Denial-of-service (DoS) Attacks
Risk & Security Management
Dipl.-Phys. Rainer Barthels
09.11.2012
Pascal Flöschel (FS060217)
Tomal K. Ganguly (FS090182)
Risk & Security Management – DoS Attacks
09.11.2012
University of Liechtenstein
Agenda
1. Facts and Figures (Tomal)
2. Examples (Tomal)
3. DoS – denial of service (Tomal)
4. DoS Attacks (Pascal)
5. Flooding Attacks (Pascal)
6. Attack Architectures (Pascal)
7. Defenses against DoS-Attacks (Tomal)
8. Responding to a DoS-Attack (Tomal)
1. Facts and Figures
> Hackers have been carrying out DDoS attacks for more than a decade (from 400 MB/s in 2002 to 100 GB/s in 2010)
> CSI Computer Crime and Security Survey states that 17% of
respondents experienced some form of DoS attack in 2010
> Focus is generally on network services that are attacked over
their network connection
> Slashdotting / Flash crowd
> a popular website links to a smaller site, causing a massive increase in traffic
> the smaller site is overloaded: slowdown or temporary unavailability
> Flash crowd is the more generic term: a network or host receives a large amount of traffic
source: Stallings/Brown (2012), p. 243 f.
2. Examples
3. DoS – denial of service
«A denial of service (DoS) is an action that prevents or impairs the authorized
use of networks, systems, or applications by exhausting resources such as
central processing units (CPU), memory, bandwidth, and disk space.»
(from: NIST Computer Security Incident Handling Guide, source: Stallings/Brown (2012), p.244)
> Categories of resources which can be attacked:
network bandwidth, system resources, application resources
> Typical aims of DoS attacks:
> consuming bandwidth with large traffic volumes
> overload or crash the network handling software
> send specific types of packets to consume limited available resources
4. DoS Attacks
Figure: example network to illustrate DoS Attacks
source: Stallings/Brown (2012), p. 245
4. DoS Attacks
> SYN Spoofing
source: Stallings/Brown (2012), p. 248 f.
5. Flooding Attacks
«Flooding attacks take a variety of forms, based on which network protocol is
being used to implement the attack. In all cases the intent is generally to
overload the network capacity on some link to a server.»
(from: Stallings/Brown (2012), p.250)
> ICMP Flood
> UDP Flood
> TCP SYN Flood
> Distributed denial-of-service Attacks
> Reflector Attacks
> Amplifier Attacks
6. Attack Architectures
> Distributed Denial-of-Service (DDoS) Attacks
source: Stallings/Brown (2012), p. 253
6. Attack Architectures
> Application-based bandwidth attacks
> SIP Flood
> HTTP-Based Attacks
> HTTP Flood
source: Stallings/Brown (2012), p. 255
6. Attack Architectures
> Reflector and Amplifier Attacks
> Reflection Attacks
source: Stallings/Brown (2012), p. 247 ff.
6. Attack Architectures
> Reflector and Amplifier Attacks
> Amplification Attacks
source: Stallings/Brown (2012), p. 259
7. Defenses against DoS-Attacks
> Attack prevention and preemption (before the attack)
> Attack detection and filtering (during the attack)
> Attack source traceback and identification (during and after the attack)
8. Responding to a DoS-Attack
> Incident response plan
> Details of how to contact the technical personnel at the ISP
> Flooding attacks can only be filtered upstream of the user's network connection
> Details of how to respond to the attack
> Implementation of standard antispoofing, directed broadcast and rate limiting filtering
> Automated network monitoring and intrusion detection system for abnormal traffic flows and their identification (attack, misconfiguration, hardware / software failure)
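Added example (not from the slides or from Stallings/Brown): a Python simulation of the ingress filter the last two bullets call for, applying anti-spoofing, directed-broadcast blocking and per-source rate limiting (a token bucket) to constructed packet records. The internal address ranges, the bucket parameters and the packets are assumptions made for this example.

```python
"""Added example (not from the slides): a simulated ingress filter applying
anti-spoofing, directed-broadcast blocking and per-source rate limiting.
All addresses and packets below are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Assumed address space of the protected organisation (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# Ranges that can never be a legitimate source on the external link.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    time: float  # arrival time in seconds


@dataclass
class TokenBucket:
    """Per-source limiter: `rate` packets/s sustained, up to `burst` at once."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IngressFilter:
    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def verdict(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # 1. anti-spoofing: a packet from outside may not claim an internal or bogon source
        if any(src in net for net in INTERNAL_NETS + BOGON_NETS):
            return "DROP spoofed-source"
        # 2. directed broadcast: outside traffic to an internal subnet's broadcast address
        if any(dst == net.broadcast_address for net in INTERNAL_NETS):
            return "DROP directed-broadcast"
        # 3. rate limiting: one token bucket per source address
        bucket = self.buckets.setdefault(pkt.src, TokenBucket(self.rate, self.burst))
        return "ACCEPT" if bucket.allow(pkt.time) else "DROP rate-limited"


def filter_packets(packets, rate=5.0, burst=10):
    """Run every packet through a fresh filter; returns (src, dst, verdict) triples."""
    flt = IngressFilter(rate, burst)
    return [(p.src, p.dst, flt.verdict(p)) for p in packets]


def summarize(results):
    """Count verdicts, e.g. {'ACCEPT': 11, 'DROP rate-limited': 5, ...}."""
    return dict(Counter(v for _, _, v in results))


# Constructed traffic arriving on the external interface.
SAMPLE = (
    [Packet("203.0.113.5", "192.0.2.10", "tcp", 0.0) for _ in range(15)]  # burst of 15 at once
    + [Packet("192.0.2.9", "192.0.2.10", "tcp", 0.1),      # claims an internal source: spoofed
       Packet("10.1.1.1", "192.0.2.10", "udp", 0.2),       # private (bogon) source: spoofed
       Packet("203.0.113.7", "192.0.2.255", "icmp", 0.3),  # aimed at the internal broadcast address
       Packet("203.0.113.5", "192.0.2.10", "tcp", 3.0)]    # same sender 3 s later: bucket refilled
)

if __name__ == "__main__":
    for src, dst, verdict in filter_packets(SAMPLE):
        print(f"{src:>14} -> {dst:<14} {verdict}")
    print(summarize(filter_packets(SAMPLE)))
```

With the default bucket (5 packets/s, burst 10) the burst of 15 yields 10 accepts and 5 rate-limited drops, the two spoofed sources and the directed broadcast are dropped before any rate accounting, and the late packet from the same sender is accepted again because its bucket has refilled.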
8. Responding to a DoS-Attack
> Proposal of guideline for organizations
1) Identify the type of attack and trace it back to its source
2) Identify the best approach to defend against it
3) Capture packets flowing into the organization and analyze them, looking for common attack types (e.g. with a network analysis tool)
4) Document all actions taken, in support of any later legal action
5) Develop a strategy to switch to alternative backup servers or to commission a new site with a new address to restore the service (forward planning)
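Added example (not from the slides or from Stallings/Brown), serving step 3 here and the monitoring bullet on the previous slide: a Python analyser that parses a constructed capture of inbound packets, identifies a TCP SYN flood by its half-open sources, UDP or ICMP floods by their volume, and lists the top sources as a starting point for the traceback of step 1. The line format, thresholds and addresses are assumptions made for this example.

```python
"""Added example (not from the slides): analyse a capture of packets flowing
into the organisation, classify common flood types and list top sources
for traceback. The capture lines are constructed, not real."""
import re
from collections import Counter

# One line per inbound packet; this field layout is an assumption of the example.
LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>[A-Z]+))?")


def parse(lines):
    """Turn capture lines into records; malformed lines are skipped."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["t"] = float(d["t"])
            recs.append(d)
    return recs


def analyze(lines, pps_threshold=100.0, half_open_ratio=0.8, top_n=3):
    """Return a list of findings, each naming the attack type and likely sources."""
    recs = parse(lines)
    if not recs:
        return []
    span = max(1e-3, max(r["t"] for r in recs) - min(r["t"] for r in recs))
    findings = []
    # TCP: sources that sent a SYN but never followed up with an ACK (half-open)
    syn_src = Counter(r["src"] for r in recs
                      if r["proto"] == "tcp" and "S" in (r["flags"] or ""))
    ack_src = {r["src"] for r in recs
               if r["proto"] == "tcp" and "A" in (r["flags"] or "")}
    half_open = {s for s in syn_src if s not in ack_src}
    syn_pps = sum(syn_src.values()) / span
    if syn_src and syn_pps > pps_threshold and len(half_open) / len(syn_src) >= half_open_ratio:
        findings.append({"type": "TCP SYN flood", "pps": round(syn_pps, 1),
                         "half_open_sources": len(half_open),
                         "top_sources": [s for s, _ in syn_src.most_common(top_n)]})
    # UDP / ICMP: plain packet volume per second, per protocol
    for proto, label in (("udp", "UDP flood"), ("icmp", "ICMP flood")):
        src = Counter(r["src"] for r in recs if r["proto"] == proto)
        pps = sum(src.values()) / span
        if pps > pps_threshold:
            findings.append({"type": label, "pps": round(pps, 1),
                             "distinct_sources": len(src),
                             "top_sources": [s for s, _ in src.most_common(top_n)]})
    return findings


def make_sample(kind):
    """Constructed captures: 'benign' handshakes only, or a 'syn_flood' on top of them."""
    lines = []
    for i in range(20):  # 20 legitimate clients complete the handshake
        src = f"203.0.113.{i + 1}"
        lines.append(f"t={0.010 * i:.3f} proto=tcp src={src} dst=192.0.2.10 dport=80 flags=S")
        lines.append(f"t={0.010 * i + 0.05:.3f} proto=tcp src={src} dst=192.0.2.10 dport=80 flags=A")
    lines.append("t=0.100 proto=udp src=203.0.113.50 dst=192.0.2.10 dport=53")
    if kind == "syn_flood":
        for i in range(300):  # 300 distinct sources, one SYN each, never acknowledged
            src = f"198.18.{i // 250}.{i % 250 + 1}"
            lines.append(f"t={0.003 * i:.3f} proto=tcp src={src} dst=192.0.2.10 dport=80 flags=S")
    return lines


if __name__ == "__main__":
    for kind in ("benign", "syn_flood"):
        print(kind, analyze(make_sample(kind)))
```

The benign capture produces no findings; the flood capture is reported as a TCP SYN flood with 300 half-open sources out of 320, which is the signature that distinguishes it from a legitimate flash crowd, where clients do complete their handshakes.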
Thank you for your attention.
Any questions?