Slide - network systems lab @ sfu


Distributed Denial of Service Attacks
Darius Law
CMPT 471
What is DDOS?
• A distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for the users of the targeted system
• The flood of incoming messages exhausts the target's resources (or forces it to shut down), denying service to legitimate users
Distributed…
• Distributed computing is a method of computer processing in which different parts of a program run simultaneously on two or more computers that are communicating with each other over a network.
• Major advantages of using a distributed denial-of-service attack
– Generates far more traffic than a single machine could
– Multiple attacking machines are harder to shut down than one
– Each attacking machine contributes only a fraction of the traffic, which makes it stealthier and harder to track down and shut down
Types of DOS attacks
• Exercising a software bug that causes the software running the service to crash
• Sending enough data to consume all available network bandwidth
• Sending data crafted to consume a particular resource needed by the service (e.g. connection-table entries, memory, or CPU)
How do DDOS attacks work?
• The attacker first exploits a vulnerable computer system, making it the DDOS "master" (handler)
– The "master" communicates with, and loads attack tools onto, thousands of other compromised systems ("agents" or "zombies") on the Internet
• All of the agents can then be instructed to launch one of many flood attacks against a specified target
SYN Flood
• A SYN packet initiates a TCP connection
– A SYN flood consumes all available slots in the server's TCP connection table (its queue of half-open connections)
– Exploits a basic weakness of TCP: the server allocates connection state as soon as a SYN arrives, before the handshake has completed and before the sender's address has been verified
– Prevents other users from establishing new connections
• Public web (HTTP) servers are a common target, since they must accept SYNs from any address on the Internet
SYN Flood (2)
• The TCP protocol requires a 3-step handshake
• The originator of the connection (such as a web browser) initiates the connection by sending a packet having the SYN flag set in the TCP header (referred to as a "SYN packet").
• The receiver responds by sending back to the originator a packet that has the SYN and ACK flags set (a "SYN/ACK packet"), and allocates state for the half-open connection
• The originator acknowledges receipt of the 2nd packet by sending to the receiver a third packet with only the ACK flag set (an "ACK packet"); the connection is now established
SYN Flood (3)
• During a SYN flood, the attacker sends a large number of SYN packets alone, usually with forged source addresses, and never sends the final ACK; each SYN leaves a half-open connection in the server's table until it times out
SYN Flood (4)
• The connection table fills up rapidly with incomplete connections, crowding out legitimate traffic: new SYNs from real clients are dropped until an entry times out
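The handshake tracking described on the SYN Flood slides, as an added example that is not part of the original deck: it replays a constructed packet trace (two legitimate clients plus 200 SYNs from forged sources, all labelled as constructed in the code) through the three-step state machine and reports how many half-open entries each server is holding. The server address 192.0.2.10:80, the trace format and the detection threshold of 100 are assumptions chosen for the example.

```python
"""Added example: replay a constructed packet trace through the TCP three-way
handshake state machine and count half-open connections per server.
A spoofed SYN flood shows up as many SYN_RECEIVED entries from many
distinct sources while almost nothing reaches ESTABLISHED."""
from collections import defaultdict

SERVER = "192.0.2.10:80"   # hypothetical web server under attack (assumed)


def build_trace():
    """Constructed trace, not a real capture. One packet per line:
    '<time> <src ip:port> -> <dst ip:port> <flags>' with S=SYN, SA=SYN/ACK, A=ACK.
    Two legitimate clients complete the handshake; then 200 SYNs from forged
    sources are answered with SYN/ACK but the final ACK never comes."""
    lines = [
        f"0.0000 198.51.100.7:51515 -> {SERVER} S",
        f"0.0001 {SERVER} -> 198.51.100.7:51515 SA",
        f"0.0002 198.51.100.7:51515 -> {SERVER} A",
        f"0.0100 198.51.100.9:40222 -> {SERVER} S",
        f"0.0101 {SERVER} -> 198.51.100.9:40222 SA",
        f"0.0102 198.51.100.9:40222 -> {SERVER} A",
    ]
    for i in range(200):
        t = 0.1 + i * 0.0005
        src = f"203.0.113.{i % 254 + 1}:{1024 + i}"
        lines.append(f"{t:.4f} {src} -> {SERVER} S")
        lines.append(f"{t + 0.0001:.4f} {SERVER} -> {src} SA")
    return lines


def parse(line):
    t, src, _arrow, dst, flags = line.split()
    return float(t), src, dst, flags


def track_handshakes(lines):
    """Return {(originator, receiver): state} after replaying the trace.
    SYN_SENT: SYN seen; SYN_RECEIVED: receiver replied SYN/ACK and now holds
    a half-open entry; ESTABLISHED: the originator's ACK completed step 3."""
    state = {}
    for line in lines:
        _t, src, dst, flags = parse(line)
        if flags == "S":
            state[(src, dst)] = "SYN_SENT"
        elif flags == "SA" and state.get((dst, src)) == "SYN_SENT":
            state[(dst, src)] = "SYN_RECEIVED"
        elif flags == "A" and state.get((src, dst)) == "SYN_RECEIVED":
            state[(src, dst)] = "ESTABLISHED"
        # anything else (retransmits, ACKs with no matching half-open entry) is ignored
    return state


def half_open_report(state):
    """Per receiver: half-open count, established count, distinct half-open source IPs."""
    acc = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (client, server), st in state.items():
        if st == "SYN_RECEIVED":
            acc[server]["half_open"] += 1
            acc[server]["sources"].add(client.rsplit(":", 1)[0])
        elif st == "ESTABLISHED":
            acc[server]["established"] += 1
    return {
        server: {
            "half_open": r["half_open"],
            "established": r["established"],
            "distinct_sources": len(r["sources"]),
        }
        for server, r in acc.items()
    }


def syn_flood_suspects(report, threshold=100):
    """Receivers holding at least `threshold` half-open entries. The threshold
    is an assumed tuning value; set it relative to the listen backlog in use."""
    return sorted(s for s, r in report.items() if r["half_open"] >= threshold)


if __name__ == "__main__":
    report = half_open_report(track_handshakes(build_trace()))
    for server, r in report.items():
        print(server, r)
    print("SYN flood suspects:", syn_flood_suspects(report))
```

The signal worth alerting on is the combination: a high half-open count, a large number of distinct source addresses, and a completed-to-attempted ratio near zero. A single slow client produces one half-open entry; a forged flood produces hundreds from addresses that never reply.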
Responding to DDOS attacks
• Increasing the size of the connection table (listen backlog) seems most straightforward, but it may not be configurable, and the attacker can simply send more SYNs
• Spare servers to be placed in service during an attack
– Very expensive to keep idle equipment
Prevention
• Most DDOS attacks use forged source addresses to lie about where the packets are being sent from, so the SYN/ACK replies go to hosts that never answer and the real source cannot be traced
• Manufacturers of firewalls/network security devices have developed a variety of defense methods
– SYN threshold: establish a limit on the number of incomplete handshakes, then start discarding (typically the oldest half-open entries) once the limit is reached
– SYN defender: when a SYN packet is received, the firewall synthesizes the final ACK packet of step 3 on the originator's behalf, so the server does not wait for the real ACK from the originator (the firewall must then reset the connection if the originator's ACK never arrives)
– SYN proxy: the firewall synthesizes and sends the SYN/ACK packet back to the originator and waits for the final ACK packet. Only after the firewall receives the ACK from the originator does it "replay" the 3-step sequence to the receiver, so SYNs from forged sources never reach the server
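A model of the connection-table exhaustion from the SYN Flood slides with the SYN threshold and SYN proxy defenses from the Prevention slide placed in front of it, as an added example that is not part of the original deck and not any vendor's implementation. The backlog of 128, the flood of 1000 spoofed SYNs, the threshold of 64, the proxy table size of 4096 and the choice to discard the oldest half-open entry are all assumptions; the deck only says "start discarding".

```python
"""Added example: a listening socket's bounded half-open queue under a spoofed
SYN flood, with two of the firewall defenses from the slides in front of it.
All sizes (backlog, flood, limits) are assumed values for the demonstration."""
from collections import OrderedDict


class Server:
    """Listening socket with a bounded table of half-open (SYN_RECEIVED) connections."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = OrderedDict()   # client -> True, oldest entry first
        self.established = set()
        self.dropped_syns = 0

    def syn(self, client):
        """Step 1 arrives: allocate state and (conceptually) send SYN/ACK."""
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1       # table full: the SYN is silently dropped
            return False
        self.half_open[client] = True
        return True

    def ack(self, client):
        """Step 3 arrives: complete the handshake if a half-open entry matches."""
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True

    def reset(self, client):
        """An RST from the firewall frees the half-open entry."""
        self.half_open.pop(client, None)


class NoDefense:
    """Packets go straight to the server."""

    def __init__(self, server):
        self.server = server

    def syn(self, client):
        return self.server.syn(client)

    def ack(self, client):
        return self.server.ack(client)


class SynThreshold:
    """Limit incomplete handshakes; past the limit, discard the oldest one by
    resetting it on the server (discarding the oldest is an assumed policy)."""

    def __init__(self, server, limit=64):
        self.server, self.limit = server, limit
        self.pending = OrderedDict()

    def syn(self, client):
        if len(self.pending) >= self.limit:
            oldest, _ = self.pending.popitem(last=False)
            self.server.reset(oldest)
        self.pending[client] = True
        return self.server.syn(client)

    def ack(self, client):
        self.pending.pop(client, None)
        return self.server.ack(client)


class SynProxy:
    """Firewall answers the SYN with its own SYN/ACK and only replays the
    three-step sequence to the server once the originator's ACK arrives."""

    def __init__(self, server, table_size=4096):
        self.server, self.table_size = server, table_size
        self.pending = OrderedDict()

    def syn(self, client):
        if len(self.pending) >= self.table_size:
            self.pending.popitem(last=False)   # the proxy's own table is the new limit
        self.pending[client] = True            # the server sees nothing yet
        return True

    def ack(self, client):
        if self.pending.pop(client, None) is None:
            return False                       # no SYN/ACK was ever sent to this client
        return self.server.syn(client) and self.server.ack(client)


def run_scenario(front_end, flood_size=1000, backlog=128):
    """Flood the server with spoofed SYNs that are never acknowledged, then try
    one legitimate handshake. Returns whether it succeeded and the server's state."""
    server = Server(backlog)
    fe = front_end(server)
    for i in range(flood_size):
        fe.syn((f"203.0.113.{i % 254 + 1}", 1024 + i))   # forged sources, no ACK ever
    legit = ("198.51.100.7", 51515)
    connected = fe.syn(legit) and fe.ack(legit)
    return {
        "legit_connected": connected,
        "server_half_open": len(server.half_open),
        "server_dropped_syns": server.dropped_syns,
    }


if __name__ == "__main__":
    for name, fe in [("no defense", NoDefense),
                     ("SYN threshold", SynThreshold),
                     ("SYN proxy", SynProxy)]:
        print(f"{name:14s} {run_scenario(fe)}")
```

With no defense the 128-entry table is full of forged entries and the legitimate SYN is dropped; the threshold keeps room open but also evicts slow legitimate clients once the limit is reached; the proxy keeps forged SYNs off the server entirely, at the cost of moving the state to the firewall, whose own table becomes the limit under a large enough flood. The SYN defender variant is not modelled because it changes only how long the server stays in SYN_RECEIVED, not the exchange itself.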
DDOS attack tools
• Tribal Flood Network (TFN)
• Trin00
• TFN2K
• Stacheldraht
Sources
What is denial of service; http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213591,00.html
Distributed Denial of Service Attacks; http://www.linuxsecurity.com/resource_files/intrusion_detection/ddoswhitepaper.html
Distributed Denial of Service Attack Tools; http://documents.iss.net/whitepapers/ddos.pdf
How a 'denial of service' attack works; http://www.news.com/2100-1017236728.html
DDOS; http://chinese-school.netfirms.com/computer-article-denial-of-service.html