Presentation is loading. Please wait.

Presentation is loading. Please wait.

DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang.

Published byJosephine Holland Modified over 9 years ago

Similar presentations

Presentation on theme: "DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang."— Presentation transcript:

1 DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang Byung Choi Mark Schuchter

2 Outline Introduction The DDOS Problems Solutions to the DDoS Problems Conclusion

3 Introduction (cont.) DoS : Denial of service attack.  System design weaknesses Ping of death Teardrop  Computationally intensive tasks Encryption and decryption computation  DDoS attack ( Flooding-Based) CPU, Memory, bandwidth exhaustion

4 DDoS: Typical attack preparation 1. prepare attack 2. set up network3. communication IntroductionWhy?TimelineHow?Typ. UNIX atkTyp. Windows atk

5 Why? sub-cultural status to gain access political reasons economic reasons revenge nastiness IntroductionWhy?TimelineHow?Typ. UNIX atkTyp. Windows atk Showing off

6 Timeline 1999: more robust tools (trinoo, TFN, Stacheldraht), auto-update, added encryption 2000: bundled with rootkits, controlled with talk or ÍRC 2002: DrDos (reflected) attack tools, (179/TCP; BGP=Border Gateway Protocol) 2001: worms include DDos-features (i.e. Code Red), include time synchro., <1999: Point2Point (SYN flood, Ping of death,...), first distributed attack tools (‘fapi’) 2003: Mydoom infects thousands of victims to attack SCO and Microsoft IntroductionWhy?TimelineHow?Typ. UNIX atkTyp. Windows atk

7 Development IntroductionWhy?TimelineHow?Typ. UNIX atkTyp. Windows atk High Low 1980198519901995 2001 password guessing password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools binary encryption Source : CERT/CC

8 Conversation between Moms Mom1: I’m so proud of Mike. Apparently he’s one of the world’s best at a new computer game! Mom2: Oh really! Which game? Mom1: Something called “DDoS Attack”… Mike: (Keeping clicking…)

9 DDoS Tools and Their Attack Methods Trin00UDP Tribe Flood NetworkUDP, ICMP, SYN, Smurf Stacheldracht UDP, ICMP, SYN, Smurf TFN 2KUDP, ICMP, SYN, Smurf ShaftUDP, ICMP, SYN TrinityUDP, SYN, RST, ACK

10 DDoS Problems : Direct Attacks Send out a large number of attack packets directly toward a victim  Packet types can be TCP, ICMP, UDP, or a mixture of them. TCP SYN attacks  Spoofed random source address of attack packets  The victim respond by sending back SYN-ACK packets  Cause half-open connection  consume all the memories for pending connections  unable to accepting new requests.

11 Direct attack (cont.)

12 Direct Attacks (cont.) To congest a victim’s incoming link.  The victims usually responds with RST packets Sets up a DDoS attack network.  Attacker  attack hosts ( compromised machines)  masters  agents  victim

13 Direct Attacks

14 Direct Attack Example: Trinoo Discovered in August 1999 Daemons found on Solaris 2.x systems Attack a system in University of Minnesota Victim unusable for 2 days

15 Trinoo Attack type UDP flooding Default size of UDP packet: 1000 bytes  malloc() buffer of this size and send uninitialized content Default period of attack: 120 seconds Destination port: randomly chosen from 0 – 65534

16 Reflector Attacks (cont.) An attacker sends packets that require responses to the reflectors with the packer’s inscribed source addresses set to a victim’s address. The reflectors returns response packets to the victim according to the types of the attack packets. Thus the reflected packets can flood the victim’s link if the number of reflectors is large enough.

17 Redirect Attacks (cont.)

18 Reflector Attacks (cont.) Reflector behaves like a victim of SYN flooding attacks, because it also maintain a number of half-open connections. SYN ACK flooding does not exhaust the victim’s ability to accept new connections but clog the victim’s network link.

19 Reflector Attacks

20 Reflector Attack Examples:

21 How Many Attack Packets Are Needed? (cont.)

22 SYN flooding:  If each SYN packet is 84 bytes long (including the Ethernet frame header and interframe gap)  a 56 kb/s connection is sufficient to stall both Linux and BSD servers with N <= 6000 SYN ACK flooding:  A 1Mb/s connection is sufficient to stall all three servers with N <= 10000. How Many Attack Packets Are Needed? (cont.)

23 How Many Attack Packets Are Needed? In other flooding attacks aimed at jamming a victim’s incoming link, an aggregated attack traffic rate has to be at least 1.544 Mb/s to jam a T1 link.  Direct ICMP flooding: 5000 agents ( 1 query/s)  Reflect ICMP flooding: 5000 reflector ( # of agents can be much fewer, if each agent is responsible for sending ICMP echo requests to a number of reflectors.)

