SLIDE 1
DDoS Last Class Fault tolerance Concurrency Naming This Class - - PowerPoint PPT Presentation
DDoS Last Class Fault tolerance Concurrency Naming This Class - - PowerPoint PPT Presentation
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of
SLIDE 2
SLIDE 3
Last Class
- Fault tolerance
- Concurrency
- Naming
SLIDE 4
This Class
- Networking
- How DDoS works
SLIDE 5
SLIDE 6
UDP
Client Server
Data Response
SLIDE 7
TCP
SLIDE 8
DDoS
- Distributed denial-of-service attack
- Attacker targets a victim from a number of different
IP addresses
- Purpose is to overwhelm victim’s resources so that
legitimate users can’t use them
SLIDE 9
SLIDE 10
Mirai Botnet
https://www.usenix.org/conference/usenixsecurity17/technical- sessions/presentation/antonakakis
SLIDE 11
Victim Population
SLIDE 12
Compromised Devices
SLIDE 13
DDoS over time
SLIDE 14
SLIDE 15
SYN Flood
SLIDE 16
Protecting against SYN flood
- Filtering
- Increasing Backlog
- Reducing SYN-RECEIVED Timer
- Recycling the Oldest Half-Open TCB
- SYN Cache
- SYN Cookies
- Firewalls and Proxies
https://tools.ietf.org/html/rfc4987
SLIDE 17
Smurf Attack
- Send ping message “from” victim to broadcast IP
address
- Every computer on that network will helpfully reply
to the victim.
SLIDE 18
Ping Flood
- Send a bunch of ping messages to a server
- ping: ICMP "echo request"
SLIDE 19
DNS amplification
- Forge a DNS query to an open DNS resolver with
victim’s IP address as return address
- Victim gets overwhelmed with DNS queries they
didn’t ask for
- Queries for a DNSSEC-signed zone if victim is a
DNS server
SLIDE 20
DNS amplification
- dig +trace cr.yp.to any
cr.yp.to. 600 IN MX 0 a.mx.cr.yp.to. cr.yp.to. 600 IN MX 10 b.mx.cr.yp.to. cr.yp.to. 600 IN A 80.101.159.118 yp.to. 259200 IN NS a.ns.yp.to. yp.to. 259200 IN NS uz5uu2c7j228ujjccp3ustnfmr4pgcg5ylvt16kmd0qzw7bbjgd5xq.ns.yp.to. yp.to. 259200 IN NS b.ns.yp.to. yp.to. 259200 IN NS f.ns.yp.to. yp.to. 259200 IN NS uz5ftd8vckduy37du64bptk56gb8fg91mm33746r7hfwms2b58zrbv.ns.yp.t
- .
;; Received 414 bytes from 131.193.36.24#53(f.ns.yp.to) in 32 ms
https://dankaminsky.com/2011/01/05/djb-ccc/#dnsamp
SLIDE 21
DNS amplification
- http://www.pir.org. 300 IN A 173.201.238.128
pir.org. 300 IN NS ns1.sea1.afilias-nst.info. pir.org. 300 IN NS ns1.mia1.afilias-nst.info. pir.org. 300 IN NS ns1.ams1.afilias-nst.info. pir.org. 300 IN NS ns1.yyz1.afilias-nst.info. ;; Received 329 bytes from 199.19.50.79#53(ns1.sea1.afilias-nst.info) in 90 ms
- http://www.pir.org. 300 IN A 173.201.238.128
http://www.pir.org. 300 IN RRSIG A 5 3 300 20110118085021 20110104085021 61847 pir.org. n5cv0V0GeWDPfrz4K/CzH9uzMGoPnzEr7MuxPuLUxwrek+922xiS3BJG NfcM9nlbM5GZ5+UPGv668NJ1dx6oKxH8SlR+x3d8gvw2DHdA51Ke3Rjn z +P595ZPB67D9Gh6l61itZOJexwsVNX4CYt6CXTSOhX/1nKzU80PVjiM wg0= pir.org. 300 IN NS ns1.mia1.afilias-nst.info. pir.org. 300 IN NS ns1.yyz1.afilias-nst.info. pir.org. 300 IN NS ns1.ams1.afilias-nst.info. pir.org. 300 IN NS ns1.sea1.afilias-nst.info. pir.org. 300 IN RRSIG NS 5 2 300 20110118085021 20110104085021 61847 pir.org. IIn3FUnmotgv6ygxBM8R3IsVv4jShN71j6DLEGxWJzVWQ6xbs5SIS0oL OA1ym3aQ4Y7wWZZIXpFK +/Z+Jnd8OXFsFyLo1yacjTylD94/54h11Irb fydAyESbEqxUBzKILMOhvoAtTJy1gi8ZGezMp1+M4L +RvqfGze+XFAHN N/U= ;; Received 674 bytes from 199.19.49.79#53(ns1.yyz1.afilias-nst.info) in 26 ms
SLIDE 22
Exercise
https://github.com/ctfs/write-ups-2013/blob/master/pico- ctf-2013/ddos-detection/syn_attack.pcap It appears a SYN-flood style DDoS has been carried out on this system. Send us a list of the IP addresses of the attackers (in any order, separated by spaces), so we can track them down and stop them. https://www.wireshark.org/docs/wsug_html_chunked/ ChapterWork.html