Lecture 8

This lecture discusses network security threats, focusing on Denial of Service (DoS) attacks, including their types and countermeasures. It covers various attack methods such as flooding and spoofing, as well as the motivations behind attackers. The session aims to equip students with the knowledge to understand and address network security challenges in their future careers.

Uploaded by

Ginnie Melody
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views52 pages

Lecture 8

This lecture discusses network security threats, focusing on Denial of Service (DoS) attacks, including their types and countermeasures. It covers various attack methods such as flooding and spoofing, as well as the motivations behind attackers. The session aims to equip students with the knowledge to understand and address network security challenges in their future careers.

Uploaded by

Ginnie Melody
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 52

Computer System Security

(040613601)

Lecture 8 : Network Security (I)


Denial of Service

By Assoc. Prof. Benchaphon Limthanmaphon, PhD.


Objective

Students should be able to understand:

- Network security threats and attacks
- Distributed denial of service attacks
- How to counter DoS attacks

Students should be able to apply this knowledge in their future careers.
Contents

- What is Network Security
- Threats in Networks
- Motives of Attackers
- Threat Precursors
- Threat in Transit
- Threat in Authentication
  - Impersonation
  - Spoofing
- Threat in Confidentiality and Integrity
  - Protocol Flaw
  - Noise
  - Falsification of Messages
- Threat in Availability
  - Denial of Service
    - introduction to denial of service (DoS) attacks
    - classic flooding and SYN spoofing attacks
    - ICMP, UDP, TCP SYN floods
    - distributed denial of service (DDoS) attacks
    - reflection and amplification attacks
    - defenses against DoS attacks
    - responding to DoS attacks
Network Terms and Concepts

- A single computing system in a network is called a node, and its processor (computer) is called a host. A connection between two hosts is known as a link.
- Network environment characteristics:
  - Anonymity
  - Automation
  - Distance
  - Opaqueness
  - Routing diversity
  - Shape and size (topology)
  - Mode of communication (digital vs analog)
  - Media
  - Protocols
ISO OSI Model

OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium
TCP/IP

Layer         Action                          Responsibilities
Application   Prepare messages                User interaction, addressing
Transport     Convert messages to packets     Sequencing, reliability, error correction
Internet      Convert messages to datagrams   Flow control, routing
Physical      Transmit datagrams as bits      Data communication

- ISO/OSI:
  - Slows things down
- TCP/IP:
  - More efficient
  - Open
- Results:
  - TCP/IP used over the Internet
  - Introduces security issues
What is network security?

- Confidentiality:
  - only the sender and the intended receiver should "understand" the message contents
  - sender encrypts the message
  - receiver decrypts the message
- Authentication:
  - sender and receiver want to confirm each other's identity
- Message Integrity:
  - sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
- Access and Availability:
  - services must be accessible and available to users
Network Security Problem

(Figure, source: CERT: the many entry points into an organisation's local area network, including removable media, remote user locations, modem and telephone access, radio emissions, a "backdoor" Internet connection, wireless users, the Internet/ISP connection, remote users, and vendors and subcontractors.)
Friends and Enemies: Alice, Bob, Trudy

- well-known in the network security world
- Bob, Alice (lovers!) want to communicate "securely"
- Trudy (intruder) may intercept, delete, add messages

(Figure: Alice, the sender, and Bob, the receiver, exchange data and control messages over a channel through a secure sender and a secure receiver component; Trudy sits on the channel between them.)
Who might Bob, Alice be?

- ... well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates

Q: What can a "bad guy" do?

A: a lot!
- eavesdrop: intercept messages
- actively insert messages into a connection
- impersonation: can fake (spoof) the source address in a packet (or any field in the packet)
- hijacking: "take over" an ongoing connection by removing the sender or receiver and inserting himself in their place
- denial of service: prevent a service from being used by others (e.g., by overloading resources)
Threats in Networks

- Anonymity
  - The potential attacker is safe behind an electronic shield.
  - Effort is made to disguise the attack's origin.
  - Many points of attack, both targets and origins.
- Sharing
  - Access is afforded to more systems, so access controls for single systems may be inadequate in networks.
- Complexity of system
  - A network operating system/control system is more complex than an operating system for a single computing system.
  - An average computer is so powerful that most users do not know what their computers are really doing at any moment.
- Unknown perimeter
  - A network's expandability implies an uncertain network boundary.
  - Every network node must be able to react to the possible presence of new, untrustworthy hosts.
- Unknown path
  - Network users seldom have control over the routing of their messages.
Motives of Attackers

- Challenge
  - An attacker is intrigued with knowing the answers to "Can I defeat this network? What would happen if I tried this approach or that technique?"
  - Just to see how far they can go in performing unwelcome activities.
- Fame
  - Part of the challenge is doing the deed; another part is taking credit for it.
  - They may not be able to brag too openly, but they enjoy the personal thrill of seeing their attacks written up in the news media.
- Money and Espionage
  - Financial reward motivates attackers.
- Ideology
  - Hacktivism involves operations that use hacking techniques against a target's network with the intent of disrupting normal operations but not causing serious damage.
  - Cyberterrorism is politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage.
Threat Precursor (1)

- Port Scan
  - Gathers network information for a particular IP address.
  - Tells which standard ports or services are running and responding on the target system, what OS is installed, and what applications and versions of applications are present.
- Social Engineering
  - Involves using social skills and personal interaction to get someone to reveal security-relevant information.
- Operating System and Application Fingerprinting
  - The attacker can consult a list of specific software's known vulnerabilities to determine which particular weaknesses to try to exploit.
  - Fingerprint: a new version will implement a new feature but an old version will reject the request.
Threat Precursor (2)

- Bulletin Boards and Chats
  - Attackers can post their latest exploits and techniques, read what others have done, and search for additional information on systems, applications, or sites.
- Availability of Documentation
  - Vendors themselves sometimes distribute information that is useful to an attacker.
- Reconnaissance: Concluding Remarks
  - Collecting information from various sources and putting it together.
  - May involve eavesdropping.
  - A good thief spends time understanding the context of the target.
  - The clever thief or attacker will collect a little information, go dormant for a while, and resurface to collect more.
  - The best defence against reconnaissance is silence. Give out as little information about your site as possible, whether by humans or machines.
Threat in Transit: Eavesdropping and Wiretapping

- An attacker can pick off the content of a communication passing in the clear.
- Eavesdrop implies overhearing without expending any extra effort.
- Wiretap means intercepting communications through some effort.
  - Passive wiretapping is just listening, much like eavesdropping.
  - Active wiretapping means injecting something into the communication.
- Wiretapping conjures up a physical act by which a device extracts information as it flows over a wire.
Threat in Authentication: Impersonation

- Impersonation falsely represents a valid entity in a communication.
- Authentication Foiled by Guessing
  - Guess the identity and authentication details of the target.
- Authentication Thwarted by Eavesdropping or Wiretapping
  - Pick up the identity and authentication details of the target from a previous communication or from wiretapping.
- Authentication Foiled by Avoidance
  - Circumvent or disable the authentication mechanism at the target computer.
- Nonexistent Authentication
  - Use a target that will not be authenticated.
- Well-Known Authentication
  - Use a target whose authentication data are known.
- Trusted Authentication
  - Identification is delegated to other trusted sources. Useful to users who have accounts on multiple machines. For example, .rhosts and /etc/hosts.equiv on UNIX.
Threat in Authentication: Spoofing

- Guessing or obtaining the network authentication credentials of an entity.
- Permits an attacker to create a full communication under the entity's identity.
- Examples of spoofing: masquerading, session hijacking, man-in-the-middle attacks.
- Masquerade
  - One host pretends to be another. For example, the attacker exploits a flaw in the victim's web server and is able to overwrite the victim's web pages.
- Session Hijacking
  - Intercepting and carrying on a session begun by another entity.
- Man-in-the-Middle Attack
  - One entity intrudes between two others.
Other Threats

- Protocol Flaws
  - Internet protocols are publicly posted for scrutiny by the entire Internet community. Each accepted protocol is known by its request for comments (RFC) number.
  - For example, TCP connections are established through sequence numbers. The client (initiator) sends a sequence number to open a connection, and the server responds with the server's sequence number. An attacker who can guess a client's next sequence number can then impersonate the client in an interchange.
- Noise
  - Signals sent over communications media are subject to interference from other traffic on the same media as well as from natural sources.
Other Threats

- Falsification of Messages
  - An attacker can take advantage of our trust in messages to mislead us.
  - An attacker may:
    - change some or all of the content of a message
    - replace a message entirely
    - reuse (replay) an old message
    - combine pieces of different messages into one
    - change the apparent source of a message
    - redirect a message
    - destroy or delete a message
  - These attacks can be perpetrated in the following ways:
    - active wiretap
    - Trojan horse
    - impersonation
    - preempted host
    - preempted workstation
Denial of Service (DoS)

- Attack to disable a machine by making it unable to respond to requests
- Uses up resources
  - Bandwidth, swap space, RAM, hard disk
- Some attacks yield millions of service requests per second
- Types of attack
  - Transmission failure
  - Connection flooding
    - Ping of Death
    - SYN flood
    - ICMP
    - Echo, Chargen (UDP services)
    - Smurf
  - Traffic redirection
  - DNS attacks
  - Distributed Denial of Service
Denial of Service

- Denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.
- Attacks target:
  - network bandwidth
    - relates to the capacity of the network links connecting a server to the wider Internet
  - system resources
    - typically aims to overload or crash the target's network handling software
  - application resources
    - aims to overload the capabilities of a server and limit its ability to respond to requests from other users
Types of Flooding Attacks

Classified based on the network protocol used:

- ICMP Flood
  - uses ICMP packets, e.g. echo request
  - typically allowed through, and some types are required
- UDP Flood
  - alternatively uses UDP packets sent to some port
- TCP SYN Flood
  - uses TCP SYN (connection request) packets
  - but purely as a volume attack
Classic Denial of Service Attacks

- The simplest classical denial of service attack is a flooding attack.
- The aim of this attack is to overwhelm the capacity of the network connection to the target.
- If the attacker has access to a system with a higher capacity network connection, then this system can generate a higher volume of traffic than the lower capacity target connection can handle.
- In the classic ping flood attack, the source of the attack is clearly identified, since its address is used as the source address in the ICMP echo request packets.
- This has two disadvantages from the attacker's perspective:
  - First, the source of the attack is explicitly identified, increasing the chance that the attacker can be identified and legal action taken in response.
  - Second, the targeted system will attempt to respond to the packets being sent.
Ping Flooding

- Attacker sends a flood of pings to the intended victim
- The ping packets will saturate the victim's bandwidth

(Figure, source: Peter Shipley: attacking system(s) send ping traffic across the Internet to the victim system.)
Classic Denial of Service Attacks

(Figure: the attacker might use the large company's web server to target the medium-sized company with a lower capacity network connection.)
Source Address Spoofing

- Use forged source addresses
  - given sufficient privilege to "raw sockets"
  - easy to create
- Problem with the routers
  - Routers look at destination addresses only.
  - Authentication is based on source addresses only.
  - Changing the source address field in the IP header is easy.
- Generate large volumes of packets
  - directed at the target
  - with different, random source addresses
- Causes the same congestion
  - responses are scattered across the Internet
  - the real source is much harder to identify
Spoofing Attack

- When conducting a flooding attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
- When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.
- IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.

(Figure: a sender floods the victim with spoofed packets; the victim's view is "Oops, many packets are coming. But who is the real source?")
Smurf Attack

- Attacker chooses an unwitting victim
- Sends an ICMP ping packet with a spoofed IP source address to a LAN, which will broadcast it to all hosts on the LAN
- Each host will send an ICMP echo reply packet to the spoofed IP address, leading to denial of service

(Figure, source: Cisco: the perpetrator sends a single packet across the Internet to the IP broadcast address of innocent reflector sites; the ICMP echo carries the victim's address as its spoofed source, so every host's ICMP echo reply goes to the victim. Figure labels: "1 SYN" in, "10,000 SYN/ACKs -- VICTIM IS DEAD" out. Bandwidth multiplication: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack.)

ICMP = Internet Control Message Protocol
SYN Flood

- Attacker sends many connection requests
  - with spoofed source addresses
- Victim allocates resources for each request
- Connection requests exist until timeout
- Fixed bound on half-open connections
- Resources exhausted -> requests rejected

Three-Way Handshake (figure, source: Peter Shipley)

1: Client sends SYN, seq=x
2: Server sends SYN, seq=y, ACK x+1
3: Client sends ACK y+1
SYN Spoofing Attack

(Figure: the three-way handshake in the normal flow compared with a SYN flood.)
SYN Spoofing Attack

- The potential for abuse arises at the point when the server system sends the SYN-ACK message back to the client and before it receives the final ACK message.
- This situation is referred to as a half-open connection.
- The server usually keeps in its memory a data structure that describes all the pending connections.
- Since this data structure has a finite size, it can be easily overflowed by intentionally creating too many partially-open connections.
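As an added example (not part of the lecture slides), the Python below tracks handshake state over a constructed packet trace and reports, per server, how many connections are stuck half-open and from how many distinct client addresses. That combination is what a monitor looks for to detect a SYN spoofing attack: a legitimate burst of load produces connections that complete, while a spoofed flood produces half-open entries from sources that never answer. The trace format, the addresses and the `threshold` tuning value are assumptions made for the example.

```python
# Added example, not from the lecture: detect a SYN spoofing attack by tracking
# TCP handshake state per flow and counting half-open connections per server.
from collections import defaultdict

# Constructed sample trace. Each record: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK (the third handshake packet).
SERVER = ("198.51.100.10", 80)
SAMPLE_TRACE = [
    # one legitimate client that completes the three-way handshake
    (0.00, "203.0.113.5", 40001, SERVER[0], SERVER[1], "S"),
    (0.01, SERVER[0], SERVER[1], "203.0.113.5", 40001, "SA"),
    (0.02, "203.0.113.5", 40001, SERVER[0], SERVER[1], "A"),
]
# fifty SYNs from random-looking (spoofed) sources; the server answers with
# SYN-ACK but the final ACK never arrives, so each entry stays half-open
for i in range(50):
    spoofed = f"192.0.2.{i + 1}"
    SAMPLE_TRACE.append((1.0 + i / 1000, spoofed, 1000 + i, SERVER[0], SERVER[1], "S"))
    SAMPLE_TRACE.append((1.0 + i / 1000 + 0.0005, SERVER[0], SERVER[1], spoofed, 1000 + i, "SA"))


def track_handshakes(trace):
    """Map each client->server flow (src, sport, dst, dport) to its handshake
    state: "syn" (SYN seen), "synack" (server replied), or "established"."""
    state = {}
    for _t, src, sport, dst, dport, flags in trace:
        if flags == "S":
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":
            # the SYN-ACK travels server->client, so reverse it to find the flow
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "established"
    return state


def half_open_report(trace, threshold=20):
    """Per server (ip, port): counts of half-open and established flows, the number
    of distinct client addresses among the half-open ones, and a 'suspicious' flag.
    Many half-open flows from many distinct sources is the classic signature of a
    SYN flood with spoofed addresses; threshold is an assumed tuning value."""
    per_server = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (src, _sport, dst, dport), st in track_handshakes(trace).items():
        entry = per_server[(dst, dport)]
        if st == "established":
            entry["established"] += 1
        else:
            entry["half_open"] += 1
            entry["sources"].add(src)
    report = {}
    for server, entry in per_server.items():
        distinct = len(entry["sources"])
        report[server] = {
            "half_open": entry["half_open"],
            "established": entry["established"],
            "distinct_sources": distinct,
            "suspicious": entry["half_open"] >= threshold and distinct >= threshold,
        }
    return report


if __name__ == "__main__":
    for server, r in half_open_report(SAMPLE_TRACE).items():
        print(server, r)
```

On the constructed trace the server shows one established and fifty half-open flows from fifty different addresses, so the flag is raised; on the first three records alone (the legitimate client) it is not. In production the same counters would be kept over a sliding window and compared with the server's backlog size rather than a fixed threshold.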
Land Attack

- A Land attack occurs when an attacker sends spoofed TCP SYN packets (connection initiation) with a target host's IP address and an open port as both source and destination.
- The target host responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached.
- Flooding a system with empty connection requests will overwhelm it and cause it to deny the services that it offers.

Source IP address = Destination IP address
Source port = Destination port
Teardrop Attack

- The Teardrop attack targets a vulnerability in the way fragmented IP packets are reassembled.
- Fragmentation is necessary when IP datagrams are larger than the maximum transmission unit (MTU) of a network segment across which the datagrams must traverse.
- In order to successfully reassemble packets at the receiving end, the IP header for each fragment should include an offset to identify the fragment's position in the original un-fragmented packet.
- In a Teardrop attack, packet fragments are deliberately configured with overlapping offset fields, causing the host to hang or crash when it tries to reassemble them.
Distributed Denial of Service Attacks

- Attacks have limited volume if a single source is used
- Multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) attack
- Often compromised PCs / workstations
  - zombies with backdoor programs installed
  - forming a botnet
- e.g. Tribe Flood Network (TFN), TFN2K
DDoS Attack Illustrated

(Figure sequence showing the hacker, unsecured computers that become zombies, a master server, the Internet, the targeted system, and a legitimate user whose request is denied.)

1. The hacker scans the Internet, using a scanning program, for unsecured systems that can be compromised.
2. The hacker secretly installs zombie agent programs, turning the unsecured computers into zombies.
3. The hacker selects a master server to send commands to the zombies.
4. Using a client program, the hacker sends commands to the master server to launch a zombie attack against a targeted system.
5. The master server sends a signal to the zombies to launch the attack on the targeted system.
6. The targeted system is overwhelmed by bogus requests that shut it down for legitimate users ("Request Denied").
Reflection and Amplifier Attacks

- Use the normal behaviour of the network
- The attacker sends a packet to a server with a spoofed source address that is the target's
  - Normal servers are used as intermediaries
- The server's response is directed at the target
- If many requests are sent to multiple servers, the responses can flood the target
- Various protocols, e.g. UDP or TCP/SYN
- Ideally the attacker wants a response larger than the request
- Two basic variants: simple reflection and the amplification attack
- These attacks are easy to deploy and hard to trace back to the actual attacker
- Prevented by blocking source-spoofed packets
Reflection Attacks

- The attacker uses this attack with a number of intermediaries.
- The aim is to generate high volumes of packets to flood the link to the target system, not to exhaust its network handling resources.

(Figure: the sender emits an IP-spoofed packet with src: victim, dst: reflector; the reflector replies to the victim, whose view is "Oops, a lot of replies without any request...".)
Reflection Attacks

- Creates a self-contained loop between intermediary and target
- Echo-Chargen loop
  - consumes bandwidth by sending characters to a host's chargen port with a faked return address and echo port
  - results in ping-pong between the two hosts
- When UDP port 7 (echo port) receives a packet, it checks the payload and then echoes the payload back to the source
- When UDP port 19 (character generator port) receives a packet, it replies with a somewhat random string of characters
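The Land attack, the Teardrop attack and the echo/chargen loop above all have a signature that a packet filter or an IDS can recognise without knowing anything about the application. The Python below, an added example that is not part of the lecture, implements the three checks: a TCP SYN whose source and destination address and port are identical (Land), a UDP datagram between the echo and chargen ports (the loop), and a set of fragments for one datagram whose byte ranges overlap (Teardrop). Packets are represented as plain dicts; the addresses, ports and fragment sizes are constructed for the example.

```python
# Added example, not from the lecture: stateless and reassembly-time checks that
# a packet filter or IDS could apply to recognise the Land attack, the
# echo/chargen loop and Teardrop-style overlapping fragments. Packets are plain
# dicts; all addresses and sizes below are constructed for the example.

ECHO_PORT, CHARGEN_PORT = 7, 19          # UDP echo and character generator
LOOP_PORTS = {ECHO_PORT, CHARGEN_PORT}


def is_land_packet(pkt):
    """Land: a TCP SYN whose source and destination address AND port are identical,
    so the target would answer its own connection request."""
    return (pkt["proto"] == "tcp" and "S" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_echo_chargen_loop(pkt):
    """A UDP datagram between ports 7 and 19 (either direction, or 7->7 / 19->19)
    would bounce between the two services until the link is saturated."""
    return pkt["proto"] == "udp" and pkt["sport"] in LOOP_PORTS and pkt["dport"] in LOOP_PORTS


def fragments_overlap(fragments):
    """fragments: iterable of (offset_bytes, length_bytes) belonging to one
    datagram. True if any two claim overlapping byte ranges, which is the
    Teardrop condition; a sane sender produces non-overlapping ranges."""
    ranges = sorted(fragments)
    for (off_a, len_a), (off_b, _len_b) in zip(ranges, ranges[1:]):
        if off_b < off_a + len_a:
            return True
    return False


def overlapping_datagrams(fragment_records):
    """Group fragment records {id, offset, length} by datagram id and return the
    set of ids whose fragments overlap (the datagrams reassembly should refuse)."""
    by_id = {}
    for rec in fragment_records:
        by_id.setdefault(rec["id"], []).append((rec["offset"], rec["length"]))
    return {dg_id for dg_id, frags in by_id.items() if fragments_overlap(frags)}


def classify(pkt):
    """Return the list of reasons a filter would drop or alert on this packet."""
    reasons = []
    if is_land_packet(pkt):
        reasons.append("land")
    if is_echo_chargen_loop(pkt):
        reasons.append("echo-chargen-loop")
    return reasons


# Constructed sample packets
LAND_PKT = {"proto": "tcp", "flags": "S", "src": "198.51.100.10", "sport": 80,
            "dst": "198.51.100.10", "dport": 80}
NORMAL_SYN = {"proto": "tcp", "flags": "S", "src": "203.0.113.5", "sport": 40001,
              "dst": "198.51.100.10", "dport": 80}
LOOP_PKT = {"proto": "udp", "flags": "", "src": "203.0.113.5", "sport": 7,
            "dst": "198.51.100.10", "dport": 19}

# Constructed fragment records: datagram 1 is well formed, datagram 2 overlaps
FRAGMENTS = [
    {"id": 1, "offset": 0, "length": 1480},
    {"id": 1, "offset": 1480, "length": 520},
    {"id": 2, "offset": 0, "length": 1480},
    {"id": 2, "offset": 1000, "length": 800},   # starts inside the first fragment
]

if __name__ == "__main__":
    for p in (LAND_PKT, NORMAL_SYN, LOOP_PKT):
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], classify(p))
    print("overlapping datagrams:", overlapping_datagrams(FRAGMENTS))
```

The fragment check sorts by offset first, so it does not depend on fragments arriving in order; a reassembler that applies it before copying payload into the buffer never reaches the state that crashed the vulnerable stacks.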
Amplification Attacks

- Variant of reflector attacks
- Multiple replies for each original packet sent
- Achieved by directing the original request to the broadcast address for some network
- As a result, all hosts on that network can potentially respond to the request, generating a flood of responses

(Figure: a sender's single request produces bigger replies directed at the target.)

- The best additional defense against this form of attack is to not allow "directed broadcasts" to be routed into a network from outside.
DNS Amplification Attacks

- Attacks using IP-spoofed DNS queries
  - generating a traffic overload
  - bandwidth attack
  - similar to "smurf attacks"
- Components are:
  - IP spoofing
  - DNS amplification
- Use DNS requests with the spoofed source address being the target
- Exploit DNS behaviour to convert a small request into a much larger response
  - 60 byte request to 512 - 4000 byte response
- The attacker sends requests to multiple well-connected servers, which flood the target
  - needs only a moderate flow of request packets
- DNS servers will also be loaded
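The two things a defender wants to quantify about the reflection and DNS amplification attacks above are the amplification factor (how much traffic the victim receives per byte the attacker sends, using the slide's 60-byte request and 512 to 4000 byte response) and, from the victim's side, the tell-tale "replies without any request". The Python below is an added example, not part of the lecture: it computes the factor and the query rate an attacker would need for a given victim link, and it matches incoming DNS responses against queries this host actually sent, counting the unsolicited ones per resolver so the counts can feed an upstream filter. Link speed, resolver addresses and the event trace are constructed for the example.

```python
# Added example, not from the lecture: (1) the amplification arithmetic behind a
# DNS amplification attack and (2) a victim-side detector for DNS responses that
# arrive without a matching query, which is what reflected traffic looks like
# to the target. Sizes come from the slide (60-byte request, 512-4000 byte
# response); link speeds and the event trace are constructed for the example.
from collections import Counter


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker must send."""
    return response_bytes / request_bytes


def attacker_rate_to_saturate(target_link_bps, request_bytes, response_bytes):
    """Query traffic (bits/s) the attacker needs to fill a victim link of
    target_link_bps, ignoring protocol overhead."""
    return target_link_bps / amplification_factor(request_bytes, response_bytes)


def unsolicited_dns_responses(events):
    """events: list of (direction, resolver_ip, txid) in arrival order, where
    direction is "query" (sent by us to resolver_ip) or "response" (received
    from resolver_ip). Responses are matched to outstanding queries by
    (resolver, transaction id). Returns (unsolicited_count, Counter per resolver)
    so the per-resolver counts can be turned into filter rules."""
    outstanding = set()
    per_resolver = Counter()
    for direction, resolver, txid in events:
        key = (resolver, txid)
        if direction == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)          # legitimate answer to our own query
        else:
            per_resolver[resolver] += 1       # reflected: nobody here asked
    return sum(per_resolver.values()), per_resolver


# Constructed event trace: one real lookup, then reflected answers from three
# open resolvers that this host never queried.
SAMPLE_EVENTS = [
    ("query", "192.0.2.53", 0x1234),
    ("response", "192.0.2.53", 0x1234),
    ("response", "198.51.100.7", 0x0001),
    ("response", "198.51.100.7", 0x0002),
    ("response", "198.51.100.8", 0x0003),
    ("response", "198.51.100.9", 0x0004),
    ("response", "198.51.100.9", 0x0005),
]

if __name__ == "__main__":
    lo, hi = amplification_factor(60, 512), amplification_factor(60, 4000)
    print(f"amplification factor: {lo:.1f}x to {hi:.1f}x")
    print(f"to fill a 100 Mbps link with 4000-byte responses the attacker needs "
          f"{attacker_rate_to_saturate(100e6, 60, 4000) / 1e6:.2f} Mbps of queries")
    count, per = unsolicited_dns_responses(SAMPLE_EVENTS)
    print("unsolicited responses:", count, dict(per))
```

With the slide's figures the factor ranges from about 8.5x to 66.7x, which is why a modest stream of spoofed queries is enough: at the upper end roughly 1.5 Mbps of queries fills a 100 Mbps victim link. Matching on (resolver, transaction id) is what a stateful firewall does for UDP; a stateless filter cannot tell these responses apart from real ones, which is the point the slide makes about why the attack is hard to stop at the target.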
DoS Attack Defenses

- High traffic volumes may be legitimate
  - the result of high publicity
  - or to a very popular site
  - or legitimate traffic created by an attacker
- Three lines of defense against (D)DoS:
  - Attack prevention and preemption (before the attack)
    - These mechanisms enable the victim to endure attack attempts without denying service to legitimate clients.
  - Attack detection and filtering (during the attack)
    - These mechanisms attempt to detect the attack as it begins and respond immediately.
  - Attack source traceback and identification (during and after the attack)
    - This is an attempt to identify the source of the attack as a first step in preventing future attacks.
    - This method does not yield results fast enough to mitigate the ongoing attack.
Attack Prevention

- Block spoofed source addresses
  - on routers as close to the source as possible
  - still far too rarely implemented
- Rate controls in upstream distribution nets
  - on specific packet types
  - e.g. some ICMP, some UDP, TCP/SYN
- Use modified TCP connection handling
  - use SYN cookies when the table is full
  - or selective or random drop when the table is full
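To show what "use SYN cookies when the table is full" means in practice, the Python below (an added example, not the lecture's code nor any kernel's implementation) models a server with a fixed backlog of half-open entries. While the table has room it keeps state as usual; once a spoofed flood fills it, further SYNs are answered with a SYN cookie: an initial sequence number that encodes a time counter, an MSS index and a keyed hash of the connection 4-tuple, so nothing is stored and a client that really completes the handshake can still be accepted by validating its ACK. The cookie layout (5-bit counter, 3-bit MSS index, 24-bit hash) follows the well-known SYN cookie idea, but the secret, the MSS table, the counter granularity and the addresses are assumptions made for this example.

```python
# Added example, not from the lecture: a bounded half-open connection table
# that falls back to SYN cookies once the table is full, so a spoofed SYN flood
# cannot lock legitimate clients out. The cookie layout (5-bit time counter,
# 3-bit MSS index, 24-bit keyed hash) follows the well-known SYN cookie idea,
# but the secret, the MSS table and the counter granularity are assumptions
# made for this example; a real kernel implementation differs in detail.
import hashlib
import hmac
import random

SECRET = b"constructed-demo-secret"          # real servers draw a random secret at boot
MSS_TABLE = [536, 1220, 1440, 1460]          # encodable MSS values, index 0..3
SERVER = ("198.51.100.10", 80)


def _hash24(src, sport, dst, dport, t):
    msg = f"{src}:{sport}:{dst}:{dport}:{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, mss, t):
    """Stateless ISN: counter t (mod 32) in bits 27-31, MSS index in bits 24-26,
    keyed hash of the 4-tuple and t in bits 0-23. Nothing is stored server-side."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t % 32) << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, t)


def check_syn_cookie(src, sport, dst, dport, ack, now, max_age=1):
    """Validate the ACK of the third handshake packet (ack = cookie + 1).
    Returns the encoded MSS if the cookie is genuine and recent, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):
        t = now - age
        if t % 32 != cookie >> 27:
            continue
        if (cookie & 0xFFFFFF) == _hash24(src, sport, dst, dport, t):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


class SynHandler:
    """Server-side handshake state with a fixed backlog of half-open entries."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # (client_ip, client_port) -> our ISN
        self.established = set()
        self.cookies_sent = 0

    def on_syn(self, src, sport, dst, dport, mss, t):
        """Return (isn_to_send, used_cookie). While the table has room we keep
        state as usual; once it is full we answer with a SYN cookie instead."""
        if len(self.half_open) < self.backlog:
            isn = random.getrandbits(32)
            self.half_open[(src, sport)] = isn
            return isn, False
        self.cookies_sent += 1
        return make_syn_cookie(src, sport, dst, dport, mss, t), True

    def on_ack(self, src, sport, dst, dport, ack, t):
        """Third packet of the handshake: accept from the table or from a cookie."""
        key = (src, sport)
        if key in self.half_open:
            if ack == (self.half_open[key] + 1) & 0xFFFFFFFF:
                del self.half_open[key]
                self.established.add(key)
                return True
            return False
        if check_syn_cookie(src, sport, dst, dport, ack, t) is not None:
            self.established.add(key)
            return True
        return False


if __name__ == "__main__":
    h = SynHandler(backlog=4)
    for i in range(100):   # constructed spoofed flood: SYNs that never ACK
        h.on_syn(f"192.0.2.{i % 250}", 10000 + i, *SERVER, 1460, t=5)
    isn, used_cookie = h.on_syn("203.0.113.5", 40001, *SERVER, 1460, t=5)
    ok = h.on_ack("203.0.113.5", 40001, *SERVER, (isn + 1) & 0xFFFFFFFF, t=6)
    print(f"table={len(h.half_open)} cookies={h.cookies_sent} "
          f"legit via cookie={used_cookie} established={ok}")
```

The flood fills only the four table slots; every later SYN costs the server one HMAC and no memory, and a client that actually returns the ACK is accepted through the cookie path while a forged ACK with a random number is rejected. The price is the loss of TCP options that do not fit in the cookie, which is why production stacks enable cookies only once the backlog overflows rather than all the time.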
Attack Prevention

- Block IP directed broadcasts
- Block suspicious services and combinations
  - Limiting or blocking traffic to suspicious services, or combinations of source and destination ports, can restrict the types of reflection attacks that can be used against an organization.
- Manage application attacks with "puzzles" to distinguish legitimate human requests
- Good general system security practices
  - The aim is to ensure that your systems are not compromised and used as zombie systems.
- Use mirrored and replicated servers when high performance and reliability are required
Responding to Attacks

- Need a good incident response plan
  - with contacts for the ISP
    - needed to impose traffic filtering upstream
  - details of the response process
  - have standard filters
- Ideally have network monitors and IDS
  - to detect and notify abnormal traffic patterns
Responding to Attacks

- Identify the type of attack
  - capture and analyze packets
  - design filters to block attack traffic upstream
  - or identify and correct the system/application bug
- Have the ISP trace the packet flow back to its source
  - may be difficult and time consuming
  - necessary if legal action is desired
- Implement a contingency plan
  - switch to alternate backup servers
  - or rapidly commission new servers at a new site with new addresses, in order to restore service
- Update the incident response plan
