Denial of Service attacks

Presentation Transcript


  1. Denial of Service attacks

  2. Types of DoS attacks
  • Bandwidth consumption
    • attackers have more bandwidth than the victim, e.g. a T3 (45 Mbps) attacks a T1 (1.544 Mbps).
    • attackers amplify their bandwidth by engaging other computers to attack a victim with higher bandwidth, e.g. 100 hosts on 56 Kbps links attack a T1.
  • Resource starvation: consumes system resources like CPU, memory and disk space on the victim machine.
  • Program flaws: exploit the inability of programs to handle exceptions (vulnerabilities).
  • Routing and DNS attacks: manipulate routing tables
    • routing protocols RIP v1 and BGP v4 have no, or weak, authentication
    • change routing tables to route traffic to the attacker's net or to a black hole.
    • attacks on DNS servers, again routing traffic to the attacker or to a black hole.
  • Generic attacks: like the Melissa virus, which shut down mail servers

  3. Generic attacks
  (diagram: attacker -> amplifying LAN -> victim, with steps 1 and 2 marked)
  • Smurf
    • 1. The attacker sends sustained ICMP Echo packets to the broadcast address of the amplifying network (xxx.255), with the source address forged to read the victim's IP address.
    • 2. Since the traffic was sent to the broadcast address, all hosts in the amplifying LAN answer to the victim's IP address.
  • Fraggle
    • similar to Smurf, but sends UDP packets to port 7 (echo) of the broadcast address.
  • Countermeasures
    • Prevent being an amplifying LAN: disable directed broadcast functionality at the border router and set the OS firewall to not respond to broadcast ECHO requests (see book for specific OS commands).
    • Victim sites: limit ICMP requests at the border router and contact the ISP to do the same when under attack.
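
The two countermeasures on this slide can be expressed as checks over a packet trace. The example below is added here and is not code from the presentation: it constructs a small trace (documentation address ranges, not real hosts) and shows the border-router rule that stops a LAN from being used as an amplifier, plus a victim-side detector that flags echo replies from many hosts of one subnet converging on a single address. The trace, subnet list and thresholds are assumptions made for the illustration.

```python
"""Smurf/Fraggle amplification checks over a constructed packet trace.

Two defender-side checks from the slide's countermeasures:
  * border-router side: drop ICMP echo requests and UDP echo (port 7)
    addressed to the directed-broadcast address of a local subnet, so the
    LAN cannot be used as an amplifier;
  * victim side: flag a burst of ICMP echo replies from many distinct hosts
    of one /24 converging on a single destination, the signature of being
    the spoofed "source" of a Smurf.
The trace below is constructed for this example (documentation address
ranges, not real hosts) and is not data from the presentation.
"""
import ipaddress
from collections import defaultdict

# Constructed trace: (src, dst, proto, icmp_type_or_udp_port)
TRACE = [
    ("203.0.113.9", "192.0.2.255", "icmp", "echo-request"),  # spoofed src, to broadcast
    ("203.0.113.9", "192.0.2.255", "udp", 7),                # Fraggle variant (UDP echo)
    ("198.51.100.4", "192.0.2.10", "icmp", "echo-request"),  # ordinary ping to one host
    ("192.0.2.10", "198.51.100.4", "icmp", "echo-reply"),    # its normal reply
    ("192.0.2.1", "203.0.113.9", "icmp", "echo-reply"),      # amplified replies ...
    ("192.0.2.2", "203.0.113.9", "icmp", "echo-reply"),
    ("192.0.2.3", "203.0.113.9", "icmp", "echo-reply"),
    ("192.0.2.4", "203.0.113.9", "icmp", "echo-reply"),      # ... all hitting the victim
]
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local network


def is_directed_broadcast(dst, subnets):
    """True when dst is the broadcast address of one of the given subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def amplifier_filter(trace, subnets):
    """Border-router rule: return the packets that should be dropped because they
    are echo traffic (ICMP echo request or UDP port 7) to a directed broadcast."""
    dropped = []
    for pkt in trace:
        _src, dst, proto, kind = pkt
        is_echo = (proto == "icmp" and kind == "echo-request") or (proto == "udp" and kind == 7)
        if is_echo and is_directed_broadcast(dst, subnets):
            dropped.append(pkt)
    return dropped


def reply_convergence(trace, min_hosts=3):
    """Victim-side detector: count distinct replying hosts per (destination, source /24).
    Returns {destination: host_count} for every destination receiving echo replies
    from at least min_hosts different hosts of the same /24."""
    replying = defaultdict(set)
    for src, dst, proto, kind in trace:
        if proto == "icmp" and kind == "echo-reply":
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            replying[(dst, str(net))].add(src)
    return {dst: len(hosts) for (dst, _net), hosts in replying.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for pkt in amplifier_filter(TRACE, LOCAL_SUBNETS):
        print("drop at border:", pkt)
    for victim, n in reply_convergence(TRACE).items():
        print(f"{victim} is receiving amplified replies from {n} hosts of one /24")
```

The border filter catches both the ICMP (Smurf) and UDP port 7 (Fraggle) forms because the discriminator is the destination, not the protocol; the victim-side count keys on the replying /24 so that a large amplifying LAN stands out even when each host replies only once.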

  4. Generic attacks (2)
  (diagram: attacker sends a SYN packet to the victim)
  • SYN flood
    • 1. The attacker sends a SYN packet to the victim, forging a non-existent IP address.
    • 2. The victim replies with SYN/ACK but receives neither an ACK nor a RST from the non-existent IP address.
    • 3. The victim keeps the potential connection in a queue in the SYN_RECV state, but the queue is small and it takes some time for the entry to time out and be flushed from the queue, e.g. 75 seconds.
    • 4. If a few SYN packets are sent by the attacker every 10 seconds, the victim will never clear the queue and stops responding.
    • Countermeasures: (1) increase the size of the queue, (2) decrease the timeout period, (3) apply patches to the OS to protect from SYN attacks, and (4) use an IDS, which can respond to the SYN attack by providing RST responses.
  • DNS attacks
    • primarily a UNIX/Linux problem. Go to the BIND site and download the latest version, which fixes it.
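
Steps 1 to 4 above are an argument about queue occupancy, and countermeasures (1) and (2) change two of its parameters. The simulation below is an added example, not code from the presentation: it models the half-open queue as a list of expiry times, feeds it a trickle of spoofed SYNs, and counts how often a legitimate client finds a free slot. The specific parameter values (queue of 8, 75 s timeout, 2 spoofed SYNs every 10 s, one legitimate attempt every 5 s) and the simplification that a legitimate handshake completes within the same tick are assumptions made for the illustration.

```python
"""Discrete-time model of the SYN backlog described on the slide.

The victim keeps each half-open connection (SYN_RECV) in a queue of fixed
size until the handshake completes or a timeout expires. Spoofed SYNs never
complete, so each one holds its slot for the whole timeout; a legitimate
client is refused whenever it arrives to a full queue. The parameters used
below (queue of 8, 75 s timeout, 2 spoofed SYNs every 10 s) are assumed for
the illustration and are not measurements from the presentation.
"""
from collections import deque


def simulate(queue_size, timeout, burst, interval, duration, legit_interval=5):
    """Run `duration` one-second ticks. Returns (legit_accepted, legit_refused).

    queue_size     slots for half-open connections (countermeasure 1 raises it)
    timeout        seconds a half-open entry survives (countermeasure 2 lowers it)
    burst/interval spoofed SYNs sent by the attacker every `interval` seconds
    legit_interval a legitimate client attempts a connection this often
    """
    backlog = deque()          # expiry times of half-open entries, oldest first
    accepted = refused = 0
    for t in range(duration):
        # 1. expire entries whose timeout has passed
        while backlog and backlog[0] <= t:
            backlog.popleft()
        # 2. attacker's spoofed SYNs: no ACK or RST ever comes back, so each
        #    accepted entry sits in SYN_RECV until it times out
        if t % interval == 0:
            for _ in range(burst):
                if len(backlog) < queue_size:
                    backlog.append(t + timeout)
        # 3. legitimate client: modelled (simplification) as completing its
        #    handshake at once, so it only needs one free slot when its SYN arrives
        if t % legit_interval == 0:
            if len(backlog) < queue_size:
                accepted += 1
            else:
                refused += 1
    return accepted, refused


if __name__ == "__main__":
    print("slide scenario     ", simulate(queue_size=8, timeout=75, burst=2, interval=10, duration=300))
    print("bigger queue (1)   ", simulate(queue_size=64, timeout=75, burst=2, interval=10, duration=300))
    print("shorter timeout (2)", simulate(queue_size=8, timeout=10, burst=2, interval=10, duration=300))
```

With the slide's numbers the queue fills after four bursts and most legitimate attempts are refused; raising the queue so that it exceeds burst × (timeout / interval) entries, or cutting the timeout below the burst interval, brings the refusals to zero in this model. Countermeasures (3) and (4) are not modelled: patches typically change how entries are stored, and an IDS sending RSTs removes entries early, which the model could represent as a shorter effective timeout.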

  5. UNIX and NT DoS/DDoS
  • IP fragmentation overlap: IP packets may need to be broken into parts (fragments) en route and put back together by the destination OS, which may have a flaw:
    • teardrop (Linux), syndrop.c, boink.c (Windows)
    • countermeasures: Linux kernels 2.0 and above; on NT, use SP6a.
  • Stream and raped attacks (UNIX/NT): resource starvation, driving the CPU up to 100%, preventing access to the network and stopping/slowing other jobs
    • stream.c: sends TCP ACK packets to a series of ports with random sequence numbers and random source IP addresses
    • raped.c: sends TCP ACK packets with spoofed IP addresses
    • countermeasures: in practice, none (unless you can change your IP address).
  • DDoS attacks: first attacks in February of 2000 --> Yahoo, E*TRADE, eBay, Buy.com, CNN.com, etc. Attacks have three stages:
    • attack systems and gain administration privileges (hunting grounds: @Home, DSL providers, etc.).
    • upload the DDoS software (server) to the slaves (zombies) and run it (listen).
    • when there are enough slaves, command them to attack the victim.
  • Examples: GRC.COM: a case example and press coverage of other attacks.
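
The fragmentation-overlap bullet describes a reassembler that trusts the offset and length fields of each fragment. The example below is added here and is not code from the presentation or from any OS: it is a small reassembler that refuses overlapping fragments (the class of input teardrop-style packets rely on) and incomplete fragment sets, which is the check the patched kernels and service packs on the slide effectively add. Fragment offsets are given directly in bytes, and the fragment sets are constructed for the illustration.

```python
"""Overlap-safe reassembly of IPv4 fragments, the check missing from the
reassemblers that teardrop-style packets crashed.

A fragment is (offset, payload, more_fragments). A reassembler that trusts
the offsets and lengths can compute a negative copy length or write past
its buffer when a later fragment's byte range intersects an earlier one.
This version rejects any overlapping fragment and any gap before accepting
the datagram. The fragments below are constructed for this example
(offsets already in bytes, not in 8-byte units) and are not from the presentation.
"""


class FragmentError(ValueError):
    """Raised for overlapping fragments or an incomplete fragment set."""


def reassemble(fragments):
    """Return the reassembled payload, or raise FragmentError."""
    placed = []          # (start, end) byte ranges already accepted
    parts = {}           # start offset -> payload
    last_end = None      # end of the fragment with more_fragments == False
    for offset, payload, more in sorted(fragments, key=lambda f: f[0]):
        if len(payload) == 0:
            raise FragmentError("empty fragment")
        start, end = offset, offset + len(payload)
        for s, e in placed:
            if start < e and s < end:       # half-open intervals intersect
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{e})")
        placed.append((start, end))
        parts[start] = payload
        if not more:
            if last_end is not None:
                raise FragmentError("two fragments claim to be the last one")
            last_end = end
    if last_end is None:
        raise FragmentError("last fragment missing")
    # contiguity: accepted ranges must tile [0, last_end) with no holes
    expected = 0
    for s, e in sorted(placed):
        if s != expected:
            raise FragmentError(f"gap before offset {s}")
        expected = e
    if expected != last_end:
        raise FragmentError("data after the final fragment")
    return b"".join(parts[s] for s, _ in sorted(placed))


def is_safe(fragments):
    """True when the fragment set reassembles cleanly."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


# Constructed fragment sets
GOOD = [(0, b"A" * 16, True), (16, b"B" * 8, False)]
OVERLAP = [(0, b"A" * 16, True), (8, b"B" * 16, False)]   # second starts inside the first
GAP = [(0, b"A" * 16, True), (24, b"C" * 8, False)]       # bytes 16..23 never arrive

if __name__ == "__main__":
    print(reassemble(GOOD))
    for name, frags in (("overlap", OVERLAP), ("gap", GAP)):
        try:
            reassemble(frags)
        except FragmentError as err:
            print(f"{name}: rejected ({err})")
```

Rejecting the whole datagram on overlap is the simplest safe policy; a production stack may instead keep the first or the last copy of an overlapped byte, but whichever rule it picks must be applied before any length arithmetic, since that arithmetic is where the crash happened.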

  6. DDoS attacks
  • TFN - Tribe Flood Network: install the server on the slaves and send the attack command with the client.
    • attacks available: ICMP, Smurf, UDP & SYN floods, see more here.
    • Countermeasures
      • detection: DDOSPing, Zombie Zapper and find_ddos.
      • prevention: apply patches, firewall rules to prevent attackers from gaining admin privileges, and block ICMP inbound traffic (not all that practical, but necessary under attack).
  • Trinoo and WinTrinoo: install the server on slaves and masters, and with the client send instructions to the master, which tells the slaves to attack. The hierarchy is needed because of the large scale of the attacks, see more here.
    • Countermeasures: same as TFN, including the above detection software.
    • WinTrinoo: the trojan is the file service.exe (not services.exe) and anti-virus software can find it.
  • Stacheldraht (barbed wire): combines the features of TFN with Trinoo and encrypts the telnet connections between master and slave, preventing IDSs from responding.
    • attacks available: ICMP, Smurf, UDP & SYN floods, see more here.
    • Countermeasures: same as TFN, including the above detection software.

  7. DDoS attacks (2)
  • TFN2K (TFN 2000): upgrade of the original TFN, using randomized ports (preventing port blocking at the router) and encryption (preventing the IDS from responding). See more here.
    • Attacks: SYN, UDP, ICMP, Smurf, and randomly switching between them.
    • Countermeasures: again use the same detection software and protect your machines, the best remedy (don't become a zombie!).
  • DDoS trends
    • CERT recent report: automation of propagation and router attacks.
    • NIPC recent advisory: DDoS to increase.
  • DDoS defense
    • FedCIRC - Defense Tactics for Distributed Denial of Service Attacks.
    • SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks.
  • Alerts and Advisories:
    • CERT - incidents and fixes
    • NIPC - Warnings
    • Securityteam.com - NT and UNIX.
  • Denial of Service (DoS) Attack Resources page.
