CEHv8 Module 10 Denial of Service

D e n ia l o f S e r v ic e
M o d u le 10
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D enialofService
M o d u le 10
E n g in e e re d b y H acke rs. P r e s e n te d b y P ro fe s s io n a ls .
!> C E H
E t h ic a l H a c k i n g
a n d
C o u n t e r m
e a s u r e s
v 8
M o d u le
1 0 :
D e n ia l-o f-S e rv ic e
E x a m
3 1 2 -5 0
M o d u le 1 0 P a g e 1 4 0 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
SecurityN ew s
Hom e I New s
K
m
! !
October 19, 2012
H S B C i s L a t e s t T a r g e t in C y b e r A t t a c k S p r e e
HSBC (HBC) experienced w idespread disruptions to several o f its w ebsites Thursday, becom ing one o f th e highest-profile victim s yet in a series o f attacks by a group claim ing to be allied w ith Islam ic terrorism . "H SBC servers ca m e u n d e r a d e n ia l o f service atta ck w h ich a ffe cte d a n u m b e r o f HSBC w eb sites a ro u n d th e w orld," the London-based banking giant said in a statem ent. "This denial o f service a ttack did not a ffe ct any cu stom er data, but did prevent custom ers using HSBC onlin e services, including internet banking." HSBC said it had the situ ation under co n tro l in the early m orning hours o f Friday London time. The Izzad-D in al-Q assam Cyber Fighters to o k responsibility fo r th e atta ck th at at points crippled users' access to hsbc.com and o th e r HSBC-owned properties on the W eb. The group, w hich has also disrupted the w ebsites o f scores o f o th er banks including J.P. M o rgan Chase (JPM) and Bank o f Am erica (BAC), said the attacks w ill continue until the anti-lslam ic 'Innocence o f M u slim s' film tra ile r is rem oved fro m the Internet
h t t p : / / w w w . f o x b u s i n e s s . c o m
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u r i t y &3>u j s m p p H S B C is
N e w s T a r g e t in C y b e r A t t a c k S p re e
L a te s t
Source: http://www.foxbusiness.com HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism. "HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking." HSBC said it had the situation under control in the early morning hours of Friday London time. The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-lslamic Innocence of Muslims' film trailer is removed from the Internet.
M o d u le 1 0 P a g e 1 4 0 4
In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam. The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country. There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-ofservice attack. Essentially, al-Qassam has leveraged exploits in Web server software to take servers over and then use them as weapons. Once they are taken over, they slam the Web servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.
copyright2012 FOX News Network, LLC

By Adam Samson.
h ttp ://w w w .fo x b u 5 in e s 5 .c o m /in d u s trie s /2 0 1 2 /1 0 /1 9 /h s b c -is -la te s t-ta rg e t-in - c v b e r-a tta c k sp re e/# ix zz2 D 1 4 7 3 9 cA
M o d u le 1 0 P a g e 1 4 0 5
M oduleO bjectives
*
J J W hat Is a Denial of Service Attack? W hat Are D istributed Denial of Service Attacks? Sym ptom s of a DoS Attack DoS Attack Techniques B otnet B otnet Ecosystem B otnet Trojans DD0S Attack Tools ' J J J J DoS Attack Tools Detection Techniques D0S/DD 0S C o u n term easu re J J J J J J
Techniques to Defend against Botnets A dvanced DD0S Protection Appliances D0S/DD 0S Protection Tools Denial of Service (DoS) Attack P enetration Testing
n
J J
M
ta = ,
o d u l e
b j e c t i v e s lo o k s a t v a r i o u s a s p e c ts o f d e n i a l o f s e r v i c e a t t a c k s . T h e a tta c k s . R e a l-w o rld s c e n a rio s a tta c k s a re and c ite d th e to m o d u le s ta rts h ig h lig h t th e to o ls to
1
w ith
= 1
T h is m o d u le
a d is c u s s io n of
o f d e n ia l-o f-s e rv ic e a tta c k s .
im p lic a tio n s
such
D is tr ib u te d
d e n ia l-o f- s e rv ic e
v a rio u s
la u n c h s u c h a tta c k s a re in c lu d e d t o s p o t lig h t t h e te c h n o lo g ie s in v o lv e d . T h e c o u n te r m e a s u r e s fo r p re v e n tin g such a tta c k s a re a ls o t a k e n in to c o n s id e r a tio n . V iru s e s a n d w o rm s a re b rie fly
d is c u s s e d in t e r m s o f t h e i r u s e in s u c h a t t a c k s . T h is m o d u l e w i l l f a m i l i a r i z e y o u w i t h :
2 2
W h a t is a D e n i a l o f S e r v i c e A t t a c k ? W hat A re D is tr ib u te d D e n ia l of
S s s
D D o s A t t a c k T o o ls D e te c tio n T e c h n iq u e s D 0 S /D D 0 S C o u n te rm e a s u re T e c h n iq u e s B o tn e ts to D e fe n d a g a in s t
S e rv ic e A tta c k s ? s s 2
2 2
S y m p to m s o f a DoS A tta c k S DoS A tta c k T e c h n iq u e s B o tn e t B o tn e t E c o s y s te m B o tn e t T ro ja n s D D 0 S A tta c k T o o ls s a
Advanced A p p lia n c e s
DD0S
P ro te c tio n
D 0 S /D D 0 S P r o te c tio n T o o ls D e n ia l of S e rv ic e (D o S ) A tta c k
P e n e tr a tio n T e s tin g
M o d u le 1 0 P a g e 1 4 0 6
E th ica l H a ck in g a n d C o u n te rm e a s u re s
Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
Copyright by E&Cauactl. A ll Rights Reserved. Reproduction is Strictly Prohibited.
o d u l e
F l o w m a n y a tta c k s a re and reso u rce d e s ig n e d la u n c h e d ta rg e tin g o rg a n iz a tio n s in
In t h e th e b a n k in g
p re s e n t In te rn e t w o rld ,
s e c t o r , a s w e l l a s IT s e r v i c e d e n ia l of s e rv ic e )
p ro v id e rs . by
DoS to
(d e n ia l o f s e rv ic e ) a n d b re a c h o rg a n iz a tio n s '
DD0S
(d is trib u te d
w e re
a tta c k e rs
s e rv ic e s .
m m
Dos/DDoS Concepts
D o s /D D o S A t t a c k T o o ls
D o s /D D o S A tta c k T e c h n iq u e s
d p g
C o u n te rm e a s u re s
*
B o tn e ts
p J
/ \^
D o s /D D o S P r o te c tio n T o o ls
D o s /D D o S Case S tu d y
M = 11
D o s /D D o S P e n e tra tio n T e s tin g
T h i s s e c t i o n d e s c r i b e s t h e t e r m s D o S , D D 0 S, t h e w o r k i n g o f D D 0 S, a n d t h e s y m p t o m s o f D o S . I t a ls o ta lk s a b o u t c y b e r c r im in a ls a n d t h e o r g a n iz a t io n a l c h a r t.
M o d u le 1 0 P a g e 1 4 0 7
W A
h t t a
I s
i a
r v i c e
c k ?
h a t
is
e n i a l
o f S e r v ic e
A t t a c k ?
Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests. An Analogy Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.
M o d u le 1 0 P a g e 1 4 0 8
Malicious Traffic
r *
Malicious t r a f f i c takes control overall the available bandwidth

r o
(R
Internet
Router
Attack Traffic
4 m
Regular Traffic
Regular Traffic
QDC^
Server Cluster
Figure 10.1: Denial of Service Attack
M o d u le 1 0 P a g e 1 4 0 9
W o f
h S
r e
D A
i s
t r i b
t e
i a
e r v i c e
t t a
c k s ?
A d i s t r b u t e d den ia l- o f-s e rv ic e (D D o S ) attack invoh/es a m u l t i t u d e o f c o m p r o m is e d syste ms attack rig a single target, t h e r e b y causing d e n 01 o f service f o r users o f t h e t a rg e te d system
To launch a DDoS attack, a n attacker uses b o t n e t s a n d a tta cks a single sy stem
Loss of Goodwil
Disabled Network
Financial Loss
Disabled
Organization
C opyrights
t r fE t C M K l. AJ Rights Reserved. Reprod urtion is S triettf Piohbfted.
g jg g
h a t
A r e
i s t r i b u t e d
e n i a l
o f S e r v ic e
A t t a c k s ?
Source: www.searchsecurity.com A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet. The services under attack are those of the primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-ofservice significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet services in minutes.
M o d u le 1 0 P a g e 1 4 1 0
H S
o e
i s
t r i b A t t a
t e
d W
D o
n r k
i a
f C E H
r v i c e 1 3 1
c k s
.... m
>1
Handler infects a large num ber of com puters over Inte rn et Attacker sets a handler system / ,f
m m m
H andler
C o m p ro m ise d PCs (Zom bies)
o w
i s t r i b u t e d
e n i a l
o f S e r v ic e
A t t a c k s
o r k
In a D D 0 S a t t a c k , t h e t a r g e t b r o w s e r o r n e t w o r k is p o u n d e d b y m a n y a p p l i c a t i o n s w i t h fa k e e x te rio r re q u e s ts th a t m ake th e s y s te m , n e tw o rk , b ro w se r, or s ite s lo w , u s e le s s , and
d is a b le d o r u n a v a ila b le . The a tta c k e r in itia te s th e send a a tta c k b y s e n d in g a c o m m a n d to a g e n u in e to to th e z o m b ie a g e n ts . T h e s e i.e ., th e z o m b ie The
a g e n ts
c o n n e c tio n
re q u e st
c o m p u te r
s y s te m , v ic tim to
r e fle c to r. th e
re q u e s ts s e n t b y th e Thus, th e g e n u in e
z o m b ie
a g e n ts se e m sends th e
be sent by th e
ra th e r th a n th e v ic tim .
z o m b ie s . v ic tim m ay
c o m p u te r w ith
re q u e s te d
in fo rm a tio n se ve ra l
The
m a c h in e
g e ts flo o d e d
u n s o lic ite d
resp o n se s fro m
c o m p u te rs
a t o n c e . T h is
e ith e r re d u c e th e p e rfo rm a n c e o r m a y cause th e v ic tim
m a c h in e to s h u t d o w n .
M o d u le 1 0 P a g e 1 4 1 1
Handler infects a largo number of computers over Internet Attacker sets a handler system & I ; IO
% <*
[Ml N \*
H M
INI M
Zombie systems are instructed
Compromised PCs (Zombies)
Attacker
Q .
u 2
.......j .........0 [0 5 ? < 3 >
Handler
Compromised PCs (Zombies)

FIGURE 10.2: Distributed Denial of Service Attacks
M o d u le 1 0 P a g e 1 4 1 2
S ym p tom sofaD o SA tta ck

U n a v a ila b ility o f a p a rtic u la r In a b ility to access a n y w e b s ite
w e b s ite
D ra m a tic H U n u s u a lly s lo w n e tw o rk p e rfo rm a n ce i n c r e a s e in th e a m o u n t o f s p a m e m a ils rece ive d
Copyright by E&CtuacO. All Rights Reserved Reproduction is Strictly Prohibited.
S y m
p t o m
o f a
D o S
A t t a c k
Based on the target machine, the symptoms of a DoS attack may vary. There are four main symptoms of a DoS attack. They are: Unavailability of a particular website Inability to access any website Dramatic increase in the amount of spam emails received Unusually slow network performance
M o d u le 1 0 P a g e 1 4 1 3
M oduleF low
Copyright by E & C aincil. All Rights Reserved. Reproduction is Strictly Prohibited.
M ^ = 1
o d u l e
F l o w h a v e d is c u s s e d D o S , D D 0 S, s y m p t o m s o f D o S a t t a c k s , c y b e r c r i m i n a l s , a n d
So fa r, w e
t h e o r g a n iz a t io n a l c h a r t o f c y b e r c r im e . N o w it's t i m e t o d is c u s s t h e t e c h n i q u e s u s e d t o p e r f o r m D 0 S /D D 0 S a tta c k s .
a m
D o s /D D o S C o n c e p ts D o s /D D o S A t t a c k T o o ls
B o tn e ts
/* V 5
D o s /D D o S P r o te c tio n T o o ls
D o s /D D o S Case S tu d y i
I n a D o S a t t a c k , t h e v i c t i m , w e b s i t e , o r n o d e is p r e v e n t e d f r o m V a rio u s te c h n iq u e s a re used by th e a tta c k e r fo r la u n c h in g
p r o v id in g s e rv ic e s t o v a lid u s e rs . or D D 0 S a tta c k s on a ta rg e t
DoS
c o m p u t e r o r n e t w o r k . T h e y a r e d is c u s s e d in d e t a i l in t h i s s e c t io n .
M o d u le 1 0 P a g e 1 4 1 4
D oSA ttackT echniques

C l
B a n d w id th A tta cks S e r v ic e R e q u e s t F lo o d s
C E H
Attacker
SYN F l o o d i n g A t t a c k
IC M P F lo o d A t t a c k
P e e r-to -P e e r Attacks
P e r m a n e n t D e n ia l-o f-S e rv ic e A tta c k
J
User
A p p l i c a t i o n - L e v e l F lo o d A t t a c k s
Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S
A t t a c k
T e c h n i q u e s
A denial-of-service attack (DOS) is an attack performed on a networking structure to disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DOS attacks on a computer or a network. They are: Bandwidth Attacks Service Request Floods SYN Flooding Attacks ICM P Flood Attacks Peer-to-Peer Attacks Permanent Denial-of-Service Attacks Application-Level Flood Attacks
M o d u le 1 0 P a g e 1 4 1 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 l1 n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
B andw idthA ttacks

A sin g l e machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers
to flood a victim X
C E H
When a DDoS attack i slaunched, flooding a network, i tcan cause network equipment such as switches and routers ^ to be overwhelmed due to the s i g n i f i c a n ts t a t i s t i c a l change i nthe \ network t r a f f i c
'
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
B a s i c a l l y ,a l l bandwidth i s used and no bandwidth remains for legitimate use
B a n d w
i d t h
A t t a c k s
A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created where an attacker uses several computers to flood a victim. Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use. Attackers use botnets and carry out DDoS attacks by flooding the network with ICM P ECHO packets.
M o d u le 1 0 P a g e 1 4 1 6
An attacker o r group of zom bies a tte m p ts to e x h au st server reso u rces by setting up and tearin g dow n TCP connections
Service re q u e st flood attacks flood servers with a high ra te of connections from a valid source
It initiates a re q u e s t on every connection
Copyright by E&Cauacil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e r v ic e
in 1D5n
R e q u e s t
F l o o d s
Service request floods work based on the connections per second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
Module 10 Page 1417
S Y NA ttack
The atta ck er sends a fa k e TCP SYN requests t o t h e ta rg e t s e rv e r (victim ) The ta rg e t m a ch in e sends back a SYN ACK in response t o t h e r e q u e s t a n d w a its f o r th e ACK t o c o m p le t e t h e session s etup
The ta rg e t m a c h in e does n o t get t h e resp o n se because t h e s o u rce ad d re ss is fa ke
N o te : This attack explo it s th e t h r e e - w a y h a n d s h a k e m e t h o d
S Y N
A t t a c k o f D o S a t t a c k . In t h i s a t t a c k , a n a t t a c k e r s e n d s a s e r i e s o f a c lie n t w a n ts to b e g in a TCP c o n n e c tio n to
A S Y N a t t a c k is a s i m p l e f o r m SYN re q u e s ts t o a ta rg e t m a c h in e
(v ic tim ). W h e n
th e s e rv e r, th e c lie n t a n d th e s e rv e r e x c h a n g e a s e rie s o f m e s s a g e s as fo llo w s : T h e a tta c k e r s e n d s a fa k e TC P SYN re q u e s ts t o t h a t ta r g e t s e rv e r (v ic tim ) T h e t a r g e t m a c h i n e s e n d s b a c k a S Y N A C K in r e s p o n s e t o t h e r e q u e s t a n d w a i t s f o r t h e A C K t o c o m p l e t e t h e s e s s io n s e t u p 0 T h e t a r g e t m a c h i n e n e v e r g e t s t h e r e s p o n s e b e c a u s e t h e s o u r c e ' s a d d r e s s is f a k e
M o d u le 1 0 P a g e 1 4 1 8
S Y NFlooding
J SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-w ay handshake When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK The victim's listen queue is quickly filled up This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
............. ..........
C rt1 fW 4 ItkKjl K mIm
C E H
.......................
Sy/y
N o rm a l co n n e c tio n e s ta b lish m e n t
......................
syN/P,CK
ACK
..... S Y N ..... S Y N ..... S Y N ..... S Y N
<t11
SYN Floo d in g
...................... ................... . ...................... ......................
S Y N
F l o o d i n g
S Y N f l o o d i n g is a T C P v u l n e r a b i l i t y p r o t o c o l t h a t e m e r g e s i n a d e n i a l - o f - s e r v i c e a t t a c k . T h is a tta c k o ccu rs when th e in tru d e r sends u n lim ite d SYN p a c k e ts (re q u e s ts ) to th e host
s y s t e m . T h e p r o c e s s o f t r a n s m i t t i n g s u c h p a c k e t s is f a s t e r t h a n t h e s y s t e m c a n h a n d l e . T h e c o n n e c t i o n is e s t a b l i s h e d a s d e f i n e d b y t h e T C P t h r e e - w a y h a n d s h a k e a s : Q Q 6 W hen H o s t A s e n d s t h e SYN r e q u e s t t o t h e H o s t B H o s t B re c e iv e s t h e SYN r e q u e s t, a n d r e p lie s t o t h e r e q u e s t w it h a S Y N -A C K t o H o s t A
T h u s, H o s t A re s p o n d s w it h th e AC K p a c k e t, e s ta b lis h in g th e c o n n e c tio n Host B re c e iv e s th e SYN re q u e st fro m Host A, it m akes use of th e p a rtia lly open
c o n n e c t io n s t h a t a re a v a ila b le o n t h e lis te d lin e f o r a f e w s e c o n d s , e .g ., f o r a t le a s t 7 5 s e c o n d s . The in tru d e r tra n s m its c lie n t t o in fin ite n u m b e rs fa ls e o f such SYN re q u e s ts w ith a fo rg e d a d d re s s , w h ic h Such n u m e ro u s
a llo w s th e
p ro ce ss th e
a d d re ss e s
le a d in g t o
a m is p e rc e p tio n .
r e q u e s t s c a n p r o d u c e t h e T C P S Y N f l o o d i n g a t t a c k . It w o r k s b y f illin g t h e t a b le r e s e r v e d f o r h a lf open TCP c o n n e c tio n s in t h e o p e ra tin g s y s t e m ' s T C P IP s t a c k . W hen th e ta b le b e c o m e s fu ll, th e ta b le
n e w c o n n e c tio n s c a n n o t be o p e n e d (d u e to handshake
u n til a n d u n le s s s o m e e n tr ie s a re r e m o v e d f r o m be c a rrie d out u s in g fa k e
t i m e o u t ) . T h is a t t a c k c a n
I P a d d r e s s e s , s o i t is
d iffic u lt t o tra c e th e s o u rc e . T h e ta b le o f c o n n e c tio n s ca n b e fille d w it h o u t s p o o fin g th e s o u rc e
M o d u le 1 0 P a g e 1 4 1 9
IP a d d r e s s .
N o rm a lly , th e
space
e x is tin g f o r fix e d
ta b le s , s u c h
as a h a lf o p e n
TCP c o n n e c tio n
t a b l e , is l e s s t h a n t h e t o t a l .
*o r
Host B
Host A
...........
SYN
........
Normal connection establishm ent

.....................
SVN/ACK ...........
ACK
SYN
..........5VN
SYN Flooding
.....................
.............................................................. .... ............................. .......... . ? . .............. .... .......................
FIGURE 10.3: SYN Flooding
M o d u le 1 0 P a g e 1 4 2 0
IC M PF loodA ttack
IC M P is a ty p e o f DoS a tta ck in w h ic h p e rp e tra to rs se n d a large n u m b e r o f p a cke ts w it h fak e s o u rc e a d d re s s e s to a ta rg e t s e rv e r in o rd e r to crash it and ca u se it to stop re s p o n d in g to TCP/IP re q u ests A fte r th e IC M P th re s h o ld is reach ed, th e ro u te r rejects fu rth e r IC M P echo re q u ests fro m all a d d re s se s in th e sa m e s e c u rity zo n e fo r th e re m a in d e r o f th e c u rre n t se co n d and th e next se co n d as w ell
-M a x im u m lim it o f IC M P Echo R eq u ests p e r Second-
* 9
A tta cke r
T h e a tta c k e r sends IC M P EC H O re q u e s ts w ith s p o o f e d s o u rc e a d d re s s e s
ECHO Request
ECHO Request
ECHO Reply
ECHO Request
ECHO Request Legitimate ICMPechorequestfroman address in the same security zone
ii
I C
F l o o d
A t t a c k
Internet Control Message Protocol (ICMP) packets are used for locating network equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the roundtrip time. A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed. In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
M o d u le 1 0 P a g e 1 4 2 1
* ? - ......... &
Attacker
The attacke r sends ICMP ECHO requests w ith spoofed source addresses
Target Server
ECHO Request
ECHO Reply
ECHO Request
ECHO Reply
-M axim um lim it o f ICMP Echo Requests per Second-
ECHO Request
l
ECHO Request
L e g itim a te IC M P e c h o r e q u e st fro m an a d d re s s in th e s a m e s e c u rity zo n e t l
:
,
FIGURE 10.4: ICMP Flood Attack
M o d u le 1 0 P a g e 1 4 2 2
P eer-to-P eerA ttacks

0
J U sin g p e e r-to -p e e r a ttacks, attacke rs in s tru c t c lie n t s o f p e e r-t o -p e e r file sh a rin g h u b s to d isc o n n e c t fro m th e ir p e e r-to -p e e r n e tw o rk a n d to c o n n e c t to th e v ic tim 's fake w e b site J A tta c k e rs e x p lo it fla w s fo u n d in th e n e tw o rk u sin g DC++ (D ire ct C on n ect) p ro to co l, th a t is used fo r s h a rin g all ty p e s o f files b e tw e e n in s ta n t m essa g in g clien ts J
(itilwd 1 ItlMUl IlMhM
E H C
0
U sin g th is m eth o d , attacke rs lau n ch m a ss iv e d e n ia l- o f- s e rv ic e a tta c k s and c o m p ro m is e w e b site s
<d,
User-1
Copyright by E frC o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.
I /
P e e r - t o - P e e r A p e e r-to -p e e r a tta c k
A t t a c k s is o n e f o r m o f D D 0 S a tta c k . In t h i s k in d o f a tta c k , th e a tta c k e r
e x p l o i t s a n u m b e r o f b u g s in p e e r - t o - p e e r s e r v e r s t o fla w s fo u n d in th e n e tw o rk th a t uses DC++
in itia te
a D D 0 S a tta c k . A tta c k e rs e x p lo it p ro to c o l, w h ic h a llo w s th e
( D ire c t
C o n n e c t)
e x c h a n g e o f file s b e t w e e n in s t a n t m e s s a g in g c lie n ts . T h is k in d o f a t ta c k d o e s n 't u s e b o t n e t s f o r th e a tta c k . U n lik e a b o tn e t- b a s e d a tta c k , a p e e r - to - p e e r a tta c k e lim in a te s th e n e e d o f a tta c k e rs t o c o m m u n ic a t e w it h c lie n ts . H e re t h e a tta c k e r in s tru c ts t h e c lie n ts o f p e e r - t o - p e e r f ile s h a r in g hubs to d is c o n n e c t fro m th e ir n e tw o rk and to connect to th e v ic tim 's w e b s ite . W ith th is , in
se ve ra l th o u s a n d th e p e rfo rm a n c e
c o m p u te r s m a y tr y to c o n n e c t to th e ta rg e t w e b s ite , w h ic h ca u se s a d ro p o f th e ta rg e t w e b s ite . These p e e r-to -p e e r a tta c k s can be id e n tifie d
e a s ily
b a s e d o n t h e ir s ig n a tu r e s . U s in g th is m e t h o d , a tta c k e r s la u n c h m a s s iv e d e n ia l- o f- s e r v ic e a tta c k s a n d c o m p r o m is e w e b s ite s .
M o d u le 1 0 P a g e 1 4 2 3
User-5
A t t a c k T ra ffic U se r-4
. . 7
'
u
.........
f iUser-3 t *
User-2
Attacker
User-1
FIGURE 10.5: Peer-to-Peer Attacks
M o d u le 1 0 P a g e 1 4 2 4
Perm anent Denial-of-Service Attack

P erm an en t DoS, also known as phlashing, refers to attacks th a t cause irreversible d am ag e to system h a rd w are
C E H
Unlike o th e r DoS attacks, it sab o ta g e s th e system h ard w are, requiring th e victim to replace o r reinstall th e h ard w are
B r ic k in g a s y s te m m e th o d
1. This attack is carried out using a method known as "bricking a system" 2. Using this method, attackers send fraudulent hardw are updates to the victims
Sends e m a il, IRC chats, tw e e ts , post videos w ith fra u d u le n t c o n te n t fo r h a rd w a re u p d ates
1 ^ 5
Victim
P ro c e s s
A tta c k e r gets access to
A tta c k e r
v ictim 's c o m p u te r
(Malicious code is executed)
Copyright by E & C o i n a l .All Rights Reserved. Reproduction is Strictly Prohibited.
&
0 O
^ P e r m a n e n t D e n ia lo f S e r v ic e A t t a c k
Perm anent denial-of-service (PD0 S) is also know n as plashing. This refers to an attack th a t damages the system and makes the hardw are unusable fo r its original purpose u ntil it is e ith e r replaced or re in stalled . A PD0 S attack exploits security flaws. This allows rem ote a dm in istra tio n on the m anagem ent interfaces o f the victim 's hardw are such as printers, routers, and o th e r n e tw o rkin g hardw are. This attack is carried o u t using a m ethod know n as "b ric k in g a system ." In this m ethod, the a ttacker sends em ail, IRC chats, tw e ets, and posts videos w ith fra u d u le n t hardw are updates to the victim by m o d ify in g and c o rru p tin g the updates w ith vu ln era b ilitie s or d e fe ctive firm w a re . W hen th e victim clicks on the links or pop-up w indow s re ferrin g to the fra u d u le n t h ardw a re updates, th e y get installed on the victim 's system. Thus, th e a tta cke r takes co m plete co n tro l over the v ictim 's system.
M o d u le 1 0 P a g e 1 4 2 5
FIGURE 10.5:
S e n d s e m a il, IRC c h a ts , t w e e t s , p o s t v id e o s w i t h f r a u d u le n t c o n t e n t f o r h a r d w a r e u p d a t e s
A t t a c k e r g e ts a cce ss t o
A tta c k e r
v ic t im 's c o m p u t e r
V ic tim (Malicious code is executed)
FIGURE 10.6: Perm anent Denial-of-Service Attack
M o d u le 1 0 P a g e 1 4 2 6
Application Level Flood Attacks C E H

U rtrfW * itfciul lUilwt
A p p lic a tio n -le v e l flo o d a ttacks re s u lt in th e loss o f services o f a p a rtic u la r n e tw o rk , such as em ails, n e tw o rk resources, th e te m p o ra ry ceasing o f a p p lic a tio n s and services, and m o re
-J
Using th is attack, attackers d e s tro y p ro g ra m m in g source code and file s in affected c o m p u te r system s
Using application-level flood attacks, attackers attempts t o:

Flood web applications to legitimate user tra ffic D isrupt service to a specific system or person, fo r example, blocking a users access by repeating invalid login attempts Jam the applicationdatabase connection by crafting malicious SQL queries
Copyright by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
p p lic a t io n - le v e l
F lo o d
t t a c k s
S o m e D o S a tta c k s r e ly o n s o f t w a r e - r e la t e d e x p lo its s u c h as b u f f e r o v e r flo w s , w h e r e a s m o s t o f th e cause o t h e r k in d s o f D o S a t t a c k s e x p l o i t b a n d w id t h . T h e a t t a c k s t h a t e x p lo it s o f t w a r e in th e a p p lic a t io n , c a u s in g it t o fill th e a tta c k s d is k have space r a p id ly or consum e becom e a ll a v a i l a b l e
c o n fu s io n o r CPU
m e m o ry
c y c le s . A p p l i c a t i o n - l e v e l b u s in e s s o n t h e r e s u l t in
f lo o d
a c o n v e n tio n a l e v e r.
t h r e a t f o r d o in g T h is a t t a c k can
In te rn e t. W e b
a p p lic a tio n
s e c u r i t y is m o r e c r i t i c a l t h a n and r e p u ta tio n
s u b s t a n t i a l lo s s o f m o n e y , s e r v i c e
f o r o r g a n iz a tio n s . be
U s u a l l y , t h e lo s s o f s e r v i c e is t h e i n c a p a b i l i t y o f a s p e c i f i c n e t w o r k s e r v i c e , s u c h a s e m a i l , t o a v a ila b le o r th e te m p o ra ry lo s s o f a ll n e tw o rk c o n n e c tiv ity and s e r v ic e s . U s in g th is
a tta c k ,
a t t a c k e r s d e s t r o y p r o g r a m m i n g s o u r c e c o d e a n d f i l e s in a f f e c t e d c o m p u t e r s y s t e m s . U s in g a p p lic a t io n - le v e l f l o o d a t t a c k s , a t t a c k e r s a t t e m p t t o : F lo o d w e b a p p lic a t io n s , t h e r e b y p r e v e n t i n g l e g i t i m a t e u s e r t r a f f i c . D is r u p t s e rv ic e to a s p e c ific s y s te m or p e rs o n , fo r e x a m p le , b lo c k in g u se r access by
r e p e a t e d in v a lid lo g in a t t e m p t s . Q J a m t h e a p p lic a t io n - d a t a b a s e c o n n e c t io n b y c r a f t in g C P U - in te n s iv e S Q L q u e r ie s .
M o d u le 1 0 P a g e 1 4 2 7
Attackerexploiting application source code
^
A tta c k e r
FIGURE 10 .7 : A p p lic a tio n -le v e l F lo o d A tta c k s
V ic tim
M o d u le 1 0 P a g e 1 4 2 8
o d u le
F lo w have d is c u s s e d D 0 S /D D 0 S c o n c e p ts and D 0 S /D D 0 S a tta c k te c h n iq u e s . A s u s in g b o t n e t s o r z o m b ie s , a g r o u p
So fa r, w e m e n tio n e d
p r e v io u s ly , D o S a n d D D 0 S a tta c k s a re p e r f o r m e d
o f s e c u r it y - c o m p r o m is e d s y s te m s .
a m
D o s / D D o S C o n c e p ts D o s / D D o S A t t a c k T o o ls
D o s / D D o S A t t a c k T e c h n iq u e s
B o t e ts
/s ^ >
D o s / D D o S P r o t e c t i o n T o o ls
D o s /D D o S C ase S tu d y -
D o s / D D o S P e n e t r a t i o n T e s t in g
T h is
s e c t io n
d e s c r ib e s
b o tn e ts ,
as
w e ll
as
t h e ir
p r o p a g a tio n
te c h n iq u e s
and
e c o s y s te m .
M o d u le 1 0 P a g e 1 4 2 9
O r g a n iz e d
Cyber C r im in a ls
C r im e
S y n d ic a t e s
Cyber criminals are increasingly being associated w ith organized crim e syndicates to take advantage o f the ir sophisticated techniques
H ie r a r c h ic a l S e tu p
There are organized groups o f cyber criminals w h o w o rk in a hierarchical setup w ith a predefined revenue sharing model, like a major corporation th a t offers criminal services
P ro c e ss
Organized groups create and re nt bo tnets and offer various services, fro m w ritin g malware, to hacking bank accounts, to creating massive denial-ofservice attacks against any target fo r a price
R e p o rt
According to Verizon's 2012 Data Breach Investigations Report, the m ajority o f breaches were driven by organized groups and almost all data stolen (98%) was the w o rk o f criminals outside the victim organization
M a tte r o f C o n c e rn
The grow ing involvem ent o f organized crim inal syndicates in p o litica lly m o tiva te d cyber w arfare and hactivism is a m atter o f concern fo r national security agencies
C opyright by E&Cauacfl. A ll Rights Reserved. Reproduction is S trictly Prohibited.
r g a n iz e d
r im
S y n d ic a t e s
C yber c rim in a ls have d e v e lo p e d v e ry re fin e d and stylish w ays to use tru s t to th e ir a d van ta g e and to m ake fin a n c ia l gains. C yber c rim in a ls are in cre a sin g ly b eing associated w ith o rg an ized c rim e synd icate s to ta k e a d va n ta g e o f th e ir re fin e d te c h n iq u e s . C yb e rcrim e is n o w g e ttin g m o re o rg a nized . C ybe r c rim in a ls are in d e p e n d e n tly d e v e lo p in g m a lw a re fo r fin a n c ia l gain. N ow th e y o p e ra te in g ro u p s. This has g ro w n as an in d u s try . T here are organized gro u p s o f c y b e r c rim in a ls w h o d e v e lo p plans fo r d iffe re n t kinds o f a tta cks and o ffe r c rim in a l services. O rganized g ro u p s c re a te and re n t b o tn e ts and o ffe r va rio u s services, fro m w ritin g m a lw a re , to a tta c k in g bank a cco un ts, to c re a tin g m assive d e n ia l-o f-s e rv ic e a tta c k s against any ta rg e t fo r a price. The increase in th e n u m b e r o f m a lw a re puts an e xtra load on s e c u rity system s. A c c o rd in g to V e riz o n 's 2010 D ata B reach In v e s tig a tio n s R e p o rt, th e m a jo rity o f breaches w e re d riv e n by orga n ized gro u p s and a lm o s t all data s to le n (70%) w as th e w o rk o f c rim in a ls o u ts id e th e ta rg e t o rg a n iz a tio n . The g ro w in g in v o lv e m e n t o f orga nized c rim in a l s y n d ic a te s in p o litic a lly m o tiv a te d cyb e r w a rfa re and h a c tiv is m is a m a tte r o f co n ce rn fo r n a tio n a l s e c u rity agencies.
M o d u le 1 0 P a g e 1 4 3 0
O r g a n iz e d C y b e r C r im e : O r g a n iz a t io n a l C h a r t
4 ^ - o
A tta c k e rs C rim ew are T o o lk it O w ners T ro ja n D is trib u tio n in L e g itim a te w e b s ite
O
:
Underboss: Trojan Provider and Manager of Trojan Command and Control
q
C a m p a ig n M a n a g e r C a m p a ig n M a n a g e r
t o
#
-
a
n II j r n M
' ^4 4 *'
C a m p a ig n M a n a g e r
# m
+ :
4 * > A ff ilia tio n N e t w o r k
n < A u A
A t t
: *
A ff ilia tio n N e t w o r k
*s A ff ilia tio n N e t w o r k
i r
S to le n D a ta R e s e lle r
Copyright by E&Cauacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
r g a n iz e d
y b e r
r im
e :
r g a n iz a t io n a l
h a r t
C yb e rcrim es are o rg a nize d in a h ie ra rc h ic a l m a n n e r. Each c rim in a l gets paid d e p e n d in g on th e ta sk th a t he o r she p e rfo rm s o r his o r h e r p o s itio n . The head o f th e c y b e rc rim e o rg a n iz a tio n , i.e., th e boss, acts as a business e n tre p re n e u r. He o r she does n o t c o m m it c y b e rc rim e s d ire c tly . The boss is th e firs t in th e h ie ra rc h y level. The person w h o is at th e n e xt level is th e "u n d e rb o s s ." The u n d e rb o ss is th e second person in co m m a n d and m anages th e o p e ra tio n o f cyb e rcrim e s. The "u n d e rb o s s " p ro v id e s th e necessary T ro ja n s fo r atta cks and also m anages th e T ro ja n s c o m m a n d and c o n tro l c e n te r. P eople w o rk in g u n d e r th e "u n d e rb o s s " are kn o w n as "c a m p a ig n m a n a g e rs ." These cam paign m anagers h ire and run th e ir o w n a tta c k cam paigns. T hey p e rfo rm a tta cks and steal data by using th e ir a ffilia tio n n e tw o rk s as d is trib u te d channe ls o f a tta ck. The s to le n data is th e n sold by "re s e lle rs ." These re sellers are n o t d ire c tly in vo lve d in th e c rim e w a re attacks. T h e y ju s t sell th e s to le n data o f g e n u in e users.
M o d u le 1 0 P a g e 1 4 3 1
O
Attackers Crimeware Toolkit Owners Trojan Distribution In Legitimate website
Underboss: Trojan Provider and Manager of Trojan Command and Control
r%
Campaign Manager
r> 1
Campaign Manager
rs
41!
i
Campaign Manager
t o
O u I t '
t o
U * > A r U ; < * < Affiliation Network i 4! v 4 A *Affiliation Network u ;
: u ; ^ * > Affiliation Network " i
-M
6
Stolen Data Reseller Stolen Data Reseller Stolen Data Reseller
FIGURE 10.8: Organizational Chart
M o d u le 1 0 P a g e 1 4 3 2
Botnet
J J Bots a re so ftw are applications th a t run a u to m a te d ta sk s over th e In te rn e t and perform sim ple repetitive tasks, such as w eb spidering and search engine indexing A b o tn e t is a huge n etw ork of th e com prom ised system s and can be used by an in tru d er to c re a te denial-of-service a tta ck s
C E H
Bots connect to C&C handler and w ait fo r instructions
vl
m
Bots attack a target server
Bot Com m and & C o n tro l C e n te r
Attacker sends commands to the bots through C&C
3
Z o m b ie s
Target S e rv e r
Sets a bot C&C handler Bot looks for other vulnerable systems and Infects them to create Botnet a machine
,a f t
A tta c k e r V ic tim (Bot)
Copyright by E&Cauacfl. A ll Rights Reserved. Reproduction is Strictly Prohibited.
The te rm b o tn e t is d e riv e d fro m th e w o rd roB O T N E T w ork, w h ic h is also called zo m b ie a rm y. A b o tn e t is a huge n e tw o rk o f c o m p ro m is e d system s. It can c o m p ro m is e huge n u m b e rs o f m achines w ith o u t th e in te rv e n tio n o f m a ch in e o w n e rs. B o tn e ts co n sist o f a set o f c o m p ro m is e d system s th a t are m o n ito re d fo r a specific co m m a n d in fra s tru c tu re . B o tn e ts are also re fe rre d to as agents th a t an in tru d e r can send to a se rve r system to p e rfo rm som e illegal a c tiv ity . T hey are th e h id d e n p ro g ra m s th a t a llo w id e n tific a tio n o f v u ln e ra b ilitie s . It is a d va n ta g e o u s fo r a tta c k e rs to use b o tn e ts to p e rfo rm ille g itim a te a ctio n s such as s te a lin g s e n s itiv e in fo r m a tio n (e.g., c re d it card n u m b e rs) and s n iffin g c o n fid e n tia l co m p a n y in fo rm a tio n . B o tn e ts are used fo r b o th p o s itiv e and n e g a tiv e purposes. They help in va rio u s useful services such as search e ng in e in d e x in g and w e b s p id e rin g , b u t can also be used by an in tru d e r to cre a te d e n ia l-o f-s e rv ic e attacks. System s th a t are n o t p a tch e d are m o s t v u ln e ra b le to th e se attacks. As th e size o f a n e tw o rk increases, th e p o s s ib ility o f th a t system being v u ln e ra b le also increases. An in tru d e r can scan n e tw o rk ranges to id e n tify w h ic h ones are v u ln e ra b le to a tta c k s . In o rd e r to a tta c k a system , an in tru d e r ta rg e ts m achines w ith Class B n e tw o rk ranges.
Ill
P urp ose o f B o tn e ts : 0 A llo w s th e in tru d e r to o p e ra te re m o te ly .
M o d u le 1 0 P a g e 1 4 3 3
Scans e n v iro n m e n t a u to m a tic a lly , and spreads th ro u g h v u ln e ra b le areas, g a in in g access v ia w e a k p a s s w o rd s and o th e r m eans.
Q Q 6
A llo w s c o m p ro m is in g a h o s t's m a ch in e th ro u g h a v a rie ty o f to o ls . C reates DoS a ttacks. Enables spam a tta cks th a t cause SMTP m ail relays. Enables click fra u d and o th e r illegal a c tiv itie s .
The d ia g ra m th a t fo llo w s sh ow s h o w an a tta c k e r launches a b o tn e t-b a s e d DoS a tta c k on a ta rg e t server.
Bots connect to C&C handler and w a it fo r Instructions
o 2
Bots attack a ta rg e t server
Bot Command & Control Center

