Distributed Reflection Denial of Service Attacks

As previously stated, DDoS attacks are becoming more common. Most such attacks rely on getting various machines (servers or workstations) to attack the target. A distributed reflection denial of service attack is a special type of DoS attack. As with all such attacks, it is accomplished by the hacker getting a number of machines to attack the selected target. However, this attack works a bit differently than other DoS attacks. Rather than getting computers to attack the target, this method tricks Internet routers into attacking a target.

Many of the routers on the Internet backbone communicate on port 179. This attack exploits that communication line and gets routers to attack a target system. What makes this attack particularly wicked is that it does not require the routers in question to be compromised in any way. The attacker does not need to get any sort of software on the router to get it to participate in the attack. Instead, the hacker sends a stream of packets to the various routers requesting a connection. The packets have been altered so that they appear to come from the target system’s IP address. The routers respond by initiating connections with the target system. A flood of connections from multiple routers all hit the same target system, rendering the target system unreachable.

Low Orbit Ion Cannon

Low Orbit Ion Cannon (LOIC) is one of the most widely known DoS tools available. It has a very easy-to-use graphical user interface, shown in Figure 4.2.

This tool is very easy to use. As you can see in Figure 4.2, it simply requires the user to put in the target URL or IP address and then begin the attack. Fortunately, this tool also does nothing to hide the attacker’s address and thus makes it relatively easy to trace the attack back to its source. It is an older tool, but still widely used today. There is a tool similar to this named High Orbit Ion Cannon (HOIC).

XOIC

XOIC is similar to LOIC. It has three modes, as shown in Figure 4.3: You can send a message, execute a brief test, or start a DoS attack.

Like LOIC, XOIC is very easy to use. It is just a point-and-click graphical user interface. Even attackers with minimal skill can use it to launch a DoS attack.

TFN and TFN2K

Tribal Flood Network (TFN) and TFN2K are two of the oldest DoS tools and not widely used today. They are included here for historical purposes. TFN and TFN2K have been around for many years and are still in use today, but not very widely. TFN2K is a newer version of TFN that supports both Windows Server and UNIX platforms (and can easily be ported to additional platforms). It has some features that make detection more difficult than with its predecessor, including sending decoy information to avoid being traced. Experts at using TFN2K can use the resources of a number of agents to coordinate an attack against one or more targets. In addition, TFN and TFN2K can perform various attacks such as UDP flood attacks, ICMP flood attacks, and TCP SYN flood attacks (all discussed later in this chapter).

TFN2K works on two fronts. First, there is a command-driven client on the master system. Second, there is a daemon process operating on an agent system. The attack works like this:

1. The master instructs its agents to attack a list of designated targets.

2. The agents respond by flooding the targets with a barrage of packets.

With this tool, multiple agents, coordinated by the master, can work together during the attack to disrupt access to the target. In addition, a number of “safety” features for the attacker significantly complicate development of effective and efficient countermeasures for TFN2K:

• Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

• Both master-to-agent communications and the attacks themselves can be sent via randomized TCP, UDP, and ICMP packets.

• The master can falsify (spoof) its IP address.

Stacheldraht

Stacheldraht is not as widely known as the previously mentioned DoS tools. Stacheldraht, which is German for “barbed wire,” is a DDoS attack tool that combines features of the Trinoo DDoS tool (another common tool) with the source code from the TFN DDoS attack tool. Like TFN2K, it adds encryption of communication between the attacker and the Stacheldraht masters. It also adds an automatic updating of the agents.

Stacheldraht can perform a variety of attacks, including UDP flood, ICMP flood, TCP SYN flood, and Smurf attacks. It also detects and automatically enables source address forgery.

TCP SYN Flood Attacks

One popular version of the DoS attack is the SYN flood, which is a classic in the history of DoS attacks. This particular attack depends on the hacker’s knowledge of how connections to a server are made. When a session is initiated between the client and server in a network using TCP, a packet is sent to the server with a 1-bit flag called a SYN (or synchronize) flag set. This packet asks the target server to please synchronize communications. The server then allocates appropriate resources and sends to the client a packet with both the SYN (synchronize) and the ACK (acknowledge) flags set. The client machine is then supposed to respond with an ACK flag set. This process, called the three-way handshake, is summarized as follows:

1. The client sends a packet with the SYN flag set.

2. The server allocates resources for the client and then responds with the SYN and ACK flags set.

3. The client responds with the ACK flag set.

There have been a number of well-known SYN flood attacks on web servers. The reason for the popularity of this attack type is that any machine that engages in TCP communication is vulnerable to it—and all machines connected to the Internet engage in TCP communications. Such communication is obviously the entire reason for web servers. The easiest way to block DoS attacks is via firewall rules. (We will discuss firewalls in detail in Chapter 9, “Computer Security Technology.”) A properly configured firewall can prevent a SYN flood attack. There are, however, several methods and techniques you can implement on individual servers to protect against these attacks. The basic defensive techniques are as follows:

• Micro blocks

• SYN cookies

• RST cookies

• Stack tweaking

Some of these methods require more technical sophistication than others. These methods will be discussed in general here. When you are entrusted with defending a system against these forms of attacks, you can select the methods most appropriate for your network environment and your level of expertise and examine the system further at that time. The specifics of how to implement any of these methods will depend on the operating system that your web server is using. You will need to consult your operating system’s documentation, or appropriate websites, in order to find explicit instruction on how to implement methods.

Smurf IP Attacks

The Smurf attack is a very popular version of the DoS attack. An ICMP (Internet Control Message Protocol) packet is sent out to the broadcast address of the network. Since it is broadcast, it responds by echoing the packet out to the network hosts, which then send it to the spoofed source address. Also, the spoofed source address can be anywhere on the Internet, not just on the local subnet. If the hacker can continually send such packets, she will cause the network itself to perform a DoS attack on one or more of its member servers. This attack is clever and rather simple. The only problem for the hacker is getting the packets started on the target network. This task can be accomplished via some software, such as a virus or Trojan horse, that will begin sending the packets.

In a Smurf attack, there are three people/systems involved: the attacker, the victim, and the intermediary (who can also be a victim). The attacker first sends an ICMP echo request packet to the intermediary’s IP broadcast addresses. Since this is sent to the IP broadcast address, many of the machines on the intermediary’s network will receive this request packet and will send back an ICMP echo reply packet. If all the machines on a network are responding to this request, the network becomes congested, and there may be outages.

The attacker impacts the third party—the intended victim—by creating forged packets that contain the spoofed source address of the victim. Therefore, when all the machines on the intermediary’s network start replying to the echo request, those replies will flood the victim’s network. Thus, another network becomes congested and could become unusable. Figure 4.4 illustrates this attack.

The Smurf attack is an example of the creativity that some malicious parties can employ. It is sometimes viewed as the digital equivalent of the biological process in an auto-immune disorder. With such disorders, the immune system attacks the patient’s own body. In a Smurf attack, the network performs a DoS attack on one of its own systems. This method’s cleverness illustrates why it is important that you attempt to work creatively and in a forward-thinking manner if you are responsible for system security in a network. The perpetrators of computer attacks are inventive and always coming up with new techniques. If your defense is less creative and clever than the attackers’ offense, then it is simply a matter of time before your system is compromised.

There are several ways to protect your system against this problem. One is to guard against Trojan horses. More will be said about the Trojan horse attack in later chapters; however, having policies prohibiting employees from downloading applications will help. Also, having adequate virus scanners can go a long way in protecting your system from a Trojan horse and, thus, a Smurf attack. It is also imperative that you use a proxy server, as discussed in Chapter 2. If the internal IP addresses of your network are not known, then it is more difficult to target one in a Smurf attack. And, of course, the most obvious mitigation step you can take is to block all inbound broadcast packets at the firewall. Probably the best way to protect your system is to combine these defenses and also prohibit directed broadcasts and patch the hosts to refuse to reply to any directed broadcasts.

There is a variation of Smurf named Fraggle. Fraggle operates very much like Smurf with the exception of specifically using ports 7 (echo) and 19 (chargen) to a Broadcast Address, spoofing the intended victim’s source IP address.

UDP Flood Attacks

UDP, as you will recall from Chapter 2, is a connectionless protocol that does not require a connection setup procedure prior to transferring data. In a UDP flood attack, the attacker sends a UDP packet to a random port on a target system. When the target system receives a UDP packet, it automatically determines what application is waiting on the destination port. In this case, since there is no application waiting on the port, the target system will generate an ICMP packet of “destination unreachable” and attempt to send it back to the forged source address. If enough UDP packets are delivered to ports on the target, the system will become overloaded trying to determine awaiting applications (which do not exist) and then generating and sending packets back.

ICMP Flood Attacks

There are two basic types of ICMP flood attacks: floods and nukes. An ICMP flood is usually accomplished by broadcasting a large number of either pings or UDP packets. As with other flood attacks, the idea is to send so much data to the target system that it slows down. If it can be forced to slow down enough, the target will time out (that is, not send replies fast enough) and be disconnected from the Internet. ICMP nukes exploit known bugs in specific operating systems. The attacker sends a packet of information that he knows the operating system on the target system cannot handle. In many cases, this will cause the target system to lock up completely.

This type of attack is far less effective against modern computers than it was against older machines. Even a low-end desktop PC now will have 4GB (or more) of RAM and a dual-core processor. That makes it difficult to generate enough pings to knock the machine offline. However, at one time this was a very common form of DoS attack.

The Ping of Death

Recall from Chapter 2 that TCP packets are of limited size. In some cases, simply sending a packet that is too large can shut down a target machine. This action is referred to as the ping of death (PoD). It works simply by overloading the target system. The hacker sends a single ping, but he does so with a very large packet and thus can shut down some machines.

This attack is quite similar to the classroom example discussed earlier in this chapter. The aim in both cases is to overload the target system and cause it to quit responding. PoD works to compromise systems that cannot deal with extremely large packet sizes. If such an attack is successful, the server will actually shut down completely. It can, of course, be rebooted.

The only real safeguard against PoD is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities in the way a particular operating system (or application) handles abnormally large TCP packets. When such vulnerabilities are discovered, it is customary for the vendor to release a patch. The possibility of PoD is one reason, among many, you must keep patches updated on all of your systems.

Most denial of service attacks are properly mitigated with an appropriate firewall combined with an IDS/IPS or with a next-generation firewall. Chapter 9 discusses security devices and software in more detail.

Teardrop Attacks

In a teardrop attack, the attacker sends a fragmented message. The two fragments overlap in ways that make it impossible to reassemble them properly without destroying the individual packet headers. Therefore, when the victim attempts to reconstruct the message, the message is destroyed. This causes the target system to halt or crash. A number of variations on the basic teardrop attack are available, such as TearDrop2, Boink, targa, Nestea Boink, NewTear, and SYNdrop.

DHCP Starvation

If enough requests flooded a network, the attacker can completely exhaust the address space allocated by the DHCP servers for an indefinite period of time. This DoS attack is called DHCP starvation. An attacker can use a tool such as The Gobbler to easily commit this type of attack.

HTTP POST DoS Attacks

An HTTP POST DoS attack involves sending a legitimate HTTP POST message. Part of the POST message is the content length, which indicates the size of the message to follow. In this attack, the attacker sends the actual message body at an extremely slow rate. The web server is hung while waiting for that message to complete. For more robust servers, the attacker needs to send multiple HTTP POST messages simultaneously.

PDoS Attacks

A permanent denial of service (PDoS) attack damages the system so badly that the victim machine needs an operating system reinstall or even new hardware. This type of attack, sometimes called phlashing, usually involves a DoS attack on the device’s firmware.

Registration DoS Attacks

An attacker can create a program that submits registration forms repeatedly, adding a large number of spurious users to an application. This is one reason many registration websites use CAPTCHA.

Login DoS Attacks

An attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond. Many websites use CAPTCHA to prevent automated login attempts.

