DDoS Flashcards

1
Q

DDoS

A

Compromises availability by hindering or blocking the provision of some service.
Prevents or impairs authorized use of system resources by exhausting them.
Typically lasts up to 30 mins.
Often a diversion from the real attack; simple to set up, difficult to stop.

2
Q

SYN Spoofing

A

Attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage them.
Subsequent legitimate requests will fail.

The attacker generates SYN connection-request packets with forged source addresses. Hosts at valid forged addresses respond with an RST (reset), which closes the half-open connection.
If no system exists at the forged address, the server keeps resending the SYN-ACK until it gives up; while this happens the entry in the connection table stays occupied.
Once the table is full, all further requests, legitimate or not, are rejected.

The traffic volume is much lower than a flooding attack: just enough to fill the table.

SYN flooding differs in the total volume of packets in the attack.
Countermeasures
Randomly dropping connections (selective drop or random drop).
Modify the SYN handshake so the server sends a cryptographic cookie in its initial response; the client sends it back and the server confirms it is a legitimate client (SYN cookies, FreeBSD).
Extend the TCP connection table size and shorten the timeout period for removing entries.

3
Q

Poison packet

A

Packets whose structure triggers a bug in the system’s network-handling software, causing it to crash.
Ping of death / teardrop attacks -> oversized ICMP echo request packets / malformed packet fragmentation.

4
Q

Cyberslam / Flooding

A

The attacker generates a large number of requests to load the server.
A flooding attack on an organization -> the most common attack.

Overloads the server’s ability to handle and respond to this traffic.
Valid traffic competes against malicious traffic.
It can use ICMP, UDP or TCP SYN, or even other IP packet types.

ICMP
ICMP destination unreachable and time exceeded messages are critical to TCP/IP operation, so blocking them breaks TCP/IP.

UDP directed to some port
UDP echo port attack; the target responds with ICMP unreachable if the service is not running.
Zombie addresses can be used.

5
Q

DDoS - Source address spoofing

A

Via the raw socket interface.
Historically used to test network interfaces and for research into network protocols. Packets can be sent with forged attributes.

Forges source addresses that (if they exist) will respond with an error and add to the current traffic.

TCP/IP does not include the ability to ensure that a source address is real.

Honeynets (unused IP addresses) can be used to trace back the originator of an attack (backscatter traffic).

ISPs can enforce valid source addresses at their routers, e.g. with an ACL or “ip verify unicast reverse-path”, so that a packet keeps a verifiable origin address as it passes through (not all ISPs enforce this).

6
Q

Application based bandwidth attacks

A

Execute resource-consuming activities on the target that are disproportionate to the attack effort.

SIP Flood
Session Initiation Protocol: text-based, similar to HTTP.
Requests and responses; SIP INVITE establishes a session between agents.

INVITE requests trigger considerable resource consumption.
A flood of INVITE requests overloads the proxy servers, blocking access to the VoIP call service.

Countermeasures
Check clients with captchas.

7
Q

HTTP based attacks

A

HTTP Flood
Execute resource-intensive actions on the server, like downloading a report.
Spidering -> follows all links on the website recursively.

Slowloris -> exploits the common server technique of using multiple threads to support multiple requests to the same server application.
Sends an incomplete request without the terminating newline sequence, then keeps sending header lines to keep the connection alive until the server’s threads are exhausted.

IDS systems do not identify it because it blends in with legitimate HTTP traffic.

Countermeasures
Limit the rate of incoming connections per host.
Timeout on connections.
Delayed binding -> load balancer checks the HTTP request header for completeness before forwarding.

8
Q

Reflection attacks

A

The attacker sends packets to a known service on an intermediary with a spoofed source address of the actual target system.
The intermediary is used to initiate the attack against the target system.

Uses UDP, DNS, SNMP, ISAKMP, since these provide large response packets.

The attack may be spread across intermediaries in a cyclic manner.
The aim is to generate high enough volumes of packets.
SYN flooding through an intermediary: the attacker can control the volume of traffic.

Hard to separate normal traffic from attack traffic, and intermediaries with high capacity exist on the internet.

A self-contained loop can be set up between the intermediary and the target system, so both become reflectors.
Botnets provide many intermediaries and hide the source.
Harder to trace because there is no backscatter traffic.

Countermeasures
Network/host-based firewall rules reject suspicious combinations of source and destination ports.

9
Q

Amplification attacks

A

Variant of reflection attacks.
Sends the original request to a network broadcast address so every host on that network generates a response back to the target.

Uses ICMP (smurf) and UDP (fraggle) attacks. Not TCP, because broadcasts are inherently connectionless.

Countermeasures
Disallow directed broadcasts from being routed into the network from outside (ISP or organization).
Limit network access to echo/ping services.

10
Q

DNS Amplification attacks

A

Packets are directed at a legitimate DNS server acting as intermediary.
60-byte UDP request -> 512-byte UDP response.

The nameservers respond to the target, flooding it with the larger responses.
Using high-capacity, well-connected nameservers as intermediaries means they keep responding without being flooded themselves.

11
Q

Defenses against DDoS attacks

A

Slashdotted, flash crowd, flash event: a flood that occurs due to popularity or being linked from a more popular source, not an attack.

Attack prevention and preemption -> enforcing policies for resource consumption, providing backup resources, preventing modification of systems or protocols.
Attack detection and filtering -> looking for suspicious patterns, filtering out packets.
Attack source traceback and identification -> identifying the source.
Attack reaction -> eliminating or reducing the effects.
