Frequent Denial of Service Attacks



Similar documents
Abstract. Introduction. Section I. What is Denial of Service Attack?

SECURITY FLAWS IN INTERNET VOTING SYSTEM

Denial Of Service. Types of attacks

Security Technology White Paper

co Characterizing and Tracing Packet Floods Using Cisco R

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Gaurav Gupta CMSC 681

1. Firewall Configuration

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Chapter 28 Denial of Service (DoS) Attack Prevention

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

CS5008: Internet Computing

Denial of Service. Tom Chen SMU

Denial of Service (DoS)

SECURING APACHE : DOS & DDOS ATTACKS - I

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

How To Stop A Ddos Attack On A Website From Being Successful

Strategies to Protect Against Distributed Denial of Service (DD

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Acquia Cloud Edge Protect Powered by CloudFlare

Cloud-based DDoS Attacks and Defenses

Chapter 8 Security Pt 2

CloudFlare advanced DDoS protection

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Safeguards Against Denial of Service Attacks for IP Phones

Brocade NetIron Denial of Service Prevention

Seminar Computer Security

Firewalls and Intrusion Detection

Denial of Service (DoS) Technical Primer

Overview. Firewall Security. Perimeter Security Devices. Routers

A Layperson s Guide To DoS Attacks

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

CMPT 471 Networking II

CS 356 Lecture 16 Denial of Service. Spring 2013

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

CSCE 465 Computer & Network Security

Secure Software Programming and Vulnerability Analysis

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Firewall Firewall August, 2003

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

10 Configuring Packet Filtering and Routing Rules

Denial of Service Attacks

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

A S B

Network Threats and Vulnerabilities. Ed Crowley

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Survey on DDoS Attack Detection and Prevention in Cloud

Implementing Secure Converged Wide Area Networks (ISCW)

A Study of DOS & DDOS Smurf Attack and Preventive Measures

Survey on DDoS Attack in Cloud Environment

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Denial of Service Attacks, What They are and How to Combat Them

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Deployment of Snort IDS in SIP based VoIP environments

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

VALIDATING DDoS THREAT PROTECTION

My FreeScan Vulnerabilities Report

Vulnerabili3es and A7acks

How To Secure Network Threads, Network Security, And The Universal Security Model

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

Defense against DoS, flooding attacks

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Guideline on Firewall

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Announcements. No question session this week

Linux MDS Firewall Supplement

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Fifty Critical Alerts for Monitoring Windows Servers Best practices

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

How To Classify A Dnet Attack

Chapter 8 Network Security

IPv6 Security Analysis

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

General Network Security

Firewalls Netasq. Security Management by NETASQ

Security: Attack and Defense

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

Firewalls. Network Security. Firewalls Defined. Firewalls

Denial of Service (DOS) Testing IxChariot

IxLoad-Attack: Network Security Testing

Security of IPv6 and DNSSEC for penetration testers

IP Phone Security: Packet Filtering Protection Against Attacks. Introduction. Abstract. IP Phone Vulnerabliities

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

An Analysis of Security Mechanisms in the OSI Model

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewalls for small business

Moonv6 Test Suite. IPv6 Firewall Functionality and Interoperablility Test Suite. Technical Document. Revision 0.6

Transcription:

Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as it is considered as one of the most dreaded network based attacks which can leave our system unusable or unreachable. It can happen to any one sitting on the network unprotected.so, a good understanding of the frequent attacks is very important for the common users on a network as it can provides minimal protection to the users from these attacks. In this paper, I have discussed the simple structure of denial of Service attacks and its effects on the victim. This paper also discusses some of the most common forms of these attacks and how they happen. What I am discussing here is clear understanding of DoS (Denial of Service) attacks and the possible prevention as it is well said by our elders Prevention is Better than Cure. 1. Introduction As we go on relying more on networks for rapid transfer of information and faster ways of communication, it becomes important for us to safe guard ourselves from various hazards caused by various other malicious users on the network. Whenever a user connects his system to the network his basic concern is to keep his system safe from malicious attacks.and DoS is one of the attacks of this category that is now bothering the whole Internet community these days.so, it is important that a common user knows what DoS can do. When a user is under DoS attack, his system or his recourses become unreachable to himself and he may even loose the total control of his system. This may happen to any 1

