Ddos attack definitivo

  1. CyBerwar and Intelligence, Fall 2011. DDoS Attack. Claudia Plantera, I30033, 2011.11.18
  2. Outline: Definitions; Types of Attack; Victims and Effects; Case Studies; Defense
  3. Definitions
  4. Malware: “Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.”
  5. Virus: “a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a CD. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect and some can be quite harmful, erasing data or causing your hard disk to require reformatting”
  6. Worms: “Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.”
  7. Trojan: “It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.”
  8. Bot: “"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet."”
  9. Denial of Service (DoS) Attack: “an attempt to make a computer resource run out and make it unavailable to its intended users”
  10. DDoS Attack
      • DoS attack: the attacker mounts an attack from a single host.
      • DDoS attack: the attacker uses many systems to launch attacks simultaneously against a remote host.
  11. Zombie Computer: a computer connected to the Internet that has been compromised by a cracker, a computer virus or a trojan and can be used to perform malicious tasks of one sort or another under remote direction. Using zombies amplifies the attack in three ways:
      • the rate of packets
      • the size of packets
      • the difficulty of tracing an attack back to the initiating attacker
  12. Attack
  13. General Attack Classification
      • Bandwidth attack: intended to overflow and consume the resources available to the victim.
      • Logic attack: attempts to exploit a design flaw in a software program.
      • Protocol attack: takes advantage of the inherent design of a protocol.
  14. DoS Attack
  15. Smurf Attack
      • The attacker sends a huge amount of ICMP Echo Requests to the victim.
      • Once network links become overloaded, all legitimate traffic will be slowed or stopped.
      • Uses bandwidth consumption to disable a victim's network resources, using amplification of the attacker's bandwidth.
  16. The Fraggle
      • Similar concept to ICMP flooding.
      • The network is slowed to the point where all valid connections are stopped.
      • Achieves a smaller amplification factor.
  17. SYN Flood: the TCP three-way handshake
      – the client sends a SYN packet to the server
      – the server sends a SYN-ACK back to the client
      – the client sends an ACK back to the server to complete the three-way handshake and establish the connection
  18. SYN Flood
      • The attack occurs by the attacker initiating a TCP connection to the server with a SYN (using a legitimate or spoofed source address).
      • The server replies with a SYN-ACK.
      • The client then doesn't send back an ACK, causing the server to allocate memory for the pending connection and wait.
      • The half-open connections buffer on the victim server will eventually fill.
      • The system will be unable to accept any new incoming connections until the buffer is emptied out.
      • There is a timeout associated with a pending connection, so the half-open connections will eventually expire.
      • The attacking system can continue requesting new connections faster than the victim system can expire the pending connections.
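As an added illustration (not part of the slides), the following constructed simulation replays the half-open connection table the slide describes: SYNs that are never completed occupy the buffer until the timeout, and a legitimate client is refused while it is full. The backlog size, the timeout and the trace are assumed values chosen so the effect is visible.

```python
# Added example (not from the slides): replay of a server's half-open connection table
# under a SYN flood. Backlog size, timeout and the trace are constructed values.
BACKLOG = 4      # half-open connections the server will hold (tiny, so the effect shows)
TIMEOUT = 3.0    # seconds before a pending connection expires

# Constructed trace of (time, source, flag): "S" = client SYN, "A" = client's final ACK.
# The server's SYN-ACK is implicit. The 203.0.113.x sources never send the ACK.
TRACE = [
    (0.0, "10.0.0.1", "S"), (0.1, "10.0.0.1", "A"),        # normal handshake completes
    (1.0, "203.0.113.1", "S"), (1.1, "203.0.113.2", "S"),  # spoofed SYNs, never ACKed
    (1.2, "203.0.113.3", "S"), (1.3, "203.0.113.4", "S"),  # ... buffer is now full
    (2.0, "10.0.0.2", "S"),                                # legitimate client: refused
    (4.25, "203.0.113.5", "S"),                            # refill as old entries expire
    (5.0, "10.0.0.3", "S"), (5.1, "10.0.0.3", "A"),        # accepted after more expire
]

def replay(trace, backlog=BACKLOG, timeout=TIMEOUT):
    """Return (peak_half_open, refused_sources, completed_sources) for a trace."""
    pending = {}                  # source -> time its SYN arrived (memory the server holds)
    refused, completed = [], []
    peak = 0
    for t, src, flag in trace:
        # Expire entries older than the timeout: the only relief the server gets.
        for s in [s for s, t0 in pending.items() if t - t0 >= timeout]:
            del pending[s]
        if flag == "S":
            if len(pending) >= backlog:
                refused.append(src)          # buffer full: the new SYN is dropped
            elif src not in pending:
                pending[src] = t
        elif flag == "A" and src in pending:
            del pending[src]                 # handshake finished, entry released
            completed.append(src)
        peak = max(peak, len(pending))
    return peak, refused, completed

def refill_rate(backlog=BACKLOG, timeout=TIMEOUT):
    """SYNs per second needed to keep the buffer permanently full: backlog / timeout.
    This is the 'faster than the victim can expire' condition from the slide."""
    return backlog / timeout

if __name__ == "__main__":
    print(replay(TRACE))        # (4, ['10.0.0.2'], ['10.0.0.1', '10.0.0.3'])
    print(refill_rate())        # 4/3 SYN per second keeps this tiny buffer full
```

Real backlogs are thousands of entries with timeouts of tens of seconds, so the same arithmetic gives the modest packet rate a flood needs and explains why servers shorten the timeout or avoid storing state (SYN cookies) instead of simply enlarging the buffer.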
  19. DDoS Attack
  20. How it works
      • The attacker recruits multiple zombie machines.
      • Zombie computers send the attack packets and recruit other machines.
      • The identity of the subverted machine is hidden through spoofing of the source address field in the attack packets.
  21. TrinOO
      • Affects Windows and many Unix OSs.
      • Attacker scans for exploits, gains root, and downloads Trin00 programs.
      • Attacker -> Master -> Daemon hierarchy (One -> More -> Many).
      • Attacker can telnet into a Master to initiate commands, which are distributed amongst its Daemons.
      • Communication between Master and Daemon goes through a password-protected cleartext UDP-based protocol.
      • Daemons attack the target with a UDP or TCP packet bombardment.
  22. Other attacks
      • TFN and TFN2k: Smurf attack, the Fraggle, SYN flood, or all three at once.
      • Stacheldraht: Smurf attack, the Fraggle, SYN flood; encrypted communication between the attacker and the Masters; the Agents can upgrade their code automatically.
  23. Victim & Damage
  24. General Victim Classification
      • Application: exploit some feature of a specific application in order to make the use of the resource impossible.
      • Host: access to the target machine is impossible because its communication mechanisms are overloaded or disabled.
      • Network: the incoming bandwidth of the target network is consumed.
      • Infrastructure: target some distributed service that is crucial for global Internet operation or for the operation of a subnetwork.
  25. Symptoms
      • Unusually slow network performance
      • Unavailability of a particular web site
      • Inability to access any web site
      • Dramatic increase in the number of spam emails
  26. Motivation
      • Material gain
      • Personal reasons (revenge)
      • Fame
      • Political reasons
  27. Damage
      • Disruptive: deny the victim's service to its clients. In the case of recoverable attacks, the victim can recover as soon as the influx of the attack is stopped, but if it is non-recoverable it requires some human intervention.
      • Degrade: degrade some portion of a victim's resources. Since this kind of attack doesn't lead to total service disruption, it could remain undetected for a significant period of time.
  28. Case Studies
  29. Estonia
      • Dispute with Russia over the removal of a Soviet-era war memorial, a giant bronze soldier statue, from the center of Tallinn.
      • The botnet fooled Estonian network routers into continuously resending useless packets of information to one another, rapidly flooding the infrastructure used to conduct all online business in the country.
      ● Bank websites became unreachable, paralyzing most of Estonia's financial activity.
      ● Press sites also came under attack, in an attempt to disable news sources.
      ● ISPs were overwhelmed, blacking out Internet access for significant portions of the population.
      ● NATO established the alliance's cyber defense research center in Tallinn in 2008.
      ● Motivated Estonia to call on the European Union to make cyber attacks a criminal offense.
  30. Georgia
      • In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack was directed first at the website of the Georgian president.
      • Several Russian blogs, forums, and websites spread a Microsoft Windows batch script that was designed to attack Georgian websites.
      • The effect was that Georgians could not connect to any outside news or information sources and could not send email out of the country. The aim of the attack was to prevent Georgians from learning what was going on.
      • Georgia's banking operations were paralyzed. Credit card systems shut down, followed by the mobile phone system.
  31. Defence
  32. Main Problem: Zombie Computers
      • Patches for software defects that were reported and fixed months ago are never installed.
      • Anti-virus tools are not kept up to date.
      • Computer owners give away control of their computers by indiscriminately running unknown programs.
  33. Local Solutions
      • Local filtering: the victim can try to stop the infiltrating IP packets on the local router by installing a filter to detect them.
      • Changing IPs: system administrators must make a series of changes to lead the traffic to the new IP address; once the IP change is completed, all Internet routers will have been informed and edge routers will drop the attacking packets.
      • Creating client bottlenecks: the aim is to create a bottleneck process on the zombie computers, such as solving a puzzle or requiring the attacking computer to answer a random question before establishing the connection. In this way the attacking ability is limited, because those strategies consume computational power, limiting the attacker in the number of connection requests it can make at the same time.
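One concrete form of the "client bottleneck" above is a hash-based client puzzle. The following is an added example, not code from the slides: the puzzle format (SHA-256 over a random challenge plus a nonce, with a required number of leading zero bits) and the difficulty are assumptions; the point is the asymmetry, where the server spends one hash per check while each connection request costs the client about 2^difficulty hashes.

```python
# Added example (not from the slides): a hash-based client puzzle, one concrete form of
# the "client bottleneck" defence. Puzzle format, SHA-256 and the difficulty are assumptions.
import hashlib
import os

def issue_challenge(difficulty_bits: int = 12):
    """Server side: a fresh random challenge the client must work on; costs nothing to make."""
    return os.urandom(16), difficulty_bits

def verify(challenge: bytes, difficulty_bits: int, nonce: int) -> bool:
    """Server side: exactly one SHA-256 per check, however many requests arrive."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    leading_zero_bits = len(digest) * 8 - int.from_bytes(digest, "big").bit_length()
    return leading_zero_bits >= difficulty_bits

def solve(challenge: bytes, difficulty_bits: int):
    """Client side: brute-force search; on average 2**difficulty_bits hashes of work.
    Returns (nonce, hashes_spent) so the asymmetry can be measured."""
    nonce = 0
    while not verify(challenge, difficulty_bits, nonce):
        nonce += 1
    return nonce, nonce + 1

def connection_cost(difficulty_bits: int) -> int:
    """Expected hashes a client must spend per connection request; raising the
    difficulty under load is what limits how many requests a zombie can make at once."""
    return 2 ** difficulty_bits

if __name__ == "__main__":
    challenge, bits = issue_challenge()
    nonce, spent = solve(challenge, bits)
    assert verify(challenge, bits, nonce)
    print(f"client spent {spent} hashes, server spent 1; expected about {connection_cost(bits)}")
```

Puzzles only bound sources that actually fetch and solve the challenge; a flood of spoofed SYNs never reaches this step, so the bottleneck complements filtering rather than replacing it.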
  34. Global Solutions: improving the security of the entire Internet
      • The victim can try to stop the infiltrating IP packets on the local router by installing a filter to detect them.
      • Using globally coordinated filters to prevent the accumulation of a critical mass of attacking packets in time: a victim can send information that it has detected an attack, and the filters can stop attacking packets earlier, preventing the attack from spreading.
      • Tracing the source IP address, to trace the intruder's path back to the zombie computers and stop their attacks.
  35. Thank you