Ping of Death Attacks

Network Security (CP33925): DoS and DDoS
Pusan National University, College of Engineering, School of Computer Science and Engineering

What we'll learn today
- DoS attacks
- DDoS attacks
- DoS and DDoS countermeasures

Understanding DoS attacks
- DoS (Denial of Service): an attack that sends a target more traffic or requests than it is able to accept, so that the target can no longer operate normally for its users or its network.
- DoS attacks by effect:
  - Destruction: destroying disks, data or the system itself
  - System resource exhaustion: heavy load from excessive use of CPU, memory or disk
  - Network resource exhaustion: filling the available bandwidth with garbage traffic

Ping of Death Attack (1/6)
- Uses ping to send ICMP echo requests far larger than normal.
- The oversized packet is fragmented as it is routed through the network and arrives at the target network as many small fragments.
- The target has to receive and reassemble every fragment, which costs far more work than a normal ping. On the vulnerable stacks this attack was named for, a datagram that reassembled to more than the 65,535-byte IPv4 maximum overran the reassembly buffer and crashed the host.

Why are packets fragmented in transit?
- A packet is forwarded across links that do not share the same characteristics. When the next link has a smaller maximum packet size, the data is split into fragments small enough to fit.
- Once split, fragments never grow back together in transit. To merge them, a router would have to buffer the fragments and wait for the rest of the datagram to arrive, a load that is fatal to router performance. Reassembly happens only at the destination host.

Ping of Death Attack (2/6)
Packet fragmentation (figure): one frame [Header | Data | FCS] becomes three frames [Header | Data 1/3 | FCS], [Header | Data 2/3 | FCS], [Header | Data 3/3 | FCS], each fragment carrying its own header and frame check sequence.
- Set the ICMP payload to its maximum length, 65,500 bytes (the IPv4 datagram limit is 65,535 bytes including headers).
- When such a ping is sent across a network whose maximum packet size is smaller, the packet is split into fragments.
- If a link can carry at most 100 bytes per packet, the slide's arithmetic gives 65,500 / 100 = 655 fragments. The real count is higher: each fragment repeats the 20-byte IP header and all but the last must carry a multiple of 8 data bytes, so a 100-byte link carries only 80 data bytes per fragment.

Ping of Death Attack (3/6)
Practice environment
- Attacker system: Ubuntu Desktop 14
- Attack target system: Windows Server 2012
- Tools needed: hping3, Wireshark
Procedure
- Install hping3: sudo apt-get install hping3
- Perform the Ping of Death attack

Ping of Death Attack (4/6)
Procedure
- Analyze the attack: capture the packets sent from Ubuntu Desktop 14 (attacker) to Windows Server 2012 (target) with Wireshark.

Ping of Death Attack (5/6)
Procedure
- Analyze the attack: in Wireshark on Windows Server 2012, open the details of frame number 724.

Ping of Death Attack (6/6)
Security countermeasures
- Rate-limit ICMP: ignore ICMP echo requests that arrive more than a set number of times in a row.
- The most common countermeasure is to apply patches. Modern TCP/IP stacks validate the reassembled length and discard datagrams that would exceed 65,535 bytes.

SYN Flooding (1/7)
- A server can hold only a limited number of pending connections. SYN flooding fills that space by impersonating clients that do not exist, so that other users can no longer be served.
Understanding the attack
1. The attacker sends a large number of SYN packets to the server (usually with spoofed source addresses).
2. The server answers each SYN with a SYN/ACK addressed to the (non-existent) client.
3. The server never receives the ACK for the SYN/ACK it sent.
4. Each half-open connection waits in the SYN_RECEIVED state until it times out. Once the pending-connection table is full, the attack has succeeded.

Maximum number of pending clients per server (as given on the slide)
  Server               Max. no. of clients
  IIS Server 5.0       100,000
  Apache Server        150
  FTP, Telnet Server   100

SYN Flooding (2/7)
Practice environment
- Attacker system: Ubuntu Desktop 14
- Attack target system: Windows Server 2012
- Tools needed: hping3
Procedure
- Start a web service: install IIS on the victim machine.

SYN Flooding (3/7)
Procedure
- Perform the SYN flooding attack with hping3, which sends many packets in a very short time:
  hping3 --rand-source 192.168.0.100 -p 80 -S
  --rand-source: use a different random (spoofed) source address for every packet
  -p 80: send to destination port 80
  -S: set only the SYN flag in the TCP header

SYN Flooding (4/7)
Procedure
- Identify the attack packets: capture the packets hping3 sends to the victim with Wireshark.

SYN Flooding (5/7)
Procedure
- Identify the attack on the victim with netstat, which lists the current sessions and their states:
  netstat -an

SYN Flooding (6/7)
Procedure
- If many entries from different IP addresses are in the SYN_RECEIVED state (SYN_RECV on Linux), the backlog is full and normal connections to the web server are no longer possible.

SYN Flooding (7/7)
SYN flooding countermeasures
- Install system patches.
- Install an intrusion detection system (IDS) or intrusion prevention system (IPS). When it recognizes an attack that sends the same type of packet many times in a short period, it blocks the corresponding IP address range, or the connection is blocked at the firewall or router.
- SYN cookies: instead of keeping state for every SYN, the server uses a cryptographic function to generate the sequence number of its SYN+ACK so that it carries simple authentication information.
  1. On receiving a SYN from a client, the server places the SYN cookie in the sequence number of the SYN+ACK and closes (does not store) the session.
  2. When the client returns an ACK whose acknowledgement number contains the SYN cookie, the server verifies it, reopens the session and communication starts.

Wait time per server after receiving a SYN
  Server           Waiting time
  Windows NT/2K    255 sec
  Unix/Linux       60 sec
  Apache           300 sec (Timeout in /etc/httpd.conf)

Boink, Bonk, Teardrop (1/4)
- Boink, Bonk and Teardrop manipulate the fragment offsets of IP fragments (the slide calls them sequence numbers) so that the victim's packet reassembly and retransmission handling is overloaded.
Understanding Boink, Bonk and Teardrop
- Bonk: the first fragment is sent at offset 1, and the second and third fragments are also sent at offset 1, so every fragment lands on the same place.
- Boink: the first fragment is sent at offset 1, the second at 101, the third at 201, and so on, with a fragment whose offset breaks the pattern inserted in the middle.
- Teardrop: the offsets are shuffled so that fragments overlap and leave empty space, and they change constantly. The victim's reassembly code cannot fit the mismatched fragments together, and the CPU is overloaded.

Boink, Bonk, Teardrop (2/4)
Teardrop attack: fragment ranges of the normal and the attack packets
  Packet no.   Normal packet   Attack packet
  1            1-101           1-101
  2            101-201         81-181   (overlaps packet 1)
  3            201-301         221-321  (leaves a gap)
  4            301-401         2511-3511 (far beyond the rest)

Boink, Bonk, Teardrop (3/4)
Practice environment
- Attacker system: Ubuntu Desktop 14
- Attack target system: Windows Server 2012
- Tools needed: hping3
Procedure
- Perform the Teardrop attack:
  hping3 -a 200.200.200.200 192.168.0.1 --id 3200 --seqnum -p 21 -d 320 --flood
  -a 200.200.200.200: spoof the source address
  --id 3200: set the IP header identification field; fragments carrying the same ID are treated as pieces of the same datagram
  --seqnum: in hping3 this option only changes the output to show TCP sequence numbers; the sequence number of each generated packet is random by default
  -p 21: send to destination port 21 (FTP)
  -d 320: set the data length to 320 bytes
  --flood: send as fast as possible without waiting for replies
  Note that this command does not itself produce overlapping fragments; building a real Teardrop requires hping3's fragmentation options (-f/--frag, -g/--fragoff and -x/--morefrag).

Boink, Bonk, Teardrop (4/4)
Procedure
- Analyze the packets of the attack: Wireshark confirms that the TCP sequence numbers are generated arbitrarily and transmitted.

Land Attack (1/2)
Land attack
- Puts the system into a bad state by sending packets whose source IP address and destination IP address are the same.
  - The forged source address must be the IP address of the victim.
- The victim answers its own packets, which uses up its concurrent-connection slots and raises the CPU load.
Land security measures
- At the router or firewall, drop inbound packets whose source IP address belongs to the internal network (and any packet whose source address equals its destination address).
Practice environment
- Attacker system: Ubuntu Desktop 14
- Attack target system: Windows Server 2012
- Tools needed: hping3

Land Attack (2/2)
Procedure
- Run the Land attack.
- Analyze the packets: capture the packets sent by hping3 with Wireshark.

Smurf & Fraggle Attack (1/3)
Smurf attack
- Smurf uses ICMP echo request packets; Fraggle is the same technique with UDP instead of ICMP.
- Routers do not forward broadcasts by default. To broadcast into another network, the packet is addressed to that network's directed broadcast address, which the router forwards and the last router delivers as a broadcast on the LAN.
- A packet sent to 255.255.255.255 is stopped by the router from leaving for external networks, so it only acts on the internal LAN.
- Every host on the network that receives the ICMP echo request sends its ICMP echo reply to the forged source address of the request.
- The victim (the forged source) receives a huge number of ICMP replies; as with Ping of Death, the flood of packets overloads the system.
Smurf security countermeasures
- Disable directed broadcast on routers.

Smurf & Fraggle Attack (2/3)
Practice environment
- Attacker system: Ubuntu Desktop 14
- Agent (amplifier) system: Ubuntu Desktop 16
- Attack target system: Windows Server 2012
- Tools needed: hping3
Procedure
- Run the Smurf attack.

Smurf & Fraggle Attack (3/3)
Procedure
- Analyze the packets of the Smurf attack: check the results captured with tcpdump and Wireshark.

7-layer DoS Attack (1/3)
7-layer DoS attack
- Recent DoS attacks target web applications and other application-layer services.
- Differences between layer 3/4 DoS attacks and layer 7 DoS attacks:
                   Layer 3/4 DoS attack                              Layer 7 DoS attack
  Main attack      Bandwidth exhaustion                              Server resource exhaustion; session exhaustion
  Main protocols   TCP, UDP, ICMP                                    HTTP, SMTP, FTP, VoIP, etc.
  Characteristics  Generates a large volume of flooding traffic;     Uses normal-looking traffic;
                   a high proportion of spoofed source IPs and       a small amount of traffic;
                   abnormal traffic; can be defended with            exploits a vulnerability of a specific
                   security appliances                               application
Key features of layer-7 attacks
- Based on normal TCP/UDP connections: the attacker requests access from a real IP address instead of a spoofed one, so the attack traffic is hard to distinguish from normal users' traffic and therefore hard to detect.
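The netstat check in SYN Flooding (5/7)-(6/7) can be automated. The following is an added example, not code from the lecture: it parses `netstat -an` output in both the Windows (SYN_RECEIVED) and Linux (SYN_RECV) layouts and reports local ports with too many half-open connections. The sample output is constructed, and the threshold of 5 is an assumption; a real baseline comes from the server's normal backlog usage.

```python
"""Spot a SYN flood in `netstat -an` output (added example, stdlib only)."""
import re
from collections import Counter
from typing import Dict

# Half-open states: Windows prints SYN_RECEIVED, Linux prints SYN_RECV.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}

# Matches both the Windows ("  TCP  local  remote  STATE") and the Linux
# ("tcp  0  0  local  remote  STATE") line layouts; UDP and header lines are skipped.
LINE_RE = re.compile(
    r"^\s*(?:TCP|tcp6?)\b.*?(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s*$")

# Constructed sample in the Windows layout: five spoofed sources, each seen once,
# which is exactly the pattern `hping3 --rand-source` produces.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.100:80       203.0.113.7:40213      SYN_RECEIVED
  TCP    192.168.0.100:80       198.51.100.23:1026     SYN_RECEIVED
  TCP    192.168.0.100:80       203.0.113.77:2187      SYN_RECEIVED
  TCP    192.168.0.100:80       192.0.2.250:51000      SYN_RECEIVED
  TCP    192.168.0.100:80       198.51.100.9:33000     SYN_RECEIVED
  TCP    192.168.0.100:80       192.168.0.20:49320     ESTABLISHED
  TCP    192.168.0.100:3389     192.168.0.20:49331     ESTABLISHED
"""


def half_open_by_port(netstat_output: str) -> Dict[str, Counter]:
    """Per local port, a Counter of remote addresses sitting in a half-open state."""
    result: Dict[str, Counter] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local, lport, remote, _rport, state = m.groups()
        if state in HALF_OPEN:
            result.setdefault(lport, Counter())[remote] += 1
    return result


def syn_flood_suspects(netstat_output: str, threshold: int = 5) -> Dict[str, int]:
    """Local ports whose half-open count reaches `threshold` (assumed value),
    mapped to the number of distinct remote addresses. Many distinct sources
    that never complete the handshake is the signature of spoofed SYNs."""
    suspects: Dict[str, int] = {}
    for lport, remotes in half_open_by_port(netstat_output).items():
        if sum(remotes.values()) >= threshold:
            suspects[lport] = len(remotes)
    return suspects


if __name__ == "__main__":
    for port, remotes in half_open_by_port(SAMPLE_NETSTAT).items():
        print(f"port {port}: {sum(remotes.values())} half-open from {len(remotes)} sources")
    print("suspect ports:", syn_flood_suspects(SAMPLE_NETSTAT))
```

On a live host, pipe the real output in (`netstat -an | python3 synwatch.py` with `sys.stdin.read()` in place of the sample) and compare against the same command taken when the server was idle.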
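The SYN cookie steps in SYN Flooding (7/7) become concrete in the following added example (not the lecture's code, and not Linux's exact layout): the SYN+ACK sequence number carries a 5-bit time-slot counter and a 27-bit HMAC over the connection 4-tuple, so the server stores nothing until a valid ACK arrives. The secret, the 64-second slot length and the bit split are this example's own assumptions.

```python
"""A minimal SYN cookie: stateless SYN+ACK sequence numbers (added example)."""
import hashlib
import hmac
import struct
import time
from typing import NamedTuple

SERVER_SECRET = b"rotate-me-at-boot"    # assumed; a real server draws random bytes at boot
SLOT_SECONDS = 64                       # cookie lifetime granularity (assumption)
COUNTER_BITS = 5                        # top 5 bits of the ISN carry the slot counter
HASH_BITS = 32 - COUNTER_BITS           # remaining 27 bits carry the truncated MAC
HASH_MASK = (1 << HASH_BITS) - 1


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) % (1 << COUNTER_BITS)


def _mac(flow: Flow, counter: int) -> int:
    """Truncated HMAC-SHA256 binding the 4-tuple to the slot counter."""
    msg = (struct.pack("!HHB", flow.sport, flow.dport, counter)
           + flow.src.encode() + b"|" + flow.dst.encode())
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(flow: Flow, now: float) -> int:
    """Step 1: the ISN for the SYN+ACK. No per-connection state is kept, so a
    flood of spoofed SYNs costs one HMAC each and no backlog slot."""
    counter = _slot(now)
    return (counter << HASH_BITS) | _mac(flow, counter)


def check_syn_cookie(flow: Flow, ack_number: int, now: float) -> bool:
    """Step 2: validate the handshake-completing ACK. The client acknowledges
    ISN+1, so subtract one, then accept only the current or previous slot and
    compare the MAC in constant time."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> HASH_BITS
    current = _slot(now)
    if counter not in (current, (current - 1) % (1 << COUNTER_BITS)):
        return False                     # stale: a replayed or very late ACK
    expected = _mac(flow, counter).to_bytes(4, "big")
    return hmac.compare_digest(expected, (cookie & HASH_MASK).to_bytes(4, "big"))


if __name__ == "__main__":
    flow = Flow("203.0.113.7", 40213, "192.168.0.100", 80)
    t0 = time.time()
    isn = make_syn_cookie(flow, t0)
    print(f"SYN from {flow.src}:{flow.sport} -> SYN+ACK seq={isn:#010x} (nothing stored)")
    print("genuine ACK accepted:", check_syn_cookie(flow, (isn + 1) & 0xFFFFFFFF, t0 + 2))
    forged = flow._replace(src="198.51.100.9")
    print("ACK from another host rejected:", not check_syn_cookie(forged, (isn + 1) & 0xFFFFFFFF, t0 + 2))
    print("ACK two slots late rejected:", not check_syn_cookie(flow, (isn + 1) & 0xFFFFFFFF, t0 + 2 * SLOT_SECONDS))
```

The cost of this design is visible in the code: options the client sent in its SYN (window scale, SACK) are not encoded here and would be lost, which is why real stacks only switch to cookies once the backlog is under pressure.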
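The fragmentation arithmetic in Ping of Death (2/6) and the offset tables in Boink, Bonk, Teardrop (2/4) share one mechanism, so the following added example (not the lecture's code) serves both: it computes the slide's 655-fragment estimate beside the real IPv4 fragment count, and runs the checks a defensive reassembler must make before touching a buffer, flagging overlaps (Bonk, Teardrop), gaps (Boink, Teardrop) and a reassembled length beyond 65,535 bytes (Ping of Death). The 20-byte header and the Ping of Death fragment pair are assumptions; the other fragment ranges are the slide's own values, with the garbled second attack range read as 81-181.

```python
"""IPv4 fragmentation arithmetic and reassembly sanity checks (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

IP_HEADER_LEN = 20            # minimal IPv4 header, no options (assumption)
MAX_DATAGRAM = 65535          # largest IPv4 datagram, headers included
MAX_DATA = MAX_DATAGRAM - IP_HEADER_LEN


def naive_fragment_count(payload_len: int, link_max: int) -> int:
    """The slide's arithmetic: 65,500 bytes over 100-byte packets -> 655."""
    return -(-payload_len // link_max)          # ceiling division


def fragment_count(payload_len: int, mtu: int) -> int:
    """Real IPv4 fragmentation: every fragment repeats the IP header and every
    fragment but the last carries a multiple of 8 data bytes, so a 100-byte MTU
    leaves only 80 data bytes per fragment."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8
    if per_frag <= 0:
        raise ValueError(f"MTU {mtu} cannot carry any IPv4 payload")
    return -(-payload_len // per_frag)


@dataclass(frozen=True)
class Fragment:
    offset: int     # first data byte of this fragment within the datagram
    length: int     # data bytes carried

    @property
    def end(self) -> int:
        return self.offset + self.length


def fragments_from_ranges(ranges: Iterable[Tuple[int, int]]) -> List[Fragment]:
    """Build fragments from the slide's 'start-end' notation (end exclusive)."""
    return [Fragment(start, end - start) for start, end in ranges]


def check_reassembly(frags: List[Fragment]) -> List[str]:
    """Anomalies to reject before reassembling:
    'overlap'   - a fragment rewrites bytes another fragment already covers
    'gap'       - bytes are missing, so the datagram can never complete
    'oversized' - data would extend past the 65,535-byte IPv4 limit
    Returns a sorted list; an empty list means the fragments tile the datagram."""
    if not frags:
        return ["empty"]
    problems = set()
    ordered = sorted(frags, key=lambda f: (f.offset, f.end))
    covered_to = ordered[0].end
    for cur in ordered[1:]:
        if cur.offset < covered_to:
            problems.add("overlap")
        elif cur.offset > covered_to:
            problems.add("gap")
        covered_to = max(covered_to, cur.end)
    if covered_to > MAX_DATA:
        problems.add("oversized")
    return sorted(problems)


# Fragment ranges from the Teardrop table on the slide.
NORMAL_FRAGMENTS = fragments_from_ranges([(1, 101), (101, 201), (201, 301), (301, 401)])
TEARDROP_FRAGMENTS = fragments_from_ranges([(1, 101), (81, 181), (221, 321), (2511, 3511)])
# Bonk as described on the slide: three fragments, all at offset 1.
BONK_FRAGMENTS = fragments_from_ranges([(1, 101), (1, 101), (1, 101)])
# Constructed Ping of Death: the last fragment pushes the data past 65,515 bytes.
PING_OF_DEATH_FRAGMENTS = [Fragment(0, 65480), Fragment(65480, 60)]


if __name__ == "__main__":
    print("slide estimate, 65,500 B over 100-B packets:", naive_fragment_count(65500, 100))
    print("real count, 65,500 B payload, MTU 100:      ", fragment_count(65500, 100))
    print("ping -s 65500 (65,508 B IP payload), MTU 1500:", fragment_count(65508, 1500))
    for name, frags in [("normal", NORMAL_FRAGMENTS), ("teardrop", TEARDROP_FRAGMENTS),
                        ("bonk", BONK_FRAGMENTS), ("ping of death", PING_OF_DEATH_FRAGMENTS)]:
        print(f"{name:>14}: {check_reassembly(frags) or 'ok'}")
```

The oversized check is the one whose absence made the original Ping of Death work: a fragment whose offset plus length exceeded the maximum datagram size was copied into a fixed 65,535-byte reassembly buffer.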
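The router and firewall countermeasures for the Land attack and for Smurf and Fraggle reduce to a few address checks at the border. The following added example (not the lecture's code) applies them to a constructed set of packets: it drops packets whose source equals their destination, limited and directed broadcasts arriving from outside, inbound packets claiming an internal source, and outbound packets with a foreign source (egress filtering, which stops the LAN from being used to spoof a Smurf against someone else). The packet model, the "in"/"out" directions and the 192.168.0.0/24 internal prefix are assumptions.

```python
"""Border filter rules against Land, Smurf and Fraggle traffic (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]     # assumed site prefix
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp" or "udp"
    direction: str                    # "in": arriving from outside, "out": leaving
    icmp_type: Optional[int] = None   # 8 = echo request
    dport: Optional[int] = None


def _is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def _is_directed_broadcast(addr: ipaddress.IPv4Address) -> bool:
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def filter_verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet at the border router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Land: source equals destination. No legitimate packet looks like this.
    if src == dst:
        return "drop:land"
    # Limited broadcast never crosses a router in either direction.
    if dst == LIMITED_BROADCAST:
        return "drop:limited-broadcast"
    if pkt.direction == "in":
        # Anti-spoofing: nothing from outside may claim an internal address.
        # This is also what stops a Land packet forged with the victim's address.
        if _is_internal(src):
            return "drop:spoofed-internal-source"
        # Smurf/Fraggle: a request to our subnet broadcast address would be
        # answered by every host (the Cisco IOS equivalent is 'no ip directed-broadcast').
        # Protocol-independent on purpose: Fraggle uses UDP echo/chargen, not ICMP.
        if _is_directed_broadcast(dst):
            return "drop:directed-broadcast"
    elif pkt.direction == "out":
        # Egress filtering: our hosts may only send with our own addresses.
        if not _is_internal(src):
            return "drop:spoofed-egress-source"
    return "accept"


# Constructed sample traffic, one packet per rule plus a normal web request.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.168.0.100", "192.168.0.100", "tcp", "in", dport=80),     # Land
    Packet("203.0.113.9", "192.168.0.255", "icmp", "in", icmp_type=8),   # Smurf
    Packet("203.0.113.9", "192.168.0.255", "udp", "in", dport=7),        # Fraggle
    Packet("198.51.100.5", "255.255.255.255", "icmp", "in", icmp_type=8),
    Packet("192.168.0.20", "203.0.113.9", "icmp", "in", icmp_type=8),    # outside claims our address
    Packet("10.9.9.9", "203.0.113.9", "icmp", "out", icmp_type=8),       # our LAN spoofing outward
    Packet("203.0.113.9", "192.168.0.100", "tcp", "in", dport=80),       # normal request
]


def verdicts(pkts: List[Packet]) -> List[str]:
    return [filter_verdict(p) for p in pkts]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts(SAMPLE_PACKETS)):
        print(f"{pkt.direction:>3} {pkt.proto:<4} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

Note that the amplifier network, not the victim, has to apply the directed-broadcast rule; the victim of a Smurf can only rate-limit the echo replies it receives.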
