Network Security
Week 3
Denial Of Service
Anatolij Bezemskij
1 / 22
COMP1829 Network Security
Denial Of Service
The NIST Computer Security Incident Handling Guide defines a DoS as:
“An action that prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources such as central processing units (CPU),
memory, bandwidth, and disk space.”
Anonymous calling for demonstrations at the bottleneck points in a city is not unlike
Anonymous calling for a network DoS
System Limitations
Computer Networks:
• Bandwidth
• Network Protocols
• Intermediate Devices
• Wireless Technologies
• Other Communication Mediums
Denial of Service
Classic Denial of Service
Classic Denial of Service attacks fall under flooding: a high-capacity link floods a
lower-capacity one, causing most packets to be lost. This type of Denial of Service
is called Flooding, and is sometimes referred to as a Volume Attack.
ICMP Flood
A simple echo request (ping) packet can be used as a tool for Denial of Service
SYN Flood
The server must spend resources waiting for half-opened connections, which can
consume enough resources to make the system unresponsive to legitimate traffic
SYN Flood
A SYN flood attack is commonly used together with the flooding methodology, as the
attack vector targets both the victim's hardware resources and its network bandwidth;
this type of attack is frequently used by adversarial actors.
Flooding Mitigation
• Use of filtering
• Ingress/Egress Firewall filtering
• Deep Packet Inspection
• Application Firewalls
• All of them have flaws: you may defend against a script-kiddie, but not an APT
Reflection Denial of Service Attack
R.T. Morris (1985): “There is no provision in the Internet Protocol to discover the
true origin of a packet”
Amplification Denial Of Service Attack
The attack is the same as a reflection denial-of-service attack; the only difference is
the implied amplification factor.
Distributed Denial Of Service Attack
Distributed Denial Of Service Modern Endpoints
Famous DDoS
A bit of History
Defences
• Prevent
• Detect
• Respond
• Prosecute
Defences: Prevention
• Mirrored servers: server mirroring, where a replica of a server is continuously
created at run-time; primarily for business continuity
• CAPTCHAs
• Honeypots
Defences: Detection
How can we tell that the traffic we receive is illegitimate traffic sent by a DoS
attacker and not normal traffic?
Similarly, an increase in delays, packet losses …
Defences: Detection w/ Machine Learning
Signature-based: there are known “signatures” of DoS attacks and we compare our
network traffic against them.
Anomaly-based: we know what “normal operation” is and we determine that there is
an attack when the current network situation differs from the normal operation.
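As an added illustration of the two detection approaches on this slide (example code written for these notes, not material from the lecture), the following Python runs a signature-based check and an anomaly-based check over a constructed TCP packet trace; the trace, the addresses, the baseline length and the thresholds are all assumed values.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed TCP packet trace: (second, src, dst, flag) with "S" = SYN and
# "A" = the client's handshake ACK. Seconds 0-5 are normal traffic; seconds 6-7
# are a simulated SYN flood from spoofed sources that never complete the handshake.
NORMAL_CLIENTS = [3, 2, 4, 3, 2, 4]           # connecting clients per second (assumed)
PACKETS = []
for sec, n in enumerate(NORMAL_CLIENTS):
    for i in range(1, n + 1):
        PACKETS.append((sec, f"10.0.0.{i}", "10.0.1.5", "S"))
        PACKETS.append((sec, f"10.0.0.{i}", "10.0.1.5", "A"))
for sec in (6, 7):
    for i in range(1, 21):
        PACKETS.append((sec, f"198.51.100.{i}", "10.0.1.5", "S"))


def syn_per_window(packets):
    """SYN packets seen in each one-second window, as a list indexed by second."""
    counts = Counter(sec for sec, _, _, flag in packets if flag == "S")
    return [counts.get(sec, 0) for sec in range(max(counts) + 1)]


def anomaly_windows(packets, baseline=6, k=3.0):
    """Anomaly-based: learn the 'normal' SYN rate from the first `baseline`
    windows and flag later windows whose rate exceeds mean + k * std."""
    series = syn_per_window(packets)
    base = series[:baseline]
    threshold = mean(base) + k * pstdev(base)
    return [w for w, n in enumerate(series) if w >= baseline and n > threshold]


def half_open_per_window(packets):
    """Signature-based helper: SYNs per window from sources that never send a
    handshake ACK, i.e. connections left half-open on the server."""
    completed = {src for _, src, _, flag in packets if flag == "A"}
    return dict(Counter(sec for sec, src, _, flag in packets
                        if flag == "S" and src not in completed))


def signature_windows(packets, max_half_open=5):
    """Signature-based: a window with many half-open connections matches the
    known SYN-flood signature, whatever the learned baseline looks like."""
    return sorted(w for w, n in half_open_per_window(packets).items()
                  if n > max_half_open)


if __name__ == "__main__":
    print("anomaly-based alerts in windows:", anomaly_windows(PACKETS))      # [6, 7]
    print("signature-based alerts in windows:", signature_windows(PACKETS))  # [6, 7]
```

Both checks flag the same two windows here; on real traffic the anomaly check also reacts to legitimate surges (a flash crowd), which is why the signature on half-open connections is the more specific of the two.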
Defences: Response
• Traceback
• Limit bitrate of suspicious traffic
• Prioritise the traffic more likely to be legitimate
Defences: Summary
Prevent:
• Limit incoming bitrate per packet type
• Honeypots
Detect:
• Anomaly-based
• Signature-based
• Implement contingency plan
Respond:
• Traceback
• Limit bitrate of suspicious traffic
• Prioritise the traffic more likely to be legitimate
Prosecution