Distributed denial of service
Presented by:
• Kamar MEDDAH
• Redouane AIT ELMKDEM
• Fatima-Azzahra AYACH
• Jamila AKHARAZ
• Mohamed LIDOUH
Plan
01 Introduction
02 DoS vs DDoS
03 How DDoS attacks work
04 DDoS attack methods
05 DDoS tools
06 DDoS attack types
07 Aim of a DDoS attack
08 DDoS mitigation
09 Conclusion
1 Introduction
DDoS is an acronym of "Distributed Denial of Service".
It is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
It denies a victim (host, router, or entire network) the ability to provide or receive normal services.
It is a dangerous and common type of cyber-attack.
Wishing is not enough; we must do.
2 DoS vs DDoS
In a DoS attack, an attacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests in an attempt to exhaust server resources.
DDoS attacks are launched from multiple connected devices that are distributed across the Internet.
3 How DDoS attacks work
A DDoS attack consists of 4 elements:
• Attacker / attacking hosts
• Master program / agent
• Attack daemon agents
• Victim (target)
4 DDoS attack methods
SMURF
Different phases of attack:
Phase 1: The IP address of the victim is obtained by the attacking computer.
Phase 2: Using this spoofed IP address, the attacker sends ICMP messages to a network's broadcast address.
Phase 3: All the devices in this network get these ICMP messages and send back ICMP replies to the IP address of the victim.
Phase 4: The victim gets flooded with packets coming from all these zombies and crashes.
Steps to protect against SMURF attacks
Configure the router so that it does not contact all the devices connected to its network when an ICMP message arrives at its broadcast address.
Set up a firewall that filters unwanted messages.
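Two checks that follow from the Smurf phases and protection steps above, written as an added example (not from the original deck): an amplifier-side check for echo requests aimed at a known broadcast address, and a victim-side check for bursts of echo replies from hosts the victim never pinged. The packet summaries, addresses and broadcast list are constructed for the example.

```python
from collections import defaultdict

# Constructed ICMP packet summaries, not captured traffic:
# (ts_seconds, src, dst, icmp_type) with type 8 = echo request, 0 = echo reply.
# 203.0.113.10 is the victim; 198.51.100.0/24 is the amplifier network.
PACKETS = (
    [(0.00, "203.0.113.10", "198.51.100.255", 8)]          # spoofed request to broadcast
    + [(0.10 + i * 0.01, f"198.51.100.{i}", "203.0.113.10", 0) for i in range(1, 41)]
    + [(0.50, "203.0.113.10", "192.0.2.7", 8),             # a ping the victim really sent
       (0.60, "192.0.2.7", "203.0.113.10", 0)]             # and its legitimate reply
)

# Broadcast addresses the operator knows for their own subnets (assumed for the example).
BROADCAST_ADDRS = {"198.51.100.255"}


def broadcast_echo_requests(packets, broadcast_addrs=BROADCAST_ADDRS):
    """Amplifier-side check: echo requests aimed at a broadcast address, counted per
    (possibly spoofed) source. Any hit means the router should be dropping these."""
    hits = defaultdict(int)
    for _ts, src, dst, itype in packets:
        if itype == 8 and dst in broadcast_addrs:
            hits[src] += 1
    return dict(hits)


def unsolicited_reply_floods(packets, window=1.0, min_replies=20, min_sources=10):
    """Victim-side check: per destination and time window, count echo replies whose
    source that destination never pinged. Returns {dst: (replies, distinct_sources)}."""
    pinged = defaultdict(set)            # src -> hosts it sent echo requests to
    buckets = defaultdict(list)          # (dst, window index) -> unsolicited reply sources
    for ts, src, dst, itype in sorted(packets):
        if itype == 8:
            pinged[src].add(dst)
        elif itype == 0 and src not in pinged[dst]:
            buckets[(dst, int(ts // window))].append(src)
    flagged = {}
    for (dst, _w), sources in buckets.items():
        if len(sources) >= min_replies and len(set(sources)) >= min_sources:
            flagged[dst] = (len(sources), len(set(sources)))
    return flagged


if __name__ == "__main__":
    print("requests to broadcast:", broadcast_echo_requests(PACKETS))
    print("reply floods:", unsolicited_reply_floods(PACKETS))
```

The reply from 192.0.2.7 is not counted because the victim sent that echo request itself; only the 40 replies triggered by the spoofed broadcast request are flagged.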
SYN Flood (TCP SYN Attack)
Different phases of attack:
Phase 1: The attacker obtains the IP addresses of various systems.
Phase 2: Impersonating these systems, the attacker sends a number of SYN requests, the first signal sent to establish a TCP connection with the 3-way handshake.
Phase 3: The server hosting the website replies with a TCP SYN/ACK on receiving each SYN request and waits for the ACK signal from the IP address that was spoofed by the attacker.
Phase 4: The server thus wastes its resources and bandwidth waiting for an ACK signal that never arrives.
Steps to protect against SYN Flood
Decrease the TCP connection timeout on the victim server so that the server waits only a short time and stops waiting for the TCP ACK signal after that time.
Use a firewall as an intermediary between the attacker and the server.
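A simulation of the half-open connection table under the SYN flood phases above, added here as an example rather than taken from the deck. It shows why the "decrease the TCP connection timeout" step matters: with a long timeout the spoofed SYNs keep the backlog full and a real client is refused; with a short timeout the stale entries expire first. The event list, the backlog size of 128 and the timeout values are constructed assumptions.

```python
# Constructed handshake events as seen by the server, not a real capture:
# (ts_seconds, client_ip, client_port, flags). The server answers every SYN with a
# SYN/ACK and keeps a half-open entry until the client's ACK arrives or a timeout fires.
EVENTS = (
    [(0.00, "192.0.2.7", 40001, "SYN"), (0.05, "192.0.2.7", 40001, "ACK")]   # real client
    + [(0.10 + i * 0.001, f"198.51.100.{i % 250 + 1}", 50000 + i, "SYN")      # spoofed SYNs,
       for i in range(200)]                                                  # never ACKed
    + [(5.00, "192.0.2.7", 40002, "SYN"), (5.04, "192.0.2.7", 40002, "ACK")]   # real client
)


def simulate_backlog(events, syn_timeout, backlog=128):
    """Replay events against a half-open table of fixed size `backlog` (assumed value).
    Entries older than `syn_timeout` seconds are discarded before each event, which is
    the "decrease the TCP connection timeout" mitigation from the slide."""
    pending = {}                     # (ip, port) -> time we sent the SYN/ACK
    stats = {"completed": 0, "expired": 0, "refused": 0, "peak_half_open": 0}
    for ts, ip, port, flags in sorted(events):
        stale = [k for k, t0 in pending.items() if ts - t0 > syn_timeout]
        for k in stale:
            del pending[k]
        stats["expired"] += len(stale)
        key = (ip, port)
        if flags == "SYN":
            if len(pending) >= backlog:
                stats["refused"] += 1            # table full: this client is denied service
            else:
                pending[key] = ts
                stats["peak_half_open"] = max(stats["peak_half_open"], len(pending))
        elif flags == "ACK" and key in pending:
            del pending[key]
            stats["completed"] += 1
    stats["half_open"] = len(pending)
    return stats


if __name__ == "__main__":
    for timeout in (10.0, 3.0):
        print(f"syn_timeout={timeout}s -> {simulate_backlog(EVENTS, timeout)}")
```

With a 10 s timeout the second legitimate handshake is refused (1 completed); with a 3 s timeout the 128 stale entries expire before it arrives and both legitimate handshakes complete.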
UDP Flood
Different phases of attack:
Phase 1: As always, the attacker obtains the IP addresses of many devices.
Phase 2: He now sends data packets to random ports of the server.
Phase 3: The server finds that the data packet arrived at the wrong port and tries to notify the sender by sending back a destination unreachable message.
Phase 4: Even so, the continuous flow of data packets to different ports of the server continues; the server has time only to send destination unreachable packets and crashes due to overload.
Steps to protect against UDP flood attacks
Limit the rate at which destination unreachable messages are sent, or do not send such packets at all.
Introduce a firewall before the server to check whether incoming packets are addressed to a correct (open) port. If so, pass the packets; otherwise reject them.
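Both UDP flood protections above, as an added example that is not part of the deck: an integer token bucket that caps how many ICMP destination unreachable replies the server emits (Linux exposes the same idea as net.ipv4.icmp_ratelimit), and a firewall mode that drops packets to closed ports before the server sees them. The packet list, the open-port set and the limiter parameters are constructed for the example.

```python
# Constructed UDP packets at the server, not a capture: (ts_ms, src, dst_port).
# 1000 packets in one second from one source to successive closed ports, plus three
# legitimate DNS queries from another host.
FLOOD = [(i, "198.51.100.9", 1024 + i) for i in range(1000)]
LEGIT = [(50, "192.0.2.7", 53), (150, "192.0.2.7", 53), (250, "192.0.2.7", 53)]
OPEN_PORTS = {53, 123}          # services the host actually runs (assumed)


class TokenBucket:
    """Integer token bucket: one token every `interval_ms`, at most `burst` stored.
    Each ICMP error message sent costs one token; with no token it is suppressed."""
    def __init__(self, interval_ms, burst):
        self.interval_ms, self.burst = interval_ms, burst
        self.tokens, self.last_ms = burst, 0

    def allow(self, now_ms):
        refilled = (now_ms - self.last_ms) // self.interval_ms
        if refilled:
            self.tokens = min(self.burst, self.tokens + refilled)
            self.last_ms += refilled * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def process(packets, limiter=None, firewall_filters_ports=False):
    """Replay packets; return counts of delivered datagrams, ICMP port-unreachable
    replies actually sent, replies suppressed by the limiter, and packets the
    firewall dropped before the server saw them."""
    stats = {"delivered": 0, "unreachable_sent": 0, "suppressed": 0, "firewall_dropped": 0}
    for ts_ms, _src, port in sorted(packets):
        if port in OPEN_PORTS:
            stats["delivered"] += 1
        elif firewall_filters_ports:
            stats["firewall_dropped"] += 1      # server never generates an ICMP error
        elif limiter is None or limiter.allow(ts_ms):
            stats["unreachable_sent"] += 1
        else:
            stats["suppressed"] += 1
    return stats


if __name__ == "__main__":
    print("no protection:  ", process(FLOOD + LEGIT))
    print("rate limited:   ", process(FLOOD + LEGIT, TokenBucket(100, 20)))
    print("firewall filter:", process(FLOOD + LEGIT, firewall_filters_ports=True))
```

In all three modes the legitimate DNS queries are delivered; the limiter cuts the 1000 error replies to 29 (a burst of 20 plus one per 100 ms), and the firewall removes the reply traffic entirely.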
5 DDoS attack tools
Tool: attack methods supported
Trinoo: UDP
Tribe Flood Network (TFN): UDP, ICMP, SYN, Smurf
Stacheldraht: UDP, ICMP, SYN, Smurf
TFN2K: UDP, ICMP, SYN, Smurf
6 DDoS attack types
Direct attacks: the attacker sends a large number of packets directly towards the victim.
Reflector attacks: the attacker sends packets that require responses to the reflectors, with the packets' source address set to the victim's address.
7 Aim of a DDoS attack
01 Expression of anger and criticism.
02 Anticompetitive business practices.
03 To disrupt the operation of a private or government enterprise.
04 Means to extract money.
8 DDoS Mitigation
Identifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers.
Analyzing and filtering incoming traffic.
A DDoS attack can be direct or indirect (spoofing).
Comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, etc.
Set up both anti-DDoS technology and anti-DDoS emergency response services, such as CloudFlare or Radware.
9 Conclusion
DDoS is a dangerous and common type of cyber-attack.
It is an attempt to make services unavailable by overwhelming them with traffic from multiple sources.
A DDoS attack can be direct or reflected (spoofing).
Identifying, analyzing and filtering incoming traffic helps to protect against DDoS attacks.
Thank you!