Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Denial of Service Attacks Dina Katabi nms.csail.mit.edu/~dina.

Published byNathan Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security Denial of Service Attacks Dina Katabi nms.csail.mit.edu/~dina."— Presentation transcript:

1 Network Security Denial of Service Attacks Dina Katabi dk@mit.edu nms.csail.mit.edu/~dina

2 Announcements  DP2 extension until Sunday 5pm  Online evaluation is open at http://web.mit.edu/subjectevaluation http://web.mit.edu/subjectevaluation

3 Attacker’s Goals  Makes a service inaccessible  Links, servers, routing, etc.  Hide  Maximize damage for little work on the side of the attacker

4 Attacker Wants to Hide  Spoof the source (IP address, email account,...)  Indirection  Reflector attacks: E.g., Smurf Attack gateway Attacker Victim ICMP Echo Req Src: Victim’s addr Dest: brdct addr

5 Attacker Wants to Hide  Spoof the source (IP address, email account,...)  Indirection  Reflector attacks: E.g., Smurf Attack gateway Attacker Victim ICMP Echo Reply Dest: Victim

6 Increase Damage  Go Fully Distributed  Use a Botnet Master Daemon Victim Unidirectional commands Attack traffic Coordinating communication Attacker Master Daemon

7 Trinoo Transcript Connection to port (default 27665/tcp) attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Kwijibo Connection closed by foreign host.... attacker$ telnet 10.0.0.1 27665 Trying 10.0.0.1 Connected to 10.0.0.1 Escape character is '^]'. Betaalmostdone trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/] trinoo>

8 Trin00 Commands  dos - command to initiate a DoS against the targeted address  mdos - sends command to attack three IP addresses, sequentially  die – shut down the master  mdie - if correct password specified, packet is sent out to all daemon nodes to shutdown  mping – ping sent to all nodes in the deamon list  killdead – delete deamon nodes from list that didn’t reply to ping  bcast – gives a list of all active daemons  mstop – Attempts to stop an active DoS attack. Never implemented by the author(s), but the command is there

9 Attacks

10 Attacks on Bandwidth  Brute force attack  Attacker sends traffic to consume link bandwidth

11 Defending against bandwidth attacks is hard  Should drop packets before the bottleneck, i.e., at ISP  But  ISPs are not willing to deploy complex filters for each client  ISPs have no strong incentive; they charge clients for traffic  Big companies defend themselves by using very high bandwidth access links ISP network Victim network Bottleneck Link

12 Attacks on TCP

13 TCP SYN Flood TCP DoS Attacks: Client Server SYN C SYN S, ACK C ACK S Listening Store data Wait Connected

14 TCP SYN Flood TCP DoS Attacks: C S SYN C1 Listening Store data SYN C2 SYN C3 SYN C4 SYN C5

15 TCP SYN Flood  Usually targets connection memory  Too many half-open connections  Potential victim is any TCP-based server such as a Web server, FTP server, or mail server  To check for SYN flood attacks  Run netstat -s |grep "listenqueue overflows“ and check whether many connections are in "SYN_RECEIVED"  How can the server deal with it?  Server times out half-open connection  SYN cookies and SYN caches prevent spoofed IP attacks TCP DoS Attacks:

16 SYN Cookie  Ensures source IP is not spoofed  Server delay resource reservation until it checks that the client can receive a packet at the claimed source address SYN SYNACK (seq s =cookie) ACK (seq s =cookie+1) C S No state is stored. Initialize TCP seq number to a random cookie Check seq to ensure client received cookie

17 Attacks on Routers

18 Routing Protocols Attacks on Routers: X Z Y B A Routing Info X  A, Cost 1 Y  X  A, Cost 2 Z  X  A, Cost 2 B  Y  X  A, Cost 3

19 Attacks on Routing Table  Attacker needs to get access to a router  Attacks  Prefix hijacking by announcing a more desirable route  Z can lie about its route to A  Overload routers CPU by too many routing churns  Overload the routing table with too many routes  Causes router to run out of memory or CPU power for processing routes  E.g., AS7007 Attacks on Routers: X Z Y B A Routing Info Y  Z  A, Cost 2 Z  A, Cost 1 B  Y  Z  A, Cost 3

