DOS Attacks (Lesson 12) Flashcards
Email Flooding/bombing
A form of denial of service attack.
DOS Categories
Bandwidth Consumption
-attackers will consume all available bandwidth to a particular network
Resource Starvation
-focuses on consuming system resources rather than network resources (e.g. CPU utilization, memory, file-system quotas)
Programming Flaws
-failures of an application, or operating system to handle exceptional conditions (normally result when a user sends unintended data to the vulnerable element)
Routing and DNS attacks
-involves attackers manipulating routing table entries to deny service to legitimate systems or networks.
Poisoned Traffic
malformed or invalid data that can’t be properly handled
Brute-force resource
simply use up all available capacity
Stateful resource
take advantage of client/server relationship in protocols
POD
Ping of Death
Smurf/ping flooding/ICMP storm
Attacker sends a large stream of spoofed ping packets to a broadcast address (an IP address that services a network of computers)
Hosts reply to the victim
SYN Flooding
Exploits the synchronization protocol used to initiate connections
Resource Starvation Attack
One method utilizes two UDP services
-Echo: the server returns whatever the client sends
-Chargen: the server sends a datagram containing a random number of characters each time the client sends a datagram.
An intruder then spoofs a packet that connects the Echo service on one machine to the Chargen service on another, so the two services feed each other indefinitely.
Teardrop attack
Some implementations of the TCP/IP fragmentation reassembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. Any remote user can crash a vulnerable machine.
Protection from DOS and DDOS attacks
Best way would seem to be to stop the attack before it happens
-Detect and Remove Trojans/zombies from servers, use file-integrity checking programs
Block “marching orders”
-e.g. one method to send the “attack” order is to send an unsolicited ICMP ping response – firewalls should be set to block this. Broadcasts should not send ping requests. Limit ability to spoof.
Block the attack at the source
Mitigating the Effects of DoS
Acknowledges that we can’t stop DoS
Harden the network
Avoid putting “all of your eggs in one basket”
Use Load balancers
can employ “delayed binds” which drop sessions
can also drop “Silent” TCP sessions
Adjust state limits (e.g. wait time)
PING (Acronym)
Packet Internet Groper
TCP SYN Scanning
“half open” scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet. Closed ports usually respond with an RST packet.
TCP FIN Scanning
Sends a FIN packet (normally sent to clear connection when conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets.
UDP Scanning
often more difficult than TCP since UDP services may not respond. If an ICMP “port unreachable” message is received, however, it is an indication that the service is NOT running.
Fragmentation Scanning
break the scan up into several smaller packets. This may make it possible to hide the scan from firewalls and IDS.
Relay or bounce scanning
send the scan through another system (proxy or forwarding gateway); this may confuse or hide the origin of the attack
Decoy scanning
send a large number of spoofed packets along with your real one so they hide the real scan.
Ways to recognize scanning
System log file analysis – look for multiple, short duration connections or connection attempts.
Network traffic – monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity you will be able to recognize spikes in the activity level which may indicate scanning activity.
Firewall and router logs – look for multiple rejections or access violations coming from the same source or group of sources.
Intrusion detection systems – most IDS contain built-in methods for examining traffic to detect scanning attempts.
Defending Against Scanning
Block ports at your router/firewall.
Block ICMP, including echo
Create a DMZ
Use bastion hosts/proxy servers
Use NAT to hide private, internal IP addresses
Remove default/sample materials
Remove unnecessary services
Restrict permissions
Change default headers associated with services
Keep applications and operating systems patched
Establish a “Honeypot” to trap attackers
Eavesdropping - Cellular Intercepts
extremely vulnerable to interception
Eavesdropping - Pager Intercepts
Fairly simple to do
Defeating Sniffing Attacks
Detecting and Eliminating Sniffers
-Possible on a single box if you have control of the system
-Difficult (depending on OS) to impossible (if somebody splices network and adds hardware) from network perspective
Safer Topologies
-Sniffers capture data only from the network segment they are attached to, so – create segments
Encryption
-If you sniff encrypted packets, who cares?
(outside of traffic analysis, of course)