Presented To: Madam Zunera Jalil

Presented By: Sonia Shah 1725, Faiza Shahzad 1728, Sadia Khan 1748

Authors: Dr Lech J. Janczewski, Douglas Reamer and Juergen Brendel

DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDoS):

HANDLING DISTRIBUTED DENIAL OF SERVICE ATTACKS (page 1)

INTRODUCTION:

The first recorded appearance of a Distributed Denial-of-Service (DDoS) attack occurred at the University of Minnesota in August 1999.

In February 2000 several sites in the US (yahoo.com, eBay.com and others) faced a similar threat.

PHASES OF DISTRIBUTED DENIAL OF SERVICE ATTACK:

The DDoS attack is conducted in several phases:

First, the attacker must compromise the security of a large number of hosts, to be used later as launching pads for the attack. These machines or hosts are frequently known as ‘zombies’.

Next, the attacker installs the necessary attack software on the zombie systems.

Finally, the attacker sends a triggering signal to all the zombies to start the attack.

DISTRIBUTED DENIAL OF SERVICE ATTACK:

The source of a DDoS attack cannot easily be found. The zombies can be found easily, but locating the original source of the attack is not easy: even tracing the original source address may not lead to the attacker.

SUGGESTION FOR DDoS:

A group of students from UNITEC, Auckland, New Zealand [Janczewski, 2000] suggested that planting the Trojan horse at zombie machines could be done from a scrap computer. The real machine was sent for servicing.

This is done to avoid identification of the machine and its content in the case of investigation.

SECURITY OF INFORMATION SYSTEMS:

Information on the systems can be secured by:

LAUNCHING A DDOS ATTACK:

Launching a DDoS attack is not very difficult. The known tools that are available are:

o Trinoo (or trin00)
o TFN
o TFN2K
o Stacheldraht [WatchGuard, 2000]
o Trinity [ITWorld, 2001]

Their source code and mechanisms are easily found on the internet.

REACTION OF THE INDUSTRY:

According to the FBI/CSI surveys [FBI/CSI, 2001], the probability of launching an attack against information systems from outside has been greatly reduced.

The same source indicated a great increase in the total number of attacks. Therefore, we concluded that the net number of attacks is at least steady, if not on the rise.

PROTECTION AGAINST DDOS:

Xianjun Geng and Andrew Whinston in their paper ‘Defeating Distributed Denial of Service Attacks’ [Geng/Whinston, 2000] concluded two solutions:

LOCAL SOLUTION: By local approach, we mean

SOLUTION OF DISTRIBUTED DENIAL OF SERVICE ATTACK:

The challenge remains to determine legitimate traffic vs. malicious traffic.

GLOBAL SOLUTION:

By global approach, we mean:

ANOTHER SOLUTION:

Filters:

The solution is to build a scalable “filter” for the incoming traffic.

The “filter” means installation of a mechanism which would monitor the incoming traffic and disable all the messages bearing symptoms of being part of a flood-type attack.

Filters:

The filter should be based on some points:

o The filter should be invisible to the outsider.
o The filter should inspect all incoming traffic.
o In the case of detecting suspicious traffic, the filter can notify system administrators to activate defenses or drop the attack packets.
o The filter should have a scalable design. This means that it could be installed to protect a small network as well as a huge installation.

Filters:

In the network hierarchy, the filter effectively protects the network below from any kind of outside attack.

The higher the filter is placed in the network hierarchy, the more difficult it is going to be for an attacker to fill the pipes leading to the filter point.

DIVISION OF DENIAL OF SERVICE ATTACKS:

DoS can be divided into several subsets,

FIREWALLS:

Firewalls can help in countering threats or attacks. These are systems designed to filter incoming and outgoing traffic, accepting only specific senders, destinations and contents.

SUGGESTED SOLUTION: THE NETDEFLECT SOLUTION:

Net Deflect (ND) is located between the router and the firewall and consists of four major components:

o Sentinel
o Arbiter
o Librarian
o Monitor

THE NETDEFLECT SOLUTION:

The role of the Sentinel is to act as a switch. It receives incoming network traffic, passing it to the Arbiter for analysis and decision making.

The Arbiter can analyze the packets and determine whether the LAN is being subjected to a flood attack. If the packet being examined matches an existing attack profile, then it will be routed to the Trash. The Arbiter contains a virtual machine that implements a user-definable set of rules.

The Librarian contains the relevant information, e.g. detected types of attacks, traffic patterns, bandwidth utilization and so on.

The Monitor is a client component that represents ND’s end user interface.


CONCLUSION:

Distributed denial of service attacks are a complex and serious problem, and consequently, numerous approaches have been proposed to counter them.

Denial-of-service attacks cause severe damage to unprepared users of information technology.

There is an urgent need to develop technologies, tools and policies able to handle such a threat.

CONCLUSION:

In this paper, the suggested solution is Net Deflect (under development), which is based on the concept of a filtering system:

o Constant monitoring of data traffic.
o Multi-dimensional analysis of traffic parameters.
o Verification of analyzed results against the database-stored definitions.
o If there is positive identification of an attack, the flow of data from the outside world is limited to packets that are not part of the flood attack, and the rest of the incoming traffic is discarded.

CRITICS:

o Security professionals generally confirm the existence of the DDoS attack threat, but relatively few remedies have been available on the market so far.

o The practice of a monthly fee conveys to ISPs, corporations, and individuals the message that they are not responsible for control of their traffic. This encourages carelessness in traffic control, making the entire system vulnerable to DDoS attacks.

CRITICS:

The mechanisms defined at the global scale cannot be implemented. As there are organizations and countries not willing to contribute to such an effort, the attacks will happen. This makes global solutions infeasible.

The suggested solutions aim to control traffic and attacks, but they do not pay attention to tracking the source of the attack or the attacker, which would let organizations protect their systems more effectively.

ADVANCEMENTS AND SUGGESTIONS:

Denial-of-Service is a serious threat on the Internet, and previous methods offered only partial solutions to block the attack. The Deterministic Bit Marking (DBM) scheme offers simple and comprehensive protection even under a widely distributed attack.

DBM changes one or more bits in the packet header at each router along the path of a packet, creating a virtually unique path signature (PS) for each source network.

Using the PSs in place of source IP addresses, it is possible to detect and drop the attack packets with high accuracy.

DBM may be used for source traceback, and it can defend DBM-enabled networks from attacks originating in non-DBM networks.
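As an added illustration (not code from the DBM paper or this presentation), a Python simulation of deterministic bit marking: each router sets one assumed bit in a 16-bit marking field, the victim learns the path signatures (PS) of normal traffic, then filters by PS rather than by source address and uses the PS for traceback. The topology, bit assignments, per-PS limit and addresses are all constructed.

```python
from collections import Counter

MARK_FIELD_BITS = 16   # assumed width of the header field reused for marks

class DbmRouter:
    """A DBM-enabled router: deterministically sets its assigned bit in every packet it forwards."""
    def __init__(self, name, bit):
        assert 0 <= bit < MARK_FIELD_BITS
        self.name, self.bit = name, bit

    def forward(self, pkt):
        pkt["ps"] |= 1 << self.bit   # idempotent: the same path always yields the same PS
        return pkt

def send(src_ip, path):
    """Build a packet claiming src_ip and carry it through the routers in `path` (constructed topology)."""
    pkt = {"src": src_ip, "ps": 0}
    for router in path:
        router.forward(pkt)
    return pkt

def learn_signatures(packets):
    """Victim side, normal operation: remember which path signatures legitimate traffic arrives with."""
    return {p["ps"] for p in packets}

def filter_by_ps(packets, known_ps, per_ps_limit):
    """Victim side, under attack: keep packets whose PS is known and whose per-PS volume stays within limit."""
    seen = Counter()
    kept, dropped = [], []
    for p in packets:
        seen[p["ps"]] += 1
        (kept if p["ps"] in known_ps and seen[p["ps"]] <= per_ps_limit else dropped).append(p)
    return kept, dropped

def traceback(ps, routers):
    """Source traceback: the DBM routers whose bit is present in a signature."""
    return sorted(r.name for r in routers if ps >> r.bit & 1)

def run_demo():
    r = {n: DbmRouter(n, b) for b, n in enumerate(["R_edgeA", "R_edgeB", "R_edgeC", "R_core", "R_victim"])}
    path_a = [r["R_edgeA"], r["R_core"], r["R_victim"]]
    path_c = [r["R_edgeC"], r["R_core"], r["R_victim"]]
    normal = [send("198.51.100.10", path_a) for _ in range(3)]
    known = learn_signatures(normal)
    # Flood arriving via network C with A's address written in the source field: the PS still shows path C
    attack = [send("198.51.100.10", path_c) for _ in range(50)]
    kept, dropped = filter_by_ps(normal + attack, known, per_ps_limit=10)
    return len(kept), len(dropped), traceback(dropped[0]["ps"], r.values())
```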


ADVANCEMENTS AND SUGGESTIONS:

Cisco Systems delivers a complete DDoS protection solution based on the principles of detection, diversion, verification, and forwarding to help ensure total protection [Cisco Systems].

The Cisco solution delivers a rapid DDoS response that is measured in seconds, not hours, and is easily deployed adjacent to critical routers and switches.

The Cisco solution offers a scalable option that eliminates any single point of failure and does not impact the performance or reliability of the existing network components.

When a DDoS attack is launched against a victim protected by the Cisco solution, business continuity is maintained by:

o Detecting the DDoS attack
o Diverting the data traffic destined for the target device to a Cisco appliance for treatment
o Analyzing and filtering the bad traffic flows from the good traffic flows, preventing malicious traffic from impacting performance while allowing legitimate transactions to complete
o Forwarding the good traffic to maintain business continuity

REFERENCES:

Article: Handling Distributed Denial-of-Service Attacks, by Dr Lech J. Janczewski (The University of Auckland), Douglas Reamer and Juergen Brendel (JSD Ltd, Auckland, New Zealand). Information Security Technical Report, Vol 6, No. 3 (2001), 37-44.

[WatchGuard, 2000] Distributed Denial of Service, A White Paper prepared by WatchGuard Technologies, Seattle, WA, USA, February 2000.

[ITWorld, 2001] Messmer, E., New denial of service attack tool discovered, ITWorld.com, 15 January 2001.

[FBI/CSI, 2001] 2001 Computer Crime and Security Survey, The Computer Security Institute, USA, 2001.

[Cisco, 2000] Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks, A Cisco White Paper, Cisco Systems Inc., USA, 2000.

[Cisco Systems] White Paper: Defeating DDoS Attacks. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5888/prod_white_paper0900aecd8011e927.pdf
