Distributed Denial of Service Attacks
Darius Law
CMPT 471
What is DDOS?
• A distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system
• Forces the system to shut down by flooding it with incoming messages, thereby denying service to legitimate users
Distributed…
• Distributed computing is a method of computer processing in which different parts of a program run simultaneously on two or more computers that communicate with each other over a network.
• Major advantages of using a distributed denial-of-service attack:
  • Generates more traffic
  • Multiple attacking machines are harder to turn off
  • Each attack machine is stealthier, making it harder to track and shut down
Types of DOS attacks
• Exercising a software bug that causes the software running the service to fail
• Sending enough data to consume all available network resources
• Sending data in such a way as to consume a particular resource needed by the service
How do DDOS attacks work?
• A hacker first exploits a vulnerable computer system, making it the DDOS “master”
• The “master” computer communicates with and loads cracking tools onto thousands of other compromised systems on the internet
• All of these computers can then be instructed to launch one of many flood attacks against a specified target
SYN Flood
• A SYN packet initiates a TCP/IP connection
• A SYN flood consumes all available slots in the server’s TCP connection table
• Exploits a basic weakness of the TCP/IP protocol
• Prevents other users from establishing new connections
• HTTP is particularly vulnerable to SYN flood attacks
SYN Flood (2)
• The TCP/IP protocol requires a 3-step process:
  • The originator of the connection (such as a web browser) initiates the connection by sending a packet with the SYN flag set in the TCP header (referred to as a “SYN packet”).
  • The receiver responds by sending back to the originator a packet that has the SYN and ACK flags set (a “SYN/ACK packet”).
  • The originator acknowledges receipt of the 2nd packet by sending the receiver a third packet with only the ACK flag set (an “ACK packet”).
SYN Flood (3)
• During a SYN flood, the attacker sends a large number of SYN packets alone, never sending the ACK packet that would complete each handshake
SYN Flood (4)
• The connection table fills up rapidly with incomplete connections, crowding out legitimate traffic
Responding to DDOS attacks
• Increasing the size of the connection table seems most straightforward, but it may not be configurable
• Spare servers can be placed in service during an attack
  • Very expensive to keep idle equipment
Prevention
• Most DDOS attacks use a forged source address to lie about where the packets are being sent from
• Manufacturers of firewalls/network security devices have developed a variety of defense methods:
  • SYN threshold: establish a limit on the number of incomplete transactions, then start discarding new SYN packets once it is reached
  • SYN defender: when a SYN packet is received, the firewall synthesizes the final ACK packet of step 3, so the receiver does not have to wait for the actual ACK packet from the originator
  • SYN proxy: the firewall synthesizes and sends the SYN/ACK packet back to the originator and waits for the final ACK packet. After the firewall receives the ACK packet from the originator, it “replays” the 3-step sequence to the receiver.
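The following simulation is an added example, not code from the slides or their sources. It models what the SYN Flood (2)–(4) slides describe, a receiver's connection table in which every unanswered SYN occupies a slot, and then puts a SYN-proxying firewall with a SYN threshold (the Prevention slide) in front of the same receiver. Packet handling is reduced to the originator's SYN and ACK, the forged source addresses, table capacity, flood size and threshold are all constructed values, and `half_open_summary` is a simple detector over a constructed packet log that counts SYNs never followed by an ACK from the same source.

```python
"""Simulation of the SYN-flood scenario from the slides: a receiver's TCP
connection table fills with half-open entries, and a SYN-proxying firewall
keeps forged SYNs off the receiver. Constructed example, not from the deck."""
from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"  # only the originator's two packets are modelled


@dataclass
class ConnectionTable:
    """Receiver-side table: each SYN without its ACK occupies a slot."""
    capacity: int
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)
    refused: int = 0

    def receive(self, src, flags):
        if flags == SYN:
            if src in self.half_open or src in self.established:
                return "duplicate"
            if len(self.half_open) + len(self.established) >= self.capacity:
                self.refused += 1
                return "refused"        # table full: legitimate user denied
            self.half_open.add(src)     # slot allocated, SYN/ACK goes back
            return "syn-ack"
        if flags == ACK and src in self.half_open:
            self.half_open.remove(src)
            self.established.add(src)
            return "established"
        return "ignored"


@dataclass
class SynProxy:
    """Firewall in front of the receiver ('SYN Proxy' plus 'SYN threshold')."""
    receiver: ConnectionTable
    syn_threshold: int
    pending: set = field(default_factory=set)  # handshakes the firewall owns
    discarded: int = 0

    def receive(self, src, flags):
        if flags == SYN:
            if src in self.pending:
                return "duplicate"
            if len(self.pending) >= self.syn_threshold:
                self.discarded += 1
                return "discarded"      # threshold reached: drop new SYNs
            self.pending.add(src)       # firewall answers with SYN/ACK itself
            return "syn-ack"
        if flags == ACK and src in self.pending:
            self.pending.discard(src)
            # The originator completed the handshake, so replay the 3-step
            # sequence to the receiver; its table goes straight to established.
            self.receiver.receive(src, SYN)
            return self.receiver.receive(src, ACK)
        return "ignored"


def syn_flood(target, count):
    """Constructed flood: `count` SYNs from distinct forged sources, no ACKs."""
    for i in range(count):
        target.receive(f"forged-{i}", SYN)


def legit_connect(target, src):
    """A real client completes the handshake; True if it got established."""
    target.receive(src, SYN)
    return target.receive(src, ACK) == "established"


def half_open_summary(packets):
    """Detection over a packet log of (src, flags): SYNs never followed by an
    ACK from the same source. Returns (incomplete handshakes, distinct SYN
    sources); a large first number spread over many sources is the signature."""
    syns = {src for src, flags in packets if flags == SYN}
    acks = {src for src, flags in packets if flags == ACK}
    return len(syns - acks), len(syns)


def run_scenarios(capacity=100, flood_size=500, threshold=1000):
    # Unprotected receiver: the flood fills the table and a real client is refused.
    plain = ConnectionTable(capacity)
    syn_flood(plain, flood_size)
    plain_ok = legit_connect(plain, "client-A")

    # Same receiver behind a SYN proxy: forged SYNs never reach its table.
    proxied = ConnectionTable(capacity)
    fw = SynProxy(proxied, threshold)
    syn_flood(fw, flood_size)
    proxied_ok = legit_connect(fw, "client-B")

    return {
        "plain_half_open": len(plain.half_open),
        "plain_refused": plain.refused,
        "plain_legit_ok": plain_ok,
        "proxied_half_open": len(proxied.half_open),
        "proxied_legit_ok": proxied_ok,
        "firewall_pending": len(fw.pending),
    }


if __name__ == "__main__":
    print(run_scenarios())
    log = [("10.0.0.5", SYN), ("10.0.0.5", ACK)] + [(f"1.2.3.{i}", SYN) for i in range(20)]
    print(half_open_summary(log))
```

With the constructed values, the unprotected table ends the flood with all 100 slots held by half-open entries and the real client's SYN refused, while the proxied receiver holds zero half-open entries and the client is established; the 500 forged handshakes sit only in the firewall's pending set, bounded by its threshold. The model leaves out half-open timeouts, so it shows where the state lands rather than how long it persists.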
DDOS attack tools
• Tribal Flood Network
• Trin00
• TFN2K
• Stacheldraht
Sources
• What is denial of service; http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213591,00.html
• Distributed Denial of Service Attacks; http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
• Distributed Denial of Service Attack Tools; http://documents.iss.net/whitepapers/ddos.pdf
• How a ‘denial of service’ attack works; http://www.news.com/2100-1017-236728.html
• DDOS; http://chinese-school.netfirms.com/computer-article-denial-of-service.html