Denial of service
- Attacker overloads the target system with a lot of traffic
- Goal is to reduce, restrict or prevent accessibility of system resources to its legitimate users
Botnets
- Bots are software applications that run-automated tasks over the internet
- A botnet is a huge network of compromised systems and can be used by an attacker to launch a DoS attack
- Controlled by Command and Control server owned by the attacker
- Distributed Denial of Service (DDoS)
- Using botnets (compromised systems) to perform a DoS attack.
- DoS and DDoS attack tools: • LOIC • GoldenEye or Petya
- See also Botnet and Botnet trojans
Attack vectors
Volumetric attacks
- Goal is to use up bandwidth of the target network or service.
Volumetric attacks types
- Flood attacks
- Sending high volume traffic, can utilize zombies
- Amplification attacks
- Sending magnified traffic, can utilize zombies
Volumetric attack techniques
- UDP flood attack
- Flooding random ports of the target server with a huge number of spoofed UDP packets
- Causes the server to continuously check for applications on the ports.
- When not found, system responds with
ICMP Destination Unreachable
packet increasing its traffic.
- When not found, system responds with
- ICMP flood attack or Ping flood
- Flooding with ICMP echo request packets.
Smurf attack
- 📝 Flooding a IP broadcast network with ICMP echo request packets with victim IP address as source
- Causes hosts in the network respond to received requests/responds targeting the victim.
- Leads to server overloads in victim caused by too many replies.
- The reason to attack broadcast address is to send so many ICMP requests going to the target that all its resources are taken up.
- Mitigated by either
- configuring routers/hosts to not respond to ICMP broadcasts/requests
- configuring routers to not forward packets directed to broadcast addresses
- See also Broadcast ICMP ping
Ping of death attack
- 📝 Sending irregular or big packets using
ping
command - Attacker fragments ICMP message to send to target.
- When the fragments are reassembled, the resultant ICMP packet is larger than max size and crashes the system
Protocol attacks
- Also known as state exhaustion flood attacks
- Goal is to make target device reject new connections
- Targets connection state tables, that are present in e.g. load balancers, firewalls, app servers
Protocol attack techniques
SYN flood attack
- Also known as SYN Attack or SYN ACK flood attack
- Exploits a flaw in TCP three-way handshake
- Floods SYN requests with fake source IPs
- Target responds with a SYN ACK packet and waits for the sender to complete the session
- Sender never completes the session as source IP is fake.
- OS kernels usually implements a backlog of open connections
- So the attack does not attempt to overload memory or resources
- It overloads backlog of half-open connections
- Causes legitimate requests to be rejected
SYN flood countermeasures
- 🤗 Defined in RFC 4987
- Same countermeasures also resists against IP spoofing
- Filtering
- Packet filtering based on IP addresses
- Increasing backlog
- Larger backlogs allow more connections
- Reducing
SYN-RECEIVED
timer- Shorter time will prevent half-open connections to persist in backlog
- Recycling the oldest half-open TCP
- When backlog is full, overwrite the oldest half-open entry
- SYN cache
- Not allocating full state to minimize space until connection has been established
- SYN cookies
- Resists IP spoofing
- Encodes SYN queue entry in sequence number sent in the
SYN+ACK
response - When server receives
ACK
, it reconstructs SYN entry from sequence number to establish the connection
- Hybrid approaches
- Combining SYN cache and cookies
- E.g. sending cookies when cache is full
- Firewalls and proxies
- Firewalls/proxies sends connection to end host when connection is established
- Moves away problem to firewalls/proxies
ACK flood attack
- Overloading a server with TCP ACK packets
- TCP ACK packet is any TCP packet with the ACK flag set in the header.
- ACK is short for "acknowledgement"
- TCP protocol requires that connected devices acknowledge they have received all packets in order
- E.g. when all packets for an image is sent, ACK packet is required otherwise image is sent again.
DNS query/NXDOMAIN floods
- Attackers send valid but spoofed DNS request packets at a very high packet rate
- Victim's DNS servers proceeds to respond to all requests
Fragmentation attack
- Flooding TCP/UDP fragmented packets with small packet rate to the system
- Exhausts the system through forcing it to reassembling packets.
TCP fragmentation attack
- Also known as teardrop attack
- 📝 Type of DoS attack also known as teardrop attack.
- Sends invalid packets with overlapping, oversized payloads to the victim.
- Sends gigantic payloads to crash vulnerable systems:
- Windows 3.1x, Windows 95 and Windows NT
- Linux prior to versions 2.0.32 and 2.1.63
RST
attack
- Also known as TCP reset attack
- Attacker sends TCP packets with the
RST
flag set to1
to host A, host B, or both using spoofed IPs- Causes termination of valid TCP connection between the two hosts.
