1 / 29

Chapter 7: Denial-of-Service Attacks

Chapter 7: Denial-of-Service Attacks. Computer Security: Principles and Practice William Stallings and Lawrie Brown Lecture slides by Lawrie Brown. Denial-of-Service ( DoS ) Attack. The NIST Computer Security Incident Handling Guide defines a DoS attack as:

kiana
Download Presentation

Chapter 7: Denial-of-Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7: Denial-of-Service Attacks Computer Security: Principles and Practice William Stallings and Lawrie Brown Lecture slides by Lawrie Brown

  2. Denial-of-Service (DoS) Attack • The NIST Computer Security Incident Handling Guide defines a DoS attack as: “an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”

  3. Denial-of-Service (DoS) • a form of attack on the availability of some service • categories of resources that could be attacked are:

  4. Examples of DoS Attacks • SYN spoofing attack: target table of open connections • Poison packet attack: triggers a bug in the system’s network, causing it to crash • ping of death • teardrop • Cyberslam: an attack on a specific application (e.g., a database)

  5. ICMP Message Types  One of the core protocols of the  IP suite used by theoperating system of networked computers to send error messages indicating (e.g., a requested service is not available) 0 - Echo Reply 3 - Destination Unreachable 4 - Source Quench 5 - Redirect 8 - Echo 11 - Time Exceeded 12 - Parameter Problem 13 - Timestamp 14 - Timestamp Reply …

  6. IPS Targets in DoS Attacks

  7. Classic Denial-of-Service Attacks • flooding ping command • “ping”: an ICMP to test connectivity; sender waits for echo response packet to return • aim of this attack is to overwhelm the capacity of the network connection to the target organization • traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases • source of the attack is clearly identified unless a spoofed address is used • network performance is noticeably affected

  8. Source Address Spoofing • use forged source addresses • usually via the raw socket interface on operating systems • makes attacking systems harder to identify • attacker generates large volumes of packets that have the target system as the destination address • congestion would result in the router connected to the final, lower capacity link • backscatter traffic (by researchers) • advertise routes to unused IP addresses to monitor attack traffic

  9. SYN Spoofing • common DoS attack • attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them • thus legitimate users are denied access to the server • hence an attack on system resources, specifically the network handling code in the operating system

  10. TCP Connection Handshake syn/ackpkts y= server seq# x= client seq#

  11. SYN Spoofing Attack assumption: most connections succeed and thus table cleared quickly

  12. SYN Spoofing Attack • attacker often uses either • random source addresses (addresses that may not exist) • or that of an overloaded server (that may not send a RST) • to block return of (most) reset packets • objective: uses addresses that will not respond to to the SYN-ACK with a RST

  13. Types of Flooding Attacks • classified based on network protocol used • ICMP Flood • uses ICMP packets, eg ping (echo) request • typically allowed through, some required • UDP Flood • alternative uses UDP packets to random ports (even if no service is available, attacker achieves its goal) • TCP SYN Flood (SYN spoof vs SYN flood) • use TCP SYN (connection request) packets • but for volume attack

  14. UDP Packet • User Datagram Protocol (UDP) is a component of the IP suite and allows computer applications to send messages • A UDP can be directed at practically any service (port); if service is unavailable, the packet is discarded but the attacker objective is achieved

  15. Distributed Denial of Service Attacks • have limited volume if single source used • multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack • often compromised PC’s / workstations • zombies with backdoor programs installed • forming a botnet • Example: Tribe Flood Network (TFN), TFN2K • did ICMP, SYN, UDPF and ICMP floods

  16. DDoS Attack Architecture • Attacker can command each zombie individually or via a control hierarchy

  17. Application-Based Bandwidth Attacks • Force the victim system to execute resource-consuming operations (e.g., searches, complex DB queries) • VoIP Session Initiation Protocol (SIP) flood (see Figure 7.5): attacker sends many INVITE requests; major burden on the proxies • server resources depleted while handling requests • bandwidth capacity is consumed

  18. Session Initiation Protocol (SIP) Flood standard protocol for VoIP telephony text-based protocol with a syntax similar to that of HTTP two types of SIP messages: requests and responses

  19. Hypertext Transfer Protocol (HTTP) Based Attacks HTTP flood Slowloris attempts to monopolize by sending HTTP requests that never complete eventually consumes Web server’s connection capacity utilizes legitimate HTTP traffic • attack that bombards Web servers with HTTP requests • consumes considerable resources • spidering • bots starting from a given HTTP link and following all links on the provided Web site in a recursive way

  20. Reflection Attacks • use normal behavior of network • attacker sends packet with spoofed source address being that of target to a server • server response is directed at target • if send many requests to multiple servers, response can flood target • various protocols e.g. UDP or TCP/SYN • ideally want response larger than request • prevent if block source spoofed packets

  21. DNS Reflection Attacks

  22. Amplification Attacks can take advantage of broadcast address of some network

  23. DNS Amplification Attacks • use DNS requests with spoofed source address being the target • exploit DNS server behavior to convert a small request to a much larger response • 60 byte request to 512-4000 byte response • attacker sends requests to multiple well connected DNS servers, which flood target • need only moderate flow of request packets • DNS servers will also be loaded

  24. DoS Attack Defenses • high traffic volumes may be legitimate • result of high publicity, e.g. “slash-dotted” • or to a very popular site, e.g. Olympics • or “legitimate” traffic created by an attacker • three lines of defense against (D)DoS: • attack prevention and preemption • attack detection and filtering • attack source traceback and identification • attack reaction

  25. Attack Prevention • block/filter spoofed source addresses • on routers as close to source as possible • still far too rarely implemented • rate controls in upstream distribution nets • on specific packets types • e.g. some ICMP, some UDP, TCP/SYN • impose limits • use modified TCP connection handling • e.g., selective or random drop when table full

  26. Attack Prevention • block IP directed broadcasts (especially when request is from outside) • block suspicious services & src/dest combinations • manage application/interaction attacks with “puzzles” to distinguish legitimate human requests • good general system security practices • use mirrored and replicated servers when high-performance and reliability required

  27. Responding to Attacks • need good incident response plan • needed to impose traffic filtering upstream (rate limiting filters) • organizational issue: provides details of response process • contact number for ISP • have standard filters • ideally have network monitors and IDS • to detect and notify abnormal traffic patterns

  28. Responding to Attacks • identify type of attack • capture and analyze packets • design filters to block attack traffic upstream • or identify and correct system/application bug • have ISP trace packet flow back to source • may be difficult and time consuming • necessary if legal action desired • implement contingency plan • update incident response plan

  29. Summary • introduced denial of service (DoS) attacks • classic flooding and SYN spoofing attacks • ICMP, UDP, TCP SYN floods • distributed denial of service (DDoS) attacks • reflection and amplification attacks • defenses against DoS attacks • responding to DoS attacks

More Related