DoS/DDoS
Slowdroid prevention
*Needs research
3 methods of perpetrating an email bomb
1. Mass mailing 2. List linking 3. Zip bombing
3 uses of email bombs
1. Overflowing a mailbox 2. Overwhelming the server hosting the address (DoS) 3. Smoke screen to distract from important IT emails indicating a breach
Billion Laughs Attack (XML Bomb)
A DoS attack aimed at XML parsers. The delivery method is an XML bomb: an XML document containing 9 entity definitions (one per line), each consisting of 10 copies of the previous one (e.g. a 'lol' string). The document body contains a reference to the 9th entity; when it is encountered, it is expanded into 10 copies of the 8th, and so on.
DoS vs DDoS
A DoS attack is launched from a single entity. A DDoS attack is launched from several entities, usually a botnet.
Invite of Death
A DoS attack on a VoIP system that involves sending a malformed SIP INVITE request to a telephony server, resulting in a crash of the server.
Resource exhaustion attack
A DoS attack that exploits a software bug or design deficiency, causing the system to crash or hang, or otherwise interfering with the system. In software with manual memory management (most commonly written in C/C++), memory leaks are a very common bug exploited for resource exhaustion. Even if a garbage-collected programming language is used, resource exhaustion attacks are possible if the program uses memory inefficiently and does not impose limits on the amount of state used where necessary. File descriptor leaks are another common vector: most general-purpose programming languages require the programmer to explicitly close file descriptors, so even high-level languages allow the programmer to make such mistakes.
Wifi Deauthentication Attack
A DoS attack that exploits the 802.11 provision for a deauthentication frame to force a client to disconnect from an AP.
LAN Denial (LAND)
A DoS attack that involves sending a spoofed TCP SYN message (connection initiation) to an open port, with the target host's IP address set as both source and destination, causing the target machine to reply to itself continuously. Distinct from a SYN flood. Most firewalls should intercept and discard the packet.
Syn Flood (Half-Open) Attack
A DoS attack that spams a server with initial connection requests (SYN messages) without continuing the handshake (no ACK response after the server's SYN-ACK). The malicious client can either not send the ACK, or spoof the source IP in the SYN so that the server sends the SYN-ACK to the falsified, spoofed IP, which will not send an ACK because it "knows" it never sent a SYN. Every SYN packet causes the server to temporarily maintain a new half-open connection for a certain length of time. The goal is to use up all available connection slots (ports).
Fork Bombs (Rabbit Viruses)
A DoS attack wherein a process continually replicates itself in order to deplete system resources, leading to resource starvation which severely slows down the system (a DoS). Fork bombs operate both by consuming CPU time via forking and by saturating the OS's process table.
Squatting attack
A DoS attack wherein a program interferes with another through the use of shared synchronization objects in an unwanted or unexpected way. *Need C, C++ research
Slowdroid
A DoS attack which allows a single mobile device to take down a network server while requiring minimal bandwidth. This attack was created for research purposes. Like other slow DoS attacks, it creates many connections with the victim in order to saturate the resources of the listening daemon application. One difference between Slowdroid and Slowloris is the payload: in the case of Slowdroid, the payload is not compliant with a specific protocol. Instead of sending a forged HTTP request, an endless sequence of spaces is sent. This makes Slowdroid able to target different protocols with the same payload. Another difference is in the sending: instead of sending a sequence of characters as Slowloris does, Slowdroid sends a single character, reducing the bandwidth used.
A packet that induces a broadcast storm is sometimes called
A Chernobyl packet
Ping of death
A DoS attack that involves sending malformed/malicious pings to a computer. A correctly-formed ping packet is typically 56 bytes (64 bytes including the ICMP header, 84 bytes including the IPv4 header), but any IPv4 packet may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping larger than the maximum packet size, because it violates the Internet Protocol as documented in RFC 791. Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. When the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code. The original ping of death attack is less common today; a related attack known as an ICMP flood attack is more prevalent.
Killer Poke
A method of inducing physical hardware damage on a machine or its peripherals by inserting invalid values into a memory-mapped control register. Example: BASIC's POKE command. Typically used to describe a family of fairly well-known commands/tricks that can overload (DoS) the analog electronics in CRT monitors lacking hardware sanity checking.
