DOS Threats and Countermeasures
null Pune April 2012 Meet
DoS attacks in the news
• Anonymous takes down the Formula 1 website with a DDoS attack against Bahrain's hosting of the Grand Prix race.
Source: jalopnik.com
• DDoS attack on PayPal, Visa and MasterCard for blocking the accounts of WikiLeaks.
Terminology:
• A DoS or DDoS attack is an attempt to make a computer or network resource unavailable to its intended users.
• DDoS, however, is something more artistic: masters control bots, which are then used to attack the network all together.
• DRDoS, i.e. distributed reflected DoS, involves spoofing the victim's address so that third-party hosts reflect their replies onto the victim.
• Bots, also known as zombies, are infected computers under the control of the attacker.
• A botnet is a network of bots.
• C&C server stands for command and control server.
DDOS in action
Classification of DoS attacks:
• Bandwidth consumption
• Local resource starvation
• Programming flaws
Different types of DoS attack
TCP SYN attack
• A TCP SYN flood sends a host more TCP SYN packets than the protocol implementation can handle.
Smurf attack
• A smurf attack exploits Internet Protocol (IP) broadcast addressing to create a denial of service.
Vulnerable HTTP
• A type of resource starvation attack.
• Slow HTTP response attack: exploits the Content-Length field of the HTTP request, which specifies the length of the message body in bytes, so that the server keeps the connection open waiting for a body that arrives very slowly.
• Slow Read sends a legitimate HTTP request and then reads the response very slowly, keeping as many connections open as possible and eventually causing a DoS.
DHCP starvation & prevention
• The idea is to obtain dummy leases for all the IPs in the DHCP range, which effectively causes a DoS for new users trying to receive an IP from DHCP.
Programming flaws exploited
Torpig botnet: an analysis
Communicating bots
• IP fast-flux provides multiple IPs for a domain name, with the IPs changing frequently.
• Domain flux involves the use of a DGA, i.e. Domain Generation Algorithm.
Countermeasures
• Delayed binding (TCP connection splicing)
• Rate limiter
• IPS and rate based IPS
• Blackholing
• Sinkholing
• Clean Pipes
• Bogon filtering, uRPF (unicast reverse path forwarding)
• WAN-link failover
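As an added example, not from the slides, the bogon filtering and uRPF countermeasures above modelled in Python on a constructed routing table: a packet is dropped if its source address is a bogon, if there is no route back to the source, or (strict mode) if the route back to the source does not leave by the interface the packet arrived on. Prefixes, interface names and the bogon list are assumptions for illustration.

```python
import ipaddress

# Constructed forwarding table: prefix -> interface used to reach it.
# There is deliberately no default route; with one, loose uRPF would accept everything.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "eth1",      # customer site A
    ipaddress.ip_network("198.51.100.0/24"): "eth2",   # customer site B
    ipaddress.ip_network("203.0.113.0/24"): "eth0",    # reachable via upstream peer
}

# A few well-known bogon ranges (reserved space that is never a valid source on the
# Internet). Illustrative subset only, not a complete bogon list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def lookup(src):
    """Longest-prefix match for src in the FIB; returns (network, iface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def is_bogon(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGONS)


def check_source(src, ingress, mode="strict"):
    """Decide whether to forward a packet based only on its source address.
    strict: the reverse path to src must go out the interface the packet came in on
            (typical on customer-facing links, where the valid sources are known).
    loose:  any route to src suffices (typical on upstream/peering links).
    Returns (verdict, reason)."""
    if is_bogon(src):
        return ("drop", "bogon source %s" % src)
    route = lookup(src)
    if route is None:
        return ("drop", "no route back to %s" % src)
    net, iface = route
    if mode == "strict" and iface != ingress:
        return ("drop", "strict uRPF: %s is behind %s but arrived on %s" % (src, iface, ingress))
    return ("forward", "%s uRPF ok, %s matched %s" % (mode, src, net))
```

A spoofed packet claiming a customer address but arriving from upstream is caught by strict mode on the customer interface, while bogon sources are rejected regardless of mode.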
Some more to know
• Bots are available for rent, priced from $3 per day to $300 a week.
• Zombies are also used for spamming, and are difficult to get blocked by DNSBLs.
• Know hacking but no hacking.