Denial of Service WORLDS ATTACKS - PowerPoint PPT Presentation

1
Denial of Service WORLDS ATTACKS
  • Prepared by Mohammed Mahmoud Hussain
  • Supervised by Dr. Loai Tawalbeh
  • NYIT-winter 2007

2
Good News / Bad News
  • Good news:
  • The Internet and Networks give us better
    connectivity
  • Share information
  • Collaborate (a)synchronously
  • Bad news:
  • The Internet and Networks give us better
    connectivity
  • Viruses can spread more easily
  • The bad guys now have easier access to your
    information as well

3
Why do I want to be secure? (What's in it for me?)
  • You can ensure private information is kept
    private
  • Some things are for certain eyes only and you
    probably want to keep them that way
  • Is someone looking over your shoulder (physically
    or virtually)?

4
The 3 Main Forms of Bad Guys
  • Virus/Worm
  • Trojan
  • Denial of Service

5
Viruses / Worms
  • Most widely known thanks to press coverage
  • What is it?
  • Computer programs written by bad guys to do
    malicious things, often triggered by a specific
    event
  • Example: a Word macro virus that sends out junk
    email when the Word document is opened

6
Trojan horse
  • Most dangerous of all
  • What is it?
  • Computer programs often written by good guys but
    used by bad guys to give them a back door into
    the intended computer
  • Example: a remote management application that
    runs in the background
  • and allows the bad guys to get in
  • and use your computer as they wish

7
  • Typically cannot be safely removed; you must
    start again from a working backup or from scratch
  • Because:
  • Deleting/modifying data files is one of their
    goals
  • Stealing personal information is another
  • Interrupting/destroying business processes
    (contingency plan)

8
Denial of service (DoS)
  • Too many requests for a particular web site clog
    the pipe so that no one else can access the site
  • Also the use of LAND attacks

9
Possible impacts
  • May reboot your computer
  • Slows down computers
  • Certain sites/applications become inaccessible
  • You are off
10
Where are you
  • Everyone has to know that they come from 3
    places:
  • New Files
  • Viewed Content
  • Exposed Services

11
Where they come from
  • Unwanted email with attachments you weren't
    expecting
  • Downloaded programs from the internet that come
    from less than trustworthy locations
  • File Sharing Programs (P2P)

12
  • Websites that will install things for you
  • The more open doors your computer has, the
    more chance of someone coming in

13
What is Denial of Service Attack?
  • Attack in which the primary goal is to deny the
    victim(s) access to a particular resource.

14
  • A "denial-of-service" attack is characterized by
    an explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service.

15
How to take down a restaurant
[Figure: restaurateur and saboteur]
16
Saboteur vs. Restaurateur
[Figure: restaurateur and saboteur]
17
[Figure: restaurateur turning the saboteur away: "No More Tables!"]
18
  • Denial-of-service attacks are most frequently
    executed against network connectivity. The goal
    is to prevent hosts or networks from
    communicating on the network. An example of this
    type of attack is the "SYN flood" attack.

19
Categories of DOS attack
  • Bandwidth attacks
  • Protocol exceptions
  • Logic attacks

20
  • A bandwidth attack is the oldest and most common
    DoS attack. In this approach, the malicious
    hacker saturates a network with data traffic. A
    vulnerable system or network is unable to handle
    the amount of traffic sent to it and subsequently
    crashes or slows down, preventing access for
    legitimate users.

21
  • A protocol attack is a trickier approach, but it
    is becoming quite popular. Here, the malicious
    attacker sends traffic in a way that the target
    system never expected, such as when an attacker
    sends a flood of SYN packets.

23
  • The third type of attack is a logic attack. This
    is the most advanced type of attack because it
    involves a sophisticated understanding of
    networking. A classic example of a logic attack
    is a LAND attack, where an attacker sends a
    forged packet with the same source and
    destination IP address. Many systems are unable
    to handle this type of confused activity and
    subsequently crash.

24
Types
  • Types of DoS Attacks: the information here
    introduces the common types of DoS attacks, many
    of which can also be carried out as a DDoS attack.

25
PING OF DEATH
  • A Ping of Death attack uses Internet Control
    Message Protocol (ICMP) ping messages. Ping is
    used to see if a host is active on a network. It
    is also a valuable tool for troubleshooting and
    diagnosing problems on a network. As the
    following picture shows, a normal ping consists
    of two messages.

26
  • BUT
  • With a Ping of Death attack, an echo packet is
    sent that is larger than the maximum allowed size
    of 65,536 bytes. The packet is broken down into
    smaller fragments, but when it is reassembled, it
    is discovered to be too large for the receiving
    buffer. Subsequently, systems that are unable to
    handle such abnormalities either crash or reboot.
  • You can perform a Ping of Death from within Linux
    by typing ping -f -s 65537. Note the use of the
    -f switch. This switch causes the packets to be
    sent as quickly as possible. Often the cause of a
    DoS attack is not just the size or amount of
    traffic, but the rapid rate at which packets are
    being sent to a target.
  • Tools: Jolt, SPing, ICMP Bug, IceNewk

27
Smurf and Fraggle
  • A Smurf attack is another DoS attack that uses
    ICMP. Here, an echo request is sent to a network
    broadcast address with the target as the spoofed
    source. When hosts receive the echo request, they
    send an echo reply back to the target. Sending
    multiple Smurf attacks directed at a single
    target in a distributed fashion might succeed in
    crashing it.

28
  • If the broadcast ping cannot be sent to a
    network, a Smurf amplifier is used instead. A
    Smurf amplifier is a network that allows the
    hacker to send broadcast pings to it and sends
    the ping responses back to his target host on a
    different network. Nmap provides the capability
    to detect whether a network can be used as a
    Smurf amplifier.

29
  • A variation of the Smurf attack is a Fraggle
    attack, which uses User Datagram Protocol (UDP)
    instead of ICMP. Fraggle attacks work by using
    the CHARGEN and ECHO UDP services that operate on
    UDP ports 19 and 7. Both of these services are
    designed to operate much like ICMP pings: they
    respond to requesting hosts to notify them that
    they are active on a network.

30
LAND Attack
  • In a LAND attack, a TCP SYN packet is sent with
    the same source and destination address and port
    number. When a host receives this abnormal
    traffic, it often either slows down or comes to a
    complete halt as it tries to initiate
    communication with itself in an infinite loop.
    Although this is an old attack (first reportedly
    discovered in 1997), both Windows XP with Service
    Pack 2 and Windows Server 2003 are vulnerable to
    this attack.
  • Hping can be used to craft packets with the
    same spoofed source and destination address.
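
The malformed-packet attacks of slides 25 to 30 all leave a signature a network sensor can check for after reassembly. The classifier below is an added example, not part of the presentation; the packet records are constructed, and the broadcast check assumes /24 networks.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # the 16-bit IP total-length field cannot exceed this

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # e.g. "S" for SYN
    icmp_type: int = -1   # 8 = echo request
    total_len: int = 0    # bytes after fragment reassembly

def is_broadcast(addr: str) -> bool:
    # Assumption: every monitored network is a /24, so the directed-broadcast
    # address ends in .255 (a real sensor would consult its prefix table).
    return addr.endswith(".255")

def classify(p: Packet) -> list:
    findings = []
    # LAND: TCP SYN whose source and destination address and port are identical.
    if p.proto == "tcp" and "S" in p.tcp_flags and p.src == p.dst and p.sport == p.dport:
        findings.append("LAND")
    # Ping of Death: ICMP datagram that reassembles to more than IP allows.
    if p.proto == "icmp" and p.total_len > MAX_IP_DATAGRAM:
        findings.append("PING_OF_DEATH")
    # Smurf: echo request aimed at a directed-broadcast address.
    if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
        findings.append("SMURF")
    # Fraggle: UDP to ECHO (7) or CHARGEN (19) on a directed-broadcast address.
    if p.proto == "udp" and p.dport in (7, 19) and is_broadcast(p.dst):
        findings.append("FRAGGLE")
    return findings

# Constructed sample traffic (not a real capture); 10.0.0.5 plays the victim.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "10.0.0.5", 80, 80, tcp_flags="S"),
    Packet("icmp", "10.0.0.5", "192.168.1.255", icmp_type=8, total_len=84),
    Packet("icmp", "10.0.0.9", "10.0.0.5", icmp_type=8, total_len=65540),
    Packet("udp", "10.0.0.5", "192.168.1.255", 1024, 19, total_len=60),
    Packet("tcp", "10.0.0.7", "10.0.0.5", 40000, 80, tcp_flags="S"),  # ordinary SYN
]

def scan(packets) -> dict:
    # Count how many packets triggered each finding.
    counts = {}
    for p in packets:
        for f in classify(p):
            counts[f] = counts.get(f, 0) + 1
    return counts
```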

31
Synchronous flood
  • A SYN flood is one of the oldest and yet still
    most effective DoS attacks. As a review of the
    three-way handshake, TCP communication begins
    with a SYN, a SYN-ACK response, and then an ACK
    response. When the handshake is complete, traffic
    is sent between two hosts.

32
  • In a SYN flood, however, the three-way handshake
    is used differently: the attacking host sends a
    flood of SYN packets but never responds with the
    final ACK. The TCP/IP stack waits a certain
    amount of time before dropping each half-open
    connection, so a SYN flooding attack keeps the
    SYN_RECEIVED connection queue of the target
    machine filled.

33
With a SYN flood attack, these rules are
violated. Instead of the normal three-way
handshake, an attacker sends a packet from a
spoofed address with the SYN flag set but does
not respond when the target sends a SYN-ACK
response. A host has a limited number of
half-open (embryonic) sessions that it can
maintain at any given time. After those sessions
are used up, no more communication can take place
until

34
  • the half-open sessions are cleared out. This
    means that no users can communicate with the host
    while the attack is active. SYN packets are being
    sent so rapidly that even when a half-open
    session is cleared out, another SYN packet is
    sent to fill up the queue again.

35
  • SYN floods are still successful today for three
    reasons:
  • 1) SYN packets are part of normal, everyday
    traffic, so it is difficult for devices to filter
    this type of attack.
  • 2) SYN packets do not require a lot of bandwidth
    to launch an attack because they are relatively
    small.
  • 3) SYN packets can be spoofed because no response
    needs to be given back to the target. As a
    result, you can choose random IP addresses to
    launch the attack, making filtering difficult for
    security administrators.
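
The half-open queue behaviour described on slides 32 to 35, and the SYN-cookie alternative named on slide 60, as an added simulation that is not part of the presentation. Time is modelled in abstract ticks, and the cookie is an assumed simplified form (keyed hash of the client tuple and a coarse time window), not any particular stack's implementation.

```python
import hashlib
import heapq

def syn_cookie(secret: bytes, src: str, sport: int, window: int) -> int:
    # Stateless SYN cookie (assumed simplified form): a 32-bit keyed hash of
    # the client tuple and a coarse time window, used as the SYN-ACK sequence
    # number so the server stores nothing until a valid ACK comes back.
    msg = f"{src}:{sport}:{window}".encode()
    return int.from_bytes(hashlib.sha256(secret + msg).digest()[:4], "big")

def simulate(ticks, backlog, timeout, rtt, attack_rate, legit_every, cookies=False):
    """Return (legit_ok, legit_refused) over `ticks` time steps.

    Spoofed attacker SYNs never get an ACK and hold a half-open slot for
    `timeout` ticks; a legitimate client ACKs after `rtt` ticks.
    """
    secret = b"constructed-server-secret"
    half_open = []        # heap of expiry ticks, one entry per half-open slot
    in_flight = []        # legitimate ACKs on the wire: (arrival, src, sport, cookie)
    ok = refused = 0
    for t in range(ticks):
        while half_open and half_open[0] <= t:     # drop timed-out half-open entries
            heapq.heappop(half_open)
        if not cookies:                            # with cookies no SYN consumes a slot
            for _ in range(attack_rate):
                if len(half_open) < backlog:
                    heapq.heappush(half_open, t + timeout)
        if t % legit_every == 0:                   # one legitimate client
            src, sport = "198.51.100.7", 1024 + t % 60000
            if cookies:
                in_flight.append((t + rtt, src, sport, syn_cookie(secret, src, sport, t // 64)))
            elif len(half_open) < backlog:
                heapq.heappush(half_open, t + rtt)  # slot freed once the ACK completes it
                ok += 1
            else:
                refused += 1                        # queue full: SYN silently dropped
        while in_flight and in_flight[0][0] <= t:  # verify ACKs by recomputation only
            arrival, src, sport, cookie = in_flight.pop(0)
            sent_at = arrival - rtt
            if cookie == syn_cookie(secret, src, sport, sent_at // 64):
                ok += 1
            else:
                refused += 1
    return ok, refused
```

With a backlog of 128, a 300-tick timeout and ten spoofed SYNs per tick, only the first two legitimate clients get in; with cookies every one does.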

36
An example of TCP SYN flooding
[Figure: server buffer]
37
  • Now we may categorize DoS attacks into 3 classes
    depending on the number of actors involved.

38
Direct Single-tier DoS Attacks
  • Straightforward 'point-to-point' attack, that
    is, there are 2 actors: hacker and victim.
  • Examples:
  • Ping of Death
  • SYN floods
  • Other malformed packet attacks

40
Direct Dual-tier DoS Attacks
  • More complex attack model
  • Difficult for victim to trace and identify
    attacker
  • Examples:
  • Smurf

42
Direct Triple-tier DDoS Attacks
  • Highly complex attack model, known as Distributed
    Denial of Service (DDoS).
  • DDoS exploits vulnerabilities in the very fabric
    of the Internet, making it virtually impossible
    to protect your networks against this level of
    attack.
  • Examples:
  • TFN2K
  • Stacheldraht
  • Mstream

43
The Components of a DDoS Flood Network
  • Attacker: often a hacker with good networking
    and routing knowledge.
  • Master servers: a handful of backdoored machines
    running DDoS master software, controlling and
    keeping track of available zombie hosts.
  • Zombie hosts: thousands of backdoored hosts
    around the world.

45
Distributed Denial of Service Attack (DDoS)
  • In and around early 2001 a new type of DoS
    attack became rampant, called a Distributed
    Denial of Service attack, or DDoS. In this case
    multiple compromised systems are used to attack a
    single target. The flood of incoming traffic to
    the target will usually force it to shut down.
    As in a DoS attack, in a DDoS attack the
    legitimate requests to the affected system are
    denied. Since a DDoS attack is launched from
    multiple sources, it is often more difficult to
    detect and block than a DoS attack.

46
Results expected
  • Denial-of-service attacks can essentially disable
    your computer or your network, depending on the
    nature of your enterprise.
  • Some denial-of-service attacks can be executed
    with limited resources against a large,
    sophisticated site. This type of attack is
    sometimes called an "asymmetric attack." For
    example, an attacker with an old PC and a slow
    modem may be able to disable much faster and more
    sophisticated machines or networks.

47
Forms
  • attempts to "flood" a network, thereby preventing
    legitimate network traffic
  • attempts to disrupt connections between two
    machines, thereby preventing access to a service
  • attempts to prevent a particular individual from
    accessing a service
  • attempts to disrupt service to a specific system
    or person

48
  • Defense

49
Internet Service Providers
  • Deploy source address anti-spoof filters (very
    important!).
  • Turn off directed broadcasts.
  • Develop security relationships with neighbor
    ISPs.
  • Set up mechanism for handling customer security
    complaints.
  • Develop traffic volume monitoring techniques.

50
Highly loaded machines
  • Look for too much traffic to a particular
    destination.
  • Learn to look for traffic to that destination at
    your border routers (access routers, peers,
    exchange points, etc.).
  • Can we automate the tools: too many queue drops
    on an access router will trigger source
    detection? (bl..
  • Disable and filter out all unused UDP services.

51
Also
  • Routers, machines, and all other Internet
    accessible equipment should be periodically
    checked to verify that all security patches have
    been installed.
  • Systems should be checked periodically for the
    presence of malicious software (Trojan horses,
    viruses, worms, back doors, etc.).

52
  • Train your system and network administrators.
  • Read security bulletins like www.cert.org,
    www.sans.org, www.eEye.com.
  • From time to time listen in on the attacker
    community to be informed about their latest
    achievements.
  • Be in contact with your ISP; if your network is
    being attacked, this can save a lot of time.

53
Can both do better some day?
  • ICMP Traceback message.
  • Warning: this technique is an untested idea in
    practice.

54
ICMP
  • It is a message that is usually used to indicate
    errors on the net: request not completed, router
    not reachable.
  • Compared with TCP and UDP it is a different
    story: it is used mainly to check the
    communication between nodes, sent as an echo
    request message (ping) to determine:
  • 1. whether the host is reachable.
  • 2. how long packets take to get to and from the
    host.

55
ICMP Traceback
  • It is the way we determine the real source of an
    attacker, especially in DoS attacks and their
    variants: we work back to the original point by
    backtracking.
  • There are 2 methods:
  • 1. IP logging.
  • 2. IP marking.

56
ICMP Traceback
  • In IP logging, log information is stored in
    tables at each router; when we trace back we
    read each router's table and finally reach the
    source.
  • In IP marking, each router adds identifying
    information to each packet, so the packet itself
    carries its real source.

57
ICMP Traceback
  • For a very few packets (about 1 in 20,000), each
    router will send the destination a new ICMP
    message indicating the previous hop for that
    packet.
  • Net traffic increase at the endpoint is about
    0.1% -- probably acceptable.
  • Issues: authentication, loss of traceback
    packets, load on routers.
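
The ICMP traceback scheme of slides 55 to 57, as an added simulation that is not part of the presentation: each router emits a traceback message for roughly 1 in 20,000 packets, and the victim chains the (previous hop, router) links back toward the source. The message format, the HMAC tag standing in for router authentication, the topology and the keys are all assumptions made for this example.

```python
import hashlib
import hmac
import random

HOP_PROB = 1 / 20000   # per-packet chance that a router emits a traceback message (slide 57)

def itrace_message(key: bytes, prev_hop: str, router: str) -> tuple:
    # Assumed message shape: (previous hop, this router, tag). The HMAC tag is a
    # stand-in for the router authentication the slide lists as an open issue.
    tag = hmac.new(key, f"{prev_hop}>{router}".encode(), hashlib.sha256).hexdigest()
    return (prev_hop, router, tag)

def simulate_itrace(path, n_packets, keys, rng, loss=0.0) -> list:
    """Forward n_packets along path (path[0] is the attacker); return the
    traceback messages the victim actually received. `loss` models traceback
    packets dropped in transit, another issue from the slide."""
    received = []
    for _ in range(n_packets):
        for i in range(1, len(path)):
            if rng.random() < HOP_PROB:
                msg = itrace_message(keys[path[i]], path[i - 1], path[i])
                if rng.random() >= loss:
                    received.append(msg)
    return received

def reconstruct(received, keys, victim_router) -> list:
    """Chain authenticated (prev_hop -> router) links backwards from the
    victim's own router; messages with a bad tag are ignored."""
    prev_of = {}
    for prev_hop, router, tag in received:
        if router not in keys:
            continue
        expect = hmac.new(keys[router], f"{prev_hop}>{router}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expect, tag):
            prev_of[router] = prev_hop
    path = [victim_router]
    while path[-1] in prev_of:
        path.append(prev_of[path[-1]])
    return list(reversed(path))

# Constructed topology: five routers between the attacker and the victim, R5
# being the victim's own router; the keys are made up for the simulation.
PATH = ["attacker", "R1", "R2", "R3", "R4", "R5"]
KEYS = {r: f"key-{r}".encode() for r in PATH[1:]}

def demo(seed=7, n_packets=400000, loss=0.0) -> list:
    rng = random.Random(seed)
    return reconstruct(simulate_itrace(PATH, n_packets, KEYS, rng, loss), KEYS, "R5")
```

At 400,000 packets each router has emitted about 20 messages, so the full path is recovered even when a third of the traceback packets are lost, while a forged message without the router's key contributes nothing.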

58
Overview
  • What happens these days on

59
Throw away requests
[Figure: server with a request buffer]
Problem: legitimate clients must keep retrying
60
IP Tracing (or Syncookies)
[Figure: client sending a request to the server]
Problems:
  • Can be evaded, particularly on, e.g., Ethernet

61
Digital signatures
Problems:
  • Requires carefully regulated PKI
  • Does not allow for anonymity

62
Connection timeout
[Figure: server]
Problem: hard to achieve a balance between security
and latency demands
63
A solution: client puzzles, by Juels and Brainard,
with an improvement by Wang and Reiter
64
Intuition
65
Intuition
Suppose
  • A puzzle takes an hour to solve
  • There are 40 tables in restaurant
  • Reserve at most one day in advance

66
The client puzzle protocol
[Figure: server and its request buffer]
67
What does a puzzle look like?

68
Puzzle basis: partial hash inversion
[Figure: 160-bit hash values]
  • Pair (X, Y) is a k-bit-hard puzzle
69
Puzzle construction
70
Puzzle construction
[Figure: server computes, from secret S, time T and
request R, a hash giving pre-image X, then hashes X
again to give image Y]
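
The puzzle construction of slides 68 to 70, as an added example that is not the authors' code: the server derives X = h(S, T, R) and Y = h(X), hands out Y with X missing its low k bits, and later verifies a solution statelessly by recomputing X. SHA-1 is used only to match the slide's 160-bit figure; the secret, time and request values are constructed.

```python
import hashlib
import hmac

HASH_BYTES = 20   # 160-bit image as on the slide; SHA-1 chosen only to match that size

def h(*parts: bytes) -> bytes:
    return hashlib.sha1(b"|".join(parts)).digest()

def make_puzzle(secret: bytes, t: int, request: bytes, k: int) -> dict:
    """Server side: X = h(S, T, R) is the pre-image, Y = h(X) the image.
    The client gets Y, T, R and X with its low k bits cleared; recovering
    those k bits is the work, so (X, Y) is a k-bit-hard puzzle."""
    x = h(secret, str(t).encode(), request)
    x_int = int.from_bytes(x, "big")
    partial = ((x_int >> k) << k).to_bytes(HASH_BYTES, "big")
    return {"t": t, "request": request, "k": k, "image": h(x), "partial": partial}

def solve_puzzle(puzzle: dict) -> bytes:
    """Client side: brute-force the k missing bits (about 2^(k-1) hashes on
    average); the server spends nothing while the client works."""
    base = int.from_bytes(puzzle["partial"], "big")
    for guess in range(1 << puzzle["k"]):
        candidate = (base | guess).to_bytes(HASH_BYTES, "big")
        if h(candidate) == puzzle["image"]:
            return candidate
    raise ValueError("no solution: puzzle was corrupted")

def verify_solution(secret: bytes, t: int, request: bytes, solution: bytes,
                    now: int, max_age: int = 60) -> bool:
    """Server side, stateless: recompute X from (S, T, R) and compare, after
    rejecting puzzles older than max_age seconds so old solutions cannot be
    replayed indefinitely."""
    if not 0 <= now - t <= max_age:
        return False
    expected = h(secret, str(t).encode(), request)
    return hmac.compare_digest(expected, solution)

def demo(k: int = 12) -> bool:
    # Constructed values: server secret, issue time and request; not from the slide.
    secret, t, request = b"constructed-server-secret", 1_000_000, b"GET /login"
    puzzle = make_puzzle(secret, t, request, k)
    solution = solve_puzzle(puzzle)
    return verify_solution(secret, t, request, solution, now=t + 5)
```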
71
Puzzles cannot always be used
  • The attack may be performed on
  • Phones, SMS, MMS or physical e-mail
  • It may not be possible to add puzzles
  • Sometimes, the adversary will be more powerful
    than normal users (e.g., computer vs. cell
    phone.)

73
  • Presented to Dr. Loae Al-Tawalbeh
  • Executed by Mohammed Hussain
  • Course: intrusion detection and hacker exploits
  • Winter, Jan 2007
