
Denial of Service Attack and Prevention
Shahzad Khan
Zohaib Mukhtar

Agenda
Where: Target Segments
Why: Reasons to Attack (DoS/DDoS)
What: General Architecture
How: Methods of Attack and Prevention
References

Brief introduction
Denial of Service
A DoS (Denial of Service) attack aims at preventing legitimate users from accessing a system, application or server they are authorized to use.
The attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its available resources.
Distributed Denial of Service (DDoS)
Many machines or agents are used to overload the victim.

Where: Target Segments
Banks
Web hosting services
Online shopping sites
Government servers
Social networks
News agencies
Educational institutes

Why: Reasons of Attack
Extortion via a threat of a DoS attack
The attacker might aim to profit directly from his perceived ability to disrupt the victim's services by demanding payment to avoid the disruption.
Turf wars and fights between online gangs
Groups and individuals engaged in Internet-based malicious activities might use DoS as a weapon against each other's infrastructure and operations, catching legitimate businesses in the crossfire.
Anticompetitive business practices
Cyber-criminals sometimes offer DoS services to take out competitors' websites or otherwise disrupt their operations.

Why: Reasons of Attack (continued)
Distraction from other malicious actions
A DoS attack might be performed just to draw the victim's attention away from other malicious intrusion activities that the attacker performs elsewhere in the victim's environment.
No apparent reason at all
Unfortunately, many DoS victims never learn what motivated the attack.

What: General Architecture
[Diagram: an attacker machine running the client program sends unidirectional commands to a layer of handlers; the handlers use coordinating communication to control a layer of agents; the agents send the attack traffic over the Internet to the target.]

How: Generate a DDoS
Generating a 65Gbps stream for an attack from only one machine is not possible.
A way to generate such a large attack is to use a botnet. A botnet is a collection of machines or networks.
The botnet is compromised through commands or software:
Penetration: the attacker gets inside the agent's machine.
Eavesdropping: the attacker gets access to the same network as the agent machine.
Man in the middle: the attacker listens to the agent machine's output and controls that output.

How: Smurf
The attacker sends sustained Internet Control Message Protocol (ICMP) echo packets (ping) to the broadcast address of the amplifying network.
The source address is forged.
All hosts of the amplifying network will answer to the victim's IP address (the forged source address).

Prevention: Smurf DDoS
Routers are configured on all interfaces to prevent the Smurf attack.
Deny the directed broadcast:
AOIP.ORG(config)# access-list 101 deny ip any host 192.168.1.255 log
Allow unicast traffic:
AOIP.ORG(config)# access-list 101 permit ip any 192.168.1.0 0.0.0.255 log
Attach the ACL to the interface for inbound traffic:
AOIP.ORG(config)# interface fa0/0
AOIP.ORG(config-if)# ip access-group 101 in
AOIP.ORG(config-if)# exit
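As an added example (not from the slides or the AOIP.ORG tutorial), the Python below evaluates the slide's ACL 101 the way a Cisco router would: first matching entry wins, wildcard-mask bits set to 1 are "don't care", and an extended ACL ends in an implicit, unlogged deny. The sample packets and the 203.0.113.9 source address are constructed for illustration; note that the second entry would also match 192.168.1.255, so the order of the two lines is what makes the directed-broadcast deny effective.

```python
# Added example: evaluate the slide's Cisco-style extended ACL 101 in Python.
# Addresses in the samples are constructed, not taken from any real network.
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


# Entry layout: (action, src_base, src_wildcard, dst_base, dst_wildcard, log)
# "any"    -> base 0.0.0.0 with wildcard 255.255.255.255
# "host X" -> base X with wildcard 0.0.0.0
# These are the two lines of ACL 101 from the slide, in the order entered.
ACL_101 = [
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.1.255", "0.0.0.0",   True),
    ("permit", "0.0.0.0", "255.255.255.255", "192.168.1.0",   "0.0.0.255", True),
]


def evaluate(acl, src, dst):
    """Return (action, logged) for a packet; first match wins, implicit deny last."""
    for action, sb, sw, db, dw, log in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, log
    return "deny", False  # implicit deny at the end of every extended ACL


def classify(acl, packets):
    """Map each (src, dst) pair to the ACL verdict it receives."""
    return {(s, d): evaluate(acl, s, d)[0] for s, d in packets}


if __name__ == "__main__":
    # Constructed samples: a Smurf-style ping to the directed broadcast,
    # a unicast ping into the LAN, and traffic aimed at some other network.
    samples = [("203.0.113.9", "192.168.1.255"),
               ("203.0.113.9", "192.168.1.10"),
               ("203.0.113.9", "10.0.0.1")]
    for (s, d), verdict in classify(ACL_101, samples).items():
        print(f"{s} -> {d}: {verdict}")
```

Because the permit line covers only 192.168.1.0/24, any inbound packet to another destination also falls through to the implicit deny; an ACL like this must therefore be reviewed against all traffic the interface is expected to carry.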

How: SYN Flood
TCP three-way handshake
The attacker sends a SYN packet to the victim, forging a non-existent IP address as the source.
The victim replies with SYN/ACK but receives neither ACK nor RST from the non-existent IP address.
The victim keeps the potential connection in a queue in the SYN-RECEIVED state; the queue is small, and it takes some time for the timeout to flush the queue (e.g. 75 seconds).
If a few SYN packets are sent by the attacker every 10 seconds, the victim will never clear the queue and stops responding to legitimate users.
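As an added example (not from the slides), the Python below simulates the victim's SYN-RECEIVED queue with the timing the slide describes: a 75-second timeout and a few forged SYNs every 10 seconds. The queue size of 8, the burst of 3 SYNs and the legitimate arrival times are assumed values chosen for illustration; the second run shortens the half-open timeout to show why that classic mitigation lets legitimate SYNs through again.

```python
# Added example: simulate a small SYN-RECEIVED backlog under a slow SYN flood.
# Queue size, burst size and arrival times are assumed, not measured values.

def simulate_backlog(queue_size, timeout, syn_burst, burst_period,
                     legit_times, duration):
    """Return the set of legitimate SYN arrival times (seconds) that were dropped.

    Half-open entries created by forged SYNs never complete, because no ACK
    or RST ever comes back, so each one stays until `timeout` seconds pass.
    """
    backlog = []            # arrival times of half-open entries still queued
    dropped = set()
    legit = set(legit_times)
    for t in range(duration):
        # expire entries whose timeout has elapsed
        backlog = [a for a in backlog if t - a < timeout]
        # attacker sends a burst of forged SYNs every burst_period seconds
        if t % burst_period == 0:
            for _ in range(syn_burst):
                if len(backlog) < queue_size:
                    backlog.append(t)
        # a legitimate SYN arriving now is dropped if the queue is full
        if t in legit and len(backlog) >= queue_size:
            dropped.add(t)
    return dropped


def steady_state_occupancy(syn_burst, burst_period, timeout):
    """Forged entries alive at once after the attack has run for `timeout` s."""
    return syn_burst * (timeout // burst_period)


if __name__ == "__main__":
    legit = [5, 30, 60, 120, 200]
    # slide scenario: queue of 8, 75 s timeout, 3 forged SYNs every 10 s
    print("dropped with 75 s timeout:", sorted(simulate_backlog(8, 75, 3, 10, legit, 240)))
    print("steady-state half-open entries:", steady_state_occupancy(3, 10, 75))
    # shorter half-open timeout: 3 * (20 // 10) = 6 entries, below the queue of 8
    print("dropped with 20 s timeout:", sorted(simulate_backlog(8, 20, 3, 10, legit, 240)))
```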

How: SYN Flood
[Figure: Normal Connection compared with SYN flooded connection]

SYN Flood: Prevention
Firewall rules to protect against SYN attacks
Allow or deny protocols, ports, IP addresses.
In case of an attack, a simple rule can drop all incoming traffic from that source.
Protection using switches
Most switches have rate-limiting and ACL capability.
Automatic rate limiting, traffic shaping, delayed binding.
Bogon filtering (bogus IP filtering)

Using IDS and IPS
Complex IDS and IPS for big organizations.
Snort is a free and open source IDS/IPS for small organizations.
Configure the system to block all kinds of DoS attacks.

How: Bottleneck
The attacker shuts down the victim's connection by overloading the slow part of the connection line.
Bottleneck Prevention
Strategic firewall placement
The company's firewall is placed on the ISP's premises.
This shortens the connection line between the ISP and the router/firewall.

Cost of DDoS attack for Victim Organization

References
https://blog.cloudflare.com/65gbps-ddos-no-problem/
https://en.wikipedia.org/wiki/IP_address_spoofing
https://en.wikipedia.org/wiki/Smurf_attack
http://www.academia.edu/9966857/DDoS_SYN_Flooding_Mitigation_and_Prevention
http://www.anythingoverip.co.za/tutorials/course-content/iscw/mitigating-smurf-dos-attacks/
http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-34/syn-flooding-attacks.html
CERT, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks," September 1996.
https://hakin9.org/syn-flood-attacks-how-to-protect-article/
Candid Wueest, "The continued rise of DDoS attacks," Version 1.0, October 21, 2014, 13:00 GMT. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf

Thank You!
Team 20
Shahzad Khan
Zohaib Mukhtar
