CEHv12-10 - Network and Perimeter Hacking - Denial of Service

DoS and DDoS attacks

  • Definition: DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks aim to prevent services from being accessible.

    • DoS: (single attacker) makes a service (e.g., web server, FTP) inaccessible to legitimate users.
    • DDoS: (multiple attackers, harder to defend against) involves multiple attack points (botnets) targeting the same service.
  • Techniques:

    1. Volumetric attacks: deplete the bandwidth of the target by flooding it with large amounts of data.
      • Amplification attacks: the attack data grows larger than the original request (UDP flooding, ICMP flooding, Ping of Death, Smurf attacks).
      • Pulse wave attacks: particularly effective in hybrid cloud environments.
    2. Protocol attacks: target the protocols themselves (e.g., TCP).
      • SYN Flood: floods the target with SYN packets, exploiting the TCP three-way handshake.
      • ACK Flood: sends ACK packets, overwhelming the target.
      • Fragmentation attacks: break packets into smaller pieces to exhaust the system.
    3. Application layer attacks: aimed at the application layer (e.g., web servers). Example: a Slowloris attack keeps connections open, consuming server resources without ever closing them.
      • UDP application layer flood: uses the UDP protocol to flood application layers with requests, causing resource starvation.
    4. Multi-vector attacks: combine multiple attack vectors.
  • Edge cases:

    • Permanent Denial of Service: malware can destroy the hardware or data, making the service permanently unavailable (e.g., bricking a device by corrupting BIOS).
    • Reflective Denial of Service Attacks: the attacker uses a third party (e.g., a server) to attack the victim, making it appear that the attack is coming from someone else.
  • Tools:

    • LOIC (Low Orbit Ion Cannon):
      • Purpose: open-source network stress testing and DoS attack tool.
      • Use: generates high traffic to target services.
    • HOIC (High Orbit Ion Cannon):
      • Purpose: advanced version of LOIC, used for DDoS attacks.
      • Features: can target multiple URLs simultaneously.
    • Hping3:
      • Purpose: Network packet generator and analyzer.
      • Use: Can craft custom packets for security testing, including DoS attacks.

Volumetric attacks

Volumetric attacks are a category of Denial of Service (DoS) attacks that focus on overwhelming the bandwidth or resources of a network, application, or server. These attacks generate massive traffic to flood and exhaust the resources, causing legitimate requests to be denied.

  • Key characteristics:

    • High Traffic Volume: the attack aims to generate a massive volume of traffic, often in the form of requests or data packets, to overwhelm a target.
    • Network or Application-Level Impact: these attacks can affect both network infrastructure and application performance.
    • Resource Exhaustion: the goal is to consume all available resources (e.g., bandwidth, CPU, memory), rendering the service unavailable.
  • Types:

    • UDP Flood: Sends large volumes of UDP packets to random ports on a target server, consuming bandwidth and resources (e.g. hping3 --udp -p 80 -i u1 192.168.1.1).
    • ICMP Flood (Ping Flood): Floods the target with ICMP Echo Request packets, consuming the network bandwidth (e.g. hping3 --icmp -i u1 192.168.1.1).
    • DNS Amplification: Exploits DNS servers to amplify the attack traffic, sending a small query that generates a large response, overwhelming the target.
    • NTP Amplification: Similar to DNS amplification but uses NTP servers to flood the target with responses.
    • HTTP Flood: Sends a large number of HTTP requests to a web server, attempting to exhaust its resources or overload the network.
    • Smurf Attack: Exploits the ICMP protocol by sending a small ping request to a network’s broadcast address, with the source address spoofed to that of the target. All devices in the network reply to the spoofed address, flooding the target with traffic (e.g. hping3 --icmp -a 192.168.1.1 --broadcast 192.168.1.255).
    • Fraggle Attack: Similar to the Smurf attack, but it uses UDP packets (typically to port 7 or 19, which are associated with echo and chargen services). The attacker sends a request to a broadcast address with the source address spoofed to the target, and all devices on the network respond, amplifying the traffic directed at the target (e.g. hping3 --udp -a 192.168.1.1 --broadcast -p 7 192.168.1.255).
    • Pulse Wave Attack (extra): involves sending short bursts or pulses of high traffic at regular intervals to overwhelm a target’s defenses. This type of attack aims to bypass traditional DDoS defenses by rapidly fluctuating the intensity of the attack (e.g. burst of hping3 --flood -p 80 192.168.1.1 -i u100).

Protocol attacks

Protocol attacks take advantage of the TCP protocol (three-way handshake). They consume resources such as the connection state tables kept by network infrastructure components like load balancers, firewalls, and application servers.

  • Techniques:

    • SYN flood attack: takes advantage of a flaw in how most hosts implement the TCP three-way handshake. Normally, a connection is established through the three-way handshake, and the host keeps track of each partially open connection in a listen queue while waiting for the client's ACK packet. In this attack, the intruder sends an unlimited stream of SYN packets (connection requests) to the host system, faster than the system can handle them, so the queue fills with half-open connections.
    • Fragmentation attack: these attacks send fragmented packets that exploit vulnerabilities in the target’s packet reassembly process, causing crashes or resource exhaustion.
    • Spoofed session flood attack
    • ACK flood attack: attackers overwhelm servers by sending a massive number of TCP ACK packets, forcing the server to process these packets unnecessarily.
    • Ping of Death: by sending oversized ICMP packets, attackers can crash or freeze the target system due to buffer overflows.
  • Impacts:

    • Exhaustion of resources: targets can run out of available connections, memory, or processing power.
    • Disrupted services: legitimate users cannot access the network or application during the attack.
    • Performance degradation: even partial success in a protocol attack can slow down network performance significantly.
    • Operational costs: mitigating such attacks often requires costly infrastructure upgrades or third-party services.
  • Mitigations:

    • Web Application Firewalls (WAFs).
    • Stateful Firewalls.
    • Rate Limiting.
    • Deep Packet Inspection (DPI).
    • Anycast Networks.
    • Traffic Scrubbing Services.
    • Connection Timeouts and Limits.
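As an added example that is not part of these notes, the Python script below replays the handshake state described under "SYN flood attack" from a packet summary and reports which client IPs leave connections half-open (SYN answered with SYN/ACK, final ACK never sent). The tcpdump-style log lines, IP addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed tcpdump-style summary lines (not a real capture): 192.0.2.10 completes
# the handshake; 203.0.113.7 answers none of its three SYN/ACKs (half-open).
SAMPLE_LOG = """\
1.000 IP 192.0.2.10.50001 > 198.51.100.10.80: Flags [S]
1.001 IP 198.51.100.10.80 > 192.0.2.10.50001: Flags [S.]
1.002 IP 192.0.2.10.50001 > 198.51.100.10.80: Flags [.]
1.010 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S]
1.011 IP 198.51.100.10.80 > 203.0.113.7.40001: Flags [S.]
1.012 IP 203.0.113.7.40002 > 198.51.100.10.80: Flags [S]
1.013 IP 198.51.100.10.80 > 203.0.113.7.40002: Flags [S.]
1.014 IP 203.0.113.7.40003 > 198.51.100.10.80: Flags [S]
1.015 IP 198.51.100.10.80 > 203.0.113.7.40003: Flags [S.]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def half_open_by_source(log, server_port=80):
    """Replay each (client ip, client port) handshake and count, per client IP,
    connections stuck after the server's SYN/ACK (SYN_RECV on the server)."""
    state = {}  # (client_ip, client_port) -> "syn" | "synack" | "established"
    port = str(server_port)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dport"] == port and m["flags"] == "S":        # client SYN
            state[(m["src"], m["sport"])] = "syn"
        elif m["sport"] == port and m["flags"] == "S.":     # server SYN/ACK
            key = (m["dst"], m["dport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif m["dport"] == port and m["flags"] == ".":      # client's final ACK
            key = (m["src"], m["sport"])
            if state.get(key) == "synack":
                state[key] = "established"
    counts = defaultdict(int)
    for (ip, _port), st in state.items():
        if st == "synack":
            counts[ip] += 1
    return dict(counts)

def suspected_syn_flooders(log, threshold=3):
    """Client IPs holding at least `threshold` half-open connections (constructed threshold)."""
    return sorted(ip for ip, n in half_open_by_source(log).items() if n >= threshold)
```

On a real host the same count is available from the kernel's connection table (connections in SYN_RECV), which is what the "Connection Timeouts and Limits" mitigation above bounds.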

Application layer attacks

Application layer attacks consume application resources or services, thereby making them unavailable to other legitimate users.

  • Attack techniques:

    • HTTP GET/POST attack: threat actors send a large number of HTTP requests to a web server within a short span. This consumes resources and denies legitimate requests. Such attacks are difficult to distinguish from legitimate traffic.
    • Slowloris attack: involves sending partial HTTP requests to a server. This keeps connections open for as long as possible, and as a result the server becomes overwhelmed. This eventually leads to many legitimate requests being denied.
    • UDP application layer flood attack: sends numerous requests that can overwhelm the server, especially when it is not properly configured to handle such traffic.
    • DDoS extortion attack: attackers threaten to launch an application layer attack unless a ransom is paid. This can involve overwhelming the application with requests until the victim complies.
  • Mitigations:

    • Web Application Firewalls (WAFs)
    • Behavioral Analytics and Machine Learning
    • Rate Limiting and Throttling
    • CAPTCHA and JavaScript Challenges
    • IP Reputation Filtering and Rate Limiting
    • Cloud-based Mitigation Solutions

Botnets

“Robot Network”: a dispersed group of compromised, remotely controlled systems. The poor security of IoT devices has made building them easy. They are not only used for DDoS: also for automated polls or cryptomining.

  • They require an Internet connection, and they can spread by compromising more machines through internal networks.

DoS and DDoS countermeasures

  • Mitigations:

    • Traffic filtering: implement filtering solutions such as rate limiting and blocking suspicious traffic.
    • Content Delivery Networks (CDNs): CDNs can absorb high volumes of traffic, distributing the load across multiple servers.
    • Intrusion Prevention Systems (IPS): use IPS to detect and block attack traffic before it reaches critical systems.
    • Anti-DDoS solutions: dedicated services or appliances designed to detect and mitigate DoS/DDoS attacks.
    • Rate Limiting: restrict the number of requests a client can make to a server within a certain time frame to reduce the attack’s effectiveness.
  • Challenges in defense:

    • Volume and complexity: the sheer scale of the attack can overwhelm defenses, especially without prior detection and mitigation plans.
    • Botnets: volumetric attacks often use large botnets to generate traffic, making it difficult to distinguish malicious traffic from legitimate traffic.
    • Increased latency: while mitigating these attacks, organizations may experience increased latency or degraded performance for legitimate users.
  • Detection:

    • Traffic anomalies: monitoring for sudden spikes in traffic volume or unusual patterns can help detect volumetric attacks early.
    • Behavioral analysis: analyzing baseline traffic patterns and looking for deviations from normal behavior can be an effective detection method.
    • Rate of requests: unusual increases in the rate of requests to a particular service or endpoint may indicate an ongoing volumetric attack.
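As an added example that is not part of these notes, the Python script below applies the sliding-window check behind the "Rate Limiting" mitigation and the "Rate of requests" detection item to web-server access logs, flagging a client that floods one endpoint the way the HTTP GET/POST attack described earlier does. The common-log-format lines, IP addresses and the limit/window defaults are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed common-log-format lines (not from a real server), in time order:
# 192.0.2.10 browses normally while 203.0.113.9 hammers /login.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 256
203.0.113.9 - - [10/Oct/2023:13:55:55 +0000] "GET /login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_requests(log):
    """Yield (unix timestamp, client ip) for each well-formed log line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield ts, m["ip"]

def request_rate_offenders(log, limit=4, window=10.0):
    """Sliding-window check: for each client, keep the requests seen in the last
    `window` seconds and return {ip: peak_in_window} for clients whose count ever
    exceeds `limit` (both defaults are constructed values to tune per service)."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, ip in parse_requests(log):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # evict requests outside the window
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```

The same per-client window, enforced before the request is served instead of after it is logged, is the throttling rule a rate limiter applies.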