
Forensics Book 4: Investigating Network Intrusions and Cybercrime


Presentation Transcript


  1. Forensics Book 4: Investigating Network Intrusions and Cybercrime
  Chapter 5: Investigating DoS Attacks

  2. Objectives
  • Understand DoS attacks
  • Recognize the indications of a DoS/DDoS attack
  • Understand the different types of DoS attacks
  • Understand DDoS attacks
  • Understand the working of a DDoS attack

  3. Objectives (continued)
  • Understand the classification of a DDoS attack
  • Detect DoS attacks using Cisco NetFlow
  • Investigate DoS attacks
  • Understand the challenges in investigating DoS attacks

  4. Introduction to Investigating DoS Attacks
  • Denial-of-service (DoS) attacks
    • Attackers attempt to prevent legitimate users of a service from using it by flooding the network with traffic or disrupting connections
    • Attacker may target a particular server application or the network as a whole
    • May also be an effort to interrupt the connection between two machines
  • Improper use of resources may also create a DoS
  • DoS attacks can harm the target in terms of time and resources

  5. Indications of a DoS/DDoS Attack
  • Indications of a DoS/DDoS attack are as follows:
    • Unusual slowdown of network services
    • Unavailability of a particular Web site
    • Dramatic increase in the volume of spam

  6. Types of DoS Attacks
  • Main types of DoS attacks:
    • Ping of death
    • Teardrop
    • SYN flooding
    • LAND
    • Smurf
    • Fraggle
    • Snork
    • OOB attack
    • Buffer overflow attack
    • Nuke attack
    • Reflected attack

  7. Ping of Death Attack
  • Attacker deliberately sends an ICMP echo packet of more than 65,536 bytes
  • Attacks are dangerous since the identity of the attacker sending the huge packet could simply be spoofed
  • Attacker does not have to know anything about the target except its IP address
  • Several Web sites block ICMP ping messages at their firewalls to avoid this type of DoS attack

  8. Teardrop Attack
  • Occurs when an attacker sends fragments with overlapping values in their offset fields
  • Causes the target system to crash when it attempts to reassemble the data
  • Affects systems that run Windows NT 4.0, Windows 95, and Linux up to 2.0.32, causing them to hang, crash, or reboot

  9. SYN Flooding Attack
  • Occurs when the intruder sends SYN packets (requests) to the host system faster than the system can handle them
  • A connection is established through a TCP three-way handshake
  • Intruder transmits large numbers of such SYN requests, producing a TCP SYN flooding attack
  • Attack works by filling the table reserved for half-open TCP connections in the operating system’s TCP/IP stack

  10. LAND Attack
  • Attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports to a host computer
  • IP address used is the host’s IP address
  • For this to work, the victim’s network must be unprotected against packets coming from outside with their own IP addresses
  • Symptoms of a LAND attack depend upon the operating system running on the targeted machine
  • Because LAND uses spoofed packets to attack, only blocking spoofed packets can prevent it

  11. Smurf Attack
  • Network-level attack against hosts
  • Named after the program used to carry it out
  • Attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses using a spoofed source address matching that of the victim
  • Generates a large number of echo responses from a single request
  • Results in a huge network traffic jam, causing the network to crash

  12. Fraggle Attack
  • UDP variant of the Smurf attack
  • Attacker sends a large number of UDP ping packets to a list of IP addresses using a spoofed IP address
  • All of the addressed hosts then send an ICMP echo reply, which may crash the targeted system
  • Targets networks where UDP ports are open and allow unrestricted UDP traffic to bypass firewalls

  13. Snork Attack
  • UDP packet sent by an attacker consumes 100% of CPU usage on a remote Windows NT machine
  • If there are several Snork-infected NT systems in a network, they can send echoes to each other, generating enough network traffic to consume all available bandwidth

  14. OOB Attack
  • Exploits a bug in Microsoft’s implementation of its IP stack, causing a Windows system to crash
  • RPC port 135, also known as the NetBIOS Session Service port, is the most susceptible port for these kinds of attacks
  • When a Windows system receives a data packet with an URGENT flag on, it assumes that the packet will have data with it
  • In OOB attacks, a virus file has an URGENT flag with no data

  15. Buffer Overflow Attack
  • Type of attack that sends excessive data to an application
  • Either brings down the application or forces the data being sent to the application to be run on the host system
  • Two types of buffer overflow attacks: heap based and stack based

  16. Nuke Attack
  • Attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility
  • This significantly slows the target computer

  17. Reflected Attack
  • Involves sending huge amounts of SYN packets, spoofed with the victim’s IP address, to a large number of computers that then respond to those requests
  • Requested computers reply to the IP address of the target’s system, which results in flooding

  18. DDoS Attack
  • Distributed denial-of-service (DDoS) attack
    • DoS attack where a large number of compromised systems attack a single target
  • Attackers first infect multiple systems, called zombies, which are then used to attack a particular target
  • Use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack

  19. Working of a DDoS Attack
  Figure 5-1 In a DDoS attack, the attacker first corrupts handlers, which then corrupt zombies, which then attack the victim.

  20. Classification of a DDoS Attack
  • DDoS attacks can be classified according to:
    • Degree of automation
    • Propagation mechanism
    • Vulnerability being exploited
    • Rate of attack
    • Final impact

  21. Classification of a DDoS Attack (continued)
  Figure 5-2 DDoS attacks are classified based on various criteria.

  22. Classification of a DDoS Attack (continued)
  • Degree of Automation
    • Manual attacks
    • Semiautomatic attacks
    • Automatic attacks
  • Propagation Mechanism
    • Attacks using central source propagation
    • Attacks using back-chaining propagation
    • Attacks using autonomous propagation
  • Exploited Vulnerability
    • Protocol attacks
    • Brute-force attacks

  23. Classification of a DDoS Attack (continued)
  • Attack-Rate Dynamics
    • Continuous-rate attacks
    • Variable-rate attacks
  • Impact
    • Disruptive attacks completely prevent legitimate users from using network services
    • Degrading attacks degrade the quality of services available to legitimate network users

  24. DoS Attack Modes
  • DoS attack is known as an asymmetric attack
    • When an attacker with limited resources attacks a large and advanced site
  • Denial-of-service attacks come in a variety of forms and target a variety of services
  • The attacks may cause the following:
    • Consumption of resources
    • Destruction or alteration of information regarding the configuration of the network
    • Destruction of programming and files in a computer system

  25. Network Connectivity
  • Denial-of-service attacks are most commonly executed against network connectivity
  • Goal is to stop hosts or networks from communicating on the network or to disrupt network traffic

  26. Misuse of Internal Resources
  • Fraggle attack, or UDP flood attack
    • Forged UDP packets are used to connect the echo service on one machine to the character generator on another machine
    • Results in the consumption of the available network bandwidth between them
    • Possibly affecting network connectivity for all machines

  27. Bandwidth Consumption
  • Generation of a large number of packets can cause the consumption of all the bandwidth on the network
  • Typically, these packets are ICMP echo packets

  28. Consumption of Other Resources
  • Attackers may be able to consume other resources that systems need to operate
  • Intruder may attempt to consume disk space
  • Many sites will lock an account after a certain number of failed login attempts

  29. Destruction or Alteration of Configuration Information
  • Alteration of the configuration of a computer or the components in a network may disrupt the normal functioning of a system
  • Examples:
    • Changing information stored in a router can disable a network
    • Making modifications to the registry of a Windows machine can disable certain services

  30. Techniques to Detect DoS Attacks
  • Detecting a DoS attack is a tricky job
  • Detector needs to distinguish between a genuine and a bogus data packet
  • One problem in filtering bogus traffic from legitimate traffic is the volume of traffic
  • All the detection techniques used today define an attack as an abnormal and noticeable deviation in network traffic characteristics

  31. Activity Profiling
  • An activity profile is defined as the average packet rate of data packets with similar packet header information
  • The shorter the time between consecutive matching packets, the higher the flow’s average packet rate, or activity level
  • Randomness in average packet rate or activity level can indicate suspicious activity
  • Entropy calculation method is used to measure randomness in activity levels
  • Entropy of network activity levels will increase if the network is attacked

  32. Sequential Change-Point Detection
  • Filters network traffic by IP addresses, targeted port numbers, and communication protocols used
  • Stores the traffic flow data in a graph that shows traffic flow rate versus time
  • Detection algorithms highlight any change in traffic flow rate
  • If there is a drastic change in traffic flow rate, a DoS attack may be occurring
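As an added example (not from the book), both of the techniques on slides 31 and 32 run over one constructed series of traffic windows: the entropy of the source-address distribution stands in for the activity profile, and a CUSUM statistic over the per-window packet rate is the change-point detector. The window data, addresses, baseline and thresholds are all assumptions.

```python
"""Activity profiling by source-address entropy, plus a one-sided CUSUM
change-point detector over per-window packet rates, run on constructed windows."""
import math
from collections import Counter

# Constructed sample: eight one-second windows listing the source IP of every
# packet seen. Windows 0-4 are normal (five chatty clients); windows 5-7 are a
# spoofed flood from the 198.51.100.0/24 documentation range (assumption).
NORMAL = [f"10.0.0.{i}" for i in range(1, 6)] * 4     # 20 packets, 5 sources
SPOOFED = [f"198.51.100.{i}" for i in range(1, 201)]  # 200 packets, 200 sources
WINDOWS = [NORMAL] * 5 + [SPOOFED] * 3

def source_entropy(src_ips):
    """Shannon entropy (bits) of the source-address distribution in one window.
    Many distinct, equally rare sources (spoofing) push it toward log2(n)."""
    counts = Counter(src_ips)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_alerts(windows, baseline_windows=5, margin_bits=1.0):
    """Activity profiling: learn the mean entropy over the first
    `baseline_windows` windows, then flag later windows whose entropy rises
    more than `margin_bits` above it. Returns the flagged window indices."""
    ents = [source_entropy(w) for w in windows]
    baseline = sum(ents[:baseline_windows]) / baseline_windows
    return [i for i, e in enumerate(ents)
            if i >= baseline_windows and e > baseline + margin_bits]

def cusum_change_points(rates, baseline, drift, threshold):
    """Sequential change-point detection: one-sided CUSUM over a packet-rate
    series. The statistic accumulates deviations above baseline + drift and is
    clamped at zero, so a sustained jump trips `threshold` within a few windows
    while ordinary jitter decays. Returns the indices that raised an alarm
    (the statistic is reset after each alarm)."""
    s, alarms = 0.0, []
    for i, r in enumerate(rates):
        s = max(0.0, s + (r - baseline - drift))
        if s > threshold:
            alarms.append(i)
            s = 0.0
    return alarms

def analyze(windows=WINDOWS):
    """Run both detectors; returns (entropy alert indices, CUSUM alarm indices)."""
    rates = [len(w) for w in windows]
    return entropy_alerts(windows), cusum_change_points(rates, 20, 5, 100)

if __name__ == "__main__":
    for i, w in enumerate(WINDOWS):
        print(f"window {i}: {len(w):4d} packets, entropy {source_entropy(w):.2f} bits")
    print("entropy alerts, CUSUM alarms:", analyze())
```

On real traffic the baseline must be learned from a known-clean period and the drift term set above normal jitter, otherwise diurnal load swings raise alarms on their own.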

  33. Wavelet-Based Signal Analysis
  • Analyzes network traffic in terms of spectral components
  • Divides incoming signals into various frequencies and analyzes different frequency components separately
  • Presence of an unfamiliar frequency indicates suspicious network activity

  34. Monitoring CPU Utilization to Detect DoS Attacks
  • High CPU utilization and a high number of packets
    • Common symptoms that can be seen during a DoS attack
  • Monitoring CPU utilization at the time of a DoS attack and comparing it to the CPU utilization baselines captured at normal traffic conditions can show the severity of an attack

  35. Detecting DoS Attacks Using Cisco NetFlow
  • NetFlow
    • Major service in Cisco routers that monitors and exports IP traffic-flow data
    • Checks flows against a target destination IP address and raises an alarm when that destination is reached
  • NetFlow sampling includes the following:
    • Source and destination IP address
    • Source and destination TCP/UDP ports
    • Port utilization numbers
    • Packet counts and bytes per packet
    • Start time and stop time of data-gathering events and sampling windows
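An added example, not from the book or from Cisco: using the flow fields listed above to spot a SYN flood in a constructed flow export, by looking for many single-packet, SYN-only flows toward one destination from many distinct sources in a short window. The CSV layout, TCP-flag encoding, addresses and thresholds are assumptions.

```python
"""Detect a SYN flood in NetFlow-style flow records: many single-packet,
SYN-only TCP flows toward one destination from many distinct sources inside a
short window. Records are constructed to resemble a NetFlow v5 export; the
field set, flag encoding and thresholds are this example's assumptions."""
import csv
import io
from collections import defaultdict

FIELDS = ["start", "end", "src", "dst", "sport", "dport",
          "proto", "tcp_flags", "packets", "bytes"]

# Constructed export: three legitimate flows (multi-packet, full handshake
# flags) then 60 spoofed SYN-only flows from 203.0.113.0/24 (documentation
# range) hitting 192.0.2.10:80 within the same second.
SAMPLE_EXPORT = "\n".join(
    ["1700000000,1700000004,10.0.0.5,192.0.2.10,40001,443,6,0x1b,12,9000",
     "1700000001,1700000003,10.0.0.6,192.0.2.10,40002,80,6,0x1b,9,6100",
     "1700000002,1700000002,10.0.0.7,192.0.2.53,5353,53,17,0x00,1,72"]
    + [f"1700000050,1700000050,203.0.113.{i},192.0.2.10,{40000 + i},80,6,0x02,1,40"
       for i in range(1, 61)])

def parse_flows(text):
    """Parse CSV flow records into dicts, converting the numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["tcp_flags"] = int(row["tcp_flags"], 16)
        for k in ("start", "end", "sport", "dport", "proto", "packets", "bytes"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def is_syn_only(flow):
    """A half-open attempt: TCP, exactly one packet, only the SYN bit (0x02) set."""
    return flow["proto"] == 6 and flow["packets"] == 1 and flow["tcp_flags"] == 0x02

def syn_flood_candidates(flows, window=10, min_flows=50, min_sources=40):
    """Bucket SYN-only flows per (destination, time window) and report buckets
    whose flow count and distinct-source count both reach the thresholds. The
    distinct-source test separates a spoofed or distributed flood from one
    client retrying. Returns {(dst, window_start): (flows, sources)}."""
    buckets = defaultdict(list)
    for f in flows:
        if is_syn_only(f):
            buckets[(f["dst"], f["start"] - f["start"] % window)].append(f["src"])
    return {key: (len(srcs), len(set(srcs))) for key, srcs in buckets.items()
            if len(srcs) >= min_flows and len(set(srcs)) >= min_sources}

if __name__ == "__main__":
    for (dst, t0), (n, s) in syn_flood_candidates(parse_flows(SAMPLE_EXPORT)).items():
        print(f"ALARM dst={dst} window={t0}: {n} SYN-only flows from {s} sources")
```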

  36. Detecting DoS Attacks Using a Network Intrusion Detection System (NIDS)
  • NIDS monitors network traffic for suspicious activity
  • NIDS server
    • Can be placed on a network to monitor traffic for a particular server, switch, gateway, or router
    • Scans system files to identify unauthorized activity and monitor data and file integrity
    • Can identify changes in the server backbone components and scan log files to identify suspicious network activity, usage patterns, or remote hacking attempts
    • Scans local firewalls or network servers and monitors live traffic

  37. Investigating DoS Attacks
  • First step in investigating a DoS attack
    • Identify the DNS logs recording the queries an attacker used to look up the IP address of the target system before launching the attack
    • If this is performed automatically by an attack tool, the time of the DNS query and the time of the attack might be close to each other
    • Attacker’s DNS resolver could be determined by looking at the DNS queries at the start of the attack

  38. ICMP Traceback
  • ICMP traceback messages are used to find the source of an attack
  • Messages contain the following:
    • Router’s next and earlier hop addresses
    • Time stamp
    • Role of the traced packet
    • Authentication information

  39. ICMP Traceback (continued)
  Figure 5-3 This reverse trace can identify an attacker, even when using reflectors.

  40. Hop-by-Hop IP Traceback
  • Basic method for tracking and tracing attacks
  • Administrator can characterize the nature of the traffic and determine the input link on which the attack is arriving
  • Administrator then moves on to the upstream router
  • Administrator repeats the diagnostic procedure on this upstream router, and continues to trace backward, hop-by-hop
    • Until the source of the attack is found inside the ISP’s administrative domain of control
    • More likely, until the entry point of the attack into the ISP’s network is identified

  41. Hop-by-Hop IP Traceback (continued)
  • Hop-by-hop IP traceback limitations:
    • Traceback to the origin of an attack fails if cooperation is not provided at every hop or if a router along the way lacks sufficient diagnostic capabilities or resources
    • If the attack stops before the trace is completed, the trace fails
    • Hop-by-hop traceback is a labor-intensive, technical process, and since attack packets often cross administrative, jurisdictional, and national boundaries, cooperation can be difficult to obtain
  • Partial traceback can be useful, since packet filters can be put in place to limit the DoS flood

  42. Backscatter Traceback
  • Technique for tracing a flood of packets that are targeting the victim of a DDoS attack
  • Relies entirely on the standard characteristics of existing Internet routing protocols

  43. Backscatter Traceback (continued)
  Figure 5-4 After applying the correct filters, only a fraction of packets will be caught by the blackhole system.

  44. Hash-Based (Single-Packet) IP Traceback
  • Also known as single-packet IP traceback
  • Offers the possibility of making the traceback of single IP packets feasible
  • Fundamental idea
    • Store highly compact representations of each packet rather than the full packets themselves
    • Compact representations are called packet digests
    • Created using mathematical functions called hash functions
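An added example (not from the book or from any SPIE implementation): a toy packet-digest store for one router, a Bloom filter over the IPv4 header fields that do not change in transit plus the first 8 payload bytes, so that the victim's copy of a packet can be checked against what the router forwarded. The header layout, the choice of zeroed fields, the filter size and the addresses are assumptions.

```python
"""Hash-based (single-packet) IP traceback at one router: rather than storing
packets, keep a Bloom filter of packet digests computed over the fields that do
not change in transit. An investigator later presents the victim's copy of a
packet and asks whether this router forwarded it. Packet layout, field choice
and filter sizing are this example's assumptions (a toy SPIE-style digest)."""
import hashlib
import struct

class DigestTable:
    """Bit array with k hash positions per digest: 'seen' may be a false
    positive (tunable through bits/k) but is never a false negative."""
    def __init__(self, bits=4096, k=3):
        self.bits, self.k = bits, k
        self.array = bytearray(bits // 8)

    def _positions(self, digest):
        # Slice the 32-byte SHA-256 into k independent 4-byte indices.
        return [struct.unpack_from(">I", digest, 4 * i)[0] % self.bits for i in range(self.k)]

    def record(self, digest):
        for p in self._positions(digest):
            self.array[p // 8] |= 1 << (p % 8)

    def seen(self, digest):
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(digest))

def packet_digest(ip_header, payload):
    """Digest over the invariant part of an IPv4 packet: the 20-byte header with
    ToS (byte 1), TTL (byte 8) and header checksum (bytes 10-11) zeroed, plus the
    first 8 payload bytes, so the same packet yields the same digest at every hop."""
    hdr = bytearray(ip_header[:20])
    hdr[1], hdr[8], hdr[10:12] = 0, 0, b"\x00\x00"
    return hashlib.sha256(bytes(hdr) + payload[:8]).digest()

def make_ipv4_header(src, dst, ttl, ident):
    """Constructed minimal IPv4 header (no options, checksum left zero) for the demo."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, ident, 0, ttl, 6, 0,
                       to_bytes(src), to_bytes(dst))

def demo():
    """The router records a forwarded packet; the victim's copy (TTL decremented
    by three hops) still matches, while an unrelated packet does not.
    Returns (victim_copy_seen, unrelated_seen)."""
    table = DigestTable()
    at_router = make_ipv4_header("203.0.113.9", "192.0.2.10", ttl=60, ident=0x1234)
    table.record(packet_digest(at_router, b"GET / HTTP/1.1"))
    at_victim = make_ipv4_header("203.0.113.9", "192.0.2.10", ttl=57, ident=0x1234)
    unrelated = make_ipv4_header("203.0.113.9", "192.0.2.10", ttl=57, ident=0x9999)
    return (table.seen(packet_digest(at_victim, b"GET / HTTP/1.1")),
            table.seen(packet_digest(unrelated, b"GET / HTTP/1.1")))

if __name__ == "__main__":
    print("victim copy seen, unrelated seen:", demo())
```

A real deployment keeps one such table per short time interval and per interface so that a hit also says when and on which link the packet passed, and sizes the filter so the false-positive rate stays low at line rate.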

  45. IP Traceback with IPSec
  • IPSec uses cryptographic security services for securing communications over IP networks
  • IPSec tunnels are used by IP traceback systems such as DECIDUOUS (Decentralized Source Identification for Network-Based Intrusion)
  • Analysis proceeds by introducing IPSec tunnels between an arbitrary router and the victim

  46. CenterTrack Method
  • Overlay network
    • Supplemental or auxiliary network that is created when a collection of nodes from an existing network are joined together using new physical or logical connections to form a network on top of the existing one
  • First step in the CenterTrack approach
    • Create an overlay network, using IP tunnels to connect the edge routers in an ISP’s network to special-purpose tracking routers that are optimized for analysis and tracking
  • Overlay network is also designed to further simplify hop-by-hop tracing

  47. Packet Marking
  • Packets are marked to identify their traffic class
  • Once the type of traffic is identified, it can be marked, or “colored,” within the packet’s IP header
  • Probabilistic Packet Marking (PPM)
    • Tracking information is placed into rarely used header fields inside the IP packets themselves
    • Tracking information is collected and correlated at the destination of the packets
    • If there is a sufficiently large packet flow, there will be enough tracking information embedded in the packets to successfully complete the trace

  48. Check Domain Name System (DNS) Logs
  • Attacker uses DNS to find the actual IP address of the target computer before the attack is introduced
  • DNS query closest to the attack could help to identify the attacker’s DNS resolver
  • Can be useful to compare DNS logs of different systems that are under attack
    • An investigator can identify the different attacks carried out by the same individual or group
  • Sawmill DNS log analyzer can help view and analyze DNS log files

  49. Tracing with “log-input”
  • Steps an investigator should take to trace an attack passing through a router using “log-input”:
    • Make an access list entry that matches the attack traffic
    • Attach the log-input keyword to it
    • Apply the access list outbound on the interface through which the attack stream is sent toward the destination
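An added example, not from the book: parsing the syslog messages that such a log-input entry emits, to tally which ingress interface and source MAC are carrying traffic toward the victim, which is the input link the hop-by-hop trace follows next. The message formats are assumed to be IOS's IPACCESSLOGP and IPACCESSLOGDP forms; the ACL number, addresses and log lines are constructed.

```python
"""Reading the syslog lines an IOS access-list entry with `log-input` produces,
to see which input interface and source MAC the attack stream arrives on. Line
formats follow Cisco IOS's IPACCESSLOGP (TCP/UDP, with ports) and IPACCESSLOGDP
(ICMP, with type/code) messages as this example assumes them; the sample lines,
ACL number and addresses are constructed."""
import re
from collections import Counter

# Assumed ACL that produced the lines below, applied outbound toward the
# victim as the slide describes (log-input records the ingress interface/MAC):
#   access-list 170 permit icmp any host 192.0.2.10 log-input
#   access-list 170 permit tcp any host 192.0.2.10 log-input
#   access-list 170 permit ip any any
#   interface GigabitEthernet0/1
#    ip access-group 170 out
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\)| \((?P<type>\d+)/(?P<code>\d+)\)), "
    r"(?P<count>\d+) packets?")

SAMPLE_LOG = """\
Mar  1 00:12:01.101: %SEC-6-IPACCESSLOGDP: list 170 permitted icmp 203.0.113.7 (GigabitEthernet0/0 0011.2233.4455) -> 192.0.2.10 (8/0), 1 packet
Mar  1 00:12:01.205: %SEC-6-IPACCESSLOGDP: list 170 permitted icmp 203.0.113.8 (GigabitEthernet0/0 0011.2233.4455) -> 192.0.2.10 (8/0), 1 packet
Mar  1 00:12:01.390: %SEC-6-IPACCESSLOGP: list 170 permitted tcp 198.51.100.4(40122) (GigabitEthernet0/2 00aa.bbcc.dd01) -> 192.0.2.10(80), 1 packet
Mar  1 00:12:06.102: %SEC-6-IPACCESSLOGDP: list 170 permitted icmp 203.0.113.9 (GigabitEthernet0/0 0011.2233.4455) -> 192.0.2.10 (8/0), 23 packets
"""

def parse_log_input(text):
    """Return one dict of named fields per matching line; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]

def ingress_summary(entries, victim, acl=None):
    """Sum logged packets toward `victim` per (input interface, source MAC).
    The pair carrying the bulk of the count is the upstream link to examine
    next, hop by hop. Returns [((ifname, mac), packets), ...] largest first."""
    tally = Counter()
    for e in entries:
        if e["dst"] == victim and (acl is None or e["acl"] == acl):
            tally[(e["ifname"], e["mac"])] += int(e["count"])
    return tally.most_common()

if __name__ == "__main__":
    for (ifname, mac), n in ingress_summary(parse_log_input(SAMPLE_LOG), "192.0.2.10"):
        print(f"{n:4d} packets via {ifname} from {mac}")
```

The source MAC identifies the upstream router on that link, which is what the administrator needs to know where to repeat the procedure; the spoofed source IP addresses in the same lines are not trusted for that purpose.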

  50. Control Channel Detection
  • A large volume of control channel traffic indicates that the actual attacker or coordinator of the attack is close to the detector
  • The control channel function provides facilities to define, monitor, and control channels
  • Investigator can use a threshold-based detector
    • Counts the control channel detections that occur within a specific time period
    • Points clearly to the network and geographical location of the attacker