Christmas Tree Packet
A packet with every single option set for whatever protocol is in use. A large number of these can be used to DoS hardware devices by exploiting the fact that such packets require much more processing. Created by manipulating a TCP segment header and setting every flag/option.
Ping flood
A simple DoS that involves overwhelming a victim with ICMP "echo request" ping packets. Most effective when using the flood option of ping, which sends ICMP packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged to specify the flood option. Most successful when the attacker has more bandwidth than the victim. The attacker hopes that the victim will respond with ICMP echo reply packets, thus consuming both outgoing and incoming bandwidth. A flood ping can also be used as a diagnostic for network packet loss and throughput issues.
HTTP Flood
A sophisticated layer 7 attack that exploits HTTP GET and HTTP POST requests by using several sources (usually a botnet) to request a single resource from a web server, eventually overwhelming it and bringing it down. This attack does not use malformed packets, spoofing or reflection, and requires little bandwidth, making it difficult to detect and control.
Most common cause of a broadcast storm
A switching loop in the Ethernet wiring topology: when 2 or more paths exist between end stations
Hit-and-Run DDoS
A type of DDoS attack that uses short bursts of high-volume attacks at random intervals. Distinguished from a persistent DDoS, which continues until the attacker stops the attack or the server is able to defend against it. These attacks consistently bring down the server for 20-60 minute intervals over the span of days or weeks. Often used as a test before a persistent DDoS, or to exploit anti-DDoS software that was designed to only defend against persistent DDoS attacks.
Packet drop (Blackhole) Attack
A type of DoS attack in which a router that is supposed to relay packets instead discards them, due to the router being compromised. One cause for compromise is a DoS attack tool. A variant of this attack is called a Greyhound attack.
NXDOMAIN DNS flood
A variant of the DNS flood wherein an attacker floods the DNS server with requests for records that are nonexistent or invalid. The DNS server expends all of its resources looking for these records, its cache fills with bad requests, and it eventually has no resources left to serve legitimate requests.
DNS Flood
A variant of the UDP flood, wherein an attacker attempts to overload DNS servers with UDP requests, since DNS servers rely on the UDP protocol for name resolution. The goal is to render a domain unresponsive.
UDP Flood
A volumetric DoS attack that exploits UDP by sending a large number of UDP packets to random ports on a remote host. As a result, the remote server will: check for an application listening at that port; see that no application listens at that port; reply with an ICMP Destination Unreachable packet. Eventually the server is backlogged due to the overwhelming number of replies it must make, with so many requests waiting in the queue.
Martian packet
An IP packet seen on the public Internet that contains a source or destination address reserved for special use by IANA. Such a packet either has a spoofed source address or cannot be delivered. Can also arise from equipment malfunction or misconfiguration. In Linux terminology, a martian packet is one received by the kernel on a specific interface while the routing tables indicate that the source IP is expected on another interface.
Slashdot effect
An accidental DoS attack caused by a popular website linking to a smaller website, overloading the smaller website's web server. Slang: farked, drudged, Reddit effect, hug of death. Common causes of the crash are insufficient data bandwidth, servers that fail to cope with the high number of requests, and traffic quotas. Sites that are maintained on shared hosting services often fail when confronted with the Slashdot effect. Sometimes used interchangeably with the term "flash crowd".
Regular Expression DoS (REDOS)
An algorithmic complexity attack that produces a DoS by providing input (or a regular expression) that takes a very long time to evaluate. The attack exploits the fact that most regex engines have exponential worst-case time complexity: the time taken can grow exponentially in relation to input size. The target program will either slow down or become unresponsive.
List Linking Prevention
Most email subscription services attempt to prevent these by sending a confirmation email to new subscribers. These, however, often only contribute to the attack (the victim is instead flooded with confirmation emails). A better approach would be to have new subscribers email the site to validate their subscription.
Reflected (Spoofed) Attacks
Any DDoS attack that involves sending a large number of requests to a large number of computers. The source address of the requests is set to a victim computer's IP, so all replies flood that victim.
Amplification attacks
Any DoS/DDoS attack in which the reply packets are larger than the request packets that triggered them.
