Module Objectives
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have become a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually DoS/DDoS attacks exploit vulnerabilities in the implementation of TCP/IP model protocol or bugs in a specific OS.
This module starts with an overview of DoS and DDoS attacks. It provides an insight into different DoS/DDoS attack techniques. Later, it discusses about botnet network, DoS/DDoS attack tools, techniques to detect DoS/DDoS attacks, and DoS/DDoS countermeasures. The module ends with an overview of penetration testing steps an ethical hacker should follow to perform a security assessment of the target.
At the end of this module, you will be able to perform the following:
■ Describe the DoS/DDoS concepts
■ Perform DoS/DDoS using various attack techniques ■ Describe Botnets
■ Describe DoS/DDoS case studies
■ Explain different DoS/DDoS attack tools
■ Apply best practices to mitigate DoS/DDoS attacks ■ Perform DoS/DDoS penetration testing
DoS/DDoS Concepts
For better understanding of DoS/DDoS attacks, one must be familiar with their concepts beforehand. This module discusses about what a DoS attack is, what a DDoS attack is, and how the DDoS attacks work.
What is a Denial-of-Service Attack?
DoS is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users. In a DoS attack, attackers flood a victim's system with nonlegitimate service requests or traffic to overload its resources, bringing the system down, leading to unavailability of the victim's website or at least significantly slowing the victim's system or network performance. The goal of a DoS attack is not to gain unauthorized access to a system or to corrupt data; it is to keep the legitimate users away from using the system. Following are the examples of types of DoS attacks:
■ Flooding the victim's system with more traffic than can be handled
■ Flooding a service (e.g., internet relay chat (IRC)) with more events than it can handle
■ Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by sending
corrupt packets
■ Crashing a service by interacting with it in an unexpected way
■ Hanging a system by causing it to go into an infinite loop
DoS attacks come in a variety of forms and target a variety of services. The attacks may cause the following:
■ Consumption of scarce and nonrenewable resources
■ Consumption of bandwidth, disk space, CPU time, or data structures
■ Actual physical destruction or alteration of network components
■ Destruction of programming and files in a computer system
In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available resources of the OS so that the computer cannot process legitimate users' requests.
Imagine a pizza delivery company, which does much of its business over the phone. If an attacker wanted to disrupt this business, he could figure out a way to tie up the company's phone lines, making it impossible for the company to do business. That is how a DoS attack works—the attacker uses up all the ways to connect to the system, making legitimate business impossible.
DoS attacks are a kind of security break that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. However, failure might mean the loss of a service such as email. In a worst-case scenario, a DoS attack can mean the accidental destruction of the files and programs of millions of people who happen to be surfing the Web at the time of attack.
What is Distributed Denial-of-Service Attack? Source: http://searchsecurity. techtarget.com
A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the Internet.
As defined by the World Wide Web Security FAQ: "A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the legitimate users.
The services under attack are those of the "primary victim," whereas the compromised systems used to launch the attack are the "secondary victims." The use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a larger and a more disruptive attack while making it more difficult to track down the original attacker.
The primary objective of any DDoS attacker is to first gain administrative access on as many systems as possible. In general, attackers use customized attack script to identify potentially vulnerable systems. Once the attacker gains access to the target systems, he or she will upload DDoS software and run it on these systems but not until the time chosen to launch the attack.
DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required while executing them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them
useless. The impact of DDoS includes loss of goodwill, disabled network, financial loss, and disabled organizations.
How Distributed Denial-of-Service Attacks Work?
In a DDoS attack, many applications pound the target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.
The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim. The reflector systems see these requests as coming from the victim's machine instead of the zombie agents due to spoofing of source IP address. Hence, they send the requested information (response to connection request) to the victim. The victim's machine is flooded with unsolicited responses from several reflector computers at once. This either may reduce the performance or may cause the victim's machine to shut down completely.
DoS/DDoS Attack Techniques
Attackers implement various techniques to launch DoS/DDoS attacks on target computers or networks. This section deals with the basic categories of DoS/DDoS attack vectors and various attack techniques.
Basic Categories of DoS/DDoS Attack Vectors
DDoS attacks mainly aim at the network bandwidth, exhaustion of network, application, or service resources, thereby restricting the legitimate users from accessing their system or network resources. In general, following are the categories of DoS/DDoS attack vectors:
■ Volumetric Attacks
These attacks exhaust the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet, and result in traffic blockage preventing access to legitimate users. The magnitude of attack is measured in bits per second (bps).
Volumetric DDoS attacks generally target protocols that are stateless and do not have built-in congestion avoidance. Generation of a large number of packets can cause the consumption of all the bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network overwhelming network equipments such as switches and routers with the significant statistical change in the network traffic. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed to the victim, which makes it a DDoS attack.
There are two types of bandwidth depletion attacks:
o A flood attack involves zombies sending large volumes of traffic to victim's systems in order to clog these systems' bandwidth
o An amplification attack engages the attacker or zombies to transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes victim systems' bandwidth.
Attackers use botnets and perform DDoS attacks by flooding the network. All bandwidth is used, and no bandwidth remains for legitimate use. Following are some of the volumetric attack techniques:
o User Datagram Protocol (UDP) flood attack
o Internet Control Message Protocol (ICMP) flood attack o Ping of Death attack
o Smurf attack
o Malformed IP packet flood attack o Spoofed IP packet flood attack
■ Protocol Attacks
Apart from volumetric attacks which consumes bandwidth, attackers can also prevent access to a target by consuming other types of resources such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in the network infrastructure devices such as load-balancers, firewalls, and application servers, and no new connections will be allowed since the device will be waiting for existing connections to close or expire. The magnitude of attack is measured in packets per second (pps) or connections per second (cps). These attacks can even take over state of millions of connections maintained by high capacity devices.
Following are some of the protocol attack techniques: o SYN flood attack
o ACK flood attack
o TCP connection flood attack o TCP state exhaustion attack o Fragmentation attack
o RST attack
■ Application Layer Attacks
Attacker tries to exploit the vulnerabilities in application layer protocol or in the application itself to prevent the access of the application to the legitimate user. Attacks on unpatched, vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks, in order to be successful in attacking. In application DDoS attacks, the application layer or application resources will be consumed by opening up connections and then leaving them open until no new connections can be made. Theseattacks destroy a specific aspect of an application or service and are effective with one or few attacking machines producing a low traffic rate (very hard to detect and mitigate). The magnitude of attack is measured in requests-per-second (rps).
Application-level flood attacks result in the loss of services of a particular network, such
as emails, network resources, temporary ceasing of applications and services, and so on. Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests.
Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either brings down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application.
Sometimes, attackers are also able to execute arbitrary code on the remote system via buffer overflow vulnerability. Sending too much data to the application overwrites the data that controls the program, and runs the hacker's code instead.
Using application-level flood attacks, attackers attempt to: o Flood web applications to legitimate user traffic
o Disrupt service to a specific system or person, for example, blocking a user's access
by repeating invalid login attempts
o Jam the application database connection by crafting malicious SQL queries Application-level flood attacks can result in substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because the connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, he or she can stop it and trace it back to a specific source more easily than other types of DDoS attacks. Following are some of the application layer attack techniques:
o HTTP flood attack o Slowloris attack
DoS/DDoS Attack Techniques
Following are some of the DoS/DDoS attack techniques:
■ UDP flood attack
■ ICMP Flood Attack
UDP Flood Attack
In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server and by using a large source IP range. Flooding of UDP packets causes server to check repeatedly for nonexistent applications at the ports. Legitimate applications are inaccessible by the system and gives an error reply with an ICMP "Destination Unreachable" packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.
ICMP Flood Attack
Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging of undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection causing it to be overwhelmed and subsequently stop responding to the legitimate TCP/IP requests.
To protect against ICMP flood attack, set a threshold limit that when it exceeds, it invokes the ICMP flood attack protection feature. When the ICMP threshold exceeds (by default the threshold value is 1000 packets/second), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well.
Ping of Death Attack
In a Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. For instance, the attacker sends a packet that has a size of 65,538 bytes to the target web server. This size of the packet exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process by the receiving system might cause the system to crash. In this type of attacks, the attacker's identity could be easily spoofed, and the attacker might not need detailed knowledge of the target machine he/she was attacking, except its IP address.
Smurf Attack
In a Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses will be sent to the victim's machine since the IP address is spoofed by the attacker. This causes significant traffic to the actual victim's machine, ultimately leading the machine to crash.
SYN Flood Attack
In a SYN attack, the attacker sends a large number of SYN requests to target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and the server exchange a series of messages, as follows:
■ A TCP SYN (synchronize packet) request is sent to a server.
■ The server sends back a SYN/ACK (acknowledgement) in response to the request. ■ The client sends a response ACK to the server to complete the session setup.
This method is a "three-way handshake".
In a SYN attack, the attacker exploits the "three-way handshake" method. First, the attacker sends a fake TCP SYN request to the target server and when the server sends back a SYN/ACK in response to the clients (attacker) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.
SYN flooding takes advantage of the flaw with regard to how most of the hosts implement the TCP three-way handshake. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, the connection establishes with the TCP three-way handshake. The host keeps track of the partially open connections, while waiting for response ACK packets in a listening queue.
As shown in the above slide, when Host B receives the SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds.
A malicious host can exploit the host managing many partial connections by sending many SYN requests to the host at once. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue (due to handshake timeout). This ability of holding up each incomplete connection for 75 seconds can be cumulatively used in a DoS attack. This attack uses fake IP addresses, so it is difficult to trace the source. An attacker can fill table of connections even without spoofing the source IP address.
■ Countermeasures
Proper packet filtering is a viable solution. An administrator can also modify the TCP/IP stack. Tuning the TCP/IP stack will help reduce the impact of SYN attacks while allowing legitimate client traffic through.
Some SYN attacks do not attempt to upset servers but instead try to consume all the bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect.
To guard against an attacker trying to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures, for example, decreasing the time-out period to keep a pending connection in the "SYN RECEIVED" state in the queue. Normally, if a client sends no response ACK, a server will retransmit the first ACK packet. Decreasing the time of the first packet's retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely can erase this vulnerability.
Fragmentation Attack
These attacks destroy a victim's ability to reassemble the fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. In fragmentation attacks, the attacker sends large number of fragmented (1500+ byte) packets to a target web server with relatively small packet rate. Since the protocol allows fragmentation, these packets usually pass through the network equipments uninspected such as routers, firewalls, and Intrusion Detection System (IDS)/lntrusion Prevention System (IPS). Reassembling and inspecting these large fragmented packets consumes excessive resources. Moreover, the content in the packet fragments will be randomized by the attacker, which makes the process to consume more resource in turn leading the system to crash.
HTTP GET/POST Attack
HTTP attacks are layer 7 attacks. HTTP clients, such as web browsers, connect to a web server through HTTP protocol to send HTTP requests. These requests can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks.
In a HTTP GET attack, the attacker uses time delayed HTTP header to hold on to HTTP connection and exhaust web server resources. The attacker never sends full request to the target server. As a result, server holds on to the HTTP connection and keeps waiting making the server down for the legitimate users. In these types of attacks, all the network parameters will look good but the service will be down.
In a HTTP POST attack, the attacker sends the HTTP requests with complete headers but incomplete message body to the target web server or application. Since the message body is incomplete, the server keeps waiting for the rest of the body thereby making the web server or web application not available to the legitimate users.
This is a sophisticated layer 7 attack, which does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than that of other attacks to bring down the targeted site or web server.
The aim of this attack is to compel the server to allocate as many resources as possible to serve the attack, thus denying legitimate users access to the server's resources.
Slowloris Attack
Slowloris is a DDoS attack tool. It is used to perform layer 7 DDoS attack to take down web infrastructure. It is distinctly different from other tools, where it uses perfectly legitimate HTTP traffic to take down a target server. In case of Slowloris attack, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and keeps waiting for the requests to be complete. These requests will not be complete, and as a result, the target server's maximum concurrent connection pool will be filled up and additional attempts of connection will be denied.
Multi-Vector Attack
In multi-vector DDoS attacks, the attackers use combinations of volumetric, protocol, and application-layer attacks to take down the target system or service. Attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another one (Layer 7), and so on. These attacks are either launched one vector at a time, or in parallel, in order to confuse a company's IT department and make them spend all their resources as well as divert their focus to the wrong side.
Peer-to-Peer Attack
A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in the network that uses DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack does not use botnets for the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need of attackers to communicate with the clients it subverts. Here, the attacker instructs clients of large peer-to- peer file sharing hubs to disconnect from their peer-to-peer network and instead, to connect to the victim's website. With this, several thousand computers may aggressively try to connect to a target website, which causes a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. Using this method, attackers launch massive DoS attacks and compromise websites.
You can minimize the peer-to-peer DDoS attacks by specifying ports for peer-to-peer communication. For example, specifying port 80 not to allow peer-to-peer communication minimizes the possibility of attacks on websites.
Permanent Denial-of-Service Attack
Permanent DoS (PDoS) attacks, also known as phlashing, purely targets hardware causing irreversible damage to the hardware. Unlike other DoS attacks, it sabotages the system's hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device, thereby allowing the remote administration on the management interfaces of the victim's hardware, such as printers, routers, or other networking devices.
This attack is quicker and is more destructive than the traditional DoS attacks. It works with a limited number of resources, unlike a DDoS attack, in which attackers enforce a set of Zombies onto a target. Attackers perform this attack using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates to the victim by modifying and corrupting the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, the victim installs it in his/her system. Thus, the attacker gets complete control over the victim's system.
Distributed Reflection Denial of Service (DRDoS)
A distributed reflection denial of service attack (DRDoS), also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application. The DRDoS attack exploits the TCP three-way handshake vulnerability.
This attack involves attacker machine, intermediary victims (zombies), secondary victims (reflectors), and the target machine. Attacker launches this attack by sending requests to the intermediary hosts, which in turn reflects the attack traffic to the target.
The process involved in DRDoS attack is as follows:
First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary targets IP address as the source IP address to other noncompromised machines (secondary victims or reflectors) to exhort them to establish connection with the primary target. As a result, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it, as they believe it was the host that requested it. The primary target discards the SYN/ACK packets received from the reflectors, as they did not send the actual SYN packet.
The reflectors keep waiting for the acknowledgement (ACK) response from the primary target. Assuming that the packet lost its path, these bunches of reflector machines resend SYN/ACK packets to the primary target in an attempt to establish the connection, until time-out occurs. This way, a heavy volume of traffic is flooded onto the target machine with the available reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine.
DRDoS attack is an intelligent attack, as it is very difficult or even impossible to trace the attacker. The secondary victim (reflector) seems to directly attack the primary target but not the actual attacker. This attack is more effective than a typical DDoS attack as multiple intermediary and secondary victims generate huge attack bandwidth.
■ Count er measures
o Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method
o Download the latest updates and patches for servers
Botnets
The term "bot" is a contraction of the term "robot." Attackers use bots to infect a large number of computers that form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime.
This section deals with organized cyber-crime syndicates; organizational charts, botnet, and their propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and propagation of malicious code.
Botnets
Bots are software applications that run automated tasks over the Internet. Attackers use bots for benign data collection or data mining, such as "Web spidering," as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. Some IRC bots are Eggdrop, Winbot, Supybot, Infobot, and EnergyMech.
A botnet (from "roBOT NETwork") is thus a group of computers "infected" by bots; however, botnets can be used for both positive and negative purposes. As a hacking tool, a botnet can be composed of a huge network of compromised systems. A relatively small botnet of only 1,000 bots has a combined bandwidth that is larger than the Internet connection of most corporate systems.
The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of cybercrime network. They offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing.
Malicious code is the primary tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via networks. Developers offer malware services on public sites or closed Internet resources.
Botnets are agents that an intruder can send to a server system to perform some illegal activity. They are the hidden programs that allow identification of system vulnerabilities. Attackers can use botnets to perform the tedious tasks involved in probing a system for known vulnerabilities.
■ DDoS attacks: Botnets can generate DDoS attacks, which eat up the bandwidth of the victims' computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity.
■ Spamming: Attackers use SOCKS proxy for spamming. They harvest email addresses from web pages or some other sources.
■ Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and uses it against another botnet. In other words, botnets can rob one another.
■ Keylogging: Keylogging provides sensitive information, such as system passwords. Attackers use keylogging to harvest PayPal account login information.
■ Spreading new malware: Botnets can be used to spread new bots.
■ Installing advertisement add-ons: Botnets can be used to perpetrate "click fraud" by automating clicks.
■ Google AdSense abuse: Some AdSense companies permit showing Google ads on their websites for economic benefits. This allows an intruder to automate clicks on an ad, thus producing a percentage increase in the click queue.
■ Attacking IRC chat networks: Also called as clone attacks, these are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within the IRC network, which can flood the network.
■ Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games.
■ Mass identity theft: Botnets can produce a large number of emails pretending to be some reputable site such as eBay. This technique allows attackers to steal information for identity theft.
The diagram above illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot Command and Control (C&C) Center. He/she then infects a machine (bot), and compromises it. Later on, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and waits for instructions. The attacker then sends malicious commands to the bots through the C&C center. Finally, as per the instructions given by the attacker, the bots launch DoS attack on a target server, making its services unavailable to the legitimate users in the network.