
Questions and Answers

What is the primary objective of an amplification attack?

  • To intercept packets from the target without detection
  • To increase bandwidth consumption from a low volume to a high volume (correct)
  • To establish a secure connection with the target system
  • To redirect traffic through intermediate servers for surveillance

Which port is typically associated with the echo service used in reflector attacks?

  • Port 25
  • Port 80
  • Port 7 (correct)
  • Port 53

What can help prevent most reflector attacks?

  • Allowing multicast traffic on the network
  • Using network-based and host-based firewall rulesets (correct)
  • Setting up a proxy server for all incoming requests
  • Implementing strong encryption protocols

In a DNS Reflection Attack, which aspect of the attack is exploited?

  • The ability to spoof source IP addresses (B)

What is a potential consequence of incorrectly configured DNS servers in the context of reflection attacks?

  • Creation of a self-contained loop between the intermediary and the target (C)

What is the primary goal of a denial-of-service (DoS) attack?

  • To prevent or impair authorized use of services (B)

Which of the following is a common target of a denial-of-service attack?

  • Network bandwidth (A)

What distinguishes a distributed denial-of-service (DDoS) attack from a standard DoS attack?

  • DDoS uses multiple attacking sources (A)

In the context of DoS attacks, what is a flooding attack?

  • An attack that sends a large volume of traffic to overwhelm a target (A)

What is one approach for defending against denial-of-service attacks?

  • Implementing constant network monitoring (C)

Which of the following best describes an application-based bandwidth attack?

  • Creating excessive data requests to exhaust application bandwidth (B)

What is a key characteristic of reflector and amplifier attacks in the context of DoS?

  • They amplify the attacker's signals through exploited servers (C)

What is the primary consequence of DDoS attacks on a server?

  • Inability to respond to connection requests (C)

What role do 'zombies' play in DDoS attacks?

  • They are compromised systems that execute commands from an attacker. (C)

Which method is commonly used to create large-scale DDoS attacks?

  • Employing multiple compromised systems (C)

What is a suggested countermeasure against becoming part of a DDoS attack?

  • Regularly updating and patching systems (C)

What type of flooding attack is characterized by overwhelming a target with UDP packets?

  • UDP flood (B)

What is the term used for a network of compromised systems controlled by an attacker?

  • Botnet (B)

Which of the following is a resource-consuming attack technique applicable to denial-of-service?

  • SIP flood (D)

Which aspect is crucial for defending against unwanted DDoS participation?

  • Maintaining good system security practices (C)

Which attack mentioned relies on sending a high volume of Internet Control Message Protocol (ICMP) packets?

  • ICMP flood (D)

What is the function of malware in a DDoS attack?

  • To control compromised systems remotely (A)

What is the primary goal of a cyberslam attack?

  • To generate a large volume of packets aimed at overwhelming the server (B)

Which attack specifically targets a network server's ability to manage TCP connection requests?

  • SYN Flooding (B)

What adverse effect do flooding attacks typically have on network resources?

  • Failure of legitimate connection requests (C)

How does the server become incapacitated during a flooding attack?

  • By being overwhelmed with malicious packets (B)

What happens to valid traffic during a flooding attack?

  • It is usually discarded due to congestion (D)

Flooding attacks vary based on which aspect?

  • The network protocol used (D)

Which type of attack aims to exhaust the resources of the server's network handling code?

  • SYN Spoofing (D)

What is a characteristic feature of SYN Flooding attacks?

  • They overwhelm the connection management tables (B)

What must happen for a server affected by a crash due to an attack to resume operations?

  • It needs to be restarted (B)

What is the primary goal of a Slowloris attack?

  • To monopolize web server threads by sending incomplete requests (B)

How does a Slowloris attack consume server resources?

  • By sending requests that require extensive reading and memory usage (D)

What is the effect of the recursive HTTP flood variant of the Slowloris attack?

  • It follows links on a website in a recursive manner (B)

What role do reflectors play in reflector and amplifier attacks?

  • They amplify the size of the attack's response packets (C)

What is the main operational difference between DDoS attacks and reflector attacks?

