DDOS Attack was the first attack in the world and it was the biggest one. This presentation was part of the "Networking" Subject.

1. DoS & DDoS
Attacks

2. OUTLINE
• “DoS Attacks” – What Is
• History
• Types
• Main targets
• How to Defend

3. 3
• A DoS attack: preventing legal users, authorized access to a
system resource . The attacker uses specialized software to send
a flood of data packets to the target Device .
• DDoS ( distributed DoS attacks)
the attacker gains illegal administrative access to as many computers on the
Internet as possible and uses the multiple computers to send a flood of data
packets to the target Device
DoS = when a single host attacks
DDoS = when multiple hosts attack simultaneously
WHAT IS “DOS ATTACK”

5. Effect
• Too expensive
• Hard to prove who used the computer

6. Aim OF “DOS ATTACKS”

Purpose is to shut down a site, not penetrate it. may be
vandalism(including terrorism)
• Modification of internal data, change of programs

overloading the victim's resources

7. HISTORY
Morris Worm (November 2, 1988)
• First DDoS attack to cripple large amounts of network
infrastructure
• Self-replicating, self-propagating.
• Exploited software commonality (monoculture)

8. HISTORY
Morris Worm effect
• Infected systems became “catatonic “
• Took roughly three days to come under control
• Ultimately infected 10% of Internet computers (6,000) and
cost $ millions to clean up.
• Morris convicted under computer fraud and abuse act, three
years probation, fine of $10,000, he is now prof. At MIT

9. ESTONIAN CYBERWAR, 2007
• Weeks of cyber attacks followed, targeting government and banks,
ministries, newspapers and broadcasters Web sites of Estonia.
•
• 128 unique DDoS attacks
• Used hundreds or thousands of "zombie" computers and pelted Estonian
Web sites with thousands of requests a second

10. ESTONIAN CYBERWAR, 2007
• The attack heavily affected infrastructures of
all network:
– Routers damaged.
– Routing tables changed.
– DNS servers overloaded.
– Email servers mainframes failure, and etc.

11. In Feb 2000, series of massive DoS attacks incapacitated several high-
visibility Internet e-commerce sites, including Yahoo, Ebay and E*trade
In Jan 2001, Microsoft’s name sever infrastructure was disabled
>>98% of users could not get to any Microsoft’s servers
In Oct 2002, all Domain Name System servers were attacked
Attack lasted only an hour
9 of the 13 servers were seriously affected
In Aug 2009, the attack on Twitter and Facebook
HISTORY

12. Why should we care?
Internet is now a critical resource whose disruption has financial
implications, or even dire consequences on human safety
 Cybercrime and cyberwarfare might use of DoS or DDoS as a potential
weapon to disrupt or degrade critical infrastructure
 DDoS attacks are a major threat to the stability of the Internet

13. Pa
ge
The DoS Attack Surface
 Any part of your network or
services that is vulnerable to
an attack
– Network Interfaces
– Infrastructure
– Firewall/IPS
– Servers
– Protocols
– Applications
– Databases
 Attackers will find the
weakness

14. Distributed Denial-of-service
Attacker uses multiple PCs for DoS by:
Utilizing vulnerabilities to gain access to these systems
Installing malicious backdoor programs , thereby making zombies
Creating botnets: large collection of zombies under the control of
attacker
Generally, a control hierarchy is used to create botnets
Handlers: The initial layer of zombies that are directly controlled by the
attacker
Agent systems: Subordinate zombies that are controlled by handlers
Attacker sends a single command to handler, which then automatically
forwards it to all agents under its control
Example: Tribe Flood Network (TFN), TFN2K

15. 15
How They Work ?
Victim
Daemon
Daemon
Daemon
Daemon
Daemon
Master
Real Attacker

16. 16
How They Talk ?
Trinoo tool: attacker uses TCP; masters and daemons
use UDP; password authentication.
TFN ”Tribe Flood Network" tool: attacker uses shell to
invoke master; masters and daemons use ICMP
ECHOREPLY.
Stacheldraht tool: attacker uses encrypted TCP
connection to master; masters and daemons use TCP
and ICMP ECHO REPLY; rcp used for auto-update.

17. Approaches to DOS ATTACKS
Flooding attack
Work by sending a vast number of messages whose processing consumes
some key resource at the target
The strength lies in the volume, rather than the content
Implications :
 Make the traffic look legitimate
 Flow of traffic is large enough to consume victim’s resources
 Send with high packet rate

18. Pa
ge
Flooding DDoS

19. Internet designed for minimal-processing and best-effort forwarding
any packet
 Make shrewd use of flaws in the Internet design and systems
Vulnerability attack
 Vulnerability : a bug in implementation or a bug in a default configuration
of a service
 Malicious messages (exploits) : unexpected input that utilize the
vulnerability are sent
 Consequences :
 The system slows down or crashes or freezes or reboots
 Target application goes into infinite loop
 Consumes a vast amount of memory
 Ex : Ping of death, teardrop attacks, etc.
Approaches to DOS ATTACKS

20. HOW TO DEFEND
• Firewalls - can effectively prevent users from launching simple
flooding type attacks from machines behind the firewall.
• Switches - Some switches provide automatic and/or system-
wide rate limiting, traffic shaping, delayed binding to detect
and remediate denial of service attacks
• Routers - If you add rules to take flow statistics out of the
router during the DoS attacks, they further slow down and
complicate the matter
• DDS based defense
• Clean pipes
Distributed Denial of Service Attacks could be Detected
by Monitoring the Source IP.

21. Airmon-ng start wlan0
Airodump-ng wlan0mon >> get mac Add. And target
channel
Iwconfig wlan0mon channel # >> edit your channel to
the target channel
Aireplay -0 500 -a MAC ADD. wlan0mon
-0> send deauthentication messages
500 > # of packets to send
-a > option [mac address the the interface ]
HOW TO DO THAT

22. Thanks for your attention!