Network Monitoring and Security Nick Feamster CS 4251 Spring 2008.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
![Page 1: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/1.jpg)
(Distributed) Denial of Service
Nick Feamster
CS 4251
Spring 2008
![Page 2: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/2.jpg)
Distributed Denial of Service (DDoS)
[Diagram: Real Attacker → Master → Daemon (×5) → Victim]
Asymmetry comes in the form of a large farm of machines.
IP addresses no longer need to be spoofed.
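The slide's point is that a DDoS gets its asymmetry from many unspoofed daemons, each of which may look unremarkable on its own. The following added example (not part of the original slides; the flow records, addresses and thresholds are constructed) aggregates per-destination packet rate and distinct-source count over a window, so that a distributed flood is distinguished from a single-source flood and from normal traffic. The `top_source_share` helper shows why a per-source rate limit alone would miss the distributed case: each daemon contributes only a small slice of the victim's load.

```python
from collections import defaultdict

# Constructed sample flow records, not captured traffic: (second, src_ip, dst_ip, packets).
def build_sample_flows():
    flows = []
    # Benign web traffic: three clients, 20 packets/s each, to 10.0.0.5 for 10 s.
    for t in range(10):
        for i in range(3):
            flows.append((t, f"192.0.2.{i + 1}", "10.0.0.5", 20))
    # Classic single-source flood: one host sends 50k packets/s at 10.0.0.6 for 5 s.
    for t in range(5):
        flows.append((t, "198.51.100.9", "10.0.0.6", 50_000))
    # Distributed flood: 40 daemons each send a modest 2k packets/s at 10.0.0.7 for 5 s.
    for t in range(5):
        for i in range(40):
            flows.append((t, f"203.0.113.{i + 1}", "10.0.0.7", 2_000))
    return flows


def summarise_per_destination(flows, window_s):
    """Aggregate packets/s and the number of distinct sources per destination
    over the first window_s seconds."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for t, src, dst, n in flows:
        if t < window_s:
            pkts[dst] += n
            srcs[dst].add(src)
    return {dst: (pkts[dst] / window_s, len(srcs[dst])) for dst in pkts}


def top_source_share(flows, dst, window_s):
    """Fraction of the destination's packets contributed by its single busiest source.
    Near 1.0 means one attacker; near 1/N means the load is spread over N daemons."""
    per_src = defaultdict(int)
    for t, src, d, n in flows:
        if d == dst and t < window_s:
            per_src[src] += n
    total = sum(per_src.values())
    return max(per_src.values()) / total if total else 0.0


def classify(flows, window_s=5, pps_threshold=10_000, distributed_sources=10):
    """Label each destination as normal, single-source flood or distributed flood.
    Thresholds are illustrative; a real deployment derives them from baselines."""
    verdicts = {}
    for dst, (pps, nsrc) in summarise_per_destination(flows, window_s).items():
        if pps < pps_threshold:
            verdicts[dst] = "normal"
        elif nsrc >= distributed_sources:
            verdicts[dst] = "distributed flood"
        else:
            verdicts[dst] = "single-source flood"
    return verdicts


if __name__ == "__main__":
    flows = build_sample_flows()
    summary = summarise_per_destination(flows, 5)
    for dst, verdict in sorted(classify(flows).items()):
        pps, nsrc = summary[dst]
        print(f"{dst}: {verdict} ({pps:.0f} pkt/s from {nsrc} sources, "
              f"top source share {top_source_share(flows, dst, 5):.3f})")
```

Run as a script it prints one line per destination. Note that the 40 daemons in the constructed data each send 2,000 packets/s, well under the 10,000 packets/s threshold, so only the per-destination aggregate reveals the attack.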
![Page 3: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/3.jpg)
February 2000: DDoS
Traditional protection techniques no longer applicable.
![Page 4: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/4.jpg)
DDoS Attack: Yahoo!
• February 2000
• Intermittent outages for nearly three hours
• Estimated to have cost Yahoo $500,000 due to fewer page hits during the attack
• Attacker caught and successfully prosecuted
• Other companies (eBay, CNN) attacked in the same way the following days
![Page 5: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/5.jpg)
DDoS Attack: Microsoft
• Target of multiple DDoS attacks
• Some successful, some not
• Successful one in January 2001
– Attacked router in front of Microsoft’s DNS servers
– During attack, as few as 2% of web page requests were being fulfilled
![Page 6: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/6.jpg)
DDoS Attack: DNS Root Servers
• October 2002, for 1 hour
– Ping flood to all 13 of the DNS root servers
– Successfully halted operations on 9
• Did not cause major impact on Internet
– DNS NS record caching at local resolvers helped
– Several root servers are very well-provisioned
![Page 7: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/7.jpg)
DDoS: Setting up the Infrastructure
• Zombies
– Slow-spreading installations can be difficult to detect
– Can be spread quickly with worms
• Indirection makes attacker harder to locate
– No need to spoof IP addresses
![Page 8: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/8.jpg)
What is a Worm?
• Code that replicates and propagates across the network
– Often carries a “payload”
• Usually spread via exploiting flaws in open services
– “Viruses” require user action to spread
• First worm: Robert Morris, November 1988
– 6-10% of all Internet hosts infected (!)
• Many more since, but none on that scale until July 2001
![Page 9: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/9.jpg)
Example Worm: Code Red
• Initial version: July 13, 2001
• Exploited known ISAPI vulnerability in Microsoft IIS Web servers
• 1st through 20th of each month: spread
• 20th through end of each month: attack
• Payload: Web site defacement
• Scanning: Random IP addresses
• Bug: failure to seed random number generator
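The worm slides describe propagation by scanning random IP addresses, which from the network's side looks like one source making first contact with many destinations, most of which fail. The following added example (not from the slides; the connection records, addresses and parameters are constructed) implements a simplified Threshold Random Walk in the style of Jung et al. (IEEE S&P 2004): each source accumulates a log-likelihood score over its first-contact attempts, failures push it toward "scanner" and successes toward "benign", and a verdict is issued once the score crosses either threshold.

```python
import math

# Constructed connection-attempt records, not captured traffic: (src_ip, dst_ip, succeeded).
CONNECTIONS = [
    ("192.0.2.10", "10.0.0.5", True),
    ("192.0.2.10", "10.0.0.6", True),
    ("192.0.2.10", "10.0.0.9", False),   # one stale address; normal for a real client
    ("192.0.2.10", "10.0.0.7", True),
    ("192.0.2.10", "10.0.0.8", True),
    ("192.0.2.10", "10.0.0.5", True),    # repeat destination, not a first contact
    ("192.0.2.10", "10.0.0.11", True),
    ("192.0.2.10", "10.0.0.12", True),
    ("198.51.100.7", "10.13.77.2", False),   # random-scanning host: every probe fails
    ("198.51.100.7", "10.200.4.19", False),
    ("198.51.100.7", "10.61.8.130", False),
    ("198.51.100.7", "10.5.99.41", False),
    ("198.51.100.7", "10.140.2.7", False),
]


def trw_classify(records, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Sequential hypothesis test per source over first-contact attempts.

    theta0: probability a benign host's first contact succeeds
    theta1: probability a scanner's first contact succeeds
    alpha:  target false-positive rate, beta: target detection rate
    Returns {src: (verdict, first_contacts_seen_when_decided)}.
    """
    eta1 = math.log(beta / alpha)              # score above this: scanner
    eta0 = math.log((1 - beta) / (1 - alpha))  # score below this: benign
    up = math.log((1 - theta1) / (1 - theta0))   # added on a failed first contact
    down = math.log(theta1 / theta0)             # added on a successful first contact
    score, seen, verdict = {}, {}, {}
    for src, dst, ok in records:
        if src in verdict:
            continue                           # decision already made for this source
        contacted = seen.setdefault(src, set())
        if dst in contacted:
            continue                           # only the first contact is informative
        contacted.add(dst)
        score[src] = score.get(src, 0.0) + (down if ok else up)
        if score[src] >= eta1:
            verdict[src] = ("scanner", len(contacted))
        elif score[src] <= eta0:
            verdict[src] = ("benign", len(contacted))
    for src in score:
        verdict.setdefault(src, ("undecided", len(seen[src])))
    return verdict


if __name__ == "__main__":
    for src, (label, n) in trw_classify(CONNECTIONS).items():
        print(f"{src}: {label} after {n} first-contact attempts")
```

With the defaults, each failed first contact adds ln 4 and each success subtracts ln 4, and the thresholds are ±ln 99, so four consecutive failures are enough to flag a scanner while a client with mostly successful connections is cleared after a handful of attempts. The advantage over a plain "N distinct destinations" counter is that successes count as evidence too, so a busy but legitimate client is not flagged.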
![Page 10: (Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.](https://reader036.fdocuments.in/reader036/viewer/2022082805/5514992f550346ea6e8b5603/html5/thumbnails/10.jpg)
Why Denial-of-Service “Works”
• Asymmetry: generating a request is cheaper than formulating a response
• One attack machine can generate a lot of requests, and effectively multiply its power
• Not always possible to achieve this asymmetry
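The asymmetry slide observes that a request is cheaper to generate than its response is to produce. One server-side way to narrow that gap is to rate-limit clients by the estimated cost of the work they request rather than by request count. The following added example (not part of the original slides; the cost table, request log and bucket parameters are constructed) compares a cost-weighted token bucket with a plain per-request one on the same traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CostBucket:
    """Token bucket that charges each request its estimated server-side cost."""
    rate: float                     # work units refilled per second
    capacity: float                 # burst allowance in work units
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.capacity

    def admit(self, now, cost):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Constructed cost estimates in work units: a cached static page is cheap to
# answer, a wildcard search is expensive.
COST = {"GET /index.html": 1.0, "GET /search?q=*": 25.0}


def sample_requests():
    """Constructed request log, not real traffic: (time_s, client_ip, request)."""
    reqs = []
    for t in range(10):                  # normal client: one static page per second
        reqs.append((float(t), "192.0.2.1", "GET /index.html"))
    for i in range(20):                  # abusive client: 20 expensive searches within 1 s
        reqs.append((i * 0.05, "198.51.100.9", "GET /search?q=*"))
    return sorted(reqs)


def run_stream(requests, rate=10.0, capacity=50.0, weighted=True):
    """Replay requests through one bucket per client and count admissions.
    With weighted=False every request costs 1 unit, i.e. a plain per-request
    limit that ignores how much work the response takes."""
    buckets = {}
    admitted = defaultdict(int)
    rejected = defaultdict(int)
    for now, client, request in requests:
        bucket = buckets.setdefault(client, CostBucket(rate, capacity))
        cost = COST[request] if weighted else 1.0
        if bucket.admit(now, cost):
            admitted[client] += 1
        else:
            rejected[client] += 1
    return dict(admitted), dict(rejected)


if __name__ == "__main__":
    for weighted in (False, True):
        adm, rej = run_stream(sample_requests(), weighted=weighted)
        print(f"weighted={weighted}: admitted={adm} rejected={rej}")
```

With a budget of 50 work units and a refill of 10 per second, the unweighted limiter admits all 20 searches because they are only 20 requests, while the weighted limiter admits two and rejects the rest; the client fetching one static page per second is unaffected either way. The cost table is the part that needs real measurement in practice.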