Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski
DoS - Introduction
A denial-of-service attack (DoS attack) is "an attempt to make a computer resource unavailable to its intended users" (Wikipedia).
Types of DoS:
- Vulnerability attack: malformed packets interact with some network protocol or application weakness present at the victim.
- Flooding attack: sends the victim a large, occasionally continuous, amount of network traffic workload.

DoS Flooding attacks (1)
Regular DoS: the attacker sends a great amount of network traffic to another machine. Condition: the attacker's bandwidth is greater than the victim's.

DoS Flooding attacks (2)
Distributed DoS: the attacker takes control over a group of computers in the network (bots, zombies, slaves) and uses them to flood the victim.

DoS Flooding attacks (3)
Distributed Reflection DoS: the attacker sends a constant flow of packets to a certain group of well-known servers. The source address is spoofed and points at the victim. The servers reply to the victim, producing the flooding effect.

Analysis (1)
A DoS attack can be detected on two levels:
- As a flood of one or many connections to the internet, blocking their access and making data transfer impossible; at the level of the victim.
- As misbehavior, only in cases 2 and 3 (Distributed DoS and Distributed Reflection DoS); at the level of the intermediate nodes (if they are unaware victims).
Dealing with DoS on those levels has different goals:
- Victim: to block the unwanted flood accurately without denying access to legitimate users.
- Intermediate node: to avoid accusation of partnership in an attack.

Analysis (2): Flood
The effect is an almost immediate blockage of the internet connection due to traffic that is impossible to handle. The reaction time should be measured in hours. Dealing with DoS in real time is almost impossible: there is no slow start for a DoS attack, the flood is immediate and overwhelming.
All cases are characterized by network traffic having a fixed origin. Even if some properties of the generated traffic are spoofed, certain characteristics of the network traffic remain unchanged:
- TCP/IP packet construction
- Number of hops
- Protocols used
- Startup time

Analysis (3): Misbehavior
Acting as an intermediate node causes no serious malfunctioning of internet communication, although it can be noticed.
Remote control (Distributed DoS) is performed by malicious software, usually a trojan horse. Such activity is characterized by:
- Activity of unauthorized software
- Unauthorized incoming and outgoing connections
A constant flow (Distributed Reflection DoS) is also an anomaly. Usually the flow consists of TCP SYN packets or DNS queries, and its characteristics are:
- The anomalous structure of such a flow
- The source address is spoofed, so the intermediate server witnesses anomalous requests from a previously regular source

Countermeasures: Misbehavior
Methods:
- Monitoring the system for unauthorized system calls and outgoing/incoming connections on forbidden ports (HIDS).
- Monitoring the network for prohibited incoming/outgoing connections and unusual bandwidth consumption (NIDS).
Support: signature-based and anomaly-based intrusion detection systems.
Remarks:
- The model may include receiving information from the victim that the network/computer is a source of a DoS attack.
- The model may include the scenario of tracking the real attacker controlling the intermediate node.

Countermeasures: Flood (1)
Methods:
- Filtering (on many levels) of malicious traffic: network traffic needs to be accurately classified to tell which packets should be discarded.
- Contact with the source of the attack, or its provider: the flow can be stopped at its source and a proper investigation can be carried out.
Support: both methods require precise information about the source of the flood. An efficient and precise clustering and classification algorithm is needed to find regularities in the analyzed traffic.
Remarks: mistakes in such classification lead to blocking legitimate users from access to legitimate services, which is the sole purpose of DoS attacks.

Countermeasures: Flood (2)
Information about traffic can be gathered using a technique called passive fingerprinting, which gathers information about an operating system and the topology of its network solely on the basis of the construction of TCP/IP headers.
This information can then be analyzed using the Context-aware Immune System (CAIS) presented by Mohr, Ryan and Timmis (2003); their algorithm allows constructing an immune-based memory that supports classification and dynamically reflects changes in the analyzed data.
The data to be analyzed using CAIS may be:
- IP and provider
- Distance
- Up time
- Protocol-specific information (ports, type of protocol, protocol flags)
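As an added illustration (not part of the original slides), the passive-fingerprinting step in Python: the packet records, addresses and the initial-TTL table are constructed assumptions, and the header signature shared by most of the traffic becomes the filter rule the slide describes.

```python
from collections import Counter
from dataclasses import dataclass

# Initial TTL values used by common operating systems (assumption: the smallest
# of these at or above the observed TTL is the sender's starting value).
INITIAL_TTLS = (64, 128, 255)

@dataclass(frozen=True)
class Packet:
    src: str      # source address (may be spoofed, so never part of the signature)
    ttl: int      # TTL as seen at the victim
    proto: str    # "TCP" or "UDP"
    flags: str    # TCP flags, e.g. "S" for SYN; "" for UDP
    window: int   # TCP window size, 0 for UDP

def initial_ttl(ttl):
    return next(t for t in INITIAL_TTLS if t >= ttl)

def hop_distance(ttl):
    """Hops travelled: the 'distance' parameter of passive fingerprinting."""
    return initial_ttl(ttl) - ttl

def fingerprint(pkt):
    """Header properties a flood source cannot change by spoofing its address."""
    return (initial_ttl(pkt.ttl), hop_distance(pkt.ttl), pkt.proto, pkt.flags, pkt.window)

def dominant_signature(packets, share=0.5):
    """Fingerprint carried by at least `share` of the traffic, or None if no flood dominates."""
    counts = Counter(fingerprint(p) for p in packets)
    sig, n = counts.most_common(1)[0]
    return sig if n >= share * len(packets) else None

def apply_filter(packets, sig):
    """Split traffic into (passed, dropped) using the signature as the filter rule.
    Legitimate packets with the same construction are dropped too: this is the
    classification mistake the slides warn about."""
    dropped = [p for p in packets if fingerprint(p) == sig]
    passed = [p for p in packets if fingerprint(p) != sig]
    return passed, dropped

# Constructed sample: nine spoofed-source SYNs with identical header construction
# (started at TTL 128, four hops away, window 8192) mixed with three ordinary packets.
FLOOD = [Packet(f"203.0.113.{i}", 124, "TCP", "S", 8192) for i in range(9)]
LEGIT = [Packet("198.51.100.7", 57, "TCP", "S", 65535),
         Packet("198.51.100.8", 116, "TCP", "A", 64240),
         Packet("198.51.100.9", 240, "UDP", "", 0)]
TRAFFIC = FLOOD + LEGIT
```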

Solution: CAIS (1)
CAIS using passive fingerprinting information:
- Every parameter of the analyzed data is represented by an ARB.
- ARBs are created according to the principles of the immune memory model proposed by Neal.
- Dimensions (classes) are aggregations of ARBs describing similar objects.
- Cross-dimensional links describe connections between parameters present in many classes.

Solution: CAIS(2)

Solution: CAIS(3)

Solution: CAIS (4)
- ARBs store information in a compressed form; the stimulation level of an ARB describes how many values of a certain parameter appeared.
- ARBs stimulate each other if they describe similar information; this emphasizes the relations between them.
- Every ARB has a certain level of resources and a stimulation level, which decreases with time (decay function). Noise is reduced, and the system keeps only information about traffic that is up to date.
- Different dimensions (classes) describe different relations between general information, like an overview of the system (location, system info), and protocol-specific information.
Particular information has a specific meaning:
- Software used for conducting distributed attacks is especially effective on particular operating systems (dedicated).
- Packets generated for the flooding are usually of a narrow set of types, having only a certain configuration of flags set.
- Some providers or locations in the network (Russia, China) are more often chosen as sources of distributed attacks because of their loose security policy.

Solution: CAIS-based strategy
- Filtering: information about the dominant network traffic during flooding can be used for constructing accurate filters. The most active ARBs will provide information about protocol fields and their values.
- Contacting the source: information about location stored in ARBs could be used to contact:
  - the provider of the hosts responsible for the flood, and apply the host's own filters;
  - the servers responsible for the Reflection DoS.
- Tracing the real attacker: a combination of the two previous strategies would be to contact the provider of the computers used for the attack and to contact those computers themselves, to gather information that can be used to track down the party responsible for launching the DDoS or DRDoS attack.
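An added simplified model (not the slides' own code nor the CAIS authors') of the ARB memory from CAIS (4) and the filtering strategy above: stimulation counts, a decay function that prunes noise, cross-dimensional links, and the most stimulated ARB per class as the filter value. The exponential decay, the thresholds and the sample fingerprints are assumptions.

```python
from collections import defaultdict

class ARB:
    """Artificial recognition ball: one value of one parameter, with a stimulation level."""
    def __init__(self, dimension, value):
        self.dimension, self.value, self.stimulation = dimension, value, 1.0

class ImmuneMemory:
    """Simplified CAIS-style memory; exponential decay is an assumption, not the paper's function."""
    def __init__(self, decay=0.5, min_stimulation=0.2):
        self.arbs = {}                   # (dimension, value) -> ARB
        self.links = defaultdict(float)  # cross-dimensional links between ARBs
        self.decay, self.min_stimulation = decay, min_stimulation
    def observe(self, record):
        """record maps dimension -> value, e.g. {"initial_ttl": 128, "flags": "S"}."""
        keys = list(record.items())
        for key in keys:
            if key in self.arbs:
                self.arbs[key].stimulation += 1.0  # similar information stimulates the ARB
            else:
                self.arbs[key] = ARB(*key)
        for i, a in enumerate(keys):  # parameters seen together strengthen their link
            for b in keys[i + 1:]:
                self.links[(a, b)] += 1.0
    def tick(self):
        """Decay function: stale ARBs lose stimulation and are dropped as noise."""
        for key, arb in list(self.arbs.items()):
            arb.stimulation *= self.decay
            if arb.stimulation < self.min_stimulation:
                del self.arbs[key]
    def dominant(self, dimension):  # most stimulated ARB of a class -> filter value
        cands = [a for a in self.arbs.values() if a.dimension == dimension]
        return max(cands, key=lambda a: a.stimulation).value if cands else None

# Constructed sample: fingerprints of 10 flood packets and 3 legitimate ones.
FLOOD = [{"initial_ttl": 128, "proto": "TCP", "flags": "S"}] * 10
LEGIT = [{"initial_ttl": 64, "proto": "TCP", "flags": "A"},
         {"initial_ttl": 255, "proto": "UDP", "flags": ""},
         {"initial_ttl": 64, "proto": "TCP", "flags": "S"}]

def run_demo():
    mem = ImmuneMemory()
    for rec in FLOOD + LEGIT:
        mem.observe(rec)
    rule = {d: mem.dominant(d) for d in ("initial_ttl", "proto", "flags")}
    for _ in range(3):  # time passes; the decay function prunes rarely seen values
        mem.tick()
    return rule, len(mem.arbs), mem.links[(("initial_ttl", 128), ("proto", "TCP"))]
```

After three decay steps only the four ARBs that were stimulated repeatedly survive, so the memory keeps the flood's header construction while forgetting one-off legitimate values.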