Chapter 11: DoS Flashcards
DoS goal
To remove the A from the Confidentiality, Integrity, & Availability triad
Denial of service
an attack that aims at preventing normal communication with a resource
What is the most common form of DoS?
to flood a victim w/ so much traffic that all available resources of the system are overwhelmed & unable to handle additional requests
What are signs of a potential DoS attack?
- Unavailability of a resource
- Loss of access to a website
- Slow performance
- Increase in spam e-mails
Hacktivism
hackers who take action against a target based on “principle” or a sense of personal mission
They are a threat because their focus is not personal gain; their success is measured by how much their actions benefit their CAUSE.
DoS Targets (3)
1) Web Server Compromise - loss of uptime for company web page
2) Back-end Resources - include infrastructure items that support a public-facing resource; a DoS takes down the back end, which makes the front end unavailable
3) Network (NW) or Computer Specific
*** Types of Attacks (12)
1) SERVICE REQUEST FLOODS - flooding a web server or web app w/ requests until all resources are used up; These are typically carried out by setting up repeated TCP connections to a system
2) SYN ATTACK/FLOOD - This exploits the 3-way handshake; Done by forging SYN packets w/ a bogus source address. When the victim system responds w/ a SYN-ACK, it goes to this bogus address, & since the address doesn’t exist, the victim system waits for a response that will never come; This ties up a connection for 75 seconds, and the attacker can keep opening half-open connections to keep systems out of service //THE ACK RESPONSE IS MISSING; SYN is sent, SYN-ACK is replied, the final ACK never arrives
3) ICMP FLOOD ATTACK - an ICMP request requires the server to process the request & respond; Attacks include smurf attacks, ICMP floods, ping floods, all of which flood the server w/ ICMP requests without waiting for the response
4) PING OF DEATH - used back in the day; a ping packet that was larger than the allowable 64K was sent
5) TEARDROP - sending custom-crafted fragmented packets w/ offset values that overlap during the attempted rebuild making the target machine unstable
6) SMURF - spoofs the target IP & sends numerous ICMP echo requests to the broadcast address of intermediary sites; The intermediary sites amplify the ICMP traffic back to the source IP, saturating the NW
7) FRAGGLE - like SMURF attack but uses UDP instead of ICMP. Still uses an intermediary for amplification & spoofs target IP; The attack targets the UDP echo requests to the CHARGEN (character generator) port of the intermediary systems
8) LAND - sends traffic to the target machine w/ the source spoofed as the target machine itself; The victim attempts to acknowledge the requests repeatedly w/ no end.
PERMANENT DOS ATTACKS - most DoS attacks are temporary, but some destroy a system & cause it to be permanently offline;
9) PHLASHING is one of them (pushes bogus/incorrect updates to a system’s firmware, this system is said to be BRICKED, aka worthless computer)
APPLICATION-LEVEL ATTACKS - those that result in a loss or degradation of a service to the point it is unusable; Can result in loss of data
10) FLOOD - overwhelm target w/ traffic
11) DISRUPT - attacking w/ intent of locking out or blocking a user (i.e. logging into system several times to lock up acct)
12) JAM - crafted SQL queries to lock up DB;
Performing a SYN Flood
Tool: HPING3 //Linux utility used to craft custom packets such as packets that have specific flags activated
1) Have Wireshark up & running; get sniffer started;
2) In your BackTrack box, open a command shell; run hping3 by itself for a list of options
3) hping3 --flood -p 80 -S 192.168.1.2 //Flood SYN packets (-S sets the SYN flag, -p 80 is the destination port, --flood sends as fast as possible without waiting for replies)
4) Check out the traffic
5) Go back to BackTrack & terminate cmd with ctrl+C
Buffer Overflow
takes advantage of a flaw in a program’s coding by inputting more data than the program’s buffer, or memory space, has room for; once the buffer of a program is in an overflow state, the program can crash, etc.
