DoS Attack - Incident Handling - A Case Study
Keeping our network and systems safe
Information Security - The Health Clinic
Information Security Incident Handling
Agenda
1. The Denial of Service attack
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Recovery
5. Maintaining network security
The incident handling phases used here (detection and analysis; containment, eradication and recovery; post-incident activity) follow NIST SP 800-61 (Scarfone, Grance & Masone, 2008).
DoS
DoS does not stand for "Department of Something"!
DoS is a kind of information security attack against networks, systems and applications, intended to make them unavailable to their legitimate users.
Availability
Some security threats affect Confidentiality...
Others impact the Integrity of information...
Denial of Service affects Availability.
What is DoS all about?
• It is not about gaining unauthorized access to a system
• It is not about corrupting data
• It is not about cracking any password
It is not about Confidentiality or Integrity. It is about Availability.
DoS
What happens when a DoS attack is going on?
Computers
• Operating systems are crashed by malformed TCP/IP packets
• Servers are made to establish too many simultaneous login sessions
• Too many processor-intensive requests are made
• Large files are created (exhausting disk space)
Applications
• Applications crash on receiving illegal (malformed) requests
• Applications on the Web tier, Application tier and Data tier can all be affected
Networks
• Network performance is degraded
• Broadcasts are sent on the same frequencies used by wireless devices (radio jamming)
• Network components are modified or destroyed
Agents
• Agents are installed on compromised hosts
• They perform the attacks
• They are also called "bots"
• The set of hosts running bots is called a "botnet"
Handler
• It is a program that controls the agents
• The handler says when to attack, what to attack and how to attack
Attack
• Bots follow the instructions and attack the targeted victims
• The bots could be pre-programmed to attack
• The attacker can also communicate with the bots via IRC
How does it work? Distributed Denial of Service (DDoS)
1. DDoS agents are installed on the compromised hosts
2. The handler instructs the DDoS agents
3. The DDoS agents attack the victim networks and hosts
The three types of DDoS attacks
Reflector attacks
• A UDP-based service is used to attack
• An intermediate host is used to attack the victim; the intermediate host is called the reflector
• The real source is hidden behind a spoofed address: the attacker spoofs the victim's address, so the reflector's replies go to the victim
• Loops between port 7 (Echo) and port 19 (Chargen): one spoofed packet makes the two services answer each other indefinitely
Amplifier attacks
• Also involve sending requests with a spoofed source address
• Use a whole network of intermediate hosts
• Use ICMP and UDP requests to broadcast addresses
• E.g.: DNS recursive attack (queries to open recursive resolvers, whose much larger responses are delivered to the spoofed victim address)
Flood attacks
• Use a large number of incomplete connection requests
• Prevent new connections from being made
• Examples: SYN flood and peer-to-peer attacks
• Can be carried out by sending UDP, ICMP and TCP packets
Detection and Analysis - Precursors
• Reconnaissance activity: usually a low volume of traffic; incident handlers could detect preparation for a DoS attack and change the security implementation as a response
• Newly released DoS tool: usually a low volume of traffic; investigate the new tool and change the security controls
Detection and Analysis - Indications
• Network-based DoS against a host
• Network-based DoS against a network
• DoS against the operating system
• Layer 7 DoS attack against an application/service
Detection and Analysis - Additional challenges
• Tracing the source of the attacks (source addresses are usually spoofed)
• The IP address of the handler is not visible
• False positive alerts
• Server crashes and service outages resulting from the attacks
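The indications above are easier to recognise with a concrete detector in hand. The following Python is an added example, not part of the original presentation: it runs over a small set of constructed NetFlow-style records and flags the three attack patterns described earlier (a SYN flood seen as many half-open TCP flows from many sources, an Echo/Chargen reflector loop, and DNS amplification seen as large replies from many resolvers converging on one victim). The victim address, the thresholds and the sample records are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # assumed clinic public server address (documentation range)

# Detection thresholds: assumptions for this example, tune to the real network.
SYN_FLOOD_MIN_HALF_OPEN = 30       # half-open TCP flows to one service
SYN_FLOOD_MIN_SOURCES = 20         # ...from at least this many distinct sources
AMPLIFIER_MIN_SOURCES = 10         # distinct reflecting hosts replying to the victim
AMPLIFIED_BYTES_PER_PACKET = 1000  # replies this large are not ordinary answers
REFLECTOR_PORTS = {7, 19, 53}      # Echo, Chargen, DNS (the services named above)


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow-style, fields reduced for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # cumulative TCP flags seen in the flow, "" for UDP
    packets: int
    bytes: int


# Constructed sample records; none of these come from a real capture.
LEGIT_FLOWS = [
    Flow("192.0.2.5", 51000, VICTIM, 443, "tcp", "SPAF", 12, 4000),  # normal HTTPS session
    Flow("192.0.2.6", 51001, VICTIM, 443, "tcp", "SPA", 30, 15000),
    Flow("192.0.2.53", 53, VICTIM, 41000, "udp", "", 2, 300),        # ordinary DNS answer
]
ATTACK_FLOWS = (
    # SYN flood: one SYN each from 50 sources, no ACK ever follows (half-open)
    [Flow(f"198.51.100.{i}", 40000 + i, VICTIM, 443, "tcp", "S", 1, 60) for i in range(1, 51)]
    # DNS amplification: 20 open resolvers answering the victim with ~3 kB responses
    + [Flow(f"198.51.100.{100 + i}", 53, VICTIM, 3333, "udp", "", 10, 30000) for i in range(20)]
    # Echo/Chargen loop: a Chargen reflector streaming at the victim's Echo port
    + [Flow("198.51.100.200", 19, VICTIM, 7, "udp", "", 500, 500000)]
)
SAMPLE_FLOWS = LEGIT_FLOWS + ATTACK_FLOWS


def detect_syn_flood(flows):
    """Flag a service receiving many half-open connections from many sources."""
    half_open = defaultdict(list)  # (dst, dport) -> flows with SYN but no ACK
    for f in flows:
        if f.proto == "tcp" and "S" in f.flags and "A" not in f.flags:
            half_open[(f.dst, f.dport)].append(f)
    findings = []
    for (dst, dport), fs in half_open.items():
        sources = {f.src for f in fs}
        if len(fs) >= SYN_FLOOD_MIN_HALF_OPEN and len(sources) >= SYN_FLOOD_MIN_SOURCES:
            findings.append({"type": "syn_flood", "target": dst, "port": dport,
                             "half_open": len(fs), "sources": len(sources)})
    return findings


def detect_udp_reflection(flows):
    """Flag replies from reflector/amplifier services converging on one victim."""
    groups = defaultdict(list)  # (dst, reflecting service port) -> flows
    for f in flows:
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            groups[(f.dst, f.sport)].append(f)
    findings = []
    for (dst, sport), fs in groups.items():
        sources = {f.src for f in fs}
        avg_bytes = sum(f.bytes for f in fs) / max(1, sum(f.packets for f in fs))
        if sport in (7, 19) and any(f.dport in (7, 19) for f in fs):
            # Echo <-> Chargen ping-pong: a single reflector is enough to matter
            findings.append({"type": "echo_chargen_reflector", "target": dst,
                             "reflectors": sorted(sources)})
        elif len(sources) >= AMPLIFIER_MIN_SOURCES and avg_bytes >= AMPLIFIED_BYTES_PER_PACKET:
            findings.append({"type": "amplifier", "target": dst, "service_port": sport,
                             "sources": len(sources), "bytes_per_packet": round(avg_bytes)})
    return findings


def analyze(flows):
    """Run every detector and return the combined list of findings."""
    return detect_syn_flood(flows) + detect_udp_reflection(flows)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

Note the challenge the slides point out: the SYN flood finding counts 50 "sources", but those addresses are almost certainly spoofed, and the resolvers in the amplifier finding are victims too; neither list identifies the handler.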
Containment, Eradication and Recovery
Performing containment, gathering and handling evidence for DoS incidents
Containment for a DoS incident: stop the bleeding
• It usually consists of STOPPING the DoS. It is not too easy!
• Try all possible solutions for containing a DoS attack
Eradication & Recovery: clean up the house
• Correct the vulnerability
• Implement filtering based on the characteristics of the attack
• The ISPs are key partners against network-based DoS
• Hide the target
Post-incident Recovery - Corrective and preventive actions
• Hold a lessons-learned meeting
• Configure firewall rulesets to prevent reflector attacks
• Configure border routers to prevent amplifier attacks
• Implement/configure NIDS and HIDS to detect DoS attacks
• Create and maintain a multi-solution containment strategy
• Separate critical services
• Create a follow-up report
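"Implement filtering based on the characteristics of the attack" and the two preventive items above (firewall rules against reflector attacks, border-router configuration against amplifier attacks) come down to a handful of rules at the network edge. The Python below is an added example written for this page, not configuration from the presentation or from any vendor: it models a border filter that applies ingress/egress anti-spoofing (the BCP 38 idea), refuses directed broadcasts from outside, blocks the Echo/Chargen pair in both directions, and keeps the recursive resolver closed to the Internet, then runs it over constructed packets. The prefixes, resolver address and interface names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed clinic addressing (constructed, documentation ranges only)
INTERNAL_PREFIXES = [ip_network("192.0.2.0/24")]   # the clinic's own network
RECURSIVE_RESOLVERS = {ip_address("192.0.2.53")}   # internal-only DNS recursor
ECHO_CHARGEN_PORTS = {7, 19}
LAN_IFACES = {"lan0"}   # interface carrying the clinic LAN
WAN_IFACES = {"wan0"}   # interface carrying the ISP link


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


def is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def border_filter(p):
    """Return ("accept" | "drop", reason) for a packet crossing the border router."""
    src, dst = ip_address(p.src), ip_address(p.dst)

    # 1. Egress/ingress filtering (BCP 38): packets leaving the LAN must carry one
    #    of our own source addresses, so our hosts cannot launch the spoofed
    #    requests that reflector and amplifier attacks depend on.
    if p.iface in LAN_IFACES and not is_internal(src):
        return "drop", "spoofed source address leaving the clinic network"

    # 2. The mirror rule: nothing arriving from the ISP may claim an internal address.
    if p.iface in WAN_IFACES and is_internal(src):
        return "drop", "internal source address arriving from the WAN"

    # 3. No directed broadcasts from outside: stops our network answering
    #    ICMP/UDP "requests to broadcast addresses" on an attacker's behalf.
    if p.iface in WAN_IFACES and any(dst == net.broadcast_address for net in INTERNAL_PREFIXES):
        return "drop", "directed broadcast from the WAN"

    # 4. Echo and Chargen have no business crossing the border in either direction.
    if p.proto == "udp" and (p.sport in ECHO_CHARGEN_PORTS or p.dport in ECHO_CHARGEN_PORTS):
        return "drop", "echo/chargen reflector loop"

    # 5. The recursive resolver serves the LAN only; an open recursor is a DNS amplifier.
    if p.iface in WAN_IFACES and p.proto == "udp" and p.dport == 53 and dst in RECURSIVE_RESOLVERS:
        return "drop", "DNS query to internal recursive resolver from the WAN"

    return "accept", "ok"


# Constructed sample packets, one per rule plus two that should pass.
SAMPLE_PACKETS = [
    Packet("lan0", "203.0.113.9", "198.51.100.1", "udp", 53, 53),     # spoofed source from inside
    Packet("wan0", "192.0.2.9", "192.0.2.10", "tcp", 1234, 80),        # our address from the ISP side
    Packet("wan0", "198.51.100.7", "192.0.2.255", "icmp"),             # directed broadcast
    Packet("wan0", "198.51.100.8", "192.0.2.10", "udp", 19, 7),        # chargen -> echo
    Packet("wan0", "198.51.100.9", "192.0.2.53", "udp", 5555, 53),     # open-resolver probe
    Packet("wan0", "198.51.100.10", "192.0.2.10", "tcp", 51000, 443),  # ordinary HTTPS client
    Packet("lan0", "192.0.2.20", "198.51.100.53", "udp", 40000, 53),   # LAN host's own DNS query
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = border_filter(pkt)
        print(f"{verdict:6} {pkt.iface} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto:4} ({reason})")
```

Rules 1 and 2 are the ones the ISP partnership on the previous slide is about: they only protect other people when every network applies them, which is why the slides list the ISPs as key partners rather than a tool you run yourself.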
Maintaining network security
How can employees help maintain network security?
• Only provide username and password on certified websites
• Don't accept any kind of software installation through the Internet
• Be aware of social engineering: email messages can be used for identity theft and phishing
• Don't click on suspicious email attachments
• Prefer BCC when sending emails to multiple recipients
• Emails are usually sent in clear text
• Don't forward any email chain letters
References
• Scarfone, K., Grance, T., & Masone, K. (2008). Computer Security Incident Handling Guide, NIST Special Publication 800-61. Gaithersburg, MD: National Institute of Standards and Technology.
• EC-Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.