11. SYN-Flood – Normal TCP Setup
(Diagram: server flow table)
• 3-way handshake establishes connection
• Flow table entry created and inserted on receipt of SYN packet
• Connection established
12. SYN-Flood – Consume Session Table
(Diagram: server flow table)
• SYNs overflow flow table on server
• Flow table entry created and inserted on receipt of SYN packet
• Overflow! Denial of Service
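Added example, not from the slides: a small Python simulation of the flow table on slides 11 and 12. NaiveServer allocates an entry on every SYN, so a burst of spoofed SYNs that never complete the handshake fills the table and legitimate clients are refused; CookieServer goes beyond the slides and shows the standard SYN-cookie mitigation, where the server's initial sequence number is an HMAC over the peer tuple and state is allocated only when a valid ACK arrives. The secret, the fixed ISN and the addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; real stacks rotate this
MASK32 = 0xFFFFFFFF

class NaiveServer:
    """Allocates a flow-table entry on every SYN, as on the slides."""
    def __init__(self, capacity):
        self.capacity, self.half_open = capacity, {}   # (ip, port) -> ISN
        self.established, self.dropped = set(), 0
    def on_syn(self, src):
        if len(self.half_open) >= self.capacity:
            self.dropped += 1          # overflow: the SYN is refused
            return None
        self.half_open[src] = 0x12340000   # constructed fixed ISN
        return self.half_open[src]
    def on_ack(self, src, ack):
        isn = self.half_open.pop(src, None)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        self.established.add(src)
        return True

class CookieServer:
    """SYN-cookie style: ISN = HMAC(peer tuple); no state until a valid ACK."""
    def __init__(self, capacity):
        self.capacity, self.established, self.dropped = capacity, set(), 0
    def cookie(self, src):
        mac = hmac.new(SECRET, f"{src[0]}:{src[1]}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")
    def on_syn(self, src):
        return self.cookie(src)        # reply with the cookie, allocate nothing
    def on_ack(self, src, ack):
        if ack != (self.cookie(src) + 1) & MASK32:
            return False               # forged or stale ACK: still no state
        if len(self.established) >= self.capacity:
            self.dropped += 1
            return False
        self.established.add(src)
        return True

def simulate(server_cls, capacity, spoofed_syns, real_clients):
    """Spoofed SYNs never finish the handshake; real clients do. Returns (established, dropped)."""
    srv = server_cls(capacity)
    for i in range(spoofed_syns):      # constructed spoofed sources, no ACK follows
        srv.on_syn((f"198.51.100.{i % 254 + 1}", 40000 + i))
    for i in range(real_clients):
        src = (f"203.0.113.{i + 1}", 50000 + i)
        isn = srv.on_syn(src)
        if isn is not None:
            srv.on_ack(src, (isn + 1) & MASK32)
    return len(srv.established), srv.dropped
```

With a 64-entry table, 1000 spoofed SYNs and 10 real clients, the naive server establishes nothing and drops 946 SYNs, while the cookie server establishes all 10 and drops none.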
14. DNS NXDOMAIN Random Hostname Attack
Querying for randomly-generated non-existent hostnames:
• Causes enormous work on the DNS resolver
• Blows out DNS caches
• Easy to generate – single packet per name
• Easy to spoof source address – UDP
• Asymmetric – cheap for the attacker, expensive for the resolver
• Low-bandwidth
17. Spotlight: Operation Ababil (Izz ad-Din al-Qassam Cyber Fighters)
• DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
• Peak attacks 75 Gbps, including a mix of layer 3, 4, 5 and 7 attacks.
• Motivation appears to be pro-censorship, specifically demanding that Google remove the video “Innocence of Muslims.”
• Video director has been incarcerated (unrelated charges).
• A fatwa exists against him, the actors, and anyone involved with the video.
  • Actors say the anti-Muslim rhetoric was dubbed in post-production.
18. Application Reconnaissance – Goal of layer-7 DDoS reconnaissance
• Obtain list of site URIs
• Sort by time-to-complete (CPU cost)
• Sort list by megabytes (bandwidth)
Spiders for rent on the Internet will do this
• Though they are often known to the security community
• Can be done with a simple wget script (recursive fetch, one-second wait between requests, non-verbose output):
# wget -r --wait=1 -nv https://the.target.com