Defensive Measures for DDoS
By Farhan Mirza
Document transcript, posted 19-Dec-2015

Contents
- Survey Topics
- Introduction
- Common Targets of DoS Attacks
- DoS Tools
- Defensive Measures & Their Vulnerabilities
- Honeypot for DDoS
- Honeypot Implementation
- Issues & Concerns
- Conclusion

Survey Topics
- Paper 1: Analysis of Denial-of-Service Attacks on Denial-of-Service Defensive Measures
- Paper 2: Honeypots for Distributed Denial of Service Attacks

Introduction
- DoS attacks: the "weapons of mass destruction" of the Internet
- Paralyze Internet systems with bogus traffic
- 4th major attack in 2001 (Computer Crime & Survey Report)

Attacks on Targets
- Attacking tools are becoming more offensive, and more difficult to discover and filter
- Powerful automatic scanning and observation of the target's vulnerabilities
- Methods used: TCP SYN, UDP and ICMP flooding, etc.
- Includes viruses and worms: MS-SQL Server worm, Code Red, etc.

Code Red Worm Attack

Common Targets of DoS Attacks
- Bandwidth DoS attacks
- Memory DoS attacks
- Computation DoS attacks

Bandwidth DoS Attacks
- Target: bandwidth
- Example: Slammer (MS-SQL Server worm)
  - Self-propagating malicious code
  - Employs multiple vulnerabilities of the SQL Server Resolution Service

Memory DoS Attacks
- Target: memory
- Backscatter analysis (Moore investigation):
  - 94% of DoS attacks occur over the TCP protocol
  - 49% of attacks are TCP SYN attacks targeting the 3-way handshake
  - 2% on UDP
  - 2% on ICMP

Memory DoS Attacks (Cont.)
- Every TCP connection establishment requires an allocated memory resource
- Only a limited number of concurrent TCP half-open connections can be held
- An attacker can disable the service by sending an overdose of connection requests with spoofed source addresses

Computation DoS Attacks
- Target: computational resources
- Example: database query attacks, a sequence of queries requesting the DBMS to execute complex commands and overwhelming the CPU

Software Bugs & Exploits
- Exploit on 7xx routers: connecting with Telnet and typing very long passwords
- Effects:
  - Reboot of the router
  - Denial of service to users during the reboot period

Software Bugs & Exploits (Cont.)
- Smurf DoS bug: uses ICMP Echo Request packets with a spoofed source address
- Effects:
  - All machines on the subnet reply directly to the victim's address
  - Congestion in the victim's network connection

DoS Tools
- Trin00
- TFN – Tribe Flood Network
- Stacheldraht – "Barbed Wire"

Trin00
- Distributed attacking tool
- Installed on intermediate hosts using a buffer overrun bug
- Compiled on Linux and Solaris operating systems
- Capable of generating UDP packets for the attack
- Target ports: 0 to 65534

TFN – Tribe Flood Network
- Launches Distributed Denial of Service attacks
- Installed on intermediate hosts, based on a buffer overrun bug
- Capable of launching ICMP floods, UDP floods, SYN attacks and Smurf attacks
- Compiled on Linux and Solaris operating systems

Stacheldraht ("barbed wire")
- Combines features of Trin00 and TFN
- Capable of producing ICMP flood, SYN flood, UDP flood and Smurf attacks
- ICMP, UDP and TCP-SYN packets of sizes up to 1024 bytes against multiple victim hosts
- TCP-SYN packets are generated against random ports taken from a selected range of port numbers

DDoS Pattern
1. Setting up a stolen account as a repository for attack tools
2. Scanning large ranges for potentially vulnerable targets
3. Creation of a script to perform the exploit and to report the results
4. Choice of a subset of suitable compromised servers from the list
5. Script-automated installation of the needed tools on the compromised servers
6. Optional installation of a root kit to hide the compromise

Defensive Measures: System Self Defense
- Stop all unnecessary or non-essential system services and network ports
- Reduce the timeout period for simultaneous half-open connections
- Vulnerability:
  - Reconfiguration may delay, or even deny, legitimate access
  - Leads to a potential increase in resource usage

Packet Filtering
- Most popular defensive mechanism
- Selectively screens out suspicious or malicious packets
- Is itself a deformed DoS
- Vulnerability: if manipulated or abused, it is the most convenient way to accomplish a DoS attack

Packet Filtering (Cont.)
- Types of packet filtering: Egress/Ingress
  - Manages the flow inside and outside the network
  - Ingress: used to block packets with spoofed source addresses
  - Egress: manages the flow of traffic as it leaves a network
- Vulnerability: effective only if used in large-scale applications

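The ingress and egress rules above, as an added example in Python (my code, not from either surveyed paper); the site prefix, the bogon list and the sample packets are constructed for the example.

```python
"""Ingress/egress source-address filter: an added example, not from the slides.

Ingress rule: a packet arriving from the Internet must not carry a source
address from our own prefix or from a non-routable range, because such a
packet can only be spoofed. Egress rule: a packet leaving our network must
carry a source address from our own prefix, so our hosts cannot be used to
emit spoofed flood traffic. The prefixes and packets are constructed.
"""
import ipaddress

OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed site prefix
# Private and other non-routable ranges that must never arrive from outside.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def filter_packet(direction, src):
    """Return ('allow' | 'drop', reason) for a packet's source address.

    direction is 'ingress' (entering from the Internet) or 'egress' (leaving).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        if addr in OUR_PREFIX:
            return "drop", "external packet claims an internal source"
        if any(addr in net for net in BOGONS):
            return "drop", "non-routable source address"
        return "allow", "routable external source"
    if direction == "egress":
        if addr not in OUR_PREFIX:
            return "drop", "outbound source is not ours (spoofed)"
        return "allow", "source belongs to our prefix"
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed sample packets: (direction, source address)
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.7"),    # ordinary Internet client
    ("ingress", "192.0.2.44"),     # claims to come from inside: spoofed
    ("ingress", "10.1.2.3"),       # private address from the Internet: bogon
    ("egress", "192.0.2.9"),       # our own host talking out
    ("egress", "198.51.100.200"),  # our host emitting a forged source
]

def apply_filter(packets):
    """Return the verdict for each packet and a per-direction drop count."""
    verdicts = [filter_packet(d, s)[0] for d, s in packets]
    drops = {"ingress": 0, "egress": 0}
    for (d, _), v in zip(packets, verdicts):
        if v == "drop":
            drops[d] += 1
    return verdicts, drops
```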
Packet Filtering (Cont.)
- Firewalls
  - The victim's network mechanism
  - Enable a form of protection against SYN flooding
  - Examine packets and maintain connection and state information of session traffic
  - Configured as a relay, or as a semi-transparent gateway
- Vulnerability:
  - Cause delays for every connection
  - A flood of 14k packets/sec can disable even specialized firewalls

IP Traceback
- Effective and aggressive way to terminate DoS attacks at their sources
- Vulnerability: does not locate the attacker if the attacker is attacking through reflectors

State Monitoring
- Uses software agents to continuously monitor TCP/IP traffic in a network
- RealSecure: monitors the local network for SYN packets that are not acknowledged within a period of time defined by the users
- Vulnerability: needs to maintain a tremendous amount of state to determine malicious packets, which consumes system resources

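The half-open bookkeeping from the Memory DoS slide and the unanswered-SYN check described here, as an added example in Python (my code, not RealSecure's and not from either paper); the event format, addresses, timing, timeout and threshold are constructed for the example.

```python
"""Half-open TCP connection monitor: an added example, not RealSecure's code.
Each SYN reserves a half-open entry (the memory the earlier slide describes)
until the client's ACK completes the handshake. A SYN still unanswered after
a user-defined timeout is stale, and a pile of stale entries from many sources
is the SYN-flood pattern state monitoring looks for. Trace is constructed.
"""
from collections import defaultdict
# Constructed trace: (seconds, source IP, destination IP, TCP flag of interest)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "SYN"),
    (0.1, "10.0.0.5", "192.0.2.10", "ACK"),      # handshake completed
    (0.5, "10.0.0.6", "192.0.2.10", "SYN"),
    (0.7, "10.0.0.6", "192.0.2.10", "ACK"),      # handshake completed
    (1.0, "198.51.100.1", "192.0.2.10", "SYN"),  # six SYNs from six sources,
    (1.0, "198.51.100.2", "192.0.2.10", "SYN"),  # none ever acknowledged
    (1.1, "198.51.100.3", "192.0.2.10", "SYN"),
    (1.1, "198.51.100.4", "192.0.2.10", "SYN"),
    (1.2, "198.51.100.5", "192.0.2.10", "SYN"),
    (1.2, "198.51.100.6", "192.0.2.10", "SYN"),
    (2.0, "10.0.0.7", "192.0.2.10", "SYN"),      # legitimate, still young at t=2.5
]

class HalfOpenMonitor:
    def __init__(self, timeout, threshold):
        self.timeout = timeout      # seconds a SYN may wait for its ACK
        self.threshold = threshold  # stale half-opens per destination before alerting
        self.pending = {}           # (src, dst) -> time the SYN was first seen

    def observe(self, t, src, dst, flag):
        key = (src, dst)
        if flag == "SYN":
            self.pending.setdefault(key, t)  # retransmits keep the original time
        elif flag == "ACK":
            self.pending.pop(key, None)      # third handshake step closes the entry

    def stale_by_destination(self, now):
        """Count half-open entries older than the timeout, per destination."""
        counts = defaultdict(int)
        for (_, dst), t_seen in self.pending.items():
            if now - t_seen >= self.timeout:
                counts[dst] += 1
        return dict(counts)

    def alerts(self, now):
        """Destinations whose stale count exceeds the threshold."""
        return sorted(d for d, n in self.stale_by_destination(now).items()
                      if n > self.threshold)

def run_monitor(events, now, timeout=1.0, threshold=5):
    """Replay events up to `now`; return (stale counts, alerted destinations)."""
    mon = HalfOpenMonitor(timeout, threshold)
    for t, src, dst, flag in events:
        if t <= now:
            mon.observe(t, src, dst, flag)
    return mon.stale_by_destination(now), mon.alerts(now)
```

The `pending` table is exactly the per-connection state the slide's vulnerability refers to: it grows with every unanswered SYN, so the monitor itself needs a bound on table size in a real deployment.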
Resource Allocation Control
- Way to prevent exhaustion of the victim's resources: limit the resource allocation and usage for each user or service
- Class Based Queuing: configures different traffic priority queues and rules that determine which packets should be put into which queue
- Vulnerability: in case of DoS attacks, cannot determine which packets belong to the same user or service for sharing some quota or resources

Congestion Control
- Network congestion: reduction in network throughput
- Pushback
  - Mechanism for defending against DDoS attacks
  - Identifies most of the malicious packets, based on Aggregate-based Congestion Control
- Vulnerability:
  - Not an effective method to block bad traffic under a typical DDoS attack
  - Cannot differentiate good and bad traffic and will drop them equally

Active Networks
- Programs can perform customized computations and manipulations
- Allow users to inject customized programs into the nodes of the network
- Active edge-tagging: one example, which tags the actual source IP address into the active-network layer header of each incoming packet from the hosts at the first-hop routers
- Vulnerability: AN poses serious security threats, as it is designed to run executable code on remote hosts

Bandwidth Overhead of Defensive Measures

Memory Overhead of Defensive Measures

Computational Overhead of Defensive Measures

Attacks on Defensive Measures (assumption vs. reality)
- Firewalls
  Assumption: invincible, with unlimited power and resources
  Reality: still limited, and a single point of failure or bottleneck
- Network congestion
  Assumption: control messages are delivered to the destination efficiently and successfully
  Reality: the control messages are dropped or lost during transmission
- Defensive devices
  Assumption: will not be targeted by the attacker
  Reality: many are vulnerable to attack
- Network devices
  Assumption: trustworthy, and control messages will not be tampered with, eavesdropped or forged
  Reality: control messages might be tampered with, eavesdropped or forged

Honeypot for DDoS
- Advantages of the system:
  - Defends the operational network with high probability against DDoS and new variants
  - Traps the attacker to record the compromise, to help in legal action against the attacker
- Devised system:
  - Implemented to lure the hacker into believing he has successfully compromised the system
  - To learn the tactics, tools, methods and motive of an attacker in order to secure the system

Characterization
- Should be a replica of the operational system
- Consists of similar systems and applications
- Services such as Web, Mail, FTP and DNS should be accessible to the attacker
- Must be located in the DMZ

Local Network Protection
- Must be located in another zone, protected with a firewall
- Encrypted transmission inside the LAN
- Clients run a trusted OS
- Services are managed by an indirect authentication method (Kerberos)
- Detection systems such as a host-based IDS and a vulnerability scanner must be running

Honeypot Implementation in an Organization

View for an Attacker

Issues To Be Resolved
- The attack must be detectable
- Attack packets must be actively directed to the honeypot
- The honeypot must be able to simulate the organization's network infrastructure

Concerns & Issues
- Not a good idea in a real operational environment
- Requires expertise
- A small configuration mistake or loophole will create a disaster
- Difficult to identify regular users and attackers in most of the cases
- Uses a DDoS-signature type of method during authentication; not as effective, especially for first-time authentication
- Hard to identify the culprit: the attacker is using a compromised system
- VPN and PKI as proposed: how do both environments work together?

Conclusion
- Like a game: attacking and defending networks
- Defensive measures are not always secure, and valuable data is at risk with small effort from an attacker
- Honeypot: a promising tool for luring the attacker in a DDoS attack
- To secure our network, defensive measures with proper knowledge and expertise are required