Professional Documents
Culture Documents
M o d u le 10
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D enialofService
M o d u le 10
E n g in e e re d b y H acke rs. P r e s e n te d b y P ro fe s s io n a ls .
!> C E H
E t h ic a l H a c k i n g
a n d
C o u n t e r m
e a s u r e s
v 8
M o d u le
1 0 :
D e n ia l-o f-S e rv ic e
E x a m
3 1 2 -5 0
M o d u le 1 0 P a g e 1 4 0 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
SecurityN ew s
Hom e I New s
K
m
! !
October 19, 2012
H S B C i s L a t e s t T a r g e t in C y b e r A t t a c k S p r e e
HSBC (HBC) experienced w idespread disruptions to several o f its w ebsites Thursday, becom ing one o f th e highest-profile victim s yet in a series o f attacks by a group claim ing to be allied w ith Islam ic terrorism . "H SBC servers ca m e u n d e r a d e n ia l o f service atta ck w h ich a ffe cte d a n u m b e r o f HSBC w eb sites a ro u n d th e w orld," the London-based banking giant said in a statem ent. "This denial o f service a ttack did not a ffe ct any cu stom er data, but did prevent custom ers using HSBC onlin e services, including internet banking." HSBC said it had the situ ation under co n tro l in the early m orning hours o f Friday London time. The Izzad-D in al-Q assam Cyber Fighters to o k responsibility fo r th e atta ck th at at points crippled users' access to hsbc.com and o th e r HSBC-owned properties on the W eb. The group, w hich has also disrupted the w ebsites o f scores o f o th er banks including J.P. M o rgan Chase (JPM) and Bank o f Am erica (BAC), said the attacks w ill continue until the anti-lslam ic 'Innocence o f M u slim s' film tra ile r is rem oved fro m the Internet
h t t p : / / w w w . f o x b u s i n e s s . c o m
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u r i t y &3>u j s m p p H S B C is
N e w s T a r g e t in C y b e r A t t a c k S p re e
L a te s t
Source: http://www.foxbusiness.com HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism. "HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking." HSBC said it had the situation under control in the early morning hours of Friday London time. The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-lslamic Innocence of Muslims' film trailer is removed from the Internet.
M o d u le 1 0 P a g e 1 4 0 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam. The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country. There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-ofservice attack. Essentially, al-Qassam has leveraged exploits in Web server software to take servers over and then use them as weapons. Once they are taken over, they slam the Web servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.
M o d u le 1 0 P a g e 1 4 0 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M oduleO bjectives
*
J J W hat Is a Denial of Service Attack? W hat Are D istributed Denial of Service Attacks? Sym ptom s of a DoS Attack DoS Attack Techniques B otnet B otnet Ecosystem B otnet Trojans DD0S Attack Tools ' J J J J DoS Attack Tools Detection Techniques D0S/DD 0S C o u n term easu re J J J J J J
Techniques to Defend against Botnets A dvanced DD0S Protection Appliances D0S/DD 0S Protection Tools Denial of Service (DoS) Attack P enetration Testing
n
J J
M
ta = ,
o d u l e
1
w ith
= 1
T h is m o d u le
a d is c u s s io n of
im p lic a tio n s
such
D is tr ib u te d
d e n ia l-o f- s e rv ic e
v a rio u s
d is c u s s e d in t e r m s o f t h e i r u s e in s u c h a t t a c k s . T h is m o d u l e w i l l f a m i l i a r i z e y o u w i t h :
2 2
W h a t is a D e n i a l o f S e r v i c e A t t a c k ? W hat A re D is tr ib u te d D e n ia l of
S s s
D D o s A t t a c k T o o ls D e te c tio n T e c h n iq u e s D 0 S /D D 0 S C o u n te rm e a s u re T e c h n iq u e s B o tn e ts to D e fe n d a g a in s t
S e rv ic e A tta c k s ? s s 2
2 2
Advanced A p p lia n c e s
DD0S
P ro te c tio n
D 0 S /D D 0 S P r o te c tio n T o o ls D e n ia l of S e rv ic e (D o S ) A tta c k
P e n e tr a tio n T e s tin g
M o d u le 1 0 P a g e 1 4 0 6
E th ica l H a ck in g a n d C o u n te rm e a s u re s
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
o d u l e
In t h e th e b a n k in g
p re s e n t In te rn e t w o rld ,
s e c t o r , a s w e l l a s IT s e r v i c e d e n ia l of s e rv ic e )
p ro v id e rs . by
DoS to
(d e n ia l o f s e rv ic e ) a n d b re a c h o rg a n iz a tio n s '
DD0S
(d is trib u te d
w e re
a tta c k e rs
s e rv ic e s .
m m
Dos/DDoS Concepts
D o s /D D o S A t t a c k T o o ls
D o s /D D o S A tta c k T e c h n iq u e s
d p g
C o u n te rm e a s u re s
*
B o tn e ts
p J
/ \^
D o s /D D o S P r o te c tio n T o o ls
D o s /D D o S Case S tu d y
M = 11
T h i s s e c t i o n d e s c r i b e s t h e t e r m s D o S , D D 0 S, t h e w o r k i n g o f D D 0 S, a n d t h e s y m p t o m s o f D o S . I t a ls o ta lk s a b o u t c y b e r c r im in a ls a n d t h e o r g a n iz a t io n a l c h a r t.
M o d u le 1 0 P a g e 1 4 0 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
W A
h t t a
I s
i a
r v i c e
c k ?
h a t
is
e n i a l
o f S e r v ic e
A t t a c k ?
Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests. An Analogy Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.
M o d u le 1 0 P a g e 1 4 0 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Malicious Traffic
r *
(R
Internet
Router
Attack Traffic
4 m
Regular Traffic
Regular Traffic
QDC^
Server Cluster
Figure 10.1: Denial of Service Attack
M o d u le 1 0 P a g e 1 4 0 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
W o f
h S
r e
D A
i s
t r i b
t e
i a
e r v i c e
t t a
c k s ?
A d i s t r b u t e d den ia l- o f-s e rv ic e (D D o S ) attack invoh/es a m u l t i t u d e o f c o m p r o m is e d syste ms attack rig a single target, t h e r e b y causing d e n 01 o f service f o r users o f t h e t a rg e te d system
Loss of Goodwil
Disabled Network
Financial Loss
Disabled
Organization
C opyrights
g jg g
h a t
A r e
i s t r i b u t e d
e n i a l
o f S e r v ic e
A t t a c k s ?
Source: www.searchsecurity.com A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet. The services under attack are those of the primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-ofservice significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet services in minutes.
M o d u le 1 0 P a g e 1 4 1 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
H S
o e
i s
t r i b A t t a
t e
d W
D o
n r k
i a
f C E H
r v i c e 1 3 1
c k s
.... m
>1
Handler infects a large num ber of com puters over Inte rn et Attacker sets a handler system / ,f
m m m
H andler
o w
i s t r i b u t e d
e n i a l
o f S e r v ic e
A t t a c k s
o r k
a g e n ts
c o n n e c tio n
re q u e st
c o m p u te r
s y s te m , v ic tim to
r e fle c to r. th e
re q u e s ts s e n t b y th e Thus, th e g e n u in e
z o m b ie
a g e n ts se e m sends th e
be sent by th e
ra th e r th a n th e v ic tim .
z o m b ie s . v ic tim m ay
c o m p u te r w ith
re q u e s te d
in fo rm a tio n se ve ra l
The
m a c h in e
g e ts flo o d e d
u n s o lic ite d
resp o n se s fro m
c o m p u te rs
a t o n c e . T h is
m a c h in e to s h u t d o w n .
M o d u le 1 0 P a g e 1 4 1 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Handler infects a largo number of computers over Internet Attacker sets a handler system & I ; IO
% <*
[Ml N \*
H M
INI M
Attacker
Q .
u 2
.......j .........0 [0 5 ? < 3 >
Handler
M o d u le 1 0 P a g e 1 4 1 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
w e b s ite
S y m
p t o m
o f a
D o S
A t t a c k
Based on the target machine, the symptoms of a DoS attack may vary. There are four main symptoms of a DoS attack. They are: Unavailability of a particular website Inability to access any website Dramatic increase in the amount of spam emails received Unusually slow network performance
M o d u le 1 0 P a g e 1 4 1 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M oduleF low
M ^ = 1
o d u l e
F l o w h a v e d is c u s s e d D o S , D D 0 S, s y m p t o m s o f D o S a t t a c k s , c y b e r c r i m i n a l s , a n d
So fa r, w e
t h e o r g a n iz a t io n a l c h a r t o f c y b e r c r im e . N o w it's t i m e t o d is c u s s t h e t e c h n i q u e s u s e d t o p e r f o r m D 0 S /D D 0 S a tta c k s .
a m
D o s /D D o S C o n c e p ts D o s /D D o S A t t a c k T o o ls
D o s /D D o S A tta c k T e c h n iq u e s
C o u n te rm e a s u re s
B o tn e ts
/* V 5
D o s /D D o S P r o te c tio n T o o ls
D o s /D D o S Case S tu d y i
p r o v id in g s e rv ic e s t o v a lid u s e rs . or D D 0 S a tta c k s on a ta rg e t
DoS
c o m p u t e r o r n e t w o r k . T h e y a r e d is c u s s e d in d e t a i l in t h i s s e c t io n .
M o d u le 1 0 P a g e 1 4 1 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
Attacker
SYN F l o o d i n g A t t a c k
IC M P F lo o d A t t a c k
P e e r-to -P e e r Attacks
J
User
A p p l i c a t i o n - L e v e l F lo o d A t t a c k s
D o S
A t t a c k
T e c h n i q u e s
A denial-of-service attack (DOS) is an attack performed on a networking structure to disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DOS attacks on a computer or a network. They are: Bandwidth Attacks Service Request Floods SYN Flooding Attacks ICM P Flood Attacks Peer-to-Peer Attacks Permanent Denial-of-Service Attacks Application-Level Flood Attacks
M o d u le 1 0 P a g e 1 4 1 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 l1 n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
When a DDoS attack i slaunched, flooding a network, i tcan cause network equipment such as switches and routers ^ to be overwhelmed due to the s i g n i f i c a n ts t a t i s t i c a l change i nthe \ network t r a f f i c
'
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
B a n d w
i d t h
A t t a c k s
A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created where an attacker uses several computers to flood a victim. Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use. Attackers use botnets and carry out DDoS attacks by flooding the network with ICM P ECHO packets.
M o d u le 1 0 P a g e 1 4 1 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
An attacker o r group of zom bies a tte m p ts to e x h au st server reso u rces by setting up and tearin g dow n TCP connections
Service re q u e st flood attacks flood servers with a high ra te of connections from a valid source
S e r v ic e
in 1D5n
R e q u e s t
F l o o d s
Service request floods work based on the connections per second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
S Y NA ttack
The atta ck er sends a fa k e TCP SYN requests t o t h e ta rg e t s e rv e r (victim ) The ta rg e t m a ch in e sends back a SYN ACK in response t o t h e r e q u e s t a n d w a its f o r th e ACK t o c o m p le t e t h e session s etup
S Y N
A S Y N a t t a c k is a s i m p l e f o r m SYN re q u e s ts t o a ta rg e t m a c h in e
(v ic tim ). W h e n
M o d u le 1 0 P a g e 1 4 1 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
S Y NFlooding
J SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-w ay handshake When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK The victim's listen queue is quickly filled up This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
............. ..........
C E H
.......................
Sy/y
N o rm a l co n n e c tio n e s ta b lish m e n t
......................
syN/P,CK
ACK
<t11
SYN Floo d in g
S Y N
F l o o d i n g
S Y N f l o o d i n g is a T C P v u l n e r a b i l i t y p r o t o c o l t h a t e m e r g e s i n a d e n i a l - o f - s e r v i c e a t t a c k . T h is a tta c k o ccu rs when th e in tru d e r sends u n lim ite d SYN p a c k e ts (re q u e s ts ) to th e host
T h u s, H o s t A re s p o n d s w it h th e AC K p a c k e t, e s ta b lis h in g th e c o n n e c tio n Host B re c e iv e s th e SYN re q u e st fro m Host A, it m akes use of th e p a rtia lly open
c o n n e c t io n s t h a t a re a v a ila b le o n t h e lis te d lin e f o r a f e w s e c o n d s , e .g ., f o r a t le a s t 7 5 s e c o n d s . The in tru d e r tra n s m its c lie n t t o in fin ite n u m b e rs fa ls e o f such SYN re q u e s ts w ith a fo rg e d a d d re s s , w h ic h Such n u m e ro u s
a llo w s th e
p ro ce ss th e
a d d re ss e s
le a d in g t o
a m is p e rc e p tio n .
n e w c o n n e c tio n s c a n n o t be o p e n e d (d u e to handshake
t i m e o u t ) . T h is a t t a c k c a n
I P a d d r e s s e s , s o i t is
M o d u le 1 0 P a g e 1 4 1 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
IP a d d r e s s .
N o rm a lly , th e
space
e x is tin g f o r fix e d
ta b le s , s u c h
as a h a lf o p e n
TCP c o n n e c tio n
t a b l e , is l e s s t h a n t h e t o t a l .
*o r
Host B
Host A
...........
SYN
........
SVN/ACK ...........
ACK
SYN
..........5VN
SYN Flooding
.....................
M o d u le 1 0 P a g e 1 4 2 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
IC M PF loodA ttack
IC M P is a ty p e o f DoS a tta ck in w h ic h p e rp e tra to rs se n d a large n u m b e r o f p a cke ts w it h fak e s o u rc e a d d re s s e s to a ta rg e t s e rv e r in o rd e r to crash it and ca u se it to stop re s p o n d in g to TCP/IP re q u ests A fte r th e IC M P th re s h o ld is reach ed, th e ro u te r rejects fu rth e r IC M P echo re q u ests fro m all a d d re s se s in th e sa m e s e c u rity zo n e fo r th e re m a in d e r o f th e c u rre n t se co n d and th e next se co n d as w ell
-M a x im u m lim it o f IC M P Echo R eq u ests p e r Second-
* 9
A tta cke r
T h e a tta c k e r sends IC M P EC H O re q u e s ts w ith s p o o f e d s o u rc e a d d re s s e s
ECHO Request
ECHO Request
ECHO Reply
ECHO Request
ii
I C
F l o o d
A t t a c k
Internet Control Message Protocol (ICMP) packets are used for locating network equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the roundtrip time. A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed. In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
M o d u le 1 0 P a g e 1 4 2 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
* ? - ......... &
Attacker
The attacke r sends ICMP ECHO requests w ith spoofed source addresses
Target Server
ECHO Request
ECHO Reply
ECHO Request
ECHO Reply
ECHO Request
l
ECHO Request
L e g itim a te IC M P e c h o r e q u e st fro m an a d d re s s in th e s a m e s e c u rity zo n e t l
:
,
M o d u le 1 0 P a g e 1 4 2 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
E H C
0
<d,
User-1
Copyright by E frC o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.
