Denial of Service Attacks: Methods, Tools, and Defenses
Prof. Mort Anvari, Strayer University at Arlington
Introduction
Basic types of DoS attacks
Evolution of DoS tools
Overview of DoS tools
Defenses
What is a Denial of Service Attack?
"Attack in which the primary goal is to deny the victim(s) access to a particular resource." (CERT/CC)
Very wide definition; it covers many cases
This tutorial covers only a subset of all DoS attacks
Modes of Denial of Service Attack
Consumption of limited resources:
  Network connectivity
  Bandwidth
  Other resources: processing time, disk space, lockout of an account
Alteration of configuration information
DoS Attacks - Statistics
More than 4,000 attacks per week
During 2000, 27% of surveyed security professionals detected a DoS attack against their systems
In the February 2000 attacks, the traffic directed at one of the affected sites was about 800 Mb/s
DoS Attacks - Statistics
Overall Internet performance degradation during the February 2000 attacks (source: Keynote Systems)

Date        PPW     PAW     CPW
Feb. 7th    5.66    5.98    +5.7%
Feb. 8th    5.53    5.96    +7.8%
Feb. 9th    5.26    6.67    +26.8%
Feb. 10th   4.97    4.86    -2.2%

PPW – performance in the previous week
PAW – performance in the attack week
CPW – change from the previous week (larger values are worse, so a positive change is a slowdown)
DoS Attacks - Basics
DoS Attacks - Basics
An attack has two phases:
  Installation of DoS tools
  Launching the attack
DoS Attacks - Basics
Installation of DoS tools:
  Finding a suitable machine: unprotected ports, vulnerable services, operating-system flaws, Trojan horses and worms
  Installation of the tool itself
  Installation of a root-kit (to hide the tool and keep access to the machine)
DoS Attacks - Basics
Ping of Death
The maximum legal size of an IP datagram is 65,535 bytes (16-bit total-length field); a fragmented ICMP echo request can be crafted so that its fragments reassemble to more than that
Such an oversized packet overflowed the reassembly buffer on many stacks of the time and could crash, freeze, or reboot the system
Obsolete: current stacks check the reassembled length
DoS Attacks - Basics
Teardrop
An IP packet can be fragmented in transit
The receiver reassembles the fragments using the fragment offset field in each fragment's IP header
Teardrop sends fragments whose offset fields overlap, so the second fragment lands inside data the first one already supplied; reassembly code that trusted the offsets crashed
Obsolete
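Both of the fragment-handling bugs above come down to reassembly code trusting the offset and length fields. The checker below is an added illustration, not code from the original tutorial: it applies the two checks a reassembly path needs against constructed fragment sets, namely a reassembled size beyond 65,535 bytes (Ping of Death) and overlapping byte ranges (Teardrop), and also reports an incomplete set. The `Fragment` model, the `fragments_of` helper and the sample payload sizes are the example's own assumptions.

```python
"""Sanity checks an IP reassembly path should apply to incoming fragments.

Added example, not from the slides. Each fragment is modelled by the three
header fields reassembly depends on: the fragment offset (in 8-byte units),
the payload length and the "more fragments" flag. The checker rejects the
two malformed cases the slides describe, a reassembled datagram larger than
the 65,535-byte IP maximum (Ping of Death) and fragments whose byte ranges
overlap (Teardrop), and reports an incomplete set. All sample fragment sets
are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional

IP_MAX_LEN = 65535      # largest legal IP datagram: 16-bit total-length field
IP_HDR_LEN = 20         # header bytes counted in total length but not in fragment payload
FRAG_UNIT = 8           # the fragment offset field counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset_units: int   # IP fragment offset field
    payload_len: int    # payload bytes carried by this fragment
    more: bool          # MF flag: more fragments follow

    @property
    def start(self) -> int:
        return self.offset_units * FRAG_UNIT

    @property
    def end(self) -> int:          # exclusive
        return self.start + self.payload_len


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return None if the set can be reassembled safely, else the reason to drop it."""
    if not frags:
        return "empty"
    ordered = sorted(frags, key=lambda f: f.start)
    covered_to = 0
    for f in ordered:
        # Ping of Death: offset + length walks past the 16-bit datagram limit,
        # so a fixed 64 KiB reassembly buffer would be overrun.
        if IP_HDR_LEN + f.end > IP_MAX_LEN:
            return f"oversized: reassembled length {IP_HDR_LEN + f.end} > {IP_MAX_LEN}"
        # Teardrop: this fragment starts inside bytes an earlier one already supplied.
        # Stacks that derived a "remaining length" from the offsets went negative here.
        if f.start < covered_to:
            return f"overlap: fragment at {f.start} overlaps data already covered to {covered_to}"
        if f.start > covered_to:
            return f"incomplete: hole between {covered_to} and {f.start}"
        covered_to = f.end
    if ordered[-1].more:
        return "incomplete: last fragment still has MF set"
    return None


def fragments_of(total_payload: int, mtu_payload: int = 1480) -> List[Fragment]:
    """Split a datagram payload into in-order fragments the way a router would."""
    frags, off = [], 0
    while off < total_payload:
        n = min(mtu_payload, total_payload - off)
        frags.append(Fragment(off // FRAG_UNIT, n, more=off + n < total_payload))
        off += n
    return frags


# Constructed samples.
SAMPLE_NORMAL = fragments_of(3000)           # ordinary 3000-byte payload over a 1500-byte MTU
SAMPLE_PING_OF_DEATH = fragments_of(65518)   # 65510-byte ICMP echo + 8-byte ICMP header
SAMPLE_TEARDROP = [                          # second fragment starts inside the first
    Fragment(0, 36, more=True),
    Fragment(3, 4, more=False),              # offset 3*8 = 24, but bytes 0..35 already covered
]

if __name__ == "__main__":
    for name, frags in (("normal", SAMPLE_NORMAL), ("ping-of-death", SAMPLE_PING_OF_DEATH),
                        ("teardrop", SAMPLE_TEARDROP)):
        print(f"{name}: {check_fragments(frags) or 'ok'}")
```

The largest legitimate ping payload (65,507 bytes, plus the 8-byte ICMP header) passes the size check exactly, which is the boundary a real implementation must get right.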
DoS Attacks - Basics
SYN flood attack
TCP three-way handshake:
  Client -> Server: SYN
  Server -> Client: SYN-ACK (the server records a half-open connection in its backlog queue)
  Client -> Server: ACK (never sent by the attacker)
The backlog queue has a finite length
Lots of half-open connections, usually from spoofed source addresses, fill it, and legitimate SYNs are dropped
Partially solved (shorter timeouts, larger backlogs, SYN cookies)
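The weak point is that the server commits a backlog slot before the client has proven it can complete the handshake. The simulation below is an added example, not code from the original tutorial: it models a classic stateful listener that a burst of spoofed SYNs fills up, next to a listener that keeps no half-open state at all and instead encodes it in the SYN-ACK sequence number (a SYN cookie), then checks which one still serves a legitimate client. The listener classes, the cookie layout, the addresses, ports and secret are all the example's own assumptions.

```python
"""Why a fixed backlog is the SYN-flood weakness, and how SYN cookies remove it.

Added example, not from the slides. Two toy TCP listeners are modelled.
StatefulListener keeps one backlog entry per half-open connection, so a
burst of SYNs from spoofed sources (which never complete the handshake)
fills it and a real client is refused. CookieListener instead encodes its
state in the SYN-ACK sequence number, a keyed hash of the 4-tuple, the
client's ISN and a coarse timer, and verifies it when the ACK returns, so
it stores nothing for half-open connections. Addresses, ports and the
secret are constructed sample values.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


class StatefulListener:
    """Classic behaviour: each SYN-ACK sent costs one slot in a fixed backlog."""

    def __init__(self, backlog: int) -> None:
        self.backlog = backlog
        self.half_open: Dict[Tuple[Endpoint, Endpoint], int] = {}
        self._next_isn = 0x1000     # deterministic ISN for the demo (real stacks randomize)

    def on_syn(self, client: Endpoint, server: Endpoint, client_isn: int) -> Optional[int]:
        if len(self.half_open) >= self.backlog:
            return None             # backlog full: SYN silently dropped, no SYN-ACK
        self._next_isn += 64000
        self.half_open[(client, server)] = self._next_isn
        return self._next_isn       # our ISN goes into the SYN-ACK

    def on_ack(self, client: Endpoint, server: Endpoint, seq: int, ack: int) -> bool:
        ours = self.half_open.pop((client, server), None)
        return ours is not None and ack == ours + 1


class CookieListener:
    """SYN cookie: SYN-ACK seq = 8-bit timer | 24-bit MAC, verified on the ACK."""

    def __init__(self, secret: bytes, clock: Callable[[], int]) -> None:
        self.secret = secret
        self.clock = clock          # coarse ticks, e.g. minutes; cookies expire after ~2

    def _mac(self, client: Endpoint, server: Endpoint, client_isn: int, t: int) -> bytes:
        msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{client_isn}|{t}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, client: Endpoint, server: Endpoint, client_isn: int) -> int:
        t = self.clock() & 0xFF
        # No per-connection state is kept; the cookie itself is the state.
        # (Real stacks also fold an MSS index into the low bits; omitted here.)
        return (t << 24) | int.from_bytes(self._mac(client, server, client_isn, t), "big")

    def on_ack(self, client: Endpoint, server: Endpoint, seq: int, ack: int) -> bool:
        cookie = (ack - 1) & 0xFFFFFFFF
        t = cookie >> 24
        if (self.clock() - t) & 0xFF > 1:
            return False            # cookie too old: refuse rather than trust a replay
        client_isn = (seq - 1) & 0xFFFFFFFF    # the ACK carries seq = client ISN + 1
        return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                                   self._mac(client, server, client_isn, t))


def simulate(listener, spoofed_syns: int) -> bool:
    """Flood with SYNs from spoofed sources that never ACK, then try one real handshake."""
    server: Endpoint = ("192.0.2.10", 80)            # constructed victim
    for i in range(spoofed_syns):                    # constructed spoofed sources
        listener.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i), server, client_isn=1000 + i)
    client: Endpoint = ("198.51.100.7", 51515)      # constructed legitimate client
    client_isn = 7777
    syn_ack_seq = listener.on_syn(client, server, client_isn)
    if syn_ack_seq is None:
        return False                                 # never got a SYN-ACK: connection refused
    return listener.on_ack(client, server, seq=client_isn + 1, ack=syn_ack_seq + 1)


if __name__ == "__main__":
    print("stateful, backlog 128, 200 spoofed SYNs:", simulate(StatefulListener(128), 200))
    print("SYN cookies, 200 spoofed SYNs:",
          simulate(CookieListener(b"constructed-secret", lambda: 0), 200))
```

The cookie listener trades a little CPU per SYN (one keyed hash) for zero memory per half-open connection, which is exactly the resource the flood is trying to exhaust; the timer field bounds how long a captured cookie stays valid.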
DoS Attacks - Basics
UDP flood
UDP echo service (port 7) and UDP chargen service (port 19)
The attacker sends one request to a victim's chargen port with the source address spoofed to another victim's echo port; the two services then bounce traffic between each other indefinitely
  Attacker -> Victim A (chargen), spoofed source = Victim B (echo)
  Victim A (chargen) <-> Victim B (echo): self-sustaining traffic
Easy prevention: disable or filter both services
Brute force approach (plain UDP flooding) if this one doesn't work
DoS Attacks - Basics
Smurf attack
ICMP echo requests are sent to a network's broadcast address with the source address spoofed to the victim
Every host on the intermediate network answers the victim, so there are two victims: the amplifying network and the spoofed target
  Attacker -> broadcast address of the Intermediate Systems (spoofed source = Victim)
  Intermediate Systems -> Victim: one ICMP echo reply per host
Cannot be easily prevented by the victim; it depends on intermediate networks not forwarding directed broadcasts
Evolution of DoS Attacks
Defenses were improved
Technology (bandwidth, hardware) improved as well
Attackers had to improve their attack techniques
Evolution of DoS Attacks
Packet-processing rate (packets per second) is often a tighter limit than raw bandwidth
CPU can be the limiting resource in a SYN flood attack
"Reflected" attacks: the attacker sends a bad packet to an intermediate host with the victim's address as source, and the intermediate host's ICMP reply goes to the victim
  Attacker -> Intermediate: bad packet (spoofed source = Victim)
  Intermediate -> Victim: ICMP reply
(R)evolution of DoS Attacks
Distributed DoS tools and networks
Client-Server architecture
Open-source approach
Several layers
Difficulties in tracking back the attacker
Evolution of DoS Attacks
All systems in the DDoS network (other than the attacker's own) are compromised hosts
Terminology:
  Client: the attacker's control program
  Handler (master): relays commands to the agents
  Agent (daemon): compromised host that generates the attack traffic
Evolution of DoS Attacks
Implications of a DDoS network:
  One or two attackers
  Small number of clients
  Several handlers
  Huge number of agents
  Enormous aggregate traffic
DoS Attacks - Tools
DoS Attacks - Tools
History of DoS tools:
  Tools for knocking users off IRC
  Single-attack-method tools
  Distributed tools, with a choice of attack type
DoS Attacks - Tools
Trinoo
Distributed
UDP flood (brute force)
Menu operated
Agent passwords are sent in plain text form (not encrypted)
DoS Attacks - Tools
TFN (Tribal Flood Network)
Multi-type attack
UDP flood
SYN flood
ICMP_ECHOREPLY flood
Smurf
Handler keeps track of its agents in “Blowfish” encrypted file
DoS Attacks - Tools
TFN2K
Improved version of TFN
Agent can randomly alternate between attack types
Agent is completely silent (it never acknowledges): the handler sends the same command several times, hoping the agent receives at least one
All communication is encrypted
Random source IP address and port number
Decoy packets (sent to non-target networks)
DoS Attacks - Tools
Stacheldraht
Several levels of protection:
  Hard-coded password in the client
  Password is needed to take control of a handler
  Encrypted communication between handler and agent
DoS Attacks - Tools
Stacheldraht
Automated update of agents
TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent
DoS Attacks - Tools
Stacheldraht
ICMP_ECHOREPLY packets are difficult to stop (filtering them breaks ordinary ping for legitimate users)
Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent falls back to several hard-coded IP addresses
The agent tests whether it can spoof the source address before attacking
DoS Attacks - Tools
Stacheldraht
Weakness: it uses the rcp command (Berkeley remote copy, TCP port 514) to update agents
Watching for connections on this port can lead to detection of an agent; the drawback is that this can generate a lot of false alarms, because rcp/rsh are used by legitimate users too
Defenses
Defenses
There is no universal solution
Some precautions help to minimize the damage:
  Preventing your own systems from becoming the source of an attack
  Preparing to defend against an attack
Defenses
Disable and filter out the chargen and echo services
Disable and filter out all unused UDP services. Good practice is to block all UDP ports below 900, excluding the specific ports you actually serve (such as DNS, udp/53)
Defenses
Install a filtering router that drops the following:
  Packets arriving from outside whose source address belongs to your network (inbound anti-spoofing)
  Packets leaving your network whose source address does not belong to your network (egress filtering; this keeps your hosts from being used as sources of spoofed attacks)
Defenses
Network administrators should log all information on packets that are dropped
If you are providing external UDP services, monitor them for signs of misuse
Defenses
The following networks are reserved; no traffic should ever be received from or transmitted to them through a border router:
  10.0.0.0 to 10.255.255.255 (private, RFC 1918)
  127.0.0.0 to 127.255.255.255 (loopback)
  172.16.0.0 to 172.31.255.255 (private, RFC 1918)
  192.168.0.0 to 192.168.255.255 (private, RFC 1918)
  0.0.0.0 and 255.255.255.255 (broadcast)
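The filtering rules from the defenses slides (anti-spoofing in both directions, the reserved ranges, the UDP port policy for echo/chargen and other low ports, and logging of every dropped packet) can be written out as one decision function and checked against sample traffic. The code below is an added example, not part of the original tutorial; the site prefix, the sample packets and the extra directed-broadcast check (which goes beyond the slides but is the standard guard against becoming a Smurf amplifier) are the example's own assumptions.

```python
"""Border-router filter policy from the slides, expressed as a decision function.

Added example, not from the slides. It applies the two anti-spoofing rules
(inbound packets must not claim an inside source; outbound packets must
carry an inside source), drops the reserved and private ranges the slides
list in either direction, blocks inbound UDP to echo/chargen and to other
ports below 900 except DNS, and records every drop with its reason, as the
slides ask. One check goes beyond the slides: inbound packets to our
broadcast address are dropped so the site cannot be used as a Smurf
amplifier. The site prefix 192.0.2.0/24 and all sample packets are
constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

SITE = ipaddress.ip_network("192.0.2.0/24")       # constructed: the addresses we own

# Ranges the slides say must never cross the border in either direction.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/32", "255.255.255.255/32",
)]
UDP_LOW_PORT_LIMIT = 900          # slides: block all UDP ports below 900 ...
UDP_ALLOWED_LOW_PORTS = {53}      # ... except services really offered (DNS here)
UDP_REFLECTORS = {7, 19}          # echo and chargen: always off


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (arriving from the Internet) or "out" (leaving our network)
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class BorderFilter:
    dropped: List[Tuple[Packet, str]] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        reason = self.drop_reason(pkt)
        if reason:
            self.dropped.append((pkt, reason))   # slides: log every dropped packet
            return "drop"
        return "pass"

    @staticmethod
    def drop_reason(pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for net in BOGONS:
            if src in net or dst in net:
                return f"reserved range {net}"
        if pkt.direction == "in" and src in SITE:
            return "inbound packet spoofing an inside source"
        if pkt.direction == "out" and src not in SITE:
            return "outbound packet with a source address we do not own"
        if pkt.direction == "in" and dst == SITE.broadcast_address:
            return "inbound directed broadcast (Smurf amplifier)"
        if pkt.direction == "in" and pkt.proto == "udp":
            if pkt.dport in UDP_REFLECTORS:
                return f"udp/{pkt.dport} echo/chargen disabled"
            if pkt.dport < UDP_LOW_PORT_LIMIT and pkt.dport not in UDP_ALLOWED_LOW_PORTS:
                return f"unused low udp port {pkt.dport}"
        return ""


# Constructed sample traffic: one packet per rule, plus two that should pass.
SAMPLE_PACKETS = [
    Packet("in", "192.0.2.5", "192.0.2.10", "tcp", 80),        # claims to be one of ours
    Packet("out", "10.1.2.3", "198.51.100.1", "tcp", 80),      # private source leaking out
    Packet("out", "203.0.113.9", "198.51.100.1", "udp", 53),   # our host spoofing someone else
    Packet("in", "198.51.100.1", "192.0.2.10", "udp", 19),     # chargen probe
    Packet("in", "198.51.100.1", "192.0.2.255", "icmp"),       # echo request to our broadcast
    Packet("in", "198.51.100.1", "192.0.2.10", "udp", 53),     # DNS query, allowed
    Packet("out", "192.0.2.10", "198.51.100.1", "tcp", 443),   # normal outbound
]


def run_samples() -> List[str]:
    """Run the sample packets through a fresh filter; return the verdicts in order."""
    f = BorderFilter()
    verdicts = [f.decide(p) for p in SAMPLE_PACKETS]
    for p, reason in f.dropped:
        print(f"DROP {p.direction:3} {p.src} -> {p.dst} {p.proto}/{p.dport}: {reason}")
    return verdicts


if __name__ == "__main__":
    run_samples()
```

The egress rule is the one that protects everyone else: a site that enforces it cannot emit the spoofed packets that SYN floods, UDP echo/chargen loops and Smurf all rely on, which is the "prevention of becoming the source of an attack" the earlier slide asks for.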
Defenses
Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed
System should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)
Defenses
Train your system and network administrators
Read security bulletins, e.g. www.cert.org, www.sans.org, www.eEye.com
From time to time, follow the attacker community to stay informed about their latest tools
Stay in contact with your ISP; when your network is under attack, this can save a lot of time
Conclusion
Several examples of large-scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon)
An increasing number of consumers with high-bandwidth connections but poor knowledge of network security
Easily accessible, easy-to-use DoS attack tools
No final solution for these attacks
This tutorial is based on a research paper done for isitworking.com
Isitworking is part of the Biopop company, Charlotte, NC, USA
So far, it has been presented at:
  SSGRR 2002w, L'Aquila, Italy
  YU-INFO 2002, Kopaonik, Serbia