
Information systems slide denial of service attacks


DOCUMENT INFORMATION

Denial of Service Attacks: Methods, Tools, and Defenses
Prof Mort Anvari, Strayer University at Arlington

Outline
- Introduction
- Basic types of DoS attacks
- Evolution of DoS tools
- Overview of DoS tools
- Defenses

What is a Denial of Service Attack?
"Attack in which the primary goal is to deny the victim(s) access to a particular resource." (CERT/CC)
- Very wide definition, covers lots of cases
- This tutorial covers only a subset of all DoS attacks

Modes of Denial of Service Attack
- Consumption of limited resources:
  - Network connectivity
  - Bandwidth consumption
  - Other resources: processing time, disk space
- Lockout of an account
- Alteration of configuration information

DoS Attacks - Statistics
- There are more than 4000 attacks per week
- During 2000, 27% of security professionals detected a DoS attack against their system
- In the February 2000 attacks, the stream going to one of the affected sites was about 800 Mb/s

DoS Attacks - Statistics
Overall Internet performance degradation during the February 2000 attacks (source: Keynote Systems)

Date      PPW    PAW    CPW
Feb 7th   5.66   5.98   +5.7%
Feb 8th   5.53   5.96   +7.8%
Feb 9th   5.26   6.67   +26.8%
Feb 10th  4.97   4.86   -2.2%

PPW: performance in the previous week; PAW: performance in the attacking week; CPW: change from the previous week

DoS Attacks - Basics
An attack has two phases:
1. Installation of DoS tools
2. Committing the attack

Installation of DoS tools:
- Finding a suitable machine:
  - Unprotected ports
  - Vulnerable services
  - Errors in operating systems
  - Trojan horses and worms
- Installation of the tool itself
- Installation of a root-kit

Ping of Death (slide 10)
- Maximum size of a TCP/IP packet is 65536 bytes
- An oversized packet may crash, freeze or reboot the system
- Obsolete

[Slides 11 to 26 are missing from the preview text.]

DoS Attacks - Tools: Stacheldraht (slide 27)
Several levels of protection:
- Hard-coded password in the client
- A password is needed to take control over a handler
- Encrypted communication between handler and agent

DoS Attacks - Tools: Stacheldraht (slide 28)
- Automated update of agents
- TCP is used for communication between client and handler, and ICMP_ECHOREPLY for communication between handler and agent

DoS Attacks - Tools: Stacheldraht (slide 29)
- ICMP_ECHOREPLY packets are difficult to stop
- Each agent has a list of its handlers (Blowfish encrypted); if there is no such list, the agent uses several hard-coded IP addresses
- The agent tests whether it is possible to spoof the source address

DoS Attacks - Tools: Stacheldraht (slide 30)
- Weakness: it uses the rpc command for update
- Listening on this port can lead to detection of an agent
- Drawback: this can generate a lot of false alarms (rpc is used by legitimate users too)

Defenses (slide 32)
- There is no universal solution
- Some precautions can help minimize the damage:
  - Prevent your systems from becoming the source of an attack
  - Prepare for defending against an attack

Defenses (slide 33)
- Disable and filter out chargen and echo services
- Disable and filter out all unused UDP services
- Good practice is to block all UDP ports below 900 (excluding some specific ports like DNS)

Defenses (slide 34)
Install a filtering router to block the following cases:
- Do not allow a packet to pass if it is coming into your network and has a source address from your network
- Do not allow a packet to pass if it comes from your network and has a source address that doesn't belong to your network

Defenses (slide 35)
- Network administrators should log all information on packets that are dropped
- If you are providing external UDP services, monitor them for signs of misuse

Defenses (slide 36)
The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:
- 10.0.0.0 to 10.255.255.255 (reserved)
- 127.0.0.0 to 127.255.255.255 (loopback)
- 172.16.0.0 to 172.31.255.255 (reserved)
- 192.168.0.0 to 192.168.255.255 (reserved)
- 0.0.0.0 and 255.255.255.255 (broadcasts)

Defenses (slide 37)
- Routers, machines, and all other Internet-accessible equipment should be periodically checked to verify that all security patches have been installed
- Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, root-kits, back doors, etc.)

Defenses (slide 38)
- Train your system and network administrators
- Read security bulletins like www.cert.org, www.sans.org, www.eEye.com
- From time to time listen in on the attacker community to be informed about their latest achievements
- Be in contact with your ISP; if your network is being attacked, this can save a lot of time

Conclusion (slide 39)
- Several examples of large-scale DoS attacks (Yahoo, eBay, CERT, FBI, Amazon)
- Increased number of consumers with high-bandwidth technologies but poor knowledge of network security
- Easily accessible, easy-to-use DoS attack tools
- No final solution for attacks

Credits (slide 40)
This tutorial is based on a research paper done for isitworking.com. Isitworking is part of the Biopop company, Charlotte, NC, USA. So far it has been presented at:
- SSGRR 2002w, L'Aquila, Italy
- YU-INFO 2002, Kopaonik, Serbia
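The filtering-router rules from the defenses slides (ingress/egress anti-spoofing, the reserved-network list, the "block UDP below 900 except DNS" rule, and logging of every dropped packet) combined into one decision function. This is an added example written for this page, not code from the slides or from Prof Anvari; the network prefix 203.0.113.0/24 standing in for "our network", the other RFC 5737 documentation addresses, and the sample packets are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ranges the defenses slide lists as never to be received from or sent to
# through a border router (RFC 1918 private space, loopback, broadcast).
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",          # reserved (private)
    "127.0.0.0/8",         # loopback
    "172.16.0.0/12",       # reserved (private)
    "192.168.0.0/16",      # reserved (private)
    "0.0.0.0/32",          # broadcast / "this host"
    "255.255.255.255/32",  # limited broadcast
)]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": arriving from the Internet; "out": leaving our network
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port for tcp/udp, 0 for icmp


class BorderFilter:
    """Router-style filter: anti-spoofing in both directions, reserved-range
    blocking, and inbound UDP below a cutoff blocked except for listed ports."""

    def __init__(self, our_prefix, udp_allowed=(53,), udp_block_below=900):
        self.our_net = ipaddress.ip_network(our_prefix)
        self.udp_allowed = set(udp_allowed)   # e.g. DNS stays reachable
        self.udp_block_below = udp_block_below

    def decide(self, pkt):
        """Return ("accept", "") or ("drop", reason) for one packet."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # Reserved ranges must not cross the router in either direction.
        for net in RESERVED_NETWORKS:
            if src in net or dst in net:
                return "drop", f"reserved range {net}"
        # Ingress rule: a packet from outside cannot carry one of our addresses.
        if pkt.direction == "in" and src in self.our_net:
            return "drop", "ingress: source claims to be inside our network"
        # Egress rule: a packet leaving us must carry one of our addresses.
        if pkt.direction == "out" and src not in self.our_net:
            return "drop", "egress: source is not one of our addresses"
        # Unused low UDP services (chargen, echo, ...) are not offered externally.
        if (pkt.direction == "in" and pkt.proto == "udp"
                and pkt.dport < self.udp_block_below
                and pkt.dport not in self.udp_allowed):
            return "drop", f"udp/{pkt.dport} below {self.udp_block_below} not allowed"
        return "accept", ""

    def run(self, packets):
        """Apply the filter; return accepted packets and one log line per drop."""
        accepted, log = [], []
        for pkt in packets:
            verdict, reason = self.decide(pkt)
            if verdict == "accept":
                accepted.append(pkt)
            else:
                log.append(f"DROP {pkt.direction} {pkt.proto} "
                           f"{pkt.src}->{pkt.dst}:{pkt.dport} ({reason})")
        return accepted, log


# Constructed sample traffic: 203.0.113.0/24 plays "our network", the other
# RFC 5737 documentation ranges play the outside world.
OUR_PREFIX = "203.0.113.0/24"
SAMPLE_PACKETS = [
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 80),   # ordinary inbound web request
    Packet("in", "203.0.113.5", "203.0.113.10", "tcp", 80),    # inbound with our own source: spoofed
    Packet("out", "192.0.2.9", "198.51.100.7", "udp", 53),     # outbound with foreign source: spoofed
    Packet("in", "10.1.2.3", "203.0.113.10", "icmp"),          # private source arriving from the Internet
    Packet("in", "198.51.100.7", "203.0.113.53", "udp", 53),   # DNS is explicitly allowed
    Packet("in", "198.51.100.7", "203.0.113.10", "udp", 19),   # chargen, disabled per the slides
    Packet("out", "203.0.113.10", "198.51.100.7", "tcp", 443), # normal outbound from our address
]


def filter_sample():
    """Run the filter over the constructed traffic; returns (accepted, drop_log)."""
    return BorderFilter(OUR_PREFIX).run(SAMPLE_PACKETS)


if __name__ == "__main__":
    accepted, log = filter_sample()
    print(f"accepted {len(accepted)} of {len(SAMPLE_PACKETS)} packets")
    print("\n".join(log))
```

The reserved-range check runs first so that a private source address is reported as such rather than as a generic spoof, and the UDP cutoff applies only to inbound traffic, matching the slide's "external UDP services" wording; the drop log is what slide 35 asks administrators to keep.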

Posted: 08/01/2018, 10:37
