Denial-of-Service Attacks Justin Steele
Definition • “A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.”1 • Denial-of-service attacks deal with the issue of availability. 1CERT Website
Examples • Examples include attempts to • "flood" a network, thereby preventing legitimate network traffic1 • disrupt connections between two machines, thereby preventing access to a service1 • prevent a particular individual from accessing a service1 • disrupt service to a specific system or person1 1CERT Website
Types of Attacks • Physical Attack • Physically destroying components. • Configuration Attack • Altering or destroying configuration files or information. • Consumption Attack • Using limited or scarce resources and thereby preventing legitimate users from using them.
Physical Attack • Probably the least interesting to most of us. • Examples • Taking a bat and smashing an ATM, thus denying others the ability to use it. • Snipping or cutting a fiber optic line, thereby preventing communication with a network or system. • Intentionally turning off or disabling a cooling system so that a machine overheats and fails.
Configuration Attack • Most of us probably don’t think of this one right away. • Examples • Obtaining administrator rights and deleting user accounts. • Modifying the .htaccess file on a web server so that nobody can view the site. • Changing the default gateway that a DHCP server hands out to its clients. • Changing a machine’s network settings so that it can no longer get onto the network. • Modifying a domain’s DNS records.
Consumption Attack • Perhaps the one most of us think of and probably find the most interesting. • CERT defines four subtypes • Network Connectivity • Using Your Own Resources Against You • Other Resource Consumption • Bandwidth Consumption
Network Connectivity Attack • “Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network.”1 • “An example of this type of attack is the "SYN flood" attack”1 • Also known as a Protocol Attack. • This is an example of an “asymmetric attack” • “attacks can be executed with limited resources against a large, sophisticated site”1 • “an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.”1 1CERT Website
SYN Flood Attack (Images taken from www.grc.com)
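The asymmetry described on the previous slide comes from state: a classic listener allocates a backlog entry for every SYN and holds it until the handshake completes or a timer expires, so a few hundred spoofed SYNs that are never acknowledged are enough to fill the queue, while the attacker holds no state at all. The simulation below is an added example, not code from the slides or from CERT; the backlog size, timeout, secret and addresses are constructed values. It models a stateful listener under a flood, shows the queue draining only after the half-open timeout, and contrasts it with a SYN-cookie listener that keeps no per-SYN state by encoding an HMAC of the connection tuple in the initial sequence number and checking that the final ACK echoes it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed parameters for the simulation (assumptions, not from the slides).
BACKLOG_SIZE = 8          # half-open (SYN_RECV) entries the listener can hold
HALF_OPEN_TIMEOUT = 60.0  # seconds before an unanswered SYN_ACK is reaped
SECRET = b"server-cookie-secret"  # SYN-cookie key; a real stack rotates it
SERVER_PORT = 80


@dataclass
class StatefulListener:
    """Classic listener: every SYN occupies a backlog slot until its ACK arrives."""
    backlog: dict = field(default_factory=dict)  # (src_ip, src_port) -> time of SYN

    def on_syn(self, src_ip, src_port, now):
        # Reap stale entries first; this is the only way a flooded queue drains.
        for key in [k for k, t in self.backlog.items() if now - t > HALF_OPEN_TIMEOUT]:
            del self.backlog[key]
        if len(self.backlog) >= BACKLOG_SIZE:
            return ("dropped", None)          # queue full: the new SYN is discarded
        self.backlog[(src_ip, src_port)] = now
        return ("syn_ack", 0)                 # the ISN value does not matter here

    def on_ack(self, src_ip, src_port, ack_num, now):
        # Only a source that currently occupies a slot can complete the handshake.
        if self.backlog.pop((src_ip, src_port), None) is None:
            return "reset"
        return "established"


class CookieListener:
    """SYN-cookie listener: no state per SYN; the ISN is a MAC the ACK must echo."""

    def _cookie(self, src_ip, src_port, window):
        msg = f"{src_ip}:{src_port}:{SERVER_PORT}:{window}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # fits the 32-bit sequence number

    def on_syn(self, src_ip, src_port, now):
        # Nothing is stored: the cookie is recomputed when (if) the ACK arrives.
        return ("syn_ack", self._cookie(src_ip, src_port, int(now // 60)))

    def on_ack(self, src_ip, src_port, ack_num, now):
        window = int(now // 60)
        for w in (window, window - 1):          # tolerate a window boundary
            if ack_num == (self._cookie(src_ip, src_port, w) + 1) & 0xFFFFFFFF:
                return "established"
        return "reset"                          # forged or stale ACK, no state consumed


def simulate_flood(listener, n_spoofed=100, now=1000.0, client_delay=1.0):
    """Fire n_spoofed SYNs from spoofed sources that never ACK, then check whether a
    legitimate client can still complete its handshake client_delay seconds later."""
    for i in range(n_spoofed):
        listener.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)  # no ACK ever follows
    t = now + client_delay
    reply, isn = listener.on_syn("198.51.100.7", 40000, t)
    if reply == "dropped":
        return "denied"
    return listener.on_ack("198.51.100.7", 40000, (isn + 1) & 0xFFFFFFFF, t + 0.1)


if __name__ == "__main__":
    print("stateful backlog under flood:", simulate_flood(StatefulListener()))
    print("stateful backlog after reap :", simulate_flood(StatefulListener(), client_delay=61))
    print("SYN cookies under flood     :", simulate_flood(CookieListener()))
```

The stateful listener denies the legitimate client until the 60-second timer has reaped the spoofed entries; the cookie listener establishes the connection immediately because the flood never cost it anything. The trade-off real stacks accept is that a cookie cannot carry the full set of TCP options, which is why they are usually enabled only once the backlog overflows.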
Using Your Own Resources Against You Attack • An attacker uses your own resources against you in unexpected ways. • An example is the UDP chargen/echo loop: one spoofed datagram, addressed from one host’s echo port (7) to another host’s chargen port (19), makes the two services answer each other indefinitely, with the two victims generating all of the traffic.
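The loop is easiest to see by modelling the two services and delivering packets between them. The code below is an added example, not from the slides or from CERT: the hosts, ports, payload and the 74-byte chargen line are constructed, and the hardening shown (a small service refusing datagrams that claim to come from another small service’s port, in the spirit of the checks some inetd implementations perform) is an assumption; the simplest fix, and the one the “close all unnecessary ports” advice later in this deck implies, is to disable echo and chargen altogether.

```python
from collections import deque

LOOP_PRONE_PORTS = {7, 13, 17, 19}   # echo, daytime, qotd, chargen
# A standard chargen line is 72 printable characters plus CRLF (constructed sample).
CHARGEN_LINE = (b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"[\\]^_`abcdefgh\r\n")


def udp_service(dst_port, src_port, payload, reject_service_sources):
    """Reply produced by a host's UDP small services, or None for no reply.
    With reject_service_sources=True a service ignores datagrams whose source port is
    itself a small-service port, which is what breaks the loop (assumed hardening)."""
    if dst_port not in (7, 19):
        return None                       # no small service on that port
    if reject_service_sources and src_port in LOOP_PRONE_PORTS:
        return None                       # would only be talking to another service
    if dst_port == 7:
        return payload                    # echo: send the payload back unchanged
    return CHARGEN_LINE                   # chargen: emit a line regardless of input


def run_network(first_packet, max_steps, reject_service_sources=False):
    """Deliver packets between hosts that all run echo and chargen, starting from
    first_packet = (src_ip, src_port, dst_ip, dst_port, payload).
    Returns (packets_delivered, bytes_on_the_wire), stopping after max_steps."""
    queue = deque([first_packet])
    packets = wire_bytes = 0
    while queue and packets < max_steps:
        src_ip, src_port, dst_ip, dst_port, payload = queue.popleft()
        packets += 1
        wire_bytes += len(payload)
        reply = udp_service(dst_port, src_port, payload, reject_service_sources)
        if reply is not None:
            # The reply goes to whatever source the datagram claimed, spoofed or not.
            queue.append((dst_ip, dst_port, src_ip, src_port, reply))
    return packets, wire_bytes


# Constructed attacker packet: 1 byte, source forged as victim A's echo port,
# destined for victim B's chargen port. The attacker never sends anything else.
SPOOFED = ("10.0.0.1", 7, "10.0.0.2", 19, b"x")

if __name__ == "__main__":
    print("vulnerable :", run_network(SPOOFED, max_steps=1000))
    print("hardened   :", run_network(SPOOFED, max_steps=1000, reject_service_sources=True))
```

One byte from the attacker turns into a thousand packets and roughly 74 KB between the victims before the step limit stops the simulation; nothing stops it on a real network except a timeout that UDP does not have. With the source-port check, the forged first datagram is discarded because it claims to come from port 7, and the loop never starts.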
Other Resource Consumption Attack • Most of us don’t readily consider these consumption attacks. • Examples • CPU time • Spawning a large number of processes that bog down the CPU • Consuming “locks” • Deliberately failing logins for a user until the account-lockout policy blocks any further attempts for that user. • Could include holding file or database locks so that others can’t access them. • Filling up disk space • Generating excessive email messages • Generating error messages that get logged • Placing files in anonymous FTP server space or on open shares
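The account-lockout case is worth working through because the security feature is the weapon: a policy that locks an account after N bad passwords from anyone lets anyone who knows a username lock that user out. The code below is an added example, not from the slides; the policy numbers, usernames and addresses are constructed. It contrasts a naive per-account lockout with a per-(user, source) exponential backoff that slows the attacker’s source down while the real user, logging in from a different address with the right password, is unaffected.

```python
from collections import defaultdict

# Constructed policy values (assumptions, not from the slides).
MAX_FAILURES = 5        # naive policy: lock the account after this many failures
LOCKOUT_SECONDS = 900   # naive lockout length, also the cap on the backoff below


class NaiveLockout:
    """Lock the account after MAX_FAILURES bad passwords, whoever sent them."""

    def __init__(self):
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked_until = {}             # user -> time the lock expires

    def login(self, user, password_ok, src_ip, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                # applies to the real user as well
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return "bad_password"


class SourceAwareThrottle:
    """Count failures per (user, source) and back that source off exponentially
    instead of locking the account; other sources are not affected."""

    def __init__(self):
        self.failures = defaultdict(int)   # (user, src_ip) -> consecutive failures
        self.delay_until = {}              # (user, src_ip) -> earliest next attempt

    def login(self, user, password_ok, src_ip, now):
        key = (user, src_ip)
        if self.delay_until.get(key, 0) > now:
            return "throttled"             # attempt rejected without checking the password
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        backoff = min(2 ** (self.failures[key] - 1), LOCKOUT_SECONDS)  # 1, 2, 4, 8 ... s
        self.delay_until[key] = now + backoff
        return "bad_password"


def lockout_attack(auth, victim="alice", attacker_ip="203.0.113.9",
                   victim_ip="198.51.100.7"):
    """Attacker sends MAX_FAILURES wrong passwords for the victim's account, one per
    second. Returns (victim's result logging in correctly from her own address
    afterwards, attacker's result on the next attempt)."""
    now = 1_000_000.0
    for i in range(MAX_FAILURES):
        auth.login(victim, False, attacker_ip, now + i)       # wrong password each time
    later = now + MAX_FAILURES + 1
    victim_result = auth.login(victim, True, victim_ip, later)   # correct password
    attacker_result = auth.login(victim, False, attacker_ip, later)
    return victim_result, attacker_result


if __name__ == "__main__":
    print("naive lockout   (victim, attacker):", lockout_attack(NaiveLockout()))
    print("per-source throttle (victim, attacker):", lockout_attack(SourceAwareThrottle()))
```

Per-source throttling is one layer, not a complete answer: a distributed attacker rotating through many addresses defeats a per-source counter, which is why it is normally combined with per-account rate limits that slow rather than block, and with a second factor so that a guessed password alone is not enough.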
Bandwidth Consumption Attack • The attacker consumes all available bandwidth on a network. • Commonly done with ICMP ECHO (ping) packets, but any packet type will do. • The attacker may be using multiple machines to coordinate the attack. • DDoS – Distributed Denial-of-Service • DRDoS – Distributed Reflection Denial-of-Service • DoS – Any type of Denial-of-Service • DDoS & DRDoS are brute-force attacks • Filterable vs. Non-filterable Attacks • Filterable attacks consist of bogus packets or traffic to non-critical services, which a firewall can drop without affecting the rest of the machine or network. • Non-filterable attacks consist of packets requesting legitimate services and resources, so a firewall cannot tell them from real traffic and will not stop the attack. • Even a filterable attack can still saturate the link upstream of the firewall; filtering at the victim helps only if the attack is also dropped, or rate-limited, closer to its sources.
Bandwidth Consumption Attack (Images taken from www.grc.com)
DoS versus DDoS (Images taken from www.grc.com)
DDoS Attack (Images taken from www.grc.com)
DRDoS Attack (Images taken from www.grc.com)
DDoS versus DRDoS (Images taken from www.grc.com)
What can we do? • ISPs • Implement hardware/software settings and filters on routers and machines that limit and bound packets. • Prevent customers from sending packets with spoofed source addresses (ingress filtering). • Administrators • Install and use a firewall. • Close all unnecessary ports and turn off all unused services. • Use quotas. • Maintain backups of configuration files. • Install intrusion detection software. • Monitor network traffic. • Evaluate physical security on a routine basis. • Average Jane and John Doe • Don’t download/install software from unknown/unreliable sources. • Install personal firewall/port protection software.
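The two ISP items above are the ones that matter most for DDoS and DRDoS, because every reflection attack and most floods depend on spoofed source addresses that only the first hop can recognise. The code below is an added example, not from the slides or from CERT: it models ingress (anti-spoofing) filtering, where a packet arriving on a customer interface must carry a source address from a prefix assigned to that interface, and a token bucket that bounds the rate of a traffic class such as ICMP echo. The interface-to-prefix table, packet list and bucket parameters are constructed.

```python
import ipaddress

# Constructed topology: which customer interface owns which prefixes (assumption).
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/25")],
}


def source_is_valid(interface, src_ip):
    """Ingress filter: accept a source address only if it belongs to a prefix
    assigned to the interface the packet came in on. Spoofed sources fail."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


class TokenBucket:
    """Bound the rate of one traffic class: rate_per_s sustained, burst at most."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.capacity = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now, cost=1):
        if self.last is not None:   # refill for the time elapsed since the last packet
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False                # over the bound: drop rather than forward


def filter_packets(packets, icmp_bucket):
    """Apply both checks to (interface, src_ip, proto, timestamp) tuples and
    return a count per verdict."""
    verdicts = {"forwarded": 0, "spoofed": 0, "rate_limited": 0}
    for iface, src, proto, ts in packets:
        if not source_is_valid(iface, src):
            verdicts["spoofed"] += 1
        elif proto == "icmp-echo" and not icmp_bucket.allow(ts):
            verdicts["rate_limited"] += 1
        else:
            verdicts["forwarded"] += 1
    return verdicts


# Constructed sample traffic: four ordinary packets, then a 50-packet ping burst
# arriving 0.1 ms apart from a legitimate customer address.
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.10", "tcp", 0.000),    # legitimate
    ("cust-a", "10.0.0.1", "tcp", 0.001),         # spoofed: private source address
    ("cust-a", "203.0.113.5", "udp", 0.002),      # spoofed: another customer's prefix
    ("cust-b", "203.0.113.200", "udp", 0.003),    # legitimate
] + [("cust-a", "198.51.100.10", "icmp-echo", 0.1 + i * 0.0001) for i in range(50)]

if __name__ == "__main__":
    # 100 echo requests per second sustained, 10 in a burst (constructed limits).
    print(filter_packets(SAMPLE_PACKETS, TokenBucket(rate_per_s=100, burst=10)))
```

The two spoofed packets are dropped before they can be reflected at anyone, and of the 50-packet ping burst only the 10-packet allowance plus whatever the bucket refilled during the burst is forwarded. The same limitation noted on the bandwidth slide applies here: a rate limit on ICMP does nothing against a non-filterable flood of well-formed requests to a service the customer is entitled to use, so the anti-spoofing check, which removes the attacker’s anonymity, is the more valuable of the two.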
Sources • http://www.cert.org/tech_tips/denial_of_service.html • http://grc.com/dos/drdos.htm • http://grc.com/dos/grcdos.htm • http://www.rbs2.com/ccrime.htm#anchor111666 • http://www.netcraft.com/presentations/interop/dos.html • http://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf • http://www.cnn.com/2002/TECH/internet/10/23/net.attack/ • http://www.infoworld.com/article/03/01/25/030125hnsqlnet_1.html?s=IDGNS