Professional Documents
Culture Documents
C
Countermeasures
t
Version 6
M d l XIV
Module
Denial of Service
Module Objective
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Terminologies
A Distributed Denial-of-Service
Denial of Service (DDoS)
attack:
• On the Internet,, a distributed denial-of-service
(DDoS) attack is one in which a multitude of
compromised systems attack a single target,
thereby causing denial of service for users of the
targeted system
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Goal of DoS
Attackers may:
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DoS Attack Classification
Smurf
Ping of death
Teardrop
SYN Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Smurf Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Smurf Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Buffer Overflow Attack
Buffer overflow occurs any time the program writes more information
into the buffer than the space allocated in the memory
The attacker can overwrite the data that controls the program execution
path
th and
d hij
hijackk th
the control
t l off th
the program tto execute
t th
the attacker’s
tt k ’ code
d
instead of the process code
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ping of Death Attack
The
h attacker
k deliberately
d lb l sends
d an IP packet
k llarger than
h
the 65,536 bytes allowed by the IP protocol
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Teardrop Attack
IP requires that a packet that is too large for the next router to handle
should
h ld be
b divided
di id d iinto ffragments
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SYN Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
SYN Flooding
SYN Flooding
g takes advantage
g of a flaw in how most hosts
X A
implement the TCP three-way handshake
Normal connection
establishment
The
h victim’s
i i ’ listen
li queue iis quickly
i kl fill
filled
d up
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Bot (Derived from the Word
RoBOT)
The bot joins a specific IRC channel on an IRC server and waits for further
commands
The attacker can remotely control the bot and use it for fun and also for
profit
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Botnets
Hacker in Russia
5 Commands John (end user in Boston)
Attacker sends commands Downloads and executes chess.zip from freeware site
to the Bots
John’s machine is infected with Agabot
4
Bot
2
•Bots connect to 3
the “Master”
using IRC
channel and
waits for Bot
instructions
•Bot looks for other vulnerable systems and infects them
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
What is DDoS Attack
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Characteristics of DDoS Attacks
The services under attack are those of the “primary victim,” while the compromised
systems
t usedd to
t llaunch
h th
the attack
tt k are often
ft called
ll d th
the ““secondary
d victims”
i ti ”
This makes it difficult to detect because attacks originate from several IP addresses
If a single IP address is attacking a company, it can block that address at its firewall. If
i is
it i 30,000, this
hi is
i extremely l diffi
difficult
l
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
DDOS Unstoppable
Packets arriving at your firewall may be blocked there, but they may just as easily
overwhelm the incoming side of your Internet connection
If the source addresses of these packets have been spoofed, then you will have no way of
knowing g if theyy reflect the true source of the attack until yyou track down some of the
alleged sources
The sheer volume of sources involved in DDoS attacks makes it difficult to stop
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
How to Conduct a DDoS Attack
Step 1:
Step 2:
• Infect a minimum of (30,000) computers with this virus and turn them into
“zombies”
Step 3:
• Trigger the zombies to launch the attack by sending wake-up signals to the
zombies or activated by certain data
Step 4:
• The zombies will start attacking the target server until they are disinfected
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Mitigate or Stop the Effects of
DDoS Attacks
Load Balancing
Throttling
• This method sets up routers that access a server with logic to adjust
(throttle) incoming traffic to levels that will be safe for the server to
process
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Deflect Attacks
Honeypots
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Post-attack Forensics
Event Logs:
• It keeps logs of the DDoS attack information in order to do a forensic analysis, and
to assist law enforcement in the event the attacker does severe financial damage
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
DoS attacks can prevent legitimate users from using the system by overloading the
resources
Smurf, Buffer overflow, Ping of death, Teardrop, SYN, and Tribal Flow Attacks are some of
the types of DoS attacks; and WinNuke,
WinNuke Targa,
Targa Land,
Land and Bubonic.c
Bubonic c are some of the tools
used to achieve DoS
A DDoS
oS attac
attack iss a
an attac
attack in which
c a multitude
u t tude o
of co
compromised
p o sed syste
systemss attac
attack a ssingle
ge
target