
563.9.4 More on Denial of Service


Presentation Transcript


  1. 563.9.4 More on Denial of Service. Presented by: Lili Rasouli, University of Illinois, Spring 2006

  2. Definition
  • Attack on a network
  • Floods the network with useless traffic
  • Exploits limitations in the TCP/IP protocols
  • Like viruses, DoS attacks are highly adaptive

  3. Definition
  • A loss of service to users; not a virus but a method
  • An incident in which a user or organization is deprived of the services of a resource they would normally expect to have
  • A denial of service attack can sometimes happen accidentally

  4. Overview
  • Frequency
  • Common Forms
  • Further Consequences of DoS attacks
  • Backscatter: a technique for detecting DoS attacks
  • Conclusions

  5. Frequency of DoS Attacks
  • Extremely frequent: in the FBI's annual report (2004), 1/5 of respondents experienced a DoS attack (500 organizations provided information)
  • Cost was over $26 million
  • The most costly cybercrime
  • A quantitative estimate of worldwide DoS attack frequency found 12,000 attacks over a three-week period in 2001

  6. Common Forms
  • Buffer Overflow Attacks
    • Send more traffic to a network address than the programmers anticipated for its buffers
    • E.g., send e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs
  • SYN Attack
    • Exploits TCP handshaking

  7. Common Forms
  • Teardrop Attack
    • Exploits the way that the Internet Protocol requires a packet that is too large for the next router to handle to be divided into fragments
    • Each fragment packet identifies an offset to the beginning of the first packet, which enables the entire packet to be reassembled by the receiving system
    • The attacker's IP packet puts a confusing offset value in the second or later fragment
    • If the receiving operating system does not have a plan for this situation, it can cause the system to crash
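The "plan for this situation" that slide 7 asks of a receiving system is to validate each fragment's offset before using it. The following reassembler is an added example, not code from the slides: it takes a complete fragment set as (byte offset, payload, more-fragments flag) tuples, a simplified stand-in for the IPv4 header fields, and rejects any fragment whose offset points back inside data already placed or past the maximum datagram size instead of deriving a copy length from it.

```python
MAX_DATAGRAM = 65535   # IPv4 total length is a 16-bit field

class FragmentError(ValueError):
    """Raised for fragment sets a receiver should drop rather than reassemble."""

def reassemble(fragments):
    """Rebuild a datagram from (offset, payload, more_fragments) tuples.

    Offsets are byte offsets into the original datagram (the wire encodes
    them in 8-byte units). Each offset is checked against the data already
    placed, so an offset that lands inside a previous fragment, or an end
    beyond the 16-bit limit, is an error rather than a negative or oversized
    copy length, which is exactly the arithmetic a teardrop sender relies on.
    """
    buf = bytearray()
    saw_last = False
    for offset, payload, more in sorted(fragments, key=lambda f: f[0]):
        if saw_last:
            raise FragmentError("data after the fragment marked as last")
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at {end}, past {MAX_DATAGRAM}")
        if offset < len(buf):
            raise FragmentError(f"offset {offset} overlaps data up to {len(buf)}")
        if offset > len(buf):
            raise FragmentError(f"gap before offset {offset}: fragment missing")
        buf += payload
        saw_last = not more
    if not saw_last:
        raise FragmentError("final fragment never arrived")
    return bytes(buf)

# Constructed inputs (assumed, not from the slides): a well-formed pair and a
# teardrop-style pair whose second offset lands inside the first fragment.
GOOD = [(0, b"A" * 16, True), (16, b"B" * 8, False)]
TEARDROP = [(0, b"A" * 16, True), (8, b"B" * 4, False)]

def is_accepted(fragments):
    """True if the set reassembles cleanly, False if the validator rejects it."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False
```

A real stack holds incomplete sets in a timed queue instead of raising on a gap; the offset and length checks are the part that matters here.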

  8. Common Forms
  • Smurf Attack
    • The attacker sends an IP ping (or "echo my message back to me") request to a receiving site
    • The ping packet:
      • Specifies that it be broadcast to a number of hosts within the receiving site's local network
      • Indicates that the request is from another site, the target site that is to receive the denial of service (spoofing the return address)
    • As a result, lots of ping replies flood back to the victim, which will no longer be able to receive or distinguish real traffic

  9. Common Forms
  • Viruses
    • Replicate across a network in various ways
    • Can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus
    • Depending on the particular virus, the denial of service can range from hardly noticeable all the way to disastrous

  10. Common Forms
  • Unintentional/non-malicious DoS attacks
    • A popular website posts a prominent link to a second, less well-prepared site (e.g., a news story)
    • Result: a significant proportion of the primary site's regular users - potentially hundreds of thousands of people - click that link in the space of a few hours, having the same effect on the target website as a DDoS attack
    • News sites and link sites - sites whose primary function is to provide links to interesting content elsewhere on the Internet - are most likely to cause this phenomenon

  11. Backscatter Technique
  • Main Idea:
    • Many DDoS attacks use IP spoofing
    • The IP address is chosen randomly from legal IPs
    • Vast number of attack packets, so sooner or later each possible IP address is used in some attack packet
    • Set up a network of machines with no real user or service
      • Should never receive any legitimate traffic
      • Response packets will get returned to the supposed sender

  12. Backscatter
  • Any packet that the set-up network receives would be part of an attack
  • Can see which machine on the Internet is under attack
  • Figure out the size and duration of the attack

  13. Caveats
  • The result does not capture data on attacks that did not use generally randomized IP spoofing
  • Attack packets that would not generate responses are not represented in the data
  • Congestion causes the dropping of an unknown number of attack packets and responses to those attacks
  • Reported numbers are underestimations of the actual DDoS activity

  14. Backscatter

  15. Result
  • Over the three-week period, 12,805 separate attacks were observed on more than 5,000 different targets in more than 2,000 DNS domains
  • Largest observed attack contained more than 600,000 packets per second
  • The duration of most attacks was short:
    • 50% lasted less than 10 minutes
    • 80% lasted less than 30 minutes
    • 90% lasted less than one hour
  • TCP was the most popular protocol to use in the attacks
  http://www.caida.org/publications/papers/2001/BackScatter/usenixsecurity01.pdf
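The analysis of slides 11 through 15 (victim, size, duration, and the caveats) in code, as an added example that is not part of the slides or of the CAIDA study: a darknet sensor log is read, only packet types that a host emits in reply to something it received are treated as backscatter, each such packet's source is taken as the victim, and the observed rate is scaled by the fraction of the address space the sensor covers. The log format, the sample addresses and the 1/256 coverage are constructed assumptions.

```python
from dataclasses import dataclass

# Reply types a host sends only in response to traffic it received. Arriving
# unsolicited at a darknet, they show the darknet address was spoofed as the
# source of an attack packet, so the reply's own source is the victim.
BACKSCATTER_TYPES = {("TCP", "SYN-ACK"), ("TCP", "RST"),
                     ("ICMP", "echo-reply"), ("ICMP", "unreachable")}

# Constructed sensor log, not a real capture: "seconds src dst proto kind".
SAMPLE_LOG = """\
0.00 203.0.113.10 198.51.100.7 TCP SYN-ACK
0.50 203.0.113.10 198.51.100.200 TCP SYN-ACK
1.00 203.0.113.10 198.51.100.33 TCP SYN-ACK
1.50 203.0.113.10 198.51.100.7 TCP RST
2.00 203.0.113.10 198.51.100.90 ICMP echo-reply
0.30 192.0.2.44 198.51.100.12 TCP RST
0.80 192.0.2.44 198.51.100.13 TCP RST
1.20 198.18.0.5 198.51.100.1 TCP SYN
"""

@dataclass
class Attack:
    victim: str        # source address of the unsolicited replies
    packets: int       # replies seen at the sensor
    first: float
    last: float
    sensor_addrs: int  # distinct darknet addresses hit
    est_pps: float     # observed rate scaled up to the whole address space

def analyze(lines, monitored_fraction, min_packets=3):
    """Group backscatter by victim; ignore probes aimed at the darknet itself."""
    by_victim = {}
    for line in lines:
        ts, src, dst, proto, kind = line.split()
        if (proto, kind) not in BACKSCATTER_TYPES:
            continue  # a bare SYN or echo-request here is a scan, not backscatter
        ts = float(ts)
        rec = by_victim.setdefault(src, [0, ts, ts, set()])
        rec[0] += 1
        rec[1], rec[2] = min(rec[1], ts), max(rec[2], ts)
        rec[3].add(dst)
    attacks = []
    for victim, (n, first, last, dsts) in by_victim.items():
        if n < min_packets:
            continue  # too few replies to call an attack; also hides small ones
        duration = max(last - first, 1e-3)  # guard single-instant bursts
        attacks.append(Attack(victim, n, first, last, len(dsts),
                              (n / duration) / monitored_fraction))
    return sorted(attacks, key=lambda a: a.packets, reverse=True)
```

The min_packets threshold and the scaling factor are where the slide 13 caveats bite: attacks that spoof from a narrow range, or whose replies are dropped by congestion, fall below the threshold and are undercounted.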

  16. Further Consequences of DoS attacks
  • Problems in the network 'branches' around the actual computer being attacked
    • E.g., the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, so the entire network will be disrupted
  • If conducted on a sufficiently large scale, a DoS attack can compromise entire geographical swathes of Internet connectivity
    • Without the attacker's knowledge or intent, with the "help" of incorrectly configured or flimsy network infrastructure equipment

  17. Well-known DDoS tools
  • Trinoo:
    - Master/slave program
    - Made up of a master server + trinoo daemon ("ns.c")
    - The attacker(s) control one or more "master" servers
    - A master server can control many "daemons"
    - The daemons are all instructed to coordinate a packet-based attack against one or more victim systems
  The network: attacker(s)-->master(s)-->daemon(s)-->victim(s)

  18. Well-known DDoS tools
  • Stacheldraht:
    - "Barbed wire"
    - Trinoo + TFN
    - Encryption of communication between the attacker and stacheldraht
    - Made up of one or more handler programs + a large set of agents
    - The attacker uses an encrypting "telnet alike" program to connect to and communicate with the handlers
  The network: client(s)-->handler(s)-->agent(s)-->victim(s)

  19. Conclusions
  • DoS attacks are an everyday threat for computer networks
  • They come in many different flavors
  • Almost impossible to prevent
  • Hard even to detect
  • The Backscatter Technique presented here has severe limitations
