Ethical Hacking V10 Service Module 9 - Denial Of - SCS-TECH UK

Transcription

Ethical Hacking v10 Module 9 – Denial of Service

Denial of Service

Goals
- Learn Denial of Service (DoS)/Distributed Denial of Service (DDoS) Attacks
- Understand Various DoS/DDoS Attack Techniques
- Understand Botnet Network
- Understand DoS/DDoS Attack Tools
- Understand Detection Techniques for DoS/DDoS
- Understand DoS/DDoS Countermeasures
- Learn DoS/DDoS Penetration Testing

Module 9.0 Denial of Service
9.1 DoS/DDoS Concepts
9.2 Common DoS/DDoS Attack Techniques
9.3 Additional DoS Attack Types
9.4 Botnets
9.6 DoS Countermeasures
9.7 DoS Penetration Testing

9.1 DoS/DDoS Concepts

Denial of Service Attacks (DoS and DDoS)
- A DoS attack (denial of service) is a network-based attack that prevents the target from performing its normal duties
- A DDoS attack (distributed denial of service) is a DoS attack where many attackers are coordinated to attack one target
- Types:
  - Flooding servers with network traffic
  - Crashing a service
  - Consuming available resources
  - Protocol-, OS-, or service-based

What are Distributed Denial of Service Attacks (DDoS)?
- Involves multiple compromised systems used to attack one target
- This causes DoS for the targeted system
- Botnets are used to attack a single system

How DDoS Attacks Work
- Attacker designates a handler system
- Handler infects many computers via internet
- Zombie systems attack target server

Attack Categories
- Volumetric Attacks: Designed to consume bandwidth of target
- Fragmentation Attacks: Removes ability for target to reassemble fragmented packets
- TCP State-Exhaustion Attacks: Designed to consume connection state tables in network infrastructure components
- Application Layer Attacks: Designed to consume app resources/service so they are not available to users

Stress Testing
- Stress Testing is the process of determining the ability of a computer, network, application, or device to maintain a specified level of effectiveness under unfavorable conditions
- Basically invoking a DoS attack
- Use scripts, bots, and other tools
- Often used to determine the level of traffic a website can handle
- When used in pen testing, it will be destructive
  - Pen testers should get specific authorization
  - Clients must be aware of the implications of the testing

9.2 Common DoS/DDoS Attack Types

SYN Attack
- Attacker sends significant number of SYN requests to target using false IP addresses
- Target machine responds with SYN ACK and waits for the ACK to finish system setup
- No response reaches target because source IP address is false

SYN Flooding
- Uses flaw in host implementation of the TCP three-way handshake
- When one host receives a SYN request from another host, it must monitor the partially open connection for a minimum of 75 seconds
- Malicious host can send many SYN requests to another host without replying, exploiting the small listen queue
- The target’s listen queue fills up quickly
- Cumulatively causing the connection to remain open for 75 seconds can be used as a DoS attack

Bandwidth Attacks
- Several machines must be used for DDoS attack to overwhelm a target network/system
- DDoS attack can overwhelm network equipment because of significant change in network traffic
- Botnets are used for DDoS attacks
- All bandwidth is used in DDoS attacks, leaving none for legitimate use

DoS Attack Types
- Ping of Death: Sending ICMP ECHO REQUESTs that are larger than 65,536 bytes, causing the target to crash, freeze, or reboot. Can also be performed by sending fragments that reassemble to an oversized packet.
- ICMP/UDP fragmentation attack: Send the target fragments that reassemble to be too large for the network's MTU.
- TCP fragmentation attack: Send the target TCP fragments that have overlapping sequence numbers and cannot be reassembled. Windows NT, Windows 95, and Linux versions prior to version 2.1.63 most vulnerable.
- Smurf attack: Sending large numbers of spoofed ICMP ECHO REQUESTs to intermediate devices that all respond to a single target.

DoS Attack Types
- Packet flood: Create and send massive amounts of TCP, UDP, ICMP, or random packet traffic to target. Can include different TCP flag variants.
- SYN flood: Create and send massive amounts of traffic to overwhelm a server or service. Can use UDP or crafted packet variants.
- SMB malformed request: Malformed request to an SMB named pipe causes a Blue Stop Screen (Blue Screen of Death) on Windows.
- Slowloris: Keep as many fake web connections as possible open for as long as possible, until the maximum number of allowed connections is reached. Allows one web server to take down another without impacting other ports or services on the target network.

DoS Attack Types
- NTP amplification: Sending spoofed NTP queries to publicly available NTP servers to overwhelm a target with UDP traffic.
- HTTP flood attack: Using seemingly legitimate HTTP GET or POST requests to attack a web server. Does not require spoofing or malformed packets, but can consume a high amount of resources with a single request.
- DNS flood attack: Trying to consume all of the CPU or memory of a DNS server with a flood of requests.
- DNS amplification attack: Like Smurf or other amplification attacks, multiple public DNS servers receive spoofed queries and respond to a target.

Smurf Attack Example

9.3 Additional DoS Attack Types

Land Attack
- Get a victim to try to start a session with itself
- Spoof the source IP/port

Distributed Reflection DoS (DRDoS)
- Also known as spoofed attack
- Uses multiple intermediary and secondary (victim) machines in the DDoS attack
- Attacker sends requests to intermediary hosts, which are redirected to secondary machine, then to target
- Advantages include:
  - Target appears to be attacked by secondary machine
  - Results in an increase in attack bandwidth

Peer-to-Peer Attack
- Attacker causes clients to disconnect from peer-to-peer network and connect to fake website
- Attacker uses DC protocol (peer-to-peer file sharing) to exploit network flaws
- Attacker can launch huge DoS attacks which will compromise target websites

Permanent DoS Attack
- Also called phlashing; attacker sends fraudulent hardware updates to target system
- Causes permanent damage to system hardware, requiring victim to replace/reinstall hardware
- Uses a method called bricking a system

App-Level Flood Attack
- Attacker uses programming source code weaknesses to stop app from processing legitimate requests
- Causes issues such as loss of service for target network and temporary halt to apps/services
- Attackers try to:
  - Flood web apps
  - Disrupt service to a certain system/person
  - Create malicious SQL queries to jam app-database connection

DoS and DDoS Attack Tools
- Pandora DDoS Bot Toolkit
- Dereil
- DoS HTTP
- BanglaDos
- Tor’s Hammer
- Anonymous-DoS
- DAVOSET
- PyLoris
- Low Orbit Ion Cannon (LOIC)
- High Orbit Ion Cannon (HOIC)
- MoiHack Port-Flooder
- DDOSIM
- HULK
- R-U-Dead-Yet
- GoldenEye HTTP Denial Of Service Tool
- AnDOSid (mobile)

Low Orbit Ion Cannon Example

9.4 Botnets

Service Request Floods
- Attacker/zombie group sets up/tears down TCP connections in an attempt to use up all server resources
- Flood of service requests overwhelms servers that have a high rate of valid connections
- A request is initiated on each connection

Typical Botnet
- Software apps that run automated tasks across internet, performing simple, repetitive tasks
- Large network of systems used to launch DoS attacks
- Typical setup (diagram labels): Attacker, Affiliates, Malicious Websites, Organization

Botnet Example

Finding Vulnerable Machines
- Random Scanning: Infected machine finds vulnerability by probing IP addresses in target network IP range
- Hit-list Scanning: Attacker scans list of potential machines to find one that is vulnerable
- Topological Scanning: Information found on infected machine leads to other vulnerable machines
- Local Subnet Scanning: Infected machine scans local network for other vulnerable machines
- Permutation Scanning: Finds other vulnerable machines by using pseudorandom permutation of IP addresses

How Malicious Code Propagates
- Trusting human nature
- Social engineering ignorance
- Fear of not complying with requests of social engineer
- Greed causing people to give information for something in return
- A sense of moral obligation to help someone
- Botnet Trojans: BlackShades NET, Cythosia Botnet, Andromeda Bot, PlugBot

9.5 Common DoS Countermeasures

Detection Techniques
- Identify illegitimate increases in traffic/flash events
- An attack is an abnormal and obvious deviation from normal traffic statistics
- Types of detection techniques:
  - Activity Profiling
  - Changepoint Detection
  - Wavelet-based Signal Analysis

Activity Profiling
- Attack is identified by increase in activity of network flow clusters and number of distinct clusters
- Activity profile created based on average packet rate for network flow
- Network packet header information is monitored to get activity profile

Changepoint Detection
- Isolate Traffic: Use change-point detection algorithms to identify changes in network traffic stats
- Filter Traffic: Change-point detection algorithms filter targeted traffic data and store flow as a time series
- Identify Attack: Sequential techniques utilize Cusum algorithm (analysis of probability distribution) to identify/locate DoS attack
- Identify Scan Activity: Technique can be utilized to detect scanning activities of worms
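The Filter Traffic and Identify Attack steps above, worked through as an added example that is not part of the course material: constructed flow records for one target are binned into a per-second packet-rate series, and a one-sided CUSUM detector flags the second at which the rate shifts away from the learned baseline. Function names, the drift/threshold values and the sample data are my assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def rate_series(flows, target, seconds):
    """Filter flow records for one target and bin packet counts per second.

    flows: iterable of (timestamp_sec, src_ip, dst_ip, packet_count) tuples.
    Returns a list of length `seconds`: the packet rate seen in each second.
    """
    bins = Counter()
    for ts, _src, dst, pkts in flows:
        if dst == target and 0 <= ts < seconds:
            bins[int(ts)] += pkts
    return [bins[s] for s in range(seconds)]

def cusum_detect(series, baseline_len=20, drift_k=0.5, threshold_h=5.0):
    """Return the index where an upward rate shift is first flagged, or None.

    The first `baseline_len` samples are the learning window; later samples are
    standardised against the baseline mean/std, so drift_k (allowance) and
    threshold_h (alarm level) are in units of standard deviations. Small
    deviations accumulate, so a slow ramp is caught while a one-off spike is not.
    """
    if len(series) <= baseline_len:
        raise ValueError("series shorter than baseline window")
    base = series[:baseline_len]
    mu, sigma = mean(base), pstdev(base) or 1.0
    s_pos = 0.0  # one-sided CUSUM: only upward deviations matter for a flood
    for i in range(baseline_len, len(series)):
        z = (series[i] - mu) / sigma
        s_pos = max(0.0, s_pos + z - drift_k)
        if s_pos > threshold_h:
            return i
    return None

# Constructed sample data (not real traffic): 23 s of normal packet rates to
# the target, then a flood from many sources; documentation-range addresses.
TARGET = "203.0.113.10"
BASELINE = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
            105, 99, 101, 103, 98, 100, 102, 97, 104, 101]
FLOWS = [(t, "198.51.100.7", TARGET, p) for t, p in enumerate(BASELINE + [99, 102, 100])]
FLOWS += [(t, "192.0.2.%d" % (t % 250), TARGET, 4800 + 100 * (t - 23)) for t in range(23, 30)]
FLOWS.append((25, "198.51.100.9", "203.0.113.99", 9000))  # unrelated host, must be ignored

def detect_flood(flows=FLOWS, target=TARGET, seconds=30):
    """Build the per-second series for `target` and return the change point."""
    return cusum_detect(rate_series(flows, target, seconds))
```

With the constructed data the detector reports second 23, the first flood sample; a gradual ramp of a few standard deviations also trips it after several samples, whereas a single spike decays back toward zero.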

Wavelet-based Signal Analysis
- Uses signal processing techniques applied to network anomalies like DoS and port scans
- Wavelet analysis looks at input signal based on spectral components
- Wavelets allow for simultaneous time/frequency description
- Presence of anomalies is determined by analysis of the energy of each spectral window
- Time each frequency component is active is determined by signal analysis
- Effective against unknown anomalies

DoS/DDoS Countermeasure Strategies
- Absorb Attack: Increase capacity to absorb attack; requires planning/additional resources
- Degrade Services: Stop all non-critical services until attack is over
- Shut Down Services: Shut down all services until attack is over

Protecting Secondary Victims
- Ensure anti-virus/anti-Trojan software is installed and up-to-date
- Ensure increased awareness of security issues/prevention techniques
- Disable all services that are unnecessary, uninstall apps that aren’t used, scan files from external sources
- Configure/update built-in mechanisms for hardware/software defense

Detect/Neutralize Handlers
- Network Traffic Analysis: Identify potentially infected network nodes through analysis of all communication protocols/traffic patterns between handlers and clients
- Neutralize Botnet Handlers: Fewer DDoS handlers than agents, so neutralizing handlers will make multiple agents useless
- Spoofed Source Address: Possible that spoofed source address for DDoS attack is not valid

Detect/Prevent Attacks
- Egress Filtering: Scan packet headers of packets exiting network to ensure unauthorized/malicious traffic can’t leave
- Ingress Filtering: Protection from flooding attacks by enabling originator to be traced back to source
- TCP Intercept: DoS attacks prevented by configuring TCP intercept to validate TCP connection requests

Deflect Attacks
- Use honeypots to attract attackers
- Honeypots allow information about attackers and their techniques/tools to be gathered and stored as a record in system activities
- Defense-in-depth approach can be used with IPSs at various network points to divert suspicious DoS traffic to various honeypots

Mitigate Attacks
- Increase bandwidth for all critical connections
- Replicate servers for extra failsafe protection
- Balance load for each server in a multi-server architecture to mitigate DDoS attack
- Ensure routers are set to access server with logic to throttle incoming traffic to levels that are safe for server
  - Throttling controls DoS traffic to minimize damage to servers
  - Throttling can be used for DDoS attacks to permit legitimate user traffic

Post-Attack Forensics
- Develop new filtering techniques based on DDoS traffic patterns
- Determine source of DoS traffic by analyzing firewall, router, and IDS logs
- Analyze DoS traffic for certain characteristics
- Utilize DoS traffic characteristics and pattern analysis to update load balancing/throttling countermeasures

9.6 Additional DoS Countermeasures

Additional DoS/DDoS Countermeasures
- Ensure software/protocols are up-to-date and machines are scanned to detect behavior that is anomalous
- Disable all insecure/unused services
- Block inbound packets that originate from service ports, which will block traffic from reflection servers
- Ensure kernel is kept up-to-date
- Do not allow transmission of packets that are addressed fraudulently at ISP level
- Use cognitive radios in physical layer to prevent jamming/scrambling attacks
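The "block inbound packets that originate from service ports" item above, as an added example that is not part of the course material: a stateless port block would also drop the answers to the protected host's own DNS and NTP queries, so this filter keeps state on outbound requests and drops only unsolicited service-port traffic, counting it per reflector port for alerting. The SERVICE_PORTS table, the class and the packet log are my assumptions.

```python
from collections import Counter
SERVICE_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}  # common reflectors

class ReflectionGuard:
    """Stateful inbound filter for UDP packets sourced from service ports.
    A blanket block on such packets also discards replies to our own DNS/NTP
    queries, so this filter records outbound requests and admits only inbound
    service-port packets that answer one within `ttl` seconds; the rest are
    counted as reflected traffic and dropped.
    """
    def __init__(self, ttl=5.0):
        self.ttl = ttl
        self.pending = {}           # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self.reflected = Counter()  # remote service port -> packets dropped

    def outbound(self, ts, src, sport, dst, dport):
        if dport in SERVICE_PORTS:  # remember requests we sent to a service port
            self.pending[(src, sport, dst, dport)] = ts + self.ttl

    def inbound(self, ts, src, sport, dst, dport):
        """Return True to accept an inbound packet, False to drop it."""
        if sport not in SERVICE_PORTS:
            return True  # not service-port sourced; out of scope for this filter
        expiry = self.pending.pop((dst, dport, src, sport), None)  # one reply per request
        if expiry is not None and ts <= expiry:
            return True
        self.reflected[sport] += 1
        return False
# Constructed packet log (direction, ts, src, sport, dst, dport); 203.0.113.10 is the protected host.
LOG = [
    ("out", 0.0, "203.0.113.10", 40001, "198.51.100.53", 53),    # our DNS query
    ("in", 0.1, "198.51.100.53", 53, "203.0.113.10", 40001),     # its reply: accept
    ("in", 1.0, "192.0.2.1", 123, "203.0.113.10", 80),           # unsolicited NTP: drop
    ("in", 1.1, "192.0.2.2", 123, "203.0.113.10", 443),          # unsolicited NTP: drop
    ("in", 1.2, "192.0.2.3", 53, "203.0.113.10", 22),            # unsolicited DNS: drop
    ("out", 2.0, "203.0.113.10", 40002, "198.51.100.123", 123),  # our NTP query
    ("in", 9.0, "198.51.100.123", 123, "203.0.113.10", 40002),   # reply after ttl: drop
    ("in", 9.5, "192.0.2.4", 5353, "203.0.113.10", 5353),        # non-service port: pass
]

def run_example(log=LOG, ttl=5.0):
    """Replay the log; return (accepted_count, {service_port: dropped_count})."""
    guard, accepted = ReflectionGuard(ttl), 0
    for direction, ts, src, sport, dst, dport in log:
        if direction == "out":
            guard.outbound(ts, src, sport, dst, dport)
        elif guard.inbound(ts, src, sport, dst, dport):
            accepted += 1
    return accepted, dict(guard.reflected)
```

Replaying the constructed log accepts two packets and attributes three drops to port 123 and one to port 53; the late NTP reply is dropped because its request state has expired.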

Additional DoS/DDoS Countermeasures (cont’d)
- Ensure firewall is configured to deny access by external ICMP traffic
- Ensure remote admin/connectivity testing is secure
- Ensure input validation is performed
- Do not allow data processed by attacker to be executed
- Ensure prevention of unnecessary functions
- Ensure prevention of return address overwriting

Techniques to Defend Against Botnets
- RFC 3704 Filtering
  - Strict Reverse Path Forwarding (Strict RPF)
  - A simple way to implement an ingress filter
  - Conceptually identical to using access lists for ingress filtering, except that the access list is dynamic
  - Deny traffic with spoofed addresses
  - Ensure that traffic is traceable to its correct source
- Real Time Black Hole
  - Based on a manual trigger by an administrator
  - Internal routers in an ISP or other large network propagate a route to a particular target to Null 0
  - Routers inside the network at any point will drop traffic destined for that target
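Strict RPF as described above, which also illustrates the egress/ingress filtering on the Detect/Prevent Attacks slide, as an added example that is not part of the course material: the routing table drives the decision, so a packet is dropped whenever the route back to its source address does not leave through the interface the packet arrived on. The routing table, interface names and packets are constructed; the class and function names are my assumptions.

```python
import ipaddress
from collections import Counter

class StrictRpfFilter:
    """Strict Reverse Path Forwarding check in the sense of RFC 3704: a packet
    passes only if the route back to its source address leaves through the
    interface it arrived on. The check is derived from the routing table, so
    the effective access list updates whenever routes change.
    """
    def __init__(self, routes):
        # routes: iterable of (prefix, interface); longest prefix match wins.
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def reverse_path(self, addr):
        """Interface the router would use to reach `addr`, or None if unrouted."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None

def apply_filter(rpf, packets):
    """Split (src_ip, ingress_iface, dst_ip) packets into accepted and dropped,
    tallying drops per ingress interface: a customer port that keeps emitting
    unroutable sources is a likely bot or misconfigured host worth a ticket.
    """
    accepted, dropped, drops_by_iface = [], [], Counter()
    for src, iface, dst in packets:
        if rpf.reverse_path(src) == iface:   # the strict RPF test
            accepted.append((src, iface, dst))
        else:
            dropped.append((src, iface, dst))
            drops_by_iface[iface] += 1
    return accepted, dropped, drops_by_iface

# Constructed routing table and packets (documentation-range addresses). With a
# default route toward upstream, unknown sources pass only if they arrive there.
ROUTES = [("203.0.113.0/24", "cust1"), ("10.0.0.0/8", "lan0"), ("0.0.0.0/0", "upstream")]
PACKETS = [
    ("203.0.113.5", "cust1", "198.51.100.1"),      # customer using its own prefix
    ("203.0.113.5", "upstream", "10.1.2.3"),       # our prefix arriving from outside: spoofed
    ("192.0.2.9", "cust1", "198.51.100.1"),        # customer emitting a foreign source: spoofed
    ("198.51.100.77", "upstream", "203.0.113.5"),  # ordinary inbound traffic
    ("10.9.9.9", "cust1", "203.0.113.5"),          # customer spoofing an internal address
]

def run_example():
    return apply_filter(StrictRpfFilter(ROUTES), PACKETS)
```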

ISP-Level DoS/DDoS Protection
- Most ISPs block all requests during DDoS attack, which denies legitimate traffic
- ISPs provide in-cloud DDoS protection
- During an attack all attack traffic is redirected to the ISP, where it is filtered and returned
- Cloud-based solutions: Cloudflare, Netscout

DoS/DDoS Protection Tools
- FortGuard Anti-DDoS Firewall 2014
- NetFlow Analyzer
- SDL Regex Fuzzer
- WANGuard Sensor
- NetScaler Application Firewall
- Incapsula
- FortiDDoS
- DefensePro
- DOSarrest
- Anti DDoS Guardian
- DDoSDefend

Advanced DDoS Appliances
- FortiDDoS-300A
- DDoS Protector
- Cisco Guard XT 5650
- Arbor Pravail: Availability Protection System

9.7 DoS Penetration Testing

Denial of Service (DoS) Attack Penetration Testing
- Incorporate the DoS attack into penetration testing
- DoS penetration testing identifies minimum DoS attack threshold for system
- Penetration testing floods target network with traffic
- Penetration testing helps admin identify/adopt adequate network perimeter security controls

Denial of Service (DoS) Attack Penetration Testing (cont’d)
- Define testing objective
- Test server for heavy loads
- Check systems for DoS vulnerability
- Run SYN attack on the server
- Run port flooding attack on the server
- Run email bomber on email server
- Flood website forms/guestbook with false entries
- Document findings

Denial-of-Service Review
- DoS is an attack on a computer/network that restricts/reduces/prevents system access
- A DDoS attack uses many compromised systems that attack a single target
- There are various categories for DoS/DDoS techniques
- A botnet is a large network of compromised systems that attackers use to launch DoS attacks
- DoS detection techniques rely on identifying/discriminating against illegitimate traffic
- Penetration testing floods target network with traffic to check system availability

Lab 9: Denial-of-Service
