Presentation is loading. Please wait.

Presentation is loading. Please wait.

 A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such.

Published byAugustine Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: " A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such."— Presentation transcript:

1

2  A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, or disk space.  Examples: › Using all available network bandwidth by generating unusually large volumes of traffic › Sending malformed TCP/IP packets to a server so that its operating system will crash › Sending illegal requests to an application to crash it › Making many processor-intensive requests so that the server’s processing resources are full › Consuming all available disk space by creating many large files

3  Network bandwidth is so large for most organizations that a single attacking machine cannot cause a network DoS.  DDoS attacks coordinate an attack among many computers  Lack of availability of computing and network services causes significant disruption an major financial lost  Two types of components: › Agents: which run on compromised hosts and perform the actual attacks (bots) › Handler: which is a program that controls the agents, telling them when, what, and how to attack.

4 A host sends many requests with a spoofed source address to a service on an intermediate host The host generates a reply to each request and sends these replies to the spoofed address Examples of reflector services: echo, chargen, DNS, SNMP, ISAKMP Reflector Attacks Involves sending requests (such as ICMP or UDP) with a spoofed source address to an expected broadcast address hoping that many hosts will receive and it and respond to it. Example: DNS recursion attack Amplifier Attacks Makes a resource unavailable by initiating large numbers of incomplete connection requests. Overwhelms the capacity and prevents new connections from being made. Examples: Peer-to-peer attack, synflood attack Flood Attacks

5  Talk with the organizations ISPs about how they handle network-based DoS attacks › Filtering or limiting traffic, blocking a particular source IP address or ICMP messages, providing logs, retracing attacks to their source  Consider participating in a coordinated response to a widespread DDoS attack that affects many organizations › Exchange information regarding such an attack with a centralized incident response entity  Deploy and configure intrusion detection and prevention software to prevent DoS traffic › Network behavior analysis software can identify unusual traffic flows

6  Perform ongoing resource monitoring to establish baselines of network bandwidth utilization  Internet Health Monitoring: when a network- based DoS occurs, incident responders could use Web sites to attempt to determine if similar attacks are currently affecting other organizations  Meet with network infrastructure administrators › Adjust logging of a certain type of activity  Maintain local copies of any information that may be useful in handling DoS incidents

7  Configure the network perimeter to deny all incoming and outgoing traffic that is not explicitly permitted › Block services that are used in DoS attacks (ex. Echo) › Perform egress and ingress filtering to block spoofed packets › Block traffic from unassigned IP address ranges › Make certain firewall rules and router ACL’s are written and sequenced properly › Limit incoming and outgoing ICMP traffic › Block outgoing connections to common IRC, P2P services if the usage is not permitted.  Implement Rate limiting for certain protocols (ex. ICMP)  Disable unneeded services  Ensure that networks and systems are not running near max. capacity so minor DoS attacks can’t occur easily.

8  Precursors: › DoS attacks are often preceded by reconnaissance activity – a low volume of the traffic that will be used in the actual attack - to determine which attacks may be effective › A newly released DoS tool  Responses: › Example: Alter firewall rulesets to block a particular protocol from being used › Investigate the new tool and alter security controls accordingly

9 Network-based DoS against a particular host User reports of system unavailability Unexplained connection losses Increased Network bandwidth utilization Large number of connections to a single host Asymmetric network traffic pattern Network-based DoS against a network Firewall and router log entries Packets with unusual source addressed Packets with nonexistent destination addresses Network Intrusion detection alerts User reports of system and network unavailablity DoS against the operating system or application of a particular host User reports of system and application unavailability Operating system log entries Network and host intrusion detection alerts Packets with unusual source addresses

10  Correct the vulnerability or weakness that is being exploited › Patch the OS › Block unnecessary services  Implement filtering based on the characteristic of the attack › Temporarily block certain requests (ICMP) › Rate limiting  Have the ISP implement filtering  Relocate the target  Attack the attackers (not recommended)

11  Identify the source of the attack from observed traffic (very difficult)  Trace attacks back through ISPs (easier if attack is ongoing)  Review Log Entries (Some may be overwritten depending on logging practices)

12  Configure firewall rulesets to prevent reflector attacks › Reject suspicious combinations of source and destination ports  Configure border routers to prevent amplifier attacks › Do not forward directed broadcasts  Determine how ISP can assist  Configure security software  Perimeter security – deny all incoming and outgoing traffic not expressly permitted  Create a containment strategy that includes several solutions in sequence

13  Viruses – designed to self-replicated › Compiled viruses: executed by the operating system  File Infector viruses: Attach themselves to an executable program  Boot Sector viruses: Infects the master boot record of a hard drive or removable media › Interpreted viruses: executed by an application (most common)  Macro viruses: Attach themselves to application documents  Script viruses: Similar to a macro but written in a language understood by the OS

