Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service Attacks. Understanding to Denial of Services.

Published byReynard Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "Denial of Service Attacks. Understanding to Denial of Services."— Presentation transcript:

1 Denial of Service Attacks

2 Understanding to Denial of Services

3 Using up resources is the most common approach Several ways.. Crash the machine Put it into an infinite loop Crash routers on the path to the machine Use up a machine resource Use up a network resource Deny another service needed for this one (e.g. DNS) How can a service be denied?

4 What is Denial of Service? Denial of Service (DoS) Attack to disrupt the authorized use of networks, systems, or applications Distributed Denial of Service (DDoS) Employ multiple compromised computers to perform a coordinated and widely distributed DoS attack

5 DoS Single Source

6 DDoS Collateral damage points

7 DDoS Attack Traffic (1) One Day Traffic Graph

8 DDoS Attack Traffic (2) One Week Traffic Graph

9 DDoS Attack Traffic (3) One Year Traffic Graph

10 How Severe?

11 DDoS Botnets Botnet: Collection of compromised computers that are controlled for the purposes of carrying out DDoS attacks or other activities Can be large in number Systems join a botnet when they become infected by certain types of malware Like a virus, but instead of harming the system, it wants to take it over and control it Through email attachments, website links, or IM links Through unpatched operating system vulnerabilities

12 Botnets Modus Operandi Zombies multi-tier design

13 13 Bot: Direct control

14 14 Bot: Indirect control

15 Cost of DDoS Attacks Victims of (D)DoS attacks Service-providers (in terms of time, money, resources, good will) Legitimate users (deprived of availability of service) Hard to quantify Incomplete data – Companies reluctant to admit they have been victimized Lost business Lost productivity

16 Why? Who? Several motives Earlier attacks were proofs of concepts Pseudo-supremacy feeling Eye-for-eye attitude Political issues Competition Hired Levels of attackers Highly proficient attackers who are rarely identified or caught Script-kiddies 16

17 The DDoS Landscape

18 DDoS Timeline

19 DoS Attacks Fast Facts Early 1990s: Individual Attacks single source. First DoS Tools Late 1990s: Botnets, First DDoS Tools Feb 2000: First Large-Scale DDoS Attack CNN, Yahoo, E*Trade, eBay, Amazon.com, Buy.com 2001: Microsoft’s name sever infrastructure was disabled 2002: DDoD attack Root DNS 2004: DDoS for hire and Extortion 2007: DDoS against Estonia 2008: DDoS against Georgia during military conflict with Russia 2009: Ddos on Twitter and Facebook 2010: Ddos on VISA and Master Card

20 2000 DoS Attacks In Feb 2000, series of massive DoS attacks Yahoo, Amazon, eBay, CNN, E*Trade, ZDNet, Datek and Buy.com all hit Attacks allegedly perpetrated by teenagers Used compromised systems at UCSB Yahoo : 3 hours down with $500,000 lost revenue Amazon: 10 hours down with $600,000 lost revenue

21 2002 DNS DoS Attacks l ICMP floods 150 Kpps (primitive attack) Took down 7 root servers (two hours) DNS root servers

22 Hours-long service outage 44 million users affected At the same time Facebook, LiveJournal, and YouTube were under attacked some users experienced an outage Real target: a Georgian blogger 2009 DDoS on Twitter

23 December 2010 Targets: MasterCard, Visa, Amazon, Paypal, Swiss Postal Finance, and more DDoS on Mastercard and Visa Attack launched by a group of vigilantes called Anonymous (~5000 people) DDoS tool is called LOIC or “Low Orbit Ion Cannon” Bots recruited through social engineering Directed to download DDoS software and take instructions from a master Motivation: Payback, due to cut support of WikiLeaks after their founder was arrested on unrelated charges

24 The new DDoS tool by Anonymous New operation is beginning A successor of LOIC Using SQL and.js vulnerability, remotely deface page May be available in this September 2011 V for Vendetta

25 Operation Facebook Announcement on YouTube to bomb Facebook on Nov. 5 2011 Facebook’s privacy reveals issues Remember Remember poem Remember remember the fifth of November Gunpowder, treason and plot. I see no reason why gunpowder, treason Should ever be forgot... Why Nov. 5? V

26 DDoS Attack Classification

27 DOS attack list Flood attack TCP SYN flood UDP flood ICMP (PING) flood Amplification ( Smurf, Fraggle since 1998) Vulnerability attack Ping of Death (since 1990) Tear Drop (since 1997) Land (since 1997)

28 Flooding attack Commonly used DDoS attack Sending a vast number of messages whose processing consumes some key resource at the target The strength lies in the volume, rather than the content Implications : The traffic look legitimate Large traffic flow large enough to consume victim’s resources High packet rate sending 28

29 Vulnerability DoS attack Vulnerability : a bug in implementation or a bug in a default configuration of a service Malicious messages (exploits) : unexpected input that utilize the vulnerability are sent Consequences : The system slows down or crashes or freezes or reboots Target application goes into infinite loop Consumes a vast amount of memory 29

30 TCP SYN flood SYN RQST SYN ACK client server Spoofed SYN RQST zombie victim Waiting queue overflows Zombies SYN ACK

31 Smurf attack Amplification attack Sends ICMP ECHO to network Amplified network flood widespread pings with faked return address (broadcast address) Network sends response to victim system The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion 31

32 DoS : Smurf A B Ping Broadcast Src Addr : B Dst Addr : Broadcast

33 DoS : Fraggle UDP Broadcast src port : echo dest port: chargen port A B Infinite Loop! Src Addr : B Dst Addr : Broadcast Well known exploit Echo/Chargen

