Denial of service is a term which means many things. In this course, learn about the different types of denial-of-service attacks.
- [Instructor] Denial of service attacks have been a threat on the internet since as far back as 1988, when Robert Morris released his internet worm. The internet was in its infancy, and the result was little more than an inconvenience. In the age of cyberspace and ubiquitous connectivity, online business depends upon accessible services, so a denial of service becomes a much more serious issue, one which can have devastating consequences. The Digital Attack Map provides a view of DDoS attacks based on data collected by Arbor Networks; additional information is available by hovering over the streams. In an assessment carried out by Kaspersky Labs in 2015, the cost of such an incident was between $52,000 and $444,000, as a result of an inability to carry out core business, loss of contracts and opportunities, credit rating impact, and insurance premium increases. This is significant enough to justify internal testing to ensure the business is resilient. There are many different ways to achieve a denial of service, and it would take a very long time to enumerate them all, but we'll look at the general approaches and a number of typical attacks in this course. Denial of service is the name given to a class of cyber attacks whose aim is to disrupt or deny use of a business service, be that a website or some other service accessible from outside the organization. An attack might be from one source, in which case it's called simply a denial of service. Typically it starts with a phishing attack on an employee to gain access to the enterprise. This kind of attack requires the use of an attack workstation and a tool, but no additional infrastructure. The attack may be from multiple sources, in which case it's known as a distributed denial of service. This is more complicated because it firstly requires access to a large number of compromised systems: a botnet, which can be used as distributed sources all controlled from one master attack workstation.
One of them issues a phishing email, and when it's activated, the enterprise is then a target for all of them. Distributed denial of service attacks were first seen in 1999, when a DoS tool called Trinoo was deployed on over 200 hosts to flood a server at the University of Minnesota. It successfully took the server offline for two days. A third type of attack is known as a reflection attack, so called because it goes indirectly to the target by being reflected from a third-party service. This is a sophisticated attack that takes advantage of legitimate functions on third-party services to act as the reflection surface used in the attack. Typically the reflected volume of data is much larger than the request data, and so the reflection also amplifies the effect of the attack. Because of this, these attacks are sometimes called amplification attacks; the domain name service and the network time service have both been used to run these forms of attack. An interesting variation on each of these classes of attack, known as intermittent or pulsing flooding, can be used to navigate through anti-DoS defenses. This can be successful when a defense mechanism such as a firewall is more tolerant of a flooding attack than the server it's protecting. There are many attack techniques which can be used to deny services, and these will result in one of three classes of impact. The first is choking access to the service, in which the pathway from the client to the service is overloaded or congested in such a way as to make it difficult or impossible for a legitimate request to get through. The second is disabling the service, typically by sending a malformed packet which causes some form of internal malfunction in the service or application. The third type of impact is downgrading service performance, typically done by exhausting the host resources for providing services. In addition to the three classes of attack and the three types of impact, there are three classes of attack techniques.
The first is network-based attack techniques, which depend upon some form of protocol manipulation to exhaust resources. These include the following attacks. The TCP SYN flooding attack, which partially creates a TCP session but does not complete the session handshake, and so consumes resources to maintain status information on the half-open connection. The ICMP Smurf flooding attack, which is a reflective attack using the ICMP echo: because the source address is forged as the target address, the ICMP response is sent back to the target. If sufficient ICMP requests are made, the response packets flood the target's bandwidth. UDP flooding: a UDP flooding attack is just a distributed denial of service attack in which any form of UDP packet is sent to the target, and flooding occurs because, with a large number of emitting sources, the volume of packet data can easily exceed the target's incoming bandwidth. ARP flooding: the ARP protocol is used in local area networks to identify the association between MAC addresses and IP addresses, so that Ethernet routing can be done using MAC addresses. By corrupting the ARP caches in individual network hosts, these hosts can be isolated from the network, thus denying resources. The DNS amplification or reflection attack, a variant of the Smurf attack, is another reflective attack in which a request is made to a DNS server and the DNS response which is returned is over 50 times larger; this leverages not only the number of responses but their size to congest the network. A similar approach can be achieved using the NTP service, gaining up to 50 times the amplification effect. A global NTP flooding attack took place in early 2014, causing hour-long outages in many data centers around the world. The second class of attack is wireless network attacks. These often require the attacker to be in close proximity to the wireless network and are focused on stopping workstations connecting.
These include the following attacks. The deauthentication attack, in which the attacker monitors for workstations trying to authenticate and issues a specific deauthentication request to that workstation; alternatively, a broadcast deauthentication can be sent, which affects all workstations. The routing congestion attack, in which an adversary can flood the network by sending a large number of route requests, causing high levels of congestion, which in turn disrupts routing. The final class of attack techniques is known as application- or host-based attacks, which exploit vulnerabilities in the operating system and application code on the target host. This class of attack can exploit certain algorithms, memory structures, implementation specifics, and so on. Each of these attacks is typically system- and version-specific. One of the key application-level attacks is HTTP flooding to create a denial of service. Similar to ICMP flooding, the HTTP flooding attack sends a large number of HTTP messages to a web server, typically in a way that resources are held open by the request, causing it to consume all its connections. Many other applications are also vulnerable to attack, and I'll cover FTP later in the course. SIP services are increasingly becoming a key target, as internet voice becomes a major carrier for businesses. There are a number of techniques that can be used to protect against denial of service attacks. These are often ineffective due to a lack of testing prior to the incident, and either fail when used or are not used because of the risk of failure. They can be implemented as an in-house capability or used in the form of DoS mitigation as a service. Mitigation typically involves diagnosing an attack and discarding packets that are identified as part of the attack. Okay, that's an overall look at the topic of denial of service, so now let's get into the detail.
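As an added example (not part of the course or the instructor's transcript), the following Python shows detection heuristics for two of the network-based techniques described above: the TCP SYN flood, recognised by the share of sessions left half-open after the server's SYN-ACK, and DNS reflection, recognised by the ratio of bytes a resolver sends out to bytes it receives. The `Packet` record, the addresses, and the sample traffic are all constructed for this example; the 50x response-to-request ratio in the sample is chosen to match the figure quoted in the transcript, not measured from a real resolver.

```python
"""Detection heuristics for SYN flooding and DNS reflection over constructed flow records."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary as a flow collector or pcap parser might emit it (constructed)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A"; "" for UDP
    length: int    # bytes on the wire


def syn_flood_stats(packets: Iterable[Packet], server: str, port: int = 80) -> Tuple[int, int, float]:
    """Count client sessions toward server:port that were opened with a SYN but never
    completed the handshake with a client ACK.  A high half-open ratio is the SYN
    flood signature: the server is holding state for sessions nobody finishes.
    Returns (half_open, total_sessions, half_open_ratio)."""
    opened = set()
    completed = set()
    for p in packets:
        if p.proto != "tcp" or p.dst != server or p.dport != port:
            continue  # only client -> server packets matter here
        key = (p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:
            opened.add(key)          # bare SYN: session attempt begins
        elif "A" in p.flags and key in opened:
            completed.add(key)       # client ACK: three-way handshake done
    total = len(opened)
    half_open = total - len(completed)
    return half_open, total, (half_open / total if total else 0.0)


def amplification_factor(packets: Iterable[Packet], reflector: str, service_port: int) -> float:
    """Bytes the reflector emits from service_port divided by bytes it receives on it.
    A factor well above 1 means the service is amplifying whatever it is asked, and
    any request whose source address is forged turns it into a reflection attack."""
    req_bytes = resp_bytes = 0
    for p in packets:
        if p.proto != "udp":
            continue
        if p.dst == reflector and p.dport == service_port:
            req_bytes += p.length
        elif p.src == reflector and p.sport == service_port:
            resp_bytes += p.length
    return resp_bytes / req_bytes if req_bytes else 0.0


# Constructed addresses (RFC 5737 documentation ranges plus a private server).
SERVER = "10.0.0.5"
REFLECTOR = "192.0.2.53"
VICTIM = "203.0.113.7"


def build_sample_traffic() -> List[Packet]:
    """Constructed capture: one legitimate session, a burst of unfinished SYNs,
    and a handful of DNS queries whose source is forged as the victim."""
    pkts: List[Packet] = []
    client = "10.0.0.20"
    pkts += [
        Packet(0.00, client, SERVER, "tcp", 40001, 80, "S", 60),
        Packet(0.01, SERVER, client, "tcp", 80, 40001, "SA", 60),
        Packet(0.02, client, SERVER, "tcp", 40001, 80, "A", 52),
    ]
    # 30 SYNs from distinct forged sources; the server answers SYN-ACK, nobody ACKs.
    for i in range(30):
        src = f"198.51.100.{i + 1}"
        t = 1.0 + i * 0.001
        pkts.append(Packet(t, src, SERVER, "tcp", 50000 + i, 80, "S", 60))
        pkts.append(Packet(t + 0.0005, SERVER, src, "tcp", 80, 50000 + i, "SA", 60))
    # DNS reflection: 64-byte queries carrying the victim's address, 3200-byte answers
    # delivered to the victim (sizes constructed to give the 50x ratio quoted above).
    for i in range(4):
        t = 2.0 + i * 0.01
        pkts.append(Packet(t, VICTIM, REFLECTOR, "udp", 33000 + i, 53, "", 64))
        pkts.append(Packet(t + 0.002, REFLECTOR, VICTIM, "udp", 53, 33000 + i, "", 3200))
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    half_open, total, ratio = syn_flood_stats(traffic, SERVER, 80)
    print(f"half-open {half_open}/{total} sessions ({ratio:.1%}) toward {SERVER}:80")
    print(f"DNS amplification via {REFLECTOR}: {amplification_factor(traffic, REFLECTOR, 53):.1f}x")
```

On a live network the same two functions would be fed from a flow exporter or a pcap decoder; the thresholds to alert on (say, more than a few hundred half-open sessions, or a sustained response/request ratio above 10 on a UDP service you expose) are a site-specific choice and are deliberately not hard-coded here.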
- What is denial of service?
- TCP SYN, Smurf, and UDP flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding a SIP server
- Detecting P2P attacks with PeerShark
- Defeating DoS attacks