A
A ttacker sends commands to the bots through C&C
Target Server
" 6 *
!1
Zombies
Bot looks fo r o th e r vulnerable systems and infects the m to create Botnet
Attacker
Victim (Bot) FIGURE 10.9: BOTNET
In o rd e r to p e rfo rm th is kind o f a tta ck, th e a tta c k e r fir s t needs to cre a te a b o tn e t. For th is p u rp o se , th e a tta c k e r in fe c ts a m a ch in e , i.e., v ic tim b o t, and c o m p ro m is e s it. He o r she th e n uses th e v ic tim b o t to c o m p ro m is e som e m o re v u ln e ra b le syste m s in th e n e tw o rk . Thus, th e a tta c k e r cre ate s a g ro u p o f c o m p ro m is e d system s kn o w n as a b o tn e t. The a tta c k e r c o n fig u re s a b o t co m m a n d and c o n tro l (C&C) c e n te r and fo rce s th e b o tn e t to c o n n e c t to it. The zo m bies o r b o tn e t c o n n e c t to th e C&C c e n te r and w a it fo r in s tru c tio n s . The a tta c k e r th e n sends co m m a n d s to th e bots th ro u g h C&C to la u n c h DoS a tta c k on a ta r g e t s e rv e r. Thus, he o r she m akes th e ta rg e t se rve r u n a va ila b le o r n o n -re s p o n sive fo r o th e r g e n u in e hosts in th e n e tw o rk .
M o d u le 1 0 P a g e 1 4 3 4
Botnet PropagationTechnique
......./ 2 \ ........ C y b e rc rim e R e la te d IT O p e ra tio n s : (Servers, S o ftw a re , and Se rvices)
C E H
O
T ro ja n Crim e w are T o o lk it D ata b a se I C om m and a n d C o n tro l C enter
U-\
A ttackers
.I
(z) i
L e g itim a te C o m p ro m ise d W e b site s
0
/
\
Trojan upload stolen data and receives commands from command and control center
........
M a licio u s A ffilia tio n N e tw o rk
4$ ~
B o t n e t
r o p a g a t io n
T e c h n iq u e
B o tn e t p ro p a g a tio n is th e te c h n iq u e used to hack a syste m an d g ra b tra d a b le in fo r m a tio n fro m it w ith o u t th e v ic tim 's k n o w le d g e . The head o f th e o p e ra tio n s is th e boss o r th e c y b e rc rim in a l. B o tn e t p ro p a g a tio n invo lve s b o th c rim in a l (boss) and a tta cke rs (cam paign m anagers). In th is a tta c k , th e c rim in a l d o e s n 't a tta c k th e v ic tim system d ire c tly ; in ste a d , he o r she p e rfo rm s a tta cks w ith th e he lp o f a tta cke rs. The c rim in a l c o n fig u re s an a ffilia tio n n e tw o rk as d is trib u tio n channe ls. The jo b o f ca m p a ig n m a n a g e rs is to hack and in s e rt re fe re n c e to m a lic io u s code in to a le g itim a te site. The m a licio u s code is usually o p e ra te d by o th e r atta cke rs. W h e n th e m a lic io u s cod e runs, th e cam paign m anagers are paid a cco rd in g to th e v o lu m e o f in fe c tio n s a cco m p lis h e d . Thus, c y b e rc rim in a ls p ro m o te in fe c tio n flo w . The a tta c k e rs serve m a lic io u s code g e n e ra te d by th e a ffilia tio n s to v is ito rs o f th e c o m p ro m is e d sites. A tta c k e rs use c u s to m iz e d c rim e w a re fro m c rim e w a re to o lk its th a t is capable of e x tra c tin g tra d a b le in fo rm a tio n fro m th e v ic tim 's m achine.
M o d u le 1 0 P a g e 1 4 3 5
.0
..
Cybercrime Related IT Operations (Servers, Software, and Services)
Attackers Criminal
Trojan upload stolen data and receives com m ands from
) :
com m and and control center
FIGURE 10.10: Botnet Propagation Technique
M o d u le 1 0 P a g e 1 4 3 6
Botnet Ecosystem
Zero-Day Market Scan & Intrusion Botnet Market Licenses MP3, DivX
C E H
Malicious Site
o '6
Financial Diversion
B o tn e t
Data e f t ----- Theft
Owner
i
DDoS '
Crimeware Toolkit Database
Trojan Command and Control Center
s' \
Client-Side Vulnerab ility^ : Spam : Mass Mailing
Malware Market
B #
Stock Fraud Scams Adverts Copyright by E tC d in c il. All Rights Reserved. Reproduction is Strictly Prohibited.
B o t n e t
E c o s y s t e m
A g ro u p o f c o m p u te rs in fe c te d by bots is called b o tn e t. A b o t is a m a lic io u s p ro g ra m th a t a llo w s c y b e rc rim in a ls to c o n tro l and use c o m p ro m is e d m achines to a ccom plish th e ir o w n goals such as scams, la u n ch in g DDoS a ttacks, d is trib u tin g spam , etc. The a d v e n t o f b o tn e ts led to e n o rm o u s increase in cyb e rc rim e s . B o tn e ts fo rm th e core o f th e c y b e rc rim in a l a c tiv ity c e n te r th a t links and u n ite s v a rio u s pa rts o f th e c y b e rc rim in a l w o rld . C y b e rc rim in a l se rvice su p p lie rs are a p a rt o f c y b e rc rim e n e tw o rk . These su p p lie rs o ffe r services such as m a licio u s code d e v e lo p m e n t, b u lle tp ro o f h o stin g , c re a tio n o f b ro w s e r e x p lo its , and e n c y rp tio n and packing. M a lic io u s co d e is th e m ain to o l used by c rim in a l gangs to c o m m it cyb e rcrim e s. B o tn e t o w n e rs o rd e r b o th b o ts and o th e r m a lic io u s p ro g ra m s such as Trojans, viruses, w o rm s , keyloggers, spe cia lly c ra fte d a p p lic a tio n s to a tta c k re m o te c o m p u te rs via n e tw o rk , etc. M a lw a re services are o ffe re d by d e v e lo p e rs on p u b lic sites o r closed In te rn e t resources. T yp ica lly, th e b o tn e t eco syste m is d iv id e d in to th re e parts, n a m e ly tra d e m a rk e t, DDoS a tta ck, and spam . A b o tm a s te r is th e p erson w h o m akes m o n e y by fa c ilita tin g th e in fe c te d b o tn e t g ro u p s fo r service on th e black m a rk e t. The m a s te r searches fo r v u ln e ra b le p o rts and uses th e m as c a n d id a te z o m b ie s to in fe c t. The in fe c te d zo m b ie s fu r th e r can be used to p e rfo rm DDoS attacks. On th e o th e r hand, spam em ails are se n t to ra n d o m ly chosen users. All these a c tiv itie s to g e th e r g u a ra n te e th e c o n tin u ity o f m a licio u s b o tn e t a c tiv itie s .
M o d u le 1 0 P a g e 1 4 3 7
The p ic to ria l re p re s e n ta tio n o f b o tn e t ecosystem is sh o w n as fo llo w s :

M a licio u s Site Zero-Day M arket
b
B o tn e t
..................... Q
Licenses M P3, DivX
Financial Diversion Data Theft
Emails C&C
Crim ew are Toolkit Database Trojan Command and Control Center
Client-Side Vulnerability
Spam
Redirect
M a s s M a ilin g
DD0S M alw are M arket
S to c k Fraud
M
S ca m s A d v e rts
Extortion
FIGURE 10.11: Botnet Ecosystem
M o d u le 1 0 P a g e 1 4 3 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
Botnet Trojan: Shark

^
-^*harK.3.1 fw b
(rtifwtf itfciul lUilwt
C E H
:h a ,D e & o cP re v ie w [R C -C h a tm b sta
C o m m a n d C o n tro l C e n te r
f j incul BMMC ;5 * Jf ru on Port: 60123 4 0 * i k 3.1 , 1t ccrplcd: ; ,03.3 1 e*gUDdtto<*ocH.. <l- hj|hg_tkto ?1 _ p !o d-> A mW * Stfv*: 127.0 0.1 Sv*J<H*drtfi>W:*27*PM
t1M JnewV m ic n
S ail u p Ifan dF ito s O ao d Jrt rbD cb jx i o fA 5 te d th

. 6 Rrewdl Brass M llw>rvrr ftflv*nc*a Comale
ISe1ver2
1 Lcb*: y ilro l-cvfcccor v fcfrroxirrurr! loqsco of tw in
KByto <0 - Unlmtod
Q> jrn ro r >
Copyright by EC-Gouicil. All Rights Reserved Reproduction is Strictly Prohibited.
B o t n e t
T r o ja n :
s h a r K
S o u r c e : h ttp s ://s ite s .g o o g le .c o in s h a r K is a r e v e r s e - c o n n e c t i n g , f i r e w a l l - b y p a s s i n g r e m o t e a d m i n i s t r a t i o n t o o l w r i t t e n in V B 6 . W it h s h a r k , y o u w ill b e a b le t o a d m in is t r a t e a n y PC ( u s in g W in d o w s O S ) r e m o t e ly . F e a tu re s : 9 9 9 9 9 9 9 m R C 4 e n c ry p te d tr a ffic (n e w & m o d d e d ) z L ib c o m p r e s s e d t r a f f i c H ig h - s p e e d , s t a b l e s c r e e n / c a m K e y lo g g e r w i t h h ig h lig h t f e a t u r e R e m o te m e m o r y e x e c u tio n a n d in je c tio n V E R Y f a s t f ile m a n a g e r / r e g is t r y e d it o r lis t in g d u e t o u n iq u e t e c h n ic A n t i: D e b u g g e r , V m W a r e , N o r m a n S a n d b o x , S a n d b o x ie , V ir tu a lP C , S y m a n t e c S a n d b o x , V ir tu a l B o x 9 9 S u p p o r tin g r a n d o m s ta rtu p a n d ra n d o m s e rv e r n a m e s c C a p tu re
D e s k t o p p r e v i e w in S IN C o n s o le
M o d u le 1 0 P a g e 1 4 3 9
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lM C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
Q 0 Q Q
S o rta b le and c o n fig u ra b le SIN Console R em ote A u to s ta rt M a n a g e r O p tio n a l Fwb++ (Process In je c tio n , API U nhook) F old er m irro rin g
*sharK 3.1 fvb

sftarK Desktop Preview IRC-Chat Website
d d fx
| Country Username | PC N ane
iL W -ita a
l<
| Verson
| Pirq
C o m m a n d
C o n tro l
C e n te r
[5:4S:3S [9 :46 :5 5 [9 :46:38 [9 :46 :3 8 [9 :46 :4 0 [9 :50:25
AN ] Inrfj-atarg C lient... AW] Iw te n rx j on Port: 60123 AH ] sharK 3.1 fw b + + , Last Compiled: 30.03.2008 AN ] Updatecheck... AW] Hew Versicn ovoiloblc: < !- turing cluster_prod > AN ] * New Server: 127.0.0.1 -- Server 1 (Mockers < S >ECC-272FF53AA87)
W o lc o m to i h t i K 3 .1 .0 , H ackors T hi* it n in f o r m a tio n b o x r o fr o s h in g it* c o n t e n t o v a ry 24 h o u r * H a ' y o u will in f o r m a ti o n a b o u t (K trK d * v * lo p m * r tt i t a t ! a n d o th a r r l a ( i t o f fro r d C o d a r c .c o i ( o m ttim M . R e c a ds.
sN 1p*109 and ro ck Z
C o p y rig h t 2 0 0 7 -2 0 0 8 (c ) B o re d C o d e rs.c o m sharK 3.1 fw b + +
New Server - [Server2]
,4 Server Installation
- Startup Instal Everts f t Bind Files Q Blacklist Anti Debugging j Stealth Firewal Bypass d l Liteserver QU Advanced Q Summary Compile
Basic Settings
*5
Server name: Server Password: Connection Interval: |Server2 1plwUyQ|G6q|pl1t4mAD
k.
I
. . . . ............................................................... 4 seconds
1* Enable offline keylogger with maxmum logsue of [i 000
KByte (0 - Unkmted)
SIN-Addr esses: 1 ip Port I Status Add ----------------------- . Delete ( 1 1
Save Current Profile
Test Hosts
1 ___________________________________________________________________________________________________________________________________ 1
FIGURE 10.12: Botnet Trojan: sharK
M o d u le 1 0 P a g e 1 4 4 0
Poison Ivy: Botnet Com m and C ontrol Center
C E H
g M a ia y rP 3 tg o r d 1 js 1 |B d a y| A c I n ^ R :! ! ;P d c fc c iA n a tiz a jR e m o teS W ! kiw;.

DaptyNam u4a
aot
Pi*
Deacflpicr!
>Sjrrfaa1V1ytftBSDfi(VEP
%ACHfC
I..I1 *AM *. %mT9j2
*CHEC M 'Ul are AfO * *. AfcilSfa 4fc/9u2
< D < mccD H DwceDii.. Device Dii Dwce Dii Dwee n.i D*ce Dii Oe*c Dii Owe Dii DMee Dii Shmd Sor Slandaid D< M ca D1I Shotd 5w r> " *r!.1 fiiwco Dii Diwce Dii Dwce Dii
.% >hM- 0 > A # 1 < ttaaOTtOfWOI
AFD Mlv*jVrgSu
AM % ' -.*>onl*.. Alb *IV w rl % AjS* S* Ate 033Kt> * K jfi) At>ftfm\ % :4 f <fcp % ,,. A1J*. fc,iTM6PPCfc,r A1tdc6*v uW > <
C WNK*ANS1*>1}2W M C VWst M tn
rftcliijuti fV*dl i'XIBUil 1 9 !
SUA* STOPPED STOPPED RUNNING STOPPED 51 UlltD STOPPED RUNNING RUNNING STOPPED STWTO) TOPPED STOPPED STOPPED
stopped
Startup Type Dfcdfcd Dk* M Diaetfej D114M Manm l Auiomafo AulsmrfK D1.4M DMM Dlu*M D 1:.:tM M*l di*m Di.a>1 DiNfcM DutUrJ Mm m l A jio rr> a b 3 :1 -. LfcJ Meriml Aulorrrfc Manual 08/3
log on i f
Nl AllTHtlP T- 4cc.< m Nl UTH0n1TY<ioc4S.
....
fV*d1 nftivmh.,
STOPPFD STOI'TCD
stopped
RAS AtyAchKraii
\$>ifcari00i^ jy
DRIVER
f.B fIJ'irV tPi'.W lip.lvl C V*NCO\*S^>wm32^vcl0
ATMARP Ois*PMI D**ee r.ii Manajee ado devi.. Shaied Ssr D vncDii ifload:
STOPPED 51 ST0PPE0 RUNNING STOPPED STOPPED RUNNING RUNNING
! 1 I !
OB/*
IcoafSyttom >
DortoaJi
Copyright by E&Cawcil. All Rights Reserved. Reproduction is Strictly Prohibited.
P o is o n
I v y :
B o t n e t
o m
a n d
o n t r o l
e n t e r
Poison Ivy is an advanced e n c ry p te d "re v e rs e c o n n e c tio n " fo r fire w a ll bypassing re m o te a d m in is tra tio n to o ls . It gives an a tta c k e r th e o p tio n to access, m o n ito r, o r even ta ke c o n tro l o f a c o m p ro m is e d system . Using th is to o l, a tta cke rs can steal passw ords, b a n kin g o r c re d it card in fo rm a tio n , as w e ll as o th e r p e rsonal in fo rm a tio n .
FIGURE 10.13: Poison Ivy: Botnet Command Control Center
M o d u le 1 0 P a g e 1 4 4 1
Botnet Trojan: PlugBot

J J PlugBot is a h a rd w a re b o tn e t p roject It is a covert p en e tra tio n testing device (bot) designed for covert use during physical p e n e tra tio n te s ts
(tt.fwtf
C E H
ttk>l lUikw
PlugBot Statistics
* a rt* o rrc u ic *H M > 0 y o u
http://thephgbot.com
Copyright by H r C u n d l. A ll Rights Reserved. Reproduction isStrictly Prohibited.
B o t n e t
T r o ja n :
P lu g B
o t
Source: h ttp ://th e p lu g b o t.c o m P lugB ot is a h a rd w a re b o tn e t p ro je c t. It's a c o v e rt p e n e tra tio n te s tin g d e vice (b o t) is designed fo r c o v e rt use d u rin g physical p e n e tra tio n te sts. PlugB ot is a tin y c o m p u te r th a t looks like a p o w e r a d a p te r; th is sm all size a llo w s it to go p h y s ic a lly u n d e te c te d all w h ile being p o w e rfu l e n o ug h to scan, c o lle c t, and d e liv e r te s t results e x te rn a lly . S om e o f th e fe a tu re s in c lu d e : 6 e Q Q Issue scan co m m a n d s re m o te ly W ire le ss 8 0 2 .1 1 b ready G ig a b it E th e rn e t capable 1.2 Ghz proce sso r S u p p o rts Linux, Perl, PHP, MySQL o n -b o a rd C o v e rtly disguised as p o w e r a d a p te r C apable o f in v o k in g m o s t Linux-based scan apps and scripts
M o d u le 1 0 P a g e 1 4 4 2
HfliOAOMINIUvtOUw
L O O M (
5 f l5 r lt e
Dashboard
DropZorte
Account
I l f Settings
( ? ) Help
O M ttx M rd
Jobs
Dashboard
B o tn et S ta tis tic s
CM an w w o o s
Cb AddJoto
PlugBot Statistics
Shown oeiow are some aucx suss on your botnet. Statistics Bots: 2 Joas Pending 0 Jo&sComoieted:0 Chock-Ins: 14636
A p p lic a tio n s
1 M ena^A opa
C o AddApo
D ots Q ManagBet<
C6 AcUBot
FIGURE 10.14: B otnet Trojan: PlugBot
M o d u le 1 0 P a g e 1 4 4 3
Botnet Trojans: Illusion Bot and r cu NetBot Attacker ----P*ss *ten

P ks ****
1| Hotf 10001 * ho* 10001
P<r 6667Chtr * * tn Pa! 6667 O ar
PW P*
P+
Sort14 port SocAiVpart FTP p1
*R a n d o m .r n 0 e2 0 0 1
t o d * * port
0 p a s s w o r d
t A'*l 0 " * * IRCchaM *
MD5C.**
1 n r_
dV*
' < * ^ 2 ^ " * * / ** -
* -!*
Abou
r 0
^
s*
Copyright by E t C o in o l. All Rights Reserved. Reproduction is Strictly Prohibited.
B o t n e t M
l j
T r o ja n s : B o t
I llu s io n
B o t
a n d
e t B o t
t t a c k e r
I llu s io n
Source: h ttp ://w w w .te a m fu rr y .c o m Illu sio n B ot is a G UIt.

F e a tu re s :
Q e e e e e 0 0
C&C can be m anaged o v e r IRC and HTTP Proxy fu n c tio n a lity (Socks4, Socks5) FTP service M D 5 s u p p o rt fo r passw ords R o o tk it C ode in je c tio n C olored IRC messages XP SP2 fire w a ll bypass DDOS c a p a b ilitie s
M o d u le 1 0 P a g e 1 4 4 4
Illusion Maker
Binary
CADocuments and S sitings\W nuA P 460** cron^BOTBIMARV EXE
Reload Pass 4lesl Pass: 4iest
IRC Administration 1) Host: 1 0 0 0 1 2) Host: 100.0.1 WEB Administration 1) Host: 10 2) Host: 1C Default services: Socks4, port v Socks5, pat FTP. port IRC Access BOT PASSWORD Options v Install Kernel Driver Save cervices state in registry Loloied IRC messages Auto OP admm on IRC channel * ln!ect code fit dnve< falsi + Ada to autoload * IRC serve! need passwotd / B>pas$ X P SP2 Fewall FkwU Valuer About qwerty MD5 Crypt R R R * Random, range: Bmdshefl. port: 2001 R 3000 Port Port: Path Path A Refresh time: j Port: 6667 Port: 6667 Chan Behan Chan Behan
sec.
E m(
Save
FIGURE 10.15 Illusion Maker

N e tB o t A tta c k e r
N e tB o t a tta c k e r has a s im p le W in d o w s user in te rfa c e to c o n tro l b o tn e ts . A tta cke rs
use it fo r c o m m a n d in g and re p o rtin g n e tw o rk s , even fo r co m m a n d attacks. It has tw o RAR file s; one is INI and th e o th e r one is a s im p le EXE. It is m o re p o w e rfu l w h e n m o re bots are used to a ffe c t th e servers. W ith th e he lp o f a b o t, a tta cke rs can e x e c u te o r d o w n lo a d a file , o p e n c e rta in w e b pages, and can even tu rn o ff all PCs.
(P
H tO M U m tckm I 4 l a i M > >
>1
On lin e h o s ts PC IP
Attack Area
Co Hed iv e o rd e r
U se help M em ory [S e rv k e e d itio n
jC om putef!system W io d o w tX P
1m m
!;*
*onfai pcrfSOwHeh t
h 0 i> wrw?
0ON
J PC 0 *
F IG U R E 1 0 .1 6 : N e t B o t A t t a c k e r
M o d u le 1 0 P a g e 1 4 4 5
Copyright by E & C a in c i. A ll Rights Reserved. Reproduction is Strictly Prohibited.
o d u le
F lo w
So fa r, w e have discussed D 0 S /D D 0 S concepts, a tta c k te c h n iq u e s , and b o tn e ts . For b e tte r u n d e rs ta n d in g o f th e a tta c k tra je c to rie s and to fin d possible w ays to lo ca te atta ck e rs, a fe w DD 0 S case stu d ie s are fe a tu re d here.
a m
B o tn e ts
/* V 5
D o s /D D o S C ase S tu d y i
This s e ctio n h ig h lig h ts som e o f re a l-w o rld scenarios o f DD 0 S attacks.
M o d u le 1 0 P a g e 1 4 4 6
DDoS Attack
H a ckers a d v e rtise LOIC to o l o n T w itte r, F aceb oo k, G o o g le , etc. V o lu n te e r
Copyright by E C -C a in d . A ll Rights Reserved. Reproduction is Strictly Prohibited.
D D o S
t t a c k
In a DDoS a tta c k , a g ro u p o f c o m p ro m is e d syste m s usually in fe c te d w ith T rojans are used to p e rfo rm a d e n ia l-o f-s e rv ic e a tta c k on a ta rg e t system o r n e tw o rk resource. The fig u re th a t fo llo w s show s h o w an a tta c k e r p e rfo rm s a DDoS a tta c k w ith th e he lp o f an LOIC to o l.
M o d u le 1 0 P a g e 1 4 4 7
(ft
Anonym ous Hacker
A ttacker Releases Low O rbit Ion Cannon (LOIC) Tool on the W eb
V olu nte e rs connect to IRC channel and w ait for instruction from a ttacker
Volunteer
e
DDoS Attack o Volunteer Hackers advertise LOIC tool on Tw itter, Facebook, Google, etc. Volunteer ! *
FIGURE 10.17: DDoS Attack
M o d u le 1 0 P a g e 1 4 4 8
DDoS Attack Tool: LOIC

fh is t o o l w a s u s e d t o b r in g d o w n P a y p a l a n d m a s t e r c a r d w e b s it e s
Low O b it Ion Cannon | U dun goofed | v. 1 J .D 5
M M
H CE
IU mjI NM hM
IC 3I
RC server Port Cnannel 9 FUCKWGHfVc UNO
1,'anujl Mode for pussies!

URL
f j i ::
- 2 . Rea<iy?--------------
r 1 Select your target---------------------------------www.davenD 0 rtV 0ns.c 01n
Stop flooding
v ! y
8 5 . 1 1 6 . 9 . 8 3
3 Attack o tf n t -------------------------------------------------------------------------------------------------Trneout HTTP Scbsle ZX Append ranJom chars to the URl 4000 /119/ TCP / U0P message U dun goofed
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP g 10 80 *Vat for rep*y --------------------- 1 faster Speed slower > Port Method Threads
tile
Connectong 9
Requestrg
Cowntoadng
Downloaded 419
Requested 419
Faded 9
Copyright by E&Cainci. A ll Rights Reserved. Reproduction is Strictly Prohibited
D D o S
V
t t a c k
T o o l:
L O
I C
LOIC is an o p e n source to o l, w r itte n in C#. The m ain pu rp o se o f th e to o l is to c o n d u c t stress te s ts o f w e b a p p lic a tio n s , so th a t th e d e ve lo p e rs can see h o w a w e b a p p lic a tio n behaves u n d e r a h e a v ie r load. O f course, a stress a p p lic a tio n , w h ic h could be classified as a le g itim a te to o l, can also be used in a DDoS a tta c k. LOIC basically tu rn s th e c o m p u te r's n e tw o rk c o n n e c tio n in to a fire h o u s e o f g a rb a g e req ue sts, d ire c te d to w a rd s a ta rg e t w e b server. On its o w n , one c o m p u te r ra re ly g e n e ra te s e n o u g h TCP, UDP, o r HTTP re q u e sts a t once to o v e rw h e lm a w e b s e rv e r garbage re qu ests can easily be ig n o re d w h ile le g it re q u e s ts fo r w e b pages are re sp o n d e d to as n o rm a l. B ut w h e n th o u s a n d s o f users run LOIC a t once, th e w a ve o f re quests b e co m e o v e rw h e lm in g , o fte n s h u ttin g a w e b se rve r (o r one o f its co n n e c te d m achines, like a database server) d o w n c o m p le te ly , o r p re v e n tin g le g itim a te re q u e sts fro m being a n sw e re d . LOIC is m o re fo cu se d on w e b a p p lic a tio n s ; w e can also call it an a p p lic a tio n -b a s e d DOS a tta c k . LOIC can be used on a ta rg e t site by flo o d in g th e s e rv e r w ith TCP packets, UDP packets, o r HTTP re q u e sts w ith th e in te n tio n o f d is ru p tin g th e service o f a p a rtic u la r host.
M o d u le 1 0 P a g e 1 4 4 9
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lin C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
FIGURE 10.18: DDoS Attack Tool: LOIC
M o d u le 1 0 P a g e 1 4 5 0
H ackers Advertise Links to Download Botnet
C E H
G o u g le
jfr _
sM sgS S S sasK si
- r - lS
'
% Si!Z*5LmaL O C *** * Copyright by E W io unci. A ll Rights Reserved. Reproduction is Strictly Prohibited.
a c k e r s
d v e r t is e
L in k s
to
o w
n lo a d
B o t n e t s
M o d u le 1 0 P a g e 1 4 5 1
FIGURE 10.19: Hackers Advertise Links to Download Botnets
M o d u le 1 0 P a g e 1 4 5 2
Copyright by E & C a in c i. A ll Rights Reserved. Reproduction is Strictly Prohibited.
o d u le
F lo w
So fa r, w e have discussed th e D 0 S /D D 0 S concepts, a tta c k te c h n iq u e s , b o tn e ts , and th e re a l-tim e sce n a rio s o f DDoS. The D 0 S /D D 0 S atta cks discussed so fa r can also be p e rfo rm e d w ith th e help o f to o ls . These to o ls m ake th e a tta c k e r's jo b easy.
a m
|i
B o tn e ts
/* V 5
D o s /D D o S C ase S tu d y I
This s e ctio n lists and describes v a rio u s D 0 S /D D 0 S a tta c k to o ls .
M o d u le 1 0 P a g e 1 4 5 3
DoS Attack Tools

DoSHTTP 2.5.1 Rle Optxxtt Help S o c k e ts o ft.n e t
(crtifwd
H cE
IU mjI Km Im
[Evaluation Mode]
X J
D oSH TTP
H T T P F lo o d D e n ia l o f S e r v ic e ( D o S ) T e s tin g T o o l T a ig e t U R L
3
Status:
M o z a /6 0 (compatible; MSIE 7.0a; W indows N T 5.2; S V1) "]
Connecting to 118.215.252.59:80... [ 1174 OK Peak: 74
Connected: Connect:
S o c k e ts
R equests jConhnuou' V e iify U R L | S to p Flood | C lose |
Disconnect: Multisystem TCP Denial of Service Attacker [Build #12]
Requests 1
Responses 0
Coded by Yarix (yarix@lut.by)
httpV/Varix bv ru/
DoS H TTP
S p ru t
In te r n e t
T a rg e t S e rv e r
Copyright by E&Caunc!. A ll Rights Reserved. Reproduction is Strictly Prohibited.
D o S
t t a c k
T o o ls
D o S
H T T P
Source: h ttp ://w w w .s o c k e ts o ft.n e t DoSHTTP is HTTP flo o d d e n ia l-o f-d e rv ic e (DoS) te s tin g s o ftw a re fo r W in d o w s . It inclu d e s URL v e rific a tio n , HTTP re d ire c tio n , and p e rfo rm a n c e m o n ito rin g . It uses m u ltip le a s y n c h ro n o u s s o cke ts to p e rfo rm an e ffe c tiv e HTTP flo o d . It can be used s im u lta n e o u s ly on m u ltip le c lie n ts to e m u la te a d is trib u te d -d e n ia l-o f-s e rv ic e (DD 0 S) a tta ck. It also a llo w s yo u to te s t w e b se rve r p e rfo rm a n c e and e v a lu a te w e b s e rv e r p ro te c tio n s o ftw a re .
F e a tu re s :
Q Q Q Q Q
S u p p o rts HTTP re d ire c tio n fo r a u to m a tic page re d ire c tio n It in clud e s URL v e r ific a tio n th a t displays th e response h e a d e r and d o c u m e n t It in clud e s p e rfo rm a n c e m o n ito rin g to tra c k re q u e sts issued and responses received It a llo w s cu sto m iz e d User A g e n t h e a d e r fie ld s It uses m u ltip le a s y n c h ro n o u s sockets to p e rfo rm an e ffe c tiv e HTTP flo o d It a llo w s user d e fin e d so cket and re q u e s t se ttin g s
M o d u le 1 0 P a g e 1 4 5 4
It s u p p o rts n u m e ric add re ssing fo r ta rg e t URLs

DoSHTTP 2.5.1
-
S o cke tso ft.n e t
[ E v a lu a t io n M o d e ]
xJ
file Options Help

D o S H T T P
H T T P F lo o d D e n ia l o f S e r v ic e ( D o S ) T e s t in g T o o l
Target URL____________________________________________ 1192.168.168.97 User Agent lMozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1J S ockets |500
lQ D S C * m*T
21
Close
nttf
R equests | (Continuous
Verify URL | Stop Flood | http //w w w
Running..
Requests: 1 FIGURE 10.20: DoS HTTP
Responses: 0
S p ru t
S prut is a m u ltis y s te m TCP d e n ia l o f service a tta c k e r.
jJ in i- x J Hostnam e or IP-address:
Start
Stop
www. juggy boy.com

Port: [8 0 Status: Connected: Connect: Disconnect: Threads: [2 0
Reset
C onnecting to 118.215.252.59:80 ... 1174 OK N o error Peak: 1174
B S
Multisystem TCP Denial of Service A tta cke r [Build 8 12] Coded by Yarix (yarix@ tut.by) http:/Aatix b v.ru /
FIGURE 10.21: Sprut
M o d u le 1 0 P a g e 1 4 5 5
DoS Attack Tools

( C o n t d )
g d tM e wG oC a p ln tra!: a7 2 .1 1 O m s: I
UrtifwJ
C E H
ilhiul lUtbM
_1J
_ !lh
2 1
0 8 1 8 21 6 5 .2 8 9 7 1 71 9 2 .1 6 8 .1 6 8 .7 0 8 1 8 31 6 5 .2 8 9 8 3 81 9 2 .1 6 6 .1 6 8 .7 0 8 1 8 41 6 5 .2 8 9 9 6 8 192.1 6 8 .1 6 8 .7 0 8 1 8 51 6 5 .2 9 0 0 9 0 192.1 6 8 .1 6 8 .7
08186 165.290211 192.168.168.7
192.16a.1 6 8 .3 2 192.1 6 a. 1 6 8 .3 2 1 9 2 .1 6 4 .1 6 8 .3 2 1 9 2 .1 6 6 .1 6 8 .3 2
192.164.168. 32
0 8 1 8 81 6 5 .2 9 0 4 0 31 9 2 .1 6 8 .1 6 8 .7 0 8 1 8 91 6 5 .?9 0 S ?3 1 9 2 .1 6 8 .1 6 8 .7 0 8 1 9 01 6 5 .2 9 0 7 3 3 192.1 6 8 .1 6 8 .7
08191 16S. 290776 08192 165.290896 192.168.168.7 192.168.168.7
1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2
192.168.168.32 192.168.168. 32
m
Your V:
0 8 1 9 41 6 5 .? 9 1 0 9 1 0 8 1 9 51 6 5 .2 9 1 2 1 0 0 8 1 9 61 6 5 .2 9 1 3 3 0 08197 165.291452 0 8 1 9 81 6 5 .2 9 1 5 8 2
1 9 ?. 1 6 8 .1 6 4 .7 1 9 2 .1 6 8 .1 6 8 .7 192.1 6 8 .1 6 4 .7 192.168.168 .7 192.1 6 8 .1 6 8 .7
192.164.168. 32 192.168.168. 32
1 9 2 .1 6 4 .1 6 8 .3 ? 1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2
|:n fo source port: 17795 D estination po F rag m en ted ip protocol (proto-uop F rag m en ted ip protocol (p ro co -u o p F rag m en ted IPprotocol (p ro to = U D P F rag m en ted ip protocol (p ro to = D 0 P frag m en ted IP protocol (p ro to -U O * * Source p o rt: 17795 D estin atio n po F rag m en ted ip protocol (proto -u o p F rag m en ted IPprotocol (proto-uop F rag m en ted IP protocol (p ro to = U O P F rag m en ted IP protocol (p ro to = U 0 P F rag m en ted IP protocol (p ro to -U O P source p o rt: 17706 t*s tlfw i1 0 n po F rag m en ted ip protocol (p ro to u o * > F rag m en ted IPprotocol (p ro to * u 0 P F rag m en ted ip protocol (p ro to = U O P
.\ss5tt1:i . DecwfcnKeyi...
<D0ntO03you!eNnub)
!: idr ! tne DoS attack, please wall utille the browser 1 0
? 1 rram e6 1 5 1 4 :4 1 5 3 b y tes, o nw ire (l?ll? blis). 1 5 1 4b y te;, captured (l?ll? bit) I- kth erret 1 1 . src: fclU egro 22:2d:if (00:2J:ll:22:2d:5f). ust: D e ll_fd:8 6 :6 3 (8 4:ba:db:fd:8 6 :6 3 ) I internet P rotocol, src: 192.1 6 8 .1 6 8 .7 (192.168.168.7). U S t: 1 9 2 .1 0 8 .1 6 8 .3 2 (1 9 2.168.168.32) |v iD ata (1 4 8 0 bytes) > 0 0 0 4 b *d b fd 8 66 30 02 5 1 12 216 5 f0 80 04 50 0 ........... ..c.ft ..t. >010 05 dc ab 21 22 2b 80 11 96 4b cO a4 48 07 cO a8 .K............ > 0 2 0 * 8 2 0 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 .X XXXXXX XXXXXXXX > 0 3 0 5 8 S B 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 4 5 8 5 8 5 8 5 8 X X X X X X X X X X X X X X X > 0 4 0 5 8 5 85 85 85 85 85 85 8 5 85 85 85 45 85 85 85 8 XXXXXXXX XXXXXXXX I^ K * C :tM > 1 A > 0 -:\> e c ^ a lo c jrr 1> V ~P * x ts :d G 2 /to C c w w r i:6 0 2 /6 3 M a r k e d :0 fre p p e d :9 5 3 T r a ffic a t V ic t im M a c h in e
PH P D oS
Copyright by E&Caunci. A ll Rights Reserved. Reproduction Is Strictly Prohibited.
D o S
t t a c k
T o o ls
( C
o n t d )
P H P
D o S
Source: h ttp ://c o d e .g o o g le .c o m This s c rip t is a PHP s c rip t th a t a llo w s users to p e rfo rm DoS (d e n ia l-o f-s e rv ic e ) attacks against an IP /w e b s ite w ith o u t any e d itin g o r s p e c ific k n o w le d g e .
M o d u le 1 0 P a g e 1 4 5 6
xJe
Your IP: IF Time (Dont DoS yourself nub) ort
iK s a a s ia L ^ ftii
Alter initiating the DoS attack, please wait while the browser loads
FIGURE 10.22: PHP DoS
M o d u le 1 0 P a g e 1 4 5 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C O U I lC il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
DoS Attack Tools

( C o n t d )
C E H
(itifw tf| tlfc itjl IlM k M
Copyright by EC-Cooncfl. A ll Rights Reserved Reproduction is Strictly Prohibited.
D o S
t t a c k
T o o ls
( C
o n t d )
J a n id o s
FIGURE 10.23: Janidos
M o d u le 1 0 P a g e 1 4 5 8
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lin C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
S u p e rn o v e
!supernova 5
Single targe( Port
1
Typical F rs t F;rT .:.vr [ Load I Q
Save
La ned
Discomect
Random P o c ts |
H arvest
Remove
Speed Speed
1
I
'
Remove
Multiple
Hub Harvester
1 0 BEHSI MSW I I
M M M M
Replace hubs on d o se replace hubs on errors r orbid Scanner log abuse nbuiid Scanner
23 Q S3
Debug connections Jetxtg replaces .ebug actions Debug User number
=1 I:I :1 I:I
jQ Debug socket errors
j Assign socks for every hub in the list Q
Search
j i;1 --r
]Produced by ]3/24/2009 [3/?4y?r0Q) CPU ________IRir<*11 .- r . 4 . I . * r <..H 7 * 2400 CmdLme
*'*^
FIGURE 10.24: Supernove
M o d u le 1 0 P a g e 1 4 5 9
DoS Attack Tools

( C o n t d )
(rtifwd
C E H
itkitjl
*It
T tfa rt< * 0
Try* 03 T rct *rct
H h *
* *t * '' I , [ p
! n* * *s [am *mlfH fAdlMM ! p ucw s i n 4 ! s & : r 85 TCT n }05 [~ 4 t _________ [051TC7 4^ O e iT C T ^_n -j.,.
J* * * * * 11*! %tt%ck ___ fOilcrw *
as
JVXf 103
U * 1 . ~u, itlKt U .C M 4 a.
ft."
, 0 ,* IB 1 "
k //** t (e1 W 1W 1 2 3 | ; tt> //** tw et < <WtK 1 * 123
tw j 1 0 : fc.
]* <T W .U1
.
t o t w t t K i l l r *l*ct tk t U i l 4 W lM t4M 111M 4>l TW*10
icn
" ,
Tr<t . . . < .!
U *,?nrsffs *. -. i i ./ m IL n
u u
* * 4 .
* ^ . i* 1 ' * a s s s _:a1 C h in e se C o m m e rc a ^
n |Y O O oS T ool
D o S
t t a c k
T o o ls
( C
o n t d )
C o m
e r c ia l C h in e s e
D IY
D D o S
T o o l
Figure 10.25: Commercial Chinese DIY DDoS Tool
M o d u le 1 0 P a g e 1 4 6 0
B a n g la D o s
Mom
cW N u
Oo to a s t
Yarn >tc rrr
b c iM M
UM C m t
k r tO ta o *
C D
SI
< 'f l
Hack Clarify
R^R
)O S (7) % > * * * * * * (4) ( T i m ( ) 7 )7(
ft> wyiogyn <4) xnoMM0 ) (iMm 10 tack )5(

m c Mnux ) 1 6 ( we d i mow ! ) nem % )5 ( n M !1) o n ln ond oflkrw M t u f y (S) apocoftng v rt*m % (11) p m w o rd rocowonot (?) p t w o f q O ) (MK*w n p c n o v f (3) c ) ** 1( w w ie p d ip ro o y < )em< rH ( )K w w iefs nm um% (1j tM re H entd )4 ( *) m ! s )1 )4 ( * oftware cracks ( t l ) oom <w o tf Mm f t ( *
00
S * c u r * y o u r b lo g r u n n i n g o n W o r d p r 10 14 PU A rte l t * S n r r J t
11 2
)2 (
tips and tricks FIGURE 10.26: BanglaDos
M o d u le 1 0 P a g e 1 4 6 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 l1 n C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
DoS Attack Tools

(C o n ttt)
C E H
D o S
t t a c k
T o o ls
( C
o n t d )
D o S
FIGURE 10.27: DoS
M o d u le 1 0 P a g e 1 4 6 2
e g a
D D o S
A tta c k
FIGURE 10.28: Mega DDoS Attack
M o d u le 1 0 P a g e 1 4 6 3
Copyright by E&Caincfl. A ll Rights Reserved. Reproduction is Strictly Prohibited.
A
*"2
o d u le
F lo w
So fa r, w e have discussed th e D 0 S/D D 0 S concepts, va rio u s th re a ts associated w ith th is
kind o f a tta c k , a tta c k te c h n iq u e s , b o tn e ts , and to o ls th a t help to p e rfo rm D 0 S/D D 0 S a ttacks. All th e s e to p ic s focu s on te s tin g y o u r n e tw o rk and its resources against D oS /D D oS v u ln e ra b ilitie s . If th e ta rg e t n e tw o rk is v u ln e ra b le , th e n as a pen te s te r, you should th in k a b o u t d e te c tin g and a p p ly in g possible w ays o r m e th o d s to secure th e n e tw o rk .
1 --1
J D o s / D D o S C o n c e p ts
D o s / D D o S A t t a c k T o o ls
c K * J
S *
B o tn e ts
aa
D o s /D D o S C ase S tu d y D o s / D D o S P e n e t r a t i o n T e s t in g
M o d u le 1 0 P a g e 1 4 6 4
This se ctio n describes v a rio u s te c h n iq u e s to d e te c t D 0 S /D D 0 S v u ln e ra b ilitie s and also h ig h lig h ts th e re sp e c tiv e c o u n te rm e a s u re s .
M o d u le 1 0 P a g e 1 4 6 5
D e tectio n te c h n iq u e s a re based on id e n tify in g and d is c rim in a tin g th e ille g itim a t e tra ffic in cre a se an d fla sh even ts fro m le g itim a te packet tra ffic
A ll d e te ctio n te c h n iq u e s d e fin e an atta ck as an a b n o rm a l and n o tic e a b le d e v ia tio n fro m a th re s h o ld o f n o rm a l n e tw o rk tra ffic sta tistics
A c t i v i t y P r o f ilin g
W a v e le t - b a s e d S ig n a l A n a ly s is
C h a n g e p o in t D e t e c t io n
Copyright by E&Caincfl. A ll Rights Reseivei.Rejproduction is Strictly Prohibited.
e t e c t io n
T e c h n iq u e s
M o s t o f th e DDoS to d a y are ca rrie d o u t by a tta c k to o ls , b o tn e ts , and w ith th e he lp o f o th e r m a licio u s p ro g ra m s. These a tta c k te c h n iq u e s e m p lo y va rio u s fo rm s o f a tta c k pa cke ts to d e fe a t d efe nse system s. A ll th e se p ro b le m s to g e th e r lead to th e re q u ire m e n t o f d efense system s fe a tu rin g v a rio u s d e te c tio n m e th o d s to id e n tify a tta c k s . The d e te c tio n te c h n iq u e s fo r DoS a tta cks are based on id e n tify in g and d is c rim in a tin g th e ille g itim a te tr a ffic increases and flash e ve n ts fro m le g itim a te p a c k e t tr a ffic . T he re are th re e kinds o f d e te c tio n te c h n iq u e s : a c tiv ity p ro filin g , c h a n g e -p o in t d e te c tio n , and w a v e le t-b a s e d signal analysis. All d e te c tio n te c h n iq u e s d e fin e an a tta c k as an a b n o rm a l and n o tic e a b le d e v ia tio n fro m a th re s h o ld o f n o rm a l n e tw o rk tr a ffic statistics.
M o d u le 1 0 P a g e 1 4 6 6
Activity Profiling
r
An attack is indicated by: An increase in activity levels among clusters e An increase in the overall num ber of distinct clusters (DDoS . attack)
It is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields y
A c tiv ity p ro file is o b ta in e d by m o n ito rin g th e n e tw o rk packet's h e a d e r in fo rm a tio
c t iv it y
r o f ilin g
T yp ica lly, an a c tiv ity p ro file can be o b ta in e d by m o n ito r in g h e a d e r in fo r m a tio n o f a n e tw o rk packet. An a c tiv ity p ro file is d e fin e d as th e average p a cke t ra te fo r n e tw o rk flo w . It consists o f c o n s e c u tiv e p a c k e ts w ith s im ila r p acket fie ld s. The a c tiv ity level o r average packet ra te o f flo w is d e te rm in e d by th e elapsed tim e b e tw e e n th e c o n s e c u tiv e p a cke ts. The sum o f average p acke t rate s o f all in b o u n d and o u tb o u n d flo w s gives th e to ta l n e tw o rk a c tiv ity . If you w a n t to analyze in d iv id u a l flo w s fo r all possible UDP services, th e n you sh ould m o n ito r on th e o rd e r o f 264 flo w s because in c lu d in g o th e r p ro to c o ls such as TCP, ICMP, and SNMP g re a tly c o m p o u n d s th e n u m b e r o f possible flo w s . This m ay lead to h ig h -d im e n s io n a lity p ro b le m . This can be avo id e d by c lu s te rin g th e in d iv id u a l flo w s e x h ib itin g s im ila r ch a ra cte ristics. The sum o f c o n s titu e n t flo w s o f a c lu s te r d e fin e s its a c tiv ity level. in d ic a te d by: 0 An increase in a c tiv ity levels a m o n g clu ste rs An increase in th e o v e ra ll n u m b e r o f d is tin c t clu ste rs (DDoS a tta ck) Based on th is co n c e p t, an a tta c k is
M o d u le 1 0 P a g e 1 4 6 7
W avelet-based Signal Analysis

W avelet analysis describes an input signal in term s of \ sp ectral c o m p o n en ts
CE H
W avelets provide for co n cu rren t tim e and freq u en cy description
Analyzing each spectral w indow 's energy d eterm in es th e p resen ce of anom alies
They d ete rm in e th e tim e at which certain frequ en cy c o m p o n en ts a re p re se n t
a v e le t - b a s e d
S ig n a l A
n a ly s is
W a v e le t analysis describes an in p u t signal in te rm s o f sp e ctra l c o m p o n e n ts . It p ro v id e s a glo ba l fre q u e n c y d e s c rip tio n and no tim e lo ca liza tio n . W a ve le ts p ro v id e fo r c o n c u rre n t tim e and fre q u e n c y d e s c rip tio n s . This m akes it easy to d e te rm in e th e tim e a t w h ic h c e rta in fre q u e n c y c o m p o n e n ts are p re se n t. The in p u t signal co n ta in s b o th tim e -lo c a liz e d a n o m a lo u s signals and b a ckg ro u n d noise. In o rd e r to d e te c t th e a tta c k tra ffic , th e w a v e le ts s e p a ra te th e se tim e -lo c a liz e d signals and th e noise c o m p o n e n ts . The presence o f a n o m a lie s can be d e te rm in e d by a nalyzing each sp e ctra l w in d o w 's energy. The a n o m a lie s fo u n d m ay re p re s e n t m is c o n fig u ra tio n o r n e tw o rk fa ilu re , flash events, and atta cks such as DoS, etc.
M o d u le 1 0 P a g e 1 4 6 8
Sequential Change-Point Detection

Change-point detection algorithms isolate a traffic statistic's change caused by attacks
C E H
S e q u e n t ia l
h a n g e - P o in t
e t e c t io n
S e q ue n tia l c h a n g e -p o in t d e te c tio n a lg o rith m s segregate th e a b ru p t changes in tra ffic s ta tis tic s caused by a ttacks. This d e te c tio n te c h n iq u e in itia lly filte rs th e ta rg e t tra ffic data by p o rt, address, and p ro to c o l and sto res th e re s u lta n t flo w as a tim e series. This tim e series can be co n sid e re d as th e tim e -d o m a in re p re s e n ta tio n o f a c lu s te r's a c tiv ity . The tim e series show s a s ta tis tic a l change a t th e tim e th e DoS flo o d in g a tta c k begins. Cusum is a c h a n g e -p o in t d e te c tio n a lg o rith m th a t o p e ra te s on c o n tin u o u s ly slam ped data and re q u ire s o n ly c o m p u ta tio n a l re so u rce s and lo w m e m o ry v o lu m e . The Cusum id e n tifie s and localizes a DoS a tta c k by id e n tify in g th e d e v ia tio n s in th e actual versus e xp e cte d local average in th e tim e series. If th e d e v ia tio n is g re a te r th a n th e u p p e r b o u n d , th e n fo r each t,im e series sa m p le , th e C usum 's re cu rsive s ta tis tic increases. U n d e r n o rm a l tra ffic flo w c o n d itio n th e d e v ia tio n lies w ith in th e b o u n d and th e Cusum s ta tis tic decreases u n til it reaches zero. Thus, th is a lg o rith m a llo w s y o u to id e n tify a DoS a tta c k o n se t by a p p ly in g an a p p ro p ria te th re s h o ld against th e Cusum s ta tis tic .
M o d u le 1 0 P a g e 1 4 6 9
DoS/DDoS Counterm easure Strategies

A b s o r b in g th e A tta c k Q U se a d d it io n a l c a p a c ity t o a b s o r b a t ta c k ; it r e q u ir e s p re p la n n in g 9 It r e q u ir e s a d d it io n a l re s o u rc e s D e g r a d in g S e r v ic e s I d e n t if y c r itic a l s e r v ic e s a n d s to p n o n c r it ic a l s e r v ic e s _
C E H
S h u ttin g D o w n th e S e r v ic e s S h u t d o w n a ll t h e s e r v ic e s u n t il t h e a t t a c k h a s s u b s id e d
D o S /D D o S
o u n t e r m
e a s u r e
S t r a t e g ie s
T here are th re e ty p e s o f c o u n te rm e a s u re stra te g ie s ava ila b le fo r D 0 S/D D 0 S attacks:

A b s o rb th e a tta c k
Use a d d itio n a l c a p a c ity to abso rb th e a tta c k th is re q u ire s p re p la n n in g . It re q u ire s a d d itio n a l resources. O ne disa d va n ta g e associated is th e cost o f a d d itio n a l resources, even w h e n no a tta cks are u n d e r w ay.
D e g ra d e s e r v ic e s
If it is n o t possible to keep y o u r services fu n c tio n in g d u rin g an a tta ck, it is a good idea to keep a t least th e c ritic a l se rvices fu n c tio n a l. For th is , fir s t you need to id e n tify th e c ritic a l services. Then yo u can c u s to m iz e th e n e tw o rk , system s, and a p p lic a tio n designs in such a w a y to d e g ra de th e n o n c ritic a l se rvices. This m ay he lp yo u to keep th e critic a l services fu n c tio n a l. If th e a tta c k load is e x tre m e ly heavy, th e n you m ay need to d is a b le th e n o n c ritic a l services in o rd e r to keep th e m fu n c tio n a l by p ro v id in g a d d itio n a l ca p a city fo r th e m .
S h u t d o w n s e r v ic e s
S im ply s h u t d o w n all services u n til an a tta c k has subsided . T hough it m ay n o t be an o p tim a l choice, it m ay be a rea son a b le response fo r som e.
M o d u le 1 0 P a g e 1 4 7 0
DDoSAttack Countermeasures C E H
P ro tect seco n d ary victims
P revent p o ten tial a tta ck s
M itigate a tta ck s
D D o S
t t a c k
o u n t e r m
e a s u r e s
T h ere are m a ny w ays to m itig a te th e e ffe c ts o f DDoS a tta c k s . M a n y o f th e se s o lu tio n s and ideas help in p re v e n tin g c e rta in aspects o f a DDoS a tta ck. H o w e ve r, th e re is no single w a y th a t a lo n e can p ro v id e p ro te c tio n against all DDoS a ttacks. In a d d itio n , a tta c k e rs are fre q u e n tly d e v e lo p in g m an y n e w DDoS a tta cks to bypass each n e w c o u n te rm e a s u re e m p lo y e d . Basically, th e re are six c o u n te rm e a s u re s against DDoS a ttacks: P ro te c t se co n d a ry ta rg e ts N e u tra liz e h a n d le rs P re ve n t p o te n tia l a tta cks D e fle c t atta cks M itig a te a tta cks P o st-a tta c k fo re n s ic s
M o d u le 1 0 P a g e 1 4 7 1
DoS/DDoS Counterm easures: Protect SecondaryVictims

I n s t a ll a n t i- v ir u s a n d a n t i- T r o ja n s o f t w a r e a n d k e e p t h e s e u p -to -d a te
C E H
A n in c r e a s e d a w a r e n e s s o f s e c u r it y is s u e s a n d p r e v e n t io n t e c h n iq u e s f r o m a ll I n t e r n e t u s e rs
D is a b le u n n e c e s s a r y s e r v ic e s , u n in s t a ll u n u s e d a p p lic a t io n s , a n d s c a n a ll t h e f ile s r e c e iv e d f r o m e x t e r n a l s o u rc e s
C o n f ig u r a t io n a n d r e g u la r u p d a t e s o f b u i l t - i n d e f e n s iv e m e c h a n is m s in t h e c o r e h a r d w a r e a n d s o f t w a r e o f t h e s y s te m s
D o S /D D o S V ic t im s
o u n t e r m
e a s u r e s :
P r o t e c t
S e c o n d a r y
In d iv id u a l Users P o te n tia l se co n d a ry v ic tim s can be p ro te c te d fro m DDoS a ttacks, th u s p re v e n tin g th e m fro m b e c o m in g zom bies. This d e m a n d s in te n s ifie d s e c u rity aw areness, and th e use o f p re v e n tio n te c h n iq u e s . If a tta c k e rs are u n a b le to c o m p ro m is e s e c o n d a ry v ic tim s system s and seco n d a ry v ic tim s fro m b eing in fe c te d w ith DDoS, c lie n ts m u s t c o n tin u o u s ly m o n ito r th e ir o w n se cu rity. C hecking sh ou ld be ca rrie d o u t to ensure th a t no a g e n t p ro g ra m s have been in s ta lle d on th e ir system s and no DDoS a g e n t tr a ffic is se n t in to th e n e tw o rk . In s ta llin g a n tiv iru s and a n ti-T ro ja n s o ftw a re and k e e p in g th e se u p d a te d helps in th is regard, as does in s ta llin g s o ftw a re patches fo r n e w ly d isco ve re d v u ln e ra b ilitie s . Since th e se m easures m ay a p p e a r d a u n tin g to th e average w e b s u rfe r, in te g ra te d m a c h in e rie s in th e core p a rt o f c o m p u tin g system s (h a rd w a re and s o ftw a re ) can p ro v id e p ro te c tio n against m a lic io u s code in s e rtio n . This can co n s id e ra b ly red u ce th e risk o f a se co n d a ry system being c o m p ro m is e d . A tta c k e rs w ill have no a tta c k n e tw o rk fro m w h ic h to launch th e ir DDoS attacks. N e tw o rk S ervice P ro v id e rs Service p ro v id e rs and n e tw o rk a d m in is tra to rs can re s o rt to d yn a m ic p ric in g fo r th e ir n e tw o rk usage so th a t p o te n tia l seco n d a ry v ic tim s be co m e m o re a ctive in p re v e n tin g
M o d u le 1 0 P a g e 1 4 7 2
th e ir c o m p u te rs fro m b e c o m in g p a rt o f a DDoS a tta ck. P roviders can charge d iffe re n tly as p e r th e usage o f th e ir resources. This w o u ld fo rc e p ro v id e rs to a llo w o n ly le g itim a te c u s to m e rs o n to th e ir n e tw o rk s . A t th e tim e w h e n prices fo r services are changed, th e p o te n tia l s e co n d a ry v ic tim s w h o are paying fo r In te r n e t access m ay be co m e m o re c o g n iza n t of d a n g e ro u s tra ffic , and m ay do a b e tte r jo b of e n su rin g th e ir n o n p a rtic ip a tio n in a DDoS a ttack.
M o d u le 1 0 P a g e 1 4 7 3
DoS/DDoS Counterm easures: E H Detect and Neutralize H andlers C

N e u tr a liz e B o t n e t H a n d le r s S p o o fe d S o u rc e A d d re s s
Study of communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler
There are usuallyfew DDoS handlers deployed as compared to the number of agents Neutralizinga few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks
T here is a good probability th a t th e spoofed so u rce a d d re ss of DDoS attack packets will n o t re p re se n t a valid so u rce a d d re ss of th e specific sub-n etw o rk
\
Copyright by E&Caunc!. A ll Rights Reserved. Reproduction is Strictly Prohibited
D o S /D D o S H a n d le r
o u n t e r m
e a s u r e s :
e t e c t
a n d
e u t r a liz e
The DDoS a tta c k can be s to p p e d by d e te c tin g and n e u tra liz in g th e h a n d le rs , w h ic h are in te rm e d ia rie s fo r th e a tta c k e r to in itia te a ttacks. Finding and s to p p in g th e ha n d le rs is a q uick and e ffe c tiv e w a y o f c o u n te ra c tin g ag ainst th e a tta ck. This can be d o n e in th e fo llo w in g ways: S tu d yin g th e c o m m u n ic a tio n p ro to c o ls and tr a ffic p a tte rn s b e tw e e n ha n d le rs and clie n ts o r h a n d le rs and agents in o rd e r to id e n tify n e tw o rk nodes th a t m ig h t be in fe c te d w ith a h a n d le r. T he re are u su a lly a fe w DDoS h a n d le rs d e p lo ye d as co m p a re d to th e n u m b e r o f agents, so n e u tra liz in g a fe w h a n d le rs can possibly re n d e r m u ltip le agents useless. Since agents fo rm th e co re o f th e a tta c k e r's a b ility to spread an a tta ck, n e u tra liz in g th e ha n d le rs to p re v e n t th e a tta c k e r fro m using th e m is an e ffe c tiv e s tra te g y to p re v e n t DDoS a tta c k s .
M o d u le 1 0 P a g e 1 4 7 4
DoS/DDoS Counterm easures: Detect Potential Attacks

