Chapter 11: DoS Flashcards
DoS goal
To remove the A from the Confidentiality, Integrity, & Availability triad
Buffer Overflow
takes advantage of a flaw in a program’s code by inputting more data than the program’s buffer, or memory space, has room for; once a program’s buffer is in an overflow state, the program can crash, etc.
C functions & signs of buffer overflow
Some C functions do not perform bounds checking, making programs that use them vulnerable to buffer overflow
gets(), scanf(), strcpy(), strcat() are common functions for buffer overflow
Stack pointer represents
the top of a stack; in a buffer overflow, the stack pointer is ignored and data is stacked on top of it, creating false EIPs (Extended Instruction Pointer / point of execution) and false stack pointers
When smashing the stack, the EIP points to injected malicious code
NOP sled
shellcode (or machine code) used in a buffer overflow attack; uses multiple “NO OPERATION” instructions in a sequenced chunk; 0x90 instructs an Intel processor to spend one clock cycle doing nothing
Equates to a full CPU cycle with no actual work being accomplished
Define Load Balancing
distributing workloads across multiple computer resources
Buffer Overflow vs. Stack Overflow
Stack overflow is when the execution stack grows beyond the memory reserved whereas Buffer Overflow is any case in which a program writes beyond the end of the memory allocated (INCLUDING in the heap, not just the stack)
SERVICE REQUEST FLOODS (DoS Attack)
1) SERVICE REQUEST FLOODS - flooding a web server or web app w/ requests until all resources are used up; these are typically carried out by setting up repeated TCP connections to a system
SYN ATTACK/FLOOD (DoS Attack)
2) SYN ATTACK/FLOOD - exploits the 3-way handshake; done by forging SYN packets w/ a bogus source address. When the victim system responds w/ a SYN-ACK, it goes to this bogus address, & since the address doesn’t exist, the victim system waits for a response that will never come; this ties up a connection for 75 seconds, and the attacker can keep opening half-open connections to keep the system out of service //THE ACK RESPONSE IS MISSING: SYN is sent, SYN-ACK is replied, the final ACK never arrives
ICMP FLOOD ATTACK (DoS Attack)
3) ICMP FLOOD ATTACK - an ICMP request requires the server to process the request & respond; attacks include smurf attacks, ICMP floods, and ping floods, all of which flood the server w/ ICMP requests without waiting for the response
PING OF DEATH (DoS Attack)
4) PING OF DEATH - used back in the day; a ping packet larger than the allowable 64K was sent
TEARDROP (DoS Attack)
5) TEARDROP - sending custom-crafted fragmented packets w/ offset values that overlap during the attempted reassembly, making the target machine unstable
SMURF (DoS Attack)
6) SMURF - spoofs the target IP & sends numerous ICMP echo requests to the broadcast address of intermediary sites; The intermediary sites amplify the ICMP traffic back to the source IP, saturating the NW
FRAGGLE (DoS Attack)
7) FRAGGLE - like SMURF attack but uses UDP instead of ICMP. Still uses an intermediary for amplification & spoofs target IP; The attack targets the UDP echo requests to the CHARGEN (character generator) port of the intermediary systems
LAND (DoS Attack)
8) LAND - sends traffic to the target machine w/ the source spoofed as the target machine itself; the victim attempts to acknowledge the requests repeatedly w/ no end
PHLASHING (DoS Attack)
9) PHLASHING - pushes bogus/incorrect updates to a system’s firmware; the system is then said to be BRICKED, aka a worthless computer
HEAP
HEAP //dynamic storage location that does not have sequential constraints or organizational scheme; considered the larger pool of free storage for programs to use as needed; once dynamic memory space is no longer needed, it is freed
STACK
STACK // linear in operation (top, bottom, LIFO); smaller pool of storage; memory allocated to a program for short-term processing, the main action area where program variables are temporarily stored, added, & removed as needed; can only see values from the top down; LIFO; PUSH describes adding to a stack, POP is removing from it
RFC 3704 FILTERING
1) RFC 3704 FILTERING //designed to block or stop packets from addresses that are unused or reserved in any given IP range
BLACK HOLE FILTERING
2) BLACK HOLE FILTERING //a black hole or area is created on the NW where offending traffic is forwarded and dropped
SOURCE IP REPUTATION FILTERING
3) SOURCE IP REPUTATION FILTERING //filters traffic based on reputation (determined by past history of attacks & other factors)
NOP in Hex
0x90
INGRESS/EGRESS FILTERING
Ingress filtering prevents DoS and DDoS attacks by filtering for items such as spoofed IP addresses coming in from an outside source. In other words, if traffic coming in from the public side of your connection has a source address matching your internal IP scheme, then you know it’s a spoofed address.
Egress filtering helps prevent DDoS attacks by filtering outbound traffic, which may prevent malicious traffic from getting back to the attacking party.
REVERSE PROXY
Similar to a load balancer; sits in front of the web server and distributes requests. Also caches content