Cybercrime and Threats_06 PDF
Uploaded by TrendySpruce
University of Bisha
MUHANNAD ALRIHALI
Summary
This document provides information about cybercrimes and threats. It details the concept of a Denial-of-Service (DoS) attack, including its classifications, types, and methods. It clarifies the differences between DoS and DDoS attacks.
Full Transcript
CYBERCRIMES AND THREATS
MUHANNAD ALRIHALI
6. Denial of Service Attack (DoS)

OUTLINE
DoS: Denial of Service Attack
Classification of DoS Attacks
Types or Levels of DoS Attack
DDoS: Distributed Denial of Service Attack
How to Protect from DoS and DDoS Attacks
Q/A

DOS: DENIAL OF SERVICE ATTACK
❑ The term DoS refers to a form of attack on a computer system over a network. It is normally a malicious attempt to make a networked system unable to function, but without permanently damaging it.
❑ A Denial-of-Service attack aims at preventing legitimate users from authorized access to a system resource. The attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
❑ Denial of Service is currently the most expensive computer crime for victim organizations.

CLASSIFICATION OF DOS ATTACKS
❑ Volume-based attacks or bandwidth attacks: These attacks consume all available network bandwidth. Every site is allotted a particular amount of bandwidth for its hosting, say 50 GB. If visitors consume all 50 GB, the hosting provider can suspend the site. The attacker does the same: the attacker opens 100 pages of a site and keeps refreshing them, consuming all the bandwidth, so the site goes out of service. Eg: UDP floods, ICMP floods, spoofed-packet floods.
❑ Application-layer attacks or programming flaws: Failures of applications or OS components to handle exceptional conditions (i.e. unexpected data is sent to a vulnerable component). The goal of this attack is to crash the web server.
❑ Protocol attacks or resource starvation:
▪ These attacks consume system resources (mainly CPU, memory and storage space).
▪ Protocols here are the rules that must be followed to send data over a network. These attacks exploit a specific feature or implementation bug of some protocol installed on the victim's system to consume an excessive amount of its resources.
▪ Eg: TCP SYN floods, fragmented-packet attacks, Ping of Death, Smurf attack, etc.
❑ Unintentional DoS attack:
▪ A friendly or unintentional DoS attack is when a website experiences such heavy traffic that users can no longer access it. This happens when many people flock to the website and cause the server to crash.
▪ This may be due to a sudden enormous spike in the popularity of a particular website.
▪ Eg: A celebrity shares a link to a particular website on his/her own social media page, so a large number of followers visit that website, which finally leads to a server crash.

TYPES OR LEVELS OF DOS ATTACKS
❑ UDP flood
❑ ICMP flood attack or ping flood
❑ SYN attack or TCP SYN flooding
❑ Smurf attack
❑ Ping of Death attack
❑ Teardrop attack
❑ Land attack
❑ Nuke attack
❑ Permanent denial-of-service attacks

❑ ICMP Flood Attack or Ping Flood
▪ Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim's computer by overloading it with ICMP echo requests.
▪ The attacker hopes that the victim will respond with an ICMP "echo reply" packet for each ICMP request, thus consuming both the outgoing and the incoming bandwidth of the target device.
▪ It is most successful if the attacker has more bandwidth than the victim. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
❑ UDP Flood
▪ A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device's ability to process and respond.
▪ The firewall protecting the targeted server can also become exhausted as a result of UDP flooding, resulting in a denial of service to legitimate traffic.
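Added example, not part of the deck: a sliding-window detector, written in Python, that counts ICMP echo requests and UDP datagrams per destination the way a defender would watch for the ping flood and UDP flood described above, and reports how many distinct sources are behind the burst. The packet records, addresses, window and threshold are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed packet records: (timestamp_s, src, dst, proto, icmp_type).
# proto is "icmp" or "udp"; icmp_type 8 is an echo request, -1 when not ICMP.
SAMPLE_PACKETS = (
    [(0.01 * i, "203.0.113.9", "192.0.2.10", "icmp", 8) for i in range(300)]            # ping flood, one source
    + [(0.005 * i, f"198.51.100.{i % 40}", "192.0.2.20", "udp", -1) for i in range(200)]  # UDP burst, 40 sources
    + [(1.0 * i, "198.51.100.5", "192.0.2.30", "icmp", 8) for i in range(5)]             # normal pings, no alert
)

class FloodDetector:
    """Counts ICMP echo requests and UDP datagrams per destination in a sliding time window."""

    def __init__(self, window_s=1.0, threshold=50):
        self.window_s = window_s
        self.threshold = threshold
        self._events = defaultdict(deque)   # dst -> deque of (timestamp, src), oldest first

    def observe(self, ts, src, dst, proto, icmp_type):
        """Feed one packet (in time order); return an alert dict when dst is over threshold."""
        if not (proto == "udp" or (proto == "icmp" and icmp_type == 8)):
            return None
        window = self._events[dst]
        window.append((ts, src))
        while window and ts - window[0][0] > self.window_s:   # drop events outside the window
            window.popleft()
        if len(window) > self.threshold:
            sources = {s for _, s in window}
            return {"dst": dst, "pkts": len(window), "distinct_sources": len(sources),
                    "kind": "distributed" if len(sources) > 1 else "single-source"}
        return None

def run(packets, window_s=1.0, threshold=50):
    """Replay packets sorted by time; keep the latest alert per destination."""
    det = FloodDetector(window_s, threshold)
    alerts = {}
    for pkt in sorted(packets):
        alert = det.observe(*pkt)
        if alert:
            alerts[alert["dst"]] = alert
    return alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS).values():
        print(alert)
```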
❑ Ping of Death Attack
▪ An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to the victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may crash or reboot as a result.
❑ Teardrop Attack
▪ A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Here the size of one fragmented packet differs from that of the next fragmented packet. The machine receiving such packets cannot reassemble them, because the packets overlap one another, crashing the network device or server.
▪ The figure shows two fragmented packets with different sizes. Since the size is different for each fragmented packet, the server will not be able to reassemble the packet properly, which leads to server failure. Server failure will lead to Denial of Service.
(Figure slide: Teardrop Attack)
❑ TCP SYN Flood Attacks
▪ Taking advantage of a flaw in TCP's three-way handshake behavior, an attacker makes connection requests aimed at the victim server with packets whose source addresses are unreachable.
▪ In TCP SYN flooding the last message of TCP's 3-way handshake never arrives from the sender.
▪ This causes the server to allocate memory for the pending connection and wait. This fills up the buffer space for SYN messages on the target system, preventing other systems on the network from communicating with the target system.
(Figure slide: TCP SYN Flood Attacks)
❑ Smurf Flood Attacks
▪ For a network there are three types of IP addresses. The first represents the IP address of the network router itself, eg: 192.168.1.0. The second category represents the IP addresses of all devices connected to that particular network router, eg: from 192.168.1.1 to 192.168.1.254. The third represents the broadcast IP of that particular network, eg: 192.168.1.255.
▪ In a Smurf attack the attacker sends an ICMP request to the broadcast IP of a network using the victim's IP as the source address.
▪ All the systems on that network reply to the victim with ICMP echo replies.
▪ This attack rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.
(Figure slides: Smurf Flood Attacks)
❑ Land Attack
▪ The attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports to a host computer.
▪ The IP address used is the host's IP address.
▪ For this to work, the victim's network must be unprotected against packets coming from outside with their own IP addresses.
❑ Permanent DoS (PDoS) Attack
▪ It is a type of DoS attack that damages a system so badly that it requires replacement or reinstallation of hardware.
❑ Nuke Attack
▪ The attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility. This significantly slows the target computer.

DDOS ATTACK
❑ A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses those multiple computers to send a flood of data packets to the target computer.

DOS AND DDOS ATTACK: DIFFERENCE
❑ It is important to differentiate between denial of service (DoS) and distributed denial of service (DDoS) attacks.
❑ In a DoS attack, a single computer and a single Internet connection are used to exhaust the victim's resources by flooding a server with packets.
❑ In a DDoS attack, on the other hand, multiple computers and multiple Internet connections, distributed globally, are used to make the attack. In this situation the victim is flooded with packets sent from many hundreds or thousands of sources.
(Figure slides: DoS and DDoS attack: difference)

HOW TO PROTECT FROM DOS AND DDOS ATTACK
❑ Buy more bandwidth
▪ To ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.
❑ Build redundancy into your infrastructure
▪ To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, spread them across multiple data centers with a good load-balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.
❑ Deploy anti-DDoS hardware and software modules
▪ Servers should be protected by network firewalls and by more specialized web application firewalls. Configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network can help prevent certain DNS- and ping-based volumetric attacks.
▪ Software protection can also be used, for example by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.
❑ Practice basic network security
▪ Engaging in strong security practices can keep business networks from being compromised. Secure practices include complex passwords that change on a regular basis, anti-phishing methods, and secure firewalls that allow little outside traffic.
❑ Understand the warning signs
▪ Some symptoms of a DDoS attack include network slowdown or website shutdowns. No network is perfect, but if a lack of performance seems prolonged or more severe than usual, the network is likely experiencing a DDoS and the company should take action.
❑ Maintain spares
▪ Spares are machines that can be placed into service quickly if a similar machine is disabled.
❑ Establish and maintain regular backup schedules and policies

Q/A
THANK YOU FOR LISTENING
ANY QUESTIONS?
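Added example, not from the deck: a Python model of the server-side table of half-open TCP connections from the TCP SYN flood slides, implementing the software protection named above (monitoring how many incomplete connections exist and flushing them at a configurable threshold, plus an age timeout). The addresses, ports, limits and the flood scenario are constructed for illustration.

```python
from collections import OrderedDict

class HalfOpenTracker:
    """Server-side model of pending TCP handshakes (constructed example, not a real stack).
    A SYN opens a pending entry and the client's final ACK closes it; SYNs from spoofed or
    unreachable sources never get that ACK, so the table is bounded by max_pending (oldest
    entry flushed first) and entries older than timeout_s are expired on each new SYN."""

    def __init__(self, max_pending=64, timeout_s=5.0):
        self.max_pending = max_pending
        self.timeout_s = timeout_s
        self.pending = OrderedDict()   # (src, sport) -> arrival time, oldest first
        self.established = 0
        self.flushed = 0

    def on_syn(self, now, src, sport):
        """First handshake message: record a half-open connection, enforcing the limits."""
        for key, t0 in list(self.pending.items()):   # expire stale entries, oldest first
            if now - t0 <= self.timeout_s:
                break                                  # later entries are younger still
            del self.pending[key]
            self.flushed += 1
        if len(self.pending) >= self.max_pending:      # bounded table: flush the oldest
            self.pending.popitem(last=False)
            self.flushed += 1
        self.pending[(src, sport)] = now

    def on_ack(self, src, sport):
        """Third handshake message: True if it completed a tracked half-open connection."""
        if self.pending.pop((src, sport), None) is None:
            return False                               # already flushed, or a stray ACK
        self.established += 1
        return True

def simulate(max_pending=64):
    """Constructed scenario: 200 SYNs whose ACK never comes, then one legitimate client."""
    tracker = HalfOpenTracker(max_pending=max_pending)
    for i in range(200):
        tracker.on_syn(0.001 * i, "198.51.100.77", 40000 + i)
    tracker.on_syn(0.3, "192.0.2.44", 51000)           # real client's SYN
    completed = tracker.on_ack("192.0.2.44", 51000)    # its ACK completes the handshake
    return {"half_open": len(tracker.pending), "flushed": tracker.flushed,
            "legit_completed": completed, "established": tracker.established}

if __name__ == "__main__":
    print(simulate())                   # bounded table keeps the legitimate client connectable
    print(simulate(max_pending=1000))   # without the bound the flood's 200 entries all remain
```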
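A second added example, also not from the deck: defensive packet checks in Python for the Land, Smurf, Teardrop and Ping of Death patterns described on the slides, using the deck's 192.168.1.0/24 addressing. Fragment offsets are modelled in bytes rather than the 8-byte units of the IP header, and every sample packet is constructed.

```python
from ipaddress import ip_address, ip_network

IP_MAX_LEN = 65535   # largest legal IPv4 datagram; reassembling beyond it is the Ping of Death

def is_land_packet(src, dst, sport, dport, tcp_flags):
    """Land attack: a TCP SYN whose source and destination address and port are identical."""
    return "S" in tcp_flags and src == dst and sport == dport

def is_smurf_trigger(dst, icmp_type, network):
    """Smurf: an ICMP echo request (type 8) addressed to the network's broadcast address
    (192.168.1.255 for the deck's 192.168.1.0/24 example)."""
    return icmp_type == 8 and ip_address(dst) == ip_network(network).broadcast_address

def check_reassembly(fragments):
    """fragments: (offset, length) pairs of one datagram, in any order. Returns None if
    they tile cleanly, 'teardrop' if two fragments overlap, or 'ping_of_death' if the
    reassembled datagram would exceed IP_MAX_LEN."""
    end = 0
    for offset, length in sorted(fragments):
        if offset < end:               # this fragment starts inside the previous one
            return "teardrop"
        end = offset + length
    return "ping_of_death" if end > IP_MAX_LEN else None

def classify(packet, local_net="192.168.1.0/24"):
    """Run every check on one constructed packet dict; return the names that match."""
    hits = []
    if packet["proto"] == "tcp" and is_land_packet(packet["src"], packet["dst"],
                                                   packet["sport"], packet["dport"], packet["flags"]):
        hits.append("land")
    if packet["proto"] == "icmp" and is_smurf_trigger(packet["dst"], packet["icmp_type"], local_net):
        hits.append("smurf")
    if packet.get("fragments"):
        problem = check_reassembly(packet["fragments"])
        if problem:
            hits.append(problem)
    return hits

# Constructed sample packets, one per check, plus a clean fragmented ping.
SAMPLES = {
    "land": {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.10",
             "sport": 139, "dport": 139, "flags": "S"},
    "smurf": {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.1.255", "icmp_type": 8},
    "teardrop": {"proto": "udp", "fragments": [(0, 1400), (1200, 1400)]},  # 2nd starts inside 1st
    "pod": {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.20", "icmp_type": 8,
            "fragments": [(i * 1480, 1480) for i in range(45)]},              # 66,600 bytes reassembled
    "clean": {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.1.20", "icmp_type": 8,
              "fragments": [(0, 1480), (1480, 1480)]},
}
```

Calling classify on each entry of SAMPLES returns the matching check names, an empty list for the clean packet.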