In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era.
Attack scenario
Here is a simple scenario: an attacker sends a large number of requests to a Web server, for example, a website that hosts HD image files at a particular URL, say www.example.com/images/HD_images.html. Let's also assume that this page contains about 50-60 images. Now, every time a user reloads this page, it consumes a large portion of the Web server's bandwidth. Here, an attacker could design a separate HTML page with an iframe embedded in it, like what's shown below:
<html><iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe></html>
Let's suppose that instead of a single iframe, the attacker copies and pastes the above code 1,000 times in the same page, and also adds a meta refresh tag as follows:
<html><head><meta http-equiv="refresh" content="2"></head><iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe><iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe> ... (1,000 times) </html>
Such a page, when loaded, will send the same request 1,000 times every 2 seconds, and will consume a lot of the Web server's bandwidth. Thus, the target server will not be able to respond to other clients, and eventually, legitimate clients will be denied service by the server. Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assume that example.com has abundant resources and considerable bandwidth (which is most often the case). It is then difficult for the attackers to generate a sufficient number of messages from a single machine (as in the above scenario) to overload those resources. However, imagine the consequences if they got 100,000 machines under their control, in order to simultaneously generate requests to example.com. Each of the attacking machines (compromised machines that have been infected by malicious code) may be only moderately provisioned (have a slow processor and be on a mere modem link), but together, they form a formidable attack network which, with proper use, could overwhelm even a well-provisioned victim site. This is a distributed denial-of-service (DDoS) attack, and the machines under the attacker's control are termed zombies or agents.
In DDoS attacks, spoofed source IP addresses are used in the packets of the attack traffic. Attackers prefer to use such counterfeit source IP addresses for two major reasons: first, to hide the identity of the zombies, so that the victim cannot trace the attack back to them; second, to discourage any attempt by the victim to filter out the malicious traffic, since there is no stable source address to block.
DoS attacks often exploit stateful network protocols, because these protocols consume resources to maintain state. TCP SYN flooding is one such attack, and has had a wide impact on many systems. When a client attempts to establish a TCP connection to a server, the client first sends a SYN message to the server. The server acknowledges this by sending a SYN-ACK message to the client. The client completes the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them. The abuse occurs in the half-open state, when the server is waiting for the client's ACK message after sending the SYN-ACK message to the client. The server needs to allocate memory to store information about the half-open connection, and this memory will not be released until the server either receives the final ACK message, or the half-open connection expires (times out). Attackers can easily create half-open connections by spoofing source IPs in SYN messages, or by ignoring SYN-ACKs. The consequence is that the final ACK message will never be sent to the victim. Because the victim normally allocates only a limited amount of space in its process table, too many half-open connections will soon fill that space. Even though the half-open connections will eventually expire due to their timeout, zombies can aggressively send spoofed TCP SYN packets, requesting connections at a much higher rate than the expiration rate. Finally, the victim will be unable to accept any new incoming connections, and thus cannot provide services.
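To make the "arrival rate versus expiration rate" argument concrete, here is an added toy model (not code from the article) of a server's half-open connection table: every slot is held until its timeout because the spoofed SYN never gets its ACK. The capacity, timeout and SYN rates are constructed values; the model drains at most capacity/timeout connections per second, so any sustained SYN rate above that fills the table.

```python
from collections import deque

# Added example (not from the article): a toy model of a server's half-open
# connection table. Each SYN takes a slot; a spoofed SYN never gets its final
# ACK, so the slot is held until the timeout expires. Times are integer
# milliseconds to keep the arithmetic exact. All values below are constructed.
def simulate_half_open(syn_times_ms, capacity, timeout_ms):
    """Feed SYN arrival times through a table of `capacity` half-open slots.

    Returns (accepted, refused): SYNs that got a slot, and SYNs that were
    dropped because every slot was still waiting for an ACK that never comes.
    """
    expiries = deque()           # expiry time of each held slot, oldest first
    accepted = refused = 0
    for t in syn_times_ms:
        while expiries and expiries[0] <= t:   # timeout releases old slots
            expiries.popleft()
        if len(expiries) < capacity:
            expiries.append(t + timeout_ms)
            accepted += 1
        else:
            refused += 1
    return accepted, refused


def steady_syn_stream(rate_per_s, duration_s):
    """Constructed attack stream: evenly spaced SYNs at `rate_per_s`."""
    spacing_ms = 1000 // rate_per_s
    return [i * spacing_ms for i in range(rate_per_s * duration_s)]


if __name__ == "__main__":
    # 128 slots that each linger 10 s: the table drains at most 12.8 SYN/s.
    # 10 SYN/s stays under that; 20 SYN/s keeps the table full for long
    # stretches, during which legitimate SYNs would be refused too.
    for rate in (10, 20):
        acc, ref = simulate_half_open(steady_syn_stream(rate, 60), 128, 10_000)
        print(f"{rate:>3} SYN/s: accepted={acc} refused={ref}")
```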
Comparing the two scenarios of DDoS attacks, we should note that a DRDoS attack is more detrimental than a typical DDoS attack, because a DRDoS attack has more machines to share the attack: the attack is more distributed and so creates a greater volume of traffic.
Back-chaining propagation
In this mechanism, the attack toolkit is transferred to the newly compromised system from the attackers system. More specifically, the attack toolkits that are installed on the attackers system include special methods for accepting a connection from the compromised system, and sending a file to it that contains the attack tools. This back-channel file copy can be supported by simple port listeners that copy file contents, or by full intruder-installed Web servers, both of which use the Trivial File Transfer Protocol (TFTP).
Autonomous propagation
In this method, the attackers transfer the attack toolkit to the newly compromised system at the exact moment that they break into that system. This method differs from the previously mentioned methods in that the attack tools are planted into the compromised host by the attackers themselves, and not by an external file source.
Important note: Each of these propagation mechanisms depends on the system vulnerability that's exploited, since this dictates what system rights are enjoyed by the attackers. After the construction of the attack network, attackers use attack toolkits to specify the attack type and the victim's address, and wait for the appropriate moment to mount the attack. They then use the attack toolkit to remotely command their zombies to launch the chosen attack. The volume of traffic from a DDoS attack may be so high that the networks that connect the attacking machines to the victim may also suffer from lower performance. Hence, the provision of services over these networks is no longer possible, and in this way, their clients are denied those services as well.
Attack toolkits
While there are numerous scripts that are used for scanning, compromising and infecting vulnerable machines, there are only a handful of DDoS attack tools that have been used to carry out the actual attacks.
Trinoo
This tool uses a handler/agent architecture wherein an attacker sends commands to the handler (the first system compromised in the series) via TCP, and handlers and agents communicate via UDP. Both handlers and agents are password-protected to try to prevent them from being taken over by another attacker. Trinoo generates UDP packets of a given size to random ports on one or multiple target addresses, during a specified attack interval.
Trinity
This is the first DDoS tool that is controlled via IRC. Upon compromise and infection by Trinity, each zombie joins a specified IRC channel and waits for commands. The use of a legitimate IRC service for communication between attacker and zombie replaces the classic independent handler, and elevates the level of the threat. It is also capable of launching several types of flooding attacks on a victim site, including UDP, IP fragment, TCP SYN, TCP RST, TCP ACK, and other floods. Now, due to regular security checks and patches, and signature-based IDS/IPS (Intrusion Detection/Prevention Systems), many of these tools have become less effective, and are no longer used by attackers. However, this has led to the next era of DDoS attacks, which is referred to as DDoS 2.0.
DDoS 2.0
Network firewalls today can detect the majority of flood and network DoS attacks. Many ICMP and UDP flood attacks can also be identified using intelligent packet filtering, and source and destination access-control lists. Hence, attackers today focus on application DDoS attacks, because these usually bypass most traditional network security devices. Application DDoS attacks exploit vulnerabilities in application servers or application business logic. For example, application DDoS attacks may simply flood a Web application server with seemingly legitimate requests designed to overwhelm it. An attacker may also attempt to exploit application vulnerabilities, such as sending Web requests with extremely long URLs. More sophisticated attacks exploit business logic flaws. For example, if an application's website search mechanism is poorly written, it could require excessive processing by a backend database server. An application DDoS attack could exploit this vulnerability by performing thousands of search requests using wildcard search terms to overwhelm the backend application database. Moreover, the generation of session IDs, and the resources used to manage sessions, can often be overwhelmed if an attacker has the ability to generate a large number of session IDs. Recently, Slowloris has emerged as a perilous application DDoS attack. It disrupts application services by exhausting Web server connections. In the Slowloris attack, the attackers send an incomplete HTTP header, and then periodically send header lines to keep the connection alive, but they never send the full header. Without requiring much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.
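The server-side counter to the Slowloris behaviour described above is to stop waiting for a header that never completes. The following is an added example (not code from the article or from Apache) of that decision logic: a connection is dropped once the header has been open longer than a deadline, or once no bytes have arrived for a maximum idle gap. The fragment timestamps, limits and header bytes are constructed.

```python
# Added example (not from the article): a header-read deadline that a server
# can apply per connection. Slowloris keeps a connection alive by trickling
# header lines without ever sending the blank line that ends the header, so
# the defence is to stop waiting once the header has taken too long or the
# gap between fragments is too large. Fragments and timestamps are constructed.
HEADER_END = b"\r\n\r\n"   # blank line that terminates an HTTP/1.x header


def judge_header_read(fragments, header_deadline_s, max_idle_s):
    """fragments: list of (arrival_time_s, bytes) in arrival order.

    Returns ("complete", t) once the blank line ends the header in time, or
    ("drop", t) with the first moment a limit is exceeded: the header is still
    open `header_deadline_s` after the first byte, or no bytes arrived for
    `max_idle_s`. A connection with no data at all is dropped immediately.
    """
    if not fragments:
        return ("drop", 0.0)
    start = fragments[0][0]
    last = start
    buf = b""
    for t, chunk in fragments:
        if t - last > max_idle_s or t - start > header_deadline_s:
            # the earlier of the two limits is the moment we stop listening
            return ("drop", min(last + max_idle_s, start + header_deadline_s))
        buf += chunk
        last = t
        if HEADER_END in buf:
            return ("complete", t)
    # data stopped without finishing the header: a limit closes it eventually
    return ("drop", min(last + max_idle_s, start + header_deadline_s))


# Constructed traffic: a normal request, a slow-but-honest client, and a
# connection that keeps adding one header line every 5 s and never finishes.
NORMAL = [(0.0, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]
SLOW_BUT_HONEST = [(0.0, b"GET / HTTP/1.1\r\n"), (3.0, b"Host: example.com\r\n\r\n")]
NEVER_ENDING = [(0.0, b"GET / HTTP/1.1\r\n")] + \
               [(5.0 * i, b"X-a: b\r\n") for i in range(1, 8)]
```

With a 20 s header deadline and an 8 s idle limit, the never-ending connection is released at 20 s instead of being held indefinitely, while the slow-but-honest client still completes.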
The frmMain.cs file generates the main part of the user interface; this is where the user specifies the URL or IP address of the target server, and the program does a series of checks for valid addresses, port numbers, payload, etc., before running the DDoS code for whichever of the three methods (TCP, UDP or HTTP) is selected. In the hive mode, commands are sent to the LOIC client through IRC. The IRC server, channel and port are set initially in the forms and defined in Program.cs, which uses the C# SmartIRC4Net library. In LOIC's default mode, the user has volunteered to join the rest of the LOIC users all over the world, thus forming a botnet, which collectively sends mass requests to the target server. If you face some difficulty in compiling LOIC, you can go for its binary here. However, besides LOIC, attackers also use a variety of other tools. Some of them are available here.
Administrators could adjust their network gateways in order to filter input and output traffic. The source IP address of output traffic should belong to the local subnet, whereas the source IP address of input traffic should not. In this way, they can reduce the traffic on the network that carries spoofed IP addresses. If you own a Web server, don't just rely on anti-virus software, but use fully updated anti-malware and anti-botnet software too. In this way, you can prevent auto-installation of DDoS toolkits on your system. Moreover, always keep your systems updated and fully patched. Intrusion detection systems (IDS/IPS) can be a great help here in notifying the administrator if someone is trying to break in to install attack toolkits or bots.
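The gateway rule just described, written out as a packet classifier so the two directions can be checked side by side. This is an added example, not code from the article; the local prefixes and the sample packets are constructed, and it goes slightly beyond the text by handling several local prefixes and IPv6 as well as IPv4.

```python
import ipaddress

# Added example (not from the article): the anti-spoofing gateway rule as a
# classifier. Outbound packets must carry a source address from a local
# prefix; inbound packets must not. The prefixes and packets are constructed.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:1::/48")]


def is_local(addr):
    """True when `addr` falls inside one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)


def classify(direction, src):
    """direction is "in" (from the Internet) or "out" (towards the Internet).

    Returns "accept" or "drop" according to the rule in the text:
    egress traffic may only use our own addresses, ingress traffic never may.
    """
    local = is_local(src)
    if direction == "out":
        return "accept" if local else "drop"
    if direction == "in":
        return "drop" if local else "accept"
    raise ValueError(f"unknown direction {direction!r}")


def dropped_packets(packets):
    """Apply the rule to (direction, src, dst) tuples; return the dropped ones."""
    return [p for p in packets if classify(p[0], p[1]) == "drop"]


SAMPLE_PACKETS = [  # constructed traffic as seen at the gateway
    ("out", "203.0.113.10", "198.51.100.5"),    # normal outbound request
    ("out", "198.51.100.77", "198.51.100.5"),   # infected host forging its source
    ("in",  "198.51.100.5", "203.0.113.10"),    # normal inbound reply
    ("in",  "203.0.113.200", "203.0.113.10"),   # inbound packet claiming to be local
    ("in",  "2001:db8:1::7", "2001:db8:1::1"),  # same trick over IPv6
]

if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        print(f"{direction:>3} {src:>15} -> {dst:<15} {classify(direction, src)}")
```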
generated by popular virtual hosts, directories, locations, or users. Download from here.
mod_bwshare accepts or rejects HTTP requests from each client IP address, based on past downloads by that client IP address. More here. Apart from the above, one module that is designed specifically as a remedy for Apache DoS attacks is mod_dosevasive (Download link). This module allows you to specify a maximum number of requests executed by the same IP address. If the threshold is reached, the IP address is blacklisted for the time period you specify. The only problem with this module is that users, in general, do not have unique IP addresses. Many users browse through proxies, or are hidden behind a NAT (network address translation) system. Blacklisting a proxy will cause all users behind it to be blacklisted. Hence, it is recommended to keep traffic-shaping modules higher in your priority list.
Tags: abuse, Apache, attacker, C/C++, CPU, cpu time, critical resources, database server, DDoS, DDoS attacks, dos attacks, html, ICMP, IDS, image files, intrusion-detection systems, ISPs, LFY April 2011, LOIC, malicious code, malware, network bandwidth, network infrastructure, packets, reboot, routers, RPC, Securing Apache series, Security, sending messages, syn flood, syn flood attack, SYN flooding, target application, target machine, TCP, TFTP, Trinity, web applications, Web server
Comments:
manish kumar: these articles are really good
Kevin Daniel: MERRY CHRISTMAS!!!!
Sukhdeep Sedha: DDoS attacks are posing threat to servers..
Nilesh Dhodad: nice series
Rakesh Jain: very useful this is ..
Tomas Cirip: Good article, very easy to read. Thanks
All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted. LINUX For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.