Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Denial of Service

- denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
- attacks target:
  - network bandwidth
  - system resources
  - application resources
- have been an issue for some time

Classic Denial of Service Attacks

- can use simple flooding ping
- from higher capacity link to lower
- causing loss of traffic
- source of flood traffic easily identified

Classic Denial of Service Attacks

Source Address Spoofing

- use forged source addresses
  - given sufficient privilege to “raw sockets”
  - easy to create
- generate large volumes of packets
- directed at target
- with different, random, source addresses
- cause same congestion
- responses are scattered across Internet
- real source is much harder to identify

SYN Spoofing

- other common attack
- attacks ability of a server to respond to future connection requests
- overflowing tables used to manage them
- hence an attack on system resource

TCP Connection Handshake

SYN Spoofing Attack

- attacker often uses either
  - random source addresses
  - or that of an overloaded server
  - to block return of (most) reset packets
- has much lower traffic volume
  - attacker can be on a much lower capacity link

Types of Flooding Attacks

- classified based on network protocol used
- ICMP Flood
  - uses ICMP packets, e.g. echo request
  - typically allowed through, some required
- UDP Flood
  - alternative uses UDP packets to some port
- TCP SYN Flood
  - use TCP SYN (connection request) packets
  - but for volume attack

Distributed Denial of Service Attacks

- have limited volume if single source used
- multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack
- often compromised PCs / workstations
  - zombies with backdoor programs installed
  - forming a botnet
- e.g. Tribe Flood Network (TFN), TFN2K

DDoS Control Hierarchy

Reflection Attacks

- use normal behavior of network
- attacker sends packet with spoofed source address being that of target to a server
- server response is directed at target
- if send many requests to multiple servers, response can flood target
- various protocols e.g. UDP or TCP/SYN
- ideally want response larger than request
- prevent if block source spoofed packets

Reflection Attacks

- further variation creates a self-contained loop between intermediary and target
- fairly easy to filter and block

Amplification Attacks

DNS Amplification Attacks

- use DNS requests with spoofed source address being the target
- exploit DNS behavior to convert a small request to a much larger response
  - 60 byte request to byte response
- attacker sends requests to multiple well connected servers, which flood target
  - need only moderate flow of request packets
  - DNS servers will also be loaded

DoS Attack Defenses

- high traffic volumes may be legitimate
  - result of high publicity, e.g. “slash-dotted”
  - or to a very popular site, e.g. Olympics etc
- or legitimate traffic created by an attacker
- three lines of defense against (D)DoS:
  - attack prevention and preemption
  - attack detection and filtering
  - attack source traceback and identification

Attack Prevention

- block spoofed source addresses
  - on routers as close to source as possible
  - still far too rarely implemented
- rate controls in upstream distribution nets
  - on specific packet types
  - e.g. some ICMP, some UDP, TCP/SYN
- use modified TCP connection handling
  - use SYN cookies when table full
  - or selective or random drop when table full

Attack Prevention

- block IP directed broadcasts
- block suspicious services & combinations
- manage application attacks with “puzzles” to distinguish legitimate human requests
- good general system security practices
- use mirrored and replicated servers when high-performance and reliability required
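The preceding slide's first defence, blocking spoofed source addresses on routers as close to the source as possible, is the ingress filtering that also defeats the reflection attacks described earlier. As an added example (not from the slides), here is the decision a customer-edge router makes for each packet, in Python with the standard `ipaddress` module: a source is permitted only if it lies inside the address blocks assigned to the interface it arrived on, and never if it is a private, loopback or multicast address. The interface names, prefix assignments and sample records are constructed for the demonstration.

```python
import ipaddress

# Constructed assignment of address blocks to customer-facing router interfaces.
# A packet arriving on an interface may only carry a source inside that interface's blocks.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("2001:db8:10::/48")],
}

# Source addresses that should never arrive from a customer link (private, loopback, multicast...).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def ingress_decision(iface, src):
    """Return ('permit'|'drop', reason) for a packet with source `src` arriving on `iface`."""
    addr = ipaddress.ip_address(src)
    # membership tests across IPv4/IPv6 are simply False, so mixed lists are safe
    if any(addr in net for net in BOGONS):
        return "drop", "bogon source"
    allowed = INGRESS_PREFIXES.get(iface)
    if allowed is None:
        return "drop", "no prefix list for interface"
    if any(addr in net for net in allowed):
        return "permit", "source inside assigned prefix"
    return "drop", "source outside assigned prefix (spoofed)"


def apply_policy(records):
    """records: iterable of (iface, src, dst). Returns per-interface counts and dropped records."""
    stats = {}
    dropped = []
    for iface, src, dst in records:
        action, reason = ingress_decision(iface, src)
        s = stats.setdefault(iface, {"permit": 0, "drop": 0})
        s[action] += 1
        if action == "drop":
            dropped.append((iface, src, dst, reason))
    return stats, dropped


# Constructed sample: genuine clients, then forged sources arriving on the cust-a link.
SAMPLE = [
    ("cust-a", "203.0.113.17", "192.0.2.80"),
    ("cust-b", "198.51.100.9", "192.0.2.80"),
    ("cust-b", "2001:db8:10::42", "2001:db8:ffff::53"),
    ("cust-a", "10.1.2.3", "192.0.2.80"),          # private source: bogon
    ("cust-a", "198.51.100.200", "192.0.2.80"),    # belongs to another customer's block
    ("cust-a", "192.0.2.80", "192.0.2.80"),        # source forged as the target itself
    ("cust-a", "192.0.2.201", "192.0.2.80"),       # arbitrary forged source
]

if __name__ == "__main__":
    stats, dropped = apply_policy(SAMPLE)
    print(stats)
    for rec in dropped:
        print("dropped:", rec)
```

Production routers express the same check as an access list or as unicast reverse-path forwarding, where the interface's allowed prefixes are derived from the routing table; the per-interface drop counter that `apply_policy` keeps is also the number an operator watches to notice that a customer link has started emitting forged traffic.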

Responding to Attacks

- need good incident response plan
  - with contacts for ISP
  - needed to impose traffic filtering upstream
  - details of response process
- have standard filters
- ideally have network monitors and IDS
  - to detect and notify abnormal traffic patterns

Responding to Attacks

- identify type of attack
  - capture and analyze packets
  - design filters to block attack traffic upstream
  - or identify and correct system/application bug
- have ISP trace packet flow back to source
  - may be difficult and time consuming
  - necessary if legal action desired
- implement contingency plan
- update incident response plan
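The two response slides ask for packet capture, identification of the attack type using the flooding taxonomy from earlier (ICMP, UDP, TCP SYN), and a filter request for the upstream ISP, while the defences slide warns that a high volume may simply be a flash crowd. The following is an added example, not code from the slides, that works through that analysis on constructed packet summaries: traffic is bucketed per destination, protocol and one-second window, anything above a rate threshold is labelled, and for TCP the fraction of SYNs followed by an ACK separates a spoofed SYN flood (handshakes never complete) from a crowd of real clients. The packet generator, thresholds, addresses and the filter-request format are all assumptions made for the demonstration.

```python
import random
from collections import defaultdict


def make_packets(kind, n, dst="192.0.2.80", dport=80, seed=1):
    """Constructed packet summaries (t, proto, src, dst, dport_or_type, tcp_flags) at 200 pkt/s.
    'syn_flood': SYNs from random sources that never complete the handshake.
    'flash_crowd': many distinct clients that each send SYN and then ACK.
    'icmp_flood': echo requests from random sources.  'udp_flood': UDP to one port."""
    rng = random.Random(seed)
    pkts = []
    for i in range(n):
        src = ".".join(str(rng.randrange(1, 224)) if k == 0 else str(rng.randrange(1, 255)) for k in range(4))
        t = i * 0.005
        if kind == "syn_flood":
            pkts.append((t, "tcp", src, dst, dport, "S"))
        elif kind == "flash_crowd":
            pkts.append((t, "tcp", src, dst, dport, "S"))
            pkts.append((t + 0.05, "tcp", src, dst, dport, "A"))
        elif kind == "icmp_flood":
            pkts.append((t, "icmp", src, dst, 8, ""))       # ICMP type 8 = echo request
        elif kind == "udp_flood":
            pkts.append((t, "udp", src, dst, dport, ""))
    return sorted(pkts)


def classify(packets, window=1.0, rate_threshold=100):
    """Bucket traffic by (dst, proto, window) and label every bucket over the rate threshold."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set(), "syn": 0, "ack": 0})
    for t, proto, src, dst, _dport, flags in packets:
        b = buckets[(dst, proto, int(t // window))]
        b["pkts"] += 1
        b["srcs"].add(src)
        if proto == "tcp":
            if "S" in flags:
                b["syn"] += 1
            if "A" in flags:
                b["ack"] += 1
    alerts = []
    for (dst, proto, w), b in sorted(buckets.items()):
        pps = b["pkts"] / window
        if pps < rate_threshold:
            continue
        if proto == "tcp":
            # spoofed sources never answer the SYN-ACK, so the completion ratio stays near zero
            completion = b["ack"] / b["syn"] if b["syn"] else 1.0
            label = ("TCP SYN flood: sources never complete the handshake"
                     if completion < 0.1 else "flash crowd: handshakes complete, likely legitimate")
        else:
            label = f"{proto.upper()} flood"
        alerts.append({"dst": dst, "proto": proto, "window": w, "pps": pps,
                       "unique_sources": len(b["srcs"]), "label": label})
    return alerts


def propose_filter(alert):
    """Vendor-neutral description of the upstream filter to request for an alert, or None."""
    if alert["label"].startswith("flash crowd"):
        return None                       # add capacity or mirrors; do not block real users
    match = {"dst": alert["dst"], "proto": alert["proto"]}
    if alert["proto"] == "tcp":
        match["flags"] = "SYN"
        return {"action": "rate-limit", "match": match, "host_side": "enable SYN cookies"}
    return {"action": "rate-limit", "match": match, "host_side": None}


if __name__ == "__main__":
    for kind in ("syn_flood", "flash_crowd", "icmp_flood", "udp_flood"):
        for alert in classify(make_packets(kind, 200)):
            print(kind, "->", alert["label"], "| filter:", propose_filter(alert))
```

Running the block labels the first three generators as a SYN flood, a flash crowd and an ICMP flood respectively and proposes no filter for the crowd. Real capture data would come from a span port or flow export rather than `make_packets`, and the thresholds would be set from the site's normal baseline, which is the purpose of the "standard filters" and monitors the slides ask to have ready before an attack.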

Summary

- introduced denial of service (DoS) attacks
- classic flooding and SYN spoofing attacks
- ICMP, UDP, TCP SYN floods
- distributed denial of service (DDoS) attacks
- reflection and amplification attacks
- defenses against DoS attacks
- responding to DoS attacks