Why is a frame able to loop infinitely in a broadcast storm?
Because frame headers do not support a TTL value (see diagram; notice that no TTL field exists in Layer 2 frames).
Why are layer 7 attacks, such as HTTP floods, so difficult to mitigate?
Because it is difficult to distinguish the malicious traffic from normal traffic, especially when botnets are used to create the illusion that traffic is originating from several legitimate different source addresses
Why are fork bombs ineffective against modern Unix operating systems?
Because modern UNIX systems generally use a Copy-on-Write resource management technique when forking new processes
Why is a packet drop (blackhole) attack so difficult to detect and prevent?
Because packets are routinely dropped in a lossy network anyway.
Examples of resource exhaustion attacks
Billion laughs, fork bomb, infinite loop, LAND, Pentium F00F bug, ping of death, ReDoS
ARP spoofing is primarily used as a MITM attack, but may also be used to facilitate a DoS. How?
By linking multiple IPs to a single target's MAC address. The MAC address in this case belongs to the victim, not the attacker, and that victim is overwhelmed because it receives all traffic intended for the aforementioned IPs.
Mass Mailing
Consists of sending numerous duplicate emails to the same email address. These email bombs are easy to design but easily detected by spam filters. Commonly deployed using a botnet that targets a single address in order to evade spam filters (different source addresses, varying content).
List Linking (AKA email cluster bomb)
Consists of signing a single victim email address up to several email list subscriptions. The victim must manually unsubscribe from each. When carried out automatically using scripts, the attack is nearly impossible to trace back.
A SYN flood can occur in 3 different ways
Direct attack, spoofed attack, DDoS
2 Variations of HTTP Flood
GET flood: easier to design. POST flood: more effective.
Volume-Based Attacks
The goal is to flood a website with an overwhelming amount of traffic until the website's available bandwidth is used up. The most common of the 3 types. The strength of these attacks is measured in bits per second (bps). Examples include spoofed-packet attacks such as UDP floods.
Syn Flood prevention
Increasing the backlog queue, recycling the oldest half-open connection, SYN cookies, reducing the SYN-RECEIVED timer, SYN cache
Slowloris prevention
Increasing the maximum number of clients allowed; limiting the number of connections that a single IP may make; imposing restrictions on the minimum transfer speed a connection may have; restricting the length of time a client may stay connected; switching web server software, e.g. from Apache to nginx or lighttpd.
Fork Bomb Designs (Rabbits)
Insert image
HTTP Flood prevention
Issuing CAPTCHA-like challenges to requesting machines, a web application firewall, managing an IP reputation database to selectively block traffic, and on-the-fly analysis by engineers. During HTTP flood attacks, the request rate of a single zombie is typically far higher than that of a normal user. The most effective way to defend against this type of attack is to restrict the request rate of the source IP. This can be done with a WAF.
Which applications are most vulnerable to ReDoS attacks?
Mainly web applications and databases. If vulnerable regexes are the result of programming mistakes, email scanners and intrusion detection systems are also made vulnerable.
Slashdot effect prevention
Mirroring the target site; however, 2 drawbacks exist: a possible breach of copyright and loss of ad revenue.
Slowloris
Not an attack itself, but an attack tool that allows a single machine to take down a web server with minimal bandwidth and minimal side effects on unrelated services/ports. It attempts to keep many connections to the target web server open as long as possible by sending partial HTTP requests. The target opens a thread for each incoming request with the intent of closing the thread once the request is complete. Normally these threads time out; hence the need for continuous partial requests. The goal is to use up all threads.
Zip Bomb
Note: most mail servers are configured to unpack archives (zip files) and check their contents for malware. A zip bomb exploits this extra processing by the mail server by consisting of an enormous "junk" text file, e.g. the letter z repeated millions of times. The possible result is a DoS.
Ping of death prevention
One solution is to add checks to the reassembly process to make sure the maximum packet size constraint will not be exceeded after packet recombination. Another solution is to create a memory buffer with enough space to handle packets which exceed the guideline maximum. The original Ping of Death attack has mostly gone the way of the dinosaurs; devices created after 1998 are generally protected against this type of attack, though some legacy equipment may still be vulnerable. A new Ping of Death attack for IPv6 packets on Microsoft Windows was discovered more recently, and it was patched in mid 2013. Using an outside vendor: e.g. Cloudflare DDoS Protection mitigates Ping of Death attacks by dropping malformed packets before they reach the targeted host computer.
Ping flood prevention
Preventing an ICMP flood DDoS attack can be accomplished by disabling the ICMP functionality of the targeted router, computer or other device. By setting your perimeter firewall to block pings, you can effectively prevent attacks launched from outside your network. Outside vendor: e.g. Cloudflare mitigates this type of attack in part by standing between the targeted origin server and the ping flood. When each ping request is made, Cloudflare handles the processing and response of the ICMP echo request and reply on its network edge. This strategy takes the resource cost of both bandwidth and processing power off the targeted server and places it on Cloudflare's Anycast network.
Fork bomb prevention
Prevention involves limiting the number of processes that a user may own. 3 prevention methods on Linux: the ulimit utility (e.g. the command ulimit -u 30), the cgroups PID controller, and, on PAM-enabled systems, /etc/security/limits.conf. On FreeBSD, the system administrator can put limits in /etc/login.conf.
Protocol Attacks
Protocol attacks aim to exhaust server resources instead of bandwidth. They may also target communication equipment such as firewalls and load balancers. Conducted by making phony protocol requests in order to consume the available resources. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible. The strength of these attacks is measured in packets per second (pps). Examples include the Smurf DDoS, SYN floods and the Ping of Death.
ReDoS prevention
Remove the possibility for the user to execute arbitrary patterns on the server. *Needs more research. See evil regex
Symmetric vs Asymmetric DDoS attacks
Symmetric: the attackers need to generate the complete load with their own resources and transfer it to the victim (e.g. botnets). Asymmetric: the attacker can trigger a large reply (data quantity) from a small request (data quantity) by exploiting the asymmetric nature of some Internet protocols. This causes a small load on the attacker's side but a huge load/resource consumption on the victim's side.
Broadcast storm
The accumulation of broadcast (and possibly multicast) traffic on a network. Consumes sufficient network resources to render the network unable to transport normal traffic.
How is a DNS flood attack conducted?
The attacker runs scripts on several zombies that send malicious UDP packets to a target DNS server, typically from spoofed IP addresses
Greyhound Attack (variant of packet drop attack)
The malicious router can accomplish a packet drop attack selectively, for example by dropping: packets for a particular destination; packets at certain times; a packet every n packets and/or every t seconds; or a randomly selected portion of the packets.
Packet drop (blackhole) attack prevention
This attack can be quickly discovered with network tools such as traceroute if the malicious router attempts to drop all incoming packets. This will also generally cause other routers to remove the malicious router from their forwarding tables; eventually no traffic will flow to the attacker's router.
Application Layer Attacks
This type of attack targets vulnerabilities within applications (hence the name) such as Apache, Windows and OpenBSD. Layer 7 attacks are difficult to defend against, since it can be hard to differentiate malicious traffic from legitimate traffic. Measured in requests per second. Examples include HTTP floods (GET/POST floods) and Slowloris-based attacks.
UDP Flood prevention
Use firewalls to filter out unwanted network traffic (however, this method is becoming irrelevant as high-volume attacks can flood firewalls as well); ICMP rate limiting (however, this method may filter out legitimate traffic); Anycast technology using deep packet inspection and scrubbing software.
DoS/DDoS attacks can be divided into 3 broad categories based on how they're conducted
Volume-based attacks, protocol attacks, application layer attacks
How must fork bombs be designed for Windows?
Windows does not have an equivalent functionality to the Unix fork system call, so a Windows fork bomb must create new processes instead of forking an existing one
What types of networks are a frequent target of packet drop attacks?
Wireless ad hoc networks
Smurf attack
A distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. See image (9.9.9.9 is the victim IP).
A basic implementation of a fork bomb is
An infinite loop that repeatedly launches new copies of itself.
Email bombs
A form of net abuse that sends large volumes of email to an address in order to overflow the mailbox.
In Unix-like operating Systems, fork bombs are typically written to use...
The fork system call (e.g. in C, fork() is used to create child processes).