SlideShare a Scribd company logo

Ddos and mitigation methods.pptx

O
Ozkan E

This document discusses DDoS attacks and mitigation methods. It begins by defining DDoS attacks as using multiple sources to overwhelm a target's availability, unlike a DOS attack which uses a single source. Common DDoS attack types are then outlined, along with the costs and impacts of attacks for victims. The document also provides details on specific attack methods like SYN floods, reflection attacks using DNS and NTP, and recommended mitigation techniques including whitelisting, rate limiting, and fingerprinting. It concludes by emphasizing that DDoS attacks are easy to carry out and difficult to detect, while having significant negative effects on victims.

Technology
1 of 47
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
DDOS Attacks and Mitigation Methods Özkan Erdoğan ozkan.erdogan@btpsec.com Ms.C, CISA, CEH, ISO 27001 LA BTPSec LTD info@btpsec.com Office:+44 203 2870040 +44 792 6112461 Address:5 Milton Grove, London UK
What is DOS & DDOS? ★ D = Distributed ○ DOS : focused on vulnerabilities, using single source ○ DDOS : overflow focused, using multiple sources ○ Target of attacks is to eliminate availability of the resource
What is DDOS
Is it possible to mitigate Ddos attacks? Our experience shows that its quite possible to mitigate ddos attacks. However, there are caveats such that: ❏ Most ddos attacks come big in volume where it saturates your bandwidth . Attack volume > Target network bandwidth (mbps). These attacks can be handled by obtaining service from global anti ddos providers: e.g. Cloudflare, Incapsula, Akamai etc. ❏ Other kinds of attacks are usually ineffective if we configure our network with correct measures.
Botnet Lethic , Cutwail, Grum (spam), Flashback (Mac), Zeus (bank), Spyeye (banka) etc..
Botnet Builder (10$)
Ddos Survey Results 61% loss of access to information 38% business stop 33% loss of job opportunities 29% reputation loss 26% insurance premium increases 65% Received security consultancy 49% More investments on IT 46% Started legal processes 43% Informed customers 36% Applied legal ways 26% Informed the media ● Spamhaus ● Chinese domain authority (.cn) ● Pohjola -Finland bank ● Nasdaq ● Bitcoin ● Bank of America
Ddos Costs
BOTNETs ➔ Controlled by Botnet herders ➔ Commanded via : Mirc, http(s), Tor (popular now) ➔ Injection methods: Wordpress, Joomla etc. old Windows systems are easiest targets. ➔ Botnet members are targeted to be amongst data center systems.
Ddos and mitigation methods.pptx
DDOS events 1. Spamhaus (DNS Amplification) 300gbps. a. 11 Feb 2015: New NTP attack: 400gbps 2. Brobot (American Financial companies) 3. Chinese attacks 4. Russia: DDOS gangs 5. Syn reflection attacks are gaining a rise.
DDOS Detection Methods ➔ Honeypot ➔ Flow ➔ DPI
DDOS Mitigation Methods (General) ★ ACL ★ BGP Routing (Cloud service) ★ Blackhole ★ Mitigation devices (Inline, Offline)
Basic DDOS Attacks ➔ Signature based attacks (Teardrop, Land, Smurf, Nuke,Fraggle vb) ➔ Volumetric attacks (legal and illegal attacks) ➔ Reflection (dns, syn) ➔ Application based attacks: e.g. Slow attacks ➔ Connection attacks
Protocols used in DDOS ➔ TCP/IP ◆ Tcp,udp, icmp, ◆ ➔ Other (GRE, ESP etc) ➔ IPv4 ➔ IPv6 ➔ Application layer ◆ Http, dns, VOIP etc.
IP Spoofing (&How to detect it) ➔ uRPF- Unicast reverse path forwarding. ➔ Source IP of packet is compared to the FIB table in router and dropped if routes are not the same. ➔ Authentication ➔ First packet drop, and let following packets go.
Attack Tools ➔ Hping, nping, mz, isic ➔ Slowloris, httpflooder, Torshammer, jmeter, ab, httpDOS, R-U-D-Y, pyloris etc. ➔ Scripts (socket programming: Python, Perl etc)
Volumetric Attacks Band filling attacks ➔ Network attacks (syn, syn-ack, ack, udp flood etc) ➔ Application Attacks (http, https, dns, voip etc) ➔ Botnet, HOIC, LOIC
Application Layer DDOS ➔ Slow attack (Apache)- slowloris, pyloris etc ➔ Slow Read- tcp window size ➔ RUDY- HTTP post ➔ XML dos ➔ SIP invite- multiple udp calls to overwhelm server..
