Dos

(Denial of Services)

Aamir Wahid

September 23rd 2004

What is DoS Attack

• A DoS attack can disrupts or completely denies service to legitimate users, networks, systems, or other resources.”

• Can last from a few minutes to several days

Types of DoS Bandwidth Consumption

Network FloodingT3 vs. 56K

Amplifying AttackUsing multiple sites for attack

Distributed DoS Attacks

More effective than DoS Attacks Multiple sources for attack Tribe Flood Network, Trinoo, TFN2K

Zombie:A computer that has been implanted with a daemon that puts it under the control of a

malicious hacker without the knowledge of the computer owner.

Some History

DoS Tools: Single-source, single target tools IP source address spoofing Packet amplification (e.g., smurf)

Deployment: Widespread scanning and exploitation via

scripted tools Hand-installed tools and toolkits on compromised

hosts (unix) Use:

Hand executed on source host

BP (Before Pain) – Pre - 1990

The danger grows - 1999

DoS Tools: Multiple-source, single target tools Distributed attack networks (handler/agent) DDoS attacks

Deployment: Hand-selected, hard-coded handlers Scripted agent installation (unix)

DoS Attack in 2000

Example SYN Flood Attack February 5th . 11th, 2000 Yahoo, eBay, CNN, E*Trade, ZDNet, Datek and

Buy.com all hit Attacks allegedly perpetrated by teenagers Used compromised systems at UCSB

•May 4th-20th, 2001•Gibson Research Corporationwww.grc.com/dos/intro.htm

DDoS attack from 474 machines• Completely saturated two T1s• 13-year-old claimed responsibility

Detailed Account of DDoS

DoS Attacks on the Rise

24%27%

38%

0%

5%

10%

15%

20%

25%

30%

35%

40%

1999 2000 2001 2003

Frequency of DoS attacks increased 60% over the last three years…and still rising

Common forms of DoS•Buffer Overflow Attacks

•SYN Attack

•Teardrop Attack

•Smurf Attack

•Viruses

•Physical Infrastructure Attack

Buffer Overflow Attacks

Buffer overflow is an attempt to stuff to much information into a space in a computers memory.

Examples Sending e-mails that have attachments with

256-character file names to Netscape and Microsoft mail programs.

Sending large (ICMP) packets (this can be known as the Ping of Death attack)

What is a SYN Flood?

Send spoofed SYN packets to system System responds with SYN/ACK Never receives final connection Backlog in connection queue

Web servers are particularly vulnerableHow to Detect SYN attack netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l

Smurf Attack Amplification attack Sends ICMP ECHO to network

Network sends response to victim system

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion

VirusesComputer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targetted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can be hardly noticeable ranging all the way through disastrous.

Physical Infrastructure Attacks fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.

Impact of DoS Attacks Loss of Revenue

cont …

Costs of losses from the February 2000 Attacks: $1.2 billion cumulative

Estimated lost business from DDoS attacks at Amazon.com:

$200-300K/hour

Estimated costs of 24-hour outages:Brokerage Firm

$156 million

Cisco $30 millioneBay $4.5 millionAirline $2.1 million

Estimated cost of lost user access from one medium-grade attack:

$23K

Sources: Forrester, Yankee Group, IDC

•Damage to Corporate Image and Brand•Cost of Over-engineering Network Resources•Cost to diagnose and rebuild systems

•Forensic cost estimated by University of Washington to be $22,000 per event

•Violation of service level agreements (SLAs)•Risk of litigation•Increase in insurance protection

Impact of DoS Attacks

Why Defense is Difficult

• SYN packets are part of normal traffic• Source IP addresses can be faked• SYN packets are small• Lengthy timeout period

Possible Defenses

Increase size of connections table Add more servers Trace attack back to source Deploy firewalls employing SYN flood defense

Who Offers a Defense?

PIX by Cisco Firewall-1 by Checkpoint Netscreen 100 by Netscreen AppSafe/AppSwitch by Top Layer

How Bad Can It Get?

Theoretical maximums for attackers using: Analog modem: 87 SYNs/sec ISDN, Cable, DSL: 200 SYNs/sec T1: 2,343 SYNs/sec 474 hacked systems 94,800 SYNs/sec

How Much Do You Need?

Single firewall for attacker with

single ISDN, DSL, or T1 Multiple parallel units for higher bandwidth Transparent. mode permits rapid

deployment

Conclusion

SYN floods are nasty Firewalls with SYN flood defense

can successfully counter attacks Multiple or distributed attacks may

require multiple parallel firewalls

In Summary

Thank You