Page 1: DDoS Attack

DoS Attack and Mitigation

by Gopi Krishnan S

Society for Electronic Transactions & Security

Page 2: DDoS Attack

Denial of Service Attack

● The goal is to make the victim server deny service to its intended clients. This is often done by keeping the server busy handling meaningless requests.

● It is achieved by exhausting either the bandwidth of the communication channel or the computational resources available on the server.

Page 3: DDoS Attack

Analogy

You are visiting a hotel for dinner, and the hotel has only one server (waiter). When you ask for the menu card to order food, the others interrupt the server and chat with him unnecessarily.

Result: You are the one who intends to get service but is not getting it, because the server is busy responding to the others.

Page 4: DDoS Attack

(D)DoS Attack perspective

● From Server

– Flood Attack

– S(L)ow Attack

– Vulnerability Exploitation Attack

– Non-Vulnerability/Misuse Attack

● From Client

– Reflected DDoS Attack

– Spoofed DDoS Attack

– Exploit based (D)DoS Attack

Page 5: DDoS Attack

Flooding Attack

● A flooding attack is a kind of resource-exhaustion attack.

● An attacker floods the victim with more packets than it can handle.

● Flooding attacks can be carried out at various layers of the OSI model to take down different devices.

● Example:

– MAC Flooding, TCP SYN Flood, UDP Flood, SSL Handshake Flood, HTTP Flood

Page 6: DDoS Attack

MAC Flood

● The target is an Ethernet switch.

● A hub broadcasts every packet to all ports, which results in data leakage.

● To avoid the potential risk of data leakage, an Ethernet switch is used instead of a hub.

● A MAC flood overflows the switch's MAC address table and makes it act like a hub, which again results in data leakage.

PkM = (Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/ARP(op=2, psrc="0.0.0.0", hwdst="ff:ff:ff:ff:ff:ff"))
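The two flood patterns on the last pages (many distinct source MACs on one switch port, and many packets aimed at one destination) can both be spotted with simple sliding-window counters. The following detector is an added example, not code from the slides; the thresholds, the frame-summary tuple layout and the sample traffic are all constructed for the demonstration, and the sample SYN burst is included so the same detector also covers the TCP SYN flood on the next page.

```python
from collections import defaultdict, deque


class FloodDetector:
    """Sliding-window counters for two flood patterns: many distinct source MACs
    arriving on one switch port (MAC table overflow) and many TCP SYNs aimed at
    one destination (SYN flood). Thresholds are hypothetical tuning values."""

    def __init__(self, window=1.0, mac_threshold=50, syn_threshold=100):
        self.window = window                    # seconds of history kept per counter
        self.mac_threshold = mac_threshold      # distinct source MACs per port per window
        self.syn_threshold = syn_threshold      # SYNs per destination IP per window
        self.macs_by_port = defaultdict(deque)  # port -> deque of (timestamp, src_mac)
        self.syns_by_dst = defaultdict(deque)   # dst_ip -> deque of timestamps

    def _expire(self, dq, now, ts_of):
        # Drop entries older than the window from the left of the deque.
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    def observe(self, ts, port, src_mac, dst_ip, proto, flags=""):
        """Feed one frame summary; return a list of (alert_kind, subject, count)."""
        alerts = []

        macs = self.macs_by_port[port]
        macs.append((ts, src_mac))
        self._expire(macs, ts, lambda e: e[0])
        distinct = len({mac for _, mac in macs})
        if distinct > self.mac_threshold:
            alerts.append(("mac_flood", port, distinct))

        # A bare SYN (no ACK) is a new connection attempt.
        if proto == "TCP" and "S" in flags and "A" not in flags:
            syns = self.syns_by_dst[dst_ip]
            syns.append(ts)
            self._expire(syns, ts, lambda e: e)
            if len(syns) > self.syn_threshold:
                alerts.append(("syn_flood", dst_ip, len(syns)))

        return alerts


def build_sample():
    """Constructed frame summaries: (timestamp, switch_port, src_mac, dst_ip, proto, tcp_flags)."""
    frames = []
    # Baseline: a few legitimate SYNs from one host on port 1.
    for i in range(5):
        frames.append((0.1 * i, 1, "08:00:27:aa:bb:cc", "10.1.1.2", "TCP", "S"))
    # MAC flood: 80 gratuitous ARP frames, each with a different source MAC, on port 1.
    for i in range(80):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((1.0 + 0.005 * i, 1, mac, "10.1.1.2", "ARP", ""))
    # SYN flood: 150 SYNs to 10.1.1.2 with spoofed source MACs on port 2.
    for i in range(150):
        mac = f"02:00:00:01:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((2.0 + 0.002 * i, 2, mac, "10.1.1.2", "TCP", "S"))
    return frames


def run(frames, detector=None):
    """Replay frame summaries through a detector and collect every alert raised."""
    det = detector or FloodDetector()
    alerts = []
    for frame in frames:
        alerts.extend(det.observe(*frame))
    return alerts


if __name__ == "__main__":
    for kind, subject, count in run(build_sample()):
        print(f"{kind}: {subject} ({count} in window)")
```

On a real switch the equivalent of the MAC counter is port security (a cap on learned addresses per port); the detector above is what you would run on a mirror port or a sensor to see the same condition in traffic. Note that the spoofed-MAC SYN burst trips both counters, which is the usual picture when a flood tool randomises the source MAC.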

Page 7: DDoS Attack

TCP SYN Flood

● The target is any server that uses TCP at the transport layer.

● Example: HTTP, FTP, SMTP, IRC, etc.

● In the TCP 3-way handshake, SYN is the first packet.

● Flooding the victim with TCP SYN packets leaves too many half-open connections.

● The attack can be mitigated using TCP SYN cookies.

PkT = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/IP(ttl=32,dst='10.1.1.2')/TCP(sport=RandShort(),dport=80,flags='S')
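The SYN cookie mitigation mentioned above works because the server encodes everything it needs into the initial sequence number of its SYN-ACK and stores nothing until the client's final ACK proves the handshake is genuine. The following is an added illustration of that scheme in Python, not code from the slides or from any kernel: the cookie layout (8-bit time counter, 24-bit keyed-hash field with the MSS index folded in), the MSS table and the 64-second tick are modelled on the classic design, but the HMAC-SHA256 hash and the secret are constructed for the example.

```python
import hashlib
import hmac

# MSS values that can be encoded in the low-order "index" bits of the cookie
# (a short table, as real implementations use).
MSS_TABLE = (536, 1300, 1440, 1460)

COOKIE_TICK_SECONDS = 64    # the time counter advances once per 64 s
MAX_COOKIE_AGE_TICKS = 2    # cookies from the current and the two previous ticks are accepted


def _cookie_hash(secret, saddr, daddr, sport, dport, count):
    """Keyed hash of the 4-tuple and a counter, truncated to 32 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def _mss_index(mss):
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server side: build the ISN of the SYN-ACK so that no connection state is stored.
    Layout (mod 2^32): H1 + client_isn + (count << 24) + ((H2 + mss_index) mod 2^24)."""
    count = int(now) // COOKIE_TICK_SECONDS
    h1 = _cookie_hash(secret, saddr, daddr, sport, dport, 0)
    h2 = _cookie_hash(secret, saddr, daddr, sport, dport, count)
    low = (h2 + _mss_index(mss)) & 0xFFFFFF
    return (h1 + client_isn + (count << 24) + low) & 0xFFFFFFFF


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Server side: recover the MSS from a cookie, or None if it is forged or stale."""
    count_now = int(now) // COOKIE_TICK_SECONDS
    h1 = _cookie_hash(secret, saddr, daddr, sport, dport, 0)
    value = (cookie - h1 - client_isn) & 0xFFFFFFFF
    age = (count_now - (value >> 24)) & 0xFF          # counter lives in the top 8 bits
    if age > MAX_COOKIE_AGE_TICKS:
        return None
    count = count_now - age
    h2 = _cookie_hash(secret, saddr, daddr, sport, dport, count)
    idx = ((value & 0xFFFFFF) - h2) & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]


def accept_final_ack(secret, saddr, daddr, sport, dport, ack_seq, ack_ack, now):
    """The third handshake packet carries seq = client_isn + 1 and ack = cookie + 1;
    return the MSS to use for the new connection, or None to drop the packet."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    return check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now)
```

The cost of the trick is visible in the code: only a few bits are left for TCP options (here just an MSS index), and a cookie is accepted for a couple of ticks, so a guessed ACK has roughly a 2^-24 chance of passing per (MSS index) value. Production stacks therefore turn cookies on only once the SYN backlog is actually full rather than for every connection.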

Page 8: DDoS Attack

UDP Flood

● The target is any server that uses UDP at the transport layer.

● Example: DNS, TFTP, SysLog, NTP, etc.

● UDP is connectionless: it doesn't maintain any state.

● Flooding the victim with UDP packets overwhelms the application service running on top of the OS.

PkU = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/IP(ttl=32,dst='10.1.1.2')/UDP(sport=RandShort(),dport=53)

Page 9: DDoS Attack

SSL Flood

● The target is any server that uses SSL/TLS to secure the connection.

● Example: HTTPS, SSH, VPN, etc.

● Popularly launched by the PushDo botnet.

● During the client key exchange in the SSL handshake, the client sends bogus data instead of a valid key.

● To send a valid pre-master secret, the client must compute X^Y mod N (a modular exponentiation), no matter whether the key exchange is RSA, DHE or ECDHE; the server has to do the equally expensive computation on whatever it receives before it can tell the data is bogus.

● Can be mitigated by outsourcing the computation (process outsourcing) or by a TLS puzzle.

Page 10: DDoS Attack

HTTP Flood

● The target is a web server.

● Example: Apache, NGINX, IIS

● Popularly launched by LOIC, HOIC, HTTPerf

PkH = Ether(src="0a:00:27:00:00:00",dst="08:00:27:67:f9:1a")/IP(ttl=32,src='10.1.1.1',dst='10.1.1.2')/TCP(seq=1111,ack=2222,sport=12098,dport=80)/"GET / HTTP/1.0 \r\n\r\n"

Page 11: DDoS Attack

Non-Vulnerability/Misuse Attack

● Misusing a legitimate feature of a system to mount a DoS attack against it.

● Example

– HTTP Post flood

– SSL Renegotiation

– TCP SYN Flood → already covered under flood attacks

Page 12: DDoS Attack

HTTP POST Flood

● The target is a web server; this is a type of HTTP flood attack.

● Any server that performs back-end operations with POST data is affected.

● Web applications often process POST data against a database.

– Example: Login, Registration, Ticket Booking, etc.

● The web server and database server then tend to execute expensive operations.

● It can be prevented by using a hash-based interactive puzzle integrated with form submission.
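The hash-based interactive puzzle mentioned as the mitigation (and again as the SETS client-puzzle work on the last page) makes each form submission cost the client some CPU before the server does any database work. The code below is an added example of that idea, not the SETS implementation: the challenge fields, the HMAC binding to form and client address, the SHA-256 leading-zero-bits criterion, the 12-bit difficulty and the secret are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def meets_difficulty(nonce, solution, bits):
    """True if SHA-256(nonce ':' solution) starts with at least `bits` zero bits."""
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return _leading_zero_bits(digest) >= bits


class PuzzleServer:
    """Issues puzzles when the form is rendered and checks them when it is submitted.
    The server keeps no per-client state except the set of nonces already spent."""

    def __init__(self, secret, difficulty_bits=12, ttl_seconds=120):
        self.secret = secret
        self.difficulty = difficulty_bits
        self.ttl = ttl_seconds
        self.spent = set()

    def _tag(self, form_id, client_ip, nonce, expiry):
        # HMAC binds the challenge to the form, the client and its expiry so that
        # a solution cannot be moved to another form, client or time window.
        msg = f"{form_id}|{client_ip}|{nonce}|{expiry}|{self.difficulty}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, form_id, client_ip, now=None):
        """Challenge to embed as hidden fields in the HTML form."""
        now = time.time() if now is None else now
        nonce = os.urandom(16).hex()
        expiry = int(now) + self.ttl
        return {"nonce": nonce, "bits": self.difficulty, "expiry": expiry,
                "tag": self._tag(form_id, client_ip, nonce, expiry)}

    def verify(self, form_id, client_ip, submission, now=None):
        """Check the submitted form fields before any database work is done."""
        now = time.time() if now is None else now
        try:
            nonce = str(submission["nonce"])
            expiry = int(submission["expiry"])
            tag = str(submission["tag"])
            solution = int(submission["solution"])
        except (KeyError, TypeError, ValueError):
            return False
        if not hmac.compare_digest(tag, self._tag(form_id, client_ip, nonce, expiry)):
            return False
        if now > expiry or nonce in self.spent:
            return False
        if not meets_difficulty(nonce, solution, self.difficulty):
            return False
        self.spent.add(nonce)          # single use: the same solution cannot be replayed
        return True


def solve_puzzle(challenge):
    """Client side (what the form's script would do): brute-force a counter.
    Expected work is about 2**bits hashes, so 12 bits is a few thousand hashes."""
    counter = 0
    while not meets_difficulty(challenge["nonce"], counter, challenge["bits"]):
        counter += 1
    return counter
```

Verification costs the server one HMAC and one SHA-256, while each submission costs the client thousands of hashes, which is the asymmetry that blunts a POST flood. The difficulty can be raised per source address or globally while a flood is in progress, and the spent-nonce set should be bounded by the TTL (entries past their expiry can be dropped) so it does not itself become a memory-exhaustion target.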

Page 13: DDoS Attack

SSL Renegotiation Attack

● The target is any SSL application with renegotiation support.

● Often launched using THC-SSL-DOS

● Immediately after establishing a new SSL session, the parameters of the session are renegotiated continuously, again and again, to exhaust the server's resources.

● Apache was vulnerable to this attack, but it can be prevented using a configuration keyword in apache.conf:

– SSLRenegotiation off

Page 14: DDoS Attack

State-of-the-art DDoS mitigation software/systems are developed at SETS

● HTTP POST flood mitigation using an interactive client puzzle integrated with the HTML form

● Protection for entire cloud-based/individual web hosting using a platform/client-independent Puzzle R-Proxy service

● Alleviating SSL attacks using a crypto-chip platform

● And work is progressing to mitigate other attacks too.