Denial of Service. Bryan Oemler, Web Enhanced Information Management, March 22nd, 2011


Page 1: Denial of Service

Bryan Oemler
Web Enhanced Information Management
March 22nd, 2011

Page 2: Introduction

• A constant threat to web-based providers
• Server resources are limited
• Damaging effect on targets

• Goal: drown out all legitimate traffic to the server
  – Consume the server's resources (memory, connection state, bandwidth)
  – Monopolize the CPU
  – Mimic legitimate traffic so the flood is hard to filter out
• Method: combine computing power across the Internet
  – Distribute the attack over many hosts (Distributed Denial of Service, DDoS)

Page 3: DoS in the news

• Attacks on WordPress, March 4th, 2011
  – Largest attack in WordPress's history, as reported at the time
  – Multiple data centers were unable to handle the load
  – Collateral damage: many hosted sites went down because of an attack aimed at a single target
• Anonymous attacks on MasterCard and Visa, December 8th, 2010
  – Individuals organizing a DoS attack
  – Coordinated over social networking
  – Launched from personal computers
• Twitter and Facebook attacks, August 5th, 2009
  – Flood of emails
  – The target was an individual using social networking tools

Page 4: Botnet

• Network of infected computers
  – Computers hijacked with malware
  – Contacted and controlled by the perpetrator of the attacks
  – Directed to flood the victim with requests
• Adds obfuscation and computing power
  – Large network of personal and corporate computers
  – Each source looks like a legitimate client to the victim

Page 5: IP spoofing

• Packets are sent with a forged source IP address
  – Hides the true source of the attack
• A complete TCP connection cannot be formed
  – The victim's reply goes to the forged (often random) address, not to the attacker, so the three-way handshake never completes

http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/1041907

Page 6: SYN Flood

• Critical mass of connection-request packets
  – A TCP connection starts with a SYN (synchronize) packet
  – The server responds with SYN-ACK and waits for the final ACK, which never arrives
  – The attacker creates many half-open connections
  – Each half-open connection holds an entry in the server's connection queue (memory) until it times out
  – The attacker monopolizes the server with half-open connections, so legitimate SYNs are dropped
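The following model, added here as an illustration of the "IP spoofing" and "SYN Flood" slides (it is not code from the original presentation), shows why the spoofed handshake never completes and how a backlog of half-open entries is exhausted. It also goes one step beyond the slides: the second listener uses SYN cookies, the standard defence, which stores nothing per SYN and instead encodes an HMAC over the connection 4-tuple and a coarse timestamp into the initial sequence number, then verifies it when the final ACK comes back. The backlog size, the addresses, the 64-second slot width and the cookie bit layout are assumptions chosen for the example.

```python
"""Half-open-connection exhaustion under a spoofed SYN flood, and why SYN cookies
survive it. Added model for these slides, not code from the original deck; backlog
size, addresses, slot width and cookie layout are assumptions for the illustration."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
BACKLOG = 128  # assumed listen backlog: half-open entries the stateful listener can hold


class StatefulListener:
    """Classic listener: each SYN allocates a half-open entry kept until the final ACK."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}       # (src_ip, src_port) -> server ISN awaiting its ACK
        self.established = set()
        self.dropped = 0          # SYNs refused because the backlog was full

    def on_syn(self, src, client_isn, now):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1     # backlog full: this SYN, legitimate or not, is discarded
            return None
        server_isn = (0x1000 + len(self.half_open)) & MASK32  # hypothetical ISN choice
        self.half_open[src] = server_isn
        return server_isn         # SYN-ACK goes to src, whether that address is real or forged

    def on_ack(self, src, client_seq, ack, now):
        server_isn = self.half_open.get(src)
        if server_isn is None or ack != (server_isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Stateless listener: the ISN is an HMAC over the 4-tuple and a coarse timestamp.
    Nothing is stored per SYN, so forged SYNs cost no memory; the final ACK carries
    the cookie back (as ack-1) and is verified by recomputing it."""
    SLOT = 64  # seconds per timestamp slot encoded in the cookie (assumption)

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _cookie(self, src, client_isn, slot):
        ip, port = src
        msg = ip.encode() + struct.pack(">HII", port, client_isn & MASK32, slot & MASK32)
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]
        # top 5 bits: slot number (tells the server how old the cookie is); low 27 bits: MAC
        return ((slot & 0x1F) << 27) | (struct.unpack(">I", tag)[0] & 0x07FFFFFF)

    def on_syn(self, src, client_isn, now):
        return self._cookie(src, client_isn, now // self.SLOT)

    def on_ack(self, src, client_seq, ack, now):
        cookie = (ack - 1) & MASK32
        client_isn = (client_seq - 1) & MASK32
        current = now // self.SLOT
        for slot in (current, current - 1):        # accept the current and the previous slot
            if (slot & 0x1F) != cookie >> 27:
                continue
            expected = self._cookie(src, client_isn, slot)
            if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", cookie)):
                self.established.add(src)
                return True
        return False


def run_flood(listener, spoofed_syns=1000, now=1_000_000):
    """Send SYNs from forged TEST-NET-3 sources that never answer the SYN-ACK, then let
    one legitimate client attempt a full handshake. Returns True if it connected."""
    for i in range(spoofed_syns):
        forged_src = ("203.0.113.%d" % (i % 254 + 1), 1024 + i)  # attacker never sees the SYN-ACK
        listener.on_syn(forged_src, client_isn=i, now=now)
    client = ("198.51.100.7", 40000)
    client_isn = 0x00ABCDEF
    server_isn = listener.on_syn(client, client_isn, now + 1)
    if server_isn is None:
        return False                                # SYN dropped: backlog already exhausted
    return listener.on_ack(client, client_isn + 1, (server_isn + 1) & MASK32, now + 2)


if __name__ == "__main__":
    stateful = StatefulListener()
    print("stateful: legit client connected =", run_flood(stateful), "dropped =", stateful.dropped)
    cookies = SynCookieListener(secret=b"per-boot random secret (assumed)")
    print("SYN cookies: legit client connected =", run_flood(cookies))
```

With 1000 forged SYNs against a backlog of 128, the stateful listener fills up after the first 128 and drops the remaining 872 plus the legitimate client's SYN; the cookie listener never queues anything, so the legitimate client connects. Real kernels (Linux `net.ipv4.tcp_syncookies`) also encode the MSS in the low bits, since no per-connection state survives to remember it.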

Page 7: TCP Connection vs Spoofed Packet

http://www.understandingcomputers.ca/articles/grc/drdos_copy.html

Page 8: Reflection Attacks

• "Reflect" requests off innocent servers
  – The source IP address on each packet is forged to be that of the intended target
  – The attacker sends these packets to a diverse set of hosts
  – Those hosts answer the target, acting as middlemen for the attack
• Tracing the packets is more difficult
  – The path from attacker to victim is indirect
  – Tracing relies on the records kept by the intermediate hosts

Page 9: Reflection Attack

http://www.understandingcomputers.ca/articles/grc/drdos_copy.html

Page 10: Full HTTP Requests

• Complete, valid requests that cost the server real CPU time
  – Database queries
  – Complex calculations
  – File access
• Attack hidden inside a botnet
  – Infected computers appear to be legitimate users
  – Botnets are sufficiently large to overwhelm the server
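Because every request in this kind of attack is syntactically legitimate, counting requests per client is not enough: a few hundred hits on a search page cost far more than a few hundred hits on a static image. The limiter below is an added example for this slide (not code from the original deck) that charges each request a cost proportional to what it makes the server do, so a client can make many cheap requests or a few expensive ones but not many expensive ones. The endpoint cost table, the bucket parameters and the client addresses are assumptions; the traffic is constructed.

```python
"""Cost-weighted rate limiting against floods of fully formed, expensive HTTP requests.
Added example for the "Full HTTP Requests" slide, not code from the original deck.
Endpoint costs, bucket parameters and client addresses are assumptions."""
from collections import defaultdict

# Relative server cost of a request, approximating CPU/database time (assumed values)
ENDPOINT_COST = {"/search": 10.0, "/report": 25.0}
DEFAULT_COST = 1.0   # cheap static files


def request_cost(path):
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix):
            return cost
    return DEFAULT_COST


class CostLimiter:
    """Per-client token bucket where a request consumes tokens equal to its cost."""

    def __init__(self, capacity=100.0, refill_per_sec=10.0):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.buckets = defaultdict(lambda: [capacity, None])   # client -> [tokens, last_seen]

    def allow(self, client, path, now):
        tokens, last = self.buckets[client]
        if last is not None:
            tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last request
        cost = request_cost(path)
        ok = tokens >= cost
        if ok:
            tokens -= cost
        self.buckets[client] = [tokens, now]
        return ok


def simulate(requests, limiter=None):
    """requests: iterable of (timestamp, client, path). Returns {client: (allowed, denied)}."""
    limiter = limiter or CostLimiter()
    tally = defaultdict(lambda: [0, 0])
    for now, client, path in requests:
        tally[client][0 if limiter.allow(client, path, now) else 1] += 1
    return {c: tuple(v) for c, v in tally.items()}


# Constructed traffic: a bot hammering the search endpoint vs. a browser fetching 50 static assets,
# both at 100 requests per second.
SAMPLE_REQUESTS = sorted(
    [(i * 0.01, "203.0.113.5", "/search?q=%d" % i) for i in range(30)]
    + [(i * 0.01, "198.51.100.7", "/static/img%d.png" % i) for i in range(50)]
)

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))   # bot: 10 allowed, 20 denied; browser: 50 allowed, 0 denied
```

The bot and the browser send at the same rate, but the bot burns its 100-token budget after ten searches while the browser's fifty static fetches use only half of it. Against a botnet the per-client budget is deliberately modest, because the point of the botnet is to keep each bot's share below any single-client threshold; the cost weighting still caps what any one source can make the server do, and the same accounting can be applied per session or per account rather than per address.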

Page 11: Final Observations

• Extremely potent
  – Capable of knocking even the largest companies offline
• Costly to victims
  – Services denied: e-commerce websites, public safety
• Increasing risk of attacks
  – More tools and resources are moving online
• High collateral damage
  – Information is interdependent
  – Hosts are attacked, or are used to attack others

Page 12: References

• http://www.computerworld.com/s/article/9200521/Update_MasterCard_Visa_others_hit_by_DDoS_attacks_over_WikiLeaks
• http://www.reuters.com/article/2010/12/10/uk-wikileaks-cyberwarfare-amateur-idUSLNE6B902T20101210?feedType=RSS&feedName=everything&virtualBrandChannel=11563
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.understandingcomputers.ca/articles/grc/drdos_copy.html
• http://www.cis.udel.edu/~sunshine/publications/ccr.pdf
• http://www.sans.org/security-resources/idfaq/trinoo.php
• http://www.pcmag.com/article2/0,2817,2381486,00.asp
• http://www.nytimes.com/2009/08/08/technology/internet/08twitter.html?_r=2&hpw