1. Presented By :
Sakshi Yadav (00915002712)
Soumya Bhatnagar (02315002712)
Khushboo Goyal (03515002712)
Jaskaran Singh (13315002712)
B.Tech (CSE)
UNDER THE GUIDANCE OF
MS. AMITA YADAV

2. * A network attack with a destructive motivation
disrupting a service of a victim by adding an excessively
high load to the victim’s services.
* When more than one system is put into use for
implementing the attack, it is known as a DDoS or
“Distributed” Denial of Service.
* These kinds of attacks can force even bigger websites
on the internet offline.

3. * In distributed reflection denial-of-service
(DRDoS) attacks, an adversary aims to
exhaust the victim’s bandwidth.
* The client machine fools other servers on
the internet into believing that the victim
is requesting data from the servers where
in fact it is the client spoofing his IP
address to that of the victim.

5. An attack can be amplified by using several protocols such
as DNS, NTP, SNMP, CharGen etc. which have some specific
commands that elicit a large response to a relatively
small request query.

6. The Amplification Factor
UDP-based Amplification Attacks
Protocol Bandwidth Amplification Factor
Classic SNMP 1700
NTP 556.9
CharGen 358.8
DNS up to 179
QOTD 140.3
Quake Network Protocol 63.9
BitTorrent 4.0 - 54.3
SSDP 30.8
Kad 16.3
SNMPv2 6.3
Steam Protocol 5.5
NetBIOS 3.8

7. OBJECTIVES
1. Constructing DNS Amplification attacks in testable environments to gauge all
possible adverse effects.
2. Designing countermeasures against the DNS Amplification attack along with
detailed analysis of the existing algorithms.
3. Constructing NTP Amplification attacks in testable environments to gauge all
possible adverse effects.
4. Designing countermeasures against the NTP Amplification attack along with detailed
analysis of the existing algorithms.
5. Constructing SNMP Amplification attacks in testable environments to gauge all
possible adverse effects.
6. Designing countermeasures against the SNMP Amplification attack along with
detailed analysis of the existing algorithms.

8. DNS Amplification Attack
Using DIG command to send ‘ANY’ type request

9. Capturing outgoing and incoming DNS packets using TCPDUMP
Size of the request packet : 39 bytes
Size of the response packet : 388 bytes
Amplification : 388/39 = approx 10 times the request

10. Network traffic in a system during DNS attack

11. NTP ATTACK
Sending monlist request to an NTP server by running python script which sends
response to spoofed IP address

12. Capturing outgoing NTP v2 packets using TCPDUMP
Size of the request packet is 8 bytes. In response to this 8 byte packet, a server
sends a record of last 600 IP addresses it has accessed. Hence, by using just 8
byte of request, one can generate a huge response.

13. *SNMP stands for Simple Network Management Protocol.
*‘getBulk’ query issues ‘getnext’ responses requests which requests instances from a
remote entity.

14. • function packet_handler(Packet p)
• {
• r = range including p.source_IP using binary
search
• if r not found then
• accept(p) and return
• q = queue of r
• if not q.empty or r.sent+p.size > r.limit then
• if q.size < q.max size then
• q.push(p)
• steel(p)
• else drop(p)
• else
• r.sent + = p.size
• accept(p)
• }
function timer_handler
{
for all ranges r do
r.sent=0; finished=false
q = queue of r
while not q.empty and not finished do
p=q.front()
if r.sent + p.size < r.limit then
send(p)
q.pop()
r.sent += p.size
else finished=true
}

15. SELF DESIGNED ALGORITHM
Input: Incoming packet msg from client
1. while (true)
2. receive msg
3. set tempBuf = msg
4. msg.checkSize(tempBuf)
5. if tempBuf.size > limit
6. set tbuf.Category=Large
7. else
8. set tbuf.Category=Small
9. end if
10. return(tbuf)
11. R=Random(low, high)
12. if(mbuf.bufferFull>FulfilmentLevel[i])
13. Flag=false
14. if(checkProbability(R,i) is true)
15. Flag=true
16. else
17. Tbuf is Queued into Mbuf
18. end if
19. If(flag is true)
20. Drop msg
21. tbuf=0
22. end if

16. Mitigation results
Client sending legitimate normal and large packets

17. Imitating server on windows
Server accepting legitimate packets with size within the limit and queuing bigger
size packets. It drops packets with probability less than a threshold value.

18. *Carried out the attacks in a testable
environment
*Proposed a defense mechanism to thwart the
ulterior motives and malicious intents of
attackers unleashing Distributed Reflection
Denial of Service attacks
*The model has been designed for DNS, NTP &
SNMP attacks

19. *