Vous êtes sur la page 1sur 187

(DISTRIBUTED) DENIAL OF

SERVICE ATTACK

1
DEFINITION

• DENIAL-OF-SERVICE (DOS) ATTACK AIMS AT DISRUPTING THE AUTHORIZED USE OF


NETWORKS, SYSTEMS, OR APPLICATIONS
• BY SENDING MESSAGES WHICH EXHAUST SERVICE PROVIDER’S RESOURCES ( NETWORK
BANDWIDTH, SYSTEM RESOURCES, APPLICATION RESOURCES)

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS) ATTACKS EMPLOY MULTIPLE (DOZENS TO


MILLIONS) COMPROMISED COMPUTERS TO PERFORM A COORDINATED AND WIDELY
DISTRIBUTED DOS ATTACK
• VICTIMS OF (D)DOS ATTACKS
• SERVICE-PROVIDERS (IN TERMS OF TIME, MONEY, RESOURCES, GOOD WILL)
• LEGITIMATE SERVICE-SEEKERS (DEPRIVED OF AVAILABILITY OF SERVICE ITSELF)
• ZOMBIE SYSTEMS(PENULTIMATE AND PREVIOUS LAYERS OF COMPROMISED SYSTEMS IN
DDOS)

2
ANALYZING THE GOAL OF DOS
ATTACKS

• A (D)DOS ATTACK IS DIFFERENT IN GOAL : IWAR, IN


SHORT
• JUST DENY AVAILABILITY
• CAN WORK ON ANY PORT LEFT OPEN
• NO INTENTION FOR STEALING/THEFT OF INFORMATION
• ALTHOUGH, IN THE PROCESS OF DENYING SERVICE
TO/FROM VICTIM, ZOMBIE SYSTEMS MAY BE HIJACKED

3
WHO? WHAT FOR?

 THE ULTERIOR MOTIVE


 EARLIER ATTACKS WERE PROOFS OF CONCEPTS OR SIMPLE PRANKS
 PSEUDO-SUPREMACY FEELING (OF DEFAULTERS) UPON DENYING SERVICES IN LARGE SCALE TO NORMAL PEOPLE
 DOS ATTACKS ON INTERNET CHAT CHANNEL MODERATORS
 EYE-FOR-EYE ATTITUDE
 POLITICAL DISAGREEMENTS
 COMPETITIVE EDGE
 HIRED

 MAJOR LACK OF DATA ON PERPETRATORS AND MOTIVES


 LEVELS OF ATTACKERS
 HIGHLY PROFICIENT ATTACKERS WHO ARE RARELY IDENTIFIED OR CAUGHT
 SCRIPT-KIDDIES

4
WHY SHOULD WE CARE?

• AS PER 2006 CSI/FBI COMPUTER CRIME AND SECURITY SURVEY


• 25% OF RESPONDENTS FACED SOME FORM OF DOS ATTACKS IN PREVIOUS
12 MONTHS. THIS VALUE VARIED FROM 25% TO 40% OVER THE COURSE OF
TIME
• DOS ATTACKS ARE THE 5TH MOST COSTLY FORM OF ATTACKS
• A DOS ATTACK IS NOT JUST MISSING OUT ON THE LATEST SPORTS
SCORES OR TWEETS OR WEATHER REPORTS
• INTERNET IS NOW A CRITICAL RESOURCE WHOSE DISRUPTION HAS
FINANCIAL IMPLICATIONS, OR EVEN DIRE CONSEQUENCES ON HUMAN
SAFETY
• CYBERCRIME AND CYBERWARFARE MIGHT USE OF DOS OR DDOS AS A
POTENTIAL WEAPON TO DISRUPT OR DEGRADE CRITICAL INFRASTRUCTURE
• DDOS ATTACKS ARE A MAJOR THREAT TO THE STABILITY OF THE INTERNET

5
FAST FACTS

• IN FEB 2000, SERIES OF MASSIVE DOS ATTACKS INCAPACITATED SEVERAL HIGH-


VISIBILITY INTERNET E-COMMERCE SITES, INCLUDING YAHOO, EBAY AND E*TRADE
• IN JAN 2001, MICROSOFT’S NAME SEVER INFRASTRUCTURE WAS DISABLED
• 98% LEGITIMATE USERS COULD NOT GET TO ANY MICROSOFT’S SERVERS
• IN SEPT 2001, AN ATTACK BY A UK-BASED TEENAGER ON THE PORT OF
HOUSTON’S WEB SERVER, MADE WEATHER AND SCHEDULING INFORMATION
UNAVAILABLE
• NO SHIPS COULD DOCK AT THE WORLD’S 8TH BUSIEST MARITIME FACILITY DUE TO
LACK OF WEATHER AND SCHEDULING INFORMATION
• ENTIRE NETWORK PERFORMANCE WAS AFFECTED
• IN OCT 2002, ALL DOMAIN NAME SYSTEM SERVERS WERE ATTACKED
• ATTACK LASTED ONLY AN HOUR
• 9 OF THE 13 SERVERS WERE SERIOUSLY AFFECTED
• IN AUG 2009, THE ATTACK ON TWITTER AND FACEBOOK

6
APPROACHES TO DOS ATTACKS

• INTERNET DESIGNED FOR MINIMAL-PROCESSING AND BEST-EFFORT FORWARDING


ANY PACKET
• MAKE SHREWD USE OF FLAWS IN THE INTERNET DESIGN AND SYSTEMS
• UNREGULATED FORWARDING OF INTERNET PACKETS : VULNERABILITY ,FLOODING
• VULNERABILITY ATTACK
• VULNERABILITY : A BUG IN IMPLEMENTATION OR A BUG IN A DEFAULT
CONFIGURATION OF A SERVICE
• MALICIOUS MESSAGES (EXPLOITS) : UNEXPECTED INPUT THAT UTILIZE THE
VULNERABILITY ARE SENT
• CONSEQUENCES :
• THE SYSTEM SLOWS DOWN OR CRASHES OR FREEZES OR REBOOTS
• TARGET APPLICATION GOES INTO INFINITE LOOP
• CONSUMES A VAST AMOUNT OF MEMORY
• EX : PING OF DEATH, TEARDROP ATTACKS, ETC.

7
APPROACHES TO DOS ATTACKS CONT’D ….

• FLOODING ATTACK
• WORK BY SENDING A VAST NUMBER OF MESSAGES WHOSE PROCESSING
CONSUMES SOME KEY RESOURCE AT THE TARGET
• THE STRENGTH LIES IN THE VOLUME, RATHER THAN THE CONTENT
• IMPLICATIONS :
• MAKE THE TRAFFIC LOOK LEGITIMATE
• FLOW OF TRAFFIC IS LARGE ENOUGH TO CONSUME VICTIM’S RESOURCES
• SEND WITH HIGH PACKET RATE
• THESE ATTACKS ARE MORE COMMONLY DDOS
• EX : SYN SPOOFING ATTACK, SOURCE ADDRESS SPOOFING, ETC.

8
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

9
DDOS ARCHICECTURE

• A DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK IS A COMMON METHOD HACKERS


USE TO TAKE DOWN WEBSITES, EMAIL SERVERS AND OTHER SERVICES WHICH
CONNECT TO THE INTERNET. DDOS ATTACKS ARE SO COMMON THAT IT IS
GUARANTEED THAT THERE ARE SOME HAPPENING RIGHT THIS MOMENT
• A DDOS ATTACK IS A METHOD HACKERS USE TO MAKE A SERVICE INACCESSIBLE. THEY
DO THIS BY FLOODING THE TARGET WITH A HUGE AMOUNT OF TRAFFIC OR REQUESTS
• FAKE INTERNET TRAFFIC IS PASSED ON TO THE TARGET, AND THERE IS SO MUCH OF THIS
FAKE TRAFFIC THAT THE TARGET CANNOT FIND THE RESOURCES TO RESPOND TO
LEGITIMATE TRAFFIC. AND BECAUSE THE ATTACK IS DISTRIBUTED, IT IS IMPOSSIBLE TO
STOP THE ATTACK SIMPLY BY BLOCKING ONE OF THE ATTACKING SOURCES

10
• THOSE WHO PERFORM DDOS ATTACKS USUALLY AMPLIFY THEIR ATTACKS BY TAKING ADVANTAGE
OF A POORLY MANAGED SERVER ON THE INTERNET. SOMEONE MIGHT BE RUNNING A DNS SERVER
THAT IS NOT FULLY SECURE. DNS IS A HELPFUL PROTOCOL THAT ENSURES THE INTERNET AS WE
KNOW IT RUNS THE WAY WE DO. BUT IF MISCONFIGURED, THIS CAN ALSO LEAD TO
AMPLIFICATION OF A DDOS ATTACK
• THE ATTACKER USUALLY HAS A SINGLE COMPUTER FROM WHICH HE OR SHE CAN CONTROL MANY
OTHER HACKED COMPUTERS. THESE HACKED COMPUTERS ARE CAN BE CALLED ZOMBIE BOTS, AND
THEY FORM A BOTNET. A BOTNET IS A GROUP OF COMPUTERS WHICH ARE CONTROLLED BY A
MALICIOUS HACKER. MANY PEOPLE DO NOT REALIZE THAT THEIR COMPUTER IS HACKED AND IS
BEING USED AS A ZOMBIE IN PART OF A BOTNET
• THE ATTACKER SENDS A MESSAGE TO HIS OR HER BOTNET TELLING THEM TO ATTACK TARGET X. BUT
TO MAKE THE ATTACK EVEN MORE POWERFUL, THE BOTNET IS INSTRUCTED TO GO THROUGH A
COMPROMISED SERVER, WHICH AMPLIFIES THE ATTACK

11
12
….
• AT LEAST ONE OF TWO THINGS HAPPEN DURING A SUCCESSFUL DDOS ATTACK:

• THE COMPUTER BEING ATTACKED IS SO OVERWHELMED WITH THE AMOUNT OF FAKE


REQUESTS TO IT THAT IT SLOWS DOWN TO A CRAWL OR WORSE, JUST SHUTS DOWN
ALTOGETHER, OR THE NETWORK IS COMPLETELY USED UP SO COMMUNICATION BETWEEN
THE SERVER AND THE OUTSIDE WORLD IS UNABLE TO TAKE PLACE

• THE SECOND SCENARIO IS WORSE THAN THE FIRST. IF IT IS JUST THE ONE SERVER BEING
TARGETED AND IT GOES OFFLINE, THAT IS BAD. BUT IF THE WHOLE INTERNET CONNECTION
BECOMES CONGESTED FULL OF FAKE TRAFFIC, THEN NO SERVERS USING THAT CONNECTION
CAN OPERATE. THIS MIGHT MEAN EVERY SERVICE BECOMES UNAVAILABLE. IF THE INTERNET
CONNECTION IS SHARED, THEN A SINGLE TARGET CAN AFFECT EVERYONE ON THE SAME
CONNECTION. WHAT THIS MEANS IS THAT IF YOU BUY INTERNET FROM AN ISP, AND THE ISP
HAS ANOTHER CUSTOMER THAT SHARES A SWITCH OR ROUTER WITH YOU, THEN AN ATTACK
ON THAT OTHER CUSTOMER CAN AFFECT YOUR INTERNET CONNECTION

13
• THE LARGEST SINGLE PORTS COMMONLY IN USE ARE 100GBPS
BANDWIDTH PORTS. AND THOSE ARE USUALLY RESERVED FOR THE
INTERNET'S LARGEST PLAYERS. THE LARGEST DDOSES HAVE GONE WELL
BEYOND THIS NUMBER, MEANING THAT A DDOS CAN BE POWERFUL
ENOUGH TO AFFECT EVEN THE LARGEST OF INTERNET COMPANIES
• A DDOS TAKES LITTLE EFFORT FROM THE ATTACKERS POINT OF VIEW,
AND IS INCREDIBLY EFFICIENT AT CAUSING DISRUPTIONS. TIMES AGO
LINODE, ONE OF THE MOST POPULAR VPS PROVIDERS SUFFERED A
TERRIBLE DDOS ATTACK. IT WAS EXTREMELY DISRUPTIVE AND IT COST
LINODE A LOT OF MONEY
14
BOTNET BASED DDOS ATTACK
ARCHITECTURE
• BOTNET BASED DDOS ATTACK NETWORKS FALL UNDER THREE
CATEGORIES :
• THE AGENT-HANDLER,
• IRC-BASED
• WEB BASED MODELS

15
AGENT-HANDLER MODEL
• THE AGENT-HANDLER MODEL OF A DDOS ATTACK COMPRISES
CLIENTS, HANDLERS, AND AGENTS

16
• THE CLIENT IS ONE WITH WHOM THE ATTACKER COMMUNICATES IN
THE DDOS ATTACK SYSTEM
• THE HANDLERS ARE SOFTWARE PACKAGES LOCATED THROUGHOUT
THE INTERNET
• THE CLIENT USES THESE PACKAGES TO COMMUNICATE WITH THE
AGENTS
• THE AGENT SOFTWARE THRIVES IN COMPROMISED SYSTEMS,
EVENTUALLY CONDUCTING THE ATTACK AT THE APPROPRIATE TIME
17
• THE ATTACKER COMMUNICATES WITH ANY OF THE HANDLERS TO IDENTIFY OPERATIONAL AGENTS
AND TO DETERMINE WHEN TO ATTACK OR TO UPGRADE AGENTS
• OWNERS AND USERS OF AGENT SYSTEMS ARE TYPICALLY UNAWARE THAT THEIR SYSTEM HAS BEEN
COMPROMISED AND IS UNDER A DDOS ATTACK
• DEPENDING ON THE CONFIGURATION OF THE DDOS ATTACK NETWORK, AGENTS CAN BE
INSTRUCTED TO COMMUNICATE WITH ONE HANDLER OR WITH MULTIPLE HANDLERS
• ATTACKERS OFTEN ATTEMPT TO INSTALL THE HANDLER SOFTWARE ON A COMPROMISED ROUTER
OR NETWORK SERVER
• THE TARGET TYPICALLY HANDLES LARGE VOLUMES OF TRAFFIC, MAKING MESSAGE IDENTIFICATION
DIFFICULT BETWEEN THE CLIENT AND THE HANDLER AND BETWEEN THE HANDLER AND THE AGENTS.
THE TERMS ―HANDLER‖ AND ―AGENTS‖ ARE SOMETIMES REPLACED WITH ―MASTER‖ AND
―DEMONS,‖ RESPECTIVELY, IN DESCRIPTIONS OF DDOS TOOLS

18
INTERNET RELAY CHAT (IRC) MODEL

• THE ARCHITECTURES OF THE IRC-BASED DDOS ATTACK AND OF THE AGENT–


HANDLER MODEL ARE ALMOST SIMILAR
• INSTEAD OF EMPLOYING A HANDLER PROGRAM THAT IS INSTALLED ON A
NETWORK SERVER, THE CLIENT IS CONNECTED TO THE AGENTS THROUGH AN IRC
COMMUNICATION CHANNEL
• AN IRC CHANNEL BENEFITS AN ATTACKER WITH THE USE OF ―LEGITIMATE‖ IRC
PORTS TO SEND COMMANDS TO AGENTS. THE USE OF LEGITIMATE PORTS
HINDERS THE TRACKING DDOS COMMAND PACKETS
• IRC SERVERS TEND TO HAVE LARGE VOLUMES OF TRAFFIC, ENABLING AN
ATTACKER TO CONCEAL ITS PRESENCE EASILY

19
• THE ATTACKER DOES NOT NECESSARILY MAINTAIN A LIST OF THE
AGENTS BECAUSE IT CAN IMMEDIATELY ENTER THE IRC SERVER AND
VIEW ALL AVAILABLE AGENTS
• THE AGENT SOFTWARE IN THE IRC NETWORK SENDS AND RECEIVES
MESSAGES THROUGH THE IRC CHANNEL AND INFORMS THE
ATTACKER WHEN AN AGENT BECOMES OPERATIONAL.

