IT 430 Information Assurance - PowerPoint PPT Presentation

Slides: 10
Provided by: comp156


1
IT 430 Information Assurance
  • Lesson 23 Denial of Service

2
Reasons to DoS Attack
  • Nuisance
  • Disrupt Any Operations
  • Targeted Systems
  • Disrupt Specific Operations
  • As Part of Another Attack

3
DoS Attack Categories
  • Stop Services / Exhaust Resources
  • Local / Over Network
  • Counter Hack Reloaded, Pg 514

4
Locally Stopping Services
  • Description
  • Either Kill Processes, Reconfigure Systems or
    Crash Processes
  • Why It Works
  • Usually have to be inside Network
  • If the attacker does not have Root, they exploit a
    vulnerability in software which wasn't intended
    to break the software
  • Defenses
  • Up to date patching
  • Minimize accounts with Root / System Access
  • Verify critical processes / files are not altered

5
Locally Exhausting Resources
  • Description
  • Fill up the bandwidth
  • Fill up the memory on a key component
  • Fill up the disk space on a key component
  • Why It Works
  • Must be inside the network (for local)
  • Defenses
  • Traffic (bandwidth/usage) quotas
  • Set system to warn long before crashing

6
Remotely Stopping Services
  • Description
  • Remote Stopping of Services via Malformed Packets
  • Why It Works
  • Many Services will not know what to do with
    malformed packets
  • Sometimes it drops it
  • Sometimes it processes it (causing it to
    eventually crash)
  • Defenses
  • Patching
  • Stop bad traffic at the firewall before it gets
    to the service
  • Antispoof filters
  • Adequate Bandwidth and backups (on different
    network paths) for Critical Servers / Components
  • Drop Packets when you get too many SYNs / or
    other queued items
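
Added example (not part of the original slides): a toy Python model of the "drop packets when you get too many SYNs" defense, replaying the same constructed traffic against a half-open connection queue with and without a per-source cap. The class, parameter names, limits and sample addresses are assumptions made for illustration.

```python
from collections import Counter, OrderedDict

class SynBacklog:
    """Toy model of a listener's half-open (SYN received, no ACK yet) queue."""

    def __init__(self, max_half_open, per_source_limit, timeout):
        self.max_half_open = max_half_open
        self.per_source_limit = per_source_limit
        self.timeout = timeout
        self.pending = OrderedDict()   # (src, sport) -> arrival time, oldest first
        self.dropped = Counter()       # src -> SYNs refused

    def _expire(self, now):
        # Free slots held by handshakes that never completed.
        while self.pending:
            key, arrived = next(iter(self.pending.items()))
            if now - arrived < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, src, sport, now):
        self._expire(now)
        held = sum(1 for s, _ in self.pending if s == src)
        if held >= self.per_source_limit:
            reason = "drop:per-source"
        elif len(self.pending) >= self.max_half_open:
            reason = "drop:queue-full"
        else:
            self.pending[(src, sport)] = now
            return "queued"
        self.dropped[src] += 1
        return reason

    def on_ack(self, src, sport):
        # A completed handshake leaves the half-open queue.
        return "established" if self.pending.pop((src, sport), None) is not None else "ignored"

# Constructed sample traffic: (time_s, kind, source, source_port).
NOISY, CLIENT = "198.51.100.7", "192.0.2.10"
EVENTS = [(i / 10, "SYN", NOISY, 40000 + i) for i in range(6)] + [
    (0.6, "SYN", CLIENT, 51000), (0.7, "ACK", CLIENT, 51000), (6.0, "SYN", CLIENT, 51001)]

def replay(events, **limits):
    q = SynBacklog(**limits)
    out = [q.on_syn(s, p, t) if kind == "SYN" else q.on_ack(s, p) for t, kind, s, p in events]
    return out, q

if __name__ == "__main__":
    for limits in ({"max_half_open": 4, "per_source_limit": 100, "timeout": 5.0},
                   {"max_half_open": 8, "per_source_limit": 3, "timeout": 5.0}):
        print(limits, replay(EVENTS, **limits)[0])
```

With only a global queue limit, the well-behaved client is refused until stale entries time out; with the per-source cap it connects on the first try. Per-source counting is only meaningful when source addresses can be trusted, which is why the slide pairs it with antispoof filters.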

7
Distributed Denial of Service
  • Description
  • Rather than denying service on a single system,
    systems are used as jump off points
  • Exponential attacks (e.g. 1 → 2 → 4 → 16 → 256 → 65536 → 4
    Billion!)
  • Why it Works
  • Lots of systems have trusts with systems that are
    a lot less secure (think about .edu sites
    connected to .mil sites)
  • Defenses
  • Patching (to protect systems from exploits that
    allow DDoS software to be placed on them)
  • Up to date Antivirus / IPS signatures
  • Quickly filter the unwanted traffic (by IP, type
    of attack etc.)

8
Older Case Studies
  • Code Red Worm (2001)
  • ~2 Million Users
  • Big enough to hit the National News
  • Nimda Worm (2001)
  • Admin backwards
  • Multiple attack vectors / Millions of infections
  • SQL Slammer (2003)
  • Slowed entire internet in 10 minutes

9
Estonia Denial of Service
  • May 2007
  • Entire Country / Govt / Banking is electronic
  • Denial of Service
  • Handled well by Estonians
  • USA is used to that much traffic BUT
  • USA may not be prepared for larger impact
  • Electrical Grid / Transportation etc.