Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Page 1:

Security (Continued)

V.T. Raja, Ph.D.,

Oregon State University

Page 2:

Outline

• Denial of Service (DoS) Attack
– Smurf Attack
– Half-open telnet sessions
– SYN Flood Attack
• Distributed DoS Attack
• Network Address Translation
– NAT Proxy Server
• Demilitarized Zone (DMZ)

Page 3:

Denial of Service (DoS) Attacks

• Denial of Service attacks
– “Ping” attacks
– Smurf attack
– SYN flood attack
– Half-open telnet sessions
• Distributed Denial of Service attacks

Page 4:

Denial of Service (DoS) Attack

• Hacker attempts to disrupt the network by flooding it with messages so that the network cannot process messages from legitimate users
• Examples:
1. Hacker’s program continuously pings the target computer.
– Consequence:
– Solution:
2. Hacker’s program continuously sends “ping” requests to the target that list the target as the sender.
– Consequence:
– Solution:
3. Smurf attack: What is a smurf attack? What is the consequence of a smurf attack?
4. SYN Flood attack: What is a SYN flood attack? What is the consequence of such an attack?

Page 5:

Telnet

• A protocol used for remote login
• Does not transfer data in bulk
• Interactive
– Each character typed by the Telnet user is sent to the remote host
– The remote host sends back a copy of each character to the Telnet user, which is displayed on the Telnet user’s screen (echo back)
– Echo back is used to ensure that characters seen by the Telnet user have already been received and processed at the remote site.
– Each character thus traverses the network twice between the time the user hits the key and the time the character is displayed on the user’s monitor

Page 6:

Figure: Half-open Telnet sessions (client/server exchange diagram)

Page 7:

TCP header: Packet #s (Sequence #s)

• Assume a file has 500,000 bytes
• Assume TCP breaks this file into packets, where each packet size is 1000 bytes
• Each packet is given a packet #
• The packet # for a packet is the number of the first byte in that packet.
– The packet # of the first packet would be 1
– The packet # of the next packet would be 1001
– The packet # of the third packet would be 2001 and so on

Page 8:

TCP: Acknowledgement #

• Assume A transmits to B
• B acknowledges receipt of A’s message by specifying an acknowledgment #.
• The ACK # sent by B is the packet # of the next packet that B is expecting from A.
• Example:
– After A sends the first packet, B sends an acknowledgment to A by specifying ACK# 1001.
– After A sends the second packet, B acknowledges by specifying ACK# 2001.

Page 9:

TCP SYN for a simple Telnet application

• TCP stands for: Transmission Control Protocol

• SYN stands for: Synchronize Sequence Numbers

• Assume Client A initiates a Telnet session with Server B. Assume client A has typed the letter “C.”

Page 10:

Figure: Half-open TCP SYN (client/server exchange diagram)

Page 11:

SYN Flood Attack

• Attacker (client) sends a TCP SYN (Synchronize Sequence/Packet Number) request to the server.
• The server responds by sending a TCP SYN/ACK packet.
• The attacker does not respond, resulting in a half-open session that uses up server resources.
• The attacker sends a flood of such TCP SYN requests without responding.
• Requests from other legitimate clients are unable to reach the server due to the multiple half-open sessions.
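The server-side effect described on this slide, as an added model that is not part of the original slides: a bounded table of half-open sessions is filled by SYNs that are never completed, legitimate clients are then refused, and ageing out unanswered SYN/ACKs (the timeout value, capacity, addresses and timings are all constructed assumptions) is what frees the table again.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Models a server's backlog of half-open TCP sessions: SYN received,
    SYN/ACK sent, final ACK not yet seen (the state a SYN flood exhausts)."""
    capacity: int          # how many half-open sessions the server will hold
    timeout: float         # seconds before an unanswered SYN/ACK is discarded
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN/ACK sent
    rejected: int = 0      # SYNs dropped because the table was full

    def _expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, src, now):
        """Handshake step 1 seen; returns False if no half-open slot is free."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[src] = now      # step 2: server sends SYN/ACK and waits
        return True

    def on_ack(self, src, now):
        """Handshake step 3: the session is established and leaves the table."""
        return self.pending.pop(src, None) is not None


def run_scenario(capacity=128, timeout=60.0, flood_size=200, legit_clients=10):
    """Constructed scenario: a burst of SYNs that are never completed, followed
    5 s later by legitimate clients that finish the handshake at once.
    Returns (legit_established, legit_rejected, half_open_left)."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(flood_size):      # constructed flood: distinct sources, no ACKs
        table.on_syn(("198.51.100.%d" % (i % 250 + 1), 40000 + i), now=i * 0.01)
    established = rejected = 0
    for j in range(legit_clients):   # constructed legitimate clients
        src, t = ("203.0.113.%d" % (j + 1), 50000 + j), 5.0 + j * 0.1
        if table.on_syn(src, t):
            table.on_ack(src, t + 0.05)
            established += 1
        else:
            rejected += 1
    return established, rejected, len(table.pending)


if __name__ == "__main__":
    print("60 s timeout:", run_scenario(timeout=60.0))   # legitimate clients locked out
    print("3 s timeout: ", run_scenario(timeout=3.0))    # stale half-opens aged out first
```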

Page 12:

Distributed DoS (DDoS) attack

• In a DDoS attack, a hacker first gains control of hundreds/thousands of computers.
• Plants software referred to as a DDoS agent on each of the slaves (zombies)
• Hacker then uses software referred to as a DDoS handler (master zombie) to control the agents (slave zombies)
• Attacker launches attacks from all the slaves so that it is difficult to trace the hacker

Page 13:

High Profile Victims of DDoS

• Yahoo, eBay, Amazon and eTrade websites were rendered inaccessible to legitimate visitors after being flooded with traffic from hundreds of hijacked systems
• www.msn.com, www.expedia.com and www.carpoint.com sites were flooded by a DDoS attack for almost one day
• DDoS attack on high-level DNS servers on the Internet

Page 14:

Network Address Translation

• Network address translation (NAT) is used to shield a private network from outside interference.
• A NAT proxy server uses an address table, translating network addresses inside the organization into aliases for use on the Internet. So, internal IP addresses remain hidden.
• It is common to combine DMZ, firewalls and proxy servers. (See Figure.)
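The address table the slide refers to, as an added example that is not from the slides: each internal (ip, port) pair is given an alias port on the one public address, only the alias is visible on the Internet, and inbound packets that match no alias are dropped, which is the "shield" the slide mentions. The public address, the internal hosts and the traffic are constructed assumptions.

```python
import itertools


class NatTable:
    """Address table of a NAT proxy: every internal (ip, port) that talks to the
    Internet is given an alias port on the single public address, and only
    replies to a known alias are allowed back in."""

    def __init__(self, public_ip, first_alias_port=40000):
        self.public_ip = public_ip
        self._alias_ports = itertools.count(first_alias_port)
        self.outbound = {}   # (internal_ip, internal_port) -> alias port
        self.inbound = {}    # alias port -> (internal_ip, internal_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing header; returns (src_ip, src_port, dst_ip, dst_port)
        as seen on the Internet. The internal address never leaves the network."""
        key = (src_ip, src_port)
        if key not in self.outbound:            # first packet of this flow: allocate alias
            alias = next(self._alias_ports)
            self.outbound[key] = alias
            self.inbound[alias] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Rewrite an incoming header addressed to the public IP; returns the
        internal header, or None when no internal host solicited this traffic."""
        key = self.inbound.get(dst_port)
        if key is None:
            return None                          # unsolicited: dropped at the boundary
        return (src_ip, src_port) + key


def demo():
    """Constructed traffic: two internal hosts browse one external web server,
    the server replies to the first, then an unknown outsider probes a port."""
    nat = NatTable("198.51.100.1")                      # constructed public address
    out1 = nat.translate_outbound("10.0.0.5", 51000, "203.0.113.80", 80)
    out2 = nat.translate_outbound("10.0.0.9", 51000, "203.0.113.80", 80)
    reply = nat.translate_inbound("203.0.113.80", 80, out1[1])
    probe = nat.translate_inbound("192.0.2.77", 6000, 40002)
    return out1, out2, reply, probe


if __name__ == "__main__":
    for header in demo():
        print(header)
```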

Page 15:

Figure: Network design using firewalls, DMZ and NAT Proxy Servers