week 8-1 week 8: denial of service (dos) what is denial of service attack? –any attack that causes...


Upload: annice-gardner

Post on 25-Dec-2015


Week 8-1

Week 8: Denial of Service (DoS)

• What is a Denial of Service attack?
  – Any attack that causes a system to be unavailable. This is a violation of security policy.
• A DoS attack can have an impact on commerce, industry, aviation, health care


Week 8-2

Week 8: Denial of Service (DoS)

• Types of DoS Attacks
  – Stopping local services (process kill, process crash, sys reconfig)
  – Exhausting local resources (forking processes to fill process table, filling up file system)
  – Remotely stopping services (malformed packet attack via Land, Ping of Death, Jolt2, buffer overflow)
  – Remotely exhausting resources (SYN flood, Smurf, DDoS)
• How DoS Works?


Week 8-3

Week 8: Denial of Service (DoS)

• Hacking Tool: Ping of Death
  – Sending oversized ping pkt (> 64KB). Some TCP/IP implementations crash
• Hacking Tool: SSPing (malformed ICMP pkt causes server to hang)
• Hacking Tool: Land
  – Send spoofed pkt with IPsrc=IPdest, PortSrc=PortDest. Unexpected event causes system crash
• Hacking Tool: Smurf
  – Directed broadcast attack via sending ping to a broadcast address but using a spoofed source address.


Week 8-4

Week 8: Denial of Service (DoS)

• Hacking Tool: SYN Flood (send several SYN pkts using spoofed unknown source address. Fills up connection queue)
• Hacking Tool: CPU Hog
• Hacking Tool: Win Nuke (send garbage to an open file sharing machine on TCP port 139. System crashes)
• Hacking Tool: RPC Locator


Week 8-5

SYN Flood Countermeasure

• Increase size of connection queue
• Decrease connection establishment timeout period
• Detect and employ SYNcookie to use cryptographic challenge for legitimate users.
• Have connection queue at a threshold.
• Use NIDS
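The SYN cookie countermeasure above, as an added example that is not part of the original slides: the server encodes a keyed hash of the connection into the SYN-ACK sequence number and keeps no queue entry until a valid ACK returns. The bit layout, `SECRET`, `MSS_TABLE` and `TICK` are simplified assumptions for illustration, not any operating system's actual implementation.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # assumption: a random per-boot secret in practice
MSS_TABLE = [536, 1300, 1440, 1460]   # assumption: values the 3-bit MSS field can encode
TICK = 64                             # assumption: seconds per time-counter step

def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHI", sport, dport, counter & 0xFFFFFFFF))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _build(src, sport, dst, dport, mss_idx, counter):
    # 5 bits of time counter | 3 bits of MSS index | 24 bits of keyed hash
    return ((counter % 32) << 27) | (mss_idx << 24) | _mac24(src, sport, dst, dport, counter)

def make_cookie(src, sport, dst, dport, mss, now):
    """Sequence number for the SYN-ACK; the server stores nothing for this SYN."""
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return _build(src, sport, dst, dport, mss_idx, int(now) // TICK)

def check_ack(ack_number, src, sport, dst, dport, now):
    """Validate the client's final ACK; return the MSS to use, or None to drop it."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the ACK acknowledges cookie + 1
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // TICK
    for counter in (current, current - 1):      # accept the current and previous tick only
        expected = _build(src, sport, dst, dport, mss_idx, counter)
        if hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None
```

A spoofed source never sees the SYN-ACK, so it cannot return the matching ACK number, and the connection queue is only consumed by clients that complete the handshake.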


Week 8-6

Week 8: Denial of Service (DoS)

• Hacking Tool: Jolt2
  – Send a stream of pkt fragments, none with fragment offset = 0. Affects Windows OS
• Hacking Tool: Bubonic
• Hacking Tool: Targa


Week 8-7

Distributed DoS

• Attacker uses zombies to launch DoS attacks.

• Most zombies are taken over using buffer overflow attacks or related exploits.

• Zombies wait for command from attacker using a client tool to launch simultaneous attack.


Week 8-8

Week 8: Denial of Service (DoS)

• Tools for Running DDoS Attacks
• Hacking Tool: Trinoo
• Hacking Tool: WinTrinoo
• Hacking Tool: TFN (Tribe Flood Network)
• Hacking Tool: TFN2K (DDo
• Hacking Tool: Stacheldraht – combines features of TFN and Trin00


Week 8-9

Week 8: Denial of Service (DoS)

• Hacking Tool: Shaft
• Hacking Tool: mstream
• DDoS Attack Sequence


Week 8-10

Week 8: Denial of Service (DoS)

• Preventing DoS Attack
  – Use anti-spoof filters on routers
  – Disable directed-broadcast at border router.
  – Use find DDOS, a tool distributed by US Govt.
  – Get zombie zapper
• DoS Scanning Tools, e.g. IDS like Snort to give early warning
• Find_ddos
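The kind of early-warning checks an IDS applies to the attacks listed in these slides, as an added example that is not part of the original deck: it flags the Land, Ping of Death and Smurf packet signatures and counts half-open connections for SYN floods. The record format, `LOCAL_NETS`, `SYN_THRESHOLD` and the sample traffic are constructed assumptions, not Snort rules or a real capture.

```python
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: the protected subnet
BROADCASTS = {str(n.broadcast_address) for n in LOCAL_NETS}
SYN_THRESHOLD = 3     # assumption: half-open connections tolerated per service (demo-sized)
IP_HEADER_LEN = 20    # assumption: IPv4 header without options

def pkt(proto, src, dst, **fields):
    return dict(proto=proto, src=src, dst=dst, **fields)

def classify(p):
    """Stateless checks: signatures visible in a single packet record."""
    alerts = []
    if p["proto"] == "tcp" and p["src"] == p["dst"] and p["sport"] == p["dport"]:
        alerts.append("land")
    if p["proto"] == "icmp":
        # Fragment offset counts 8-byte units; a reassembled IPv4 datagram cannot exceed 65535 bytes.
        if IP_HEADER_LEN + p.get("frag_offset", 0) * 8 + p.get("payload_len", 0) > 65535:
            alerts.append("ping-of-death")
        if p.get("icmp_type") == 8 and p["dst"] in BROADCASTS:
            alerts.append("smurf")
    return alerts

def scan(packets):
    """Return (index, alert) pairs; tracks half-open TCP connections for the SYN-flood check."""
    alerts, half_open = [], set()
    for n, p in enumerate(packets):
        alerts += [(n, name) for name in classify(p)]
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "A":
            half_open.discard(key)              # handshake completed
        elif p["flags"] == "S":
            half_open.add(key)
            pending = sum(1 for k in half_open if k[2:] == key[2:])
            if pending > SYN_THRESHOLD:
                alerts.append((n, "syn-flood"))
    return alerts

# Constructed sample traffic using documentation address ranges, not a real capture.
SAMPLE = [
    pkt("tcp", "198.51.100.7", "192.0.2.10", sport=40000, dport=80, flags="S"),
    pkt("tcp", "198.51.100.7", "192.0.2.10", sport=40000, dport=80, flags="A"),
    pkt("tcp", "192.0.2.10", "192.0.2.10", sport=139, dport=139, flags="S"),
    pkt("icmp", "203.0.113.5", "192.0.2.255", icmp_type=8, payload_len=64),
    pkt("icmp", "203.0.113.9", "192.0.2.10", icmp_type=8, frag_offset=8189, payload_len=1480),
] + [pkt("tcp", f"203.0.113.{i}", "192.0.2.20", sport=1024 + i, dport=443, flags="S") for i in range(1, 5)]
```

Calling `scan(SAMPLE)` returns the index of each flagged record with the signature that matched; the completed handshake in the first two records raises nothing.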


Week 8-11

Week 8: Denial of Service (DoS)

• SARA
• DDoSPing
• RID
• Zombie Zapper


Week 8-12

Week 8: Denial of Service (DoS)

• Summary