A denial of service (DoS) is an action that prevents or impairs the authorized use of networks,...



Page 1:

Page 2:

A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, or disk space.

Examples:
› Using all available network bandwidth by generating unusually large volumes of traffic
› Sending malformed TCP/IP packets to a server so that its operating system will crash
› Sending illegal requests to an application to crash it
› Making many processor-intensive requests so that the server’s processing resources are full
› Consuming all available disk space by creating many large files

Page 3:

Network bandwidth is so large for most organizations that a single attacking machine cannot cause a network DoS.

DDoS attacks coordinate an attack among many computers

Lack of availability of computing and network services causes significant disruption and major financial loss.

Two types of components:
› Agents: run on compromised hosts and perform the actual attacks (bots)
› Handler: a program that controls the agents, telling them when, what, and how to attack

Page 4:

Page 5:

Talk with the organization’s ISPs about how they handle network-based DoS attacks
› Filtering or limiting traffic, blocking a particular source IP address or ICMP messages, providing logs, retracing attacks to their source

Consider participating in a coordinated response to a widespread DDoS attack that affects many organizations
› Exchange information regarding such an attack with a centralized incident response entity

Deploy and configure intrusion detection and prevention software to prevent DoS traffic
› Network behavior analysis software can identify unusual traffic flows

Page 6:

Perform ongoing resource monitoring to establish baselines of network bandwidth utilization

Internet Health Monitoring: when a network-based DoS occurs, incident responders could use Web sites to attempt to determine if similar attacks are currently affecting other organizations

Meet with network infrastructure administrators
› Adjust logging of a certain type of activity

Maintain local copies of any information that may be useful in handling DoS incidents
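The slide says to monitor resources continuously and establish baselines, but not what a baseline is operationally. The following is an added example (it is not from the slides): a per-counter running baseline using Welford's online mean/variance, fed ten constructed monitoring intervals, which then flags a later interval whose value sits more than a chosen number of standard deviations above the mean, and separately flags any traffic type it has never seen before. Counter names, the sample values, and the thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict


class TrafficBaseline:
    """Running per-counter baseline (Welford's online mean/variance).

    Counters are arbitrary names such as "bps_in" or "icmp_pps"; each
    sample is a dict mapping counter name -> measured value for one
    monitoring interval.
    """

    def __init__(self, min_samples=5, z_threshold=3.0):
        self.min_samples = min_samples   # intervals needed before a counter is trusted
        self.z_threshold = z_threshold   # standard deviations above the mean that raise an alert
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)     # running sum of squared deviations

    def learn(self, sample):
        """Fold one interval of measurements into the baseline."""
        for name, value in sample.items():
            self.n[name] += 1
            delta = value - self.mean[name]
            self.mean[name] += delta / self.n[name]
            self.m2[name] += delta * (value - self.mean[name])

    def stdev(self, name):
        if self.n[name] < 2:
            return 0.0
        return math.sqrt(self.m2[name] / (self.n[name] - 1))

    def check(self, sample):
        """Return {counter: z-score} for counters above the threshold.

        A counter with too little history maps to None: traffic of a kind
        never seen before deserves a look on its own (the low-volume
        reconnaissance that often precedes a DoS looks exactly like this).
        """
        anomalies = {}
        for name, value in sample.items():
            if self.n[name] < self.min_samples:
                anomalies[name] = None
                continue
            sd = self.stdev(name)
            if sd == 0.0:
                if value > self.mean[name]:
                    anomalies[name] = math.inf
                continue
            z = (value - self.mean[name]) / sd
            if z > self.z_threshold:
                anomalies[name] = z
        return anomalies


# Constructed history: ten quiet monitoring intervals (the values are made up).
HISTORY = [
    {"bps_in": 100, "icmp_pps": 2}, {"bps_in": 110, "icmp_pps": 3},
    {"bps_in": 90, "icmp_pps": 2},  {"bps_in": 105, "icmp_pps": 1},
    {"bps_in": 95, "icmp_pps": 2},  {"bps_in": 100, "icmp_pps": 3},
    {"bps_in": 110, "icmp_pps": 2}, {"bps_in": 90, "icmp_pps": 1},
    {"bps_in": 105, "icmp_pps": 2}, {"bps_in": 95, "icmp_pps": 2},
]


def build_baseline(history=HISTORY):
    baseline = TrafficBaseline()
    for sample in history:
        baseline.learn(sample)
    return baseline


if __name__ == "__main__":
    b = build_baseline()
    # A normal interval, an ICMP spike, and a protocol the baseline has never seen.
    for sample in ({"bps_in": 105, "icmp_pps": 2},
                   {"bps_in": 108, "icmp_pps": 40},
                   {"bps_in": 102, "icmp_pps": 2, "udp_pps_1900": 4}):
        print(sample, "->", b.check(sample))
```

Only call `learn` on intervals that `check` passed; folding an attack interval into the baseline raises the mean and hides the next attack. In production the baseline would also be kept per hour-of-day or weekday, since normal utilization is not flat.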

Page 7:

Configure the network perimeter to deny all incoming and outgoing traffic that is not explicitly permitted
› Block services that are used in DoS attacks (e.g. echo)
› Perform egress and ingress filtering to block spoofed packets
› Block traffic from unassigned IP address ranges
› Make certain firewall rules and router ACLs are written and sequenced properly
› Limit incoming and outgoing ICMP traffic
› Block outgoing connections to common IRC and P2P services if such usage is not permitted

Implement rate limiting for certain protocols (e.g. ICMP)

Disable unneeded services

Ensure that networks and systems are not running near maximum capacity, so that minor attacks can’t easily cause a DoS.
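The perimeter rules on this slide are easier to reason about when written out as an ordered ruleset, which is what this added example does (it is example code, not from the slides or any firewall product): ingress and egress anti-spoofing, a block on unassigned ranges, a block on echo/chargen, a token-bucket rate limit on ICMP in both directions, and a default deny for anything not explicitly permitted. The internal prefix, the short bogon list, and the permitted-service tables are assumptions constructed for the example; real bogon lists are longer and change as address space is assigned.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed for this example only.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
BOGON_NETS = [ip_network("0.0.0.0/8"), ip_network("192.0.2.0/24"), ip_network("240.0.0.0/4")]
BLOCKED_SERVICE_PORTS = {7, 19}                       # echo and chargen
INBOUND_PERMITTED = {("tcp", 443), ("tcp", 25)}       # the services we publish
OUTBOUND_PERMITTED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass
class Packet:
    direction: str      # "in" (arriving from the Internet) or "out" (leaving)
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ts: float = 0.0     # arrival time in seconds


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_bogon(addr):
    return any(ip_address(addr) in net for net in BOGON_NETS)


class TokenBucket:
    """Rate limiter: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, ts):
        self.tokens = min(self.burst, self.tokens + max(0.0, ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerimeterFilter:
    """Rules in the order a ruleset should be sequenced: anti-spoofing first,
    then address and service blocks, then rate limits, then the default deny."""

    def __init__(self, icmp_rate=10.0, icmp_burst=20):
        self.icmp = TokenBucket(icmp_rate, icmp_burst)

    def decide(self, pkt):
        # Ingress filtering: nothing from the Internet may claim an internal source.
        if pkt.direction == "in" and is_internal(pkt.src):
            return "drop: ingress spoof"
        # Egress filtering: nothing leaving may claim a source we do not own.
        if pkt.direction == "out" and not is_internal(pkt.src):
            return "drop: egress spoof"
        if is_bogon(pkt.src) or is_bogon(pkt.dst):
            return "drop: unassigned range"
        if pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_SERVICE_PORTS:
            return "drop: blocked service"
        if pkt.proto == "icmp":
            return "accept" if self.icmp.allow(pkt.ts) else "drop: icmp rate limit"
        permitted = INBOUND_PERMITTED if pkt.direction == "in" else OUTBOUND_PERMITTED
        if (pkt.proto, pkt.dport) not in permitted:
            return "drop: default deny"
        return "accept"


if __name__ == "__main__":
    f = PerimeterFilter(icmp_rate=1.0, icmp_burst=2)
    for p in (Packet("in", "10.1.1.1", "10.0.0.5", "tcp", 443),
              Packet("in", "203.0.113.9", "10.0.0.5", "udp", 7),
              Packet("out", "10.0.0.5", "203.0.113.9", "tcp", 6667)):
        print(p, "->", f.decide(p))
```

The sequencing matters in the way the slide warns about: if the default deny came first, the spoof and bogon rules would never fire and the logs would not tell you why a packet was dropped; if the ICMP limit came before the anti-spoof checks, spoofed ICMP would consume the bucket and starve legitimate pings.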

Page 8:

Precursors:
› DoS attacks are often preceded by reconnaissance activity – a low volume of the traffic that will be used in the actual attack – to determine which attacks may be effective
› A newly released DoS tool

Responses:
› Example: alter firewall rulesets to block a particular protocol from being used
› Investigate the new tool and alter security controls accordingly

Page 9:

Page 10:

Correct the vulnerability or weakness that is being exploited
› Patch the OS
› Block unnecessary services

Implement filtering based on the characteristics of the attack
› Temporarily block certain requests (ICMP)
› Rate limiting

Have the ISP implement filtering

Relocate the target

Attack the attackers (not recommended)

Page 11:

Identify the source of the attack from observed traffic (very difficult)

Trace attacks back through ISPs (easier if attack is ongoing)

Review log entries (some may be overwritten depending on logging practices)
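Reviewing log entries to identify the source is the one of these three steps that an incident responder can do alone, so here is an added example of that review (it is not from the slides; the log format and every address in it are constructed for the example). It parses a block of firewall log lines, tolerates the malformed line that a wrapped log buffer leaves behind, and summarizes who is sending what where: whether one address carries most of the traffic (traceable through the ISP) or many low-volume addresses do (a DDoS, or spoofed sources).

```python
import re
from collections import Counter

# Constructed log lines in a made-up firewall format (not from any real product).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DROP proto=udp src=203.0.113.5:4444 dst=10.0.0.5:53 len=60
2024-05-01T10:00:01Z DROP proto=udp src=203.0.113.5:4445 dst=10.0.0.5:53 len=60
2024-05-01T10:00:02Z DROP proto=udp src=203.0.113.5:4446 dst=10.0.0.5:53 len=60
2024-05-01T10:00:02Z DROP proto=udp src=198.51.100.7:5100 dst=10.0.0.5:53 len=60
2024-05-01T10:00:02Z DROP proto=udp src=203.0.113.5:4447 dst=10.0.0.5:53 len=60
2024-05-01T10:00:03Z ACCEPT proto=tcp src=192.0.2.9:51000 dst=10.0.0.8:443 len=52
2024-05-01T10:00:03Z DROP proto=udp src=203.0.113.5:4448 dst=10.0.0.5:53 len=60
2024-05-01T10:00:03Z DROP proto=udp src=198.51.100.7:5101 dst=10.0.0.5:53 len=60
2024-05-01T10:00:04Z DROP proto=udp src=203.0.113.5:4449 dst=10.0.0.5:53 len=60
<log buffer wrapped; 312 entries lost>
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>[A-Z]+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_log(text):
    """Return (entries, skipped): one dict per well-formed line; malformed
    non-empty lines are counted rather than raised, so a partially
    overwritten log still yields what it can."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return entries, skipped


def summarize(text, top=3):
    entries, skipped = parse_log(text)
    total = len(entries)
    if total == 0:
        return {"entries": 0, "skipped_lines": skipped}
    by_src = Counter(e["src"] for e in entries)
    by_target = Counter((e["dst"], e["proto"], e["dport"]) for e in entries)
    top_src, top_src_count = by_src.most_common(1)[0]
    target, target_count = by_target.most_common(1)[0]
    return {
        "entries": total,
        "skipped_lines": skipped,
        "distinct_sources": len(by_src),
        "top_sources": by_src.most_common(top),
        "dominant_target": target,                  # (dst, proto, dport)
        "dominant_target_share": target_count / total,
        # One address carrying most of the traffic can be traced through the
        # ISP; many low-volume sources point to a DDoS or spoofed addresses.
        "source_pattern": ("single source" if top_src_count / total > 0.5
                           else "distributed or spoofed sources"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The `skipped_lines` count is worth reporting alongside the totals: it tells the responder how much of the picture the log retention policy already lost, which is the slide's caveat in a number.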

Page 12:

Configure firewall rulesets to prevent reflector attacks
› Reject suspicious combinations of source and destination ports

Configure border routers to prevent amplifier attacks
› Do not forward directed broadcasts

Determine how the ISP can assist

Configure security software

Perimeter security – deny all incoming and outgoing traffic not expressly permitted

Create a containment strategy that includes several solutions in sequence
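The two rules at the top of this slide (reject suspicious port combinations, do not forward directed broadcasts) are shown below as a border filter. This is an added example, not code from the slides or from any router: the local subnets, the list of UDP service ports whose replies get reflected, and the table of port pairs with no legitimate meaning are all assumptions made for the example. Besides the static port-pair rule, it keeps a small table of outbound UDP requests so that a "reply" from a reflected service port is only let in when something inside actually asked for it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed for this example only.
LOCAL_SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]
REFLECTED_SERVICE_PORTS = {53, 123, 1900}                 # DNS, NTP, SSDP
SUSPICIOUS_PORT_PAIRS = {(7, 7), (7, 19), (19, 7), (19, 19)}   # echo/chargen loops


@dataclass
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "udp" or "tcp"
    from_outside: bool    # True when it arrives on the Internet-facing interface


def is_directed_broadcast(addr):
    """True when addr is the broadcast address of one of our subnets."""
    a = ip_address(addr)
    return any(a == net.broadcast_address for net in LOCAL_SUBNETS)


class BorderFilter:
    def __init__(self):
        # Outbound UDP requests seen so far, so that only solicited replies get in.
        self.pending = set()

    def decide(self, d):
        # Amplifier defence: a packet from outside aimed at a subnet broadcast
        # address would be answered by every host on that subnet; never forward it.
        if d.from_outside and is_directed_broadcast(d.dst):
            return "drop: directed broadcast"
        if d.proto != "udp":
            return "accept"
        # Reflector defence 1: port pairs that have no legitimate meaning.
        if (d.sport, d.dport) in SUSPICIOUS_PORT_PAIRS:
            return "drop: suspicious port pair"
        # Reflector defence 2: a reply from a reflected service port is only
        # accepted if a matching request left through this router.
        if not d.from_outside:
            self.pending.add((d.src, d.sport, d.dst, d.dport))
            return "accept"
        key = (d.dst, d.dport, d.src, d.sport)
        if d.sport in REFLECTED_SERVICE_PORTS and key not in self.pending:
            return "drop: unsolicited reply"
        self.pending.discard(key)      # one request, one reply
        return "accept"


if __name__ == "__main__":
    f = BorderFilter()
    for d in (Datagram("203.0.113.7", 53, "10.1.0.5", 40000, "udp", True),
              Datagram("10.1.0.5", 40000, "203.0.113.7", 53, "udp", False),
              Datagram("203.0.113.7", 53, "10.1.0.5", 40000, "udp", True),
              Datagram("203.0.113.7", 9999, "10.1.0.255", 7, "udp", True)):
        print(d, "->", f.decide(d))
```

A real stateful firewall ages entries out of the pending table and allows the fragmented or multi-packet replies some services send; the single-use entry here is the simplest form that still shows why a reflected reply gets dropped while a solicited one gets through.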

Page 13:

Viruses – designed to self-replicate
› Compiled viruses: executed by the operating system
  › File infector viruses: attach themselves to an executable program
  › Boot sector viruses: infect the master boot record of a hard drive or removable media
› Interpreted viruses: executed by an application (most common)
  › Macro viruses: attach themselves to application documents
  › Script viruses: similar to a macro but written in a language understood by the OS

Page 14:

Worms – self-replicating programs that are completely self-contained
› Network service worms: spread by exploiting a vulnerability in a network service associated with an OS or an application
› Mass mailing worms: similar to email-borne viruses but are self-contained instead of infecting an existing file

Trojan horses – non-replicating programs that appear to be benign but actually have a hidden malicious purpose

Others:
› Malicious mobile code
› Blended attack (e.g. Nimda worm)
› Tracking cookies
› Attacker tools: backdoors, keystroke loggers, rootkits, web browser plug-ins
› Non-malware threats: social engineering, phishing, virus hoaxes

Page 15:

Use antivirus software

Prevent the installation of spyware

Block suspicious files

Filter spam

Limit the use of nonessential programs with file transfer capabilities (IM, P2P, etc.)

Educate users about email attachments

Eliminate open Windows shares

Use web browser security settings to limit mobile code

Prevent open relaying of email

Configure email clients to act more securely

Page 16:

Precursors:
› An alert warns of new malicious code that targets software the organization uses
  Response: research the new virus, update antivirus software, configure email clients to block emails with certain characteristics
› Antivirus software detects and disinfects or quarantines an infected file
  Response: determine how it entered the system and what vulnerability it was attempting to exploit

Page 17:

Page 18:

Identifying and isolating other infected hosts
› Performing port scans
› Use antivirus scanning and cleaning tools
› Review logs

Send unknown malicious code to antivirus vendors

Configuring email servers and clients to block emails

Blocking particular hosts

Shutting down email servers

Isolate networks from the internet

Disabling services, possibly connectivity

Page 19:

Forensic identification
› Antivirus software, spyware detection, content filtering

Active identification
› Used to identify which hosts are currently infected
› Deploying patches, updates, running a disinfection utility

Manual identification
› Most labor-intensive
› IT staff identify infections by using information on the malware and the signs of an infection
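To make the forensic and active identification methods on this slide (and the log review and host isolation on the previous one) concrete, here is an added example that is not from the slides. Forensic identification reads constructed antivirus log lines and lists the hosts with a detection; active identification looks at constructed connection records for a host contacting an unusually large number of peers on one port, which is what a network service worm looks like while it hunts for its next victims; the two are merged into a list of hosts to isolate, each with its evidence. The log format, host names, threat names, port and fan-out threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed antivirus log lines and flow records (made up for this example).
AV_LOG = """\
2024-05-01T09:00:00Z host=ws-17 action=quarantined threat=Worm.Example.A path=C:\\Users\\a\\tmp\\x.exe
2024-05-01T09:00:05Z host=ws-22 action=scan_complete threat=none
2024-05-01T09:00:09Z host=ws-05 action=cleaned threat=Trojan.Example.B path=C:\\dl\\setup.exe
"""
# (timestamp, source host, destination host, destination port)
FLOWS = (
    [("2024-05-01T09:01:00Z", "ws-17", f"ws-{i:02d}", 445) for i in range(30, 60)]
    + [("2024-05-01T09:01:30Z", "ws-31", f"ws-{i:02d}", 445) for i in range(60, 85)]
    + [("2024-05-01T09:02:00Z", "ws-05", "fileserver-1", 445),
       ("2024-05-01T09:02:01Z", "ws-05", "fileserver-2", 445)]
)

AV_RE = re.compile(r"host=(?P<host>\S+) action=(?P<action>\S+) threat=(?P<threat>\S+)")
DETECTED_ACTIONS = {"quarantined", "cleaned", "detected"}


def forensic_identification(av_log):
    """Hosts named in antivirus detections -> threat name."""
    found = {}
    for line in av_log.splitlines():
        m = AV_RE.search(line)
        if m and m["action"] in DETECTED_ACTIONS:
            found[m["host"]] = m["threat"]
    return found


def active_identification(flows, port=445, min_fanout=20):
    """Hosts contacting at least `min_fanout` distinct peers on `port`.
    Returns host -> number of peers. A host that talks to dozens of other
    workstations on one port in a short window is scanning, whether or not
    antivirus has a signature for what is driving it."""
    peers = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == port:
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_fanout}


def hosts_to_isolate(av_log=AV_LOG, flows=FLOWS):
    """Merge both methods: host -> list of evidence strings."""
    evidence = defaultdict(list)
    for host, threat in forensic_identification(av_log).items():
        evidence[host].append(f"antivirus: {threat}")
    for host, fanout in active_identification(flows).items():
        evidence[host].append(f"scanning: {fanout} peers on tcp/445")
    return dict(evidence)


if __name__ == "__main__":
    for host, why in hosts_to_isolate().items():
        print(host, "->", "; ".join(why))
```

In the constructed data ws-31 has no antivirus detection at all and is found only by the scanning pattern, which is the point of running active identification alongside the forensic kind: an infection the scanner cannot name still shows up in what the host does.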

Page 20:

Make users aware of malicious code issues – education!!

Read antivirus bulletins

Use antivirus software and update it regularly

Configure software to block suspicious files

Eliminate open Windows shares

Contain malicious code incidents as fast as possible

Deploy host-based intrusion detection and prevention systems

Page 21:

An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have. It is typically gained through the exploitation of operating system or application vulnerabilities, the acquisition of usernames and passwords, or social engineering.

Examples:
› Guessing or cracking passwords
› Viewing or copying sensitive data
› Running a packet sniffer on a workstation to capture usernames and passwords
› Using an unattended, logged-in workstation without permission

Page 22:

Page 23:

Precursors:
› Users report possible social engineering attacks
  Response: give advice to all users on how to handle social engineering attempts
› A person or system may observe a failed physical access attempt
  Response: detain the person; strengthen physical and computer security controls if necessary

Page 24:

Page 25:

Isolate the affected systems
› Perform port scans for backdoors

Disable the affected service

Eliminate the attacker’s route into the environment

Disable user accounts that may have been compromised

Enhance physical security measures

When unauthorized access is suspected, make a full image backup of the system

Page 26:

A multiple component incident is a single incident that encompasses two or more incidents

Example:
› Malicious code spread through email compromises an internal workstation
› An attacker uses the infected workstation to compromise additional workstations and servers
› An attacker uses one of the compromised hosts to launch a DDoS attack against another organization

Page 27:

Page 28: