1 / 11

Distributed Denial of Service Attacks

Distributed Denial of Service Attacks. Potential Damage of DDoS Attacks. The Problem: Massive distributed DoS attacks have the potential to severely decrease backbone availability and can virtually detach a network from the Internet. Motives for DDoS Attacks.

matthew
Download Presentation

Distributed Denial of Service Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Distributed Denialof Service Attacks

  2. Potential Damage of DDoS Attacks • The Problem: Massive distributed DoS attacks have the potential to severely decrease backbone availability and can virtually detach a network from the Internet.

  3. Motives for DDoS Attacks • Cyber warfare: Prevent information exchange • A means to blackmail a company or even country and cause image and money loss • Youthful mischief and desire to feel the power “to rule the world“ • Proof of technical excellence to “the world“ and oneself • Outbreak of worms from Internet security research ;-) • ??

  4. What Are DDoS Tools? • Clog victim’s network. • Use many sources (“daemons”) for attacking traffic. • Use “master” machines to control the daemon attackers. • At least 4 different versions in use: TFN, TFN2K, Trinoo, Stacheldraht.

  5. How They Work Daemon Master Daemon Daemon Daemon Daemon Real Attacker Victim

  6. How They Talk • Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication • TFN(Tribe Flood Network): attacker uses shell to invoke master; masters and daemons use ICMP ECHOREPLY, TCP SYN flood, ICMP Broadcast (smurf) • Stacheldraht: attacker uses encrypted TCP connection to master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update and generation

  7. Deploying DDOS • Attackers seem to use standard, well-known holes (i.e., rpc.ttdbserver, amd, rpc.cmsd, rpc.mountd, rpc.statd). • attacks onflaws of remote buffer overflows • They appear to have “auto-hack” tools – point, click, and invade. • Lesson: practice good computer hygiene.

  8. Detecting DDOS Tools • Most current IDS’s detect the current generation of tools. • They work by looking for DDoS control messages. • Naturally, these will change over time; in particular, more such messages will be properly encrypted. (A hacker PKI?)

  9. What Can ISPs Do? • Deploy source address anti-spoof filters (very important!). • Turn off directed broadcasts. • Develop security relationships with neighbor ISPs. • Set up mechanism for handling customer security complaints. • Develop traffic volume monitoring techniques.

  10. Traffic Volume Monitoring – an example • Look for too much traffic to a particular destination. • Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.). • Can we automate the tools – too many queue drops on an access router will trigger source detection?

  11. References • http://www.cert.org/reports/dsit_workshop.pdf • Dave Dittrich’s analyses: • http://staff.washington.edu/dittrich/misc/trinoo.analysis • http://staff.washington.edu/dittrich/misc/tfn.analysis • http://staff.washington.edu/dittrich/misc/stacheldraht.analysis • Scanning tool: http://www.fbi.gov/nipc/trinoo.htm

More Related