I /
P e e r - t o - P e e r A p e e r-to -p e e r a tta c k
in itia te
( D ire c t
C o n n e c t)
e x c h a n g e o f file s b e t w e e n in s t a n t m e s s a g in g c lie n ts . T h is k in d o f a t ta c k d o e s n 't u s e b o t n e t s f o r th e a tta c k . U n lik e a b o tn e t- b a s e d a tta c k , a p e e r - to - p e e r a tta c k e lim in a te s th e n e e d o f a tta c k e rs t o c o m m u n ic a t e w it h c lie n ts . H e re t h e a tta c k e r in s tru c ts t h e c lie n ts o f p e e r - t o - p e e r f ile s h a r in g hubs to d is c o n n e c t fro m th e ir n e tw o rk and to connect to th e v ic tim 's w e b s ite . W ith th is , in
se ve ra l th o u s a n d th e p e rfo rm a n c e
e a s ily
M o d u le 1 0 P a g e 1 4 2 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
User-5
A t t a c k T ra ffic U se r-4
. . 7
'
u
.........
f iUser-3 t *
User-2
Attacker
User-1
FIGURE 10.5: Peer-to-Peer Attacks
M o d u le 1 0 P a g e 1 4 2 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
Unlike o th e r DoS attacks, it sab o ta g e s th e system h ard w are, requiring th e victim to replace o r reinstall th e h ard w are
B r ic k in g a s y s te m m e th o d
1. This attack is carried out using a method known as "bricking a system" 2. Using this method, attackers send fraudulent hardw are updates to the victims
Sends e m a il, IRC chats, tw e e ts , post videos w ith fra u d u le n t c o n te n t fo r h a rd w a re u p d ates
1 ^ 5
Victim
P ro c e s s
A tta c k e r
v ictim 's c o m p u te r
&
0 O
^ P e r m a n e n t D e n ia lo f S e r v ic e A t t a c k
Perm anent denial-of-service (PD0 S) is also know n as plashing. This refers to an attack th a t damages the system and makes the hardw are unusable fo r its original purpose u ntil it is e ith e r replaced or re in stalled . A PD0 S attack exploits security flaws. This allows rem ote a dm in istra tio n on the m anagem ent interfaces o f the victim 's hardw are such as printers, routers, and o th e r n e tw o rkin g hardw are. This attack is carried o u t using a m ethod know n as "b ric k in g a system ." In this m ethod, the a ttacker sends em ail, IRC chats, tw e ets, and posts videos w ith fra u d u le n t hardw are updates to the victim by m o d ify in g and c o rru p tin g the updates w ith vu ln era b ilitie s or d e fe ctive firm w a re . W hen th e victim clicks on the links or pop-up w indow s re ferrin g to the fra u d u le n t h ardw a re updates, th e y get installed on the victim 's system. Thus, th e a tta cke r takes co m plete co n tro l over the v ictim 's system.
M o d u le 1 0 P a g e 1 4 2 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
FIGURE 10.5:
S e n d s e m a il, IRC c h a ts , t w e e t s , p o s t v id e o s w i t h f r a u d u le n t c o n t e n t f o r h a r d w a r e u p d a t e s
A t t a c k e r g e ts a cce ss t o
A tta c k e r
v ic t im 's c o m p u t e r
M o d u le 1 0 P a g e 1 4 2 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
A p p lic a tio n -le v e l flo o d a ttacks re s u lt in th e loss o f services o f a p a rtic u la r n e tw o rk , such as em ails, n e tw o rk resources, th e te m p o ra ry ceasing o f a p p lic a tio n s and services, and m o re
-J
Using th is attack, attackers d e s tro y p ro g ra m m in g source code and file s in affected c o m p u te r system s
p p lic a t io n - le v e l
F lo o d
t t a c k s
S o m e D o S a tta c k s r e ly o n s o f t w a r e - r e la t e d e x p lo its s u c h as b u f f e r o v e r flo w s , w h e r e a s m o s t o f th e cause o t h e r k in d s o f D o S a t t a c k s e x p l o i t b a n d w id t h . T h e a t t a c k s t h a t e x p lo it s o f t w a r e in th e a p p lic a t io n , c a u s in g it t o fill th e a tta c k s d is k have space r a p id ly or consum e becom e a ll a v a i l a b l e
c o n fu s io n o r CPU
m e m o ry
c y c le s . A p p l i c a t i o n - l e v e l b u s in e s s o n t h e r e s u l t in
f lo o d
a c o n v e n tio n a l e v e r.
t h r e a t f o r d o in g T h is a t t a c k can
In te rn e t. W e b
a p p lic a tio n
s e c u r i t y is m o r e c r i t i c a l t h a n and r e p u ta tio n
s u b s t a n t i a l lo s s o f m o n e y , s e r v i c e
f o r o r g a n iz a tio n s . be
a tta c k ,
r e p e a t e d in v a lid lo g in a t t e m p t s . Q J a m t h e a p p lic a t io n - d a t a b a s e c o n n e c t io n b y c r a f t in g C P U - in te n s iv e S Q L q u e r ie s .
M o d u le 1 0 P a g e 1 4 2 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
^
A tta c k e r
FIGURE 10 .7 : A p p lic a tio n -le v e l F lo o d A tta c k s
V ic tim
M o d u le 1 0 P a g e 1 4 2 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
o d u le
So fa r, w e m e n tio n e d
p r e v io u s ly , D o S a n d D D 0 S a tta c k s a re p e r f o r m e d
o f s e c u r it y - c o m p r o m is e d s y s te m s .
a m
D o s / D D o S C o n c e p ts D o s / D D o S A t t a c k T o o ls
D o s / D D o S A t t a c k T e c h n iq u e s
C o u n te rm e a s u re s
B o t e ts
/s ^ >
D o s / D D o S P r o t e c t i o n T o o ls
D o s /D D o S C ase S tu d y -
D o s / D D o S P e n e t r a t i o n T e s t in g
T h is
s e c t io n
d e s c r ib e s
b o tn e ts ,
as
w e ll
as
t h e ir
p r o p a g a tio n
te c h n iq u e s
and
e c o s y s te m .
M o d u le 1 0 P a g e 1 4 2 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
O r g a n iz e d
Cyber C r im in a ls
C r im e
S y n d ic a t e s
Cyber criminals are increasingly being associated w ith organized crim e syndicates to take advantage o f the ir sophisticated techniques
H ie r a r c h ic a l S e tu p
There are organized groups o f cyber criminals w h o w o rk in a hierarchical setup w ith a predefined revenue sharing model, like a major corporation th a t offers criminal services
P ro c e ss
Organized groups create and re nt bo tnets and offer various services, fro m w ritin g malware, to hacking bank accounts, to creating massive denial-ofservice attacks against any target fo r a price
R e p o rt
According to Verizon's 2012 Data Breach Investigations Report, the m ajority o f breaches were driven by organized groups and almost all data stolen (98%) was the w o rk o f criminals outside the victim organization
M a tte r o f C o n c e rn
The grow ing involvem ent o f organized crim inal syndicates in p o litica lly m o tiva te d cyber w arfare and hactivism is a m atter o f concern fo r national security agencies
r g a n iz e d
r im
S y n d ic a t e s
C yber c rim in a ls have d e v e lo p e d v e ry re fin e d and stylish w ays to use tru s t to th e ir a d van ta g e and to m ake fin a n c ia l gains. C yber c rim in a ls are in cre a sin g ly b eing associated w ith o rg an ized c rim e synd icate s to ta k e a d va n ta g e o f th e ir re fin e d te c h n iq u e s . C yb e rcrim e is n o w g e ttin g m o re o rg a nized . C ybe r c rim in a ls are in d e p e n d e n tly d e v e lo p in g m a lw a re fo r fin a n c ia l gain. N ow th e y o p e ra te in g ro u p s. This has g ro w n as an in d u s try . T here are organized gro u p s o f c y b e r c rim in a ls w h o d e v e lo p plans fo r d iffe re n t kinds o f a tta cks and o ffe r c rim in a l services. O rganized g ro u p s c re a te and re n t b o tn e ts and o ffe r va rio u s services, fro m w ritin g m a lw a re , to a tta c k in g bank a cco un ts, to c re a tin g m assive d e n ia l-o f-s e rv ic e a tta c k s against any ta rg e t fo r a price. The increase in th e n u m b e r o f m a lw a re puts an e xtra load on s e c u rity system s. A c c o rd in g to V e riz o n 's 2010 D ata B reach In v e s tig a tio n s R e p o rt, th e m a jo rity o f breaches w e re d riv e n by orga n ized gro u p s and a lm o s t all data s to le n (70%) w as th e w o rk o f c rim in a ls o u ts id e th e ta rg e t o rg a n iz a tio n . The g ro w in g in v o lv e m e n t o f orga nized c rim in a l s y n d ic a te s in p o litic a lly m o tiv a te d cyb e r w a rfa re and h a c tiv is m is a m a tte r o f co n ce rn fo r n a tio n a l s e c u rity agencies.
M o d u le 1 0 P a g e 1 4 3 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
O r g a n iz e d C y b e r C r im e : O r g a n iz a t io n a l C h a r t
4 ^ - o
A tta c k e rs C rim ew are T o o lk it O w ners T ro ja n D is trib u tio n in L e g itim a te w e b s ite
O
:
q
C a m p a ig n M a n a g e r C a m p a ig n M a n a g e r
t o
#
-
a
n II j r n M
' ^4 4 *'
C a m p a ig n M a n a g e r
# m
+ :
n < A u A
A t t
: *
A ff ilia tio n N e t w o r k
*s A ff ilia tio n N e t w o r k
i r
S to le n D a ta R e s e lle r
S to le n D a ta R e s e lle r
S to le n D a ta R e s e lle r
r g a n iz e d
y b e r
r im
e :
r g a n iz a t io n a l
h a r t
C yb e rcrim es are o rg a nize d in a h ie ra rc h ic a l m a n n e r. Each c rim in a l gets paid d e p e n d in g on th e ta sk th a t he o r she p e rfo rm s o r his o r h e r p o s itio n . The head o f th e c y b e rc rim e o rg a n iz a tio n , i.e., th e boss, acts as a business e n tre p re n e u r. He o r she does n o t c o m m it c y b e rc rim e s d ire c tly . The boss is th e firs t in th e h ie ra rc h y level. The person w h o is at th e n e xt level is th e "u n d e rb o s s ." The u n d e rb o ss is th e second person in co m m a n d and m anages th e o p e ra tio n o f cyb e rcrim e s. The "u n d e rb o s s " p ro v id e s th e necessary T ro ja n s fo r atta cks and also m anages th e T ro ja n s c o m m a n d and c o n tro l c e n te r. P eople w o rk in g u n d e r th e "u n d e rb o s s " are kn o w n as "c a m p a ig n m a n a g e rs ." These cam paign m anagers h ire and run th e ir o w n a tta c k cam paigns. T hey p e rfo rm a tta cks and steal data by using th e ir a ffilia tio n n e tw o rk s as d is trib u te d channe ls o f a tta ck. The s to le n data is th e n sold by "re s e lle rs ." These re sellers are n o t d ire c tly in vo lve d in th e c rim e w a re attacks. T h e y ju s t sell th e s to le n data o f g e n u in e users.
M o d u le 1 0 P a g e 1 4 3 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
O
Attackers Crimeware Toolkit Owners Trojan Distribution In Legitimate website
r%
Campaign Manager
r> 1
Campaign Manager
rs
41!
i
Campaign Manager
t o
O u I t '
t o
U * > A r U ; < * < Affiliation Network i 4! v 4 A *Affiliation Network u ;
-M
6
Stolen Data Reseller Stolen Data Reseller Stolen Data Reseller
M o d u le 1 0 P a g e 1 4 3 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Botnet
J J Bots a re so ftw are applications th a t run a u to m a te d ta sk s over th e In te rn e t and perform sim ple repetitive tasks, such as w eb spidering and search engine indexing A b o tn e t is a huge n etw ork of th e com prom ised system s and can be used by an in tru d er to c re a te denial-of-service a tta ck s
C E H
vl
m
3
Z o m b ie s
Target S e rv e r
Sets a bot C&C handler Bot looks for other vulnerable systems and Infects them to create Botnet a machine
,a f t
A tta c k e r V ic tim (Bot)
The te rm b o tn e t is d e riv e d fro m th e w o rd roB O T N E T w ork, w h ic h is also called zo m b ie a rm y. A b o tn e t is a huge n e tw o rk o f c o m p ro m is e d system s. It can c o m p ro m is e huge n u m b e rs o f m achines w ith o u t th e in te rv e n tio n o f m a ch in e o w n e rs. B o tn e ts co n sist o f a set o f c o m p ro m is e d system s th a t are m o n ito re d fo r a specific co m m a n d in fra s tru c tu re . B o tn e ts are also re fe rre d to as agents th a t an in tru d e r can send to a se rve r system to p e rfo rm som e illegal a c tiv ity . T hey are th e h id d e n p ro g ra m s th a t a llo w id e n tific a tio n o f v u ln e ra b ilitie s . It is a d va n ta g e o u s fo r a tta c k e rs to use b o tn e ts to p e rfo rm ille g itim a te a ctio n s such as s te a lin g s e n s itiv e in fo r m a tio n (e.g., c re d it card n u m b e rs) and s n iffin g c o n fid e n tia l co m p a n y in fo rm a tio n . B o tn e ts are used fo r b o th p o s itiv e and n e g a tiv e purposes. They help in va rio u s useful services such as search e ng in e in d e x in g and w e b s p id e rin g , b u t can also be used by an in tru d e r to cre a te d e n ia l-o f-s e rv ic e attacks. System s th a t are n o t p a tch e d are m o s t v u ln e ra b le to th e se attacks. As th e size o f a n e tw o rk increases, th e p o s s ib ility o f th a t system being v u ln e ra b le also increases. An in tru d e r can scan n e tw o rk ranges to id e n tify w h ic h ones are v u ln e ra b le to a tta c k s . In o rd e r to a tta c k a system , an in tru d e r ta rg e ts m achines w ith Class B n e tw o rk ranges.
Ill
M o d u le 1 0 P a g e 1 4 3 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Scans e n v iro n m e n t a u to m a tic a lly , and spreads th ro u g h v u ln e ra b le areas, g a in in g access v ia w e a k p a s s w o rd s and o th e r m eans.
Q Q 6
A llo w s c o m p ro m is in g a h o s t's m a ch in e th ro u g h a v a rie ty o f to o ls . C reates DoS a ttacks. Enables spam a tta cks th a t cause SMTP m ail relays. Enables click fra u d and o th e r illegal a c tiv itie s .
o 2
Target Server
" 6 *
!1
Zombies
Attacker
In o rd e r to p e rfo rm th is kind o f a tta ck, th e a tta c k e r fir s t needs to cre a te a b o tn e t. For th is p u rp o se , th e a tta c k e r in fe c ts a m a ch in e , i.e., v ic tim b o t, and c o m p ro m is e s it. He o r she th e n uses th e v ic tim b o t to c o m p ro m is e som e m o re v u ln e ra b le syste m s in th e n e tw o rk . Thus, th e a tta c k e r cre ate s a g ro u p o f c o m p ro m is e d system s kn o w n as a b o tn e t. The a tta c k e r c o n fig u re s a b o t co m m a n d and c o n tro l (C&C) c e n te r and fo rce s th e b o tn e t to c o n n e c t to it. The zo m bies o r b o tn e t c o n n e c t to th e C&C c e n te r and w a it fo r in s tru c tio n s . The a tta c k e r th e n sends co m m a n d s to th e bots th ro u g h C&C to la u n c h DoS a tta c k on a ta r g e t s e rv e r. Thus, he o r she m akes th e ta rg e t se rve r u n a va ila b le o r n o n -re s p o n sive fo r o th e r g e n u in e hosts in th e n e tw o rk .
M o d u le 1 0 P a g e 1 4 3 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Botnet PropagationTechnique
......./ 2 \ ........ C y b e rc rim e R e la te d IT O p e ra tio n s : (Servers, S o ftw a re , and Se rvices)
C E H
O
T ro ja n Crim e w are T o o lk it D ata b a se I C om m and a n d C o n tro l C enter
U-\
A ttackers
.I
(z) i
L e g itim a te C o m p ro m ise d W e b site s
0
/
\
Trojan upload stolen data and receives commands from command and control center
........
M a licio u s A ffilia tio n N e tw o rk
4$ ~
B o t n e t
r o p a g a t io n
T e c h n iq u e
B o tn e t p ro p a g a tio n is th e te c h n iq u e used to hack a syste m an d g ra b tra d a b le in fo r m a tio n fro m it w ith o u t th e v ic tim 's k n o w le d g e . The head o f th e o p e ra tio n s is th e boss o r th e c y b e rc rim in a l. B o tn e t p ro p a g a tio n invo lve s b o th c rim in a l (boss) and a tta cke rs (cam paign m anagers). In th is a tta c k , th e c rim in a l d o e s n 't a tta c k th e v ic tim system d ire c tly ; in ste a d , he o r she p e rfo rm s a tta cks w ith th e he lp o f a tta cke rs. The c rim in a l c o n fig u re s an a ffilia tio n n e tw o rk as d is trib u tio n channe ls. The jo b o f ca m p a ig n m a n a g e rs is to hack and in s e rt re fe re n c e to m a lic io u s code in to a le g itim a te site. The m a licio u s code is usually o p e ra te d by o th e r atta cke rs. W h e n th e m a lic io u s cod e runs, th e cam paign m anagers are paid a cco rd in g to th e v o lu m e o f in fe c tio n s a cco m p lis h e d . Thus, c y b e rc rim in a ls p ro m o te in fe c tio n flo w . The a tta c k e rs serve m a lic io u s code g e n e ra te d by th e a ffilia tio n s to v is ito rs o f th e c o m p ro m is e d sites. A tta c k e rs use c u s to m iz e d c rim e w a re fro m c rim e w a re to o lk its th a t is capable of e x tra c tin g tra d a b le in fo rm a tio n fro m th e v ic tim 's m achine.
M o d u le 1 0 P a g e 1 4 3 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
.0
..
Attackers Criminal
) :
M o d u le 1 0 P a g e 1 4 3 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Botnet Ecosystem
Zero-Day Market Scan & Intrusion Botnet Market Licenses MP3, DivX
C E H
Malicious Site
o '6
Financial Diversion
B o tn e t
Owner
i
DDoS '
s' \
Client-Side Vulnerab ility^ : Spam : Mass Mailing
Malware Market
B #
Stock Fraud Scams Adverts Copyright by E tC d in c il. All Rights Reserved. Reproduction is Strictly Prohibited.
B o t n e t
E c o s y s t e m
A g ro u p o f c o m p u te rs in fe c te d by bots is called b o tn e t. A b o t is a m a lic io u s p ro g ra m th a t a llo w s c y b e rc rim in a ls to c o n tro l and use c o m p ro m is e d m achines to a ccom plish th e ir o w n goals such as scams, la u n ch in g DDoS a ttacks, d is trib u tin g spam , etc. The a d v e n t o f b o tn e ts led to e n o rm o u s increase in cyb e rc rim e s . B o tn e ts fo rm th e core o f th e c y b e rc rim in a l a c tiv ity c e n te r th a t links and u n ite s v a rio u s pa rts o f th e c y b e rc rim in a l w o rld . C y b e rc rim in a l se rvice su p p lie rs are a p a rt o f c y b e rc rim e n e tw o rk . These su p p lie rs o ffe r services such as m a licio u s code d e v e lo p m e n t, b u lle tp ro o f h o stin g , c re a tio n o f b ro w s e r e x p lo its , and e n c y rp tio n and packing. M a lic io u s co d e is th e m ain to o l used by c rim in a l gangs to c o m m it cyb e rcrim e s. B o tn e t o w n e rs o rd e r b o th b o ts and o th e r m a lic io u s p ro g ra m s such as Trojans, viruses, w o rm s , keyloggers, spe cia lly c ra fte d a p p lic a tio n s to a tta c k re m o te c o m p u te rs via n e tw o rk , etc. M a lw a re services are o ffe re d by d e v e lo p e rs on p u b lic sites o r closed In te rn e t resources. T yp ica lly, th e b o tn e t eco syste m is d iv id e d in to th re e parts, n a m e ly tra d e m a rk e t, DDoS a tta ck, and spam . A b o tm a s te r is th e p erson w h o m akes m o n e y by fa c ilita tin g th e in fe c te d b o tn e t g ro u p s fo r service on th e black m a rk e t. The m a s te r searches fo r v u ln e ra b le p o rts and uses th e m as c a n d id a te z o m b ie s to in fe c t. The in fe c te d zo m b ie s fu r th e r can be used to p e rfo rm DDoS attacks. On th e o th e r hand, spam em ails are se n t to ra n d o m ly chosen users. All these a c tiv itie s to g e th e r g u a ra n te e th e c o n tin u ity o f m a licio u s b o tn e t a c tiv itie s .
M o d u le 1 0 P a g e 1 4 3 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
b
B o tn e t
..................... Q
Licenses M P3, DivX
Financial Diversion Data Theft
Emails C&C
Crim ew are Toolkit Database Trojan Command and Control Center
Client-Side Vulnerability
Spam
Redirect
M a s s M a ilin g
S to c k Fraud
M
S ca m s A d v e rts
Extortion
M o d u le 1 0 P a g e 1 4 3 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
:h a ,D e & o cP re v ie w [R C -C h a tm b sta
C o m m a n d C o n tro l C e n te r
f j incul BMMC ;5 * Jf ru on Port: 60123 4 0 * i k 3.1 , 1t ccrplcd: ; ,03.3 1 e*gUDdtto<*ocH.. <l- hj|hg_tkto ?1 _ p !o d-> A mW * Stfv*: 127.0 0.1 Sv*J<H*drtfi>W:*27*PM
t1M JnewV m ic n
ISe1ver2
B o t n e t
T r o ja n :
s h a r K
S o u r c e : h ttp s ://s ite s .g o o g le .c o in s h a r K is a r e v e r s e - c o n n e c t i n g , f i r e w a l l - b y p a s s i n g r e m o t e a d m i n i s t r a t i o n t o o l w r i t t e n in V B 6 . W it h s h a r k , y o u w ill b e a b le t o a d m in is t r a t e a n y PC ( u s in g W in d o w s O S ) r e m o t e ly . F e a tu re s : 9 9 9 9 9 9 9 m R C 4 e n c ry p te d tr a ffic (n e w & m o d d e d ) z L ib c o m p r e s s e d t r a f f i c H ig h - s p e e d , s t a b l e s c r e e n / c a m K e y lo g g e r w i t h h ig h lig h t f e a t u r e R e m o te m e m o r y e x e c u tio n a n d in je c tio n V E R Y f a s t f ile m a n a g e r / r e g is t r y e d it o r lis t in g d u e t o u n iq u e t e c h n ic A n t i: D e b u g g e r , V m W a r e , N o r m a n S a n d b o x , S a n d b o x ie , V ir tu a lP C , S y m a n t e c S a n d b o x , V ir tu a l B o x 9 9 S u p p o r tin g r a n d o m s ta rtu p a n d ra n d o m s e rv e r n a m e s c C a p tu re
D e s k t o p p r e v i e w in S IN C o n s o le
M o d u le 1 0 P a g e 1 4 3 9
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lM C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Q 0 Q Q
S o rta b le and c o n fig u ra b le SIN Console R em ote A u to s ta rt M a n a g e r O p tio n a l Fwb++ (Process In je c tio n , API U nhook) F old er m irro rin g
d d fx
| Country Username | PC N ane
iL W -ita a
l<
| Verson
| Pirq
C o m m a n d
C o n tro l
C e n te r
AN ] Inrfj-atarg C lient... AW] Iw te n rx j on Port: 60123 AH ] sharK 3.1 fw b + + , Last Compiled: 30.03.2008 AN ] Updatecheck... AW] Hew Versicn ovoiloblc: < !- turing cluster_prod > AN ] * New Server: 127.0.0.1 -- Server 1 (Mockers < S >ECC-272FF53AA87)
W o lc o m to i h t i K 3 .1 .0 , H ackors T hi* it n in f o r m a tio n b o x r o fr o s h in g it* c o n t e n t o v a ry 24 h o u r * H a ' y o u will in f o r m a ti o n a b o u t (K trK d * v * lo p m * r tt i t a t ! a n d o th a r r l a ( i t o f fro r d C o d a r c .c o i ( o m ttim M . R e c a ds.
sN 1p*109 and ro ck Z
C o p y rig h t 2 0 0 7 -2 0 0 8 (c ) B o re d C o d e rs.c o m sharK 3.1 fw b + +
,4 Server Installation
- Startup Instal Everts f t Bind Files Q Blacklist Anti Debugging j Stealth Firewal Bypass d l Liteserver QU Advanced Q Summary Compile
Basic Settings
*5
Server name: Server Password: Connection Interval: |Server2 1plwUyQ|G6q|pl1t4mAD
k.
I
. . . . ............................................................... 4 seconds
KByte (0 - Unkmted)
Test Hosts
1 ___________________________________________________________________________________________________________________________________ 1
FIGURE 10.12: Botnet Trojan: sharK
M o d u le 1 0 P a g e 1 4 4 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
Pi*
Deacflpicr!
>Sjrrfaa1V1ytftBSDfi(VEP
%ACHfC
< D < mccD H DwceDii.. Device Dii Dwce Dii Dwee n.i D*ce Dii Oe*c Dii Owe Dii DMee Dii Shmd Sor Slandaid D< M ca D1I Shotd 5w r> " *r!.1 fiiwco Dii Diwce Dii Dwce Dii
AFD Mlv*jVrgSu
AM % ' -.*>onl*.. Alb *IV w rl % AjS* S* Ate 033Kt> * K jfi) At>ftfm\ % :4 f <fcp % ,,. A1J*. fc,iTM6PPCfc,r A1tdc6*v uW > <
C WNK*ANS1*>1}2W M C VWst M tn
SUA* STOPPED STOPPED RUNNING STOPPED 51 UlltD STOPPED RUNNING RUNNING STOPPED STWTO) TOPPED STOPPED STOPPED
stopped
Startup Type Dfcdfcd Dk* M Diaetfej D114M Manm l Auiomafo AulsmrfK D1.4M DMM Dlu*M D 1:.:tM M*l di*m Di.a>1 DiNfcM DutUrJ Mm m l A jio rr> a b 3 :1 -. LfcJ Meriml Aulorrrfc Manual 08/3
log on i f
....
fV*d1 nftivmh.,
STOPPFD STOI'TCD
stopped
RAS AtyAchKraii
\$>ifcari00i^ jy
DRIVER
ATMARP Ois*PMI D**ee r.ii Manajee ado devi.. Shaied Ssr D vncDii ifload:
! 1 I !
OB/*
IcoafSyttom >
DortoaJi
P o is o n
I v y :
B o t n e t
o m
a n d
o n t r o l
e n t e r
Poison Ivy is an advanced e n c ry p te d "re v e rs e c o n n e c tio n " fo r fire w a ll bypassing re m o te a d m in is tra tio n to o ls . It gives an a tta c k e r th e o p tio n to access, m o n ito r, o r even ta ke c o n tro l o f a c o m p ro m is e d system . Using th is to o l, a tta cke rs can steal passw ords, b a n kin g o r c re d it card in fo rm a tio n , as w e ll as o th e r p e rsonal in fo rm a tio n .
M o d u le 1 0 P a g e 1 4 4 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
(tt.fwtf
C E H
ttk>l lUikw
PlugBot Statistics
http://thephgbot.com
Copyright by H r C u n d l. A ll Rights Reserved. Reproduction isStrictly Prohibited.
B o t n e t
T r o ja n :
P lu g B
o t
Source: h ttp ://th e p lu g b o t.c o m P lugB ot is a h a rd w a re b o tn e t p ro je c t. It's a c o v e rt p e n e tra tio n te s tin g d e vice (b o t) is designed fo r c o v e rt use d u rin g physical p e n e tra tio n te sts. PlugB ot is a tin y c o m p u te r th a t looks like a p o w e r a d a p te r; th is sm all size a llo w s it to go p h y s ic a lly u n d e te c te d all w h ile being p o w e rfu l e n o ug h to scan, c o lle c t, and d e liv e r te s t results e x te rn a lly . S om e o f th e fe a tu re s in c lu d e : 6 e Q Q Issue scan co m m a n d s re m o te ly W ire le ss 8 0 2 .1 1 b ready G ig a b it E th e rn e t capable 1.2 Ghz proce sso r S u p p o rts Linux, Perl, PHP, MySQL o n -b o a rd C o v e rtly disguised as p o w e r a d a p te r C apable o f in v o k in g m o s t Linux-based scan apps and scripts
M o d u le 1 0 P a g e 1 4 4 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
HfliOAOMINIUvtOUw
L O O M (
5 f l5 r lt e
Dashboard
DropZorte
Account
I l f Settings
( ? ) Help
O M ttx M rd
Jobs
Dashboard
B o tn et S ta tis tic s
CM an w w o o s
Cb AddJoto
PlugBot Statistics
Shown oeiow are some aucx suss on your botnet. Statistics Bots: 2 Joas Pending 0 Jo&sComoieted:0 Chock-Ins: 14636
A p p lic a tio n s
1 M ena^A opa
C o AddApo
D ots Q ManagBet<
C6 AcUBot
M o d u le 1 0 P a g e 1 4 4 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
PW P*
P+
*R a n d o m .r n 0 e2 0 0 1
t o d * * port
0 p a s s w o r d
t A'*l 0 " * * IRCchaM *
MD5C.**
1 n r_
dV*
* -!*
Abou
r 0
^
s*
B o t n e t M
l j
T r o ja n s : B o t
I llu s io n
B o t
a n d
e t B o t
t t a c k e r
I llu s io n
Q e e e e e 0 0
C&C can be m anaged o v e r IRC and HTTP Proxy fu n c tio n a lity (Socks4, Socks5) FTP service M D 5 s u p p o rt fo r passw ords R o o tk it C ode in je c tio n C olored IRC messages XP SP2 fire w a ll bypass DDOS c a p a b ilitie s
M o d u le 1 0 P a g e 1 4 4 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Illusion Maker
Binary
IRC Administration 1) Host: 1 0 0 0 1 2) Host: 100.0.1 WEB Administration 1) Host: 10 2) Host: 1C Default services: Socks4, port v Socks5, pat FTP. port IRC Access BOT PASSWORD Options v Install Kernel Driver Save cervices state in registry Loloied IRC messages Auto OP admm on IRC channel * ln!ect code fit dnve< falsi + Ada to autoload * IRC serve! need passwotd / B>pas$ X P SP2 Fewall FkwU Valuer About qwerty MD5 Crypt R R R * Random, range: Bmdshefl. port: 2001 R 3000 Port Port: Path Path A Refresh time: j Port: 6667 Port: 6667 Chan Behan Chan Behan
sec.
E m(
Save
use it fo r c o m m a n d in g and re p o rtin g n e tw o rk s , even fo r co m m a n d attacks. It has tw o RAR file s; one is INI and th e o th e r one is a s im p le EXE. It is m o re p o w e rfu l w h e n m o re bots are used to a ffe c t th e servers. W ith th e he lp o f a b o t, a tta cke rs can e x e c u te o r d o w n lo a d a file , o p e n c e rta in w e b pages, and can even tu rn o ff all PCs.
(P
>1
On lin e h o s ts PC IP
Attack Area
Co Hed iv e o rd e r
jC om putef!system W io d o w tX P
1m m
!;*
*onfai pcrfSOwHeh t
h 0 i> wrw?