How to mitigate DDOS attacks? ● WL/BL (ALL protocols) ● ACL (All protocols) ● Fingerprint (udp, dns) ● Authentication (tcp, http, dns) ● Session management (dns, tcp) ● Statistical Methods ● Rate Limit
Syn Flood and Prevention Attacker ServerSyn Syn Syn Syn Syn-Ack Syn-Ack Syn-Ack • Most popular ddos attack is syn flood. • Protection method: Authentication and WL. (Whitelisting) (Syn cookie vs. syn proxy) • Syn reflection factor • Syn flood from real IP addresses: TCP ratio mechanism
Syn-Ack Flood and Mitigation Attacker ServerSyn-Ack Syn-Ack Syn-Ack Syn-Ack • Protection: Check session table if syn-ack’s are real.
Ack Flood ve Mitigation Attacker ServerAck Ack Ack Ack • Protection: Check session table if ack’s are real.
FIN/RST Flood and Mitigation Attacker ServerFin/Rst Fin/Rst Fin/Rst Fin/Rst • Protection: Check session table if packets are real.
Udp Flood and Mitigation Attacker ServerUdp Udp Udp Udp • Udp is the most effective for ddos • Protect method: Payload and Header. (Fingerprint) • Dest.port, source port, ttl, source/dest IP also checked • ACL
Icmp Flood and Mitigation Attacker ServerIcmp Icmp Icmp Icmp • Protect method: Payload and Header. (Fingerprint) • Session check (query, response) • Rate limit • ACL
TCP Connection Flood & Mitigation ❏ Low rate attack (Protection: Number of connections are analyzed- Bot detection methods are used) ❏ TCP Null connection attack (No packets after handshake) ❏ Also check for rates of: ❏ New connections ❏ Total connections per second
TCP Retransmission Attack
SIP Flood
SIP Invite Flood
SIP Flood Prevention Methods ➢ Traffic limiting ➢ Source IP limiting ➢ Fingerprint
Http(s) Get/Post Flood Attacker ServerSyn HTTP get Ack Syn-Ack HTTP get HTTP get HTTP get
Http Ddos Detection & Mitigation Methods ● Authentication (Http redirection) ● SSL Ddos (Crypto handshake messages increase abnormally) ● Captcha usage ● Fingerprint
Example: Http Get Attack
DNS Flood ➔ Is the target DNS: Authoritative DNS or cache DNS?
DNS Attacks- Continued ★ Dns Cache poisoning attack ★ ★ Dns reflection attack ★ ★ Dns query/repsonse attacks
DNS Query/Response Attacks SP DNS 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker 3. IP= XXX.XXX.XXX =news.google.com DNS Reply Flood Attacker
DNS Cache Poisoning SP DNS 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker 3. abc.google.com= x.x.x.x DNS Reply Attacker • Domain info on Cache DNS servers are attempted to be changed with the fake one. • Attacker should guess the query id correctly. (which is so easy if query id’s are not random) DNS Reply
DNS Reflection Open DNS resolvers 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker DNS Reply • Attacker uses victim’s IP address as his source, and sends a dns query to all known dns servers. • Thousands of resolvers return the answer to the victim and victim is Ddos’ed DNS Reply DNS authority Victim
DNS Attacks Conclusion: ➔ DNS attacks are very dangerous and can be performed with the least effort and cost . ➔ Ddos attacks are on the rise every year and quite possible to be so in the future. ➔ Udp and Dns based ddos attacks are the most effective protocols for ddos.
Methods To Protect Against DNS Ddos Attacks ➔ Session control (Two way traffic) ➔ DNS proxy, caching ➔ DNS-Tcp Authentication ➔ First packet drop ➔ Domain name limiting ➔ Traffic limiting
An Effective Mitigation Technique: Fingerprinting Packet header and payload is analyzed to determine a fingerprint of attack.
Syn Reflection
DNS Reflection (Attack multiplier 10x)
NTP Amplification ( Attack multiplier 300x) Can also use snmp for upto 600x , however snmp seldom allows nonauthenticated clients 11 February 2015: New NTP attack: 400gbps
Ddos Summary ● Extremely easy to attack ( Many free and user friendly tools) ● Impossible to be detected (If correctly hides) ● Big effects on the victim ● Attack types and methods are broad. ● Every application or service has its own ddos vulnerabilities ● ...Spoofing is possible and mostly costless ● ...AGAIN.. attack tools are free
THANKS QUESTIONS???

More Related Content

What's hot (20)

PDF
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
FrancisJeremiah1
 
PPTX
Network And Application Layer Attacks
Arun Modi
 
PDF
DNS Security
johnmcclure00
 
PDF
08 tcp-dns
pantu_1961
 
PDF
Assume Compromise
Zach Grace
 
PPTX
Session for InfoSecGirls - New age threat management vol 1
InfoSec Girls
 
PDF
Dns tunnelling its all in the name
Security BSides London
 
PPTX
Understanding DNS Security
Nihal Pasham, CISSP
 
PDF
Dnssec tutorial-crypto-defs
AFRINIC
 
PDF
Строим ханипот и выявляем DDoS-атаки
Positive Hack Days
 
PDF
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
PDF
Detecting dns-tunneling-34152
huynhvanphuc
 
PDF
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
PPT
Intro To Hacking
nayakslideshare
 
PDF
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
PDF
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
PPTX
Hiding in plain sight
Rob Gillen
 
PPTX
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
OpenDNS
 
PDF
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
PDF
IPv6 Threat Presentation
johnmcclure00
 
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and...
FrancisJeremiah1
 
Network And Application Layer Attacks
Arun Modi
 
DNS Security
johnmcclure00
 
08 tcp-dns
pantu_1961
 
Assume Compromise
Zach Grace
 
Session for InfoSecGirls - New age threat management vol 1
InfoSec Girls
 
Dns tunnelling its all in the name
Security BSides London
 
Understanding DNS Security
Nihal Pasham, CISSP
 
Dnssec tutorial-crypto-defs
AFRINIC
 
Строим ханипот и выявляем DDoS-атаки
Positive Hack Days
 
2016 state of the internet threat advisory dnssec ddos amplification attacks
Andrey Apuhtin
 
Detecting dns-tunneling-34152
huynhvanphuc
 
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
Intro To Hacking
nayakslideshare
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
OpenDNS
 
CNIT 40: 2: DNS Protocol and Architecture
Sam Bowne
 
Hiding in plain sight
Rob Gillen
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
OpenDNS
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
IPv6 Threat Presentation
johnmcclure00
 

Viewers also liked (6)

PDF
EECS 441 Company Presentation (Arbor Networks)
Rebecca Preib
 
PDF
More Databases. More Hackers. More Audits.
Imperva
 
PPTX
Gartner MQ for Web App Firewall Webinar
Imperva
 
PPTX
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Imperva
 
PPT
DDoS Attacks
Jignesh Patel
 
PPT
10 DDoS Mitigation Techniques
IntruGuard
 
EECS 441 Company Presentation (Arbor Networks)
Rebecca Preib
 
More Databases. More Hackers. More Audits.
Imperva
 
Gartner MQ for Web App Firewall Webinar
Imperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Imperva
 
DDoS Attacks
Jignesh Patel
 
10 DDoS Mitigation Techniques
IntruGuard
 
Ad

Similar to Ddos and mitigation methods.pptx (20)

ODP
DDoS - unstoppable menace
Aravind Anbazhagan
 
ODP
DDoS - unstoppable menace
Aravind Anbazhagan
 
PPTX
Denial of Service (DoS) and Distributed DoS (DDoS) Attacks
Swarup Saw
 
PDF
Distributed Denial of Services (DDoS) Attacks Conceptual Intro
SakthiSaravananShanm
 
PDF
A10 issa d do s 5-2014
Raleigh ISSA
 
PPTX
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
PDF
KHNOG 3: DDoS Attack Prevention
APNIC
 
PDF
denialofservice.pdfdos attacck basic details with interactive design
perfetbyedshareen
 
PPTX
BADCamp 2017 - Anatomy of DDoS
Suzanne Aldrich
 
PPTX
Denial of service
garishma bhatia
 
PPTX
DDoS attacks
Ch Anas Irshad
 
PPTX
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
PriyadharshiniHemaku
 
PPTX
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
Marta Pacyga
 
PPTX
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PROIDEA
 
PPT
Protecting your business from ddos attacks
Saptha Wanniarachchi
 
PPTX
Day 2 - 1. Denial of Sergvice (DoS) Attacks.pptx
pfeprojet
 
PPTX
Day 2 - 1. Denial of Service (DoS) Attacks.pptx
pfeprojet
 
PPTX
Denial of Service (DoS) Attacks and its types
johnjeremiah9
 
PPTX
DrupalCon Vienna 2017 - Anatomy of DDoS
Suzanne Aldrich
 
PDF
Ntp in Amplification Inferno
Sriram Krishnan
 
DDoS - unstoppable menace
Aravind Anbazhagan
 
DDoS - unstoppable menace
Aravind Anbazhagan
 
Denial of Service (DoS) and Distributed DoS (DDoS) Attacks
Swarup Saw
 
Distributed Denial of Services (DDoS) Attacks Conceptual Intro
SakthiSaravananShanm
 
A10 issa d do s 5-2014
Raleigh ISSA
 
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
KHNOG 3: DDoS Attack Prevention
APNIC
 
denialofservice.pdfdos attacck basic details with interactive design
perfetbyedshareen
 
BADCamp 2017 - Anatomy of DDoS
Suzanne Aldrich
 
Denial of service
garishma bhatia
 
DDoS attacks
Ch Anas Irshad
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
PriyadharshiniHemaku
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
Marta Pacyga
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PROIDEA
 
Protecting your business from ddos attacks
Saptha Wanniarachchi
 
Day 2 - 1. Denial of Sergvice (DoS) Attacks.pptx
pfeprojet
 
Day 2 - 1. Denial of Service (DoS) Attacks.pptx
pfeprojet
 
Denial of Service (DoS) Attacks and its types
johnjeremiah9
 
DrupalCon Vienna 2017 - Anatomy of DDoS
Suzanne Aldrich
 
Ntp in Amplification Inferno
Sriram Krishnan
 
Ad

Recently uploaded (20)

PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PDF
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PDF
Market Insight : ETH Dominance Returns
CIFDAQ
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
The Future of Artificial Intelligence (AI)
Mukul
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 

