Chapter 2 - 03 - Understand Network-level Attacks - 07_ocred.pdf
EC-Council
Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Denial-of-Service Attack (DoS)

* Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users
* Attackers flood the victim system with non-legitimate service requests or traffic to overload its resources
* Attackers use tools such as hping3 to perform a DoS attack

Copyright © by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited.

Denial-of-Service Attack (DoS)

A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim’s system with non-legitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim’s website or at least significantly reducing the victim’s system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.

The following are examples of types of DoS attacks:

* Flooding the victim’s system with more traffic than it can handle
* Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
* Crashing a TCP/IP stack by sending corrupt packets
* Crashing a service by interacting with it in an unexpected manner
* Hanging a system by causing it to go into an infinite loop

Module 02 Page 208 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Figure 2.23: Schematic of a DoS attack (attack traffic and regular traffic arrive from the Internet at the server cluster; the malicious traffic consumes all the available bandwidth)

DoS attacks have various forms and target various services. The attacks may cause the following:

* Consumption of resources
* Consumption of bandwidth, disk space, CPU time, or data structures
* Actual physical destruction or alteration of network components
* Destruction of programming and files in a computer system

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.

Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company’s phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines: the attacker uses up all the ways to connect to the victim’s system, making legitimate business impossible.

DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim’s system at the time of the attack.

Attackers use tools such as hping3 to perform a DoS attack.
* hping3

Source: http://www.hping.org

hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw IP protocols.

Figure 2.24: Screenshot of hping3

Distributed Denial-of-Service Attack (DDoS)

* Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (botnet) attacking a single target, thereby denying service to users of the targeted system

How do DDoS Attacks Work?

Distributed Denial-of-Service Attack (DDoS)

Source: https://searchsecurity.techtarget.com

A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet. As defined by the World Wide Web Security FAQ, “A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.
The services under attack belong to the “primary victim,” whereas the compromised systems used to launch the attack are called “secondary victims.” The use of secondary victims in performing a DDoS attack enables the attacker to mount a large and disruptive attack while making it difficult to track down the original attacker. The primary objective of a DDoS attack is to first gain administrative access on as many systems as possible. In general, attackers use a customized attack script to identify potentially vulnerable systems. After gaining access to the target systems, the attacker uploads and runs DDoS software on these systems at the time chosen to launch the attack.

DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless. The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.

How do DDoS Attacks Work?

In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server.
These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim’s machine instead of the zombie agents. Hence, the reflector systems send the requested information (response to the connection request) to the victim. Consequently, the victim’s machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim’s machine to shut down completely.

Figure 2.25: Schematic of a DDoS attack (the attacker sets up handler systems; each handler infects a large number of computers over the Internet; the compromised PCs (zombies) are instructed to attack the target server)
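As an added example (not code from the courseware), the Python below flags in a traffic log both patterns the text describes: the connectivity attack of the DoS section (many connection requests that never complete a handshake) and the reflection flood of the DDoS section (a victim receiving replies from hosts it never queried). The record format, sample addresses and thresholds are assumptions made for the example.

```python
"""Added example (not EC-Council courseware code): flag a SYN-style connectivity
flood and a reflection DDoS in a summarised packet log. The record format
(src, dst, proto, flags) is a constructed stand-in for a flow export."""
from collections import defaultdict

# Constructed sample traffic. TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK; UDP "req"/"resp"
# are a request and its answer. 192.0.2.10 is the victim, 203.0.113.5 a legitimate client.
RECORDS = [
    ("203.0.113.5", "192.0.2.10", "tcp", "S"),
    ("192.0.2.10", "203.0.113.5", "tcp", "SA"),
    ("203.0.113.5", "192.0.2.10", "tcp", "A"),      # completed handshake
    ("10.1.1.1", "192.0.2.10", "tcp", "S"),         # four SYNs that never get an ACK
    ("10.1.1.2", "192.0.2.10", "tcp", "S"),
    ("10.1.1.3", "192.0.2.10", "tcp", "S"),
    ("10.1.1.4", "192.0.2.10", "tcp", "S"),
    ("192.0.2.10", "198.51.100.1", "udp", "req"),
    ("198.51.100.1", "192.0.2.10", "udp", "resp"),  # solicited reply
    ("198.51.100.2", "192.0.2.10", "udp", "resp"),  # three replies the victim
    ("198.51.100.3", "192.0.2.10", "udp", "resp"),  # never asked for (reflectors)
    ("198.51.100.4", "192.0.2.10", "udp", "resp"),
]

def half_open_by_dst(records):
    """Count, per destination, SYN sources that never sent an ACK back."""
    syn_srcs, ack_srcs = defaultdict(set), defaultdict(set)
    for src, dst, proto, flags in records:
        if proto == "tcp" and flags == "S":
            syn_srcs[dst].add(src)
        elif proto == "tcp" and flags == "A":
            ack_srcs[dst].add(src)
    return {dst: len(srcs - ack_srcs[dst]) for dst, srcs in syn_srcs.items()}

def unsolicited_responses(records):
    """Map each receiver of UDP replies to the senders it never queried."""
    requested, unsolicited = set(), defaultdict(set)  # requested: (requester, responder)
    for src, dst, proto, flags in records:
        if proto == "udp" and flags == "req":
            requested.add((src, dst))
        elif proto == "udp" and flags == "resp" and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return unsolicited

def alerts(records, syn_threshold=3, reflector_threshold=3):
    """Return one alert string per host over either (assumed) threshold."""
    out = [f"possible SYN flood against {d}: {n} half-open connections"
           for d, n in half_open_by_dst(records).items() if n >= syn_threshold]
    out += [f"possible reflection DDoS against {v}: replies from {len(r)} unqueried hosts"
            for v, r in unsolicited_responses(records).items() if len(r) >= reflector_threshold]
    return out
```

On a real flow export the thresholds would be set from a baseline of normal half-open counts and reply fan-in, since a single busy server can legitimately exceed the small values used here.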