In the topic on malicious software, we looked at some of the software that can be used to create problems in computer systems: viruses, worms. And sometimes we mentioned denial of service attacks. And we may have given a brief explanation, saying it is doing something such that our computer system is not available for the normal purposes. So if you remember back to the original topic, the first topic I think, in the first week we listed some services that we want to provide, like confidentiality, authentication, integrity, access control, non-repudiation. And the sixth service was availability. When we want to secure a computer system, if we make that computer system available to our users, a security attack would be to make that computer system unavailable. And such an attack denies the normal users' use of the service. So we call it a denial of service attack, or abbreviated DoS, a DoS attack. So what we're going to do in this topic is look at the basic concept of how denial of service attacks are performed, to understand how they operate so that we can have techniques to try and prevent them, or to minimize the chance that they can be successful, to minimize the disruption of our network or computer system. They can be quite complex attacks, so we're going to start from very simple attacks, which may no longer be used in practice today, but the same concepts are used in real denial of service attacks. And you hear about denial of service attacks in the news or in the media because they are performed a lot by attackers, and they're generally easy to perform. So it doesn't take much to start a denial of service attack. We'll see why that's the case. But there are some measures that we can use to try and minimize the chance that they'll be successful. So we'll talk about what they are and then we'll go through some classical denial of service attacks, some very basic ones, and we'll use Linux to demonstrate some.
I'll demonstrate some in the class, and then you'll do a homework, probably after the midterm, where you'll do your own denial of service attack. What do we mean by a DoS attack? An action that prevents or impairs the authorized use of networks. So we can't use the network systems, the computer system or applications. How does it do that? By exhausting resources. So the resources that we have available run out because of the attack. So some action takes place such that my resources, like CPU, my memory, the network bandwidth or the disk, run out. So I can no longer do the normal things on my computer or my network. So a DoS attack attacks resources. So sometimes we can classify based upon what types of resources they attack. What do they try to exhaust? It could be network resources. So if we're not looking at just a single computer but a network, then an attacker can try to overload our network. That may mean we have a link. Maybe we have a link that comes into our server, a web server or some other server that we want others to access. That link has some capacity. Maybe 100 megabits per second is the capacity of that link. If the attacker tries to send traffic onto that link that starts to approach that capacity, 100 megabits per second, then the normal data coming from the normal users may be delayed or may not be sent across that link. So one aspect of exhausting the network resources is overloading the links: sending so many packets such that the links cannot send all of them. And that often happens if the link from an organization, like your organization, your company, your university, that has a service on offer, the link from the organization to their local internet service provider, is often slower than the links inside the internet service provider. And we'll try and illustrate that with a diagram, but a bottleneck arises at the organization's link. For example, SIT is connected to an internet service provider to get our outside internet access.
Let's say that link coming from our ISP that we pay for into SIT is 100 megabits per second. That's the capacity of our link. But within the ISP's network, they probably have a much higher capacity because they need to support multiple users. So if you think of traffic coming into SIT, then the bottleneck link may often be that one coming into SIT, the 100 megabit per second link. So if that gets overloaded, that link, that is, it's sending all the traffic from an attacker, then the traffic of our normal users will not get sent through, or will be delayed significantly. And if there are many packets sent in and a link gets overloaded, what happens? Eventually packets start to get dropped. My capacity is 100 megabits per second, but someone is sending at 200 megabits per second. So where do the packets go? Well, and we'll show in a picture, they'll get to a router, and the router can only send out at 100 megabits per second. It's getting 200 coming in, so it must drop some. And it will drop packets. So packets from our normal users will not get to the server. So that's an example of exhausting network resources. Other denial of service attacks will look at either applications or the system. For example, try to crash the software that handles the forwarding of packets. So there have been attacks where, say, a router has software running on it that looks at the packet and then sends it on, and then looks at the next packet and sends it on. If that software doesn't work correctly, then the router may take a lot of time to look at a packet before it sends it on, slowing it down, slowing down all the traffic, and eventually getting packet drops. So some denial of service attacks will try to exhaust the resources of the system that is forwarding the traffic, usually using some bugs. So bugs in network protocols. Or to exhaust the application. So for example, a web server. A web server is not just a computer but is an application, a software application running on a computer.
So the Apache software is a web server. And if we can make that application slow down, then that can be considered a denial of service attack by consuming resources from that application. For example, getting the application to use a lot of RAM. Use up all the RAM on the computer such that nothing else can run on that computer. Or use up all the hard disk space. Many applications will have logs or have to have temporary use of the hard disk. If the hard disk is full, the applications may stop working. So denial of service attacks will try to either exhaust the network resources, exhaust the intermediate devices, the intermediate systems leading up to the application, and/or exhaust the application itself. And we'll see some examples of those attacks on different resources. So what we're going to do is go through two very basic denial of service attacks. The first one quite quickly, and then we'll go through the second one in a bit more depth. And I say classic denial of service attacks, that is, some of the original ones which were popularized. But in many networks today, they're no longer successful because there are measures to try to stop them. But they'll show the principles of denial of service attacks. And these attacks require some understanding of network protocols. And I know everyone here is an expert on network protocols. Remember your knowledge of TCP, maybe. TCP we know is a transport protocol. We know that many applications today use TCP as a transport protocol: web browsing, email. Most applications which are not multimedia applications, or maybe some gaming applications, will use TCP to send data because TCP provides reliability. And the way that TCP works is that before you send any data, you create a connection from client to server. So for the example of a web server, the web server is running on one computer, your web browser on another computer.
Before you can send a request for a web page, what happens is that your TCP software on your web browser computer tries to set up a connection to the server using TCP. And that connection setup normally involves an exchange of three messages. It's called a three-way handshake. We send a special message from the initiating computer in the picture. Computer A wants to initiate a connection to computer B. So computer A sends a special message saying, let's start a connection. B, when it gets that, if everything goes fine, will send back a response saying, okay, I acknowledge that, and here is some information about me. That's what B says. And then finally, A sends back a third message saying, thank you for that information. From then on, we can transfer data. This is called a three-way handshake. We have three messages involved. The specific names of those messages: we refer to the first one as a SYN message. It's used to synchronize sequence numbers. So when we transfer data, we use sequence numbers to keep track of that data. Which number do we start at? Well, those numbers are synchronized in these first messages. So we say this is a SYN segment, saying from A, I want to synchronize with you. Here's the value I choose. B says okay; it sends back an acknowledgement. And in addition, in that same segment, B says I want to synchronize with you. So we say that this second message contains both a synchronize message and an ACK message, so we simply call it a SYN-ACK. And the last one is A saying thank you, I acknowledge your initial values, the final ACK. So we'll often see SYN, SYN-ACK, ACK as a three-way connection setup. After that, data is transferred. And this happens with all clients that want to connect to a server. What happens when the client wants to connect to the server, in addition to exchanging these messages, the server in particular, when a client wants to set up a connection, the server will store some information about that connection.
The client says I want to start a connection with you. The server will store, when it gets that first message, it will store some information saying who the client is: the address, the IP address and port number. And maybe even allocate some memory for the upcoming data transfer, some buffer space. If it's going to use some flow control, then it's going to need some buffer space. So what B does when it receives this first SYN segment is say okay, we're about to transfer data with A, I'll send back an ACK and I'll allocate some memory inside the computer for this upcoming data transfer. And that memory allocation is what leads to a denial of service attack. What an attacker will try to do is to get the server to allocate memory for many connections and eventually consume all the memory of the server, and therefore the server will not be able to accept any future connections. Let's just see the TCP 3-way handshake and then try and illustrate that memory allocation. First, and I think you have this in your handouts, this is the TCP segment. If you go forward a few pages, I've included the TCP segment. We don't need to remember it, but we do note that the segment includes a source port identifying the application that sent the segment, and a destination port. For example, the source port would identify my web browser, the destination port would identify a web server, and the destination port for a web server is... everyone remembers the destination port of a web server? Web server? 80. Port 80, for example, for a web server. The sequence numbers: those who passed my data communications course and made it through to this semester remember that flow control and error control use sequence numbers to keep track of what's been sent and what we have received. So sequence numbers, and in addition acknowledgement numbers, are included in the header.
And a number of other fields; there's data, and the flags indicate the type of message, whether it's a normal message, an ACK, a SYN message or some other special purpose like a FIN message or a reset message. So that's the general structure of the TCP segment. What I've set up, and I'll show you in a moment, is a simple network using VirtualBox, which looks like this. We'll use this for some demos today. We have three computers, three nodes. And you've used the nodes, I think, for homework, the past homeworks and the current Linux permissions homework. So the VirtualBox nodes, I've already set them up on my computer. There are three inside the same LAN for a very simple example. And node 1 has IP address 192.168.1.11. Node 2 is .12 and node 3 is .13. So we can remember the IP addresses of nodes 1, 2 and 3: 11, 12 and 13. Let's just capture a TCP three-way handshake. And in my computer, node 1 is going to be red. You'll see in a moment. Node 2 is blue, I think. That's blue. And node 3 is green. So we can keep track of the different nodes. So we have three nodes, and we're going to run some experiments to see first how TCP connection setup works, and then later some other denial-of-service attacks. So these are my three terminals; I've already started and logged into those three nodes. We'll zoom in in a moment. So node 1, I've logged into it. It's running. It's a Linux computer. And similarly node 2 and node 3. They are there. In this one, we're only going to need two of the nodes just to show what's going on: node 1 and node 2. Node 2 is running a web server. Okay, it has a web server running. I hope. How do I see if a web server is running? Maybe we can try netstat. netstat shows me the connections I'm listening to, in this case with the -l option. It shows me something's listening on port 80. So we guess that that's a web server. There's a web server running on the blue node 2 which is waiting for people to connect to it.
So what I'm going to do is connect to it from node 1 and at the same time capture the packets so we can see the three-way handshake. So I'm going to use tcpdump to capture the packets on node 2. It's recording everything it receives. And then on node 1, what web browser am I going to use? I don't have Firefox. I don't have a graphical user interface. So Links, a text-based web browser. Node 2 is 12. I'm just going to visit the web page. And it works. Okay, that's the default web page and I can quit. This is the default for the web server. Quit, yes. And now I'll stop the capture. And we want to look at the packets just to see the connection setup. I could look at it on the screen but it's very hard to see. So instead we'll try and open it in Wireshark. Here are the captured packets. And let's just focus on the TCP packets and then see what happened. So what can we observe here? We can observe that these are packets sent between node 3 and node 2. Why node 3 and node 2? Because I've got... Let's check the IP addresses. I've got the wrong file. I copied this file to my computer just before the lecture and I've got the wrong one. But I think we can still see what I want to show you, at least. Here it's node 3 and node 2, whereas what I did was just between node 1 and node 2. So it's just the IP addresses that are different. But it's exactly the same trace. It's one I did before. What I wanted to show you... Here is an HTTP message sent by node 3 to node 2. And it's the web browser sending a message to the web server saying I want to get some web page, the forward slash. And then the response, the web page, comes back in this message. So this is the data that's been transferred, first from client to server and then from server back to client. The web request and then the web page coming back. This was done using HTTP, but the transport protocol was TCP, and the first three messages, these three, are the connection setup.
And there's a lot of detail there, but the thing you should recognize: the SYN, the SYN-ACK and the ACK. The client sends a SYN message to the server. That triggers the server to realize, ah, someone wants to connect to me. And this someone is the computer with IP address ending in 13 and a particular port number, 57401. So what the server does, assuming it's going to accept the connection because it's running a web server, yes: it allocates some memory, records those values and allocates some buffer space for the upcoming data transfer, and sends back an ACK, the SYN-ACK, saying thank you, let's continue, and then the final ACK. So that's the SYN-ACK taking place. When we get this SYN message, memory is allocated. Let's see on our three-way handshake. The memory is allocated. I don't want that one, this one. What a denial of service attack does is, as multiple such requests arrive, then the idea is that if many SYN packets arrive at the server within a small amount of time, memory is allocated for each one it receives, and if you have enough, then the memory will fill up on the server and there will be no more memory to be allocated for subsequent requests. So the idea is to overflow the resources on the target web server, and the way the attacker does that is to send many SYN packets to the server, not just one, not just one per second, but send thousands, millions per second of SYN packets to the web server. Every one that the web server receives, it must allocate a small amount of memory, but as that builds up then the memory of the server may fill up, and if the memory of the server is full then the next SYN packet that comes in cannot be processed because we cannot allocate more memory. Now, how does the attacker achieve this? Using different approaches.
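As an added example (not from the lecture or its capture), here is a small check a defender could run over lines in tcpdump's text format, like the capture shown above: it counts, per source address, the SYNs to port 80 that were never followed by the client's final ACK, which is the half-open state the memory is allocated for. The sample lines are constructed and simplified (timestamps and window fields omitted); the addresses reuse the lecture's 192.168.1.x nodes.

```python
import re
from collections import defaultdict

# Constructed, simplified tcpdump-style lines (not the lecture's capture):
# 192.168.1.13 completes a handshake with the web server on 192.168.1.12,
# while 192.168.1.11 sends SYNs that are never followed by the final ACK.
SAMPLE_TRACE = """\
IP 192.168.1.13.57401 > 192.168.1.12.80: Flags [S], seq 1000
IP 192.168.1.12.80 > 192.168.1.13.57401: Flags [S.], seq 5000, ack 1001
IP 192.168.1.13.57401 > 192.168.1.12.80: Flags [.], ack 5001
IP 192.168.1.11.40001 > 192.168.1.12.80: Flags [S], seq 1
IP 192.168.1.12.80 > 192.168.1.11.40001: Flags [S.], seq 7000, ack 2
IP 192.168.1.11.40002 > 192.168.1.12.80: Flags [S], seq 1
IP 192.168.1.12.80 > 192.168.1.11.40002: Flags [S.], seq 7001, ack 2
IP 192.168.1.11.40003 > 192.168.1.12.80: Flags [S], seq 1
"""

# "IP a.b.c.d.port > a.b.c.d.port: Flags [..]" -- the last dot separates the port
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def half_open_by_source(trace, server_port=80):
    """Return {source_ip: half_open_count} for connections to server_port.

    A connection is half-open when the client's SYN ([S]) was seen but no
    later segment from the same client address and port carried the ACK
    flag ('.'), i.e. the third message of the handshake never arrived.
    """
    syn_seen = set()
    completed = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a TCP line we understand
        if int(m["dport"]) != server_port:
            continue                      # only the client -> server direction
        conn = (m["src"], int(m["sport"]))
        flags = m["flags"]
        if flags == "S":
            syn_seen.add(conn)            # first handshake message
        elif "." in flags and conn in syn_seen:
            completed.add(conn)           # final ACK (or later data) arrived
    counts = defaultdict(int)
    for src, _ in syn_seen - completed:
        counts[src] += 1
    return dict(counts)


def suspicious_sources(trace, threshold=2, server_port=80):
    """Sources with at least `threshold` half-open connections to the server."""
    counts = half_open_by_source(trace, server_port)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_TRACE))   # {'192.168.1.11': 3}
    print(suspicious_sources(SAMPLE_TRACE))    # ['192.168.1.11']
```

Real tcpdump output prefixes each line with a timestamp and appends window and length fields; the regex above anchors on the `IP ... Flags [...]` part, so a caller would strip the timestamp first.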
First, for this to work, the attacker must send lots of SYN segments to the server, and that's possible. But to enhance that, and that's what this picture shows, what the attacker will try to do is to get other computers to send those SYN segments on their behalf. And we saw in the last topic, if we have some malicious software installed on other computers, computers already infected, here they're called slaves, the attacker has infected these other ones and it triggers the malicious software on those computers to send the SYN segments to the target web server. So it's not the attacker's computer that's sending the SYN segments; it's other computers on behalf of the attacker. Why? Maybe they've been infected with malicious software. So that's one way to increase the number of SYN packets that come to the web server. So you have many of these slave servers, or we referred to them as bots in the previous topic, sending packets. Then that increases the number of packets arriving at the target web server and makes it easier to overflow the memory at the target web server. Where does the SYN-ACK go to? So with the TCP 3-way handshake we saw, when we receive a SYN, the web server sends back an ACK. Where does that go to?
The SYN-ACK message goes back to the one who sent the SYN. Okay, so the target web server receives a SYN message: ah, someone wants to set up a connection. So it sends back a SYN-ACK saying okay, and allocates memory. The normal behaviour for TCP is we'll allocate some memory with the expectation we'll receive the ACK shortly, the third message. If we don't receive the ACK after some time, we'll deallocate that memory and no longer store it. But for a short period of time we will allocate that memory. Now, in terms of the attacker, they don't want to receive the SYN-ACK messages. There's no need to, because they're not going to respond with the third ACK. There's no need for that; it's just overloading with the SYN messages. So a common technique, again, that's used by the attacker, not just using many slave servers but setting a fake source address when they send that first SYN message. If the source address of the SYN message is fake, where does the SYN-ACK go to? It goes to that fake address, which is not the attacker's computer. And this will be a key technique which is used in other denial of service attacks: when the attacker sends a message to the server, the target, don't include your real IP address as a source, include a fake IP address. So when the server responds with this SYN-ACK message it doesn't come back to these slaves; it goes somewhere else. It's not of concern to us as the attacker in this case. So we'll see that using fake source addresses is a key part of many denial of service attacks, and we'll show that in a moment. So TCP, this is called the TCP SYN flooding attack. It's very simple. The attacker generates many SYN segments going to the server; it floods the server with SYN segments. For every SYN segment the server receives, it allocates a small amount of memory and sends back a SYN-ACK response. But if the source address was a fake address, that SYN-ACK response goes to someone else and there's never going to be a final ACK coming back. So what
happens at the target web server, or the target computer, is it becomes overloaded processing SYNs and storing connection information. For every one it receives it allocates a little bit of memory, and if it receives millions per second then it allocates a lot of memory, and therefore no more memory will be allowed for the subsequent SYN messages. How to stop this? It's not easy. In some cases there are some techniques which require really an upgrade of the TCP software so that they can handle that, and the upgrade is sometimes implemented as SYN cookies. So there's an extra check to make sure that this is really a true connection request from a client. Another way is to filter packets: if we receive millions of SYN packets from a particular source then don't let them in. But we'll see that there are problems with filtering packets. So TCP SYN flooding was one of the earlier, one of the main, denial of service attacks in the early days. It's not so common today because of the filtering, because of some of the countermeasures like SYN cookies which are used; there are limits on the number of SYN messages received. So this is an example of overloading the application. It's not overloading the network; there are only small packets, it doesn't use many resources. It's overloading the application on the target computer there, using up the RAM usually, or the CPU. Let's look at a similar type of attack, but it's overloading a different resource, and it's called a ping flooding attack. Flooding means to fill something up, in this case for a network, to send many packets. We'll go through and look at a similar type of attack called ping flooding. Before we go through, another reminder: the IP address format, the IP header format, sorry. So this at the bottom is the TCP header format, and also as reference this is the IP header structure. What are the two most important fields in the IP header?
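An added illustration, not from the lecture, of why SYN cookies remove the memory-allocation problem described above: the first listener stores an entry per SYN until the ACK arrives or a timeout expires, exactly the behaviour the lecture describes; the second stores nothing and instead encodes a keyed hash of the connection's addresses and a time slot in its initial sequence number, which the client's final ACK must echo. The cookie layout, the secret, the backlog size and the burst scenario are simplified, constructed choices, not the Linux implementation.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"     # a real server uses a random secret
SERVER = ("192.168.1.12", 80)           # the lecture's node 2 web server


def syn_cookie(src, sport, dst, dport, t_slot):
    """Simplified SYN cookie: 8-bit time slot in the top byte, then a 24-bit
    keyed hash of the 4-tuple and the slot. The server stores nothing."""
    msg = f"{src}:{sport}:{dst}:{dport}:{t_slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((t_slot & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


def check_cookie(src, sport, dst, dport, ack_number, now_slot, max_age=2):
    """The final ACK must carry cookie + 1, and the cookie must be recent."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t_slot = cookie >> 24
    if (now_slot - t_slot) & 0xFF > max_age:
        return False                            # stale or forged slot
    expected = syn_cookie(src, sport, dst, dport, t_slot)
    return hmac.compare_digest(expected.to_bytes(4, "big"),
                               cookie.to_bytes(4, "big"))


class StatefulListener:
    """Allocates an entry per SYN, freed by the final ACK or by a timeout."""

    def __init__(self, backlog=4, timeout=30.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}                # (src, sport) -> (isn, received_at)
        self.established = set()
        self.dropped = 0

    def on_syn(self, src, sport, now):
        # deallocate entries whose ACK never came within the timeout
        self.half_open = {k: v for k, v in self.half_open.items()
                          if now - v[1] < self.timeout}
        if len(self.half_open) >= self.backlog:
            self.dropped += 1              # table full: this SYN is discarded
            return None
        isn = 5000 + len(self.half_open)   # simplified initial sequence number
        self.half_open[(src, sport)] = (isn, now)
        return isn

    def on_ack(self, src, sport, ack, now):
        entry = self.half_open.get((src, sport))
        if entry and ack == entry[0] + 1:
            del self.half_open[(src, sport)]
            self.established.add((src, sport))
            return True
        return False


class CookieListener:
    """Same interface, but keeps no state until the ACK validates."""

    def __init__(self):
        self.established = set()
        self.dropped = 0                   # never increments: nothing to fill

    def on_syn(self, src, sport, now):
        return syn_cookie(src, sport, *SERVER, int(now) // 8)   # 8 s slots

    def on_ack(self, src, sport, ack, now):
        if check_cookie(src, sport, *SERVER, ack, int(now) // 8):
            self.established.add((src, sport))
            return True
        return False


def run_scenario(listener):
    """Constructed burst: 10 SYNs from addresses that never answer the
    SYN-ACK, then one real client (the lecture's node 3) completing its
    handshake one second later. Returns (client_connected, syns_dropped)."""
    for i in range(10):
        listener.on_syn(f"10.0.0.{i + 1}", 40000 + i, now=0.0)
    isn = listener.on_syn("192.168.1.13", 57401, now=1.0)
    ok = isn is not None and listener.on_ack("192.168.1.13", 57401,
                                             isn + 1, now=1.0)
    return ok, listener.dropped


if __name__ == "__main__":
    print("stateful:", run_scenario(StatefulListener()))   # (False, 7)
    print("cookies: ", run_scenario(CookieListener()))     # (True, 0)
```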
What would you say if that was an exam question, or if we have a quiz next Tuesday? The two most important fields in the IP header, from our course perspective or from what you know: source and destination are two things that we always come across. Who's sending it, who's receiving it. There are many fields here, but from our perspective we often care about who's the source and who's the destination. There are some other things about the length and the type, but that's important from a security perspective. First, it identifies computers. The source address is, in theory, the address of the original sending computer, and the destination is the final destination. So when I send a packet from my laptop to the Facebook web server, the source address of that packet would be that; that identifies my computer. And the destination address inside that IP header would be that; that identifies the Facebook web server. So IP addresses act as some identifier of the computers, and that is some security issue in terms of privacy: if someone can observe this header they can see who's communicating. Now there are some special cases, or some other issues that arise, that make it not so easy to identify individual computers. Generally we assume that computers can be identified by the IP address. From an attacker's perspective that's bad, because one of the ways to stop attackers is to identify who they are and maybe send the police around to them and tell them to stop, but to take actions outside of the computer system. So what an attacker would like to do is to hide its IP address, and one way, quite simply, is to send a fake IP address: when you send packets, set a fake source address. So we'll show how to send fake source addresses as part of attacks, but setting a fake source address also has other benefits. So let's go through a ping flooding attack. Before we explain this network setup, let's demonstrate ping. We'll zoom in in a moment. What does ping do?
Ping, very simply, as an application: when I run the application it triggers my computer to send a special message to the destination, in this case from my computer, node 1, to 192.168.1.12. In this case send, repeat five times, and the protocol being used, it's not TCP or UDP, it's a special one called ICMP, the Internet Control Message Protocol. And the way that it works is my computer sends a ping request to the server, to the destination, not the server, the destination computer. When it receives the request, in the normal case it sends back a reply, and when I get a reply my ping software prints a line on the screen saying some information about that reply: it took 2.85 milliseconds to get there and back. And then in this case it does it again; it repeats five times. The ping involves sending a request to the destination and getting a response back. Sometimes we say an echo request and an echo reply. How big are those messages? Approximately how big are the packets being sent across the network in this case? Megabytes, gigabytes? Approximately, how many bytes? Can anyone see the number up there? 64 bytes, alright. There may be some header and some other overheads; we're talking about 100 bytes or so, because it says here there was a reply that we got, 64 bytes from computer 12, when I pinged from computer 11, the red one, to computer 12. 64 bytes come back, but we know that there may be some overhead due to headers like the IP header, maybe another 20 bytes, the ethernet header and so on. So we're talking about messages in the order of 100 bytes. Not very big, quite small. Can we make them bigger? How do we make them bigger?
We can make them bigger, as big as we like, although there may be some limits. We can set the size, so we've got bigger packets. So ping is very simple, and ping is supported by most computers; they'll respond to ping. Now let's see how ping can be used in a denial of service attack. Here's our example network structure. We say there's the attacker, maybe the attacker's computer. They have their local network, maybe a LAN, and this is a router; say the attacker owns a router at home or in their business. And the attacker gets access to the internet via an internet service provider. Tell me three internet service providers you know of. Anyone? Who's an ISP in Thailand? True, AIS, DTAC. You're talking about mobile phone providers; yes, they are internet providers also. But yeah, there are a number of ISPs. If you look on maps of the internet there are tens or even 100 plus companies that provide internet service inside Thailand. So what we do as an end user, we pay the ISP for access, and we can think of the network structure as that, for my... if I'm the attacker, my router has a connection going into the ISP's network. There's a cable coming into my home from the ISP's network, or into my business. And the internet service provider has some router; then they connect to a larger ISP, maybe a small one connects to a larger one, and they connect out to other ISPs in other countries, and that's what the internet is made up of. Now think of the target, maybe some organization, and the target maybe a server in that organization, maybe a web server. The attacker wants to make it so that others cannot access this web server. So we can think of the target computer and the similar structure: the target has a network, their own router, and they connect to the internet via their ISP, the internet service provider of the target, and they connect out. Now let's assume that, in terms of the links between the attacker and the target, let's assume the slowest link across that path is this one leading into the target's network. Let's
say that's what we call the bottleneck link, the slowest one. Maybe internal for the target's network we've got a fast LAN, very fast there, but when they pay for a connection to their ISP, that's the most expensive part and therefore that's the slowest part of the network. Across the different ISP networks, usually they have very high speed links. So across True's network, across TOT's network, inside their network they have very high speed links, but going to the end customer, the slower links. So let's assume that's the bottleneck link, and that the attacker, they also connect to an ISP, but it's faster than the target's. That may not be so realistic, but we'll come back to that in a moment. So this is the bottleneck link. So what the attacker tries to do is to send enough packets to the target such that this bottleneck link is overloaded. It has some capacity. If we send enough packets in such that we start to reach that capacity, then the link is carrying packets from the attacker and it cannot carry the packets from the normal users, and normal users out on the internet that are trying to access the target web server cannot access it; they're denied service. That's the idea here. How that is achieved is by the attacker sending enough packets such that the input to this router approaches the capacity of the link. If we want to put some numbers to that, let's say, just for this initial case, that this link supports say 100 megabits per second. I will not write the units, but in terms of capacity everything is in megabits per second. Maybe this one supports 2 megabits per second, this one's 100, this one's 10, and every link inside here is much faster than the others. So by the bottleneck, this is the smallest in the path. So for a denial of service attack on the network resources, in this case what we need is that the attacker sends packets at a rate such that coming in here exceeds 2 megabits per second. That's the idea, or the aim here, or gets close to in most cases. That is, the attacker wants to send enough
packets such that coming into this router is greater than 2 megabits per second, because the output is only 2 megabits per second. And what happens then is that as packets come in, only two can come out and the others are dropped. So if there's 3 megabits per second coming in and only two going out, then 1 megabit per second is going to be dropped, and that will include packets from the normal users, those that want to access the web server. So the normal users are out on the internet and they're trying to access the target web server as well. Say it's a website; they try to visit the website. When they send their packet to connect to that website, the packet gets to this router and there's a high chance it will be dropped, or at least delayed a long time, because this router is handling the many megabits per second coming in from the attacker. So that's the idea: that the normal users will have their packets dropped; they won't be able to connect to the target server. So this is an attack on the network resources, in particular on this link. The question is, how do we generate so much traffic? What's your idea? How do we generate, as the attacker, so much traffic so that we overload this link? Multiple ways, maybe multiple different sources. What application, what software could you use to attack? You get all your friends to open their web browser and type in the URL and click on the link and press refresh many times. Okay, you've got 100 friends and you tell them, let's all at 6pm today refresh on this website, so it sends many packets. Well, the dimensions of these links are not in the order of 2 megabits per second; they're usually much, much larger, such that manually it's very hard to overload like that. Okay, you need maybe hundreds of thousands of people to be doing that. So it's very hard to manually do that. What we need is some automatic way to do that. I think it wasn't last year, this year, or yes, there was talk, late last year there was talk of people doing that to try to bring down
websites generally it's not a very effective denial of service attack because it requires many people right it's very hard right it depends upon the capacity here but for let's say very popular websites they'll have a lot of capacity here it wouldn't be 2 megabits per second it may be hundreds of megabits per second gigabits per second and in fact the website may be distributed across many different servers so you need a large amount of traffic to slow it down and for that you need to automate the sending of packets and the simple approach we'll look at is using PING because with PING the nice thing about PING is that most computers respond to PING PING or let it through with PING we can set the sending rate we can change the interval so with PING we can both set the size of the message and set the rate at which the source will send so here's 2 times per second can we set the rate lower 10 times per second it says no but if we have administrator rights and we do as the attacker it's our computer we can now send 10 times per second and in fact in general we can send as fast as our computer will handle so what the attacker will try to do is send these PING messages as fast as possible such that all of those add up and overload the bottleneck link into the target's network so that's the concept of the simple PING flooding attack the target bottleneck link receives many of these echo request packets from the attacker such that the link is overflowed the ones that do get through the target receives the echo request PING you send back an echo reply you send back the response so all the replies come back to the attacker so that's the simple attack you're the attacker what's wrong what do you not like about this when you do this attack he knows everything I'm looking for someone I'll ask him in a moment he doesn't have to sit the exam you do he's just here for fun yeah Mark's here for fun anyone else what's wrong from the attacker's perspective alright we can't wait too 
long Mark what's wrong the target knows the IP address of the attacker okay here's one problem here I am the attacker I'm sending the message to the target inside the IP header is the source IP address so the target yes it's being attacked but it knows who's doing it and now they call up the police and send them around to my or they call up my internet service provider more likely and say you've got a customer that's doing a denial of service attack on me please stop them okay so there's the first problem here because the IP header and IP is the protocol being used to carry ICMP the IP header contains the source and destination address the target knows the source which is the attacker so the attacker is identified so that's a bad thing from the attacker's perspective yeah what if the attacker uses some VPN to change the IP address so a VPN would involve and we'll cover it in another topic in detail but basically the attacker sends to or gets another computer sent on their behalf alright then what does the target identify identifies the VPN server okay now can it then trace it back to you it depends on whether you're paying for that VPN account the target comes to your VPN provider and says at this point in time someone was doing a denial of service attack the VPN provider looks up their logs and say ah that's this customer I'll stop them from using my service okay so it's not hard to trace back if they take the right means but we'll see that it can be hidden to some extent so that's one problem the IP address identifies the target identifies the attacker to the target what's another problem from the attacker even if we didn't worry about being identified I'm getting all the responses back that's a bit of a problem my network slows down too alright let's say I need to send at 100 megabits per second and I'm getting all the responses back at 100 megabits per second so that can be inconvenient for the attacker so the idea flood the server the attacker uses ping to 
send many ICMP requests to the target server it overloads the link to the to the router of the target network and that starts to drop the valid packets the packets of the normal users trying to access that website how do we stop that what are the countermeasures we have available we could get the internet service providers to block ping packets don't let them to be sent through our network well that's a possibility and some organisations may do that but that's a bit of a problem because ping packets have a legitimate usage they use for testing connectivity for measuring delay so if everyone blocks them and don't let them be sent then we lose some functionality and not many ISPs will block ping packets some do and you may find the SIT blocks ping packets going out so that's one way but has a drawback that now our normal application is no longer supported the other thing like we saw identify who started the attack identify the source based upon the IP address and take some action contact their ISP you can identify them from the IP address and say this person is doing an attack on me stop them or we'll take you to court or you take the customer to court or take legal action so that's another response and the other problem is that the attackers network is overflowed with all the responses so that's something we'd like to get around from the attackers perspective we'll see that in a moment so what we want to do from the attackers perspective the other problem the other problem is this this assumption the attacker has access to a high capacity link let's say I want to attack a website and I know I found out that website has a 1 gigabit per second link coming into it therefore I need to pay for a link at least 1 gigabit per second how much is 1 gigabit per second link into your home you probably can't buy one in many places so we assume that the attacker has access to a high capacity link so there's maybe a high cost involved from the attackers perspective to do that 
because the web server is usually run by an organisation and they have a lot of resources the attacker may not have so many so how can we get around that from the attackers perspective and the approach is to use multiple computers to do the attack so we'll go through the different things that the attacker can do to try and improve the success rate for the attack the first thing I don't want to be identified I don't want the target to know who did it use a fake source address it's called source address spoofing we have a fake or a spoofed source address and it's quite easy to do so this just repeats the IP packet header we assume that every packet sent the source addresses of the sending computer the destination is the target therefore the target can identify the attacker that's the problem but it doesn't have to be the target's the attacker's address in the header the attacker can change this address because it's their computer that creates this packet they can set it to anything that they like that's how they set a fake source address as a result the target won't know who performed the attack at least without some further investigation the other benefit from the attacker the responses are not sent back to the attacker the responses are sent to the fake address let's see we'll show you how to set a fake source address in which place when we use a ping just ping and see what happens when we ping computer 12 we can quickly see what happened here when I ping computer 12 the ping packet we call an ICMP echo request zoom in here we sent from computer 11 to computer 12 an ICMP echo request computer 12 with the next line sends back a reply so this is just ping working 12 sends back a reply to computer 11 and then in this case I did it two times I had a count of two so that's ping working let's try with a fake address the red node I want to set as my attacker and I'll first set a fake address and there are different ways to set a fake source address in Linux one simple way 
is to use the firewall software called IP Tables you don't need to remember this command at the moment we're going to do a process called network address translation I'm going to translate my real address into a fake address do some translation what I'm going to do is after I send the packet or after I create it to change the address so I'll add a rule a rule that will change the address using ICMP whenever we use ICMP use a fake address and we're not trying to explain all of it do some what we call source network address translation as the attacker I want to change my source address from my real one to a fake one I'm going to translate my source address and I want to translate it to I choose a fake address there's a mistake there so this is the command I'm going to use and I'm on node one the attackers computer and the idea is when I run this command every ping packet I send the source address will not be my computer address of dot 11 but it will be dot 66 we will capture on computer 2 we'll zoom in in a moment now I'm going to ping computer 2 do I get a reply no so what's happening is when I run ping here and I can stop it because nothing or it stops by itself when I run ping my computer will see in the trace sends out an echo request but the source address is dot 66 the packet gets to computer 12 how do I know that it'll be hard for you to see but it's this line says computer with IP address 12 did receive an ICMP echo request it received the request and that request came from computer 66 so 12 received the request from computer 66 and with ping what do you do when you receive a request you send back a reply who do you send the reply to 66 so what my computer does sorry this is node 2 does it wants to send to 66 but on a LAN the hardware address of computer 66 and the way to do that you use a protocol called ARP address resolution protocol saying who has the IP address 192.168.1.66 if you do tell me and it's sending out a message to everyone who is number 66 and 
it's not going to get a reply because there is no 66 in the network it gets no reply and hence the echo reply back to anyone because it doesn't know who 66 is so what's happened here when I set a fake source address to be someone who doesn't exist the target still received the packets but didn't send a reply back to me as the attacker and that's a good thing from the attacker's perspective the target still got the echo requests but they didn't send back the replies so the attacker doesn't get the replies which is good and who did the attack from the target's perspective computer 66 not the real attacker what if we change the source to the destination then I think the destination would identify that as an error if I receive a message and I was and the source is the same then it would detect that that's something not to respond to we will not try it we'll try another one in a moment but there is another way to handle that so here's a fake source address very easy to implement you can do it on any computer what fake source address should we use here I used it just to I chose the random one 66 another thing we'll see later if I choose someone else's address as the fake one what if I choose computer 3 as the source so in this case what's happened what happened in that very very simple case was my source my attacker send a packet the echo request is sent to computer I've gone the wrong direction it's sent to computer 2 in my case but the source address was set to the special 66 or the 66 address the fake address the destination was 12 in the IP header this one receives the echo request and then it tries to find someone to reply to it couldn't find anyone using ARP another case we could do is set the source address to be computer 3's IP address if it was source address of computer 13 then it would reply to that computer and we'll see that's another feature that can be used in a denial of service attack it's called reflection we can bounce the message across another 
computer so what we could do from the attacker's perspective let's say we want to attack computer 2 we could send to computer 3 first and then get them to send to computer 2 source equals 12 destination equals 13 computer 3 receives it where does it send the reply to the source of 12 so that's the next way that we'll use the fake source address get another computer to send to the target on our behalf so in this case I still want to attack computer 2 but I send the message to computer 3 first and set the fake source address to be that of computer 2 so when computer 3 replies it goes to computer 2 so that's the use of the fake source address not just hiding who the source is but also getting another computer involved to do the attacking so let's see that on our attack the idea is that our attacker now, whenever it sends a ping packet it sets a fake source address and it changes that source address on a regular basis so what happens we send the ping packets to the target the target gets them and replies to some fake or some other the benefit the attacker doesn't get the response messages another benefit the target can't identify the attacker they see it as someone else so that's the use of the source address fake source addresses and the other approach is called reflection which is you set the destination to be one of the other computers and the source address to a fake address which is that of the target so the approach is I want to send to the target but what I do is I send the ping messages to these other selected maybe randomly selected computers ping them but with a fake source address where the source address is that of the target so this computer receives an echo request source is the target therefore I should send the reply to the target all the other computers receive echo requests and they all have as the source address in those requests the target IP address so they all send to the target so we bounce the messages off the normal computers and this can have 
the benefit because now the target is not receiving messages from all of the one address it's receiving from many others and it can be used to bypass some filtering techniques that some organizations will use so the source address is a very powerful technique to support denial of service attacks we can reflect the attack but the details I think we'll return to in the next lecture we'll go through and look at how can we what are the counter measures for using fake source addresses and then how can we expand upon this attack to greatly increase the number of packets being sent so we'll talk about the capacity and how to overload the server so we'll do that next Tuesday and then I think Wednesday we'll summarize and prepare for the exam
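As an added defender's example (not part of the lecture), the following checks run over constructed packet summaries and flag the three things the lecture describes from the target's side: one source sending echo requests faster than a normal ping, a request whose source claims to be on our LAN but belongs to no host we know of (like the .66 address nobody answered ARP for), and echo replies arriving at a reflection target that never sent the matching requests. The packet records, the 192.168.1.0/24 network and the known-host list are all constructed.

```python
"""Added example, not the lecturer's code: defender-side checks for the ping
flood, spoofed-source and reflection cases. All data below is constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed packet summaries: (time_s, src, dst, kind); kind "req" = ICMP
# echo request, "rep" = echo reply. Target is .12; .66 is owned by no host.
PACKETS = [
    (0.0, "192.168.1.11", "192.168.1.12", "req"),  # ordinary ping from .11
    (0.0, "192.168.1.12", "192.168.1.11", "rep"),
    (1.0, "192.168.1.66", "192.168.1.12", "req"),  # three requests within
    (1.1, "192.168.1.66", "192.168.1.12", "req"),  # one second from a
    (1.2, "192.168.1.66", "192.168.1.12", "req"),  # spoofed source
    (2.0, "192.168.1.12", "192.168.1.11", "req"),  # .12 pings .11 itself,
    (2.0, "192.168.1.11", "192.168.1.12", "rep"),  # so this reply is wanted
    (3.0, "192.168.1.13", "192.168.1.12", "rep"),  # replies .12 never asked
    (3.0, "192.168.1.14", "192.168.1.12", "rep"),  # for: reflection symptom
]
LOCAL_NET = ip_network("192.168.1.0/24")
KNOWN_HOSTS = {"192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"}

def flood_sources(packets, dst, max_per_second=2):
    """Sources sending more echo requests to dst per one-second window than
    max_per_second; a plain ping defaults to one request per second."""
    per_window = Counter()
    for t, src, d, kind in packets:
        if d == dst and kind == "req":
            per_window[(src, int(t))] += 1
    return sorted({src for (src, _), n in per_window.items() if n > max_per_second})

def unknown_local_sources(packets, local_net, known_hosts):
    """Requests whose source claims to be on our LAN but matches no known host."""
    return sorted({src for _, src, _, kind in packets
                   if kind == "req" and ip_address(src) in local_net
                   and src not in known_hosts})

def unsolicited_replies(packets, host):
    """Echo replies delivered to host from peers it never sent a request to."""
    asked = {d for _, s, d, kind in packets if s == host and kind == "req"}
    return sorted({s for _, s, d, kind in packets
                   if d == host and kind == "rep" and s not in asked})

if __name__ == "__main__":
    print("flood sources:", flood_sources(PACKETS, "192.168.1.12"))
    print("unknown local sources:", unknown_local_sources(PACKETS, LOCAL_NET, KNOWN_HOSTS))
    print("unsolicited replies:", unsolicited_replies(PACKETS, "192.168.1.12"))
```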