Land Attacks

A land attack is probably the simplest attack in concept. The attacker sends a forged packet with the same source IP address and destination IP address (the target’s IP address). The method is to drive the target system “crazy” by having it attempt to send messages to and from itself. The victim system will often be confused and will crash or reboot. More modern computers are not susceptible to this attack, but it is presented here for historical purposes.

DDoS Attacks

Perhaps the most common form of DoS attack today is the DDoS attack. This is accomplished by getting various machines to attack the target. A typical way this is done is by sending out a Trojan horse that will cause infected computers to attack a specified target at a particular date and time. This is a very effective way to execute a DDoS attack on any target. In this form of attack, the attacker does not have direct control of the various machines involved. These machines are simply infected by some malware that causes them to participate in the attack on a particular date and time.

Another method is to use a botnet to orchestrate the attack. Botnets are networks of computers that have been compromised by the attacker, giving said attacker control of the infected system. This is often accomplished via delivery of a Trojan horse. However, unlike with the form of DDoS attack just mentioned, the attacker has direct control of the attacking machines in the botnet.

Boston Globe Attack

On November 8, 2017, the Boston Globe was hit with a large-scale DDoS attack against bostonglobe.com and other websites owned by the company. The attack also interrupted the company’s telephones. The attack was only stopped by the company’s Internet service provider implementing anti-DDoS measures, such as throttling bandwidth.

Memcache Attacks

In February 2017 a new DDoS attack vector emerged. Attackers used memcache, a database caching system, to amplify traffic volume. A request could be amplified by a factor of several thousand by using this method. The aforementioned GitHub attack involved memcaching.

MyDoom

This is an old attack, but a classic in the history of DDoS, and thus worthy of mention. One of the most well-publicized DoS attacks was the MyDoom attack. While this attack is a few years old, it is an excellent one to study as it is a classic example of a virus being used to propagate a DDoS attack. This threat was a classically distributed DoS attack. The virus/worm emailed itself to everyone in someone’s address book and replicated further in the same manner, and then, at a preset time, all the infected machines began a coordinated attack on the Santa Cruz Operations (SCO) website, www.sco.com (Network World, 2004). Estimates put the number of infected machines between 500,000 and 1 million. This attack was successful and promptly shut down the SCO website. It should be noted that well before the day that the DoS attack was actually executed, network administrators and home users were well aware of what MyDoom would do. There were also several tools available free of charge on the Internet for removing the virus/worm. However, it appears that many people did not take the steps necessary to clean their machines of this virus/worm.

Interestingly, MyDoom was still causing problems many years after its discovery. As late as July 2009, an attacker utilized MyDoom as a backdoor to launch a DoS attack against South Korean and U.S. web servers.

One thing that makes this attack so interesting is that it is clearly an example of domestic cyber terrorism (although it is certain that the creators of MyDoom would probably see it differently). (Cyber terrorism will be discussed further in Chapter 12, “Cyber Terrorism and Information Warfare.”) For those readers who do not know the story, it will be examined here briefly. SCO makes a version of the UNIX operating system. Like most other UNIX versions, the SCO version is copyright protected. Several months before this attack, SCO began accusing certain Linux distributions of containing segments of SCO UNIX code. SCO sent letters to many Linux users, demanding license fees. Many people in the Linux community viewed this request as simply an attempt to undermine the growing popularity of Linux, an open-source operating system. SCO went even further and filed suit against major companies that were distributing Linux This claim by SCO seemed unfounded to many legal and technology analysts. It was also viewed with great suspicion because SCO had close ties to Microsoft, which had been trying desperately to stop the growing popularity of Linux.

Many analysts believe that the MyDoom virus/worm was created by some individual (or group of individuals) who felt that SCO’s tactics were unacceptable. The hackers wished to cause economic harm to SCO and damage its public image. This probable motive makes this case clearly one of domestic economic terrorism: One group attacks the technological assets of another group based on an ideological difference. Prior to this virus/worm, there were numerous website defacements and other small-scale attacks that were part of ideological conflicts. However, this virus/worm was the first such attack to be so widespread and successful. This incident began a new trend in information warfare. As technology becomes less expensive and the tactics more readily available, we can expect to see an increase in this sort of attack in the coming years.

DDoS Blackmail

In November 2015, the Australian company FastMail was the victim of a DDoS attack. First the system was attacked and knocked offline. After the second attack, the victim received a ransom demand. The attackers demanded 20 bitcoins to call off the attack. A similar attack had been previously launched against Protonmail, also demanding ransom to stop the attacks.

Mirai

Mirai was malware that turned Linux-based machines into a botnet to be used in DDoS attacks. This was first seen in August 2016. This malware targets Internet of Things (IoT) devices as the basis for DDoS attacks.

Multiple Choice Questions

1. When considering the various attacks that can be executed on your system, it is important to understand which attacks are most common. Of the following, which is one of the most common and simplest attacks on a system?

A. Denial of service attack

B. Buffer overflow

C. Session hacking

D. Password cracking

2. All DoS attacks are predicated on overwhelming a system’s workload capacity. Therefore, measuring the workload of a system is critical. Which of the following is not a valid way to define a computer’s workload?

A. Number of simultaneous users

B. Storage capacity

C. Maximum voltage

D. Speed of network connection

3. What do you call a DoS attack launched from several machines simultaneously?

A. Wide-area attack

B. Smurf attack

C. SYN flood

D. DDoS attack

4. It is important to understand the different types of DoS attacks and the symptoms of those attacks. Leaving a connection half open is a symptom of which type of attack?

A. Smurf attack

B. Partial attack

C. SYN flood attack

D. DDoS attack

5. While there are a wide range of different ways to execute a DoS attack, they all are predicated on the same idea. What is the basic concept behind a DoS attack?

A. Computers don’t handle TCP packets well.

B. Computers can handle only a finite load.

C. Computers cannot handle large volumes of TCP traffic.

D. Computers cannot handle large loads.

6. What is the most significant weakness in a DoS attack from the attacker’s viewpoint?

A. The attack is often unsuccessful.

B. The attack is difficult to execute.

C. The attack is easy to stop.

D. The attack must be sustained.

7. What is the most common class of DoS attacks?

A. Distributed denial of service

B. Smurf attacks

C. SYN floods

D. Ping of death

8. A range of countermeasures can help defend against DoS attacks. What are three methods for protecting against SYN flood attacks?

A. SYN cookies, RST cookies, and stack tweaking

B. SYN cookies, DoS cookies, and stack tweaking

C. DoS cookies, RST cookies, and stack deletion

D. DoS cookies, SYN cookies, and stack deletion

9. Juan is explaining various DoS attacks to security operators at his company. Which attack mentioned in this chapter causes a network to perform a DoS attack on one of its own servers?

A. SYN flood

B. Ping of death

C. Smurf attack

D. DDoS

10. What is the name for a defense that depends on a hash being sent back to the requesting client?

A. Stack tweaking

B. RST cookies

C. SYN cookies

D. Hash tweaking

11. What type of defense depends on sending the client an incorrect SYN/ACK?

A. Stack tweaking

B. RST cookies

C. SYN cookies

D. Hash tweaking

12. You are attempting to explain various DoS attacks to a new security technician. You want to make sure she can differentiate between these different attacks and notice the signs of a specific attack. What type of defense depends on changing the server so that unfinished handshaking times out sooner?

A. Stack tweaking

B. RST cookies

C. SYN cookies

D. Hash tweaking

13. What type of attack is dependent on sending packets that are too large for the server to handle?

A. Ping of death

B. Smurf attack

C. Slammer attack

D. DDoS

14. You want to make sure your team can identify the various DoS attack vectors. What type of attack uses the victim’s own network routers to perform a DoS attack on the target?

A. Ping of death

B. Smurf attack

C. Slammer attack

D. DDoS

15. There have been many different types of attacks over the years. Which of the following is an example of a DDoS attack?

