The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

Slides:



Advertisements
Similar presentations
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG Dearborn,
Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
COEN 252: Computer Forensics Router Investigation.
Lecture 15 Denial of Service Attacks
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
Chapter 9 Phase 3: Denial-of-Service Attacks. Fig 9.1 Denial-of-Service attack categories.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
Network Monitoring Tool: Wireshark
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
– Chapter 4 – Secure Routing
Chapter 4: Managing LAN Traffic
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
Network Certification Preparation. Module - 5 Basic troubleshooting of IP addressing issues Basic troubleshooting of RIP and IGRP Basic troubleshooting.
© 2002, Cisco Systems, Inc. All rights reserved..
Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Distributed Denial of Service Attacks
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
________________ CS3235, Nov 2002 (Distributed) Denial of Service Relatively new development. –Feb 2000 saw attacks on Yahoo, buy.com, ebay, Amazon, CNN.
Tracking Rejected Traffic.  When creating Cisco router access lists, one of the greatest downfalls of the log keyword is that it only records matches.
DoS/DDoS attack and defense
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. SANS ‘98 Conference -
Denail of Service(Dos) Attacks & Distributed Denial of Service(DDos) Attacks Chun-Chung Chen.
Denial-of-Service Attacks
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
Instructor Materials Chapter 7: Access Control Lists
Working at a Small-to-Medium Business or ISP – Chapter 8
FIREWALL configuration in linux
Managing IP Traffic with ACLs
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Filtering Spoofed Packets
Chapter 2: Static Routing
Introduction to Networking
Chapter 4: Access Control Lists (ACLs)
Chapter 2: Static Routing
Firewalls Purpose of a Firewall Characteristic of a firewall
Network-Based Denial of Service Attacks
Presentation transcript:

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider Operations BOF _smurf.ppt

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 2 Description of “Smurfing” Newest DoS attack Network-based, fills access pipes Uses ICMP echo/reply packets with broadcast networks to multiply traffic Requires the ability to send spoofed packets Abuses “bounce-sites” to attack victims Traffic multiplied by a factor of 50 to 200

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 3 Description of Smurfing (cont’d)

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 4 Multiplied Bandwidth Perpetrator has T1 bandwidth available (typically a cracked account), and uses half of it (768 Kbps) to send spoofed packets, half to bounce site 1, half to bounce site 2 Bounce site 1 has a switched co-location network of 80 hosts and T3 connection to net Bounce site 2 has a switched co-location network of 100 hosts and T3 connection to net (384 Kbps * 80 hosts) = 30 Mbps outbound traffic for bounce site 1 (384 Kbps * 100 hosts) = 37.5 Mbps outbound traffic for bounce site 2 Victim is pounded with 67.5 Mbps (!) from half a T1!

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 5 Profiles of Participants Typical Perpetrators Cracked superuser account on well-connected enterprise network Superuser account on university residence hall network (Ethernet) Typical PPP dial-up account (for smaller targets) Typical Bounce Sites Large co-location subnets Large switched enterprise subnets Typically scanned for large numbers of responding hosts Typical Victims IRC Users, Operators, and Servers Providers who eliminate troublesome users’ accounts

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 6 Prevention Techniques How to prevent your network from being the source of the attack: Apply filters to each customer network Ingress: Allow only those packets with source addresses within the customer’s assigned netblocks Apply filters to your upstreams Egress: Allow only those packets with source addresses within your netblocks to protect others Ingress: Deny those packets with source addresses within your netblocks to protect yourself This also prevents other forms of attacks as well

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 7 Prevention Techniques How to prevent being a “bounce site”: Turn off directed broadcasts to subnets with 5 hosts or more Cisco: Interface command “no ip directed-broadcast” Proteon: IP protocol configuration “disable directed-broadcast” Bay Networks: Set a false static ARP address for bcast address Use access control lists (if necessary) to prevent ICMP echo requests from entering your network Probably not an elegant solution; makes troubleshooting difficult Encourage vendors to turn off replies for ICMP echos to broadcast addresses Host Requirements RFC-1122 Section states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.” Patches are available for free UNIX-ish operating systems.

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 8 Prevention Techniques If you do become a bounce site: Trace the traffic streams to the edge of your network, and work with your upstream or peer in order to track the stream further MCI’s DoSTracker tool Manual tracing/logging tips

Craig A. Huegen Smurf Attack Description & SupressionNANOG 11 9 Prevention Techniques How to suppress an attack if you’re the victim: Implement ACL’s at network edges to block ICMP echo responses to your high-visibility hosts, such as IRC servers Again, will impair troubleshooting -- “ping” breaks Will still allow your access pipes to fill Work with upstream providers to determine the help they can provide to you Blocking ICMP echoes for high-visibility hosts from coming through your access pipes Tracing attacks

Craig A. Huegen Smurf Attack Description & SupressionNANOG Prevention Techniques Technical help tips for Cisco routers: BugID CSCdj “fast drop” ACL code This bug fix optimizes the way that packets denied by an ACL are dropped within IOS, reducing CPU utilization for large amounts of denied traffic. First major release of integration is 11.1(14)CA Not available in 11.2 yet, but coming BugID CSCdj ACL logging throttles This bug fix places a throttle in IOS which will allow a user to specify the rate at which logging will take place of packets which match a condition in an ACL where “log” or “log-input” is specified. First maintenance release of integration is 11.1(14.1)CA Not available in 11.2 yet, but coming

Craig A. Huegen Smurf Attack Description & SupressionNANOG References White paper on “smurf” attacks: Ingress filtering: ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt MCI’s DoSTracker tool: Other DoS attacks: “Defining Strategies to Protect Against TCP SYN Denial of Service Attacks” “Defining Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks”

Craig A. Huegen Smurf Attack Description & SupressionNANOG Author Craig Huegen -or-

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.