1 Network Security: DoS Attacks, Smurf Attack, & Worms
Team 4: Jessica Waleski, Nicolas Keeton, Griffith Knoop, Richard Luthringshauser, & Samuel Rodriguez
2 DoS Attack
What is a DoS Attack?
- DoS stands for Denial of Service.
- A DoS attack is when an attacker prevents a user or computer from accessing a site or service by flooding the network with traffic.
Common Tools for DoS Attacks:
- TFN & TFN2K
- Stacheldraht
Popular & Common Attacks:
- SYN flood
- ICMP flood
- Smurf attack
- UDP flood
- Ping flood
- Ping of death (PoD)
3 DDoS Attack
What is a DDoS Attack?
- DDoS stands for Distributed Denial of Service.
- It is a subclass of DoS.
- A DDoS attack is when a botnet (multiple connected devices, usually brought together through illicit means) is used to overwhelm a target host with fake traffic.
Main Difference Between DoS and DDoS:
- DoS attack: a single internet connection.
- DDoS attack: multiple connected devices.
4 DoS & DDoS Attack - Weakness
From the Attacker's Point of View:
- The flood of packets must be sustained.
- When the packets stop, the target system comes back up.
- Often used with another form of attack, such as:
  - Disabling a connection in TCP hijacking
  - Preventing authentication
- Administrators/owners realize their machine is infected, remove the issue, and stop the attack.
- The attacker must be aware that each packet can be traced back to its source.
- For this reason, DDoS is the most common type of DoS attack.
5 Common Tools for DoS Attacks - TFN & TFN2K
- TFN stands for Tribal Flood Network and TFN2K stands for Tribal Flood Network 2000.
- Cannot be used to perform a DDoS attack.
TFN2K is a Newer Version of TFN:
- More difficult to detect than its predecessor.
- Can use a number of agents (other hosts) to coordinate an attack against one or more targets.
TFN & TFN2K - Perform Various Attacks:
- UDP flood attacks
- ICMP flood attacks
- TCP SYN flood attacks
6 TFN2K - How It Works & Advantages
TFN2K Works on Two Fronts:
- A command-driven client on the attacker's system.
- A daemon process (runs as a background process over which the user has no direct control) operating on an agent system.
How It Works:
- The attacker instructs its agents to attack a list of designated targets.
- The agents respond by flooding the targets with a large number of packets.
Advantages:
- Attacker-to-agent communications are encrypted and can be mixed with decoy packets.
- The attack and the attacker-to-agent communications can be randomly sent via TCP, UDP, and ICMP packets.
- The attacker can falsify (spoof) its IP address.
7 Common Tools for DoS Attacks - Stacheldraht
- German for "barbed wire."
- Combines features of the Trinoo DDoS tool with the source code from the TFN DoS attack tool.
Advantages:
- Adds encryption of communication, like TFN2K.
- Also adds automatic updating of the agents.
- Detects and automatically enables source address forgery.
Performs Various Attacks:
- UDP flood
- ICMP flood
- TCP SYN flood
- Smurf attacks
8 DoS Attack - SYN Flood
What is a SYN Flood Attack?
- SYN is short for synchronize.
- This attack depends on the attacker's knowledge of how connections are made to a server.
The Three-Way Handshake:
- The client sends a packet with the SYN flag set.
- The server allocates resources for the client and then responds with the SYN and ACK flags set.
- The client responds with the ACK flag set.
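The handshake is the resource a SYN flood targets: step 1 is sent over and over, step 3 never arrives, and the server keeps the resources it allocated in step 2 waiting for ACKs. The following is an added example, not from the presentation, that replays constructed handshake events and counts the half-open connections a server would be holding; the client addresses and the backlog size are assumptions.

```python
from collections import defaultdict

# Constructed handshake events in arrival order: (client, server_port, segment).
# "SYN" and "ACK" come from the client; "SYN+ACK" is the server's reply, as on the slide.
EVENTS = (
    [("10.0.0.5", 80, "SYN"), ("10.0.0.5", 80, "SYN+ACK"), ("10.0.0.5", 80, "ACK"),
     ("10.0.0.6", 80, "SYN"), ("10.0.0.6", 80, "SYN+ACK"), ("10.0.0.6", 80, "ACK")]
    + [(f"198.51.100.{i}", 80, "SYN") for i in range(1, 41)]       # flood: 40 SYNs ...
    + [(f"198.51.100.{i}", 80, "SYN+ACK") for i in range(1, 41)]   # ... answered, never ACKed
)


def track_half_open(events):
    """Replay the events and return the connections the server is still holding in
    SYN_RECEIVED: it allocated a slot on the SYN, replied SYN+ACK, and is waiting
    for an ACK that a flooding client never sends."""
    state = {}
    for client, port, segment in events:
        key = (client, port)
        if segment == "SYN":
            state[key] = "SYN_RECEIVED"        # resources allocated here (step 2 on the slide)
        elif segment == "ACK" and state.get(key) == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"         # handshake complete (step 3)
        # "SYN+ACK" is the server's own reply and changes nothing on its side
    return {k for k, v in state.items() if v == "SYN_RECEIVED"}


def half_open_by_source(events):
    """Half-open connections per client address: a flood shows up as many sources
    (or one spoofed range) each parked in SYN_RECEIVED, while real clients complete."""
    counts = defaultdict(int)
    for client, _port in track_half_open(events):
        counts[client] += 1
    return dict(counts)


def backlog_exhausted(events, backlog=32):
    """True once half-open entries fill the listen backlog (size assumed here),
    the point at which new legitimate SYNs start being dropped."""
    return len(track_half_open(events)) >= backlog
```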
9 DoS Attack - ICMP Flood: Smurf Attack
- A specific type of DDoS attack.
How It Works:
- The attacker sends an ICMP echo request packet to the IP broadcast address of the targeted network.
- The protocol echoes the packet out to all hosts on that network.
- Each host receives the packet and sends back an ICMP echo reply packet.
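Because every host answers, one broadcast echo request produces as many replies as there are hosts, and the replies go to whatever source address the request carried. An added example, not from the presentation, that checks echo requests against the network's broadcast address and computes how many replies one request could trigger, which is the check a host or router applies to defend against Smurf; the network and the addresses are constructed.

```python
import ipaddress

# Constructed: the local network this filter protects, and sample ICMP echo
# requests as (src, dst). 203.0.113.7 stands in for the address a Smurf request
# claims as its source.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
REQUESTS = [
    ("192.168.10.5", "192.168.10.9"),     # normal unicast ping between two hosts
    ("203.0.113.7", "192.168.10.255"),    # echo request to the directed broadcast address
    ("203.0.113.7", "255.255.255.255"),   # echo request to the limited broadcast address
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_broadcast(dst, net):
    """True when dst is the network's directed broadcast or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == net.broadcast_address or addr == LIMITED_BROADCAST


def amplification_factor(net):
    """Replies one broadcast request can trigger: every usable host address in the
    network (the network and broadcast addresses themselves are excluded)."""
    return net.num_addresses - 2


def filter_echo_requests(requests, net):
    """Return (accepted, dropped). Dropping echo requests addressed to a broadcast
    address is what the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts=1 does on
    hosts and what 'no ip directed-broadcast' does on a Cisco router interface."""
    accepted, dropped = [], []
    for src, dst in requests:
        (dropped if is_broadcast(dst, net) else accepted).append((src, dst))
    return accepted, dropped
```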
10 DoS Attack - ICMP Flood: UDP Flood
UDP Flood Attack:
- An attacker uses UDP (User Datagram Protocol) packets to overwhelm the targeted host.
The targeted host:
- Determines what application is listening at that port.
- Finds no application waiting at that port.
- Replies with an ICMP Destination Unreachable packet.
11 DoS Attack - ICMP Flood: Ping Flood
Three Categories Based on the Target's IP Address:
- Targeted local disclosed ping flood: targets a known IP address of the host.
- Router disclosed ping flood: targets a known internal IP address of a local router.
- Blind ping flood: targets a chosen IP address of the host from an external program.
How It Works:
- The attacker sends continuous ICMP echo request packets.
- It does not wait for replies.
- The host attempts to reply with ICMP echo reply packets.
12 DoS Attack - Ping of Death (PoD)
What is Ping of Death?
- An attacker sends an oversized ICMP packet to a targeted host in order to shut it down.
How It Works:
- The attacker sends an ICMP packet (IPv4) of a size greater than 65,535 bytes.
- Internet Protocol RFC 791: maximum packet size of 65,535 bytes.
- The targeted host is overloaded and shuts down.
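A packet larger than 65,535 bytes cannot be sent in one piece; it arrives as IPv4 fragments whose offset plus length adds up past the limit only when reassembled. An added example, not from the presentation, of the reassembly check that stops the Ping of Death: reject any fragment whose data would end beyond the 65,535-byte datagram before buffering it. The fragment sets are constructed and a 20-byte header without options is assumed.

```python
IPV4_MAX_DATAGRAM = 65535                 # RFC 791: Total Length is a 16-bit field
IPV4_HEADER_LEN = 20                      # assumed: minimum header, no options
MAX_DATA = IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN   # 65,515 bytes of reassembled payload
MAX_OFFSET_UNITS = 0x1FFF                 # Fragment Offset is 13 bits, in 8-byte units

# Constructed fragment sets: (offset_in_8_byte_units, more_fragments_flag, data_len).
NORMAL_PING = [(0, True, 1480), (185, False, 20)]           # 1,500 data bytes in total
PING_OF_DEATH = ([(i * 185, True, 1480) for i in range(44)]  # 44 x 1480 = 65,120 bytes ...
                 + [(8140, False, 400)])                      # ... then 400 more past the limit


def reassembled_length(fragments):
    """Total Length the reassembled datagram would need: header plus last data byte."""
    return IPV4_HEADER_LEN + max(o * 8 + n for o, _m, n in fragments)


def reassemble_ok(fragments):
    """Validate a complete fragment set before buffering it. Returns (ok, reason).
    The length check is the one missing from systems that crashed on the original
    Ping of Death: they buffered data past the end of a 65,535-byte reassembly buffer."""
    frags = sorted(fragments, key=lambda f: f[0])
    expected_start = 0
    for offset_units, more_fragments, data_len in frags:
        if offset_units > MAX_OFFSET_UNITS:
            return False, "fragment offset exceeds the 13-bit field"
        start = offset_units * 8
        end = start + data_len
        if end > MAX_DATA:
            return False, f"fragment ends at byte {end}, past the {MAX_DATA}-byte payload limit"
        if start != expected_start:
            return False, "gap or overlap between fragments"
        if more_fragments and data_len % 8:
            return False, "non-final fragment length is not a multiple of 8"
        expected_start = end
    if not frags or frags[-1][1]:
        return False, "final fragment missing"
    return True, "complete"
```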
13 The First Computer Worm
The Morris Internet Worm:
- Written by Robert Tappan Morris Jr, a student at Cornell University, in 1988 from an MIT system.
- The worm was intended to reveal bugs in programs.
- The worm was meant only to spread, not to cause actual harm.
- However, due to bugs in the worm's code, a machine could be infected many times over.
- Each additional infection created a new process on the infected system.
- At least 6,000 UNIX machines were infected.
- Led to the creation of the Computer Emergency Response Team (CERT).
14 Worms - Propagation
- Worms do not require direct human interaction to propagate, unlike a virus.
Propagation (Two primary ways):
- Spreads through the network of the infected host, copying itself onto any other hosts that the infected host has access to.
  - Most efficient, but harder to program.
- Example: the ILOVEYOU worm. Scans your address book and sends a copy of itself to everyone in your address book.
  - Easier to program, much more common.
15 Worms - Harmful Effects
Negative Effects: Worms could:
- Potentially delete/modify files.
- Degrade your Internet connection and overall system performance.
- Open a backdoor for a malicious attacker to use.
- Be used to send spam or perform DoS attacks.
- Least harm: consume bandwidth through their growth.