Lecture 4: Denial of Service Flashcards
Describe how an “ICMP (ping) flood” works, and some ways in which it can be prevented
- High volumes of ping requests are sent to a device
- Device will attempt to respond to requests by sending a message
- The high volume of back and forth traffic might make the device inaccessible to other devices
- Can be prevented by either disabling ping functionality, or
- Limiting the amount and/or size of request packets
What are two variations of the ICMP flood?
- DDoS, where a distributed network is used to send requests
- Source address spoofing, to hide the identity of the attacker. This also avoids return traffic to the attacker
Name three different kinds of flooding attacks
- ICMP flood
- UDP flood
- TCP SYN flood
Explain how TCP SYN spoofing works
- Attacks the server's ability to respond to future connection requests
- Does so by overflowing the tables used to manage pending connections
- Possible even if the attacker has little bandwidth
- Relies on half-open connections that are only cleared by time-out, meaning:
- Send SYN
- Let the server respond SYN-ACK
- Do not return the ACK
Explain what DDoS is, why it’s used, and some ways of creating such attacks
- A single source can only generate a limited traffic volume
- Multiple systems allow much higher traffic volumes
- Often uses compromised PCs/workstations
- Zombies/bots with backdoor programs installed
- Forming a botnet
Explain what a “Reflection attack” is, and how it’s done
- Attacker initiates connection with target
- Target attempts to authenticate attacker by sending challenge
- Attacker opens another connection to target, and “reflects” the challenge as its own
- The target responds to the challenge
- Attacker sends that response back to the target on the original connection
Give an example of DoS over email, and how to defend against it
- If A and B have set vacation messages
- Send message to A with B as sender
- A will respond to B, who in turn will respond to A
- The loop continues
- To defend, keep track of auto-generated mails and use the Auto-Submitted header
Give two examples of ways in which email filters can be attacked
Infinitely recursive zip:
- A malicious archive that takes exorbitant time to unpack, effectively disabling virus protection software
Bombs (e.g. non-recursive files):
- Archives that increase massively in size when unpacked
Explain what an “XML bomb” is
It’s a DoS attack where XML entities are defined recursively, giving an exponential size increase when parsed. E.g., a 1 KB file could expand to 3 GB of XML
Give an example of a “Fork bomb”, and how it works
- PostgreSQL 7.2
- Uses elapsed milliseconds to compute the number of threads to spawn
- No limit check
- If the date is advanced, e.g. to next year, a very large number of threads will be spawned
- Hence the name “Network Time Protocol attack” (the clock being advanced via NTP)
Explain how a “Slowloris” attack works
- Open a TCP connection
- Send partial HTTP headers indefinitely (and slowly), never completing the request
- Consumes the server's thread pool and connection slots
Give examples of involuntary and voluntary web DoS
Involuntary:
- Slashdotted
- Distributed flood (spiders)
Voluntary:
- Target supporting services, e.g. DNS
List the three lines of defence against (D)DoS
- Attack prevention and preemption
- Attack detection and filtering
- Attack source traceback and identification
Give examples of general measures in order to prevent DoS
- Block external requests to broadcast addresses
- Block suspicious services (e.g. Echo)
- Block suspicious combinations (e.g. DNS traffic directed to the echo port)
- Manage application attacks with puzzles to distinguish legitimate human requests
- Good general system security practices
Give one example of a measure that can be implemented to protect against flood attacks
Rate controls applied upstream:
- On specific packet types
- E.g., certain ICMP types, certain UDP traffic, TCP SYN packets