Denial of Service Attack Detection and Mitigation

Shared by: vivi07
Posted: 11/5/2009
McDonald 1

Denial of Service Attack Detection and Mitigation
Clayton McDonald
November 1, 2007
CET3752a: Introduction to Telephony

Table of Contents

Title Page
Table of Contents
Abstract
Overview of Denial of Service Attacks
General Denial of Service Attack Types
Denial of Service Attack Detection
Denial of Service Prevention and Response
Conclusion
References

Abstract

With the rise of technology came the rise of people who would use it immorally and illegally for their own gain. One of the oldest and still most successful methods of attacking a network is the Denial-of-Service (DOS) attack. The reason for the continued resilience of the DOS attack is that both the technology and the attackers have kept improving. The network administrator has not been neglected either: advances in network equipment have produced new security methods and practices that help the administrator protect the network. Until one side finds a decisive advantage, network administrators will have to keep fighting perpetrators of DOS attacks, and keep refining the practices they use to defend themselves.

Overview of Denial of Service Attacks

A Denial-of-Service (DOS) attack is an attack in which the attacker attempts to prevent legitimate users from accessing system resources or services, or from accessing the network at all. This is done through two basic methods, from which the more sophisticated attacks are derived: flooding the network, or attacking a specific vulnerability. In the past we have seen many examples of DOS attacks, e.g. the worm that was used to attack the Microsoft servers. Although that attack was unsuccessful, there are many more attacks every day. That being said, not all attacks that deny services or resources to users are DOS attacks; in most cases the DOS attack is merely a component of a much bigger attack. Also, DOS attacks are not always immediate once they have begun. For instance, if a "hacker" were to break in and use part of a system's hard disk to store illegal copies of software, the user may not notice. But this too is a DOS attack, because sooner or later the user will be denied the hard disk space taken by the "hacker", and thus denied the system resource.

General Attack Types

A vulnerability attack is an attack that looks for a specific protocol or software weakness and tries to exploit it. This weakness can come from poor software testing, lack of patching, or an overall lack of planning in development. Once the attacker is successfully inside your computer they use up system resources such as memory, CPU or hard disk space. The end result is generally an overwhelming slowing of the computer. "Popular examples are the land attack, Neptune or Transmission Control Protocol synchronization (TCP SYN) flag, the ping o' death, and the targa3 attacks."

A flood attack is an attack in which the attacker sends a large amount of network traffic to the victim, sometimes continually. This traffic mixes with the victim's own traffic, creating a bottleneck and causing legitimate network traffic to time out or "die". As the attack persists, the network itself will try to correct the situation by extending the retransmission time over and over, in the hope that all the excess traffic will time out. Unfortunately this only furthers the attacker's plan, because the legitimate traffic times out as well. "Such an attack requires no software vulnerability or other specific conditions. To saturate network links, queues, and processors with workload anywhere in the network, the attack can use a range of protocols, including Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and TCP, through tools such as stream2, synhose, synk7, synsend, and hping2."

Attack Detection

Symptoms of Attacks

There are several ways to detect a DOS attack while it is happening, generally by monitoring the router, whether by examining CPU utilization or by using access lists to detect attacks. Since every DOS attack from outside must come through the router on its way into the network, the router is the first place to detect an incoming or ongoing DOS attack. There are several signs of an attack visible on the router, such as:

"1. Your router is seeing an unusually high number of ARP requests.
2. Your NAT/PAT address-translation tables have a large number of entries.
3. Your router's IP Input, ARP Input, IP Cache Ager, and CEF processes are using abnormally high amounts of memory.
4. Your router's ARP, IP Input, CEF, and IPC processes are running at a much higher CPU utilization rate."

Examining CPU Utilization

One of the first and easiest ways of detecting a DOS attack is to monitor the router's CPU usage. On a Cisco router this is done with the show processes cpu history command (other manufacturers have their own equivalent). The command displays the router's CPU usage over the last 60 seconds, the last 60 minutes and the last 72 hours. In the per-minute and per-hour graphs it shows, for each column, the maximum CPU usage (marked by *) and the average CPU usage (marked by #); the two rows of digits above the graph give the maximum percentage for each column, tens digit over units digit, with the most recent interval in the leftmost column.
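The check described above can be automated by feeding the 60-minute graph to a monitoring script. The following is an added example, not part of the paper and not a Cisco tool: it decodes the tens/units digit rows of a constructed show processes cpu history excerpt (20 columns instead of the real 60) and flags CPU that stays above a threshold for several consecutive minutes. The sample, the 80% threshold and the five-minute window are assumptions; a sustained plateau is a symptom, not proof, and should be followed up with show processes cpu sorted to see which processes (IP Input, ARP Input, CEF) are busy.

```python
"""Parse the 60-minute graph of Cisco `show processes cpu history` and flag
sustained high CPU, one of the router-side symptoms of a flood attack.

Added example; the output below is constructed (20 columns instead of the
real 60) and is not the paper's router output.
"""
import re
from typing import List

# Constructed excerpt of the per-minute graph.  Column 0 (leftmost) is the
# most recent minute.  The two digit rows encode each column's maximum CPU%:
# tens digit on the first row, units digit on the second.  A third (hundreds)
# row appears only when a column reaches 100%; it is not handled here.
SAMPLE = """\
Router# show processes cpu history
<-- 60-second graph omitted -->

    12234569999999976543
    50712351357986543210
100
 90        ********
 80        ********
 70        ********
 60       ********* *
 50      *##########*
 40     ###########**
 30    ############## *
 20   *###############
 10  ####################
   0....5....1....1....2
             0    5    0
        CPU% per minute (last 60 minutes)
       * = maximum CPU%   # = average CPU%
"""

DIGIT_ROW = re.compile(r"^\s*(\d{10,})\s*$")  # a row made only of digits


def parse_cpu_history(text: str) -> List[int]:
    """Return one CPU% value per column, most recent first.

    The first pair of consecutive all-digit rows of equal width is taken as
    the tens/units rows.  Bar rows and axis labels never match: they contain
    '*', '#', '.' or internal spaces, and the '100' label is too short.
    """
    lines = text.splitlines()
    for top, bottom in zip(lines, lines[1:]):
        t, u = DIGIT_ROW.match(top), DIGIT_ROW.match(bottom)
        if t and u and len(t.group(1)) == len(u.group(1)):
            return [int(a) * 10 + int(b) for a, b in zip(t.group(1), u.group(1))]
    raise ValueError("no tens/units digit rows found in cpu history output")


def longest_run_above(values: List[int], threshold: int) -> int:
    """Length of the longest run of consecutive columns strictly above threshold."""
    best = run = 0
    for v in values:
        run = run + 1 if v > threshold else 0
        best = max(best, run)
    return best


def cpu_alert(text: str, threshold: int = 80, minutes: int = 5) -> bool:
    """True when CPU stayed above `threshold` for at least `minutes`
    consecutive minutes anywhere in the graph.  Both numbers are assumed
    defaults; tune them against the baseline you establish for the router."""
    return longest_run_above(parse_cpu_history(text), threshold) >= minutes


if __name__ == "__main__":
    values = parse_cpu_history(SAMPLE)
    print("per-minute max CPU%, most recent first:", values)
    print("longest run above 80%:", longest_run_above(values, 80), "minutes")
    print("alert:", cpu_alert(SAMPLE))
```

Run it against the output of the real command captured over SSH or from a syslog-driven collector; the parser only depends on the digit rows, so the graph width does not matter.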
Example:

Router# show processes cpu history
<-- One minute output omitted -->
    6665776865756676676666667667677676766666766767767666566667
    6378016198993513709771991443732358689932740858269643922613
100
 90
 80 ** * * * * * * * *
 70 * * ****# * ** ***** *** **** ****** * *** ***
 60 #***##*##*#***#####*#*###*****#*###*#*#*##*#*#**#*##*****
 50 ########################################################*
 40 #########################################################
 30 #########################################################
 20 #########################################################
 10 #########################################################
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
          CPU% per minute (last 60 minutes)
         * = maximum CPU%   # = average CPU%

Using ACLs to Detect DOS Attacks

One of the most useful tools for detecting DOS attacks on a router is the access list (ACL). Access lists are a set of rules that govern what traffic is allowed onto the network and how the traffic moves once it is there, so ACLs can be used to filter out traffic that is commonly associated with DOS attacks. Although it is not necessary for a network administrator to add an explicit deny ip any any statement (every ACL ends with an implicit deny), doing so helps the administrator keep track of all the traffic the router blocks: the explicit entry records a match count that show access-lists displays, whereas the implicit deny does not.
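The match counters that the explicit deny (and every other entry) accumulate are only useful if something reads them and compares them with normal levels. The following is an added example, not code from the paper or from Cisco: it parses two constructed show access-lists snapshots taken 60 seconds apart, converts the counter deltas into packets per second per entry, and flags entries running far above an assumed baseline. IOS prints eq 80 as eq www and eq 25 as eq smtp and omits "(n matches)" on entries never hit, which the constructed snapshots reproduce; the baseline figures and the 10x factor are assumptions.

```python
"""Turn ACL match counters into per-entry packet rates and compare them with
a baseline, so a jump on `deny icmp any any echo` or on the explicit
`deny ip any any` shows up as a spike.

Added example, not the paper's or Cisco's code.  Both `show access-lists`
snapshots below are constructed.
"""
import re
from typing import Dict, List

SNAPSHOT_T0 = """\
Extended IP access list 100
    10 deny ip any host 192.1.1.0
    20 deny ip any host 192.1.1.255
    30 deny ip any host 192.1.2.0
    40 deny ip any host 192.1.2.255
    50 permit icmp any host 192.1.2.9 echo-reply (12 matches)
    60 deny icmp any any echo (1540 matches)
    70 deny icmp any any echo-reply (30 matches)
    80 deny udp any any eq echo
    90 deny udp any eq echo any
    100 permit tcp any host 192.1.1.1 eq www established (88213 matches)
    110 permit tcp any host 192.1.1.1 eq www (5004 matches)
    120 permit tcp any host 192.1.1.2 eq smtp established (4120 matches)
    130 permit tcp any host 192.1.1.2 eq smtp (390 matches)
    140 deny ip any any (2201 matches)
"""

# Same ACL 60 seconds later (constructed): an ICMP echo flood plus a burst of
# unclassified traffic landing on the explicit deny.
SNAPSHOT_T60 = """\
Extended IP access list 100
    10 deny ip any host 192.1.1.0
    20 deny ip any host 192.1.1.255
    30 deny ip any host 192.1.2.0
    40 deny ip any host 192.1.2.255
    50 permit icmp any host 192.1.2.9 echo-reply (18 matches)
    60 deny icmp any any echo (301540 matches)
    70 deny icmp any any echo-reply (45 matches)
    80 deny udp any any eq echo
    90 deny udp any eq echo any
    100 permit tcp any host 192.1.1.1 eq www established (94213 matches)
    110 permit tcp any host 192.1.1.1 eq www (5604 matches)
    120 permit tcp any host 192.1.1.2 eq smtp established (4300 matches)
    130 permit tcp any host 192.1.1.2 eq smtp (402 matches)
    140 deny ip any any (62201 matches)
"""

# Assumed normal packets per second per entry, as measured during quiet hours.
BASELINE_PPS: Dict[str, float] = {
    "permit icmp any host 192.1.2.9 echo-reply": 0.2,
    "deny icmp any any echo": 2.0,
    "deny icmp any any echo-reply": 0.5,
    "permit tcp any host 192.1.1.1 eq www established": 120.0,
    "permit tcp any host 192.1.1.1 eq www": 8.0,
    "permit tcp any host 192.1.1.2 eq smtp established": 4.0,
    "permit tcp any host 192.1.1.2 eq smtp": 0.3,
    "deny ip any any": 8.0,
}

# sequence number, the entry text, optional "(n matches)" suffix
ACE_RE = re.compile(r"^\s*\d+\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


def parse_acl_counters(text: str) -> Dict[str, int]:
    """Map each access-control entry (without its sequence number) to its
    match count; entries with no "(n matches)" suffix count as 0."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2) or 0)
    return counters


def match_rates(before: Dict[str, int], after: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Packets per second per entry between two snapshots.  A counter that
    went down (clear access-list counters, or a reload) is counted from zero."""
    rates: Dict[str, float] = {}
    for rule, now in after.items():
        delta = now - before.get(rule, 0)
        rates[rule] = (delta if delta >= 0 else now) / seconds
    return rates


def flag_spikes(rates: Dict[str, float], baseline: Dict[str, float],
                factor: float = 10.0, floor: float = 1.0) -> List[str]:
    """Entries whose rate exceeds `factor` times their baseline and at least
    `floor` pps, so an idle entry is not flagged on a handful of packets."""
    return sorted(rule for rule, pps in rates.items()
                  if pps > max(floor, factor * baseline.get(rule, 0.0)))


def detect(snapshot_before: str, snapshot_after: str, seconds: float,
           baseline: Dict[str, float] = BASELINE_PPS) -> List[str]:
    """Full pipeline: parse both snapshots, compute rates, return spiking entries."""
    before, after = parse_acl_counters(snapshot_before), parse_acl_counters(snapshot_after)
    return flag_spikes(match_rates(before, after, seconds), baseline)


if __name__ == "__main__":
    for rule in detect(SNAPSHOT_T0, SNAPSHOT_T60, 60):
        print("spike on ACL entry:", rule)
```

Two caveats when using this on a real router: a match that is flagged on deny ip any any tells you only that unclassified traffic surged, so pair it with the log keyword on that entry (or a NetFlow export) to see what the traffic was; and on platforms that switch ACLs in hardware the counters may reflect only software-switched packets, so confirm on your platform that the counters move at all before trusting the baseline.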
Example (ACL configuration):

Router(config)# access-list 100 remark Insert other ACL statements here
Router(config)# access-list 100 deny ip any 192.1.1.0 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.1.255 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.2.0 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.2.255 0.0.0.0
Router(config)# access-list 100 permit icmp any host 192.1.2.9 echo-reply
Router(config)# access-list 100 deny icmp any any echo
Router(config)# access-list 100 deny icmp any any echo-reply
Router(config)# access-list 100 deny udp any any eq echo
Router(config)# access-list 100 deny udp any eq echo any
Router(config)# access-list 100 permit tcp any host 192.1.1.1 eq 80 established
Router(config)# access-list 100 permit tcp any host 192.1.1.1 eq 80
Router(config)# access-list 100 permit tcp any host 192.1.1.2 eq 25 established
Router(config)# access-list 100 permit tcp any host 192.1.1.2 eq 25
Router(config)# access-list 100 remark Insert other ACL statements here
Router(config)# access-list 100 deny ip any any
Router(config)# interface ethernet1
Router(config-if)# ip access-group 100 in

Reading the list top to bottom: the first four entries (a 0.0.0.0 wildcard matches a single host) drop packets addressed to the network and directed-broadcast addresses of the two internal subnets, which is the traffic a broadcast-amplification attack relies on; the ICMP entries let only one host, 192.1.2.9, receive ping replies and drop all other inbound echo and echo-reply packets, blocking ping floods; the two UDP entries drop the echo service (port 7) in either direction so it cannot be used to bounce traffic; the web and mail entries admit traffic to the two servers, with the established keyword matching only return segments (ACK or RST set); and the explicit deny ip any any at the end counts everything else before the list is applied inbound on the outside interface.

Prevention and Response

Any organization is susceptible to DOS attacks, and whatever the organization, a DOS attack will cost it money and time. Every organization is therefore encouraged to use preventive measures to protect itself from possible attacks. Possible preventive practices are the following:

1. Use access lists to block known methods of attack. This will also stop users on the network from inadvertently starting them by mistake.
2. Install available patches to protect workstations against attacks the access lists miss.
3. Disable network services that are not needed or used.
4. Use quota systems to limit the amount of resources a user or process can consume, so a DOS attack cannot monopolize the CPU.
5. Establish normal levels of network usage and monitor the network for spikes.
6. Continually reconsider security with respect to physical equipment.
7. Constantly monitor changes to system configuration files.
8. Regularly maintain backups, both of high-priority data and of machines that can be placed in service to replace an attacked machine.
9. Maintain rigorous password policies on the length, characters, and life span of all passwords on the network.

Conclusion

DOS attacks are a matter of everyday life within a network. Network administrators should keep in mind that they are not alone: there are past experiences and each other to rely on for methods of defending against attacks. That being said, attacks are continually getting better and smarter every day, and so must the network administrators. The best defense against any attack is knowledge, so network administrators must keep up with the latest technology and practices to protect the company's systems, and their jobs.

Works Cited

1. Glenn Carl, George Kesidis, Richard R. Brooks, and Suresh Rai. "Denial-of-Service Attack-Detection Techniques." IEEE Distributed Systems Online, IEEE Computer Society, 1 Nov 2006. Accessed 24 Oct 2007.
2. "Denial of Service Attacks." CERT Coordination Center, 1 Jan 2001. Accessed 24 Oct 2007.
3. Richard Deal. "DoS Protection." Cisco Router Firewall Security. Cisco Press, 22 Oct 2004. Accessed 30 Oct 2007.
