Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Published byLoren Bradley Modified over 5 years ago

Similar presentations

Presentation on theme: "Denial of Service (DoS) and Distributed Denial of Service (DDoS)"— Presentation transcript:

1 Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Lesson 15

2 Email Flooding/bombing
A form of denial of service attack. From the CERT web page: "bombing" is characterized by abusers repeatedly sending an identical message to a particular address. "spamming" is a variant of bombing; it refers to sending to hundreds or thousands of users (or to lists that expand to that many users). spamming can be made worse if recipients reply to the , causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of an incorrectly set-up responder message (such as vacation(1)). bombing/spamming may be combined with "spoofing" (which alters the identity of the account sending the ), making it more difficult to determine who the is actually coming from.

3 Email Flooding Attacker sends 100’s or 1000’s of emails to target
Target user’s box fills or target system can go down. Effectiveness as means to attack a system depends on the relative size of the systems and the “pipes”.

4 Email Spoofing and bombing
-----Original Message----- From: Sent: Monday, October 15, :07 PM To: Subject: Congratulation! Dr. White: Congratulation upon becomming a full time faculty at UTSA. Well, I am obviously not President Bush. This is a program I wrote last semester for my project in Ecommerce class. Is this also considered spoofing based on your definition Dr. White? I know I do need to send a spoofing using Linux. This's only my little game. Thank you. Sincerely, What happens if the announced a contest, or contained something designed to anger folks to have them respond?

5 Email Flooding Systems return email to system that
appears to have sent s. Target system goes down under load of too many s. Attacker sends spoofed with error to 100’s of systems Attacker

6 Bombing example

7 Email Flooding What can you do?
From the CERT web page: A.Detection If your system suddenly appears sluggish ( is slow or doesn't appear to be sent or received), the reason may be that your mailer is trying to process a large number of messages. B.Reaction Identify the source of the bomb/spam and configure your router (or have your Network Service Provider configure the router) to prevent incoming packets from that address. Review headers to determine the true origin of the . Review the information related to the bomb/spam following relevant policies and procedures of your organization. Follow up with the site(s) you identified in your review to alert them to the activity. Contact them to alert them to the activity. NOTE: When contacting these sites, keep in mind that the abuser may be trying to hide their identity. Ensure you are up to date with the most current version of delivery daemon (sendmail, for example) and increase logging capabilities as necessary to detect or alert you to such activity.

8 Denial of Service Attacks

9 Denial of Service Attacks

10 Denial of Service (DoS)
Attacks that deny legitimate users service and access to information resources. Different ways to categorize them Nature of attack Poisoned traffic malformed or invalid data that can’t be properly handled Brute-force resource simply use up all available capacity Stateful resource take advantage of client/server relationship in protocols “target” of attack Operating system attacks target flaws in specific operating systems Networking attacks exploit inherent limitations of networking

11 Sources of the Attack Can come from many places (any place) in the network An attacker can hide the source of an attack through IP spoofing Attackers can also hide their identity by enslaving unwitting victims. “owned” or “zombie” agents When an attacker uses many zombie agents together simultaneously the result is a Distributed Denial of Service (DDoS) attack

12 IIS Attack Operating System/Poisoned Traffic attack
Worked against NT 4.0 running Microsoft’s Internet Information Server version 3.0 All that was required was for the user to request a document with a very long name from the server to halt it. e.g. A patch for this bug was issued by MS

13 Ping of Death (POD) Normal Ping utility used to determine whether another machine on the network is up. Accomplished by sending an Internet Control Message Protocol (ICMP) “echo” or “ping” packet to the target. The target replies if it is operating POD accomplished by sending packet > 64K Buffer overflow ensues causing reboot or crash Patches issued to address this attack

14 ICMP Packet Considered part of IP layer
Communicates error messages and other conditions that require attention. ICMP messages are usually acted on by either the IP layer or the higher layer protocol. ICMP messages are transmitted within IP datagrams as shown: ICMP Message IP Header 20 bytes

15 ICMP packet 8-bit type 8-bit code 16-bit checksum
(contents depends on type and code)

16 ICMP Messages Type code Description Query Error 0 0 echo reply x
3 destination unreachable 0 network unreachable x 1 host unreachable x 2 protocol unreachable x 3 port unreachable x 4 0 source quench (flow control) x 5 redirect 0 redirect for network x 1 redirect for host x 8 0 echo request x 13 0 timestamp request x

17 Smurf/ping flooding/ICMP storm
Another attack that exploits the ping utility Attacker sends a large stream of spoofed ping packets to a broadcast address (an IP address that services a network of computers) All of the packets have as their source address the target’s IP address. Broadcast host will relay request to all hosts on network. Hosts reply to the victim Amount of data sent to victim is multiplied by a factor of the number of hosts in network If multiple requests sent to broadcast host, target will be overloaded with replies A Network/Brute-force attack

18 Multiple Ping requests
ICMP Flooding Multiple Ping replies Multiple Ping requests System or network becomes overloaded Broadcast request Ping Broadcast request Attacker

19 SYN flooding Exploits the synchronization protocol used to initiate connections Normal process is: Initiator sends synchronization (SYN) packet Target replies with a SYN/ACK (acknowledgement) Initiator sends ACK, two machines are now ready In SYN flooding, attacker sends SYN packets with phony source address target replies with SYN/ACK but it goes nowhere target waits for ACK, eventually gives up but… if enough SYN’s received, space will fill up Network/Stateful Resource attack

20 SYN Flooding

21 SYN Attacks Syn_Flooder an example of SYN Flooding attack
Land is a specialized version of SYN attack From CERT Advisory CA Teardrop_Land Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). Land is a widely available attack tool that exploits this vulnerability. Any remote user that can send spoofed packets to a host can crash or "hang" that host. Operating System/Poisoned traffic attack A patch to fix this problem is available from vendors

22 Other DoS Attacks - Teardrop
From CERT Advisory CA Teardrop_Land Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. Any remote user can crash a vulnerable machine. Operating System/Poisoned traffic Patch to prevent is available from vendors Note similarity with previous exploit.

23 Other DoS Attacks - Bonk
A variant of Teardrop aimed at W95 and NT From Based On: teardrop.c by route|daemon9 & klepto Crashes *patched* win95/(NT?) machines. Basically, we set the frag offset > header length (teardrop reversed). There are many theories as to why this works, however i do not have the resources to perform extensive testing. Operating System/Poisoned traffic Patch to prevent is available from vendors For fun, check out

24 Other DoS Attacks - WinNuke
Affects Window 95/3.1/NT Caused “Blue Screen of Death” Computer recovers but Internet connection hosed, requires reboot uses Out of Band (OOB) data sent to an established connection. Windows doesn’t handle OOB well and goes into a panic. Operating System/Poisoned traffic attack

25 DDoS Attack

26 tribal flood network (TFN) DDoS
TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks. Remote control of a TFN is accomplished via command line execution of the client program, using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells, or normal "telnet" TCP terminal sessions. Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY (why?) packets. There is no TCP or UDP based communication between the client and daemons at all. Data inserted into echoreply packet because if sent in echo request then the daemons would all reply with echoreply thus performing a DoS on itself.

27 trinoo DDoS A trinoo network of at least 227 systems was used on Aug 17, 1999 to flood a single system at the University of Minnesota. The attacker(s) control one or more “master”servers, each of which can control many daemons. Remote control of the master is accomplished via a TCP connection to port 27665, after which the user must authenticate with a password. Communication between the master to daemons is via UDP packects on port When the daemon starts, it initially sends a “hello” message to the master which maintains a list of active daemons it controls. The daemons send UDP packets to random (0-64K) UDP ports on the target for a period of time (120 seconds default)

28 Stacheldraht (barbed wire) DDoS
Combines features of the trinoo and the original TFN and adds encryption of communication between attacker and masters and automated updating of agents. Can do ICMP flood, SYN flood, UDP flood, and smurf style attacks. There is a limit of 1000 agents for each master Used TCP and ICMP for communication between master and agents (trinoo used UDP, TFN used ICMP)

29 Protection from DoS and DDoS
Best way would seem to be to stop the attack before it happens Detect and Remove Trojans from servers, use file-integrity checking programs Block “marching orders” e.g. one method to send the “attack” order is to send an unsolicited ICMP ping response -- firewalls should be set to block this. Broadcasts should not send ping requests. Limit ability to spoof. Block the attack at the source

30 Mitigating the Effects of DoS
Acknowledges that we can’t stop DoS Harden the network Avoid putting “all of your eggs in one basket” Use Load balancers can employ “delayed binds” which drop sessions can also drop “Silent” TCP sessions Adjust state limits (e.g. wait time)

Download ppt "Denial of Service (DoS) and Distributed Denial of Service (DDoS)"

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Chapter 9 Phase 3: Denial-of-Service Attacks. Fig 9.1 Denial-of-Service attack categories.

Chapter 9 Phase 3: Denial-of-Service Attacks. Fig 9.1 Denial-of-Service attack categories.
Denial of Service attacks. Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps).

Denial of Service attacks. Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps).
DENIAL OF SERVICE ATTACK

DENIAL OF SERVICE ATTACK
ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362.

ECE Prof. John A. Copeland fax Office: Klaus 3362.
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Similar presentations

Ads by Google