1 / 24

Distributed Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014

Distributed Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014. Outline. Attacker solution #2: distributed denial of service attacks What are they? DDoS toolkits. But does it actually deny service here?. A Flooding Attack. The Problem With This Attack.

ula
Download Presentation

Distributed Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Distributed Denial of Service AttacksAdvanced Network Security Peter ReiherAugust, 2014

  2. Outline • Attacker solution #2: distributed denial of service attacks • What are they? • DDoS toolkits

  3. But does it actually deny service here? A Flooding Attack

  4. The Problem With This Attack The attacking computer is usually a home machine or office workstation Maybe it’s got outgoing bandwidth of 10Mbps The target is usually a server Maybe it’s got incoming bandwidth of 1 Gbps The target barely notices the attack

  5. “Solving” This Problem • How can an attacker overwhelm a machine with more resources than his? • Two possibilities: • Find a way to make the target pay more per message than the attacker • Use more than one machine to attack

  6. Solution #2: Use Multiple Machines to Attack If one machine can’t generate enough traffic to overwhelm a server, Maybe two can Or three Or four Or forty thousand

  7. Distributed Denial of Service Attacks

  8. What Is Distributed Denial of Service? • A concerted attack by multiple machines on a single target • Usually a large number of machines • Intended to make the target unable to service its regular customers • By overwhelming some resource • Typically bandwidth

  9. How To Perform a DDoS Attack: Step 1 • Gain control of a lot of machines • You could buy them • But, if you’re going to use them to make an illegal attack, why buy them? • Usually, you steal them • Or, more precisely, take them over with malware

  10. How To Perform a DDoS Attack: Step 2 • Install software on all the machines to send packets to a specified target • Usually the software has various options • When to begin • For how long • What kind of packets

  11. How To Perform a DDoS Attack: Step 3 • Issue commands to your machines to start them sending packets • If there are a lot of your machines, maybe use an efficient way to tell them • Like some tree-structured distribution system • They will then start attacking

  12. Some Refinements to the Attack • Vary the number of packets sent by each attacker over time • Only use a fraction of your available machines at any given moment • Cycling through the entire set • Pulse the attack, turning it on and off

  13. Typical Attack Modus Operandi

  14. Typical Effects of a DDoS Attack • A sudden, vast flood of packets being sent to a site • Typically packets that are fairly clearly junk • But could be close to real traffic • These packets drown out the legitimate traffic • So only junk gets delivered

  15. DDoS Attacks in the Real World • Very common • Some are pretty small • On small targets, often • Occasionally we see a really big one • Typically on a high profile target • Often difficult to handle

  16. Some Important Examples Microsoft, Yahoo, etc. targeted Recent large DDoS attack on Hong Kong voting site 25 million packet per second attacks on domain hosting and online gaming sites At least one company went out of business due to a DDoS attack

  17. DDoS Attack on DNS Root Servers • Concerted ping flood attack on all 13 of the DNS root servers in October 2002 • Successfully halted operations on 9 of them • Lasted for 1 hour • Turned itself off, was not defeated • Did not cause major impact on Internet • DNS uses caching aggressively • Another (less effective) attack in February 2007

  18. DDoS Attack on Estonia Occurred April-May 2007 Estonia removed a statue that Russians liked Then somebody launched large DDoS attack on Estonian government sites Took much of Estonia off-line for ~ 3 weeks DDoS attack on Radio Free Europe sites in Belarus in 2008

  19. DDoS Attack on Al Jazeera • DNS name server floods of 200-300 Mbps on English language web site • Successfully made Al Jazeera web site unreachable for two days • After which, their DNS name was hijacked • Al Jazeera not easily able to recover from attack • As Al Jazeera added capacity, the attack got stronger

  20. Combining the Two Attacker “Solutions” Attackers can use both asymmetry and multiple machines Making the problem that much harder to solve Reflector attacks are one example Recent Hong Kong attack required SSL decryption from large number of attack machines

  21. Attack Toolkits • Widely available on net • Easily downloaded along with source code • Easily deployed and used • Automated code for: • Scanning – detection of vulnerable machines • Exploit – breaking into the machine • Infection – placing the attack code • Rootkit • Hides the attack code • Restarts the attack code • Keeps open backdoors for attacker access • DDoS attack code: • Trinoo, TFN, TFN2K, Stacheldraht, Shaft, mstream, Trinity

  22. DDoS Attack Code • Attacker can customize: • Type of attack • UDP flood, ICMP flood, TCP SYN flood, Smurf attack • Web server request flood, authentication request flood, DNS flood • Victim IP address • Duration • Packet size • Source IP spoofing • Dynamics (constant rate or pulsing) • Communication between master and slaves

  23. Implications of Attack Toolkits • You don’t need much knowledge or many skills to perpetrate DDoS • Toolkits allow unsophisticated users to become DDoS perpetrators in little time • DDoS is, unfortunately, a game anyone can play

  24. Conclusion • Distributed denial of service attacks solve the attacker’s problem of asymmetric capabilities • DDoS attacks harness multiple hosts to attack a single machine • DDoS attacks are simple, yet hard to handle

More Related