![27/42
Detecting Distributed Denial of Service
Attacks by Monitoring the Source IP
addresses
• IP addresses in
DDoS
attack traffic did not
appear before.
[Peng et al. 2003]
• Monitoring the traffic
volume is likely to
create high false
positive
• Monitoring the
percentage of new
IP addresses is very
effective in detecting
the attacks](https://image.slidesharecdn.com/dos-220827104245-bcde82ee/85/DoS-ppt-27-320.jpg)
DoS.ppt
- 1. 1/42 Arab Academy for Banking &Financial Sciences Faculty of Information Systems & Technology - Department of CIS Information System Security Ph.D Prepared by : mohammad nassar Prepared To: Dr. lo’ai tawalbeh Denial of Service Attack (DoS)
- 2. 2/42 Learning Objectives TYPES OF ATTACKS. Definitions of DoS and DDoS attacks . Costs of DoS attacks for victim organizations. Classification of DoS attacks. Strategic Firewall Placement. Default Deny. Detecting DDoS Attacks by Monitoring the Source IP addresses. Example. Conclusion.
- 3. 3/42 TYPES OF ATTACKS Nontechnical attack Technical attack Denial-of-service attack Malicious code Sniffing Spoofing Virus Worm Trojan horse
- 4. 4/42 • A DoS (Denial of Service) attack aims at preventing, for legitimate users, authorized access to a system resource . The attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources • DDoS ( distributed Denial of Service attacks) A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer Definitions of DoS and DDoS attacks
- 6. 6/42 INTERNET INSECURITY • Morris worm of 1987 • Password sniffing attacks in 1994 • IP spoofing attacks in 1995 • Denial of service attacks in 1996 • Email borne viruses 1999 • Distributed denial of service attacks 2000 • Fast spreading worms and viruses 2003 • Spam 2004 • … no end in sight • Internet insecurity grows at super-Internet speed • security incidents are growing faster than the Internet (which has • roughly doubled every year since 1988)
- 7. 7/42 Costs of DoS attacks for victim organizations • Denial of Service is currently the most expensive computer crime for victim organizations:
- 8. 8/42 Classification of DoS attacks 1. Bandwidth consumption: Attacks will consume all available network bandwidth 2. Resource starvation: Attacks will consume system resources (mainly CPU, memory, storage space) 3. Programming flaws: Failures of applications or OS components to handle exceptional conditions (i.e. unexpected data is sent to a vulnerable component). 4. Routing and DNS attacks: manipulate routing tables. changing routing tables to route to attacker’s net or black hole. attack to DNS servers, again route to attackers or black hole.
- 9. 9/42 examples Smurf 1. Attacker sends sustained ICMP (availability of host) Echo packets (ping) to broadcast address of the amplifying network, with source address is forged. 2. Since traffic was sent to broadcast address all hosts in the amplifying LAN will answer to the victim’s IP address. Ping of death???
- 10. 10/42 Ping (win XP) C:>ping 64.233.183.103 with 32 bytes of data (yahoo) Reply from 64.233.183.103: bytes=32 time=25ms TTL=245 Reply from 64.233.183.103: bytes=32 time=22ms TTL=245 Reply from 64.233.183.103: bytes=32 time=25ms TTL=246 Reply from 64.233.183.103: bytes=32 time=22ms TTL=246 Ping statistics for 64.233.183.103: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
- 11. 11/42 examples Syn flood TCP three-way handshake: • The client requests a connection by sending a SYN (synchronize) message to the server. • The server acknowledges this request by sending SYN-ACK back to the client, which, • Responds with an ACK, and the connection is established. How it work………??? 1. attacker sends SYN packet to victim forging non-existent IP address 2. victim replies with Syn/Ack but neither receives Ack nor RST from non-existent IP address 3. victim keeps potential connection in a queue in Syn_Recv state, but the queue is small and takes some time to timeout and flush the queue, e.g 75 seconds 4. If a few SYN packets are sent by the attacker every 10 seconds, the victim will never clear the queue and stops to respond.
- 12. 12/42 examples LAND: • The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address as both source and destination. • It uses ports (echo and chargen ports).
- 13. 13/42 Bottleneck • To shut down the company’s connection, a hacker only has to overload this relatively slow part of the line. • To stop DDoS attacks, illegitimate traffic must never be allowed to reach the bottleneck.
- 14. 14/42 ISP Cable connection (Bottleneck) Normal connection Firewall (Bad traffic stopped here)
- 15. 15/42 Strategic Firewall Placement • In the strategic firewall placement method, the company’s firewall is placed on the ISP’s premises. • This means that the line connecting the ISP router to the firewall is very short, and a much higher bandwidth line (ex. Ethernet) can be used for this connection at very little extra cost.
- 16. 16/42 ISP Firewall Ethernet connection Bottleneck Strategic Firewall Placement ISP Firewall (Bad traffic stopped here) Ethernet connection Bottleneck
- 17. 17/42 Strategic Firewall Placement • Firewall remains under the control of the company. • Now the company is able to control exactly which traffic is allowed into the bottleneck part of the connection.
