Defending Against Denial of Service Attacks


Post on 03-Jan-2016


Page 1: Defending Against Denial of Service Attacks


Defending Against Denial of Service Attacks

Presented By: Jordan Deveroux

Page 2: Defending Against Denial of Service Attacks

Outline

I. What are Denial of Service Attacks and what makes the internet vulnerable to them?
II. How do these attacks occur?
III. How do we defend against such attacks?
IV. What are the ethical implications of Denial of Service Attacks and their effect on our society?

Page 3: Defending Against Denial of Service Attacks

Denial of Service Attacks

• Denial of Service (DoS): an attack that tries to deny legitimate users access to shared resources or services
• Distributed Denial of Service (DDoS): a denial of service attack where the traffic comes from multiple sources

Page 4: Defending Against Denial of Service Attacks

[Diagram labels: Attacker, Zombies, Victim]

Page 5: Defending Against Denial of Service Attacks

Zombies

• Malicious payload is installed
• Communication takes place on IRC channels
• Software contains a flooding mechanism
• Software can be updated by attacker

Page 6: Defending Against Denial of Service Attacks

Internet Vulnerabilities

• IP spoofing: creating an IP packet with false information, often a false address
• Multipath routing makes packet tracing difficult
• No centralized Internet authority


Page 8: Defending Against Denial of Service Attacks

What does DoS Attack?

1. Consumes a host’s resources
   • CPU
   • Memory
2. Consumes network bandwidth
   • Legitimate traffic is unable to go through

Attack power: level of resources consumed at the victim by the attack

Page 9: Defending Against Denial of Service Attacks

Categories of Bandwidth Attacks

• Protocol-Based
• Application-Based
• Distributed Reflector
• Infrastructure Attacks

Page 10: Defending Against Denial of Service Attacks

Protocol-Based: SYN Flood

Page 11: Defending Against Denial of Service Attacks

Protocol-Based: ICMP Flood

[Diagram labels: Attacker, Internet, Intermediary Network, Victim]

Page 12: Defending Against Denial of Service Attacks

Application-Based: HTTP Flood

• Attacking web servers with many HTTP requests
• Used in DDoS because it requires a genuine IP
• Multiple ways to flood using this method

Page 13: Defending Against Denial of Service Attacks

Application-Based: SIP Flood

• VoIP attack
• Flood proxy servers with many INVITE packets
• Affects not only proxy servers but legitimate callers

Page 14: Defending Against Denial of Service Attacks

Distributed Reflector Attacks

Page 15: Defending Against Denial of Service Attacks

Infrastructure Attacks

• Disable critical components of the Internet
• Significant attack power is required to successfully execute an infrastructure attack
• These types of attacks are why we need a globally cooperative defense effort


Page 17: Defending Against Denial of Service Attacks

Four Categories of Defense

• Attack Prevention
• Attack Detection
• Attack Source Identification
• Attack Reaction

Page 18: Defending Against Denial of Service Attacks


Attack Prevention: Ingress/Egress Filtering

Page 19: Defending Against Denial of Service Attacks

Other Attack Prevention Techniques

• Router-based packet filtering
   • Possible if Tier 1 ISPs are involved
• SAVE protocol
   • Needs to be universally deployed

These techniques prevent IP spoofing and filter traffic before it reaches the target, but need wide adoption to be effective.

Page 20: Defending Against Denial of Service Attacks

Attack Detection Techniques

• Easy to detect
• Differentiate between flash crowds and DoS attack
• Rely on certain assumptions

Attack detection techniques:
   • DoS-attack-specific
   • Anomaly-based

Page 21: Defending Against Denial of Service Attacks

DoS-Specific

• MULTOPS
• SYN Detection
• Kolmogorov Test
• Spectral Analysis
• Time Series Analysis

Anomaly-Based

• Need to build a normal profile
• Block irregular traffic
• Difficult to determine all normal traffic
• Lightweight Intrusion Detection System (LISYS)

The only way to detect a DDoS effectively and early is to monitor features attackers can’t change or are really difficult to change (e.g., percent of new IPs)
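
Added example (not part of the original slides): a small detector for the "percent of new IPs" feature named above. It flags a time window when most of its source addresses were never seen during normal operation. The window size, threshold, minimum-source count and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (epoch_seconds, source_ip) pairs, as a flow or access log would yield.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as made-up traffic.
BASELINE = [(t, f"198.51.100.{t % 40 + 1}") for t in range(0, 600, 3)]
NORMAL = [(600 + t, f"198.51.100.{t % 45 + 1}") for t in range(0, 60, 2)]
FLOOD = [(660 + t // 10, f"203.0.113.{t % 250 + 1}") for t in range(600)] + \
        [(660 + t, f"198.51.100.{t % 40 + 1}") for t in range(0, 60, 3)]


def new_ip_alerts(history, events, window=60, threshold=0.5, min_sources=20):
    """Return [(window_start, new_ip_fraction, alerted)] for each time window.

    history: set of source IPs seen during known-good operation (mutated in place).
    A window alerts when at least min_sources distinct IPs appear and more than
    `threshold` of them were never seen before (both values are assumptions).
    IPs from alerting windows are not learned, so a flood cannot teach the
    baseline its own addresses.
    """
    buckets = defaultdict(set)
    for ts, ip in events:
        buckets[ts - ts % window].add(ip)
    results = []
    for start in sorted(buckets):
        sources = buckets[start]
        fraction = len(sources - history) / len(sources)
        alerted = len(sources) >= min_sources and fraction > threshold
        if not alerted:
            history |= sources  # learn only from windows judged normal
        results.append((start, round(fraction, 3), alerted))
    return results


def run_demo():
    """Build the baseline from BASELINE, then score a normal and a flood window."""
    history = {ip for _, ip in BASELINE}
    return new_ip_alerts(history, NORMAL + FLOOD)


if __name__ == "__main__":
    for start, fraction, alerted in run_demo():
        print(start, fraction, "ALERT" if alerted else "ok")
```

A burst of requests from already-known addresses leaves the new-IP fraction low and raises no alert.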

Page 22: Defending Against Denial of Service Attacks

Attack Source Identification

• Tracking IP traffic is difficult to do
• Active IP traceback technique
• Probabilistic traceback technique
• Hash-based IP traceback

Page 23: Defending Against Denial of Service Attacks


Attack Reaction Techniques

Page 24: Defending Against Denial of Service Attacks

Attack Reaction Techniques

• Bottleneck Resource Management
   • Fix software-based vulnerabilities
   • History-based IP filtering
• Intermediate Network Reaction
   • Harder to track the greater the distance
   • Controller-agent scheme
• Source End Reaction
   • D-WARD

Page 25: Defending Against Denial of Service Attacks

Conclusion on Defense Techniques

• Most of these are DoS defense
• Limited progress made on DDoS
• Attacker resources often surpass victim’s resources
• Defenses are limited due to lack of central control of the internet
• We need to increase the reliability of global network infrastructure
• Most effective is to block attack close to source


Page 27: Defending Against Denial of Service Attacks

Growth of DoS and DDoS attacks

Security knowledge of users is decreasing while attacks are becoming more and more sophisticated

• In 1988, 6 attacks were reported
• In 2003, 137,529 attacks were reported
• CSI/FBI survey shows on average 35% of those who participate suffered DoS attacks
• Vulnerabilities have increased to 35x the number reported in 1995
• Only 4 out of 1127 customer-based system attacks used spoofed addresses in 2004

Page 28: Defending Against Denial of Service Attacks

What’s taking so long?

• Implementing defense schemes is expensive
• Lack of economic incentive
   • Personal users
   • Internet Service Providers
• Don’t want to spend money to protect someone else’s network

Page 29: Defending Against Denial of Service Attacks

• “Code Red” Worm (2001)
   • 300,000 zombie army to launch DoS against White House website
• Distributed Reflector Attack (2002)
   • Brought down www.grc.com
• Internet DNS Root Servers (2002)
   • SYN Flood and ICMP Flood
   • All 13 DNS root servers were attacked at the same time
   • Total attack volume: 900 Mb/s
   • Most queries answered but some parts of internet experienced congestion or were unreachable
• Blaster Worm (2003)
   • Exploited vulnerability in RPC
   • SYN Flood against windowsupdate.com

Page 30: Defending Against Denial of Service Attacks

Ethics

• These attacks can have lasting effects, including monetary damages
• Used as a political statement
   • Wikileaks fiasco (2010)
   • Operation: Payback
   • Mastercard, PostFinance, Paypal
