DOS Attack PPT
1. Denial of Service Attacks
2. What Are DDoS Tools?
Clog victim’s network.
Use many sources (“daemons”) for attacking traffic.
Use “master” machines to control the daemon attackers.
At least 4 different versions in use: TFN, TFN2K, Trinoo, Stacheldraht.
A denial-of-service (DoS) attack aims at disrupting the authorized use of networks, systems, or applications by sending messages that exhaust the service provider’s resources (network bandwidth, system resources, application resources)
Distributed denial-of-service (DDoS) attacks employ multiple (dozens to millions) compromised computers to perform a coordinated and widely distributed DoS attack
Victims of (D)DoS attacks
service-providers (in terms of time, money, resources, good will)
legitimate service-seekers (deprived of availability of service itself)
Zombie systems (the penultimate and earlier layers of compromised systems in a DDoS)
4. Analyzing the goal of DoS attacks
A (D)DoS attack differs in its goal: iWar, in short
Just deny availability
Can work on any port left open
No intention for stealing/theft of information
Although, in the process of denying service to/from the victim, zombie systems may be hijacked
5. Who? What for?
The ulterior motive
Earlier attacks were proofs of concepts or simple pranks
Feeling of pseudo-supremacy (for the perpetrators) from denying services on a large scale to ordinary people
DoS attacks on Internet chat channel moderators
Major lack of data on perpetrators and motives
Levels of attackers
Highly proficient attackers who are rarely identified or caught
6. Why should we care?
As per 2006 CSI/FBI Computer Crime and Security Survey
25% of respondents faced some form of DoS attack in the previous 12 months. This value has varied between 25% and 40% over the course of time
DoS attacks are the 5th most costly form of attacks
A DoS attack is not just missing out on the latest sports scores or Tweets or weather reports
Internet is now a critical resource whose disruption has financial implications, or even dire consequences on human safety
Cybercrime and cyberwarfare might use DoS or DDoS as a potential weapon to disrupt or degrade critical infrastructure
DDoS attacks are a major threat to the stability of the Internet
7. Fast facts
In Feb 2000, a series of massive DoS attacks incapacitated several high-visibility Internet e-commerce sites, including Yahoo, eBay and E*Trade
In Jan 2001, Microsoft’s name server infrastructure was disabled
98% of legitimate users could not reach any of Microsoft’s servers
In Sept 2001, an attack by a UK-based teenager on the Port of Houston’s Web server made weather and scheduling information unavailable
No ships could dock at the world’s 8th busiest maritime facility due to lack of weather and scheduling information
Entire network performance was affected
In Oct 2002, all Domain Name System servers were attacked
Attack lasted only an hour
9 of the 13 servers were seriously affected
In Aug 2009, the attack on Twitter and Facebook
8. How They Talk
Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication.
TFN: attacker uses shell to invoke master; masters and daemons use ICMP ECHO REPLY.
Stacheldraht: attacker uses encrypted TCP connection to master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update.
9. Deploying DDOS
Attackers seem to use standard, well-known holes (e.g., rpc.ttdbserver, amd, rpc.cmsd, rpc.mountd, rpc.statd).
They appear to have “auto-hack” tools – point, click, and invade.
Lesson: practice good computer hygiene.
10. Detecting DDOS Tools
Most current IDSs detect the current generation of tools.
They work by looking for DDOS control messages.
Naturally, these will change over time; in particular, more such messages will be properly encrypted. (A hacker PKI?)
11. What are the Strong Defenses?
There aren’t any…
12. What Can ISPs Do?
Deploy source address anti-spoof filters (very important!).
Turn off directed broadcasts.
Develop security relationships with neighbor ISPs.
Set up mechanism for handling customer security complaints.
Develop traffic volume monitoring techniques.
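An added Python example (not from the original deck) of the first two ISP measures on this slide, an ingress anti-spoof filter and a directed-broadcast check; the interface table, prefixes and packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table (not from the deck): the source prefixes that may
# legitimately arrive on each customer interface, and the subnet attached to it.
INTERFACES = {
    "cust-A": {"allowed": [ip_network("198.51.100.0/24")],
               "attached": ip_network("198.51.100.0/24")},
    "cust-B": {"allowed": [ip_network("192.0.2.0/25")],
               "attached": ip_network("192.0.2.0/25")},
}

def filter_packet(ingress, src, dst, interfaces=INTERFACES):
    """Return 'forward' or a drop reason for one packet arriving on `ingress`."""
    src, dst = ip_address(src), ip_address(dst)
    table = interfaces[ingress]
    # Source-address anti-spoof filter: a customer interface may only send
    # packets whose source lies inside that customer's own prefixes.
    if not any(src in net for net in table["allowed"]):
        return "drop: spoofed source"
    # Directed broadcast: the destination is the broadcast address of a subnet
    # attached to some other interface, i.e. a broadcast triggered remotely.
    broadcasts = {i["attached"].broadcast_address: name
                  for name, i in interfaces.items()}
    if dst in broadcasts and broadcasts[dst] != ingress:
        return "drop: directed broadcast"
    return "forward"

def filter_all(packets):
    """Apply the filter to a list of (ingress, src, dst) tuples."""
    return [filter_packet(*p) for p in packets]

# Constructed sample packets: legitimate, spoofed, and a directed broadcast.
SAMPLE = [
    ("cust-A", "198.51.100.5", "203.0.113.10"),
    ("cust-A", "192.0.2.10",   "203.0.113.10"),
    ("cust-A", "198.51.100.5", "192.0.2.127"),
]
```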
13. Traffic Volume Monitoring
Look for too much traffic to a particular destination.
Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
Can we automate the tools – too many queue drops on an access router will trigger source detection?
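An added Python example (not from the deck) of the automation this slide asks about: queue drops on an access line trigger per-destination accounting, which then names the border interfaces carrying the flood. The flow records, drop counters, threshold and median baseline are constructed assumptions.

```python
from collections import defaultdict
# Constructed flow records (not from the deck): one per sampled flow seen at a
# border router, as (router, ingress_interface, src, dst, bytes).
FLOWS = [
    ("border-1", "peer-A", "198.51.100.7",   "203.0.113.10", 900_000),
    ("border-1", "peer-A", "198.51.100.9",   "203.0.113.10", 850_000),
    ("border-2", "peer-B", "192.0.2.44",     "203.0.113.10", 1_200_000),
    ("border-2", "peer-C", "192.0.2.80",     "203.0.113.25", 40_000),
    ("border-1", "peer-A", "198.51.100.3",   "203.0.113.25", 30_000),
    ("border-2", "peer-B", "192.0.2.51",     "203.0.113.10", 950_000),
    ("border-1", "peer-C", "198.51.100.200", "203.0.113.77", 50_000),
]
# Constructed queue-drop counters per access-router line for the last interval.
QUEUE_DROPS = {"access-7/line-3": 12_400, "access-7/line-4": 15}
DROP_THRESHOLD = 5_000          # assumed trigger level

def access_lines_under_pressure(drops, threshold=DROP_THRESHOLD):
    """Access lines whose queue drops exceed the threshold (the trigger)."""
    return sorted(line for line, n in drops.items() if n > threshold)

def bytes_per_destination(flows):
    totals = defaultdict(int)
    for _, _, _, dst, nbytes in flows:
        totals[dst] += nbytes
    return dict(totals)

def hot_destinations(flows, factor=5.0):
    """Destinations receiving more than `factor` times the median destination
    load; the median is an assumed stand-in for a learned baseline."""
    totals = bytes_per_destination(flows)
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    return sorted(dst for dst, b in totals.items() if b > factor * median)

def ingress_breakdown(flows, dst):
    """Where traffic for dst enters: (router, interface) -> bytes, largest
    first. This is the 'look for it at your border routers' step."""
    per_ingress = defaultdict(int)
    for router, iface, _, d, nbytes in flows:
        if d == dst:
            per_ingress[(router, iface)] += nbytes
    return dict(sorted(per_ingress.items(), key=lambda kv: -kv[1]))

def investigate(flows, drops):
    """Drops on an access line trigger per-destination accounting, which then
    names the border interfaces carrying the flood (source detection)."""
    if not access_lines_under_pressure(drops):
        return {}
    return {dst: ingress_breakdown(flows, dst) for dst in hot_destinations(flows)}
```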
14. Can We Do Better Some Day?
ICMP Traceback message.
Enhance newer congestion control techniques, i.e., RED.
Warning – both of these are untested ideas. The second is a research topic.
15. ICMP Traceback
For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
Net traffic increase at the endpoint is about 0.1% -- probably acceptable.
Issues: authentication, loss of traceback packets, load on routers.
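An added Python simulation (not from the deck) of the ICMP Traceback idea on this slide: each router samples about 1 in 20,000 packets and reports its previous hop to the destination, which chains the reports into a path. Router names, the ingress-edge label and the traceback-loss parameter are constructed; the 0.1% figure follows from about 20 hops at that rate.

```python
import random

SAMPLE_INTERVAL = 20_000   # the deck's rate: about 1 packet in 20,000 is traced

def expected_overhead(hops, interval=SAMPLE_INTERVAL):
    """Fraction of extra packets the victim sees: every router on the path adds
    one traceback message per sampled packet, so 20 hops give about 0.1%."""
    return hops / interval

def forward_with_traceback(path, n_packets, interval=SAMPLE_INTERVAL,
                           tb_loss=0.0, seed=None):
    """Simulate n_packets from an unknown source crossing the routers in
    `path`. Each router independently samples packets and emits a traceback
    message (router, previous_hop) towards the destination. Traceback messages
    are themselves lost with probability tb_loss (one of the slide's issues).
    Returns the messages that reached the destination."""
    rng = random.Random(seed)
    received = []
    prev = "ingress-edge"   # hop before the first router; unknown to the victim
    for router in path:
        for _ in range(n_packets):
            if rng.random() * interval < 1.0 and rng.random() >= tb_loss:
                received.append((router, prev))
        prev = router
    return received

def reconstruct_path(messages):
    """Victim side: chain previous-hop reports into an ordered path. Spoofed
    source addresses do not matter, because routers report the neighbour they
    really received the packet from."""
    prev_of = {router: prev for router, prev in messages}
    # the last hop is the only router that nobody reports as a previous hop
    tail = [r for r in prev_of if r not in prev_of.values()]
    if len(tail) != 1:
        return []           # no messages, or a gap that leaves the chain broken
    path = [tail[0]]
    while path[-1] in prev_of:
        path.append(prev_of[path[-1]])
    return path[::-1]       # from the attacker-side edge to the victim's last hop
```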
16. Enhanced Congestion Control
Define an attack as “too many packet drops on a particular access line”.
Send upstream node a message telling it to drop more packets for this destination.
Traditional RED+penalty box works on flows; this works on destination alone.
Issues: authentication, fairness, effect on legitimate traffic, implementability, etc.
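An added Python model (not from the deck) of the destination-based pushback on this slide: an access line attributes its drops per destination, asks the upstream node to shed traffic for the one over threshold, and the same thinning hits the victim's legitimate clients. All loads, capacities and thresholds are constructed.

```python
LINE_CAPACITY = 10_000          # packets the access line drains per interval
DROP_THRESHOLD = 1_000          # "too many packet drops" for one destination

# Constructed offered load per destination behind one access line:
# a flooded victim and an unrelated customer sharing the same line.
OFFERED = {"203.0.113.10": 30_000, "203.0.113.25": 1_000}

def access_line(offered, capacity=LINE_CAPACITY, threshold=DROP_THRESHOLD):
    """Return (drops per destination, pushback requests). A FIFO queue drops
    in proportion to load, so drops are attributed per destination afterwards;
    a destination whose drops pass the threshold becomes a request to the
    upstream node to shed traffic for it."""
    total = sum(offered.values())
    if total == 0:
        return {}, {}
    excess = max(0, total - capacity)
    drops = {d: round(excess * load / total) for d, load in offered.items()}
    requests = {d: n for d, n in drops.items() if n > threshold}
    return drops, requests

def upstream_node(offered, requests, capacity=LINE_CAPACITY):
    """Honour each request by limiting that destination to whatever the access
    line can still carry once the other destinations are served."""
    limited = dict(offered)
    for dst in requests:
        others = sum(v for d, v in offered.items() if d != dst)
        limited[dst] = min(offered[dst], max(0, capacity - others))
    return limited

def pushback_round(offered):
    """One access-line -> upstream exchange: detect, request, re-measure."""
    drops, requests = access_line(offered)
    after = upstream_node(offered, requests)
    drops_after, _ = access_line(after)
    return {"requests": requests, "offered_after": after,
            "drops_after": drops_after}

def legitimate_share(legit_pkts, before, after):
    """Destination-based limiting cannot separate attack packets from the
    victim's genuine clients: both are thinned by the same ratio."""
    return round(legit_pkts * after / before)
```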