34 Ping of Death Sending over size ping packet to victim >65535 bytes ping violates IP packet length Causes buffer overflow and system crash Problem in implementation, not protocol Has been fixed in modern OSes Was a problem in late 1990s

35 Teardrop A bug in their TCP/IP fragment reassembly code Mangle IP fragments with overlapping, over-sized payloads to the target machine Crash various operating systems

36 LAND A LAND (Local Area Network Denial) attack First discovered in 1997 by “m3lt” Effect several OS : AIX 3.0 FressBSD 2.2.5 IBM AS/400 OS7400 3.7 Mac OS 7.6.1 SUN OS 4.1.3, 4.1.4 Windows 95, NT and XP SP2 IP packets where the source and destination address are set to address the same device The machine replies to itself continuously Published code land.c

37 LAND

38 Well known old DDoS Tools BotnetCommunication Type Attack TypeEncrypted Communication? Trinoo or trin00TCP/UDPUDP FloodNo Tribe Flood Network (TFN) TCP/UDP/ICMPMultipleNo TFN2KTCP/UDP/ICMP Randomized Multiple Randomized No StacheldrahtTCP/UDP/ICMP Randomized Multiple Randomized Yes

39 DDoS Defense

40 Are we safe from DDoS? My machine are well secured It does not matter. The problem is not your machine but everyone else I have a Firewall It does not matter. We slip with legitimate traffic or we bomb your firewall I use VPN It does not matter. We can fill your VPN pipe My system is very high provision It does not matter. We can get bigger resource than you have 40

41 Why DoS Defense is difficult Conceptual difficulties Mostly random source packet Moving filtering upstream requires communication Practical difficulties Routers don’t have many spare cycles for analysis/filtering Networks must remain stable—bias against infrastructure change Attack tracking can cross administrative boundaries End-users/victims often see attack differently (more urgently) than network operators Nonetheless, need to: Maximize filtering of bad traffic Minimize “collateral damage”

42 Defenses against DoS attacks DoS attacks cannot be prevented entirely Impractical to prevent the flash crowds without compromising network performance Three lines of defense against (D)DoS attacks Attack prevention and preemption Attack detection and filtering Attack source traceback and identification 42

43 Attack prevention Limit ability of systems to send spoofed packets Filtering done as close to source as possible by routers/gateways Reverse-path filtering ensure that the path back to claimed source is same as the current packet’s path Ex: On Cisco router “ip verify unicast reverse-path” command Rate controls in upstream distribution nets On specific packet types Ex: Some ICMP, some UDP, TCP/SYN Block IP broadcasts 43

44 Responding to attacks Need good incident response plan With contacts for ISP Needed to impose traffic filtering upstream Details of response process Ideally have network monitors and IDS To detect and notify abnormal traffic patterns 44

45 Responding to attacks cont’d …. Identify the type of attack Capture and analyze packets Design filters to block attack traffic upstream Identify and correct system application bugs Have ISP trace packet flow back to source May be difficult and time consuming Necessary if legal action desired Implement contingency plan Update incident response plan 45

46 How are DDoS practical handled? 46

47 Router Filtering 47 Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 100 ACLs, CARs

48 Cisco uRPF 48 Router A Router B Pkt w/ source comes in Path back on this line? Accept pkt Path via different interface? Reject pkt Check source in routing table Unicast Reverse Path Forwarding Does routing back to the source go through same interface ? Cisco interface command: ip verify unicast rpf

49 Black hole Routing 49 Server1VictimServer2........ R3 R1 R2 R5R4 R R R 1000 FE peering 100 ip route A.B.C.0 255.255.255.0 Null0

50 Blackhole in Practice (I) 50 Victim Non-victimized servers Upstream = Not on the Critical Path Guard Detector

51 Blackhole in Practice (II) 51 Guard Victim Non-victimized servers BGP announcement 1. Detect 2. Activate: Auto/Manual 3. Divert only victim’s traffic Activate Detector

52 Blackhole in Practice (III) 52 Guard Victim Non-victimized servers Traffic destined to the victim Legitimate traffic to victim Inject= GRE, VRF, VLAN, FBF, PBR… Hijack traffic = BGP Detector

53 DDoS Epilogue 53

54 Attackers follow defense approaches, adjust their code to bypass defenses Use of subnet spoofing defeats ingress filtering Use of encryption and decoy packets, IRC or P2P obscures master-slave communication Encryption of attack packets defeats traffic analysis and signature detection Pulsing attacks defeat slow defenses and traceback Flash-crowd attacks generate application traffic DDoS Attack Trends

55 More complex attacks Recently seen trends: Larger networks of attack machines Rolling attacks from large number of machines Attacks at higher semantic levels Attacks on different types of network entities Attacks on DDoS defense mechanisms Need flexible defenses that evolve with attacks Implications For the Future

Download ppt "Denial of Service Attacks. Understanding to Denial of Services."

Similar presentations

Denial of Service By: Samarth Shah and Navin Soni.

Denial of Service By: Samarth Shah and Navin Soni.
NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Denial of Service, Firewalls, and Intrusion Detection

Denial of Service, Firewalls, and Intrusion Detection
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn,

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG Dearborn,
 Unlike other forms of computer attacks, goal isn’t access or theft of information or services  The goal is to stop the service from operating o.

 Unlike other forms of computer attacks, goal isn’t access or theft of information or services  The goal is to stop the service from operating o.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Network Attack and Defense

Network Attack and Defense
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Similar presentations

Ads by Google