Module 10 Denial of Service

Uploaded by brooklg1

Denial of Service

Denial of Service Attack


• Denial-of-service (DoS) is an attack that prevents
authorized users from accessing a computer or network.
DoS attacks target the network bandwidth or connectivity.
Bandwidth attacks overflow the network with a high
volume of traffic using existing network resources, thus
depriving legitimate users of these resources. Connectivity
attacks overflow a computer with a large amount of
connection requests, consuming all available operating
system resources, so that the computer cannot process
legitimate user requests.
Distributed Denial of Service Attacks
• A distributed denial-of-service (DDoS) attack is a
large-scale, coordinated attack on the availability of
services on a target's system or network resources,
launched indirectly through many compromised
computers on the Internet.
Symptoms of a DoS Attack
• Unavailability of a particular website
• Inability to access any website
• Dramatic increase in the amount of spam emails
received
• Unusually slow network performance
DoS Attack Techniques
• Bandwidth Attacks
• Service Request Floods
• SYN Flooding Attacks
• ICMP Flood Attacks
• Peer-to-Peer Attacks
• Permanent Denial-of-Service Attacks
• Application-Level Flood Attacks
Bandwidth Attacks
• A bandwidth attack floods a network with a large
volume of malicious packets in order to overwhelm
the network bandwidth. The aim of a bandwidth attack
is to consume the network bandwidth of the targeted
network to such an extent that it starts dropping
packets. The dropped packets may include those of legitimate
users. A single machine cannot make enough requests
to overwhelm network equipment; therefore, DDoS
attacks were created, in which an attacker uses several
computers to flood a victim.
Service Request Floods
• Service request floods work on the connections-per-second
principle. In this DoS technique, the servers are flooded
with a high rate of connections from a valid source. The
attacker, or a group of zombies, attempts to exhaust server
resources by setting up and tearing down TCP connections.
Each connection typically carries a request, e.g., an
attacker may use his or her zombie army to fetch the home
page from a target web server repeatedly. The resulting
load on the server makes it sluggish.
SYN Attack
• A SYN attack is a simple form of DoS attack. In this attack,
an attacker sends a series of SYN requests to a target
machine (victim). When a client wants to begin a TCP
connection to the server.
• SYN flooding exploits a weakness in the TCP protocol and
results in a denial of service. This attack occurs when the
intruder sends unlimited SYN packets (requests) to the
host system. The packets are transmitted faster than the
system can handle them.
ICMP Flood Attack
• A DDoS ICMP flood attack occurs when zombies
send large volumes of ICMP_ECHO packets to a
victim system. These packets signal the victim's
system to reply, and the combination of traffic
saturates the bandwidth of the victim's network
connection. The source IP address may be spoofed.
Peer-to-Peer Attacks
• A peer-to-peer attack is one form of DDoS attack. In this
kind of attack, the attacker exploits a number of bugs in
peer-to-peer servers to initiate a DDoS attack. Attackers
exploit flaws found in networks that use the DC++ (Direct
Connect) protocol, which allows the exchange of files
between instant messaging clients. This kind of attack
doesn't use botnets. Unlike a botnet-based attack, a
peer-to-peer attack eliminates the need for the attacker
to communicate with the clients it uses.
Permanent Denial-of-Service
Attack
• Permanent denial-of-service (PDoS) is also known as
phlashing. This refers to an attack that damages the
system and makes the hardware unusable for its
original purpose until it is either replaced or
reinstalled. A PDoS attack exploits security flaws
that allow remote administration of the
management interfaces of the victim's hardware,
such as printers, routers, and other networking
hardware.
Application-level Flood Attacks
• Application-level flood attacks have rapidly become a
conventional threat for doing business on the Internet.
Web application security is more critical than ever. This
attack can result in substantial loss of money, service and
reputation for organizations. Usually, the loss of service is
the inability of a specific network service, such as
email, to remain available, or the temporary loss of all
network connectivity and services. Using this attack,
attackers destroy programming source code and files in
affected computer systems.
Botnet
• The term botnet is derived from the word roBOT
NETwork, which is also called zombie army. A botnet
is a huge network of compromised systems. It can
compromise huge numbers of machines without the
intervention of machine owners. Botnets consist of a
set of compromised systems that are monitored for a
specific command infrastructure.
Botnet cont’d
• Botnets are also referred to as agents that an
intruder can send to a server system to perform
some illegal activity. They are hidden programs
that allow identification of vulnerabilities. It is
advantageous for attackers to use botnets to perform
illegitimate actions such as stealing sensitive
information (e.g., credit card numbers) and sniffing
confidential company information.
Botnet cont’d
• Botnets are used for both positive and negative purposes.
They help in various useful services such as search engine
indexing and web spidering, but can also be used by an
intruder to create denial-of-service attacks. Systems that
are not patched are most vulnerable to these attacks. As
the size of a network increases, the possibility of a
system in it being vulnerable also increases. An intruder can
scan network ranges to identify which ones are vulnerable
to attacks. In order to attack a system, an intruder targets
machines with Class B network ranges.
Botnet Propagation Technique
• Botnet propagation is the technique used to hack a
system and grab tradable information from it
without the victim's knowledge. In this attack, the
criminal doesn't attack the victim system directly;
instead, he or she performs attacks with the help of
other attackers. The criminal configures an affiliation
network as a distribution channel. The job of
campaign managers is to hack a legitimate site and
insert a reference to malicious code into it. The malicious
code is usually operated by other attackers.
Botnet Ecosystem
• A group of computers infected by bots is called a botnet. A bot is a
malicious program that allows cybercriminals to control and use
compromised machines to accomplish their own goals, such as
scams, launching DDoS attacks, distributing spam, etc. The
advent of botnets led to an enormous increase in cybercrime.
Botnets form the core of the cybercriminal activity center that
links and unites various parts of the cybercriminal world.
Cybercriminal service suppliers are a part of the cybercrime
network. These suppliers offer services such as malicious code
development, bulletproof hosting, creation of browser exploits,
and encryption and packing.
Botnet Ecosystem cont’d
• Typically, the botnet ecosystem is divided into three
parts, namely trade market, DDoS attack, and spam. A
botmaster is the person who makes money by facilitating
the infected botnet groups for service on the black
market. The master searches for vulnerable ports and
uses them as candidate zombies to infect. The infected
zombies further can be used to perform DDoS attacks.
On the other hand, spam emails are sent to randomly
chosen users. All these activities together guarantee the
continuity of malicious botnet activities.
Botnet Trojan: sharK
• sharK is a reverse-connecting, firewall-bypassing
remote administration tool written in VB6. With
sharK, you will be able to administrate any PC (running
a Windows OS) remotely.
Poison Ivy
• Poison Ivy is an advanced remote administration tool
that uses an encrypted "reverse connection" to bypass
firewalls. It gives an attacker the option
to access, monitor, or even take control of a
compromised system. Using this tool, attackers can
steal passwords, banking or credit card information,
as well as other personal information.
Botnet Trojan: PlugBot
• PlugBot is a hardware botnet project. It is a covert
penetration testing device (bot) designed for
covert use during physical penetration tests. PlugBot
is a tiny computer that looks like a power adapter;
this small size allows it to go physically undetected
while being powerful enough to scan, collect, and
deliver test results externally.
NetBot Attacker
• NetBot Attacker has a simple Windows user interface
for controlling botnets. Attackers use it for commanding
and reporting on networks, and even for commanding attacks.
It ships as two RAR files; one contains an INI file and the
other a simple EXE. It is more powerful when more bots are
used against the servers. With the help of a bot,
attackers can execute or download a file, open
certain web pages, and even turn off all PCs.
DDoS Attack
• In a DDoS attack, a group of compromised systems
usually infected with Trojans are used to perform a
denial-of-service attack on a target system or
network resource. The figure that follows shows how
an attacker performs a DDoS attack with the help of
an LOIC tool.
DDoS Attack Tool: LOIC
• LOIC is an open source tool, written in C#. The main purpose of
the tool is to conduct stress tests of web applications, so that
developers can see how a web application behaves under a
heavier load. Of course, a stress application, which could be
classified as a legitimate tool, can also be used in a DDoS attack.
LOIC basically turns the computer's network connection into a
firehose of garbage requests directed towards a target web
server. On its own, one computer rarely generates enough TCP,
UDP, or HTTP requests at once to overwhelm a web server;
garbage requests can easily be ignored while legitimate requests for
web pages are responded to as normal.
Cont’d
• But when thousands of users run LOIC at once, the
wave of requests becomes overwhelming, often
shutting a web server (or one of its connected
machines, like a database server) down completely,
or preventing legitimate requests from being
answered.
How botnet owners make money
• So how do botnet owners make money with infected
computers? There are several major sources of
income: DDoS attacks, theft of confidential
information, spam, phishing, SEO spam, click fraud,
and distribution of adware and malicious programs.
It should be noted that, if chosen, any of these
sources can provide a cybercriminal with a good
income. But why choose? A botnet can perform all of
these activities… at the same time.
DoS Attack Tool: DoSHTTP
• DoSHTTP is HTTP flood denial-of-service (DoS)
testing software for Windows. It includes URL
verification, HTTP redirection, and performance
monitoring. It uses multiple asynchronous sockets to
perform an effective HTTP flood. It can be used
simultaneously on multiple clients to emulate a
distributed-denial-of-service (DDoS) attack. It also
allows you to test web server performance and
evaluate web server protection software.
Detection Techniques
• The detection techniques for DoS attacks are based on
identifying and discriminating the illegitimate traffic
increases and flash events from legitimate packet
traffic.
• There are three kinds of detection techniques: activity
profiling, change-point detection, and wavelet-based
signal analysis. All detection techniques define an
attack as an abnormal and noticeable deviation from a
threshold of normal network traffic statistics.
Wavelet-based Signal Analysis
• Wavelet analysis describes an input signal in terms of spectral
components. Conventional (Fourier) spectral analysis provides a global
frequency description with no time localization, whereas wavelets
provide concurrent time and frequency descriptions. This makes it
easy to determine the time at which certain frequency components
are present. The input signal contains both time-localized anomalous
signals and background noise. In order to detect the attack traffic,
the wavelets separate these time-localized signals from the noise
components. The presence of anomalies can be determined by analyzing
each spectral window's energy. The anomalies found may represent
misconfiguration or network failure, flash events, and attacks such
as DoS, etc.
Sequential Change-Point Detection
• Sequential change-point detection algorithms
segregate the abrupt changes in traffic statistics
caused by attacks. This detection technique initially
filters the target traffic data by port, address, and
protocol and stores the resultant flow as a time
series. This time series can be considered as the
time-domain representation of a cluster's activity.
The time series shows a statistical change at the time
the DoS flooding attack begins.
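The following is an added example, not part of the module, showing the change-point procedure described above on constructed data: flow records are filtered by protocol and destination port, binned into a per-second time series, and a one-sided CUSUM test flags the second at which the traffic mean shifts. The flow records, the baseline length and the CUSUM constants (k = 0.5 sigma, h = 5 sigma) are all assumptions chosen for the illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flow records (not real captures):
# (second, protocol, dst_port, packet_count). Web traffic runs at a
# steady ~51 packets/s for 20 seconds, then surges to ~400 packets/s.
SAMPLE_FLOWS = (
    [(t, "tcp", 80, 50 + (t % 3)) for t in range(0, 20)]      # baseline web traffic
    + [(t, "udp", 53, 10) for t in range(0, 30)]               # DNS noise, filtered out
    + [(t, "tcp", 80, 400 + (t % 5)) for t in range(20, 30)]  # surge starting at t = 20
)


def to_time_series(flows, protocol, dst_port, n_seconds):
    """Filter flows by protocol and destination port, then bin the packet
    counts per second so the cluster's activity becomes a time series."""
    counts = Counter()
    for sec, proto, port, pkts in flows:
        if proto == protocol and port == dst_port:
            counts[sec] += pkts
    return [counts.get(s, 0) for s in range(n_seconds)]


def cusum_change_point(series, baseline_len, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM detector. Normal statistics (mean, std dev) are
    learned from the first `baseline_len` samples; the cumulative excess
    over (mean + k) is tracked and the index at which it crosses the
    threshold h is returned. Returns None if no upward shift is found."""
    base = series[:baseline_len]
    mu = mean(base)
    sigma = pstdev(base) or 1.0   # guard against a perfectly flat baseline
    k = k_sigma * sigma           # slack: ignore small fluctuations
    h = h_sigma * sigma           # decision threshold
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) - k)
        if s > h:
            return i
    return None


def detect_flood(flows, protocol, dst_port, n_seconds, baseline_len):
    """End-to-end: filter, bin, and locate the change point (or None)."""
    series = to_time_series(flows, protocol, dst_port, n_seconds)
    return cusum_change_point(series, baseline_len)


if __name__ == "__main__":
    print("web change point:", detect_flood(SAMPLE_FLOWS, "tcp", 80, 30, 20))
    print("dns change point:", detect_flood(SAMPLE_FLOWS, "udp", 53, 30, 20))
```

The baseline-only series never trips the detector, the filtered DNS series (a flat 10 packets/s) is reported as clean, and the web series is flagged at second 20, the first second of the surge. In practice the baseline window would be learned from a longer quiet period and the thresholds tuned to the link.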
DoS/DDoS Countermeasure
Strategies
There are three types of countermeasure strategies
available for DoS/DDoS attacks:
• Absorb the attack
• Degrade services
• Shut down services
Countermeasures
There are six countermeasures against DDoS attacks:
• Protect secondary targets
• Neutralize handlers
• Prevent potential attacks
• Deflect attacks
• Mitigate attacks
• Post-attack forensics
Protect Secondary Victims
Individual Users
• Potential secondary victims can be protected from
DDoS attacks, thus preventing them from becoming
zombies. This demands intensified security
awareness and the use of prevention techniques. To
keep attackers from compromising secondary
victims' systems and infecting them with DDoS
agents, clients must continuously monitor their own
security.
Protect Secondary Victims
Network Service Providers
• Service providers and network administrators can
resort to dynamic pricing for their network usage so
that potential secondary victims become more active
in preventing their computers from becoming part of
a DDoS attack. Providers can charge differently as per
the usage of their resources. This would force
providers to allow only legitimate customers onto
their networks.
Detect and Neutralize Handler
• The DDoS attack can be stopped by detecting and neutralizing
the handlers, which are intermediaries for the attacker to
initiate attacks. Finding and stopping the handlers is a quick
and effective way of counteracting against the attack.
• There are usually only a few DDoS handlers deployed compared
to the number of agents, so neutralizing a few handlers can
possibly render multiple agents useless. Since agents form the
core of the attacker's ability to spread an attack, neutralizing
the handlers to prevent the attacker from using them is an
effective strategy to prevent DDoS attacks.
Detect Potential Attacks
• Ingress filtering: Ingress filtering doesn't offer
protection against flooding attacks originating from
valid prefixes (IP addresses); rather, it prohibits an
attacker from launching an attack using forged source
addresses that do not obey ingress filtering rules.
Cont’d
• Egress Filtering: In this method of traffic filtering, the IP
packet headers that are leaving a network are initially
scanned and checked to see whether they meet certain
criteria. Only the packets that pass the criteria are routed
outside of the sub-network from which they originated; the
packets which don't pass the criteria will not be sent. There
is a good possibility that the source addresses of DDoS
attack packets will not represent the source address of a
valid user on a specific sub-network as the DDoS attacks
often use spoofed IP addresses.
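As an added illustration of the ingress and egress rules described above (this is example code, not part of the module), the snippet below applies both checks to constructed packets on a border router protecting one sub-network. The sub-network prefix (203.0.113.0/24, a documentation range), the bogon list and the packet samples are assumptions; the rule is the one in the text: outbound packets must carry a source inside the sub-network, and inbound packets must not claim a source inside it.

```python
import ipaddress

# Assumed sub-network behind the border router (documentation range, constructed).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Address blocks that should never appear as a source on the Internet side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def egress_allowed(src_ip, local_net=LOCAL_NET):
    """Egress rule: a packet leaving the sub-network must carry a source
    address that belongs to that sub-network; anything else is spoofed."""
    return ipaddress.ip_address(src_ip) in local_net


def ingress_allowed(src_ip, local_net=LOCAL_NET, bogons=BOGONS):
    """Ingress rule: a packet arriving from the Internet may not claim a
    source inside our own prefix or inside a non-routable block."""
    addr = ipaddress.ip_address(src_ip)
    if addr in local_net:
        return False
    return not any(addr in net for net in bogons)


def filter_packets(packets, direction):
    """Split packets into (forwarded, dropped) for the given direction."""
    check = egress_allowed if direction == "egress" else ingress_allowed
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if check(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample packets: only the source address matters here.
OUTBOUND = [
    {"src": "203.0.113.10", "dst": "198.51.100.7"},   # genuine local host
    {"src": "198.51.100.7", "dst": "192.0.2.1"},      # spoofed: not our prefix
    {"src": "10.1.2.3", "dst": "192.0.2.1"},          # spoofed: private source
]
INBOUND = [
    {"src": "198.51.100.7", "dst": "203.0.113.10"},   # legitimate remote host
    {"src": "203.0.113.25", "dst": "203.0.113.10"},   # spoofed: claims our prefix
    {"src": "192.168.1.1", "dst": "203.0.113.10"},    # spoofed: bogon source
]

if __name__ == "__main__":
    for direction, pkts in (("egress", OUTBOUND), ("ingress", INBOUND)):
        fwd, drop = filter_packets(pkts, direction)
        print(f"{direction}: forwarded {len(fwd)}, dropped {len(drop)}")
```

Note what the text also says: neither rule stops a flood that uses a real, correctly-prefixed source address; they only remove the forged-source packets, which is why the two filters are a complement to, not a replacement for, the rate-based defenses later in the module.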
Cont’d
• TCP Intercept: In TCP intercept mode, the software
intercepts the SYN packets sent by clients to the server
and matches them against an extended access list. If a match is
found, the software establishes a connection with the client
on behalf of the destination server. Similarly, the software
establishes a connection with the destination server on
behalf of the client. Once the two half
connections are established, the software joins them
transparently. Thus, the TCP intercept software prevents
fake connection attempts from reaching the server.
Deflect Attacks
• Recent research reveals that a honeypot can imitate all
aspects of a network including its web servers, mail servers,
and clients. This is done to gain the attention of the DDoS
attackers. A honeypot is designed to attract DDoS attackers,
so that it can install the handler or an agent code within the
honeypot. This stops legal systems from being
compromised. In addition, this method grants the owner of
the honeypot a way to keep a record of handler and/or
agent activity. This knowledge can be used for defending
against any future DDoS installation attacks.
Deflect Attacks cont’d
• KFSensor: KFSensor acts as a honeypot to attract and
detect hackers and worms by simulating vulnerable
system services and Trojans. By acting as a decoy
server, it can divert attacks from critical systems and
provide a higher level of information than can be
achieved by using firewalls and NIDS alone.
Mitigate Attacks
There are two ways in which DoS/DDoS attacks can be
mitigated or stopped:
• Load Balancing: Bandwidth providers can increase their
bandwidth in case of a DDoS attack to prevent their servers
from going down. A replicated server model can also be used
to minimize the risk.
• Throttling: Min-max fair server-centric router throttles can be
used to prevent the servers from going down. This method
enables the routers in managing heavy incoming traffic so
that the server can handle it. It can also be used to filter
legitimate user traffic from fake DDoS attack traffic.
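The throttling bullet above refers to server-centric router throttles that are max-min fair. The following added example (not code from the module or from the cited research) simulates a simplified version of that idea: each upstream router forwards at most a common rate cap, and the server halves the cap while its aggregate arrival rate exceeds an upper bound and raises it additively while arrivals fall below a lower bound. The per-router demands, the server bounds, the halving/additive constants and the round limit are all assumptions chosen for illustration.

```python
def throttle(demands, rate_cap):
    """Max-min fair throttle: each router forwards min(demand, rate_cap).
    Routers whose demand is already below the cap are left untouched."""
    return [min(d, rate_cap) for d in demands]


def converge_rate(demands, lower, upper, step=5.0, max_rounds=50):
    """Server-driven control loop (simplified): shrink the cap
    multiplicatively while aggregate arrivals exceed `upper`, grow it
    additively while they fall below `lower`. Returns (cap, aggregate)."""
    cap = float(max(demands))            # start unthrottled
    total = sum(throttle(demands, cap))
    for _ in range(max_rounds):
        total = sum(throttle(demands, cap))
        if total > upper:
            cap /= 2                     # server overloaded: back off quickly
        elif total < lower:
            cap += step                  # headroom available: ease the cap
        else:
            break                        # aggregate within the target band
    return cap, total


# Constructed demands in packets/s from five upstream routers: three carry
# ordinary user traffic, two sit in front of flooding sources.
DEMANDS = [20, 30, 500, 600, 25]
SERVER_LOWER, SERVER_UPPER = 150, 200   # assumed server capacity band


def run_simulation(demands=DEMANDS, lower=SERVER_LOWER, upper=SERVER_UPPER):
    """Return the converged cap, the aggregate rate, and per-router rates."""
    cap, total = converge_rate(demands, lower, upper)
    return cap, total, throttle(demands, cap)


if __name__ == "__main__":
    cap, total, forwarded = run_simulation()
    print(f"cap={cap} pkt/s, aggregate={total} pkt/s, per-router={forwarded}")
```

With these inputs the cap halves from 600 to 37.5 and the aggregate settles at 150 packets/s. The three low-volume routers are never throttled because their demand stays under the cap, while the two high-volume routers are cut to the cap: that is the max-min fairness property the slide is describing, and it is why this kind of throttle "filters" flood traffic without an explicit signature.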
Post-Attack Forensics
• Sometimes, even when a lot of attention is paid to the
security of a computer or network, malicious hackers
manage to break into the system. In such cases, one
can use post-attack forensic methods to get rid
of DDoS attacks.
Techniques to Defend against
Botnets
• RFC 3704 Filtering
• Black Hole Filtering
• DDoS Prevention Offerings from ISP or DDoS Service
• Cisco IPS Source IP Reputation Filtering
DoS/DDoS Countermeasures
• Disable unused and insecure services
• Block all inbound packets originating from the
service ports to block the traffic from the
reflection servers
• Update the kernel to the latest release
• Improved routing protocols are desirable,
particularly for multi-hop WMNs
Cont’d
• Configure the firewall to deny external Internet
Control Message Protocol (ICMP) traffic access
• Prevent the use of unnecessary functions such as
gets, strcpy, etc.
• Secure remote administration and connectivity
testing
• Prevent return addresses from being overwritten
DoS/DDoS Protection at the ISP
Level
• Most ISPs simply block all the requests during a DDoS
attack, denying legitimate traffic from accessing the
service. ISPs offer in-the-cloud DDoS protection for
Internet links so that they do not become saturated
by an attack. Attack traffic is redirected to the ISP
during the attack to be filtered and sent back.
Administrators can request ISPs to block the original
affected IP and move their site to another IP after
performing DNS propagation.
Advanced DDoS Protection
Appliances
• FortiDDoS-300A
• DDoS Protector
• Cisco Guard XT 5650
• Arbor Pravail: Availability Protection System
DoS/DDoS Protection Tool: D-Guard Anti-DDoS Firewall
• D-Guard Anti-DDoS Firewall provides DDoS
protection. It offers protection against DoS/DDoS,
Super DDoS, DrDoS, fragment attacks, SYN flooding
attacks, IP flooding attacks, UDP, mutation UDP,
random UDP flooding attacks, ICMP, ICMP flood
attacks, ARP spoofing attacks, etc.
Penetration Testing
• Step 1: Define the objective
• Step 2: Test for heavy loads on the server
• Step 3: Check for DoS vulnerable systems
• Step 4: Run a SYN attack on the server
• Step 5: Run port flooding attacks on the server
• Step 6: Run an email bomber on the email servers
• Step 7: Flood the website forms and guestbook with bogus
entries
• Step 8: Document all the findings