Professional Documents
Culture Documents
2 DDoS PP
2 DDoS PP
aka
(D)DoS Attacks
Network Security
Outline
- Introduction
- What is a Denial of Service Attack?
- What is a Distributed Denial of Service Attack?
- BotNets, BotNet Architectures, Bot Recruitment
- Transport Layer DoS Attacks
- TCP attacks
- Network Layer and Overlay Attacks
- Smurf Attacks, P2P based DDoS
- Operation #PayBack
- Research on DoS and DDoS
• Tracing back the source of DDoS traffic
6/8/2015 2
Introduction
•Approximately 20% of
attacks targeting web sites
are DoS based
•Things get worse in case of
DDoS attacks
6/8/2015 3
Introduction (cont'd)
6/8/2015 4
Introduction (cont'd)
Companies
6/8/2015 5
Introduction (cont'd)
Authorities
6/8/2015 6
Introduction (cont'd)
Or even Nations...
6/8/2015 7
Introduction (cont'd)
Because when these DDoS attacks swamp access lines, then filtering
at the other end does not help
Vinton Cerf
6/8/2015 8
DoS Attacks
•Denial of Service (DoS) Attacks target system availability
•They do not require a lot of computing work and resources
•They take advantage of:
6/8/2015 9
DoS attacks: 802.11b De-
authentication
6/8/2015 10
DoS attacks: 802.11b De-
authentication (cont'd)
The 802.11b De-authentication:
6/8/2015 11
DoS attacks: 802.11b De-
authentication (cont'd)
•User D gets
disconnected from
the network
6/8/2015 12
DoS attacks: The Apache Killer
Bug
6/8/2015 13
DoS attacks (cont'd)
What about the
Physical layer?
• Can be launched on all OSI layers:
- 802.11b bug: Link Layer DoS
- Apache Killer: Application Layer DoS
- Jamming??
6/8/2015 14
DoS attacks (cont'd)
6/8/2015 15
SYN Flooding (1)
Transport Layer Attacks (SYN Flooding)
A TCP connection is established
with a 3-way handshake
• SYN message
• SYN-ACK message
• ACK message
6/8/2015 16
SYN Flooding (2)
Transport Layer Attacks (SYN Flooding)
6/8/2015 17
SYN Flooding (3)
Transport Layer Attacks (SYN Flooding)
6/8/2015 18
Protecting Against SYN-Flooding:
The SCTP Protocol
6/8/2015 19
Protecting Against SYN-Flooding:
The SCTP Protocol
6/8/2015 20
Protecting Against SYN-Flooding:
Proxies
• Use of Proxies
Proxy Server
SYNs
SYN-ACKs
ACKs ACKs
6/8/2015 21
Protecting Against SYN-Flooding:
Cryptographic Puzzles
6/8/2015 22
Smurf Attacks
6/8/2015 23
Preventing Smurf Attacks
6/8/2015 24
Distributed Denial of Service
(DDoS) Attacks
DoS vs DDoS Hollywood version of a BotNet
Vs
6/8/2015 25
Basic BotNet Architectures
BotNet: A large number of compromised computers
6/8/2015 26
Basic BotNet Architectures (1)
6/8/2015 27
Basic BotNet Architectures (2)
6/8/2015 28
Basic BotNet Architectures (3)
6/8/2015 29
Basic BotNet Architectures (4)
6/8/2015 30
Basic BotNet Architectures (5)
6/8/2015 31
IRC controlled BotNets
6/8/2015 32
IRC controlled BotNets (2)
The most common DDoS Architecture
6/8/2015 33
BotNet Recruitment
BotNet Recruitment (1)
Scanning for vulnerable machines to 'recruit' for a BotNet:
• Random: Brute-force the IP address space
6/8/2015 35
BotNet Recruitment (3)
Looking for vulnerable
machines within the IRC
network
6/8/2015 36
Distributed SYN flooding
•The same idea like
the simple DoS
version of TCP
flooding
•Much more
effective due to the
use of a BotNet
•Server has to keep
state for thousands
semi-open TCP
sessions.
6/8/2015 37
P2P based DDoS Attacks
•A large number of
hosts have joined a
P2P Community for
content exchange
purposes
6/8/2015 38
P2P based DDoS Attacks (2)
6/8/2015 39
Operation #PayBack
Social DDoS
• Social BotNets
• Normal users joining willingly a DDoS attack against
major websites (paypal, mastercard, visa, ...)
6/8/2015 40
Operation #PayBack (2)
Social DDoS
Censored :)
http://en.wikipedia.org/wiki/LOIC
6/8/2015 41
Operation #PayBack (3)
Social DDoS
6/8/2015 42
Research on DoS and DDoS
6/8/2015 43
Research on DoS and DDoS
6/8/2015 44
Research on DoS and
DDoS (2)
6/8/2015 45
Research on DoS and DDoS (3)
6/8/2015 46
Conclusions
• DoS and DDoS target the availability of a system/service
• Attackers can take advantage of system defects to launch a DoS/DDoS attack
• DoS attacks do not require many resources from the attacker.
• Any DDoS attack can be launched as a Distributed attack
• These attacks require the use of large collections of infected computers (Botnets)
6/8/2015 47