DOS AND DDOS Lecture 13a - cs.auckland.ac.nz
Elliot Wallace
August 24, 2020
DOS AND DDOS
Lecture 13a
COMPSCI 726
Network Defence and Countermeasures
Source of some slides: CMU, Stanford University, and University of Twente
CYBER KILL CHAIN
Source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
PORT SCANNING
▪ Reconnaissance
▪ Scans refer to information gathering
– Find vulnerable services/hosts
– Discover network topology (used IP addresses)
▪ Can be combined with a “real” attack
– E.g., a buffer overflow (ping of death)
SCAN TYPES
Figure: the three scan types drawn on a port-number axis (1 to 1280, with http, smtp, ftp, smb, imaps and kazaa marked) against a destination-address axis (1.1.1.1, 130.89.1.1, 130.89.1.255, 130.89.2.1). A horizontal scan sweeps one port across many addresses, a vertical scan sweeps many ports on one address, and a block scan covers a rectangle of both.
SCAN TYPES
▪ Most common uses – valuable for both attackers and defenders
– Vulnerability scan (e.g. Nessus, Qualys)
– Discovery (e.g. nmap)
▪ IP range, applications, etc.
▪ Attacker goals:
– Enumerate a network – entry point, next hop, etc.
– Enumerate software on a system – identify vulnerabilities
SCAN TYPES
▪ Nmap cheat sheet
– nmap -sV -O -p- $TARGET_IP
– Scan all ports (-p-) on $TARGET_IP and detect the running services (-sV) and operating system (-O)
▪ As a defender, we want to know what our attackers will be doing
– It’s worth running these against your home network or local machine to understand the output
– Look up some of the results in exploitdb - is your device vulnerable to anything at the moment?
SCAN TYPES
▪ Common tools
– nmap
– wfuzz – Web application bruteforcer/fuzzer
– dirbuster/dirb/gobuster – web directory scanner (i.e. find all directories under https://cs.auckland.ac.nz/)
– sqlmap – automated SQL injection tool/fuzzer
– Others: hydra, Wpscan, Nikto, etc.
DENIAL OF SERVICE (DOS) ATTACK
▪ Old attack – consistent use in recent history
▪ First recorded DoS attack – 1996 (SYN Flood against an ISP)
▪ June 2020 – AWS hit by 2.3 Tbps DDoS
Source: https://www.bbc.com/news/technology-53093611
DENIAL OF SERVICE (DOS) ATTACK
▪ Aim: downgrade availability for a service (take it offline)
▪ Types
– Brute-forcing
▪ Send a lot of data (overload network), multiple queries (overload CPU), ...
– Semantic
▪ Exploit vulnerability (buffer overflow, …)
▪ Send heavy requests (triggering complex operations)
▪ DoS can be applicable to any layer in the OSI model!
▪ Distributed DoS (DDoS)
– Attack from multiple sources (e.g. a botnet)
SMURF ATTACK
▪ Spoofed IP packets containing ICMP echo request
– Source: Victim’s IP
– Destination: Broadcast address
▪ Results in triggering all hosts included in the network to respond with ICMP response packets
▪ Saturates the network with bogus traffic and delays
▪ Prevents legitimate traffic from reaching its destination
▪ An example of a reflected attack
SMURF ATTACK
Figure: the attacking system sends, across the Internet, a ping request to the broadcast address of a broadcast-enabled network with source = victim's IP address; the request is delivered into that network as a ping request to the broadcast address with source = victim's IP address.
SMURF ATTACK
Figure: as on the previous slide, the attacking system sends a ping request to the broadcast address of a broadcast-enabled network with source = victim's IP address; every host on that network then sends a ping reply, and all the replies are directed to the victim system.
SMURF ATTACK
▪ Mitigations
– Don’t respond to ICMP requests
– Don’t forward packets to broadcast addresses
▪ Difficult to avoid being a target (similar mitigations to DNS reflection)
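The two mitigations above are configured on the reflecting network, so the signals a defender can watch for are the trigger (an echo request to the broadcast address from a source that is not on the local network) and the effect (echo replies from many distinct hosts converging on one destination). The following is an added example, not part of the lecture: the packet summaries are constructed (a LAN 192.0.2.0/24, a victim 203.0.113.5, forty replying hosts), and the two checks flag each side of the smurf exchange drawn on the previous slides.

```python
# Added example (not from the lecture slides): detect the two halves of a smurf
# exchange in ICMP packet summaries. All addresses and packets below are constructed.
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # our broadcast-enabled LAN (constructed)
ECHO_REQUEST, ECHO_REPLY = 8, 0                     # ICMP type values

# Constructed packet summaries as a border sensor would log them:
# (timestamp, src, dst, icmp_type). One spoofed request to the broadcast
# address, forty replies from LAN hosts to the victim, then a benign ping.
SAMPLE_PACKETS = (
    [(0.00, "203.0.113.5", "192.0.2.255", ECHO_REQUEST)]
    + [(0.01 + 0.001 * i, "192.0.2.%d" % i, "203.0.113.5", ECHO_REPLY) for i in range(1, 41)]
    + [(0.50, "192.0.2.7", "192.0.2.9", ECHO_REQUEST), (0.51, "192.0.2.9", "192.0.2.7", ECHO_REPLY)]
)


def spoofed_broadcast_requests(packets, net=LOCAL_NET):
    """Echo requests addressed to the LAN broadcast address whose source is not
    on the LAN: the smurf trigger (a local host pinging the segment is normal)."""
    hits = []
    for ts, src, dst, itype in packets:
        if itype != ECHO_REQUEST:
            continue
        if ipaddress.ip_address(dst) != net.broadcast_address:
            continue
        if ipaddress.ip_address(src) in net:
            continue
        hits.append((ts, src, dst))
    return hits


def reflection_targets(packets, window=1.0, min_sources=10):
    """Destinations that receive echo replies from at least `min_sources`
    distinct hosts inside one `window`-second bucket: the victim's side of a
    reflected flood. Returns {dst: largest distinct-source count seen}."""
    buckets = defaultdict(set)                 # (bucket index, dst) -> set of reply sources
    for ts, src, dst, itype in packets:
        if itype == ECHO_REPLY:
            buckets[(int(ts // window), dst)].add(src)
    targets = {}
    for (_, dst), sources in buckets.items():
        if len(sources) >= min_sources:
            targets[dst] = max(targets.get(dst, 0), len(sources))
    return targets


if __name__ == "__main__":
    print("spoofed broadcast requests:", spoofed_broadcast_requests(SAMPLE_PACKETS))
    print("reflection targets:", reflection_targets(SAMPLE_PACKETS))
```

On the network side, the slide's two mitigations correspond to existing knobs: Linux hosts ignore broadcast echo requests when the sysctl `net.ipv4.icmp_echo_ignore_broadcasts` is 1, and Cisco IOS routers stop forwarding directed broadcasts with `no ip directed-broadcast` on each interface; `spoofed_broadcast_requests` returning anything means one of those is missing somewhere.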
PING FLOOD ATTACK
▪ Ping of death
▪ Over-sized packets to crash (or reboot) the system
PING FLOOD ATTACK
▪ Generally requires the attacker to have greater bandwidth than the target
▪ Target saturates bandwidth in two ways – receiving requests and sending responses
▪ Mitigations
– Disable response to ICMP requests (either OS/network level)
REVIEW: TCP HANDSHAKE
Figure: three-way handshake between client C and server S (S starts out Listening):
  SYN (C -> S):      SN_C <- rand_C, AN_C <- 0
  SYN/ACK (S -> C):  SN_S <- rand_S, AN_S <- SN_C        S stores SN_C, SN_S and Waits
  ACK (C -> S):      SN <- SN_C, AN <- SN_S              connection Established
▪ Client sends SYN, Server sends ACK and waits
REVIEW: TCP HANDSHAKE
▪ At an implementation level, a new port is allocated per connection received
▪ The application typically establishes a new thread per connection
▪ These resources typically remain assigned (both port and thread) until the session ends
TCP SYN FLOOD
▪ Attacker sends many connection requests with spoofed source addresses
▪ Victim allocates resources for each request
– New thread, connection state maintained until timeout
– Limited number of concurrent half-open connections
▪ Once resources exhausted, requests from legitimate clients are denied
TCP SYN FLOOD
Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, ... to server S
Single machine:
• SYN packets with random source IP addresses
• Fills up backlog queue on server
• No further connections possible
TCP SYN FLOOD
Backlog timeout: 3 minutes
Attacker needs only to send 128 SYN packets every 3 minutes
Low rate SYN flood
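The arithmetic behind the slide is backlog size divided by timeout: 128 entries held for 180 s each are kept permanently occupied by one SYN every 1.4 s, about 0.71 SYN/s. The following is an added example, not part of the lecture: a small deterministic model of a listen backlog that replays constructed attacker and legitimate SYN arrivals (no packets are sent) and counts how many legitimate clients are turned away, using the slide's numbers plus an assumed 0.1 s handshake round trip.

```python
# Added example (not from the lecture slides): deterministic model of a server's
# listen backlog under a low-rate SYN flood. Backlog size and timeout are the
# slide's numbers; the handshake RTT and the traffic pattern are assumptions.

BACKLOG_SIZE = 128        # half-open connections the server will hold (from the slide)
BACKLOG_TIMEOUT = 180.0   # seconds an un-ACKed entry stays in the backlog (from the slide)
HANDSHAKE_RTT = 0.1       # seconds a legitimate client takes to return its ACK (assumed)


def minimum_attack_rate(backlog=BACKLOG_SIZE, timeout=BACKLOG_TIMEOUT):
    """SYNs per second needed to keep `backlog` entries permanently occupied
    when each is held for `timeout` seconds: 128 / 180 s, about 0.71 SYN/s."""
    return backlog / timeout


def arrivals(interval, duration, offset=0.0):
    """Evenly spaced arrival times (constructed traffic, not a capture).
    `interval` of None means no traffic of this kind."""
    if interval is None:
        return []
    return [offset + i * interval for i in range(int((duration - offset) / interval) + 1)]


def simulate(attack_interval, legit_interval, duration,
             backlog=BACKLOG_SIZE, timeout=BACKLOG_TIMEOUT, rtt=HANDSHAKE_RTT):
    """Replay attacker and legitimate SYNs against one backlog.

    Attacker SYNs carry spoofed sources, so the SYN/ACK is never answered and the
    entry sits until `timeout`. Legitimate SYNs complete after `rtt` and free their
    entry. Any SYN arriving while the backlog is full is dropped. Events at the
    same instant are ordered by kind name, so ties go to the attacker."""
    events = sorted([(t, "attack") for t in arrivals(attack_interval, duration)]
                    + [(t, "legit") for t in arrivals(legit_interval, duration, offset=0.25)])
    held = []          # expiry time of every entry currently in the backlog
    stats = {"attack_syns": 0, "legit_accepted": 0, "legit_dropped": 0, "peak_half_open": 0}
    for now, kind in events:
        held = [exp for exp in held if exp > now]   # timed-out or completed entries leave
        if kind == "attack":
            stats["attack_syns"] += 1
            if len(held) < backlog:
                held.append(now + timeout)
        elif len(held) < backlog:
            held.append(now + rtt)
            stats["legit_accepted"] += 1
        else:
            stats["legit_dropped"] += 1
        stats["peak_half_open"] = max(stats["peak_half_open"], len(held))
    return stats


if __name__ == "__main__":
    print("attacker rate needed: %.2f SYN/s" % minimum_attack_rate())
    print("no attack:      ", simulate(None, 0.5, 600))
    print("low-rate flood: ", simulate(BACKLOG_TIMEOUT / BACKLOG_SIZE, 0.5, 600))
```

In the ten-minute run the attacker sends 427 SYNs in total; once the backlog fills (at about three minutes) every expiring entry is replaced by the next attacker SYN and legitimate clients arriving twice a second are all refused, which is the "no further connections possible" of the previous slide at a rate no bandwidth monitor would notice.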
DDOS ATTACK
▪ Attacker takes over machines via viruses and launches DoS attacks from these “zombies” or “bots”
▪ Larger botnets can have millions of bots
▪ Sustainability of botnets
– Many owners are unaware that their machine is a zombie
– Owners are not motivated to patch their machines to protect against malware in the absence of perceived harm
APPLICATION-TARGETING DOS
▪ A little out of scope for this course but worth remembering!
▪ DDoS doesn’t have to target network comms
▪ DDoS also doesn’t have to be malicious ☺
▪ Examples:
– I get access to a Linux machine. I run a Python script that reads junk into memory and writes junk to fill the disks
– I create an app for remotely ordering coffee during lockdown
▪ 100000s of users on day 1
▪ App servers get overwhelmed
▪ Sad users
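When the thing that gets overwhelmed is the application rather than the network, the first line of defence is admission control at the application layer: accept a bounded burst per client and shed the rest instead of letting the servers fall over. The following is an added example, not part of the lecture: a per-client token bucket run over constructed traffic (one client firing 32 requests in a second, a second client making three ordinary requests), showing how the busy client is throttled while the quiet one is untouched.

```python
# Added example (not from the lecture slides): per-client token-bucket admission
# control for an application that would otherwise be overwhelmed. Client
# addresses and request timings below are constructed.
from collections import defaultdict


class TokenBucket:
    """Allows up to `burst` requests at once, then `rate` requests per second."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)  # refill
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def admit(requests, rate, burst):
    """Run (timestamp, client_id) requests through one bucket per client.
    Returns (accepted, rejected, {client_id: rejected_count})."""
    buckets = {}
    accepted = rejected = 0
    rejected_by = defaultdict(int)
    for now, client in sorted(requests):
        bucket = buckets.get(client)
        if bucket is None:
            bucket = buckets[client] = TokenBucket(rate, burst, now)
        if bucket.allow(now):
            accepted += 1
        else:
            rejected += 1
            rejected_by[client] += 1
    return accepted, rejected, dict(rejected_by)


# Constructed traffic: one client sends 32 requests in one second (a script in a
# loop, or a page that retries on every error); another makes three normal requests.
CONSTRUCTED_REQUESTS = (
    [(i / 32, "198.51.100.10") for i in range(32)]
    + [(0.5, "198.51.100.20"), (0.625, "198.51.100.20"), (0.75, "198.51.100.20")]
)

if __name__ == "__main__":
    print(admit(CONSTRUCTED_REQUESTS, rate=4.0, burst=8))
```

With a burst of 8 and a refill of 4 per second the busy client gets 11 of its 32 requests through and the other client gets all 3, so the back end sees 14 requests instead of 35; the rejected ones should be answered cheaply (an HTTP 429 or a queue position) rather than by the expensive ordering path, which is what keeps the servers up on day one.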
AS AN ATTACKER, WHY?
▪ Disrupt service, hacktivism/damage, and often a smokescreen
▪ Practical example – you’re the CISO of a large bank
▪ Your web banking service (significant money maker) gets DDoS’d
– You pivot your resources (time, money, people) to restoring web banking
– Meanwhile, alerts for data exfiltration or weird login patterns for monitored accounts
– What’s the priority?
▪ Web banking
▪ Attackers exfil data/hop through the network
TO BE CONTINUED
▪ See the next lecture
ACKNOWLEDGEMENT
▪ Most of these slides are from Rizwan Asghar,
thanks to him!
Questions?
Thanks for your attention!