10.

1 DOS
 DOS & DDOS
CONCEPTS
 A type of attack on a service that disrupts its normal function and prevents other
users from accessing it
 Typically aimed at a website, but can attack whole networks, a specific server, or a
specific application
 DoS can be achieved by:
 Flooding the network or routers/switches with traffic (consuming all network bandwidth)
 Consuming all of a server’s CPU, RAM or disk resources
 Consuming all of a server’s permitted concurrent TCP connections

 DoS attacks can cause the following problems:

 Ineffective services
 Inaccessible services
 Interruption of network traffic
 Connection interference
 Volumetric Attacks
 Designed to consume network bandwidth so authorized clients cannot connect

 Fragmentation Attacks
 Designed to keep a target busy with packet fragments that cannot be reassembled

 TCP State-Exhaustion Attacks

 Designed to consume connection state tables in network infrastructure components

 Application Layer Attacks

 Designed to consume app resources/service so they are not available to users

 Protocol Attacks
 Designed to abuse commonly used Internet protocols

 Multi-vector Attacks
 A combination of attack types
Some DoS attacks have characteristics
of more than one attack type
 Launched from numerous compromised devices
 There can be hundreds or even thousands of devices

 The compromised devices are typically organized and remotely controlled

 Such computers are called “zombies”
 They are managed by “command and control” (C&C) computers
 These are regionally located
 Often compromised machines themselves
 The C&C computers are in turn controlled by the attacker’s computer
Attacker

C&C Servers

Zombies
  Packet Flood
 Botnet DDoS
10.2  DRDoS

VOLUMETRIC  Smurf, ICMP Flood, Fraggle

 HTTP Flood
ATTACKS  DNS Flood
 NTP Flood
 The most popular type of DDoS attack
 Designed to consume network bandwidth so authorized clients cannot connect
 The volume of incoming traffic determines the efficiency of a volume-based attack
 The goal of a volume-based attack is to saturate the website’s bandwidth. This
attack also has an impact on CPU utilization
 Bits per second are used to quantify the bandwidth-based attack
 Amplification is one of the strategies for transmitting a vast amount of data to a
specific website
• Send massive amounts of TCP, UDP, ICMP, or random packet traffic to target
• Can include different TCP flag variants
 Service request flood
 Attacker/zombie group sets up/tears down TCP connections in an attempt to use
up all server resources
 A request is initiated on each connection
 Flood of service requests overwhelms the target server(s)
 AKA spoofed attack
 Uses multiple intermediary and secondary (victim) machines in the DDoS attack
 Attacker sends requests to intermediary hosts, which are redirected to secondary
machine, then to target
 Advantages include:
 Target appears to be attacked by secondary machine
 Results in an increase in attack bandwidth
 A type of DRDoS
 Large numbers of ICMP echo requests sent to intermediate devices
 Source is spoofed so they all respond to the target

 You could use hping3 to perform this attack:

hping3 -1 -c 1000 10.0.0.$i --fast -a <spoofed target>

IRC servers were historically the primary victims of Smurf attacks

 Similar to Smurf but without the intermediate devices
 Send ICMP Echo packets with a spoofed address
 Eventually reach limit of packets per second sent
 Example – you could use hping3 to perform an ICMP flood:
hping3 -1 --flood --rand-source <target>
 Same concept as Smurf attack
 UDP packets instead of ICMP (UDP flood attack)
 hping3 example:
hping3 --flood --rand-source --udp -p <target>
• Uses seemingly legitimate HTTP GET or POST requests to attack a web server
• Does not require spoofing or malformed packets
• Can consume a high amount of resources with a single request
• Use spoofed DNS queries to consume server resources
• Similar to Smurf or other amplification attacks
• Multiple public DNS servers receive spoofed queries
• They all respond to a single target to overwhelm it with UDP
• Similar to Smurf and DNS
amplification attacks
• Multiple NTP queries are sent
• The time servers all respond to
a single target to overwhelm it
with UDP
 10.3  Fragmentation
 Teardrop
FRAGMENTATION  UDP and TCP Fragmentation

ATTACKS  Ping of Death

 Designed to keep a target busy with packet fragments that cannot be reassembled
 IP fragments are sent to a target
 Their fragment offsets overlap or otherwise cannot be reassembled
 The target’s CPU is kept busy attempting to reassemble the packets
 Can result in system freezing or crash
 An IP fragmentation attack
 IP fragment offset in the packet headers overlap

Offset starts too soon

Overlaps with previous packet
• Similar to an IP fragmentation attack, but for TCP
• Send the target TCP segments that have overlapping sequence numbers and
cannot be reassembled
• Windows NT, Windows 95, and Linux versions prior to version 2.1.63 are most
vulnerable
• Send the target UDP fragments
• When reassembled they are too large for the network's MTU
 Fragments ICMP messages
 Upon reassembly the ICMP packet is larger than the maximum allowable size
 Crashes the target

Malicious Ping of Death ICMP packet fragments

assemble to become larger than 65535 Bytes

Normal ICMP Maximum Packet Size 65535 Bytes

 10.4 STATE  TCP State Exhaustion
 Syn Flood
EXHAUSTION  SSL/TLS Exhaustion

ATTACKS  DNS/NXDOMAIN Flood

 Attempts to consume all permitted connections
 Targets can include:
 Application servers/web servers
 Load balancers
 Firewalls
 AKA Half-open attack
 Send thousands of SYN packets to a target
 Source address is spoofed to non-existent devices

 The server replies with SYN/ACK to non-existent source

 No ACK is received to complete the handshake

 The server must wait to time out each connection

 Servers are usually configured to allow a limited number of concurrent connections
 All permitted connections are consumed
 Legitimate client requests are ignored
• Send garbage SSL/TLS data to the server
• Server runs out of resources attempting to process corrupt SSL handshakes
• Firewalls generally cannot distinguish between legitimate and phony SSL data
• The attacker floods the DNS server
with requests for invalid or
nonexistent records
• The DNS server spends its time
searching for something that
doesn't exist
• Instead of serving legitimate
requests
• The result is that the cache on the
DNS server gets filled with bad
requests
• Clients can't find the sites/servers
they are looking for
 10.5
APPLICATION  Layer 7 Attacks
 SMB Malformed Request
LAYER  Slowloris / Low and Slow Attack

ATTACKS
 Abuse Layer 7 protocols such as HTTP/HTTPS, SNMP, SMB
 Exploit weak code

 Consume resources necessary for the application to run

 Measured in Requests per second (Rps)

 Slow rate, consume few network resources, but harmful to the target
 Imitate legitimate user activity
 Target file servers, web servers, web applications and specific web-based apps
 Common attack examples:
 HTTP GET/POST attack
 Slowloris or R.U.D.Y (low and slow) attack
 Malformed SMB requests
 Malicious SQL queries that disrupt a database server
 Malformed request to an SMB named pipe
 Causes a Blue Stop Screen (Blue Screen of Death) on Windows
 Operates by utilizing partial HTTP requests
 The attack functions by opening connections to a targeted Web server
 Keeps those connections open as long as it can

 The attacker first opens multiple connections to the targeted server

 Sends multiple partial HTTP request headers

 The target opens a thread for each incoming request

 Need to prevent the target from timing out the connections
 The attacker periodically sends partial request headers to the target
 Keeps the requests alive
 In essence saying, “I’m still here! I’m just slow, please wait for me.”

 The targeted server is never able to release any of the open partial connections
 Remains waiting for the termination of the request

 Once all available connections are in use, the server will be unable to respond to
additional requests made from regular traffic
  Protocol Attacks

10.6 OTHER  BGP Hijacking

 Land Attack
ATTACKS  Phlashing
 Peer-to-Peer Attack
 Rely on weakness in Internet communications protocols
 Because many of these protocols are in global use, changing how they work is
complicated and very slow to roll out
 Their inherent complexity might introduce new flaws as the original flaws are fixed
 A great example of a protocol that can become the basis of a DDoS attack
 BGP is the routing protocol used on the Internet
 It is used by Internet routers to update each other on changing route conditions
 It has very slow convergence
 If an attacker can send a false route update to a BGP router
 Internet traffic could be misdirected or halted in certain areas
 Attacker sends fake BGP routing protocol updates to Internet routers
 Internet routes now point to the wrong network
 2018 -
 Russian provider announced a number of IP prefixes (groups of IP addresses)
 The prefixes actually belong to Route53 Amazon DNS servers
 Amazon DNS queries were hijacked so that DNS queries for [Link] went to
servers the attackers controlled
 Users attempting to log in to the cryptocurrency site were redirected to a fake site
 Attackers stole approximately $152,000 in cryptocurrency

 2008 -
 Pakistani government-owned Pakistan Telecom attempted to censor Youtube within
Pakistan by updating its BGP routes for the website
 New routes were announced to Pakistan Telecom's upstream providers, and from there
broadcast to the whole Internet
 Suddenly, all web requests for Youtube were directed to Pakistan Telecom
 Resulted in an hours-long outage of the website for almost the entire Internet
 Overwhelmed the ISP
 Get a victim to try to start a session with itself
 Send a SYN packet to the target with a spoofed IP
 The source and destination IP both belong to the target
 If vulnerable, the target loops endlessly and crashes
 A DoS attack that causes permanent damage to a system
 Modifies the firmware
 AKA “bricking”
 Example:
 Send fraudulent firmware update to victim
 Crash the BIOS
 Attacker causes clients to disconnect from peer-to-peer network and connect to a
fake website
 Attacker uses DC++ protocol (peer-to-peer file sharing) to exploit network flaws
 Attacker can launch huge DoS attacks which will compromise target websites
  DoS and DDoS Attack Tools
10.7 DOS/DDOS  RUDY

