Defense Against Denial of Service (DoS) Attacks
A. University Network Diagram illustrating the nature of the DDoS attack (attack traffic shown in red)
Hacking
[Figure: university network diagram built around a Cisco 2517 router and BayStack 5520-48T-PWR switches serving the computer labs; the attack path from the lab computers to the Registration System Server is drawn in red. The switch port labels that were extracted with the figure are not reproduced here.]
P a g e | 1 By Thomas A. Groshong Sr LOT2_Task1.docx
21 Nov 2011
B. Executive Summary: Measures to counter the University Distributed Denial of Service (DDoS) attack.
A DDoS attack against the University's Registration System Server (RSS) was launched from infected computers (Bots) located in the University Computer Labs (see diagram) and shut down access to the RSS. Orchestrated and controlled by a central controller, these Bots opened web connections (HTTP) to the RSS until all available bandwidth was used up, which prevented legitimate users from reaching the Web site/server for the duration of the attack. This is a resource-consumption attack: it exhausts the bandwidth available to the RSS rather than exploiting a flaw in the server itself (Specht, S. M., & Lee, R. B. (2004)). This summary addresses measures to counter this type of DoS attack.

Measures to counter a DoS attack can be broken down into two types: Defense in Depth and Countermeasures. Devices such as routers and proxy firewalls are designed to protect against attacks from outside the University's network boundary; they offer little protection when, as here, the attacking Bots sit inside that boundary. Up-to-date antivirus software on all network computers, an Intrusion Detection and Prevention System (IDPS) to monitor network traffic, and a host-based IDPS (the local computer firewall) are therefore recommended. Training of computer users and of the Information Technology (IT) personnel who manage computer services on the University network is critical to countering such attacks. Disaster Recovery procedures and/or checklists need to be created in advance and followed by IT staff during the attack phase.

Defense in Depth includes the following: the Principle of Least Privilege, Bandwidth Limitation, and Effective Patch Management (EPM). To reduce the risk of compromise, Microsoft's Active Directory (AD) security groups and Group Policy should be used to assign users the least privileges necessary to do their work. An ordinary user account is then far less able to install the rogue software (a virus or Trojan) that turns a lab computer into a Bot, which cuts off the starting point of a DDoS attack like this one.
Limiting bandwidth, or setting bandwidth caps, reduces the effect of a DDoS attack by restricting the amount of data any single computer can send, much as Internet Service Providers (ISPs) cap the traffic any one customer can push onto the Internet. If each lab computer is capped at a small fraction of the RSS link, a handful of Bots can no longer exhaust it. Automated patch management with Microsoft's System Center Configuration Manager (SCCM), to keep computers properly updated and patched, is essential. EPM reduces the risk of attack by removing vulnerabilities due to known weaknesses in applications and Operating Systems (OSs). A centrally managed host-based IDPS, or Host Based Security System (HBSS), that audits and reports on computer systems helps defend against known attacks. HBSS also centrally manages the local computer firewall configurations, which can be used to identify infected computers and to cut them off during an attack. AD, SCCM, and HBSS combine to reduce the likelihood of an attack and to provide valuable information during the attack and post-attack phases.

Countermeasures to internal network DDoS attacks consist of detection, neutralization, prevention of additional attacks, deflection, and post-attack forensics. In the current network design an IDPS can alert network administrators to a potential problem and block signature-based (known) attacks to help in mitigation. HBSS and the network IDPS allow administrators to shut down services or isolate hosts during an attack to neutralize it. Traffic patterns captured during a DDoS attack can be used for forensic analysis afterwards, and in particular to separate the Bots, which open many connections per second, from legitimate users. Load balancing distributes incoming requests across several servers or links, which increases the capacity available during peak hours of operation and during a DDoS attack; properly configured load balancing across network devices, services, and servers therefore reduces the effect of an attack (Householder, A., Manion, A., Pesante, L., Weaver, G., & Thomas, R. (2001)). Documentation of these processes provides effective lessons learned and should be the basis of future response procedures. Identifying Bot computers as quickly as possible and removing them from the network is an effective response to this kind of DDoS attack. Once a computer is off the network the Bot application can be removed from it; if removal is not possible or cannot be verified, the computer must be rebuilt from a clean baseline installation of the Operating System. With Defense in Depth and Countermeasures used together, DDoS damage can be significantly reduced.
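The following Python script is an added example and is not part of the original paper. It shows the two controls discussed above working together: the per-computer bandwidth limitation of the previous paragraph, implemented as a token bucket on HTTP requests per source address seen in the RSS web-server log, and the identification of Bot computers from the captured traffic pattern discussed in this paragraph, by ranking the addresses that keep exceeding the cap and tagging the lab subnet each sits in. The log lines, the lab subnets (10.20.5.0/24 and 10.20.6.0/24), the rate (2 requests per second, burst of 5) and the cutoff of 10 rejected requests are constructed assumptions, not values from the paper or the University network.

```python
"""Per-source HTTP request rate limiting and Bot identification for the RSS.

Added example, not code from the original paper.  A token bucket caps how many
requests any single client address may send to the Registration System Server
(RSS), so no lab computer can consume more than its share of bandwidth, and the
clients that keep hitting the cap are reported so they can be pulled off the
network.  Log lines, lab subnets and thresholds below are constructed values.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache/nginx Common Log Format:  host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Assumed lab subnets for the University Computer Labs (constructed values).
LAB_SUBNETS = {"Lab A": ip_network("10.20.5.0/24"),
               "Lab B": ip_network("10.20.6.0/24")}


def parse_log(lines):
    """Return (epoch_seconds, host) tuples, oldest first; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((ts, m.group("host")))
    events.sort()
    return events


def rate_limit(events, rate=2.0, burst=5):
    """Token bucket per source: `rate` requests/second sustained, `burst` at once.

    Returns {host: {"allowed": n, "dropped": n}}.  A request that finds its
    bucket empty would be rejected (HTTP 429 or a firewall drop) instead of
    consuming RSS bandwidth.
    """
    tokens = {}        # host -> tokens left in its bucket
    last_seen = {}     # host -> time of its previous request
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, host in events:
        level = tokens.get(host, float(burst))
        level = min(burst, level + (ts - last_seen.get(host, ts)) * rate)  # refill
        last_seen[host] = ts
        if level >= 1.0:
            level -= 1.0
            stats[host]["allowed"] += 1
        else:
            stats[host]["dropped"] += 1
        tokens[host] = level
    return dict(stats)


def identify_bots(stats, min_dropped=10):
    """Hosts with at least `min_dropped` rejected requests, worst first, with their lab."""
    suspects = []
    for host, s in stats.items():
        if s["dropped"] < min_dropped:
            continue
        addr = ip_address(host)
        lab = next((name for name, net in LAB_SUBNETS.items() if addr in net),
                   "outside labs")
        suspects.append((host, lab, s["dropped"]))
    suspects.sort(key=lambda t: t[2], reverse=True)
    return suspects


def constructed_log():
    """Constructed RSS access log: three normal users plus two Bots in Lab A."""
    def line(host, sec, path="/"):
        return (f'{host} - - [21/Nov/2011:09:00:{sec:02d} -0500] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = [line("10.20.6.44", s, "/courses") for s in (0, 7, 15, 31)]  # normal
    lines += [line("10.20.5.9", s, "/login") for s in (3, 20, 44)]       # normal
    lines += [line("203.0.113.9", s) for s in (5, 12)]                    # normal, off campus
    lines += [line("10.20.5.17", s // 10) for s in range(300)]           # Bot: 10 req/s for 30 s
    lines += [line("10.20.5.23", s // 20) for s in range(400)]           # Bot: 20 req/s for 20 s
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    stats = rate_limit(parse_log(constructed_log()))
    for host, lab, dropped in identify_bots(stats):
        print(f"{host:<14} {lab:<13} dropped={dropped:<4} allowed={stats[host]['allowed']}")
```

With the constructed log, each Bot gets only its burst of 5 plus 2 requests per second through while the rest are rejected, and the three normal users are never touched; the two Bots come out at the top of the list, both placed in Lab A, which is exactly the information the IT staff need to disconnect and reimage them.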
Defensive steps include user account best practices, an effective application patching process, current virus definitions, properly configured host-based firewall rules, and active network scans for anomalies by the IDPS; together these are effective tools against DDoS. Best practices for identifying infected computers, shutting them down, and preventing additional outbreaks must be documented. Education of users and IT staff reduces the root cause of DDoS attacks by reducing Bot infections. Tools such as AD, SCCM, and the IDPS, used properly, help detect these attacks and formulate an effective defense against them. Defense in Depth and Countermeasures used together form an effective process for dealing with DDoS attacks.
C. References
Defeating DDoS Attacks. (2004). Retrieved from Cisco Systems website: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5888/prod_white_paper0900aecd8011e927.pdf
Householder, A., Manion, A., Pesante, L., Weaver, G., & Thomas, R. (2001). Managing the Threat of Denial-of-Service Attacks. CERT Coordination Center, 543. Retrieved from http://www.cert.org/archive/pdf/Managing_DoS.pdf
Specht, S. M., & Lee, R. B. (2004). Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures. In Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems. 2004 International Workshop on Security in Parallel and Distributed Systems, (p. 543-550). Retrieved from http://palms.ee.princeton.edu/PALMSopen/DDoS Final PDCS Paper.pdf