dos and ddos lecture 13a - cs.auckland.ac.nz · dos and ddos lecture 13a compsci 726 network...
TRANSCRIPT
Slide title
In CAPITALS
50 pt
Slide subtitle
32 pt
Elliot Wallace
August 24, 2020
DOS AND DDOS
Lecture 13a
COMPSCI 726
Network Defence and Countermeasures
Source of some slides: CMU, Stanford University, and University of Twente
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
2
CYBER KILL CHAIN
Source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
3
PORT SCANNING
▪ Reconnaissance
▪ Scans refer to information gathering
– Find vulnerable services/hosts
– Discover network topology (used IP addresses)
▪ Can be combined with a “real” attack
– E.g., a buffer overflow (ping of death)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
4
SCAN TYPES
1
256
512
768
1024
1280
http
smtp
ftp
smb
imaps
kazaa
1.1.1.1 130.89.1.1 130.89.1.255 130.89.2.1
Horizontal scan
Vertical scan
Block scan
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
5
SCAN TYPES
▪ Most common uses – valuable for both attackers and
defenders
– Vulnerability scan (e.g. Nessus, Qualys)
– Discovery (e.g. nmap)
▪ IP range, applications, etc
▪ Attacker goals:
– Enumerate a network – entry point, next hop, etc
– Enumerate software on a system – identify vulnerabilities
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
6
SCAN TYPES
▪ Nmap cheat sheet
– nmap -sV -O -p- $TARGET_IP
– Scan all ports (-p-) on $TARGET_IP and detect the running
services (-sV) and operating system (-O)
▪ As a defender, we want to know what our attackers will
be doing
– It’s worth running these against your home network or local
machine to understand the output
– Look up some of the results in exploitdb - is your device
vulnerable to anything at the moment?
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
7
SCAN TYPES
▪ Common tools
– nmap
– wfuzz – Web application bruteforcer/fuzzer
– dirbuster/dirb/gobuster – web directory scanner (i.e. find all
directories under https://cs.auckland.ac.nz/)
– sqlmap – automated SQL injection tool/fuzzer
– Others: hydra, Wpscan, Nikto, etc etc
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
8
DENIAL OF SERVICE (DOS) ATTACK
▪ Old attack – consistent use in recent history
▪ First recorded DoS attack – 1996 (SYN Flood against
an ISP)
▪ June 2020 – AWS hit by 2.3Tbps DDoS
Source: https://www.bbc.com/news/technology-53093611
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
9
DENIAL OF SERVICE (DOS) ATTACK
▪ Aim: downgrade availability for a service (take it offline)
▪ Types
– Brute-forcing
▪ Send a lot of data (overload network), multiple queries
(overload CPU), ...
– Semantic
▪ Exploit vulnerability (buffer overflow, …)
▪ Send heavy requests (triggering complex operations)
▪ DoS can be applicable to any layer in the OSI model!
▪ Distributed DoS (DDoS)
– Attack from multiple sources (e.g. a botnet)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
10
SMURF ATTACK
▪ Spoofed IP packets containing ICMP echo request
– Source: Victim’s IP
– Destination: Broadcast address
▪ Results in triggering all hosts included in the network to
respond with ICMP response packets
▪ Saturates the network with bogus traffic and delays
▪ Prevents legitimate traffic from reaching its destination
▪ An example of reflected attack
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
11
SMURF ATTACK
Attacking System
Internet
Broadcast
Enabled
Network
Victim System
Ping request to a
broadcast address
with source = victim's
IP address
Ping request to
broadcast address
with source = victim's
IP address
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
12
SMURF ATTACK
Attacking System
Internet
Broadcast
Enabled
Network
Victim System
Ping request to a
broadcast address
with source = victim's
IP address
Ping request to
broadcast address
with source = victim's
IP address
Ping reply from
every host
Replies directed
to victim
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
13
SMURF ATTACK
▪ Mitigations
– Don’t respond to ICMP requests
– Don’t forward packets to broadcast addresses
▪ Difficult to avoid being a target (similar mitigations to
DNS reflection)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
14
PING FLOOD ATTACK
▪ Ping of death
▪ Over-sized packets to crash (or reboot) the system
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
15
PING FLOOD ATTACK
▪ Generally requires the attacker to have greater
bandwidth than target
▪ Target saturates bandwidth in two ways – receiving
requests and sending responses
▪ Mitigations
– Disable response to ICMP requests (either OS/network
level)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
16
REVIEW: TCP HANDSHAKE
C S
SYN:
SYN/ACK:
ACK:
Listening
Store SNC , SNS
Wait
Established
SNCrandC
ANC0
SNSrandS
ANSSNC
SNSNC
ANSNS
▪ Client sends SYN, Server sends ACK and waits
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
17
REVIEW: TCP HANDSHAKE
▪ At an implementation level, a new port is allocated per
connection received
▪ The application typically establishes a new thread per
connection
▪ These resources typically remain assigned (both port
and thread) until the session ends
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
18
TCP SYN FLOOD
▪ Attacker sends many connection requests with spoofed
source addresses
▪ Victim allocates resources for each request
– New thread, connection state maintained until timeout
– Limited number of concurrent half-open connections
▪ Once resources exhausted, requests from legitimate
clients are denied
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
19
TCP SYN FLOOD
C
SYNC1
SYNC2
SYNC3
SYNC4
SYNC5
S Single machine:
• SYN packets withRandom source IPaddresses
• Fills up backlog queueon server
• No further connectionspossible
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
20
TCP SYN FLOOD
Backlog timeout: 3 minutes
Attacker needs only to send 128 SYN packets every 3 minutes
Low rate SYN flood
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
21
DDOS ATTACK
▪ Attacker takes over machines
via viruses and launches DoS
attacks from these “zombies”
or “bots”
▪ Larger botnets can have million of bots
▪ Sustainability of botnets
– Many owners are unaware that their machine is a zombie
– Owners are not motivated to patch their machines to
protect against malware in the absence of perceived harm
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
22
APPLICATION-TARGETING DOS
▪ A little out of scope for this course but worth
remembering!
▪ DDoS doesn’t have to target network comms
▪ DDoS also doesn’t have to be malicious ☺
▪ Examples:
– I get access to a Linux machine. I run a Python script that
reads junk into memory and writes junk to fill the disks
– I create an app for remote ordering coffee during lockdown
▪ 100000s of users on day 1
▪ App servers get overwhelmed
▪ Sad users
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
23
AS AN ATTACKER, WHY?
▪ Disrupt service, hacktivism/damage, and often a
smokescreen
▪ Practical example – you’re the CISO of a large bank
▪ Your web banking service (significant money maker)
gets DDoS’d
– You pivot your resources (time, money, people) to restoring
web banking
– Meanwhile, alerts for data exfiltration or weird login patterns
for monitored accounts
– What’s the priority?
▪ Web banking
▪ Attackers exfil data/hop through the network
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
24
TO BE CONTINUED
▪ See the next lecture
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
25
ACKNOWLEDGEMENT
▪ Most of these slides are from Rizwan Asghar,
thanks to him!
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
26
Questions?
Thanks for your attention!