  • DDoS attacks use compromised intermediary systems, while reflector attacks do not (A)

What advantage does an attacker gain from using a service that creates larger response packets in a reflector attack?

  • Greater likelihood of overwhelming the target's network link (A)

What is the key characteristic of the packets sent by an attacker in a reflector attack?

  • They have a spoofed source address (C)

In the context of HTTP requests, what does the term 'spidering' refer to?

  • The process of crawling a website to collect data (B)

What is a notable consequence of a successful Slowloris attack on a web server?

  • Denial of access for legitimate users (A)

Flashcards

Denial-of-Service (DoS) Attack

A type of attack that aims to prevent or limit the availability of a service or resource.

DoS Attack on Network Bandwidth

A DoS attack that overloads the target's network connection with excessive traffic.

DoS Attack on System Resources

A DoS attack that exhausts the target's system resources, like CPU, memory, or disk space.

Distributed Denial-of-Service (DDoS) Attack

A type of DoS attack where multiple computers, often controlled by an attacker, work together to send excessive traffic to a target.

Application-based Bandwidth Attack

This attack focuses on consuming network bandwidth by exploiting vulnerabilities in network protocols or services.

Reflector and Amplifier Attack

This attack uses legitimate servers to reflect or amplify malicious traffic towards the target, making it hard to trace.

Defenses Against Denial-of-Service Attacks

These are strategies used to mitigate or prevent DoS attacks, like filtering malicious traffic, using firewalls, and improving network capacity.

SYN Spoofing

A type of attack that overwhelms a network server with a large volume of packets, typically targeting the server's ability to manage TCP connections.

Flooding Attacks

Attacks that overwhelm network resources by flooding the server with excessive traffic.

SYN Spoofing Attack

A flooding attack that targets the network server's ability to manage and respond to TCP connection requests.

Flooding Attacks: Targeting Protocols

Flooding attacks can target various network protocols. They aim to overload network capacity, making it difficult for legitimate data to reach the server.

Flooding Attacks: Server Overload

Flooding attacks can overwhelm a server's resources, causing it to struggle to handle and respond to legitimate traffic.

Flooding Attacks: Packet Dropping

In a flooding attack, congestion in routers on the path to the targeted server can cause many packets to be dropped, hindering legitimate traffic.

Flooding Attacks: Disrupting Service

The intent of flooding attacks is usually to disrupt service by overwhelming network resources or the server itself.

Flooding Attacks: Randomized Source Addresses

In a flooding attack, the source addresses of packets are often randomly selected, making it difficult to identify the attacker.

Flooding Attacks: Impact on Communication

Flooding attacks can cause delays and packet loss, making it difficult for legitimate users to communicate with the targeted server.

Denial of Service (DoS)

A type of attack that overwhelms a server with requests, making it unable to respond to legitimate users.

Distributed Denial of Service (DDoS)

A DoS attack launched from multiple compromised systems, often controlled by a botnet.

Zombies

Compromised systems controlled by an attacker, often used in DDoS attacks.

Botnet

A network of compromised systems under the control of a single attacker, used for various malicious activities.

SIP Flood

A DDoS attack technique that targets a specific application layer protocol, often used to disrupt VoIP services.

ICMP Flood

An attack where an attacker sends a large number of ICMP packets to a target, overwhelming it.

UDP Flood

An attack where an attacker sends a large number of UDP packets to a target, often overwhelming it.

TCP SYN Flood

An attack where an attacker sends a large number of TCP SYN packets to a target, consuming its resources and halting legitimate connections.

DDoS Countermeasures

The best way to avoid becoming a zombie in a DDoS attack is to maintain good security practices and keep your systems updated.

Amplification Attack

A type of attack where an attacker sends a packet with a spoofed source address to an intermediary, causing the intermediary to send a response to the intended target, amplifying the attack volume.

Reflector Attack

A type of attack where an attacker establishes a loop between an intermediary and the intended target, sending packets back and forth.

DNS Reflection Attack

A specific type of reflector attack that uses the Domain Name System (DNS) to amplify traffic.

