Technical White Paper June 2016
TLP:WHITE

Guide to DDoS Attacks

Authored by:
Lee Myers, Senior Manager of Security Operations
Christopher Cooley, Cyber Intelligence Analyst

This Multi-State Information Sharing and Analysis Center (MS-ISAC) document is a guide to aid partners in their remediation efforts of Distributed Denial of Service (DDoS) attacks. This guide is not inclusive of all DDoS attack types and references only the types of attacks partners of the MS-ISAC have reported experiencing.

TABLE OF CONTENTS:
Introduction
Standard DDoS Attack Types:
  SYN Flood
  UDP Flood
  ICMP Flood
  HTTP GET Flood
Reflection DDoS Attack Types:
  NTP Reflection Attack with Amplification
  DNS Reflection Attack with Amplification
  WordPress Pingback Reflection Attack with Amplification
  SSDP Reflection Attack with Amplification
  Microsoft SQL Reflection Attack with Amplification
General Recommendations and Mitigation Strategies

TLP:WHITE information may be distributed without restriction, subject to copyright controls.
INTRODUCTION

A Denial of Service (DoS) attack is an attempt to make a system unavailable to the intended user(s), such as preventing access to a website. A successful DoS attack consumes all available network or system resources, usually resulting in a slowdown or server crash. Whenever multiple sources are coordinating in the DoS attack, it becomes known as a DDoS attack.

MS-ISAC regularly observes two methods of DDoS attacks: Standard and Reflection.

A Standard DDoS attack occurs when attackers send a substantial amount of network traffic, often malformed or deliberately incomplete, directly to a target server or network. One of the ways an attacker can accomplish this is by using a botnet to send the traffic. A botnet is a large number of victim computers, or zombies, connected over the Internet, that communicate with each other and can be controlled from a single location. When an attacker uses a botnet to perform the DDoS attack, they send instructions to some or all of the zombie machines connected to that botnet, thereby magnifying the size of their attack and making it originate from multiple networks and possibly from multiple countries.

Figure 1: Example Standard DDoS SYN Flood (Image Source: Center for Internet Security)

A Reflection DDoS attack occurs when attackers spoof their IP address to pose as the intended victim and then send legitimate requests to legitimate public-facing servers. The responses to these requests are sent to the intended victim and originate from legitimate servers.

In addition to these methods, a technique used by attackers to increase the effectiveness of their attack is called Amplification. Usually used in conjunction with Reflection attacks, Amplification occurs when the response that is sent to the victim is larger than the request that is sent from the attacker.
Figure 2: Example DNS Reflection DDoS with Amplification (Image Source: Center for Internet Security)

In addition to the use of botnets, some tools are freely available online that cyber threat actors can use to perform DDoS attacks. Most of these tools were originally designed to be stress testers and have since become open source tools used to conduct DDoS attacks by amateur cyber threat actors. Popular examples of these tools include the Low Orbit Ion Cannon (LOIC) and the High Orbit Ion Cannon (HOIC). These tools can be downloaded, installed, and utilized by anyone who wishes to be a part of an ongoing DDoS attack. With the goal of consuming all available bandwidth allocated to the target, the LOIC sends significant amounts of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic, while the HOIC specifically sends HTTP traffic. Other examples of tools that can be used to perform DDoS activities include Metasploit, PyLoris, and Slowloris.

Figure 3: Image of the LOIC Graphical User Interface (Image Source: en.wikipedia.org)

While the main purpose behind a DDoS attack is the malicious consumption of resources, different attackers may use different techniques to generate the traffic necessary for an effective DDoS. A lone actor with a botnet at their disposal may use that botnet to orchestrate the attacks. However, botnets are also available for hire, with operators charging minimal fees for short duration attacks. A group of actors working together may choose to use the same type of free tool, rather than trying to gain access to a botnet. Attacks like these are usually less successful, as it is difficult to coordinate enough attackers for the effect to be noticeable.
STANDARD DDoS ATTACK TYPES

SYN Flood

A SYN Flood is one of the most common forms of DDoS attacks observed by the MS-ISAC. It occurs when an attacker sends a succession of TCP Synchronize (SYN) requests to the target in an attempt to consume enough resources to make the server unavailable for legitimate users. This works because a SYN request opens network communication between a prospective client and the target server. When the server receives a SYN request, it responds with a SYN-ACK acknowledging the request and keeps the half-open connection in memory while it waits for the client to complete the handshake with a final ACK. In a SYN Flood, that client acknowledgment never arrives (the source addresses are typically spoofed, so there is no client to send it), tying up the server's resources until the half-open connection times out. A large number of incoming SYN requests to the target server exhausts all available server resources and results in a successful DDoS attack.

- To identify a SYN Flood, investigate network logs and locate the TCP SYN flag. Tcpdump or Wireshark may work for this purpose.
  o TCP SYN packets are normal and are not necessarily indicative of malicious activity. Look for a large number of SYN packets coming from multiple sources over a short period, without the ACKs that would complete the handshakes.
- If you identify an attack, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- To help minimize the impact of successful SYN Flood attacks, define strict TCP keepalive and maximum connection rules on all perimeter devices, such as firewalls and proxy servers.
- On some firewall appliances, you can enable SYN cookies to help mitigate the effects of a SYN Flood. With SYN cookies enabled, the firewall (or host) answers each SYN without storing any connection state: the state is encoded in the sequence number of its SYN-ACK and is reconstructed only if a valid final ACK comes back. Half-open connections therefore cost nothing, and when attackers never send the final acknowledgment, no connection is ever created and nothing is passed to the server.

Slowloris Attacks: While Slowloris is a DoS tool that can be easily accessed by threat actors, the term Slowloris is also used to describe a type of DoS attack. Slowloris attacks attempt to establish multiple TCP connections on a target web server, and hold them open for as long as possible by sending partial HTTP requests that are never completed. The TCP handshake itself completes normally, so SYN cookies do not help against it; the similarity to a SYN Flood is that both exhaust the server's pool of connection state rather than its bandwidth.
Variation of SYN Flood: ESSYN/XSYN Flood

An ESSYN Flood, also known as an XSYN Flood, is an attack designed to target entities using stateful firewalls. The attack works when a large number of unique source IP addresses all attempt to open connections with the target destination IP. Each new connection from a unique source IP creates a new entry in the firewall state table. The purpose of this attack is to create more unique connections than there is space for in the firewall's state table. Once the table is full, the firewall will not accept any additional inbound connections, denying service to legitimate users attempting to access the destination IP.

Variation of SYN Flood: PSH Flood

A Push (PSH) Flood involves sending a large number of TCP packets with the PSH bit set. Normally TCP buffers outgoing data so that segments are filled to the maximum segment size before they are sent, which makes the transfer of data more efficient. A set PSH bit bypasses that buffering and indicates that the data should immediately be delivered to the application. In normal circumstances this does not present an issue; however, when a significant number of PSH packets are sent to a target server, there is a potential to overload its resources, creating a DoS situation.
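The difference between a stateful listener and a SYN-cookie listener described under the SYN Flood and ESSYN/XSYN sections above, as an added example that is not part of the MS-ISAC guide: a simulated listener of each kind receives the same spoofed flood and then one legitimate handshake. The target address, the flood size, the backlog of 1024 entries and the cookie layout (8 bits of coarse time plus a 24-bit keyed hash over the 4-tuple) are assumptions for illustration; real kernels also encode the MSS in the cookie and use their own hash.

```python
"""Stateful listener vs. SYN-cookie listener under a spoofed SYN flood.

Added example, not code from the MS-ISAC guide. Addresses, ports, backlog and
flood size are constructed; the cookie layout (8 bits of coarse time plus a
24-bit keyed hash) is a simplification of what real kernels do.
"""
import hashlib
import hmac
import time
from collections import namedtuple

# flags is "S" (SYN), "SA" (SYN-ACK) or "A" (ACK); seq/ack are the TCP numbers.
Segment = namedtuple("Segment", "src sport dst dport flags seq ack")
TARGET_IP, TARGET_PORT = "203.0.113.10", 80          # constructed target


class StatefulListener:
    """Classic behaviour: every SYN allocates a half-open entry at once."""

    def __init__(self, backlog):
        self.backlog = backlog      # room in the SYN queue / firewall state table
        self.half_open = {}         # (src, sport) -> server ISN awaiting the ACK
        self.established = set()
        self.dropped = 0            # SYNs refused because the table was full

    def receive(self, seg, now_minute):
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1   # table full: legitimate SYNs are refused too
                return None
            self.half_open[key] = 1000
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SA", 1000, seg.seq + 1)
        if seg.flags == "A" and key in self.half_open:
            if seg.ack == self.half_open.pop(key) + 1:
                self.established.add(key)
        return None


class SynCookieListener:
    """SYN cookies: answer every SYN, store nothing until a valid final ACK."""

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def cookie(self, src, sport, dst, dport, t8):
        # 32-bit ISN = 8 bits of coarse time || 24 bits of keyed MAC over the 4-tuple.
        msg = f"{src}:{sport}:{dst}:{dport}:{t8}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (t8 << 24) | int.from_bytes(mac[:3], "big")

    def receive(self, seg, now_minute):
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            # Reply and forget: the SYN-ACK carries the cookie as the server ISN.
            isn = self.cookie(seg.src, seg.sport, seg.dst, seg.dport, now_minute & 0xFF)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SA", isn, seg.seq + 1)
        if seg.flags == "A":
            # Accept only if the client echoed a cookie (ack = ISN + 1) minted this
            # minute or the previous one; only then is connection state created.
            isn = (seg.ack - 1) & 0xFFFFFFFF
            t8 = isn >> 24
            fresh = t8 in (now_minute & 0xFF, (now_minute - 1) & 0xFF)
            if fresh and self.cookie(seg.src, seg.sport, seg.dst, seg.dport, t8) == isn:
                self.established.add(key)
        return None


def spoofed_syn_flood(n):
    """n SYNs from n distinct spoofed source tuples that never send an ACK."""
    return [Segment(f"198.51.100.{i % 254 + 1}", 1024 + i, TARGET_IP, TARGET_PORT, "S", 7, 0)
            for i in range(n)]


def legitimate_handshake(listener, now_minute):
    """A real client: SYN, read the SYN-ACK, answer with the matching ACK."""
    client = ("192.0.2.7", 40000)                      # constructed legitimate client
    synack = listener.receive(Segment(*client, TARGET_IP, TARGET_PORT, "S", 500, 0), now_minute)
    if synack is None:
        return False                                   # SYN refused: backlog exhausted
    listener.receive(Segment(*client, TARGET_IP, TARGET_PORT, "A", 501, synack.seq + 1), now_minute)
    return client in listener.established


def forged_ack_is_rejected(now_minute=100):
    """Without the secret an attacker cannot fabricate an ACK that creates state."""
    listener = SynCookieListener(b"rotate-me-periodically")
    fake_isn = ((now_minute & 0xFF) << 24) | 0x123456     # right time byte, wrong MAC
    listener.receive(Segment("198.51.100.1", 1024, TARGET_IP, TARGET_PORT, "A", 1, fake_isn + 1), now_minute)
    return not listener.established


def run_comparison(flood_size=5000, backlog=1024):
    """Feed both listeners the same flood, then try one legitimate handshake each."""
    now = int(time.time() // 60)
    stateful = StatefulListener(backlog)
    cookies = SynCookieListener(b"rotate-me-periodically")   # constructed secret
    for seg in spoofed_syn_flood(flood_size):
        stateful.receive(seg, now)
        cookies.receive(seg, now)
    return {"stateful_half_open": len(stateful.half_open),   # pinned at the backlog
            "stateful_dropped": stateful.dropped,
            "stateful_legit_ok": legitimate_handshake(stateful, now),
            "cookie_legit_ok": legitimate_handshake(cookies, now)}


if __name__ == "__main__":
    print(run_comparison(), forged_ack_is_rejected())
```

The stateful listener ends the flood with its table pinned full and refuses the legitimate SYN, which is exactly the ESSYN/XSYN outcome for a stateful firewall; the cookie listener holds no state during the flood and still completes the legitimate handshake. Rotating the secret regularly and bounding the accepted time window are what keep an attacker from replaying an old cookie.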
UDP Flood

A UDP Flood is very similar to a SYN Flood in that an attacker uses a botnet to send a significant amount of traffic to the target server. The difference is that UDP needs no handshake, so packets can be generated much faster, and rather than attempting to exhaust server connection state, the attack seeks to consume all of the available bandwidth on the server's network link, thereby denying access to legitimate users. The attack works because a server that receives a UDP packet on a network port, such as 50555/UDP, checks for an application that is listening on that port. If nothing is listening on that port, it replies to the sender of the UDP packet with an Internet Control Message Protocol (ICMP) Destination Unreachable packet. During an attack, a large number of UDP packets arrive, each with various destination ports. This forces the server to process each one, and in most cases, respond to each one. This type of attack can quickly lead to the consumption of all available bandwidth.

- To identify a UDP Flood, investigate network logs and look for a large number of inbound UDP packets over irregular network ports coming from a large number of source IP addresses.
  o Many legitimate services use UDP for their network traffic. Common UDP ports are 53 (DNS), 88 (Kerberos), 137/138/445 (Windows), and 161 (SNMP). When investigating a DDoS attack, look for UDP traffic with high numbered network ports (1024+).
- If you identify an attack, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- To minimize the effect of UDP Flood attacks, define strict rules on your perimeter network devices, like firewalls, to allow only inbound traffic on ports that are required.

UDP Flood Variant Using Reflection: Fraggle DDoS Attack

A Fraggle attack is an alternate method of carrying out a UDP Flood attack. In a Fraggle attack, the attacker uses the target's IP address as their own, which is called spoofing, and then sends UDP packets to the echo (port 7) or character generator (port 19) service on the broadcast IP address of a public network on the Internet. The broadcast IP address of a network will send any traffic that it receives to all other IP addresses within its network. Therefore, when the UDP request is received by the broadcast IP address, the request is then forwarded on to all live computers on the network. Each of those computers thinks that the request is coming from the target IP address, and therefore sends its response to the target rather than back to the attacker. The result of this is a large number of unsolicited UDP echo or character generation traffic being sent to the target of the DDoS, resulting in the consumption of available bandwidth.
ICMP Flood

An ICMP Flood occurs when an attacker uses a botnet to send a large number of ICMP packets to a target server in an attempt to consume all available bandwidth and deny legitimate users access. This attack works when a large number of sources can send enough ICMP traffic to consume all available bandwidth of the target's network.

An example of this could be the ping command. This command is primarily used to test network connectivity between two points on a network. However, it is possible to supply this command with different options to make the ping larger in size and occur more often. By using these options correctly, and with enough source machines initiating the traffic, it is possible to consume all of the available bandwidth.

- To identify an ICMP Flood, investigate network logs and look for a significant amount of inbound ICMP traffic from a large number of sources.
  o Depending on what tool you are using to investigate your logs, you can identify ICMP packets by the protocol displayed in the graphical user interface, such as with Wireshark. When analyzing ICMP traffic you will notice that no port information is available, as ICMP does not use network ports like TCP or UDP.
  o If you are using a tool that displays the network protocols as numbered values, ICMP is protocol 1.
  o There are also ICMP type and code fields that identify what ICMP traffic is being sent or received; a complete list of these types and codes is published in the IANA ICMP parameters registry.
- If you identify an attack, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- To mitigate some of the damage of ICMP Flood attacks, block ICMP traffic at perimeter network devices such as routers. Additionally, set a packet-per-second threshold for ICMP requests on perimeter routers. If the amount of inbound ICMP traffic exceeds this threshold, the excess traffic is ignored until the next second. Packet-per-second thresholds effectively keep your network from being overrun with ICMP traffic. Note that blocking all ICMP also drops the Destination Unreachable/Fragmentation Needed messages that Path MTU Discovery relies on, so prefer rate-limiting echo requests (type 8) over dropping every ICMP type.
  o Note: The above step does not stop a determined ICMP Flood. If there is enough inbound traffic to exhaust the bandwidth between the upstream network provider and the perimeter device filtering ICMP, legitimate traffic may be dropped, or delayed to the point of a DoS. If this is the case, it is necessary to contact the upstream network service provider to have ICMP activity dropped at their level before it reaches your network link.

ICMP Flood Variant Using Reflection: Smurf Attack

A Smurf attack is an alternate method of carrying out an ICMP Flood attack. In a Smurf attack, the attacker uses the target's IP address as their own, which is called spoofing, and then sends ICMP ping requests to the broadcast IP address of a public network on the Internet. The broadcast IP address of a network will send any traffic that it receives to all other IP addresses within its network. Therefore, when the ICMP ping request is received by the broadcast IP address, it is then forwarded on to all live computers on its network. Each of those computers thinks that these ping requests are coming from the target IP address and therefore sends its responses to the target rather than back to the attacker. The result of this is a large number of unsolicited ICMP ping replies being sent to the target of the DDoS, resulting in the consumption of available bandwidth. Smurf and Fraggle both depend on routers forwarding directed broadcasts into a network; since RFC 2644 that forwarding is disabled by default on most routers, so these attacks are far less effective than they once were, and confirming that your own border routers do not forward directed broadcasts keeps your network from being used as an amplifier.
HTTP GET Flood

An HTTP GET Flood occurs when an attacker, or attackers, generate a significant number of continuous HTTP GET requests for a target website in an attempt to consume enough resources to make the server unavailable for legitimate users. In this case, the attacking IP addresses never wait for a response from the target server, despite the server attempting to respond to all incoming requests. This results in connections being left open on the web server. A large enough number of incoming HTTP GET requests to the target web server eventually exhausts all available server resources and results in a successful DDoS attack.

- To identify an HTTP GET Flood, investigate network logs and look for a large amount of inbound traffic from a significant number of source IP addresses with a destination port of 80 and a protocol of TCP. The packet data should also begin with GET. We recommend using either tcpdump or Wireshark. For HTTPS on port 443 the request line is encrypted on the wire, so use the web server or load balancer access logs instead.
  o HTTP GET requests are normal and are not on their own indicative of malicious activity. Look for a large number of identical GET requests coming from a large number of sources over a short period. The same source IP addresses should re-send the same GET requests rapidly.
- If you identify an attack, leverage a DDoS mitigation service provider for the best results in mitigating this activity.
- It is difficult to set up proactive security measures to block against this attack, as legitimate traffic is used to carry it out. Often, rate based protections are not sufficient to block this attack, and the source IP addresses of the attack are part of a large botnet, so blocking every source IP is not efficient and may include legitimate users.
  o One solution that may help mitigate this type of attack is to use a Web Application Firewall (WAF). HTTP Floods often exhibit trends that a correctly configured WAF filters and blocks without blocking legitimate access to the web server.
HTTP GET Flood Variation: HTTP POST Flood

Another HTTP Flood incorporates the use of the HTTP POST request instead of GET. This attack works because it forces the web server to allocate more resources in response to each inbound request: a POST typically carries a body that the application must read and process (form handling, database writes), whereas a GET can often be served from cache. A large number of these requests could tie up enough server resources as to deny legitimate users access to the web server.
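The "to identify" guidance in the SYN, UDP, ICMP and HTTP GET Flood sections above all comes down to the same triage: bucket inbound packets per second and destination, count packets and distinct sources, and compare against a threshold. The following added example (not code from the MS-ISAC guide) does that over tcpdump -nn style lines with a single parser. The capture lines, the victim address 203.0.113.10 and the thresholds of 500 packets and 50 sources per second are constructed and would be tuned to your own baseline in practice; the HTTP check only sees cleartext port 80 traffic.

```python
"""Triage of tcpdump-style lines for the four Standard flood types in the guide.

Added example, not code from the MS-ISAC guide. Capture lines, addresses and
thresholds are constructed; thresholds must come from your own baseline.
"""
import re
from collections import Counter, defaultdict

TARGET = "203.0.113.10"                          # constructed victim address

# tcpdump -nn style line; the ".port" suffix is absent for ICMP.
LINE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")
FLAGS = re.compile(r"Flags \[([^\]]*)\]")
HTTP = re.compile(r"HTTP: (GET|POST) (\S+)")

# Per second and per destination. Start well above your baseline, then tune.
THRESHOLDS = {"packets": 500, "sources": 50}


def parse(line):
    """Return a dict with proto/flags/http/dport, or None for lines we do not model."""
    m = LINE.match(line)
    if not m:
        return None
    p = m.groupdict()
    rest = p["rest"]
    p["dport"] = int(p["dport"]) if p["dport"] else None
    p["flags"], p["http"] = None, None
    if rest.startswith("ICMP"):
        p["proto"] = "icmp"
    elif rest.startswith("UDP"):
        p["proto"] = "udp"
    elif rest.startswith("Flags"):
        p["proto"] = "tcp"
        p["flags"] = FLAGS.search(rest).group(1)
        h = HTTP.search(rest)
        p["http"] = (h.group(1), h.group(2)) if h else None
    else:
        return None
    return p


def classify(p):
    """Map a parsed packet to the flood signature it counts towards, if any."""
    if p["proto"] == "tcp" and p["flags"] == "S":          # bare SYN, no ACK bit
        return "SYN flood"
    if p["proto"] == "udp" and p["dport"] is not None and p["dport"] >= 1024:
        return "UDP flood (high ports)"
    if p["proto"] == "icmp":
        return "ICMP flood"
    if p["proto"] == "tcp" and p["http"] and p["http"][0] == "GET":
        return "HTTP GET flood " + p["http"][1]            # same URI repeated
    return None


def triage(lines, thresholds=THRESHOLDS):
    """Bucket by (second, destination, signature); report buckets over both thresholds."""
    buckets = defaultdict(list)                  # (sec, dst, kind) -> [src, ...]
    for line in lines:
        p = parse(line)
        kind = classify(p) if p else None
        if kind:
            buckets[(p["sec"], p["dst"], kind)].append(p["src"])
    findings = []
    for (sec, dst, kind), srcs in sorted(buckets.items()):
        distinct = len(set(srcs))
        if len(srcs) >= thresholds["packets"] and distinct >= thresholds["sources"]:
            findings.append({"second": sec, "dst": dst, "kind": kind,
                             "packets": len(srcs), "sources": distinct,
                             "top_sources": [s for s, _ in Counter(srcs).most_common(3)]})
    return findings


def constructed_capture():
    """A few benign packets, then one second each of SYN, GET, UDP and ICMP flood."""
    lines = [
        "10:00:00.000100 IP 192.0.2.7.40000 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0",
        "10:00:00.000200 IP 192.0.2.7.40000 > 203.0.113.10.80: Flags [.], ack 1, win 512, length 0",
        "10:00:00.000300 IP 192.0.2.7.40000 > 203.0.113.10.80: Flags [P.], seq 1:60, ack 1, "
        "win 512, length 59: HTTP: GET /index.html HTTP/1.1",
        "10:00:00.000400 IP 192.0.2.9.53000 > 203.0.113.10.53: UDP, length 45",
    ]
    for i in range(600):
        lines.append(f"10:00:01.{i:06d} IP 198.51.100.{i % 200 + 1}.{1024 + i} > {TARGET}.80: "
                     f"Flags [S], seq 0, win 1024, length 0")
        lines.append(f"10:00:02.{i:06d} IP 198.51.100.{i % 120 + 1}.{2000 + i} > {TARGET}.80: "
                     f"Flags [P.], seq 1:60, ack 1, win 512, length 59: HTTP: GET /?q=1 HTTP/1.1")
        lines.append(f"10:00:03.{i:06d} IP 198.51.100.{i % 90 + 1}.{3000 + i} > {TARGET}.{20000 + i}: "
                     f"UDP, length 1400")
        lines.append(f"10:00:04.{i:06d} IP 198.51.100.{i % 70 + 1} > {TARGET}: "
                     f"ICMP echo request, id 1, seq {i}, length 1400")
    return lines


if __name__ == "__main__":
    for finding in triage(constructed_capture()):
        print(finding)
```

The benign packets never trip a bucket (one SYN, one GET, one DNS query), while each flood second produces one finding whose top sources and packet counts are what you would hand to the upstream provider. Requiring both a packet-rate and a distinct-source threshold is what keeps a single busy legitimate client from being reported as a flood.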
REFLECTION DDoS ATTACK TYPES

NTP Reflection Attack with Amplification

A Network Time Protocol (NTP) reflection attack occurs when the attacker uses traffic from a legitimate NTP server to overwhelm the resources of the target. NTP is used to synchronize clocks on networked machines and runs over port 123/UDP. An obscure command, monlist, allows a requesting computer to receive information regarding the last 600 clients that connected to the NTP server. An attacker can spoof the target's IP address and send a monlist command to request that the NTP server send a large amount of information to the target. These responses typically have a fixed packet size that can be identified across a large number of replies. Since the response from the NTP server is much larger than the request sent from the attacker, the effect of the attack is amplified. When an attacker spoofs the target's IP address and then sends the monlist command to a large number of Internet-facing NTP servers, the amplified responses are sent back to the target. This eventually results in the consumption of all available bandwidth.

- To identify an NTP Reflection Attack with Amplification, investigate your network logs and look for inbound traffic with a source port of 123/UDP and a specific, repeated packet size.
- Once identified, try to leverage your upstream network service provider and provide them with the attacking IP addresses and the packet sizes used in the attack. Upstream providers have the ability to place a filter at their level that drops inbound NTP traffic of the specific packet size that you are experiencing.
- Along with remediating inbound attacks, take the following preventative measures to ensure that your NTP servers are not used to attack others.
  o If you are unsure whether or not your NTP server is vulnerable to being utilized in an attack, follow the instructions available at OpenNTP: hxxp://openntpproject.org/.
  o Upgrade NTP servers to a release that removes the monlist command entirely, or implement a version of NTP that does not utilize the monlist command, such as OpenNTPD.
  o If you are unable to upgrade your server, disable the monlist query feature by adding "disable monitor" to your ntp.conf file and restarting the NTP process. Adding noquery to the default restrict line ("restrict default ... noquery") also blocks monlist, together with all other mode 6 and mode 7 queries, from untrusted clients.
  o Implement firewall rules that restrict unauthorized traffic to the NTP server.
DNS Reflection Attack with Amplification

A Domain Name System (DNS) Reflection attack occurs when the attacker manipulates the DNS system to send an overwhelming amount of traffic to the target. DNS servers resolve domain names to IP addresses, allowing the average Internet user to type an easily remembered domain name into their Internet browser, rather than remembering the IP addresses of websites. A DNS Reflection attack occurs when an attacker spoofs the victim's IP address and sends DNS name lookup requests to public DNS servers. The DNS server then sends the response to the target server, and the size of the response depends on the options specified by the attacker in their name lookup request. To get the maximum amplification, the attacker can use the query type ANY in their request, which returns all known records for a name in response to a single request; choosing a name with many large records and advertising a large EDNS0 UDP buffer size increases the response size further. When an attacker spoofs a target's IP address and sends DNS lookup requests to a large number of public DNS servers, the amplified responses are sent back to the target and will eventually result in the consumption of all available bandwidth.

- To identify if a DNS Reflection Attack with Amplification is occurring, investigate network logs and look for inbound DNS query responses with no matching DNS query requests.
  o DNS queries are normal and are themselves not indicative of an attack.
- If you identify an attack, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- Along with remediating inbound attacks, disable DNS recursion, if possible, by following the guidelines provided by your DNS server vendor (BIND, Microsoft, etc.). In doing so, this ensures that your DNS servers are not used to attack others. Authoritative servers must keep answering, so for those enable Response Rate Limiting (RRL) where the server software supports it.
  o Instructions for disabling recursion can also be found at Team Cymru: cymru.org/services/resolvers/instructions.html.
  o To discover if any of your public DNS servers may be used to attack others, use the free test at openresolverproject.org.
WordPress Pingback Reflection Attack with Amplification

WordPress is a popular Content Management System (CMS) that is used to develop and maintain websites and blogs. A function of WordPress sites is called the pingback feature, which is used to notify other WordPress websites that you have put a link to their website on your site. Sites using WordPress automate this process, and maintain automated lists linking back to sites that link to them. These pingbacks are sent as Hypertext Transfer Protocol (HTTP) POST requests to the /xmlrpc.php page, which is used by WordPress to carry out the pingback process. By default, this feature downloads the entire web page that contains the link that triggered the pingback process, in order to verify that the link exists. An attacker can locate any number of WordPress websites and then send pingback requests to each of them with the URL of the target website, resulting in each of those WordPress websites sending requests to the target server requesting the download of the web page. A large number of requests to download the web page can eventually overload the target web server.

- To identify a WordPress Pingback Reflection attack with Amplification, investigate your network logs and look for a large amount of inbound TCP traffic over port 80 from a large number of sources. The traffic appears as HTTP GET requests carrying a random query string (for example ?<random>=<random>); this bypasses the cache and forces a full-page reload for every request. The reflected requests also carry a User-Agent of the form "WordPress/<version>; http://<reflecting site>; verifying pingback from <attacker-supplied address>", which identifies both the reflector and the attack in web server logs.
- If you identify an attack, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- At the time of this writing, there is no way to prevent this inbound traffic as on its own it is normal web traffic, although a WAF or web server rule matching the pingback User-Agent above can shed the requests before they reach the application. However, there is a way to ensure that your WordPress websites are not used to attack others. To do this, WordPress offers a tool that is available for download that disables the pingback feature of XML-RPC. Download the tool at the following link: hxxp://wordpress.org/plugins/disable-xml-rpc-pingback/.
  o Alternatively, you can create a plugin for the website that adds a filter on the xmlrpc_methods hook that removes the pingback.ping method, manually disabling the pingback function of XML-RPC. An example of this plugin can be found at hxxps://blog.cisecurity.org/wordpress-pingback-feature-being-used-in-ddos-attacks/
SSDP Reflection Attack with Amplification

The Simple Service Discovery Protocol (SSDP) is commonly used for the discovery of Universal Plug and Play (UPnP) devices. UPnP is a series of networking protocols that allows networking devices to discover and connect with one another, without user intervention. Once a device has been discovered via SSDP, Simple Object Access Protocol (SOAP) is used to deliver control messages to it. An SSDP reflection attack occurs when an attacker spoofs the victim's IP address and sends crafted SSDP discovery (M-SEARCH) requests to open UPnP devices on the Internet. These devices then send their responses to that victim IP address. Depending on how the attacker crafted the request, the response could be amplified by a factor of 30 from a single request.

According to OpenSSDPProject.org, there are over 80 million devices on the Internet that are vulnerable to UPnP and SSDP related exploits. When an attacker spoofs a victim's IP address and sends crafted requests over SSDP to a large number of public UPnP devices, the amplified responses are sent back to the victim, eventually resulting in the consumption of all available bandwidth.

- To identify if an SSDP Reflection Attack with Amplification is occurring, investigate network logs and look for inbound source port 1900/UDP (SSDP) traffic from a large number of source IP addresses.
- Once an attack is identified, try to leverage your upstream network service provider in order for them to mitigate the activity before it reaches your network.
- Along with remediating inbound attacks, take the following preventative measures to ensure that your UPnP devices are not used to attack others.
  o If you are unsure if any devices on your network could be employed in an attack, follow the instructions available at OpenSSDP to check: hxxp://openssdpproject.org/
  o It is also recommended to block port 1900/UDP in both directions at your border routers (UPnP discovery has no legitimate reason to cross the Internet edge), and to restrict UPnP to the internal network if it is required at all.
Microsoft SQL Reflection Attack with Amplification

Microsoft SQL Server (MS SQL) is a popular relational database management system. Database servers using MS SQL are sometimes left on external IP addresses so that they can be accessed remotely over the Internet. An MS SQL reflection attack occurs when an attacker spoofs the target's IP address and then sends crafted requests to public-facing MS SQL servers using the MS SQL Server Resolution Protocol (MC-SQLR), which listens on port 1434/UDP. The request is tiny (a single-byte CLNT_UCAST_EX message, 0x02), while the response from the database server contains information about every database instance running on the server as well as how to connect to each one. Depending on the configuration of the database server, and the number of database instances on the server, the response to the client request could be amplified by a factor of 25 for a single request.

Attackers can send scripted MC-SQLR requests, spoofing the target's IP address, to a large number of public-facing MS SQL servers. The amplified responses are sent back to the target, possibly resulting in the consumption of all of the target's available bandwidth.

- To identify if an MS SQL Reflection Attack with Amplification is occurring, investigate network logs and look for inbound source port 1434/UDP (MC-SQLR) traffic from a large number of source IP addresses. In some instances, it may be possible to identify a particular payload signature.
- If you identify an attack, try to leverage your upstream provider in order for them to mitigate the activity before it reaches your network.
- If possible, block inbound connections to port 1434/UDP or filter connections to allow only trusted IP addresses.
- Along with mitigating inbound attacks, take the following steps to prevent your MS SQL server from being used as a reflector in attacks against others:
  o Use ingress and egress filters on firewalls to block SQL Server ports. Port 1434/UDP should be open only if there is an identified need for the service. If the port is open, it is recommended that traffic be filtered to allow only trusted IP addresses.
  o SQL servers that have only one database instance running do not need to run MC-SQLR (the SQL Server Browser service). If you are running only one database instance, disable it.
  o As of Microsoft SQL Server 2008 the feature is disabled by default. However, earlier versions require administrators to disable this service manually. If you are running an older version of the software and there is not a need for MC-SQLR, disable it. If it is determined that MC-SQLR is needed, consider adding an additional layer of security, such as requiring authentication via SSH or VPN, in front of the service.
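The NTP, DNS, SSDP and MC-SQLR sections above each say to look for inbound traffic from a particular source port, from many distinct sources, and (for DNS) responses with no matching query. The following added example, which is not code from the MS-ISAC guide, applies all four checks to a CSV export of UDP flow records with one parser and also reports whether the packets share a single size, which is the filter key an upstream provider can act on. The record format, the flows, the target 203.0.113.10, the packet sizes (482 bytes for NTP and so on) and the minimum of 20 distinct reflectors are constructed assumptions to tune for your network.

```python
"""Reflection triage over UDP flow records for the NTP, DNS, SSDP and MC-SQLR
sections of the guide.

Added example, not code from the MS-ISAC guide. All flow records, addresses
and packet sizes are constructed; the 482-byte NTP size is illustrative.
"""
import csv
import io
from collections import defaultdict

REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 1434: "MC-SQLR"}
QUERY_WINDOW = 5          # seconds a DNS response may lag the query it answers


def load_flows(text):
    """Parse a CSV flow export: ts,dir,src,sport,dst,dport,proto,bytes (dir = in|out)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"], r["sport"], r["dport"], r["bytes"] = (
            float(r["ts"]), int(r["sport"]), int(r["dport"]), int(r["bytes"]))
        rows.append(r)
    return rows


def unmatched_dns_responses(rows):
    """Inbound source-port-53 packets with no outbound query from the same client
    port to the same server in the preceding QUERY_WINDOW seconds."""
    queries = defaultdict(list)       # (client, client_port, server) -> [ts, ...]
    for r in rows:
        if r["dir"] == "out" and r["proto"] == "udp" and r["dport"] == 53:
            queries[(r["src"], r["sport"], r["dst"])].append(r["ts"])
    orphans = []
    for r in rows:
        if r["dir"] == "in" and r["proto"] == "udp" and r["sport"] == 53:
            sent = queries.get((r["dst"], r["dport"], r["src"]), [])
            if not any(0 <= r["ts"] - t <= QUERY_WINDOW for t in sent):
                orphans.append(r)
    return orphans


def reflection_triage(rows, min_reflectors=20):
    """Group inbound UDP by reflector service; report services whose distinct
    source count reaches min_reflectors, with the packet size if it is uniform."""
    orphan_ids = {id(r) for r in unmatched_dns_responses(rows)}
    groups = defaultdict(list)
    for r in rows:
        if r["dir"] != "in" or r["proto"] != "udp":
            continue
        service = REFLECTOR_PORTS.get(r["sport"])
        if service is None:
            continue
        if service == "DNS" and id(r) not in orphan_ids:
            continue                              # a real answer to our own query
        groups[service].append(r)
    findings = {}
    for service, pkts in groups.items():
        reflectors = {p["src"] for p in pkts}
        if len(reflectors) < min_reflectors:
            continue
        sizes = {p["bytes"] for p in pkts}
        findings[service] = {
            "reflectors": len(reflectors),
            "packets": len(pkts),
            "bytes": sum(p["bytes"] for p in pkts),
            # One repeated size is what an upstream provider can filter on.
            "fixed_size": sizes.pop() if len(sizes) == 1 else None,
        }
    return findings


def constructed_flows():
    """One legitimate DNS exchange, then four reflection bursts at 203.0.113.10."""
    lines = ["ts,dir,src,sport,dst,dport,proto,bytes",
             "0.0,out,203.0.113.10,50123,198.51.100.53,53,udp,60",
             "0.2,in,198.51.100.53,53,203.0.113.10,50123,udp,120"]
    for i in range(300):
        lines.append(f"1.{i:03d},in,192.0.2.{i % 150 + 1},123,203.0.113.10,{40000 + i},udp,482")
        lines.append(f"2.{i:03d},in,198.18.{i % 100}.1,53,203.0.113.10,{41000 + i},udp,3000")
        lines.append(f"3.{i:03d},in,198.19.{i % 80}.1,1900,203.0.113.10,{42000 + i},udp,310")
        lines.append(f"4.{i:03d},in,100.64.{i % 40}.1,1434,203.0.113.10,{43000 + i},udp,1500")
    return "\n".join(lines)


if __name__ == "__main__":
    for service, finding in reflection_triage(load_flows(constructed_flows())).items():
        print(service, finding)
```

The legitimate DNS answer is paired with its query and ignored, the 300 unsolicited responses from 100 resolvers are not, and the NTP burst is reported with its single 482-byte size, which is the detail the NTP section says to pass upstream. Pairing queries by client port and server rather than by address alone is what keeps responses to your own resolver's outbound queries from being misreported.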
GENERAL RECOMMENDATIONS AND MITIGATION STRATEGIES

The recommendations for DDoS attacks vary depending on what type of attack you are experiencing. However, the following generic recommendations are guidelines for DDoS mitigation, which reduce the impact of attempted DDoS attacks, and enable you to respond to successful DDoS attacks more quickly when they do occur.

- Establish and maintain effective partnerships with your upstream network service provider and know what assistance they may be able to provide you in the event of a DDoS attack. In the case of a DDoS attack, the faster a provider can implement traffic blocks and mitigation strategies at their level, the sooner your services will become available for legitimate users. Consider also establishing relationships with companies who offer DDoS mitigation services.
- If you are experiencing a DDoS attack, provide the attacking IP addresses to your upstream network service provider so they can implement restrictions at their level. Keep in mind that Reflection DDoS attacks typically originate from legitimate public servers, and that the source addresses of a Standard flood may be spoofed. It is important to ascertain to whom an IP belongs when examining network logs during an attack. Use tools such as the American Registry for Internet Numbers (ARIN) whois lookup to research the source IPs involved in the attack. Otherwise, you may block traffic from legitimate networks or servers.
- Enable firewall logging of accepted and denied traffic to determine where the DDoS may be originating.
- Define strict TCP keepalive and maximum connection rules on all perimeter devices, such as firewalls and proxy servers. This recommendation assists with keeping SYN Flood attacks from being successful.
- Consider port and packet size filtering by the upstream network service provider.
- Establish and regularly validate baseline traffic patterns (volume and type) for public-facing websites.
- Apply all vendor patches after appropriate testing.
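Two of the recommendations above, baseline traffic patterns and firewall logging of accepted and denied traffic, combine into one check, shown here as an added example that is not part of the MS-ISAC guide: learn a per-minute packet baseline from quiet minutes, flag minutes that exceed the mean by more than three standard deviations, and classify the top sources of a flagged minute against the reserved ranges an ingress filter should already drop (0/8, RFC 1918, loopback, link-local, multicast), since a source inside those ranges is spoofed by definition and not worth sending to an upstream provider. The log format, the addresses, the threshold factor and the quiet-minute window are constructed assumptions.

```python
"""Baseline-and-deviation check over firewall logs, with source classification.

Added example, not code from the MS-ISAC guide. The syslog-like format, the
addresses and the thresholds are constructed for illustration.
"""
import ipaddress
import re
import statistics
from collections import Counter, defaultdict

# Ranges that must never appear as an inbound source on an Internet edge
# (RFC 1918 private space, loopback, link-local, multicast and 0/8).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed format: "<HH:MM:SS> <ACCEPT|DENY> <proto> <src> -> <dst>"
LOG = re.compile(r"^(?P<hm>\d\d:\d\d):\d\d (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
                 r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")


def is_bogon(addr):
    """True if addr lies in a range that cannot be a legitimate Internet source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def per_minute(lines):
    """Count logged packets per minute and remember the sources seen in each."""
    counts, sources = Counter(), defaultdict(Counter)
    for line in lines:
        m = LOG.match(line)
        if m:
            counts[m["hm"]] += 1
            sources[m["hm"]][m["src"]] += 1
    return counts, sources


def find_anomalies(lines, baseline_minutes, k=3.0):
    """Minutes whose packet count exceeds mean + k*stdev of the baseline minutes,
    with the top sources labelled as spoofed bogons or as worth a whois lookup."""
    counts, sources = per_minute(lines)
    base = [counts[m] for m in baseline_minutes]
    mean, sd = statistics.mean(base), statistics.pstdev(base)
    threshold = mean + k * max(sd, 1.0)            # floor so a flat baseline still works
    findings = []
    for minute in sorted(counts):
        if minute in baseline_minutes or counts[minute] <= threshold:
            continue
        findings.append({
            "minute": minute, "packets": counts[minute], "threshold": round(threshold, 1),
            "distinct_sources": len(sources[minute]),
            "top_sources": [(s, n, "spoofed/bogon" if is_bogon(s) else "look up (whois)")
                            for s, n in sources[minute].most_common(3)],
        })
    return findings


def constructed_log():
    """Five quiet minutes of 40-48 packets, then a minute with 2000 packets from
    204 distinct sources, 12 of them inside 10.0.0.0/8 (i.e. spoofed)."""
    lines = []
    for minute in range(5):
        for i in range(40 + minute * 2):
            lines.append(f"09:0{minute}:{i % 60:02d} ACCEPT tcp 192.0.2.{i % 20 + 1} -> 203.0.113.10")
    for i in range(2000):
        src = f"10.0.{i % 60}.1" if i % 5 == 0 else f"198.51.100.{i % 240 + 1}"
        lines.append(f"09:05:{i % 60:02d} DENY udp {src} -> 203.0.113.10")
    return lines


BASELINE = ["09:00", "09:01", "09:02", "09:03", "09:04"]

if __name__ == "__main__":
    for finding in find_anomalies(constructed_log(), BASELINE):
        print(finding)
```

On the constructed log the baseline is 44 packets per minute with a threshold near 52, so the 2000-packet minute is flagged, and its three most active sources all fall inside 10.0.0.0/8: the right response is to confirm the ingress filter is in place rather than to report those addresses upstream. In production the baseline would be learned from days of logs per protocol and per destination, not from five minutes.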
- Configure firewalls to block, as a minimum, inbound traffic sourced from IP addresses that are reserved (0/8), loopback (127/8), private (RFC 1918 blocks 10/8, 172.16/12, and /16), unassigned DHCP clients ( /16), multicast ( /4) and otherwise listed in RFC 5735. This configuration should be requested at the ISP level as well.
- Tune public-facing server processes to allow the minimum amount of processes or connections necessary to effectively conduct business.
- Configure firewalls and intrusion detection/prevention devices to alarm on traffic anomalies.
- Configure firewalls only to accept traffic detailed in your organization's security policy as required for business purposes.
- Consider setting up Out-of-Band access, Internet and telephony, to an incident management room to ensure connection in the event of a DDoS attack that disrupts normal connectivity.

About the Multi-State Information Sharing and Analysis Center (MS-ISAC):

The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal, and territorial (SLTT) governments. The MS-ISAC 24x7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation and incident response. For more information please visit http://msisac.cisecurity.org/
More informationERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016
Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds
More informationAttack Prevention Technology White Paper
Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes
More informationVERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 3 3RD QUARTER 2017 Complimentary report supplied by CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017 4 DDoS
More informationWEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING
WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING A STRONG PARTNER COMPANY Link11 - longstanding security experience Link11 is a European IT security provider, headquartered in Frankfurt, Germany
More informationA Software Tool for Network Intrusion Detection
A Software Tool for Network Intrusion Detection 4th Biennial Conference Presented by: Christiaan van der Walt Date:October 2012 Presentation Outline Need for intrusion detection systems Overview of attacks
More informationChapter 10: Denial-of-Services
Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different
More informationExit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz
Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks
More informationVERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 1 1ST QUARTER 2017 Complimentary report supplied by CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2017 4 DDoS
More informationPing of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods
Ping of death Land attack Teardrop Syn flood Smurf attack DOS Attack Methods Ping of Death A type of buffer overflow attack that exploits a design flaw in certain ICMP implementations where the assumption
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationDenial of Service and Distributed Denial of Service Attacks
Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial
More informationAre You Fully Prepared to Withstand DNS Attacks?
WHITE PAPER Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure Are You Fully Prepared to Withstand DNS Attacks? Fortifying Mission-Critical DNS Infrastructure
More informationComprehensive datacenter protection
Comprehensive datacenter protection There are several key drivers that are influencing the DDoS Protection market: DDoS attacks are increasing in frequency DDoS attacks are increasing in size DoS attack
More informationSecBlade Firewall Cards Attack Protection Configuration Example
SecBlade Firewall Cards Attack Protection Configuration Example Keywords: Attack protection, scanning, blacklist Abstract: This document describes the attack protection functions of the SecBlade firewall
More informationChair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and
More informationData Sheet. DPtech Anti-DDoS Series. Overview. Series
Data Sheet DPtech Anti-DDoS Series DPtech Anti-DDoS Series Overview DoS (Denial of Service) leverage various service requests to exhaust victims system resources, causing the victim to deny service to
More informationPrevent DoS using IP source address spoofing
Prevent DoS using IP source address spoofing MATSUZAKI maz Yoshinobu 06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 1 ip spoofing creation of IP packets with source addresses
More informationThreat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:
Threat Pragmatics 25-29 June 2018 PacNOG 22, Honiara, Solomon Islands Supported by: Issue Date: Revision: 1 Target Many sorts of targets: Network infrastructure Network services Application services User
More informationDDoS and Traceback 1
DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,
More informationMemcached amplification: lessons learned. Artyom Gavrichenkov
Memcached amplification: lessons learned Artyom Gavrichenkov 1.7 Typical amplification attack Most servers on the Internet send more data to a client than they receive UDP-based servers
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationLayer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers
Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationMemcached amplification: lessons learned. Artyom Gavrichenkov
Memcached amplification: lessons learned Artyom Gavrichenkov 1.7 Typical amplification attack Most servers on the Internet send more data to a client than they receive UDP-based servers
More informationConfiguring Flood Protection
Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall
More informationRadware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017
Radware DefensePro DDoS Mitigation Release Notes Software Version 8.13.01 Last Updated: December, 2017 2017 Cisco Radware. All rights reserved. This document is Cisco Public. Page 1 of 9 TABLE OF CONTENTS
More informationResources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can
Resources and Credits Denial of Service COMP620 Information on Denial of Service attacks can be found on Wikipedia. Graphics and some text in these slides was taken from the Wikipedia site The textbook
More informationTOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS
TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS 1 Introduction Your data and infrastructure are at the heart of your business. Your employees, business partners, and
More informationSam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF
Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF Who am I? Sam Pickles Senior Engineer for F5 Networks WAF Specialist and general security type Why am I here? We get to see the pointy end of a lot of
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationCheck Point DDoS Protector Simple and Easy Mitigation
Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an
More informationArbor Solution Brief Arbor Cloud for Enterprises
Arbor Solution Brief Arbor Cloud for Enterprises Integrated DDoS Protection from the Enterprise to the Cloud About Arbor Networks Arbor Networks Inc., the cyber security division of NETSCOUT, helps secure
More informationDDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
More information20-CS Cyber Defense Overview Fall, Network Basics
20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter
More informationDetecting Specific Threats
The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan
More informationNISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks
NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks Background This NISCC technical note is intended to provide information to enable organisations in the UK s Critical
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationUsing DNS Service for Amplification Attack
Using DNS Service for Amplification Attack Outline Use DNS service to achieve load balancing for a server cluster Carry out an amplification attack by taking advantage of DNS service Enforce firewall rules
More informationDDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July
DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version 1.01.01 17 July 2017... Text is available under the GNU Free Documentation
More informationDDoS: Coordinated Attacks Analysis
DDoS: Coordinated Attacks Analysis This article will cover some concepts about a well-known attack named DDoS (Distributed Denial-of-Service) with some lab demonstrations as a Proof of Concept with countermeasures.
More informationEnhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER
Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER Overview DDoS Evolution Typical Reactive/Proactive Mitigation Challenges and Obstacles BGP Flowspec Automated Flowspec Mitigation 2 DDoS Evolution
More informationDenial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu
Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information
More informationDoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors
DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team
More informationContents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks
Contents Denial-of-Service Attacks Flooding Attacks Distributed Denial-of Service Attacks Reflector Against Denial-of-Service Attacks Responding to a Denial-of-Service Attacks 2 Denial-of-Service Attacks
More informationBest Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies
Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies In order to establish a TCP connection, the TCP three-way handshake must be completed. You can use different accept policies
More informationDoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action
DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response
More informationRouting Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security
Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationAnti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 11 Date 2018-05-28 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
More informationRussian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall
Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall 1 U.S. and U.K. authorities last week alerted the public to an on-going effort to exploit network infrastructure devices including
More information(Distributed) Denial-of-Service. in theory and in practice
(Distributed) Denial-of-Service in theory and in practice About SURFnet National Research and Education Network (NREN) Founded in 1986, incorporated 1988 > 11000km dark-fibre network Shared ICT innovation
More informationTESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND
TEST REPORT TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND Ixia BreakingPoint DDoS Defense Test Methodology Report TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 WHAT IS A DDOS ATTACK... 5 DDOS
More informationUDP-based Amplification Attacks and its Mitigations
UDP-based Amplification Attacks and its Mitigations Yoshiaki Kasahara kasahara@nc.kyushu-u.ac.jp 1/21/2014 APAN 37th in Bandung, Indonesia 1 Summary If you have servers with global IP addresses 1. Make
More informationFundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
More informationInternet Security: Firewall
Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationWar Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy
War Stories from the Cloud: Rise of the Machines Matt Mosher Director Security Sales Strategy The Akamai Intelligent Platform The Platform 175,000+ Servers 2,300+ Locations 750+ Cities 92 Countries 1,227+
More informationVERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 5, ISSUE 1 1ST QUARTER 2018 Complimentary report supplied by CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2018 4 DDoS
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
More informationTowards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks
Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks N S ABOUZAKHAR, A GANI, E SANCHEZ, G MANSON The Centre for Mobile Communications
More informationMcAfee Network Security Platform
Revision B McAfee Network Security Platform (8.1.7.5-8.1.3.43 M-series Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationAn Analysis of DrDoS SYN Reflection Attacks
A Prolexic White Paper An Analysis of DrDoS SYN Reflection Attacks Part III of the DrDoS White Paper Series The SYN reflection attack methodology, a type of Distributed Denial of Service (DDoS) attack
More informationELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
More informationIntroduction to DDoS Attacks
Introduction to DDoS Attacks Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter 2015 MCNC General Use v1.0 DDoS in the News July 2015 2015 MCNC General Use v1.0 DDoS
More informationDDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ
DDoS attack patterns across the APJ cloud market Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ www.cloudsec.com/tw DDoS attacks from Q1 2014 to Q1 2016 Each dot represents an individual
More informationConfiguring IP Services
This module describes how to configure optional IP services. For a complete description of the IP services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference. To
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationCheck Point DDoS Protector Introduction
Check Point DDoS Protector Introduction Petr Kadrmas SE Eastern Europe pkadrmas@checkpoint.com Agenda 1 (D)DoS Trends 2 3 4 DDoS Protector Overview Protections in Details Summary 2 (D)DoS Attack Methods
More informationGlobal Information Assurance Certification Paper
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without
More informationDenial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu
Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information
More informationDenial of Service, Traceback and Anonymity
Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network
More informationTDC DoS Protection Service Description and Special Terms
TDC DoS Protection Service Description and Special Terms Table of contents 1 Purpose of this Product-Specific Appendix... 3 2 Service description... 3 2.1 Attack detection... 3 2.1.1 Managed Objects...
More informationSIMPLE SERVICE DISCOVERY PROTOCOL BASED DISTRIBUTED REFLECTIVE DENIAL OF SERVICE ATTACK
SIMPLE SERVICE DISCOVERY PROTOCOL BASED DISTRIBUTED REFLECTIVE DENIAL OF SERVICE ATTACK Gursewak Singh 1, Bohar Singh 2 1 Computer Science and Application, Govt College Sri Muktsar sahib 2 Computer Science
More informationTCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems
TCP Overview Revisited TCP modern loss recovery 15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls TCP options TCP interactions TCP modeling Workload changes TCP
More informationBIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?
BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja? Tarmo Mamers Heigo Mansberg Network Firewall Imagery stackexchange.com Network Firewall Functions Network Firewall Traffic OUTSIDE INSIDE INBOUND
More informationCorrigendum 3. Tender Number: 10/ dated
(A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial
More informationIntegrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution
Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution (Layer 3/4 and Layer 7) Delivering best-in-class network and web application security to the modern enterprise
More informationW is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation
W is a Firewall firewall = wall to protect against fire propagation Internet Security: Firewall More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits
More informationDDoS Beasts and How to Fight Them. Artyom Gavrichenkov
DDoS Beasts and How to Fight Them Artyom Gavrichenkov Timeline of ancient history First attacks: 1999-2000 2005: STRIDE model by Microsoft Spoofing Identity Tampering with Data Repudiation
More information