
Distributed Systems

• Service Denial Attacks


Introduction
• Denial of Service Attack: an attack on a computer or
network that prevents legitimate use of its resources.

• DoS Attacks Affect:
• Software Systems
• Network Routers/Equipment
• Servers and End-User PCs

Classification of DoS Attacks

Attack: Network Level Device
Affected Area: Routers, IP Switches, Firewalls
Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

Attack: OS Level
Affected Area: Equipment Vendor OS, End-User Equipment
Description: Attack takes advantage of the way operating systems implement protocols.

Attack: Application Level Attacks
Affected Area: Finger Bomb
Description: Attack a service or machine by using an application attack to exhaust resources.

Attack: Data Flood (Amplification, Simple Flooding)
Affected Area: Host computer or network
Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Attack: Protocol Feature Attacks
Affected Area: Servers, Client PC, DNS Servers
Description: Attack in which "bugs" in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting a DNS server's cache.
Service Denial Attacks
• One of the reasons we want security services to be fault-tolerant is to
make service-denial attacks less attractive, more difficult, or both.

• These attacks are often used as part of a larger attack plan. For
example, one might swamp a host to take it temporarily offline, and
then get another machine on the same LAN to assume its identity for
a while.

• Another possible attack is to take down a security server to force
other servers to use cached copies of credentials.

Service Denial Attacks(cont…)
• A powerful defense against service denial is to prevent the opponent
from mounting a selective attack.
• Where this isn't possible, and the opponent knows where to attack,
there are some types of service-denial attacks which can be stopped by
redundancy and resilience mechanisms, and others which can't.
• For example, an opponent can send a large number of connection
requests (half-open TCP connections, a SYN flood) and prevent anyone
else from establishing a connection.
• Finally, where a more vulnerable fallback system exists, a common
technique is to force its use by a service denial attack.

Service Denial Attacks(cont…)
• A typical attack nowadays is to use a false terminal, or a bug inserted
into the cable between a genuine terminal and a branch server, to
capture card details, and then write these details to the magnetic
stripe of a card whose chip has been destroyed: the terminal cannot
read the chip, so it falls back to the less secure magnetic-stripe
transaction.
• In the same way, burglar alarms that rely on network connections for
the primary response and fall back to alarm bells may be very
vulnerable if the network can be interrupted by an attacker: now that
online alarms are the norm, few people pay attention any more to
alarm bells.

DoS Shortfalls
• A single-source DoS attack is unable to attack large-bandwidth websites:
one upstream client cannot generate enough bandwidth to cripple a major
site with multi-megabit connectivity.
• New distributed server architectures make it harder for one DoS source
to take down an entire site.
• New software protections neutralize existing DoS attacks quickly.
• Service providers know how to prevent these attacks from affecting
their networks.
• These shortfalls are what push attackers toward the distributed form of
the attack (DDoS) covered next.

DoS Basics
• What is the Internet?
• What resources do you access through the Internet?
• Who uses those resources?
• Good vs bad users
• Denial-of-Service attack
• A DoS attack is a malicious attempt by a single person or a group of people to
cause the victim, site, or node to deny service to its customers.
• DoS vs DDoS
• DoS: when a single host attacks
• DDoS: when multiple hosts attack simultaneously

DDoS Architecture

[Figure: three-tier DDoS architecture. Top tier: Clients (two shown); middle tier: Handlers (four shown); bottom tier: Agents. Each tier controls the one below it.]

DDoS Attack Description
• DDoS Attack
• build a network of computers:
 discover vulnerable sites or hosts on the network
 exploit them to gain access to these hosts
 install new programs (known as attack tools) on the
compromised hosts
 hosts that are running these attack tools are known as zombies
 many zombies together form what we call an army
• building an army is automated and is not a difficult process
nowadays

DDoS Attack Description (cont...)
• How to find vulnerable machines?
 Random scanning:
 infected machines probe IP addresses at random, find vulnerable
machines and try to infect them
 creates a large amount of traffic
 spreads very quickly at first but slows down as time passes, because
more and more probes hit invulnerable or already-infected hosts
• Hit-list scanning
 the attacker first collects a list of a large number of potentially
vulnerable machines before scanning starts
 once a machine is found, the attacker infects it and splits the list,
giving half of the list to the compromised machine
 the same procedure is carried out by each infected machine
 all machines in the list are compromised in a short interval of time
without generating significant scanning traffic
DDoS Attack Description (cont...)
• Topological scanning
 uses information found on the victim machine in order to
find new targets
 looks for URLs on the disk of a machine that it wants to infect
 extremely accurate, with performance matching the hit-list
scanning technique
• Local subnet scanning
 acts behind a firewall
 looks for targets in its own local network
 creates a large amount of traffic

DDoS Attack Description (cont...)
• Permutation scanning
 all machines share a common pseudorandom permutation of the IP
address space
 based on certain criteria a machine starts scanning at some random
point of the permutation or sequentially
 coordinated scanning with extremely good performance
 the randomization mechanism allows high scanning speeds
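The contrast between random scanning and hit-list scanning above (growth that slows down and wastes probes, versus list-splitting that doubles the army every round with no wasted probe) can be made concrete with a simulation. The following Python is an added example and is not code from the slides; the address-space size, the fraction of vulnerable hosts and the seed are constructed assumptions, and the "network" is just a set of integer addresses.

```python
"""Random scanning vs hit-list scanning: how fast an army is built and how
much scanning traffic each method generates.

Added example, not from the slides. The address space, the fraction of
vulnerable hosts and the seed are constructed values (assumptions)."""
import random

ADDRESS_SPACE = 4096         # assumed size of the scanned address space
VULNERABLE_FRACTION = 0.05   # assumed: 5% of addresses run an exploitable service


def build_network(seed=1):
    """Construct the set of vulnerable addresses and a seeded RNG."""
    rng = random.Random(seed)
    n_vulnerable = int(ADDRESS_SPACE * VULNERABLE_FRACTION)
    vulnerable = set(rng.sample(range(ADDRESS_SPACE), n_vulnerable))
    return vulnerable, rng


def random_scanning(vulnerable, rng, max_rounds=100_000):
    """Every infected host probes one random address per round.  Probes that
    hit invulnerable or already-infected hosts are wasted traffic, which is
    why growth slows down once most vulnerable hosts are already zombies."""
    infected = {rng.choice(sorted(vulnerable))}          # patient zero
    probes = wasted = rounds = 0
    while infected != vulnerable and rounds < max_rounds:
        rounds += 1
        for _zombie in range(len(infected)):             # one probe per zombie per round
            target = rng.randrange(ADDRESS_SPACE)
            probes += 1
            if target in vulnerable and target not in infected:
                infected.add(target)
            else:
                wasted += 1
    return {"rounds": rounds, "probes": probes, "wasted": wasted, "infected": len(infected)}


def hit_list_scanning(vulnerable, rng):
    """The attacker pre-collects the list of vulnerable hosts.  A zombie probes
    one entry per round and hands half of its remaining list to the new zombie,
    so the number of zombies doubles every round and no probe is wasted."""
    hit_list = sorted(vulnerable)
    rng.shuffle(hit_list)
    patient_zero = hit_list.pop()
    work = {patient_zero: hit_list}   # zombie -> the part of the list it is responsible for
    probes = rounds = 0
    while any(work.values()):
        rounds += 1
        for zombie, todo in list(work.items()):
            if not todo:
                continue
            target = todo.pop()       # every entry is known-vulnerable: the probe succeeds
            probes += 1
            half = len(todo) // 2     # split the remainder between infector and new zombie
            work[target] = todo[:half]
            work[zombie] = todo[half:]
    return {"rounds": rounds, "probes": probes, "wasted": 0, "infected": len(work)}


def compare(seed=1):
    """Run both strategies against the same constructed network."""
    vulnerable, rng = build_network(seed)
    by_random = random_scanning(vulnerable, rng)
    vulnerable, rng = build_network(seed)
    by_hit_list = hit_list_scanning(vulnerable, rng)
    return {"vulnerable": len(vulnerable), "random": by_random, "hit_list": by_hit_list}


if __name__ == "__main__":
    for strategy, result in compare().items():
        print(strategy, result)
```

With 204 vulnerable hosts the hit-list run needs exactly 203 probes (one per new zombie) and about log2(204), i.e. 8, rounds, while the random run sends tens of thousands of probes, most of them wasted. From a defender's viewpoint the wasted probes are the only reason random scanning is noticeable at all; a hit-list worm produces almost nothing for a scan detector to see.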

DDoS Attack Propagation
How to propagate malicious code?
• Central source propagation:
 after a host is compromised, the attack toolkit is fetched from a central
source
 this mechanism commonly uses HTTP, FTP, and remote-procedure call
(RPC) protocols
• Back-chaining propagation:
 the newly compromised host copies the attack toolkit from the host
that attacked it
 copying the attack toolkit can be supported by simple port listeners or
by full intruder-installed Web servers, both of which use the Trivial
File Transfer Protocol (TFTP)
• Autonomous propagation:
 transfers the attack toolkit to the newly compromised system
at the exact moment that it breaks into that system
DDoS Attack Taxonomy
• There are mainly two kinds of DDoS attacks:
 typical DDoS attacks, and
 Distributed Reflector DoS (DRDoS) attacks
• Typical DDoS Attacks

DDoS Attack Taxonomy (cont...)
• DRDoS Attacks
 slave zombies send a stream of packets with the victim's IP address as the
source IP address to other uninfected machines (known as reflectors)
 the reflectors then reply to the victim and send a greater volume of
traffic, because they believe that the victim was the host that asked for it
 the attack is thus mounted by non-compromised machines that are not
aware of their role in it
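The DRDoS mechanism above, and the defender-side observation that follows from it (the victim never sent the requests the replies answer), are worked through in the Python below. This is an added example, not code from the slides: the amplification factors, addresses and flows are constructed values, the "reflectors" are modelled as pure functions rather than real servers, and nothing is sent on the network.

```python
"""Model of a DRDoS (reflection/amplification) attack plus a flow-level
detector for the victim's network edge.  Added example, not from the slides;
all addresses, flows and amplification factors are constructed/assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed reply-bytes / request-bytes ratios for common UDP reflector services;
# real factors vary with server configuration (order of magnitude only).
AMPLIFICATION = {53: 28.0, 123: 556.0, 1900: 30.0, 11211: 10000.0}
REQUEST_BYTES = 60   # assumed size of one spoofed request


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def reflect(zombies, reflectors, victim):
    """Each zombie sends one request to each reflector with the victim's
    address forged as the source.  The reflector answers the forged source,
    so the amplified reply lands on the victim.  Returns (requests, responses)."""
    requests, responses = [], []
    for _zombie in zombies:      # the zombie's real address never appears on the wire
        for r_ip, r_port in reflectors:
            requests.append(Flow(victim, 40000, r_ip, r_port, REQUEST_BYTES))
            responses.append(Flow(r_ip, r_port, victim, 40000,
                                  int(REQUEST_BYTES * AMPLIFICATION[r_port])))
    return requests, responses


def amplification_factor(requests, responses):
    """Bytes arriving at the victim per byte the zombies had to send."""
    return sum(f.nbytes for f in responses) / sum(f.nbytes for f in requests)


def detect_unsolicited_reflections(outbound, inbound, min_reflectors=5):
    """At the victim's edge: an inbound flow from a reflector port that no inside
    host sent a matching request for is unsolicited.  Flag inside hosts that
    receive unsolicited replies from many distinct reflectors."""
    solicited = {(f.src, f.dst, f.dport) for f in outbound}   # (inside host, server, service)
    per_host = defaultdict(lambda: {"reflectors": set(), "nbytes": 0})
    for f in inbound:
        if f.sport not in AMPLIFICATION:
            continue
        if (f.dst, f.src, f.sport) in solicited:
            continue                                          # legitimate reply
        per_host[f.dst]["reflectors"].add(f.src)
        per_host[f.dst]["nbytes"] += f.nbytes
    return {host: {"reflectors": len(s["reflectors"]), "nbytes": s["nbytes"]}
            for host, s in per_host.items() if len(s["reflectors"]) >= min_reflectors}


def demo():
    """Constructed scenario: 3 zombies, 6 reflectors (3 open DNS, 3 NTP), 1 victim."""
    victim = "203.0.113.10"
    zombies = ["198.51.100.%d" % i for i in range(1, 4)]
    reflectors = [("192.0.2.%d" % i, 53 if i % 2 else 123) for i in range(1, 7)]
    requests, responses = reflect(zombies, reflectors, victim)
    # an inside host that really did query one of the same resolvers: must not be flagged
    outbound = [Flow("203.0.113.5", 51515, "192.0.2.1", 53, 70)]
    inbound = responses + [Flow("192.0.2.1", 53, "203.0.113.5", 51515, 300)]
    return {"amplification": amplification_factor(requests, responses),
            "alerts": detect_unsolicited_reflections(outbound, inbound)}


if __name__ == "__main__":
    print(demo())
```

The detector keys on what the slide says the reflectors "believe": that the victim asked. Matching inbound replies against the edge's own outbound request flows separates the unsolicited reflected traffic from a genuine DNS or NTP exchange by an inside host. Note that the amplification factor is the same whether one or a thousand zombies participate; the zombies only add volume, the reflectors add the multiplier.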

DDoS Attack Types

Defense Mechanisms
• No fail-safe solution is available to counter DDoS attacks:
 attackers manage to discover other weaknesses of the protocols
 they exploit the defense mechanisms themselves in order to develop attacks
 they discover methods to overcome these mechanisms
 or they exploit them to generate false alarms and to cause catastrophic
consequences
• There are two approaches to defense:
• Preventive defense
• Reactive defense

Modern Techniques in Defending
• Right now there is no 100% effective defense mechanism
• Developers are working on DDoS diversion systems
• e.g. Honeypots

Modern Techniques in Defending
• Honeypots
• low-interaction honeypots
 emulate services and operating systems
 easy and safe to implement
 attackers are not allowed to interact with the underlying operating
system, but only with specific emulated services
• high-interaction honeypots
 a Honeynet is not a software solution that can be installed on a
computer but a whole architecture
 it is a network that is created to be attacked
 every activity is recorded and attackers are trapped
 a Honeywall gateway allows incoming traffic, but controls
outgoing traffic using intrusion prevention technologies

Modern Techniques in Defending (cont...)
• Route Filter Techniques
 when routing protocols were designed, developers did not focus
on security, but on effective routing mechanisms and routing loop
avoidance
 by gaining access to a router, attackers could direct the traffic over
bottlenecks, view critical data, and modify it
 routing filters are necessary for preventing critical routes and
subnetworks from being advertised and suspicious routes from
being incorporated into routing tables
 attackers then do not know the route toward critical servers, and
suspicious routes are not used
• Two route filter techniques:
• blackhole routing
• sinkhole routing
Modern Techniques in Defending (cont...)
• Route Filter Techniques
 filtering on source address
 the best technique if we knew each time who the attacker is
 filtering on services
 filter based on UDP port, TCP connection or ICMP message type
 filtering on destination address
 reject all traffic toward selected victims
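The three filter types listed above, together with the blackhole and sinkhole routing named on the previous slide, can be expressed as one ordered ingress policy. The Python below is an added example and is not code from the slides; the interface-to-prefix mapping, the blocked ports, the victim addresses and the sample packets are constructed, and sinkhole routing is modelled (as an assumption about the slide's intent) as diverting traffic for a victim prefix to an analysis address instead of discarding it.

```python
"""Ordered router ingress policy: source filter, service filter, destination
filter (blackhole) and sinkhole diversion.  Added example, not from the
slides; prefixes, ports, addresses and packets are constructed."""
import ipaddress
from collections import Counter

# Expected source prefix per ingress interface (constructed).  A packet whose source
# lies outside the prefix cannot legitimately have arrived on that interface.
INGRESS_PREFIX = {"cust-A": ipaddress.ip_network("192.0.2.0/24"),
                  "cust-B": ipaddress.ip_network("198.51.100.0/24")}
# Services customers may not send to (constructed): common UDP reflector ports.
BLOCKED_SERVICES = {("udp", 1900), ("udp", 11211)}
# Destination filters for victims under attack (constructed).
BLACKHOLE = {ipaddress.ip_address("203.0.113.10")}                   # all traffic discarded
SINKHOLE = {ipaddress.ip_address("203.0.113.20"): "10.255.0.1"}     # traffic diverted for analysis


def decide(pkt):
    """Return (action, detail) for one packet; filters are checked in order."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # 1. filtering on source address: drop sources that do not belong on this interface
    prefix = INGRESS_PREFIX.get(pkt["iface"])
    if prefix is not None and src not in prefix:
        return ("drop", "source-filter")
    # 2. filtering on services: protocol/port based
    if (pkt["proto"], pkt["dport"]) in BLOCKED_SERVICES:
        return ("drop", "service-filter")
    # 3. filtering on destination address: blackhole or sinkhole the victim
    if dst in BLACKHOLE:
        return ("drop", "blackhole")
    if dst in SINKHOLE:
        return ("divert", SINKHOLE[dst])
    return ("forward", str(dst))


def apply_policy(packets):
    """Return a count per decision and how many *legitimate* packets the
    destination blackhole discarded (the collateral cost of that filter)."""
    decisions = Counter()
    collateral = 0
    for pkt in packets:
        action, detail = decide(pkt)
        decisions[(action, detail)] += 1
        if pkt["legit"] and detail == "blackhole":
            collateral += 1
    return decisions, collateral


SAMPLE_PACKETS = [  # constructed traffic; "legit" marks what the operator wants delivered
    # 1. source outside cust-A's prefix: a spoofed request that would reflect onto 203.0.113.10
    {"iface": "cust-A", "src": "203.0.113.10", "dst": "203.0.113.53", "proto": "udp", "dport": 53, "legit": False},
    # 2. ordinary customer HTTPS traffic
    {"iface": "cust-A", "src": "192.0.2.7", "dst": "203.0.113.80", "proto": "tcp", "dport": 443, "legit": True},
    # 3. memcached request toward a would-be reflector: blocked by the service filter
    {"iface": "cust-B", "src": "198.51.100.9", "dst": "203.0.113.11", "proto": "udp", "dport": 11211, "legit": False},
    # 4./5. a flood packet and a legitimate request, both to the blackholed victim
    {"iface": "cust-B", "src": "198.51.100.40", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "legit": False},
    {"iface": "cust-A", "src": "192.0.2.8", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "legit": True},
    # 6. packet to the sinkholed victim: diverted for analysis instead of dropped
    {"iface": "cust-B", "src": "198.51.100.41", "dst": "203.0.113.20", "proto": "udp", "dport": 123, "legit": False},
]


if __name__ == "__main__":
    counts, lost = apply_policy(SAMPLE_PACKETS)
    for decision, n in sorted(counts.items()):
        print(decision, n)
    print("legitimate packets lost to the blackhole:", lost)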

