COMPUTER NETWORK SECURITY

Similar documents
Chapter 7. Denial of Service Attacks

Denial of Service (DoS)

Computer Security: Principles and Practice

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

DENIAL OF SERVICE ATTACKS

Distributed Denial of Service (DDoS)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Network Security Protocols NET 412D

CSE 565 Computer Security Fall 2018

CSE Computer Security (Fall 2006)

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Denial of Service and Distributed Denial of Service Attacks

Attack Prevention Technology White Paper

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Network Security: Denial of Service (DoS) Tuomas Aura / Aapo Kalliola T Network security Aalto University, Nov-Dec 2011

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Guide to DDoS Attacks November 2017

Configuring attack detection and prevention 1

CSE Computer Security

Chapter 10: Denial-of-Services

Network Security. Thierry Sans

A Survey of Defense Mechanisms Against DDoS Flooding A

Denial of Service. EJ Jung 11/08/10

CSc 466/566. Computer Security. 18 : Network Security Introduction

Network Security: Denial of Service (DoS) Tuomas Aura T Network security Aalto University, Nov-Dec 2010

ELEC5616 COMPUTER & NETWORK SECURITY

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Denial of Service (DoS) attacks and countermeasures

Network Security. Tadayoshi Kohno

Cloudflare Advanced DDoS Protection

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

DDoS PREVENTION TECHNIQUE

DDoS and Traceback 1

Network Security. Chapter 0. Attacks and Attack Detection

HP High-End Firewalls

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

DDoS Testing with XM-2G. Step by Step Guide

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Configuring attack detection and prevention 1

Different Layers Lecture 20

Technical White Paper June 2016

Network Security: Denial of Service (DoS) Tuomas Aura (includes material by Aapo Kalliola) T Network security Aalto University, Nov-Dec 2014

Basic Concepts in Intrusion Detection

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Network Security: Denial of Service (DoS) Aapo Kalliola / Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

CNT Computer and Network Security: Denial of Service

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

network security s642 computer security adam everspaugh

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Internet Protocol and Transmission Control Protocol

9. Security. Safeguard Engine. Safeguard Engine Settings

Web Security. Outline

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Network Security: Denial of Service (DoS) Tuomas Aura / Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Backscatter A viable tool for threat of the past and today. Barry Raveendran Greene March 04, 2009

NETWORK SECURITY. Ch. 3: Network Attacks

CSC 574 Computer and Network Security. TCP/IP Security

DDoS: Coordinated Attacks Analysis

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Using DNS Service for Amplification Attack

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to Cisco ASA Firewall Services

Network and Internet Vulnerabilities

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

dfence: Transparent Network- based Denial of Service Mitigation

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

HP High-End Firewalls

COMPUTER NETWORK SECURITY

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

MITIGATING DENIAL OF SERVICE ATTACKS IN OLSR PROTOCOL USING FICTITIOUS NODES

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

Imma Chargin Mah Lazer

What is Distributed Denial of Service (DDoS)?

TCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

Check Point DDoS Protector Simple and Easy Mitigation

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Chapter 8 roadmap. Network Security

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

Unwanted Traffic: Denial of Service Attacks

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Transcription:

COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week)

7. Denial-of-Service Attacks

7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based Bandwidth Attacks Reflector and Amplifier Attacks Defenses Against Denial of Service Attacks Responding to a Denial of Service Attack

Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

Denial-of-Service (DoS) A form of attack on the availability of some service Categories of resources that could be attacked are: Network bandwidth Relates to the capacity of the network links connecting a server to the Internet For most organizations this is their connection to their Internet Service Provider (ISP) System resources Aims to overload or crash the network handling software Application resources Typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users

Broadband subscribers Internet service provider (I SP) B Broadband subscribers Broadband users Internet service provider (ISP) A Broadband users Internet Router Large Company LAN M edium Size Company LAN Web Server Web Server Figure 7.1 Example Network to I llustrate DoS Attacks LAN PCs and workstations

Classic DoS Attacks Flooding ping command Aim of this attack is to overwhelm the capacity of the network connection to the target organization Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases Source of the attack is clearly identified unless a spoofed address is used Network performance is noticeably affected

Source Address Spoofing Use forged source addresses Usually via the raw socket interface on operating systems Makes attacking systems harder to identify Attacker generates large volumes of packets that have the target system as the destination address Congestion would result in the router connected to the final, lower capacity link Requires network engineers to specifically query flow information from their routers Backscatter traffic Advertise routes to unused IP addresses to monitor attack traffic (Honeynet Project)

SYN Spoofing Common DoS attack Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them Thus legitimate users are denied access to the server Hence an attack on system resources, specifically the network handling code in the operating system

Client Server Send SYN (seq = x) Receive SYN-ACK (seq = y, ack = x+1) Send ACK (ack = y+1) 1 2 3 Receive SYN (seq = x) Send SYN-ACK (seq = y, ack = x+1) Receive ACK (ack = y+1) Figure 7.2 TCP Three-Way Connection Handshake

