DDOS Part-4 Maulik Kotak (ROCKHACK)
./whoami
- If you want to hack someone, first hack yourself.
- I am NOT a hacker, just learning to be a security analyst.
Why DoS?
- Sub-cultural status
- To gain access
- Revenge
- Political reasons
- Economic reasons
- Nastiness
How DoS (remotely)?
- Consume host resources
  - Memory
  - Processor cycles
  - Network state (connection tables, e.g. half-open TCP connections)
- Consume network resources
  - Bandwidth
  - Router resources (a router is a host too!)
- Exploit protocol vulnerabilities
  - Poison the ARP cache
  - Poison the DNS cache
- Etc.
Where DoS?
- End hosts
- Critical servers (disrupt the client/server network)
  - Web, file, authentication, update servers
  - DNS
- Infrastructure
  - Routers within the organization
  - All routers on the upstream path
Outline
What is a DDoS attack?
How to defend against a DDoS attack?
What is a DDoS attack?
- Internet DDoS attacks are a real threat
  - on websites
    - Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000): services were unavailable for several hours
  - on Internet infrastructure
    - the 13 root DNS servers (Oct. 2002): 7 of them were shut down, 2 others partially unavailable
- The current Internet lacks built-in defense mechanisms against such attacks
What is a DDoS attack?
- Examples of DoS include:
  - Flooding a network
  - Disrupting connections between machines
  - Disrupting a service
- Distributed Denial-of-Service attacks: many machines are involved in the attack against one or more victim(s)
[Chart: attack size in Gbps, and main targets (figure not reproduced)]
What Makes DDoS Attacks Possible?
- The Internet was designed with functionality, not security, in mind
- Internet security is highly interdependent: a victim's exposure depends on how well everyone else's hosts are secured, since those hosts become the attack sources
- Internet resources are limited
- The power of many is greater than the power of a few
IP Traceback
- Allows the victim to identify the origin of attack traffic even when source addresses are spoofed
- Several approaches: ICMP trace messages, Probabilistic Packet Marking (PPM), hash-based IP traceback, etc.

PPM: Probabilistic Packet Marking scheme
- Routers probabilistically inscribe local path information (the edge to their neighbor) into packets they forward
- Uses constant space in the packet header
- The victim reconstructs the attack path with high probability once it has collected enough marked packets

Marking at router R, for each packet w:
    generate a random number x from [0, 1)
    if x < p then
        write the IP address of R into w.head
        write 0 into w.distance
    else
        if w.distance == 0 then
            write the IP address of R into w.tail
        increase w.distance
    endif

At the victim, an edge (w.head, w.tail) that arrives with w.distance == d lies d hops away: the distance-0 edge names the router adjacent to the victim, and each further hop is the edge whose tail is the router found one hop nearer. Because every non-sampling router increments w.distance, a mark forged by the attacker arrives with a distance at least as large as the true path length, so it cannot displace the genuine edges closer to the victim.
DDoS Attack and Its Defense
PPM (Cont.)
[Figure: three slides animating PPM edge sampling on a tree of routers R leading to the victim V, with a legitimate user and an attacker as leaves; each router marks packets probabilistically and the victim reconstructs the attack path from the marked edges.]
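The marking procedure and the victim-side reconstruction described above, as an added simulation that is not part of the original slides. It assumes p = 0.2 at every router, a constructed three-router path (R_A, R_B, R_C) between the attacker and the victim, and keeps the three marking fields as plain attributes instead of packing them into the IP identification field as the real scheme does. The `forged_head` option shows the caveat: a mark the attacker pre-loads ends up beyond the true path, never inside it.

```python
import random
from collections import defaultdict

P_MARK = 0.2   # assumed marking probability p used by every router


class Packet:
    """Simulated packet carrying the three PPM edge-sampling fields.
    The real scheme squeezes them into the 16-bit IP identification
    field; here they are plain attributes so the algorithm is visible."""

    def __init__(self, head=None, tail=None, distance=0):
        self.head = head          # w.head: upstream end of the sampled edge
        self.tail = tail          # w.tail: downstream end of the sampled edge
        self.distance = distance  # w.distance: hops travelled since the edge was sampled


def mark(router, w, p, rng):
    """Marking procedure at router R, as on the slide."""
    x = rng.random()              # x drawn from [0, 1)
    if x < p:
        w.head = router           # start a fresh edge sample at R
        w.tail = None
        w.distance = 0
    else:
        if w.distance == 0:
            w.tail = router       # R is the next hop after the router that sampled
        w.distance += 1


def send(path, w, p, rng):
    """Forward one packet through the routers on `path` (attacker side first)
    and return the (head, tail, distance) marking the victim sees."""
    for router in path:
        mark(router, w, p, rng)
    return (w.head, w.tail, w.distance)


def reconstruct(samples):
    """Victim-side path reconstruction.  An edge received with distance d lies
    d hops from the victim: start with the distance-0 edge (the adjacent
    router) and at each further distance pick the edge whose tail is the
    router found one hop nearer."""
    by_dist = defaultdict(set)
    for head, tail, dist in samples:
        if head is not None:      # never-sampled packets carry no edge
            by_dist[dist].add((head, tail))
    path, prev, d = [], None, 0
    while d in by_dist:
        candidates = sorted(h for h, t in by_dist[d] if t == prev)
        if not candidates:
            break
        path.append(candidates[0])   # >1 candidate: branching paths or forged marks
        prev = candidates[0]
        d += 1
    return path


def simulate(path, n_packets, p=P_MARK, seed=1, forged_head=None):
    """Attacker at the far end of `path` sends n_packets; returns the
    reconstructed route, nearest router to the victim first.  forged_head
    lets the attacker pre-load a bogus w.head (with w.distance = 0)."""
    rng = random.Random(seed)
    samples = [send(path, Packet(head=forged_head), p, rng) for _ in range(n_packets)]
    return reconstruct(samples)


if __name__ == "__main__":
    route = ["R_A", "R_B", "R_C"]   # constructed: attacker -> R_A -> R_B -> R_C -> victim
    print(simulate(route, 500))                    # ['R_C', 'R_B', 'R_A']
    print(simulate(route, 500, forged_head="X"))   # ['R_C', 'R_B', 'R_A', 'X']
```

With p = 0.2 the edge d hops out is carried by a fraction p(1-p)^d of packets, so a few hundred packets suffice for a three-hop path; a forged head "X" only ever shows up at distance 3, past the attacker's real first-hop router.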
What is Pushback?
- A mechanism that allows a router to request that adjacent upstream routers limit the rate of a particular traffic aggregate (e.g. all traffic destined for the victim's address)
How Does it Work?
- A congested router identifies the aggregate responsible for the drops and requests that adjacent upstream routers limit the rate of that particular aggregate
- The router sends a pushback message carrying the aggregate and the requested rate limit
- Routers that receive the message apply the limit and propagate pushback to their own upstream neighbors that contribute to the aggregate
When is it invoked?
- When the drop rate for an aggregate exceeds the limit imposed on it (detected by monitoring the queue)
- When the pushback agent receives information that a DoS attack is underway (from the packet drop history)
When does it stop?
- Upstream routers send feedback messages reporting how much traffic from the aggregate is still arriving; once the aggregate stays below its limit, the rate limiting is withdrawn
What are some advantages?
- Pushback prevents bandwidth from being wasted on packets that will later be dropped (the closer to the source the limit is applied, the better)
- Protects other traffic from the attack traffic
- When the network is under attack, it can rate-limit the malicious traffic
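The pushback cycle described in the three slides above (invoke on a high drop rate, cap the aggregate, propagate the cap upstream, release when feedback shows the aggregate has subsided), as an added simulation that is not part of the original slides. It assumes a constructed six-router tree with traffic entering only at the leaf routers, a 10% drop-rate trigger, an aggregate defined by the victim's destination address, and a max-min fair split of the limit among upstream contributors; the real protocol's message formats and timers are not modelled.

```python
from dataclasses import dataclass, field

DROP_THRESHOLD = 0.10   # assumed: invoke pushback when >10% of offered traffic is dropped
ATTACK = "to 10.0.0.1"  # constructed aggregate: everything destined for the victim's address
LEGIT = "other"         # constructed aggregate: all other traffic sharing the links


@dataclass
class Router:
    name: str
    capacity: float                                # Mb/s of the link toward the victim
    upstream: list = field(default_factory=list)   # adjacent upstream routers
    local: dict = field(default_factory=dict)      # traffic entering here: aggregate -> Mb/s
    limits: dict = field(default_factory=dict)     # rate limits in force here: aggregate -> Mb/s
    received: list = field(default_factory=list)   # pushback messages: (aggregate, limit, sender)

    def arriving(self):
        """Per-aggregate demand arriving here (upstream limits already applied)."""
        rates = dict(self.local)
        for up in self.upstream:
            for agg, r in up.forwarded().items():
                rates[agg] = rates.get(agg, 0.0) + r
        return rates

    def forwarded(self):
        """What actually leaves toward the victim: arrivals capped by this router's limits."""
        return {agg: min(r, self.limits.get(agg, r)) for agg, r in self.arriving().items()}


def drop_rate(router):
    """Fraction of offered traffic the outgoing link cannot carry (queue monitoring)."""
    total = sum(router.forwarded().values())
    return 0.0 if total <= router.capacity else (total - router.capacity) / total


def maxmin_split(limit, demands):
    """Divide `limit` max-min fairly: small contributors keep their whole demand,
    the remainder is shared equally among the big ones."""
    alloc, remaining = {}, limit
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    for i, (name, demand) in enumerate(pending):
        alloc[name] = min(demand, remaining / (len(pending) - i))
        remaining -= alloc[name]
    return alloc


def propagate(router, agg, limit, sender):
    """Apply a pushback limit here, then send pushback messages to every upstream
    neighbor contributing to the aggregate (traffic is assumed to enter at leaves)."""
    router.limits[agg] = limit
    router.received.append((agg, limit, sender))
    contributions = {up.name: up.forwarded().get(agg, 0.0) for up in router.upstream}
    shares = maxmin_split(limit, {n: r for n, r in contributions.items() if r > 0})
    for up in router.upstream:
        if up.name in shares:
            propagate(up, agg, shares[up.name], router.name)


def pushback(router, threshold=DROP_THRESHOLD):
    """Congested router: pick the high-bandwidth aggregate, cap it so the remaining
    traffic fits the link, and push that cap upstream.  Returns the cap or None."""
    if drop_rate(router) <= threshold:
        return None
    rates = router.forwarded()
    agg = max(rates, key=rates.get)
    limit = max(0.0, router.capacity - sum(r for a, r in rates.items() if a != agg))
    propagate(router, agg, limit, "self")
    return limit


def release_if_quiet(router, agg):
    """Stop condition: feedback shows the aggregate's demand has fallen below the
    limit, so withdraw the limit here and at the upstream routers."""
    if agg in router.limits and router.arriving().get(agg, 0.0) < router.limits[agg]:
        del router.limits[agg]
        for up in router.upstream:
            release_if_quiet(up, agg)
        return True
    return False


def build_topology():
    """Constructed topology: attack hosts behind A1, A2, B1; R0 sits next to the victim."""
    a1 = Router("A1", 100, local={ATTACK: 70})
    a2 = Router("A2", 100, local={ATTACK: 20, LEGIT: 10})
    b1 = Router("B1", 100, local={ATTACK: 60, LEGIT: 20})
    r1 = Router("R1", 100, upstream=[a1, a2])
    r2 = Router("R2", 100, upstream=[b1])
    r0 = Router("R0", 100, upstream=[r1, r2])
    return {r.name: r for r in (a1, a2, b1, r1, r2, r0)}


def demo():
    net = build_topology()
    before = drop_rate(net["R0"])    # 180 Mb/s offered on a 100 Mb/s link
    limit = pushback(net["R0"])      # 70 Mb/s left for the attack aggregate
    after = drop_rate(net["R0"])
    return before, limit, after, {n: r.limits.get(ATTACK) for n, r in net.items()}


if __name__ == "__main__":
    print(demo())
```

The 30 Mb/s of legitimate traffic is untouched, the 70 Mb/s cap is split 35/35 between R1 and R2 and then 17.5/17.5 between A1 and A2, and R0 stops dropping; the limits are applied where the attack traffic enters the network rather than at the congested link.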
Conclusion
- Defending against a DDoS attack:
  - Ingress filtering
  - Traceback
  - Pushback
Thank you! For any questions, contact me:
http://www.maulikkotak.webnode.com
http://www.facebook.com/maulikkotakstar
http://www.twitter.com/maulikkotakstar