Distributed Reflection Denial of Service.


Transcripts
Slide 1

Distributed Reflection Denial of Service
Networking Talks for the Insufficiently Paranoid
Based on: http://grc.com/dos/drdos.htm
Jim Gast, CS-642 Security, Spring, 2003
jgast@cs.wisc.edu, UW-Madison

Slide 2

Normal Connection Establishment
The server sets up retransmission timers, allocates receive buffers, etc.
Imagine a web server that can handle 12,000 connections.
If the process fails, a timeout occurs after 120 seconds, freeing up the resources.
Note: SYN packets are small and take up very little bandwidth.
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 3

TCP State Transition Diagram (figure; transitions are labelled event / action)
CLOSED -> LISTEN: passive open
CLOSED -> SYN_SENT: active open / SYN
LISTEN -> CLOSED: close
LISTEN -> SYN_RCVD: SYN / SYN + ACK
LISTEN -> SYN_SENT: send / SYN
SYN_SENT -> SYN_RCVD: SYN / SYN + ACK
SYN_SENT -> ESTABLISHED: SYN + ACK / ACK
SYN_RCVD -> ESTABLISHED: ACK
SYN_RCVD -> FIN_WAIT_1: close / FIN
ESTABLISHED -> FIN_WAIT_1: close / FIN
ESTABLISHED -> CLOSE_WAIT: FIN / ACK
FIN_WAIT_1 -> FIN_WAIT_2: ACK
FIN_WAIT_1 -> CLOSING: FIN / ACK
FIN_WAIT_1 -> TIME_WAIT: ACK + FIN / ACK
FIN_WAIT_2 -> TIME_WAIT: FIN / ACK
CLOSE_WAIT -> LAST_ACK: close / FIN
CLOSING -> TIME_WAIT: ACK
LAST_ACK -> CLOSED: ACK
TIME_WAIT -> CLOSED: timeout after two maximum segment lifetimes

Slide 4

SYN Flood
Each SYN creates one half-open connection
Half-open connections take minutes to time out
Servers have finite connection tables
Perpetrator would be easily caught (Source IP)
Unless Source IP is spoofed
See: CERT Advisory CA-1996-21 http://www.cert.org/advisories/CA-1996-21.html
100 SYN packets per second fits in 56 Kbps
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 5

Spoofed IP Address
The SYN/ACK is delivered to the fake (spoofed) IP address.
The attacker doesn't see it, and doesn't care. (Backscatter)
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 6

Example SYN Flood Attack
February 5th - 11th, 2000
Victims included CNN, eBay, Yahoo, Amazon
Attackers (supposedly) used simple, readily available tools (script-kiddies)
Law enforcement unable (unwilling?) to help
Under-age perpetrators have blanket immunity

Slide 7

Defense against SYN Flood
Increase size of connection table
Add more servers
Trace attack back to source
Ask your ISP to filter malicious packets
Add firewall
Typically "SYN proxy"
Dave Parter will talk on firewalls later in the semester
Ultimate solution was "SYN-cookies"
Reply to SYN with SYN-cookie
Allocate no resources until SYN-cookie is returned
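The SYN-cookie idea from this slide, as an added example in Python (not code from the slides or from grc.com): the server folds a coarse time counter and a keyed hash over the connection 4-tuple into its initial sequence number, keeps no half-open state, and only allocates a connection-table entry once an ACK arrives that carries a valid cookie. The secret, addresses, ports and counter values are constructed for the demo.

```python
import hashlib
import hmac

HASH_MASK = (1 << 24) - 1   # low 24 bits of the cookie carry the keyed hash
MAX_COOKIE_AGE = 2          # accept cookies minted up to 2 counter ticks ago

def _keyed_hash(secret: bytes, src: str, sport: int, dst: str, dport: int, counter: int) -> int:
    """Keyed hash over the 4-tuple and a coarse time counter (e.g. one tick per minute)."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK

def make_syn_cookie(secret, src, sport, dst, dport, client_isn, counter):
    """Server ISN placed in the SYN/ACK. Nothing is stored per connection: the top
    byte carries the counter, the low 24 bits the keyed hash, offset by the client ISN."""
    h = _keyed_hash(secret, src, sport, dst, dport, counter)
    return (client_isn + ((counter & 0xFF) << 24) + h) & 0xFFFFFFFF

def check_syn_cookie(secret, src, sport, dst, dport, ack_seq, ack_num, now_counter):
    """Validate the client's final ACK (seq = client_isn + 1, ack = server_isn + 1).
    Returns the counter the cookie was minted at, or None for a forged or stale ACK.
    The server allocates connection state only when this returns a value."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_num - 1) & 0xFFFFFFFF
    diff = (cookie - client_isn) & 0xFFFFFFFF
    # Recover the full counter from its low byte, trying only recent ticks.
    for age in range(MAX_COOKIE_AGE + 1):
        c = now_counter - age
        if c < 0 or (c & 0xFF) != diff >> 24:
            continue
        if (diff & HASH_MASK) == _keyed_hash(secret, src, sport, dst, dport, c):
            return c
    return None

if __name__ == "__main__":
    secret = b"constructed-demo-secret"              # constructed; a real stack rotates this
    tup = ("10.0.0.5", 40000, "192.0.2.1", 80)       # constructed 4-tuple
    isn = make_syn_cookie(secret, *tup, client_isn=1000, counter=100)
    # Legitimate client ACKs one tick later: cookie verifies, state is allocated now.
    print(check_syn_cookie(secret, *tup, 1001, isn + 1, 101))   # -> 100
    # A spoofed-source SYN never produces a matching ACK (the SYN/ACK went elsewhere),
    # and a guessed ACK number fails the hash check, so no table entry is consumed.
    print(check_syn_cookie(secret, *tup, 1001, isn + 2, 101))   # -> None
```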

Slide 8

Potential places to stop DoS flood
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 9

Distributed DoS
Rather than filling connection table, fill all available bandwidth
Infect innocent bystanders (zombies)
Zombies listen (e.g. on IRC channel) for attack command (or simply attack independently)
Attacker need not have high bandwidth connection
Typical Program: EvilGoat EvilBot
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 10

Example Distributed DoS Attack
6 attacks on 5 different days
One attack lasted for 17 hours
474 infected Windows PCs as zombies
2.4 billion malicious packets
(Figure axes: Goodput? / Time (minutes?))
Graphics stolen from http://grc.com/dos/grcdos.htm

Slide 11

Flood-based Distributed DoS Attacks
Coordinate zombies to attack with large packets
Use up "last-hop" bandwidth
"Last-hop" router discards packets indiscriminately
Zombies need not spoof addresses
See http://grc.com/dos/intro.htm for example horror story
Graphics stolen from http://grc.com/dos/drdos.htm

Slide 12

Newest Twist - Reflection
Many routers accept connections on port 179 (Border Gateway Protocol)
Although any large server and any port it listens on will work
Send a SYN to a router, claiming it came from the victim
The router will send a SYN/ACK to the victim
And then re-transmit several times before giving up (typically around 4X)
Note: Tar-pits won't see any "Backscatter", but honey pots may see the attacker's commands.

Slide 13

Reflection Mechanism Graphics stolen from http://grc.com/dos/drdos.htm

Slide 14

Distributed Reflection DoS Graphics stolen from http://grc.com/dos/drdos.htm

Slide 15

Other ports vulnerable to DRDoS
22 – Secure Shell
23 – Telnet
53 – DNS
80 – HTTP/Web
4001 – Proxy Servers
6668 – Internet Relay Chat
Easily recognized ports 1-1023 "Well-Known" (so to speak)
But reflection from port 179 is so effective it easily overwhelms others

Slide 16

Call to action
Ingress filtering at all ISPs would stop the spoofed SYN packets before they left home
Egress filtering at all ISPs would keep spoofed IP addresses from traversing the Internet
Flagging repeated, failed SYN/ACKs could be used to find victims and filter further attack
Disable raw socket interface in cu
