Week5 CS-P
Computer Security Fundamentals
by Chuck Easttom
Chapter 4 Denial of Service Attacks
*
© 2016 Pearson, Inc. Chapter 4 Denial of Service Attacks
*
Chapter 4 Objectives
- Understand how DoS attacks are accomplished
- Know how certain DoS attacks work
- Protect against DoS attacks
- Defend against specific DoS attacks
*
Understand how denial-of-service (DoS) attacks are accomplished.
Know how certain DoS attacks work, such as SYN flood, Smurf, and DDoS.
Take specific measures to protect against DoS attacks.
Know how to defend against specific DoS attacks.
*
Introduction
- Denial-of-Service Attacks
- One of the most common types of attacks
- Prevent legitimate users from accessing the system
- Know how it works
- Know how to stop it
*
Second only to virus/worm attacks are denial-of-service attacks.
The goal is to prevent legitimate users from accessing a system.
You must understand how it works and how to stop it.
*
Introduction (cont.)
- Computers have physical limitations
- Number of users
- Size of files
- Speed of transmission
- Amount of data stored
- Exceed any of these limits and the computer will cease to respond
*
Computers have physical limitations
Number of simultaneous users
Size of files
Speed of data transmission
Amount of data stored
Exceed any of these operational limits and the computer will cease to respond appropriately.
Only so many cars can go on the highway. If more are allowed, then the safety, speed, and other qualities of highway traffic suffer.
*
Overview
- LOIC
- GUI
- Easy to use
*
These are all free tools available on the Internet.
*
Overview (cont)
- XOIC
- GUI
- Easy to use
*
These are all free tools available on the Internet.
*
Overview (cont.)
- Common Tools Used for DoS
- TFN and TFN2K
- Can perform various protocol floods.
- Master controls agents.
- Agents flood designated targets.
- Communications are encrypted.
- Communications can be hidden in traffic.
- Master can spoof its IP.
*
These are all free tools available on the Internet.
*
Overview (cont.)
- Common Tools Used for DoS
- Stacheldraht
- Combines Trinoo with TFN
- Detects source address forgery
- Performs a variety of attacks
*
The next slide shows Stacheldraht on the Symantec site.
*
Stacheldraht on the Symantec site
Overview (cont.)
*
This slide shows Stacheldraht on the Symantec site.
*
Overview (cont.)
- DoS Weaknesses
- The flood must be sustained.
- When machines are disinfected, the attack stops.
- Hacker’s own machine is at risk of discovery.
*
Hacker must successfully spoof the source IP.
The flood must be sustained.
In a DDoS, as soon as victims’ machines are disinfected, the attack stops.
In a single attack, the hacker’s own machine is at risk of discovery.
*
DoS Attacks
- TCP SYN Flood Attack
- Hacker sends out a SYN packet.
- Receiver must hold space in buffer.
- Bogus SYNs overflow buffer.
*
TCP SYN Flood Attack
Hacker sends out a SYN packet, which wants to open a connection.
Under the TCP specification (IETF RFC 793), the receiver must respond within a certain period of time with a SYN-ACK, holding space in its buffer for the final ACK.
The hacker never sends the final ACK but sends more illegitimate SYNs.
While the receiving system keeps resources open for the ACKs, the bogus SYNs overflow the buffer or overwrite legitimate SYNs already in the buffer.
You might draw the three-way handshake on the board. TCP is a huge topic.
*
DoS Attacks (cont.)
*
DoS Attacks (cont.)
- Methods of Prevention
- SYN Cookies
- Initially no buffer is created.
- Client response is verified using a cookie.
- Only then is the buffer created.
- Resource-intensive.
*
SYN Cookies
This prevents the buffer from being overflowed by bogus SYNs.
At first, upon receipt of a SYN, no buffer is created.
The receiver sends a SYN-ACK containing hashed information in the header.
It then receives the ACK and checks for confirmation of the hash in the header.
Only then is the buffer created, avoiding allocating resources for false SYNs.
However, this is resource-intensive.
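Added example (not from the textbook or these slides): a small Python simulation that puts the listener the slides describe, where every SYN reserves a half-open slot, beside a SYN-cookie listener that stores nothing until the third packet validates. The cookie layout (5-bit counter, 3-bit MSS index, 24-bit HMAC), the secret, the backlog size and every address are assumptions constructed for this demo, not the exact encoding any real kernel uses.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF
# Per-boot secret; a real stack draws this from the kernel RNG and rotates it.
SECRET = b"constructed-demo-secret"          # constructed value for this example


def syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               client_isn: int, counter: int, mss_idx: int) -> int:
    """Return a 32-bit server ISN that is really a MAC over the connection
    4-tuple, the client's ISN and a coarse time counter.
    Assumed layout: 5 bits counter | 3 bits MSS index | 24 bits of HMAC."""
    c = counter & 0x1F
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{c}".encode()
    mac24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (c << 27) | ((mss_idx & 0x7) << 24) | mac24


class BacklogServer:
    """The behaviour the slides describe: every SYN reserves a half-open slot."""
    def __init__(self, backlog: int = 128) -> None:
        self.backlog = backlog
        self.half_open: Dict[tuple, int] = {}
        self.established: List[tuple] = []

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn) -> Optional[dict]:
        if len(self.half_open) >= self.backlog:
            return None                      # backlog full: the SYN is silently dropped
        key = (src_ip, src_port, dst_ip, dst_port)
        self.half_open[key] = 0x1000         # fixed ISN keeps the demo deterministic
        return {"seq": 0x1000, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack) -> bool:
        key = (src_ip, src_port, dst_ip, dst_port)
        isn = self.half_open.pop(key, None)
        if isn is None or ack != ((isn + 1) & MASK32):
            return False
        self.established.append(key[:2])
        return True


class SynCookieServer:
    """Hardened form: no state until the third packet carries a valid cookie."""
    def __init__(self) -> None:
        self.counter = 0                     # advances every ~64 s in real stacks
        self.established: List[tuple] = []

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn) -> dict:
        cookie = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, self.counter, mss_idx=2)
        return {"seq": cookie, "ack": (client_isn + 1) & MASK32}   # nothing stored

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack) -> bool:
        cookie = (ack - 1) & MASK32          # the client echoes our ISN + 1
        client_isn = (seq - 1) & MASK32      # and its own ISN + 1
        counter, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
        if (self.counter - counter) & 0x1F > 1:
            return False                     # cookie older than one counter tick
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter, mss_idx)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return False                     # forged or replayed ACK
        self.established.append((src_ip, src_port))
        return True


def simulate(flood_syns: int = 1000) -> dict:
    """Send both listeners a flood of SYNs that never complete, then let one
    legitimate client connect. All addresses are constructed (RFC 5737 ranges)."""
    victim = ("198.51.100.10", 80)
    naive, cookie = BacklogServer(backlog=128), SynCookieServer()
    for i in range(flood_syns):
        spoofed = (f"203.0.113.{i % 250 + 1}", 1024 + i)
        naive.on_syn(*spoofed, *victim, client_isn=i * 7919)
        cookie.on_syn(*spoofed, *victim, client_isn=i * 7919)
    client = ("192.0.2.5", 51515)
    naive_ok = False
    naive_synack = naive.on_syn(*client, *victim, client_isn=1000)
    if naive_synack is not None:
        naive_ok = naive.on_ack(*client, *victim, seq=1001, ack=(naive_synack["seq"] + 1) & MASK32)
    synack = cookie.on_syn(*client, *victim, client_isn=1000)
    cookie_ok = cookie.on_ack(*client, *victim, seq=1001, ack=(synack["seq"] + 1) & MASK32)
    forged_ok = cookie.on_ack("192.0.2.6", 51516, *victim, seq=1, ack=12345)
    return {"naive_half_open": len(naive.half_open), "naive_accepted": naive_ok,
            "cookie_accepted": cookie_ok, "forged_accepted": forged_ok}


if __name__ == "__main__":
    print(simulate())
```

The backlog listener ends with its 128 slots held by SYNs that will never be answered, so the real client's SYN is dropped; the cookie listener keeps no half-open table at all, accepts the client whose ACK carries a valid cookie, and rejects a forged ACK because its 24-bit MAC does not verify. The cost the slide calls "resource-intensive" is visible too: every ACK requires recomputing the HMAC, and the cookie has no room to carry TCP options beyond the MSS index.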
*
DoS Attacks (cont.)
- Methods of Prevention
- RST Cookies
- Sends a false SYNACK back
- Should receive an RST in reply
- Verifies that the host is legitimate
- Not compatible with Windows 95
*
RST Cookies
Sends a false SYNACK back.
Should receive an RST back if original SYN were legitimate.
Can now accept connections from that host because it is legitimate.
Easier to implement but not compatible with Windows 95. Still not the easiest method to use.
*
DoS Attacks (cont.)
- Methods of Prevention
- Stack Tweaking
- Complex method
- Alters TCP stack
- Makes attack difficult but not impossible
*
Check the information in the FYI on page 92.
*
DoS Attacks (cont.)
- Smurf IP Attack
- Hacker sends out ICMP broadcast with spoofed source IP.
- Intermediaries respond with replies.
- ICMP echo replies flood victim.
- The network performs a DDoS on itself.
*
Smurf IP Attack
Hacker sends out an ICMP broadcast with a spoofed source IP.
Hacker sends out ping packets.
Spoofed source IP is that of actual victim.
Intermediaries, who are broadcast recipients, respond to ICMP with replies.
ICMP echo replies flood victim because of spoofed source IP.
The network can perform a DDoS on one of its own!
*
CERT listing on Smurf attacks
DoS Attacks (cont.)
*
CERT, a great source of information, has this listing on smurf attacks.
*
DoS Attacks (cont.)
- Protection against Smurf attacks
- Guard against Trojans.
- Have adequate AV software.
- Utilize proxy servers.
- Ensure routers don’t forward ICMP broadcasts.
*
DoS Attacks (cont.)
- UDP Flood Attack
- Hacker sends UDP packets to a random port
- Generates illegitimate UDP packets
- Causes system to tie up resources sending back packets
*
UDP Flood Attack
Hacker sends UDP packets to a random port.
Because there is no service waiting on that port, system generates ICMP packet as “destination unreachable.”
A flood of illegitimate UDP packets can cause a system to tie up resources sending back ICMP packets.
Standard DoS attack; slows down by tying up system resources.
*
DoS Attacks (cont.)
- ICMP Flood Attack
- Floods – Broadcasts of pings or UDP packets
- Nukes – Exploit known bugs in operating systems
*
Another standard DoS attack.
*
DoS Attacks (cont.)
- The Ping of Death (PoD)
- Sending a single large packet.
- Most operating systems today avoid this vulnerability.
- Still, keep system patched.
*
Most systems today do not have this vulnerability anymore.
*
DoS Attacks (cont.)
- Teardrop Attack
- Hacker sends a fragmented message
- Victim system attempts to reconstruct message
- Causes system to halt or crash
*
Teardrop Attack
Hacker sends a fragmented message. The header has been crafted to instruct the receiving system to reassemble the packets in one of two ways:
- To overlap the fragments, perhaps crashing the target
- To leave a gap in the message, with the same result
Fragmentation is used when the packets must pass along various media types with differing MTUs, which may necessitate fragmenting or chopping up larger packets.
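Added example (not from the textbook or these slides): a Python fragment validator showing the check a receiving stack needs before it copies fragments into a reassembly buffer. It rejects the two Teardrop shapes the notes describe, overlapping fragments and a gap in the message, and also the oversize total that the Ping of Death relies on. Offsets are given in bytes for readability (real IPv4 headers count them in 8-byte units), and the fragment sets are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_DATAGRAM = 65535   # IPv4 total-length limit; exceeding it is the Ping of Death case


@dataclass(frozen=True)
class Fragment:
    offset: int        # byte offset of this payload within the original datagram
    more: bool         # the IP "more fragments" flag; False marks the final fragment
    payload: bytes


def check_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Validate a complete fragment set before any reassembly buffer is written.
    Returns (ok, reason); rejects overlaps, gaps, oversize totals and bad flags."""
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0                            # next byte we expect a fragment to start at
    for f in ordered:
        if f.offset < 0 or not f.payload:
            return False, "malformed fragment"
        if f.offset < expected:
            return False, f"overlap at offset {f.offset}"      # Teardrop: fragments overlap
        if f.offset > expected:
            return False, f"gap before offset {f.offset}"      # Teardrop: bytes missing
        expected = f.offset + len(f.payload)
        if expected > MAX_DATAGRAM:
            return False, "datagram exceeds 65535 bytes"       # oversize reassembly
        if not f.more and f is not ordered[-1]:
            return False, "final flag set on a non-final fragment"
    if ordered[-1].more:
        return False, "final fragment missing"
    return True, "ok"


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the datagram payload, or None if the set fails validation."""
    ok, _ = check_fragments(frags)
    if not ok:
        return None
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))


# Constructed fragment sets for the example (arrival order is deliberately shuffled)
GOOD = [Fragment(16, True, b"B" * 16), Fragment(0, True, b"A" * 16), Fragment(32, False, b"C" * 8)]
OVERLAP = [Fragment(0, True, b"A" * 16), Fragment(8, False, b"B" * 16)]
GAP = [Fragment(0, True, b"A" * 16), Fragment(24, False, b"B" * 8)]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlap", OVERLAP), ("gap", GAP)):
        print(name, check_fragments(frags))
```

The point of the ordering is that the validation runs over the whole set once the final fragment has arrived (or a reassembly timer expires), and nothing is copied until it passes; the crashes the slide mentions came from stacks that computed copy lengths from the attacker's offsets while copying.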
*
DoS Attacks (cont.)
- Land Attack
- Simplest of all attacks
- Hacker sends packet with the same source and destination IP
- System “hangs” attempting to send and receive message
*
Very easy.
*
DoS Attacks (cont.)
- Echo/Chargen Attack
- Echo service sends back whatever it receives.
- Chargen is a character generator.
- Combined, huge amounts of data form an endless loop.
*
Echo/Chargen Attack
Echo is a small service that sends back whatever it receives.
Chargen is a character generator.
A combination of these two UDP services causes a constant loop of large amounts of data, slowing down the system.
Small services are an interesting topic; there are others as well. They are usually for testing purposes.
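Added example (not from the textbook or these slides): detection logic in Python for the flood patterns covered on the Smurf, UDP flood, Land and Echo/Chargen slides, run over a constructed set of packet records of the kind a sensor or flow collector would produce. The internal network, the thresholds and every address are assumptions made for the demo.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed site addressing and thresholds; tune both to the real network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
SMURF_MIN_AMPLIFIERS = 10    # distinct hosts sending echo replies to one target
UDP_FLOOD_MIN_PORTS = 20     # distinct ports one source hits on one target
SMALL_SERVICES = {7, 19}     # UDP echo and chargen
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def detect(packets: List[dict]) -> List[dict]:
    """Scan packet records and return one finding per pattern instance.
    Each record has proto, src, dst and, where relevant, sport/dport or icmp_type."""
    findings: List[dict] = []
    reply_sources: Dict[str, Set[str]] = defaultdict(set)   # victim -> hosts replying to it
    udp_ports: Dict[tuple, Set[int]] = defaultdict(set)     # (src, dst) -> ports hit
    loops_seen: Set[tuple] = set()
    for p in packets:
        # Land: the packet claims to come from the host it is addressed to
        if p["src"] == p["dst"]:
            findings.append({"kind": "land", "target": p["dst"]})
        if p["proto"] == "icmp":
            # Smurf trigger: an echo request aimed at our broadcast address;
            # the (spoofed) source is the intended victim
            if p["icmp_type"] == ICMP_ECHO_REQUEST and \
                    ipaddress.ip_address(p["dst"]) == INTERNAL_NET.broadcast_address:
                findings.append({"kind": "echo_to_broadcast", "target": p["src"]})
            elif p["icmp_type"] == ICMP_ECHO_REPLY:
                reply_sources[p["dst"]].add(p["src"])
        elif p["proto"] == "udp":
            # Echo/chargen loop: one small service talking to another
            if p["sport"] in SMALL_SERVICES and p["dport"] in SMALL_SERVICES:
                pair = tuple(sorted(((p["src"], p["sport"]), (p["dst"], p["dport"]))))
                if pair not in loops_seen:
                    loops_seen.add(pair)
                    findings.append({"kind": "echo_chargen", "target": p["dst"]})
            udp_ports[(p["src"], p["dst"])].add(p["dport"])
    # Smurf outcome: one target receiving echo replies from many amplifiers
    for victim, hosts in reply_sources.items():
        if len(hosts) >= SMURF_MIN_AMPLIFIERS:
            findings.append({"kind": "smurf", "target": victim, "amplifiers": len(hosts)})
    # UDP flood: one source spraying many (mostly closed) ports on one target
    for (src, dst), ports in udp_ports.items():
        if len(ports) >= UDP_FLOOD_MIN_PORTS:
            findings.append({"kind": "udp_flood", "target": dst, "source": src, "ports": len(ports)})
    return findings


def build_sample() -> List[dict]:
    """Constructed packet records: one instance of each pattern plus benign traffic."""
    victim, sprayer = "192.0.2.9", "198.51.100.7"
    pk = [{"proto": "icmp", "src": victim, "dst": "10.0.0.255", "icmp_type": 8}]
    for i in range(1, 21):                                     # 20 amplifiers answer
        pk.append({"proto": "icmp", "src": f"10.0.0.{i}", "dst": victim, "icmp_type": 0})
    for i in range(30):                                        # 30 distinct UDP ports
        pk.append({"proto": "udp", "src": sprayer, "dst": victim,
                   "sport": 40000 + i, "dport": 1000 + (i * 37) % 5000})
    pk.append({"proto": "tcp", "src": victim, "dst": victim, "sport": 139, "dport": 139})
    pk.append({"proto": "udp", "src": "10.0.0.3", "dst": "10.0.0.4", "sport": 7, "dport": 19})
    pk.append({"proto": "udp", "src": "10.0.0.4", "dst": "10.0.0.3", "sport": 19, "dport": 7})
    pk.append({"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.53", "sport": 53001, "dport": 53})
    pk.append({"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.1", "icmp_type": 8})
    return pk


if __name__ == "__main__":
    for finding in detect(build_sample()):
        print(finding)
```

Two of the indicators are worth separating in practice: the echo request to the broadcast address is visible only on the network being used as the amplifier, while the burst of echo replies converging on one host is what the victim's own sensor sees. Seeing the second without the first means some other network is amplifying against you.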
*
Distributed Denial of Service (DDoS)
- Routers communicate on port 179
- Hacker tricks routers into attacking target
- Routers initiate flood of connections with target
- Target system becomes unreachable
*
Cisco border routers and others communicate using the Border Gateway Protocol (BGP) on port 179.
This attack uses the routers as the “man-in-the-middle.”
It could also use other devices on the network.
*
Real-World Examples
- MyDoom
- Worked through e-mail
- Slammer
- Spread without human intervention
*
MyDoom
Virus/worm that repeatedly mailed itself to all entries in a victim’s address book each time the e-mail was opened.
A logic bomb then caused all these hosts to attack www.sco.com at a predetermined time.
Students may remember this one.
Slammer
Fastest-spreading worm ever.
Scanned for MS SQL Server Desktop Engine.
Then exploited a commonly known flaw in that system.
It was particularly vicious because it spread without human intervention.
Its destruction could have been avoided; the patch for this flaw was released weeks before the attack.
*
How to Defend Against DoS Attacks
- In addition to previously mentioned methods
- Configure your firewall to
- Filter out incoming ICMP packets.
- Egress filter for ICMP packets.
- Disallow any incoming traffic.
- Use tools such as NetStat and others.
*
In addition to previously mentioned methods
Configure your firewall to filter out incoming ICMP packets.
Also configure your firewall to egress filter for ICMP packets.
Configure your firewall to disallow any incoming traffic (extreme).
Use tools such as NetStat and others.
Egress filtering is not in the text, but it should not be ignored. You may be a man in the middle and not realize it if you do not filter what is going out of your network! Court cases have established precedents that would allow you to be sued for not doing “due diligence” to control your own network.
*
How to Defend Against DoS Attacks (cont.)
- Disallow traffic not originating within the network.
- Disable all IP broadcasts.
- Filter for external and internal IP addresses.
- Keep AV signatures updated.
- Keep OS and software patches current.
- Have an Acceptable Use Policy.
*
Configure internal routers to disallow traffic that did not originate within the network.
Disable all IP broadcasts.
Filter for external and internal IP addresses on the right side of the router.
Keep AV signatures updated.
Keep OS and software patches current.
Have Acceptable Use Policy that clearly disallows certain behavior.
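Added example (not from the textbook or these slides): a Python model of the border-router policy these defence slides and the Smurf-protection slide describe, so the individual rules can be checked against sample traffic. Ingress drops packets arriving from outside with one of our own source addresses, directed broadcasts, and ICMP echo requests; egress drops packets leaving with a source address that is not ours and echo replies headed outside. The address range and the sample packets are constructed assumptions for the demo.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addressing: the protected site owns 192.0.2.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_directed_broadcast(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(direction: str, src: str, dst: str, proto: str,
                  icmp_type: Optional[int] = None) -> Tuple[str, str]:
    """Border policy for one packet. direction is 'in' (arriving from the
    Internet) or 'out' (leaving the site). Returns (verdict, reason)."""
    if direction == "in":
        if is_internal(src):
            return "drop", "ingress: our own address range as source (spoofed)"
        if is_directed_broadcast(dst):
            return "drop", "ingress: directed broadcast (Smurf amplifier trigger)"
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
            return "drop", "ingress: ICMP echo request from outside"
        return "accept", "ingress: ok"
    if direction == "out":
        if not is_internal(src):
            return "drop", "egress: source not ours (a spoofed flood would leave via us)"
        if proto == "icmp" and icmp_type == ICMP_ECHO_REPLY:
            return "drop", "egress: echo reply to outside (nothing legitimate requested it)"
        return "accept", "egress: ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed traffic for the example, one packet per rule plus two that pass
SAMPLE = [
    dict(direction="in", src="192.0.2.7", dst="192.0.2.10", proto="tcp"),
    dict(direction="in", src="203.0.113.1", dst="192.0.2.255", proto="icmp", icmp_type=8),
    dict(direction="in", src="203.0.113.1", dst="192.0.2.10", proto="icmp", icmp_type=8),
    dict(direction="in", src="203.0.113.1", dst="192.0.2.10", proto="tcp"),
    dict(direction="out", src="203.0.113.5", dst="198.51.100.1", proto="udp"),
    dict(direction="out", src="192.0.2.10", dst="198.51.100.1", proto="icmp", icmp_type=0),
    dict(direction="out", src="192.0.2.10", dst="198.51.100.1", proto="tcp"),
]


def verdicts(packets: List[dict]) -> List[str]:
    return [filter_packet(**p)[0] for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, verdicts(packets=SAMPLE)):
        print(v, filter_packet(**p)[1])
```

The model drops echo requests rather than all inbound ICMP, as the slide proposes, because blocking every ICMP type also discards the "fragmentation needed" messages that path-MTU discovery depends on; the egress rule for echo replies is then safe, since no legitimate request could have reached an internal host to provoke one. The two spoofing rules are the notes' "man in the middle" point made concrete: without the egress check, a compromised internal host can emit packets with any source address and the site becomes someone else's flood.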
*
Summary
- DoS attacks are common.
- DoS attacks are unsophisticated.
- DoS attacks are devastating.
- Your job is constant vigilance.
*