DENIAL OF SERVICE (DoS)
Prepared By: Ram Chandra Bhushan, M.Tech (ICT), 10IT61B07, IIT Kharagpur
Presentation Overview
Introduction
–Attack
–Where it lies?
Overview of DoS
–Symptoms and manifestations
–Background Information: Denial of Service Attacks
–Classification of Denial of Service Attacks
–Countermeasures for Denial of Service Attacks
–Denial of Service Attacks Shortfalls
DDoS (Distributed Denial of Service)
–Distributed Denial of Service Attacks
–Distributed Denial of Service Attack Architecture
–Widely Used Distributed Denial of Service Tools: Trinoo, TFN/TFN2K, Stacheldraht
Trinoo
–How it’s done?
–Password protection
Presentation Overview (Contd.)
–Login to Master
–Master and Daemon
–Master Commands
–Daemon Commands
DDoS Case Study: GRC.com
–GRC.com Network
–Difficulty in getting help
–GRC’s Infiltration
–GRC’s Infiltration Network
–GRC.COM Attack Network Setup
–GRC.COM Attack Network Attacking
Defending Against DDoS Attacks
–Three Lines of Defence
–Attack: Detection and filtering
–Attack: Source Traceback
Conclusion
Notes and References
ATTACK
An attack is anything which causes harm.
Information is an asset and needs to be secured from attacks.
To be secure we need three things to hold:
–Confidentiality: hidden from unauthorized access
–Integrity: protected from unauthorized changes
–Availability: available when it is needed
Where it lies?
Attacks are broadly categorized into two distinct types:
–Cryptanalytic attacks: apply mathematical techniques to obtain the key better than a brute-force search (trying all possibilities)
–Non-cryptanalytic attacks: denial of service falls in this category
Symptoms and manifestations
The United States Computer Emergency Readiness Team (US-CERT) defines the symptoms of denial-of-service attacks to include:
–Unusually slow network performance (opening files or accessing web sites)
–Unavailability of a particular web site
–Inability to access any web site
–Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)
Background Information: Denial of Service Attacks
Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources.
Flooding-based attacks:
–Traditional DoS: one attacker
–Distributed DoS: countless attackers
DoS attacks affect:
–Software systems
–Network routers/equipment
–Servers and end-user PCs
Classification of DoS Attacks
Attack | Affected Area | Example | Description
Network Level Device | Routers, IP switches, firewalls | Ascend Kill II, “Christmas Tree Packets” | Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.
OS Level | Equipment vendor OS, end-user equipment | Ping of Death, ICMP Echo attacks, Teardrop | Attack takes advantage of the way operating systems implement protocols.
Application Level Attacks | Finger Bomb | Finger Bomb, Windows NT RealServer G2 6.0 | Attack a service or machine by using an application attack to exhaust resources.
Data Flood (Amplification, Oscillation, Simple Flooding) | Host computer or network | Smurf Attack (amplifier attack), UDP Echo (oscillation attack) | Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.
Protocol Feature Attacks | Servers, client PCs, DNS servers | SYN (connection depletion) | Attack in which “bugs” in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting the DNS server cache.
Countermeasures for DoS Attacks
Attack | Countermeasure Options | Example | Description
Network Level Device | Software patches, packet filtering | Ingress and egress filtering | Software upgrades can fix known bugs, and packet filtering can prevent attacking traffic from entering a network.
OS Level | SYN cookies, drop backlog connections, shorten timeout time | SYN cookies | Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.
Application Level Attacks | Intrusion Detection System | GuardDog, other vendors | Software used to detect illicit activity.
Data Flood (Amplification, Oscillation, Simple Flooding) | Replication and load balancing | Akamai/Digital Island provide content distribution | Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and to accomplish complete attacks.
Protocol Feature Attacks | Extend protocols to support security | IETF standard for itrace, DNSSEC | Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
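The table lists SYN cookies as the OS-level countermeasure for SYN connection-depletion attacks. As an added example that is not part of the original presentation, the Python below implements the classic SYN-cookie layout (a 5-bit time counter in 32-second units, a 3-bit MSS index and a 24-bit keyed hash packed into the 32-bit initial sequence number) so that a server answering a SYN keeps no half-open state and only allocates a connection when an ACK carrying a valid cookie returns. The secret, the MSS table and the addresses are constructed for the example.

```python
import hashlib
import hmac

# Secret known only to the server; constructed for this example (rotated in practice).
SERVER_SECRET = b"example-only-syn-cookie-secret"

# MSS values the server is willing to encode in the 3-bit field (constructed table;
# real stacks use their own). Index 0 is the most conservative choice.
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8960, 9000, 65495)


def _mss_index(client_mss):
    """Largest table entry that does not exceed the client's advertised MSS."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_mss, now):
    """Build the ISN for the SYN-ACK: 5-bit time counter (32 s units),
    3-bit MSS index, 24-bit MAC. No per-connection state is stored."""
    counter = (int(now) // 32) & 0x1F
    isn = (counter << 27) | (_mss_index(client_mss) << 24) | _mac24(src, sport, dst, dport, counter)
    return isn & 0xFFFFFFFF


def check_syn_cookie(src, sport, dst, dport, ack_num, now):
    """Validate the final ACK of the handshake. Returns the MSS to use for the
    connection, or None if the cookie is stale or was not issued by us."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (int(now) // 32) & 0x1F
    # Accept cookies from the current or the previous 32-second window only,
    # so a captured cookie cannot be replayed indefinitely.
    if (current - counter) & 0x1F > 1:
        return None
    expected = _mac24(src, sport, dst, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed handshake: a genuine client completes; a stale cookie and a
    cookie presented from a different source address are both rejected."""
    src, sport, dst, dport = "198.51.100.7", 40000, "203.0.113.10", 80
    isn = make_syn_cookie(src, sport, dst, dport, 1460, now=1000)
    accepted = check_syn_cookie(src, sport, dst, dport, isn + 1, now=1010)
    stale = check_syn_cookie(src, sport, dst, dport, isn + 1, now=1100)
    forged = check_syn_cookie("192.0.2.5", sport, dst, dport, isn + 1, now=1010)
    return accepted, stale, forged


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The point of the scheme is that a flood of SYNs from spoofed sources costs the server nothing but a hash per SYN-ACK; the backlog that a SYN flood tries to exhaust no longer exists. The price is that TCP options not encoded in the cookie are lost for such connections, which is why real stacks only switch cookies on once the backlog is under pressure.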
DoS Shortfalls
New distributed server architectures make it harder for one DoS attack to take down an entire site.
New software protections neutralize existing DoS attacks quickly.
Service providers know how to prevent these attacks from affecting their networks.
Most current IDSs detect the current generation of tools.
Distributed Denial of Service Attacks
A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets (the victim’s network).
A DDoS master program is installed on one computer using a stolen account.
Many sources (“daemons”) are used to generate the attacking traffic.
The master program communicates with any number of “agent” programs installed on computers anywhere on the Internet.
The attacker uses the “master” machines to control the daemons or agents.
The agents, when they receive the command, initiate the attack.
DDoS Architecture (diagram)
Widely Used DDoS Programs
Trinoo
–attacker uses TCP; masters and daemons use UDP; password authentication
Tribe Flood Network
–attacker uses shell to invoke master; masters and daemons use ICMP ECHOREPLY
TFN2K
Stacheldraht (barbed wire)
–attacker uses an encrypted TCP connection to the master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update.
Trinoo
Discovered in August 1999; the first DDoS tool widely available.
Daemons found on Solaris 2.x systems.
Used to attack a system at the University of Minnesota; the victim was unusable for 2 days.
Uses a UDP flooding attack strategy.
TCP connectivity between the attacker and the master; UDP connectivity between the master and the agents.
Trinoo is famous for allowing attackers to leave a message in a folder called cry_baby. The file is self-replicating and is modified on a regular basis as long as port 80 is active.
How it’s done?
Using a compromised host, the attacker compiles a list of machines that can be compromised.
As soon as the list has been compiled, scripts are run to compromise those machines and convert them into Trinoo masters or daemons.
A new script is written to automatically install the trinoo daemon on the selected systems. Some installations will fail, but all successful installations together form the attacking network.
One master can control multiple daemons. The daemons are the compromised hosts that launch the actual UDP floods against the victim machine.
The DDoS attack is launched when the attacker issues a command on the master hosts. The masters instruct every daemon to start a DoS attack against the IP address specified in the command.
How it’s done? (Contd.)
Remote control of the master is set up via TCP port 27665.
The master system communicates with the agents via UDP on port 27444, and the agents send responses to the master on UDP port 31335.
Master and agents are password protected.
Commands are three-letter sequences, chosen so that they do not stand out when the binary is examined with strings.
(Diagram: Attacker → Master over TCP port 27665; Master → Daemon over UDP port 27444; Daemon → Master over UDP port 31335)
Password protection
Passwords are used to prevent administrators or other hackers from taking control.
The encrypted password is compiled into master and daemon using crypt().
Default passwords:
–“l44adsl” – trinoo daemon password
–“gOrave” – trinoo master server startup
–“betaalmostdone” – trinoo master remote interface password
–“killme” – trinoo master password to control the “mdie” command
Login to master
Telnet to port 27665 of the host running the master.
Enter the password “betaalmostdone”.
The master warns if others try to connect to it.
Commands and execution:
[root@r2 root]# telnet r1 27665
Trying 192.168.249.201...
Connected to r1.router (192.168.249.201).
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]
trinoo>
Master and daemon
Communicate by UDP packets.
Command line format:
–arg1 password arg2
The default password is “l44adsl”.
When a daemon starts, it sends “HELLO” to the master.
The master maintains a list of daemons.
Master commands
dos IP
–DoS the IP address specified
–“aaa l44adsl IP” is sent to each daemon
mdos
–DoS several IPs simultaneously
mtimer N
–Set the attack period to N seconds
bcast
–List all daemons’ IPs
mdie password
–Shut down all daemons
killdead
–Invite all daemons to send “HELLO” to the master
–Delete all dead daemons from the list
Daemon commands
Not used directly; only used by the master to send commands to daemons.
Consist of 3 letters
–Avoids exposing the commands when the Unix command “strings” is run on the binary
aaa password IP
–DoS the specified IP
bbb password N
–Set the attack period to N seconds
rsz password N
–Set the attack packet size to N bytes
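The control-channel facts on the preceding Trinoo slides (TCP 27665 attacker to master, UDP 27444 master to daemon, UDP 31335 daemon to master, and the daemon’s “HELLO” registration) are exactly what the later line of defence “monitor network traffic for known message exchanges among attackers, masters, agents” relies on. The following Python is an added example, not from the presentation, showing how a defender could map suspected Trinoo roles from flow records. The flow-record format and the sample records are constructed, and port matching on its own is only a weak signature, which is why the HELLO message is tracked as corroboration.

```python
from collections import defaultdict

# Control-channel ports from the slides and the role each direction implies.
TRINOO_CHANNELS = {
    ("tcp", 27665): "attacker->master",
    ("udp", 27444): "master->daemon",
    ("udp", 31335): "daemon->master",
}

# Constructed flow records: "proto src:sport > dst:dport payload-summary".
SAMPLE_FLOWS = """\
tcp 192.0.2.9:40111 > 10.0.0.7:27665 login
udp 10.0.1.20:27444 > 10.0.0.7:31335 HELLO
udp 10.0.1.21:27444 > 10.0.0.7:31335 HELLO
udp 10.0.0.7:1025 > 10.0.1.20:27444 aaa
udp 10.0.0.7:1025 > 10.0.1.21:27444 aaa
udp 10.0.0.5:1234 > 10.0.0.1:53 query
tcp 10.0.0.5:44000 > 203.0.113.8:80 GET
"""


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    proto, src, _, dst, *rest = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    payload = rest[0] if rest else ""
    return proto, src_ip, int(sport), dst_ip, int(dport), payload


def classify_flows(text):
    """Infer suspected Trinoo roles from control-channel traffic.

    Returns (roles, alerts): roles maps 'controllers', 'masters', 'daemons'
    and 'confirmed_masters' to sets of hosts; alerts holds one line per
    matching flow. A master is 'confirmed' only when a HELLO registration
    was seen on UDP 31335, since a port match alone could be a coincidence."""
    roles = {"controllers": set(), "masters": set(), "daemons": set()}
    alerts = []
    hello_seen = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, payload = parse_flow(line)
        channel = TRINOO_CHANNELS.get((proto, dport))
        if channel is None:
            continue                      # ordinary traffic (DNS, HTTP, ...)
        if channel == "attacker->master":
            roles["controllers"].add(src)
            roles["masters"].add(dst)
        elif channel == "master->daemon":
            roles["masters"].add(src)
            roles["daemons"].add(dst)
        else:                             # daemon->master
            roles["daemons"].add(src)
            roles["masters"].add(dst)
            if payload == "HELLO":
                hello_seen[dst] += 1
        alerts.append(f"{channel}: {proto} {src}:{sport} -> {dst}:{dport}")
    roles["confirmed_masters"] = {host for host, n in hello_seen.items() if n > 0}
    return roles, alerts


if __name__ == "__main__":
    roles, alerts = classify_flows(SAMPLE_FLOWS)
    for a in alerts:
        print(a)
    print(roles)
```

Run against the constructed records, the classifier names 10.0.0.7 as the master (confirmed by two HELLOs), 10.0.1.20 and 10.0.1.21 as daemons, and 192.0.2.9 as the controlling host, while the DNS and HTTP flows produce no alert. The same port table can be turned directly into IDS or firewall rules at the places the later slides list (victim network, ISP, upstream), which is the practical value of documenting a tool’s fixed ports.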
DDoS Case Study: GRC.com
Gibson Research Corporation provides free Internet security testing software: Shields Up, LeakTest, etc.
Attacked in May 2001 by a DDoS attack.
May 4, 2001: GRC.COM dropped off the Internet.
GRC identified that it was the victim of a DoS attack.
GRC’s firewall and router were able to stop the flood traffic from affecting GRC equipment, but the lines were completely used up.
GRC.com Network
(Diagram: Internet – Verio router – 100 Mbps link – GRC.COM firewall and router)
Difficulty in Getting Help Stopping DDoS Attacks
GRC contacts Earthlink but receives no help.
GRC contacts @Home (over 100 @Home PCs were identified as hosts for the attack); @Home, however, did not want to help.
The FBI is unable to help GRC either.
GRC then receives an anonymous e-mail in its web-based Spyware drop box which contains the “Zombie” (DDoS daemon).
GRC.COM Case Study: GRC’s Infiltration
GRC sets up a “Sitting Duck” dummy computer running the DDoS daemon to see what happens (see next slide).
“Sitting Duck” successfully connects to an IRC chat server and gets instructions to attack a system in Finland.
GRC disables the packet generation feature of “Sitting Duck” so that no malicious packets will be sent.
GRC writes an IRC chat Zombie to enter the IRC servers where hackers communicate and trade Zombie DDoS tools.
GRC communicates with the hackers to “lay off”.
GRC’s Infiltration Network (diagram)
GRC.COM Attack Network Setup (diagram)
GRC.COM Attack Network Attacking
(Diagram: Attacker – IRC servers – Internet – Verio router – T1 trunk – GRC.COM)
1. Attacker issues command to attack GRC.COM
2. Each DDoS daemon begins to attack the selected website.
Defending Against DDoS Attacks
The biggest barrier in defending against DDoS attacks is the lack of economic incentives for Internet users to cooperate.
Sample research by icsa.net shows that less than 15 percent of all corporate users are filtering source IP addresses. An even smaller percentage of Internet service providers – less than 8 percent – are doing this type of filtering.
Improving the security of all relevant devices
User-level traffic control
Block certain types of packets
Block packets by source address: derive attack signatures for the harmful packets
IP tracing
Server-level traffic monitoring and class-based queuing
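The source-address filtering that the icsa.net figures above show to be so rarely deployed is ingress/egress filtering at a site border, the countermeasure listed earlier for network-level devices. As an added example, not from the presentation, this Python applies both rules to a set of constructed packets; the site prefix, the bogon list and the packets are assumptions made for the illustration.

```python
import ipaddress

# Constructed: the address block assigned to the site being protected.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Address ranges that should never appear as a source on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(direction, src, dst):
    """Apply source-address filtering at the site border.

    'out' packets are egress-filtered: a packet leaving the site must carry a
    source address the site actually owns, so a compromised host inside cannot
    take part in a spoofed-source flood. 'in' packets are ingress-filtered: a
    packet arriving from the Internet must not claim a site-internal or bogon
    source. Returns (verdict, reason)."""
    s = ipaddress.ip_address(src)
    if direction == "out":
        if not _in_any(s, SITE_PREFIXES):
            return "drop", "egress: source not owned by site (spoofed)"
        return "pass", "egress ok"
    if direction == "in":
        if _in_any(s, SITE_PREFIXES):
            return "drop", "ingress: external packet claims internal source"
        if _in_any(s, BOGON_PREFIXES):
            return "drop", "ingress: bogon source"
        return "pass", "ingress ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packet samples: (direction, src, dst).
SAMPLE_PACKETS = [
    ("out", "203.0.113.5", "198.51.100.20"),    # legitimate outbound
    ("out", "198.51.100.77", "198.51.100.20"),  # internal host spoofing someone else
    ("in", "198.51.100.4", "203.0.113.10"),     # legitimate inbound
    ("in", "203.0.113.9", "203.0.113.10"),      # inbound packet pretending to be internal
    ("in", "10.1.2.3", "203.0.113.10"),         # private source arriving on a public link
]


def run_sample(packets=SAMPLE_PACKETS):
    """Return (passed, dropped, reasons) for a packet list."""
    passed, dropped, reasons = 0, 0, []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        if verdict == "pass":
            passed += 1
        else:
            dropped += 1
            reasons.append(f"{src} -> {dst}: {reason}")
    return passed, dropped, reasons


if __name__ == "__main__":
    passed, dropped, reasons = run_sample()
    print(f"passed={passed} dropped={dropped}")
    for r in reasons:
        print(" ", r)
```

Egress filtering is the rule whose economics the slide complains about: it protects other people’s networks from your hosts, not your own, which is why so few sites deploy it. It is also the one that would have blunted the spoofed-source floods of the tools discussed here; Trinoo’s UDP flood from many daemons is hard to attribute precisely because nobody on the path checks source addresses.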
Three lines of defense:
1. Attack prevention - before the attack
2. Attack detection and filtering - during the attack
3. Attack source traceback - during and after the attack
Attack prevention
–Protect hosts from installation of masters and agents by attackers
–Scan hosts for symptoms of agents being installed
–Monitor network traffic for known message exchanges among attackers, masters and agents
–Inadequate and hard to deploy
Attack detection and filtering
Detection
–Identify the DDoS attack and the attack packets
Filtering
–Classify normal and attack packets
–Drop attack packets
Can be done in 4 places
–Victim’s network
–Victim’s ISP network
–Further upstream ISP network
–Attack source networks
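To make the detection and filtering steps concrete, here is an added Python example that is not part of the presentation: a per-destination, per-protocol rate detector over a constructed packet trace, followed by a filter that drops only the flagged traffic and leaves the victim’s legitimate HTTP clients alone. The thresholds and the trace are constructed for the illustration.

```python
from collections import defaultdict


def build_sample_traffic():
    """Constructed packet trace: (time_s, proto, src, dst, dport).
    Ten seconds of steady HTTP from 20 clients to the victim, plus a
    300-packet UDP flood from 30 sources during second 5."""
    pkts = []
    for i in range(100):
        pkts.append((i * 0.1, "tcp", f"198.51.100.{i % 20 + 1}", "203.0.113.10", 80))
    for i in range(300):
        pkts.append((5.0 + i / 300, "udp", f"192.0.2.{i % 30 + 1}", "203.0.113.10", 7))
    pkts.sort(key=lambda p: p[0])
    return pkts


def detect_floods(pkts, pps_threshold=100, min_sources=10):
    """Detection: per (destination, protocol, 1-second window), flag windows
    whose packet count exceeds pps_threshold AND whose traffic comes from at
    least min_sources distinct hosts. The source-count condition is what
    separates a distributed flood from one busy but legitimate client."""
    count = defaultdict(int)
    sources = defaultdict(set)
    for t, proto, src, dst, _ in pkts:
        key = (dst, proto, int(t))
        count[key] += 1
        sources[key].add(src)
    alerts = {}
    for key, n in count.items():
        if n > pps_threshold and len(sources[key]) >= min_sources:
            alerts[key] = {"pps": n, "sources": len(sources[key])}
    return alerts


def filter_attack_packets(pkts, alerts):
    """Filtering: drop packets that fall in a flagged (dst, proto, window);
    keep everything else. Traffic on other protocols to the same victim (the
    HTTP clients here) is untouched, which is what distinguishes filtering
    from simply blackholing the victim's address."""
    kept, dropped = [], []
    for p in pkts:
        t, proto, _, dst, _ = p
        (dropped if (dst, proto, int(t)) in alerts else kept).append(p)
    return kept, dropped


def demo():
    pkts = build_sample_traffic()
    alerts = detect_floods(pkts)
    kept, dropped = filter_attack_packets(pkts, alerts)
    return alerts, len(kept), len(dropped)


if __name__ == "__main__":
    alerts, kept, dropped = demo()
    print(alerts)                      # one flagged UDP window for the victim
    print(f"kept={kept} dropped={dropped}")
```

On the constructed trace the detector flags exactly one window (UDP to 203.0.113.10 during second 5, 300 packets from 30 sources) and the filter drops those 300 packets while all 100 HTTP packets pass. The same logic moves upstream unchanged; what changes at the ISP is only that the link has enough capacity for the drop to happen before the victim’s line fills, which is the point the GRC case study makes.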
Attack source traceback
Identify the actual origin of a packet without relying on the packet’s source IP.
2 approaches
–Routers record information about packets
–Routers send additional information about packets to the destination
Source traceback cannot stop an ongoing DDoS attack
–Cannot trace origins behind firewalls or NAT (network address translators)
–More to do for reflector attacks (attack packets come from legitimate sources)
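The second approach above, routers sending additional information about packets to the destination, is usually done by probabilistic packet marking. The Python below is an added simulation, not from the presentation, of the simplest (node-sampling) variant: each router on a constructed five-hop path overwrites a mark field with probability p, and the victim recovers the router order from how often each mark arrives. It also shows the slide’s caveat in practice: reconstruction needs thousands of attack packets, so it only works during a sustained flood, and it says nothing about origins behind a NAT.

```python
import random
from collections import Counter

# Constructed path from the attacking host to the victim: R1 is the first
# router after the attacker, R5 the last router before the victim.
PATH = ["R1", "R2", "R3", "R4", "R5"]


def forward_with_marking(path, rng, p=0.5):
    """Node-sampling packet marking: each router on the path, with probability
    p, overwrites the packet's mark field with its own identifier. Only the
    last router to mark is visible to the victim. (A production scheme also
    has to cope with a mark the attacker writes before the first router.)"""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def reconstruct_path(marks):
    """Victim side: the mark from a router d hops away survives with
    probability p(1-p)^(d-1), so ranking routers by how often their mark
    arrived orders them from the victim outward toward the source."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def demo(num_packets=20000, seed=7):
    rng = random.Random(seed)  # seeded so the run is reproducible
    marks = [forward_with_marking(PATH, rng) for _ in range(num_packets)]
    return reconstruct_path(marks)


if __name__ == "__main__":
    print(demo())  # ['R5', 'R4', 'R3', 'R2', 'R1']: victim side first
```

With p = 0.5 the expected mark counts for R5 down to R1 are roughly 10000, 5000, 2500, 1250 and 625 out of 20000 packets; the geometric fall-off is why the scheme needs a large packet volume and why distant routers are the least certain. Nothing here identifies the host behind R1, which is the slide’s point that traceback locates a network, not the attacker, and cannot by itself stop the flood.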
Conclusion
DDoS attacks are a complex and serious problem - affecting not only the victim but also the victim’s legitimate clients
DDoS defense approaches are numerous - we need to learn how to combine the approaches to completely solve the problem
The Internet community must cooperate to counter the threat - global deployment of defense mechanisms
References
1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures. Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
2. Kargl, Frank, Joern Maier, and Michael Weber. Protecting Web Servers from Distributed Denial of Service Attacks. WWW10, May 1-5, Hong Kong. ACM 1-58113-348-0/01/0005.
3. Stein, Lincoln. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002. http://www.s3.org/security/faq/ (visited on October 1, 2002).
4. Dittrich, David. The DoS Project’s “trinoo” Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited on October 1, 2002).
5. Dittrich, David. The “Tribe Flood Network” Distributed Denial of Service Attack Tool. University of Washington, October 21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (visited on October 1, 2002).
6. Dittrich, David. The “stacheldraht” Distributed Denial of Service Attack Tool. University of Washington, December 31, 1999. http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt (visited on October 1, 2002).
7. Gibson, Steve. The Strange Tale of the Denial of Service Attacks Against GRC.com. Gibson Research Corporation, March 5, 2002. http://grc.com/dos/grcdos.htm
8. Daniels, Thomas E. and Eugene H. Spafford. Network Traffic Tracking Systems: Folly in the Large? Center for Education and Research in Information Assurance and Security (CERIAS), Lafayette, IN, 2001.
9. Chang, R. “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” October 2002.
Thank You