This document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks. It defines DoS and DDoS attacks, describes their costs for victim organizations, and classifies different types of DoS attacks. The document also discusses strategies for mitigating DDoS attacks, including strategic firewall placement, default deny firewall policies, and spreading firewall processing across multiple computers. It provides examples of different types of DoS attacks and simulates the effects of strategic firewall placement.
Arab Academy for Banking & Financial Sciences

Faculty of Information Systems & Technology - Department of CIS

Information System Security

Ph.D
Denial of Service Attack
(DoS)

Prepared for: Dr. Lo'ai Tawalbeh

Prepared by: Mohammad Nassar

1/42
Learning Objectives
• Types of attacks.
• Definitions of DoS and DDoS attacks.
• Costs of DoS attacks for victim organizations.
• Classification of DoS attacks.
• Strategic firewall placement.
• Default deny.
• Detecting DDoS attacks by monitoring the source IP addresses.
• Example.
• Conclusion.

2/42
TYPES OF ATTACKS
(figure: attack taxonomy)
• Nontechnical attack
• Technical attack
  • Denial-of-service attack
  • Malicious code
    • Virus
    • Worm
    • Trojan horse
  • Sniffing
  • Spoofing

3/42
Definitions of DoS and DDoS attacks
• A DoS (Denial of Service) attack aims at preventing legitimate users from
obtaining authorized access to a system resource. The attacker uses specialized
software to send a flood of data packets to the target computer with the aim of
overloading its resources.

• DDoS (Distributed Denial of Service) attack: a denial-of-service attack in which
the attacker gains illegal administrative access to as many computers on the
Internet as possible and uses these multiple computers to send a flood of data
packets to the target computer.

4/42
Distributed Denial-of-Service (DDoS) attack
(figure)

5/42
INTERNET INSECURITY
• Morris worm of 1987
• Password sniffing attacks in 1994
• IP spoofing attacks in 1995
• Denial of service attacks in 1996
• Email-borne viruses 1999
• Distributed denial of service attacks 2000
• Fast-spreading worms and viruses 2003
• Spam 2004
• … no end in sight
• Internet insecurity grows at super-Internet speed
• Security incidents are growing faster than the Internet (which has roughly
doubled every year since 1988)

6/42
Costs of DoS attacks for victim organizations
• Denial of Service is currently the most expensive computer
crime for victim organizations:

7/42
Classification of DoS attacks
1. Bandwidth consumption:
Attacks that consume all available network bandwidth.
2. Resource starvation:
Attacks that consume system resources (mainly CPU, memory, storage space).
3. Programming flaws:
Failures of applications or OS components to handle exceptional conditions
(e.g. unexpected data sent to a vulnerable component).
4. Routing and DNS attacks:
• Manipulate routing tables.
• Change routing tables to route traffic to the attacker's network or to a black hole.
• Attack DNS servers, again to route traffic to the attacker or to a black hole.

8/42
Examples
• Smurf
1. The attacker sends a sustained stream of ICMP Echo Request packets (ping, the
host-availability check) to the broadcast address of an amplifying network, with
the source address forged to be the victim's.
2. Since the traffic was sent to the broadcast address, all hosts on the amplifying
LAN answer to the victim's IP address.

• Ping of death???
9/42
Ping (Windows XP), pinging 64.233.183.103 (yahoo):

C:\>ping 64.233.183.103

Pinging 64.233.183.103 with 32 bytes of data:
Reply from 64.233.183.103: bytes=32 time=25ms TTL=245
Reply from 64.233.183.103: bytes=32 time=22ms TTL=245
Reply from 64.233.183.103: bytes=32 time=25ms TTL=246
Reply from 64.233.183.103: bytes=32 time=22ms TTL=246

Ping statistics for 64.233.183.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

10/42
Examples
• SYN flood
• TCP three-way handshake:
1. The client requests a connection by sending a SYN (synchronize) message
to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.
• How it works:
1. The attacker sends SYN packets to the victim, forging a non-existent source
IP address.
2. The victim replies with SYN/ACK but receives neither an ACK nor a RST from
the non-existent IP address.
3. The victim keeps the potential connection in a queue in the SYN_RECV state,
but the queue is small, and it takes some time (e.g. 75 seconds) for an entry
to time out and be flushed from the queue.
4. If the attacker sends a few SYN packets every 10 seconds, the victim never
clears the queue and stops responding.
11/42
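The timing on this slide (a 75-second timeout, a few forged SYNs every 10 seconds) can be checked with a small queue model. The Python below is an added example, not code from the slides: it models the SYN_RECV backlog second by second and reports how many legitimate connection attempts find a free slot. The backlog size of 16 and the rate of one legitimate client per second are assumptions chosen to match the slide's description of a "small" queue.

```python
from collections import deque


def simulate_backlog(seconds, backlog_size, timeout, syn_per_burst, burst_interval, legit_per_second):
    """One-second ticks. Forged SYNs never complete the handshake, so each one holds
    a SYN_RECV slot until `timeout` seconds pass. Legitimate clients answer the SYN/ACK
    at once, so they only need a free slot at the moment their SYN arrives and are
    modelled as not occupying a slot across ticks.
    Returns (legit_accepted, legit_rejected, peak_queue_length)."""
    half_open = deque()          # expiry times of forged entries, oldest first
    accepted = rejected = peak = 0
    for t in range(seconds):
        # Entries whose timeout has elapsed are flushed first.
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # Attacker burst: a few forged SYNs every burst_interval seconds.
        if t % burst_interval == 0:
            for _ in range(syn_per_burst):
                if len(half_open) < backlog_size:
                    half_open.append(t + timeout)
        peak = max(peak, len(half_open))
        # Legitimate connection attempts arriving during this second.
        for _ in range(legit_per_second):
            if len(half_open) < backlog_size:
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected, peak


def slide_scenario(backlog_size=16):
    """The slide's numbers: 75 s timeout, five forged SYNs every 10 s (assumed 'a few'),
    one genuine client per second, observed over five minutes."""
    return simulate_backlog(seconds=300, backlog_size=backlog_size, timeout=75,
                            syn_per_burst=5, burst_interval=10, legit_per_second=1)


if __name__ == "__main__":
    print("backlog 16:  ", slide_scenario())
    print("backlog 1024:", slide_scenario(backlog_size=1024))
```

With the small backlog the queue fills within 30 seconds and only briefly opens each time a burst expires, so most legitimate attempts are refused; the same attack against a backlog of 1024 never fills it, since at most eight bursts (40 entries) are alive inside any 75-second window.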
Examples
• LAND:
• The attack involves sending a spoofed TCP SYN packet (connection initiation)
with the target host's IP address as both source and destination.
• It uses ports (the echo and chargen ports).

12/42
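The three packet-level examples on the preceding slides (Smurf, ping of death, LAND) can each be recognised from header fields alone, which is why border routers and firewalls drop them statelessly. The following Python classifier is an added illustration, not code from the slides: the 192.0.2.0/24 network and the sample packets are constructed, and the ping-of-death rule uses the 65535-byte maximum size of a reassembled IPv4 datagram.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed example network: its directed-broadcast address is what a Smurf
# attacker aims echo requests at to use this LAN as an amplifier.
PROTECTED_NET = IPv4Network("192.0.2.0/24")
MAX_IP_DATAGRAM = 65535   # largest reassembled IPv4 datagram (16-bit total length)
IP_HEADER_LEN = 20        # minimal IPv4 header, counted once for the reassembled datagram


@dataclass
class Packet:
    """Only the header fields the three checks need; everything else is ignored."""
    src: str
    dst: str
    proto: str             # "icmp" or "tcp"
    sport: int = 0
    dport: int = 0
    syn: bool = False      # TCP SYN flag set
    icmp_type: int = -1    # 8 = Echo Request
    frag_offset: int = 0   # IP fragment offset in 8-byte units, as carried on the wire
    payload_len: int = 0   # bytes of payload carried by this fragment


def classify(pkt: Packet) -> str:
    """Name the DoS pattern a packet matches, or return 'pass'."""
    # LAND: a SYN whose source and destination endpoints are identical, which
    # makes a vulnerable stack answer itself.
    if pkt.proto == "tcp" and pkt.syn and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "land"
    # Smurf: an echo request to the LAN's directed-broadcast address. The forged
    # source is the real victim, so the right response is to drop it at the border.
    if (pkt.proto == "icmp" and pkt.icmp_type == 8
            and IPv4Address(pkt.dst) == PROTECTED_NET.broadcast_address):
        return "smurf-amplification"
    # Ping of death: a fragment whose offset plus length would reassemble into a
    # datagram larger than 65535 bytes.
    if IP_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len > MAX_IP_DATAGRAM:
        return "ping-of-death"
    return "pass"


def audit(packets):
    """Count matches per pattern, the way a border device's drop counters would."""
    counts = {"land": 0, "smurf-amplification": 0, "ping-of-death": 0, "pass": 0}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic: one of each pattern plus ordinary packets.
    sample = [
        Packet("192.0.2.10", "192.0.2.10", "tcp", 80, 80, syn=True),
        Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),
        Packet("203.0.113.5", "192.0.2.20", "icmp", icmp_type=8, frag_offset=8190, payload_len=40),
        Packet("203.0.113.5", "192.0.2.20", "tcp", 40000, 443, syn=True),
        Packet("203.0.113.5", "192.0.2.20", "icmp", icmp_type=8, payload_len=32),
    ]
    print(audit(sample))
```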
Bottleneck
• To shut down the company’s connection, a
hacker only has to overload this relatively slow
part of the line.
• To stop DDoS attacks, illegitimate traffic must
never be allowed to reach the bottleneck.

13/42
Normal connection
(figure: ISP -> cable connection (bottleneck) -> firewall (bad traffic stopped here))
14/42
Strategic Firewall Placement
• In the strategic firewall placement method, the
company’s firewall is placed on the ISP’s
premises.
• This means that the line connecting the ISP
router to the firewall is very short, and a much
higher bandwidth line (ex. Ethernet) can be used
for this connection at very little extra cost.

15/42
Strategic Firewall Placement
(figure: ISP -> Ethernet connection -> firewall (bad traffic stopped here) -> bottleneck)
16/42
Strategic Firewall Placement
• The firewall remains under the control of the company.
• Now the company is able to control exactly which traffic is allowed into the
bottleneck part of the connection.

17/42
Strategic Firewall Placement
• In the old setup, to thwart a DDoS attack, the company
had to call the ISP and tell them which kinds of packets
to filter.
• The company’s Internet connection remained inoperative until the ISP was
able to complete the company’s request.
• When the company controls the firewall, as in strategic
firewall placement, they can instead filter unwanted
packets almost immediately.

18/42
Additional Requirements
• Moving the firewall is helpful, but, to completely
protect against DDoS attacks, the company also
has to change the way its firewall
handles inbound connection requests.

19/42
Default Deny

• Again: the TCP three-way handshake …

20/42
Default Deny
• If every TCP/SYN packet is allowed to reach the company server, hackers can
flood the company’s server with these packets and overload the connection.
• Instead, the firewall sends back a SYN/ACK packet to the source IP.
• Once the firewall sends out the SYN/ACK packet, it only allows a connection
from the IP address that sent the original TCP/SYN packet.
• A hacker has to have control of that IP address to be able to connect to the
company.
(figure: 1. Spoofed TCP/SYN -> firewall -> SYN/ACK: connection blocked.
2. Real TCP/SYN -> firewall -> SYN/ACK: connection allowed -> server.)

21/42
Default Deny
• Default Deny helps prevent a technique
known as “spoofing” IP addresses.

22/42
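The Default Deny slides describe a firewall that completes the handshake on the server's behalf and only opens a path once the ACK returns from the same source. The model below is an added example in Python, not code from the slides or from any firewall product: the firewall keeps its own table of half-open entries keyed by source endpoint, the spoofed and genuine addresses are constructed, and a sequence number is drawn at random so that only the host that really received the SYN/ACK can answer it.

```python
import random
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class DefaultDenyFirewall:
    """Answers every SYN itself and opens a path to the server only once the ACK
    completing the handshake arrives from the same source endpoint."""

    def __init__(self, seed: Optional[int] = None) -> None:
        self._rng = random.Random(seed)
        self.pending: Dict[Endpoint, int] = {}   # source -> ACK number we expect back
        self.allowed: Set[Endpoint] = set()
        self.server_connections = 0              # connections the protected server actually sees

    def on_syn(self, src: str, sport: int) -> int:
        """Reply with our own SYN/ACK; nothing is forwarded to the server yet.
        Returns the initial sequence number used, so the real owner of `src` can ACK it."""
        isn = self._rng.getrandbits(32)
        self.pending[(src, sport)] = (isn + 1) & 0xFFFFFFFF
        return isn

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        """Only the host that really received the SYN/ACK knows the right ACK number."""
        key = (src, sport)
        if self.pending.get(key) != ack:
            return False                          # no half-open entry, or wrong number: dropped
        del self.pending[key]
        self.allowed.add(key)
        self.server_connections += 1              # firewall now opens the server-side connection
        return True

    def on_data(self, src: str, sport: int) -> bool:
        """Default deny: data from an endpoint that never completed the handshake is dropped."""
        return (src, sport) in self.allowed


def scenario(spoofed_syns: int = 1000, seed: int = 7) -> dict:
    """Constructed traffic: a flood of SYNs from forged addresses that can never answer the
    SYN/ACK, one genuine client that does, and one forged ACK carrying a made-up number."""
    fw = DefaultDenyFirewall(seed=seed)
    rng = random.Random(seed)
    for i in range(spoofed_syns):
        forged_src = "203.0.113.%d" % rng.randrange(1, 255)   # constructed, unreachable source
        fw.on_syn(forged_src, 1024 + i)
        # The SYN/ACK goes to an address that did not send the SYN, so no ACK ever comes back.
    # Genuine client: sends SYN, receives our SYN/ACK, answers with isn + 1.
    isn = fw.on_syn("198.51.100.25", 40000)
    genuine_ok = fw.on_ack("198.51.100.25", 40000, (isn + 1) & 0xFFFFFFFF)
    # A forged ACK for an address the sender does not control carries the wrong number.
    forged_ok = fw.on_ack("203.0.113.9", 1024, 12345)
    return {
        "server_connections": fw.server_connections,
        "half_open_at_firewall": len(fw.pending),
        "genuine_client_allowed": genuine_ok,
        "forged_ack_allowed": forged_ok,
        "data_from_spoofed_source_forwarded": fw.on_data("203.0.113.9", 1024),
    }


if __name__ == "__main__":
    print(scenario())
```

The point the slide makes shows up in the counters: a thousand spoofed SYNs leave a thousand half-open entries at the firewall and none at the server, while the single genuine client is the only connection the server ever sees. The firewall's own table still has to be sized and timed out, which is the capacity problem the later "Firewall Capabilities" slide raises.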
Firewall Capabilities
• Maintaining these policies could require a lot of
computational power from the firewall.
• Firewall may not be able to handle the entire
job itself.
• The processing work of the firewall can be
spread among multiple computers if
necessary, and those computers would feed
directly into the firewall.

23/42
Simulation of Strategic Firewall Placement (NS-2 used to simulate DDoS traffic)
(figure: DDoS attack and legitimate traffic -> router -> high-speed link -> firewall
-> 1.5 Mbps link -> target; buildup of packets in the queue on the high-speed link)
24/42
Simulation of Strategic Firewall Placement

• When the link leading up to the firewall is too slow, a DDoS attack basically
shuts down the system.
• When the link leading up to the firewall is fast enough, the system continues
running through a DDoS attack, even after the attack is increased in intensity
from 50 to 100 Mbps.

25/42
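The two outcomes on this slide follow from where the slow link sits relative to the firewall. The following Python model is an added example and is not the NS-2 simulation the slide refers to: it chains two drop-tail links with a filtering firewall between them and measures the share of legitimate packets that reach the company. The packet-per-tick scale (10 packets per tick for 1 Mbps), the gigabit ISP-side Ethernet, the 1 Mbps of legitimate traffic and the two-tick buffer are assumptions.

```python
import random
from collections import deque

# Constructed packet-per-tick capacities: 10 packets per tick stands for 1 Mbps, so the
# 1.5 Mbps cable is 15 and the 50 / 100 Mbps floods on the slide are 500 / 1000.
CABLE = 15
ETHERNET = 10_000        # assumed gigabit link on the ISP's premises, fast enough to carry the flood
LEGIT = 10               # 1 Mbps of legitimate traffic (assumed)


class Link:
    """A drop-tail queue drained at `capacity` packets per tick, buffering two ticks' worth."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.limit = 2 * capacity
        self.buffer = deque()

    def enqueue(self, packets) -> None:
        for pkt in packets:
            if len(self.buffer) < self.limit:
                self.buffer.append(pkt)       # otherwise the packet is dropped

    def serve(self) -> list:
        return [self.buffer.popleft() for _ in range(min(self.capacity, len(self.buffer)))]


def legit_goodput(isp_to_firewall: int, firewall_to_company: int, attack_rate: int,
                  legit_rate: int = LEGIT, ticks: int = 200, seed: int = 1) -> float:
    """Topology: ISP router -> link1 -> firewall -> link2 -> company. The firewall discards
    attack packets, but only those that survive link1. Packets are booleans
    (True = legitimate, False = attack). Returns the share of legitimate packets delivered."""
    rng = random.Random(seed)
    link1, link2 = Link(isp_to_firewall), Link(firewall_to_company)
    sent = delivered = 0
    for _ in range(ticks):
        arrivals = [True] * legit_rate + [False] * attack_rate
        rng.shuffle(arrivals)                        # attack and legitimate packets interleave
        sent += legit_rate
        link1.enqueue(arrivals)
        at_firewall = link1.serve()
        link2.enqueue([p for p in at_firewall if p])  # firewall drops the attack packets
        delivered += sum(link2.serve())
    return delivered / sent


def slide_comparison() -> dict:
    """Old setup (cable in front of the firewall, LAN behind it) versus strategic placement
    (Ethernet in front, cable behind), at the 50 and 100 Mbps intensities on the slide."""
    return {
        "old_setup_50": legit_goodput(CABLE, ETHERNET, 500),
        "old_setup_100": legit_goodput(CABLE, ETHERNET, 1000),
        "strategic_50": legit_goodput(ETHERNET, CABLE, 500),
        "strategic_100": legit_goodput(ETHERNET, CABLE, 1000),
    }


if __name__ == "__main__":
    for name, share in slide_comparison().items():
        print(f"{name:15s} legitimate traffic delivered: {share:.1%}")
```

In the old setup the flood competes with legitimate packets for the 15-packet cable before any filtering happens, so only a few percent of legitimate traffic survives and doubling the attack halves that again; with the firewall in front of the bottleneck every legitimate packet is delivered at either intensity, which is what the NS-2 result on the slide reports.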
How to know if an attack is happening?

• Not all disruptions to service are the result of a DoS. There may be technical
problems with a particular network. However, the following symptoms could
indicate a DoS or DDoS attack:
• Unusually slow network performance
• Unavailability of a particular web site
• Inability to access any web site or any resources
• Dramatic increase in the amount of spam received in the account

26/42
Detecting Distributed Denial of Service Attacks by Monitoring the Source IP
addresses
• IP addresses in DDoS attack traffic did not appear before. [Peng et al. 2003]
• Monitoring the traffic volume is likely to create high false positives.
• Monitoring the percentage of new IP addresses is very effective in detecting
the attacks.
27/42
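The slide contrasts two detectors: raw traffic volume, which fires on any surge, and the share of source addresses never seen before, which separates a flood of forged sources from a legitimate surge of returning users. The Python below is an added example in the spirit of that description, not the detector from Peng et al. 2003 or code from the slides: the address pools, window sizes and the 50 % ratio threshold are constructed for illustration.

```python
import random

# Constructed address pool: regular visitors come from a small, stable set.
REGULAR_CLIENTS = ["192.0.2.%d" % i for i in range(1, 51)]


def new_ip_ratio(window, known):
    """Share of packets in the window whose source never appeared in normal traffic."""
    if not window:
        return 0.0
    return sum(1 for src in window if src not in known) / len(window)


def detect(windows, training_windows, ratio_threshold=0.5, volume_threshold=400):
    """Learn the source set from the first `training_windows`, then judge each later window
    twice: by raw packet volume (the method the slide calls prone to false positives) and
    by the share of new source IPs. The database only learns from windows that did not
    alert, so a flood of forged addresses cannot poison it.
    Returns [(window_index, volume_alert, new_ip_alert), ...]."""
    known = set()
    for window in windows[:training_windows]:
        known.update(window)
    verdicts = []
    for i in range(training_windows, len(windows)):
        window = windows[i]
        volume_alert = len(window) > volume_threshold
        new_ip_alert = new_ip_ratio(window, known) > ratio_threshold
        verdicts.append((i, volume_alert, new_ip_alert))
        if not new_ip_alert:
            known.update(window)
    return verdicts


def build_scenario(seed=3):
    """Constructed traffic: five quiet training windows, one more quiet window, a flash
    crowd of mostly returning users (a legitimate spike), and a DDoS window whose
    sources are almost all forged."""
    rng = random.Random(seed)
    quiet = [[rng.choice(REGULAR_CLIENTS) for _ in range(200)] for _ in range(6)]
    flash_crowd = ([rng.choice(REGULAR_CLIENTS) for _ in range(720)]
                   + ["203.0.113.%d" % rng.randrange(1, 255) for _ in range(80)])
    ddos = ["%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4)) for _ in range(800)]
    return quiet + [flash_crowd, ddos]


def run_demo():
    """Window 5 is quiet, window 6 is the flash crowd, window 7 is the attack."""
    return detect(build_scenario(), training_windows=5)


if __name__ == "__main__":
    for index, by_volume, by_new_ips in run_demo():
        print(f"window {index}: volume alert={by_volume}, new-IP alert={by_new_ips}")
```

The volume detector fires on both the flash crowd and the attack, which is the false positive the slide warns about; the new-IP ratio stays around 10 % for the flash crowd and rises to nearly 100 % for the flood, so only the attack crosses the threshold.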
How to avoid being part of the problem?

There are no effective ways to prevent being the victim of a DoS or DDoS attack,
but the following measures can help:
• Install anti-virus software
• Install a firewall
• Applying email filters may help manage unwanted traffic

28/42
Example (spoofed DoS attack )
• A spoofed DoS attack is a process in which
one host (usually a server or router) sends a
flood of network traffic to another host .

29/42
A & B
• B: the target machine (Athlon 64 3400+ with 1 GB of RAM).
• A: the source machine is a Pentium III 700 with 512 MB of RAM.

30/42
Using xxpoof … Why?

31/42
Target Machine Health

32/42
Source Machine Health

33/42
Conclusion
• Denial of Service is currently the most expensive computer crime for victim
organizations.
• Strategic firewall placement allows companies to use the Internet during a DDoS
attack, and it allows them to continue receiving the packets they want.
• Distributed Denial of Service attacks can be detected by monitoring the source
IP addresses.
• It is easy to generate a successful DDoS attack that bypasses these defenses.

34/42
References:
• Turban, Efraim; King, David; Lee, Jae; Viehland, Dennis (2006), Electronic
Commerce: A Managerial Perspective, International Edition, Prentice Hall.
• Chatam, W.; Rice, J.; and Hamilton, J. A. Jr., "Using Simulation to Analyze
Denial of Service Attacks", Advanced Simulation Technology Conference, April
18 - 24, Arlington, VA, 2004.
• "Distributed and Cooperating Firewalls in a Secure Data Network," IEEE
Transactions on Knowledge and Data Engineering, IEEE Educational Activities
Department, vol. 40, no. 5 (September), pp. 1307 – 1315, 2003.
• S. Gibson, "Distributed Reflection Denial of Service. Description and analysis
of a potent, increasingly prevalent, and worrisome Internet attack," February 22,
2002, available at http://grc.com/dos/drdos.htm
• Smith, R.; Chen, Y.; and Bhattacharya, S., "Cascade of Huegen, C. A., "The
latest in Denial of Service attacks: smurfing description and information to
minimize effects", Feb 2000, available at
http://www.pentics.net/denial-of-service/white-apers/smurf.cgi
• United States Computer Emergency Readiness Team (2004), "Understanding
Denial-of-Service Attacks", http://www.us-cert.gov/cas/tips/ST04-015.html
• Williams, Charles (Dr.) (2001), "Who Goes There? Authentication in the On-Line
World", http://www.bizforum.org/whitepapers/cylink002.htm
35/42
