DDoS Attack
Claudia Plantera
I30033
2011.11.18
CyBerwar and Intelligence
Fall 2011
Outline
Definitions
Types of Attack
Victims and Effects
Case Studies
Defense
Definitions
Malware
“Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.”
Virus
“a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a CD. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect and some can be quite harmful, erasing data or causing your hard disk to require reformatting”
Worms
“Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.”
Trojan
“It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.”
Bot
“"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet."”
Denial of Service (DoS) Attack
“an attempt to make a computer resource run out and make it unavailable to its intended users”
DoS Attack
The attacker mounts an attack from a single host
DDoS Attack
The attacker uses many systems to simultaneously launch attacks against a remote host
Zombie Computer
A computer connected to the Internet that has been compromised by a cracker, a computer virus or a trojan and can be used to perform malicious tasks of one sort or another under remote direction.
The attack is amplified in:
• the rate of packets
• the size of packets
• the difficulty of tracing the attack back to the initiating attacker
Attack
General Attack Classification
• Bandwidth Attack: intended to overflow and consume resources available to the victim
• Protocol Attack: takes advantage of the protocol's inherent design
• Logic Attack: attempts to exploit a software program design flaw
DoS Attack
Smurf Attack
• Attacker sends a huge amount of ICMP Echo Requests to the victim
• Once network links become overloaded, all legitimate traffic will be slowed or stopped
• Uses bandwidth consumption to disable a victim's network resources, amplifying the attacker's bandwidth
The Fraggle
• Similar concept to ICMP flooding
• Network slowed to the point where all valid connections are stopped
• Achieves a smaller amplification factor
SYN Flood
– the client sends a SYN packet to the server
– the server sends a SYN-ACK back to the client
– the client sends an ACK back to the server to complete the three-way handshake and establish the TCP connection
SYN Flood
• The attack occurs by the attacker initiating a TCP connection to the server with a SYN (using a legitimate or spoofed source address)
• The server replies with a SYN-ACK
• The client then doesn't send back an ACK, causing the server to allocate memory for the pending connection and wait
• The half-open connections buffer on the victim server will eventually fill
• The system will be unable to accept any new incoming connections until the buffer is emptied out
• There is a timeout associated with a pending connection, so the half-open connections will eventually expire
• The attacking system can continue requesting new connections faster than the victim system can expire the pending connections
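As an added illustration (not part of the original slides), a small Python model of the half-open connection table just described: the only parameters are the backlog size, the pending-connection timeout and the rate of SYNs that never get their ACK, and it shows why the table fills as soon as the SYN rate exceeds backlog divided by timeout, the two knobs a defender can tune.

```python
from collections import deque


def simulate_syn_backlog(backlog_size, timeout, syn_rate, duration):
    """Model a server's half-open (SYN received, no ACK) table under SYNs
    that are never completed.  Time advances in 1-second steps and each step
    brings `syn_rate` new SYNs.  Returns (accepted, dropped, peak_pending)."""
    pending = deque()  # expiry times of half-open entries, oldest first
    accepted = dropped = peak = 0
    for now in range(duration):
        # Entries whose timeout has passed are expired before new SYNs arrive
        while pending and pending[0] <= now:
            pending.popleft()
        for _ in range(syn_rate):
            if len(pending) < backlog_size:
                pending.append(now + timeout)
                accepted += 1
            else:
                dropped += 1  # table full: legitimate SYNs are lost here too
        peak = max(peak, len(pending))
    return accepted, dropped, peak


def sustainable_syn_rate(backlog_size, timeout):
    """Largest steady SYN rate (per second) the table absorbs without drops.
    Each entry lives `timeout` seconds, so once the table is full only
    backlog/timeout new entries per second can be admitted; a larger
    backlog or a shorter timeout raises this limit."""
    return backlog_size / timeout


if __name__ == "__main__":
    # Constructed parameters: a 1024-entry backlog with a 60 s timeout
    for rate in (10, 100):
        acc, drop, peak = simulate_syn_backlog(1024, 60, rate, 120)
        print(f"{rate:>4} SYN/s: accepted={acc} dropped={drop} peak={peak}")
    print("sustainable SYN/s:", sustainable_syn_rate(1024, 60))
```

At 10 SYN/s the table never exceeds 600 entries; at 100 SYN/s it fills within eleven seconds and drops most of what follows until the first batch expires.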
DDoS Attack
How it works
• Attackers recruit multiple zombie machines
• Zombie computers send the attack packets and recruit other machines
• The identity of the subverted machines is hidden through spoofing of the source address field in the attack packets
TrinOO
• Affects Windows and many Unix OS's
• Attacker scans for exploits, gains root, and downloads Trin00 programs
• Attacker -> Master -> Daemon hierarchy (One -> More -> Many)
• Attacker can telnet into a Master to initiate commands, which are distributed amongst its Daemons
• Communication between Master -> Daemon through a password-protected cleartext UDP-based protocol
• Daemons attack the target with a UDP or TCP packet bombardment
Other attacks
TFN and TFN2k
• Smurf attack
• The Fraggle
• SYN flood
• All three at once
Stacheldraht
• Smurf attack
• The Fraggle
• SYN flood
• Encrypted communication between the attacker and the Masters
• The Agents can upgrade their code automatically
Victim & Damage
General Victim Classification
• Application: exploits some feature of a specific application in order to make the use of the resource impossible
• Host: access to the target machine is impossible because its communication mechanisms are overloaded or disabled
• Network: the incoming bandwidth of the target network is consumed
• Infrastructure: targets some distributed service that is crucial for global Internet operation or the operation of a subnetwork
Symptoms
• Unusually slow network performance
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails
Motivation
• Material gain
• Personal reasons (revenge)
• Fame
• Political reasons
Damage
Disruptive
Denies the victim's service to its clients. In the case of recoverable attacks, the victim can recover as soon as the influx of attack traffic stops; if the attack is non-recoverable, human intervention is required.
Degrading
Degrades some portion of a victim's resources. Since this kind of attack doesn't lead to total service disruption, it could remain undetected for a significant period of time.
Case Studies
ROK&US
Estonia
The botnet fooled Estonian network routers into continuously resending useless packets of information to one another, rapidly flooding the infrastructure used to conduct all online business in the country.
Dispute with Russia over the removal of a Soviet-era war memorial, a giant bronze soldier statue, from the center of Tallinn.
• Bank websites became unreachable, paralyzing most of Estonia's financial activity.
• Press sites also came under attack, in an attempt to disable news sources.
• ISPs were overwhelmed, blacking out internet access for significant portions of the population.
• NATO established the alliance's cyber defense research center in Tallinn in 2008.
• Motivated Estonia to call on the European Union to make cyber attacks a criminal offense.
Georgia
Several Russian blogs, forums, and websites spread a Microsoft Windows batch script that was designed to attack Georgian websites.
In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack was directed first at the website of the Georgian president.
The effect was that Georgians could not connect to any outside news or information sources and could not send email out of the country. The aim of the attack was to prevent Georgians from learning what was going on.
Georgia's banking operations were paralyzed. Credit card systems shut down, followed by the mobile phone system.
Defence
Main Problem: Zombie Computers
• patches for software defects that were reported and fixed months ago are never installed
• anti-virus tools are not kept up to date
• computer owners give away control of their computers by indiscriminately running unknown programs
Local Solutions
Local filtering
The victim can try to stop the infiltrating IP packets on the local router by installing a filter to detect them.
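As an added example (not from the original slides), the kind of detection logic a local filter would run, applied to a constructed flow log: it counts SYNs that were never followed by an ACK from the same source, and reports both the repeat offenders and the aggregate unacknowledged-SYN rate, because spoofed sources that each appear only once defeat a per-source threshold. The record format and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records: (seconds, source IP, TCP flag).  Two normal
# clients complete the handshake (SYN then ACK); 203.0.113.5 repeats SYNs
# without acknowledging; the 192.0.2.x entries mimic spoofed sources that
# each appear only once.
CONSTRUCTED_LOG = [
    (0.0, "198.51.100.10", "SYN"), (0.1, "198.51.100.10", "ACK"),
    (0.5, "198.51.100.11", "SYN"), (0.6, "198.51.100.11", "ACK"),
    (1.0, "203.0.113.5", "SYN"), (1.2, "203.0.113.5", "SYN"),
    (1.4, "203.0.113.5", "SYN"), (1.6, "203.0.113.5", "SYN"),
    (2.0, "203.0.113.6", "SYN"), (2.1, "203.0.113.6", "SYN"),
    (3.0, "192.0.2.1", "SYN"), (3.1, "192.0.2.2", "SYN"),
    (3.2, "192.0.2.3", "SYN"), (3.3, "192.0.2.4", "SYN"),
]


def half_open_report(records, window_end, window, min_syns=3):
    """Return (suspect sources, unacknowledged-SYN rate per second) over the
    records with window_end - window <= t <= window_end.

    A source is a suspect when it sent at least `min_syns` SYNs and never
    completed a handshake.  Spoofed flood sources may show up once each, so
    the aggregate rate of SYNs that were never acknowledged is the value a
    router filter or alerting threshold should key on, not the list alone."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for t, src, flag in records:
        if window_end - window <= t <= window_end:
            if flag == "SYN":
                syns[src] += 1
            elif flag == "ACK":
                acks[src] += 1
    suspects = sorted(s for s, n in syns.items() if n >= min_syns and acks[s] == 0)
    # A SYN counts as acknowledged only once per ACK seen from the same source
    unacked = sum(n - min(n, acks[s]) for s, n in syns.items())
    return suspects, unacked / window


if __name__ == "__main__":
    suspects, rate = half_open_report(CONSTRUCTED_LOG, window_end=4.0, window=4.0)
    print("repeat offenders:", suspects)
    print(f"unacknowledged SYNs per second: {rate:.2f}")
```

Only 203.0.113.5 crosses the per-source threshold, yet ten of the twelve SYNs in the window were never acknowledged; the aggregate figure is what reveals the spoofed portion.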
Changing IPs
System administrators must make a series of changes to lead the traffic to the new IP address; once the IP change is completed, all Internet routers will have been informed and edge routers will drop the attacking packets.
Creating client bottlenecks
The aim is to create a bottleneck process on the zombie computers, such as solving a puzzle or answering random questions, before the attacking computer is allowed to establish a connection. This limits the attacking ability because those strategies consume computational power, limiting the attacker in the number of connection requests it can make at the same time.
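As an added example (not from the original slides), one concrete form of the puzzle described above: a hash-based client puzzle in which the client must find a counter whose SHA-256 hash with the challenge has a required number of leading zero bits, while the server verifies with two hashes and keeps no per-client state (the challenge is self-authenticated with an HMAC). The key, client identifier and difficulty are constructed placeholders.

```python
import hashlib
import hmac
import itertools

# Constructed placeholder key; a real server would use a random, rotated key.
SERVER_KEY = b"example-key-do-not-use"


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client: str, difficulty: int, nonce: str) -> str:
    """Server side.  The HMAC tag lets the server recognise its own
    challenge later without storing anything, so the puzzle table itself
    cannot be flooded.  `client` must not contain ':' (IPv4 is fine)."""
    body = f"{client}:{nonce}:{difficulty}"
    tag = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    return f"{body}:{tag}"


def solve_challenge(challenge: str) -> int:
    """Client side: try counters until the hash has enough leading zero
    bits; expected work is about 2**difficulty hashes per connection."""
    difficulty = int(challenge.split(":")[2])
    for counter in itertools.count():
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter


def verify_solution(challenge: str, counter: int) -> bool:
    """Server side: one HMAC plus one SHA-256, whatever the difficulty."""
    client, nonce, difficulty, tag = challenge.split(":")
    body = f"{client}:{nonce}:{difficulty}"
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered challenge (e.g. lowered difficulty)
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(difficulty)


if __name__ == "__main__":
    ch = issue_challenge("198.51.100.10", 12, "cafe0001")  # constructed values
    answer = solve_challenge(ch)
    print("solution:", answer, "accepted:", verify_solution(ch, answer))
```

Raising the difficulty by one bit doubles the client's work while the server's cost stays constant, which is the asymmetry that throttles how many connection requests each zombie can make at once.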
Global Solutions
Improving the security of the entire Internet
Using globally coordinated filters
To prevent the accumulation of a critical mass of attacking packets in time. A victim can send information that it has detected an attack, and the filters can stop attacking packets earlier, preventing the attack from spreading.
Tracing the source IP address
To trace the intruders' path back to the zombie computers and stop their attacks.
Thank you