Introduction
In the recent past, a new class of security threats has emerged: one which does not target the integrity of resources, but rather their very availability. All threats in this new class are collectively known as DENIAL OF SERVICE (DoS) ATTACKS. DoS attacks are not concerned with the actual contents of the data; they concentrate on preventing the data from reaching its actual destination, thus effectively making the resource or service unavailable by exploiting either flaws in popular Internet protocols or the very functioning of the Internet. A key problem in detecting denial of service attacks is that the source address of the packets is spoofed. This ensures that the compromised machines remain undetected and can thereby be used for other attacks. If the source of the attack is kept constant (even if it is spoofed), it is possible to block that particular address and recover from the attack. However, the attack now takes a new form by being distributed (DDoS). In this form, a number of compromised systems all over the world are used in a synchronized manner to attack a particular server. By distributing the attack, the intensity near each source is lessened and is therefore not detected there. Meanwhile, the concentrated effect at the victim is sufficient to overload networks and systems and thus deny service. This latest evolution in DoS has received much publicity, but some of its most important aspects have not yet been explored. DDoS isn't simply about multiplication of attack sources; it brings about issues of path diversity, obscurity, invisibility, and demoralization of the victim.
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots (see botnet); DoS (Denial of Service) attacks are sent by one person or system. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. DoS threats are also common in business, and are sometimes responsible for website attacks. This technique has now seen extensive use in certain games, where it is used by server owners or disgruntled competitors against rivals, for example against popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of resistance. Richard Stallman has stated that DoS is a form of 'Internet Street Protest'. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. The most recent findings from a report by Radware (2012) revealed that most victims of DDoS attacks are online businesses, carriers and service providers. DDoS attacks target revenue-generating organizations by overtaxing their link capacity. Such an attack causes a company both direct and indirect damages. Direct damages include revenue loss due to downtime and increased network maintenance costs, whereas indirect damages tend to be related to the reputation and perceived reliability of the organization and its services.
Over the years, the world has seen many large-scale Distributed Denial of Service (DDoS) attacks conducted by organized cyber-criminal groups; some of these attacks have managed to disrupt the online services of prominent, major global enterprises. Despite the efforts of the security community, DDoS attacks have remained a constant threat and continue to wreak havoc in cyberspace.
trying to implement temporary Access Control Lists on routing devices or modifying the border firewall rule base, it is too late: you are left at the mercy of the attack under way.
that are at the end of this command chain finally initiate the attack traffic against the Victim.
An Example of an attack
Of all the attacks causing denial of service, the TCP-SYN flooding attack is the most common. A simplified diagram of the TCP SYN flooding problem is depicted below:
Defense Against Distributed Denial of Service Attacks

    9.0.0.0/8
    host <---- router <---- Internet <---- router <---- attacker

         <---- TCP/SYN, source 192.168.0.4/32
    SYN/ACK ---->  no route
         <---- TCP/SYN, source 10.0.0.13/32
    SYN/ACK ---->  no route
         <---- TCP/SYN, source 172.16.0.2/32
    SYN/ACK ---->  no route

Assume:
o The host is the targeted machine.
o The attacker resides within the valid prefix, 9.0.0.0/8.
o The attacker launches the attack using randomly changing source addresses; in this example, the source addresses are depicted as coming from prefixes which are not generally present in the global Internet routing tables and are therefore unreachable. However, any unreachable prefix could be used to perpetrate this attack method.
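The diagram shows why the SYN/ACK replies have no route: the forged sources are private (RFC 1918) prefixes. The following is an added example, not code from the original paper, showing the two defensive checks a border device in 9.0.0.0/8 would apply to such traffic: an ingress (bogon) filter that drops packets from unroutable source prefixes, and a per-source half-open connection counter that flags a flood even when the sources are routable. The packet tuples, prefix list and thresholds are constructed for illustration.

```python
# Added example (not from the original paper): SYN-flood detection with bogon ingress
# filtering, run over constructed sample traffic matching the diagram above.
import ipaddress
from collections import defaultdict

# Bogon prefixes: private and otherwise non-globally-routable space (RFC 1918 and others).
# The three spoofed sources in the diagram fall inside the first three entries.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(src):
    """True if src lies in a prefix that should never appear as a source on the Internet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)

def analyse(packets, half_open_limit=3):
    """packets: (src, dst, flags) tuples in arrival order; flags is a set such as {'SYN'}.
    Returns (dropped, flagged): packets dropped by the ingress filter, and the sources
    that left more than half_open_limit SYNs without completing the handshake."""
    dropped = []
    half_open = defaultdict(int)       # src -> SYNs still waiting for the final ACK
    for src, dst, flags in packets:
        if is_bogon(src):
            dropped.append((src, dst))  # ingress filter: unroutable source, drop it
            continue
        if flags == {"SYN"}:
            half_open[src] += 1         # new half-open connection
        elif "ACK" in flags and "SYN" not in flags and half_open[src] > 0:
            half_open[src] -= 1         # third handshake packet: no longer half-open
    flagged = sorted(s for s, n in half_open.items() if n > half_open_limit)
    return dropped, flagged

# Constructed sample traffic toward host 9.1.2.3: the diagram's three spoofed sources, a
# legitimate client that completes its handshake, and a routable source that floods.
SAMPLE = [
    ("192.168.0.4", "9.1.2.3", {"SYN"}),
    ("10.0.0.13", "9.1.2.3", {"SYN"}),
    ("172.16.0.2", "9.1.2.3", {"SYN"}),
    ("203.0.113.7", "9.1.2.3", {"SYN"}), ("203.0.113.7", "9.1.2.3", {"ACK"}),
] + [("198.51.100.9", "9.1.2.3", {"SYN"})] * 5

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The half-open counter is the same quantity a router's rate filter or a switch's delayed-binding feature (described later in the text) keys on; the threshold must be tuned per service, since a busy web server legitimately carries many half-open connections.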
Performing DoS-attacks
A wide array of programs is used to launch DoS-attacks. Most of these programs are completely focused on performing DoS-attacks, while others are also true packet injectors, able to perform other tasks as well. Such tools are intended for benign use, but they can also be utilized in launching attacks on victim networks.
Firewalls
Firewalls can be set up with simple rules to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses, for instance, one could put up a simple rule to drop all incoming traffic from those attackers. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so would prevent the server from serving legitimate traffic. Additionally, firewalls may be too deep in the network hierarchy: routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding-type attacks from machines behind the firewall.
Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate thresholds correctly and granularly. WAN-link failover will work as long as both links have DoS/DDoS prevention mechanisms.
Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has features that prevent flooding, for which example settings are available.
Application front end hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors.
IPS based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS may detect and block denial of service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
DDS based defense
More focused on the problem than an IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of Death) and rate-based attacks (such as ICMP floods and SYN floods).
Blackholing and sinkholing
With blackholing, all the traffic to the attacked DNS name or IP address is sent to a "black hole" (a null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP. Sinkholing routes traffic to a valid IP address which analyzes the traffic and rejects bad packets. Sinkholing is not efficient for the most severe attacks.
Clean pipes
All traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also other common Internet attacks) and only sends good traffic on to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the "cleaning center" or "scrubbing center". Arbor Networks, Prolexic Technologies, Tata Communications, AT&T and VeriSign are examples of providers of this service.
Side effects of DoS attacks
In computer network security, backscatter is a side-effect of a spoofed denial-of-service attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter. If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks. The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.
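The backscatter analysis just described can be carried out in a few lines. The following is an added example, not code from the original paper: it takes packets captured on a network telescope (an unused, constructed /24 here), keeps only reply-type packets, groups them by source, and treats a source that replied to many distinct telescope addresses as a victim of random-source spoofing. Because random spoofing spreads the replies uniformly over the IPv4 space, the observed count is scaled by the telescope's share of that space to estimate the victim's total reply rate. The prefix, packet kinds, threshold and capture data are constructed assumptions.

```python
# Added example (not from the original paper): backscatter analysis on a constructed
# network-telescope capture. Sources that send unsolicited replies to many distinct
# telescope addresses are inferred to be victims of a spoofed-source DoS attack.
import ipaddress
from collections import defaultdict

TELESCOPE = ipaddress.ip_network("198.51.100.0/24")   # constructed unused prefix
IPV4_SPACE = 2 ** 32
# Packet kinds a victim emits in reply to forged packets; plain SYNs are scans, not backscatter.
BACKSCATTER_KINDS = {"SYN/ACK", "RST", "RST/ACK", "ICMP-unreachable"}

def analyse_backscatter(packets, window_s, min_targets=3):
    """packets: (src, dst, kind) tuples observed on the telescope during window_s seconds.
    Returns {victim_ip: (observed_pkts, distinct_telescope_dsts, est_reply_pps)} for
    sources whose replies reached at least min_targets distinct telescope addresses."""
    per_src = defaultdict(lambda: [0, set()])
    for src, dst, kind in packets:
        if kind not in BACKSCATTER_KINDS:
            continue                                  # not a reply: ignore
        if ipaddress.ip_address(dst) not in TELESCOPE:
            continue                                  # not addressed to the telescope
        per_src[src][0] += 1
        per_src[src][1].add(dst)
    # Random spoofing spreads replies uniformly, so the telescope sees this fraction of them.
    scale = IPV4_SPACE / TELESCOPE.num_addresses
    victims = {}
    for src, (n, dsts) in per_src.items():
        if len(dsts) >= min_targets:
            victims[src] = (n, len(dsts), n * scale / window_s)
    return victims

# Constructed 10-second capture: one victim replying to six telescope addresses, one stray
# reset (not a flood), and a scanner whose SYNs must not be counted as backscatter.
SAMPLE = [
    ("192.0.2.10", "198.51.100.%d" % i, "SYN/ACK") for i in (5, 17, 42, 88, 130, 201)
] + [
    ("203.0.113.55", "198.51.100.9", "RST"),
    ("203.0.113.77", "198.51.100.20", "SYN"),
    ("203.0.113.77", "198.51.100.21", "SYN"),
    ("203.0.113.77", "198.51.100.22", "SYN"),
]

if __name__ == "__main__":
    for victim, (n, d, pps) in analyse_backscatter(SAMPLE, window_s=10).items():
        print(f"{victim}: {n} replies to {d} addresses, ~{pps:.0f} replies/s estimated")
```

The estimate is only as good as the uniform-spoofing assumption; an attacker spoofing from a narrow range, or a victim that rate-limits its replies, makes the telescope under- or over-count.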
Legality
In the Police and Justice Act 2006, the United Kingdom specifically outlawed denial-of-service attacks and set a maximum penalty of 10 years in prison. In the US, denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act, with penalties that include years of imprisonment. Many other countries have similar laws. In the US, the legal position is being tested by a court case in California. On January 7, 2013, Anonymous posted a petition on the whitehouse.gov site asking that DDoS be recognized as a legal form of protest similar to the Occupy protests.