
Denial of Service Attacks: Methods, Tools, and Defenses

Denial of Service Attacks: Methods, Tools, and Defenses. Prof. Mort Anvari Strayer University at Arlington. Introduction. Basic types of DoS attacks Evolution of DoS tools Overview of DoS tools Defenses. What is Denial of Service Attack?.


Presentation Transcript


  1. Denial of Service Attacks: Methods, Tools, and Defenses Prof. Mort Anvari Strayer University at Arlington

  2. Introduction • Basic types of DoS attacks • Evolution of DoS tools • Overview of DoS tools • Defenses

  3. What is Denial of Service Attack? • “Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC) • Very wide definition, covers lots of cases • This tutorial covers only a subset of all DoS attacks

  4. Modes of Denial of Service Attack • Consumption of limited resources • Network connectivity • Bandwidth consumption • Other resources: • Processing time • Disk space • Lockout of an account • Alteration of configuration information

  5. DoS Attacks - Statistics • There are more than 4000 attacks per week • During 2000, 27% of security professionals detected DoS attack against their system • In February 2000 attacks, stream going to one of affected sites was about 800Mb/s

  6. DoS Attacks - Statistics Overall Internet performance degradation during February 2000 attacks [table from Keynote Systems; the values are not recoverable from the transcript] • PPW – Performance in previous week • PAW – Performance in attacking week • CPW – Change from previous week • Source: Keynote Systems

  7. DoS Attacks - Basics Prof. Mort Anvari Strayer University at Arlington

  8. DoS Attacks - Basics Attack has two phases: • Installation of DoS tools • Committing an attack

  9. DoS Attacks - Basics Installation of DoS tools: • Finding a suitable machine: • Unprotected ports • Vulnerable services • Errors in operating systems • Trojan horses and worms • Installation of the tool itself • Installation of a root-kit

  10. DoS Attacks - Basics Ping of Death • Maximum size of TCP/IP packet is 65536 bytes • Oversized packet may crash, freeze, reboot system • Obsolete

  11. DoS Attacks - Basics Teardrop • IP packet can be broken (fragmented) • Broken packet is reassembled using offset fields

  12. DoS Attacks - Basics Teardrop • Overlapping offset fields • Obsolete
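The two fragment-level attacks on slides 10 to 12 can both be caught by the same pre-reassembly check: an offset that lands inside bytes already covered (Teardrop) or a reassembled size beyond the datagram limit (Ping of Death). The following model is an added example, not code from the slides; the Fragment class and the sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # largest IPv4 datagram including its header (the slide rounds this to 65536)
IP_HEADER_LEN = 20        # minimal IPv4 header, added back when judging the reassembled size

@dataclass
class Fragment:
    """One IP fragment as a reassembler sees it (constructed model, not the wire format)."""
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True unless this is the final fragment

def check_fragments(frags):
    """Classify the fragments of one datagram before reassembling them.

    Returns 'overlap' (Teardrop: an offset rewrites bytes already covered),
    'oversized' (Ping of Death: reassembled datagram would exceed 65535 bytes),
    'incomplete' (final fragment missing) or 'ok'.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    end_of_previous = 0
    for f in ordered:
        if f.offset < end_of_previous:   # this fragment starts inside the previous one
            return "overlap"
        end_of_previous = f.offset + f.length
    if end_of_previous + IP_HEADER_LEN > IP_MAX_DATAGRAM:
        return "oversized"
    if not ordered or ordered[-1].more:
        return "incomplete"
    return "ok"

# Constructed sample fragment sets
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(24, 4, False)]   # second fragment overlaps the first
PING_OF_DEATH = [Fragment(i * 1480, 1480, True) for i in range(44)] + [Fragment(65120, 398, False)]
```

A reassembler that refuses 'overlap' and 'oversized' sets before copying any bytes avoids the memory corruption both attacks relied on.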

  13. DoS Attacks - Basics SYN flood attack [figure: TCP SYN handshake between client and server: SYN, SYN/ACK, ACK] • Finite length of backlog queue • Lots of half-open connections • Partially solved
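To show why a finite backlog is the resource a SYN flood exhausts, and why aging out half-open entries only partially solves it, here is an added toy model (not from the slides): the backlog size, timeout and the addresses in the scenario are constructed values.

```python
class SynBacklog:
    """Toy model of a listening socket's backlog of half-open (SYN received, ACK pending) connections."""

    def __init__(self, size, timeout):
        self.size = size          # finite backlog length: the resource the flood exhausts
        self.timeout = timeout    # seconds a half-open entry is kept before being aged out
        self.pending = {}         # (src_ip, src_port) -> time the SYN arrived

    def expire(self, now):
        """Drop half-open entries older than the timeout; return how many were removed."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src, now):
        """Return True if the SYN gets a slot (server would send SYN/ACK), False if it is dropped."""
        self.expire(now)
        if len(self.pending) >= self.size:
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src):
        """Third handshake step: the entry leaves the backlog and becomes a full connection."""
        return self.pending.pop(src, None) is not None

def simulate_syn_flood(backlog_size=128, timeout=30.0, flood_syns=200):
    """Constructed scenario: spoofed SYNs fill the queue, a real client is refused,
    then gets through once the half-open entries have aged out."""
    bl = SynBacklog(backlog_size, timeout)
    for i in range(flood_syns):   # spoofed sources never send the final ACK
        bl.on_syn((f"198.51.100.{i % 250}", 1024 + i), now=0.0)
    during_flood = bl.on_syn(("203.0.113.9", 40000), now=1.0)
    after_timeout = bl.on_syn(("203.0.113.9", 40000), now=timeout + 1.0)
    return during_flood, after_timeout
```

The timeout restores service only while the attacker's SYN rate stays below backlog_size per timeout window, which is why the slide calls the problem partially solved.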

  14. DoS Attacks - Basics UDP flood [figure: attacker sends a spoofed request; chargen and echo services on two victims] • UDP echo service • UDP chargen service • Spoofed address • Easy prevention • Brute force approach if this one doesn’t work

  15. DoS Attacks - Basics Smurf attack [figure: attacker, intermediate systems, victim] • ICMP packets • Broadcast request • Spoofed address • Two victims • Cannot be easily prevented

  16. Evolution of DoS Attacks • Defenses were improved • Technology was improved, as well • Attackers had to improve their techniques for attacks

  17. Evolution of DoS Attacks [figure: bad packet from attacker to intermediate system, ICMP reply from intermediate to victim] • Packet processing rate is more limiting than bandwidth • CPU can be a limit in SYN flood attack • “Reflected” attacks

  18. (R)evolution of DoS Attacks Distributed DoS tools and networks • Client-Server architecture • Open-source approach • Several layers • Difficulties in tracking back the attacker

  19. Evolution of DoS Attacks • All of the systems are compromised • Terminology: • Client • Handler • Agent

  20. Evolution of DoS Attacks Implications of DDoS network: • One or two attackers • Small number of clients • Several handlers • Huge number of agents • Humongous traffic

  21. DoS Attacks - Tools Prof. Mort Anvari Strayer University at Arlington

  22. DoS Attacks - Tools History of DoS tools: • IRC disable tools • Single attack method tools • Distributed tools, with possibility of selecting the type of attack

  23. DoS Attacks - Tools Trinoo • Distributed • UDP flood (brute force) • Menu operated • Agent passwords are sent in plain text form (not encrypted)

  24. DoS Attacks - Tools TFN (Tribal Flood Network) • Multi-type attack • UDP flood • SYN flood • ICMP_ECHOREPLY flood • Smurf • Handler keeps track of its agents in “Blowfish” encrypted file

  25. DoS Attacks - Tools TFN2K • Improved version of TFN • Agent can randomly alternate between the types of attack • Agent is completely silent (handler sends the same command several times, hoping that the agent will receive at least one)

  26. DoS Attacks - Tools TFN2K • All communication is encrypted • Random source IP address and port number • Decoy packets (sent to non-target networks)

  27. DoS Attacks - Tools Stacheldraht • Several levels of protection: • Hard-coded password in client • Password is needed to take control over handler • Encrypted communication between handler and agent

  28. DoS Attacks - Tools Stacheldraht • Automated update of agents • TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent

  29. DoS Attacks - Tools Stacheldraht • ICMP_ECHOREPLY packets are difficult to stop • Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent uses several hard-coded IP addresses • Agent tests for a possibility of spoofing the source address

  30. DoS Attacks - Tools Stacheldraht • Weakness: it uses rpc command for update • Listening on this port can lead to detection of an agent • The drawback is that this can generate a lot of false alarms (rpc is used by legitimate users too)

  31. Defenses

  32. Defenses • There is no universal solution • There are some precautions that can help minimize the damage: • Prevention of becoming the source of an attack • Preparations for defending against an attack

  33. Defenses • Disable and filter out chargen and echo services • Disable and filter out all unused UDP services. • Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)

  34. Defenses • Install a filtering router to block the following cases: • Do not allow a packet to pass through if it is coming into your network and has a source address from your network • Do not allow a packet to pass through if it comes from your network and has a source address that doesn’t belong to your network

  35. Defenses • Network administrators should log all information on packets that are dropped • If you are providing external UDP services, monitor them for signs of misuse

  36. Defenses • The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router: • 10.0.0.0 to 10.255.255.255 (reserved) • 127.0.0.0 to 127.255.255.255 (loopback) • 172.16.0.0 to 172.31.255.255 (reserved) • 192.168.0.0 to 192.168.255.255 (reserved) • 0.0.0.0 and 255.255.255.255 (broadcasts)
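Slides 33, 34 and 36 together describe one filtering policy: ingress/egress anti-spoofing, the reserved ranges, and the UDP port rules, with slide 35 asking that drops be logged. The following is an added example of that policy as a rule function, not the deck's own code; the site prefix 203.0.113.0/24, the sample packets and the log format are constructed.

```python
import ipaddress

# Reserved/private ranges from slide 36: no traffic should be received from or sent to these
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/32", "255.255.255.255/32")]
DISABLED_UDP_PORTS = {7, 19}   # echo and chargen (slide 33)
UDP_LOW_PORT_LIMIT = 900       # block UDP ports below this ...
UDP_LOW_PORT_ALLOWED = {53}    # ... except specific ones such as DNS

def filter_packet(site_net, inbound, src, dst, proto, dport=None):
    """Return None to pass the packet, or the reason string a router should log when dropping it.

    site_net: the prefix this router protects (constructed: 203.0.113.0/24 in the samples);
    inbound:  True if the packet arrives from the Internet, False if it leaves the site.
    """
    site = ipaddress.ip_network(site_net)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if inbound and s in site:
        return f"ingress spoof: {s} claims an inside source on an outside packet"
    if not inbound and s not in site:
        return f"egress spoof: {s} is not an inside address on an outgoing packet"
    for net in RESERVED_NETS:
        if s in net or d in net:
            return f"reserved range {net}: src={s} dst={d}"
    if proto == "udp" and dport is not None:
        if dport in DISABLED_UDP_PORTS:
            return f"udp/{dport}: echo/chargen disabled"
        if dport < UDP_LOW_PORT_LIMIT and dport not in UDP_LOW_PORT_ALLOWED:
            return f"udp/{dport}: low UDP port not on the allow list"
    return None

def drop_log(site_net, packets):
    """Apply the rules and return one log line per dropped packet (slide 35)."""
    lines = []
    for inbound, src, dst, proto, dport in packets:
        reason = filter_packet(site_net, inbound, src, dst, proto, dport)
        if reason:
            lines.append(f"DROP {'in' if inbound else 'out'} {src}->{dst} {proto}/{dport}: {reason}")
    return lines

SAMPLE_PACKETS = [  # (inbound, src, dst, proto, dport), constructed
    (True, "203.0.113.5", "203.0.113.10", "tcp", 80),      # outside packet with an inside source
    (False, "198.51.100.7", "192.0.2.1", "tcp", 443),      # leaving with a foreign source
    (True, "10.1.2.3", "203.0.113.10", "udp", 53),         # from a private range
    (True, "198.51.100.7", "203.0.113.10", "udp", 19),     # chargen
    (True, "198.51.100.7", "203.0.113.10", "udp", 123),    # below 900 and not on the allow list
    (True, "198.51.100.7", "203.0.113.10", "udp", 53),     # DNS passes
    (False, "203.0.113.10", "192.0.2.1", "tcp", 443),      # normal outbound
]
```

The egress rule is what keeps your own hosts from becoming a usable source of spoofed flood traffic, which is the first of the two goals on slide 32.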

  37. Defenses • Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed • System should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)

  38. Defenses • Train your system and network administrators • Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com • From time to time, listen in on the attacker community to stay informed about their latest achievements • Be in contact with your ISP. If your network is being attacked, this can save a lot of time

  39. Conclusion • Several examples of large scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon) • Increased number of consumers with high bandwidth technologies, but with poor knowledge of network security • Easily accessible, easy to use DoS attack tools • No final solution for attacks

  40. This tutorial is based on a research paper done for isitworking.com • Isitworking is part of the Biopop company, Charlotte, NC, USA • So far, it was presented at: • SSGRR 2002w, L’Aquila, Italy • YU-INFO 2002, Kopaonik, Serbia

  41. Denial of Service Attacks: Methods, Tools, and Defenses Prof. Mort Anvari Strayer University at Arlington
