CIS 450 – Network Security

Chapter 6 – Denial of Service Attacks
• Definition – an attack through which a person can render a system unstable or significantly slow down the system for legitimate users by overloading the resources so no one else can access it
• Can be deliberate or accidental
• Most operating systems, routers, and network components that have to process packets at some level are vulnerable to DoS attacks

Types of DoS Attacks
• Crashing a system or network
  ◦ Send the victim unexpected data or packets that cause the system to crash or reboot (Sasser worm)
  ◦ Can render a system inaccessible with a couple of packets
• Flooding the system or network
  ◦ Attacker floods the network with far more information/packets than it can handle
  ◦ More work for the attacker

Types of DoS Attacks
• Distributed DoS Attack (DDoS)
  ◦ A traditional DoS attack involves a single machine launching the attack
  ◦ In DDoS an attacker breaks into several machines, or coordinates with several friends, to launch an attack against a target machine or network at the same time
  ◦ More difficult to block or detect
• Things can be done to minimize the DoS threat, but it is almost impossible to be 100% safe

Types of DoS Attacks
• Ping of Death
  ◦ Affects Most Operating Systems
  ◦ Technically speaking, the Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. ICMP (Internet Control Message Protocol) ping utilities often included large-packet capability and became the namesake of the problem, although UDP and other IP-based protocols also could transport Ping of Death.
  ◦ Operating system vendors quickly devised patches to avoid the Ping of Death. Still, many Web sites today block ICMP ping messages at their firewalls to avoid similar denial of service attacks.

Types of DoS Attacks
• SSPing
  ◦ Microsoft Windows 95 & NT
  ◦ The attack is designed to crash your system by sending invalid IP fragments at it. The receiving system locks up when it tries to put the fragments together.
  ◦ Defense
    ▪ Most firewalls will automatically filter out these packets.
    ▪ Microsoft security patches

Types of DoS Attacks
• Land Exploit
  ◦ Most operating systems
  ◦ A SYN packet in which the source address and port are the same as the destination
  ◦ Relies on the use of forged packets, that is, packets where the attacker deliberately falsifies the origin address
  ◦ Defense
    ▪ Apply vendor patches
    ▪ Install filtering on your routers that requires packets leaving your network to have a source address from your internal network. This type of filter prevents a source IP spoofing attack from your site by filtering all outgoing packets that contain a source address from a different network
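
The header checks described on the Ping of Death and Land Exploit slides above, plus the egress filter the Land defense calls for, as an added Python illustration that is not part of the original lecture. The Packet model, the fragment bookkeeping and the 192.0.2.0/24 internal prefix are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IP_MAX_LEN = 65535  # largest legal IP datagram: the total-length field is 16 bits


@dataclass
class Packet:
    """Header fields a perimeter filter needs (constructed model, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    frag_offset: int = 0   # fragment offset in 8-byte units, as in the IP header
    payload_len: int = 0   # bytes of data carried by this fragment


def fragment_end(frag: Packet) -> int:
    """Byte position at which this fragment's data would end after reassembly."""
    return frag.frag_offset * 8 + frag.payload_len


def is_ping_of_death(fragments: list) -> bool:
    """Reassembled datagram would exceed 65,535 bytes: reject before reassembling."""
    return max(fragment_end(f) for f in fragments) > IP_MAX_LEN


def is_land(pkt: Packet) -> bool:
    """SYN whose source address and port equal its destination address and port."""
    return pkt.syn and pkt.src == pkt.dst and pkt.sport == pkt.dport


def egress_allowed(pkt: Packet, internal_net: str) -> bool:
    """Packets leaving the network must carry a source address from inside it."""
    return ip_address(pkt.src) in ip_network(internal_net)


def verdict(pkt: Packet, internal_net: str, outbound: bool) -> str:
    """Apply the single-packet checks; returns 'allow' or the reason for dropping."""
    if is_land(pkt):
        return "drop: land (source equals destination)"
    if outbound and not egress_allowed(pkt, internal_net):
        return "drop: spoofed source on egress"
    return "allow"


# Constructed sample traffic (documentation addresses, not from the lecture)
INTERNAL_NET = "192.0.2.0/24"
LAND_PKT = Packet("192.0.2.10", 139, "192.0.2.10", 139, syn=True)
SPOOFED_PKT = Packet("203.0.113.7", 40000, "198.51.100.5", 80, syn=True)
# 64 fragments of 1,024 bytes reassemble to 65,536 bytes, one byte over the limit
OVERSIZED = [Packet("203.0.113.9", 0, "192.0.2.10", 0, frag_offset=i * 128, payload_len=1024)
             for i in range(64)]
```

The fragment check runs on offsets alone, so an oversized set is rejected before any reassembly buffer is allocated, which is the behaviour the slide credits to "carefully programmed operating systems".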

Types of DoS Attacks
• Smurf
  ◦ Involves forged ICMP packets sent to a broadcast address
  ◦ Most OSs and routers
  ◦ http://www.networkcommand.com/docs/smurf.html
• SYN Flood
  ◦ Most Operating Systems
  ◦ http://www.networkcommand.com/docs/synflood.doc

Types of DoS Attacks
• CPU Hog
  ◦ Microsoft NT
• WinNuke
  ◦ Most Microsoft OSs
  ◦ Test if your machine is vulnerable: http://www.jtan.com/resources/winnuke.html
• RPC Locator
  ◦ Microsoft NT
  ◦ http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q193/2/33.asp&NoWebContent=1

Types of DoS Attacks
• Jolt2
  ◦ Operating Systems: Numerous
  ◦ http://www.bindview.com/Support/RAZOR/Advisories/2000/adv_Jolt2.cfm
• Bubonic
  ◦ Operating System: Windows 98/2000
• Microsoft Incomplete TCP/IP Packet Vulnerability
  ◦ Operating System: Windows NT/ME/9x
  ◦ http://www.microsoft.com/technet/security/bulletin/MS00-091.mspx

Types of DoS Attacks
• HP OpenView Node Manager SNMP DoS Vulnerability
  ◦ Operating System: Various
• NetScreen Firewall DoS Vulnerability
  ◦ Operating Systems: Various NetScreen ScreenOSs
  ◦ http://www.secureroot.com/security/advisories/9790497270.html

Tools for Running Attacks
• DoS Attacks
  ◦ Master List
    ▪ http://www.cotse.com/dos.htm
  ◦ Targa
    ▪ http://www.cotse.com/sw/dos/misc/targa.c
• DDoS Attacks
  ◦ Tribal Flood Network 2000 (TFN2K)
  ◦ Trinoo, http://www.donkboy.com/html/stuff.htm
  ◦ Stacheldraht

Preventing DoS Attacks
• Effective Robust Design
  ◦ Build redundancy and robustness into the system
  ◦ Have multiple connections to the Internet and connections from multiple geographic locations
  ◦ Have services at different locations
  ◦ The more machines and connections a company has, the harder it is to mount an effective DoS attack
• Bandwidth Limitations
  ◦ Limit your bandwidth based on protocol
• Keep Systems Patched
• Run the least amount of services
  ◦ Windows 2000 Server has 100 services

Preventing DoS Attacks
• Allow only necessary traffic
  ◦ Concentrates on your perimeter – mainly your router and firewall
  ◦ Make sure that your firewall allows only necessary traffic in and out of your network
  ◦ Most routers have firewall rulesets that you can add to the IOS. These can provide backup and checking for the firewall and help offload some filtering from the firewall
  ◦ Block IP addresses

Preventing DDoS Attacks
• Keep the network secure
• Install an Intrusion Detection System
  ◦ Network-based
    ▪ A passive device that sits on the network and sniffs all packets crossing a given network segment
    ▪ Looks for signatures that indicate a possible attack and sets off alarms on questionable behavior
  ◦ Host-based
    ▪ Runs on an individual server and actively reviews the audit log looking for possible indications of an attack
• IDS technologies
  ◦ Pattern matching – database of signatures of known attacks. Sets off an alarm for a given pattern.
  ◦ Anomaly detection – determines what is normal for a network, and any traffic that is not normal is flagged as suspicious

Preventing DDoS Attacks
• Use scanning tools
• Run zombie tools