Classification of DoS Attacks

Attack | Affected Area | Description
Network Level Device | Routers, IP Switches, Firewalls | Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.
OS Level | Equipment Vendor OS, End-User Equipment | Attack takes advantage of the way operating systems implement protocols.
Application Level Attacks | Finger Bomb | Attack a service or machine by using an application attack to exhaust resources.
Data Flood (Amplification, Simple Flooding) | Host computer or network | Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.
Protocol Feature Attacks | Servers, Client PC, DNS Servers | Attack in which “bugs” in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting the DNS server cache.
Service Denial Attacks
• One of the reasons we want security services to be fault-tolerant is to
make service-denial attacks less attractive, more difficult, or both.
• These attacks are often used as part of a larger attack plan. For
example, one might swamp a host to take it temporarily offline, and
then get another machine on the same LAN to assume its identity for
a while.
Service Denial Attacks (cont.)
• A powerful defense against service denial is to prevent the opponent
mounting a selective attack.
• Where this isn’t possible, and the opponent knows where to attack,
then there are some types of service-denial attacks which can be
stopped by redundancy and resilience mechanisms, and others
which can’t.
• An opponent can send a large number of connection requests and
prevent anyone else establishing a connection.
• Finally, where a more vulnerable fallback system exists, a common
technique is to force its use by a service-denial attack.
Service Denial Attacks (cont.)
• A typical attack nowadays is to use a false terminal, or a bug inserted
into the cable between a genuine terminal and a branch server, to
capture card details, and then write these details to the magnetic
stripe of a card whose chip has been destroyed.
• In the same way, burglar alarms that rely on network connections for
the primary response and fall back to alarm bells may be very
vulnerable if the network can be interrupted by an attacker: now that
online alarms are the norm, few people pay attention any more to
alarm bells.
DoS Shortfalls
• DoS attacks are unable to attack large bandwidth websites – one
upstream client cannot generate enough bandwidth to cripple major
megabit websites.
• New distributed server architecture makes it harder for one DoS to
take down an entire site.
• New software protections neutralize existing DoS attacks quickly.
• Service providers know how to prevent these attacks from affecting
their networks.
DoS Basics
• What is the Internet?
• What resources do you access through the Internet?
• Who uses those resources?
• Good vs. bad users
• Denial-of-Service attack
  – A DoS attack is a malicious attempt by a single person or a group of people to
    cause the victim, site, or node to deny service to its customers.
• DoS vs. DDoS
  – DoS: when a single host attacks
  – DDoS: when multiple hosts attack simultaneously
DDoS Architecture
[Figure: DDoS architecture diagram; labels recovered from the slide: Client, Agents]
DDoS Attack Description
• DDoS attack
  – build a network of computers:
    · discover vulnerable sites or hosts on the network
    · exploit them to gain access to these hosts
    · install new programs (known as attack tools) on the compromised hosts
    · hosts that are running these attack tools are known as zombies
    · many zombies together form what we call an army
DDoS Attack Description (cont.)
• How to find vulnerable machines?
  – Random scanning
    · infected machines probe IP addresses randomly, find vulnerable
      machines and try to infect them
    · creates a large amount of traffic
    · spreads very quickly but slows down as time passes
  – Hit-list scanning
    · the attacker first collects a list of a large number of potentially
      vulnerable machines before scanning starts
    · once a machine is found, the attacker infects it and splits the list,
      giving half of the list to the compromised machine
    · the same procedure is carried out for each infected machine
    · all machines in the list are compromised in a short interval of time
      without generating significant scanning traffic
DDoS Attack Description (cont.)
  – Topological scanning
    · uses information contained on the victim machine in order to
      find new targets
    · looks for URLs on the disk of a machine that it wants to infect
    · extremely accurate, with performance matching the hit-list
      scanning technique
  – Local subnet scanning
    · acts behind a firewall
    · looks for targets in its own local network
    · creates a large amount of traffic
DDoS Attack Description (cont.)
  – Permutation scanning
    · all machines share a common pseudorandom permutation list of IP
      addresses
    · based on certain criteria, it starts scanning at some random point
      or sequentially
    · coordinated scanning with extremely good performance
    · the randomization mechanism allows high scanning speeds
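As an added illustration (not part of the original slides), the following Python detector applies the traffic observation above to constructed flow records: a random scanner stands out by its destination fan-out and failed handshakes, while a quiet hit-list worm does not. The record format, hosts and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, handshake_completed).
# A random scanner mostly probes addresses where nothing listens, so most of
# its handshakes fail; a hit-list worm only contacts hosts it already knows.
FLOWS = (
    # ordinary client: two destinations, every handshake completes
    [("10.0.0.5", "198.51.100.10", 443, True)] * 3
    + [("10.0.0.5", "203.0.113.7", 443, True)]
    # random scanner: 40 distinct targets, only one in ten answers
    + [("10.0.0.9", f"192.0.2.{i}", 445, i % 10 == 0) for i in range(40)]
    # hit-list worm: five pre-selected targets, every connection succeeds
    + [("10.0.0.23", f"192.0.2.{100 + i}", 445, True) for i in range(5)]
)


def per_source_stats(flows):
    """Map each source to (distinct destinations, failed-handshake ratio)."""
    dests = defaultdict(set)
    total = defaultdict(int)
    failed = defaultdict(int)
    for src, dst, _port, completed in flows:
        dests[src].add(dst)
        total[src] += 1
        if not completed:
            failed[src] += 1
    return {src: (len(dests[src]), failed[src] / total[src]) for src in total}


def scan_candidates(flows, min_fanout=20, min_fail_ratio=0.7):
    """Sources whose fan-out and failure ratio both exceed the thresholds."""
    return sorted(
        src
        for src, (fanout, fail_ratio) in per_source_stats(flows).items()
        if fanout >= min_fanout and fail_ratio >= min_fail_ratio
    )


if __name__ == "__main__":
    for src, (fanout, ratio) in sorted(per_source_stats(FLOWS).items()):
        print(f"{src:<10} distinct destinations={fanout:>3} fail ratio={ratio:.2f}")
    # The random scanner is flagged; the quiet hit-list worm is not.
    print("flagged:", scan_candidates(FLOWS))
```

The hit-list source passes unnoticed, which is exactly the point the slide makes about that technique producing little scanning traffic.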
DDoS Attack Propagation
• How to propagate malicious code?
  – Central source propagation:
    · this mechanism commonly uses HTTP, FTP, and remote-procedure call
      (RPC) protocols
DDoS Attack Propagation (cont.)
• How to propagate malicious code?
  – Back-chaining propagation:
    · copying the attack toolkit can be supported by simple port
      listeners or by full intruder-installed web servers, both of
      which use the Trivial File Transfer Protocol (TFTP)
DDoS Attack Propagation (cont.)
• How to propagate malicious code?
  – Autonomous propagation:
    · transfers the attack toolkit to the newly compromised system
      at the exact moment that it breaks into that system
DDoS Attack Taxonomy
• There are mainly two kinds of DDoS attacks:
  – typical DDoS attacks, and
  – Distributed Reflector DoS (DRDoS) attacks
• Typical DDoS attacks
DDoS Attack Taxonomy (cont.)
• DRDoS attacks
  – slave zombies send a stream of packets with the victim's IP address as the
    source IP address to other uninfected machines (known as reflectors)
  – the reflectors then connect to the victim and send a greater volume of
    traffic, because they believe the victim is the host that asked for it
  – the attack is mounted by non-compromised machines that are unaware of
    their role in it
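Added example, not from the slides: a detector for the reflector behaviour described above, working from constructed packet records captured at the victim's edge. Because the reflectors answer queries the victim never sent, matching inbound replies against the victim's own outbound requests separates reflected traffic from legitimate replies. The record format, addresses and reflector threshold are assumptions.

```python
from collections import Counter

# Constructed packet records as seen at the victim's edge:
# (direction, peer_ip, peer_port, victim_port, kind), where direction is
# "out" (victim -> peer) or "in" (peer -> victim).
PACKETS = (
    # legitimate lookup: the victim asks a resolver and gets one reply back
    [("out", "198.51.100.53", 53, 40001, "query"),
     ("in", "198.51.100.53", 53, 40001, "response")]
    # reflected replies from 30 open resolvers the victim never queried;
    # the zombies sent those queries with the victim's address as source
    + [("in", f"192.0.2.{i}", 53, 12345, "response") for i in range(30)]
)


def unsolicited_responses(packets):
    """Inbound responses for which no matching outbound request was seen."""
    pending = set()       # (peer_ip, peer_port, victim_port) of open requests
    unsolicited = []
    for direction, peer, peer_port, victim_port, kind in packets:
        key = (peer, peer_port, victim_port)
        if direction == "out" and kind == "query":
            pending.add(key)
        elif direction == "in" and kind == "response":
            if key in pending:
                pending.discard(key)      # legitimate reply to our own query
            else:
                unsolicited.append(key)   # nobody here asked for this
    return unsolicited


def reflection_alert(packets, min_reflectors=10):
    """(alert?, reflector count): unsolicited replies from many distinct peers."""
    reflectors = Counter(peer for peer, _pp, _vp in unsolicited_responses(packets))
    return len(reflectors) >= min_reflectors, len(reflectors)


if __name__ == "__main__":
    alert, count = reflection_alert(PACKETS)
    print(f"unsolicited replies from {count} distinct reflectors, alert={alert}")
```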
DDoS Attack Types
Defense Mechanisms
• No fail-safe solution is available to counter DDoS attacks:
  – the attackers manage to discover other weaknesses of the protocols
  – they exploit the defense mechanisms in order to develop attacks
  – they discover methods to overcome these mechanisms
  – or they exploit them to generate false alarms and to cause catastrophic
    consequences
• There are two approaches to defense:
  – preventive defense
  – reactive defense
Modern Techniques in Defending
• Right now there is no 100% effective defense mechanism.
• Developers are working on DDoS diversion systems,
  – e.g. honeypots
Modern Techniques in Defending (cont.)
• Honeypots
  – low-interaction honeypots
    · emulate services and operating systems
    · easy and safe to implement
    · attackers are not allowed to interact with the underlying operating
      system, only with specific services
  – high-interaction honeypots
    · a Honey-net is not a software solution that can be installed on a
      computer but a whole architecture
    · it is a network that is created to be attacked
    · every activity is recorded and attackers are trapped
    · a Honey-wall gateway allows incoming traffic, but controls
      outgoing traffic using intrusion prevention technologies
Modern Techniques in Defending (cont.)
• Route Filter Techniques
  – when routing protocols were designed, developers did not focus
    on security, but on effective routing mechanisms and routing loop
    avoidance
  – by gaining access to a router, attackers could direct the traffic over
    bottlenecks, view critical data, and modify it
  – routing filters are necessary for preventing critical routes and
    subnetworks from being advertised and suspicious routes from
    being incorporated in routing tables
  – attackers then do not know the route toward critical servers, and
    suspicious routes are not used
• Two route filter techniques
  – blackhole routing
  – sinkhole routing
Modern Techniques in Defending (cont.)
• Route Filter Techniques
  – filtering on source address
    · the best technique, if we knew each time who the attacker is
  – filtering on services
    · filter based on UDP port, TCP connection or ICMP messages
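Added example, not from the slides: a toy edge-router policy in Python that applies the four filter ideas named on these two slides (source filtering, service filtering, blackhole routing, sinkhole routing) to constructed packets. It also adds an anti-spoofing check on customer interfaces, which the slides do not mention; all prefixes, addresses and interface names are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# interface -> prefix a packet arriving there may legitimately carry as source
INGRESS_PREFIX = {"cust-a": ip_network("10.1.0.0/16"), "uplink": ANY}
BLOCKED_SOURCES = [ip_network("192.0.2.0/24")]      # known attack source
BLOCKED_SERVICES = {("udp", 19), ("udp", 1900)}      # chargen, SSDP: not offered
# prefix -> next hop; "null0" discards, "sinkhole" diverts for analysis
ROUTES = {
    ip_network("198.51.100.0/24"): "core",
    ip_network("198.51.100.77/32"): "null0",     # victim: blackholed
    ip_network("198.51.100.90/32"): "sinkhole",  # victim: traffic captured
}


def lookup(dst):
    """Longest-prefix match on ROUTES; None when nothing matches."""
    matches = [net for net in ROUTES if dst in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def forward(interface, src, dst, proto, dport):
    """Decide the fate of one packet; returns a drop reason or the next hop."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in INGRESS_PREFIX[interface]:
        return "drop-spoofed"        # source cannot be behind this interface
    if any(src in net for net in BLOCKED_SOURCES):
        return "drop-source"         # the slide's "filtering on source address"
    if (proto, dport) in BLOCKED_SERVICES:
        return "drop-service"        # the slide's "filtering on services"
    hop = lookup(dst)
    if hop is None:
        return "drop-noroute"
    if hop == "null0":
        return "drop-blackhole"      # legitimate traffic to the victim is lost too
    return hop


if __name__ == "__main__":
    for pkt in [("cust-a", "10.1.5.5", "198.51.100.10", "tcp", 443),
                ("cust-a", "10.9.5.5", "198.51.100.10", "tcp", 443),
                ("uplink", "192.0.2.8", "198.51.100.10", "udp", 53),
                ("uplink", "203.0.113.9", "198.51.100.10", "udp", 1900),
                ("uplink", "203.0.113.9", "198.51.100.77", "udp", 53),
                ("uplink", "203.0.113.9", "198.51.100.90", "udp", 53)]:
        print(pkt, "->", forward(*pkt))
```

The blackhole entry shows the trade-off of that technique: it stops the flood reaching the victim, but every other packet to that address is discarded as well, which is why the sinkhole variant is preferred when the traffic must still be examined.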