Denial of Service and DDoS Attacks
how does flooding occur?
occurs because the incoming bandwidth is insufficient or resources—hardware devices, computing power, software, or table capacity—are inadequate.
overload / flood attack
occurs from demand in excess of capacity, from malicious or natural causes (classified as volumetric)
volume based attacks
overwhelming basic network capacity
botmasters
people who infect machines to turn them into bots
thrashing
performance fails because of nearly continuous switching
blocked access
prevention of a service from functioning
next hop
router determining the best next path to which to direct a data unit
context switching
switching from one application to another
command-and-control center
The bot headquarters; it instructs specific machines to target a particular victim at a given time and for a given duration. Bots can be either pushed or pulled; in the pull model each bot is responsible for periodically calling home to a controller to determine if there is work to do.
DNS (Domain Name System)
the database of translations of Internet names to addresses, and the DNS protocol resolves the name to an address
malicious autonomous mobile agents
working largely on their own, these programs infect computers anywhere they can access, causing denial of service and other harm
ICMP (Internet Control Message Protocol) includes what?
• ping, which requests a destination to return a reply, intended to show that the destination system is reachable and functioning
• echo, which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo)
• destination unreachable, which indicates that a destination address cannot be accessed
• source quench, which means that the destination is becoming saturated and the source should suspend sending packets for a while
source routing
Allows a sender of a packet to specify the route the packet takes through the network versus routers determining the path.
Berkeley Internet Name Domain (BIND)
An Internet naming system that performs name resolution, for Unix
smurf attack
An attack that broadcasts a ping request to all computers on the network yet changes the address from which the request came to that of the target.
denial of service attack
An attempt to overwhelm a computer system or network with excessive communications in order to deny users access, thus defeating availability
strict source routing
IP protocol header option that allows sender to specify the exact route a packet should take to its destination.
ping of death
- type of DoS attack
- over-sized ICMP packets are sent to the victim. Systems that are vulnerable to this type of attack do not know how to handle ICMP packets over a specific size and may freeze or reboot
- countermeasures are to patch the systems and implement filtering to detect these types of packets
two things used to mount a distributed denial-of-service attack
1. conscript an army of compromised machines to attack a victim
2. attacker sends a signal to all the zombies to launch the attack
botnets
networks of bots, are used for massive denial-of-service attacks, implemented from many sites working in parallel against a victim
Internet Control Message Protocol (ICMP)
Normally used for system diagnostics, these protocols do not have associated user applications
DNS spoofing
Unauthorized changes to the DNS
syn flood
a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
DNS cache poisoning
an incorrect name-to-address DNS conversion is placed in and remains in a translation cache
countermeasure to DNS cache poisoning
an unpredictable series of sequence numbers, preferably drawn from a large range of possibilities
targets of flooding attack
application, OS or one of its components, or network appliance (router)
echo-chargen
attack works between two hosts
session hijack
attacker allows an interchange to begin between two parties but then diverts the communication
teardrop
attacker sends a series of datagrams that cannot fit together properly.
DNS poisoning
attackers try to insert inaccurate entries into that cache so that future requests are redirected to an address the attacker has chosen
protecting against session hijacking
by concealing connecting data within the application and by hiding the header data
loose source routing
some (a few or all) of the required intermediate points are specified
distributed denial-of-service (DDoS) attack
change the balance between adversary and victim by marshaling many forces on the attack side
zombie
Compromised systems running pieces of malicious code under remote control. These code objects are Trojan horses that are distributed to large numbers of victims' machines. They are often undetected because they may not interfere with or harm a user's computer.
inoculation agent
developer involved initially to set up the process and, usually, to establish a scheme for updates to the code
scripted DDoS attack
easily launched from scripts. One can easily write a procedure to plant a Trojan horse that can launch any or all of the DDoS attacks
DoS attack types
excessive volume, failed application, severed link, hardware or software failure
application based attack
exhaust the application that services a particular network
three root threats to availability
insufficient capacity (overload); blocked access; unresponsive component