A. MyDoom virus

B. Bagle virus

C. DoS virus

D. Smurf virus

16. How can securing internal routers help protect against DoS attacks?

A. Attacks cannot occur if the internal router is secured.

B. Because attacks originate outside the network, securing internal routers cannot help protect against DoS.

C. Securing the router will only stop router-based DoS attacks.

D. It will prevent an attack from propagating across network segments.

17. What can you do to your internal network routers to help defend against DoS attacks?

A. Disallow all traffic that is not encrypted

B. Disallow all traffic that comes from outside the network

C. Disallow all traffic that comes from inside the network

D. Disallow all traffic that comes from untrusted sources

18. There are classic attacks that, while several years old, are worthy of study due to their significance in the history of cybersecurity. Which of the following was rated by many experts (at the time) to be the fastest growing virus on the Internet?

A. MyDoom virus

B. Bagle virus

C. Slammer virus

D. Smurf virus

19. No attack mitigation strategy is perfect, and you need to allow at least some traffic into and out of your network, or else your network is of no use. What can you do with your firewall to defend against at least some DoS attacks?

A. Block all incoming traffic

B. Block all incoming TCP packets

C. Block all incoming traffic on port 80

D. Block all incoming ICMP packets

20. You are trying to identify all potential DoS attack vectors. In doing so, you hope to provide mitigation for each of these attack vectors. Why will protecting against Trojan horse attacks reduce DoS attacks?

A. Many denial of service attacks are conducted by using a Trojan horse to get an unsuspecting machine to execute the DoS attack.

B. If you can stop a Trojan horse attack, you will also stop DoS attacks.

C. A Trojan horse will often open ports and thus allow DoS attacks.

D. A Trojan horse has much the same effect as a DoS attack.

Exercises

Exercise 4.1: Executing a DoS Attack

Note that this exercise is best done in a laboratory setting where there are several machines available for use.

1. Set up one machine (preferably a machine with very limited capacity) to run a small web server. (You can download Apache for free for either Windows or Linux from www.apache.org.)

2. Use the ping utility with various other computers to attempt to perform a simple DoS attack on that web server. This attempt is accomplished by getting other machines to begin a continuous ping of that target machine, using the command ping -l 65000 -w0 -t <target address>.

3. You should add only one to three lab machines to the “attack” at a time. (Start with one, add on a few more, and then add a few more.)

4. As you add more machines, time how long it takes for another machine to bring up the home page of the target server. Also note the threshold (that is, when that server quits responding completely).

Exercise 4.2: Stopping SYN Flood Attacks

Note that this exercise is advanced. Some students may wish to work in groups.

1. Search the Web or your operating system’s documentation for instructions on implementing either the RST cookie or the SYN cookie.

2. Follow those implementation instructions on either your own machine or on a machine designated by your instructor. The following websites might be of help to you in this matter:

   • Linux: www.linuxjournal.com/article.php?sid=3554

   • Windows: http://cr.yp.to/syncookies.html and www.securityfocus.com/infocus/1729

   • Both Linux and Windows: www.securiteam.com/tools/6D00K0K01O.html

Exercise 4.3: Using Firewall Settings

This exercise is only for students with access to a lab firewall.

1. Use your firewall’s documentation to see how to block ICMP packets.

2. Set your firewall to block those packets.

Exercise 4.4: Using Router Settings

This exercise is only for students with access to a lab router.

1. Use your router’s documentation to see how to block all traffic not originating on your own network.

2. Set your router to block that traffic.

Projects

Project 4.1: Employing Alternative Defenses

1. Using the Web or another research tool, search for alternative means of defending against either general DoS attacks or a specific type of DoS attack. This can be any defense other than the ones already mentioned in this chapter.

2. Write a brief paper concerning this defense technique.

Project 4.2: Defending Against Specific Denial of Service Attacks

1. Using the Web or other tools, find a DoS attack that has occurred in the past 6 months. You might find some resources at www.f-secure.com.

2. Note how that attack was conducted.

3. Write a brief explanation of how you might have defended against that specific attack.

Project 4.3: Hardening the TCP Stack Against DoS

Note that this project requires access to a lab machine. It is also a long project, requiring some research time on the part of the students.

1. Using manuals, vendor documentation, and other resources, find one method for altering TCP communications to help prevent DoS attacks.

2. Using this information, implement one of these methods on your lab computer.