DoS Flashcards
What is a DoS attack?
These attacks attempt to make a machine or network resource unavailable to its authorized users. DoS/DDoS attacks usually exploit vulnerabilities in the implementation of TCP/IP protocols or bugs in a specific OS.
What is a DDoS attack, how does it work, and what is its impact?
The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send connection requests to a large number of reflector systems with the spoofed IP address of the victim. Because the source IP address is spoofed, the reflector systems see these requests as coming from the victim’s machine instead of the zombie agents. Hence, they send the requested information (the response to the connection request) to the victim. The victim’s machine is flooded with unsolicited responses from several reflector computers at once. This may either reduce performance or cause the victim’s machine to shut down completely.
Categories of DoS/DDoS Attack Vectors
<p>Volumetric Attacks</p>
<p>Protocol Attacks</p>
<p>Application Layer Attacks</p>
Victims in DDoS
The services under attack are those of the “primary victim,” whereas the compromised systems used to launch the attack are the “secondary victims.”
What are volumetric attacks, and which techniques are there?
<p>Consume the bandwidth of the target network or service</p>
<p>The magnitude of attack is measured in <strong><span>bits-per-second (bps) </span></strong></p>
<p>Types of bandwidth depletion attacks: flood attacks and amplification attacks</p>
<p><strong>Attack Techniques </strong></p>
<p>UDP flood attack</p>
<p>ICMP flood attack</p>
<p>Ping of Death attack</p>
<p>Smurf attack</p>
UDP Flood Attack
<ol><li>An attacker sends <span><strong>spoofed UDP packets</strong></span> at a very high packet rate to random ports of a target server, using a large source IP range</li><li>The flood of UDP packets causes the server to repeatedly check for <strong><span>non-existent applications</span></strong> at those ports</li><li>Legitimate applications become inaccessible, and the system gives an <strong><span>error reply</span></strong> with an ICMP ‘Destination Unreachable’ packet for each probe</li><li>This attack consumes <strong><span>network resources</span></strong> and available bandwidth, exhausting the network until it goes offline</li></ol>
ICMP Flood Attack
<p>Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging of <span><strong>undeliverable packets </strong></span></p>
<p>An ICMP flood attack is a type of attack in which attackers send large volumes of <strong><span>ICMP echo request packets</span></strong> to a victim system, either directly or through reflection networks</p>
<p>These packets signal the victim’s system to reply, and the combined traffic saturates the bandwidth of the victim’s network connection, causing it to be overwhelmed and <span><strong>subsequently stop</strong></span> responding to legitimate TCP/IP requests</p>
<p>To protect against an ICMP flood attack, set a <strong><span>threshold limit</span></strong> which, when exceeded, invokes the ICMP flood attack protection feature</p>
Ping of Death Attack
<p>In a Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the targeted system or service by <span><strong>sending malformed or oversized packets</strong></span> using a simple ping command</p>
<p>For instance, the attacker sends a packet with a size of 65,538 bytes to the target web server. <strong><span>This packet size exceeds the limit prescribed by RFC 791 for IP, which is 65,535</span></strong> bytes. The reassembly process on the receiving system might cause the system to crash</p>
Smurf Attack
<p>In a Smurf attack, the attacker spoofs the <strong><span>source IP address</span></strong> with the victim’s IP address and sends a <strong><span>large number of ICMP ECHO request packets</span></strong> to an IP broadcast network</p>
<p>This causes all the hosts on the broadcast network to respond to the received <strong><span>ICMP ECHO</span></strong> requests. These responses are sent to the victim machine, ultimately causing the machine to crash</p>
Types of bandwidth depletion attacks
Flood attacks and amplification attacks
Protocol Attacks
<p>Consume other types of resources, such as the <span><strong>connection state tables</strong></span> present in network infrastructure components like <span><strong>load-balancers, firewalls, and application servers</strong></span></p>
<p>The magnitude of attack is measured in <strong><span>packets-per-second (pps)</span></strong></p>
<p><span><strong>Attack Techniques </strong></span></p>
<ol><li><span>SYN flood attack </span></li><li><span>Fragmentation attack </span></li><li><span>ACK flood attack </span></li><li><span>TCP state exhaustion attack</span></li></ol>
SYN Flood Attack
<p>The attacker sends a large number of <span><strong>SYN requests</strong></span> to the target server (victim) with <span><strong>fake source IP addresses </strong></span></p>
<p>The target machine sends back a <strong><span>SYN ACK</span></strong> in <strong><span>response to the request</span></strong> and waits for the ACK to complete the session setup</p>
<p>The target machine <strong><span>does not get the response</span></strong> because the <strong><span>source address is fake </span></strong></p>
<p>SYN Flooding takes advantage of a flaw in the way most hosts implement the <strong><span>TCP three-way handshake </span></strong></p>
<p>When <strong><span>Host B</span></strong> receives the <strong><span>SYN</span></strong> request from Host A, it must keep track of the partially-opened connection in a <strong><span>"listen queue"</span></strong> for <strong><span>at least 75 seconds </span></strong></p>
<p>A malicious host can exploit the small size of the listen queue by <strong><span>sending multiple SYN requests</span></strong> to a host, but <strong><span>never replying to the SYN/ACK </span></strong></p>
<p>The victim’s listen queue is quickly filled up. This ability to <strong><span>hold up</span></strong> each incomplete connection for 75 seconds can be used cumulatively as a <span><strong>Denial-of-Service attack</strong></span></p>
Fragmentation Attack
Teardrop attack <ol><li>These attacks destroy a victim’s ability to <strong><span>re-assemble fragmented packets</span></strong> by flooding it with TCP or UDP fragments, resulting in reduced performance. The attacker sends a large number of fragmented (1500+ byte) packets to a <strong><span>target web server</span></strong> at a relatively low packet rate</li><li>Since the protocol allows fragmentation, these packets usually pass through network equipment like routers, firewalls, IDS/IPS, etc. uninspected</li><li>Reassembling and inspecting these large fragmented packets consumes excessive resources. Moreover, the <strong><span>content of the packet fragments</span></strong> is randomized by the attacker, which makes the process consume even more resources and leads the system to crash</li></ol>
Application Layer Attacks
<p>Consume the application resources or the service itself, thereby making it unavailable to other legitimate users</p>
<p>The magnitude of attack is measured in <strong><span>requests-per-second (rps)</span></strong></p>
<p><span><strong>Attack Techniques</strong></span></p>
<ol><li><span>HTTP GET/POST attack </span></li><li><span>Slowloris attack</span></li></ol>
HTTP GET/POST Attack
<p>HTTP clients such as web browsers connect to a web server over HTTP to send HTTP requests. These requests can be either HTTP GET or HTTP POST</p>
<p>In an HTTP GET attack, attackers use time-delayed HTTP headers to hold on to HTTP connections and exhaust web server resources</p>
<p>In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an <strong><span>incomplete message body</span></strong> to the target web server or application, making the server wait for the rest of the message body</p>