- Setting
RST
flag- Indicates that receiving computer should immediately kill the TCP connection
- An real-life scenario
- Two computers (computer A and computer B) communicate with each other
- Computer B kills the communication without knowledge of computer A
- E.g. computer B has crashed
- Computer A continues to send packets to computer B
- Computer B sends
RST
packet to computer A to kill the communication
- See also: TCP flags
- 🤗 Used often for internet censorship e.g. • The Great Firewall of China • Iranian Internet censors.
Application layer DoS attacks
- Send "legitimate" traffic to a web application than it can handle.
- Goal is to make target application reject new connections by creating new connections and keeping them open as long as possible.
- Flow
- Attacker opens multiple connections to the targeted server by sending partial HTTP request headers.
- Target opens a thread for each incoming request to close once connection is completed.
- If connection takes too long, the server will timeout, freeing the thread up.
- Attacker sends partial request headers to prevent target from timing out
Application layer attack techniques
- HTTP flooding attacks
- Goal is to make server hold on to connections waiting for the full requests which it never receives.
- HTTP GET attack: Sending requests with time delayed HTTP headers
- HTTP POST attack: Sending requests with incomplete bodies delayed HTTP headers
- Slow-rate attacks
- Also known ass low and slow attacks
- Apparently legitimate traffic arriving at a seemingly legitimate albeit slow
- E.g. Slowloris and R-U-Dead-Yet
Other attack types
- Multi-vector attack
- Combining volumetric, protocol, and application layer attacks into one and launching
- Can be sequentially or in parallel
- Peer-to-Peer Attack
- Caused by bugs in a peer-to-peer server
- Instructs clients to disconnect and reconnect to a victims website.
- Permanent DoS Attack (PDoS) or phlashing
- Does irreversible (without replacement or reinstalling) damage to the hardware or its firmware.
- E.g. replacing firmware (e.g. through fake updates) with a corrupt one, also known as flashing.
- Fraggle attack
- Similar to Smurf but uses UDP.
- TCP state-exhaustion
- Attempts to consume connection state tables.
- Tergets load balancers, firewalls, and application servers
DRDoS
- Also known as distributed reflection denial of service (DRDoS) attack or spoofed attack
- Multiple intermediary machines send the attack at the behest of the attacker is correct.
- Secondary systems carry out attacks so the attacker remains hidden.
- Attacker instructs zombie machines (called secondary machines) to send packets to uncompromised machines (called secondary machines)
- Packets contain target's IP address as the source address
- Secondary machines try to connect to the target.
DoS Tools
- Slowloris
- Floods HTTP with headers for each request without actually completing them.
- 🤗 Slowloris presentation
- 📝 R-U-Dead-Yet
- Also known as RUDY, R.U.D.Y. or R U Dead yet
- Submits long form fields using HTTP posts to the target server.
- Sends concurrenct small pakets at incredibly slow rate
- Keeps connection open as long as possible
- HULK
- HTTP DoS tool
- Metasploit
- with modules for DoS e.g. TCPSYNFlooder
- Nmap with DoS scripts
- DAVOSET
- DAVOSET = DDoS attacks via other sites execution tool
- DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities on other sites.
- High Orbit Ion Cannon (HOIC)
- High-speed multi-threaded HTTP flood
- Other tools include • Stacheldraht • Trinoo • TFN2k • WinTrinoo • T-Sight
Low Orbit Ion Cannon (LOIC)
- DoS attack tool (C#) using layer (TCP, UDP) and layer 7 (HTTP) packets
- Used for successful attacks to big companies by including Anonymous group.
- Open-source
- Improved version: Tsunami
Mobile tools
- LOIC
- AnDOSID
Denial of Service countermeasures
DoS analysis
- Activity Profiling: Detect Increases in activity levels, distinct clusters, average packet rate etc.
- Changepoint detection: Stores and presents graph of traffic flow rate vs time for each IP/port.
- Wavelet-based signal analysis: Divides incoming signal into various frequencies as spectral components.
DoS prevention strategies
- Absorb the attack with additional resources e.g. through using a CDN.
- Degrade or shut down services (start with non-critical services)
- Deflect attacks using honeypots.
- Ingress filtering to enable originator be traced to its true source.
- Egress Filtering to ensure unauthorized or malicious traffic never leaves the internal network
- Load balancing and throttling
DoS post-attack forensics
- Traffic patterns for new filtering techniques
- Router, firewall, and IDS logs
- Update load-balancing and throttling countermeasures