Denial of Service
description
Transcript of Denial of Service
![Page 1: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/1.jpg)
Denial of Service
![Page 2: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/2.jpg)
Distributed Denial Of Service?
![Page 3: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/3.jpg)
Distributed Denial Of Service?
![Page 4: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/4.jpg)
Unlike other forms of computer attacks, goal isn’t access or theft of information or services
The goal is to stop the service from operatingo To deny service to legitimate userso Slowing down may be good enough
This is usually a temporary effect that passes as soon as the attack stops
Denial of Service Attacks
![Page 5: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/5.jpg)
Lots of waysoCrash the machineoOr put it into an infinite loopoCrash routers on the path to the machineoUse up a key machine resourceoUse up a key network resourceoDeny another service needed for this one (DNS)
Using up resources is the most common approach
How Can a Service Be Denied?
![Page 6: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/6.jpg)
FloodsCongestion control exploitsUnexpected header valuesInvalid contentInvalid fragmentsLarge packetsImpersonation attacks
High-level Attack Categorization
![Page 7: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/7.jpg)
Simple Denial of Service
7
![Page 8: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/8.jpg)
One machine tries to bring down another machine
There is a fundamental problem for the attacker:o The attack machine must be “more powerful”
than the target machine to overload it ORo Attacker uses approaches other than flooding
The target machine might be a powerful server
Simple Denial of Service
![Page 9: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/9.jpg)
Sometimes generating a request is cheaper than formulating a response e.g. sending a bogus packet is cheaper than decrypting this packet and checking that it’s bogus
If so, one attack machine can generate a lot of requests, and effectively multiply its power
Not always possible to achieve this asymmetry
This is called amplification effect
Denial of Service and Asymmetry
![Page 10: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/10.jpg)
Use multiple machines to generate the workload
For any server of fixed power, enough attack machines working together can overload it
Enlist lots of machines and coordinate their attack on a single machine
DDoS “Solves” That Problem
![Page 11: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/11.jpg)
Distributed Computing
![Page 12: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/12.jpg)
Typical Attack Modus Operandi
![Page 13: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/13.jpg)
Yes, attacks happen every dayo One study reported ~4,000 per week1
On a wide variety of targetsTend to be highly successfulThere are very few mechanisms that can
stop certain attacksThere have been successful attacks on
major commercial sites
Is DDoS a Real Problem?
1”Inferring Internet Denial of Service Activity,” Moore, Voelker, and Savage, Usenix Security Symposium, 2002
![Page 14: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/14.jpg)
August 2009, hours-long service outageo44 million users affected
At the same time Facebook, LiveJournal, YouTube and Blogger were under attackoOnly some users experienced an outage
Real target: a Georgian blogger
DDoS on Twitter
Image borrowed from Wired.comarticle. Originallyprovided by Arbor
Networks
![Page 15: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/15.jpg)
December 2010Parts of services went down brieflyAttack launched by a group of vigilantes
called AnonymousoBots recruited through social engineeringoDirected to download DDoS software and take
instructions from a masteroMotivation: Payback to services that cut their
support of WikiLeaks after their founder was arrested on unrelated charges
Several other services affected
DDoS on Mastercard and Visa
![Page 16: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/16.jpg)
Most (if not all) sites could be rendered non-operational
The Internet could be largely flooded with garbage traffic
Essentially, the Internet could grind to a halto In the face of a very large attack
Almost any site could be put out of businesso With a moderate sized attack
Potential Effects of DDoS Attacks
![Page 17: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/17.jpg)
Everyone connected to the Internet can be attacked
Everyone who uses Internet for crucial operations can suffer damages
Who Is Vulnerable?
![Page 18: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/18.jpg)
But My Machines Are Well Secured!
18
Doesn’t matter!The problem isn’t your vulnerability, it’s everyone elses’
![Page 19: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/19.jpg)
But I Have a Firewall!Doesn’t matter! Either the attacker slips his
traffic into legitimate trafficOr he attacks the firewall
![Page 20: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/20.jpg)
But I Use a VPN! Doesn’t matter!
The attacker can fill your tunnel with garbageSure, you’ll detect it and discard it . . .But you’ll be so busy doing so that you’ll have no time for your real work
![Page 21: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/21.jpg)
But I’m Heavily ProvisionedDoesn’t matter!The attacker can probably get enough resources to overcome any level of resources you buy
![Page 22: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/22.jpg)
Widely available on the neto Easily downloaded along with source codeo Easily deployed and used
Automated code for: o Scanning – detection of vulnerable machines o Exploit – breaking into the machine o Infection – placing the attack code
Rootkitso Hide the attack code o Restart the attack codeo Keep open backdoors for attacker access
DDoS attack code
Attack Toolkits
![Page 23: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/23.jpg)
Attacker can customize:o Type of attack
UDP flood, ICMP flood, TCP SYN flood, Smurf attack (broadcast ping flood)
Web server request flood, authentication request flood, DNS flood
o Victim IP addresso Durationo Packet sizeo Source IP spoofingo Dynamics (constant rate or pulsing)o Communication between master and slaves
DDoS Attack Code
![Page 24: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/24.jpg)
You don’t need much knowledge or great skills to perpetrate DDoS
Toolkits allow unsophisticated users to become DDoS perpetrators in little time
DDoS is, unfortunately, a game anyone can play
Implications Of Attack Toolkits
![Page 25: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/25.jpg)
Attackers follow defense approaches, adjust their code to bypass defenses
Use of subnet spoofing defeats ingress filtering
Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
Encryption of attack packets defeats traffic analysis and signature detection
Pulsing attacks defeat slow defenses and traceback
Flash-crowd attacks generate application
traffic
DDoS Attack Trends
![Page 26: Denial of Service](https://reader036.fdocuments.us/reader036/viewer/2022062520/5681614d550346895dd0d051/html5/thumbnails/26.jpg)
If we solve simple attacks, DDoS perpetrators will move on to more complex attacks
Recently seen trends:o Larger networks of attack machineso Rolling attacks from large number of machineso Attacks at higher semantic levelso Attacks on different types of network entitieso Attacks on DDoS defense mechanisms
Need flexible defenses that evolve with attacks
Implications For the Future