Lecture7 - Denial of Service PDF

The document discusses denial-of-service (DoS) attacks which aim to prevent authorized access to networks, systems or applications. It defines DoS attacks and describes categories of resources that can be attacked, including network bandwidth, system resources and application resources. The document also summarizes classic DoS attack methods like flooding ping commands and SYN spoofing attacks, as well as distributed denial-of-service (DDoS) attacks which use multiple compromised systems or "zombies" to launch large-scale attacks. Defenses against DoS attacks include preventing spoofed addresses, detecting and filtering attacks, tracing attack sources, and reacting after an attack.

Uploaded by

meme99mimo
Chapter 7

Denial-of-Service Attacks

Denial-of-Service (DoS) Attack

The NIST Computer Security Incident Handling Guide defines a DoS attack as:

“an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.”

Denial-of-Service (DoS)

• a form of attack on the availability of some service
• categories of resources that could be attacked are:
  • network bandwidth: relates to the capacity of the network links connecting a server to the Internet; for most organizations this is their connection to their Internet Service Provider (ISP)
  • system resources: aims to overload or crash the network handling software
  • application resources: typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users

Classic Denial-of-Service Attacks

flooding ping command

• aim of this attack is to overwhelm the capacity of the network connection to the target organization
• traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases
• source of the attack is clearly identified unless a spoofed address is used
• network performance is noticeably affected

Source Address Spoofing

• use forged source addresses
  • usually via the raw socket interface on operating systems
  • makes attacking systems harder to identify
• attacker generates large volumes of packets that have the target system as the destination address
• congestion would result in the router connected to the final, lower capacity link
• requires network engineers to specifically query flow information from their routers
• backscatter traffic
  • advertise routes to unused IP addresses to monitor attack traffic
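The backscatter idea on this slide, worked through as an added example (this is not code from the lecture): a monitor advertises a route for an unused prefix, records what arrives there, and treats unsolicited SYN-ACK/RST replies as a victim answering SYNs whose forged sources happened to fall inside that prefix. The prefix, the packet records and the fan-out threshold are all constructed for the illustration.

```python
"""Backscatter monitor for an unused ("dark") address block.

Added illustration, not lecture code. Replies (SYN-ACK, RST) arriving at
addresses that never sent anything are backscatter: a host somewhere is
answering SYNs that carried spoofed sources inside our block. Fan-out across
many darknet addresses from one source is the signature of a spoofed flood;
the source of that backscatter is the flood's victim.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical unused prefix that the monitor advertises (constructed).
DARKNET = ip_network("198.51.100.0/24")

# Constructed packet records: (src_ip, dst_ip, proto, tcp_flags).
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.17", "tcp", "SA"),   # victim answering spoofed SYNs
    ("203.0.113.10", "198.51.100.42", "tcp", "SA"),
    ("203.0.113.10", "198.51.100.9", "tcp", "SA"),
    ("203.0.113.10", "198.51.100.201", "tcp", "SA"),
    ("203.0.113.10", "198.51.100.17", "tcp", "R"),    # RST to an address already hit
    ("203.0.113.10", "192.0.2.99", "tcp", "SA"),      # not in the darknet: ignored
    ("192.0.2.5", "198.51.100.3", "tcp", "S"),        # scanner probing the block: a request
    ("192.0.2.5", "198.51.100.4", "tcp", "S"),
    ("203.0.113.77", "198.51.100.8", "tcp", "RA"),    # one stray reply: below threshold
    ("203.0.113.77", "198.51.100.8", "udp", ""),      # not TCP: ignored
]

# Flag combinations that are only ever sent in reply, never as a request.
BACKSCATTER_FLAGS = {"SA", "RA", "R"}


def is_backscatter(pkt):
    """True if pkt is a TCP reply delivered to an address inside the darknet."""
    src, dst, proto, flags = pkt
    if proto != "tcp" or ip_address(dst) not in DARKNET:
        return False
    return flags in BACKSCATTER_FLAGS


def infer_victims(packets, min_distinct_dsts=3):
    """Map each suspected victim to the number of distinct darknet addresses
    its replies reached. A single reply may be a stray; replies fanning out
    over many addresses mean the victim is answering randomly spoofed SYNs."""
    fanout = defaultdict(set)
    for pkt in packets:
        if is_backscatter(pkt):
            fanout[pkt[0]].add(pkt[1])
    return {src: len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_distinct_dsts}


def estimate_attack_rate(packets, victim, observed_seconds):
    """Scale the backscatter seen in DARKNET up to the whole IPv4 space,
    assuming the attacker's spoofed sources were chosen uniformly at random
    (the classic estimate; a constructed assumption, not a measurement)."""
    seen = sum(1 for p in packets if p[0] == victim and is_backscatter(p))
    fraction = DARKNET.num_addresses / 2 ** 32
    return seen / fraction / observed_seconds


if __name__ == "__main__":
    for victim, hits in infer_victims(SAMPLE_PACKETS).items():
        rate = estimate_attack_rate(SAMPLE_PACKETS, victim, observed_seconds=1.0)
        print(f"{victim}: replies to {hits} darknet addresses, ~{rate:.0f} pkt/s flood")
```

The scaling step is only as good as its uniform-spoofing assumption; attackers who spoof from a narrow range will be under- or over-estimated, which is why the fan-out count, not the rate, is what the monitor alerts on.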
SYN Spoofing

• common DoS attack
• attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
• thus legitimate users are denied access to the server
• hence an attack on system resources, specifically the network handling code in the operating system
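To make the table-overflow mechanism concrete, here is an added simulation (not lecture code, not any operating system's implementation) of the server-side half-open connection table the slide refers to. Each SYN whose SYN-ACK is unanswered holds an entry until the handshake completes or the entry times out; spoofed sources never send the final ACK, so their entries sit for the full timeout. The capacity, timeout, rates and addresses are constructed.

```python
"""Simulated TCP half-open (SYN_RECEIVED) table under a SYN spoofing attack.

Added example, not from the lecture. It models only the server-side table:
a SYN occupies an entry until the final ACK arrives or the entry expires.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int
    timeout: float                                   # seconds an unanswered SYN-ACK is kept
    entries: dict = field(default_factory=dict)      # (src_ip, src_port) -> expiry time
    dropped: int = 0

    def expire(self, now):
        """Discard entries whose retention time has run out."""
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def on_syn(self, src, now):
        """SYN received: True if an entry was stored (SYN-ACK sent), False if dropped."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        """Final ACK of the handshake: True if it completed a pending entry."""
        self.expire(now)
        return self.entries.pop(src, None) is not None


def simulate(capacity=8, timeout=30.0, syn_rate=2.0, duration=60.0, legit_at=(5.0, 40.0)):
    """Spoofed SYNs arrive at syn_rate per second for `duration` seconds; a
    legitimate client (constructed address 192.0.2.5) sends SYN at each time in
    legit_at and its ACK 50 ms later. Returns how each class of SYN fared."""
    table = HalfOpenTable(capacity, timeout)
    events = []
    n = 0
    while n / syn_rate < duration:
        # constructed spoofed sources: the SYN-ACK goes to a forged address, no ACK follows
        events.append((n / syn_rate, "spoofed", ("10.0.0.%d" % (n % 250 + 1), 40000 + n)))
        n += 1
    for when in legit_at:
        events.append((when, "legit_syn", ("192.0.2.5", 51000)))
        events.append((when + 0.05, "legit_ack", ("192.0.2.5", 51000)))
    events.sort()                                    # replay in time order
    result = {"legit_established": 0, "spoofed_accepted": 0, "spoofed_dropped": 0}
    for when, kind, src in events:
        if kind == "spoofed":
            result["spoofed_accepted" if table.on_syn(src, when) else "spoofed_dropped"] += 1
        elif kind == "legit_syn":
            table.on_syn(src, when)
        elif table.on_ack(src, when):
            result["legit_established"] += 1
    return result


if __name__ == "__main__":
    print("flood at 2 SYN/s, 8 slots, 30 s timeout:", simulate())
    print("background at 0.1 SYN/s:", simulate(syn_rate=0.1))
```

With eight slots and a 30-second timeout the table is full after four seconds of a two-SYN-per-second flood, and the freed slots are immediately retaken, so both legitimate attempts fail; at a tenth of that rate the table never fills. The attack needs only capacity / timeout SYNs per second to keep the table saturated, which is why the defenses later in the deck either shorten the retention (dropping old entries on overflow) or remove the entry altogether (SYN cookies).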
TCP Connection Handshake

TCP SYN Spoofing Attack

Flooding Attacks

• classified based on network protocol used
• intent is to overload the network capacity on some link to a server
• virtually any type of network packet can be used

ICMP flood
• ping flood using ICMP echo request packets
• traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool

UDP flood
• uses UDP packets directed to some port number on the target system

TCP SYN flood
• sends TCP packets to the target system
• total volume of packets is the aim of the attack rather than the system code
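Since the slide classifies floods by protocol, the natural detection logic does the same. The following added example (not from the lecture) buckets packet records by destination and second, counts ICMP echo requests, UDP datagrams and TCP SYNs separately, and raises the matching flood alert when a class exceeds its per-second threshold. The records, thresholds and addresses are constructed; a real deployment derives the thresholds from the site's own baseline.

```python
"""Per-second, per-protocol flood detector over constructed packet records.

Added example, not lecture code. Packet records are
(timestamp_seconds, src_ip, dst_ip, proto, detail), where detail is the ICMP
type name, the UDP destination port, or the TCP flags.
"""
from collections import defaultdict

# Packets per second that trigger an alert (constructed values).
THRESHOLDS = {"icmp_echo": 50, "udp": 200, "tcp_syn": 100}


def make_sample():
    """Constructed traffic towards 203.0.113.5: a normal second, then an ICMP
    echo burst from many sources, then a SYN burst from even more sources."""
    pkts = []
    pkts += [(100.0 + i * 0.1, "192.0.2.%d" % (i + 1), "203.0.113.5", "udp", 53)
             for i in range(5)]                                  # a few DNS lookups
    pkts += [(100.2, "192.0.2.9", "203.0.113.5", "tcp", "S"),     # one real handshake
             (100.3, "192.0.2.9", "203.0.113.5", "tcp", "A")]
    pkts += [(101.0 + i * 0.01, "198.51.100.%d" % (i + 1), "203.0.113.5", "icmp", "echo-request")
             for i in range(60)]                                 # ping flood
    pkts += [(102.0 + i * 0.005, "10.0.%d.1" % i, "203.0.113.5", "tcp", "S")
             for i in range(150)]                                # SYN flood, no ACKs follow
    return pkts


def classify(pkt):
    """Map a packet to the flood class it could belong to, or None."""
    _, _, _, proto, detail = pkt
    if proto == "icmp" and detail == "echo-request":
        return "icmp_echo"
    if proto == "udp":
        return "udp"
    if proto == "tcp" and detail == "S":
        return "tcp_syn"
    return None


def detect_floods(packets, thresholds=THRESHOLDS):
    """Return one alert per (destination, second, class) above threshold.
    The distinct-source count is reported because a high rate spread over
    many sources points at spoofing or a botnet rather than one noisy host."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"pps": 0, "sources": set()}))
    for pkt in packets:
        cls = classify(pkt)
        if cls is None:
            continue
        ts, src, dst = pkt[0], pkt[1], pkt[2]
        entry = buckets[(dst, int(ts))][cls]
        entry["pps"] += 1
        entry["sources"].add(src)
    alerts = []
    for (dst, sec), per_cls in sorted(buckets.items()):
        for cls, entry in per_cls.items():
            if entry["pps"] >= thresholds[cls]:
                alerts.append({"dst": dst, "second": sec, "type": cls + "_flood",
                               "pps": entry["pps"], "distinct_sources": len(entry["sources"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample()):
        print(alert)
```

Counting SYNs alone cannot separate a bandwidth-oriented SYN flood (this slide) from a table-exhausting SYN spoofing attack (the previous one); for that, compare the SYN rate against the rate of completed handshakes, which is the check a stateful sensor adds on top of this one.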
Distributed Denial of Service (DDoS) Attacks

• use of multiple systems to generate attacks
• attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie)
• large collections of such systems under the control of one attacker can be created, forming a botnet

DDoS Attack Architecture

Session Initiation Protocol (SIP) Flood

• standard protocol for VoIP telephony
• text-based protocol with a syntax similar to that of HTTP
• two types of SIP messages: requests and responses

A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption. The attacker can flood a SIP proxy with numerous INVITE requests with spoofed IP addresses, or alternately a DDoS attack using a botnet to generate numerous INVITE requests. This attack puts a load on the SIP proxy.
Hypertext Transfer Protocol (HTTP) Based Attacks

HTTP flood
• attack that bombards Web servers with HTTP requests
• consumes considerable resources
• utilizes legitimate HTTP traffic
• spidering
  • bots starting from a given HTTP link and following all links on the provided Web site in a recursive way

Slowloris
• attempts to monopolize by sending HTTP requests that never complete
• eventually consumes Web server’s connection capacity
• existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

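Because Slowloris carries no signature to match, the defense lives in how the server manages its connection slots. The added example below (not lecture code and not any web server's real implementation) models the two controls: a slot whose request headers are not complete by a deadline is reclaimed, and one client address may hold only a limited number of slots. The scenarios contrast a single-source and a distributed version of the never-completing-request pattern; all addresses, timings and limits are constructed.

```python
"""Connection-slot manager with header deadlines and per-client caps.

Added example, not from the lecture. Slots are the server's finite pool of
concurrent connections; a connection that never finishes its headers would
hold one forever unless the server enforces a deadline.
"""


class ConnectionSlots:
    def __init__(self, max_slots, header_timeout=None, per_client=None):
        self.max_slots = max_slots
        self.header_timeout = header_timeout      # seconds allowed to finish headers; None = no limit
        self.per_client = per_client              # max slots per client address; None = no limit
        self.active = {}                          # conn_id -> [client_ip, deadline, headers_done]
        self.refused_full = 0
        self.refused_cap = 0

    def reap(self, now):
        """Free slots whose headers are still incomplete past their deadline."""
        stale = [c for c, (_, deadline, done) in self.active.items()
                 if not done and deadline is not None and deadline <= now]
        for c in stale:
            del self.active[c]
        return len(stale)

    def accept(self, conn_id, client_ip, now):
        """Admit a new connection if the client is under its cap and a slot is free."""
        self.reap(now)
        held = sum(1 for ip, _, _ in self.active.values() if ip == client_ip)
        if self.per_client is not None and held >= self.per_client:
            self.refused_cap += 1
            return False
        if len(self.active) >= self.max_slots:
            self.refused_full += 1
            return False
        deadline = None if self.header_timeout is None else now + self.header_timeout
        self.active[conn_id] = [client_ip, deadline, False]
        return True

    def headers_complete(self, conn_id):
        self.active[conn_id][2] = True             # request is real; deadline no longer applies

    def close(self, conn_id):
        self.active.pop(conn_id, None)


def run_scenario(attacker_ips, legit_times, max_slots=10, header_timeout=20.0, per_client=3):
    """Each attacker address opens max_slots connections, one per second from
    t=0, and never completes its headers. A legitimate client (constructed
    192.0.2.5) connects at each time in legit_times and completes at once.
    Returns, per legitimate attempt, whether it was admitted."""
    slots = ConnectionSlots(max_slots, header_timeout, per_client)
    events, cid = [], 0
    for ip in attacker_ips:
        for i in range(max_slots):
            events.append((float(i), "attack", ip, cid))
            cid += 1
    for t in legit_times:
        events.append((t, "legit", "192.0.2.5", cid))
        cid += 1
    events.sort()
    outcomes = []
    for t, kind, ip, c in events:
        admitted = slots.accept(c, ip, t)
        if kind == "legit":
            outcomes.append(admitted)
            if admitted:
                slots.headers_complete(c)
                slots.close(c)
    return outcomes


if __name__ == "__main__":
    print("single source, no controls:", run_scenario(["203.0.113.9"], [15.0, 35.0], header_timeout=None, per_client=None))
    print("single source, both controls:", run_scenario(["203.0.113.9"], [15.0, 35.0]))
    print("ten sources, both controls:", run_scenario(["203.0.113.%d" % i for i in range(10)], [15.0, 35.0]))
```

The last scenario is the caveat: with one connection per source the per-client cap never triggers and the pool fills instantly, so the legitimate client at 15 s is still refused; only the header deadline (20 s) clears the pool in time for the attempt at 35 s. Deadline-based reclamation is therefore the control that matters, and the per-client cap is a cheap complement for the single-source case.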
Reflection Attacks

• attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
• when intermediary responds, the response is sent to the target
• “reflects” the attack off the intermediary (reflector)
• goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary
• the basic defense against these attacks is blocking spoofed-source packets
Reflector Attack

Figure 7.6, based on [SCAR08], shows this type of attack. The upper part of the figure shows normal Domain Name System operation. The DNS client sends a query from its UDP port 1792 to the server’s DNS port 53 to obtain the IP address of a domain name. The DNS server sends a UDP response packet including the IP address.

The lower part of the figure shows a reflection attack using DNS. The attacker sends a query to the DNS server with a spoofed IP source address of j.k.l.m; this is the IP address of the target. The attacker uses port 7, which is usually associated with echo, a reflector service. The DNS server then sends a response to the victim of the attack, j.k.l.m, addressed to port 7. This can cause a loop between the DNS server and the victim if the DNS server responds to the packets sent by the victim. Most reflector attacks can be prevented through network-based and host-based firewall rulesets that reject suspicious combinations of source and destination ports.
DNS Reflection Attacks

Amplification Attacks

DNS Amplification Attacks

• use packets directed at a legitimate DNS server as the intermediary system
• attacker creates a series of DNS requests containing the spoofed source address of the target system
• exploit DNS behavior to convert a small request to a much larger response (amplification)
• target is flooded with responses
• basic defense against this attack is to prevent the use of spoofed source addresses
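From the target's side, a reflected DNS attack (the Reflection Attacks and Reflector Attack slides) and an amplified one (this slide) look the same: DNS answers arriving for queries the site never sent, often to a port such as 7 that should never receive DNS traffic, and each answer far larger than any query. The added example below (not lecture code) pairs inbound DNS responses seen at a site's edge with the outbound queries that explain them and reports what is left over, per targeted address. The flow records, window, assumed query size and the suspicious-port list are constructed.

```python
"""Victim-side detector for reflected and amplified DNS responses.

Added example, not from the lecture. Flow records as seen at our edge:
(t, direction, local_ip, local_port, remote_ip, remote_port, bytes), with
direction "out" for packets we sent and "in" for packets we received.
"""
from collections import defaultdict

# Local ports that have a service of their own and should never receive a DNS
# answer; a response landing here is the port combination the text calls out.
SERVICE_PORTS = {7: "echo", 19: "chargen"}

# Constructed assumption: a typical query is about 60 bytes; used only to
# express how much bigger the unsolicited answers are.
ASSUMED_QUERY_BYTES = 60

SAMPLE_FLOWS = [
    (100.0, "out", "192.0.2.10", 1792, "198.51.100.53", 53, 60),    # our query, port 1792 as in Figure 7.6
    (100.1, "in", "192.0.2.10", 1792, "198.51.100.53", 53, 120),    # its answer: matched
    (200.0, "in", "192.0.2.77", 7, "198.51.100.53", 53, 3000),      # answers we never asked for,
    (200.1, "in", "192.0.2.77", 7, "198.51.100.54", 53, 3000),      # to the echo port, from
    (200.2, "in", "192.0.2.77", 7, "198.51.100.53", 53, 3000),      # several reflectors
    (200.3, "in", "192.0.2.77", 7, "203.0.113.5", 53, 3000),
    (200.4, "in", "192.0.2.77", 7, "198.51.100.54", 53, 3000),
    (300.0, "in", "192.0.2.10", 1792, "203.0.113.9", 53, 120),      # a lone stray answer
]


def match_responses(flows, window=5.0):
    """Pair each inbound DNS response with an outbound query of the same
    (local_ip, local_port, remote_ip) sent within `window` seconds before it.
    Returns (matched_responses, unsolicited_responses)."""
    outstanding = defaultdict(list)
    matched, unsolicited = [], []
    for rec in sorted(flows):
        t, direction, lip, lport, rip, rport, _ = rec
        if rport != 53:
            continue
        key = (lip, lport, rip)
        if direction == "out":
            outstanding[key].append(t)
            continue
        recent = [q for q in outstanding[key] if t - window <= q <= t]
        if recent:
            outstanding[key].remove(recent[0])
            matched.append(rec)
        else:
            unsolicited.append(rec)
    return matched, unsolicited


def reflection_report(flows):
    """Summarise unsolicited DNS answers per local target address."""
    _, unsolicited = match_responses(flows)
    report = {}
    for _, _, lip, lport, rip, _, nbytes in unsolicited:
        r = report.setdefault(lip, {"responses": 0, "bytes": 0, "reflectors": set(),
                                    "service_port_hits": 0})
        r["responses"] += 1
        r["bytes"] += nbytes
        r["reflectors"].add(rip)
        if lport in SERVICE_PORTS:
            r["service_port_hits"] += 1
    for r in report.values():
        r["reflectors"] = len(r["reflectors"])
        r["est_amplification"] = r["bytes"] / (r["responses"] * ASSUMED_QUERY_BYTES)
    return report


if __name__ == "__main__":
    for ip, r in reflection_report(SAMPLE_FLOWS).items():
        print(ip, r)
```

The reflector count is the field worth alerting on: one unsolicited answer is ordinary Internet noise, while many reflectors converging on one address with answers tens of times the query size is the signature of both slides' attacks. The report also gives the incident responder exactly what the Responding to DoS Attacks slides ask for, the reflector addresses and the port pattern to filter upstream.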
DoS Attack Defenses

• these attacks cannot be prevented entirely
• high traffic volumes may be legitimate
  • high publicity about a specific site
  • activity on a very popular site
  • described as slashdotted, flash crowd, or flash event

four lines of defense against DDoS attacks:
• attack prevention and preemption (before attack)
• attack detection and filtering (during the attack)
• attack source traceback and identification (during and after the attack)
• attack reaction (after the attack)
DoS Attack Prevention

• block spoofed source addresses
  • on routers as close to source as possible
  • filters may be used to ensure path back to the claimed source address is the one being used by the current packet
  • filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network
• use modified TCP connection handling code
  • cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number
  • legitimate client responds with an ACK packet containing the incremented sequence number cookie
  • drop an entry for an incomplete connection from the TCP connections table when it overflows
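Both of this slide's controls are short enough to show in full. The added example below (not lecture code, not any router's or kernel's implementation) implements the reverse-path check the first bullet describes, accepting a packet only if the route back to its claimed source leaves through the interface it arrived on, and the SYN cookie of the second bullet, where the server's initial sequence number is a keyed hash over the connection plus a time counter and an MSS index, so no half-open entry is needed and a genuine final ACK is recognised because its ack number is that cookie plus one. The routing table, addresses, secret and counter are constructed; the bit layout is one classic arrangement, not the only one.

```python
"""Reverse-path filtering and SYN cookies, as added illustrations.

Added example, not from the lecture. Constructed routing table and secret.
"""
import hashlib
import hmac
import os
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    ip_network("0.0.0.0/0"): "upstream",         # default route: the ISP
    ip_network("192.0.2.0/24"): "customer-a",
    ip_network("198.51.100.0/24"): "customer-b",
}


def route_for(addr):
    """Longest-prefix match: the most specific route containing addr."""
    matches = [(net, iface) for net, iface in ROUTES.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def reverse_path_ok(src_ip, arrival_iface):
    """Strict reverse-path check: accept only if a reply to src_ip would be
    sent out through the interface the packet arrived on. A customer link
    carrying a source that routes elsewhere is forging that source."""
    return route_for(ip_address(src_ip)) == arrival_iface


# --- SYN cookies ----------------------------------------------------------
SECRET = os.urandom(32)                 # per-server secret chosen at start-up (constructed)
MSS_TABLE = (536, 1220, 1460)           # MSS values encodable in the 3-bit index field


def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash binding the cookie to the connection and the time period."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss_index, counter):
    """Server ISN for the SYN-ACK: 5 bits of time counter | 3-bit MSS index | 24-bit MAC.
    Nothing about this SYN is stored; the ISN itself carries the state."""
    assert 0 <= mss_index < len(MSS_TABLE)
    return (((counter & 0x1F) << 27) | (mss_index << 24)
            | _mac24(src_ip, src_port, dst_ip, dst_port, counter))


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, counter):
    """On a bare ACK (no matching half-open entry), recover the cookie as ack-1
    and accept it if it was minted in the current or the previous counter
    period. Returns the negotiated MSS, or None for a forged or stale ACK.
    A blind forgery succeeds with probability about 2**-24 per period."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    for cand in (counter, counter - 1):
        if (cand & 0x1F) == t and mss_index < len(MSS_TABLE) and \
                make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss_index, cand) == cookie:
            return MSS_TABLE[mss_index]
    return None


if __name__ == "__main__":
    print(reverse_path_ok("192.0.2.5", "customer-a"), reverse_path_ok("203.0.113.9", "customer-a"))
    isn = make_syn_cookie("192.0.2.5", 51000, "203.0.113.10", 443, 2, counter=7)
    print(check_syn_cookie("192.0.2.5", 51000, "203.0.113.10", 443, isn + 1, counter=7))
```

The cost of the cookie approach is visible in the layout: only a few TCP options survive (here just the MSS, squeezed into three bits), and the counter must advance slowly enough that a client's ACK arrives within two periods, which is why production kernels enable cookies only once the half-open table actually overflows, matching the slide's last bullet.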
DoS Attack Prevention

• block IP directed broadcasts
• block suspicious services and combinations
• manage application attacks with a form of graphical puzzle (captcha) to distinguish legitimate human requests
• good general system security practices
• use mirrored and replicated servers when high performance and reliability are required

Responding to DoS Attacks

Good Incident Response Plan
• details on how to contact technical personnel for ISP
  • needed to impose traffic filtering upstream
• details of how to respond to the attack

• antispoofing, directed broadcast, and rate limiting filters should have been implemented
• ideally have network monitors and IDS to detect and notify abnormal traffic patterns
Responding to DoS Attacks

• identify type of attack
  • capture and analyze packets
  • design filters to block attack traffic upstream
  • or identify and correct system/application bug
• have ISP trace packet flow back to source
  • may be difficult and time consuming
  • necessary if planning legal action
• implement contingency plan
  • switch to alternate backup servers
  • commission new servers at a new site with new addresses
• update incident response plan
  • analyze the attack and the response for future handling
Summary

• denial-of-service (DoS) attacks
  • network bandwidth
  • system resources
  • application resources
• overwhelm capacity of network
• forged source addresses (spoofing)
• SYN spoofing/TCP connection requests
• flooding attacks
  • ICMP flood
  • UDP flood
  • TCP SYN flood
• distributed denial-of-service attacks (DDoS)
• reflection attacks
• amplification attacks
• DNS amplification attacks
• application-based bandwidth attacks
  • SIP flood
  • HTTP-based attacks
• defenses against DoS attacks
• responding to a DoS attack