E g r e s s F ilt e r in g
C E H
In g r e s s F ilte r in g
9 Protects from flooding attacks which originate from the valid prefixes (IP addresses) It enables the originator to be traced to its true
TC P In te rc e p t
e ConfiguringTCP Intercept prevents DoS attacks by intercepting and validating theTCP connection requests
D o S /D D o S A t t a c k s
o u n t e r m
e a s u r e s :
e t e c t
o t e n t ia l
To d e te c t o r p re v e n t a p o te n tia l DDoS a tta c k th a t is being la u nche d, ingress filte rin g , engress filte rin g , and TCP in te rc e p t can be used.
In g r e s s f ilt e r in g
Ingress filte r in g d o e s n 't o ffe r p ro te c tio n against flo o d in g a tta c k s o rig in a tin g fro m valid p re fixe s (IP addresses); ra th e r, it p ro h ib its an a tta c k e r fro m la u n ch in g an a tta c k using fo rg e d source addresses th a t do n o t o b e y ingress filte r in g ru le s. W h e n th e In te rn e t service p ro v id e r (ISP) aggregates ro u tin g a n n o u n c e m e n ts fo r m u ltip le d o w n s tre a m n e tw o rk s , s tric t tra ffic filte r in g m u s t be a p p lie d in o rd e r to p r o h ib it tr a ffic o rig in a tin g fro m o u ts id e th e aggregated a n n o u n c e m e n ts . The ad van ta ge o f th is filte rin g is th a t it a llo w s tra c in g th e o rig in a to r to its tru e source, as th e a tta c k e r needs to use a va lid and le g itim a te ly re a c h a b le source address.
E g re s s F ilte r in g
In th is m e th o d o f tr a ffic filte rin g , th e IP p a cke t heade rs th a t are leaving a n e tw o rk are in itia lly scanned and checked to see w h e th e r th e y m e e t c e rta in c rite ria . O nly th e packets th a t pass th e c rite ria are ro u te d o u ts id e o f th e s u b -n e tw o rk fro m w h ic h th e y o rig in a te d ; th e packets
M o d u le 1 0 P a g e 1 4 7 5
w h ic h d o n 't pass th e c rite ria w ill n o t be sent. T here is a good p o s s ib ility th a t th e source addresses o f DDoS a tta c k packets w ill n o t re p re s e n t th e source address o f a va lid user on a sp e cific s u b -n e tw o rk as th e DDoS a tta cks o fte n use sp o o fe d IP addresses. M a n y DDoS packets w ith s p o o fe d IP addresses w ill be d iscarded, if th e n e tw o rk a d m in is tra to r places a fire w a ll in th e s u b -n e tw o rk to f ilt e r o u t any tr a ffic w ith o u t an o rig in a tin g IP address fro m th e su b n e t. Egress filte r in g ensures th a t u n a u th o riz e d o r m a licio u s tra ffic n e ve r leaves th e in te rn a l n e tw o rk . If a w e b se rve r is v u ln e ra b le to a z e ro -d a y a tta c k kn o w n o n ly to th e u n d e rg ro u n d hacker c o m m u n ity , even if all a va ila b le patches have been a p p lie d , a se rve r can still be v u ln e ra b le . H o w e ve r, if egress filte r in g is e n a b le d , th e in te g rity o f a system can be saved by d is a llo w in g th e se rve r to e stab lish a c o n n e c tio n back to th e a tta c k e r. This w o u ld also lim it th e e ffe ctive n e ss o f m a n y payload s used in c o m m o n e x p lo its . This can be achieved by re s tric tin g o u tb o u n d e xpo su re to th e re q u ire d tr a ffic o n ly, th u s lim itin g th e a tta c k e r's a b ility to c o n n e c t to o th e r system s and gain access to to o ls th a t can e n a b le fu r th e r access in to th e n e tw o rk .
T C P In te r c e p t
------------
TCP in te rc e p t is a tr a ffic filte rin g fe a tu re in te n d e d to p ro te c t TCP servers fro m a TCP
S Y N -flooding a tta c k , a kind o f d e n ia l-o f-s e rv ic e a tta ck. In a S Y N -flo o d in g a tta c k , th e a tta c k e r sends a huge v o lu m e o f re q u e sts fo r c o n n e c tio n s w ith u n re a ch a b le re tu rn addresses. As th e addresses are n o t reachable , th e c o n n e c tio n s c a n n o t be e sta b lish e d and re m a in u n re so lve d . This huge v o lu m e o f u n re s o lv e d o p e n c o n n e c tio n s o v e rw h e lm s th e se rve r and m ay cause it to d e n y service even to va lid req u ests. C o n se q u e n tly, le g itim a te users m ay n o t be able to c o n n e c t to a w e b s ite , access em a il using FTP se rvice , and so on. For th is reason, th e TCP in te rc e p t fe a tu re is in tro d u c e d . In TCP in te rc e p t m o d e , th e s o ftw a re in te rc e p ts th e SYN packets se n t by th e c lie n ts to th e server and m a tch es w ith an e x te n d e d s o ftw a re access list. If th e m a tch is fo u n d , th e n on b e h a lf o f th e establishe s a c o n n e c tio n w ith th e c lie n t. S im ila r to th is, th e d e s tin a tio n se rve r, th e
s o ftw a re also esta blishe s a c o n n e c tio n w ith th e d e s tin a tio n se rve r on b e h a lf o f th e c lie n t. Once th e tw o h a lf c o n n e c tio n s are e s ta b lis h e d , th e s o ftw a re c o m b in e s th e m tra n s p a re n tly . Thus, th e TCP in te rc e p t TCP in te rc e p t c o n n e c tio n . s o ftw a re p re v e n ts s o ftw a re acts as a th e fa k e c o n n e c tio n a tte m p ts fro m re a ch in g th e server. The m e d ia to r b e tw e e n th e se rve r and th e c lie n t th ro u g h o u t th e
M o d u le 1 0 P a g e 1 4 7 6
DoS/DDoS Counterm easures: Deflect Attacks
C E H --
System s th a t have o n ly p a rtia l s e c u rity and can act as a lu re fo r a tta cke rs are called
h o n e y p o ts . This is re q u ire d so th a t th e a tta cke rs w ill a tta c k th e h o n e y p o ts and th e actual system w ill be safe. H o n e y p o ts n o t o n ly p ro te c t th e a ctual system fro m a tta cke rs, b u t also keep tra c k o f d e ta ils a b o u t w h a t th e y are a tte m p tin g to a cco m p lish , by s to rin g th e in fo rm a tio n in a re c o rd th a t can be used to tra c k th e ir a c tiv itie s . This is useful fo r g a th e rin g in fo r m a tio n re la te d to th e kinds o f attacks b eing a tte m p te d and th e to o ls b eing used fo r th e attacks. R ecent research reveals th a t a h o n e y p o t can im ita te all aspects o f a n e tw o rk in c lu d in g its w e b servers, m ail servers, and clie n ts. This is d o n e to gain th e a tte n tio n o f th e DD 0 S a tta cke rs. A h o n e y p o t is designe d to a ttra c t DDoS a tta c k e rs , so th a t it can in sta ll th e h a n d le r o r an a gent code w ith in th e h o n e y p o t. This stops legal system s fro m being c o m p ro m is e d . In a d d itio n , th is m e th o d g ra n ts th e o w n e r o f th e h o n e y p o t a w a y to keep a re co rd o f h a n d le r a n d /o r a gent a c tiv ity . This k n o w le d g e can be used fo r d e fe n d in g against any fu tu re DDoS in s ta lla tio n attacks. T he re are tw o d iffe r e n t ty p e s o f h o n e y p o ts : L o w -in te ra c tio n h o n e y p o ts H ig h -in te ra c tio n h o n e y p o ts
An e x a m p le o f h ig h -in te ra c tio n h o n e y p o ts are h o n e yn e ts. H oneyne ts are th e in fra s tru c tu re ; in o th e r w o rd s , th e y s im u la te th e c o m p le te la y o u t o f an e n tire n e tw o rk o f c o m p u te rs , b u t th e y
M o d u le 1 0 P a g e 1 4 7 7
are designed fo r th e pu rp o se o f "c a p tu rin g " attacks. The goal is to d e v e lo p a n e tw o rk w h e re in all a c tiv itie s are c o n tro lle d and tra c k e d . This n e tw o rk co n ta in s p o te n tia l v ic tim decoys, and th e n e tw o rk even has real c o m p u te rs ru n n in g re a l a p p lic a tio n s .
K F S e n s o r
Source: h ttp ://w w w .k e y fo c u s .n e t KFSensor acts as a h o n e y p o t to a ttra c t and d e te c t hackers and w o rm s by s im u la tin g v u ln e ra b le system services and T rojans. By a c tin g as a decoy server, it can d iv e r t a tta c k s fro m c ritic a l system s and p ro v id e a h ig h e r level o f in fo rm a tio n th a n can be achieved by using fire w a lls and NIDS a lo n e. The scre e n s h o t o f KFSensor P ro fe s s io n a l is sh o w n as fo llo w s :
KFSensor Professional - Evaluation Trial
File < , View 9 j Scenario 4 i Signatures : t; Y Settings Help i : a Start o ( &
! = ID
Duration
\ Pro... UDP UDP UDP UDP UDP UDP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP Sens... 49270 65260 58278 138 138 N am e UOP Packet UOP Packet UOP Packet NBT Datagram... NBT Datagram... DHCP Client TCP Connection UOP Packet sunrpc sunrpc sunrpc Port Scan War... NBT Datagram... UOP Packet UOP Packet DHCP NBT Datagram... NBT Datagram... DHCP NBT Datagram... NBT Datagram... DHCP Visitor W 1ndows 8 W 1ndows 8 W 1ndows 8 Windows 8 W 1ndows 8 Received |99]u[80 0( h (02 80 00 (E0M 80 0C NBT DGRfi NBT DGR (0 2 0 1 0 6 0 (1 7 0 3 0 1 0 1(80 80 0 0 Pt(FO8C0< Pt(F08C 01 Pt(F08C 01 Possible P NBT DG ftf 2(94 80 00 (C4)L(800I DHCP: Bo< NBT DGFtfl NBT
k fs e m o r * 3 TCP ^
k x a lh m t
M ain Sc a
0 Closed TCP Ports FTP
22 < y 21
3
10/ 10/2012 1a 11 K)6 A.^ 10/ 10/2012 10:11:05A...

10/10/2012 10:1105 A ~ 10/10/2012 10:1105 A .10/10/2012 10:1105 A .10/10/2012 10:10:51 A... 10/10/2012 1005:49 A .10/10/2012 10:10:33 A 10/10/2012 10:10:32 A .10/10/2012 10:10:27 A... 10/10/2012 10:10^2 A .10/10/2012 10:10:22 A...
0.000 0.000 0.000 0.000 0.000 0.000

232413
J 2 1
20
19
25 SMTP
S3 53 DNS J
68
# 1 8 9 1 7
DHCP
68
1041 63120
1000.1
ni*in-f125.1e100.... W1N-2N9STOSGIEN WIN-2N9STOSG1EN W1N-2N9STOSGIEN W1N-2N9STOSGIEN WIN-2N9STOSGIEN W1N-2N9ST OSGIEN W1N-2N9STOSGIEN W IN -2N9ST OSGIEN WIN-2N9STOSGIEN W1N-MSSELCK4K41 W1N-MSSELCK4K41 WIN-MSSELCK4K41 WIN-MSSELCK4K41 W1N-MSSELCK4K41 W1N-MSSELCK4K41
110 POP3 119 NNTP I t t MS W C - W 139 NBT Session Service
G
$ A A
16 15 14 13
0000 0.000 0.000 0.000 0.000 0000 0.000 0000 0.000 0.000 0000 0.000 0000 0.000 0.000
M
g
J ^
111 111 111 111

138 54140 60681 67 138 138 67 138 138 67
389 LDAP 443 HTTPS
12
/'1 1
9 1 0
g Hi NBT SMB t w j 593 CIS g $ J g ^ j ^ < [ I f t i i M S CIS - t n t 1060 s o c k s 1433 S a Server 2234 Directplay 3128 IIS Proxy 3268 Global Catalog Sef 3389 Term inal Server 5000 MS Uni Plug and P .. 5357 W eb Services for D ...v
hi
10/ 10/2012
10:10:06A.-
0 9 0 8 $7
9 6 9 5 3 4 9 3 9 2 jjl
10/10/2012 1009:59 A._ 10/10/2012 1009:58 A .10/10/2012 H O f t S I A...
10/ 10/2012
U H :23 A ...
10/10/2012 1009:13 A .10/10/2012 1 0 0 8 0 4 A .10/10/2012 1(H)3.-03 A .10/10/2012 1O 02:54A .-
DGRfi
DHCP: Bor NBT DOR* NBT
DORA
10/ 10/2012
1002:16 a . -
DHCP: Bor >
>
<1
1
Server Running Visitor* 11 Events: 39/39
FIGURE 10.29: kfsENSOR
M o d u le 1 0 P a g e 1 4 7 8
DoS/DDoS Counterm easures: M itigate Attacks

1 ))(7( L o a d B a la n c in g T h r o t t lin g
C E H
P roviders can increase th e b a n d w id th o n c ritic a l con n e ctio n s to p re v e n t th e m fro m g o in g d o w n in th e e v e n t o f an a tta c k R eplica ting servers can p ro v id e a d d itio n a l fa ils a fe p ro te c tio n Balancing th e load to each server in a m u ltip le -s e rv e r a rc h ite c tu re can im p ro v e b o th n o rm a l pe rfo rm a n c e s as w e ll as m itig a te th e effects o f a DDoS a tta c k
This m e th o d sets up ro u te rs th a t access a server w ith logic to a d ju s t (th ro ttle ) in co m in g tra ffic to levels th a t w ill be safe fo r th e server to process
This process can p re v e n t flo o d dam age to servers
This process can be e xte n d e d to th r o ttle DDoS a tta c k in g tra ffic versus le g itim a te user tra ffic fo r b e tte r results
D o S /D D o S
o u n t e r m
e a s u r e s :
it ig a t e
t t a c k s
T h ere are tw o w ays in w h ic h th e D 0 S /D D 0 S a tta cks can be m itig a te d o r sto p p e d . They are:
L o a d B a la n c in g
B a n d w id th p ro v id e rs can increase th e ir b a n d w id th in case o f a DDoS a tta c k to p re v e n t th e ir servers fro m going d o w n . A re p lic a te d s e rv e r m o d e l can also be used to m in im iz e th e risk. R e p lic a te d servers he lp in b e tte r load m a n a g e m e n t and e n h a n cin g th e n e tw o rk 's p e rfo rm a n c e .
U
tra ffic .
T h r o ttlin g
M in -m a x fa ir s e rv e r-c e n tric ro u te r th r o ttle s can be used to p re v e n t th e servers fro m
g o ing d o w n . This m e th o d e nables th e ro u te rs in m anaging heavy in c o m in g tr a ffic so th a t th e se rve r can h a n d le it. It can also be used to filte r le g itim a te user tr a ffic fro m fa ke DDoS a tta c k
T h ough th is m e th o d can be c o n s id e re d to be in th e e x p e rim e n ta l stage, n e tw o rk o p e ra to rs are im p le m e n tin g s im ila r te c h n iq u e s o f th r o ttlin g . The m a jo r lim ita tio n w ith th is m e th o d is th a t it m ay trig g e r false alarm s. S o m e tim e s, it m ay a llo w m a lic io u s tr a ffic to pass w h ile d ro p p in g som e le g itim a te tra ffic .
M o d u le 1 0 P a g e 1 4 7 9
Post-Attack Forensics
DDoS attack tra ffic patterns can help the netw ork adm inistrators to develop new filte rin g techniques fo r preventing it fro m entering or leaving their networks
C E H
Analyze router, firew all, and IDS logs to identify the source o f the DoS tra ffic. Although attackers generally spoof the ir source addresses, an IP trace back w ith the help o f interm ediary ISPs and law enforce m ent agencies may enable to book the perpetrators
Traffic p a tte rn analysis: Data can be analyzed post-attack - to look fo r specific characteristics w ithin the attacking tra ffic
<
Using these characteristics, data can be used fo r updating load-balancing and th ro ttlin g countermeasures
P o s t - A t t a c k
F o r e n s ic s
'
S o m e tim e s by pa ying a lo t o f a tte n tio n to th e s e c u rity o f a c o m p u te r o r n e tw o rk ,
m a lic io u s hackers m anage to b rea k in to th e system . In such cases, one can u tiliz e th e p o sta tta c k fo re n s ic m e th o d to g e t rid o f DDoS a tta c k s .
T r a ffic P a tte r n A n a ly s is
D u ring a DDoS a tta c k , th e tra ffic p a tte rn to o l stores p o s t-a tta c k data th a t can be analyzed fo r th e special c h a ra c te ris tic s o f th e a tta c k in g tra ffic . This data is h e lp fu l in u p d a tin g load b a lan cin g and th r o ttlin g c o u n te rm e a s u re s to enhance a n ti-a tta c k m easures. DDoS a tta c k tr a ffic p a tte rn s can also he lp n e tw o rk a d m in is tra to rs to d e v e lo p n e w filte rin g te c h n iq u e s th a t p re v e n t DDoS a tta c k tr a ffic fro m e n te rin g o r leaving th e ir n e tw o rk s . Needless to say, analyzing DDoS tr a ffic p a tte rn s can help n e tw o rk a d m in is tra to rs to ensu re th a t an a tta c k e r c a n n o t use th e ir servers as a DDoS p la tfo rm to b reak in to o th e r sites. Analyze ro u te r, fire w a ll, and IDS logs to id e n tify th e source o f th e DoS tra ffic . A lth o u g h a tta cke rs g e n e ra lly s p o o f th e ir source addresses, an IP tra c e b a c k w ith th e help o f in te rm e d ia ry ISPs and la w e n fo rc e m e n t agencies m ay en a b le b o o k in g th e p e rp e tra to rs .
M o d u le 1 0 P a g e 1 4 8 0
R u n
th e
Z o m
b ie
Z a p p e r T o o l
W h e n a c o m p a n y is u n a b le to ensure th e s e c u rity o f its servers and a DDoS a tta c k begins, th e n e tw o rk IDS (in tru s io n d e te c tio n system ) no tice s a high v o lu m e o f tra ffic
th a t in d ic a te s a p o te n tia l p ro b le m . In such a case, th e ta rg e te d v ic tim can run Z o m b ie Z a p p e r to s to p th e system fro m b eing flo o d e d by packets. T he re are tw o ve rsio n s o f Z o m b ie Z a p p e r. One runs on UNIX, and th e o th e r runs on W in d o w s system s. C u rre n tly , Z a p p e r T o o l acts as a d efense m e ch a n ism against T rin o o , TFN, Shaft, and S ta c h e ld ra h t.
M o d u le 1 0 P a g e 1 4 8 1
Techniques to Defend against Botnets

RFC 3704 Filtering
A n y tra ffic co m in g fro m unused o r reserved IP addresses is bogus and sho u ld be filtered at the ISP b efore it enters th e Internet link
C E H
Black Hole Filtering

Black h ole refers to n e tw o rk nodes w h ere in co m in g tra ffic is discarded o r d ro p p e d w ith o u t in fo rm in g th e sou rce th a t th e data did n ot reach its in te n d e d recip ien t Black h ole filterin g refers to discardin g packets at th e rou tin g level
Cisco IPS Source IP R eputation Filtering

R e putation services help in d e te rm in in g if an IP o r service is a source o f th re a t o r not, Cisco IPS regularly up d ates its datab ase w ith k n ow n threats such as b otn ets, b o tn e t harvesters, m alw ares, etc. and helps in filterin g DoS tra ffic
T e c h n iq u e s
to
e f e n d
a g a in s t
B o tn e ts
T h ere are fo u r w ays to d e fe n d against b o tn e ts :

R F C 3 7 0 4 F ilte r in g
RFC3704 is a basic ACL f ilte r . The basic re q u ire m e n t o f th is filte r is th a t packets should be source d fro m va lid , a llo c a te d address space, c o n s is te n t w ith th e to p o lo g y and space a llo c a tio n . A list o f all unused o r reserved IP addresses th a t c a n n o t be seen u n d e r n o rm a l o p e ra tio n s is u su a lly called a "b o g o n lis t." If you are able to see any o f th e IP addresses fro m th is list, th e n you s h ou ld d ro p th e packets co m in g fro m it co n s id e rin g it as a s p o o fe d sou rce IP. Also yo u s h ou ld check w ith y o u r ISP to d e te rm in e w h e th e r th e y m anage th is kind o f filte rin g in th e clo ud b e fo re th e bogus tr a ffic e n te rs y o u r In te rn e t pipe. This bogon list changes fre q u e n tly .
B la c k
SL
H o le
F ilte r in g
Black hole filte r in g is a c o m m o n te c h n iq u e to d e fe n d against b o tn e ts and th u s to p re v e n t DoS attacks. You can d ro p th e u n d e sira b le tr a ffic b e fo re it e n te rs y o u r p ro te c te d n e tw o rk w ith a te c h n iq u e called R e m o te ly T rig g e re d B lack H ole F ilte rin g , i.e., RTBH. As th is is a re m o te ly trig g e re d process, yo u need to c o n d u c t th is filte rin g in c o n ju n c tio n w ith y o u r ISP. W ith th e he lp o f BGP h o st ro u te s , th is te c h n iq u e ro u te s th e tra ffic headin g to v ic tim servers to a nullO n e x t hop. Thus, yo u can a void DoS atta cks w ith th e help o f RTBH.
M o d u le 1 0 P a g e 1 4 8 2
ao
y
D D o S
P r e v e n tio n
O ffe r in g s
fr o m
IS P
o r D D o S
S e r v ic e
M o s t ISPs o ffe r som e fo rm o f in -th e -c lo u d DDoS p ro te c tio n fo r y o u r In te rn e t links. The
idea is th a t th e tra ffic w ill be c le a n e d by th e In te rn e t service p ro v id e r b e fo re it reaches y o u r In te rn e t pipe. T ypica lly, th is is d o n e in th e cloud. Hence, y o u r In te r n e t lin k s w ill be safe fro m b eing s a tu ra te d by a DDoS a tta c k . The in -th e -c lo u d DDoS p re v e n tio n service is also o ffe re d by som e th ird p a rtie s. These t h ir d - p a r ty service p ro v id e rs usually d ire c t th e tr a ffic in te n d e d to you to th e m , clean th e tra ffic , and th e n send th e cleaned tra ffic back to yo u . Thus, y o u r In te rn e t pipes w ill be safe fro m b eing o v e rw h e lm e d .
C is c o IP S S o u rc e IP R e p u ta tio n F ilte r in g
----------- '
Cisco G lobal C o rre la tio n , a n e w s e c u rity c a p a b ility o f Cisco IPS 7.0, uses im m e n s e
s e c u rity in te llig e n c e . The Cisco SensorBase N e tw o rk co n ta in s all th e in fo rm a tio n a b o u t kn o w n th re a ts on th e In te rn e t, serial a tta c k e rs, m a lw a re o u tb re a k s , d a rk nets, and b o tn e t h a rvesters. The Cisco IPS m akes use o f th is n e tw o rk to filte r o u t th e a tta cke rs b e fo re th e y a tta c k c ritic a l assets. In o rd e r to d e te c t and p re v e n t m a lic io u s a c tiv ity even e a rlie r, it in c o rp o ra te s th e global th r e a t data in to its system .
M o d u le 1 0 P a g e 1 4 8 3
DoS/DDoS Countermeasures
1 ...... 7 against eavesdropping r::::-..
cE H
(tkMjl NMhM
//
//
(...................................
Use strong en cryption mechanisms such as WPA2, AES 256, etc. fo r broadband netw orks to w ith sta n d
VI
//
FA
Ensure th a t th e softw a re and protocols used are up-to-date and scan th e machines th o ro u g h ly to d e te c t fo r any anomalous behavior
Disable unused and insecure services
Block all inbound packets o rig inatin g fro m th e service po rts to block th e tra ffic fro m re fle ctio n servers
Cl 0
Update kernel to th e la te s t release

/ / j ...... / / .....................................................
Prevent th e transm ission o f th e fra u d u le n tly addressed packets at ISP level

/ / i / /
//'
Im plem ent cognitive radios in the physical layer to handle th e jam m ing and scrambling kind of attacks
Copyright by E tC m n cj. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S /D D o S
o u n t e r m
e a s u r e s
The s tre n g th o f an o rg a n iz a tio n 's n e tw o rk se c u rity can be increased by p u ttin g th e p ro p e r co u n te rm e a su re s in th e rig h t places. M a n y such co u n te rm e a s u re s are available fo r DoS/DDoS attacks. The fo llo w in g is th e list o f c o u n te rm e a s u re s to be a p p lie d against DoS/DDoS attacks: E ffic ie n t e n c ry p tio n m echanism s need to be p roposed fo r each piece o f b ro a d b a n d te c h n o lo g y Im p ro ve d ro u tin g p ro to c o ls are desirable, p a rtic u la rly fo r th e m u lti-h o p W M N Disable unused and insecure services Block all in b o u n d p a ckets o rig in a tin g fro m th e service p o rts to block th e tra ffic fro m th e re fle c tio n servers U pdate kernel to th e la te s t release P revent th e tra n s m iss io n o f th e fr a u d u le n tly a ddressed p a ckets a t th e ISP level Im p le m e n t c o g n itiv e ra d io s in th e physical layer to h andle th e ja m m in g and scra m b lin g kind o f attacks
M o d u le 1 0 P a g e 1 4 8 4
DoS/DDoS Countermeasures
( C o n t d )
C o n fig u re th e fir e w a ll t o d e n y e x te rn a l In te rn e t C o n tro l M e s s a g e P ro to c o l (IC M P) tr a f fic a ccess P re v e n t u se o f u n n e c e s s a ry fu n c tio n s s u c h as g e ts, s trc p y e tc . S e cu re th e re m o te
E H
a d m in is t ra tio n and c o n n e c tiv ity t e s t in g
The netw ork card is the gatew ay to the packets. Use a b e tte r netw ork card to handle a large num ber of packets
P e r fo rm th e th o ro u g h in p u t v a lid a tio n
P re v e n t th e re tu rn a d d re s s e s fro m b e in g o v e r w r it te n
D ata p ro c e s s e d by th e a tta c k e r s h o u ld be s to p p e d fro m b e in g e x e c u te d
Copyright by E&Counci. A ll RightsReservecTReprodiiction is Strictly Prohibited.
>
D o S /D D o S
o u n t e r m
e a s u r e s
( C
o n t d )
The lis t o f c o u n te rm e a s u re s against D 0 S /D D 0 S a tta c k c o n tin u o u s as fo llo w s :
C o n fig u re th e fire w a ll to d e n y e x te rn a l In te r n e t C o n tro l M essage P ro to c o l (ICMP) tr a ffic access
P re ve n t th e use o f u n n e c e s s a ry fu n c tio n s such as gets, strcp y, etc. Secure th e re m o te a d m in is tra tio n and c o n n e c tiv ity te s tin g P re ve n t th e re tu rn addresses fro m being o v e r w r itte n Data processed by th e a tta c k e r sh ould be sto p p e d fro m being e xe cu te d P e rfo rm th e th o ro u g h in p u t v a lid a tio n The n e tw o rk card is th e g a te w a y to th e packets. Hence, h a n d le a large n u m b e r o f packets use a b e tte r n e tw o rk card to
M o d u le 1 0 P a g e 1 4 8 5
o S
/ D
o S
r o t e c t i o n
a t
I S P
L e v e l
Most ISPs simply blocks all the requests during a DDoS attack, denying legitimate traffic from accessing the
I ISPs offer in-the-cloud DDoS protection for Internet links so th at they do not become saturated by the attack ri Attack traffic is redirected to the ISP during the attack to be filtered and sent back Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation
h ttp : //w w w .c e r t,o r g

---------------------------C opyright by E C -C a in d . A ll Rights Reserved. Reproduction is S trictly Prohibited.
D o S / D D o S
P r o t e c t i o n
a t
t h e
I S P
L e v e l
Source: http://www.cert.org M o st ISPs simply block all the requests during a DDoS attack, denying legitim ate traffic from accessing the service. ISPs offer in-the-cloud DDoS protection for Internet links so that they do not becom e saturated by an attack. Attack traffic is redirected to the ISP during the attack to be filtered and sent back. Adm inistrators can request ISPs to block the original affected IP and move their site to a nother IP after perform ing DNS propagation.
M o d u le 1 0 P a g e 1 4 8 6
M o d u le 1 0 P a g e 1 4 8 7
E I O
n a b l i n g S S o f t w
T C a r e
I n t e r c e p t
o n
i s c o
[ 7 1
E H
| IU m jI N M h M
To en ab le TCP in te rc ep t, use th e s e co m m and s in global configuration m ode:
S te p 1 2
C om m and access-list access-list-number {deny | permit} tcp any destination destination-wildcard ip tcp Intercept list access-list-number
P u rp o se Define an IP extended access list Enable TCP Intercept
T C P in t e r c e p t ca n o p e r a t e in e it h e r a c t iv e in t e r c e p t m o d e o r p a s s iv e w a tc h m o d e . T h e d e f a u lt is in t e r c e p t m o d e .
n a b l i n g
T C P
I n t e r c e p t
o n
C i s c o
I O
S o f t w a r e
The TCP intercept can be enabled by executing the follow ing com m ands in global configuration mode: Command
S te p 1 a c c e s s -lis t p e rm it} tc p a c c e s s -lis t-n u m b e r any d e s tin a tio n {d e n y I
Purpose Defines an IP extended access list. Enables TCP intercept.
d e s tin a tio n - w ild c a rd S te p 2 ip tc p in te rc e p t l i s t a c c e s s -lis t-
num ber
An access list can be defined for three purposes: 1. To intercept all requests 2. 3. To intercept only those coming from specific networks To inte rcept only those destined for specific servers
Typically the access list defines the source as any and the destination as specific networks or servers. As it is not im portant to know w h o to intercept packets from, do not filter on the source addresses. Rather, you identify the d e stin atio n server or netw ork to protect.
M o d u le 1 0 P a g e 1 4 8 8
TCP intercept can operate in tw o modes, i.e., active interce pt m o d e and passive w a tch m ode. The default is intercept mode. In intercept mode, the Cisco IOS Software intercepts all incoming connection requests (SYN), gives a response on behalf of the server with an ACK and SYN, and then waits for an ACK of the SYN from the client. W hen the ACK is received from the client, the software performs a thre e -w a y handshake with the server by setting the original SYN to the server. Once the thre e -w a y handshake is complete, the tw o-half connections are joined. The com m and to set the TCP intercept m ode in global configuration mode:
Command ip tc p w a tc h } in te rc e p t m ode {in te rc e p t |
p u rp o s e
Set the TCP intercept mode
M o d u le 1 0 P a g e 1 4 8 9
A A
d p
v a p
c e n
d s
o S
r o
t e
c t i o
n C E H
l i a
c e
C is c o G u a rd XT 5 6 5 0
h ttp : //w w w .c is c o .c o m
A d v a n c e d
f
h ttp : //w w w .a r b o r n e tw o r k s .c o m
C opyright by E & C au nc!. A ll Rights Reserved. Reproduction is S trictly Prohibited.
D D o S
P r o t e c t i o n
A p p l i a n c e s
F o r t i D D o S 3 0 0 A
^ ^
Source: http://w w w .fortinet.com
The FortiDDoS 300A provides visibility into your Internet-facing n e tw o rk and can detect and block reconnaissance and DDoS attacks while leaving legitim ate traffic untouched. It features autom atic traffic profiling and rate limiting. Its continuous learning capability differentiates between gradual build-ups in legitimate traffic and attacks.
FIGURE 10.31: FortiDDoS-300A
M o d u le 1 0 P a g e 1 4 9 0
D D o S
P r o te c to r
Source: http://w w w .checkpoint.com DDoS Protector provides protection against n e tw o rk flo o d and a p plica tion layer attacks by blocking the destructive DDOS attacks w ithou t causing any damage. It blocks the abnormal traffic w ithout touching the legitimate traffic. It protects your netw ork and w eb services by filtering the traffic before it reaches the firewall.
FIGURE 10.32: DDoS Protector

C is c o G u a r d X T 5 6 5 0
Source: http://www.cisco.com The Cisco Guard XT is a DDoS M itig a tio n Appliance from Cisco Systems. It performs he detailed per-flow level attack analysis, identification, and mitigation services required to block attack traffic and prevent it from disrupting n e tw o rk operations.
FIGURE 10.33: Cisco Guard XT 5650
f e
A r b o r
P r a v a il:
A v a ila b ilit y
P r o te c tio n
S y s te m
Source: http://w w w .arbornetw orks.com
A rb o r Pravail allows you to detect and remove known and em erging threats such as DDOS attacks autom atically before your vital services go down. It increases your internal network visibility and im proves the efficiency of the network.
FIGURE 10.34: Availability Protection System
M o d u le 1 0 P a g e 1 4 9 1
l e
l o
E H
C opyright by E & C a in c i. A ll Rights Reserved. Reproduction is S trictly Prohibited.
o d u l e
F l o w
In addition to the counterm easures discussed so far, you can also adopt D 0 S/DD 0 S tools to protect your netw ork or netw ork resources against D 0 S/DD 0 S attacks.
D o s /D D o S C o n c e p ts
d p g
B o tn e ts
/%*?
Dos/DDoS Protection Tools
This section lists and describes various tools that offer protection against D 0 S/DD 0 S attacks.
M o d u le 1 0 P a g e 1 4 9 2
D o S / D D o S A n t i - D D o S
P r o t e c t i o n F i r e w a l l
T o o l:
u a r d C E H
D -G u a rd A n ti-D D o S F irew all p ro v id e s th e m o st re lia b le and fa s te s t D D oS p ro te ctio n fo r o n lin e e n te r p ris e s , p u b lic and m e d ia s e rv ic e s , e s s e n tia l in fra s tr u c tu re , and I n te rn e t s e rv ic e p r o v id e rs
.. ....... M o n ito r
F e a tu re s : Pro tection against alm ost all kinds o f attacks Built-in intrusion prevention system TCP flo w co ntrol IP blacklist and w hite list, ARP w hite list, and M A C Binding
i "
Up
f t
1 ^1
C opyright by EC-Cauncl. A ll Rights Reserved. Reproduction is S trictly Prohibited.
D o S / D D o S F i r e w a l l
P r o t e c t i o n
T o o l:
u a r d
A n t i - D D o S
S o u rce : h ttp ://w w w .d - g u a r d .c o m D G u a rd A n ti- D D o S F ir e w a ll p r o v id e s D D o S p r o t e c t i o n . It o f f e r s p r o t e c t i o n a g a i n s t D 0 S / D D 0 S,
S u p e r D D o S , D r D o S , f r a g m e n t a t t a c k s , S Y N f l o o d i n g a t t a c k s , IP f l o o d i n g a t t a c k s , U D P , m u t a t i o n UDP, ra n d o m F e a tu re s : B u ilt-in in tru s io n p r e v e n tio n s y s te m P r o te c tio n a g a in s t SYN, TCP flo o d in g , a n d o t h e r ty p e s o f D D o S a tta c k s TCP flo w c o n tro l U D P /IC M P /IG M P p a c k e ts ra te m a n a g e m e n t IP b l a c k l i s t a n d w h i t e l i s t C o m p a c t a n d c o m p r e h e n s i v e lo g file U D P f lo o d in g a tta c s k , IC M P , IC M P f lo o d a tta c k s , A R P s p o o fin g a tta c k s , e tc .
M o d u le 1 0 P a g e 1 4 9 3
FIGURE 10.35: D-Guard Anti-DDoS Firewall
M o d u le 1 0 P a g e 1 4 9 4
/ D
r o
t e
t i o
l s
[JJ 5
------- ^
NetFlow Analyzer
http://www.m anageengine.com
FortiDDoS
h ttp :/ / www .fortine t. com
i *
SDL Regex Fuzzer

http://w w w .m icrosoft.com
D efensePro
h ttp ://w w w . radware. com
WANGuard Sensor
h ttp://w w w .andrisoft.com
PW
DOSarrest
http:,//w w w . dos arres t. com
NetScaler Application Firewall

