Networking Chapter 4 Instructors Manual Materials Accompany Computer Security Fundamentals Denialofservice Attacks Objectives

Unlock access to all the studying documents.

View Full Document

Instructor’s Manual Materials to Accompany

COMPUTER SECURITY FUNDAMENTALS

CHAPTER 4

DENIAL-OF-SERVICE ATTACKS

CHAPTER 4 OBJECTIVES

When students finish reading this chapter, they will be able to:

• Understand how denial-of-service (DoS) attacks are accomplished.

• Know how certain DoS attacks work such as SYN flood, Smurf, and DDoS.

• Take specific measures to protect against DoS attacks.

• Know how to defend against specific DoS attacks.

CHAPTER OVERVIEW

This chapter describes in depth the workings of the denial-of-service (DoS) attack. This threat is one of the most

common attacks on the Internet, due in part to its ease of use and effectiveness in shutting down services. If you

can keep a service from reaching customers, then you can effectively stop e-business. Therefore, it is prudent for

you to understand how DoS attacks work and how to defend yourself against them.

The major sections in this chapter are

1. Overview. Demonstrates a simple way to squelch a web server with the ping utility.

3. DoS Weaknesses. A DoS attach can be stopped and traced back. DDoS are hard to trace back.

5. Distributed Denial of Service (DDoS). DDos is described as getting a number of machines to attack the

target.

7. How to Defend Against DoS Attacks. Gives steps you can take to minimize the danger of DoS attacks,

including some information resources.

CHAPTER OUTLINE

I. Chapter 4 Objectives

II. Introduction

Denial of Service

III. Illustrating an Attack

Common Tools Used for DoS

1. TFN and TFN2K

2. Stacheldraht

DoS Weaknesses

IV. Specific DoS Attacks

TCP SYN Flood Attack

Micro Blocks

2. RST Cookies

3. Stack Tweaking

Smurf IP Attack

UDP Flood Attack

ICMP Flood Attack

The Ping of Death (PoD)

Teardrop Attack

Land Attack

Echo/Chargen Attack

V. Distributed Denial of Service (DDoS)

VI. Real-World Examples

MyDoom

Anonymous Uses DoS

VII. How to Defend Against DoS Attacks

VIII. Summary

IX. Test Your Skills

X. Exercises

XI. Projects

KEY TERMS

buffer overflow An attack that involves loading a buffer with more data than it is designed to hold.

crash A sudden and unintended failure, as in “My computer crashed.”

echo/chargen attack A type of DoS attack that attempts to build up too much CPU activity with echoes.

encryption The act of encrypting a message. This usually involves altering a message so that it cannot be read

without the key and the decryption algorithm.

firewall A device or software that provides a barrier between your machine or network and the rest of the world.

flood attack An attack that involves sending a large number of packets to a server in an attempt to overload the

server.

hacker One who tries to learn about a system by examining it in detail and reverse-engineering it.

ICMP flood attacks An attack that attempts to overload the target system with too many ICMP packets for it to

respond to.

Internet Control Message Protocol (ICMP) A protocol used for a variety of purposes, including “pinging”

other computers.

Internet Protocol (IP) A protocol that is part of the TCP/IP suite of protocols, which is the foundation for most

networking and all Internet communications.

land attack Sending a packet to a machine with the source host/port being the same as the destination host/port,

causing some systems to crash.

loop back address An address used to test a machine’s own network card, 127.0.0.1.

ping To send a single ICMP packet to a destination, usually to confirm that the destination can be reached.

Ping of Death (PoD) To send an extremely large packet to a target. For some older systems, this would cause the

target to crash.

proxy server A machine or software that hides all internal network IP addresses from the outside world. It

provides a point of contact between a private network and the Internet.

router A device that separates networks.

RST cookie A method to prevent denial-of-service attacks that actually uses a type of cookie to authenticate the

client’s connection.

smurf A specific type of distributed denial-of-service attack.

SYN cookies Cookies used to authenticate connection requests and thus avoid certain types of Denial of Service

attacks.

SYN flood A denial-of-service attack in which the target is flooded with connection requests that are never

completed.

teardrop attack A type of attack against a TCP/IP stack based on using fragmented packets.

Trojan horse Software that appears to have a valid and benign purpose but actually has another nefarious

purpose.

UDP flood attack A denial-of-service attack based on sending a huge number of UDP packets.

virus Software that is self-replicating and spreads like a biological virus.

TEACHING NOTES

I. Overview

Teaching Tips: You should not attempt any of these attacks on a LAN that is a subnet

of any production system. You may need to set up an isolated LAN to demonstrate this.

Teaching Tips: Point out that it would be unreasonable to use a PII Windows 98 as a

web server. The more up to date the OS and the bigger the computer and network, the better to defend

against a DoS attack.

II. DoS Attacks

Teaching Tips: Diagram the different attacks in steps. This gives a temporal

understanding of an attack that is hard to get from a book.

III. Real-World Examples

Teaching Tips: Explain that the reason these examples are still in circulation today is

mostly because people have not updated their computers against them.

IV. How to Defend Against DoS Attacks

PROJECTS/EXERCISES

I. Discussion Questions

A. Discussion Question 1

Should old or unpatched computers be allowed on a LAN?

B. Discussion Question 2

Can there ever be an effective defense against DDoS attacks?

II. Web Projects

A. Web Project 1

The Ping of Death exploit is an old one. Most modern operating systems are not

vulnerable to it. Go to Google.com and enter “Ping of Death vulnerable operating

systems” to see if any of your computers may be vulnerable. A good place to start is

http://www.pnl.gov/isrc/advisory-notices/advis3.stm.

B. Web Project 2

Go to ftp://ftp.isi.edu/in-notes/rfc2267.txt to find out how to configure a firewall

to protect against DoS attacks. Look up Land attack. What two simple rules for a firewall

(in English) would stop this type of attack?

C. Web Project 3

Go to Google.com and enter “DDoS zombie nets” to find out about networks of

compromised PCs. How do these PCs cause Web sites to fail? Why are these “botnets” so

hard to stop on DDoS attacks? A good place to start is http://news.zdnet.com/2100-

1009_22-5236403.html.

D. Web Project 4

Get the latest list of port numbers from IANA at

http://www.iana.org/assignments/port-numbers. Find out what port numbers need to be

blocked to stop echo and chargen.

WEB RESOURCES

CHAPTER REVIEW/ANSWERS TO TEST YOUR SKILLS

Multiple Choice Questions

1. What is one of the most common and simplest attacks on a system?

2. Which of the following is not a valid way to define a computer’s workload?

3. What do you call a DoS launched from several machines simultaneously?

4. Leaving a connection half open is referred to as a

5. What is the basic mechanism behind a DoS attack?

6. What is the most significant weakness in a DoS attack from the attacker’s viewpoint?

7. What is the most common class of DoS attacks?

8. What are three methods to protect against SYN flood attacks?

9. Which attack mentioned in this chapter causes a network to perform a DoS on one of its own servers?

10. A defense that depends on a hash encryption being sent back to the requesting client is called

11. What type of defense depends on sending the client an incorrect SYNACK?

12. What type of defense depends on changing the server so that unfinished hand-shaking times out sooner?

13. What type of attack is dependent on sending packets too large for the server to handle?

14. What type of attack uses Internet routers to perform a DoS attack on the target?

15. Which of the following is an example of a DDoS attack?

16. How can securing internal routers help protect against DoS attacks?

17. What can you do to your internal network routers to help defend against DoS attacks?

18. Which of the following was rated by many experts to be the fastest-growing virus on the Internet?

19. What can you do with your firewall to defend against DoS attacks?

20. Why will protecting against Trojan horse attacks reduce DoS attacks?

Exercises

EXERCISE 4.1: EXECUTING A DOS

This exercise is best accomplished in a lab with numerous machines available. The target server should be one of

low capacity for this exercise.

EXERCISE 4.2: STOPPING SYN FLOOD ATTACKS

EXERCISE 4.3: USING FIREWALL SETTINGS AND EXERCISE 4.4: USING ROUTER SETTINGS

Projects

PROJECT 4.1: EMPLOYING ALTERNATIVE DEFENSES

PROJECT 4.2: DEFENDING AGAINST SPECIFIC DENIAL OF SERVICE ATTACKS

PROJECT 4.3:HARDENING THE TCP STACK AGAINST DOS

This is a more complex project, requiring a lab machine, regarding the hardening of the TCP stack against DoS.

Case Study