We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byElvin Townsend
Modified about 1 year ago
CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2001 by Carnegie Mellon University some images copyright 1 Trends in Denial of Service Attack Technology Kevin J. Houle NANOG23 – October 2001
© 2001 by Carnegie Mellon University 2 Background: Pre-1999 DoS Tools: -Single-source, single target tools -IP source address spoofing -Packet amplification (e.g., smurf) Deployment: -Widespread scanning and exploitation via scripted tools -Hand-installed tools and toolkits on compromised hosts (unix) Use: -Hand executed on source host
© 2001 by Carnegie Mellon University 3 Background: 1999 DoS Tools: -Multiple-source, single target tools -Distributed attack networks (handler/agent) -DDoS attacks Deployment: -Hand-selected, hard-coded handlers -Scripted agent installation (unix) Use: -Custom, obfuscated control channels ›intruder handlers ›handlers agents
© 2001 by Carnegie Mellon University 4 Background: : Infamous DDoS attacks : DNS amplification attacks, mstream DDoS tool : VBS/Loveletter, t0rnkit : Hybris : Trinity IRC-based DDoS tool (unix) :Multiple IRC-based DDoS tools (Windows)
© 2001 by Carnegie Mellon University 5 Background: :Ramen worm :VBS/OnTheFly (Anna Kournikova), erkms worm, 1i0n worm :Adore/Red worm, carko DDoS tool :cheese worm, w0rmkit worm, sadmind/IIS worm :Maniac worm, Code Red worm :W32/Sircam, Leaves, Code Red II, various telnetd worms, various IRC-based DDoS tools (knight, kaiten) : Nimda worm
© 2001 by Carnegie Mellon University 6 Trends – Deployment Greater degree of automation Self-propagating worms -Central source propagation -Back channel propagation -Autonomous propagation
© 2001 by Carnegie Mellon University 7 Central Source Propagation central-source attackervictims next-victims 1 - exploit 2 – copy code 3 - repeat Example: 1i0n worm
© 2001 by Carnegie Mellon University 8 Back Channel Propagation attackervictims next-victims 1 - exploit 2 – copy code 3 - repeat Example: Ramen worm
© 2001 by Carnegie Mellon University 9 Autonomous Propagation attackervictims next-victims 1 – exploit & copy code2 - repeat Examples: Code Red, Code Red II
© 2001 by Carnegie Mellon University 10 Trends – Deployment (cont.) Degree of Blind Targeting Selective Targeting AutomationVery highLow high Vulnerability- specificity Very highLow high Other criteriaLowVery high Targeting Systems: Blind vs. Selective Targeting
© 2001 by Carnegie Mellon University 11 Blind Targeting Social Engineering -W32/Sircam Specific vulnerabilities -sadmind/IIS worm unix/Microsoft IIS -Code Red, Code Red II Microsoft IIS -Nimda Windows/IIS -Various telnetd worms unix Activity tends to follow vulnerability lifecycles
© 2001 by Carnegie Mellon University 12 Selective Targeting Windows end-users increasingly targeted -less technically sophisticated -less protected -difficult to contact en mass -slow response to security alerts/events -well-known netblocks -widespread broadband connectivity -increase in home networking -exploit technology base is maturing CERT® Tech Tip - Home Network Security
© 2001 by Carnegie Mellon University 13 Selective Targeting (3) Routers increasingly targeted -source for recon/scanning -proxy to IRC networks -source for packet flooding attacks -Compromise via weak/default passwords -Routers sometimes reconfigured ›public guides are available -Increased threat of routing protocol attacks ›discussions at DefCon and Black Hat Briefings
© 2001 by Carnegie Mellon University 14 Trends: Use Control Infrastructure – The classic DDoS model intruder handler agent victim
© 2001 by Carnegie Mellon University 15 Control Infrastructure Increased use of IRC networks and protocols -IRC server replaces the handler ›common, ‘legit’ service ports (e.g., 6667/tcp) ›commands are buried in ‘legit’ traffic ›no agent listeners; outbound connections only -More ‘survivable’ infrastructure ›reduction in address lists maintained ›disposable, easy to obtain agents ›makes use of public IRC networks ›private servers are also used
© 2001 by Carnegie Mellon University 16 Control Infrastructure (2) Increased use of IRC networks and protocols (cont.) -Agent redirection / update is easier ›everyone change to a new channel ›everyone change to a new IRC server ›everyone download this updated module -“floating” domains used to direct agents ›bogus WHOIS data, stolen credit cards ›‘A’ record modification redirects hard-wired agents
© 2001 by Carnegie Mellon University 17 Trends: Use Less emphasis on forged packet characteristics -size and distribution of DDoS makes response difficult ›overwhelming number of sources in DDoS attack ›sources often cross multiple AS boundaries ›high bandwidth consumption is easy; no need for fancy packets -increase in attacks using legitimate traffic ›mixes with other traffic ›harder to filter/limit
© 2001 by Carnegie Mellon University 18 Trends: Impact Increase in collateral damage (e.g., blast radius) -backup systems impacted by sharp increases in log volumes -financial impact at sites with measured usage circuits -multiple sites impacted in shared data centers -arp storms impacting locally infected networks Highly automated deployments are themselves causing denial of service conditions
© 2001 by Carnegie Mellon University 19 What We Are Not Seeing Changes in fundamental conditions that enable denial of service attacks Consumption of limited resources -Processing cycles -Memory resources -Network bandwidth Interdependency of security on the Internet -The exposure to DoS attack of SiteA depends on the security of SiteB -There are huge numbers of SiteB’s
© 2001 by Carnegie Mellon University 20 What We Are Not Seeing (2) Advances in DoS attack payload Seeing the same common packet stream types Known attacks work, there is little incentive to improve -TCP (SYN|ACK|FIN|RST) flood -UDP flood -ICMP echo request/reply flood -Amplification attacks -Source IP address spoofing
© 2001 by Carnegie Mellon University 21 What We Are Not Seeing (3) Reductions in launch-point availability Vendors are still producing insecure products Administrators/users are still deploying and operating systems insecurely Vulnerability life cycle is still lengthy (2-3 years)
© 2001 by Carnegie Mellon University 22 Credits Paper:Trends in Denial of Service Attack Technology Authors: Kevin Houle Neil Long Rob Thomas George Weaver
© 2001 by Carnegie Mellon University 23 CERT Coordination Center Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh PA USA Hotline: CERT personnel answer 8:00 a.m. — 8:00 p.m. EST(GMT-5) / EDT(GMT-4), and are on call for emergencies during other hours. Fax: Web:http://www.cert.org/ CERT ® Contact Information
Trends in Denial of Service Attack Technology -or – Oh, please, they arent smart enough to do that… Presentation to CERT-Polska November 2001 Rob Thomas,
Denial of Service (DoS) By Vijay C Uyyuru, Prateek Arora, & Terry Griffin.
Outcomes Why are computer networks vulnerable? Methods used by hacker to gain unauthorised access Viruses –Different type of viruses –How do viruses infect.
Todays Modern Network Killing Robot Viki Navratilova Network Security Officer The University of Chicago.
Defending Against Denial of Service Attacks Presented By: Jordan Deveroux 1.
Denial-of-Service and Resource Exhaustion Nick Feamster CS 7260 April 2, 2007.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Common types of online attacks Dr.Talal Alkharobi.
Ethical Hacking Module VIII Denial Of Service. EC-Council Module Objective What is a Denial Of Service Attack? What is a Distributed Denial Of Service.
Botnets: Infrastructure and Attacks Nick Feamster CS 6262 Spring 2009.
Security Incident Handlings How can we work together to provide confidence for Internet users? Suguru Yamaguchi, Ph.D. JPCERT/CC (WIDE Project/NAIST)
Security Threats and Protection Mechanisms. Learning Objectives Internet security issues (intellectual property rights, client, communication channels,
Dave Ahmad Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.
Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.
© 2009 Pearson Education, Inc. Publishing as Prentice Hall Chapter 9 Pankos Business Data Networks and Telecommunications, 7th edition © 2009 Pearson Education,
Chapter 11 E-Commerce Security. Electronic CommercePrentice Hall © Learning Objectives 1.Document the trends in computer and network security attacks.
UNIT 2: Firewalls Content : Firewalls in general basic operation and architecture Main border firewalls using stateful inspection Screening firewalls.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
Securing a Virtualized Environment Stefano Alei Senior Systems Engineer.
Unwanted Network Traffic: Threats and Countermeasures CS 3251 Prof. Nick Feamster November 13, 2006.
Botconomics – Mastering the Underground Economy of Botnets. LACNIC May, 2008 Kleber Carriello de Oliveira Consulting Engineer Arbor Networks.
Copyright COMP 3410 – I.T. in Electronic Commerce eSecurity Malware and Other Attacks Roger Clarke Xamax Consultancy, Canberra Visiting Professor,
COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Logical IT Security By Prashant Mali.
© AT&T Inc Detection of DNS Traffic Anomalies Anestis Karasaridis, PhD,CISSP.
Malware, Viruses, Worms Nick Feamster CS 6262 Spring 2009.
International Telecommunication Union ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004 Threat Evolution in Wireless Telecommunications.
Trends in Endpoint Security by Richard Lau Trends in Endpoint Security by Richard Lau 29 September 2005.
An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,
© 2016 SlidePlayer.com Inc. All rights reserved.