Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko


Denial of Service
Eduardo Cardoso Abreu - e.abreu@fe.up.pt
Federico Matteo Bencic - up201501013@fe.up.pt
Pavel Alexeenko - ei11155@fe.up.pt

Index
- What is Denial of Service (DoS)?
- DoS vs DDoS (Distributed DoS)
- Types of attacks
  - Network interface layer
  - Network layer
  - Transport layer
  - Application layer
- Programming component: Slowloris script

What is DoS?
"A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space." (NIST Computer Security Incident Handling Guide)

And what is DDoS?

DoS vs DDoS
- Efficiency
- Harder to detect

TCP/IP Model

Network interface layer

Physical attack
- Causing physical damage to the medium or a node
- Solution: put the medium or the node in a safe environment
- Also have two or more physical external connections

Chattering host (CSMA)
- The attacker transmits whenever others transmit, forcing them to back off
- Solution: use multiple collision domains (i.e. a network switch)

Network layer

ARP spoofing
- The attacker's MAC address is associated with some other host's IP address
- The victim's data is routed to the fake address
- Solution: static ARP tables and monitoring software

Smurf attack
- Send an echo request with a spoofed source address belonging to the victim (reflection attack)
- The unwitting accomplices respond to the victim's IP
- Solution: network filtering at the accomplices' networks
- For the targets, drop echo packets or use CAR (Committed Access Rate), Cisco's solution

Ping of death
- Sends a malformed ping packet to the victim
- Some OSes weren't designed to handle oversized packets and crash when reassembling the fragments
- Solution: check the offset and length of incoming fragments (in the host or in the firewall)

Teardrop attack
- Exploits reassembly of fragmented IP packets
- Some (old) OSes crash when they receive a fragment whose offset overlaps with others
- Solution: update the OS
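The fragment checks the two previous slides recommend (offset and length bounds against Ping of death, overlap detection against Teardrop), as an added example that is not part of the original presentation. The `Fragment` record and the three sample fragment sets are constructed for the demo; the limits are the IPv4 ones (a reassembled datagram cannot exceed 65535 bytes, offsets count 8-byte units).

```python
# Added example: host/firewall-side sanity checks on IPv4 fragments.
# Fragment fields and the sample inputs below are constructed for the demo.
from dataclasses import dataclass
from typing import List, Tuple

IPV4_MAX_DATAGRAM = 65535   # 16-bit total length field: largest reassembled datagram


@dataclass
class Fragment:
    ident: int       # IP identification, shared by all pieces of one datagram
    offset: int      # fragment offset field, in 8-byte units
    length: int      # payload bytes carried by this fragment
    more: bool       # MF flag: more fragments follow


def check_fragment(frag: Fragment, accepted: List[Tuple[int, int]]) -> str:
    """Return 'ok' or the reason this fragment is dropped.

    accepted: byte ranges [start, end) already queued for the same datagram.
    """
    start = frag.offset * 8
    end = start + frag.length
    if frag.length <= 0:
        return "empty fragment"
    # Ping of death: the reassembled size would exceed what the IP header can express.
    if end > IPV4_MAX_DATAGRAM:
        return "fragment extends past 65535 bytes"
    # Every non-final fragment must carry a multiple of 8 bytes.
    if frag.more and frag.length % 8 != 0:
        return "non-final fragment length not a multiple of 8"
    # Teardrop: overlap with a piece of the same datagram that was already accepted.
    for a_start, a_end in accepted:
        if start < a_end and a_start < end:
            return f"overlaps accepted fragment [{a_start}, {a_end})"
    return "ok"


def reassemble_check(frags: List[Fragment]) -> List[str]:
    """Feed fragments in arrival order; return one verdict per fragment."""
    accepted: List[Tuple[int, int]] = []
    verdicts = []
    for f in frags:
        v = check_fragment(f, accepted)
        verdicts.append(v)
        if v == "ok":
            accepted.append((f.offset * 8, f.offset * 8 + f.length))
    return verdicts


# Constructed samples: a normal 3060-byte datagram, an oversized one, and an overlapping one.
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 1480, True), Fragment(1, 370, 100, False)]
OVERSIZED = [Fragment(2, 8189, 1480, False)]      # 8189 * 8 + 1480 = 66992 > 65535
OVERLAPPING = [Fragment(3, 0, 1480, True), Fragment(3, 20, 400, False)]  # second starts at byte 160

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversized", OVERSIZED), ("overlapping", OVERLAPPING)):
        print(name, reassemble_check(frags))
```

The overlap rule is deliberately strict (any overlap is dropped); a real stack may instead keep the first copy of the overlapping bytes, but dropping is the safer policy for a firewall in front of hosts the slides describe as crashing on overlap.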

Transport layer

UDP storm
- The attacker sends a spoofed packet (with the victim's IP address) to another victim's small service
- A chain reaction is triggered in which both victims send chargen responses to each other
- Solution: turn off small services or create a firewall rule against them

SYN flooding
- Using spoofed addresses, the attacker sends SYNs without ever completing the 3-way handshake
- When the victim's memory fills up, new connections are rejected, denying service to legitimate clients
- Solution: SYN cookies, which work by not saving the connection state; the state is encoded into the SYN-ACK sent to the client and restored from the final ACK
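A toy SYN-cookie implementation, added here as an example that is not part of the original presentation and is not any real TCP stack's code. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC), the secret, the MSS table and the addresses are constructed choices; what it shows is the mechanism the slide names: the server stores nothing per SYN and rebuilds the connection state from the ACK.

```python
# Added example: SYN cookies. Layout, secret and sample addresses are constructed.
import hmac
import hashlib

SECRET = b"constructed-demo-secret"          # real stacks use a random per-boot key
MSS_TABLE = [536, 1220, 1440, 1460]          # the few MSS values a 3-bit index can encode
COUNTER_GRANULARITY = 64                     # seconds per time-counter tick


def _mac(saddr, daddr, sport, dport, count):
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Build the 32-bit initial sequence number placed in the SYN-ACK."""
    count = (now // COUNTER_GRANULARITY) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
        if m <= client_mss:
            idx = i
    return (count << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, cookie, now):
    """Return the encoded MSS if the cookie is genuine and recent, else None."""
    count = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (now // COUNTER_GRANULARITY) & 0x1F
    if (current - count) % 32 > 1:            # only this tick and the previous one are accepted
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, daddr, sport, dport, count)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class SynCookieServer:
    """Listener that keeps no per-SYN state; state is recreated from the final ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}                 # (saddr, sport) -> mss, filled only by a valid ACK
        self.half_open = 0                    # stays 0 however many SYNs arrive

    def on_syn(self, saddr, sport, client_mss, now):
        # Answer with a SYN-ACK whose sequence number is the cookie; nothing is stored.
        return make_cookie(saddr, self.addr, sport, self.port, client_mss, now)

    def on_ack(self, saddr, sport, ack_number, now):
        # The client's ACK acknowledges our seq + 1, so the cookie is ack_number - 1.
        cookie = (ack_number - 1) & 0xFFFFFFFF
        mss = check_cookie(saddr, self.addr, sport, self.port, cookie, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def flood_then_connect(now=1_000_000):
    """Constructed scenario: 10000 spoofed SYNs, then one honest client completing the handshake."""
    srv = SynCookieServer("192.0.2.1", 80)
    for i in range(10_000):                   # spoofed sources never send the ACK
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1460, now)
    seq = srv.on_syn("198.51.100.7", 40000, 1460, now)
    ok = srv.on_ack("198.51.100.7", 40000, (seq + 1) & 0xFFFFFFFF, now + 1)
    return srv.half_open, ok, len(srv.established)


if __name__ == "__main__":
    print(flood_then_connect())
```

The price of the trick is visible in the code: only a handful of MSS values survive the round trip, other SYN options are lost, and a cookie older than two counter ticks is rejected, which is why real stacks switch cookies on only when the SYN backlog is under pressure.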

Application layer

DNS cache poisoning
- DNS responses may carry additional records
- The attacker's DNS server can associate fake IPs with names like paypal.com, which can be used for credential harvesting (phishing)
- Solution: update resolvers to accept additional records only from the same domain, or use DNSSEC to check whether a record should be trusted
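The "same domain" rule from the slide, applied to the additional section of a constructed DNS response, as an added example that is not part of the original presentation. The record dictionaries, zone name and IP addresses are constructed; the check is the bailiwick test resolvers apply: an additional record is cached only if its owner name sits inside the zone the responding server is authoritative for.

```python
# Added example: bailiwick filtering of DNS additional records. All records are constructed.
def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies underneath it (case-insensitive, trailing dot ignored)."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def filter_additional(answering_zone: str, additional: list) -> tuple:
    """Split additional-section records into (kept, dropped) by the bailiwick rule."""
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr["name"], answering_zone) else dropped).append(rr)
    return kept, dropped


# Constructed response: a resolver asked the example.com name servers for www.example.com
# and got these additional records back. Only the first one belongs in the cache.
ANSWERING_ZONE = "example.com."
ADDITIONAL = [
    {"name": "ns1.example.com.", "type": "A", "data": "192.0.2.10"},    # glue, in bailiwick
    {"name": "paypal.com.", "type": "A", "data": "203.0.113.7"},        # unrelated domain, planted
    {"name": "example.com.evil.", "type": "A", "data": "203.0.113.8"},  # suffix trick: not under example.com
    {"name": "notexample.com.", "type": "A", "data": "203.0.113.9"},    # another suffix trick
]


def poisoning_attempt_blocked():
    """Return the owner names kept and dropped for the constructed response."""
    kept, dropped = filter_additional(ANSWERING_ZONE, ADDITIONAL)
    return [r["name"] for r in kept], [r["name"] for r in dropped]


if __name__ == "__main__":
    print(poisoning_attempt_blocked())
```

The two "suffix trick" records are why the comparison is done on whole labels (`"." + zone`) rather than a plain string suffix: `notexample.com` ends with `example.com` as text but is a different domain. Bailiwick checking stops planted glue; it does not authenticate the answer section itself, which is what the slide's DNSSEC option adds.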

DNS flooding
- Many DNS servers answer public queries
- The attacker sends spoofed queries (using the victim's IP) that produce verbose responses, generating immense traffic
- Effectiveness increases with DDoS, since the traffic is not easily recognized by the firewall
- Solution: avoid running DNS servers that answer general public queries

Starvation of available sessions on the web server
- The attacker keeps sessions stalled using never-ending transmissions
- Programming component: Slowloris.pl, script available at https://github.com/llaera/slowloris.pl

How does it work?
Slowloris works by sending partial HTTP requests to the host. The TCP connection Slowloris makes during the attack is a full, legitimate TCP connection.

Targets
Some of the eligible targets (single-process, thread-based servers):
- Apache 1.x
- Apache 2.x
- dhttpd
Resistant implementations:
- Hiawatha
- IIS
- lighttpd
- Squid
- NGINX

Implementation
A valid GET request, for comparison:

    GET / HTTP/1.0[CRLF]
    User-Agent: Wget/1.10.2 (Red Hat modified)[CRLF]
    Accept: */*[CRLF]
    Host: 192.168.0.103[CRLF]
    Connection: Keep-Alive[CRLF][CRLF]

What does Slowloris send?
The primary payload built by the script (Perl):

    my $primarypayload =
        "GET /$rand HTTP/1.1\r\n" .
        "Host: $sendhost\r\n" .
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" .
        "Content-Length: 42\r\n";   # no terminating blank line, so the request headers never end

Let us see it then :D

Some useful stuff
- Slowloris is mostly undetected by IDS because it does not send malformed requests
- Furthermore, if the web server is heavily used, Slowloris has to wait for HTTP connections to become available
- As soon as the attacker stops the script, the resources are released and the web server becomes available again

Protection
- Hardware load balancers: the load balancer can be configured to accept only complete HTTP requests
- A firewall: use firewall rules to limit the number of connections from a particular host
- A different timeout configuration: lowering the timeout makes it harder for Slowloris to hold connections
- Modules against Slowloris, e.g. mod_antiloris for Apache: http://sourceforge.net/projects/mod-antiloris/
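The two software-side protections from the slide (a request-header timeout and a per-host connection cap) run against a constructed snapshot of a web server's connection table, as an added example that is not part of the original presentation and is not mod_antiloris or any web server's code. The `Conn` record, the thresholds (20 s, 50 connections per host) and the sample connections are all constructed.

```python
# Added example: header-completion timeout plus per-host connection cap.
# Record layout, thresholds and the snapshot below are constructed.
from dataclasses import dataclass
from collections import Counter
from typing import List, Set, Tuple


@dataclass
class Conn:
    conn_id: int
    src_ip: str
    opened_at: float        # epoch seconds when the TCP connection was accepted
    header_complete: bool   # has the blank line that ends the request headers arrived?


def apply_policy(conns: List[Conn], now: float, header_timeout: float = 20.0,
                 max_per_host: int = 50) -> Tuple[Set[int], Set[str]]:
    """Return (connection ids to close, source IPs over the per-host cap).

    Timeout rule: a request whose headers are still incomplete after header_timeout
    seconds gives its worker back (the slide's "different timeout configuration").
    Per-host rule: a source holding more than max_per_host connections is capped (the
    slide's firewall rule); its newest surplus connections are closed as well.
    """
    to_close: Set[int] = set()
    for c in conns:
        if not c.header_complete and now - c.opened_at > header_timeout:
            to_close.add(c.conn_id)
    per_host = Counter(c.src_ip for c in conns)
    over_cap = {ip for ip, n in per_host.items() if n > max_per_host}
    for ip in over_cap:
        mine = sorted((c for c in conns if c.src_ip == ip), key=lambda c: c.opened_at)
        for c in mine[max_per_host:]:          # keep the oldest max_per_host, close the rest
            to_close.add(c.conn_id)
    return to_close, over_cap


NOW = 1_700_000_000.0
SNAPSHOT: List[Conn] = (
    [Conn(1, "192.0.2.11", NOW - 2, True),      # ordinary requests with complete headers
     Conn(2, "192.0.2.12", NOW - 1, True),
     Conn(3, "192.0.2.13", NOW - 3, True),
     Conn(4, "192.0.2.50", NOW - 5, False)]     # slow client, still inside the header timeout
    + [Conn(100 + i, "198.51.100.9", NOW - 30 - i, False) for i in range(60)]  # one host, 60 stalled requests
)


def evaluate_snapshot():
    """Apply the policy to the constructed snapshot; return (sorted ids to close, capped hosts)."""
    to_close, over_cap = apply_policy(SNAPSHOT, NOW)
    return sorted(to_close), over_cap


if __name__ == "__main__":
    ids, hosts = evaluate_snapshot()
    print(len(ids), "connections closed;", "capped hosts:", hosts)
```

Run on the snapshot, the timeout rule alone frees all 60 stalled workers while leaving the slow but young connection 4 alone; the per-host rule additionally marks the source so that its new connections are refused until its count drops. The header timeout is the cheaper control and works against a distributed variant too, whereas the per-host cap is only meaningful while the stalled connections come from few addresses.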

Thank you for your attention. Any questions?