Hacking Book 2: Threats and Defensive Mechanisms
Chapter 6: Denial of Service
Copyright by EC-Council Press
All rights reserved. Reproduction is strictly prohibited
Objectives
Define what a denial-of-service attack is
Identify the types of denial-of-service attacks
List the tools that facilitate a denial-of-service attack
Define bots
Explain what a distributed denial-of-service attack is
Objectives (contd.)
Identify the taxonomy of a distributed denial-of-service attack
Define what a reflected denial-of-service attack is
List tools that facilitate a distributed denial-of-service attack
List countermeasures to a distributed denial-of-service attack
Case Example 1
Henderson, an investigative journalist in the field of information security, set up a new security portal called HackzXposed4u
The portal claimed to expose the activities and identities of all known hackers across the globe
He planned a worldwide launch on March 28
The portal received wide media coverage before its release
Within five minutes of launch, the server crashed
A large number of computers connected to the Internet played the role of zombie machines, and all were directed toward the HackzXposed4u portal
Case Example 2
Blogging service wordpress.com was attacked with a denial-of-service attack
The attack caused heavy loads on the server, making it inaccessible
In the same attack, CNN Interactive was unable to update its stories for two hours
This was a devastating problem for a news organization that takes pride in its timeliness
Introduction to Denial of Service
Denial-of-service (DoS) attack: the attacker overloads a system's resources, bringing the system down, or at least significantly slowing system performance
Targets network bandwidth or connectivity
Examples:
Flooding the victim with more traffic than it can handle
Flooding a service (like IRC) with more events than it can handle
Crashing a TCP/IP stack by sending corrupt packets
Overview
Goal of a DoS attack: keep legitimate users from using the system
Attackers may do the following:
Attempt to flood a network in order to prevent legitimate traffic
Attempt to disrupt connections in order to disrupt access to a service
Attempt to prevent a particular user from accessing a service
Attempt to disrupt service to a specific system
Impact and the Modes of Attack
Denial-of-service attacks can compromise the computers in a network
Network Connectivity: the goal is to stop hosts or networks from communicating on the network or to disrupt network traffic
Misuse of Internal Resources: in a fraggle attack, forged UDP packets are used to connect the echo service on one machine to the character generator on another machine
Bandwidth Consumption: an attacker can consume all of the bandwidth on a network by generating a large number of packets
Impact and the Modes of Attack (contd.)
Consumption of Other Resources: attackers may be able to consume other resources that systems need to operate
Destruction or Alteration of Configuration Information: alteration of the configuration of a computer, or of the components in the network, may disrupt the normal functioning of the system
Types of Attacks
DoS Attack Classification
Smurf
Buffer overflow attack
Ping of death
Teardrop
SYN flood
Distributed denial-of-service attacks: multiple compromised systems are coordinated in an attack against one target
Types of Attacks (contd.)
Figure 6-1 In this attack, the systems on the network respond to the spoofed IP address.
DoS Attack Tools
Tools include:
Jolt2
Bubonic
Land and LaTierra
Targa
Blast
Nemesy
Panther2
Crazy Pinger
Some Trouble
UDP Flood
FSMax

DoS Attack Tools (contd.)
Figure 6-3 Bubonic's sending so many random packets to a machine quickly overwhelms system resources.
Bots
Bots: software applications that run automated tasks over the Internet
Types of bots: Internet bots, IRC bots, and chatter bots
Botnets: derived from the phrase roBOT NETwork
Can be composed of a huge network of compromised systems
Also referred to as agents that an intruder can send to a server system to perform some illegal activity
Bots (contd.)
Uses of Botnets
Distributed denial-of-service attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisement add-ons
Google AdSense abuse
Attacking IRC chat networks
Manipulating online polls and games
Mass identity theft
Bots (contd.)
How Bots Infect: An Analysis of Agobot
Step 1: Method of Infection
Step 2: Massive Spreading Stage
Step 3: Connect Back to IRC
Step 4: Attacker Takes Control of the Victim's Computer
Process Termination: Agobots are also designed to interrupt programs that appear to be antivirus or other security programs
NuclearBot: IRC bot that can be used for floods, managing, utilities, spread, and IRC-related actions
Bots (contd.)
Figure 6-8 This shows how an Agobot infection spreads.
What Is a DDoS Attack?
Distributed denial-of-service (DDoS) attack: a large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers on the Internet
Main objective of any DDoS attacker: gain administrative access on as many systems as possible
Early Attacks
February 2000: One of the first major DDoS attacks was waged against yahoo.com
What Is a DDoS Attack? (contd.)
Is DDoS Stoppable?
DDoS attack is common for noncommercial entities
A firewall does not guarantee 100% protection against attacks, but it can prevent some DoS/DDoS attacks
How to Conduct a DDoS Attack
Write a virus that will send ping packets to a target network/Web site
Infect a minimum of 30,000 computers (zombies)
Trigger the zombies to launch the attack by sending wake-up signals
Zombies will start attacking the target server until it is disinfected
What Is a DDoS Attack? (contd.)
Figure 6-11 Many distributed denial-of-service attacks use the agent/handler model.
What Is a DDoS Attack? (contd.)
Agent/Handler Model
Consists of clients, handlers, and agents
Agent software is installed in compromised systems that will carry out the attack
Agents can be configured to communicate with a single handler or multiple handlers
Handler software is placed on a compromised router or network server
The terms master and daemon are often used for handler and agent
What Is a DDoS Attack? (contd.)
DDoS IRC-Based Model
Internet Relay Chat (IRC): multiuser online chatting system consisting of a network of servers located throughout the Internet
IRC-based DDoS attack network is just like the agent/handler DDoS attack model
It is installed on a network server instead of using a handler program
It makes use of the IRC communication channel to connect the attacker to the agents
DDoS Attack Taxonomy
Figure 6-12 The main types of attacks deplete either bandwidth or system resources.
Reflected DoS Attacks
The TCP three-way handshake is exploited
Zombies send out a large number of SYN packets with the target system as the IP source address
For each SYN packet sent to a reflector, up to four SYN/ACK packets will be generated
Bandwidth Multiplication: emission of several times more SYN/ACK attack traffic from the reflection servers than the triggering SYN traffic they receive
Parallel Damage: instead of sending SYN packets to the server under attack, the attacker reflects them off any router or server connected to the Internet
Reflective DNS Attacks
Figure 6-14 In reflective attacks, bots bounce requests off of servers to amplify the number of requests and halt the victim system.
DDoS Tools
Classic tools include:
Tribal Flood Network (TFN)
TFN2K
Shaft
Trinity
Knight
Kaiten
Mstream
Suggestions for Preventing DoS/DDoS Attacks
Precautionary steps:
Prevent installation of distributed attack tools on the systems
Prevent origination of IP packets with spoofed source addresses
Monitor the network for signatures of distributed attack tools
Employ stateful inspection firewalling
What to Do If Involved in a Denial-of-Service Attack
Security policies should include emergency out-of-band communication procedures to network operators and/or emergency response teams
Suggestions for Preventing DoS/DDoS Attacks (contd.)
Countermeasures for Reflected DoS
Router port 179 can be blocked as a reflector
Routers can also be configured to filter (drop) packets destined for a particular address
Servers could be programmed to recognize a SYN source IP address that never completes its connections
ISPs could prevent the transmission of fraudulently addressed packets
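The reflected SYN/ACK mechanism from the Reflected DoS Attacks slide and the "SYN source IP address that never completes its connections" countermeasure above, as an added example that is not part of the EC-Council slides. Both checks run over constructed packet records; the addresses (RFC 5737 documentation ranges), record layout and function names are assumptions made for illustration, not anything the chapter defines.

```python
# Added example, not from the EC-Council slides: two defender-side checks for a
# reflected SYN/ACK flood over constructed packet records of the form
# (direction, src, dst, tcp_flags); "in" means the packet arrived at this host.
from collections import defaultdict

VICTIM_LOG = [  # constructed: what the victim 203.0.113.5 sees
    ("out", "203.0.113.5", "198.51.100.10", "S"),   # SYN we actually sent
    ("in",  "198.51.100.10", "203.0.113.5", "SA"),  # its legitimate SYN/ACK
    ("in",  "192.0.2.1", "203.0.113.5", "SA"),      # reflected: we sent no SYN
    ("in",  "192.0.2.2", "203.0.113.5", "SA"),
    ("in",  "192.0.2.2", "203.0.113.5", "SA"),      # retransmit, same reflector
    ("in",  "192.0.2.3", "203.0.113.5", "SA"),
]

def unsolicited_synack_sources(packets, local_ip):
    """Victim-side: SYN/ACKs answering no SYN we sent -> {reflector_ip: count}."""
    opened = set()          # peers this host sent a SYN to
    hits = defaultdict(int)
    for direction, src, dst, flags in packets:
        if direction == "out" and src == local_ip and flags == "S":
            opened.add(dst)
        elif direction == "in" and dst == local_ip and flags == "SA":
            if src not in opened:   # nothing outstanding: a reflector
                hits[src] += 1
    return dict(hits)

REFLECTOR_LOG = [  # constructed: what one reflector 192.0.2.1 sees
    ("in",  "203.0.113.5", "192.0.2.1", "S"),       # spoofed, src = victim
    ("out", "192.0.2.1", "203.0.113.5", "SA"),      # our reply goes to victim
    ("in",  "203.0.113.5", "192.0.2.1", "S"),       # final ACK never arrives
    ("out", "192.0.2.1", "203.0.113.5", "SA"),
    ("in",  "198.51.100.20", "192.0.2.1", "S"),     # genuine client
    ("out", "192.0.2.1", "198.51.100.20", "SA"),
    ("in",  "198.51.100.20", "192.0.2.1", "A"),     # completes the handshake
]

def half_open_offenders(packets, local_ip, min_incomplete=2):
    """Reflector-side: SYN sources that never send the final ACK.
    Counts per source IP for brevity; a real tracker keys on the 4-tuple."""
    syns, acks = defaultdict(int), defaultdict(int)
    for direction, src, dst, flags in packets:
        if direction == "in" and dst == local_ip:
            if flags == "S":
                syns[src] += 1
            elif flags == "A":
                acks[src] += 1
    return {ip: n - acks[ip] for ip, n in syns.items()
            if n - acks[ip] >= min_incomplete}
```

A rising count of distinct reflectors in the first check is the victim's signal; a source that repeatedly trips the second check is what the slide suggests a server should recognize and stop answering.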
Suggestions for Preventing DoS/DDoS Attacks (contd.)
XDCC Vulnerability
XDCC is a peer-to-peer variant that uses automated bots to connect to IRC servers
IROffer: the most common bot; connects to a predefined IRC channel and posts the most popular files it has for downloading
Tools for Detecting DDoS Attacks
ipgrep
tcpdstat
findoffer
Taxonomy of DDoS Countermeasures
Figure 6-17 Being fully prepared for an attack means using as many of the countermeasures available as possible.
Summary
Denial-of-service attacks prevent legitimate users from accessing the resources and services in their network
Smurf, buffer overflow, and ping of death are some of the types of DoS attacks
SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
In distributed denial-of-service attacks, a multitude of compromised systems are engaged to bring down a target system
There can be resource depletion attacks
Summary (contd.)
Trinoo, TFN, TFN2K, and MStream are some of the tools attackers use to cause a DDoS attack
Countermeasures include preventing systems from being compromised and becoming secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack