Distributed Denial of Service



Similar documents
Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Denial Of Service. Types of attacks

Denial of Service. Tom Chen SMU

Firewalls and Intrusion Detection

CS 356 Lecture 16 Denial of Service. Spring 2013

Gaurav Gupta CMSC 681

Secure Software Programming and Vulnerability Analysis

CS5008: Internet Computing

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Denial of Service (DoS)

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Distributed Denial of Service (DDoS)

Denial of Service Attacks

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Strategies to Protect Against Distributed Denial of Service (DD

Announcements. No question session this week

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Yahoo Attack. Is DDoS a Real Problem?

Abstract. Introduction. Section I. What is Denial of Service Attack?

SECURING APACHE : DOS & DDOS ATTACKS - I

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

A Layperson s Guide To DoS Attacks

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Survey on DDoS Attack in Cloud Environment

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Survey on DDoS Attack Detection and Prevention in Cloud

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Denial of Service Attacks: Classification and Response

Security: Attack and Defense

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Safeguards Against Denial of Service Attacks for IP Phones

A Flow-based Method for Abnormal Network Traffic Detection

Network Security: A Practical Approach. Jan L. Harrington

co Characterizing and Tracing Packet Floods Using Cisco R

SECURING APACHE : DOS & DDOS ATTACKS - II

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Analysis of Automated Model against DDoS Attacks

Implementing Secure Converged Wide Area Networks (ISCW)

Chapter 8 Security Pt 2

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

DDoS-blocker: Detection and Blocking of Distributed Denial of Service Attack

Denial of Service Attacks, What They are and How to Combat Them

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Security vulnerabilities in the Internet and possible solutions

A Brief Discussion of Network Denial of Service Attacks. by Eben Schaeffer SE 4C03 Winter 2004 Last Revised: Thursday, March 31

Denial of Service (DoS) Technical Primer

Acquia Cloud Edge Protect Powered by CloudFlare

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

CloudFlare advanced DDoS protection

Frequent Denial of Service Attacks

Depth-in-Defense Approach against DDoS

Security Technology White Paper

A Practical Method to Counteract Denial of Service Attacks

Linux Network Security

How To Classify A Dnet Attack

DDoS Overview and Incident Response Guide. July 2014

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

Seminar Computer Security

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Analysis of IP Spoofed DDoS Attack by Cryptography

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Distributed Denial of Service Attack Tools

#42 D A N T E I N P R I N T. Tackling Network DoS on Transit Networks. David Harmelin

How To Stop A Ddos Attack On A Website From Being Successful

Security Toolsets for ISP Defense

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security - DDoS

General Network Security

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall

Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy. Master of Technology. Computer Science and Engineering

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Classification of DDoS Attacks and their Defense Techniques using Intrusion Prevention System

CMPT 471 Networking II

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

A Framework for Classifying Denial of Service Attacks

Lecture 13 - Network Security

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Honeypots for Distributed Denial of Service Attacks

Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures

INTRODUCTION OF DDOS ALGORITHMS: A SURVEY. S.Nagarjun. Siddhant College of Engineering, Pune

Transcription:

Distributed Denial of Service Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@Csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc7502_04/ Louisiana State University 4 - DDoS - 1 Overview The DoS project's trinoo distributed denial of service attack tool, by David Dittrich A Framework for Classifying Denial of Service Attacks, by Alefiya Hussain, John Heidemann, and Christos Papadopoulos, SIGCOM 2003 Louisiana State University 4 - DDoS - 2

DDoS The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service to a computer or network resource. Resource exhaustion Louisiana State University 4 - DDoS - 3 Resource Exhaustion Disk Space CPU Cycles Memory Network Bandwidth Application Resources TCP Stack Web Connections Louisiana State University 4 - DDoS - 4

What s s the Harm? Financial loss can be difficult to estimate Lost business Bad publicity and damaged reputation 2002 CSI/FBI Survey 40% of reported attacks are DOS Average cost per attack is >$1 million Distributed DOS attacks (February 2000) Amazon, CNN, E-Trade, ebay, etc Estimated losses were several millions to billions of dollars DOS can also be used to cover-up real attacks Nations critical infrastructure is also at risk Louisiana State University 4 - DDoS - 5 DDoS Denial of Service in pervasive networks Power-draining attacks Bandwidth-usage attacks CPU-usage attack Louisiana State University 4 - DDoS - 6

Denial of Service Louisiana State University 4 - DDoS - 7 Why are DOS attacks possible? IP employs an open architecture No authentication of sender s IP address Easy to forge any address, hard to detect offender IP traceback, ingress/egress filters (later) No resource regulation in the network Employ QOS techniques to mitigate impact (later) Louisiana State University 4 - DDoS - 8

Denial of Service Attacks Most involve either resource exhaustion or corruption of the operating system runtime environment. UDP bombing tcp SYN flooding ping of death smurf attack Louisiana State University 4 - DDoS - 9 Types of attacks ping of death: network flood, single very large ping packet, or a flood of large or small ping packets smurf attack: amplified network flood, exploits ICMP and broadcats, pings with faked return address (broadcast address) syn flood: overload the machine instead of the network, exploit connection establishment in TCP Louisiana State University 4 - DDoS - 10

DDoS Exploit protocols vulnerabilities: TCP SYN, ICMP, etc. Flooding-based attacks Single-source attacks Multiple-source attacks Reflector attacks (particular case of multiple-source attacks) Louisiana State University 4 - DDoS - 11 DDoS Tools DDoS: MORE POWERFUL, distributed attack, employs a combination of attacks, can attack one machine or more Examples: Trin00, UDP Tribe Flood Network, (TFN)UDP, ICMP, SYN, Smurf Stacheldracht, UDP, ICMP, SYN, Smurf TFN, 2K UDP, ICMP, SYN, Smurf Shaft, UDP, ICMP, SYN Trinity, UDP, SYN Louisiana State University 4 - DDoS - 12

Direct Attack Louisiana State University 4 - DDoS - 13 Reflector Attack TCP SYN, ICMP, UDP... Louisiana State University 4 - DDoS - 14

Trinoo Attackers take over a set of machines exploiting wellknown holes, install master agents on them. Attacker-machines communication is TCP-based Masters and daemons communication is UDPbased Password authentication Certain commands are also protected Sometime encryption is used (Blowfish) All passwords are protected using crypt, however, most of them are sent in clear over the network Louisiana State University 4 - DDoS - 15 Attack using Trinoo In August 1999, a network of > 2,200 systems took University of Minnesota offline for 3 days Tools found cached at Canadian firm Steps: scan for known vulnerabilities, then attack once host compromised, script the installation of the DDoS master agents According to the incident report: it took about 3 seconds to get root access (in 4 hours, set up about 2,200 agents) Louisiana State University 4 - DDoS - 16

Is Your Computer Used in an Attack? last: shows you what accounts intruders were using, where they were coming from, and when they were in your system. ls: shows their files. ps: shows the sniffer, password cracking program, etc. netstat: shows you the current network connections and ports ifconfig: shows if the ethernet interface was in promiscuous mode, making visible to the intruder's sniffer program all network traffic. YOU WISH THAT WAS TRUE!!!! BUT IT S NOT! Louisiana State University 4 - DDoS - 17 Is Your Computer Used in an Attack? Attackers modify most programs you rely on to get information: You think they re doing what they were supposed to, but they re not Example: ls will not show attacker s files Louisiana State University 4 - DDoS - 18

Security Mechanisms Normally, not a single silver bullet Develop multiple layers of defense Employ as many layers of defense as needed risk, resource profiles Castle, moat, drawbridge, mountain-top lookout, perimeter wall, inner wall, ruler decoy etc. Firewall, resource managers, app. Level security, logging, antivirus, remote backups, egress filters Louisiana State University 4 - DDoS - 19 Security Analogy Louisiana State University 4 - DDoS - 20

Victim network Intermediate network Source network Defenses Attack is observed close to victim Attack must be stopped close to the source Intermediate network used to traceback the attack Reactive (after the attack) and proactive (prevents the attack) methods Louisiana State University 4 - DDoS - 21 Two Security Philosophies Super Protection very expensive, could be broken Prevention Power of punishment Louisiana State University 4 - DDoS - 22

Defense Methods at Victim Intrusion detection and firewall: detect packets that look like attacks (known attack signature). Make the attack costly for attacker: for example have clients to solve puzzles if they want to access server's resources Increase server resources: distributed clusters Louisiana State University 4 - DDoS - 23 Intermediate Network IP traceback: where is the attack coming from (forensics) Push-back mechanism Route-based packet filtering We will look at these methods class. Louisiana State University 4 - DDoS - 24

Classifying Denial of Service Attacks Louisiana State University 4 - DDoS - 25 Single-Source Louisiana State University 4 - DDoS - 26

Multiple sources Louisiana State University 4 - DDoS - 27 Reflector Louisiana State University 4 - DDoS - 28

Attack Classification Methods Analyze header content Transient ramp-up behavior Spectral characteristics Louisiana State University 4 - DDoS - 29 Header Analysis Source address can be easily spoofed Use other header fields: Fragment identification field (ID) Time-to-live field (TTL) OS usually sequentially increments ID field for each successive packet Assuming routes remain relatively stable, TTL value will remain constant Louisiana State University 4 - DDoS - 30

Header Analysis (cont.) Estimate the number of attackers by counting the number of distinct ID sequences present in attack Packets are considered to belong to the same ID sequence if : ID values are separated by less than an idgap (=16) TTL are the same Louisiana State University 4 - DDoS - 31 Ramp-up Behavior If multi-source attack, ramp-up of the attacks intensity noticed because of Variation in path latency Weak synchronization of local clocks at zombies No ramp-up usually indicates single source attack Cannot robustly identify single-source attacks. Louisiana State University 4 - DDoS - 32

Spectral Characteristics Attack streams have markedly different spectral content that varies depending on number of attackers Single source attacks have a linear cumulative spectrum due to dominant frequencies spread across the spectrum. Multi-source attacks shift spectrum to lower frequencies. Use quintile, F(p), as a numerical method of comparing power spectral graphs. Compare the F(60%) values of attacks: 240-296Hz single source 142-210Hz multiple source Louisiana State University 4 - DDoS - 33 Applications of Classifying DDoS Automating Attack Detection: useful in selecting the appropriate response mechanism. Modeling Attacks: help in understanding DDoS dynamics and design better attack detection and response mechanisms. Inferring DoS Activity in the Internet: approximate attack prevalence; requires increasing the size and duration of the monitored region. Louisiana State University 4 - DDoS - 34

Summary DDoS tools Defenses Classification of attacks Louisiana State University 4 - DDoS - 35 Thursday: IP Traceback Next Lecture A: Practical Network Support for IP Traceback. Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson. SIGCOMM 2000. B: Advanced and Authenticated Marking Schemes for IP Traceback. Dawn X. Song, Adrian Perrig. Proceedings IEEE Infocomm 2001 Louisiana State University 4 - DDoS - 36

Thank You! Louisiana State University 4 - DDoS - 37

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information