1 McAfee [formerly IntruShield] Denial-of-Service [DoS] Prevention Techniques Revision C Revised on: 18-December-2013
2 2 Contents 1. Overview Types of DoS/DDoS Attacks Volume-based DoS attacks High Volume Attacks on Web Servers Slow HTTP DoS Attacks on Web Servers TCP SYN TCP Full Connect TCP ACK/FIN TCP RST DNS Flood UDP Flood ICMP Flood Non TCP/UDP/ICMP Flood Application Level Flood Exploit-based DoS attacks Using for effective DoS/DDoS Detection Volume-based DoS Attack Detection Threshold-based Attack Detection Learning-based [Statistical Anomaly-based ] Attack Detection Exploit-based DoS Attack Detection Using for effective DoS/DDoS Prevention Statistical Anomaly SYN Cookie Stateful TCP Engine DNS Protect... 15
3 Rate Limiting ACLs Connection Limiting with GTI Integration enabled Custom Reconnaissance Attack Definition Web Server - Denial-of-Service Protection Selecting specific DoS attacks for blocking in the Manager... 17
4 4 1. Overview This document caters to McAfee users in the following categories: You want to have an overview of the types of Denial-of-Service (DoS)/Distributed Denial-of-Service (DDoS) attacks that can detect You would like to know the response action (s) that can be taken against each type of DoS/DDoS attack What Is a Denial of Service Attack? A Denial-of-Service (DoS) attack is a malicious attempt to render a service, system, or network unusable by its legitimate users. Unlike most other hacks, a Denial of Service (DoS) does not require the attacker to gain access or entry into the targeted server. The primary goal of a DoS attack is instead to deny legitimate users access to the service provided by that server. Attackers achieve their DoS objective by flooding the target until it crashes, becomes unreachable from the outside network, or can no longer handle legitimate traffic. The actual volume of the attack traffic involved depends on the type of attack traffic payload used. With crafted payload such as malformed IP fragments, several such packets may be sufficient to crash a vulnerable TCP/IP stack; on the other hand, it may take a very large volume of perfectly conforming IP fragments to overwhelm the defragmentation processing in the same TCP/IP stack. Sophisticated attackers may choose to use a mixture of normal and malformed payloads for a DoS attack. DoS attacks can vary in impact from consuming the bandwidth of an entire network, to preventing service use of a single targeted host, or crashing of a single service on the target host. Most DoS attacks are flood attacks; that is, attacks aimed at flooding a network with TCP connection packets that are normally legitimate, but consume network bandwidth when sent in heavy volume. The headers of malicious packets are typically forged, or spoofed, to fool the victim into accepting the packets as if they are originating from a trusted source. What Is a Distributed Denial of Service Attack? A Distributed Denial-of-Service (DDoS) is a type of DoS attack that is launched from compromised hosts distributed within or across networks. A DDoS attack is coordinated across many systems all controlled by a single attacker, known as a master. Prior to the attack, the master compromises a large number of hosts, typically without their owners knowledge, and installed software that will later enable the coordinated attack. These compromised hosts, called zombies (also called daemons, agents, slaves, or bots), are then used to perform the actual attack. When the master is ready to launch the attack, every available zombie is contacted and instructed to attack a single victim. The master is not a part of the attack, thus tracing the true origin of a DDoS attack is very difficult. As with a DoS attack, packets sent from each zombie may be spoofed to fool the victim into accepting data from the trusted source. DDoS allows the attackers to utilize the network to multiplex low-volume sources into a high-volume stream in order to overwhelm the targets. Through the master-zombie communications, the real attackers can potentially hide their identities behind the zombies. 2. Types of DoS/DDoS Attacks DoS/DDoS attacks can be broadly classified into volume-based or exploit-based attacks.
