Advanced Network Security, Lecture 22: Other Types of DDoS Attacks
Peter Reiher, August 2014


Outline
- Reflector attacks
- Shrew attacks
- Crossfire attacks

Reflector Attacks
- A type of DDoS attack that addresses the attacker's asymmetry problem: a third-party site turns a small attack message into a big one
- Relies on IP spoofing: the attacker's requests carry the target's address as source, so the reflector's replies go to the target
- Can make use of several different protocols for reflection

A Reflector Attack (diagram): the attacker sends a SYN to the reflector with the source IP address spoofed to be the target's; the reflector's SYN/ACK is delivered to the target instead of the attacker.

The Attack Multiplied (diagram)

Why Is This Helpful to the Attacker?
- Packets arrive at the target from many source IP addresses
  – All of which are legitimate reflectors, not spoofed
  – Which makes it harder to defend by filtering on source
- The reflector's response may be bigger than the attacker's request
  – Leading to amplification

Common Types of Reflectors
- DNS servers
  – Small requests can give large results
  – Amplification factor around 100X
- NTP
  – A protocol flaw (the monlist command, which returns up to 600 recent clients in one reply) made reflector attacks worthwhile
  – Can amplify 200X
- Some DHT implementations

The Core Reflector Problem
- Attackers can spoof the target's IP address
- It may be difficult to detect the attackers
  – Attackers can use botnets to hide the traffic volume, so no single source stands out
- Reflectors cannot easily distinguish between legitimate and illegitimate requests
  – And there is a large number of possible reflectors
- The victim's provider ISP can see the attack but can do little about it

Defending Against Reflector Attacks
- Cut down on IP spoofing (source address validation at the edge)
  – That's often hard to get deployed
- Make reflecting sites less available
  – Most DNS servers are only intended for local use anyway, so they need not answer the whole Internet
- Change reflector site behavior
  – Either in the protocol or at the site
- Research approaches

One Research Approach: RAD
- Basic idea: reflected messages are replies to requests
- If the target remembers what it requested, it knows what replies it should see
- Drop "unexpected" replies

RAD Deployment Choices
- Local
  – Only sees the false replies
  – Validates that replies correspond to requests
  – Reply volume may overwhelm a local defense
  – Only requires local cooperation
- Core
  – Can see all traffic
  – Validates that packets correspond to their source AS
  – Requires core cooperation

Local RAD
- Validate that replies correspond to a request
- Most reflectable protocols echo a field from the request in the reply
  – TCP: the initial sequence number of the SYN comes back (plus one) as the acknowledgment number of the SYN/ACK
  – DNS: the ID of the query is repeated in the response
  – ICMP: the ID and sequence number of an ECHO are repeated in the ECHO REPLY
- Place a message authentication code (MAC) in these fields when sending the request
- Validate the MAC in the reply's echoed field, which proves the reply corresponds to a legitimate request

What Is in the MAC?
- Create the MAC by running SHA-1 over one 512-bit input block
- Inputs: source IP, destination IP, source port, destination port, a counter and a 384-bit secret (with a 32-bit counter these fill the 512-bit block exactly)
  – IP addresses and ports give different MACs for different destinations and data flows
  – The counter gives different MACs for the same destination over time
  – The secret is unique to the source
- The 160-bit hash must be truncated to the width of the field that carries it (16 bits for a DNS ID, 32 for a TCP ISN), so a forger guessing the field at random succeeds with probability 2^-16 or 2^-32 per packet

Using Local RAD (diagram): the sender's gateway adds a MAC to each request (REQ + MAC) before it crosses the Internet to the reflector; the reflector's reply echoes the MAC (RPL + MAC) and is admitted. An attacker's forged request (BAD REQ) carries no correct MAC, so the reflector's reply to it (BAD RPL) is dropped at the gateway.

Core RAD
- Local RAD can be overwhelmed by sheer traffic volume
- Move filtering farther from the target, into the core
- Core RAD:
  – Edge ASes mark all their outbound traffic
  – Core nodes validate the marks
  – If an invalid mark is detected, the packet is dropped

Marking the Packets in Core RAD
- Generate an HMAC using the source address, destination address, packet contents and a secret key
  – Source and destination prevent replays of one valid packet to many targets
  – Packet contents make replays easier to detect
- Place the HMAC, truncated to 16 bits, into the IP ID field
  – Caveat: the IP ID field is also what receivers use to match fragments, so marked traffic cannot rely on it for reassembly

Core RAD in Operation (diagram): the sender's edge AS adds a MAC to each outgoing packet (PKT + MAC); a core AS verifies the mark before forwarding toward the reflector, and drops an attacker's packet that carries no valid mark (BAD PKT).

Core RAD and DNS Reflector Attacks (diagram)

RAD Lessons
- Local RAD
  – Provides a defense that only requires local cooperation
  – Limited by the local link's or the ISP's bandwidth
- Core RAD
  – Provides nearly complete protection
  – Requires core ASes to participate
  – Core ASes can sell it as a service
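Both RAD variants described on the preceding slides, as an added example written from the slides' description rather than taken from the RAD authors' implementation. The addresses, ports, keys, packets, the epoch scheme standing in for the counter, and the choice of HMAC-SHA256 for the core mark are all constructed for this example:

```python
"""Added example written from the slides' description of RAD; it is not
the RAD authors' implementation. Addresses, ports, keys, packets, the
epoch scheme and the HMAC-SHA256 choice for the core mark are all
constructed for this example.

Local RAD: the requester's gateway derives the field the reflector will
echo (the DNS transaction ID below) from a keyed SHA-1 value and admits
only replies carrying a value it could have generated.
Core RAD: an edge AS writes a truncated HMAC over (src, dst, payload)
into the IP ID field; a core node holding the edge's key drops packets
whose mark does not verify.
"""
import hashlib
import hmac
import ipaddress


def local_mac(src_ip, dst_ip, src_port, dst_port, counter, secret, width_bits):
    """SHA-1 over exactly one 512-bit block: 32+32+16+16+32 bits of flow
    data plus a 384-bit (48-byte) per-source secret, truncated to the width
    of the field that carries it (16 bits for a DNS ID, 32 for a TCP ISN)."""
    if len(secret) != 48:
        raise ValueError("RAD secret must be 384 bits")
    block = (ipaddress.IPv4Address(src_ip).packed
             + ipaddress.IPv4Address(dst_ip).packed
             + src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
             + (counter & 0xFFFFFFFF).to_bytes(4, "big") + secret)
    assert len(block) == 64  # one SHA-1 input block
    return int.from_bytes(hashlib.sha1(block).digest()[: width_bits // 8], "big")


class LocalRadGateway:
    """Sits in front of the protected site. `epoch` plays the slide's
    counter: it advances periodically so that old replies stop validating."""

    def __init__(self, secret, epochs_accepted=2):
        self.secret = secret
        self.epochs_accepted = epochs_accepted

    def stamp_dns_query(self, src_ip, resolver_ip, src_port, epoch):
        """Transaction ID to write into an outbound query."""
        return local_mac(src_ip, resolver_ip, src_port, 53, epoch, self.secret, 16)

    def accept_dns_reply(self, reply, epoch):
        """reply = {'src','dst','sport','dport','id'}. Addresses and ports
        are reversed relative to the query the MAC was computed over."""
        for e in range(epoch, epoch - self.epochs_accepted, -1):
            expected = local_mac(reply["dst"], reply["src"], reply["dport"],
                                 reply["sport"], e, self.secret, 16)
            if hmac.compare_digest(expected.to_bytes(2, "big"),
                                   reply["id"].to_bytes(2, "big")):
                return True
        return False


def core_mark(src_ip, dst_ip, payload, edge_key):
    """16-bit mark for the IP ID field: HMAC over source address, destination
    address and packet contents, truncated to the field width."""
    msg = (ipaddress.IPv4Address(src_ip).packed
           + ipaddress.IPv4Address(dst_ip).packed + payload)
    return int.from_bytes(hmac.new(edge_key, msg, hashlib.sha256).digest()[:2], "big")


class CoreRadFilter:
    """Core node holding the marking keys of participating edge ASes, keyed
    by the prefixes each AS originates (assumed learned out of band)."""

    def __init__(self, keys_by_prefix):
        self.keys = {ipaddress.ip_network(p): k for p, k in keys_by_prefix.items()}

    def forward(self, packet):
        """packet = {'src','dst','ip_id','payload'}; True if it may pass."""
        src = ipaddress.IPv4Address(packet["src"])
        key = next((k for net, k in self.keys.items() if src in net), None)
        if key is None:
            return False  # source prefix belongs to no participating edge AS
        expected = core_mark(packet["src"], packet["dst"], packet["payload"], key)
        return hmac.compare_digest(expected.to_bytes(2, "big"),
                                   packet["ip_id"].to_bytes(2, "big"))


def demo():
    """Run the slides' scenarios; returns {scenario: forwarded?}."""
    gw = LocalRadGateway(secret=b"\x11" * 48)  # constructed 384-bit secret
    txid = gw.stamp_dns_query("192.0.2.10", "198.51.100.53", 40000, epoch=7)
    good = {"src": "198.51.100.53", "dst": "192.0.2.10",
            "sport": 53, "dport": 40000, "id": txid}
    spoofed = dict(good, id=txid ^ 0x5A5A)      # reply to a query nobody here sent
    out = {"local_good": gw.accept_dns_reply(good, epoch=7),
           "local_spoofed": gw.accept_dns_reply(spoofed, epoch=7),
           "local_stale": gw.accept_dns_reply(good, epoch=9)}  # two epochs later

    key_a, key_b = b"A" * 32, b"B" * 32          # constructed edge-AS keys
    core = CoreRadFilter({"10.1.0.0/16": key_a, "10.2.0.0/16": key_b})
    pkt = {"src": "10.1.4.4", "dst": "203.0.113.9", "payload": b"dns query"}
    pkt["ip_id"] = core_mark(pkt["src"], pkt["dst"], pkt["payload"], key_a)
    replayed = dict(pkt, dst="203.0.113.77")     # valid mark, aimed at another victim
    forged = dict(pkt, ip_id=(pkt["ip_id"] + 1) & 0xFFFF)  # AS A address forged without A's key
    out.update({"core_good": core.forward(pkt),
                "core_replayed": core.forward(replayed),
                "core_forged": core.forward(forged)})
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'forwarded' if ok else 'dropped'}")
```

Two things the slides leave implicit show up here. The mark is only as wide as the field that carries it, so an attacker who fills a 16-bit DNS ID or IP ID at random still gets through 1 packet in 65,536; that is acceptable against amplification because the reflector's large replies are then dropped at the same rate. And the replayed packet is dropped only because the destination is an input to the HMAC; a mark over the payload alone would validate at any victim. The "unknown source prefix, drop" rule in `CoreRadFilter.forward` is a policy choice for the example; a real deployment would more likely pass traffic from non-participating ASes unmarked and filter it by other means.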

Shrew Attacks
- Classic DDoS attacks have high volume
  – Which makes their presence pretty obvious
  – And requires lots of attacker resources
- Shrew attacks deny service more stealthily, requiring fewer resources

TCP and Packet Losses
- TCP responds to losses by assuming they are caused by congestion
  – A loss is detected when a packet is not ACKed before the retransmission timeout (RTO) expires
- TCP's response is to send less data
  – The more losses, the less data sent
- The RTO is defined by the TCP specification: it has a fixed minimum (1 second in RFC 2988/RFC 6298) and doubles on each consecutive timeout

Causing the Shrew Attack
- Send brief bursts of high-volume traffic
- At specifically chosen intervals, matched to the RTO after which TCP will retransmit
- Each burst causes the retransmitted packets and their ACKs to be dropped
- The other party thinks there is persistent congestion and keeps backing off

Effect of a Shrew Attack
- The attacker's average sending rate isn't too high
  – E.g., ~900 Kbps
- The target's sending rate drops to near zero
  – Because it keeps losing packets at the critical moments right after each timeout

Handling Shrew Attacks
- Hard to detect this behavior using existing methods, which look for high average rates
  – So figuring out that someone is doing it isn't very likely
- Randomizing TCP's minimum RTO helps, since the attacker can no longer predict when retransmissions happen
- But good choices for the randomization don't match nicely with the behavior wanted in the face of real congestion
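A toy timeline of one TCP sender under the attack just described, as an added example constructed for this page (it is not the lecture's or the shrew-attack authors' code). It models only the retransmission-timer path: a burst loses whatever the sender has in flight, the sender waits out its RTO, and the RTO doubles on each repeated loss. Period, burst length, the 60-second horizon and the 1000 ms minimum RTO are the example's parameters; the `rto_floor` hook is the example's way of modelling a randomized minimum RTO:

```python
"""Added example, constructed for this page (not the lecture's or the
shrew-attack authors' code): a toy timeline of one TCP sender under a
shrew attack. The attacker sends bursts of `burst_len` ms every `period`
ms that saturate the shared link; anything the sender transmits during a
burst is lost. TCP reacts with a retransmission timeout that starts at
its minimum value and doubles on each consecutive loss (RFC 6298 style).
Time is in milliseconds; throughput is the fraction of ms in which the
sender got a packet through.
"""
import random
from typing import Callable, Optional


def in_burst(t: int, period: int, burst_len: int) -> bool:
    """Attacker bursts occupy [k*period, k*period + burst_len)."""
    return (t % period) < burst_len


def simulate(period: int, burst_len: int, duration: int = 60_000,
             min_rto: int = 1_000, max_rto: int = 64_000,
             rto_floor: Optional[Callable[[], int]] = None) -> float:
    """Fraction of `duration` in which the TCP sender delivered data.

    rto_floor models a randomized-minRTO defence: it is called after a
    successful retransmission to choose the timer value the next loss will
    use. The default is the fixed min_rto the attacker relies on."""
    floor = rto_floor or (lambda: min_rto)
    t, delivered = 0, 0
    rto = floor()
    in_backoff = False
    while t < duration:
        if in_burst(t, period, burst_len):
            # Packet (or its ACK) lost in the burst: nothing is sent until
            # the timer fires, and the next timer value is doubled.
            t += rto
            rto = min(2 * rto, max_rto)
            in_backoff = True
        else:
            if in_backoff:            # retransmission got through
                rto = floor()
                in_backoff = False
            delivered += 1
            t += 1
    return delivered / duration


def attacker_duty_cycle(period: int, burst_len: int) -> float:
    """Average attacker load as a fraction of the link (burst_len / period)."""
    return burst_len / period


if __name__ == "__main__":
    rng = random.Random(1)
    cases = [
        ("bursts every 1000 ms (= minRTO)", dict(period=1_000, burst_len=100)),
        ("bursts every 1500 ms (off-period)", dict(period=1_500, burst_len=100)),
        ("1000 ms bursts, minRTO randomized in [1000,2000) ms",
         dict(period=1_000, burst_len=100,
              rto_floor=lambda: rng.randint(1_000, 1_999))),
    ]
    for label, kw in cases:
        load = attacker_duty_cycle(kw["period"], kw["burst_len"])
        print(f"{label:52s} attacker load {load:.0%}"
              f"  victim throughput {simulate(**kw):.1%}")
```

With 100 ms bursts every 1000 ms the attacker occupies 10% of the link on average, yet the victim delivers nothing: every retransmission at 1, 2, 4, 8, ... seconds after the first loss lands inside a burst, because each of those instants is a multiple of the burst period. Move the bursts to every 1500 ms and the same attacker load leaves the victim a third of its throughput; a fixed 1300 ms timer floor (one stand-in for randomization) leaves it 35%. The model omits fast retransmit, which is fair to the attack only when the burst is at least one round-trip long so that all outstanding packets are lost.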

Crossfire Attacks
- Traditional DDoS flooding attacks involve sending packets to the target
- You could instead send packets "across" the networks near the target
- Congest those networks without ever sending a packet to the target at all

The Crossfire Concept
- Cut off a part of the Internet (the target area) that contains your victim (the public server)
- By congesting a chosen set of target links
- Create the congestion by sending from your attack machines to decoy servers: ordinary public hosts the attacker picks, not machines he controls, chosen so that the paths from the bots to them cross the target links

Crossfire Effectiveness
- Can seriously degrade performance in the attacked area
- While targeting a relatively small number of links
  – 10-50, in the original experiments
- With sufficient attack nodes, each need only send a few Mbps, and each flow to a decoy looks like ordinary low-rate traffic
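The link-selection step behind the two preceding slides, as an added example constructed for this page (it is not the Crossfire authors' tool): build a map of the links between the bots and public decoy servers near the victim, count how many bot-to-decoy flows each link would carry, take the most heavily shared links outside the target area as target links, and check that congesting them cuts the bots off from the victim. The real attack builds the map with traceroute from every bot; here the topology, bot, decoy and victim names are hard-coded:

```python
"""Added example, constructed for this page (not the Crossfire authors'
code): the link-selection step of a Crossfire attack on a toy link map.
The topology, bots, decoys, target area and victim below are invented.
"""
from collections import Counter, deque

# Constructed topology: bots b1..b6 behind ISP routers c1 and c2; the
# target area holds border routers t1,t2, an internal router a, the
# victim v and two public decoy servers d1,d2. Links are undirected.
LINKS = [("b1", "c1"), ("b2", "c1"), ("b3", "c1"),
         ("b4", "c2"), ("b5", "c2"), ("b6", "c2"),
         ("c1", "c2"), ("c1", "t1"), ("c2", "t2"),
         ("t1", "a"), ("t2", "a"), ("a", "d1"), ("a", "d2"), ("a", "v")]
BOTS = ["b1", "b2", "b3", "b4", "b5", "b6"]
DECOYS = ["d1", "d2"]
TARGET_AREA = {"t1", "t2", "a", "d1", "d2", "v"}
VICTIM = "v"


def build_graph(links, removed=frozenset()):
    """Adjacency lists; links in `removed` (as frozensets) are left out."""
    g = {}
    for u, v in links:
        if frozenset((u, v)) in removed:
            continue
        g.setdefault(u, []).append(v)
        g.setdefault(v, []).append(u)
    return g


def shortest_path(graph, src, dst):
    """BFS shortest path as a node list, or None. Stands in for the
    traceroute the attacker would run from a bot to a decoy."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def flow_density(graph, bots, decoys):
    """Number of bot->decoy flows that would traverse each link."""
    density = Counter()
    for bot in bots:
        for decoy in decoys:
            path = shortest_path(graph, bot, decoy)
            if path is None:
                continue
            for u, v in zip(path, path[1:]):
                density[frozenset((u, v))] += 1
    return density


def choose_target_links(graph, bots, decoys, target_area, k):
    """Top-k links by flow density among links that are not wholly inside
    the target area (the attack congests the approaches to the area, not
    the area itself). Ties are broken by link name for determinism."""
    density = flow_density(graph, bots, decoys)
    candidates = [link for link in density if not link <= target_area]
    ranked = sorted(candidates, key=lambda link: (-density[link], sorted(link)))
    return set(ranked[:k])


def cuts_off(links, target_links, bots, victim):
    """True if congesting target_links (modelled as removing them) leaves
    every bot with no path to the victim."""
    g = build_graph(links, removed=frozenset(target_links))
    return all(shortest_path(g, bot, victim) is None for bot in bots)


def rate_per_flow_mbps(link_capacity_mbps, flows_on_link):
    """Rate each decoy flow must carry to fill a target link it shares."""
    return link_capacity_mbps / flows_on_link


if __name__ == "__main__":
    graph = build_graph(LINKS)
    density = flow_density(graph, BOTS, DECOYS)
    targets = choose_target_links(graph, BOTS, DECOYS, TARGET_AREA, k=2)
    for link in targets:
        print(f"target link {sorted(link)}: {density[link]} decoy flows, "
              f"{rate_per_flow_mbps(1000, density[link]):.0f} Mbps each on a 1 Gbps link")
    print("victim cut off:", cuts_off(LINKS, targets, BOTS, VICTIM))
```

On this map the two ISP-to-border links c1-t1 and c2-t2 each carry six of the twelve decoy flows, so they rank above the per-bot access links and are chosen; the internal links t1-a and a-d1 carry just as many flows but lie inside the target area and are excluded. Removing the two chosen links disconnects every bot from v, while congesting only c1-t1 does not. The slides' "a few Mbps per bot" follows from `rate_per_flow_mbps`: the per-flow rate is the link capacity divided by the number of flows sharing it, so it is the bot count, not the link speed, that makes each flow inconspicuous.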

Crossfire Countermeasures
- Difficult to defend against, since the victim itself never sees the attack traffic
- Either design networks with higher internal connectivity, so that no small set of links carries all routes into an area
- Or get ISPs and core providers to work together quickly and closely
- Neither is ideal

Conclusion
- There are many interesting variations of DDoS attacks
- More are discovered all the time
- Most real-world attacks aren't exotic, but only because they don't need to be
- If we can stop the basic ones, we'll need to tackle the advanced ones