0ON
J PC 0 *
F IG U R E 1 0 .1 6 : N e t B o t A t t a c k e r
M o d u le 1 0 P a g e 1 4 4 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
o d u le
F lo w
So fa r, w e have discussed D 0 S /D D 0 S concepts, a tta c k te c h n iq u e s , and b o tn e ts . For b e tte r u n d e rs ta n d in g o f th e a tta c k tra je c to rie s and to fin d possible w ays to lo ca te atta ck e rs, a fe w DD 0 S case stu d ie s are fe a tu re d here.
a m
D o s / D D o S C o n c e p ts D o s / D D o S A t t a c k T o o ls
D o s / D D o S A t t a c k T e c h n iq u e s
C o u n te rm e a s u re s
B o tn e ts
/* V 5
D o s / D D o S P r o t e c t i o n T o o ls
D o s /D D o S C ase S tu d y i
D o s / D D o S P e n e t r a t i o n T e s t in g
M o d u le 1 0 P a g e 1 4 4 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
DDoS Attack
D D o S
t t a c k
In a DDoS a tta c k , a g ro u p o f c o m p ro m is e d syste m s usually in fe c te d w ith T rojans are used to p e rfo rm a d e n ia l-o f-s e rv ic e a tta c k on a ta rg e t system o r n e tw o rk resource. The fig u re th a t fo llo w s show s h o w an a tta c k e r p e rfo rm s a DDoS a tta c k w ith th e he lp o f an LOIC to o l.
M o d u le 1 0 P a g e 1 4 4 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
(ft
Anonym ous Hacker
V olu nte e rs connect to IRC channel and w ait for instruction from a ttacker
Volunteer
e
DDoS Attack o Volunteer Hackers advertise LOIC tool on Tw itter, Facebook, Google, etc. Volunteer ! *
M o d u le 1 0 P a g e 1 4 4 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M M
H CE
IU mjI NM hM
IC 3I
RC server Port Cnannel 9 FUCKWGHfVc UNO
f j i ::
- 2 . Rea<iy?--------------
Stop flooding
v ! y
8 5 . 1 1 6 . 9 . 8 3
3 Attack o tf n t -------------------------------------------------------------------------------------------------Trneout HTTP Scbsle ZX Append ranJom chars to the URl 4000 /119/ TCP / U0P message U dun goofed
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP g 10 80 *Vat for rep*y --------------------- 1 faster Speed slower > Port Method Threads
tile
Connectong 9
Requestrg
Cowntoadng
Downloaded 419
Requested 419
Faded 9
D D o S
V
t t a c k
T o o l:
L O
I C
LOIC is an o p e n source to o l, w r itte n in C#. The m ain pu rp o se o f th e to o l is to c o n d u c t stress te s ts o f w e b a p p lic a tio n s , so th a t th e d e ve lo p e rs can see h o w a w e b a p p lic a tio n behaves u n d e r a h e a v ie r load. O f course, a stress a p p lic a tio n , w h ic h could be classified as a le g itim a te to o l, can also be used in a DDoS a tta c k. LOIC basically tu rn s th e c o m p u te r's n e tw o rk c o n n e c tio n in to a fire h o u s e o f g a rb a g e req ue sts, d ire c te d to w a rd s a ta rg e t w e b server. On its o w n , one c o m p u te r ra re ly g e n e ra te s e n o u g h TCP, UDP, o r HTTP re q u e sts a t once to o v e rw h e lm a w e b s e rv e r garbage re qu ests can easily be ig n o re d w h ile le g it re q u e s ts fo r w e b pages are re sp o n d e d to as n o rm a l. B ut w h e n th o u s a n d s o f users run LOIC a t once, th e w a ve o f re quests b e co m e o v e rw h e lm in g , o fte n s h u ttin g a w e b se rve r (o r one o f its co n n e c te d m achines, like a database server) d o w n c o m p le te ly , o r p re v e n tin g le g itim a te re q u e sts fro m being a n sw e re d . LOIC is m o re fo cu se d on w e b a p p lic a tio n s ; w e can also call it an a p p lic a tio n -b a s e d DOS a tta c k . LOIC can be used on a ta rg e t site by flo o d in g th e s e rv e r w ith TCP packets, UDP packets, o r HTTP re q u e sts w ith th e in te n tio n o f d is ru p tin g th e service o f a p a rtic u la r host.
M o d u le 1 0 P a g e 1 4 4 9
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lin C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M o d u le 1 0 P a g e 1 4 5 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
G o u g le
jfr _
sM sgS S S sasK si
- r - lS
'
a c k e r s
d v e r t is e
L in k s
to
o w
n lo a d
B o t n e t s
M o d u le 1 0 P a g e 1 4 5 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M o d u le 1 0 P a g e 1 4 5 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
o d u le
F lo w
So fa r, w e have discussed th e D 0 S /D D 0 S concepts, a tta c k te c h n iq u e s , b o tn e ts , and th e re a l-tim e sce n a rio s o f DDoS. The D 0 S /D D 0 S atta cks discussed so fa r can also be p e rfo rm e d w ith th e help o f to o ls . These to o ls m ake th e a tta c k e r's jo b easy.
a m
D o s / D D o S C o n c e p ts D o s / D D o S A t t a c k T o o ls
D o s / D D o S A t t a c k T e c h n iq u e s
|i
C o u n te rm e a s u re s
B o tn e ts
/* V 5
D o s / D D o S P r o t e c t i o n T o o ls
D o s /D D o S C ase S tu d y I
D o s / D D o S P e n e t r a t i o n T e s t in g
M o d u le 1 0 P a g e 1 4 5 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
(crtifwd
H cE
IU mjI Km Im
[Evaluation Mode]
X J
D oSH TTP
H T T P F lo o d D e n ia l o f S e r v ic e ( D o S ) T e s tin g T o o l T a ig e t U R L
3
Status:
M o z a /6 0 (compatible; MSIE 7.0a; W indows N T 5.2; S V1) "]
Connected: Connect:
S o c k e ts
Requests 1
Responses 0
httpV/Varix bv ru/
DoS H TTP
S p ru t
In te r n e t
T a rg e t S e rv e r
D o S
t t a c k
T o o ls
D o S
H T T P
Source: h ttp ://w w w .s o c k e ts o ft.n e t DoSHTTP is HTTP flo o d d e n ia l-o f-d e rv ic e (DoS) te s tin g s o ftw a re fo r W in d o w s . It inclu d e s URL v e rific a tio n , HTTP re d ire c tio n , and p e rfo rm a n c e m o n ito rin g . It uses m u ltip le a s y n c h ro n o u s s o cke ts to p e rfo rm an e ffe c tiv e HTTP flo o d . It can be used s im u lta n e o u s ly on m u ltip le c lie n ts to e m u la te a d is trib u te d -d e n ia l-o f-s e rv ic e (DD 0 S) a tta ck. It also a llo w s yo u to te s t w e b se rve r p e rfo rm a n c e and e v a lu a te w e b s e rv e r p ro te c tio n s o ftw a re .
F e a tu re s :
Q Q Q Q Q
S u p p o rts HTTP re d ire c tio n fo r a u to m a tic page re d ire c tio n It in clud e s URL v e r ific a tio n th a t displays th e response h e a d e r and d o c u m e n t It in clud e s p e rfo rm a n c e m o n ito rin g to tra c k re q u e sts issued and responses received It a llo w s cu sto m iz e d User A g e n t h e a d e r fie ld s It uses m u ltip le a s y n c h ro n o u s sockets to p e rfo rm an e ffe c tiv e HTTP flo o d It a llo w s user d e fin e d so cket and re q u e s t se ttin g s
M o d u le 1 0 P a g e 1 4 5 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
[ E v a lu a t io n M o d e ]
xJ
Target URL____________________________________________ 1192.168.168.97 User Agent lMozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1J S ockets |500
lQ D S C * m*T
21
Close
nttf
R equests | (Continuous
Running..
Responses: 0
S p ru t
jJ in i- x J Hostnam e or IP-address:
Start
Stop
Reset
B S
Multisystem TCP Denial of Service A tta cke r [Build 8 12] Coded by Yarix (yarix@ tut.by) http:/Aatix b v.ru /
M o d u le 1 0 P a g e 1 4 5 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
UrtifwJ
C E H
ilhiul lUtbM
_1J
_ !lh
2 1
0 8 1 8 21 6 5 .2 8 9 7 1 71 9 2 .1 6 8 .1 6 8 .7 0 8 1 8 31 6 5 .2 8 9 8 3 81 9 2 .1 6 6 .1 6 8 .7 0 8 1 8 41 6 5 .2 8 9 9 6 8 192.1 6 8 .1 6 8 .7 0 8 1 8 51 6 5 .2 9 0 0 9 0 192.1 6 8 .1 6 8 .7
08186 165.290211 192.168.168.7
192.16a.1 6 8 .3 2 192.1 6 a. 1 6 8 .3 2 1 9 2 .1 6 4 .1 6 8 .3 2 1 9 2 .1 6 6 .1 6 8 .3 2
192.164.168. 32
0 8 1 8 81 6 5 .2 9 0 4 0 31 9 2 .1 6 8 .1 6 8 .7 0 8 1 8 91 6 5 .?9 0 S ?3 1 9 2 .1 6 8 .1 6 8 .7 0 8 1 9 01 6 5 .2 9 0 7 3 3 192.1 6 8 .1 6 8 .7
08191 16S. 290776 08192 165.290896 192.168.168.7 192.168.168.7
1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2
192.168.168.32 192.168.168. 32
m
Your V:
0 8 1 9 41 6 5 .? 9 1 0 9 1 0 8 1 9 51 6 5 .2 9 1 2 1 0 0 8 1 9 61 6 5 .2 9 1 3 3 0 08197 165.291452 0 8 1 9 81 6 5 .2 9 1 5 8 2
192.164.168. 32 192.168.168. 32
1 9 2 .1 6 4 .1 6 8 .3 ? 1 9 2 .1 6 8 .1 6 8 .3 2 1 9 2 .1 6 8 .1 6 8 .3 2
|:n fo source port: 17795 D estination po F rag m en ted ip protocol (proto-uop F rag m en ted ip protocol (p ro co -u o p F rag m en ted IPprotocol (p ro to = U D P F rag m en ted ip protocol (p ro to = D 0 P frag m en ted IP protocol (p ro to -U O * * Source p o rt: 17795 D estin atio n po F rag m en ted ip protocol (proto -u o p F rag m en ted IPprotocol (proto-uop F rag m en ted IP protocol (p ro to = U O P F rag m en ted IP protocol (p ro to = U 0 P F rag m en ted IP protocol (p ro to -U O P source p o rt: 17706 t*s tlfw i1 0 n po F rag m en ted ip protocol (p ro to u o * > F rag m en ted IPprotocol (p ro to * u 0 P F rag m en ted ip protocol (p ro to = U O P
.\ss5tt1:i . DecwfcnKeyi...
<D0ntO03you!eNnub)
? 1 rram e6 1 5 1 4 :4 1 5 3 b y tes, o nw ire (l?ll? blis). 1 5 1 4b y te;, captured (l?ll? bit) I- kth erret 1 1 . src: fclU egro 22:2d:if (00:2J:ll:22:2d:5f). ust: D e ll_fd:8 6 :6 3 (8 4:ba:db:fd:8 6 :6 3 ) I internet P rotocol, src: 192.1 6 8 .1 6 8 .7 (192.168.168.7). U S t: 1 9 2 .1 0 8 .1 6 8 .3 2 (1 9 2.168.168.32) |v iD ata (1 4 8 0 bytes) > 0 0 0 4 b *d b fd 8 66 30 02 5 1 12 216 5 f0 80 04 50 0 ........... ..c.ft ..t. >010 05 dc ab 21 22 2b 80 11 96 4b cO a4 48 07 cO a8 .K............ > 0 2 0 * 8 2 0 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 .X XXXXXX XXXXXXXX > 0 3 0 5 8 S B 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 8 5 4 5 8 5 8 5 8 5 8 X X X X X X X X X X X X X X X > 0 4 0 5 8 5 85 85 85 85 85 85 8 5 85 85 85 45 85 85 85 8 XXXXXXXX XXXXXXXX I^ K * C :tM > 1 A > 0 -:\> e c ^ a lo c jrr 1> V ~P * x ts :d G 2 /to C c w w r i:6 0 2 /6 3 M a r k e d :0 fre p p e d :9 5 3 T r a ffic a t V ic t im M a c h in e
PH P D oS
D o S
t t a c k
T o o ls
( C
o n t d )
P H P
D o S
Source: h ttp ://c o d e .g o o g le .c o m This s c rip t is a PHP s c rip t th a t a llo w s users to p e rfo rm DoS (d e n ia l-o f-s e rv ic e ) attacks against an IP /w e b s ite w ith o u t any e d itin g o r s p e c ific k n o w le d g e .
M o d u le 1 0 P a g e 1 4 5 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
xJe
Your IP: IF Time (Dont DoS yourself nub) ort
iK s a a s ia L ^ ftii
Alter initiating the DoS attack, please wait while the browser loads
M o d u le 1 0 P a g e 1 4 5 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C O U I lC il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
(itifw tf| tlfc itjl IlM k M
D o S
t t a c k
T o o ls
( C
o n t d )
J a n id o s
M o d u le 1 0 P a g e 1 4 5 8
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s C o p y r ig h t b y E C - C 0 lin C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
S u p e rn o v e
!supernova 5
Single targe( Port
1
Typical F rs t F;rT .:.vr [ Load I Q
Save
La ned
Discomect
Random P o c ts |
H arvest
Remove
Speed Speed
1
I
'
Remove
Multiple
Hub Harvester
1 0 BEHSI MSW I I
M M M M
Replace hubs on d o se replace hubs on errors r orbid Scanner log abuse nbuiid Scanner
23 Q S3
=1 I:I :1 I:I
Search
j i;1 --r
]Produced by ]3/24/2009 [3/?4y?r0Q) CPU ________IRir<*11 .- r . 4 . I . * r <..H 7 * 2400 CmdLme
*'*^
M o d u le 1 0 P a g e 1 4 5 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
(rtifwd
C E H
itkitjl
*It
T tfa rt< * 0
Try* 03 T rct *rct
H h *
* *t * '' I , [ p
! n* * *s [am *mlfH fAdlMM ! p ucw s i n 4 ! s & : r 85 TCT n }05 [~ 4 t _________ [051TC7 4^ O e iT C T ^_n -j.,.
as
JVXf 103
U * 1 . ~u, itlKt U .C M 4 a.
ft."
, 0 ,* IB 1 "
tw j 1 0 : fc.
]* <T W .U1
.
icn
" ,
Tr<t . . . < .!
U *,?nrsffs *. -. i i ./ m IL n
u u
* * 4 .
* ^ . i* 1 ' * a s s s _:a1 C h in e se C o m m e rc a ^
n |Y O O oS T ool
D o S
t t a c k
T o o ls
( C
o n t d )
C o m
e r c ia l C h in e s e
D IY
D D o S
T o o l
M o d u le 1 0 P a g e 1 4 6 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
B a n g la D o s
Mom
cW N u
Oo to a s t
b c iM M
UM C m t
k r tO ta o *
C D
SI
< 'f l
Hack Clarify
R^R
00
S * c u r * y o u r b lo g r u n n i n g o n W o r d p r 10 14 PU A rte l t * S n r r J t
11 2
)2 (
M o d u le 1 0 P a g e 1 4 6 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 l1 n C il A l l R i g h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
D o S
t t a c k
T o o ls
( C
o n t d )
D o S
M o d u le 1 0 P a g e 1 4 6 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
e g a
D D o S
A tta c k
M o d u le 1 0 P a g e 1 4 6 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
A
*"2
o d u le
F lo w
kind o f a tta c k , a tta c k te c h n iq u e s , b o tn e ts , and to o ls th a t help to p e rfo rm D 0 S/D D 0 S a ttacks. All th e s e to p ic s focu s on te s tin g y o u r n e tw o rk and its resources against D oS /D D oS v u ln e ra b ilitie s . If th e ta rg e t n e tw o rk is v u ln e ra b le , th e n as a pen te s te r, you should th in k a b o u t d e te c tin g and a p p ly in g possible w ays o r m e th o d s to secure th e n e tw o rk .