Ddos and mitigation methods.pptx

  • 1. DDOS Attacks and Mitigation Methods Özkan Erdoğan [email protected] Ms.C, CISA, CEH, ISO 27001 LA BTPSec LTD [email protected] Office:+44 203 2870040 +44 792 6112461 Address:5 Milton Grove, London UK
  • 2. What is DOS & DDOS? ★ D = Distributed ○ DOS : focused on vulnerabilities, using single source ○ DDOS : overflow focused, using multiple sources ○ Target of attacks is to eliminate availability of the resource
  • 4. Is it possible to mitigate Ddos attacks? Our experience shows that its quite possible to mitigate ddos attacks. However, there are caveats such that: ❏ Most ddos attacks come big in volume where it saturates your bandwidth . Attack volume > Target network bandwidth (mbps). These attacks can be handled by obtaining service from global anti ddos providers: e.g. Cloudflare, Incapsula, Akamai etc. ❏ Other kinds of attacks are usually ineffective if we configure our network with correct measures.
  • 5. Botnet Lethic , Cutwail, Grum (spam), Flashback (Mac), Zeus (bank), Spyeye (banka) etc..
  • 7. Ddos Survey Results 61% loss of access to information 38% business stop 33% loss of job opportunities 29% reputation loss 26% insurance premium increases 65% Received security consultancy 49% More investments on IT 46% Started legal processes 43% Informed customers 36% Applied legal ways 26% Informed the media ● Spamhaus ● Chinese domain authority (.cn) ● Pohjola -Finland bank ● Nasdaq ● Bitcoin ● Bank of America
  • 9. BOTNETs ➔ Controlled by Botnet herders ➔ Commanded via : Mirc, http(s), Tor (popular now) ➔ Injection methods: Wordpress, Joomla etc. old Windows systems are easiest targets. ➔ Botnet members are targeted to be amongst data center systems.
  • 11. DDOS events 1. Spamhaus (DNS Amplification) 300gbps. a. 11 Feb 2015: New NTP attack: 400gbps 2. Brobot (American Financial companies) 3. Chinese attacks 4. Russia: DDOS gangs 5. Syn reflection attacks are gaining a rise.
  • 12. DDOS Detection Methods ➔ Honeypot ➔ Flow ➔ DPI
  • 13. DDOS Mitigation Methods (General) ★ ACL ★ BGP Routing (Cloud service) ★ Blackhole ★ Mitigation devices (Inline, Offline)
  • 14. Basic DDOS Attacks ➔ Signature based attacks (Teardrop, Land, Smurf, Nuke,Fraggle vb) ➔ Volumetric attacks (legal and illegal attacks) ➔ Reflection (dns, syn) ➔ Application based attacks: e.g. Slow attacks ➔ Connection attacks
  • 15. Protocols used in DDOS ➔ TCP/IP ◆ Tcp,udp, icmp, ◆ ➔ Other (GRE, ESP etc) ➔ IPv4 ➔ IPv6 ➔ Application layer ◆ Http, dns, VOIP etc.
  • 16. IP Spoofing (&How to detect it) ➔ uRPF- Unicast reverse path forwarding. ➔ Source IP of packet is compared to the FIB table in router and dropped if routes are not the same. ➔ Authentication ➔ First packet drop, and let following packets go.
  • 17. Attack Tools ➔ Hping, nping, mz, isic ➔ Slowloris, httpflooder, Torshammer, jmeter, ab, httpDOS, R-U-D-Y, pyloris etc. ➔ Scripts (socket programming: Python, Perl etc)
  • 18. Volumetric Attacks Band filling attacks ➔ Network attacks (syn, syn-ack, ack, udp flood etc) ➔ Application Attacks (http, https, dns, voip etc) ➔ Botnet, HOIC, LOIC
  • 19. Application Layer DDOS ➔ Slow attack (Apache)- slowloris, pyloris etc ➔ Slow Read- tcp window size ➔ RUDY- HTTP post ➔ XML dos ➔ SIP invite- multiple udp calls to overwhelm server..
  • 20. How to mitigate DDOS attacks? ● WL/BL (ALL protocols) ● ACL (All protocols) ● Fingerprint (udp, dns) ● Authentication (tcp, http, dns) ● Session management (dns, tcp) ● Statistical Methods ● Rate Limit
  • 21. Syn Flood and Prevention Attacker ServerSyn Syn Syn Syn Syn-Ack Syn-Ack Syn-Ack • Most popular ddos attack is syn flood. • Protection method: Authentication and WL. (Whitelisting) (Syn cookie vs. syn proxy) • Syn reflection factor • Syn flood from real IP addresses: TCP ratio mechanism
  • 22. Syn-Ack Flood and Mitigation Attacker ServerSyn-Ack Syn-Ack Syn-Ack Syn-Ack • Protection: Check session table if syn-ack’s are real.
  • 23. Ack Flood ve Mitigation Attacker ServerAck Ack Ack Ack • Protection: Check session table if ack’s are real.
  • 24. FIN/RST Flood and Mitigation Attacker ServerFin/Rst Fin/Rst Fin/Rst Fin/Rst • Protection: Check session table if packets are real.
  • 25. Udp Flood and Mitigation Attacker ServerUdp Udp Udp Udp • Udp is the most effective for ddos • Protect method: Payload and Header. (Fingerprint) • Dest.port, source port, ttl, source/dest IP also checked • ACL
  • 26. Icmp Flood and Mitigation Attacker ServerIcmp Icmp Icmp Icmp • Protect method: Payload and Header. (Fingerprint) • Session check (query, response) • Rate limit • ACL
  • 27. TCP Connection Flood & Mitigation ❏ Low rate attack (Protection: Number of connections are analyzed- Bot detection methods are used) ❏ TCP Null connection attack (No packets after handshake) ❏ Also check for rates of: ❏ New connections ❏ Total connections per second
  • 31. SIP Flood Prevention Methods ➢ Traffic limiting ➢ Source IP limiting ➢ Fingerprint
  • 32. Http(s) Get/Post Flood Attacker ServerSyn HTTP get Ack Syn-Ack HTTP get HTTP get HTTP get
  • 33. Http Ddos Detection & Mitigation Methods ● Authentication (Http redirection) ● SSL Ddos (Crypto handshake messages increase abnormally) ● Captcha usage ● Fingerprint
  • 35. DNS Flood ➔ Is the target DNS: Authoritative DNS or cache DNS?
  • 36. DNS Attacks- Continued ★ Dns Cache poisoning attack ★ ★ Dns reflection attack ★ ★ Dns query/repsonse attacks
  • 37. DNS Query/Response Attacks SP DNS 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker 3. IP= XXX.XXX.XXX =news.google.com DNS Reply Flood Attacker
  • 38. DNS Cache Poisoning SP DNS 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker 3. abc.google.com= x.x.x.x DNS Reply Attacker • Domain info on Cache DNS servers are attempted to be changed with the fake one. • Attacker should guess the query id correctly. (which is so easy if query id’s are not random) DNS Reply
  • 39. DNS Reflection Open DNS resolvers 1. What is the IP for abc.google.com? 2. What is the IP for abc.google.com? Attacker DNS Reply • Attacker uses victim’s IP address as his source, and sends a dns query to all known dns servers. • Thousands of resolvers return the answer to the victim and victim is Ddos’ed DNS Reply DNS authority Victim
  • 40. DNS Attacks Conclusion: ➔ DNS attacks are very dangerous and can be performed with the least effort and cost . ➔ Ddos attacks are on the rise every year and quite possible to be so in the future. ➔ Udp and Dns based ddos attacks are the most effective protocols for ddos.
  • 41. Methods To Protect Against DNS Ddos Attacks ➔ Session control (Two way traffic) ➔ DNS proxy, caching ➔ DNS-Tcp Authentication ➔ First packet drop ➔ Domain name limiting ➔ Traffic limiting
  • 42. An Effective Mitigation Technique: Fingerprinting Packet header and payload is analyzed to determine a fingerprint of attack.
  • 44. DNS Reflection (Attack multiplier 10x)
  • 45. NTP Amplification ( Attack multiplier 300x) Can also use snmp for upto 600x , however snmp seldom allows nonauthenticated clients 11 February 2015: New NTP attack: 400gbps
  • 46. Ddos Summary ● Extremely easy to attack ( Many free and user friendly tools) ● Impossible to be detected (If correctly hides) ● Big effects on the victim ● Attack types and methods are broad. ● Every application or service has its own ddos vulnerabilities ● ...Spoofing is possible and mostly costless ● ...AGAIN.. attack tools are free