4. Denial of Service Attacks Flashcards
- Understand how DoS attacks are accomplished. - Know how certain DoS attacks work. - Protect against DoS attacks. - Defend against specific DoS attacks. (34 cards)
Denial-of-Service Attacks
One of the most common types of attacks
Malicious attempts to disrupt the availability of a system, network, or service by overwhelming it with excessive traffic or requests, preventing legitimate users from accessing resources.
List some physical limitations of computers:
- Number of users
- Size of files
- Speed of transmission
- Amount of data stored
Exceed any of these limits and the computer will cease to respond.
LOIC (Low Orbit Ion Cannon)
- Developed by Praetox Technologies, now open-source
- Mitigated by firewalls, rate limiting, or upstream DDoS scrubbing (e.g., Cloudflare); it is pure volume and exploits no software vulnerability (nothing like XSS or SQL injection).
- Illegal for unauthorized use; used legally for stress testing with permission.
An open-source network stress testing tool, written in C#, used to perform Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks by flooding a target server with TCP, UDP, or HTTP packets, disrupting service availability.
LOIC sends high volumes of packets or requests to a target’s IP address or URL, exhausting resources such as CPU, connection slots, or bandwidth. In “Hivemind” mode it connects to an IRC channel and takes its target from there, turning many willing participants into a voluntary botnet for a coordinated DDoS. Its TCP and UDP floods work at the Transport layer (Layer 4); its HTTP flood works at the Application layer (Layer 7). It makes no attempt to spoof the source address, so each participant’s real IP appears in the target’s logs.
XOIC
- Legal only for testing network resilience with the owner’s permission; otherwise it is an unauthorized attack (in the U.S., a CFAA violation).
- Less effective than tools like HULK or DDOSIM: its unmasked, uniform traffic is easy for firewalls and DDoS protection (e.g., Cloudflare) to detect and drop.
- Has no coordination or botnet mode of its own; any “distributed” use is several operators running it independently against the same target.
An open-source Denial-of-Service (DoS) attack tool, similar to LOIC, used to flood target servers with TCP, UDP, or HTTP packets to disrupt service availability, primarily for stress testing but often misused for malicious attacks.
XOIC lets the user specify a target IP address or URL, select a port (e.g., 80 for HTTP), and choose a protocol (TCP, UDP, or HTTP) to send a high volume of packets or requests, overwhelming the target’s resources (e.g., CPU, bandwidth). Its TCP and UDP floods work at the Transport layer (Layer 4); its HTTP flood works at the Application layer (Layer 7). It is simpler to configure than LOIC but lacks LOIC’s Hivemind mode for coordinated DDoS attacks. Attacks are easily traced because the source IP addresses are not spoofed.
TFN (Tribe Flood Network)
- Predecessor to TFN2K; one of the first DDoS tools (1999), contemporary with trinoo.
- Mitigated by ingress/egress filtering (which blocks the spoofed source addresses) and firewalls; its unencrypted command traffic makes the agents detectable on the wire.
- Agents are installed on systems already compromised by other means (remote exploits, trojaned binaries), so finding them requires auditing the hosts themselves.
An early Distributed Denial-of-Service (DDoS) attack tool that uses multiple compromised systems to flood a target with network traffic (ICMP, TCP SYN, UDP, or Smurf attacks), disrupting service availability.
TFN employs a client/server model: the attacker drives a master (client) over an ordinary remote shell, the master sends commands to agents (daemons on compromised systems) inside ICMP Echo Reply packets, and the agents flood the target with spoofed source addresses. It overwhelms targets with traffic, attacking the availability component of the CIA Triad. Operates at the Network (Layer 3) and Transport (Layer 4) layers of the OSI model. Publicly analyzed in late 1999.
TFN2K (Tribe Flood Network 2000)
- More sophisticated than TFN: commands are encrypted (CAST-256) and the protocol carrying them (TCP, UDP, or ICMP) is chosen at random.
- Mitigated by modern DDoS protection (e.g., Cloudflare), rate limiting, or CAR (Committed Access Rate) on Cisco routers.
- Illegal for unauthorized use; any legitimate stress testing happens under a signed penetration-testing agreement.
An advanced DDoS attack tool, successor to TFN, developed by Mixter (a German security professional/hacker), using encrypted client/server communication to flood targets with TCP, UDP, ICMP, or Smurf attacks, making detection harder.
TFN2K’s client issues encrypted commands to daemons (agents) on compromised systems via TCP, UDP, or ICMP (using ICMP_ECHOREPLY); the daemons then flood targets with packets whose headers are randomized. It supports spoofed source IPs and decoy packets, complicating traceback, and the daemons send no acknowledgement back to the client, so there is no reply traffic to trace either. Operates at the Network (Layer 3) and Transport (Layer 4) layers. Tools of this family were implicated in the February 2000 attacks on major commercial websites.
Example: A TFN2K attack floods a corporate website with SYN packets, causing downtime. Because a SYN flood never completes the handshake, it shows up as a spike in half-open (SYN_RECV) connections and SYN rate, not in the web server’s HTTP logs; that is the indicator to look for during an audit.
TFN and TFN2K properties?
- Can perform various protocol floods
- Master controls agents.
- Agents flood designated targets.
- Communications are encrypted (TFN2K only; TFN sends commands in the clear).
- Commands can be hidden in ordinary-looking traffic (e.g., ICMP Echo Reply packets).
- Master can spoof its IP (TFN2K); agents spoof the flood’s source addresses.
Stacheldraht properties?
- Combines trinoo’s handler/agent structure with TFN’s flood types
- Tests whether its network lets spoofed source addresses out (if not, it spoofs only the last octet)
- Performs a variety of attacks (ICMP, UDP, SYN, Smurf floods)
Stacheldraht
- More advanced than TFN: adds encrypted control traffic and agents that can update themselves; later DDoS tools (e.g., shaft, mstream in 2000) built on the same handler/agent design.
- Mitigated by ingress/egress filtering, firewalls, and DDoS protection (e.g., Cloudflare); agents run on systems that were compromised beforehand, typically through exploited network services.
- Illegal for unauthorized use; used legally for penetration testing with permission.
A Distributed Denial-of-Service (DDoS) attack tool, named after the German for “barbed wire,” written by “Random” for Linux and Solaris systems in 1999, used to flood targets with TCP SYN, UDP, ICMP, or Smurf attacks, disrupting service availability.
Stacheldraht uses a three-tier structure: a client (attacker’s system), handlers (compromised systems relaying commands), and agents (zombie systems launching attacks). It supports IP address spoofing, Blowfish-encrypted client-to-handler communication, and automated agent updates, combining features of trinoo and TFN. Operates at the Network (Layer 3) and Transport (Layer 4) layers of the OSI model. Analyzed by Dittrich in December 1999 and described in a CERT advisory in January 2000.
Example: A hacker deploys Stacheldraht to flood a hospital’s server with SYN packets from 1,000 zombie agents, causing downtime. During an audit the attack is recognized from the count of half-open connections and the SYN rate on the server and its edge firewall; Tracert is a path-diagnostic tool and plays no part in detecting it.
DoS Weaknesses?
- The flood must be sustained; service returns as soon as it stops.
- When the compromised agent machines are disinfected, the attack stops.
- The hacker’s own machine is at risk of discovery.
TCP SYN Flood Attack
- Hacker sends out a SYN packet (usually with a spoofed source address).
- Receiver must hold space in its buffer for the half-open connection until the handshake completes or times out.
- Bogus SYNs that are never acknowledged fill the buffer (the SYN backlog) and legitimate connection attempts are dropped.
SYN Cookies Method of preventing DOS Attack:
SYN Cookies
- Initially no buffer is created; the server encodes the connection details in its initial sequence number (the cookie) in the SYN/ACK.
- Client response is verified using the cookie (the ACK number returned must match).
- Only then is the buffer created.
- Costs CPU (a hash per SYN) rather than memory, and the cookie has no room for TCP options, so window scaling and SACK can be lost while cookies are in use.
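The difference between the two approaches, as an added example that is not part of the original flashcards: a stateful backlog that a flood of spoofed SYNs fills, beside a stateless SYN-cookie handshake in the style of Bernstein’s original scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash). The secret key, the 64-second tick, the MSS table and all addresses are assumptions for the simulation; nothing here touches a socket.

```python
"""SYN flood vs. SYN cookies: a stand-alone simulation (no sockets)."""
import hashlib
import hmac

# MSS values the cookie's 3-bit field can encode (assumption; real stacks use their own table).
MSS_TABLE = (536, 1300, 1440, 1460)


class HalfOpenTable:
    """Classic server: every SYN reserves a backlog slot until the handshake finishes or times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.pending = {}  # (src, sport) -> mss

    def on_syn(self, src, sport, mss):
        if len(self.pending) >= self.backlog:
            return False  # backlog full: the SYN is dropped and a real client gets no SYN/ACK
        self.pending[(src, sport)] = mss
        return True

    def on_ack(self, src, sport):
        return self.pending.pop((src, sport), None)


class SynCookieServer:
    """Stateless handshake: the server's ISN encodes everything it needs to recover the connection."""

    TICK = 64  # seconds per time-counter step, as in the original scheme

    def __init__(self, secret):
        self.secret = secret  # rotated regularly in real deployments

    def _mac24(self, src, dst, sport, dport, client_isn, t):
        msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{t}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, src, dst, sport, dport, client_isn, mss, now):
        """Answer a SYN with a cookie as ISN; no state is stored."""
        t = int(now // self.TICK)
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        return ((t & 31) << 27) | (mss_idx << 24) | self._mac24(src, dst, sport, dport, client_isn, t)

    def on_ack(self, src, dst, sport, dport, seq, ack, now):
        """Rebuild the cookie from the ACK; return the negotiated MSS, or None if it does not verify."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        t_low, mss_idx, mac = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
        t_now = int(now // self.TICK)
        t = t_now - ((t_now - t_low) & 31)  # most recent counter value with these low 5 bits
        if t_now - t > 1:
            return None  # older than two ticks: stale or forged
        if mss_idx >= len(MSS_TABLE) or mac != self._mac24(src, dst, sport, dport, client_isn, t):
            return None
        return MSS_TABLE[mss_idx]  # only now does the server allocate connection state


def demo(flood_syns=10_000, backlog=1024):
    """Flood a stateful backlog, then show the cookie server still serves a real client."""
    table = HalfOpenTable(backlog)
    for i in range(flood_syns):  # spoofed sources that never complete the handshake
        table.on_syn(f"198.51.100.{i % 250}", 10_000 + i, 1460)
    legit_stateful = table.on_syn("203.0.113.7", 40_000, 1460)

    srv = SynCookieServer(b"rotate-me-regularly")
    isn = srv.on_syn("203.0.113.7", "192.0.2.10", 40_000, 80, 123456, 1460, now=1_000_000)
    legit_cookie = srv.on_ack("203.0.113.7", "192.0.2.10", 40_000, 80, 123457, isn + 1, now=1_000_030)
    return legit_stateful, legit_cookie


if __name__ == "__main__":
    print(demo())  # (False, 1460): the stateful server drops the real client, the cookie server admits it
```

The cookie server never stores anything per SYN, so the flood costs it only one HMAC per packet; the price is the 8 bits of header the cookie spends on the time counter and MSS index, which is why the options caveat above exists.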
RST Cookies Method of preventing DOS Attack:
RST Cookies
- Sends a deliberately wrong SYN/ACK back
- A real TCP stack replies with an RST
- Verifies that the host is legitimate before accepting its next SYN
- Adds a round trip to every new connection; not compatible with Windows 95
Stack Tweaking Method of preventing DOS Attack
Stack Tweaking
- Complex method
- Alters TCP stack parameters (e.g., shorter timeout for half-open connections, larger backlog)
- Makes the attack harder but not impossible; a large enough flood still wins
Smurf IP Attack
Hacker sends ICMP echo requests to a network’s broadcast address with the source IP spoofed to the victim’s address.
- Every host on the intermediary network replies.
- ICMP echo replies flood the victim.
- The intermediary network does the flooding for the attacker; one spoofed request is amplified by the number of responding hosts.
A Distributed Denial-of-Service (DDoS) amplification attack that exploits ICMP Echo Requests (pings) by sending spoofed packets to a network’s broadcast address, causing all devices to respond to the victim, overwhelming its resources and disrupting availability.
Spoofing
A cyberattack technique where an attacker falsifies data (e.g., IP addresses, email headers, DNS records) to impersonate a trusted entity, enabling attacks like DDoS, phishing, or unauthorized access. It undermines integrity and confidentiality, and in DoS attacks availability, since spoofed sources cannot be filtered or traced.
Spoofing manipulates packet headers or metadata (e.g., the source IP in Smurf attacks) to deceive systems or users. Common types include IP spoofing (forging the source IP address), email spoofing (faking the sender address), and ARP spoofing (sending forged ARP replies that bind an IP address to the attacker’s MAC address). Used in amplification attacks like Smurf or Memcached, or to make malware such as MyDoom’s mail appear to come from a trusted sender. Operates at the Data Link (Layer 2, ARP), Network (Layer 3, IP), or Application (Layer 7, email and DNS) layers of the OSI model.
ICMP (Internet Control Message Protocol)
A Network Layer (Layer 3) protocol used for diagnostic and error-reporting functions in IP networks, supporting tools like Ping and Tracert to test connectivity and diagnose issues, but also exploited in attacks like Smurf or DDoS.
Prevent Smurf IP Attack
- Configure individual hosts and routers not to answer ICMP echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts = 1, the default); or
- Configure routers not to forward packets directed to broadcast addresses (on Cisco IOS, no ip directed-broadcast on each interface, the default since IOS 12.0), so the network cannot be used as an amplifier.
DHCP (Dynamic Host Configuration Protocol) Starvation
If enough requests flood a network, the attacker can completely exhaust the address space allocated by the DHCP servers for an indefinite period of time. This DoS attack is called DHCP starvation. An attacker can use a tool such as Gobbler to commit this type of attack easily.
The attacker sends many DHCP Discover packets, each with a different spoofed client MAC address (the chaddr field), causing the server to lease every address in its scope (e.g., 192.168.1.0/24). Legitimate devices then get no address and cannot connect, impacting availability (CIA Triad). Often run with tools like Yersinia or Gobbler. DHCP itself is an Application Layer (Layer 7) protocol over UDP, but the attack works by forging Data Link (Layer 2) addresses, which is why the defenses are switch features: DHCP snooping and port security limits on MAC addresses per port. After starvation the attacker can stand up a rogue DHCP server and hand out his own gateway and DNS addresses, enabling man-in-the-middle attacks.
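The attack and its switch-side defense, as an added example that is not from the original flashcards and is not Gobbler’s or Yersinia’s code: a minimal DHCPDISCOVER builder (RFC 2131 fixed fields plus the option-53 message type), a DHCP server leasing from the page’s 192.168.1.0/24 scope, and a port-security style cap on distinct source MACs per switch port. The MAC cap of 3, the victim’s MAC and the packet count are assumptions; nothing is transmitted.

```python
"""DHCP starvation against a /24 scope, with and without a per-port MAC limit. Offline simulation."""
import ipaddress
import random
import struct

BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr, sname, file


def build_discover(mac: str, xid: int) -> bytes:
    """Minimal DHCPDISCOVER. chaddr is where the (spoofed) client MAC lives."""
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)  # 6-byte MAC padded to 16
    fixed = struct.pack(BOOTP_FIXED, 1, 1, 6, 0, xid, 0, 0x8000,  # BOOTREQUEST, Ethernet, hlen 6, broadcast flag
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # magic cookie, option 53 = DISCOVER, end
    return fixed + options


def chaddr_of(pkt: bytes) -> str:
    """Client MAC as the server sees it: bytes 28..33 of the fixed header."""
    return ":".join(f"{b:02x}" for b in pkt[28:34])


class DhcpServer:
    """Leases one address per distinct chaddr until the scope is empty."""

    def __init__(self, scope):
        self.free = [str(h) for h in ipaddress.ip_network(scope).hosts()]
        self.leases = {}  # mac -> ip

    def discover(self, pkt):
        mac = chaddr_of(pkt)
        if mac in self.leases:
            return self.leases[mac]
        if not self.free:
            return None  # starvation: the DISCOVER gets no OFFER
        self.leases[mac] = self.free.pop(0)
        return self.leases[mac]


class SwitchPort:
    """Access port with a port-security style limit on distinct source MACs (assumed: 3)."""

    def __init__(self, max_macs=3):
        self.seen, self.max_macs, self.violations = set(), max_macs, 0

    def forward(self, src_mac):
        if src_mac not in self.seen:
            if len(self.seen) >= self.max_macs:
                self.violations += 1  # a real switch would also err-disable or drop here
                return False
            self.seen.add(src_mac)
        return True


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))  # locally administered


def starvation(max_macs=None, attacker_packets=300, seed=1):
    """Gobbler-style flood of DISCOVERs with random MACs from one port; then a real host asks for a lease."""
    rng = random.Random(seed)
    server = DhcpServer("192.168.1.0/24")  # 254 usable addresses
    port = SwitchPort(max_macs) if max_macs else None
    for xid in range(attacker_packets):
        mac = random_mac(rng)
        if port is None or port.forward(mac):
            server.discover(build_discover(mac, xid))
    victim = server.discover(build_discover("00:11:22:33:44:55", 0xBEEF))  # legitimate host, another port
    return {"victim_got_lease": victim is not None,
            "pool_left": len(server.free),
            "violations": 0 if port is None else port.violations}


if __name__ == "__main__":
    print(starvation())            # pool exhausted, victim gets nothing
    print(starvation(max_macs=3))  # 3 leases burned, 297 violations, victim served
```

The defense works because the flood has to come through one physical port: the scope can hold 254 leases, but a port that only admits 3 source MACs can burn at most 3 of them no matter how many DISCOVERs it sees.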
HTTP (Hypertext Transfer Protocol) POST
An HTTP POST DoS attack involves sending a legitimate HTTP POST request. Part of the request header is the Content-Length, which announces the size of the body to follow. In this attack the attacker sends the body at an extremely slow rate, a few bytes at a time, and the web server keeps the connection and its worker slot open waiting for the rest. For servers with larger worker pools the attacker opens many such POST connections at once, until no slot is left for legitimate clients.
Unlike HTTP GET (which retrieves data), POST sends data in the request body (e.g., form inputs, JSON), which is not cached or recorded in URL logs, making it suitable for sensitive data like passwords. The server reads the body, processes it (e.g., updates a database), and responds with a status code (e.g., 200 OK). Because the server must read the whole body before it can act, POST is the natural vehicle for the slow-body attack above, as well as for plain request floods; input from the body is also where SQL injection lands if it is not sanitized.
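The slow POST attack and the per-connection body timeout that defeats it, as an added example not taken from the original flashcards or any web server’s source: a simulated worker pool where a vulnerable configuration waits forever for the announced Content-Length, and a hardened one enforces a body deadline that is only extended by data actually arriving, the same idea as Apache’s mod_reqtimeout (RequestReadTimeout body=20,MinRate=500). The request headers, timings, pool size of 50 and the timeout values are constructed assumptions; no network I/O happens.

```python
"""Slow HTTP POST against a worker pool: no body timeout vs. a rate-extended deadline. Offline simulation."""


def parse_content_length(raw_headers: bytes) -> int:
    """Content-Length from a raw request head (first line is the request line, skipped)."""
    head, _, _ = raw_headers.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


class BodyReader:
    """State one worker holds while reading a POST body."""

    def __init__(self, content_length, now, body_timeout=None, min_rate=None):
        self.remaining = content_length
        # None = wait forever for the body: this is the vulnerable setting
        self.deadline = None if body_timeout is None else now + body_timeout
        self.min_rate = min_rate  # bytes/s; each chunk buys len(chunk)/min_rate more seconds

    def expired(self, now):
        return self.deadline is not None and now > self.deadline

    def feed(self, chunk):
        self.remaining -= len(chunk)
        if self.deadline is not None and self.min_rate:
            self.deadline += len(chunk) / self.min_rate
        return self.remaining <= 0  # body complete


class WorkerPool:
    def __init__(self, size, body_timeout=None, min_rate=None):
        self.size, self.body_timeout, self.min_rate = size, body_timeout, min_rate
        self.active = {}  # connection id -> BodyReader
        self.completed = self.rejected = self.timed_out = 0

    def reap(self, now):
        for cid, reader in list(self.active.items()):
            if reader.expired(now):
                del self.active[cid]
                self.timed_out += 1

    def open(self, cid, raw_headers, now):
        self.reap(now)
        if len(self.active) >= self.size:
            self.rejected += 1
            return False  # all workers busy: the client sees a refused or queued connection
        self.active[cid] = BodyReader(parse_content_length(raw_headers), now, self.body_timeout, self.min_rate)
        return True

    def feed(self, cid, now, chunk):
        self.reap(now)
        reader = self.active.get(cid)
        if reader is None:
            return False
        if reader.feed(chunk):
            del self.active[cid]
            self.completed += 1
        return True


# Constructed requests: the attacker announces a huge body, the real client a 27-byte login form.
ATTACK_HEADERS = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 1000000\r\n\r\n"
LEGIT_HEADERS = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\n"


def slow_post_scenario(body_timeout=None, min_rate=None, workers=50, attackers=50):
    """50 attacker connections trickle one byte every 10 s; a real client arrives at t=65."""
    pool = WorkerPool(workers, body_timeout, min_rate)
    for a in range(attackers):
        pool.open(f"atk{a}", ATTACK_HEADERS, now=0)
    for now in range(10, 61, 10):
        for a in range(attackers):
            pool.feed(f"atk{a}", now, b"x")
    legit_ok = pool.open("legit", LEGIT_HEADERS, now=65)
    if legit_ok:
        pool.feed("legit", 65.1, b"user=alice&password=hunter2")
    return {"legit_served": legit_ok, "held_by_attackers": len(pool.active),
            "timed_out": pool.timed_out, "completed": pool.completed}


if __name__ == "__main__":
    print(slow_post_scenario())                                # vulnerable: every worker held, client refused
    print(slow_post_scenario(body_timeout=20, min_rate=500))   # hardened: attackers reaped at t=30, client served
```

With the deadline in place one byte every ten seconds buys the attacker only two milliseconds of extra time per chunk, so every slow connection is reaped at the first check after twenty seconds, while a client that sends its 27 bytes at once is never affected.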
PDoS ( Permanent Denial-of-Service )
A permanent denial-of-service (PDoS) attack damages the system so badly that the victim machine needs an operating system reinstall or even new hardware. This type of attack, sometimes called phlashing, usually targets the device’s firmware.
PDoS abuses device management interfaces (e.g., Telnet, firmware update mechanisms) to overwrite firmware or wipe storage, leaving the device unbootable (“bricked”); BrickerBot (2017) did this to IoT devices it reached over Telnet with default credentials. It targets the availability component of the CIA Triad, and it is not a flood: the damage is done through a management channel protected only by weak authentication or an unpatched update path, not by HTTP traffic volume.
BIOS (Basic Input/Output System)
Firmware stored on a computer’s motherboard that initializes hardware during boot-up and hands control to the operating system’s boot loader, acting as the bridge between hardware and software.
BIOS, stored in a flash ROM chip, performs the Power-On Self-Test (POST) to check hardware (e.g., CPU, RAM) and loads the operating system from storage or, with PXE network booting, obtains its boot parameters through DHCP. It operates below the OSI model, at the hardware level. Because it is writable flash, it is exposed to PDoS-style firmware corruption and to malware such as the CIH virus (1998), which overwrote the flash BIOS and left machines unbootable.
UDP Flood Attack
- Hacker sends UDP packets to random ports on the target.
- No application is listening on most of them, so each packet is illegitimate.
- The target ties up resources checking for a listener and sending back ICMP Port Unreachable messages.
Attackers send rapid UDP packets (often with spoofed sources, as in Smurf or Memcached attacks) to random or specific ports on a target’s IP address, forcing the host to look up a listener and answer with ICMP Port Unreachable, consuming CPU and bandwidth. Unlike TCP, UDP is connectionless, so no handshake is needed and the source address can be forged freely, which makes floods and reflection easy. Operates at the Transport (Layer 4) and Network (Layer 3) layers of the OSI model. Often used in amplification attacks (e.g., via open Memcached, DNS, or NTP servers), where a small spoofed request elicits a much larger reply to the victim.
ICMP (Internet Control Message Protocol) Flood Attack
- Floods – high volumes of pings (or UDP packets), sometimes sent to broadcast addresses
- Nukes – exploit known bugs in operating systems (e.g., Ping of Death, an oversized fragmented ping that crashed older stacks)
Attackers send rapid ICMP Echo Requests (pings), often with spoofed source IPs, to a target’s IP address, forcing it to answer with Echo Replies and consuming network and CPU resources. The effect is much larger in reflection scenarios like Smurf, where third-party hosts do the replying. Operates at the Network Layer (Layer 3) of the OSI model, using ICMP carried within IP packets, and was one of the standard flood types in tools like TFN2K and Stacheldraht.
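Detection logic for the flood types on this page (SYN flood, Smurf reflection, UDP flood, ICMP flood), as an added example that is not from the original flashcards: a per-second, per-destination window over a constructed packet capture. The thresholds, the RFC 5737 addresses and the traffic mix are assumptions chosen so each attack is visible; the Smurf rule is the one worth noting, since a host receiving echo replies from an entire /24 it never pinged is the signature of being the spoofed victim.

```python
"""Flood detection over a constructed packet log: SYN, Smurf, UDP and ICMP floods."""
import ipaddress
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str      # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0
    kind: str = ""  # tcp: "S" or "A"; icmp: "echo-req" or "echo-rep"; udp: "datagram"


# Assumed thresholds for a small web server; tune to the link and baseline you actually see.
THRESH = {"pps": 500, "udp_ports": 100, "syn_ratio": 10, "smurf_sources": 20}


def detect(packets, window=1.0):
    """Return (window, dst, label) alerts, one label per destination per window."""
    requesters = {p.src for p in packets if (p.proto, p.kind) == ("icmp", "echo-req")}
    by_win = defaultdict(list)
    for p in packets:
        by_win[(int(p.ts // window), p.dst)].append(p)

    alerts = []
    for (win, dst), pkts in sorted(by_win.items()):
        c = Counter((p.proto, p.kind) for p in pkts)
        syn, ack = c[("tcp", "S")], c[("tcp", "A")]
        if syn > THRESH["pps"] and syn > THRESH["syn_ratio"] * max(ack, 1):
            alerts.append((win, dst, "syn_flood"))  # SYNs that are never completed
        reply_srcs = {p.src for p in pkts if (p.proto, p.kind) == ("icmp", "echo-rep")}
        if len(reply_srcs) >= THRESH["smurf_sources"] and dst not in requesters:
            nets = {ipaddress.ip_network(f"{s}/24", strict=False) for s in reply_srcs}
            if len(nets) == 1:  # a whole subnet answering a ping the victim never sent
                alerts.append((win, dst, "smurf_reflection"))
        udp_ports = {p.dport for p in pkts if p.proto == "udp"}
        if c[("udp", "datagram")] > THRESH["pps"] and len(udp_ports) > THRESH["udp_ports"]:
            alerts.append((win, dst, "udp_flood"))  # random-port UDP flood
        if c[("icmp", "echo-req")] > THRESH["pps"]:
            alerts.append((win, dst, "icmp_flood"))  # direct ping flood
    return alerts


def sample_traffic():
    """Constructed capture: normal browsing at t=0, then one attack per second against 192.0.2.10."""
    victim, pkts = "192.0.2.10", []
    for i in range(50):  # legitimate client: every SYN is followed by its ACK
        pkts.append(Pkt(i * 0.01, "tcp", "203.0.113.5", victim, 443, "S"))
        pkts.append(Pkt(i * 0.01 + 0.005, "tcp", "203.0.113.5", victim, 443, "A"))
    for i in range(2000):  # t=1: SYN flood from spoofed sources, no ACK ever arrives
        pkts.append(Pkt(1.0 + i / 2000, "tcp", f"198.51.100.{i % 254 + 1}", victim, 80, "S"))
    for i in range(200):  # t=2: Smurf, 200 hosts of 203.0.113.0/24 reply to a ping the victim never sent
        pkts.append(Pkt(2.0 + i / 200, "icmp", f"203.0.113.{i + 1}", victim, 0, "echo-rep"))
    rng = random.Random(0)
    for i in range(1500):  # t=3: UDP flood to random high ports
        pkts.append(Pkt(3.0 + i / 1500, "udp", "198.51.100.77", victim, rng.randrange(1024, 65535), "datagram"))
    for i in range(800):  # t=4: direct ICMP flood
        pkts.append(Pkt(4.0 + i / 800, "icmp", "198.51.100.9", victim, 0, "echo-req"))
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)  # syn_flood at 1, smurf_reflection at 2, udp_flood at 3, icmp_flood at 4
```

The SYN rule compares SYNs to ACKs rather than counting SYNs alone, so a busy but healthy server (window 0 here, where every SYN is acknowledged) is not flagged; the same idea, half-open connections outpacing completed ones, is what the audit examples above should be looking for.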