4
Information Systems Security Training DoS Attacks: Instigation and Mitigation Author: Jeremy Martin CISSP, ISSAP, CCNA, Network+, A+ [email protected] During the release of a new software product specialized to track spam, ACME Software Inc notice tha t there was not as much traff ic as they hoped to receiv e. Durin g further investigation, they found that they could not view their own website. At that moment, the VP of sales received a call from the company's broker stating that ACME Software Inc stock fell 4 point due to lack of confidence. Several states away, spammers didn't like the idea of lower profit margins do to an easy to install spam blocking software so they thought the y would fight bac k. Ear lie r that day, they too k cont rol of hundre ds of compromised computers and used them as DoS zombies to attack ACME Software Inc's Internet servers in a vicious act of cyber assault. During an emergency pr ess conference the next morning, ACME Software Inc's CIO announced his resignation as a result of a several million dollar corporate loss. Scenarios like the one above happen a more then people think and are more costly the n most wil l admi t. Denial of Servi ce (DoS) att acks are desi gned to deple te the resources of a target computer system in an attempt to take a node off line by crashing or overloading it. Distributed Denial of S ervice (DDoS) is a DoS att ack that is engaged by many different locations. The most common DDoS attacks ar e instigated through vir uses or zombie machines. There are many reasons that DoS attacks are executed, and most of them are out of mali cious intent. DoS attacks are almost impossible to prevent i f you are singl ed out as a target. It's dif ficul t to disti nguis h the diff erence bet ween a legitima te  packet and one used for a DoS attack. The purpose of this article is to give the reader with basic network knowledge a  bette r unders tandi ng of the challenges present ed by  Denial of Service attacks, how they work, and ways to protect systems and networks from them. The attendee should have a basic knowledge of computers systems, networking, and familiarity wi th the Microsoft Windows platforms. Programming knowledge is helpf ul. ***

DoS Attacks Instigation and Mitigation

Embed Size (px)

Citation preview

Page 1: DoS Attacks Instigation and Mitigation

8/14/2019 DoS Attacks Instigation and Mitigation

http://slidepdf.com/reader/full/dos-attacks-instigation-and-mitigation 1/4

Information Systems Security Training

DoS Attacks: Instigation and Mitigation

Author: Jeremy Martin CISSP, ISSAP, CCNA, Network+, A+

[email protected]

During the release of a new software product specialized to track spam, ACME SoftwareInc notice that there was not as much traffic as they hoped to receive. During further investigation, they found that they could not view their own website. At that moment, theVP of sales received a call from the company's broker stating that ACME Software Inc

stock fell 4 point due to lack of confidence. Several states away, spammers didn't like theidea of lower profit margins do to an easy to install spam blocking software so theythought they would fight back. Earlier that day, they took control of hundreds of compromised computers and used them as DoS zombies to attack ACME Software Inc'sInternet servers in a vicious act of cyber assault. During an emergency press conferencethe next morning, ACME Software Inc's CIO announced his resignation as a result of a

several million dollar corporate loss.

Scenarios like the one above happen a more then people think and are more costlythen most will admit. Denial of Service (DoS) attacks are designed to deplete theresources of a target computer system in an attempt to take a node off line by crashing or overloading it. Distributed Denial of Service (DDoS) is a DoS attack that is engaged bymany different locations. The most common DDoS attacks are instigated through virusesor zombie machines. There are many reasons that DoS attacks are executed, and most of them are out of malicious intent. DoS attacks are almost impossible to prevent if you aresingled out as a target. It's difficult to distinguish the difference between a legitimate packet and one used for a DoS attack.

The purpose of this article is to give the reader with basic network knowledge a better understanding of the challenges presented by Denial of Service attacks, how theywork, and ways to protect systems and networks from them.

The attendee should have a basic knowledge of computers systems, networking, andfamiliarity with the Microsoft Windows platforms. Programming knowledge is helpful.

***

Page 2: DoS Attacks Instigation and Mitigation

8/14/2019 DoS Attacks Instigation and Mitigation

http://slidepdf.com/reader/full/dos-attacks-instigation-and-mitigation 2/4

Instigation

 Spoofing  – Falsifying an Internet address (know as spoofing) is the method an attacker 

uses to fake an IP address. This is used to reroute traffic to a target network node or usedto deceive a server into identifying the attacker as a legitimate node. When most of us

think of this approach of hacking, we think of someone in another city essentially becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker can take over your Internet identity in this fashion is to blind spoof. This means that theimpostor knows exactly what responses to send to a port, but will not get the

corresponding response since the traffic is routed to the original system. If the spoofing isdesigned around a DoS attack, the internal address becomes the victim. Spoofing is usedin most of the well-known DoS attacks. Many attackers will start a DoS attack to drop anode from the network so they can take over the IP address of that device. IP Hijacking isthe main method used when attacking a secured network or attempting other attacks likethe Man in the Middle attack.

 SYN Flood - Attackers send a series of SYN requests to a target (victim). The targetsends a SYN ACK in response and waits for an ACK to come back to complete thesession set up. Instead of responding with an ACK, the attacker responds with another SYN to open up a new connection. This causes the connection queues and memory buffer to fill up, thereby denying service to legitimate TCP users. At this time, the attacker can

hijack the system's IP address if that is the end goal. Spoofing the “source“ IP addresswhen sending a SYN flood will not only cover the offender's tracks, but is also a methodof attack in itself. SYN Floods are the most commonly used DoS in viruses and are easyto write. See http://www.infosecprofessionals.com/code/synflood.c.txt

 Smurf Attack - Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a

large number of ICMP echo (ping) traffic at IP broadcast addresses, using a fake source

address. The “source” or spoofed address will be flooded with simultaneous replies (SeeCERT Advisory: CA-1998-01). This can be prevented by simply blocking broadcasttraffic from remote network sources using access control lists.

Fraggle Attack – This types of attack is the same as a Smurf attack except using UDP

instead if TCP. By sending an UDP echo (ping) traffic to IP broadcast addresses, thesystems on the network will all respond to the spoofed address and affect the targetsystem. This is a simple rewrite of the Smurf code. This can be prevented by simply blocking broadcast traffic from remote IP address.

 Ping of Death - An attacker sends illegitimate ICMP (ping) packets larger than 65,536

 bytes to a system with the intention of crashing it. These attacks have been outdated sincethe days of NT4 and Win95.

Teardrop - Otherwise known as an IP fragmentation attack, this DoS attack targetssystems that are running Windows NT 4.0, Win95 , Linux up to 2.0.32. Like the Ping of Death, the Teardrop is no longer effective.

Page 3: DoS Attacks Instigation and Mitigation

8/14/2019 DoS Attacks Instigation and Mitigation

http://slidepdf.com/reader/full/dos-attacks-instigation-and-mitigation 3/4

 Application Attack  - Thess are DoS attacks that involve exploiting an applicationvulnerability causing the target program to crash or restart the system.

Kazaa and Morpheus have a known flaw that will allow an attacker to consume allavailable bandwidth without being logged.

See http://www.infosecprofessionals.com/code/kazaa.pl.txt  

Microsoft's IIS 5 SSL also has an easy way to exploit vulnerability. Most exploits likethese are easy to find on the Internet and can be copied and pasted as working code.

There are thousands of exploits that can be used to DoS a target system/application. Seehttp://www.infosecprofessionals.com/code/IIS5SSL.c.txt 

Viruses, Worms, and Antivirus – Yes, Antivirus. Too many cases where the antivirusconfiguration is wrong or the wrong edition is installed. This lack of foresight causes anunintentional DDoS attack on the network by taking up valuable CPU resources and

 bandwidth. Viruses and worms also cause DDoS attacks by the nature of how theyspread. Some purposefully attack an individual target after a system has been infected.The Blaster worm that exploits the DCOM RPC vulnerability (described in MicrosoftSecurity Bulletin MS03-026) using TCP port 135 is a great example of this. The Blaster targeted Microsoft's windows update site by initiating a SYN FLOOD. Because of this,Microsoft decided to no longer resolve the DNS for 'windowsupdate.com'.

DoS attacks are impossible to stop. However, there are things you can do tomitigate potential damages they may cause to your environment. The main thing toremember is that you always need to keep up-to-date on the newest threats.

Mitigation

 Antivirus software – Installing an antivirus software with the latest virus definitions willhelp prevent your system from becoming a DoS zombie. Now, more then ever, this is animportant feature that you must have. With lawsuits so prevalent, not having the proper  protection can leave you open for downstream liability.

 Software updates - Keep your software up to date at all times. This includes antivirus,email clients, and network servers. You also need to keep all network Operating Systemsinstalled with the latest security patches. Microsoft has done a great job with makingthese patches available for their Windows distributions. Linux has been said to be moresecure, but the patches are far more scarce. RedHat is planning on incorporating the

 NSA's SE Linux kernel into future releases. This will give Mandatory Access Control

(MAC) capabilities to the Linux community.

 Network protection - Using a combination of firewalls and Intrusion Detection Systems(IDS) can cut down on suspicious traffic and can make the difference between loggedannoyance and your job. Firewalls should be set to deny all traffic that is not specifically

designed to pass through. Integrating an IDS will warn you when strange traffic is presenton your network. This will assist you in finding and stopping attacks.

Page 4: DoS Attacks Instigation and Mitigation

8/14/2019 DoS Attacks Instigation and Mitigation

http://slidepdf.com/reader/full/dos-attacks-instigation-and-mitigation 4/4

 Network device configuration – Configuring perimeter devices like routers can detectand in some cases prevent DoS attacks. Cisco routers can be configured to actively prevent SYN attacks starting in Cisco IOS 11.3 and higher using the TCP intercept

command in global configuration mode.

access-list number {deny | permit} tcp any destination destination-wildcard ip tcp intercept list access-list-number ip tcp intercept ? ( will give you a good list of other options.)

Cisco routers can prevent Smurf and Fraggle attacks by blocking broadcast traffic. SinceCisco IOS 12.0, this is the default configuration. ACLs or access control lists should also be configured on all interfaces.

no ip directed-broadcast 

The Cisco router can also be used to prevent IP spoofing.

ip access-group list in interfaceaccess-list number deny icmp any any redirect access-list number deny ip 127.0.0.0 0.255.255.255 anyaccess-list number deny ip 224.0.0.0 31.255.255.255 any

access-list number deny ip host 0.0.0.0 anySee Improving Security on Cisco Routers - www.cisco.com/warp/public/707/21.html 

Old Cisco IOS versions are vulnerable to several DoS attacks. The “ Black Angels” wrotea program called Cisco Global Exploiter. This is a great software to use when testing thesecurity of your Cisco router version and configuration and can be found at

http://www.blackangels.it/Projects/cge.htm

Security is not as mystical as people believe. DoS attacks come in many differenttypes and can be devastating if you don't take the proper precautions. Keep up to date andtake steps to secure network nodes. Keeping security in mind can minimize damages,downtime, and save your career.

Resources

Security Resources

Black Angels: http://www.blackangels.it/

Cisco: http://www.cisco.comMicrosoft: http://www.microsoft.com/technet/security/current.aspx

Forum of Incident Response and Security Teams: http://www.first.org/SANS Institute: http://www.sans.org/resources/


Mitigation of Insider Attacks for Data Security in

Mitigation of Insider Attacks for Data Security in

Documents
Detection and Mitigation of DoS and DDoS Attacks in IoT

Detection and Mitigation of DoS and DDoS Attacks in IoT

Documents
Attacks and Mitigation Techniques

Attacks and Mitigation Techniques

Documents
Layer 2 Attacks and Mitigation

Layer 2 Attacks and Mitigation

Documents
Adversarial Attacks and Mitigation for Anomaly Detectors

Adversarial Attacks and Mitigation for Anomaly Detectors

Documents
Pass the Hash Attacks Tools Mitigation 33283

Pass the Hash Attacks Tools Mitigation 33283

Documents
Prevention, Protection and Mitigation of DDoS Attacks

Prevention, Protection and Mitigation of DDoS Attacks

Documents
Low-cost Mitigation against Cold Boot Attacks for an ...fms27/papers/2016-GoldbergJenSta-cold.pdf · Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian

Low-cost Mitigation against Cold Boot Attacks for an ...fms27/papers/2016-GoldbergJenSta-cold.pdf · Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian

Documents
Layer 2 Attacks and Mitigation Techniques for the Cisco ...Layer 2 Attacks and Mitigation Techniques for the Cisco Catalyst ... A Cisco Catalyst 6509E switch with a Supervisor 720-3B

Layer 2 Attacks and Mitigation Techniques for the Cisco ...Layer 2 Attacks and Mitigation Techniques for the Cisco Catalyst ... A Cisco Catalyst 6509E switch with a Supervisor 720-3B

Documents
Entrapment and Instigation

Entrapment and Instigation

Documents
MITIGATION OF CONTROL AND DATA TRAFFIC ATTACKS IN WIRELESS · MITIGATION OF CONTROL AND DATA TRAFFIC ATTACKS IN WIRELESS AD-HOC AND SENSOR NETWORKS A Thesis Submitted to the Faculty

MITIGATION OF CONTROL AND DATA TRAFFIC ATTACKS IN WIRELESS · MITIGATION OF CONTROL AND DATA TRAFFIC ATTACKS IN WIRELESS AD-HOC AND SENSOR NETWORKS A Thesis Submitted to the Faculty

Documents
Modeling, Early Detection, and Mitigation of Internet Worm Attacks

Modeling, Early Detection, and Mitigation of Internet Worm Attacks

Documents
DefensePro: DDoS Protection and Attack Mitigation...usually undetected by traditional DDoS mitigation tools, such as SSL-based lood attacks, attacks on login pages and attacks behind

DefensePro: DDoS Protection and Attack Mitigation...usually undetected by traditional DDoS mitigation tools, such as SSL-based lood attacks, attacks on login pages and attacks behind

