© Sombers Associates, Inc. 2013 3
What is a Distributed Denial of Service Attack?
• An attempt to make an Internet service unavailable to its users.
• Saturate the victim machine with external traffic.
• The victim machine:
  - can’t respond to legitimate traffic, or
  - is so slow as to be essentially unavailable.
• Address of attacker is spoofed:
  - Victim machine can’t simply block traffic from a known source.
• Commonly constitutes violations of the laws of nations.
What is a Distributed Denial of Service Attack?
• Malware attacks do not generally pose a threat to availability:
  - They are aimed at stealing personal information and other data.
• DDoS attacks are a major threat to availability.
• They have been used to take down major sites for days.
• They are easy to launch and difficult to defend against.
• Reasons for DDoS attacks:
  - revenge
  - competitive
How Can So Much Traffic Be Generated? By Botnets
• Typical attacks generate about 10 gigabits/sec. of malicious traffic.
  - One PC can generate about one megabit/sec. of traffic.
  - It takes about 10,000 PCs to generate 10 gigabits of traffic.
  - This is a botnet.
• A botnet is a collection of computers:
  - whose security defenses have been breached.
  - whose control has been conceded to a third party, the bot master.
• The bot master controls the activities of the compromised computers.
How Can So Much Traffic Be Generated? By Botnets
• More recently, servers have been included in botnets.
• A large server can generate a gigabit/sec. of malicious traffic:
  - one thousand times that of a PC.
• Ten large servers can generate as much traffic as 10,000 PCs.
• Servers are infected via network vulnerabilities.
• The latest attacks have generated 100 gigabits of malicious data:
  - combination of infected PCs and servers.
The Anatomy of a DDoS Attack
• DDoS attackers depend upon infecting thousands of PCs.
• A typical infection sequence is:
  - a user succumbs to a phishing attack (opens a malicious email or visits a malicious web site).
  - a Trojan is injected into the machine which opens a “back door.”
  - a bot infection is inserted into the PC via the back door.
  - the bot infection establishes a connection with the bot master.
Phishing
• Phishing masquerades as a trusted entity in an electronic communication:
  - email, web site.
• Designed to get sensitive information like account numbers, SSNs by:
  - tricking users to respond to email.
  - leading users to a spoofed web site that looks real.
• Emails can also carry malicious executables or point to malicious web sites.
• Malicious executables or malicious web sites can infect the PC:
  - used to inject a Trojan to create a back door into the PC.
• User training – send them phishing messages that take them to a web site that informs them that they have been lured.
Trojans
• Creates a “back door” allowing unauthorized access to the target computer.
• Main purpose is to make the host system open to access from the Internet.
• Installed via malicious emails or Internet applications.
• Consequences:
  - controlling the computer system remotely (botnets).
  - also, keystroke logging, data theft, installing other malware.
The BYOD Conundrum
• Bring Your Own Devices (BYOD) are the new gateways into corporate networks:
  - Employees using smart phones, tablets, notebook computers.
  - Conducting their work at home or on the road.
  - Connecting outside the corporate firewall to servers and databases.
• Malware can gain access to a company’s network by infecting these devices.
• Mobile malware is becoming a greater threat than direct infections of systems.
Android Devices are the Primary Target
• Mobile malware most likely to be installed via malicious apps.
• Android is an open operating system modified by each vendor:
  - security provisions often bypassed.
• Hundreds of Android app stores not vetted by Google.
• Number of malicious apps has grown 800% over the last year.
• 92% directed at Android devices.
• Apple has tight control over apps:
  - tests each one thoroughly.
  - does not allow unvetted apps to be downloaded from the Apple app store.
• Malware can also be downloaded with phishing.
Jail-Broken and Rooted Devices
• Android and iOS prevent unauthorized access to privileged OS commands.
• Android device can be modified by user to let apps have access:
  - rooted device.
  - necessary to run some apps.
• A rooted Android device can be infected with malware that runs at the operating system level:
  - Trojans
  - keyloggers
• Similarly, an iOS device can be jail-broken. However:
  - iOS world is tightly controlled.
  - several security functions must be bypassed.
  - cannot be done by the ordinary user.
Other Mobile Threats
• Compromised Wi-Fi hot spots:
  - coffee shops, airports, hotels.
  - corporate data is vulnerable whenever an employee logs onto a public Wi-Fi hot spot.
  - frequently configured so that anyone can see all of the network traffic.
  - commercially available apps provide network monitoring capability.
• Poisoned DNS servers:
  - user must trust the DNS server used by a Wi-Fi hot spot.
  - hackers can hijack a public DNS server.
  - direct traffic to a malicious web site.
  - web site can get users’ private data – passwords, etc.
  - malware is downloaded to device from the web site.
DDoS Strategies: The Internet Protocol Suite
• Application Layer – used by applications for network communications (FTP, SMTP).
• Transport Layer – end-to-end message transfer (TCP, UDP).
• Internet Layer – best-efforts datagram transmission between hosts (IP).
• Link Layer – local network topology (routers, switches, hubs, firewalls).
DDoS Strategies: Attacks Occur at Various Levels
• Network Level:
  - Network is bombarded with traffic.
  - Consumes all available bandwidth needed by legitimate requests.
• Infrastructure Level:
  - Network devices such as firewalls, routers, maintain state in internal tables.
  - Fill state tables of network devices.
  - Network devices cannot handle legitimate traffic.
• Application Level:
  - Invoke application services:
  - Consume processing and disk resources.
  - Illegitimate logins.
  - Searches (if attacker has obtained user names, passwords).
DDoS Strategies: Attacks Occur at Various Levels
• ICMP Flood:
  - Internet Control Message Protocol (ICMP) returns error messages.
  - Attacker sends messages to random ports.
  - Most ports will not be used.
  - Victim system must respond with “port unreachable.”
  - Victim system is so busy responding with ICMP messages that it can’t handle legitimate traffic.
• Ping Attack:
  - ICMP attack in which victim is flooded with pings.
  - Victim must respond with ping-response messages.
DDoS Strategies: Attacks Occur at Various Levels
• SYN Flood:
  - Attacker begins the initiation of a connection.
  - Sends a SYN connection request.
  - Server assigns resources to connection, responds with SYN-ACK.
  - Attacker never sends ACK to complete the connection.
  - Spoofed client ignores SYN-ACK since it did not send SYN.
  - Victim holds resources for three minutes awaiting connection completion.
  - Victim runs out of resources, cannot make legitimate connections.
• GET/POST Flood:
  - Commands to retrieve and update data.
  - Use extensive compute and disk resources of computer.
  - Typically needs user names, passwords.
  - Consumes all resources of server.
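The SYN flood slide describes the server-side symptom: handshakes that are opened but never completed, held for about three minutes each. The following detection sketch is an added example, not code from the slides; it replays a constructed packet log as the server would see it, counts handshakes still half-open, and flags sources that leave too many pending. The log format, the 180-second reaping window and the alert threshold are assumptions.

```python
# Added example (not from the slides): count half-open TCP handshakes per
# source over a constructed packet log and flag likely SYN flooders.
from collections import defaultdict

HALF_OPEN_TIMEOUT = 180.0   # slide: victim holds resources for ~three minutes
FLAG_THRESHOLD = 3          # assumed: half-open handshakes per source that alert

# Constructed log lines: "<time> <src_ip>:<src_port> <client_flag>" as seen by
# the server. A SYN opens a handshake; the client's final ACK completes it.
SAMPLE_LOG = """\
0.0 198.51.100.7:40001 SYN
0.1 198.51.100.7:40001 ACK
0.2 203.0.113.9:5001 SYN
0.3 203.0.113.9:5002 SYN
0.4 203.0.113.9:5003 SYN
0.5 203.0.113.9:5004 SYN
1.0 198.51.100.8:40002 SYN
1.2 198.51.100.8:40002 ACK
"""

def parse(log):
    for line in log.splitlines():
        ts, endpoint, flag = line.split()
        ip, port = endpoint.rsplit(":", 1)
        yield float(ts), ip, int(port), flag

def half_open_by_source(log, now):
    """Return {src_ip: handshakes still half-open at time `now`}.
    Entries older than HALF_OPEN_TIMEOUT are assumed reaped by the server."""
    pending = {}  # (ip, port) -> time the SYN arrived
    for ts, ip, port, flag in parse(log):
        if flag == "SYN":
            pending[(ip, port)] = ts
        elif flag == "ACK":
            pending.pop((ip, port), None)   # handshake completed
    counts = defaultdict(int)
    for (ip, _port), ts in pending.items():
        if now - ts < HALF_OPEN_TIMEOUT:
            counts[ip] += 1
    return dict(counts)

def total_half_open(log, now):
    """Total half-open handshakes: the signal to watch when sources are spoofed."""
    return sum(half_open_by_source(log, now).values())

def suspected_syn_flooders(log, now, threshold=FLAG_THRESHOLD):
    return sorted(ip for ip, n in half_open_by_source(log, now).items() if n >= threshold)

if __name__ == "__main__":
    print(total_half_open(SAMPLE_LOG, now=2.0), suspected_syn_flooders(SAMPLE_LOG, now=2.0))
```

Because a real flood spoofs a different source per SYN (as the spoofing slide notes), the per-source count can stay below any threshold; the total half-open count against the backlog size is the more reliable alarm.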
DDoS Strategies: Amplified Attacks
• The most vicious kind of attack:
  - Generates a great deal of attack data with little effort.
• Example – DNS Reflection:
  - Depends upon DNS Open Resolvers.
  - Will respond to any DNS request, no matter from where it comes.
  - Send DNS URL request with spoofed IP address of victim.
  - DNS sends URL response (IP address of URL) to victim.
  - Typical request message is 30 bytes.
  - Typical response message is 3,000 bytes.
  - 100 times amplification.
• Publicly available toolkit – itsoknoproblembro – to launch DNS attacks.
• Open DNS Resolvers were supposed to be phased out:
  - Still 27 million Open Resolvers on the Internet.
  - Their IP addresses have all been published.
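From the victim's side, reflected DNS traffic has one distinguishing property: the responses arrive for queries this host never sent. The following is an added example, not code from the slides; it pairs inbound DNS responses with outbound queries by resolver, local port and transaction id, and reports the unsolicited bytes per reflector. The record format and sample values are constructed.

```python
# Added example (not from the slides): detect reflected DNS responses at the
# victim by matching each inbound response to a query this host actually sent.
from collections import defaultdict

# Constructed records: "<dir> <resolver_ip> <local_port> <txid> <bytes>"
# OUT = a query this host sent, IN = a response it received.
SAMPLE_RECORDS = """\
OUT 192.0.2.53 51000 0x1a2b 45
IN 192.0.2.53 51000 0x1a2b 120
IN 198.51.100.10 3333 0x0001 3000
IN 198.51.100.10 3334 0x0001 3000
IN 198.51.100.11 3335 0x0001 3000
IN 198.51.100.12 3336 0x0001 3000
"""

def parse(records):
    for line in records.splitlines():
        direction, resolver, port, txid, size = line.split()
        yield direction, resolver, int(port), txid, int(size)

def classify_responses(records):
    """Return {"solicited": bytes, "unsolicited": {resolver_ip: bytes}}.
    A response is solicited only if this host sent a query to that resolver
    from the same local port with the same transaction id."""
    outstanding = set()
    solicited = 0
    unsolicited = defaultdict(int)
    for direction, resolver, port, txid, size in parse(records):
        key = (resolver, port, txid)
        if direction == "OUT":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)   # answer to our own query
            solicited += size
        else:
            unsolicited[resolver] += size   # reflected from an open resolver
    return {"solicited": solicited, "unsolicited": dict(unsolicited)}

def reflectors(records, min_bytes=1000):
    """Resolver addresses that sent at least `min_bytes` of unsolicited responses
    (threshold is an assumption; reflected responses are large by design)."""
    hits = classify_responses(records)["unsolicited"]
    return sorted(ip for ip, b in hits.items() if b >= min_bytes)

if __name__ == "__main__":
    print(classify_responses(SAMPLE_RECORDS))
    print(reflectors(SAMPLE_RECORDS))
```

On a real host the same matching is what a stateful firewall does for UDP; the list of reflectors is useful for upstream filtering requests, not for blocking at the saturated link itself.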
Major U.S. Banks
September, 2012 – The online banking web sites of six major U.S. banks are taken down for days by Distributed Denial of Service (DDoS) attacks.
• The Izz ad-Din al-Qassam Cyber Warriors vowed to attack major U.S. banks.
• The attacks will continue until the video “Innocence of Muslims” is removed from the Internet.
• September 2012 – DDoS attacks are launched against Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, and PNC Bank.
• The attacks take down their online banking portals for a day.
• Attacks followed against Capital One, SunTrust Banks, and Regions Financial.
• The 70 gigabit/second attacks used hundreds of thousands of volunteer computers and infected servers.
• December 2012 – Attacks were repeated for several days against all banks.
• Intelligence officials say that cyber attacks and cyber espionage have surpassed terrorism as the top security threat facing the U.S.
History’s Largest DDoS Attack
• Spamhaus is a spam-filtering site:
  - provides a blacklist of IP addresses for email spammers.
  - used by spam-filtering vendors, ISPs, corporations.
• Blocked CyberBunker:
  - CyberBunker claims to host anything but terrorism, child pornography.
• CyberBunker launched a 300 gigabit/sec. attack against Spamhaus:
  - lasted for ten days.
• Spamhaus enlisted CloudFlare to help it weather the attack:
  - CloudFlare spread the malicious load across its 23 data centers.
  - scrubbed the data and fed only legitimate data to Spamhaus.
• CyberBunker extended its attack to CloudFlare.
Botnets
• Until recently, DDoS attacks were in the 10 gbps range:
  - infected PC botnets.
• Islamic hackers – 100 gbps:
  - used tens of thousands of volunteered PCs.
  - added infected servers.
• CyberBunker – 300 gbps:
  - used PC/server botnet.
  - used DNS reflection.
Mitigation
• DDoS attacks are easy to launch, difficult to defend against.
• Firewalls and intrusion-prevention systems (IPS) can be overwhelmed.
• Spread load across several data centers to scrub data.
• Use the services of a DDoS mitigation company that can scrub data over several data centers:
  - Prolexic
  - Tata
  - AT&T
  - Verisign
• Include DDoS attacks in your Business Continuity Plan.