Denial of service (DOS)


Denial of Service (DoS)
Overview
• Introduction
• Background
• Benchmarks and Metrics
• Requirements
• Summary of Methods
• Conclusion
Vijay C Uyyuru
Prateek Arora
Terry Griffin
What is a denial of service attack?
• When a denial of service (DoS) attack
occurs, a computer or a network user is
unable to access resources like e-mail and
the Internet. An attack can be directed at
an operating system or at the network.
[Diagram: DoS, showing the bad guy, a compromised host, the victim and third parties]
What is distributed denial of service?
• A distributed denial of service (DDoS)
attack is accomplished by using the
Internet to break into computers and using
them to attack a network. Hundreds or
thousands of computer systems across
the Internet can be turned into “zombies”
and used to attack another system or
website.
[Diagram: DDoS, showing the bad guy controlling a master agent, which directs slave agents (zombies, bots) on owned hosts against the victim(s), with third parties affected]
Brief history and trends
• DoS attacks started around the early ’90s.
• At the first stage they were quite "primitive", involving only one attacker consuming the victim's maximum bandwidth and denying others the ability to be served. This was done mainly by simple ping floods, SYN floods and UDP floods.
• These attacks had to be "manually" synchronized by many attackers in order to cause effective damage.
Brief history and trends (contd.)
• The shift to automating this synchronization and coordination, generating a massive parallel attack, became public in 1997 with the release of the first publicly available DDoS attack tool, Trinoo.
• In the following years a few more tools were published: TFN (Tribe Flood Network), TFN2K, and Stacheldraht ("barbed wire" in German).
Massive attack on public sites
• The subject came to public awareness only after a massive attack on public sites in February 2000. During a period of three days the sites of Yahoo.com, amazon.com, buy.com, cnn.com and eBay.com were under attack.
• Analysts estimated that Yahoo! lost $500,000 in e-commerce and advertising revenue when it was knocked offline for three hours.
Interesting Facts
• It turned out that about fifty computers at
Stanford University, and also computers at the
University of California at Santa Barbara, were
amongst the zombie computers sending pings in
these DoS attacks.
• A study during a period of three weeks in
February 2001 showed that there were about
4000 DoS attacks each week. Most DoS attacks
are neither publicized in the news media nor
prosecuted in courts.
How does an attack work?
• One way to attack a company’s network or
website is to flood its systems with
information.
• Web and e-mail servers can only handle a finite amount of traffic, and an attacker overloads the targeted system with packets of data.
Impact
• Denial-of-service attacks can essentially disable the computer or the network. Depending on the nature of the enterprise, this can disable your organization.
• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an “asymmetric attack”.
• For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Attack classification
• DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to cause the target to use more resources processing traffic than the attacker does sending the traffic. Another method is to control multiple attackers. DoS attacks can therefore be classified into three categories:
1. Bandwidth/Throughput Attacks
2. Protocol Attacks
3. Software Vulnerability Attacks
Bandwidth/Throughput Attacks
• Ping Flood Attack (ICMP echo)
• SYN Flood Attack (DoS attack)
• DDoS Attack (Distributed SYN Flood)
• UDP Flood Attacks
Ping Flood Attack
• An attempt by an attacker on a high
bandwidth connection to saturate a
network with ICMP echo request packets
in order to slow or stop legitimate traffic
going through the network.
SYN Flood Attack
DDoS Attack
• The idea behind this attack is focusing
Internet connection bandwidth of many
machines upon one or a few machines.
This way it is possible to use a large array
of smaller (or “weaker”) widely distributed
computers to create the big flood effect.
UDP Flood Attacks
• UDP is a connectionless, unreliable protocol that doesn't require session negotiation between the client and server application. UDP provides an easy-to-use interface for producing large quantities of packets.
• A common attack which exploits UDP simply floods the network with UDP packets destined for a victim's host. Due to the relative simplicity of this protocol, an attacker can produce large bandwidth consumption with relatively small effort.
Protocol Attacks
• Smurf Attack
• DNS name server Attack
Smurf Attack
• In this attack, spoofed IP packets containing
ICMP Echo-Request with a source address
equal to that of the attacked system and a
broadcast destination address are sent to the
intermediate network.
• Sending an ICMP Echo Request to a broadcast address triggers all hosts on that network to respond with an ICMP Echo Reply, creating a large mass of packets that are routed to the victim's spoofed address.
Smurf Attack (contd.)
DNS name server Attack
• The most common method seen involves an intruder
sending a large number of UDP-based DNS
requests to a Nameserver using a spoofed source
IP address. Any Nameserver response is sent back
to the spoofed IP address as the destination.
• In this scenario, the spoofed IP address represents
the victim of the denial of service attack. The
Nameserver is an intermediate party in the attack.
The true source of the attack is difficult for an
intermediate or a victim site to determine due to the
use of spoofed source addresses.
Software Vulnerability Attacks
• Land Attack
• Ping of Death Attack
• Fragmentation Attack and Teardrop Attack
Land Attack
• In this attack, an attacker sends spoofed TCP SYN packets, with the
same source and destination addresses as the victim's host
address.
• In some TCP/IP stack implementations those kinds of packets may
cause the victim's host to crash.
• Any remote user that can send spoofed packets to a host can crash
or "hang" that host.
• A possible defence against this attack is to block IP-spoofed packets. Attacks like those of the Land tool rely on forged packets, that is, packets where the attacker deliberately falsifies the source address. With current IP protocol technology it is impossible to eliminate IP-spoofed packets entirely. However, you can reduce the likelihood of your site's networks being used to originate forged packets by filtering outgoing packets whose source address does not belong to your internal network.
Ping of Death Attack
• Ping of Death is an attempt by an attacker
to crash, reboot or freeze a system by
sending an illegal ICMP (over IP) packet to
the host under attack.
• The TCP/IP specification allows for a maximum packet size of up to 65536 octets. In some TCP/IP stack implementations, encountering packets of greater size may cause the victim's host to crash.
Teardrop Attack
• A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host, which can cause a buffer overflow and possible system crash on many operating systems.
• Teardrop attacks target a vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP datagrams are larger than the maximum transmission unit (MTU) of a network segment across which the datagrams must traverse. In order to successfully reassemble packets at the receiving end, the IP header for each fragment includes an offset to identify the fragment's position in the original un-fragmented packet. In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields, causing the host to hang or crash when it tries to reassemble them.
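The two fragment-handling failures just described (Ping of Death and Teardrop) can both be caught before reassembly by checking the offsets a fragment set claims. The validator below is an added example, not code from the slides; it models fragments as constructed (offset, length, MF) tuples mirroring the IPv4 header fields and uses the 65535-octet limit of the 16-bit total-length field.

```python
from dataclasses import dataclass
from typing import List, Tuple

IPV4_MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 total-length field can express

@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as the receiver sees it (constructed model, not a parsed packet)."""
    offset_units: int   # 13-bit fragment offset from the IPv4 header, in 8-octet units
    payload_len: int    # octets of data carried by this fragment
    more: bool          # MF flag: set on every fragment except the last

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:   # exclusive end of this fragment's data in the reassembled datagram
        return self.start + self.payload_len

def check_fragments(frags: List[Fragment]) -> List[Tuple[str, str]]:
    """Validate a fragment set before reassembly; returns (kind, detail) findings, empty if clean."""
    findings: List[Tuple[str, str]] = []
    covered_end = 0  # highest byte offset already claimed by an earlier fragment
    for f in sorted(frags, key=lambda g: g.start):
        # Ping of Death: the reassembled datagram would exceed the 65535-octet IPv4 limit.
        if f.end > IPV4_MAX_DATAGRAM:
            findings.append(("oversize", f"fragment at {f.start} ends at {f.end}"))
        # Teardrop: this fragment's data overlaps data an earlier fragment already supplied;
        # the classic variant lies entirely inside the previous fragment ("contained").
        if f.start < covered_end:
            kind = "contained" if f.end <= covered_end else "overlap"
            findings.append((kind, f"fragment [{f.start}, {f.end}) vs data covered to {covered_end}"))
        covered_end = max(covered_end, f.end)
    return findings

def reassembles_safely(frags: List[Fragment]) -> bool:
    """Policy a hardened stack can apply: drop the whole datagram on any finding."""
    return not check_fragments(frags)

# Constructed sample sets (values chosen for the demo, not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 500, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(3, 4, False)]              # 2nd lies inside the 1st
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8191, 100, False)]  # ends past 65535
```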
How to handle DoS
• Protecting – Among the aspects of protecting our systems and our business are looking at network design, discussing our agreement with our ISP, putting detection mechanisms and a response plan in place, and perhaps taking out an insurance policy. Proper preparation is essential for effective detection and reaction. Unfortunately, some sites begin their cycle with detection and reaction, triggering preparation steps only after a “lessons learned” experience.
• Detecting – Our ability to detect attacks directly affects our ability to react appropriately and to limit damage. Among the approaches we can take are instituting procedures for analyzing logs and using automated intrusion detection systems.
• Reacting – Reaction steps, hopefully put in place as part of preparing for an attack, include following our response plan, implementing specific steps based on the type of attack, calling our ISP, enabling backup links, moving content, and more. Technical steps include traffic limiting, blocking, and filtering.
Summary
DoS attack types:
• Flood attacks
• Logic / software attacks
Flood attacks:
• TCP SYN flood attack
• Smurf IP attack
• UDP flood attack
• ICMP flood attack
TCP SYN Flood Attack
Taking advantage of a flaw in the TCP three-way handshake, an attacker makes connection requests to the victim server using packets with unreachable source addresses. The server is not able to complete the connection requests and, as a result, the victim wastes all of its network resources. A relatively small flood of bogus packets will tie up memory, CPU, and applications, resulting in the server shutting down.
Graphic: http://www.narizone.it/sezioni/firewall/Immagini/SYN_sequence.gif
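The log-analysis step from "How to handle DoS" can be made concrete for the patterns the slides describe: the Land packet (source equals destination), the egress filter against forged source addresses, the Smurf trigger (echo request to a directed broadcast), and the half-open connections of a SYN flood. The triage below is an added example, not from the deck; the log format, the two internal /24 prefixes and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple
from typing import Dict, List

# Assumed site layout: two internal /24s; every other address is external.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.2.0/24", "10.9.9.0/24")]
SYN_THRESHOLD = 3  # half-open SYNs to one host before alerting; kept low for the sample
# Constructed sample log, assumed format "ts dir proto src dst flags" (not real traffic).
SAMPLE_LOG = """\
1 in  tcp 198.51.100.7 10.9.9.9 S
2 out tcp 10.9.9.9 198.51.100.7 SA
3 in  tcp 198.51.100.7 10.9.9.9 A
4 in  tcp 203.0.113.5 10.9.9.9 S
5 in  tcp 203.0.113.6 10.9.9.9 S
6 in  tcp 203.0.113.7 10.9.9.9 S
7 in  tcp 10.1.2.3 10.1.2.3 S
8 out udp 192.0.2.4 198.51.100.7 -
9 in  icmp-echo 203.0.113.8 10.1.2.255 -
"""
Pkt = namedtuple("Pkt", "ts direction proto src dst flags")

def parse_log(text: str) -> List[Pkt]:
    pkts = []
    for line in text.splitlines():
        if line.strip():
            ts, d, proto, src, dst, flags = line.split()
            pkts.append(Pkt(int(ts), d, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), flags))
    return pkts

def triage(pkts: List[Pkt]) -> Dict[str, List[str]]:
    """One rule per pattern from the slides; values are offending 'src->dst' pairs or flooded hosts."""
    hits: Dict[str, List[str]] = {"land": [], "egress_spoof": [], "smurf_trigger": [], "syn_flood": []}
    pending = Counter()  # (src, dst) -> SYNs not yet followed by that client's handshake ACK
    for p in pkts:
        pair = f"{p.src}->{p.dst}"
        if p.src == p.dst:                                   # Land: source equals destination
            hits["land"].append(pair)
        if p.direction == "out" and not any(p.src in n for n in INTERNAL_SUBNETS):
            hits["egress_spoof"].append(pair)                # egress filter: forged source leaving the site
        if p.proto == "icmp-echo" and any(p.dst == n.broadcast_address for n in INTERNAL_SUBNETS):
            hits["smurf_trigger"].append(pair)               # echo request aimed at a directed broadcast
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            pending[(p.src, p.dst)] += 1                     # new half-open connection
        elif p.proto == "tcp" and "A" in p.flags and "S" not in p.flags and pending[(p.src, p.dst)]:
            pending[(p.src, p.dst)] -= 1                     # handshake completed, no longer half-open
    per_host = Counter()
    for (_, dst), n in pending.items():
        per_host[dst] += n
    hits["syn_flood"] = [str(h) for h, n in per_host.items() if n >= SYN_THRESHOLD]
    return hits
```

Running `triage(parse_log(SAMPLE_LOG))` flags one hit per rule; in production the SYN count would be kept per time window and the threshold tuned to the site's normal connection rate.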
Smurf IP Attack
An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.
UDP Flood Attack
UDP is a connectionless protocol and does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that no application is waiting on the port, it will generate an ICMP destination unreachable packet to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.
ICMP Flood Attack
An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic.
Logic / software attacks:
• Ping of Death
• Teardrop
• Land
• Echo/Chargen
Ping of Death
[Figure: expected packet size vs. actual packet size]
An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to the victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may be crashed or rebooted as a result.
Teardrop
An attacker sends two fragments that cannot be reassembled properly, by manipulating the packet offset value, causing the victim system to reboot or halt. Many other variants such as targa, SYNdrop, Boink, Nestea, Bonk, TearDrop2 and NewTear are available.
Land
[Figure: packet with source and destination address both 198.215.34.56]
An attacker sends a forged packet with the same source and destination IP address. The victim system becomes confused and crashes or reboots.
Echo/Chargen
• The character generator (CharGen) service is primarily used for testing purposes.
• Remote users/intruders can abuse this service by exhausting system resources.
• Spoofed network sessions that appear to come from the local system's echo service can be pointed at the CharGen service to form a "loop."
• This session will cause huge amounts of data to be passed in an endless loop, placing a heavy load on the system.
• When this spoofed session is pointed at a remote system's echo service, this denial of service attack will cause heavy network traffic/overhead that considerably slows your network down.
Conclusion / Question
What makes DoS attacks possible?
Conclusion
• Susceptibility to attacks could be alleviated with better Internet architectures (the goal of this class).
• Don’t leave all the decision making to the machines on either end of a connection.
• Provide ‘intelligent’ support along the path (e.g. no blind forwarding of packets).
• Create “hardened” networks.
Questions