
1 Defensive Measures for DDoS By Farhan Mirza

2 Contents
- Survey Topics
- Introduction
- Common Target of DoS Attacks
- DoS Tools
- Defensive Measures & Their Vulnerabilities
- Honeypot for DDoS
- Honeypot Implementation
- Issues & Concerns
- Conclusion

3 Survey Topics
- Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
- Paper 2: Honeypots for Distributed Denial of Service Attacks

4 Introduction
- DoS attacks: "weapons of mass destruction" of the Internet
- Paralyze Internet systems with bogus traffic
- 4th major attack category in 2001 (Computer Crime & Survey Report)

5 Attacks on Targets
- Attacking tools are becoming more offensive
- Attacks are more difficult to discover and filter
- Powerful automatic scanning and observation of the target's vulnerabilities
- Methods used: TCP SYN flooding, UDP flooding, ICMP flooding, etc.
- Includes viruses and worms: MS-SQL Server worm, Code Red, etc.

6 Code Red Worm Attack

7 Common Targets of DoS Attacks
- Bandwidth DoS attacks
- Memory DoS attacks
- Computation DoS attacks

8 Bandwidth DoS Attacks
- Target: bandwidth
- Example: Slammer (MS-SQL Server worm)
  - Self-propagating malicious code
  - Employs multiple vulnerabilities of the SQL Server Resolution Service

9 Memory DoS Attacks
- Target: memory
- Backscatter analysis (Moore investigation):
  - 94% of DoS attacks occur on the TCP protocol
  - 49% of attacks are TCP SYN attacks targeting the 3-way handshake
  - 2% on UDP
  - 2% on ICMP

10 Memory DoS Attacks (cont.)
- Every TCP connection establishment requires an allocated memory resource
- Only a limited number of concurrent TCP half-open connections can be held
- An attacker can disable the service by sending an excessive number of connection requests with spoofed source addresses, so the half-open connections are never completed

11 Computation DoS Attacks
- Target: computational resources
- Example: database query attacks
  - A sequence of queries requesting the DBMS to execute complex commands, overwhelming the CPU

12 Software Bugs & Exploits
- Exploit on 7xx routers: connecting with Telnet and typing very long passwords
  - Effects: reboots the router; denies service to users during the reboot period
(Figure: connecting with Telnet and typing long passwords)

13 Software Bugs & Exploits (cont.)
- Smurf DoS bug: uses ICMP Echo Request packets sent to a broadcast address with a spoofed source address (the victim's)
  - Effects: all machines on the subnet reply directly to the victim's address; congestion of the victim's network connection

14 DoS Tools
- Trin00
- TFN (Tribe Flood Network)
- Stacheldraht ("barbed wire")

15 Trin00
- Distributed attacking tool
- Installed on intermediate hosts using a buffer overrun bug
- Compiled on Linux and Solaris operating systems
- Capable of generating UDP packets for the attack
- Target ports: 0 to 65534

16 TFN (Tribe Flood Network)
- Launches Distributed Denial of Service attacks
- Installed on intermediate hosts, based on a buffer overrun bug
- Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks
- Compiled on Linux and Solaris operating systems

17 Stacheldraht ("barbed wire")
- Combines features of Trin00 and TFN
- Capable of producing ICMP flood, SYN flood, UDP flood and Smurf attacks
- ICMP, UDP and TCP SYN packets of sizes up to 1024 bytes against multiple victim hosts
- TCP SYN packets are generated against random ports taken from a selected range of port numbers

18 DDoS Pattern
1. Setting up of a stolen account as a repository for attack tools
2. Scanning of large address ranges for potentially vulnerable targets
3. Creation of a script to perform the exploit and to report the results
4. Choice of a subset of suitable compromised servers from the list
5. Script-automated installation of the needed tools on the compromised servers
6. Optional installation of a rootkit to hide the compromise

19 Defensive Measures: System Self-Defense
- Stop all unnecessary or non-essential system services and network ports
- Reduce the timeout period for simultaneous half-open connections
- Vulnerability:
  - Reconfiguration may delay, or even deny, legitimate access
  - May lead to a potential increase in resource usage

20 Packet Filtering
- Most popular defensive mechanism
- Selectively screens out suspicious or malicious packets
- Is itself a form of deliberate, controlled denial of service
- Vulnerability:
  - If manipulated or abused, it is the most convenient way to accomplish a DoS attack (legitimate traffic gets filtered)

21 Packet Filtering (cont.): Types of Packet Filtering
- Egress/ingress filtering
  - Manages the flow of traffic into and out of the network
  - Ingress: used to block packets with spoofed source addresses
  - Egress: manages the flow of traffic as it leaves a network
- Vulnerability:
  - Effective only if deployed at large scale (across many networks)
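As an added illustration of the ingress/egress rule above (this is example code written for this transcript, not something from the presentation or either surveyed paper), the following filter treats two address lists as ground truth: the prefixes the organization owns and the well-known private or reserved ranges that should never appear as a source on the public Internet. The prefixes, the `Packet` record and the sample traffic are all constructed assumptions. Inbound packets claiming an internal or reserved source are dropped (ingress), and outbound packets whose source is not ours are dropped (egress), which is the part that only helps the wider Internet when many networks do it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: the address space "we" own, and source ranges that must
# never arrive from the public side (RFC 1918 private space, loopback, "this" network).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in": arriving from the upstream provider, "out": leaving our network


def _in_any(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def ingress_allowed(pkt: Packet) -> bool:
    """Inbound: reject packets that claim one of our own addresses or a reserved range as source."""
    return not (_in_any(pkt.src, INTERNAL_PREFIXES) or _in_any(pkt.src, BOGON_PREFIXES))


def egress_allowed(pkt: Packet) -> bool:
    """Outbound: forward only packets whose source really belongs to us, so our network
    cannot be used to launch spoofed-source floods against others."""
    return _in_any(pkt.src, INTERNAL_PREFIXES)


def filter_packets(packets):
    """Apply the rule matching each packet's direction; returns (packet, verdict) pairs."""
    decisions = []
    for pkt in packets:
        allowed = ingress_allowed(pkt) if pkt.direction == "in" else egress_allowed(pkt)
        decisions.append((pkt, "forward" if allowed else "drop"))
    return decisions


# Constructed sample traffic, one packet per case the filter must handle.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.80", "in"),     # ordinary inbound request
    Packet("192.0.2.9", "192.0.2.80", "in"),       # inbound, but claims one of our addresses: spoofed
    Packet("10.1.2.3", "192.0.2.80", "in"),        # private source on the public side: spoofed
    Packet("192.0.2.80", "203.0.113.5", "out"),    # ordinary outbound reply
    Packet("203.0.113.77", "198.18.0.1", "out"),   # outbound with a foreign source: spoofing attempt from inside
]


def dropped_sources(packets=SAMPLE_PACKETS):
    """Source addresses the filter refused to forward."""
    return [pkt.src for pkt, verdict in filter_packets(packets) if verdict == "drop"]


if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

Note what the filter cannot do: an inbound packet with a plausible, unowned public source (the first sample packet) passes even if that source is forged, which is why the slide calls the measure effective only when deployed widely enough that the forging network's own egress filter would have stopped it.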

22 Packet Filtering (cont.): Firewalls
- The victim network's own mechanism
- Enable a form of protection against SYN flooding
- Examine packets and maintain connection and state information about session traffic
- Configured as a relay, i.e. a semi-transparent gateway
- Vulnerability:
  - Causes delays for every connection
  - A flood of 14k packets/sec can disable even specialized firewalls

23 IP Traceback
- Effective and aggressive way to terminate DoS attacks at their sources
- Vulnerability:
  - Does not locate the attacker if the attack is launched through reflectors

24 State Monitoring
- Uses software agents to continuously monitor TCP/IP traffic in a network
- RealSecure:
  - Monitors the local network for SYN packets that are not acknowledged within a period of time defined by the user
- Vulnerability:
  - Needs to maintain a tremendous amount of state to determine which packets are malicious, which itself consumes system resources
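The half-open connection problem from slide 10 and the RealSecure-style check on this slide both come down to the same bookkeeping: remember each client SYN and forget it when the client's final ACK arrives; whatever is still pending after the user-defined timeout is a half-open connection. The following is an added example written for this transcript (not RealSecure's code and not from the presentation); the packet log, the 3-second timeout and the alert threshold of five distinct sources are constructed assumptions. It also counts how many 4-tuples the monitor had to remember, which is the resource cost the slide's vulnerability bullet refers to.

```python
from collections import defaultdict

# Constructed packet log, client side of the handshake only:
# (time_s, src_ip, src_port, dst_ip, dst_port, flags) with "S" = SYN, "A" = the client's final ACK.
PACKET_LOG = [
    (0.0, "203.0.113.10", 40001, "192.0.2.80", 80, "S"),   # legitimate client ...
    (0.1, "203.0.113.10", 40001, "192.0.2.80", 80, "A"),   # ... completes the handshake
    (1.0, "198.51.100.1", 1025, "192.0.2.80", 80, "S"),    # six SYNs from six sources that never ACK
    (1.1, "198.51.100.2", 1025, "192.0.2.80", 80, "S"),
    (1.2, "198.51.100.3", 1025, "192.0.2.80", 80, "S"),
    (1.3, "198.51.100.4", 1025, "192.0.2.80", 80, "S"),
    (1.4, "198.51.100.5", 1025, "192.0.2.80", 80, "S"),
    (1.5, "198.51.100.6", 1025, "192.0.2.80", 80, "S"),
    (9.5, "203.0.113.11", 40002, "192.0.2.80", 80, "S"),   # fresh SYN, still within the timeout
]


def half_open_connections(log, now, timeout):
    """Return {4-tuple: syn_time} for SYNs not followed by the client's ACK within `timeout` seconds."""
    pending = {}
    for ts, src, sport, dst, dport, flags in log:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts            # server has allocated a half-open entry for this tuple
        elif flags == "A":
            pending.pop(key, None)       # handshake completed, entry released
    return {key: ts for key, ts in pending.items() if now - ts > timeout}


def syn_flood_alerts(log, now, timeout=3.0, threshold=5):
    """Group stale half-open connections by destination service and alert when the number of
    distinct (probably spoofed) sources reaches `threshold`."""
    stale = half_open_connections(log, now, timeout)
    per_service = defaultdict(set)
    for (src, _sport, dst, dport) in stale:
        per_service[(dst, dport)].add(src)
    return {svc: sorted(srcs) for svc, srcs in per_service.items() if len(srcs) >= threshold}


def state_entries(log):
    """Distinct 4-tuples the monitor had to remember: its memory cost grows with every SYN seen,
    whether legitimate or not, which is the weakness the slide points out."""
    return len({(src, sport, dst, dport) for _ts, src, sport, dst, dport, _f in log})


if __name__ == "__main__":
    print("state entries:", state_entries(PACKET_LOG))
    print("alerts at t=10s:", syn_flood_alerts(PACKET_LOG, now=10.0))
```

Lowering `timeout` (the self-defense measure of slide 19) frees entries sooner but, as that slide warns, a slow legitimate client whose ACK arrives late is then treated the same way as a spoofed source.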

25 Resource Allocation Control
- A way to prevent exhaustion of the victim's resources: limit the resource allocation and usage for each user or service
- Class-based queuing:
  - Configures different traffic priority queues and rules that determine which packets should be put into which queue
- Vulnerability:
  - Under a DoS attack it cannot determine which packets belong to the same user or service, so attack packets share the quota of the legitimate users in the same class
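To make the class-based queuing idea and its stated weakness concrete, here is an added example written for this transcript (not the presentation's material and not any vendor's implementation). The class table, the classification rules (by destination port only) and the one scheduling interval of sample traffic are constructed assumptions. Classes are served in priority order, each up to its own byte quota, so a flood aimed at port 80 cannot starve DNS; but inside the web class the queue cannot tell the one real user's request from the flood, and the quota is consumed by whoever arrived first.

```python
from collections import deque

# Constructed class table (assumption): class name -> (priority, byte quota per scheduling interval)
CLASSES = {
    "dns": (0, 1000),    # highest priority, small quota
    "web": (1, 6000),
    "bulk": (2, 2000),
}


def classify(pkt):
    """Choose a class from header fields only: the queue has no notion of which user sent the packet."""
    dport = pkt["dport"]
    if dport == 53:
        return "dns"
    if dport in (80, 443):
        return "web"
    return "bulk"


def class_based_queue(packets, classes=CLASSES):
    """Enqueue by class, then serve classes in priority order, each limited to its own quota.
    Returns (forwarded, dropped)."""
    queues = {name: deque() for name in classes}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)
    forwarded, dropped = [], []
    for name, (_prio, quota) in sorted(classes.items(), key=lambda item: item[1][0]):
        used = 0
        while queues[name]:
            pkt = queues[name].popleft()
            if used + pkt["bytes"] > quota:
                dropped.append(pkt)          # quota exhausted: dropped regardless of who sent it
            else:
                used += pkt["bytes"]
                forwarded.append(pkt)
    return forwarded, dropped


def build_interval():
    """Constructed traffic for one interval. The 'legit' flag is ground truth for the report only;
    the queue never sees it."""
    pkts = [{"src": "203.0.113.5", "dport": 53, "bytes": 100, "legit": True},
            {"src": "203.0.113.6", "dport": 53, "bytes": 100, "legit": True}]
    # ten 1500-byte requests to port 80 from ten spoofed sources, then one real user's request
    pkts += [{"src": f"198.51.100.{i}", "dport": 80, "bytes": 1500, "legit": False} for i in range(1, 11)]
    pkts.append({"src": "203.0.113.7", "dport": 80, "bytes": 1500, "legit": True})
    pkts.append({"src": "203.0.113.8", "dport": 21, "bytes": 1000, "legit": True})
    return pkts


def outcome(packets=None):
    """Summarise who got through: other classes are protected, the web class's real user is not."""
    packets = build_interval() if packets is None else packets
    forwarded, dropped = class_based_queue(packets)
    return {
        "dns_forwarded": sum(1 for p in forwarded if p["dport"] == 53),
        "web_forwarded": sum(1 for p in forwarded if p["dport"] == 80),
        "legit_web_dropped": sum(1 for p in dropped if p["dport"] == 80 and p["legit"]),
        "bulk_forwarded": sum(1 for p in forwarded if p["dport"] == 21),
    }


if __name__ == "__main__":
    print(outcome())
```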

26 Congestion Control
- Network congestion: a reduction in network throughput
- Pushback:
  - A mechanism for defending against DDoS attacks
  - Identifies most of the malicious packets, based on Aggregate-based Congestion Control (ACC)
- Vulnerability:
  - Not an effective method for blocking bad traffic under a typical DDoS attack
  - Cannot differentiate good and bad traffic within an aggregate and drops them equally
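The following added example (written for this transcript; it is neither the presentation's material nor the Pushback authors' code) shows the aggregate-based step in miniature: traffic is grouped by destination /24, the aggregate that is responsible for the link being oversubscribed is identified, and it is rate-limited to whatever capacity is left after the other aggregates. The link capacity, the one-second traffic sample and the /24 grouping are constructed assumptions. The `legit` flag exists only for the report; the limiter never consults it, which is exactly why good and bad packets inside the aggregate are dropped alike.

```python
import ipaddress
from collections import defaultdict

LINK_CAPACITY = 10_000   # constructed: bytes the outgoing link can carry in this one-second sample


def build_sample():
    """Constructed one-second sample: (dst_ip, bytes, legit). 24 packets into 192.0.2.0/24,
    of which every sixth is a real user's packet, plus 4 legitimate packets into another /24."""
    sample = []
    for i in range(24):
        legit = (i % 6 == 5)
        dst = "192.0.2.25" if legit else "192.0.2.80"
        sample.append((dst, 500, legit))
    sample += [("198.51.100.20", 500, True)] * 4
    return sample


SAMPLE = build_sample()


def _prefix(dst, prefixlen):
    return str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False))


def aggregates(sample, prefixlen=24):
    """Bytes per destination prefix: the only view of the traffic the router has."""
    agg = defaultdict(int)
    for dst, nbytes, _legit in sample:
        agg[_prefix(dst, prefixlen)] += nbytes
    return dict(agg)


def identify_high_bandwidth_aggregate(sample, capacity, prefixlen=24):
    """If the link is oversubscribed, name the largest aggregate and the byte limit that would
    leave room for everyone else. Returns None when there is no congestion."""
    agg = aggregates(sample, prefixlen)
    total = sum(agg.values())
    if total <= capacity:
        return None
    worst = max(agg, key=agg.get)
    others = total - agg[worst]
    return worst, max(capacity - others, 0)


def apply_rate_limit(sample, aggregate, limit, prefixlen=24):
    """Forward packets of `aggregate` only until `limit` bytes are used; other traffic is untouched.
    Legitimacy is never consulted. Returns (forwarded, dropped)."""
    sent = 0
    forwarded, dropped = [], []
    for rec in sample:
        dst, nbytes, _legit = rec
        if _prefix(dst, prefixlen) == aggregate:
            if sent + nbytes > limit:
                dropped.append(rec)
                continue
            sent += nbytes
        forwarded.append(rec)
    return forwarded, dropped


def limit_report(sample=SAMPLE, capacity=LINK_CAPACITY):
    """Ground-truth view of what the limiter did, including the collateral damage to real users."""
    found = identify_high_bandwidth_aggregate(sample, capacity)
    if found is None:
        return {"aggregate": None, "limit": None, "dropped": 0, "dropped_legit": 0, "dropped_attack": 0}
    aggregate, limit = found
    _forwarded, dropped = apply_rate_limit(sample, aggregate, limit)
    legit = sum(1 for rec in dropped if rec[2])
    return {"aggregate": aggregate, "limit": limit, "dropped": len(dropped),
            "dropped_legit": legit, "dropped_attack": len(dropped) - legit}


if __name__ == "__main__":
    print(aggregates(SAMPLE))
    print(limit_report())
```

The report shows the slide's point directly: the congested aggregate is found and the other /24 is fully protected, but the victim prefix's own legitimate users lose packets in proportion to their share of the flood.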

27 Active Networks
- Programs can perform customized computations and manipulations in the network
- Allow users to inject customized programs into the nodes of the network
- Active edge-tagging:
  - One example: first-hop routers tag the actual source IP address into the active-network layer header of each incoming packet from the hosts
- Vulnerability:
  - Active networks pose serious security threats, since they are designed to run executable code on remote hosts

28 Bandwidth Overhead of Defensive Measures

29 Memory Overhead of Defensive Measures

30 Computational Overhead of Defensive Measures

31 Attacks on Defensive Measures: Assumption vs. Reality
- Firewalls. Assumption: invincible, with unlimited resources. Reality: still limited, and a single point of failure or bottleneck.
- Network congestion. Assumption: control messages are delivered to their destination efficiently and successfully. Reality: control messages may be dropped or lost during transmission.
- Defensive devices. Assumption: will not be targeted by the attacker. Reality: many are themselves vulnerable to attack.
- Network devices. Assumption: trustworthy; control messages will not be tampered with, eavesdropped or forged. Reality: control messages might be tampered with, eavesdropped or forged.

32 Honeypot for DDoS
- Advantages of the system:
  - Defends the operational network with high probability against DDoS attacks and new variants
  - Traps the attacker and records the compromise, to help in legal action against the attacker
- Devised system:
  - Implemented to lure the attacker into believing he has successfully compromised the system
  - Learns the tactics, tools, methods and motives of an attacker in order to secure the system

33 Characterization
- Should be a replica of the operational system
- Consists of similar systems and applications
- Services such as Web, Mail, FTP and DNS should be accessible to the attacker
- Must be located in the DMZ

34 Local Network Protection
- Must be located in another zone, protected with a firewall
- Encrypted transmission inside the LAN
- Clients run a trusted OS
- Services are managed by an indirect authentication method (Kerberos)
- Detection systems such as host-based IDS and a vulnerability scanner must be running

35 Honeypot Implementation in Organization

36 View for an Attacker

37 Issues To Be Resolved
- The attack must be detectable
- Attack packets must be actively directed to the honeypot
- The honeypot must be able to simulate the organization's network infrastructure

38 Concerns & Issues
- Not a good idea in a real operational environment
- Requires expertise
- A small configuration mistake or loophole will create a disaster
- Difficult to distinguish regular users from attackers in most cases
- Uses a DDoS signature-type method during authentication; not as effective, especially for first-time authentication
- Hard to identify the culprit when the attacker is using a compromised system
- VPN and PKI as proposed: how do the two environments work together?

39 Conclusion
- Attacking and defending networks is like a game
- Defensive measures are not always secure; valuable data is at risk with a small effort from the attacker
- Honeypots are a promising tool for luring attackers in DDoS attacks
- To secure our networks, defensive measures applied with proper knowledge and expertise are required

