Page 1
Distributed Denial-of-Services (DDoS)
Ho Jeong An
CSE 525 – Adv. Networking
Reading Group #8
Page 2
Reading Group #8 – DDoS
Papers
F. Kargl, J. Maier, M. Weber, “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001
V. Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, CCR vol. 31, no. 3, July 2001
Catherine Meadows, “A cost-based framework for analysis of denial of service in networks”, Journal of Computer Security, 9(1-2):143-164, 2001
Page 3
Classification of IT Attacks
Denial of Service (DoS): the main goal of the attack is the disruption of service
Intrusion: the intention is simply to get access to the system and to circumvent certain barriers
Information Theft: the main goal of the attack is access to restricted, sensitive information
Modification: the attacker tries to alter information
Page 4
Definition of DoS
WWW Security FAQ (http://www.w3.org/Security/FAQ): “… an attack designed to render a computer or network incapable of providing normal services …”
J.D. Howard (http://www.cert.org): “… Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied …”
Page 5
Definition of DDoS
WWW Security FAQ (http://www.w3.org/Security/FAQ): “… A Distributed Denial of Service attack uses many computers to launch a coordinated DoS attack against one or more targets. …”
Page 6
DoS attack Classification
System attacked: router, firewall, load-balancer, individual web server, supporting services (e.g. database servers)
Part of the system attacked: hardware failure, OS or TCP/IP stack of host/router, application level (e.g. web server, database servers)
Bug or overload: bugs, overload
Page 7
DoS attack Classification – Examples
Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2)
Jolt2 – targeting most Microsoft Windows systems (98/NT4/2000)
MS IIS version 4.0/5.0
Smurf
SYN Flood
Apache MIME flooding / Apache Sioux Attack
Page 8
DDoS tools
Trinoo: known as the first DDoS tool; UDP flooding
Tribe Flood Network (TFN): Trinoo’s UDP flooding plus TCP SYN and ICMP flooding
TFN2K: encrypted communication between components; TARGA attack
stacheldraht: ICMP, UDP and TCP SYN flooding; updates its agents automatically
Page 9
DDoS Protection Environment
Linux Kernel: immune to Teardrop and TARGA; tcp_syn_cookie enabled against SYN flood attacks
Load Balancer: Linux Virtual Server against overload attacks
Page 10
DDoS Protection Environment
ipchains Firewall: only port 80 is reachable directly; only ICMP host unreachable messages are accepted
Class Based Queuing: a function of the Linux kernel; it sets up different traffic queues, determines which packets go into which queue, and assigns a bandwidth to each queue
Page 11
DDoS Protection Environment
Traffic Monitor
Monitor: Thread 1 monitors incoming and outgoing packets; Thread 2 checks the hashtable; Thread 3 is the server thread
Manager: analyzes the supplied data and sorts the IPs into one of several classes, class 1 through class 4
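As an added illustration (not the paper's implementation), the following Python simulates the monitor's per-IP hashtable, the manager's sorting of IPs into classes 1 through 4, and one class-based queuing round that gives each class its bandwidth share; the thresholds, shares and traffic window are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed per-window request thresholds (constructed): up to 5 requests is
# class 1, up to 20 is class 2, up to 100 is class 3, more is class 4.
CLASS_THRESHOLDS = [(5, 1), (20, 2), (100, 3)]
# Assumed bandwidth share per class in packets per round; class 4 gets none.
CLASS_BANDWIDTH = {1: 4, 2: 2, 3: 1, 4: 0}

def monitor(packets):
    """Monitor thread 1: count packets per source IP in the hashtable thread 2 checks."""
    counts = defaultdict(int)
    for src_ip in packets:
        counts[src_ip] += 1
    return counts

def classify(counts):
    """Manager step: sort each IP into class 1 (well-behaved) .. 4 (flooding)."""
    classes = {}
    for ip, n in counts.items():
        cls = 4
        for limit, c in CLASS_THRESHOLDS:
            if n <= limit:
                cls = c
                break
        classes[ip] = cls
    return classes

def cbq_round(packets, classes):
    """One class-based queuing round: queue each packet (given by its source
    IP) under its class, then let each class send at most its share."""
    queues = {c: deque() for c in CLASS_BANDWIDTH}
    for ip in packets:
        queues[classes.get(ip, 1)].append(ip)   # unknown IPs start in class 1
    sent = []
    for c, share in CLASS_BANDWIDTH.items():
        for _ in range(share):
            if queues[c]:
                sent.append(queues[c].popleft())
    return sent

def demo():
    """Constructed window: one legitimate client and one source flooding requests."""
    window = ["10.0.0.1"] * 3 + ["203.0.113.9"] * 500
    classes = classify(monitor(window))
    return classes, cbq_round(window, classes)
```

In the constructed window the flooder lands in class 4 and sends nothing in the round, while the legitimate client's three requests all go through.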
Page 12
Test 1: http-attack using http_load and a static html database
Page 13
Conclusion
DDoS attacks are a substantial threat to today’s Internet infrastructure
The solution to the problem of handling massive http overload requests is based on class based routing and active traffic monitoring
Page 14
DDoS attack by using reflectors
Reflector: any IP host that will return a packet if it receives a request, e.g. any web server, DNS server, or router
ICMP: the victim eventually receives a “huge” number of messages, clogging every single path to the victim from the rest of the Internet
Page 15
Defense against Reflectors
Ingress filtering: the attack traffic is generated by the reflector
Reflector-enabled filtering (our pick): requires widespread deployment of filtering
Deploy a traceback mechanism: enormous deployment difficulties
IDS: widespread deployment of security technology
Page 16
Filtering out reflector replies – IP
IP header fields: version, header length, TOS/DSCP, length, ID, fragments, TTL, protocol, checksum, source, destination
Page 17
Filtering out reflector replies – ICMP and TCP
ICMP: request/response; generated ICMP messages
TCP: source port; SYN ACK; RST; guessable sequence number; T/TCP
Page 18
Filtering out reflector replies – UDP
DNS: DNS reply; DNS recursive query
SNMP
HTTP proxy server
Gnutella (TCP application)
Other UDP applications
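An added example (not Paxson's code) of the filtering idea on the three slides above: a stateful border filter that admits a SYN-ACK/RST, ICMP echo reply or DNS answer only if the matching request left the network, and drops reflected replies; the packet records, addresses and transaction IDs are constructed.

```python
TCP_REPLY_FLAGS = {"SA", "R", "RA"}   # SYN-ACK or RST: what a reflected SYN elicits

class ReplyFilter:
    def __init__(self):
        self.pending = set()   # keys of requests that left our network

    @staticmethod
    def _key(pkt, inbound):
        # Normalise addresses so a request and its reply produce the same key.
        local, remote = (pkt["dst"], pkt["src"]) if inbound else (pkt["src"], pkt["dst"])
        if pkt["proto"] == "tcp":
            lp, rp = (pkt["dport"], pkt["sport"]) if inbound else (pkt["sport"], pkt["dport"])
            return ("tcp", local, lp, remote, rp)
        if pkt["proto"] == "icmp":
            return ("icmp", local, remote, pkt["id"], pkt["seq"])
        return ("dns", local, remote, pkt["txid"])

    @staticmethod
    def _is_reply(pkt):
        return ((pkt["proto"] == "tcp" and pkt["flags"] in TCP_REPLY_FLAGS)
                or (pkt["proto"] == "icmp" and pkt["type"] == "echo-reply")
                or (pkt["proto"] == "dns" and pkt["qr"] == 1))

    def outbound(self, pkt):
        """A request leaving the network: remember it so its reply is admitted."""
        if not self._is_reply(pkt):
            self.pending.add(self._key(pkt, inbound=False))

    def inbound(self, pkt):
        """Return 'accept' or 'drop' for a packet arriving from the Internet."""
        if not self._is_reply(pkt):
            return "accept"                  # e.g. a client's SYN to port 80
        key = self._key(pkt, inbound=True)
        if key in self.pending:
            self.pending.discard(key)
            return "accept"
        return "drop"                        # nobody here asked: a reflected reply

def demo():
    """Constructed traffic: one real DNS exchange, two reflected replies, one new client."""
    f = ReplyFilter()
    f.outbound({"proto": "dns", "src": "192.0.2.10", "dst": "198.51.100.53", "txid": 0x1234, "qr": 0})
    return [
        f.inbound({"proto": "dns", "src": "198.51.100.53", "dst": "192.0.2.10", "txid": 0x1234, "qr": 1}),
        f.inbound({"proto": "dns", "src": "198.51.100.77", "dst": "192.0.2.10", "txid": 0x1234, "qr": 1}),
        f.inbound({"proto": "tcp", "src": "203.0.113.5", "sport": 80, "dst": "192.0.2.10", "dport": 40000, "flags": "SA"}),
        f.inbound({"proto": "tcp", "src": "203.0.113.6", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "flags": "S"}),
    ]
```

The pending table must be bounded and aged in a real deployment, otherwise the filter itself becomes a state-exhaustion target.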
Page 19
Implications of reflector attacks for traceback
A major advantage to attackers in using reflectors in a DDoS attack is difficult traceback
Low volume flows – SPIE
HTTP proxies – logging
Reverse ITRACE
Page 20
Conclusion
DDoS attacks using reflectors pose several significant threats
The most major threats are: TCP guessable sequence numbers, DNS queries to name servers, Gnutella
Page 21
Defender vs. Attacker
Defense against attack: increase the resources of the defender; introduce authentication
Goal of the attacker: waste the resources of the defender; keep the defender from learning the attacker’s identity
Formal methods are a good way of addressing these problems.
Page 22
Station to Station protocol
The Station to Station protocol makes use of the Diffie-Hellman protocol together with digital signatures in order to exchange and authenticate keys between two principals.
A → B: X_A
B → A: X_B, E_K(S_B(X_B, X_A))
A → B: E_K(S_A(X_A, X_B))
Page 23
Station to Station protocol (annotated: message || sender's events || receiver's events)
A → B: X_A || preexp_1, storename_1 || storeonce_1, storename_1, accept_1
B → A: X_B, E_K(S_B(X_B, X_A)) || preexp_2, sign_1, exp_1, encrypt_1 || checkname_1, retrievenonce_1, exp_2, decrypt_1, checksig_1, accept_2
A → B: E_K(S_A(X_A, X_B)) || sign_2, encrypt_2 || checkname_2, retrievenonce_2, decrypt_2, checksig_2, accept_3
Page 24
Station to Station protocol
Compute the attack cost functions and the protocol engagement cost functions for each accept event
Compute the attack cost functions and the message processing cost functions for each verification event
Page 25
Station to Station protocol
It is vulnerable to DoS attacks in several places: the first message; an intruder could mount Lowe’s attack
Solution: cookie exchange; against Lowe’s attack, include the identity of the intended receiver
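An added illustration of the comparison on the two slides above, not Meadows' own tool: it pairs each accept event of the annotated STS with the defender's engagement cost and the assumed intruder cost to reach it, reports where the defender outspends the intruder, and repeats the check once a cookie exchange guards B's accept events. The cost levels, the intruder actions and the tolerance relation are assumptions.

```python
COST = {"cheap": 0, "medium": 1, "expensive": 2}

# Assumed cost of each defender event in the annotated STS (constructed values;
# storing per-run state counts as medium because that memory can be exhausted).
EVENT_COST = {
    "storename": "cheap", "checkname": "cheap", "retrievenonce": "cheap",
    "storeonce": "medium", "preexp": "medium", "encrypt": "medium",
    "decrypt": "medium", "exp": "expensive", "sign": "expensive",
    "checksig": "expensive",
}
# Assumed cost of the intruder's actions: a spoofed message is cheap, while
# answering a cookie means receiving at the claimed address (medium).
ATTACK_COST = {"send_spoofed": "cheap", "receive_cookie": "medium"}

# For each accept event: the receiver's events before it (from the annotated
# protocol) and the assumed intruder actions that make the receiver run them.
STS = {
    "accept_1": {"defender": ["storeonce", "storename"],
                 "attacker": ["send_spoofed"]},                  # bogus message 1
    "accept_2": {"defender": ["checkname", "retrievenonce", "exp", "decrypt", "checksig"],
                 "attacker": ["send_spoofed"]},                  # junk X_B and ciphertext
    "accept_3": {"defender": ["checkname", "retrievenonce", "decrypt", "checksig"],
                 "attacker": ["send_spoofed", "send_spoofed"]},  # message 1, then bogus 3
}

def level(events, table):
    """Cost of an event sequence, taken as its most expensive event (assumption)."""
    return max((COST[table[e]] for e in events), default=0)

def analyse(protocol):
    """Accept events where the defender's engagement cost exceeds the attack cost
    (assumed tolerance relation: the defender must not outspend the intruder)."""
    return [ev for ev, spec in protocol.items()
            if level(spec["defender"], EVENT_COST) > level(spec["attacker"], ATTACK_COST)]

def with_cookie(protocol, guarded=("accept_1", "accept_3")):
    """B answers message 1 with a cookie and keeps no state until it returns, so
    reaching B's accept events (assumed: accept_1, accept_3) costs the intruder a
    cookie round trip at a real address."""
    return {ev: {"defender": spec["defender"],
                 "attacker": spec["attacker"] + (["receive_cookie"] if ev in guarded else [])}
            for ev, spec in protocol.items()}
```

Under these assumed costs every accept event is flagged for plain STS, and the cookie exchange clears the first message while the exponentiation and signature checks at the later accepts remain more expensive than a spoofed message.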
Page 26
Conclusion
This framework shows how existing tools and methods could be modified to address DoS attacks.