Secure Networks
DOS
Dr Syed Shabih Ul Hasan
IT Department
University of Haripur
Secure Network
There are four broad goals to consider when creating a secure
networking environment.
• These goals are an extension of the CIA (confidentiality, integrity, and
availability) framework. They include availability, confidentiality,
functionality, and access control.
• Attacks against networks are typically focused on defeating one or more
of these common goals.
Availability
• Ensuring network availability means that authorized users have access to
information, services, and network resources.
• Denial-of-service (DoS) attacks are one of the most common types of
network attacks against corporations. They can be launched from anywhere
in the world and have instantaneous debilitating effects.
• Attacks on network availability can prevent customers, suppliers, and
employees from transacting business.
• Even the best cryptographic systems become inconsequential if the
messages cannot be delivered.
Confidentiality
• The term confidentiality has a slightly different meaning in the context of network
security than it has in cryptography, where it meant that people who intercept
messages cannot read them.
• In the context of network security, confidentiality means preventing unauthorized
users from gaining information about the network’s structure, data flowing across
the network, network protocols used, or packet header values.
• An attacker can gain valuable information by passively monitoring traffic coming into
and out of a corporate network. Even if the traffic is encrypted, the attacker can still
see which sites are visited, how much data is sent or received, and which port
numbers are used.
Functionality
• Ensuring appropriate network functionality means preventing attackers from
altering the capabilities or operation of the network. Appropriate network
functionality would include properly routing packets, correctly resolving
hostnames, excluding unapproved protocols, correctly assigning IP addresses,
and so on.
Access Control
• Within the context of network security, access control is the policy-driven
control of access to systems, data, and dialogues.
• Essentially, the goal is to keep attackers from accessing any internal resources.
• This would also include limiting access to internal employees.
DoS Attacks
• A DoS attack attempts to make a server or network unavailable to
legitimate users.
• A denial-of-service (DoS) attack attempts to make a server or network
unavailable to serve legitimate users by flooding it with attack packets.
DDoS
• A distributed denial-of-service (DDoS) attack occurs when multiple systems
flood the bandwidth or resources of a targeted system, usually one or more
web servers.
• A DDoS attack uses more than one unique IP address or machine, often
thousands of hosts infected with malware.
Goals of DoS Attacks
• The ultimate goal of DoS attacks is to cause harm.
• Harm includes losses related to online sales, industry reputation, employee
productivity, customer loyalty, etc.
• The two primary means of causing harm via DoS attacks are:
1. Stopping critical services: Amazon was once unavailable during its busiest
buying season.
2. Slowly degrading services: difficult to recognize, since it is hard to
distinguish general growth of traffic from the effect of a DoS attack.
Scope of the problem
• A denial-of-service attack can effectively shut down a web site for hours or
even days.
• DoS attacks cause significant financial losses.
• In February 2000, several serious DDoS attacks targeted some of the largest
Internet web sites, including Yahoo, Buy.com, Amazon, CNN and eBay.
DoS Attack Methods
• Direct DoS Attack
• An attacker tries to flood a victim with a stream of packets directly from
the attacker’s computer
• Indirect DoS Attack
• The attacker’s IP address is spoofed (i.e., faked) and the attack appears
to come from another computer
Indirect/Direct DoS Attack
• Flooding: Direct or indirect attacks can only succeed if the attacker can flood
the victim with more requests than the victim can handle. The attacker must
have more bandwidth, memory (RAM), and/or CPU power than the victim.
• Spoofing: Direct attacks are rare. Attackers do not like to attack victims
directly because their source IP address is shown on all incoming packets.
Rather, attackers prefer to use spoofed IP addresses that hide their real IP
address.
• Backscatter: occurs when a victim sends responses to the spoofed IP address
used by the attacker, and inadvertently floods an unintended victim.
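As an added illustration of the backscatter point above (example code written for this page, not part of the original slides), the following Python detector scans constructed packet records as an edge monitoring point would see them and flags inbound SYN/ACK or RST segments for which our network never sent a SYN. A run of such unsolicited replies from many remote hosts means that someone, somewhere, is sending attack packets with one of our addresses forged as the source. The sample packets, the address ranges and the 30-second window are all constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed packet records: (timestamp_seconds, direction, src_ip, dst_ip, tcp_flags).
# "out" = leaving our network, "in" = arriving from the Internet. 198.51.100.0/24 stands
# in for our address block; the other addresses are documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    (0.0, "out", "198.51.100.10", "93.184.216.34", "SYN"),      # our host opens a connection
    (0.1, "in",  "93.184.216.34", "198.51.100.10", "SYN/ACK"),  # expected reply, not backscatter
    (0.2, "out", "198.51.100.10", "93.184.216.34", "ACK"),
    (5.0, "in",  "203.0.113.5",   "198.51.100.20", "SYN/ACK"),  # unsolicited: we sent no SYN
    (5.1, "in",  "203.0.113.5",   "198.51.100.20", "SYN/ACK"),
    (5.2, "in",  "203.0.113.9",   "198.51.100.20", "RST"),      # also unsolicited
    (6.0, "in",  "203.0.113.5",   "198.51.100.21", "SYN/ACK"),
]

WINDOW = 30.0  # seconds an outbound SYN is remembered (constructed value)

Hit = Tuple[float, str, str, str]  # (timestamp, remote_ip, our_ip, flags)


def find_backscatter(packets, window: float = WINDOW) -> List[Hit]:
    """Return inbound SYN/ACK or RST packets with no matching outbound SYN inside the window.

    A victim of spoofed SYNs answers the forged source address, so these replies land on
    us although we started nothing. The model is deliberately simple: it ignores ports and
    treats any RST without a prior SYN as unsolicited.
    """
    last_syn: Dict[Tuple[str, str], float] = {}  # (our_ip, remote_ip) -> time of last outbound SYN
    hits: List[Hit] = []
    for ts, direction, src, dst, flags in sorted(packets):
        if direction == "out" and flags == "SYN":
            last_syn[(src, dst)] = ts
        elif direction == "in" and flags in ("SYN/ACK", "RST"):
            sent = last_syn.get((dst, src))
            if sent is None or ts - sent > window:
                hits.append((ts, src, dst, flags))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count unsolicited replies per address of ours that is being impersonated.

    A single misbehaving peer produces a trickle; a spike spread over many remote sources
    is the signature of backscatter from a spoofed-source flood aimed at someone else.
    """
    counts: Dict[str, int] = {}
    for _, _, our_ip, _ in hits:
        counts[our_ip] = counts.get(our_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_PACKETS):
        print("unsolicited reply", hit)
    print("impersonated addresses:", summarize(find_backscatter(SAMPLE_PACKETS)))
```

The legitimate exchange at the start of the sample is not flagged because the matching outbound SYN is in the table; the four later segments are. In production this logic would key on ports as well and feed a threshold alert, but the matching rule is the whole idea.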
SYN Flood DoS Attack
• IP spoofing, or IP address spoofing, refers to the creation of Internet
Protocol (IP) packets with a false source IP address to impersonate another
computer system.
TCP Three-way Handshake
• When a computer wants to make a TCP/IP connection (the most common
internet connection) to another computer, usually a server, an exchange of
TCP/SYN and TCP/ACK packets occurs.
• The computer requesting the connection, usually the client's or user’s
computer, sends a TCP/SYN packet which asks the server if it can connect. If
the server will allow connections, it sends a TCP/SYN-ACK packet back to the
client to say "Yes, you may connect" and reserves a space for the connection,
waiting for the client to respond with a TCP/ACK packet detailing the specifics
of its connection.
Smurf Attack
• In a Smurf Attack, the attacker sends Internet Control Message Protocol
broadcast packets to a number of hosts with a spoofed source Internet
Protocol (IP) address that belongs to the target machine. The recipients of
these spoofed packets will then respond, and the targeted host will be
flooded with those responses.
Smurf Attack (figure)
Intermediary
• Intermediaries, typically referred to as bots, are actually compromised hosts running malware
controlled by the attacker.
• The DoS attack begins when the botmaster, the attacker who controls the bots, sends a signal for
the bots to attack the victim.
• Bots
• Updatable attack programs
• Botmaster can update the software to change the type of attack the bot can do
• Botmaster can update the bot to fix bugs
• Botmaster can control bots via a handler
• Handlers are an additional layer of compromised hosts that are used to manage large groups
of bots
• Handlers, sometimes known as command-and-control servers,
Fixing and Updating Bots (figure)
Defending Against Denial-of-Service Attacks
• Black holing
• Drop all IP packets from suspected IP address of an attacker
• Not a good long-term strategy because attackers can quickly change
source IP addresses
• Validating the handshake
• Whenever a SYN segment arrives, the firewall itself sends back a SYN/ACK
segment, without passing the SYN segment on to the target server (false
opening)
• When the firewall gets back a legitimate ACK, the firewall sends the original
SYN segment on to the intended server
• Rate limiting
• Used to reduce a certain type of traffic to a reasonable amount
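The following Python model ties together the three-way handshake slide, the SYN flood slide and the "validating the handshake" defense above. It is an added example written for this page, not code from the slides. A server reserves a backlog slot for every SYN and frees it only on the matching ACK; SYNs with spoofed sources never get an ACK, so the slots stay taken and a later legitimate client is refused. Putting the validating firewall in front changes the outcome: the firewall answers each SYN itself (the false opening) and replays the handshake toward the server only once a real ACK arrives. The backlog size, addresses and packet sequence are constructed; sequence numbers, timeouts and the translation a real SYN proxy performs are left out.

```python
from typing import Dict, Optional, Set

# Constructed values: a small backlog makes the exhaustion visible in a few packets.
BACKLOG = 4
LEGIT_CLIENT = "198.51.100.7"                               # constructed legitimate client
SPOOFED_SOURCES = [f"203.0.113.{i}" for i in range(10)]     # constructed forged sources


class Server:
    """Server as on the handshake slide: a SYN reserves a backlog slot that is freed
    only when the matching ACK arrives. A spoofed SYN never gets its ACK."""

    def __init__(self, backlog: int = BACKLOG) -> None:
        self.backlog = backlog
        self.half_open: Set[str] = set()     # sources with a SYN/ACK outstanding
        self.established: Set[str] = set()
        self.dropped_syns = 0                # SYNs refused because the backlog was full

    def receive(self, src: str, flags: str) -> Optional[str]:
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1       # backlog exhausted: this is the denial of service
                return None
            self.half_open.add(src)
            return "SYN/ACK"
        if flags == "ACK" and src in self.half_open:
            self.half_open.remove(src)
            self.established.add(src)
        return None


class ValidatingFirewall:
    """Firewall as on the defense slide: it answers every SYN itself (false opening) and
    forwards the handshake to the server only after the client's ACK proves that the
    source address is real. Entries for sources that never answer would expire on a
    timer in practice; that timer is not modelled here."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.pending: Set[str] = set()

    def receive(self, src: str, flags: str) -> Optional[str]:
        if flags == "SYN":
            self.pending.add(src)
            return "SYN/ACK"                 # the server has not seen this SYN
        if flags == "ACK" and src in self.pending:
            self.pending.remove(src)
            self.server.receive(src, "SYN")  # replay the original SYN toward the server
            self.server.receive(src, "ACK")  # and complete it on the client's behalf
        return None


def run_scenario(protected: bool) -> Dict[str, int]:
    """Send the spoofed flood first, then one honest client; report what the server saw."""
    server = Server()
    firewall = ValidatingFirewall(server) if protected else None
    target = firewall if firewall is not None else server
    for src in SPOOFED_SOURCES:
        target.receive(src, "SYN")           # forged sources never send the ACK
    if target.receive(LEGIT_CLIENT, "SYN") == "SYN/ACK":
        target.receive(LEGIT_CLIENT, "ACK")  # the honest client completes the handshake
    return {
        "server_half_open": len(server.half_open),
        "server_established": len(server.established),
        "dropped_syns": server.dropped_syns,
        "firewall_pending": len(firewall.pending) if firewall is not None else 0,
    }


if __name__ == "__main__":
    print("server exposed directly:   ", run_scenario(protected=False))
    print("with validating firewall:  ", run_scenario(protected=True))
```

Without the firewall the ten spoofed SYNs fill the four-slot backlog, six of them are already dropped, and the honest client's SYN is dropped as well, so nothing is ever established. With the firewall in front the server never allocates state for a spoofed source: its backlog stays empty and the honest client connects. The cost moves to the firewall, which is holding ten unanswered entries; that is why real implementations pair this technique with short timers and rate limiting.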