This technique is used to attack a host in such a way that it can no longer serve further requests from users; eventually the server crashes, resulting in a server-unavailable condition.
Various attack techniques fall under this topic. We will cover SYN flood and ICMP flood detection with the help of Wireshark.
We learned about the TCP handshake process in Chapter 3, Analyzing the TCP Network. In this handshake process, a connection is established with SYN, SYN-ACK, and ACK between the client and server.
In a SYN flood attack scenario, the following happens:
In all these scenarios, the TCP/IP stack file descriptors are consumed, causing the server to slow down and finally crash.
Open the SYN_FLOOD.pcap packet capture file in Wireshark and perform the following steps:
The IO graph statistics show the following summary:
tcp.flags.fin
tcp.flags.push
In real scenarios, this data will be mixed in with legitimate packet flows, but the analysis technique remains the same. The moment you see an unexpected growth or a sudden spike in SYN packets, it is a SYN flood, either from a single-source DoS or from a multiple-source DDoS.
SYN attacks can be mitigated. The following are a few mitigation plans:
Edit the /etc/sysctl.conf file and make changes to these entries:

# Prevent SYN attack, enable SYN cookies (they will kick in when max_syn_backlog is reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Increase the tcp-time-wait buckets pool size to prevent simple DoS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
Run sysctl to apply the changes:

bash# sysctl -p
Block the attacking host at the firewall; the following rules all block the same offending address (10.0.0.3 in this example) on different firewall platforms:

# Netfilter (iptables): drop packets arriving on eth0 from the attacking source
iptables -A INPUT -i eth0 -s 10.0.0.3/32 -j DROP
! Cisco IOS (standard)
access-list NUMBER deny host 10.0.0.3
# IPFirewall (ipfw)
add deny ip from 10.0.0.3 to any in
# Windows Firewall (netsh)
add portopening tcp 443 Wireshark DISABLE 10.0.0.3
An Internet Control Message Protocol (ICMP) flood is also categorized as a Layer 3 DoS or DDoS attack. It works as follows: an attacker floods the server with echo request (ping) packets, often with a spoofed source IP address; the server cannot process an echo response for each ICMP echo request it receives, resulting in host slowness and denial of service.
Open the ICMP_Flood_01.pcap packet capture file in Wireshark and perform the following steps:
As shown in the screenshot, an ICMP flood has the following characteristics:
The following are a few mitigation plans for the ICMP flood attack:
Filter ICMP with iptables and ip6tables (echo requests are dropped; outbound ICMP and the inbound echo-reply, destination-unreachable and time-exceeded messages are still accepted, and all other inbound ICMP is dropped):

bash# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
bash# iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
bash# iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
bash# iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
bash# iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
bash# iptables -A INPUT -p icmp -i eth0 -j DROP
bash# ip6tables -I INPUT -p icmpv6 --icmpv6-type 8 -j DROP
bash# ip6tables -I INPUT -p icmpv6 -i eth0 -j DROP
Editing the /etc/sysctl.conf file and adding the following entry to it:

net.ipv4.icmp_echo_ignore_all = 1

Run sysctl to apply the changes:

bash# sysctl -p
This kind of attack happens at Layer 7 and is difficult to detect because it resembles legitimate website traffic. In Analyzing SSL/TLS, we learned about SSL and the handshake process. The attacker can use the handshake against the system to create a DoS/DDoS attack, as the handshake involves a larger exchange of messages between the client and the server. For example, in the case of one-way authentication, the total number of packets exchanged to establish a connection is approximately 12 (that is, 3 packets for the TCP handshake + 9 packets for the SSL handshake = 12 packets exchanged).
The attacker can flood the server with SSL connections, keeping it busy just establishing connections, to create a DoS/DDoS scenario.
Wireshark can help identify the IP address from which the largest number of packets has arrived. This feature is called Conversations (Statistics > Conversations), and it can be used in any kind of flood scenario (DoS attack).
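The same two checks, as an added example that is not code from the book: binning bare SYNs and ICMP echo requests into 1-second windows (what the IO Graph shows for the SYN spike described earlier) and reporting the top source in each flooded window (what Conversations shows). It runs over a constructed tshark field export; the tshark invocation, the boolean spellings in TRUE and the sample addresses are assumptions.

```python
"""Offline stand-in for the Wireshark IO Graph (1-second bins) and Conversations
(top talker) checks, run over a tshark field export. Assumed export command:
  tshark -r SYN_FLOOD.pcap -T fields -E separator=, \
    -e frame.time_relative -e ip.src -e tcp.flags.syn -e tcp.flags.ack -e icmp.type
"""
from collections import Counter, defaultdict

TRUE = {"1", "True"}  # tshark prints booleans as 1/0 or True/False depending on version

# Constructed sample (RFC 5737 addresses): two normal handshakes in second 0,
# 150 bare SYNs from one host in second 1, 50 ICMP echo requests in second 2.
SAMPLE_CSV = "\n".join(
    ["0.10,192.0.2.10,1,0,", "0.12,198.51.100.1,1,1,",
     "0.40,192.0.2.11,1,0,", "0.42,198.51.100.1,1,1,"]
    + [f"1.{i:03d},203.0.113.5,1,0," for i in range(0, 300, 2)]
    + [f"2.{i:03d},203.0.113.7,,,8" for i in range(0, 100, 2)]
)


def classify(line):
    """Return (time, src, kind): 'SYN' for a bare SYN (SYN set, ACK clear, the
    packet that fills the backlog), 'ECHO' for an ICMP echo request (type 8),
    else None. SYN-ACKs from the server are deliberately not counted."""
    t, src, syn, ack, icmp_type = line.split(",")
    if syn in TRUE and ack not in TRUE:
        return float(t), src, "SYN"
    if icmp_type == "8":
        return float(t), src, "ECHO"
    return float(t), src, None


def flood_alerts(csv_text, kind, threshold):
    """Bin packets of `kind` into 1-second windows and return
    (second, count, top_source, top_source_count) for every window whose
    count reaches `threshold`; the top source is what Conversations shows."""
    windows = defaultdict(Counter)
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        t, src, k = classify(line)
        if k == kind:
            windows[int(t)][src] += 1
    alerts = []
    for sec in sorted(windows):
        total = sum(windows[sec].values())
        if total >= threshold:
            top_src, top_n = windows[sec].most_common(1)[0]
            alerts.append((sec, total, top_src, top_n))
    return alerts
```

Calling flood_alerts(SAMPLE_CSV, "SYN", 100) flags second 1 with 150 bare SYNs all from 203.0.113.5, and flood_alerts(SAMPLE_CSV, "ECHO", 40) flags second 2 with 50 echo requests from 203.0.113.7; the thresholds are a tuning choice for the capture at hand.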
Open the ICMP_Flood_01.pcap packet capture file in Wireshark and perform the following steps:
Other categories of Layer 7 attacks are HTTP/HTTPS POST flood and HTTP/HTTPS GET flood.