malicious software
![Page 1: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/1.jpg)
Raja M. Khurram Shahzad
MALICIOUS SOFTWARE
![Page 2: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/2.jpg)
Overview
• Introduction
• Virus
• Worm
• Other Malicious Software
  – Backdoor/Trapdoor
  – Logic Bomb
  – Trojan Horse
• DDoS Attack
  – DDoS Description
  – Construction of Attack
![Page 3: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/3.jpg)
Program Definition
• A computer program tells a computer what to do and how to do it.
• Computer viruses, network worms, and Trojan Horses are computer programs.
![Page 4: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/4.jpg)
Malicious software?
• Malicious Software (Malware) is software that is included or inserted in a system for harmful purposes.
OR
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
![Page 5: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/5.jpg)
The Malware Zoo
• Virus
• Worms
• Logic Bomb
• Trojan horse
• Zombie
• Scareware
• Adware
• Backdoor / Trapdoors
![Page 6: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/6.jpg)
Taxonomy of Malicious Programs
Malicious Programs
• Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombies, Worms
Most current malicious code mixes all capabilities!
![Page 7: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/7.jpg)
What is it good for?
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers
![Page 8: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/8.jpg)
What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• Master Boot Record
![Page 9: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/9.jpg)
Virus
• Self-replicating code that attaches itself to another program and executes secretly when the host program is executed.
• No hidden action – generally tries to remain undetected, but what about activities such as deleted files?
![Page 10: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/10.jpg)
Parts of a Virus
• Three parts:
  – Infection Mechanism: the means by which a virus spreads, enabling it to replicate; also referred to as the Infection Vector.
  – Trigger: the event or condition that determines when the payload is activated or delivered.
  – Payload: the payload may involve damage or may involve benign but NOTICEABLE activity.
![Page 11: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/11.jpg)
Phases – Life Cycle
• Dormant phase – the virus is idle
• Propagation phase – the virus places an identical copy of itself into other programs
• Triggering phase – the virus is activated to perform the function for which it was intended
• Execution phase – the function is performed
![Page 12: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/12.jpg)
Virus Structure
![Page 13: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/13.jpg)
Operation routine
• Operates when the infected code is executed (execution sequence):
  – Jump to the main virus program
  – If the spread (infection) condition holds, then for each target file: if not already infected, alter the file to include the virus
  – Perform the malicious action
  – Transfer control back
  – Execute the normal program
• If the infection phase is rapid, the user will not notice any difference between the execution of an infected program and an uninfected program.
![Page 14: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/14.jpg)
Types of Viruses – on the basis of target
• Boot Sector Infector: infects the master boot record / boot record (boot sector) of a disk and spreads when a system is booted with an infected disk (original DOS viruses). They are memory-resident viruses.
• File Infector: infects executable files; also called Parasitic Virus because they attach themselves to executable files as part of their code. Runs whenever the host program is executed.
• Macro Virus: infects files containing macro code that is interpreted by the relevant application, such as doc or excel files.
![Page 15: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/15.jpg)
Types of Viruses – on the basis of concealment strategy
• Encrypted Virus – a portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When the virus replicates, a different random key is generated.
• Stealth Virus – explicitly designed to hide from virus scanning programs.
• Polymorphic Virus – mutates with every new host to prevent signature detection; signature detection is useless.
• Metamorphic Virus – rewrites itself completely with every new host; may change its behaviour and appearance.
![Page 16: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/16.jpg)
Recent addition: Email Virus
• Moves around in e-mail messages; triggered when the user opens an attachment
• Does local damage on the user's system
• Propagates very quickly
• Replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
![Page 17: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/17.jpg)
Examples of risky file types
• The following file types should never be opened if…
  – .EXE
  – .PIF
  – .BAT
  – .VBS
  – .COM
![Page 18: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/18.jpg)
Virus Propagation
• Virus written in some language, e.g. C, C++, Assembly, etc.
• Inserted into another program – using a tool called a "dropper"
• Virus dormant until the program is executed – then infects other programs – eventually executes its "payload"
![Page 19: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/19.jpg)
Virus Propagation
• An executable program
• With a virus at the front (file size is increased)
• With the virus at the end (file size is increased)
• With a virus spread over free space within the program
![Page 20: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/20.jpg)
Virus Propagation
(a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code
![Page 21: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/21.jpg)
Anti-virus
• It is not possible to build a perfect virus/malware detector.
• Analyze system behaviour
• Analyze the binary to decide if it is a virus
• Types:
  – Scanner
  – Real-time monitor
![Page 22: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/22.jpg)
Anti-virus
• Scanners
  – First generation: relied on signatures.
  – Second generation: relied on heuristic rules or integrity checking (e.g. a checksum appended to a program).
• Real-time monitors
  – Third generation: memory resident; identify a virus by its actions (behaviour).
  – Fourth generation: combination of different capabilities.
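The second-generation "integrity checking" idea above, and the earlier point that a parasitic infection grows the host file, can be shown with a small baseline-and-verify tool. This is an added example written for this page, not code from the slides: it records size and SHA-256 for every file under a directory, then reports files whose hash or size changed, new files, and missing files. The directory layout, file names and the "appended code" are constructed for the demo.

```python
"""Integrity checker in the style of a second-generation scanner:
build a baseline of (size, SHA-256) per file, later verify against it."""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, streamed in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Fingerprint every regular file below root; keys are paths relative to root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            size, digest = fingerprint(full)
            baseline[os.path.relpath(full, root)] = {"size": size, "sha256": digest}
    return baseline


def verify(root, baseline):
    """Compare the current tree with a stored baseline.
    'grown' lists modified files that got bigger, the classic sign of
    a virus prepended or appended to an executable."""
    current = build_baseline(root)
    findings = {"modified": [], "grown": [], "new": [], "missing": []}
    for rel, rec in baseline.items():
        cur = current.get(rel)
        if cur is None:
            findings["missing"].append(rel)
        elif cur["sha256"] != rec["sha256"]:
            findings["modified"].append(rel)
            if cur["size"] > rec["size"]:
                findings["grown"].append(rel)
    findings["new"] = sorted(rel for rel in current if rel not in baseline)
    return findings


def demo():
    """Constructed scenario: baseline two fake executables, then append bytes to
    one (simulating an appended infection) and drop a new file into the tree."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ host program")
        with open(os.path.join(root, "util.exe"), "wb") as f:
            f.write(b"MZ utility")
        saved = json.dumps(build_baseline(root))   # store off-host or signed in practice
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"<appended code>")
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ new")
        return verify(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

The baseline has to live somewhere the malware cannot rewrite: a checksum appended to the program itself, as the slide describes, can simply be recomputed by the infector, so storing the baseline off-host or under a signature is what makes the check worth anything.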
![Page 23: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/23.jpg)
Worm
A computer worm is a self-replicating computer virus. It uses a network to send copies of itself to other nodes and does so without any user intervention.
![Page 24: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/24.jpg)
Comparison of Worm Features
1) Computer Virus:
• Needs a host file
• Copies itself
• Executable
2) Network Worm:
• No host (self-contained)
• Copies itself
• Executable
3) Trojan Horse:
• No host (self-contained)
• Does not copy itself
• Imposter program
![Page 25: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/25.jpg)
Worm: History
• Runs independently
  – Does not require a host program
• Propagates a fully working version of itself to other machines
• History
  ◦ The Morris worm was one of the first worms distributed over the Internet
• Two examples
  ◦ Morris – 1998
  ◦ Slammer – 2003
![Page 26: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/26.jpg)
Worm Operation
• A worm has similar phases to a virus:
  – Dormant (inactive; at rest)
  – Propagation
    • Search for other systems to infect
    • Establish a connection to the target remote system
    • Replicate itself onto the remote system
  – Triggering
  – Execution
![Page 27: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/27.jpg)
Morris Worm
• Best-known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems
• Used several propagation techniques
• If any attack succeeded, it replicated itself
![Page 28: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/28.jpg)
Slammer (Sapphire) Worm
• When: Jan 25 2003
• How: exploited a buffer overflow in MS SQL
• Random scanning: randomly selected IP addresses
• Cost: caused ~$2.6 billion in damage
![Page 29: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/29.jpg)
Slammer Scale
The diameter of each circle is a function of the number of infected machines, so large circles visually under-represent the number of infected cases in order to minimize overlap with adjacent locations.
![Page 30: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/30.jpg)
The worm itself…
• System load
  ◦ Infection generates a number of processes
  ◦ Password cracking uses lots of resources
  ◦ Thousands of systems were shut down
• Tries to infect as many other hosts as possible
  – When the worm successfully connects, it leaves a child to continue the infection while the parent keeps trying new hosts
  – Finds targets using several mechanisms: 'netstat -r -n', /etc/hosts
• The worm does NOT:
  – Delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture super-user privileges
![Page 31: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/31.jpg)
Backdoor or Trapdoor
• Secret entry point into a program
• Allows those who know it access, bypassing the usual security procedures
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Trap doors can provide access to a system for unauthorized procedures
• Very hard to block in the O/S
![Page 32: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/32.jpg)
Trap Door Example
(a) Normal code. (b) Code with a trapdoor inserted.
![Page 33: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/33.jpg)
Logic Bomb
• One of the oldest types of malicious software
• Piece of code that executes itself when pre-defined conditions are met
• Logic bombs that execute on certain days are known as Time Bombs
• Activated when specified conditions are met
  – e.g., presence/absence of some file – particular date/time – particular user
• When triggered, typically damages the system – modifies/deletes files/disks, halts the machine, etc.
![Page 34: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/34.jpg)
Tracing Logic Bombs
• Searching – even the most experienced programmers have trouble erasing all traces of their code
• Knowledge – important to understand the underlying system functions, the hardware, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
• Example of benign logical fun
  – http://googletricks.com/top-25-fun-google-tricks/
  – Type zerg rush in Google
![Page 35: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/35.jpg)
Trojan Horse
![Page 36: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/36.jpg)
Trojan Horse
• A Trojan horse is a malicious program that is designed to look like authentic, real and genuine software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful.
![Page 37: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/37.jpg)
Trojan Percentage
![Page 38: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/38.jpg)
What can Trojans do?
• Erase or overwrite data on a computer
• Spread other viruses or install a backdoor. In this case the Trojan horse is called a 'dropper'.
• Set up networks of zombie computers in order to launch DDoS attacks or send spam.
• Log keystrokes to steal information such as passwords and credit card numbers (known as a key logger)
• Phish for bank or other account details, which can be used for criminal activities.
• Or simply destroy data
• Mail the password file.
![Page 39: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/39.jpg)
How can you be infected?
• Websites: you can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse.
• Instant message: many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as AOL's instant messenger.
• E-mail: attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
![Page 40: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/40.jpg)
Sample Delivery
• The attacker will attach the Trojan to an e-mail with an enticing header.
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from the user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
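The hidden-extension trick just described, together with the earlier list of risky file types, is easy to check for mechanically at a mail gateway. The function below is an added example written for this page (not code from the slides): it takes the risky extensions from the slides plus .scr, splits an attachment name into all of its extensions, and reports both the executable final extension and a "decoy" extension sitting in front of it. The decoy set and the sample file names are constructed for the demo.

```python
"""Flag attachment names that carry an executable extension, including the
'Readme.txt.exe' pattern that Windows shows as 'Readme.txt'."""
import os

# Extensions the slides say should never be opened, plus .scr from the delivery slide.
RISKY_EXTENSIONS = {".exe", ".pif", ".bat", ".vbs", ".com", ".scr"}
# Constructed set of extensions a user would read as harmless documents/images.
DECOY_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".png"}


def split_extensions(filename):
    """'Readme.txt.exe' -> ['.txt', '.exe']; 'notes' -> []; '.bashrc' -> []."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[0] == "":
        return []
    return ["." + p for p in parts[1:]]


def displayed_name(filename):
    """What the user sees when the OS hides the final extension."""
    return os.path.splitext(os.path.basename(filename))[0]


def classify_attachment(filename):
    """Return a list of reasons the name is suspicious; an empty list means none found."""
    exts = split_extensions(filename)
    reasons = []
    if not exts:
        return reasons
    final = exts[-1]
    if final in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {final}")
        # Double extension: a document-looking extension directly before the real one.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension {exts[-2]} hides {final} when extensions are hidden")
    return reasons


if __name__ == "__main__":
    for name in ("Readme.txt.exe", "invoice.pdf", "setup.EXE"):   # constructed samples
        print(f"{name!r} shown as {displayed_name(name)!r}: {classify_attachment(name)}")
```

The check is deliberately based on the final extension only; whatever sits before it is informational, because the OS picks the handler from the last extension regardless of how the name reads to a person.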
![Page 41: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/41.jpg)
Where They Live? (1)
• Autostart Folder: the Autostart folder is located in C:\Windows\Start Menu\Programs\startup and, as its name suggests, automatically starts everything placed there.
• Win.ini: Windows system file; uses load=Trojan.exe and run=Trojan.exe to execute the Trojan
• System.ini: using Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
• Wininit.ini: setup programs use it mostly; once run, it is auto-deleted, which is very handy for Trojans to restart
![Page 42: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/42.jpg)
Where They Live? (2)
• Winstart.bat: acting as a normal bat file, the trojan is added as @trojan.exe to hide its execution from the user
• Autoexec.bat: it's a DOS auto-starting file and is used as an auto-starting method like this -> c:\Trojan.exe
• Config.sys: could also be used as an auto-starting method for Trojans
• Explorer Startup: an auto-starting method for Windows 95, 98, ME, XP; if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
![Page 43: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/43.jpg)
What does the attacker want?
• Credit card information (often used for domain registration, shopping with your credit card)
• Any account data (e-mail passwords, login passwords, web services passwords, etc.)
• Email addresses (might be used for spamming, as explained above)
• Work projects (steal your presentations and work-related papers)
• School work (steal your papers and publish them with his/her name on them)
![Page 44: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/44.jpg)
Stopping the Trojan…
The horse must be "invited in"…
How does it get in? By:
• Downloading a file
• Installing a program
• Opening an attachment
• Opening bogus Web pages
• Copying a file from someone else
![Page 45: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/45.jpg)
Zombie
• A program which secretly takes over another networked computer and forces it to run under a common command and control infrastructure.
• Uses it to indirectly launch attacks, e.g., DDoS, phishing, spamming, cracking
• Difficult to trace the zombie's creator
• Infected computers — mostly Windows machines — are now the major delivery method of spam.
• Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.
![Page 46: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/46.jpg)
Adware
![Page 47: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/47.jpg)
Scareware / Rogue / Fake antivirus
![Page 48: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/48.jpg)
Where malware lives: Auto start
• Folder auto-start
• Win.ini: run=[backdoor] or load=[backdoor]
• System.ini: shell="myexplorer.exe"
• Autoexec.bat
• Config.sys
• Init.d
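The win.ini and system.ini persistence points listed here and on the two "Where They Live?" slides can be audited from the files themselves. The snippet below is an added example written for this page, not code from the slides: a minimal INI parser plus two audit functions that flag any non-empty load=/run= value in the [windows] section of win.ini and any shell= value in the [boot] section of system.ini that is not exactly Explorer.exe. The sample file contents are constructed; on a real system you would read C:\Windows\win.ini and C:\Windows\system.ini (and these files only matter for the Windows 9x/ME line the slides describe).

```python
"""Audit legacy Windows INI auto-start entries for unexpected executables."""


def parse_ini(text):
    """Tiny INI parser: {section_lower: {key_lower: value}}; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_win_ini(text):
    """load= and run= under [windows] start programs at logon; both should be empty."""
    findings = []
    windows = parse_ini(text).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        if value:
            findings.append(f"win.ini [windows] {key}={value}")
    return findings


def audit_system_ini(text):
    """shell= under [boot] names the shell; extra tokens after Explorer.exe are run too."""
    findings = []
    boot = parse_ini(text).get("boot", {})
    shell = boot.get("shell", "")
    tokens = [t.strip('"').lower() for t in shell.split()]
    if tokens and tokens != ["explorer.exe"]:
        findings.append(f"system.ini [boot] shell={shell}")
    return findings


# Constructed sample contents mirroring the slides' examples.
WIN_INI_SAMPLE = """; constructed win.ini
[windows]
load=Trojan.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI_SAMPLE = """; constructed system.ini
[boot]
shell=Explorer.exe trojan.exe
[386Enh]
EMMExclude=E000-EFFF
"""

if __name__ == "__main__":
    for line in audit_win_ini(WIN_INI_SAMPLE) + audit_system_ini(SYSTEM_INI_SAMPLE):
        print("SUSPICIOUS:", line)
```

The shell= check compares the whole token list rather than just the first token, which is what catches the "Explorer.exe trojan.exe" form the slide shows: the first program is legitimate, the extra one is the persistence.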
![Page 49: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/49.jpg)
Auto start
• Assign a known extension (.doc) to the malware
• Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as a service
![Page 50: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/50.jpg)
Web
• 1.3% of the incoming search queries to Google returned at least one malware site
• Visit sites with an army of browsers in VMs; check for changes to the local system
• Indicate potentially harmful sites in search results
![Page 51: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/51.jpg)
Web: Fake page
![Page 52: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/52.jpg)
Shared folder
![Page 53: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/53.jpg)
![Page 54: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/54.jpg)
Email again
![Page 55: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/55.jpg)
P2P Files
• 35.5% of malware
![Page 56: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/56.jpg)
Typical Symptoms
• File deletion
• File corruption
• Visual effects
• Pop-ups
• Computer crashes
• Slow connection
• Spam relaying
![Page 57: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/57.jpg)
Distributed Denial of Service
• A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity.
• Resources attacked: CPU, memory, network connectivity, network bandwidth, battery energy
• Hard to address, especially in distributed form
![Page 58: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/58.jpg)
DDoS Mechanism
• Goal: make a service unusable.
• How: overload a server, router, or network link by flooding it with useless traffic
• Focus: bandwidth attacks, using large numbers of "zombies"
![Page 59: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/59.jpg)
How does it work?
• The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.
• Parameters of a flood: victim's IP address, victim's port number, attacking packet size, attacking inter-packet delay, duration of attack.
![Page 60: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/60.jpg)
Example 1: Ping-of-death
– An IP packet with a size larger than 65,536 bytes is illegal by the standard
– Many operating systems did not know what to do when they received an oversized packet, so they froze, crashed or rebooted.
– Routers forward each packet independently.
– Routers don't know about connections.
– Complexity is in the end hosts; routers are simple.
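The ping-of-death works because an IPv4 fragment's offset (in 8-byte units) plus its length can claim a position beyond the largest datagram the 16-bit total-length field can describe, 65,535 bytes; a reassembler that trusts the offset and copies into a fixed buffer overflows. The receiver-side check that fixed it is shown below as an added example written for this page (not code from the slides): fragments are validated against the maximum payload before any byte is copied, and gaps or a missing last fragment are rejected too. The fragment tuple format and the two sample datagrams are constructed; a 20-byte header with no options is assumed.

```python
"""Bounds-checked IPv4 fragment reassembly: the defence against the ping-of-death."""

IPV4_MAX_TOTAL_LENGTH = 65535            # 16-bit total-length field
IPV4_HEADER_LENGTH = 20                  # assumption: no IP options
MAX_PAYLOAD = IPV4_MAX_TOTAL_LENGTH - IPV4_HEADER_LENGTH   # 65515 bytes


class ReassemblyError(ValueError):
    """Raised when a fragment set must be discarded instead of reassembled."""


def is_ping_of_death(fragments):
    """True when any fragment would end beyond the maximum payload size.
    fragments: iterable of (offset_in_8_byte_units, more_fragments, payload)."""
    return any(off * 8 + len(payload) > MAX_PAYLOAD for off, _, payload in fragments)


def reassemble(fragments):
    """Validate every fragment, then join them. Nothing is copied until all
    bounds have been checked, so an oversized claim can never overrun a buffer."""
    frags = sorted(fragments, key=lambda f: f[0])
    expected = 0
    for offset_units, more, payload in frags:
        start = offset_units * 8
        end = start + len(payload)
        if end > MAX_PAYLOAD:
            raise ReassemblyError(f"fragment {start}..{end} exceeds {MAX_PAYLOAD} bytes (ping-of-death)")
        if start != expected:
            raise ReassemblyError(f"gap or overlap: expected offset {expected}, got {start}")
        if more and len(payload) % 8:
            raise ReassemblyError("non-final fragment length must be a multiple of 8")
        expected = end
    if not frags or frags[-1][1]:
        raise ReassemblyError("datagram incomplete: last fragment still has MF set")
    return b"".join(payload for _, _, payload in frags)


def rejects(fragments):
    """Helper for callers/tests: True if reassemble() refuses the fragment set."""
    try:
        reassemble(fragments)
    except ReassemblyError:
        return True
    return False


# Constructed samples. A normal echo request split at a 1500-byte MTU
# (1480 payload bytes per fragment), and one whose last fragment claims
# offset 8189*8 = 65512 and 100 bytes, ending at 65612 > 65515.
NORMAL = [(0, True, b"\x08\x00" + b"A" * 1478), (185, False, b"B" * 500)]
OVERSIZED = [(0, True, b"A" * 1480), (8189, False, b"C" * 100)]

if __name__ == "__main__":
    print("normal  :", len(reassemble(NORMAL)), "bytes")
    print("oversize:", "rejected" if rejects(OVERSIZED) else "accepted")
```

The order of checks matters: the size test runs before anything is appended, which is the whole point of the fix, and the contiguity test keeps a half-received datagram from being passed up the stack.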
![Page 61: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/61.jpg)
Example 1
![Page 62: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/62.jpg)
Example 2: TCP handshake
• SYN Flood
  – A stream of TCP SYN packets directed to a listening TCP port at the victim
  – The victim host must allocate new data structures for each SYN request
  – Legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections
  – Not a bandwidth consumption attack
• IP Spoofing
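The half-open connection table the slide refers to is also where a SYN flood is detected, which is the "attack detection and filtering (during)" line of defence from the countermeasures slide. The code below is an added example written for this page, not code from the slides: it replays a constructed stream of (time, source IP, source port, flag) records, allocates an entry on each SYN, frees it on the completing ACK, expires stale entries, and reports the aggregate half-open count. It also reports the largest per-source count to show why spoofed sources defeat per-IP thresholds. The record format, thresholds and sample traffic are all constructed.

```python
"""SYN-flood detection from the half-open connection table (sensor-side simulation)."""


class HalfOpenTracker:
    def __init__(self, max_half_open=64, timeout_s=3.0):
        self.max_half_open = max_half_open
        self.timeout_s = timeout_s
        self.pending = {}          # (src_ip, src_port) -> time the SYN was seen
        self.peak = 0

    def observe(self, t, src_ip, src_port, flag):
        key = (src_ip, src_port)
        if flag == "SYN":
            self.pending[key] = t          # victim allocates state here
        elif flag == "ACK":
            self.pending.pop(key, None)    # handshake completed, state freed
        self._expire(t)
        self.peak = max(self.peak, len(self.pending))

    def _expire(self, now):
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout_s]
        for k in stale:
            del self.pending[k]

    def half_open(self):
        return len(self.pending)

    def under_flood(self):
        return len(self.pending) > self.max_half_open

    def per_source_max(self):
        counts = {}
        for src_ip, _ in self.pending:
            counts[src_ip] = counts.get(src_ip, 0) + 1
        return max(counts.values(), default=0)


def legit_clients(n, t0=0.0):
    """Constructed traffic: n clients that each send SYN and then the final ACK."""
    events = []
    for i in range(n):
        src, port = f"192.0.2.{i + 1}", 50000 + i
        events.append((t0 + i * 0.01, src, port, "SYN"))
        events.append((t0 + i * 0.01 + 0.002, src, port, "ACK"))
    return events


def spoofed_flood(n, t0=1.0):
    """Constructed flood: n SYNs, each from a different forged source, never completed."""
    return [(t0 + i * 0.001, f"203.0.113.{i % 200}", 40000 + i, "SYN") for i in range(n)]


def analyse(events, **tracker_kwargs):
    """Replay events in time order and summarise the table's state at the end."""
    tracker = HalfOpenTracker(**tracker_kwargs)
    for event in sorted(events):
        tracker.observe(*event)
    return {
        "half_open": tracker.half_open(),
        "peak": tracker.peak,
        "flood": tracker.under_flood(),
        "per_source_max": tracker.per_source_max(),
    }


if __name__ == "__main__":
    print("legit only :", analyse(legit_clients(20)))
    print("with flood :", analyse(legit_clients(20) + spoofed_flood(150)))
```

With spoofing, every source appears once, so the per-source maximum stays at 1 while the aggregate count climbs past the threshold; the useful signal is the total number of half-open entries (or the SYN-to-ACK ratio), not any single address. Shorter half-open timeouts and SYN cookies, which avoid allocating state until the handshake completes, are the usual mitigations once this condition is detected.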
![Page 63: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/63.jpg)
Example 2
![Page 64: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/64.jpg)
From DoS to DDoS
![Page 65: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/65.jpg)
From DoS to DDoS
![Page 66: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/66.jpg)
Distributed DoS Attack
![Page 67: Malicious software](https://reader034.vdocuments.net/reader034/viewer/2022042518/5557a3c6d8b42a4a5d8b4a47/html5/thumbnails/67.jpg)
DDoS Countermeasures
• Three broad lines of defense:
  1. Attack prevention and preemption (before)
  2. Attack detection and filtering (during)
  3. Attack source traceback and identification (after)