Defensive Measures on DDoS
Defensive Measures for DDoS
By Farhan Mirza
Contents
Survey Topics
Introduction
Common Target of DoS Attacks
DoS Tools
Defensive Measures & Their Vulnerabilities
Honeypot for DDoS
Honeypot implementation
Issues & Concerns
Conclusion
Survey Topics
Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
Paper 2: Honeypots for Distributed Denial of Service Attacks
Introduction
DoS attacks: weapons of mass destruction
Paralyze Internet systems with bogus traffic
4th major attack in 2001 – Computer Crime & Survey Report
Attacks on Targets
Attacking tools are becoming more offensive
More difficult to discover and filter
Powerful automatic scanning and observation of the target’s vulnerabilities
Methods used: TCP SYN, UDP, ICMP flooding, etc.
Includes viruses and worms: MS-SQL Server worm, Code Red, etc.
Code Red Worm Attack
Common Target of DoS Attacks
Bandwidth DoS attacks
Memory DoS attacks
Computation DoS attacks
Bandwidth DoS Attacks
Target: bandwidth
Example: Slammer (MS-SQL Server worm)
Self-propagating malicious code
Employs multiple vulnerabilities of the SQL Server Resolution Service
Memory DoS Attacks
Target: memory
Backscatter analysis (Moore investigation):
94% of DoS attacks occur over the TCP protocol
49% of attacks are TCP SYN attacks targeting the 3-way handshake
2% on UDP
2% on ICMP
Memory DoS Attacks (Cont.)
Every TCP connection establishment requires an allocated memory resource
Only a limited number of concurrent TCP half-open connections can be held
Attacker can disable the service by sending an excessive number of connection requests with spoofed source addresses
Computation DoS Attacks
Target: computational resources
Example: database query attacks
A sequence of queries requesting the DBMS to execute complex commands, overwhelming the CPU
Software Bugs & Exploits
Exploit on 7xx routers: connecting with Telnet and typing very long passwords
Effects: reboot of the router; service denied to users during the reboot period
Software Bugs & Exploits (Cont.)
Smurf DoS bug: uses ICMP Echo Request packets with a spoofed source address
Effects: all machines on the subnet reply directly to the victim’s address; congestion in the victim’s network connection
DoS Tools
Trin00
TFN – Tribe Flood Network
Stacheldraht – “Barbed Wire”
Trin00
Distributed attacking tool
Installed on intermediate hosts using a buffer overrun bug
Compiled on Linux and Solaris operating systems
Capable of generating UDP packets for the attack
Target ports: 0 to 65534
TFN – Tribe Flood Network
Launches Distributed Denial of Service attacks
Installed on intermediate hosts, based on a buffer overrun bug
Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks
Compiled on Linux and Solaris operating systems
Stacheldraht (“barbed wire”)
Combines features of Trin00 and TFN
Capable of producing ICMP flood, SYN flood, UDP flood and Smurf attacks
ICMP, UDP and TCP SYN packets of sizes up to 1024 bytes against multiple victim hosts
TCP SYN packets are generated against random ports taken from a selected range of port numbers
DDoS Pattern
Scanning of large ranges for potentially vulnerable targets
Setting up a stolen account as a repository for attack tools
Creation of a script to perform the exploit and to report the results
Choice of a subset of suitable compromised servers from the list
Script-automated installation of the needed tools on the compromised servers
Optional installation of a rootkit to hide the compromise
Defensive Measures
System Self Defense
Stop all unnecessary or non-essential system services and network ports
Reduce the timeout period for simultaneous half-open connections
Vulnerability:
Reconfiguration may delay, or even deny, legitimate access
Leads to a potential increase in resource usage
Packet Filtering
Most popular defensive mechanism
Selectively screens out suspicious or malicious packets
Is itself a deformed kind of DoS: it denies the screened traffic
Vulnerability:
If manipulated or abused, it is the most convenient way to accomplish a DoS attack
Packet Filtering (Cont.)
Types of Packet Filtering
Egress/Ingress filtering
Manages the flow inside and outside the network
Ingress: used to block packets with spoofed source addresses
Egress: manages the flow of traffic as it leaves a network
Vulnerability:
Effective only if used on a large scale
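Ingress and egress filtering as described on this slide, as an added Python example that is not part of the original deck: inbound packets claiming a source inside the site’s own prefix (or a private/reserved range) are dropped, and only packets from the site’s own prefix may leave. The prefix 192.0.2.0/24 and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed example: the site's own public prefix, and the private/reserved
# ranges that should never appear as a source address on the public border.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
RESERVED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "0.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_allowed(src):
    """Inbound rule: a packet arriving from the Internet must not claim a
    source inside our own prefix (spoofed) or in a reserved range."""
    addr = ipaddress.ip_address(src)
    return not (_in_any(addr, INTERNAL_NETS) or _in_any(addr, RESERVED_NETS))


def egress_allowed(src):
    """Outbound rule: only packets sourced from our own prefix may leave,
    so a compromised internal host cannot spoof another site's address."""
    return _in_any(ipaddress.ip_address(src), INTERNAL_NETS)


def filter_packets(packets):
    """packets: iterable of (direction, src_ip), direction is 'in' or 'out'.
    Returns (passed, dropped) lists in arrival order."""
    passed, dropped = [], []
    for direction, src in packets:
        ok = ingress_allowed(src) if direction == "in" else egress_allowed(src)
        (passed if ok else dropped).append((direction, src))
    return passed, dropped


# Constructed sample traffic as seen at the border router.
SAMPLE = [
    ("in", "198.51.100.9"),   # ordinary external client: pass
    ("in", "192.0.2.44"),     # claims our own address from outside: spoofed, drop
    ("in", "10.9.9.9"),       # private source on the public link: drop
    ("out", "192.0.2.7"),     # our host talking out: pass
    ("out", "203.0.113.3"),   # our host spoofing a foreign address: drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("passed:", ok)
    print("dropped:", bad)
```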
Packet Filtering (Cont.)
Firewalls
The victim’s network mechanism
Enable a form of protection against SYN flooding
Examine packets and maintain connection and state information for session traffic
Configured as a relay or as a semi-transparent gateway
Vulnerability:
Causes delays for every connection
A flood of 14k packets/sec can disable even specialized firewalls
IP Traceback
Effective and aggressive way to terminate DoS attacks at their sources
Vulnerability:
Does not locate the attacker if the attacker is attacking from reflectors
State Monitoring
Uses software agents to continuously monitor TCP/IP traffic in a network
RealSecure: monitors the local network for SYN packets that are not acknowledged within a period of time defined by the user
Vulnerabilities:
Needs to maintain a tremendous amount of state to determine malicious packets, which consumes system resources
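The half-open connection accounting behind both the memory DoS slide and the RealSecure-style SYN monitoring described here, as an added Python example (not from the deck): it replays a constructed packet log, keeps the SYNs that never received the client’s ACK within a user-defined timeout, and flags destinations whose stale backlog exceeds a limit. Addresses, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet log: (timestamp_s, src_ip, dst_ip, tcp_flags)
# "S" = client SYN, "SA" = server SYN-ACK, "A" = client ACK completing the handshake.
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", "S"),
    (0.1, "192.0.2.10", "10.0.0.5", "SA"),
    (0.2, "10.0.0.5", "192.0.2.10", "A"),      # legitimate, completed handshake
    (9.5, "198.51.100.4", "192.0.2.10", "S"),  # recent SYN, not yet overdue
] + [
    # twenty SYNs with spoofed sources: the SYN-ACK goes nowhere, no ACK ever arrives
    (1.0, f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 21)
]


def half_open_connections(packets, now, timeout):
    """Replay the log and return {(src, dst): age_s} for handshakes that a
    client opened with a SYN but never completed with an ACK within `timeout`.
    Only the client side is tracked; the server's SYN-ACK adds no state here."""
    pending = {}
    for ts, src, dst, flags in packets:
        key = (src, dst)
        if flags == "S":
            pending.setdefault(key, ts)      # keep the first SYN's time on retransmits
        elif flags == "A" and key in pending:
            del pending[key]                 # third handshake packet: established
    return {k: now - t for k, t in pending.items() if now - t >= timeout}


def flood_alerts(packets, now, timeout, backlog_limit):
    """Count overdue half-open entries per destination, i.e. the load on each
    server's limited backlog, and flag destinations above `backlog_limit`."""
    per_dst = defaultdict(int)
    for _, dst in half_open_connections(packets, now, timeout):
        per_dst[dst] += 1
    return {dst: n for dst, n in per_dst.items() if n > backlog_limit}


if __name__ == "__main__":
    print(flood_alerts(PACKETS, now=10.0, timeout=3.0, backlog_limit=10))
```

Lowering `timeout` is the "reduce the timeout period" self-defence measure from the earlier slide: stale entries are released sooner, at the cost of flagging slow but genuine clients.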
Resource Allocation Control
A way to prevent exhaustion of the victim’s resources by limiting the resource allocation and usage for each user or service
Class Based Queuing: configures different traffic priority queues and rules that determine which packets should be put into which queue
Vulnerability:
In the case of DoS attacks, cannot determine which packets belong to the same user or service for sharing some quota or resources
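An added Python example (not from the deck) of the class-based queuing described above, with constructed rules and traffic: packets are classified by destination port into priority queues, each served up to a per-tick allowance. It also shows the slide’s vulnerability: a flood from many spoofed sources shares the web queue with one genuine request, which is served only after the flood drains, because the scheduler cannot tell which packets belong to the same user.

```python
from collections import deque

# Constructed class-based queuing policy:
# (queue name, priority, packets served per tick, match rule); checked in order.
RULES = [
    ("dns",  0, 2, lambda p: p["dst_port"] == 53),
    ("web",  1, 3, lambda p: p["dst_port"] in (80, 443)),
    ("bulk", 2, 1, lambda p: True),          # catch-all
]


def classify(packet):
    """Return the queue name of the first rule that matches the packet."""
    return next(name for name, _, _, match in RULES if match(packet))


def schedule(packets, ticks):
    """Enqueue every packet by class, then serve the queues for `ticks` rounds:
    highest priority first, each queue capped at its per-tick allowance.
    Returns the (tick, packet) pairs in the order they were sent."""
    queues = {name: deque() for name, *_ in RULES}
    for p in packets:
        queues[classify(p)].append(p)
    sent = []
    for tick in range(1, ticks + 1):
        for name, _, allowance, _ in sorted(RULES, key=lambda r: r[1]):
            for _ in range(min(allowance, len(queues[name]))):
                sent.append((tick, queues[name].popleft()))
    return sent


def tick_sent(sent, src):
    """Tick in which the first packet from `src` was served, or None if never."""
    return next((t for t, p in sent if p["src"] == src), None)


# Constructed traffic: one DNS lookup, a flood of web requests from spoofed
# sources, then one genuine web request that arrives behind the flood.
TRAFFIC = [{"src": "198.51.100.2", "dst_port": 53}]
TRAFFIC += [{"src": f"203.0.113.{i}", "dst_port": 80} for i in range(1, 13)]
TRAFFIC += [{"src": "10.0.0.5", "dst_port": 443}]

if __name__ == "__main__":
    sent = schedule(TRAFFIC, ticks=5)
    print("dns served at tick", tick_sent(sent, "198.51.100.2"))
    print("genuine web request served at tick", tick_sent(sent, "10.0.0.5"))
```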
Congestion Control
Network congestion: reduction in network throughput
Pushback: mechanism for defending against DDoS attacks
Identifies most of the malicious packets based on Aggregate-based Congestion Control
Vulnerability:
Not an effective method to block bad traffic under a typical DDoS attack
Cannot differentiate good and bad traffic and will drop them equally
Active Networks
Programs can perform customized computations and manipulations
Allow users to inject customized programs into the nodes of the network
Active edge-tagging: one example, which tags the actual source IP address into the active networks layer header of each incoming packet from the hosts at first-hop routers
Vulnerability:
AN poses serious security threats, as it is designed to run executable code on remote hosts
Bandwidth Overhead of Defensive Measures
Memory Overhead of Defensive Measures
Computational Overhead of Defensive Measures
Attacks on Defensive Measures
Assumption: Firewalls are invincible and have unlimited resources
Reality: Firewalls are still limited and cause a single point of failure or bottleneck
Assumption: Network congestion control messages are delivered to the destination efficiently and successfully
Reality: Network congestion control messages are dropped or lost during transmission
Assumption: Defensive devices will not be targeted by the attacker
Reality: Many defensive devices are vulnerable to attack
Assumption: Network devices are trustworthy, and control messages will not be tampered with, eavesdropped or forged
Reality: Control messages of network devices might be tampered with, eavesdropped or forged
Honeypot for DDoS
Advantages of the system:
Defending the operational network with high probability against DDoS and new variants
Trapping the attacker and recording the compromise to help in legal action against the attacker
Devised system:
Implemented to lure the hacker into believing he has successfully compromised the system
To learn the tactics, tools, methods and motives of an attacker in order to secure the system
Characterization
Should be a replica of the operational system
Consists of similar systems and applications
Services such as Web, Mail, FTP and DNS should be accessible to the attacker
Must be located in the DMZ
Local Network Protection
Must be located in another zone, protected with a firewall
Encrypted transmission inside the LAN
Clients run a trusted OS
Services are managed by an indirect authentication method (Kerberos)
Detection systems such as a host-based IDS and a vulnerability scanner must be running
Honeypot Implementation in Organization
View for an Attacker
Issues To Be Resolved
Attack must be detectable
Attack packets must be actively directed to the honeypot
Honeypot must be able to simulate the organization’s network infrastructure
Concerns & Issues
Not a good idea in a real operational environment
Requires expertise
A small configuration mistake or loophole will create a disaster
Difficult to distinguish regular users from attackers in most cases
Uses a DDoS signature-type method during authentication, which is not as effective, especially for first-time authentication
Hard to identify the culprit when the attacker is using a compromised system
VPN and PKI as proposed: how do both environments work?
Conclusion
Like a game: attacking and defending networks
Defensive measures are not always secure, and valuable data is at risk with small effort from the attacker
Honeypot: a promising tool for luring attackers in DDoS attacks
To secure our network, defensive measures with proper knowledge and expertise are required