WEBVTT

00:00.760 --> 00:08.320
The big challenge to attacks is that once we discover an attack it's usually repaired or prevented or

00:08.320 --> 00:10.930
mitigated in some fashion fairly quickly.

00:11.050 --> 00:16.810
But there is one big exception to that, probably the biggest attack problem we have today, and that is

00:16.870 --> 00:23.910
a denial of service attack. A denial of service attack is designed to do one thing: to deny service.

00:23.920 --> 00:28.630
Imagine that you've got some type of server out there. It could be a web server, an e-mail server, a DNS server,

00:28.660 --> 00:30.510
I don't care what it is.

00:30.520 --> 00:36.340
The whole idea behind a denial of service attack is that you have so many people coming in to talk to

00:36.340 --> 00:39.490
that server that it can't take care of anybody else.

00:39.490 --> 00:43.690
So imagine you've got a little store and you've got a whole bunch of people trying to push in the front

00:43.690 --> 00:44.390
door.

00:44.410 --> 00:46.660
That is a denial of service attack.

00:46.660 --> 00:49.760
Now there are lots and lots of denial of service attacks out there.

00:49.760 --> 00:52.340
They've been around for close to 20 years.

00:52.420 --> 00:55.450
But I like to break them down into three big groups.

00:55.450 --> 00:59.360
The first one I'm going to call a volume attack. In a volume attack,

00:59.500 --> 01:03.190
we're not really doing anything evil in terms of how we're talking to the server.

01:03.280 --> 01:07.120
We're just doing a lot of talking so the server can't help anybody else.

01:07.120 --> 01:12.430
The next type of denial of service attack is a protocol attack. A protocol attack does something with

01:12.430 --> 01:14.080
the underlying protocol.

01:14.170 --> 01:21.970
the Web HTTP protocol, or a DNS protocol if you're talking to a DNS server, that does something not normally

01:21.970 --> 01:28.620
accepted by the protocol that causes the server to do weird things and keeps it from answering quickly.

01:28.630 --> 01:34.570
The third type is what we call an application attack. An application attack works within the application

01:34.570 --> 01:40.390
conversation itself, doing naughty things that keep the application that server is running from

01:40.390 --> 01:42.740
being able to respond in a timely fashion.

01:42.910 --> 01:47.520
So let's go and start off with the granddaddy of them all, the good old volumetric attack.

01:47.530 --> 01:48.880
So here's my little network.

01:48.880 --> 01:53.350
I've got one server on this network and other computers doing something now.

01:53.380 --> 01:57.340
One example of a volumetric attack would be a ping flood.

01:57.520 --> 02:02.530
In essence, one or more machines start sending pings to the server.

02:02.530 --> 02:06.720
Now the trick is they just keep sending pings and they don't wait for a response.

02:06.760 --> 02:08.590
And that could overwhelm the server.

02:08.980 --> 02:15.550
Another example could be a UDP flood. In this case the attacking machine is sending out all kinds of

02:15.550 --> 02:19.590
strange UDP requests to all kinds of different ports on the server.

02:19.720 --> 02:25.510
So the server has to deal with all of these incoming requests and it has to respond back and that could

02:25.510 --> 02:26.930
overwhelm the machine.

02:27.250 --> 02:32.520
Now the volumetric attacks I just showed you are pretty much easily negated today.

02:32.590 --> 02:37.650
For one thing we're not going to let people from the outside try to fake these types of attacks.

02:37.660 --> 02:41.610
Routers are by definition designed to stop that type of stuff.

02:41.620 --> 02:47.350
However, we can still see, as we get a little bit more into this episode, where we can still do volumetric

02:47.350 --> 02:50.500
attacks although we make them a little bit smarter than this.

02:50.500 --> 02:50.760
OK.

02:50.770 --> 02:52.320
So that's a volumetric attack.

02:52.360 --> 02:58.590
Remember, a volumetric attack doesn't really do anything wrong, it just does a lot of it.

02:58.600 --> 03:02.360
We're going to change that now with what's known as a protocol attack.

03:02.590 --> 03:07.090
So here we have our little server doing its server thing. It could be a web server, a DNS server, again I

03:07.090 --> 03:07.950
don't care.

03:08.170 --> 03:13.690
Now, a protocol attack is going to do naughty things to the protocol to create confusion.

03:13.810 --> 03:19.980
So in this particular example we're going to create what's known as a SYN flood, or a TCP SYN attack.

03:19.990 --> 03:26.230
Now in this particular case, what we're talking about with a TCP/IP conversation is that the client

03:26.230 --> 03:31.630
will send a SYN and then the server sends back a SYN.

03:31.660 --> 03:34.650
And this initiates a conversation within TCP/IP.

03:34.660 --> 03:39.920
However, what we're going to do in this case is we're going to have the client send out a SYN after

03:39.920 --> 03:40.840
SYN after SYN.

03:40.840 --> 03:42.630
Keep trying to make all these connections.

03:42.790 --> 03:47.920
Each one of these creates an extra connection to the server itself, and the client never responds, no

03:47.920 --> 03:51.190
matter how many SYN-ACKs are sent back in response.

03:51.190 --> 03:56.860
This can clog the system up beautifully. Protocol attacks are still a huge problem out there when it

03:56.860 --> 04:03.280
comes to denial of service and they are arguably the most common form of denial of service attack out

04:03.280 --> 04:03.770
there.

