DDoS attacks and defence techniques
TRANSCRIPT
DENIAL OF SERVICE ATTACKS
AND DEFENCE TECHNIQUES
BEGÜM TOKUYUCU
OUTLINE
• What is DoS?
• What is DDoS?
• Types of DoS and DDoS attacks
• Ways of defending against DDoS attacks
WHAT IS A DENIAL OF SERVICE ATTACK?
• An attack that prevents or impairs the authorised use of
networks, systems or applications by exhausting resources.
• Resources:
  • Network bandwidth,
  • System resources,
  • Application resources
• DoS attacks are characterised by how many systems are used to
direct traffic at the target system
WHAT IS A DISTRIBUTED DENIAL OF
SERVICE ATTACK?
• DDOS
• Steps
• Recruiting of zombie machines
• Discovering the vulnerability of the target
• Sending the attack instructions to the zombies
• Attack
WHY DDOS?
• Financial and economic gain
• Revenge
• Fun
• Show
• Cyberwarfare
TYPES OF ATTACKS
• Classical DOS Attacks
• Source Address Spoofing
• TCP SYN/ACK Spoofing
• ICMP Flood Attacks
• UDP Flood Attacks
• Smurf Attack
• DNS DDOS
• Peer to Peer Attacks
CLASSIC DOS ATTACKS
• Flooding attack
  • Aims to overwhelm the capacity of the network
connection to the target organisation
  • The source of the attack is clearly identified.
SOURCE ADDRESS SPOOFING
• Use of a forged source address.
• A forged source address is harder to identify.
• You cannot create a normal network connection: the receiver will not be able to
reply to you.
• Made possible by the raw socket interface on many operating systems
• Examples:
  • Man in the middle
  • Routing redirect
  • Source routing
TCP SYN/ACK SPOOFING
• Exploits the ability of a network server to respond to TCP
connection requests
• If the spoofed source address belongs to a valid (live) host ->
it answers the SYN-ACK with a reset (RST)
• If the spoofed system is busy or unreachable ->
NO REPLY
• The server uses a table to keep track of pending
connections
• When the table is full,
increase the table size
DEFENCE WAY OF
TCP SYN/ACK SPOOFING
• Decrease the TCP connection timeout on the server
(victim)
• Use a firewall as an intermediary between server &
client.
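The effect of the first defence above, as an added example that is not part of the original slides: a simulated half-open connection table under a stream of spoofed SYNs whose forged sources never reply, so only the timeout frees their slots. The table size, attack rate and the one-client-per-second legitimate load are constructed assumptions.

```python
from collections import deque

class HalfOpenTable:
    """Server-side table of half-open connections (SYN received, SYN-ACK sent,
    final ACK not yet seen). An entry is held until the handshake completes
    or the connection timeout expires."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = deque()  # (expiry_time, source) in insertion order

    def expire(self, now):
        # All entries share one timeout, so the oldest entry always expires first.
        while self.entries and self.entries[0][0] <= now:
            self.entries.popleft()

    def syn(self, now, source):
        """Handle an incoming SYN. Returns True if a table slot was allocated."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False  # table full: the SYN is refused
        self.entries.append((now + self.timeout, source))
        return True

    def complete(self, source):
        """Final ACK arrived: the connection leaves the half-open table."""
        self.entries = deque(e for e in self.entries if e[1] != source)


def legit_connections(timeout, capacity=100, spoofed_per_sec=10, seconds=60):
    """Constructed scenario: every second, spoofed_per_sec SYNs arrive from
    forged, unreachable sources (no RST ever frees their slot), and one
    legitimate client tries to connect and completes its handshake at once.
    Returns how many legitimate connections succeeded."""
    table = HalfOpenTable(capacity, timeout)
    accepted = 0
    for t in range(seconds):
        for i in range(spoofed_per_sec):
            table.syn(t, f"forged-{t}-{i}")
        if table.syn(t, "legit-client"):
            table.complete("legit-client")
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("timeout 60 s:", legit_connections(60), "of 60 legitimate connections")
    print("timeout 5 s: ", legit_connections(5), "of 60 legitimate connections")
```

With a 60 s timeout the table fills after nine seconds and stays full for the rest of the run; with a 5 s timeout the forged entries expire as fast as they arrive and every legitimate client gets through.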
FLOODING ATTACKS
• Based on the network protocol used (TCP, UDP, ICMP)
• Goal:
  • to overload the network capacity on some link to the server
  • to overload the server's ability to handle the traffic
• Types:
• ICMP Flood Attacks
• UDP Flood Attacks
• Smurf Attack
ICMP FLOOD ATTACKS
• ICMP echo request (ping) packets were chosen because
traditionally network administrators
allowed them.
• Attackers used
ICMP packets
• Send packets to the
victim's address
DEFENCE WAY OF
ICMP FLOOD ATTACKS
• To set a packet-per-second threshold for
ICMP requests.
• When the ICMP packet flow exceeds the
defined threshold, the security device
ignores further ICMP echo requests.
UDP FLOOD ATTACKS
• Attackers obtain the IP addresses of
many devices.
• Send data packets (UDP packets)
to random ports of the server
• If the server is not running, the
packet is discarded.
• If the server is running, it tries to
identify the data received on the wrong ports
and sends a "destination
unreachable" message.
DEFENCE WAY
OF UDP FLOOD ATTACKS
• Limit the rate at which destination unreachable
messages are sent, or do not send such packets at all.
• Introduce a firewall before the server to check
whether the incoming packets are addressed to
a correct (open) port or not.
• If correct then pass the packets, else reject the
packet.
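The ICMP flood defence (packet-per-second threshold on echo requests) and the UDP flood defence (open-port check plus rate-limited destination unreachable replies) implemented together, as an added example that is not part of the original slides. The open ports, the limits and the sample traffic are constructed assumptions.

```python
from collections import Counter

class PerSecondThreshold:
    """Packet-per-second gate: the first `limit` packets in any one-second
    window pass, the rest of that second are refused."""

    def __init__(self, limit):
        self.limit = limit
        self.window = None
        self.count = 0

    def allow(self, now):
        second = int(now)
        if second != self.window:
            self.window, self.count = second, 0
        self.count += 1
        return self.count <= self.limit


# Assumption for the example: the protected server only offers DNS and NTP.
OPEN_UDP_PORTS = {53, 123}

def filter_traffic(packets, echo_limit=3, unreach_limit=2):
    """packets: iterable of (time_s, proto, src, dst_port). Returns counters of
    what the security device did with ICMP echo requests and UDP packets."""
    echo_gate = PerSecondThreshold(echo_limit)
    unreach_gate = PerSecondThreshold(unreach_limit)
    stats = Counter()
    for t, proto, src, port in packets:
        if proto == "icmp-echo":
            stats["echo_accepted" if echo_gate.allow(t) else "echo_dropped"] += 1
        elif proto == "udp":
            if port in OPEN_UDP_PORTS:
                stats["udp_delivered"] += 1       # correct port: pass to the service
            elif unreach_gate.allow(t):
                stats["unreach_sent"] += 1        # closed port: reply, still within limit
            else:
                stats["unreach_suppressed"] += 1  # closed port: reply rate-limited away
    return stats


def constructed_traffic():
    """Constructed sample: a burst of pings and UDP packets to random closed
    ports from one flood source (203.0.113.9), plus a real client (198.51.100.2)."""
    pkts = [(0.1 * i, "icmp-echo", "203.0.113.9", None) for i in range(5)]
    pkts.append((1.5, "icmp-echo", "198.51.100.2", None))
    pkts += [(2.0 + 0.1 * i, "udp", "203.0.113.9", 40000 + i) for i in range(6)]
    pkts.append((2.9, "udp", "198.51.100.2", 53))
    return pkts


if __name__ == "__main__":
    print(dict(filter_traffic(constructed_traffic())))
```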
SMURF ATTACKS
• Sends a huge amount of traffic and causes a virtual explosion of
traffic at the intended target.
• Steps
  • Obtain the IP address of the victim,
  • Using this IP address as a spoofed source, the attacker sends ICMP packets via
routers to the broadcast address of a network.
  • All devices on that network reply via ICMP to the IP address of the victim.
  • The victim gets flooded with incoming packets.
DEFENCE WAYS OF SMURF
ATTACKS
• Set up a firewall so that it filters unwanted
messages.
• Configure the router not to contact all the
devices connected to its network when an ICMP
message arrives addressed to its broadcast
address.
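The second defence above (the router refusing to fan out echo requests sent to a broadcast address), as an added example that is not part of the original slides. The two local subnets are constructed assumptions; note that the directed-broadcast address of a /25 is not the .255 address.

```python
import ipaddress

# Assumption for the example: the subnets behind this router.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

def broadcast_addresses(subnets):
    """Directed-broadcast address of each local subnet plus the limited
    broadcast address; an echo request to any of these would be answered
    by every host on that subnet."""
    addrs = {net.broadcast_address for net in subnets}
    addrs.add(ipaddress.ip_address("255.255.255.255"))
    return addrs

def amplification(subnet):
    """How many hosts could reply to a single broadcast echo request
    (network and broadcast addresses excluded)."""
    return subnet.num_addresses - 2

def router_decision(proto, dst, subnets=LOCAL_SUBNETS):
    """Decide what the router does with a packet addressed to dst."""
    dst_ip = ipaddress.ip_address(dst)
    if proto == "icmp-echo-request" and dst_ip in broadcast_addresses(subnets):
        return "drop"  # directed broadcast disabled: the ping is not fanned out
    return "forward"

if __name__ == "__main__":
    for dst in ["192.0.2.255", "198.51.100.127", "192.0.2.10"]:
        print("echo request to", dst, "->", router_decision("icmp-echo-request", dst))
    print("one ping to 192.0.2.255 could trigger",
          amplification(LOCAL_SUBNETS[0]), "replies to the victim")
```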
DNS DDOS ATTACKS
• The attacker instructs the zombies to send DNS queries for a site
(www.kfssdfsdffks.com) to a DNS server, with the zombies
impersonating the target server.
• The DNS server thinks that it is the target server which is
requesting the pages, so the DNS server sends the
requested page's IP address as a reply to the
target.
• The target server receives a load of DNS replies and the
server crashes.
DEFENCE WAY OF
DNS DDOS ATTACKS
• Since you know the IP addresses from which the DNS server
is continuously sending replies to you, it is a simple matter
to use your firewall to block traffic from those addresses.
PEER TO PEER ATTACKS
• The attacker acts as a puppet master, instructing clients of large
P2P file sharing networks to disconnect from their P2P
network and to connect to the victim's website instead.
• Thousands of computers try to connect to the target
website specified by the attacker for
downloading/uploading files.
• The server gets confused by what is going on with the
requests from thousands of different computers.
DEFENCE WAY OF
PEER TO PEER ATTACKS
• Have a semi-centralised authority to track
large-scale malicious P2P network activity.
• Update torrent clients, as most P2P
attacks are carried out using computers
running old torrent clients whose loopholes
have not been fixed.
• Encrypt P2P traffic.
• THANKS!