Denial of Service

Objectives

Overview of DOS attacks and DDoS attacks, understanding the techniques of DoS/DDoS Attack Techniques, Understanding the Botnet Network, Understanding Various DoS and DDoS attack tools, DoS/DDoS countermeasures, Overview of DoS attack penetration testing

DoS/DDoS Concepts

  • Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resource to its legitimate users
    • Attackers flood a victim system with non-legitimate service requests
  • DDoS attack involves a multitude of compromised systems attacking a single targeted system (botnet)

DoS/DDoS Attack Techniques

  • Basic categories of the attacks
    • Volumetric Attacks: consumes the bandwidth of the target network or service
    • Fragmentation: overwhelms target’s ability of reassembling fragmented packets
    • TCP state-exhaustion attack: consumes connection state table present such as load balancers ,firewalls, app servers
    • Application layer attack: consumes app resources or service making it unavailable to other legitimate users
  • SYN Attack
    • Attacker sends a large number of SYN request to target server
      • Target machine sends back a SYN ACK in response to the request waiting for the ACK to complete session
      • Attacker never sends ack
  • ICMP flood attack: type of DoS where perpetrators send a large number of ICMP packets causing the system to stop responding to legitimate TCP/IP requests
    • To protect yourself: set a threshold limit that invokes a ICMP protection feature
  • Peer to Peer Attack: attackers instruct clients of p2p file sharing hubs to disconnect for their p2p network and connect to victims fake website. Attackers can launch massive DoS attacks and compromise websites
  • Permanent Denial-of-Service Attack: Also known as phlashing, refers to attacks that cause irreversible damage to system hardware
    • Unlike other DoS attacks,, it sabotages the system hardware
  • Application-Level Flood Attack: Application-level flood attacks results in the loss of services
    • Using this attack , attackers exploit weaknesses in programming source code to prevent in the application from processing legitimate requests
  • Distributed Reflection Denial of Service (DRDoS)
    • Also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application

Botnets

  • Bots are software applications that run-automated tasks over the internet
    • A botnet is a huge network of compromised systems and can be used by an attacker to launch a DoS attack
  • Scanning Methods for Finding Vulnerable Machines: Random Scanning, Hit-list scanning, topological scanning, local subnet scanning, permutation scanning
  • DoS and DDoS attack tools
    • LOIC, GoldenEye

Countermeasures

  • Techniques

    • Activity Profiling
      • Increases in activity levels, distinct clusters, average packet rate etc
    • Changepoint detection
      • Filters network traffic by IP addresses, targeted port numbers, stores traffic flow data in a graph that shows the traffic flow rate vs time
    • Wavelet-based signal analysis
      • Analyzes network traffic in terms of spectral components. Divides incoming signal into various frequencies for analyzation

  • DoS/DDoS countermeasure strategies

    • Absorbing the attack (requiring additional resources)
    • Degrading services (identify critical services and stop non-critical)
    • Shutting down the services

  • Deflect Attacks: Honeypots act as an enticement for an attacker. Serve as a means for gaining information about attackers, stores their activities

  • Ingress filtering: protects from flooding attacks. Enables originator be traced to its true source
  • Egress Filtering: scanning packet headers of IP address leaving a network. Ensures unauthorized or malicious traffic never leaves the internal network
  • Mitigate Attack: Load balancing, throttling
  • Post-Attack Forensics
    • Analyze traffic patterns for new filtering techniques, analyze router, firewall, and IDS logs , can update load-balancing and throttling countermeasures

results matching ""

    No results matching ""