21
Denial of Service (DoS) Technical Primer Chris McNab Principal Consultant, Matta Security Limited [email protected]

Denail of Service

Tags:

Embed Size (px)

Citation preview

Page 1: Denail of Service

Denial of Service (DoS)Technical Primer

Chris McNab

Principal Consultant, Matta Security Limited

[email protected]

Page 2: Denail of Service

Topics Covered

What is Denial of Service?What is Denial of Service?

Categories and types of Denial of Service attacksCategories and types of Denial of Service attacksDirect Denial of Service attacksDirect Denial of Service attacks

Single-tier attacksSingle-tier attacks Dual-tier attacksDual-tier attacks Triple-tier 'distributed' attacksTriple-tier 'distributed' attacks

Indirect Denial of Service attacksIndirect Denial of Service attacks The LoveBug virusThe LoveBug virus Code Red and Nimda wormsCode Red and Nimda worms

Denial of Service prevention strategies and resourcesDenial of Service prevention strategies and resources

Page 3: Denail of Service

What is Denial of Service?

Denial of Service (refered to as DoS for the remainder of this presentation), is a computer or network state which is induced purposefully by an attacker to inhibit that computer or network's ability to function correctly and provide service.

DoS attacks are launched on the Internet landscape in network form, where the attacking computer sends crafted network packets (TCP, UDP or ICMP) to the target host.

Page 4: Denail of Service

The Underlying DoS Concept

As with any form of 'hack attack', a vulnerability is exploited so that the attacker can change the operating state of a machine. Early Microsoft Windows 95 machines were vulnerable to 'winnuke' and 'ping of death' attacks, where theTCP/IP stack implemented by Microsoft was simple and could not handle large fragmented packets or out-of-bound data correctly. Hackers wrote simple programs that sent crafted out-of-bound and fragmented packets to the target IP address, causing it to crash and display the infamous 'blue screen of death'.

Other attack types take advantage of vulnerabilities at network level with the way that the Internet sends data between networks and responds to certain data..

Page 5: Denail of Service

Direct and Indirect DoS

Internet-based network attacks can be categorised in Internet-based network attacks can be categorised in two ways..two ways..

Direct DoS attack model, where a specific DoS Direct DoS attack model, where a specific DoS system is developed and rolled out by an attacker system is developed and rolled out by an attacker with an aim to take down a specific network or with an aim to take down a specific network or computer.computer.

Indirect DoS attack model, where a worm or virus Indirect DoS attack model, where a worm or virus is at large in the wild, which causes DoS and is at large in the wild, which causes DoS and disruption as a result of its spreading.disruption as a result of its spreading.

Page 6: Denail of Service

Direct DoS Attack Systems

Over the years, direct DoS attack systems have Over the years, direct DoS attack systems have improved -improved -

1990 - 19971990 - 1997 single-tier DoS attack systemssingle-tier DoS attack systems late 1997late 1997 dual-tier DoS attack systemsdual-tier DoS attack systems1998 – 20001998 – 2000 triple-tier DoS attack systemstriple-tier DoS attack systems

An interesting fact is that AllAn interesting fact is that All direct DoS attack direct DoS attack systems originate and were developed by users of systems originate and were developed by users of Internet Relay Chat (IRC) networks, in some cases to Internet Relay Chat (IRC) networks, in some cases to specifically take down IRC servers (with dual & triple-specifically take down IRC servers (with dual & triple-tier attacks).tier attacks).

Page 7: Denail of Service

Direct Single-tier DoS Attacks

– Straightforward 'point-to-point' attackStraightforward 'point-to-point' attack

– Application / system level vulnerabilities abusedApplication / system level vulnerabilities abused

– If no application / system level vulnerabilities exist, If no application / system level vulnerabilities exist, brute force is used by attackers with more brute force is used by attackers with more bandwidth than the victimbandwidth than the victim

– ExamplesExamples•Ping of DeathPing of Death•SYN floodsSYN floods•Other malformed packet attacksOther malformed packet attacks

Page 8: Denail of Service
Page 9: Denail of Service
Page 10: Denail of Service

Protecting Against Direct Single-tier DoS Attacks

Ensuring all relevant security hotfixes and service Ensuring all relevant security hotfixes and service packs are installed on your hosts to prevent packs are installed on your hosts to prevent system level attacks through malformed packets.system level attacks through malformed packets.

