Page 1
Denial of Service Attacks: Methods, Tools, and Defenses
Prof Mort Anvari
Strayer University at Arlington
Page 2
Basic types of DoS attacks
Evolution of DoS tools
Overview of DoS tools
Defenses
Page 3
What is a Denial of Service Attack?
“Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC)
Very wide definition, covers lots of cases
This tutorial covers only a subset of all DoS attacks
Page 4
Modes of Denial of Service Attack
Consumption of limited resources
Page 5
DoS Attacks - Statistics
There are more than 4000 attacks per week
During 2000, 27% of security professionals detected a DoS attack against their system
In the February 2000 attacks, the stream going to one of the affected sites was about 800Mb/s
Page 6
DoS Attacks - Statistics
Overall Internet performance degradation during February 2000 attacks
[Chart legend: PPW – Performance in previous week; PAW – Performance in attacking week]
Source: Keynote Systems
Page 7
DoS Attacks - Basics
Prof Mort Anvari
Strayer University at Arlington
Page 8
DoS Attacks - Basics
Attack has two phases:
Installation of DoS tools
Committing an attack
Page 9
DoS Attacks - Basics
Installation of DoS tools:
Finding a suitable machine:
Unprotected ports
Vulnerable services
Errors in operating systems
Trojan horses and worms
Installation of the tool itself
Page 10
DoS Attacks - Basics
Ping of Death
Maximum size of a TCP/IP packet is 65536 bytes
An oversized packet may crash, freeze, or reboot the system
Obsolete
Page 11
DoS Attacks - Basics
Teardrop
An IP packet can be broken into fragments
The fragmented packet is reassembled using the offset fields
Page 12
DoS Attacks - Basics
Teardrop
Overlapping offset fields
Obsolete
Page 13
DoS Attacks - Basics
SYN flood attack
TCP SYN handshake
Finite length of backlog queue
Lots of half-open connections
Partially solved
[Diagram: Client sends SYN to Server; Server replies SYN/ACK; Client sends ACK]
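The backlog mechanism behind the SYN flood slide, as an added illustrative model that is not part of the original deck: a server keeps each half-open connection in a queue of finite length until the final ACK arrives or a timeout expires, so unanswered SYNs fill the queue and later legitimate SYNs are refused. The queue size, timeout and addresses are assumed values chosen for the example.

```python
import collections

class SynBacklog:
    """Server-side backlog of half-open connections (SYN received, final ACK
    not yet seen). size and timeout are assumed values for illustration."""
    def __init__(self, size, timeout):
        self.size = size                                # queue length
        self.timeout = timeout                          # seconds until reaped
        self.half_open = collections.OrderedDict()      # (src, sport) -> SYN time

    def _reap(self, now):
        # Entries whose handshake never completed are dropped after the timeout.
        for key, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, sport, now):
        """Return True if a SYN/ACK is sent, False if the backlog is full."""
        self._reap(now)
        if len(self.half_open) >= self.size:
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        """The client's final ACK completes the handshake and frees the slot."""
        return self.half_open.pop((src, sport), None) is not None

def simulate(backlog_size=8, timeout=75):
    """Fill the backlog with SYNs that are never acknowledged, then try one
    legitimate client during the flood and again after the timeout.
    Returns (refused_during_flood, accepted_after_timeout)."""
    q = SynBacklog(backlog_size, timeout)
    for i in range(backlog_size):            # unanswered SYNs at t = 0
        q.on_syn(f"203.0.113.{i}", 40000 + i, now=0)
    refused = not q.on_syn("198.51.100.7", 50000, now=1)
    # After the timeout the stale entries are reaped and the client gets a slot:
    # a shorter timeout helps, which is why the slide calls the problem only
    # partially solved (a sustained flood simply refills the queue).
    accepted = q.on_syn("198.51.100.7", 50000, now=timeout + 1)
    return refused, accepted

if __name__ == "__main__":
    print(simulate())  # (True, True)
```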
Page 14
DoS Attacks - Basics
UDP flood
UDP echo service
UDP chargen service
Spoofed address
Easy prevention
Brute force approach if this one doesn’t work
Page 15
DoS Attacks - Basics
Smurf attack
ICMP packets
Broadcast request
Spoofed address
Two victims
Cannot be easily prevented
[Diagram: Attacker, Intermediate Systems]
Page 16
Evolution of DoS Attacks
Defenses were improved
Technology was improved, as well
Attackers had to improve their techniques for attacks
Page 17
Evolution of DoS Attacks
Packet processing rate is more limiting than bandwidth
CPU can be a limit in SYN flood attack
“Reflected” attacks
[Diagram of a reflected attack; labelled node: Victim]
Page 19
Evolution of DoS Attacks
All of the systems are compromised
Terminology:
Client
Handler
Agent
Page 20
Evolution of DoS Attacks
Implications of DDoS network:
One or two attackers
Small number of clients
Several handlers
Huge number of agents
Humongous traffic
Page 21
DoS Attacks - Tools
Prof Mort Anvari
Strayer University at Arlington
Page 22
DoS Attacks - Tools
History of DoS tools:
IRC disable tools
Single attack method tools
Distributed tools, with the possibility of selecting the type of attack
Page 23
DoS Attacks - Tools
Trinoo
Distributed
UDP flood (brute force)
Menu operated
Agent passwords are sent in plain text form (not encrypted)
Page 24
DoS Attacks - Tools
TFN (Tribal Flood Network)
Multi-type attack:
UDP flood
SYN flood
ICMP_ECHOREPLY flood
Smurf
Handler keeps track of its agents in a “Blowfish” encrypted file
Page 25
DoS Attacks - Tools
TFN2K
Improved version of TFN
Agent can randomly alternate between the types of attack
Agent is completely silent (the handler sends the same command several times, hoping that the agent will receive at least one)
Page 26
DoS Attacks - Tools
TFN2K
All communication is encrypted
Random source IP address and port number
Decoy packets (sent to non-target networks)
Page 27
DoS Attacks - Tools
Several levels of protection:
Hard-coded password in client
Page 28
DoS Attacks - Tools
Stacheldraht
Automated update of agents
TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent
Page 29
DoS Attacks - Tools
Stacheldraht
ICMP_ECHOREPLY packets are difficult to stop
Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent uses several hard-coded IP addresses
Agent tests for the possibility of spoofing the source address
Page 30
DoS Attacks - Tools
Stacheldraht
Weakness: it uses the rpc command for update
Listening on this port can lead to detection of an agent
Drawback: this can generate a lot of false alarms (rpc is used by legitimate users too)
Page 31
Defenses
Page 32
There is no universal solution
There are some preventions that can help in minimizing the damage:
Prevention of becoming the source of an attack
Preparations for defending against an attack
Page 33
Disable and filter out chargen and echo services
Disable and filter out all unused UDP services
Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)
Page 34
Install a filtering router to block the following cases:
Do not allow a packet to pass through if it is coming into your network and has a source address from your network
Do not allow a packet to pass through if it comes from your network and has a source address that doesn’t belong to your network
Page 35
Network administrators should log all information on packets that are dropped
If you are providing external UDP services, monitor them for signs of misuse
Page 36
The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks
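The two filtering-router rules from page 34, the reserved-network rule from page 36 and the drop logging from page 35, combined into one added example (not code from the original deck). Assumptions: the protected network is 192.0.2.0/24, and because the deck's list of reserved networks did not survive extraction, the RFC 1918 ranges plus loopback stand in for it; the sample packets are constructed from documentation prefixes.

```python
import ipaddress
# Assumption for this example: our network is 192.0.2.0/24 (a documentation prefix).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# The deck's list of reserved private networks did not survive extraction; the
# RFC 1918 ranges plus loopback are assumed here.
RESERVED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(direction, src, dst):
    """Return 'pass' or a drop reason. direction is 'in' for packets arriving
    from the Internet and 'out' for packets leaving our network."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Page 36: never receive from or transmit to a reserved private network.
    if _in_any(s, RESERVED_NETS) or _in_any(d, RESERVED_NETS):
        return "drop: reserved private address"
    if direction == "in":
        # Page 34, rule 1 (ingress): a packet from outside that carries one of
        # our own addresses as its source is spoofed.
        if _in_any(s, OUR_NETS):
            return "drop: inbound packet with internal source"
    elif direction == "out":
        # Page 34, rule 2 (egress): a packet leaving with a foreign source
        # address would make our network the source of a spoofed attack.
        if not _in_any(s, OUR_NETS):
            return "drop: outbound packet with foreign source"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "pass"

def filter_log(packets):
    """Apply the filter to (direction, src, dst) tuples and return one log line
    per dropped packet, as page 35 asks administrators to record."""
    log = []
    for direction, src, dst in packets:
        verdict = filter_packet(direction, src, dst)
        if verdict != "pass":
            log.append(f"{direction} {src}->{dst} {verdict}")
    return log

# Constructed sample traffic using documentation prefixes, not real hosts.
SAMPLE = [
    ("in", "198.51.100.7", "192.0.2.10"),    # legitimate inbound
    ("in", "192.0.2.5", "192.0.2.10"),       # claims our address from outside
    ("out", "192.0.2.10", "198.51.100.7"),   # legitimate outbound
    ("out", "203.0.113.9", "198.51.100.7"),  # foreign source leaving our net
    ("in", "10.1.2.3", "192.0.2.10"),        # reserved private source
]
```

Running `filter_log(SAMPLE)` yields three log lines, one for each of the spoofed or reserved-address packets.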
Page 37
Routers, machines, and all other Internet-accessible equipment should be periodically checked to verify that all security patches have been installed
Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)
Page 38
Train your system and network administrators
Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com
From time to time, listen in on the attacker community to be informed about their latest achievements
Be in contact with your ISP
In case your network is being attacked, this can save a lot of time
Page 39
Several examples of large scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon)
Increased number of consumers with high bandwidth technologies, but with poor knowledge of network security
Easily accessible, easy to use DoS attack tools
No final solution for attacks
Page 40
This tutorial is based on a research paper done for isitworking.com
Isitworking is part of the Biopop company,
Page 41
Denial of Service Attacks: Methods, Tools, and Defenses
Prof Mort Anvari
Strayer University at Arlington