Академический Документы
Профессиональный Документы
Культура Документы
Denial-of-Service Attacks
Denial-of-Service (DoS)
Attack
The NIST Computer Security Incident Handling
Guide defines a DoS attack as:
An action that prevents or impairs the
authorized use of networks, systems, or
applications by exhausting resources such as
central processing units (CPU), memory,
bandwidth, and disk space.
Denial-of-Service (DoS)
A form of attack on the availability of some
service
Categories of resources that could be attacked
are:
Internet service
provider (ISP) A
Broadband Broadband
users users
Router
Internet
LargeCompany LAN
Medium SizeCompany
LAN
Web Server
LAN PCs
and workstations
Web Server
Send SYN 1
(seq = x)
Receive SYN
(seq = x)
2 Send SYN-ACK
(seq = y, ack = x+1)
Receive SYN-ACK
(seq = y, ack = x+1)
Send ACK 3
(ack = y+1)
Receive ACK
(ack = y+1)
Send SYN 1
with spoofed src
(seq = x)
Send SYN-ACK
2
(seq = y, ack = x+1)
SYN-ACKs to
non-existant client
Resend SYN-ACK discarded
after timeouts
Assume failed
connection
request
UDP flood Uses UDP packets directed to some port number on the
target system
Attacker uses a
flaw in operating Large collections
system or in a of such systems
Use of multiple common under the control
systems to application to of one attackers
generate attacks gain access and control can be
installs their created, forming
program on it a botnet
(zombie)
Attacker
Handler
Zombies
Agent
Zombies
Target
Returns IP
address of bobs 3 2
proxy server Internet
DNS Query:
biloxi.com Proxy
Server
INVITE sip:bob@biloxi.com
From: sip:alice@atlanta.com
Proxy 4
Server
INVITE sip:bob@biloxi.com
INVITE sip:bob@biloxi.com From: sip:alice@atlanta.com
LAN 5
1 From: sip:alice@atlanta.com
Wireless
Network
I P: w.x.y.z
2 From: w.x.y.z.53
To: j.k.l.m:7
I P: a.b.c.d From: w.x.y.z.53 DNS
To: a.b.c.d:1792 Server 2
Loop
Attacker
possible
From: j.k.l.m:7
To: w.x.y.z.53 Victim
1 3
From: j.k.l.m:7
To: w.x.y.z.53 I P: j.k.l.m
I P: a.b.c.d
Zombies
Target
Reflector
intermediaries
Figure7.7Amplification Attack
DNS Amplification Attacks
Use packets directed at a legitimate DNS server as the
intermediary system
Attacker creates a series of DNS requests containing
the spoofed source address of the target system
Exploit DNS behavior to convert a small request to a
much larger response (amplification)
Target is flooded with responses
Basic defense against this attack is to prevent the use
of spoofed source addresses
DoS Attack Defenses
Four lines of defense against DDoS attacks
These attacks cannot be
prevented entirely Attack prevention and preemption
Before attack
High traffic volumes may
be legitimate Attack detection and filtering
High publicity about a specific During the attack
site
Activity on a very popular site
Attack source traceback and
Described as slashdotted, flash identification
During and after the attack
crowd, or flash event
Attack reaction
After the attack
DoS Attack Prevention
Block spoofed source addresses
On routers as close to source as possible