CHAPTER 1 DISTRIBUTED DENIAL OF SERVICE


1.1 INTRODUCTION

The Internet has become the infrastructure of modern society. The Internet architecture focuses on functionality and not on security. Inexperienced users leave their systems vulnerable to compromise: for example, using vendor-supplied default passwords, leaving auto-configure features in their default settings, turning off firewalls, etc. makes it easy to gain root or administrator access. The Computer Emergency Response Team (CERT) Coordination Center, the center of Internet security expertise, has identified 831 key vulnerabilities in the Internet architecture and suggests that automated tools are being used to exploit these security holes. The magnitude of attacks against major websites suggests that this is true. Regardless of the diligence, effort and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from denial-of-service attacks because of two fundamental characteristics of the Internet.

1. The Internet comprises limited and consumable resources. The infrastructure of interconnected systems and networks comprising the Internet is entirely composed of limited resources. Bandwidth, processing power and storage capacity are all common targets for attacks designed to cause some level of service disruption. An abundance of well-engineered resources may raise the bar on the degree an attack tools place even the most abundant resources in range for disruption.

2. Internet security is highly interdependent. Attacks are commonly launched from one or more points on the Internet many cases, the launch point consists of one or more systems that have been subverted by an intruder via a security-related systems. As such, intrusion defense not only helps to protect Internet assets and the mission they support, but also helps prevent the use of those assets to attack other Internet-connected networks and systems. Likewise, regardless of how well defended any asset may be, its susceptibility to many types of attack depends on the state of security on the rest of the global Internet.

1.2 DENIAL OF SERVICE

A Denial of Service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. DoS attacks are capable of either crashing the host such that it cannot communicate properly with the rest of the network, or legitimate users.

A DoS attack is an explicit attempt by an attacker to overload the server(s) or network(s) with useless traffic, resulting in a loss or interruption of all network connectivity and services. A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:

1. Consumption of computational resources (bandwidth, disk space, CPU time)
2. Disruption of configuration information
3. Disruption of physical network components

Traditionally, these attacks target commercial web sites, electronic mail and Domain Name System (DNS) servers and routing devices that rely on a constant Internet presence, where availability of the service is a crucial factor for the success of the business. The primary resources targeted in a DoS attack are the bandwidth, processing capacity and storage capacity of the victim, and the costs are in terms of money and time. It does not normally result in theft of information, damage to databases or loss of security. A successful DoS attack can overwhelm the victim yet conceal the evolving Internet services. The attack software is powerful and does not require extensive knowledge to deploy. The tools for disrupting services are readily available on the Internet. Attacks mimic the behavior of legitimate users and hence are much harder to detect. The stateless nature of the Internet, dilution of locality in the flooding stream, spoofed source addresses and the capacity of servers to establish a large volume of connections undermine the effectiveness of traceback techniques for locating the sources. Consequently, DoS attacks are becoming simpler to implement, harder to detect and more difficult to trace.

1.3 DISTRIBUTED DENIAL OF SERVICE

Distributed Denial of Service (DDoS) uses DoS as the basic building block. The key features of DDoS are distributing the attack across several hosts and coordinating the attack among those hosts. As shown in Figure 1.1, a DDoS attack involves four major components: an Attacker, Master / Handler nodes, Daemon / Agent nodes and a Victim. In order to carry out a DDoS attack, the attacker needs several hundred to several thousand compromised hosts. The process of compromising a host and installing the tool is automated. The attacker orchestrates the attack from a single source machine. It does not directly communicate with (or attack) the victim, but initiates a scan phase in which a large number of machines are probed for a known vulnerability to gain administrator access. These host machines are then compromised and the attack tools are installed on them, resulting in a network of Master / Handler nodes under the direct control of the attacker. These Handler nodes in turn search for vulnerable machines, which are then exploited to create Daemon / Agent nodes. The attack software is installed on these Agent nodes, and the Agent nodes perform the actual attack. The scan and exploit phases are totally automated processes. The attacker can compromise and install the tool on a single host in under 5 seconds, and a large attack network comprising several thousand hosts can be constructed and deployed in under an hour. The time of onset of the attack, the attack type, the duration of the attack and the victim address are preprogrammed into the attack code. Once the attacker controls enough systems the attack can be launched. The victim is flooded with various types of packets from the Daemon / Agent nodes. The ensuing massive stream of data overwhelms the processing capacity of the target system or floods the network bandwidth of the targeted victim or routers, rendering them incapable of providing any services.

The attacker controls one or more Handler nodes, which in turn control a number of Agent nodes. DDoS uses this distributed nature of the attack (dilution of locality in the flooding stream), spoofed source addresses and the stateless nature of the Internet to thwart all attempts at discovering the origin of the attack. A successful DDoS attack is one in which the victim is fully overwhelmed and the attacker's identity eludes detection. The components of a Distributed Denial of Service attack are shown in Figure 1.1.

Figure 1.1 Components of DDoS

The advantages of the DDoS network structure are:

1. A single hacker can command hundreds of systems to attack a victim.
2. The attack hosts are replicated and are controlled from a central location. Even if one station is traced and shut down, the others can continue the attack. This makes it difficult to eliminate or stop an attack.
3. The multi-tiered structure makes it difficult to trace the true origin of the attack, which is the client behind the source machine and not the Handler or Daemons.

1.4 PHASES OF A DDoS ATTACK

The five phases of a DDoS attack are summarized below:

1. Scanning Phase: The installed DDoS attack software (Bots) scans a large number of computers for security flaws.
2. Exploitation Phase: Susceptible hosts are identified and a list of compromised hosts is recorded.
3. Deployment Phase: The Handler software is installed on the compromised hosts. It is a special program, capable of controlling multiple Agents.
4. Propagation Phase: The Handler in turn scans for vulnerable hosts and compromises them. An Agent / Daemon is a compromised host that is running a special program which generates a stream of packets directed towards the intended victim. There are three common methods of software propagation: Central Source propagation, Back Chaining propagation and Autonomous propagation.
5. Attack Phase: Multiple compromised Agent / Daemon machines are used to launch / direct a coordinated attack on a target machine, usually one or more servers, by overwhelming the target machine with a large volume of malicious packets that can cause any / all of the following effects:
   a. any further work from occurring.
   b. Trigger errors in the target machine and force it into an unstable state or lock up.
   c. Exploit errors in the operating system to cause resource starvation and / or thrashing, i.e. to use up all available facilities so that no real work can be accomplished.
   d. Crash the operating system itself.

1.5 SCANNING

DDoS attack tools are commonly deployed on compromised systems. This deployment depends on the presence of exploitable vulnerabilities on the system and the ability of the intruder to exploit those vulnerabilities. The increase in the sophistication and use of automated tools has caused a significant decrease in the time window from when a vulnerability is discovered to when it is widely exploited.

Searching for vulnerable machines on the Internet can be done by blind targeting or selective targeting. Blind-targeting vulnerability searches are usually highly automated and involve little human interaction during the execution of the attack. They also tend to be highly vulnerability-specific, often targeting systems that are vulnerable to one or a small number of particular exploits, such as vulnerabilities in the operating system platform or in software on the system. Attacks based on selective targeting may or may not incorporate high degrees of automation and may or may not be vulnerability-specific. Selective targeting is generally based on using some criteria other than the target operating system or potentially exploitable vulnerabilities to select a target or target sector for attack. Early DDoS tools, for example, were installed on carefully selected Unix-based hosts. Systems were often manually tested for network connectivity, regular levels of network traffic and available bandwidth before being used as Handlers or Agents in a DDoS network. In order to identify vulnerable machines on the Internet and compromise them, malicious Bot software is used. A Bot is a program that operates automatically as an Agent for a user or another program. The three primary characteristics of a Bot are a remote control mechanism, the implementation of commands and a spreading mechanism to propagate it further. Bots can be installed on multiple computers to set up Botnets. Botnets are a number of computers that, although their owners are unaware of it, have been set up to forward transmissions to other computers on the network. Botnets can be used in Distributed Denial of Service attacks to identify vulnerable machines and compromise them. The installations typically take about 5 seconds and allow a large number of systems to be compromised quickly.

The bots enable a remote control mechanism that lets the hacker for commands from the hacker. Typically two types of commands are implemented over the remote control network: DDoS attacks and updates. The bots automatically scan whole network ranges for vulnerabilities, primarily in the operating system. Complexity and various problems in the source code make it easy to exploit and install applications. Once the vulnerable computers are identified they are quickly infected with the Bot software, and the process repeats itself. These bots are forwarded to Handler and Agent nodes by scanning based on either host or vulnerability. Host scanning strategies are further classified as random, hit-list, topological, permutation and local subnet scanning. Vulnerability scanning strategies are further classified as horizontal, vertical, coordinated and stealthy scanning. Once a vulnerable computer is identified, the attack software automatically infects it.

1.6 SOFTWARE PROPAGATION

DDoS attack toolkits are commonly deployed on compromised systems. This deployment depends on the presence of exploitable vulnerabilities on the system and the ability of the intruders to exploit those vulnerabilities. The various aspects of DDoS attack propagation are the identification and compromise of vulnerable machines and the copying of the attack toolkit to the compromised systems (Agents / Daemons). Once the attack toolkit is copied to a compromised system, the scripts in the attack toolkit control the automated installation of the attack software on the compromised Agent / Daemon. When a sufficient number of Agents / Daemons has been created, a DDoS attack can be launched on the victim machine.

Three popular models of automated attack toolkit propagation are central source propagation, back chaining propagation and autonomous propagation.

Central Source Propagation

As shown in Figure 1.2, in central source propagation of attack software, the attack code resides on a central server or set of servers. In the first step, an attacker searches for and compromises a vulnerable machine and installs exploit code on it. In the second step the compromised host executes the code, which carries an instruction to transfer a copy of the attack toolkit from the central server to itself, creating a newly compromised Agent. File transfer mechanisms commonly employed to copy the attack toolkit are Remote Procedure Call (RPC), File Transfer Protocol (FTP) and Hyper Text Transfer Protocol (HTTP).

Figure 1.2 Central Source Propagation

The major disadvantage of this method is that it imposes a large burden on the central server, which is also a single point of failure. Its removal prohibits further Agent infection.

Back Chaining Propagation

Figure 1.3 demonstrates the back chaining propagation of attack software. In contrast to central source propagation, the attack code resides on the attacking machine, which searches for and compromises vulnerable systems and installs the exploit code on them. Once a system is compromised it executes the code, which carries an instruction to transfer a copy of the attack toolkit from the attacking host itself. For this to work, the attack tools on the attacking host include some method to accept a connection from and send a file to the victim host. Mechanisms that implement back channel file copy range from simple port listeners that copy file contents across the network and Trivial File Transfer Protocol (TFTP) to full intruder-installed web servers.

Figure 1.3 Back Chaining Propagation

The advantage of back chaining propagation is that it avoids the single point of failure present in central source propagation and hence is more survivable than its predecessor.

Autonomous Propagation

Figure 1.4 demonstrates the autonomous propagation of attack software. The attack toolkit resides on the attacking machine. Autonomous propagation does not use exploit code to copy the attack toolkit. When a vulnerable system is identified, the attack toolkit is injected directly into the compromised host during the exploitation phase itself. This eliminates the file retrieval step and reduces the frequency of network traffic needed for Agent mobilization, and hence reduces the chances of attack discovery.

Figure 1.4 Autonomous Propagation

1.7 DDoS ATTACK METHODS

DDoS attack methods are broadly categorized as flooding attacks, logical attacks and combinations thereof. Flooding attacks are achieved by the attacker sending a continuous flood of packets to overwhelm the victim's system. The high volume of traffic consumes the resources of the targeted system, hitting the CPU cycles, memory, network bandwidth or packet buffers. A simple bandwidth consumption attack can exploit the throughput limits of servers or network equipment by sending large numbers of small packets and overwhelming the available resources. These attacks can cause the system to slow down and jam, or result in a complete site shutdown.

Logic or software attacks do not directly exploit weaknesses in Transmission Control Protocol / Internet Protocol (TCP/IP) or network applications. Instead, they use the expected behavior of protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) to the attacker's advantage. The attacker sends a small number of malformed packets designed to exploit a known software bug on the target system. These attacks can be stopped by installing software patches which eliminate the vulnerabilities, or by adding specialized firewall rules which filter out malformed packets before they reach the system.

Smurf Attack

A Smurf attack is a variety of DDoS attack called an amplification attack. Network traffic is amplified through compromised systems before it reaches the victim computer. A Smurf attack accomplishes this by flooding a victim computer with ICMP echo and reply messages. The ping requests are forwarded to a directed broadcast address. The source IP address is spoofed and set to the victim machine's address. Computers in the broadcast address domain will receive and reply to the exhausting its bandwidth and bringing it to a halt. The amount of traffic sent by the attacker is multiplied by a factor equal to the number of hosts behind the router that reply to the ICMP echo packets. The effect can be amplified when multiple broadcast domains are used and more computers are involved in the attack. To defend against Smurf attacks, all routers and individual hosts in a network must be configured to drop ICMP echo requests to broadcast addresses.

Figure 1.5 Ping Broadcast Attack

Figure 1.5 depicts a Smurf attack in progress. The attacker sends a stream of ICMP echo packets to the router. The attacker modifies the packets that replies to the echo packets will be sent to that address. The destination address of the packets is the broadcast address of a domain.

If the router is (mis-)configured to forward these broadcasts to hosts on the other side of the router, all the hosts in the broadcast domain will effectively overwhelm its link bandwidth. Besides the target system, the intermediate router is also a victim, and thus also the hosts in the broadcast domain.

ICMP Floods and Ping of Death

Ping of Death was a popular DDoS attack which targeted hosts with a weak implementation of the TCP/IP stack. The attacker sends an ICMP Echo request packet with a size larger than 65,535 bytes, causing the buffer at the receiver to overflow when the packet is included in the reassembly process. Ping of Death can cause the target system to crash and / or reboot. Older versions of Windows (95/NT4), Macintosh and Linux operating systems and other network devices such as routers were vulnerable to the Ping of Death. Modern operating systems and network devices safely disregard these oversized packets.

Teardrop Attacks

When data are sent across a TCP/IP network, they are fragmented into small fragments. The fragments contain an Offset field in their TCP header that specifies where certain data start and end. In a Teardrop attack, the attacker sends fragments with invalid overlapping values in the Offset field, which may cause the target system to crash when it attempts to reassemble the ack safely disregard such invalid packets.

Bonk Attacks

The Bonk attack is similar to a Teardrop attack. Instead of sending IP fragments with overlapping Offset values in the TCP header, it sends Offset values that are too large. As with the Teardrop attack, this may cause the target system to crash.

Land Attacks

During a Land attack, the attacker sends a forged TCP SYN packet with the same source and destination IP address. This confuses systems with outdated versions of the TCP / IP stack, because the system receives a TCP connection request from itself. This may cause the target system to crash.

UDP Flood

This type of flood exploits the User Datagram Protocol (UDP), a connectionless and non-adaptive protocol that provides a simple and unreliable system for transferring data. The UDP protocol does not require a handshake mechanism to establish a connection. This makes it relatively easy to abuse for flood attacks. The potential attacker uses a forged source IP address to send UDP packets to a random port on the target machine. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application waiting on the port, it will generate an ICMP destination unreachable packet to the forged source address. If large numbers of such UDP packets are transmitted to ports on the target system, the CPU time, memory and bandwidth required to process these packets may cause the target to become unavailable to legitimate users, and the system may crash.
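The "specialized firewall rules which filter out malformed packets" mentioned under logic attacks can be made concrete. The following is an added example, not code from the thesis, of a single filter function covering the Smurf, Ping of Death, Teardrop, Bonk and Land cases described above: it drops ICMP echo requests aimed at a broadcast address, SYN packets whose source equals their destination, fragments that would push the reassembled datagram past the 65,535-byte IPv4 limit, and fragments that overlap data already received for the same datagram. The Packet dataclass, the LOCAL_NETS list and the sample addresses (RFC 5737 documentation ranges) are constructed for the example; note that the fragment offset checked here is the one carried in the IP header.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IP_HEADER_LEN = 20
IP_MAX_DATAGRAM = 65535                    # largest legal IPv4 datagram, header included
LOCAL_NETS = [ip_network("192.0.2.0/24")]  # constructed: the network behind the filter


@dataclass
class Packet:
    """Fields a filter needs from one IPv4 packet (constructed test representation)."""
    src: str
    dst: str
    proto: str                # "icmp", "tcp" or "udp"
    payload_len: int = 0      # bytes following the IP header
    frag_id: int = 0          # IP identification field, shared by all fragments of a datagram
    frag_offset: int = 0      # IP fragment offset, in 8-byte units
    more_frags: bool = False  # IP "more fragments" flag
    icmp_type: int = -1       # 8 = echo request
    tcp_flags: str = ""       # e.g. "S" for SYN


def is_broadcast(dst: str) -> bool:
    addr = ip_address(dst)
    return addr == ip_address("255.255.255.255") or any(
        addr == net.broadcast_address for net in LOCAL_NETS)


class MalformedPacketFilter:
    def __init__(self):
        # (src, dst, frag_id) -> byte ranges already seen for that datagram.
        # A real reassembler also expires entries on a timer; omitted here.
        self._frags = {}

    def check(self, pkt: Packet):
        """Return a drop reason, or None if the packet passes every check."""
        # Smurf: echo request aimed at a broadcast address; never forward it
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and is_broadcast(pkt.dst):
            return "smurf: ICMP echo request to a broadcast address"
        # Land: SYN whose source equals its destination
        if pkt.proto == "tcp" and "S" in pkt.tcp_flags and pkt.src == pkt.dst:
            return "land: SYN with identical source and destination address"
        start = pkt.frag_offset * 8
        end = start + pkt.payload_len
        # Ping of Death / Bonk: this fragment would push the reassembled
        # datagram past the 65,535-byte limit, i.e. past the receiver's buffer
        if IP_HEADER_LEN + end > IP_MAX_DATAGRAM:
            return "oversized: fragment extends reassembled datagram past 65535 bytes"
        if pkt.frag_offset or pkt.more_frags:
            key = (pkt.src, pkt.dst, pkt.frag_id)
            seen = self._frags.setdefault(key, [])
            # Teardrop: new fragment overlaps data already received for this datagram
            for s, e in seen:
                if start < e and s < end:
                    del self._frags[key]
                    return "teardrop: overlapping fragment offsets"
            seen.append((start, end))
        return None


def run_samples():
    """Constructed packets: one per attack above plus two benign ones."""
    flt = MalformedPacketFilter()
    samples = [
        Packet("198.51.100.7", "192.0.2.255", "icmp", 56, icmp_type=8),
        Packet("192.0.2.10", "192.0.2.10", "tcp", 0, tcp_flags="S"),
        Packet("198.51.100.7", "192.0.2.10", "icmp", 1480, frag_id=1, more_frags=True),
        Packet("198.51.100.7", "192.0.2.10", "icmp", 1480, frag_id=1, frag_offset=100, more_frags=True),
        Packet("198.51.100.7", "192.0.2.10", "icmp", 100, frag_id=2, frag_offset=8190),
        Packet("198.51.100.7", "192.0.2.10", "udp", 512),
    ]
    return [flt.check(p) for p in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict or "pass")
```

The fourth sample starts at byte 800 while the third already covers bytes 0 to 1480 of the same datagram, so it is the Teardrop case; the fifth starts at byte 65,520 and would end past the limit, which covers both Bonk (offset too large) and Ping of Death (reassembled size over 65,535). The checks are ordered cheapest first and every verdict carries its reason so the filter's log is useful for detection, not only for blocking.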

Packets typically contain randomly forged source addresses to prevent simple filtering. To minimize the risk of a UDP flood attack, disable all unused UDP services on hosts and block the unused UDP ports at the network firewall.

TCP Flood

TCP floods are similar to UDP floods. Attackers use TCP packets instead of UDP packets.

TCP SYN Flood

TCP Synchronous (TCP SYN) Flood attacks try to deplete the computational resources of a server. The attack exploits the process used in establishing a TCP connection, known as the "TCP 3 Way Handshake", which is the foundation for every connection established using the TCP protocol. This process requires three packets to be sent between the client and the server to establish a TCP connection:

1. A client requests a connection by sending a SYN (synchronize) packet to the server. The session-establishing packets include a SYN field that identifies the sequence in the message exchange.
2. The server allocates a TCP control block, sends a SYN/ACK packet back to the client and waits for the client to send an ACK (Acknowledgement) packet for the connection to be established.
3. The client responds with an ACK and the connection is established, i.e. open, allowing traffic from both sides (full duplex). The connection remains open until the client or the host issues a FIN (Finish) or RST (Reset) packet, or the connection times out.

As long as the server has not received the ACK, the connection is in a half-open state, thus consuming TCP control blocks. To create such half-open connections the potential attacker can:

1. Withhold the ACK from the server, or
2. Send SYN packets with spoofed source IP addresses to the target. The target replies with SYN / ACK packets that are, however, destined for an incorrect or non-existent host and thus never receive the ACK.

In both cases, the connections remain in the half-open state because the target never receives the required ACK packets, causing the target to run out of TCP control blocks. An attacker can send a number of connection requests very rapidly using spoofed IP addresses or fail to respond to the reply. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. If all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. The technology often used for allocating resources for half-open TCP connections involved a queue which was often very short, with each entry of the queue being removed upon a completed connection or upon expiry. When the queue was full, further connections failed. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way. In general, this problem requires the operating system to provide correct settings or the network administrator to tune the size of the buffer and the timeout period.

1.8 DDoS TOOLS

The DDoS attack tools are designed to bring a single site or multiple sites down by flooding the victim with large amounts of network traffic. These amounts of network traffic originate from multiple locations and are remotely controlled by a single client. Each of these attack tools differs in terms of the types of attack it can support and the way communication is carried out between the client and the Handlers. The tools are used to disrupt the normal network traffic to a host and not to capture data or infiltrate a computer system. Popular DDoS programs / software / tools include FloodNet, Tribe Flood Network (TFN), Trin00, Stacheldraht and TFN2K. These programs use a client / server architecture to allow a single attacker to simultaneously direct attacks by many machines. These attack tools are readily available on the Internet and do not need extensive knowledge to deploy. Additionally, the software hides the break-in and subsequent activities and erases all the evidence. It is also possible to configure the software to disable and uninstall itself when certain conditions are met. Moreover, these tools are not easily traceable because they forge their source addresses using IP spoofing, thus hiding their genuine location. This makes traceback and identification extremely difficult.

FloodNet

FloodNet is a Java application that inundates the target with requests for non-existent pages and queries. It uses a form of TCP / IP flooding that attacks inbound and outbound data and saturates the processing capability of the target host and the bandwidth of the network. FloodNet is also able to upload messages to server error logs by intentionally asking for a non-existent Uniform Resource Locator (URL). This works because of the way many HTTP servers process requests for web pages that do not exist. FloodNet's Java applet asks the targeted server for a directory called, for example, "DDoS_Attacks", but since that or This is a unique way to leave a message on that server. The FloodNet program will cause the desired DDoS effect only when thousands of users are logged in simultaneously, where all their browsers will automatically reload the targeted website and cause so much traffic inside the server that any other user attempting to log in will not be able to view the website.

Trin00

Trin00 was the first and simplest of the DDoS software. Trin00 is essentially a Master / Slave (called Masters and Daemons) program whose parts coordinate with each other to launch a UDP DDoS flood against a victim machine. A stolen account is initially set up by the attacker as a repository for precompiled versions of scanning tools, attack tools, rootkits and sniffers, Trin00 Daemon and Master programs, lists of vulnerable hosts and previously compromised hosts, etc. This would normally be a large system with many users, one with little administrative oversight and on a high-bandwidth connection for rapid file transfer. (A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Typically, an attacker installs a rootkit on a computer after first obtaining root-level access, either by exploiting a known vulnerability or by obtaining a password. Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Rootkits can primarily hide applications that steal computing resources or passwords without the knowledge of administrators and users of affected systems. A sniffer is a computer program that can intercept packets passing over a digital network or part of a network and log information about the various fields in the packet.) A scan is performed of large ranges of network blocks to identify potential targets, and a list of vulnerable systems is created. A script is then executed that performs the exploit, sets up a command shell running under the root account that listens on a TCP port, and connects to this port to confirm the success of the exploit. The result is a list of compromised systems ready for setting up the Trin00 Master / Handler nodes. The Master / Handler nodes compile a list of machines that can be compromised. From this list of compromised systems, subsets with the desired architecture are chosen for the Trin00 network. Scripts are run to compromise these vulnerable machines and convert them into Trin00 Agent / Daemon nodes.
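Section 1.7 above describes the SYN flood problem as a short queue of half-open connections that fills up, and the remedy it names is tuning the queue size and timeout. A complementary, stateless remedy used by modern servers is the SYN cookie: instead of allocating a TCP control block on the SYN, the server encodes a coarse timestamp, the client's MSS and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN/ACK, and only allocates state when a final ACK arrives carrying a valid cookie. The code below is an added example, not from the thesis, that implements that scheme in pure Python; the SECRET, the MSS_TABLE, the 64-second tick and the sample addresses and ports are all constructed for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-server-secret"   # assumed: a real server uses a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)      # MSS values that three cookie bits can encode
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 3, 24
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def current_counter(now=None):
    """Coarse time counter: one tick every 64 seconds."""
    return int(time.time() if now is None else now) // 64


def _mac(secret, src, sport, dst, dport, mss_idx, counter):
    """24-bit keyed hash over the connection 4-tuple, MSS index and tick."""
    msg = f"{src}:{sport}>{dst}:{dport}|{mss_idx}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_syn_cookie(src, sport, dst, dport, mss, counter, secret=SECRET):
    """Server ISN for the SYN/ACK: [5-bit tick | 3-bit MSS index | 24-bit MAC].
    No per-connection state is stored; the cookie itself is the state."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    return ((counter & COUNTER_MASK) << (MSS_BITS + MAC_BITS)
            | mss_idx << MAC_BITS
            | _mac(secret, src, sport, dst, dport, mss_idx, counter))


def verify_syn_cookie(src, sport, dst, dport, ack_number, counter, secret=SECRET):
    """Validate the client's final ACK.
    Returns the MSS to use for the connection, or None if the cookie is forged or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF        # the client acknowledges ISN + 1
    tick = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    age = (counter - tick) & COUNTER_MASK          # ticks since minting, modulo 32
    if age > 1 or mss_idx >= len(MSS_TABLE):       # accept only the current and previous tick
        return None
    minted = counter - age
    if (cookie & MAC_MASK) != _mac(secret, src, sport, dst, dport, mss_idx, minted):
        return None
    return MSS_TABLE[mss_idx]


def simulate_handshake(counter):
    """Constructed exchange: a genuine client's ACK, a forged ACK, and a late ACK."""
    src, sport, dst, dport = "198.51.100.7", 40000, "192.0.2.10", 80
    isn = make_syn_cookie(src, sport, dst, dport, 1460, counter)      # sent in the SYN/ACK
    genuine = verify_syn_cookie(src, sport, dst, dport, isn + 1, counter)
    forged = verify_syn_cookie(src, sport, dst, dport, 0x12345678, counter)
    late = verify_syn_cookie(src, sport, dst, dport, isn + 1, counter + 5)
    return genuine, forged, late


if __name__ == "__main__":
    print(simulate_handshake(current_counter()))   # (1460, None, None)
```

A spoofed SYN never costs the server a control block, because nothing is allocated until an ACK proves the sender actually received the SYN/ACK at the claimed source address; a host that never received the cookie cannot produce a valid acknowledgement number. The cost is that TCP options not encoded in the cookie are lost when cookies are in use, which is why real stacks enable them only once the backlog is under pressure.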

The installation process is automated, with each installation running in the background for maximum multitasking. The result of this automation is the ability for attackers to set up the attack network in a very short time frame on widely dispersed systems whose true owners do not even know that their systems are out of their control. Optionally, a "root kit" is installed on the system to hide the presence of programs, files and network connections. This is more important on the Master system, since these systems are the key to the Trin00 network. One Master can control multiple Daemons. The target and date of the attack are also controlled by the Master / Handler. The Daemons are the compromised hosts that launch the actual UDP floods against the victim machine. Remote control of the Trin00 Master is accomplished via a TCP connection to port / TCP. Communication from the Trin00 Master to the Daemons is via UDP packets on port / UDP. Communication from the Trin00 Daemons to the Master is via UDP packets on port / UDP. The attacker uses the Handler to send commands that control the Agents. The attacker authenticates to the Handler and sends commands to all the Agents to launch a coordinated UDP packet based flooding attack targeted at one or more victim systems; the attack lasts up to a predefined time. The source address of Trin00 packets is not spoofed. Trin00 supports commands that can change the size of packets sent, stop an attack, check the status of an Agent and change the length of the attack. Both the Master and Daemons are password protected to prevent system administrators (or other hacker groups) from being able to take control of the Trin00 network.

Tribe Flood Network (TFN)

The Tribe Flood Network (TFN) Distributed Denial of Service attack tool is made up of client and Daemon programs, which are capable of launching ICMP flood, SYN flood, UDP flood and Smurf attacks, as well as providing an "on demand" root shell bound to a TCP port. Creation of a "root shell" is an important aspect of a TFN attack. On UNIX, the "root" user has control over the machine. An exploit will attempt to obtain a shell prompt from which any command can be entered and will execute with root privileges. In many remote attacks, the attacker will run an exploit script that breaks into the server and establishes a root shell bound to a TCP connection. The attacker can then remotely enter and execute commands on the system. As with Trin00, the method used to install the Master / Daemon is the same as installing any program on a UNIX system, with all the standard options for concealing the programs and files. The attacker(s) control one or more Masters, each of which can control many Daemons. The Daemons are all instructed by the Master to coordinate a packet based attack against one or more victim systems. Remote control of a TFN network is accomplished via command line execution of the Master program, which can be done using connection methods such as a remote shell bound to a TCP port, UDP based client / server remote shells, ICMP based client / server shells, SSH terminal sessions or normal "telnet" TCP terminal sessions. No password is required to run the Master program, although it is necessary to have the IP address list of the Daemons in an "iplist" file.

Communication from the TFN Master to the Daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP or UDP based communication between the Master and Daemons at all. Both the Master and the Daemon must be run as root. The Master program requires the iplist to be available, so finding a Master yields the list of Daemons. Recent installations of TFN Daemons have added Blowfish encryption of the iplist file to make the task of determining the Daemons much harder.

TFN2K

Similar to TFN, TFN2K is also a two-component attack system comprising Masters and Daemons. It can run on both Unix and Windows NT systems and executes as root or administrator, permitting the attacker to verify that the Master is running as well as to update the Master software. Masters exploit the resources of a number of Agents in order to coordinate an attack against one or more designated targets. The Master instructs its Agents to attack a list of designated targets. The Agents respond by flooding the targets with a barrage of packets comprising TCP-SYN, UDP, ICMP-PING or BROADCAST PING (Smurf) packet floods. Multiple Agents, coordinated by the Master, can work in tandem during this attack to disrupt access to the target. Master-to-Agent communications are encrypted and may be intermixed with any number of decoy packets. Both Master-to-Agent communications and the attacks themselves can be sent via randomized TCP, UDP and ICMP packets. Additionally, the Master can spoof its IP address. These facts significantly complicate the development of effective and efficient countermeasures for TFN2K.

Packet headers between Master and Agent are randomized, with the exception of ICMP, which always uses a type code of ICMP_ECHOREPLY (ping response). Unlike its predecessors, the TFN2K Daemon is completely silent; it does not acknowledge the commands it receives. Instead, the Master issues each command 20 times, relying on the probability that the Daemon will receive at least one. The command packets may be interspersed with any number of decoy packets sent to random IP addresses. TFN2K commands are not string-based as they are in TFN and Stacheldraht. TFN2K commands are of the form "+<id>+<data>", where <id> is a single byte denoting a particular command and <data> represents the command's parameters. All commands are encrypted using a key-based CAST-256 algorithm. The key is defined at compile time and is used as a password when running the TFN2K client.

Some significant features of TFN2K:

1. TFN2K modifies the Master and Agent process names at compile time from one installation to the next. This allows TFN2K to masquerade as a normal process on the Agent, and it may not be readily visible to simple inspection of the process list.
2. The UDP packet length is three bytes longer than the actual length of the packet.
3. The TCP header length is always zero. In legitimate TCP packets, this value is never zero.

Stacheldraht

Stacheldraht gained prominence because of its alleged involvement in the 2000 outbreak of DDoS attacks against prominent web sites such as Yahoo and Amazon. Stacheldraht code combines the most harmful features of Trin00 and TFN and uses an encrypted TCP packet to connect and communicate between attacker and Masters / Handlers and encrypted ICMP packets to talk to the Agents / Daemons. The Stacheldraht network is made up of one or more Handlers and a large set of Agents. The attackers use an encrypting "telnet alike" program to connect to and communicate with the Handlers. Each Handler can control many Agents. Unlike Trin00, which uses UDP for communication between Handlers and Agents, or the original Tribe Flood Network, which uses ICMP for communication between the Handler and Agents, Stacheldraht uses TCP and ICMP.

Remote control of a Stacheldraht network is accomplished using a simple Agent that uses symmetric key encryption for communication between itself and the Handler. The Agent accepts a single argument, the address of the Handler to which it should connect. It then connects using a TCP port (default 16660/TCP). After connecting to the Handler, the Agent is prompted for a password. This password is a standard crypt() encrypted password, which is then Blowfish encrypted using the pass phrase "<authentication>" before being sent over the network to the Handler (all communication between the Agent and Handler is Blowfish encrypted with this pass phrase).

In addition to finding an active Handler, the Agent performs a test to see if the network on which the Agent is running allows packets to exit with forged source addresses. It does this by sending out an ICMP_ECHO packet with a forged IP address of " ", an ID of 666 and the IP address of the Agent system in the data field of the ICMP packet. The Type of Service field is set to 7 on this particular packet, while others have a Type of Service value of 0. If the Master receives this packet, it replies to the IP address embedded in the packet with an ICMP_ECHOREPLY packet containing an ID of 1000 and the word "spoofworks" in the data field. If the Agent receives this packet, it sets a spoof_level of 0 (it can spoof all 32 bits of the IP address). If it times out before receiving a spoof reply packet, it sets a spoof_level of 3 (it can only spoof the final octet).

Stacheldraht also supports automated remote update of its Agents via the Remote File Copy (rcp) command, thus enabling the attacker to continually change the port passwords and command values. Stacheldraht can launch different types of attacks such as ICMP floods, UDP floods and SYN floods. Stacheldraht also has an update feature that makes it possible to automatically replace the Agents with new versions and start them. (Note: rcp is a connectivity command which copies files between a source machine and a system running the remote shell service Daemon (rshd). The rcp command can also be used for third-party transfers: the command can be executed from one system to copy files between two other computers that are running rshd.)

1.9 DDoS DEFENSE

The following are some simple steps which can be taken by any organization to effectively protect its resources against DDoS exploitation.

1. Limit spoofing by configuring the firewall to disallow any outgoing packet whose source address does not reside on the protected network.
2. Configure the Internet Service Provider (ISP) and routers to do egress filtering, i.e., monitor and potentially restrict the flow of information outbound from one network to another, to ensure that unauthorized or malicious traffic does not exit the internal network and reach the Internet.
3. Disallow unnecessary ICMP, TCP and UDP traffic. Typically only ICMP type 3 (Destination Unreachable) packets should be allowed.
4. If ICMP cannot be blocked, disallow unsolicited (or all) ICMP_ECHOREPLY packets.
5. Disallow UDP and TCP, except on a specific list of ports.
6. Take measures to ensure that systems do not allow intruders to install DDoS attack tools on them.

Without proper planning and forethought, a sustained DDoS attack can find an organization without the necessary resources or procedures to deal with the attack. It is essential to ensure that the response procedures are clear and that enough resources, both people and technology, are available to effectively handle the attack. The resources needed to deal with an attack should already be in place when an attack occurs. More bandwidth, additional load balanced servers and support staff should be ready to be deployed in the live environment when the need arises.
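The defense steps above and the tool traits described in the preceding sections (TFN and TFN2K commanding Daemons through ICMP_ECHOREPLY packets, TFN2K's UDP length and TCP header length anomalies, Stacheldraht's ID 666 / Type of Service 7 spoof test and its "spoofworks" reply, and its default Handler port 16660/TCP) can be expressed as one packet inspection routine. The following is an added example written for this chapter, not code from the chapter or from any of the tools it describes. It parses constructed IPv4 packets with the standard library only; the protected network 192.0.2.0/24, the peer and outside addresses, and the inbound port allowlist are all assumptions chosen for the demonstration, and the forged source address of Stacheldraht's spoof test (not given on the page) is stood in for by a constructed outside address.

```python
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# Constructed allowlist for step 5 (inbound TCP/UDP only to exposed services); an assumption
ALLOWED_PORTS = {53, 80, 443}

Packet = namedtuple("Packet", "src dst proto tos payload")   # payload = transport header + data


def build_ipv4(src, dst, proto, payload, tos=0):
    """Construct a minimal IPv4 packet (no options, checksum left zero) around a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(raw):
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Packet(str(ip_address(src)), str(ip_address(dst)), proto, tos, raw[ihl:total_len])


# Builders for the transport layer of the constructed test packets
def icmp(typ, ident, seq, data=b""):
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data


def udp(sport, dport, data, length_skew=0):
    # length_skew=3 reproduces the TFN2K trait: length field = real length + 3
    return struct.pack("!HHHH", sport, dport, 8 + len(data) + length_skew, 0) + data


def tcp(sport, dport, data_offset=5):
    # seq, ack, data offset (header length in 32-bit words), SYN flag, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, 0x02, 8192, 0, 0)


def inspect_packet(raw, protected_net, outbound, echo_state):
    """Apply the chapter's defense steps and tool traits to one packet.
    outbound: True when the packet leaves the protected network.  echo_state: set of
    (peer, id, seq) echo requests seen leaving the network, so that step 4 can tell a
    solicited ICMP_ECHOREPLY from an unsolicited one.  Returns a list of findings."""
    pkt = parse_ipv4(raw)
    findings = []

    # Steps 1-2: egress anti-spoofing -- an outgoing packet must carry an inside source
    if outbound and ip_address(pkt.src) not in ip_network(protected_net):
        findings.append("egress-spoof")

    if pkt.proto == PROTO_ICMP:
        typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt.payload[:8])
        data = pkt.payload[8:]
        if typ == ICMP_ECHO:
            # Stacheldraht's spoof test: ID 666 and Type of Service 7 on an echo request
            if ident == 666 and pkt.tos == 7:
                findings.append("stacheldraht-spoof-test")
            if outbound:
                echo_state.add((pkt.dst, ident, seq))
        elif typ == ICMP_ECHOREPLY:
            # Step 4: a reply that matches no request we sent is unsolicited (TFN/TFN2K control)
            if not outbound and (pkt.src, ident, seq) not in echo_state:
                findings.append("unsolicited-echo-reply")
            # Stacheldraht's answer to a successful spoof test
            if ident == 1000 and b"spoofworks" in data:
                findings.append("stacheldraht-spoof-reply")
        elif typ != ICMP_DEST_UNREACH:
            findings.append("icmp-type-not-allowed")       # step 3: only type 3 is needed
    elif pkt.proto == PROTO_UDP:
        length = struct.unpack("!HHHH", pkt.payload[:8])[2]
        if length == len(pkt.payload) + 3:                 # TFN2K trait 2
            findings.append("tfn2k-udp-length")
    elif pkt.proto == PROTO_TCP:
        if pkt.payload[12] >> 4 == 0:                      # TFN2K trait 3: header length zero
            findings.append("tfn2k-tcp-zero-header-length")

    if pkt.proto in (PROTO_TCP, PROTO_UDP) and not outbound:
        dport = struct.unpack("!H", pkt.payload[2:4])[0]
        if dport not in ALLOWED_PORTS:                     # step 5: inbound ports allowlist
            findings.append("port-not-allowed")
    return findings


def demo():
    """Run constructed packets through inspect_packet; returns {case name: findings}."""
    net = "192.0.2.0/24"                                   # constructed protected network
    inside, peer, outside = "192.0.2.10", "203.0.113.9", "198.51.100.7"
    state = set()
    cases = [
        ("spoofed-egress",   True,  build_ipv4(outside, peer, PROTO_UDP, udp(4000, 53, b"q"))),
        ("our-ping",         True,  build_ipv4(inside, peer, PROTO_ICMP, icmp(ICMP_ECHO, 1, 1))),
        ("solicited-reply",  False, build_ipv4(peer, inside, PROTO_ICMP, icmp(ICMP_ECHOREPLY, 1, 1))),
        ("tfn-command",      False, build_ipv4(peer, inside, PROTO_ICMP, icmp(ICMP_ECHOREPLY, 77, 0, b"cmd"))),
        ("tfn2k-udp",        False, build_ipv4(peer, inside, PROTO_UDP, udp(4000, 53, b"x", length_skew=3))),
        ("tfn2k-tcp",        False, build_ipv4(peer, inside, PROTO_TCP, tcp(4000, 80, data_offset=0))),
        ("handler-port",     False, build_ipv4(peer, inside, PROTO_TCP, tcp(4000, 16660))),
        ("spoof-test",       True,  build_ipv4(outside, peer, PROTO_ICMP, icmp(ICMP_ECHO, 666, 0, inside.encode()), tos=7)),
        ("spoofworks-reply", False, build_ipv4(peer, inside, PROTO_ICMP, icmp(ICMP_ECHOREPLY, 1000, 0, b"spoofworks"))),
        ("time-exceeded",    False, build_ipv4(peer, inside, PROTO_ICMP, icmp(11, 0, 0))),
    ]
    return {name: inspect_packet(raw, net, outbound, state) for name, outbound, raw in cases}
```

Running `demo()` shows each rule firing on exactly the packet it was written for: the outgoing packet with an outside source is caught by the egress check, the reply to our own ping passes while the reply that matches no request is flagged, the UDP datagram whose length field overstates the real length and the TCP segment with a zero header length trip the TFN2K checks, the connection to 16660/TCP fails the port allowlist, and the ID 666 / TOS 7 echo request and the "spoofworks" reply are recognised as Stacheldraht's spoof probe. The echo state is kept as a plain set here; a production filter would expire entries so that a stale request cannot make a later reply look solicited.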

CONCLUSION

The Internet has revolutionized the way companies communicate and conduct business. Its remarkable growth is already translating into significant financial rewards for the Internet based business sectors. At the same time, with every opportunity comes a measure of risk. By nature, the Web is public, distributed, connected and highly dynamic, subject to phenomenal growth in terms of infrastructure, the number of people online, as well as the sheer volume and types of applications running across and beyond generation of skilled hackers armed with sophisticated tools who enjoy the thrill of pushing security boundaries.

DDoS attacks are one of the hardest security threats to address. They do not attempt to compromise sensitive information on servers such as passwords, user data and credit card information, but endeavor to misuse and tie up the transit network resources and computational resources of the target system. Even for hardened Internet-based companies the loss of revenue due to unavailability caused by a DDoS attack can be devastating. The Cooperative Association for Internet Data Analysis (CAIDA) reports that only 2% of DDoS attacks lasted longer than five hours and 1% of attacks lasted more than ten hours. 90% of DDoS attacks lasted for one hour or less, of which 50% lasted less than ten minutes. 90% of the attacks were TCP based attacks and around 40% reached rates of 500 packets per second (pps) or greater. There is no simple solution to mitigate the risk of these attacks, but there are strategies that can help to minimize the impact of a large scale DDoS attack. The following chapter discusses some of the mechanisms proposed by researchers to mitigate the effects of a DDoS attack.


More information

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS , pp-29-33 Available online at http://www.bioinfo.in/contents.php?id=55 A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS SHUCHI JUYAL 1 AND RADHIKA PRABHAKAR 2 Department of Computer Application,

More information

Denial of Service (DoS) Technical Primer

Denial of Service (DoS) Technical Primer Denial of Service (DoS) Technical Primer Chris McNab Principal Consultant, Matta Security Limited chris.mcnab@trustmatta.com Topics Covered What is Denial of Service? Categories and types of Denial of

More information

Chapter 7 Protecting Against Denial of Service Attacks

Chapter 7 Protecting Against Denial of Service Attacks Chapter 7 Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for

More information

Analysis of Computer Network Attacks

Analysis of Computer Network Attacks Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril

More information

OSI Transport layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

OSI Transport layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) OSI Transport layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Transmission Control Protocol (TCP) IP can only be used to send datagrams chunks or streams of information

More information

Modern Denial of Service Protection

Modern Denial of Service Protection Modern Denial of Service Protection What is a Denial of Service Attack? A Denial of Service (DoS) attack is generally defined as a network-based attack that disables one or more resources, such as a network

More information

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Details: Introduction When computers in a private network connect to the Internet, they physically

More information

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24 Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key

More information

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers Abstract Hang Chau DoS/DDoS attacks are a virulent, relatively new type of Internet attacks, they have caused some biggest web

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance

More information

Networks: IP and TCP. Internet Protocol

Networks: IP and TCP. Internet Protocol Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

83-10-41 Types of Firewalls E. Eugene Schultz Payoff

83-10-41 Types of Firewalls E. Eugene Schultz Payoff 83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy. Master of Technology. Computer Science and Engineering

Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy. Master of Technology. Computer Science and Engineering Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy A thesis submitted in partial fulfillment of the requirements for the degree of Master of Technology in Computer Science

More information

Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq. Security Management by NETASQ Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information