DoS and DDoS Flashcards

1
Q

What are the three basic categories of DoS and DDoS attacks?

A

Volume-based attacks. Consume the bandwidth of the target network or service. Measured in bits per second (bps). Includes UDP floods, ICMP floods and other spoofed-packet floods.

Protocol attacks. Consume other resources, such as the connection-state tables in network infrastructure and in components like load balancers, firewalls and application servers. Measured in packets per second (pps). Includes SYN floods, fragmented-packet attacks, Ping of Death, Smurf and more.

Application-layer attacks. Consume the resources of the application or service itself, thereby making it unavailable to legitimate users. Measured in requests per second (rps). Includes HTTP floods and Slowloris.

2
Q

UDP Flood Attack

A

The basic principle is to send UDP packets at an extremely high rate, usually from spoofed source addresses. For every packet the target checks whether an application is listening on the destination port; when there is none it answers with an ICMP "destination unreachable" message. The flood consumes the target's bandwidth and packet-processing capacity (and the ICMP replies go to whichever address was spoofed), so legitimate users are starved of service. Because it saturates bandwidth it is classed as a volume-based attack in the taxonomy of card 1, even though it also costs the target CPU for every port lookup and ICMP reply.

Tools: hping3, LOIC or XOIC.

3
Q

ICMP Flooding (Ping flood)

A

ICMP (Internet Control Message Protocol) is an error-reporting protocol that network devices such as routers use to send error messages back to the source IP address when network problems prevent delivery of IP packets. ICMP is not a transport protocol; it does not carry application data between systems.

ICMP echo request and echo reply are what you use when you ping an IP address. ICMP itself has no ports; the separate Echo service on TCP/UDP port 7 is a different protocol that simply returns whatever it receives. ICMP Redirect messages can also steer traffic: a router uses them to tell a host to send traffic for a destination via a different gateway, which is why hosts are commonly configured to ignore them.

Using hping3
hping3 -1 --flood -a <spoofed source IP> <target>
-1 puts hping3 in ICMP mode, --flood sends packets as fast as possible without waiting for replies, and -a spoofs the source address (so the echo replies go to that address instead of back to the sender).

Using LOIC

Defence. On the router (or host firewall) rate-limit ICMP: specify the number of ICMP packets per second that are allowed and drop the excess, so normal pings keep working during a flood.
The blunt alternative is to disable ICMP entirely on the targeted router, computer or other device. An administrator opens the device's administrative interface and turns off its ability to send and receive ICMP, which removes both the processing of the echo request and the echo reply. The consequence is that every network activity that relies on ICMP stops: the device no longer answers ping or traceroute, and it also stops receiving the "fragmentation needed" messages that path MTU discovery depends on, so connections through smaller-MTU links can silently stall. Prefer rate limiting over a blanket block.
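The packets-per-second limit described above, worked through as an added example (not code from the flashcards; it applies equally to the UDP flood of card 2). The traffic is constructed in memory: a legitimate client pinging once a second while 1000 flood packets arrive in one second, first from a single spoofed source and then from random spoofed sources (hping3 --rand-source). Addresses come from the RFC 5737 documentation ranges and the limits (5 pps per source, 100 pps per protocol) are assumed values.

```python
"""Packet-per-second limit for ICMP (and UDP) floods.

Added example, not code from the flashcards. Traffic below is constructed:
a legitimate client pinging once a second while a flood of 1000 packets per
second arrives, once from a single spoofed source and once from random
spoofed sources (hping3 --rand-source).
"""
from collections import Counter

TARGET = "203.0.113.5"       # constructed addresses (RFC 5737 documentation ranges)
LEGIT = "192.0.2.10"
FLOOD_SRC = "198.51.100.7"


def legit_pings():
    """One echo request per second for ten seconds; the client we want to keep serving."""
    return [(s + 0.5005, "icmp", LEGIT, TARGET) for s in range(10)]


def flood_single_source(n=1000):
    """hping3 -1 --flood -a 198.51.100.7 TARGET: n packets in one second, one spoofed source."""
    return [(i / 1000, "icmp", FLOOD_SRC, TARGET) for i in range(n)]


def flood_random_source(n=1000):
    """hping3 -1 --flood --rand-source TARGET: every packet carries a different spoofed source."""
    return [(i / 1000, "icmp", f"10.{(i >> 8) & 255}.{i & 255}.1", TARGET) for i in range(n)]


def rate_limit(packets, per_source_pps=5, aggregate_pps=100):
    """Apply two fixed one-second-window limits in the order a router would:
    first a cap per (protocol, source), then a cap per protocol on the whole
    interface. Returns (passed, dropped). Packets are (time, proto, src, dst)."""
    per_source, aggregate = Counter(), Counter()
    passed, dropped = [], []
    for pkt in sorted(packets, key=lambda p: p[0]):
        t, proto, src, _dst = pkt
        window = int(t)
        if (per_source[(proto, src, window)] >= per_source_pps
                or aggregate[(proto, window)] >= aggregate_pps):
            dropped.append(pkt)
            continue
        per_source[(proto, src, window)] += 1
        aggregate[(proto, window)] += 1
        passed.append(pkt)
    return passed, dropped


def count_from(packets, src):
    """How many of these packets came from the given source address."""
    return sum(1 for p in packets if p[2] == src)


if __name__ == "__main__":
    passed, dropped = rate_limit(legit_pings() + flood_single_source())
    print(f"single source: legit passed {count_from(passed, LEGIT)}/10, "
          f"flood passed {count_from(passed, FLOOD_SRC)}, dropped {len(dropped)}")
    passed, dropped = rate_limit(legit_pings() + flood_random_source())
    print(f"random source: legit passed {count_from(passed, LEGIT)}/10, "
          f"total passed {len(passed)}, dropped {len(dropped)}")
```

The per-source cap alone handles the single-source flood (5 of 1000 packets get through, the legitimate client loses nothing). Against random spoofed sources every packet is a "new" source, so only the aggregate cap helps, and it also drops the legitimate ping that lands in the flooded second; that one lost ping is the price of keeping ICMP working the rest of the time rather than disabling it.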

4
Q

Ping of Death

A

Ping of Death is a denial-of-service (DoS) attack in which the attacker deliberately sends an IP packet larger than the 65,535 bytes allowed by the IP protocol (the total-length field in the IP header is 16 bits). IP fragmentation lets a single datagram be broken into smaller fragments that the receiver reassembles; the attack sends fragments whose offsets and lengths add up to more than 65,535 bytes, and a receiver that does not check this overflows its reassembly buffer and crashes. Operating systems have been patched against it since 1997-98, so a modern stack simply discards such fragments.

It can be performed with a Windows batch script:
:loop
ping -l 65500 -w 1 -n 1 <target IP>
goto :loop
Save this as a .bat file and run it from a command prompt; it loops forever, sending one large ping per iteration (-l 65500 sets the data size in bytes, -n 1 sends a single echo request, -w 1 waits at most 1 ms for the reply). Note that 65500 is the largest value Windows ping accepts: 65500 bytes of data plus the 8-byte ICMP header and 20-byte IP header is 65,528 bytes, still within the legal limit, so a patched target just reassembles the fragments. Against a modern system this is a large-ping flood rather than a true Ping of Death.
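The reassembly logic behind the attack, as an added example (not code from the flashcards): a fragmenter, a reassembler that can run with or without the bounds check that patched stacks added, and three constructed payloads showing that `ping -l 65500` stays legal while a slightly larger datagram is rejected. Fragments are modelled as (offset in 8-byte units, more-fragments flag, payload) tuples, the three IP header fields that drive reassembly; the 20-byte header and 1500-byte MTU are assumed.

```python
"""IP fragment reassembly and the length check that stops Ping of Death.

Added example, not code from the flashcards. Fragments are constructed in
memory as (offset_in_8_byte_units, more_fragments_flag, payload) tuples.
"""
MAX_IP_DATAGRAM = 65535          # largest value of the 16-bit IP total-length field
IP_HEADER_LEN = 20               # minimal IPv4 header; fragment payloads exclude it
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN


class ReassemblyError(ValueError):
    pass


def fragment(payload, mtu=1500):
    """Split an IP payload into fragments the way a sender would for the given MTU.
    Each non-final fragment carries a multiple of 8 bytes so offsets stay aligned."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append((start // 8, more, piece))
    return frags


def reassemble(fragments, check=True):
    """Rebuild the payload. With check=True the receiver rejects any fragment whose
    end would lie beyond the legal maximum datagram, which is the fix applied to
    stacks hit by Ping of Death; with check=False it behaves like the old,
    vulnerable code and produces an over-length datagram."""
    buf = bytearray()
    total = None
    for offset, more, piece in fragments:
        start = offset * 8
        end = start + len(piece)
        if check and end > MAX_PAYLOAD:
            raise ReassemblyError(
                f"fragment at offset {start} would end at byte {end}, "
                f"beyond the {MAX_PAYLOAD}-byte maximum payload")
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))   # hole until the gap is filled
        buf[start:end] = piece
        if not more:
            total = end                              # MF=0 marks the datagram's end
    if total is None:
        raise ReassemblyError("final fragment (MF=0) never arrived")
    return bytes(buf[:total])


def is_ping_of_death(fragments):
    """True if these fragments describe a datagram larger than IP allows."""
    return any(off * 8 + len(piece) > MAX_PAYLOAD for off, _more, piece in fragments)


# Constructed inputs: ICMP echo payload = 8-byte ICMP header + data bytes.
NORMAL_PING = b"\x08\x00" + b"\x00" * 6 + b"A" * 56          # 64-byte echo request
BIG_BUT_LEGAL = b"\x08\x00" + b"\x00" * 6 + b"B" * 65500     # what `ping -l 65500` sends
OVERSIZED = b"\x08\x00" + b"\x00" * 6 + b"C" * 65520         # 65,528 bytes: too large


if __name__ == "__main__":
    for name, payload in [("normal", NORMAL_PING), ("big", BIG_BUT_LEGAL), ("oversized", OVERSIZED)]:
        frags = fragment(payload)
        try:
            print(f"{name}: {len(frags)} fragments, reassembled {len(reassemble(frags))} bytes")
        except ReassemblyError as e:
            print(f"{name}: rejected ({e}); unchecked length would be "
                  f"{len(reassemble(frags, check=False))}")
```

The unchecked path shows the condition the original bug relied on: the last fragment's offset plus length exceeds what a fixed 65,535-byte buffer can hold.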
5
Q

Smurf Attack

A

The Smurf attack is a distributed denial-of-service attack in which large numbers of ICMP echo requests, with the source address spoofed to that of the intended victim, are sent to a network's IP broadcast address. Every host on that network that answers broadcast pings sends its echo reply to the victim, so one request is amplified into as many replies as there are responding hosts (a reflection and amplification attack). It only works if the network's border router forwards directed broadcasts arriving from outside, which modern routers disable by default.

With hping3:
hping3 --icmp -c 1 -a <victim IP> <broadcast address, e.g. 192.0.2.255>
--icmp (or -1) puts hping3 in ICMP mode, -c 1 sends a single packet, -a (--spoof) sets the spoofed source address to the victim, and the final argument is the destination, the broadcast address of the amplifier network.
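The reflection described above on a toy network, as an added example (not code from the flashcards): one spoofed echo request to the broadcast address, and the router and hosts decide how many replies reach the victim. Hosts, addresses and the router are constructed in memory. The two mitigations modelled are assumptions about typical defaults: the router not forwarding directed broadcasts (Cisco `no ip directed-broadcast`, the default since IOS 12.0) and hosts ignoring broadcast echo requests (Linux `net.ipv4.icmp_echo_ignore_broadcasts=1`).

```python
"""Smurf reflection on a toy network: one spoofed echo request to the broadcast
address, N echo replies to the victim.

Added example, not code from the flashcards. Hosts, addresses and the router
are constructed in memory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str            # "echo-request" or "echo-reply"
    size: int = 64       # bytes on the wire


class Host:
    def __init__(self, ip, answer_broadcast=True):
        self.ip = ip
        self.answer_broadcast = answer_broadcast   # icmp_echo_ignore_broadcasts=0 when True

    def receive(self, pkt, was_broadcast):
        """Return the reply this host sends, if any. Note it goes to pkt.src,
        which the attacker set to the victim's address."""
        if pkt.kind != "echo-request":
            return None
        if was_broadcast and not self.answer_broadcast:
            return None
        return Packet(src=self.ip, dst=pkt.src, kind="echo-reply", size=pkt.size)


class Router:
    """Border router of the amplifier network 192.0.2.0/24."""

    def __init__(self, hosts, broadcast="192.0.2.255", directed_broadcast=False):
        self.hosts = {h.ip: h for h in hosts}
        self.broadcast = broadcast
        self.directed_broadcast = directed_broadcast   # `ip directed-broadcast` on/off

    def forward(self, pkt):
        """Deliver a packet arriving from outside; return every packet the LAN emits in response."""
        if pkt.dst == self.broadcast:
            if not self.directed_broadcast:
                return []                       # dropped at the border: no amplification
            replies = (h.receive(pkt, was_broadcast=True) for h in self.hosts.values())
        elif pkt.dst in self.hosts:
            replies = [self.hosts[pkt.dst].receive(pkt, was_broadcast=False)]
        else:
            return []
        return [r for r in replies if r is not None]


def smurf(router, victim="203.0.113.9", size=64):
    """hping3 --icmp -c 1 -a VICTIM 192.0.2.255: one request, source spoofed to the victim.
    Returns (packets reaching the victim, amplification factor in bytes)."""
    request = Packet(src=victim, dst=router.broadcast, kind="echo-request", size=size)
    to_victim = [p for p in router.forward(request) if p.dst == victim]
    amplification = sum(p.size for p in to_victim) / size
    return to_victim, amplification


def lan(answer_broadcast=True, n=254):
    """A /24 full of hosts, all of which will or will not answer broadcast pings."""
    return [Host(f"192.0.2.{i}", answer_broadcast) for i in range(1, n + 1)]


if __name__ == "__main__":
    for label, router in [
        ("directed broadcast forwarded", Router(lan(), directed_broadcast=True)),
        ("directed broadcast blocked", Router(lan(), directed_broadcast=False)),
        ("hosts ignore broadcast pings", Router(lan(answer_broadcast=False), directed_broadcast=True)),
    ]:
        replies, amp = smurf(router)
        print(f"{label}: {len(replies)} replies to victim, amplification x{amp:.0f}")
```

With --flood instead of -c 1 the attacker repeats this every few microseconds; the amplification factor is the number of responding hosts, and a larger -d on the request makes every reply larger too.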

6
Q

SYN Flood.

A
  1. hping3 -V -c 1000 -d 120 -S -p 23 --flood <target>
     -V verbose output, -c 1000 number of packets, -d data size in bytes (64 to 150 is typical; 120 here), -S set the SYN flag, -p 23 destination port, --flood send as fast as possible without waiting for replies.
  2. With LOIC, type the IP address or URL, select the packet size and port number, and press go.

Tools: hping3 for crafting and sending the packets; LOIC, which can run several different DoS attacks; Nmap for scanning the target system first.

A SYN flood where the source IP address is not spoofed is known as a direct attack. The attacker does not mask their IP address at all; because a single source device with a real IP address creates the attack, the attacker is highly exposed to discovery and mitigation. To create the half-open state on the targeted machine, the attacker stops their own machine from responding to the server's SYN-ACK packets, usually with firewall rules that block outgoing packets other than SYNs or that drop incoming SYN-ACKs before they reach the attacker's stack. In practice this method is used rarely (if ever), as mitigation is straightforward: just block the IP address of each malicious system.
Spoofed attack: the attacker can also spoof the source IP address on each SYN packet in order to hinder mitigation and make their identity harder to discover. Spoofed packets can potentially still be traced back to their source; this sort of detective work is difficult but not impossible, especially if Internet service providers (ISPs) are willing to help.
Distributed attack (DDoS): if the attack is generated by a botnet, the likelihood of tracking it back to its source is low. For an added level of obfuscation, an attacker may have each distributed device also spoof the IP addresses from which it sends packets. If the attacker is using a botnet such as Mirai, they generally won't care about masking the IP of the infected devices.
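The half-open state the three variants above all depend on, modelled as an added example (not code from the flashcards): a listener with a fixed backlog, a spoofed flood whose sources never complete the handshake, and a real client that does. It also shows the standard defence, SYN cookies, which the flashcards do not cover. Everything is in memory; the SYN-cookie construction is simplified to an HMAC over the connection tuple and a coarse time slot, truncated to 32 bits (real kernels also pack an MSS index into the cookie), and the backlog size, port and addresses are assumed values.

```python
"""SYN backlog exhaustion and the SYN-cookie defence.

Added example, not code from the flashcards. Models the server side of the
TCP handshake in memory; the cookie scheme is a simplified HMAC version.
"""
import hashlib
import hmac
import os

SYN_COOKIE_SECRET = os.urandom(32)        # per-process secret, as a kernel keeps one per boot
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_port, client_isn, slot, secret=SYN_COOKIE_SECRET):
    """Stateless server ISN: whoever later ACKs ISN+1 must have received our SYN-ACK."""
    msg = f"{src_ip}|{src_port}|{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class Listener:
    def __init__(self, port=23, backlog=128, syn_cookies=False, slot_seconds=60):
        self.port = port
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.slot_seconds = slot_seconds
        self.half_open = {}          # (src_ip, src_port) -> server ISN awaiting the final ACK
        self.established = set()
        self.dropped = 0             # SYNs refused because the backlog was full

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            # Nothing stored: the ISN itself carries the proof, so a flood costs no memory.
            return syn_cookie(src_ip, src_port, self.port, client_isn, int(now // self.slot_seconds))
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # this is the outage: real clients never get a SYN-ACK
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack, now):
        """Handle the handshake's final ACK; True if the connection is established."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            slot = int(now // self.slot_seconds)
            for s in (slot, slot - 1):                     # tolerate a slot rollover
                cookie = syn_cookie(src_ip, src_port, self.port, client_isn, s)
                if ack == (cookie + 1) & MASK32:
                    self.established.add(key)
                    return True
            return False                                   # forged or stale ACK
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def syn_flood(listener, count=1000, now=0.0):
    """hping3 -S -p 23 --flood --rand-source TARGET: spoofed sources that never ACK."""
    for i in range(count):
        src_ip = f"10.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}"
        listener.on_syn(src_ip, 40000 + i % 20000, (i * 7919) & MASK32, now)


def legit_connect(listener, now=0.0, src_ip="192.0.2.10", src_port=51515, client_isn=123456):
    """A real client completes the handshake: SYN, SYN-ACK, ACK = server ISN + 1."""
    isn = listener.on_syn(src_ip, src_port, client_isn, now)
    if isn is None:
        return False                 # no SYN-ACK ever arrived: the connection attempt fails
    return listener.on_ack(src_ip, src_port, client_isn, (isn + 1) & MASK32, now + 0.05)


if __name__ == "__main__":
    plain = Listener(backlog=128)
    syn_flood(plain)
    print(f"no cookies: half-open {len(plain.half_open)}, dropped {plain.dropped}, "
          f"legit connect: {legit_connect(plain)}")
    cookies = Listener(backlog=128, syn_cookies=True)
    syn_flood(cookies)
    print(f"syn cookies: half-open {len(cookies.half_open)}, "
          f"legit connect: {legit_connect(cookies)}")
```

Without cookies the first 128 spoofed SYNs fill the table and every later SYN, including the real client's, is dropped; with cookies the table stays empty and the real client still connects, while an ACK that was not preceded by a valid SYN-ACK is rejected. This is why the direct attack is so easy to mitigate (one source to block) and why the spoofed and botnet variants instead have to be absorbed statelessly.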