Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law

Distributed Denial of Service Attacks CMPT What is DDOS? Distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial- of-service for users of the targeted system Forces system to shutdown by flooding with incoming messages, thereby denying services to legitimate users

Distributed Denial of Service Attacks CMPT Distributed… Distributed computing is a method of computer processing in which different parts of a program run simultaneously on two or more computers that are communicating with each other over a network. Major advantages of using a distributed denial- of-service attack –Generate more traffic –Multiple machines attacking harder to turn off –Each attack machine is stealthier, making it harder to track and shutdown

Distributed Denial of Service Attacks CMPT Types of DOS attacks Exercising software bug that causes the software running the service to fail Sending enough data to consume all available network resources Sending data in such a way as to consume a particular resource needed by the service

Distributed Denial of Service Attacks CMPT How do DDOS attacks work? A hacker first exploits a vulnerable computer system making it the DDOS “master” –“Master” computer communicates and loads on cracking tools to thousands of other compromised systems on the internet All computers can then be instructed to launch one of many flood attacks to specified target

Distributed Denial of Service Attacks CMPT SYN Flood SYN packet initiates TCP/IP connection –SYN flood consumes all available slots in server’s TCP connection table –Exploits basic weakness of TCP/IP protocol –Prevents other users from establishing new connections HTTP particularly vulnerable to SYN flood attack

Distributed Denial of Service Attacks CMPT SYN Flood (2) TCP/IP Protocol requires 3-step process The originator of the connection (such as a web browser) initiates the connection by sending a packet having the SYN flag set in the TCP header (referred to as a “SYN packet”). The receiver responds by sending back to the originator a packet that has the SYN and ACK flags set (a “SYN/ACK packet”) The originator acknowledges receipt of the 2nd packet by sending to the receiver a third packet with only the ACK flag set (an “ACK packet”).

Distributed Denial of Service Attacks CMPT SYN Flood (3) During SYN flood, attacker sends large number of SYN packets alone without ACK packet response

Distributed Denial of Service Attacks CMPT SYN Flood (4) Connection table fills up rapidly with incomplete connections, crowding legitimate traffic

Distributed Denial of Service Attacks CMPT Responding to DDOS attacks Increasing size of network table seems most straightforward but may not be configurable Spare servers to be placed in service during an attack –Very expensive to have idle equipment

Distributed Denial of Service Attacks CMPT Prevention Most DDOS attacks use forged source address to lie about where they are being sent Manufacturers of firewalls/network security devices developed variety of defense methods –SYN threshold: establish limit of incomplete transactions, then start discarding –SYN defender: when SYN packet received, firewall synthesizes the final ACK packet in step 3, so no need to wait for actual ACK packet from originator –SYN Proxy: firewall synthesizes and sends SYN/ACK packet back to originator, and waits for final ACK packet. After firewall receives ACK packet from originator, firewall “replays” 3-step sequence to receiver.

Distributed Denial of Service Attacks CMPT DDOS attack tools Tribal flood network Trin00 TFN2K Stacheldraht

Distributed Denial of Service Attacks CMPT Sources What is denial of service; html html Distributed Denial of Service Attacks; whitepaper.html whitepaper.html Distributed Denial of Service Attack Tools; How a ‘denial of service’ attack works; htmlhttp:// html DDOS;