14  Worms – self-replicating programs that are completely self- contained. › Network Service Worms: spread by exploiting a vulnerability in a network service associated with an OS or an application › Mass Mailing Worms: Similar to email-borne viruses but are self-contained instead of infecting an existing file.  Trojan Horses – non-replicating programs that appear to be benign but actually have a hidden malicious purpose  Others: › Malicious Mobile Code › Blended Attack (Ex: Nimda worm) › Tracking Cookies › Attacker Tools:  Backdoors  Keystroke Loggers  Rootkits  Web browser plug-ins › Non-Malware Threats:  Social Engineering  Phishing  Virus Hoaxes

15  Use Antivirus Software  Prevent the installation of Spyware  Block suspicious files  Filtering Spam  Limit the use of nonessential programs with file transfer capabilities (IM, P2P,etc.)  Educate users about email attachments  Eliminate Open Window Shares  Use Web Browser Security to Limit Mobile Code  Prevent open relaying of email  Configure email clients to act more securely

16  Precursor: › An alert warns of new malicious code that targets software the organization uses › Antivirus software detects and disinfects or quarantines infected file  Response › Research new virus, Update antivirus software, configure email clients to block emails with certain characteristics › Determine how it entered the system and what vulnerability it was attempting to exploit

17 Antivirus software alerts of infected files Sudden increase in the number of emails being sent and received Deleted, corrupted, or inaccessible files System instability and crashed A virus that spreads through email infects a host Unexpected dialog boxes, requesting permission to do something Unusual graphics, such as overlapping or overlaid message boxes Network connections between the host and some unknown system Sudden increase in the number of emails being sent and received Malicious mobile code on a Web site exploits vulnerabilities on a host Original source of the message is not an authoritative computer security group, but a government agency or an official person. No links to outside sources Tone and terminology attempt to invoke panic or sense of urgency Urges recipients to delete certain files and forward the message on A user receives a virus hoax message

18  Identifying and Isolating other infected hosts › Performing port scans › Use antivirus scanning and cleaning tools › Review logs  Send unknown malicious code to antivirus vendors  Configuring email servers and clients to block emails  Blocking particular hosts  Shutting down email servers  Isolate networks from the internet  Disabling services, possibly connectivity

19  Forensic Identification › Antivirus software, spyware detection, content filtering  Active Identification › Used to identify which hosts are currently infected › Deploying patches, updates, running a disinfection utility  Manual Identification › Most labor-intensive › IT staff identify infections by using information on the malware and the signs of an infection

20  Make users aware of malicious code issues – Education!!  Read antivirus bulletins  Use antivirus software and update regularly  Configure software to block suspicious files  Eliminate open window shares  Contain malicious code incidents as fast as possible  Deploy host-based intrusion detection and prevention systems

21  An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have. It is typically gained through the exploitation of operating system or application vulnerabilities, the acquisition of usernames and passwords, or social engineering.  Examples: › Guessing or cracking passwords › Viewing or copying sensitive data › Running a packet sniffer on a workstation to capture usernames and passwords › Using an unattended, logged-in workstation without permission

22 Network Security Put all publicly accessible services on secured DMZ network segments Use private IP addresses for all hosts on internal networks Host Security Perform regular vulnerability assessments to identify serious risks Run services with least privileges Require hosts to lock idle screens automatically Authentication and Authorization Create a good password policy Require sufficiently strong authentication Implement Physical Security

23  Precursors: › Users report possible social engineering attacks  Response: Give advice to all users on how to handle social engineering attempts › A person or system may observe a failed physical access attempt  Response: Detain the person. Strengthen physical and computer security controls if necessary

24 Root compromise of a host Unusual traffic to and from the host System configuration changes Modification of critical files Unexplained account usage New files or directories with unusual names Physical Intruder User reports of network or system unavailability System status changes Hardware is completely or partially missing Unauthorized new hardware Unauthorized data modification Ex: Defacing web server Increased resource utilization User reports of data modification Modifications to critical files

25  Isolate the affected systems › Perform port scans for backdoors  Disable the affected service  Eliminate the attacker’s route into the environment  Disable user accounts that may have been compromised  Enhance physical security measures  When unauthorized access is suspected, make a full image backup of the system

26  A multiple component incident is a single incident that encompasses two or more incidents  Example: › Malicious code spread through email compromises an internal workstation › An attacker uses the infected workstation to compromise additional workstations and servers › An attacker uses one of the compromised hosts to launch a DDoS attack against another organization

27 Preparation, Detection, & Analysis Conduct exercises in which the incident response team reviews scenarios of multiple component incidents Difficult to assess because components may or may not be related, incidents may not be known Containment, Eradication, & Recovery Better to contain the initial incident and then search for signs of other components & then handle the most urgent need first Unauthorized access incidents most likely have multiple components

28

Download ppt " A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Incident Handling COEN 250.

Incident Handling COEN 250.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Computer Viruses.

Computer Viruses.
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Objectives  Give examples of common network.

Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Objectives  Give examples of common network.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Network security policy: best practices

Network security policy: best practices
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google