DDoS Attack
(Distributed Denial of Service)
Er. Shiva K. Shrestha
Er. Niran Kafle
December 27, 2016 1
Introduction
■ Denial of Service (DoS)
– Attack to disrupt the authorized use of
networks, systems, or applications
■ Distributed Denial of Service (DDoS)
– Employ multiple compromised computers
to perform a coordinated and widely
distributed DoS attack
■ DoS Attacks Affect:
– Software Systems
– Network Routers/Equipment/Servers
– Servers and End-User PCs
DoS Single Source (figure)
DDoS: Collateral Damage Points (figure)
How DDoS Attacks Work
■ Incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more.
■ This effectively makes it impossible to stop the attack simply by blocking a single IP address.
■ It is very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin.
DDoS Headlines (figure)
DDoS Attacks Based On (figure)
DDoS Source & Targets (figure)
DDoS Web Application Attacks (figure)
Types of DDoS Attacks
■ Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to the target. Legitimate requests get lost, and these attacks may be accompanied by malware exploitation.
■ Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.
■ Application attacks: Application-layer data messages can deplete resources in the application layer, leaving the target's system services unavailable.
DoS Attacks Fast Facts
■ Early 1990s: Individual attacks from a single source. First DoS tools
■ Late 1990s: Botnets, first DDoS tools
■ Feb 2000: First large-scale DDoS attack
– CNN, Yahoo, E*Trade, eBay, Amazon.com, Buy.com
■ 2001: Microsoft’s name server infrastructure was disabled
■ 2002: DDoS attack on the root DNS servers
■ 2004: DDoS for hire and extortion
■ 2007: DDoS against Estonia
■ 2008: DDoS against Georgia during the military conflict with Russia
■ 2009: DDoS on Twitter and Facebook
■ 2010: DDoS on VISA and MasterCard
2000 DoS Attacks
■ In Feb 2000, a series of massive DoS attacks
– Yahoo, Amazon, eBay, CNN, E*Trade, ZDNet, Datek and Buy.com were all hit
■ Attacks allegedly perpetrated by teenagers
■ Used compromised systems at UCSB
■ Yahoo: 3 hours down with $500,000 in lost revenue
■ Amazon: 10 hours down with $600,000 in lost revenue
2002 DNS DoS Attacks
■ ICMP floods at 150 Kpps (primitive attack)
■ Took down 7 root servers (two hours)
DNS root servers (figure)
2009 DDoS on Twitter
■ Hours-long service outage
– 44 million users affected
■ At the same time Facebook, LiveJournal, and YouTube were under attack
– some users experienced an outage
■ Real target: a Georgian blogger
DDoS on MasterCard and Visa
■ December 2010
■ Targets: MasterCard, Visa, Amazon, PayPal, Swiss Postal Finance, and more
■ Attack launched by a group of vigilantes called Anonymous (~5000 people)
■ DDoS tool is called LOIC or “Low Orbit Ion Cannon”
■ Bots recruited through social engineering
– Directed to download DDoS software and take instructions from a master
■ Motivation: payback for cutting support for WikiLeaks after its founder was arrested on unrelated charges
The new DDoS tool by Anonymous
■ A new operation is beginning
■ A successor of LOIC
■ Using SQL and .js vulnerabilities, remotely defaces pages
■ May be available in September 2011
V for Vendetta (image)
Operation Facebook
■ Announcement on YouTube to bomb Facebook on Nov. 5, 2011
■ Facebook’s privacy practices reveal issues
■ Why Nov. 5? The “Remember, Remember” poem:
“Remember, remember the fifth of November, gunpowder, treason and plot. I see no reason why gunpowder treason should ever be forgot...”
DDoS Attack Classification (figure)
DoS attack list
■ Flood attacks
– TCP SYN flood
– UDP flood
– ICMP (PING) flood
– Amplification (Smurf, Fraggle since 1998)
■ Vulnerability attacks
– Ping of Death (since 1990)
– Teardrop (since 1997)
– LAND (since 1997)
Flooding attack
■ Commonly used DDoS attack
■ Sending a vast number of messages whose processing consumes some key resource at the target
■ The strength lies in the volume, rather than the content
■ Implications:
– The traffic looks legitimate
– The traffic flow is large enough to consume the victim’s resources
– High packet rate sending
Vulnerability DoS attack
■ Vulnerability: a bug in the implementation or in the default configuration of a service
■ Malicious messages (exploits): unexpected input that triggers the vulnerability is sent
■ Consequences:
– The system slows down, crashes, freezes or reboots
– The target application goes into an infinite loop
– It consumes a vast amount of memory
TCP SYN flood
(figure) Normal handshake: the client sends a SYN request and the server answers with SYN ACK. In the attack, zombies send spoofed SYN requests to the victim, which answers each with a SYN ACK that is never completed, until its waiting queue overflows.
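A detector for the half-open-queue symptom in the SYN flood figure above, together with the SYN-cookie technique that lets a server answer SYNs without keeping a queue entry. This is an added example, not code from the slides; the netstat-style connection lines are constructed, and the backlog size, thresholds and cookie bit layout are assumptions.

```python
import hashlib
import hmac
from collections import Counter


def constructed_snapshot(n_spoofed):
    """Constructed netstat-style connection table for a web server at
    10.0.0.5: a few real ESTABLISHED peers plus n_spoofed half-open
    (SYN_RECV) entries, each from a different never-answering source."""
    lines = [
        "tcp 0 0 10.0.0.5:80 203.0.113.10:51234 ESTABLISHED",
        "tcp 0 0 10.0.0.5:80 203.0.113.11:51290 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 203.0.113.12:40000 ESTABLISHED",
    ]
    for i in range(n_spoofed):
        lines.append(f"tcp 0 0 10.0.0.5:80 198.51.{i // 256}.{i % 256}:{1024 + i} SYN_RECV")
    return lines


def half_open_by_port(lines):
    """Per local port: (number of SYN_RECV entries, number of distinct
    remote addresses behind them)."""
    counts, sources = Counter(), {}
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[5] != "SYN_RECV":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        counts[port] += 1
        sources.setdefault(port, set()).add(parts[4].rsplit(":", 1)[0])
    return {p: (counts[p], len(sources[p])) for p in counts}


def syn_flood_ports(lines, backlog=256, fill_ratio=0.5, min_sources=50):
    """Ports whose half-open queue is at least fill_ratio full AND whose
    half-open peers are spread over many sources: the queue-overflow and
    the many-origins properties the slides describe, taken together."""
    flagged = []
    for port, (half_open, n_src) in half_open_by_port(lines).items():
        if half_open >= backlog * fill_ratio and n_src >= min_sources:
            flagged.append(port)
    return sorted(flagged)


def syn_cookie(secret, src, sport, dst, dport, minute, mss_idx):
    """Classic SYN-cookie ISN layout (assumed here): top 5 bits a time
    counter mod 32, next 3 bits an MSS index, low 24 bits a keyed hash of
    the 4-tuple and counter. A flooded server sends this as its ISN and
    keeps no queue entry at all, so the queue cannot overflow."""
    msg = f"{src}:{sport}>{dst}:{dport}|{minute}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((minute % 32) << 27) | ((mss_idx & 7) << 24) | int.from_bytes(mac[:3], "big")


def verify_syn_cookie(secret, src, sport, dst, dport, now_minute, ack):
    """On the final ACK, cookie = ack - 1 (the peer acknowledges ISN + 1).
    Recompute for the current and the previous minute; return the MSS
    index if the cookie is genuine (the connection can now be created),
    else None. Spoofed SYNs never produce a matching ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 24) & 7
    for minute in (now_minute, now_minute - 1):
        if (minute % 32) == (cookie >> 27) and \
                syn_cookie(secret, src, sport, dst, dport, minute, mss_idx) == cookie:
            return mss_idx
    return None
```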
Smurf attack
■ Amplification attack
– Sends ICMP ECHO to the network broadcast address
– Amplified network flood
– Widespread pings with a faked return address, sent to the broadcast address
– The network's hosts send their responses to the victim system
– The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion
DoS: Smurf
(figure) A sends a ping to the broadcast address with Src Addr: B, Dst Addr: Broadcast; the replies go to B.
DoS: Fraggle
(figure) A sends a UDP broadcast with src port: echo, dest port: chargen, Src Addr: B, Dst Addr: Broadcast; the echo and chargen services answer each other in an infinite loop.
■ Well known exploit: Echo/Chargen
Ping of Death
■ Sending an oversized ping packet to the victim
– A ping of >65535 bytes violates the IP packet length limit
– Causes a buffer overflow and system crash
■ Problem in the implementation, not the protocol
■ Has been fixed in modern OSes
– Was a problem in the late 1990s
Teardrop
■ A bug in the TCP/IP fragment reassembly code of affected systems
■ Mangled IP fragments with overlapping, oversized payloads are sent to the target machine
■ Crashes various operating systems
LAND
■ A LAND (Local Area Network Denial) attack
■ First discovered in 1997 by “m3lt”
– Affected several OSes:
■ AIX 3.0
■ FreeBSD 2.2.5
■ IBM AS/400 OS7400 3.7
■ Mac OS 7.6.1
■ SunOS 4.1.3, 4.1.4
■ Windows 95, NT and XP SP2
■ IP packets whose source and destination addresses are both set to the same device
– The machine replies to itself continuously
– Published code: land.c
LAND (figure)
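The checks a packet filter or IP reassembler applies to catch the Smurf/Fraggle broadcast requests and the Ping of Death, Teardrop and LAND packets described on the slides above. This is an added example, not material from the slides; the Packet and Fragment records and the sample traffic are constructed, and fragment offsets are given in bytes rather than the header's 8-byte units.

```python
import ipaddress
from dataclasses import dataclass

MAX_IP_LEN = 65535            # largest legal IPv4 datagram, header included
ECHO_PORT, CHARGEN_PORT = 7, 19


@dataclass
class Packet:
    """Constructed packet summary; ports are 0 for ICMP."""
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request


@dataclass
class Fragment:
    """One IP fragment of a datagram; offset in bytes (constructed, the
    real header stores it in 8-byte units), length = payload bytes."""
    ident: int
    offset: int
    length: int
    more: bool            # MF flag


def check_packet(pkt, local_net):
    """Findings for one packet; an empty list means nothing suspicious."""
    findings = []
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # LAND: source and destination (address and port) are the same device,
    # so the machine would keep answering itself
    if src == dst and pkt.sport == pkt.dport:
        findings.append("LAND: source equals destination")
    # Smurf / Fraggle: a request aimed at the directed-broadcast address
    if dst == net.broadcast_address:
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            findings.append("Smurf: ICMP echo request to broadcast address")
        elif pkt.proto == "udp" and pkt.dport in (ECHO_PORT, CHARGEN_PORT):
            findings.append("Fraggle: UDP echo/chargen to broadcast address")
        if src not in net:
            # every host's reply goes to src, so a non-local src is the victim
            findings.append("spoofed: broadcast request from non-local source")
    return findings


def check_fragments(frags):
    """Findings for one datagram's fragment set (all with the same ident)."""
    overlap, end = False, 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end:
            overlap = True      # Teardrop: fragment starts inside the previous one
        end = max(end, f.offset + f.length)
    findings = []
    if end > MAX_IP_LEN:
        # Ping of Death: the reassembled datagram would exceed the IP limit
        findings.append("Ping of Death: reassembled length exceeds 65535")
    if overlap:
        findings.append("Teardrop: overlapping fragments")
    return findings
```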
DDoS Defense
Are we safe from DDoS?
■ My machine is well secured
– It does not matter. The problem is not your machine but everyone else's
■ I have a firewall
– It does not matter. We slip in with legitimate traffic or we bomb your firewall
■ I use VPN
– It does not matter. We can fill your VPN pipe
■ My system is very highly provisioned
– It does not matter. We can get bigger resources than you have
Why DoS Defense is difficult
■ Conceptual difficulties
– Mostly random source packets
– Moving filtering upstream requires communication
■ Practical difficulties
– Routers don’t have many spare cycles for analysis/filtering
– Networks must remain stable, which biases against infrastructure change
– Attack tracking can cross administrative boundaries
– End-users/victims often see an attack differently (more urgently) than network operators
■ Nonetheless, we need to:
– Maximize filtering of bad traffic
– Minimize “collateral damage”
Defenses against DoS attacks
■ DoS attacks cannot be prevented entirely
■ It is impractical to prevent flash crowds without compromising network performance
■ Three lines of defense against (D)DoS attacks
– Attack prevention and preemption
– Attack detection and filtering
– Attack source traceback and identification
Attack prevention
■ Limit the ability of systems to send spoofed packets
– Filtering done as close to the source as possible by routers/gateways
– Reverse-path filtering ensures that the path back to the claimed source is the same as the current packet’s path
■ Ex: On a Cisco router, the “ip verify unicast reverse-path” command
■ Rate controls in upstream distribution nets
– On specific packet types
– Ex: Some ICMP, some UDP, TCP/SYN
■ Block IP broadcasts
Responding to attacks
■ Need good incident response plan
– With contacts for ISP
– Needed to impose traffic filtering upstream
– Details of response process
■ Ideally have network monitors and IDS
– To detect and notify abnormal traffic patterns
How are DDoS practically handled?
Router Filtering
(figure) Server1, the Victim and Server2 sit behind routers R1–R5; internal links are labelled 1000, the outside links FE and 100 (peering). ACLs and CARs are applied on the routers.
Cisco uRPF
(figure) A packet with a given source address comes in on Router A from Router B; Router A checks the source in its routing table. Path back on this line? Accept the packet. Path via a different interface? Reject the packet.
■ Unicast Reverse Path Forwarding
■ Does routing back to the source go through the same interface?
■ Cisco interface command: ip verify unicast rpf
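A runnable model of the reverse-path check from the attack-prevention slide and the uRPF slide above, in strict and loose modes, plus the customer-edge source-prefix filter that "filtering as close to the source as possible" refers to. This is an added example, not the slides' own material; the forwarding table, interface names and packets are constructed.

```python
import ipaddress

# Constructed forwarding table of an edge router: (prefix, egress interface).
# Gi0/0 faces the upstream, Gi0/1 and Gi0/2 face two customers, and Null0 is
# the blackhole interface for space that must never be routed.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("203.0.113.0/24", "Gi0/1"),
    ("198.51.100.0/24", "Gi0/2"),
    ("192.0.2.0/24", "Null0"),
]


def lookup(fib, addr):
    """Longest-prefix match: the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_accept(fib, src, ingress, mode="strict"):
    """Reverse-path check on a packet's SOURCE address.
    strict: the route back to src must leave via the interface the packet
            arrived on (the slide's 'path back on this line?').
    loose:  any real (non-Null0) route to src suffices; used where
            asymmetric routing would make strict mode drop good traffic.
    Caveat visible below: with a default route, strict mode on the
    upstream interface accepts every source, which is why loose mode is
    what usually goes there and strict mode goes on customer interfaces."""
    back = lookup(fib, src)
    if back is None or back == "Null0":
        return False
    return back == ingress if mode == "strict" else True


def ingress_filter_accept(customer_prefixes, src):
    """Source-prefix filter on a customer-facing interface (RFC 2827 /
    BCP 38): only the customer's own prefixes may appear as source, so a
    customer host cannot emit spoofed packets into the network."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)


def audit(fib, packets, mode="strict"):
    """Apply uRPF to constructed (src, ingress) pairs; returns verdicts."""
    return [(src, ingress, urpf_accept(fib, src, ingress, mode)) for src, ingress in packets]
```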
Black hole Routing
(figure) Same topology as the router-filtering slide (Server1, Victim and Server2 behind R1–R5); the victim's prefix is routed to the Null0 interface:
ip route A.B.C.0 255.255.255.0 Null0
Blackhole in Practice (I)
(figure) The Victim and the non-victimized servers sit behind the network; a Guard and a Detector are placed upstream, not on the critical path.
Blackhole in Practice (II)
(figure) 1. Detect. 2. Activate: auto/manual. 3. Divert only the victim’s traffic. The Detector activates the Guard, which diverts traffic with a BGP announcement.
Blackhole in Practice (III)
(figure) Traffic destined to the victim is hijacked via BGP to the Guard; legitimate traffic to the victim is injected back via GRE, VRF, VLAN, FBF, PBR…
DDoS Attack Trends
■ Attackers follow defense approaches and adjust their code to bypass defenses
■ Use of subnet spoofing defeats ingress filtering
■ Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
■ Encryption of attack packets defeats traffic analysis and signature detection
■ Pulsing attacks defeat slow defenses and traceback
■ Flash-crowd attacks generate application traffic
Conclusion
■ No matter how secure a system is or how good the defense techniques used are, it is not possible to completely prevent DDoS attacks.
■ 75% of web application attacks targeted US sites
DoS Attack Demo
Thank You!
■ Q/A?
Recommendations
■ http://thehackernews.com/2016/09/ddos-attack-iot.html
■ http://www.datacenterdynamics.com/content-tracks/security-risk/ddos-attacks-hit-cloudflare-originate-from-new-botnet/97438.fullarticle
■ http://www.theregister.co.uk/2016/12/08/can_isps_step_up_and_solve_the_ddos_problem/
■ http://calvinayre.com/2016/12/16/business/bitcoin-exchange-btc-e-falls-victim-ddos-attack/
■ http://en.yibada.com/articles/180618/20161222/biggest-hacks-data-breaches-2016-from-yahoo-breach-to-ddos-attacks.htm
■ http://news.softpedia.com/news/infographic-ddos-attacks-in-q3-2015-497312.shtml
