
Advisor: Dr. Phạm Văn Tính

Students: Đoàn Bảo Trung, Phạm Văn Nam, Tô Thị Thùy Trang, Nguyễn Thị Bích Thủy
Contents

1 Overview
2 DoS attack types
3 DoS attack tools
4 DoS prevention
5 Demo

Faculty of Information Technology (Khoa CNTT), Nong Lam University, Ho Chi Minh City, 2008 (slide 2/51)


Overview

• DoS stands for Denial of Service: an explicit attempt to make a computer resource unavailable. An attacker attempts to prevent legitimate users from accessing information or services.



Goal of DoS

• The goal of DoS is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.
• Attackers may:
  - Attempt to flood a network, thereby preventing legitimate network traffic
  - Attempt to disrupt connections between two machines, thereby preventing access to a service
  - Attempt to prevent a particular individual from accessing a service
  - Attempt to disrupt service to a specific system or person



Types of denial of service attacks

• There are two general forms of DoS attacks:
  - crash services
  - flood services
• Popularly, the attacks are divided into three classes:
  - bandwidth attacks,
  - protocol attacks, and
  - logic attacks.



Denial of Service attack types

1 Nuke attack
2 Teardrop attack
3 Ping of flood
4 UDP flood
6 Buffer overflow attack
7 Smurf attack
8 SYN attack
9 Land attack



Nuke attack

• A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target. It is achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.



Nuke attack (Cont.)

• A specific example of a nuke attack that gained some prominence is WinNuke, which exploited a vulnerability in the NetBIOS handler of Windows 95, Windows NT and Windows 3.1x. A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display a Blue Screen of Death (BSOD).



Nuke attack (Cont.)

• Ping of death: a ping of death is caused by an attacker deliberately sending a ping packet (normally 64 bytes) that is larger than 65,535 bytes. Many computer systems cannot handle an IP packet larger than the maximum IP packet size of 65,535 bytes, and this often causes them to crash. It is illegal to send a ping packet larger than 65,535 bytes, but a packet of such size can be sent if it is fragmented.



Nuke attack (Cont.): Ping of death

[Figure: a normal ping compared with a ping of death attack]



Teardrop attack

• This DoS attack affects Windows 3.1, 95 and NT machines. It also affects Linux versions previous to 2.0.32 and 2.1.63.
• IP requires that a packet that is too large for the next router to handle should be divided into fragments.
• The attacker's IP stack puts a confusing offset value in the second or later fragment.
• If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system.
• It is a UDP attack, which uses overlapping offset fields to bring down hosts.



Teardrop attack

[Figure: normal fragmentation. A datagram covering bytes 1-9 is split into fragments 1-5 and 6-9, which do not overlap.]



Teardrop attack

[Figure: teardrop attack. The fragments cover bytes 1-6 and 4-9, so the second fragment overlaps the first.]
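The receiver-side check that defeats both malformed-fragment attacks described above (overlapping fragments for teardrop, a reassembled size beyond 65,535 bytes for ping of death) can be written as a small validator run before reassembly. The code below is an added example and is not from the original slides; it uses plain byte offsets rather than the 8-byte units and 13-bit field of a real IPv4 header, and the sample fragment sets are constructed to mirror the slide figures.

```python
# Added example, not from the original slides: a fragment-set validator that a
# receiver could run before reassembly. It flags the two malformed patterns
# described above: overlapping fragments (teardrop, e.g. bytes 1-6 then 4-9)
# and a reassembled datagram larger than the 65,535-byte IPv4 maximum
# (ping of death). Offsets here are plain byte offsets; a real IPv4 header
# stores offset/8 in a 13-bit field, which is abstracted away for clarity.
from dataclasses import dataclass
from typing import List

IPV4_MAX_DATAGRAM = 65535  # maximum total length of an IPv4 datagram, in bytes


@dataclass(frozen=True)
class Fragment:
    """One IP fragment of a datagram."""
    offset: int   # first payload byte this fragment covers (0-based)
    length: int   # number of payload bytes it carries
    more: bool    # MF flag: True for every fragment except the last


def check_fragments(frags: List[Fragment]) -> str:
    """Classify a set of fragments belonging to one datagram.

    Returns "ok", "invalid" (negative offset or empty fragment), "overlap"
    (teardrop pattern: a fragment rewrites bytes an earlier fragment already
    covered) or "oversize" (ping-of-death pattern: data would extend past
    65,535 bytes). Fragments may arrive in any order; gaps are not an error
    here because missing pieces may still be in flight.
    """
    covered_up_to = 0  # end (exclusive) of the bytes seen so far, in offset order
    for frag in sorted(frags, key=lambda f: f.offset):
        if frag.offset < 0 or frag.length <= 0:
            return "invalid"
        if frag.offset < covered_up_to:
            return "overlap"
        covered_up_to = frag.offset + frag.length
        if covered_up_to > IPV4_MAX_DATAGRAM:
            return "oversize"
    return "ok"


# Constructed fragment sets mirroring the slide figures (1-based byte ranges on
# the slides become 0-based offsets here).
NORMAL = [Fragment(0, 5, True), Fragment(5, 4, False)]       # bytes 1-5, 6-9
TEARDROP = [Fragment(0, 6, True), Fragment(3, 6, False)]     # bytes 1-6, 4-9
PING_OF_DEATH = [Fragment(0, 65000, True), Fragment(65000, 600, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)]:
        print(f"{name}: {check_fragments(frags)}")
```

Sorting by offset before checking is what makes the validator independent of arrival order; the "oversize" test is applied to every fragment, not only the last one, because no legitimate fragment can end beyond the datagram maximum regardless of whether the MF flag is set.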



Ping of Flood

• A ping flood is caused by an attacker overwhelming the victim's network with ICMP Echo Request (ping) packets. This is a fairly easy attack to perform without extensive network knowledge, as many ping utilities support this operation. A flood of ping traffic can consume significant bandwidth on low- to mid-speed networks, slowing a network to a crawl.



Ping of Flood

[Figure: ping flood illustration]



UDP flooding

• A UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
  - Check for the application listening at that port;
  - See that no application listens at that port;
  - Reply with an ICMP Destination Unreachable packet.
• Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, and anonymizing the attacker's network location(s).



Buffer Overflow Attack

• A buffer overflow occurs any time the program writes more information into the buffer than the space allocated for it in memory.
• The attacker can overwrite the data that controls the program execution path and hijack control of the program to execute the attacker's code instead of the process code.
• Sending email messages that have attachments with 256-character file names can cause a buffer overflow.



Smurf Attack

• A smurf attack exploits the target by sending repeated ping requests to the broadcast address of the target network. The ping request packet often uses a forged IP address (return address), which is the target site that is to receive the denial of service attack. The result will be lots of ping replies flooding back to the innocent, spoofed host. If the number of hosts replying to the ping request is large enough, the network will no longer be able to receive real traffic.



[Figure: smurf attack diagram. An echo request with the forged source address 192.168.12.12 is sent to the broadcast address of the 192.168.12.x network, and the replies from every host converge on 192.168.12.12.]



SYN Floods

When establishing a session between a TCP client and server, a hand-shaking message exchange occurs between the server and client. A session setup packet contains a SYN field that identifies the sequence in the message exchange. An attacker may send a flood of connection requests and not respond to the replies, which leaves the request packets in the buffer so that legitimate connection requests can't be accommodated.



SYN Floods

[Figure: SYN flood illustration]



Land attack

• This DoS attack affects Windows 95/NT machines and various flavors of UNIX, including SunOS, several BSD UNIX versions and networked Macintosh machines.
• The Land denial of service attack works by sending a spoofed packet with the SYN flag (used in a "handshake" between a client and a host) set from a host to any port that is open and listening. If the packet is programmed to have the same destination and source IP address, when it is sent to a machine via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine.
Land attack

[Figure: land attack illustration]
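The land and smurf attacks above both depend on forged addresses, so the natural defensive control is an address sanity filter at the network edge: drop packets whose source equals their destination, refuse packets arriving from outside that claim an inside source, refuse echo requests aimed at the directed broadcast address (so the site cannot be used as a smurf amplifier), and only let packets with the site's own source addresses leave. The following is an added example, not code from the slides; the 192.168.12.0/24 prefix is an assumption chosen to match the addresses in the smurf figure, and the sample packets are constructed.

```python
# Added example, not from the original slides: a minimal edge-router sanity
# filter for the spoofing-based attacks above. A land packet claims to come from
# its own destination; a smurf attack relies on forged-source echo requests to a
# network's broadcast address. The network prefix below is an assumption.
import ipaddress
from dataclasses import dataclass

# Assumed address block of the protected site (chosen to match the 192.168.12.x
# addresses drawn in the smurf figure; constructed for this example).
INTERNAL_NET = ipaddress.ip_network("192.168.12.0/24")


@dataclass(frozen=True)
class Packet:
    src: str                 # source IPv4 address
    dst: str                 # destination IPv4 address
    proto: str               # "tcp", "udp" or "icmp"
    syn: bool = False        # TCP SYN flag set
    icmp_echo: bool = False  # ICMP Echo Request
    sport: int = 0
    dport: int = 0


def classify(pkt: Packet, direction: str) -> str:
    """Decide what the edge should do with one packet.

    direction is "in" (arriving from the Internet) or "out" (leaving the site).
    Returns "accept" or "drop:<reason>"; the first matching rule wins.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Land: identical source and destination. No legitimate packet crossing the
    # edge looks like this, so it is dropped in both directions.
    if src == dst:
        return "drop:land"

    if direction == "in":
        # Ingress anti-spoofing: nothing from outside may carry an inside source.
        # An echo request forged from one of our hosts to our own broadcast
        # address (the smurf figure above) is caught here.
        if src in INTERNAL_NET:
            return "drop:spoofed-internal-source"
        # Directed-broadcast echo: refuse to act as a smurf amplifier.
        if pkt.proto == "icmp" and pkt.icmp_echo and dst == INTERNAL_NET.broadcast_address:
            return "drop:directed-broadcast-echo"
    else:
        # Egress anti-spoofing (BCP 38 style): only our own addresses may leave,
        # so this site cannot be the origin of forged-source floods.
        if src not in INTERNAL_NET:
            return "drop:spoofed-egress-source"

    return "accept"


# Constructed sample packets.
LAND = Packet("192.168.12.12", "192.168.12.12", "tcp", syn=True, sport=139, dport=139)
SMURF_TRIGGER = Packet("192.168.12.12", "192.168.12.255", "icmp", icmp_echo=True)
OUTSIDE_BROADCAST_PING = Packet("203.0.113.7", "192.168.12.255", "icmp", icmp_echo=True)
NORMAL_IN = Packet("203.0.113.7", "192.168.12.12", "tcp", syn=True, sport=40000, dport=80)
FORGED_OUT = Packet("10.9.9.9", "203.0.113.7", "udp", sport=1234, dport=53)

if __name__ == "__main__":
    for name, pkt, direction in [("land", LAND, "in"),
                                 ("smurf trigger", SMURF_TRIGGER, "in"),
                                 ("outside broadcast ping", OUTSIDE_BROADCAST_PING, "in"),
                                 ("normal inbound", NORMAL_IN, "in"),
                                 ("forged outbound", FORGED_OUT, "out")]:
        print(f"{name}: {classify(pkt, direction)}")
```

The rule order matters: the land check runs first because such a packet is bogus regardless of direction, and the ingress spoof check runs before the broadcast check so that a forged inside source is reported as spoofing rather than merely as a broadcast ping.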



DoS Tool: Jolt2

• Allows remote attackers to cause a denial of service attack against Windows-based machines
• Causes the target machines to consume 100% of the CPU time on processing the illegal packets
• Not Windows-specific: Cisco routers and other gateways may be vulnerable



DoS Tool: Bubonic.c

• Bubonic.c is a DoS exploit that can be run against Windows 2000 machines
• It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes



DoS Tool: Land and LaTierra

• IP spoofing in combination with the opening of a TCP connection
• Both IP addresses, source and destination, are modified to be the same: the address of the destination host
• This results in sending the packet back to itself, because the addresses are the same



DoS Tool: Nemesy

• The Nemesy application generates random packets (protocol, port, etc.)
• Its presence means that your computer is infected with malicious software and is insecure



DoS Tool: Crazy Pinger

• This tool could send large ICMP packets to a remote target network



DoS Tool: UDP Flood

• UDPFlood is a UDP packet sender
• It sends out UDP packets to the specified IP and port at a controllable rate
• Packets can be made from a typed text string, a given number of random bytes, or data from a file
• It is useful for server testing



Preventing Denial of Service Attacks

• Make the most of your services

Protecting your services from attack is similar to tuning your services for maximum performance. The greater the load you can handle, the more resilient you are. Things change slightly when the attack alters the profile of your service.



Preventing Denial of Service Attacks

• Detect DoS attacks
  - Monitor hosts with a high number of failed flows and/or new flows
  - Look for unwelcome hosts
• Limit flood attacks
  - Restrict the bandwidth used by violating hosts
  - Limit the rate of new traffic flows to or from one host
  - Limit the amount of ICMP traffic
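The detection half of this checklist (hosts with many failed or new flows, excessive ICMP) maps directly onto the flood attacks described earlier: half-open TCP handshakes are the SYN flood signature, UDP sent to closed ports is the UDP flood signature, and ICMP byte volume is the ping flood signature. The code below is an added example, not from the slides, that runs such per-host, per-window counters over constructed flow records; the threshold values are assumptions and would in practice be set from a baseline of normal traffic.

```python
# Added example, not from the original slides: flow-level monitoring that
# implements the checklist above on constructed flow records. It counts, per
# host and per time window, new flows, failed flows (TCP handshakes never
# completed, as in a SYN flood; UDP sent to closed ports, as in a UDP flood) and
# ICMP bytes (ping flood). The thresholds are assumptions for the example.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

Alert = Tuple[int, str, str, int]  # (window index, host, reason, observed value)

# Assumed per-window limits; real values come from a baseline of normal traffic.
THRESHOLDS: Dict[str, int] = {
    "new_flows": 50,        # flows touching one host per window
    "failed_flows": 30,     # half-open TCP / UDP-to-closed-port flows per host
    "icmp_bytes": 100_000,  # ICMP bytes to or from one host per window
}


@dataclass(frozen=True)
class Flow:
    t: float          # start time in seconds
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int
    completed: bool   # tcp: handshake finished; udp: a listener answered; icmp: True
    nbytes: int


def detect_floods(flows: List[Flow], window: float = 10.0,
                  thresholds: Dict[str, int] = THRESHOLDS) -> List[Alert]:
    """Return alerts for hosts whose per-window counters exceed the thresholds.

    Both endpoints are counted, so a victim of a spoofed-source flood (many
    sources, one destination) and a single noisy source are both reported.
    """
    new_flows: Counter = Counter()
    failed_flows: Counter = Counter()
    icmp_bytes: Counter = Counter()
    for f in flows:
        w = int(f.t // window)
        for host in (f.src, f.dst):
            key = (w, host)
            new_flows[key] += 1
            if f.proto in ("tcp", "udp") and not f.completed:
                failed_flows[key] += 1
            if f.proto == "icmp":
                icmp_bytes[key] += f.nbytes

    alerts: List[Alert] = []
    for name, counter in (("new_flows", new_flows),
                          ("failed_flows", failed_flows),
                          ("icmp_bytes", icmp_bytes)):
        for (w, host), value in counter.items():
            if value > thresholds[name]:
                alerts.append((w, host, name, value))
    return sorted(alerts)


def sample_flows() -> List[Flow]:
    """Constructed flow records, not a real capture."""
    flows = [
        Flow(0.5, "192.168.12.30", "192.168.12.12", "tcp", 80, True, 4000),
        Flow(1.0, "192.168.12.31", "192.168.12.12", "tcp", 443, True, 12000),
    ]
    # SYN flood pattern: 40 half-open connections from 40 (spoofed) sources.
    flows += [Flow(2.0 + i * 0.1, f"198.51.100.{i + 1}", "192.168.12.12",
                   "tcp", 80, False, 60) for i in range(40)]
    # Ping flood pattern in the next window: 5 x 30 kB of ICMP from one host.
    flows += [Flow(11.0 + i, "203.0.113.9", "192.168.12.12", "icmp", 0, True, 30_000)
              for i in range(5)]
    return flows


if __name__ == "__main__":
    for alert in detect_floods(sample_flows()):
        print(alert)
```

In the constructed data the spoofed SYN flood never trips the new-flow threshold on any single source (each forged source appears once), but the victim accumulates 40 failed flows in one window, which is exactly why the checklist asks to monitor failed flows per host rather than only flow counts per source; the ping flood is visible on both the sender and the victim through the ICMP byte counter.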



Demo