04:03.970 --> 04:10.420
But there is another thing we can do. What we can also do is take advantage of problems within applications

04:10.420 --> 04:11.410
themselves.

04:11.500 --> 04:14.820
And let's go ahead and do an example of an application attack.

04:15.060 --> 04:15.980
OK.

04:16.360 --> 04:22.300
In this situation I've got an old copy of the very, very popular Apache web server, and we're going to

04:22.300 --> 04:26.370
take advantage of something within the application to do something naughty.

04:26.470 --> 04:30.050
And in this case we're going to do what's known as a Slowloris attack.

04:30.370 --> 04:35.320
The Slowloris is named that because the loris is a slow animal and it just does things really slowly.

04:35.320 --> 04:40.750
So what it's going to do is the client is going to initiate a conversation with the Apache web server

04:40.960 --> 04:42.420
and it'll get the conversation going.

04:42.430 --> 04:48.820
But then it just stops talking, and the poor Apache web server is sitting there waiting for a response.

04:48.880 --> 04:55.240
In the meantime the attacker is sending out more conversations and just not talking back.

04:55.350 --> 05:02.530
And as a result of that the poor Apache server simply gets overwhelmed waiting for these clients to

05:02.530 --> 05:04.390
talk, which they never do.

05:04.390 --> 05:10.690
Now this is fairly easy to fix, and later versions of Apache simply lowered their timeout value, and

05:10.690 --> 05:14.070
Slowloris is not nearly as big of a problem as it used to be.

05:14.910 --> 05:19.530
Now you can get a lot more detail than simply the big three I've broken down.

05:19.530 --> 05:24.150
For example one great thing we can do is what's known as amplification.

05:24.150 --> 05:26.030
Let me show you that in action.

05:26.040 --> 05:28.710
So here's my little web server again.

05:28.770 --> 05:34.530
Now in this case what we're going to do is what we call a smurf attack. A smurf attack is a great example

05:34.530 --> 05:41.790
of an amplification attack because it simply does this: we send an ICMP packet into the network.

05:41.790 --> 05:51.000
Now what we do is the attacker spoofs the Web site's IP address, so it sends out a broadcast into

05:51.000 --> 05:55.020
the network and then everybody in the network starts responding back.

05:55.110 --> 05:57.780
Except they're responding back to the target.

05:57.870 --> 06:03.450
And that would be a great example where one packet being sent into a network can generate lots and lots

06:03.570 --> 06:05.930
of packets and that's amplification.

06:06.600 --> 06:13.100
Now of all the examples of denial of service I've shown you so far we basically only have one attacker.

06:13.170 --> 06:15.300
Now think about this for a minute.

06:15.330 --> 06:22.080
How hard would it be if we got a bunch of computers to work together to all attack one client?

06:22.080 --> 06:24.390
And that's really the big problem today.

06:24.390 --> 06:27.300
Distributed Denial of Service attacks.

06:27.300 --> 06:29.690
Let's take a look at DDoS.

06:29.790 --> 06:32.440
So here's that poor little server one more time.

06:32.490 --> 06:38.700
Now this time what we're going to do is we're going to attack that server but not with just one individual

06:38.700 --> 06:40.140
computer someplace.

06:40.140 --> 06:45.300
What we can do is add a bunch of computers to it and each one of these will start attacking.

06:45.300 --> 06:47.310
Now the problem here is, how do you do this?

06:47.310 --> 06:53.720
Well you could call your buddies up and you could all basically say go and start attacking simultaneously.

06:53.850 --> 06:59.280
But usually what we will do instead is we will create a form of malware that generates what we call

06:59.340 --> 07:00.440
a botnet.

07:00.600 --> 07:06.540
Now in this situation all of these computers over here on the left have some form of malware on them

07:06.750 --> 07:10.330
and they're controlled by a single computer somewhere else.

07:10.440 --> 07:17.190
So these individual computers are called zombies and collectively all of these computers under the control

07:17.250 --> 07:24.760
of a single system are known as a botnet. Distributed denial of service attacks are the nightmare of

07:24.760 --> 07:26.240
the Internet these days.

07:26.350 --> 07:32.560
To give you an idea of just how bad DDoS attacks are, there are a number of Web sites from security

07:32.560 --> 07:37.840
companies that provide real-time tracking of the attacks that are taking place, and I just happen to have one

07:37.840 --> 07:39.270
of my favorites up right now.

07:39.280 --> 07:41.340
This is from Norse Corporation.

07:41.350 --> 07:46.890
And you can actually see it has these pretty graphics showing who's attacking who right now.

07:47.020 --> 07:51.980
And you can see the attack origins, you can see the types of attacks, you can see who they're going after,

07:52.240 --> 07:56.050
and then you can actually see what's taking place in terms of the attack.

07:56.050 --> 08:01.630
For example you can see attack type and the port numbers that are actually being attacked in real time

08:01.720 --> 08:07.450
right now is a huge issue today and it's something we've always got to watch out for.

08:07.450 --> 08:11.350
Make sure you're comfortable with the basic types of denial of service attacks because you're going

08:11.350 --> 08:22.870
to see it on the exam.
