Countermeasures to Denial-of-Service
By Steve Shenfield
COSC 480
Definition
Incidents
Damages
Defense Mechanisms
• Firewalls/Switches/Routers
• Routing Techniques (Blackholing/Sinkholing)
• Clean Pipes
• Intrusion Prevention Systems (IPS)
Conclusion
Denial-of-Service
A malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to its customers.
• ex) inability to log in to an account or access a website
Targeted resources: bandwidth, CPU, memory, disk capacity, or any combination
September 1996 - the very first DoS attack occurred against Panix (New York ISP) using a SYN flood
January 2001 - first major attack involving DNS servers, against Register.com
February 2007 - over 10,000 online game servers attacked by the group RUS
December 2010 - a group called “Anonymous” successfully attacked Mastercard.com, PayPal, and Visa.com but failed against Amazon.com
Types of incidents experienced, by percentage of respondents (2007 / 2008 / 2009):
                    2007  2008  2009
Password Sniffing     10     9    17
Financial Fraud       12    12    20
Zombies               21    20    23
Denial of Service     25    21    29
Virus                 52    50    64
Source: 2009 CSI Computer Crime and Security Survey, 185 respondents
How much does a successful DoS attack cost?
• Estimated at $122,000 per attack in 2004
• Up to 32 hours for security personnel to counteract the damage done
Interruption to services may negatively impact customer satisfaction and trust
Losses by incident type, year 2007 (CSI 2007 Computer Crime and Security Survey, 194 respondents, total losses ≈ $45.6 million):
Financial Fraud                  $21,124,750
Virus (Worms/Spyware)             $8,391,800
System Penetration by Outsider    $6,875,000
Denial of Service                 $2,888,600
Zombies within Organization       $2,869,600
Sabotage of Data or Networks      $1,056,000
Telecom Fraud                       $600,000
Password Sniffing                   $168,100
Blackmail                           $160,000
For Users
• Install system security mechanisms
• Protect yourself from being a zombie
For Businesses
• Security companies can guard a client’s network
ex) Prolexic Technologies
Firewalls
Pros
Will prevent simple flood attacks
• ex) SYN flood
Able to allow or deny protocols, ports, or IP addresses
Cons
Unable to prevent more complex attacks
Switches & Routers
Pros
Both have the ability to limit data rate
Both have network Access Control Lists
• ACLs are custom router filters
• Able to filter both inbound and outbound traffic
Cons
Most can be easily overwhelmed
Blackholing
Attempts to mitigate the impact of an attack
Redirects traffic from the attacked DNS name or IP address to a “black hole”
• Then all traffic will be dropped
Must know the IP address of the attacker, or else legitimate traffic will be dropped as well
Sinkholing
Routes suspicious traffic to a valid IP address where it can be analyzed
Capturing traffic and analyzing it can be done with a sniffer
• Traffic found to be malicious is rejected
Cons
Unable to react to severe attacks as effectively as blackholing
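The trade-off between blackholing and sinkholing described above, as an added Python simulation that is not part of the presentation: a destination blackhole stops the flood but drops the victim's legitimate clients too, a source blackhole only works if the attacker list is accurate, and a sinkhole can clear a flagged source after analysis. All addresses are constructed (documentation ranges), and the "more than N bare SYNs" heuristic is an assumption made for the example.

```python
from collections import Counter
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # constructed victim address (TEST-NET-3 range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # TCP flags: "S" = bare SYN, "A" = ACK, "PA" = PSH+ACK
    legit: bool  # ground truth, used only to score the policies

# Constructed sample: one ordinary client, one busy NAT/proxy (many SYNs but
# it completes its handshakes), and two flood sources sending bare SYNs only.
SAMPLE = (
    [Packet("198.51.100.7", VICTIM, f, True) for f in ("S", "A", "PA")]
    + [Packet("198.51.100.9", VICTIM, f, True) for _ in range(15) for f in ("S", "A")]
    + [Packet("192.0.2.50", VICTIM, "S", False) for _ in range(20)]
    + [Packet("192.0.2.51", VICTIM, "S", False) for _ in range(20)]
)

def blackhole_destination(packets, victim):
    """Null-route the victim: every packet addressed to it is dropped."""
    return [p for p in packets if p.dst != victim]

def blackhole_sources(packets, attacker_ips):
    """Drop only packets whose source is on the attacker list."""
    return [p for p in packets if p.src not in attacker_ips]

def suspicious_sources(packets, syn_threshold=10):
    """SYN-flood heuristic (assumed): sources sending more bare SYNs than the threshold."""
    syns = Counter(p.src for p in packets if p.flags == "S")
    return {src for src, n in syns.items() if n > syn_threshold}

def sinkhole(packets, syn_threshold=10):
    """Divert suspicious sources to analysis; forward only what analysis clears."""
    suspects = suspicious_sources(packets, syn_threshold)
    diverted = [p for p in packets if p.src in suspects]
    # Analysis step: a source that also sends ACKs completed handshakes, so it
    # behaves like a real client; a source that only ever sends SYNs does not.
    cleared = {p.src for p in diverted if p.flags != "S"}
    return [p for p in packets if p.src not in suspects or p.src in cleared]

def score(forwarded):
    """Return (legitimate packets delivered, attack packets delivered)."""
    return (sum(p.legit for p in forwarded), sum(not p.legit for p in forwarded))
```

With no defense the victim receives all 40 flood packets; the destination blackhole delivers nothing at all, a source blackhole fed by the naive heuristic also drops the legitimate proxy, and the sinkhole forwards all 33 legitimate packets and none of the flood.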
Clean Pipes
Best used when deployed inside the ISP
When an attack occurs, traffic is diverted to a cleaning center in the ISP
• Here the traffic is “cleaned” by specialized filtering devices and malicious activity is removed
• Only legitimate traffic is passed to the destination
Intrusion Prevention System (IPS)
Monitors network traffic for malicious activity
• Scans both inbound and outbound traffic
• Searches for suspicious patterns known as signatures or rules
The system logs malicious activity and will attempt to stop it
What have we learned?
• DoS Definition
• Brief History of Notable Attacks
• Damages/Losses for a Business
• Protect yourself from becoming a Zombie
• Defense Mechanisms
http://cisco.com/web/about/ac123/ac147/archived_issued/ipj_74/dos_attacks.html
http://docs.google.com/viewer?a=v&q=cache:Gs5vmKHFfpUJ:pathmaker.biz/whitepapers/CSISurvey2009.pdf
http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
www.tik.ee.ethz.ch/~ddosvax/talks/ddos_td.pdf
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.csoroundtable.org/knowledge/there-business-caseit-security
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://csdl2.computer.org/comp/mags/ic/2009/06/mic2009060010.pdf