Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Published byEvan Baldwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014."— Presentation transcript:

1 Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014

2 Lecture 22 Page 2 Advanced Network Security Outline Reflector attacks Shrew attacks Crossfire attacks

3 Lecture 22 Page 3 Advanced Network Security Reflector Attacks A type of DDoS attack that addresses issue of asymmetry Use a third party site to change a small attack message to a big one Relies on IP spoofing Can make use of several different protocols for reflection

4 Lecture 22 Page 4 Advanced Network Security A Reflector Attack Attacker Target Reflector SYN SYN/ACK Spoofing the IP address of the target

5 Lecture 22 Page 5 Advanced Network Security The Attack Multiplied

6 Lecture 22 Page 6 Advanced Network Security Why Is This Helpful to the Attacker? Packets arrive at target with many source IP addresses –Which are legitimate –Makes it harder to defend The reflector’s response might be bigger than the attacker’s request –Leading to amplification

7 Lecture 22 Page 7 Advanced Network Security Common Types of Reflectors DNS servers –Small requests can give large results –100X amplification factor NTP –A protocol flaw made reflector attacks worthwhile –Can amplify 200X Some DHT implementations

8 Lecture 22 Page 8 Advanced Network Security The Core Reflector Problem Attackers can spoof target IP address May be difficult to detect attackers –Attackers can use botnets to hide traffic volume Reflectors cannot easily distinguish between legitimate and illegitimate requests –Large number of possible reflectors Victim’s provider ISP can see the attack but can do little about it

9 Lecture 22 Page 9 Advanced Network Security Defending Against Reflector Attacks Cut down on IP spoofing –That’s often hard Make reflecting sites less available –Most DNS servers are only intended for local use, anyway Change reflector site behavior –Either in protocol or site Research approaches

10 Lecture 22 Page 10 Advanced Network Security One Research Approach - RAD Basic idea: reflected messages are replies to request If the target remembers what he requested He knows what replies he should see Drop “unexpected” replies

11 Lecture 22 Page 11 Advanced Network Security RAD Deployment Choices Local –Only sees the false replies –Validate replies correspond to requests –Reply volume may overwhelm a local defense –Only requires local cooperation Core –Can see all traffic –Validate that packets correspond to source AS –Requires core cooperation

12 Lecture 22 Page 12 Advanced Network Security Local RAD Validate that replies correspond to a request Most reflectable protocols have a repeated field from the request in the reply –Initial sequence number between SYN and SYN/ACK –ID number in DNS query and DNS response –ID and sequence number in ICMP ECHO and ICMP ECHOREPLY Place a message authentication code (MAC) in these fields Validate the reply’s MAC, proving the reply corresponds to a legitimate request

13 Lecture 22 Page 13 Advanced Network Security What Is In the MAC? Create MAC with 512-bit SHA-1 Use src. IP, dest. IP, src. port, dest. port, a counter and a 384-bit secret –IP addresses and ports allow us to generate different MACs for different destinations and data flows –Counter allows us to generate different MACs for the same destination over time –Secret is unique to source

14 Lecture 22 Page 14 Advanced Network Security Using Local RAD Sender Gateway Reflector Attacker Internet REQ + MAC RPL + MAC BAD REQ BAD RPL No correct MAC!

15 Lecture 22 Page 15 Advanced Network Security Core RAD Local RAD can be overwhelmed by sheer traffic volume Move filtering farther from the target, into the core Core RAD: –Have edge ASes mark all their outbound traffic –Have core nodes validate marks If a invalid mark is detected, drop the packet

16 Lecture 22 Page 16 Advanced Network Security Marking the Packets in Core RAD Generate a HMAC using the source address, destination address, packet contents and a secret key –Source and Destination prevent replays of one valid packet to many targets –Packet contents makes it easier to detect replays Place the HMAC into the IP ID field

17 Lecture 22 Page 17 Advanced Network Security Core RAD in Operation Sender Edge AS Reflector Attacker Core AS PKTPKT + MAC BAD PKT

18 Lecture 22 Page 18 Advanced Network Security Core RAD and DNS Reflector Attacks

19 Lecture 22 Page 19 Advanced Network Security RAD Lessons Local RAD –Provides a defense that only requires local cooperation –Limited by local bandwidth or ISPs bandwidth Core RAD –Provides nearly complete protection –Requires core ASes to participate –Core ASes can sell as a service

20 Lecture 22 Page 20 Advanced Network Security Shrew Attacks Classic DDoS attacks have high volume Which makes their presence pretty obvious And requires lots of attacker resources Shrew attacks deny service more stealthily, requiring fewer resources

21 Lecture 22 Page 21 Advanced Network Security TCP and Packet Losses TCP responds to losses by assuming they are caused by congestion –Detected by packets not ACKed –Due to timeout waiting for the ACK TCP’s response is to send less data The more losses, the less data sent Length of timeouts defined in the TCP protocol

22 Lecture 22 Page 22 Advanced Network Security Causing the Shrew Attacks Send brief bursts of high volume traffic At specifically chosen intervals To match timeouts of TCP’s expectation of ACK delivery The bursts cause ACKs to be dropped The other party thinks that there’s persistent congestion and backs off

23 Lecture 22 Page 23 Advanced Network Security Effect of a Shrew Attack The attacker’s average sending rate isn’t too high –E.g., ~900 Kbps The target’s sending rate drops to near zero –Because he keeps missing ACKs at critical moments

24 Lecture 22 Page 24 Advanced Network Security Handling Shrew Attacks Hard to detect this shrew behavior using existing methods –So figuring out that someone is doing it isn’t too likely Randomizing the TCP wait time helps But good choices don’t match nicely with behavior in face of real congestion

25 Lecture 22 Page 25 Advanced Network Security Crossfire Attacks Traditional DDoS flooding attacks involve sending packets to the target You could instead send packets “across” the target’s nearby networks Congest those networks without ever sending packets to the target at all

26 Lecture 22 Page 26 Advanced Network Security The Crossfire Concept Cut off a part of the Internet (the target area) that contains your victim (the public server) By congesting a set of target links Create the congestion by sending from your attack machines to decoy servers you set up near the target links

27 Lecture 22 Page 27 Advanced Network Security Crossfire Effectiveness Can seriously degrade performance in the attacked area While targeting a relatively low number of links –10-50, in the original experiments With sufficient attack nodes, each need only send a few Mbps

28 Lecture 22 Page 28 Advanced Network Security Crossfire Countermeasures Difficult to defend against Either design networks with higher internal connectivity Or get ISPs and core providers to work together quickly and closely Neither is ideal

29 Lecture 22 Page 29 Advanced Network Security Conclusion There are many interesting variations of DDoS attacks More are discovered all the time Most real world attacks aren’t exotic But only because they don’t need to be If we can stop the basic ones, we’ll need to tackle the advanced ones

Download ppt "Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014."

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Examining IP Header Fields

Examining IP Header Fields
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

Similar presentations

Ads by Google