Chapter 8 DOS Attacks PDF

Summary

This document provides a detailed overview of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. It covers various attack types, techniques, and tools used in these attacks. The document also discusses countermeasures and protection methods against these attacks.

Full Transcript

System Hacking-Denial
of Service attack
Topics
DOS / DDOS Concepts
DOS / DDOS Attack Techniques
Botnets
DOS/ DDOS Attack Tools
Countermeasures
DOS/DDOS Protection Tools
What is denial Of Service(DoS)
 A type of attack on a service that disrupts its normal function and
prevents other users from accessing it
 Typically aimed at a website, but can attack whole networks, a
specific server, or a specific application
 DoS can be achieved by:
 Flooding the network or routers/switches with traffic (consuming all network
bandwidth)
 Consuming all of a server’s CPU, RAM or disk resources
 Consuming all of a server’s permitted concurrent TCP connections
 DoS attacks can cause the following problems:
 Ineffective services
 Inaccessible services
 Interruption of network traffic
 Connection interference
 Distributed Denial of Service(DDoS)
 Launched from numerous compromised devices
 There can be hundreds or even thousands of devices
 The compromised devices are typically organized
and remotely controlled
 Such computers are called “zombies”
 They are managed by “command and control” (C&C)
computers
 These are regionally located
 Often compromised machines themselves
 The C&C computers are in turn controlled by the attacker’s
computer
Dos Example DDoS Example

Hacker Computer
 DoS Types/ Attack Techniques
1) Volumetric Attacks
 Designed to consume network bandwidth so authorized clients cannot
connect
2) Fragmentation Attacks
 Designed to keep a target busy with packet fragments that cannot be
reassembled.
3) State-Exhaustion Attacks
 Designed to consume connection state tables in network infrastructure
components
4) Application Layer Attacks
 Designed to consume app resources/service so they are not available to
users
5) Protocol Attacks
 Designed to abuse commonly used Internet protocols
6) Multi-vector Attacks
 A combination of attack types
1) Volumetric Attacks
 Common types of Volumetric Attack are :
 Packet Flood
 Botnet DDoS
 Smurf, ICMP Flood, Fraggle
 HTTP Flood
 A) Packet Flood:- Sends massive amounts of TCP, UDP,
ICMP, or random packet traffic to target. Can include
different TCP flag variants.
 B) HTTP Flood:- Uses seemingly legitimate HTTP GET
or POST requests to attack a web server. Does not
require spoofing or malformed packets. Can consume
a high amount of resources with a single request
C) Botnet DDoS Attack:- Service request flood. The
attacker/zombie group sets up/tears down TCP connections in an
attempt to use up all server resources. A request is initiated on
each connection. The flood of service requests overwhelms the
target server(s)
D) Smurf Attack:- Large numbers of ICMP echo requests are sent to
intermediate devices. The source is spoofed so they all respond to the target
Working
1. The ICMP Echo Request(ping) is
sent to a broadcast address (an
address that distributes packets
to all devices on a network)
2. The ICMP Packet has a spoofed
source address (IP address of the
target)
3. Each device responds with an
ICMP Echo Reply to the spoofed IP
address (victim)
E) ICMP Flood:- Similar to Smurf but without the intermediate
devices. Send ICMP Echo packets with a spoofed address, eventually
reach the limit of packets per second sent
F) Fragile Attack:- Same concept as Smurf attack.
But UDP packets instead of ICMP (UDP flood attack)
2) Fragmentation Attacks
Common types of Fragmentation attacks are:
 Fragmentation
 Teardrop
 UDP and TCP Fragmentation
 Ping of Death
Attacker exploits the way networks handle fragmented packets to overwhelm or
disrupt a target system. It involves sending fragmented packets in a manner that
consumes the target's resources or causes it to malfunction.
A) Fragmentation Attack B) Ping To Death
 Designed to keep a target  Fragments ICMP messages
busy with packet fragments
that cannot be reassembled  Upon reassembly the ICMP
packet is larger than the
 IP fragments are sent to a
target maximum allowable size
 Their fragment offsets overlap  Crashes the target
or otherwise cannot be
reassembled
 The target’s CPU is kept busy
attempting to reassemble the
packets
 Can result in system freezing
or crash
C) TCP Fragmentation D) UDP Fragmentation
Similar to an IP fragmentation Send the target UDP fragments
attack, but for TCP When reassembled they are too
Send the target TCP large for the network's MTU
segments that have
overlapping sequence
numbers and cannot be
reassembled
Windows NT,Windows 95,
and Linux versions prior to
version 2.1.63 are most
vulnerable
3) Teardrop Fragmentation Attack
 An IP fragmentation attack
 IP fragment offset in the packet headers overlap

