Ethical Hacking and Countermeasures Version 6
Module: Denial of Service
Module Objective
This module will familiarize you with:
• Denial of Service (DoS) Attack
• Types of DoS Attacks
• Tools that facilitate DoS Attack
• BOTs
• Distributed Denial of Service (DDoS) Attack
• Taxonomy of DDoS Attack
• Tools that facilitate DDoS Attack
• Worms and their role in DDoS attack
• Reflected DoS Attack
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Terminologies
• Denial of Service (DoS) attack: an attack through which a person can render a system unusable for legitimate users by overloading its resources
• Distributed Denial-of-Service (DDoS) attack: on the Internet, a DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system
Goal of DoS
The goal of DoS is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it
Attackers may:
• Attempt to flood a network, thereby preventing legitimate network traffic
• Attempt to disrupt connections between two machines, thereby preventing access to a service
• Attempt to prevent a particular individual from accessing a service
DoS Attack Classification
Smurf Attack
The perpetrator generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host
The result will be lots of ping replies (ICMP Echo Reply) flooding the spoofed host
The amplified ping reply stream can overwhelm the victim's network connection
The Fraggle attack, which uses UDP echo, is similar to the Smurf attack
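As an added example (not part of the original course material), the following Python detection logic scans constructed one-line packet summaries for the two patterns described above: ICMP echo requests and UDP echo (port 7) traffic addressed to the directed-broadcast address of a local subnet, grouped by the claimed source that would receive the amplified replies. The subnet, the sample lines and the field layout are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries (not a real capture): "src dst proto detail"
SAMPLE = """\
203.0.113.7 192.168.1.255 ICMP echo-request
203.0.113.7 192.168.1.255 ICMP echo-request
203.0.113.7 192.168.1.255 UDP dport=7
192.168.1.20 192.168.1.30 ICMP echo-request
192.168.1.30 192.168.1.20 ICMP echo-reply
198.51.100.9 192.168.1.255 ICMP echo-request
198.51.100.9 192.168.1.255 UDP dport=53
"""

# Assumed local subnets whose directed-broadcast address every host would answer
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_directed_broadcast(dst):
    """True when dst is the broadcast address of one of the local subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def classify(line):
    """Return ("smurf"|"fraggle", src) for an amplification request, else None."""
    src, dst, proto, detail = line.split()
    if not is_directed_broadcast(dst):
        return None
    if proto == "ICMP" and detail == "echo-request":
        return ("smurf", src)      # every host on the subnet would reply to src
    if proto == "UDP" and detail == "dport=7":
        return ("fraggle", src)    # the UDP echo service replies to src instead
    return None


def find_amplification(text):
    """Count broadcast amplification requests per (kind, claimed source).

    The claimed source is the party under attack: it is spoofed so that the
    amplified replies land on it, so the report is keyed by it.
    """
    hits = Counter()
    for line in text.strip().splitlines():
        tag = classify(line)
        if tag is not None:
            hits[tag] += 1
    return dict(hits)
```

The matching mitigation is to stop routers forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast` per interface), so no reply stream is generated in the first place.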
Buffer Overflow Attack
Buffer overflow occurs any time the program writes more information into the buffer than the space allocated in the memory
The attacker can overwrite the data that controls the program execution path and hijack control of the program to execute the attacker's code instead of the process code
Sending email messages that have attachments with 256-character file names can cause a buffer overflow
Ping of Death Attack The attacker deliberately sends an IP packet larger than the 65,536 bytes allowed by the IP protocol
Fragmentation allows a single IP packet to be broken down into smaller segments
The fragments can add up to more than the allowed 65,536 bytes. The operating system, unable to handle oversized packets, freezes, reboots, or simply crashes
The identity of the attacker sending the oversized packet can be easily spoofed
Teardrop Attack
IP requires that a packet that is too large for the next router to handle should be divided into fragments
The attacker's IP puts a confusing offset value in the second or later fragment
If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system
It is a UDP attack, which uses overlapping offset fields to bring down hosts
The Unnamed Attack
• Variation of the Teardrop attack
• Fragments are not overlapping but gaps are incorporated
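As an added example that is not part of the original slides, this Python check models the validation a defender's IP stack or IDS can apply to a complete fragment set before reassembly: it flags an oversized reassembled datagram (the Ping of Death case), overlapping fragments (Teardrop) and holes between fragments (the Unnamed variant). Fragments are represented as (offset, length, more_fragments) tuples, an assumed simplification of the IPv4 header fields.

```python
MAX_IP_DATAGRAM = 65535  # largest total length the 16-bit IPv4 length field allows


def check_fragments(frags):
    """Validate a complete fragment set for one datagram.

    frags: iterable of (offset_bytes, length_bytes, more_fragments), any order.
    Returns a sorted list of anomaly labels; an empty list means the set
    reassembles cleanly.
    """
    ordered = sorted(frags)            # order by offset, as a reassembler would
    if not ordered:
        return ["empty"]
    issues = set()
    next_expected = 0                  # byte right after the data seen so far
    for offset, length, more in ordered:
        if offset + length > MAX_IP_DATAGRAM:
            issues.add("oversized")    # Ping of Death: sum exceeds 65,535 bytes
        if offset < next_expected:
            issues.add("overlap")      # Teardrop: offset re-covers earlier data
        elif offset > next_expected:
            issues.add("gap")          # Unnamed attack: hole left in the datagram
        if more and length % 8:
            issues.add("bad-length")   # non-final fragments carry multiples of 8 bytes
        next_expected = max(next_expected, offset + length)
    finals = [f for f in ordered if not f[2]]
    if len(finals) != 1 or finals[0] != ordered[-1]:
        issues.add("no-single-final")  # exactly one last fragment, and it must be last
    return sorted(issues)
```

Run it only once the fragment with more_fragments cleared has arrived; before that a hole may simply be a fragment still in flight.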
SYN Attack
The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) to the connection
This prevents the server from responding to legitimate requests
This attack exploits the three-way handshake
Malicious flooding by large volumes of TCP SYN packets to the victim's system with spoofed source IP addresses can cause a denial of service
SYN Flooding
SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
(Diagram: a normal connection establishment)
When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds
A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK
The victim's listen queue is quickly filled up
The requirement to hold each half-open connection for at least 75 seconds can be used as a denial-of-service attack
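As an added example (not from the original course material), the following Python function reads constructed lines in the layout of `ss -tan` output and reports, per listening port, how many connections sit half-open (SYN-RECV) relative to the listen queue size that the LISTEN row's Send-Q column reports, which is how the slide's "listen queue filling up" shows itself on a host. The sample table, port numbers and alert ratio are assumptions.

```python
from collections import defaultdict

# Constructed sample in the layout of `ss -tan` (not a real host's table).
# For LISTEN sockets the Send-Q column is the listen queue (backlog) size.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      8      0.0.0.0:80           0.0.0.0:*
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
ESTAB     0      0      10.0.0.5:80          198.51.100.20:51000
ESTAB     0      0      10.0.0.5:22          198.51.100.21:52000
SYN-RECV  0      0      10.0.0.5:80          203.0.113.11:4001
SYN-RECV  0      0      10.0.0.5:80          203.0.113.12:4002
SYN-RECV  0      0      10.0.0.5:80          203.0.113.13:4003
SYN-RECV  0      0      10.0.0.5:80          203.0.113.14:4004
SYN-RECV  0      0      10.0.0.5:80          203.0.113.15:4005
SYN-RECV  0      0      10.0.0.5:80          203.0.113.16:4006
SYN-RECV  0      0      10.0.0.5:22          203.0.113.17:4007
"""


def half_open_report(text, alert_ratio=0.5):
    """Per local port: backlog, established and half-open counts, distinct
    peers behind the half-open entries, and an alert flag when half-open
    entries occupy at least alert_ratio of the listen queue."""
    stats = defaultdict(lambda: {"backlog": 0, "established": 0,
                                 "half_open": 0, "peers": set()})
    for line in text.strip().splitlines()[1:]:      # skip the header row
        state, _recvq, sendq, local, peer = line.split()
        port = int(local.rsplit(":", 1)[1])
        if state == "LISTEN":
            stats[port]["backlog"] = int(sendq)
        elif state == "ESTAB":
            stats[port]["established"] += 1
        elif state == "SYN-RECV":
            stats[port]["half_open"] += 1
            stats[port]["peers"].add(peer.rsplit(":", 1)[0])
    report = {}
    for port, s in stats.items():
        backlog = s["backlog"]
        report[port] = {
            "backlog": backlog,
            "established": s["established"],
            "half_open": s["half_open"],
            "distinct_peers": len(s["peers"]),
            "alert": backlog > 0 and s["half_open"] >= alert_ratio * backlog,
        }
    return report
```

The distinct-peer count separates a flood from many (spoofed) addresses that never complete the handshake from a single misbehaving client.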
Bot (Derived from the Word Robot)
Internet Relay Chat (IRC) is a form of real-time communication over the Internet, mainly designed for group communication in discussion forums called channels
The bot joins a specific IRC channel on an IRC server and waits for further commands
profit
A number of different bots connected together is called a botnet
Botnets
Botnets consist of a multitude of machines
They are used for DDoS attacks
A relatively small botnet with only 1,000 bots has a combined bandwidth that is probably higher than the Internet connection of most corporate systems (1,000 home PCs with an average upstream of 128 KBit/s can offer more than 100 MBit/s)
How Do They Infect
(Diagram of the infection chain)
• Hacker in Russia: the attacker sends commands to the bots
• John downloads and executes chess.zip from a freeware site; John's machine is infected with Agabot
• The bot connects to the "Master" using an IRC channel and waits for instructions
• The bot looks for other vulnerable systems and infects them
What is a DDoS Attack
According to the website www.searchsecurity.com: on the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users
Characteristics of DDoS Attacks
A DDoS attack is a large-scale and coordinated attack on the availability of services of a victim system
The services under attack are those of the "primary victim," while the compromised systems used to launch the attack are often called the "secondary victims"
If a single IP address is attacking a company, it can block that address at its firewall. If it is 30,000, this is extremely difficult
The perpetrator is able to multiply the effectiveness of the denial of service significantly by using the secondary victims as attack platforms
DDoS Unstoppable
DDoS attacks rely on finding thousands of vulnerable, Internet-connected systems and systematically compromising them using known vulnerabilities
Packets arriving at your firewall may be blocked there, but they may just as easily overwhelm the incoming side of your Internet connection
If the source addresses of these packets have been spoofed, then you will have no way of knowing if they reflect the true source of the attack until you track down some of the alleged sources
The sheer volume of sources involved in DDoS attacks makes it difficult to stop
How to Conduct a DDoS Attack
Step 1: • Write a virus that will send ping packets to a target network/websites
Step 2: • Infect a minimum of (30,000) computers with this virus and turn them into "zombies"
Step 3: • Trigger the zombies to launch the attack by sending wake-up signals to the zombies, or have them activated by certain data
Step 4: • The zombies will start attacking the target server until they are disinfected
Mitigate or Stop the Effects of DDoS Attacks
• Providers can increase bandwidth on critical connections to prevent them from going down under attack
• Replicating servers can provide additional failsafe protection
• Balancing the load to each server in a multiple-server architecture can improve both normal performance as well as mitigate the effect of a DDoS attack
Throttling:
• This method sets up routers that access a server with logic to adjust (throttle) incoming traffic to levels that will be safe for the server to process
Deflect Attacks
Honeypots
• Systems that are set up with limited security act as an enticement for an attacker
• Serve as a means for gaining information about attackers by storing a record of their activities and learning what types of attacks and software tools the attackers used
Post-attack Forensics
Traffic pattern analysis
• Data can be analyzed, post-attack, to look for specific characteristics within the attacking traffic
• This characteristic data can be used for updating load balancing and throttling countermeasures
• DDoS attack traffic patterns can help network administrators to develop new filtering techniques for preventing it from entering or leaving their networks
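As an added example rather than part of the course material, this Python script performs the post-attack traffic pattern analysis described above on constructed flow records: it profiles the distinct-source count, the dominant destination port, the dominant packet size and the SYN-only share, then turns the characteristics that dominate the traffic into a filter description for an administrator to review. The record layout, the sample data and the thresholds are assumptions.

```python
from collections import Counter

# Constructed flow records (not real attack data): src dst dport proto bytes tcpflags
SAMPLE = """\
203.0.113.1 10.0.0.5 80 tcp 60 S
203.0.113.2 10.0.0.5 80 tcp 60 S
203.0.113.3 10.0.0.5 80 tcp 60 S
203.0.113.4 10.0.0.5 80 tcp 60 S
198.51.100.7 10.0.0.5 80 tcp 1500 PA
198.51.100.8 10.0.0.5 443 tcp 900 PA
203.0.113.5 10.0.0.5 80 tcp 60 S
203.0.113.6 10.0.0.5 80 tcp 60 S
"""


def parse(text):
    """Turn the constructed records into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, size, flags = line.split()
        records.append({"src": src, "dst": dst, "dport": int(dport),
                        "proto": proto, "bytes": int(size), "flags": flags})
    return records


def profile(records):
    """Summarise the characteristics that filters and throttles can key on."""
    n = len(records)
    port, port_n = Counter(r["dport"] for r in records).most_common(1)[0]
    size, size_n = Counter(r["bytes"] for r in records).most_common(1)[0]
    syn_only = sum(1 for r in records if r["flags"] == "S")
    return {
        "flows": n,
        "distinct_sources": len({r["src"] for r in records}),
        "top_port": port, "top_port_share": port_n / n,
        "dominant_size": size, "dominant_size_share": size_n / n,
        "syn_only_share": syn_only / n,
    }


def suggest_filter(p, min_share=0.6):
    """Describe a candidate filter from the characteristics above min_share."""
    conds = []
    if p["dominant_size_share"] >= min_share:
        conds.append(f"ip.len == {p['dominant_size']}")
    if p["syn_only_share"] >= min_share:
        conds.append("tcp.flags == SYN")
    if p["top_port_share"] >= min_share:
        conds.append(f"tcp.dport == {p['top_port']}")
    return " and ".join(conds)
```

The description is a starting point for the throttling and load-balancing updates mentioned above rather than a drop rule: legitimate 60-byte SYNs to port 80 match it too.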
Packet Traceback
• Tracing attack packets back toward their source assists in identifying the attacker
• Additionally, when the attacker sends vastly different types of attacking traffic, this method assists in providing the victim's system with information that might help develop filters to block the attack
Event Logs:
• It keeps logs of the DDoS attack information in order to do a forensic analysis, and to assist law enforcement in the event the attacker does severe financial damage
Summary
DoS attacks can prevent legitimate users from using the system by overloading its resources
Smurf, Buffer overflow, Ping of death, Teardrop, SYN, and Tribal Flow attacks are some of the attacks used to achieve DoS
A DDoS attack is an attack in which a multitude of compromised systems attack a single target
Countermeasures include preventing secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack