SECURING APACHE : DOS & DDOS ATTACKS - I



Similar documents
Abstract. Introduction. Section I. What is Denial of Service Attack?

Denial of Service Attacks

Denial Of Service. Types of attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Seminar Computer Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

co Characterizing and Tracing Packet Floods Using Cisco R

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Denial of Service (DoS)

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

SECURING APACHE : DOS & DDOS ATTACKS - II

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

A Study of DOS & DDOS Smurf Attack and Preventive Measures

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

1. Firewall Configuration

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

DDoS Protection Technology White Paper

Strategies to Protect Against Distributed Denial of Service (DD

How To Stop A Ddos Attack On A Website From Being Successful

Survey on DDoS Attack in Cloud Environment

Distributed Denial of Service (DDoS)

SECURITY FLAWS IN INTERNET VOTING SYSTEM

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Announcements. No question session this week

Safeguards Against Denial of Service Attacks for IP Phones

Gaurav Gupta CMSC 681

Frequent Denial of Service Attacks

Modern Denial of Service Protection

Survey on DDoS Attack Detection and Prevention in Cloud

Security Technology White Paper

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Firewalls and Intrusion Detection

Project 4: (E)DoS Attacks

Denial of Service Attacks

Denial of Service Attacks, What They are and How to Combat Them

How To Protect A Dns Authority Server From A Flood Attack

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Chapter 7 Protecting Against Denial of Service Attacks

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

How To Defend Against A Distributed Denial Of Service Attack (Ddos)

TLP WHITE. Denial of service attacks: what you need to know

Chapter 8 Security Pt 2

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

Denial of Service (DoS) Technical Primer

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

CS5008: Internet Computing

A S B

Network attack and defense

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Denial of Service. Tom Chen SMU

Chapter 28 Denial of Service (DoS) Attack Prevention

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Yahoo Attack. Is DDoS a Real Problem?

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Attack and Defense Techniques

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

Network Bandwidth Denial of Service (DoS)

McAfee Network Security Platform [formerly IntruShield] Denial-of-Service [DoS] Prevention Techniques Revision C Revised on: 18-December-2013

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

CSCE 465 Computer & Network Security

Defense against DoS, flooding attacks

Brocade NetIron Denial of Service Prevention

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Content Distribution Networks (CDN)

How To Prevent DoS and DDoS Attacks using Cyberoam

Secure Software Programming and Vulnerability Analysis

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Keywords Attack model, DDoS, Host Scan, Port Scan

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

VALIDATING DDoS THREAT PROTECTION

Attack Lab: Attacks on TCP/IP Protocols

How To Block A Ddos Attack On A Network With A Firewall

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

DoS/DDoS Attacks and Protection on VoIP/UC

Network Security - DDoS

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

Overview. Firewall Security. Perimeter Security Devices. Routers

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Transcription:

SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial of Service (DoS) attacks The goal of a Denial of Service (DoS) attack is to disrupt some legitimate activity, such as browsing Web pages, email functionality or the transfer of money from your bank account. It could even shutdown the whole Web server. This denial-of-service effect is achieved by sending messages to the target machine such that the message interferes with its operation and makes it hang, crash, reboot, or do useless work. In a majority of cases, the attacker s aim is to deprive clients of desired server functionality. One way to interfere with legitimate operations is to exploit vulnerabilities on the target machine or application, by sending specially crafted requests targeting the given vulnerability (usually done with tools like Metasploit). Another way is to send a vast number of messages, which consume some key resource of the target machine, such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic, and cannot attend to legitimate clients. Of course, to generate such a vast number of requests, the attacker must possess a very powerful machine with a sufficiently fast processor and a lot of available

network bandwidth. For the attack to be successful, it has to overload the target s resources. This means that an attacker s machine must be able to generate more traffic than a target, or its network infrastructure, can handle. Attack scenario Here is a simple scenario: an attacker sends a large number of requests to a Web server for example, a website that hosts HD image files at a particular URL, saywww.example.com/images/hd_images.html. Let s also assume that this page contains about 50-60 images. Now, every time a user reloads this page, it consumes a large portion of the Web server s bandwidth. Now, here, an attacker could design a separate HTML page, with an iframeembedded in it, like what s shown below: <html> <iframe src=http://www.example.com/images/hd_images.html width=2 height=2></iframe> </html> Let s suppose that instead of a single iframe, the attacker copies and pastes the above code 1,000 times in the same page, and also adds a meta refresh tag as follows: <html> <head> <meta http-equiv="refresh" content="2"> </head> <iframe src=http://www.example.com/images/hd_images.html width=2 height=2></iframe> <iframe src=http://www.example.com/images/hd_images.html width=2 height=2></iframe> : : : (1000 times) </html>

Such a page, when loaded, will send the same request 1,000 times every 2 seconds, and will consume a lot of the Web server s bandwidth. Thus, the target server will not be able to respond to other clients, and eventually, legitimate clients will be denied services from the server. Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assume that example.com has abundant resources and considerable bandwidth (which is most often the case). It is then difficult for the attackers to generate a sufficient number of messages from a single machine (as in the above scenario) to overload those resources. However, imagine the consequences if they got 100,000 machines under their control, in order to simultaneously generate requests to example.com. Each of the attacking machines (compromised machines that have been infected by malicious code) may be only moderately provisioned (have a slow processor and be on a mere modem link), but together, they form a formidable attack network which, with proper use, could overwhelm even a well-provisioned victim site. This is a distributed denial-of-service (DDoS) attack, and the machines under the attacker s control are termed as zombies/agents. Distributed denial-of-service (DDoS) attacks In a typical DDoS attack, the attacker s army consists of master zombies and slave zombies. The attacker coordinates and orders master zombies and they, in turn, coordinate and trigger slave zombies. More specifically, the attacker sends an attack command to the master zombies, and activates all attack processes on those machines, which are in hibernation, waiting for the appropriate command to wake up and start attacking. Then the master zombies duplicate the attack commands to each of their slave zombies, ordering them to mount a DDoS attack against the victim. In this way, the

zombie systems begin to send a large volume of packets to the victim, flooding it with useless loads, and exhausting its resources. Figure 1: A typical DDoS attack In DDoS attacks, spoofed source IP addresses are used in the packets of the attack traffic. Attackers prefer to use such counterfeit source IP addresses for two major reasons: first, to hide the identity of the zombies, so that the victim cannot trace the attack back to them. The second reason is to discourage any attempt by the victim to filter out the malicious traffic. Types of DoS attacks Though there are numerous flavours of DoS attacks, here we ll discuss only those which affect the Web server and Web applications. TCP SYN flooding attacks DoS attacks often exploit stateful network protocols, because these protocols consume resources to maintain state. TCP SYN flooding is one such attack, and had a wide impact on many systems. When a client attempts to establish a TCP

connection to a server, the client first sends a SYN message to the server. The server acknowledges this by sending a SYN-ACK message to the client. The client completes establishing of the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them. The abuse occurs at the half-open state when the server is waiting for the client s ACK message, after sending the SYN-ACK message to the client. The server needs to allocate memory to store information about the half-open connection, and this memory will not be released until the server either receives the final ACK message, or the half-open connection expires (times out). Attackers can easily create half-open connections by spoofing source IPs in SYN messages, or ignoring SYN-ACKs. The consequence is that the final ACK message will never be sent to the victim. Because the victim normally only allocates a limited amount of space in its process table, too many half-open connections will soon fill the space. Even though the half-open connections will eventually expire due to their timeout, zombies can aggressively send spoofed TCP SYN packets, requesting connections at a much higher rate than the expiration rate. Finally, the victim will be unable to accept any new incoming connections, and thus cannot provide services. ICMP Smurf attacks The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a host. If a host receives the packet, that host will return an ICMP echo reply packet. A common implementation of this process is the pingapplication.

In this attack, spoofed IP packets containing ICMP echo requests, with a source address like that of the target system, and a broadcast destination address, are sent to the intermediate network. (Broadcast addresses are specially allocated addresses within all network subnets, used to broadcast messages to the whole network. All hosts within a given subnet receive packets sent to these broadcast addresses and in some cases ICMP protocol, for instance respond to them.) Sending the ICMP echo request to a broadcast address triggers all hosts in the network to respond with an ICMP response packet to the spoofed address (the victim s), thus creating a large mass of packets which are routed to the victim s address. Networks may include up to hundreds of hosts; hence, one attack echo request results in hundreds of packets flooding the victim s site. UDP flooding attacks By patching or redesigning the implementation of TCP and ICMP protocols, current networks and systems have incorporated new security features to prevent TCP and ICMP attacks. Nevertheless, attackers may simply send a large amount of UDP packets towards a victim. Since an intermediate network can deliver higher volumes of traffic than the victim network can handle, the flooding traffic can exhaust the victim s connection resources. Pure flooding can be done with any type of packets. Attackers can also choose to flood service requests so that the victim cannot handle all requests with its constrained resources (i.e., service memory or CPU cycles). UDP flooding is similar to flash crowds that occur when a large number of users try to access the same server simultaneously. Distributed Reflected Denial of Service (DRDoS) attacks Unlike typical DDoS attacks, in the case of DRDoS attacks, the army of the attacker consists of master zombies, slave zombies, and reflectors. This resembles typical

DDoS attacks up to a particular point. The attackers have control over master zombies, which, in turn, have control over slave zombies. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim s IP address as the source IP address, to other, uninfected machines (known as reflectors), causing these machines to connect to the victim. Thus, the reflectors send the victim a greater volume of traffic, because they see the victim as requesting it. Therefore, in DRDoS attacks, the attack is mounted by non-compromised machines, which mount the attack without being aware of the hostile intent. Figure 2: A typical DRDoS attack Comparing the two scenarios of DDoS attacks, we should note that a DRDoS attack is more detrimental than a typical DDoS attack, because a DRDoS attack has more machines to share the attack the attack is more distributed and so creates a greater volume of traffic.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information