Simulation and Analysis of DDos Attacks


Simulation and Analysis of DDos Attacks
2012 – International Conference on Emerging Trends in Science, Engineering and Technology
Poongothai, M, Department of Information Technology, Institute of Road and Transport Technology, Erode, Tamilnadu, India
Sathyakala, M, Department of Information Technology, Institute of Road and Transport Technology, Erode, Tamilnadu, India
Speaker: 101061555 鍾國君
Outline
• Introduction to DDoS Attacks
• DDoS Attack Architecture
• Advantages of DDoS Attacks
• Four Phases of Bot Installation
• DDoS Attack Methods
• DDoS Defenses
• Simulation
• Conclusion
Introduction to DDoS Attacks

• Distributed Denial of Service (DDoS)
◦ Overloads the targeted server with useless traffic, crashes the server and leaves it unable to communicate properly with legitimate users.
◦ Consumes mainly the victim's bandwidth, processing capacity and storage capacity.
◦ May need human intervention before service resumes.
DDoS Attack Architecture
[diagram slide; the architecture figure is not preserved in this transcript]
Advantages of DDoS Attacks

• Simple
◦ No sophisticated mechanisms are needed.
◦ A single hacker can carry it out.

• Difficult to trace
◦ Multi-tiered structure.
◦ IP source spoofing.

• Similar to legitimate traffic
◦ Attack streams from numerous machines converge only near the victim, so upstream each stream looks ordinary.

• Robust
◦ The attack continues even if one node is taken down.
Four Phases of Bot Installation

• What is a bot?
◦ A program that automatically operates as a user or on behalf of another program.
◦ Installed on the internal-node computers called "handlers" or "agents".
◦ Waits for the hacker to initiate the attack remotely.
Four Phases of Bot Installation (continued)

1. Scanning
◦ Already-installed bots scan large numbers of computers for security flaws.

2. Exploitation
◦ Susceptible hosts are found, and the compromised hosts are listed.

3. Deployment
◦ The "handler software" is installed on the compromised hosts.

4. Propagation
◦ Each handler then scans for further vulnerable hosts and compromises them; these become the "agents" (also called daemons).
DDoS Attack Methods

• Methods
◦ Smurf floods
▪ Flood the network with ICMP ECHO requests carrying the victim's address as the source, so that the victim is filled with ping responses.
◦ ICMP floods
▪ The attacker generates a large number of ICMP ECHO packets directed at the victim; the victim ends up busy replying to all the ECHO requests.
◦ UDP/TCP floods
▪ Send a large number of UDP/TCP packets to the victim and tie up the available network bandwidth.
◦ TCP SYN floods
▪ Never send the final ACK of the handshake, so that the victim wastes the buffer it allocated for each half-open connection.
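To make the SYN-flood point concrete from the victim's side, here is a small Python model added for this transcript (it is not code from the paper; the backlog size, half-open timeout and arrival rates are constructed values). It tracks the server's table of half-open connections tick by tick: legitimate clients send their final ACK after `rtt` ticks and free their slot, attack sources never do, so their slots are held until the half-open timeout reclaims them. Running it with a long timeout versus a short one, or with a larger backlog (the "resource multiplication" countermeasure discussed later), shows how much of the legitimate connection attempts still succeed.

```python
"""Toy SYN-backlog model. Added example for this transcript, not the paper's
code; backlog size, timeout and arrival rates used below are constructed."""


def simulate_syn_flood(capacity, timeout, rtt, legit_rate, attack_rate, ticks):
    """Return how many legitimate SYNs were accepted/dropped over `ticks`.

    capacity    -- number of half-open connections the server can hold
    timeout     -- ticks after which an un-ACKed half-open entry is reclaimed
    rtt         -- ticks a legitimate client needs to send its final ACK
    legit_rate  -- legitimate SYNs arriving per tick
    attack_rate -- attack SYNs arriving per tick (their ACK never comes)
    """
    backlog = []          # one entry per occupied slot: the tick at which it frees
    accepted = dropped = 0
    for now in range(ticks):
        # reclaim completed handshakes and timed-out half-open entries
        backlog = [free_at for free_at in backlog if free_at > now]
        # pessimistic ordering: attack SYNs reach the server first each tick
        for _ in range(attack_rate):
            if len(backlog) < capacity:
                backlog.append(now + timeout)   # slot held until the timeout
        for _ in range(legit_rate):
            if len(backlog) < capacity:
                backlog.append(now + rtt)       # slot freed once the ACK arrives
                accepted += 1
            else:
                dropped += 1                    # backlog full: SYN is dropped
    total = accepted + dropped
    return {
        "legit_accepted": accepted,
        "legit_dropped": dropped,
        "legit_success_rate": accepted / total if total else 1.0,
    }


if __name__ == "__main__":
    # same offered load, different half-open timeouts (constructed values)
    for timeout in (30, 3):
        result = simulate_syn_flood(capacity=128, timeout=timeout, rtt=1,
                                    legit_rate=10, attack_rate=20, ticks=60)
        print(f"timeout={timeout:>2} ticks: {result}")
```

With a 128-entry backlog, 20 attack SYNs per tick and a 30-tick timeout, the table is full after six ticks and nearly all later legitimate attempts are dropped; cutting the timeout to 3 ticks (or raising the backlog to a few thousand entries) lets every legitimate client in, which is the whole rationale behind short half-open timers and SYN-cookie style designs that avoid holding state at all.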
DDoS Attack Methods (continued)

• Dynamics
◦ Application attacks
◦ Protocol attacks
◦ Operating system attacks
◦ Host attacks
◦ Network attacks
◦ Infrastructure attacks
DDoS Defense

• Classification
◦ Preventive
▪ Eliminate the vulnerabilities in the system and prevent the attacker from gaining a group of zombie machines.
◦ Survival
▪ Increase the victim's resources so that it survives during the attack.
◦ Responsive
▪ Stop the attack streams from affecting the victim.

• Strategy
◦ Agent identification
▪ Who is attacking?
◦ Rate limiting
▪ Impose a rate limit on the incoming streams.
◦ Filtering
▪ Filter out the attack streams.
◦ Reconfiguration
▪ Change the topology of the network near the victim.

• Countermeasures
◦ Path isolation
▪ Routers isolate the traffic path, and this information can be used to deploy filters along that path.
◦ Privileged customer
▪ Customers that regularly communicate with the server get first priority.
◦ Traffic baselining
▪ Filter the traffic when some traffic parameter exceeds its expected value.
◦ Resource multiplication
▪ Deploy more resources to sustain large attacks.
◦ Legitimate traffic inflation
▪ Multiply the legitimate traffic.
Simulation

• Three considerations
◦ DDoS attack traffic
◦ Legitimate traffic
◦ Network topology

• Software used: NS2
◦ Can replicate the threats of interest in a secure, isolated environment.
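The "traffic baselining", "rate limiting" and "privileged customer" countermeasures from the defense slides, applied inside a tiny flow-level simulation built from the three inputs listed above (attack traffic, legitimate traffic, topology). This is an added Python example written for this transcript, not the paper's NS2 scripts: the link capacity, client and agent counts, rates, the alarm factor and the newcomer cap are all constructed, the topology is reduced to a single bottleneck link in front of the victim, and packet loss on that link is approximated as proportional loss whenever offered load exceeds capacity.

```python
"""Flow-level DDoS simulation with baseline-driven rate limiting.
Added example, not the paper's NS2 scripts; every number is constructed."""
from statistics import mean

LINK_CAPACITY = 1000     # packets/tick the victim's access link can carry
BASELINE_FACTOR = 2.0    # alarm when a parameter exceeds 2x its expected value
NEWCOMER_CAP = 5         # packets/tick granted to sources absent from the baseline


def deliver(demand, capacity):
    """Bottleneck link: if offered load exceeds capacity, every source loses
    the same fraction (a proportional-drop approximation of a drop-tail queue)."""
    total = sum(demand.values())
    if total <= capacity:
        return dict(demand)
    scale = capacity / total
    return {src: rate * scale for src, rate in demand.items()}


def learn_baseline(window):
    """Expected per-source and aggregate rates from quiet-time observations.
    `window` is a list of per-tick {source: packets} dicts."""
    sources = set().union(*window)
    per_source = {s: mean(tick.get(s, 0) for tick in window) for s in sources}
    aggregate = mean(sum(tick.values()) for tick in window)
    return per_source, aggregate


def is_anomalous(demand, aggregate_baseline):
    """Traffic baselining: the monitored parameter here is total offered load."""
    return sum(demand.values()) > BASELINE_FACTOR * aggregate_baseline


def rate_limit(demand, per_source_baseline):
    """Rate limiting with a privileged-customer flavour: sources seen during
    the quiet window may burst to BASELINE_FACTOR x their usual rate; sources
    never seen before (here, the attack agents) get only NEWCOMER_CAP."""
    limited = {}
    for src, rate in demand.items():
        usual = per_source_baseline.get(src)
        cap = BASELINE_FACTOR * usual if usual is not None else NEWCOMER_CAP
        limited[src] = min(rate, cap)
    return limited


def simulate(ticks, defended):
    """Run `ticks` rounds and report legitimate goodput and attack leakage."""
    clients = {f"client{i}": 20 for i in range(10)}    # 200 pkt/tick, legitimate
    agents = {f"agent{i}": 100 for i in range(20)}     # 2000 pkt/tick, attack
    per_source, aggregate = learn_baseline([clients] * 5)   # quiet window
    legit_offered = legit_delivered = attack_delivered = 0.0
    for _ in range(ticks):
        demand = {**clients, **agents}                 # all streams converge here
        if defended and is_anomalous(demand, aggregate):
            demand = rate_limit(demand, per_source)    # responsive defense kicks in
        got = deliver(demand, LINK_CAPACITY)
        legit_offered += sum(clients.values())
        legit_delivered += sum(got[c] for c in clients)
        attack_delivered += sum(got[a] for a in agents)
    return {
        "legit_goodput": legit_delivered / legit_offered,
        "attack_delivered_per_tick": attack_delivered / ticks,
    }


if __name__ == "__main__":
    print("undefended:", simulate(10, defended=False))
    print("defended:  ", simulate(10, defended=True))
```

Undefended, the twenty agents offer ten times the legitimate load and the link gives every source the same fraction, so legitimate clients keep under half of their traffic. Defended, the aggregate baseline trips the alarm, known clients keep their full rate and the unknown agents are capped, which brings offered load back under link capacity. The cap on unseen sources is the simplifying assumption standing in for the "privileged customer" idea; in a quiet period the alarm never trips and nothing is limited, which is the property a baselining defense needs so that it does not itself deny service.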
Conclusion

• Evolution in intruder tools will continue.

• Even if one's own system/network is robust, others may not be; thus the security issue still exists.