2. Agenda
Information Security Incident Handling
1 The Denial of Service attack
2 Detection and Analysis
3 Containment, Eradication, and Recovery
4 Post-Incident Recovery
5 Maintaining network security
3. DoS
DoS does not stand for "Department of Something"!
Denial of Service = Availability
Some security threats affect Confidentiality... Others impact the Integrity of information... DoS is a kind of information security attack on networks, systems and applications, carried out in order to make them unavailable to the legitimate users.
What is the DoS all about?
• It is not about gaining unauthorized access to a system
• It is not about corrupting data
• It is not about cracking any password
It is not about Confidentiality or Integrity. It is about: Availability
4. DoS
What happens when a DoS attack is going on?
Networks:
• Network performance is compromised
• Broadcasts are sent on the same frequencies as the wireless devices
• Network components are modified or destroyed
Computers:
• OSs are crashed by the action of malformed TCP/IP packets
• Servers establish too many simultaneous login sessions
• Too many processor-intensive requests are made
• Large files are created
Applications:
• Applications crash by receiving illegal requests
• Applications on the Web tier, Application tier and Data tier can be affected
5. Distributed Denial of Service (DDoS)
How does it work?
1. DDoS Agents are installed on the hosts
• Agents are installed on compromised hosts
• They perform the attacks
• They are also called "bots"
• The set of hosts running bots is called a "botnet"
2. The Handler instructs the DDoS Agents
• It is a program that controls the agents
• The handler says:
  - When to attack
  - What to attack
  - How to attack
3. DDoS Agents attack the victim networks and hosts
• Bots follow the instructions
• Bots attack the targeted victims
• The bots could be pre-programmed to attack
• The attacker can also communicate with the bots via IRC
6. DDoS
The three types of DDoS attacks
Reflector Attacks
• A UDP-based service is used to attack
• An intermediate host is used to attack the victim
• The intermediate host is called the Reflector
• The real source is hidden behind a spoofed address
• Loops between Ports 7 (Echo) and 19 (Chargen)
Amplifier Attacks
• Also involves sending requests with a spoofed source address
• Uses a whole network of intermediate hosts
• Uses ICMP and UDP requests to broadcast addresses
• E.g.: DNS recursive attack
Flood Attacks
• Use a large number of incomplete connection requests
• Prevent new connections from being made
• Examples: SYN Flood and peer-to-peer attacks
• Can be carried out by sending UDP, ICMP and TCP packets
7. Detection and Analysis
Precursors
• Reconnaissance activity
  - Usually a low volume of traffic
  - Handlers could detect preparation for a DoS attack
  - Change the security implementation as a response
• Newly released DoS tool
  - Usually a low volume of traffic
  - Investigate the new tool and change the security controls
8. Detection and Analysis
Indications
• Network-based DoS against a host
• Network-based DoS against a network
• DoS against the Operating System
• Layer 7 DoS attack - against an application/service
9. Detection and Analysis
Additional Challenges
• Trace the source of attacks
• The IP of the handler is not visible
• False positive alerts
• Server crashes and service outages resulting from attacks
10. Containment, Eradication and Recovery
Performing containment, gathering and handling evidence for DoS incidents
Containment for a DoS incident
1. Stop the bleeding
It usually consists of STOPPING the DoS. It is not too easy! Try all possible solutions for containing a DoS attack:
• Correct the Vulnerability
• Implement Filtering based on the characteristics of the attack
• The ISPs are key partners against the network-based DoS
• Hide the target
2. Eradication & Recovery
3. Clean up the house
11. Post-incident Recovery
Corrective and Preventive actions
• Hold a lessons learned meeting
• Configure firewall rulesets to prevent reflector attacks
• Configure border routers to prevent amplifier attacks
• Implement/Configure NIDS and HIDS to detect DoS attacks
• Create and maintain a multi-solution containment strategy
• Separate critical services
• Create a follow-up Report
12. Maintaining network security
How can employees help maintain network security?
• Only provide username and password on certified websites
• Don't accept any kind of software installation through the Internet
• Be aware of Social Engineering. Email messages can be used for identity theft and phishing
• Don't click on suspicious email attachments
• Prefer to use BCC when sending emails to multiple recipients
• Emails are usually sent in clear-text format
• Don't forward any email chain letters
13. References
• Scarfone, K., Grance, T., & Masone, K. (2008). Computer Security Incident Handling Guide, NIST 800-61. Gaithersburg, MD: National Institute of Standards and Technology.
• EC-Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.
Editor's notes
By Marcelo Silva
The Denial of Service (DoS) is an attack that, by overloading a network's or system's resources, brings the system down, or at least significantly reduces network availability and system performance, in order to prevent the authorized users' access. Some of the DoS attacks are listed below:
• Flooding the network or host with more traffic or requests than can be handled
• Flooding a service with more events than it can handle
• Crashing a TCP/IP stack by sending corrupt packets
• Crashing a service by interacting with it in an unexpected way
• Hanging a system by causing it to go into an infinite loop
Networks are affected in their bandwidth. Operating systems are impacted in their CPU, memory and disk space. Services/applications are affected in their ability to respond to requests. Network devices are affected in their ability to do their job (router = routing, switch = managing traffic, firewall = filtering/blocking/allowing/detection...). Therefore, the DoS attack is against the availability of the systems and the communication networks.
DoS attack against Networks
• The attacker uses all available network bandwidth by generating a large volume of traffic.
• Another way to attack network availability is broadcasting on the same frequencies used by a wireless network to make it unusable.
• The network is also compromised when an attack causes physical destruction or alteration of the network components.
DoS attack against Computers
• Malformed TCP/IP packets are sent to a server so that the operating system will crash.
• Establishing many simultaneous login sessions to a server so that legitimate users cannot log in.
• Making many processor-intensive requests so that the server stops responding.
• Consuming all available disk space by creating a high number of large files.
DoS attack against Applications
• Sending illegal requests to an application to crash it.
• Web servers, application servers and database servers can be affected by the DoS attack.
DDoS is a well-coordinated Denial of Service attack that is launched indirectly through many compromised computers on the Internet, against the service availability of a victim's network or systems. The three steps of the DDoS attack:
1. Attackers compromise hosts on the Internet and deploy bots on them
2. Attackers use a handler to instruct the agents (or do so by pre-programming those bots) on what, when and how to attack
3. The botnet initiates the attack according to the instructions
Usually the attacker uses thousands of bots when performing a DDoS attack.
Reflector Attacks
Attackers like to use spoofed source addresses in order to hide the real source of the attack.
• The attacker sends UDP packets to the Reflector, using spoofed IP addresses
• The host generates a reply to each request and sends the replies to the spoofed address
• Then a potential loop occurs, generating high network traffic and processing activity
It is worth mentioning that during that type of attack, a DoS could happen to the Reflector, to the host at the spoofed address, or to both hosts. Some common ports/services used by the reflector attack are: Echo (7), Chargen (19), DNS (53), SNMP (161), ISAKMP (500).
Amplifier Attacks
That kind of attack tries to exploit the broadcast address, expecting that many hosts will respond to it. This attack can be blocked by properly configuring the border routers not to forward directed broadcasts. One example of an Amplifier attack is a DNS recursion attack. That is why the DNS server should be configured as non-recursive.
Flood Attacks
As stated by the EC Council (2010) on DDoS flood attacks, "zombies flood victim systems with IP traffic. The large volume of packets that zombies send to victim systems slows down the systems, crashes the systems, or saturates the network's bandwidth". In UDP attacks, for example, the large number of packets can saturate the network, impacting network performance for legitimate service requests.
As indicated by Scarfone, Grance and Masone (2008), "DoS attacks can be detected through particular precursors and indications". Thus, by observing these precursors and indications, we are able to prevent and proactively act in order to avoid the unavailability of systems and applications. The first step an attacker performs before a DoS attack is some reconnaissance. Those activities include network scanning and some tests to determine which attacks would be more effective. Handlers could detect this preparation-phase activity; however, the attacker can use techniques to ensure the network traffic does not reach the common thresholds used to trigger monitoring alarms. If handlers are able to detect these reconnaissance activities, the company can proactively change its security controls, such as firewall rules, to block a specific protocol or port from being used. Another action/response could be hiding a vulnerable host until the vulnerability or weakness is corrected. Another DoS attack precursor, one that could represent a significant threat to an organization, is the release of a new DoS tool. In this case, the company should investigate that tool further and change its security controls accordingly. This way, the organization will be able to effectively avoid such an attack.
In addition to the precursors, there are also indications that a DoS attack is ongoing. Below are some indications for each type of DoS attack:
Network-based DoS attack against a host
• Server crash
• System unavailability reported by users
• Alerts from the IDS/IPS
• Alerts/events at the HIDS on the host
• Large number of connections detected on a single host
• Packets with unusual source IP addresses
• Server logs
Network-based DoS attack against a network
• System and network unavailability reported by the users
• Alerts from the NIDS
• Unexplained connection losses
• Network activity and bandwidth increased for no reason
• Packets with non-existent destination IP addresses
• High volume of incoming traffic and low volume of outgoing traffic
DoS attack against the Operating System
• Continuous server crashes
• System and application unavailability reported by users
• Alerts from the NIDS/HIDS
• Server logs (system and application events/logs)
• Packets with unusual source IP addresses
Layer 7 DoS attack against a Web Application / Web Server / Web Service / Database
• Application unavailability reported by users or other systems
• Alerts from the NIDS/HIDS
• Application logs from the Web tier, Application tier and Data tier
• Packets with unusual source IP addresses
Trace the source of attacks
Spoofed IP addresses are used for that kind of attack, by using connectionless protocols (UDP/ICMP) or connection-oriented protocols without establishing the connections properly (TCP SYN packets).
The IP of the handler is not visible
DDoS attacks usually use thousands of bots/zombies, which are activated by the controller. The victims cannot see the IP of the handler, and if they could, it would probably be the IP of one of the compromised computers/hosts, not of the real attacker.
False positive alerts
Network-based DoS attacks are difficult for the IDPS sensors to detect with a high level of accuracy. SYN flood is one of the most common kinds of false positive on detection systems. A quick port scan, for example, could be detected as a SYN flood attack.
Server crashes and outages resulting from attacks
Usually server crashes and service outages are related to hardware failures, bad drivers or physical failures. However, DoS attacks can cause them, and most systems administrators will not realize that an attack has just occurred.
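The port-scan-versus-SYN-flood false positive described above, worked through on constructed SYN records; this is an added example, not code from the slides or the cited references, and the thresholds are assumptions that a real sensor would take from its traffic baseline.

```python
"""Tell a SYN flood apart from a quick port scan in SYN-only packet records.

Added example, not code from the slides or the cited references. The flow
records are constructed and the thresholds are assumptions.
"""
from collections import defaultdict


def constructed_syn_records():
    """Constructed SYN-only packets as (src_ip, dst_ip, dst_port) tuples."""
    records = []
    # 1. SYN flood: 200 half-open SYNs against 10.0.0.5:80 from 200 different
    #    (spoofed) sources taken from a documentation address range.
    records += [(f"198.51.100.{i}", "10.0.0.5", 80) for i in range(1, 201)]
    # 2. Quick port scan: one source probes 50 ports on 10.0.0.7, one SYN each.
    records += [("192.0.2.66", "10.0.0.7", port) for port in range(20, 70)]
    # 3. Ordinary traffic: five clients opening HTTPS on 10.0.0.9.
    records += [(f"192.0.2.{i}", "10.0.0.9", 443) for i in range(1, 6)]
    return records


def classify_syn_activity(records, flood_threshold=100, scan_threshold=20):
    """Label SYN activity per target and per (source, host) pair.

    A flood concentrates many SYNs on one host:port, often from many spoofed
    sources; a scan is one source touching many ports with one SYN each.
    Because SYNs are counted per host:port, the scan's 50 single SYNs never
    reach the flood threshold, which avoids the false positive the slides
    warn about.
    """
    syns_per_target = defaultdict(list)   # (dst, dport) -> [src, ...]
    ports_per_pair = defaultdict(set)     # (src, dst)   -> {dport, ...}
    for src, dst, dport in records:
        syns_per_target[(dst, dport)].append(src)
        ports_per_pair[(src, dst)].add(dport)

    findings = []
    for (dst, dport), sources in syns_per_target.items():
        if len(sources) >= flood_threshold:
            findings.append({"type": "syn_flood", "target": (dst, dport),
                             "syn_count": len(sources),
                             "distinct_sources": len(set(sources))})
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_threshold:
            findings.append({"type": "port_scan", "host": dst,
                             "source": src, "ports_probed": len(ports)})
    return findings


if __name__ == "__main__":
    for finding in classify_syn_activity(constructed_syn_records()):
        print(finding)
```

The distinct-source count is reported because a flood from many addresses that never complete a handshake is the spoofing pattern described above; a single-source flood is still a flood.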
The Containment phase is focused on suspending the intrusion before it impacts more and more resources and the number of affected users and applications increases. It is not that easy to stop a DoS attack; that is why all possible solutions for containing the attack should be attempted. Below are some actions for containing a Denial of Service:
Close the gap: The vulnerability that is being exploited by the attack should be corrected. Patches and hotfixes should be applied to operating systems and applications; services should be reconfigured and filters altered to block packets of a specific protocol. Also, an attacked host could be removed from the network as a temporary containment measure.
Implement filtering accordingly: Identify the characteristics of the attack and change/implement filtering against them. If the attack is using ICMP echo requests, temporarily block that traffic on the network. If there is a SYN flood against one particular host, block the SYN packets to that host on the port being attacked, or alter the limit of packets per second to that particular host/port.
The ISPs are the first allies: The ISPs should act right away to implement filtering that blocks activity related to the network-based DoS. Correcting OS and application vulnerabilities inside the company will not be worth anything if the Internet Service Providers do not implement adequate filtering to contain the DoS from the external hosts.
Hide the target: It is one of the last measures to be taken. If other containment measures are not working, then try to change the host IP address, change the subnet, or even move the service to a different host. But make sure that host does not have the same vulnerability; otherwise the sophisticated tools used by the attacker could easily detect the new victim.
Clean up the house: It is necessary to bring the systems back to normal operations.
For that, the organization should remove all configuration changed by the DoS attack and, in the case of an internal attack, remove malicious code from the hosts and from the rules of routers and firewalls. After the incident, the affected systems should be up and running, and applications and services tested for their functionality. Recovery from the incident is necessary.
During the evidence-gathering phase after a DoS/DDoS attack, it is hard for the IT security team to collect substantial proof, for reasons such as tracing the attacks, identifying the real source IP addresses, or even mining the information in the log entries. Getting the cooperation of the ISPs, telling the spoofed addresses apart from the real ones, and extracting good information from the large log files are some of the challenges of this task.
Lessons learned
It is very important to answer the basic questions such as Why? What? When? and, if possible, Who? Evaluate which security measures worked and which did not, and define what improvements should be made in order to avoid similar incidents in the future.
Configure/Reconfigure firewall rules
Network-based and host-based firewalls are great weapons against reflector attacks. The firewall rulesets should be reviewed and reconfigured so that they can stop that type of DDoS attack.
Implement/Configure border routers against amplifier attacks
Broadcasts must be blocked on the border routers in order to block amplifier attacks. Create rules to not forward that kind of traffic.
NIDS/NIPS and HIDS to detect attacks
Intrusion detection and prevention systems, on the network and on hosts, can be helpful in detecting reconnaissance and other suspicious activity related to DoS attacks.
Create and maintain a multi-solution containment strategy
Since no single solution can stop a DoS attack, the company should have a bundle of solutions pre-defined, in sequence, to be attempted when handling an incident.
Separate critical services
As a good practice, critical services should be separated from non-production or non-critical services, being placed on separate networks and VLANs, or even at different sites. Thus, services more susceptible to failure or intrusion are kept apart from the critical layer of service.
Also, demilitarized zones (DMZ) must be created for Internet-facing services. Medium and large enterprises often separate their applications into different environments, such as Development, QA and Production, as a way to secure their most valuable and critical services.
Create a follow-up Report
Document all impacts that occurred during the incident, as well as the countermeasures that were taken. Take note of the issues that were addressed and which ones were escalated to be addressed in post-incident actions. Indicate who was responsible for which task/action and the deadlines. Make sure the incident was reported properly to the managers, directors and authorities.
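The reflector and amplifier patterns from the DDoS notes, turned into the checks a NIDS or border-router log review would apply after the hardening steps above (directed broadcasts, the Echo/Chargen loop, and the resolver answering outside clients). This is an added example, not code from the slides or the cited references; the local subnets, the resolver address and the packet records are constructed.

```python
"""Flag UDP packets with the reflector/amplifier shapes the notes describe.

Added example, not code from the slides or the cited references. The local
subnets, the resolver address and the packet records are constructed.
"""
import ipaddress

# Constructed site: the subnets behind our border router and our DNS server.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_network("10.0.1.0/24")]
RESOLVER = ipaddress.ip_address("10.0.0.53")
BROADCASTS = {net.broadcast_address for net in LOCAL_NETS}
LOOP_PORTS = {7, 19}  # Echo and Chargen: each reply is itself a new request


def is_local(ip):
    """True if the address (string or ip_address) belongs to one of our subnets."""
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def check_udp_packet(pkt):
    """Return the labels that apply to one {"src","sport","dst","dport"} packet."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    labels = []
    # Amplifier: an outside source addressing one of our subnet broadcast
    # addresses (a directed broadcast the border router should not forward).
    if not is_local(src) and dst in BROADCASTS:
        labels.append("directed_broadcast")
    # Reflector loop: Echo and Chargen answering each other indefinitely.
    if pkt["sport"] in LOOP_PORTS and pkt["dport"] in LOOP_PORTS:
        labels.append("reflector_loop")
    # DNS recursion abuse: our resolver answering a client outside the site.
    if src == RESOLVER and pkt["sport"] == 53 and not is_local(dst):
        labels.append("open_recursion_response")
    return labels


def audit(packets):
    """Count each label over a packet list; returns {label: count}."""
    counts = {}
    for pkt in packets:
        for label in check_udp_packet(pkt):
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed packets; documentation ranges stand in for outside hosts.
CONSTRUCTED_PACKETS = [
    {"src": "198.51.100.9", "sport": 40000, "dst": "10.0.0.255", "dport": 7},
    {"src": "192.0.2.20", "sport": 19, "dst": "10.0.1.10", "dport": 7},
    {"src": "10.0.1.10", "sport": 7, "dst": "192.0.2.20", "dport": 19},
    {"src": "10.0.0.53", "sport": 53, "dst": "203.0.113.7", "dport": 4444},
    {"src": "10.0.0.20", "sport": 51000, "dst": "10.0.0.53", "dport": 53},
]

if __name__ == "__main__":
    print(audit(CONSTRUCTED_PACKETS))
```

The last constructed packet, a local client querying the local resolver, produces no label, which is the baseline the other four are measured against.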
Since the staff members at the clinic use the Internet extensively for checking patients' insurance and getting authorizations, they must pay attention to:
• Only provide username and password on certified websites (using the HTTPS protocol / SSL encryption)
• Do not provide any information about the local username/password on external websites
• Do not use the same password that is used for the local network and systems access
• Do not accept any kind of software installation through the Internet, even antivirus solutions offered by external sources
Regarding the email systems:
• Be aware of social engineering. Email messages can be used for identity theft and phishing. Phishing is a technique in which an attacker sends email messages or provides a link falsely claiming to be from a legitimate site in an attempt to acquire a user's personal information (EC Council, 2010).
• Do not click on suspicious email attachments; they can contain worms. They could be scripts or executables disguised as image or text document files (e.g.: AnnaKournikova.jpg.vbs). If you receive any suspicious email message, do not click on any link. Report it to the IT department and ask for guidance.
• Prefer to use BCC when sending emails to multiple recipients. Use the Carbon Copy (CC) field carefully; you may be exposing some email addresses unnecessarily.
• Do not use the corporate email account for social networks or newsgroups. Use private accounts for private emails.
• Emails are usually sent in clear-text format, unless you use some encryption technology. Therefore, do not send any sensitive data such as credit card numbers, SSNs, driver's license numbers and passwords via regular email messages.
• Do not forward any email chain letters. They can contain malicious code, they expose email addresses, and they generate network traffic and storage consumption.