1

Network Security Network Security -- DDoSDDoS

What is computer network security and why is importantTypes and Strategies of DDoS AttacksDDoS Attack PreventionConclusion

What is Network SecurityWhat is Network Security

Network Security is a huge topic that can be divided into two categories:- Cryptography- Network Security Services

2

CryptographyCryptography

A process associated with scrambling plaintext (ordinary text, or clear text) into cipher text (a process called encryption), then back again ( a process called decryption)

Network Security ServicesNetwork Security Services

1.SecrecyThe purpose of secrecy is to keep information out of the hands of unauthorized users. 2. AuthenticationIt deals with determining of whom you are talking to before releasing sensitive

information or making a business deal. The sender and the receiver should be able to verify their identity3. Non ReputationIt concerns with signatures. It’s purpose it’s to prove that the customer placed an order

with the correct amount.4. Message IntegrityThe sender and the receiver should be able to verify that the message sent by the sender

and received by the receiver is the correct one and it’s not malicious modified in transit. 5. Denial of Service (DoS) PreventionDoS is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic.

3

WHY DO WE NEED SECURITY?WHY DO WE NEED SECURITY?

With the rapid development of the Internet , companies build their own LANs and give Internet access to their employees. As a result any Internet user can connect to an insecure LAN.

Computer and Network Security is ImportantTo protect company assets

“Assets” can be any information that is housed on a company’s computers. To gain a competitive advantageFor example no one will use an Internet Banking System if that system is being hacked in the past.To ensure the continuity of the organization. (Some organizations rely on computers for their continuing operations)For the System Administrators and Network Engineers to keep their job.

4

REPORTSREPORTS

February 7-11 2000 The week of the famous attacksCNN, Yahoo, E-Bay, Datek taken down for several hours at a time due to

traffic flooding Trinoo, Tribal Flood Network, TFN2K, and Stacheldrahtsuspected tools used in attacks

May 4th-20th 2001- The attacks on Gibson Research Corporation http://www.grc.comDDoS Attack from 474 machines completely saturated two T1s, and a 13th year old claimed responsibility

DoS Attacks on the Rise

5

Some Reports from CERT (Internet Security Expertise)Some Reports from CERT (Internet Security Expertise)February 28, 2000The CERT received reports indicating intruders are beginning to deploy and utilize windows baseddenial of service agents to launch distributed denial of service attacks.

May 2, 2000In late April 2000, CERT began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.

April 24, 2001The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.

March 19, 2002The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat(IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.

6

Denial of Service Denial of Service ((DOS) AND Distributed Denial of Service (DDOS)DOS) AND Distributed Denial of Service (DDOS)

A denial of Service (DOS) attack is an incident in which a user or an organization is not able to usethe services of a resource that would normally expect to have.

Resource Services can be-Web Access-E-mail-Network Connectivity…

The bottom line is that the target person or company loses a great deal of time and money

A DDOS (Distributed Denial of Service) attack is a sophisticated attack created by a large number of compromised hosts that are instructed to send useless packets to jam a victim or its Internet connection or both .

Definition and Strategy of DDOS attacksDefinition and Strategy of DDOS attacks

Architecture Of DDoS Attack

7

Architecture of DDOS AttackArchitecture of DDOS Attack

A DDOS Attack uses many computers to launch a coordinate DOS attack against one or more targets.Using client/server technology the penetrator is able to multiply the effectiveness of the DoS significantlyby harnessing the resources of multiple computers which serve attack platforms.

