Chapter 6: Denial of Service

Copyright by EC-Council Press All rights reserved. Reproduction is strictly prohibited

Objectives
- Define what a denial-of-service attack is
- Identify the types of denial-of-service attacks
- List the tools that facilitate a denial-of-service attack
- Define bots
- Explain what a distributed denial-of-service attack is

Objectives (contd.)
- Identify the taxonomy of a distributed denial-of-service attack
- Define what a reflected denial-of-service attack is
- List tools that facilitate a distributed denial-of-service attack
- List countermeasures to a distributed denial-of-service attack

Case Example 1
- Henderson, an investigative journalist in the field of information security, set up a new security portal called HackzXposed4u
- The portal claimed to expose the activities and identities of all known hackers across the globe
- He planned a worldwide launch on March 28
- The portal received wide media coverage before its release
- Within five minutes of launch, the server crashed
- A large number of computers connected to the Internet played the role of zombie machines, and all were directed toward the HackzXposed4u portal

Case Example 2
- The blogging service wordpress.com was hit with a denial-of-service attack
- The attack caused heavy loads on the server, making it inaccessible
- In the same attack, CNN Interactive was unable to update its stories for two hours
- A devastating problem for a news organization that takes pride in its timeliness
Introduction to Denial of Service
- Denial-of-service (DoS) attack: the attacker overloads a system's resources, bringing the system down or at least significantly slowing its performance
- Targets network bandwidth or connectivity
- Examples:
  - Flooding the victim with more traffic than it can handle
  - Flooding a service (such as IRC) with more events than it can handle
  - Crashing a TCP/IP stack by sending corrupt packets

Overview
- Goal of a DoS attack: keep legitimate users from using the system
- Attackers may do the following:
  - Attempt to flood a network in order to prevent legitimate traffic
  - Attempt to disrupt connections in order to disrupt access to a service
  - Attempt to prevent a particular user from accessing a service
  - Attempt to disrupt service to a specific system

Impact and the Modes of Attack
- Denial-of-service attacks can compromise the computers in a network
- Network connectivity: the goal is to stop hosts or networks from communicating on the network, or to disrupt network traffic
- Misuse of internal resources: in a fraggle attack, forged UDP packets are used to connect the echo service on one machine to the character generator on another machine
- Bandwidth consumption: an attacker can consume all of the bandwidth on a network by generating a large number of packets

Impact and the Modes of Attack (contd.)
- Consumption of other resources: attackers may be able to consume other resources that systems need to operate
- Destruction or alteration of configuration information: altering the configuration of a computer, or of the components in the network, may disrupt the normal functioning of the system
Types of Attacks
- DoS attack classification:
  - Smurf
  - Buffer overflow attack
  - Ping of death
  - Teardrop
  - SYN flood
- Distributed denial-of-service attacks: multiple compromised systems are coordinated in an attack against one target
Types of Attacks (contd.)
- Figure 6-1: In this attack, the systems on the network respond to the spoofed IP address.

DoS Attack Tools
- Tools include: Jolt2, Bubonic, Land and LaTierra, Targa, Blast, Nemesy, Panther2, Crazy Pinger, Some Trouble, UDP Flood, FSMax
DoS Attack Tools (contd.)
- Figure 6-3: Bubonic's sending of so many random packets to a machine quickly overwhelms system resources.

Bots
- Bots: software applications that run automated tasks over the Internet
- Types of bots: Internet bots, IRC bots, and chatter bots
- Botnets:
  - The term is derived from the phrase roBOT NETwork
  - Can be composed of a huge network of compromised systems
  - Also referred to as agents that an intruder can send to a server system to perform some illegal activity

Bots (contd.)
- Uses of botnets:
  - Distributed denial-of-service attacks
  - Spamming
  - Sniffing traffic
  - Keylogging
  - Spreading new malware
  - Installing advertisement add-ons
  - Google AdSense abuse
  - Attacking IRC chat networks
  - Manipulating online polls and games
  - Mass identity theft

Bots (contd.)
- How bots infect: an analysis of Agobot
  - Step 1: Method of infection
  - Step 2: Massive spreading stage
  - Step 3: Connect back to IRC
  - Step 4: Attacker takes control of the victim's computer
- Process termination: Agobots are also designed to interrupt programs that appear to be antivirus or other security programs
- NuclearBot: an IRC bot that can be used for floods, managing, utilities, spread, and IRC-related actions

Bots (contd.)
- Figure 6-8: This shows how an Agobot infection spreads.

What Is a DDoS Attack?
- Distributed denial-of-service (DDoS) attack: a large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers on the Internet
- Main objective of any DDoS attacker: gain administrative access on as many systems as possible
- Early attacks: in February 2000, one of the first major DDoS attacks was waged against yahoo.com

What Is a DDoS Attack? (contd.)
- Is DDoS stoppable?
  - DDoS attacks are common against noncommercial entities
  - A firewall does not guarantee 100% protection against attacks, but it can prevent some DoS/DDoS attacks
- How to conduct a DDoS attack:
  - Write a virus that will send ping packets to a target network/Web site
  - Infect a minimum of 30,000 computers (zombies)
  - Trigger the zombies to launch the attack by sending wake-up signals
  - The zombies will keep attacking the target server until they are disinfected

What Is a DDoS Attack? (contd.)
- Figure 6-11: Many distributed denial-of-service attacks use the agent/handler model.

What Is a DDoS Attack? (contd.)
- Agent/handler model:
  - Consists of clients, handlers, and agents
  - Agent software is installed on the compromised systems that will carry out the attack
  - Agents can be configured to communicate with a single handler or with multiple handlers
  - Handler software is placed on a compromised router or network server
  - The terms master and daemon are often used for handler and agent

What Is a DDoS Attack? (contd.)
- DDoS IRC-based model:
  - Internet Relay Chat (IRC): a multiuser online chatting system consisting of a network of servers located throughout the Internet
  - An IRC-based DDoS attack network is just like the agent/handler DDoS attack model
  - It is installed on a network server instead of using a handler program
  - It makes use of the IRC communication channel to connect the attacker to the agents

DDoS Attack Taxonomy
- Figure 6-12: The main types of attacks deplete either bandwidth or system resources.

The Reflected DoS Attacks
- The TCP three-way handshake is exploited
- Zombies send out a large number of SYN packets with the target system as the IP source address
- For each SYN packet received by a reflector, up to four SYN/ACK packets will be generated
- Bandwidth multiplication: the reflection servers emit several times more SYN/ACK attack traffic than the triggering SYN traffic they receive
- Parallel damage: instead of sending SYN packets to the server under attack, the attacker reflects them off any router or server connected to the Internet

Reflective DNS Attacks
- Figure 6-14: In reflective attacks, bots bounce requests off of servers to amplify the number of requests and halt the victim system.

DDoS Tools
- Classic tools include: Tribal Flood Network (TFN), TFN2K, Shaft, Trinity, Knight, Kaiten, Mstream
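The reflected attack works only as long as the reflector keeps answering SYNs from the spoofed source. The chapter's countermeasure list includes having servers recognize a SYN source address that never completes its connections; the following Python detector is an added example of that check, written for this page and not taken from the EC-Council text. It replays a constructed list of handshake observations as a server would see them, reports addresses whose SYNs almost never complete, and estimates how many reflected SYN/ACKs are avoided by no longer answering them, using the page's "up to four SYN/ACK packets per SYN" figure. The sample addresses, the thresholds and the four-per-SYN multiplier are assumptions.

```python
"""Half-open handshake detector (added example; not from the EC-Council text).

Replays a constructed list of TCP handshake observations as a server would
see them and reports client addresses that keep sending SYNs but never send
the ACK that completes the three-way handshake. In a reflected attack that
"client" is the spoofed victim address, so suppressing SYN/ACKs to it is
what stops the reflected traffic.
"""
from collections import defaultdict

# Constructed observations in arrival order: (client_ip, flag).
# "S" = SYN from the client, "A" = the client's handshake-completing ACK.
SAMPLE_EVENTS = (
    [("10.0.0.5", "S"), ("10.0.0.5", "A"),      # normal client
     ("10.0.0.6", "S"), ("10.0.0.6", "A"),      # normal client
     ("10.0.0.7", "S")]                          # a single stray half-open: normal
    + [("198.51.100.20", "S")] * 25              # address that never completes
)

# Assumed tuning values; a real deployment derives them from baseline traffic.
MIN_SYNS = 10                 # ignore sources below this volume
MAX_COMPLETION_RATIO = 0.1    # flag if at most 10% of a source's SYNs complete
SYNACK_PER_SYN = 4            # page's figure: up to four SYN/ACKs per unanswered SYN


def half_open_summary(events):
    """Return {client_ip: (syn_count, completed_count)} for every SYN sender."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    for ip, flag in events:
        if flag == "S":
            syns[ip] += 1
        elif flag == "A" and syns.get(ip, 0) > completed[ip]:
            completed[ip] += 1   # only count ACKs that answer an open SYN
    return {ip: (syns[ip], completed[ip]) for ip in syns}


def never_completing_sources(events, min_syns=MIN_SYNS,
                             max_ratio=MAX_COMPLETION_RATIO):
    """Sorted list of addresses whose SYNs almost never complete a handshake."""
    flagged = []
    for ip, (syn_count, done) in half_open_summary(events).items():
        if syn_count >= min_syns and done / syn_count <= max_ratio:
            flagged.append(ip)
    return sorted(flagged)


def reflected_synacks_avoided(events, per_syn=SYNACK_PER_SYN):
    """SYN/ACKs the server stops emitting toward each flagged address once it
    stops answering: unanswered SYNs times the per-SYN retransmission count."""
    summary = half_open_summary(events)
    return {ip: (summary[ip][0] - summary[ip][1]) * per_syn
            for ip in never_completing_sources(events)}


if __name__ == "__main__":
    avoided = reflected_synacks_avoided(SAMPLE_EVENTS)
    for ip in never_completing_sources(SAMPLE_EVENTS):
        print(f"suppress SYN/ACK to {ip}: {avoided[ip]} reflected packets avoided")
```

The single half-open connection from 10.0.0.7 is deliberately left unflagged: a minimum-volume threshold keeps ordinary packet loss from putting legitimate clients on the suppression list, and any address that is suppressed should age out rather than stay blocked indefinitely, since the flagged address is the victim, not the attacker.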
Suggestions for Preventing DoS/DDoS Attacks
- Precautionary steps:
  - Prevent installation of distributed attack tools on the systems
  - Prevent origination of IP packets with spoofed source addresses
  - Monitor the network for signatures of distributed attack tools
  - Employ stateful inspection firewalling
- What to do if involved in a denial-of-service attack: security policies should include emergency out-of-band communication procedures to network operators and/or emergency response teams

Suggestions for Preventing DoS/DDoS Attacks (contd.)
- Countermeasures for reflected DoS:
  - Router port 179 can be blocked as a reflector
  - Routers can also be configured to filter (drop) packets destined for a particular address
  - Servers could be programmed to recognize a SYN source IP address that never completes its connections
  - ISPs could prevent the transmission of fraudulently addressed packets
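Two of the precautions above, preventing the origination of spoofed-source packets and having ISPs drop fraudulently addressed packets, come down to the same check at a network border: a packet may leave only with a source address that belongs to the site, and a packet may enter only with one that does not. The Python below is an added example of that filter, written for this page rather than taken from the EC-Council text; the site prefixes and the inbound and outbound packets are constructed values.

```python
"""Anti-spoofing source-address filter (added example; not from the EC-Council text).

Models the two checks a border router can apply so that forged-source packets
are neither originated from this network nor accepted into it:
  - egress: a packet leaving the site must carry a source inside the site's prefixes
  - ingress: a packet arriving from the Internet must NOT carry a source inside them
"""
import ipaddress

# Assumed site prefixes (documentation ranges used as constructed values).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Constructed outbound packets: (source, destination).
OUTBOUND = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate
    ("198.51.100.7", "203.0.113.5"),    # legitimate
    ("203.0.113.77", "203.0.113.5"),    # source is not ours: spoofed
    ("10.1.1.1", "203.0.113.5"),        # private source: must never leave
]

# Constructed inbound packets: (source, destination).
INBOUND = [
    ("203.0.113.5", "192.0.2.10"),      # normal reply from outside
    ("192.0.2.10", "192.0.2.20"),       # claims to be ours but arrived from outside: spoofed
]


def source_in_site(src, prefixes=SITE_PREFIXES):
    """True when the source address falls inside one of the site's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into (forwarded, dropped): only site sources may leave."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if source_in_site(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


def ingress_filter(packets, prefixes=SITE_PREFIXES):
    """Split inbound packets into (accepted, dropped): a site source arriving
    from the Internet can only be forged."""
    accepted, dropped = [], []
    for src, dst in packets:
        (dropped if source_in_site(src, prefixes) else accepted).append((src, dst))
    return accepted, dropped


if __name__ == "__main__":
    _, out_dropped = egress_filter(OUTBOUND)
    _, in_dropped = ingress_filter(INBOUND)
    print("egress drops :", out_dropped)
    print("ingress drops:", in_dropped)
```

Applied at every customer edge, the egress check is what keeps a compromised host from ever emitting the SYNs-with-victim-source that a reflected attack depends on; the ingress check protects the site's own servers from being tricked into replying to their own addresses.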
Suggestions for Preventing DoS/DDoS Attacks (contd.)
- XDCC vulnerability:
  - XDCC is a peer-to-peer variant that uses automated bots to connect to IRC servers
  - IROffer is the most common bot; it connects to a predefined IRC channel and posts the most popular files it has for downloading
- Tools for detecting DDoS attacks: ipgrep, tcpdstat, findoffer

Taxonomy of DDoS Countermeasures
- Figure 6-17: Being fully prepared for an attack means using as many of the available countermeasures as possible.

Summary
- Denial-of-service attacks prevent legitimate users from accessing the resources and services in their network
- Smurf, buffer overflow, and ping of death are some of the types of DoS attacks
- SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
- In distributed denial-of-service attacks, a multitude of compromised systems are engaged to bring down a target system
- There can be resource depletion attacks

Summary (contd.)
- Trinoo, TFN, TFN2K, and MStream are some of the tools attackers use to cause a DDoS attack
- Countermeasures include preventing systems from being compromised and becoming secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack