
Internet Threats Denial Of Service Attacks


Presentation Transcript


  1. Internet Threats Denial Of Service Attacks

  2. The Internet And Information Security
  “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about the Internet is that you’re connected to everyone else.” Vint Cerf

  3. Denial Of Service Attack Specifics

  4. Denial Of Service Problems
  • Exploding in popularity
  • No skill required
  • High juvenile ratio
  • Menu-driven attack programs widely available, on multiple platforms
    • Unix, NT, Win95, etc.
  • Up and running in minutes
  • Programs available via the Internet within HOURS of the identified exploit
  • Often requires assistance across multiple ISPs
  • Coordination efforts impossible at best

  5. Denial Of Service Problems
  • Tracing
    • Source is almost always hidden, or forged
    • Need to trace in real time, router by router, to find Bad_Guy
  • High packet rates
    • Sometimes victims can’t use the Internet to complain about or trace the attack
  • Group accounts or throw-away accounts used
    • School labs, piracy dialup, hacked systems

  6. DoS Types: “Revenge of the Nerds”
  • SYN Floods
  • Mail Bombs
  • Smurf Attacks
  • Many, many others

  7. SYN Floods
  • TCP handshake required to set up communication
    • Send: HELLO! (TCP_SYN)
    • Recv: Yea, what? (TCP_SYN_ACK)
    • Send: Let’s talk! (TCP_ACK)
  • SYN Flood exploits the handshake
    • Bad_Guy sends a TCP_SYN from a forged source that doesn’t exist
    • Victim tries to send a TCP_SYN_ACK, but can’t find the source, so it queues the message
    • Message is queued for ~75 seconds
    • Bad_Guy fills up the SYN queue
    • Victim can’t communicate
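To see why the ~75-second hold time on this slide is what makes the attack work, here is an added Python model of the half-open queue (example code, not part of the original deck). The backlog size, arrival rates, duration and the shorter alternative timeout are constructed parameters: a forged source never answers the SYN_ACK, so its entry holds a slot until the timer expires, while a real client frees its slot on the third step of the handshake.

```python
class SynBacklog:
    """Model of a listener's half-open (SYN_RCVD) queue as the slide describes:
    an entry stays queued ~75 s unless the client's ACK completes it."""

    def __init__(self, size, timeout=75.0):
        self.size, self.timeout = size, timeout
        self.pending = {}   # source address -> time its entry times out
        self.dropped = 0    # SYNs refused because the queue was full

    def syn(self, now, src):
        # Entries whose hold timer has run out finally leave the queue.
        for s in [s for s, exp in self.pending.items() if exp <= now]:
            del self.pending[s]
        if len(self.pending) >= self.size:
            self.dropped += 1
            return False
        self.pending[src] = now + self.timeout
        return True

    def ack(self, src):
        # Third step of the handshake frees the slot at once.
        self.pending.pop(src, None)


def simulate(backlog=128, forged_rate=10.0, legit_interval=1.0,
             duration=60.0, timeout=75.0):
    """Constructed scenario: forged-source SYNs arrive at forged_rate per second
    and are never followed by an ACK; one real client sends a SYN every
    legit_interval seconds and ACKs immediately. Returns how the real client fared."""
    events = [(k / forged_rate, 1, f"forged-{k}")
              for k in range(int(duration * forged_rate))]
    events += [(k * legit_interval, 0, "legit")
               for k in range(int(duration / legit_interval))]
    q = SynBacklog(backlog, timeout)
    ok = refused = 0
    first_refusal = None
    for t, kind, src in sorted(events):   # at equal times the real client goes first
        if kind == 1:                     # forged source: the SYN_ACK goes nowhere
            q.syn(t, src)
        elif q.syn(t, src):               # real client: SYN accepted, ACK follows
            q.ack(src)
            ok += 1
        else:
            refused += 1
            if first_refusal is None:
                first_refusal = t
    return {"legit_ok": ok, "legit_refused": refused,
            "first_refusal": first_refusal, "dropped_syns": q.dropped}
```

With the defaults, ten forged SYNs per second fill a 128-entry queue in under 13 seconds and the real client is refused for the rest of the run; with a 5-second timeout the same trickle never fills the queue at all, which is the whole significance of the ~75 s figure.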

  8. DoS Packet Flow: SYN Attack (diagram: SYN packet from Bad_Guy to Victim; Victim: “Where do I send data?”)

  9. Mail Bombs
  • Large amounts of email sent to the victim
  • “FROM” address randomly created
  • Mail trail is often relayed through several relay systems
  • Difficult to track origination
  • One word: SPAM
  • Explosion of tools available from spamming organizations to make this point-and-click, and professionally difficult to trace

  10. Smurf Attacks
  • Most recent attack, also called a “Broadcast Ping Attack”
  • Broadcast ping
    • Send a “broadcast_ping_request” to a network/subnet, and every host in that network/subnet replies with a “ping_reply”

  > ping 166.45.1.255
  166.45.1.1 is alive
  166.45.1.2 is alive
  166.45.1.3 is alive
  ….
  166.45.1.255 is alive

  11. Smurf Attacks
  • Attack
    • Bad_Guy sends a “broadcast_ping_request” that looks like it came from “Victim”, and sends it to “Innocent 3rd Party”
    • Every host on “Innocent 3rd Party”’s network/subnet sends a “broadcast_ping_reply” to the Victim
    • Victim gets hit with a massive ping attack
    • Good_Guy traces the attack to the “Innocent 3rd Party”
  • Compensators
    • Disable broadcast ping replies on your routers: “no ip directed broadcasts”
    • Deploy monitoring software
    • Call your ISP
    • Filter ICMP

  12. Tools Available To Initiate Attacks
  • How they are being developed so quickly
    • Hackers are subscribing to “bug lists” used to discuss product bugs
    • Public-domain testing software becoming widely available, being used maliciously
    • Template code to create TCP/IP packets exists
  • Their availability and dissemination
    • Ever try YAHOO?
    • IRC #DOS channel
    • Available within hours after a bug is reported
    • Professionally created, updated, etc.

  13. Impacts To ISPs
  • Bandwidth saturation
    • DoS attacks affect links that belong to ISPs
    • Affects multiple customers
    • T1 backbone ISPs still exist!
  • Hackers can do much damage on a 28.8 dialup
    • T3-connected shell accounts in high demand
    • IRC #shells
  • Resources required to trace are intense
    • Educating the customer
    • Tracing the attack
    • Time-sensitive issue

  14. MCI’s DoSTracker
  • Reactive
    • Victim calls in for assistance
    • DoSTracker installed on the Victim’s border router (their connection to our network)
  • Proactive
    • DoSTracker installed on the Victim’s router, and “waits” for an attack to come in; alerts when identified
    • Not typically used, due to resource issues

  15. MCI’s DoSTracker
  • DoSTracker watches packets going to the Victim, and analyzes them for “DoS Characteristics”
    • Forged source address
    • Smurf attack
    • Large packet sources
  • DoSTracker traces identified DoS packets router by router, interface by interface, until it reaches an “edge” (customer or another network).

  16. DoS Path (diagram: Customer, NET A, NET B, NET C)

  17. Migration Of Attacks
  • What can we expect for future attacks?
  • Automation
    • DoS engines/clients
  • Protocol exposures
    • Streaming protocols: CUSeeMe, multicast, UseNet
    • DNS
  • Reduction of detection capability
    • Services are being deployed much too quickly for security analysis, compensators and monitoring to be deployed and integrated
  • We’ll always be one to two steps behind

  18. Contact
  Dale Drew
  internetMCI Security Engineering
  703/715-7058
  ddrew@mci.net
  http://www.security.mci.net
  http://www.security.mci.net/check.html
