2008 Batch-I
Module VIII
Denial Of Service
Scenario
Sam heads a media group whose newspaper contributes to the major portion of the company's revenue. Within three years of its launch it toppled most of the leading newspapers in the areas of its distribution. Sam proposes to extend his reach by coming up with an online e-business paper and announces the launch date.
John, an ex-colleague of Sam and head of a rival media group, watches every move of his rival. John makes plans to foil the grand launch of Sam's e-business newspaper.
DDoS Countermeasures
Reflected DoS
and Defensive Tools
Real World Scenario of DoS Attacks
Smurf
Buffer Overflow Attack
Ping of death
Teardrop
SYN
Tribal Flow Attack
Smurf Attack
[Diagram: Smurf attack. ICMP_ECHO_REQ: Source: Target, Destination: Receiving Network. ICMP_ECHO_REPLY from the Internet: Source: Receiving Network, Destination: Target.]
Buffer Overflow attacks
Jolt2
Bubonic.c
might be vulnerable.
[Diagram: DDoS Agent Handler Model: Attackers control Handlers (H), which control Agents (A), which send the attack traffic to the Victim.]
DDoS IRC Based Model
[Diagram: Attackers issue commands through an IRC Network to the Agents (A), which send the attack traffic to the Victim.]
DDoS Attack Taxonomy
Bandwidth depletion attacks
• Flood attack
• UDP and ICMP flood
Amplification attack
• Smurf and Fraggle attack
Source: http://www.visualware.com/whitepapers/casestudies/yahoo.html
DDoS Attack Taxonomy
[Diagram: DDoS Attacks split into Bandwidth Depletion (Flood attack: UDP, ICMP; Amplification attack: Smurf, Fraggle) and Resource Depletion (SYN Attack, PUSH+ACK Attack).]
Amplification Attack
[Diagram: Attacker, Agent, Amplifier (systems used for amplifying purpose), Victim.]
Trin00
Stacheldraht
Shaft
Trinity
Knight
Mstream
Kaiten
Trinoo
[Diagram: Reflected DoS. Traffic packets are bounced off several TCP Servers (Reflection of the Exploit) toward the Target/Victim Network.]
[Diagram: DDoS countermeasures for Individual Users and Network Service Providers: MIB Statistics, Egress Filtering, Pattern analysis, Trace back, Logs, Honeypots, Install Software Patches, Built In defenses, Study Attack, Shadow Real Network Resources.]
Egress Filtering
• Scanning the packet headers of IP packets leaving a network.
• There is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network.
• Placing a firewall or packet sniffer in the sub-network that filters out any traffic without a valid originating IP address.
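The egress rule above, as an added example written for this page rather than code from the original module: a small Python filter that drops outbound packets whose source address is missing, malformed, or not inside the site's own prefixes, and counts drops per offending source so an operator can spot an internal host acting as an agent. The prefixes and packet records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Prefixes the site legitimately sources traffic from (constructed example values).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("2001:db8:10::/48")]

def valid_source(src):
    """True if src is a well-formed address inside one of the site's prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # empty or malformed source field: never forward it
        return False
    return any(addr in net for net in SITE_PREFIXES)

def egress_filter(packets):
    """Apply the egress rule to (src, dst, proto) records.

    Returns (forwarded, dropped): the packets allowed out and a Counter of
    dropped packets per source. A burst of drops from one bogus source is the
    signal to alert on: some internal host is emitting spoofed traffic.
    """
    forwarded = []
    dropped = Counter()
    for src, dst, proto in packets:
        if valid_source(src):
            forwarded.append((src, dst, proto))
        else:
            dropped[src or "<missing>"] += 1
    return forwarded, dropped

# Constructed sample of outbound packets seen at the border: (src, dst, proto).
SAMPLE_PACKETS = [
    ("203.0.113.17", "198.51.100.5", "tcp"),
    ("203.0.113.17", "198.51.100.5", "tcp"),
    ("10.9.8.7", "198.51.100.5", "icmp"),        # spoofed: not a site address
    ("192.0.2.44", "198.51.100.5", "udp"),       # spoofed: not a site address
    ("192.0.2.44", "198.51.100.5", "udp"),
    ("2001:db8:10::5", "2001:db8:ffff::1", "tcp"),
    ("", "198.51.100.5", "udp"),                 # no source address at all
    ("not-an-ip", "198.51.100.5", "udp"),        # malformed source field
]

if __name__ == "__main__":
    fwd, drops = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets, dropped {sum(drops.values())}")
    for src, n in drops.most_common():
        print(f"  dropped {n} from {src}")
```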
Mitigate or Stop the Effects of DDoS Attacks
Load Balancing
• Providers can increase bandwidth on critical connections to prevent them from going down in the event of an attack.
• Replicating servers can help provide additional failsafe protection.
• Balancing the load to each server in a multiple-server architecture can improve both normal performance and mitigate the effects of a DDoS attack.
Throttling
• This method sets up routers that access a server with logic to adjust (throttle) incoming traffic to levels that will be safe for the server to process.
Deflect attacks
Honeypots
• Honeypots are systems that are set up with limited security to be an enticement for an attacker.
• Serve as a means for gaining information about attackers by storing a record of their activities and learning what types of attacks and software tools the attackers used.
Post-Attack Forensics
Zombie Zapper: http://razor.bindview.com/tools/ZombieZapper_form.shtml
It works against Trinoo (including the Windows Trinoo agent), TFN, Stacheldraht, and Shaft. It allows the user to put the zombie attackers to sleep, thereby stopping the flooding process.
It assumes that the default passwords have not been changed. Thus the same commands which an attacker would have used to stop the attack can be used.
This tool will not work against TFN2K, where a new password has to be used during setup.
Other Tools:
NIPC Tools
Locates installations on hard drives by scanning file contents
http://www.nipc.gov
Source: http://www.ripe.net/ttm/worm/ddos2.gif
Slammer Worm