Denial of Service attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Denial of Service attacks

Description:

Denial of Service attacks Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps). attackers ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 8
Provided by: Dr658
Learn more at: http://home.ubalt.edu
Category:
Tags: attacks | denial | icmp | service

less

Transcript and Presenter's Notes

Title: Denial of Service attacks


1
Denial of Service attacks
2
Types of DoS attacks
  • Bandwidth consumption
  • attackers have more bandwidth than victim, e.g T3
    (45Mpbs) attacks T1 (1.544 Mbps).
  • attackers amplify their bandwidth engaging other
    computers to attack victim with higher bandwidth,
    e.g. 100 56Kbps attack a T1
  • Resource starvation consumes system resources
    like CPU, memory, disk space on the victim
    machine.
  • Program flaws exploit inability of programs to
    handle exceptions (vulnerabilities).
  • Routing and DNS attacks manipulate routing
    tables
  • routing protocols RIP v1 and BGP v4 have no, or
    weak authentication
  • change routing tables to route to attackers net
    or black hole.
  • attack to DNS servers, again route to attackers
    or black hole.
  • Generic attacks like the Melissa virus which
    shutdown mail servers

3
Generic attacks
  • Smurf
  • 1. Attacker sends sustained ICMP Echo packets to
    broadcast address of the amplifying network
    xxx.255, with source address is forged to read
    the victims IP address
  • 2. Since traffic was sent to broadcast address
    all hosts in the amplifying LAN will answer to
    the victims IP address
  • Fraggle
  • similar to Smurf, but sends UDP packets to port 7
    (echo) of the broadcast address.
  • Countermeasures
  • Prevent being an amplifying LAN disable directed
    broadcast functionality at the border router and
    set OS firewall to not respond to broadcast ECHO
    requests (see book for specific OS commands)
  • Victim sites limit ICMP requests at the border
    router and contact ISP to do the same, when under
    attack.

attacker
amplifying LAN
victim
4
Generic attacks (2)
  • Syn flood
  • 1. attacker sends SYN packet to victim forging
    non-existent IP address
  • 2. victim replies with Syn/Ack but neither
    receives Ack nor RST from non-existent IP address
  • 3. victim keeps potential connection in a queue
    in Syn_Recv state, but the queue is small and
    takes some time to timeout and flush the queue,
    e.g 75 seconds
  • 4. If a few SYN packets are sent by the attacker
    every 10 seconds, the victim will never clear the
    queue and stops to respond.
  • Countermeasures (1) Increase size of queue, (2)
    decrease the timeout period, (3) apply patches to
    OS to protect from Syn attacks, and (4) use IDS,
    which can respond to the Syn attack by providing
    RST responses.
  • DNS attacks
  • primarily an UNIX /Linux problem. Go to the BIND
    site and download the latest version which fixes
    it.

5
UNIX and NT DoS/DDoS
  • IP fragmentation overlap IP packets may need to
    be broken in parts (fragments) in route and put
    together by the destination OS which may have a
    flaw
  • teardrop (Linux), syndrop.c, boink.c (Windows)
  • countermeasures Linux kernels 2.0 and above, NT
    use SP6a.
  • Stream and raped attacks (UNIX/NT) resource
    starvation, making the CPU run up to 100,
    preventing access to the NET and
    stopping/slowing other jobs
  • stream.c sends TCP Ack packets to a series of
    ports with random sequence numbers and random
    source IP addresses
  • raped.c attacks sends TCP Ack packets with
    spoofed IP addresses
  • countermeasures in practice, none (unless you
    can change your IP address).
  • DDoS attacks first attacks in February of 200
    --gt Yahoo, ETRADE, eBay, Buy.com, CNN.com, etc.
    Attacks have three stages
  • attack systems and gain administration privileges
    (hunting grounds _at_Home, DSL providers, etc).
  • Upload DDoS software (server) in the slaves
    (zombies) and run it (listen).
  • When there are enough slaves command them to
    attack victim.
  • Examples GRC.COM a case example and press
    coverage of other attacks.

6
DDoS attacks
  • TFN - Tribe Flood Network install server in
    slaves and with client send attack command.
  • attacks available ICMP, Smurf, UDP SYN floods,
    see more here.
  • Countermeasures
  • detection DDOSPing, Zombie Zapper and
    find_ddos.
  • Prevention apply patches, firewall blocks to
    prevent hackers to gain admin privileges, and
    block ICMP inbound traffic (not all that
    practical, but necessary under attack).
  • Trinoo and WinTrinoo install server in slaves
    and masters, and with client send instruction to
    the master which tells the slaves to attack. The
    hierarchy is needed because of the large scale of
    the attacks, see more here.
  • Countermeasures same as TFN, including the above
    detection software.
  • WinTrinoo the trojan is the file service .exe
    (not services) and anti-virus software can find
    it.
  • Stacheldraht (barbed wire) combines the features
    of TFN with Trinoo and encrypt telnet
    connections between master and slave, preventing
    IDSs to respond.
  • attacks available ICMP, Smurf, UDP SYN floods,
    see more here.
  • Countermeasures same as TFN, including the above
    detection software.

7
DDoS attacks (2)
  • TFN2K TFN 2000 Upgrade of original TFN, using
    randomized ports (preventing port blocking at
    router), and encryption (preventing IDS to
    respond). See more here.
  • Attacks SYN, UDP, ICMP, Smurf and randomly
    switch between them.
  • Countermeasures again use the same detection
    software and protect your machines, the best
    remedy (dont become a zombie!).
  • DDoS trends
  • CERT recent report automation of propagation and
    router attacks.
  • NIPC recent advisory DDoS to increase.
  • DDoS defense
  • FedCIRC - Defense Tactics for Distributed Denial
    of Service Attacks.
  • SANS - Consensus Roadmap for Defeating
    Distributed Denial of Service Attacks.
  • Alerts and Advisories
  • CERT - incidents and fixes
  • NIPC - Warnings
  • Securityteam.com - NT and UNIX.
  • Denial of Service (DoS) Attack Resources page.
Write a Comment
User Comments (0)
About PowerShow.com