Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.


1 Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt

2 Denial of Service Attacks A distributed denial of service attack involves overloading a company’s Internet connection with more traffic than it can handle. Once the connection is overloaded, the company is unable to function on the Internet.

3 Denial of Service Attacks Banks, academic institutions, and small businesses have become dependent on the Internet for even the most fundamental of daily functions. Therefore, the cost of a disruption in service and the subsequent recovery can be truly enormous.

4 Denial of Service Attacks Distributed Denial of Service Attacks are one of the most difficult security threats. Network administrators typically cannot stop a DDoS attack without contacting the ISP. Failure to stop a DDoS attack can result in a complete network overload and shutdown.

5 Denial of Service Attacks Any skilled hacker can gain control of a large number of proxy computer systems and use them to flood a targeted server. It is virtually impossible to discover the identity of the hacker. Once the targeted server is flooded, it will shut down, thereby halting even the legitimate traffic of the organization.

6 Physical Layout Because there is a large physical distance between the ISP router and the company network that an ISP services, the ISP usually has to use cheaper, low-bandwidth cable for this part of the connection. This is typically the slowest part of the connection line, and it is called a “bottleneck”.

7 Bottleneck To shut down the company’s connection, a hacker only has to overload this relatively slow part of the line. To stop DDoS attacks, illegitimate traffic must never be allowed to reach the bottleneck.

8 (Diagram of the normal connection: ISP router, cable connection (bottleneck), then the firewall on the company side, labelled “bad traffic stopped here”.)

9 Strategic Firewall Placement In the strategic firewall placement method, the company’s firewall is placed on the ISP’s premises. This means that the line connecting the ISP router to the firewall is very short, and a much higher bandwidth line (e.g. Ethernet) can be used for this connection at very little extra cost.

10 Strategic Firewall Placement (Diagram: ISP router, Ethernet connection to the firewall, labelled “bad traffic stopped here”, then the bottleneck link to the company.)

11 Strategic Firewall Placement The firewall remains under the control of the company. Now the company is able to control exactly which traffic is allowed into the bottleneck part of the connection.

12 Strategic Firewall Placement Attack packets are dropped before they can reach the bottleneck. A hacker could still run a denial of service attack, but would require a huge amount of bandwidth to overwhelm the system.

13 Strategic Firewall Placement In the old setup, to thwart a DDoS attack, the company had to call the ISP and tell them which kinds of packets to filter. The company’s Internet connection remained inoperative until the ISP was able to complete the company’s request. When the company controls the firewall, as in strategic firewall placement, they can instead filter unwanted packets almost immediately.

14 Additional Requirements Moving the firewall is helpful, but, to completely protect against DDoS attacks, the company also has to change the way its firewall handles inbound connection requests.

15 Default Deny The changes deal with how the company’s firewall handles inbound connections. When a computer wants to connect to the company’s server, it sends a packet called a TCP/SYN packet requesting the connection. The normal response to this packet is a SYN/ACK packet from the company’s server, acknowledging that the connection is open.

16 Default Deny If every TCP/SYN packet is allowed to reach the company server, hackers can still flood the company’s server with these packets, and overload the connection. Instead, the firewall sends back a SYN/ACK packet that only looks like it came from the company’s server. (Diagram: firewall in front of the server; steps 1 to 3 show spoofed TCP/SYN packets answered with a SYN/ACK and the connection blocked; step 4 shows a real TCP/SYN answered with a SYN/ACK and the connection allowed through to the server.)

17 Default Deny Once the firewall sends out the SYN/ACK packet, it only allows a connection from the IP address that sent the original TCP/SYN packet. A hacker has to have control of that IP address to be able to connect to the company.

18 Default Deny This helps prevent a technique known as “spoofing” IP addresses. Spoofing allows a hacker to send the server connection requests from IP addresses that he is not actually using. The default deny policy prevents hackers from using multiple spoofed addresses at once, and using them to flood the network.
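The default deny handshake of slides 16 to 18, as an added example that is not code from the presentation: the firewall answers every TCP/SYN itself and only opens a path to the server once the matching ACK comes back from the same source. The SYN-cookie style choice of deriving the SYN/ACK sequence number from a keyed hash of the source address is an assumption of this example (it lets the firewall keep no state for unanswered SYNs); the packet dictionaries, addresses and the `DefaultDenyFirewall` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Per-firewall secret used to derive SYN/ACK sequence numbers (assumption of
# this example: a SYN-cookie style design, not something the slides specify).
KEY = secrets.token_bytes(16)

def synack_seq(src_ip, src_port, dst_port):
    """Sequence number the firewall puts in its SYN/ACK, bound to the source."""
    msg = f"{src_ip}:{src_port}:{dst_port}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:4], "big")

class DefaultDenyFirewall:
    def __init__(self):
        self.allowed = set()   # (src_ip, src_port, dst_port) with a completed handshake
        self.server_syns = 0   # connections the real server actually had to accept

    def on_packet(self, pkt):
        """pkt: {'src','sport','dport','flags'[,'ack']}; returns the firewall's action."""
        key = (pkt["src"], pkt["sport"], pkt["dport"])
        if pkt["flags"] == "SYN":
            # Answer on the server's behalf; nothing reaches the server yet.
            return {"to": pkt["src"], "flags": "SYN/ACK", "seq": synack_seq(*key)}
        if pkt["flags"] == "ACK" and key not in self.allowed:
            # Only a host that really received our SYN/ACK knows this value, so a
            # spoofed source address can never complete the handshake.
            if pkt.get("ack") == synack_seq(*key) + 1:
                self.allowed.add(key)
                self.server_syns += 1   # firewall now opens the real connection
                return {"to": "server", "flags": "OPEN"}
            return {"flags": "DROP"}
        if key in self.allowed:
            return {"to": "server", "flags": "FORWARD"}
        return {"flags": "DROP"}

def simulate(spoofed_syns=1000):
    """Constructed scenario: a flood of spoofed SYNs plus one honest client."""
    fw = DefaultDenyFirewall()
    for i in range(spoofed_syns):   # the attacker never sees these SYN/ACKs
        fw.on_packet({"src": f"198.51.100.{i % 254 + 1}", "sport": 40000 + i,
                      "dport": 80, "flags": "SYN"})
    client = {"src": "192.0.2.10", "sport": 51000, "dport": 80}
    reply = fw.on_packet({**client, "flags": "SYN"})
    fw.on_packet({**client, "flags": "ACK", "ack": reply["seq"] + 1})
    data = fw.on_packet({**client, "flags": "DATA"})
    return fw.server_syns, data["flags"]   # -> (1, "FORWARD")
```

After a thousand spoofed SYNs the server has still accepted exactly one connection, the honest client's.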

19 Firewall Capabilities Maintaining these policies could require a lot of computational power from the firewall. The firewall may not be able to handle the entire job itself. The processing work of the firewall can be spread among multiple computers if necessary, and those computers would feed directly into the firewall.

20 Simulation of Strategic Firewall Placement Used the network simulation program NS-2 to simulate DDoS traffic. Red – legitimate packets. Blue – DDoS attack packets.

21 Simulation of Strategic Firewall Placement (Diagram of the simulated topology: DDoS attack and legitimate traffic sources feed a router, then the firewall, then the target over a 1.5 Mbps link; packets build up in the queue on the high-speed link.)

22 Simulation Results (rows: bottleneck link speed; columns: attack traffic rate; cells: values as given on the slide)

Bottleneck Link | Attack 100 Mbps | Attack 50 Mbps | Attack 10 Mbps | Attack 1.5 Mbps
100 Mbps        | 1.24 Mbps (all attack rates)
50 Mbps         | 1.24 Mbps (all attack rates)
10 Mbps         | 816 bps         | 32 Kbps        | 57 Kbps        | 1.23 Mbps
1.5 Mbps        | 0 bps (100 and 50 Mbps attack)   | 816 bps        | 6.5 Kbps

23 Simulation of Strategic Firewall Placement When the link leading up to the firewall is too slow, a DDoS attack basically shuts down the system. When the link leading up to the firewall is fast enough, the system continues running through a DDoS attack, even after the attack is increased in intensity from 50 to 100 Mbps.
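A fluid-flow approximation of slides 21 to 23, added here as an example and not the authors' NS-2 simulation: it shows why the firewall's position relative to the slow link decides how much legitimate traffic survives, but it does not reproduce the slide's packet-level numbers. Assumptions of this example: an oversubscribed link shares its capacity among flows in proportion to their offered rates (a crude stand-in for a FIFO drop-tail queue), the cable is 1.5 Mbps, the Ethernet link 100 Mbps, and the legitimate load is a constructed 1.24 Mbps.

```python
def share_link(capacity_bps, offered):
    """Rate each flow gets across one link. `offered` maps flow name -> bps.
    Assumption: proportional sharing when the link is oversubscribed."""
    total = sum(offered.values())
    if total <= capacity_bps:
        return dict(offered)
    return {name: rate * capacity_bps / total for name, rate in offered.items()}

def legit_delivered(attack_bps, legit_bps, link_to_firewall_bps, link_after_firewall_bps):
    """Legitimate traffic (bps) that reaches the company network.
    Both flows share the link leading up to the firewall; the firewall drops
    the attack flow; only legitimate traffic crosses the link behind it."""
    at_firewall = share_link(link_to_firewall_bps,
                             {"legit": legit_bps, "attack": attack_bps})
    behind = share_link(link_after_firewall_bps, {"legit": at_firewall["legit"]})
    return behind["legit"]

MBPS = 1_000_000
CABLE = 1.5 * MBPS     # slow ISP-to-company cable (the bottleneck on the slides)
ETHERNET = 100 * MBPS  # short high-bandwidth link when the firewall sits at the ISP
LEGIT = 1.24 * MBPS    # constructed legitimate load, chosen to nearly fill the cable

def traditional(attack_bps):
    """Firewall on company premises: the cable is crossed before filtering."""
    return legit_delivered(attack_bps, LEGIT, CABLE, ETHERNET)

def strategic(attack_bps):
    """Firewall at the ISP: filtering happens before the cable."""
    return legit_delivered(attack_bps, LEGIT, ETHERNET, CABLE)

def sweep(attack_rates_mbps=(100, 50, 10, 1.5)):
    """Legitimate throughput (bps) per attack rate: {rate: (traditional, strategic)}."""
    return {a: (round(traditional(a * MBPS)), round(strategic(a * MBPS)))
            for a in attack_rates_mbps}

if __name__ == "__main__":
    for attack, (old, new) in sweep().items():
        print(f"attack {attack:>5} Mbps: traditional {old:>8} bps, strategic {new:>8} bps")
```

With a 100 Mbps flood the traditional layout delivers about 18 Kbps of legitimate traffic, the strategic layout about 1.22 Mbps; the attack only begins to bite in the strategic layout once it can saturate the Ethernet link to the firewall.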

24 Conclusion Strategic firewall placement allows companies to use the Internet during a DDoS attack, and it allows them to continue receiving the packets they want.
