Lecture 4 Denial of Service Attack





Cryptographic attacks (sometimes referred to as cryptanalysis-based attacks)

• There is no random weakness discovery in this case. The attack is designed by analysing, at the theoretical level, the algorithms used to secure a system.

• Any software package that relies on the analysed algorithm is therefore a target, which makes this kind of attack almost impossible for an administrator to handle directly.

• Analysing and modifying all the software in use to increase its resistance to this type of attack is laborious and, in most cases, uneconomical.

• It is done only where security, not cost, is the primary objective (e.g. NSA, Pentagon, CIA).

DDoS risk assessment

• First questions:
– How important is network connectivity to your daily business model?
– How much would it cost to lose it?
– Which services are more important than others?
– What do added latency, or complete loss of connectivity, to your key services cost?

• The first step in risk assessment is making a list of business-related activities that depend on constant Internet access. Each item on the list should be evaluated for:
– Alternative solutions that do not require Internet access
– Frequency of the activity
– Estimated cost if the activity cannot be performed

• In addition to costs relating directly to loss of connectivity, there may be hidden costs of a DDoS attack: handling extreme traffic loads, or diverting staff attention to mitigate the problem.

SYN flood attack

• The attacker sends a stream of TCP SYN packets, usually with spoofed source addresses, and never completes the three-way handshake.

• The server maintains a data structure for each SYN request while it waits for the client's final ACK, and becomes bogged down as more SYNs flood in.

• The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.

DDoS – ICMP

• Reminder: the Internet Control Message Protocol (ICMP) is an IP-level protocol for the exchange of control packets between a router and a host or between hosts. An ICMP echo request obliges the recipient to respond with an echo reply, which is used to check that communication is possible between the two entities.

• An ICMP flood exploits exactly this obligation: every echo request the victim receives costs it bandwidth and CPU to answer, and with a spoofed source address the replies are sent to whoever the attacker names.

Direct DDOS

• Here the attacker is able to implant zombie software on a number of sites distributed throughout the Internet.

• Usually, the DDoS attack involves two levels of zombie machines: master and slave.

• The hosts of both types have been infected with malicious code.

• The attacker coordinates and triggers the master zombies, which in turn coordinate and trigger the slave zombies.

• The use of two levels of zombies makes it more difficult to trace the attack back to its source and provides for a more resilient network of attackers.


Reflector based DDOS attacks

Handling TCP SYN

• Timeout: the buffer reserved for a half-open TCP connection is released after a fixed time. This causes problems for clients on slow or high-latency links, whose final ACK may arrive after their entry has already expired, while an attacker with more bandwidth than the victim simply refills the backlog faster than entries expire.

• Random dropping: once a preset load level is reached, the server starts closing half-open connections at random. Unfortunately this affects legitimate clients too, so the method is less feasible than the previous one. It is also ineffective against an attacker who can open new connections faster than the server drops them.
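The following simulation is an added example, not code from the lecture. It models the per-connection state that the SYN flood slide describes being exhausted, and lets the two mitigations above (a timeout on half-open entries, random dropping above a load threshold) be switched on, so their side effects can be observed on constructed traffic: one legitimate client per tick plus a flood of spoofed SYNs that are never completed. Capacity, flood rate and round-trip times are assumptions chosen to make the effects visible.

```python
"""Toy model of a TCP listen backlog under a SYN flood (added illustration)."""
import random
from collections import OrderedDict


class SynBacklog:
    """Half-open connection table with fixed capacity."""

    def __init__(self, capacity, timeout=None, drop_threshold=None, seed=1):
        self.capacity = capacity
        self.timeout = timeout                  # ticks an entry may wait for its ACK (None = never expire)
        self.drop_threshold = drop_threshold    # load at which random dropping starts (None = off)
        self.rng = random.Random(seed)
        self.pending = OrderedDict()            # key -> tick the SYN arrived

    def expire(self, now):
        """Timeout policy: release entries that waited longer than `timeout`."""
        if self.timeout is None:
            return
        for key in [k for k, t0 in self.pending.items() if now - t0 >= self.timeout]:
            del self.pending[key]

    def syn(self, key, now):
        """SYN arrives: reserve a slot (the server would send SYN-ACK). False if refused."""
        self.expire(now)
        if self.drop_threshold is not None and len(self.pending) >= self.drop_threshold:
            # Random dropping: above the threshold evict one entry at random.
            # It may well be a legitimate client still waiting out its round trip.
            del self.pending[self.rng.choice(list(self.pending))]
        if len(self.pending) >= self.capacity:
            return False                        # backlog full: the SYN is silently lost
        self.pending[key] = now
        return True

    def ack(self, key, now):
        """Third handshake packet: completes the connection if the entry survived."""
        self.expire(now)
        return self.pending.pop(key, None) is not None


def simulate(backlog, ticks=60, flood_rate=50, client_rtt=0.5):
    """Return (completed, attempted) handshakes for one legitimate client per tick.

    Each tick: half the flood arrives, the client sends its SYN, the other half of
    the flood arrives during the client's round trip, then the client's ACK arrives.
    """
    completed = 0
    for t in range(ticks):
        flood = [(f"198.51.100.{i}", t) for i in range(flood_rate)]  # spoofed, never ACKed
        for key in flood[: flood_rate // 2]:
            backlog.syn(key, t)
        client = ("192.0.2.10", 40000 + t)
        reserved = backlog.syn(client, t)
        for key in flood[flood_rate // 2 :]:
            backlog.syn(key, t)
        if reserved and backlog.ack(client, t + client_rtt):
            completed += 1
    return completed, ticks


def compare_policies():
    """Run the constructed scenario under each policy from the slide."""
    return {
        "no mitigation": simulate(SynBacklog(128)),
        "10-tick timeout": simulate(SynBacklog(128, timeout=10)),
        "1-tick timeout, fast client": simulate(SynBacklog(128, timeout=1), client_rtt=0.5),
        "1-tick timeout, slow client": simulate(SynBacklog(128, timeout=1), client_rtt=1.5),
        "random dropping above 100": simulate(SynBacklog(128, timeout=10, drop_threshold=100)),
    }


if __name__ == "__main__":
    for policy, (ok, total) in compare_policies().items():
        print(f"{policy:30s} {ok:3d}/{total} legitimate handshakes completed")
```

Without mitigation the backlog fills within a few ticks and the legitimate client is locked out for the rest of the run; a long timeout only lets it back in for the few ticks after each batch of entries expires. A short timeout restores service for a fast client but rejects every handshake from a client whose round trip exceeds the timeout, and random dropping makes the outcome for the legitimate client a matter of chance, which is exactly the trade-off the slide describes.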

ICMP echo request blocking
• Usually echo is not required, so blocking it at the local network boundary improves the efficiency of the communication and removes the obligation to answer a flood of requests.

Disabling unused network services
• It is a good idea to deactivate all unused services. The administrator usually supervises only the services that are offered on purpose, so an attacker has an advantage when targeting a service that is active but unused, and therefore unwatched.

Client puzzles
• The main idea is a puzzle that the client must solve before the connection is established. The target is to slow the attacker down as much as possible while costing a legitimate client little.
• The client receives the puzzle from the server before the connection effectively starts, and the server checks the solution cheaply before committing any resources.
• The puzzle complexity may vary, e.g. raised under load and lowered when the server is idle.
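A concrete puzzle scheme, as an added example and not the lecture's own code (the slide fixes no particular construction, so the scheme is an assumption): the server issues an HMAC-tagged nonce and a difficulty k, the client must find x such that SHA-256(nonce || x) has at least k leading zero bits, and the server verifies with one hash and one HMAC before it allocates any connection state. Solving costs the client about 2**k hashes on average.

```python
"""Hash-based client puzzle (added example; scheme and parameters are assumptions)."""
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce, x):
    return hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()


def difficulty_for_load(load, max_difficulty=20):
    """Vary puzzle complexity with load (0.0 idle .. 1.0 saturated): no puzzle when idle."""
    return max(0, min(max_difficulty, round(load * max_difficulty)))


class PuzzleServer:
    def __init__(self, difficulty, ttl=30):
        self.difficulty = difficulty
        self.ttl = ttl                  # seconds a puzzle stays valid
        self.secret = os.urandom(32)    # lets the server verify nonces without storing them

    def _nonce(self, client_id, issued, difficulty):
        # The nonce is an HMAC over who/when/how hard, so a client cannot reuse a
        # solution elsewhere or lower the difficulty it was given.
        msg = f"{client_id}|{issued}|{difficulty}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, client_id, now=None):
        issued = int(time.time() if now is None else now)
        return {"client_id": client_id, "issued": issued, "difficulty": self.difficulty,
                "nonce": self._nonce(client_id, issued, self.difficulty)}

    def verify(self, puzzle, solution, now=None):
        """Cheap check run before any connection state is allocated."""
        now = int(time.time() if now is None else now)
        if now - puzzle["issued"] > self.ttl:
            return False                # stale: stops solutions being stockpiled in advance
        expected = self._nonce(puzzle["client_id"], puzzle["issued"], puzzle["difficulty"])
        if not hmac.compare_digest(expected, puzzle["nonce"]):
            return False                # forged or tampered puzzle
        return leading_zero_bits(puzzle_hash(puzzle["nonce"], solution)) >= puzzle["difficulty"]


def solve(puzzle):
    """Client side: brute force x; returns (solution, hashes_tried)."""
    x = 0
    while leading_zero_bits(puzzle_hash(puzzle["nonce"], x)) < puzzle["difficulty"]:
        x += 1
    return x, x + 1


if __name__ == "__main__":
    server = PuzzleServer(difficulty=difficulty_for_load(0.6))
    puzzle = server.issue("198.51.100.7")
    x, tried = solve(puzzle)
    print(f"difficulty {puzzle['difficulty']}: solved after {tried} hashes, "
          f"accepted={server.verify(puzzle, x)}")
```

Binding the difficulty into the HMAC matters: otherwise a client could present a puzzle it was handed while the server was idle, edit the difficulty field down, and have its near-free solution accepted under load. The TTL limits how long a solution computed in advance remains usable.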

ISP requirements
• Network address agility. Can the provider readdress portions of the network to counter an attack? This will not completely stop a DDoS attack, but it may help where an attacker is using DDoS as a masking activity to cover an existing penetration into your network.

• Topological changes. Can the provider compartmentalize your network so that some of your business keeps functioning, even in the face of a DDoS attack?

• Traffic capture/analysis. Can your provider gather samples of network traffic upstream of your interface to them? These should be full-packet captures, not headers only or tcpdump's default summary output saved to a file. Full-packet captures may be required to preserve evidence in case of legal action, and they improve understanding of the attack itself.

• Flow logging. Similar to traffic capture, flow logging should be done both inside and upstream of your network: the upstream view is unfiltered, and the two views can be compared.
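What that comparison looks like in practice, as an added example that is not part of the lecture: the records below are constructed NetFlow-style flows (one dict per flow) standing in for the provider's upstream export and your own routers' inside export. The functions count half-open (SYN without ACK) attempts and ICMP echo packets per destination and report what the edge removed; thresholds and the record layout are assumptions.

```python
"""Comparing upstream and inside flow logs during a SYN/ICMP flood (added example)."""
from collections import defaultdict

ECHO_REQUEST = 8    # ICMP type of an echo request


def is_syn_only(flow):
    """TCP flow that carried SYN but never ACK: a half-open connection attempt."""
    return flow["proto"] == "tcp" and "S" in flow["flags"] and "A" not in flow["flags"]


def summarize(flows):
    """Per destination: half-open attempts, distinct sources behind them, echo packets."""
    stats = defaultdict(lambda: {"syn_only": 0, "sources": set(), "echo_pkts": 0, "pkts": 0})
    for f in flows:
        s = stats[f["dst"]]
        s["pkts"] += f["pkts"]
        if is_syn_only(f):
            s["syn_only"] += 1
            s["sources"].add(f["src"])
        elif f["proto"] == "icmp" and f.get("type") == ECHO_REQUEST:
            s["echo_pkts"] += f["pkts"]
    return {dst: {**s, "sources": len(s["sources"])} for dst, s in stats.items()}


def flood_suspects(summary, min_syn_only=20):
    """Destinations with an unusual number of half-open attempts."""
    return sorted(dst for dst, s in summary.items() if s["syn_only"] >= min_syn_only)


def edge_filtered(upstream, inside):
    """Per destination, what the upstream (unfiltered) view saw that never reached the inside."""
    up, inn = summarize(upstream), summarize(inside)
    return {dst: {"syn_only": up[dst]["syn_only"] - inn.get(dst, {}).get("syn_only", 0),
                  "echo_pkts": up[dst]["echo_pkts"] - inn.get(dst, {}).get("echo_pkts", 0)}
            for dst in up}


# Constructed sample flows: three real clients, thirty spoofed SYNs, one echo flood.
VICTIM = "192.0.2.10"


def _tcp(src, dst, flags, pkts):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": 80, "flags": flags, "pkts": pkts}


LEGIT = [_tcp(f"198.51.100.{i}", VICTIM, "SAF", 12) for i in range(1, 4)]
SPOOFED = [_tcp(f"10.9.0.{i + 1}", VICTIM, "S", 1) for i in range(30)]
ECHO = [{"src": "203.0.113.5", "dst": VICTIM, "proto": "icmp", "type": ECHO_REQUEST, "pkts": 500}]

UPSTREAM_FLOWS = LEGIT + SPOOFED + ECHO    # provider's view, unfiltered
INSIDE_FLOWS = LEGIT + SPOOFED[:8]         # edge dropped the echo flood and most spoofed SYNs

if __name__ == "__main__":
    print("upstream:", summarize(UPSTREAM_FLOWS)[VICTIM])
    print("inside:  ", summarize(INSIDE_FLOWS)[VICTIM])
    print("filtered:", edge_filtered(UPSTREAM_FLOWS, INSIDE_FLOWS)[VICTIM])
```

The inside view alone would not trip the threshold, which is the point of the slide: only the unfiltered upstream log shows the true size of the attack, and the difference tells you how much of it the edge is actually absorbing.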

Infrastructure ACLs

• Edge "shield" in place: an iACL at the network edge permits only the traffic the infrastructure itself (router and management addresses) must receive.

• Not perfect, but a very effective first round of defense:
– Can you apply iACLs everywhere?
– What about packets that you cannot filter with iACLs?
– Hardware limitations

• Next step: secure the control/management planes on each box.

[Figure; only its labels survive: "outside", "outside", telnet, snmp, Core]


Every highway has its own police force.