Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.

Published byRandell Norton Modified over 8 years ago

Similar presentations

Presentation on theme: "Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus."— Presentation transcript:

1 Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus DoS is relatively easy. Hackers often consider DoS as the last resort, which usually is always possible. DoS may be made in order to force the administrators to restart a system, which enables some other attack. Types of DoS attacks in the Internet: –Bandwidth consumption –Resource starvation –Programming flaws –Routing and DNS attacks DoS is a problem in networks where a small number of sources can generate large amount of traffic, especially if there is no admission control.

2 Denial of Service Most of DoS attacks in the Internet use errors in protocols. DDoS attacks do not and they are most dangerous. Maybe errors can be removed, DDoS attacks cannot. DoS attacks can be divided into simple DoS and Distributed DoS (DDoS) attacks. Simple DoS examples: –Ping of Death –Land attack –Teardrop –Syn flood –Smurf attack DDoS attack examples –Trin00, TFN, TFN2k, Stacheldraht

3 Denial of Service How could one protect the Internet against denial of service? How is it done in PSTN? –call admission control (CAC) –distributing traffic as a way to resolve congestion –focused overloads: congestion control ACG, window mechanisms, percent thinning –problems in concentrators –why these will not work in the Internet but work in PSTN (ISDN)? How is it done in B-ISDN? –Source Traffic Descriptor is available for every source (almost as in PSTN), but a small number of sources can demand much bandwidth. Sill CAC protects from DoS. –Why this almost works but will not work in the Internet?

4 Denial of Service Authenticate traffic (by IPsec etc.) –stops spoofing?, attacking computers can be located by IP address? No! Then attacker can make DoS by offering so much processing that a computer checking authentication is jammed This is: you can make DoS in several ways: –to overload network elements you can use –traffic –processing –protocol timers, protocol behavior Currently people think, DoS attack using processing can be stopped with cookie method. Is this true? What about port hopping? This could work with routing protocols?

5 Denial of Service Active network DoS prevention, agents move back stream close to attackers and program routers to discard traffic. How this works with IP address spoofing? Priority is always good: Communications on lower priority than internal processes, fine, computer stays responsive but then communications is congested. One possibility: recognize an attacker by looking at target addresses, if there is much traffic to one target, router puts traffic to lower Diffserv class. We can detect increase of traffic by observing queue length in routers, then count to which targets in some time window is directed much traffic, conclude that it looks like DoS. (DDoS version, traffic comes from many sources. One could have routers exchanging information which 10 targets are most popular.)

6 Denial of Service The mentioned Diffserv priority idea is not tried yet, maybe could work? Back to existing methods: If the attacker is using known DoS tools, recognize traffic generated by them, but then protection will not work against new tools. Attacks against protocols (TCP SYN Flood) can be solved by decreasing timers, or by improving the protocol, but the timers are there for some reason so they cannot be set to zero. This method will not solve the problem completely. Restrict the amount of traffic a source can send, but is it any more the Internet we like (then we could go to B-ISDN, or to other connection oriented networks) Require STD (Source Traffic Descriptor, Tspec etc.) but this will lead us to ATM.

7 Denial of Service What about DoS made by dropping packets? This is always possible unless the network is secure. Secure network leads to operator networks, again it is not the Internet. Agent based Intruder Response System: these have been tried and they have worked. It means intruder detection and blocking or reducing priority of attacker’s traffic. Block the ports - then no attacks possible. This will protect some sites, but cannot protect Web-servers which anonymous users should be able to access. The same problem is with authentication- if anybody can access a web-server, authentication is no good since attackers also must be able to access. We cannot know which of the users are attackers and all must have the right to access, get credentials etc.

8 Denial of Service Load balancing, this cannot protect against sites which are not duplicated. Currently services are being developed on Parlay APIs etc. These will be centralized resources. Load balancing will not help even though there is CORBA under Parlay. Load balancing does not work that well either. In some cases it works: multiprocessor service systems which are not easily congested, but it is simply a matter of increasing the load. Use police: locate and catch the attackers. This is a slow process and can work for a society, but does not protect the country from terrorists or foreign powers (as you cannot catch them by a police, and the attack does not need to last long).

9 Denial of Service Dimension so, that there is a bottleneck resource (link of limited capacity, slow router etc.) before your network. The bottleneck resource gets congested, rest of your network works fine. This works, but you lose communication possibilities. It is certainly not a protection for Web-servers etc. Summary: DoS problems in the Internet are caused by the connectionless operation where a user can send any amount of data without reserving network resources. If one user only could send limited amount of traffic,like in PSTN, making DoS would be harder. If the end systems were not so easily hacked we would not have so large a problem, but even a small number of sources can create congestion. In the Internet there will always be many unsafe computers that can be used for DDoS.

10 Denial of Service Individual attacks, like TCP SYN flooding, ICMP-based DoS attacks etc. can be alleviated by tuning protocols, but this will not solve the DDoS problem. I think, one could try two ways. 1. Intruder response systems, which recognize an attack and respond by blocking traffic or by lowering priority. 2. Change to a connection oriented network where there is connection admission control, traffic spreading by alternative routing and congestion control mechanisms. In order to solve DoS by dropping packets, the solution can only be a closed network: operators run the network and the routers in the core, packets do not wonder anywhere as they do in the Internet, network has a far better management system. Case 2 is not the Internet. Try if case 1 works.

Download ppt "Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus."

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Using Prices to Allocate Resources at Access Points Jimmy Shih, Randy Katz, Anthony Joseph One Administrative Domain Access Point A Access Point B Network.

Using Prices to Allocate Resources at Access Points Jimmy Shih, Randy Katz, Anthony Joseph One Administrative Domain Access Point A Access Point B Network.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Similar presentations

Ads by Google