Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)


Contents
1. Introduction
2. What is a DoS attack?
3. Well-known DoS attacks
4. Intermediate countermeasures
5. Protocols against DoS
6. Conclusion
7. References

1. Introduction
- We are at war, not at risk.
- DoS is a very simple but powerful attack
- To defeat an attack, we need to analyze it
- We need intermediate solutions
- We need long-term solutions (make use of cryptographic primitives)

What is a DoS attack?
- attempts to flood a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person

2.1. Distributed DoS

Modes of attacks
- Consumption of limited or non-renewable resources: network connectivity, bandwidth, etc.
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components

Smurf attack (ping of death)

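SYN flood
[Diagram: two TCP handshake timelines]
- Source / Destination: Destination states Listen, SYN_RECVD, CONNECTED; messages SYN n; SYN m, ACK n+1; SYN m+1
- Attacker / Victim: Victim states Listen, SYN_RECVD; messages SYN n; SYN m, ACK n+1; SYN n+1
- Port flooding occurs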

UDP flood (fraggle)
- Similar to the Smurf attack
- A UDP echo message always expects a UDP reply message

Distributed DoS attacks
- Trinoo
- Tribe Flood Network (TFN)
- Stacheldraht
- Shaft
- TFN2K

4. Intermediate countermeasures
- Software patches
- Secure the host computer from hacking, trojan horse, virus, back door, …
- Configure the router to deny spoofed source addresses
- Reduce the time-out of half-open connections
- Increase resources for half-open connections (backlog)
- Close unused TCP/UDP ports
- Firewall
- Etc.

Why does IPsec not work?
- Too many design goals
- High complexity
- Provides authentication but introduces another attack: abuse of resources for expensive operations (i.e. exponentiation)

Client Puzzle
- Client commits its resources into solving the puzzle
- Server does not store state data or perform expensive computation
- Message flow: the server sends a Puzzle, the client returns a Solution
- Server verifies the solution
- If it accepts, it may now commit resources to expensive parts of the authentication

Client Puzzle (cont.)
- Creating a puzzle and verifying a puzzle's solution is inexpensive for the server
- The cost of solving the puzzle is easy to adjust from zero to impossible (i.e. when the server's resources are getting exhausted, the server should increase the difficulty level)
- It is not possible to precompute solutions
- While the client is solving the puzzle, the server does not need to store the solution or other client-specific data
- The same puzzle may be given to several clients. Knowing the solution of one or more clients does not help a new client in solving the puzzle
- A client can reuse a puzzle by creating several instances of it

Puzzle by hash function
- A hash function is the simplest cryptographic primitive, free of charge
- Puzzle: H(Ns, x) = 0^k y   (k zero bits followed by y)
  - Ns: server's nonce (puzzle)
  - x: solution to the puzzle
  - y: anything
  - k: difficulty level
- Client finds x by brute-force method
- Unique solution: H(client_id, Nc, Ns, x) = 0^k y
  - Nc: client's nonce
  - client_id: client identity

Authentication protocol
[Diagram: message flow between Client and Server]
1. Client -> Server: Hello
2. Server periodically decides difficulty level k, generates nonce Ns and sends the following message together with its signature:
   Server -> Client: Ns, k, sign(Ns, k)
3. Client verifies the signature on Ns, k. It then generates a nonce Nc and finds solution x by brute-force method: h(client_id, Ns, Nc, x) = 0^k y. The server is in idle state while the client is solving the puzzle.
4. Client sends the following message:
   Client -> Server: client_id, Ns, Nc, x
5. Server verifies that Ns is recently in use and that client_id, Ns, Nc have not been used before, and checks that h(client_id, Ns, Nc, x) = 0^k y
6. If it accepts, the server now commits resources for the expensive operation. The server also stores client_id, Ns, Nc while Ns is recently in use.
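
The hash puzzle and the server-side checks from the two slides above, as an added example that is not part of the original presentation. SHA-256, the length-prefixed field encoding, and the names Server, solve and puzzle_hash are assumptions; the signature on (Ns, k) is left out.

```python
import hashlib
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of the digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def puzzle_hash(client_id: bytes, ns: bytes, nc: bytes, x: int) -> bytes:
    # h(client_id, Ns, Nc, x); each field is length-prefixed (assumed encoding)
    # so that different field splits cannot produce the same hash input.
    h = hashlib.sha256()
    for field in (client_id, ns, nc, x.to_bytes(8, "big")):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()

def solve(client_id: bytes, ns: bytes, nc: bytes, k: int) -> int:
    """Client side: brute-force x; expected cost is about 2**k hashes."""
    x = 0
    while leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) < k:
        x += 1
    return x

class Server:
    def __init__(self, k: int):
        self.k = k                  # difficulty level
        self.ns = os.urandom(16)    # current nonce Ns, shared by all clients
        self.seen = set()           # (client_id, Nc) accepted under current Ns

    def rotate(self, k=None):
        """New period: fresh Ns, optional new difficulty, drop old entries."""
        self.ns = os.urandom(16)
        self.k = self.k if k is None else k
        self.seen.clear()

    def verify(self, client_id: bytes, ns: bytes, nc: bytes, x: int) -> bool:
        """One hash and two lookups; state is stored only after acceptance."""
        if ns != self.ns:                    # Ns is not recently in use
            return False
        if (client_id, nc) in self.seen:     # (client_id, Ns, Nc) used before
            return False
        if leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) < self.k:
            return False
        self.seen.add((client_id, nc))
        return True
```

Raising k by one doubles the client's expected work while the server's verification cost stays at a single hash.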

6. Conclusion
- Analyze attacks and countermeasures
- Client Puzzle using hash function
- We are behind attackers
- Combination of countermeasures is required

7. References
[1]
[2] Jussipekka Leiwo, Towards Network Denial of Service Resistant Protocols.
[3] Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, et al., Analysis of a Denial of Service Attack on TCP.
[4] Felix Lau, Stuart H. Rubin, Michael H. Smith, Ljiljana Trajkovic, Distributed Denial of Service.
[5] Tuomas Aura, Pekka Nikander, Jussipekka Leiwo, DoS-Resistant Authentication with Client Puzzles.
[6] Pasi Eronen, Denial of Service In Public Key Protocols.
[7] Douglas E. Comer, Internetworking with TCP/IP, Principles, Protocols, and Architectures, Volume 1, Fourth Edition.
[8] RFC(s)
[9] David Dittrich et al., The distributed denial of service attack tool series.
[10] Niels Ferguson and Bruce Schneier, A Cryptographic Evaluation of IPsec.