Denial of Service Last Class Fault tolerance Concurrency Naming - - PowerPoint PPT Presentation

denial of service last class
SMART_READER_LITE
LIVE PREVIEW

Denial of Service Last Class Fault tolerance Concurrency Naming - - PowerPoint PPT Presentation

Jul 28, 2023 142 likes •437 views

Denial of Service Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a

slide-1
SLIDE 1

Denial of Service

slide-2
SLIDE 2
slide-3
SLIDE 3

Last Class

  • Fault tolerance
  • Concurrency
  • Naming
slide-4
SLIDE 4

This Class

  • Networking
  • How DDoS works
slide-5
SLIDE 5
slide-6
SLIDE 6

UDP

Client Server

Data Response

slide-7
SLIDE 7

TCP

slide-8
SLIDE 8

DDoS

  • Distributed denial-of-service attack
  • Attacker targets a victim from a number of different

IP addresses

  • Purpose is to overwhelm victim’s resources so that

legitimate users can’t use them

slide-9
SLIDE 9
slide-10
SLIDE 10

DDoS as Protest

slide-11
SLIDE 11

DDoS as Protest

slide-12
SLIDE 12

DDoS as Protest

  • 1995 Strano Network took down French

government websites to protest French nuclear policy

  • 1998 NYTimes article about “virtual sit-ins”
  • 2014 Hong Kong protests

https://motherboard.vice.com/en_us/article/d734pm/history-of-the-ddos-attack https://www.nytimes.com/1998/10/31/world/hacktivists-of-all-persuasions-take-their-struggle-to-the-web.html https://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong- sites/

slide-13
SLIDE 13

Mirai Botnet

https://www.usenix.org/conference/usenixsecurity17/technical- sessions/presentation/antonakakis

slide-14
SLIDE 14

Victim Population

slide-15
SLIDE 15

Compromised Devices

slide-16
SLIDE 16

DDoS over time

slide-17
SLIDE 17
slide-18
SLIDE 18

TCP

slide-19
SLIDE 19

SYN Flood

slide-20
SLIDE 20

Protecting against SYN flood

  • Filtering
  • Increasing Backlog
  • Reducing SYN-RECEIVED Timer
  • Recycling the Oldest Half-Open TCB
  • SYN Cache
  • SYN Cookies
  • Firewalls and Proxies

https://tools.ietf.org/html/rfc4987

slide-21
SLIDE 21

Smurf Attack

  • Send ping message “from” victim to broadcast IP

address

  • Every computer on that network will helpfully reply

to the victim.

slide-22
SLIDE 22

Ping Flood

  • Send a bunch of ping messages to a server
  • ping: ICMP "echo request"
slide-23
SLIDE 23

DNS amplification

  • Forge a DNS query to an open DNS resolver with

victim’s IP address as return address

  • Victim gets overwhelmed with DNS queries they

didn’t ask for

  • Queries for a DNSSEC-signed zone if victim is a

DNS server

slide-24
SLIDE 24

DNS amplification

  • dig +trace cr.yp.to any

cr.yp.to. 600 IN MX 0 a.mx.cr.yp.to. cr.yp.to. 600 IN MX 10 b.mx.cr.yp.to. cr.yp.to. 600 IN A 80.101.159.118 yp.to. 259200 IN NS a.ns.yp.to. yp.to. 259200 IN NS uz5uu2c7j228ujjccp3ustnfmr4pgcg5ylvt16kmd0qzw7bbjgd5xq.ns.yp.to. yp.to. 259200 IN NS b.ns.yp.to. yp.to. 259200 IN NS f.ns.yp.to. yp.to. 259200 IN NS uz5ftd8vckduy37du64bptk56gb8fg91mm33746r7hfwms2b58zrbv.ns.yp.t

  • .

;; Received 414 bytes from 131.193.36.24#53(f.ns.yp.to) in 32 ms

https://dankaminsky.com/2011/01/05/djb-ccc/#dnsamp

slide-25
SLIDE 25

DNS amplification

  • http://www.pir.org. 300 IN A 173.201.238.128

pir.org. 300 IN NS ns1.sea1.afilias-nst.info. pir.org. 300 IN NS ns1.mia1.afilias-nst.info. pir.org. 300 IN NS ns1.ams1.afilias-nst.info. pir.org. 300 IN NS ns1.yyz1.afilias-nst.info. ;; Received 329 bytes from 199.19.50.79#53(ns1.sea1.afilias-nst.info) in 90 ms

  • http://www.pir.org. 300 IN A 173.201.238.128

http://www.pir.org. 300 IN RRSIG A 5 3 300 20110118085021 20110104085021 61847 pir.org. n5cv0V0GeWDPfrz4K/CzH9uzMGoPnzEr7MuxPuLUxwrek+922xiS3BJG NfcM9nlbM5GZ5+UPGv668NJ1dx6oKxH8SlR+x3d8gvw2DHdA51Ke3Rjn z +P595ZPB67D9Gh6l61itZOJexwsVNX4CYt6CXTSOhX/1nKzU80PVjiM wg0= pir.org. 300 IN NS ns1.mia1.afilias-nst.info. pir.org. 300 IN NS ns1.yyz1.afilias-nst.info. pir.org. 300 IN NS ns1.ams1.afilias-nst.info. pir.org. 300 IN NS ns1.sea1.afilias-nst.info. pir.org. 300 IN RRSIG NS 5 2 300 20110118085021 20110104085021 61847 pir.org. IIn3FUnmotgv6ygxBM8R3IsVv4jShN71j6DLEGxWJzVWQ6xbs5SIS0oL OA1ym3aQ4Y7wWZZIXpFK +/Z+Jnd8OXFsFyLo1yacjTylD94/54h11Irb fydAyESbEqxUBzKILMOhvoAtTJy1gi8ZGezMp1+M4L +RvqfGze+XFAHN N/U= ;; Received 674 bytes from 199.19.49.79#53(ns1.yyz1.afilias-nst.info) in 26 ms

slide-26
SLIDE 26

Spam

  • Unwanted email
  • Sending email from bad server farms
  • Moved to sending from compromised machines
slide-27
SLIDE 27

Spam Case Study: McColo

  • California-based Hosting Provider
  • Shut down in November 2008. Guess which day?
  • Chart of emails rejected
slide-28
SLIDE 28

In Class Exercise

  • Most security competitions explicitly disallow

denial of service attacks.

  • Today we’re going to play around with Google

Gruyere.

  • https://google-gruyere.appspot.com/

part1#1__setup

  • https://google-gruyere.appspot.com/

part4#4__denial_of_service