What is a Distributed Denial of Service Attack?

Alex Ramos
Denial Of Service
Notice: Use and Disclosure of Data. Limited Data Rights. This proposal includes data that shall not be disclosed outside Strayer University and shall not be duplicated, used, or disclosed, in whole or in part, for any purpose other than to evaluate this oral presentation.
CIS Network Security
Instructor Professor Mort Anvair
Federal Network Systems, LLC
July 24, 2004
Agenda
• What is a Denial of Service Attack?
• What is a Distributed Denial of Service Attack?
• Why Are They Difficult to Protect Against?
• Types of Denial of Service Attacks
• Tools for Running Denial of Service Attacks
• Preventing Denial of Service Attacks
• Summary
What is a Denial Of Service Attack?
An attack that is specifically designed to prevent the normal functioning of a system, and thereby to prevent lawful access to that system and its data by its authorized users. DoS can be caused by the destruction or modification of data, by bringing down the system, or by overloading the system's servers to the extent that service to authorized users is delayed or prevented. (Source: www.itsecurity.com/ds.htm)
• DoS goals
– Flooding a network to prevent legitimate network traffic
– Disrupting connections between two specific machines
– Preventing access to a service for a specific entity or for all individuals
What is a Distributed Denial of Service Attack?
• Use of several to thousands of machines to initiate a Denial of Service attack
• “Zombies” or “user controlled” machines
• Yahoo!, eBay, and Amazon were struck with DDoS attacks in February 2000.
• Most go unreported
• Most common form of attack on the Internet today
• A recent study showed more than 12,000 DoS (DDoS) attacks during a 3-week period.
– The actual number is probably higher
Costs of a Distributed Denial of Service Attack
• Problem: We need a robust and automatic way of classifying DoS attacks into two classes: single-source and multi-source.
• Because: The two types of attack (single- or multi-source) are handled differently.
• Classification is not easy. For instance, packets can be spoofed by the attacker, so the apparent number of sources is unreliable.
Video Demonstration of a Healthy Network

Video Demonstration of a Distributed Denial of Service Attack

Video Demonstration of a Distributed Denial of Service Attack (Reflector Type)
Why Are They Difficult To Protect Against?
• Minimize the threats but fully protect
• Threats are always there
• Trade-offs between security and functionality
• Resources used to protect against DDoS
– Costly
– Time consuming
– Restrictive
Types of Denial of Service Attacks?
• Ping of Death
– Sends very large ping packets to a host machine
– Causes the operating system to hang or crash
– Unix command: ping -s 65527 (IP address of the victim’s machine)
– DOS command: ping -l 65527 (IP address of the victim’s machine)
Types of Denial of Service Attacks?
• SSPing
– Sends fragmented, oversized ICMP data packets
– Victim computers try to put the fragmented data back together
– Causes the operating system to hang or crash
– Affects Windows 95, NT, and older versions of the Mac OS
– Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack
Types of Denial of Service Attacks?
• Smurf
– Involves forged ICMP packets sent to a broadcast address
– Symptoms: everybody connected gets bogged down and kicked off; the attack can last for hours or days.
– Causes the operating system to hang or crash
– Affects most OSes and routers
– Protection
• No real protection
Types of Denial of Service Attacks?
• Land
– A program that sends a TCP SYN packet where the target and source address are the same and the port numbers are the same
– SYN packets are used to synchronize two machines
– The attacking machine exploits the synchronization process by spoofing the destination PC: when the destination PC tries to sync with an address the same as its own, it doesn’t know what to do.
– Affects most operating systems
– Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack
Types of Denial of Service Attacks?
• SYN Flood
– The attacker violates the 3-way handshake and opens a large number of half-open TCP/IP connections.
– Affects most OSes
– Causes the operating system to hang or crash
– Affects Windows 95, NT, and older versions of the Mac OS
– Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack
Tools for Running Denial Of Service Attacks?
• Trinoo
• Tribal Flood Network
• Stacheldraht
• Shaft
• MStream
• Tribal Flood Network 2000
– All the tools are similar in function
– All the tools here are mainly used on Unix-type machines
Tools for Running Denial Of Service Attacks?
• Tribal Flood Network 2000
– Communicates via TCP (random ports), UDP (random ports), ICMP (Echo Replies), or all three at random. The daemon never communicates with the master. The master sends all commands twenty times in order to make sure that they're received. TFN2k also will send out decoy packets (messages to random machines) so that it's not clear which machines are clients. Commands are encrypted using CAST-256 via a password specified at compile time. All packets are spoofed by default.
– Can attack using a SYN attack, UDP flood, ICMP flood, or Smurf attacks. The daemon can be set to randomly alternate between each attack type.
Preventing Denial of Service Attacks?
• Nothing can be done to entirely prevent DoS
• Minimize the dangers
– Effective and robust design
– Bandwidth limitations
– Keep systems patched
– Run the least amount of services
– Allow only necessary traffic
– Block IP addresses
Preventing Denial of Service Attacks?
• Nothing can be done to entirely prevent DoS
• Minimize the dangers
– Effective and robust design
– Bandwidth limitations
• Implement egress and ingress filtering
• Implement a rate limit on ICMP packets
• Implement a rate limit on SYN packets
– Keep systems patched
– Run the least amount of services
– Allow only necessary traffic
– Block IP addresses
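The ingress/egress filtering and ICMP/SYN rate limits listed above, as an added example that is not part of the original slides: an iptables/sysctl script for a Linux host, assuming eth0 is the Internet-facing interface and 203.0.113.0/24 (a documentation prefix) stands in for the site's own address block. It also ignores echo requests sent to broadcast addresses and turns on SYN cookies, two standard mitigations the slides do not list.

```shell
#!/bin/sh
# Added example (not from the original slides). Assumptions: Linux host,
# eth0 is the Internet-facing interface, 203.0.113.0/24 is our own prefix.
# Set IPT=echo and SYSCTL=echo to dry-run and print the rules instead of
# applying them. On a router the INPUT/OUTPUT rules belong in FORWARD.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN="${WAN:-eth0}"
OUR_NET="${OUR_NET:-203.0.113.0/24}"

apply_dos_filters() {
  # Ingress filtering: a packet arriving from the Internet must not claim a
  # source inside our own prefix or a private/loopback range. This discards
  # spoofed floods and Land packets (source forged to the target's own address).
  for src in "$OUR_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    "$IPT" -A INPUT -i "$WAN" -s "$src" -j DROP
  done
  # Egress filtering: only packets sourced from our prefix may leave, so a
  # compromised host here cannot take part in a spoofed flood elsewhere.
  "$IPT" -A OUTPUT -o "$WAN" ! -s "$OUR_NET" -j DROP
  # Rate limit ICMP echo requests (ping floods); excess requests are dropped.
  "$IPT" -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
    -m limit --limit 5/second --limit-burst 10 -j ACCEPT
  "$IPT" -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
  # Rate limit new TCP connection attempts (SYN flood); excess SYNs are dropped.
  "$IPT" -A INPUT -i "$WAN" -p tcp --syn \
    -m limit --limit 25/second --limit-burst 50 -j ACCEPT
  "$IPT" -A INPUT -i "$WAN" -p tcp --syn -j DROP
  # Do not answer echo requests sent to a broadcast address (Smurf reflector),
  # and use SYN cookies so half-open connections do not exhaust the backlog.
  "$SYSCTL" -w net.ipv4.icmp_echo_ignore_broadcasts=1
  "$SYSCTL" -w net.ipv4.tcp_syncookies=1
}

# Run as root with "sh dos_filters.sh apply" to install the rules.
if [ "${1:-}" = "apply" ]; then
  apply_dos_filters
fi
```

The limits (5 pings and 25 SYNs per second) are placeholders to tune against the host's normal traffic; the rules append to the existing chains and should be loaded before any broad ACCEPT rule.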
Simple Demo of What a Filter / Firewall Does
• Typical connection
• Denial of Service attack
• Blocking a Denial of Service attack
Demonstration of Minimizing Your Computer’s Vulnerability
• Patch management
• Antivirus
• Layered security
• Distributed resources
• Bandwidth throttling
• Physical security
Summary
• What is a Denial of Service Attack?
• What is a Distributed Denial of Service Attack?
• Why Are They Difficult to Protect Against?
• Types of Denial of Service Attacks
• Tools for Running Denial of Service Attacks
• Preventing Denial of Service Attacks