
DENIAL OF SERVICE

TYPES OF ATTACKS
Passive Attacks
  Traffic Analysis
  Release of Message Content
Active Attacks
  Masquerade
  Replay
  Modification of Message
  Denial of Service

WHAT IS DENIAL OF SERVICE ATTACK?
When a denial of service (DoS) attack occurs, a computer or a network user is unable to access resources like e-mail and the Internet. An attack can be directed at an operating system or at the network.
A DoS attack is an explicit attempt by attackers to prevent legitimate users of a service from using that service.

WHAT IS DISTRIBUTED DENIAL OF SERVICE?
A distributed denial of service (DDoS) attack is
accomplished by using the Internet to break
into computers and using them to attack a
network. Hundreds or thousands of computer
systems across the Internet can be turned into
zombies and used to attack another system
or website.

DISTRIBUTED DENIAL OF SERVICE
[Diagram labels: bad guy; master agent; slave agents (zombies, bots); owned host; third parties; victim(s)]

MASSIVE ATTACK ON PUBLIC SITES

STATUS
DoS attacks are increasing in frequency and severity
32% of respondents detected DoS attacks (1999 CSI/FBI survey)
On August 6, 2009, several social networking sites, including Twitter, Facebook, Livejournal, and Google blogging pages, were hit by DDoS attacks
The Internet's root DNS servers were attacked:
  Oct. 22, 2002: 9 out of 13 disabled for about an hour
  Feb. 6, 2007: one of the servers crashed, two reportedly "suffered badly", while others saw "heavy traffic"
  An apparent attempt to disable the Internet itself

TYPES OF ATTACKS

Bandwidth Consumption: All available bandwidth is used by the attacker, e.g., ICMP ECHO attack.
Resource Consumption: Resources like a web server, print server or mail server are flooded with useless requests, e.g., mail bomb.
Network Connectivity: The attacker forces the server to stop communicating on the network, e.g., SYN Flooding.

SMURF ATTACK / BANDWIDTH CONSUMPTION

In this attack, spoofed IP packets carrying an ICMP Echo Request, with a source address equal to that of the attacked system and a broadcast destination address, are sent to the intermediate network.
Sending an ICMP Echo Request to a broadcast address triggers all hosts on that network to respond with an ICMP response packet, creating a large mass of packets that are routed to the victim, whose address was spoofed.

SMURF ATTACK (CONTD.)

SYN FLOODING EXPLAINED

Attacker sends many connection requests with spoofed source addresses
Victim allocates resources for each request
  New thread, connection state maintained until timeout
  Fixed bound on half-open connections
Once resources are exhausted, requests from legitimate clients are denied
This is a classic denial of service attack
Common pattern: it costs the TCP initiator nothing to send a connection request, but the TCP responder must spawn a thread for each request. Asymmetry!
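
The exhaustion described above, modelled as an added example (not part of the original slides): a simplified listener with a fixed bound on half-open connections and a timeout, run over a constructed event sequence. The `Listener` class, `run_scenario`, the backlog of 128, the 30-second timeout and the documentation-range addresses are assumptions made for illustration.

```python
from collections import OrderedDict

class Listener:
    """Toy model of a TCP listener's table of half-open connections."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog          # fixed bound on half-open connections
        self.timeout = timeout          # seconds state is kept awaiting the ACK
        self.half_open = OrderedDict()  # (ip, port) -> time the SYN arrived
        self.established = 0
        self.dropped = 0                # SYNs refused because the table was full

    def _expire(self, now):
        # Entries are in arrival order, so the oldest is always first.
        while self.half_open:
            src, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            del self.half_open[src]

    def on_syn(self, now, src):
        self._expire(now)
        if src in self.half_open:
            return True                 # retransmitted SYN, state already held
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now       # state stored before the peer proves anything
        return True

    def on_ack(self, now, src):
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established += 1
        return True

def run_scenario(backlog=128, timeout=30.0):
    srv = Listener(backlog, timeout)
    client = ("192.0.2.10", 40000)      # constructed legitimate client
    before = srv.on_syn(0.0, client) and srv.on_ack(0.1, client)
    # Constructed flood: 200 SYNs from spoofed sources that never send the ACK.
    for i in range(200):
        srv.on_syn(1.0 + i * 0.01, ("198.51.100.%d" % (i % 250), 1024 + i))
    during = srv.on_syn(3.5, client)    # table full: legitimate SYN refused
    occupancy = len(srv.half_open) / srv.backlog
    after = srv.on_syn(3.0 + timeout + 1.0, client)  # stale entries timed out
    return before, during, occupancy, after, srv.dropped

if __name__ == "__main__":
    print(run_scenario())
```

Half-open occupancy and the count of refused SYNs are the two values a defender would watch: occupancy pinned at the bound while completions stay flat is the signature of the asymmetry described above.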

SYN FLOODING ATTACK / NETWORK CONNECTIVITY

TCP HANDSHAKE
C -> S: SYN_C           (S: Listening, then Store data)
S -> C: SYN_S, ACK_C    (S: Wait)
C -> S: ACK_S           (S: Connected)

SYN FLOODING
C -> S: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5    (S: Listening, then Store data)

DIRECT DOS ATTACK

REFLECTOR DOS ATTACK

ATTACK NETWORK
APPROPRIATE SOFTWARE
DETECTING VULNERABILITY IN THE VICTIM SYSTEM
STRATEGY FOR LOCATING VICTIM MACHINES
  RANDOM
  HIT-LIST
  TOPOLOGICAL
  LOCAL SUBNET

ATTACK TOOLS OVER TIME
[Chart. Axes: Intruder Knowledge and Attack Sophistication (Low to High) against year (1980, 1985, 1990, 1995, 2001); series: Tools, Attackers. Labels on the chart: binary encryption; stealth / advanced scanning techniques; denial of service; packet spoofing; sniffers; GUI; distributed attack tools; www attacks; automated probes/scans; back doors; network mgmt. diagnostics; disabling audits; hijacking sessions; burglaries; exploiting known vulnerabilities; password cracking; password guessing.]
Source: CERT/CC

DOS COUNTER MEASURES
1. Attack Prevention (Before the Attack) - Firewalls, Antiviruses, Defenders etc.
2. Attack Detection and Filtering (During the Attack) - Routers, Switches, Fibre optic cables
3. Attack Source Traceback and Identification (during and after the Attack) - disabling Slave and Zombie machines

THANK YOU