one on the network and this paper gives a reader the basic understanding for most frequent of the DoS attacks. In this paper as we go on, we will be discussing the working of general DoS attacks, the reasons behind the attack and the effects of these attacks on the users. We will also be seeing the most frequently used DoS attacks like Buffer over flow attacks which are attained by sending more and more data to a device than it can actually handle which in turn jams the device and in turn interrupts the device s normal functioning and thus causing the problem to the user of the device. We will also be discussing other TCP/IP based DoS attacks like SYN[4] attacks which uses the TCP connection request SYN[4] to lash up as many resources as possible of a target computer. We will also be discussing other frequent DoS attacks which use TCP/IP for configuring the attacks like LAND attack and Teardrop attack; we will be discussing them in the next couple of pages. We will also discuss how an attacker uses ICMP[1] for making up the attack. When doing this attack the attacker makes use of the most commonly used command ping to launch the attack on the target system which we will discuss in much detail later. The major aim of this paper is to discuss and understand various most frequent DoS attacks and their possible prevention. The rest of this paper is organized as follows. First, the section 2, we discuss the general structure of DoS attack and the various roles involved in it. Here we will also quickly discuss the reasons behind doing the DoS attack.in section 3 will be discussing the most frequent DoS attacks like SYN[4] attack, LAND, Buffer overflow, Teardrop and Smurf attack. Finally in section 4 we will include the conclusion of the paper. 2. Structure of Denial of Service attack The target of most DoS attacks is to render the target machine on the network inaccessible to the legitimate users. If we see the structure of the Denial of Service attack we can divide it into 3 roles: 1) Malicious user (Attacker) 2) Network or System (Medium) 3) User or Users (Victim) 2

Here, we shall discuss each of the 3 roles very briefly. 2.1 Malicious user (Attacker): They are the people who want to affect the network for many reasons. They have more and more accessibility to networks as networks are growing very rapidly. They compromise the network by getting hold of some key security holes missed by the network administrator of that network to launch the possible attack through it. There may be many probable reasons behind launching the attack like: 1) To gain access 2) Economical reasons 3) Political reasons 4) Revenge 5) Sub-cultural status etc. 2.2 Network or System (Medium): The most common targets of the attack are various networks, large or small. The attacker uses these networks as a medium to launch their attacks. The attack may even be directed towards an individual user on the network. After compromising some security holes in the network. 2.3 User or Users (Victim): The Victim is the person who is connected in the effected network and is not able to receive the services which he used to receive. There may be single or multiple victims. In case of a single victim the user s system may be unattainable or unreachable. It may be of many sorts like the system getting crashed or something like that. The figure on the next page gives a better understanding of the working of DoS attacks. The figure 1 shows how the attacker affects multiple users connected on a network.the figure 2 shows how the attacker affects a single user connected on a network. In this case all the remaining connected users will be unaffected and they may be using the service very normally. This attack may be directed to more than two users also 3

Service denied Users Medium Attacker Attack Figure 1 Attack Users Attacker Attack Medium Figure 2 In general various attacks on network fall into any one of the following form: 1) Mail bombing to individuals, lists or domains. 2) Passing the server bogus requests. 3) Typing up CPU cycles, memory or other resources. 4) Misconfiguring the router (occurs accidentally). 4

