Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Deep packet inspection wikipedia , lookup
Computer security wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
TCP congestion control wikipedia , lookup
Wireless security wikipedia , lookup
Distributed firewall wikipedia , lookup
Cross-site scripting wikipedia , lookup
Internet protocol suite wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Distributed Denial-of-Services (DDoS) Ho Jeong AN CSE 525 – Adv. Networking Reading Group #8 Reading Group # 8 – DDoS Papers F. Kargl, J. Maier, M. Weber “Protecting Web Servers from Distributed Denial of Service Attacks”, WWW 2001 V. Paxson, “An Analysis of Using Reflectors for Distributed Denail-of-Service Attacks”, CCR vol. 31, no. 3, July 2001 Catherine Meadows, “A cost-based framework for analysis of denial of service in network”, Journal of Computer Security, 9(1—2):143-164, 20012 Classification of IT Attacks Denial of Service (DoS) Main goal of the attack is the disruption of service Intrusion Intension is simply to get access to system and to circumvent certain barriers Information Theft Main goal of attack is access to restricted, sensitive information Modification Attacker tries to alter information. Definition of DoS WWW Security FAQ (http://www.w3.org/Security/FAQ) … an attack designed to render a computer or network incapable of providing normal services … J.D. Howard (http://www.cert.org) … Denial-of-service can be conceived to include both intentional and unintentional assaults on a system's availability. The most comprehensive perspective would be that regardless of the cause, if a service is supposed to be available and it is not, then service has been denied ... Definition of DDoS WWW Security FAQ (http://www.w3.org/ Security/FAQ) … A Distributed Denial of Service attack uses many computer to launch a coordinated DoS attack against one or more targets. … DoS attack Classification System Attacked Router Firewall Load-balancer Individual web server Supporting services (i.e. database servers) Part of the system attacked Hardware failure OS or TCP/IP stack of host/router Application level (i.e. web server, database servers) Bug or overload Bugs Overload DoS attack Classification Example Cisco 7xxx routers with IOS/700 Software version 4.1(1)/4.1(2) Jolt2 – targeting most Microsoft Windows Systems (98/NT4/2000) MIIS version 4.0/5.0 Smurf SYN Flood Apache MIME flooding/Apache Sioux Attack DDoS tools Trinoo Tribe Flood Network (TFN) Trinoo’s UDP flooding, TCP SYN and ICMP flood TFN2K Known to the first DDoS tools UDP flooding Encrypted communication between components TARGA attack stacheldraht ICMP, UDP and TCP SYN flooding Update to agents automatically DDoS Protection Environment Linux Kernel Immune to Teardrop, TARGA tcp_syn_cookie enabled against SYN flood attack Load Balancer Linux Virtual Server against overload attack DDoS Protection Environment ipchains Firewall Only port 80 is reachable directly Only ICMP host unreachable messages are accepted Class Based Queuing Function of the Linux kernel Setup different traffic queues Determines what packets to put in what queue Assign a bandwidth to each of the queue DDoS Protection Environment Traffic Monitor Monitor Thread 1: monitors in and out packet Thread 2: checks the hashtable Thread 3: server thread Manager Analyzes the supplied data Sorts the IPs in one of several classes, class 1 through class 4 Test 1: http-attack using http_load and static html database Conclusion DDoS attacks are substantial threat to today’s Internet infrastructure Solution to the problem of handling massive http overload requests is based on class based routing and active traffic monitoring DDoS attack by using reflector Reflector Any IP host that will return a packet if it receives request All web server, DNS server, router ICMP Victim eventually receive “huge” number of message and clogging every single path to victim from the rest of the Internet Defense against Reflector Ingress filtering Traffic generated by reflector Our pick Reflector enable filtering Require widespread Deploy trace back mechanism Enormous deployment of filtering deployment difficulties IDS Widespread deployment of security technology Filtering out reflector replies IP version, header length TOS/DSCP length ID fragments TTL, protocol, checksum source destination Filtering out reflector replies ICMP Request/response Generated ICMP messages TCP source port SYN ACK RST guessable sequence number T/TCP Filtering out reflector replies UDP DNS DNS reply DNS recursive query SNMP HTTP proxy server Gnutella (TCP application) Other UPD application Implications of reflector attacks for traceback A major advantage to attackers in using ref lectors in DDOS attack is difficult tracebac k Low volume flows – SPIE HTTP proxies Logging Reverse ITRACE Conclusion DDoS attack by using reflector have a seve ral significant threat Most major threats are TCP guessable sequence number DNS query to name server Gnutella Defender vs. Attacker Defense against attack Increase the resources of the defender Introduce authentication Goal of attacker Waste resource of defender Keep the defender from learning attacker’s identity Formal method are good way to addressing probl ems. Station to Station protocol Station to station protocol is a protocol that was makes use of the Diffie-Hellman protocol togeth er with digital signatures in order to exchange an d authenticate keys between two principals. XA A B : B A : XB , EK ( S B ( A B : EK ( S A ( XA , XB , XB )) XA )) Station to Station protocol A B : preeexp1, storename1 || X || A storeonce1 ,storename 2 ,accept1 B A : preexp1 , sign1 , exp1 , encrypt1|| X , EK ( S B ( X , X )) || B B A checkname1 , retrivevenonce1 , exp 2 , decrypt1 , checksig1 , accept 2 A B : sign 2 , encrypt 2 || EK ( S A ( X A , X B )) || checkname 2 , retrivevenonce 2 , decrypt 2 , checksig 2 , accept 3 Station to Station protocol Compute the attack cost functions and the protocol engagement cost functions for eac h accept events Compute the attack cost functions and the message processing cost functions for each verification event Station to Station protocol It is vulnerable to DOS attack in several pl aces First message Intruder could mount Lowe’s attack Solution Cookie exchange Lowe’s attack – including the identity of inten ded receiver Conclusion This framework shows how existing tools a nd methods could be modified against DoS attack.