1 --1
J D o s / D D o S C o n c e p ts
D o s / D D o S A t t a c k T o o ls
c K * J
D o s / D D o S A t t a c k T e c h n iq u e s
S *
C o u n te rm e a s u re s
B o tn e ts
D o s / D D o S P r o t e c t i o n T o o ls
aa
D o s /D D o S C ase S tu d y D o s / D D o S P e n e t r a t i o n T e s t in g
M o d u le 1 0 P a g e 1 4 6 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M o d u le 1 0 P a g e 1 4 6 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D e tectio n te c h n iq u e s a re based on id e n tify in g and d is c rim in a tin g th e ille g itim a t e tra ffic in cre a se an d fla sh even ts fro m le g itim a te packet tra ffic
A ll d e te ctio n te c h n iq u e s d e fin e an atta ck as an a b n o rm a l and n o tic e a b le d e v ia tio n fro m a th re s h o ld o f n o rm a l n e tw o rk tra ffic sta tistics
A c t i v i t y P r o f ilin g
W a v e le t - b a s e d S ig n a l A n a ly s is
C h a n g e p o in t D e t e c t io n
e t e c t io n
T e c h n iq u e s
M o s t o f th e DDoS to d a y are ca rrie d o u t by a tta c k to o ls , b o tn e ts , and w ith th e he lp o f o th e r m a licio u s p ro g ra m s. These a tta c k te c h n iq u e s e m p lo y va rio u s fo rm s o f a tta c k pa cke ts to d e fe a t d efe nse system s. A ll th e se p ro b le m s to g e th e r lead to th e re q u ire m e n t o f d efense system s fe a tu rin g v a rio u s d e te c tio n m e th o d s to id e n tify a tta c k s . The d e te c tio n te c h n iq u e s fo r DoS a tta cks are based on id e n tify in g and d is c rim in a tin g th e ille g itim a te tr a ffic increases and flash e ve n ts fro m le g itim a te p a c k e t tr a ffic . T he re are th re e kinds o f d e te c tio n te c h n iq u e s : a c tiv ity p ro filin g , c h a n g e -p o in t d e te c tio n , and w a v e le t-b a s e d signal analysis. All d e te c tio n te c h n iq u e s d e fin e an a tta c k as an a b n o rm a l and n o tic e a b le d e v ia tio n fro m a th re s h o ld o f n o rm a l n e tw o rk tr a ffic statistics.
M o d u le 1 0 P a g e 1 4 6 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Activity Profiling
r
An attack is indicated by: An increase in activity levels among clusters e An increase in the overall num ber of distinct clusters (DDoS . attack)
It is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields y
c t iv it y
r o f ilin g
T yp ica lly, an a c tiv ity p ro file can be o b ta in e d by m o n ito r in g h e a d e r in fo r m a tio n o f a n e tw o rk packet. An a c tiv ity p ro file is d e fin e d as th e average p a cke t ra te fo r n e tw o rk flo w . It consists o f c o n s e c u tiv e p a c k e ts w ith s im ila r p acket fie ld s. The a c tiv ity level o r average packet ra te o f flo w is d e te rm in e d by th e elapsed tim e b e tw e e n th e c o n s e c u tiv e p a cke ts. The sum o f average p acke t rate s o f all in b o u n d and o u tb o u n d flo w s gives th e to ta l n e tw o rk a c tiv ity . If you w a n t to analyze in d iv id u a l flo w s fo r all possible UDP services, th e n you sh ould m o n ito r on th e o rd e r o f 264 flo w s because in c lu d in g o th e r p ro to c o ls such as TCP, ICMP, and SNMP g re a tly c o m p o u n d s th e n u m b e r o f possible flo w s . This m ay lead to h ig h -d im e n s io n a lity p ro b le m . This can be avo id e d by c lu s te rin g th e in d iv id u a l flo w s e x h ib itin g s im ila r ch a ra cte ristics. The sum o f c o n s titu e n t flo w s o f a c lu s te r d e fin e s its a c tiv ity level. in d ic a te d by: 0 An increase in a c tiv ity levels a m o n g clu ste rs An increase in th e o v e ra ll n u m b e r o f d is tin c t clu ste rs (DDoS a tta ck) Based on th is co n c e p t, an a tta c k is
M o d u le 1 0 P a g e 1 4 6 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
CE H
Analyzing each spectral w indow 's energy d eterm in es th e p resen ce of anom alies
a v e le t - b a s e d
S ig n a l A
n a ly s is
W a v e le t analysis describes an in p u t signal in te rm s o f sp e ctra l c o m p o n e n ts . It p ro v id e s a glo ba l fre q u e n c y d e s c rip tio n and no tim e lo ca liza tio n . W a ve le ts p ro v id e fo r c o n c u rre n t tim e and fre q u e n c y d e s c rip tio n s . This m akes it easy to d e te rm in e th e tim e a t w h ic h c e rta in fre q u e n c y c o m p o n e n ts are p re se n t. The in p u t signal co n ta in s b o th tim e -lo c a liz e d a n o m a lo u s signals and b a ckg ro u n d noise. In o rd e r to d e te c t th e a tta c k tra ffic , th e w a v e le ts s e p a ra te th e se tim e -lo c a liz e d signals and th e noise c o m p o n e n ts . The presence o f a n o m a lie s can be d e te rm in e d by a nalyzing each sp e ctra l w in d o w 's energy. The a n o m a lie s fo u n d m ay re p re s e n t m is c o n fig u ra tio n o r n e tw o rk fa ilu re , flash events, and atta cks such as DoS, etc.
M o d u le 1 0 P a g e 1 4 6 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
S e q u e n t ia l
h a n g e - P o in t
e t e c t io n
S e q ue n tia l c h a n g e -p o in t d e te c tio n a lg o rith m s segregate th e a b ru p t changes in tra ffic s ta tis tic s caused by a ttacks. This d e te c tio n te c h n iq u e in itia lly filte rs th e ta rg e t tra ffic data by p o rt, address, and p ro to c o l and sto res th e re s u lta n t flo w as a tim e series. This tim e series can be co n sid e re d as th e tim e -d o m a in re p re s e n ta tio n o f a c lu s te r's a c tiv ity . The tim e series show s a s ta tis tic a l change a t th e tim e th e DoS flo o d in g a tta c k begins. Cusum is a c h a n g e -p o in t d e te c tio n a lg o rith m th a t o p e ra te s on c o n tin u o u s ly slam ped data and re q u ire s o n ly c o m p u ta tio n a l re so u rce s and lo w m e m o ry v o lu m e . The Cusum id e n tifie s and localizes a DoS a tta c k by id e n tify in g th e d e v ia tio n s in th e actual versus e xp e cte d local average in th e tim e series. If th e d e v ia tio n is g re a te r th a n th e u p p e r b o u n d , th e n fo r each t,im e series sa m p le , th e C usum 's re cu rsive s ta tis tic increases. U n d e r n o rm a l tra ffic flo w c o n d itio n th e d e v ia tio n lies w ith in th e b o u n d and th e Cusum s ta tis tic decreases u n til it reaches zero. Thus, th is a lg o rith m a llo w s y o u to id e n tify a DoS a tta c k o n se t by a p p ly in g an a p p ro p ria te th re s h o ld against th e Cusum s ta tis tic .
M o d u le 1 0 P a g e 1 4 6 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
S h u ttin g D o w n th e S e r v ic e s S h u t d o w n a ll t h e s e r v ic e s u n t il t h e a t t a c k h a s s u b s id e d
D o S /D D o S
o u n t e r m
e a s u r e
S t r a t e g ie s
Use a d d itio n a l c a p a c ity to abso rb th e a tta c k th is re q u ire s p re p la n n in g . It re q u ire s a d d itio n a l resources. O ne disa d va n ta g e associated is th e cost o f a d d itio n a l resources, even w h e n no a tta cks are u n d e r w ay.
D e g ra d e s e r v ic e s
If it is n o t possible to keep y o u r services fu n c tio n in g d u rin g an a tta ck, it is a good idea to keep a t least th e c ritic a l se rvices fu n c tio n a l. For th is , fir s t you need to id e n tify th e c ritic a l services. Then yo u can c u s to m iz e th e n e tw o rk , system s, and a p p lic a tio n designs in such a w a y to d e g ra de th e n o n c ritic a l se rvices. This m ay he lp yo u to keep th e critic a l services fu n c tio n a l. If th e a tta c k load is e x tre m e ly heavy, th e n you m ay need to d is a b le th e n o n c ritic a l services in o rd e r to keep th e m fu n c tio n a l by p ro v id in g a d d itio n a l ca p a city fo r th e m .
S h u t d o w n s e r v ic e s
S im ply s h u t d o w n all services u n til an a tta c k has subsided . T hough it m ay n o t be an o p tim a l choice, it m ay be a rea son a b le response fo r som e.
M o d u le 1 0 P a g e 1 4 7 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
DDoSAttack Countermeasures C E H
P ro tect seco n d ary victims
M itigate a tta ck s
D D o S
t t a c k
o u n t e r m
e a s u r e s
T h ere are m a ny w ays to m itig a te th e e ffe c ts o f DDoS a tta c k s . M a n y o f th e se s o lu tio n s and ideas help in p re v e n tin g c e rta in aspects o f a DDoS a tta ck. H o w e ve r, th e re is no single w a y th a t a lo n e can p ro v id e p ro te c tio n against all DDoS a ttacks. In a d d itio n , a tta c k e rs are fre q u e n tly d e v e lo p in g m an y n e w DDoS a tta cks to bypass each n e w c o u n te rm e a s u re e m p lo y e d . Basically, th e re are six c o u n te rm e a s u re s against DDoS a ttacks: P ro te c t se co n d a ry ta rg e ts N e u tra liz e h a n d le rs P re ve n t p o te n tia l a tta cks D e fle c t atta cks M itig a te a tta cks P o st-a tta c k fo re n s ic s
M o d u le 1 0 P a g e 1 4 7 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
A n in c r e a s e d a w a r e n e s s o f s e c u r it y is s u e s a n d p r e v e n t io n t e c h n iq u e s f r o m a ll I n t e r n e t u s e rs
D is a b le u n n e c e s s a r y s e r v ic e s , u n in s t a ll u n u s e d a p p lic a t io n s , a n d s c a n a ll t h e f ile s r e c e iv e d f r o m e x t e r n a l s o u rc e s
C o n f ig u r a t io n a n d r e g u la r u p d a t e s o f b u i l t - i n d e f e n s iv e m e c h a n is m s in t h e c o r e h a r d w a r e a n d s o f t w a r e o f t h e s y s te m s
D o S /D D o S V ic t im s
o u n t e r m
e a s u r e s :
P r o t e c t
S e c o n d a r y
In d iv id u a l Users P o te n tia l se co n d a ry v ic tim s can be p ro te c te d fro m DDoS a ttacks, th u s p re v e n tin g th e m fro m b e c o m in g zom bies. This d e m a n d s in te n s ifie d s e c u rity aw areness, and th e use o f p re v e n tio n te c h n iq u e s . If a tta c k e rs are u n a b le to c o m p ro m is e s e c o n d a ry v ic tim s system s and seco n d a ry v ic tim s fro m b eing in fe c te d w ith DDoS, c lie n ts m u s t c o n tin u o u s ly m o n ito r th e ir o w n se cu rity. C hecking sh ou ld be ca rrie d o u t to ensure th a t no a g e n t p ro g ra m s have been in s ta lle d on th e ir system s and no DDoS a g e n t tr a ffic is se n t in to th e n e tw o rk . In s ta llin g a n tiv iru s and a n ti-T ro ja n s o ftw a re and k e e p in g th e se u p d a te d helps in th is regard, as does in s ta llin g s o ftw a re patches fo r n e w ly d isco ve re d v u ln e ra b ilitie s . Since th e se m easures m ay a p p e a r d a u n tin g to th e average w e b s u rfe r, in te g ra te d m a c h in e rie s in th e core p a rt o f c o m p u tin g system s (h a rd w a re and s o ftw a re ) can p ro v id e p ro te c tio n against m a lic io u s code in s e rtio n . This can co n s id e ra b ly red u ce th e risk o f a se co n d a ry system being c o m p ro m is e d . A tta c k e rs w ill have no a tta c k n e tw o rk fro m w h ic h to launch th e ir DDoS attacks. N e tw o rk S ervice P ro v id e rs Service p ro v id e rs and n e tw o rk a d m in is tra to rs can re s o rt to d yn a m ic p ric in g fo r th e ir n e tw o rk usage so th a t p o te n tia l seco n d a ry v ic tim s be co m e m o re a ctive in p re v e n tin g
M o d u le 1 0 P a g e 1 4 7 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
th e ir c o m p u te rs fro m b e c o m in g p a rt o f a DDoS a tta ck. P roviders can charge d iffe re n tly as p e r th e usage o f th e ir resources. This w o u ld fo rc e p ro v id e rs to a llo w o n ly le g itim a te c u s to m e rs o n to th e ir n e tw o rk s . A t th e tim e w h e n prices fo r services are changed, th e p o te n tia l s e co n d a ry v ic tim s w h o are paying fo r In te r n e t access m ay be co m e m o re c o g n iza n t of d a n g e ro u s tra ffic , and m ay do a b e tte r jo b of e n su rin g th e ir n o n p a rtic ip a tio n in a DDoS a ttack.
M o d u le 1 0 P a g e 1 4 7 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Study of communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler
There are usuallyfew DDoS handlers deployed as compared to the number of agents Neutralizinga few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks
T here is a good probability th a t th e spoofed so u rce a d d re ss of DDoS attack packets will n o t re p re se n t a valid so u rce a d d re ss of th e specific sub-n etw o rk
\
Copyright by E&Caunc!. A ll Rights Reserved. Reproduction is Strictly Prohibited
D o S /D D o S H a n d le r
o u n t e r m
e a s u r e s :
e t e c t
a n d
e u t r a liz e
The DDoS a tta c k can be s to p p e d by d e te c tin g and n e u tra liz in g th e h a n d le rs , w h ic h are in te rm e d ia rie s fo r th e a tta c k e r to in itia te a ttacks. Finding and s to p p in g th e ha n d le rs is a q uick and e ffe c tiv e w a y o f c o u n te ra c tin g ag ainst th e a tta ck. This can be d o n e in th e fo llo w in g ways: S tu d yin g th e c o m m u n ic a tio n p ro to c o ls and tr a ffic p a tte rn s b e tw e e n ha n d le rs and clie n ts o r h a n d le rs and agents in o rd e r to id e n tify n e tw o rk nodes th a t m ig h t be in fe c te d w ith a h a n d le r. T he re are u su a lly a fe w DDoS h a n d le rs d e p lo ye d as co m p a re d to th e n u m b e r o f agents, so n e u tra liz in g a fe w h a n d le rs can possibly re n d e r m u ltip le agents useless. Since agents fo rm th e co re o f th e a tta c k e r's a b ility to spread an a tta ck, n e u tra liz in g th e ha n d le rs to p re v e n t th e a tta c k e r fro m using th e m is an e ffe c tiv e s tra te g y to p re v e n t DDoS a tta c k s .
M o d u le 1 0 P a g e 1 4 7 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
In g r e s s F ilte r in g
9 Protects from flooding attacks which originate from the valid prefixes (IP addresses) It enables the originator to be traced to its true
TC P In te rc e p t
e ConfiguringTCP Intercept prevents DoS attacks by intercepting and validating theTCP connection requests
D o S /D D o S A t t a c k s
o u n t e r m
e a s u r e s :
e t e c t
o t e n t ia l
To d e te c t o r p re v e n t a p o te n tia l DDoS a tta c k th a t is being la u nche d, ingress filte rin g , engress filte rin g , and TCP in te rc e p t can be used.
In g r e s s f ilt e r in g
Ingress filte r in g d o e s n 't o ffe r p ro te c tio n against flo o d in g a tta c k s o rig in a tin g fro m valid p re fixe s (IP addresses); ra th e r, it p ro h ib its an a tta c k e r fro m la u n ch in g an a tta c k using fo rg e d source addresses th a t do n o t o b e y ingress filte r in g ru le s. W h e n th e In te rn e t service p ro v id e r (ISP) aggregates ro u tin g a n n o u n c e m e n ts fo r m u ltip le d o w n s tre a m n e tw o rk s , s tric t tra ffic filte r in g m u s t be a p p lie d in o rd e r to p r o h ib it tr a ffic o rig in a tin g fro m o u ts id e th e aggregated a n n o u n c e m e n ts . The ad van ta ge o f th is filte rin g is th a t it a llo w s tra c in g th e o rig in a to r to its tru e source, as th e a tta c k e r needs to use a va lid and le g itim a te ly re a c h a b le source address.
E g re s s F ilte r in g
In th is m e th o d o f tr a ffic filte rin g , th e IP p a cke t heade rs th a t are leaving a n e tw o rk are in itia lly scanned and checked to see w h e th e r th e y m e e t c e rta in c rite ria . O nly th e packets th a t pass th e c rite ria are ro u te d o u ts id e o f th e s u b -n e tw o rk fro m w h ic h th e y o rig in a te d ; th e packets
M o d u le 1 0 P a g e 1 4 7 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
w h ic h d o n 't pass th e c rite ria w ill n o t be sent. T here is a good p o s s ib ility th a t th e source addresses o f DDoS a tta c k packets w ill n o t re p re s e n t th e source address o f a va lid user on a sp e cific s u b -n e tw o rk as th e DDoS a tta cks o fte n use sp o o fe d IP addresses. M a n y DDoS packets w ith s p o o fe d IP addresses w ill be d iscarded, if th e n e tw o rk a d m in is tra to r places a fire w a ll in th e s u b -n e tw o rk to f ilt e r o u t any tr a ffic w ith o u t an o rig in a tin g IP address fro m th e su b n e t. Egress filte r in g ensures th a t u n a u th o riz e d o r m a licio u s tra ffic n e ve r leaves th e in te rn a l n e tw o rk . If a w e b se rve r is v u ln e ra b le to a z e ro -d a y a tta c k kn o w n o n ly to th e u n d e rg ro u n d hacker c o m m u n ity , even if all a va ila b le patches have been a p p lie d , a se rve r can still be v u ln e ra b le . H o w e ve r, if egress filte r in g is e n a b le d , th e in te g rity o f a system can be saved by d is a llo w in g th e se rve r to e stab lish a c o n n e c tio n back to th e a tta c k e r. This w o u ld also lim it th e e ffe ctive n e ss o f m a n y payload s used in c o m m o n e x p lo its . This can be achieved by re s tric tin g o u tb o u n d e xpo su re to th e re q u ire d tr a ffic o n ly, th u s lim itin g th e a tta c k e r's a b ility to c o n n e c t to o th e r system s and gain access to to o ls th a t can e n a b le fu r th e r access in to th e n e tw o rk .
T C P In te r c e p t
------------
S Y N -flooding a tta c k , a kind o f d e n ia l-o f-s e rv ic e a tta ck. In a S Y N -flo o d in g a tta c k , th e a tta c k e r sends a huge v o lu m e o f re q u e sts fo r c o n n e c tio n s w ith u n re a ch a b le re tu rn addresses. As th e addresses are n o t reachable , th e c o n n e c tio n s c a n n o t be e sta b lish e d and re m a in u n re so lve d . This huge v o lu m e o f u n re s o lv e d o p e n c o n n e c tio n s o v e rw h e lm s th e se rve r and m ay cause it to d e n y service even to va lid req u ests. C o n se q u e n tly, le g itim a te users m ay n o t be able to c o n n e c t to a w e b s ite , access em a il using FTP se rvice , and so on. For th is reason, th e TCP in te rc e p t fe a tu re is in tro d u c e d . In TCP in te rc e p t m o d e , th e s o ftw a re in te rc e p ts th e SYN packets se n t by th e c lie n ts to th e server and m a tch es w ith an e x te n d e d s o ftw a re access list. If th e m a tch is fo u n d , th e n on b e h a lf o f th e establishe s a c o n n e c tio n w ith th e c lie n t. S im ila r to th is, th e d e s tin a tio n se rve r, th e
s o ftw a re also esta blishe s a c o n n e c tio n w ith th e d e s tin a tio n se rve r on b e h a lf o f th e c lie n t. Once th e tw o h a lf c o n n e c tio n s are e s ta b lis h e d , th e s o ftw a re c o m b in e s th e m tra n s p a re n tly . Thus, th e TCP in te rc e p t TCP in te rc e p t c o n n e c tio n . s o ftw a re p re v e n ts s o ftw a re acts as a th e fa k e c o n n e c tio n a tte m p ts fro m re a ch in g th e server. The m e d ia to r b e tw e e n th e se rve r and th e c lie n t th ro u g h o u t th e
M o d u le 1 0 P a g e 1 4 7 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H --
System s th a t have o n ly p a rtia l s e c u rity and can act as a lu re fo r a tta cke rs are called
h o n e y p o ts . This is re q u ire d so th a t th e a tta cke rs w ill a tta c k th e h o n e y p o ts and th e actual system w ill be safe. H o n e y p o ts n o t o n ly p ro te c t th e a ctual system fro m a tta cke rs, b u t also keep tra c k o f d e ta ils a b o u t w h a t th e y are a tte m p tin g to a cco m p lish , by s to rin g th e in fo rm a tio n in a re c o rd th a t can be used to tra c k th e ir a c tiv itie s . This is useful fo r g a th e rin g in fo r m a tio n re la te d to th e kinds o f attacks b eing a tte m p te d and th e to o ls b eing used fo r th e attacks. R ecent research reveals th a t a h o n e y p o t can im ita te all aspects o f a n e tw o rk in c lu d in g its w e b servers, m ail servers, and clie n ts. This is d o n e to gain th e a tte n tio n o f th e DD 0 S a tta cke rs. A h o n e y p o t is designe d to a ttra c t DDoS a tta c k e rs , so th a t it can in sta ll th e h a n d le r o r an a gent code w ith in th e h o n e y p o t. This stops legal system s fro m being c o m p ro m is e d . In a d d itio n , th is m e th o d g ra n ts th e o w n e r o f th e h o n e y p o t a w a y to keep a re co rd o f h a n d le r a n d /o r a gent a c tiv ity . This k n o w le d g e can be used fo r d e fe n d in g against any fu tu re DDoS in s ta lla tio n attacks. T he re are tw o d iffe r e n t ty p e s o f h o n e y p o ts : L o w -in te ra c tio n h o n e y p o ts H ig h -in te ra c tio n h o n e y p o ts
M o d u le 1 0 P a g e 1 4 7 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
are designed fo r th e pu rp o se o f "c a p tu rin g " attacks. The goal is to d e v e lo p a n e tw o rk w h e re in all a c tiv itie s are c o n tro lle d and tra c k e d . This n e tw o rk co n ta in s p o te n tia l v ic tim decoys, and th e n e tw o rk even has real c o m p u te rs ru n n in g re a l a p p lic a tio n s .
K F S e n s o r
Source: h ttp ://w w w .k e y fo c u s .n e t KFSensor acts as a h o n e y p o t to a ttra c t and d e te c t hackers and w o rm s by s im u la tin g v u ln e ra b le system services and T rojans. By a c tin g as a decoy server, it can d iv e r t a tta c k s fro m c ritic a l system s and p ro v id e a h ig h e r level o f in fo rm a tio n th a n can be achieved by using fire w a lls and NIDS a lo n e. The scre e n s h o t o f KFSensor P ro fe s s io n a l is sh o w n as fo llo w s :
KFSensor Professional - Evaluation Trial
File < , View 9 j Scenario 4 i Signatures : t; Y Settings Help i : a Start o ( &
! = ID
Duration
\ Pro... UDP UDP UDP UDP UDP UDP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP Sens... 49270 65260 58278 138 138 N am e UOP Packet UOP Packet UOP Packet NBT Datagram... NBT Datagram... DHCP Client TCP Connection UOP Packet sunrpc sunrpc sunrpc Port Scan War... NBT Datagram... UOP Packet UOP Packet DHCP NBT Datagram... NBT Datagram... DHCP NBT Datagram... NBT Datagram... DHCP Visitor W 1ndows 8 W 1ndows 8 W 1ndows 8 Windows 8 W 1ndows 8 Received |99]u[80 0( h (02 80 00 (E0M 80 0C NBT DGRfi NBT DGR (0 2 0 1 0 6 0 (1 7 0 3 0 1 0 1(80 80 0 0 Pt(FO8C0< Pt(F08C 01 Pt(F08C 01 Possible P NBT DG ftf 2(94 80 00 (C4)L(800I DHCP: Bo< NBT DGFtfl NBT
k fs e m o r * 3 TCP ^
k x a lh m t
M ain Sc a
22 < y 21
3
J 2 1
20
19
25 SMTP
S3 53 DNS J
68
# 1 8 9 1 7
DHCP
68
1041 63120
1000.1
ni*in-f125.1e100.... W1N-2N9STOSGIEN WIN-2N9STOSG1EN W1N-2N9STOSGIEN W1N-2N9STOSGIEN WIN-2N9STOSGIEN W1N-2N9ST OSGIEN W1N-2N9STOSGIEN W IN -2N9ST OSGIEN WIN-2N9STOSGIEN W1N-MSSELCK4K41 W1N-MSSELCK4K41 WIN-MSSELCK4K41 WIN-MSSELCK4K41 W1N-MSSELCK4K41 W1N-MSSELCK4K41
G
$ A A
16 15 14 13
0000 0.000 0.000 0.000 0.000 0000 0.000 0000 0.000 0.000 0000 0.000 0000 0.000 0.000
M
g
J ^
12
/'1 1
9 1 0
g Hi NBT SMB t w j 593 CIS g $ J g ^ j ^ < [ I f t i i M S CIS - t n t 1060 s o c k s 1433 S a Server 2234 Directplay 3128 IIS Proxy 3268 Global Catalog Sef 3389 Term inal Server 5000 MS Uni Plug and P .. 5357 W eb Services for D ...v
hi
10/ 10/2012
10:10:06A.-
0 9 0 8 $7
9 6 9 5 3 4 9 3 9 2 jjl
10/ 10/2012
U H :23 A ...
DGRfi
DORA
10/ 10/2012
1002:16 a . -
>
<1
1
Server Running Visitor* 11 Events: 39/39
M o d u le 1 0 P a g e 1 4 7 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
P roviders can increase th e b a n d w id th o n c ritic a l con n e ctio n s to p re v e n t th e m fro m g o in g d o w n in th e e v e n t o f an a tta c k R eplica ting servers can p ro v id e a d d itio n a l fa ils a fe p ro te c tio n Balancing th e load to each server in a m u ltip le -s e rv e r a rc h ite c tu re can im p ro v e b o th n o rm a l pe rfo rm a n c e s as w e ll as m itig a te th e effects o f a DDoS a tta c k
This m e th o d sets up ro u te rs th a t access a server w ith logic to a d ju s t (th ro ttle ) in co m in g tra ffic to levels th a t w ill be safe fo r th e server to process
This process can be e xte n d e d to th r o ttle DDoS a tta c k in g tra ffic versus le g itim a te user tra ffic fo r b e tte r results
D o S /D D o S
o u n t e r m
e a s u r e s :
it ig a t e
t t a c k s
T h ere are tw o w ays in w h ic h th e D 0 S /D D 0 S a tta cks can be m itig a te d o r sto p p e d . They are:
L o a d B a la n c in g
B a n d w id th p ro v id e rs can increase th e ir b a n d w id th in case o f a DDoS a tta c k to p re v e n t th e ir servers fro m going d o w n . A re p lic a te d s e rv e r m o d e l can also be used to m in im iz e th e risk. R e p lic a te d servers he lp in b e tte r load m a n a g e m e n t and e n h a n cin g th e n e tw o rk 's p e rfo rm a n c e .
U
tra ffic .
T h r o ttlin g
g o ing d o w n . This m e th o d e nables th e ro u te rs in m anaging heavy in c o m in g tr a ffic so th a t th e se rve r can h a n d le it. It can also be used to filte r le g itim a te user tr a ffic fro m fa ke DDoS a tta c k
T h ough th is m e th o d can be c o n s id e re d to be in th e e x p e rim e n ta l stage, n e tw o rk o p e ra to rs are im p le m e n tin g s im ila r te c h n iq u e s o f th r o ttlin g . The m a jo r lim ita tio n w ith th is m e th o d is th a t it m ay trig g e r false alarm s. S o m e tim e s, it m ay a llo w m a lic io u s tr a ffic to pass w h ile d ro p p in g som e le g itim a te tra ffic .
M o d u le 1 0 P a g e 1 4 7 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
Post-Attack Forensics
DDoS attack tra ffic patterns can help the netw ork adm inistrators to develop new filte rin g techniques fo r preventing it fro m entering or leaving their networks
C E H
Analyze router, firew all, and IDS logs to identify the source o f the DoS tra ffic. Although attackers generally spoof the ir source addresses, an IP trace back w ith the help o f interm ediary ISPs and law enforce m ent agencies may enable to book the perpetrators
Traffic p a tte rn analysis: Data can be analyzed post-attack - to look fo r specific characteristics w ithin the attacking tra ffic
<
Using these characteristics, data can be used fo r updating load-balancing and th ro ttlin g countermeasures
P o s t - A t t a c k
F o r e n s ic s
'
m a lic io u s hackers m anage to b rea k in to th e system . In such cases, one can u tiliz e th e p o sta tta c k fo re n s ic m e th o d to g e t rid o f DDoS a tta c k s .
T r a ffic P a tte r n A n a ly s is
D u ring a DDoS a tta c k , th e tra ffic p a tte rn to o l stores p o s t-a tta c k data th a t can be analyzed fo r th e special c h a ra c te ris tic s o f th e a tta c k in g tra ffic . This data is h e lp fu l in u p d a tin g load b a lan cin g and th r o ttlin g c o u n te rm e a s u re s to enhance a n ti-a tta c k m easures. DDoS a tta c k tr a ffic p a tte rn s can also he lp n e tw o rk a d m in is tra to rs to d e v e lo p n e w filte rin g te c h n iq u e s th a t p re v e n t DDoS a tta c k tr a ffic fro m e n te rin g o r leaving th e ir n e tw o rk s . Needless to say, analyzing DDoS tr a ffic p a tte rn s can help n e tw o rk a d m in is tra to rs to ensu re th a t an a tta c k e r c a n n o t use th e ir servers as a DDoS p la tfo rm to b reak in to o th e r sites. Analyze ro u te r, fire w a ll, and IDS logs to id e n tify th e source o f th e DoS tra ffic . A lth o u g h a tta cke rs g e n e ra lly s p o o f th e ir source addresses, an IP tra c e b a c k w ith th e help o f in te rm e d ia ry ISPs and la w e n fo rc e m e n t agencies m ay en a b le b o o k in g th e p e rp e tra to rs .
