
Transcript of Alex Ramos

Page 1: Alex Ramos

Federal Network Systems, LLC

CIS Network Security
Instructor: Professor Mort Anvair

Notice: Use and Disclosure of Data. Limited Data Rights. This proposal includes data that shall not be disclosed outside Strayer University and shall not be duplicated, used, or disclosed–in whole or in part–for any purpose other than to evaluate this oral presentation.

July 24, 2004

Alex Ramos
Denial Of Service

Page 2: Alex Ramos

Agenda

• What is a Denial of Service Attack?
• What is a Distributed Denial of Service Attack?
• Why Are They Difficult to Protect Against?
• Types of Denial of Service Attacks
• Tools for Running Denial of Service Attacks
• Preventing Denial of Service Attacks
• Summary

Page 3: Alex Ramos


What is a Denial Of Service Attack?

An attack that is specifically designed to prevent the normal functioning of a system, and thereby to prevent lawful access to that system and its data by its authorized users. DOS can be caused by the destruction or modification of data, by bringing down the system, or by overloading the system's servers to the extent that service to authorized users is delayed or prevented. www.itsecurity.com/ds.htm

• DoS goals

– Flooding a network to prevent legitimate network traffic

– Disrupting connections between two specific machines

– Preventing a service access to a specific entity or to all individuals

Page 4: Alex Ramos

What is a Distributed Denial of Service Attack?

• Use of several to thousands of machines to initiate a Denial of Service attack
• “Zombies” or “User Controlled”
• Yahoo!, eBay, and Amazon were struck with DDoS in February 2000.
• Most go unreported
• Most common form of attack on the Internet today
• Recent study showed more than 12000 DoS (DDoS) attacks during a 3 week period.
– Actual number is probably higher

Page 5: Alex Ramos


Costs of a Distributed Denial of Service Attack

Page 6: Alex Ramos


Costs of a Distributed Denial of Service Attack

• Problem: Need a robust and automatic way of classifying DoS attacks into these two classes: single- and multi-source.

• Because: Different types of attacks (single- or multi-source) are handled differently.

• Classification is not easy. For instance, packets can be spoofed by attacker.
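The classification problem on this slide (single-source versus multi-source, with spoofing in the way) can be made concrete with a small flow-record analysis. The following is an added example written for this transcript, not code from the presentation: it takes records of (source address, TTL as seen at the victim) and applies two constructed heuristics, a high ratio of distinct sources to packets, and far fewer distinct TTL values than distinct sources, as hints that the "many sources" are really one spoofing host. The address ranges, thresholds and sample attacks are all assumptions of the example.

```python
from collections import Counter

# Constructed sample attacks (documentation address ranges, not from the slides).
# Each record is (source IP as seen at the victim, IP TTL on arrival).
SINGLE_SOURCE = [("203.0.113.7", 57)] * 40
# Eight real zombies, each reused many times, each with its own path length.
MULTI_SOURCE = [("198.51.100.%d" % (10 + i % 8), 60 + i % 8) for i in range(40)]
# Random spoofing: a fresh source address on every packet, but a constant TTL
# because every packet really left the same machine over the same path.
SPOOFED = [("192.0.2.%d" % (i + 1), 57) for i in range(40)]


def classify_attack(records, spoof_ratio=0.5):
    """Classify a flood as single-source, multi-source, or multi-source but
    probably spoofed.  The two spoofing signals are assumptions of this
    example, not a method from the presentation:
      * distinct_sources / packets close to 1 (random-spoofed floods rarely
        repeat an address, real zombies repeat theirs many times);
      * far fewer distinct TTL values than distinct sources (many hosts on
        many paths would not all arrive with the same TTL).
    """
    if not records:
        return {"class": "no traffic", "packets": 0, "sources": 0, "ttl_values": 0}
    sources = Counter(src for src, _ in records)
    ttl_values = {ttl for _, ttl in records}
    result = {"packets": len(records), "sources": len(sources),
              "ttl_values": len(ttl_values)}
    if len(sources) == 1:
        result["class"] = "single-source"
        return result
    ratio = len(sources) / len(records)
    few_ttls = len(ttl_values) * 4 < len(sources)
    if ratio >= spoof_ratio or few_ttls:
        result["class"] = "multi-source (likely spoofed)"
    else:
        result["class"] = "multi-source"
    return result


if __name__ == "__main__":
    for name, sample in (("single", SINGLE_SOURCE), ("multi", MULTI_SOURCE),
                         ("spoofed", SPOOFED)):
        print(name, classify_attack(sample))
```

Because the two classes are handled differently (rate-limiting one address versus absorbing a distributed flood), the useful output is the whole summary dictionary rather than only the label; an operator who sees "40 sources, 1 TTL value" knows which case they are really in.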

Page 7: Alex Ramos


Video Demonstration of a Healthy Network

Page 8: Alex Ramos


Video Demonstration of a Distributed Denial of Service Attack

Page 9: Alex Ramos


Video Demonstration of a Distributed Denial of Service Attack (Reflector Type)

Page 10: Alex Ramos

Why Are They Difficult To Protect Against?

• Minimize the threats but fully protect
• Threats are always there
• Trade-offs between security and functionality
• Resources used to protect against DDoS
– Costly
– Time consuming
– Restrictive

Page 11: Alex Ramos

Types of Denial of Service Attacks?

• Ping of Death
– Sends very large ping packets to a host machine
– Causes the operating system to hang or crash
– Unix command
• ping -s 65527 (IP address of the victim’s machine)
– DOS command
• ping -l 65527 (IP address of the victim’s machine)

Page 12: Alex Ramos

Types of Denial of Service Attacks?

• SSPing
– Sends fragmented, oversized ICMP data packets
– Victim computers try to put the fragmented data back together
– Causes the operating system to hang or crash
– Affects Windows 95, NT, and older versions of the Mac OS
– Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack

Page 13: Alex Ramos

Types of Denial of Service Attacks?

• Smurf
– Involves forged ICMP packets sent to a broadcast address
– Symptoms: everybody connected gets bogged down and kicked off; the attack can last for hours or days.
– Causes the operating system to hang or crash
– Affects most OSes and routers
– Protection
• No real protection

Page 14: Alex Ramos

Types of Denial of Service Attacks?

• Land
• Program that sends a TCP SYN packet where the target and source address are the same and the port numbers are the same
• SYN packets are used to synchronize 2 machines
• The attacking machine exploits the synchronization process by spoofing the destination PC: when the destination PC tries to sync with an address the same as its own, it doesn’t know what to do.
• Affects most operating systems
• Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack

Page 15: Alex Ramos

Types of Denial of Service Attacks?

• SYN Flood
– Attacker violates the 3-way handshake and opens a large number of half-open TCP/IP connections.
– Affects most OS
– Causes the operating system to hang or crash
– Affects Windows 95, NT, and older versions of the Mac OS
– Protection
• Patches for affected operating systems
– Updated version of the TCP/IP stack
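The half-open connections this slide describes are visible from the defender's side as SYNs that never receive their final ACK. As an added example (not code from the presentation), here is a trace analyser that tracks the 3-way handshake per client, expires entries the server would have given up on, and raises an alert when the number of half-open connections crosses a threshold. The packet trace, server address, timeout and threshold are constructed values chosen for this example.

```python
# Constructed packet trace: (time in seconds, source, destination, TCP flags).
# Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.  Addresses are documentation
# ranges chosen for this example, not taken from the slides.
SERVER = "192.0.2.10"
TRACE = [
    (0.0, "198.51.100.5", SERVER, "S"),      # legitimate client opens a connection
    (0.05, SERVER, "198.51.100.5", "SA"),
    (0.1, "198.51.100.5", SERVER, "A"),      # handshake completed
] + [
    # Eight SYNs from eight different sources that never send the final ACK,
    # i.e. the half-open connections a SYN flood leaves behind.
    (1.0 + 0.1 * i, "203.0.113.%d" % (i + 1), SERVER, "S") for i in range(8)
] + [
    (10.0, "198.51.100.6", SERVER, "S"),     # a later legitimate SYN
]


def analyze_trace(packets, server=SERVER, timeout=3.0, threshold=5):
    """Walk the trace in time order and track handshakes toward `server`.

    A client enters `pending` on its SYN and leaves it on its ACK (handshake
    complete) or after `timeout` seconds (the server's own SYN-RECEIVED timer,
    assumed for this example).  An alert is recorded each time the count of
    half-open connections rises above `threshold`.
    """
    pending = {}      # client address -> time of its SYN
    alerts = []       # (time, half-open count) when the threshold is crossed
    above = False
    for t, src, dst, flags in packets:
        # Expire half-open entries the server would already have discarded.
        for client, t_syn in list(pending.items()):
            if t - t_syn > timeout:
                del pending[client]
        if dst != server:
            continue  # the server's own SYN-ACKs and unrelated traffic
        if flags == "S":
            pending[src] = t
        elif flags == "A" and src in pending:
            del pending[src]  # third step of the handshake: no longer half-open
        count = len(pending)
        if count > threshold and not above:
            alerts.append((t, count))
            above = True
        elif count <= threshold:
            above = False
    return {"alerts": alerts, "half_open_at_end": len(pending)}


if __name__ == "__main__":
    print(analyze_trace(TRACE))
```

The same bookkeeping is what a SYN-flood mitigation (SYN cookies, or a shortened half-open timeout in a patched TCP/IP stack) relieves the host of: once the backlog is bounded, the count this script watches stops growing without limit.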

Page 16: Alex Ramos

Tools for Running Denial Of Service Attacks?

• Trinoo
• Tribal Flood Network
• Stacheldraht
• Shaft
• MStream
• Tribal Flood Network 2000
– All the tools are similar in function
– All the tools here are mainly used on Unix-type machines

Page 17: Alex Ramos

Tools for Running Denial Of Service Attacks?

• Tribal Flood Network 2000
– Communicates via TCP (random ports), UDP (random ports), ICMP (Echo Replies), or all three at random. The daemon never communicates with the master. The master sends all commands twenty times in order to make sure that they're received. TFN2K also will send out decoy packets: messages to random machines so that it's not clear which machines are clients. Commands are encrypted using CAST-256 via a password specified at compile time. All packets are spoofed by default.
– Can attack using a SYN attack, UDP flood, ICMP flood, or Smurf attacks. The daemon can be set to randomly alternate between each attack type.

Page 18: Alex Ramos

Preventing Denial of Service Attacks?

• Nothing can be done to entirely prevent DoS
• Minimize the dangers
– Effective and robust design
– Bandwidth limitations
– Keep systems patched
– Run the least amount of services
– Allow only necessary traffic
– Block IP addresses

Page 19: Alex Ramos

Preventing Denial of Service Attacks?

• Nothing can be done to entirely prevent DoS
• Minimize the dangers
– Effective and robust design
– Bandwidth limitations
• Implement egress and ingress filtering
• Implement rate limit on ICMP packets
• Implement rate limit on SYN packets
– Keep systems patched
– Run the least amount of services
– Allow only necessary traffic
– Block IP addresses
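The bandwidth-limitation sub-bullets on this slide (egress and ingress filtering, rate limits on ICMP and SYN packets) and the "block IP addresses" item can be shown as one border-filter policy. The following is an added example written for this transcript, not code from the presentation or from any firewall product: it models a filter at the network border with a token-bucket rate limiter, applies ingress filtering (a packet from outside must not claim an inside source address), egress filtering (a packet leaving must carry one of our own addresses), a Land-packet check from the earlier slide, and a small block list. The internal prefix, blocked address, bucket rates and sample packets are all constructed assumptions.

```python
import ipaddress

# Constructed example values (documentation ranges, not from the slides).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")      # our own address space
BLOCKED = {ipaddress.ip_address("203.0.113.66")}      # "Block IP addresses"


class TokenBucket:
    """Rate limiter: `rate` tokens per second, at most `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BorderFilter:
    """One decision per packet; the first matching rule wins."""

    def __init__(self, internal=INTERNAL, blocked=BLOCKED,
                 syn_per_sec=2.0, icmp_per_sec=1.0, burst=3):
        self.internal, self.blocked = internal, blocked
        self.syn_bucket = TokenBucket(syn_per_sec, burst)
        self.icmp_bucket = TokenBucket(icmp_per_sec, burst)

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        # Land packet: identical source/destination address and port.
        if src == dst and pkt.get("sport") == pkt.get("dport"):
            return "drop: land packet"
        # Ingress filtering: packets arriving from outside must not claim an
        # inside source address (spoofed, or a reflected copy of our own traffic).
        if pkt["dir"] == "in" and src in self.internal:
            return "drop: ingress filter (spoofed internal source)"
        # Egress filtering: packets leaving must carry one of our addresses, so
        # a compromised inside host cannot take part in a spoofed flood.
        if pkt["dir"] == "out" and src not in self.internal:
            return "drop: egress filter (spoofed source leaving network)"
        if src in self.blocked:
            return "drop: blocked address"
        if pkt["proto"] == "icmp":
            return "accept" if self.icmp_bucket.allow(pkt["t"]) else "drop: icmp rate limit"
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            return "accept" if self.syn_bucket.allow(pkt["t"]) else "drop: syn rate limit"
        return "accept"


def tcp_syn(t, src, dst, direction="in", sport=40000, dport=80):
    return {"t": t, "dir": direction, "proto": "tcp", "flags": "S",
            "src": src, "dst": dst, "sport": sport, "dport": dport}


# Constructed traffic sample, in time order.
SAMPLE_PACKETS = [
    tcp_syn(0.0, "198.51.100.7", "192.0.2.10"),                    # ordinary SYN
    tcp_syn(0.0, "192.0.2.55", "192.0.2.10"),                      # outside, inside source
    {"t": 0.0, "dir": "out", "proto": "udp",
     "src": "203.0.113.9", "dst": "198.51.100.1"},                 # leaving with foreign source
    tcp_syn(0.0, "192.0.2.10", "192.0.2.10", sport=80, dport=80),  # Land packet
    tcp_syn(0.0, "203.0.113.66", "192.0.2.10"),                    # blocked address
] + [
    tcp_syn(0.1 * i, "198.51.100.%d" % (20 + i), "192.0.2.10") for i in range(1, 5)
] + [
    {"t": 1.0, "dir": "in", "proto": "icmp",
     "src": "198.51.100.9", "dst": "192.0.2.10"}
] * 5


def run_filter(packets=SAMPLE_PACKETS):
    f = BorderFilter()
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(pkt["src"], "->", pkt["dst"], verdict)
```

The buckets here are global, which is the simplest form of "rate limit on SYN/ICMP packets" and is also what a flood of spoofed sources forces you into; when sources are real and few, a bucket per source address is the better choice because it stops one host without slowing everyone else.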

Page 20: Alex Ramos


Simple Demo of what a Filter \ Firewall Does

• Typical Connection

• Denial of Service Attack

• Blocking a Denial of Service Attack

Page 21: Alex Ramos

Demonstration of Minimizing Your Computer’s Vulnerability

• Patch Management
• Antivirus
• Layered Security
• Distributed Resources
• Bandwidth Throttling
• Physical Security

Page 22: Alex Ramos

Summary

• What is a Denial of Service Attack?
• What is a Distributed Denial of Service Attack?
• Why Are They Difficult to Protect Against?
• Types of Denial of Service Attacks
• Tools for Running Denial of Service Attacks
• Preventing Denial of Service Attacks