Module 10 - Denial-of-Service PDF - Certified Ethical Hacker
Document Details
Uploaded by barrejamesteacher
EC-Council
Summary
This document details Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. It provides an overview of DoS concepts, botnets, attack techniques, and countermeasures. The document's content is related to ethical hacking and is intended for cybersecurity professionals.
Full Transcript
C|EH Certified Ethical Hacker
Module 10: Denial-of-Service

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Denial-of-Service

Learning Objectives
LO#01: Summarize DoS/DDoS Concepts
LO#02: Explain Botnet Network
LO#03: Demonstrate Different DoS/DDoS Attack Techniques
LO#04: Present DDoS Case Study
LO#05: Explain DoS/DDoS Attack Countermeasures

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of the Transmission Control Protocol (TCP)/Internet Protocol (IP) model or bugs in a specific operating system (OS).

At the end of this module, you will be able to do the following:
- Describe DoS/DDoS concepts
- Describe botnets
- Understand various DoS/DDoS attack techniques
- Explain different DoS/DDoS attack tools
- Illustrate DoS/DDoS case studies
- Apply best practices to mitigate DoS/DDoS attacks
- Apply various DoS/DDoS protection tools

Module 10 Page 1415 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

LO#01: Summarize DoS/DDoS Concepts

DoS/DDoS Concepts
For a good understanding of DoS/DDoS attacks, one must be familiar with related concepts in advance. This section defines DoS and DDoS attacks and discusses how DDoS attacks work.

What is a DoS Attack?
Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users. In a DoS attack, attackers flood the victim system with non-legitimate service requests or traffic to overload its resources, and the malicious traffic consumes all the available bandwidth.

A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim’s system with nonlegitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim’s website or at least significantly reducing the victim’s system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.

The following are examples of types of DoS attacks:
- Flooding the victim’s system with more traffic than it can handle
- Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
- Crashing a TCP/IP stack by sending corrupt packets
- Crashing a service by interacting with it in an unexpected manner
- Hanging a system by causing it to go into an infinite loop

[Figure: attack traffic from the attacker consumes all the available bandwidth, so regular traffic from legitimate users cannot reach the server cluster.]
Figure 10.1: Schematic of a DoS attack

DoS attacks have various forms and target various services.
The attacks may cause the following:
- Consumption of resources
- Consumption of bandwidth, disk space, CPU time, or data structures
- Actual physical destruction or alteration of network components
- Destruction of programming and files in a computer system

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.

Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company’s phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines: the attacker uses up all the ways to connect to the victim’s system, making legitimate business impossible.

DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim’s system at the time of the attack.

What is a DDoS Attack?
Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (a botnet) attacking a single target, thereby denying service to users of the targeted system.

Source: https://www.techtarget.com

A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet. As defined by the World Wide Web Security FAQ, “A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.

The services under attack belong to the “primary victim,” whereas the compromised systems used to launch the attack are called “secondary victims.” The use of secondary victims in performing a DDoS attack enables the attacker to mount a large and disruptive attack while making it difficult to track down the original attacker.

The primary objective of a DDoS attack is to first gain administrative access on as many systems as possible. In general, attackers use a customized attack script to identify potentially vulnerable systems. After gaining access to the target systems, the attacker uploads and runs DDoS software on these systems at the time chosen to launch the attack.
DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless.

The impacts of DDoS include the loss of goodwill, disabled networks, financial losses, and disabled organizations.

How do DDoS Attacks Work?
In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim’s machine instead of the zombie agents. Hence, the reflector systems send the requested information (response to the connection request) to the victim. Consequently, the victim’s machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim’s machine to shut down completely.
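The reflection mechanism just described leaves a trace that a defender can look for at the victim: answers arrive for requests the victim never sent. The following Python script is an added example, not code from the EC-Council module, showing how a monitor that sees both the protected host's outbound requests and its inbound traffic can flag such unsolicited responses and count how many distinct reflectors are answering. The packet records, the protected address 203.0.113.10 and the reflector addresses in the 198.51.100.0/24 documentation range are constructed for the example; the Packet record and the functions find_unsolicited_responses and reflection_alert are names chosen here, not names from any real tool.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example, not code from the CEH module. Models a border tap that sees
# both what the protected host sends and what arrives for it.

@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    kind: str      # "request" (DNS query / TCP SYN) or "response" (answer / SYN-ACK)

OUR_HOST = "203.0.113.10"   # the protected (potential victim) host, constructed address


def find_unsolicited_responses(packets, window=5.0):
    """Return responses to OUR_HOST that no request from OUR_HOST explains.

    A request is matched by (peer address, peer port, our port, protocol). An
    answer with no matching request, or one arriving more than `window` seconds
    after it, is treated as unsolicited. In a reflection attack the zombies spoof
    our address, so the reflectors' answers reach us although our own capture
    shows no outbound request.
    """
    outstanding = {}      # (peer, peer_port, our_port, proto) -> request timestamp
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == OUR_HOST and p.kind == "request":
            outstanding[(p.dst, p.dport, p.sport, p.proto)] = p.ts
        elif p.dst == OUR_HOST and p.kind == "response":
            key = (p.src, p.sport, p.dport, p.proto)
            sent_at = outstanding.get(key)
            if sent_at is not None and p.ts - sent_at <= window:
                del outstanding[key]          # legitimate answer, request consumed
            else:
                unsolicited.append(p)
    return unsolicited


def reflection_alert(packets, min_reflectors=3, window=5.0):
    """Count unsolicited responses per source and alert when many different
    reflectors are answering at once, the signature of reflected DDoS traffic."""
    unsol = find_unsolicited_responses(packets, window)
    per_reflector = defaultdict(int)
    for p in unsol:
        per_reflector[p.src] += 1
    return {
        "unsolicited": len(unsol),
        "reflectors": dict(per_reflector),
        "alert": len(per_reflector) >= min_reflectors,
    }


# Constructed capture: one genuine DNS lookup and its answer, followed by DNS and
# NTP answers from servers that OUR_HOST never queried.
SAMPLE_PACKETS = [
    Packet(0.0, OUR_HOST, "198.51.100.5", "udp", 40000, 53, "request"),
    Packet(0.1, "198.51.100.5", OUR_HOST, "udp", 53, 40000, "response"),
    Packet(1.0, "198.51.100.20", OUR_HOST, "udp", 53, 5311, "response"),
    Packet(1.0, "198.51.100.21", OUR_HOST, "udp", 53, 5312, "response"),
    Packet(1.1, "198.51.100.22", OUR_HOST, "udp", 53, 5313, "response"),
    Packet(1.1, "198.51.100.23", OUR_HOST, "udp", 123, 5314, "response"),
    Packet(1.2, "198.51.100.20", OUR_HOST, "udp", 53, 5315, "response"),
]

if __name__ == "__main__":
    result = reflection_alert(SAMPLE_PACKETS)
    print(f"unsolicited responses: {result['unsolicited']}")
    for reflector, n in sorted(result["reflectors"].items()):
        print(f"  {reflector}: {n}")
    print("ALERT: reflected traffic" if result["alert"] else "no alert")
```

The legitimate lookup to 198.51.100.5 is consumed by its answer and never appears in the report, while the five answers from four other servers do. The same matching works for TCP once `kind` is derived from the flags (a SYN-ACK with no preceding SYN), and the per-reflector counts are also the list of secondary victims whose operators should be notified, since they are being abused rather than attacking deliberately.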
[Figure: the attacker sets up a handler system; the handler infects a large number of computers over the Internet; the zombie systems (compromised PCs) are instructed to attack the targeted server.]
Figure 10.2: Schematic of a DDoS attack

LO#02: Explain Botnet Network

Botnets
The term “bot” is a contraction of “robot” and refers to software applications that run automated tasks over the Internet. Attackers use bots to infect a large number of computers that form a network, or “botnet,” allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime. This section deals with organized cyber-crime syndicates, organizational charts, botnets, and botnet propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and the propagation of malicious code.

Organized Cyber Crime: Organizational Chart
Hierarchical setup: a criminal boss; an underboss who is the Trojan provider and manager of Trojan command and control; attackers (crimeware toolkit owners) who distribute Trojans in legitimate websites; campaign managers, each with an affiliation network; and stolen data resellers.

Organized Crime Syndicates
While cyber criminals worked independently in the past, they now tend to operate in organized groups.
They are increasingly associated with organized crime syndicates and take advantage of the sophisticated techniques of these syndicates to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue-sharing model, which is a kind of major corporation that offers criminal services. Organized groups create and rent botnets and offer various services ranging from the development of malware and hacking of bank accounts to the deployment of massive DoS attacks against any target for a price. For example, an organized crime syndicate might perform a DDoS attack against a bank to divert the attention of the bank’s security team while they clean out bank accounts with stolen account credentials. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (i.e., the boss) acts as a business entrepreneur. The boss does not commit any crimes directly. Immediately below the boss in the organizational hierarchy is the “underboss,” who sets up a C&C server and crimeware toolkit database to manage the implementation of attacks and provide Trojans. Below the underboss are various “campaign managers” with their own affiliation networks for implementing attacks and stealing data. Finally, resellers sell the stolen data.
[Figure: criminal boss at the top; underboss (Trojan provider and manager of Trojan command and control); attackers (crimeware toolkit owners) who distribute Trojans in legitimate websites; three campaign managers, each with an affiliation network and a stolen data reseller.]
Figure 10.3: Hierarchical setup of a cybercrime organization

Botnets
Bots are software applications that run automated tasks over the Internet and perform simple, repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.

Bots are used for benign data collection or data mining activities, such as “web spidering,” as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. Examples of IRC bots are Cardinal, Sopel, Eggdrop, and EnergyMech. A botnet (a contraction of “roBOT NETwork”) is a group of computers “infected” by bots; however, botnets can be used for both positive and negative purposes.
As a hacking tool, a botnet is composed of a huge network of compromised systems. A relatively small botnet of 1,000 bots has a combined bandwidth larger than the bandwidth of most corporate systems. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of a cybercrime network. They offer services such as malicious code development, bulletproof hosting, the creation of browser exploits, and encryption and packing. Malicious code is the primary tool used by criminal organizations to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via networks. Developers offer malware services on public sites or closed Internet resources.

Botnets are agents that an intruder can send to a server system to perform an illegal activity. Botnets run hidden programs that allow the identification of system vulnerabilities. Attackers can use botnets to perform the tedious tasks involved in probing a system for known vulnerabilities.

Attackers can use botnets to perform the following:
- DDoS attacks: Botnets can generate DDoS attacks, which consume the bandwidth of the victim’s computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity.
- Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources.
- Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine.
It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another.
- Keylogging: Keylogging is a method of recording the keys typed on a keyboard, and it provides sensitive information such as system passwords. Attackers use keylogging to harvest account login information for services such as PayPal.
- Spreading new malware: Botnets can be used to spread new bots.
- Installing advertisement add-ons: Botnets can be used to perpetrate “click fraud” by automating clicks.
- Google AdSense abuse: Some companies permit showing Google AdSense ads on their websites for economic benefits. Botnets allow an intruder to automate clicks on an ad, producing a percentage increase in the click queue.
- Attacks on IRC chat networks: Also called clone attacks, these attacks are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within an IRC network, which can flood the network.
- Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games.
- Mass identity theft: Botnets can send a large number of emails while impersonating a reputable organization such as eBay. This technique allows attackers to steal information for identity theft.

Figure 10.4 below illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot C&C center, following which they infect and compromise a machine (bot). Later, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and await instructions. Subsequently, the attacker sends malicious commands to the bots through the C&C center.
Finally, as per the attacker’s instructions, the bots launch a DoS attack on a target server, making its services unavailable to legitimate users in the network.

[Figure: the attacker sets up a bot command and control center and infects a machine (the first bot); the bot looks for other vulnerable systems and infects them to create a botnet; the bots (zombies) connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the C&C center; the zombies attack the target server.]
Figure 10.4: Botnet-based DDoS attack

A Typical Botnet Setup
[Figure: the attacker maintains a toolkit database and compromises a legitimate website or creates a new malicious website, using social engineering, etc.; victims of the malicious or compromised website receive bots and join the affiliation network; the bots receive instructions from the C&C center to attack the primary target, an organization.]
Figure 10.5: Typical botnet setup

Botnet Ecosystem
[Figure: the botnet sits at the center of an ecosystem of criminal markets and uses: intrusion market, zero-day market, malware market, licenses, MP3/DivX piracy, C&C infrastructure, extortion, stock fraud, and scams.]
Figure 10.6: Botnet ecosystem

Scanning Methods for Finding Vulnerable Machines
- Random Scanning: The infected machine probes IP addresses randomly from the target network IP range and checks for vulnerabilities
- Hit-list Scanning: An attacker first collects a list of potentially vulnerable machines and then scans them to find vulnerable machines
- Topological Scanning: It uses information obtained from an infected machine to find new vulnerable machines
- Local Subnet Scanning: The infected machine looks for new vulnerable machines in its own local network
- Permutation Scanning: It uses a pseudorandom permutation list of IP addresses to find new vulnerable machines

Discussed below are scanning methods used by an attacker to find vulnerable machines in a network:

Random Scanning
In this technique, the infected machine (an attacker’s machine or a zombie) probes IP addresses randomly in the target network’s IP range and checks their vulnerability. On finding a vulnerable machine, it hacks and attempts to infect the vulnerable machine by installing the same malicious code installed on it. This technique generates significant traffic because many compromised machines probe and check the same IP addresses. Malware propagates quickly in the initial stage, and the speed of propagation reduces as the number of new IP addresses available decreases with time.

Hit-list Scanning
Through scanning, an attacker first collects a list of potentially vulnerable machines and then creates a zombie army.
Subsequently, the attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially. This technique ensures the installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.

Topological Scanning
This technique uses the information obtained from an infected machine to find new vulnerable machines. An infected host checks for URLs in the hard drive of a machine that it wants to infect. Subsequently, it shortlists URLs and targets, and it checks their vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique.

Local Subnet Scanning
In this technique, an infected machine searches for new vulnerable machines in its local network, behind a firewall, by using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms.

Permutation Scanning
In this technique, attackers share a common pseudorandom permutation list of IP addresses of all machines. The list is created using a block cipher of 32 bits and a preselected key. If a compromised host is infected during either hit-list scanning or local subnet scanning, the list is scanned from immediately after the point of the compromised host to identify new targets. If a compromised host is infected during permutation scanning, scanning restarts from a random point.
If an already infected machine is encountered, scanning restarts from a new random start point in the permutation list. The process of scanning stops when the compromised host consecutively encounters a predefined number of already infected machines and fails to find new targets. Thereafter, a new permutation key is generated to initiate a new scanning phase.

Permutation scanning has the following advantages:
o The reinfection of a target is avoided.
o New targets are scanned at random, thereby ensuring a high scanning speed.

How Does Malicious Code Propagate?
Attackers use three techniques to propagate malicious code to newly discovered vulnerable systems:
- Central Source Propagation: Attackers place an attack toolkit on a central source, and a copy of the attack toolkit is transferred to the newly discovered vulnerable system
- Back-chaining Propagation: An attacker places an attack toolkit on his/her own system, and a copy of the attack toolkit is transferred to the newly discovered vulnerable system
- Autonomous Propagation: The attacking host itself transfers the attack toolkit to the newly discovered vulnerable system at the exact time that it breaks into that system
Discussed below are three techniques used by an attacker to propagate malicious code and build attack networks:

Central Source Propagation
In this technique, the attacker places an attack toolkit on a central source and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. Once the attacker finds a vulnerable machine, they instruct the central source to transfer a copy of the attack toolkit to the newly compromised machine, on which attack tools are automatically installed under management by a scripting mechanism. This initiates a new attack cycle, in which the newly infected machine searches for other vulnerable machines and repeats the process to install the attack toolkit. In general, this technique uses HTTP, FTP, and RPC protocols.

[Figure: the attacker exploits the victim; the victim copies the code from the central source; the victim repeats the process against the next victim.]
Figure 10.7: Central source propagation

Back-chaining Propagation
In this technique, the attacker places an attack toolkit on their own system, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. The attack tools installed on the attacking machine use some special methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners containing a copy of this file or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy.
[Figure: the attacker exploits the victim; the victim copies the code back from the attacker; the victim repeats the process against the next victim.]
Figure 10.8: Back-chaining propagation

Autonomous Propagation
Unlike the previously discussed mechanisms, in which an external file source transfers the attack toolkit, in autonomous propagation, the attacking host itself transfers the attack toolkit to a newly discovered vulnerable system, exactly at the time it breaks into that system.

[Figure: the attacker exploits the victim and copies the code in the same step; the victim repeats the process against the next victim.]
Figure 10.9: Autonomous propagation

LO#03: Demonstrate Different DoS/DDoS Attack Techniques

DoS/DDoS Attack Techniques
Attackers implement various techniques to launch denial-of-service (DoS)/distributed denial-of-service (DDoS) attacks on target computers or networks. This section discusses the basic categories of DoS/DDoS attack vectors, various attack techniques, and various DoS/DDoS attack tools used to take over one or multiple network systems to exhaust their computing resources or render them unavailable to their intended users.

Basic Categories of DoS/DDoS Attack Vectors
Volumetric Attacks
- Consume the bandwidth of a target network or service
- The magnitude of attack is measured in bits per second (bps)
- Types of bandwidth depletion attacks: flood attacks and amplification attacks
- Attack techniques: UDP flood attack, ICMP flood attack, Ping of Death and Smurf attack, pulse wave and zero-day attack

Protocol Attacks
- Consume other types of resources, such as the connection state tables present in network infrastructure components like load balancers, firewalls, and application servers
- The magnitude of attack is measured in packets per second (pps)
- Attack techniques: SYN flood attack, fragmentation attack, spoofed session flood attack, ACK flood attack, TCP SACK panic attack

Application Layer Attacks
- Consume the resources or services of an application, thereby making the application unavailable to other legitimate users
- The magnitude of attack is measured in requests per second (rps)
- Attack techniques: HTTP GET/POST attack, Slowloris attack, UDP application layer flood attack, DDoS extortion attack

DDoS attacks mainly aim to diminish the network bandwidth by exhausting network, application, or service resources, thereby restricting legitimate users from accessing system or network resources. In general, DoS/DDoS attack vectors are categorized as follows:

Volumetric Attacks
These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users. The attack magnitude is measured in bits per second (bps). Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which are stateless and do not have built-in congestion avoidance features. The generation of a large number of packets can cause the consumption of the entire bandwidth on the network.

A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers.
Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.

There are two types of bandwidth depletion attacks:

o In a flood attack, zombies send large volumes of traffic to the victim's systems to exhaust the bandwidth of these systems.
o In an amplification attack, the attacker or zombies transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the bandwidth of the victim's systems.

Attackers use botnets to perform DDoS attacks by flooding the network. The entire bandwidth is used up by the attackers, and none remains for legitimate use. The following are examples of volumetric attack techniques:

o User Datagram Protocol (UDP) flood attack
o Internet Control Message Protocol (ICMP) flood attack
o Ping of Death (PoD) attack
o Smurf attack
o Pulse wave attack
o Zero-day attack
o Malformed IP packet flood attack
o Spoofed IP packet flood attack

Protocol Attacks

Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers. Consequently, no new connections are allowed, because the device is waiting for existing connections to close or expire. In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps).
These attacks can even take over the state of millions of connections maintained by high-capacity devices. The following are examples of protocol attack techniques:

o Synchronize (SYN) flood attack
o Fragmentation attack
o Spoofed session flood attack
o Acknowledgement (ACK) flood attack
o TCP SACK panic attack
o ACK and PUSH ACK flood attack
o TCP connection flood attack
o TCP state exhaustion attack
o RST attack
o SYN-ACK flood attack

Application Layer Attacks

In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks to succeed. In application DDoS attacks, the application layer or application resources are consumed by opening connections and leaving them open until no new connections can be made. These attacks disrupt a specific aspect of an application or service and can be effective with one or a few attacking machines producing a low traffic rate. Furthermore, these attacks are very difficult to detect and mitigate. The magnitude of the attack is measured in requests per second (rps).

Application-level flood attacks result in the loss of services of a particular network, such as email and network resources, or the temporary shutdown of applications and services. Through this attack, attackers exploit weaknesses in the program's source code to prevent the application from processing legitimate requests. Several kinds of DoS attacks rely on software-related exploits such as buffer overflows.
A buffer overflow attack sends excessive data to an application, which either shuts down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow: sending too much data to an application overwrites the data that controls the program, enabling the attacker to run their own code instead.

Using application-level flood attacks, attackers attempt to do the following:

o Flood web applications with legitimate user traffic
o Disrupt service to a specific system or person by, for example, blocking a user's access through repeated invalid login attempts
o Jam the application's database connection by crafting malicious Structured Query Language (SQL) queries

Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, once the user identifies the attack, they can stop it and trace it back to its source more easily than other types of DDoS attacks. The following are examples of application layer attack techniques:

o Hypertext Transfer Protocol (HTTP) flood attack
o Slowloris attack
o UDP application layer flood attack
o DDoS extortion attack

DoS/DDoS Attack Techniques

Next, the following DoS/DDoS attack techniques will be discussed:

= UDP flood attack
= ICMP flood attack
= PoD attack
= Smurf attack
= Pulse wave attack
= Zero-day attack
= SYN flood attack
= Fragmentation attack
= ACK flood attack
= TCP state exhaustion attack
= Spoofed session flood attack
= HTTP GET/POST attack
= Slowloris attack
= UDP application layer flood attack
= Multi-vector attack
= Peer-to-peer attack
= Permanent DoS (PDoS) attack
= Distributed reflection DoS (DRDoS) attack
= TCP SACK panic attack
= DDoS extortion attack

UDP Flood Attack

In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server by using a large source IP range. The flooding of UDP packets causes the server to check repeatedly for nonexistent applications at the ports.
Consequently, legitimate applications become inaccessible by the system, and any attempt to access them returns an error reply with an ICMP "Destination Unreachable" packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.

[Figure: the attacker sends UDP packets with a spoofed IP address and random destination UDP ports to the target server, which answers with ICMP "destination unreachable" error packets.]
Figure 10.10: UDP flood attack

ICMP Flood Attack

Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks.
These packets signal the victim's system to reply, and the resulting traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.

To protect against ICMP flood attacks, set a threshold that invokes the ICMP flood attack protection feature when exceeded. When the ICMP threshold is exceeded (by default, the threshold value is 1000 packets/s), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second as well as the next second.

[Figure: the attacker sends ICMP ECHO requests with spoofed source addresses to the target server, which answers each with an ECHO reply; a legitimate ICMP ECHO request arrives from an address in the same security zone.]
Figure 10.11: ICMP flood attack
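The two flood descriptions above (UDP packets to random ports from a wide source range, and the ICMP echo threshold that rejects requests for the rest of the current second and the whole of the next one) both come down to per-second accounting. The following Python is an added illustration of that accounting written for this page; it is not EC-Council's code. The packet records are constructed in memory and nothing is sent; ICMP_THRESHOLD mirrors the 1000 packets/s default quoted in the text, while UDP_PORT_SPREAD and UDP_SOURCE_SPREAD are assumed values.

```python
"""Per-second flood accounting for the UDP and ICMP flood techniques.

Added illustration, not EC-Council's code. Packet records are constructed
in memory (nothing is sent); ICMP_THRESHOLD mirrors the 1000 packets/s
default quoted in the text, the UDP spread thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

ICMP_THRESHOLD = 1000    # echo requests per second before protection triggers (page default)
UDP_PORT_SPREAD = 50     # assumed: distinct destination ports in one second
UDP_SOURCE_SPREAD = 50   # assumed: distinct source addresses in one second


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    proto: str       # "icmp-echo" or "udp"
    src: str         # source address as seen on the wire (possibly spoofed)
    dport: int = 0   # UDP destination port (unused for ICMP)


def icmp_echo_filter(packets):
    """Enforce the threshold rule: once echo requests in one second exceed
    ICMP_THRESHOLD, reject further echo requests for the rest of that second
    and the whole of the next second. Returns (accepted, rejected)."""
    per_second = defaultdict(int)
    blocked_until = -1          # last second index in which echo requests are rejected
    accepted = rejected = 0
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "icmp-echo":
            continue
        sec = int(p.ts)
        if sec <= blocked_until:
            rejected += 1
            continue
        per_second[sec] += 1
        if per_second[sec] > ICMP_THRESHOLD:
            blocked_until = sec + 1  # remainder of this second plus the next one
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected


def udp_flood_seconds(packets):
    """Return the seconds in which UDP traffic shows both signatures of the
    flood described above: random destination ports (services that do not
    exist) arriving from a wide range of source addresses."""
    ports, sources = defaultdict(set), defaultdict(set)
    for p in packets:
        if p.proto == "udp":
            sec = int(p.ts)
            ports[sec].add(p.dport)
            sources[sec].add(p.src)
    return sorted(sec for sec in ports
                  if len(ports[sec]) >= UDP_PORT_SPREAD
                  and len(sources[sec]) >= UDP_SOURCE_SPREAD)


def constructed_sample():
    """Constructed timeline: normal traffic, an ICMP flood, a lone legitimate
    ping afterwards, then a UDP flood to random ports from a spoofed range."""
    pkts = []
    for i in range(20):                       # second 0: a few pings and DNS queries
        src = f"10.0.0.{i % 5 + 1}"
        pkts.append(Packet(i * 0.04, "icmp-echo", src))
        pkts.append(Packet(i * 0.04, "udp", src, 53))
    for sec in (1, 2):                        # seconds 1-2: 1500 echo requests per second
        for i in range(1500):
            pkts.append(Packet(sec + i / 1500, "icmp-echo", f"198.51.100.{i % 254 + 1}"))
    pkts.append(Packet(3.5, "icmp-echo", "10.0.0.7"))   # second 3: flood over, ping allowed again
    for i in range(400):                      # second 4: 400 UDP packets, random ports, 254 sources
        pkts.append(Packet(4 + i / 400, "udp", f"203.0.113.{i % 254 + 1}",
                           1024 + (i * 7919) % 60000))
    return pkts


if __name__ == "__main__":
    sample = constructed_sample()
    print("ICMP echo accepted/rejected:", icmp_echo_filter(sample))   # (1021, 2000)
    print("UDP flood seconds:", udp_flood_seconds(sample))             # [4]
```

On the constructed timeline the filter admits the first 1000 echo requests of second 1, rejects the remaining 500 together with all of second 2, and admits the legitimate ping in second 3 again; the UDP check fires only for second 4, where 400 distinct ports are hit from 254 addresses, and not for the DNS traffic in second 0.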
Ping of Death and Smurf Attacks

Ping of Death Attack

In a Ping of Death (PoD) attack, an attacker attempts to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. Suppose an attacker sends a packet with a size of 65,538 bytes to the target web server. This size exceeds the limit prescribed by RFC 791 (IP), which is 65,535 bytes. The reassembly process performed by the receiving system might cause the system to crash. In such attacks, the attacker's identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine beyond its IP address.

[Figure: packet layout of a 20-byte IP header, an 8-byte ICMP header and 65,510 bytes of ICMP data, sent from the attacker to the target server.]
Figure 10.12: Ping-of-death attack

Smurf Attack

In a Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim's machine because the attacker spoofed the source address, generating significant traffic to the victim's machine and ultimately making it crash.

[Figure: the attacker sends ICMP ECHO requests with a spoofed source address to the IP broadcast network, and every host on it replies to the victim.]
Figure 10.13: Smurf attack
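Both attacks on this slide can be caught at the network border with a simple check on the inbound packet: a fragment whose end offset would push the reassembled datagram past the RFC 791 limit of 65,535 bytes (Ping of Death), and an echo request addressed to the broadcast address of one of the local networks (Smurf). The following Python is an added illustration written for this page, not EC-Council's code. The fragments and echo requests are constructed records; fragment_message only builds test input and the local network list is an assumption.

```python
"""Ingress checks for the two ICMP abuses described above: oversized
reassembled datagrams (Ping of Death) and echo requests aimed at a
directed-broadcast address (Smurf).

Added illustration, not EC-Council's code. Fragments and echo requests are
constructed records; no packets are parsed from or written to the wire.
"""
import ipaddress
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535    # RFC 791 limit on the total length of an IP datagram
IP_HEADER_LEN = 20         # header length without options


@dataclass(frozen=True)
class Fragment:
    ident: int          # IP identification field shared by all fragments of one datagram
    offset: int         # fragment offset in 8-byte units, as carried in the IP header
    payload_len: int    # bytes of data in this fragment (its own IP header excluded)
    more: bool          # more-fragments (MF) flag


def fragment_message(ident, message_len, mtu=1500):
    """Constructed sender-side fragmentation of an ICMP message (header plus
    data) into fragments that fit the MTU, on 8-byte boundaries as RFC 791
    requires. Used only to build test input."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, sent = [], 0
    while sent < message_len:
        chunk = min(max_data, message_len - sent)
        frags.append(Fragment(ident, sent // 8, chunk, more=sent + chunk < message_len))
        sent += chunk
    return frags


def oversized_datagrams(fragments):
    """Return the identification values of datagrams whose reassembled length
    would exceed IP_MAX_DATAGRAM. Each fragment is judged on its own end
    offset, so the datagram can be discarded before reassembly starts."""
    bad = set()
    for f in fragments:
        end = IP_HEADER_LEN + f.offset * 8 + f.payload_len
        if end > IP_MAX_DATAGRAM:
            bad.add(f.ident)
    return sorted(bad)


def directed_broadcast_echo(requests, local_networks):
    """Return (src, dst) pairs of echo requests whose destination is the
    broadcast address of one of the listed networks. Dropping these at the
    border keeps every host on the segment from replying to a spoofed source."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    flagged = []
    for src, dst in requests:
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr == net.broadcast_address for net in nets):
            flagged.append((src, dst))
    return flagged


# Constructed input: a normal 4,000-byte ping and the 65,538-byte PoD packet
# from the text (8-byte ICMP header + 65,510 bytes of data = 65,518 bytes).
SAMPLE_FRAGMENTS = (fragment_message(ident=1, message_len=4000)
                    + fragment_message(ident=2, message_len=8 + 65510))

LOCAL_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]   # assumed local segments

SAMPLE_ECHO_REQUESTS = [         # (source, destination), constructed
    ("203.0.113.5", "192.0.2.10"),      # ordinary ping to one host
    ("203.0.113.9", "192.0.2.255"),     # aimed at the /24 broadcast address
    ("203.0.113.9", "198.51.100.127"),  # aimed at the /25 broadcast address
    ("203.0.113.9", "198.51.100.64"),   # ordinary host on the /25
]

if __name__ == "__main__":
    print("oversized datagram ids:", oversized_datagrams(SAMPLE_FRAGMENTS))   # [2]
    print("directed-broadcast echo requests:",
          directed_broadcast_echo(SAMPLE_ECHO_REQUESTS, LOCAL_NETWORKS))
```

The PoD packet from the text ends up as 44 full 1,480-byte fragments plus a 398-byte tail at offset 8140; that tail alone gives a reassembled length of 65,538 bytes, which is enough to discard the whole datagram before any buffer is allocated for it. The broadcast check is the software counterpart of disabling directed broadcasts on the router interface.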
Pulse Wave and Zero-Day DDoS Attacks

Pulse Wave DDoS Attack

Pulse wave DDoS attacks are the latest type of DDoS attack employed by threat actors to disrupt the standard operations of targets. Generally, DDoS attack patterns are continuous incoming traffic flows. In pulse wave DDoS attacks, however, the attack pattern is periodic, and each pulse is huge, consuming the entire bandwidth of the target network. Attackers send a highly repetitive train of packets as pulses to the target victim every 10 min, and the attack session lasts from approximately an hour to some days. A single pulse (300 Gbps or more) is more than enough to crowd a network pipe. Recovery from such attacks is very difficult and occasionally impossible.
[Figure: attack bandwidth in Gbps (0 to 400 Gbps) against time; the pulses reach about 300 Gbps and recur at regular intervals.]
Figure 10.14: Pulse wave DDoS attack

Zero-Day DDoS Attack

Zero-day DDoS attacks are attacks that exploit DDoS vulnerabilities for which no patches or effective defensive mechanisms exist. Until the victim identifies the threat actor's attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim's resources and steals the victim's data. These attacks can cause severe damage to the victim's network infrastructure and assets. Currently, there is no versatile approach to protect networks from this type of attack.
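What distinguishes a pulse wave from an ordinary flood in monitoring data is not the peak rate but the regular spacing of the bursts, so a detector that only alarms on a sustained threshold breach sees each pulse as a separate, short incident. The following Python is an added illustration of a burst-periodicity check written for this page; it is not EC-Council's code. The per-minute bandwidth samples are constructed to match the text (300 Gbps pulses every 10 min over a quiet baseline), and the threshold and jitter tolerance are assumptions.

```python
"""Burst-periodicity check for the pulse wave pattern described above.

Added illustration, not EC-Council's code. The per-minute bandwidth samples
are constructed; the threshold and jitter tolerance are assumptions.
"""
import statistics

PULSE_THRESHOLD_GBPS = 200.0   # assumed: a sample above this is part of a pulse
MIN_PULSES = 3                 # assumed: bursts needed before calling the pattern periodic
MAX_JITTER_MIN = 1.0           # assumed: tolerated deviation of the spacing between bursts


def bursts(samples_gbps):
    """Return (first_minute, last_minute) for each run of consecutive samples
    above PULSE_THRESHOLD_GBPS."""
    runs, start = [], None
    for minute, rate in enumerate(samples_gbps):
        if rate > PULSE_THRESHOLD_GBPS and start is None:
            start = minute
        elif rate <= PULSE_THRESHOLD_GBPS and start is not None:
            runs.append((start, minute - 1))
            start = None
    if start is not None:
        runs.append((start, len(samples_gbps) - 1))
    return runs


def pulse_wave_period(samples_gbps):
    """Return the spacing in minutes between bursts when the bursts recur
    regularly enough to look like a pulse wave, otherwise None. A single
    sustained flood or irregular spikes do not qualify."""
    starts = [s for s, _ in bursts(samples_gbps)]
    if len(starts) < MIN_PULSES:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    period = statistics.median(gaps)
    if max(abs(g - period) for g in gaps) > MAX_JITTER_MIN:
        return None
    return period


def constructed_pulse_wave(minutes=60, period=10, width=2, pulse_gbps=300.0):
    """Constructed hour of per-minute samples: a 40-50 Gbps baseline with
    300 Gbps pulses lasting two minutes every ten minutes, as in the text."""
    rates = [40.0 + (m % 3) * 5 for m in range(minutes)]
    for start in range(5, minutes, period):
        for m in range(start, min(start + width, minutes)):
            rates[m] = pulse_gbps
    return rates


def constructed_irregular(minutes=60):
    """Constructed control: three spikes at uneven spacing."""
    rates = [40.0] * minutes
    for m in (3, 20, 24):
        rates[m] = 300.0
    return rates


if __name__ == "__main__":
    print("pulse wave period:", pulse_wave_period(constructed_pulse_wave()))   # 10
    print("sustained flood:", pulse_wave_period([350.0] * 60))                 # None
    print("irregular spikes:", pulse_wave_period(constructed_irregular()))     # None
```

Feeding the detector the same kind of per-minute series an interface counter or flow collector produces is enough; once it reports a period, the pulses can be treated as one incident, and mitigation capacity can be kept engaged between pulses rather than being released each time the rate drops back to baseline.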
SYN Flood Attack

In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and server exchange the following series of messages:

= A TCP SYN request packet is sent to the server.
= The server sends a SYN/ACK (acknowledgement) in response to the request.
= The client sends a response ACK to the server to complete the session setup.

This method is the "three-way handshake." In a SYN attack, the attacker exploits the three-way handshake. First, the attacker sends a fake TCP SYN request to the target server. After the server sends a SYN/ACK in response to the client's (attacker's) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.

SYN flooding takes advantage of the flawed manner in which most hosts implement the TCP three-way handshake. This attack occurs when the attacker sends unlimited SYN packets (requests) to the host system. The packets are transmitted faster than the system can handle them. Normally, a connection is established with the TCP three-way handshake.
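The effect this section describes, a listen queue of half-open entries that are released only by the client's ACK or by a 75 s timeout, is easiest to see by replaying a handshake trace against a model of that queue. The following Python is an added illustration written for this page, not EC-Council's code. The segments are constructed records replayed in memory; LISTEN_QUEUE_SIZE is an assumed backlog, and the detection thresholds in syn_flood_windows are assumptions too.

```python
"""Listen-queue model and a SYN flood detection rule for the handshake
behaviour this section describes (half-open entries held until the ACK
arrives or a 75 s timeout expires).

Added illustration, not EC-Council's code. Segments are constructed
records replayed in memory; LISTEN_QUEUE_SIZE is an assumed backlog.
"""
from collections import defaultdict
from dataclasses import dataclass

LISTEN_QUEUE_SIZE = 128     # assumed capacity of the listening socket's backlog
HALF_OPEN_TIMEOUT = 75.0    # seconds a half-open entry is held, per the text


@dataclass(frozen=True)
class Segment:
    ts: float     # arrival time in seconds
    src: str      # client address as seen by the server (possibly spoofed)
    sport: int    # client port
    flags: str    # "SYN" = client's SYN, "ACK" = client's final handshake ACK


class ListenQueue:
    """Server side of the handshake: an entry enters on SYN, leaves on the
    matching ACK, or is expired after HALF_OPEN_TIMEOUT seconds."""

    def __init__(self, capacity=LISTEN_QUEUE_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}         # (src, sport) -> time the SYN arrived
        self.completed = self.dropped_full = self.expired = 0

    def expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def handle(self, seg):
        self.expire(seg.ts)
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if key in self.half_open:
                return                      # retransmitted SYN, already queued
            if len(self.half_open) >= self.capacity:
                self.dropped_full += 1      # what a legitimate client sees during the flood
                return
            self.half_open[key] = seg.ts    # SYN/ACK sent, waiting for the ACK
        elif seg.flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.completed += 1


def replay(segments, queue=None):
    """Feed segments to the queue in arrival order and return the queue."""
    queue = queue or ListenQueue()
    for seg in sorted(segments, key=lambda s: s.ts):
        queue.handle(seg)
    return queue


def syn_flood_windows(segments, window=1.0, min_syns=50, max_ack_ratio=0.2):
    """Detection rule (assumed thresholds): report windows with many SYNs of
    which few are followed by a handshake-completing ACK. Per-source limits
    do not help here because the flood's source addresses are spoofed."""
    syns, acks = defaultdict(int), defaultdict(int)
    for s in segments:
        bucket = int(s.ts // window)
        if s.flags == "SYN":
            syns[bucket] += 1
        elif s.flags == "ACK":
            acks[bucket] += 1
    return sorted(b for b, n in syns.items()
                  if n >= min_syns and acks[b] / n <= max_ack_ratio)


def constructed_segments():
    """Constructed trace: 20 normal handshakes, a burst of 300 spoofed SYNs
    with no ACKs, a client refused while the queue is full, and a client
    accepted again once the 75 s timeout has cleared the stale entries."""
    segs = []
    for i in range(20):
        segs.append(Segment(i * 0.5, f"10.0.0.{i + 1}", 50000 + i, "SYN"))
        segs.append(Segment(i * 0.5 + 0.05, f"10.0.0.{i + 1}", 50000 + i, "ACK"))
    for i in range(300):
        segs.append(Segment(20 + i / 300, f"198.51.100.{i % 254 + 1}", 40000 + i, "SYN"))
    for t in (30.0, 100.0):
        segs.append(Segment(t, "10.0.0.42", 51000, "SYN"))
        segs.append(Segment(t + 0.05, "10.0.0.42", 51000, "ACK"))
    return segs


if __name__ == "__main__":
    q = replay(constructed_segments())
    print("completed:", q.completed, "refused (queue full):", q.dropped_full,
          "expired:", q.expired)                                        # 21 173 128
    print("flood windows:", syn_flood_windows(constructed_segments()))   # [20]
```

In the replay, 128 of the 300 spoofed SYNs fill the backlog and the other 172 are refused; the legitimate client at t = 30 s is refused too, because none of the stale entries has reached the 75 s timeout yet, and only the client at t = 100 s gets through after the timeout has emptied the queue. The windowed SYN-to-ACK ratio flags the second in which the burst arrived, which is the same signal an operator gets from counting SYN_RECV sockets on the host.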
The host keeps track of partially open connections while waiting for response ACK packets in a listen queue. As shown in the figure, when Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 s.

[Figure: normal connection establishment between Host A and Host B (SYN, SYN/ACK, ACK), followed by SYN flooding in which Host A sends one SYN after another without ever answering the SYN/ACKs.]
Figure 10.15: SYN flood attack

A malicious host can exploit another host managing many partial connections by sending many SYN requests to the target host simultaneously. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue through handshake timeouts. This ability to hold up each incomplete connection for 75 s can be cumulatively exploited in a DoS attack. The attack uses fake IP addresses, making it difficult to trace the source. An attacker can fill a table of connections even without spoofing the source IP address.

In addition to SYN flood attacks, attackers can also employ SYN-ACK and ACK/PUSH ACK flood attacks to disrupt target machines. All these attacks are similar in functionality with minor variations.

SYN-ACK Flood Attack

This type of attack is similar to the SYN flood attack, except that in this type of flood attack, the attacker exploits the second stage of the three-way handshake by sending a large number of SYN-A