This document discusses distributed denial of service (DDoS) attacks. It begins with an introduction that defines DDoS attacks as attempts to make an online service unavailable by overwhelming it with traffic from multiple compromised sources. The document then covers the basics of DDoS attacks, common symptoms, how they work by exploiting vulnerabilities in systems to create botnets for launching attacks, and various methods like ICMP floods and SYN floods. It also discusses ways to handle DDoS attacks through defenses like firewalls, switches, and routers. The document concludes with preventative and reactive defense mechanisms to detect and respond to attacks.

1. DDOS ATTACKS
Presented By –
Shaurya Gogia
1120562
CO-4

2.  Introduction
 Basics
 Symptoms
 Working
 Methods
 Handling
 Defense Mechanisms
 Bibliography
FLOW OF PRESENTATION

3. • Short for Denial-of-Service, DoS attack is a type of attack on a network that is designed to
bring the network to its knees by flooding it with useless traffic.
• As quoted by NIST Computer Security Incident Handling Guide, “A Denial of Service (DoS) is
an action that prevents or impairs the authorised use of networks, systems, or applications, by
exhausting resources such as Central Processing Units (CPU), memory bandwidth and disk
space.”
INTRODUCTION
1/20

4. • A Distributed Denial of Service (DDoS) attack is an attempt to make an online service
unavailable by overwhelming it with traffic from multiple sources.
• It is one in which a multitude of compromised systems attack a single target, thereby
causing denial of service for users of the targeted system.
• The flood of incoming messages to the target system essentially forces it to shut down,
thereby denying service to the system to legitimate users.
INTRODUCTION
2/20

5. BASICS
• DoS vs DDoS
DoS: when a single host attacks
DDoS: when multiple hosts attacks simultaneously
• The resources which can be attacked are network bandwidth, system resources, application
resources.
• The motives for DDoS consists of efforts to temporarily interrupt services of a host connected
to the Internet.
• The first demonstrated DDoS attack was introduced by well known hacker Khan C. Smith
during a 1998 illegal DEF CON event, which is the world’s largest annual hacker conventions.
3/20

6. SYMPTOMS
The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of
denial-of-service attacks to include:
• Unusually slow network performance
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received - (known as e-mail bomb)
• Disconnection of a wireless or wired internet connection
• Long term denial of access to the web or any internet services
4/20

7. WORKING
• In a typical DDoS attack, the assailant begins by exploiting a vulnerability in one
computer system and making it the DDoS master.
• The attack master, also known as the botmaster, identifies and infects other vulnerable
systems with malware i.e. programs which are known as attack tools. These systems are
known as zombies.
• Many zombies together form what we call an army.
• Eventually, the assailant instructs the controlled machines to launch an attack against a
specified target.
5/20

8. 6/20
WORKING

9. • How to find Vulnerable Machines?
1. Random scanning:
infected machines probes IP addresses randomly and finds vulnerable machines and
tries to infect it
creates large amount of traffic
spreads very quickly but slows down as time passes
2. Hit-list scanning:
attacker first collects a list of large number of potentially vulnerable machines before
start scanning
once found a machine attacker infects it and splits the list giving half of the list to the
compromised machine
same procedure is carried for each infected machine.
all machines in the list are compromised in a short interval of time without generating
significant scanning traffic
3. Topological scanning:
uses information contained on the victim machine in order to find new targets
looks for URLs in the disk of a machine that it wants to infect
extremely accurate with performance matching the Hit-list scanning technique
WORKING
7/20

10. WORKING
• How to find Vulnerable Machines?
4. Local subnet scanning:
acts behind a firewall
looks for targets in its own local network
can be used in conjunction with other scanning mechanisms
creates large amount of traffic
5. Permutation scanning:
all machines share a common pseudorandom permutation list of IP addresses
based on certain criteria it starts scanning at some random point or sequentially
coordinated scanning with extremely good performance
randomization mechanism allows high scanning speeds
can be used with hit-list scanning to further improve the performance (partitioned
permutation scanning)
8/20

11. WORKING
• How to propagate Malicious Code?
1. Central source propagation:
this mechanism commonly uses HTTP, FTP, and Remote Procedure Call (RPC)
protocols.
9/20

12. • How to propagate Malicious Code?
2. Back-chaining propagation:
copying attack toolkit can be supported by simple port listeners or by full intruder-
installed Web servers, both of which use the Trivial File Transfer Protocol (TFTP).
WORKING
10/20

13. WORKING
• How to propagate Malicious Code?
3. Autonomous propagation:
transfers the attack toolkit to the newly compromised system at the exact moment
that it breaks into that system
11/20

