DOS Attacks (Lesson 12) Flashcards

1
Q

Email Flooding/bombing

A

A form of denial of service attack.

2
Q

DOS Categories

A

Bandwidth Consumption
-attackers will consume all available bandwidth to a particular network
Resource Starvation
-focuses on consuming system resources rather than network resources (e.g. CPU utilization, memory, file-system quotas)
Programming Flaws
-failures of an application or operating system to handle exceptional conditions (normally result when a user sends unintended data to the vulnerable element)
Routing and DNS attacks
-involves attackers manipulating routing table entries to deny service to legitimate systems or networks.

3
Q

Poisoned Traffic

A

malformed or invalid data that can’t be properly handled

4
Q

Brute-force resource

A

simply use up all available capacity

5
Q

Stateful resource

A

take advantage of client/server relationship in protocols

6
Q

POD

A

Ping of Death

7
Q

Smurf/ping flooding/ICMP storm

A

Attacker sends a large stream of spoofed ping packets to a broadcast address (an IP address that services a network of computers).
Hosts reply to the victim.

8
Q

SYN Flooding

A

Exploits the synchronization protocol used to initiate connections

9
Q

Resource Starvation Attack

A

One method utilizes two UDP services
-Echo: the server returns whatever the client sends
-Chargen: The server sends a datagram containing a random number of characters each time the client sends a datagram.
Now, an intruder will spoof a packet and connect the Echo service on one machine to the Chargen service on another.

10
Q

Teardrop attack

A

Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. Any remote user can crash a vulnerable machine.

11
Q

Protection from DOS and DDOS attacks

A

The best way would seem to be to stop the attack before it happens
-Detect and remove Trojans/zombies from servers; use file-integrity checking programs
Block “marching orders”
-e.g. one method to send the “attack” order is to send an unsolicited ICMP ping response – firewalls should be set to block this. Broadcasts should not send ping requests. Limit ability to spoof.
Block the attack at the source

12
Q

Mitigating the Effects of DoS

A

Acknowledges that we can’t stop DoS
Harden the network
Avoid putting “all of your eggs in one basket”
Use load balancers
-can employ “delayed binds” which drop sessions
-can also drop “silent” TCP sessions
Adjust state limits (e.g. wait time)

13
Q

PING (Acronym)

A

Packet Internet Groper

14
Q

TCP SYN Scanning

A

“half open” scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet. Closed ports usually respond with an RST packet.

15
Q

TCP FIN Scanning

A

Sends a FIN packet (normally sent to clear connection when conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets.

16
Q

UDP Scanning

A

often more difficult than TCP since UDP services may not respond. If an ICMP “port unreachable” message is received, however, it is an indication the service is NOT running.

17
Q

Fragmentation Scanning

A

break the scan up into several smaller packets. This may result in being able to hide the scan from firewalls and IDS.

18
Q

Relay or bounce scanning

A

send the scan through another system (proxy or forwarding gateway); may confuse/hide the origin of the attack

19
Q

Decoy scanning

A

send a large number of spoofed packets along with your real one so they hide the real scan.

20
Q

Ways to recognize scanning

A

System log file analysis – look for multiple, short duration connections or connection attempts.
Network traffic – monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity, you will be able to recognize spikes in the activity level which may indicate scanning activity.
Firewall and router logs – look for multiple rejections or access violations coming from the same source or group of sources.
Intrusion detection systems – most IDS contain built-in methods for examining traffic to detect scanning attempts.

21
Q

Defending Against Scanning

A

Block ports at your router/firewall.
Block ICMP, including echo
Create a DMZ
Use bastion hosts/proxy servers
Use NAT to hide private, internal IP addresses
Remove default/sample materials
Remove unnecessary services
Restrict permissions
Change default headers associated with services
Keep applications and operating systems patched
Establish a “Honeypot” to trap attackers

22
Q

Eavesdropping - Cellular Intercepts

A

extremely vulnerable to interception

23
Q

Eavesdropping - Pager Intercepts

A

Fairly simple to do

24
Q

Defeating Sniffing Attacks

A

Detecting and Eliminating Sniffers
-Possible on a single box if you have control of the system
-Difficult (depending on OS) to impossible (if somebody splices network and adds hardware) from network perspective
Safer Topologies
-Sniffers capture data from the network segment they are attached to, so create segments
Encryption
-If you sniff encrypted packets, who cares?
(outside of traffic analysis, of course)

25
Q

Traffic Analysis Tips

A

Looks at activity, not contents
Pen Registers and Trap & Trace
-pen registers provide access to the numbers that are dialed from a phone
-trap & trace provides incoming numbers
Location Tracking
-possible with cellular phones
-can work even when phone not in use

26
Q

.rhosts file

A

used to establish a trusted relationship between machines. Used by rlogin, rsh, and rcp to determine which remote hosts and users are considered “trusted” and are allowed to access the host without supplying a password.
- rlogin (remote login), rsh (remote shell), rcp (remote copy)

27
Q

/etc/hosts.equiv file

A

/etc/hosts.equiv is essentially equivalent to a system-wide .rhosts file and contains lines with hostnames.

28
Q

Blind Spoofing

A

In non-blind spoofing, the response sent by the target machine can be observed (sniffed).
In blind spoofing, the target’s responses cannot be observed.
Attacker must find a way to guess sequence numbers.

29
Q

Spoofing Prevention Tips

A

General rule of thumb: Don’t have any trusted relationships if you can help it.
Don’t accept packets from outside of your network that claim to be originating from inside of your network.