Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service Attacks

Published byMarsha Johns Modified over 8 years ago

Similar presentations

Presentation on theme: "Denial of Service Attacks"— Presentation transcript:

1 Denial of Service Attacks
Lesson 14

2 Types of DoS Attacks Bandwidth Consumption Resource Starvation
Attackers consume all available bandwidth on a particular network. Often an issue of who has the larger “pipe” Resource Starvation Focuses on consuming resources for a target system as opposed to the network as a whole. Programming Flaws Failure of system to handle exceptional conditions or input. Routing and DNS attacks Attackers attempt to manipulate routing table entries to deny service to legitimate systems or networks.

3 Denial of Service (DoS)
Different ways to categorize them Nature of attack Poisoned traffic malformed or invalid data that can’t be properly handled Brute-force resource simply use up all available capacity Stateful resource take advantage of client/server relationship in protocols “target” of attack Operating system attacks target flaws in specific operating systems Networking attacks exploit inherent limitations of networking

4 Sources of the Attack Can come from many (any) places in the network
An attacker can hide the source of an attack through IP spoofing Attackers can also hide their identity by enslaving unwitting victims. “owned” or “zombie” agents When an attacker uses many zombie agents together simultaneously the result is a Distributed Denial of Service (DDoS) attack

5 Generic DoS Attacks Attacks that are capable of affecting different types of systems are known as generic attacks. Generally these fall into the bandwidth consumption category. One example would be -bombing Smurf attack (aka ICMP Storm, Ping flooding) Takes advantage of directed broadcasts on networks Will send an ICMP ECHO request to broadcast address on network with spoofed from address making it seem as if it came from the target system. All systems on the network will respond to this address Thus with one request you can have up to 254 responses Variation on this is a fraggle attack which uses UDP instead of ICMP.

6 More Attacks SYN Flood Exploits TCP 3-way handshake In the attack
System A sends SYN packet to specific listening port on System B. System B will send a SYN/ACK packet to System A System A responds with ACK, connection established In the attack Attacker sends SYN packet with spoofed from address Target tries to respond to address given, waits for ACK, its SYN/ACK goes off to “never-never land” Attacker repeats until queue is filled Queue may be as small as 10 available connection requests. Timeout generally anywhere from 75 seconds to over 20 minutes. Attack used in trusted host exploitation as well as DoS Countermeasures: bigger queue, shorter waits, detection

7 Remote DoS Attacks Premise of these attacks is the sending of specific packet or sequence of packets to the target system to exploit specific programing flaws. IP Fragmentation Overlap teardrop and similar attacks (boink, syndrop) exploit vulnerabilities in packet-reassembly code As packets travel through different networks they may get broken into different fragments. Fragments should not overlap. Teardrop takes advantage of the fact that some older programs didn’t handle overlapping fragments.

8 Other Attacks SMBdie Buffer Overflow in IIS FTP Server
Released in 2002, takes advantage of a flaw in Mircrosoft’s implementation of TCP/IP causing the system to “blue screen”. Works against NT/2K/XP Buffer Overflow in IIS FTP Server Buffer overflow in list command in FTP server, but only available to users after authentication, but if you allow anonymous users… Will result in server crashing Stream and Raped attacks Resource-starvation attacks, results in high CPU usage. stream sends TCP ACK packets to a series of ports with random sequence numbers and random source IPs raped sends TCP ACK packets with spoofed source IP

9 Distributed Denial of Service
Difference between DDoS and DoS is one-to-one versus many-to-one. First DDoS attacks hit the Internet in Feb 2000, affected eBay, Buy.com, CNN, Yahoo! First step is to target and gain administrative access on as many systems as possible (zombies). Normally a customized attack used for this Once access is obtained, attackers upload and run their DDoS software. Software waits for attack message which will provide information on the target. Once attack message sent to zombies they launch the specific attack against the identified target.

10 DDoS Attack

11 tribal flood network (TFN) DDoS
TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks. Remote control of a TFN is accomplished via command line execution of the client program, using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells, or normal "telnet" TCP terminal sessions. Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY (why?) packets. There is no TCP or UDP based communication between the client and daemons at all. TFN2K is the successor to TFN, allows for randomized communication on ports (thus port blocking harder) Data inserted into echoreply packet because if sent in echo request then the daemons would all reply with echoreply thus performing a DoS on itself.

12 trinoo DDoS A trinoo network of at least 227 systems was used on Aug 17, 1999 to flood a single system at the University of Minnesota. The attacker(s) control one or more “master”servers, each of which can control many daemons. Remote control of the master is accomplished via a TCP connection to port 27665, after which the user must authenticate with a password. Communication between the master to daemons is via UDP packects on port When the daemon starts, it initially sends a “hello” message to the master which maintains a list of active daemons it controls. The daemons send UDP packets to random (0-64K) UDP ports on the target for a period of time (120 seconds default)

13 Stacheldraht (barbed wire) DDoS
Combines features of the trinoo and the original TFN and adds encryption of communication between attacker and masters and automated updating of agents. Can do ICMP flood, SYN flood, UDP flood, and smurf style attacks. There is a limit of 1000 agents for each master Used TCP and ICMP for communication between master and agents (trinoo used UDP, TFN used ICMP)

14 Summary What is the importance and significance of this material?
DoS and DDoS attacks can be devastating on network resources. Can prevent authorized use of systems/networks. How does this topic fit into the subject of “Security Risk Analysis”? We will most likely not be called upon to conduct DoS or DDoS attacks, but we must know how they work so we can help clients protect against them as much as possible.

Download ppt "Denial of Service Attacks"

Similar presentations

Module VIII Denial Of Service

Module VIII Denial Of Service
COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Similar presentations

Ads by Google