denial of service attacks: methods, tools, and defenses
DESCRIPTION
Denial of Service Attacks: Methods, Tools, and Defenses. Prof. Mort Anvari Strayer University at Arlington. Introduction. Basic types of DoS attacks Evolution of DoS tools Overview of DoS tools Defenses. What is Denial of Service Attack?. - PowerPoint PPT PresentationTRANSCRIPT
Denial of Service Attacks:Methods, Tools, and
Defenses
Prof. Mort AnvariStrayer University at Arlington
2
Introduction
Basic types of DoS attacksEvolution of DoS toolsOverview of DoS toolsDefenses
3
What is Denial of Service Attack?
“Attack in which the primary goal is to deny the victim(s) access to a particular resource.” (CERT/CC)Very vide definition, covers lots of casesThis tutorial covers only subset of all DoS attacks
4
Modes of Denial of Service Attack
Consumption of limited resources Network connectivity Bandwidth consumption Other resources:
Processing time Disk space Lockout of an account
Alteration of configuration information
5
DoS Attacks - StatisticsThere are more than 4000 attacks per weekDuring 2000, 27% of security professionals detected DoS attack against their systemIn February 2000 attacks, stream going to one of affected sites was about 800Mb/s
6
DoS Attacks - StatisticsOverall Internet performance degradation
during February 2000 attacksDate PPW PAW CPWFeb. 7th 5.66 5.98 +5.7%Feb. 8th 5.53 5.96 +7.8%Feb. 9th 5.26 6.67 +26.8%Feb 10th 4.97 4.86 -2.2%PPW – Performance in previous week
PAW – Performance in attacking week
CPW – Change from previous week
Source:Keynote Systems
DoS Attacks - Basics
Prof. Mort AnvariStrayer University at Arlington
8
DoS Attacks - BasicsAttack has two phases:
Installation of DoS tools Committing an attack
9
DoS Attacks - BasicsInstallation of DoS tools: Finding a suitable machine:
Unprotected ports Vulnerable services Errors in operating systems Trojan horses and worms
Installation of the tool itself Installation of a root-kit
10
DoS Attacks - BasicsPing of Death
Maximum size of TCP/IP packet is 65536 bytes
Oversized packet may crash, freeze, reboot system
Obsolete
11
DoS Attacks - BasicsTeardrop
IP packet can be broken Broken packet is reassembled
using offset fields
12
DoS Attacks BasicsTeardrop
Overlapping offset fields
Obsolete
13
DoS Attacks - BasicsSyn flood attack
TCP Syn handshake
Finite length of backlog queue
Lots of half-open connections
Partially solved
SYN
ACK
SYNACK
Client
Server
14
DoS Attacks - BasicsUDP flood
UDP echo service UDP chargen service Spoofed address Easy prevention Brute force approach
if this one doesn’t work
Victim
AttackerVictim
SpoofedRequest
chargenecho
15
DoS Attacks - BasicsSmurf attack
ICMP packets Broadcast request Spoofed address Two victims Cannot be
easily prevented
Victim
IntermediateSystems
Attacker
16
Evolution of DoS Attacks
Defenses were improvedTechnology was improved, as wellAttackers had to improve their techniques for attacks
17
Evolution of DoS Attacks
Packet processing rate is more limiting than bandwidthCPU can be a limit in SYN flood attack“Reflected” attacks
Bad packet ICMP Reply
VictimAttacker Intermediate
18
(R)evolution of DoS Attacks
Distributed DoS tools and networks
Client-Server architecture Open-source approach Several layers Difficulties in tracking back the attacker
19
Evolution of DoS Attacks
All of the systems are compromised
Terminology: Client Handler Agent
20
Evolution of DoS Attacks
Implications of DDoS network:
One or two attackers
Small number of clients
Several handlers Huge number of agents
Humongous traffic
DoS Attacks - Tools
Prof. Mort AnvariStrayer University at Arlington
22
DoS Attacks - ToolsHistory of DoS tools:
IRC disable tools Single attack method tools Distributed tools,
with possibility of selecting the type of attack
23
DoS Attacks - ToolsTrinoo
Distributed UDP flood (brute force) Menu operated Agent passwords are sent in plain text form
(not encrypted)
24
DoS Attacks - ToolsTFN (Tribal Flood Network)
Multi-type attack UDP flood SYN flood ICMP_ECHOREPLY flood Smurf
Handler keeps track of its agents in “Blowfish” encrypted file
25
DoS Attacks - Tools
Improved version of TFNAgent can randomly alternate between the types of attackAgent is completely silent - handler sends the same command several times, hoping that agent will receive at least one)
TFN2K
26
DoS Attacks - Tools
All communication is encryptedRandom source IP address and port numberDecoy packets (sent to non-target networks)
TFN2K
27
DoS Attacks - Tools
Several levels of protection:Hard-coded password in client Password is needed
to take control over handlerEncrypted communication
between handler and agent
Stacheldraht
28
DoS Attacks - ToolsStacheldraht
Automated update of agents TCP is used for communication
between client and handler, and ICMP_ECHOREPLY for communication between handler and agent
29
DoS Attacks - Tools
ICMP_ECHOREPLY packets are difficult to stopEach agent has a list of its handlers (Blowfish encrypted) and in case that there is no such list, agent uses several hard-coded IP addressesAgent tests for a possibility of spoofing the source address
Stacheldraht
30
DoS Attacks - Tools
Weakness: it uses rpc command for updateListening on this port can lead to detection of an agent. Drawback is in fact that this can generate a lot of false alarms (rpc is used by legitimate users too)
Stacheldraht
Defenses
32
DefensesThere is no universal solutionThere are some preventions that can help in minimizing the damage:Prevention of becoming
the source of an attackPreparations for defending
against an attack
33
DefensesDisable and filter out chargen and echo servicesDisable and filter out all unused UDP services. Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)
34
DefensesInstall a filtering router to disable following cases: Do not allow packet to pass through
if it is coming to your network and has a source address from your network
Do not allow packet to pass through if it comes from your network and has a source address that doesn’t belong to your network
35
DefensesNetwork administrators should log all information on packets that are droppedIf you are providing external UDP services, monitor them for signs of misuse
36
DefensesThe following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router: 10.0.0.0 to 10.255.255.255 (reserved) 127.0.0.0 to 127.255.255.255 (loopback) 172.16.0.0 to 172.31.255.255 (reserved) 192.168.0.0 to 192.168.255.255
(reserved) 0.0.0.0 and 255.255.255.255 (broadcasts)
37
DefensesRouters, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installedSystem should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)
38
DefensesTrain your system and network administratorsRead security bulletins like: www.cert.org, www.sans.org, www.eEye.comFrom time to time listen on to attacker community to be informed about their latest achievementsBe in contact with your ISP. In case that your network is being attacked, this can save a lot of time
39
ConclusionSeveral examples of large scale DoS attacks (yahoo, eBuy, CERT, FBI, Amazon)Increased number of consumers with high bandwidth technologies, but with poor knowledge of network securityEasy accessible, easy to use DoS attack toolsNo final solution for attacks
40
This tutorial is based on research paper done for isitworking.comIsitworking is part of Biopop company, Charlotte, NC, USASo far, it was presented on:SSGRR 2002w, L’Aquila, ItalyYU-INFO 2002, Kopaonik, Serbia
Denial of Service Attacks:Methods, Tools, and
Defenses
Prof. Mort AnvariStrayer University at Arlington