Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)

Published byDennis Joseph Modified over 8 years ago

Similar presentations

Presentation on theme: "Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)"— Presentation transcript:

1 Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)

2 2 Contents 1. Introduction 2. What is DoS attacks? 3. Well-known DoS attacks 4. Intermediate countermeasures 5. Protocols against DoS 6. Conclusion 7. References

3 3 1.Introduction We are at war, not at risk. DoS is very simple but powerful attack To defeat attack, we need to analyze it We need intermediate solutions We need long-term solutions (make use of cryptogra phic primitives)

4 4 2.1. What is DoS attack?  attempts to flood a network, thereby preventing legitimate network traffic  attempts to disrupt connections between two machines, thereby preventing access to a service  attempts to prevent a particular individual from accessing a service  attempts to disrupt to a specific system or person.

5 5 2.1.Distributed DoS

6 6 2.2. Modes of attacks Consumption of limited or non-renewable Resources: network connectivity, bandwidth, etc. Destruction or Alteration of Configuration Information Physical Destruction or Alteration of Network Components

7 7 3.1. Smurf attack (ping of death)

8 8 3.1. SYN flood SourceDestination Listen SYN_RECVDD CONNECTED SYN n SYN m, ACK n+1 SYN m+1 AttackerVictim Listen SYN_RECVDD SYN n SYN m, ACK n+1 SYN n+1 Port flooding occurs

9 9 3.1. UDP flood (fraggle) Similar to Smurf attack UDP echo messages always expects UDP reply mess ages

10 10 Distributed DoS attacks Trinoo Tribe Flood Network (TFN) Stacheldraht Shaft TFN2K

11 11 4. Intermediate countermeasures Software patches Secure host computer from hacking, trojan horse, vir us, back door,… Configure router to deny spoofed source address Reduce time-out of half-open connections Increase resources for half-open connections (backl og) Close unused TCP/UDP port Firewall Etc.

12 12 5.1. Why IPsec not work? Too many design goals High complexity Provide authentication but introduce another attack: abuse resources for expensive operations (i.e. expon entiation)

13 13 5.2. Client Puzzle Client commits its resources into solving the puzzle Server does not store state data or perform expensive computation Puzzle Solution Server verifies the solution If it accepts, it may now commit resources to expensive parts of the authentication

14 14 5.2. Client Puzzle (cont.) Creating a puzzle and verifying puzzle ’ s solution is inexpensive for the server The cost of solving the puzzle is easy to adjust from zero to impossible (i.e. when server ’ s resource is getting exhausted, server should increase the difficulty level). It is not possible to precompute solutions While client is solving the puzzle, the server does not need to store the solution or other client specific data. The same puzzle may be given to several clients. Knowing the solution of one or more clients does not help a new client in solving the puzzle A client can reuse a puzzle by creating several instances of it

15 15 5.2. Puzzle by hash function Hash function is simplest cryptographic primitive, free of charg e H(Ns, x) = 0 k y Ns: Server’s Nonce (Puzzle) X : solution to puzzle Y: anything K : difficulty level Client find x by brute-force method Unique solution H(client_id, Nc, Ns, x) = 0 k y Nc : Client’s nonce client_id : Client identity

16 16 5.2. Authentication protocol Client verifies signature on Ns, k. It then generates a nonce Nc and find solution x by brute-force method: h(client_id, Ns, Nc, x) = 0 k y Client sends following message Server periodically decides difficulty level k, generates nonce Ns and sends following message together with its signature Ns, k, sign(Ns, k) Client_id, Ns, Nc, x Server verifies that Ns is recently in use and client_id, Ns, Nc not used before, and checks that h(client_id, Ns, Nc, x) = 0 k y If it accepts, server now commit resources for expensive operation. Server also stores client_id, Ns, Nc while Ns is recently in use. Client Hello Server in idle state during client solving puzzle Sever

17 17 6. Conclusion Analyze attacks and countermeasures Client Puzzle using hash function We are behind attackers Combination of countermeasures is required

18 18 7. References [1] http://www.cert.orghttp://www.cert.org [2] Jussipekka Leiwo, Towards Network Denial of Service Resistant Protocols. [3] Christoph L. Schuba, Ivan V.Krusl, Markus G. Kuhn, et al., Analysis of a Denial of Service Attack on TCP. [4] Felix Lau, Stuart H. Rubin, Michael H. Smith, Ljiljana Trajkovic, Distributed Denial of Service. [5] Tuomas Aura, Pekka Nikander, Jussipekka Leiwo, DoS-Resistant Authentication with Client Puzzles. [6] Pasi Eronen, Denial of Service In Public Key Protocols. [7] Douglas E. Comer, Internetworking with TCP/IP, Principles, Protocols, and Architectures – Volume 1, Fourth Edition [8] RFC(s) [9] David Dittrich et al, The distributed denial of service attack tool series. [10] Niels Ferguson and Bruce Schneier, A Cryptographic Evaluation of IPsec.

Download ppt "Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)"

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Evaluating Authenticated, DoS Resistant Key Exchange Protocols J.W. Pope CS 589 December 12, 2003.

Evaluating Authenticated, DoS Resistant Key Exchange Protocols J.W. Pope CS 589 December 12, 2003.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Similar presentations

Ads by Google