DOS Attacks
Stacheldraht
Combines Trinoo with TFN; detects source address forgery; performs a variety of attacks.
What are the two forms of DOS Attacks?
1. Crash a server 2. Flood a service
DDOS
A DOS attack that is distributed over a large group of computers. To perform it, attackers use a zombie network: a group of infected computers on which the attacker has silently installed the DOS tool. The server system is flooded with fake requests coming from multiple sources. Hackers use a Trojan to create the zombie network.
SYN flood
A form of DOS attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Protocol DDOS attack
A protocol DDOS attack is a DOS attack at the protocol level: SYN flood and Ping of Death.
Tor
Software and an open network that help you defend against traffic analysis. Traffic analysis is a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
UDP (User Datagram Protocol)
A transport layer protocol defined for use with the IP network layer protocol.
Clean Pipes
All traffic is passed through a cleaning center, where various methods are applied to filter out bad traffic. Tata Communications, Verisign, and AT&T are the main providers of this kind of protection.
What is a DOS Attack?
An attempt to make a system or server unavailable for legitimate users and, finally, to take the service down.
ICMP (Internet Control Message Protocol)
An error-reporting protocol that network devices such as routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets.
DAVOSET
Another nice tool for DDOS attacks.
Three types of DDOS attacks
1. Application-layer DDOS attack 2. Protocol DDOS attack 3. Volume-based DDOS attack
Application Layer DDOS
Attacks that target vulnerabilities in Windows, Apache, OpenBSD, or other software in order to crash the server.
Methods of Prevention: Stack Tweaking
Complex method; alters the TCP stack; makes the attack difficult but not impossible.
How to defend Against DOS Attacks:
Configure the firewall to filter out incoming ICMP packets, egress-filter ICMP packets, and disallow any incoming traffic; use tools such as NetStat; disallow traffic not originating within the network; disable all IP broadcasts; filter for external and internal IP addresses; keep AV signatures updated; keep OS and software patches current; have an acceptable use policy.
Blackholing
Detects the fake attacking traffic and sends it to a black hole.
Echo/Chargen Attack
The echo service sends back whatever it receives; chargen is a character generator. Combined, they produce huge amounts of data in an endless loop.
ICMP Flood Attack
Floods: broadcasts of pings or UDP packets. Nukes: exploit known bugs in operating systems.
GoldenEye HTTP Denial of Service Tool
GoldenEye is developed in Python for testing against DOS attacks, but people use it as a hacking tool.
Protection against Smurf attacks
Guard against Trojans; have adequate AV software; utilize proxy servers; ensure routers don't forward ICMP broadcasts.
HULK (HTTP Unbearable Load King)
HULK is another DOS attacking tool; it generates a unique request for each and every request it sends, to obfuscate the traffic at the web server. It has a list of known user agents to use randomly with requests. It also uses referrer forgery and can bypass caching engines, so it directly hits the server's resource pool. The developer of the tool tested it on an IIS 7 web server with 4 GB RAM. This tool brought the server down in under one minute.
UDP Flood Attack
Hacker sends UDP packets to a random port; generates illegitimate UDP packets; causes the system to tie up resources sending back packets.
Teardrop Attack
Hacker sends a fragmented message; the victim system attempts to reconstruct the message; causes the system to halt or crash.
Smurf IP attack
Hacker sends out an ICMP broadcast with a spoofed source IP; intermediaries respond with replies; ICMP echo replies flood the victim; the network performs a DDOS on itself.
TCP SYN Flood Attack
Hacker sends out a SYN packet; the receiver must hold space in its buffer; bogus SYNs overflow the buffer.
Volume-based DDOS attack
ICMP floods, UDP floods, and other kinds of floods performed via spoofed packets.
Real World Examples of DDOS attacks
MyDoom and Slammer
DDOSIM - Layer 7 DDOS Simulator
Performs DDOS attacks by simulating several zombie hosts. The tool is written in C++ and runs on Linux systems. Features: zombie attacks; random IP addresses; TCP-connection-based attacks; application-layer DDOS attacks; HTTP DDOS with valid/invalid requests; SMTP DDOS; TCP connection flood on a random port.
XOIC
Performs a DOS attack on any server with an IP address, a user-selected port, and a user-selected protocol. Comes with 3 modes: test mode, normal DOS attack mode, and DOS attack mode with a TCP/HTTP/UDP/ICMP message.
Sinkholing
Routes all traffic to a valid IP address where the traffic is analyzed and bad packets are rejected.
Methods of Prevention: SYN cookies
Initially no buffer is created; the client's response is verified using a cookie; only then is the buffer created. Resource-intensive.
Ping of Death
Sending a malformed, malicious ping to a computer: deliberately sending an IP packet larger than 65,536 bytes.
Methods of Prevention: RST cookies
Sends a false SYN/ACK back; should receive an RST in reply; verifies that the host is legitimate. *Not compatible with Windows 95.
Land Attack
Simple attack: hacker sends a packet with the same source and destination IP; the system "hangs" attempting to send and receive the message.
Tor's Hammer
Slow POST tool written in Python. It can be run through the Tor network so the attacker stays anonymous while performing the attack. It is an effective tool that can kill Apache or IIS servers in a few seconds.
Common Tools Used for DOS
TFN and TFN2K: perform various protocol floods; master controls agents; agents flood designated targets; communications are encrypted; communications can be hidden in traffic; master can spoof its IP.
How is a DOS Attack achieved?
This is achieved by flooding the server's request queue with fake requests. After this, the server will not be able to handle the requests of legitimate users.
LOIC (Low Orbit Ion Cannon)
Tool that performs a DOS attack by sending UDP, TCP, or HTTP requests to the victim server. Used by a single user to perform a DOS attack on small servers. All you need is the URL or the IP address of the server.
OWASP DOS HTTP POST
Tool to check whether a web server is able to defend against DOS attacks. It can also be used to perform DOS attacks against a website.
PyLoris
Utilizes SOCKS proxies and SSL connections to perform a DOS attack on a server. It can target various protocols including HTTP, FTP, SMTP, IMAP, and Telnet.
R-U-Dead-Yet (RUDY)
Performs a DOS attack with a long form field submission via the POST method.