DDOS Attacks And Defence Technics

Post on 05-Jul-2015


DENIAL OF SERVICE ATTACKS AND DEFENCE TECHNICS

BEGÜM TOKUYUCU


OUTLINE

• What is DOS?

• What is DDOS?

• Types of DOS and DDOS Attacks

• Ways of defending against DDOS Attacks


WHAT IS A DENIAL OF SERVICE ATTACK?

• An attempt to prevent or impair the authorised use of networks, systems or applications by exhausting their resources.

• Resources:

  • Network bandwidth,

  • System resources,

  • Application resources

• DOS attacks are characterised by how many systems are used to direct traffic at the target system.

WHAT IS A DISTRIBUTED DENIAL OF SERVICE ATTACK?

• DDOS

• Steps:

  • Recruiting zombie machines

  • Discovering the vulnerability of the target

  • Sending the attack instructions to the zombies

  • Attack

WHY DDOS?

• Financial and economic gain

• Revenge

• Fun

• Show

• Cyberwarfare

TYPES OF ATTACKS

• Classical DOS Attacks

• Source Address Spoofing

• TCP SYN/ACK Spoofing

• ICMP Flood Attacks

• UDP Flood Attacks

• Smurf Attack

• DNS DDOS

• Peer to Peer Attacks

CLASSIC DOS ATTACKS

• Flooding attack

  • Aims to overwhelm the capacity of the network connection to the target organization.

• The source of the attack is clearly identified.

SOURCE ADDRESS SPOOFING

• Use of a forged source address.

• A forged source address is harder to identify.

• You cannot create a normal network connection: the receiver will not be able to reply to you.

• Uses the raw socket interface available on many operating systems.

• Examples:

  • Man in the middle

  • Routing redirect

  • Source routing

TCP SYN/ACK SPOOFING

• Exploits the ability of a network server to respond to TCP connection requests.

• If the spoofed source address belongs to a valid host -> it replies with RST

• If the system is busy -> NO REPLY

• The server uses a table to keep track of connections.

• When the table is full, increase the table size.

DEFENCE WAY OF TCP SYN/ACK SPOOFING

• Decrease the TCP connection timeout on the server (victim).

• Use a firewall as an intermediary between server and client.
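As an added illustration of the first defence (example code written for this page, not the presenter's), the following Python simulation models a server's table of half-open TCP connections under a stream of spoofed SYNs that are never acknowledged. The table capacity, SYN rate and timeout values are constructed assumptions; the point it shows is that a shorter timeout lets stale entries expire before the table fills, so a legitimate client can still complete its handshake.

```python
"""Added example: half-open connection table under a SYN flood.
Traffic, capacity and timeouts are constructed for illustration."""


class HalfOpenTable:
    """Entries for connections that got a SYN-ACK but never completed with ACK."""

    def __init__(self, capacity, timeout_ms):
        self.capacity = capacity
        self.timeout_ms = timeout_ms          # how long an unanswered SYN-ACK is kept
        self.entries = {}                     # (src_ip, src_port) -> arrival time (ms)
        self.rejected = 0
        self.peak = 0

    def expire(self, now_ms):
        """Drop entries whose SYN-ACK has gone unanswered for the timeout."""
        stale = [k for k, t in self.entries.items() if now_ms - t >= self.timeout_ms]
        for k in stale:
            del self.entries[k]

    def on_syn(self, now_ms, src):
        """Server receives a SYN: reserve a table slot if one is free."""
        self.expire(now_ms)
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[src] = now_ms
        self.peak = max(self.peak, len(self.entries))
        return True

    def on_ack(self, src):
        """Handshake completes: the entry leaves the half-open table."""
        return self.entries.pop(src, None) is not None


def simulate(timeout_ms, capacity=128, syn_rate=50, seconds=10):
    """Spoofed SYNs arrive at syn_rate per second and are never acknowledged;
    one legitimate client tries to connect each second.
    Returns (legit_ok, legit_rejected, peak_table_size)."""
    table = HalfOpenTable(capacity, timeout_ms)
    legit_ok = legit_rejected = 0
    step_ms = 1000 // syn_rate
    for sec in range(seconds):
        for i in range(syn_rate):
            # spoofed source: nobody will ever answer the SYN-ACK
            table.on_syn(sec * 1000 + i * step_ms, (f"10.{sec}.{i}.1", 40000 + i))
        client = ("192.0.2.10", 50000 + sec)
        if table.on_syn(sec * 1000 + 990, client):
            table.on_ack(client)               # real client completes the handshake
            legit_ok += 1
        else:
            legit_rejected += 1
    return legit_ok, legit_rejected, table.peak


if __name__ == "__main__":
    print("timeout 60 s :", simulate(60_000))   # table fills, legitimate clients rejected
    print("timeout 1 s  :", simulate(1_000))    # entries expire, every client gets in
```

With a 60 second timeout the 128-slot table is full after two seconds and every later legitimate client is rejected; with a 1 second timeout the table never holds more than about one second's worth of spoofed entries, so all ten legitimate clients connect. The trade-off is that a very short timeout also drops slow but genuine clients on high-latency links.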


FLOODING ATTACKS

• Classified by the network protocol used (TCP, UDP, ICMP).

• Goal:

  • to overload the network capacity on some link to the server

  • to overload the server's ability to handle the traffic

• Types:

  • ICMP Flood Attacks

  • UDP Flood Attacks

  • Smurf Attack

ICMP FLOOD ATTACKS

• ICMP packets were chosen because network administrators traditionally allowed them.

• Attackers use ICMP packets.

• Packets are sent to the victim's address.

DEFENCE WAY OF ICMP FLOOD ATTACKS

• Set a packet-per-second threshold for ICMP requests.

• When the ICMP packet flow exceeds the defined threshold, the security device ignores further ICMP echo requests.

UDP FLOOD ATTACKS

• Attackers obtain the IP addresses of many devices.

• They send data packets (UDP packets) to random ports of the server.

• If the server is not running, the packet is discarded.

• If the server is running, it tries to identify the data received on the wrong ports and sends a "destination unreachable" message.

DEFENCE WAY OF UDP FLOOD ATTACKS

• Limit the rate at which destination unreachable messages are sent, or do not send such packets at all.

• Introduce a firewall before the server to check whether the incoming packets are addressed to a correct port or not.

• If correct, pass the packet; else reject it.

SMURF ATTACKS

• Sends a huge amount of traffic and causes a virtual explosion of traffic at the intended target.

• Steps

  • Obtain the IP address of the victim.

  • Using this spoofed IP address, attackers send ICMP packets via routers to a network's broadcast address.

  • Devices reply via ICMP to the IP address of the victim.

  • The victim gets flooded with incoming packets.

DEFENCE WAYS OF SMURF ATTACKS

• Set up a firewall that filters unwanted messages.

• Configure the router not to contact all the devices connected to its network when an ICMP message arrives at its broadcast address.
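The three defences on the ICMP flood, UDP flood and Smurf slides are all decisions a filtering device makes per packet, so here they are combined in one small stateful filter. This is an added example written for this page, not code from the presentation; the protected network 192.0.2.0/24, the open port list, the thresholds and the sample packets are all constructed assumptions.

```python
"""Added example: a small stateful packet filter in front of a server that
applies the ICMP flood, UDP flood and Smurf defences from the slides.
Packets are constructed records, not real captures."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float              # arrival time in seconds
    src: str
    dst: str
    proto: str             # "icmp" or "udp"
    dport: int = 0         # UDP destination port
    icmp_type: int = 0     # 8 = echo request


class Filter:
    def __init__(self, protected_net, open_udp_ports, icmp_pps, unreachable_pps):
        self.net = ipaddress.ip_network(protected_net)
        self.open_udp_ports = set(open_udp_ports)
        self.icmp_pps = icmp_pps                  # echo requests accepted per second
        self.unreachable_pps = unreachable_pps    # "destination unreachable" replies per second
        self.echo_seen = defaultdict(int)         # second -> echo requests passed
        self.unreach_sent = defaultdict(int)      # second -> unreachable replies sent
        self.stats = defaultdict(int)

    def handle(self, pkt):
        verdict = self._decide(pkt)
        self.stats[verdict] += 1
        return verdict

    def _decide(self, pkt):
        second = int(pkt.ts)
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            # Smurf defence: echo requests to the subnet broadcast address are never
            # delivered, so no host on the network answers them.
            if ipaddress.ip_address(pkt.dst) == self.net.broadcast_address:
                return "drop:broadcast-echo"
            # ICMP flood defence: packet-per-second threshold; further echo
            # requests in the same second are ignored.
            if self.echo_seen[second] >= self.icmp_pps:
                return "drop:icmp-threshold"
            self.echo_seen[second] += 1
            return "allow"
        if pkt.proto == "udp":
            if pkt.dport in self.open_udp_ports:
                return "allow"
            # UDP flood defence: closed port. Answer with a rate-limited
            # "destination unreachable"; beyond the limit, drop silently.
            if self.unreach_sent[second] < self.unreachable_pps:
                self.unreach_sent[second] += 1
                return "reject:unreachable"
            return "drop:closed-port"
        return "allow"


def constructed_traffic():
    """Constructed sample traffic against server 192.0.2.10 in 192.0.2.0/24."""
    pkts = []
    # 30 echo requests in one second from a single source (ICMP flood)
    for i in range(30):
        pkts.append(Packet(i * 0.01, "198.51.100.7", "192.0.2.10", "icmp", icmp_type=8))
    # one legitimate ping in the same second
    pkts.append(Packet(0.5, "203.0.113.5", "192.0.2.10", "icmp", icmp_type=8))
    # Smurf: echo requests to the broadcast address, source forged as the victim
    for i in range(5):
        pkts.append(Packet(1.0 + i * 0.1, "192.0.2.10", "192.0.2.255", "icmp", icmp_type=8))
    # UDP flood to random high ports, plus one legitimate DNS query
    for i in range(20):
        pkts.append(Packet(2.0 + i * 0.01, "198.51.100.8", "192.0.2.10", "udp", dport=20000 + i))
    pkts.append(Packet(2.5, "203.0.113.9", "192.0.2.10", "udp", dport=53))
    return pkts


def run(pkts, icmp_pps=10, unreachable_pps=5):
    """Pass all packets through the filter and return the verdict counts."""
    f = Filter("192.0.2.0/24", open_udp_ports=[53],
               icmp_pps=icmp_pps, unreachable_pps=unreachable_pps)
    for p in pkts:
        f.handle(p)
    return dict(f.stats)


if __name__ == "__main__":
    for verdict, n in sorted(run(constructed_traffic()).items()):
        print(f"{verdict:22} {n}")
```

Two things worth noticing in the output. The packet-per-second threshold is a blunt instrument: the legitimate ping that arrives in the same second as the flood is dropped along with the attack traffic, which is the availability cost of that defence. And the broadcast rule is the filter-side equivalent of the router configuration on the Smurf slide: an echo request addressed to the subnet broadcast is discarded before any host can answer it.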

DNS DDOS ATTACKS

• The attacker asks zombies to send DNS queries for a site (www.kfssdfsdffks.com) to a DNS server, with the zombies impersonating the target server.

• The DNS server thinks that the target server is requesting the pages, so it sends the requested pages' IP addresses as replies to the target.

• The target server receives a load of DNS replies and crashes.

DEFENCE WAY OF DNS DDOS ATTACKS

• You know the IP addresses from which DNS replies are continuously being sent to you, so it is a simple matter to use your firewall to block traffic from those addresses.

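The defence above relies on telling the flood apart from the replies to queries you really sent. The following Python detector, an added example written for this page rather than the presenter's code, keeps the (server, transaction id) pairs of outstanding queries, treats any reply that matches none of them as unsolicited, and adds a source to the block list once it exceeds a threshold within a time window. The addresses, transaction ids, threshold and window are constructed assumptions; the firewall rule strings it emits use standard iptables syntax.

```python
"""Added example: detect unsolicited DNS replies and derive a block list.
Events are constructed, not real captures."""
from collections import defaultdict, deque


class UnsolicitedDnsDetector:
    """Matches incoming DNS replies against queries this host actually sent.
    Replies with no matching (server, transaction id) are unsolicited; a source
    sending too many of them within the window is added to the block list."""

    def __init__(self, threshold, window_s):
        self.threshold = threshold
        self.window_s = window_s
        self.outstanding = {}                    # (server_ip, txid) -> time sent
        self.unsolicited = defaultdict(deque)    # source_ip -> times of unsolicited replies
        self.blocked = set()

    def query_sent(self, ts, server_ip, txid):
        self.outstanding[(server_ip, txid)] = ts

    def reply_received(self, ts, src_ip, txid):
        if self.outstanding.pop((src_ip, txid), None) is not None:
            return "matched"
        times = self.unsolicited[src_ip]
        times.append(ts)
        while times and ts - times[0] > self.window_s:   # slide the window
            times.popleft()
        if len(times) >= self.threshold:
            self.blocked.add(src_ip)
            return "blocked"
        return "unsolicited"

    def firewall_rules(self):
        """iptables rules for the block list (example output, one per source)."""
        return [f"iptables -I INPUT -s {ip} -p udp --sport 53 -j DROP"
                for ip in sorted(self.blocked)]


def constructed_events():
    """(kind, time, ip, txid): two real lookups to 192.0.2.53, a flood of 40
    unsolicited replies from 198.51.100.53, two stray replies from 203.0.113.53."""
    ev = [("query", 0.00, "192.0.2.53", 0x1A2B),
          ("reply", 0.05, "192.0.2.53", 0x1A2B),
          ("query", 0.10, "192.0.2.53", 0x1A2C)]
    ev += [("reply", 0.2 + i * 0.01, "198.51.100.53", 0x4000 + i) for i in range(40)]
    ev += [("reply", 0.70, "203.0.113.53", 0x5555),
           ("reply", 0.80, "203.0.113.53", 0x5556),
           ("reply", 0.90, "192.0.2.53", 0x1A2C)]
    return ev


def run(events, threshold=20, window_s=1.0):
    """Feed events to the detector; return (blocked sources, verdict counts, rules)."""
    det = UnsolicitedDnsDetector(threshold, window_s)
    counts = defaultdict(int)
    for kind, ts, ip, txid in events:
        if kind == "query":
            det.query_sent(ts, ip, txid)
        else:
            counts[det.reply_received(ts, ip, txid)] += 1
    return sorted(det.blocked), dict(counts), det.firewall_rules()


if __name__ == "__main__":
    blocked, counts, rules = run(constructed_events())
    print(counts)
    print("\n".join(rules) or "no rules")
```

The two stray replies from 203.0.113.53 stay below the threshold and produce no rule, while the flooding source is blocked after its twentieth unsolicited reply. The emitted rule is coarse: it drops every reply from that address, including answers to queries you may still send it, so in practice such a block should be time-limited and the detector's own matching logic is what keeps false positives down.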

PEER TO PEER ATTACKS

• The attacker acts as a puppet master, instructing clients of large P2P file-sharing networks to disconnect from their P2P network and connect to the victim's website instead.

• Thousands of computers try to connect to the target website specified by the attacker to download/upload files.

• The server gets confused about what is going on with the requests coming from thousands of different computers.

DEFENCE WAY OF PEER TO PEER ATTACKS

• Have a semi-centralised authority to track large-scale malicious P2P network activity.

• Update torrent clients, as most P2P attacks are carried out using computers running old torrent clients whose loopholes haven't been fixed.

• Encrypt P2P traffic.