A DDOS is composed of four elementsThe Real AttackerThe Handlers or master compromised hosts, who are capable of controlling multiple agentsThe Attack daemon agents or zombie hosts who are responsible for generating a stream of packets toward the victimThe victim or the target host

Step 1: Recruitment The Attacker chooses the vulnerable agents which will be used to perform the attack

Step 2: Compromise The Attacker exploits the vulnerabilities of the agents and plants the attack code, protecting

it simultaneously from discovery and deactivation.Step 3: Communication

The agents inform the attacker via handlers that they are readyStep 4: Attack

The Attacker commands the onset of the attack

Powerful DDOS toolkitsPowerful DDOS toolkits

Sophisticated and powerful DDOS toolkits are available to potential attackerssuch as

TRINOOTFNSTACHELDRAHTTFN2KMSTREAMSHAFT

8

DDOS ATTACK CLASSIFICATIONDDOS ATTACK CLASSIFICATION

DDoS can be divided in two main classes1) Bandwidth Depletion2) Resource Depletion

DoS Attack Classification

A Bandwidth Depletion attack is design to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system.A Resource Depletion attack is an attack that is designed to tie up the resources of a victim system

Attack CategoriesAttack Categories

Two General Attack Categories are:1) Direct Attacks Both of them are flooding attacks2) Reflector Attacks

Direct Attack

The Attacker arranges to send out a large number of attack packet directly toward a victim. Attack packets can be TCP,ICMP,UDD or a mixture of them . The source addresses in these attack packets are usually randomly generated (spoofed addresses) and as a result the response packet are send elsewhere in the Internet.

9

Reflector Attack

A Reflector attack is an indirect attack in that intermediate nodes (routers and various servers)better known as reflectors are innocently used as attack launchers.An attacker sends packets that require responses to the reflectors with the packets source addresses set to a victims address. Without realizing that the packets are actually spoofed the reflectors return response packets to the victim according to the types of the attack packet.The packets are reflected in the form of normal packets toward the victim. If the numbers of reflectors are large enough the link of the victim is flooded.

Bandwidth Bandwidth DoSDoS Attack ExampleAttack Example

A standard bandwidth DoS attack model, MS-SQL server worm also known as the Slammer is a self-propagating malicious code that employs multiple vulnerabilities of SQL SERVER Resolution Services (SSRS) providing referral services for multiple server instances running on the same machine

An attacker creates a forged ping message to one instance of the SSRS (SERVER A),using the IP address of another instance (SERVER B) as the sourceThat will cause SERVER A to respond to SERVER B and cause SERVER A and SERVER B to continuously exchange messages.This cycle will endure to consume resources until nothing left.The attack on January 25 2003, resulted in preventing 13000 Bank of America ATM from providing withdraw services and paralyzed large ISP as Korea Freefell.

10

Memory Memory DoSDoS AttackAttackEvery TCP connection establishment requires an allocation of significant memory resources. Typically 280 Bytes on BSD.There is a limit on the number of concurrent TCP half-open connections.The range of the backlog queue size on various Oses is 6 to 128By sending overdosed connection requests with spoofed source addresses to the victim, an attacker can disable all successive connection establishment attempts including those of legitimate users.

DDoSDDoS TYPESTYPESA. FLOOD ATTACK

B. LOGIC OR SOFTWARE ATTACKS

11

The client transmits to the server the SYN bit set. This tells the server that the client wishes to establish a connection and what the starting sequence number will be for the client. The server sends back to the client an acknowledgment (SYN-ACK) and confirms its starting sequence number. The client acknowledges (ACK) receipt of the server's transmission and begins the transfer of data.

FLOOD ATTACKS

TCP SYN Flooding

SYN flooding is a denial-of-service attack that exploits the three-way handshake that TCP/IP uses to establish a connection.

SYN flooding disables a targeted system by creating many half-open connections

The attacker creates many half-open connections by initiating the connections toa server with the SYN number bit.

- The return address that is associated with the SYN would not be a valid address.- The server would send a SYN-ACK back to an invalid address that would not exist or

respond. Using available programs, the hacker would transmit many SYN packets withfalse return addresses to the server.

- The server would respond to each SYN with an acknowledgment and then sit there with the connection half-open waiting for the final acknowledgment to come back.

Result:- The system under attack may not be able to accept legitimate incoming network connections so that

users cannot log onto the system. Each operating system has a limit on the number of connections it can accept. In addition, the SYN flood may exhaust system memory, resulting in a system crash. The net result is that the system is unavailable or nonfunctional.

12

Smurf Attack:Smurf Attack:

– Smurf AttackAmplification attackSends ICMP ECHO to network

Network sends response to victim system

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion

•The attacker wants a result of tons of ping replies flooding the host they intend to exploit. This attack causes a DoS.

13

UDP Flood Attack:UDP Flood Attack:

UDP Flood Attack: UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood attack is possible when an attacker sends a UDP packet to a randomport on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on victim, the system will go down.http://www.cert.org/advisories/CA-1996-01.html

Attacks similar to Trinno are:

- TFN (Tribal Flood Network),

- Stacheldraht

14

Logic or Software AttacksLogic or Software AttacksPing of Death:An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may be crashed or rebooted as a result.

ping -l 65510 your.host.ip.address

http://www.insecure.org/sploits/ping-o-death.html

Teardrop:An attacker sends two fragments that cannot be reassembled properly by manipulating the offset value of packet and cause reboot or halt of victim system. Many other variants such as targa, SYNdrop, Boink, Nestea Bonk, TearDrop2 and NewTear are available.

http://www.cert.org/advisories/CA-1997-28.html

Land:

An attacker sends a forged packet with the same source and destination IP address. The victim system will be confused and crashed or rebooted

http://www.cert.org/advisories/CA-1997-28.html

15

Echo/Chargen:

The character generator (chargen) service is designed to simply generate a stream of characters. It is primarily used for testing purposes. Remote users/intruders can abuse this service by exhausting system resources. Spoofed network sessions that appear to come from that local system's echo service can be pointed at the chargen service to form a "loop." This session will cause huge amounts of data to be passed in an endless loop that causes heavy load to the system.When this spoofed session is pointed at a remote system's echo service, this denial of service attack will cause heavy network traffic/overhead that considerably slows your network down.It should be noted that an attacker does not need to be on your subnet to perform this attack as he/she can forge the source addresses to these services with relative ease.

Defending MeasuresDefending MeasuresA. System Self DefenseB. Packet Filtering

A lot of defensive measures exist, but few of them are effective under DDoS.Actually some of them are vulnerable to DoS themselves.Defending can be very difficult because the syn packets are part of normal traffic, and the source IP can be fake.A. System Self Defense1. Reduce the number of targets that can be attacked. Stop all unnecessary or non-

essential system services or network ports.2. Increase the difficulty of TCP Syn attacks by :

a. Enlarging the length of backlog queueb. Reduce the time-out period in order to cope with more simultaneous half-

open connection

16

B. Packet Filtering

It deals on how to continuously monitor TCP/IP traffic in a network, looking for irregularityin packet behavior. Once a packet is determined as being malicious, the monitor agent will either discard it or reset any pending connection request.

1. Ingress FilteringISPs take actions against DoS/DDoS that include:

- Eliminating routing of spoofed packets by discarding any packet that contains any RFC 1918 or reserved IP address RFC 3330 in the IP source ordestination address

Drop packets with IP addresses outside the range of a customer’s network, so they canprevent attackers from using forge source addresses to launch a DoS attack.

The weaknesses of applying ingress filtering technique is that, it does nothing to addressflooding attacks that originate from valid IP addresses.

2. Egress FilteringEgress Filtering is a source-network mechanism. It prevents one’s network frombeing the source of forged communications used in DoS attacks These filtersanalyze packets as they are forwarded to their intended destination, looking forforged (spoofed) IP addresses. Since any particular network is assigned a specificsubset of IP addresses, any packet containing an invalid IP address is assumed tobe spoofed, and the filter drops such packets. This ensures that only IP packetswith valid source IP addresses leave the network and thus protects the outsidefrom spoofed packets.

