internetMCI VPN - PowerPoint PPT Presentation

About This Presentation
Title:

internetMCI VPN

Description:

Sometimes victims can't use Internet to complain about or trace the attack ... Template code to create TCP/IP Packets exist. Their availability and dissemination ... – PowerPoint PPT presentation

Slides: 19
Provided by: bobs177

Transcript and Presenter's Notes


1
Internet Threats: Denial Of Service Attacks
2
The Internet And Information Security
  • "The wonderful thing about the Internet is that
    you're connected to everyone else. The terrible
    thing about the Internet is that you're connected
    to everyone else." (Vint Cerf)

3
Denial Of Service Attack Specifics
4
Denial Of Service Problems
  • Exploding in popularity
  • No skill required
  • High juvenile ratio
  • High availability of menu-driven programs, on
    multiple platforms
  • Up and running in minutes
  • Unix, NT, Win95, etc
  • Programs available via the Internet within HOURS
    of the identified exploit
  • Often requires assistance across multiple ISPs
  • Coordination efforts impossible at best

5
Denial Of Service Problems
  • Tracing
    • Source is almost always hidden, or forged
    • Need to trace in real time, router by router, to
      find Bad_Guy
    • High packet rates
    • Sometimes victims can't use the Internet to complain
      about or trace the attack
  • Group accounts or throw-away accounts used
    • School labs, piracy dialup, hacked systems

6
DOS Types: Revenge of the Nerds
  • SYN Floods
  • Mail Bombs
  • Smurf Attacks
  • Many, many others

7
SYN Floods
  • TCP Handshake required to set up communication
    • Send: HELLO! (TCP_SYN)
    • Recv: Yea, What? (TCP_SYN_ACK)
    • Send: Let's Talk! (TCP_ACK)
  • SYN Flood exploits the Handshake
    • Bad_Guy sends TCP_SYN from a forged source that
      doesn't exist
    • Victim tries to send a TCP_SYN_ACK, but can't
      find the source, so it queues the message
    • Message is queued for 75 seconds
    • Bad_Guy fills up the SYN Queue
    • Victim can't communicate

8
DoS Packet Flow: SYN Attack
  [Diagram: SYN packet from Bad_Guy to Victim; Victim asks "Where do I send data?"]
9
Mail Bombs
  • Large amounts of email to victim
  • FROM address randomly created
  • Mail is often relayed through several relay
    systems
  • Difficult to track origination
  • One word: SPAM
  • Explosion of tools available from Spamming
    organizations to make this point-and-click, and
    professionally difficult to trace

10
Smurf Attacks
  • Most Recent Attack, also called a Broadcast Ping
    Attack
  • Broadcast ping
    • Send a broadcast_ping_request to a
      network/subnet, and every host in that
      network/subnet replies with a ping_reply
    • > ping 166.45.1.255
      166.45.1.1 is alive
      166.45.1.2 is alive
      166.45.1.3 is alive
      ...
      166.45.1.255 is alive

11
Smurf Attacks
  • Attack
    • Bad_Guy sends a broadcast_ping_request that
      looks like it came from Victim, and sends it to
      Innocent 3rd Party
    • Every host on Innocent 3rd Party's
      network/subnet sends a broadcast_ping_reply to
      the Victim
    • Victim gets hit with a massive ping attack
    • Good_Guy traces the Attack to the Innocent 3rd
      Party
  • Compensators
    • Disable Broadcast Ping Replies on your routers
      (no ip directed broadcasts)
    • Deploy monitoring software
    • Call your ISP
    • Filter ICMP

12
Tools available to initiate attacks
  • How they are being developed so quickly
    • Hackers are subscribing to bug lists used to
      discuss product bugs
    • Public Domain testing software becoming widely
      available, being used maliciously
    • Template code to create TCP/IP Packets exists
  • Their availability and dissemination
    • Ever try YAHOO?
    • IRC DOS channel
    • Available within hours after a bug is reported
    • Professionally created, updated, etc

13
Impacts to ISPs
  • Bandwidth saturation
    • DoS Attacks affect links that belong to ISPs
    • Affects multiple customers
    • T1 backbone ISPs still exist!
    • Hackers can do much damage on a 28.8 dialup
    • T3 connected shell accounts in high demand
    • IRC shells
  • Resources required to trace are intense
    • Educating customer
    • Tracing attack
    • Time sensitive issue

14
MCI's DoSTracker
  • Reactive
    • Victim calls in for assistance
    • DoSTracker installed on Victim Border router
      (their connection to our Network)
  • Proactive
    • DoSTracker installed on Victim router, and
      waits for Attack to come in. Alerts when
      identified
    • Not typically used, due to resource issues

15
MCI's DoSTracker
  • DoSTracker watches packets going to Victim, and
    analyzes them for DoS characteristics
    • Forged source address
    • Smurf Attack
    • Large packet sources
  • DoSTracker traces identified DoS Packets router
    by router, interface by interface, until it
    reaches an edge (customer or another network).
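
As an added example (not code from this deck or from DoSTracker itself), a small Python classifier in the spirit of slide 15 that inspects packets bound for the Victim and flags the two signatures from slides 7 and 11: SYNs from sources that never complete the handshake, and a burst of ICMP echo replies from many hosts on one subnet. The Victim address, packet log and thresholds are constructed for illustration.

```python
# Added example (not code from the MCI deck or from DoSTracker): a toy
# DoSTracker-style classifier over packets bound for one Victim, applying the
# DoS characteristics the slides describe. All addresses/records are constructed.
from collections import defaultdict

VICTIM = "192.0.2.10"  # constructed Victim address (TEST-NET-1 range)
# Constructed packet log: (src, dst, proto, flag); flag is "SYN" or "ACK"
# for TCP and "ECHO_REPLY" for ICMP. Eight SYNs come from sources that
# never complete the handshake, one client does, and five hosts on one /24
# answer a broadcast ping with replies addressed to the Victim.
PACKETS = (
    [(f"203.0.113.{i}", VICTIM, "TCP", "SYN") for i in range(1, 9)]
    + [("198.51.100.5", VICTIM, "TCP", "SYN"),
       ("198.51.100.5", VICTIM, "TCP", "ACK")]
    + [(f"198.51.100.{i}", VICTIM, "ICMP", "ECHO_REPLY") for i in range(20, 25)]
)

def half_open_ratio(packets, victim):
    """Share of SYN sources that never send the final ACK. A forged source
    that does not exist (slide 7) cannot answer the SYN-ACK, so during a
    SYN flood this ratio climbs towards 1.0."""
    syn_sources, ack_sources = set(), set()
    for src, dst, proto, flag in packets:
        if dst != victim or proto != "TCP":
            continue
        if flag == "SYN":
            syn_sources.add(src)
        elif flag == "ACK":
            ack_sources.add(src)
    if not syn_sources:
        return 0.0
    return len(syn_sources - ack_sources) / len(syn_sources)

def smurf_subnets(packets, victim, min_hosts=3):
    """/24 subnets from which at least min_hosts distinct hosts sent ICMP
    echo replies to the Victim: the Innocent 3rd Party signature of slide 11."""
    hosts_by_subnet = defaultdict(set)
    for src, dst, proto, flag in packets:
        if dst == victim and proto == "ICMP" and flag == "ECHO_REPLY":
            hosts_by_subnet[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    return sorted(s for s, h in hosts_by_subnet.items() if len(h) >= min_hosts)

def classify(packets, victim, syn_threshold=0.8):
    """Verdicts a tracer would carry to the next router upstream."""
    verdicts = []
    if half_open_ratio(packets, victim) > syn_threshold:
        verdicts.append("SYN flood")
    verdicts += [f"smurf via {s}" for s in smurf_subnets(packets, victim)]
    return verdicts
```

The smurf check reports the Innocent 3rd Party's subnet rather than a single host, which is exactly where the trace on slide 11 ends up.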

16
DoS Path
  [Diagram: DoS path spanning NET A, NET B, NET C and the Customer]
17
Migration of attacks
  • What can we expect for future attacks?
  • Automation
    • DoS Engines/Clients
  • Protocol exposures
    • Streaming protocols
    • CUSeeMe, Multi-Cast, UseNet
    • DNS
  • Reduction of detection capability
    • Services being deployed much too quickly for
      security analysis, compensators and monitoring
      to be deployed and integrated.
  • We'll always be one or two steps behind

18
Contact
  Dale Drew
  internetMCI Security Engineering
  703/715-7058
  ddrew@mci.net
  http://www.security.mci.net
  http://www.security.mci.net/check.html