Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline Definition Point-to-point network denial of service

Published byEdith Douglas Modified over 5 years ago

Similar presentations

Presentation on theme: "Outline Definition Point-to-point network denial of service"— Presentation transcript:

1 Outline Definition Point-to-point network denial of service
Smurf Distributed denial of service attacks TCP SYN Flooding and Detection

2 Objectives Understand the concept of DoS attacks and its current threat trends Understand the SYN flooding attacks and be able to detect at the network level and defense them (SYN cookie)

3 Denial of Service Attack Definition
An explicit attempt by attackers to prevent legitimate users of a service from using that service Threat model – taxonomy from CERT Consumption of network connectivity and/or bandwidth Consumption of other resources, e.g. queue, CPU Destruction or alternation of configuration information Malformed packets confusing an application, cause it to freeze Physical destruction or alternation of network components Established in 1988, the CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

4 Status DoS attacks increasing in frequency, severity and sophistication August 6, 2009, several social networking sites, including Twitter, Facebook, Livejournal, and Google blogging pages were hit by DDoS attacks Aimed at Georgian blogger "Cyxymu". Internet's root DNS servers attacked on Oct. 22, 2002, 9 out of 13 disabled for about an hour Feb. 6, 2007, one of the servers crashed, two reportedly "suffered badly", while others saw "heavy traffic” An apparent attempt to disable the Internet itself DoS attack on major DNS providers bring Internet to morning crawl (10/21/2016)

5 Two General Classes of Attacks
Flooding Attacks Point-to-point attacks: TCP/UDP/ICMP flooding, Smurf attacks Distributed attacks: hierarchical structures Corruption Attacks Application/service specific Eg, polluting P2P systems

6 Smurf DoS Attack gateway
Send ping request to brdcst addr (ICMP Echo Req) Lots of responses: Every host on target network generates a ping reply (ICMP Echo Reply) to victim Ping reply stream can overload victim 1 ICMP Echo Req Src: Dos Target Dest: brdct addr 3 ICMP Echo Reply Dest: Dos Target gateway DoS Target DoS Source Prevention: reject external packets to brdcst address.

7 Distributed DOS Stacheldraht is a classic example of a DDoS tool.
BadGuy Unidirectional commands Handler Handler Handler Coordinating communication Why such hierarchy? Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.[1] Agent Agent Agent Agent Agent Agent Agent Agent Agent Agent Attack traffic Victim

8 Can you find source of attack?
Hard to find BadGuy Originator of attack compromised the handlers Originator not active when DDOS attack occurs Can try to find agents Source IP address in packets is not reliable Need to examine traffic at many points, modify traffic, or modify routers

9 Targets of Attack End hosts Critical servers (disrupt C/S network)
Web, File, Authentication, Update DNS Infrastructure Routers within org All routers in upstream path

10 The DDoS Landscape

11 Attack Tools Over Time Tools High Attackers Low 1980 1985 1990 1995
binary encryption “stealth” / advanced scanning techniques Tools High denial of service packet spoofing sniffers distributed attack tools Intruder Knowledge www attacks automated probes/scans GUI back doors disabling audits network mgmt. diagnostics hijacking sessions burglaries Attack Sophistication exploiting known vulnerabilities password cracking Attackers Low password guessing 1980 1985 1990 1995 2001 Source: CERT/CC Possible Questions: What is “stealth scanning”?

12 (D)DoS Tools Over Time 1996 - Point-to-point
1997 – Combined w/ multiple tools Distributed (small, C/S) Add encryption, covert channel comms, shell features, auto-update, bundled w/rootkit trin00, Stacheldraht, TFN, TFN2K Speed ups, use of IRC for C&C Added scanning, IRC channel hopping, worms include DDoS features Code Red (attacked Linux “lion” worm (TFN) Added reflection attack 2003 – IPv6 DDoS BNC is an IRC (Internet Relay Chat) proxying server released under the GPL License. It allows users to connect to chat servers by bouncing off the computer which is running BNC. Basically, it forwards the information from the user to the server and vice versa.

