Network Security CS 6262
This 0 page Class Notes was uploaded by Alayna Veum on Monday November 2, 2015. The Class Notes belongs to CS 6262 at Georgia Institute of Technology - Main Campus taught by Staff in Fall. Since its upload, it has received 6 views. For similar materials see /class/234154/cs-6262-georgia-institute-of-technology-main-campus in Computer Science at Georgia Institute of Technology - Main Campus.
Date Created: 11/02/15
DDoS and Traceback
CS 6262, Spring 02, Lecture 4, Thursday 1/17/2002

Denial of Service (DoS) Attacks
- Via resource/bandwidth consumption
- [Figure: malicious and legitimate clients competing for the same server]

TCP Handshake
- client -> server: SYN, seq=X
- server -> client: SYN, seq=Y, ACK X+1
- client -> server: ACK Y+1
- connection established

IP Spoofing & SYN Flood
- X establishes a TCP connection with B assuming A's IP address
- SYN Flood
  - predict B's TCP seq behavior

ICMP
- icmp echo request / icmp echo reply: ping
- Smurf: icmp echo request sent to a broadcast address, with the source forged to be the victim; every host on that network answers the victim
  - [Figure: attacker, amplifying network, victim]

Distributed DoS (DDoS) Attacks
- [Figure: attacker -> masters -> zombies -> victim]

DDoS: Common Steps
- Initiate a scan phase in which a large number of computers (100,000+) on the Internet are probed for known vulnerabilities
- Exploit the vulnerabilities to compromise the computers and gain access
- Install attack tools on each compromised host and use the compromised hosts for further scanning/compromises
- A subset of the compromised hosts with the desired architecture/topology are chosen to form the attack network
- Install attack and communication tools
- Tell the masters to attack

DDoS: At Least 4 Versions
- Trinoo
  - Attacker uses TCP; masters and zombies use UDP; password authentication
- TFN
  - Attacker uses a shell to invoke the master; masters and zombies use ICMP echo reply
- TFN2K
  - A combination of UDP, ICMP and TCP
- Stacheldraht
  - Attacker uses encrypted TCP; masters and zombies use TCP and ICMP echo reply; rcp used for auto-update

DDoS Example: Trinoo
- Scanning
  - Buffer overflow bugs in Solaris and Linux (e.g. wu-ftpd, statd, amd, etc.)
  - A compromised node has a shell running as root and sends back confirmation
- Installing the attack program
  - Use netcat (nc) to pipe a shell script to the shell running as root on the compromised host
- Attacker to master
  - TCP; must provide password; commands: dos IP, etc.
- Master to zombie
  - UDP; command line includes password; commands: aaa pass IP, rsz N, etc.

DDoS: What to Do About It
- Not a whole lot
- Prevention
- Detection
- Traceback

DDoS Prevention
- Authentication
  - Not feasible in practice
- Ingress filtering on the routers
- Traffic volume monitoring
  - Rate limit certain traffic, e.g. ICMP packets, SYN packets
  - Measure normal rates first

DDoS Detection
- Surge in traffic volume
  - Too much traffic to a particular destination
- Specific to current DDoS tools
  - Control messages between attacker, masters and zombies
  - Footprints of attack programs running on masters and zombies
- What comes after detection?
  - Stop the flood
  - Traceback

Traceback
- Why?
  - Stop the attacks
  - Gather evidence for law enforcement
- Only reaches the machines that directly generate the attack traffic
  - For the real masters/attackers, more forensic analysis is necessary
- Difficulty
  - Spoofed IP source addresses

Traceback: Several Proposals
- Link Testing
- ICMP Traceback
- Probabilistic Marking

Link Testing: Input Debugging
- Victim reports to the upstream router, which installs a debugging filter that reveals which upstream router originated the traffic
- Repeat recursively until the ISP's border is reached
  - The upstream ISP is contacted and repeats the process
- Considerable management overhead
  - Relies on the availability and willingness of the network operators

Link Testing: Controlled Flooding
- Victim coerces selected hosts along the upstream route to iteratively flood each incoming link of the router closest to the victim
- Infer which link the attack comes from by observing how the attack packet rate changes
  - Router buffers are shared
- Repeat recursively
- A form of DoS itself
- Needs a good network topology map

ICMP Traceback
- For very few packets (about 1 in 20,000), each router sends the destination a new ICMP packet that includes the contents of that packet and information about the previous hop for that packet
- The flood victim can use these ICMP packets to reconstruct the path back to the attacker
- Net traffic increase at the end point is about 0.1%, probably acceptable
- Issues: authentication (the attacker can falsify the ICMP packets), loss of traceback packets, load on and cooperation of routers

Probabilistic Marking
- Basic idea
  - Probabilistically mark packets with partial path information as they arrive at routers
  - Each marked packet represents a sample of its path
  - But flooding attacks comprise a large number of packets
  - By combining a modest number of these marked packets, the entire path can be reconstructed
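The "measure normal rates first, then rate limit / watch for a surge to one destination" idea from the Prevention and Detection slides, as an added example that is not part of the lecture notes: SYN counts per destination and time window are compared against a baseline taken from the first windows. The packet log, addresses and thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed packet log (not a real capture): "<second> <src> <dst> <proto> <flag>".
# Seconds 0-3 are normal traffic; seconds 4-5 show a burst of SYNs from many sources.
SAMPLE_LOG = """\
0 198.51.100.7 192.0.2.10 tcp S
0 198.51.100.8 192.0.2.10 tcp S
1 198.51.100.9 192.0.2.10 tcp S
1 198.51.100.7 192.0.2.10 tcp A
2 198.51.100.8 192.0.2.10 tcp S
3 198.51.100.9 192.0.2.10 tcp S
4 203.0.113.1 192.0.2.10 tcp S
4 203.0.113.2 192.0.2.10 tcp S
4 203.0.113.3 192.0.2.10 tcp S
4 203.0.113.4 192.0.2.10 tcp S
4 203.0.113.5 192.0.2.10 tcp S
5 203.0.113.6 192.0.2.10 tcp S
5 203.0.113.7 192.0.2.10 tcp S
5 203.0.113.8 192.0.2.10 tcp S
5 203.0.113.9 192.0.2.10 tcp S
5 203.0.113.10 192.0.2.10 tcp S
"""

def syn_counts(log, window=2):
    """Count TCP SYNs per (destination, window index); window is in seconds."""
    counts = defaultdict(int)
    for line in log.splitlines():
        t, _src, dst, proto, flag = line.split()
        if proto == "tcp" and flag == "S":
            counts[(dst, int(t) // window)] += 1
    return counts

def surges(counts, baseline_windows, factor=3.0):
    """Measure the normal rate first: the mean SYN count over the first
    `baseline_windows` windows per destination. Any later window whose count
    exceeds factor * baseline (floored at 1 so an idle baseline does not
    alert on a single SYN) is reported as (dst, window, count)."""
    per_dst = defaultdict(dict)
    for (dst, w), n in counts.items():
        per_dst[dst][w] = n
    alerts = []
    for dst, ws in per_dst.items():
        baseline = sum(ws.get(w, 0) for w in range(baseline_windows)) / baseline_windows
        for w in sorted(ws):
            if w >= baseline_windows and ws[w] > factor * max(baseline, 1):
                alerts.append((dst, w, ws[w]))
    return alerts
```

In the sample, windows 0 and 1 hold 3 and 2 SYNs (baseline 2.5), so the 10 SYNs in window 2 cross the 3x threshold and are reported for 192.0.2.10.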
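The Probabilistic Marking slide above, as an added simulation that is not part of the lecture notes: the simplest "node sampling" form, where each router on the path overwrites a single mark field with its own address with probability p, and the victim orders routers by how often their mark survived. Router names R1..R5, p, and the packet count are assumptions of this example; a real scheme has to fit the mark into the IP header and handle forged marks, which this toy does not.

```python
import random
from collections import Counter

def mark_packet(path, p, rng):
    """One packet traverses `path` (attacker side first, victim side last).
    Each router overwrites the mark with probability p, so the mark that
    reaches the victim belongs to the last router that chose to mark."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark

def reconstruct(marks):
    """Victim side. A router d hops from the victim survives as the mark with
    probability p*(1-p)**(d-1): nearer routers are sampled more often, so
    sorting by descending count gives the path from the victim outward;
    reversing it yields attacker -> victim order. Unmarked packets carry no
    path information and are ignored."""
    counts = Counter(m for m in marks if m is not None)
    victim_outward = [router for router, _ in counts.most_common()]
    return list(reversed(victim_outward))

def simulate(path, p=0.5, packets=20000, seed=1):
    """Flood `packets` packets along `path` and let the victim reconstruct it.
    With p=0.5 and five routers the expected counts are roughly
    10000, 5000, 2500, 1250, 625, so the ordering is recovered reliably;
    with a very large p the far routers are almost never sampled and
    reconstruction needs many more packets."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng) for _ in range(packets)]
    return reconstruct(marks)

# Constructed path of hypothetical router identifiers (attacker side first).
PATH = ["R1", "R2", "R3", "R4", "R5"]

if __name__ == "__main__":
    print(simulate(PATH))
```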