3. Frequent Denial of Service attacks Although the DoS attacks are becoming a serious threat day by day, the basic intent of the attacks remains the same. As this threat grows on increasing, it becomes important on our part to understand the frequent attacks and how they are actually done. I will be discussing these attacks in this section. Almost all attacks that directly target the host machines have been overcome by the patches in the operating systems. The attacks that use some features of TCP/IP protocol were quite difficult to overcome. TCP/IP is a protocol, the use which cannot be avoided when we are working on a network. And when it causes the major problems, then it is really a hard part to solve. The most common attacks because of this TCP/IP is discusses hereon. 3.1. Smurf attack In Smurf attack the attacker uses the most common ICMP[1] protocol of IP to launch the attack on the target network. Here the attacker uses the ICMP[1] ping command to perform the attack. ICMP[1] is one of the most important protocols in TCP/IP and it is used for DNS resolution, routing, connectivity and many other things. The ICMP[1] protocol uses different messages to identify the purpose of the packet. Let us see a simple message used in ICMP[1] and how it works: 1) First, an ICMP ECHO request packet is sent to a system. 2) Then the receiving machine will return with ICMP ECHO reply packet. In this smurf attack the attacker sends an ECHO request message directed to broadcast addresses. While doing so the attacker gives the source address as the source address of the machine he intends to attack. When this request is received by other machines on the network, all of them respond with ECHO reply to the target machine. As the number of requests are very high and cannot be managed by the amount of buffer allocated by the target machine. The machine experiences DoS and thus been attacked. During the process of this attack, the attacker may also affect other users on the network. The good description of Smurf attack can be seen at[3]. The figure 2 on the next page will explain the attack in much detail. 5

Other Users ICMP ECHO replies to the victim Attacker ICMP ECHO request with spoofed address is sent through t k Network Device Victim inetorgperson2 Router Figure 3 Possible Preventions of the attack: It is very difficult to stop smurf attacks as the attacker is taking the advantage of one of the features of ICMP[1] protocol. 1) One way to stop it is to use Operating Systems that are aware of flooding with ICMP[1], and will begin to drop the packets or block the connection. 2) Disable IP-directed broadcasts at your router [6]. These are just some possible simple preventions and it may not be necessary that they are the best safety measures because when you are connected on a network there is nothing called perfect security system. 3.2 SYN attack As I told before TCP/IP is something which cannot be avoided when on the network and hackers use this as a weakness for launching their dreadful attacks. In 6

SYN[4] attack the hacker uses the connection requests in TCP to launch their intended attack. They use the SYN command here. The attacker sends many fake TCP connection requests (SYN) to target machine and the target machine as usual accepts all of them. Here again the attacker spoofs his source address to escape simple filtering. When target machine receives the request, it as usually allocates the requested resource for the request and sends the SYN acknowledgement. The requests are stored in the target s request table and are processed one after the other and never end as the number of requests is very high. This further avoids it from recognizing the legitimate requests of the later users. Thus the attack is successfully launched. One can easily verify the system is under attack [5] using a simple command on your dos (Disk Operating System here) prompt. netstat n p tcp and you can see the following test: Protocol Local Address Foreign Address State TCP 127.0.0.1:1030 127.0.0.1:1032 ESTABLISHED TCP 127.0.0.1:1032 127.0.0.1:1030 ESTABLISHED TCP 10.57.8.190:21 10.57.14.154:1256 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1257 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1258 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1259 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1260 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1261 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1262 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1263 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1264 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1265 SYN_RECEIVED TCP 10.57.8.190:21 10.57.14.154:1266 SYN_RECEIVED TCP 10.57.8.190:4801 10.57.14.221:139 TIME_WAIT Figure 4[5] 7

