Denial of Service Attacks

Denial of service attacks
Flooding attacks
Distributed DoS attacks
Reflector and amplifier attacks
Responding to a DoS attack

Textbook coverage: Chapter 8 (all)

Denial of Service
denial of service (DoS)
   an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
Attacks on availability of
   network bandwidth
   system resources
   application resources

Classic Denial of Service Attacks (figure)

Classic Denial of Service Attacks

Success factors for the attacker
   Own a network connection with high capacity
   Send packets to the target
   Avoid being detected
      Forging the source address (key factor)
      Decreasing the likelihood of a noticeable increase in network traffic to other hosts

Send Packets to Target
Theoretically, any protocol will work
The larger the packets are, the more effective the attack
Common protocols used
   ICMP Echo request (ping)
   ICMP Destination unreachable
   ICMP Time exceeded (tracert)
   UDP Echo service
   TCP SYN (connection request)

ICMP Destination Unreachable (figure)
Copied from http://faculty.valenciacc.edu/wyousif/CCNA/Semester%202%20Prsentations/Presentations/ccna2-mod8-ICMP.ppt#343,12,Unreachable networks

Source Address Spoofing
use forged source addresses
   possible given sufficient privilege to use “raw sockets”
   easy to create

Distributed Denial of Service Attacks

have limited volume if a single source is used
multiple systems allow much higher traffic volumes, forming a Distributed Denial of Service (DDoS) attack
often compromised PCs / workstations
   zombies with backdoor programs installed
   forming a botnet
e.g. Tribe Flood Network (TFN), TFN2K

DDoS Control Hierarchy (figure): Tribe Flood Network (TFN)
Labels from the diagram:
   Command-line program
   Encrypted, decoy packets, randomized TCP, UDP, ICMP
   Trojan horse
   ICMP flood, SYN flood, UDP flood, ICMP amplification
   Source address not forged

Defenses
Defense against a single attacking host
   Cooperation between network managers, including ISPs
      Security operations center (SOC)
   egress filtering at the border of the ISP
Defense against multiple attacking hosts
   Prevent systems from being compromised

Reflection Attacks (figure)
Intermediary types shown in the diagram:
   Known service, e.g. echo
   Service creating a larger response, e.g. chargen, DNS, SNMP, ISAKMP
   TCP SYN
Do not overwhelm the intermediary
Must be able to generate high volumes of traffic

Reflection Attacks
use the normal behavior of the network
attacker sends a packet with a spoofed source address (that of the target) to a server
the server response is directed at the target
if many requests are sent to multiple servers, the responses can flood the target
various protocols, e.g. UDP or TCP/SYN

Reflection Attacks

ideally want the response to be larger than the request
prevented if source-spoofed packets are blocked
a further variation creates a self-contained loop between the intermediary and the target
fairly easy to filter and block

Characteristics & Defenses
Must use a forged source address
   Lack of backscatter traffic
      Harder to quantify the traffic
   Collecting evidence requires cooperation between the ISPs, the victim and the intermediary

Defenses
   Which of the following methods can effectively prevent reflection attacks?
      Egress filtering
      Participating in an SOC
      Preventing hosts from being compromised
      Restricting specific services

Amplification Attacks (figure)
Works with ICMP and UDP but not with TCP
Defenses: limit ports and block directed broadcasts

Smurf Attack (figure)
Attacker sends an ICMP Echo Request across the Internet to a Router; the ICMP Echo Replies go to the Victim

Smurf Attack

A ----------> LAN : ICMP Echo Request
   Source address = attack target
   Destination address = directed broadcast to the LAN
LAN ------> B: ICMP Echo Reply
Suppose x hosts on the LAN respond to the ICMP echo request
   Amplification factor of the Smurf attack = ?
Factors for a successful attack
   The LAN's router is loosely configured
   Hosts on the LAN respond to ICMP packets whose destination address is the network broadcast address
   Side effects of the attack

SYN Spoofing

another common attack
attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
hence an attack on a system resource

TCP Connection Handshake (figure)

SYN Spoofing Attack (figure)
   Host unreachable

SYN Spoofing Attack

attacker often uses either
   random source addresses
   or that of an overloaded server
   to block the return of (most) reset packets
has much lower traffic volume
   attacker can be on a much lower capacity link

Defense
SYN Cookies
   Used on FreeBSD/Linux (not default)
   A variant used on Windows
      Whenever the TCP connection table overflows

Selective drop (or random drop)
   Assuming that the majority of the table entries belong to the attack
Modifying OS parameters
   Size of the TCP connection table
   Timeout period

SYN Cookies
A -----------------> B: SYN
A <----------------- B: SYN/ACK
   SEQ = h(Src_addr, Dest_addr, Src_prt, Dest_prt, time, secret)
A -----------------> B: ACK
   ACK-1 ?= h(Src_addr, Dest_addr, Src_prt, Dest_prt, time, secret)

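The exchange above as an added example, not code from the slides or from any operating system: B's initial sequence number is a keyed hash over the slide's inputs, so no half-open entry is stored, and the final ACK is verified by recomputing it. The hash (HMAC-SHA256), the 64-second time counter and the one-period acceptance window are assumptions of this demo.

```python
# Added example: stateless SYN cookie modelled on
# SEQ = h(Src_addr, Dest_addr, Src_prt, Dest_prt, time, secret).
# Hash choice, counter granularity and field layout are demo assumptions.
import hmac
import hashlib
import struct

SECRET = b"constructed-demo-secret"   # server-side secret (constructed)
COUNTER_SECONDS = 64                  # coarse time counter so cookies expire
MAX_COUNTER_AGE = 1                   # accept the current and previous period

def _h(src_addr, dst_addr, src_port, dst_port, counter):
    """Keyed hash over the 4-tuple and time counter, truncated to 32 bits."""
    msg = struct.pack("!4s4sHHI", src_addr, dst_addr, src_port, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def make_cookie(src_addr, dst_addr, src_port, dst_port, now):
    """Server side of SYN/ACK: the initial sequence number IS the cookie,
    so nothing about this half-open connection needs to be stored."""
    counter = int(now) // COUNTER_SECONDS
    return _h(src_addr, dst_addr, src_port, dst_port, counter)

def check_ack(src_addr, dst_addr, src_port, dst_port, ack, now):
    """Server side of the final ACK: ACK-1 must equal h(...) for a recent
    counter. True for a genuine handshake, False if forged or stale."""
    base = int(now) // COUNTER_SECONDS
    expected_seq = struct.pack("!I", (ack - 1) & 0xFFFFFFFF)
    for counter in range(base, base - MAX_COUNTER_AGE - 1, -1):
        candidate = struct.pack("!I", _h(src_addr, dst_addr, src_port, dst_port, counter))
        if hmac.compare_digest(expected_seq, candidate):
            return True
    return False
```

A cookie that is not acknowledged simply expires with its time counter, which is why the table cannot be filled by SYNs whose sources never answer.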
SYN Flooding Attack Protection (Windows)
   To enable SYN flooding attack protection
      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
      SynAttackProtect = 1
      TcpMaxConnectResponseRetransmissions > 1
   To detect the flooding symptoms
      TcpMaxHalfOpen
      TcpMaxHalfOpenRetried
      TcpMaxPortsExhausted
   To respond
      reduce the time that the server spends on connection requests that it cannot acknowledge

Firewall-1 Solution: SYNDefender Relay (figure)
Copied from http://www.checkpoint.com/support/technical/online_ug/miscsec.html#4005

Firewall-1 Solution: SYNDefender Gateway (figure)
Copied from http://www.checkpoint.com/support/technical/online_ug/miscsec.html#4005

Firewall-1 Solution: SYNDefender Passive Gateway (figure)
Copied from http://www.checkpoint.com/support/technical/online_ug/miscsec.html#4005

Summary

Which architecture relieves the server of the most load?
When the firewall needs to be restarted, what risk does FireWall-1 face?

DoS Attack Defenses
No 100% secure solution
   high traffic volumes may be legitimate
      the result of high publicity, e.g. being “slash-dotted”
      or to a very popular site, e.g. the Olympics etc.
   or be created by an attacker
three lines of defense against (D)DoS:
   attack prevention (and preemption)
   attack detection (and filtering)
   attack response
      source traceback and identification

Attack Prevention
block spoofed source addresses
   on routers as close to the source as possible
   use the command available on some routers
      ip verify unicast reverse-path
   still far too rarely implemented
rate controls in upstream distribution nets
   on specific packet types
   e.g. some ICMP, some UDP, TCP/SYN
use modified TCP connection handling
   use SYN cookies when the table is full
   or selective or random drop when the table is full

Attack Prevention
block IP directed broadcasts
block suspicious services & combinations
manage application attacks with “puzzles” (CAPTCHA) to distinguish legitimate human requests
good general system security practices
use mirrored and replicated servers when high performance and reliability are required

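The two router-side filters from these prevention slides (and from the source-spoofing and Smurf slides earlier), as an added example that is not code from the slides or from any router vendor: a strict unicast reverse-path check in the spirit of ip verify unicast reverse-path, and a drop of packets addressed to the directed broadcast of a connected subnet. The routing table, interfaces and addresses are constructed for the demo.

```python
# Added example: model of strict uRPF plus directed-broadcast blocking on a
# router. Routes, interface names and subnets are constructed, not real.
import ipaddress

# Routing table: prefix -> outgoing interface (constructed). Longest prefix wins.
ROUTES = {
    "192.0.2.0/24": "eth1",       # customer LAN behind eth1
    "198.51.100.0/24": "eth2",    # second customer LAN behind eth2
    "0.0.0.0/0": "eth0",          # default route towards the upstream ISP
}
# Subnets directly connected to this router; their broadcast addresses are the
# directed-broadcast targets a Smurf attack relies on.
CONNECTED = ["192.0.2.0/24", "198.51.100.0/24"]

_routes = sorted(((ipaddress.ip_network(p), i) for p, i in ROUTES.items()),
                 key=lambda r: r[0].prefixlen, reverse=True)
_connected = [ipaddress.ip_network(p) for p in CONNECTED]

def lookup(addr):
    """Return the interface the router would use to reach addr (longest match)."""
    ip = ipaddress.ip_address(addr)
    for net, iface in _routes:
        if ip in net:
            return iface
    return None

def urpf_ok(src, in_iface):
    """Strict uRPF: the source must be reachable via the interface it arrived on.
    A forged source (e.g. the attack target's address) sent from a customer port
    fails here, which is the anti-spoofing filter the slides call for."""
    return lookup(src) == in_iface

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of a connected subnet."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in _connected)

def filter_packet(src, dst, in_iface):
    """Return 'forward' or a drop reason for one packet header."""
    if not urpf_ok(src, in_iface):
        return "drop: uRPF failed (spoofed source)"
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"
```

Strict uRPF assumes symmetric routing; on multi-homed links it can drop legitimate traffic, which is one reason the slides note it is still rarely deployed.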
Attack Detection

have standard filters for
   anti-spoofing, rate limiting, directed broadcasts
ideally have network monitors and IDS
   to detect and notify of abnormal traffic patterns
   it is important to know the normal traffic patterns

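An added example, not code from the slides, that ties this slide's "know the normal traffic pattern" to the selective/random drop defense listed earlier: a model of the server's half-open connection table that raises an alert when the half-open count is far above a measured baseline, and evicts an entry (oldest or random) when the table is full. Table size, baseline and the connection records are constructed for the demo.

```python
# Added example: half-open (SYN_RECEIVED) table with flood detection against a
# known-normal baseline and selective/random drop when full. All numbers and
# addresses are constructed for the demo.
import random
from collections import OrderedDict

TABLE_SIZE = 8          # constructed: size of the TCP connection table
NORMAL_HALF_OPEN = 2    # constructed: half-open count seen in normal traffic
ALERT_FACTOR = 3        # alert when half-open count exceeds 3x the baseline

class HalfOpenTable:
    def __init__(self, policy="selective", seed=0):
        self.entries = OrderedDict()   # (src, sport) -> arrival time, oldest first
        self.policy = policy           # "selective" (drop oldest) or "random"
        self.rng = random.Random(seed)
        self.dropped = 0

    def on_syn(self, src, sport, now):
        """Record a new half-open connection; evict one if the table is full."""
        if len(self.entries) >= TABLE_SIZE:
            if self.policy == "random":
                victim = self.rng.choice(list(self.entries))
            else:   # selective: assume the oldest entry belongs to the attack
                victim = next(iter(self.entries))
            del self.entries[victim]
            self.dropped += 1
        self.entries[(src, sport)] = now

    def on_ack(self, src, sport):
        """Final handshake ACK completes the connection; returns False if the
        half-open entry was already evicted (the client must retry)."""
        return self.entries.pop((src, sport), None) is not None

    def flood_suspected(self):
        """Detection: half-open count far above the normal traffic pattern."""
        return len(self.entries) > NORMAL_HALF_OPEN * ALERT_FACTOR

def simulate(policy="selective", legit_first=False):
    """Constructed scenario: 10 SYNs from spoofed sources that never ACK, plus
    one legitimate client that does; legit_first puts the client's SYN before
    the burst. Returns (flood_alert, legit_completed, evictions)."""
    t = HalfOpenTable(policy)
    if legit_first:
        t.on_syn("192.0.2.10", 40000, now=0)
    for i in range(10):
        t.on_syn("203.0.113.%d" % i, 1000 + i, now=1 + i)   # no ACK will follow
    alert = t.flood_suspected()
    if not legit_first:
        t.on_syn("192.0.2.10", 40000, now=20)
    return alert, t.on_ack("192.0.2.10", 40000), t.dropped
```

The legit_first case shows the cost of the slide's assumption that the oldest entries are the attacker's: a legitimate client that is slow to complete the handshake is the one evicted.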
Responding to Attacks
0. need a good incident response plan
   contacts with the ISP for division of responsibility
   needed to impose traffic filtering upstream
   details of the response process
1. Identify the type of attack
   capture and analyze packets
   design filters to block attack traffic upstream
   or identify and correct the system/application bug

Responding to Attacks
2. Have the ISP trace the packet flow back to its source
   may be difficult and time consuming
   necessary if legal action is desired
3. Implement the contingency plan
   switch to a backup server or start a new one
4. Update the incident response plan

Summary
introduced denial of service (DoS) attacks
classic flooding and SYN spoofing attacks
ICMP, UDP, TCP SYN floods
distributed denial of service (DDoS) attacks
reflection and amplification attacks
defenses against DoS attacks
responding to DoS attacks


				
Posted: 12/22/2011 (35 pages, English)