DDoS Attack
0 likes749 views
The document discusses denial of service (DoS) attacks and methods of mitigation. It describes various types of DoS attacks including flooding attacks like TCP SYN floods and UDP floods that exhaust server bandwidth or resources. Other attacks discussed include HTTP floods, SSL handshake floods, and attacks that exploit vulnerabilities or misuse features like HTTP POST floods and SSL renegotiation attacks. State-of-the-art mitigation techniques mentioned include DoS mitigation software developed by the Society for Electronic Transactions & Security that use techniques like client puzzles to protect against various application layer attacks.
DDoS Attack
- 1. DoS Attack and Mitigation by Gopi Krishnan S Society for Electronic Transactions & Security
- 2. Denial of Service Attack ● To make the victim server to deny the service to intended clients. It is often done by keeping the server busy in handling meaningless request. ● It is achieved by exhausting either the bandwidth of communication channel or computational resource available on the server.
- 3. Analogy You are visiting a hotel to have dinner – Hotel has only one server person. When we ask for menu card to order food, the others interrupt the server person and chat unnecessarily. Result: You are the one with intention to get service, but not getting it; because the server is busy in responding others.
- 4. (D)DoS Attack perspective ● From Server – Flood Attack – S(L)ow Attack – Vulnerability Exploitation Attack – Non-Vulnerability/Misuse Attack ● From Client – Reflected DDoS Attack – Spoofed DDoS Attack – Exploit based (D)DoS Attack
- 5. Flooding Attack ● Flooding attack is a kind of resource exhaustion attack. ● An attacker floods the victim with many packet than it could handle. ● Flooding Attack can be done at various layers of OSI model to take-down different devices. ● Example: – MAC Flooding, TCP SYN Flood, UDP Flood, SSL Handshake Flood, HTTP Flood
- 6. MAC Flood ● The target is Ethernet switch. ● Hub will broadcast all the packet and results in data leak. ● To devoid potential risk of data leak, an Ethernet switch is used instead of hub. ● MAC flood overflows the buffer of Ethernet switch and makes it acts like a hub, results in data leak. PkM = (Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/ ARP(op=2, psrc="0.0.0.0", hwdst="ff:ff:ff:ff:ff:ff"))
- 7. TCP SYN Flood ● The target is any server uses TCP in transport layer. ● Example: HTTP, FTP, SMTP, IRC, etc. ● In TCP Handshake, SYN is the first packet in 3-Way handshake. ● Flooding victim with TCP SYN packet leaves too much of half open connection. ● Attack can be mitigated using TCP SYN Cookie. PkT = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/ IP(ttl=32,dst='10.1.1.2')/ TCP(sport=RandShort(),dport=80,flags='S')
- 8. UDP Flood ● The target is any server uses UDP in transport layer. ● Example: DNS, TFTP, SysLog, NTP, etc. ● UDP is connectionless – It doesn't maintain any state. ● Flooding victim with UDP overwhelms the application service running on top of OS. PkU = Ether(src=RandMAC(),dst="08:00:27:67:f9:1a")/ IP(ttl=32,dst='10.1.1.2')/ UDP(sport=RandShort(),dport=53)
- 9. SSL Flood ● The target is any server uses SSL/TLS to secure the connection. ● Example: HTTPS, SSH, VPN, etc. ● Popularly launched by PushDo botnet. ● During client key exchange in SSL Handshake, a client would send a bogus data instead of sending the valid key. ● To send a valid pre-master secret, the client must compute XY mod N , – no matter RSA or DHE or ECDHE Protocol. ● Can be mitigated by process outsourcing or TLS puzzle.
- 10. HTTP Flood ● The target is Web Server ● Example: Apache, NGINX, IIS ● Popularly launched by LOIC, HOIC, HTTPerf PkH = Ether(src="0a:00:27:00:00:00", dst="08:00:27:67:f9:1a")/ IP(ttl=32,src='10.1.1.1',dst='10.1.1.2')/ TCP(seq=1111,ack=2222, sport=12098,dport=80)/ "GET / HTTP/1.0 rnrn"
- 11. Non-Vulnerability/Misuse Attack ● Misusing the feature of a system to DoS attack it. ● Example – HTTP Post flood – SSL Renegotiation – TCP Syn Flood → Already covered in flood attack
- 12. HTTP POST Flood ● The target is Web Server – a type of HTTP Flood attack. ● Any server that performs back-end operations with POST data. ● Often web applications process POST data with database. – Example: Login, Registration, Ticket Booking, etc ● Web server and database server tends to execute expensive operation. ● It can be prevented by using HASH based interactive puzzle integrated with form submission.
- 13. SSL Renegotiation Attack ● The target is any SSL Application with Renegotiation support. ● Often launched using THC-SSL-DOS ● Immediately after establishing a new SSL session, parameters for the SSL session are renegotiated continuously again and again to exhaust the server resource. ● Apache was vulnerable to this attack; but can be prevented using configuration keyword in apache.conf – SSLRenegotiation off
- 14. State-of-Art DDoS mitigation software/systems are developed at SETS ● HTTP Post Flood mitigation using interactive client-puzzle integrated with HTML form ● Protection for entire cloud based/individual web hosting using platform/client independent Puzzle R-Proxy service ● Alleviating SSL attacks using Crypto-chip platform ● And progressing to mitigate other attacks too.