
Page 1: Ddos  Attacks

DDOS ATTACKS

Ali Kapucu July 29th 2013

Page 2: Ddos  Attacks

Who is your Speaker?

• Ali Kapucu
• Network Design Engineer at KSU
• Penetration Tester
• Information Security Consultant
• CS Master Student

Page 3: Ddos  Attacks

Agenda

• DDoS Definition
• DDoS Motivations
• DDoS Flavors
  – Standard Attacks
  – Botnets
  – Sophisticated attacks
  – DDoS Flavors - Future (now)
• How to defend

Page 4: Ddos  Attacks

DDoS Definition?

Page 5: Ddos  Attacks

DoS - DDoS Definition???

• Denial of Service attacks attempt to negate service by
  – exhausting the resources at the victim side (such as network bandwidth, CPU, memory, etc.),
  – forcing victim equipment into a non-operational state,
  – hijacking victim equipment/resources for malicious goals.

• A Distributed Denial of Service (DDoS) attack is a special case of DoS in which multiple distributed network nodes (zombies) are used to multiply the DoS effect.

Page 6: Ddos  Attacks

Basically DDoS Definition???

15 fat men trying to get through a revolving door at the same time

Page 7: Ddos  Attacks

DDoS Motivations?

• DDoS is the act of taking down a service
• Political
  – Groups like LulzSec and Anonymous have repeatedly brought down popular websites of corporations and governments
• Monetary – money talks
  – Telephony DDoS is used frequently to hold corporations to ransom
• International “relations”
  – Iran has targeted the US with DDoS attacks repeatedly
• No longer a kids' game

Page 8: Ddos  Attacks

DDoS Flavors: “Classic” DDoS, a.k.a. Floods

• SYN flooding, UDP bombs, fragment floods, direct/indirect ARP floods
• Still work great, however less savvy
• Countermeasures include protections built into network devices, rate limiting, and proxy techniques (SYN cookies)

Botnets

• Slightly more advanced
• Stateful TCP (three-way handshake only)
• DNS request flooding
• Fragments that add up to almost full packets

Page 9: Ddos  Attacks

DDoS Examples: SYN Flood

Attacker (spoofing unused address A)          Server B

A->B: SYN
B->A: SYN & ACK        (B creates a connection object)
A->B: SYN
B->A: SYN & ACK        (B creates a connection object)
...

The attacker sends a large number of SYN packets with a spoofed source address (the unused address A), initiating the creation of a large number of connection objects on B that are never completed.
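The server-side countermeasure named on the previous slide, SYN cookies, as an added Python example that is not part of the presentation: the server answers every SYN with an initial sequence number that encodes a time counter, an MSS table index and a keyed MAC over the 4-tuple, stores nothing, and only allocates a connection object when a client's final ACK carries a valid cookie. The secret and the four-entry MSS table are constructed for this example.

```python
import hashlib
import hmac

# Constructed secret for this example; a real TCP stack uses a random per-boot secret.
SECRET = b"example-only-syn-cookie-secret"

# Cookie layout (Bernstein's scheme): top 5 bits = 64-second time counter mod 32,
# next 3 bits = index into a small MSS table, low 24 bits = MAC over the 4-tuple,
# the counter and the MSS index. The server keeps no state per SYN.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(src, dst, t, mss_idx):
    """24-bit keyed MAC binding the cookie to (src ip, src port, dst ip, dst port, t, mss_idx)."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{t}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, client_mss, now):
    """Initial sequence number for the SYN/ACK; nothing is stored for this SYN."""
    t = (int(now) // 64) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry <= what the client offered
        if mss <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _mac24(src, dst, t, mss_idx)


def check_syn_cookie(ack_number, src, dst, now, max_age_slots=2):
    """Validate the client's final ACK. Return the negotiated MSS, or None if the cookie is
    forged, stale or bound to a different 4-tuple. Only a valid ACK creates a connection object."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges our ISN + 1
    t, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((int(now) // 64) & 0x1F) - t) & 0x1F
    if age > max_age_slots:
        return None
    expected = _mac24(src, dst, t, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

Because the spoofed SYNs on the slide never produce a matching ACK, none of them consume server memory under this scheme; the cost is that TCP options outside the small MSS table are not remembered.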

Page 10: Ddos  Attacks

Botnets

• The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet without you knowing it.

• Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet.

• Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.

Page 11: Ddos  Attacks

Botnets

• They used to communicate through IRC channels
• Nowadays analyzing botnets is very difficult because their communication has moved to the HTTP level
• The Dutch police found a 1.5 million node botnet
• Telenor – Norwegian ISP – disbanded a 10,000 node botnet

Page 12: Ddos  Attacks

Botnets

Page 13: Ddos  Attacks

Volunteer soldiers

Page 14: Ddos  Attacks

DDoS Flavors: Application Level DDoS

• Much more intelligent: targets flaws in the upper layers of the OSI stack; typically less bandwidth intensive
• Slowloris
  – Focused on design flaws in the HTTP spec
  – Holds connections open indefinitely
• Selective URL attacks
  – Hit the slowest responding URL/page on the website
  – Vary the URL for each request so that there is no discernible pattern
• Reverse proxies
  – Can be slowed down to 1/8th of their speed with repeated cache misses
• Multi-layer attacks
  – Zero window + HTTP GET flooding in one session
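Detection logic for the Slowloris behaviour described above, as an added Python example that is not from the presentation: a Slowloris socket never sends the empty line that terminates an HTTP/1.x request header, so a server-side check can flag sources holding many connections whose header is still incomplete long after they opened. The connection snapshot, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed snapshot of a web server's open connections: one record per socket with the
# client address, when it was opened, and the raw request bytes received so far.
NOW = 1000.0
CONNECTIONS = [
    # Ordinary clients: a complete request header arrived within a fraction of a second.
    {"ip": "198.51.100.20", "opened": NOW - 0.4, "buf": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"ip": "198.51.100.21", "opened": NOW - 1.1, "buf": b"GET /a HTTP/1.1\r\nHost: www\r\n\r\n"},
    # One genuinely slow client: header still incomplete, but it holds a single connection.
    {"ip": "198.51.100.22", "opened": NOW - 45.0, "buf": b"POST /u HTTP/1.1\r\nHost: www\r\nX-A: 1\r\n"},
]
# Slowloris-style: many sockets from one source, each with a header that is never terminated
# and kept alive by a trickle of bogus header lines.
for i in range(12):
    CONNECTIONS.append({"ip": "192.0.2.77", "opened": NOW - 90.0 - i,
                        "buf": b"GET / HTTP/1.1\r\nHost: www\r\n" + b"X-a: b\r\n" * (i + 1)})


def header_incomplete(buf):
    """HTTP/1.x request headers end with an empty line; until then the server must keep waiting."""
    return b"\r\n\r\n" not in buf


def find_slow_header_sources(conns, now=NOW, idle_threshold=30.0, max_pending_per_ip=5):
    """Return {ip: count} for sources holding more than max_pending_per_ip connections whose
    request header is still incomplete after idle_threshold seconds (candidates for a per-IP
    connection cap or a header-read timeout)."""
    pending = defaultdict(int)
    for c in conns:
        if header_incomplete(c["buf"]) and now - c["opened"] > idle_threshold:
            pending[c["ip"]] += 1
    return {ip: n for ip, n in pending.items() if n > max_pending_per_ip}
```

The per-IP count matters: a single slow legitimate client is not flagged, while the source holding a dozen unfinished headers is.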

Page 15: Ddos  Attacks

New Rock Star - DNS Amplifications

Page 16: Ddos  Attacks

During the DDoS

Page 17: Ddos  Attacks

DDoS Flavors: Telephony DDoS

• Many different types; used for extortion of call centers
• SIP flooding
  – Similar to DNS flooding
• IVR walking
  – Call the 800 number, navigate the menu for days on end, never talk to a person
• Bounce attacks
  – Use a misconfigured SBC to send spoofed INVITEs that cause RTP floods on the target

Page 18: Ddos  Attacks

How to Defend

• Develop a checklist for standard operating procedures
• Be friendly with your ISP
• Identify and prioritize critical services
• Make sure critical systems have sufficient capacity
• You should/must/have to know your network map, diagrams, connection types, capacities
• Implement a bogus (bogon) IP address block list
• Service screening from the firewall to the edge router
• Separate your services. Do not keep all the services under the “server”
• Be smart
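The bogus IP block list and edge screening items from the checklist, as an added Python example that is not from the presentation: inbound sources are dropped if they fall in special-use or unallocated space (the bogon list) or if they claim an address from our own prefix, which can only be a spoof when seen on the Internet-facing interface. The prefix we "own", the sample flow log and the choice to leave the RFC 5737 documentation nets out of the bogon list are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Source prefixes that should never arrive on an Internet-facing interface: unallocated
# and special-use space, RFC 1918, CGNAT, loopback, link-local, benchmarking, multicast, class E.
# The documentation nets (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are deliberately left
# out here so the constructed sample below can use them as stand-ins for public space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]

# Assumption: the prefix this site owns. A packet from the Internet claiming a source inside
# it is spoofed (the anti-spoofing / ingress-filtering half of edge screening).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def screen_source(src):
    """Verdict for one inbound packet's source address on the edge router's outside interface."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop-bogon"
    if ip in OUR_PREFIX:
        return "drop-spoofed-own-prefix"
    return "allow"


def screen_log(lines):
    """lines are 'src dst proto/port' flow records. Returns (verdict counts, dropped (src, verdict))."""
    counts = Counter()
    drops = []
    for line in lines:
        src = line.split()[0]
        verdict = screen_source(src)
        counts[verdict] += 1
        if verdict != "allow":
            drops.append((src, verdict))
    return counts, drops


# Constructed flow log as it might be exported from the edge router.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 tcp/80
10.4.4.4 203.0.113.10 tcp/80
203.0.113.99 203.0.113.10 tcp/80
192.0.2.200 203.0.113.10 udp/53
0.1.2.3 203.0.113.10 tcp/443
""".splitlines()
```

Rather than blocking individual attacker addresses, which a spoofing flood changes at will, this discards whole address classes that have no legitimate reason to reach the edge, which is why the slide lists it before service-specific screening.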

Page 19: Ddos  Attacks

DDoS Flavors - Future

• Smartphone revolution puts us at roughly the 2001 security time frame
• 1000s of mobile malware apps available
• Mobile botnets are a real thing today already
• Carriers struggling with basic visibility into core 3G and LTE networks
• Structure of 3G/LTE places trust in the handset
  – Handset can dictate throughput, features, bearers, etc.
• 3G/4G core is a ripe target for DDoS

Page 20: Ddos  Attacks

Questions???

Thanks