Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Similar documents
Distributed Denial of Service (DDoS)

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Computer Security: Principles and Practice

Chapter 7. Denial of Service Attacks

DENIAL OF SERVICE ATTACKS

Denial of Service and Distributed Denial of Service Attacks

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

COMPUTER NETWORK SECURITY

Denial of Service. EJ Jung 11/08/10

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

CSE 565 Computer Security Fall 2018

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

DDoS PREVENTION TECHNIQUE

DDoS Testing with XM-2G. Step by Step Guide

DDoS and Traceback 1

Chapter 10: Denial-of-Services

Denial of Service (DoS)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Configuring Flood Protection

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

A Software Tool for Network Intrusion Detection

Denial of Service (DoS) attacks and countermeasures

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Attack Prevention Technology White Paper

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

CSc 466/566. Computer Security. 18 : Network Security Introduction

NETWORK SECURITY. Ch. 3: Network Attacks

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

DDoS Mitigation & Case Study Ministry of Finance

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

HP High-End Firewalls

Network Security Protocols NET 412D

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Protection Against Distributed Denial of Service Attacks

SYN Flood Attack Protection Technology White Paper

network security s642 computer security adam everspaugh

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Denial of Service, Traceback and Anonymity

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

HP High-End Firewalls

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Basic Concepts in Intrusion Detection

Security System and COntrol 1

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

20-CS Cyber Defense Overview Fall, Network Basics

Distributed Denial of Service (DDoS)

CE Advanced Network Security Botnets

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

Detecting Specific Threats

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Data Sheet. DPtech Anti-DDoS Series. Overview. Series


The Protocols that run the Internet

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Master s Thesis. Detection and Defense Method against Distributed SYN Flood Attacks

Cloudflare Advanced DDoS Protection

EE 122: Network Security

A Rate-Limiting System to Mitigate Denial of Service Attacks

CSE Computer Security (Fall 2006)

Network Security. Thierry Sans

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

Network Security (and related topics)

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Anatomy and Mechanism of DOS attack

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1

Firewalls, Tunnels, and Network Intrusion Detection

Computer and Network Security

Anti-DDoS. User Guide. Issue 05 Date

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Masafumi OE Youki Kadobayashi Suguru Yamaguchi Nara Institute Science and Technology, JAPAN

EFFECT OF HALF-OPEN CONNECTION LIFETIME IN DEFENDING AGAINST DDOS ATTACK

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

DDOS Attack Prevention Technique in Cloud

Chapter 8 roadmap. Network Security

Transcription:

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Paper by Rocky K C Chang, The Hong Kong Polytechnic University Published in the October 2002 issue of IEEE Communications Magazine Report & Critique by James Gaskell 10 October 2011 CS 577 Prof Robert E Kinicki Worcester Polytechnic Institute

Abstract The focus of the paper is the Flooding-Based Distributed Denial-of-Service Attack. Flooding-Based is implied by the Distributed Attack and is soon dropped and is replaced everywhere with the simpler DDoS term. DDoS is described as a very serious threat. In Feb, 2000, ebay, Amazon and Yahoo! were taken down. So the author intends to: 1. Describe, via a tutorial, how a DDoS works 2. Describe current common solutions, 3. Look at newer, more comprehensive defenses. 2

Effect of the Attack The basis of the attack is to harness the vast resources of the Internet to overwhelm a selected victim. The core idea is to have various masters place malicious code in many, many unprotected computers sitting in homes all around the country (world) that will, upon command, unleash a torrent of requests (or other messages) to the victim s server. Thoughtfully, the author does not give any information about how to accomplish this step! Once the attack is unleashed, there are two basic effects: 1. The sheer volume of incoming requests overloads the ability of the victim s server to handle the requests. 2. In a SYN attack (to be described later), the resources of the victim s server are exhausted by (1) having a client start a connection (to which the server allocates resources), but then (2) not allow the connection to complete and (3) having the server sit often for many seconds for a time-out to occur at the server s end and (4) to finally allow the server to release those resources so other connections can be made. 3

Attack Hierarchy One or more Attackers begin the process. The Attacker installs small programs in unprotected computers that are open to the Internet. These computers are called Masters or Handlers. The purpose of these Masters is to infect other (and more numerous) computers called, variously, Agents, Daemons or Zombies. Then, at some point, the Attackers instruct the Masters to instruct the Agents to begin flooding the Internet with their pre-ordained packets. While the general idea of how the process works is described in the paper, no details are provided (Thank goodness!). Direct v Reflected Attacks A Reflector in an attack is simply a computer with access to the Internet whose address is known to the Attacker (via ping?); it does not need to be infected. The Reflector IP address is then spoofed into an attack packet as the source address. When it later gets an unexpected message from the Victim, it makes its normal reply (usually error message) back to the Victim, further using up bandwidth at the Victim s node. 4

Types of Packets UDP (User Datagram Protocol) ICMP (Internet Control Message Protocol) TCP (Transmission Control Protocol) TCP SYN-ACK (TCP w/forged SYN addresses) TCP RST (TCP w/forged Resets) How Many Packets? Microsoft Win 2000 Advanced Server BSD 9 second release Unspecified, but from graph, approx 100 secs. Linux (2.2.29-19) 309 sec For a Win2K server that allows 10K half-open connections, 1100 requests/second will stall the server. Special note: In a SYN-ACK attack, the attacking node AUTOMATICALLY sends out additional requests when its SYNs are not ACKed. General Flooding 1.544 Mb/s will jam a T1. That s 5K pings/sec. Or, for an echo request w/long echoes, many fewer. 5

Defenses 1. Prevent Masters & Agents from ever being initialized. Microsoft, Symantec, McAfee, etc. Firewalls. Possibly being able to snoop traffic on the Internet for Master/Agent probes and back-trace any found. 2. After the fact tracing. IP Traceback allows finding the source even when the source address in the IP header is false. xxxx 3. Have ISPs drop out-going packets whose source address is not in the ISP s realm. Good luck. 4. Have a victim know it s being attacked. Not always that clear! 5. Once an attack is underway, try to develop a signature of the attack packets. NPSR ( Normal packet survival ratio) No documentation of any reasonable successes. 6. The Victim manually notifies up-stream ISPs to block packets with the offending signature. Needs ISP cooperation Needs a good signature Needs procedures in place before-the-fact. 6

A New Approach: An Internet Firewall Two approaches, both employing distributed nodes within the Internet to (1) detect attacks and (2) do local packet filtering. 1. Route-based Packet Filtering (RPF) Compares source IP address, destination IP address & BGP (Border Gateway Protocol) routing information to detect suspicious packets and drop them. Recent changes in routing might cause legal packets to be dropped. This would necessitate a change to the BGP messaging. Even if implemented, the problem is not eliminated but only reduced. The resulting reduced traffic is still easily crippling. Also, packets from to and from Reflectors will never be detected. 2. Distributed Attack Detection (DAD) Uses a wide area set of Detection Systems (DSs) Significant deviation from normal. Placed in strategic locations Local and Global detection An inter-ds communication system 7

Questions? Ideas? Comments? 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback