DDoS Attacks: The Latest Threat to Availability. © Sombers Associates, Inc. 2013

Presentation transcript:

DDoS Attacks: The Latest Threat to Availability

The Anatomy of a DDoS Attack

What is a Distributed Denial of Service Attack?
- An attempt to make an Internet service unavailable to its users by saturating the victim machine with external traffic.
- The victim machine either cannot respond to legitimate traffic at all, or is so slow as to be essentially unavailable.
- The traffic arrives from thousands of sources, and the source addresses are often spoofed, so the victim cannot simply block traffic from a known source.
- Such attacks are illegal in most countries.

What is a Distributed Denial of Service Attack? (continued)
- Most malware is aimed at stealing personal information and other data; by itself it does not generally threaten availability.
- DDoS attacks are a major threat to availability: they have been used to take down major sites for days, they are easy to launch, and they are difficult to defend against.
- Motives include revenge, competitive advantage and, as in the bank attacks described later, political or ideological protest.

How Can So Much Traffic Be Generated? By Botnets
- Typical attacks generate about 10 gigabits/sec. of malicious traffic.
  - One PC can generate about one megabit/sec. of traffic.
  - It therefore takes about 10,000 PCs to generate 10 gigabits/sec.
  - This is a botnet.
- A botnet is a collection of computers whose security defenses have been breached and whose control has been conceded to a third party, the bot master.
- The bot master directs the activities of the compromised computers.

How Can So Much Traffic Be Generated? By Botnets (continued)
- More recently, servers have been included in botnets.
- A large server can generate about a gigabit/sec. of malicious traffic, a thousand times that of a PC; ten large servers can generate as much traffic as 10,000 PCs.
- Servers are compromised through vulnerabilities in their network-facing software rather than by tricking a user.
- The latest attacks have generated 100 gigabits/sec. of malicious traffic from a combination of infected PCs and servers.

The Anatomy of a DDoS Attack
- DDoS attackers depend upon infecting thousands of PCs. A typical infection sequence is:
  - a user succumbs to a phishing attack (opens a malicious e-mail attachment or visits a malicious web site).
  - a Trojan is injected into the machine and opens a "back door."
  - a bot is installed on the PC via the back door.
  - the bot establishes a connection to the bot master's command-and-control system and waits for instructions.

Phishing
- Phishing masquerades as a trusted entity in an electronic communication (e-mail, web site).
- Designed to obtain sensitive information such as account numbers and SSNs, either by tricking users into replying to the e-mail or by leading them to a spoofed web site that looks real.
- E-mails can also carry malicious executables or point to malicious web sites; either can infect the PC and is used to inject a Trojan that creates a back door.
- User training: send employees simulated phishing messages that lead to a web site informing them that they have been lured.

Trojans
- A Trojan creates a "back door" that allows unauthorized access to the target computer; its main purpose is to open the host system to access from the Internet.
- Installed via malicious e-mails or Internet applications.
- Consequences: remote control of the computer (botnets); also keystroke logging, data theft and installation of other malware.

The BYOD Conundrum
- Bring Your Own Device (BYOD) makes employee-owned devices the new gateways into corporate networks:
  - employees use smart phones, tablets and notebook computers,
  - conduct their work at home or on the road,
  - and connect from outside the corporate firewall to servers and databases.
- Malware can gain access to a company's network by infecting these devices.
- Mobile malware is becoming a greater threat than direct infection of corporate systems.

Android Devices are the Primary Target
- Mobile malware is most often installed via malicious apps.
- Android is an open operating system modified by each vendor, and its security provisions are often bypassed.
- Hundreds of Android app stores are not vetted by Google.
- The number of malicious apps has grown 800% over the last year; 92% of them are directed at Android devices.
- Apple keeps tight control over apps: each one is reviewed, and unvetted apps cannot be downloaded from the Apple App Store.
- Malware can also be delivered through phishing.

Jail-Broken and Rooted Devices
- Android and iOS prevent apps from using privileged operating-system functions.
- An Android device can be modified by its user to give apps that access (a "rooted" device); some apps require it.
- A rooted Android device can be infected with malware that runs at the operating-system level: Trojans, keyloggers.
- Similarly, an iOS device can be "jail-broken." However, the iOS world is tightly controlled, several security functions must be bypassed, and this is not something the ordinary user does.

Other Mobile Threats
- Compromised Wi-Fi hot spots (coffee shops, airports, hotels):
  - corporate data is exposed whenever an employee logs onto a public Wi-Fi hot spot.
  - hot spots are frequently configured so that anyone on them can see all of the network traffic.
  - commercially available apps provide the network-monitoring capability to do so.
- Poisoned DNS servers:
  - the user must trust the DNS server handed out by the Wi-Fi hot spot.
  - hackers can hijack that DNS server and direct traffic to a malicious web site.
  - the web site can capture the user's private data (passwords, etc.) and download malware to the device.

DDoS Strategies

DDoS Strategies: The Internet Protocol Suite
- Application Layer: used by applications for network communications (HTTP, FTP, SMTP, DNS).
- Transport Layer: end-to-end message transfer (TCP, UDP).
- Internet Layer: best-effort datagram delivery between hosts (IP, with ICMP for error reporting); routers forward at this layer.
- Link Layer: framing and delivery on the local network segment (Ethernet, Wi-Fi; switches and hubs operate here).
- Firewalls inspect traffic at the internet and transport layers (application-aware ones higher still), which is why their state tables are a target.

DDoS Strategies: Attacks Occur at Various Levels
- Network level:
  - the network is bombarded with traffic, consuming all of the bandwidth needed by legitimate requests.
- Infrastructure level:
  - network devices such as firewalls and routers maintain per-connection state in internal tables.
  - the attack fills those state tables, and the devices can no longer handle legitimate traffic.
- Application level:
  - invoke application services that consume processing and disk resources.
  - illegitimate logins.
  - searches and other expensive functions (if the attacker has obtained user names and passwords).
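Detecting the application-level case comes down to watching request rates per source, with a much lower tolerance for the expensive paths (searches, logins, reports). The following is an added example, not code from the original presentation: it runs that check over constructed access-log lines in Apache/nginx combined format. The thresholds, the list of expensive paths and the sample addresses are illustrative assumptions.

```python
"""Rate-based detection of an application-level (GET/POST) flood in web server
access logs. Added example, not code from the original slides. The log lines are
constructed in Apache/nginx combined format and the thresholds are illustrative
assumptions; tune them from your own baseline traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that do real work on the back end (database, authentication). A bot can
# request them as cheaply as a static page, so they get a much lower tolerance.
EXPENSIVE = ("/search", "/login", "/report")


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def _push(window, ts, window_s):
    """Append ts to a per-source sliding window, drop entries older than window_s."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > window_s:
        window.popleft()
    return len(window)


def detect_floods(lines, window_s=10, max_per_window=20, max_expensive=5):
    """Return {source_ip: reason} for sources that exceed a request-rate limit.

    Two sliding windows per source: all requests, and requests to EXPENSIVE paths.
    A source is reported once, with the first limit it crosses.
    """
    all_reqs = defaultdict(deque)
    exp_reqs = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        n_all = _push(all_reqs[ip], ts, window_s)
        n_exp = 0
        if rec["path"].split("?", 1)[0] in EXPENSIVE:
            n_exp = _push(exp_reqs[ip], ts, window_s)
        if ip in flagged:
            continue
        if n_exp > max_expensive:
            flagged[ip] = f"expensive-path rate: {n_exp} in {window_s}s"
        elif n_all > max_per_window:
            flagged[ip] = f"request rate: {n_all} in {window_s}s"
    return flagged


def sample_log():
    """Constructed log: one normal client, one bot hammering /search, one bot hammering /."""
    base = datetime(2013, 3, 20, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, sec, method, path, status=200, size=512):
        t = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')

    for i in range(5):            # normal browsing: one request every 2 s
        emit("203.0.113.10", i * 2, "GET", "/index.html")
    for i in range(8):            # eight searches in eight seconds from one source
        emit("198.51.100.7", i, "POST", "/search?q=" + "a" * (i + 1))
    for i in range(25):           # 25 cheap GETs in five seconds from another source
        emit("198.51.100.8", i * 0.2, "GET", "/")
    return lines


if __name__ == "__main__":
    for ip, reason in detect_floods(sample_log()).items():
        print(ip, reason)
```

The per-source window is the weak point of this approach against a real botnet: thousands of sources each staying under the limit still add up. In practice the same logic is applied a second time aggregated per path or per application function, so that a surge in total search traffic is caught even when no single address stands out.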

DDoS Strategies: Attacks Occur at Various Levels (continued)
UDP Flood (often described together with ICMP floods):
- Attacker sends UDP datagrams to random ports on the victim.
- Most of those ports have no listener, so the victim must answer each datagram with an ICMP "port unreachable" error (ICMP, the Internet Control Message Protocol, is what carries such error messages).
- The victim is so busy generating ICMP responses that it cannot handle legitimate traffic.
Ping (ICMP Echo) Flood:
- ICMP attack in which the victim is flooded with echo requests (pings) and must answer each with an echo reply.
- Both floods also work as pure bandwidth attacks: the request traffic alone can fill the victim's link whether or not it replies.

DDoS Strategies: Attacks Occur at Various Levels (continued)
SYN Flood:
- Attacker begins the initiation of a TCP connection by sending a SYN.
- Server allocates a half-open connection entry and responds with SYN-ACK.
- Attacker never sends the final ACK; if the source address was spoofed, the SYN-ACK goes to a host that never sent a SYN and ignores it.
- Victim holds the entry until its SYN-ACK retransmissions give up, typically tens of seconds to a few minutes depending on the operating system.
- Victim's half-open table fills, and legitimate connection attempts are refused. (SYN cookies, which encode the handshake state in the server's sequence number instead of a table entry, are the standard defense.)
GET/POST Flood:
- HTTP requests that retrieve and update data; each one costs the server compute and disk resources.
- Requests aimed at expensive functions (searches, reports, logins) do the most damage; some of these require valid user names and passwords, which the attacker may have obtained.
- A modest rate of such requests, spread across a botnet, consumes all of the resources of the server.
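The SYN flood arithmetic is easy to see in a simulation. The following is an added example, not code from the original presentation: it models a fixed-size half-open connection table under a flood of spoofed SYNs, counts how many legitimate handshakes still complete, and then shows the SYN-cookie alternative in which the server keeps no table entry at all. Table size, timeout, traffic rates and addresses are assumptions chosen to make the effect visible; the cookie is a simplified form of the real scheme (the MSS encoding that Linux packs into the sequence number is omitted).

```python
"""A SYN flood against a fixed-size half-open connection table, and the stateless
SYN-cookie alternative. Added example, not code from the original slides. Table
size, SYN-ACK timeout and traffic rates are assumptions chosen so the effect is
visible in a short simulation; the cookie omits the MSS encoding of real schemes."""
import hashlib
import hmac
import os


class HalfOpenTable:
    """Models a server's SYN backlog: each unanswered SYN-ACK holds a slot until
    the server gives up on the handshake after `timeout_ms` milliseconds."""

    def __init__(self, capacity, timeout_ms):
        self.capacity, self.timeout_ms = capacity, timeout_ms
        self.entries = {}                      # (src_ip, src_port) -> expiry time (ms)

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.entries) >= self.capacity:
            return False                       # backlog full: SYN dropped, no SYN-ACK sent
        self.entries[src] = now + self.timeout_ms
        return True

    def on_ack(self, src, now):
        self._expire(now)
        return self.entries.pop(src, None) is not None


def simulate(capacity=1024, timeout_ms=60_000, attack_pps=100, duration_s=120, legit_every_ms=5_000):
    """Attacker sends `attack_pps` SYNs/s from spoofed sources that never ACK; a
    legitimate client connects every `legit_every_ms` and ACKs 100 ms later.
    Time is integer milliseconds so the result is exact. Returns (attempts, successes)."""
    table = HalfOpenTable(capacity, timeout_ms)
    step_ms = 1000 // attack_pps
    attempts = successes = 0
    next_legit = 0
    for now in range(0, duration_s * 1000, step_ms):
        n = now // step_ms
        # Spoofed source: the SYN-ACK goes to a host that never sent a SYN, so
        # the slot is only ever released by the timeout.
        table.on_syn(("198.51.100.%d" % (n % 254 + 1), 1024 + n), now)
        if now >= next_legit:
            attempts += 1
            src = ("203.0.113.10", 40000 + attempts)
            if table.on_syn(src, now) and table.on_ack(src, now + 100):
                successes += 1
            next_legit += legit_every_ms
    return attempts, successes


# SYN cookies: instead of storing state on SYN, encode it into the SYN-ACK's
# initial sequence number and verify it when (and only when) the final ACK arrives.
SECRET = os.urandom(16)                        # per-server key, rotated periodically


def syn_cookie(src_ip, src_port, dst_port, client_isn, minute):
    """32-bit cookie bound to the 4-tuple, the client's ISN and a coarse timestamp."""
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{minute}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def validate_ack(src_ip, src_port, dst_port, client_isn, ack_num, minute):
    """The final ACK acknowledges cookie + 1. Accept the current or previous minute
    so a slow handshake still completes; anything else is dropped without state."""
    for m in (minute, minute - 1):
        if (syn_cookie(src_ip, src_port, dst_port, client_isn, m) + 1) & 0xFFFFFFFF == ack_num:
            return True
    return False


if __name__ == "__main__":
    attempts, successes = simulate()
    print(f"legitimate handshakes completed under flood: {successes} of {attempts}")
```

With the assumed numbers, 100 spoofed SYNs per second against a 1,024-entry table with a 60-second timeout fills the table in about ten seconds; the attacker holds it full with a trickle of traffic far below any bandwidth alarm, which is why a SYN flood is an infrastructure-level attack rather than a network-level one. The cookie path answers every SYN with no allocation at all and pays only an HMAC on the ACK.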

DDoS Strategies: Amplified Attacks
- The most vicious kind of attack: it generates a great deal of attack data with little effort.
- Example, DNS reflection:
  - depends upon open DNS resolvers, which answer any DNS query no matter where it comes from.
  - the attacker sends a DNS query with the source IP address spoofed to be the victim's.
  - the resolver sends its response to the victim.
  - a typical query is about 30 bytes; a response can be several thousand bytes, an amplification factor on the order of 100.
- A publicly available toolkit, itsoknoproblembro, has been used to launch DNS attacks.
- Open DNS resolvers were supposed to be phased out, but about 27 million remain on the Internet, and lists of them are publicly available.
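The size ratio above is the whole point, so it is worth measuring it on real wire-format messages. The following is an added example, not code from the original presentation: it builds a DNS query and a large answer in RFC 1035 wire format (without name compression) for a constructed name and record set, and shows that a query which does not advertise an EDNS0 buffer gets its amplification capped at the classic 512-byte UDP limit. The name example.test, the record set, the frame overhead of 42 bytes and the 512-byte truncation model are assumptions.

```python
"""Why DNS reflection amplifies: a small query triggers a large answer, and the
resolver sends that answer to whatever source address the query carried. Added
example, not code from the original slides. Builds DNS messages in wire format
(RFC 1035, no name compression) for a constructed name and record set so the
sizes can be measured offline."""
import struct

QTYPE = {"A": 1, "TXT": 16, "OPT": 41, "ANY": 255}
FRAME_OVERHEAD = 42            # Ethernet (14) + IPv4 (20) + UDP (8) headers, assumed


def encode_name(name):
    """'example.test' -> b'\\x07example\\x04test\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, edns_udp_size=None):
    """Query with RD=1. With edns_udp_size set, an OPT pseudo-record advertises a
    UDP buffer larger than the classic 512 bytes, which is what lets the attacker
    collect a multi-kilobyte answer over UDP."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if edns_udp_size:
        # OPT: root owner, type 41, CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], edns_udp_size, 0, 0)
    return msg


def build_response(txid, name, qtype, answers):
    """answers: list of (owner, rtype, ttl, rdata bytes); flags 0x8180 = QR, RD, RA."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    for owner, rtype, ttl, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata
    return msg


def txt_rdata(text):
    """TXT rdata is one or more <length><bytes> strings of at most 255 bytes each."""
    data = text.encode()
    chunks = (data[i:i + 255] for i in range(0, len(data), 255))
    return b"".join(bytes([len(c)]) + c for c in chunks)


def advertised_udp_size(query):
    """UDP payload the client says it accepts: 512 unless an OPT record says otherwise."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    owner, rtype, size = struct.unpack("!BHH", query[-11:-6])
    return size if owner == 0 and rtype == QTYPE["OPT"] else 512


def reflected_size(query, response):
    """Bytes the resolver actually sends to the (spoofed) source over UDP. An answer
    larger than the advertised buffer is truncated (TC=1); modelled here as 512 bytes."""
    limit = advertised_udp_size(query)
    return len(response) if len(response) <= limit else min(512, len(response))


def amplification(query, response):
    """Ratio of bytes the victim receives to bytes the attacker sent, on the wire."""
    return (reflected_size(query, response) + FRAME_OVERHEAD) / (len(query) + FRAME_OVERHEAD)


def sample_answers(name="example.test"):
    """Constructed record set: one A record and five 255-byte TXT records."""
    return [(name, "A", 300, bytes([192, 0, 2, 1]))] + \
           [(name, "TXT", 300, txt_rdata("x" * 255)) for _ in range(5)]


if __name__ == "__main__":
    resp = build_response(0x1234, "example.test", "ANY", sample_answers())
    for q in (build_query("example.test"), build_query("example.test", edns_udp_size=4096)):
        print(len(q), "byte query ->", reflected_size(q, resp),
              "bytes reflected, amplification x%.1f" % amplification(q, resp))
```

Two practical notes follow from the model. First, the attacker chooses the name and type (historically ANY, or a TXT record the attacker planted in a domain under their control) precisely to maximise the answer, and many resolvers now refuse ANY queries (RFC 8482) for that reason. Second, because the response only travels over UDP in full when the query advertises a large EDNS0 buffer, a resolver that caps the advertised size or rate-limits identical responses to one client (response rate limiting) cuts the amplification at the source.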

Major DDoS Attacks: Some Examples

Major U.S. Banks
- September 2012: the online banking web sites of several major U.S. banks are disrupted by Distributed Denial of Service (DDoS) attacks.
- A group calling itself the Izz ad-Din al-Qassam Cyber Fighters vowed to attack major U.S. banks until the video "Innocence of Muslims" was removed from the Internet.
- Attacks were launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank, taking their online banking portals down for up to a day at a time.
- Attacks followed against Capital One, SunTrust Banks and Regions Financial.
- The attacks, at up to 70 gigabits/sec., used hundreds of thousands of volunteer computers and infected servers.
- December 2012: the attacks were repeated for several days against all of the banks.
- Intelligence officials say that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the U.S.

History's Largest DDoS Attack
- Spamhaus is a spam-filtering organization that maintains a blacklist of IP addresses used by spammers; it is relied upon by spam-filtering vendors, ISPs and corporations.
- Spamhaus blacklisted CyberBunker, a hosting provider that claims to host anything except terrorism and child pornography.
- An attack of up to 300 gigabits/sec., attributed to CyberBunker, was launched against Spamhaus and lasted for about ten days.
- Spamhaus enlisted CloudFlare to help it weather the attack: CloudFlare spread the malicious load across its 23 data centers, scrubbed the traffic and passed only legitimate traffic on to Spamhaus.
- The attackers then extended the attack to CloudFlare itself.

Summary

Botnets
- Until recently, DDoS attacks were in the 10 gbps range, generated by botnets of infected PCs.
- The bank attacks: 70 to 100 gbps, using tens of thousands of volunteered PCs plus infected servers.
- The Spamhaus attack: 300 gbps, using a PC/server botnet and DNS reflection through open resolvers.

Mitigation
- DDoS attacks are easy to launch and difficult to defend against.
- On-premises firewalls and intrusion-prevention systems (IPS) keep state per connection and can themselves be overwhelmed.
- Spread the load across several data centers and scrub the traffic there before it reaches the origin.
- Use the services of a DDoS mitigation company that can scrub traffic across many data centers, for example Prolexic, Tata, AT&T or Verisign.
- Include DDoS attacks in your Business Continuity Plan.