Presentation_Sharmistha_Roy


Adversarial Challenges in Web Based Services
Denial of Service
Sharmistha Roy
What is Denial of Service?
• Attempts to make a Web resource unavailable to legitimate users
• Attacks flooding a network, creating congestion and blocking traffic
• Disrupting connections between two machines

Why are such attacks launched?
• The purpose is often to knock web services offline
• The hacker may need to masquerade as a server or workstation, and so needs to remove that machine from the network

A typical Website configuration
Vulnerable points:
• The Router
• The Firewall
• The Load Balancer
• The Webserver
• The Backend Database servers

Other Vulnerabilities

Part of system attacked—A malicious packet can disrupt the functioning of the CPU or the network card, or can overload the Ethernet link, depending on the limitations of the hardware.

OS or TCP/IP stack—Inherent limitations of a protocol can be exploited to launch attacks, for example SYN attacks.

Bugs or overload—Bugs in a system leave it open to attack, but they can be fixed; fundamental limitations of protocols require system-wide changes, which are difficult to implement.
Example: Cisco 7xxx routers, where a long password would lead to a buffer overflow attack.
DDoS Attacks
• The attacker uses client tools that control handlers, which in turn launch daemons.
• Client tools such as scanners help in identifying vulnerabilities.
• A script is run on a set of vulnerable machines.
• From this set of compromised machines, DDoS handlers and daemons are created.
• This script production is automated so that it can be run on more systems, compromising many systems in a short span of time.
Defenses against DoS and DDoS
General requirements of a defense framework:
• The framework has to be general, since attacks can be over multiple platforms.
• Security holes should not be exploitable by DoS attacks. Instead, fault tolerance and confidentiality should be built in so that an attack can be foiled.
Case study of a classic DoS attack
The attack on GRC.com on Jan 11, 2004 flooded the two T-1 trunks connecting the Verio aggregate router to the GRC internal router.
Valid web service requests were not able to reach the webserver after competing with bogus packets, so the webserver was knocked offline.
Analysis of the DoS attack case
• Most of the SYN/ACK packets carried port 179 (BGP), with others carrying port numbers such as 23 (telnet), 22 (ssh), 53 (dns) and 80 (http).
• This showed that the attacker had spoofed the IP address of GRC.com and used it to bounce packets off several webservers towards GRC.com.
• The fanning effect of malicious packets leaving the attacker's machine, reflecting from several webservers towards GRC.com, flooded the network and took it off the air for several hours.
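The reflected SYN/ACK pattern in the analysis above can be spotted at the victim by matching inbound SYN/ACKs against the SYNs the host itself sent: a SYN/ACK with no matching outbound SYN was provoked by a SYN spoofed with the victim's address. The detector below is an added example written for this page, not code from the presentation or from GRC.com; the `Pkt` record, the function names and the packet records and addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One TCP packet seen at the victim's border (records below are constructed)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK

def find_unsolicited_synacks(packets, our_ip, window=5.0):
    """Inbound SYN/ACKs to our_ip that answer no SYN we sent within `window` seconds.
    A real SYN/ACK matches an earlier outbound SYN on (remote ip, remote port, our port);
    SYN/ACKs provoked by SYNs spoofed with our address have no such match."""
    pending = {}  # (remote_ip, remote_port, our_port) -> time we sent the SYN
    unsolicited = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.src == our_ip and p.flags == "S":
            pending[(p.dst, p.dport, p.sport)] = p.ts
        elif p.dst == our_ip and p.flags == "SA":
            sent = pending.pop((p.src, p.sport, p.dport), None)
            if sent is None or p.ts - sent > window:
                unsolicited.append(p)
    return unsolicited

def reflection_report(unsolicited, min_reflectors=3):
    """Distinct reflectors per source service port: many servers answering on the same
    port (179, 22, 53, 80 in the GRC.com case) is the fan-in signature of reflection."""
    by_port = defaultdict(set)
    for p in unsolicited:
        by_port[p.sport].add(p.src)
    return {port: len(srcs) for port, srcs in by_port.items() if len(srcs) >= min_reflectors}

OUR_IP = "203.0.113.10"  # constructed victim address (documentation range)
SAMPLE = [  # constructed packets, not a real capture
    Pkt(0.0, OUR_IP, 40001, "198.51.100.5", 80, "S"),   # our own outbound connection
    Pkt(0.1, "198.51.100.5", 80, OUR_IP, 40001, "SA"),  # legitimate reply, must not be flagged
    Pkt(1.0, "192.0.2.1", 179, OUR_IP, 1025, "SA"),     # reflected off BGP speakers...
    Pkt(1.0, "192.0.2.2", 179, OUR_IP, 1026, "SA"),
    Pkt(1.1, "192.0.2.3", 179, OUR_IP, 1027, "SA"),
    Pkt(1.1, "192.0.2.4", 22, OUR_IP, 1028, "SA"),      # ...and ssh, dns, http servers
    Pkt(1.2, "192.0.2.5", 53, OUR_IP, 1029, "SA"),
    Pkt(1.2, "192.0.2.6", 80, OUR_IP, 1030, "SA"),
    Pkt(1.3, "192.0.2.7", 80, OUR_IP, 1031, "SA"),
    Pkt(1.3, "192.0.2.8", 80, OUR_IP, 1032, "SA"),
]
```

On a real border capture the same matching works on (src, sport, dport) tuples pulled from a packet capture; SYN cookies protect the reflectors' backlog, while this check is what tells the victim it is the spoofed party.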
A comprehensive solution for a Website
• Use Linux kernel 2.6 as the base for all systems, as its backlog queue is 128 entries and TCP SYN cookies are enabled.
• Linux Virtual Server as Load Balancer, for maximum performance and protection against overload.
• iptables firewall—filter incoming packets against security rules.
A comprehensive solution for a Website (contd.)
Class Based Queuing and Traffic Monitor—
• Queues of packets are formed, with each queue assigned a priority and a bandwidth.
• Overload conditions are detected by the Traffic Monitor, and packets from a source generating more load are relegated to a queue of lower priority.
Evaluation of Performance Tests
• The webserver was attacked by 8 hosts.
• TCP SYN floods -- handled by Linux SYN cookies / backlog queue.
• HTTP overloading and ICMP flooding -- handled by Class Based Queuing / Traffic Monitoring.
Thank You!