⚡︎ This chapter has practical labs
A Denial of Service (DoS) is a type of attack on a service that disrupts its normal function and prevents other users from accessing it. The most common target for a DoS attack is an online service such as a website, though attacks can also be launched against networks, machines or even a single program.
DoS attacks can cause the following problems:
- Ineffective services
- Inaccessible services
- Interruption of network traffic
- Connection interference
A distributed denial of service (DDoS) attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet.
- Goal: seeks to take down a system or deny access to it by authorized users.
- Botnet: a network of zombie computers that a hacker uses to launch a distributed attack.
- Botnets can be designed to do malicious tasks including sending spam, stealing data, ransomware, fraudulently clicking on ads or distributed denial-of-service (DDoS) attacks.
- Can be controlled over HTTP, HTTPS, IRC, or ICQ
- Botnet scanning methods:
  - Random - randomly looks for vulnerable devices
  - Hitlist - given a list of devices to scan for vulnerabilities
  - Topological - scans hosts discovered by currently exploited devices
  - Local subnet - scans the local network for vulnerable devices
  - Permutation - scans a list of devices created through a pseudorandom permutation algorithm
- Volumetric attacks consume the bandwidth of the target network or service.
- Send a massive amount of traffic to the target network with the goal of consuming so much bandwidth that users are denied access.
- Bandwidth depletion attacks: flood attacks and amplification attacks.
- Attacks:
  - UDP flood attack
  - ICMP flood attack
  - Ping of Death attack
  - Smurf attack (IP)
  - Fraggle (UDP)
  - Malformed IP packet flood attack
  - Spoofed IP packet flood attack
⚠️ Volumetric attacks are measured in bits per second (bps).
- Protocol attacks consume other types of resources, such as the connection state tables present in network infrastructure components like load balancers, firewalls and application servers.
- Attacks:
  - SYN flood attack
  - Fragmentation attack
  - ACK flood attack
  - TCP state exhaustion attack
  - TCP connection flood attack
  - RST attack
⚠️ Protocol attacks are measured in packets per second (pps).
- Application layer attacks include low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities, and more.
- Consume the resources necessary for the application to run.
- Target web servers, web applications and specific web-based apps.
- Abuse higher-layer (7) protocols like HTTP/HTTPS and SNMP.
- Attacks:
  - HTTP GET/POST attack
  - Slowloris attack
⚠️ Application layer attacks are measured in requests per second (rps).
⚠️ Application level attacks target weak code.
- IP/ICMP fragmentation attacks are a common form of volumetric DoS. In such an attack, datagram fragmentation mechanisms are used to overwhelm the network.
- Bombards the destination with fragmented packets, forcing it to spend memory reassembling all those fragments and overwhelming the targeted network.
- Can manifest in different ways:
  - UDP flooding - attacker sends large volumes of fragments from numerous sources.
  - UDP and ICMP fragmentation attack - only parts of the packets are sent to the target; since the packets are fake and cannot be reassembled, the server's resources are quickly consumed.
  - TCP fragmentation attack - also known as a Teardrop attack, targets TCP/IP reassembly mechanisms; fragmented packets are prevented from being reassembled. The result is that data packets overlap and the targeted server becomes completely overwhelmed.
- Attempts to consume connection state tables in load balancers, firewalls and application servers.
- Slowloris is an application layer attack that works by sending partial HTTP requests. It opens connections to a targeted web server and then keeps those connections open as long as it can.
- The attacker first opens multiple connections to the targeted server by sending multiple partial HTTP request headers.
- The target opens a thread for each incoming request.
- To prevent the target from timing out the connections, the attacker periodically sends further partial request headers to keep each request alive, in essence saying, "I'm still here! I'm just slow, please wait for me."
- The targeted server is never able to release any of the open partial connections while it waits for the request to complete.
- Once all available threads are in use, the server is unable to respond to additional requests from regular traffic, resulting in denial of service.
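The mitigation this description implies, as an added example that is not part of the original notes: a connection-table policy (modelled in Python, not a real web server) that caps concurrent connections per client address and closes any connection whose request headers have not completed within a fixed deadline measured from connection open, so trickled partial headers cannot keep a slot alive. Addresses and limits are constructed.

```python
from typing import Dict, List, Optional

class ConnectionGuard:
    """Connection-table policy a front end applies against slow-header clients (a model, not a real server):
    at most `max_per_ip` concurrent connections per client address, `max_total` overall, and any connection
    that has not completed its request headers within `header_deadline` seconds of opening is closed."""

    def __init__(self, max_per_ip: int, header_deadline: float, max_total: int):
        self.max_per_ip, self.header_deadline, self.max_total = max_per_ip, header_deadline, max_total
        self.conns: Dict[int, dict] = {}   # conn id -> {"ip", "opened", "done"}
        self._next_id = 0

    def count_for(self, ip: str) -> int:
        return sum(1 for c in self.conns.values() if c["ip"] == ip)

    def accept(self, ip: str, now: float) -> Optional[int]:
        """Admit a new connection or refuse it (None) when the per-IP or global cap is reached."""
        if len(self.conns) >= self.max_total or self.count_for(ip) >= self.max_per_ip:
            return None
        cid, self._next_id = self._next_id, self._next_id + 1
        self.conns[cid] = {"ip": ip, "opened": now, "done": False}
        return cid

    def headers_complete(self, cid: int) -> None:
        self.conns[cid]["done"] = True

    def reap(self, now: float) -> List[int]:
        """Close connections still reading headers past the deadline. Trickled partial header lines do not
        reset the clock: the deadline counts from connection open, which is what defeats the keep-alive trickle."""
        stale = [cid for cid, c in self.conns.items() if not c["done"] and now - c["opened"] > self.header_deadline]
        for cid in stale:
            del self.conns[cid]
        return stale

def simulate(max_per_ip: int = 20, header_deadline: float = 20.0, max_total: int = 150) -> dict:
    """Constructed scenario: one address tries to park 200 never-finishing requests while a normal client
    completes its headers. Returns the observable outcome."""
    g = ConnectionGuard(max_per_ip, header_deadline, max_total)
    held = [cid for _ in range(200) if (cid := g.accept("203.0.113.66", 0.0)) is not None]
    legit = g.accept("198.51.100.7", 5.0)
    g.headers_complete(legit)
    early = g.reap(15.0)          # attacker still trickling header fragments; nobody is past the deadline yet
    late = g.reap(25.0)           # deadline hit: the 20 parked connections go, the completed one stays
    return {"attacker_held": len(held), "reaped_early": len(early), "reaped_late": len(late),
            "legit_kept": legit in g.conns, "free_slots": max_total - len(g.conns)}
```

Without the per-IP cap the attacker would have filled all 150 slots before the deadline ever fired, which is the difference between the two controls.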
- SYN flood: sends thousands of SYN packets using a false source address / spoofed IP address.
- The server responds to each connection request and leaves an open port waiting for the response.
- While the server waits for the final ACK packet, which never arrives, the attacker continues to send more SYN packets. Each new SYN packet causes the server to temporarily hold a new open port connection for a certain length of time, and once all the available ports have been used up the server is unable to function normally.
- Eventually engages all resources and exhausts the machine.
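SYN cookies are the standard defence against the half-open connection exhaustion described above. The following is an added example, not from the original notes, of a simplified cookie scheme: a keyed hash of the connection 4-tuple and a coarse time slot is folded into the server's initial sequence number, so no state is kept until a valid ACK arrives (real stacks also encode MSS). The secret, addresses and ports are constructed.

```python
import hashlib, hmac, ipaddress, struct

SLOT_SECONDS = 64     # cookie "clock" tick; the slot number is folded into the ISN
COOKIE_WINDOW = 4     # how many past slots remain valid (about 4 minutes here)

def _keyed24(secret: bytes, src: str, sport: int, dst: str, dport: int, slot: int) -> int:
    """HMAC over the connection 4-tuple and the time slot, truncated to 24 bits."""
    msg = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed + struct.pack("!H", dport)
           + struct.pack("!I", slot))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int, now: float) -> int:
    """Initial sequence number the server puts in its SYN-ACK.
    Layout (simplified against real stacks, which also encode MSS): high 8 bits = slot mod 256,
    low 24 bits = keyed hash. Nothing is stored per half-open connection, so a flood of spoofed SYNs
    costs the server one HMAC each and no table entry."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0xFF) << 24) | _keyed24(secret, src, sport, dst, dport, slot)

def check_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                     ack_num: int, now: float) -> bool:
    """Validate the handshake-completing ACK: its acknowledgement number must be our cookie + 1, and the
    cookie must have been minted for this 4-tuple within the last COOKIE_WINDOW slots. Only when this
    returns True does the server allocate connection state."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    cur = int(now) // SLOT_SECONDS
    for age in range(COOKIE_WINDOW):
        slot = cur - age
        if slot < 0 or (slot & 0xFF) != isn >> 24:
            continue
        if hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"),
                               _keyed24(secret, src, sport, dst, dport, slot).to_bytes(3, "big")):
            return True
    return False

def demo() -> dict:
    """Constructed handshake: a client completes within the window, a replay from a later time fails,
    and a forged or mismatched ACK is rejected without any stored state."""
    secret = b"rotate-me-periodically"        # constructed key; real deployments rotate it
    srv, cli = "198.51.100.1", "203.0.113.5"
    isn = make_syn_cookie(secret, cli, 40000, srv, 443, 1000.0)
    ack = (isn + 1) & 0xFFFFFFFF
    return {"fresh": check_syn_cookie(secret, cli, 40000, srv, 443, ack, 1000.0),
            "within_window": check_syn_cookie(secret, cli, 40000, srv, 443, ack, 1000.0 + 3 * SLOT_SECONDS),
            "expired": check_syn_cookie(secret, cli, 40000, srv, 443, ack, 1000.0 + 4 * SLOT_SECONDS),
            "wrong_port": check_syn_cookie(secret, cli, 40001, srv, 443, ack, 1000.0),
            "forged": check_syn_cookie(secret, cli, 40000, srv, 443, 0x12345678, 1000.0)}
```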
- ICMP flood: sends ICMP Echo packets with a spoofed address until the target's packets-per-second limit is reached.
- It is possible to use `hping3` to perform an ICMP flood: `hping3 -1 --flood --rand-source <target>`
- The Smurf attack is a distributed denial-of-service attack in which large numbers of ICMP packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
- Fraggle: same concept as the Smurf attack but with UDP packets (UDP flood attack).
- It is possible to use `hping3` to perform a Fraggle attack / UDP flood: `hping3 --flood --rand-source --udp -p <port> <target>`
- Ping of Death: fragments ICMP messages so that, once reassembled, the ICMP packet is larger than the maximum size and crashes the system.
- Works by sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.
- Old technique that may still apply to old systems.
- Teardrop: overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash during fragment reassembly.
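For the fragmentation, Ping of Death and Teardrop items above, an added example (not from the original notes) of a reassembly buffer hardened against each: it rejects datagrams that would reassemble beyond the 16-bit IP length limit, discards any datagram that receives overlapping fragments, caps fragment memory per source address, and expires incomplete datagrams. Fragments are modelled as Python objects rather than parsed from packets; addresses and limits are constructed.

```python
from collections import namedtuple

MAX_DATAGRAM = 65535          # 16-bit IP total length; a datagram that would reassemble past it is the Ping of Death shape
REASSEMBLY_TIMEOUT = 30.0     # seconds an incomplete datagram may wait for missing fragments
MAX_BUFFERED_PER_SRC = 65536  # fragment bytes held per source, so one sender cannot exhaust reassembly memory

# src address, ident (IP identification field), offset (bytes into the datagram), more (MF flag), payload
Fragment = namedtuple("Fragment", "src ident offset more payload")

class Reassembler:
    def __init__(self):
        self.pending = {}    # (src, ident) -> {"seen": first arrival, "pieces": {offset: payload}, "total": length or None}
        self.buffered = {}   # src -> fragment bytes currently held for that source
        self.dropped = []    # (src, ident, reason) records for logging and alerting

    def _release(self, key, reason):
        p = self.pending.pop(key, None)
        if p is not None:
            self.buffered[key[0]] = self.buffered.get(key[0], 0) - sum(len(b) for b in p["pieces"].values())
        if reason != "complete":
            self.dropped.append((key[0], key[1], reason))

    def feed(self, f, now):
        """Return the reassembled datagram when complete, else None; a hostile fragment discards its whole datagram."""
        key, end = (f.src, f.ident), f.offset + len(f.payload)
        if end > MAX_DATAGRAM:                                   # Ping of Death: would exceed the IP maximum
            self._release(key, "oversized"); return None
        p = self.pending.setdefault(key, {"seen": now, "pieces": {}, "total": None})
        if any(f.offset < o + len(d) and o < end for o, d in p["pieces"].items()):  # Teardrop: overlapping offsets
            self._release(key, "overlap"); return None
        if self.buffered.get(f.src, 0) + len(f.payload) > MAX_BUFFERED_PER_SRC:   # never-completing fragment flood
            self._release(key, "per-source memory cap"); return None
        p["pieces"][f.offset] = f.payload
        self.buffered[f.src] = self.buffered.get(f.src, 0) + len(f.payload)
        if not f.more: p["total"] = end                          # MF=0 marks the last fragment and fixes the total size
        pos = 0                                                  # contiguity walk: bytes 0..total covered exactly once
        for off in sorted(p["pieces"]):
            if off != pos: return None
            pos += len(p["pieces"][off])
        if pos != p["total"]: return None                        # also None while the MF=0 fragment is still missing
        data = b"".join(p["pieces"][o] for o in sorted(p["pieces"]))
        self._release(key, "complete")
        return data

    def expire(self, now):
        """Free datagrams that waited longer than REASSEMBLY_TIMEOUT; returns how many were dropped."""
        stale = [k for k, p in self.pending.items() if now - p["seen"] > REASSEMBLY_TIMEOUT]
        for k in stale: self._release(k, "timeout")
        return len(stale)
```

Exact duplicate fragments (retransmissions) are treated as overlaps here; a production stack tolerates identical duplicates and rejects only conflicting ones.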
- Peer-to-peer attack: clients of a peer-to-peer file-sharing hub are disconnected and directed to connect to the target system instead.
- A combination of volumetric, protocol and application-layer attacks launched together.
- Permanent DoS: a DoS attack that causes permanent damage to a system.
- Modifies firmware and can brick the system.
- e.g. sending a fraudulent hardware update to the victim that crashes the BIOS.
- Sends a SYN packet to the target with a spoofed source IP identical to the target's own address; if vulnerable, the target loops endlessly and crashes.
- Low Orbit Ion Cannon (LOIC) - DDoS tool that floods a target with TCP, UDP or HTTP requests.
- High Orbit Ion Cannon (HOIC) - more powerful version of LOIC; targets TCP and UDP; can open up to 256 simultaneous attack sessions at once, bringing down a target system by sending a continuous stream of junk traffic until legitimate requests can no longer be processed.
- Other tools:
  - HULK
  - Metasploit
  - Nmap
  - Tsunami
  - Trinity - Linux-based DDoS tool
  - Tribe Flood Network - uses voluntary botnet systems to launch massive flood attacks
  - RUDY (R-U-Dead-Yet?) - DoS with HTTP POST via long-form field submissions
- Traffic analysis
- Filtering
- Firewalls
- ACLs
- Reverse Proxies
- Rate limiting - limiting the maximum number of connections a single IP address is allowed to make
- Load balancers
- DoS prevention software