Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service Attacks: Detection and Reaction Georgios Koutepas, Basil Maglaris National Technical University of Athens, Greece Cyprus Conference on.

Published byGladys Briggs Modified over 8 years ago

Similar presentations

Presentation on theme: "Denial of Service Attacks: Detection and Reaction Georgios Koutepas, Basil Maglaris National Technical University of Athens, Greece Cyprus Conference on."— Presentation transcript:

1 Denial of Service Attacks: Detection and Reaction Georgios Koutepas, Basil Maglaris National Technical University of Athens, Greece Cyprus Conference on Information Security 2002 October 12, 2002

2 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 What is "Denial of Service"? An attack to suspend the availability of a service Until recently the "bad guys" tried to enter our systems. Now it’s: "If not us, then Nobody" No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems. No easy solutions! DoS still mostly a research issue

3 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Main Characteristics of DoS Variable targets: –Single hosts or whole domains –Computer systems or networks –Important –Important: Active network components (e.g. routers) also vulnerable and possible targets! Variable uses & effects: –Hacker "turf" wars –High profile commercial targets (or just competitors…). –Useful in cyber-warfare, terrorism etc…

4 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Brief History First Phase (starting in the '90s): DoS Started as bug/vulnerability exploitation Single hosts - single services were the first targets Single malicious packets Second Phase (1996-2000) Resource consuming requests from many sources Internet infrastructure used for attack amplification Third Phase (after 2000): Distributed DoS Bandwidth of network connections is the main target Use of many pirated machines, possibly many attack stages, escalation effect to saturate the victims

5 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Brief History (cont.) Important Events: February 7-11 2000: Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks. –The attacks capture the attention of the media –The US President assembles emergency council members of Internet, e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.

6 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Host DoS Attacks Usually one attacker - one target Methods used are derivatives of ones used for unauthorized access:  Buffer Overflows on wrongly designed input fields can overwrite parts of the memory stack. The results: open doors or failure of the service/system  Ambiguities in network protocols and their implementations. Specially designed packets can halt the protocol stack or the whole system

7 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Examples of Host DoS Attacks –Land IP DoS attack: Special SYN packets with same source and destination –Teardrop attack: It sends IP fragments to a network- connected machine. It exploits an overlapping IP fragment bug present in various TCP/IP implementations.

8 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Host Resource DoS Attacks Target continues (most of the times) operation but cannot offer any useful services. Resource exhaustion through legitimate requests to the target host –SYN Flooding attack –Ping Flooding attack –Smurf attack: the ping flow is "amplified" by being first sent to a number of network broadcast addresses with the victim’s return address in the packets

9 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Example of a "Smurf " Attack Attacker Unsecured LAN ICMP Echo request Destination: LAN broadcast Source: victim.host AdminProblem: Router allows Ping to LAN broadcast Target (web Server) victim.host ICMP Echo reply Destination:victim.host ICMP Echo reply Destination:victim.host ICMP Echo reply Destination:victim.host

10 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Admin Problem 1: Active "zombies" Admin Problem 2: The network allows outgoing packets with wrong source addresses 1. Taking Control 2. Commanding the attack Network Attacks: Distributed DoS Target domain "zombies" Pirated machines Domain A Pirated machines Domain B Attacker X

11 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Main Characteristics of DDoS Some hundred of persistent flows are enough to knock a large network off the Internet Incoming traffic has to be controlled, outside the victim’s domain, at the upstream providers Usually source IPs spoofed on attack packets Offending systems may be controlled without their users suspecting it Possible many levels of command & control: –Attacker-Manager-Agents –Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits

12 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Multi-tier attack Multi-tier attack Admin Problem: No detection of malicious activities Target domain "zombies" Attack Agents Attacker X Attack Master Attack Master

13 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Reflection DDoS Attack Reflection DDoS Attack Target domain "zombies" Attacker X Attack Master Routers Web or other servers Legitimate TCP SYN requests TCP SYN-ACK answers

14 PART II What Can We Do

15 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Detection Detection Host DoS attacks: –Border Defenses must be kept up to date –Host and Network based Intrusion Detection Systems –Investigate suspicious activity indications

16 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Detection (cont.) Detection (cont.) Distributed DoS attacks - on the Network –Offensive flows must be identified quickly Tip: set generalized Pass filters on the border routers and see what they catch (high number of matches: attack) Use Netflow or other monitoring tool –Follow router indications Tip: Check router load for abnormal signs Distributed DoS attacks - in the Domain –Perform often security audits for hidden malicious code ("zombies") or attack rootkits –Install an anti-virus package

17 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Reaction to DDoS The malicious flows have to be determined. Timely reaction is critical! The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure. Filters that will block attack traffic must be set up and maintained. The effectiveness of the actions must be verified. The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks on the attack path

18 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Reaction to DDoS (cont.) Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. Completes the attack! Trace-back efforts: –Following the routing (if sources not spoofed) –Step by step through ISPs. Difficult to convince them if not concerned about the bandwidth penalty The conclusion: not a matter of a single site

19 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Prevention - Preperation Prevention - Preperation Good administrative practices: a must –Backup! –Have a recovery plan, possibly a stand-by system –Train your personnel, have someone aware of security issues available at all times –Have emergency contact points with your ISPs and CERTs, know beforehand whom to call and have clear service policies on what they are obliged to do Care for the rest of the world –Prevent spoofed traffic from exiting your network –Filter pings to broadcast addresses (smurf amplifier)

20 PART III Research Directions

21 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Main DoS Research Problems Main DoS Research Problems DoS –Is mostly an Intusion Detection / Prevention Problem –Not many things possible since a single packet can do all the damage –Some efforts to have an "Immune System" type of detection for anomalous system call sequenses. DDoS –Timely attack detection –Source tracing –Traffic flow control and attack suppression –Intrusion Detection Systems not very helpful

22 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 CenterTrack R Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", 9th USENIX Security Symposium, Denver Col., USA, August 2000 Target domain X

23 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 PushBack J. Ioannidis and S. Bellovin, "Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002 Target domain 1. Aggregate characteristics determined 2. Incoming traffic I/f determined 3. Containment filter set locally X 4. Continue to the next router in the attack path using the Pushback protocol

24 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Panoptis C. Kotsokalis, D.Kalogeras, and B. Maglaris, "Router-Based Detection of DoS and DDoS Attacks", HP OpenView University association (HPOVUA) Conference '01, Berlin, Ger-many, June 2001 Target domain X NetFlow Border Routers Panoptis Analysis Engine 1. Aggregate characteristics determined 2. Traffic I/fs determined 3. Automatic filter configuration

25 DoS Attacks: Detection and Reaction. CSC, October 12, 2002 Trans-Domain Cooperative IDS Entities G. Koutepas, F. Stamatelopoulos, B. Maglaris "A Trans-Domain Framework Against Denial of Service Attacks", Submitted to the 10th Annual Network and Distributed System Security Symposium, San Diego, California, February 2003 Cooperative IDS Entity Non-participating Domain Participating Domain Notification Propagation (Multicast) Activation of filters and reaction according to local Policies

26 Questions and Answers

Download ppt "Denial of Service Attacks: Detection and Reaction Georgios Koutepas, Basil Maglaris National Technical University of Athens, Greece Cyprus Conference on."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,

An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks Georgios Koutepas, Fotis Stamatelopoulos, Vasilios.

Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks Georgios Koutepas, Fotis Stamatelopoulos, Vasilios.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Similar presentations

Ads by Google