This presentation is the property of its rightful owner.
Sponsored Links
1 / 24

Dos PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Dos. (Denial of Services) Aamir Wahid September 23 rd 2004. What is DoS Attack. A DoS attack can disrupts or completely denies service to legitimate users, networks, systems, or other resources.” Can last from a few minutes to several days. Types of DoS. Bandwidth Consumption

Download Presentation


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript



(Denial of Services)

Aamir Wahid

September 23rd 2004

What is dos attack

What is DoS Attack

  • A DoS attack can disrupts or completely denies service to legitimate users, networks, systems, or other resources.”

  • Can last from a few minutes to several days

Types of dos

Types of DoS

  • Bandwidth Consumption

    • Network Flooding

      • T3 vs. 56K

    • Amplifying Attack

      • Using multiple sites for attack

Distributed dos attacks

Distributed DoS Attacks

  • More effective than

    DoS Attacks

  • Multiple sources

    for attack

    Tribe Flood Network,

    Trinoo, TFN2K

  • Zombie:A computer that has

    been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner.


Some History

BP (Before Pain) – Pre - 1990

  • DoS Tools:

    • Single-source, single target tools

    • IP source address spoofing

    • Packet amplification (e.g., smurf)

  • Deployment:

    • Widespread scanning and exploitation via scripted tools

    • Hand-installed tools and toolkits on compromised hosts (unix)

  • Use:

    • Hand executed on source host

The danger grows 1999

The danger grows - 1999

  • DoS Tools:

    • Multiple-source, single target tools

    • Distributed attack networks (handler/agent)

    • DDoS attacks

  • Deployment:

    • Hand-selected, hard-coded handlers

    • Scripted agent installation (unix)

Dos attack in 2000

DoS Attack in 2000

  • Example SYN Flood Attack

  • February 5th . 11th, 2000

  • Yahoo, eBay, CNN, E*Trade, ZDNet, Datek and all hit

  • Attacks allegedly perpetrated by teenagers

  • Used compromised systems at UCSB


Detailed Account of DDoS

  • May 4th-20th, 2001

  • Gibson Research Corporation


  • DDoS attack from 474 machines

  • Completely saturated two T1s

  • 13-year-old claimed responsibility

Dos attacks on the rise

DoS Attacks on the Rise

  • Frequency of DoS attacks increased 60% over the last three years…and still rising


Common forms of DoS

  • Buffer Overflow Attacks

  • SYN Attack

  • Teardrop Attack

  • Smurf Attack

  • Viruses

  • Physical Infrastructure Attack

Buffer overflow attacks

Buffer Overflow Attacks

  • Buffer overflow is an attempt to stuff to much information into a space in a computers memory.


  • Sending e-mails that have attachments with 256-character file names to Netscape and Microsoft mail programs.

  • Sending large (ICMP) packets (this can be known as the Ping of Death attack)

What is a syn flood

What is a SYN Flood?

  • Send spoofed SYN packets to system

  • System responds with SYN/ACK

  • Never receives final connection

  • Backlog in connection queue

  • Web servers are particularly vulnerable

  • How to Detect SYN attack

    netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l

  • Dos

    • Smurf Attack

      • Amplification attack

      • Sends ICMP ECHO to network

      • Network sends response to victim system

      • The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion



    Computer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targetted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can be hardly noticeable ranging all the way through disastrous.

    Physical Infrastructure Attacks

    fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.


    Impact of DoS Attacks

    • Loss of Revenue

      cont …


    Impact of DoS Attacks

    • Damage to Corporate Image and Brand

    • Cost of Over-engineering Network Resources

    • Cost to diagnose and rebuild systems

      • Forensic cost estimated by University of Washington to be $22,000 per event

    • Violation of service level agreements (SLAs)

    • Risk of litigation

    • Increase in insurance protection

    Why defense is difficult

    Why Defense is Difficult

    • SYN packets are part of normal traffic

    • Source IP addresses can be faked

    • SYN packets are small

    • Lengthy timeout period

    Possible defenses

    Possible Defenses

    • Increase size of connections table

    • Add more servers

    • Trace attack back to source

    • Deploy firewalls employing SYN

    • flood defense

    Who offers a defense

    Who Offers a Defense?

    • PIX by Cisco

    • Firewall-1 by Checkpoint

    • Netscreen 100 by Netscreen

    • AppSafe/AppSwitch by Top Layer

    How bad can it get

    How Bad Can It Get?

    • Theoretical maximums for attackers using:

    • Analog modem: 87 SYNs/sec

    • ISDN, Cable, DSL: 200 SYNs/sec

    • T1: 2,343 SYNs/sec

    • 474 hacked systems 94,800 SYNs/sec

    How much do you need

    How Much Do You Need?

    • Single firewall for attacker with

      single ISDN, DSL, or T1

    • Multiple parallel units for higher bandwidth

    • Transparent. mode permits rapid




    • SYN floods are nasty

    • Firewalls with SYN flood defense

      can successfully counter attacks

    • Multiple or distributed attacks may

      require multiple parallel firewalls

    In summary

    In Summary


    Thank You

  • Login