This movie describes the basics of communications and processing resource management, as well as how resources can be overloaded. It will explain the various motivations for DOS attacks, and describe the Xmas tree attack as one of the first examples of real world denial of service.
- [Voiceover] Denial of service attacks have been a threat on the internet starting as far back as when Robert Morris released his internet worm in 1988. The internet was in its infancy, and the result was little more than an inconvenience. In the age of cyberspace and ubiquitous connectivity, online business depends upon accessible services, but denial of service becomes a much more serious issue, and one which can have devastating consequences. The digital attack map provides a view of daily attacks based on data collected by all the networks.
Additional information is available by hovering over the streams. In an assessment carried out by Kaspersky Labs in 2015, the cost of such an incident is between $52,000 and $444,000, as a result of the inability to carry out core business, loss of contracts and opportunities, credit rating impact, and insurance premium increases. This is significant enough to justify external testing to ensure the business is resilient.
There are many different ways to achieve a denial of service, and it would take a very long time to enumerate them all, but we'll look at the general approaches, and a number of typical attacks in this course. Denial of service is the name given to a class of cyber attacks for which the aim is to disrupt or deny use of a business service, be that a website, or some other service accessible from outside the organization. An attack might be from one source, in which case it's called simply a denial of service.
Typically, it starts with a phishing attack on an employee to gain access to the enterprise. This kind of attack requires the use of an attack workstation and a tool, but no other additional infrastructure. The attack may be from multiple sources, in which case it's known as a distributed denial of service. This is more complicated because it firstly requires access to a large number of compromised systems, a botnet, which can be used as distributed sources, all controlled from one master attack workstation.
One of them issues a phishing email, and when activated, the enterprise is then a target for all. Distributed denial of service attacks were first seen in 1999, when a DOS tool called trinoo was deployed on over 200 hosts to flood a server at the University of Minnesota. It successfully took the server offline for two days. A third type of attack is known as a reflection attack, so-called because it goes indirectly to the target, by being reflected from a third-party service. This is a sophisticated attack, which takes advantage of legitimate functions on third-party services to act as the reflection surface that is used in the attack.
Typically, the reflected volume of data is much larger than the request data, and so the reflection also amplifies the effects of the attack. Because of this, these attacks are sometimes called amplification attacks. The domain name service, and the network time service have both been used to run these forms of attack. An interesting variation on each of these classes of attack, known as intermittent, or pulsing, flooding can be used to navigate through anti-DOS defenses.
This is successful when a defense mechanism, such as a firewall, is more tolerant to a flooding attack than the server it's protecting. There are many attack techniques which can be used to deny services, and these will result in one of three classes of impact. The first is choking access to the service, in which the pathway from the client to the service is overloaded or congested, in such a way as to make it difficult or impossible for a legitimate request to get through. The second is disabling the service, typically by sending a malformed packet which causes some form of internal malfunction in the service or application.
The third type of impact is downgrading service performance, typically done by exhausting host resources for providing services. In addition to the three classes of attack, and the three types of impact, there are three classes of attack techniques. The first is network-based attack techniques, which depend on some form of protocol manipulation to exhaust resources. These include the following attacks. The TCP SYN flooding attack, which partially creates a TCP session, but does not complete the session handshake, and so consumes resources to maintain status information on the half-open connection.
The ICMP Smurf flooding attack, which is a reflective attack using the ICMP echo, because the source address is forged as the target address, and the ICMP response is sent back to the target. If sufficient ICMP requests are made, the response packets flood the target's bandwidth. UDP flooding. A UDP flooding attack is just a distributed denial of service attack in which any form of UDP packet is sent to the target, and flooding occurs because, with a large number of emitting sources, the volume of packet data can easily exceed the target's incoming bandwidth.
ARP flooding. The ARP protocol is used in local area networks to identify the association between MAC addresses and IP addresses, so the internet routing can be done using MAC addresses. By corrupting the ARP caches on individual network hosts, these hosts can be isolated from the network, thus denying resources. The DNS amplification or reflection attack, a variant of the Smurf attack, is another reflective attack in which a request is made to a DNS server, and the DNS response, which is over 50 times larger, is returned.
This leverages not only the number of responses, but their size, to congest the network. A similar approach can be achieved using the NTP service, gaining up to 50 times the amplification effect. A global NTP flooding attack took place in early 2014, causing hour-long outages in many data centers around the world. The second class of attack is wireless network attacks. These often require the attacker to be in close proximity to the wireless network and are focused on stopping workstations connecting.
These include the following attacks. The de-authentication attack, in which the attacker monitors for workstations trying to authenticate and issues a specific de-authentication request to that workstation. Alternatively, a broadcast de-authentication can be sent, which affects all workstations. The routing congestion attack, in which an adversary can flood the network by sending a large number of route requests, causing high levels of congestion, which, in turn, disrupts routing. The final class of attack techniques is known as application or host-based attacks, which exploit vulnerabilities in the operating and application code on the target host.
This class of attack can exploit certain algorithms, memory structures, implementation specifics, and so on. Each of these attacks is typically system and version specific. One of the key application level attacks is HTTP flooding to create a denial of service. Similar to ICMP, the HTTP flooding attack sends a large number of HTTP messages to a web server, typically in a way that resources are held open by the request, and causes it to consume all its connections. Many other applications are also vulnerable to attack, and I'll cover FTP later in the course.
SIP services are increasingly becoming a key target as internet voice becomes a major carrier for businesses. There are a number of techniques that can be used to protect against denial of service attacks. These are often ineffective due to a lack of testing prior to the incident, and either fail when used or are not used because of the risk of failure. They can be implemented as an in-house capability or used in the form of DOS mitigation as a service. Mitigation typically involves diagnosing an attack and discarding packets that are identified as part of the attack.
Okay, that's an overall look at the topic of denial of service. So now let's get into the detail.
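Two of the signatures the narration describes, the half-open backlog left by a SYN flood and the unsolicited, oversized responses of a DNS reflection attack, can be picked out of border traffic summaries with a few lines of code. The example below is added here and is not part of the course; the packet records, addresses (documentation ranges) and field names are constructed, and the per-source SYN count is a simplification, since real flood sources are often spoofed.

```python
from collections import Counter

T = "203.0.113.10"  # constructed victim address

# Constructed packet summaries as seen at the victim's border; the field
# names are hypothetical, not a real tool's export format.
PACKETS = [
    {"src": "198.51.100.7", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},
    {"src": "198.51.100.7", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},
    {"src": "198.51.100.7", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},
    {"src": "198.51.100.8", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},
    {"src": "198.51.100.8", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},
    {"src": "198.51.100.9", "dst": T, "proto": "tcp", "flags": "S", "bytes": 60},  # normal client
    {"src": "198.51.100.9", "dst": T, "proto": "tcp", "flags": "A", "bytes": 52},  # completes handshake
    {"src": T, "dst": "192.0.2.100", "proto": "udp", "sport": 40000, "dport": 53, "bytes": 60},
    {"src": "192.0.2.100", "dst": T, "proto": "udp", "sport": 53, "dport": 40000, "bytes": 3180},
    {"src": "192.0.2.53", "dst": T, "proto": "udp", "sport": 53, "dport": 40001, "bytes": 3200},
    {"src": "192.0.2.54", "dst": T, "proto": "udp", "sport": 53, "dport": 40002, "bytes": 3100},
]

def half_open_by_source(packets, target, threshold=2):
    """SYNs to target minus handshake-completing ACKs, per source.
    A source whose backlog reaches the threshold is a SYN-flood suspect."""
    syn, ack = Counter(), Counter()
    for p in packets:
        if p["proto"] != "tcp" or p["dst"] != target:
            continue
        if p["flags"] == "S":
            syn[p["src"]] += 1
        elif p["flags"] == "A":
            ack[p["src"]] += 1
    return {s: syn[s] - ack[s] for s in syn if syn[s] - ack[s] >= threshold}

def dns_reflection(packets, target):
    """Bytes of DNS responses to target from resolvers it never queried (the
    reflection fingerprint), plus response/query size ratio for resolvers it
    did query (the amplification factor the narration puts at over 50x)."""
    query_bytes = {}  # resolver -> size of the target's own outbound query
    unsolicited, amplification = 0, {}
    for p in packets:
        if p["proto"] != "udp":
            continue
        if p["src"] == target and p.get("dport") == 53:
            query_bytes[p["dst"]] = p["bytes"]
        elif p["dst"] == target and p.get("sport") == 53:
            if p["src"] in query_bytes:
                amplification[p["src"]] = round(p["bytes"] / query_bytes[p["src"]], 1)
            else:
                unsolicited += p["bytes"]
    return {"unsolicited_bytes": unsolicited, "amplification": amplification}
```

Sources whose SYN backlog never drains, and resolvers answering questions the victim never asked, are the records a mitigation service would use to decide which packets to discard.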
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks