This topic is about denial of service and different types of denial of service attacks. We'll go through what we mean by denial of service, then several examples of techniques that denial of service attacks use, and see some of the countermeasures, the ways that we can stop those attacks. We'll use several demos on the computer, and one of your homework tasks will be using or extending one of those demos to try a small denial of service attack, in a controlled environment of course.

What does denial of service mean? We've seen it before: degrading the quality of something, of the service that we provide our normal users. Remember back to some of those original services; we said availability was a key service. Our computer system must be available to the users; a denial of service attack is about making that computer system unavailable to users. We often think about those computer systems as acting as servers; a web server is a common example. What's a server? If I ask you to define a server, what will you say? A server, not a service, a computer server: what's an example or a definition again? Does anyone have a server, or has anyone used a server? Well, there are maybe two main interpretations of the word server. We can think about a server as a piece of hardware, dedicated hardware to perform some operations, or as a piece of software. For example, a web server is usually implemented as a piece of software, and a common web server is called the Apache web server. In that instance, we think of the server as an application, a piece of software running on a computer. The computer can be any type of computer: it can be my laptop, your mobile phone or a mainframe computer. So we can think of the server from the perspective of the software, but sometimes when we talk about a server we also imply some specialized hardware.
That is, I may say my laptop is not a server in that it does not use hardware which is specialized for running server software, so you may buy a hardware server. We'll use denial of service attacks on, say, websites or servers as an example. So we'll say a little bit about the characteristics of some servers to illustrate what servers are. Server, service: very similar words. What's an example of a server that you use on a regular basis? Tell me the name or an example of a server that you use. ICT, so ICT.SIT is the domain name, and Moodle, the website, is running on a particular computer and is running some web server software on that computer. In fact, with ICT the computer is just a general purpose PC. It's just a PC with, I think, 12 or 16 GB of RAM, some hard drives and just a normal CPU, so it's nothing special in terms of hardware, but it's running some server software.

Why would someone perform a denial of service attack to make the server go down? Why would you make the server go down? But what? Yes, an attack is something malicious, yes. First, let's define what we mean by a denial of service attack: some action that prevents or stops the normal use of a network, the authorised use of networks, systems or applications. Networks like the links, the Wi-Fi; the systems, the computer systems, the hardware; or applications like a web server application or some application running on your computer. So it prevents the normal use of those things by exhausting the resources of those things. That is, exhausting the CPU, making the CPU work at 100%; exhausting the memory, so you fill up the memory and cannot process any more; or the network bandwidth, that is, you overload the network such that no one else can send data; or, for example, the disk space. Why would someone do a denial of service attack? Or what benefit may someone gain by doing a denial of service attack? Become famous, okay?
Some person performs a denial of service attack on the SIT website and eventually they tell everyone who did it, and people may be infamous or famous. What else? So, personal gratification for the person doing the attack; attacking a competitor. If the service that someone is attacking is, say, a website for a company that sells things or makes money through their business through that website, a competitor may perform an attack such that the website is no longer available, and therefore the competitor can get the business of the company they are attacking. So there can be financial gain from performing a denial of service attack.

Let's look at the general techniques. We'll go through very simple techniques for performing a denial of service attack and build them up to arrive at some more realistic techniques. First, we said in the definition that it impairs the authorised use of networks, systems or applications. What do we mean by them? An attack attacks these three types of resources. The network resources: you overload the communications network, for example the links or the devices that create that network. You overload the wireless link to the wireless access point, which makes it difficult for others that would normally use that Wi-Fi for their internet access to send their data through. Or you overload the network switch, such that the network switch spends a lot of time processing the attack data and gets no time to forward the normal users' data. So that's one form of resource that a denial of service attack will impair: the network. In practice, when we look at denial of service attacks in the internet, for example on popular websites, we need to know something about the structure of the network to realise how the attacks may take place in practice.
Normally, the attack is only effective on those links in the network which are the bottleneck links, the slowest performing or lowest capacity links. If we can overflow the lowest capacity link, then we can stop and deny service to accessing a server or a particular network. It's common in the internet that the link from, let's say, your organisation where you run a website to your ISP is usually lower capacity than the links between ISPs. So let's say you graduate in, what, one year or 18 months' time and you start your own company, and as part of that company you run a website and you make money from running that website. So where is your website? You've started your own company, as many of you will do in the coming years, and you have your own website, so you create some HTML, some JavaScript, some PHP or whatever. Where do you put all those files? On the server. Where's the server? In the cloud; it's out in the cloud somewhere, but specifically where are you going to put it? Again, at home? So you've got an office, you rent an office somewhere, you buy a computer and put it in that office, that's your server and you host your website on there. What's the capacity of the link that you're going to get from your web server out to the internet? Well, it depends upon your office, or maybe, right, it depends upon the ISP that you use, okay? Let's say you're just starting up your company and you do it from home. How fast is your ISP link from your home? 10 megabits per second; so ADSL nowadays is in the order of several megabits per second, maybe tens of megabits per second. So that's the capacity of the link from the server to the ISP. What we're saying here is that in most cases the link from the server, or the organization running the network, to the ISP is the slowest in the path from anyone to your website or server. The links from your ISP to another one are usually much faster than the links into your server.
Not always, but that's commonly the case. What that means is that what an attacker needs to do to overflow your network is to generate enough data to approach the capacity of that link into your server or into your network. If you're at home with ADSL and your link supports, say, 10 megabits per second, then they need to generate enough data to approach 10 megabits per second to overflow that link. We'll give some examples as we go through some of the attacks. What happens if you do overflow a link is that packets start to be dropped. Okay, so my link can support so many bits per second being sent through it. If we start sending into the link at a rate that exceeds that capacity then something needs to give, and what normally happens is packets get dropped. As packets start to get dropped, people's data doesn't get transferred to the server, and that's when the normal users are denied service.

Another type of resource is the system resources, by which we mean either the hardware, the server, or the operating system, or some devices running on that server. An attack would attack the system resources if somehow it can overload that system: use up the memory on your computer, make the CPU run at 100% so that the CPU cannot handle the normal applications. So consume resources that make the system slow down and maybe eventually hang. We'll give some examples of how that may happen. It may involve taking advantage of bugs in the system such that it does something unexpected.

And the final set of resources are applications. Again, we have a network, we have a server connected to that network, the server has some system resources, and running on that server are some applications, like a web server application. Another type of attack will try to get that application to crash, so again get that application to do something such that it cannot process the normal requests.
Get it to consume memory, consume CPU, or get into a state such that it cannot process normal requests. So we distinguish between network, system and application resources. I see as I come in that many of you are taking a course on computer networking with Dr. Conwood, so you're experts on the internet, TCP and UDP and so on. And even those not taking it, I'm sure, know about different aspects of the internet.

Let's look at some really old style, what we call classical, denial of service attacks here to demonstrate some simple concepts. So this is an example of a denial of service attack, and the attack that we'll go through depends upon TCP. What's TCP? It's a transport protocol that allows you to set up connections between applications. So I'm running a web server on my computer and you're running a web browser. TCP is used to establish a connection from the browser to the server and then transfer data between them in a reliable manner. The way that TCP works, to get started, is that it sets up a connection, and the steps for setting up a connection are called a three-way handshake. We'll just summarize how it works. We don't need to know all the details of TCP, but we'll see that a denial of service attack can take advantage of this three-way handshake. The way it works is, let's say we have our Firefox web browser running on computer A and some web server, the Apache web server, running on computer B, two computers in the internet, and someone wants to visit the website. TCP is used to establish a connection from computer A, in particular the application on computer A, to the application on computer B, and three messages are exchanged to establish the connection. Before we can send any data, we establish a connection by sending a special TCP packet from A to B called a SYN packet, SYN for synchronize.
The idea is to synchronize some sequence numbers that we're about to use and to get the server ready to receive data. So A sends a SYN packet to B in the normal case. When B receives this SYN packet, it realizes, ah, A wants to send me some data; let's prepare some memory to keep track of the reception of this data. So let's allocate some memory on computer B for this upcoming connection, because what B expects is that it's eventually going to receive some data from A after the connection is established. So what B does is reserve some memory, part of the RAM, for the upcoming data transfer. B responds in the normal case saying, yes, everything's okay: it sends back an ACK. And it's actually also another message to synchronize the sequence numbers with A, so we call it a SYN-ACK. It has two meanings: one to acknowledge the message I just received, saying thank you, and one to tell A the sequence number it wants to use. The final message in this three-way handshake is that A sends back a final ACK saying, all right, thank you for your response, we're now ready to transfer data. So that's the normal process of the three-way handshake in TCP. After that, A and B can start transferring data, using retransmissions where necessary, using the buffer and flow control to make sure we don't overflow each other, and so on. The details of the sequence numbers are not so important; that's just how it works. What is important is that when B receives the first SYN packet, it allocates memory in preparation for the upcoming data transfer. So some memory is allocated and then we wait for the third message, this ACK, to come back. Once we get this ACK, we'll start to use that memory for the data that we receive. Another thing: again, what are SN and AN? SN is short for sequence number, AN is short for acknowledgement number.
The way that it works, and it's not relevant to the attack, is that A sends a sequence number, an initial sequence number, to B, ISNA, the initial sequence number, saying, I want to use this value. B sends back an ACK saying, that's okay, and here's my initial sequence number, ISNB. And then A sends back an ACK saying, the one that you chose is okay as well. So one part of this is to agree upon these initial sequence numbers. Normally when we use sequence numbers we think we start at zero. In TCP we don't have to, and we normally don't start at zero; we start at these initial values chosen by A and B. There are some more features that are not shown here, and one of them is that B, the server, receives the first SYN message, sends back a SYN-ACK and waits for the third ACK to come back. So it waits. If it doesn't receive that third ACK after some time, it will retransmit the previous SYN-ACK; maybe something went wrong and we lost the ACK in the network. So from B's perspective, it receives the SYN, allocates some memory, sends a SYN-ACK back to A and now waits. If it doesn't receive an ACK then it will resend the SYN-ACK. It will do that a few times, maybe give up, but we hope we'll receive the ACK and then start the data transfer. If we don't receive the ACK after some time, maybe a minute or so, then we'll delete any information about this. So B may wait for seconds or even minutes before it gives up on A.

Let's see how the attack can take advantage of that. The SYN flooding attack involves the attacker sending TCP SYN segments to a server. So in the previous picture the attacker is like the user at computer A, and B is the server that we're trying to attack, and what the attacker does is, when they send the initial TCP SYN segment, they use a fake source address. So the attacker sends this SYN to B.
B, the server, thinks: ah, someone wants to communicate with me, let's reserve some memory. It allocates the memory, sends back a SYN-ACK and then waits for the final ACK. That's what the server thinks, but what the attacker does is, when they send this first SYN message, they send a message with a fake source address, not their real source address. The address we're talking about is the IP address, and we'll show you shortly how to do that fake source address. So what happens: they keep doing that on a regular basis, that is, the attacker sends many of these SYN segments to the server. For every SYN segment received, the server allocates some memory, sends back a SYN-ACK and waits for the next ACK. So it's not just once; try to visualize this happening many times: the server is receiving many SYN segments in a very short period of time, thousands per second. For every one it receives it allocates some memory, sends back a SYN-ACK and then waits for some time. Now, because there's a fake source address, when B sends back the SYN-ACK there's going to be no final ACK, because if B sends this SYN-ACK to the fake source address then it could go either to no computer on the internet (the fake address could be one of a computer that doesn't exist) or it may go to a computer that wasn't expecting it, which would normally just drop that packet and ignore it. So there will never be this final third ACK.
The end result is that B, the server, has allocated a lot of memory in preparation for these potential connections and waits for some time with this memory allocated. If we can send enough SYN segments to server B it will overflow the memory of that server; that is, it will use up the memory, consuming those system resources, to a point where a normal user who wants to connect to the server sends a SYN segment but there's no more memory for B to allocate for that next connection. So the normal user's connection cannot be established; the result is that the normal user cannot connect to the server and we've denied them access to that service. So the target server of this attack becomes overloaded in two ways really: processing the SYN segments, so if you're receiving thousands, tens of thousands, even millions of SYN segments per second then the server has to process each one and allocate memory for each. They store some information about the upcoming connection in memory, and that overloads the server, which means the normal request from your browser will not get accepted. So that's what we call a classical denial of service attack, in that there are ways to overcome it and it's one of the earlier types of denial of service attacks which was prominent in the internet. We flood (flood means overflow) the server with SYN segments: a TCP SYN flooding attack. Now, I said that the attacker must send many SYN segments; just sending one per second will not overflow the server, because most servers have the capability to accept many requests per second, thousands, hundreds of thousands. So the number of SYN segments being sent to the server per second must exceed the capacity that it can handle. Now, an attacker on their own probably cannot do that; with a single attacking computer it's very hard to generate such a large number of SYN segments per second.
So to make this attack effective, what an attacker can do is try to get other computers to send the SYN segments on its behalf. What this diagram tries to illustrate is that the attacker, using some malicious software, takes control of some other computers in the internet, noted here as the slave servers, and triggers those slaves to send the SYN packets to the server. The server allocates memory for each SYN request received and sends back a SYN-ACK, and eventually, if there are enough slaves sending enough SYN segments per second, the server will become overloaded and the normal users will not be able to access it. So this is a more practical approach from the attacker's perspective, because they use many slave servers, hundreds, thousands, maybe even millions of slave servers, to send those SYN segments to that single targeted web server. This of course assumes that somehow the attacker controls these slave servers, maybe through some other virus or worm that was used to take control of those other computers; then it can initiate that attack. In fact, we'd generally call this a distributed denial of service attack, because it's not just one attacker; it's an attack from a distributed set of clients, a distributed set of computers, all attacking one target, and that makes it much easier to generate enough data to overload the server.

How do you stop it? Well, there are some approaches here. Try to filter the packets earlier, before they get to the server; for example, once the SYN segments get to the server, the server will allocate memory and that will start to consume the memory. Maybe one of the devices before the server, a router beforehand, can recognize at this point that we're starting to receive thousands of SYN segments per second from these sources; maybe the router can drop them before they get to the server, such that the server doesn't get overloaded.
So perform some filtering: if too many packets are coming into our network, drop them before they get to the server and overload it. The problem with that is that sometimes it's hard to distinguish whether these packets coming in are part of an attack or just part of the normal users trying to access our website. For most websites we would like many users to try and access it, and in some cases maybe someone linked to our website on Facebook and all of a sudden thousands of people try to access the website at the same time. We should support that; we shouldn't drop the users. So distinguishing between normal usage and attack is quite hard. There are other techniques that have been specifically built and added to TCP to try to stop this TCP SYN flooding attack. SYN cookies is one common technique, and we'll not go through it, but it involves, rather than the server immediately allocating memory for each connection, sending back some challenge to computer A, really meaning: are you really sure you want to set up this connection? If it's an attack then most likely A will not respond, and the server will ignore the SYN segment. If it's a real client then they'll respond and the server will set up the connection, but it requires some modifications to software and operating systems to support that. So that's one example, a TCP SYN flooding attack.

We'll go through another one, a ping attack, but before we do that I'll show you some other aspects of what's used in TCP SYN flooding and others. We said here that the attacker uses source address spoofing. What does that mean? Spoofing here means using a fake source address, okay, so the attacker uses a fake source address. How do we do that? How do you send a message using a fake source address? Is it easy? Hard? What could you do? Many of you have done programming: program your computer so that when you send the packet you just change the source address.
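The backlog exhaustion and the SYN cookie countermeasure described above, as an added simulation that is not part of the lecture or its demos: a stateful listener that allocates a half-open slot for every SYN, beside a stateless one whose SYN-ACK sequence number is a keyed hash of the client's address, port and a time window (a simplified form of real SYN cookies, which also encode options such as the MSS). The backlog size, timeout, secret and all addresses are constructed for the demo.

```python
import hashlib
import hmac

BACKLOG = 128        # half-open slots the stateful listener can hold (constructed, small)
SYN_TIMEOUT = 60.0   # seconds a half-open entry is kept before B gives up ("a minute or so")
MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class StatefulServer:
    """Classic listener: memory is allocated for every SYN and held until the
    final ACK arrives or the entry times out."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> time the entry expires

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return "dropped"  # backlog full: this is where a real user is denied service
        self.half_open[src] = now + SYN_TIMEOUT
        return "syn-ack"

    def on_ack(self, src, now):
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]  # slot is freed once the handshake completes
            return "established"
        return "reset"


class SynCookieServer:
    """Stateless listener: nothing is stored per SYN. The ISN in the SYN-ACK is a
    keyed hash of the client's address, port and a time window, so a valid final
    ACK (ISN + 1) proves the client really received the SYN-ACK."""

    def __init__(self, secret):
        self.secret = secret

    def _cookie(self, src, now):
        window = int(now // 60)  # cookie stays valid for the current and previous window
        msg = f"{src[0]}:{src[1]}:{window}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        return self._cookie(src, now)  # ISN to put in the SYN-ACK; no memory allocated

    def on_ack(self, src, ack_num, now):
        for back in (0, 60):
            if (self._cookie(src, now - back) + 1) & MASK32 == ack_num:
                return "established"  # only now is connection state created
        return "reset"


def spoofed_sources(n):
    """Constructed fake source addresses; nothing at these addresses will answer."""
    return [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i)
            for i in range(n)]


def simulate(flood_size=200):
    """Flood both listeners with SYNs that never get an ACK, then let a legitimate
    client (constructed address) try to connect."""
    legit = ("192.168.1.11", 51515)
    results = {}

    stateful = StatefulServer()
    for src in spoofed_sources(flood_size):
        stateful.on_syn(src, now=0.0)
    results["stateful_during_flood"] = stateful.on_syn(legit, now=1.0)
    results["stateful_after_timeout"] = stateful.on_syn(legit, now=SYN_TIMEOUT + 1.0)
    results["stateful_after_timeout_ack"] = stateful.on_ack(legit, now=SYN_TIMEOUT + 1.5)

    cookies = SynCookieServer(secret=b"constructed-demo-secret")
    for src in spoofed_sources(flood_size):
        cookies.on_syn(src, now=0.0)  # each call returns a cookie and stores nothing
    isn = cookies.on_syn(legit, now=1.0)
    results["cookie_during_flood"] = cookies.on_ack(legit, (isn + 1) & MASK32, now=1.2)
    results["cookie_forged_ack"] = cookies.on_ack(legit, 12345, now=1.2)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:28s} {outcome}")
```

The stateful listener refuses the real client until its half-open entries time out, while the cookie listener accepts the real client during the flood and still rejects an ACK that does not carry a valid cookie.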
Which source address? The source address, usually in the IP header. When we're sending packets across the internet, the thing that identifies computer A and computer B is the IP source and destination address. Okay, so computer A is a computer on the internet with an IP address, and so is computer B. When I say the source address I really mean the IP address of computer A, and the destination address will be the IP address of computer B. So when A sends an IP packet, normally it sets the source address to its own and the destination to that of B. But there's nothing really to stop computer A from setting the source address to someone else's, because the setting of that source address happens on computer A. So you just need some software to change the source address. There's nothing to prevent your computer from sending a packet with the wrong or a fake source address. And we'll demonstrate that and show it using ping, how to set a fake source address. Yes? A fake source address: my computer wants to send an IP packet to someone. I've got a picture somewhere. Let me remind you of what an IP packet looks like. That's the IP header, the typical IP header; that is, every IP packet we send through the internet contains these fields in it: the version, like IP version 4, some length of the packet, some other fields and, importantly, the source IP address, the IP address of the computer who created this packet, and the final destination. For example, the IP address of my laptop is the source; if I'm sending to the ICT web server then the IP address of the ICT web server is set in the destination field. And then the data, for example the TCP SYN segment or whatever data we're sending. This header is created by my computer, so when my computer creates this packet to send some data it sets these values.
So it's very easy to make some changes to my computer, to the software running on my computer, in particular the operating system, so that when my computer generates this it doesn't set my IP address here as the source; it sets some other one that I choose. That would be a fake source address. And in terms of a denial of service attack, there are many benefits of that. One is you can potentially hide who is doing the attack: computer B receives this packet from some fake source address, so B doesn't know it came from me. It can also be used to make sure that packets don't come back to me and overload my computer, effectively doing a denial of service attack on my own computer. And we'll see it shortly used for other things, like reflections.

Let's just illustrate how it can be done and how effective it is using ping. How does ping work? What protocol does ping use? Ping uses ICMP, a protocol for really managing and testing networks. The basic operation of ping: if a source computer pings some destination, then we send a request message to the destination and, when it receives that ping request, the destination sends back a reply. And it keeps doing that on a regular basis until we stop it. So ping is just a request and reply, and we reply to whoever sent us the request. I've set up a virtual network containing three computers; I'll show you in a moment, and I'll just show you how we can change the IP address and also the effect of it. There'll be three computers: computer one will have address, what is it, 192.168.1.11. You don't need to draw this; it may be in the printed handouts that you have already. Computer two will be similar; they're all on the same LAN, so a very simple case: 192.168.1.12. And node three will be 192.168.1.13. So I'm going to have three computers on the same LAN, and what we're going to do is ping from one computer to another.
For example, if we ping from computer one to computer two, the request, what's the source address? In the ping request, or what's officially called the ICMP echo request, if we ping from computer one to two the source address will be 11, all right, 192.168.1.11, or let's just call it 11, or even simpler, one, because we only have three computers, and the destination of course will be 192.168.1.12. When the echo request comes to computer two, where will it send the reply to? Who will computer two send the reply to? Computer one. Why? How does it know? The source address in the IP header, specifically, will tell us. So when we send the packet to computer two, computer two receives the packet, source address 192.168.1.11, destination 192.168.1.12, and computer two realizes, okay, my reply must go to the source of this message I received, and we'll send it back there; we'll create a new IP packet where the source and destination are swapped. That's the wrong one; I'll show you that later. See if I can bring up the... I think you may have this printed out; I think I may have included it: IP address spoofing with iptables in Linux. So I'll just show a few commands of how to first change the IP address and see the impact. Maybe it's printed in your handouts; if not, you'll find it on the website. There are different ways to do it, but I'll jump direct to the command I want, and I'm going to copy it and then I'll show you. So these are my three nodes: the red one is computer one, the blue one is computer two, and the green one computer three. I'm going to be the malicious user on the red one. Okay, what the red one wants to do is send a packet using a fake source address, and we'll see the impact of that in a moment. So there are different ways to set a fake source address.
I'm using a command called iptables. It's really a firewall command, but it has some extra features. We don't need to remember the syntax, but you'll use it later in some of your homeworks; in short, what's happening is it's saying: before I send a packet, if that packet is ICMP then change the source address to this source address, and, sorry it's wrapped around, change the source address to 192.168.1.13. Does it fit in? Okay, so that command is what I use to set a fake source address. Normally when the red computer sends, the source will be .11, computer one. This command will change the packet such that the source address becomes .13. Now what I'll do is I'll ping, and, just to make sure you can see them and to see what's happening, I'll run tcpdump on computers two and three to see what we receive. tcpdump, I think many of us know already, records the packets coming in and out of that computer; I'll run it on both nodes two and three, and I'm going to ping, I'll just do two, 192.168.1.12. Okay, so the red one is going to ping computer two, computer 12, and then we'll zoom in and see what we see. So it sent two messages, one per second. The blue one is computer 12. Look what it received. This message is saying that at that time computer 12 received a packet from 13, and that packet was an ICMP echo request, a ping request. So computer 12 we expect to receive the ping, and it does here. A little bit strange: the source address is computer 13. We actually sent it from computer 11, but because we set this fake source address it's from computer 13. What happens next? Computer two here received the echo request, so the normal behavior when you receive an echo request is to reply with an echo reply, and there's an ARP going on, but then we see that at this point the blue computer 12 sends an echo reply to computer 13. Why?
Because the source address said it was from computer 13. And then it happens again, because we pinged two times, and the green one, computer 13, receives the echo reply. So computer 13 receives the echo reply, and this feature of using the fake source address can be used in different ways in denial of service attacks. What's really happened here is the ping request goes from one to two, the destination was 1.12, but the source address, using a fake source address, causes two to send the reply to computer three. So this is how the fake source address is used, and in this simple case it triggers the reply to be sent to computer three; this can be used in denial of service attacks if, for example, computer three is the target, or even if computer two is the target. We'll see some different cases. With TCP SYN flooding, if computer two was the target, when we send the SYN (not using ping but using the SYN request) we can send a fake source address, and computer two will respond to just anyone on the internet; we don't care. And we'll see shortly another type of attack, this redirection, where if three was the target, our malicious user one really triggers computer two to overflow the target three. That can be a powerful feature in denial of service attacks, using this fake source address.
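A defender's view of the same demo, as an added example that is not part of the lecture: the two tcpdump-style captures below are constructed to mirror what node .12 and node .13 recorded, and the functions flag the two indicators the demo exposes, echo replies arriving at a host that never sent the request (backscatter from a request that forged its address as the source), and a source sending far more echo requests in one second than a normal ping would, which is the signature of the flood variant the lecture turns to next. The flood burst and the 10.9.8.7 address are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style output as each demo host would record it. The red host .11
# pings .12 with its source rewritten to .13, so .12 replies to .13, and .13 receives
# echo replies it never asked for.
CAPTURE_NODE12 = """\
12:00:00.000101 IP 192.168.1.13 > 192.168.1.12: ICMP echo request, id 1, seq 1, length 64
12:00:00.000245 IP 192.168.1.12 > 192.168.1.13: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000098 IP 192.168.1.13 > 192.168.1.12: ICMP echo request, id 1, seq 2, length 64
12:00:01.000233 IP 192.168.1.12 > 192.168.1.13: ICMP echo reply, id 1, seq 2, length 64
"""
CAPTURE_NODE13 = """\
12:00:00.000301 IP 192.168.1.12 > 192.168.1.13: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000290 IP 192.168.1.12 > 192.168.1.13: ICMP echo reply, id 1, seq 2, length 64
"""
# A constructed burst: 500 echo requests from one source inside a single second.
FLOOD_BURST = "\n".join(
    f"12:00:05.{i:06d} IP 10.9.8.7 > 192.168.1.12: ICMP echo request, id 7, seq {i}, length 64"
    for i in range(500))

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def parse(text):
    """Return one dict per ICMP echo line; other lines (ARP and so on) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            packets.append(p)
    return packets


def unsolicited_replies(packets, me):
    """Echo replies addressed to `me` whose (peer, id, seq) `me` never sent as a
    request. On a host that is the forged source, these are backscatter: somebody
    else sent requests carrying our address."""
    sent = {(p["dst"], p["id"], p["seq"]) for p in packets
            if p["kind"] == "request" and p["src"] == me}
    return [(p["src"], p["id"], p["seq"]) for p in packets
            if p["kind"] == "reply" and p["dst"] == me
            and (p["src"], p["id"], p["seq"]) not in sent]


def flooding_sources(packets, max_per_second):
    """Sources whose echo-request count in any one second exceeds the threshold.
    A normal ping sends one request per second; a flood sends thousands."""
    per_second = Counter((p["src"], p["ts"]) for p in packets if p["kind"] == "request")
    worst = defaultdict(int)
    for (src, _ts), n in per_second.items():
        worst[src] = max(worst[src], n)
    return {src: n for src, n in worst.items() if n > max_per_second}


if __name__ == "__main__":
    print("node 13 backscatter:", unsolicited_replies(parse(CAPTURE_NODE13), "192.168.1.13"))
    print("flooding sources:", flooding_sources(parse(CAPTURE_NODE12 + FLOOD_BURST), 100))
```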
Any questions on fake source addresses? The command was just a single line to do it; it's not too hard. In practice there are some ways that networks limit that, and we may return to that later, but in a simple scenario it's very easy to use a fake source address.

So let's continue looking at ping now and see how ping can be used for a denial of service attack. Remember, ping sends an ICMP echo request; whoever gets that echo request will send back a reply. We'll introduce a simple form of a network where we have the attacker's network, so the attacker's computer, and they connect to their local ISP, the internet service provider. So we can think that there's the attacker's computer, there's their home router or their router in their business, and there's a link to the ISP, which then has links to other ISPs, which forms the internet. And there's the target; let's say the target server, the square there, is who we want to target, and the target's network has a link to their own router. So say inside a company they have their server and their own router, and then that company links via their internet service provider out to the internet. What we're going to assume in this scenario is that, in the path from the attacker through to the target, of all those links the slowest link is the one from the ISP into the target's network, the bottleneck link. So let's assume, and we'll say more about it later that it may not be a realistic assumption, but for now let's assume that the attacker has a high capacity link, that is, at home we have one gigabit per second to our ISP, and the business that we're trying to attack has only a 100 megabit per second or a 10 megabit per second link here. So this is the slowest in the entire path, and from the perspective of the network resources, if we send enough packets through this path from attacker through to target, then since this is the slowest link, as packets come into the ISP, into this link, this router will eventually have to drop those packets, because if
what's coming in exceeds what can be sent out by that router then the router will need to drop or discard some of those packets and that will be the format form of the denial of service attack for example if this has a capacity of 10 megabits per second this link but the attacker manages to generate 20 megabits per second coming into here then of that 20 coming in only 10 can come out so the rest needs to be dropped so the challenge of the attack is to generate enough traffic to exceed the capacity of that bottle neck link so let's look at that simple case and see how ping can be used to do that and the simplest form of the attack is just a ping very fast flood the server that is the attacker generates ping requests you know you can set the interval the minus i option with ping set it to be very small or get ping running multiple times on your computer the attacker's computer such that thousands or millions of ping echo requests per second are arriving here such that it eventually overflows this bottle neck link so this is an attack on the network resources not on the server itself but on the link that leads to the server if the attacker can generate enough ping requests coming in in theory it can overflow that link so this is the concept of a ping flooding attack the attacker uses ping to send many icmp requests to the target server overflowing the link and the router starts to drop packets including the normal packets from others on the internet who are trying to access the target website therefore denying them normal service how do we stop that what countermeasures can we take to make that hard for the attacker to perform well the internet service provider could block ping packets either in the internet or our the isp of the attacker or the isp of the target their routers could be set to say when an icmp request comes in do not send it on drop it and if you've tried to ping from inside sit to outside you'll find that you cannot ping outside because sit drops 
those ping requests but not not a lot of networks will do that because it has some side effects of dropping ping it means ping no longer works and ping has real uses for monitoring and and error control in the internet so blocking a normal protocol just to stop the denial of service attack prevents us to use that protocol for its intended purpose the target can identify the source so in this simple case we're not using a fake source address the attacker sends many packets to the target when the target gets them or the router gets them it sees the source address and from a source or from a the source IP address in theory you can map that back and find out who the attacker is in practice it's quite easy in many cases to if you know the IP address to find the corresponding ISP you can do a look up you can go to websites like what is my IP address you type in your IP address and it will show you the map of what city you're located in and who your ISP is because there's a correspondence between the range of IP addresses and internet service providers and those internet service providers are usually registered in particular cities and countries so it's not too hard given an IP address to find the ISP and with legal measures you could say to the ISP okay someone in your network one of your customers is performing an attack on my server please stop them please tell me who they are so i can take them to court or take legal measures against them so that's another counter measure against this attack the other problem here is that the attacker's network slows down the attacker is sending many many packets out using their own network resources and also receiving many many requests back those icmp echo replies are coming back so that can be inconvenient for the attacker as well so how can the attacker improve on this ping flooding attack any questions in this case we're not using fake source addresses so when the attacker sends an icmp packet it's inside an IP packet and the IP 
packet contains the source IP and the destination IP. So the ICMP packet that gets to the target network, the router and the server, contains the IP address of the attacker's computer. Once you have the IP address, in theory it's possible then to find out which computer, who in the internet, did that; the IP address identifies the computer. For example, if I started an attack from my laptop here on to, say, the Facebook web server or some popular website, then it wouldn't be too hard for that website to detect the source address, and that would identify the source, eventually, as SIIT. Okay, so it's not too hard for someone to identify, based upon the IP address, that the source came from somewhere inside SIIT. And I think you may know that when you connect to the SIIT network, the SIIT computer center monitors or keeps track of who has a particular internal IP address, so the SIIT computer center could find out: okay, at 4 p.m. on Thursday afternoon it was Steve's computer that was sending those packets. So it's not too hard, with a few steps, for the target to map it back and find out who the attacker was. Maybe we'll touch upon that.

Let's see if we can find a website that shows that, "what is my IP" for example; there are websites that will provide such a service. So I visit this website and it says your IP address is 203.131.209.66, you're inside Thammasat University in Bangkok. Okay, so just by visiting that website from my laptop, that website, the target for example, has identified me down to the level of my university, Thammasat. You may try it on your phone or on your computer now. There are some details that arise here: this IP address is actually not the IP address of my laptop, it's a common IP address given to most people inside SIIT. So if you did it from your phone right now, if you visit that website, it will probably show up with the same IP address. So the target can at least identify me to, in this case, the ISP or the university; then within Thammasat or within SIIT they have a mapping between who, at what time, was accessing that website, so the computer center could then find out it was me. Okay, if you do it you'll get the same IP address as well. So the target cannot identify the individual directly; they can identify the source network that it came from, Thammasat somewhere, and from everyone in the world it came from TU, and then TU, the computer center, has a log, a mapping of which user was accessing that website at that particular time, and they can map it back to, for example, your MAC address on your phone or your laptop. So there are really two steps in identifying the individual, but it's not too hard. Let's say the target company came to Thammasat and said, who was accessing or sending a ping flooding attack to our server at this time? Then TU or SIIT will come and identify the individual. The reason you have the same IP address is network address translation.

Let's look at a few extensions of that ping flooding attack. We've already said source address spoofing is setting a fake source address. So this is the IP header that we saw before; the attacker, when they send packets, uses a fake source address in those packets. The benefit for the attacker is that the target doesn't immediately know who performed the attack; it will not be coming from that 203 address, it'll be coming from somewhere else, so the target cannot quickly identify who's attacking. And any responses that come back, those echo replies, do not come back to the attacker; they go to someone else, so they are not of concern to the attacker. All right, not a benefit, but the source address that you use as a fake address could be one of an actual computer on the internet, or it could even be a non-existent one; sometimes we don't care whether the reply goes to someone or not. So we've shown how we can use a fake source address; this illustrates it again but adds some details. In this example, the same example, I've added, just for some details, an ISP which is using the address range 72.16.0.0/16, that is, everyone who is a customer of this internet service provider would have an address 72.16.something.something. So if I'm the attacker, my IP address is 72.16.3.4; another customer of that ISP will be 72.16.7.52 or whatever. So that's an example scenario where the ISP has a range of addresses and for each of their customers they'll give them a specific address.

If we don't use a fake source address and we attack the target, the target would know that it came from 72.16.3.4; they can immediately identify the ISP where the attack came from, and what they could do is then maybe contact the ISP and say, someone, one of your customers, is performing an attack, please stop them, or kick them off your network, or take some legal action. If we use a fake source address, though, when the attacker sends the packet they set the source address to something different, and I just chose a random one here, 33.101.53.2. When the packet goes to the target, the target doesn't know who is doing the attack; they think it's coming from 33.101 and so on. So that's the role of the fake source address.

The way to stop this is that what your ISP really should do is, whenever packets come from one of its customers, the ISP should check if the source address is valid or not, and the ISP knows what's a valid address. So if I'm the customer and the ISP has given me the IP 72.16.3.4, and then I send a packet, then the ISP's router should be able to detect if the source address is correct or not, and if it's not, what the ISP should do is filter or drop those packets which have a fake source address. Some ISPs will do that, and it's a good security measure to not allow people to send packets with fake source addresses inside your network. If the ISP does that, then the attack using a fake source address will not be effective. Unfortunately not all ISPs do that, so
still attacks with fake source addresses are possible. You may, no, you will not try, but you could quite easily try within SIIT to set a fake source address and try to contact, not do an attack, but send a packet to a server outside and see if it gets out. If it doesn't get out, it's probably because SIIT is dropping packets with fake source addresses. So it's not too hard to set up the routers inside the organization or the ISP to drop packets that come from fake addresses. If fake addresses are allowed, then this is effectively what we get: if they're not dropped, then the attacker can send the echo request to the target, trying to overflow the target, and any replies will go to some random computers out on the internet; they will not come to the attacker. The target won't be able to identify the attacker, and the responses will not come back to the attacker.

I think we'll finish with this last one, the reflector attack. Remember when we used a fake address, what happened with our demo when we did a ping with a fake source address? Computer one pinged computer two; because it had a fake source address, computer two replied to computer three. So we call this reflection, that is, we reflect the packet off computer two to reach the target, three, or bounce it off computer two. This can be used in a denial of service attack: if we use that feature, we don't ping the target, we ping another computer on the internet with a fake source address, where the fake source address is that of the target. That's what we would get, for example: this is a ping, and the destination is this computer, but the source address is set to be that of the target. So when this computer receives the echo request it replies to the source, and the source, being fake in this case, is identified to be the target, so the computer sends the echo reply to the target. Our attacker does that to many different computers on the internet, sending ping requests to them, and when they get that ping request they look at who sent this and they think that the target server sent it, so they all send their reply to the target, and this is a way to start to overflow that target. So again, that's the role of the fake source address in this case.

Any questions so far? Our ping flooding is building up from a very simple case, if we just send many pings to the target, but now arriving at a case where, instead of sending to the target, we send to other normal computers on the internet and they all reply to the target. From the target's perspective that's harder to monitor, that this is an attack, because now the target is receiving many echo requests, but all from different locations. In the previous case, in the original case, we go back here, it's very easy for the target or the ISP to start to filter packets because they've got ping packets all coming in from one same source, but by using a fake source address, packets are coming in from different sources from the target's perspective, so it cannot realize that this is just from one computer; it looks like it's from many different computers. So it's harder for the target to drop or filter that out. We will stop there, and tomorrow we'll continue on and look at some extensions of trying to increase the amount of traffic that goes to the target, making it easier for the attacker to overflow the target. We'll look at ways to do that.
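The ISP-side countermeasure described earlier, checking that every packet a customer sends carries a source address the ISP actually assigned to that customer, can be written down as a small filter. This is an added Python example, not code from the lecture or from any router vendor; it reuses the lecture's addresses (the 72.16.0.0/16 provider block, customers 72.16.3.4 and 72.16.7.52, the fake address 33.101.53.2) and assumes made-up interface names and a target address of 198.51.100.10. It also shows why the check should be per customer port rather than per provider block: a coarse check stops outsiders' addresses but still lets one customer borrow a neighbour's.

```python
import ipaddress
from collections import Counter

# Assumed ISP edge configuration: each customer-facing interface is mapped to the
# source prefixes the ISP itself assigned to that customer. Addresses come from
# the lecture's example; the interface names are invented for this example.
INGRESS_ALLOWED = {
    "cust-a": [ipaddress.ip_network("72.16.3.4/32")],
    "cust-b": [ipaddress.ip_network("72.16.7.52/32")],
}
ISP_BLOCK = ipaddress.ip_network("72.16.0.0/16")


def source_is_valid(iface, src):
    """True if src lies in one of the prefixes assigned to this customer port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_ALLOWED.get(iface, []))


def ingress_filter(packets, strict=True):
    """Apply source address validation to (iface, src, dst) tuples.

    strict=True  : per-customer check; the ISP knows exactly which address it
                   gave each customer, so anything else on that port is spoofed.
    strict=False : coarser check that only rejects sources outside the ISP's
                   whole block, so a customer can still impersonate a neighbour.
    Returns (forwarded, dropped), each a list of the same tuples.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        addr = ipaddress.ip_address(src)
        ok = source_is_valid(iface, src) if strict else addr in ISP_BLOCK
        (forwarded if ok else dropped).append((iface, src, dst))
    return forwarded, dropped


# Constructed traffic seen on customer A's port: its own address, the random
# fake address from the lecture, and neighbour B's address; plus B's own traffic.
SAMPLE = [
    ("cust-a", "72.16.3.4", "198.51.100.10"),
    ("cust-a", "33.101.53.2", "198.51.100.10"),
    ("cust-a", "72.16.7.52", "198.51.100.10"),
    ("cust-b", "72.16.7.52", "198.51.100.10"),
]


def drop_report(packets, strict=True):
    """Dropped packets per interface: the counter an operator would watch to
    notice a customer emitting spoofed traffic."""
    _, dropped = ingress_filter(packets, strict)
    return Counter(iface for iface, _, _ in dropped)


if __name__ == "__main__":
    for strict in (True, False):
        fwd, drp = ingress_filter(SAMPLE, strict)
        print(f"strict={strict}: forwarded={len(fwd)} dropped={len(drp)}")
    print("drops per port:", dict(drop_report(SAMPLE)))
```

With the strict per-port rule, both the 33.101.53.2 packet and the packet where customer A uses customer B's address are dropped on port cust-a; the block-level rule only catches the first. Real routers implement the strict form as unicast reverse-path forwarding or an ingress access list on the customer interface.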
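From the target's side, the three cases in this part of the lecture look different on the wire: a plain ping flood is many echo requests from one source, a flood with fake source addresses is many echo requests from many apparent sources, and a reflector attack is many echo replies that the target never asked for. The following is an added Python example (not from the lecture) of a monitor that separates those cases from a trace of ICMP packets; the packet records, the target address 198.51.100.10, the reflector and client addresses, and the thresholds are all constructed for the example. It goes slightly beyond the lecture by matching echo replies against the requests the target itself sent, which is what makes reflected replies recognisable even though each comes from a legitimate host.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    """One ICMP echo packet as a monitor at the target might log it (constructed)."""
    ts: float          # arrival time in seconds
    src: str
    dst: str
    kind: int          # 8 = echo request, 0 = echo reply
    ident: int
    seq: int
    outbound: bool = False   # True for packets the target itself emitted


TARGET = "198.51.100.10"   # assumed target server address (documentation range)


def analyse(packets, window=1.0, per_source_limit=100, total_limit=1000, reflector_limit=10):
    """Bucket the trace into time windows and apply three checks.

    1. direct flood: one source sends more than per_source_limit echo requests
       in a window (the plain ping flood, attacker's real address visible)
    2. aggregate flood: more than total_limit echo requests in a window from
       any sources (catches spoofed floods where no single source stands out)
    3. reflection: echo replies whose (src, ident, seq) never matched a request
       the target sent; many distinct senders of such replies => reflected flood
    """
    sent = set()                        # (dst, ident, seq) of requests the target sent
    req_by_win = defaultdict(Counter)   # window -> Counter(source -> request count)
    unsolicited = Counter()             # reflector source -> unmatched replies
    for p in sorted(packets, key=lambda p: p.ts):
        if p.outbound:
            if p.kind == 8:
                sent.add((p.dst, p.ident, p.seq))
            continue
        if p.kind == 8:
            req_by_win[int(p.ts // window)][p.src] += 1
        elif p.kind == 0 and (p.src, p.ident, p.seq) not in sent:
            unsolicited[p.src] += 1
    direct = sorted({src for c in req_by_win.values()
                     for src, n in c.items() if n > per_source_limit})
    aggregate = sorted(w for w, c in req_by_win.items() if sum(c.values()) > total_limit)
    return {
        "direct_flood_sources": direct,
        "aggregate_flood_windows": aggregate,
        "unsolicited_replies": sum(unsolicited.values()),
        "distinct_reflectors": len(unsolicited),
        "reflection_flagged": len(unsolicited) >= reflector_limit,
    }


def benign_pings():
    """Constructed background: two hosts ping the target a few times, and the
    target pings one upstream host and receives the matching replies."""
    pk = []
    for i in range(5):
        pk.append(Icmp(i * 0.2, "203.0.113.5", TARGET, 8, 1, i))
        pk.append(Icmp(i * 0.2 + 0.01, "203.0.113.9", TARGET, 8, 2, i))
    for i in range(3):
        pk.append(Icmp(i * 0.3, TARGET, "203.0.113.77", 8, 7, i, outbound=True))
        pk.append(Icmp(i * 0.3 + 0.05, "203.0.113.77", TARGET, 0, 7, i))
    return pk


def trace_direct_flood():
    """Constructed: 72.16.3.4 (the lecture's example address) floods with its real source."""
    return benign_pings() + [Icmp(0.5 + i * 0.002, "72.16.3.4", TARGET, 8, 9, i)
                             for i in range(300)]


def trace_spoofed_flood():
    """Constructed: the same flood, but every request carries a different fake source."""
    pk = benign_pings()
    for i in range(1500):
        fake = f"10.{(i >> 8) & 255}.{i & 255}.{(i * 7) % 254 + 1}"
        pk.append(Icmp(0.2 + i * 0.0005, fake, TARGET, 8, 9, i))
    return pk


def trace_reflection():
    """Constructed: 40 third-party hosts were pinged with the target's address as
    source, so their echo replies land on the target unsolicited."""
    pk = benign_pings()
    for i in range(400):
        pk.append(Icmp(0.1 + i * 0.002, f"192.0.2.{i % 40 + 1}", TARGET, 0, 4242, i))
    return pk


if __name__ == "__main__":
    for name, trace in (("direct", trace_direct_flood()),
                        ("spoofed", trace_spoofed_flood()),
                        ("reflected", trace_reflection())):
        print(name, analyse(trace))
```

The direct flood is caught by the per-source count and the source can be handed to the ISP, as the lecture describes; the spoofed flood only trips the aggregate count, so the target knows it is under attack but cannot name a source; the reflected flood never trips either request counter, and the only signal is hundreds of replies to requests the target never sent, from dozens of different hosts.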