Computer Security: Principles and Practice
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Chapter 8 – Denial of Service

Denial of Service
- denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
- attacks target:
  - network bandwidth
  - system resources
  - application resources
- have been an issue for some time
Classic Denial of Service Attacks
- can use simple flooding ping
  - from higher capacity link to lower
  - causing loss of traffic
  - source of flood traffic easily identified
Classic Denial of Service Attacks

Source Address Spoofing
- use forged source addresses
  - given sufficient privilege to "raw sockets"
  - easy to create
- generate large volumes of packets directed at target with different, random, source addresses
  - cause same congestion
  - responses are scattered across Internet
  - real source is much harder to identify
SYN Spoofing
- other common attack
- attacks ability of a server to respond to future connection requests
  - overflowing tables used to manage them
  - hence an attack on system resource
TCP Connection Handshake

SYN Spoofing Attack

SYN Spoofing Attack
- attacker often uses either random source addresses or that of an overloaded server
  - to block return of (most) reset packets
- has much lower traffic volume
  - attacker can be on a much lower capacity link
Types of Flooding Attacks
- classified based on network protocol used
- ICMP Flood
  - uses ICMP packets, e.g. echo request
  - typically allowed through, some required
- UDP Flood
  - alternative uses UDP packets to some port
- TCP SYN Flood
  - use TCP SYN (connection request) packets
  - but for volume attack
Distributed Denial of Service Attacks
- have limited volume if single source used
- multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack
- often compromised PCs / workstations
  - zombies with backdoor programs installed
  - forming a botnet
- e.g. Tribe Flood Network (TFN), TFN2K

DDoS Control Hierarchy
Reflection Attacks
- use normal behavior of network
- attacker sends packet with spoofed source address being that of target to a server
- server response is directed at target
- if send many requests to multiple servers, response can flood target
- various protocols e.g. UDP or TCP/SYN
- ideally want response larger than request
- prevent if block source spoofed packets
Reflection Attacks
- further variation creates a self-contained loop between intermediary and target
- fairly easy to filter and block

Amplification Attacks
DNS Amplification Attacks
- use DNS requests with spoofed source address being the target
- exploit DNS behavior to convert a small request to a much larger response
  - 60 byte request to 512 - 4000 byte response
- attacker sends requests to multiple well connected servers, which flood target
  - need only moderate flow of request packets
  - DNS servers will also be loaded
DoS Attack Defenses
- high traffic volumes may be legitimate
  - result of high publicity, e.g. "slash-dotted"
  - or to a very popular site, e.g. Olympics etc
  - or legitimate traffic created by an attacker
- three lines of defense against (D)DoS:
  - attack prevention and preemption
  - attack detection and filtering
  - attack source traceback and identification
Attack Prevention
- block spoofed source addresses
  - on routers as close to source as possible
  - still far too rarely implemented
- rate controls in upstream distribution nets
  - on specific packet types
  - e.g. some ICMP, some UDP, TCP/SYN
- use modified TCP connection handling
  - use SYN cookies when table full
  - or selective or random drop when table full
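The SYN-cookie defense named above, worked through as an added example (illustrative code, not from the textbook or any kernel): the server stores nothing per half-open connection; instead the initial sequence number it sends in the SYN-ACK is a keyed hash of the 4-tuple plus a coarse time counter and an encoded MSS, and the final ACK is validated by recomputing it. The secret, MSS table and 5/2/25-bit field layout are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import time

# Illustrative SYN-cookie layout (not a real kernel's): after a SYN the server
# keeps no state; everything it needs is encoded in the ISN of its SYN-ACK and
# comes back (plus one) as the acknowledgement number of the client's final ACK.
SECRET = b"constructed-demo-secret"          # constructed; rotated in practice
MSS_TABLE = (536, 1220, 1440, 1460)          # MSS choices encodable in 2 bits
SLOT_SECONDS = 64                            # one counter slot = 64 seconds

def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """Truncated HMAC over the 4-tuple and time counter (25 bits kept)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & 0x1FFFFFF

def current_counter(now=None):
    """Coarse time counter; cookies are only valid for a few slots."""
    return int(now if now is not None else time.time()) // SLOT_SECONDS

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, counter):
    """ISN for the SYN-ACK: 5 bits counter | 2 bits MSS index | 25 bits MAC."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | h

def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port,
                     now_counter, max_age=2):
    """Validate the handshake's final ACK with no stored state.
    Returns the negotiated MSS, or None if the cookie is forged or expired."""
    cookie = (ack_num - 1) & 0xFFFFFFFF           # ACK acknowledges ISN + 1
    slot = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    h = cookie & 0x1FFFFFF
    for age in range(max_age + 1):                 # accept only recent slots
        counter = now_counter - age
        if counter >= 0 and (counter & 0x1F) == slot and \
                h == _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
            return MSS_TABLE[mss_idx]
    return None
```

Spoofed SYNs that never complete the handshake therefore cost the server no table entry, which is exactly the resource the SYN spoofing attack tries to exhaust.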
Attack Prevention
- block IP directed broadcasts
- block suspicious services & combinations
- manage application attacks with "puzzles" to distinguish legitimate human requests
- good general system security practices
- use mirrored and replicated servers when high-performance and reliability required
Responding to Attacks
- need good incident response plan
  - with contacts for ISP
  - needed to impose traffic filtering upstream
  - details of response process
- have standard filters
- ideally have network monitors and IDS to detect and notify abnormal traffic patterns
Responding to Attacks
- identify type of attack
  - capture and analyze packets
  - design filters to block attack traffic upstream
  - or identify and correct system/application bug
- have ISP trace packet flow back to source
  - may be difficult and time consuming
  - necessary if legal action desired
- implement contingency plan
- update incident response plan
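The monitoring step ("detect and notify abnormal traffic patterns") and the first response step ("identify type of attack" from captured packets) from the two slides above, as an added example that is not part of the lecture slides: two indicators run over constructed flow records, a half-open SYN ratio for the SYN flood/spoofing case and a count of DNS replies the target never asked for, which is the signature of reflection/amplification traffic. The record layout, addresses, ports and thresholds are all assumptions made for the demonstration.

```python
# Constructed flow records: (proto, src, sport, dst, dport, tcp_flags, bytes).
# tcp_flags is "S" for SYN, "SA" for SYN-ACK, "A" for ACK, "" for non-TCP.
TARGET = "192.0.2.10"                                   # constructed victim
SAMPLE = (
    # 40 SYNs from 40 sources that never complete the handshake
    [("tcp", f"203.0.113.{i}", 40000 + i, TARGET, 80, "S", 60) for i in range(1, 41)]
    # one legitimate, completed handshake
    + [("tcp", "198.51.100.5", 51000, TARGET, 80, "S", 60),
       ("tcp", TARGET, 80, "198.51.100.5", 51000, "SA", 60),
       ("tcp", "198.51.100.5", 51000, TARGET, 80, "A", 52)]
    # 20 large DNS replies to the target with no matching outbound query
    + [("udp", f"198.51.100.{i}", 53, TARGET, 33000 + i, "", 3000) for i in range(10, 30)]
    # one genuine query/reply pair (query precedes the reply in capture order)
    + [("udp", TARGET, 33999, "198.51.100.9", 53, "", 60),
       ("udp", "198.51.100.9", 53, TARGET, 33999, "", 120)]
)

def syn_flood_stats(records, target, dport=80):
    """SYNs seen to target:dport versus handshakes the same peer completed."""
    syn_peers, completed = set(), set()
    for proto, src, sport, dst, dp, flags, _ in records:
        if proto != "tcp" or dst != target or dp != dport:
            continue
        if flags == "S":
            syn_peers.add((src, sport))
        elif flags == "A" and (src, sport) in syn_peers:
            completed.add((src, sport))
    half_open = len(syn_peers) - len(completed)
    ratio = half_open / len(syn_peers) if syn_peers else 0.0
    return {"syns": len(syn_peers), "half_open": half_open, "ratio": ratio}

def unsolicited_dns_replies(records, target):
    """DNS replies to target with no preceding query from target to that server."""
    asked = set()                                       # (server, client port)
    unsolicited, total_bytes = 0, 0
    for proto, src, sport, dst, dp, _, nbytes in records:
        if proto != "udp":
            continue
        if src == target and dp == 53:
            asked.add((dst, sport))
        elif dst == target and sport == 53 and (src, dp) not in asked:
            unsolicited += 1
            total_bytes += nbytes
    return {"unsolicited": unsolicited, "bytes": total_bytes}

def alerts(records, target, half_open_ratio=0.5, min_syns=20, min_unsolicited=10):
    """Thresholds are constructed for the demo; tune them to the site's baseline."""
    out = []
    s = syn_flood_stats(records, target)
    if s["syns"] >= min_syns and s["ratio"] >= half_open_ratio:
        out.append(f"possible SYN flood: {s['half_open']}/{s['syns']} half-open")
    d = unsolicited_dns_replies(records, target)
    if d["unsolicited"] >= min_unsolicited:
        out.append(f"possible DNS reflection: {d['unsolicited']} unsolicited replies, {d['bytes']} bytes")
    return out
```

The two indicators also tell the responder which upstream filter to ask the ISP for: a SYN rate limit for the first, a filter on inbound UDP/53 replies to the target for the second.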
Summary
- introduced denial of service (DoS) attacks
- classic flooding and SYN spoofing attacks
- ICMP, UDP, TCP SYN floods
- distributed denial of service (DDoS) attacks
- reflection and amplification attacks
- defenses against DoS attacks
- responding to DoS attacks