A denial-of-service attack, a DoS attack, involves an attacker or multiple attackers trying to overload some resources at some target. The resources may be the network resources. It may be the processor, making the processor overloaded, or some application resources. So we saw briefly an example of a TCP SYN flooding attack. Any questions about TCP SYN flooding? That's a question. Everything OK with SYN flooding? Probably a question in the exam in about a week or a bit over a week's time. So we need to understand the details of how flooding attacks can be applied and the different mechanisms that can be combined together to create a more successful attack. We then introduced a ping flooding attack. We know how ping works. Ping is an application. Our source computer sends an ICMP echo request message to the target, and the target normally responds. Now, the idea with a ping flooding attack is to get the number of echo requests going to the target to overflow the link leading into the target's network. So in this scenario, the link going into the target's network, this line here, we assume is the slowest link in the path, the bottleneck link. And if the attacker can generate enough ping messages, echo requests, such that those coming into this link start to approach the capacity of that link, then you can think of the capacity of the link as used up for sending the ping requests, and there's no space available for sending the normal requests. For example, if the target is a website, the normal requests from other computers on the internet going to that website will be delayed significantly or maybe even dropped at the router, therefore denying normal users service. So just get the attacker to send many pings. Why ping? Why not other applications or protocols? What's the good thing about ping? Why not use HTTP GET requests or secure shell requests? Too big? Well, we actually want to send a lot of traffic.
We want to generate a lot of bytes per second going to the target, so bigger is sometimes better. Why not send from the attacker some HTTP GET requests or some secure shell connection requests using some other application? The benefit of ping, and we'll see it when we look at the other mechanisms, the benefit of ping is that most computers will respond to ping. Even if it's a PC out on the internet, if someone sends a ping echo request to it, it will reply. Whereas my computer will only reply to a web page request if I'm running a web server. Many home computers will not run a web server. So we'll see in the larger attacks, ping has this advantage that most computers will respond if someone pings them. So assuming that this link is the bottleneck, what the attacker needs to do is send ping requests fast enough to overflow that bottleneck. Let's say this is a real website, and let's say there's a single server and the capacity of this link is, say, one gigabit per second. So the company has an incoming link at one gigabit per second. Then the attacker's goal is to be able to send pings at a rate that exceeds one gigabit per second. How do we do that? How do we send packets such that the total will exceed one gigabit per second? How many pings do we need to send per second? We want to exceed one gigabit per second. How many pings do we need to send per second? How do you calculate it in the exam? You want to calculate how you would set the sender to send in order to overflow the link. Well, we know ping, a very simple application, generates packets at a regular interval and sends them. So we need to know what interval and what packet size we can combine to generate one gigabit per second. Let's try some numbers. So let's say we want to exceed one gigabit per second. To exceed, that's our aim. Or get close to, at least. So let's aim for one gigabit per second. If the capacity is this amount, we want to get close to or even exceed it.
A ping message, the one that we send, is called an echo request. How big is an echo request? When we normally ping someone, that is, ping another node, how big is a ping? By default, when we ping someone... I just have some different nodes on this computer. When I ping address 192.168.3.31, another computer in this virtual network, it by default sends one message per second, one echo request per second, with 56 bytes of data. But if you add in the header, if you add in the 20-byte IP header and the 8-byte ICMP header, I think it goes up to 84 bytes as the total size of the packet. So about 84, and we can change the size of course. Let's say 900 bytes. Then we have 900 bytes of data, 20 bytes of IP header, 8 bytes of ICMP header. And the response that comes back contains an additional 908 bytes. So we can set the size to whatever we like. There are limits as to how many packets can be sent, based upon the packet size supported by the lower layers. Let's say we set it to approximately 1,000 bytes. Let's say it was 1,000 bytes. What interval do we need? Or how many pings per second to get one gigabit per second? We need to send 1,000,000 bits per second. Bits per second, that's 1 gigabit per second we want to send. We have every packet at 1,000 bytes, or 8,000 bits. Actually, we'll do it the other way to get the answer in pings per second: divided by the size, 125,000 pings per second. If we send 125,000 per second, and every one contains 8,000 bits, it totals up to 1 gigabit per second. So this is just an indicator that if we wanted to overflow this link, we need to send 125,000 pings per second. Sometimes I'll abbreviate that as packets per second, PPS, or you'll see p/s, but packets per second. Because every packet is 8,000 bits, we'll get up to 1 gigabit per second. Now I don't think my computer will support sending at that speed. It means setting the interval. The interval needs to be the inverse of that. We'll try, we'll show you again.
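An added example, not from the lecture, that carries the link-saturation arithmetic above through in Python: it builds the total packet size from the ping data size plus the 8-byte ICMP and 20-byte IPv4 headers, derives the packets per second and ping interval needed to fill a link of a given capacity (the lecture's 1 gigabit per second link and the 100 kilobit per second lab link), and converts an observed ping rate back into offered load so a defender can see what fraction of a link a measured request stream takes. The header sizes, data sizes and link rates are the lecture's; the function names are mine.

```python
# Added example (not from the lecture): link-saturation arithmetic for an
# ICMP echo flood, seen from the defender's side: how much request traffic a
# link of a given capacity can absorb before normal traffic is crowded out.

ICMP_HEADER_BYTES = 8    # ICMP echo header, as quoted in the lecture
IPV4_HEADER_BYTES = 20   # IPv4 header without options, as quoted in the lecture
BITS_PER_BYTE = 8


def ping_packet_bytes(data_bytes: int) -> int:
    """Total IPv4 packet size of one echo request carrying `data_bytes` of data.

    ping's default of 56 data bytes gives an 84-byte packet; 972 gives 1000.
    """
    return data_bytes + ICMP_HEADER_BYTES + IPV4_HEADER_BYTES


def packets_per_second_to_fill(link_bps: float, packet_bytes: int) -> float:
    """Packet rate at which packets of `packet_bytes` fully occupy `link_bps`."""
    return link_bps / (packet_bytes * BITS_PER_BYTE)


def ping_interval_seconds(link_bps: float, packet_bytes: int) -> float:
    """The ping -i interval that corresponds to the saturating packet rate."""
    return 1.0 / packets_per_second_to_fill(link_bps, packet_bytes)


def offered_load_bps(packets_per_second: float, packet_bytes: int) -> float:
    """Bits per second placed on the link by a stream of equal-sized packets.

    Counts one direction only (the echo requests). The echo replies travel the
    other way on the same link, which is why an in+out interface counter such
    as the one shown in the lecture reads roughly double this figure.
    """
    return packets_per_second * packet_bytes * BITS_PER_BYTE


def link_utilisation(packets_per_second: float, packet_bytes: int,
                     link_bps: float) -> float:
    """Fraction of `link_bps` consumed by the request stream (1.0 = saturated)."""
    return offered_load_bps(packets_per_second, packet_bytes) / link_bps


def saturation_plan(link_bps: float, data_bytes: int) -> dict:
    """Summarise what it takes to fill `link_bps` with pings of `data_bytes` data."""
    size = ping_packet_bytes(data_bytes)
    pps = packets_per_second_to_fill(link_bps, size)
    return {
        "packet_bytes": size,
        "packets_per_second": pps,
        "interval_seconds": 1.0 / pps,
    }


if __name__ == "__main__":
    # The lecture's two scenarios: a 1 Gbit/s company link and the 100 kbit/s
    # lab link between nodes 7 and 8, both with 972 data bytes per ping.
    scenarios = (("1 Gbit/s link", 1_000_000_000), ("100 kbit/s lab link", 100_000))
    for label, link_bps in scenarios:
        plan = saturation_plan(link_bps, 972)
        print(f"{label}: {plan['packet_bytes']} B packets, "
              f"{plan['packets_per_second']:g} pps, "
              f"interval {plan['interval_seconds']:g} s")
    # The lab run: ping -i 0.1 (10 pps) of 1000-byte packets on the 100 kbit/s link.
    print(f"10 pps of 1000 B = {offered_load_bps(10, 1000):g} bit/s, "
          f"{link_utilisation(10, 1000, 100_000):.0%} of the lab link")
```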
I'm trying to ping with a very small interval. So we'll send 125,000 messages per second. Size 900, well, it's about... if we take into account the header, that brings us up to 1,000. When I run it, it says my computer won't allow me to do that. I don't have permissions to send at such a small rate. If I don't have permissions, I can try sudo. It's trying, but no, it's not sending 125,000 per second even though I set the rate to be that. It only in that case sent 100 in those several seconds. My computer's not, or the software's not, configured to be able to send at that rate. So even if we want to, we need to make special modifications to be able to generate and transmit packets at that rate. So one of the problems here with the attacker is that they need to generate this large amount of traffic. And that's hard because it requires them to have a high-speed computer and a high-speed link to be able to send at one gigabit per second. And like we said last week, not many people at home have a one gigabit per second uplink to send out to the network. So what can the attacker do? We'll go through a set of mechanisms. If they did manage to send, the idea is they send many packets per second to the target and the target sends back. The way for the attacker to be blocked in this case is for an ISP to block ping packets. But that means ping will not work for normal people. To identify the source, since we're using our original IP address, the target can identify who's doing the attack and then take some action. And the other problem is the attacker needs high performance to do this. So the next thing we said was to use a fake source address. The attacker doesn't send a packet where the source address is theirs, but someone else's. And this is an example. The way that IP addresses are structured in the internet is usually that an internet service provider that you subscribe to allocates you an IP address within a range.
So your ISP has a group of addresses to give to its customers. You get one of them in that range and other customers get similar addresses, but unique. So in this example, the idea is that this ISP, the one that the attacker's using, has a range of addresses. The range in the example is 72.16.0.0/16. The idea is that every customer of the internet service provider would have an IP address 72.16.something.something. That's a common setup. So our attacker, which is a customer, maybe 72.16.3.4; other customers 72.16.something.something. So what the attacker does for their ping-flooding attack is that when they send that echo request, they don't use their real IP address as the source. They generate a packet and they set the source address to be a fake one. Let's say they choose some fake random IP address, 33.101.53.2. If the attacker does that, then it's harder for the target to track the attacker. That's better for the attacker. Now, the problem is that some internet service providers will not allow you to send a packet with a fake source address. The ISPs set up their network such that if one of their customers is sending a packet out to the internet, then they will check: does the source address match the address allocated to this customer? If so, that's okay. But if it doesn't, do not allow that packet out. So in this case, if the ISP was configured in this way, a packet comes from this computer, source address 33.101.53.2. The ISP realizes, ah, I have no customers in this network with this address. Maybe someone's using a fake address and trying to perform some attack, and therefore the ISP would filter those packets or drop those packets. So it would say this packet cannot go out to the internet. So this is a common technique used by organizations, including internet service providers, to stop denial of service attacks: to disallow the use of fake source addresses. The ISP filters or drops packets that come from an invalid source address.
Making it harder for the attacker. Now they need to use a real source address. If all internet service providers in the world did such filtering, then many denial of service attacks would not be possible, because they usually depend upon using fake addresses. Unfortunately, there are some ISPs that don't do that filtering. They haven't set it up, they forgot about it or they don't care about it. And therefore there are still attackers that can send packets with fake source addresses. So it's recommended practice for ISPs to block packets from fake source addresses. Unfortunately, not all of them do. Therefore, denial of service attacks are still quite common. If the fake source address was not blocked, if the ISP was not configured to block it, then effectively what happens? We send our ping packets from the attacker. Usually we'd use a different source address each time. Maybe just choose a random IP address, or one from some set. The echo request packets go to the target. The replies go to the source, and the source was some fake address, so the replies may go to some random computers on the internet. They ignore them, but from the target's perspective it doesn't easily identify who the source is. And from the attacker's perspective the traffic is not coming back to it, not overflowing its inbound link. So that's the one advantage of source address spoofing, or using a fake source address. So from the attacker's perspective with denial of service, and especially ping flooding, their aim is to get the target's network to receive as much traffic as possible. And we said a simple way to do that is to send packets very fast. And large packets. Now there are usually limits on the packet size because links have limits; usually 1,500 bytes is the upper size. So it means we need to send as many as possible. The problem from the attacker's perspective is that if they have to send a lot, it costs them a lot of resources.
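An added example, not from the lecture, of the ISP-side check described above: a small source address validation filter in Python that forwards a customer's packet only when its source address lies within the prefix allocated to that customer, and drops and counts anything else so repeated spoofing from one customer port can be flagged. The prefix 72.16.0.0/16, the customer address 72.16.3.4 and the fake source 33.101.53.2 are the lecture's numbers; the packet records and port names are constructed for the example, and the function and field names are mine.

```python
# Added example (not from the lecture): a source address validation filter of
# the kind an ISP applies at its customer edge, so that packets carrying a fake
# source address never leave the ISP's network.
import ipaddress
from collections import Counter

# Which prefix each customer port (interface) is allowed to source from.
# 72.16.0.0/16 is the range used in the lecture; the port name is made up.
ALLOCATIONS = {
    "cust-port-1": [ipaddress.ip_network("72.16.0.0/16")],
}


def source_allowed(src: str, ingress_port: str, allocations=ALLOCATIONS) -> bool:
    """True if `src` lies inside a prefix allocated to the customer on `ingress_port`.

    Unknown ports and unparsable addresses fail closed (the packet is dropped).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in prefix for prefix in allocations.get(ingress_port, []))


def ingress_filter(packets, allocations=ALLOCATIONS):
    """Split packets into (forwarded, dropped, drops_per_port).

    Each packet is a dict with 'port', 'src', 'dst' and 'proto' keys.
    """
    forwarded, dropped = [], []
    drops_per_port = Counter()
    for pkt in packets:
        if source_allowed(pkt["src"], pkt["port"], allocations):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_per_port[pkt["port"]] += 1
    return forwarded, dropped, drops_per_port


def spoof_alerts(drops_per_port, threshold: int):
    """Ports whose drop count reaches `threshold`: likely spoofing sources to investigate."""
    return sorted(port for port, n in drops_per_port.items() if n >= threshold)


# Constructed sample traffic from one customer port: a genuine ping, a ping
# carrying the lecture's fake source, a second fake source from a documentation
# range, and another genuine address inside the customer's prefix.
SAMPLE_PACKETS = [
    {"port": "cust-port-1", "src": "72.16.3.4",    "dst": "192.168.3.31", "proto": "icmp"},
    {"port": "cust-port-1", "src": "33.101.53.2",  "dst": "192.168.3.31", "proto": "icmp"},
    {"port": "cust-port-1", "src": "198.51.100.7", "dst": "192.168.3.31", "proto": "icmp"},
    {"port": "cust-port-1", "src": "72.16.200.9",  "dst": "192.168.3.31", "proto": "icmp"},
]

if __name__ == "__main__":
    fwd, drop, per_port = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt in drop:
        print(f"  dropped spoofed source {pkt['src']} on {pkt['port']}")
    print("ports to investigate:", spoof_alerts(per_port, threshold=2))
```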
So what a successful denial of service attack would like to do is this: the attacker sends a little bit, but it generates a lot of traffic at the target. That's the aim, and that's what we'll see the next approaches try to do. What we'd like is that the attacker, when it sends packets, sends at a low rate, and when the target receives, it receives at a very high rate. So we'd like to take advantage of some of the protocols or some of the networking features so that, from the attacker's perspective, it doesn't have to do much to overflow the target, and that's what the next mechanisms will try to achieve. Another one of those mechanisms, and it will be combined with others in a moment, is that when we send with a fake source address, we don't need to send direct to the target. In some cases we can send to some other computers in the internet and get them to send to the target. If this attacker sends to, say, these three computers on the internet, and in each case it sets the source address to be that of the target, then these three computers, when they reply, will send their reply to the target. This is called a reflector attack: we're reflecting the messages off some innocent computers in the internet. And with ping that's generally possible, if those innocent computers will respond to ping packets. If this one receives a ping packet, it sends an echo reply to whoever sent the echo request. Who sent the echo request is in the source address. If it's a fake source address and the source identifies the target, then this one sends the reply to the target, as do the other computers. They all send to that target. What else can we do to increase the load?
Well, if we could take that approach but get the replies to be larger than the requests. The concept is that we send small requests to these innocent computers; using the protocol, they send a response to the source, which is the target, and the attack will be successful if that response is significantly larger than the request, because that leads to a scenario where the attacker is sending a small amount of data out but a large amount of data is going into the target. Going back to our ping example, let's come back to our numbers. With ping it doesn't work so well. How big is an echo reply? We said our echo request was a thousand bytes. Is a ping reply larger or smaller than a ping request? Many of you are experts on ping. You've used it in an assignment last semester, you've used it in labs this semester, so in the exam I'll assume that you know how ping works. Is the reply larger than, equal to or smaller than the request? Well, there's a little bit of a hint when we do our test. Let's set it to 972, almost the same. When I set the size to be 972, it's actually 972 bytes of data plus 8 bytes of ICMP header plus 20 bytes of IP header, so 972 plus the 28 is a thousand bytes in the packet being sent out. What comes back is also effectively a thousand bytes. There may be a small difference, so 980 bytes coming back. That is, the ping request and ping reply are about the same size. You'd need to capture the exact packets to see, but with ping the reply is also a thousand bytes. So we have a problem from the attacker's perspective with ping: everything I send, the same size will be received by the target. What if we had another protocol? What if ping was different and, let's say, the request was 100 bytes and the reply was 1000 bytes? If ping operated like this, then what happens? As the attacker, I send these small packets out at a rate of 125,000 packets per second, and I send them to these... it's hard to draw here, but to these other computers on the internet. It's better on the slides. I send them to,
say, random computers on the internet, sending at a rate of 100 bytes, 125,000 times per second, which is equal to 100 megabits per second sending. When these computers receive the request, they send a reply. They send a reply into the target, and if the reply is larger, say a thousand bytes, they send at the same rate, but since the replies are larger, in this case 10 times larger, the total amount coming into the target will be 1 gigabit per second. This is just because of the mismatch, or the difference, in the size of the request and the response. From the attacker's perspective this is good. What the attacker needs to do is send out at 100 megabits per second, sending out to some other computers on the internet, and when they receive, they all reply to the target, and since the replies are large compared to the request, the amount coming into the target is much more than what the attacker needs to send out. The attacker sends out 100 megabits per second; the target receives 1 gigabit per second. So effectively the attacker has to do less to overflow the target, and that's good from the attacker's perspective. So what a denial of service attack in practice would need to do is to make sure that the protocol supports having replies larger than the requests. Ping doesn't do that. In ping the request and reply are about the same, so such an attack is not useful with ping. But there are other protocols where it is the case that the reply can be much larger than the request. If the attacker can use those, then their denial of service attack can be much more effective. Who has 100 megabits per second upload speed at home? What's your upload speed at home? Maybe some of your friends you've heard have higher ones. What's the highest you've heard? Maybe home cable or fibre optic, in the order of 10 megabits per second. So say a single home attacker: their upload speed is in the order of megabits per second, maybe tens of megabits per second if they pay a bit more. So that's all they have to send out,
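An added example, not from the lecture, that puts the reflection arithmetic above into Python: the attacker's outbound rate, the rate arriving at the target once each request is answered by a reply of a different size, and the amplification factor a protocol would need for a given home uplink to fill a given target link. It goes slightly beyond the paragraph in one way: a `replies_per_request` parameter models one request that is answered by several hosts, so the same functions cover a single reflector and a request that reaches many responders, and a helper shows how thinly a spread of requests lands on each reflector. The 100-byte request, 1000-byte reply, 125,000 packets per second and link rates are the lecture's; the function names are mine.

```python
# Added example (not from the lecture): arithmetic for reflection and
# amplification, used to size the risk: for each bit the attacker sends,
# how much arrives at the target given what the protocol replies with.
BITS_PER_BYTE = 8


def amplification_factor(request_bytes: int, reply_bytes: int,
                         replies_per_request: int = 1) -> float:
    """Bytes arriving at the target per byte the attacker sends out.

    Ping: 1000-byte request, 1000-byte reply -> 1.0 (no gain).
    The lecture's hypothetical protocol: 100 in, 1000 out -> 10.0.
    `replies_per_request` > 1 models one request answered by many hosts.
    """
    return reply_bytes * replies_per_request / request_bytes


def target_receive_bps(attacker_send_bps: float, request_bytes: int,
                       reply_bytes: int, replies_per_request: int = 1) -> float:
    """Rate arriving at the target when every request is reflected as replies."""
    requests_per_second = attacker_send_bps / (request_bytes * BITS_PER_BYTE)
    return requests_per_second * replies_per_request * reply_bytes * BITS_PER_BYTE


def required_attacker_bps(target_link_bps: float, request_bytes: int,
                          reply_bytes: int, replies_per_request: int = 1) -> float:
    """Outbound rate an attacker needs so the reflected replies fill `target_link_bps`."""
    return target_link_bps / amplification_factor(request_bytes, reply_bytes,
                                                  replies_per_request)


def factor_needed(uplink_bps: float, target_link_bps: float) -> float:
    """Amplification a protocol must offer for `uplink_bps` to fill `target_link_bps`."""
    return target_link_bps / uplink_bps


def per_reflector_pps(attacker_pps: float, reflector_count: int) -> float:
    """Requests each reflector sees when the attacker spreads them evenly."""
    return attacker_pps / reflector_count


if __name__ == "__main__":
    # The lecture's case: 125,000 requests/s of 100 bytes = 100 Mbit/s out.
    out_bps = 125_000 * 100 * BITS_PER_BYTE
    print(f"attacker out: {out_bps / 1e6:g} Mbit/s")
    print(f"ping (1000/1000): target sees "
          f"{target_receive_bps(out_bps, 1000, 1000) / 1e6:g} Mbit/s")
    print(f"100/1000 protocol: target sees "
          f"{target_receive_bps(out_bps, 100, 1000) / 1e9:g} Gbit/s")
    # A 10 Mbit/s home uplink against a 1 Gbit/s target link.
    print(f"factor needed from a 10 Mbit/s uplink: {factor_needed(10e6, 1e9):g}x")
    # 100,000 requests/s spread over 100,000 reflectors: one per reflector per second.
    print(f"load per reflector: {per_reflector_pps(100_000, 100_000):g} pps")
```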
not even 100 megabits per second. They only have that amount of capacity. So from their perspective, what they want to do is to be able to send out, say, that 10 megabits per second but still overflow the target, which has a link of, say, 1 gigabit per second. So one way to do that is to use a protocol such that what they send out is much, much smaller than what is sent in the reply, and using this reflector they can overflow the target with a small sending rate. That's what I try to illustrate here: we send out small packets to these innocent nodes on the internet, who reply to the source, where the source is in fact the target, using a fake source address, and those reply packets are larger, making the receive rate of the target much larger. Some of the protocols that do that are very specialised. So ping doesn't do that. Domain name system, DNS, requests often have that characteristic: we send a small query, we get a large reply. Some network management protocols, some security protocols or some security management protocols have this feature, and another one which you will see in your homework is the network time protocol. You need a protocol where the response is very large and the request is very small, and some support that. Any questions before we move on to the next mechanism? So we're combining fake sources, reflection, plus using a protocol with large responses. Okay, so these computers in the middle, let's say there are some innocent computers. At this stage they're not under our control as the attacker. So the question is about the upload or the link capacity of these innocent computers. Alright, so we have the same problem that these innocent computers, maybe home computers, also have limits on their upload and download capacity. The idea, though, is let's say the attacker doesn't use the same one, but let's say it sends out to a thousand different computers. So it sends out to a thousand different computers, so each individual computer is only contributing a small amount. So they only need a small
upload capacity for that individual computer, because, alright, in this case I'm sending out three, but this innocent computer only has to receive one and send one. Alright, in a real case, let's say I send out a hundred thousand packets to a hundred thousand different computers. Each innocent computer only needs to receive one and send one, so they don't need much individual capacity. So the idea is these innocent computers don't need many resources, but because we have lots of them, it can combine to create a large amount of traffic coming into the target. In these pictures there are small examples of three, but imagine it scaled up to, say, a hundred thousand computers. Why would this innocent computer respond? Why would it respond? With ping, normally computers do respond to pings. The normal behaviour is that if your computer's there on the internet and it receives a ping request, it will send a ping reply. So ping is a protocol where, by default or in the normal case, computers will respond, reply to a ping. Now, you can set it up so that they don't reply, and some organizations will set up their networks such that they will not reply, but what the attacker needs to do is find enough that do reply to a protocol, because many computers do reply to ping requests. If it was an HTTP request, requesting a web page from this computer, it should send back a web page in response, but it would only reply if it was actually a web server. Not many random computers on the internet are web servers. So that's why ping is a good protocol here, because many more computers would reply than with application protocols like web browsing, email, secure shell and so on. So normally ping, or other management protocols, protocols used to manage the network. So ping's good, but there are a few others that work as well. From the attacker's perspective they want to get as many other computers involved as possible. It makes it harder for the target to identify who the attacker is, by receiving packets from thousands of other computers on
the internet, all random computers, and also it's easier to take advantage of those computers because you don't have to care about their upload and download capacities; we're not limited by that. The next, or another, approach to increase the amount of traffic going to the target, even if we can't use the larger response... maybe we have to use ping, we don't have the ability to use a large response. We can still increase the traffic using other techniques. One of them is using broadcast. Broadcast on a LAN means I send one packet and the router or the switch on that LAN delivers a copy of that one packet to everyone on the LAN. So the idea of broadcast, and we're talking about broadcast within a LAN only, is that you can send one packet but the switch will send a copy to everyone on the LAN: broadcast inside the LAN. So if the attacker can take advantage of that, they can greatly increase the number of computers receiving that request. That's what's shown in this picture. What the attacker does, let's say on this bottom LAN, let's say they've identified a LAN there, and they send one packet to the broadcast address of that LAN. How do you calculate a broadcast address?
255 is common; that is, the last n bits are all ones, which often results in an address something.something.something.255, but it depends on the mask. So those are broadcast addresses. When I send a packet where that is the destination, I send one packet. In theory, the way that it works, it goes to the router for that network, and then that router will send a copy to everyone on the LAN. So let's say I am at home and I send one packet to the SIT broadcast address, or maybe for our lab 10.10.16.255. I send, that's the destination address, it comes to the SIT router, and it realizes this is a special broadcast destination: I will send copies of this packet to everyone on the LAN. Every computer on the LAN will get a copy. So what I've tried to show here is that the attacker sends one packet to this LAN; the router gets a copy and then makes copies and sends to everyone on that same LAN. Here there are only three computers on that LAN, just to keep the picture simple, and same as before, everyone who receives a request sends a reply. Who do they send a reply to? The source. We're still using fake source addresses and the source is that of the target. The attacker sends a packet to the broadcast address, the source address equals that of the target, everyone gets a copy and they all send a reply to the target. And the attacker does that to other LANs as well, not just to the one LAN, but sends broadcast messages to multiple LANs. As you can see, as the number of nodes on each LAN grows, the number of replies sent to the target rapidly grows. Here we only have three per LAN, or two on this small LAN: I send three messages out, eight messages come into the target. Imagine there are a hundred computers in these three LANs: I send three messages out, 300 packets come into the target. Now imagine I send it to larger LANs, and more. Then again, much easier for the attacker to send a small amount out such that a large amount comes into the target. This is called an amplification attack: we're
amplifying the amount that comes to the target compared to what we send out, and it takes advantage of the broadcast nature of LANs. This is a very powerful denial of service attack. That is what the attacker could do: send to a thousand different LANs, let's say there are 200 computers on every LAN, then there are 200,000 responses all going to the target. So a very large amplification, very successful at denying service at the target. And because of that, most routers do not allow you to send such broadcast messages. In practice, if you try to do this, it won't work. This router will receive it and say no, you who are outside of the LAN are not allowed to send a broadcast message to my LAN. In fact it may be even blocked earlier. So in theory this is a very powerful attack; nowadays most routers will not allow you to send broadcast messages to other LANs, so in practice it's not very useful, but the concept of amplification by broadcast is one mechanism for denial of service. We're almost there through the different mechanisms, and then we'll look at some examples to finish. In all of these cases those computers on the internet are innocent computers; they're just some computers on the internet and they respond to the protocols normally. From the attacker's perspective it could be even better if they can take advantage of some computers under their control. Let's say in the past the attacker has got malicious software on some computers in the internet, and that malicious software allows the attacker to send commands to those computers to do something. We call them zombies. So the attacker has a set of zombie computers under their control. The collection of zombie computers we refer to as a botnet, and the idea is the attacker is no longer initiating the denial of service attack; it gets the zombies to initiate. Let's say each zombie sends requests to random other computers in the internet, and those random computers send to the target. But that's multiplied for every zombie. Every
other zombie computer is doing the same thing, all at the same time. From the attacker's perspective they do almost nothing once they have the zombies under their control. They just need to send a command to them: start the attack. And it's the zombies, which may be your computer at home infected with some malware, who start the attack by sending a ping request to other random computers, which then all go to the target. This becomes very hard to stop. Assuming the attacker can infect these computers, not just three but maybe thousands, hundreds of thousands of computers under their control, then they can initiate a large denial of service attack on targets via those zombie computers. Not many real denial of service attacks used today. How do we stop this? How can we prevent such an attack? What are some ideas? In practice, what do we need to do? Again, reinstall your operating system? I think the point is don't let our computers be infected to become zombies. So once there are many zombie computers under the control of an attacker, the attack is very powerful, so the main way to stop such attacks is to make sure that computers don't get infected with malicious software, that they don't get under the control. So that involves of course having antivirus and other mechanisms, but also having organisations ensure all of their computers are protected via internal and also firewall mechanisms. So it's about making it hard for the attacker to get zombies, because once they do, they can do very powerful denial of service attacks. What we'll do now is look at some examples. I'll show some examples in a virtual network. We'll just see the numbers in a very small scenario, and your homework, which will not be due until after the midterm, the next homework, will involve you doing a denial of service attack with some of these different mechanisms: you build them up to make a more powerful denial of service attack. The example network I've created, and I've set it up a little bit already,
has 8 computers, a similar structure to what we had in our general diagram. There's a target server, some target computer, and just for reference the IP of the target computer is 192.168.3.31. So when we set our fake source address we'll set it to 3.31. We want to overload this target computer. Our malicious computer will do a couple of different attacks. In one case computer 1, or node 1, will be the malicious computer; in another case we'll show node 3 as the malicious computer, a separate case. We have some innocent computers on the internet, 4, 5 and 6. They are the reflectors; they're going to be used in the attacks, we're going to bounce messages off them, we'll see in a moment. And some routers. So if you think in terms of networks, there's a network between 1 and 2, there's one network containing the reflectors, and there's a third network for the target server. So nodes 2 and 7 are routers. If I want to do a ping attack on the target server from our malicious node 1, let's say my pings are limited to 1,000 bytes, how many pings per second do I need to send to overflow the target without doing any reflectors or broadcast? If the malicious user, computer 1, sends ping requests to the target, the very basic attack, how many pings per second does it need to send to overflow the target? Well, we need to know what the capacities of the links are. How fast is the link from node 1 to node 2? How fast is the link from node 2 to node 7? How fast is the link from 7 to 8? Well, the way I've set it up is that the links from 1 to 2 and 2 to 7 are very fast, as fast as my computer can handle, gigabits per second, but I've explicitly set the speed for the link from 7 to 8 to be a very small value for this experiment: 100 kilobits per second. So I've set it up so the bottleneck link is that from 7 to 8. So my bottleneck link, or the capacity that I want to exceed, is 100 kilobits per second. How many pings per second do I need to send from the malicious user? A simple attack: the attack will simply involve node 1 sending
ping requests to the target directly. We'll use a fake source address, and let's assume, just for simplicity in our calculations, the ping request is 1000 bytes, which is 972 of data plus 8 bytes of ICMP header and 20 bytes of IP; that's where the 1000 comes from. The bottleneck link, the slowest link in the path, the one leading up to the target in this setup, is 100 kilobits per second. What sending rate do I need? How fast should I send my pings, or what interval should I set? To answer, calculate: I send 1000 bytes per packet, and I need to get the arrival rate at the target, the target should be receiving at up to 100 kilobits per second, that's the link capacity. We don't have 1 gigabit per second in this example; I've set it very low so we can do a quick example. How fast should I send? 100,000 bits per second divided by the packet size, where every packet is 1000 bytes, so we need to multiply by 8: 12.5 packets per second. If I send 12.5 packets per second on average, then that's the same as sending 12.5 times 1000 bytes times 8, a sending rate of 100 kilobits per second. PPS means packets per second, or pings per second, but generalized, packets per second. Remember from the attacker's perspective they want to exceed the capacity: they want to reach 100 kilobits per second and they want to do as little as possible, so they want a sending rate as small as possible. So let's try it. In this case I've set up the network, I've got the 8 nodes, so node 1 is the attacker. In this case node 1 wants to ping 192.168.3.31; 3.31 is the target. And let's set the size to be 972; when we add in the header it will add up to 1000 bytes. And the interval, what should the interval be? If it was 0.1 it would be 10 packets per second. We want 12 packets per second, 12.5, but let's try it at 0.1 and let's see what happens at node 8. I'm not allowed to set that small an interval, so I use sudo to give me the ability to do that. Sending pings, this time 10 per second, to the target. Let that run, and now let's look at the target,
node 8. Let's just see that it's working. We'll capture, we'll see the packets coming in with tcpdump. It's receiving the echo request and sending an echo reply, so this is the target: 10 times per second it receives an echo request and sends a reply. I'm not using a fake address yet; I haven't set the fake source address. I have some software called IPTraf which shows us the statistics, and it will give us some numbers. Let's focus on the bottom line: eth1 is the interface for this node. The activity you see is about 156 kilobits per second. Now this is in and out, so it's receiving some coming in and some going out, because there's an echo request and an echo reply. If we halve that, it's about 80 kilobits per second. 80 kilobits per second here; we set a rate of 0.1, so that's about right. We want 100 kilobits per second, so we'll try it again, but we'll use a fake source address and we'll see what happens at a different node. So I'll stop them first. I want to set a fake source address, because I don't want the target to know who I am. It's a long command; I ran it before so I think I've got it. It's a long command using iptables that says, for all the ICMP packets, set the fake source address to be 192.168.3.31.

Now when I ping, where should I ping to? Let's make a little bit smarter attack. Let's not ping direct to the target; let's do a reflection and ping to one of the innocent nodes. So coming back to our network setup, our picture is: a ping direct from malicious to target, we got up to about 80 kilobits per second. If I change the interval it will get even higher; we'll try it in a moment. But instead of that, let's ping from the malicious node, let's say, to node 4, the reflector, 2.22, using a fake source address; this one will apply to the target. So I'll set the ping destination to be 2.22. We'll do that in a moment. Let's not look at node 8; what we'll look at is node 7 and node 4. While we're here, node 4, then I'll explain what we're seeing. We'll start the ping. We're pinging
192.168.2.22, which is this node, the reflector, node 4. And if you see, node 4 is receiving a message. So it's a bit strange here: it's receiving a message from 192.168.3.31 to node 4. Node 4 is 2.22. It's an echo request, so this is the request coming from the attacker to this node 4, and since node 4 receives a request it sends a reply. Node 4 sends a reply to the source, 3.31, and it's happening 10 times per second there. What about, so just to remind you of the network setup that we have: node 1 is sending to the reflector, and the reflector is sending the reply to the target because of the fake address. We'll look at node 7 and see what node 7 is sending. Node 7 is receiving about 73 kilobits per second and sending about 72 or 73 kilobits per second. Our sending rate was currently 10 times per second; 10 times per second is equivalent to about 80 kilobits per second. Node 7 is sending out at 73 kilobits per second, or 72. We want to approach 100. How do we approach 100?
Change our interval, double the interval, and now we're approaching our capacity. So what we can interpret from these numbers: eth1 is the input interface for our router. The router is receiving 100 kilobits per second in, and the output capacity is limited to 100 kilobits per second. What's happening to our packets? Where are they going? My router 7 has 150 coming in or 100 going out. What's happening to the other 50 kilobits per second? It's being dropped. So this is our attack working, because 100 kilobits per second, we're overflowing it: we're sending about 150 into that link and only 100 gets through, because that's the capacity. So a lot of packets are being dropped. So this has achieved our goal of overflowing a link. This was a simple reflector attack where we reflected off one node. How could we expand that? We could do 4, 5 and 6 at the same time and get them to reflect to the target, or we could do a broadcast. We could broadcast to the entire LAN such that everyone in the LAN responds to the target. Let's try that one.

For the broadcast attack, it only works if you're on the same LAN; the setup of the operating system is that it will not allow you to broadcast to another LAN. So I'm going to change my malicious node to node 3. We'll stop this node 1; we will not use that, it can stay there. Our last demo: let's find node 3, here it is. This will be our malicious node for this last attack, and we'll set a fake source address. Node 3 will have a fake source address of 3.31. Starting with the interval 0.1, we want to ping to everyone on our LAN. Where should we ping to? We use a broadcast address, 192.168.
In this case the LAN is 2: 192.168.2.255. We are node 3 as the attacker. When we ping to the broadcast address we will send one packet and it will go to everyone on our LAN, including 2, 5, 6, 4 and 7. They will all respond, and because we're using a fake source address their response will go to the target. Let's see if it works. 2.255; with ping, to do broadcast we need to add the -b, for broadcast, option. I think we'll need sudo as well. It's pinging. Let's check node 4, if it's receiving. Node 4 is receiving pings and replying. Node 5 or node 6 is also receiving. And let's see node 7, the router. eth1 is what comes into node 7, the router, and eth2 is what goes out. And note that what's coming into the router, before it was about 150 kilobits per second; now we've increased what comes in to about 370 kilobits per second. Why? Because we're sending one message and it's going to everyone on the LAN, and they're all replying via this router. So we're filling up the capacity again, and in this case our necessary sending rate can be much smaller. Let's try again with a different rate, half a second. It takes some time. Even with an interval of 0.5 seconds, the input rate approaches the 100 kilobit per second capacity. The point is, with this broadcast the attacker can send less but still overflow the capacity. Here we're sending 2 packets per second and getting close to 100 kilobits per second in capacity out.

Let's finish with those calculations. So the second one we got to demonstrate; we didn't get all of them. We have in this case node 3. The sending rate necessary, well, on the LAN we had how many nodes responding? We had nodes 2, 4 and, I think 7 wasn't set up to respond, we have 4 nodes. So to finish with the calculation: we want to send 100 kilobits per second, every packet is 8000 bits, so we need a sending rate of 12.5 packets per second. But in this case I send to 4 nodes and they all reply, so I only need to send at a sending rate of about 3.1 or 3 packets per second, because if
I send at about 3 packets per second, that packet each time goes to 4 different nodes and they all reply. So we amplify by a factor of 4, because there are 4 nodes on the LAN that would respond. If I'm sending 3 echo requests, they send echo replies at a total of 3 times 4 packets per second, giving us our sending rate, which is the capacity of 100 kilobits per second. The point being, in this second attack, to get the same success of overflowing the capacity at the receiver, the sender has to send much less in the second attack than in the first attack. The second attack is better because the attacker only needs to send 3 packets per second; it took advantage of the broadcast pings. Unfortunately for the attackers, broadcasts are usually blocked in networks, so in theory we can do it in this small network; in practice it's not very effective in the large internet.

The instructions for running these commands are available in your handouts and on the course website. What you'll do as homework, the next homework, is you can review the commands and do a similar attack, but you won't use ping, you'll use a different protocol called the Network Time Protocol. Where does your computer get the time from?
It gets it from some server. Your computer sends a request to the server and the server sends back some information about the time; that server has some synchronization with some atomic clocks. That protocol has a feature that allows you to send a small request, and that feature can be used for an amplification attack. So that will be your homework: to study the NTP flooding attack. And that brings us to the end. The last thing, let's summarize. From the attacker: if they can infect other computers with malicious software they can use those as zombies, and those zombies then can be used to initiate attacks, and that's much more powerful. To do that they need to find some vulnerable computers, usually using some scanning, find the software that those computers are running, and find ones which are running software with bugs, and then get malicious software on there. How do we stop denial of service attacks? DDoS, what we're talking about here, is distributed denial of service attacks: not one computer attacking the target, it's many computers attacking the target, either innocent computers, zombies, or multiple attackers; a distributed denial of service attack. How do we prevent them?
Make sure we have enough capacity such that they cannot be overloaded. But that doesn't work very well, because we need to pay for that capacity: instead of having a 1 gigabit per second link, have a 2 gigabit per second link, but that requires extra costs. Detection is a main thing: monitor the traffic coming in and monitor the statistics of how often the amount of traffic changes, and if it goes above some thresholds then maybe that's an indicator of a denial of service attack. Detection is very practical, but of course you need to detect as soon as possible, before the service becomes unavailable. So response happens after detection, and response can be using technical means, blocking this IP address or blocking all this range of IP addresses, or some legal measures, like contacting the ISP of the target and saying disconnect that customer, or taking legal action against different organizations. So it cannot prevent the attack, but it may prevent future attacks. So we've gone through some different techniques used in denial of service attacks. Have a look at those, and the best way to understand them is to have some hands-on practice. So what you should do before the next lecture, and you have a few weeks now, is to try the attacks that I just tried. The instructions are on the course website, because your homework will be to try a different one.
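The rate calculation worked through in the demo (1000-byte pings against a 100 kbps bottleneck, with and without the factor-of-4 broadcast amplification), the router's drop behaviour, and the threshold-style detection described in the summary, written out as an added Python example; this is not code from the lecture or its handouts, and the per-second rate samples and the 80% threshold are constructed assumptions.

```python
"""Ping-flood arithmetic from the lecture demo plus a crude rate-threshold
detector.  Added example; constructed numbers, not measurements."""
IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request/reply header


def echo_packet_bytes(payload_bytes: int) -> int:
    """Total on-the-wire IP size of one echo request for a given data size."""
    return payload_bytes + ICMP_HEADER + IP_HEADER


def saturating_pps(link_bps: float, payload_bytes: int, amplification: int = 1) -> float:
    """Echo requests per second needed so the replies fill link_bps.
    amplification is the number of hosts answering each request: 1 for a
    direct or single-reflector ping, N for a broadcast ping that N hosts answer."""
    bits_per_packet = echo_packet_bytes(payload_bytes) * 8
    return link_bps / bits_per_packet / amplification


def link_forward(capacity_bps: float, ingress_bps: float) -> tuple:
    """What the bottleneck link does with an offered load: (forwarded, dropped).
    Anything above capacity is dropped, as seen at router 7 in the demo."""
    forwarded = min(ingress_bps, capacity_bps)
    return forwarded, ingress_bps - forwarded


def flag_flood(samples_bps, capacity_bps, threshold=0.8, window=3):
    """Indices at which the average ingress rate over the last `window`
    samples exceeds threshold * capacity.  Sliding-window version of the
    'traffic above a threshold' indicator from the summary."""
    flagged = []
    for i in range(window - 1, len(samples_bps)):
        avg = sum(samples_bps[i - window + 1 : i + 1]) / window
        if avg > threshold * capacity_bps:
            flagged.append(i)
    return flagged


# Constructed per-second ingress samples on the router's input interface:
# quiet traffic, then the 10 pps direct ping, then the broadcast flood.
SAMPLES = [12_000, 15_000, 11_000, 80_000, 80_000, 150_000, 370_000, 370_000]

if __name__ == "__main__":
    print("direct:", saturating_pps(100_000, 972), "pps")        # 12.5
    print("broadcast x4:", saturating_pps(100_000, 972, 4), "pps")  # 3.125
    print("150 kbps offered:", link_forward(100_000, 150_000))
    print("flagged samples:", flag_flood(SAMPLES, 100_000))
```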