Documents
Timely Detection and Mitigation of Stealthy DDoS Attacks

Timely Detection and Mitigation of Stealthy DDoS Attacks

Documents
Layer 2 Attacks and Their Mitigation - · PDF fileLayer 2 Attacks and Their Mitigation Louis Senecal ... focus is on L2 attacks and their mitigation. 4 Host B Why Worry about Layer

Layer 2 Attacks and Their Mitigation - · PDF fileLayer 2 Attacks and Their Mitigation Louis Senecal ... focus is on L2 attacks and their mitigation. 4 Host B Why Worry about Layer

Documents
Attacks, Mitigation and fundamental software problems

Attacks, Mitigation and fundamental software problems

Documents
DDoS Attacks : Preparation Detection Mitigation

DDoS Attacks : Preparation Detection Mitigation

Internet
Lightweight Mitigation of Hardware Trojan Attacks …sudeep/wp-content/...Lightweight Mitigation of Hardware Trojan Attacks in NoC-based Manycore Computing Venkata Yaswanth Raparti,

Lightweight Mitigation of Hardware Trojan Attacks …sudeep/wp-content/...Lightweight Mitigation of Hardware Trojan Attacks in NoC-based Manycore Computing Venkata Yaswanth Raparti,

Documents
Layer 2 Attacks and Mitigation Techniques for the Cisco · PDF fileLayer 2 Attacks and Mitigation Techniques for the Cisco Catalyst 6500 Series Switches Running Cisco IOS Software

Layer 2 Attacks and Mitigation Techniques for the Cisco · PDF fileLayer 2 Attacks and Mitigation Techniques for the Cisco Catalyst 6500 Series Switches Running Cisco IOS Software

Documents
Layer 2 Attacks and Mitigation Techniques for the Cisco

Layer 2 Attacks and Mitigation Techniques for the Cisco

Documents
Attacks Against the Cloud: A Mitigation Strategy · (@grnet_cert) Cloud Attack Mitigation & Firewall on Demand. Content Cloud Attack Mitigation & Firewall on Demand HiPEAC –CSW

Attacks Against the Cloud: A Mitigation Strategy · (@grnet_cert) Cloud Attack Mitigation & Firewall on Demand. Content Cloud Attack Mitigation & Firewall on Demand HiPEAC –CSW

Documents
Analysis and Mitigation of Recent Attacks on Mobile … · 2017-04-28 · Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Master’s Thesis Espoo, 25 June

Analysis and Mitigation of Recent Attacks on Mobile … · 2017-04-28 · Analysis and Mitigation of Recent Attacks on Mobile Communication Backend Master’s Thesis Espoo, 25 June

Documents
Layer 2 Attacks and Their Mitigation · 3 Caveats • All attacks and mitigation techniques assume a switched Ethernet network running IP If shared Ethernet access is used (WLAN,

Layer 2 Attacks and Their Mitigation · 3 Caveats • All attacks and mitigation techniques assume a switched Ethernet network running IP If shared Ethernet access is used (WLAN,

Documents
Distributed Denial of Service Attacks Detection and Mitigation · PDF fileDistributed Denial of Service Attacks Detection and Mitigation ... Definitely get that presentation and do

Distributed Denial of Service Attacks Detection and Mitigation · PDF fileDistributed Denial of Service Attacks Detection and Mitigation ... Definitely get that presentation and do

Documents
Vehicle-Borne Attacks: Tactics and Mitigation

Vehicle-Borne Attacks: Tactics and Mitigation

Documents
Network-aware Mitigation of Data Integrity Attacks on ...gyuri/Pub/Vukovic-JSAC2012.pdf · Network-aware Mitigation of Data Integrity Attacks on Power System State Estimation

Network-aware Mitigation of Data Integrity Attacks on ...gyuri/Pub/Vukovic-JSAC2012.pdf · Network-aware Mitigation of Data Integrity Attacks on Power System State Estimation

Documents
DDoS Attacks - Scenery, Evolution and Mitigation

DDoS Attacks - Scenery, Evolution and Mitigation

Internet
attacks using BGP Flowspec Adaptive mitigation of DDoS · Adaptive mitigation of DDoS attacks using BGP Flowspec How to utilize BGP extension to fight with volumetric DOS attacks

attacks using BGP Flowspec Adaptive mitigation of DDoS · Adaptive mitigation of DDoS attacks using BGP Flowspec How to utilize BGP extension to fight with volumetric DOS attacks

Documents
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches

Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches

Internet
Detection and mitigation of localized attacks in a widely ......Detection and mitigation of localized attacks in a widely deployed P2P network 3 DHT attacks when a peer uses the DHT

Detection and mitigation of localized attacks in a widely ......Detection and mitigation of localized attacks in a widely deployed P2P network 3 DHT attacks when a peer uses the DHT

Documents