M o d u le 1 0 P a g e 1 4 8 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
R u n
th e
Z o m
b ie
Z a p p e r T o o l
W h e n a c o m p a n y is u n a b le to ensure th e s e c u rity o f its servers and a DDoS a tta c k begins, th e n e tw o rk IDS (in tru s io n d e te c tio n system ) no tice s a high v o lu m e o f tra ffic
th a t in d ic a te s a p o te n tia l p ro b le m . In such a case, th e ta rg e te d v ic tim can run Z o m b ie Z a p p e r to s to p th e system fro m b eing flo o d e d by packets. T he re are tw o ve rsio n s o f Z o m b ie Z a p p e r. One runs on UNIX, and th e o th e r runs on W in d o w s system s. C u rre n tly , Z a p p e r T o o l acts as a d efense m e ch a n ism against T rin o o , TFN, Shaft, and S ta c h e ld ra h t.
M o d u le 1 0 P a g e 1 4 8 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
C E H
T e c h n iq u e s
to
e f e n d
a g a in s t
B o tn e ts
RFC3704 is a basic ACL f ilte r . The basic re q u ire m e n t o f th is filte r is th a t packets should be source d fro m va lid , a llo c a te d address space, c o n s is te n t w ith th e to p o lo g y and space a llo c a tio n . A list o f all unused o r reserved IP addresses th a t c a n n o t be seen u n d e r n o rm a l o p e ra tio n s is u su a lly called a "b o g o n lis t." If you are able to see any o f th e IP addresses fro m th is list, th e n you s h ou ld d ro p th e packets co m in g fro m it co n s id e rin g it as a s p o o fe d sou rce IP. Also yo u s h ou ld check w ith y o u r ISP to d e te rm in e w h e th e r th e y m anage th is kind o f filte rin g in th e clo ud b e fo re th e bogus tr a ffic e n te rs y o u r In te rn e t pipe. This bogon list changes fre q u e n tly .
B la c k
SL
H o le
F ilte r in g
Black hole filte r in g is a c o m m o n te c h n iq u e to d e fe n d against b o tn e ts and th u s to p re v e n t DoS attacks. You can d ro p th e u n d e sira b le tr a ffic b e fo re it e n te rs y o u r p ro te c te d n e tw o rk w ith a te c h n iq u e called R e m o te ly T rig g e re d B lack H ole F ilte rin g , i.e., RTBH. As th is is a re m o te ly trig g e re d process, yo u need to c o n d u c t th is filte rin g in c o n ju n c tio n w ith y o u r ISP. W ith th e he lp o f BGP h o st ro u te s , th is te c h n iq u e ro u te s th e tra ffic headin g to v ic tim servers to a nullO n e x t hop. Thus, yo u can a void DoS atta cks w ith th e help o f RTBH.
M o d u le 1 0 P a g e 1 4 8 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
ao
y
D D o S
P r e v e n tio n
O ffe r in g s
fr o m
IS P
o r D D o S
S e r v ic e
idea is th a t th e tra ffic w ill be c le a n e d by th e In te rn e t service p ro v id e r b e fo re it reaches y o u r In te rn e t pipe. T ypica lly, th is is d o n e in th e cloud. Hence, y o u r In te r n e t lin k s w ill be safe fro m b eing s a tu ra te d by a DDoS a tta c k . The in -th e -c lo u d DDoS p re v e n tio n service is also o ffe re d by som e th ird p a rtie s. These t h ir d - p a r ty service p ro v id e rs usually d ire c t th e tr a ffic in te n d e d to you to th e m , clean th e tra ffic , and th e n send th e cleaned tra ffic back to yo u . Thus, y o u r In te rn e t pipes w ill be safe fro m b eing o v e rw h e lm e d .
C is c o IP S S o u rc e IP R e p u ta tio n F ilte r in g
----------- '
Cisco G lobal C o rre la tio n , a n e w s e c u rity c a p a b ility o f Cisco IPS 7.0, uses im m e n s e
s e c u rity in te llig e n c e . The Cisco SensorBase N e tw o rk co n ta in s all th e in fo rm a tio n a b o u t kn o w n th re a ts on th e In te rn e t, serial a tta c k e rs, m a lw a re o u tb re a k s , d a rk nets, and b o tn e t h a rvesters. The Cisco IPS m akes use o f th is n e tw o rk to filte r o u t th e a tta cke rs b e fo re th e y a tta c k c ritic a l assets. In o rd e r to d e te c t and p re v e n t m a lic io u s a c tiv ity even e a rlie r, it in c o rp o ra te s th e global th r e a t data in to its system .
M o d u le 1 0 P a g e 1 4 8 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
DoS/DDoS Countermeasures
1 ...... 7 against eavesdropping r::::-..
cE H
(tkMjl NMhM
//
//
(...................................
Use strong en cryption mechanisms such as WPA2, AES 256, etc. fo r broadband netw orks to w ith sta n d
VI
//
FA
Ensure th a t th e softw a re and protocols used are up-to-date and scan th e machines th o ro u g h ly to d e te c t fo r any anomalous behavior
Block all inbound packets o rig inatin g fro m th e service po rts to block th e tra ffic fro m re fle ctio n servers
Cl 0
//'
Im plem ent cognitive radios in the physical layer to handle th e jam m ing and scrambling kind of attacks
D o S /D D o S
o u n t e r m
e a s u r e s
The s tre n g th o f an o rg a n iz a tio n 's n e tw o rk se c u rity can be increased by p u ttin g th e p ro p e r co u n te rm e a su re s in th e rig h t places. M a n y such co u n te rm e a s u re s are available fo r DoS/DDoS attacks. The fo llo w in g is th e list o f c o u n te rm e a s u re s to be a p p lie d against DoS/DDoS attacks: E ffic ie n t e n c ry p tio n m echanism s need to be p roposed fo r each piece o f b ro a d b a n d te c h n o lo g y Im p ro ve d ro u tin g p ro to c o ls are desirable, p a rtic u la rly fo r th e m u lti-h o p W M N Disable unused and insecure services Block all in b o u n d p a ckets o rig in a tin g fro m th e service p o rts to block th e tra ffic fro m th e re fle c tio n servers U pdate kernel to th e la te s t release P revent th e tra n s m iss io n o f th e fr a u d u le n tly a ddressed p a ckets a t th e ISP level Im p le m e n t c o g n itiv e ra d io s in th e physical layer to h andle th e ja m m in g and scra m b lin g kind o f attacks
M o d u le 1 0 P a g e 1 4 8 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
DoS/DDoS Countermeasures
( C o n t d )
C o n fig u re th e fir e w a ll t o d e n y e x te rn a l In te rn e t C o n tro l M e s s a g e P ro to c o l (IC M P) tr a f fic a ccess P re v e n t u se o f u n n e c e s s a ry fu n c tio n s s u c h as g e ts, s trc p y e tc . S e cu re th e re m o te
E H
The netw ork card is the gatew ay to the packets. Use a b e tte r netw ork card to handle a large num ber of packets
P e r fo rm th e th o ro u g h in p u t v a lid a tio n
P re v e n t th e re tu rn a d d re s s e s fro m b e in g o v e r w r it te n
>
D o S /D D o S
o u n t e r m
e a s u r e s
( C
o n t d )
P re ve n t th e use o f u n n e c e s s a ry fu n c tio n s such as gets, strcp y, etc. Secure th e re m o te a d m in is tra tio n and c o n n e c tiv ity te s tin g P re ve n t th e re tu rn addresses fro m being o v e r w r itte n Data processed by th e a tta c k e r sh ould be sto p p e d fro m being e xe cu te d P e rfo rm th e th o ro u g h in p u t v a lid a tio n The n e tw o rk card is th e g a te w a y to th e packets. Hence, h a n d le a large n u m b e r o f packets use a b e tte r n e tw o rk card to
M o d u le 1 0 P a g e 1 4 8 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
o S
/ D
o S
r o t e c t i o n
a t
I S P
L e v e l
Most ISPs simply blocks all the requests during a DDoS attack, denying legitimate traffic from accessing the
I ISPs offer in-the-cloud DDoS protection for Internet links so th at they do not become saturated by the attack ri Attack traffic is redirected to the ISP during the attack to be filtered and sent back Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation
D o S / D D o S
P r o t e c t i o n
a t
t h e
I S P
L e v e l
Source: http://www.cert.org M o st ISPs simply block all the requests during a DDoS attack, denying legitim ate traffic from accessing the service. ISPs offer in-the-cloud DDoS protection for Internet links so that they do not becom e saturated by an attack. Attack traffic is redirected to the ISP during the attack to be filtered and sent back. Adm inistrators can request ISPs to block the original affected IP and move their site to a nother IP after perform ing DNS propagation.
M o d u le 1 0 P a g e 1 4 8 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M o d u le 1 0 P a g e 1 4 8 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
E I O
n a b l i n g S S o f t w
T C a r e
I n t e r c e p t
o n
i s c o
[ 7 1
E H
| IU m jI N M h M
S te p 1 2
C om m and access-list access-list-number {deny | permit} tcp any destination destination-wildcard ip tcp Intercept list access-list-number
T C P in t e r c e p t ca n o p e r a t e in e it h e r a c t iv e in t e r c e p t m o d e o r p a s s iv e w a tc h m o d e . T h e d e f a u lt is in t e r c e p t m o d e .
n a b l i n g
T C P
I n t e r c e p t
o n
C i s c o
I O
S o f t w a r e
The TCP intercept can be enabled by executing the follow ing com m ands in global configuration mode: Command
S te p 1 a c c e s s -lis t p e rm it} tc p a c c e s s -lis t-n u m b e r any d e s tin a tio n {d e n y I
num ber
An access list can be defined for three purposes: 1. To intercept all requests 2. 3. To intercept only those coming from specific networks To inte rcept only those destined for specific servers
Typically the access list defines the source as any and the destination as specific networks or servers. As it is not im portant to know w h o to intercept packets from, do not filter on the source addresses. Rather, you identify the d e stin atio n server or netw ork to protect.
M o d u le 1 0 P a g e 1 4 8 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
TCP intercept can operate in tw o modes, i.e., active interce pt m o d e and passive w a tch m ode. The default is intercept mode. In intercept mode, the Cisco IOS Software intercepts all incoming connection requests (SYN), gives a response on behalf of the server with an ACK and SYN, and then waits for an ACK of the SYN from the client. W hen the ACK is received from the client, the software performs a thre e -w a y handshake with the server by setting the original SYN to the server. Once the thre e -w a y handshake is complete, the tw o-half connections are joined. The com m and to set the TCP intercept m ode in global configuration mode:
Command ip tc p w a tc h } in te rc e p t m ode {in te rc e p t |
p u rp o s e
M o d u le 1 0 P a g e 1 4 8 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
A A
d p
v a p
c e n
d s
o S
r o
t e
c t i o
n C E H
l i a
c e
C is c o G u a rd XT 5 6 5 0
h ttp : //w w w .c is c o .c o m
A d v a n c e d
f
h ttp : //w w w .a r b o r n e tw o r k s .c o m
D D o S
P r o t e c t i o n
A p p l i a n c e s
F o r t i D D o S 3 0 0 A
^ ^
The FortiDDoS 300A provides visibility into your Internet-facing n e tw o rk and can detect and block reconnaissance and DDoS attacks while leaving legitim ate traffic untouched. It features autom atic traffic profiling and rate limiting. Its continuous learning capability differentiates between gradual build-ups in legitimate traffic and attacks.
M o d u le 1 0 P a g e 1 4 9 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D D o S
P r o te c to r
Source: http://w w w .checkpoint.com DDoS Protector provides protection against n e tw o rk flo o d and a p plica tion layer attacks by blocking the destructive DDOS attacks w ithou t causing any damage. It blocks the abnormal traffic w ithout touching the legitimate traffic. It protects your netw ork and w eb services by filtering the traffic before it reaches the firewall.
Source: http://www.cisco.com The Cisco Guard XT is a DDoS M itig a tio n Appliance from Cisco Systems. It performs he detailed per-flow level attack analysis, identification, and mitigation services required to block attack traffic and prevent it from disrupting n e tw o rk operations.
f e
A r b o r
P r a v a il:
A v a ila b ilit y
P r o te c tio n
S y s te m
A rb o r Pravail allows you to detect and remove known and em erging threats such as DDOS attacks autom atically before your vital services go down. It increases your internal network visibility and im proves the efficiency of the network.
M o d u le 1 0 P a g e 1 4 9 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
l e
l o
E H
o d u l e
F l o w
In addition to the counterm easures discussed so far, you can also adopt D 0 S/DD 0 S tools to protect your netw ork or netw ork resources against D 0 S/DD 0 S attacks.
D o s /D D o S C o n c e p ts
D o s /D D o S A t t a c k T o o ls
D o s /D D o S A tta c k T e c h n iq u e s
d p g
C o u n te rm e a s u re s
B o tn e ts
/%*?
D o s /D D o S Case S tu d y
This section lists and describes various tools that offer protection against D 0 S/DD 0 S attacks.
M o d u le 1 0 P a g e 1 4 9 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D o S / D D o S A n t i - D D o S
P r o t e c t i o n F i r e w a l l
T o o l:
u a r d C E H
D -G u a rd A n ti-D D o S F irew all p ro v id e s th e m o st re lia b le and fa s te s t D D oS p ro te ctio n fo r o n lin e e n te r p ris e s , p u b lic and m e d ia s e rv ic e s , e s s e n tia l in fra s tr u c tu re , and I n te rn e t s e rv ic e p r o v id e rs
.. ....... M o n ito r
F e a tu re s : Pro tection against alm ost all kinds o f attacks Built-in intrusion prevention system TCP flo w co ntrol IP blacklist and w hite list, ARP w hite list, and M A C Binding
i "
Up
f t
1 ^1
D o S / D D o S F i r e w a l l
P r o t e c t i o n
T o o l:
u a r d
A n t i - D D o S
S u p e r D D o S , D r D o S , f r a g m e n t a t t a c k s , S Y N f l o o d i n g a t t a c k s , IP f l o o d i n g a t t a c k s , U D P , m u t a t i o n UDP, ra n d o m F e a tu re s : B u ilt-in in tru s io n p r e v e n tio n s y s te m P r o te c tio n a g a in s t SYN, TCP flo o d in g , a n d o t h e r ty p e s o f D D o S a tta c k s TCP flo w c o n tro l U D P /IC M P /IG M P p a c k e ts ra te m a n a g e m e n t IP b l a c k l i s t a n d w h i t e l i s t C o m p a c t a n d c o m p r e h e n s i v e lo g file U D P f lo o d in g a tta c s k , IC M P , IC M P f lo o d a tta c k s , A R P s p o o fin g a tta c k s , e tc .
M o d u le 1 0 P a g e 1 4 9 3
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
M o d u le 1 0 P a g e 1 4 9 4
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
/ D
r o
t e
t i o
l s
[JJ 5
------- ^
NetFlow Analyzer
http://www.m anageengine.com
FortiDDoS
h ttp :/ / www .fortine t. com
i *
D efensePro
h ttp ://w w w . radware. com
WANGuard Sensor
h ttp://w w w .andrisoft.com
PW
DOSarrest
http:,//w w w . dos arres t. com
DDoSDefend
h ttp ://d do s defend, com
D o S / D D o S
P r o t e c t i o n
T o o ls p ro te c tio n
In a d d i t i o n t o D - G u a r d A n t i - D D o S F i r e w a l l , t h e r e a r e m a n y t o o l s t h a t o f f e r
a g a in s t D o S /D D o S a tta c k s . A f e w t o o ls t h a t o f f e r D o S /D D o S p r o t e c t io n a re lis te d asf o llo w s : Q Q 0 Q e Q N e tF lo w A n a ly z e r a v a ila b le a t h t t p :/ / w w w .m a n a e e e n g in e . c o m SDL R e g e x F u z z e r a v a ila b le a t h t t p : / / w w w . m ic r o s o f t . c o m W A N G u a r d S e n s o r a v a ila b le a t h t t p : / / w w w . a n d r is o f t . c o m N e tS c a le r A p p lic a tio n F ire w a ll a v a ila b le a t h t t p : / / w w w . c i t r ix . c o m F o r tG u a rd D D o S F ire w a ll a v a ila b le a t h t t p : / / w w w . f o r t g u a r d . c o m In tru G u a rd a v a ila b le a t h t t p : / / w w w . i n t r u g u a r d . c o m D e fe n s e P ro a v a ila b le a t h t t p : / / w w w . r a d w a r e . c o m D O S a rre s t a v a ila b le a t h t t p : / / w w w . d o s a r r e s t . c o m A n ti D D oS G u a rd ia n a v a ila b le a t h t t p : / / w w w . b e e t h in k . c o m D D o S D e fe n d a v a ila b le a t h t t p :/ / d d o s d e fe n d . c o m
M o d u le 1 0 P a g e 1 4 9 5
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
IIL
-- -
o d u l e m a in th e
-------------- T h e te s tin g on
o b je c tiv e
ta rg e t
n e tw o rk
o r s y s te m
a g a in s t e v e ry
m a jo r
e v a lu a tio n m e th o d o lo g y .
D o s /D D o S C o n c e p ts
D o s /D D o S A t t a c k T o o ls
D o s /D D o S A tta c k T e c h n iq u e s
C o u n te rm e a s u re s
0
B o tn e ts D o s /D D o S P r o te c tio n T o o ls
D o s /D D o S Case S tu d y
M o d u le 1 0 P a g e 1 4 9 6
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
T h i s s e c t i o n d e s c r i b e s D o S a t t a c k p e n e t r a t i o n t e s t i n g a n d t h e s t e p s i n v o l v e d in D o S a t t a c k p e n e tr a tio n te s tin g .
M o d u le 1 0 P a g e 1 4 9 7
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D P
e e
n n
i a e
l - o t r a
f - S t i o n
e T
r v i c e e s t i n
( D g
o S )
t t a
c k c
(rtifwtf
E H
tUMJl Km Im
DoS attack should be incorporated into Pen testing to find out if the netw ork server is susceptible to DoS attack
I L
A vulnerable netw ork cannot handle a large am ount of traffic sent to it and subsequently crashes or slows down, thus preventing access by authentic users
DoS Pen Testing determ ines minimum thresholds for DoS attacks on a system , but the tester cannot ensure that the system is resistant to DoS attacks
] ]
The main objective of DoS Pen testing is to flood a target netw ork w ith traffic, sim ilar to hundreds of people repeatedly requesting a service, to keep the server busy and unavailable
r r
' Ll_:------
v :
-----------1
D In
e n i a l o f S e r v ic e an a tte m p t to s e c u re
( D o S ) your
A t t a c k firs t
P e n e t r a t i o n you s h o u ld try to
T e s t i n g fin d th e s e c u rity
n e tw o rk ,
o f a D o S a t t a c k is t o l o w e r t h e
in te rru p t th e p in g re q u e s ts
b u s i n e s s c o n t i n u i t y . A D o S a t t a c k is p e r f o r m e d th a t o v e rw h e lm when th is th e c a p a c ity of a n e tw o rk . on
re q u e s ts
c a n n o t be
h a n d le d
h a p p e n s . S e rv ic e s
ru n n in g
m a c h i n e s c r a s h d u e t o t h e s p e c i a l l y c r a f t e d p a c k e t s t h a t a r e f l o o d e d o v e r t h e n e t w o r k . In s u c h cases, th e n e tw o rk cannot d iffe re n tia te b e tw e e n le g itim a te and ille g itim a te d a ta tra ffic .
conduct
need to
s im u la te
a c tio n s o f th e w ith s ta n d s
a tta c k e r to
c h e c k w h e th e r y o u r s y s te m
D oS a tta c k s
(behaves
M o d u le 1 0 P a g e 1 4 9 8
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
D P
e e
n n
i a e
l - o t r a
f - S t i o n
e T
r v i c e e s t i n
( D g
o S )
t t a
c k
( c o n t d )
START U ,
Test the web server using automated tools such as Webserver Stress Tool, Web Stress Tester, and JMeterfor load capacity, server-side performance, locks, and other scalability issues Scan the network using automated tools such as Nmap, G FI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks Flood the target with connection request packets using tools such as DoS HTTP, Sprut, and PHP DoS
C h e c k fo r DoS v u ln e ra b le s y s te m s
f
F lo o d th e w e b s ite fo rm s an d g u e s tb o o k w it h bog u s e n trie s
Use a port flooding attack to flood the port and increase the CPU usage by maintaining all the connection requests on the ports under blockade. Use tools Mutilate and PepsiS to automate a port flooding attack Use tools Mail Bomber and Advanced Mail Bomber to send a large number of emails to a target mail server Fill the forms with arbitrary and lengthy entries
R u n p o rt flo o d in g a tta c k s on th e s e rv e r
R u n e m a il b o m b e r on th e e m a il s e rv e rs
\ ' *
D ( C
e n i a l o f S e r v ic e o n t d )
( D o S )
A t t a c k
P e n e t r a t i o n
T e s t i n g
T h e s e rie s o f D oS p e n e t r a t io n t e s t in g s te p s a re lis te d a n d d e s c r ib e d as f o llo w s : S te p 1: D e fin e th e o b je c tiv e T h e f i r s t s t e p i n a n y p e n e t r a t i o n t e s t i n g is t o d e f i n e t h e o b j e c t i v e o f t h e t e s t i n g . T h i s h e l p s y o u t o p l a n a n d d e t e r m i n e t h e a c t i o n s t o b e t a k e n in o r d e r t o a c c o m p l i s h t h e g o a l o f t h e t e s t . S te p 2: T e s t f o r h e a v y lo a d s o n th e s e rv e r Load te s tin g is p e rfo rm e d by p u ttin g an a rtific ia l lo a d on a s e rv e r o r a p p lic a tio n to te s t its
s im p ly e n te r th e
n u m b e r o f u se rs, a n d th e
w e b s i t e t r a f f i c . T h i s is a " r e a l - w o r l d " t e s t .
M o d u le 1 0 P a g e 1 4 9 9
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
J M e te r
S o u rce : h ttp ://im e te r.a p a c h e .o r g J M e t e r is a n o p e n - s o u r c e w e b to o l is a Java It a p p lic a tio n was a p p lic a tio n to lo a d -te s tin g to o l d e v e lo p e d lo a d fo r te s t fu n c tio n a l web b y A p a c h e . T h is and but m ea su re has s in c e
d e s ig n e d
b e h a v io r
p e rfo rm a n c e .
o rig in a lly
d e s ig n e d
te s tin g
a p p lic a tio n s
S o u rce : h ttp ://n m a p .o r g N m a p is a t o o l t h a t c a n b e u s e d t o f i n d t h e s t a t e o f p o r t s , t h e s e r v i c e s r u n n i n g o n t h o s e p o rts , th e o p e ra tin g s y s te m s , a n d a n y fir e w a lls a n d filte rs . N m a p can be run fro m th e
a d d re s s /ra n g e
a d d re sse s
s p e c ifie d ,
and
a le rts
u se rs
v u ln e ra b ilitie s
e n c o u n te re d o n th e ta rg e t s y s te m . Nessus
S o u rce : h ttp ://w w w .n e s s u s .o rg N e s s u s is a v u l n e r a b i l i t y a n d c o n f i g u r a t i o n a s s e s s m e n t p r o d u c t . I t f e a t u r e s c o n f i g u r a t i o n a u d itin g , a s s e t p ro filin g , s e n s itiv e v u l n e r a b i l i t y a n a ly s is . S te p 4: R un a SYN a tta c k o n th e s e rv e r A p e n e t r a t i o n t e s t e r s h o u l d t r y t o r u n a S Y N a t t a c k o n t h e m a i n s e r v e r . T h i s is a c c o m p l i s h e d b y b o m b a r d in g t h e t a r g e t w it h c o n n e c tio n re q u e s t p a c k e ts . T h e fo llo w in g to o ls ca n b e u s e d t o ru n SYN a tta c k s : DoS HTTP, S p ru t, a n d PHP DoS. S te p 5: R un p o r t flo o d in g a tta c k s o n th e s e rv e r P o r t f lo o d in g s e n d s a la rg e n u m b e r o f T C P o r U D P p a c k e ts t o a p a r t ic u la r p o r t , c r e a tin g a d e n ia l o f s e r v i c e o n t h a t p o r t . T h e m a i n p u r p o s e o f t h i s a t t a c k is t o m a k e t h e p o r t s u n u s a b l e a n d d a ta d is c o v e ry , p a tc h m a n a g e m e n t in te g ra tio n , and
M o d u le 1 0 P a g e 1 5 0 0
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
in c r e a s e t h e C P U 's u s a g e t o 1 0 0 % . T h is a t t a c k c a n b e c a r r i e d o u t o n b o t h T C P a n d U P D p o r t s . T h e fo llo w in g to o ls can be use d to c o n d u c t a p o rt- flo o d in g a tta c k : Q M u t i l a t e : M u t i l a t e is m a i n l y u s e d t o d e t e r m i n e w h i c h p o r t s o n t h e t a r g e t a r e o p e n . T h i s t o o l m a i n l y t a r g e t s T C P / I P n e t w o r k s . T h e f o l l o w i n g c o m m a n d is u s e d t o e x e c u t e M u tila te : m u tila te Q < ta rg e t _ IP > < p o rt>
P e p s i5 : T h e P e p s i5 t o o l m a i n l y t a r g e t s U D P p o r t s a n d s e n d s a s p e c if ia b le n u m b e r a n d s iz e o f d a t a g r a m s . T h is t o o l c a n r u n in t h e b a c k g r o u n d a n d u s e a s t e a l t h o p t i o n t o m a s k t h e p ro c e s s n a m e u n d e r w h ic h it ru n s .
s e r v e r . I f t h e s e r v e r is n o t p r o t e c t e d o r s t r o n g e n o u g h , i t c r a s h e s . T h e t e s t e r u s e s v a r i o u s s e r v e r to o ls t h a t h e lp s e n d th e s e a tta c k : Q M a il B o m b e r S o u rce : h ttp ://w w w .g e tfr e e file .c o m /b o m b e r .h tm l M a il Bom ber lis ts . is a s e r v e r It is to o l of used to send a b u lk e m a ils of by u s in g s u b s c rip tio n -b a s e d lis ts based on b u lk e m a ils . T h e f o llo w in g to o ls a re used to c a rry o u t th is ty p e of
m a ilin g
c a p a b le
h o ld in g
num ber
s e p a ra te
m a ilin g
s u b s c rip tio n s , e m a il m e ssa g e s, a n d S M T P s e rv e rs f o r v a rio u s re c ip ie n ts . A d v a n c e d M a il B o m b e r S o u rce : h ttp ://w w w .s o fth e a p .c o m Advanced M a il Bom ber is a b l e to send p e rs o n a liz e d m essages to a la rg e num ber of
b o u n d le s s s tr u c tu r e d tra c k o f u se r fe e d b a c k .
re c ip ie n ts , S M T P se rve rs,
m e s s a g e s , e tc . T h is t o o l c a n a ls o
a t t a c k e r s e n d s a la rg e n u m b e r o f s u c h b o g u s a n d a b le t o h a n d le it a n d m a y c ra s h . S te p 8 : D o c u m e n t a ll t h e f in d in g s In th is s te p , th e p e n e tra tio n te s te r s h o u ld
le n g th y e n trie s , th e
d a ta s e rv e r m a y n o t be
docum ent
a ll
h is
or
her
te s t
fin d in g s
in
th e
M o d u le 1 0 P a g e 1 5 0 1
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .
E t h ic a l H a c k in g a n d C o u n t e r m e a s u r e s D e n ia l o f S e r v ic e
E x a m 3 1 2 - 5 0 C e r t if ie d E t h ic a l H a c k e r
l e
A d istrib u te d d e n ia l-o f-se rv ic e (D D 0 S) a tta ck is o n e in w h ic h a m u ltitu d e o f th e c o m p ro m is e d syste m s a tta ck a sin gle targ et, th e re b y cau sin g den ia l o f se rv ic e fo r u se rs o f th e ta rg e te d system
In te rn e t Relay C h at (IRC) is a s yste m fo r ch a ttin g th a t in v o lve s a set o f ru les a n d co n v e n tio n s and c lie n t/s e rv e r s o ftw a re
V a rio u s a tta ck te c h n iq u e s a re used p e rfo rm a DoS atta ck su ch as b a n d w id th a tta cks, s e rv ic e re q u e st flo o d s , SYN flo o d in g attack, IC M P flo o d atta ck, P e e r-to -P e e r a tta cks etc.
Bots a re s o ftw a re ap p lic a tio n s th a t ru n a u to m a te d ta sks o v e r th e In te rn e t and p e rfo rm sim p le re p e titiv e ta sks such as w e b s p id e rin g a n d sea rch e n g in e indexing
DoS d e te ctio n te c h n iq u e s a re based on id e n tify in g a n d d isc rim in a tin g th e ille g itim a te tra ffic in cre a se and fla sh even ts fro m le g itim ate packet tra ffic
o d u l e
S u m
a r y ( D o S ) is a n a tta c k o n a c o m p u te r o r n e tw o rk th a t p re v e n ts
D e n ia l o f s e rv ic e
c o m p ro m is e d
s y s te m s a t ta c k a s in g le t a r g e t, t h e r e b y c a u s in g d e n ia l o f s e rv ic e f o r u s e rs
c o n v e n tio n s a n d c lie n t/s e rv e r s o ftw a re . V a rio u s a t ta c k te c h n iq u e s s e rv ic e e tc . B o ts a re s o ftw a r e a p p lic a tio n s t h a t ru n a u t o m a t e d ta s k s o v e r th e I n te r n e t a n d s im p le r e p e t i t i v e ta s k s s u c h as w e b s p id e r in g a n d s e a rc h e n g in e in d e x in g . DoS d e te c tio n te c h n iq u e s a re based on id e n tify in g and d is c rim in a tin g th e ille g itim a te p e rfo rm a re used p e rfo rm a tta c k s , a DoS a tta c k such IC M P f lo o d as b a n d w id t h a tta c k s , a tta c k s ,
r e q u e s t f lo o d s , SYN f lo o d in g
a tta c k s , p e e r- to -p e e r
m in im u m
t e s t e r c a n n o t e n s u r e t h a t t h e s y s t e m is r e s i s t a n t t o D o S a t t a c k s .
M o d u le 1 0 P a g e 1 5 0 2
E t h i c a l H a c k i n g a n d C o u n t e r m e a s u r e s C o p y r i g h t b y E C - C 0 U n C il A l l R ig h t s R e s e r v e d . R e p r o d u c t i o n is S t r i c t l y P r o h i b i t e d .