• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
DoS/DDoS
 

DoS/DDoS

on

  • 364 views

describes about DoS/DDoS attacks, popular methods of carrying the attack and some mitigation techniques.

describes about DoS/DDoS attacks, popular methods of carrying the attack and some mitigation techniques.

Statistics

Views

Total Views
364
Views on SlideShare
364
Embed Views
0

Actions

Likes
0
Downloads
38
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • 3 security objectives: IntegrityConfidentiality Availability. DoS targets availability.DoS is not used to gain unauthorized entry or information, just to mess it up.
  • Anonymous group did a DoS attack on MasterCard.com as a punishment for blockade of WikiLeaks bank transactions.

DoS/DDoS DoS/DDoS Presentation Transcript

  • Saikiran Boga (B10010) Vihari Piratla (B10030) Vivek Vishwakarma (B10038)
  •  Attack against availability  Not used to gain unauthorized entry, just to mess it up  Wikipedia: “In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.”  Targets are sites or services hosted on high-profile webserver such as banks, credit card payment gateways or even root nameservers
  •  Any attack against availability is Denial of Service attack  Distributed DoS attack is DoS attack using multiple systems simultaneously to flood the bandwidth or resources of a targeted system  Mount attack from single machine => DoS  Uses multiple compromised systems (for example botnets) => DDoS  DDoS is harder to track and shut down
  •  Anti-competition business practices  Register your dissent!  Richard Stallman has stated DoS is a form of „Internet Street Protest‟  Punishment for undesired actions  DoS attack in online games to retaliate your competitor
  •  A worm called MyDoom started propagating which had a real target in mind - www.sco.com.  Targeting Microsoft Windows, became fastest spreading e-mail worm, estimated one million computers around the world  By January 2004 rapid spread of worm slows overall internet performance by 10%, average webpage load time by 50%, and responsible for 1 in 10 e-mails at this time  As February 1 arrives millions infected computers launch a Denial Of Service (DOS) attack against SCO  SCO Group offered a reward of $250,000 for information leading to arrest the worm‟s creator  Damage and total cost estimates from MyDoom are still in progress, but CEI now estimates the total may exceed $ 4 billion, making it one of the most costly cyber attacks on record
  •  Two general form of DoS –  Those who crash services  Those who flood services
  •  Consumption of computational resources such as bandwidth, disk space or processor time  Disruption of configuration information such as routing information  Disrupting physical network component or obstructing communication media between the intended users and the victim  Most DoS attack involves IP address spoofing so location of the attacking machines cannot easily be identified  Etc.
  •  Internet control Message Protocol (ICMP) flood.  Distributed attack.  RUDY.  Unintentional Denial of Service.  Peer-to-peer attacks.
  •  A smurf attack is one particular variant of a flooding DoS attack on the public Internet.  Works on the mechanism of flooding the victim‟s bandwidth.  Relies on broadcasting or misconfigured devices.  Attacker sends large number of ICMP echo requests to a broadcast address.  All the messages sent to the broadcast address have the source address spoofed to that of the victims IP address.  All the reply messages target and flood the victim‟s address.
  •  Used in identifying misconfigured networks and take appropriate actions.  Similar attacks:  Ping flood: sending the victim large number of ping packets.  Ping of death: sending malformed packet leading to victims system crash.
  •  Multiple systems flooding the bandwidth or resources of a targeted system, usually a single server or multiple servers.  Result of multiple compromised systems(ex: a botnet) flooding the targeted system with traffic.  Stacheldraht tool is an example of DDoS.  Client program is used by the attacker to connect to handlers which are compromised systems.  These handlers are then used to send commands to zombie agents, which carry the DDoS attacks.
  • Advantages:  Multiple machines can generate more attack traffic than one machine.  Turning off multiple machines is harder compared to turning off a single machine.  Each machine attack may be a stealthier attack, making hard to track and shutdown.  Mere purchase of more bandwidth doesn‟t help, since the attacker can easily add more attack machines.
  •  Attacks web applications by starvation of available sessions on the web server.  Keeps sessions at halt using never-ending POST transmissions and sending arbitrarily large content length header value.  Similar to Slowloris  Keeps server busy with less resources.  Sends partial HTTP requests, and continues to send subsequent headers at regular intervals to keep sockets from closing.  Slow HTTP post: After the establishment of the connection through headers, the actual content is sent at very low rates, thus keeping the session open for prolonged time.
  •  Situation where a website ends up denied not due to a deliberate attack by a single individual or a group of individuals, but simple due to spike in popularity of the website or a particular resource.  Usually due to potentially hundreds of thousands of users clicking some particular link in a span of few hours, showing similar effect to that of a DDoS attack.  Occurs on a site that is less-prepared for to server large number of users.  Ex: Massive number of would-be youtube.com users accidentally typing utube.com
  •  Done through exploiting bugs in peer-to-peer servers.  Usually and most of the attacks exploit DC++.  Attacker doesn‟t need to communicate with the client it want to attack.  Attacker plays the role of a puppet master.  Instructs the clients in large peer-to-peer network to connect to the victims website.  Typically a webserver can handle few hundred connections before performance degrades.
  •  Server fails instantly under five or six connections per second.  Easy to identify using signatures, but the number of IP addresses to be blocked becomes huge.  Blocking through the use of signatures require the establishment of connection, then transfer of signature, detection of the signature and finally turning down the connection. Even this might utilize large number of resources.  Can be prevented by specifying the allowable ports.
  •  SYN flood  Permanent DoS attack  Applications level floods  Nuke  Slow Read Attack  Telephony DoS attack
  • • • • • Tough to detect, premises on the TCP response timeout calculation vulnerabilities. Selection of timeout has to balance between 1. If set too low then spurious retransmissions as packets doomed lost and 2. Set too high unnecessary wait long for a lost packet. minRTO was observed to be optimal at 1 sec [RFC2988] Shrew attack contains short pulses of outages that will effectively decrease the throughput and transmitting at the lowest possible speed.
  • • • • The throughput of such a attack is RL/T where R is the max capacity of the channel, L >RTT and T>minRTO, rtt is of order 10100ms and T is >= 1sec and hence lesser the RTT more effective the attack is. In general the channel capacity is reduced to 1/10 th. These are very tough to detect for their very nature of passiveness.
  • • Firewall can be a one stop solution for many of these attacks. • Firewall is the network filters which decides whether to allow or discard a packet. • Effectively written firewalls can be tolerant to aggressive attacks like SYN floods (connection-full firewalls). • Botnets can be detected with Passive OS finger priniting. • Running malware detection on the computer periodically can reduce the vulnerability.
  • • • Some stateful firewalls, like OpenBSD's pf packet filter, can act as a proxy for connections: the handshake is validated (with the client) instead of simply forwarding the packet to the destination. One basic obvious rule that should be made and works very well for some of the DoS attacks is to keep count for the number of requests from a single client arriving at a server, along with tracking of the state of the connection.
  • • • • SYN flood can be mitigated by setting up a SYN proxy which sits before the webserver and forward the request to the web server only when the ACK is received by the firewall. To make sure that firewall itself doesn't run out of resources we first do ping to see whether the address is up or exists, if exists then it lets the firewall wait for it, or else will just remove that address. Blacklisting the IP addresses can help in future processing of requests.
  • It is tough to detect the low rate DOS attacks with pattern detection, as they are not aggresive and look quite normal. • It is possible to detect this attack with some known patterns of packet acknowledgement. like shrew attack. • Many variants of TCP congestion protocol like TCP Tahoe and Reno, TCP vegas, TCP cubic. None resistant to this. Fair queuing in the routers, can recover 90% of the throughput. 1.
  • 1. Randomizing timeout: 1. 2. randomizing minRTO. (uniformly choosing minRTO between (a,b) ) changing it can affect the congestion, as 1 sec is an optimal value chosen. [RFC2988] RTO = max (minRTO, SRTT + max (G, 4RTTVAR)), RTO could be chosen uniformly at random from a range that depends upon minRTO and SRTT+ max (G, 4RTTVAR). For instance, we could choose RTO to be in the range between 80% and 120% of max (minRTO, SRTT + max (G, 4RTTVAR)). Doing this would imply that the timeouts at different times of a TCP session would be different. This could prevent the DoS attacker from ever