C functions & signs of buffer overflow
Some C functions do not perform bounds checking, making programs that use them vulnerable to buffer overflow
gets(), scanf(), strcpy(), strcat() are common functions for buffer overflow
The HEAP and STACK
Two areas of memory a program uses for storage
HEAP //dynamic storage location that does not have sequential constraints or organizational scheme; considered the larger pool of free storage for programs to use as needed; once dynamic memory space is no longer needed, it is freed
STACK // linear in operation (top, bottom, LIFO); smaller pool of storage; memory allocated to a program for short-term processing, main action area where program variables are temporarily stored, added, & removed as needed; Can only see values from top down; LIFO; PUSH describes adding to a stack, POP is removing
During a buffer overflow, the heap is overflowed. The malicious code soon resides in the STACK & the EIP points to the malicious code, executing it
Smashing the Stack
use of buffer overflow to compromise the stack & gain program-level access; submit excess data to stack
Stack pointer represents
the top of a stack; in a buffer overflow, the stack pointer is ignored and data is stacked over top of it, creating false EIPs (Extended Instruction Pointer / point of execution) and false stack pointers
When smashing the stack, the EIP points to injected malicious code
NOP sled
shellcode (or machine code) used in a buffer overflow attack; uses multiple “NO OPERATION” commands in a sequenced chunk; 0x90 will instruct an Intel processor to perform one clock cycle on an empty operation
Equates to a full CPU cycle w/ no actual work being accomplished
DDOS
Distributed Denial of Service
multiple compromised systems (compromised by a trojan) target a single system, causing a DoS attack; same goals as DoS, but more complex & powerful; DoS relies on a single system to attack a victim whereas DDoS uses multiple attackers;
Concept: The MASTER/ATTACKER infects the HANDLER (typically a server, a unit that has maneuverability in the NW) computers w/ a DDoS SW build commonly known as a BOT; The bot sifts through the victim’s NW searching for potential clients to make ZOMBIES; Once all are compromised, attack!
Installing a Bot on a HANDLER
They are covertly installed; Trojan horses carry bots as their payload; Once the handler & zombies are infected, the attacker communicates remotely w/ the BOTNET via communication channels such as IRC or P2P
DoS & DDoS Tools
Tools for creating Botnets
DoS Tools: DoSHTTP, UDP Flood, Jolt2, Targa
DDoS Tools: Trinoo, LOIC (Low Orbit Ion Cannon), TFN2K, Stacheldraht
Botnet Tools: Shark, Plugbot, Poison Ivy, LOIC (one of the easiest tools for DDoS)
Seeing LOIC in action
Use a Windows Server 2008 client w/ LOIC installed & Windows 7 target w/ Wireshark for traffic capture
1) Run LOIC.exe (avoid in-depth installation, just run executable)
2) Can target URL or IP, enter IP of your Windows 7
3) Click ‘Lock On’
4) Use Port 80, & the rest default
5) FIRE & view traffic
*** DoS Defensive Strategies (7)
1) DISABLE UNNECESSARY SERVICES
2) USE ANTI-MALWARE REAL-TIME VIRUS PROTECTION //helps stay away from trojans w/ bots
3) ENABLE ROUTER THROTTLING //some DoS rely on traffic saturation, router throttling thwarts
4) USE REVERSE PROXY //request made to a web server is redirected to the reverse proxy before forwarded to actual server (sending traffic to a middleman)
5) ENABLE INGRESS AND EGRESS FILTERING //Ingress filtering prevents DoS and DDoS by filtering for items such as spoofed IP addresses coming in from an outside source (if traffic coming in from the public side of your connection has a source address matching your internal IP range, then it's spoofed) //Egress filtering helps prevent DDoS attacks by filtering outbound traffic, which may prevent malicious traffic from getting back to the attacking party
6) DEGRADE SERVICES //the idea is that it makes an attack tougher & the target less attractive
7) ABSORB THE ATTACK //Add extra services & power in the form of bandwidth; have more power than the attacker can consume; This may include Load Balancing technologies
Define Load Balancing
distributing workloads across multiple computer resources
*** Botnet-specific Defenses (3)
1) RFC 3704 FILTERING //designed to block or stop packets from addresses that are unused or reserved in any given IP range
2) BLACK HOLE FILTERING //a black hole or area is created on the NW where offending traffic is forwarded and dropped
3) SOURCE IP REPUTATION FILTERING //filters traffic based on reputation (determined by past history of attacks & other factors)
Buffer Overflow vs. Stack Overflow
A stack overflow is when the execution stack grows beyond the memory reserved for it, whereas a buffer overflow is any case in which a program writes beyond the end of the memory allocated (INCLUDING in the heap, not just the stack)
Dealing w/ possible DoS attacks: Internal clients making requests from outside the internal LAN. Based on traffic, what action should be taken?
Implement ingress filtering; this will check for internal addresses coming in from the public side of your NW