Transcript of 9781435483613_PPT_ch06

Page 1

Hacking Book 2: Threats and Defensive Mechanisms

Chapter 6: Denial of Service

Page 2

Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited

Objectives

- Define what a denial-of-service attack is
- Identify the types of denial-of-service attacks
- List the tools that facilitate a denial-of-service attack
- Define bots
- Explain what a distributed denial-of-service attack is

Page 3

Objectives (cont’d.)

Identify the taxonomy of a distributed denial-of-service attack

Define what a reflected denial-of-service attack is

List tools that facilitate a distributed denial-of-service attack

List countermeasures to a distributed denial-of-service attack

Page 4

Case Example 1

- Henderson, an investigative journalist in the field of information security, set up a new security portal called “HackzXposed4u”
- The portal claimed to expose the activities and identities of all known hackers across the globe
- He planned a worldwide launch on March 28
- The portal received wide media coverage before its release
- Within five minutes of launch, the server crashed
- A large number of computers connected to the Internet played the role of zombie machines, and all were directed toward the “HackzXposed4u” portal

Page 5

Case Example 2

- The blogging service wordpress.com was hit with a denial-of-service attack
- The attack caused heavy loads on the server, making it inaccessible
- In the same attack, CNN Interactive was unable to update its stories for two hours
- A devastating problem for a news organization that takes pride in its timeliness

Page 6

Introduction to Denial of Service

- Denial-of-service (DoS) attack: the attacker overloads a system’s resources, bringing the system down or at least significantly slowing its performance
- Targets network bandwidth or connectivity
- Examples:
  - Flooding the victim with more traffic than it can handle
  - Flooding a service (such as IRC) with more events than it can handle
  - Crashing a TCP/IP stack by sending malformed packets

Page 7

Overview

- Goal of a DoS attack: keep legitimate users from using the system
- Attackers may do the following:
  - Attempt to flood a network in order to prevent legitimate traffic
  - Attempt to disrupt connections in order to disrupt access to a service
  - Attempt to prevent a particular user from accessing a service
  - Attempt to disrupt service to a specific system

Page 8

Impact and the Modes of Attack

- Denial-of-service attacks can affect the computers in a network in several ways
- Network connectivity: the goal is to stop hosts or networks from communicating, or to disrupt network traffic
- Misuse of internal resources: a fraggle attack sends UDP packets with a forged source address to the echo (port 7) and character generator (port 19) services; pointing the echo service of one machine at the character generator of another makes the two hosts flood each other indefinitely, consuming their own resources
- Bandwidth consumption: an attacker can consume all of the bandwidth on a network by generating a large number of packets

Page 9

Impact and the Modes of Attack (cont’d.)

- Consumption of other resources: attackers may be able to consume other resources that systems need to operate (process slots, memory, disk space)
- Destruction or alteration of configuration information: altering the configuration of a computer, or of components in the network, may disrupt the normal functioning of the system

Page 10

Types of Attacks

- DoS attack classification:
  - Smurf
  - Buffer overflow attack
  - Ping of death
  - Teardrop
  - SYN flood
- Distributed denial-of-service attacks: multiple compromised systems are coordinated in an attack against one target

Page 11

Types of Attacks (cont’d.)

Figure 6-1 In this attack, the systems on the network respond to the spoofed IP address.

Page 12

DoS Attack Tools

Tools include:
- Jolt2
- Bubonic
- Land and LaTierra
- Targa
- Blast
- Nemesy
- Panther2
- Crazy Pinger
- Some Trouble
- UDP Flood
- FSMax

Page 13

DoS Attack Tools (cont’d.)

Figure 6-3 Bubonic sends so many random packets to a machine that it quickly overwhelms system resources.

Page 14

Bots

- Bots: software applications that run automated tasks over the Internet
- Types of bots: Internet bots, IRC bots, and chatter bots
- Botnets:
  - Derived from the phrase roBOT NETwork
  - Can be composed of a huge network of compromised systems
  - Also referred to as agents that an intruder can send to a server system to perform some illegal activity

Page 15

Bots (cont’d.)

Uses of botnets:
- Distributed denial-of-service attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisement add-ons
- Google AdSense abuse
- Attacking IRC chat networks
- Manipulating online polls and games
- Mass identity theft

Page 16

Bots (cont’d.)

How Bots Infect: An Analysis of Agobot
- Step 1: Method of infection
- Step 2: Massive spreading stage
- Step 3: Connect back to IRC
- Step 4: Attacker takes control of the victim’s computer

Process termination
- Agobots are also designed to terminate programs that appear to be antivirus or other security programs

NuclearBot
- IRC bot that can be used for floods, management, utilities, spreading, and IRC-related actions

Page 17

Bots (cont’d.)

Figure 6-8 This shows how an Agobot infection spreads.

Page 18

What Is a DDoS Attack?

- Distributed denial-of-service (DDoS) attack: a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, launched indirectly through many compromised computers on the Internet
- The first objective of any DDoS attacker is to gain administrative access on as many systems as possible, so that they can be used as attack agents
- Early attacks: in February 2000, one of the first major DDoS attacks was waged against yahoo.com

Page 19

What Is a DDoS Attack? (cont’d.)

Is DDoS stoppable?
- DDoS attacks are common, including against noncommercial entities
- A firewall does not guarantee 100% protection against attacks, but it can prevent some DoS/DDoS attacks

How a DDoS attack is conducted:
- Write a virus that will send ping packets to a target network/Web site
- Infect a minimum of 30,000 computers (“zombies”)
- Trigger the zombies to launch the attack by sending wake-up signals
- The zombies keep attacking the target server until they are disinfected

Page 20

What Is a DDoS Attack? (cont’d.)

Figure 6-11 Many distributed denial-of-service attacks use the agent/handler model.

Page 21

What Is a DDoS Attack? (cont’d.)

Agent/handler model
- Consists of clients, handlers, and agents
- Agent software is installed on compromised systems that will carry out the attack
- Agents can be configured to communicate with a single handler or multiple handlers
- Handler software is placed on a compromised router or network server
- The terms master and daemon are often used for handler and agent

Page 22

What Is a DDoS Attack? (cont’d.)

DDoS IRC-based model
- Internet Relay Chat (IRC): a multiuser online chatting system consisting of a network of servers located throughout the Internet
- An IRC-based DDoS attack network is just like the agent/handler DDoS attack model, except that instead of a handler program installed on a network server, it uses an IRC communication channel to connect the attacker to the agents

Page 23

DDoS Attack Taxonomy

Figure 6-12 The main types of attacks deplete either bandwidth or system resources.

Page 24

The Reflected DoS Attacks

- The TCP three-way handshake is exploited
- Zombies send out a large number of SYN packets with the target system forged as the IP source address
- For each SYN packet a reflector receives, up to four SYN/ACK packets are generated (the first reply plus retransmissions, since the target never sends the ACK)
- Bandwidth multiplication: the reflection servers emit several times more SYN/ACK attack traffic than the triggering SYN traffic they receive
- Parallel damage: instead of sending SYN packets to the server under attack, the attacker reflects them off any router or server connected to the Internet, so the victim sees traffic from many legitimate hosts rather than from the zombies
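The victim side of the reflected SYN attack described on this slide, as an added example that is not part of the book: it replays a constructed packet trace as seen at the victim's border, matches every inbound SYN/ACK against the SYNs the victim actually sent, and reports which hosts are acting as reflectors and how many SYN/ACKs arrived per forged SYN (the bandwidth multiplication above). The addresses, ports and the trace itself are constructed for the example; the per-reflector counts follow the slide's "up to four SYN/ACKs per SYN".

```python
from collections import defaultdict

# Constructed packet trace as seen at the victim's border router. One record
# per packet: (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags),
# where direction is "out" for packets the victim sent and "in" for packets
# it received. Addresses come from the documentation ranges (assumption).
VICTIM = "203.0.113.10"

SAMPLE_TRACE = [
    # A connection the victim opened itself: SYN out, SYN/ACK in, ACK out.
    ("out", VICTIM, 40001, "198.51.100.5", 80, "S"),
    ("in", "198.51.100.5", 80, VICTIM, 40001, "SA"),
    ("out", VICTIM, 40001, "198.51.100.5", 80, "A"),
    # Reflected traffic: zombies sent SYNs to these hosts with the victim's
    # address forged as source. Each reflector answers with a SYN/ACK and,
    # getting no ACK back, retransmits it (the slide's "up to four").
    ("in", "192.0.2.1", 80, VICTIM, 5555, "SA"),
    ("in", "192.0.2.1", 80, VICTIM, 5555, "SA"),
    ("in", "192.0.2.1", 80, VICTIM, 5555, "SA"),
    ("in", "192.0.2.1", 80, VICTIM, 5555, "SA"),
    ("in", "192.0.2.2", 179, VICTIM, 5556, "SA"),
    ("in", "192.0.2.2", 179, VICTIM, 5556, "SA"),
    ("in", "192.0.2.2", 179, VICTIM, 5556, "SA"),
    ("in", "192.0.2.3", 22, VICTIM, 5557, "SA"),
    ("in", "192.0.2.3", 22, VICTIM, 5557, "SA"),
]


def reflected_flows(trace, victim):
    """Map (reflector_ip, reflector_port, victim_port) -> number of SYN/ACKs
    received for which the victim never sent the matching SYN.

    A SYN/ACK from (sip, sport) to (dip, dport) answers a SYN the victim would
    have sent from (dip, dport) to (sip, sport); if no such SYN went out, the
    SYN/ACK was triggered by someone forging the victim's address."""
    sent_syns = set()
    flows = defaultdict(int)
    for direction, sip, sport, dip, dport, flags in trace:
        if direction == "out" and sip == victim and flags == "S":
            sent_syns.add((sip, sport, dip, dport))
        elif direction == "in" and dip == victim and flags == "SA":
            if (dip, dport, sip, sport) not in sent_syns:
                flows[(sip, sport, dport)] += 1
    return dict(flows)


def reflectors(flows):
    """Distinct reflector addresses. These are legitimate hosts, not the
    zombies, so they are what an upstream filter or abuse report would name."""
    return sorted({ip for ip, _, _ in flows})


def observed_multiplication(flows):
    """SYN/ACKs received per forged SYN, assuming one forged SYN per flow. The
    attacker may have sent more SYNs than that, so this is a lower bound on
    the bandwidth multiplication the reflectors provided."""
    if not flows:
        return 0.0
    return sum(flows.values()) / len(flows)


if __name__ == "__main__":
    flows = reflected_flows(SAMPLE_TRACE, VICTIM)
    print("reflectors:", reflectors(flows))
    print("SYN/ACKs per forged SYN:", observed_multiplication(flows))
```

The matching is on the full 4-tuple, so a reflector the victim happens to talk to legitimately (198.51.100.5 in the trace) is not flagged; only SYN/ACKs for connections the victim never initiated count as reflected.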

Page 25

Reflective DNS Attacks

Figure 6-14 In reflective attacks, bots bounce requests off of servers to amplify the number of requests and halt the victim system.

Page 26

DDoS Tools

Classic tools include:
- Tribal Flood Network (TFN)
- TFN2K
- Shaft
- Trinity
- Knight
- Kaiten
- Mstream

Page 27

Suggestions for Preventing DoS/DDoS Attacks

Precautionary steps:
- Prevent installation of distributed attack tools on the systems
- Prevent origination of IP packets with spoofed source addresses
- Monitor the network for signatures of distributed attack tools
- Employ stateful inspection firewalling

What to do if involved in a denial-of-service attack:
- Security policies should include emergency out-of-band communication procedures to network operators and/or emergency response teams
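One way to implement the second precaution, preventing origination of IP packets with spoofed source addresses, as an added example not taken from the book: a source-address filter of the kind network ingress/egress filtering (BCP 38, RFC 2827) describes. Outbound packets whose source is not one of the site's own prefixes are exactly the packets a local zombie needs for smurf, fraggle and reflected SYN attacks; inbound packets claiming a local or bogon source are the mirror case. The site prefixes and the traffic sample are assumptions made for the example.

```python
import ipaddress

# Address space the site owns (assumption made for the example). Packets
# leaving the site must carry a source inside these prefixes; packets arriving
# from the Internet must not.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]


def _is_local(addr, prefixes):
    # `addr in net` is False when the IP versions differ, so mixing v4 and v6
    # prefixes in one list is safe.
    return any(addr in net for net in prefixes)


def egress_verdict(src_ip, prefixes=SITE_PREFIXES):
    """Filter applied to packets leaving the site. A source the site does not
    own is a forged source: what a local zombie needs to take part in a smurf,
    fraggle or reflected SYN attack, so it is dropped here."""
    addr = ipaddress.ip_address(src_ip)
    if _is_local(addr, prefixes):
        return "pass"
    return "drop: source not in site prefixes (spoofed)"


def ingress_verdict(src_ip, prefixes=SITE_PREFIXES):
    """Filter applied to packets arriving from the Internet. A packet claiming
    a local source cannot legitimately come from outside, and loopback,
    unspecified, link-local or multicast sources never belong on the wire."""
    addr = ipaddress.ip_address(src_ip)
    if _is_local(addr, prefixes):
        return "drop: external packet claims a local source"
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast:
        return "drop: bogon source"
    return "pass"


def verdict(direction, src_ip, prefixes=SITE_PREFIXES):
    if direction == "egress":
        return egress_verdict(src_ip, prefixes)
    return ingress_verdict(src_ip, prefixes)


# Constructed traffic sample: (direction at the border, source address).
SAMPLE_TRAFFIC = [
    ("egress", "203.0.113.10"),   # a local host talking out
    ("egress", "198.51.100.7"),   # local zombie forging someone else's address
    ("egress", "2001:db8:1::5"),  # local IPv6 host
    ("ingress", "198.51.100.5"),  # ordinary inbound traffic
    ("ingress", "203.0.113.10"),  # outsider pretending to be one of us
    ("ingress", "127.0.0.1"),     # bogon
]


def dropped_sources(traffic, prefixes=SITE_PREFIXES):
    """Return [(direction, src_ip, reason)] for every packet the filter drops."""
    out = []
    for direction, src in traffic:
        v = verdict(direction, src, prefixes)
        if v != "pass":
            out.append((direction, src, v))
    return out


if __name__ == "__main__":
    for row in dropped_sources(SAMPLE_TRAFFIC):
        print(*row)
```

The egress rule is the one that matters for the attacks on this page: a site that enforces it cannot contribute forged-source SYNs, smurf triggers or fraggle triggers even if one of its hosts is a zombie. The same logic belongs in the ISP's customer-facing filters (the last countermeasure on the next slide).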

Page 28

Suggestions for Preventing DoS/DDoS Attacks (cont’d.)

Countermeasures for reflected DoS:
- TCP port 179 (BGP) on routers can be blocked for non-peer sources so that the router cannot be used as a reflector
- Routers can also be configured to filter (drop) packets destined for a particular address
- Servers could be programmed to recognize a SYN source IP address that never completes its connections
- ISPs could prevent the transmission of fraudulently addressed packets
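A toy model of the third countermeasure, recognizing a SYN source IP address that never completes its connections, written for this page and not taken from the book: a listener with a fixed half-open backlog, a SYN timeout, and a rule that blocks any source whose SYNs keep expiring unanswered. The constructed trace shows the backlog filling with unanswered SYNs so a legitimate SYN is refused, then the stale entries expiring, the flooding source being blocked, and the legitimate client completing its handshake. Backlog size, timeout, limit and addresses are assumptions chosen for the example; a real kernel keeps this state in its own half-open queue.

```python
from collections import defaultdict

# Parameters of the toy listener (assumptions chosen for the example).
BACKLOG = 8          # half-open connections the listener can hold at once
SYN_TIMEOUT = 3.0    # seconds a SYN may wait for its ACK before it is abandoned
ABANDON_LIMIT = 3    # abandoned SYNs from one source before that source is blocked


class HalfOpenTracker:
    """Tracks the half-open (SYN received, ACK not yet received) table of one
    listening port and blocks sources that keep leaving entries unanswered."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT, limit=ABANDON_LIMIT):
        self.backlog = backlog
        self.timeout = timeout
        self.limit = limit
        self.pending = {}                  # (src_ip, src_port) -> time the SYN arrived
        self.abandoned = defaultdict(int)  # src_ip -> SYNs that timed out unanswered
        self.blocked = set()               # sources whose SYNs are now dropped on sight
        self.established = []              # completed handshakes, in order
        self.refused = 0                   # SYNs dropped: backlog full or source blocked

    def _expire(self, now):
        """Drop half-open entries older than the timeout and charge them to
        their source; a source over the limit is blocked."""
        for key, arrived in list(self.pending.items()):
            if now - arrived > self.timeout:
                del self.pending[key]
                src = key[0]
                self.abandoned[src] += 1
                if self.abandoned[src] >= self.limit:
                    self.blocked.add(src)

    def feed(self, now, src_ip, src_port, flags):
        """Process one inbound segment ("S" or "A") and return what happened."""
        self._expire(now)
        key = (src_ip, src_port)
        if src_ip in self.blocked:
            self.refused += 1
            return "blocked"
        if flags == "S":
            if len(self.pending) >= self.backlog:
                self.refused += 1
                return "backlog-full"
            self.pending[key] = now
            return "half-open"
        if flags == "A" and key in self.pending:
            del self.pending[key]
            self.established.append(key)
            return "established"
        return "ignored"


def run_trace():
    """Constructed trace: a flood from 192.0.2.9 fills the backlog, a legitimate
    client from 198.51.100.5 is refused, the flood's entries time out and the
    source is blocked, and the client's retry then completes the handshake."""
    t = HalfOpenTracker()
    results = []
    for i in range(8):                                       # eight SYNs, never acknowledged
        results.append(t.feed(0.1 * i, "192.0.2.9", 1000 + i, "S"))
    results.append(t.feed(1.0, "198.51.100.5", 40000, "S"))  # refused: backlog full
    results.append(t.feed(4.0, "198.51.100.5", 40000, "S"))  # retry after the flood expires
    results.append(t.feed(4.1, "198.51.100.5", 40000, "A"))  # handshake completes
    results.append(t.feed(4.2, "192.0.2.9", 2000, "S"))      # flooder is now blocked
    return t, results


if __name__ == "__main__":
    tracker, results = run_trace()
    print(results)
    print("blocked:", sorted(tracker.blocked), "established:", tracker.established)
```

The model also shows the limit of this countermeasure: blocking by source address only helps when the flooder reuses a source. Against SYNs with randomly forged sources each entry still ties up the backlog until it times out, which is why the anti-spoofing filters on the previous slide are the complementary control.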

Page 29

Suggestions for Preventing DoS/DDoS Attacks (cont’d.)

XDCC vulnerability
- XDCC is a peer-to-peer file-sharing variant that uses automated bots to connect to IRC servers
- IROffer: the most common XDCC bot; it connects to a predefined IRC channel and posts the most popular files it has for downloading

Tools for detecting DDoS attacks:
- ipgrep
- tcpdstat
- findoffer

Page 30

Taxonomy of DDoS Countermeasures

Figure 6-17 Being fully prepared for an attack means using as many of the countermeasures available as possible.

Page 31

Summary

Denial-of-service attacks prevent legitimate users from accessing the resources and services in their network

Smurf, buffer overflow, and ping of death are some of the types of DoS attacks

SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake

In distributed denial-of-service attacks, a multitude of compromised systems are engaged to bring down a target system

DDoS attacks deplete either bandwidth or system resources (Figure 6-12)

Page 32

Summary (cont’d.)

Trinoo, TFN, TFN2K, and MStream are some of the tools attackers use to cause a DDoS attack

Countermeasures include preventing systems from being compromised and becoming secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack