What is a DoS attack?




CprE 592-YG Computer and Network Forensics
Log-based Signature Analysis
Denial of Service Attacks - from the analyst's point of view
Yong Guan, 3216 Coover, Tel: (515) 294-8378, Email: guan@ee.iastate.edu
October 9, 2003

2. What is a DoS attack?
- A DoS attack can be defined as an attack designed to disrupt or completely deny legitimate users' access to networks, servers, services, or other resources.
- A brief history:
  - Fall of 1999: the Carnegie Mellon CERT Coordination Center released a message warning of a new type of denial-of-service attack.
  - Spring 2000: DoS attacks shut down Yahoo, CNN, and eBay.

3. Classification of DoS attacks
- Target resource starvation: a resource starvation attack attempts to deny service to a particular machine or a particular service on a machine.
- Network bandwidth consumption: bandwidth consumption attacks target an entire network, aiming to shut out all legitimate access, both inbound and outbound.

4. Last time, one example: Snork
- DoS, resource starvation. Land-style variant against Windows NT 4.0, pre-SP4 (note that source and destination in the trace are the same host and port, so the victim is made to talk to itself):
  15:13:59.844659 Protect-50.sawyer.af.mil.135 > Protect-50.sawyer.af.mil.135: udp 46
- Attack mechanism:
  - Spoofed RPC datagrams to UDP destination port 135.
  - One RPC server sends bad data to another RPC server. The second server returns a REJECT packet, the first server replies with another REJECT packet, and this creates a loop that is not broken until a packet is dropped.
  - If the spoofed UDP packet is sent to multiple destinations, many loops may be created, consuming processor resources and network bandwidth.

5. Last time, another example: SYN flood
- DoS, resource starvation
- TCP three-way handshake: SYN -> SYN-ACK -> ACK
- Uses a good packet in a bad way (instead of a bad packet): the SYN itself is valid, but the handshake is never completed, so the victim holds a half-open connection.
- Trace: see next slide.

6. Last time, another example: SYN flood (cont.)
  [**] Unknown FTP access [**]
  04/27 20:08:51.848175 210.104.180.1:3299 > xxx.xxx.xxx.189:21
  TCP TTL: 45 TOS:0x0 ID:33389 DF
  **S***** Seq: 0xF883F9 Ack: 0x0 Win: 0x7D78
  TCP options => MSS: 1460 SackOK TS: 34460833 0 NOP WS: 0

  04/27 20:08:51.870167 xxx.xxx.xxx.189:21 > 210.104.180.1:3299
  TCP TTL: 64 TOS:0x0 ID:95 DF
  **S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470
  TCP options => MSS: 1460

  04/27 20:08:54.480821 xxx.xxx.xxx.189:21 > 210.104.180.1:3299
  TCP TTL: 64 TOS:0x0 ID:96 DF
  **S***A* Seq: 0x5BA70BF Ack: 0xF883FA Win: 0x4470
  TCP options => MSS: 1460

  04/27 20:09:01.666058 210.104.180.1:3299 > xxx.xxx.xxx.189:21
  TCP TTL: 236 TOS:0x0 ID:34629
  ****R*** Seq: 0xF883F9 Ack: 0x0 Win: 0x0
  00 00 00 00 00 00

7. Last time, another example: SYN flood (cont.)
- The source address was spoofed. Two indicators in the trace:
  - TTL difference: the SYN arrived with TTL 45, the RST from the "same" address with TTL 236. Packets from one real host over one path show roughly the same TTL; two very different values mean two different senders.
  - Timing: 10 seconds elapsed between the time xxx.xxx.xxx.189 sent the SYN-ACK (and retransmitted it, ID 95 then 96, while holding the half-open connection) and the time the RST was received. A host that really sent the SYN would complete the handshake within a round-trip time; the late RST is the reaction of the address's real owner to a SYN-ACK it never asked for.

8. TCP: TCP segment format (Figure 8.20)
  Bit positions 0, 4, 10, 16, 24, 31 across each 32-bit word:
  Word 0: Source Port (16) | Destination Port (16)
  Word 1: Sequence Number (32)
  Word 2: Acknowledgement Number (32)
  Word 3: Header Length (4) | Reserved (6) | URG ACK PSH RST SYN FIN (6) | Window Size (16)
  Word 4: Checksum (16) | Urgent Pointer (16)
  Word 5+: Options (variable) | Padding
  Data

9. TCP: TCP segment format (cont.)
- Source / Destination Ports (16-bit unsigned int): the source and sink port numbers of the transport user.
- Sequence / Acknowledgement Numbers (32-bit unsigned int): number of the first byte sent in the segment (respectively, of the byte expected from the other side).
  - The Initial Sequence Number (ISN) is chosen by the sender; the SYN consumes one sequence number, so the other side acknowledges ISN + 1 (see the SYN / SYN-ACK pair in the trace: Seq 0xF883F9, Ack 0xF883FA).
  - The ISN must be chosen at random; a predictable ISN lets an attacker complete a handshake with a spoofed source without ever seeing the SYN-ACK.
  - Acknowledgement Number is the byte expected next (ACK).
- Header Length: in 32-bit words.
- Reserved: 0.

10. TCP: TCP segment format (cont.)
- Flags:
  - URG: urgent pointer is valid
  - ACK: acknowledgement number is valid
  - PSH: deliver the received data to the application immediately
  - RST: receiving TCP must abort the connection
  - SYN: connection request with ISN = SN
  - FIN: sender has no more data to send to the receiving TCP; shutdown(sd, 1) /* C */
- (Advertised) Window Size: amount of data the receiver is willing to accept, i.e. a credit of data.
- Urgent Pointer (if the URG flag is set): points to the last byte of urgent data; any data from the beginning of the segment to the UP is urgent.

11. IP Datagram Format
  32 bits per word:
  Word 0: ver (4) | head. len (4) | type of service (8) | total length (16)
  Word 1: 16-bit identifier (16) | flgs (3) | fragment offset (13)
  Word 2: time to live (8) | upper layer protocol (8) | Internet checksum (16)
  Word 3: 32-bit source IP address
  Word 4: 32-bit destination IP address
  Word 5+: Options (if any)
  Data (variable length, typically a TCP or UDP segment)

  - ver: IP protocol version number
  - head. len: header length in 32-bit words
  - type of service
  - total length: total datagram length in bytes
  - identifier, flags, fragment offset: fragmentation / reassembly; every host must be able to reassemble datagrams of at least 576 bytes (RFC 791)
  - time to live: maximum number of remaining hops, decremented at each router
  - upper layer protocol to deliver the payload to: ICMP=1, TCP=6, UDP=17, OSPF=89, etc.
  - Options: timestamp, record route taken, specify list of routers to visit, etc.

12. IP Datagram Format (cont.)
  Field positions are given as [word.bit range].
- IP version [0.0..3]: 4 = current, 6 = next generation IP (IPng or IPv6), 5 = ST2 (a real-time stream protocol)
- Header Length [0.4..7]: in 32-bit words; the minimum legal value is 5 (20 bytes, no options)
- Type of Service [0.8..15] (preferences 4b, priorities 3b): min delay, min cost, max throughput, max reliability; most routers ignore ToS; OSPF can use it; DiffServ redefines it as the Differentiated Services (DS) field (6 bits), with the other two bits used by ECN (Explicit Congestion Notification).
- Total Length [0.16..31]: in bytes, at most 2^16 - 1
- Id, Flags, Offset [1.0..31]: used in fragmentation
- Time To Live (TTL) [2.0..7]: maximum number of hops the datagram can be forwarded.

13. Small Footprint DoS
- With this attack, one packet can kill certain processes that listen promiscuously on a network, making network monitoring ineffective.
- Example: by crafting a packet with an IP version of 0 and a header length of 0, the attack can crash certain versions of tcpdump.
- Anyone can see that this packet should not exist. Packet irregularities: IP version 0, IP header length 0, protocol field 4 (IP-in-IP encapsulation).
- How it works: upon receiving an IP packet with protocol 4 and ihl=0, tcpdump enters an infinite loop within ip_print() in print-ip.c. The protocol-4 branch hands the "inner" datagram, which starts ihl*4 = 0 bytes after the outer header, i.e. the same header, to ip_print() again, and the dissector never makes progress.
- See trace on transparency.

14. Telnet DoS attack
- No need to kill to harm: no shutting down the network, no complete denial of service to a particular machine or port. Just make things a little slower (time-sensitive data transmission).
- By sending many, many Control-D (0x04) characters, the target machine cannot cleanly close the connection with a FIN packet and is forced to resort to sending a RST packet.
- This attack may come from a malicious attacker or from a careless user who happens to sit on the keyboard in the wrong place at the wrong time.
- Attack against old SunOS and Solaris.
- How it works: set up a connection to telnet (23/TCP) on the victim machine, negotiate telnet options, and then send a continual stream of ^D characters.
- See trace on transparency.
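The tcpdump failure on slide 13 is a parser that trusts the header length field. The following is an added example, not code from the lecture or from tcpdump: a defensive IPv4 header walker that refuses the irregularities the slide lists (version other than 4, ihl below 5, total length that does not cover the header) before using them as offsets, and that bounds IP-in-IP nesting so a chain of protocol-4 headers cannot recurse without limit. It includes a small packet builder so the "killer" packet and a legitimate tunnel can be constructed offline; the nesting limit of 4 and the documentation addresses are assumptions for the example, and the checksum is not validated.

```python
"""Defensive IPv4 header parsing: reject the version-0 / ihl-0 / protocol-4
packet from slide 13 instead of looping on it, and bound IP-in-IP depth."""
import struct

IPPROTO_IPIP = 4
MAX_NESTING = 4   # assumed limit for the example; deeper tunnels are treated as bogus
IPV4_FMT = "!BBHHHBBH4s4s"   # the 20 fixed header bytes from slide 11


class BadHeader(ValueError):
    pass


def parse_ipv4_header(buf, offset=0):
    """Return (fields, payload_offset) for the IPv4 header at buf[offset:],
    raising BadHeader on anything a sane dissector should refuse."""
    if len(buf) - offset < 20:
        raise BadHeader("truncated header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack_from(IPV4_FMT, buf, offset)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise BadHeader(f"IP version {version}")
    if ihl < 5:
        # ihl*4 is where the payload starts; ihl=0 means "the payload starts at
        # this same header", which is what sent tcpdump's ip_print() into a loop.
        raise BadHeader(f"header length {ihl} words (< 5)")
    hdr_len = ihl * 4
    if total_len < hdr_len or len(buf) - offset < hdr_len:
        raise BadHeader("total length inconsistent with header length")
    fields = {"version": version, "ihl": ihl, "total_len": total_len, "ttl": ttl,
              "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return fields, offset + hdr_len


def dissect(buf, max_depth=MAX_NESTING):
    """Walk IP-in-IP encapsulations; return the header chain, outermost first.
    Progress is guaranteed because parse_ipv4_header enforces ihl >= 5."""
    headers, offset, depth = [], 0, 0
    while True:
        fields, offset = parse_ipv4_header(buf, offset)
        headers.append(fields)
        if fields["proto"] != IPPROTO_IPIP:
            return headers
        depth += 1
        if depth > max_depth:
            raise BadHeader(f"IP-in-IP nested more than {max_depth} deep")


def build_ipv4(proto, payload=b"", version=4, ihl=5, ttl=64,
               src="192.0.2.1", dst="192.0.2.2"):
    """Build a test packet; version/ihl may be set to illegal values on purpose.
    Checksum is left zero (not validated by the parser above)."""
    hdr = struct.pack(IPV4_FMT, (version << 4) | ihl, 0, 20 + len(payload),
                      0x1234, 0x4000, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def classify(buf):
    """('ok', header chain) for a parseable packet, ('bogus', reason) otherwise."""
    try:
        return "ok", dissect(buf)
    except BadHeader as e:
        return "bogus", str(e)


if __name__ == "__main__":
    print(classify(build_ipv4(6, b"\x00" * 20)))                  # plain TCP datagram
    print(classify(build_ipv4(IPPROTO_IPIP, version=0, ihl=0)))   # the slide's killer packet
    print(classify(build_ipv4(IPPROTO_IPIP, build_ipv4(17, b"x" * 8))))  # one IP-in-IP level
```

The point of the example is the order of checks: every field that will be used as an offset or a length is validated before it is used, and the loop over encapsulations terminates either because the offset strictly advances or because the depth counter trips. A sniffer or IDS that is fed hostile packets by design needs both properties, not just the first.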

15. Summary of Resource Starvation DoS attacks
- Causing RS DoS attacks is not that hard. It can happen for completely legitimate reasons: ask the guy streaming audio from your file server to stop for a while and see how much better your system performs.
- Several points:
  - Source addresses in most DoS attacks are spoofed.
  - Look for packets that are unusual.
- So far, all these DoS attacks have had just one target. Next we come to a new class of DoS attacks that affect an entire network by targeting its bandwidth.

16. DoS attacks: Bandwidth Consumption
- To consume bandwidth so that no legitimate data can be processed, a lot of bogus data needs to be generated to flood the network.
  - It is impossible to generate a tremendous number of packets from the attacker's single workstation.
  - Amplification method: one packet generates many responses (DDoS).
- Exception: normal traffic may have the same effect and cause a huge problem (9/11, the CNN website).
  - This is called the Slashdot effect.
  - As long as there are finite resources, there will always be a way to exceed those resources.

17. Internet Control Message Protocol (ICMP)
- ICMP [RFC 792] is a sibling protocol of IP; it is used by hosts, routers, and gateways to communicate network-level information to each other.
- ICMP is a request / reply protocol.
- Services:
  - Echo Request / Reply (ping)
  - Timestamp Request / Reply
  - Redirect (from router to source host)
  - Destination unreachable (protocol, port, or host)
  - TTL exceeded (stops a datagram from cycling endlessly)
  - Checksum failed
  - Reassembly failed
  - Cannot fragment

18. ICMP (cont.)
- ICMP is used by hosts, routers, and gateways to communicate network-level information:
  - error reporting: unreachable host, network, port, protocol
  - echo request/reply (used by ping)
- Network layer, but carried above IP: ICMP messages are carried in IP datagrams.
- ICMP error message: type, code, plus the IP header and first 8 bytes of the datagram that caused the error.
- Used by ping and traceroute.

  Type  Code  Description
  0     0     echo reply (ping)
  3     0     dest. network unreachable
  3     1     dest. host unreachable
  3     2     dest. protocol unreachable
  3     3     dest. port unreachable
  3     6     dest. network unknown
  3     7     dest. host unknown
  4     0     source quench (congestion control, not used)
  5     x     redirects
  8     0     echo request (ping)
  9     0     router advertisement
  10    0     router discovery
  11    0     TTL expired
  12    0     bad IP header
  13    0     timestamp request (reply is type 14)
  17    0     address mask request (reply is type 18)

19. Smurf Attacks
- Smurf uses the broadcast IP address to amplify one packet into many.
- Sending a stream of ICMP echo request packets from a spoofed source IP address (the victim's) to an open network broadcast address: all the hosts on the destination subnet send ICMP echo replies to the spoofed source address.
- A few hundred packets can generate thousands of packets that can deny service to the targeted network.
- See trace on transparency.

20. Echo-Chargen Looping Attacks
- UDP port 7: echo. It echoes the received packet back to the source.
- UDP port 19: character generator (chargen). Upon receiving a packet, it replies with a random string of characters.
- If an attacker finds these ports available, one spoofed packet can generate many thousands of additional packets.
- The chargen port generates characters to the echo port, which echoes them back to the chargen port, which generates characters to the echo port, and so on. This consumes CPU cycles and network bandwidth.
- Syslog:
  Jun 4 18:23:14 router inetd[204]: chargen/udp: echo/udp loop request REFUSED from 192.168.1.3

21. Spoofed DNS queries: DoomDNS
- UDP does not authenticate the packets it receives.
- DoomDNS sends odd queries to BIND servers that elicit many responses from the server. When successful, 20-30 of these packets can generate 400-500 responses, consuming CPU cycles and network bandwidth.
- Uses a spoofed source IP address.
- Syslog:
  Apr 21 18:23:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
  Apr 21 18:23:56 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
  Apr 21 18:45:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
  Apr 21 19:10:11 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
  Apr 21 19:23:35 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
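The three bandwidth-consumption attacks on slides 19 to 21 share a signature an analyst can test for directly: a trigger packet whose destination is an amplifier (a directed-broadcast address, or a UDP "small service" port paired with another one), and, for the DNS case, a run of refused queries from one source in the server log. The following is an added example, not part of the lecture notes: it classifies constructed packet records against an assumed list of local subnets (192.0.2.0/24 and 198.51.100.0/25, documentation ranges) and counts "refused query" syslog lines per source, using the message format shown on the slide. The record layout, the subnets and the threshold of three refusals are assumptions for the example.

```python
"""Amplification signatures from slides 19-21: ICMP echo requests to a
directed-broadcast address (smurf), UDP datagrams aimed from one small
service at another (echo/chargen loop), and bursts of refused DNS queries."""
import ipaddress
import re
from collections import Counter

# Assumed for the example: the subnets this sensor protects. A packet that
# arrives from outside addressed to one of their broadcast addresses is the
# smurf trigger; the replies go to whoever the spoofed source was.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]
SMALL_SERVICES = {7: "echo", 19: "chargen"}

# Constructed packet records: (proto, src, dst, sport, dport, icmp_type)
SAMPLE_PACKETS = [
    ("icmp", "203.0.113.9", "192.0.2.255", None, None, 8),   # echo request to broadcast
    ("icmp", "192.0.2.17", "203.0.113.9", None, None, 0),    # one of the resulting replies
    ("icmp", "203.0.113.9", "192.0.2.17", None, None, 8),    # ordinary ping to one host
    ("udp", "203.0.113.9", "192.0.2.5", 7, 19, None),        # echo -> chargen loop seed
    ("udp", "203.0.113.9", "192.0.2.5", 19, 7, None),        # chargen -> echo loop seed
    ("udp", "203.0.113.9", "192.0.2.5", 40000, 53, None),    # normal DNS query
]

# Constructed syslog in the format on slide 21 (BIND 8 "refused query" message).
SAMPLE_SYSLOG = """\
Apr 21 18:23:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 18:23:56 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 18:45:14 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 19:10:11 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 19:23:35 s1 named[13168]: refused query on non-query socket from 192.168.1.3.2018
Apr 21 19:30:00 s1 named[13168]: refused query on non-query socket from 192.168.7.7.1053
"""
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ named\[\d+\]: "
    r"refused query on non-query socket from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+)$"
)


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of the protected subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)


def classify_packet(rec):
    """Return a signature name for an amplification trigger, or None."""
    proto, src, dst, sport, dport, icmp_type = rec
    if proto == "icmp" and icmp_type == 8 and is_directed_broadcast(dst):
        return "smurf: echo request to directed broadcast"
    if proto == "udp" and sport in SMALL_SERVICES and dport in SMALL_SERVICES:
        # Either direction seeds the loop once both services answer each other.
        return f"{SMALL_SERVICES[sport]}->{SMALL_SERVICES[dport]} loop seed"
    return None


def find_triggers(records):
    """Map each flagged record's (src, dst) to its signature."""
    return {(r[1], r[2]): sig for r in records if (sig := classify_packet(r))}


def refused_query_sources(text, threshold=3):
    """Sources with at least `threshold` refused-query log lines; a single
    (spoofed) source hammering the server is the DoomDNS pattern."""
    counts = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_triggers(SAMPLE_PACKETS))
    print(refused_query_sources(SAMPLE_SYSLOG))
```

The classifier only identifies the trigger; the replies themselves look like ordinary echo replies or chargen output and are best recognised by volume toward a single destination. The corresponding preventive controls are to stop forwarding directed broadcasts at the router (no ip directed-broadcast on Cisco IOS), to disable the echo and chargen services in inetd, and to have the border filter drop inbound packets that claim a source address from inside the network, since every attack on these slides depends on a spoofed source.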