ATTACK TOOLS  LOIC

 HOIC
 LOIC (Low Orbit ION cannon)  RUDY
 HOIC (High Orbit ION cannon)  Tor’s Hammer
 Kali Slowloris  DAVOSET
 PyLoris  GoldenEye
 HTTP Unbearable Load King  HULK
 DDoSIM  Xoic
 OWASP HTTP POST  Thc-ssl-dos

GitHub lists 142 repos for DoS exploits and toolkits

 Floods a target with TCP, UDP or HTTP requests
 Essentially a slowloris tool, but requires DDoS to be effective
 More powerful version of LOIC
 Targets TCP and UDP
 Can open up to 256 simultaneous attack sessions at once
 Sends a continuous stream of junk traffic
 R U Dead Yet?
 DoS with HTTP POST via long-form field submissions
 Similar to a slowloris attack
 Sends more data
 Header and body of a message

 Aims to keep a web server tied up

 Submit form data at an absurdly slow pace

 Categorized as a low-and-slow attack

 Focuses on creating a few drawn-out requests

 Used to attack web applications

 Starves available sessions on the web server
 Keeps the sessions alive
 Uses never-ending POST transmissions
 Sends arbitrarily large content-length header value
 10.8  DDoS Mitigation Stages
 Countermeasure Strategies

DOS/DDOS  Countermeasures
 Cloud-based Protection
COUNTERMEASURES  Botnet Defense
When in the middle of an attack you can:
 Absorb Attack
 Increase capacity to absorb attack
 Requires planning/additional resources

 Degrade Services
 Stop all non-critical services until attack is over

 Shut Down Services

 Shut down all service until attack is over
 Good DoS/DDoS countermeasures can distinguish between legitimate and
illegitimate traffic
 Use cloud-based anti-DDoS services to protect enterprise-level online services
 Increase bandwidth for all critical connections
 Filter traffic on upstream routers
 Rate-limit allowed connections
 Load balance and cluster critical servers/services
 Ensure routers are set to throttle incoming traffic to safe levels
 Throttling controls DoS traffic to minimize damage to servers
 Throttling can be used for DDoS attacks to permit legitimate user traffic
 Ensure software/protocols are up-to-date
 Patch systems so they are no longer vulnerable to attacks that exploit software
defects
 Scan machines to detect anomalous behavior
 Disable all insecure/unused services
 Ensure kernel is kept up-to-date
 Do not allow transmission packets that are addressed fraudulently at the ISP level
 Ensure firewall is configured to deny access by external ICMP traffic
 Ensure remote admin/connectivity testing is secure
 Ensure input validation is performed
 Do not allowed data processed by attacker to be executed
 Ensure prevention of unnecessary functions
 Ensure prevention of return address overwriting
 Most ISPs block all requests
during DDoS attack
 Unfortunately denies
legitimate traffic
 In-cloud DDoS protection
 During an attack all attack
traffic is redirected to the
provider
 It is filtered and returned
 Cloud-based solutions
 Cloudflare
 Netscout
 FortiDDoS  WANGuard Sensor

 DDoS Protector  NetScaler Application Firewall

 Cisco Guard XT  Incapsula

 Arbor Pravail: Availability  DefensePro

Protection System  DOSarrest
 NetFlow Analyzer
 Anti DDoS Guardian
 SDL Regex Fuzzer
 DDoSDefend
 RFC 3704 Filtering
 Strict Reverse Path Forwarding (Strict RPF)
 Basically a dynamic ACL
 Ingress filter
 Denies traffic with spoofed addresses
 Ensures that traffic is traceable to its correct source

 Real Time Black Hole

 Based on a manual trigger by an administrator
 Internal routers in an ISP or other large network propagate a route to a particular target to
Null 0
 Routers inside the network at any point will drop traffic destined for that target
 Develop new filtering techniques based on DDoS traffic patterns
 Determine source of DoS traffic by analyzing firewall, router, and IDS logs
 Analyze DoS traffic for certain characteristics
 Utilize DoS traffic characteristics and pattern analysis to update load-
balancing/throttling countermeasures
10.9 DOS/DDOS  Review
REVIEW
 INTRO TO
 DoS is an attack on a computer/network that restricts/reduces/prevents system access

ETHICAL
 Consumes all available resources such as network bandwidth, CPU, RAM, disk space,
allowed connections

HACKING
 A DDoS attack uses many compromised systems that attack a single target
 There are various categories for DoS/DDoS techniques

REVIEW
 Not all attacks involve large floods of traffic
 Many attacks are designed for a specific target type
 INTRO TO
 DoS is an attack on a computer/network that restricts/reduces/prevents system access

ETHICAL
 Consumes all available resources such as network bandwidth, CPU, RAM, disk space,
allowed connections

HACKING
 A DDoS attack uses many compromised systems that attack a single target
 There are various categories for DoS/DDoS techniques

REVIEW
 Not all attacks involve large floods of traffic
 Many attacks are designed for a specific target type

 A botnet is large network of compromised systems

 They are managed by command and control servers

 DoS detection techniques rely on identifying/discriminating

against illegitimate traffic
 You can use a DoS to stress-test a system
 Be careful as it will be disruptive.