ENPM693 - Chapter 7
Why do many DoS attacks use packets with spoofed source addresses?
Some of the spoofed source addresses will correspond to real systems, which will generate error packets which will add to the flood of traffic targeting the system.
What is the primary defense against many DoS attacks, and where is it implemented?
Spoofed address filtering must be implemented and needs to be done close to the source packet with the help of routers or gateways by identifying the valid address range of incoming packets. An ISP is the best place for this implementation, since it knows which addresses belong to which customers.
Define a distributed denial-of-service (DDoS) attack.
The attacker uses a botnet to significantly increase the volume of traffic flooding the target system.
Define an amplification attack.
Amplification attacks generate a high volume of packets to flood the target website without alerting the intermediary, by returning a large reply to a small request. The attacker exploits vulnerabilities in DNS servers to turn initially small queries into much larger payloads. It is a type of reflection attack which manipulates publically-accessible DNS.
What measures are needed to trace the source of various types of packets used in a DoS attack? Are some types of packets easier to trace back to their source than others?
Ask the ISP to trace the flow of packets back. Difficult and time consuming to trace spoofed addresses back to the source.
What types of packets are commonly used for flooding attacks?
ICMP (error messages), UDP, TCP SYN
What steps should be taken when a DoS attack is detected?
Identify the type of attack and the best approach to defend the attack, such as by capturing the packets and analyzing them for common attack packet types. Suitable filters are designed to block the flow of attack packets. If the attack creates a bug on the system instead of high traffic, then it must be IDed and recovered through corrective steps.
What is a flooding attack?
A DoS attack which slows down the network or service due to large amounts of traffic in the network.
Define a denial-of-service (DoS) attack.
A malicious attempt by an individual or group to attack any network or website and abrupt service for the people using those networks or websites.
What is "backscatter traffic"? Which types of DoS attacks can it provide information on? Which types of attacks does it not provide any information on?
Backscatter traffic is a side effect of spoofed DoS/DDoS attacks. The victim responds to the spoofed packets as it normally would, and the traffic generated by these responses is called the backscatter traffic. The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.
What defenses are possible to prevent an organization's systems being used as intermediaries in a broadcast amplification attack?
Block the usage of IP-directed broadcasts, either by the ISP or by an organization system which is used as an intermediary.
What is the goal of a flooding attack?
Load the network capacity on some link to a server, or overload the capability of the server to handle and respond to traffic.
What types of resources are targeted by such DoS attacks?
Prevents the authorized use of networks, systems, or applications with the help of resources such as memory, bandwidth, CPU, system resources, network connectivity, and disk space.
What defenses are possible against nonspoofed flooding attacks? Where must these be implemented? Which are unique to this form of attack?
Provision of significant excess network bandwidth and replicated distributed servers when overload on the network is predicted. Rate limits.
Define a reflection attack.
Reflection attacks use the same protocol in both directions. The attacker spoofs the victim's IP address and sends a request for information via UDP to servers known to respond to that type of request. The server answers the request and sends the response to the victim's IP address. The data from those serves pile up, congesting the target's connectivity.
What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overload and the consequences of a DoS attack?
They refer to huge volumes of legitimate traffic on the system that will lead to devastation of the system's network connection. This happens sometimes as a result of high popularity regarding a particular web site.
What architecture does a DDoS attack typically use?
Typically uses a control hierarchy approach, where the attacker controls the small number of handler systems, and the handles control the large number of agent systems.
