Denial of Service WORLDS ATTAKS Prepared by: Mohammed Mahmoud Hussain Supervised by : Dr. Lo’ai Tawalbeh NYIT-winter 2007
Good News / Bad News • The Internet and Networks give us better connectivity • Share information • Collaborate (a)synchronously • The Internet and Networks give us better connectivity • Viruses can spread easier • “The bad guys” now have easier access to your information as well
Why do I want to be secure?(What’s in it for me?) • You can ensure private information is kept private • Some things are for certain eyes only and you probably want to keep them that way • Is someone looking over your shoulder (physically or virtually)?
The 3 Main Forms of Bad Guys • Virus/Worm • Trojan • Denial of Service
Viruses / Worms • Most widely known – thanks to press coverage • What is it? • Computer programs written bybad guys ( ) to do malicious things often triggered by a specific event • Example – Word Macro Virus that sends out junk email when word document is opened
Trojan horse • Most dangerous of all • What is it? • Computer programs often written by good guys but used by bad guys ( ) to give them a back door to intended computer • Example – Remote Management application that runs in background • and allows the bad guys to “get in” • and use your computer as they wish
Typically can not besafely removed – must start from working backup or scratch • Because • Deleting/modifying data files is one of their goals • Stealing personal information also • Interrupting/destroying business processes (contingency plan)
Denial of service ( DOS ) • Too many requests for a particular web site “clog the pipe” so that no one else can access the site • Also the using of land attack
Possible impacts: -May reboot your computer -Slows down computers-Certain sites -applications become inaccessible **you are off.
Where are you • Every one has to know that they come from 3 places • New Files” • “Viewed Content” • “Exposed Services
Where they come from • Unwanted email with attachments you weren’t expecting • Downloaded programs from the internet that come from less than trustworthy locations • File Sharing Programs (P2P)
Websites that will “install” things for you The more open doors your computer has, the more chance of someone coming in
What is Denial of Service Attack? • “Attack in which the primary goal is to deny the victim(s) access to a particular resource.”
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
How to take down a restaurant Restauranteur Saboteur
O.K., Mr. Smith Table for four at 8 o’clock. Name of Mr. Smith. Saboteur vs. Restauranteur Restauranteur Saboteur
Restauranteur No More Tables! Saboteur
Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack
Categories of DOS attack • Bandwidth attacks • Protocol exceptions • Logic attacks
A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.
A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected, such as when an attacker sends a flood of SYN packets.
The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking. A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this type of confused activity and subsequently crash.
Types • Types of DoS AttacksThe infos here introduce the common types of DoS attacks, many of which can be done as a DDoS attack.
PING OF DEATH A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture, a normal ping has two messages:
BUT • With a Ping of Death attack, an echo packet is sent that is larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot. • You can perform a Ping of Death from within Linux by typing ping –f –s 65537. Note the use of the –f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target. Tools:- -Jolt -SPing-ICMP Bug -IceNewk
Smurf and Fraggle A Smurf attack is another DoS attack that uses ICMP. Here, an request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.
If the broadcast ping cannot be sent to a network, a Smurf amplifier is instead. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. NMap provides the capability to detect whether a network can be used as a Smurf amplifier.
A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.
LAND Attack • In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack. HPing can be used to craft packets with the same spoofed source and destination address.
Synchronous flood • A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.
but in our case the using of the syn flood for the 3 way handshaking is taking another deal, that is the attacker host will send a flood of syn packet but will not respond with an ACK packet.The TCP/IP stack will wait a certain amount of time before dropping the connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled.
With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until
the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.
SYN floods are still successful today for three reasons: 1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack. 2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small. 3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.
“TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” An example: TCP SYN flooding Buffer
Now we may categorize the DOS in to 3 parts depending on the number of characters.
Direct Single-tier DoS Attacks • Straightforward 'point-to-point' attack, that means we have 2 actors hacker and victim. • Examples • Ping of Death • SYN floods • Other malformed packet attacks
Direct Dual-tier DoS Attacks • More complex attack model • Difficult for victim to trace and identify attacker • Examples • Smurf
Direct Triple-tier DDoS Attacks • Highly complex attack model, known as Distributed Denial of Service (DDoS). • DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your networks against this level of attack. • Examples • TFN2K • Stacheldraht • Mstream
The Components of a DDoS Flood Network • Attacker • Often a hacker with good networking and routing knowledge. • Master servers • Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts. • Zombie hosts • Thousands of backdoored hosts over the world
Distributed Denial of Service Attack (DDoS) In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple comprised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. Like a DoS attack, In a DDoS attack the legitimate requests to the affected system are denied. Since a DDoS attack it launched from multiple sources, it is often more difficult to detect and block than a DoS attack.
Results expected • Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise. • Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Forms • attempts to "flood" a network, thereby preventing legitimate network traffic • attempts to disrupt connections between two machines, thereby preventing access to a service • attempts to prevent a particular individual from accessing a service • attempts to disrupt service to a specific system or person
Internet Service Providers • Deploy source address anti-spoof filters (very important!). • Turn off directed broadcasts. • Develop security relationships with neighbor ISPs. • Set up mechanism for handling customer security complaints. • Develop traffic volume monitoring techniques.
High loaded machines • Look for too much traffic to a particular destination. • Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.). • Can we automate the tools – too many queue drops on an access router will trigger source detection? (bl.. • Disable and filter out all unused UDP services.