20 Countering Routing Table Attacks  Authenticate peer routers  Secure BGP [Kent et al]  Every ISP sign their advertisements creating a chain of accountability (e.g., Y sends { X: {A} X } Y  Too many signatures  too slow  With no authentication needs a few usec; authentication needs 2 orders of magnitude more time Attacks on Routers:

21 DoS Attacks on Web Servers

22 Attacks that Mimic Legitimate Traffic  Attacker compromises many machines causing them to flood victim with HTTP requests  Attacked resources  DB and Disk bandwidth  Socket buffers, processes, …  Dynamic content, password checking, etc.  Hard to detect; attack traffic is indistinguishable from legitimate traffic DoS Attacks on Servers: GET LargeFile.zip DO LongDBQuery

23 CAPTCH-Based Solution Suspected attack! To access www.foo.com enter the above letters:  Need to ensure:  Cheap ways to send test and check answer  Some people can’t or don’t want to answer graphical tests but are legitimate users (e.g., Blind users)

24 Detection

25 Detection Issues  Detecting What?  Detecting the offending packets  Some attack characteristics (e.g., how many zombies)  The occurrence of an attack  Offline vs. realtime  Realtime detection may help in throttling the attack while forensics might help in suing the attacker  Detection cost  Can attacker mount an attack on the detection mechanism? How would that affect the protected system?

26 Network Intrusion Detection  NIDS box monitors traffic entering and leaving your network  In contrast to firewalls, NIDS are passive XP Linux Win98 Linux Win95Mac NT

27 Approaches to Intrusion Detection 1. Signature Based: Keeps a DB of known attack signatures and matches traffic against DB (e.g., Bro, Snort)  Pros  Easy to understand the outcome  More accurate in detecting known attacks  Cons  Can’t discover new attacks 2. Anomaly Based: Matches traffic against a model of normal traffic and flags abnormalities (e.g., EMERALD)  Pros  Can deal with new attacks  Cons  Modeling normal. it is hard to describe what is normal  Limits new applications  Less accurate detection of known attacks 3. Hybrid: Matches against DB of known attacks. If no match, it checks for anomaly

28 Evasion Problem in NIDS  Consider scanning traffic for a particular string (“USER root”)  Easiest: scan for the text in each packet  No good: text might be split across multiple packets  Okay, remember text from previous packet  No good: out-of-order delivery  Okay, fully reassemble byte stream  Costs state ….  …. and still evadable Source: Vern Paxson

29 Evading Detection Via Ambiguous TCP Retransmission Sender Receiver NIDS 15 hops 20 hops

30 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? TTL=17, seq=1 TTL=23, seq=1 Timed out

31 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? i or o? TTL=17, seq=1 TTL=23, seq=1 o i o TTL=21, seq=2 TTL=15, seq=2 Timed out

32 Evading Detection Via Ambiguous TCP Retransmission Attacker Receiver n r r NIDS n or r? i or o? o c or t? TTL=17, seq=1 TTL=23, seq=1 o i o TTL=21, seq=2 TTL=15, seq=2 Timed out o c o TTL=20, seq=3 TTL=19, seq=4 Timed out t t TTL=27, seq=4 noot? niot? rooc? nooc? nioc? riot? root? …

33 Bypassing NIDS  Evasion  Insertion  DoS it  Hack it  Cause many false alarms until admin stops paying attention

Download ppt "Network Security Denial of Service Attacks Dina Katabi nms.csail.mit.edu/~dina."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1.1 Operating System Concepts An Introduction to DDoS And the “Trinoo” Attack Tool Acknowledgement: Ray Lam, Ivan Wong.

1.1 Operating System Concepts An Introduction to DDoS And the “Trinoo” Attack Tool Acknowledgement: Ray Lam, Ivan Wong.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003.

An Introduction to DDoS And the “Trinoo” Attack Tool Prepared by Ray Lam, Ivan Wong July 10, 2003.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Similar presentations

Ads by Google