第4章阻断服务攻击.ppt

* Computers have physical limitations Number of simultaneous users Size of files Speed of data transmission Amount of data stored Exceed any of these operational limits and the computer will cease to respond appropriately Only so many cars can go on the highway. If more are allowed, then the safety, speed, and other qualities of highway traffic suffer. * These are all free tools available on the Internet. * The next slide shows Stacheldracht on the Symantec site. * This slide shows Stacheldracht on the Symantec site. * Hacker must successfully spoof the source IP. The flood must be sustained In a DDoS, as soon as victims’ machines are disinfected, attack stops In a single attack, hacker’s own machine is at risk of discovery * TCP SYN Flood Attack Hacker sends out a SYN packet, which wants to open a connection By law (IETF RFC 793), the receiver must respond within a certain period of time with a SYN ACK, holding space in its buffer for the final ACK The hacker never sends the final ACK, but sends more illegitimate SYNs While the receiving system keeps resources open for the ACKs, the bogus SYNs overflow the buffer or overwrite legitimate SYNs already in the buffer You might draw the 3–way handshake on the board. TCP is a huge topic. * * SYN Cookies This saves the buffer overflow attack. At first, upon receipt of a SYN, no buffer is created. Receiver sends SynAck containing hashed information in the header. It then receives Ack and checks for confirmation of hash in header. Only then is the buffer created, avoiding allocating resources for false Syns. However, this is very resource intensive. * RST Cookies Sends a false SYNACK back. Should receive an RST back if original SYN was legitimate. Can now accept connections from that host because it is legitimate. Easier to implement, but not compatible with Windows 95. Still not the easiest method to use. * Check the information in the FYI on page 92. * Smurf IP Attack Hacker sends out an ICMP broadcast with a spoofe