CEH Chapter 10: Denial of Service


More DoS/DDoS Protection Hardware Tool

- Arbor Networks APS
- Herculon DDoS Hybrid
- FortGuard DDoS Protection System F200 Series
- D-Guard DDoS Protection System

Examples of types of DoS attacks

- Flooding the victim's system with more traffic than it can handle
- Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
- Crashing a Transmission Control Protocol (TCP)/Internet Protocol (IP) stack by sending corrupt packets
- Crashing a service by interacting with it in an unexpected way
- Hanging a system by causing it to go into an infinite loop

DoS/DDoS Countermeasure Strategies

- Absorbing the Attack
- Degrading Services: If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional.
- Shutting Down the Services

Prevent Potential Attacks

- Egress Filtering
- Ingress Filtering
- TCP Intercept
- Rate Limiting

DDoS Application Layer attacks

- HTTP flood attack
- Slowloris attack

Techniques to Defend against Botnets

- RFC 3704 Filtering
- Cisco IPS Source IP Reputation Filtering
- Black-Hole Filter
- DDoS Prevention Offerings from ISP or DDoS Service

DDoS Protocol Attack techniques

- SYN flood attack
- ACK flood attack
- TCP connection flood attack
- TCP state exhaustion attack
- Fragmentation attack
- RST attack

DoS Attack Countermeasures

- Protect secondary victims
- Detect and neutralize the handler
- Enable ingress and egress filtering
- Deflect the attack by diverting it to a honeypot
- Mitigate attacks by load balancing
- Disable unnecessary services
- Use anti-malware
- Enable router throttling
- Use a reverse proxy
- IDS

Symptoms of DoS Attacks

- Consumption of scarce and nonrenewable resources
- Consumption of bandwidth, disk space, CPU time, or data structures
- Actual physical destruction or alteration of network components
- Destruction of programs and files in a computer system

Botnets can be used for

- DDoS attacks: Botnets can generate DDoS attacks, which eat up the bandwidth of the victims' computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity.
- Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources.
- Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another.
- Keylogging: Keylogging provides sensitive information, such as system passwords. Attackers use keylogging to harvest PayPal account login information.
- Spreading new malware: Botnets can be used to spread new bots.
- Installing advertisement add-ons: Botnets can be used to perpetrate "click fraud" by automating clicks.
- Google AdSense abuse: Some AdSense companies permit showing Google ads on their websites for economic benefit. This allows an intruder to automate clicks on an ad, thus producing a percentage increase in the click queue.
- Attacking IRC chat networks: Also called clone attacks, these are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within the IRC network, which can flood the network.
- Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games.
- Mass identity theft: Botnets can produce a large number of emails pretending to be from some reputable site such as eBay. This technique allows attackers to steal information for identity theft.

DoS/DDoS Protection Software

- Incapsula DDoS Protection: quickly mitigates any size attack without getting in the way of legitimate traffic or increasing latency.
- Anti DDoS Guardian
- DDoS-GUARD
- Cloudflare
- DOSarrest's DDoS protection service
- DefensePro
- F5
- DDoSDefend
- NetFlow Analyzer
- Wireshark
- NetScaler AppFirewall
- Andrisoft Wanguard
- SDL Regex Fuzzer

Botnets setup

- A bot is installed on the victim machine by using a trojan horse that carries the bot payload; the trojan is delivered to victims through phishing or by redirecting the victim to a malicious site.
- Once the trojan is executed, the victim is infected and comes under the control of the handler, waiting for instructions from the C&C.
- The handler is the bot command and control, which sends instructions to the infected systems (bots) to attempt an attack on a primary target.

HTTPS GET/POST Attack

Layer 7 attack; requires less bandwidth.
- GET Attack: the attacker uses a time-delayed HTTP header to hold on to the HTTP connection and exhaust web server resources. The attacker never sends a full request to the target server. As a result, the server holds on to the HTTP connection and keeps waiting, making the server unavailable to legitimate users. In these types of attacks, all the network parameters will look good but the service will be down.
- POST Attack: the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application. Since the message body is incomplete, the server keeps waiting for the rest of the body, thereby making the web server or web application unavailable to legitimate users.
This is a sophisticated layer 7 attack that does not use malformed packets, spoofing, or reflection techniques. It requires less bandwidth than other attacks to bring down the targeted site or web server. The aim of this attack is to compel the server to allocate as many resources as possible to serve the attack, thus denying legitimate users access to the server's resources.

DoS/DDoS Attack Techniques

- UDP flood attack
- ICMP flood attack
- Ping of Death attack
- Smurf attack
- SYN flood attack
- Fragmentation attack
- HTTPS GET/POST attack
- Slowloris attack
- Multi-Vector attack
- Peer-to-Peer attack
- Permanent Denial-of-Service attack
- Distributed Reflection Denial-of-Service (DRDoS)

DDoS Volumetric Attack Techniques

- User Datagram Protocol (UDP) flood attack
- Internet Control Message Protocol (ICMP) flood attack
- Ping of Death attack
- Smurf attack
- Malformed IP packet flood attack
- Spoofed IP packet flood attack

Detection Techniques

1. Activity Profiling
2. Wavelet Analysis
3. Sequential Change Point Detection

Kinds of propagation of malicious codes

1. Central Source Propagation
2. Back-Chaining Propagation
3. Autonomous Propagation

Scanning Vulnerable System techniques

1. Random Scanning technique
2. Hit-List Scanning technique
3. Topological Scanning technique
4. Subnet Scanning technique
5. Permutation Scanning technique

Slowloris Attack

A DDoS attack tool used to perform a layer 7 DDoS attack to take down web infrastructure. It uses perfectly legitimate HTTP traffic to take down a target server. It opens multiple connections and sends requests that are never completed; as a result, the target server's maximum concurrent connection pool fills up and additional connection attempts are denied.

Ingress Filtering

A packet filtering technique used by many Internet Service Providers (ISPs) to prevent source address spoofing of Internet traffic, and thus indirectly combat several types of net abuse by making Internet traffic traceable to its true source. It protects against flooding attacks that originate from valid prefixes (IP addresses) and enables the originator to be traced to its true source.

Block the traffic at the provider level

How can a protocol-based DDoS attack with at least 10,000 bots sending traffic from across the entire globe be countered?

Remote Triggered Black Hole Filtering (RTBHF)

A routing technique used to mitigate DoS attacks by using Border Gateway Protocol (BGP). The router performs black hole filtering using null0 interfaces.

RFC 3704 filtering

A type of ingress filtering for multi-homed networks to limit DoS attacks. It denies traffic with a spoofed address access to the network and ensures that traffic can be traced to its source address. A "bogon list" consists of all unused or reserved IP addresses that should not come in from the Internet.

Denial of Service (DoS)

An attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users. Attackers flood a victim's system with non-legitimate service requests or traffic to overload its resources, bringing the system down, leading to unavailability of the victim's website or at least significantly slowing the victim's system or network performance.

Smurf Attack

An attack that broadcasts a ping request to computers but changes the source address so that all responses are sent to the victim. The attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim's machine, since the IP address was spoofed by the attacker. This causes significant traffic to the actual victim's machine, ultimately leading the machine to crash.

UDP Flood Attack

An attacker sends spoofed UDP packets at a very high packet rate to random ports of a target server, using a large source IP range. This causes the server to check repeatedly for nonexistent applications at those ports. When no application is listening, the system replies with an ICMP "Destination Unreachable" packet, and legitimate applications become inaccessible. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.

Ping of Death Attack

An attacker tries to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets larger than the maximum of 65,535 bytes using a simple ICMP ping command. For instance, the attacker sends a packet that has a size of 65,538 bytes to the target web server. This packet size exceeds the size limit prescribed by RFC 791 (IP), which is 65,535 bytes. The reassembly process on the receiving system might cause the system to crash. In this type of attack, the attacker's identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine except its IP address.

Wavelet Profiling

An autonomous process of detecting DoS/DDoS attacks by analyzing input signals. It evaluates the traffic and filters it on a certain scale, while adaptive threshold techniques are used to detect the DoS attack. The technique analyzes network traffic in terms of spectral components. Analyzing each spectral window's energy determines the presence of anomalies. These techniques check the frequency components present at a specific time and provide a description of those components. The presence of an unfamiliar frequency indicates suspicious network activity.

By using CAPTCHA

How can an application layer-based DDoS attack that sends at least 1,000 malicious POST requests per second, spread across the entire globe, be countered?

Distributed Denial of Service (DDoS)

A large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the Internet. The attack uses many computers to launch a coordinated DoS attack against one or more targets. The primary objective of the attacker is to first gain administrative access on as many systems as possible. It is mainly aimed at network bandwidth and at exhausting network, application, or service resources, thereby restricting legitimate users from accessing their system or network resources.

Application Layer Attack

The attacker tries to exploit vulnerabilities in an application layer protocol or in the application itself to prevent legitimate users from accessing the application. Application resources are consumed by opening up connections and then leaving them open until no new connections can be made. These attacks result in the loss of services of a particular network, such as email, network resources, temporary ceasing of applications and services, and so on. They destroy a specific aspect of an application or service and are effective with one or a few attacking machines producing a low traffic rate (very hard to detect and mitigate). The magnitude of the attack is measured in requests per second (rps).

Protocol Attack

These attacks exhaust resources available on the target or on a specific device between the target and the Internet. They consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers, and no new connections will be allowed since the device will be waiting for existing connections to close or expire. The magnitude of the attack is measured in packets per second (pps) or connections per second (cps). These attacks can even take over the state of millions of connections maintained by high-capacity devices.

Black hole filtering

A black hole refers to a network node where incoming traffic is discarded or dropped without informing the source that the data did not reach the intended recipient. Black hole filtering is the process of silently dropping traffic (either incoming or outgoing) so that the source is not notified that the packet was discarded. It uses Border Gateway Protocol (BGP) host routes to route traffic heading to victim servers to a "null0" next hop.

Zombies

Compromised systems that are controlled by a master computer (the attacker), or controlled through a handler, and that provide support to initiate a DDoS attack.

FortiDDoS

DDoS Protection Hardware Tool. Provides comprehensive protection against DDoS attacks. It helps you protect your Internet infrastructure from threats and service disruptions by surgically removing network and application layer DDoS attacks, while letting legitimate traffic flow without being impacted.

DDoS Protector

DDoS Protection Hardware Tool. Check Point DDoS Protector appliances block DDoS attacks with multi-layered protection.
Benefits:
- Blocks a wide range of attacks with customized multi-layered protection
- Fast response time: protects against attacks within seconds
- Flexible deployment options to protect any business
- Integrated with Check Point Security Management

A10 Thunder TPS

DDoS Protection Hardware Tool. The Thunder TPS (Threat Protection System) ensures reliable access to your key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages.
Features:
- Custom protection with immediate blocking
- Proactive DDoS detection and mitigation
- Combined on-premise and cloud-based DDoS protection
- Built-in SSL inspection to block encrypted traffic
- Inbound reputation-based DDoS protection
- Inbound and outbound advanced threat protection

Cisco Guard XT 5650

DDoS Protection Tool. A DDoS mitigation appliance from Cisco Systems. Based on a unique multi-verification process (MVP) architecture, the Cisco Guard XT employs advanced anomaly recognition, source verification, and anti-spoofing technologies to identify and block individual attack flows while allowing legitimate transactions to pass.
Benefits:
- Multistage verification
- Multi-Gigabit performance
- Multilevel monitoring and reporting

Permanent Denial-of-Service (PDoS)

A DoS attack, also known as phlashing, that purely targets hardware, causing irreversible damage to it; the attack is performed using a method known as "bricking a system." A PDoS attack exploits security flaws in a device, thereby allowing remote administration on the management interfaces of the victim's hardware, such as printers, routers, or other networking devices. This attack is quicker and more destructive than traditional DoS attacks and works with a limited number of resources.

The process involved in Distributed Reflection Denial of Service (DRDoS) attack

First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target's IP address as the source IP address to other noncompromised machines (secondary victims or reflectors), prompting them to establish a connection with the primary target. As a result, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it, as they believe it was the host that requested it. The primary target discards the SYN/ACK packets received from the reflectors, as it did not send the actual SYN packets. The reflectors keep waiting for the acknowledgement (ACK) response from the primary target. Assuming that the packet was lost in transit, these reflector machines resend SYN/ACK packets to the primary target in an attempt to establish the connection, until a time-out occurs. In this way, a heavy volume of traffic is flooded onto the target machine by the available reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine.

Types of Bandwidth depletion

- Flood attack: involves zombies sending large volumes of traffic to the victim's systems in order to clog these systems' bandwidth.
- Amplification attack: engages the attacker or zombies to transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the victim systems' bandwidth.

Autonomous Propagation

Here the attacking host itself transfers the attack toolkit to the newly discovered vulnerable system, exactly at the time it breaks into that system.

DDoS Prevention Offerings from ISP or DDoS Service

Here, the ISP scrubs/cleans the traffic before allowing it to enter your Internet link. Since this service runs in the cloud, a DDoS attack does not saturate your Internet links.

DoS/DDoS Attack Tools

High Orbit Ion Cannon (HOIC)
- A network stress and DoS/DDoS attack application
- Designed to attack up to 256 target URLs simultaneously
- It sends HTTP POST and GET requests at a computer and uses lulz-inspired GUIs
Low Orbit Ion Cannon (LOIC)
- Called an application-based DoS attack tool, as it mostly targets web applications
- LOIC is used on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host
Other tools: HULK, Thor's Hammer, Metasploit, Nmap, Blackhat Hacking Tools, DAVOSET, Tsunami, R-U-Dead-Yet, UDP Flooder, DLR_DoS, Moihack Port-Flooder, DDOSIM

Deflect Attacks

Honeypots
- KFSensor: a Windows-based honeypot IDS. It acts as a honeypot, designed to attract and detect hackers and worms by simulating vulnerable system services and Trojans.
- SSHHiPot
- Artillery

Peer-to-peer Attacks

In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. The attack does not use botnets, which eliminates the need for the attacker to communicate with the clients it subverts. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead connect to the victim's website. The attack can be minimized by specifying ports for peer-to-peer communication; for example, not allowing peer-to-peer communication on port 80 minimizes the possibility of attacks on websites.

Random Scanning

In this technique, the infected machine (an attacker's machine or a zombie) probes IP addresses randomly from the target network's IP range and checks their vulnerability. This technique generates significant traffic, as many compromised machines probe and check the same IP addresses. Malware propagation takes place quickly in the initial stage and slows later on, as fewer new IP addresses remain available as time passes.

Permutation Scanning

In this technique, attackers share a common pseudorandom permutation list of IP addresses among all machines; the list is created by using a 32-bit block cipher and a preselected key. If scanning reaches a system already infected by hit-list scanning or another method, it starts scanning from the next IP in the list. If scanning detects a system already infected via the permutation list, it starts scanning from a random point in the permutation list. The scanning process stops when the compromised host encounters a predefined number of already infected machines in a row without finding new targets. A new permutation key is then generated to initiate a new scanning phase.
Advantages:
- Reinfection of the same target is avoided.
- New targets are scanned at random (thus ensuring high scanning speed).

Protect Secondary Victims

- Individual: use anti-malware
- Network Service Provider: introduce dynamic pricing (altering the price) for network usage

Mitigate Attacks

Load Balancing
- Bandwidth providers can increase their bandwidth on the critical connections in case of a DDoS attack to prevent their servers from going down.
Throttling
- Throttling helps prevent damage to servers by controlling the DoS traffic.
- This method helps routers manage heavy incoming traffic so that the server can handle it. It filters legitimate user traffic from fake DDoS attack traffic.
Drop Request
- Another method is to drop packets when the load increases; usually the router or server does this.

How Do Distributed Denial-of-Service Attacks Work?

Many applications pound the target browser or network with fake external requests that make the system, network, browser, or site slow, useless, disabled, or unavailable. The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim. The reflector systems see these requests as coming from the victim's machine instead of the zombie agents due to the spoofed source IP address, so they send the requested information (the response to the connection request) to the victim. The victim's machine is flooded with unsolicited responses from several reflector computers at once. This may either reduce performance or cause the victim's machine to shut down completely.

Activity Profiling

Monitoring the activities running on a system or network. Activity profiling is measured by comparing current traffic against the average traffic rate of a network. It is done based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information. The higher a flow's average packet rate or activity level, the less time there is between consecutive matching packets.
An attack is indicated by:
- An increase in activity levels among the network flow clusters
- An increase in the overall number of distinct clusters (DDoS attack)
One of the major hurdles for this method is the volume of traffic. This problem can be overcome by clustering packet flows with similar characteristics.

ICMP Flood Attack

Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. Attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests. To protect against this attack, set a threshold limit that, when exceeded, invokes the ICMP flood attack protection feature. When the ICMP threshold is exceeded (by default the threshold value is 1000 packets/second), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well.

Cisco IPS Source IP Reputation Filtering

Reputation services help determine whether an IP address or service is a source of threats. The Cisco SensorBase Network contains information about known threats on the Internet such as botnets, malware outbreaks, dark nets, and botnet harvesters. The Cisco IPS makes use of this network to filter DoS traffic before it damages critical assets. To detect and prevent malicious activity even earlier, it incorporates the global threat data into its system.

Egress Filtering

Scans the headers of IP packets leaving a network. If the packets pass the specifications, they can be routed out of the sub-network from which they originated. It ensures that unauthorized or malicious traffic never leaves the internal network.

Buffer Overflow

Sends excessive data to an application that either brings down the application or forces the data sent to the application to execute on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application.

Denial-of-Service (DoS) Attack Penetration Testing

Step 1: Define the objective
Step 2: Test for heavy loads on the server
Step 3: Check for DoS vulnerable systems
Step 4: Run a SYN attack on the server
Step 5: Run port flooding attacks on the server
Step 6: Run an email bomber on the email servers
Step 7: Flood the website forms and guestbook with bogus entries
Step 8: Document all the findings

SYN attack / Flooding

The attacker sends a large number of incomplete SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. The attacker exploits the "three-way handshake" method: first, the attacker sends a fake TCP SYN request to the target server, and when the server sends back a SYN/ACK in response to the client's (attacker's) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.
Countermeasures
- Proper packet filtering is a viable solution.
- An administrator can also modify the TCP/IP stack. Tuning the TCP/IP stack will help reduce the impact of SYN attacks while allowing legitimate client traffic through.
- Decrease the time-out period for keeping a pending connection in the "SYN RECEIVED" state in the queue.
- Two tools to counter this attack are SYN cookies and SynAttackProtect.

Multi-Vector Attack

Attackers use combinations of volumetric, protocol, and application-layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another (Layer 7). These attacks are launched either one vector at a time or in parallel, in order to confuse a company's IT department, make them spend all their resources, and divert their focus to the wrong side.

Subnet scanning technique

The infected machine looks for new vulnerable machines in its local network, behind the firewall, using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms.

DoS Fragmentation

These attacks destroy a victim's ability to reassemble fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. The attacker sends a large number of fragmented (1500+ byte) packets to a target web server at a relatively small packet rate. Since the protocol allows fragmentation, these packets usually pass uninspected through network equipment such as routers, firewalls, and Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) devices. Reassembling and inspecting these large fragmented packets consumes excessive resources. The attacker randomizes the fragments, which makes the process consume even more resources, in turn leading the system to crash.

Volumetric Attacks

These attacks exhaust the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet, and result in traffic blockage preventing access by legitimate users. The magnitude of the attack is measured in bits per second (bps). They slow down performance and degrade the network, and generally target protocols that are stateless and do not have built-in congestion avoidance. There are two types of bandwidth depletion: flood attacks and amplification attacks.

Bandwidth Attack

This attack requires multiple resources to generate a request to overload the target.

Sequential Change Point Detection

This change-point detection technique identifies the typical scanning activities of network worms. The technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate versus time. Change-point detection algorithms isolate changes in network traffic statistics and in traffic flow rate caused by attacks. If there is a drastic change in the traffic flow rate, a DoS attack may be occurring. This technique uses the Cumulative Sum (CUSUM) algorithm to identify and locate DoS attacks; the algorithm calculates deviations in the actual versus expected local average in the traffic time series.

Central Source propagation

This code propagation requires a central source where the attack toolkit is installed. When the attacker exploits a vulnerable machine, it opens a connection on the infected system listening for a file transfer. The toolkit is then copied from the central source and installed automatically after the transfer. In general, this technique uses the HTTP, FTP, and RPC protocols.

Back-Chaining Propagation

This code propagation requires the toolkit to be installed on the attacker's machine. When an attacker exploits a vulnerable machine, it opens a connection on the infected system listening for a file transfer. The toolkit is then copied from the attacker. Once the toolkit is installed on the infected system, it searches for other vulnerable systems and the process continues. Simple port listeners (which copy file contents) or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy.

Distributed Reflection Denial of Service (DRDoS)

This is a type of DoS attack in which intermediary and secondary victims are also involved in the process of launching a DoS. The attacker sends requests to the intermediary victims, which direct the traffic towards the secondary victims; the secondary victims redirect the traffic toward the target. Also known as a "spoofed" attack, it involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application. The DRDoS attack exploits the TCP three-way handshake vulnerability. This attack is more effective than a typical DDoS attack, as multiple intermediary and secondary victims generate huge attack bandwidth. It is difficult or even impossible to trace the attacker.
Countermeasures
- Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method
- Download the latest updates and patches for servers

Application-level flood attacks

These attacks result in the loss of services of a particular network, such as email, network resources, temporary ceasing of applications and services, and so on. They can result in substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because the connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, he or she can stop it and trace it back to a specific source more easily than with other types of DDoS attacks.
Attackers attempt to:
- Flood web applications, blocking legitimate user traffic
- Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts
- Jam the application database connection by crafting malicious SQL queries

Topological scanning technique

This technique uses information already present on the infected machine to find new vulnerable machines. The infected host examines its own disk for URLs and addresses of other hosts, shortlists them as targets, and checks each for the vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique.

Hit-List Scanning technique

Before the attack, the attacker collects (through scanning) a list of potentially vulnerable machines, from which the zombie army will be built. The attacker then works down the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the remaining list in half: the attacker continues scanning one half, and the other half is given to the newly compromised machine, which finds vulnerable machines in its half and repeats the same process. This goes on simultaneously from an ever-increasing number of compromised machines, so the number of scanning hosts roughly doubles with each step. The technique ensures installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.
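The reason the hit list is exhausted "within a short time" is the halving: every compromise adds a scanner, so coverage takes on the order of log2(N) steps instead of N. The simulation below is an added example written for this page, not CEH text or real worm code; it models only the list bookkeeping (who scans which half) and treats "compromising a host" as one abstract step, so it contains no scanning or exploitation logic.

```python
"""Added example (not from the CEH text): a model of hit-list scanning's
list-halving, to show why the whole list is covered in about log2(N) rounds
rather than N. One "round" is the time a host needs to take over one target."""


def simulate_hit_list(hit_list):
    """Return (rounds, compromise_order). Each active host takes the first
    entry of its list, keeps half of the remainder and hands the other half to
    the host it just compromised; both continue in the next round."""
    workers = [list(hit_list)]      # one to-do list per scanning host
    compromised = []
    rounds = 0
    while any(workers):             # at least one host still has targets
        rounds += 1
        next_workers = []
        for todo in workers:
            if not todo:
                continue
            target, rest = todo[0], todo[1:]
            compromised.append(target)
            half = len(rest) // 2
            next_workers.append(rest[:half])   # original host keeps one half
            next_workers.append(rest[half:])   # new zombie gets the other
        workers = next_workers
    return rounds, compromised


def expected_rounds(n):
    """Closed form for the model above: floor(log2 n) + 1 for n >= 1, 0 for an empty list."""
    return n.bit_length()


if __name__ == "__main__":
    n = 1_000_000
    rounds, _ = simulate_hit_list(range(n))
    print(f"{n} hosts: {rounds} rounds with list halving vs {n} rounds one at a time")
```

The defensive reading of the same model: the pre-built list is the attacker's bottleneck, so the reconnaissance scanning that produces it (seen as slow, wide port sweeps before the outbreak) is the earliest point at which this technique can be noticed.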

DoS/DDoS Attack Tools for Mobile

Tools
- LOIC
- AnDOSid
- DDOS
- DDoS
- Packets Generator
- PingTools Pro

Post Attack Forensic

Traffic Pattern Analysis
- The traffic pattern tool stores post-attack data, which users analyze for the special characteristics of the attacking traffic.
- These data help in updating load-balancing and throttling countermeasures to improve their efficiency and protection ability.
Run Zombie Zapper Tool
- When a company is unable to ensure the security of its servers and a DDoS attack starts, the network IDS notices the high volume of traffic that indicates a potential problem. The targeted victim can run Zombie Zapper to stop the packets from flooding the system.
- There are two versions of Zombie Zapper: one runs on UNIX and the other on Windows systems.
- This tool acts as a defense mechanism against Trinoo, TFN, Shaft, and Stacheldraht.
Packet Traceback
- It is similar to reverse engineering: the targeted victim works backwards by tracing the packets to their original source.
- This information helps in developing and implementing different filtering techniques to block the attack.
Event Log Analysis
- Helps when an attacker causes destruction resulting in severe financial damage.
- Allows network administrators to recognize the type of DDoS attack, or the combination of attacks, that was used.

DoS/DDoS Countermeasure

- Use strong encryption mechanisms such as WPA2 and AES-256 on broadband networks to resist eavesdropping
- Ensure that software and protocols are up to date, and scan machines thoroughly to detect any anomalous behavior
- Update the kernel to the latest release and disable unused and insecure services
- Block all inbound packets originating from service ports, to block the traffic from reflection servers (a stateful filter is needed so that replies to the host's own requests still get through)
- Enable TCP SYN cookie protection
- Prevent the transmission of fraudulently addressed packets at the ISP level
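"Enable TCP SYN cookie protection" is usually a one-line kernel setting, but the reason it works is worth seeing in code. With SYN cookies the server stores nothing when a SYN arrives: it answers with a SYN-ACK whose initial sequence number is a keyed hash of the connection tuple plus a coarse time counter, and only allocates a socket when the final ACK comes back with that number (plus one) in it. A flood of spoofed SYNs therefore never fills a backlog. The code below is an added example written for this page, a simplified model rather than the Linux implementation: the field layout, the MSS table, the HMAC-SHA256 MAC, the secret and the addresses are all this example's own choices.

```python
"""Added example: a simplified SYN-cookie scheme showing why enabling SYN
cookies defeats SYN floods. Layout, MSS table and MAC are this example's own
choices, not the Linux implementation."""
import hashlib
import hmac
import socket
import struct

SECRET = b"rotate-me-at-boot"          # assumed per-server secret
MSS_TABLE = (536, 1220, 1440, 1460)    # 3-bit field indexes this table
COUNTER_MASK = 0x1F                    # 5-bit coarse time counter (e.g. seconds // 64)
HASH_MASK = 0xFFFFFF                   # low 24 bits carry the MAC


def _mac(src, dst, sport, dport, client_isn, counter, mss_idx):
    """24-bit keyed MAC over everything the final ACK lets the server recover."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHIQB", sport, dport, client_isn, counter, mss_idx))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, counter):
    """Server side, on SYN: the ISN to put in the SYN-ACK. Nothing is stored."""
    # Round the client's MSS down to a table entry so it fits in 3 bits.
    mss_idx = max(i for i, v in enumerate(MSS_TABLE) if v <= max(mss, MSS_TABLE[0]))
    mac = _mac(src, dst, sport, dport, client_isn, counter, mss_idx)
    return ((counter & COUNTER_MASK) << 27) | (mss_idx << 24) | (mac & HASH_MASK)


def check_cookie(src, dst, sport, dport, client_isn, cookie, counter, max_age=1):
    """Server side, on the final ACK: return the negotiated MSS if the cookie
    (ACK number - 1) is genuine and at most `max_age` counter ticks old, else None."""
    age = (counter - (cookie >> 27)) & COUNTER_MASK
    if age > max_age:                               # stale cookie, possibly replayed
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src, dst, sport, dport, client_isn, counter - age, mss_idx)
    if not hmac.compare_digest((cookie & HASH_MASK).to_bytes(3, "big"),
                               expected.to_bytes(3, "big")):
        return None                                 # forged or altered cookie
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.4:40000 -> server 10.0.0.5:80
    c = make_cookie("203.0.113.4", "10.0.0.5", 40000, 80, 12345, 1460, counter=100)
    print(hex(c), check_cookie("203.0.113.4", "10.0.0.5", 40000, 80, 12345, c, counter=100))
```

Two caveats a practitioner should know: the cookie only has room for a few TCP options, which is why real stacks fall back to it under load rather than using it always, and a spoofed source can never complete the handshake because the SYN-ACK (and hence the cookie) goes to the address it forged.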

Absorbing the attack

How can a volume-based DDoS attack, with at least 1,000,000 bots sending traffic from all over the globe, be countered?

Botnet

a group of computers "infected" by bots

Bot

Software applications that run automated tasks over the Internet. Attackers use them for benign data collection or data mining, such as "web spidering," as well as to coordinate DoS attacks. Attackers use them to infect a large number of computers that together form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime. There are different types of bots, such as Internet bots, IRC bots, and chatter bots.
- IRC bots: Eggdrop, Winbot, Supybot, Infobot, and EnergyMech
