
Denial of Service Attacks

Simulating Strategic Firewall Placement. By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt. A distributed denial of service attack involves overloading a company's Internet connection with more traffic than it can handle.


Presentation Transcript


  1. Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt

  2. Denial of Service Attacks • A distributed denial of service attack involves overloading a company’s Internet connection with more traffic than it can handle. • Once the connection is overloaded, the company is unable to function on the Internet.

  3. Denial of Service Attacks • Banks, academic institutions, and small businesses have become dependent on the Internet for even the most fundamental of daily functions. • Therefore, the cost of a disruption in service and the subsequent recovery can be truly enormous.

  4. Denial of Service Attacks • Distributed Denial of Service Attacks are one of the most difficult security threats to defend against. • Network administrators typically cannot stop a DDoS attack on their own; they have to contact the ISP and have the traffic filtered upstream. • Failure to stop a DDoS attack can result in a complete network overload and shutdown.

  5. Denial of Service Attacks • Any skilled hacker can gain control of a large number of compromised computer systems and use them as intermediaries to flood a targeted server. • Because the flood arrives from those intermediaries, it is virtually impossible to discover the identity of the hacker. • Once the targeted server or its link is saturated, it stops responding, thereby halting even the legitimate traffic of the organization.

  6. Physical Layout • Because there is a large physical distance between the ISP router and the company network that an ISP services, the ISP usually has to use cheaper, low-bandwidth cable for this part of the connection. • This is typically the slowest part of the connection line, and it is called a “bottleneck”.

  7. Bottleneck • To shut down the company’s connection, a hacker only has to overload this relatively slow part of the line. • To stop DDoS attacks, illegitimate traffic must never be allowed to reach the bottleneck.

  8. Normal connection (diagram: ISP router, then the cable connection that forms the bottleneck, then the company firewall where bad traffic is stopped)

  9. Strategic Firewall Placement • In the strategic firewall placement method, the company’s firewall is placed on the ISP’s premises. • This means that the line connecting the ISP router to the firewall is very short, and a much higher bandwidth line (ex. Ethernet) can be used for this connection at very little extra cost.

  10. Strategic Firewall Placement (diagram: ISP router, Ethernet connection to the firewall on the ISP's premises where bad traffic is stopped, then the bottleneck cable to the company network)

  11. Strategic Firewall Placement • Firewall remains under the control of the company. • Now the company is able to control exactly which traffic is allowed into the bottleneck part of the connection.

  12. Strategic Firewall Placement • Attack packets are dropped before they can reach the bottleneck. • A hacker could still run a denial of service attack, but would need enough bandwidth to saturate the high-speed link in front of the firewall rather than the slow cable behind it.

  13. Strategic Firewall Placement • In the old setup, to thwart a DDoS attack, the company had to call the ISP and tell them which kinds of packets to filter. • The company’s internet connection remained inoperative until the ISP was able to complete the company’s request. • When the company controls the firewall, as in strategic firewall placement, they can instead filter unwanted packets almost immediately.

  14. Additional Requirements • Moving the firewall is helpful, but, to completely protect against DDoS attacks, the company also has to change the way its firewall handles inbound connection requests.

  15. Default Deny • The changes deal with how the company's firewall handles inbound connections. • When a computer wants to connect to the company's server, it sends a packet called a TCP/SYN packet requesting the connection. • The normal response to this packet is a SYN/ACK packet from the company's server, acknowledging the request; the connection is open once the client answers that SYN/ACK with a final ACK (the TCP three-way handshake).

  16. Default Deny (diagram: four connection attempts arriving at the firewall in front of the server. 1: spoofed TCP/SYN, SYN/ACK returned, connection blocked. 2: real TCP/SYN, SYN/ACK returned, connection allowed. 3: spoofed TCP/SYN, SYN/ACK returned, connection blocked. 4: spoofed TCP/SYN, SYN/ACK returned, connection blocked.) • If every TCP/SYN packet is allowed to reach the company server, hackers can still flood the company's server with these packets, and overload the connection. • Instead, the firewall answers the TCP/SYN itself, sending back a SYN/ACK packet that only looks like it came from the company's server.

  17. Default Deny • Once the firewall sends out the SYN/ACK packet, it only allows a connection from the IP address that sent the original TCP/SYN packet. • A hacker has to have control of that IP address to be able to connect to the company.

  18. Default Deny • This helps prevent a technique known as “spoofing” IP addresses. • Spoofing allows a hacker to send the server connection requests from IP addresses that he is not actually using. • The default deny policy prevents hackers from using multiple spoofed addresses at once, and using them to flood the network.

  19. Firewall Capabilities • Maintaining these policies could require a lot of computational power from the firewall. • Firewall may not be able to handle the entire job itself. • The processing work of the firewall can be spread among multiple computers if necessary, and those computers would feed directly into the firewall.
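The default deny handshake of slides 15 through 18, as an added example that is not code from the presentation or its authors. The firewall answers every TCP/SYN on the server's behalf and admits a flow only when the third handshake packet comes back from the address that sent the SYN with the acknowledgement number the firewall chose. To keep the firewall's load bounded (the concern raised on slide 19), the example goes one step beyond the slides: the SYN/ACK sequence number is a keyed hash of the flow, so no state is stored per SYN and a flood of spoofed SYNs cannot fill a table. The packet model, the `SynProxyFirewall` class, the addresses and the `demo` flood are all constructed here for illustration.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: only the fields the handshake check needs."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class SynProxyFirewall:
    """Answers every inbound SYN itself and admits a flow only after the third
    handshake packet proves the source really receives traffic at its address."""

    def __init__(self, server_ip, secret=None):
        self.server_ip = server_ip
        self.secret = secret or os.urandom(16)  # key for the sequence-number cookie
        self.allowed = set()       # (client ip, client port) flows past the handshake
        self.replies = []          # SYN/ACKs sent back toward clients
        self.forwarded = []        # packets passed on to the protected server

    def _cookie(self, src, sport, client_isn):
        # Keyed hash of the flow identity and the client's initial sequence number.
        # Because the SYN/ACK's sequence number can be recomputed later, the
        # firewall keeps no half-open state per SYN (an assumption added here;
        # the slides only say the firewall replies on the server's behalf).
        msg = f"{src}:{sport}:{self.server_ip}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def inbound(self, pkt):
        """Handle one packet from the Internet. Returns True if it reached the server."""
        if pkt.dst != self.server_ip:
            return False
        flow = (pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            # Reply on the server's behalf; the server never sees this SYN.
            self.replies.append(Packet(self.server_ip, pkt.src, pkt.dport, pkt.sport,
                                       "SYN/ACK",
                                       seq=self._cookie(pkt.src, pkt.sport, pkt.seq),
                                       ack=pkt.seq + 1))
            return False
        if flow not in self.allowed:
            # Default deny: the only packet that can open a flow is an ACK whose
            # acknowledgement number matches the cookie sent to this exact address
            # and port. A spoofed source never receives that SYN/ACK, so it cannot
            # produce the right number.
            valid = (pkt.flags == "ACK"
                     and pkt.ack == self._cookie(pkt.src, pkt.sport, pkt.seq - 1) + 1)
            if not valid:
                return False
            self.allowed.add(flow)
            # A real SYN proxy would now open its own connection to the server and
            # splice the two; forwarding the ACK stands in for that step here.
        self.forwarded.append(pkt)
        return True


def demo(spoofed_syns=10000, seed=1):
    """Constructed scenario: a spoofed SYN flood, a forged ACK, then one genuine client."""
    rng = random.Random(seed)
    fw = SynProxyFirewall("203.0.113.10", secret=b"demo-key")
    for _ in range(spoofed_syns):
        src = f"198.51.100.{rng.randrange(1, 255)}"  # attacker-chosen, not the attacker's own
        fw.inbound(Packet(src, fw.server_ip, rng.randrange(1024, 65535), 80, "SYN",
                          seq=rng.randrange(2 ** 32)))
    forged = fw.inbound(Packet("198.51.100.1", fw.server_ip, 5555, 80, "ACK",
                               seq=1, ack=rng.randrange(2 ** 32)))
    # Genuine client: it actually receives the SYN/ACK and echoes the cookie back.
    client = Packet("192.0.2.44", fw.server_ip, 40000, 80, "SYN", seq=777)
    fw.inbound(client)
    syn_ack = fw.replies[-1]
    established = fw.inbound(Packet(client.src, fw.server_ip, client.sport, 80, "ACK",
                                    seq=778, ack=syn_ack.seq + 1))
    return {"syn_acks_sent": len(fw.replies), "forged_ack_forwarded": forged,
            "flows_allowed": len(fw.allowed), "client_established": established}
```

After ten thousand spoofed SYNs the firewall has sent ten thousand SYN/ACKs into the void, holds no state for any of them and has forwarded nothing; the one flow it admits is the client that could complete the handshake. This is exactly the limit slide 17 states: an attacker who really controls an address can still connect from it, so the policy stops spoofed floods, not floods from a botnet's own addresses.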

  20. Simulation of Strategic Firewall Placement • Used the network simulation program NS-2 to simulate DDoS traffic. • In the simulation plots: Red, legitimate packets; Blue, DDoS attack packets.

  21. Simulation of Strategic Firewall Placement (diagram of the simulated topology: DDoS attack traffic and legitimate traffic enter a router and pass over a high-speed link to the firewall, then over a 1.5 Mbps link to the target; the buildup of packets in the queue occurs on the high-speed link)

  22. Simulation Results

  23. Simulation of Strategic Firewall Placement • When the link leading up to the firewall is too slow, a DDoS attack basically shuts down the system. • When the link leading up to the firewall is fast enough, the system continues running through a DDoS attack, even after the attack is increased in intensity from 50 to 100 Mbps.
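The effect described on slides 6 through 13 and measured on slides 20 through 23 can be reproduced with a much smaller model than NS-2. The following is an added example, not the authors' simulation: a fluid drop-tail queue model in which each link accepts what fits in its buffer and transmits up to its capacity, with drops and capacity shared in proportion between legitimate and attack traffic. The 1.5 Mbps bottleneck is the figure from slide 21; the 100 Mbps ISP-side Ethernet link, the buffer sizes, the 1 Mbps of legitimate load and the fully accurate filter are assumptions made here. `simulate(False)` is the original layout (bottleneck, then firewall); `simulate(True)` is strategic placement (Ethernet, firewall, then bottleneck).

```python
from dataclasses import dataclass, field

TICK_MS = 1  # the model advances in 1 ms steps; all traffic is counted in bits


@dataclass
class Link:
    """Drop-tail FIFO link. The queue is a [legitimate, attack] pair of bit counts,
    so each class's share of drops and of transmit capacity is proportional."""
    capacity_mbps: float
    buffer_kbits: float
    queue: list = field(default_factory=lambda: [0.0, 0.0])

    def step(self, arrivals):
        """Accept what fits in the buffer, transmit up to capacity, return what was sent."""
        room = max(self.buffer_kbits * 1000 - sum(self.queue), 0.0)
        offered = sum(arrivals)
        share = min(offered, room) / offered if offered else 0.0   # fraction not dropped
        self.queue = [q + a * share for q, a in zip(self.queue, arrivals)]
        backlog = sum(self.queue)
        sent = min(backlog, self.capacity_mbps * 1000 * TICK_MS)   # bits per tick
        frac = sent / backlog if backlog else 0.0
        out = [q * frac for q in self.queue]
        self.queue = [q - o for q, o in zip(self.queue, out)]
        return out


def firewall(traffic):
    """Idealised filter (assumption): drops the attack class, passes legitimate bits."""
    return [traffic[0], 0.0]


def simulate(firewall_at_isp, legit_mbps=1.0, attack_mbps=50.0, ticks=2000):
    """Fraction of the offered legitimate traffic that reaches the target.

    firewall_at_isp=False: ISP router -> 1.5 Mbps cable (bottleneck) -> firewall -> target
    firewall_at_isp=True:  ISP router -> 100 Mbps Ethernet -> firewall -> 1.5 Mbps -> target
    """
    ethernet = Link(capacity_mbps=100.0, buffer_kbits=500.0)   # assumed ISP-side link
    bottleneck = Link(capacity_mbps=1.5, buffer_kbits=50.0)    # slide 21's link rate
    delivered = 0.0
    for _ in range(ticks):
        arrivals = [legit_mbps * 1000 * TICK_MS, attack_mbps * 1000 * TICK_MS]
        if firewall_at_isp:
            out = bottleneck.step(firewall(ethernet.step(arrivals)))
        else:
            out = firewall(bottleneck.step(arrivals))
        delivered += out[0]
    return delivered / (legit_mbps * 1000 * TICK_MS * ticks)


if __name__ == "__main__":
    for rate in (50.0, 100.0):
        print(f"attack {rate:5.0f} Mbps:"
              f" firewall behind bottleneck {simulate(False, attack_mbps=rate):.1%} delivered,"
              f" firewall at ISP {simulate(True, attack_mbps=rate):.1%} delivered")
```

With the firewall behind the 1.5 Mbps cable, a 50 Mbps flood leaves legitimate traffic roughly its 1-in-51 share of the cable, about 3 percent; filtering it afterwards is too late, as slide 7 says. With the firewall on the ISP side, the flood never reaches the cable and all legitimate traffic gets through. Raising the attack to 100 Mbps, the rate on slide 23, starts to overfill the assumed 100 Mbps Ethernet link and costs about 1 percent of legitimate traffic, which is the caveat from slide 12 in numbers: strategic placement moves the point an attacker must saturate from the slow cable to the fast link, it does not remove it.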

  24. Conclusion • Strategic firewall placement allows companies to use the Internet during a DDoS attack, and it allows them to continue receiving the packets they want.