20
21
IRC SERVER

• IRC (INTERNET RELAY CHAT) IS A PROTOCOL FOR REAL-TIME TEXT MESSAGING BETWEEN
INTERNET-CONNECTED COMPUTERS CREATED IN 1988
• IT IS MAINLY USED FOR GROUP DISCUSSION IN CHAT ROOMS CALLED “CHANNELS”
ALTHOUGH IT SUPPORTS PRIVATE MESSAGES BETWEEN TWO USERS, DATA TRANSFER,
AND VARIOUS SERVER-SIDE AND CLIENT-SIDE COMMANDS
• IRC IS A POPULAR METHOD USED BY BOTNET OWNERS TO SEND COMMANDS TO THE
INDIVIDUAL COMPUTERS IN THEIR BOTNET.
• THIS IS DONE EITHER ON A SPECIFIC CHANNEL, ON A PUBLIC IRC NETWORK, OR ON A
SEPARATE IRC SERVER
• THE IRC SERVER CONTAINING THE CHANNEL(S) THAT ARE USED TO CONTROL BOTS IS
REFERRED TO AS A “COMMAND AND CONTROL” OR C2 SERVER

22
• IRC NETWORKS USE SIMPLE, LOW BANDWIDTH COMMUNICATION
METHODS, MAKING THEM WIDELY USED TO HOST BOTNETS
• THEY TEND TO BE RELATIVELY SIMPLE IN CONSTRUCTION, AND HAVE
BEEN USED WITH MODERATE SUCCESS FOR COORDINATING DDOS
ATTACKS AND SPAM CAMPAIGNS WHILE BEING ABLE TO
CONTINUALLY SWITCH CHANNELS TO AVOID BEING TAKEN DOWN

23
WEB-BASED MODEL

• THE MOST PREFERRED METHOD FOR BOTNET COMMAND AND


CONTROL (C&C) IS THE IRC-BASED MODEL
• WEB-BASED REPORTING AND COMMAND HAS EMERGED OVER THE
PAST FEW YEARS
• A NUMBER OF BOTS IN THE WEB-BASED MODEL SIMPLY REPORT
STATISTICS TO A WEB SITE, WHEREAS OTHERS ARE INTENDED TO BE
FULLY CONFIGURED AND CONTROLLED THROUGH COMPLEX PHP
SCRIPTS AND ENCRYPTED COMMUNICATIONS OVER THE 80/443
PORT AND THE HTTP/HTTPS PROTOCOL

24
THE ADVANTAGES OF WEB-BASED
CONTROLS OVER IRC
• EASE OF SET-UP AND WEBSITE CONFIGURATION
• IMPROVED REPORTING AND COMMAND FUNCTIONS
• LESS BANDWIDTH REQUIREMENT AND THE ACCEPTANCE OF LARGE
BOTNETS FOR THE DISTRIBUTED LOAD
• CONCEALMENT OF TRAFFIC AND HINDRANCE OF FILTERING
THROUGH THE USE OF PORT 80/443
• RESISTANCE TO BOTNET HIJACKING VIA CHAT-ROOM HIJACKING
• EASE OF USE AND OF ACQUISITION
25
BOTNETS BASED DDOS ATTACK TOOLS

• VARIOUS DDOS ATTACK TOOLS ARE KNOWN AND ARCHITECTURES


ARE VERY SIMILAR THAT SOME TOOLS ACTUALLY ORIGINATE FROM
MINOR MODIFICATIONS OF OTHER TOOLS
• THE BOTNET BASED DDOS ATTACK TOOLS ARE CLASSIFIED AS AGENT-
BASED, IRC-BASED, OR WEB-BASED DDOS ATTACK TOOLS

26
AGENT-BASED DDOS ATTACK TOOLS

• AGENT-BASED DDOS ATTACK TOOLS ARE BASED ON THE AGENT– HANDLER DDOS
ATTACK MODEL COMPRISING HANDLERS, AGENTS, AND VICTIMS
• EXAMPLES OF AGENT-BASED DDOS TOOLS ARE TRINOO, TRIBE FLOOD NETWORK
(TFN), TFN2K, STACHELDRAHT, MSTREAM, AND SHAFT
• AMONG THE ABOVE MENTIONED AGENT-BASED DDOS TOOLS, TRINOO IS THE
MOST POPULAR AND THE MOST WIDELY USED FOR ITS CAPABILITY FOR
BANDWIDTH DEPLETION AND FOR LAUNCHING UDP FLOOD ATTACKS AGAINST
ONE OR NUMEROUS INTERNET PROTOCOL (IP) ADDRESSES
• SHAFT IS SIMILAR TO TRINOO IN THAT IT CAN LAUNCH PACKET FLOODING
ATTACKS. SHAFT CAN ALSO CONTROL THE DURATION OF THE ATTACK, AS WELL
AS THE SIZE OF THE FLOODING PACKETS

27
• TFN IS ANOTHER DDOS ATTACK TOOL THAT CAN CONDUCT BANDWIDTH AND
RESOURCE DEPLETION ATTACKS. TFN CAN PERFORM SMURF, UDP FLOODING, TCP SYN
FLOODING, ICMP ECHO REQUEST FLOODING, AND ICMP DIRECTED BROADCAST. TFN2K
[15], AS A DERIVATIVE OF TFN, CAN PERFORM SMURF, SYN, UDP, AND ICMP FLOOD
ATTACKS
• TFN2K HAS THE SPECIAL CAPABILITY OF ADDING ENCRYPTED MESSAGES BETWEEN
ATTACK COMPONENTS. STACHELDRAHT IS A PRODUCT OF PREVIOUS TFN ATTEMPTS.
STACHELDRAHT STRENGTHENS A NUMBER OF TFN‘S WEAK POINTS AND IS CAPABLE OF
IMPLEMENTING SMURF, SYN FLOOD, UDP FLOOD, AND ICMP FLOOD ATTACKS
• MSTREAM IS A SIMPLE POINT-TO-POINT TCP ACK FLOODING TOOL THAT CAN
OVERWHELM FAST-ROUTING ROUTINE TABLES IN SOME SWITCHES

28
IRC-BASED DDOS ATTACK TOOLS

• IRC-BASED DDOS ATTACK TOOLS WERE DEVELOPED AFTER THE EMERGENCE OF AGENT–
HANDLER ATTACK TOOLS
• MORE SOPHISTICATED IRC-BASED TOOLS HAVE BEEN DEVELOPED, AND THESE TOOLS
INCLUDE THE IMPORTANT FEATURES OF SEVERAL AGENT-HANDLER ATTACK TOOLS
• THE TRINITY IS ONE OF THE BEST-KNOWN IRC-BASED DDOS TOOLS ON TOP OF UDP,
TCP SYN, TCP ACK, AND TCP NUL PACKET FLOODS
• THE TRINITY V3 INTRODUCES TCP RANDOM FLAG PACKET FLOODS, TCP FRAGMENT
FLOODS, TCP ESTABLISHED FLOODS, AND TCP RST PACKET FLOODS. ALONG WITH THE
DEVELOPMENT OF THE TRINITY CAME THE MYSERVER , THAT RELY ON EXTERNAL
PROGRAMS TO CONDUCT DOS AND PLAGUE TO SIMULATE TCP ACK AND TCP SYN
FLOODING.

29
• KNIGHT IS ANOTHER LIGHT-WEIGHT AND POWERFUL IRC-BASED
DDOS ATTACK TOOL THAT CAN PERFORM UDP FLOOD ATTACKS AND
SYN ATTACKS. KNIGHT CAN BE CONSIDERED AN URGENT POINTER
FLOODER
• AN IRC-BASED DDOS TOOL BASED ON KNIGHT IS KAITEN , WHICH
CONDUCTS UDP, TCP FLOOD ATTACKS, SYN, AND

30
WEB-BASED DDOS ATTACK TOOLS

• WEB-BASED DDOS ATTACK TOOLS WERE RECENTLY DEVELOPED WITH


THE PURPOSE OF ATTACKING THE APPLICATION LAYER, ESPECIALLY
THE WEB SERVER
• IRC-BASED DDOS ATTACK TOOLS WITH THE HTTP/S FLOODING
FUNCTION ARE USED TO ATTACK A WEB SERVER, THUS PROVING
THAT ATTACKERS ARE INCREASINGLY ADOPTING VARIOUS TOOLS TO
INTRODUCE DDOS ATTACKS

31
• UNLIKE CURRENTLY POPULAR ATTACK TOOLS THAT CAN LAUNCH DDOS ATTACKS,
MOST ORGANIZATIONS ARE UNAWARE OF THE BROAD DEVELOPMENT OVER THE
LAST FEW YEARS AND ARE VULNERABLE TO ATTACKERS, ACCORDING TO THE
ARBOR NETWORKS
• COMMERCIAL SERVICES, ALONG WITH DOWNLOADABLE TOOLS, CAN LAUNCH
ATTACKS FOR A FEE
• APPROXIMATELY 20,000 INFECTED COMPUTERS WITH MULTIPLE TARGETS CAN
DESTROY OVER 90% OF INTERNET SITES [21]. A DDOS ATTACK ON THE
APPLICATION LAYER IS HIGHLY COMPARABLE TO CALLING SOMEONE IN THE
WORLD FROM ONE WEBSITE, WHILE THE WEB SITE INDICATES BEING OUT OF
SERVICE OR DISPLAYS ―THE PAGE CANNOT FOUND

32
• THREE WEB-BASED DDOS ATTACK TOOLS ARE:
• BLACKENERGY
• LOW-ORBIT ION CANNON (LOIC)
• ALDI BOTNET

33
BLACKENERGY

• BLACKENERGY IS A WEB-BASED DDOS BOT USED BY UNIDENTIFIED RUSSIAN


HACKERS. BLACKENERGY EASILY CONTROLS WEB-BASED BOTS THROUGH
MINIMAL SYNTAX AND STRUCTURE, RESULTING IN THE LAUNCH OF VARIOUS
ATTACKS
• ONE OR MORE RUSSIAN HACKERS HAD APPARENTLY DEVELOPED THIS TOOL.
MEANWHILE, MOST BLACKENERGY C&C SYSTEMS ARE SEEN IN MALAYSIA AND IN
RUSSIA, WITH RUSSIAN SITES BEING THE PRIMARY TARGETS
• ONE OF THE MAIN FEATURES THAT BLACKENERGY BOT PROMOTE IN FORUMS IS
THE CAPABILITY TO TARGET MORE THAN ONE IP ADDRESS PER HOST NAME. THIS
TOOL CONTINUES TO BE WIDELY USED TO DENY SERVICES FROM COMMERCIAL
WEB SITES

34
LOW-ORBIT ION CANNON (LOIC)

• THE LOIC IS A BOTNET-BASED DDOS ATTACK TOOL THAT RELEASES


FLOODING IN THE SERVER. THIS FLOODING APPARENTLY RESULTS FROM
THE LARGE VOLUME OF HTTP TRAFFIC
• HOWEVER, THIS TOOL HAS BEEN USED RECENTLY BY AN ANONYMOUS
GROUP TO FACILITATE MALICIOUS TRAFFIC THROUGH THE ZEUS BOTNET,
WHICH IS AN ADVANCED MALWARE PROGRAM THAT CANNOT BE EASILY
REMOVED
• THE HACKER GROUP ADMINISTERED THE LARGEST ATTACK IN 2012
AGAINST FAMOUS WEB SITES, SUCH AS THE DEPARTMENT OF JUSTICE
(DOJ) AND THE FEDERAL BUREAU OF INVESTIGATION (FBI)

35
ALDI BOTNET

• ALDI IS A NEWER INEXPENSIVE DDOS BOT THAT IS GROWING IN


POPULARITY
• RECENT DATA [59] SUGGESTS THAT THERE ARE AT LEAST 50 DISTINCT
ALDI BOT BINARIES THAT HAVE BEEN SEEN IN THE WILD WITH 44
UNIQUE COMMAND & CONTROL (C&C) POINTS
• AS PER ARBOR COMPANY WHICH MONITORS REAL TIME INTERNET
TRAFFIC, THIS BOT IS ACTIVE IN RUSSIA, UKRAINE, US AND GERMANY

36
HOW DO YOU KNOW WHEN A DDOS
ATTACK IS OCCURRING
• THE HARDEST PART ABOUT A DDOS ATTACK IS THAT THERE ARE NO
WARNINGS
• BETWEEN THE TIME IT TAKES FOR YOU TO REALIZE IT’S A DDOS
ATTACK AND THE TIME IT TAKES TO MITIGATE THE DAMAGE, SEVERAL
HOURS CAN GO BY
• THIS MEANS SEVERAL HOURS OF MISSED SERVICE AND INCOME,
WHICH ESSENTIALLY TAKES A MAJOR CUT IN YOUR REVENUE

37
• THE MOST EFFECTIVE WAY TO MITIGATE A DDOS ATTACK IS TO KNOW WHEN IT’S
HAPPENING IMMEDIATELY WHEN THE ATTACK BEGINS. THERE ARE SEVERAL CLUES
THAT INDICATE AN ONGOING DDOS ATTACK IS HAPPENING:
• AN IP ADDRESS MAKES X REQUESTS OVER Y SECONDS
• YOUR SERVER RESPONDS WITH A 503 DUE TO SERVICE OUTAGES
• THE TTL (TIME TO LIVE) ON A PING REQUEST TIMES OUT
• IF YOU USE THE SAME CONNECTION FOR INTERNAL SOFTWARE, EMPLOYEES NOTICE
SLOWNESS ISSUES
• LOG ANALYSIS SOLUTIONS SHOW A HUGE SPIKE IN TRAFFIC
• MOST OF THESE SIGNS CAN BE USED TO AUTOMATE A NOTIFICATION SYSTEM THAT
SENDS AN EMAIL OR TEXT TO YOUR ADMINISTRATORS

38
TOO MANY REQUESTS FOR ONE IP

• YOU CAN TEMPORARILY SET UP THE ROUTER TO SEND TRAFFIC TO NULL ROUTES
FROM SPECIFIC IPS. THIS ESSENTIALLY SENDS THE ATTACKING IP ADDRESSES TO A
VOID OR DEAD END, SO THAT IT CANNOT AFFECT YOUR SERVERS
• THIS IS SOMEWHAT DIFFICULT, BECAUSE YOU CAN EASILY BLOCK A LEGITIMATE IP
ADDRESS AS YOU ATTEMPT TO STOP THE ATTACK
• ANOTHER ISSUE IS THAT THE SOURCE IP IS USUALLY SPOOFED, SO THE CONNECTION IS
NEVER COMPLETED BETWEEN YOUR SERVER AND THE SOURCE MACHINE

• SETTING ALERTS FROM THE FIREWALL OR INTRUSION PREVENTION OR DETECTION


SYSTEM CAN BE TRICKY
• SOME LEGITIMATE BOTS WILL BE PICKED UP AS AN ATTACK
• THE CONFIGURATION AND SETTINGS ALSO DEPEND ON THE SYSTEM THAT YOU HAVE

39

• OVERALL, YOU WANT TO SET AN ALERT TO GO OUT IF A RANGE OF


IP ADDRESSES SENDS TOO MANY CONNECTION REQUESTS OVER A
SMALL WINDOW OF TIME
• IT WILL TAKE SOME TIME AND TWEAKING BEFORE YOU GET THIS
ALERT TO WORK PROPERLY SINCE YOU WILL LEGITIMATELY WANT
SOME BOTS AND SCRIPTS TO RUN THAT COULD SEND A FALSE
POSITIVE TO YOUR ALERT SYSTEM

40
SERVER RESPONDS WITH A 503

• IN WINDOWS, YOU CAN SCHEDULE ALERTS WHEN A SPECIFIC EVENT


HAPPENS IN EVENT VIEWER
• YOU CAN ATTACH ANY TASK TO AN EVENT INCLUDING ERRORS,
WARNINGS, OR ANY OTHER EVENT THAT MIGHT HELP YOU MITIGATE
AN ISSUE BEFORE IT BECOMES A CRITICAL SITUATION
• TO ATTACH A TASK TO A 503 EVENT, YOU FIRST NEED TO FIND THE
EVENT IN EVENT VIEWER. OPEN EVENT VIEWER AND RIGHT-CLICK ON
THE EVENT

41
• THIS OPENS A CONFIGURATION SCREEN WHERE YOU CAN
CONFIGURE THE EVENT TO SEND AN EMAIL TO AN ADMINISTRATOR
OR TO A TEAM OF PEOPLE.

42
TTL TIMES OUT

• YOU CAN MANUALLY PING YOUR SERVERS TO TEST THE BANDWIDTH


AND CONNECTION, BUT THIS DOESN’T HELP WHEN YOU WANT TO
AUTOMATE AN ALERT BEFORE IT’S CRITICAL
• TO HELP AUTOMATE PING ALERTS, SEVERAL SERVICES ON THE WEB OFFER
A WAY TO PING YOUR SITE FROM AROUND THE WORLD. THE SERVICE
PINGS YOUR SITE FROM VARIOUS REGIONS AROUND THE GLOBE AT A
FREQUENCY THAT YOU CONFIGURE
• IF YOU HAVE CLOUD HOSTING, YOU COULD HAVE AN ISSUE IN ONE
REGION BUT NOT ANOTHER, SO THESE PINGING SERVICES HELP YOU
IDENTIFY ISSUES IN CERTAIN LOCATIONS

43
• SOME SITES THAT OFFER PINGING SERVICES
• UPTIMEROBOT
• NUMBER OF SITES YOU CAN MONITOR: 50
REGULARITY OF CHECKS: EVERY 5 MINUTES
METHODS OF ALERTS: E-MAIL, SMS, RSS, TWITTER COMING SOON
• PINGDOM
• NUMBER OF SITES YOU CAN MONITOR: 1
REGULARITY OF CHECKS: USER SET, FROM 1 MINUTE UPWARDS
METHODS OF ALERTS: E-MAIL, SMS (UP TO 20 PER MONTH), PUSH ALERTS VIA IPHONE APP
• INTERNETSEER
• NUMBER OF SITES YOU CAN MONITOR: 1
REGULARITY OF CHECKS: EVERY HOUR
METHODS OF ALERTS: E-MAIL, SMS,
• MONTASTIC
• NUMBER OF SITES YOU CAN MONITOR: 3
REGULARITY OF CHECKS: EVERY 30 MINUTES
METHODS OF ALERTS: E-MAIL, STATUS VIA RSS AND WIDGETS FOR MACS AND PCS
44
• WITH THESE SERVICES, YOUR SITE IS MONITORED 24/7 FOR UPTIME,
SO YOUR IT TEAM CAN RESPOND SHOULD YOUR SERVER EXPERIENCE
ISSUES
• BECAUSE A DDOS ATTACK EATS AWAY AT YOUR BANDWIDTH, THE
PING TIME WILL BE TOO LONG OR TIME OUT. THE SERVICE SENDS AN
ALERT TO YOUR TEAM, SO THEY CAN START MITIGATION TECHNIQUES
AND TROUBLESHOOT THE ISSUE

45
LOG MANAGEMENT SYSTEMS AND
DDOS ATTACK MONITORING
• THIS SOLUTIONS DISPLAY YOUR TRAFFIC STATISTICS ACROSS YOUR
ENTIRE STACK AND HELP YOU IDENTIFY IF THERE ARE ANY ANOMALIES
24/7
• THE ADVANTAGE TO USING THESE LOGS IS THAT YOU CAN NOT ONLY
IDENTIFY TRAFFIC SPIKES, BUT YOU CAN IDENTIFY THE SERVERS AFFECTED,
THE ERRORS RETURNED TO YOUR USERS, AND THE PRECISE DATE AND
TIME THE TRAFFIC SPIKES OCCURRED
• ANALYZING TOOLS DO MUCH MORE THAN JUST TELL YOU THERE IS A
PROBLEM. THEY ALSO TELL YOU THE SERVERS AFFECTED TO SAVE YOU
TROUBLESHOOTING TIME

46
DEALING WITH DDOS

• DEALING WITH A DDOS CAN BE EXPENSIVE AND DIFFICULT


• IF LARGE WELL ESTABLISHED COMPANIES HAVE PROBLEMS DEALING
WITH DDOS ATTACKS THEN YOU CAN BE CERTAIN THAT THEY ARE
USING AN EFFECTIVE METHOD OF CAUSING DISRUPTIONS

47
MITIGATE DDOS

• THE FIRST OPTIONS IS PREVENTATIVE. DO NOT BECOME A TARGET IF YOU CAN HELP IT. THIS MEANS BOTH,
HIDING IP ADDRESSES TO YOUR ESSENTIAL SERVICES, BUT ALSO NOT UPSETTING PEOPLE
• ANOTHER STEP IS TO HAVE A GOOD FIREWALL WHICH WILL DROP CERTAIN TYPES OF TRAFFIC. IF YOU
HAVE A SERVER WHICH DOES NOT HOST WEBSITES, THERE IS NO NEED FOR THE FIREWALL TO ALLOW
CONNECTIONS TO THAT SERVER ON TCP PORT 80. A SYSTEM ADMINISTRATOR SHOULD BE ABLE TO SETUP
AN EFFICIENT FIREWALL WHICH PREVENTS MANY TYPES OF FAKE TRAFFIC
• FINALLY, THE MOST DIFFICULT THING TO DO IS TO PROTECT YOUR NETWORK. THE EASIEST, BUT USUALLY
MOST EXPENSIVE STEP IS TO INCREASE THE BANDWIDTH OF YOUR INTERNET CONNECTION. THE MORE
BANDWIDTH YOUR CONNECTION CAN HANDLE, THE LARGER THE ATTACK MUST BE FOR IT TO MAKE ANY
SORT OF EFFECT
• A SECOND, MORE COST EFFECTIVE METHOD MAY BE TO USE A SPECIFIC DDOS MITIGATION SERVICE. THESE
SERVICES ACT AS A PROXY BETWEEN YOU AND THE INTERNET, AND WHEN YOU BECOME A TARGET OF AN
ATTACK THEY HELP TO FILTER OUT THAT ATTACK TRAFFIC. INSTEAD ALL THEY SEND YOU IS THE LEGITIMATE
TRAFFIC WHICH WAS BOUND TO YOUR SERVER.

48
• A DDOS IS A PAIN IN THE BUTT BECAUSE IT WORKS. IT'S EASY TO
IMPLEMENT AND DIFFICULT TO MITIGATE !!!!

49
CLASSICAL DOS ATTACKS
• SIMPLEST CLASSICAL DOS ATTACK: FLOODING ATTACK ON AN
ORGANIZATION
• PING FLOOD ATTACK

Service
denied to
legitimate
users

50
PING FLOOD ATTACK
Ping of Death

• USE OF PING COMMAND OPTIONS -N –L

51

Source: learn-networking.com
PING OF DEATH

• THE SIZE OF A CORRECTLY-FORMED IPV4 PACKET INCLUDING THE IP HEADER IS 65,535 BYTES,
INCLUDING A TOTAL PAYLOAD SIZE OF 84 BYTES.
• MANY HISTORICAL COMPUTER SYSTEMS SIMPLY COULD NOT HANDLE LARGER PACKETS, AND
WOULD CRASH IF THEY RECEIVED ONE
• HIS BUG WAS EASILY EXPLOITED IN EARLY TCP/IP IMPLEMENTATIONS IN A WIDE RANGE OF
OPERATING SYSTEMS INCLUDING WINDOWS, MAC, UNIX, LINUX, AS WELL AS NETWORK DEVICES
LIKE PRINTERS AND ROUTERS
• SINCE SENDING A PING PACKET LARGER THAN 65,535 BYTES VIOLATES THE INTERNET PROTOCOL,
ATTACKERS WOULD GENERALLY SEND MALFORMED PACKETS IN FRAGMENTS
• WHEN THE TARGET SYSTEM ATTEMPTS TO REASSEMBLE THE FRAGMENTS AND ENDS UP WITH AN
OVERSIZED PACKET, MEMORY OVERFLOW COULD OCCUR AND LEAD TO VARIOUS SYSTEM
PROBLEMS INCLUDING CRASH
• PING OF DEATH ATTACKS WERE PARTICULARLY EFFECTIVE BECAUSE THE ATTACKER’S IDENTITY
COULD BE EASILY SPOOFED. MOREOVER, A PING OF DEATH ATTACKER WOULD NEED NO DETAILED
52
KNOWLEDGE OF THE MACHINE HE/SHE WAS ATTACKING, EXCEPT FOR ITS IP ADDRESS
METHODS OF MITIGATION

• TO AVOID PING OF DEATCH ATTACKS, AND ITS VARIANTS, MANY SITES BLOCK
ICMP PING MESSAGES ALTOGETHER AT THEIR FIREWALLS. HOWEVER, THIS
APPROACH IS NOT VIABLE IN THE LONG TERM
• FIRSTLY, INVALID PACKET ATTACKS CAN BE DIRECTED AT ANY LISTENING PORT—
LIKE FTP PORTS—AND YOU MAY NOT WANT TO BLOCK ALL OF THESE, FOR
OPERATIONAL REASONS
• MOREOVER, BY BLOCKING PING MESSAGES, YOU PREVENT LEGITIMATE PING USE
– AND THERE ARE STILL UTILITIES THAT RELY ON PING FOR CHECKING THAT
CONNECTIONS ARE LIVE
• THE SMARTER APPROACH WOULD BE TO SELECTIVELY BLOCK FRAGMENTED
PINGS, ALLOWING ACTUAL PING TRAFFIC TO PASS THROUGH UNHINDERED

53
SOURCE ADDRESS SPOOFING

• FALSIFICATION : USE OF FORGED SOURCE IP ADDRESS


• PRIVILEGED ACCESS TO NETWORK HANDLING CODE VIA RAW
SOCKET INTERFACE
• ALLOWS DIRECT SENDING AND RECEIVING OF INFORMATION BY
APPLICATIONS
• NOT NEEDED FOR NORMAL NETWORK OPERATION
• IN ABSENCE OF PRIVILEGE, INSTALL A CUSTOM DEVICE DRIVER ON
THE SOURCE SYSTEM
• ERROR PRONE
• DEPENDENT ON OPERATING SYSTEM VERSION
54
SPOOFING VIA RAW SOCKET
INTERFACE

Difficult to
identify
55
source
SYN SPOOFING

• TAKES ADVANTAGE OF THE THREE-WAY HANDSHAKE THAT OCCURS ANY TIME


TWO SYSTEMS ACROSS THE NETWORK INITIATE A TCP CONNECTION REQUEST
• UNLIKE USUAL BRUTE-FORCE ATTACK, NOT DONE BY EXHAUSTING NETWORK
RESOURCES BUT DONE BY OVERFLOWING THE SYSTEM RESOURCES (TABLES USED
TO MANAGE TCP CONNECTIONS)
• REQUIRE FEWER PACKETS TO DEPLETE
• CONSEQUENCE: FAILURE OF FUTURE CONNECTION REQUESTS ,THEREBY
DENYING ACCESS TO THE SERVER FOR LEGITIMATE USERS
• EXAMPLE: LAND.C SENDS TCP SYN PACKET USING TARGET’S ADDRESS AS SOURCE
AS WELL AS DESTINATION

56
TCP 3-WAY CONNECTION HANDSHAKE
Address,
Port number,
Seq x
Recorded in
a table of
known TCP
connections

Server in
LISTEN State

Vulnerability:
Unbounded ness 57
of LISTEN state
SYN SPOOFING CONT’D ….

58
FACTORS CONSIDERED BY ATTACKER
FOR SYN SPOOFING
• THE NUMBER OF SENT FORGED PACKETS ARE JUST LARGE ENOUGH TO EXHAUST
THE TABLE BUT SMALL AS COMPARED TO A TYPICAL FLOODING ATTACK
• KEEP SUFFICIENT VOLUME OF FORGED REQUESTS FLOWING
• KEEP THE TABLE CONSTANTLY FULL WITH NO TIMED-OUT REQUESTS

• MAKE SURE TO USE ADDRESSES THAT WILL NOT RESPOND TO THE SYN-ACK WITH
A RST
• OVERLOADING THE SPOOFED CLIENT
• USING A WIDE RANGE OF RANDOM ADDRESSES
• A COLLECTION OF COMPROMISED HOSTS UNDER THE ATTACKER'S CONTROL (I.E., A
"BOTNET") COULD BE USED

59
DETECTING SYN SPOOF ATTACK

• AFTER THE TARGET SYSTEM HAS TRIED TO SEND A SYN/ACK PACKET TO THE
CLIENT AND WHILE IT IS WAITING TO RECEIVE AN ACK PACKET, THE EXISTING
CONNECTION IS SAID TO BE HALF OPEN OR HOST IN SYN_RECEIVED STATE
• IF YOUR SYSTEM IS IN THIS STATE, IT MAY BE EXPERIENCING SYN-SPOOF ATTACK
• TO DETERMINE WHETHER CONNECTIONS ON YOUR SYSTEM ARE HALF OPEN, TYPE
NETSTAT –A COMMAND
• THIS COMMAND GIVES A SET OF ACTIVE CONNECTIONS .CHECK FOR THOSE IN
THE STATE SYN_RECEIVED WHICH IS AN INDICATION OF THE THREAT OF SYN
SPOOF ATTACK

60

Source: Fadia (2007)


ANALYSING TRAFFIC

• SPOOFING MAKES IT DIFFICULT TO TRACE BACK TO


ATTACKERS
• ANALYSING FLOW OF TRAFFIC REQUIRED BUT NOT EASY!
• REQUIRES COOPERATION OF THE NETWORK ENGINEERS
MANAGING ROUTERS
• QUERY FLOW INFORMATION: A MANUAL PROCESS

61
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

62
FLOODING ATTACKS

• GOAL : BOMBARDING LARGE NUMBER OF MALICIOUS PACKETS AT


THE VICTIM, SUCH THAT PROCESSING OF THESE PACKETS CONSUMES
RESOURCES
• ANY TYPE OF NETWORK PACKET CAN BE USED
• ATTACK TRAFFIC MADE SIMILAR TO LEGITIMATE TRAFFIC
• VALID TRAFFIC HAS A LOW PROBABILITY OF SURVIVING THE
DISCARD CAUSED BY FLOOD AND HENCE ACCESSING THE SERVER
• SOME WAYS OF FLOODING :
• TO OVERLOAD NETWORK CAPACITY ON SOME LINK TO A SERVER
• TO OVERLOAD SERVER’S ABILITY TO HANDLE AND RESPOND TO THIS TRAFFIC
• THE LARGER THE PACKET, THE MORE EFFECTIVE THE ATTACK
63
FLOODING ATTACK WITHIN LOCAL
NETWORK
• SIMPLY SENDING INFINITE MESSAGES FROM ONE COMPUTER TO
ANOTHER ON THE LOCAL NETWORK , THEREBY WASTING THE
RESOURCES OF THE RECIPIENT COMPUTER TO RECEIVE AND TACKLE
THE MESSAGES
• THE FOLLOWING CODE (ABC.BAT) SENDS INFINITE MESSAGES TO
VICTIM

64
TYPES OF FLOODING ATTACKS

• CLASSIFIED BASED ON TYPE OF NETWORK PROTOCOL USED TO ATTACK


• ICMP FLOOD
• USES ICMP PACKETS , EX: PING FLOOD USING ECHO REQUEST
• TYPICALLY ALLOWED THROUGH, SOME REQUIRED

• UDP FLOOD
• EXPLOITS THE TARGET SYSTEM’S DIAGNOSTIC ECHO SERVICES TO CREATE AN
INFINITE LOOP BETWEEN TWO OR MORE UDP SERVICES

• TCP SYN FLOOD


• USE TCP SYN (CONNECTION REQUEST PACKETS)

65
UDP FLOOD ATTACK

• A UDP FLOOD IS A TYPE OF DENIAL-OF-SERVICE ATTACK IN WHICH A


LARGE NUMBER OF USER DATAGRAM PROTOCOL (UDP) PACKETS ARE
SENT TO A TARGETED SERVER WITH THE AIM OF OVERWHELMING
THAT DEVICE’S ABILITY TO PROCESS AND RESPOND. THE FIREWALL
PROTECTING THE TARGETED SERVER CAN ALSO BECOME EXHAUSTED
AS A RESULT OF UDP FLOODING, RESULTING IN A DENIAL-OF-SERVICE
TO LEGITIMATE TRAFFIC

66
HOW DOES A UDP FLOOD ATTACK
WORK
• A UDP FLOOD WORKS PRIMARILY BY EXPLOITING THE STEPS THAT A
SERVER TAKES WHEN IT RESPONDS TO A UDP PACKET SENT TO ONE OF
IT’S PORTS. UNDER NORMAL CONDITIONS, WHEN A SERVER RECEIVES A
UDP PACKET AT A PARTICULAR PORT, IT GOES THROUGH TWO STEPS IN
RESPONSE :
• THE SERVER FIRST CHECKS TO SEE IF ANY PROGRAMS ARE RUNNING WHICH
ARE PRESENTLY LISTENING FOR REQUESTS AT THE SPECIFIED PORT
• IF NO PROGRAMS ARE RECEIVING PACKETS AT THAT PORT, THE SERVER
RESPONDS WITH A ICMP (PING) PACKET TO INFORM THE SENDER THAT THE
DESTINATION WAS UNREACHABLE

67
SIMILARITY OF UDP FLOOD

• A UDP FLOOD CAN BE THOUGHT OF IN THE CONTEXT OF A HOTEL


RECEPTIONIST ROUTING CALLS. FIRST, THE RECEPTIONIST RECEIVES A
PHONE CALL WHERE THE CALLER ASKS TO BE CONNECTED TO A SPECIFIC
ROOM. THE RECEPTIONIST THEN NEEDS TO LOOK THROUGH THE LIST OF
ALL ROOMS TO MAKE SURE THAT THE GUEST IS AVAILABLE IN THE ROOM
AND WILLING TO TAKE THE CALL. ONCE THE RECEPTIONIST REALIZES THAT
THE GUEST IS NOT TAKING ANY CALLS, THEY HAVE TO PICK THE PHONE
BACK UP AND TELL THE CALLER THAT THE GUEST WILL NOT BE TAKING
THE CALL. IF SUDDENLY ALL THE PHONE LINES LIGHT UP SIMULTANEOUSLY
WITH SIMILAR REQUESTS THEN THEY WILL QUICKLY BECOME
OVERWHELMED

68
• AS EACH NEW UDP PACKET IS RECEIVED BY THE SERVER, IT GOES THROUGH STEPS IN
ORDER TO PROCESS THE REQUEST, UTILIZING SERVER RESOURCES IN THE PROCESS.
WHEN UDP PACKETS ARE TRANSMITTED, EACH PACKET WILL INCLUDE THE IP ADDRESS
OF THE SOURCE DEVICE
• DURING THIS TYPE OF DDOS ATTACK, AN ATTACKER WILL GENERALLY NOT USE THEIR
OWN REAL IP ADDRESS, BUT WILL INSTEAD SPOOF THE SOURCE IP ADDRESS OF THE
UDP PACKETS, IMPEDING THE ATTACKER’S TRUE LOCATION FROM BEING EXPOSED AND
POTENTIALLY SATURATED WITH THE RESPONSE PACKETS FROM THE TARGETED SERVER
• AS A RESULT OF THE TARGETED SERVER UTILIZING RESOURCES TO CHECK AND THEN
RESPOND TO EACH RECEIVED UDP PACKET, THE TARGET’S RESOURCES CAN BECOME
QUICKLY EXHAUSTED WHEN A LARGE FLOOD OF UDP PACKETS ARE RECEIVED,
RESULTING IN DENIAL-OF-SERVICE TO NORMAL TRAFFIC

69
70
HOW IS A UDP FLOOD ATTACK
MITIGATED
• MOST OPERATING SYSTEMS LIMIT THE RESPONSE RATE OF ICMP PACKETS IN PART TO DISRUPT DDOS
ATTACKS THAT REQUIRE ICMP RESPONSE
• TRADITIONALLY, UDP MITIGATION METHOD ALSO RELIED ON FIREWALLS THAT FILTERED OUT OR
BLOCK MALICIOUS UDP PACKETS. SUCH METHODS ARE NOW BECOMING IRRELEVANT, AS MODERN
HIGH-VOLUME ATTACKS CAN SIMPLY OVERBEAR FIREWALLS, WHICH ARE NOT DESIGNED WITH
OVERPROVISIONING IN MIND
• IF THE UDP FLOOD HAS A VOLUME HIGH ENOUGH TO SATURATE THE STATE TABLE OF THE
TARGETED SERVER’S FIREWALL, ANY MITIGATION THAT OCCURS AT THE SERVER LEVEL WILL BE
INSUFFICIENT AS THE BOTTLENECK WILL OCCUR UPSTREAM FROM THE TARGETED DEVICE
• USING MECHANISM, DESIGNED FOR INLINE TRAFFIC PROCESSING, IDENTIFYING AND FILTERS OUT
MALICIOUS DDOS PACKETS, BASED ON COMBINATION OF FACTORS LIKE IP REPUTATION,
ABNORMAL ATTRIBUTES AND SUSPICIOUS BEHAVIOR

71
WHAT IS A SYN FLOOD ATTACK

• A SYN FLOOD (HALF OPEN ATTACK) IS A TYPE OF DENIAL-OF-SERVICE


(DDOS) ATTACK WHICH AIMS TO MAKE A SERVER UNAVAILABLE TO
LEGITIMATE TRAFFIC BY CONSUMING ALL AVAILABLE SERVER
RESOURCES. BY REPEATEDLY SENDING INITIAL CONNECTION REQUEST
(SYN) PACKETS, THE ATTACKER IS ABLE TO OVERWHELM ALL AVAILABLE
PORTS ON A TARGETED SERVER MACHINE, CAUSING THE TARGETED
DEVICE TO RESPOND TO LEGITIMATE TRAFFIC SLUGGISHLY OR NOT
AT ALL

72
HOW DOES A SYN FLOOD ATTACK
WORK?
• SYN FLOOD ATTACKS WORK BY EXPLOITING THE HANDSHAKE PROCESS OF
A TCP CONNECTION. UNDER NORMAL CONDITIONS, TCP CONNECTION EXHIBITS
THREE DISTINCT PROCESSES IN ORDER TO MAKE A CONNECTION.
• FIRST, THE CLIENT SENDS A SYN PACKET TO THE SERVER IN ORDER TO INITIATE THE
CONNECTION.
• THE SERVER THAN RESPONDS TO THAT INITIAL PACKET WITH A SYN/ACK PACKET, IN
ORDER TO ACKNOWLEDGE THE COMMUNICATION.
• FINALLY, THE CLIENT RETURNS AN ACK PACKET TO ACKNOWLEDGE THE RECEIPT OF THE
PACKET FROM THE SERVER. AFTER COMPLETING THIS SEQUENCE OF PACKET SENDING
AND RECEIVING, THE TCP CONNECTION IS OPEN AND ABLE TO SEND AND RECEIVE
DATA

73
74
• TO CREATE DENIAL-OF-SERVICE, AN ATTACKER EXPLOITS THE FACT THAT AFTER AN
INITIAL SYN PACKET HAS BEEN RECEIVED, THE SERVER WILL RESPOND BACK WITH
ONE OR MORE SYN/ACK PACKETS AND WAIT FOR THE FINAL STEP IN THE
HANDSHAKE. HERE’S HOW IT WORKS:
• THE ATTACKER SENDS A HIGH VOLUME OF SYN PACKETS TO THE TARGETED SERVER,
OFTEN WITH SPOOFED IP ADDRESSES.
• THE SERVER THEN RESPONDS TO EACH ONE OF THE CONNECTION REQUESTS AND
LEAVES AN OPEN PORT READY TO RECEIVE THE RESPONSE
• WHILE THE SERVER WAITS FOR THE FINAL ACK PACKET, WHICH NEVER ARRIVES, THE
ATTACKER CONTINUES TO SEND MORE SYN PACKETS. THE ARRIVAL OF EACH NEW SYN
PACKET CAUSES THE SERVER TO TEMPORARILY MAINTAIN A NEW OPEN PORT
CONNECTION FOR A CERTAIN LENGTH OF TIME, AND ONCE ALL THE AVAILABLE PORTS
HAVE BEEN UTILIZED THE SERVER IS UNABLE TO FUNCTION NORMALLY.

75
76
• IN NETWORKING, WHEN A SERVER IS LEAVING A
CONNECTION OPEN BUT THE MACHINE ON THE OTHER
SIDE OF THE CONNECTION IS NOT, THE CONNECTION IS
CONSIDERED HALF OPEN. IN THIS TYPE OF DDOS ATTACK,
THE TARGETED SERVER IS CONTINUOUSLY LEAVING
OPEN CONNECTIONS AND WAITING FOR EACH
CONNECTION TO TIMEOUT BEFORE THE PORTS BECOME
AVAILABLE AGAIN. THE RESULT IS THAT THIS TYPE OF
ATTACK CAN BE CONSIDERED A “HALF-OPEN ATTACK”
77
A SYN FLOOD CAN OCCUR IN THREE
DIFFERENT WAYS:
• DIRECT ATTACK: A SYN FLOOD WHERE THE IP ADDRESS IS NOT SPOOFED IS KNOWN AS A DIRECT ATTACK. IN THIS ATTACK,
THE ATTACKER DOES NOT MASK THEIR IP ADDRESS AT ALL. AS A RESULT OF THE ATTACKER USING A SINGLE SOURCE DEVICE
WITH A REAL IP ADDRESS TO CREATE THE ATTACK, THE ATTACKER IS HIGHLY VULNERABLE TO DISCOVERY AND MITIGATION. IN
ORDER TO CREATE THE HALF-OPEN STATE ON THE TARGETED MACHINE, THE HACKER PREVENTS THEIR MACHINE FROM
RESPONDING TO THE SERVER’S SYN-ACK PACKETS. THIS IS OFTEN ACHIEVED BY FIREWALL RULES THAT STOP OUTGOING
PACKETS OTHER THAN SYN PACKETS OR BY FILTERING OUT ANY INCOMING SYN-ACK PACKETS BEFORE THEY REACH THE
MALICIOUS USERS MACHINE. IN PRACTICE THIS METHOD IS USED RARELY (IF EVER), AS MITIGATION IS FAIRLY
STRAIGHTFORWARD – JUST BLOCK THE IP ADDRESS OF EACH MALICIOUS SYSTEM. IF THE ATTACKER IS USING A BOTNET SUCH
AS THE MIRAI BOTNET THEY WON’T CARE ABOUT MASKING THE IP OF THE INFECTED DEVICE

• SPOOFED ATTACK: A MALICIOUS USER CAN ALSO SPOOF THE IP ADDRESS ON EACH SYN PACKET THEY SEND IN ORDER TO
INHIBIT MITIGATION EFFORTS AND MAKE THEIR IDENTITY MORE DIFFICULT TO DISCOVER. WHILE THE PACKETS MAY BE
SPOOFED, THOSE PACKETS CAN POTENTIALLY BE TRACED BACK TO THEIR SOURCE. IT’S DIFFICULT TO DO THIS SORT OF
DETECTIVE WORK BUT IT’S NOT IMPOSSIBLE, ESPECIALLY IF INTERNET SERVICE PROVIDERS (ISPS) ARE WILLING TO HELP.

• DISTRIBUTED ATTACK (DDOS): IF AN ATTACK IS CREATED USING A BOTNET THE LIKELIHOOD OF TRACKING THE ATTACK BACK
TO ITS SOURCE IS LOW. FOR AN ADDED LEVEL OF OBFUSCATION, AN ATTACKER MAY HAVE EACH DISTRIBUTED DEVICE ALSO
SPOOF THE IP ADDRESSES FROM WHICH IT SENDS PACKETS. IF THE ATTACKER IS USING A BOTNET SUCH AS THE MIRAI BOTNET,
THEY GENERALLY WON’T CARE ABOUT MASKING THE IP OF THE INFECTED DEVICE

78
• BY USING A SYN FLOOD ATTACK, A BAD ACTOR CAN ATTEMPT TO CREATE
DENIAL-OF-SERVICE IN A TARGET DEVICE OR SERVICE WITH SUBSTANTIALLY LESS
TRAFFIC THAN OTHER DDOS ATTACKS. INSTEAD OF VOLUMETRIC ATTACKS, WHICH
AIM TO SATURATE THE NETWORK INFRASTRUCTURE SURROUNDING THE TARGET,
SYN ATTACKS ONLY NEED TO BE LARGER THAN THE AVAILABLE BACKLOG IN THE
TARGET’S OPERATING SYSTEM. IF THE ATTACKER IS ABLE TO DETERMINE THE SIZE
OF THE BACKLOG AND HOW LONG EACH CONNECTION WILL BE LEFT OPEN
BEFORE TIMING OUT, THE ATTACKER CAN TARGET THE EXACT PARAMETERS NEEDED
TO DISABLE THE SYSTEM, THEREBY REDUCING THE TOTAL TRAFFIC TO THE
MINIMUM NECESSARY AMOUNT TO CREATE DENIAL-OF-SERVICE

79
HOW IS A SYN FLOOD ATTACK
MITIGATED
• SYN FLOOD VULNERABILITY HAS BEEN KNOWN FOR A LONG TIME AND A
NUMBER OF MITIGATION PATHWAYS HAVE BEEN UTILIZED. A FEW APPROACHES
INCLUDE:
• INCREASING BACKLOG QUEUE
• EACH OPERATING SYSTEM ON A TARGETED DEVICE HAS A CERTAIN NUMBER OF HALF-
OPEN CONNECTIONS THAT IT WILL ALLOW. ONE RESPONSE TO HIGH VOLUMES OF
SYN PACKETS IS TO INCREASE THE MAXIMUM NUMBER OF POSSIBLE HALF-OPEN
CONNECTIONS THE OPERATING SYSTEM WILL ALLOW. IN ORDER TO SUCCESSFULLY
INCREASE THE MAXIMUM BACKLOG, THE SYSTEM MUST RESERVE ADDITIONAL MEMORY
RESOURCES TO DEAL WITH ALL THE NEW REQUESTS. IF THE SYSTEM DOES NOT HAVE
ENOUGH MEMORY TO BE ABLE TO HANDLE THE INCREASED BACKLOG QUEUE SIZE,
SYSTEM PERFORMANCE WILL BE NEGATIVELY IMPACTED, BUT THAT STILL MAY BE BETTER
THAN DENIAL-OF-SERVICE

80
• RECYCLING THE OLDEST HALF-OPEN TCP CONNECTION
• ANOTHER MITIGATION STRATEGY INVOLVES OVERWRITING THE OLDEST HALF-OPEN
CONNECTION ONCE THE BACKLOG HAS BEEN FILLED. THIS STRATEGY REQUIRES THAT THE
LEGITIMATE CONNECTIONS CAN BE FULLY ESTABLISHED IN LESS TIME THAN THE BACKLOG
CAN BE FILLED WITH MALICIOUS SYN PACKETS. THIS PARTICULAR DEFENSE FAILS WHEN THE
ATTACK VOLUME IS INCREASED, OR IF THE BACKLOG SIZE IS TOO SMALL TO BE PRACTICAL.

• SYN COOKIES
• THIS STRATEGY INVOLVES THE CREATION OF A COOKIE BY THE SERVER. IN ORDER TO AVOID
THE RISK OF DROPPING CONNECTIONS WHEN THE BACKLOG HAS BEEN FILLED, THE SERVER
RESPONDS TO EACH CONNECTION REQUEST WITH A SYN-ACK PACKET BUT THEN DROPS THE
SYN REQUEST FROM THE BACKLOG, REMOVING THE REQUEST FROM MEMORY AND LEAVING
THE PORT OPEN AND READY TO MAKE A NEW CONNECTION. IF THE CONNECTION IS A
LEGITIMATE REQUEST, AND A FINAL ACK PACKET IS SENT FROM THE CLIENT MACHINE BACK TO
THE SERVER, THE SERVER WILL THEN RECONSTRUCT (WITH SOME LIMITATIONS) THE SYN
BACKLOG QUEUE ENTRY. WHILE THIS MITIGATION EFFORT DOES LOSE SOME INFORMATION
ABOUT THE TCP CONNECTION, IT IS BETTER THAN ALLOWING DENIAL-OF-SERVICE TO OCCUR 81
TO LEGITIMATE USERS AS A RESULT OF AN ATTACK.
MITIGATION

• SOME COMPANY MITIGATES THIS TYPE OF ATTACK IN PART BY


STANDING BETWEEN THE TARGETED SERVER AND THE SYN FLOOD.
WHEN THE INITIAL SYN REQUEST IS MADE, THE DEFENSE MECHANISM
HANDLES THE HANDSHAKE PROCESS, WITHHOLDING THE
CONNECTION WITH THE TARGETED SERVER UNTIL THE TCP
HANDSHAKE IS COMPLETE. THIS STRATEGY TAKES THE RESOURCE
COST OF MAINTAINING THE CONNECTIONS WITH THE BOGUS SYN
PACKETS OFF THE TARGETED SERVER

82
SYN COOKIE

• BY SPECIFICALLY CALCULATING THE TCP SEQUENCE NUMBER WITH A SPECIFIC,


SECRET MATH FUNCTION IN THE SYN-ACK RESPONSE, THE SERVER DOES NOT
NEED TO MAINTAIN THIS STATE TABLE
• ON RECEIPT OF THE ACK FROM THE CLIENT, THE TCP SEQUENCE NUMBER IS
CHECKED AGAINST THE FUNCTION TO DETERMINE IF THIS IS A LEGITIMATE REPLY
• IF THE CHECK IS SUCCESSFUL, THEN THE SERVER WILL CREATE THE TCP SESSION
AND THE USER CONNECTION WILL PROCEED AS NORMAL
• IF THE ACK RESPONSE IS NOT CORRECT THE TCP SESSION IS NOT CREATED. THE
EFFECT IS THAT SYN FLOODS WILL NO LONGER CONSUME RESOURCES ON
SERVERS OR LOAD BALANCERS

83
84
SHOULD I IMPLEMENT SYN COOKIES

• IN GENERAL TERMS, IMPLEMENTING THIS TYPE OF CODE ON SERVERS IS A BAD


IDEA
• THE CPU REQUIREMENT TO DELIVER THE MATHEMATICS FOR THE FUNCTION
CALCULATION IS BEYOND THE CAPACITY OF X86 SERVERS (AND THEIR OS’S) TO
RELIABLY COMPUTE ON A REAL TIME BASIS
• THE CPU IMPACT MAY RESULT IN SERVERS NOT ABLE TO DELIVER APPLICATIONS
OR, AT BEST, TO WORK MUCH MORE SLOWLY IN EVERY CIRCUMSTANCE
• THE MOST COMMON IMPLEMENTATION IS ON LOAD BALANCER AND DDOS
APPLIANCES, WITH DEDICATED CPU AND OS THAT CAN PROCESS HUGE VOLUMES
OF TCP SEQUENCE CALCULATIONS WITHOUT LOSS OF PERFORMANCE

85
• SYN COOKIES IS A SIMPLE DDOS DEFENSE TODAY, AND PROBABLY SUITABLE FOR
ALL INTERNET HOSTING INCLUDING MAIL SERVER AND CORPORATE WEB SERVERS
• ANY DDOS ATTACKS WILL SIMPLY OVERRUN YOUR INTERNET CONNECTIONS
WITH VOLUME SINCE A 100 MB ETHERNET CONNECTION IS NOW VERY SMALL
COMPARED TO, FOR EXAMPLE, 500 COMPROMISED DESKTOPS WITH AN AVERAGE
200 KBS OF BANDWIDTH EACH LAUNCHING AN ATTACK WILL SATURATE YOUR
100MBS LINK AND THERE IS NOTHING YOU CAN DO
• BUT A SYN ATTACK CAN BE ACCOMPLISHED WITH A 2MBS DSL LINE AND IS
UNLIKELY TO OVERRUN YOUR BANDWIDTH (SINCE A SYN PACKET IS 64 BYTES)

86
ALTERNATIVES TO SYN COOKIES

• YOU DON’T HAVE TO USE SYN COOKIES TO DEFEND AGAINST A SYN FLOOD
BECAUSE MOST MODERN FIREWALLS WILL MONITOR THE STATE TABLE, AND
DISCARD CONNECTIONS ONCE A HIGH WATER MARK HAS BEEN REACHED
• SMARTER FIREWALLS WILL LOOK AT SYN PACKETS PER SECOND PER PROTOCOL
AND START TO FLAG AN ATTACK PLUS START TO PURGE HALF OPEN
CONNECTIONS TO ENSURE RESOURCE AVAILABILITY
• BUT THEY OFTEN DO NOT HAVE INTELLIGENT ROUTINES AND MAY ACTUALLY
DISCARD GOOD TCP SESSIONS, ESPECIALLY WITH HIGH VOLUME ATTACKS) AND
THUS CAUSE A DEGRADED SERVICE WHILE THE ATTACK CONTINUES

87
PING FLOOD ATTACK CONT’D ….

• GENERALLY USELESS ON LARGER NETWORKS OR WEBSITES

88
PING FLOOD (ICMP FLOOD)

• PING FLOOD, ALSO KNOWN AS ICMP FLOOD, IS A COMMON DENIAL OF


SERVICE (DOS) ATTACK IN WHICH AN ATTACKER TAKES DOWN A VICTIM’S COMPUTER
BY OVERWHELMING IT WITH ICMP ECHO REQUESTS, ALSO KNOWN AS PINGS.
• THE ATTACK INVOLVES FLOODING THE VICTIM’S NETWORK WITH REQUEST PACKETS,
KNOWING THAT THE NETWORK WILL RESPOND WITH AN EQUAL NUMBER OF REPLY
PACKETS
• ADDITIONAL METHODS FOR BRINGING DOWN A TARGET WITH ICMP REQUESTS
INCLUDE THE USE OF CUSTOM TOOLS OR CODE, SUCH AS HPING AND SCAPY
• THIS STRAINS BOTH THE INCOMING AND OUTGOING CHANNELS OF THE NETWORK,
CONSUMING SIGNIFICANT BANDWIDTH AND RESULTING IN A DENIAL OF SERVICE.

89
• ATTACKS CAN THEREFORE BE BROKEN DOWN INTO THREE CATEGORIES, BASED ON THE TARGET
AND HOW ITS IP ADDRESS IS RESOLVED
• A TARGETED LOCAL DISCLOSED PING FLOOD TARGETS A SINGLE COMPUTER ON A LOCAL
NETWORK. AN ATTACKER NEEDS TO HAVE PHYSICAL ACCESS TO THE COMPUTER IN ORDER TO
DISCOVER ITS IP ADDRESS. A SUCCESSFUL ATTACK WOULD RESULT IN THE TARGET COMPUTER
BEING TAKEN DOWN
• A ROUTER DISCLOSED PING FLOOD TARGETS ROUTERS IN ORDER TO DISRUPT COMMUNICATIONS
BETWEEN COMPUTERS ON A NETWORK. IT IS RELIANT ON THE ATTACKER KNOWING THE INTERNAL
IP ADDRESS OF A LOCAL ROUTER. A SUCCESSFUL ATTACK WOULD RESULT IN ALL COMPUTERS
CONNECTED TO THE ROUTER BEING TAKEN DOWN
• A BLIND PING FLOOD INVOLVES USING AN EXTERNAL PROGRAM TO UNCOVER THE IP ADDRESS OF
THE TARGET COMPUTER OR ROUTER BEFORE EXECUTING AN ATTACK

90
• NOTE THAT IN ORDER FOR A PING FLOOD TO BE SUSTAINED, THE
ATTACKING COMPUTER MUST HAVE ACCESS TO MORE BANDWIDTH
THAN THE VICTIM. THIS LIMITS THE ABILITY TO CARRY OUT A DOS
ATTACK, ESPECIALLY AGAINST A LARGE NETWORK
• ADDITIONALLY, A DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK
EXECUTED WITH A THE USE OF A BOTNET HAS A MUCH GREATER
CHANCE OF SUSTAINING A PING FLOOD AND OVERWHELMING A
TARGET’S RESOURCES

91
METHODS OF MITIGATION

• RECONFIGURING YOUR PERIMETER FIREWALL TO DISALLOW PINGS


WILL BLOCK ATTACKS ORIGINATING FROM OUTSIDE YOUR
NETWORK, ALBEIT NOT INTERNAL ATTACKS
• STILL, THE BLANKET BLOCKING OF PING REQUESTS CAN HAVE
UNINTENDED CONSEQUENCES, INCLUDING THE INABILITY TO
DIAGNOSE SERVER ISSUES
• PROTECTION AGAINST ICMP FLOODS BY LIMITING THE SIZE OF PING
REQUESTS AS WELL AS THE RATE AT WHICH THEY CAN BE ACCEPTED.

92
SMURF ATTACK

• A SMURF ATTACK IS A DISTRIBUTED DENIAL-OF-SERVICE (DDOS)


ATTACK IN WHICH AN ATTACKER ATTEMPTS TO FLOOD A TARGETED
SERVER WITH INTERNET CONTROL MESSAGE PROTOCOL (ICMP) PACKETS
• BY MAKING REQUESTS WITH THE SPOOFED IP ADDRESS OF THE
TARGETED DEVICE TO ONE OR MORE COMPUTER NETWORKS, THE
COMPUTER NETWORKS THEN RESPOND TO THE TARGETED SERVER,
AMPLIFYING THE INITIAL ATTACK TRAFFIC AND POTENTIALLY
OVERWHELMING THE TARGET, RENDERING IT INACCESSIBLE
• THIS ATTACK VECTOR IS GENERALLY CONSIDERED A SOLVED
VULNERABILITY AND IS NO LONGER PREVALENT.

93
HOW DOES A SMURF ATTACK WORK

• WHILE ICMP PACKETS CAN BE UTILIZED IN A DDOS ATTACK,


NORMALLY THEY SERVE VALUABLE FUNCTIONS IN NETWORK
ADMINISTRATION
• UNFORTUNATELY, BECAUSE THE ICMP PROTOCOL DOES NOT INCLUDE
A HANDSHAKE, HARDWARE DEVICES RECEIVING REQUESTS ARE
UNABLE TO VERIFY IF THE REQUEST IS LEGITIMATE

94

• FIRST THE SMURF MALWARE BUILDS A SPOOFED PACKET THAT HAS ITS SOURCE
ADDRESS SET TO THE REAL IP ADDRESS OF THE TARGETED VICTIM.
• THE PACKET IS THEN SENT TO AN IP BROADCAST ADDRESS OF A ROUTER OR FIREWALL,
WHICH IN TURN SENDS REQUESTS TO EVERY HOST DEVICE ADDRESS INSIDE THE
BROADCASTING NETWORK, INCREASING THE NUMBER OF REQUESTS BY THE NUMBER
OF NETWORKED DEVICES ON THE NETWORK.
• EACH DEVICE INSIDE THE NETWORK RECEIVES THE REQUEST FROM THE BROADCASTER
AND THEN RESPONDS TO THE SPOOFED ADDRESS OF THE TARGET WITH AN ICMP
ECHO REPLY PACKET.
• THE TARGET VICTIM THEN RECEIVES A DELUGE OF ICMP ECHO REPLY PACKETS,
POTENTIALLY BECOMING OVERWHELMED AND RESULTING IN DENIAL-OF-SERVICE TO
LEGITIMATE TRAFFIC.

95
HOW CAN A SMURF ATTACK BE
MITIGATED
• SEVERAL MITIGATION STRATEGIES FOR THIS ATTACK VECTOR HAVE
BEEN DEVELOPED AND IMPLEMENTED OVER THE YEARS, AND THE
EXPLOIT IS LARGELY CONSIDERED SOLVED. ON A LIMITED NUMBER OF
LEGACY SYSTEMS, MITIGATION TECHNIQUES MAY STILL NEED TO BE
APPLIED
• A SIMPLE SOLUTION IS TO DISABLE IP BROADCASTING ADDRESSES AT
EACH NETWORK ROUTER AND FIREWALL. OLDER ROUTERS ARE LIKELY
TO ENABLE BROADCASTING BY DEFAULT, WHILE NEWER ROUTERS
WILL LIKELY ALREADY HAVE IT DISABLED

96
FRAGGLE ATTACK

• IS SIMILAR TO A SMURF ATTACK


• THE MALICIOUS PACKET IS A USER DATAGRAM PROTOCOL (UDP)
ECHO PACKET INSTEAD OF AN ICMP ECHO PACKET

97
DNS FLOOD

• DNS FLOOD IS A TYPE OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK IN WHICH


THE ATTACKER TARGETS ONE OR MORE DOMAIN NAME SYSTEM (DNS) SERVERS
BELONGING TO A GIVEN ZONE, ATTEMPTING TO HAMPER RESOLUTION OF RESOURCE
RECORDS OF THAT ZONE AND ITS SUB-ZONES
• DNS SERVERS ARE THE “ROADMAP” OF THE INTERNET, HELPING REQUESTORS FIND THE
SERVERS THEY SEEK. A DNS ZONE IS A DISTINCT PORTION OF THE DOMAIN NAME
SPACE IN THE DOMAIN NAME SYSTEM (DNS). FOR EACH ZONE, ADMINISTRATIVE
RESPONSIBILITY IS DELEGATED TO A SINGLE SERVER CLUSTER
• IN A DNS FLOOD ATTACK THE OFFENDER TRIES TO OVERBEAR A GIVEN DNS SERVER (OR
SERVERS) WITH APPARENTLY VALID TRAFFIC, OVERWHELMING SERVER RESOURCES AND
IMPEDING THE SERVERS’ ABILITY TO DIRECT LEGITIMATE REQUESTS TO ZONE
RESOURCES

98
ATTACK DESCRIPTION

• DNS FLOODS ARE SYMMETRICAL DDOS ATTACKS


• THESE ATTACKS ATTEMPT TO EXHAUST SERVER-SIDE ASSETS (E.G.,
MEMORY OR CPU) WITH A FLOOD OF UDP REQUESTS, GENERATED BY
SCRIPTS RUNNING ON SEVERAL COMPROMISED BOTNET MACHINES
• A DNS FLOOD ATTACK IS CONSIDERED A VARIANT OF THE UDP FLOOD
ATTACK, SINCE DNS SERVERS RELY ON THE UDP PROTOCOL FOR NAME
RESOLUTION, AND IS A LAYER 7 ATTACK
• WITH UDP-BASED QUERIES (UNLIKE TCP QUERIES), A FULL CIRCUIT IS
NEVER ESTABLISHED, AND THUS SPOOFING IS MORE EASILY
ACCOMPLISHED

99
100
• TO ATTACK A DNS SERVER WITH A DNS FLOOD, THE ATTACKER RUNS A SCRIPT , GENERALLY FROM
MULTIPLE SERVERS. THESE SCRIPTS SEND MALFORMED PACKETS FROM SPOOFED IP ADDRESSES
• SINCE LAYER 7 ATTACKS LIKE DNS FLOOD REQUIRE NO RESPONSE TO BE EFFECTIVE, THE ATTACKER
CAN SEND PACKETS THAT ARE NEITHER ACCURATE NOR EVEN CORRECTLY FORMATTED
• THE ATTACKER CAN SPOOF ALL PACKET INFORMATION, INCLUDING SOURCE IP AND MAKE IT
APPEAR THAT THE ATTACK IS COMING FROM MULTIPLE SOURCES. RANDOMIZED PACKET DATA ALSO
HELPS OFFENDERS TO AVOID COMMON DDOS PROTECTION MECHANISMS, WHILE ALSO LIKE IP
FILTERING (E.G., USING LINUX IPTABLES) COMPLETELY USELESS
• ANOTHER COMMON TYPE OF DNS FLOOD ATTACK IS DNS NXDOMAIN FLOOD ATTACK, IN WHICH
THE ATTACKER FLOODS THE DNS SERVER WITH REQUESTS FOR RECORDS THAT ARE NONEXISTENT
OR INVALID
• THE DNS SERVER EXPENDS ALL ITS RESOURCES LOOKING FOR THESE RECORDS, ITS CACHE FILLS
WITH BAD REQUESTS, AND IT EVENTUALLY HAS NO RESOURCES TO SERVE LEGITIMATE REQUESTS

101
METHODS OF MITIGATION

• LARGE LAYER 3 ATTACKS LIKE DNS FLOODS ARE VERY DIFFICULT FOR
ON-PREMISES SOLUTIONS TO MITIGATE
• USE OF CLOUD SECURITY LIKE WAF
• CONFIGURING MECHANISM TO LIMIT THE NUMBER OF DNS PACKETS
AND THE RATE OF PACKETS
• LIMIT THE LOCATIONS WHERE THIS DNS PACKETS COME FROM

102
UPD AMPLIFICATION

• ONE OF THE REASONS UDP AMPLIFICATION CAN GENERATE SUCH ENORMOUS


DDOS ATTACKS IS BECAUSE UDP TRAFFIC DOES NOT REQUIRE A CONNECTION
BETWEEN TWO DEVICES BEFORE SENDING INFORMATION
• SINCE UDP IS CONNECTIONLESS, THE SERVER WILL BLINDLY SEND ITS RESPONSE
TO THE VICTIM’S COMPUTER, EVEN THOUGH THE ORIGINAL REQUEST CAME FROM
THE ATTACKER
• CYBER CRIMINALS HAVE FOUND UDP SERVICES THAT WILL SEND REPLIES THAT ARE
FAR LARGER THAN THE INITIAL REQUEST
• THESE KIND OF ATTACKS WILL MOST LIKELY CONTINUE, SINCE THERE ARE MANY
UDP SERVICES OUT THERE THAT COULD BE MANIPULATED BY ATTACKERS

103
NTP AMPLIFICATION

• NTP AMPLIFICATION IS A TYPE OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK IN WHICH THE
ATTACKER EXPLOITS PUBLICALLY-ACCESSIBLE NETWORK TIME PROTOCOL (NTP) SERVERS TO
OVERWHELM THE TARGETED WITH USER DATAGRAM PROTOCOL (UDP) TRAFFIC
• NETWORK TIME PROTOCOL (NTP) IS ONE OF THE OLDEST NETWORK PROTOCOLS, AND IS USED BY
INTERNET-CONNECTED MACHINES TO SYNCHRONIZE THEIR CLOCKS. IN ADDITION TO CLOCK
SYNCHRONIZATION, OLDER VERSIONS OF NTP SUPPORT A MONITORING SERVICE THAT ENABLES
ADMINISTRATORS TO QUERY A GIVEN NTP SERVER FOR A TRAFFIC COUNT. THIS COMMAND, CALLED
“MONLIST,” SENDS THE REQUESTER A LIST OF THE LAST 600 HOSTS THAT CONNECTED TO THE
QUERIED SERVER
• IN THE MOST BASIC TYPE OF NTP AMPLIFICATION ATTACK, AN ATTACKER REPEATEDLY SENDS THE
“GET MONLIST” REQUEST TO AN NTP SERVER, WHILE SPOOFING THE REQUESTING SERVER’S IP
ADDRESS TO THAT OF THE VICTIM SERVER. THE NTP SERVER RESPONDS BY SENDING THE LIST TO THE
SPOOFED IP ADDRESS.
• THIS RESPONSE IS CONSIDERABLY LARGER THAN THE REQUEST, AMPLIFYING THE AMOUNT OF
TRAFFIC DIRECTED AT THE TARGET SERVER AND ULTIMATELY LEADING TO A DEGRADATION OF
SERVICE FOR LEGITIMATE REQUESTS. 104
AN NTP AMPLIFICATION ATTACK CAN BE
BROKEN DOWN INTO FOUR STEPS:
• THE ATTACKER USES A BOTNET TO SEND UDP PACKETS WITH SPOOFED
IP ADDRESSES TO A NTP SERVER WHICH HAS ITS MONLIST COMMAND
ENABLED. THE SPOOFED IP ADDRESS ON EACH PACKET POINTS TO THE
REAL IP ADDRESS OF THE VICTIM.
• EACH UDP PACKET MAKES A REQUEST TO THE NTP SERVER USING ITS
MONLIST COMMAND, RESULTING IN A LARGE RESPONSE
• THE SERVER THEN RESPONDS TO THE SPOOFED ADDRESS WITH THE
RESULTING DATA.
• THE IP ADDRESS OF THE TARGET RECEIVES THE RESPONSE AND THE
SURROUNDING NETWORK INFRASTRUCTURE BECOMES OVERWHELMED
WITH THE DELUGE OF TRAFFIC, RESULTING IN A DENIAL-OF-SERVICE 105
• AS A RESULT OF THE ATTACK TRAFFIC LOOKING LIKE LEGITIMATE TRAFFIC COMING
FROM VALID SERVERS, MITIGATING THIS SORT OF ATTACK TRAFFIC WITHOUT
BLOCKING REAL NTP SERVERS FROM LEGITIMATE ACTIVITY IS DIFFICULT. BECAUSE UDP
PACKETS DO NOT REQUIRE A HANDSHAKE, THE NTP SERVER WILL SEND LARGE
RESPONSES TO THE TARGETED SERVER WITHOUT VERIFYING THAT THE REQUEST IS
AUTHENTIC. THESE FACTS COUPLED WITH A BUILT-IN COMMAND, WHICH BY DEFAULT
SENDS A LARGE RESPONSE, MAKES NTP SERVERS AN EXCELLENT REFLECTION SOURCE 106
FOR DDOS AMPLIFICATION ATTACKS
METHODS OF MITIGATION

• FOR AN INDIVIDUAL OR COMPANY RUNNING A WEBSITE OR SERVICE, MITIGATION OPTIONS ARE


LIMITED. THIS COMES FROM THE FACT THAT THE INDIVIDUAL’S SERVER, WHILE IT MIGHT BE THE
TARGET, IS NOT WHERE THE MAIN EFFECT OF A VOLUMETRIC ATTACK IS FELT. DUE TO THE HIGH
AMOUNT OF TRAFFIC GENERATED, THE INFRASTRUCTURE SURROUNDING THE SERVER FEELS THE
IMPACT MOREOVER, THE SHEER VOLUME OF DDOS TRAFFIC COULD EASILY OVERWHELM EVEN THE
MOST RESILIENT OF NETWORK INFRASTRUCTURES. AS A RESULT, MITIGATION IS ACHIEVED
THROUGH A COMBINATION OF OVERPROVISIONING AND TRAFFIC FILTERING
• THE INTERNET SERVICE PROVIDER (ISP) OR OTHER UPSTREAM INFRASTRUCTURE PROVIDERS MAY NOT
BE ABLE TO HANDLE THE INCOMING TRAFFIC WITHOUT BECOMING OVERWHELMED
• AS A RESULT, THE ISP MAY BLACKHOLE ALL TRAFFIC TO THE TARGETED VICTIM’S IP ADDRESS,
PROTECTING ITSELF AND TAKING THE TARGET’S SITE OFF-LINE. MITIGATION STRATEGIES, ASIDE
FROM OFFSITE PROTECTIVE SERVICES LIKE CLOUDFLARE DDOS PROTECTION, ARE MOSTLY
PREVENTATIVE INTERNET INFRASTRUCTURE SOLUTIONS

107

• DISABLE MONLIST - REDUCE THE NUMBER OF NTP SERVERS WHICH SUPPORT THE MONLIST
COMMAND
• A SIMPLE SOLUTION TO PATCHING THE MONLIST VULNERABILITY IS TO DISABLE THE COMMAND. ALL
VERSION OF THE NTP SOFTWARE PRIOR TO VERSION 4.2.7 ARE VULNERABLE BY DEFAULT. BY
UPGRADING A NTP SERVER TO 4.2.7 OR ABOVE, THE COMMAND IS DISABLED, PATCHING THE
VULNERABILITY. IF UPGRADING IS NOT POSSIBLE, FOLLOWING THE US-CERT INSTRUCTIONS WILL
ALLOW A SERVER’S ADMIN TO MAKE THE NECESSARY CHANGES
• SOURCE IP VERIFICATION – STOP SPOOFED PACKETS LEAVING THE NETWORK
• BECAUSE THE UDP REQUESTS BEING SENT BY THE ATTACKER’S BOTNET MUST HAVE A SOURCE IP
ADDRESS SPOOFED TO THE VICTIM’S IP ADDRESS, A KEY COMPONENT IN REDUCING THE
EFFECTIVENESS OF UDP-BASED AMPLIFICATION ATTACKS IS FOR INTERNET SERVICE PROVIDERS (ISPS)
TO REJECT ANY INTERNAL TRAFFIC WITH SPOOFED IP ADDRESSES
• IF A PACKET IS BEING SENT FROM INSIDE THE NETWORK WITH A SOURCE ADDRESS THAT MAKES IT
APPEAR LIKE IT ORIGINATED OUTSIDE THE NETWORK, IT’S LIKELY A SPOOFED PACKET AND CAN BE
DROPPED. CLOUDFLARE HIGHLY RECOMMENDS THAT ALL PROVIDERS IMPLEMENT INGRESS 108
FILTERING, AND AT TIMES WILL REACH OUT TO ISPS WHO ARE UNKNOWINGLY TAKING PART IN
DDOS ATTACKS (IN VIOLATION OF BCP38) AND HELP THEM REALIZE THEIR VULNERABILITY
• THE COMBINATION OF DISABLING MONLIST ON NTP SERVERS AND
IMPLEMENTING INGRESS FILTERING ON NETWORKS WHICH
PRESENTLY ALLOW IP SPOOFING IS AN EFFECTIVE WAY TO STOP THIS
TYPE OF ATTACK BEFORE IT REACHES ITS INTENDED NETWORK
• WITH A PROPERLY CONFIGURED FIREWALL AND SUFFICIENT
NETWORK CAPACITY IT'S TRIVIAL TO BLOCK REFLECTION ATTACKS
SUCH AS NTP AMPLIFICATION ATTACKS

109
DNS AMPLIFICATION ATTACK

• THIS DDOS ATTACK IS A REFLECTION-BASED VOLUMETRIC DISTRIBUTED DENIAL-OF-


SERVICE (DDOS) ATTACK IN WHICH AN ATTACKER LEVERAGES THE FUNCTIONALITY OF
OPEN DNS RESOLVERS IN ORDER TO OVERWHELM A TARGET SERVER OR NETWORK
WITH AN AMPLIFIED AMOUNT OF TRAFFIC, RENDERING THE SERVER AND ITS
SURROUNDING INFRASTRUCTURE INACCESSIBLE
• ALL AMPLIFICATION ATTACKS EXPLOIT A DISPARITY IN BANDWIDTH CONSUMPTION
BETWEEN AN ATTACKER AND THE TARGETED WEB RESOURCE. WHEN THE DISPARITY IN
COST IS MAGNIFIED ACROSS MANY REQUESTS, THE RESULTING VOLUME OF TRAFFIC
CAN DISRUPT NETWORK INFRASTRUCTURE. BY SENDING SMALL QUERIES THAT RESULT
IN LARGE RESPONSES, THE MALICIOUS USER IS ABLE TO GET MORE FROM LESS.
• BY MULTIPLYING THIS MAGNIFICATION BY HAVING EACH BOT IN A BOTNET MAKE
SIMILAR REQUESTS, THE ATTACKER IS BOTH OBFUSCATED FROM DETECTION AND
REAPING THE BENEFITS OF GREATLY INCREASED ATTACK TRAFFIC
110
• AS A RESULT OF EACH BOT MAKING REQUESTS TO OPEN DNS RESOLVERS
WITH A SPOOFED IP ADDRESS, WHICH HAS BEEN CHANGED TO THE REAL
SOURCE IP ADDRESS OF THE TARGETED VICTIM, THE TARGET THEN
RECEIVES A RESPONSE FROM THE DNS RESOLVERS
• IN ORDER TO CREATE A LARGE AMOUNT OF TRAFFIC, THE ATTACKER
STRUCTURES THE REQUEST IN A WAY THAT GENERATES AS LARGE A
RESPONSE FROM THE DNS RESOLVERS AS POSSIBLE. AS A RESULT, THE
TARGET RECEIVES AN AMPLIFICATION OF THE ATTACKER’S INITIAL TRAFFIC,
AND THEIR NETWORK BECOMES CLOGGED WITH THE SPURIOUS TRAFFIC,
CAUSING A DENIAL-OF-SERVICE.
111
112
A DNS AMPLIFICATION CAN BE BROKEN
DOWN INTO FOUR STEPS
• THE ATTACKER USES A COMPROMISED ENDPOINT TO SEND UDP PACKETS WITH
SPOOFED IP ADDRESSES TO A DNS RECURSOR. THE SPOOFED ADDRESS ON THE
PACKETS POINTS TO THE REAL IP ADDRESS OF THE VICTIM
• EACH ONE OF THE UDP PACKETS MAKES A REQUEST TO A DNS RESOLVER, OFTEN
PASSING AN ARGUMENT SUCH AS “ANY” IN ORDER TO RECEIVE THE LARGEST
RESPONSE POSSIBLE
• AFTER RECEIVING THE REQUESTS, THE DNS RESOLVER, WHICH IS TRYING TO BE
HELPFUL BY RESPONDING, SENDS A LARGE RESPONSE TO THE SPOOFED IP
ADDRESS
• THE IP ADDRESS OF THE TARGET RECEIVES THE RESPONSE AND THE
SURROUNDING NETWORK INFRASTRUCTURE BECOMES OVERWHELMED WITH THE
DELUGE OF TRAFFIC, RESULTING IN A DENIAL-OF-SERVICE 113
• WHILE A FEW REQUESTS IS NOT ENOUGH TO TAKE DOWN
NETWORK INFRASTRUCTURE, WHEN THIS SEQUENCE IS MULTIPLIED
ACROSS MULTIPLE REQUESTS AND DNS RESOLVERS, THE
AMPLIFICATION OF DATA THE TARGET RECEIVES CAN BE SUBSTANTIAL.
EXPLORE MORE TECHNICAL DETAILS ON REFLECTION ATTACKS

114
MITIGATE DNS AMPLIFICATION ATTACK

• REDUCE THE TOTAL NUMBER OF OPEN DNS RESOLVERS


• AN ESSENTIAL COMPONENT OF DNS AMPLIFICATION ATTACKS IS ACCESS TO
OPEN DNS RESOLVERS. BY HAVING POORLY CONFIGURED DNS RESOLVERS
EXPOSED TO THE INTERNET, ALL AN ATTACKER NEEDS TO DO TO UTILIZE A
DNS RESOLVER IS TO DISCOVER IT. IDEALLY, DNS RESOLVERS SHOULD ONLY
PROVIDE THEIR SERVICES TO DEVICES THAT ORIGINATE WITHIN A TRUSTED
DOMAIN. IN THE CASE OF REFLECTION BASED ATTACKS, THE OPEN DNS
RESOLVERS WILL RESPOND TO QUERIES FROM ANYWHERE ON THE INTERNET,
ALLOWING THE POTENTIAL FOR EXPLOITATION. RESTRICTING A DNS
RESOLVER SO THAT IT WILL ONLY RESPOND TO QUERIES FROM TRUSTED
SOURCES MAKES THE SERVER A POOR VEHICLE FOR ANY TYPE OF
AMPLIFICATION ATTACK.

115
• SOURCE IP VERIFICATION – STOP SPOOFED PACKETS LEAVING NETWORK
• BECAUSE THE UDP REQUESTS BEING SENT BY THE ATTACKER’S BOTNET MUST HAVE A
SOURCE IP ADDRESS SPOOFED TO THE VICTIM’S IP ADDRESS, A KEY COMPONENT IN
REDUCING THE EFFECTIVENESS OF UDP-BASED AMPLIFICATION ATTACKS IS FOR
INTERNET SERVICE PROVIDERS (ISPS) TO REJECT ANY INTERNAL TRAFFIC WITH SPOOFED
IP ADDRESSES.IF A PACKET IS BEING SENT FROM INSIDE THE NETWORK WITH A SOURCE
ADDRESS THAT MAKES IT APPEAR LIKE IT ORIGINATED OUTSIDE THE NETWORK, IT’S
LIKELY A SPOOFED PACKET AND CAN BE DROPPED. CLOUDFLARE HIGHLY RECOMMENDS
THAT ALL PROVIDERS IMPLEMENT INGRESS FILTERING, AND AT TIMES WILL REACH OUT
TO ISPS WHO ARE UNKNOWINGLY TAKING PART IN DDOS ATTACKS AND HELP THEM
REALIZE THEIR VULNERABILITY.

116
• WITH A PROPERLY CONFIGURED FIREWALL AND SUFFICIENT
NETWORK CAPACITY, IT'S TRIVIAL TO BLOCK REFLECTION ATTACKS
SUCH AS DNS AMPLIFICATION ATTACKS

117
LOW AND SLOW ATTACK

• A LOW AND SLOW ATTACK IS A TYPE OF DOS OR DDOS ATTACK THAT RELIES ON
A SMALL STREAM OF VERY SLOW TRAFFIC WHICH CAN TARGET APPLICATION OR
SERVER RESOURCES
• UNLIKE MORE TRADITIONAL BRUTE-FORCE ATTACKS, LOW AND SLOW ATTACKS
REQUIRE VERY LITTLE BANDWIDTH AND CAN BE HARD TO MITIGATE, AS THEY
GENERATE TRAFFIC THAT IS VERY DIFFICULT TO DISTINGUISH FROM NORMAL
TRAFFIC
• BECAUSE THEY DON’T REQUIRE A LOT OF RESOURCES TO PULL OFF, LOW AND
SLOW ATTACKS CAN BE SUCCESSFULLY LAUNCHED USING A SINGLE COMPUTER;
TWO OF THE MOST POPULAR TOOLS FOR LAUNCHING A LOW AND SLOW
ATTACK ARE CALLED SLOWLORIS AND R.U.D.Y

118
HOW DOES A LOW AND SLOW
ATTACK WORK?
• LOW AND SLOW ATTACKS TARGET THREAD-BASED WEB SERVERS
WITH THE AIM OF TYING UP EVERY THREAD WITH SLOW REQUESTS,
THEREBY PREVENTING GENUINE USERS FROM ACCESSING THE
SERVICE. THIS IS ACCOMPLISHED BY TRANSMITTING DATA VERY
SLOWLY, BUT JUST FAST ENOUGH TO PREVENT THE SERVER FROM
TIMING OUT

119
SIMILARITY

• THINK OF A 4-LANE BRIDGE WITH A TOLLBOOTH FOR EACH LANE.


DRIVERS PULL UP TO THE TOLLBOOTH, HAND OVER A BILL OR A HANDFUL
OF COINS, AND THEN DRIVE ACROSS THE BRIDGE, OPENING UP THE LANE
TO THE NEXT DRIVER. NOW IMAGINE FOUR DRIVERS SHOWING UP AT
ONCE AND OCCUPYING EVERY OPEN LANE WHILE THEY EACH SLOWLY
HAND PENNIES OVER TO THE TOLLBOOTH OPERATOR, ONE COIN AT A
TIME, CLOGGING UP ALL AVAILABLE LANES FOR HOURS AND
PREVENTING OTHER DRIVERS FROM GETTING THROUGH. THIS INCREDIBLY
FRUSTRATING SCENARIO IS VERY SIMILAR TO HOW A LOW AND SLOW
ATTACK WORKS.

120
….

• ATTACKERS CAN USE HTTP HEADERS, HTTP POST REQUESTS, OR TCP TRAFFIC TO
CARRY OUT LOW AND SLOW ATTACKS. HERE ARE 3 COMMON ATTACK EXAMPLES:
• THE SLOWLORIS TOOL CONNECTS TO A SERVER AND THEN SLOWLY SENDS PARTIAL
HTTP HEADERS. THIS CAUSES THE SERVER TO KEEP THE CONNECTION OPEN SO THAT IT
CAN RECEIVE THE REST OF THE HEADERS, TYING UP THE THREAD.
• ANOTHER TOOL CALLED R.U.D.Y. (R-U-DEAD-YET?) GENERATES HTTP POST REQUESTS TO
FILL OUT FORM FIELDS. IT TELLS THE SERVERS HOW MUCH DATA TO EXPECT, BUT THEN
SENDS THAT DATA IN VERY SLOWLY. THE SERVER KEEPS THE CONNECTION OPEN
BECAUSE IT IS ANTICIPATING MORE DATA
• YET ANOTHER TYPE OF LOW AND SLOW ATTACK IS THE SOCKSTRESS ATTACK, WHICH
EXPLOITS A VULNERABILITY IN THE TCP/IP 3-WAY HANDSHAKE, CREATING AN
INDEFINITE CONNECTION.

121
HOW TO STOP A LOW AND SLOW
ATTACK
• THE RATE DETECTION TECHNIQUES USED TO STOP TRADITIONAL DDOS ATTACKS
WON’T PICK UP ON A LOW AND SLOW ATTACK
• ONE WAY TO MITIGATE A LOW AND SLOW ATTACK IS TO UPGRADE YOUR
SERVER AVAILABILITY; THE MORE CONNECTIONS YOUR SERVER CAN
SIMULTANEOUSLY MAINTAIN, THE MORE DIFFICULT IT WILL BE FOR AN ATTACK TO
CLOG YOUR SERVER. THE PROBLEM WITH THIS APPROACH IS THAT AN ATTACKER
CAN ATTEMPT TO SCALE THEIR ATTACK TO MEET YOUR SERVER’S AVAILABILITY
• ANOTHER SOLUTION IS REVERSE-PROXY BASED PROTECTION, WHICH WILL
MITIGATE LOW AND SLOW ATTACKS BEFORE THEY EVER REACH YOUR ORIGIN
SERVER.

122
APPLICATION LAYER DDOS ATTACK

• APPLICATION LAYER ATTACKS OR LAYER 7 (L7) DDOS ATTACKS REFER


TO A TYPE OF MALICIOUS BEHAVIOR DESIGNED TO TARGET THE
“TOP” LAYER IN THE OSI MODEL WHERE COMMON INTERNET
REQUESTS SUCH AS HTTP GET AND HTTP POST OCCUR
• THESE LAYER 7 ATTACKS, IN CONTRAST TO NETWORK LAYER ATTACKS
SUCH AS DNS AMPLIFICATION, ARE PARTICULARLY EFFECTIVE DUE TO
THEIR CONSUMPTION OF SERVER RESOURCES IN ADDITION TO
NETWORK RESOURCES.

123
HOW DO APPLICATION LAYER ATTACKS
WORK?
• THE UNDERLYING EFFECTIVENESS OF MOST DDOS ATTACKS COMES
FROM THE DISPARITY BETWEEN THE AMOUNT OF RESOURCES IT TAKES
TO LAUNCH AN ATTACK RELATIVE TO THE AMOUNT OF RESOURCES IT
TAKES TO ABSORB OR MITIGATE ONE
• WHILE THIS IS STILL THE CASE WITH L7 ATTACKS, THE EFFICIENCY OF
AFFECTING BOTH THE TARGETED SERVER AND THE NETWORK
REQUIRES LESS TOTAL BANDWIDTH TO ACHIEVE THE SAME DISRUPTIVE
EFFECT; AN APPLICATION LAYER ATTACK CREATES MORE DAMAGE
WITH LESS TOTAL BANDWIDTH

124
• TO EXPLORE WHY THIS IS THE CASE, LET'S TAKE A LOOK AT THE DIFFERENCE IN RELATIVE RESOURCE
CONSUMPTION BETWEEN A CLIENT MAKING A REQUEST AND A SERVER RESPONDING TO THE
REQUEST. WHEN A USER SENDS A REQUEST LOGGING INTO AN ONLINE ACCOUNT SUCH AS A
GMAIL ACCOUNT, THE AMOUNT OF DATA AND RESOURCES THE USER’S COMPUTER MUST UTILIZE
ARE MINIMAL AND DISPROPORTIONATE TO THE AMOUNT OF RESOURCES CONSUMED IN THE
PROCESS OF CHECKING LOGIN CREDENTIALS, LOADING THE RELEVANT USER DATA FROM A
DATABASE, AND THEN SENDING BACK A RESPONSE CONTAINING THE REQUESTED WEBPAGE
• EVEN IN THE ABSENCE OF A LOGIN, MANY TIMES A SERVER RECEIVING A REQUEST FROM A CLIENT
MUST MAKE DATABASE QUERIES OR OTHER API CALLS IN ORDER TO PRODUCE A WEBPAGE. WHEN
THIS DISPARITY IS MAGNIFIED AS A RESULT OF MANY DEVICES TARGETING A SINGLE WEB
PROPERTY LIKE DURING A BOTNET ATTACK, THE EFFECT CAN OVERWHELM THE TARGETED SERVER,
RESULTING IN DENIAL-OF-SERVICE TO LEGITIMATE TRAFFIC. IN MANY CASES SIMPLY TARGETING AN
API WITH A L7 ATTACK IS ENOUGH TO TAKE THE SERVICE OFFLINE

125
WHY IS IT DIFFICULT TO STOP
APPLICATION LAYER DDOS ATTACKS?
• DISTINGUISHING BETWEEN ATTACK TRAFFIC AND NORMAL TRAFFIC IS DIFFICULT,
ESPECIALLY IN THE CASE OF A APPLICATION LAYER ATTACK SUCH AS A BOTNET
PERFORMING A HTTP FLOOD ATTACK AGAINST A VICTIM’S SERVER. BECAUSE EACH
BOT IN A BOTNET MAKES SEEMINGLY LEGITIMATE NETWORK REQUESTS THE
TRAFFIC IS NOT SPOOFED AND MAY APPEAR “NORMAL” IN ORIGIN
• APPLICATION LAYER ATTACKS REQUIRE AN ADAPTIVE STRATEGY INCLUDING THE
ABILITY TO LIMIT TRAFFIC BASED ON PARTICULAR SETS OF RULES, WHICH MAY
FLUCTUATE REGULARLY. TOOLS SUCH AS A PROPERLY CONFIGURED WAF CAN
MITIGATE THE AMOUNT OF BOGUS TRAFFIC THAT IS PASSED ON TO AN ORIGIN
SERVER, GREATLY DIMINISHING THE IMPACT OF THE DDOS ATTEMPT.

126
MITIGATE APPLICATION LAYER ATTACKS

• ONE METHOD IS TO IMPLEMENT A CHALLENGE TO THE DEVICE MAKING


THE NETWORK REQUEST IN ORDER TO TEST WHETHER OR NOT IT IS A
BOT. THIS IS DONE THROUGH A TEST MUCH LIKE THE CAPTCHA TEST
COMMONLY FOUND WHEN CREATING AN ACCOUNT ONLINE. BY
GIVING A REQUIREMENT SUCH AS A JAVASCRIPT COMPUTATIONAL
CHALLENGE, MANY ATTACKS CAN BE MITIGATED
• OTHER AVENUES FOR STOPPING HTTP FLOODS INCLUDE THE USE OF A
WEB APPLICATION FIREWALL, MANAGING AND FILTERING TRAFFIC
THROUGH AN IP REPUTATION DATABASE, AND THROUGH ON-THE-FLY
NETWORK ANALYSIS BY ENGINEERS
127
HTTP FLOOD

• HTTP FLOOD IS A TYPE OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK IN WHICH THE
ATTACKER EXPLOITS SEEMINGLY-LEGITIMATE HTTP GET OR POST REQUESTS TO ATTACK A WEB
SERVER OR APPLICATION
• HTTP FLOOD ATTACKS ARE VOLUMETRIC ATTACKS, OFTEN USING A BOTNET “ZOMBIE ARMY”—A
GROUP OF INTERNET-CONNECTED COMPUTERS, EACH OF WHICH HAS BEEN MALICIOUSLY TAKEN
OVER, USUALLY WITH THE ASSISTANCE OF MALWARE LIKE TROJAN HORSES
• A SOPHISTICATED LAYER 7 ATTACK, HTTP FLOODS DO NOT USE MALFORMED PACKETS, SPOOFING
OR REFLECTION TECHNIQUES, AND REQUIRE LESS BANDWIDTH THAN OTHER ATTACKS TO BRING
DOWN THE TARGETED SITE OR SERVER
• AS SUCH, THEY DEMAND MORE IN-DEPTH UNDERSTANDING ABOUT THE TARGETED SITE OR
APPLICATION, AND EACH ATTACK MUST BE SPECIALLY-CRAFTED TO BE EFFECTIVE. THIS MAKES HTTP
FLOOD ATTACKS SIGNIFICANTLY HARDER TO DETECT AND BLOCK

128
129
ATTACK DESCRIPTION

• WHEN AN HTTP CLIENT LIKE A WEB BROWSER “TALKS” TO AN APPLICATION OR SERVER, IT SENDS
AN HTTP REQUEST – GENERALLY ONE OF TWO TYPES OF REQUESTS: GET OR POST. A GET REQUEST
IS USED TO RETRIEVE STANDARD, STATIC CONTENT LIKE IMAGES WHILE POST REQUESTS ARE USED
TO ACCESS DYNAMICALLY GENERATED RESOURCES
• THE ATTACK IS MOST EFFECTIVE WHEN IT FORCES THE SERVER OR APPLICATION TO ALLOCATE THE
MAXIMUM RESOURCES POSSIBLE IN RESPONSE TO EACH SINGLE REQUEST. THUS, THE PERPETRATOR
WILL GENERALLY AIM TO INUNDATE THE SERVER OR APPLICATION WITH MULTIPLE REQUESTS THAT
ARE EACH AS PROCESSING-INTENSIVE AS POSSIBLE
• FOR THIS REASON HTTP FLOOD ATTACKS USING POST REQUESTS TEND TO BE THE MOST
RESOURCE-EFFECTIVE FROM THE ATTACKER’S PERSPECTIVE; AS POST REQUESTS MAY INCLUDE
PARAMETERS THAT TRIGGER COMPLEX SERVER-SIDE PROCESSING. ON THE OTHER HAND, HTTP GET-
BASED ATTACKS ARE SIMPLER TO CREATE, AND CAN MORE EFFECTIVELY SCALE IN
A BOTNET SCENARIO

130
THERE ARE TWO VARIETIES OF HTTP
FLOOD ATTACKS:
• HTTP GET ATTACK - IN THIS FORM OF ATTACK, MULTIPLE COMPUTERS OR OTHER
DEVICES ARE COORDINATED TO SEND MULTIPLE REQUESTS FOR IMAGES, FILES, OR
SOME OTHER ASSET FROM A TARGETED SERVER. WHEN THE TARGET IS INUNDATED
WITH INCOMING REQUESTS AND RESPONSES, DENIAL-OF-SERVICE WILL OCCUR TO
ADDITIONAL REQUESTS FROM LEGITIMATE TRAFFIC SOURCES.
• HTTP POST ATTACK - TYPICALLY WHEN A FORM IS SUBMITTED ON A WEBSITE, THE
SERVER MUST HANDLE THE INCOMING REQUEST AND PUSH THE DATA INTO A
PERSISTENCE LAYER, MOST OFTEN A DATABASE. THE PROCESS OF HANDLING THE FORM
DATA AND RUNNING THE NECESSARY DATABASE COMMANDS IS RELATIVELY INTENSIVE
COMPARED TO THE AMOUNT OF PROCESSING POWER AND BANDWIDTH REQUIRED TO
SEND THE POST REQUEST. THIS ATTACK UTILIZES THE DISPARITY IN RELATIVE RESOURCE
CONSUMPTION, BY SENDING MANY POST REQUESTS DIRECTLY TO A TARGETED SERVER
UNTIL IT'S CAPACITY IS SATURATED AND DENIAL-OF-SERVICE OCCURS

131
METHODS OF MITIGATION

• HTTP FLOOD ATTACKS ARE VERY DIFFICULT TO DIFFERENTIATE FROM VALID TRAFFIC BECAUSE THEY USE STANDARD URL
REQUESTS. THIS MAKES THEM ONE OF THE MOST ADVANCED NON-VULNERABILITY SECURITY CHALLENGES FACING SERVERS
AND APPLICATIONS TODAY

• TRADITIONAL RATE-BASED DETECTION IS INEFFECTIVE IN DETECTING HTTP FLOOD ATTACKS, SINCE TRAFFIC VOLUME IN HTTP
FLOODS IS OFTEN UNDER DETECTION THRESHOLDS

• THE MOST HIGHLY-EFFECTIVE MITIGATION MECHANISM RELY ON A COMBINATION OF TRAFFIC PROFILING METHODS,
INCLUDING IDENTIFYING IP REPUTATION, KEEPING TRACK ABNORMAL ACTIVITY AND EMPLOYING PROGRESSIVE SECURITY
CHALLENGES (E.G., ASKING TO PARSE JAVASCRIPT). ONE METHOD IS TO IMPLEMENT A CHALLENGE TO THE REQUESTING
MACHINE IN ORDER TO TEST WHETHER OR NOT IT IS A BOT, MUCH LIKE A CAPTCHA TEST COMMONLY FOUND WHEN
CREATING AN ACCOUNT ONLINE. BY GIVING A REQUIREMENT SUCH AS A JAVASCRIPT COMPUTATIONAL CHALLENGE, MANY
ATTACKS CAN BE MITIGATED

• ANOTHER SOLUTION RELIES ON A UNIQUE CLIENT CLASSIFICATION ENGINE THAT ANALYZES AND CLASSIFIES ALL INCOMING
SITE TRAFFIC. THIS ANTI-DDOS SOLUTION IS SPECIFICALLY DESIGNED TO TRANSPARENTLY IDENTIFY MALICIOUS BOT TRAFFIC—
STOPPING ALL HTTP FLOODS AND OTHER APPLICATION LAYER (OSI LAYER 7) DDOS ATTACKS

• OTHER AVENUES FOR STOPPING HTTP FLOODS INCLUDE THE USE OF A WEB APPLICATION FIREWALL (WAF), MANAGING AN IP
REPUTATION DATABASE IN ORDER TO TRACK AND SELECTIVELY BLOCK MALICIOUS TRAFFIC, AND ON-THE-FLY ANALYSIS BY
ENGINEERS

132
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

133
DISTRIBUTED DENIAL-OF-SERVICE

• ATTACKER USES MULTIPLE COMPROMISED USER WORK STATIONS/PCS


FOR DOS BY:
• UTILISING VULNERABILITIES TO GAIN ACCESS TO THESE SYSTEMS
• INSTALLING MALICIOUS BACKDOOR PROGRAMS , THEREBY MAKING ZOMBIES
• CREATING BOTNETS: LARGE COLLECTION OF ZOMBIES UNDER THE CONTROL OF
ATTACKER
• GENERALLY, A CONTROL HIERARCHY IS USED TO CREATE BOTNETS
• HANDLERS: THE INITIAL LAYER OF ZOMBIES THAT ARE DIRECTLY CONTROLLED BY
THE ATTACKER
• AGENT SYSTEMS: SUBORDINATE ZOMBIES THAT ARE CONTROLLED BY HANDLERS
• ATTACKER SENDS A SINGLE COMMAND TO HANDLER, WHICH THEN
AUTOMATICALLY FORWARDS IT TO ALL AGENTS UNDER ITS CONTROL
• EXAMPLE: TRIBE FLOOD NETWORK (TFN), TFN2K

134
DDOS CONTROL HIERARCHY

• EXAMPLE: TRIBE FLOOD NETWORK (TFN)


Command-line
• RELIED ON LARGE NUMBER OF COMPROMISED SYSTEMS AND
program
LAYERED COMMAND STRUCTURE

Trojan Program
135
CONTENTS

• INTRODUCTION
• CLASSICAL DOS ATTACKS
• FLOODING ATTACKS
• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)
• HOW DDOS ATTACKS ARE WAGED?
• REFLECTOR AND AMPLIFIER ATTACKS
• OTHER DOS ATTACKS
• (D)DOS ATTACK TRENDS
• DETECTING DOS ATTACKS
• APPROACHES TO DEFENSE AGAINST DOS
• RESPONDING TO A DOS ATTACK
• CONCLUSION

136
HOW DDOS ATTACKS ARE WAGED ?

• RECRUITMENT OF THE AGENT NETWORK


• CONTROLLING THE DDOS AGENT NETWORK
• USE OF APPROPRIATE TOOLKITS
• USE OF IP SPOOFING

137
Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
RECRUITMENT OF THE AGENT
NETWORK
• SCANNING
• BREAKING INTO VULNERABLE MACHINES
• MALWARE PROPAGATION

138

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING

• FIND SUFFICIENTLY LARGE NUMBER OF VULNERABLE MACHINES


• MANUAL OR SEMI-AUTOMATIC OR COMPLETELY AUTOMATIC PROCESS
• TRINOO: DISCOVERY AND COMPROMISE IS MANUAL BUT ONLY INSTALLATION IS
AUTOMATED
• HTTP://STAFF.WASHINGTON.EDU/DITTRICH/MISC/TRINOO.ANALYSIS.TXT
• SLAMMER-,MYDOOM- : AUTOMATED PROCESS

• RECRUIT MACHINES THAT HAVE SUFFICIENTLY GOOD CONNECTIVITY


• NETBLOCK SCANS ARE INITIATED SOMETIMES
• BASED ON RANDOM OR EXPLICIT RATIONALE

• EXAMPLES OF SCANNING TOOLS : IRC BOT , WORMS

139

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING USING IRC BOT

140

Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)


SCANNING USING WORMS

• POPULAR METHOD OF RECRUITING DDOS AGENTS


• SCAN/INFECT CYCLE REPEATS ON BOTH THE INFECTED AND INFECTING MACHINES
• WORMS SPREAD EXTREMELY FAST BECAUSE OF THEIR PARALLEL PROPAGATION PATTERN
• WORMS CHOICE OF ADDRESS FOR SCANNING
• RANDOM
• RANDOM WITHIN A SPECIFIC RANGE OF ADDRESSES
• USING HITLIST
• USING INFORMATION FOUND ON INFECTED MACHINES

• WORMS ARE OFTEN NOT COMPLETELY CLEANED UP


• SOME INFECTED MACHINES MIGHT CONTINUE SERVING AS DDOS AGENTS INDEFINITELY!
• CODE RED – INFECTED HOSTS STILL EXIST IN THE INTERNET

141

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
SCANNING USING WORMS CONT’D ….

142
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
BREAKING INTO VULNERABLE
MACHINES

• MOST VULNERABILITIES PROVIDE


AN ATTACKER WITH
ADMINISTRATIVE ACCESS TO
SYSTEM
• ATTACKER UPDATES HIS DDOS
TOOLKIT WITH NEW EXPLOITS
• PROPAGATION VECTORS

143

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
MALWARE PROPAGATION

• PROPAGATION WITH CENTRAL REPOSITORY OR CACHE APPROACH


• ADVANTAGE FOR DEFENDER: CENTRAL REPOSITORIES CAN BE EASILY
IDENTIFIED AND REMOVED
• EX: TRINOO , SHAFT ETC

144

Source: www.cert.org/archive/pdf/DoS_trends.pdf
MALWARE PROPAGATION METHODS
CONT’D….

TFTP
• BACK CHAINING/PULL APPROACH

• AUTONOMOUS/PUSH APPROACH

145

Source: www.cert.org/archive/pdf/DoS_trends.pdf
CONTROLLING DDOS AGENT
NETWORK
• ATTACKER COMMUNICATES WITH AGENTS USING “MANY-TO-MANY”
COMMUNICATION TOOLS
• TWOFOLD-PURPOSE FOR ATTACKER
• TO COMMAND THE BEGINNING/ENDING AND SPECIFICS OF ATTACK
• TO GATHER STATISTICS ON AGENT BEHAVIOUR

• STRATEGIES FOR ESTABLISHING CONTROL


• DIRECT COMMAND CONTROL
• INDIRECT COMMAND CONTROL

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DIRECT COMMANDS CONTROL

147
Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DRAWBACKS OF DIRECT
COMMAND CONTROL
• IF ONE MACHINE IS CAPTURED, THE WHOLE DDOS NETWORK COULD
BE IDENTIFIED
• ANY ANOMALOUS EVENT ON NETWORK MONITOR COULD BE EASILY
SPOTTED
• BOTH HANDLERS AND AGENTS NEED TO BE READY ALWAYS TO
RECEIVE MESSAGES
• OPENING PORTS AND LISTENING TO THEM
• EASILY CAUGHT

148

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
INDIRECT COMMAND CONTROL

Where is the handler ?

149

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
ADVANTAGES OF IRC TO ATTACKER

• SERVER IS MAINTAINED BY OTHERS


• THE CHANNEL(HANDLER) NOT EASILY RECOGNISABLE AMIDST
THOUSANDS OF OTHER CHANNNELS
• EVEN THOUGH CHANNEL IS DISCOVERED, IT CAN BE REMOVED ONLY
THROUGH COOPERATION OF THE SERVER’S ADMINISTRATORS
• BY TURNING COMPROMISED HOSTS TO ROGUE IRC SERVERS,
ATTACKERS ARE A STEP AHEAD IN CONCEALING THEIR IDENTITY

150

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DDOS ATTACK TOOLKITS

• SOME POPULAR DDOS PROGRAMS


• TRINOO,TFN,STACHELDRAHT,SHAFT,TFN2K,MSTREAM,TRINITY,PHATBOT

• BLENDED THREAT TOOLKITS: INCLUDE SOME (ALL) OF THE FOLLOWING COMPONENTS


• WINDOWS NETWORK SERVICE PROGRAM
• SCANNERS
• SINGLE-THREADED DOS PROGRAMS
• AN FTP SERVER
• AN IRC FILE SERVICE
• AN IRC DDOS BOT
• LOCAL EXPLOIT PROGRAMS
• REMOTE EXPLOIT PROGRAMS
• SYSTEM LOG CLEANERS

151

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
DDOS ATTACK TOOLKITS CONT’D ….

• TROJAN HORSE OPERATING SYSTEMS PROGRAM REPLACEMENTS


• SNIFFERS

• PHATBOT IMPLEMENTS A LARGE PERCENTAGE OF THESE FUNCTIONS


IN A SINGLE PROGRAM

152

Source: Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005)
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

153
REFLECTOR AND AMPLIFIER ATTACKS

• UNLIKE DDOS ATTACKS, THE INTERMEDIARIES ARE NOT COMPROMISED


• R & A ATTACKS USE NETWORK SYSTEMS FUNCTIONING NORMALLY
• GENERIC PROCESS:
• A NETWORK PACKET WITH A SPOOFED SOURCE ADDRESS IS SENT TO A SERVICE RUNNING
ON SOME NETWORK SERVER
• A RESPONSE TO THIS PACKET IS SENT TO THE SPOOFED ADDRESS(VICTIM) BY SERVER
• A NUMBER OF SUCH REQUESTS SPOOFED WITH SAME ADDRESS ARE SENT TO VARIOUS
SERVERS
• A LARGE FLOOD OF RESPONSES OVERWHELM THE TARGET’S NETWORK LINK

• SPOOFING UTILISED FOR REFLECTING TRAFFIC


• THESE ATTACKS ARE EASIER TO DEPLOY AND HARDER TO TRACE BACK

154
REFLECTION ATTACKS

• DIRECT IMPLEMENTATION OF THE GENERIC PROCESS EXPLAINED BEFORE


• REFLECTOR : INTERMEDIARY WHERE THE ATTACK IS REFLECTED
• MAKE SURE THE PACKET FLOW IS SIMILAR TO LEGITIMATE FLOW

• ATTACKER’S PREFERENCE: RESPONSE PACKET SIZE > ORIGINAL REQUEST SIZE


• VARIOUS PROTOCOLS SATISFYING THIS CONDITION ARE PREFERRED
• UDP, CHARGEN, DNS, ETC

• INTERMEDIARY SYSTEMS ARE OFTEN HIGH-CAPACITY NETWORK SERVERS/ROUTERS


• LACK OF BACKSCATTER TRAFFIC
• NO VISIBLE SIDE-EFFECT
• HARD TO QUANTIFY

155
REFLECTION ATTACK USING TCP/SYN

• EXPLOITS THREE-WAY HANDSHAKE USED TO ESTABLISH TCP


CONNECTION
• A NUMBER OF SYN PACKETS SPOOFED WITH TARGET’S ADDRESS ARE SENT
TO THE INTERMEDIARY

• FLOODING ATTACK BUT DIFFERENT FROM SYN SPOOFING ATTACK


• CONTINUED CORRECT FUNCTIONING IS ESSENTIAL
• MANY POSSIBLE INTERMEDIARIES CAN BE USED
• EVEN IF SOME INTERMEDIARIES SENSE AND BLOCK THE ATTACK, MANY
OTHER WON’T

156
FURTHER VARIATION

• ESTABLISH SELF-CONTAINED LOOP(S) BETWEEN THE INTERMEDIARY


AND THE TARGET SYSTEM USING DIAGNOSTIC NETWORK SERVICES
(ECHO,CHARGEN )
Large UDP
• FAIRLY EASY TO FILTER AND BLOCK
Packet+
spoofed
source

157
AMPLIFICATION ATTACKS

• DIFFER IN INTERMEDIARIES GENERATE MULTIPLE RESPONSE PACKETS


FOR EACH ORIGINAL PACKET SENT

158
AMPLIFICATION ATTACKS POSSIBILITIES

• UTILIZE SERVICE HANDLED BY LARGE NUMBER OF HOSTS ON


INTERMEDIATE NETWORK
• A PING FLOOD USING ICMP ECHO REQUEST PACKETS
• EX: SMURF DOS PROGRAM

• USING SUITABLE UDP SERVICE


• EX: FRAGGLE PROGRAM

• TCP SERVICE CANNOT BE USED

159
DEFENSE FROM AMPLIFICATION ATTACK

• NOT TO ALLOW DIRECTED BROADCASTS TO BE ROUTED INTO A


NETWORK FROM OUTSIDE
SMURF DOS PROGRAM

• TWO MAIN COMPONENTS


• SEND SOURCE-FORGED ICMP ECHO PACKET REQUESTS FROM REMOTE LOCATIONS
• PACKETS DIRECTED TO IP BROADCAST ADDRESSES

• IF THE INTERMEDIARY DOES NOT FILTER THIS BROADCAST TRAFFIC, MANY OF THE MACHINES ON
THE NETWORK WOULD RECEIVE AND RESPOND TO THESE SPOOFED PACKETS
• WHEN ENTIRE NETWORK RESPONDS, SUCCESSFUL SMURF DOS HAS BEEN PERFORMED ON THE
TARGET NETWORK

• BESIDES VICTIM NETWORK, INTERMEDIARY NETWORK MIGHT ALSO SUFFER


• SMURF DOS ATTACK WITH SINGLE/MULTIPLE INTERMEDIARY(S)
• ANALYZE NETWORK ROUTERS THAT DO NOT FILTER BROADCAST TRAFFIC
• LOOK FOR NETWORKS WHERE MULTIPLE HOSTS RESPOND

161

Source: http://www.cert.org/advisories/CA-1998-01.html
DNS AMPLIFICATION ATTACKS

• DNS SERVERS IS THE INTERMEDIARY SYSTEM


• EXPLOIT DNS BEHAVIOR TO CONVERT A SMALL REQUEST TO A MUCH LARGER
RESPONSE
• 60 BYTE REQUEST TO 512 – 4000 BYTE RESPONSE

• SENDING DNS REQUESTS WITH SPOOFED SOURCE ADDRESS BEING THE TARGET
TO THE CHOSEN SERVERS
• ATTACKER SENDS REQUESTS TO MULTIPLE WELL CONNECTED SERVERS, WHICH
FLOOD TARGET
• MODERATE FLOW OF PACKETS FROM ATTACKER IS SUFFICIENT
• TARGET OVERWHELMED WITH AMPLIFIED RESPONSES FROM SERVER

162
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

163
TEARDROP

• THIS DOS ATTACK AFFECTS WINDOWS 3.1, 95 AND NT MACHINES AND LINUX VERSIONS PREVIOUS
TO 2.0.32 AND 2.1.63
• TEARDROP IS A PROGRAM THAT SENDS IP FRAGMENTS TO A MACHINE CONNECTED TO THE
INTERNET OR A NETWORK
• TEARDROP EXPLOITS AN OVERLAPPING IP FRAGMENT BUG
• THE BUG CAUSES THE TCP/IP FRAGMENTATION RE-ASSEMBLY CODE TO IMPROPERLY HANDLE
OVERLAPPING IP FRAGMENTS
• A 4000 BYTES OF DATA IS SENT AS
• LEGITIMATELY (BYTES 1-1500) (BYTES 1501 – 3000) (BYTES 3001-4500)
• OVERLAPPING (BYTES 1-1500) (BYTES 1501 – 3000) (BYTES 1001-3600)

• THIS ATTACK HAS NOT BEEN SHOWN TO CAUSE ANY SIGNIFICANT DAMAGE TO SYSTEMS
• THE PRIMARY PROBLEM WITH THIS IS LOSS OF DATA

164
Source: Fadia (2007)
CYBERSLAM

• DDOS ATTACK IN A DIFFERENT STYLE


• ZOMBIES DO NOT LAUNCH A SYN FLOOD OR ISSUE DUMMY PACKETS
THAT WILL CONGEST THE WEB SERVER’S ACCESS LINK
• ZOMBIES FETCH FILES OR QUERY SEARCH ENGINE DATABASES AT THE
WEB SERVER
• FROM THE WEB SERVER’S PERSPECTIVE, THESE ZOMBIE REQUESTS LOOK
EXACTLY LIKE LEGITIMATE REQUESTS
• SO THE SERVER ENDS UP SPENDING LOT OF ITS TIME SERVING
ZOMBIES,CAUSING DOS TO LEGITIMATE USERS

165
Source: Kandula (2005)
TECHNIQUES TO COUNTER CYBERSLAM

• PASSWORD AUTHENTICATION
• CUMBERSOME TO MANAGE FOR A SITE LIKE GOOGLE
• ATTACKER MIGHT SIMPLY DDOS THE PASSWORD CHECKING MECHANISM

• COMPUTATIONAL PUZZLES
• COMPUTATION BURDEN QUITE HEAVY COMPARED TO SERVICE PROVIDED

• GRAPHICAL PUZZLES
• KILL-BOTS SUGGESTED IN [KANDULA 2005]

166
Source: Kandula (2005)
ATTACK TREE: DOS AGAINST DNS

Source: Cheung (2006)

167
HOW TO PROTECT DNS FROM (D)DOS ?

• MULTIPLE SCATTERED NAME SERVERS


• ANYCAST ROUTING
• MULITPLE NAME SERVERS SHARING COMMON IP ADDRESS

• OVER-PROVISIONING OF HOST RESOURCES AND NETWORK CAPACITY


• DIVERSITY
• DNS SOFTWARE IMPLEMENTATION, OS, HARDWARE PLATFORMS

• TSIG : THE TRANSACTION SIGNATURE


• USE OF DEDICATED MACHINES

168
Source: Cheung (2006)
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

169
DOS DETECTION TECHNIQUES

• DETECTOR’S GOAL: TO DETECT AND DISTINGUISH MALICIOUS PACKET TRAFFIC FROM


LEGITIMATE PACKET TRAFFIC
• FLASH CROWDS: HIGH TRAFFIC VOLUMES MAY ALSO BE ACCIDENTAL AND LEGITIMATE
• HIGHLY PUBLICISED WEBSITES: (UNPREDICTABLE) SLASHDOT NEWS AGGREGATION SITE
• MUCH-AWAITED EVENTS: (PREDICTABLE) OLYMPICS, SOCCER ETC.

• THERE IS NO INNATE INTERNET MECHANISM FOR PERFORMING MALICIOUS TRAFFIC


DISCRIMINATION
• ONCE DETECTED, VULNERABILITY ATTACKS ARE EASY TO BE ADDRESSED
• IF VULNERABILITY ATTACKS VOLUME IS SO HIGH THAT IT MANIFESTS AS FLOODING
ATTACK, VERY DIFFICULT TO HANDLE

170
Source: Carl (2006)
VULNERABILITY ATTACK DETECTION
TECHNIQUES
 DETECTION TECHNIQUES CAN BE INSTALLED LOCALLY OR REMOTELY
 LOCALLY : DETECTORS PLACED AT POTENTIAL VICTIM RESOURCE OR AT A
ROUTER OR FIREWALL WITHIN THE VICTIM’S SUBNETWORK
 REMOTELY: TO DETECT PROPAGATING ATTACKS

 ATTACK DEFINED BY DETECTION METHODS: AN ABNORMAL AND


NOTICEABLE DEVIATION OF SOME STATISTIC OF THE MONITORED
NETWORK TRAFFIC WORKLOAD
 PROPER CHOICE OF STATISTIC IS CRUTIAL

171
Source: Cheung (2006)
STATISTICAL DETECTION METHODS

• ACTIVITY PROFILING: MONITORING NETWORK PACKET’S HEADER


INFORMATION
• BACKSCATTER ANALYSIS

• SEQUENTIAL CHANGE-POINT DETECTION


• CHI-SQUARE/ENTROPY DETECTOR

• WAVELET ANALYSIS
• CUSUM AND WAVELET APPROACHES

172
Source: Cheung (2006)
BACKSCATTER

173

http://www.caida.org/data/passive/network_telescope.xml
BACKSCATTER CONT’D ….

• GENERALLY, SOURCE ADDRESSES CHOSEN AT RANDOM FOR


SPOOFING BASED FLOODING ATTACKS
• UNSOLICITED VICTIM’S RESPONSES ARE EQUI-PROBABLY DISTRIBUTED
(BACKSCATTERED) ACROSS THE ENTIRE INTERNET ADDRESS SPACE
• RECEIVED BACKSCATTER EVIDENCE OF PRESENCE OF ATTACKER

174
Source: Moor (2006)
BACKSCATTER ANALYSIS
• BACKSCATTER ANALYSIS USED TO
QUANTIFY THE PREVALENCE OF
DOS ATTACKS AND IDENTIFY THE
TYPE OF ATTACK
• ASSUMPTIONS :
• ADDRESS UNIFORMITY
• RELIABLE DELIVERY
• ONE RESPONSE GENERATED FOR
EVERY PACKET IN AN ATTACK

• BACKSCATTER HYPOTHESIS
• UNSOLICITED PACKETS OBSERVED
BY THE MONITOR REPRESENT
175
BACKSCATTER
Source: Moor (2006)
QUANTIFICATION USING BACKSCATTER
Network Telescope : Monitoring block of n IP addresses
Probability of a given host receiving at least one unsolicited
response from victim during an attack of m packets
Probability of n hosts receiving at least one unsolicited
response from victim during an attack of m packets
Expected # of backscatter packets given an attack of m
packets at a single host
Expected # of backscatter packets given an attack of m
packets at n hosts
Average arrival rate of unsolicited responses
(R’ is the measured avg. inter-arrival backscatter rate R is the
extrapolated attack rate in pps) 176

Moor (2006)
WHAT TYPES OF MACHINES ARE
ATTACKED?

177

Moor (2006)
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

178
DEFENSES AGAINST DOS ATTACKS

• DOS ATTACKS CANNOT BE PREVENTED ENTIRELY


• IMPRACTICAL TO PREVENT THE FLASH CROWDS WITHOUT
COMPROMISING NETWORK PERFORMANCE
• THREE LINES OF DEFENSE AGAINST (D)DOS ATTACKS
• ATTACK PREVENTION AND PREEMPTION
• ATTACK DETECTION AND FILTERING
• ATTACK SOURCE TRACEBACK AND IDENTIFICATION

179
ATTACK PREVENTION

• LIMIT ABILITY OF SYSTEMS TO SEND SPOOFED PACKETS


• FILTERING DONE AS CLOSE TO SOURCE AS POSSIBLE BY ROUTERS/GATEWAYS
• REVERSE-PATH FILTERING ENSURE THAT THE PATH BACK TO CLAIMED SOURCE IS SAME
AS THE CURRENT PACKET’S PATH
• EX: ON CISCO ROUTER “IP VERIFY UNICAST REVERSE-PATH” COMMAND

• RATE CONTROLS IN UPSTREAM DISTRIBUTION NETS


• ON SPECIFIC PACKET TYPES
• EX: SOME ICMP, SOME UDP, TCP/SYN
• USE MODIFIED TCP CONNECTION HANDLING
• USE SYN-ACK COOKIES WHEN TABLE FULL
• OR SELECTIVE OR RANDOM DROP WHEN TABLE FULL

180
ATTACK PREVENTION CONT’D ….

• BLOCK IP BROADCASTS
• BLOCK SUSPICIOUS SERVICES & COMBINATIONS
• MANAGE APPLICATION ATTACKS WITH “PUZZLES” TO DISTINGUISH
LEGITIMATE HUMAN REQUESTS
• GOOD GENERAL SYSTEM SECURITY PRACTICES
• USE MIRRORED AND REPLICATED SERVERS WHEN HIGH PERFORMANCE
AND RELIABILITY REQUIRED

181
OCTOBER 2009

• 6TH ANNUAL NATIONAL CYBERSECURITY AWARENESS MONTH


• ONE OF THE THEMES: SHARED RESPONSIBILITY

182
RESPONDING TO ATTACKS

• NEED GOOD INCIDENT RESPONSE PLAN


• WITH CONTACTS FOR ISP
• NEEDED TO IMPOSE TRAFFIC FILTERING UPSTREAM
• DETAILS OF RESPONSE PROCESS

• HAVE STANDARD ANTISPOOFING, RATE LIMITING, DIRECTED


BROADCAST LIMITING FILTERS
• IDEALLY HAVE NETWORK MONITORS AND IDS
• TO DETECT AND NOTIFY ABNORMAL TRAFFIC PATTERNS

183
RESPONDING TO ATTACKS CONT’D ….

• IDENTIFY THE TYPE OF ATTACK


• CAPTURE AND ANALYZE PACKETS
• DESIGN FILTERS TO BLOCK ATTACK TRAFFIC UPSTREAM
• IDENTIFY AND CORRECT SYSTEM APPLICATION BUGS
• HAVE ISP TRACE PACKET FLOW BACK TO SOURCE
• MAY BE DIFFICULT AND TIME CONSUMING
• NECESSARY IF LEGAL ACTION DESIRED
• IMPLEMENT CONTINGENCY PLAN
• UPDATE INCIDENT RESPONSE PLAN

184
CONTENTS

• INTRODUCTION

• CLASSICAL DOS ATTACKS

• FLOODING ATTACKS

• DISTRIBUTED DENIAL-OF-SERVICE (DDOS)

• HOW DDOS ATTACKS ARE WAGED?

• REFLECTOR AND AMPLIFIER ATTACKS

• OTHER DOS ATTACKS

• DETECTING DOS ATTACKS

• APPROACHES TO DEFENSE AGAINST DOS

• RESPONDING TO A DOS ATTACK

• CONCLUSION

185
CONCLUSION

• (D)DOS ATTACKS ARE GENUINE THREATS TO MANY INTERNET USERS


• ANNOYING < L < DEBILITATING ; L = LOSSES
• LEVEL OF LOSS IS RELATED TO MOTIVATION AS WELL SHIELDING ATTEMPTS FROM THE DEFENDER
• ATTACKERS TAKING ADVANTAGE OF IGNORANCE OF THE VICTIMS W.R.T. (D)DOS ATTACKS

• DEFENSIVE MEASURES MIGHT NOT ALWAYS WORK


• NEITHER THREAT NOR DEFENSIVE METHODS ARE STATIC

• PROGNOSIS FOR DDOS


• INCREASE IN SIZE
• INCREASE IN SOPHISTICATION
• INCREASE IN SEMANTIC DDOS ATTACKS
• INFRASTRUCTURE ATTACKS

• DDOS ARE SIGNIFICANT THREATS TO THE FUTURE GROWTH AND STABILITY OF INTERNET

186
THANK YOU!

QUESTIONS ?
187