Denial of Service (DoS)

Denial of Service (DoS)
Comp Sci 3600 Security

Outline

Denial-of-Service (DoS) Attack
- The NIST Computer Security Incident Handling Guide defines a DoS attack as: "An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space."
- The scale of such attacks has continued to rise over recent years, by 2016 exceeding a terabit per second!
- A common attack, which is often easy to execute and hard to fully prevent
- DoS extortion: cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid

Categories of resources that could be attacked
- Network bandwidth
  - Dependent on the capacity of the network links connecting a server to the Internet; for most organizations this is their connection to their Internet Service Provider (ISP)
  - Attack traffic overwhelms any legitimate traffic, denying legitimate users access to the server
- System resources
  - Aims to overload or crash the network handling software
  - Includes temporary buffers used to hold arriving packets, tables of open connections, etc.
- Application resources
  - Typically involves a number of valid requests which intentionally consume significant resources (e.g., database queries), thus limiting the ability of the server to respond to requests from other users

Varieties of end users as both attackers and victims
[Figure 7.1, example network to illustrate the attacks: broadband users and subscribers attached to Internet service provider (ISP) A and ISP B, an Internet router, a large company LAN with a web server, and a medium-size company LAN with a web server and LAN PCs and workstations]


Classic flooding attacks
- Aim of this attack is to overwhelm the capacity of the network connection to the target organization
- Traffic can be handled by higher-capacity links on the path, but packets are discarded as capacity decreases
- Example using the ping command: use the large company's web server to target the medium-sized company, which has a lower-capacity network connection, with a flooding ping command directed at the web server in the target company
- The source of the attack is clearly identified unless a spoofed address is used, enabling the sender to be DoS'ed back, the sender's identity to be known, and the attack to be more easily halted

Source address spoofing
- Use forged source addresses, usually via the raw socket interface on operating systems
- Makes attacking systems harder to identify
- Attacker generates large volumes of packets that have the target system as the destination address, but use randomly selected, usually different, source addresses
- Echo response packets generated in response to those packets reaching the target system are no longer reflected back to the source system, but are scattered across the Internet to all the various forged source addresses, as backscatter traffic
- To study this, one can advertise routes to unused IP addresses and monitor the attack traffic that arrives there
- Finding the attacker requires network engineers to specifically query flow log information from their routers
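The backscatter monitoring idea from the slide, as an added example that is not part of the original slides: a prefix with no real hosts is advertised, and every unsolicited reply that lands there (SYN-ACKs, resets, echo replies) is grouped by its source, which is the host being flooded with spoofed packets. The prefix, the packet records and the thresholds are all constructed for the example; the rate estimate assumes the attacker spread its forged source addresses uniformly over the IPv4 space, so the monitored /24 saw only 1/2^24 of the victim's replies.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Prefix that is advertised but has no real hosts (a "network telescope"). The
# documentation range 203.0.113.0/24 stands in for it; everything below is
# constructed sample data, not a capture from any real network.
TELESCOPE = ip_network("203.0.113.0/24")

# Packets seen at the telescope: (seconds, src, dst, proto, tcp flags or icmp type)
SAMPLE_PACKETS = [
    (0.0, "198.51.100.10", "203.0.113.5",   "tcp", "SA"),
    (0.2, "198.51.100.10", "203.0.113.9",   "tcp", "SA"),
    (0.5, "198.51.100.10", "203.0.113.5",   "tcp", "SA"),   # SYN-ACK retransmission
    (0.8, "198.51.100.10", "203.0.113.44",  "tcp", "SA"),
    (1.1, "198.51.100.10", "203.0.113.201", "tcp", "SA"),
    (1.4, "198.51.100.10", "203.0.113.9",   "tcp", "SA"),
    (1.7, "198.51.100.10", "203.0.113.130", "tcp", "SA"),
    (2.0, "198.51.100.10", "203.0.113.44",  "tcp", "SA"),
    (1.5, "198.51.100.10", "10.0.0.1",      "tcp", "SA"),   # not addressed to the telescope
    (0.3, "198.51.100.20", "203.0.113.7",   "tcp", "RA"),   # two resets: too few to call
    (0.9, "198.51.100.20", "203.0.113.7",   "tcp", "RA"),
    (0.4, "192.0.2.77",    "203.0.113.1",   "tcp", "S"),    # a scanner sweeping the dark space
    (0.6, "192.0.2.77",    "203.0.113.2",   "tcp", "S"),
    (0.7, "192.0.2.77",    "203.0.113.3",   "tcp", "S"),
    (0.8, "192.0.2.77",    "203.0.113.4",   "tcp", "S"),
    (0.9, "192.0.2.77",    "203.0.113.5",   "tcp", "S"),
    (1.0, "192.0.2.77",    "203.0.113.6",   "tcp", "S"),
]

# Only replies count as backscatter: a victim answers spoofed packets with
# these, whereas SYNs or echo requests are somebody probing the dark space.
BACKSCATTER_KINDS = {
    ("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"),
    ("icmp", "echo-reply"), ("icmp", "dest-unreachable"),
}


def find_backscatter_victims(packets, telescope=TELESCOPE, min_packets=5, min_spread=3):
    """Group unsolicited replies by their source; each source is a suspected flood victim.

    Returns {victim_ip: {"packets", "spread", "kinds", "observed_rate", "estimated_rate"}}.
    The estimate assumes the attacker picked source addresses uniformly at random,
    so the telescope saw only the fraction of replies aimed at its own prefix.
    """
    seen = defaultdict(lambda: {"packets": 0, "dsts": set(), "kinds": set(), "times": []})
    for t, src, dst, proto, kind in packets:
        if ip_address(dst) not in telescope:
            continue
        if (proto, kind) not in BACKSCATTER_KINDS:
            continue
        rec = seen[src]
        rec["packets"] += 1
        rec["dsts"].add(dst)
        rec["kinds"].add(kind)
        rec["times"].append(t)

    scale = (2 ** 32) / telescope.num_addresses   # inverse of the fraction of IPv4 space we watch
    victims = {}
    for src, rec in seen.items():
        spread = len(rec["dsts"])
        if rec["packets"] < min_packets or spread < min_spread:
            continue  # a handful of stray resets is not evidence of a flood
        duration = max(max(rec["times"]) - min(rec["times"]), 1.0)  # floor of 1 s keeps rates finite
        observed = rec["packets"] / duration
        victims[src] = {
            "packets": rec["packets"],
            "spread": spread,
            "kinds": sorted(rec["kinds"]),
            "observed_rate": observed,
            "estimated_rate": observed * scale,
        }
    return victims


if __name__ == "__main__":
    for ip, info in find_backscatter_victims(SAMPLE_PACKETS).items():
        print(f"{ip}: {info['packets']} replies to {info['spread']} dark addresses, "
              f"~{info['estimated_rate']:.0f} attack packets/s answered by the victim")
```

The spread check (replies to several distinct dark addresses) is what separates backscatter from a single misconfigured host; the scanner sending plain SYNs never enters the tally because SYNs are requests, not replies.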

TCP 3-way handshake: SYN, SYN-ACK, ACK
1. Client sends SYN (seq = x); server receives SYN (seq = x)
2. Server sends SYN-ACK (seq = y, ack = x+1); client receives SYN-ACK (seq = y, ack = x+1)
3. Client sends ACK (ack = y+1); server receives ACK (ack = y+1)

SYN spoofing attack
- Reminder: TCP is connection oriented, and the server keeps a table of all connections
- Common DoS attack
- Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
- Legitimate users are denied access to the server
- Classified as an attack on system resources, specifically the network handling code in the operating system
- Attacker generates a number of SYN connection request packets with forged source addresses
- Works better (for the attacker) if the spoofed source addresses do not correspond to real IP addresses, since a real computer might respond with a RST (reset) packet to cancel this unknown connection request

SYN spoofing attack
1. Attacker sends SYN with spoofed source address (seq = x) to the server
2. Server sends SYN-ACK (seq = y, ack = x+1) toward the spoofed client and resends the SYN-ACK after timeouts; the SYN-ACKs to the non-existent client are discarded
3. Server eventually assumes a failed connection request

SYN spoofing versus classic flooding
- The actual volume of SYN traffic can be comparatively low, nowhere near the maximum capacity of the link to the server
- It simply has to be high enough to keep the known-connections table filled
- Unlike the flooding attack, this means the attacker does not need access to a high-volume network connection
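To see why the SYN rate can stay low, here is an added model of the server's half-open connection table (not code from the slides or from any real TCP stack): entries time out after a fixed SYN-RECEIVED interval, new SYNs are refused while the table is full, and the simulation feeds SYNs from sources that never reply. The capacity, timeout and rates are constructed; the point they show is that the rate needed to keep the table full is capacity divided by timeout, a few packets per second for a small table and a 30-second timeout.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Model of a server's SYN-RECEIVED (half-open) connection table.

    Each entry is keyed by the client's (address, port) and remembers when its
    SYN arrived. An entry leaves the table when the handshake completes or when
    the SYN-RECEIVED timeout expires. A new SYN is refused while the table is
    full, which is the state a SYN spoofing attacker wants to sustain.
    Constructed illustration; real stacks add retransmission and backoff details.
    """

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = OrderedDict()   # (addr, port) -> arrival time, oldest first
        self.refused = 0
        self.completed = 0
        self.expired = 0

    def expire(self, now):
        # Entries are inserted in arrival order, so the stale ones sit at the front.
        while self.entries:
            _, arrived = next(iter(self.entries.items()))
            if now - arrived < self.timeout:
                break
            self.entries.popitem(last=False)
            self.expired += 1

    def syn(self, now, client):
        """Handle an arriving SYN; return True if a half-open entry exists for it."""
        self.expire(now)
        if client in self.entries:
            return True                 # retransmitted SYN, nothing new to allocate
        if len(self.entries) >= self.capacity:
            self.refused += 1           # table full: legitimate clients get no SYN-ACK
            return False
        self.entries[client] = now
        return True

    def ack(self, now, client):
        """Handle the final ACK; return True if it completed a pending handshake."""
        self.expire(now)
        if client in self.entries:
            del self.entries[client]
            self.completed += 1
            return True
        return False                    # nothing pending: expired, never existed, or spoofed


def min_syn_rate_to_fill(capacity, timeout):
    """SYNs per second that keep the table permanently full when no ACK ever comes back."""
    return capacity / timeout


def simulate_spoofed_syns(capacity, timeout, rate, duration):
    """Feed SYNs from distinct, never-answering sources; return (refused, final_occupancy)."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(int(rate * duration)):
        table.syn(i / rate, (f"spoofed-{i}", 40000 + i))
    return table.refused, len(table.entries)


if __name__ == "__main__":
    cap, tmo = 64, 30.0
    print(f"{min_syn_rate_to_fill(cap, tmo):.2f} SYN/s keeps a {cap}-entry table full at a {tmo:.0f} s timeout")
    for rate in (1.0, 4.0):
        refused, occupancy = simulate_spoofed_syns(cap, tmo, rate, 60.0)
        print(f"{rate:.0f} SYN/s for 60 s: {refused} refused, {occupancy} still half-open")
```

With the constructed 64-entry table and 30 s timeout, 1 SYN/s never fills the table (occupancy settles at 30), while 4 SYN/s refuses every new connection for most of the minute; a monitor that tracks refused SYNs or the ratio of completed to received handshakes sees this long before link utilization changes.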

Flooding attacks
- Classified based on the network protocol used
- Intent is to overload the network capacity on some link to a server
- Virtually any type of network packet can be used

Flooding attacks: ICMP flood
- E.g., ping flood using ICMP echo request packets
- Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool
- More recently, administrators block echo request packets at their firewalls, so attackers use other ICMP packet types that are needed for the correct operation of TCP/IP
- Filtering some of these critical packet types would degrade or break normal TCP/IP network behavior; ICMP destination unreachable and time exceeded packets are examples of such critical packet types
- Further, because these packets include part of some notional erroneous packet that supposedly caused the error being reported, they can be made comparatively large, increasing their effectiveness in flooding the link
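The practical middle ground between "allow all ICMP" and "break path MTU discovery and traceroute" is to drop the types nothing depends on and rate-limit the ones TCP/IP needs. The following is an added example, not code from the slides or from any firewall product: a per-type token-bucket policy applied to a constructed burst of ICMP packets. The policy, rates and sample traffic are all made up for the illustration.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens per second accrue up to `burst`; one token per packet."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Constructed policy for ICMP arriving from the Internet. Echo requests are not
# needed for the network to function, so they are dropped outright; the error
# types TCP/IP depends on (destination unreachable, time exceeded) are kept,
# but capped so a flood of them cannot fill the link.
ICMP_POLICY = {
    "echo-request":            ("drop", None),
    "echo-reply":              ("limit", (8.0, 20)),
    "destination-unreachable": ("limit", (8.0, 20)),
    "time-exceeded":           ("limit", (8.0, 20)),
}


def filter_icmp(packets, policy=ICMP_POLICY):
    """Apply the policy to (time, icmp_type) packets; return per-type forward/drop counts."""
    buckets = {}
    counts = {}
    for now, icmp_type in packets:
        action, params = policy.get(icmp_type, ("drop", None))   # unknown types: drop
        if action == "limit":
            bucket = buckets.get(icmp_type)
            if bucket is None:
                bucket = buckets[icmp_type] = TokenBucket(*params)
            verdict = "forward" if bucket.allow(now) else "drop"
        else:
            verdict = "drop"
        per_type = counts.setdefault(icmp_type, {"forward": 0, "drop": 0})
        per_type[verdict] += 1
    return counts


def sample_traffic():
    """Constructed burst: 200 destination-unreachable and 50 echo requests at 16 pkt/s,
    plus a few genuine time-exceeded messages such as a traceroute would produce."""
    pkts = [(i / 16, "destination-unreachable") for i in range(200)]
    pkts += [(i / 16, "echo-request") for i in range(50)]
    pkts += [(i * 1.0, "time-exceeded") for i in range(5)]
    return pkts


if __name__ == "__main__":
    for icmp_type, c in filter_icmp(sample_traffic()).items():
        print(f"{icmp_type:24s} forwarded {c['forward']:4d}  dropped {c['drop']:4d}")
```

The burst of 200 destination-unreachable messages at 16 per second gets the 20-packet burst allowance plus the sustained 8 per second, so 119 are forwarded and the rest dropped; the five real time-exceeded messages all pass, which is the behavior a plain "block ICMP" rule would have broken.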

Flooding attacks: UDP flood
- For example, some servers and routers have diagnostic echo services running
- Uses UDP packets directed to some port number on the target system
- Spoofed source addresses are normally used if the attack is generated using a single source system, for the same reasons as with the ICMP flood
- If multiple systems are used for the attack, often the real addresses of the compromised (zombie) systems are used
- When multiple systems are used, the consequences of both the reflected flow of packets and the ability to identify the attacker are reduced

Flooding attacks: TCP SYN flood
- Sends TCP SYN packets to the target system
- Effect similar to the SYN spoofing attack, but it is the total volume of packets that is the aim of the attack rather than the system code
- Check out the Python code!

Single versus multiple attackers
- All of these flooding attack variants are limited in the total volume of traffic that can be generated if just a single system is used to launch the attack, which is also easy to trace
- By using multiple systems, the attacker can scale up the volume of attack traffic
- By directing the attack through intermediaries, the attacker is further distanced from the target and significantly harder to locate and identify
- Indirect attack types that utilize multiple systems include: distributed denial-of-service, reflector, and amplifier attacks

Distributed Denial of Service (DDoS)
- Use of multiple systems to generate attack traffic
- Attacker uses a flaw in the operating system or in a common application to gain access to a system and installs their program on it (a zombie)
- Large collections of such systems under one attacker's control can be created, forming a botnet

Attacker can use handlers for efficiency and stealth
[Figure 7.4 Attack Architecture: the attacker controls handler zombies, which in turn control agent zombies that send the traffic to the target]

Application-based bandwidth attack
- An application layer attack is done mainly for specific targeted purposes, including disrupting transactions and access to databases
- It requires fewer resources and often accompanies a network layer attack
- For example, large or costly database queries could keep a server busy

DoS on a SIP server
[Figure, SIP INVITE flow: (1) user agent alice on LAN 1 sends INVITE sip:bob@biloxi.com, From: sip:alice@atlanta.com, to her proxy server; (2) the proxy issues a DNS query for biloxi.com; (3) the DNS server returns the IP address of bob's proxy server; (4) the INVITE is forwarded across the Internet to bob's proxy server; (5) bob's proxy delivers the INVITE to user agent bob on a wireless network]

Hypertext Transfer Protocol (HTTP) attacks: HTTP flood
- Bombards web servers with HTTP requests
- Consumes considerable resources
- Spidering: bots starting from a given link and following all links on the provided web site recursively

Hypertext Transfer Protocol (HTTP) attacks: incomplete requests
- The HTTP specs state that a blank line indicates the end of the request headers and the beginning of the payload, if any; once the entire request is received, the web server may then respond by sending the object
- The attack sends an incomplete request that does not include the terminating newline sequence, then sends additional header lines to keep the connection alive, but never sends the terminating newline sequence
- The web server keeps the connection open, expecting more information to complete the request
- Eventually consumes the web server's connection capacity
- Utilizes legitimate HTTP traffic, not malformed or buggy requests
- Existing intrusion detection and prevention solutions that rely on signatures will generally not recognize it
- Can you easily program a bot to perform this attack?
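Because the request bytes are well-formed, the server-side defense against this attack (widely known as Slowloris, a name the slide does not use) is a deadline rather than a signature. The following is an added example, not code from the slides or from any web server: a guard that tracks each connection's partial request head, closes any connection that has not delivered the blank line within a fixed time from its first byte, and caps concurrent incomplete requests per source address. The class, its parameters and the two-client timeline are constructed for the illustration.

```python
HEAD_END = b"\r\n\r\n"   # blank line that ends the request headers


class RequestHeadGuard:
    """Bound how long a connection may take to deliver a complete request head.

    The deadline runs from the first byte of the request, not from the last byte
    received: an attacker who trickles one header line at a time resets any
    idle timer, but cannot stretch a deadline that is fixed at the start. A cap
    on concurrent incomplete requests per source address limits one host's
    share of the connection pool. Constructed illustration, not any server's code.
    """

    def __init__(self, head_timeout=20.0, max_head_bytes=8192, max_pending_per_src=10):
        self.head_timeout = head_timeout
        self.max_head_bytes = max_head_bytes
        self.max_pending_per_src = max_pending_per_src
        self.pending = {}   # conn_id -> {"src", "start", "buf"}
        self.closed = {}    # conn_id -> reason

    def open(self, conn_id, src, now):
        """Register a new connection; refuse it if the source already has too many unfinished heads."""
        pending_from_src = sum(1 for p in self.pending.values() if p["src"] == src)
        if pending_from_src >= self.max_pending_per_src:
            self.closed[conn_id] = "too many incomplete requests from source"
            return False
        self.pending[conn_id] = {"src": src, "start": now, "buf": bytearray()}
        return True

    def feed(self, conn_id, data, now):
        """Append received bytes; return 'complete', 'partial' or 'closed'."""
        p = self.pending.get(conn_id)
        if p is None:
            return "closed"
        if now - p["start"] >= self.head_timeout:
            self._close(conn_id, "request head not completed in time")
            return "closed"
        p["buf"] += data
        if len(p["buf"]) > self.max_head_bytes:
            self._close(conn_id, "request head too large")
            return "closed"
        if HEAD_END in p["buf"]:
            del self.pending[conn_id]   # hand the complete head to the parser
            return "complete"
        return "partial"

    def sweep(self, now):
        """Periodic timer: close every connection whose deadline has passed; return their ids."""
        late = [cid for cid, p in self.pending.items() if now - p["start"] >= self.head_timeout]
        for cid in late:
            self._close(cid, "request head not completed in time")
        return late

    def _close(self, conn_id, reason):
        self.pending.pop(conn_id, None)
        self.closed[conn_id] = reason


def run_scenario():
    """Constructed timeline: one normal client, one that never sends the blank line."""
    guard = RequestHeadGuard(head_timeout=20.0)
    guard.open("c1", "192.0.2.10", 0.0)
    guard.feed("c1", b"GET / HTTP/1.1\r\nHost: example.test\r\n", 0.02)
    normal = guard.feed("c1", b"User-Agent: demo\r\n\r\n", 0.05)       # head complete in 50 ms
    guard.open("c2", "198.51.100.7", 0.0)
    guard.feed("c2", b"GET / HTTP/1.1\r\nHost: example.test\r\n", 0.1)
    guard.feed("c2", b"X-a: 1\r\n", 10.0)                               # one line every ~10 s
    slow = guard.feed("c2", b"X-b: 2\r\n", 19.9)                         # still no blank line
    swept = guard.sweep(25.0)                                            # timer fires after the deadline
    return normal, slow, swept, dict(guard.closed)


if __name__ == "__main__":
    print(run_scenario())
```

The slow client is still "partial" at 19.9 s because every byte it sends is valid HTTP; only the clock, not the content, identifies it, which is why the timer must be anchored to the start of the request.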

Reflection attacks
- Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
- When the intermediary responds, the response is sent to the target
- Reflects the attack off the intermediary (reflector)
- Goal is to generate enough volume of packets to flood the link to the target system without alerting the intermediary
- The basic defense against these is blocking spoofed-source packets
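The "block spoofed-source packets" defense is usually implemented on the edge router as a reverse-path check: a packet is forwarded only if the best route back to its claimed source leaves through the interface the packet arrived on. Here is an added example of that check, not code from the slides or from any router vendor, run over a constructed forwarding table and a handful of constructed packets (all addresses from the documentation ranges). The loose variant, which only asks whether any non-default route covers the source, is included for comparison.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table of an ISP edge router: prefix -> outgoing interface.
# Three customer networks hang off customer-facing interfaces; everything else is
# reached through the upstream. All addresses are from the documentation ranges.
FIB = {
    ip_network("0.0.0.0/0"):          "upstream0",
    ip_network("203.0.113.0/24"):     "cust1",
    ip_network("198.51.100.0/25"):    "cust2",
    ip_network("198.51.100.128/25"):  "cust3",
}


def lookup(fib, addr):
    """Longest-prefix match for an address string; returns (prefix, interface) or None."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(fib, src, in_iface):
    """Strict reverse-path check: accept only if the best route back to the
    claimed source would leave through the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == in_iface


def urpf_loose(fib, src):
    """Loose check: accept if some route other than the default covers the source.
    Weaker, but usable where routing is asymmetric (e.g. multihomed customers)."""
    hit = lookup(fib, src)
    return hit is not None and hit[0].prefixlen > 0


def filter_packets(fib, packets):
    """Decide each (src, dst, in_iface) packet under the strict check; return verdicts."""
    verdicts = []
    for src, dst, in_iface in packets:
        ok = urpf_strict(fib, src, in_iface)
        verdicts.append((src, in_iface, "forward" if ok else "drop"))
    return verdicts


# Constructed packets: a genuine customer packet, two spoofed ones from customers,
# a normal packet from upstream, and an upstream packet claiming a customer source.
SAMPLE_PACKETS = [
    ("203.0.113.7",    "192.0.2.80",   "cust1"),
    ("198.51.100.200", "192.0.2.80",   "cust1"),      # cust1 host claiming a cust3 address
    ("10.20.30.40",    "192.0.2.80",   "cust2"),      # cust2 host claiming an address routed upstream
    ("192.0.2.5",      "203.0.113.7",  "upstream0"),
    ("203.0.113.9",    "198.51.100.3", "upstream0"),  # outside packet claiming to be our customer
]


if __name__ == "__main__":
    for src, iface, verdict in filter_packets(FIB, SAMPLE_PACKETS):
        print(f"{src:16s} in via {iface:10s} -> {verdict}")
```

Strict mode is safe on stub customer interfaces, where traffic to and from the customer always uses the same link; on links with asymmetric routing it drops legitimate traffic, which is why operators fall back to the loose check there and rely on the customer-facing edge, as close to the source as possible, for the strict one.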

Reflection using TCP SYN
- A variant of the reflection attack uses SYN packets and exploits the normal three-way handshake used to establish a TCP connection
- The attacker sends a number of SYN packets with spoofed source addresses to the chosen intermediaries; in turn the intermediaries respond with a SYN-ACK packet to the spoofed source address, which is actually the target system
- The attacker uses this attack with a number of intermediaries, to avoid detection and bandwidth constraints
- The aim is to generate high enough volumes of packets to flood the link to the target system
- The target system will respond with a RST packet for any that get through, but by then the attack has already succeeded in overwhelming the target's network link

DNS reflection attack exploits recursive DNS
[Figure 7.6 DNS Attack. Normal operation (left): (1) the user at IP a.b.c.d sends a query from port 1792 to the DNS server at w.x.y.z, port 53; (2) the DNS server replies from w.x.y.z:53 to a.b.c.d:1792. Attack (right), port 7 being the echo service: (1) the attacker at a.b.c.d sends a query to the DNS server w.x.y.z:53 with the source spoofed as the victim j.k.l.m, port 7; (2) the DNS server replies from w.x.y.z:53 to j.k.l.m:7; (3) the victim's echo service sends the reply back to w.x.y.z:53, so a loop is possible]

Amplification attack
- Like reflection, also involves sending a packet with a spoofed source address for the target system to intermediaries
- However, the intermediary amplifies either the number or the size of the attacker's messages
- Example: send a ping flood to the broadcast address on a large subnetwork, with the source address spoofed as the victim's

Amplification attack
- Broadcast to intermediaries, which perform the reflection attack
[Figure 7.7 Attack: the attacker's zombies broadcast to reflector intermediaries, which reflect the traffic onto the target]

DNS amplification attacks
- Example: use packets directed at a legitimate DNS server as the intermediary system, with the source address spoofed as the victim's
- Attacker creates a series of DNS requests containing the spoofed source address of the target system
- Exploits DNS behavior to convert a small request into a much larger response carrying a big DNS resource record (amplification)
- Target is flooded with the larger responses
- Basic defense against this attack is to prevent the use of spoofed source addresses

Denial-of-service as a service
- Some vendors provide so-called booter or stresser services, which have simple web-based front ends and accept payment over the web
- Marketed and promoted as stress-testing tools, they can be used to perform unauthorized denial-of-service attacks, and allow technically unsophisticated attackers access to sophisticated attack tools without the need for the attacker to understand their use

DoS attack defenses
- These attacks cannot be prevented entirely
- High traffic volumes may be legitimate: high publicity about a specific site, or activity on a very popular site (described as being slashdotted, a flash crowd, or a flash event)
- Four areas of defense:
  - Attack prevention and preemption: before the attack (coming up in the next slides)
  - Attack detection and filtering: during the attack (coming up next class)
  - Attack source traceback and identification: during and after the attack (coming up this semester)
  - Attack reaction: after the attack (briefly discussed today)

DoS attack prevention
- Block spoofed source addresses on routers as close to the source as possible (i.e., the ISP blocks outgoing packets with source addresses it doesn't own)
- Filters may be used to ensure that the path back to the claimed source address is the one being used by the current packet
- Filters must be applied to traffic before it leaves the ISP's network or at the point of entry to their network
- Use modified TCP connection handling code
  - SYN cookie: encrypt into a cookie, sent to the client, what would have been stored in the connection table; a legitimate client responds with an ACK packet containing the incremented sequence number and cookie, which allows the server to then continue the connection
  - Drop an entry for an incomplete connection from the connections table when it overflows
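The SYN cookie bullet above, worked through as an added example (not code from the slides or from any operating system's TCP stack): the server packs a coarse timestamp, an index into a small MSS table and a keyed hash of the connection 4-tuple into the 32-bit initial sequence number of its SYN-ACK, stores nothing, and on the final ACK recomputes the hash to decide whether that ACK belongs to a SYN-ACK it recently sent. The bit layout, the MSS table, the 64-second tick and the secret are all constructed for this illustration; the keyed hash is HMAC-SHA256 truncated to 24 bits.

```python
import hashlib
import hmac

# Client MSS values the cookie can encode; the 3-bit index is stored in the cookie.
# Constructed table (real stacks use a similar short list of common MSS sizes).
MSS_TABLE = [536, 1220, 1440, 1460]
TICK_SECONDS = 64          # coarse time counter; 5 bits of it go into the cookie
MAX_COOKIE_AGE_TICKS = 4   # reject ACKs whose cookie is older than this


def _hash24(secret, src, dst, sport, dport, tick):
    """24-bit keyed hash over the connection 4-tuple and the time tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not above the client's MSS (index 0 if none fits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(secret, src, dst, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK: 5 bits of time, 3 bits of MSS, 24 bits of hash.
    Nothing is stored on the server; the SYN-ACK itself carries all the state."""
    tick = int(now) // TICK_SECONDS
    isn = ((tick & 0x1F) << 27) | (encode_mss(client_mss) << 24) | _hash24(secret, src, dst, sport, dport, tick)
    return isn & 0xFFFFFFFF


def check_cookie(secret, src, dst, sport, dport, ack, now):
    """Validate the ACK that completes the handshake. Returns the negotiated MSS,
    or None if the ACK does not correspond to a SYN-ACK we recently sent."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    tick_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    digest = cookie & 0xFFFFFF
    tick_now = int(now) // TICK_SECONDS
    # The cookie only holds the low 5 bits of the tick; try each recent tick
    # whose low bits match and see whether the keyed hash agrees.
    for age in range(MAX_COOKIE_AGE_TICKS + 1):
        tick = tick_now - age
        if (tick & 0x1F) == tick_bits and _hash24(secret, src, dst, sport, dport, tick) == digest:
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo(secret=b"constructed-server-secret"):
    """Walk one handshake plus a forged and a stale ACK; returns (mss, forged, stale)."""
    client = ("203.0.113.5", "198.51.100.1", 40000, 443)     # constructed addresses
    isn = make_cookie(secret, *client, 1460, now=1000.0)
    mss = check_cookie(secret, *client, isn + 1, now=1010.0)                     # genuine ACK
    forged = check_cookie(secret, *client, (isn + 1) ^ 0x5A5A, now=1010.0)       # guessed ack number
    stale = check_cookie(secret, *client, isn + 1, now=1000.0 + 6 * TICK_SECONDS)  # too old
    return mss, forged, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

Because the server keeps no entry per SYN, a flood of spoofed SYNs costs it one hash per packet and no table space; the price is that TCP options not encoded in the cookie are lost for that connection, which is why real stacks switch cookies on only once the half-open table is under pressure.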

DoS attack prevention (continued)
- Block IP directed broadcasts
- Block suspicious services and combinations
- Manage application requests with CAPTCHAs to distinguish legitimate human requests
- Good general system security practices
- Use mirrored and replicated servers when high performance and reliability are required
- Anti-spoofing, directed broadcast, and rate limiting filters should be implemented
- Ideally, have network monitors and IDS to detect and notify on abnormal traffic patterns

Responding to DoS attacks
- Have a good incident response plan; for example:
  - Details on how to contact technical personnel at the ISP, needed to impose traffic filtering upstream
  - Details of how to respond to the attack

Responding to DoS attacks
1. Identify the type of attack: capture and analyze packets; design filters to block the attack traffic upstream, or identify and correct the system/application bug
2. Have the ISP trace the packet flow back to its source: may be difficult and time consuming; necessary if planning legal action
3. Implement the contingency plan: switch to alternate backup servers; commission new servers at a new site with new addresses
4. Update the incident response plan: analyze the attack and the response for future handling