1 / 25

NETW4005 Computer Security Lecture 5

Learn about Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, including amplification attacks and defenses, to safeguard your network from resource exhaustion and congestion.

guillermoh
Download Presentation

NETW4005 Computer Security Lecture 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NETW4005Computer SecurityLecture 5 Denial of Service Attacks

  2. Content • DENIAL OF SERVICE • SOURCE ADDRESS SPOOFING • SYN SPOOFING • TYPES OF FLOODING ATTACKS • DDOS • AMPLIFICATION ATTACKS • DNS AMPLIFICATION ATTACKS • DOS ATTACK DEFENSES • ATTACK PREVENTION • RESPONDING TO ATTACKS

  3. 5.1 Denial of Service • (DoS) an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space. Attacks: • Network bandwidth - relates to the capacity of the network links connecting a server to the wider Internet. • System resources - typically aims to overload or crash its network handling software. • Application resources - aim to overload the capabilities of a server and limit its ability to respond to requests from other users

  4. 5.2 Source Address Spoofing • Use forged source addresses • given sufficient privilege to “raw sockets” • easy to create • Generate large volumes of packets • Directed at target • With different, random, source addresses • Cause same congestion • Responses are scattered across Internet • Real source is much harder to identify

  5. 5.3 SYN Spoofing TCP Connection Handshake • Other common attack • Attacks ability of a server to respond to future connection requests • Overflowing tables used to manage them • Hence an attack on system resource

  6. SYN Spoofing Attack

  7. SYN Spoofing Attack • Attacker often uses either • Random source addresses • Or that of an overloaded server • To block return of (most) reset packets • Has much lower traffic volume • Attacker can be on a much lower capacity link

  8. 5.4 Types of Flooding Attacks • Classified based on network protocol used • ICMP Flood • Uses ICMP packets, eg echo request • Typically allowed through, some required • UDP Flood • Alternative uses UDP packets to some port • TCP SYN Flood • Use TCP SYN (connection request) packets • But for volume attack

  9. 5.5 Distributed Denial of Service Attacks A typical DDoS attack consists of amassing a large number of compromised hosts to send useless packets to jam a victim or its Internet connection or both. Can be done in following ways: • To exploit system design weaknesses such as • ping to death. • Impose computationally intensive tasks on the victim such as encryption and decryption. • Flooding-based DDoS Attack

  10. DDoS Control Hierarchy

  11. Do not rely on particular network protocols or system design weaknesses. • Consist of sufficient number of compromised hosts amassed to send useless packets toward a victim around the same time. • Have become a major threat due to availability of a number of user-friendly attack tools on one hand and lack of effective solutions to defend against them on the other. • The DDoS attacks can be classified into: • Direct Attacks. • Reflector Attacks

  12. 5.5.1 Direct Attacks • Consists of sending a large number of attack packets directly towards a victim. • Source addresses are usually spoofed so the response goes elsewhere. Examples: • TCP-SYN Flooding: The last message of TCP’s 3 way handshake never arrives from source. • Congesting a victim’s incoming link using ICMP messages, RST packets or UDP packets. • Attacks use TCP packets (94%), UDP packets (2%) and • ICMP packets(2%)

  13. 5.5.2 Reflection Attacks • Use normal behavior of network • Attacker sends packet with spoofed source address being that of target to a server • Server response is directed at target • If send many requests to multiple servers, response can flood target • Various protocols e.g. UDP or TCP/SYN • Ideally want response larger than request • Prevent if block source spoofed packets

  14. Reflection Attacks… • Further variation creates a self-contained loop between intermediary and target • Fairly easy to filter and block

  15. 5.6 Amplification Attacks • Amplification attacks are a variant of reflector attacks, that differ in generating multiple response packets for each original packet sent. • This can be achieved by directing the original request to the broadcast address for some network.

  16. As a result, all hosts on that network can potentially respond to the request, generating a flood of responses. • It is only necessary to use a service handled by large numbers of hosts on the intermediate network. • A ping flood using ICMP echo request packets was a common choice, used by the “smurf” DoS program. • The best additional defense against this form of attack is to not allow “directed broadcasts” to be routed into a network from outside.

  17. 7. DNS Amplification Attacks • Use DNS requests with spoofed source address being the target • Exploit DNS behavior to convert a small request to a much larger response • 60 byte request to 512 - 4000 byte response • Attacker sends requests to multiple well connected servers, which flood target • need only moderate flow of request packets • DNS servers will also be loaded

  18. 5.8 DoS Attack Defenses • High traffic volumes may be legitimate • result of high publicity • or to a very popular site, e.g. Olympics etc • Or legitimate traffic created by an attacker • Three lines of defense against (D)DoS: • attack prevention and preemption • attack detection and filtering • attack source traceback and identification

  19. 5.9 Attack Prevention • Block spoofed source addresses • on routers as close to source as possible • still far too rarely implemented • Rate controls in upstream distribution nets • on specific packets types • e.g. some ICMP, some UDP, TCP/SYN • Use modified TCP connection handling • use SYN cookies when table full • or selective or random drop when table full

  20. Attack Prevention…. • Block IP directed broadcasts • Block suspicious services & combinations • Manage application attacks with “puzzles” to distinguish legitimate human requests • Good general system security practices • Use mirrored and replicated servers when high-performance and reliability required

  21. 5.10 Responding to Attacks • Need good incident response plan • with contacts for ISP • needed to impose traffic filtering upstream • details of response process • Have standard filters • Ideally have network monitors and IDS • to detect and notify abnormal traffic patterns

  22. Responding to Attacks… • Identify type of attack • capture and analyze packets • design filters to block attack traffic upstream • or identify and correct system/application bug • Have ISP trace packet flow back to source • may be difficult and time consuming • necessary if legal action desired • Implement contingency plan • Update incident response plan

More Related