Presentation_Bryan_Oemler


Denial of Service
Bryan Oemler
Web Enhanced Information Management
March 22nd, 2011
Introduction
• A constant threat to web-based providers
• Server resources (memory, CPU, bandwidth) are limited
• Damaging effect on targets
• Goal: drown out all legitimate traffic to the server
– Consume the server's resources
– Monopolize the CPU
– Mimic legitimate traffic so the flood is hard to filter out
• Method: combine computing power from many hosts across the Internet
– Distributed Denial of Service (DDoS): many attacking hosts, one target
DoS in the news
• Attacks on WordPress.com, Mar 4th, 2011
– Largest in WordPress.com's history, by its own account
– Multiple data centers unable to handle the load
– Collateral damage: a single target, but every site sharing its infrastructure affected
• Anonymous attacks on MasterCard and Visa, Dec 8th, 2010
– Individuals organizing a DoS attack
– Coordinated through social networking
– Volunteers' personal computers launched the DoS
• Twitter and Facebook attacks, Aug 5th, 2009
– Flood of emails
– Target was an individual user of those social networking tools; the services went down with him
Botnet
• Network of infected computers
– Computers hijacked with malware
– Contacted and controlled by the perpetrator of the attacks
– Directed to flood the victim with requests
• Adds obfuscation and computing power
– Large network of personal and corporate computers
– Each source looks like a legitimate client to the victim
IP spoofing
• Packets are sent out with a forged source (return) IP address
– Hides the true source of the attack
• A complete TCP connection cannot be formed
– The victim host sends its reply to the forged address, not back to the attacker
http://www.techrepublic.com/article/exploring-the-anatomy-of-a-datapacket/1041907
SYN Flood
• Critical mass of connection-request packets
– A TCP connection starts with a SYN (synchronize) packet
– The server responds with a SYN-ACK but never receives the final acknowledgement
– The attacker creates many half-open connections
– Each half-open connection occupies server memory until it times out
– The attacker monopolizes the server's pending-connection queue with these open connections
TCP Connection vs Spoofed Packet
http://www.understandingcomputers.ca/articles/grc/drdos_copy.html
Reflection Attacks
• "Reflect" requests off innocent servers
– The source IP address on each packet is forged to the intended target's address
– The attacker sends packets to a diverse set of hosts
– Those hosts reply to the target and act as middlemen for the attack
• Tracking the packets back is harder
– Indirect path from attacker to victim
– Investigators must rely on the records of the intermediate hosts
Reflection Attack
http://www.understandingcomputers.ca/articles/grc/drdos_copy.html
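The SYN flood and reflection attacks described on the two slides above leave different traces in a packet log. The following Python script is an added example, not code from the presentation: over constructed traffic it counts SYNs that never received the client's closing ACK (half-open connections, the signature of a flood from forged sources) and SYN-ACKs arriving from peers the receiver never sent a SYN to (the signature of reflected traffic). The Packet record, the sample addresses and the thresholds are assumptions.

```python
"""Flag SYN-flood and reflection patterns in a TCP packet log.

Added example for the SYN Flood and Reflection Attacks slides; the packet
record format, the sample traffic and the thresholds are assumptions, not
anything from the original presentation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (assumed encoding)


def analyze(packets, half_open_limit=20, reflector_limit=10):
    """Return (syn_flood_targets, reflection_targets).

    syn_flood_targets: {dst_ip: half_open} for destinations where more than
    half_open_limit SYNs were never followed by the client's final ACK.
    reflection_targets: {dst_ip: reflectors} for hosts that received SYN-ACKs
    from more than reflector_limit distinct peers they never sent a SYN to.
    """
    syns = set()                    # (src, sport, dst, dport) that sent a SYN
    completed = set()               # same tuples later ACKed by the client
    unsolicited = defaultdict(set)  # receiver -> peers answering a SYN it never sent

    for p in packets:
        tup = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syns.add(tup)
        elif p.flags == "A" and tup in syns:
            completed.add(tup)      # third step of the handshake
        elif p.flags == "SA":
            # A SYN-ACK answers a SYN that travelled the other way.
            if (p.dst, p.dport, p.src, p.sport) not in syns:
                unsolicited[p.dst].add(p.src)

    half_open = defaultdict(int)
    for _src, _sport, dst, _dport in syns - completed:
        half_open[dst] += 1

    syn_flood = {d: n for d, n in half_open.items() if n > half_open_limit}
    reflection = {d: len(s) for d, s in unsolicited.items() if len(s) > reflector_limit}
    return syn_flood, reflection


def sample_log():
    """Constructed traffic (not a capture): one real handshake, a spoofed
    SYN flood against 203.0.113.10 and reflected SYN-ACKs hitting 203.0.113.20."""
    server, victim = "203.0.113.10", "203.0.113.20"
    pkts = [
        Packet("10.0.0.5", 51000, server, 80, "S"),
        Packet(server, 80, "10.0.0.5", 51000, "SA"),
        Packet("10.0.0.5", 51000, server, 80, "A"),
    ]
    # SYN flood: the source addresses are forged, so the server's SYN-ACKs
    # go to hosts that never asked and the final ACK never arrives.
    for i in range(1, 31):
        spoofed = f"198.51.100.{i}"
        pkts.append(Packet(spoofed, 40000 + i, server, 80, "S"))
        pkts.append(Packet(server, 80, spoofed, 40000 + i, "SA"))
    # Reflection: 15 innocent servers answer SYNs forged in the victim's name;
    # the victim's log holds their SYN-ACKs but no SYN of its own.
    for i in range(1, 16):
        pkts.append(Packet(f"192.0.2.{i}", 80, victim, 40000, "SA"))
    return pkts


if __name__ == "__main__":
    floods, reflected = analyze(sample_log())
    print("SYN flood targets (half-open count):", floods)
    print("Reflection targets (distinct reflectors):", reflected)
```

The unsolicited-SYN-ACK check also fires on the forged source addresses of a SYN flood: a host whose address was spoofed sees the victim's replies arrive without ever having sent a SYN, so from its vantage point a flood's backscatter and reflected traffic look the same. That is the practical meaning of the earlier slide's point that the victim "responds to a random IP".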
Full HTTP Requests
• Complete requests cost the server far more CPU time than a bare packet
– Database queries
– Complex calculations
– File access
• The attack hides inside a botnet
– Infected computers appear to be legitimate users
– With a sufficiently large botnet, each bot needs only an ordinary request rate
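An HTTP request flood of the kind this slide describes can be looked for in ordinary web-server access logs. The following Python script is an added example, not code from the presentation: over constructed log lines it applies a per-client rate limit, and shows why that is not enough once a botnet is large enough for every bot to look normal, by also totalling requests to paths assumed to be expensive (database searches). The log format, the EXPENSIVE path list and the thresholds are assumptions.

```python
"""Spot an HTTP request flood in web-server access logs.

Added example for the Full HTTP Requests slide; the log lines are
constructed, and the expensive-path list and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')

# Assumed: paths that trigger database queries or other heavy work.
EXPENSIVE = ("/search", "/report")


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def analyze(lines, per_ip_limit=30, expensive_limit=100):
    """Return (noisy_clients, expensive_floods).

    noisy_clients: {ip: requests} for any client above per_ip_limit in a minute.
    expensive_floods: {minute: (requests, distinct_ips)} for minutes in which
    the expensive paths received more than expensive_limit requests in total,
    whatever each individual client's rate was.
    """
    per_ip = Counter()
    expensive = Counter()
    expensive_ips = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, _method, path, _status = rec
        minute = when.replace(second=0)
        per_ip[(minute, ip)] += 1
        if path.startswith(EXPENSIVE):
            expensive[minute] += 1
            expensive_ips[minute].add(ip)
    noisy = {ip: n for (_m, ip), n in per_ip.items() if n > per_ip_limit}
    floods = {m.isoformat(): (n, len(expensive_ips[m]))
              for m, n in expensive.items() if n > expensive_limit}
    return noisy, floods


def sample_log():
    """Constructed access-log lines; not from any real server."""
    fmt = '{ip} - - [04/Mar/2011:09:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    # Five ordinary visitors: a page, its stylesheet and one search each.
    for i in range(1, 6):
        for sec, path in ((i, "/index.html"), (i + 1, "/style.css"), (i + 2, "/search?q=dos")):
            lines.append(fmt.format(ip=f"10.0.0.{i}", sec=sec, path=path, size=2048))
    # One loud client hammering a static page: the per-client limit catches it.
    for n in range(50):
        lines.append(fmt.format(ip="192.0.2.99", sec=n % 60, path="/index.html", size=2048))
    # Forty bots, five searches each: every bot looks like an ordinary user, and
    # only the total load on /search gives the flood away.
    for b in range(40):
        for n in range(5):
            lines.append(fmt.format(ip=f"198.51.100.{b + 1}", sec=(b + n) % 60,
                                    path=f"/search?q=bot{n}", size=8192))
    return lines


if __name__ == "__main__":
    noisy, floods = analyze(sample_log())
    print("Clients over the per-minute limit:", noisy)
    print("Minutes with an expensive-path flood:", floods)
```

The per-client limit catches only the single loud host; the forty bots stay under it, and the flood shows up solely as an aggregate jump in work on the expensive path spread across many distinct addresses. That is the detection problem the slide raises: the traffic is real HTTP from hosts that each look like a legitimate user.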
Final Observations
• Extremely potent
– Capable of knocking even the largest companies offline
• Costly to victims
– Services denied to e-commerce websites and public-safety systems
• Increasing risk of attacks
– More tools and resources are moving online
• High collateral damage
– Information systems are interdependent
– Hosts are either attacked or used to attack
References
• http://www.computerworld.com/s/article/9200521/Update_MasterCard_Visa_others_hit_by_DDoS_attacks_over_WikiLeaks
• http://www.reuters.com/article/2010/12/10/uk-wikileaks-cyberwarfareamateuridUSLNE6B902T20101210?feedType=RSS&feedName=everything&virtualBrandChannel=11563
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.understandingcomputers.ca/articles/grc/drdos_copy.html
• http://www.cis.udel.edu/~sunshine/publications/ccr.pdf
• http://www.sans.org/security-resources/idfaq/trinoo.php
• http://www.pcmag.com/article2/0,2817,2381486,00.asp
• http://www.nytimes.com/2009/08/08/technology/internet/08twitter.html?_r=2&hpw