5 Volume-based DoS attacks Volume-based DoS attacks are statistical anomalies in the traffic with respect to the normal distribution and volume of traffic. Significant changes in these levels can indicate malicious behavior. Based on the protocols used, volume-based attacks can be classified into the following categories High Volume Attacks on Web Servers High Volume DoS attacks are designed to overload web servers and exhaust sever capacity with nonessential requests. In recent times, bot operators have found various methods to overload any server with multiple requests with one or several hosts initiating DoS attacks. There are various DoS kits available in the market that can issue such volume attacks. A layer 7 DoS attack is harder to detect than DoS attacks at other layers because such an attack is often perpetrated using an upsurge of normal HTTP requests. The attacker configures bots to launch DoS attacks against particular domains or URLs, and generates high volume of HTTP requests to the server Slow HTTP DoS Attacks on Web Servers In addition to exhausting server capacity by sending a flood of HTTP requests, an attacker can also send requests that remain open for long durations. If connections remain open for prolonged periods, server resources are consumed, overloading the server capacity. Since HTTP is a protocol meant for short connections, any connection open beyond normal duration is assumed to be a slow attack TCP SYN A TCP SYN attack takes place when the attacker sends a large volume of TCP SYN packets using spoofed IP addresses to the target host. This fills up data structures on servers and creates a DOS condition TCP Full Connect A TCP Full connect attack is an attack that has a valid source IP and goes though the full TCP hand-shake process. The attacker uses real PCs with real IPs to generate a TCP Full Connect attack. This is typically done using botnets. Sending TCP full connect attacks from several botnets ties down server resources and creates a DoS condition. TCP full connect usually is a DDoS attack launched from botnets in distributed systems TCP ACK/FIN A TCP ACK/FIN attack takes place when the attacker sends a large volume of TCP ACK/FIN packets intentionally to the target host. This consumes bandwidth and creates a DoS condition TCP RST A TCP RST attack takes place when the attacker sends a large volume of malicious mimicked TCP RST packets aimed to prematurely terminate active TCP sessions. This attack consumes system resources that receive, check and discard the packets, thus causing a DoS condition.
6 DNS Flood Sending a flood of DNS requests to a Server constitutes a DNS Flood attack. Since DNS uses UDP, no hand-shake process is involved. A flood of DNS requests can tie down the resources of a DNS infrastructure and create a DoS condition UDP Flood Sending a flood of UDP attacks to a targeted system constitutes a UDP Flood attack. When communication is established between two UDP services, an UDP Flood attack is initiated by sending a large number of UDP packets to random ports of the targeted system. The targeted system is forced into sending many "Destination Unreachable" ICMP packets, thus consuming its resources and leading to DoS. As UDP does not require any connection setup procedure to transfer data, anyone with network connectivity can launch an attack; no account access is needed. Another example of UDP flood is connecting a host's "chargen" service to the "echo" service on the same or another machine. All affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so engaged, the intervening network may also become congested and deny service to all hosts whose traffic traverse that network ICMP Flood This attack involves flooding the network with ICMP Echo Request or Reply packets. A flood of Echo requests to a target system makes the system busy responding to the requests. If there is a flood of Reply packets, then it is very likely that the remote attacker has forged an IP address from within your network and is sending ICMP Echo Request packets to another network. That network replies to the address in the requests, thus starting a request/reply flood between the two networks Non TCP/UDP/ICMP Flood This involves flooding the network with packets other than TCP, UDP, or ICMP. Packets involved in this attack may include IPSec and malformed IP packets (such as IP with bad checksums and inconsistent length) Application Level Flood In recent times, some attackers use expensive queries and rely on software related exploits such as buffer overflows to bring down servers. These attacks cause confusion in the application by causing the disk space to fill in a short span of time or consume all available memory Exploit-based DoS attacks Exploit-based attacks exploit vulnerabilities in the network and its systems. Some well known examples of exploit-based DoS attacks are as follows:
7 7 Attack Name Peer-to-peer attacks Application-level floods Distributed Reflective Amplification DoS (DrDoS) Description Attackers have found a way to exploit vulnerabilities in peer-to-peer servers to initiate DDoS attacks. Peer-to-peer attacks differ from botnet attacks in that there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master", instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-topeer network and to connect to the victim's website instead. A moderately large peer-to-peer attack will involve about 750,000 connections hitting a target web server in short order. Several DoS-causing exploits such as buffer overflow exploit applications running on servers and fill its disk space or consume all available memory or CPU time. In such attacks, the attacker spoofs communication to a network protocol at a victim IP address, causing the protocol on the victim server to respond to the spoofed target. There are usually multiple victims and one primary target. The victim is the intermediary server that is used to reflect attack traffic. The campaign is almost always directed at the primary target. 3. Using for effective DoS/DDoS Detection McAfee provides an integrated hardware and software solution, which delivers comprehensive protection from known, first strike (unknown), DoS, and DDoS attacks from several hundred Mbps to multi-gigabit speeds. The architecture employs a combination of threshold-based and selflearning, profile-based detection techniques to detect DoS and DDoS attacks. With threshold-based detection, you, as a network administrator, can configure data traffic limits to ensure your servers will not become unavailable due to overload. These thresholds are selected based on coverage of different DDoS attacks and on the availability of statistics that will help the users to configure them. Meanwhile, self-learning methodologies enable to study the patterns of network usage and traffic over time; thus understanding the wide variety of lawful, though unusual, usage patterns that may occur during legitimate network operations. The learning algorithm takes into account sudden bursts that is common in all network traffic, and differentiates it from the real onset of DDoS traffic. In addition to learning the intensity behavior, it also learns the correlational behavior of different types of packets, which reliably captures TCP/IP protocol behavior, route configuration, and so on. Highly accurate DoS detection techniques are essential because popular Web sites and networks do experience legitimate and sometimes unexpected traffic surges during external events, or for a particularly compelling new program, service, or application. The combination of these two techniques yields the highest accuracy of detection for the full spectrum of DoS and DDoS attacks, when hundreds or even thousands of hosts are co-opted by a malicious programmer to strike against a single victim Volume-based DoS Attack Detection detects volume-based DoS attacks through threshold-based and statistical anomaly-based methods. Often a combination of these two methods is used.
8 Threshold-based Attack Detection The threshold method involves specifying the count and interval thresholds while configuring a DoS policy in the Network Security Manager. When the threshold is crossed, the DoS attack is detected. Threshold value and interval can be customized in the Network Security Manager for threshold attacks, such as: Inbound Link Utilization (Bytes/Sec) Too High Too Many Inbound ICMP Packets Too Many Inbound IP Fragments Too Many Inbound Large ICMP packets Too Many Inbound Large UDP packets Too Many Inbound Rejected TCP Packets Too Many Inbound TCP Connections Too Many Inbound TCP SYNs Too Many Inbound UDP Packets Learning-based [Statistical Anomaly-based ] Attack Detection A new Sensor runs for its first 48 hours in learning mode. After 48 hours are complete, the Sensor automatically changes to detection mode, having established a baseline of the normal traffic pattern for the network, or a long-term profile. The assumption is that no DoS attack takes place during those first 48 hours. After moving to detection mode, the Sensor continues to gather statistical data and update its long-term profile. In this way, the long-term profile evolves with the network. The Sensor also builds short time profiles with a time window of a few minutes. Learning mode profiles can be customized at the Sensor level. Sub-interfaces and individual CIDR hosts within a VLAN tag or CIDR block can be created and protected against DoS attacks with specific learning mode settings. This is useful in preventing a server in your DMZ or other location from being shut down by a DoS attack. A separate profile is created for each resource. The Statistical method uses statistical data gathered over a time window to create normal short-term and long-term profiles. DoS attacks are detected when there are anomalies between the traffic pattern in normal profiles and network traffic. Statistical anomalies in traffic are monitored by the Sensor with reference to learned data on normal traffic. A new Sensor runs for its first 48 hours in learning mode. After 48 hours are complete, the Sensor automatically changes to detection mode, having established a baseline of the normal traffic pattern for the network, or a long-term profile. The assumption is that no DoS attack takes place during those first 48 hours. After moving to detection mode, the Sensor continues to gather statistical data and update its long-term profile. In this way, the long-term profile evolves with the network. The Sensor uses the following checks and counter checks to ensure accuracy of detection: Counter profile contamination
9 9 Source IP classification. See section Statistical Anomaly. Countering Profile Contamination The goal behind the long-term profile is to define normal traffic levels. The Sensor can identify anomalous spikes in traffic with reference to the defined normal levels. The Sensor also uses the gathered statistical data to calculate short-term profiles (statistical data averaged over a time window of a few minutes). If a short-term profile that includes DoS attack data is used to update the long-term profile, it contaminates the long-term profile. uses the following countermeasures to help prevent contamination: When in detection mode, the Sensor temporarily ceases updating the long-term profile if too many statistical anomalies are seen over a short period. The Sensor uses percentile measure. A few large spikes in the short-term data will probably upset a simple average, but are less likely to affect a percentile measure. For example, imagine a group of four students taking an exam with percentile measure ranges of 0-29, 30-49, and for judging the effectiveness of the exam. Let us say three of the students receive grades of 95%, 93%, and 92% and the fourth receives a grade of 0%. The average score is only 70% but three of the four students are still in the range. The teacher can therefore use the percentile ranges as a valid measure for judging the effectiveness of the exam Exploit-based DoS Attack Detection Exploit attack are manifested in attack signatures, which the uses to detect specific exploit attacks. A signature is a profile of an attack. Detection of specific attacks is possible through signatures. Network Security Platform also uses exploit signatures for DoS attacks that are not caused by traditional means such as volume overload. For example, the HTTP: Microsoft IIS...SLASH... DenialofService exploit identifies a single request that prevents older IIS servers from responding to clients until they are restarted. The Sensor uses signatures to perform different levels of traffic processing and analysis. Network Security Platform signatures operate on a framework of Flows, Protocol parsing and Packet searches to detect vulnerability based DoS attacks and attacks using DDoS attack tools. For example, s detection mechanisms enable a signature to identify every HTTP traffic flow, every HTTP traffic flow using the GET mechanism, every HTTP traffic flow using GET with /cgi-bin/calendar.pl as the path and even every GET with that path and a parameter named month with a value of February". supports the aggregation of multiple signatures into every attack. Each signature within an attack can be more or less specific to identify everything from generic network activity that affects a given platform in a particular way to a specific piece of code that has very specific and identifiable effects. Based on their specificity and severity, signatures are assigned different confidence and 2severity values.
10 10 When a network event occurs that matches an existing attack, several signatures. 4. Using for effective DoS/DDoS Prevention Once DoS/DDoS attacks have been detected, offers the following methods to block various types of DoS Attacks. You can click on the hyperlinks to view related information: Attack Recommendation Comments TCP SYN TCP Full Connect TCP ACK/FIN/RST SYN Cookies Statistical Anomaly Statistical Anomaly Connection Limiting with GTI Integration enabled Stateful TCP Statistical Anomaly You can configure SYN cookies in the Network Security Manager to accurately block all attack traffic, while allowing all legitimate traffic. TCP SYN or TCP FIN inbound or outbound attacks can be blocked by configuring the TCP SYN or FIN Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. When used within an enterprise, ACLs can be configured in the Network Security Manager to allow traffic only from known sources. Configuring SYN cookies is more effective and deterministic compared to Statistical Anomaly. When used within an enterprise, ACLs can be configured in the Network Security Manager to allow traffic only from known sources. You can define a threshold value to limit the connection rate or the number of active connections. In addition to this, you can also define rules to limit access based on the external hosts reputation and geo-location. Statistical anomaly is based on data learnt over a time window. For immediate prevention of connection based DoS attacks, Connection Limiting would be more effective. This attack can be blocked by setting the TCP Flow Violation to DENY_NO_TCB in the Network Security Manager. TCP SYN or TCP FIN inbound or outbound attacks can be
11 11 Attack Recommendation Comments blocked by configuring the TCP SYN or FIN Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. TCP RST attacks can be blocked by configuring the TCP RST Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. Alternatively, TCP RST flood can be blocked by setting the TCP Flow. McAfee recommends that you use stateful TCP to prevent these attacks. DNS Flood UDP Flood DNS Protect Statistical Anomaly Connection Limiting with GTI Integration enabled Statistical Anomaly Rate Limiting You can mitigate DNS flood attacks by using DNS Spoof protection feature that can be enabled through CLI commands on the Sensor. UDP Flood attacks can also be blocked by configuring the UDP Packet Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. You can define a threshold value to limit the connection rate or the number of active connections. In addition to this, you can also define rules to limit access based on the external hosts reputation and geo-location. Statistical anomaly is based on data learnt over a time window. If performance with TCP is acceptable, use DNS Protect, which is more deterministic. For immediate prevention of connection based DoS attacks, Connection Limiting would be more effective. UDP Flood attacks can be blocked by configuring the UDP Packet Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. ACLs can be configured in the Network Security Manager to block UDP traffic that is not expected to be
12 12 Attack Recommendation Comments seen with the network. Connection Limiting with GTI Integration enabled You can define a threshold value to limit the connection rate or the number of active connections. In addition to this, you can also define rules to limit access based on the external hosts reputation and geo-location. ICMP Flood Statistical Anomaly Rate Limiting Connection Limiting with GTI Integration enabled Statistical anomaly is based on data learnt over a time window. For immediate prevention of connection based DoS attacks, Connection Limiting would be more effective. ICMP Flood attacks can be blocked by configuring the ICMP Packet Volume too high and ICMP Echo Request or Reply Volume too high policies to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. ACLs can be configured in the Network Security Manager to block ICMP traffic that is not expected to be seen with the network. You can define a threshold value to limit the connection rate or the number of active connections. In addition to this, you can also define rules to limit access based on the external hosts reputation and geo-location. Statistical anomaly is based on data learnt over a time window. For immediate prevention of connection based DoS attacks, Connection Limiting would be more effective. Non TCP/UDP/ICMP Flood Statistical Anomaly Non TCP/UDP/ICMP attacks can be blocked by configuring the Non-TCP-UDP-ICMP Volume too high policy to block such attacks, in both inbound and outbound traffic using the IPS Policy Editor. Exploit DoS attacks Application Level Network Security Platform Signatures Custom Reconnaissance Attack Exploit attacks can be blocked by configuring policies to block the exploit attacks (more than 3000) listed in the IPS Policy Editor, for both inbound and outbound traffic. Use correlated attack definition, which is based on the individual attack definitions. For example, custom
14 14 The Sensor blocks all packets with source IPs in the bins that occupy a large percentage of the shortterm traffic together with a significantly higher percentage of short-term traffic than historically seen. This combats attacks that are initiated from a handful of networks with authentic source IP addresses. The Sensor does not block packets with source IPs in the bins that occupy a small percentage of the IP space and represent a high percentage of the long-term traffic. This protects against blocking hosts that are known to be good. The exception to the third criterion is when the traffic also meets the second criterion. In other words, source IPs from the good bins are blocked if their short-term traffic level is significantly higher than their peak long-term level. This combats attacks that are initiated from good hosts that have recently been compromised. Source IP classification is more effective than using devices such as firewalls that limits the rate of SYN packets on the network to block DoS attacks. The key difference in such an approach and Network Security Platform is that a rate-limiting device blocks traffic randomly. Good traffic has the same probability of being blocked as attack traffic. On the other hand, source IP classification used by Network Security Platform attempts to differentiate good traffic from attack traffic, so attack traffic is more likely to be blocked. Note: The Statistical anomaly method is effective in preventing most attacks; however, there are some chances of false positives SYN Cookie In a SYN flood attack, Server resources are targeted to consume TCP memory by sending SYN, and after the Server responds with a SYN+ACK, force the Server to hold state information while waiting for the Client s ACK message. As the Server maintains state for half-open connections, Server resources are constrained. The Server may no longer be able to accept TCP connections, resulting in a DoS condition. uses a specific choice of initial TCP number as a defense against SYN flood attacks. With SYN cookies enabled in the Network Security Manager, whenever a new connection request arrives at a server, the server sends back a SYN+ACK with an Initial Sequence Number (ISN) uniquely generated using the information present in the incoming SYN packet and a secret key. If the connection request is from a legitimate host, the server gets back an ACK from the host. If the connection request is not from a legitimate host, a TCP session is not created, and a potential DoS condition is prevented Stateful TCP Engine Sensor has a built-in TCP stack that follows the state required for TCP protocol. Sensor uses the TCP state to prevent out of context packets and packets without a valid state. The TCP stateful engine can be used effectively to drop spoofed TCP RST, TCP FIN, TCP ACK floods.
15 DNS Protect DNS Protect feature in sensor can be used to protect DNS Servers from DoS spoof attack by forcing the DNS clients to use TCP instead of UDP as their transport protocol. Since TCP uses three-way-handshake, it is comparatively tough to launch spoofed attacks when TCP is used. You can set the DNS protection mode, add to, or delete existing DNS Spoof protection IP addresses from the protected server list using CLI commands Rate Limiting Rate limiting is used to control the rate of egress (traffic going out) traffic sent through the ports of a Sensor. When deployed in inline mode, Sensor permits rate limiting of traffic by limiting the bandwidth of the traffic that goes through the Sensor ports. Traffic that is less than or equal to the specified bandwidth value is allowed, whereas traffic that exceeds the bandwidth value is dropped. The Sensor uses the token bucket approach for rate limiting traffic. An Administrator can set appropriate values in the Manager to prevent DoS by setting Sensor port specific bandwidth limits that are relevant for preventing DoS in a particular network. You can rate-limit by protocol such as P2P, HTTP and ICMP as by TCP ports, UDP ports, and IP Protocol Number. provides rate limiting configuration at individual sensor ports. For example, if 1A-1B is a port-pair, traffic management is configured separately for 1A and 1B. Traffic Management configuration for a port applies to egress traffic only. In the Manager, every rate limiting queue of a Sensor is uniquely identified by a name. The traffic management queues are configured based on Protocol, TCP ports, UDP ports, and IP Protocol Number. You can create multiple queues for each port of the sensor. The traffic management configuration in the Manager must be followed by a configuration update to the sensor. Rate limiting option is available as one of the traffic management options in the Manager. Rate limiting is very effective when applied in a specific context with full knowledge of the nature of traffic in a particular network. Rate limiting needs to be applied carefully as it might drop legitimate traffic as well ACLs You can also use ACLs to prevent DoS attacks. ACLs can be created for a combination of any source IP addresses, destination IP addresses, specified CIDR blocks, destination protocol/port, by TCP/UDP port, by ICMP type, and by IP protocol for the Sensor as a whole and per individual port pair. ACL can be used to mitigate DoS attacks by creating ACLs specific to the nature of traffic in a network. For instance, if you are aware of what protocols are normally seen in your network, you can configure ACL to drop the type of traffic that is not normally expected in your network. Permit, Drop or Deny response action can be set while enabling intrusion prevention matching a configured rule. When used within an enterprise, ACL Permit can be configured from all know CIDRs.
16 Connection Limiting with GTI Integration enabled You can define a threshold value to limit the number of connections/ per second or the number of active connections to prevent connection based DoS attacks. The Sensor provides the ability to define threshold values to limit number of connections (three-way TCP handshakes) a host can establish. The number of connections or connection rate that is less than or equal to the defined threshold value is allowed. When this number is exceeded, the subsequent connections are dropped. This helps in minimizing the connection-based DoS attacks on server. The threshold value is defined as the number of connections/second or active connections. For example, if you define 1 connection/sec as the threshold value then, there are 10 connections in the 1st second, all the other connections from the 2nd to the 10th second will be dropped. On the other hand, if you have 1 connection for each second, all the 10 connections till the 10th second will be allowed. This is also known as Traffic sampling. You can define the Connection Limiting rules of the following types: Protocol - use this to limit TCP/UDP/ICMP active connections or connection rate from a host. GTI - In this case, the Sensor integrates with McAfee GTI IP Reputation to obtain the reputation score and geo-location of the external host. Therefore, use this to define connection limiting rules for traffic to/from external hosts based on reputation and geo-location of the external hosts Custom Reconnaissance Attack Definition You can create custom signature-based attack definitions to prevent exploit based DoS attacks. Using the Custom Attack Editor, you can define correlated attacks using these individual attack definitions. For example, custom attacks that check for URI can be further correlated to test for multiple occurrences in a defined time interval to raise a correlated attack. The correlation methods supported are: Brute Force Host Sweep Port Scan Service Sweep Finger Printing When traffic passing through the Sensor exceeds the threshold count set for the custom reconnaissance attack within a configured Interval, the Sensor raises an alert to the Manager. You can then opt to take the response actions such as blocking or quarantining the host Web Server - Denial-of-Service Protection Attacks on web servers can either target the infrastructure or target a particular URL/path which results in overloading of web servers or exceeding the server capacity. Since it is hard to distinguish bot traffic, you can use to configure different response actions based on a threshold, and revert with a challenge to determine whether the HTTP requests originated from valid browsers or bots.
