DDoS Botnets Flashcards
Availability attack on physical layer?
Cut wire
Availability attack on data link layer?
WiFi Deauthentication
Availability attack on network layer?
ICMP ping flood
Availability attack on transport layer?
TCP SYN flood
Availability attack on Application layer?
HTTP flood
Describe ICMP flood
Attacker sends a high volume of ICMP echo requests (pings) to the server, often from spoofed source IPs
Server spends bandwidth and CPU answering every request (the echo replies go to the spoofed addresses)
Server gets overloaded with lots of fake requests, or its uplink saturates
Server goes down
Genuine client cannot connect
How does TCP protocol work?
Connection-oriented: needs a three-way handshake, SYN - SYN ACK - ACK, before any data flows
How does UDP protocol work?
Connectionless: no handshake, each datagram is sent on its own with no delivery guarantee, so the source address is trivial to spoof
Types of DDoS attacks. What do they do?
(3)
Volumetric attack - high volume of traffic
Protocol attack - exploits vulnerabilities in network protocols
Application layer attack - target specific application to exhaust resources
Describe an amplification DDoS attack
Uses an intermediary server (reflector) that returns a large response to a small query; the attacker sends the query with the victim's address as source, so the reflector floods the victim
Requirements:
- server provides large responses on small queries (amplification factor = response size / request size)
- ability to spoof the source address (so the response is sent to someone else)
Can be done on many protocols, usually UDP (no handshake to prove the source address)
Popular: DNS (also NTP, memcached)
What layers are targeted by protocol attacks?
Network
Transport
Describe a TCP SYN flood
After receiving a SYN the server sends SYN ACK and keeps a half-open connection entry (backlog) in memory while waiting for the final ACK
Attacker sends many SYN packets with spoofed source IPs; the ACKs never arrive, the backlog fills with half-open connections, and new genuine SYNs are dropped so users cannot reach the server anymore
How to defend against TCP SYN flood attack?
SYN cookies: put a cryptographic value (a keyed hash of the connection 4-tuple and a coarse timestamp) in the SYN ACK sequence number instead of allocating memory; when the ACK comes back, its acknowledgement number minus one is that value, so the server can verify it and only then allocate the connection
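The SYN cookie idea from this card, as an added worked example (it is not part of the flashcards and not a real TCP stack). The cookie layout (5 bits of coarse time counter, 27 bits of truncated HMAC) and the names `make_cookie`, `check_cookie` and `SynCookieServer` are assumptions for illustration; the point is that `handle_syn` stores nothing and only a valid final ACK creates state.

```python
import hashlib
import hmac
import os

COUNTER_BITS = 5            # coarse time counter kept in the top bits of the ISN
MAC_BITS = 32 - COUNTER_BITS
MAX_AGE = 4                 # accept cookies up to 4 counter ticks old (assumption)


def _mac(secret, src_ip, src_port, dst_ip, dst_port, counter):
    """Truncated HMAC over the connection 4-tuple and the counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(secret, src_ip, src_port, dst_ip, dst_port, counter):
    """ISN for the SYN ACK: counter in the top bits, MAC in the low bits."""
    return ((counter % (1 << COUNTER_BITS)) << MAC_BITS) | _mac(
        secret, src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(secret, ack_number, src_ip, src_port, dst_ip, dst_port, now):
    """True iff ack_number-1 is a cookie this server could have issued for this
    4-tuple within the last MAX_AGE ticks.  Everything needed to verify is in
    the ACK itself, so nothing had to be stored at SYN time."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    counter_field = isn >> MAC_BITS
    mac_field = isn & ((1 << MAC_BITS) - 1)
    for age in range(MAX_AGE + 1):
        counter = now - age
        if counter < 0 or counter % (1 << COUNTER_BITS) != counter_field:
            continue
        expected = _mac(secret, src_ip, src_port, dst_ip, dst_port, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"),
                               mac_field.to_bytes(4, "big")):
            return True
    return False


class SynCookieServer:
    """Toy listener: allocates connection state only on a valid final ACK."""

    def __init__(self, ip="203.0.113.10", port=443, secret=None):
        self.ip, self.port = ip, port
        self.secret = secret or os.urandom(32)   # per-boot server secret
        self.established = {}                    # 4-tuple -> ISN; the only state kept

    def handle_syn(self, src_ip, src_port, now):
        # Reply SYN ACK with the cookie as our ISN; no backlog entry is made.
        return make_cookie(self.secret, src_ip, src_port, self.ip, self.port, now)

    def handle_ack(self, src_ip, src_port, ack_number, now):
        ok = check_cookie(self.secret, ack_number, src_ip, src_port,
                          self.ip, self.port, now)
        if ok:
            self.established[(src_ip, src_port)] = ack_number - 1
        return ok


def flood_then_connect(now=100):
    """Constructed scenario: 10,000 spoofed SYNs never produce an ACK, so they
    cost the server no memory; a genuine client completing the handshake is
    accepted and a forged ACK from another address is rejected."""
    srv = SynCookieServer(secret=b"k" * 32)
    for i in range(10_000):
        srv.handle_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)
    isn = srv.handle_syn("192.0.2.7", 40000, now)
    genuine = srv.handle_ack("192.0.2.7", 40000, isn + 1, now + 1)
    forged = srv.handle_ack("192.0.2.8", 40000, isn + 1, now + 1)
    return len(srv.established), genuine, forged
```

The price of statelessness is that TCP options negotiated in the SYN (window scaling, SACK) are not remembered, which is why real stacks only switch to cookies once the backlog is full.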
How to measure TCP SYN floods
Backscatter
Spoofed SYNs use random source addresses, so the victim's SYN ACK (or RST) replies are scattered across the whole address space; if we monitor a lot of unused IP addresses (a network telescope) we see a sample of those replies, can identify ongoing attacks and estimate their rate by scaling the sample up
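Backscatter analysis over a constructed telescope capture, as an added example (not part of the flashcards). It assumes a monitored unused /8 (1/256 of IPv4) and that the attacker spoofs sources uniformly at random, which is what makes scaling the observed count up to a global rate valid; packet tuples, thresholds and function names are illustrative.

```python
from collections import defaultdict

TELESCOPE_PREFIX_LEN = 8                                   # monitored unused /8 (assumption)
TELESCOPE_FRACTION = 2 ** (32 - TELESCOPE_PREFIX_LEN) / 2 ** 32   # = 1/256 of IPv4
BACKSCATTER_FLAGS = {"SA", "R", "RA"}   # replies a victim sends to spoofed sources
WINDOW = 60                             # seconds
MIN_PACKETS = 25                        # per window before we call it an attack


def constructed_capture():
    """Constructed packets seen at the telescope:
    (unix_time, src_ip, src_port, dst_ip, tcp_flags)."""
    base = 1_700_000_040                # multiple of WINDOW, so one window
    pkts = []
    # 200 SYN ACKs in 60 s from a web server under a spoofed SYN flood
    for i in range(200):
        pkts.append((base + i * 0.3, "203.0.113.5", 443,
                     f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}", "SA"))
    # 3 stray RSTs from another host: real backscatter, but below threshold
    for i in range(3):
        pkts.append((base + 10 + i, "198.51.100.9", 25, f"10.0.0.{i + 1}", "RA"))
    # 40 plain SYNs from a scanner: probes of the dark space, not backscatter
    for i in range(40):
        pkts.append((base + i, "192.0.2.66", 40000 + i, f"10.1.1.{i}", "S"))
    return pkts


def detect_backscatter(packets, window=WINDOW, min_packets=MIN_PACKETS):
    """Group reply packets by (victim ip, victim port, time window) and scale
    the sample to an estimated global packets-per-second rate."""
    counts = defaultdict(int)
    for ts, src_ip, src_port, _dst_ip, flags in packets:
        if flags in BACKSCATTER_FLAGS:          # SYNs are scans, skip them
            counts[(src_ip, src_port, int(ts // window))] += 1
    attacks = {}
    for (victim, port, _win), n in counts.items():
        if n < min_packets:
            continue
        # The telescope sees TELESCOPE_FRACTION of all replies, assuming
        # uniformly random spoofed sources; invert that to estimate the total.
        estimated_pps = n / TELESCOPE_FRACTION / window
        prev = attacks.get((victim, port))
        if prev is None or n > prev["observed"]:
            attacks[(victim, port)] = {"observed": n, "estimated_pps": estimated_pps}
    return attacks


if __name__ == "__main__":
    for (victim, port), info in detect_backscatter(constructed_capture()).items():
        print(f"{victim}:{port} observed={info['observed']} "
              f"est. {info['estimated_pps']:.0f} SYN/s at the victim")
```

The estimate only holds for uniformly spoofed floods; an attacker spoofing from a narrow range, or a flood hitting a victim that drops SYNs before replying, is invisible or undercounted this way.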
Application layer attack characteristics
Hard to identify, since every request is valid and closely resembles normal user traffic; the damage comes from the server-side work each request triggers, not from raw packet volume
Describe a HTTP flood
Attacker requests many pages or files from a website, preferably expensive ones (search, login, large downloads)
Attacker must complete the TCP handshake first, so the source IP cannot be spoofed (the attacker has to receive the SYN ACK); real machines, typically a botnet, are needed instead
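A rate-based detector run over constructed web-server log lines, as an added example for the two cards above (not part of the flashcards). Because the handshake completes, the client IP in the log is real, so per-IP counting is meaningful; the log format, the 10-second window and the 30-request threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return a dict with ip, unix timestamp, method, path, status; None if the
    line does not match (malformed lines must not crash the detector)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts.timestamp(), "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_flooders(lines, window=10, max_requests=30):
    """Map client IP -> peak number of requests seen in any `window` seconds,
    for clients exceeding `max_requests` (sliding window per client)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flooders = {}
    for ip, times in per_ip.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:     # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best > max_requests:
            flooders[ip] = best
    return flooders


def _line(ip, t, path, status=200, size=512):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


def constructed_log():
    """Constructed sample: two normal visitors and one bot hammering /search."""
    t0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        lines.append(_line("192.0.2.10", t0 + timedelta(seconds=6 * i), f"/page{i}.html"))
    for i in range(3):
        lines.append(_line("192.0.2.11", t0 + timedelta(seconds=10 * i), "/index.html"))
    for i in range(60):      # 60 expensive requests in 6 seconds
        lines.append(_line("203.0.113.77", t0 + timedelta(seconds=i // 10),
                           f"/search?q=term{i}", 200, 20480))
    return lines


if __name__ == "__main__":
    print(find_flooders(constructed_log()))
```

This catches a single noisy source, which is the easy case. A botnet spreads the same load over thousands of real IPs, each staying under the threshold, which is exactly why the card says application layer attacks are hard to identify; in that case you need per-request cost, path or behavioural signals rather than per-IP rate alone.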
DDoS mitigation
(4)
Redundant network infrastructure
Traffic filtering
Content Delivery Networks - distribute content over a large network to absorb and mitigate DDoS traffic by serving content from distributed servers
Web app firewalls - can protect from app layer attacks by identifying malicious traffic
What is a botnet?
network of compromised computers (bots) under the control of a single entity, usually malicious actor
What is the purpose of botnets?
typically used for various malicious activities, including distributed denial of service (DDoS) attacks, spreading malware, and stealing sensitive information.
Describe the architecture of a botnet
(3)
- infected bots
- command and control (C2 or C&C) -> bots receive commands through C2 infrastructure
- communication channels (IRC, HTTP, P2P, Blockchain…)
How does Mirai work?
- Infects IoT devices (cameras, routers, DVRs) that still use factory default Telnet credentials.
- Propagates like a worm: every bot scans for other devices with Telnet open and tries a built-in list of default logins.
- C2 servers are centralized (a domain name the bots resolve).
- Telnet-like communication channel: Telnet is used to log in and load the bot, and the bot-to-C2 protocol runs over TCP port 23 so it blends in with Telnet traffic.
How to mitigate botnets?
(3)
- Securing devices (no default credentials, patching) to make it harder to compromise a large number of devices.
- Taking down command and control infrastructure. -> The servers are often international and require collaboration between law-enforcement agencies.
- Blocklisting infected devices (reporting their IPs to ISPs and owners) so that owners clean them.
What does DGA refer to?
- Domain Generation Algorithm
- Since a C2 domain name/IP can be taken down, bots and the operator compute the same long list of pseudo-random domains from a shared seed (e.g. the date); the operator registers only one or a few, bots try them in turn, and taking down one domain just moves the C2 to the next
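A minimal date-seeded DGA shown from both sides, as an added example (not part of the flashcards and not any real botnet's algorithm). The hashing scheme, the key, the TLD list and the function names are assumptions for illustration; `bot_find_c2` uses a constructed set of registered names in place of a DNS lookup so it runs offline.

```python
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info"]     # assumption
DOMAINS_PER_DAY = 50


def generate_domains(seed_date, key=b"demo-botnet-key", count=DOMAINS_PER_DAY):
    """Deterministic pseudo-random domain list for one day.  Bot and operator
    both run this with the same hard-coded key, so they agree on the
    candidates without any communication."""
    state = hashlib.sha256(key + seed_date.isoformat().encode()).digest()
    domains = []
    for i in range(count):
        state = hashlib.sha256(state + i.to_bytes(2, "big")).digest()
        length = 8 + state[0] % 8                          # 8..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[-1] % len(TLDS)]}")
    return domains


def bot_find_c2(candidates, resolves):
    """Bot side: walk the day's list and use the first domain that resolves.
    `resolves` stands in for DNS (constructed set of registered names)."""
    for d in candidates:
        if d in resolves:
            return d
    return None          # nothing registered today: bot retries tomorrow


def defender_precompute(start, days, key=b"demo-botnet-key"):
    """Defender side: once the algorithm and key are recovered from a sample,
    every future candidate can be pre-registered (sinkholed) or blocklisted."""
    out = []
    for n in range(days):
        out.extend(generate_domains(start + timedelta(days=n), key))
    return out


if __name__ == "__main__":
    today = date(2024, 1, 1)
    todays = generate_domains(today)
    registered = {todays[7]}                 # operator registered just one
    print("bot connects to:", bot_find_c2(todays, registered))
    print("defender blocklist size for 30 days:",
          len(defender_precompute(today, 30)))
```

The asymmetry is the point: the operator pays for one registration per day, while a defender who has not recovered the key must watch for thousands of fresh, random-looking lookups, which is also what makes DGA traffic detectable in DNS logs (many NXDOMAIN answers for high-entropy names from one host).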
What is peer to peer architecture in a botnet?
Since Command and Control servers might be taken down, the bots themselves relay commands to each other (each bot knows a few peers). -> No single server to seize, so the botnet is redundant; the trade-off is slower command distribution and a peer list that a defender can enumerate by crawling the network
How does a blockchain architecture look like when it comes to botnets?
- operator publishes the current C2 location (e.g. in a transaction's data field) on a public blockchain; bots read the chain to find it
- Decentralized: no registrar or hosting provider to send a takedown to
- the blockchain itself will not be taken down; only the C2 it points to can be, and the operator then simply publishes a new location