© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_7

7. Denial of Service

Ahmed Sheikh (Miami, FL, USA)

Examples of a denial-of-service (DoS) attack include flooding a target system with more traffic than it can handle, flooding a service with more requests than it can process, or crashing a TCP/IP stack by sending malformed packets. In this chapter, you will learn how to recognize and examine the symptoms of a DoS attack and become familiar with detection techniques and countermeasure strategies.

By the end of this chapter, you will be able to
  1. Identify characteristics of a DoS attack.
  2. Analyze symptoms of a DoS attack.
  3. Recognize DoS attack techniques.
  4. Identify detection techniques and countermeasure strategies.

Denial-of-Service Attack

The goal of a denial-of-service attack is not to gain unauthorized access to a system, but to prevent legitimate users from accessing a resource. A DoS attack can exhaust system resources (CPU, memory, connection tables), consume bandwidth, alter network configuration, or destroy programs and files.

Types of Attacks

Several types of denial-of-service attacks are highlighted.
  • A Smurf attack is when the attacker sends ICMP echo requests to an IP broadcast address with the source IP spoofed to the victim's address; every host on that subnet replies to the victim, amplifying the traffic.

  • A buffer overflow attack sends more data to an application than its input buffer was written to hold, bringing down the application and possibly crashing the system.

  • A ping of death attack sends a fragmented ICMP echo request that reassembles to more than the maximum IP packet size of 65,535 bytes, overflowing the reassembly buffer on the receiving system.

  • A teardrop attack manipulates the fragment offset values of IP fragments so that they overlap; the receiving system cannot reassemble the packet correctly and may crash, hang, or reboot.

  • A SYN flood attack exploits the TCP three-way handshake: the attacker sends many SYN segments (usually with spoofed source addresses) and never answers the server's SYN-ACK, leaving half-open connections that exhaust the server's connection table.
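The ping of death and teardrop entries above both come down to what the receiver's IP fragment reassembly queue sees. The following Python is an added example, not code from the book: it records fragment byte ranges per (source, destination, identification) the way a reassembly queue would, flags overlapping ranges (teardrop) and a reassembled size beyond what IPv4 allows (ping of death), and checks whether a datagram is complete. The addresses and fragment sizes are constructed for the demonstration; offsets are given in bytes, whereas the on-wire fragment offset field counts 8-byte units.

```python
# Added example, not from the book: an IP fragment tracker that flags the
# two fragment-based attacks described above. Offsets here are in bytes;
# on the wire the IPv4 fragment offset field counts 8-byte units.
from dataclasses import dataclass, field

IPV4_MAX_DATAGRAM = 65535   # largest IPv4 datagram, header included
IPV4_HEADER_LEN = 20        # minimal IPv4 header


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification; shared by every fragment of one datagram
    offset: int     # byte offset of this fragment's payload in the original
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: True on every fragment except the last


@dataclass
class Reassembly:
    pieces: list = field(default_factory=list)   # (start, end) byte ranges seen
    alerts: set = field(default_factory=set)
    last_seen: bool = False


class FragmentTracker:
    """Keeps per-(src, dst, id) state the way a reassembly queue would, but
    instead of copying payload it only records byte ranges and checks them."""

    def __init__(self):
        self.datagrams = {}

    def add(self, frag):
        key = (frag.src, frag.dst, frag.ident)
        rs = self.datagrams.setdefault(key, Reassembly())
        start, end = frag.offset, frag.offset + frag.length

        # Teardrop: fragment byte ranges must tile the datagram without
        # overlap; an overlap means the offsets were tampered with.
        for s, e in rs.pieces:
            if start < e and s < end:
                rs.alerts.add("teardrop")
                break
        rs.pieces.append((start, end))

        # Ping of death: offset + length says the reassembled datagram would
        # be larger than IPv4 allows, overflowing a naive reassembly buffer.
        if end + IPV4_HEADER_LEN > IPV4_MAX_DATAGRAM:
            rs.alerts.add("ping-of-death")

        if not frag.more:
            rs.last_seen = True
        return sorted(rs.alerts)

    def is_complete(self, src, dst, ident):
        """True once the last fragment is in and the ranges cover 0..end with no gaps."""
        rs = self.datagrams.get((src, dst, ident))
        if rs is None or not rs.last_seen:
            return False
        pos = 0
        for s, e in sorted(rs.pieces):
            if s > pos:
                return False
            pos = max(pos, e)
        return True


def run_samples():
    """Constructed fragments for three cases; returns the alerts raised for each."""
    t = FragmentTracker()
    # 1. Normal two-fragment datagram: 1480 bytes, then the final 100 bytes.
    t.add(Fragment("10.0.0.5", "10.0.0.9", 1, 0, 1480, True))
    normal = t.add(Fragment("10.0.0.5", "10.0.0.9", 1, 1480, 100, False))
    # 2. Teardrop: the second fragment starts inside the first one.
    t.add(Fragment("10.0.0.7", "10.0.0.9", 2, 0, 1000, True))
    teardrop = t.add(Fragment("10.0.0.7", "10.0.0.9", 2, 500, 1000, False))
    # 3. Ping of death: a fragment at the maximum offset (8191 * 8 = 65528)
    #    carrying far more than the few bytes that would still fit.
    pod = t.add(Fragment("10.0.0.8", "10.0.0.9", 3, 65528, 1000, False))
    return {"normal": normal, "teardrop": teardrop, "ping-of-death": pod}


if __name__ == "__main__":
    for name, alerts in run_samples().items():
        print(f"{name}: {alerts or 'no alert'}")
```

A real stack additionally bounds the number of incomplete datagrams it will hold and expires them on a timer; without that, a flood of never-completed fragments is itself a resource-consumption attack on the reassembly queue.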

A distributed denial-of-service (DDoS) attack is a coordinated attack in which several compromised systems are directed against one target.

Botnets

A bot is a software application that runs automated tasks; it can be used for benign data collection or data mining, or to coordinate a denial-of-service attack. A network of bots under one controller is called a botnet. A botnet can be used to perform any of the tasks listed here:
  • Distributed denial-of-service

  • Spamming

  • Sniffing traffic

  • Attacking IRC chat networks

  • Installing advertisement add-ons

  • Keylogging

  • Manipulating online polls and games

  • Identity theft

Conducting a DDoS Attack

The first objective in a DDoS attack is to gain administrative access to a large number of computers and turn them into zombies. The zombies lie dormant until the attacker activates them with a trigger signal. Using zombies also makes it harder to track down the original attacker, because the victim only sees traffic from the zombies.

The process for conducting a DDoS attack includes the following steps:
  1. Create a virus to send ping packets to the target.
  2. Infect a large number of computers with this virus to create zombies.
  3. Trigger the zombies to launch the attack.
  4. The zombies attack the target.

Distributed Denial of Service Attack

A DDoS network has three tiers: the attacker, one or more handlers, and many agents. The handler is often referred to as the master and the agent as the daemon. Handler software is installed on a compromised router or network server, whereas the agent software is installed on the compromised systems that will execute the attack. Agents can be configured to communicate with a single handler, as shown in Figure 7-1, or with multiple handlers.
../images/505537_1_En_7_Chapter/505537_1_En_7_Fig1_HTML.png
Figure 7-1

DDoS attack

An IRC-based DDoS network is similar, but the handler is replaced by an IRC server: the attacker and the agents join a channel on that server, and the attacker issues commands to the agents over the IRC communication channel.

Attack Classes

DDoS attacks either deplete bandwidth or exploit and consume system resources. In flood attacks, zombies flood the victim with IP traffic, slowing down the victim or crashing the system. Amplification attacks use the broadcast IP address of a subnet: the attacker sends requests to the broadcast address with the victim's address as the spoofed source, so every host on the subnet replies to the victim. The attacker increases traffic by sending these broadcast messages either directly or through agents (see Figure 7-2).
../images/505537_1_En_7_Chapter/505537_1_En_7_Fig2_HTML.jpg
Figure 7-2

Attack classes

Countermeasures

Understanding the communication protocols and traffic among handlers, clients, and agents is key to discovering handlers in the network and disabling them. Secondary victims (the systems that would otherwise become zombies) can be protected with proactive prevention techniques: keeping antivirus programs and software patches up to date protects against the malicious code that turns a system into an agent.

Egress filtering inspects the headers of IP packets leaving the network. A rule that only lets packets with a legitimate source IP address (one belonging to the organization's own address range) leave the network prevents the organization's hosts from being used to send spoofed attack traffic.

Ingress filtering observes, controls, and filters traffic entering a network, with the goal of ensuring that only legitimate traffic enters and that unauthorized or malicious traffic (for example, packets whose source address belongs to the internal network or to a reserved range) is dropped at the edge.
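The egress and ingress rules above are both source-address checks at the network edge. The Python below is an added example, not the book's code, that applies them to a handful of constructed packets: the organization's prefix (203.0.113.0/24), the bogon list, and the sample packets are all assumptions for the demonstration.

```python
# Added example, not from the book: source-address checks of the kind an edge
# router applies with egress and ingress filtering. INTERNAL and the sample
# packets are assumptions made for the demonstration.
import ipaddress

# Address space the organization actually owns (assumed for the example).
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that should never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def egress_allowed(src):
    """Outbound packet: the source must be one of our own addresses. Anything
    else is a spoofed packet leaving our network (a Smurf or SYN-flood packet
    forged with the victim's address, for instance) and is dropped."""
    return _in_any(ipaddress.ip_address(src), INTERNAL)


def ingress_allowed(src):
    """Inbound packet: the source must not be one of our own addresses (an
    outsider impersonating an inside host) and must not be a bogon."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, INTERNAL):
        return False
    if _in_any(addr, BOGONS):
        return False
    return True


def filter_packets(packets):
    """packets: iterable of (direction, src, dst) with direction 'in' or 'out'.
    Returns a list of (verdict, direction, src, dst)."""
    results = []
    for direction, src, dst in packets:
        ok = egress_allowed(src) if direction == "out" else ingress_allowed(src)
        results.append(("pass" if ok else "drop", direction, src, dst))
    return results


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5"),   # our host talking out: pass
    ("out", "198.51.100.5", "192.0.2.20"),     # spoofed source leaving us: drop
    ("in",  "198.51.100.5", "203.0.113.10"),   # ordinary inbound packet: pass
    ("in",  "203.0.113.10", "203.0.113.10"),   # outsider claiming our address: drop
    ("in",  "10.1.2.3",     "203.0.113.10"),   # private-range source from outside: drop
]

if __name__ == "__main__":
    for verdict, direction, src, dst in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:4} {direction:3} {src} -> {dst}")
```

Note what these rules do and do not achieve: they stop the organization from originating spoofed traffic and stop trivially forged packets from entering, but a flood of well-formed packets from real (compromised) source addresses passes both checks and still has to be handled by throttling and load balancing.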

Replicating servers and increasing bandwidth are both load balancing techniques. Throttling lets routers limit heavy incoming traffic to a rate the server can handle; minimum and maximum throughput controls can be used to keep the server from going down. Using a decoy such as a honeypot can protect an organization's resources while providing a way to study an attacker's techniques.

Tools that store post-attack data can be used to analyze the characteristics of the traffic during the attack. With this data, load balancing and throttling countermeasures can be tuned.

Traceback tools that follow the attacker's traffic back toward its source can be used to reconstruct the attack path. This information can be used to implement filtering that blocks the traffic. Event logs assist in the investigation.
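The post-attack analysis described above is usually done over a packet capture such as the tcpdump output shown in the next section. The following Python is an added example, not from the book, that parses tcpdump-style TCP lines and tracks half-open connections per service, which is the signature of the SYN flood described earlier: a SYN opens an entry, the client's ACK (or a RST/FIN from either side) closes it, and a service with more half-open entries than a threshold is reported together with the number of distinct source addresses. The capture lines, addresses, and threshold are constructed for the demonstration.

```python
# Added example, not from the book: a half-open connection counter run over
# constructed tcpdump-style lines to spot a SYN flood after the fact.
import re
from collections import defaultdict

# Matches the start of a tcpdump TCP line, e.g.
# "12:00:00.000001 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, ..."
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


class HalfOpenTracker:
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.half_open = {}    # (client, cport, server, sport) -> SYN timestamp
        self.completed = 0     # handshakes that reached the final ACK

    def feed(self, line):
        p = parse(line)
        if p is None:
            return
        flags = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if flags == "S":                       # client SYN: half-open until ACKed
            self.half_open[fwd] = p["ts"]
        elif flags == "S.":                    # server SYN-ACK: still half-open
            pass
        elif "R" in flags or "F" in flags:     # reset or close from either side
            self.half_open.pop(fwd, None)
            self.half_open.pop(rev, None)
        elif "." in flags and fwd in self.half_open:   # client ACK completes it
            del self.half_open[fwd]
            self.completed += 1

    def report(self):
        """Half-open connections per service; only services over the threshold are returned."""
        per_service = defaultdict(lambda: {"half_open": 0, "sources": set()})
        for client, _cport, server, sport in self.half_open:
            entry = per_service[f"{server}:{sport}"]
            entry["half_open"] += 1
            entry["sources"].add(client)
        return {
            svc: {"half_open": v["half_open"], "sources": len(v["sources"])}
            for svc, v in per_service.items()
            if v["half_open"] > self.threshold
        }


def sample_capture():
    """Constructed capture: one legitimate handshake, then eight SYNs from
    spoofed 192.0.2.x sources that are answered but never acknowledged."""
    lines = [
        "12:00:00.000001 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0",
        "12:00:00.000050 IP 203.0.113.10.80 > 198.51.100.7.40001: Flags [S.], seq 100, ack 2, win 65160, length 0",
        "12:00:00.000090 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [.], ack 101, win 64240, length 0",
    ]
    for i in range(1, 9):
        lines.append(f"12:00:01.{i:06d} IP 192.0.2.{i}.{30000 + i} > 203.0.113.10.80: "
                     f"Flags [S], seq 0, win 1024, length 0")
        lines.append(f"12:00:01.{i + 10:06d} IP 203.0.113.10.80 > 192.0.2.{i}.{30000 + i}: "
                     f"Flags [S.], seq 0, ack 1, win 65160, length 0")
    return lines


def analyse(lines, threshold=5):
    t = HalfOpenTracker(threshold)
    for line in lines:
        t.feed(line)
    return t.completed, t.report()


if __name__ == "__main__":
    completed, alerts = analyse(sample_capture())
    print(f"completed handshakes: {completed}")
    for svc, info in alerts.items():
        print(f"{svc}: {info['half_open']} half-open from {info['sources']} sources")
```

The "sources" count is what separates a flood from a busy service: many half-open entries from one or two addresses point at a misbehaving client, while many half-open entries each from a different, never-seen-again address are the spoofed-source pattern that egress filtering at the originating networks would have prevented.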

Performing a DoS Attack

A denial of service is an attack in which a large volume of traffic is sent to a host until the host can no longer respond to legitimate users' requests (see Figures 7-3, 7-4, and 7-5).
../images/505537_1_En_7_Chapter/505537_1_En_7_Fig3_HTML.jpg
Figure 7-3

Captured network traffic with Tcpdump

../images/505537_1_En_7_Chapter/505537_1_En_7_Fig4_HTML.jpg
Figure 7-4

Command used to start the DoS attack

../images/505537_1_En_7_Chapter/505537_1_En_7_Fig5_HTML.jpg
Figure 7-5

Sample DoS packets

NEVER use this tool or these commands outside of the isolated virtual environment.

Summary

This chapter reviewed denial-of-service attacks and different types of attacks such as Smurf, buffer overflow, ping of death, teardrop, and SYN flood, including the symptoms that occur during a DoS attack. It also covered detection techniques and countermeasures that are important for securing systems.