Deploying a personal IDS or firewall system if Deploying a personal IDS or firewall system if you're using a dialup, to identify the sources of you're using a dialup, to identify the sources of attacks and protect in most cases.attacks and protect in most cases.

Page 11: Denail of Service

Direct Dual-tier DoS Attacks

More complex attack modelMore complex attack modelNetwork level vulnerabilities abusedNetwork level vulnerabilities abused

Misconfigured network broadcastsMisconfigured network broadcastsDifficult for victim to trace and identify attackerDifficult for victim to trace and identify attackerExamplesExamples

SmurfSmurf

Page 12: Denail of Service
Page 13: Denail of Service

Protecting Against Direct Dual-tier DoS Attacks

Prevention at the source, ensuring that your Prevention at the source, ensuring that your networks are not misconfigured to be used as networks are not misconfigured to be used as 'smurf amplifiers'.'smurf amplifiers'.

Deploying a network-based IDS to identify DoS Deploying a network-based IDS to identify DoS attempts and identify the attacker himself by attempts and identify the attacker himself by analysing network traffic at the time of the attack.analysing network traffic at the time of the attack.

Ensuring you have a contact detail at your ISP in Ensuring you have a contact detail at your ISP in order to quickly block packets from misconfigured order to quickly block packets from misconfigured networks in the event of a serious attack.networks in the event of a serious attack.

Page 14: Denail of Service

Direct Triple-tier DDoS Attacks

Highly complex attack model, known as Distributed Highly complex attack model, known as Distributed Denial of Service (DDoS).Denial of Service (DDoS).

DDoS exploits vulnerabilities in the very fabric of the DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your Internet, making it virtually impossible to protect your networks against this level of attack.networks against this level of attack.

Extremely dangerous attack type. When Yahoo! Came Extremely dangerous attack type. When Yahoo! Came under attack from a DDoS flood network in the summer of under attack from a DDoS flood network in the summer of 2000, it saw over 1Gbit of network traffic being sent to it's 2000, it saw over 1Gbit of network traffic being sent to it's web farm.web farm.

ExamplesExamples TFN2KTFN2K StacheldrahtStacheldraht MstreamMstream

Page 15: Denail of Service

The Components of a DDoS Flood Network

AttackerAttacker Often a hacker with good networking and routing Often a hacker with good networking and routing

knowledge.knowledge. Master serversMaster servers

Handful of backdoored machines running DDoS Handful of backdoored machines running DDoS master software, controlling and keeping track of master software, controlling and keeping track of available zombie hosts.available zombie hosts.

Often master servers exist on very fast Internet Often master servers exist on very fast Internet connections, so that they can quickly process and connections, so that they can quickly process and communicate attack details with zombie hosts.communicate attack details with zombie hosts.

Zombie hostsZombie hosts Thousands of backdoored hosts over the worldThousands of backdoored hosts over the world

Page 16: Denail of Service
Page 17: Denail of Service

Protecting Against Direct Triple-tier DDoS Attacks

– Prevention at the source, ensuring that your hosts Prevention at the source, ensuring that your hosts are not vulnerable to 'point and click' type are not vulnerable to 'point and click' type automated attacks.automated attacks.

– Deployment of network-based IDS to identify -Deployment of network-based IDS to identify -•Master to Zombie DDoS control trafficMaster to Zombie DDoS control traffic•Zombie to Victim flood attack trafficZombie to Victim flood attack traffic

– Ensuring you have a contact detail at your ISP in Ensuring you have a contact detail at your ISP in order to quickly block packets from zombie hosts order to quickly block packets from zombie hosts and networks in the event of a serious attack.and networks in the event of a serious attack.

– Implementation of a security policy defining how Implementation of a security policy defining how your organisation reacts to these threats your organisation reacts to these threats effectively.effectively.

Page 18: Denail of Service

Indirect DoS Attacks

Indirect DoS attacks come about when a worm of virus Indirect DoS attacks come about when a worm of virus is at large in the wild, which causes DoS and disruption is at large in the wild, which causes DoS and disruption as a result of its spreading.as a result of its spreading.

