DOS Attacks - PowerPoint PPT Presentation

1 / 37

About This Presentation

Title:

DOS Attacks

Description:

What are DoS attacks? DoS : Denial of Service attacks ... OpenVMS 7.1 with UCX 4.1-7. QNX 4.24. Rhapsody Developer Release. SCO OpenServer 5.0.2 SMP ... – PowerPoint PPT presentation

Number of Views:949

Avg rating:3.0/5.0

Slides: 38

Provided by: itIi

Category:

more less

Transcript and Presenter's Notes

Title: DOS Attacks

1
DOS Attacks

Laxmikant Patil
Ashish Khurange

2
Overview

What are DoS (Denial of Service) attacks?
Other types of Attack
DoS Attack Classification
Popular DoS attacks
Attack Description
Intrusion Detection System (IDS) signature
Prevention

3
What are DoS attacks?

DoS Denial of Service attacks
Attacks intended to consume the resources of a
remote system, thereby denying or degrading
service to legitimate users.
Easier to accomplish than remotely gaining
administrative access, hence very common on the
Internet.
e.g. Ping of death, Teardrop, smurf

4
Other types of Attack

viruses, Trojan Horses, worms
Viruses
propagates itself by infecting other programs on
the same computer
Can not spread to a new computer without human
assistance (floppy, sent e-mails)
Worm
A worm is also a program that propagates itself
Unlike a virus, however, a worm can spread itself
'automatically e.g. blaster_worm

5
Blaster worm

W32.Blaster.Worm is a worm that exploits the DCOM
RPC vulnerability.
Port 135 is used for RPC.
An infected node starts scanning network for open
port 135.
Sends data on TCP port 135 that may exploit the
DCOM RPC vulnerability.
creates a hidden remote shell process that will
listen on TCP port 4444, used to issue remote
commands on an infected system.

6
Blaster worm (cont.)

Worm listens on UDP port 69. Port 69 is TFTP
(Trivial FTP) port.
When the worm receives a request from a computer
on port 69, it will send msblast.exe to that
computer and tell it to execute the worm.
And thus the other end gets infected.

7
Other types of Attack (cont.)

Trojan Horses
programs that appear desirable, but actually
contain something harmful
looks like a free game, but when you run it, it
erases every file in that directory
trojan's contents could also be a virus or worm

8
Cost of DoS attacks
DoS most expensive computer crime
9
DoS Attack -Classification
Attacker
DNS Server
DBs
Firewall Router Load
Balancer
WEB Servers
Source students.cs.tamu.edu/kam2959
10
DoS Attack -Classification

System Attacked
Firewall, Router, Load Balancer, WEB Server,
DBs
Part of the System (Resource) Attacked
Network Card, CPU, Storage, kernel buffer
Bandwidth consumption
Attack will consume all available n/w bandwidth
Programming flaws
Failures of applications or OS components to
handle exceptional condition (protocol loop
holes)

11
Popular DoS attacks

Win Nuke Attack
Land Attack
Ping-of-Death Attack
Smurf Attack
Fraggle Attack
PinPong Attack
TCP-SYN Flood
Teardrop

12
Win Nuke attack

WinNuke was the first DoS attack.
Port 139 All "File and Printer Sharing" on a
Windows machine runs over this port.
Can affect only Windows 95 and NT.
Works by sending "Out of Band" data to port 139
of the target host.
Out of band is sent by setting URG pointer in TCP
header.

13
Win Nuke attack (cont.)

The reason is program accepting the packets
doesn't know how to appropriately handle Out Of
Band data. So, it crashes.
Port 445 The SMB (Server Message Block)
protocol is used for file sharing in Windows
NT/2000/XP. TCP port 445 which is used for SMB
over TCP.
New version of WinNuke has surfaced recently, and
it can affect Windows NT, 2000, XP, and even
.NET. A malformed Server Message Block (SMB)
packet is sent to port 139 or 445, brings the
system down.

14
Win Nuke attack

IDS signature
Destination port 139 or 445
URG pointer set in TCP header.
Prevention
Block traffic intended to port 139, 445 at
firewall.
If you are not using file sharing services block
ports 135, 445.

15
Land Attack

Sends a packet where
source IP addr port dest IP addr port
If the attack is launched against a TCP port that
is actually listening, then it can
prevent further legitimate connections for
approximately 30 seconds.
Or very high CPU utilization.
Or will hang indefinitely and must be physically
reset.

16
Land (cont.)

List of OS found vulnerable to Land attack.
AIX 3
AmigaOS AmiTCP 4.2 (Kickstart 3.0)
BeOS Preview Release 2 PowerMac
BSDI 2.0
BSDI 2.1 (vanilla)
FreeBSD 2.2.5-RELEASE
HP External JetDirect Print Servers
IBM AS/400 OS7400 3.7
IRIX 5.2
IRIX 5.3
MacOS MacTCP
MacOS 7.6.1 OpenTransport 1.1.2
MacOS 8.0
NetApp NFS server 4.1d
NetApp NFS server 4.3

Novell 4.11
OpenBSD 2.1
OpenVMS 7.1 with UCX 4.1-7
QNX 4.24
Rhapsody Developer Release
SCO OpenServer 5.0.2 SMP
SCO OpenServer 5.0.4
SCO Unixware 2.1.1
SCO Unixware 2.1.2
SunOS 4.1.3
SunOS 4.1.4
Windows 95 (vanilla)
Windows 95 Winsock 2 VIPUPD.EXE
Windows NT (vanilla)
Windows NT SP3
Windows NT SP3 simptcp-fix
Now it is noticed that both Windows XP SP2 and
Windows Server 2003
remain susceptible to an eight-year-old LAND
attack.

