Denial of Service Attacks: Methods, Tools, and Defenses
Prof. Mort Anvari, Strayer University at Arlington
Introduction
- Basic types of DoS attacks
- Evolution of DoS tools
- Overview of DoS tools
- Defenses
What is Denial of Service Attack?
- “Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC)
- Very wide definition, covers lots of cases
- This tutorial covers only a subset of all DoS attacks
Modes of Denial of Service Attack
- Consumption of limited resources
  - Network connectivity
  - Bandwidth consumption
  - Other resources: processing time, disk space, lockout of an account
- Alteration of configuration information
DoS Attacks - Statistics
- There are more than 4000 attacks per week
- During 2000, 27% of security professionals detected a DoS attack against their system
- In the February 2000 attacks, the traffic stream directed at one of the affected sites was about 800 Mb/s
DoS Attacks - Statistics
Overall Internet performance degradation during February 2000 attacks

| Date      | PPW  | PAW  | CPW    |
|-----------|------|------|--------|
| Feb. 7th  | 5.66 | 5.98 | +5.7%  |
| Feb. 8th  | 5.53 | 5.96 | +7.8%  |
| Feb. 9th  | 5.26 | 6.67 | +26.8% |
| Feb. 10th | 4.97 | 4.86 | -2.2%  |

PPW – Performance in previous week
PAW – Performance in attacking week
CPW – Change from previous week
Source: Keynote Systems
DoS Attacks - Basics
DoS Attacks - Basics
Attack has two phases:
- Installation of DoS tools
- Committing an attack
DoS Attacks - Basics
Installation of DoS tools:
- Finding a suitable machine:
  - Unprotected ports
  - Vulnerable services
  - Errors in operating systems
  - Trojan horses and worms
- Installation of the tool itself
- Installation of a root-kit
DoS Attacks - Basics
Ping of Death
- Maximum size of TCP/IP packet is 65536 bytes
- Oversized packet may crash, freeze, reboot system
- Obsolete
DoS Attacks - Basics
Teardrop
- IP packet can be broken into fragments
- Broken packet is reassembled using the offset fields of the fragments
DoS Attacks - Basics
Teardrop
- Overlapping offset fields
- Obsolete
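The two malformed-fragment cases on the Ping of Death and Teardrop slides are both failures of a reassembler that trusts the length and offset fields. The following is an added example, not code from the slides, of a reassembler that validates every fragment before copying data: it rejects a datagram that would exceed the 16-bit IP total-length limit of 65535 bytes (the oversized-packet case) and any fragment whose offset overlaps data already received (the overlapping-offset case). The fragment sets at the bottom are constructed sample data, not captured traffic.

```python
# Added example (not from the slides): a defensive IP fragment reassembler that
# refuses oversized datagrams (Ping of Death) and overlapping fragments (Teardrop)
# instead of trusting the offset and length fields.
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # the 16-bit IP total-length field caps a datagram at 65535 bytes


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment in the datagram (field value * 8)
    more: bool      # MF flag: more fragments follow
    payload: bytes


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def reassemble(fragments):
    """Reassemble fragments sharing one IP id, or raise FragmentError.

    Checks, in order, before any data is copied:
      * every offset is 8-byte aligned and every non-final payload is a multiple of 8
      * offset + len(payload) never exceeds MAX_DATAGRAM   (oversized datagram)
      * no fragment starts before the end of the previous one (overlap)
      * the fragments are contiguous and the last one has MF clear
    """
    if not fragments:
        raise FragmentError("no fragments")
    if len({f.ident for f in fragments}) != 1:
        raise FragmentError("fragments belong to different datagrams")

    ordered = sorted(fragments, key=lambda f: f.offset)
    expected_next = 0
    for frag in ordered:
        if frag.offset % 8 != 0:
            raise FragmentError(f"offset {frag.offset} is not 8-byte aligned")
        if frag.more and len(frag.payload) % 8 != 0:
            raise FragmentError("non-final fragment payload is not a multiple of 8")
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at {end}, beyond {MAX_DATAGRAM} bytes")
        if frag.offset < expected_next:
            raise FragmentError(
                f"fragment at {frag.offset} overlaps data already received up to {expected_next}")
        if frag.offset > expected_next:
            raise FragmentError(f"gap between {expected_next} and {frag.offset}")
        expected_next = end

    if ordered[-1].more:
        raise FragmentError("last fragment still has MF set; datagram incomplete")
    return b"".join(f.payload for f in ordered)


def verdict(fragments):
    """("ok", data) for a sane set, ("rejected", reason) otherwise."""
    try:
        return ("ok", reassemble(fragments))
    except FragmentError as exc:
        return ("rejected", str(exc))


def sample_sets():
    """Constructed fragment sets: one sane datagram, one overlap, one oversize."""
    sane = [
        Fragment(1, 0, True, b"A" * 16),
        Fragment(1, 16, True, b"B" * 16),
        Fragment(1, 32, False, b"C" * 5),
    ]
    overlap = [
        Fragment(2, 0, True, b"A" * 24),
        Fragment(2, 8, False, b"B" * 8),       # claims offset 8, but bytes 0..24 are already covered
    ]
    oversize = [
        Fragment(3, 65528, False, b"X" * 16),  # 65528 + 16 = 65544 > 65535
    ]
    return {"sane": sane, "overlap": overlap, "oversize": oversize}


if __name__ == "__main__":
    for name, frags in sample_sets().items():
        print(name, verdict(frags))
```

The ordering of the checks matters: size and overlap are rejected before the contiguity check, so a single oversized fragment is reported as oversized rather than as a gap, which is the more useful signal in a log.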
DoS Attacks - Basics
SYN flood attack
- TCP SYN handshake
- Finite length of backlog queue
- Lots of half-open connections
- Partially solved
(Diagram: three-way handshake between Client and Server: SYN, SYN/ACK, ACK)
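The symptom this slide describes, a backlog queue of finite length filling with half-open connections, is visible in the kernel's connection table. Below is an added example, not from the slides, of a detector that reads connection rows in the shape of `ss -tan` output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and reports, per listening socket, how full the backlog is and whether the half-open entries come from a spread of sources that never complete the handshake, which is how a flood from spoofed addresses looks. The rows are constructed, and the backlog length is an assumed value.

```python
# Added example (not from the slides): detect a SYN-flood symptom from a
# constructed connection table. BACKLOG is an assumed listen-queue length.
from collections import defaultdict

BACKLOG = 128  # assumed; the real backlog is set per listening socket


def constructed_table(half_open: int) -> list:
    """Build a constructed connection table with `half_open` SYN-RECV rows on port 80."""
    lines = [
        "State    Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "LISTEN   0      128    0.0.0.0:80         0.0.0.0:*",
        "ESTAB    0      0      10.0.0.5:80        203.0.113.10:51022",
        "ESTAB    0      0      10.0.0.5:80        203.0.113.11:51023",
        "ESTAB    0      0      10.0.0.5:22        203.0.113.12:51024",
    ]
    for i in range(half_open):
        # each half-open entry comes from a different source that never finishes
        # the handshake, the pattern left by a flood with spoofed source addresses
        lines.append(f"SYN-RECV 0      0      10.0.0.5:80        198.51.100.{i % 254 + 1}:{40000 + i}")
    return lines


def parse_table(lines):
    """Yield (state, local, peer) for each connection row, skipping the header."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        yield parts[0], parts[3], parts[4]


def half_open_report(lines, backlog: int = BACKLOG, alert_fill: float = 0.5) -> dict:
    """Per local socket: half-open and established counts, backlog fill and verdict flags."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, local, peer in parse_table(lines):
        if state == "SYN-RECV":
            stats[local]["half_open"] += 1
            stats[local]["peers"].add(peer.rsplit(":", 1)[0])
        elif state == "ESTAB":
            stats[local]["established"] += 1

    report = {}
    for local, s in stats.items():
        half = s["half_open"]
        fill = half / backlog
        # with spoofed sources each peer holds one half-open entry, so the number
        # of distinct peers tracks the number of half-open connections
        spread = len(s["peers"]) / half if half else 0.0
        report[local] = {
            "half_open": half,
            "established": s["established"],
            "backlog_fill": round(fill, 2),
            "alert": fill >= alert_fill,
            "spoofed_sources_likely": fill >= alert_fill and spread >= 0.8,
        }
    return report


if __name__ == "__main__":
    for sock, info in half_open_report(constructed_table(100)).items():
        print(sock, info)
```

Run against a live host, the same logic would consume the output of `ss -tan` instead of `constructed_table()`; the fill ratio is the number to alarm on, since a backlog that is mostly SYN-RECV with almost no ESTAB entries is the state in which legitimate clients start being refused.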
DoS Attacks - Basics
UDP flood
- UDP echo service
- UDP chargen service
- Spoofed address
- Easy prevention
- Brute force approach if this one doesn’t work
(Diagram: Attacker sends a Spoofed Request; two Victims, one running chargen and one running echo)
DoS Attacks - Basics
Smurf attack
- ICMP packets
- Broadcast request
- Spoofed address
- Two victims
- Cannot be easily prevented
(Diagram: Attacker, Intermediate Systems, Victim)
Evolution of DoS Attacks
- Defenses were improved
- Technology was improved, as well
- Attackers had to improve their techniques for attacks
Evolution of DoS Attacks
- Packet processing rate is more limiting than bandwidth
- CPU can be a limit in SYN flood attack
- “Reflected” attacks
(Diagram: Attacker sends a Bad packet to an Intermediate system, whose ICMP Reply goes to the Victim)
(R)evolution of DoS Attacks
Distributed DoS tools and networks
- Client-Server architecture
- Open-source approach
- Several layers
- Difficulties in tracking back the attacker
Evolution of DoS Attacks
- All of the systems are compromised
- Terminology: Client, Handler, Agent
Evolution of DoS Attacks
Implications of DDoS network:
- One or two attackers
- Small number of clients
- Several handlers
- Huge number of agents
- Humongous traffic
DoS Attacks - Tools
DoS Attacks - Tools
History of DoS tools:
- IRC disable tools
- Single attack method tools
- Distributed tools, with possibility of selecting the type of attack
DoS Attacks - Tools
Trinoo
- Distributed UDP flood (brute force)
- Menu operated
- Agent passwords are sent in plain text form (not encrypted)
DoS Attacks - Tools
TFN (Tribal Flood Network)
- Multi-type attack: UDP flood, SYN flood, ICMP_ECHOREPLY flood, Smurf
- Handler keeps track of its agents in “Blowfish” encrypted file
DoS Attacks - Tools
TFN2K
- Improved version of TFN
- Agent can randomly alternate between the types of attack
- Agent is completely silent (handler sends the same command several times, hoping that agent will receive at least one)
DoS Attacks - Tools
TFN2K
- All communication is encrypted
- Random source IP address and port number
- Decoy packets (sent to non-target networks)
DoS Attacks - Tools
Stacheldraht
- Several levels of protection:
  - Hard-coded password in client
  - Password is needed to take control over handler
  - Encrypted communication between handler and agent
DoS Attacks - Tools
Stacheldraht
- Automated update of agents
- TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent
DoS Attacks - Tools
Stacheldraht
- ICMP_ECHOREPLY packets are difficult to stop
- Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent uses several hard-coded IP addresses
- Agent tests for a possibility of spoofing the source address
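ICMP_ECHOREPLY packets are hard to stop at a border because replies to legitimate pings must be let in, but a reply that no host on the monitored network asked for is abnormal whatever it carries. The same check covers two of the cases above: a burst of unsolicited echo replies from many sources is what a smurf-style reflection delivers (the Smurf and “Reflected” attacks slides), and a slow trickle of them to one host is the shape of the handler-to-agent channel this slide describes. The following is an added example, not code from the slides or from any tool named on them; the packet records and addresses are constructed, and the flood threshold and time window are assumed parameters.

```python
# Added example (not from the slides): flag ICMP echo replies that match no
# outbound echo request from the monitored network, then label each affected
# destination as a reflection flood or an unsolicited-reply pattern.
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "ts direction src dst icmp_type ident seq")
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values


def constructed_capture():
    """Constructed packet records: one legitimate ping, one reflection burst, one trickle."""
    pkts = [
        # legitimate ping from our host 10.0.0.5, answered once
        Pkt(0.00, "out", "10.0.0.5", "203.0.113.9", ECHO_REQUEST, 0x1234, 1),
        Pkt(0.02, "in", "203.0.113.9", "10.0.0.5", ECHO_REPLY, 0x1234, 1),
    ]
    # reflection burst: 200 replies from across a /24, aimed at 10.0.0.7, never requested
    for i in range(1, 201):
        pkts.append(Pkt(1.0 + i * 0.001, "in", f"198.51.100.{i % 254 + 1}",
                        "10.0.0.7", ECHO_REPLY, 0x0001, i))
    # trickle: a lone source sending one unsolicited reply a minute to 10.0.0.9
    for k in range(3):
        pkts.append(Pkt(5.0 + k * 60, "in", "192.0.2.44", "10.0.0.9", ECHO_REPLY, 0x029A, k))
    return sorted(pkts, key=lambda p: p.ts)


def unmatched_replies(pkts):
    """Return inbound echo replies for which no outbound echo request was seen."""
    outstanding = set()
    unmatched = []
    for p in pkts:
        if p.direction == "out" and p.icmp_type == ECHO_REQUEST:
            outstanding.add((p.src, p.dst, p.ident, p.seq))
        elif p.direction == "in" and p.icmp_type == ECHO_REPLY:
            key = (p.dst, p.src, p.ident, p.seq)  # a reply mirrors the request's addresses
            if key in outstanding:
                outstanding.discard(key)
            else:
                unmatched.append(p)
    return unmatched


def classify(pkts, flood_threshold: int = 50, window: float = 1.0) -> dict:
    """Per destination of unmatched replies: count, distinct sources, peak rate and a label.

    flood_threshold and window are assumed tuning values: `flood_threshold`
    unmatched replies inside any `window` seconds is labelled a reflection flood;
    anything below that is reported as an unsolicited echo-reply pattern.
    """
    per_dst = defaultdict(list)
    for p in unmatched_replies(pkts):
        per_dst[p.dst].append(p)

    findings = {}
    for dst, reps in per_dst.items():
        reps.sort(key=lambda p: p.ts)
        peak, start = 0, 0
        for end in range(len(reps)):            # largest count inside any sliding window
            while reps[end].ts - reps[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        findings[dst] = {
            "label": "reflection_flood" if peak >= flood_threshold else "unsolicited_echo_reply",
            "count": len(reps),
            "distinct_sources": len({p.src for p in reps}),
            "peak_per_window": peak,
        }
    return findings


if __name__ == "__main__":
    for dst, info in classify(constructed_capture()).items():
        print(dst, info)
```

The request/reply matching is the part worth keeping when adapting this to a real sensor: it is what separates the legitimate reply to 10.0.0.5 from the two abnormal cases, and a low-volume finding against one host is worth a look at that host even when no flood is in progress.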
DoS Attacks - Tools
Stacheldraht
- Weakness: it uses rpc command for update
- Listening on this port can lead to detection of an agent. The drawback is that this can generate a lot of false alarms (rpc is used by legitimate users too)
Defenses
Defenses
- There is no universal solution
- There are some preventions that can help in minimizing the damage:
  - Prevention of becoming the source of an attack
  - Preparations for defending against an attack
Defenses
- Disable and filter out chargen and echo services
- Disable and filter out all unused UDP services. Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)
Defenses
Install a filtering router to disable the following cases:
- Do not allow packet to pass through if it is coming to your network and has a source address from your network
- Do not allow packet to pass through if it comes from your network and has a source address that doesn’t belong to your network
Defenses
- Network administrators should log all information on packets that are dropped
- If you are providing external UDP services, monitor them for signs of misuse
Defenses
The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:
- 10.0.0.0 to 10.255.255.255 (reserved)
- 127.0.0.0 to 127.255.255.255 (loopback)
- 172.16.0.0 to 172.31.255.255 (reserved)
- 192.168.0.0 to 192.168.255.255 (reserved)
- 0.0.0.0 and 255.255.255.255 (broadcasts)
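The router rules on the last few slides (the two anti-spoofing rules, the UDP service policy, logging of dropped packets, and the reserved ranges listed here) combine into one border filter policy. The code below is an added example of that policy as a decision function, not a configuration from the slides or from any router vendor; it exists so the rules can be checked against sample packets before being translated into a real router's syntax. The protected prefix 203.0.113.0/24 is an assumed value, and the packets at the bottom are constructed.

```python
# Added example (not from the slides): the slides' border filtering rules as a
# decision function, applied to constructed packets, with drops logged.
import ipaddress
from dataclasses import dataclass

OUR_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed: the prefix this router protects

# reserved / private ranges from the slide; never valid on the Internet side of the router
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/32", "255.255.255.255/32")]

# the slide's UDP policy: block UDP ports below 900 except specific offered services like DNS
UDP_LOW_PORT_LIMIT = 900
UDP_ALLOWED_LOW_PORTS = {53}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving our network
    proto: str       # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    dport: int = 0


def decide(pkt: Packet):
    """Return ("allow", reason) or ("drop", reason) for one packet at the border."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        if src in OUR_NET:
            return "drop", "ingress: source claims to be inside our network"
        if any(src in net for net in RESERVED):
            return "drop", "ingress: reserved/private source address"
        if (pkt.proto == "udp" and pkt.dport < UDP_LOW_PORT_LIMIT
                and pkt.dport not in UDP_ALLOWED_LOW_PORTS):
            return "drop", f"ingress: UDP port {pkt.dport} is not an offered service"
    elif pkt.direction == "out":
        if src not in OUR_NET:
            return "drop", "egress: source address does not belong to our network"
        if any(dst in net for net in RESERVED):
            return "drop", "egress: destination is a reserved/private range"
    return "allow", "no rule matched"


def filter_log(packets):
    """Apply decide() to each packet; every drop is logged with its full tuple."""
    allowed, log = [], []
    for p in packets:
        action, reason = decide(p)
        if action == "drop":
            log.append(f"DROP {p.direction} {p.proto} {p.src}->{p.dst}:{p.dport} {reason}")
        else:
            allowed.append(p)
    return allowed, log


# constructed sample traffic, one packet per rule plus two that should pass
SAMPLE = [
    Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 80),     # normal inbound web request
    Packet("in", "udp", "198.51.100.7", "203.0.113.10", 53),     # DNS, explicitly allowed
    Packet("in", "udp", "198.51.100.7", "203.0.113.10", 19),     # chargen probe: dropped
    Packet("in", "udp", "198.51.100.7", "203.0.113.10", 7),      # echo probe: dropped
    Packet("in", "tcp", "203.0.113.99", "203.0.113.10", 80),     # spoofed inside source: dropped
    Packet("in", "icmp", "10.1.2.3", "203.0.113.10"),            # private source from outside: dropped
    Packet("out", "udp", "192.168.1.5", "198.51.100.7", 7),      # egress spoof: dropped
    Packet("out", "tcp", "203.0.113.10", "198.51.100.7", 443),   # normal outbound
]

if __name__ == "__main__":
    passed, dropped = filter_log(SAMPLE)
    print(f"{len(passed)} allowed, {len(dropped)} dropped")
    print("\n".join(dropped))
```

The egress rule is the one that keeps a network from becoming the source of the spoofed-address floods on the UDP flood and Smurf slides, and the drop log is what the slide on logging asks for; both are cheap on a border router and worth having before any attack is noticed.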
Defenses
- Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed
- Systems should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)
Defenses
- Train your system and network administrators
- Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com
- From time to time listen in on the attacker community to be informed about their latest achievements
- Be in contact with your ISP. In case your network is being attacked, this can save a lot of time
Conclusion
- Several examples of large scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon)
- Increased number of consumers with high bandwidth technologies, but with poor knowledge of network security
- Easily accessible, easy to use DoS attack tools
- No final solution for attacks
This tutorial is based on a research paper done for isitworking.com
Isitworking is part of Biopop company, Charlotte, NC, USA
So far, it was presented on:
- SSGRR 2002w, L’Aquila, Italy
- YU-INFO 2002, Kopaonik, Serbia