h ttp ://w w w . citrix. com
Anti DDoS Guardian

h ttp ://w w w . bee think, com
FortG uard DDoS Firewall

h ttp ://w w w .fo rt guard, com
DDoSDefend
h ttp ://d do s defend, com
D o S / D D o S
P r o t e c t i o n
T o o ls p ro te c tio n
In a d d i t i o n t o D - G u a r d A n t i - D D o S F i r e w a l l , t h e r e a r e m a n y t o o l s t h a t o f f e r
a g a in s t D o S /D D o S a tta c k s . A f e w t o o ls t h a t o f f e r D o S /D D o S p r o t e c t io n a re lis te d asf o llo w s : Q Q 0 Q e Q N e tF lo w A n a ly z e r a v a ila b le a t h t t p :/ / w w w .m a n a e e e n g in e . c o m SDL R e g e x F u z z e r a v a ila b le a t h t t p : / / w w w . m ic r o s o f t . c o m W A N G u a r d S e n s o r a v a ila b le a t h t t p : / / w w w . a n d r is o f t . c o m N e tS c a le r A p p lic a tio n F ire w a ll a v a ila b le a t h t t p : / / w w w . c i t r ix . c o m F o r tG u a rd D D o S F ire w a ll a v a ila b le a t h t t p : / / w w w . f o r t g u a r d . c o m In tru G u a rd a v a ila b le a t h t t p : / / w w w . i n t r u g u a r d . c o m D e fe n s e P ro a v a ila b le a t h t t p : / / w w w . r a d w a r e . c o m D O S a rre s t a v a ila b le a t h t t p : / / w w w . d o s a r r e s t . c o m A n ti D D oS G u a rd ia n a v a ila b le a t h t t p : / / w w w . b e e t h in k . c o m D D o S D e fe n d a v a ila b le a t h t t p :/ / d d o s d e fe n d . c o m
M o d u le 1 0 P a g e 1 4 9 5
C opyright by E & C a in cfl. A ll Rights Reserved. Reproduction is S trictly Prohibited.
IIL
-- -
o d u l e m a in th e
F l o w o f e v e ry e th ic a l hacker or pen reso u rce s te s te r is t o conduct and p e n e tra tio n m in o r p o s s ib le
-------------- T h e te s tin g on
o b je c tiv e
ta rg e t
n e tw o rk
o r s y s te m
a g a in s t e v e ry
m a jo r
a t t a c k i n o r d e r t o e v a l u a t e t h e i r s e c u r i t y . T h e p e n e t r a t i o n t e s t i n g is c o n s i d e r e d a s t h e s e c u r i t y e v a lu a tio n m e th o d o lo g y . D 0 S /D D 0 S p e n e tra tio n te s tin g is o n e phase in th e o v e ra ll s e c u rity
e v a lu a tio n m e th o d o lo g y .
D o s /D D o S C o n c e p ts
0
B o tn e ts D o s /D D o S P r o te c tio n T o o ls
M o d u le 1 0 P a g e 1 4 9 6
T h i s s e c t i o n d e s c r i b e s D o S a t t a c k p e n e t r a t i o n t e s t i n g a n d t h e s t e p s i n v o l v e d in D o S a t t a c k p e n e tr a tio n te s tin g .
M o d u le 1 0 P a g e 1 4 9 7
D P
e e
n n
i a e
l - o t r a
f - S t i o n
e T
r v i c e e s t i n
( D g
o S )
t t a
c k c
(rtifwtf
E H
tUMJl Km Im
DoS attack should be incorporated into Pen testing to find out if the netw ork server is susceptible to DoS attack
I L
A vulnerable netw ork cannot handle a large am ount of traffic sent to it and subsequently crashes or slows down, thus preventing access by authentic users
DoS Pen Testing determ ines minimum thresholds for DoS attacks on a system , but the tester cannot ensure that the system is resistant to DoS attacks
] ]
The main objective of DoS Pen testing is to flood a target netw ork w ith traffic, sim ilar to hundreds of people repeatedly requesting a service, to keep the server busy and unavailable
r r
' Ll_:------
v :
-----------1
D In
e n i a l o f S e r v ic e an a tte m p t to s e c u re
( D o S ) your
A t t a c k firs t
P e n e t r a t i o n you s h o u ld try to
T e s t i n g fin d th e s e c u rity
n e tw o rk ,
w e a k n e s s e s a n d t r y t o fix t h e m y o u r n e tw o r k . T h e m a in a im o r c r a s h it in o r d e r t o ille g itim a te c o n n e c tio n SYN or
as th e s e w e a k n e s s e s p ro v id e a p a th f o r a tta c k e rs to b re a k in to p e rfo r m a n c e o f th e ta rg e t w e b s ite b y s e n d in g L e g itim a te th e re m o te
o f a D o S a t t a c k is t o l o w e r t h e
in te rru p t th e p in g re q u e s ts
b u s i n e s s c o n t i n u i t y . A D o S a t t a c k is p e r f o r m e d th a t o v e rw h e lm when th is th e c a p a c ity of a n e tw o rk . on
re q u e s ts
c a n n o t be
h a n d le d
h a p p e n s . S e rv ic e s
ru n n in g
m a c h i n e s c r a s h d u e t o t h e s p e c i a l l y c r a f t e d p a c k e t s t h a t a r e f l o o d e d o v e r t h e n e t w o r k . In s u c h cases, th e n e tw o rk cannot d iffe re n tia te b e tw e e n le g itim a te and ille g itim a te d a ta tra ffic .
D e n ia l-o f-s e rv ic e a tta c k s a re e a s y w a y s t o have a g re a t deal of k n o w le d g e to
b rin g d o w n a s e rv e r. T h e a tta c k e r d o e s n o t n e e d to th e m , m a k in g th e it e s s e n tia l to te s t fo r fin d DoS th e
conduct
v u ln e ra b ilitie s . As a p e n te s te r, y o u s e c u rity lo o p h o le s . Y o u need to
need to
s im u la te
a c tio n s o f th e w ith s ta n d s
a tta c k e r to
c h e c k w h e th e r y o u r s y s te m
D oS a tta c k s
(behaves
n o r m a lly ) o r it g e ts c ra s h e d . T o c h e c k th is , y o u n e e d t o f o llo w a s e rie s o f s te p s d e s ig n e d f o r D oS p e n e tra tio n te s t.
M o d u le 1 0 P a g e 1 4 9 8
D P
e e
n n
i a e
l - o t r a
f - S t i o n
e T
r v i c e e s t i n
( D g
o S )
t t a
c k
( c o n t d )
START U ,
Test the web server using automated tools such as Webserver Stress Tool, Web Stress Tester, and JMeterfor load capacity, server-side performance, locks, and other scalability issues Scan the network using automated tools such as Nmap, G FI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks Flood the target with connection request packets using tools such as DoS HTTP, Sprut, and PHP DoS
C h e c k fo r DoS v u ln e ra b le s y s te m s
f
F lo o d th e w e b s ite fo rm s an d g u e s tb o o k w it h bog u s e n trie s
Use a port flooding attack to flood the port and increase the CPU usage by maintaining all the connection requests on the ports under blockade. Use tools Mutilate and PepsiS to automate a port flooding attack Use tools Mail Bomber and Advanced Mail Bomber to send a large number of emails to a target mail server Fill the forms with arbitrary and lengthy entries
Run SYN a tta c k on th e s e rv e r
R u n p o rt flo o d in g a tta c k s on th e s e rv e r
R u n e m a il b o m b e r on th e e m a il s e rv e rs
Copyright by E C -C a in d . All Rights Reserved. Reproduction isStrictly Prohibited.
\ ' *
D ( C
e n i a l o f S e r v ic e o n t d )
( D o S )
A t t a c k
P e n e t r a t i o n
T e s t i n g
T h e s e rie s o f D oS p e n e t r a t io n t e s t in g s te p s a re lis te d a n d d e s c r ib e d as f o llo w s : S te p 1: D e fin e th e o b je c tiv e T h e f i r s t s t e p i n a n y p e n e t r a t i o n t e s t i n g is t o d e f i n e t h e o b j e c t i v e o f t h e t e s t i n g . T h i s h e l p s y o u t o p l a n a n d d e t e r m i n e t h e a c t i o n s t o b e t a k e n in o r d e r t o a c c o m p l i s h t h e g o a l o f t h e t e s t . S te p 2: T e s t f o r h e a v y lo a d s o n th e s e rv e r Load te s tin g is p e rfo rm e d by p u ttin g an a rtific ia l lo a d on a s e rv e r o r a p p lic a tio n to te s t its
s ta b ility a n d p e rfo rm a n c e . It in v o lv e s t h e s im u l a t i o n o f a r e a l - t i m e s c e n a r io . A w e b s e r v e r c a n b e t e s t e d f o r lo a d c a p a c it y u s in g t h e f o llo w in g to o ls : W e b s e r v e r S t r e s s T o o l : W e b s e r v e r S t r e s s T o o l is t h e s o f t w a r e f o r l o a d a n d p e r f o r m a n c e te s tin g o f w e b a llo w s y o u t o you s e rve rs a n d w e b in f r a s t r u c t u r e s . It h e lp s y o u a t th e in p e r f o r m i n g lo a d t e s t . It
te s t y o u r e n tire w e b s ite URLs, th e
n o r m a l ( e x p e c te d ) lo a d . F o r lo a d te s tin g tim e b e tw e e n c lic k s o f y o u r
s im p ly e n te r th e
n u m b e r o f u se rs, a n d th e
w e b s i t e t r a f f i c . T h i s is a " r e a l - w o r l d " t e s t .
M o d u le 1 0 P a g e 1 4 9 9
W e b S tre s s T e s te r S o u rce : h ttp ://w w w .s e r v e tru e .c o m W e b S t r e s s T e s t e r is a t o o l t h a t a l l o w s y o u t o t e s t t h e p e r f o r m a n c e a n d s t a b i l i t y o f a n y W e b s e r v e r a n d p r o x y s e r v e r w i t h S S L /T L S -e n a b le d .
J M e te r
S o u rce : h ttp ://im e te r.a p a c h e .o r g J M e t e r is a n o p e n - s o u r c e w e b to o l is a Java It a p p lic a tio n was a p p lic a tio n to lo a d -te s tin g to o l d e v e lo p e d lo a d fo r te s t fu n c tio n a l web b y A p a c h e . T h is and but m ea su re has s in c e
d e s ig n e d
b e h a v io r
p e rfo rm a n c e .
o rig in a lly
d e s ig n e d
te s tin g
a p p lic a tio n s
e x p a n d e d to o th e r te s t fu n c tio n s . S te p 3: C h e c k f o r D oS v u ln e ra b le s y s te m s T h e p e n e t r a t io n t e s t e r s h o u ld c h e c k t h e s y s te m f o r a D oS a tta c k v u ln e r a b ilit y b y s c a n n in g th e n e tw o r k . T h e fo llo w in g to o ls ca n be u se d to scan n e tw o r k s f o r v u ln e ra b ilitie s : Nm ap
S o u rce : h ttp ://n m a p .o r g N m a p is a t o o l t h a t c a n b e u s e d t o f i n d t h e s t a t e o f p o r t s , t h e s e r v i c e s r u n n i n g o n t h o s e p o rts , th e o p e ra tin g s y s te m s , a n d a n y fir e w a lls a n d filte rs . N m a p can be run fro m th e
c o m m a n d lin e o r as a G U I a p p lic a tio n . GFI L A N g u a r d
S o u rce : h ttp ://w w w .g fi.c o m G F I L A N g u a r d is a s e c u r i t y - a u d i t i n g t o o l t h a t i d e n t i f i e s v u l n e r a b i l i t i e s a n d s u g g e s t s f i x e s fo r n e tw o rk v u ln e ra b ilitie s . of IP GFI L A N g u a rd scans th e n e tw o rk , about based th e on th e IP
a d d re s s /ra n g e
a d d re sse s
s p e c ifie d ,
and
a le rts
u se rs
v u ln e ra b ilitie s
e n c o u n te re d o n th e ta rg e t s y s te m . Nessus
S o u rce : h ttp ://w w w .n e s s u s .o rg N e s s u s is a v u l n e r a b i l i t y a n d c o n f i g u r a t i o n a s s e s s m e n t p r o d u c t . I t f e a t u r e s c o n f i g u r a t i o n a u d itin g , a s s e t p ro filin g , s e n s itiv e v u l n e r a b i l i t y a n a ly s is . S te p 4: R un a SYN a tta c k o n th e s e rv e r A p e n e t r a t i o n t e s t e r s h o u l d t r y t o r u n a S Y N a t t a c k o n t h e m a i n s e r v e r . T h i s is a c c o m p l i s h e d b y b o m b a r d in g t h e t a r g e t w it h c o n n e c tio n re q u e s t p a c k e ts . T h e fo llo w in g to o ls ca n b e u s e d t o ru n SYN a tta c k s : DoS HTTP, S p ru t, a n d PHP DoS. S te p 5: R un p o r t flo o d in g a tta c k s o n th e s e rv e r P o r t f lo o d in g s e n d s a la rg e n u m b e r o f T C P o r U D P p a c k e ts t o a p a r t ic u la r p o r t , c r e a tin g a d e n ia l o f s e r v i c e o n t h a t p o r t . T h e m a i n p u r p o s e o f t h i s a t t a c k is t o m a k e t h e p o r t s u n u s a b l e a n d d a ta d is c o v e ry , p a tc h m a n a g e m e n t in te g ra tio n , and
M o d u le 1 0 P a g e 1 5 0 0
in c r e a s e t h e C P U 's u s a g e t o 1 0 0 % . T h is a t t a c k c a n b e c a r r i e d o u t o n b o t h T C P a n d U P D p o r t s . T h e fo llo w in g to o ls can be use d to c o n d u c t a p o rt- flo o d in g a tta c k : Q M u t i l a t e : M u t i l a t e is m a i n l y u s e d t o d e t e r m i n e w h i c h p o r t s o n t h e t a r g e t a r e o p e n . T h i s t o o l m a i n l y t a r g e t s T C P / I P n e t w o r k s . T h e f o l l o w i n g c o m m a n d is u s e d t o e x e c u t e M u tila te : m u tila te Q < ta rg e t _ IP > < p o rt>
P e p s i5 : T h e P e p s i5 t o o l m a i n l y t a r g e t s U D P p o r t s a n d s e n d s a s p e c if ia b le n u m b e r a n d s iz e o f d a t a g r a m s . T h is t o o l c a n r u n in t h e b a c k g r o u n d a n d u s e a s t e a l t h o p t i o n t o m a s k t h e p ro c e s s n a m e u n d e r w h ic h it ru n s .
S te p 6: R un an e m a il b o m b e r o n th e e m a il s e rv e rs In t h i s s te p , th e p e n e tra tio n te s te r sends a la rg e num ber o f e m a ils to te s t th e ta rg e t m a il
s e r v e r . I f t h e s e r v e r is n o t p r o t e c t e d o r s t r o n g e n o u g h , i t c r a s h e s . T h e t e s t e r u s e s v a r i o u s s e r v e r to o ls t h a t h e lp s e n d th e s e a tta c k : Q M a il B o m b e r S o u rce : h ttp ://w w w .g e tfr e e file .c o m /b o m b e r .h tm l M a il Bom ber lis ts . is a s e r v e r It is to o l of used to send a b u lk e m a ils of by u s in g s u b s c rip tio n -b a s e d lis ts based on b u lk e m a ils . T h e f o llo w in g to o ls a re used to c a rry o u t th is ty p e of
m a ilin g
c a p a b le
h o ld in g
num ber
s e p a ra te
m a ilin g
s u b s c rip tio n s , e m a il m e ssa g e s, a n d S M T P s e rv e rs f o r v a rio u s re c ip ie n ts . A d v a n c e d M a il B o m b e r S o u rce : h ttp ://w w w .s o fth e a p .c o m Advanced M a il Bom ber is a b l e to send p e rs o n a liz e d m essages to a la rg e num ber of
s u b s c rib e rs o n a w e b s ite f r o m it c a n h a n d le up to 48 SMTP
p r e d e f i n e d t e m p l a t e s . T h e m e s s a g e d e l i v e r y is v e r y f a s t ; s e rve rs in 48 d iffe re n t th re a d s . A m a ilin g lis t c o n t a in s keep
b o u n d le s s s tr u c tu r e d tra c k o f u se r fe e d b a c k .
re c ip ie n ts , S M T P se rve rs,
m e s s a g e s , e tc . T h is t o o l c a n a ls o
S te p 7: F lo o d t h e w e b s it e f o r m s a n d g u e s tb o o k w i t h b o g u s e n trie s In t h i s s t e p , t h e p e n e tra tio n te s te r fills o n lin e fo r m s w ith a rb itra ry a n d le n g th y e n trie s . If a n
a t t a c k e r s e n d s a la rg e n u m b e r o f s u c h b o g u s a n d a b le t o h a n d le it a n d m a y c ra s h . S te p 8 : D o c u m e n t a ll t h e f in d in g s In th is s te p , th e p e n e tra tio n te s te r s h o u ld
le n g th y e n trie s , th e
d a ta s e rv e r m a y n o t be
docum ent
a ll
h is
or
her
te s t
fin d in g s
in
th e
p e n e tra tio n te s tin g re p o rt.
M o d u le 1 0 P a g e 1 5 0 1
l e
D enial o f S e rv ice (DoS) is an attack on a co m p u te r o r n e tw o rk th a t pre v e n ts le g itim ate u se o f its re so u rc e s
A d istrib u te d d e n ia l-o f-se rv ic e (D D 0 S) a tta ck is o n e in w h ic h a m u ltitu d e o f th e c o m p ro m is e d syste m s a tta ck a sin gle targ et, th e re b y cau sin g den ia l o f se rv ic e fo r u se rs o f th e ta rg e te d system
In te rn e t Relay C h at (IRC) is a s yste m fo r ch a ttin g th a t in v o lve s a set o f ru les a n d co n v e n tio n s and c lie n t/s e rv e r s o ftw a re
V a rio u s a tta ck te c h n iq u e s a re used p e rfo rm a DoS atta ck su ch as b a n d w id th a tta cks, s e rv ic e re q u e st flo o d s , SYN flo o d in g attack, IC M P flo o d atta ck, P e e r-to -P e e r a tta cks etc.
Bots a re s o ftw a re ap p lic a tio n s th a t ru n a u to m a te d ta sks o v e r th e In te rn e t and p e rfo rm sim p le re p e titiv e ta sks such as w e b s p id e rin g a n d sea rch e n g in e indexing
DoS d e te ctio n te c h n iq u e s a re based on id e n tify in g a n d d isc rim in a tin g th e ille g itim a te tra ffic in cre a se and fla sh even ts fro m le g itim ate packet tra ffic
DoS Pen Testing d e te rm in e s m in im u m th re s h o ld s fo r DoS a tta cks on a syste m , b u t th e te s te r ca n n o t e n s u re th a t th e s yste m is re s is ta n t to D oS a ttack
o d u l e
S u m
a r y ( D o S ) is a n a tta c k o n a c o m p u te r o r n e tw o rk th a t p re v e n ts
D e n ia l o f s e rv ic e
l e g i t i m a t e u s e o f its r e s o u r c e s . A d is trib u te d d e n ia l-o f-s e rv ic e (D D oS ) a tta c k is one in w h ic h a m u ltitu d e of th e
c o m p ro m is e d
s y s te m s a t ta c k a s in g le t a r g e t, t h e r e b y c a u s in g d e n ia l o f s e rv ic e f o r u s e rs
o f th e ta rg e te d s y s te m . In te rn e t R e la y Chat (IR C ) is a s y s te m fo r c h a ttin g th a t in v o lv e s a set of ru le s and
c o n v e n tio n s a n d c lie n t/s e rv e r s o ftw a re . V a rio u s a t ta c k te c h n iq u e s s e rv ic e e tc . B o ts a re s o ftw a r e a p p lic a tio n s t h a t ru n a u t o m a t e d ta s k s o v e r th e I n te r n e t a n d s im p le r e p e t i t i v e ta s k s s u c h as w e b s p id e r in g a n d s e a rc h e n g in e in d e x in g . DoS d e te c tio n te c h n iq u e s a re based on id e n tify in g and d is c rim in a tin g th e ille g itim a te p e rfo rm a re used p e rfo rm a tta c k s , a DoS a tta c k such IC M P f lo o d as b a n d w id t h a tta c k s , a tta c k s ,
r e q u e s t f lo o d s , SYN f lo o d in g
a tta c k s , p e e r- to -p e e r
t r a f f ic in c r e a s e a n d fla s h e v e n ts f r o m DoS p e n te s tin g d e te rm in e s
le g itim a te p a c k e t tra ffic . th re s h o ld s fo r DoS a tta c k o n a s y s te m , b u t th e
m in im u m
t e s t e r c a n n o t e n s u r e t h a t t h e s y s t e m is r e s i s t a n t t o D o S a t t a c k s .
M o d u le 1 0 P a g e 1 5 0 2

CEHv8 Module 10 Denial of Service

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 10 Denial of Service

Uploaded by

Copyright:

Available Formats

D e n ia l o f S e r v ic e

copyright2012 FOX News Network, LLC

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

b j e c t i v e s lo o k s a t v a r i o u s a s p e c ts o f d e n i a l o f s e r v i c e a t t a c k s . T h e a tta c k s . R e a l-w o rld s c e n a rio s a tta c k s a re and c ite d th e to m o d u le s ta rts h ig h lig h t th e to o ls to

o f d e n ia l-o f-s e rv ic e a tta c k s .

la u n c h s u c h a tta c k s a re in c lu d e d t o s p o t lig h t t h e te c h n o lo g ie s in v o lv e d . T h e c o u n te r m e a s u r e s fo r p re v e n tin g such a tta c k s a re a ls o t a k e n in to c o n s id e r a tio n . V iru s e s a n d w o rm s a re b rie fly

S y m p to m s o f a DoS A tta c k S DoS A tta c k T e c h n iq u e s B o tn e t B o tn e t E c o s y s te m B o tn e t T ro ja n s D D 0 S A tta c k T o o ls s a

Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.

Copyright by E&Cauactl. A ll Rights Reserved. Reproduction is Strictly Prohibited.

F l o w m a n y a tta c k s a re and reso u rce d e s ig n e d la u n c h e d ta rg e tin g o rg a n iz a tio n s in

D o s /D D o S P e n e tra tio n T e s tin g

Malicious t r a f f i c takes control overall the available bandwidth

To launch a DDoS attack, a n attacker uses b o t n e t s a n d a tta cks a single sy stem

t r fE t C M K l. AJ Rights Reserved. Reprod urtion is S triettf Piohbfted.

C o m p ro m ise d PCs (Zom bies)

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

In a D D 0 S a t t a c k , t h e t a r g e t b r o w s e r o r n e t w o r k is p o u n d e d b y m a n y a p p l i c a t i o n s w i t h fa k e e x te rio r re q u e s ts th a t m ake th e s y s te m , n e tw o rk , b ro w se r, or s ite s lo w , u s e le s s , and

d is a b le d o r u n a v a ila b le . The a tta c k e r in itia te s th e send a a tta c k b y s e n d in g a c o m m a n d to a g e n u in e to to th e z o m b ie a g e n ts . T h e s e i.e ., th e z o m b ie The

e ith e r re d u c e th e p e rfo rm a n c e o r m a y cause th e v ic tim

Zombie systems are instructed

Compromised PCs (Zombies)

Compromised PCs (Zombies)

S ym p tom sofaD o SA tta ck

D ra m a tic H U n u s u a lly s lo w n e tw o rk p e rfo rm a n ce i n c r e a s e in th e a m o u n t o f s p a m e m a ils rece ive d

Copyright by E&CtuacO. All Rights Reserved Reproduction is Strictly Prohibited.

Copyright by E & C aincil. All Rights Reserved. Reproduction is Strictly Prohibited.

D o s /D D o S P e n e tra tio n T e s tin g

I n a D o S a t t a c k , t h e v i c t i m , w e b s i t e , o r n o d e is p r e v e n t e d f r o m V a rio u s te c h n iq u e s a re used by th e a tta c k e r fo r la u n c h in g

D oSA ttackT echniques

P e r m a n e n t D e n ia l-o f-S e rv ic e A tta c k

Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.

B andw idthA ttacks

B a s i c a l l y ,a l l bandwidth i s used and no bandwidth remains for legitimate use

Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.

It initiates a re q u e s t on every connection

Copyright by E&Cauacil. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 10 Page 1417

The ta rg e t m a c h in e does n o t get t h e resp o n se because t h e s o u rce ad d re ss is fa ke

N o te : This attack explo it s th e t h r e e - w a y h a n d s h a k e m e t h o d

Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.

A t t a c k o f D o S a t t a c k . In t h i s a t t a c k , a n a t t a c k e r s e n d s a s e r i e s o f a c lie n t w a n ts to b e g in a TCP c o n n e c tio n to

C rt1 fW 4 ItkKjl K mIm

..... S Y N ..... S Y N ..... S Y N ..... S Y N

...................... ................... . ...................... ......................

Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.

r e q u e s t s c a n p r o d u c e t h e T C P S Y N f l o o d i n g a t t a c k . It w o r k s b y f illin g t h e t a b le r e s e r v e d f o r h a lf open TCP c o n n e c tio n s in t h e o p e ra tin g s y s t e m ' s T C P IP s t a c k . W hen th e ta b le b e c o m e s fu ll, th e ta b le

u n til a n d u n le s s s o m e e n tr ie s a re r e m o v e d f r o m be c a rrie d out u s in g fa k e

d iffic u lt t o tra c e th e s o u rc e . T h e ta b le o f c o n n e c tio n s ca n b e fille d w it h o u t s p o o fin g th e s o u rc e

Normal connection establishm ent

.............................................................. .... ............................. .......... . ? . .............. .... .......................

FIGURE 10.3: SYN Flooding

ECHO Request Legitimate ICMPechorequestfroman address in the same security zone

Copyright by E&Cauacil. All Rights Reserved. Reproduction is Strictly Prohibited.

-M axim um lim it o f ICMP Echo Requests per Second-

FIGURE 10.4: ICMP Flood Attack

P eer-to-P eerA ttacks

(itilwd 1 ItlMUl IlMhM

U sin g th is m eth o d , attacke rs lau n ch m a ss iv e d e n ia l- o f- s e rv ic e a tta c k s and c o m p ro m is e w e b site s

A t t a c k s is o n e f o r m o f D D 0 S a tta c k . In t h i s k in d o f a tta c k , th e a tta c k e r

e x p l o i t s a n u m b e r o f b u g s in p e e r - t o - p e e r s e r v e r s t o fla w s fo u n d in th e n e tw o rk th a t uses DC++

a D D 0 S a tta c k . A tta c k e rs e x p lo it p ro to c o l, w h ic h a llo w s th e

c o m p u te r s m a y tr y to c o n n e c t to th e ta rg e t w e b s ite , w h ic h ca u se s a d ro p o f th e ta rg e t w e b s ite . These p e e r-to -p e e r a tta c k s can be id e n tifie d

b a s e d o n t h e ir s ig n a tu r e s . U s in g th is m e t h o d , a tta c k e r s la u n c h m a s s iv e d e n ia l- o f- s e r v ic e a tta c k s a n d c o m p r o m is e w e b s ite s .

Perm anent Denial-of-Service Attack

I..I1 AM . %mT9j2

CHEC M 'Ul are AfO *. AfcilSfa 4fc/9u2

f.B fIJ'irV tPi'.W lip.lvl C VNCO\S^>wm32^vcl0