18 18 In these circumstances, you can choose to mitigate risks by modifying your existing IPS policy and swiftly block such attacks. You can achieve this by filtering just Trin00 attack signatures from the signature set in your IPS policy editor. To filter just Trin00 attack signatures in your IPS policy editor: 1. On the Attacks tab, specify Attack Name as Trin00 and click Apply. All attack signatures that have Trin00 in their name will be filtered. To make your selection broader and select say, DoS attacks that are exploit-based using UDP protocol, follow these steps: 2. In the top-right section of this window, click Advanced Display Filtering and New Filter. The Display Filter window opens, where you can specify filtering criteria. 3. Specify a name for your filter, example Exploit-UDP DoS attacks only. 4. Specify the following criteria: a. Select Attack Category. b. Set the condition as Equals and Exploit. c. Select Attack Name. d. Set the condition as Contains and enter UDP e. Click (+), set the condition as Contains, and enter DoS. To complete the policy configuration: 5. Make sure all these attacks are enabled for blocking. 6. Next, apply this policy to your Sensor or interface in the Protection Profile page. 7. To update this policy change in your Sensor, go to Deploy Pending Changes and perform a configuration update. This ensures that the DDoS attacks that you selected are blocked with the intended response actions. For support information, visit mysupport.mcafee.com. Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
NSP DoS Prevention Techniques Revision D McAfee Network Security Platform COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
Denial-of-Service McAfee Network Security Platform COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
Denial of Service Attacks Notes derived from Michael R. Grimaila s originals Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident
Deciphering Detection Techniques: Part III Denial of Service Detection By Dr. Fengmin Gong, Chief Scientist, McAfee Network Security Technologies Group January 2003 networkassociates.com Table of Contents
DoS/DDoS Attacks and Protection on VoIP/UC Presented by: Sipera Systems Agenda What are DoS and DDoS Attacks? VoIP/UC is different Impact of DoS attacks on VoIP Protection techniques 2 UC Security Requirements
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE firstname.lastname@example.org www.cloudflare.com
Modern Denial of Service Protection What is a Denial of Service Attack? A Denial of Service (DoS) attack is generally defined as a network-based attack that disables one or more resources, such as a network
Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms. Table of Contents Brocade NetIron
Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001
Introducing self-protecting servers Background The current DNS environment is subject to a variety of distributed denial of service (DDoS) attacks, including reflected floods, amplification attacks, TCP
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,
CSE 127 Computer Security Fall 2011 More on network security Todays outline NAT, Firewalls IDS DDoS Chris Kanich (standing in for Hovav) [some slides courtesy Dan Boneh & John Mitchell] TCP/IP Protocol
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s
Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor
Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom
Technology Blueprint Defend Against Denial of Service (DOS and DDOS) Attacks Protect each IT service layer against exploitation and abuse LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker
CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic
Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
Session Hijacking Exploiting TCP, UDP and HTTP Sessions Shray Kapoor email@example.com Preface With the emerging fields in e-commerce, financial and identity information are at a higher risk of being
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...
(DoS) What Can be DoSed? First Internet DoS Attack The TCP State Diagram SYN Flooding Anti-Spoofing Better Data Structures Attacking Compact Data Structures Generic Solution SYN Cookies It s Not Perfect
& Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright
Secure Software Programming and Vulnerability Analysis Christopher Kruegel firstname.lastname@example.org http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (email@example.com) Suvesh Pratapa (firstname.lastname@example.org) Modified by
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
SonicOS Using SYN Flood Protection in SonicOS Enhanced Introduction This TechNote will describe SYN Flood protection can be activated on SonicWALL security appliance to protect internal networks. It will
Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:email@example.com Abstract Denial of Service is a well known term in network security world as
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
Laboratory for Computer Security Education 1 Attack Lab: Attacks on TCP/IP Protocols Copyright c 2006-2010 Wenliang Du, Syracuse University. The development of this document is funded by the National Science
UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 REVISED 23 FEBRUARY 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
Project4 EDoS Instructions 1 Project 4: (E)DoS Attacks Secure Systems and Applications 2009 Ben Smeets (C) Dept. of Electrical and Information Technology, Lund University, Sweden Introduction A particular
Chapter 7 Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for
Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Sau Fan LEE (ID: 3484135) Computer Science Department, University of Auckland Email: firstname.lastname@example.org Abstract A denial-of-service
A Very Incomplete Diagram of Network Attacks TCP/IP Stack Reconnaissance Spoofing Tamper DoS Internet Transport Application HTTP SMTP DNS TCP UDP IP ICMP Network/Link 1) HTML/JS files 2)Banner Grabbing
Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
M series Release Notes Network Security Platform 7.5 Revision B Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
Application Denial of Service Is it Really That Easy? Shay Chen Agenda Introduction to Denial of Service Attacks Application Level DoS Techniques Case Study Denial of Service Testing Mitigation Summary
Network Security Attack and Defense Techniques Anna Sperotto, Ramin Sadre Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attack Taxonomy Many different kind of