
COMP1829

Network Security

Week 3

Denial Of Service

Anatolij Bezemskij
1 / 22
COMP1829 Network Security
Denial Of Service

The NIST Computer Security Incident Handling Guide defines a DoS as:

“An action that prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources such as central processing units (CPU),
memory, bandwidth, and disk space.”

However, is denial of service only a cyber phenomenon?

Anonymous calling for demonstrations at the bottleneck points of a city is not unlike
Anonymous calling for a network DoS:

• San Francisco Subways, 2011

System Limitations

Computer System Components:

• Central Processing Unit (CPU)
• Random Access Memory (RAM)
• Graphics Processing Unit (GPU)
• Power Supply Unit (PSU)
• Hard Disk Drive (HDD/SSD)

Computer Networks:
• Bandwidth
• Network Protocols
• Intermediate Devices
• Wireless Technologies
• Other Communication Mediums

Denial of Service

In the context of computer networks, we may use the following definition:

“A Denial of Service attack is any intended attempt to prevent legitimate users from
reaching a specific network resource”
Loukas, G., & Öke, G. (2010). Protection against denial of service attacks: a survey. The Computer Journal, 53(7), 1020-1037.

A Denial of Service can be performed by:

• Exhausting resources, such as CPU, memory, disk space, or more often the
network bandwidth
• Triggering a bug in the network protocol (poison packet)
• Exploitation, e.g. crashing the server

The defences are limited and can be summarized in these words:

There are no defences against Denial of Service, only a lack of
attackers’ resources and knowledge

Classic Denial of Service

Classic Denial of Service attacks fall under flooding, where a high-capacity link
floods a lower-capacity one, causing most packets to be lost. This type of Denial
of Service is called Flooding, or is sometimes referred to as a Volume Attack.

ICMP Flood

A simple echo request (ping) packet can be used as a tool for Denial of Service.

A real-world example:

• Denial of Service attack on Estonia in 2007 (Bronze Night)
• 3 weeks of distributed denial of service attack caused $40 million of cyber damage
• 115/128 DoS attacks were ICMP Flood

SYN Flood

A SYN flood attack is a form of denial-of-service attack in which an attacker rapidly
initiates a connection to a server without finalizing the connection.

The server must spend resources waiting for half-open connections, which can
consume enough resources to make the system unresponsive to legitimate traffic.

SYN Flood

A SYN flood attack is commonly combined with the flooding methodology, as the attack
vector is both the server's hardware resources and the network bandwidth; this type of
attack is frequently used by adversarial actors.

Flooding Mitigation

The key thoughts on flooding:

• The bandwidth is flooded, so maybe we should increase the bandwidth rate?
• Bandwidth has various limitations, such as cost, protocols and physics
• Resources may be distributed, but this requires management
• Any other thoughts?

• Use of filtering
• Ingress/Egress firewall filtering
• Deep Packet Inspection
• Application firewalls
• All of them have flaws: you may defend against a script-kiddie, not an APT

Mitigation must be performed as a coordinated measure on all network levels:
local, ISP, government and other global providers.

Reflection Denial of Service Attack

R.T. Morris (1985): “There is no provision in the Internet Protocol to discover the
true origin of a packet”

It is assumed that the source IP address in the IP header is authentic; however, an
adversary may write anything they like. This causes “Backscatter”, i.e. the response
from the intermediate server goes to the falsified IP address.
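As an added example (not part of the lecture slides), the following Python filter shows the ingress/egress anti-spoofing checks mentioned under flooding mitigation, which deny a reflection attack its falsified source address. The address plan and the sample packets are constructed, not taken from any real network.

```python
# Added example, not from the lecture: ingress/egress anti-spoofing filter.
# Address plan and sample packets are constructed (hypothetical) values.
import ipaddress

# Prefixes assigned to the defended network (assumed).
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Sources that must never arrive from the Internet: private, loopback,
# link-local and "this network" space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def egress_allowed(src):
    """Outbound packets may only carry one of our own source addresses.
    A host here then cannot send requests with a victim's address as source,
    so no reflector would bounce backscatter onto that victim."""
    return _in_any(ipaddress.ip_address(src), LOCAL_PREFIXES)

def ingress_allowed(src):
    """Inbound packets are dropped if they claim one of our own addresses
    (they cannot legitimately arrive from outside) or a bogon source."""
    addr = ipaddress.ip_address(src)
    return not (_in_any(addr, LOCAL_PREFIXES) or _in_any(addr, BOGON_PREFIXES))

def filter_packets(packets):
    """Apply the rule matching each packet's direction; return (allowed, dropped)."""
    allowed, dropped = [], []
    for pkt in packets:
        rule = egress_allowed if pkt["dir"] == "out" else ingress_allowed
        (allowed if rule(pkt["src"]) else dropped).append(pkt)
    return allowed, dropped

# Constructed sample traffic (documentation ranges, not real captures).
SAMPLE = [
    {"dir": "out", "src": "203.0.113.7",  "dst": "198.51.100.53"},  # genuine
    {"dir": "out", "src": "192.0.2.123",  "dst": "198.51.100.53"},  # spoofed source
    {"dir": "in",  "src": "192.0.2.44",   "dst": "203.0.113.10"},   # genuine
    {"dir": "in",  "src": "203.0.113.10", "dst": "203.0.113.10"},   # claims our IP
    {"dir": "in",  "src": "10.1.2.3",     "dst": "203.0.113.10"},   # bogon
]

if __name__ == "__main__":
    kept, lost = filter_packets(SAMPLE)
    print(f"allowed {len(kept)}, dropped {len(lost)}")
```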

Amplification Denial Of Service Attack

The attack is the same as a reflection denial-of-service attack; the only difference is
the implied amplification factor, i.e. the reflector's response is larger than the
request that triggered it.

Distributed Denial Of Service Attack

• The type of Denial-of-Service attack may vary or can be combined by the
attacker.
• Botnets can be merged to increase the power of such an attack.
• The intermediate servers can utilize multiple protocols: Memcached, DNS, NTP
and many others.

Distributed Denial Of Service Modern Endpoints

• Nowadays the roles are distributed across various platforms
• The endpoints are sometimes behind a firewall or on an internal server
• Threat actors may have a specific target: disabling a role or a function
• Load Balancers and CDNs can mitigate such attacks, but they cannot defend
fully

Famous DDoS

Amazon Web Services (2020):

• The volume of 2.3 Terabytes per second
• The client was not disclosed by Amazon
• CLDAP Reflection Attack
• Amplification Factor: x56 – x70

Akamai Technologies (2018):

• The volume of 1.3 Terabytes per second
• Target: GitHub
• Memcached Amplification Attack
• Amplification Factor: x10,000 – x51,000

Mirai Botnet (2016):

• There is some evidence of a 1.5 Terabytes per second volume
• Target: DynDNS and many others
• IoT devices were taking part
• Multiple types of attacks were used

A bit of History

Smurf Attack – the adversary crafts an ICMP packet with a spoofed source address,
sent to a broadcast IP address

Defences

• PREVENT
• DETECT
• RESPOND
• PROSECUTE
Defences: Prevention

PREVENT: mirrored servers, CAPTCHAs, honeypots

• Server mirroring: a replica of a server is continuously created at run-time.
Primarily for business continuity.
• CAPTCHAs: Completely Automated Public Turing test to tell Computers and
Humans Apart.
• Honeypots: fake servers existing to divert attacks to themselves instead of
the real servers of the organization.

Defences: Detection

How can we tell that the traffic we receive is illegitimate traffic sent by a DoS
attacker and not normal?

DETECT:

• Inbound bitrate: almost always a DoS causes a bitrate that is higher than usual.
• Rate of increase of inbound bitrate: a DDoS does not reach its max rate
immediately, due to imperfect synchronization of zombies and different
distances.
• Differences between inbound and outbound traffic: e.g. during a SYN flood,
the number of inbound SYN requests is many more than the outbound SYN-ACKs.
• Similarly, increases in delays, packet losses, ...
• IP blacklists
• Packet sizes

Defences: Detection w/ Machine Learning

DETECT:

• Signature-based: there are known “signatures” of DoS attacks and we compare
our network traffic against them.
• Anomaly-based: we know what “normal operation” is and we determine that
there is an attack when the current network situation differs from the normal
operation.
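As an added example (not part of the lecture slides), this Python code turns two signals from the detection slides into running checks: a signature-based SYN-to-SYN-ACK ratio and an anomaly-based inbound-bitrate baseline, with the rate of increase computed alongside. The per-second counters and the thresholds (ratio_limit, min_syn, k) are constructed values that a defender would tune for their own network.

```python
# Added example, not from the lecture: one signature-based and one anomaly-based
# check from the detection slides, run over constructed per-second counters.
# Thresholds (ratio_limit, min_syn, k) are assumed values to be tuned per network.
from statistics import mean, pstdev

def syn_flood_signature(in_syn, out_synack, ratio_limit=3.0, min_syn=50):
    """Signature-based: inbound SYNs greatly outnumber outbound SYN-ACKs (once the
    half-open backlog is full the server stops answering). min_syn keeps a quiet
    second with a handful of SYNs and no replies from raising an alert."""
    return in_syn >= min_syn and in_syn / max(out_synack, 1) > ratio_limit

def bitrate_threshold(baseline_bps, k=3.0):
    """Anomaly-based: 'normal' is learned from a clean period as mean + k*stddev
    of the inbound bitrate; anything above it is treated as abnormal."""
    return mean(baseline_bps) + k * pstdev(baseline_bps)

def ramp_rate(in_bps_series):
    """Rate of increase of inbound bitrate between consecutive seconds: a DDoS
    ramps up over several seconds as zombies join rather than stepping at once."""
    return [b - a for a, b in zip(in_bps_series, in_bps_series[1:])]

def detect(samples, baseline_bps):
    """samples: per-second dicts with t, in_bps, in_syn, out_synack.
    Returns a list of (t, reasons) for every second that triggers a check."""
    threshold = bitrate_threshold(baseline_bps)
    alerts = []
    for s in samples:
        reasons = []
        if s["in_bps"] > threshold:
            reasons.append("anomaly:inbound-bitrate")
        if syn_flood_signature(s["in_syn"], s["out_synack"]):
            reasons.append("signature:syn-flood")
        if reasons:
            alerts.append((s["t"], reasons))
    return alerts

# Constructed data (not real measurements): a clean baseline, then five seconds
# in which a flood ramps up. Second 4 is a SYN flood of small packets that
# barely moves the bitrate, so only the signature check catches it.
BASELINE_BPS = [9.8e6, 10.2e6, 9.9e6, 10.5e6, 10.1e6, 9.7e6, 10.3e6, 10.0e6]
SAMPLES = [
    {"t": 0, "in_bps": 10.1e6, "in_syn": 40,   "out_synack": 38},
    {"t": 1, "in_bps": 10.6e6, "in_syn": 45,   "out_synack": 44},
    {"t": 2, "in_bps": 18.0e6, "in_syn": 400,  "out_synack": 90},
    {"t": 3, "in_bps": 60.0e6, "in_syn": 5000, "out_synack": 120},
    {"t": 4, "in_bps": 10.3e6, "in_syn": 300,  "out_synack": 40},
]
```

Running `detect(SAMPLES, BASELINE_BPS)` flags seconds 2 and 3 on both checks and second 4 on the signature alone; `ramp_rate` on the in_bps series shows the climb from second 1 to 3 that the slide describes.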

Defences: Response

RESPOND:

• Implement contingency plan: e.g. revert to mirrored servers, reduce internal
use of the network, etc.
• Limit bitrate of suspicious traffic: this assumes that we have a classification
mechanism (often similar to a detection mechanism) that can tell what is
suspicious and what is not.
• Prioritise the traffic more likely to be legitimate: same assumption as above.
• Traceback: try to identify the real source(s) of the attack.
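As an added example (not part of the lecture slides), this Python scheduler applies two of the response measures together for one second of traffic: it prioritises packets classified as likely legitimate and caps the bitrate granted to suspicious ones. The classifier is a stand-in allow-list of sources, and the capacities and packets are constructed values.

```python
# Added example, not from the lecture: a one-second link scheduler applying two
# response measures together, a bitrate cap on suspicious traffic and priority
# for traffic classified as more likely legitimate. The classifier is a stand-in
# (an allow-list of sources) and every number below is constructed.
LINK_CAPACITY = 1_000_000   # bytes per second the link can carry (assumed)
SUSPICIOUS_CAP = 200_000    # most bytes per second granted to suspicious traffic (assumed)

def classify(pkt, trusted_sources):
    """Stand-in for the detection-like classification the slide assumes exists."""
    return "legit" if pkt["src"] in trusted_sources else "suspicious"

def schedule_second(packets, trusted_sources):
    """Forward legitimate packets first, up to link capacity; then suspicious
    packets up to the smaller of SUSPICIOUS_CAP and the capacity left over.
    Packets that do not fit are dropped. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    budget = LINK_CAPACITY
    suspicious = []
    for pkt in packets:
        if classify(pkt, trusted_sources) == "suspicious":
            suspicious.append(pkt)   # defer until legitimate traffic is served
        elif pkt["bytes"] <= budget:
            forwarded.append(pkt)
            budget -= pkt["bytes"]
        else:
            dropped.append(pkt)
    susp_budget = min(SUSPICIOUS_CAP, budget)
    for pkt in suspicious:
        if pkt["bytes"] <= susp_budget:
            forwarded.append(pkt)
            susp_budget -= pkt["bytes"]
        else:
            dropped.append(pkt)
    return forwarded, dropped

# Constructed one second of traffic (documentation addresses, not real data).
TRUSTED = {"192.0.2.10"}
SECOND = [
    {"src": "192.0.2.10",   "bytes": 600_000},
    {"src": "198.51.100.5", "bytes": 150_000},
    {"src": "192.0.2.10",   "bytes": 300_000},
    {"src": "198.51.100.6", "bytes": 100_000},
    {"src": "198.51.100.7", "bytes": 50_000},
]
```

With this input the two trusted packets use 900,000 bytes, so only 100,000 bytes remain for suspicious traffic and two of the three suspicious packets are dropped.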

Defences: Summary

PREVENT:
• Mirrored servers
• CAPTCHAs
• Honeypots
• Block spoofed IPs
• Limit incoming bitrate per packet type

DETECT:
• Signature-based
• Anomaly-based

RESPOND:
• Implement contingency plan
• Traceback
• Limit bitrate of suspicious traffic
• Prioritise the traffic more likely to be legitimate

Prosecution

Can I DoS in the UK?

– No (since 2006). Maximum penalty: 10 years

Can I download a DoS tool?

– It depends: if you have malicious intent to perform an offence, No. For use
within a controlled virtual environment with permission, Yes.

Computer Misuse Act (Section 3A)


“a person is guilty of an offence if he obtains any article with a view to its being
supplied for use to commit, or to assist in the commission of, an offence under
section 1 or 2”