WeaknessDoes not protect the network from attack but it only keeps an attacker from using the network to perform a DDoSCannot detect internal spoofed IPs.

17

C. Firewall

18

FirewallFirewall- A firewall is used to secure the network of an organization. It is a device that

attempts to prevent unauthorized access to a network. It is usually located at the boundary where a private network interfaces with the external world

- A firewall can block the arrival of potentially malicious TCP connection request at the destination host’s packets

- It is used as a request proxy that answers the requests on its behalf, or as a TCP connection request monitor

The negative points are :a. The firewall causes new delays for every connection, including those for legitimate users.b. A firewall might be vulnerable by itself.c. A specialized firewall can be disabled by a flood of 14000 packets per second

State MonitoringState Monitoring

D. State Monitoring:

Some software agents are used to determine whether or not a packet is malicious

RealSecure monitors the local network for SYN packets that are notacknowledged for a period of time defined by the users.

Synkill supports a finite state machine that classifies IP addresses as good or bad.

Unicast RPF examines all packets received at the input interface to make surethat the source address and the source interface pair is in a special routing table.

WATCHER maintains multiple decentralized counters that are exchangedperiodically among the neighbors of the suspected router. \

19

State MonitoringState Monitoring

TDSAM describes flow behavior by classifying individual profiles as either short-term or long-term components.

All of these software agents need to maintain tremendous states to determinewhether or not a packet is malicious. Hence, they are vulnerable to DoS attacks.

Congestion ControlCongestion Control

E. Congestion Control

- Pushback is a router-based solution against bandwidth attacks, which employs the concept of aggregate-based congestion control to identify most of the malicious packets.

- It uses the destination prefix as a congestion signature to distinguish and protect the legitimate traffic within the aggregate

- It adds rate-limiting functionality to the routers to detect and drop suspicious packets-Pushback notifies the upstream routers to rate limiting packets destined to a victim

order to let other legitimate traffic move

- However, pushback cannot block effectively bad traffic under a DDoS attack that is uniformly distributed on inbound links

It cannot distinguish between good and bad traffic going to the destination, and will drop them equally

(Aggregate: Is a set of packets with a common feature)

20

Other Defense ApproachesOther Defense Approaches

TracebackD-WardNetBouncerSecure Overlay Services (SOS)Proof of WorkHop-Count Filtering…

ConclusionsConclusionsDDos attacks are very difficult to defend against but following the defensive measures mentioned will greatly reduce the chances of the network to be used as source or as the victim in a DDoS attack.Network engineers should be updated about the new attacking tools, and with the new defending techniques. They should always be in an alert situationA lot of money are spend daily in computer network security, and they will be spend in the future. Computer Network Security is a subject that will always keep be in the headline news.

21

ReferencesReferencesAnalysis of Denial-of-Service Attacks on Denial-of-Service Defensive - Measures Bao-Tung Wang, Henning SchulzrinneDefending against Flooding-Based Distributed Denial-of-Service Attacks - Rocky K. C. Chang, The Hong Kong Polytechnic UniversityOn the Defense of the Distributed Denial of Service - Attacks: An On–Off Feedback Control Approach – Yong Xiong, SteveLiu, and PeterSun, Member, IEEEProtocol Scrubbing: Network Security Through Transparent Flow Modification David Watson, Matthew Smart, G. Robert Malan, Member, IEEE, and FarnamJahanian, Member, IEEEWhat Is Computer Security? - Matt Bishop, bishop@cs.ucdavis.eduAn Active Network-Based Intrusion Detection and Response Systems – Han-Pang Hang and Chia Ming ChangDos Attacks and Defense Mechanism: A Classification – Christos Douligenis, Aikaterini MitrokotsaComputer Network 4th Edition – A.TanenbaumDr. Christos Panayiotou Lecture Noteshttp://www.cert.orghttp://www.cisco.com