Transcript of 9781435483613_PPT_ch06
Hacking Book 2: Threats and Defensive Mechanisms
Chapter 6: Denial of Service
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Objectives
- Define what a denial-of-service attack is
- Identify the types of denial-of-service attacks
- List the tools that facilitate a denial-of-service attack
- Define bots
- Explain what a distributed denial-of-service attack is
Objectives (cont’d.)
- Identify the taxonomy of a distributed denial-of-service attack
- Define what a reflected denial-of-service attack is
- List tools that facilitate a distributed denial-of-service attack
- List countermeasures to a distributed denial-of-service attack
Case Example 1
- Henderson, an investigative journalist in the field of information security, set up a new security portal called “HackzXposed4u”
- The portal claimed to expose the activities and identities of all known hackers across the globe
- He planned a worldwide launch on March 28
- The portal received wide media coverage before its release
- Within five minutes of launch, the server crashed
- A large number of computers connected to the Internet played the role of zombie machines, and all were directed toward the “HackzXposed4u” portal
Case Example 2
- The blogging service wordpress.com was hit with a denial-of-service attack
- The attack caused heavy load on the server, making it inaccessible
- In the same attack, CNN Interactive was unable to update its stories for two hours
- A devastating problem for a news organization that takes pride in its timeliness
Introduction to Denial of Service
- Denial-of-service (DoS) attack
  - The attacker overloads a system’s resources, bringing the system down or at least significantly slowing its performance
  - Targets network bandwidth or connectivity, or the resources of a host or service
- Examples
  - Flooding the victim with more traffic than it can handle
  - Flooding a service (such as IRC) with more events than it can handle
  - Crashing a TCP/IP stack by sending malformed packets
Overview
- Goal of a DoS attack: keep legitimate users from using the system
- Attackers may do the following:
  - Attempt to flood a network in order to prevent legitimate traffic
  - Attempt to disrupt connections in order to prevent access to a service
  - Attempt to prevent a particular user from accessing a service
  - Attempt to disrupt service to a specific system
Impact and the Modes of Attack
- Denial-of-service attacks can cripple the computers in a network
- Network connectivity
  - The goal is to stop hosts or networks from communicating on the network, or to disrupt network traffic
- Misuse of internal resources
  - In a fraggle attack (the UDP counterpart of smurf), spoofed UDP packets sent to the echo and character generator (chargen) ports of a broadcast address make every responding host flood the spoofed source; pointing the echo service on one machine at the character generator on another makes the two hosts flood each other indefinitely
- Bandwidth consumption
  - The attacker can consume all of the bandwidth on a network by generating a large number of packets
Impact and the Modes of Attack (cont’d.)
- Consumption of other resources
  - Attackers may be able to consume other resources that systems need in order to operate (process slots, disk space, memory)
- Destruction or alteration of configuration information
  - Altering the configuration of a computer, or of the components in the network, may disrupt the normal functioning of the system
Types of Attacks
- DoS attack classification
  - Smurf
  - Buffer overflow attack
  - Ping of death
  - Teardrop
  - SYN flood
- Distributed denial-of-service attacks
  - Multiple compromised systems are coordinated in an attack against one target
Types of Attacks (cont’d.)
Figure 6-1 In this attack, the systems on the network respond to the spoofed IP address.
DoS Attack Tools
- Tools include:
  - Jolt2
  - Bubonic
  - Land and LaTierra
  - Targa
  - Blast
  - Nemesy
  - Panther2
  - Crazy Pinger
  - Some Trouble
  - UDP Flood
  - FSMax
DoS Attack Tools (cont’d.)
Figure 6-3 Bubonic’s sending so many random packets to a machine quickly overwhelms system resources.
Bots
- Bots: software applications that run automated tasks over the Internet
- Types of bots: Internet bots, IRC bots, and chatter bots
- Botnets
  - The term is derived from the phrase roBOT NETwork
  - A botnet can be composed of a huge network of compromised systems
  - The bots are also referred to as agents that an intruder can direct at a server system to perform some illegal activity
Bots (cont’d.)
- Uses of botnets
  - Distributed denial-of-service attacks
  - Spamming
  - Sniffing traffic
  - Keylogging
  - Spreading new malware
  - Installing advertisement add-ons
  - Google AdSense abuse
  - Attacking IRC chat networks
  - Manipulating online polls and games
  - Mass identity theft
Bots (cont’d.)
- How bots infect: an analysis of Agobot
  - Step 1: Method of infection
  - Step 2: Massive spreading stage
  - Step 3: Connect back to IRC
  - Step 4: Attacker takes control of the victim’s computer
- Process termination
  - Agobot is also designed to terminate processes that appear to be antivirus or other security programs
- NuclearBot
  - IRC bot that can be used for floods, managing, utilities, spreading, and IRC-related actions
Bots (cont’d.)
Figure 6-8 This shows how an Agobot infection spreads.
What Is a DDoS Attack?
- Distributed denial-of-service (DDoS) attack
  - A large-scale, coordinated attack on the availability of services on a victim’s system or network resources, launched indirectly through many compromised computers on the Internet
- Main objective of a DDoS attacker during preparation
  - Gain administrative access on as many systems as possible, so that they can be turned into attack agents
- Early attacks
  - February 2000: one of the first major DDoS attacks was waged against yahoo.com
What Is a DDoS Attack? (cont’d.)
- Is DDoS stoppable?
  - DDoS attacks are common even against noncommercial entities
  - A firewall does not guarantee 100% protection against attacks, but it can prevent some DoS/DDoS attacks
- How a DDoS attack is conducted (simplified outline)
  - Write a virus that will send ping packets to a target network/Web site
  - Infect a minimum of 30,000 computers (“zombies”)
  - Trigger the zombies to launch the attack by sending wake-up signals
  - The zombies keep attacking the target server until they are disinfected
What Is a DDoS Attack? (cont’d.)
Figure 6-11 Many distributed denial-of-service attacks use the agent/handler model.
What Is a DDoS Attack? (cont’d.)
- Agent/handler model
  - Consists of clients, handlers, and agents
  - Agent software is installed on compromised systems that will carry out the attack
  - Agents can be configured to communicate with a single handler or with multiple handlers
  - Handler software is placed on a compromised router or network server
  - The terms master and daemon are often used for handler and agent, respectively
What Is a DDoS Attack? (cont’d.)
- DDoS IRC-based model
  - Internet Relay Chat (IRC): a multiuser online chatting system consisting of a network of servers located throughout the Internet
  - An IRC-based DDoS attack network works like the agent/handler model, except that the agents connect to a channel on an IRC server instead of to a handler program
  - The IRC channel is the communication path between the attacker and the agents, and lets the attacker’s commands hide among legitimate IRC traffic
DDoS Attack Taxonomy
Figure 6-12 The main types of attacks deplete either bandwidth or system resources.
The Reflected DoS Attacks
- The TCP three-way handshake is exploited
  - Zombies send out a large number of SYN packets to ordinary Internet hosts (the reflectors), with the target system as the spoofed IP source address
  - Each reflector answers with a SYN/ACK to the target and, receiving no ACK, retransmits it: for each SYN packet a reflector receives, up to four SYN/ACK packets may be generated
- Bandwidth multiplication
  - The reflection servers emit several times more SYN/ACK attack traffic than the triggering SYN traffic they receive, all of it aimed at the target
- Parallel damage
  - Instead of sending SYN packets to the server under attack, the zombies reflect them off any router or server connected to the Internet, which also burdens the reflectors themselves
Reflective DNS Attacks
Figure 6-14 In reflective attacks, bots bounce requests off of servers to amplify the number of requests and halt the victim system.
DDoS Tools
- Classic tools include:
  - Tribal Flood Network (TFN)
  - TFN2K
  - Shaft
  - Trinity
  - Knight
  - Kaiten
  - Mstream
Suggestions for Preventing DoS/DDoS Attacks
- Precautionary steps:
  - Prevent installation of distributed attack tools on the systems
  - Prevent origination of IP packets with spoofed source addresses (egress filtering at the network edge)
  - Monitor the network for signatures of distributed attack tools
  - Employ stateful inspection firewalling
- What to do if involved in a denial-of-service attack
  - Security policies should include emergency out-of-band communication procedures to network operators and/or emergency response teams
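The second precautionary step above (and the ISP-side filtering the next slide mentions) is what BCP 38 egress filtering and unicast reverse-path forwarding implement. The following is an added example, not code from the EC-Council text: it simulates an edge router that refuses to forward packets whose source address cannot legitimately have come from the interface they arrived on. Interface names, the forwarding table, the RFC 5737 documentation prefixes and the sample packets are all constructed for this example.

```python
"""Anti-spoofing source-address filter (BCP 38 egress filtering and strict uRPF).

Added example, not code from the EC-Council text. It simulates an edge
router that refuses to forward packets whose source address does not belong
to the interface they arrived on, which is the 'prevent origination of IP
packets with spoofed source addresses' step. Interface names, prefixes
(RFC 5737 documentation ranges) and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed forwarding table: prefix -> interface it is reached through.
ROUTES = {
    ip_network("0.0.0.0/0"): "uplink0",        # default route toward the ISP core
    ip_network("198.51.100.0/24"): "cust1",    # customer 1
    ip_network("203.0.113.0/24"): "cust2",     # customer 2
}

# BCP 38: prefixes each customer interface may use as a source address.
ALLOWED_SOURCES = {
    "cust1": [ip_network("198.51.100.0/24")],
    "cust2": [ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


def egress_interface(addr):
    """Longest-prefix match: through which interface would we reach addr?"""
    addr = ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def bcp38_allows(pkt):
    """Customer-facing interfaces may only source their assigned prefixes.
    Interfaces with no allow-list (the uplink) are left to the uRPF check."""
    allowed = ALLOWED_SOURCES.get(pkt.in_iface)
    if allowed is None:
        return True
    src = ip_address(pkt.src)
    return any(src in prefix for prefix in allowed)


def strict_urpf_allows(pkt):
    """Strict unicast reverse-path forwarding: the best route back to the
    source must leave through the interface the packet arrived on."""
    return egress_interface(pkt.src) == pkt.in_iface


def filter_packet(pkt):
    """Return 'forward' or a drop reason."""
    if not bcp38_allows(pkt):
        return "drop: source outside the interface's assigned prefix (BCP 38)"
    if not strict_urpf_allows(pkt):
        return "drop: reverse path does not match ingress interface (uRPF)"
    return "forward"


# Constructed traffic. Packets 3-5 are what a smurf or reflected-SYN zombie
# produces: a source address that is not its own.
SAMPLE_PACKETS = [
    Packet("cust1", "198.51.100.10", "192.0.2.1"),       # legitimate
    Packet("cust2", "203.0.113.7", "192.0.2.1"),         # legitimate
    Packet("cust1", "192.0.2.1", "203.0.113.255"),       # victim's address spoofed
    Packet("cust1", "203.0.113.7", "192.0.2.1"),         # neighbouring customer spoofed
    Packet("uplink0", "198.51.100.10", "203.0.113.7"),   # our own customer spoofed from outside
]


def run_filter(packets=SAMPLE_PACKETS):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt.in_iface:8s} {pkt.src:>15s} -> {pkt.dst:<15s} {verdict}")
```

The two checks are complementary: BCP 38 needs an explicit allow-list per customer port, while strict uRPF derives the same decision from the routing table, which is why the fifth packet (an outsider spoofing one of our own customers) is caught only by uRPF. Strict uRPF must not be applied on interfaces with asymmetric routing, such as multi-homed uplinks; there, loose-mode uRPF (the source merely has to be routable) is the usual compromise.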
Suggestions for Preventing DoS/DDoS Attacks (cont’d.)
- Countermeasures for reflected DoS
  - TCP port 179 (BGP) on routers can be filtered so that only legitimate peers can reach it, which removes the routers as reflectors
  - Routers can also be configured to filter (drop) packets destined for a particular address
  - Servers could be programmed to recognize a SYN source IP address that never completes its connections and stop answering it
  - ISPs could prevent the transmission of fraudulently addressed packets (ingress filtering)
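The reflected SYN attack described on the earlier slide and the "SYN source that never completes its connections" countermeasure above can both be shown with one small model. This is an added example, not code from the EC-Council text: a reflector that answers every SYN with a SYN/ACK and retransmits it when no ACK arrives (assumed here: three retransmissions, i.e. the "up to four" of the text), and a handshake monitor that, at the victim, flags SYN/ACKs answering no SYN it ever sent and, at a reflector, flags sources whose SYNs never complete. Addresses (RFC 5737 ranges), ports, thresholds and the traces are all constructed.

```python
"""Reflected SYN flood: what the reflectors emit and how each side can detect it.

Added example, not code from the EC-Council text. Zombies send SYNs to
ordinary hosts (reflectors) with the victim's address as source; each
reflector answers with a SYN/ACK and, hearing no ACK, retransmits it
(assumed: three retransmissions, so up to four SYN/ACKs per SYN). One
monitor class plays both roles: at the victim it counts SYN/ACKs that match
no SYN the victim sent; at a reflector it finds 'a SYN source IP address
that never completes its connections'. All addresses and traces are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def reflect(syns, retransmits=3):
    """Segments a reflector emits for SYNs it never gets an ACK for: one
    SYN/ACK plus retransmits, all sent to the (spoofed) source address."""
    return [Seg(s.dst, s.dport, s.src, s.sport, "SA")
            for s in syns for _ in range(1 + retransmits)]


class HandshakeMonitor:
    """Tracks TCP handshakes as seen at one host ('me'), in both roles.
    Entries are never aged out here; a real monitor would expire them."""

    def __init__(self, me, half_open_threshold=10):
        self.me = me
        self.threshold = half_open_threshold
        self.my_syns = set()             # (peer, peer_port, my_port) for SYNs I sent
        self.unsolicited = Counter()     # peer -> SYN/ACKs that answer no SYN of mine
        self.pending = defaultdict(set)  # client -> {(client_port, my_port)} half-open
        self.completed = Counter()       # client -> handshakes it completed

    def observe(self, seg):
        if seg.src == self.me:                           # outbound segment
            if seg.flags == "S":
                self.my_syns.add((seg.dst, seg.dport, seg.sport))
            return
        if seg.dst != self.me:
            return
        if seg.flags == "SA":                            # I am the client side
            if (seg.src, seg.sport, seg.dport) not in self.my_syns:
                self.unsolicited[seg.src] += 1           # reflection (or backscatter)
        elif seg.flags == "S":                           # I am the server side
            self.pending[seg.src].add((seg.sport, seg.dport))
        elif seg.flags == "A":
            key = (seg.sport, seg.dport)
            if key in self.pending[seg.src]:
                self.pending[seg.src].discard(key)
                self.completed[seg.src] += 1

    def report(self):
        return {
            "unsolicited_synacks": sum(self.unsolicited.values()),
            "reflectors": len(self.unsolicited),
            "never_completing_sources": sorted(
                c for c, p in self.pending.items()
                if len(p) >= self.threshold and self.completed[c] == 0),
        }


VICTIM = "192.0.2.10"
REFLECTORS = [f"198.51.100.{i}" for i in range(1, 6)]   # five constructed reflectors


def victim_view(syns_per_reflector=10):
    """Trace as seen by the victim: one legitimate connection of its own,
    then the reflected SYN/ACKs. The zombies' spoofed SYNs never reach it."""
    trace = [Seg(VICTIM, 50000, "192.0.2.50", 443, "S"),
             Seg("192.0.2.50", 443, VICTIM, 50000, "SA")]
    spoofed = [Seg(VICTIM, 40000 + n, r, 80, "S")
               for r in REFLECTORS for n in range(syns_per_reflector)]
    trace += reflect(spoofed)
    mon = HandshakeMonitor(VICTIM)
    for seg in trace:
        mon.observe(seg)
    return mon.report()


def reflector_view(spoofed_syns=12):
    """Trace as seen by one reflector: SYNs 'from' the victim that are never
    followed by an ACK, next to one client that completes normally."""
    me = REFLECTORS[0]
    mon = HandshakeMonitor(me)
    for n in range(spoofed_syns):
        mon.observe(Seg(VICTIM, 40000 + n, me, 80, "S"))
    mon.observe(Seg("192.0.2.77", 5555, me, 80, "S"))
    mon.observe(Seg("192.0.2.77", 5555, me, 80, "A"))
    return mon.report()


if __name__ == "__main__":
    print("victim   :", victim_view())
    print("reflector:", reflector_view())
```

Two caveats for anyone turning this into a detector. First, "up to four" is the text's figure; the real multiplication depends on the reflector's operating system (Linux retransmits the SYN/ACK net.ipv4.tcp_synack_retries times, five by default), so the victim-side count is an observation, not a constant. Second, unsolicited SYN/ACKs at the victim look identical whether the victim is the intended target of a reflected attack or merely the spoofed source of a direct SYN flood against someone else (so-called backscatter); the volume and the number of distinct reflectors, both reported above, are what tell the two apart.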
Suggestions for Preventing DoS/DDoS Attacks (cont’d.)
- XDCC vulnerability
  - XDCC is a peer-to-peer file-sharing variant that uses automated bots connected to IRC servers; hosts compromised to run XDCC bots are frequently also used to launch DDoS attacks
  - IROffer
    - The most common XDCC bot
    - Connects to a predefined IRC channel and posts the most popular files it has available for download
- Tools for detecting DDoS attacks
  - ipgrep
  - tcpdstat
  - findoffer
Taxonomy of DDoS Countermeasures
Figure 6-17 Being fully prepared for an attack means using as many of the countermeasures available as possible.
Summary
- Denial-of-service attacks prevent legitimate users from accessing the resources and services in their network
- Smurf, buffer overflow, and ping of death are some of the types of DoS attacks
- SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake: every received SYN occupies a slot in a finite backlog of half-open connections until the handshake completes or times out
- In distributed denial-of-service attacks, a multitude of compromised systems are engaged to bring down a target system
- There can also be resource-depletion attacks
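The handshake flaw behind SYN flooding has a well-known stateless fix, SYN cookies, which the following added example illustrates (it is not code from the EC-Council text, and it goes one step past the slides, which name the flaw but not this countermeasure). The server keeps no half-open state at all: it encodes a slowly ticking counter, the client's MSS choice and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN/ACK, and validates the final ACK by recomputing the hash. The bit layout (5-bit counter, 3-bit MSS index, 24-bit hash) follows the classic scheme; the key derivation, MSS table, 64-second tick and the traffic are assumptions of this example.

```python
"""SYN cookies: answering a SYN without keeping half-open state.

Added example, not code from the EC-Council text. A SYN flood fills the
finite backlog of half-open connections a server holds between a SYN and
the final ACK. With SYN cookies the server stores nothing: it folds a
slowly ticking counter, the client's MSS choice and a keyed hash of the
4-tuple into the 32-bit initial sequence number (ISN) of its SYN/ACK, and
later rebuilds and checks all of it from the ACK number (ISN + 1) that only
a client which really received the SYN/ACK can echo. The bit layout
(5-bit counter, 3-bit MSS index, 24-bit hash) follows the classic scheme;
the key derivation, MSS table and traffic are this example's assumptions.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)               # per-boot server secret (random per run here)
MSS_TABLE = (536, 1220, 1460, 4312)   # MSS values a 3-bit index can encode
COUNTER_PERIOD = 64                   # seconds per counter tick


def _hash24(src, sport, dst, dport, counter):
    """Keyed 24-bit hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_mss, now):
    """ISN to place in the SYN/ACK; 'now' is the server clock in seconds."""
    counter = (now // COUNTER_PERIOD) & 0x1F                         # 5 bits
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = max(fits) if fits else 0                               # 3 bits
    return (counter << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack, now, max_age_ticks=1):
    """Validate the final ACK of a handshake. Returns the MSS to use for the
    connection, or None if the cookie is stale, forged or for another 4-tuple."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    age = (((now // COUNTER_PERIOD) & 0x1F) - counter) & 0x1F       # modulo-32 age
    if age > max_age_ticks:
        return None
    if (isn & 0xFFFFFF) != _hash24(src, sport, dst, dport, counter):
        return None
    return MSS_TABLE[mss_idx]


def demo(now=1_000_000):
    """Constructed handshakes: a genuine client completes, a guessed ACK, a
    wrong port and a stale ACK fail, and 10,000 spoofed SYNs are answered
    while the server keeps no state for any of them."""
    server = ("192.0.2.10", 443)
    client = ("203.0.113.5", 51515)
    isn = make_cookie(*client, *server, client_mss=1460, now=now)
    good_ack = (isn + 1) & 0xFFFFFFFF
    results = {
        "accepted_mss": check_cookie(*client, *server, ack=good_ack, now=now + 30),
        "guessed_ack": check_cookie(*client, *server, ack=(isn + 2) & 0xFFFFFFFF, now=now + 30),
        "wrong_port": check_cookie(client[0], 51516, *server, ack=good_ack, now=now + 30),
        "stale_ack": check_cookie(*client, *server, ack=good_ack, now=now + 3 * COUNTER_PERIOD),
    }
    # A flood of SYNs from a spoofed source: each gets a SYN/ACK, nothing is stored.
    results["flood_answered"] = sum(
        1 for n in range(10_000)
        if make_cookie("198.51.100.9", 1024 + n, *server, 1460, now) is not None)
    return results


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is that the server forgets everything else the SYN carried: in this classic form, TCP options such as window scaling and SACK are lost unless they are smuggled elsewhere (Linux encodes them in the TCP timestamp option), which is why production stacks only switch to cookies once the backlog is actually full (net.ipv4.tcp_syncookies=1 on Linux) rather than for every connection.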
Summary (cont’d.)
- Trinoo, TFN, TFN2K, and Mstream are some of the tools attackers use to launch a DDoS attack
- Countermeasures include preventing systems from being compromised and becoming secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack