All right, let's go through those different forms of denial of service attacks using ping flooding. So in all cases we're looking at ping, using ping to try and, in this case, generate a lot of traffic. We're trying to overload the network resources, and for the simple case let's imagine the link entering the target's network is the bottleneck, it's the slowest, so to overload the network resources we need to be able to send enough to reach the capacity of that link. In the simple ping flooding attack, the attacker, with say one computer, sends many pings, ping requests, with the intent that if they send enough, this link will have to spend all its time delivering those ping requests to the target's computer and will not have any time to send the normal data. For example, other people out on the internet are trying to access that target computer. If this link is full of ping requests, then say the web request to the server will not get through, or it will be delayed. Now, different countermeasures for this: drop or block ping packets, but that's not a good solution because ping has an intended purpose in the internet for monitoring network connectivity. If the target can identify the attacker, they can take some action to try and stop the attacker. And an extension of that, which we saw yesterday: if we use a fake source address, so address spoofing means using a fake source address, then at least in that case the attacker cannot easily identify the source. So by using a fake source address the attacker has several advantages: it's harder to identify them, and also, we'll see in a moment, we can reflect off other nodes. Now, a way to prevent the use of fake source addresses is for the ISP that the attacker connects to not to allow someone to send using a fake source address. But not all ISPs do that, so it's still possible in some cases for an attacker to use a fake source address.
If we do use a fake source address, there are different ways that we can use it. In this case the attacker sends many pings again, but instead of all the replies coming back to the attacker and overloading the attacker's own network, they go to someone else on the internet, the fake source address, and we could change the fake source address each time we send a ping packet, or every few seconds. So we can choose a fake source address, say randomly even. We don't care, from the attacker's perspective, what the source address is in this case; we just don't want it to be us. So the target cannot identify the attacker, and the replies don't come back to us, because that may overflow our own network. And the further extension of using this is to reflect these ping requests off other nodes. So instead of pinging the target, ping some other nodes on the internet, again you can choose them randomly or from some set, and using a fake source address. In this case, when those nodes receive the ping message they reply to that fake source address; in this case the fake source is a specific address, it's the address of the target. So the attacker sends a ping to this computer, this computer thinks it came from the target, so sends the reply to the target. The attacker does it in parallel to many other computers on the internet. They all think those ping requests came from the target, so they all reply to the target, with the intent of overloading the link leading to the target. So here's a use of the fake source address in a different manner than just hiding the attacker: reflecting off other hosts. We'll try and demonstrate this further in our virtual network; I've set up a more detailed example where we'll try and see it in practice in some simple cases. But before we do that, well, we'll come back to this one later, after we see the demonstration. Remember the aim in all of these ping attacks, so we're still on a ping attack, is to overflow the network resources.
So in this picture, think of these two routers before the target; the link between these two routers, we want to overflow that. If the capacity is 10 megabits per second, we want to generate enough ping packets coming in which exceeds that 10 megabits per second, which will mean that that link will spend all its time delivering the ping packets and very little time delivering the real data to the target. We'll see one way to do that is to try and increase, well, how do we increase the amount of traffic coming? Send more ping requests, or make sure that the individual packets are larger, the size, the number of bytes in those packets. And we'll do some calculation shortly, but not yet. But I just want to introduce one more before we see a demo. Remember in the internet we have special types of addresses called broadcast addresses, where if we send to that special broadcast address, the intention is that the packet will be delivered to everyone on a particular subnet. So an idea from the attacker, again to increase the number of messages going to the target, increase the chance of overflowing the target, is to use broadcast as a destination. So in this example the packets, the ping requests, are sent not to a specific computer but to a broadcast address which represents a range of computers. For example, the address 192.168.1.255: if you send a packet to that address, it doesn't go to one computer, it should go to every computer on the subnet identified by 192.168.1. So 192.168.1.1 will receive it, .2, .3 and so on. So that's how broadcast is used. So what an attacker could try to do, let's say in my picture here, there are several subnets. For example, the one down the bottom left is 192.168.1.something, at the top is 192.168.2.something, and .3 in the top right. So three different subnets. What the attacker does is send three ping requests.
The destination of one of them is the 192.168.1.255 address, meaning the entire subnet here, and the second one is to the 2.255 and the third to the 3.255 address. So the attacker just sends three messages. And the way that broadcast is intended to work is that once that packet arrives at the router for that particular subnet, the router, and it's not shown in the diagram, but the router receives it and sees, ah, this needs to go to everyone on my subnet, and therefore the router makes copies and sends to everyone on the subnet. That's the intended mode for directed broadcast. So the attacker sends one packet. It gets to the router for this subnet and the router realizes, oh, let's deliver this one packet to everyone on my subnet. Here we have just three computers, but in general there could be more. And similar for these other two subnets up the top. So the result is that in this first subnet down the bottom, three computers receive a copy of this ping request. And when you receive a ping request, what do you do? You reply. Who do you reply to? You reply to the source, and again, if we're using a fake source address, they think it came from the target. So all three computers here send a ping reply to the target. And the computers on the other subnets all reply to the target. So this is what we call an amplification attack, in that the attacker in this simple example sends three messages, but using the broadcast feature, the number of messages delivered to the target is amplified, more than three. So that's good from the attacker's perspective, because they need few resources to initiate the attack, but there's a greater chance to overload the target and the target network. So this is a very powerful attack, because on most subnets there aren't three computers, there are hundreds of computers.
So if the attacker could, for example, from outside on the internet send one packet, it comes into SIT and the 100 computers in SIT all reply to a particular target. And the attacker does the same for other subnets in the internet; those thousands and thousands of computers all send the reply to one target, and it's very easy to overflow the link heading into the target with that. So this takes advantage of the broadcast nature which is supported in most networks. Any questions on how it works? So amplify: we want to increase the number of messages sent to the target, and we want it to be as easy as possible for the attacker, send as few as possible. In practice, the countermeasure for stopping this is that the routers do not allow directed broadcast from outside. For example, this subnet down the bottom here: the router receives a packet whose destination is 192.168.1.255. The router would be configured to say, if there's a directed broadcast message coming in from someone outside, drop that packet, don't forward it on to everyone inside. The reason routers drop it is to prevent this attack from happening; that's the countermeasure. So in theory this would work in the internet, but in practice most routers are configured such that if someone outside tries to ping our directed broadcast address, the router will not send it on to everyone, because that would be too dangerous if they did; it's easy for a denial of service attack. So what I'm going to do now is just demonstrate this one and another simple denial of service attack, and we'll see the basics of how it works. There it is. You have the printed copy of the notes, I hope; it's called 'Ping flooding DoS attack in a virtual network', so you can see some of the pictures that I show, but just watch and follow along. This is something that you can actually try yourself, and one of the homework tasks will involve you doing an extension of this type of attack.
So you'll use similar commands, and the commands are all here and recorded, you don't need to remember them or write them down, but as a homework task you'll be doing a similar denial of service attack, but of course inside our virtual network, not on the real network. So let me bring up the example network. Actually, before we do that, I want to bring up something else. Let me find the website.

In all of these cases, let's do some rough calculations of how many packets we need to send to overflow the link. So in all these cases I'll go back to the simple one, the bottleneck link. This bottleneck link heading into the target's network, that's the slowest link. How many packets do we need to send, if we're using ping, to overflow that? Well, let's consider some simple examples of what the capacity of such a link is. We said yesterday, if this is your web server for your personal business, so the target is a web server, you want other people on the internet to access your web server, you pay your ISP for a link. What's the speed of such links? We said yesterday, say you're hosting your web server at home and you're using ADSL, what's the speed of a link heading into your network, what speeds can you get with ADSL? 10 megabits per second, in the order of several megabits per second, 10 megabits per second, maybe a few more. So if you've got ADSL then the capacity is about 10 megabits per second. Now, lost control, I heard a noise but didn't see it. Of course, if you're hosting your own website and it becomes popular, you probably don't want to host it in your home or even in your office. You may host at a remote location which is set up for hosting websites for many people, a hosting service. So where is it? I'll just bring up an example of a company that hosts servers for you. It's not there, it's here. And just to give an example of the features, or the speeds: for example this company, Linode, you can pay per month or per year to use one of their servers. So for example the
cheapest one, ten dollars per month, and what you get is really your own server, and the network speeds, not the entire capacity that you get, but the links coming in, if you can see, it's a 40 gigabit per second link coming in and a 125 megabit per second link going out. So the link coming in to the network there is 40 gigabits per second, not 10 megabits per second but 40. Now in this case you as the customer that hosts your server don't have that just to yourself; it's shared amongst many customers. So maybe they have a thousand customers sharing that 40 gigabit per second link, so on average you as the customer may be getting maybe hundreds of megabits per second in. So your server's bottleneck link is in the order of hundreds of megabits per second, maybe even gigabits per second; if you want to pay more you can get a higher capacity.

So how many packets do we need to send to, say, exceed, let's say, a hundred megabits per second? How many ping packets, if our link capacity is, just a rough calculation, then let's say we're using ping, how big are ping packets? Well, we can actually set the size. If you remember, using ping you can specify the size of the packet, okay, there's a -s option to say you can change the size. Usually the maximum size is limited to 1500 bytes, but let's just, for easy calculation, say the size of every packet is a thousand bytes, or 8000 bits. So one packet coming in is 8000 bits, the link supports a hundred million bits per second. How many packets do we need to generate to overflow, or to reach the capacity of, that link? For example, in this case our link is a hundred megabits per second, every packet is 8000 bits, so the number of packets per second that we'll need to send is 12,500 pps. What does pps mean? Packets per second. That is, if my capacity is 100 megabits per second and I'm just using ping and I want to reach that capacity, a denial of service attack requires us to send enough traffic such that the link fills
up, then I need to send around 12,500 packets per second to reach that capacity. Now of course that link may be carrying other people's traffic as well, so we may not have to generate that much because the link is carrying other traffic, but that gives us an order of magnitude: we need to generate thousands or even tens of thousands of ping packets per second to overflow such a link. If we had a one gigabit per second link then it multiplies by 10. Some links to servers may be in the order of tens of gigabits per second, so you're talking about millions of packets per second needing to be generated for a denial of service attack to be successful. Getting your computer on its own to send 12,000 packets per second is going to use up some resources on your computer and also going to use up your link, okay. So that's why we need reflectors, and especially amplification, so that our attacker can send a little amount but still exceed the capacity of the bottleneck link at the target.

For the demo that I'm about to do, to make it simpler to perform a denial of service attack, I'm going to change the bottleneck link: instead of 100 megabits per second, let's set it to very low, 100 kilobits per second, just so that I can create enough traffic to overflow it in the demonstration. So if the capacity is a hundred kilobits per second, then it's a thousand times less than a hundred megabits per second, so we'd need to send a thousand times less, that is 12.5 packets per second. If we have a capacity of a hundred kilobits per second, just with ping traffic trying to fill up that capacity, our attacker needs to generate about 12.5 packets per second if those packets are a thousand bytes; if they are smaller we'd need to increase the rate. So let's go to an example, and the network that we're going to consider is here, and this is on your printout, you have a copy of this picture, the picture is also on the website so you can see it there. This is the virtual network that I've set up already, and let's
just explain the scenario. So I'm trying to create a network where we can perform an actual denial of service attack, and it tries to match the pictures that I have in the slides, in that we have a target computer, a router leading to that, an attacker computer, and on the internet we have some other computers to act as either reflectors or the normal users, and I'll use two different scenarios. So the target server, think of a web server, the normal users want to access this web server, will be computer 8, node 8 in the setup; its address is 192.168.3.31. That's the one that we want to stop people from accessing. And the router that leads to that target, this node 7, is the target router, and what I've done is I set the link from node 7 to node 8 such that the capacity is a hundred kilobits per second. So what we need to do to do a denial of service attack is to generate enough traffic coming into this node 7 that exceeds a hundred kilobits per second, such that what goes in, let's say coming in is a hundred and twenty kilobits per second, it can only send out a hundred kilobits per second because that's the capacity of the link. So if we can exceed that then packets will be dropped here, meaning the performance for the normal users will slow down and eventually stop. To do the attacks I've also set up node 1, which in one case will act as the malicious user, the attacker, and four other nodes out on the internet. In one case I'll use three to act as reflectors, that is, the malicious user will send to them and bounce off them and go to the target. But first I'll do a broadcast attack, that is, we'll get the malicious user to send one message, one ping packet, but send it to the broadcast address such that all nodes in the network will reply and try to overflow the target. We'll quickly demonstrate that and then do a second attack. So the first one I'm going to show, in fact we're not going to use node 1, node 3 will be the malicious user
just for the first demonstration. Node 3 is malicious, the other nodes in the subnet are 2, 5, 6, 4 and 7, and I'm going to use broadcast to try and generate traffic on the target. Remove this. So I've set up that topology and set up our nodes; the website explains some of the steps needed to set that up, but we'll go direct to what we need to perform the attack. We don't want node 1; in this case node 3 is going to be malicious, he's red, the others, nodes 4, 5 and 6, are other nodes in the network, we'll see what happens on them, we'll zoom in when necessary. Node 8 is the target web server. So to do the broadcast attack, let's go to it. Remember we send one message to the broadcast address, everyone on the subnet will receive it and they'll all reply to the target. The source of the ping request, what's the address, what should it be? The attacker sets the source address; what should it be to do this amplification attack? What should the source address be? The address of the target. So we need to use a fake source address. So we send it to all the people in one subnet, they receive it, they think it came from the target, so they will reply to the target. So the first thing I'll do is, on the malicious node, set the fake source address, let's hope this works, and the command I'm using, and we can zoom in a bit, iptables is the command that allows us in this case to set a fake source address. So instead of the node 3 address, the source will be set to 192.168.3.31, that's the target, the web server. Now I'm going to get node 3 to try and ping everyone on a particular subnet, and it's quite easy to do, we just use the ping command, but there's a special option with ping to send to a broadcast address, you add the -b option, and the network is this. So just a reminder before I start that we are node 3 in this case, we're going to ping everyone on the 192.168.2 network, that is, the intention is to send one message and it should go to 4, 2, 5, 6 and 7;
the source will appear to be 3.31, so when they receive that message they'll all reply to 3.31. So we're starting the ping. We'll see what's happening in a moment, but of course we're not going to see any responses here, because the fake source address means that our malicious node will not receive the reply, so it will appear as if nothing's coming back. But let's see what's happening on some of the other nodes. For example, to switch between nodes, node 4 for example, if we capture on node 4 and see what's coming in, node 4 is receiving an echo request, I'll just stop that, every one second node 4 is receiving an echo request from what it thinks to be 3.31, therefore node 4 replies to 3.31. Similarly if we look at the other nodes, I'll use node 5 for example, the ping is still running, every one second it's receiving an echo request and replying to 3.31, and if we looked at the other nodes they would all be doing the same. So this is the amplification attack: the source is sending one packet per second, but it goes to everyone on the subnet, the 2.255 address, and therefore everyone in that subnet receives it and they all reply to the target. And now let's look at the target and see what happens there. You can stop that. This is the target node; you see every one second it's receiving, what, five packets per second, five echo replies. So our malicious node is sending one per second, the target receives five per second, one from each of those nodes inside that LAN, you see from the source addresses there. So this is just a simple case of an amplification attack. I have another program called iptraf which will give us some statistics about how many packets per second or how many bits per second we're receiving, just a nice summary of what's happening. So this is the target node and it gives us some statistics about the incoming rates: 3.9 kilobits per second, 3900 bits per second approximately, and you see all of those packets are ICMP packets, ping packets, coming in. So every second this is updated, you
see it increases by five because we're receiving five per second, the average five packets per second coming in. Why is it 3.9 kilobits per second? Five packets per second, it depends upon the size of the packet, right? In this case the ping packet size is, I think, 64 bytes; we see the length of every ping is 64 bytes. If we add on 64 bytes plus there's an IP header plus there's an Ethernet header of 14 bytes, the total packet size is 98 bytes. Every ping packet coming in is 98 bytes, or 784 bits, but we're receiving five per second, so the rate per second, we times by five, is 3920 bits per second coming in, the 3.9 kilobits per second coming in. Is this a good attack? Is the attack working? That is, would the attacker be happy with this? No. Why not? It's not enough. Remember our capacity of the link is 100 kilobits per second; we're only generating 3.9 kilobits per second, we're nowhere near approaching the capacity, okay. So to make this attack effective the attacker needs to increase this incoming rate to about 100. How do we increase that? What could they do? Again, if we had other subnets we could try to send to them; in this case we're limited to very few nodes. So what else could we do to increase it? Increase the size. With ping we can set the size of the packet; here it defaults to 64 bytes, we could set it to a thousand bytes and therefore each packet will be larger, okay. So one way to increase it: increase the packet size. What else? How can we speed up ping? Decrease the interval. Remember this is one packet per second; ping by default sends one request per second, we could set the interval to be half a second, that is, every second we send two packets, doubling the rate, and of course you can reduce it to be very small. So basically send more packets per second and send bigger packets, that's the way to increase that. We'll stop that. We would not increase this one, because in fact broadcast doesn't work in practice in many cases, because of the way that I did it. So we
could increase it and we could see the effect, but just to move on to the other one: in this case the attacker was actually node 3, it sent to everyone in the subnet. The reason I made the attacker node 3 is because if the attacker was node 1, the router would block the ping request from going to everyone on the subnet. Most operating systems have built-in features that don't allow someone to send a request to the directed broadcast address, so I had to set it up especially so it would work. But in practice, if node 1 tried to ping 192.168.2.255 it would get to node 2 and it would say no, you're not allowed to do that, and it would not send it on to them and it wouldn't work. So this broadcast amplification doesn't work much in practice, because the security features of the computers don't allow it to work. So let's try a different case where we don't use broadcast. Let me stop these. What do I need to do? Stop the ping, and this one I set a fake source address on, I'm going to remove that, and we'll make this one back to the normal node: delete, changing back to green, shrink that a bit, sorry, we've got many nodes here, it's hard to show them all at once, and come back.

Now, next attack: we will use this node 1 as the actual malicious node. So node 3 is back to being a normal node; it's going to be a node that tries to access the website on the target server. Node 1 is the malicious node, the attacker. Nodes 5, 6 and 4 we'll use as reflectors. So we'll try a reflection attack where we use ping. Node 1 will ping individually, not using broadcast: it will ping node 4, and using a fake source address, when node 4 receives that ping it will reply to the target. At the same time node 1 will ping node 5, which will reply to the target, and node 1 will ping node 6, which will reply to the target, with the aim of overflowing the target's network. And we'll demonstrate whether it works, because node 3 will run a web browser and see if we can quickly access the website. Remember denial of service is about denying other people
from accessing the server. So if node 3 can still access the server the attack is ineffective, but if node 3 cannot access the server, or at least is slowed down from accessing it, the attack seems to be working. So that's the topology we're going to use. Let's access the server first. I've set up a very good website on node 8, the target server. What web browser will I use? Firefox? No, no. What's a better web browser than Firefox to use? Chrome? Unfortunately in our virtual network we only have command line terminal access, there's no GUI, okay, the virtual network, there is no GUI on each of these nodes, okay. So we need a much simpler web browser for this demo than Firefox; links is one. And the address of the server, 192.168.3.31, and I have a web page I put on there, let's access it. Okay, that's the web page. links is just a text-based web browser, and this web page has a title and a link to another page, it2, and if we follow that link it takes us to it2. So there's actually two web pages, they just link between each other. And just look at the response time: that is, I'm following the link, we're on it2, we follow the link to it1, and it immediately brings up the web page, so the response time is almost immediate, okay. So we're browsing the web here, everything's working fine; this is on node 3. What we want to do is initiate an attack such that when we try to access this website it's slow, or it even cannot be accessed. So we'll return to that in a moment. So links will be our simple web browser, quit that. So the target node is running a web server, node 8. Node 1 is our malicious node. What do we need to do on node 1? Set the source address, so we need a fake source address, so we'll set the fake source address, and the source address will be what? The address of the target. Copy and paste so we don't have to type it. So this is the command for setting the fake source address, so that from node 1, when it sends a packet, the source will be set to 3.31, that of the target. What do we do next? We
need to ping, and come back to the picture of the network: node 1 is going to ping who? We're going to ping, we're trying to do a reflector attack, ping to everyone, nodes 4, 5 and 6, okay. So what I would do is maybe open three terminals and in one of them say ping 192.168.2.22, in another terminal ping 2.23, and in a third one ping 2.24. So now the three reflectors we've chosen, when they receive that ping echo request they'll see the source address is that of the target, so they'll all send the reply to the target. Now rather than me having to start three terminals and type it in three times, I've created a small script that will automate that, so it just pings many nodes at once, so we can save a bit of time in typing it in. So we come up to node 1, and I've created something called 'ping many'. I'll explain how it works: 'ping many' simply starts ping three times, or as many times as we specify destination addresses. So in fact I'm going to ping 192.168.2.21, 2.22, .23 and .24 in parallel, and I'm going to set the interval to 0.5; remember ping is by default 1 per second, we'll set the interval to 0.5, meaning 2 per second, 2 packets per second being sent. And I'll set the size to be 972 bytes. Why that strange number? If you add on the headers I think it comes up to a thousand bytes: data of 972 plus the headers, I've worked out that that totals to a thousand bytes per packet. So the aim in this case: two packets per second to the four destinations, each packet is a thousand bytes. It will not show any output, it will just run, I hope, and it's running in the background now. Let's see what the other nodes are receiving, for example node 5. All right, node 5, one of those reflectors, is receiving, if you count, two packets per second echo request, and sending an echo reply to .31. The length is 980 bytes, plus the 20 byte IP header, so in total it's a thousand byte packet. And if we look at nodes 4 and 6, the other nodes, it will be the same. Let's stop that and see if our attack is
working. Let's look at our website and see if our normal user can access the website; just note the response time, see if it's fast or not. Okay, not too bad. What's wrong? So my normal user can still access the website very fast. Quit and access again. So the attack is not working. What's wrong? Let's look at what the server is receiving. The packets per second or bits per second coming in in total to the server is here; we see, what, around 55, 64 kilobits per second, it varies a bit. Remember the capacity of our link is 100 kilobits per second. We're seeing about 64 kilobits per second coming in, so we haven't yet generated enough traffic to overflow the link. The average is about 8 packets per second. Remember we pinged 4 nodes at an interval of 0.5, so 2 per second, so that's 8 packets per second. Every packet is about a thousand bytes; 8 packets per second, a thousand bytes per packet, is 8 thousand bytes per second, or about 60 or 64 kilobits per second. So we're only generating about 64 kilobits per second; we need to increase it to reach our capacity. How are we going to increase it? We can change the packet size and/or change the interval, okay. Let's change the interval, just so it's easy to calculate, and keep the packet size, and then we'll, I need to stop that, let me remember how to do it. So I stopped that; it doesn't matter how. We'll run it again with, let's say, 5 packets per second, an interval of 0.2, 5 packets per second to 4 different destinations, you see there are 4 IP addresses there, so that's 20 packets per second. We expect 20 times a thousand is 20 thousand bytes per second, or 160 kilobits per second. This should be generating 160 kilobits per second; our capacity is only a hundred, so we should slow down the web server. Let's start it. It's running. This is what's coming into the server now. The server is not going to receive more than a hundred kilobits per second, because the link that comes into the server has a capacity of a hundred kilobits per second, so we can see we've approached the
capacity. Let's go to our website, our web browser, now. Just note the response time: so when I press enter, see how long it takes to access the website. And press enter now. It's making a connection, okay, it's trying to connect to the website. So now our attack is working, because the normal web browser cannot access the server, because the link to the server is full of all those ping packets coming in, and it may connect or it may time out depending on how lucky we are. It sent the request, it's waiting for a response; that link is full, that response may come eventually or maybe it will time out. Let it run there, trying again. Let's bring up node 7. Node 7 is our target router, so what we have here is the output link of the router is a hundred kilobits per second; it can send out a hundred kilobits per second. We're generating packets coming into the router at approximately 160 kilobits per second, because the malicious node is sending to nodes 2, 4, 5 and 6, and they all reply via node 7. We had five packets per second per node, four nodes, that's 20 packets per second coming in, each is a thousand bytes, which is 20,000 bytes per second coming into node 7, or 160 kilobits per second coming in; it can only send a hundred kilobits per second out. Let's just check that. iptraf shows us some statistics. This is the input interface, so the router should show the average, the incoming rate, you see, is, all right, about 140 kilobits per second, 150, so it's coming up to what we calculated, about 160 kilobits per second coming into the router. That's coming in, and if we look at the other interface, the output interface, what's going out, look at the outgoing rate, and it should approach around a hundred kilobits per second. So we're losing 60 kilobits per second of traffic; the router drops it or it sits in the queue and waits. So that's our attack working. If we return to our website, where did it go? I'm lost, all my nodes. Our client couldn't access the website; links has eventually returned 'unexpected error', I
couldn't connect to the website. So the denial of service worked in that case. We try again; you see that delay, and eventually it may time out.

Any questions on some of these concepts? So we've just demonstrated the broadcast amplification and reflectors to try and increase the amount of traffic going into the target, and as you see it's not so hard to do. Of course, in this example our capacity here is a hundred kilobits per second, but let's say in a real network it was a hundred megabits per second, a thousand times more. Then what do we do to make the attack effective? We can't send it 160 kilobits per second if the capacity is a hundred megabits per second. We need more reflectors. Okay, we can't always just increase the ping interval, because it will start to use up the resources of the computer, and we can't just increase the size forever, because the size is usually limited to 1500 bytes, so we've almost approached the largest size. So a way to make this attack effective in practice is to use many more reflectors. If you have thousands of reflectors, computers in the internet, we send to them and they all send to the target. So this is just a simple case. Questions on ping flooding? That almost finishes ping flooding.

When you connect to a server like the ICT server and you cannot access it, why? It could be multiple reasons. The server itself may not be accessible; it may be turned off or not have network connectivity. It's not necessarily a denial of service attack, but the traffic in SIT may be so large that your request to the server is delayed a lot. So a similar scenario, but not malicious. Okay, so if every student is trying to access via the Wi-Fi or the SIT network, then again the network has some capacity, and if we start to approach that capacity your packet will be delayed and maybe even dropped. So it's the same outcome, but here the traffic that uses up the capacity is from a malicious user; it's intentional. So probably it's not an attacker in SIT, it's
probably just that the normal users use too much; they're watching YouTube too much or doing whatever in SIT's network. But that's an important point: it's very hard to distinguish between an attacker sending a lot of traffic or the normal users sending a lot of traffic. So how do we know, from the target, whether this is an attack or if it's just many users accessing our website because we became popular for some reason? So it's very hard for the target to know, and even the ISP, to know what's the reason for all these packets coming in. In general, for denial of service attacks it's difficult to distinguish between an attack and just normal usage, or some peak usage from some large number of users, and that makes it hard to stop denial of service attacks.

Why do we use ping? Everything here was using ping. What's the reason for using ping? It has a request and reply. What other protocols have a request and reply? Yeah, but what applications have a request and a response? ARP. Think more common, that you use every day. HTTP. HTTP: your browser sends a request, the server sends a reply. Okay, so that also has this request and reply. Why won't it work? So maybe go back to our simpler case, say this one. Why won't, in most cases, using HTTP work here? So we try to send a HTTP request to some computers on the internet, with the hope that they receive that request and they see it's a fake, or they don't know it's fake, but at the fake source address they reply to the target. Why will that not work, or only work in some cases? Someone doesn't use the internet? No. Some of those reflector nodes may not be running a web server. For a HTTP request to be replied to, that computer must be running a web server. For example, this computer here that receives a HTTP request, if it's going to reply it must be running a web server. If it's not, then it's just going to ignore that, drop that packet. How many computers... how many of you run a web server on your home computer? Not many people run web servers, but
ping is built into the operating system for most computers, so that the operating system automatically, when it receives a ping request, will send a reply. So that's why ping is used a lot: because it's most likely that those computers out on the internet will reply to the ping request, but of the many computers on the internet only a few of them will reply to a HTTP request. So the type of protocol used depends upon how widespread the computers are that will reply to that. Similar with other protocols, not just HTTP, but any protocol that has request and response: it depends on how many computers we can find that will reply to that, and pretty much all computers reply to ping, but only web servers reply to HTTP requests.

What do we miss? A better thing would be to get the reply to be larger than the request. In ping, the request we set to about a thousand bytes, so we set 972 bytes in the request, and the reply is about the same size, also a thousand bytes. So with ping the request and response are the same size. What would be better, from the attacker's perspective, is if the request was small, let's say 20 bytes, and the protocol was designed such that the reply is much larger. Again, that's easier for the attacker: to send many small requests they only need a small capacity link there, and the reflectors will reply with many large replies, making it easier to overflow the target. Ping will not do that; the request and reply are about the same size. But there are some protocols used on the internet that are such that the reply can be larger than the request, and if the attacker can use those protocols then they can be more effective in the attacks. We will not go through the protocols here, but these are the names. DNS has such a feature: you send a DNS request and the reply can be very large compared to the request. And there are some other protocols which are not so common, so it's harder to do this. One of them, listed here, is called the Network Time Protocol, NTP. What's the time on your phone or on your computer?
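The arithmetic the lecture does by hand, written out as an added example that is not code from the lecture or its virtual network: the load a set of reflecting hosts puts on the target's link, what the 100 kbit/s link forwards and what it drops, and, as a capacity-planning view of the "thousand times faster link" question above, how many hosts answering at a given rate it takes before replies alone fill a link. The amplification parameter is the reply-to-request size ratio just discussed (about 1 for ping); the 10x factor in the last call is a constructed illustration, not a figure from the lecture. The function names and the 20-byte IPv4 plus 8-byte ICMP header split behind the 1000-byte packet are mine.

```python
import math

IPV4_HEADER_BYTES = 20   # IPv4 header without options
ICMP_HEADER_BYTES = 8    # ICMP echo header: type, code, checksum, id, seq


def on_wire_bytes(payload_bytes: int) -> int:
    """Size of one ping packet on the wire for a given ICMP payload (the ping -s value).
    The lecture's 972-byte payload gives a 1000-byte packet."""
    return payload_bytes + ICMP_HEADER_BYTES + IPV4_HEADER_BYTES


def offered_bps(reflectors: int, pings_per_second: float, packet_bytes: int,
                amplification: float = 1.0) -> float:
    """Traffic arriving at the target's link, in bits per second.

    Every reflector answers each request it receives, so the target sees
    reflectors * rate replies per second. amplification is reply_bytes / request_bytes;
    for ping it is about 1 because request and reply are the same size.
    """
    return reflectors * pings_per_second * packet_bytes * amplification * 8


def link_outcome(offered_bps_value: float, capacity_bps: float) -> tuple:
    """Split the offered load into what the link can forward and what the router in
    front of it drops (or queues, which the lecture also observed as delay)."""
    delivered = min(offered_bps_value, capacity_bps)
    return delivered, offered_bps_value - delivered


def hosts_to_saturate(capacity_bps: float, pings_per_second: float, packet_bytes: int,
                      amplification: float = 1.0) -> int:
    """Capacity-planning view: how many reflecting hosts, each answering at the given
    rate, it takes before their replies alone fill this link."""
    per_host = offered_bps(1, pings_per_second, packet_bytes, amplification)
    return math.ceil(capacity_bps / per_host)


if __name__ == "__main__":
    pkt = on_wire_bytes(972)          # 1000 bytes, as in the demo
    link = 100_000                    # the demo's 100 kbit/s link
    for rate in (2.0, 5.0):           # interval 0.5 s, then 0.2 s
        load = offered_bps(4, rate, pkt)
        forwarded, dropped = link_outcome(load, link)
        print(f"{rate} pings/s x 4 reflectors: {load / 1000:.0f} kbit/s offered, "
              f"{forwarded / 1000:.0f} forwarded, {dropped / 1000:.0f} dropped")
    # Same per-host rate against a link 1000x faster: replies from 2500 hosts needed.
    print(hosts_to_saturate(100_000_000, 5.0, pkt))
    # Constructed 10x reply/request ratio (not a figure from the lecture): a tenth as many.
    print(hosts_to_saturate(100_000_000, 5.0, pkt, amplification=10.0))
```

The two demo runs reproduce the lecture's numbers (64 kbit/s with the link underused, then 160 kbit/s offered against 100 kbit/s with 60 kbit/s lost at node 7), and the last two calls show why the lecture says reflector count, not per-host rate or packet size, is what scales, and why a reply larger than the request cuts that count in proportion.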
Where do you get the time from? Most computers now get it from the internet; that is, the clock is set from some servers on the internet, and the protocol to get that is called the Network Time Protocol. And in some scenarios the response is much, much larger than the request, and a year or two years ago there were some real-world attacks using NTP that generated tens of gigabits per second of denial of service traffic. Your homework will use NTP to perform an attack in a virtual network, so you will need to investigate that. I'll give you the instructions soon. And we've finished. So we've seen amplification.

Last couple of points. Okay, instead of the attacker initiating the attack by sending, say, the ping request, if the attacker can take control of some computers on the internet via some malicious software, we talk about having zombies. So somehow the attacker has installed malicious software on some computers on the internet, through a virus or worm, and then the attacker triggers those computers, the zombies, to start an attack. So in this case there are three zombies under the control of the attacker, and it triggers them to send the ping request to many others. So this zombie sends to many others, they all reply to the target, and each of those zombies does that. So again a way to increase the amount of traffic going to the target, and the attacker really has to do very little: they send very little, they get others to do it on their behalf. And a collection of zombies is referred to as a botnet, and it's been reported that there are botnets in the order of millions of computers. So an attacker may have access to one million different zombies there; it gets all of them to do some flooding attack against a particular target, and with that you can generate enough traffic to take down targets which have tens of gigabits per second capacity. That's what real-world denial of service attacks involve. Very hard to stop, okay, because when there are millions of zombies, even if the target or
the law enforcement agencies can stop some of them, there are many others that they cannot stop, or new ones arrive, and it's very hard to prevent such attacks. To do that the attacker needs to take control of those computers, and we will not say much, but somehow infect them with malicious software, create some software that will run on those zombies that will initiate the attack on behalf of the attacker. Usually it involves taking advantage of bugs in software or operating systems on those zombie computers to install the software that will do the attack.

To finish, how do we prevent the distributed denial of service attacks, the DDoS, distributed denial of service attacks, when we have many computers attacking? Make sure we have enough resources in our target network and computer to handle a large amount of traffic or a large number of requests. Use protocols that are less vulnerable to attacks, or disable the support of protocols like ping or other special protocols that make it easier for the attacker. And aim to be able to provide some, even some limited, service even under the presence of an attack. So for example if you're Amazon, the Amazon website, even if it is being attacked they may want to have some limited service, saying that maybe you can't purchase things but you can still browse the shop. Prevention is very hard, okay, because it's very easy to generate a lot of traffic, so detection is important. That is, once the attack starts, we need a way to quickly detect that this is an attack, it's not just normal users accessing the website, and then take some response. So detection usually involves looking for some strange or suspicious patterns. If you start to receive ICMP echo replies at a rate exceeding some amount, that may be suspicious, and that detects, or indicates, there's an attack taking place. If you detect an attack then you should take some response: maybe technical means to identify the attackers, or even legal means to do so, so that they will not do it in the future.
Contact that ISP and ask them to stop them, or take some legal action. So it may be hard to prevent the current attack, but it may help in preventing future attacks.

Denial of service attacks prevent use of the network, system or applications. They exhaust things like CPU, bandwidth, disk space. Address spoofing is common amongst many attacks, using a fake source address. Reflectors are commonly used. Amplification is used to increase the amount of traffic going to the target compared to what comes out of the attacker, and in practice zombies, that is computers that have been infected with malicious software, are used to initiate the attack on behalf of the attacker. Generally denial of service is easy to perform; it's hard to prevent, but of course easy to detect, but often the detection is too late: your service is unavailable. So there are still many denial of service attacks in the internet today, and to prevent them it usually requires cooperation from the different companies that are providing internet service to stop future attacks. And there are different extensions or things to explore about denial of service attacks in the internet.
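The detection rule the lecture mentions (ICMP echo replies arriving faster than some rate), as an added example that is not code from the lecture: a small Python checker over a constructed capture written in tcpdump's text style, plus a second check specific to the reflection pattern demonstrated earlier, which flags echo replies that answer requests the monitored host never sent. The addresses, timestamps, threshold and function names are all constructed for this example.

```python
import re
from collections import Counter, namedtuple

# Constructed sample capture in tcpdump's text style (not a capture from the lecture's
# virtual network). 10.0.0.9 is the host being monitored: it sends one legitimate echo
# request to 10.0.0.1 and gets the matching reply; every other echo reply answers a
# request 10.0.0.9 never sent, which is what reflection off other hosts looks like.
SAMPLE_CAPTURE = """\
12:00:00.000 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.050 IP 10.0.0.1 > 10.0.0.9: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000 IP 10.0.0.2 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 980
12:00:01.100 IP 10.0.0.4 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 980
12:00:01.200 IP 10.0.0.5 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 980
12:00:01.300 IP 10.0.0.6 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 980
12:00:01.500 IP 10.0.0.2 > 10.0.0.9: ICMP echo reply, id 1, seq 2, length 980
12:00:01.600 IP 10.0.0.4 > 10.0.0.9: ICMP echo reply, id 1, seq 2, length 980
12:00:02.000 IP 10.0.0.5 > 10.0.0.9: ICMP echo reply, id 1, seq 2, length 980
12:00:02.100 IP 10.0.0.6 > 10.0.0.9: ICMP echo reply, id 1, seq 2, length 980
"""

# Timestamp is kept to whole seconds so replies can be bucketed per second.
LINE_RE = re.compile(
    r"^(?P<second>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)$"
)

Echo = namedtuple("Echo", "second src dst kind id seq length")


def parse_capture(text: str) -> list:
    """Turn the capture text into Echo records; non-echo lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Echo(m["second"], m["src"], m["dst"], m["kind"],
                               int(m["id"]), int(m["seq"]), int(m["length"])))
    return events


def reply_rate_alerts(events, host: str, threshold_per_second: int) -> list:
    """The lecture's rule: echo replies arriving faster than some rate are suspicious.
    Counts replies addressed to host per wall-clock second and returns the
    (second, count) pairs above the threshold."""
    per_second = Counter(e.second for e in events
                         if e.kind == "reply" and e.dst == host)
    return sorted((sec, n) for sec, n in per_second.items()
                  if n > threshold_per_second)


def unsolicited_replies(events, host: str) -> list:
    """Reflection-specific check: a reply is only expected if host earlier sent the
    matching echo request to that peer with the same id and sequence number."""
    requested = {(e.dst, e.id, e.seq)
                 for e in events if e.kind == "request" and e.src == host}
    return [e for e in events
            if e.kind == "reply" and e.dst == host
            and (e.src, e.id, e.seq) not in requested]


if __name__ == "__main__":
    events = parse_capture(SAMPLE_CAPTURE)
    print("rate alerts:", reply_rate_alerts(events, "10.0.0.9", threshold_per_second=4))
    bad = unsolicited_replies(events, "10.0.0.9")
    print(f"{len(bad)} unsolicited replies from", sorted({e.src for e in bad}))
```

The rate check alone has exactly the weakness the lecture points out: a burst of replies looks the same whether it comes from an attack or from a legitimate monitoring tool that happens to ping many hosts, so the threshold has to be tuned to the host's normal behaviour. Matching replies against the host's own outgoing requests is specific to reflection, since a reflected reply answers a request the target never sent, but it only works where the monitor sees the host's outbound traffic as well as its inbound, and it presumes the reply carries the id and sequence number of the request, which echo replies do.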