14. • How to perform DDoS?
 After constructing the attack network, intruders use handler (master) machines to
specify type of attack and victim’s address
 They wait for appropriate time to start the attack
1. either by remotely activating the attack to “wake up” simultaneously
2. or by programming ahead of time
 The agent machines (slaves) then begin sending a stream of attack packets to the victim
 The victim’s system is flooded with useless load and exhaust its resources
 The legitimate users are denied services due to lack of resources
 The DDoS attack is mostly automated using specifically crafted attacking tools like
Fapi, Trinoo, Tribe Flood Network (TFN & TFN2K), Mstream, Omega, Trinity,
Derivatives, myServer, and Plague etc.
WORKING
12/20

15. 13/20

16. METHODS
1. Internet Control Message Protocol (ICMP) Flood
• relies on misconfigured network devices that allow packets to be sent to all computer hosts
on a particular network via the broadcast address of the network
• the perpetrators will send large numbers of IP packets with the source address faked to
appear to be the address of the victim.
• the network's bandwidth is quickly used up, preventing legitimate packets from getting
through to their destination.
• Also known as Smurf Attack.
2. SYN Flood
• occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address
• Each of these packets is handled like a connection request, causing the server to spawn
a half-open connection
• These half-open connections saturate the number of available connections the server is able
to make
14/20

17. METHODS
3. Teardrop attacks
• send mangled IP fragments with overlapping, over-sized payloads to the target machine
• can crash various operating systems because of a bug in their TCP/IP fragmentation re-
assembly code
4. Peer-to-peer attacks
• there is no botnet and the attacker does not have to communicate with the clients it subverts
• the attacker acts as a "puppet master," instructing clients of large peer-to-peer file
sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's
website instead
• several thousand computers may aggressively try to connect to a target website
15/20

18. HANDLING
1. Firewalls
• Firewalls can be set up to have simple rules such as to allow or deny protocols, ports or IP
addresses
• Simple attacks can be handled by simple rules but not complex attacks.
2. Switches
• Most switches have some rate-limiting and ACL capability
• Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed
binding (TCP splicing),deep packet inspection and Bogon filtering (bogus IP filtering) to
detect and remediate denial-of-service attacks through automatic rate filtering and WAN
Link failover and balancing
3. Routers
• Routers have some rate-limiting and ACL capability.
• They are manually set.
16/20

19. 4. Application front end hardware
• intelligent hardware placed on the network before traffic reaches the servers
• analyzes data packets as they enter the system, and then identifies them as priority, regular, or
dangerous
5. DDS based defense
• DoS Defense System (DDS) is able to block connection-based DoS attacks and those with
legitimate content but bad intent.
• can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based
attacks (such as ICMP floods and SYN floods)
HANDLING
17/20

20. DEFENSE MECHANISMS
1. Preventive defense
• try to eliminate the possibility of DDoS attacks altogether
• enable potential victims to endure the attack without denying services to
legitimate clients
• hosts should guard against illegitimate traffic from or toward the machine.
• keeping protocols and software up-to-date
• regular scanning of the machine to detect any "anomalous" behavior
• monitoring access to the computer and applications, and installing security
patches, firewall systems, virus scanners, and intrusion detection systems
automatically
• sensors to monitor the network traffic and send information to a server in order to
determine the "health" of the network
18/20

21. 2. Reactive defense or Early Warning Systems
• try to detect the attack and respond to it immediately
• they restrict the impact of the attack on the victim
• there is the danger of characterizing a legitimate connection as an attack
• The main detection strategies are
1. Signature detection
search for patterns (signatures) in observed network traffic that match known
attack signatures from a database
easily and reliably detect known attacks, but they cannot recognize new attacks
the signature database must always be kept up-to-date in order to retain the
reliability of the system
2. Anomaly detection
compare the parameters of the observed network traffic with normal traffic
new attacks can be detected
in order to prevent a false alarm, the model of "normal traffic" must always be
kept updated and the threshold of categorizing an anomaly must be properly
adjusted
3. Hybrid systems
combine both these methods
update the signature database with attacks detected by anomaly detection
an attacker can fool the system by characterizing normal traffic as an attack i.e. an
Intrusion Detection System (IDS) becomes an attack tool
DEFENSE MECHANISMS
19/20

22. BIBLIOGRAPHY
• “Distributed Denial of Service Attacks”, The Internet Protocol Journal - Volume 7,
Number 4 by Charalampos Patrikakis, Michalis Masikos, and Olga Zouraraki
National Technical University of Athens
• www.google.com
• www.wikipedia.com
• http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack
• http://www.digitalattackmap.com/understanding-ddos
• www.arbornetworks.com
20/20

23. THANK YOU !