1 / 48

Denial of Service Attacks

Denial of Service Attacks. Denial of service ( DOS ). Too many requests for a particular web site “ clog the pipe ” so that no one else can access the site.

haruko
Download Presentation

Denial of Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Denial of Service Attacks

  2. Denial of service ( DOS ) • Too many requests for a particular web site “clog the pipe” so that no one else can access the site

  3. Possible impacts:May reboot your computer, Slows down computers-Certain sites, Applications become inaccessible **you are off. Denial of service ( DOS )

  4. What is Denial of Service Attack? • “Attack in which the primary goal is to deny the victim(s) access to a particular resource.”

  5. What is Denial of Service Attack? • A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

  6. Case 1: Code Red • Exploited buffer overflow error in IIS • Several different versions • Date-based • 1-19th: attempted to infect random IPs • 20-28th: attack whitehouse.gov • After 28th: dormant • At peak more than 2,000 new hosts were infected each minute

  7. Case 2: Sapphire/Slammer • Fastest virus spread in history • Exploited buffer overflow in MS SQL Server • Used UDP instead of TCP • Allowed faster spread – no response needed • Limited only by bandwidth • Problems affected customers, ex. automatic cash machines

  8. How to take down a restaurant Restauranteur Saboteur

  9. O.K., Mr. Smith Table for four at 8 o’clock. Name of Mr. Smith. Saboteur vs. Restauranteur Restauranteur Saboteur

  10. Restauranteur No More Tables! Saboteur

  11. Categories of DOS attack • Bandwidth attacks • Protocol exceptions • Logic attacks

  12. Bandwidth attacks • A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.

  13. Protocol exceptions • A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected.

  14. Logic attacks • The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking.

  15. Samples • Ping of Death • Smurf & Fraggle • Land attack • Synchronous Flooding

  16. PING OF DEATH A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture, a normal ping has two messages:

  17. PING OF DEATH • BUT • With a Ping of Death attack, an echo packet is sent that is larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot. • You can perform a Ping of Death from within Linux by typing ping –f –s 65537. • Note the use of the –f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target. Tools:- -Jolt -SPing-ICMP Bug -IceNewk

  18. Smurf and Fraggle A Smurf attack is another DoS attack that uses ICMP. Here, a request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.

  19. Smurf and Fraggle • If the broadcast ping cannot be sent to a network, a Smurf amplifier is used. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. NMap provides the capability to detect whether a network can be used as a Smurf amplifier.

  20. Smurf and Fraggle • A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.

  21. LAND Attack • In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack. HPing can be used to craft packets with the same spoofed source and destination address.

  22. هنگامی که قربانی در حالتSYN_Receivedقرار دارد، منتظر دریافت بسته ی SYN/ACK است در حالی که ACK دریافت می کند SYN_RECIEVED مهاجم SYN قربانی SYN_RECIEVED ACK Waiting for SYN/ACK Not ACK LAND Attack

  23. هنگامی که قربانی SYN را دریافت می کند، شماره ترتیب را به روز کرده، ACK می فرستد، سپس بسته ای با شماره ترتیب مشابه دریافت می کند و آن را با همان شماره ترتیب برای فرستنده می فرستد تا توسط او اصلاح شود چون شماره ترتیب هرگز به روز نمی شود، قربانی دچار حلقه بی نهایت می شود! LAND Attack امنیت در شبکه های کامپوتری (دکتر بهروز ترک لادانی 1386)‏

  24. SN=x SYN مهاجم قربانی SN=y ACK SN=y ACK Waiting for updated SN LAND Attack

  25. Synchronous flood • A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.

  26. Synchronous flood but in our case the using of the syn flood for the 3 way handshaking is taking another deal, that is the attacker host will send a flood of syn packet but will not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled.

  27. With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until

  28. Synchronous flood • the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.

  29. Synchronous flood • SYN floods are still successful today for three reasons: 1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack. 2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small. 3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.

  30. “TCP connection, please.” “TCP connection, please.” “O.K. Please send ack.” “O.K. Please send ack.” Return to our Restaurant Buffer

  31. IP Packet options در این روش برخی از فیلد های انتخابی بسته به صورت تصادفی تغییر داده می شوند و بسته حاصل برای قربانی ارسال می شود. بیت های مربوط به کیفیت خدمات یکمی شوند باعث بالا رفتن زمان پردازش CPU می شود

  32. Tear drop در این حمله بسته ی IP در اثر یک افراز غلط، به قطعه هایی تقسیم می شود که همپوشانی دارند قربانی نمی تواند این بسته را دوباره از قطعه هایش بسازد باعث می شود سیستم "صفحه ی آبی مرگ" را مشاهده کند و در نتیجه باید reboot شود

  33. Tear drop

  34. A new Classification • Now we may categorize the DOS in to 3 parts depending on the number of characters: • Single-tier DoSAttacks • Dual-tier DoSAttacks • Triple-tier DDoS Attacks

  35. Single-tier DoSAttacks • Straightforward 'point-to-point' attack, that means we have 2 actors: hacker and victim. • Examples • Ping of Death • SYN floods • Other malformed packet attacks

  36. Single-tier DoSAttacks

  37. Dual-tier DoS Attacks • More complex attack model • Difficult for victim to trace and identify attacker • Examples • Smurf

  38. Dual-tier DoS Attacks

  39. Triple-tier DDoS Attacks • Highly complex attack model, known as Distributed Denial of Service (DDoS). • DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your networks against this level of attack. • Examples • TFN2K • Stacheldraht • Mstream

  40. Components of a DDoS Flood Network • Attacker • Often a hacker with good networking and routing knowledge. • Master servers • Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts. • Zombie hosts • Thousands of backdoored hosts over the world

  41. Triple-tier DDoS Attacks

  42. Results expected • Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise. • Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack“. For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

  43. Defense

  44. Internet Service Providers • Deploy source address anti-spoof filters (very important!). • Turn off directed broadcasts. • Develop security relationships with neighbor ISPs. • Develop traffic volume monitoring techniques.

  45. High loaded machines • Look for too much traffic to a particular destination. • Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.). • Can we automate the tools – too many queue drops on an access router will trigger source detection. • Disable and filter outall unused UDP services.

  46. Also • Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed • System should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, back doors, etc.)

  47. Also • Train your system and network administrators • Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com • From time to time listen on to attacker community to be informed about their latest achievements. • Be in contact with your ISP. In case that your network is being attacked, this can save a lot of time

  48. references [.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.htmlArticle by Christopher Klaus, including a "solution". [.2.] http://jya.com/floodd.txt2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane[.3.] http://www.fc.net/phrack/files/p48/p48-14.htmlIP-spoofing Demystified by daemon9 / route / infinityfor Phrack Magazine [.4.]http://www.gao.gov/new.items/d011073t.pdf [.5.]http://www.cl.cam.ac.uk/~rc277/ [.6.]http://www.cert.org/reports/dsit_workshop.pdf [.7.]http://staff.washington.edu/dittrich/misc/tfn.analysis

More Related