10.1 Understand a Denial of Service attack, and analyze symptoms of a DoS Attack
Exam Focus: Understand a Denial of Service attack, and analyze symptoms of a DoS attack. Objective includes:
- Understand a Denial of Service attack.
- Assess DoS attack techniques.
- Gain insights on Distributed Denial of Service attacks.
- Examine the working of Distributed Denial of Service attacks.
- Analyze symptoms of a DoS attack.
Denial of Service (DoS) attack
A Denial of Service (DoS) attack is mounted to degrade the performance of a computer or network. It is also referred to as a network saturation attack or bandwidth consumption attack. Attackers send a large number of protocol packets to a network to carry out a Denial of Service attack. A DoS attack can cause the following:
- Saturate network resources.
- Disrupt connections between two computers, thereby preventing communications between services.
- Disrupt services to a specific computer.
Common DoS attacks
Some of the common DoS attacks are as follows:
- SYN attack: A SYN attack is a common Denial of Service (DoS) technique. Using this technique, an attacker sends multiple SYN packets to the target computer. For each SYN packet received, the target computer allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. Since the target computer does not receive a response from the attacking computer, it attempts to resend the SYN-ACK. This leaves TCP ports in a half-open state. When an attacker sends TCP SYNs repeatedly, the target computer eventually runs out of resources and is unable to handle any more connections, thereby denying services to legitimate users. A SYN attack affects computers running on the TCP/IP protocol. It is a protocol-level attack that can render a computer's network services unavailable. A SYN attack is also known as SYN flooding.
- PING attack: A PING attack is a Denial of Service technique in which a computer repeatedly sends illegitimate, oversized ICMP echo requests to another computer. PING attacks target specific TCP/IP stacks that cannot handle such ICMP packets. These attacks overload the targeted servers with fake packets.
- Flood attack: In a flood attack, an attacker sends more traffic to the victim than it can handle. It is the simplest denial of service attack but the most difficult to prevent completely.
- Teardrop attack: In a teardrop attack, corrupt packets are sent to the victim's computer by abusing IP's packet fragmentation algorithm. As a result of this attack, the victim's computer might hang.
- Smurf attack: In a smurf attack, an attacker sends a large number of ICMP echo requests at IP broadcast addresses using a fake source address. These requests appear to be coming from the victim's network address. Therefore, every computer within the broadcast domain starts sending responses to the victim. As a result, the victim's computer is flooded with responses.
- Replay attack: A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. These attackers then filter the data and extract the passwords, encryption keys, or digital signatures from the captured packets. In an attempt to obtain an authenticated connection, the attackers then resend this information to the system.
- Magic Packets attack: A Magic Packets attack is a class of DoS in which the attacker exploits an existing vulnerability in the target computer's OS or applications by sending specially designed data packets to particular ports; Ping of Death and WinNuke are examples.
- Resource exhaustion attack: A resource exhaustion attack is a type of denial of service (DoS) that is carried out by deliberately consuming the maximum resources of a system and then stealing information. It is a flood of fake RPCs; such floods waste the nodes' resources, especially disk seeks on affirmative GETs, entries in the RAM index for PUTs, and CPU cycles to process RPCs.
DoS attack techniques
The following are DoS attack techniques:
- Bandwidth attack: It is not possible for a single machine to make enough requests to overwhelm network equipment. Therefore, DDoS attacks are performed where several computers are used by an attacker to flood a victim. Due to the significant statistical change in the network traffic, flooding a network with requests can cause network equipment such as switches and routers to be overwhelmed when a DDoS attack is launched. Basically, all bandwidth is used and no bandwidth remains for legitimate use. Attackers use a botnet and flood the network with ICMP ECHO packets to perform DDoS attacks.
- Service request flood: An attacker or a group of zombies tries to exhaust server resources by establishing and tearing down TCP connections. In a service request flood attack, servers are flooded with a high rate of connections from a valid source. On every connection, a request is initiated.
- SYN attack: In this attack, the attacker sends multiple SYN packets to the target computer. For each received SYN packet, the target computer allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. Since the target computer does not receive a response from the attacking computer, it attempts to resend the SYN-ACK. This leaves TCP ports in a half-open state. When the attacker sends TCP SYNs repeatedly, the target computer eventually runs out of resources and is unable to handle any more connections, thereby denying services to legitimate users. A SYN attack affects computers running on the TCP/IP protocol. It is a protocol-level attack that can render a computer's network services unavailable. A SYN attack is also known as SYN flooding.
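The half-open state described above is what a SYN flood exhausts. The following simulation, added here as an illustration and not code from the study guide, models a listener's backlog table with a SYN-ACK timeout and compares it with the stateless SYN-cookie defense, where the server encodes a keyed hash in its initial sequence number instead of storing an entry. The backlog size, timeout, secret key and addresses are constructed assumptions; the flood packets are never acknowledged, exactly as in the attack description.

```python
"""Simulation of a TCP listener's half-open table under a SYN flood, with and
without SYN cookies.  Added illustration; not code from the study guide.
Backlog size, timeout, key and addresses are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
SECRET = b"constructed-demo-secret"  # a real stack rotates this key; fixed here for the demo


def make_cookie(src: Addr, slot: int) -> int:
    """SYN cookie: keyed hash of (client address, time slot) truncated to 32 bits.
    A real implementation also encodes the MSS in the low bits; omitted here."""
    msg = f"{src[0]}:{src[1]}:{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


@dataclass
class Listener:
    backlog_size: int          # half-open entries the server is willing to hold
    synack_timeout: float      # seconds before an unanswered SYN-ACK entry is dropped
    syn_cookies: bool = False  # stateless mode: nothing stored until the final ACK
    half_open: Dict[Addr, float] = field(default_factory=dict)
    refused: int = 0
    established: int = 0

    def _expire(self, now: float) -> None:
        # Remove entries whose SYN-ACK retransmissions have timed out.
        self.half_open = {k: t for k, t in self.half_open.items()
                          if now - t < self.synack_timeout}

    def on_syn(self, src: Addr, now: float) -> Optional[int]:
        """Handle a SYN. Returns the server ISN placed in the SYN-ACK, or None if
        the SYN had to be dropped because the backlog was full."""
        self._expire(now)
        if self.syn_cookies:
            return make_cookie(src, int(now) // 64)  # state travels in the ISN instead
        if len(self.half_open) >= self.backlog_size:
            self.refused += 1
            return None
        self.half_open[src] = now
        return 0  # ISN value is irrelevant here; the state lives in the table

    def on_ack(self, src: Addr, ack_num: int, now: float) -> bool:
        """Handle the third handshake packet; ack_num should equal server ISN + 1."""
        self._expire(now)
        if self.syn_cookies:
            slot = int(now) // 64
            # Accept the current or previous slot so a slow client is not rejected.
            ok = any(ack_num - 1 == make_cookie(src, slot - d) for d in (0, 1))
        else:
            ok = self.half_open.pop(src, None) is not None
        if ok:
            self.established += 1
        return ok


def simulate(syn_cookies: bool) -> dict:
    """Constructed scenario: 500 spoofed SYNs in one second that are never
    acknowledged, then one legitimate client that completes its handshake."""
    srv = Listener(backlog_size=128, synack_timeout=3.0, syn_cookies=syn_cookies)
    for i in range(500):
        srv.on_syn((f"198.51.100.{i % 254 + 1}", 40000 + i), now=i / 500)
    client = ("203.0.113.7", 51515)
    isn = srv.on_syn(client, now=1.5)
    connected = isn is not None and srv.on_ack(client, isn + 1, now=1.6)
    return {"refused": srv.refused, "half_open": len(srv.half_open),
            "client_connected": connected, "established": srv.established}


if __name__ == "__main__":
    for mode in (False, True):
        print("syn_cookies=%s -> %s" % (mode, simulate(mode)))
```

Without cookies the 128-entry table fills during the first second and the legitimate client's SYN is refused; with cookies the table stays empty and the client connects, because the server only commits resources once a valid ACK returns.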
- ICMP flood attack: An ICMP flood attack occurs when ICMP echo requests overload a victim device with a large number of requests such that the victim's device expends all its resources responding to these requests until the victim can no longer process valid network traffic.
- Peer-to-peer attack: Attackers use peer-to-peer attacks to instruct clients of peer-to-peer file-sharing hubs to do the following:
  - Disconnect from their network.
  - Connect to the victim's fake website.
Attackers exploit flaws in networks that use the DC++ (Direct Connect) protocol, which permits the exchange of files between instant messaging clients. Attackers use peer-to-peer attacks to launch massive Denial of Service attacks and compromise websites.
- Permanent Denial of Service attack: Permanent DoS, also known as phlashing, is an attack that causes irreversible damage to system hardware. It is performed using a method referred to as bricking a system, in which attackers send fraudulent hardware updates to the victims.
- Application-level flood attack: An application-level flood attack leads to the loss of a specific network service, such as email or other network resources, and the temporary ceasing of applications and services. Attackers use the application-level flood attack to destroy programming source code and files in affected computer systems. Attackers try to do the following by using application-level flood attacks:
  - Flood web applications in order to block legitimate user traffic.
  - Disrupt service to a specific system or person; for example, repeated invalid login attempts to block a user's access.
  - Craft malicious SQL queries to jam the application-database connection.
Symptoms of a DoS attack
The following are the symptoms of a DoS attack:
- A particular website is unavailable.
- A user cannot access any website.
- There is a dramatic increase in the amount of spam emails received.
- There is unusually slow network performance.
DDoS attack
In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple computers throughout the network that they have previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a Distributed Denial of Service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for DDoS attacks. An attacker uses botnets to attack a single system in a DDoS attack.
Working of a Distributed Denial of Service (DDOS) attack
An attacker sets up a handler system. A large number of computers over the Internet are infected by the handlers. The compromised PCs (zombies) are instructed to attack a target server.
Organized cybercrime: organizational chart
The organized cybercrime organizational chart is shown as a figure (not reproduced in this text).
Mail bombing attack
Mail bombing is an attack that is used to overwhelm mail servers and clients by sending a large number of unwanted e-mails. The aim of this type of attack is to completely fill the recipient's hard disk with immense, useless files, causing at best irritation, and at worst total computer failure. E-mail filtering and properly configuring email relay functionality on mail servers can be helpful for the protection against this type of attack.
UDP flood attack
A UDP flood attack takes place when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim so that it can no longer handle valid connections.
10.2 Understand Internet Chat Query (ICQ), Internet Relay Chat (IRC), and botnets
Exam Focus: Understand Internet Chat Query (ICQ), Internet Relay Chat (IRC), and botnets. Objective includes:
- Understand Internet Chat Query (ICQ).
- Understand Internet Relay Chat (IRC).
- Understand botnets.
Internet Chat Query
Internet Chat Query (ICQ) is a chat client used for chatting with people; it was developed by the Mirabilis Company. ICQ assigns each user a Universal Identifier Number (UIN), which identifies the user uniquely among other ICQ users. When an ICQ user connects to the Internet, the client wakes up and attempts to connect to the Mirabilis server, where there is a database containing all ICQ users' information. At the Mirabilis server, ICQ looks up the requested UIN in its database and updates its information. Once ICQ knows the IP address, the user can contact his friend.
Internet Relay Chat
Internet Relay Chat (IRC) is a chat system consisting of a set of rules and conventions and client/server software. IRC permits direct computer-to-computer connections for easy file sharing between clients. A few websites such as Talk City or IRC networks such as Undernet provide servers and help users download IRC clients to a PC. After downloading the client application, a user can start a chat group, known as a channel, or join an existing one. #hottub and #riskybus are popular ongoing IRC channels. The IRC protocol uses the Transmission Control Protocol.
Bots
Bots are software applications that run automated tasks over the Internet and carry out simple repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of compromised systems. An attacker can use a botnet to launch Denial of Service attacks.
Botnet propagation technique
Botnet ecosystem
Working of bots
The following is the working of bots:
- An attacker sets up a bot C&C handler.
- The attacker infects a machine.
- Bots look for vulnerable systems and infect them to create a botnet.
- Bots connect to the C&C handler and wait for instructions.
- The attacker sends commands to the bots through the C&C.
- Bots attack a target server.
PlugBot
PlugBot is a hardware botnet project. It is a covert penetration device (bot). It is designed for covert use during physical penetration tests.
Defending against botnets
The following techniques are used to defend against botnets:
- RFC 3704 filtering: Packets should originate from a valid, assigned address space consistent with the topology and space allocation. Any traffic that comes from unused or reserved IP addresses is bogus and should be filtered before it enters the Internet link.
- Black hole filtering: Black holes are placed in the network where traffic is forwarded and dropped. Remotely triggered black hole (RTBH) filtering uses routing protocol updates to manipulate route tables at the network edge, so that undesirable traffic can be dropped before it enters the service provider network.
- Cisco IPS source IP reputation filtering: Cisco IPS receives threat updates from the Cisco SensorBase Network, including serial attackers, botnet harvesters, malware outbreaks, and dark nets. The Cisco SensorBase Network includes detailed information regarding known threats on the Internet.
- DDoS prevention offerings from an ISP or DDoS service: Turning on IP Source Guard on the network switches prevents a host from sending out spoofed packets if it becomes a bot itself.
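The RFC 3704 item above is easiest to reason about as a decision made per ingress interface. The following example, added here and not part of the study guide, implements that check in Python: a source address is dropped if it falls in a reserved block, and on a customer-facing interface it is also dropped unless it belongs to a prefix routed via that interface (the strict reverse-path form). The bogon list is a subset of the well-known IPv4 special-purpose blocks, and the interface names, customer prefixes (which are not in the demo bogon list) and packet sample are constructed.

```python
"""RFC 3704 style ingress (source-address) filtering at a provider edge.
Added illustration; not code from the study guide.  The bogon list is a
subset of the well-known special-purpose IPv4 blocks; the interface names,
customer prefixes and sample packets are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

# Reserved or unallocated space that is never a valid source on an Internet link.
BOGONS: List[IPNet] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


class IngressFilter:
    """Strict reverse-path check: a packet entering on an interface is accepted
    only if its source lies in a prefix routed via that interface.  Interfaces
    with no prefix list (e.g. a transit link) get a loose check: bogons only."""

    def __init__(self, iface_prefixes: Dict[str, Iterable[str]]):
        self.routes: Dict[str, List[IPNet]] = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in iface_prefixes.items()
        }

    def verdict(self, iface: str, src: str) -> str:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in BOGONS):
            return "drop:bogon"
        expected = self.routes.get(iface)
        if expected is None:
            return "accept"            # loose mode on a transit interface
        if any(addr in net for net in expected):
            return "accept"
        return "drop:rpf-fail"         # source not reachable via this interface


def count_verdicts(flt: IngressFilter, packets: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Tally the filter decision for each (ingress interface, source IP) pair."""
    counts: Dict[str, int] = {}
    for iface, src in packets:
        v = flt.verdict(iface, src)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed topology: two customer links with assigned blocks, one transit link.
EDGE = IngressFilter({
    "customer-a": ["100.100.0.0/16"],
    "customer-b": ["100.101.0.0/16"],
})

# Constructed sample of packets seen at the edge: (interface, source address).
SAMPLE_PACKETS = [
    ("customer-a", "100.100.5.5"),     # genuine customer-a traffic
    ("customer-a", "100.101.9.9"),     # customer-a host spoofing customer-b's block
    ("customer-a", "10.1.1.1"),        # private source leaking out: bogon
    ("customer-b", "100.101.0.2"),     # genuine customer-b traffic
    ("customer-b", "192.168.1.1"),     # bogon
    ("customer-b", "100.100.1.1"),     # spoofed as customer-a
    ("transit", "100.100.7.7"),        # inbound from the Internet: loose check only
]

if __name__ == "__main__":
    print(count_verdicts(EDGE, SAMPLE_PACKETS))
```

The point of the per-interface prefix list is that a compromised customer host cannot emit packets with a forged source from another block, which is what makes the reflection and smurf-style attacks described earlier work; the transit interface only gets the bogon check because the set of legitimate sources there is the whole Internet.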
10.3 Assess DoS/DDoS attack tools
Exam Focus: Assess DoS/DDoS attack tools. Objective includes:
- Assess DoS/DDoS attack tools.
- Describe detection techniques.
DoS attack tools
The following are some DoS attack tools:
- Low Orbit Ion Cannon (LOIC)
- HTTP flood denial of service (DoS) testing tool
- Sprut
- PHP DoS
LOIC performs a Denial of Service (DoS) attack on a target site by flooding the server with TCP or UDP packets to disrupt the service of a particular host. People have used LOIC to join voluntary botnets. Trinoo, Tribe Flood Net, and TFN2K are DDoS attack tools.
Detection techniques
In detection techniques, an illegitimate traffic increase and flash events are identified and discriminated from legitimate packet traffic. All detection techniques treat an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics. The following are detection techniques:
- Active profiling: An attack is indicated by an increase in activity levels among clusters and an increase in the overall number of distinct clusters. An active profile is defined as the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. Monitoring the network packets' header information is required to obtain an active profile.
- Change-point detection: Change-point detection algorithms isolate a change in a traffic statistic that is caused by an attack. The traffic data is first filtered by address, port, or protocol, and the resulting flow is stored as a time series. The algorithm identifies deviations between the actual and expected local average in the traffic time series to identify and localize a DoS attack. Change-point detection is also used to identify the typical scanning activities of network worms.
- Wavelet analysis: Wavelet analysis describes an input signal in terms of spectral components. Wavelets provide a concurrent time and frequency description, finding the time at which certain frequency components are present. The presence of anomalies is determined by analyzing the energy of each spectral window.
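The change-point technique is concrete enough to show in code. The following example, added here and not code from the study guide, applies a one-sided CUSUM statistic to a per-second packet-rate series for one filtered flow: the mean and jitter are estimated from an attack-free baseline window, a short flash event is absorbed because the statistic resets when traffic returns to normal, and a sustained flood trips the alarm at the second it starts. The traffic series, baseline length and thresholds are constructed; CUSUM is one common instance of the change-point family, not the only algorithm the text could mean.

```python
"""Change-point detection of a DoS flood with a one-sided CUSUM over a
per-second packet-rate time series.  Added illustration; not code from the
study guide.  The traffic series, baseline window and thresholds are constructed."""
from statistics import mean, pstdev
from typing import List, Optional


def cusum_alarm(series: List[int], baseline: int = 40,
                k_sigma: float = 0.5, h_sigma: float = 5.0) -> Optional[int]:
    """Return the index at which the upward CUSUM statistic first exceeds its
    threshold, or None if the series never departs from the baseline.

    mu/sigma are estimated from the first `baseline` samples (assumed attack-free).
    k (allowance) absorbs normal jitter; h is the alarm threshold.  Both are
    expressed in units of sigma so they scale with the observed noise."""
    base = series[:baseline]
    mu = mean(base)
    sigma = pstdev(base) or 1.0          # guard against a perfectly flat baseline
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for i in range(baseline, len(series)):
        # Accumulate only positive excess over (mu + k); clamp at zero otherwise,
        # so short flash events decay while a sustained shift keeps growing.
        s = max(0.0, s + (series[i] - mu) - k)
        if s > h:
            return i
    return None


def constructed_series(flood: bool) -> List[int]:
    """80 one-second samples of packets-per-second for one filtered flow:
    ~100 pps with deterministic jitter, a one-second flash event at t=45,
    and (optionally) a sustained flood adding 200 pps from t=60 onward."""
    pps = [100 + (i * 7) % 11 - 5 for i in range(80)]   # jitter in [-5, +5]
    pps[45] += 12                                       # brief legitimate burst
    if flood:
        for i in range(60, 80):
            pps[i] += 200
    return pps


if __name__ == "__main__":
    print("flood   :", cusum_alarm(constructed_series(True)))    # alarm index
    print("no flood:", cusum_alarm(constructed_series(False)))   # None
```

In practice the series would come from flow records filtered by destination address or port, as the text describes, and the allowance k would be tuned so that the expected flash events for that service stay below the threshold h.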
10.4 Identify DoS/DDoS countermeasures, post-attack forensics, and penetration testing
Exam Focus: Understand DoS/DDoS countermeasures, post-attack forensics, and penetration testing. Objective includes:
- Identify DoS/DDoS countermeasure strategies.
- Analyze post-attack forensics.
- Identify DoS/DDoS protection tools.
- Understand DoS/DDoS penetration testing.
DoS/DDoS countermeasures
The following are DoS/DDoS countermeasures:
- The firewall should be configured to deny external Internet Control Message Protocol (ICMP) traffic access.
- The use of unnecessary functions such as gets, strcpy, etc. should be avoided.
- Remote administration and connectivity testing should be secured.
- The return addresses should be prevented from being overwritten.
- Data processed by the attacker should be stopped from being executed.
- Thorough input validation should be performed.
- A better network gateway card should be used to handle a large number of packets, since the network card is the gateway for the packets.
- For each piece of broadband technology, efficient encryption mechanisms should be proposed.
- Particularly for the multi-hop WMN, improved routing protocols are desirable.
- Unused and insecure services should be disabled.
- All inbound packets that originate from the service ports should be blocked to block the traffic from the reflection servers.
- Kernel should be updated to the latest version.
- The transmission of the fraudulently addressed packets at the ISP level should be prevented.
- Cognitive radios should be implemented in the physical layer so that the jamming and scrambling kind of attacks can be handled.
Mitigate attacks
The following techniques mitigate attacks:
- Load balancing: In the event of an attack, providers can increase the bandwidth on critical connections to prevent them from going down. Replicating servers provides additional failsafe protection. Balancing the load across each server in a multiple-server architecture improves normal performance and mitigates the effect of a DDoS attack.
- Throttling: This method lets a user set up the routers that access a server to adjust (throttle) incoming traffic to a level that is safe for the server to process, preventing flood damage to servers. Throttling can also be applied to DDoS attack traffic versus legitimate user traffic for better results.
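Throttling is usually implemented with a token bucket, and keeping one bucket per source is what lets it distinguish attack traffic from legitimate users. The following example, added here and not code from the study guide, runs a constructed ten-second timeline through a per-source throttle: a well-behaved client at 5 requests per second and a flooding source at 200 requests per second, both behind a limit of 10 requests per second with a burst of 20. The rates, burst size, addresses and timelines are assumptions; integer millisecond and milli-token arithmetic keeps the outcome exact.

```python
"""Per-source token-bucket throttling in front of a server.  Added illustration;
not code from the study guide.  Rates, burst size, addresses and the request
timelines are constructed.  Integer milli-token arithmetic keeps results exact."""
from typing import Dict, List, Tuple


class TokenBucket:
    """Allows up to `burst` requests at once and refills at `rate` requests/second.
    Tokens are stored as milli-tokens so that refill stays in integer arithmetic."""

    def __init__(self, rate_per_s: int, burst: int, now_ms: int = 0):
        self.rate = rate_per_s
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # Refill: `rate` tokens per second equals `rate` milli-tokens per millisecond.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class Throttle:
    """Keeps one bucket per source address so a flooding source exhausts only
    its own allowance and cannot consume the quota of well-behaved clients."""

    def __init__(self, rate_per_s: int, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, src: str, now_ms: int) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def run_scenario() -> Dict[str, int]:
    """Constructed 10-second timeline: a legitimate client at 5 req/s and a
    flooding source at 200 req/s, both behind a 10 req/s, burst-20 throttle."""
    throttle = Throttle(rate_per_s=10, burst=20)
    requests: List[Tuple[int, str]] = []
    requests += [(j * 200, "203.0.113.10") for j in range(50)]    # legit: every 200 ms
    requests += [(j * 5, "198.51.100.99") for j in range(2000)]   # flood: every 5 ms
    requests.sort()                                               # replay in time order
    allowed = {"203.0.113.10": 0, "198.51.100.99": 0}
    for t_ms, src in requests:
        if throttle.allow(src, t_ms):
            allowed[src] += 1
    return {"legit_allowed": allowed["203.0.113.10"], "legit_total": 50,
            "flood_allowed": allowed["198.51.100.99"], "flood_total": 2000}


if __name__ == "__main__":
    print(run_scenario())
```

The legitimate client never exceeds its refill rate, so every one of its 50 requests passes; the flooder burns its 20-token burst in the first tenth of a second and is then held to the 10 per second refill, so only a small fraction of its 2000 requests reach the server. A single shared bucket would instead let the flooder starve the legitimate client, which is why the per-source design matters.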
Honeypots
Honeypots are systems established with limited security that work as an enticement for an attacker. They serve as a means to gain information about attackers: they store a record of attackers' activities and identify the types of attacks and the software tools used. A defense-in-depth approach should be used with IPSec at different network points in order to divert suspicious DoS traffic to several honeypots.