Distributed Denial of Service Attacks
Shankar Saxena
Veer Vivek Kaushik
Agenda
• Introduction and Famous Attacks
• How an Attack Takes Place
• Types of DDoS Attacks
  • Smurfing
  • UDP Flooding
  • TCP SYN Flooding
Introduction
• Causes a service to be unusable or unavailable
• Coordinated, mass-scale attack from compromised computers
• Exhausts bandwidth, router processing and network stack resources
• Hard to detect at the firewall level
Famous Attacks
• February 2000
  • Yahoo, eBay and Amazon websites attacked
  • Yahoo received as much packet traffic as some websites receive in one year
  • 1 billion dollars
• October 2002
  • 7 of the 13 DNS root servers attacked
  • An attack on the internet itself
Scanning (Step 1)
• Port Scanning
  • Search for open ports: send packets to the target to interact with it
  • Nmap: TCP Connect, TCP SYN, UDP scans
• Software Vulnerabilities
  • Common & default configuration weaknesses
  • Nessus: plugins for Windows, backdoors, file sharing, firewalls, mail servers
Stack based Buffer overflow (Step 2)
• The attacker chooses the most vulnerable machines.
• A buffer overflow occurs when the attacker stores too much data in an undersized buffer.
• The attacker precisely tunes the amount and content of the data.
• The attacker overwrites the return pointer with his own, which points to his code.
Normal Stack (diagram): from bottom of memory, in fill direction: buffer (local variable), return pointer, function arguments, top of memory.
Smashed Stack (diagram): from bottom of memory, in fill direction: buffer (local variable) overwritten with attacker machine code, return pointer replaced by new pointer, function arguments, top of memory.
Rootkit & Attack (Step 3)
• Rootkit
  • To get back into the compromised system
  • Replaces system files with their Trojan versions
• Attack
  • Instruct the compromised systems to attack
  • Various flooding methods
DDoS attack (diagram)
Kinds of Attacks
• Smurfing
• UDP Flooding
• TCP SYN Flooding
Smurfing
• The attacker sends packets to a network amplifier with the return address spoofed to the victim's IP address
• The attacking packets are typically ICMP echo requests
• These requests generate ICMP echo replies which flood the victim
TCP SYN Attack
• Exploits the three-way handshake protocol.
• A large number of bogus TCP SYN requests are sent to the victim in order to tie up its resources.
• The attacker never answers the server's SYN+ACK responses, so the server runs out of memory resources.
TCP SYN Attack (diagram)
UDP Flooding
• Connectionless protocol
• No three-way handshake is required
• A large number of UDP packets saturates the network and depletes the bandwidth.
DDoS Counter Measures
• Egress filtering
  • Scanning packets for certain criteria
  • Spoofed addresses
• Close all unneeded ports
• Be more aware
  • Install new patches
  • Check server logs
  • Test scanning tools on your system
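The egress-filtering countermeasure above, as an added example (not from the slides): packets leaving the border are checked against the prefixes this site owns, and any packet whose source address is not ours is dropped as spoofed. The prefixes, packet format and sample traffic are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed example: the blocks this site legitimately originates traffic
# from.  A packet leaving the border with any other source is spoofed.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

@dataclass(frozen=True)
class Packet:
    """Minimal view of an outbound packet as seen at the border router."""
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"

def egress_verdict(pkt, local_prefixes=LOCAL_PREFIXES):
    """Return (allowed, reason) for one packet leaving the network."""
    src = ipaddress.ip_address(pkt.src)
    # A source we do not own cannot be a legitimate reply address; this is
    # the forged victim address a smurf or SYN flood participant would use.
    if not any(src in net for net in local_prefixes):
        return False, "spoofed-source"
    return True, "ok"

def filter_outbound(packets, local_prefixes=LOCAL_PREFIXES):
    """Split packets into (allowed, dropped) and count the drop reasons."""
    allowed, dropped, reasons = [], [], Counter()
    for pkt in packets:
        ok, reason = egress_verdict(pkt, local_prefixes)
        if ok:
            allowed.append(pkt)
        else:
            dropped.append(pkt)
            reasons[reason] += 1
    return allowed, dropped, reasons

# Constructed sample traffic: two genuine packets, one with the victim's
# address forged as source, one from the half of 198.51.100.0/24 we do not own.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.9", "tcp"),
    Packet("198.51.100.7", "203.0.113.9", "udp"),
    Packet("203.0.113.9", "203.0.113.40", "icmp"),
    Packet("198.51.100.200", "203.0.113.9", "tcp"),
]
```

Note that the check is against the exact allocated prefix (a /25 here), not the classful /24, so the fourth sample packet is also dropped.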
Thanks
Queries?