denial of service attacks
DESCRIPTION
Denial of Service Attacks. Denial of service ( DOS ). Too many requests for a particular web site “ clog the pipe ” so that no one else can access the site. - PowerPoint PPT PresentationTRANSCRIPT
Denial of Service Attacks
Denial of service ( DOS )
- Too many requests for a particular web site “clog the pipe” so that no one else can access the site
Possible impacts:May reboot your computer, Slows down computers-Certain sites, Applications become inaccessible
**you are off.
Denial of service ( DOS )
What is Denial of Service Attack?
• “Attack in which the primary goal is to deny the victim(s) access to a particular resource.”
• A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
What is Denial of Service Attack?
6
Case 1: Code Red
• Exploited buffer overflow error in IIS• Several different versions• Date-based
– 1-19th: attempted to infect random IPs– 20-28th: attack whitehouse.gov– After 28th: dormant
• At peak more than 2,000 new hosts were infected each minute
7
Case 2: Sapphire/Slammer
• Fastest virus spread in history• Exploited buffer overflow in MS SQL Server• Used UDP instead of TCP
– Allowed faster spread – no response needed– Limited only by bandwidth
• Problems affected customers, ex. automatic cash machines
How to take down a restaurant
Saboteur
Restauranteur
Saboteur vs. Restauranteur
Saboteur
RestauranteurTable for fourat 8 o’clock. Name of Mr. Smith.
O.K.,Mr. Smith
Saboteur
Restauranteur
No More Tables!
Categories of DOS attack• Bandwidth attacks • Protocol exceptions • Logic attacks
Bandwidth attacks
• A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.
Protocol exceptions
• A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected.
Logic attacks
• The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking.
Samples• Ping of Death• Smurf & Fraggle• Land attack• Synchronous Flooding
PING OF DEATH A Ping of Death attack uses Internet Control Message
Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture, a normal ping has two messages:
• BUT• With a Ping of Death attack, an echo packet is sent that is
larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot.
• You can perform a Ping of Death from within Linux by typing ping –f –s 65537.
• Note the use of the –f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target.
Tools:- -Jolt -SPing-ICMP Bug -IceNewk
PING OF DEATH
Smurf and Fraggle
A Smurf attack is another DoS attack that uses ICMP. Here, a request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.
• If the broadcast ping cannot be sent to a network, a Smurf amplifier is used. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. NMap provides the capability to detect whether a network can be used as a Smurf amplifier.
Smurf and Fraggle
• A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.
Smurf and Fraggle
LAND Attack
• In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack.
HPing can be used to craft packets with the same spoofed source and destination address.
SYN_Received هنگامی که قربانی در حالت• SYN/ACKقرار دارد، منتظر دریافت بسته ی
دریافت می کندACKاست در حالی که
مهاجمSYN_RECIEVED
Waiting for SYN/ACKNot ACK
SYN
ACKSYN_RECIEVED
قربانی
LAND Attack
بهروز ) دکتر کامپوتری های شبکه در امنیتالدانی (1386ترک
را دریافت می کند، SYN هنگامی که قربانی• می ACKشماره ترتیب را به روز کرده،
فرستد، سپس بسته ای با شماره ترتیب مشابه دریافت می کند و آن را با همان شماره
ترتیب برای فرستنده می فرستد تا توسط او اصالح شود
چون شماره ترتیب هرگز به روز نمی شود، •قربانی دچار حلقه بی نهایت می شود!
LAND Attack
قربانی
مهاجم
Waiting for updated SN
SYN
ACK
SN=x
SN=y
SN=yACK
LAND Attack
Synchronous flood• A SYN flood is one of the oldest and yet still most effective DoS
attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.
but in our case the using of the syn flood for the 3 way handshaking is taking another deal, that is the attacker host will send a flood of syn packet but will not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled.
Synchronous flood
With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a
packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open
(embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication
can take place until
• the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.
Synchronous flood
• SYN floods are still successful today for three reasons:
1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.
2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.
3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.
Synchronous flood
Return to our Restaurant
“TCP connection, please.”
“O.K. Please send ack.”
“TCP connection, please.”
“O.K. Please send ack.”
Buffer
IP Packet optionsدر این روش برخی از فیلد های انتخابی بسته •
به صورت تصادفی تغییر داده می شوند و .بسته حاصل برای قربانی ارسال می شود
می یکبیت های مربوط به کیفیت خدمات •شوند
می شودCPUباعث باال رفتن زمان پردازش •
Tear drop در اثر یک افراز غلط، IP در این حمله بسته ی•
به قطعه هایی تقسیم می شود که همپوشانی دارند
قربانی نمی تواند این بسته را دوباره از قطعه •هایش بسازد
" صفحه ی آبی مرگباعث می شود سیستم "• شودrebootرا مشاهده کند و در نتیجه باید
Tear drop
A new Classification• Now we may categorize the DOS in to 3 parts
depending on the number of characters:– Single-tier DoS Attacks– Dual-tier DoS Attacks– Triple-tier DDoS Attacks
Single-tier DoS Attacks– Straightforward 'point-to-point' attack, that means
we have 2 actors: hacker and victim.– Examples
• Ping of Death• SYN floods• Other malformed packet attacks
Single-tier DoS Attacks
Dual-tier DoS Attacks– More complex attack model– Difficult for victim to trace and identify attacker– Examples
• Smurf
Dual-tier DoS Attacks
Triple-tier DDoS Attacks– Highly complex attack model, known as Distributed Denial
of Service (DDoS).– DDoS exploits vulnerabilities in the very fabric of the
Internet, making it virtually impossible to protect your networks against this level of attack.
– Examples• TFN2K• Stacheldraht• Mstream
Components of a DDoS Flood Network
– Attacker• Often a hacker with good networking and routing
knowledge.– Master servers
• Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts.
– Zombie hosts• Thousands of backdoored hosts over the world
Triple-tier DDoS Attacks
Results expected
• Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise.
• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack“. For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Defense
Internet Service Providers• Deploy source address anti-spoof filters (very
important!).• Turn off directed broadcasts.• Develop security relationships with neighbor ISPs.• Develop traffic volume monitoring techniques.
High loaded machines• Look for too much traffic to a particular destination.• Learn to look for traffic to that destination at your
border routers (access routers, peers, exchange points, etc.).
• Can we automate the tools – too many queue drops on an access router will trigger source detection.
• Disable and filter out all unused UDP services.
Also
• Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed
• System should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, back doors, etc.)
• Train your system and network administrators• Read security bulletins like:
www.cert.org, www.sans.org, www.eEye.com• From time to time listen on to attacker
community to be informed about their latest achievements.
• Be in contact with your ISP. In case that your network is being attacked, this can save a lot of time
Also
references [.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".
[.2.] http://jya.com/floodd.txt2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane
[.3.] http://www.fc.net/phrack/files/p48/p48-14.htmlIP-spoofing Demystified by daemon9 / route / infinityfor Phrack Magazine
[.4.]http://www.gao.gov/new.items/d011073t.pdf [.5.]http://www.cl.cam.ac.uk/~rc277/
[.6.]http://www.cert.org/reports/dsit_workshop.pdf
[.7.]http://staff.washington.edu/dittrich/misc/tfn.analysis