24 Solutions to the DDoS Problems (cont.) Three lines of defense against the attack  Attack prevention and preemption( before the attack)  Attack detection and filtering (during the attack)  Attack source traceback and identification (during and after the attack)  Attack avoidance by victims

25 Attack prevention and preemption On the passive side  Hosts may be securely protected from master and agent implants. Ultimate solution?  To monitor network traffic for known attack messages sent between attackers. On the active side  Cyber-informants and cyber spies to intercept attack plans for known attacks only?

26 Virus example (Wed. 03 Mar. 2004) Hello User of mtu.edu-email server, Our main mailing server will be temporarily unavailable for next two days for regular maintenance and upgrade. To continue receiving mail in these days, please configure our auto- forwarding service. Further details can be obtained from attached file For security purposes the file is password protected. Your password is “00461” Best Wishes, MTU email service team!

27 Attack Source traceback and Identification Two approach  For routers to record information  Send additional information Two reason of infeasible stop an ongoing attack  Hard to trace packets’ origins Those behind firewall & NAT Reflector attack  Hard to stop Scattered in various autonomous systems Helpful in identifying the attacker and collecting for post-attack law enforcement

28 Attack Detection and Filtering (cont.) The detection part is responsible for identifying DDoS attacks or attack packets The filtering part is responsible for classifying those packets and then dropping them ( rate- limiting is another possible action).

29 Attack Detection and Filtering (cont.) Measure the effectiveness of the attack detection and filtering  FPR ( false positive ratio): # of packets classified as attack packets (positive) by a detection system that are confirmed to be normal (negative),  FNR (false negative ratio): # of packets classified as normal (negative) by a detection system that are confirmed to be attack packets (positive),  NPSR (normal packet survival ratio): The percentage of normal packets that can make their way to the victim in the midst of a DDoS attack.

30 Attack Detection and Filtering (cont.)

31 At Source Networks  ISP networks that are directly connected to source networks can effectively ingress-filter spoofed packets.  Can drop all attack packets in direct attacks and all attack packets indirect attacks.  The attack agents can be traced easily in direct attacks  Ensuring all ISP networks to install ingress filtering is an impossible task in itself.

32 Attack Detection and Filtering (cont.) At the Victim’s Network  A DDoS victim can detect a DDoS attack based on an unusually high volume of incoming traffic or degraded server and network performance.  IP hopping or the moving target defense: A host frequently changes its IP address or changes its IP address when a DDoS attack is detected.  To tackle SYN flooding attacks by proxying TCP connection requests.

33 Attack Detection and Filtering (cont.) At a victim’s Upstream ISP network  Victim network may send to an upstream ISP router an intrusion alert message  Such intrusion alert protocol need to be design carefully  The message also have to be protected by strong authentication and encryption algorithms.  Similar to the victim networks, it isn’t effective to filter attack packets.

34 Attack Detection and Filtering (cont.) At further Upstream ISP networks  Packet filtering is pushed as upstream as possible  if ISP networks are willing to install packet filters upon receiving intrusion alerts.

35 Attack avoidance by victims Online task migration  Process  Thread  Object CPU time depletion Bandwidth depletion Memory space depletion

36 Conclusion Hard to design perfectly secure computers and networks…. There are (will be) still many insecure areas in the Internet today that can be compromised to launch large-scale DDoS attacks Attack avoidance schemes at victims have not been fully investigated!  Contributions are solicited!  Task migration on-the-fly

Download ppt "DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/7 2003.

DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Lesson 3-Hacker Techniques

Lesson 3-Hacker Techniques
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
1.1 Operating System Concepts An Introduction to DDoS And the “Trinoo” Attack Tool Acknowledgement: Ray Lam, Ivan Wong.

1.1 Operating System Concepts An Introduction to DDoS And the “Trinoo” Attack Tool Acknowledgement: Ray Lam, Ivan Wong.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Defending against Flooding-based Distributed Denial-of- Service Attacks: A Tutorial AUTHOR ROCKY K. C. CHANG, THE HONG KONG POLYTECHNIC UNIVERSITY PRESENTED.

Defending against Flooding-based Distributed Denial-of- Service Attacks: A Tutorial AUTHOR ROCKY K. C. CHANG, THE HONG KONG POLYTECHNIC UNIVERSITY PRESENTED.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Defensive Measures for DDoS By Farhan Mirza. Contents Survey Topics Survey Topics Introduction Introduction Common Target of DoS Attacks Common Target.

Defensive Measures for DDoS By Farhan Mirza. Contents Survey Topics Survey Topics Introduction Introduction Common Target of DoS Attacks Common Target.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003.

An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003.
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Rocky K. C. Chang.

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Rocky K. C. Chang.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Similar presentations

Ads by Google