Block Directed Broadcasts

A common defense for amplification and reflection attacks. It prevents directed broadcasts from entering a network from external sources.

Echo Service (Port 7)

A service commonly used in reflection and amplification attacks.

Slowloris Attack

A type of denial-of-service (DoS) attack that overwhelms a web server by sending a continuous stream of HTTP requests that never fully complete.

Recursive HTTP Flood

A variation of the Slowloris attack where bots start from a given webpage and follow all subsequent links, causing an extensive load on the server.

Simple Reflection Attack

A type of Reflector/Amplifier attack where an attacker sends packets to a service with a spoofed source address of the target system, causing the service to reply to the target with amplified traffic.

Reflector

The intermediary system that is used to reflect the amplified traffic back towards the target in a Reflector/Amplifier attack.

Amplifier

A service that creates a larger response packet than the original request, amplifying the impact of the attack.

Spoofing

The process of the attacker sending network packets with a fabricated source address to a service.

Intermediary

A server that responds to a spoofed network packet, effectively redirecting the amplified traffic towards the target.

Target System

The target of the attack, which is overwhelmed by the amplified traffic.

Amplified Flood

The process of an attacker sending numerous requests to multiple servers, all with the same spoofed source address, creating an amplified flood of responses.

Study Notes

Computer Security CS433, Chapter 7 - Denial-of-Service Attacks (Parts 1 & 2)

  • Definition of Denial-of-Service (DoS) Attacks: A DoS attack aims to prevent or impair authorized network, system, or application use by depleting resources like CPU, memory, bandwidth, and disk space. Network services are typically targeted over network connections.

Attack Targets

  • Network Bandwidth: Malicious traffic overwhelms legitimate traffic, denying access.
  • System Resources: Attacks overload network handling software (e.g., SYN spoofing, poison packets).
  • Application Resources: Exploits resource-intensive application operations (e.g., database queries, server bugs).

Attack Types

  • Source Address Spoofing: Attackers use forged source addresses to mask their identity and flood the target with packets.

Flooding Attacks

  • Nature: Overload network links or server response capacity with malicious traffic. Malicious packets cause routers to discard valid traffic.
  • Examples: ICMP flood, UDP flood, TCP SYN flood.

Distributed Denial-of-Service (DDoS) Attacks

  • Concept: Use multiple compromised systems (zombies) in a botnet to generate a larger attack volume.
  • Mechanism: Attacker controls a network of compromised systems (zombies) for coordinated flooding attacks.

DDoS Attack Architecture

  • Typically involves an attacker, handlers, and zombie systems targeting a victim.

Application-Based Bandwidth Attacks

  • Concept: Exploit disproportionate resource consumption of application operations.
  • Examples: SIP flood (Session Initiation Protocol flooding) and HTTP-based attacks (e.g., HTTP flood, Slowloris).

SIP Flood Attack

  • Nature: Exploits resource-intensive SIP INVITE messages. Spoofed IP addresses or a botnet can flood SIP proxies with requests.

HTTP-Based Attacks

  • HTTP Flood: A DDoS attack overwhelming a web server by flooding it with HTTP requests.
  • Slowloris: Attempts to monopolize all available request-handling threads on a web server by sending HTTP requests that never complete.

Reflector and Amplifier Attacks

  • Concept: Use intermediary systems (reflectors) to increase attack traffic volume against the target.
  • DNS Reflection: Attackers send spoofed DNS requests to a DNS server, leveraging the server's response to flood the target.
  • Amplification Attacks: Exploit responses from legitimate servers to create a larger packet stream against the target.

Defenses Against DoS Attacks

  • Prevention and Preemption: Enforce resource-consumption policies and provision backup resources.
  • Traceback and Identification: Identify the attack source to prevent future attacks (a slow process).
  • Detection and Filtering: Detect suspicious patterns during attacks, filtering likely attack packets.
  • Reaction: Reduce effects after the attack occurs.

DDoS Countermeasures

  • System Compromise Prevention: Maintain strong system security and keep software updated.