Upload: bo-mccullough
Post on 30-Dec-2015

TRANSCRIPT

Denial-of-Service Attacks

Justin Steele

Definition

"A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service." [1]

Denial-of-service attacks deal with the issue of availability.

[1] CERT Website

Examples

Examples include attempts to:

"flood" a network, thereby preventing legitimate network traffic [1]

disrupt connections between two machines, thereby preventing access to a service [1]

prevent a particular individual from accessing a service [1]

disrupt service to a specific system or person [1]

[1] CERT Website

Types of Attacks

Physical Attack: Physically destroying components.

Configuration Attack: Altering or destroying configuration files or information.

Consumption Attack: Using limited or scarce resources and thereby preventing legitimate users from using them.

Physical Attack

Probably considered the least interesting to most of us.

Examples

Taking a bat and smashing an ATM, thus denying others the ability to use the ATM.

Snipping or cutting a fiber optic line, therefore preventing communication to a network or system.

Intentionally turning off or disabling a cooling system, which results in a machine overheating and failing.

Configuration Attack

Most of us probably don't think about this one right away.

Examples

Obtaining administrator rights and deleting user accounts.

Hacking the .htaccess file on a web server and preventing anyone from viewing the site.

Changing the default gateway that a DHCP server sends to its clients.

Changing the settings on a machine which interferes with its ability to get onto the network.

Modifying a domain name's DNS information.

Consumption Attack

Perhaps the one most of us think of and probably find the most interesting.

CERT defines four subtypes:

Network Connectivity

Using Your Own Resources Against You

Other Resource Consumption

Bandwidth Consumption

Network Connectivity Attack

"Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network." [1]

"An example of this type of attack is the "SYN flood" attack" [1]

Also known as a Protocol Attack.

This is an example of an "asymmetric attack":

"attacks can be executed with limited resources against a large, sophisticated site" [1]

"an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks." [1]

[1] CERT Website

SYN Flood Attack

(Images taken from www.grc.com)

Using Your Own Resources Against You Attack

An attacker uses your own resources against you in unexpected ways.

An example is a UDP chargen/echo scenario.

Other Resource Consumption Attack

Most of us don't readily consider Consumption Attacks.

Examples

CPU time: Spawning a large number of processes that bog down the CPU.

Consuming "locks": Intentionally incorrectly logging in a user until security features prevent any more login attempts for that user. Could include using file or database locks so others can't access them.

Filling up disk space: Generating excessive email messages. Generating error messages that get logged. Placing files in anonymous ftp server space or open shares.

Bandwidth Consumption Attack

The attacker consumes all available bandwidth on a network.

Most often done with ICMP ECHO (Ping) packets, but doesn't have to be.

The attacker may be using multiple machines to coordinate the attack.

DDoS – Distributed Denial-of-Service

DRDoS – Distributed Reflection Denial-of-Service

DoS – Any type of Denial-of-Service

DDoS & DRDoS are Brute Force Attacks.

Filterable vs. Non-filterable Attacks

Filterable Attacks consist of bogus packets or non-critical services which can be blocked by a firewall without affecting the rest of the machine or network.

Non-filterable Attacks consist of packets requesting legitimate services and resources, thus a firewall will not help stop the attack.

Bandwidth Consumption Attack

(Images taken from www.grc.com)

DoS versus DDoS

(Images taken from www.grc.com)

DDoS Attack

(Images taken from www.grc.com)

DRDoS Attack

(Images taken from www.grc.com)

DDoS versus DRDoS

(Images taken from www.grc.com)

What can we do?

ISPs

Implement hardware/software settings and filters on routers and machines that limit and bound packets.

Prevent users from spoofing packets (Firewall).

Administrators

Install and use a firewall.

Close all unnecessary ports and turn off all unused services.

Use quotas.

Maintain backups of configuration files.

Install intrusion detection software.

Monitor network traffic.

Evaluate physical security on a routine basis.

Average Jane and John Doe

Don't download/install software from unknown/unreliable sources.

Install personal firewall/port protection software.
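As an added example (not part of the original presentation) of the "monitor network traffic" and "intrusion detection" recommendations above, the following Python scores packet summaries for the two consumption-attack signatures the slides name: the SYN flood (many half-open handshakes that never get the client's final ACK) and the UDP chargen/echo loop. The Pkt record, the threshold and the sample packets are constructed for the example; a real tool would read them from a capture.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    """One packet summary (constructed for this example)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flags: "S" for SYN, "A" for the handshake-completing ACK

def half_open_per_dst(pkts, threshold=50):
    """Count SYNs per (dst, dport) that were never followed by the client's ACK.
    A backlog of half-open handshakes from many sources is the SYN-flood signature."""
    syn_seen, completed = set(), set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_seen.add(key)
        elif p.flags == "A" and key in syn_seen:
            completed.add(key)
    half_open = defaultdict(int)
    for _src, _sport, dst, dport in syn_seen - completed:
        half_open[(dst, dport)] += 1
    return {k: n for k, n in half_open.items() if n >= threshold}

LOOP_PORTS = {7, 19}  # UDP echo and chargen

def chargen_echo_pairs(pkts):
    """UDP traffic whose source and destination ports are both echo/chargen:
    the self-sustaining loop the 'using your own resources against you' slide names."""
    return {frozenset({(p.src, p.sport), (p.dst, p.dport)}) for p in pkts
            if p.proto == "udp" and p.sport in LOOP_PORTS and p.dport in LOOP_PORTS}

# Constructed sample: 60 SYNs from unrelated sources to 10.0.0.5:80 that never
# complete, two legitimate handshakes, and one echo/chargen loop between two hosts.
SAMPLE = [Pkt(0.01 * i, f"198.51.100.{i % 250 + 1}", 40000 + i, "10.0.0.5", 80, "tcp", "S")
          for i in range(60)]
SAMPLE += [Pkt(1.0, "192.0.2.10", 5000, "10.0.0.5", 80, "tcp", "S"),
           Pkt(1.1, "192.0.2.10", 5000, "10.0.0.5", 80, "tcp", "A"),
           Pkt(1.2, "192.0.2.11", 5001, "10.0.0.5", 22, "tcp", "S"),
           Pkt(1.3, "192.0.2.11", 5001, "10.0.0.5", 22, "tcp", "A"),
           Pkt(2.0, "10.0.0.7", 19, "10.0.0.8", 7, "udp", ""),
           Pkt(2.1, "10.0.0.8", 7, "10.0.0.7", 19, "udp", "")]

if __name__ == "__main__":
    print("half-open backlog:", half_open_per_dst(SAMPLE))
    print("echo/chargen loops:", chargen_echo_pairs(SAMPLE))
```

Only the legitimate handshakes leave the half-open set, so the flood shows up as a single destination with a large backlog while port 22 is never reported; the chargen/echo check flags the endpoint pair regardless of which direction the packet was seen in.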

Sources

http://www.cert.org/tech_tips/denial_of_service.html
http://grc.com/dos/drdos.htm
http://grc.com/dos/grcdos.htm
http://www.rbs2.com/ccrime.htm#anchor111666
http://www.netcraft.com/presentations/interop/dos.html
http://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf
http://www.cnn.com/2002/TECH/internet/10/23/net.attack/
http://www.infoworld.com/article/03/01/25/030125hnsqlnet_1.html?s=IDGNS