ddos attack definitivo

Post on 18-Nov-2014


DDoS Attack

Claudia Plantera

I300332011.11.18

CyBerwar and Intelligence

Fall 2011

Outline

• Definitions
• Types of Attack
• Victims and Effects
• Case Studies
• Defense

Definitions


Malware

“Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.”

Virus

“A virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a CD. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect and some can be quite harmful, erasing data or causing your hard disk to require reformatting.”

Worms

“Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.”

Trojan

“It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.”

Bot

“"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet".”

Denial of Service (DoS) Attack

“An attempt to make a computer resource run out and make it unavailable to its intended users.”

DoS Attack

The attacker mounts an attack from a single host.

DDoS Attack

The attacker uses many systems to simultaneously launch attacks against a remote host.

Zombie Computer

A computer connected to the Internet that has been compromised by a cracker, a computer virus or a Trojan, and that can be used to perform malicious tasks of one sort or another under remote direction.

The attack is amplified in:

• the rate of packets
• the size of packets
• the difficulty of tracing the attack back to the initiator

Attack

General Attack Classification

• Bandwidth Attack: intended to overflow and consume resources available to the victim
• Logic Attack: attempts to exploit a software program design flaw
• Protocol Attack: takes advantage of a protocol's inherent design

DoS Attack


Smurf Attack

• The attacker sends a huge amount of ICMP Echo Requests to the victim.
• Once network links become overloaded, all legitimate traffic will be slowed or stopped.
• Uses bandwidth consumption to disable a victim's network resources through amplification of the attacker's bandwidth.

The Fraggle

• Similar concept to ICMP flooding.
• The network is slowed to the point where all valid connections are stopped.
• Achieves a smaller amplification factor.

SYN Flood

The TCP three-way handshake:

– the client sends a SYN packet to the server
– the server sends a SYN-ACK back to the client
– the client sends an ACK back to the server to complete the three-way handshake and establish the TCP connection

SYN Flood

• The attack occurs by the attacker initiating a TCP connection to the server with a SYN (using a legitimate or spoofed source address).
• The server replies with a SYN-ACK.
• The client then doesn't send back an ACK, causing the server to allocate memory for the pending connection and wait.
• The half-open connections buffer on the victim server will eventually fill.
• The system will be unable to accept any new incoming connections until the buffer is emptied out.
• There is a timeout associated with a pending connection, so the half-open connections will eventually expire.
• The attacking system can continue requesting new connections faster than the victim system can expire the pending connections.
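As an added illustration (not part of the original slides), the Python simulation below models the half-open connection buffer just described: a constructed attacker sends spoofed SYNs at a fixed rate and never completes the handshake, while one legitimate client connects once per second. The buffer capacity, timeout and rates are assumed values; the model shows that the buffer fills exactly when the attack rate exceeds what the timeout can expire, and that a shorter timeout restores service at the same attack rate.

```python
class HalfOpenTable:
    """Models the server's buffer of half-open TCP connections (SYN-ACK sent,
    client's final ACK not yet received). Capacity and timeout are assumed."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}   # connection key -> time the SYN-ACK was sent
        self.dropped = 0    # SYNs discarded because the buffer was full

    def expire(self, now):
        # Pending connections older than the timeout are removed.
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}

    def on_syn(self, now, key):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False    # buffer full: the new connection request is lost
        self.pending[key] = now
        return True

    def on_ack(self, now, key):
        # Final ACK: the entry leaves the half-open buffer (connection established).
        return self.pending.pop(key, None) is not None

def simulate(attack_rate, seconds, capacity=256, timeout=30):
    """Constructed scenario: an attacker sends `attack_rate` spoofed SYNs per second
    and never answers the SYN-ACK, while one legitimate client connects each second.
    Returns (legit_ok, legit_failed)."""
    table = HalfOpenTable(capacity, timeout)
    legit_ok = legit_failed = 0
    spoofed = 0
    for now in range(seconds):
        for _ in range(attack_rate):
            spoofed += 1
            table.on_syn(now, ("spoofed", spoofed))   # every spoofed SYN is a distinct source
        key = ("192.0.2.10", 50000 + now)             # constructed legitimate client
        if table.on_syn(now, key):
            table.on_ack(now, key)                    # real client completes the handshake
            legit_ok += 1
        else:
            legit_failed += 1
    return legit_ok, legit_failed

if __name__ == "__main__":
    print(simulate(5, 60))               # (60, 0): 5/s x 30 s = 150 entries, buffer never fills
    print(simulate(10, 60))              # (25, 35): 10/s x 30 s = 300 > 256, full from second 25 on
    print(simulate(10, 60, timeout=10))  # (60, 0): a shorter timeout expires entries fast enough
```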

DDoS Attack


How it works

• The attacker recruits multiple zombie machines.
• Zombie computers send the attack packets and recruit other machines.
• The identity of the subverted machines is hidden through spoofing of the source address field in the attack packets.

TrinOO

• Affects Windows and many Unix OSs.
• Attacker scans for exploits, gains root, and downloads Trin00 programs.
• Attacker -> Master -> Daemon hierarchy (One -> More -> Many).
• Attacker can telnet into a Master to initiate commands, which are distributed amongst its Daemons.
• Communication between Master and Daemon is through a password-protected cleartext UDP-based protocol.
• Daemons attack the target with a UDP or TCP packet bombardment.

Other attacks

TFN and TFN2k

• Smurf attack
• The Fraggle
• SYN flood
• All three at once

Stacheldraht

• Smurf attack
• The Fraggle
• SYN flood
• Encrypted communication between the attacker and the Masters
• The Agents can upgrade their code automatically

Victim & Damage


General Victim Classification

• Application: exploits some feature of a specific application in order to make use of the resource impossible.
• Host: access to the target machine is impossible because its communication mechanisms are overloaded or disabled.
• Network: the incoming bandwidth of the target network is consumed.
• Infrastructure: targets some distributed service that is crucial for global Internet operation or for the operation of a subnetwork.

Symptoms

• Unusually slow network performance
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails

Motivation

• Material gain
• Personal reasons (revenge)
• Fame
• Political reasons

Damage


• Disruptive: denies the victim's service to its clients. In the case of recoverable attacks, the victim can recover as soon as the influx of attack traffic stops; if the attack is non-recoverable, it requires some human intervention.
• Degrading: degrades some portion of a victim's resources. Since this kind of attack doesn't lead to total service disruption, it could remain undetected for a significant period of time.

Case Studies


ROK&US


Estonia

The botnet fooled Estonian network routers into continuously resending useless packets of information to one another, rapidly flooding the infrastructure used to conduct all online business in the country.

Dispute with Russia over the removal of a Soviet-era war memorial, a giant bronze soldier statue, from the center of Tallinn.

● Bank websites became unreachable, paralyzing most of Estonia's financial activity.
● Press sites also came under attack, in an attempt to disable news sources.
● ISPs were overwhelmed, blacking out Internet access for significant portions of the population.

● NATO established the alliance's cyber defense research center in Tallinn in 2008.
● Motivated Estonia to call on the European Union to make cyber attacks a criminal offense.


Georgia

Several Russian blogs, forums, and websites spread a Microsoft Windows batch script that was designed to attack Georgian websites.

In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack was directed first at the website of the Georgian president.

The effect was that Georgians could not connect to any outside news or information sources and could not send email out of the country. The aim of the attack was to prevent Georgians from learning what was going on.

Georgia's banking operations were paralyzed. Credit card systems shut down, followed by the mobile phone system.

Defence


Main Problem: Zombie Computers

• Patches for software defects that were reported and fixed months ago are never installed.
• Anti-virus tools are not kept up to date.
• Computer owners give away control of their computers by indiscriminately running unknown programs.

Local Solutions

Local filtering

The victim can try to stop the infiltrating IP packets at the local router by installing a filter to detect them.

Changing IPs

System administrators must make a series of changes to lead the traffic to the new IP address; once the IP change is completed, all Internet routers will have been informed and edge routers will drop the attacking packets.

Creating client bottlenecks

The aim is to create a bottleneck process on the zombie computers, such as solving a puzzle or requiring the attacking computer to answer a random question before establishing the connection. In this way the attacking ability is limited, because those strategies consume computational power, limiting the attacker in the number of connection requests it can make at the same time.
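The client-bottleneck idea above can be implemented as a client puzzle in the style of a hash-based proof of work. The Python code below is an added example, not from the original slides: the server issues a random challenge and a difficulty, the connecting client must find a counter whose SHA-256 hash together with the challenge has that many leading zero bits, and the server verifies with a single hash. The 16-byte challenge, the 8-byte counter format and the difficulty values are assumed choices.

```python
import hashlib
import os

DIGEST_BITS = 256


def issue_puzzle(difficulty_bits):
    """Server side: a fresh 16-byte random challenge plus the required number of
    leading zero bits. A new challenge per connection attempt prevents reuse."""
    return os.urandom(16), difficulty_bits


def _leading_zero_bits(digest):
    return DIGEST_BITS - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(challenge, difficulty_bits):
    """Client side: brute-force an 8-byte counter until SHA-256(challenge || counter)
    starts with difficulty_bits zero bits. Expected cost is about 2**difficulty_bits
    hashes, which is the bottleneck imposed on every connection request.
    Returns (solution, hashes_computed)."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        digest = hashlib.sha256(challenge + candidate).digest()
        if _leading_zero_bits(digest) >= difficulty_bits:
            return candidate, counter + 1
        counter += 1


def verify_solution(challenge, difficulty_bits, solution):
    """Server side: one hash, so checking stays cheap however hard the puzzle is.
    This asymmetry is what caps the number of requests an attacker can complete."""
    if not isinstance(solution, bytes) or len(solution) != 8:
        return False
    digest = hashlib.sha256(challenge + solution).digest()
    return _leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    challenge, bits = issue_puzzle(16)   # assumed difficulty: about 65k hashes per connection
    solution, work = solve_puzzle(challenge, bits)
    print("solved after %d hashes, accepted: %s" % (work, verify_solution(challenge, bits, solution)))
```

The difficulty can be raised while a flood is in progress and lowered again afterwards, since only the cost on the requesting side changes.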

Global Solutions


Improving the security of the entire Internet.

Using globally coordinated filters

To prevent the accumulation of a critical mass of attacking packets over time: a victim can send information that it has detected an attack, and the filters can stop attacking packets earlier, preventing them from spreading.

Tracing the source IP address

To trace the intruders' path back to the zombie computers and stop their attacks.

Thank you