In the above figure you can easily find out from the stack that you system is under attack. So you can now take the action. Probable prevention techniques: 1) One can prevent this by increasing the buffer size to hold more requests. But here I felt we are really compromising with the security, But we must make some compromises for security sometimes. 2) We can also prevent some attacks by adding patches to the operating system which can detect and remove such SYN requests which are running for more than required predefined period. This has already been implemented in one of the Cisco routers. This defense is called TCP intercept [7]. 3.3 LAND attack: This is one more TCP/IP specific attack. Here the attacker again uses the SYN to attack the target system. Here the attacker uses a spoofed packet with SYN flag.the attacker spoofs the packet to have same destination and source address and this in turn generates the attack. In a simple way to say, the hacker makes the target system respond to itself and binding its resources. This attack in some cases may even crash the target system in case of few operating systems. Probable prevention techniques: 1) There is no complete cure of this attack but it can certainly be prevented if the network administrators of the various networks take necessary care by filtering [2] all outgoing packets from the network which have different source address different from the internal network address. 2) Various vendors are providing different patches for their respective operating system [6]. 3.4 Teardrop attack: This attack again uses the vulnerability in a TCP/IP protocol. Here the attacker exploits fragmentation part of IP. The attacker attacks by sending pairs of identical 8

fragments of the packet which are reassembled when the data packet is received at the receiver s end. These identical fragments cause a considerable confusion in the UDP packet which can create problems like system crash down. 3.6 Buffer Overflow attack: This is most regular attack that can be performed on a vulnerable system. It uses the resource space allocated (or buffer) for various purposes to launch the attack. Normally when we send a request to a system or a personal computer, the network interface card process them one at a time and during this time all the remaining requests are stored in the Buffer until their turn comes up. This is how most of the software and hardware devices work. Now, when an attacker wants to perform the attack on a target, He sends more and more requests or data to a system. And when this amount of data or requests exceeds the limit of the data the target device can handle, the target experiences DoS. This attack can be performed in many ways, but the most frequent attacks use 1) Mail bombing :here the attacker uses 256 character file names, as attachments to be sent to the target. 2) Oversized ping messages in ICMP. Probable prevention techniques: One way to prevent this sort of attack is by using attack sensing devices which disconnect the connection when the target is receiving more pings than it is designed to handle. There are patches available to counter mail bomb attack also; the only thing to do is the administrator must upgrade these patches from the respective venders [6]. 9

4. Conclusion: Network Security has always been a major area of research. The simple reason for this is, because of this network many people in various parts of the world are able to communicate with each other and transfer their important data with less effort in less time. DoS has always been an attack of discussion because of its terrible effect on the network and its user whenever it has struck. In this paper I have discussed how these DoS attacks work, what they can do to the users and what are the possible preventions available. I have not proposed any possible solutions for the various attacks discussed in this paper. I have discussed them because a proper understanding of various DoS attack can help in effectively defending these attacks. I believe a common user must know these attacks to provide the basic security to his system and his resources. Reference: [1] A.Conta and S.Deering, Internet control message protocol (ICMPv6) for the Internet Protocol version 6(IPv6) Specification, RFC2463, Internet Engineering Task Force, Dec 1998. [2] P.Ferguson, D.Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which employs IP Source Address Spoofing, RFC2267, The Internet society, Jan 1998. [3] Craig A.Hugen, The Latest in Denial of Service Attacks: Smurfing description and information to minimize effects, Tue Feb 8 17:47:36 PST 2000.Available at:http://governmentsecurity.org/articles/thelatestindenialofserviceatt ACKSSMURFING.php [4] C.Schuba, I.Krsul, M.Kuhn, G.Spafford, A.Sundram,and D.Zomboni.Analysis of Denial of Service attack on TCP, In proceeding of 1997 IEEE symposium on Security and Privacy, Page 208-223,IEEE Society Press, May 1997. 10

[5] Microsoft: Available at:http://support.microsoft.com/default.aspx?scid=kb;en- S;Q142641&ID=KB;EN-US;Q142641 [6] CERT: Available at: http://www.cert.org/advisories/ca-1998-01.html, http://www.cert.org/advisories/ca-1997-28.html, http://www.cert.org/advisories/ca-2003-09.html [7] CISCO: Available at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/intercpt.htm 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information