13 Outline Definition Point-to-point network denial of service
Smurf Distributed denial of service attacks Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding and Detection/Defense

14 SYN Flooding Attack The most classical DoS attacks
Streaming spoofed TCP SYNs Takes advantage of three way handshake Server start “half-open” connections These build up… until queue is full and all additional requests are blocked

15 TCP Connection Management
Three way handshake: Step 1: client host sends TCP SYN segment to server specifies initial seq # no data Step 2: server host receives SYN, replies with SYNACK segment server allocates buffers specifies server initial seq. # Step 3: client receives SYNACK, replies with ACK segment, which may contain data Recall: TCP sender, receiver establish “connection” before exchanging data segments initialize TCP variables: seq. #s buffers, flow control info (e.g. RcvWindow) client: connection initiator server: contacted by client

16 TCP Handshake C S SYNC Listening Store data SYNS, ACKC Wait ACKS
Connected

17 TCP segment structure source port # dest port # application data
32 bits application data (variable length) sequence number acknowledgement number Receive window Urg data pnter checksum F S R P A U head len not used Options (variable length) URG: urgent data (generally not used) counting by bytes of data (not segments!) ACK: ACK # valid PSH: push data now (generally not used) # bytes rcvr willing to accept RST, SYN, FIN: connection estab (setup, teardown commands) Internet checksum (as in UDP)

18 SYN Flooding C S SYNC1 Listening SYNC2 Store data SYNC3 SYNC4 SYNC5

19 SYN Flooding Explained
Attacker sends many connection requests with spoofed source addresses Victim allocates resources for each request New thread, connection state maintained until timeout Fixed bound on half-open connections Once resources exhausted, requests from legitimate clients are denied This is a classic denial of service attack Common pattern: it costs nothing to TCP initiator to send a connection request, but TCP responder must spawn a thread for each request - asymmetry!

20 Flood Detection System on Router/Gateway
Can we maintain states for each connection flow? Stateless, simple detection system on edge (leaf) routers desired Placement: First/last mile leaf routers First mile – detect large DoS attacker Last mile – detect DDoS attacks that first mile would miss What metrics can capture the SYN flooding attacks?

21 Detection Method (II) SYN – SYN/ACK pair behavior
Hard to evade for the attacking source Problems Need to sniff both incoming and outgoing traffic Only becomes obvious when really swamped

22 Preventing Denial of Service
DoS is caused by asymmetric state allocation If responder opens new state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least two messages Responder’s state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator

23 SYN Cookies C S SYNC SYNS, ACKC ACKS(cookie) Listening…
Does not store state Compatible with standard TCP; simply a “weird” sequence number scheme SYNS, ACKC sequence # = cookie Cookie must be unforgeable and tamper-proof Client should not be able to invert a cookie F(source addr, source port, dest addr, dest port, coarse time, server secret) F=Rijndael or crypto hash ACKS(cookie) Recompute cookie, compare with with the one received, only establish connection if they match More info:

24 Backup Slides

25 Attack using Trin00 In August 1999, network of > 2,200 systems took University of Minnesota offline for 3 days scan for known vulnerabilities, then attack with UDP traffic once host compromised, script the installation of the DDoS master agents According to the incident report, took about 3 seconds to get root access Source addresses were not spoofed, so systems running the offending daemons were contacted. However, the attacker responded simply by introducing new daemon machines into the attack.

26 False Positive Possibilities
Many new online users with long-lived TCP sessions More SYNs coming in than FINs An overloaded server would result in 3 SYNs to a FIN or SYN-ACK Because clients would retransmit the SYN

27 Source Address Validity
Spoofed Source Address random source addresses in attack packets Subnet Spoofed Source Address - random address from address space assigned to the agent machine’s subnet En Route Spoofed Source Address - address spoofed en route from agent machine to victim Valid Source Address - used when attack strategy requires several request/reply exchanges between an agent and the victim machine - target specific applications or protocol features

28 Attack Rate Dynamics Agent machine sends a stream of packets to the victim Constant Rate - Attack packets generated at constant rate, usually as many as resources allow Variable Rate Delay or avoid detection and response Increasing Rate - gradually increasing rate causes a slow exhaustion of the victim’s resources Fluctuating Rate - occasionally relieving the effect - victim can experience periodic service disruptions

29 Up to 1996 Point-to-point (single threaded) SYN flood
Fragmented packet attacks “Ping of Death” “UDP kill”

30 1997 Combined attacks Targa Rape
bonk, jolt, nestea, newtear, syndrop, teardrop, winnuke Rape teardrop v2, newtear, boink, bonk, frag, fucked, troll icmp, troll udp, nestea2, fusion2, peace keeper, arnudp, nos, nuclear, sping, pingodeth, smurf, smurf4, land, jolt, pepsi

31 1998 fapi (May 1998) fuck_them (ADM Crew, June 1998)
UDP, TCP (SYN and ACK), ICMP Echo, "Smurf" extension Runs on Windows and Unix UDP comms One client spoofs src, the other does not Built-in shell feature Not designed for large networks (<10) Not easy to setup/control network fuck_them (ADM Crew, June 1998) Agent written in C; Handler is a shell script ICMP Echo Reply flooder Control traffic uses UDP Can randomize source to R.R.R.R (where 0<=R<=255)

32 1999 More robust and functional tools
trin00, Stacheldraht, TFN, TFN2K Multiple attacks (TCP SYN flood, TCP ACK flood, UDP flood, ICMP flood, Smurf…) Added encryption to C&C Covert channel Shell features common Auto-update

33 2000 More floods (ip-proto-255, TCP NULL flood…)
Pre-convert IP addresses of 16,702 smurf amplifiers Stacheldraht v1.666 Bundled into rootkits (tornkit includes stacheldraht) Full control (multiple users, by nick, with talk and stats) Omegav3 Use of IRC for C&C Knight Kaiten IPv6 DDoS 4to6 (doesn’t require IPv6 support)

34 Single host in DDoS

35 2001 Worms include DDoS features
Code Red (attacked Linux “lion” worm (TFN) Added scanning, BNC, IRC channel hopping (“Blended threats” term coined in 1999 by AusCERT) “Power” bot Modified “Kaiten” bot Include time synchronization (?!!) Leaves worm

36 Power bot foo: oh damn, its gonna own shitloads
foo: on start of the script it will erase everything that it has foo: then scan over foo: they only reboot every few weeks anyways foo: and it will take them 24 hours to scan the whole ip range foo: !scan status Scanner[24]:[SCAN][Status: ][IP: XX.X.XX.108][Port: 80][Found: 319] Scanner[208]:[SCAN][Status: ][IP: XXX.X.XXX.86][Port: 80][Found: 320] . . . foo: almost 1000 and we aren't even close foo: we are gonna own more than we thought foo: i bet 100thousand [11 hours later] Scanner[129]: [SCAN][Status: ][IP: XXX.X.XXX.195][Port: 80][Found: 34] Scanner[128]: [SCAN][Status: ][IP: XXX.X.XXX.228][Port: 80][Found: 67] Scanner[24]: [SCAN][Status: ][IP: XX.XX.XX.42][Port: 80][Found: 3580] Scanner[208]: [SCAN][Status: ][IP: XXX.XXX.XXX.156][Port: 80][Found: 3425] Scanner[65]: [SCAN][Status: ][IP: XX.XX.XXX.222][Port: 80][Found: 3959] bar: cool

37 2002 Distributed reflected attack tools
d7-pH-orgasm drdos (reflects NBT, TCP SYN :80, ICMP) Reflected DNS attacks, steathly (NVP protocol) and encoded covert channel comms, closed port back door Honeynet Project Reverse Challenge binary IP-Proto11-Backdoor.pdf

38 2003 Slammer worm (effectively a DDoS on local infrastructure)
Windows RPC DCOM insertion vector for “blended threat” (CERT reports “thousands”) More IPv6 DoS (requires IPv6 this time) ipv6fuck, icmp6fuck

Download ppt "Outline Definition Point-to-point network denial of service"

Similar presentations

DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/7 2003.

DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.

Transportation Layer (2). TCP full duplex data: – bi-directional data flow in same connection – MSS: maximum segment size connection-oriented: – handshaking.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
CS 471/571 Transport Layer 5 Slides from Kurose and Ross.

CS 471/571 Transport Layer 5 Slides from Kurose and Ross.
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
Outline Definition Point-to-point network denial of service – Smurf Distributed denial of service attacks TCP SYN Flooding and Detection.

Outline Definition Point-to-point network denial of service – Smurf Distributed denial of service attacks TCP SYN Flooding and Detection.
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.

TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Outline Definition Point-to-point network denial of service –Smurf Distributed denial of service attacks –Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding.

Outline Definition Point-to-point network denial of service –Smurf Distributed denial of service attacks –Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
Outline Definition Point-to-point network denial of service –Smurf Distributed denial of service attacks –Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding.

Outline Definition Point-to-point network denial of service –Smurf Distributed denial of service attacks –Trin00, TFN, Stacheldraht, TFN2K TCP SYN Flooding.

Similar presentations

Ads by Google