
DDoS Attacks: The Latest Threat to Availability

© Sombers Associates, Inc. 2013 2

The Anatomy of a DDoS Attack


What is a Distributed Denial of Service Attack?

• An attempt to make an Internet service unavailable to its users.

• Saturate the victim machine with external traffic.

• The victim machine:
- can’t respond to legitimate traffic, or
- is so slow as to be essentially unavailable.

• The address of the attacker is spoofed:
- the victim machine can’t simply block traffic from a known source.

• Commonly constitutes violations of the laws of nations.


What is a Distributed Denial of Service Attack?

• Malware attacks do not generally pose a threat to availability:
- they are aimed at stealing personal information and other data.

• DDoS attacks are a major threat to availability.

• They have been used to take down major sites for days.

• They are easy to launch and difficult to defend against.

• Reasons for DDoS attacks:
- revenge.
- competition.


How Can So Much Traffic Be Generated? By Botnets

• Typical attacks generate about 10 gigabits/sec. of malicious traffic.
- One PC can generate about one megabit/sec. of traffic.
- It takes about 10,000 PCs to generate 10 gigabits/sec. of traffic.
- This is a botnet.

• A botnet is a collection of computers:
- whose security defenses have been breached.
- whose control has been conceded to a third party, the bot master.

• The bot master controls the activities of the compromised computers.


How Can So Much Traffic Be Generated? By Botnets

• More recently, servers have been included in botnets.

• A large server can generate a gigabit/sec. of malicious traffic:
- one thousand times that of a PC.

• Ten large servers can generate as much traffic as 10,000 PCs.

• Servers are infected via network vulnerabilities.

• The latest attacks have generated 100 gigabits/sec. of malicious data:
- a combination of infected PCs and servers.


The Anatomy of a DDoS Attack

• DDoS attackers depend upon infecting thousands of PCs.

• A typical infection sequence is:
- a user succumbs to a phishing attack (opens a malicious email or visits a malicious web site).
- a Trojan is injected into the machine, which opens a “back door.”
- a bot infection is inserted into the PC via the back door.
- the bot infection establishes a connection with the bot master.


Phishing

• Phishing masquerades as a trusted entity in an electronic communication:

– email, web site.

• Designed to obtain sensitive information such as account numbers and SSNs by:
- tricking users into responding to the email.
- leading users to a spoofed web site that looks real.

• Emails can also carry malicious executables or point to malicious web sites.

• Malicious executables or malicious web sites can infect the PC:
- used to inject a Trojan that creates a back door into the PC.

• User training – send employees simulated phishing messages that take them to a web site informing them that they have been lured.


Trojans

• A Trojan creates a “back door” allowing unauthorized access to the target computer.

• Its main purpose is to make the host system open to access from the Internet.

• Installed via malicious emails or Internet applications.

• Consequences:
- controlling the computer system remotely (botnets).
- also keystroke logging, data theft, and installing other malware.


The BYOD Conundrum

• Bring Your Own Device (BYOD) is the new gateway into corporate networks:
- employees using smart phones, tablets, and notebook computers.
- conducting their work at home or on the road.
- connecting from outside the corporate firewall to servers and databases.

• Malware can gain access to a company’s network by infecting these devices.

• Mobile malware is becoming a greater threat than direct infections of systems.


Android Devices are the Primary Target

• Mobile malware is most likely to be installed via malicious apps.

• Android is an open operating system modified by each vendor:
- security provisions are often bypassed.

• There are hundreds of Android app stores not vetted by Google.

• The number of malicious apps has grown 800% over the last year.

• 92% are directed at Android devices.

• Apple has tight control over apps:
- tests each one thoroughly.
- does not allow unvetted apps to be downloaded from the Apple app store.

• Malware can also be downloaded via phishing.


Jail-Broken and Rooted Devices

• Android and iOS prevent unauthorized access to privileged OS commands.

• An Android device can be modified by the user to give apps that access:
- rooted device.
- necessary to run some apps.

• A rooted Android device can be infected with malware that runs at the operating system level:
- Trojans.
- keyloggers.

• Similarly, an iOS device can be jail-broken. However:
- the iOS world is tightly controlled.
- several security functions must be bypassed.
- it cannot be done by the ordinary user.


Other Mobile Threats

• Compromised Wi-Fi hot spots:
- coffee shops, airports, hotels.
- corporate data is vulnerable whenever an employee logs onto a public Wi-Fi hot spot.
- frequently configured so that anyone can see all of the network traffic.
- commercially available apps provide network monitoring capability.

• Poisoned DNS servers:
- the user must trust the DNS server used by a Wi-Fi hot spot.
- hackers can hijack a public DNS server.
- and direct traffic to a malicious web site.
- the web site can obtain users’ private data – passwords, etc.
- malware is downloaded to the device from the web site.


DDoS Strategies


DDoS Strategies: The Internet Protocol Suite

• Application Layer – used by applications for network communications (FTP, SMTP).

• Transport Layer – end-to-end message transfer (TCP, UDP).

• Internet Layer – best-effort datagram transmission between hosts (IP).

• Link Layer – local network topology (routers, switches, hubs, firewalls).


DDoS Strategies: Attacks Occur at Various Levels

• Network Level:
- the network is bombarded with traffic.
- consumes all available bandwidth needed by legitimate requests.

• Infrastructure Level:
- network devices such as firewalls and routers maintain state in internal tables.
- the attack fills the state tables of the network devices.
- the network devices cannot handle legitimate traffic.

• Application Level:
- invoke application services that consume processing and disk resources.
- illegitimate logins.
- searches (if the attacker has obtained user names and passwords).


DDoS Strategies: Attacks Occur at Various Levels

• ICMP Flood:
- the Internet Control Message Protocol (ICMP) returns error messages.
- the attacker sends messages to random ports.
- most ports will not be in use.
- the victim system must respond with “port unreachable.”
- the victim system is so busy responding with ICMP messages that it can’t handle legitimate traffic.

• Ping Attack:
- an ICMP attack in which the victim is flooded with pings.
- the victim must respond with ping-response messages.


DDoS Strategies: Attacks Occur at Various Levels

• SYN Flood:
- the attacker begins the initiation of a connection.
- sends a SYN connection request.
- the server assigns resources to the connection and responds with SYN-ACK.
- the attacker never sends the ACK to complete the connection.
- the spoofed client ignores the SYN-ACK since it did not send a SYN.
- the victim holds resources for three minutes awaiting connection completion.
- the victim runs out of resources and cannot accept legitimate connections.

• GET/POST Flood:
- commands to retrieve and update data.
- use extensive compute and disk resources of the server.
- typically needs user names and passwords.
- consumes all resources of the server.


DDoS Strategies: Amplified Attacks

• The most vicious kind of attack:
- generates a great deal of attack data with little effort.

• Example – DNS Reflection:
- depends upon DNS Open Resolvers.
- an Open Resolver will respond to any DNS request, no matter where it comes from.
- the attacker sends a DNS request for a URL with the spoofed IP address of the victim as the source.
- the DNS server sends the response (the IP address of the URL) to the victim.
- a typical request message is 30 bytes.
- a typical response message is 3,000 bytes.
- 100 times amplification.

• A publicly available toolkit – itsoknoproblembro – is used to launch DNS attacks.

• Open DNS Resolvers were supposed to be phased out:
- there are still 27 million Open Resolvers on the Internet.
- their IP addresses have all been published.
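As an added example (not part of the slides), here is the defender-side view of the SYN flood and DNS reflection patterns described in the two preceding slides: Python heuristics run over constructed flow records that count half-open handshakes per destination and unsolicited UDP/53 response bytes per host. The hosts, ports and sizes are made up; the 3,000-byte responses mirror the slide's amplification figure.

```python
"""Detection heuristics for two DDoS patterns from the slides: SYN floods
(half-open connections) and DNS reflection (unsolicited large responses).
All flow records below are constructed sample data, not captured traffic."""
from collections import Counter

# Constructed flows: (proto, src, dst, sport, dport, tcp_flags, bytes)
SAMPLE_FLOWS = [
    # Normal three-way handshake: SYN, SYN-ACK, ACK.
    ("tcp", "10.0.0.5", "192.0.2.10", 51000, 443, "S", 60),
    ("tcp", "192.0.2.10", "10.0.0.5", 443, 51000, "SA", 60),
    ("tcp", "10.0.0.5", "192.0.2.10", 51000, 443, "A", 52),
    # Spoofed SYNs that are never completed (half-open backlog).
    ("tcp", "203.0.113.1", "192.0.2.10", 40001, 443, "S", 60),
    ("tcp", "203.0.113.2", "192.0.2.10", 40002, 443, "S", 60),
    ("tcp", "203.0.113.3", "192.0.2.10", 40003, 443, "S", 60),
    # Legitimate DNS: the host asks, the resolver answers.
    ("udp", "10.0.0.5", "198.51.100.53", 33000, 53, "", 30),
    ("udp", "198.51.100.53", "10.0.0.5", 53, 33000, "", 120),
    # Reflected responses: the victim never queried these resolvers.
    ("udp", "198.51.100.7", "192.0.2.10", 53, 1234, "", 3000),
    ("udp", "198.51.100.8", "192.0.2.10", 53, 1234, "", 3000),
]

def half_open_counts(flows):
    """Per destination: SYNs from a client socket that never sent the
    completing ACK. A large count is the victim-side sign of a SYN flood."""
    syns, acks = Counter(), set()
    for proto, src, dst, sport, _dport, flags, _ in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[(dst, src, sport)] += 1
        elif flags == "A":
            acks.add((dst, src, sport))
    pending = Counter()
    for key, n in syns.items():
        if key not in acks:
            pending[key[0]] += n
    return pending

def unsolicited_dns_bytes(flows):
    """Per host: bytes of UDP/53 responses with no matching outbound query.
    Large unsolicited answers are how DNS reflection looks from the victim."""
    queries = {(src, dst, sport) for proto, src, dst, sport, dport, _, _ in flows
               if proto == "udp" and dport == 53}
    suspicious = Counter()
    for proto, src, dst, sport, dport, _, nbytes in flows:
        if proto == "udp" and sport == 53 and (dst, src, dport) not in queries:
            suspicious[dst] += nbytes
    return suspicious
```

On the sample data both functions single out 192.0.2.10: three half-open handshakes and 6,000 bytes of DNS answers it never asked for.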


Major DDoS Attacks: Some Examples


Major U.S. Banks

September 2012 – The online banking web sites of six major U.S. banks are taken down for days by Distributed Denial of Service (DDoS) attacks.

• The Izz ad-Din al-Qassam Cyber Warriors vowed to attack major U.S. banks.

• The attacks will continue until the video “Innocence of Muslims” is removed from the Internet.

• September 2012 – DDoS attacks are launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank.

• The attacks take down their online banking portals for a day.

• Attacks followed against Capital One, SunTrust Banks, and Regions Financial.

• The 70 gigabit/second attacks used hundreds of thousands of volunteer computers and infected servers.

• December 2012 – Attacks were repeated for several days against all of the banks.

• Intelligence officials say that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the U.S.


History’s Largest DDoS Attack

• Spamhaus is a spam-filtering site:
- provides a blacklist of IP addresses used by email spammers.
- used by spam-filtering vendors, ISPs, and corporations.

• Spamhaus blocked CyberBunker:
- CyberBunker claims to host anything except terrorism and child pornography.

• CyberBunker launched a 300 gigabit/sec. attack against Spamhaus:
- it lasted for ten days.

• Spamhaus enlisted CloudFlare to help it weather the attack:
- CloudFlare spread the malicious load across its 23 data centers.
- scrubbed the data and fed only legitimate traffic to Spamhaus.

• CyberBunker extended its attack to CloudFlare.


Summary


Botnets

• Until recently, DDoS attacks were in the 10 gbps range:
- infected PC botnets.

• Islamic hackers – 100 gbps:
- used tens of thousands of volunteered PCs.
- added infected servers.

• CyberBunker – 300 gbps:
- used a PC/server botnet.
- used DNS reflection.


Mitigation

• DDoS attacks are easy to launch and difficult to defend against.

• Firewalls and intrusion-prevention systems (IPS) can be overwhelmed.

• Spread the load across several data centers to scrub the traffic.

• Use the services of a DDoS mitigation company that can scrub traffic across several data centers:
- Prolexic
- Tata
- AT&T
- Verisign

• Include DDoS attacks in your Business Continuity Plan.