18
Land attack (cont.)

IDS signature
dest IP source IP
dest port source port
Prevention
Eliminate packets at firewall whose source IP is
set to some of internal IP address.

19
Ping-of-Death Attack

Sending a packet of size gt 64 KB can cause lot of
systems to reboot, crash or hang.
Size of IP packets can be up to 64 KB.
Packets that are bigger than the MTU are
fragmented into smaller packets, which are then
reassembled by the receiver.

20
Ping-of-Death (cont.)

At the receiver side the node can not process the
packet untill it gets all the fragments. So, it
has to buffer all the fragments.
Now if the kernel uses 16 bit variable to store
packet size and 64 KB buffer to store packet, by
sending packet greater than 64 KB, it results
into buffer 16 bit variable overflow.

21
Ping-of-Death (cont.)

IDS signature
For any fragment offset length gt 64 KB

22
Smurf Attack

The attacker sends ping requests directed to a
broadcast address, with the source address of the
IP datagram set to the address of the target
system under attack.
All systems within the broadcast domain will
answer back to the target adress, thus flooding
the target system with ICMP traffic and causeing
network congestion.

23
Smurf Attack (cont.)

Traffic amplification strength to the attack is
given by the amplification factor provided by all
affected syetms in the broadcast domain.
Systems with limited network resource may
generate a large amount of network traffic
towards sophisticated sites.
If there are N nodes in broadcast domain, then an
attacker with bandwidth equal to 1/N of targets
bandwidth can bring down the target.

24
Smurf Attack (cont.)
Broadcast address 10.129.127.255
Attacker
Send Ping request to broadcast with source
address 10.129.22.35
Target 10.129.22.35
25
Smurf attack (cont.)

IDS signature
Any node sending ping broadcast request more than
some threshold within a time window.
Prevention
At firewall eliminate all ping request to
broadcast address.

26
Fraggle Attack

Fraggle is UDF amplification attack.
In this attack victim ports are the ports that
generate some charcter strings such as chargen,
time, daytime, echo etc.
In fraggle attack a spoofed UDP packet is send to
the chargen port on a target system with the
source address set to broadcast address.
On receving this packet, the target starts
sending 512 bytes of randomized character data to
all the nodes in the broadcast domain, causing
bandwidth cosumption.

27
Fraggle Attack
Broadcast address 10.129.127.255
Send UDP packet with source IP
10.129.127.255 Destination IP
10.129.22.35 Destination port 19
Target 10.129.22.35
Attacker
28
Fraggle attack (cont.)

IDS signature
Any packet with source addr broadcast addr
And UDP port chargen, echo, daytime, time etc.
Prevention
At firewall block packets with source address as
broadcast address.
If you are not using some UDP services then block
those ports.

29
PingPong Attack

This attack uses basic functionality of two ports
echo port chargen port.
In this attack the attacker sends a malformed UDP
packet to chargen port of target A, with source
address of target B and source port as echo.
Now the target A sends random character string to
echo port of target B. Target B replies it back
to chargen port of target A. This sequence run
infinitely between target A and B. Consuming
bandwidth and processing power of targets.

30
PingPong Attack
Attacker Send UDP packet with Source IP
10.129.30.10 Source port 7 Destination IP
10.129.22.35 Destination port 17
Target A 10.129.22.35 Port 19 (chargen)
Target B 10.129.30.10 Port 7 (echo)
31
PingPong Attack (cont.)

Imagine a scenario where attacker sends malformed
UDP packet to chargen port of target node with
source address set to broadcast address and
source port set to echo.
Very large traffic will be generated in the
network, entire bandwidth of network will be
consumed.
This effect will be like chain reaction.

32
PinPong Attack
Broadcast address 10.129.127.255
Attacker Send UDP packet with Source IP
10.129.127.255 Source port 7 Destination IP
10.129.22.35 Destination port 19
Target 10.129.22.35
33
PingPong attack (cont.)

IDS signature
Any communication between two hosts using chargen
and echo port.
Prevention
If you are not using chargen, daytime, time, echo
ports block these ports.

34
TCP SYN Flood

Based on 3 way handshake of TCP connection.
Attacker sends TCP SYN packet with spoofed source
IP address to target system.
Now the target replies back with SYN / ACK
packet. But as the source IP of request is
spoofed, it wont get ACK back.
It results in to half open connections.
Now the kernel has limited data structure to
store information about half open connections.
Because of this attack that data structure
overflows.

35
TCP SYN flood (cont.)
0
31
Victim 10.129.22.35
Attacker send packet with IP addr 10.129.13.13
Imaginary node with IP 10.129.13.13
36
TCP SYN attack (cont.)