DOS Threats and Countermeasure

Upload: nu-the-open-security-community

Post on 18-Nov-2014


DESCRIPTION

null Pune April 2012 Meet

TRANSCRIPT

Page 1: Dos threats and countermeasures

DOS Threats and Countermeasure

Page 2

DoS attacks in the news

• Anonymous takes down the Formula 1 website with a DDoS attack in protest against Bahrain hosting the Grand Prix race.

Source: jalopnik.com

• DDoS attacks on PayPal, Visa and MasterCard in retaliation for their blocking of WikiLeaks' accounts.

Page 3

Terminology:

• A DoS or DDoS attack is an attempt to make a computer or network resource unavailable to its intended users.

• DDoS is the distributed form: a master controls a set of bots which are then used to attack the target all together, so the traffic arrives from many sources at once.

• DRDoS, i.e. distributed reflected DoS, involves spoofing the victim's address as the source of requests sent to third-party servers, whose replies then flood the victim.

• Bots, also known as zombies, are infected computers under the control of the attacker.

• A botnet is a network of bots.

• C&C server: the command and control server through which the attacker sends instructions to the bots.

Page 4

DDOS in action

Page 5

Classification of DoS attacks:

Bandwidth consumption

Local resource starvation

Programming flaws

Page 6

Different types of DoS attack

TCP SYN attack

A TCP SYN flood sends a host more TCP SYN packets than its protocol implementation can handle: each spoofed SYN leaves a half-open connection in the listen backlog until it times out, so the backlog fills and SYNs from legitimate clients are dropped.
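The standard answer to a backlog that fills with half-open connections is to stop storing them: encode the connection state in the SYN-ACK's sequence number and recover it from the client's final ACK. The block below is an added example, not code from the slides; it is a simplified SYN cookie of the kind Linux enables with net.ipv4.tcp_syncookies, and the secret key, MSS table and bit layout are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the slides. Linux enables the same idea with
# net.ipv4.tcp_syncookies; the secret key, MSS table and exact bit layout here
# are assumptions made for illustration.

SECRET = b"rotate-this-key-regularly"      # assumed per-host secret
MSS_TABLE = [536, 1220, 1460, 4312]        # two cookie bits select one of these
COUNTER_PERIOD = 64                        # seconds per tick of the time counter


def current_counter(now=None):
    """Coarse clock folded into the cookie so that old cookies stop validating."""
    return int(time.time() if now is None else now) // COUNTER_PERIOD


def _mac25(src, dst, sport, dport, client_isn, counter, mss_idx):
    """25-bit truncated HMAC over the 4-tuple, client ISN, counter and MSS index."""
    msg = struct.pack("!4s4sHHIIB", src, dst, sport, dport,
                      client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(src, dst, sport, dport, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 5 bits of counter | 2 bits MSS index | 25-bit MAC.
    The server stores nothing; the half-open connection lives only in this number."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                    # largest table entry not above the offered MSS
    mac = _mac25(src, dst, sport, dport, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | mac


def check_cookie(src, dst, sport, dport, ack_seq, ack_ack, counter, max_age=2):
    """Validate the handshake's final ACK. ack_seq is its sequence number
    (client ISN + 1) and ack_ack its acknowledgement number (our cookie + 1).
    Returns the MSS to use for the connection, or None if the ACK is not valid."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    ctr_bits = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & 0x1FFFFFF
    for age in range(max_age + 1):         # only cookies from the last few ticks are accepted
        ctr = counter - age
        if ctr < 0 or (ctr & 0x1F) != ctr_bits:
            continue
        expected = _mac25(src, dst, sport, dport, client_isn, ctr, mss_idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """A genuine client completes the handshake; an ACK arriving after the cookie
    window has passed (a spoofing attacker never saw the SYN-ACK at all) is rejected."""
    src, dst = bytes([203, 0, 113, 7]), bytes([192, 0, 2, 10])
    client_isn, ctr = 0x1234ABCD, current_counter(1_700_000_000)
    isn = make_cookie(src, dst, 40000, 80, client_isn, 1460, ctr)
    ack = (isn + 1) & 0xFFFFFFFF
    genuine = check_cookie(src, dst, 40000, 80, client_isn + 1, ack, ctr)
    stale = check_cookie(src, dst, 40000, 80, client_isn + 1, ack, ctr + 5)
    return genuine, stale


if __name__ == "__main__":
    print(demo())   # (1460, None)
```

The cost of the scheme is visible in the code: only a handful of MSS values survive the round trip and TCP options such as window scaling are lost, which is why real stacks fall back to cookies only once the backlog is actually full.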

Page 7

Smurf attack

• A smurf attack exploits Internet Protocol (IP) directed-broadcast addressing to create a denial of service: the attacker sends ICMP echo requests with the victim's spoofed source address to a network's broadcast address, and every host on that network answers the victim, so one packet in becomes hundreds of packets out.
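The fix is at the router that would forward the packet onto the LAN: refuse to forward directed broadcasts at all. The block below is an added example, not code from the slides; it mimics that filter over a few constructed packet records and reports the amplification each echo request would have produced. The local prefixes and packets are assumptions.

```python
import ipaddress

# Added example, not code from the slides. The local prefixes and packet
# records are constructed; they stand in for what a border router sees.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
ICMP_ECHO_REQUEST = 8


def directed_broadcast_of(dst):
    """Return the local prefix whose broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_PREFIXES:
        if addr == net.broadcast_address:
            return net
    return None


def amplification(dst):
    """Worst-case replies one echo request can trigger: every host in the prefix answers."""
    net = directed_broadcast_of(dst)
    return net.num_addresses - 2 if net else 1


def triage(packets):
    """packets: (src, dst, proto, icmp_type). Behaves like a router configured not
    to forward directed broadcasts ('no ip directed-broadcast' on Cisco IOS):
    anything aimed at a local broadcast address is dropped, and echo requests
    among them are reported as smurf attempts against the (spoofed) source."""
    forwarded, dropped, alerts = [], [], []
    for src, dst, proto, icmp_type in packets:
        if directed_broadcast_of(dst) is None:
            forwarded.append((src, dst))
            continue
        dropped.append((src, dst))
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
            alerts.append(f"smurf: echo request to {dst} could send up to "
                          f"{amplification(dst)} replies to {src}")
    return forwarded, dropped, alerts


# Constructed sample: two spoofed echo requests carrying the victim 203.0.113.7
# as source, one ordinary ping between hosts, one non-ICMP directed broadcast.
SAMPLE = [
    ("203.0.113.7", "192.0.2.255", "icmp", 8),
    ("203.0.113.7", "198.51.100.127", "icmp", 8),
    ("192.0.2.44", "192.0.2.10", "icmp", 8),
    ("192.0.2.44", "192.0.2.255", "udp", None),
]

if __name__ == "__main__":
    for line in triage(SAMPLE)[2]:
        print(line)
```

Hosts can additionally be told not to answer echo requests sent to broadcast addresses (net.ipv4.icmp_echo_ignore_broadcasts on Linux), which protects the LAN even if an upstream router still forwards them.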

Page 8

Vulnerable HTTP

A type of resource starvation attack: the target is the server's pool of worker threads or connection slots, not its bandwidth, so a single slow client can do it.

Slow HTTP POST exploits the Content-Length field of the HTTP request, which specifies the length of the message body in bytes: the client declares a large body and then sends it a few bytes at a time, and the server keeps the connection and its worker waiting for the rest.

Slow Read sends a legitimate HTTP request and then reads the response very slowly (advertising a tiny or zero TCP receive window), thus keeping as many connections open as possible and eventually causing a DoS.
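Servers shed these clients with per-connection timers rather than by inspecting content. The block below is an added example, not code from the slides: it models the timer for the slow POST and slow read cases above, and goes one step beyond the text by adding the slow-header (Slowloris) case, which the same family of timeouts covers. The thresholds are assumptions; Apache's mod_reqtimeout and nginx's client_header_timeout, client_body_timeout and send_timeout express the same policy.

```python
# Added example, not code from the slides. Three per-connection timers a web
# server or reverse proxy applies to shed slow clients. Thresholds are
# assumptions chosen for illustration.
HEADER_DEADLINE = 10.0   # seconds to deliver the complete request header
BODY_GRACE = 5.0         # seconds before the body rate is enforced
BODY_MIN_RATE = 500.0    # bytes per second required after the grace period
READ_DEADLINE = 30.0     # seconds a zero receive window may stall the response


def slow_headers(chunks, deadline=HEADER_DEADLINE):
    """chunks: (time, bytes) of request-header data. A slow-header client sends
    one header line at a time and never the blank line that ends the block.
    Returns the time the connection is dropped, or None if the header completed in time."""
    buf = b""
    for t, data in chunks:
        if t > deadline:
            return deadline
        buf += data
        if b"\r\n\r\n" in buf:
            return None
    return deadline


def slow_body(content_length, chunks, grace=BODY_GRACE, min_rate=BODY_MIN_RATE):
    """chunks: (time, nbytes) of request-body data for a request that declared
    content_length. The timer fires as soon as the bytes the minimum rate demands
    overtake the bytes actually received. Returns the drop time, or None if the
    whole body arrived before that happened."""
    received = 0
    for t, n in chunks:
        fires_at = grace + received / min_rate
        if t > fires_at:
            return fires_at
        received += n
        if received >= content_length:
            return None
    return grace + received / min_rate      # body never completed: timer fires here


def slow_read(window_updates, deadline=READ_DEADLINE):
    """window_updates: (time, advertised TCP receive window) from the client's
    ACKs while the response is being sent. A slow-read client keeps the window
    at zero so the server cannot drain its send buffer. Returns the time the
    drop timer fires if the window is not reopened, or None if it is open at
    the last update."""
    zero_since = None
    for t, window in window_updates:
        if window == 0:
            if zero_since is None:
                zero_since = t
            elif t - zero_since > deadline:
                return zero_since + deadline
        else:
            zero_since = None
    return None if zero_since is None else zero_since + deadline


if __name__ == "__main__":
    # Constructed timelines: one honest client and one attacker per case.
    print(slow_headers([(0.0, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n")]))
    print(slow_headers([(0.0, b"GET / HTTP/1.1\r\n"), (4.0, b"X-a: 1\r\n"),
                        (9.0, b"X-b: 2\r\n"), (14.0, b"\r\n")]))
    print(slow_body(100_000, [(0.1, 60_000), (0.2, 40_000)]))
    print(slow_body(100_000, [(0.0, 1), (3.0, 1), (6.0, 1)]))
    print(slow_read([(0, 65535), (1, 0), (2, 0), (40, 0)]))
```

The timers only bound how long one connection can be held; the attack still succeeds if the attacker can open connections faster than they expire, so they are normally paired with a per-source connection limit.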

Page 9

DHCP starvation and prevention

• The attacker floods the server with DHCPDISCOVER and DHCPREQUEST messages from forged client MAC addresses so that every IP in the DHCP range is leased to a dummy client, which effectively causes a DoS for new users trying to obtain an address from DHCP.

• Prevention: DHCP snooping on the access switch with a per-port rate limit on DHCP messages, and port security limiting the number of MAC addresses per port, so that one port cannot impersonate hundreds of clients.
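The same signal a switch uses for its per-port rate limit can be read out of the DHCP server's own log: a burst of DISCOVERs from MAC addresses nobody has seen before. The block below is an added example, not code from the slides. The log lines are generated here in the shape of ISC dhcpd syslog output with an epoch timestamp in front, and the window and threshold are assumptions.

```python
import re
from collections import deque

# Added example, not code from the slides. Lines follow the shape of ISC dhcpd
# syslog output ("DHCPDISCOVER from <mac> via <interface>") with an epoch
# timestamp prepended; the sample is constructed here, and window/threshold
# are assumptions.
LINE_RE = re.compile(r"^(\d+) DHCPDISCOVER from ([0-9a-f:]{17}) via (\S+)$")
WINDOW = 60           # seconds
MAX_NEW_CLIENTS = 20  # distinct client MACs per interface per window before alerting


def detect_starvation(lines, window=WINDOW, threshold=MAX_NEW_CLIENTS):
    """Return one alert per interface each time the number of distinct MACs seen
    in DHCPDISCOVER within `window` seconds first exceeds `threshold`."""
    recent = {}       # iface -> deque of (t, mac) inside the window
    alerting = set()  # interfaces already above threshold (alert once per episode)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t, mac, iface = int(m.group(1)), m.group(2), m.group(3)
        q = recent.setdefault(iface, deque())
        q.append((t, mac))
        while q and q[0][0] < t - window:   # slide the window forward
            q.popleft()
        distinct = len({seen_mac for _, seen_mac in q})
        if distinct > threshold and iface not in alerting:
            alerting.add(iface)
            alerts.append({"t": t, "iface": iface, "distinct_macs": distinct})
        elif distinct <= threshold:
            alerting.discard(iface)
    return alerts


def sample_log():
    """Constructed: three ordinary clients, then a starvation tool cycling a
    forged MAC address once per second for a minute."""
    legit = ["0 DHCPDISCOVER from 00:1c:42:7a:10:01 via eth0",
             "5 DHCPDISCOVER from 00:1c:42:7a:10:02 via eth0",
             "40 DHCPDISCOVER from 00:1c:42:7a:10:03 via eth0"]
    attack = [f"{100 + i} DHCPDISCOVER from 02:00:00:00:{i // 256:02x}:{i % 256:02x} via eth0"
              for i in range(60)]
    return legit + attack


if __name__ == "__main__":
    for alert in detect_starvation(sample_log()):
        print(alert)
```

The server-side view can only tell you which relay or interface the flood came through; locating the offending port is the switch's job, which is why DHCP snooping (which sees the port) is the control that actually stops the attack.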

Page 10

Programming flaws exploited

Page 11

Torpig botnet: an analysis

Page 12

Communicating bots

• IP fast-flux: a single domain name resolves to many IPs (infected hosts acting as proxies for the real C&C server) and the set of IPs changes frequently behind very low DNS TTLs, so blocking any one address does not cut the bots off.

• Domain flux involves the use of a DGA, i.e. a Domain Generation Algorithm: bot and botmaster both compute the same sequence of domain names (typically seeded by the date), so the botmaster only has to register one of the upcoming names and there is no fixed C&C domain to take down.
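Both techniques have a defensive mirror image: a reversed DGA lets a defender register the bots' future domains before the botmaster does (the sinkholing on the countermeasures slide), and fast-flux shows up in DNS as many unrelated addresses behind a tiny TTL. The block below is an added example, not code from the slides and not Torpig's actual algorithm: the DGA is a generic date-seeded one, the DNS answers are constructed, and the secret, TLD list, thresholds and domain counts are assumptions.

```python
import hashlib
import ipaddress
from datetime import date, timedelta

# Added example, not code from the slides and not Torpig's real DGA. Secret,
# TLD list, thresholds and the DNS answers below are assumptions.


# --- domain flux -------------------------------------------------------------
def dga_domains(day, secret, per_day=3, tlds=("com", "net", "biz")):
    """Domains a bot tries on `day`. Bot and botmaster share `secret`, so both
    compute the same list without any fixed C&C name being hard-coded."""
    out = []
    for i in range(per_day):
        h = hashlib.sha256(secret + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        out.append(f"{label}.{tlds[h[12] % len(tlds)]}")
    return out


def sinkhole_plan(start, days, secret):
    """What a defender who has reversed the DGA registers ahead of the botmaster:
    every domain the bots will try over the next `days` days."""
    return {start + timedelta(d): dga_domains(start + timedelta(d), secret)
            for d in range(days)}


# --- IP fast-flux ------------------------------------------------------------
def fast_flux_score(answers):
    """answers: (ttl, [ip, ...]) from repeated lookups of one name. Flux networks
    hand out many unrelated (residential) addresses with tiny TTLs; a CDN also
    uses low TTLs, but its addresses cluster in a few prefixes."""
    ips = {ip for _, rrset in answers for ip in rrset}
    slash16 = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    min_ttl = min(ttl for ttl, _ in answers)
    return {"distinct_ips": len(ips), "distinct_16": len(slash16), "min_ttl": min_ttl}


def looks_like_flux(answers, min_ips=10, min_16=5, max_ttl=300):
    s = fast_flux_score(answers)
    return (s["distinct_ips"] >= min_ips and s["distinct_16"] >= min_16
            and s["min_ttl"] <= max_ttl)


# Constructed lookups: a flux name rotating through five unrelated /16s, and a
# CDN-style name with a low TTL but addresses in one /24.
FLUX_ANSWERS = [(120, [f"{a}.{b}.1.{i}" for a, b in ((24, 5), (77, 40), (98, 12),
                                                      (112, 200), (188, 33))])
                for i in range(1, 5)]
CDN_ANSWERS = [(60, ["203.0.113.10", "203.0.113.11"]),
               (60, ["203.0.113.12", "203.0.113.13"])]

if __name__ == "__main__":
    for day, names in sinkhole_plan(date(2012, 4, 14), 3, b"null-pune-demo").items():
        print(day, names)
    print(looks_like_flux(FLUX_ANSWERS), looks_like_flux(CDN_ANSWERS))
```

The sinkhole plan is only as good as the secret: a DGA whose seed is something the defender cannot predict in advance (a value published later, for example) defeats pre-registration, and the flux heuristic is a starting point that still needs allow-listing of known CDNs.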

Page 13

Countermeasures

• Delayed binding (TCP connection splicing): a proxy or load balancer completes the three-way handshake with the client itself and only opens a connection to the real server once the handshake succeeds, so spoofed SYNs never reach the server.

• Rate limiter

• IPS and rate-based IPS

• Blackholing: routing all traffic for the attacked address to a null interface; this stops the flood from affecting everything else at the cost of completing the DoS for that address.

• Sinkholing: redirecting the attack traffic (or the botnet's C&C domains) to an analysis host instead of simply dropping it.

• Clean pipes: a scrubbing service filters the traffic upstream and forwards only the clean remainder.

• Bogon filtering and uRPF, i.e. unicast reverse path forwarding: drop packets whose source address is unallocated or reserved, or which arrive on an interface the router would not use to reach that source; this removes most spoofed traffic at the network edge.

• WAN-link failover
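Bogon filtering and uRPF are both decisions a router makes per packet from its own forwarding table, which makes them easy to model. The block below is an added example, not code from the slides; it applies an abbreviated bogon list and strict or loose uRPF to constructed packets against an assumed forwarding table. RFC 5737 documentation prefixes stand in for customer address space, so they are deliberately absent from the bogon list here, while a real deployment would take the full list from Team Cymru or an IRR feed.

```python
import ipaddress

# Added example, not code from the slides. The FIB and packets are constructed;
# RFC 5737 documentation prefixes stand in for customer space here, so they are
# deliberately left out of this abbreviated bogon list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Forwarding table: prefix -> outgoing interface (assumed topology: two
# single-homed customers and one upstream carrying the default route).
FIB = [(ipaddress.ip_network(p), i) for p, i in (
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("0.0.0.0/0", "upstream"))]


def is_bogon(src):
    return any(ipaddress.ip_address(src) in net for net in BOGONS)


def lookup(addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_filter(src, ingress, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `ingress` is accepted.
    strict uRPF: the best route back to src must leave via the ingress interface
    (right for single-homed customer ports). loose uRPF: any route to src is
    enough (for multi-homed peers with asymmetric paths). The default route only
    counts when allow_default is set, otherwise everything would pass loose mode."""
    if is_bogon(src):
        return "drop:bogon"
    route = lookup(src)
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        return "drop:no-route"
    if mode == "strict" and route[1] != ingress:
        return "drop:urpf-strict"
    return "accept"


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface). The second and third
    # lines are what a spoofing customer host would send.
    for src, iface in (("192.0.2.5", "cust1"), ("198.51.100.9", "cust1"),
                       ("10.1.1.1", "cust1"), ("203.0.113.1", "cust1")):
        print(src, iface, ingress_filter(src, iface))
```

Strict mode belongs on customer-facing ports, where the return path is unambiguous; on an upstream interface that holds only a default route it would drop the whole Internet, so there you run loose mode with the default allowed and rely on bogon filtering for the rest.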

Page 14

Some more to know

• Bots are available for rent, priced from $3 per day to $300 a week.

• Zombies are also used for spamming, and they are difficult to block with DNSBLs because the sending addresses are ordinary infected hosts that keep changing.

• Know hacking, but no hacking.

Page 15

References

• http://en.wikipedia.org/wiki/Denial-of-service_attack

• DDoS attack and countermeasure, by Pier Luigi Rotondo

• RioRey, Taxonomy of DDoS Attacks, version 2.2, 2011

• http://www.honeynet.org/node/132

• IEEE Security & Privacy magazine, volume 9, number 1

Page 16