Saturday, December 27, 2008

DoS / DDoS Attacks-part1


Denial of Service (DoS) attack is one of the most simple and common attacks today. DoS attacks are not targeted at stealing, modifying or destroying information, but to prevent legitimate users from using a service. A DOS attack comes in many forms, from simply cutting of the power to a system, or flooding a system with seemingly legitimate network traffic, anything that will results in a denial of service. The public nature of the Internet makes it particularly vulnerable to DoS attacks. The DoS/DDoS attacks described below are all network-based DoS attacks. DoS/DDoS attacks are also active attacks, as the attacker actively attempts to change something, in this case the availability of a server or service.


TCP SYN Flood Attack:


A common example of a DoS attack is the TCP SYN flood attack, in which the attacker exploits behavior inherit to the TCP protocol. A TCP session is established by using a three-way handshake mechanism, which allows the client and the host to synchronize the connection and agree upon the initial sequence numbers. When the client connects to the host, it sends a SYN request to establish and synchronize the connection. The host replies with a SYN / ACK, again to synchronize. Then the client acknowledges it received the SYN/ ACK packet by sending and ACK. When the host receives the ACK the connection will become OPEN, allowing traffic from both sides (full-duplex). The connection remains open until the client or the host issues a FIN or RST packet, or the connection times out.



In a TCP SYN flood attack, the attacker creates half-open TCP connections by sending the initial SYN packet with a forged IP address, and never acknowledges the SYN /ACK from the host with an ACK. This will eventually lead to the host reaching a limit and stop accepting connections from legitimate users as well. Many routers and other network nodes today are able to detect SYN floods by monitoring the amount of unacknowledged TCP sessions and kill them before the session queue is full. They can often be configured to set the maximum allowed number of half-open connections, and limit the amount of time the host waits for the final acknowledgement. Without these preventive measures, the server could eventually run out of memory, causing it to crash entirely.



UDP Flood Attacks:


UDP is a connectionless protocol that doesn’t use a handshake mechanism to establish a connection. This makes it relatively easy to abuse for flood attacks. A common type of UDP flood attack often referred to as a Pepsi attack, is an attack in which the attacker sends a large number of forged UDP packets to random diagnostic ports on a target host. The CPU time, memory, and bandwidth required to process these packets may cause the target to become unavailable for legitimate users. To minimize the risk of a UDP flood attack, disabling all unused UDP services on hosts and block the unused UDP ports if you use a firewall to protect your network.


Ping of Death Attacks:


Another well-known DoS attack is the Ping of Death. It is also targeted at hosts with a weak implementation of the TCP/IP stack. The attacker sends an ICMP Echo request packet with a size larger than 65,535 bytes, causing the buffer at the receiver to overflow when the packet is included in the reassemble process. This can lead to the target system to crash and/or reboot. Especially older Windows versions (95/NT4), but also older MAC and Linux operating systems and other network devices such as routers were vulnerable to the Ping of Death. Modern operating systems and network devices safely disregard these oversized packets. Older systems can usually be updated with a patch.


Smurf Attacks:


A nasty type of DoS attack is the Smurf attack, which is made possible mostly because of badly configured network devices that respond to ICMP echoes sent to broadcast addresses. The attacker sends a large amount of ICMP traffic to a broadcast address and uses a victim’s IP address as the source IP so the replies from all the devices that respond to the broadcast address will flood the victim. The nasty part of this attack is that the attacker can use a low-bandwidth connection to kill high-bandwidth connections. The amount of traffic sent by the attacker is multiplied by a factor equal to the number of hosts behind the router that reply to the ICMP echo packets.


The diagram above depicts a Smurf attack in progress. The attacker sends a stream of ICMP echo packets to the router at 128Kbps. The attacker modifies the packets by changing the source IP to the IP address of the victim’s computer so replies to the echo packets will be sent to that address. The destination address of the packets is a broadcast address of the so-called bounce site, in this case 129.64.255.255. If the router is (mis-)configured to forward these broadcasts to hosts on the other side of the router (by forwarding layer 3 broadcasts to the layer 2 broadcast address FF:FF:FF:FF:FF:FF) all these host will reply. In the above example that would mean 640Kbps (5 x 128Kbps) of ICMP replies will be sent to the victim’s system, which would effectively disable its 512Kbps connection. Besides the target system, the intermediate router is also a victim, and thus also the hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP echo packets is called a Fraggle attack.
It is difficult to prevent Smurf attacks entirely because they are made possible by incorrectly configured networks from a third party. The Smurf Amplifier Registry (SAR) http://www.powertech.no/smurf/ Netscan.org is one of several publicly available databases that can be used to configure routers and firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry (SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure all interfaces are configured with the no ip-directed broadcast command (default since IOS 12.0). The following three DoS attacks are not likely to appear on the Security+ exam, but are listed for completeness. Especially older versions of Windows but many other systems as well were vulnerable to these attacks. As many other attacks, they are aimed at the IP stack. The first two use packet fragmentation and reassembly vulnerabilities in specific. If older systems are patched, they are usually no longer vulnerable.

No comments: