Download presentation
Presentation is loading. Please wait.
Published byAlejandro Newlove Modified over 9 years ago
2
Internet Threats Denial Of Service Attacks
3
“The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about the Internet is that you’re connected to everyone else.” Vint Cerf The Internet And Information Security
4
Denial Of Service Attack Specifics
5
Denial Of Service Problems Exploding in popularity –No skill required High juvenile ratio –High availability of menu-driven programs available, on multiple platforms Up and ruining in minutes Unix, NT, Win95, etc Programs available via the Internet within HOURS of the identified exploit –Often requires assistance across multiple ISPs Coordination efforts impossible at best
6
Denial Of Service Problems Tracing –Source is almost always hidden, or forged Need to trace in real time, router by router to find Bad_Guy –High packet rates Sometimes victims can’t use Internet to complain about or trace the attack –Group accounts or throw-away accounts used School Labs, piracy dialup, hacked systems
7
DOS Types “Revenge of the Nerds” SYN Floods Mail Bombs Smurf Attacks Many, many others
8
Syn Floods TCP Handshake required to set up communication –Send- HELLO! (TCP_SYN) –Recv- Yea, What? (TCP_SYN_ACK) –Send- Let’s Talk! (TCP_ACK) SYN Flood exploits Handshake –Bad_Guy sends TCP_SYN from forged source that doesn’t exist –Victim tries to send a TCP_SYN_ACK, but can’t find the source, so it queues the message –Message is queued for ~75 seconds –Bad-Guy fills up SYN Queue –Victim can’t communicate
9
DoS Packet Flow SYN Attack SYN packet from Bad_Guy Where do I send data? Bad_Guy Victim
10
Mail Bombs Large amounts of email to victim –“FROM” address randomly created –Mail trail is often relayed through several relay systems Difficult to track origination One Word: SPAM –Explosion of tools available from Spamming organizations to make this point-and-click, and professionally difficult to trace
11
Smurf Attacks Most Recent Attack, also called a “Broadcast Ping Attack” Broadcast ping –Send a “broadcast_ping_request” to a network/subnet, and everyhost in that network/subnet replies with a “ping_reply” > ping 166.45.1.255 166.45.1.1 is alive 166.45.1.2 is alive 166.45.1.3 is alive …. 166.45.1.255 is alive
12
Smurf Attacks Attack –Bad_Guy sends a “broadcast_ping_request”, that looks like it came from “Victim”, and sends it to “Innocent 3rd Party” –Every host on “Innocent 3rd Party”’s network/subnet sends a “broadcast_ping_reply” to the victim –Victim gets hit with a massive ping attack –Good_guy traces the Attack to the “Innocent 3rd Party” Compensators –Disable Broadcast Ping Replies on your routers “no ip directed broadcasts” –Deploy monitoring software –Call your ISP –Filter ICMP
13
Tools available to initiate attacks How they are being developed so quickly –Hackers are subscribing to “bug lists” used to discuss product bugs –Public Domain Testing software becoming widely available, being used maliciously –Template code to create TCP/IP Packets exist Their availability and dissemination –Ever try YAHOO? –IRC #DOS channel –Available within hours after bug is reported Professionally created, updated, etc
14
Impacts to ISPS –Bandwidth saturation Dos Attacks affect links that belong to ISPS Affects multiple customers –T1 backbone ISPs still exist! Hackers can do much damage on a 28.8 dialup T3 connected shell accounts in high demand –IRC #shells –Resources required to trace are intense Educating customer Tracing attack –Time sensitive issue
15
MCI’S DosTracker Reactive –Victim calls in for assistance –DoSTracker installed on Victim Border router (their connection to our Network) Proactive –DosTracker installed on Victim router, and “waits” for Attack to come in. Alerts when identified Not typically used, due to resource issues
16
MCI’S DoSTracker –DoSTracker watches packets going to Victim, and analyzes them for “DoS Characteristics” Forged source address Smurf Attack Large packet sources –DoSTracker traces identified DoS Packets router by router, interface by interface until it reaches an “edge” (customer or another network).
17
DoS Path Customer NET A NET B NET C
18
Migration of attacks What can we expect for future attacks? –Automation DoS Engines/Clients –Protocol exposures Streaming protocols –CUSeeMe, Multi-Cast, UseNet DNS –Reduction of detection capability Services being deployed much too quickly for security analysis, compensators and monitoring can be deployed and integrated. –We’ll always be one-two steps behind
19
Contact Dale Drew internetMCI Security Engineering 703/715-7058 ddrew@mci.net http://www.security.mci.net http://www.security.mci.net/check.html
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.