(Distributed) Denial of Service
• Relatively new development.
  – Feb 2000 saw attacks on Yahoo, buy.com, ebay, Amazon, CNN.
• One form of DDoS attack simply saturates the network
  – prevents legitimate use of resources such as Web services.
• Another form exploits vulnerabilities to crash machines.
• Results in degradation of services on the network.
  – Locked up accounts.

________________ CS3235, Nov 2002

A Simple DOS attack
[Diagram labels: Attacker]

[Diagram labels: Zombie, Victim, Attacker]

[Diagram labels: Zombies galore, DDoS Attack, Victim]

DDoS
• Many more pathways utilized to attack the victim.
• Can involve hundreds or thousands of machines all over the Internet.
  – Break into weakly-secured computers using well known bugs.
  – Conceal the break-in and hide traces of subsequent activity.
  – Install software to “remote control” the machine.
• Launch a coordinated attack on the victim.

Flooding Attacks
• Smurf attack.
  – Send ICMP ECHO to broadcast address with source address of victim.
• TCP SYN attack.
  – Send SYN datagrams to victim with forged, non-existent source addresses.
• UDP flooding
  – Send UDP datagrams at high volume to ports on the victim machine.

Logic Attacks
• Ping of Death
  – Construct ICMP ECHO datagram as fragments such that the assembled datagram exceeds the 64K limit for IP datagrams.
• Land
  – Send a datagram with the same source and destination address.

Defeating DDoS
• Egress filtering.
  – Stop spoofed packets from leaving your network.
• Stop your network from being used as an amplification site.
  – Disable IP directed broadcast on all systems

Countering DOS
• Simple cookies
  – Would need to remember them.
  [Diagram: messages 1 to 3 between A and B: START PROTOCOL; C; C, REALLY START PROTOCOL]
• TCP SYN cookies (http://cr.yp.to/syncookies.html)
  – Particular choices of ISN.
  – Self verifying: e.g., MD5(secret, time, src ip, src pt, dest ip, dest pt)
  [Diagram labels: SYN, STATELESS COOKIE]

Countering DOS
• Require clients to do work in order to connect [Juel99].
  – E.g., what 27-bit number has a SHA checksum of x?

References
[Juel99] Juels, A. and Brainard, J., “Client Puzzles: A Cryptographic Countermeasure against Connection Depletion Attacks”, NDSS Conference, 1999.
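The self-verifying cookie from the "Countering DOS" slide, as an added example that is not part of the original slides: the server derives the cookie from a secret, a coarse time slot and the connection 4-tuple, then recomputes it on the client's reply instead of remembering it. HMAC-SHA256 truncated to 32 bits stands in for the slide's MD5; the 64-second slot, the function names and the sample addresses are assumptions, and this is not the actual ISN bit layout used by TCP SYN cookies.

```python
import hashlib
import hmac
import ipaddress
import struct

SLOT_SECONDS = 64   # assumed granularity of the "time" input
MAX_AGE_SLOTS = 1   # accept the current slot and the one before it


def _mac(secret, slot, src_ip, src_port, dst_ip, dst_port):
    # Fixed-width encoding so the fields cannot run into each other.
    msg = struct.pack("!q", slot)
    msg += ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
    msg += ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
    # HMAC-SHA256 replaces the slide's MD5(secret, ...); keep 32 bits (ISN size).
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


def make_cookie(secret, now, src_ip, src_port, dst_ip, dst_port):
    """Cookie sent in the reply; the server stores nothing per connection."""
    slot = int(now) // SLOT_SECONDS
    return int.from_bytes(_mac(secret, slot, src_ip, src_port, dst_ip, dst_port), "big")


def check_cookie(secret, now, cookie, src_ip, src_port, dst_ip, dst_port):
    """Recompute the cookie for recent slots; each comparison is constant time."""
    if not 0 <= cookie < 2 ** 32:
        return False
    got = cookie.to_bytes(4, "big")
    slot = int(now) // SLOT_SECONDS
    return any(
        hmac.compare_digest(got, _mac(secret, slot - age, src_ip, src_port, dst_ip, dst_port))
        for age in range(MAX_AGE_SLOTS + 1)
    )


if __name__ == "__main__":
    secret = b"constructed-demo-secret"        # constructed sample values
    flow = ("192.0.2.10", 40000, "198.51.100.5", 80)
    c = make_cookie(secret, 1000, *flow)
    print("fresh:", check_cookie(secret, 1000, c, *flow))
    print("expired:", check_cookie(secret, 1300, c, *flow))
    print("other source:", check_cookie(secret, 1000, c, "192.0.2.99", 40000, "198.51.100.5", 80))
```

A reply that echoes the cookie from a spoofed or different source address fails the check, because the address is part of the MAC input and the spoofing sender never sees the server's reply.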