Offset starts too soon
Overlaps with the previous packet
4) State Exhaustion Attack

Common types of State Exhaustion Attack are
 TCP State Exhaustion
 Syn Flood
 SSL/TLS Exhaustion
 DNS/NXDOMAIN Flood
Attack that targets a system's ability to manage network connections, overwhelming it and causing
service disruption.
 A) TCP State B) SSL/TLS
Exhaustion Attack Exhaustion Attack
 Attempts to consume all
Sends garbage SSL/TLS data
permitted connections
to the server
 Targets can include:
 Application servers/web Server runs out of resources
servers attempting to process
 Load balancers or firewall
TCP SYN Flood:
corrupt SSL handshakes
Exploits the three-way handshake in TCP. Firewalls generally cannot
The attacker sends numerous TCP SYN packets
but does not complete the handshake, leaving
the server waiting for ACK responses.
distinguish between
The server's connection table fills up with half- legitimate and phony SSL
open connections, exhausting its resources.
TCP Connection Flood: The server's connection data
table fills up with full-open connections,
exhausting its resources
C) DNS Flood
The attacker floods the DNS server with requests for invalid or
nonexistent records
The DNS server spends its time searching for something that
doesn't exist
Instead of serving legitimate requests
The result is that the cache on the DNS server gets filled with bad
requests
Clients can't find the sites/servers they are looking for
 D) SYN Flood
 Half-open attack
 Sends thousands of SYN packets to a target
 Source address is spoofed to non-existent devices

 The server replies with SYN/ACK to non-existent source
 No ACK is received to complete the handshake

 The server must wait to time out each connection
 Servers are usually configured to allow a limited number of
concurrent connections
 All permitted connections are consumed
 Legitimate client requests are ignored
4) Application Layer Attacks -
 Abuse Layer 7 protocols such as HTTP/HTTPS, SNMP, SMB
 Exploit weak code
 Consume resources necessary for the application to run
 Measured in Requests per second (Rps)
 Slow rate, consume few network resources, but harmful to the
target
 Imitate legitimate user activity
 Target file servers, web servers, web applications and
specific web-based apps
 Common attack examples:
 HTTP GET/POST attack – Sending large volumes of http request to Server
 Slowloris attack - Sends incomplete HTTP requests to a server, keeping connections open as long
as possible to exhaust the server's connection pool.
 Malformed SMB requests
 Malicious SQL queries that disrupt a database server
5) Protocol Attacks
 Protocol attacks are a powerful method for disrupting network
services by exploiting weaknesses in communication protocols.
 Because many of these protocols are in global use, changing
how they work is complicated and very slow to roll out
 Defense against protocol attacks are proper configuration,
regular updates, and robust monitoring, are essential to
mitigate these attacks effectively.
 Common Types of Protocol Attacks are
 BGP Hijacking
 LAND Attack Etc.
DoS and DDoS Tools
 Kali Slowloris
 DDoSIM
 OWASP HTTP POST
 RUDY
 Tor’s Hammer
 DAVOSET
 GoldenEye
 HULK
 Countermeasures
 Use cloud-based anti-DDoS services to protect enterprise-level
online services
 Increase bandwidth for all critical connections
 Filter traffic on upstream routers and Rate-limit allowed connections
 Ensure software/protocols are up-to-date
 Disable all insecure/unused services
 Ensure kernel is kept up-to-date
 Ensure firewall is configured to deny access by external ICMP traffic
 Ensure input validation is performed
 Cloud Based DDoS Protection
 Most ISPs block all requests during
DDoS attack
 Unfortunately denies legitimate
traffic
 In-cloud DDoS protection
 During an attack all attack traffic is
redirected to the provider
 It is filtered and returned
 Cloud-based solutions
 Cloudflare
 Netscout
THANK YOU
Any Questions!

26