Examples of worms and viruses which have caused Examples of worms and viruses which have caused indirect DoS in this fashion -indirect DoS in this fashion -

The Love BugThe Love BugCode Red and Code Red IICode Red and Code Red IINimdaNimda

Page 19: Denail of Service

DoS Prevention Strategies

– Create a security policy covering DoS responseCreate a security policy covering DoS response

– Prepare for 100% bandwidth consumption, Prepare for 100% bandwidth consumption, implement back-up lines for data and voice implement back-up lines for data and voice communications in the event of a DoS attackcommunications in the event of a DoS attack

– Ensure your Internet-based network security is at Ensure your Internet-based network security is at a good level to prevent compromises and misuse a good level to prevent compromises and misuse of your networks and bandwidthof your networks and bandwidth

– Embrace Intrusion Detection Systems (IDS) to Embrace Intrusion Detection Systems (IDS) to identify DoS traffic and even the attacker in most identify DoS traffic and even the attacker in most casescases

– Establish good communication channels between Establish good communication channels between you and your ISP to block DoS attacks at Internet-you and your ISP to block DoS attacks at Internet-levellevel

Page 20: Denail of Service

DoS Prevention Resources

The following sites provide guidance when configuring firewalls, The following sites provide guidance when configuring firewalls, IDS and border routers to prevent DoS attacks from being effective IDS and border routers to prevent DoS attacks from being effective --

http://www.nipc.govhttp://www.nipc.govNIPC DoS toolsNIPC DoS tools

http://www.cert.orghttp://www.cert.orgCERT DoS informationCERT DoS information

http://razor.bindview.comhttp://razor.bindview.comRAZOR 'zombie zapper'RAZOR 'zombie zapper'

http://staff.washington.edu/dittrich/misd/ddos/http://staff.washington.edu/dittrich/misd/ddos/Dave Dittrich's DDoS web siteDave Dittrich's DDoS web site

Page 21: Denail of Service

The EndThanks for Listening!

Chris McNab

Principal Consultant, Matta Security Limited

[email protected]


Mastering Service in the Service of Others

Mastering Service in the Service of Others

Business
Capítulo 11 DoS - Denial of Service DDoS - Distributed Denial of Service DRDoS - Distributed Reflection Denial of Service

Capítulo 11 DoS - Denial of Service DDoS - Distributed Denial of Service DRDoS - Distributed Reflection Denial of Service

Documents
Customer Service Transportation/Logistic Strategy Customer Service Definitions Elements of Customer Service Estimating the Benefits of Service Estimating

Customer Service Transportation/Logistic Strategy Customer Service Definitions Elements of Customer Service Estimating the Benefits of Service Estimating

Documents
Service Marketing Strategy. Essentials of Service Marketing

Service Marketing Strategy. Essentials of Service Marketing

Marketing
hotsaucc.files.wordpress.com · service failure service desiun service encounter service quality What is the meaning of' the term 'moment-of-truth' Il) a service ... Propose fivc

hotsaucc.files.wordpress.com · service failure service desiun service encounter service quality What is the meaning of' the term 'moment-of-truth' Il) a service ... Propose fivc

Documents
Service Innovation and Design Challenges of Service Innovation and Design New Service Development Processes Types of Service Innovations Stages in Service

Service Innovation and Design Challenges of Service Innovation and Design New Service Development Processes Types of Service Innovations Stages in Service

Documents
SERVICE WORKS - Gazsurfgazsurf.com/images/pdf/service-works.pdf · One of the leading categories of GazSurf service works is technical service of ... service and operational manuals

SERVICE WORKS - Gazsurfgazsurf.com/images/pdf/service-works.pdf · One of the leading categories of GazSurf service works is technical service of ... service and operational manuals

Documents
Oberseminar: Multimediale Kommunikation Thema: Quality of Service, Class of Service

Oberseminar: Multimediale Kommunikation Thema: Quality of Service, Class of Service

Documents
Challenges of Service Design & New Service Development

Challenges of Service Design & New Service Development

Documents
The Theosophical Order of Service: the ideal of altruistic service

The Theosophical Order of Service: the ideal of altruistic service

Documents
Denial Of Service Attacksgabriel/files/DDOSFIST2004.pdfOctober’ 2004 by gaby@tau.uab.es Denial Of service attacks 6 Denial Of service attacks III Definitions: Denial Of Service (DOS)

