DoS/DDoS attack and defense

Presentation on theme: "DoS/DDoS attack and defense"— Presentation transcript:

1 DoS/DDoS attack and defense
Nguyen Tien Thanh

2 Outline
Denial of Service attack
- Introduction
- Impact of DoS attack
- DoS attack types (ping flood, UDP flood, buffer overflow, ping of death, teardrop, SYN flood)
Distributed Denial of Service attack
- Handler-Agent model
- IRC based model
Countermeasures to DoS/DDoS
Tools for DoS/DDoS

3 DoS Introduction
A Denial of Service attack is an attack that renders a system service slow or unusable for legitimate users by consuming system resources.

4 DoS Impact of DoS attack
- Financial loss
- Reputation damage
- Disabled network
- Disabled organization

5 DoS attack types Smurf attack (ping flood)
The attacker generates a large amount of ICMP echo (ping) traffic to the network broadcast address with a spoofed source IP address of the victim. The result is a flood of ping replies to the victim host, severely impacting the victim's network connection.

6 DoS attack types Fraggle attack (UDP flood)
The attacker sends UDP packets to random ports on the victim host. The victim checks for an application listening on each port and replies with an "ICMP destination unreachable" packet. The attacker can spoof the source IP address of the UDP packets so that no one can trace them back.

7 DoS attack types Buffer overflow
A buffer overflow occurs when a program writes data into a buffer and overruns the buffer boundary, overwriting adjacent memory locations. The attacker can use this to crash the victim machine.

8 DoS attack types Ping of death
The IP protocol allows a maximum IP packet size of 65,535 bytes. The attacker sends an IP packet larger than that. Fragmentation allows IP packets to be divided into smaller fragments, and the fragments can reassemble to more than the allowed size. The operating system cannot handle the oversized packet and crashes.

9 DoS attack types Teardrop attack
Fragmentation allows IP packets to be divided into smaller fragments. The attacker puts a confusing offset value into the second or a later fragment. The target machine cannot reassemble the packets and crashes.

10 DoS attack types SYN flooding
SYN flooding exploits a flaw in the TCP three-way handshake.

11 DoS attack types SYN flooding (cont.)
When a host receives a SYN request it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds. The attacker can fill up the listen queue by sending multiple SYN requests to the host but never replying to the SYN&ACK.
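The listen-queue exhaustion described on this slide, as an added example that is not part of the original presentation: a model of a fixed-size backlog whose half-open entries expire after the 75 seconds quoted above, plus a simple detector that counts half-open entries per source. The addresses and the backlog size are constructed values.

```python
from collections import OrderedDict
LISTEN_TIMEOUT = 75.0   # seconds a half-open entry is held (the figure quoted on the slide)

class ListenQueue:
    """Models a listener's backlog of half-open (SYN-RECEIVED) connections."""
    def __init__(self, size):
        self.size = size
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.dropped_syns = 0          # SYNs refused because the backlog was full

    def expire(self, now):
        # entries older than the timeout are released by the listener
        for key, t in list(self.pending.items()):
            if now - t >= LISTEN_TIMEOUT:
                del self.pending[key]

    def on_syn(self, src_ip, src_port, now):
        # return True if the listener could queue the half-open connection
        self.expire(now)
        if len(self.pending) >= self.size:
            self.dropped_syns += 1
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port, now):
        # the final ACK of the handshake completes the connection and frees the slot
        return self.pending.pop((src_ip, src_port), None) is not None

def half_open_by_source(queue):
    # count half-open entries per source address: the basis of a simple flood detector
    counts = {}
    for ip, _port in queue.pending:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

def suspected_flooders(queue, threshold=10):
    return sorted(ip for ip, n in half_open_by_source(queue).items() if n >= threshold)

def simulate():
    # constructed scenario: 20 SYNs from 198.51.100.7 (documentation address) are never ACKed;
    # a legitimate client 203.0.113.5 then tries at t=30s and again at t=100s
    q = ListenQueue(size=16)
    for i in range(20):
        q.on_syn("198.51.100.7", 40000 + i, float(i))
    first_try = q.on_syn("203.0.113.5", 51000, 30.0)
    flooders = suspected_flooders(q)    # at t=30 the backlog is still full of attacker entries
    retry = q.on_syn("203.0.113.5", 51000, 100.0)
    return q, first_try, flooders, retry
```

The legitimate client is refused while the attacker's entries occupy the backlog and only succeeds once they have timed out.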

12 DDoS Introduction (video)
A Distributed Denial of Service attack is carried out by using multiple compromised systems to attack a target and deny the service to legitimate users. The service under attack is the "primary victim," while the compromised systems used to launch the attack are often called the "secondary victims." The sheer volume of sources involved in DDoS attacks makes them nearly impossible to stop.

13 DDoS Handler-Agent model

14 DDoS IRC based model

15 DoS/DDoS Countermeasures
Smurf attack (ping flood)
- Disable IP-directed broadcasts at routers. Most of the time this function is not needed (defends against outside attack).
- Configure your operating system to prevent the machine from responding to ICMP packets sent to IP broadcast addresses (defends against inside attack).
Fraggle attack (UDP flood)
- Disable UDP echo. The echo service is not very important, so the negative impact is low.

16 DoS/DDoS Countermeasures (cont.)
- Buffer overflow attack: operating system and software vendors often employ countermeasures in their products to prevent buffer overflow attacks, particularly call stack and virtual memory randomization. Buffer overflow attacks have been rendered more difficult, although they are still possible to carry out.
- Ping of death does not affect modern operating systems.
- Teardrop attack does not affect modern operating systems.

17 DoS/DDoS Countermeasures (cont.)
SYN flooding attack prevention: using a firewall/proxy. The firewall spoofs the ACK to prevent the listener TCB (transmission control block) from staying in the SYN-RECEIVED state, and thus maintains free space in the backlog. The firewall waits for some time; if a legitimate ACK from the initiator is not observed, it can signal the listener to free the TCB using a spoofed TCP RST segment. For legitimate connections, packet flow continues with no interference from the firewall/proxy.

18 DoS/DDoS Countermeasures (cont.)
SYN flood attack countermeasure: Packet Exchanges through an ACK-spoofing Firewall/Proxy.
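The ACK-spoofing firewall/proxy behaviour from slides 17 and 18, as an added example that is not part of the original presentation: the proxy completes each handshake toward the listener as soon as the SYN/ACK appears, then either sees the initiator's own ACK or, after an assumed wait (PROXY_WAIT, chosen here since the slide only says "some time"), injects a RST to free the listener's TCB. Flows and addresses are constructed.

```python
PROXY_WAIT = 5.0   # seconds the proxy waits for the initiator's ACK (assumed value)

class AckSpoofingProxy:
    """State kept by the firewall/proxy for each handshake it mediates for the listener."""
    def __init__(self):
        self.pending = {}        # flow -> deadline by which the initiator's ACK must arrive
        self.to_listener = []    # segments the proxy injects toward the listener
        self.outcomes = {}       # flow -> "completed" or "reset"

    def on_syn_ack(self, flow, now):
        # The listener answered the SYN with SYN/ACK. The proxy immediately sends an ACK on the
        # initiator's behalf, so the listener's TCB leaves SYN-RECEIVED and the backlog stays free.
        self.to_listener.append(("ACK", flow))
        self.pending[flow] = now + PROXY_WAIT

    def on_initiator_ack(self, flow, now):
        # A legitimate initiator finished the handshake in time: nothing more for the proxy to do.
        if flow in self.pending and now <= self.pending[flow]:
            del self.pending[flow]
            self.outcomes[flow] = "completed"

    def tick(self, now):
        # No ACK within the wait: free the listener's TCB with a spoofed RST.
        for flow, deadline in list(self.pending.items()):
            if now > deadline:
                self.to_listener.append(("RST", flow))
                del self.pending[flow]
                self.outcomes[flow] = "reset"

GOOD = ("203.0.113.5", 51000)   # constructed: legitimate initiator (documentation address)
BAD = ("198.51.100.7", 40000)   # constructed: initiator that never completes the handshake

def run_exchange():
    proxy = AckSpoofingProxy()
    proxy.on_syn_ack(GOOD, 0.0)
    proxy.on_syn_ack(BAD, 0.0)
    proxy.on_initiator_ack(GOOD, 0.2)   # legitimate ACK arrives well inside the wait
    proxy.tick(6.0)                     # wait elapsed without an ACK for BAD
    return proxy
```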

19 DoS/DDoS Countermeasures (cont.)
There is no absolute solution to prevent DDoS; we can only try to reduce the impact of the attack. DoS countermeasures can also be used. Based on the Handler-Agent model, we derive countermeasures in 3 components:
- Prevent secondary victims; detect and neutralize handlers
- Detect and mitigate the attack
- Post-attack forensics

20 DoS/DDoS Countermeasures (cont.) Prevent secondary victims; detect and neutralize handlers
Prevent secondary victims
- Improve awareness of internet users
- Install antivirus software
Detect and neutralize handlers
- Study the communication protocol and traffic pattern between handlers and agents to locate the handler
- The handler-agent model suffers from a single point of failure

21 DoS/DDoS Countermeasures (cont.) Detect and mitigate the attack
- Scan packets' source IP addresses when they leave the network: the spoofed source address of a DDoS attack packet will not be a valid source address of that network
- Load balancing: increase bandwidth to prevent the connection going down when under attack; balance the load across servers in a multi-server architecture
- Honeypot: systems set up with low security that act as a lure for an attacker; used to learn the attacker's activities
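The outbound source-address check from the first item above, as an added example that is not part of the original presentation: packets leaving the network are dropped if their source is not one of the network's own prefixes, and the destinations of dropped packets reveal which outside host the secondary victims are being used against. Prefixes and packets are constructed documentation values.

```python
import ipaddress
from collections import Counter

# constructed: address blocks assigned to our network (documentation prefixes)
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:1::/48")]

def is_local_source(src):
    # a packet leaving our network must carry one of our own addresses as source
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_PREFIXES)

def filter_egress(packets):
    """Split outbound packets into (forwarded, dropped); spoofed sources are dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_local_source(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped

def suspected_targets(dropped):
    # destinations of spoofed packets are the hosts our compromised machines are attacking
    return Counter(pkt["dst"] for pkt in dropped).most_common()

# constructed sample of outbound traffic: three packets carry sources outside our prefixes
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dst": "198.51.100.2", "proto": "tcp"},
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::1", "proto": "udp"},
    {"src": "192.0.2.99", "dst": "198.51.100.9", "proto": "icmp"},
    {"src": "10.8.8.8", "dst": "198.51.100.9", "proto": "udp"},
    {"src": "198.51.100.9", "dst": "198.51.100.9", "proto": "tcp"},
]

def run_filter():
    forwarded, dropped = filter_egress(SAMPLE_PACKETS)
    return len(forwarded), len(dropped), suspected_targets(dropped)
```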

22 DoS/DDoS Countermeasures (cont.) Post-attack forensics
- Analyze data to find specific patterns in the attacking traffic; this can help the network admin develop new filtering techniques
- Packet traceback: can help identify the attacker
- Event logs: keep logs of DDoS attack information for forensic analysis

23 Tools for DoS/DDoS

