
Slide 1: Denial Of Service
Federal Network Systems, LLC
CIS Network Security
Instructor: Professor Mort Anvair
Alex Ramos
July 24, 2004
Notice: Use and Disclosure of Data. Limited Data Rights. This proposal includes data that shall not be disclosed outside Strayer University and shall not be duplicated, used, or disclosed –in whole or in part– for any purpose other than to evaluate this oral presentation.

Slide 2: Agenda
- What is a Denial of Service Attack?
- What is a Distributed Denial of Service Attack?
- Why Are They Difficult to Protect Against?
- Types of Denial of Service Attacks
- Tools for Running Denial of Service Attacks
- Preventing Denial of Service Attacks
- Summary

Slide 3: What is a Denial Of Service Attack?
- An attack that is specifically designed to prevent the normal functioning of a system, and thereby to prevent lawful access to that system and its data by its authorized users. DoS can be caused by the destruction or modification of data, by bringing down the system, or by overloading the system's servers to the extent that service to authorized users is delayed or prevented. (www.itsecurity.com/ds.htm)
- DoS goals
  – Flooding a network to prevent legitimate network traffic
  – Disrupting connections between two specific machines
  – Preventing a specific entity, or everyone, from accessing a service

Slide 4: What is a Distributed Denial of Service Attack?
- Uses several to thousands of machines ("zombies" or "user controlled") to initiate a Denial of Service attack
- Yahoo!, eBay, and Amazon were struck by DDoS in February 2000
- Most go unreported
- Most common form of attack on the Internet today
- A recent study showed more than 12,000 DoS (DDoS) attacks during a 3-week period
  – The actual number is probably higher

Slide 5: Costs of a Distributed Denial of Service Attack

Slide 6: Costs of a Distributed Denial of Service Attack
- Problem: we need a robust and automatic way of classifying DoS attacks into two classes, single-source and multi-source.
- Because: the two types of attack (single- or multi-source) are handled differently.
- Classification is not easy; for instance, packets can be spoofed by the attacker.

Slide 7: Video Demonstration of a Healthy Network

Slide 8: Video Demonstration of a Distributed Denial of Service Attack

Slide 9: Video Demonstration of a Distributed Denial of Service Attack (Reflector Type)

Slide 10: Why Are They Difficult To Protect Against?
- You can minimize the threats but not fully protect against them; the threats are always there
- Trade-offs between security and functionality
- Resources used to protect against DDoS are
  – Costly
  – Time consuming
  – Restrictive

Slide 11: Types of Denial of Service Attacks: Ping of Death
- Sends very large ping packets to a host machine
- Causes the operating system to hang or crash
- Unix command: ping -s 65527 (IP address of the victim's machine)
- DOS command: ping -l 65527 (IP address of the victim's machine)

Slide 12: Types of Denial of Service Attacks: SSPing
- Sends fragmented, oversized ICMP data packets
- Victim computers try to put the fragmented data back together
- Causes the operating system to hang or crash
- Affects Windows 95, NT, and older versions of the Mac OS
- Protection
  – Patches for affected operating systems
  – Updated version of the TCP/IP stack

Slide 13: Types of Denial of Service Attacks: Smurf
- Involves forged ICMP packets sent to a broadcast address
- Symptoms: everybody connected gets bogged down and kicked off; the attack can last for hours or days
- Causes the operating system to hang or crash
- Affects most OSs and routers
- Protection
  – No real protection

Slide 14: Types of Denial of Service Attacks: Land
- A program that sends a TCP SYN packet where the target and source address are the same and the port numbers are the same
- SYN packets are used to synchronize two machines
- The attacking machine exploits the synchronization process by spoofing the destination PC, so when the destination PC tries to sync with an address the same as its own, it doesn't know what to do
- Affects most operating systems
- Protection
  – Patches for affected operating systems
  – Updated version of the TCP/IP stack

Slide 15: Types of Denial of Service Attacks: SYN Flood
- The attacker violates the 3-way handshake and opens a large number of half-open TCP/IP connections
- Affects most OSs
- Causes the operating system to hang or crash
- Affects Windows 95, NT, and older versions of the Mac OS
- Protection
  – Patches for affected operating systems
  – Updated version of the TCP/IP stack
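The four attack types on slides 11 through 15 each leave a recognizable signature in packet headers, and a defender can check for them directly. The following detection helpers are an added example written for this page, not code from the presentation; the packet records are constructed dicts standing in for decoded IP, ICMP and TCP headers, and the addresses are RFC 5737 documentation ranges.

```python
"""Signature checks for the DoS types on these slides: Land, Smurf, Ping of Death /
SSPing and SYN flood. Added example, not the presentation's code; the packet records
are constructed dicts standing in for decoded IP, ICMP and TCP headers."""
from collections import defaultdict

IPV4_MAX = 65535  # largest legal IPv4 datagram; reassembly past this is the Ping of Death case

def is_land(p):
    """Land: TCP SYN whose source address and port equal its destination address and port."""
    return (p["proto"] == "tcp" and "S" in p["flags"]
            and p["src"] == p["dst"] and p["sport"] == p["dport"])

def is_smurf(p, broadcast_addrs):
    """Smurf trigger: ICMP echo request (type 8) aimed at a directed-broadcast address."""
    return p["proto"] == "icmp" and p["icmp_type"] == 8 and p["dst"] in broadcast_addrs

def oversized_icmp(pkts):
    """Ping of Death / SSPing: ICMP fragments whose offset*8 + length exceeds 65535 bytes.
    Returns the (src, dst, ip_id) datagrams that would overflow on reassembly."""
    return {(p["src"], p["dst"], p["ip_id"]) for p in pkts
            if p["proto"] == "icmp" and p["frag_offset"] * 8 + p["length"] > IPV4_MAX}

def half_open_per_target(pkts):
    """SYN flood: per destination, count SYNs that never completed the 3-way handshake."""
    pending = defaultdict(set)
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dport"])
        if p["flags"] == "S":           # client SYN opens a half-open entry
            pending[p["dst"]].add(key)
        elif p["flags"] == "A":         # client's final ACK completes it
            pending[p["dst"]].discard(key)
    return {dst: len(keys) for dst, keys in pending.items()}

def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def icmp(src, dst, icmp_type=8, frag_offset=0, length=64, ip_id=1):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type,
            "frag_offset": frag_offset, "length": length, "ip_id": ip_id}

# Constructed sample: one Land packet, 50 SYNs of which one completes, one Smurf trigger, one oversized fragment
SAMPLE = ([tcp("203.0.113.5", 80, "203.0.113.5", 80, "S")]
          + [tcp(f"198.51.100.{i}", 40000 + i, "203.0.113.5", 80, "S") for i in range(1, 51)]
          + [tcp("198.51.100.1", 40001, "203.0.113.5", 80, "A")]
          + [icmp("203.0.113.9", "192.0.2.255")]
          + [icmp("198.51.100.2", "203.0.113.5", frag_offset=8185, length=100, ip_id=77)])
```

On the constructed sample, half_open_per_target reports 50 half-open connections against 203.0.113.5; in practice the threshold that counts as a flood depends on the server's backlog size.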

Slide 16: Tools for Running Denial Of Service Attacks
- Trinoo
- Tribal Flood Network
- Stacheldraht
- Shaft
- MStream
- Tribal Flood Network 2000
  – All the tools are similar in function
  – All the tools here are mainly used on Unix-type machines

Slide 17: Tools for Running Denial Of Service Attacks: Tribal Flood Network 2000
- Communicates via TCP (random ports), UDP (random ports), ICMP (echo replies), or all three at random.
- The daemon never communicates with the master. The master sends all commands twenty times in order to make sure that they're received. TFN2K will also send out decoy packets (messages to random machines) so that it's not clear which machines are clients. Commands are encrypted using CAST-256 via a password specified at compile time. All packets are spoofed by default.
- Can attack using a SYN attack, UDP flood, ICMP flood, or Smurf attack. The daemon can be set to randomly alternate between each attack type.

Slide 18: Preventing Denial of Service Attacks
- Nothing can be done to entirely prevent DoS
- Minimize the dangers
  – Effective and robust design
  – Bandwidth limitations
  – Keep systems patched
  – Run the least amount of services
  – Allow only necessary traffic
  – Block IP addresses

Slide 19: Preventing Denial of Service Attacks
- Nothing can be done to entirely prevent DoS
- Minimize the dangers
  – Effective and robust design
  – Bandwidth limitations
    * Implement egress and ingress filtering
    * Implement a rate limit on ICMP packets
    * Implement a rate limit on SYN packets
  – Keep systems patched
  – Run the least amount of services
  – Allow only necessary traffic
  – Block IP addresses
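The three bandwidth-limitation measures on slide 19 (ingress/egress filtering, an ICMP rate limit and a SYN rate limit) can be shown as one small filtering pipeline. The code below is an added illustration for this page, not the presentation's own; the protected prefix 192.0.2.0/24, the bucket sizes and the sample packets are all constructed, and the `direction` field stands for which side of the border router a packet was seen on.

```python
"""Ingress/egress filtering plus ICMP and SYN rate limiting, as an added illustration of
the bandwidth-limitation bullets above. Not the presentation's code; the internal prefix
192.0.2.0/24, the bucket sizes and the sample packets are constructed."""
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # constructed: the network we protect

def spoof_verdict(src, direction):
    """Ingress filtering drops inbound packets claiming an internal source; egress
    filtering drops outbound packets whose source is not ours (stops us hosting zombies)."""
    inside = ipaddress.ip_address(src) in INTERNAL
    if (direction == "in" and inside) or (direction == "out" and not inside):
        return "drop"
    return "accept"

class TokenBucket:
    """Token bucket: `rate` tokens added per second, at most `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def filter_packets(pkts):
    """Apply spoof filtering, then rate-limit ICMP and TCP SYN packets separately so a
    flood of either cannot consume all the bandwidth. Returns one verdict per packet."""
    limiters = {"icmp": TokenBucket(rate=10, burst=20), "syn": TokenBucket(rate=50, burst=100)}
    verdicts = []
    for p in pkts:
        v = spoof_verdict(p["src"], p["direction"])
        if v == "accept":
            cls = "icmp" if p["proto"] == "icmp" else "syn" if p["flags"] == "S" else None
            if cls and not limiters[cls].allow(p["time"]):
                v = "rate-limited"
        verdicts.append(v)
    return verdicts

def pkt(src, direction, proto, flags="", time=0.0):
    return {"src": src, "direction": direction, "proto": proto, "flags": flags, "time": time}

# Constructed sample: an ICMP burst from outside, two spoofed packets, one legitimate SYN
SAMPLE = ([pkt("198.51.100.7", "in", "icmp")] * 25
          + [pkt("192.0.2.9", "in", "tcp", "S"),      # inbound but claims our address
             pkt("203.0.113.4", "out", "tcp", "S"),   # leaving us with a foreign source
             pkt("192.0.2.9", "out", "tcp", "S")])    # genuine outbound SYN
```

With every sample packet stamped at time 0.0 the ICMP bucket admits its 20-packet burst and rate-limits the remaining 5, while both spoofed packets are dropped before any bucket is consulted.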

Slide 20: Simple Demo of what a Filter / Firewall Does
- Typical connection
- Denial of Service attack
- Blocking a Denial of Service attack

Slide 21: Demonstration of Minimizing Your Computer's Vulnerability
- Patch management
- Antivirus
- Layered security
- Distributed resources
- Bandwidth throttling
- Physical security

Slide 22: Summary
- What is a Denial of Service Attack?
- What is a Distributed Denial of Service Attack?
- Why Are They Difficult to Protect Against?
- Types of Denial of Service Attacks
- Tools for Running Denial of Service Attacks
- Preventing Denial of Service Attacks

