
Denial of Service Attacks:Detection and Reaction

Georgios Koutepas, Basil Maglaris

National Technical University of Athens, Greece

Cyprus Conference on Information Security 2002

October 12, 2002

What is "Denial of Service"?
  • An attack to suspend the availability of a service
  • Until recently the "bad guys" tried to enter our systems. Now it’s:

"If not us, then Nobody"

  • No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
  • No easy solutions! DoS still mostly a research issue

DoS Attacks: Detection and Reaction. CSC, October 12, 2002

Main Characteristics of DoS
  • Variable targets:
    • Single hosts or whole domains
    • Computer systems or networks
    • Important: Active network components (e.g. routers) also vulnerable and possible targets!
  • Variable uses & effects:
    • Hacker "turf" wars
    • High profile commercial targets (or just competitors…).
    • Useful in cyber-warfare, terrorism etc…


Brief History

First Phase (starting in the '90s): DoS

  • Started as bug/vulnerability exploitation
  • Single hosts - single services were the first targets
  • Single malicious packets

Second Phase (1996-2000)

  • Resource consuming requests from many sources
  • Internet infrastructure used for attack amplification

Third Phase (after 2000): Distributed DoS

  • Bandwidth of network connections is the main target
  • Use of many compromised machines ("zombies"), possibly in several attack stages; the escalation effect saturates the victims


Brief History (cont.)

Important Events:

  • February 7-11, 2000: big commercial sites (CNN, Yahoo, eBay) are taken down by flooding of their networks.
    • The attacks capture the attention of the media
    • The US President assembles emergency council members of Internet, e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
  • January 2002: the British ISP CloudNine suspends operations because of continuous DoS attacks interrupting its Internet connectivity.


Host DoS Attacks
  • Usually one attacker - one target
  • Methods used are derivatives of ones used for unauthorized access:
    • Buffer overflows on unchecked input can overwrite parts of the stack. The result is either an "open door" (attacker-chosen code runs) or a crash of the service or system
    • Ambiguities in network protocols and their implementations. Specially designed packets can halt the protocol stack or the whole system


Examples of Host DoS Attacks
  • Land attack: TCP SYN packets whose source address and port are identical to the destination address and port; vulnerable stacks lock up or loop when they try to answer themselves
  • Teardrop attack: sends overlapping IP fragments to a network-connected machine, exploiting a bug in the fragment reassembly code of various TCP/IP implementations

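Both of these are single-packet signatures that a host or network IDS can check directly. The following Python checker is an added example, not code from the slides: it parses constructed IPv4 packets (built here with struct, so the checks run on real header layouts) and flags the Land condition (source address and port equal to destination address and port on a SYN) and the Teardrop condition (a fragment whose byte range overlaps a fragment already seen for the same datagram). The sample packets, addresses and ports are constructed for illustration.

```python
import struct
from typing import Dict, List, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN = 0x02


def build_ipv4(src: str, dst: str, proto: int, ident: int,
               frag_off_units: int, more_frags: bool, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header + payload (checksum left zero: test packets only)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (seq/ack/checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": pkt[ihl:total_len],
    }


def is_land(pkt: bytes) -> bool:
    """Land: a TCP SYN whose source (address, port) equals its destination."""
    ip = parse_ipv4(pkt)
    if ip["src"] != ip["dst"] or ip["proto"] != IPPROTO_TCP:
        return False
    if ip["offset"] != 0 or len(ip["payload"]) < 20:
        return False                    # only the first fragment carries the TCP header
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    flags = ip["payload"][13]
    return sport == dport and bool(flags & TCP_SYN)


class FragmentTracker:
    """Remembers the byte ranges of fragments per datagram and flags any new
    fragment that overlaps one already seen (the Teardrop pattern)."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[str, str, int, int], List[Tuple[int, int]]] = {}

    def overlaps(self, pkt: bytes) -> bool:
        ip = parse_ipv4(pkt)
        if not ip["mf"] and ip["offset"] == 0:
            return False                # not a fragment at all
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, end = ip["offset"], ip["offset"] + len(ip["payload"])
        ranges = self._seen.setdefault(key, [])
        hit = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return hit


def scan(packets: List[bytes]) -> List[str]:
    """One alert string per offending packet, in arrival order."""
    alerts, tracker = [], FragmentTracker()
    for i, pkt in enumerate(packets):
        if is_land(pkt):
            alerts.append(f"packet {i}: LAND (src == dst)")
        if tracker.overlaps(pkt):
            alerts.append(f"packet {i}: overlapping fragment (teardrop-style)")
    return alerts


# Constructed sample traffic: a normal SYN, a Land packet, a cleanly fragmented
# UDP datagram (two pieces) and a Teardrop-style pair whose second piece overlaps.
SAMPLE = [
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_TCP, 1, 0, False, build_tcp(40001, 80, TCP_SYN)),
    build_ipv4("192.0.2.10", "192.0.2.10", IPPROTO_TCP, 2, 0, False, build_tcp(139, 139, TCP_SYN)),
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_UDP, 3, 0, True, b"A" * 32),   # bytes 0-31
    build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_UDP, 3, 4, False, b"B" * 8),   # bytes 32-39, fine
    build_ipv4("198.51.100.9", "192.0.2.10", IPPROTO_UDP, 4, 0, True, b"C" * 32),   # bytes 0-31
    build_ipv4("198.51.100.9", "192.0.2.10", IPPROTO_UDP, 4, 3, False, b"D" * 8),   # bytes 24-31: overlap
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

The tracker keys on (source, destination, IP ID, protocol), which is what a reassembly queue keys on; a production sensor would also expire stale entries so that the tracker itself cannot be turned into a memory-exhaustion target.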

Host Resource DoS Attacks
  • Target continues (most of the times) operation but cannot offer any useful services.
  • Resource exhaustion through legitimate requests to the target host
    • SYN Flooding attack
    • Ping Flooding attack
    • Smurf attack: the ping flow is "amplified": ICMP echo requests are sent to a number of network broadcast addresses with the victim's address as source, so every host on those networks replies to the victim


Example of a "Smurf" Attack

Diagram (labels recovered from the slide): the Attacker sends ICMP Echo requests with Destination: LAN broadcast and Source: victim.host into an unsecured LAN; every host on that LAN answers with an ICMP Echo reply to Destination: victim.host, the target web server.

Admin Problem: the router allows Ping to the LAN broadcast address.

Network Attacks: Distributed DoS

Diagram (labels recovered from the slide): the Attacker first takes control (1. Taking control) of compromised machines in Domain A and Domain B, the "zombies", and then commands them (2. Commanding the attack) to flood the Target domain.

Admin Problem 1: active "zombies" in the domain.

Admin Problem 2: the network allows outgoing packets with wrong (spoofed) source addresses.

Main Characteristics of DDoS
  • A few hundred persistent flows are enough to knock a large network off the Internet
  • Incoming traffic has to be controlled, outside the victim’s domain, at the upstream providers
  • Usually source IPs spoofed on attack packets
  • Offending systems may be controlled without their users suspecting it
  • Possibly many levels of command & control:
    • Attacker-Manager-Agents
    • Examples of automated tools for such attacks: "Trinoo", "Stacheldraht" and "TFN2K" (DDoS toolkits, often installed together with a rootkit that hides the agent)


Multi-tier attack

Diagram (labels recovered from the slide): Attacker -> Attack Masters -> Attack Agents ("zombies") -> Target domain.

Admin Problem: no detection of malicious activities on the hosts running masters or agents.

Reflection DDoS Attack

Diagram (labels recovered from the slide): Attacker -> Attack Master -> "zombies". The zombies send legitimate TCP SYN requests, carrying the target's address as source, to web or other servers and routers; the TCP SYN-ACK answers all go to the Target domain.

Detection
  • Host DoS attacks:
    • Border Defenses must be kept up to date
    • Host and Network based Intrusion Detection Systems
    • Investigate suspicious activity indications


Detection (cont.)
  • Distributed DoS attacks - on the Network
    • Offensive flows must be identified quickly
      • Tip: set broad "permit" filter entries on the border routers (e.g. per protocol or per destination) and watch their match counters; an entry whose counter climbs far above its baseline points at the attack flow
      • Use Netflow or other monitoring tool
    • Follow router indications
      • Tip: Check router load for abnormal signs
  • Distributed DoS attacks - in the Domain
    • Perform frequent security audits for hidden malicious code ("zombies") or attack rootkits
    • Install an anti-virus package

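The two tips above (watch which broad filters or flow aggregates suddenly attract matches) can be automated over exported flow records. The following is an added example, not the Panoptis engine or any other tool from the slides: it aggregates NetFlow-style records per destination, flags the three flood signatures described on the earlier slides (SYN flood, SYN-ACK reflection, Smurf echo-reply amplification) and prints a candidate border filter in Cisco IOS extended-ACL syntax. The flow records and thresholds are constructed for illustration; the NetFlow v5 convention of carrying ICMP type*256+code in the destination-port field is assumed for the ICMP records.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

TCP, ICMP = 6, 1
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


@dataclass
class Flow:
    """One NetFlow-style record. For ICMP, NetFlow v5 stores type*256+code in dport."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int   # cumulative OR of the TCP flags seen in the flow
    packets: int


@dataclass
class Alert:
    dst: str
    kind: str
    flows: int
    sources: int
    port: int        # service port to name in the filter (dport, or sport for reflection)


# Assumed thresholds for a mid-size site; derive real ones from a traffic baseline.
MIN_FLOWS = 100         # aggregate size before it is worth looking at
MIN_SOURCES = 50        # distinct sources: spoofing or many zombies
MIN_PACKETS = 10_000    # volume needed to call an unclassified aggregate a flood
SIGNATURE_RATIO = 0.8   # fraction of flows that must match one signature


def detect(flows: List[Flow]) -> List[Alert]:
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    alerts: List[Alert] = []
    for dst, fl in by_dst.items():
        sources = len({f.src for f in fl})
        if len(fl) < MIN_FLOWS or sources < MIN_SOURCES:
            continue
        signatures = {
            # SYN flood: half-open handshakes, the flow never carried an ACK
            "syn_flood": sum(1 for f in fl if f.proto == TCP and f.tcp_flags == SYN),
            # reflection: SYN-ACK answers from servers, connections that never got further
            "synack_reflection": sum(1 for f in fl if f.proto == TCP and f.tcp_flags == SYN | ACK),
            # smurf: ICMP echo replies (type 0) converging on one host
            "smurf_echo_reply": sum(1 for f in fl if f.proto == ICMP and f.dport // 256 == 0),
        }
        kind, count = max(signatures.items(), key=lambda kv: kv[1])
        if count / len(fl) < SIGNATURE_RATIO:
            if sum(f.packets for f in fl) < MIN_PACKETS:
                continue                      # busy but unremarkable server
            kind = "generic_flood"
        port_field = "sport" if kind == "synack_reflection" else "dport"
        port = Counter(getattr(f, port_field) for f in fl).most_common(1)[0][0]
        alerts.append(Alert(dst, kind, len(fl), sources, port))
    return alerts


def ios_acl(alert: Alert, acl: int = 100) -> str:
    """Candidate Cisco IOS extended-ACL line to hand to the upstream provider.
    It names the aggregate; whether to drop or rate-limit it is a policy decision."""
    if alert.kind == "smurf_echo_reply":
        return f"access-list {acl} deny icmp any host {alert.dst} echo-reply"
    if alert.kind == "synack_reflection":
        return f"access-list {acl} deny tcp any eq {alert.port} host {alert.dst}"
    if alert.kind == "syn_flood":
        return f"access-list {acl} deny tcp any host {alert.dst} eq {alert.port}"
    return f"access-list {acl} deny ip any host {alert.dst}"


def sample_flows() -> List[Flow]:
    """Constructed records, not a real capture: one busy but healthy web server
    plus the three attack signatures."""
    flows: List[Flow] = []
    for i in range(120):   # healthy: full handshakes with data, 192.0.2.40:80
        flows.append(Flow(f"203.0.113.{i + 1}", "192.0.2.40", TCP, 1024 + i, 80, SYN | ACK | PSH | FIN, 12))
    for i in range(400):   # SYN flood from spoofed sources against 192.0.2.10:80
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "192.0.2.10", TCP, 1024 + i, 80, SYN, 1))
    for i in range(300):   # reflection: SYN-ACKs from many web servers to 192.0.2.20
        flows.append(Flow(f"198.51.100.{i % 250 + 1}", "192.0.2.20", TCP, 80, 1025 + i, SYN | ACK, 3))
    for i in range(200):   # smurf: echo replies from a whole /24 to 192.0.2.30
        flows.append(Flow(f"203.0.113.{i + 1}", "192.0.2.30", ICMP, 0, 0, 0, 40))
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(f"{a.dst}: {a.kind} ({a.flows} flows from {a.sources} sources) -> {ios_acl(a)}")
```

The healthy server is deliberately above the flow and source thresholds: it is not reported because no single signature dominates and its packet volume is ordinary, which is the check that keeps a popular site from being filtered by its own defences.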

Reaction to DDoS
  • The malicious flows have to be determined. Timely reaction is critical!
  • The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
  • Filters that will block attack traffic must be set up and maintained. The effectiveness of the actions must be verified.
  • The bandwidth penalty is still present throughout all the affected networks. Actions are required on all the networks on the attack path


Reaction to DDoS (cont.)
  • Another option (it helps the ISP, not the victim): stop all traffic to the target by routing it to a central point and discarding it ("blackholing"). This completes the attack!
  • Trace-back efforts:
    • Following the routing (if sources not spoofed)
    • Step by step through the ISPs. Difficult to convince them if they are not themselves affected by the bandwidth penalty
  • The conclusion: not a matter of a single site


Prevention - Preparation
  • Good administrative practices: a must
    • Backup!
    • Have a recovery plan, possibly a stand-by system
    • Train your personnel, have someone aware of security issues available at all times
    • Have emergency contact points with your ISPs and CERTs, know beforehand whom to call and have clear service policies on what they are obliged to do
  • Care for the rest of the world
    • Prevent spoofed traffic from exiting your network
    • Filter pings to broadcast addresses (smurf amplifier)

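The two "care for the rest of the world" items are what BCP 38 ingress/egress filtering and disabling directed broadcasts enforce (on Cisco IOS routers, `ip verify unicast reverse-path` on the interface and `no ip directed-broadcast`). As an added example, not from the slides, here is a small Python policy check that decides, for constructed packets, whether a border router should let them pass in either direction. The site prefix, the local subnets and the bogon list are assumed values for the example.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Assumed addressing for the example site.
SITE_PREFIXES = [Net("203.0.113.0/24")]                            # what we announce to the ISP
LOCAL_SUBNETS = [Net("203.0.113.0/25"), Net("203.0.113.128/25")]   # our LANs
# Sources that never legitimately arrive from the Internet (RFC 1918, loopback, ...).
BOGONS = [Net(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                           "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]

Verdict = Tuple[str, str]   # ("permit" | "drop", reason)


def _in(addr: Addr, nets: List[Net]) -> bool:
    return any(addr in n for n in nets)


def _directed_broadcast(addr: Addr) -> bool:
    """Broadcast address of one of our subnets: a smurf amplifier if reachable from outside."""
    return any(addr == n.broadcast_address for n in LOCAL_SUBNETS)


def egress_check(src: str, dst: str) -> Verdict:
    """Packet leaving the site towards the ISP (the 'spoofed traffic' rule)."""
    if not _in(Addr(src), SITE_PREFIXES):
        return ("drop", f"source {src} is not ours: spoofed packet, typical zombie output")
    return ("permit", "source inside our prefix")


def ingress_check(src: str, dst: str) -> Verdict:
    """Packet arriving from the ISP. The broadcast rule is stricter than 'filter pings':
    nothing from outside may reach a directed broadcast address."""
    s, d = Addr(src), Addr(dst)
    if _in(s, SITE_PREFIXES):
        return ("drop", f"source {src} claims to be inside: spoofed (Land, smurf trigger)")
    if _in(s, BOGONS):
        return ("drop", f"source {src} is a bogon")
    if _directed_broadcast(d):
        return ("drop", f"destination {dst} is a directed broadcast: smurf amplifier")
    return ("permit", "ordinary inbound packet")


# Constructed packets: (direction, src, dst).
SAMPLES = [
    ("egress", "203.0.113.17", "192.0.2.10"),     # normal outbound
    ("egress", "10.0.0.5", "192.0.2.10"),         # zombie spoofing a private source
    ("egress", "192.0.2.10", "192.0.2.10"),       # Land-style packet with a foreign source
    ("ingress", "198.51.100.7", "203.0.113.17"),  # normal inbound
    ("ingress", "203.0.113.17", "203.0.113.17"),  # our own prefix arriving from outside
    ("ingress", "192.0.2.10", "203.0.113.255"),   # echo request to our broadcast address
    ("ingress", "192.168.1.1", "203.0.113.17"),   # bogon source
]


def run_samples() -> List[str]:
    out = []
    for direction, src, dst in SAMPLES:
        check = egress_check if direction == "egress" else ingress_check
        verdict, reason = check(src, dst)
        out.append(f"{direction:7} {src:>15} -> {dst:<15} {verdict}: {reason}")
    return out


if __name__ == "__main__":
    print("\n".join(run_samples()))
```

The egress rule is the one that protects everybody else: a zombie inside the site can still flood, but it can no longer hide behind a spoofed source, which makes trace-back through the ISPs (the Reaction slides above) a matter of reading the source address.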

Main DoS Research Problems
  • DoS
    • Is mostly an Intrusion Detection / Prevention problem
    • Not many things possible since a single packet can do all the damage
    • Some efforts to have an "Immune System" type of detection for anomalous system call sequences.
  • DDoS
    • Timely attack detection
    • Source tracing
    • Traffic flow control and attack suppression
    • Intrusion Detection Systems not very helpful


CenterTrack

Diagram (only the target domain and the attack flow survived extraction).

  • R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", 9th USENIX Security Symposium, Denver, Colorado, USA, August 2000

PushBack

Diagram, with the steps as labelled on the slide (the attack flow enters the target domain through a chain of routers):

1. Aggregate characteristics determined
2. Incoming traffic interface determined
3. Containment filter set locally
4. Continue to the next router in the attack path using the Pushback protocol

  • J. Ioannidis and S. Bellovin, "Pushback: Router-Based Defense Against DDoS Attacks", NDSS, February 2002
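The four steps on the slide, and the "communicate the attack characteristics upstream" point of the Reaction slides, as an added simulation in Python (not the authors' code and not the Pushback implementation): a router that is dropping packets identifies the aggregate (destination prefix) responsible, rate-limits it locally and asks each upstream neighbour carrying that aggregate to enforce its share, recursing towards the sources. The share is divided by a max-min fair split among the contributing links, as in the Pushback design, so the heavy contributors are cut first and light ones keep what they send. The topology, rates, /24 aggregate granularity and the shape of the propagated request are assumed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology and traffic (Mbit/s). Each entry: (path of routers towards
# the victim, destination address, rate). R3 is the victim's border router.
TRAFFIC: List[Tuple[List[str], str, float]] = [
    (["A1", "R1", "R3"], "192.0.2.10", 400.0),   # zombie farm behind A1
    (["A2", "R1", "R3"], "192.0.2.10", 300.0),   # second farm behind A2
    (["B1", "R2", "R3"], "192.0.2.11", 100.0),   # smaller source behind B1
    (["B1", "R2", "R3"], "198.51.100.5", 50.0),  # unrelated traffic, must stay untouched
]


def identify_aggregate(dropped: Dict[str, int], prefix_len: int = 24) -> str:
    """Step 1: the destination prefix responsible for most drops
    ('dropped' maps destination address -> packets dropped for it)."""
    per_prefix: Dict[str, int] = {}
    for dst, n in dropped.items():
        net = str(ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False))
        per_prefix[net] = per_prefix.get(net, 0) + n
    return max(per_prefix, key=per_prefix.get)


def contributions(traffic, router: str, aggregate: str) -> Dict[str, float]:
    """Step 2: rate of the aggregate arriving at 'router' per incoming neighbour."""
    net = ipaddress.ip_network(aggregate)
    per_link: Dict[str, float] = {}
    for path, dst, rate in traffic:
        if router in path and ipaddress.ip_address(dst) in net:
            i = path.index(router)
            if i > 0:
                per_link[path[i - 1]] = per_link.get(path[i - 1], 0.0) + rate
    return per_link


def max_min_split(limit: float, demand: Dict[str, float]) -> Dict[str, float]:
    """Share 'limit' among links by max-min fairness: a link sending less than the
    fair share keeps all of it; the remainder is split evenly among the heavy links."""
    allotted: Dict[str, float] = {}
    pending, remaining = dict(demand), limit
    while pending:
        share = remaining / len(pending)
        small = {k: v for k, v in pending.items() if v <= share}
        if not small:
            allotted.update({k: share for k in pending})
            break
        for k, v in small.items():
            allotted[k] = v
            remaining -= v
            del pending[k]
    return allotted


def pushback(traffic, router: str, aggregate: str, limit: float, depth: int = 2) -> Dict[str, float]:
    """Steps 3-4: install a containment filter for 'aggregate' at 'router', then ask each
    upstream neighbour to enforce its share, recursing 'depth' hops towards the sources.
    Returns router -> rate limit. The request format is assumed, not the real protocol's."""
    filters = {router: limit}
    if depth == 0:
        return filters
    for upstream, rate in max_min_split(limit, contributions(traffic, router, aggregate)).items():
        filters.update(pushback(traffic, upstream, aggregate, rate, depth - 1))
    return filters


if __name__ == "__main__":
    agg = identify_aggregate({"192.0.2.10": 9000, "192.0.2.11": 2000, "198.51.100.5": 30})
    for r, lim in pushback(TRAFFIC, "R3", agg, 200.0).items():
        print(f"{r}: limit {agg} to {lim:.0f} Mbit/s")
```

With the constructed numbers, R3 caps the aggregate at 200 Mbit/s; R2 carries only 100 and keeps all of it, R1 is cut from 700 to 100 and in turn splits that evenly between A1 and A2. The unrelated flow through R2 is never counted, which is the point of filtering by aggregate rather than by interface: the bandwidth penalty is removed along the whole attack path without blackholing the victim.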

Panoptis

Diagram (labels recovered from the slide): the NetFlow border routers of the target domain export flow data to the Panoptis Analysis Engine, which

1. determines the aggregate characteristics of the attack,
2. determines the traffic interfaces it enters on, and
3. configures filters automatically.

  • C. Kotsokalis, D. Kalogeras and B. Maglaris, "Router-Based Detection of DoS and DDoS Attacks", HP OpenView University Association (HPOVUA) Conference '01, Berlin, Germany, June 2001

Trans-Domain Cooperative IDS Entities

Diagram (labels recovered from the slide): each participating domain runs a Cooperative IDS Entity; a notification about an attack is propagated between these entities (multicast), skipping non-participating domains, and each entity activates filters and reacts according to its local policies.

  • G. Koutepas, F. Stamatelopoulos, B. Maglaris, "A Trans-Domain Framework Against Denial of Service Attacks", submitted to the 10th Annual Network and Distributed System Security Symposium, San Diego, California, February 2003