Denial of Service Attacks

Denial of Service Attacks

Denial of service ( DOS )

- Too many requests for a particular web site “clog the pipe” so that no one else can access the site

Possible impacts:May reboot your computer, Slows down computers-Certain sites, Applications become inaccessible

**you are off.

Denial of service ( DOS )

What is Denial of Service Attack?

• “Attack in which the primary goal is to deny the victim(s) access to a particular resource.”

• A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

What is Denial of Service Attack?

6

Case 1: Code Red

• Exploited buffer overflow error in IIS• Several different versions• Date-based

– 1-19th: attempted to infect random IPs– 20-28th: attack whitehouse.gov– After 28th: dormant

• At peak more than 2,000 new hosts were infected each minute

7

Case 2: Sapphire/Slammer

• Fastest virus spread in history• Exploited buffer overflow in MS SQL Server• Used UDP instead of TCP

– Allowed faster spread – no response needed– Limited only by bandwidth

• Problems affected customers, ex. automatic cash machines

How to take down a restaurant

Saboteur

Restauranteur

Saboteur vs. Restauranteur

Saboteur

RestauranteurTable for fourat 8 o’clock. Name of Mr. Smith.

O.K.,Mr. Smith

Saboteur

Restauranteur

No More Tables!

Categories of DOS attack• Bandwidth attacks • Protocol exceptions • Logic attacks

Bandwidth attacks

• A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.

Protocol exceptions

• A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected.

Logic attacks

• The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking.

Samples• Ping of Death• Smurf & Fraggle• Land attack• Synchronous Flooding

PING OF DEATH A Ping of Death attack uses Internet Control Message

Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture, a normal ping has two messages:

• BUT• With a Ping of Death attack, an echo packet is sent that is

larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot.

• You can perform a Ping of Death from within Linux by typing ping –f –s 65537.

• Note the use of the –f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target.

Tools:- -Jolt -SPing-ICMP Bug -IceNewk

PING OF DEATH

Smurf and Fraggle

A Smurf attack is another DoS attack that uses ICMP. Here, a request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.

• If the broadcast ping cannot be sent to a network, a Smurf amplifier is used. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. NMap provides the capability to detect whether a network can be used as a Smurf amplifier.

Smurf and Fraggle

• A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.

Smurf and Fraggle

LAND Attack

• In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack.

HPing can be used to craft packets with the same spoofed source and destination address.

SYN_Received هنگامی که قربانی در حالت• SYN/ACKقرار دارد، منتظر دریافت بسته ی

دریافت می کندACKاست در حالی که

مهاجمSYN_RECIEVED

Waiting for SYN/ACKNot ACK

SYN

ACKSYN_RECIEVED

قربانی

LAND Attack

بهروز ) دکتر کامپوتری های شبکه در امنیتالدانی (1386ترک

را دریافت می کند، SYN هنگامی که قربانی• می ACKشماره ترتیب را به روز کرده،

فرستد، سپس بسته ای با شماره ترتیب مشابه دریافت می کند و آن را با همان شماره

ترتیب برای فرستنده می فرستد تا توسط او اصالح شود

چون شماره ترتیب هرگز به روز نمی شود، •قربانی دچار حلقه بی نهایت می شود!

LAND Attack

قربانی

مهاجم

Waiting for updated SN

SYN

ACK

SN=x

SN=y

SN=yACK

LAND Attack

Synchronous flood• A SYN flood is one of the oldest and yet still most effective DoS

attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.

but in our case the using of the syn flood for the 3 way handshaking is taking another deal, that is the attacker host will send a flood of syn packet but will not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled.

Synchronous flood

With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a

packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open

(embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication

can take place until

• the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.

Synchronous flood

• SYN floods are still successful today for three reasons:

1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.

2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.

3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.

Synchronous flood

Return to our Restaurant

“TCP connection, please.”

“O.K. Please send ack.”

“TCP connection, please.”

“O.K. Please send ack.”

Buffer

IP Packet optionsدر این روش برخی از فیلد های انتخابی بسته •

به صورت تصادفی تغییر داده می شوند و .بسته حاصل برای قربانی ارسال می شود

می یکبیت های مربوط به کیفیت خدمات •شوند

می شودCPUباعث باال رفتن زمان پردازش •

Tear drop در اثر یک افراز غلط، IP در این حمله بسته ی•

به قطعه هایی تقسیم می شود که همپوشانی دارند

قربانی نمی تواند این بسته را دوباره از قطعه •هایش بسازد

" صفحه ی آبی مرگباعث می شود سیستم "• شودrebootرا مشاهده کند و در نتیجه باید

Tear drop

A new Classification• Now we may categorize the DOS in to 3 parts

depending on the number of characters:– Single-tier DoS Attacks– Dual-tier DoS Attacks– Triple-tier DDoS Attacks

Single-tier DoS Attacks– Straightforward 'point-to-point' attack, that means

we have 2 actors: hacker and victim.– Examples

• Ping of Death• SYN floods• Other malformed packet attacks

Single-tier DoS Attacks

Dual-tier DoS Attacks– More complex attack model– Difficult for victim to trace and identify attacker– Examples

• Smurf

Dual-tier DoS Attacks

Triple-tier DDoS Attacks– Highly complex attack model, known as Distributed Denial

of Service (DDoS).– DDoS exploits vulnerabilities in the very fabric of the

Internet, making it virtually impossible to protect your networks against this level of attack.

– Examples• TFN2K• Stacheldraht• Mstream

Components of a DDoS Flood Network

– Attacker• Often a hacker with good networking and routing

knowledge.– Master servers

• Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts.

– Zombie hosts• Thousands of backdoored hosts over the world

Triple-tier DDoS Attacks

Results expected

• Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise.

• Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack“. For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

Defense

Internet Service Providers• Deploy source address anti-spoof filters (very

important!).• Turn off directed broadcasts.• Develop security relationships with neighbor ISPs.• Develop traffic volume monitoring techniques.

High loaded machines• Look for too much traffic to a particular destination.• Learn to look for traffic to that destination at your

border routers (access routers, peers, exchange points, etc.).

• Can we automate the tools – too many queue drops on an access router will trigger source detection.

• Disable and filter out all unused UDP services.

Also

• Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed

• System should be checked periodically for presence of malicious software (Trojan horses, viruses, worms, back doors, etc.)

• Train your system and network administrators• Read security bulletins like:

www.cert.org, www.sans.org, www.eEye.com• From time to time listen on to attacker

community to be informed about their latest achievements.

• Be in contact with your ISP. In case that your network is being attacked, this can save a lot of time

Also

references [.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html

Article by Christopher Klaus, including a "solution".

[.2.] http://jya.com/floodd.txt2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

[.3.] http://www.fc.net/phrack/files/p48/p48-14.htmlIP-spoofing Demystified by daemon9 / route / infinityfor Phrack Magazine

[.4.]http://www.gao.gov/new.items/d011073t.pdf [.5.]http://www.cl.cam.ac.uk/~rc277/

[.6.]http://www.cert.org/reports/dsit_workshop.pdf

[.7.]http://staff.washington.edu/dittrich/misc/tfn.analysis