Lecture Notes - Computer Science & Engineering


Denial of Service Attacks
CSCE 201
Reading

- Required: Chapter 4 from the textbook

Security Objectives

- Confidentiality
- Integrity
- Availability

Control mechanisms (first line of defense):

- Identification and authentication
- Access control

Denial of Service Attacks

- Difficult to prevent
- Consequences can be devastating
- More and more services are web-based
- Nation-state sponsored attacks
  - 2007: attacks on Estonia, attributed to Russia
- Hard to pinpoint the attack source

Availability

- Target resource: hardware, software, communication, data, etc.
- Attacker's aim: reduce the availability of resources for authorized users
- Attack methods:
  - Volume-based (overwhelm the capacity of the system)
  - Application-based (overwhelm the capacity of the application)
  - Cut or disable a communication link
  - Cause a failure of hardware or software

Flooding Resources

- Target: application, OS, network appliance, etc.
- Operational limits: every computer has a limited
  - number of users
  - storage capacity
  - processing capacity
  - number of open connections
  - speed of data transmission
  - etc.

Network Flooding

- Attacker sends so much data that the communication system cannot handle authorized requests
- Exploits communication protocol weaknesses, e.g., in
  - Transmission Control Protocol (TCP)
  - User Datagram Protocol (UDP)
  - Internet Control Message Protocol (ICMP), whose message types include:
    - Echo request (what ping sends: asks the destination to return a reply)
    - Echo reply (returns the data that was sent to it)
    - Destination unreachable (indicates that the destination cannot be accessed)
    - Source quench (indicates that the destination is becoming saturated; deprecated by RFC 6633 and ignored by modern hosts, in part because a forged source quench lets an attacker throttle a victim's connections)

Ping of Death

- What the figure shows is a ping flood: the attacker sends ICMP echo requests as fast as it can, and the victim spends bandwidth and CPU answering every one
- Limited by the smallest bandwidth on the attack path: the attacker needs more upstream capacity than the victim has, or many attackers
- The original Ping of Death (mid-1990s) was different: a single fragmented ICMP echo request that reassembled to more than the 65,535-byte IP maximum, which crashed or rebooted vulnerable IP stacks; modern stacks reject such packets

[Figure: Attacker sends a stream of pings to Victim; Victim sends a reply for each one]

Smurf Attack

- Attacker spoofs the source address of an ICMP echo (ping) request to be the victim's address
- Attacker sends the ping to a network's directed-broadcast address, so every host on that network receives it
- All hosts reply to the victim; the amplification factor is the number of responding hosts
- Defense: routers do not forward packets to directed-broadcast addresses (the default since RFC 2644), and networks apply ingress filtering so packets with spoofed source addresses never leave them (BCP 38 / RFC 2827)

[Figure: Attacker sends a broadcast ping with the source spoofed to Victim; all hosts on the network reply to Victim]

Echo-Chargen

- A reflection loop between two hosts that abuses two old UDP test services: echo (port 7, RFC 862) returns whatever it receives, and chargen (port 19, RFC 864) answers every packet with a stream of characters; neither is part of ICMP
- Attacker sends one UDP packet to victim 2's chargen port with the source address and port spoofed to victim 1's echo port
- Victim 2's chargen replies to victim 1's echo port, victim 1 echoes the data back to chargen, and the two hosts flood each other indefinitely from a single attacker packet
- Defense: disable echo, chargen and the other "small services", and filter UDP traffic between ports 7 and 19

[Figure: Attacker sends a chargen request to Victim 2 with source spoofed to Victim 1's echo port; Victim 2 and Victim 1 then exchange chargen output and echo responses in a loop]

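The defenses named on the Smurf and Echo-Chargen slides, and the "check packet headers before processing" advice later in the lecture, all come down to decisions made from a few header fields. The following is an added example written for these notes, not code from the course or its textbook: a small packet-header filter that applies ingress/egress filtering, refuses echo requests to broadcast addresses, and drops UDP between the echo and chargen ports. The internal prefix 192.0.2.0/24, the interface names "inside"/"outside", and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports of the two "small services" abused by the echo-chargen loop.
ECHO_PORT = 7        # RFC 862
CHARGEN_PORT = 19    # RFC 864
ICMP_ECHO_REQUEST = 8

# Hypothetical internal prefix of the network we protect (an assumption for this example).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    """The header fields the filter looks at; the payload is irrelevant here."""
    src: str
    dst: str
    proto: str                     # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def check_header(pkt: Packet, iface: str) -> Optional[str]:
    """Return None to accept the packet, or a short reason for dropping it.

    iface is "outside" for packets arriving from the Internet and "inside"
    for packets leaving our network.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Ingress/egress filtering (BCP 38): a packet from the Internet must not
    #    claim one of our addresses, and a packet leaving us must carry one of
    #    our addresses. This stops the spoofed source a smurf attack relies on.
    if iface == "outside" and src in INTERNAL_NET:
        return "spoofed internal source on outside interface"
    if iface == "inside" and src not in INTERNAL_NET:
        return "outbound packet with foreign source (spoofing from our LAN)"

    # 2. Smurf amplifier hardening: never forward an echo request aimed at a
    #    broadcast address, so our hosts cannot be used to amplify a ping.
    if (pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
            and dst in (INTERNAL_NET.broadcast_address, LIMITED_BROADCAST)):
        return "icmp echo request to broadcast address"

    # 3. Echo-chargen loop: UDP between two services that answer anything.
    small_services = (ECHO_PORT, CHARGEN_PORT)
    if pkt.proto == "udp" and pkt.sport in small_services and pkt.dport in small_services:
        return "udp between echo/chargen ports (reflection loop)"

    return None


# Constructed sample traffic as (interface, packet) pairs; not captured from a real network.
SAMPLE_TRAFFIC = [
    ("outside", Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=ICMP_ECHO_REQUEST)),       # ordinary ping
    ("outside", Packet("192.0.2.10", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST)),        # smurf trigger
    ("inside",  Packet("192.0.2.20", "198.51.100.7", "udp", sport=ECHO_PORT, dport=CHARGEN_PORT)),  # loop
    ("inside",  Packet("203.0.113.9", "198.51.100.7", "udp", sport=4000, dport=53)),              # spoofed egress
    ("outside", Packet("198.51.100.7", "192.0.2.10", "tcp", sport=40000, dport=443)),             # normal HTTPS
]


def audit(traffic) -> List[Optional[str]]:
    """Run the header check over a list of (iface, packet) pairs."""
    return [check_header(pkt, iface) for iface, pkt in traffic]


if __name__ == "__main__":
    for (iface, pkt), verdict in zip(SAMPLE_TRAFFIC, audit(SAMPLE_TRAFFIC)):
        print(f"{iface:7} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto:4} {verdict or 'accept'}")
```

The smurf trigger in the sample is caught by the ingress rule before the broadcast rule ever runs: once spoofed sources cannot enter, the reflected replies have nobody to hit. The broadcast rule still matters for packets with a genuine outside source, since those would otherwise turn the LAN into an amplifier for someone else's victim.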
Classical DOS - TCP SYN Flood

- TCP client-server protocol: 3-way handshake (client SYN, server SYN-ACK, client ACK)
- On receiving a SYN the server allocates a half-open connection record and waits for the client's ACK
- Attacker sends a stream of SYNs, usually from spoofed source addresses, and never sends the final ACK; the half-open table (backlog) fills up and SYNs from legitimate clients are dropped until entries time out

[Figure: Attacker sends many SYNs to the server; the SYN-ACKs go to spoofed addresses and are never acknowledged]

Addressing Failures

- Domain Name System (DNS): translates logical names to addresses
- Attack:
  - Supply an incorrect address
  - Block the address
  - Redirect routing

Blocked Access

- Physical blocking
- Prevent services from functioning via
  - Software vulnerability
  - Protocol vulnerability
  - Manipulated authorization specifications

Physical Security

- Attacks against the availability of the
  - Computer
  - Connection
  - Software
  - Etc.

Tools

- Tribe Flood Network (TFN) and TFN2K
  - Support launching coordinated DOS or DDOS attacks (ICMP, UDP and SYN floods, smurf) and hide the origin of the attack
  - Overwhelm the victim computer
  - Master: controls a fleet of agents
  - Agents: carry out the attack
  - Communication between master and agents is protected by:
    - Encryption (added in TFN2K)
    - Spoofed source IP addresses
    - Randomized packet types and contents

How to Detect DOS and DDOS

- Centralized system:
  - Performance degradation
  - Unusually large volume of work requests
  - Large number of new clients (the malicious agents)
- Distributed system:
  - May be difficult to detect overall performance degradation
  - Need to share performance data between nodes
  - Sharing itself uses valuable communication bandwidth

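Two of the three centralized indicators above, request volume and the appearance of many never-seen clients, can be read straight from a server's access log. The following detector is an added example written for these notes, not course material: it buckets log lines into 10-second windows, learns a baseline from the first windows, and flags a window only when both the request volume and the count of new clients jump. The log format (`<unix_ts> <client_ip> <method> <path>`), the thresholds, and the sample log (30 s of normal traffic followed by a 10 s flood from 200 fresh addresses) are constructed assumptions, not real traffic.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed, simplified access log: '<unix_ts> <client_ip> <method> <path>'.
    Not from a real server: 30 s of normal traffic, then a 10 s flood."""
    lines = []
    regulars = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for t in range(0, 30):                 # three regular clients, one request each per second
        for i, ip in enumerate(regulars):
            lines.append(f"{t} {ip} GET /page{i}")
    for t in range(30, 40):                # flood: each second, 20 never-seen agents send one request
        for k in range(20):
            lines.append(f"{t} 203.0.113.{(t - 30) * 20 + k + 1} GET /search?q=x")
    return lines


LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def summarize(lines: List[str], window: int = 10) -> Dict[int, Dict[str, int]]:
    """Per time window: number of requests and number of clients never seen before."""
    seen = set()
    stats: Dict[int, Dict[str, int]] = defaultdict(lambda: {"requests": 0, "new_clients": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than crash the detector
        ts, ip = int(m.group(1)), m.group(2)
        w = ts // window
        stats[w]["requests"] += 1
        if ip not in seen:
            seen.add(ip)
            stats[w]["new_clients"] += 1
    return dict(sorted(stats.items()))


def detect(stats: Dict[int, Dict[str, int]], baseline_windows: int = 3,
           volume_factor: float = 3.0, min_new_clients: int = 20) -> List[Tuple[int, int, int]]:
    """Flag windows whose request volume is far above baseline AND that bring many new clients.

    The baseline is the mean requests per window over the first baseline_windows windows,
    which the operator must know to be clean: a baseline learned during an attack hides it.
    """
    keys = list(stats)
    base = keys[:baseline_windows]
    if not base:
        return []
    base_rate = sum(stats[w]["requests"] for w in base) / len(base)
    alerts = []
    for w in keys[baseline_windows:]:
        s = stats[w]
        if s["requests"] > volume_factor * base_rate and s["new_clients"] >= min_new_clients:
            alerts.append((w, s["requests"], s["new_clients"]))
    return alerts


if __name__ == "__main__":
    stats = summarize(build_sample_log())
    for w, s in stats.items():
        print(f"window {w}: {s['requests']:4} requests, {s['new_clients']:4} new clients")
    print("alerts:", detect(stats))
```

Requiring both signals reduces noise from a single busy client, but it cannot tell a DDOS from a flash crowd, which also brings a burst of new, legitimate clients; treat an alert as a trigger for investigation (what are the new clients requesting, do they complete handshakes, do they come from one prefix) rather than as proof of attack.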
How to Prevent DOS/DDOS?

- Destruction of resources:
  - Physical security controls
  - Backup system
  - Redundant communication channel
- Flooding:
  - Monitor system performance and reject new requests if overwhelmed
  - Check packet headers before processing (drop spoofed, malformed or broadcast-addressed packets early, before they cost anything)
  - Understand which protocols are vulnerable
  - Time out computationally costly requests and blacklist their sources

Preventing TCP SYN Flooding

- Aim: limit overuse of resources (do not really block the malicious requests, just do not spend so many resources on each one)
- Methods:
  - Limit the complexity of handling requests, e.g., micro-blocks: store a tiny record per half-open connection instead of a full connection control block
  - Limit the need to keep state for half-open connections, e.g., SYN cookies: encode the handshake state in the server's initial sequence number so nothing is stored until the client's ACK arrives
  - Limit the processing on the server's side, e.g., a shorter timeout window for half-open connections, simplified processing

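The SYN flood slide and the SYN cookie method above are easiest to compare side by side. The following simulation is an added example written for these notes, not code from the course or from any operating system: a classic listener with a fixed half-open backlog is flooded with SYNs that are never acknowledged and then fails to accept a legitimate client, while a listener using SYN cookies stores nothing per SYN and still completes the legitimate handshake. The cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash), the three-entry MSS table, the 64-second counter, and the backlog size of 128 are simplifications chosen for the example; real kernels use different constants.

```python
import hashlib
import hmac
import random
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF
Client = Tuple[str, int]          # (source IP, source port) as seen in the SYN


class BacklogServer:
    """Classic stateful listener: every SYN allocates a half-open entry that lives until the
    client's ACK arrives (a timeout that evicts old entries is not modelled here)."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = {}           # client -> server ISN sent in the SYN-ACK
        self.established = set()

    def on_syn(self, client: Client, client_mss: int = 1460) -> Optional[int]:
        if len(self.half_open) >= self.backlog:
            return None               # backlog full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return isn                    # the SYN-ACK carries this ISN

    def on_ack(self, client: Client, ack: int) -> bool:
        isn = self.half_open.get(client)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class Clock:
    """Coarse time counter; in a real implementation it advances about once a minute."""
    def __init__(self, t: int = 0):
        self.t = t


class SynCookieServer:
    """Stateless listener. The ISN in the SYN-ACK is a cookie: a keyed hash over the client's
    address/port and the time counter, plus an encoded MSS. Nothing is stored per half-open
    connection; the ACK is validated by recomputing the hash. Simplified, illustrative layout."""

    MSS_TABLE = (536, 1220, 1460)     # the only MSS values a 3-bit cookie field can carry

    def __init__(self, key: bytes, clock: Clock):
        self.key = key
        self.clock = clock
        self.established = set()

    def _mac(self, client: Client, t: int) -> int:
        msg = f"{client[0]}:{client[1]}:{t}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")       # 24-bit tag

    def on_syn(self, client: Client, client_mss: int = 1460) -> int:
        t = self.clock.t
        mss_idx = max([0] + [i for i, m in enumerate(self.MSS_TABLE) if m <= client_mss])
        # ISN layout: 5 bits of counter | 3 bits of MSS index | 24 bits of MAC
        return ((t & 0x1F) << 27) | (mss_idx << 24) | self._mac(client, t)

    def on_ack(self, client: Client, ack: int) -> Optional[int]:
        cookie = (ack - 1) & MASK32
        t_cookie, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        # Accept cookies minted in the current or previous counter period; anything older is
        # stale, which bounds how long a captured ACK can be replayed.
        for t in (self.clock.t, self.clock.t - 1):
            expected = self._mac(client, t).to_bytes(3, "big")
            if (t & 0x1F) == t_cookie and hmac.compare_digest(mac.to_bytes(3, "big"), expected):
                self.established.add(client)
                return self.MSS_TABLE[mss_idx]   # the only handshake state we recover: the MSS
        return None


def legit_client_connects(server, flood_syns: int) -> bool:
    """Flood the listener with SYNs from spoofed sources that never ACK, then attempt one
    legitimate handshake and report whether it completed."""
    for i in range(flood_syns):
        server.on_syn((f"198.51.100.{i % 254 + 1}", 1024 + i))   # spoofed; no ACK ever follows
    client = ("192.0.2.10", 50000)
    isn = server.on_syn(client)
    if isn is None:
        return False                  # our SYN was dropped
    return bool(server.on_ack(client, (isn + 1) & MASK32))


if __name__ == "__main__":
    random.seed(1)
    print("stateful listener, backlog 128, 1000 spoofed SYNs:",
          legit_client_connects(BacklogServer(backlog=128), 1000))
    print("SYN-cookie listener, 1000 spoofed SYNs:          ",
          legit_client_connects(SynCookieServer(b"secret-key", Clock()), 1000))
```

The price of statelessness shows in `on_ack`: the server gets back only what it squeezed into 32 bits, so TCP options negotiated in the SYN (window scaling, selective acknowledgement) are lost unless recovered some other way, which is why production stacks fall back to cookies only once the backlog overflows rather than using them for every connection.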
Next Class
Attend one of these events:
1. Securing the Future for Women in IT,
Wednesday, October 28, 2015 at 5:30 pm, IToLogy, 1301 Gervais St. Suite 200, Columbia SC,
Register at: http://www.techjunto.com/events/966
2. Last Lecture Series, Wednesday, October 28,
Dr. Duncan Buell, Department of Computer Science
and Engineering, 7 pm in the Gressette Room of
Harper College 3rd floor,
https://sc.edu/ofsp/last_lecture_series.shtml