Distributed Denial of Service Attacks


1 Distributed Denial of Service Attacks

2 Potential Damage of DDoS Attacks
The Problem: Massive distributed DoS attacks have the potential to severely decrease backbone availability and can virtually detach a network from the Internet.

3 Motives for DDoS Attacks
- Cyber warfare: prevent information exchange
- A means to blackmail a company or even a country and cause loss of image and money
- Youthful mischief and the desire to feel the power "to rule the world"
- Proof of technical excellence to "the world" and oneself
- Outbreak of worms from Internet security research ;-) ??

4 What Are DDoS Tools?
- Clog the victim's network.
- Use many sources ("daemons") for the attacking traffic.
- Use "master" machines to control the daemon attackers.
- At least 4 different versions in use: TFN, TFN2K, Trinoo, Stacheldraht.

5 How They Work
[Diagram of the attack hierarchy: Real Attacker, Master, several Daemons, Victim]

6 How They Talk
- Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication.
- TFN (Tribe Flood Network): attacker uses a shell to invoke the master; masters and daemons use ICMP ECHO REPLY; attack types include TCP SYN flood and ICMP broadcast (smurf).
- Stacheldraht ("barbed wire"): attacker uses an encrypted TCP connection to the master; masters and daemons use TCP and ICMP ECHO REPLY; rcp is used for auto-update and generation.

7 Deploying DDoS
- Attackers seem to use standard, well-known holes (e.g., rpc.ttdbserver, amd, rpc.cmsd, rpc.mountd, rpc.statd), exploiting remote buffer-overflow flaws.
- They appear to have "auto-hack" tools: point, click, and invade.
- Lesson: practice good computer hygiene.

8 Detecting DDoS Tools
- Most current IDSs detect the current generation of tools.
- They work by looking for DDoS control messages.
- Naturally, these will change over time; in particular, more such messages will be properly encrypted.

9 What Can ISPs Do?
- Deploy source-address anti-spoof filters (very important!).
- Turn off directed broadcasts: no ip directed-broadcast (a Cisco interface command).
- Develop security relationships with neighbor ISPs.
- Set up a mechanism for handling customer security complaints.
- Develop traffic volume monitoring techniques.
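The two router-side controls on this slide, source-address anti-spoof filtering and dropping directed broadcasts, as an added simulation in Python (example code, not from the original presentation). Interface names, customer prefixes, local subnets and the sample packets are constructed for illustration; the logic is the same check an ingress filter applies: a packet arriving on a customer-facing interface may only carry a source address from that customer's assigned prefixes, and nothing from outside may reach a local subnet's broadcast address.

```python
"""Added example (not from the original deck): ingress anti-spoof filtering
and directed-broadcast blocking on a simulated ISP edge router.
All interface names, prefixes and packets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes that may legitimately originate behind each customer-facing interface.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed: local subnets whose directed-broadcast address must not be reachable.
LOCAL_SUBNETS = [ipaddress.ip_network("203.0.113.128/25")]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source IP address
    dst: str       # destination IP address


def is_spoofed(pkt):
    """True if the source is not one the ingress interface is allowed to originate."""
    allowed = INTERFACE_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return False  # not a customer edge: no ingress anti-spoof policy configured here
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in allowed)


def is_directed_broadcast(pkt):
    """True if the packet targets the broadcast address of one of our local subnets."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == net.broadcast_address for net in LOCAL_SUBNETS)


def filter_packets(packets):
    """Return (forwarded, dropped); dropped is a list of (packet, reason) pairs."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_spoofed(pkt):
            dropped.append((pkt, "anti-spoof: source not in ingress prefixes"))
        elif is_directed_broadcast(pkt):
            dropped.append((pkt, "directed broadcast disabled"))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.200"),     # legitimate customer traffic
    Packet("cust-a", "198.51.100.7", "203.0.113.200"),   # spoofed source: not cust-a's prefix
    Packet("cust-b", "203.0.113.5", "203.0.113.255"),    # aimed at a local broadcast address
    Packet("peer-1", "198.51.100.200", "192.0.2.10"),    # peer link: no ingress policy applies
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for p in fwd:
        print("forward", p)
    for p, why in drp:
        print("drop   ", p, "-", why)
```

The peer-link case is deliberately left unfiltered to show the limit of this control: ingress filtering only works where the router knows which prefixes belong behind an interface, which is why the slide calls for it at the customer edge and for cooperation with neighbor ISPs elsewhere.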

10 Traffic Volume Monitoring: an example
- Look for too much traffic to a particular destination.
- Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
- Can we automate the tools? For example, too many queue drops on an access router could trigger source detection.
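The monitoring loop sketched on this slide, as an added Python example that is not part of the original presentation: aggregate per-destination volume from flow records, flag a destination whose volume exceeds a multiple of its baseline, and, when the access router also reports more queue drops than a threshold, break the flagged destination's traffic down by ingress interface and source so it can be chased back to the border routers. The flow-record format, baselines, thresholds and all values are constructed assumptions.

```python
"""Added example (not from the original deck): destination-volume spike
detection with queue-drop triggered source breakdown.
Record format, baselines and thresholds are constructed assumptions."""
from collections import defaultdict

# Constructed flow records exported by an access router, one per line:
# router ingress-interface src dst bytes
FLOW_LOG = """\
rtr-access-1 cust-a 192.0.2.10 198.51.100.80 1200
rtr-access-1 cust-a 192.0.2.11 198.51.100.80 900
rtr-access-1 peer-1 203.0.113.5 198.51.100.80 820000
rtr-access-1 peer-2 203.0.113.9 198.51.100.80 790000
rtr-access-1 peer-1 203.0.113.44 198.51.100.80 640000
rtr-access-1 cust-b 192.0.2.200 198.51.100.22 4500
rtr-access-1 peer-2 203.0.113.9 198.51.100.22 5100
"""

# Constructed baseline: typical bytes per monitoring window for each watched destination.
BASELINE_BYTES = {"198.51.100.80": 50_000, "198.51.100.22": 8_000}
SPIKE_FACTOR = 10            # flag a destination above 10x its baseline
QUEUE_DROP_THRESHOLD = 500   # drops per window that justify source detection


def parse_flows(text):
    """Parse the constructed record format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        router, iface, src, dst, nbytes = line.split()
        flows.append({"router": router, "iface": iface, "src": src,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


def bytes_per_destination(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return dict(totals)


def flag_destinations(totals, baseline=BASELINE_BYTES, factor=SPIKE_FACTOR):
    """Destinations whose volume exceeds factor x baseline (no baseline: not judged)."""
    return sorted(dst for dst, total in totals.items()
                  if dst in baseline and total > factor * baseline[dst])


def source_breakdown(flows, dst):
    """(ingress interface, source) pairs feeding dst, heaviest first: where to look upstream."""
    by_src = defaultdict(int)
    for f in flows:
        if f["dst"] == dst:
            by_src[(f["iface"], f["src"])] += f["bytes"]
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)


def analyse(text, queue_drops):
    """Report flagged destinations; add a source breakdown only when queue drops are high."""
    flows = parse_flows(text)
    totals = bytes_per_destination(flows)
    report = {}
    for dst in flag_destinations(totals):
        sources = source_breakdown(flows, dst) if queue_drops > QUEUE_DROP_THRESHOLD else None
        report[dst] = {"bytes": totals[dst], "sources": sources}
    return report


if __name__ == "__main__":
    for dst, info in analyse(FLOW_LOG, queue_drops=1200).items():
        print(f"{dst}: {info['bytes']} bytes this window")
        for (iface, src), nbytes in info["sources"] or []:
            print(f"  via {iface} from {src}: {nbytes}")
```

In the constructed data, 198.51.100.80 receives about 45x its baseline and almost all of it arrives over the peer links from a handful of sources, which is exactly the picture that tells an operator which border routers and neighbor ISPs to contact; 198.51.100.22 stays within range and is not reported.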

11 References
http://www.cert.org/reports/dsit_workshop.pdf
Dave Dittrich's analyses:
Scanning tool:
