DDoS Attack


  1. DoS Attack and Mitigation. By Gopi Krishnan S, Society for Electronic Transactions & Security (SETS).
  2. Denial of Service Attack. The goal is to make the victim server deny service to its intended clients. This is usually done by keeping the server busy handling meaningless requests, which exhausts either the bandwidth of the communication channel or the computational resources available on the server.
  3. Analogy. You visit a hotel for dinner, and the hotel has only one server (waiter). When you ask for the menu to order food, other guests keep interrupting the server with needless chatter. Result: you, the one who actually wants service, do not get it, because the server is busy responding to the others.
  4. (D)DoS Attack Perspective. From the server side: Flood Attack, S(l)ow Attack, Vulnerability Exploitation Attack, Non-Vulnerability/Misuse Attack. From the client side: Reflected DDoS Attack, Spoofed DDoS Attack, Exploit-based (D)DoS Attack.
  5. Flooding Attack. A flooding attack is a kind of resource exhaustion attack: the attacker floods the victim with more packets than it can handle. Flooding can be done at various layers of the OSI model to take down different devices. Examples: MAC Flooding, TCP SYN Flood, UDP Flood, SSL Handshake Flood, HTTP Flood.
  6. MAC Flood. The target is an Ethernet switch. A hub broadcasts every packet, which leaks data; to avoid that risk an Ethernet switch is used instead of a hub. A MAC flood overflows the switch's buffer (its MAC address table) and makes it act like a hub, again resulting in data leak. Packet shown on the slide (scapy):
     PkM = Ether(src=RandMAC(), dst="ff:ff:ff:ff:ff:ff") / ARP(op=2, psrc="", hwdst="ff:ff:ff:ff:ff:ff")
  7. TCP SYN Flood. The target is any server that uses TCP at the transport layer, e.g. HTTP, FTP, SMTP, IRC. SYN is the first packet of the TCP 3-way handshake; flooding the victim with SYN packets leaves too many half-open connections. The attack can be mitigated using TCP SYN cookies. Packet shown on the slide (scapy):
     PkT = Ether(src=RandMAC(), dst="08:00:27:67:f9:1a") / IP(ttl=32, dst='') / TCP(sport=RandShort(), dport=80, flags='S')
  8. UDP Flood. The target is any server that uses UDP at the transport layer, e.g. DNS, TFTP, Syslog, NTP. UDP is connectionless and maintains no state; flooding the victim with UDP overwhelms the application service running on top of the OS. Packet shown on the slide (scapy):
     PkU = Ether(src=RandMAC(), dst="08:00:27:67:f9:1a") / IP(ttl=32, dst='') / UDP(sport=RandShort(), dport=53)
  9. SSL Flood. The target is any server that uses SSL/TLS to secure its connections, e.g. HTTPS, SSH, VPN. Popularly launched by the PushDo botnet. During the client key exchange of the SSL handshake, the client sends bogus data instead of a valid key. To send a valid pre-master secret the client must compute X^Y mod N, whether the key exchange is RSA, DHE or ECDHE; sending bogus data skips that cost on the client while the server still performs its expensive share of the handshake. Can be mitigated by process outsourcing or a TLS puzzle.
  10. HTTP Flood. The target is a web server, e.g. Apache, NGINX, IIS. Popularly launched by LOIC, HOIC, HTTPerf. Packet shown on the slide (scapy):
     PkH = Ether(src="0a:00:27:00:00:00", dst="08:00:27:67:f9:1a") / IP(ttl=32, src='', dst='') / TCP(seq=1111, ack=2222, sport=12098, dport=80) / "GET / HTTP/1.0\r\n\r\n"
  11. Non-Vulnerability/Misuse Attack. Misusing a legitimate feature of a system to DoS it. Examples: HTTP POST Flood, SSL Renegotiation, TCP SYN Flood (already covered under flood attacks).
  12. HTTP POST Flood. The target is a web server; this is a type of HTTP flood aimed at any server that performs back-end operations on POST data. Web applications often process POST data against a database (login, registration, ticket booking, etc.), so the web server and database server end up executing expensive operations per request. It can be prevented by using a hash-based interactive puzzle integrated with the form submission.
  13. SSL Renegotiation Attack. The target is any SSL application with renegotiation support; often launched using THC-SSL-DOS. Immediately after establishing a new SSL session, the session parameters are renegotiated continuously, again and again, to exhaust server resources. Apache was vulnerable to this attack, but it can be prevented with the configuration keyword given on the slide in apache.conf: SSLRenegotiation off
  14. State of the Art. DDoS mitigation software/systems developed at SETS: HTTP POST Flood mitigation using an interactive client puzzle integrated with the HTML form; protection for entire cloud-based or individual web hosting using a platform/client-independent Puzzle R-Proxy service; alleviating SSL attacks using a crypto-chip platform; and work is progressing on mitigating other attacks too.
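As an added example (not code from the slides or from SETS' own implementation) of the hash-based interactive client puzzle that slides 12 and 14 describe for HTTP POST flood mitigation: the server embeds an HMAC-signed puzzle in the form, the client spends roughly 2^bits hash operations finding a solution, and the server verifies it with one HMAC and one SHA-256 before doing any database work. The puzzle format, field names, difficulty and expiry are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Per-process server secret (assumed: generated at startup, never sent to clients).
SERVER_SECRET = os.urandom(32)


def _tag(secret: bytes, form_id: str, nonce: str, issued: int, bits: int) -> str:
    # HMAC binds the puzzle parameters, so the server keeps no per-puzzle state.
    msg = f"{form_id}|{nonce}|{issued}|{bits}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_puzzle(form_id: str, bits: int = 16, secret: bytes = SERVER_SECRET, now=None) -> dict:
    """Server side: build the puzzle to embed as hidden fields in the HTML form."""
    nonce = os.urandom(16).hex()
    issued = int(time.time()) if now is None else now
    return {"form_id": form_id, "nonce": nonce, "issued": issued, "bits": bits,
            "tag": _tag(secret, form_id, nonce, issued, bits)}


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(puzzle: dict) -> int:
    """Client side (in a browser this runs in JavaScript): find a counter whose
    SHA-256 has at least `bits` leading zero bits. Expected cost is 2**bits hashes
    per form submission, which is what makes a POST flood expensive for the sender."""
    prefix = f"{puzzle['nonce']}|{puzzle['form_id']}|".encode()
    counter = 0
    while _leading_zero_bits(hashlib.sha256(prefix + str(counter).encode()).digest()) < puzzle["bits"]:
        counter += 1
    return counter


def verify_solution(puzzle: dict, solution: int, secret: bytes = SERVER_SECRET,
                    max_age_s: int = 300, now=None) -> bool:
    """Server side: one HMAC and one SHA-256 per POST, checked before touching the
    database. Rejects tampered parameters (e.g. a lowered difficulty) and stale puzzles."""
    expected = _tag(secret, puzzle["form_id"], puzzle["nonce"], puzzle["issued"], puzzle["bits"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False
    current = int(time.time()) if now is None else now
    if current - puzzle["issued"] > max_age_s:
        return False
    msg = f"{puzzle['nonce']}|{puzzle['form_id']}|{solution}".encode()
    return _leading_zero_bits(hashlib.sha256(msg).digest()) >= puzzle["bits"]
```

In a deployment the server would also record each accepted nonce until it expires so a solved puzzle cannot be replayed, and would raise `bits` under load.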