- 18. 18/42 Strategic Firewall Placement • In the old setup, to thwart a DDoS attack, the company had to call the ISP and tell them which kinds of packets to filter. • The company’s internet connection remained inoperative until the ISP was able to complete the company’s request. • When the company controls the firewall, as in strategic firewall placement, they can instead filter unwanted packets almost immediately.
- 19. 19/42 Additional Requirements • Moving the firewall is helpful, but, to completely protect against DDoS attacks, the company also has to change the way its firewall handles inbound connection requests.
- 20. 20/42 Default Deny • Again !!!!!!TCP three-way handshake ……
- 21. 21/42 Spoofed TCP/SYN SYN/ACK Blocked Connection Default Deny • If every TCP/SYN packet is allowed to reach the company server, hackers can flood the company’s server with these packets, and overload the connection. • Instead, the firewall sends back a SYN/ACK packet to the source IP. • Once the firewall sends out the SYN/ACK packet, it only allows a connection from the IP address that sent the original TCP/SYN packet. • A hacker has to have control of that IP address to be able to connect to the company. Firewall Real TCP/SYN SYN/ACK Connection Allowed Server 1 2
- 22. 22/42 Default Deny • Default Deny helps prevent a technique known as “spoofing” IP addresses.
- 23. 23/42 Firewall Capabilities • Maintaining these policies could require a lot of computational power from the firewall. • Firewall may not be able to handle the entire job itself. • The processing work of the firewall can be spread among multiple computers if necessary, and those computers would feed directly into the firewall.
- 24. 24/42 Simulation of Strategic Firewall Placement (NS-2 to simulate DDoS traffic.) DDoS attack Legitimate traffic Router Firewall Target Buildup of packets in queue on high-speed link 1.5 mbps
- 25. 25/42 Simulation of Strategic Firewall Placement • When the link leading up to the firewall is too slow, a DDoS attack basically shuts down the system. • When the link leading up to the firewall is fast enough, the system continues running through a DDoS attack, even after the attack is increased in intensity from 50 to 100 mbps.
- 26. 26/42 How to know if an attack is happening? • Not all disruptions to service are the result of a DOS. There may be technical problems with a particular network. However, the following symptoms could indicate a DoS or DDoS attack: • Unusually slow network performance • Unavailability of a particular web site • Inability to access any web site or any resources • Dramatic increase in the amount of spam received in the account.
- 27. 27/42 Detecting Distributed Denial of Service Attacks by Monitoring the Source IP addresses • IP addresses in DDoS attack traffic did not appear before. [Peng et al. 2003] • Monitoring the traffic volume is likely to create high false positive • Monitoring the percentage of new IP addresses is very effective in detecting the attacks
- 28. 28/42 there are no effective ways to prevent being the victim of a DoS or DDoS attack, but these ways can help: • Install anti-virus software • Install a firewall, • Applying email filters may help manage unwanted traffic How to avoid being part of the problem?
- 29. 29/42 Example (spoofed DoS attack ) • A spoofed DoS attack is a process in which one host (usually a server or router) sends a flood of network traffic to another host .
- 30. 30/42 A&B • B: target machine (Athlon 64 3400+ with 1 GB of RAM). • A: The source machine is a Pentium( 3) 700 with 512 MB of RAM.
- 31. 31/42 Using xxpoof … Why?
- 34. 34/42 Conclusion Denial of Service is currently the most expensive computer crime for victim organizations. Strategic firewall placement allows companies to use the Internet during a DDoS attack, and it allows them to continue receiving the packets they want. Distributed Denial of Service Attacks could be Detected by Monitoring the Source IP. It is easy to generate a successful DDoS attack that bypasses these defenses.
- 35. 35/42 References: • Turban, Efraim; King,davaid;lee Jae;viehland ,Dannis, (2006),electronic Commerce A Managerial Perspective .International Edition ,Prentice Hall • Chatam, W. Rice, J. and Hamilton, J.A. Jr., "Using Simulation to Analyze Denial of Service Attacks" 2004 • Advanced Simulation Technology Conference, April 18 - 24, Arlington, VA,2004 • Distributed and Cooperating Firewalls in a Secure Data Network,” IEEE Transactions on Knowledge and Data Engineering, IEEE Educational Activities Department, vol 40, no 5, (September): pp 1307 – 1315, 2003. • S. Gibson, “Distributed Reflection Denial of Service. Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack,” February 22, 2002, available at http://grc.com/dos/drdos.htm • Smith, R.; Chen, Y; and Bhattacharya, S., “Cascade of Huegen C.A. , “The latest in Denial of Service attacks: smurfing description and information to minimize effects”, Feb 2000, available at http://www.pentics.net/denial-of- service/white-apers/smurf.cgi • United State Computer Emergency Readiness Team (2004) “Understanding Denial-of-Service Attacks” http://www.us- cert.gov/cas/tips/ST04-015.html • Williams, Charles (Dr.), (2001)“Who Goes There? Authentication in the On- Line World”, <http://www.bizforum.org/whitepapers/cylink002.htm