An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks. Paper by Vern Paxson.

Presentation transcript:

DDOS

Traceback ITRACE (Bellovin) – uses ICMP messages emitted by routers to trace the path back to the source. However, routers emit these ICMP packets with low probability, so a high-volume flow is needed to identify every router on the path. SPIE (Snoeren) – the Source Path Isolation Engine – records sets of hashes of the packets traversing a given router, so it can trace the path even for low-volume flows.

Reflectors A reflector is any IP host that returns a packet when sent a packet. Examples: SYN → SYN/ACK, ICMP echo request → echo reply, etc. There are lots of reflectors on the Internet, and an attacker can program slaves to use millions of them. Hard to block, since the attack packets arrive from an extremely diffuse base of source addresses.

DDOS with Reflectors

Tracing when reflectors are used Easy for the victim to identify the reflectors, since their source IP addresses are real. However, it is hard to trace back to the slaves, because the reflectors were given the victim's IP as the source address, and tracing further requires cooperation from each reflector's operator. ITRACE is of little use because the flow through any given reflector is low-volume (the attack is diffused across many reflectors). SPIE can be used.
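To make the SPIE point concrete, here is a toy digest table written for this page (not code from the SPIE paper or from these slides): each router hashes the invariant part of every forwarded packet into a Bloom filter, and the reflector's operator later asks each router whether the captured spoofed packet passed through it. The topology, addresses and table sizes are constructed.

```python
import hashlib
import struct
# Added example, not code from the SPIE paper or the slides: a toy SPIE-style
# digest table. Routers record digests of forwarded packets; the reflector's
# operator queries them with a captured spoofed packet. Sizes are constructed.
IP_HDR_LEN = 20        # assumes no IP options
PAYLOAD_PREFIX = 8     # SPIE digests only the first 8 bytes after the IP header
FILTER_BITS = 1 << 16  # constructed table size
NUM_HASHES = 3
def invariant_bytes(packet: bytes) -> bytes:
    """IP header with per-hop mutable fields zeroed, plus the payload prefix."""
    hdr = bytearray(packet[:IP_HDR_LEN])
    hdr[1] = 0                # TOS/DSCP may be rewritten en route
    hdr[8] = 0                # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"  # header checksum changes with the TTL
    return bytes(hdr) + packet[IP_HDR_LEN:IP_HDR_LEN + PAYLOAD_PREFIX]

class DigestTable:
    """Bloom filter of packet digests kept by one router for one time window."""
    def __init__(self) -> None:
        self.bits = bytearray(FILTER_BITS // 8)
    def _positions(self, data: bytes):
        for i in range(NUM_HASHES):
            h = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(h[:4], "big") % FILTER_BITS
    def record(self, packet: bytes) -> None:
        for p in self._positions(invariant_bytes(packet)):
            self.bits[p >> 3] |= 1 << (p & 7)
    def seen(self, packet: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7))
                   for p in self._positions(invariant_bytes(packet)))

def build_packet(src: bytes, dst: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload),
                      0x1234, 0, ttl, 6, 0, src, dst)
    return hdr + payload

def trace(routers: dict, packet: bytes) -> list:
    # Names of the routers whose digest tables report the packet: the path.
    return sorted(n for n, t in routers.items() if t.seen(packet))

def demo() -> list:
    # Constructed topology: a SYN carrying the victim's spoofed source (192.0.2.10)
    # travels to a reflector (198.51.100.5) via R1 and R2, never via R3.
    victim, reflector = b"\xc0\x00\x02\x0a", b"\xc6\x33\x64\x05"
    syn = b"\x04\xd2\x00\x50" + b"\x00" * 16  # TCP header bytes, sport 1234 -> dport 80
    routers = {"R1": DigestTable(), "R2": DigestTable(), "R3": DigestTable()}
    routers["R1"].record(build_packet(victim, reflector, 64, syn))
    routers["R2"].record(build_packet(victim, reflector, 63, syn))
    captured = build_packet(victim, reflector, 61, syn)  # as seen at the reflector
    return trace(routers, captured)  # returns ['R1', 'R2']
```

Because the TTL and checksum are zeroed before hashing, the packet captured downstream still matches the digests recorded upstream, which is what lets a single low-volume packet be traced.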

Defenses Against Reflectors Ingress filtering. Can block all incoming packets except from known good IPs. (Not useful for public/commercial sites.) Timing or pattern match filtering (possible). Software on reflector to allow victim to trace back to slave. (Not practical, difficult/impossible to deploy.)

Filtering Techniques Must be stateless, since the attack creates too much bogus state for a stateful filter to track. Filtering is done at the ISP end (or sufficiently far from the victim to keep the victim's bandwidth available).

Filtering IP Packets Can filter on IP SRC/DST if the "bad" reflectors are known. IP TOS/DSCP is possible if the attack traffic is non-premium. Fragments – possible to discard these unless the victim needs them (NFS, AFS, GRE, etc.). Conclusion: there are too few header fields to make filtering at the IP level very useful.

Filtering ICMP Can filter out echo requests/replies. Can stop smurf attacks. Harder to suppress other ICMP messages since these are needed for tearing down state (host unreachable), traceroute (time exceeded).

Filtering TCP Can block source port 80 to block most DDOS attacks that use web servers as reflectors. Downside: won’t be able to connect to any external web servers. Block RST. Causes victim to keep more state than usual (may be acceptable tradeoff). Block SYN/ACK. Causes victim to lose all remote services (may be acceptable if all traffic is outgoing).
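The IP, ICMP and TCP rules of the last three slides, as an added stateless edge filter written for this page (not the paper's code): each policy switch is one of the trade-offs the slides name, the packet parser works on raw IPv4 bytes, and the default policy, addresses and test traffic are assumptions.

```python
import struct
from dataclasses import dataclass
# Added example for this page (not the paper's code): a stateless edge filter that
# applies the slides' IP, ICMP and TCP rules to raw packets. Every switch is one of
# the trade-offs the slides name; the default policy below is an assumption.
@dataclass
class Policy:
    drop_fragments: bool = True      # unless the victim needs NFS/AFS/GRE fragments
    drop_icmp_echo: bool = True      # stops smurf; unreachable/time exceeded still pass
    drop_tcp_sport_80: bool = True   # web-server reflectors; costs outbound web access
    drop_rst: bool = True            # victim must hold more connection state
    drop_synack: bool = False        # would cut off every remote service

def parse(packet: bytes) -> dict:
    """Decode the IPv4 fields the rules need, plus ICMP type or TCP ports/flags."""
    vihl, _tos, _len, _id, frag, _ttl, proto, _sum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    body = packet[(vihl & 0x0F) * 4:]
    info = {"proto": proto, "frag": bool(frag & 0x2000) or (frag & 0x1FFF) != 0}
    if proto == 1:                    # ICMP: type is the first byte
        info["icmp_type"] = body[0]
    elif proto == 6:                  # TCP: ports and the 9-bit flag field
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        info.update(sport=sport, dport=dport, syn=bool(off_flags & 0x02),
                    rst=bool(off_flags & 0x04), ack=bool(off_flags & 0x10))
    return info

def verdict(policy: Policy, packet: bytes) -> str:
    """Stateless decision: no per-flow table, so a flood cannot exhaust the filter."""
    p = parse(packet)
    if p["frag"] and policy.drop_fragments:
        return "drop:fragment"
    if p["proto"] == 1 and policy.drop_icmp_echo and p["icmp_type"] in (0, 8):
        return "drop:icmp-echo"
    if p["proto"] == 6:
        if policy.drop_tcp_sport_80 and p["sport"] == 80:
            return "drop:web-reflector"
        if policy.drop_rst and p["rst"]:
            return "drop:rst"
        if policy.drop_synack and p["syn"] and p["ack"]:
            return "drop:synack"
    return "pass"

def ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Constructed IPv4 header (checksum zero) from a reflector toward the victim."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64,
                       proto, 0, b"\xc6\x33\x64\x05", b"\xc0\x00\x02\x0a") + payload

def tcp(sport: int, flags: int) -> bytes:
    return struct.pack("!HHIIHHHH", sport, 40000, 1, 1, (5 << 12) | flags, 65535, 0, 0)
SYN, RST, ACK = 0x02, 0x04, 0x10
```

Note that an ICMP time exceeded or destination unreachable message passes under the default policy, exactly the messages the ICMP slide says must survive.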

Filtering TCP cont. Any other TCP packet type means slave must establish a connection with the reflector, so SRC address cannot be forged (thus slave is easily traceable). UNLESS... Reflector’s TCP stack has guessable sequence numbers. Can use ACK splitting to amplify traffic.

Filtering TCP summary Can be effective if victim is willing to endure loss of contact to external servers and doesn’t mind maintaining more state than usual. However, this won’t work if attacker can find a large number of reflectors with poorly implemented TCP stacks (guessable TCP sequence numbers).

Filtering UDP Attackers can use DNS as a reflector (send forged DNS queries so that reply goes to victim). Countermeasure: block DNS except from a small set of servers. Use internal DNS servers. However, if victim is a DNS server for a particular zone, then attacker can submit queries of the form bogus.victim.com, which causes recursive queries back to victim. Countermeasure: none!

Using proxies Attacker can use proxies (ex: http proxy) as a reflector. This would be effective except that it requires a non-spoofed source address, so slaves can be identified.

Gnutella An attacker can mount the proxy attack without being traced. Using the Gnutella "push" directive, the request propagates through the Gnutella network and becomes separated from the client (slave). The victim can trace back to a Gnutella server; the operator of that server can trace back only to its immediate neighbor, and so on. Conclusion: it is virtually impossible to trace the chain of Gnutella servers back to the slave.

Summary Reflectors make DDOS attacks much more diffuse and harder to prevent. Can guard against some DDOS reflector attacks if victim is willing to forgo some services. TCP guessable sequence numbers, recursive DNS queries, and Gnutella “push” directive present major threats (no known defenses).