
Denial of Service Attacks and Countermeasures Analysis Dang Nguyen Duc School of Engineering (2001816)


Slide 2: Contents
1. Introduction
2. What is a DoS attack?
3. Well-known DoS attacks
4. Intermediate countermeasures
5. Protocols against DoS
6. Conclusion
7. References

Slide 3: 1. Introduction
- We are at war, not at risk.
- DoS is a very simple but powerful attack.
- To defeat the attack, we need to analyze it.
- We need intermediate solutions.
- We need long-term solutions (making use of cryptographic primitives).

Slide 4: 2.1. What is a DoS attack?
A DoS attack:
- attempts to flood a network, thereby preventing legitimate network traffic;
- attempts to disrupt connections between two machines, thereby preventing access to a service;
- attempts to prevent a particular individual from accessing a service;
- attempts to disrupt a specific system or person.

Slide 5: 2.1. Distributed DoS (title only; the diagram is not in the transcript)

Slide 6: 2.2. Modes of attacks
- Consumption of limited or non-renewable resources: network connectivity, bandwidth, etc.
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components

Slide 7: 3.1. Smurf attack (ping of death) (title only; the diagram is not in the transcript)

Slide 8: 3.1. SYN flood
[diagram] Normal three-way handshake (Source, Destination):
  Destination: Listen
  Source -> Destination: SYN n
  Destination -> Source: SYN m, ACK n+1 (Destination: SYN_RECVD)
  Source -> Destination: ACK m+1 (CONNECTED)
[diagram] SYN flood (Attacker, Victim):
  Victim: Listen
  Attacker -> Victim: SYN n
  Victim -> Attacker: SYN m, ACK n+1 (Victim: SYN_RECVD)
  Attacker -> Victim: SYN n+1 (the next SYN; the handshake is never completed)
  Port flooding occurs

Slide 9: 3.1. UDP flood (fraggle)
- Similar to the Smurf attack.
- UDP echo messages always expect UDP reply messages.

Slide 10: Distributed DoS attacks (tools)
- Trinoo
- Tribe Flood Network (TFN)
- Stacheldraht
- Shaft
- TFN2K

Slide 11: 4. Intermediate countermeasures
- Software patches
- Secure the host computer from hacking, trojan horses, viruses, back doors, ...
- Configure the router to deny spoofed source addresses
- Reduce the time-out of half-open connections
- Increase resources for half-open connections (backlog)
- Close unused TCP/UDP ports
- Firewall
- Etc.
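The half-open connection point from the slide above, as an added example (not from the presentation): a small detector that reads socket-table rows in the style of `ss -tan`, counts SYN-RECV entries per local port and flags a port whose half-open count reaches a threshold (the listen backlog size is a natural choice). The sample rows are constructed; the header format follows `ss -tan` but the addresses are documentation ranges.

```python
from collections import defaultdict

# Constructed sample in the style of `ss -tan` output (not a real capture):
# five half-open (SYN-RECV) connections on port 80 from distinct peers,
# one on port 443, and one established session on port 22.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.0.0.5:80          198.51.100.7:40001
SYN-RECV   0      0      10.0.0.5:80          198.51.100.8:40002
SYN-RECV   0      0      10.0.0.5:80          198.51.100.9:40003
SYN-RECV   0      0      10.0.0.5:80          198.51.100.10:40004
SYN-RECV   0      0      10.0.0.5:80          198.51.100.11:40005
SYN-RECV   0      0      10.0.0.5:443         203.0.113.4:50001
ESTAB      0      0      10.0.0.5:22          203.0.113.9:50022
"""


def parse_ss(text):
    """Return (state, local_port, peer_addr) tuples from ss-style rows."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]    # rsplit also copes with IPv6
        peer_addr = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_addr))
    return rows


def half_open_report(rows, threshold):
    """Per local port: half-open count, number of distinct peers, and an
    alert flag when the half-open count reaches the threshold."""
    counts = defaultdict(int)
    peers = defaultdict(set)
    for state, port, peer in rows:
        if state == "SYN-RECV":
            counts[port] += 1
            peers[port].add(peer)
    return {port: {"half_open": counts[port],
                   "distinct_peers": len(peers[port]),
                   "alert": counts[port] >= threshold}
            for port in counts}


if __name__ == "__main__":
    for port, info in half_open_report(parse_ss(SAMPLE_SS), threshold=5).items():
        print(port, info)
```

Many half-open entries from many distinct, never-completing peers on one port is the pattern the slide's time-out and backlog settings are meant to absorb.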

Slide 12: 5.1. Why does IPsec not work?
- Too many design goals
- High complexity
- Provides authentication but introduces another attack: abuse of resources for expensive operations (e.g. exponentiation)

Slide 13: 5.2. Client Puzzle
- The client commits its resources to solving the puzzle.
- The server does not store state data or perform expensive computation.
  (Exchange: Puzzle from server to client; Solution from client to server.)
- The server verifies the solution.
- If it accepts, it may now commit resources to the expensive parts of the authentication.

Slide 14: 5.2. Client Puzzle (cont.)
- Creating a puzzle and verifying the puzzle's solution is inexpensive for the server.
- The cost of solving the puzzle is easy to adjust from zero to impossible (i.e. when the server's resources are getting exhausted, the server should increase the difficulty level).
- It is not possible to precompute solutions.
- While the client is solving the puzzle, the server does not need to store the solution or other client-specific data.
- The same puzzle may be given to several clients. Knowing the solution of one or more clients does not help a new client in solving the puzzle.
- A client can reuse a puzzle by creating several instances of it.

Slide 15: 5.2. Puzzle by hash function
- A hash function is the simplest cryptographic primitive, free of charge.
- Puzzle: H(Ns, x) = 0^k y, where
  Ns: server's nonce (the puzzle)
  x: solution to the puzzle
  y: anything (the remaining bits of the hash output)
  k: difficulty level (the number of leading zero bits required)
- The client finds x by brute force.
- Unique (client-specific) solution: H(client_id, Nc, Ns, x) = 0^k y, where
  Nc: client's nonce
  client_id: client identity

Slide 16: 5.2. Authentication protocol
1. Client -> Server: Hello
2. The server periodically decides the difficulty level k, generates a nonce Ns and sends the following message together with its signature:
   Ns, k, sign(Ns, k)
3. The client verifies the signature on Ns, k. It then generates a nonce Nc and finds a solution x by brute force:
   h(client_id, Ns, Nc, x) = 0^k y
   (The server is in idle state while the client solves the puzzle.)
4. Client -> Server: client_id, Ns, Nc, x
5. The server verifies that Ns is recently in use and that client_id, Ns, Nc have not been used before, and checks that h(client_id, Ns, Nc, x) = 0^k y.
6. If it accepts, the server now commits resources for the expensive operation. The server also stores client_id, Ns, Nc while Ns is recently in use.
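The hash puzzle of slide 15 and the server-side checks of slide 16, as an added example in Python (not code from the presentation or from the cited papers). SHA-256, the 8-byte encoding of x and the 16-byte nonce length are assumptions; the signature on (Ns, k) is left out, so only the puzzle, the brute-force solver, the replay check and the "Ns recently in use" check are shown.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Length of the '0^k' prefix: leading zero bits of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(client_id: bytes, ns: bytes, nc: bytes, x: int) -> bytes:
    # h(client_id, Ns, Nc, x); SHA-256 is an assumption, the slides name no hash.
    return hashlib.sha256(client_id + ns + nc + x.to_bytes(8, "big")).digest()


def solve_puzzle(client_id: bytes, ns: bytes, nc: bytes, k: int) -> int:
    """Client side: brute-force the smallest x whose hash has k leading zero bits."""
    x = 0
    while leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) < k:
        x += 1
    return x


def verify_solution(client_id: bytes, ns: bytes, nc: bytes, x: int, k: int) -> bool:
    """Server side: a single hash, no per-client state needed before this point."""
    return leading_zero_bits(puzzle_hash(client_id, ns, nc, x)) >= k


class PuzzleServer:
    def __init__(self, k: int, ns: bytes = None):
        self.k = k                                   # difficulty; raise it under load
        self.ns = ns if ns is not None else secrets.token_bytes(16)
        self.seen = set()                            # (client_id, Ns, Nc) while Ns is current

    def hello(self):
        # Slide 16 sends Ns, k together with sign(Ns, k); the signature is omitted here.
        return self.ns, self.k

    def accept(self, client_id: bytes, ns: bytes, nc: bytes, x: int) -> bool:
        if ns != self.ns:                            # Ns must be the one recently in use
            return False
        if (client_id, ns, nc) in self.seen:         # replayed (client_id, Ns, Nc)
            return False
        if not verify_solution(client_id, ns, nc, x, self.k):
            return False
        self.seen.add((client_id, ns, nc))           # only now commit expensive resources
        return True
```

With k = 0 the solver returns immediately, and each extra bit of k doubles the client's expected work while the server's verification cost stays at one hash.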

Slide 17: 6. Conclusion
- Analyzed attacks and countermeasures
- Client Puzzle using a hash function
- We are behind the attackers
- A combination of countermeasures is required

Slide 18: 7. References
[1] http://www.cert.org
[2] Jussipekka Leiwo, Towards Network Denial of Service Resistant Protocols.
[3] Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, et al., Analysis of a Denial of Service Attack on TCP.
[4] Felix Lau, Stuart H. Rubin, Michael H. Smith, Ljiljana Trajkovic, Distributed Denial of Service.
[5] Tuomas Aura, Pekka Nikander, Jussipekka Leiwo, DoS-Resistant Authentication with Client Puzzles.
[6] Pasi Eronen, Denial of Service in Public Key Protocols.
[7] Douglas E. Comer, Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Architectures, Fourth Edition.
[8] RFCs.
[9] David Dittrich et al., The distributed denial of service attack tool series.
[10] Niels Ferguson and Bruce Schneier, A Cryptographic Evaluation of IPsec.
