
Defensive Measures for DDoS


Presentation Transcript


  1. Defensive Measures for DDoS By Farhan Mirza

  2. Contents • Survey Topics • Introduction • Common Target of DoS Attacks • DoS Tools • Defensive Measures & Their Vulnerabilities • Honeypot for DDoS • Honeypot implementation • Issues & Concerns • Conclusion

  3. Survey Topic • Paper 1 • Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures • Paper 2 • Honeypots for Distributed Denial of Service Attacks

  4. Introduction DoS attacks • Weapons of Mass Destruction • Paralyze Internet systems with bogus traffic • 4th Major Attack in 2001 – Computer Crime & Survey Report

  5. Attacks on Targets • Attacking tools are becoming more aggressive • Harder to discover and filter • Powerful automatic scanning and observation of a target's vulnerabilities • Methods used: TCP SYN, UDP and ICMP flooding, etc. • Includes viruses and worms: MS-SQL Server Worm, Code Red, etc.

  6. Code Red Worm Attack

  7. Common Targets of DoS Attacks • Bandwidth DoS Attacks • Memory DoS Attacks • Computation DoS Attacks

  8. Bandwidth DoS Attacks • Target - Bandwidth • Example – Slammer (MS-SQL Server Worm) • Self Propagating malicious code • Employs multiple vulnerabilities of SQL Server Resolution Service

  9. Memory DoS Attacks • Target – Memory • Backscatter Analysis (Moore Investigation): • 94% of DoS attacks use the TCP protocol • 49% of attacks are TCP SYN attacks targeting the 3-way handshake • 2% on UDP • 2% on ICMP

  10. Memory DoS Attacks (Cont.) • Every TCP connection establishment requires an allocated memory resource • Only a limited number of concurrent TCP half-open connections can be held • Attacker can disable the service by sending an excessive number of connection requests with spoofed source addresses

  11. Computation DoS Attacks • Target – Computational Resources • Example: Database Query Attacks • Sequence of queries requesting DBMS to execute complex commands, overwhelming the CPU

  12. Software Bugs & Exploits • Exploit on 7xx routers – connecting with Telnet and typing very long passwords • Effects – • Reboot of the router • Denial of service to users during the reboot period

  13. Software Bugs & Exploits (Cont.) • Smurf DoS Bug – sends ICMP Echo Request packets with a spoofed source address (the victim's) to a network broadcast address • Effects – • All machines on the subnet reply directly to the victim's address • Congestion of the victim's network connection

  14. DoS Tools • Trin00 • TFN – Tribe Flood Network • Stacheldraht – "Barbed Wire"

  15. Trin00 • Distributed attacking tool • Installed on intermediate hosts using a buffer overrun bug • Compiled on Linux and Solaris operating systems • Capable of generating UDP packets for the attack • Target Ports – 0 to 65534

  16. TFN – Tribe Flood Network • Launches Distributed Denial of Service attacks • Installed on intermediate hosts using a buffer overrun bug • Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks • Compiled on Linux and Solaris operating systems

  17. Stacheldraht ("barbed wire") • Combines features of Trin00 and TFN • Capable of producing ICMP flood, SYN flood, UDP flood, and SMURF attacks • ICMP, UDP and TCP-SYN packets of sizes up to 1024 bytes against multiple victim hosts • TCP-SYN packets are generated against random ports taken from selected range of port numbers

  18. DDoS Pattern • Scanning of large address ranges for potentially vulnerable targets • Setting up of a stolen account as a repository for attack tools • Creation of a script to perform the exploit and report the results • Choice of a subset of suitable compromised servers from the list • Script-automated installation of the needed tools on the compromised servers • Optional installation of a root kit to hide the compromise

  19. Defensive Measures • System Self Defense • Stop all unnecessary or non-essential system services and network ports • Reduce the timeout period for simultaneous half-open connections • Vulnerability: • Reconfiguration may delay, or even deny, legitimate access • May lead to an increase in resource usage

  20. Packet Filtering • Most popular defensive mechanism • Selectively screens out suspicious or malicious packets • Is itself a form of DoS, since it discards packets • Vulnerability: • If manipulated or abused, it is the most convenient way to accomplish a DoS attack

  21. Packet Filtering (Cont.) • Types of Packet Filtering • Egress/Ingress • Manage the flow of traffic into and out of the network • Ingress – used to block incoming packets with spoofed source addresses • Egress – manages the flow of traffic as it leaves a network • Vulnerability • Effective only if deployed at large scale across many networks
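The ingress/egress source-address checks described on this slide, as an added example that is not part of the deck. It assumes a constructed site prefix (192.0.2.0/24) and constructed sample packets; a real deployment would express the same rules in the router or firewall configuration.

```python
import ipaddress

# Constructed site prefix, plus RFC 1918 and loopback ranges that should never
# appear as a source address on the external link.
SITE = ipaddress.ip_network("192.0.2.0/24")
NEVER_EXTERNAL = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def ingress_allowed(src):
    """Inbound packet from the Internet: reject sources that claim to be inside
    the site (spoofed) or that lie in ranges never routed across the Internet."""
    s = ipaddress.ip_address(src)
    if s in SITE:
        return False                      # an outside packet cannot be one of ours
    return not any(s in net for net in NEVER_EXTERNAL)


def egress_allowed(src):
    """Outbound packet: only our own prefix may leave, so hosts on this site
    cannot be used to source spoofed flood traffic against others."""
    return ipaddress.ip_address(src) in SITE


# Constructed sample traffic: (direction, src, dst)
SAMPLE = [
    ("in",  "203.0.113.5",  "192.0.2.10"),   # ordinary external client: allow
    ("in",  "192.0.2.77",   "192.0.2.10"),   # claims to be internal: spoofed, drop
    ("in",  "10.1.2.3",     "192.0.2.10"),   # private source on external link: drop
    ("out", "192.0.2.10",   "203.0.113.5"),  # our server replying: allow
    ("out", "198.51.100.9", "203.0.113.5"),  # local host spoofing a foreign source: drop
]


def filter_traffic(packets):
    """Return {(direction, src): "allow" | "drop"} for each packet."""
    verdicts = {}
    for direction, src, _dst in packets:
        ok = ingress_allowed(src) if direction == "in" else egress_allowed(src)
        verdicts[(direction, src)] = "allow" if ok else "drop"
    return verdicts


if __name__ == "__main__":
    for key, verdict in filter_traffic(SAMPLE).items():
        print(key, verdict)
```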

  22. Packet Filtering (Cont.) • Firewalls • Mechanism at the victim's network • Enable a form of protection against SYN flooding • Examine packets and maintain connection and state information for session traffic • Configured as a relay or as a semi-transparent gateway • Vulnerability • Cause delays for every connection • A flood of 14k packets/sec can disable even specialized firewalls

  23. IP Traceback • Effective and aggressive way to terminate DoS attacks at their sources • Vulnerability: • Does not locate the attacker if the attack is launched through reflectors

  24. State Monitoring • Uses software agents to continuously monitor TCP/IP traffic in a network • RealSecure – • Monitors the local network for SYN packets that are not acknowledged within a period of time defined by the user • Vulnerabilities: • Needs to maintain a tremendous amount of state to determine malicious packets, which consumes system resources
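A minimal version of the SYN state monitoring described above (and of the half-open connection limit from slide 10), as an added example that is not the RealSecure product's code: it tracks each SYN until the client's ACK completes the handshake and reports the ones still open past a user-defined timeout. The packet records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, src, dst, tcp_flags) seen at the monitor.
# 198.51.100.7 completes its handshake; two 203.0.113.x sources never send the
# final ACK; 198.51.100.8 sent its SYN recently enough to still be within the timeout.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.10", "S"),
    (0.1, "192.0.2.10", "198.51.100.7", "SA"),
    (0.2, "198.51.100.7", "192.0.2.10", "A"),
    (0.3, "203.0.113.5", "192.0.2.10", "S"),
    (0.4, "192.0.2.10", "203.0.113.5", "SA"),
    (0.5, "203.0.113.9", "192.0.2.10", "S"),
    (0.6, "192.0.2.10", "203.0.113.9", "SA"),
    (5.0, "198.51.100.8", "192.0.2.10", "S"),
]


def half_open_report(packets, timeout, now):
    """Return {dst: {src: age_seconds}} of SYNs still unacknowledged after `timeout`
    seconds, evaluated at time `now`. The state table is keyed by (src, dst), which is
    exactly the per-connection state the slide warns grows large under attack."""
    pending = {}                                   # (src, dst) -> time of initial SYN
    for t, src, dst, flags in packets:
        if flags == "S":
            pending.setdefault((src, dst), t)
        elif "A" in flags and (src, dst) in pending:
            del pending[(src, dst)]                # client's ACK completes the handshake
    stale = defaultdict(dict)
    for (src, dst), t0 in pending.items():
        if now - t0 > timeout:
            stale[dst][src] = round(now - t0, 2)
    return dict(stale)


def flood_suspected(report, threshold):
    """Flag each destination whose count of stale half-open connections reaches `threshold`."""
    return {dst: len(srcs) >= threshold for dst, srcs in report.items()}


if __name__ == "__main__":
    report = half_open_report(SAMPLE_PACKETS, timeout=3.0, now=6.0)
    print(report)
    print(flood_suspected(report, threshold=2))
```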

  25. Resource Allocation Control • Prevents exhaustion of the victim's resources by limiting the resource allocation and usage of each user or service • Class Based Queuing – • Configures different traffic priority queues and rules that determine which packets are put into which queue • Vulnerability: • Under DoS attack, cannot determine which packets belong to the same user or service for the purpose of sharing a quota or resources

  26. Congestion Control • Network congestion – reduction in network throughput • Pushback • Mechanism for defending against DDoS attacks • Identifies most of the malicious packets based on Aggregate-based Congestion Control • Vulnerability: • Not an effective method for blocking bad traffic under a typical DDoS attack • Cannot differentiate good and bad traffic and drops both equally

  27. Active Networks • Programs can perform customized computations and manipulations • Allow users to inject customized programs into the nodes of the network • Active edge-Tagging – • One example: at the first-hop router, tags the actual source IP address into the active-network layer header of each incoming packet from a host • Vulnerability: • AN poses serious security threats, as it is designed to run executable code on remote hosts

  28. Bandwidth Overhead of Defensive Measures

  29. Memory Overhead of Defensive Measures

  30. Computational Overhead of Defensive Measures

  31. Attacks on Defensive Measures

  32. Honeypot for DDoS • Advantages of the System: • Defends the operational network with high probability against DDoS and new variants • Traps the attacker and records the compromise to support legal action against the attacker • Devised System: • Implemented to lure the attacker into believing he has successfully compromised the system • Used to learn the tactics, tools, methods and motives of an attacker in order to secure the system

  33. Characterization • Should be a replica of the operational system • Consists of similar systems and applications • Services such as Web, Mail, FTP and DNS should be accessible to the attacker • Must be located in the DMZ

  34. Local Network Protection • Must be located in another zone protected by a firewall • Encrypted transmission inside the LAN • Clients run a trusted OS • Services are managed by an indirect authentication method – Kerberos • Detection systems such as host-based IDS and a vulnerability scanner must be running

  35. Honeypot Implementation in Organization

  36. View for an Attacker

  37. Issues To Be Resolved • Attack must be detectable • Attack packets must be actively directed to the Honeypot • Honeypot must be able to simulate the organization’s network infrastructure

  38. Concerns & Issues • Not a good idea in a real operational environment • Requires expertise • A small configuration mistake or loophole will create a disaster • Difficult to distinguish regular users from attackers in most cases • Uses a DDoS signature-type method during authentication – not very effective, especially for first-time authentication • Hard to identify the culprit – the attacker uses compromised systems • VPN and PKI as proposed – unclear how the two environments work together

  39. Conclusion • Attacking and defending networks is like a game • Defensive measures are not always secure, and valuable data is at risk with little effort from an attacker • Honeypot – promising tool for luring attackers in a DDoS attack • To secure our networks, defensive measures applied with proper knowledge and expertise are required