Denial Of Service Attacksgabriel/files/DDOSFIST2004.pdfOctober’ 2004 by [email protected] Denial Of service attacks 6 Denial Of service attacks III Definitions: Denial Of Service (DOS)

Documents
Holy Communion Order of Service and Service of The Word

Holy Communion Order of Service and Service of The Word

Documents
Service dimensions of service quality impacting customer

Service dimensions of service quality impacting customer

Documents
Denial of Service - Service Provider Overview

Denial of Service - Service Provider Overview

Technology
The Service Catalog: Cornerstone of Service Management

The Service Catalog: Cornerstone of Service Management

Technology
Service Learning Describe service learning. Define and identify community needs. Understand components of service learning. Describe the goals of service

Service Learning Describe service learning. Define and identify community needs. Understand components of service learning. Describe the goals of service

Documents
Service Tax - Taxability of Service

Service Tax - Taxability of Service

Law
Paid Time Off/Paid Parental Leave Programs & …...7-8 years of service 9-10 years of service 11-15 years of service 16-19 years of service 20+ years of service Annual Number of PTO

Paid Time Off/Paid Parental Leave Programs & …...7-8 years of service 9-10 years of service 11-15 years of service 16-19 years of service 20+ years of service Annual Number of PTO

Documents
Menu of Service Opportunities. The Menu of Service Opportunities is a recommended list of service priorities for clubs and districts. The Menu of Service

Menu of Service Opportunities. The Menu of Service Opportunities is a recommended list of service priorities for clubs and districts. The Menu of Service

Documents
Quality of Service and Denial of Service - Swincaia.swin.edu.au/ripqos/20030827-qos-dos.pdf · Quality of Service and Denial of Service ... – network congestion • QoS is only

Quality of Service and Denial of Service - Swincaia.swin.edu.au/ripqos/20030827-qos-dos.pdf · Quality of Service and Denial of Service ... – network congestion • QoS is only

Documents
FUNERAL PLANNING GUIDE - Capuchin … PLANNING GUIDE C-2 VIGIL SERVICE Time of service _____ Presider _____ Form of Vigil Service Word Service _____ …

FUNERAL PLANNING GUIDE - Capuchin … PLANNING GUIDE C-2 VIGIL SERVICE Time of service _____ Presider _____ Form of Vigil Service Word Service _____ …

Documents
Order of service for Advent Carol Service

Order of service for Advent Carol Service

Documents
Jurisdiction and Service of Process – Summary of Service

Jurisdiction and Service of Process – Summary of Service

Documents
PUBLIC SERVICE (1995) - Public Service Act 13 of 1995 ... SERVICE (1995) - Public Service Act... · Public Service Act 13 of 1995 Amendment of Schedules 1 and 2 to Public Service

PUBLIC SERVICE (1995) - Public Service Act 13 of 1995 ... SERVICE (1995) - Public Service Act... · Public Service Act 13 of 1995 Amendment of Schedules 1 and 2 to Public Service

Documents
ANALYSIS OF PRE-SERVICE AND IN-SERVICE VIEWS OF EVOLUTION ... · ANALYSIS OF PRE-SERVICE AND IN-SERVICE VIEWS OF EVOLUTION OF SERBIAN TEACHERS ... Abstract – We analysed the potential

ANALYSIS OF PRE-SERVICE AND IN-SERVICE VIEWS OF EVOLUTION ... · ANALYSIS OF PRE-SERVICE AND IN-SERVICE VIEWS OF EVOLUTION OF SERBIAN TEACHERS ... Abstract – We analysed the potential

Documents
Improving Service Design & Service Transition Phases of

Improving Service Design & Service Transition Phases of

Documents
The Experience of Community Service. Experience of Community Service

The Experience of Community Service. Experience of Community Service

Documents
Key competences of Service / Service System innovation

Key competences of Service / Service System innovation

Documents
s3.amazonaws.com€¦ · Web viewFebruary 6 - Service of Holy CommunionFebruary 13- Service of the WordFebruary 20- Service of Holy CommunionFebruary 27- Service of the Word ANNUAL

s3.amazonaws.com€¦ · Web viewFebruary 6 - Service of Holy CommunionFebruary 13- Service of the WordFebruary 20- Service of Holy CommunionFebruary 27- Service of the Word ANNUAL

Documents
customer service of sai service

customer service of sai service

Documents