exhaust the CPU resources of the target.
  • Target: the application layer.
  • Examples
    • 2002. The BBCode markup language of phpBB could
      consume 100% CPU in the infinite expansion of
      multiply nested tags.
    • 2003. Crosby and Wallach show how to choose
      inputs that all hash to the same bucket,
      degrading a hash table from O(1) to O(n) per
      operation (a linked list), so n insertions cost
      O(n^2). Demonstrated against the Bro IDS and
      Perl.
    • 2005. Tomcat 5.5 directory listing of large
      directories could use large amounts of CPU.

23
Why DDoS is Hard to Stop
  • Attacker ease of use
    • Attackers can download user-friendly, advanced
      tools.
  • IP spoofing
    • DDoS packets can carry spoofed source addresses
      whenever the sending network does not filter
      them (BCP 38 ingress filtering is far from
      universal).
  • Numerous agents
    • Attacker agents are spread across many networks.
  • Variety of traffic
    • DDoS attacks can be launched with any protocol.
  • High-volume traffic
    • At DDoS traffic volumes, firewalls and IDS must
      analyze each packet quickly, i.e. without deep
      packet inspection or cross-packet correlation.

24
Filterable and non-Filterable Attacks
  • Filterable attacks
    • Attack non-essential services (ICMP echo) or
      ports (random UDP flood).
  • Non-filterable attacks
    • Attack essential services (email or web).
    • Packets may be partially valid for the targeted
      protocol.

25
DDOS Prevention
  • Apply patches against technical attacks.
  • Firewall rules to drop known attacks at the
    perimeter.
  • Overprovisioning
    • Network bandwidth, NICs
    • Memory, disk
    • CPU
  • Load balancing
  • Caching
    • Regenerate a static page periodically instead
      of building the page dynamically on every
      request.

26
DDOS Detection
  • Detecting zombie hosts
    • DDOSPing
    • Zombie Zapper
  • Detecting a DDOS attack
    • Performance monitoring, network and host
    • Network intrusion detection systems
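Detection logic for two of the attacks on earlier slides, as an added example written for this page (not the lecture's material and not the output of DDOSPing, Zombie Zapper or any NIDS): over a list of constructed per-packet flow records it flags a SYN flood (slide 9) as a service whose inbound SYNs are almost never followed by the client's ACK, and a distributed reflection attack (slide 21) as inbound SYN/ACKs that answer no SYN the monitored network ever sent. The record format, addresses and thresholds are assumptions.

```python
"""Added example (not from the slides): flag a SYN flood (many inbound
SYNs never completed by an ACK) and DRDoS backscatter (inbound SYN/ACKs
that answer no outbound SYN) from per-packet flow records. The record
format "time src dst sport dport flags dir" and all addresses are
constructed for the example, not a real capture."""
import collections


def parse_flows(text):
    """One record per line; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        t, src, dst, sport, dport, flags, direction = line.split()
        flows.append({"t": float(t), "src": src, "dst": dst, "sport": int(sport),
                      "dport": int(dport), "flags": flags, "dir": direction})
    return flows


def half_open_by_service(flows):
    """Per (server, port): (inbound SYNs, SYNs never followed by the client's ACK)."""
    syns = collections.defaultdict(set)   # (dst, dport) -> {(src, sport)}
    acked = collections.defaultdict(set)
    for f in flows:
        if f["dir"] != "in":
            continue
        key, peer = (f["dst"], f["dport"]), (f["src"], f["sport"])
        if f["flags"] == "S":
            syns[key].add(peer)
        elif f["flags"] == "A" and peer in syns.get(key, ()):
            acked[key].add(peer)
    return {k: (len(v), len(v - acked[k])) for k, v in syns.items()}


def unsolicited_synacks(flows):
    """Inbound SYN/ACKs with no earlier outbound SYN to that peer: reflection backscatter."""
    outbound = set()
    hits = []
    for f in flows:
        if f["dir"] == "out" and f["flags"] == "S":
            outbound.add((f["dst"], f["dport"], f["src"], f["sport"]))
        elif f["dir"] == "in" and f["flags"] == "SA":
            if (f["src"], f["sport"], f["dst"], f["dport"]) not in outbound:
                hits.append(f)
    return hits


def alerts(flows, min_syns=50, min_unacked_ratio=0.9, min_reflected=10):
    """Thresholds are assumptions; tune them to the monitored network's baseline."""
    out = []
    for (dst, dport), (total, unacked) in half_open_by_service(flows).items():
        if total >= min_syns and unacked / total >= min_unacked_ratio:
            out.append(f"SYN flood suspected on {dst}:{dport}: {unacked}/{total} half-open")
    refl = unsolicited_synacks(flows)
    if len(refl) >= min_reflected:
        reflectors = len({f["src"] for f in refl})
        out.append(f"reflected SYN/ACK flood: {len(refl)} unsolicited SYN/ACKs "
                   f"from {reflectors} reflectors")
    return out


def build_sample():
    """Constructed records: one real handshake, one real outbound connection,
    a spoofed SYN flood from 100 sources and 20 reflected SYN/ACKs."""
    lines = ["0.00 203.0.113.5 192.0.2.10 51000 80 S in",
             "0.01 192.0.2.10 203.0.113.5 80 51000 SA out",
             "0.02 203.0.113.5 192.0.2.10 51000 80 A in",
             "3.00 192.0.2.20 203.0.113.9 52000 443 S out",
             "3.01 203.0.113.9 192.0.2.20 443 52000 SA in"]
    # spoofed SYN flood against the web server: no ACK ever follows
    lines += [f"1.{i:02d} 198.51.100.{i} 192.0.2.10 {40000 + i} 80 S in" for i in range(1, 101)]
    # reflectors answering SYNs that carried 192.0.2.20 as their source
    lines += [f"5.{i:02d} 203.0.113.{10 + i} 192.0.2.20 80 61000 SA in" for i in range(20)]
    return "\n".join(lines)


if __name__ == "__main__":
    for a in alerts(parse_flows(build_sample())):
        print(a)
```

Both detectors key on the asymmetry that slides 9 and 21 describe rather than on raw volume, so they still fire when the flood is small relative to legitimate traffic; a production version would age out state by time window and compare against a per-service baseline, since a busy server legitimately sees some unacked SYNs from lossy clients.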

27
DDOS Reaction
  • Filter out identifiable DDOS traffic.
  • Contact the ISP for help with
    • Filtering and rate limiting.
    • Tracking down the source of the attack.
  • Move the target
    • The White House web site avoided the Code Red
      worm's flood, which was aimed at its hard-coded
      IP address, by changing its IP address.
  • Use alternate infrastructure
    • Use caching to decrease server load.
    • Use an anti-DDoS provider like Akamai or
      Prolexic.

28
Key Points
  • Types of denial of service attack
    • Technical attacks (SYN flood, smurfing)
    • Bandwidth attacks (DDOS)
  • DOS attacks are a serious threat
    • Can take down large sites (often for money).
    • Difficult to prevent and react to.
  • Botnets make DDOS easy and effective
    • Agents evolve rapidly, offer auto-updating.

29
References
  1. Al-Jazeera Hobbled by DDOS Attack, InfoWorld,
     March 26, 2003,
     http://www.infoworld.com/article/03/03/26/HNjazeera_1.html
  2. Scott Berinato, How a Bookmaker and a Whiz Kid
     Took On an Extortionist and Won, CSO Online,
     Nov 22 2003,
     http://www.csoonline.com/read/050105/extortion_pf.html
  3. CERT Coordination Center, Results of the
     Distributed-Systems Intruder Tools Workshop,
     December 1999,
     http://www.cert.org/reports/dsit_workshop-final.html
  4. David Dittrich, DDOS Archives, 2006,
     http://staff.washington.edu/dittrich/misc/ddos/
  5. Greene, ISP Security 101 Primer, 2003,
     http://www.nanog.org/mtg-0602/greene.html
  6. The Honeynet Project, Know Your Enemy: Tracking
     Botnets, 2005, http://www.honeynet.org/papers/bots/
  7. Steve Gibson, Distributed Reflection Denial of
     Service, Feb 22 2002, http://www.grc.com/dos/drdos.htm
  8. Stuart McClure, Joel Scambray, and George Kurtz,
     Hacking Exposed, 5/e, McGraw-Hill, 2005.
  9. Jelena Mirkovic, Sven Dietrich, David Dittrich,
     and Peter Reiher, Internet Denial of Service:
     Attack and Defense Mechanisms, Prentice Hall,
     2005.
  10. C. Nuttall, Crime Gangs Extort Money with
      Hacking Threat, The Financial Times, 11 Dec
      2003, http://www.rense.com/general44/hack.htm
  11. Joel Scambray, Mike Shema, Caleb Sima, Hacking
      Exposed Web Applications, Second Edition,
      McGraw-Hill, 2006.
  12. Ed Skoudis, Counter Hack Reloaded, Prentice Hall,
      2006.
  13. Scott A. Crosby and Dan S. Wallach, Denial of
      Service via Algorithmic Complexity Attacks,
      USENIX Security 2003,
      http://www.cs.rice.edu/~scrosby/hash/