Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn,"— Presentation transcript:

1 Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn, MI -- June 9, 1998 980609_dos.ppt

2 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 2 Trends Significant increase in network-based Denial- of-Service attacks over the last year Attackers’ growing accessibility to networks Growing number of organizations connected to networks Vulnerability Most networks have not implemented spoof prevention filters Very little protection currently implemented against attacks

3 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 3 Profiles of Participants Tools of the Trade Anonymity Internet Relay Chat Cracked super-user account on enterprise network Super-user account on university residence hall network “Throw-away” PPP dial-up accounts Typical Victims IRC Users, Operators, and Servers Providers who eliminate troublesome users’ accounts

4 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 4 Goals of Attacks Prevent another user from using network connection “Smurf” and “Fraggle” attacks, “pepsi” (UDP floods), ping floods Disable a host or service “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death” Traffic monitoring Sniffing

5 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 5 “Smurf” and “Fraggle” Very dangerous attacks Network-based, fills access pipes Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic Requires the ability to send spoofed packets Abuses “bounce-sites” to attack victims Traffic multiplied by a factor of 50 to 200 Low-bandwidth source can kill high-bandwidth connections Similar traffic content to ping, UDP flooding but more dangerous due to traffic multiplication

6 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 6 “Smurf” (cont’d)

7 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 7 Prevention Techniques How to prevent your network from being the source of the attack: Apply filters to each customer network Apply filters to your upstreams This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity (source spoof)

8 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 8 Prevention Techniques (cont’d) How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack: Turn off directed broadcasts to networks: Cisco: Interface command “no ip directed-broadcast” As of 12.0, this is default (CSCdj31162) Proteon: IP protocol configuration “disable directed-broadcast” Bay Networks: Set a false static ARP address for bcast address 3Com: SETDefault -IP CONTrol = NoFwdSubnetBcast Use access control lists (if necessary) to prevent ICMP echo requests from entering your network Configure host machines to not reply to broadcast ICMP echos

9 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 9 Prevention Techniques (cont’d) Unicast RPF checking & CEF Inter-provider Cooperation Network Operations Centers should publish proper procedures for getting filters put in place and tracing started IOPS working group

10 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 10 References Detailed “Smurf” and “Fraggle” information http://www.quadrunner.com/~chuegen/smurf/ Ingress filtering RFC 2276 Other DoS attacks See expanded presentation at http://www.quadrunner.com/~chuegen/smurf/980513_dos

11 Craig A. Huegen Network-Based Denial of Service AttacksNANOG 13 11 Author Craig Huegen Questions?

Download ppt "Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 13 -- Dearborn,"

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.

Internet Threats Denial Of Service Attacks “The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...

1 © 1999, Cisco Systems, Inc. Course Number Presentation_ID ISP Security Issues in today’s Internet It’s not a nice place anymore...
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Chapter 9 Phase 3: Denial-of-Service Attacks. Fig 9.1 Denial-of-Service attack categories.

Chapter 9 Phase 3: Denial-of-Service Attacks. Fig 9.1 Denial-of-Service attack categories.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google