Transcript Denial of Service

Denial of Service
A comparison of DoS schemes
Kevin LaMantia
COSC 316
Introduction
•
•
•
•
•
•
What DoS is
Symptoms of an attack
Methods of attack
Types of Attacks
How to defend
Conclusion
What is a Denial of Service attack?
• An attack on a network that is designed to bring
the network to its knees by flooding it with
useless traffic
• Two general forms of attacks:
1. Those that crash services
2. Those that flood services
Symptoms of a DoS Attack
• United States Computer Emergency Readiness Team (US-CERT)
lists possible symptoms of a DoS attack:
▫
▫
▫
▫
▫
Usually slow network performance
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received (email bomb)
Disconnection of a wireless internet connection
• DoS attacks can also lead to problem’s in the network branches
around the actual computer being attacked
▫ Ex: The bandwidth of a router between the Internet and a LAN may be
consumed by an attack, compromising not only the intended computer,
but also the entire network or other computers on the LAN
• Attacks can be very large and compromise Internet connectivity for
an entire geographical region
Methods of Attack
• A DoS attack can be perpetrated in a number of
ways, five basic ways are:
1. Consumption of computational resources, such as
bandwidth, memory, disk space, or processor time
2. Disruption of configuration information, such as
routing information
3. Disruption of state information, such as unsolicited
resetting of TCP sessions
4. Disruption of physical network components
5. Obstructing the communication media between the
intended users and the victim so that they can no
longer communicate adequately
Methods of Attack Continued…
• A DoS attack may include execution of malware
intended to:
▫ Max out the processor’s usage, preventing any
work from occurring
▫ Trigger errors in the microcode of the machine
▫ Trigger errors in the sequencing of instructions, so
as to force the computer into an unstable state or
lock-up
▫ Exploit errors in the OS, causing resource
starvation
▫ Crash the OS itself
Smurf Attack
• An attack in which large numbers of Internet
Control Message Protocol (ICMP) packets with the
intended victim’s spoofed source IP are broadcast to
a computer network using an IP Broadcast address
• Most devices on a network will respond, by default,
to the source IP address
▫ If there are a lot of machines on a network, it will
cause the victim’s computer to be flooded with traffic
Ping of Death
• A type of attack on a computer that involves
sending a malformed or otherwise malicious
ping to a computer
• How it works:
▫ Historically many computer systems couldn’t
handle a ping packet, normally 56 bytes, larger
than the maximum IPv4 packet size of 65,535
bytes
▫ This would cause the system to crash
Ping Flood
• Based on sending the victim an overwhelming
number of ping packets, usually using the “ping”
command from Unix-like hosts
• It is much less capable of overwhelming a target
if the attack comes from a Windows system
▫ Does not allow packet sizes greater then 65500
• Primary requirement to launch this attack
▫ Having a greater bandwidth than the victim
Nuke
• An old DoS attack that consisted of fragmented or invalid
ICMP packets sent to a target
• Achieved by using a modified ping utility to repeatedly send
this corrupt data
• Slowed down the affected computer until it comes to a
complete stop
• Example:
▫ WinNuke
 Exploited a vulnerability in the NetBIOS handler in Windows 95
 Locked up victims computer causing Blue Screen of Death
SYN Flood
• An attack that sends a succession of SYN
(Synchronize) requests to a target’s system in an
attempt to consume enough server resources to
make the system unresponsive to legitimate traffic
• How it works:
▫ It corrupts the TCP three-way handshake
▫ Doesn’t respond back to the client with the ACK code
or spoofing the source IP address in the SYN causing
the server to send the SYN_ACK to a false IP
▫ Causes the server to wait for acknowledgement for
some time
▫ Causes congestion by using up resources until no new
connections can be made
Distributed DoS (DDoS)
• Occurs when multiple systems flood the bandwidth
or resources of a targeted system
▫ i.e., Botnet
• Using multiple machines make it harder for to track
and shut down the attacker
▫ Merely purchasing more bandwidth won’t always work
for defense since the attacker might be able to add
more attack machines
• A system may be compromised with a trojan,
allowing the attacker to download a zombie agent, or
the trojan may contain one
Distributed DoS continued…
• These collections of system compromisers are
known as botnets
• Script kiddies use these to deny the availability
of well known websites to legitimate users
• More sophisticated attackers could use DDoS for
the purposes of extortion
• Video:
▫ http://www.youtube.com/watch?v=0VutW15kEZ
M
How to Defend
• Unfortunately, there are no effective ways to prevent
being the victim of a DoS or DDoS attack
• There are steps you can take to reduce the likelihood
that an attacker will use your computer to attack
other computers
▫ Install and maintain anti-virus software
▫ Install a firewall, and configure it to restrict traffic
coming into and leaving your computer
▫ Follow good security practices for distributing your
email address. Applying email filters may help you
manage unwanted traffic
Conclusion
•
•
•
•
•
What DoS is
The Symptoms of an attack
Methods of Attack
Different Types of Attacks
How to Defend from Attacks
Questions?
Works Cited
• Google Ideas. (2013). Understanding Distributed Denial of Service
Attacks. Retrieved from Youtube.com:
http://www.youtube.com/watch?v=0VutW15kEZM
• McDowell, M. (n.d.). Understanding Denial-of-Service Attacks.
Retrieved from US-CERT.gov: http://www.uscert.gov/ncas/tips/ST04-015
• Webopedia. (n.d.). DoS attack. Retrieved from webopedia.com:
http://www.webopedia.com/TERM/D/DoS_attack.html
• Wikipedia. (n.d.). Denial of Service. Retrieved from Wikipedia:
http://en.wikipedia.org/wiki/Denial-ofservice_attack#Methods_of_attack