Attacker Server Spoofed Client Send SYN with spoofed src (seq = x) 1 Send SYN-ACK (seq = y, ack = x+1) 2 Resend SYN-ACK after timeouts SYN-ACK s to non-existant client discarded Assume failed connection request Figure7.3 TCP SYN Spoofing Attack

Flooding Attacks Classified based on network protocol used Intent is to overload the network capacity on some link to a server Virtually any type of network packet can be used ICMP flood Ping flood using ICMP echo request packets Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool UDP flood Uses UDP packets directed to some port number on the target system TCP SYN flood Sends TCP packets to the target system Total volume of packets is the aim of the attack rather than the system code

Distributed Denial of Service DDoS Attacks Use of multiple systems to generate attacks Attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie) Large collections of such systems under the control of one attacker s control can be created, forming a botnet

Best-known DDoS tools Network Stresser - http://networkstresser.com (120GB/seconds) Beta Booter - http://betabooter.com (100GB/seconds) Critical Booter - https://critical-boot.com (90GB/seconds) Stressed Stresser - https://str3ssed.me Poly Stresser - http://polystress.com Exo Stresser - http://exostress.in Data Booter - http://databooter.com Insta Booter - http://instabooter.com Z Stresser - http://zstress.net Top Booter - http://topbooter.com

Attacker Handler Zombies Agent Zombies Target Figure 7.4 DDoS Attack Architecture

DNS Server Returns IP address of bob s proxy server 3 2 Internet DNS Query: biloxi.com Proxy Server Proxy Server INVITE sip:bob@biloxi.com From: sip:alice@atlanta.com 4 LAN 1 INVITE sip:bob@biloxi.com From: sip:alice@atlanta.com INVITE sip:bob@biloxi.com From: sip:alice@atlanta.com 5 Wireless Network User Agent alice User Agent bob Figure 7.5 SIP INVITE Scenario

Hypertext Transfer Protocol (HTTP) Based Attacks HTTP flood Attack that bombards Web servers with HTTP requests Consumes considerable resources Spidering Bots starting from a given HTTP link and following all links on the provided Web site in a recursive way Slowloris Attempts to monopolize by sending HTTP requests that never complete Eventually consumes Web server s connection capacity Utilizes legitimate HTTP traffic Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

Reflection Attacks Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system When intermediary responds, the response is sent to the target Reflects the attack off the intermediary (reflector) Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary The basic defense against these attacks is blocking spoofed-source packets

Norm al User From : a.b.c.d:1 7 9 2 To: w.x.y.z.5 3 1 I P: w.x.y.z DNS Server I P: a.b.c.d 2 From : w.x.y.z.5 3 To: a.b.c.d:1 7 9 2 I P: w.x.y.z DNS Server From : w.x.y.z.5 3 To: j.k.l.m :7 2 Attacker I P: a.b.c.d From : j.k.l.m :7 To: w.x.y.z.5 3 1 Loop possible 3 From : j.k.l.m :7 To: w.x.y.z.5 3 I P: j.k.l.m Vict im Figure 7.6 DNS Reflection Attack

Attacker Zombies Target Reflector intermediaries Figure 7.7 Amplification Attack

DNS Amplification Attacks Use packets directed at a legitimate DNS server as the intermediary system Attacker creates a series of DNS requests containing the spoofed source address of the target system Exploit DNS behavior to convert a small request to a much larger response (amplification) Target is flooded with responses Basic defense against this attack is to prevent the use of spoofed source addresses

DoS Attack Defenses These attacks cannot be prevented entirely High traffic volumes may be legitimate High publicity about a specific site Activity on a very popular site Described as slashdotted, flash crowd, or flash event Four lines of defense against DDoS attacks Attack prevention and preemption Before attack Attack detection and filtering During the attack Attack source traceback and identification During and after the attack Attack reaction After the attack

DoS Attack Prevention Block spoofed source addresses On routers as close to source as possible Filters may be used to ensure path back to the claimed source address is the one being used by the current packet Filters must be applied to traffic before it leaves the ISP s network or at the point of entry to their network Use modified TCP connection handling code Cryptographically encode critical information in a cookie that is sent as the server s initial sequence number Legitimate client responds with an ACK packet containing the incremented sequence number cookie Drop an entry for an incomplete connection from the TCP connections table when it overflows

DoS Attack Prevention Block IP directed broadcasts Block suspicious services and combinations Manage application attacks with a form of graphical puzzle (captcha) to distinguish legitimate human requests Good general system security practices Use mirrored and replicated servers when highperformance and reliability is required

Responding to DoS Attacks Good Incident Response Plan Details on how to contact technical personal for ISP Needed to impose traffic filtering upstream Details of how to respond to the attack Antispoofing, directed broadcast, and rate limiting filters should have been implemented Ideally have network monitors and IDS to detect and notify abnormal traffic patterns

Responding to DoS Attacks Identify type of attack Capture and analyze packets Design filters to block attack traffic upstream Or identify and correct system/application bug Have ISP trace packet flow back to source May be difficult and time consuming Necessary if planning legal action Implement contingency plan Switch to alternate backup servers Commission new servers at a new site with new addresses Update incident response plan Analyze the attack and the response for future handling

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback