DoS Attack - Incident Handling
DoS Attack - Incident handling - A study case
  1. Information Security: Keeping our network and systems safe (The Health Clinic)
  2. Agenda: Information Security Incident Handling
     1 The Denial of Service attack
     2 Detection and Analysis
     3 Containment, Eradication, and Recovery
     4 Post-Incident Recovery
     5 Maintaining network security
  3. DoS: Denial of Service
     DoS does not stand for “Department of Something”!
     • DoS is a kind of information security attack on networks, systems and applications, carried out in order to make them unavailable to their legitimate users.
     • Some security threats affect Confidentiality; others impact the Integrity of information. DoS is about Availability.
     What is DoS all about? It is not about Confidentiality or Integrity; it is about Availability:
     • It is not about gaining unauthorized access to a system
     • It is not about corrupting data
     • It is not about cracking any password
  4. DoS: What happens when a DoS attack is going on?
     Networks
     • Network performance is compromised
     • Broadcasts are sent on the same frequencies as wireless devices
     • Network components are modified or destroyed
     Computers
     • OSs are crashed by receiving malformed TCP/IP packets
     • Servers establish too many simultaneous login sessions
     • Too many processor-intensive requests are made
     • Large files are created
     Applications
     • Applications crash from receiving illegal requests
     • Applications on the Web tier, Application tier and Data tier can be affected
  5. Distributed Denial of Service (DDoS): How does it work?
     1 DDoS Agents are installed on the hosts
     • Agents are installed on compromised hosts
     • They perform the attacks
     • They are also called “bots”
     • The set of hosts running bots is called a “botnet”
     2 The Handler instructs the DDoS Agents
     • The handler is a program that controls the agents
     • The handler says when to attack, what to attack and how to attack
     3 DDoS Agents attack the victim networks and hosts
     • Bots follow the instructions and attack the targeted victims
     • The bots could be pre-programmed to attack
     • The attacker can also communicate with the bots via IRC
  6. DDoS: The three types of DDoS attacks
     Reflector Attacks
     • A UDP-based service is used to attack
     • An intermediate host is used to attack the victim; the intermediate host is called the Reflector
     • The real source is hidden behind a spoofed address
     • Loops between Ports 7 (Echo) and 19 (Chargen)
     Amplifier Attacks
     • Also involve sending requests with a spoofed source address
     • Use a whole network of intermediate hosts
     • Use ICMP and UDP requests to broadcast addresses
     • E.g.: DNS recursive attack
     Flood Attacks
     • Use a large number of incomplete connection requests
     • Prevent new connections from being made
     • Examples: SYN Flood and peer-to-peer attacks
     • Can be carried out by sending UDP, ICMP and TCP packets
  7. Detection and Analysis: Precursors
     • Reconnaissance activity
       – Usually a low volume of traffic
       – Handlers could detect preparation for a DoS attack
       – Response: change the security implementation
     • Newly released DoS tool
       – Usually a low volume of traffic
       – Investigate the new tool and change the security controls
  8. Detection and Analysis: Indications
     • Network-based DoS against a host
     • Network-based DoS against a network
     • DoS against the Operating System
     • Layer 7 DoS attack, against an application/service
  9. Detection and Analysis: Additional Challenges
     • Tracing the source of attacks
     • The IP of the handler is not visible
     • False positive alerts
     • Server crashes and service outages resulting from attacks
  10. Containment, Eradication and Recovery: Performing containment, gathering and handling evidence for DoS incidents
     Containment for a DoS incident usually consists of STOPPING the DoS. It is not too easy!
     1 Stop the bleeding
     • Correct the Vulnerability
     • Implement Filtering based on the characteristics of the attack
     2 Try all possible solutions for containing a DoS attack
     • The ISPs are key partners against network-based DoS
     • Hide the target
     3 Eradication & Recovery: Clean up the house
  11. Post-incident Recovery: Corrective and Preventive actions
     • Hold a lessons learned meeting
     • Configure firewall rulesets to prevent reflector attacks
     • Configure border routers to prevent amplifier attacks
     • Implement/Configure NIDS and HIDS to detect DoS attacks
     • Create and maintain a multi-solution containment strategy
     • Separate critical services
     • Create a follow-up Report
  12. Maintaining network security: How can employees help maintain network security?
     • Only provide your username and password on certified websites
     • Don’t accept any kind of software installation through the Internet
     • Be aware of Social Engineering: email messages can be used for identity theft and phishing
     • Don’t click on suspicious email attachments
     • Prefer to use BCC when sending emails to multiple recipients
     • Emails are usually sent in clear-text format
     • Don’t forward any email chain letters
  13. References
     • Scarfone, K., Grance, T., & Masone, K. (2008). Computer Security Incident Handling Guide, NIST 800-61. Gaithersburg, MD: National Institute of Standards and Technology.
     • EC-Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.
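The three attack types on slide 6, the "network-based DoS against a host" indication on slide 8 and the NIDS detection action on slide 11, as an added Python example that is not part of the original deck: it classifies constructed flow records into reflector (Echo/Chargen loop), amplifier (requests to the broadcast address) and SYN-flood (many half-open connections to one host) patterns. The record layout, the sample flows, the monitored network 192.0.2.0/24 and the source-count threshold are assumptions made for this example.

```python
# Added example, not from the deck: classify constructed flow records into the
# DDoS patterns the slides list. Record fields, sample data, network and
# threshold are assumptions for this illustration.
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed monitored network
SYN_FLOOD_MIN_SOURCES = 3                          # assumed detection threshold

# Constructed flow records: (src, dst, proto, src_port, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "UDP", 7, 19, ""),       # echo <-> chargen loop
    ("198.51.100.7", "192.0.2.255", "ICMP", 0, 0, ""),      # ping to broadcast
    ("203.0.113.1", "192.0.2.20", "TCP", 40001, 443, "S"),   # SYN, never completed
    ("203.0.113.2", "192.0.2.20", "TCP", 40002, 443, "S"),
    ("203.0.113.3", "192.0.2.20", "TCP", 40003, 443, "S"),
    ("203.0.113.9", "192.0.2.30", "TCP", 40004, 443, "SA"),  # normal handshake
]


def classify_flows(flows, net=LOCAL_NET, syn_min=SYN_FLOOD_MIN_SOURCES):
    """Return a sorted list of (pattern, victim_ip) findings."""
    findings = set()
    syn_sources = defaultdict(set)  # victim -> distinct sources sending SYN only
    for src, dst, proto, sport, dport, flags in flows:
        dst_ip = ipaddress.ip_address(dst)
        if proto == "UDP" and {sport, dport} == {7, 19}:
            # Reflector: UDP bouncing between Echo (7) and Chargen (19)
            findings.add(("reflector", dst))
        elif proto in ("ICMP", "UDP") and dst_ip == net.broadcast_address:
            # Amplifier: one request to the broadcast address, many replies
            findings.add(("amplifier", dst))
        elif proto == "TCP" and flags == "S":
            # SYN without ACK: an incomplete connection request
            syn_sources[dst].add(src)
    for dst, sources in syn_sources.items():
        if len(sources) >= syn_min:
            # Flood: many incomplete connections from many sources to one host
            findings.add(("syn-flood", dst))
    return sorted(findings)


if __name__ == "__main__":
    for pattern, victim in classify_flows(SAMPLE_FLOWS):
        print(f"{pattern:10s} targeting {victim}")
```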