In this video, Mike discusses attacks that prevent servers from providing their essential services.
- The big challenge to attacks is that once we discover an attack, it's usually repaired, or prevented, or mitigated in some fashion fairly quickly. But there's one big exception to that, probably the biggest attack problem we have today, and that is a denial of service attack. A denial of service attack is designed to do one thing, to deny service. Imagine that you've got some type of server out there, could be a web server, an email server, a DNS server, don't care what it is. The whole idea behind a denial of service attack is that you have so many people coming in to talk to that server, that it can't take care of anybody else.
So imagine you've got a little store, and you've got a whole bunch of people trying to push in the front door; that is a denial of service attack. Now there are lots and lots of denial of service attacks out there. They've been around for close to 20 years, but I like to break them down into three big groups. The first one I'm gonna call a Volume attack. In a Volume attack, we're not really doing anything evil in terms of how we're talking to the server, we're just doing a lot of talking so the server can't help anybody else. The next type of denial of service attack is a Protocol attack.
A Protocol attack does something with the underlying protocol, the web HTTP protocol, or the DNS protocol if you're talking to a DNS server; it does something not normally accepted by the protocol that causes the server to do weird things and keeps it from answering quickly. The third type is what we call an Application attack. An Application attack works within the application conversation itself, doing naughty things that keep the application that server is running from being able to respond in a timely fashion.
So let's go ahead and start off with the granddaddy of them all, a good old Volumetric attack. So here's my little network. I've got one server on this network, and other computers doing something. Now, one example of a Volumetric attack would be a Ping flood. In essence, one or more of the machines starts sending pings to the server. Now, the trick is they just keep sending pings, and they don't wait for a response, and that can overwhelm the server. Another example could be a UDP flood. In this case, the attacking machine is sending out all kinds of strange UDP requests to all kinds of different ports on the server.
So the server has to deal with all of these incoming requests and has to respond back, and that could overwhelm the machine. Now, the Volumetric attacks I just showed you are pretty much easily negated today. For one thing, we're not going to let people from the outside try to fake these types of attacks. Routers are, by definition, designed to stop that type of stuff. However, we can still see, as we get a little bit more into this episode, where we can still do Volumetric attacks, although we make 'em a little bit smarter than this.
Okay, so that's a Volumetric attack. Remember, a Volumetric attack doesn't really do anything wrong, it just does a lot of it. We're gonna change that now, with what's known as a Protocol attack. So here we have our little server doing its server thing; it could be a web server, a DNS server again, I don't care. Now, a Protocol attack is going to do naughty things to the protocol to create confusion. So in this particular example, we're gonna create what's known as a SYN flood, or a TCP SYN Attack. Now, in this particular case, what we're talking about within a TCP/IP conversation is that the client will send a SYN, and then the server sends back a SYN ACK.
And this initiates a conversation within TCP/IP. However, what we're going to do in this case is have the client send out a SYN, after a SYN, after a SYN, and keep trying to make all these connections. Each one of these creates an extra connection to the server itself, and the client never responds, no matter how many SYN ACKs are sent back in response. This can clog the system up beautifully. Protocol attacks are still a huge problem out there when it comes to denial of service, and they are arguably the most common form of denial of service attack out there.
But there is another thing we can do: we can also take advantage of problems within applications themselves, so let's go ahead and do an example of an Application attack. Okay, in this situation, I've got an old copy of the very, very popular Apache Web Server, and we're gonna take advantage of something within the application to do something naughty. And in this case, we're gonna do what's known as a Slowloris Attack. The Slowloris is so named because the loris is a slow animal, and it just does things really slowly.
So, what it's gonna do is the client is going to initiate a conversation with the Apache Web Server. And it will get the conversation going, but then it just stops talking. And the poor Apache Web Server is sitting there waiting for a response. In the meantime, the attacker is sending out more conversations, and just not talking back, and as a result of that the poor Apache Server simply gets overwhelmed waiting for these clients to talk, which they never do. Now, this is fairly easy to fix, and later versions of Apache simply lowered their timeout value, and Slowloris is not nearly as big of a problem as it used to be.
Now, you can get into a lot more detail than simply the big three that I've broken down. For example, one great thing we can do is what's known as Amplification. Let me show you that in action. So, here's my little web server again. Now, in this case, what we're going to do is what we call a Smurf Attack. A Smurf Attack is a great example of an Amplification Attack because it simply does this: we send an ICMP packet into the network. Now, what we do is the attacker spoofs the website's IP address.
So it sends out a broadcast into the network, and then everybody in the network starts responding back, except they're responding back to the target. And that would be a great example where one packet being sent into a network can generate lots and lots of packets, and that's amplification. Now, of all the examples of denial of service I've shown you so far, we basically only have one attacker. Now, think about this for a minute: how hard would it be if we got a bunch of computers to work together to all attack one client? And that's really the big problem today.
Distributed denial-of-service attacks. Let's take a look at DDoS. So here's that poor little server one more time. Now this time what we're going to do is attack that server, but not with just one individual computer someplace. What we can do is add a bunch of computers to it, and each one of these will start attacking. Now the problem here is, how do you do this? Well, you could call your buddies up and you could all basically say go, and start attacking simultaneously. But usually what we will do instead is create a form of malware that generates what we call a BotNet.
Now, in this situation, all of these computers over here on the left have some form of malware on them. And they're controlled by a single computer somewhere else. So these individual computers are called Zombies. And collectively, all of these computers under the control of a single system are known as a BotNet. Distributed Denial-of-Service attacks are the nightmare of the internet these days. To give you an idea of just how bad DDoS attacks are, there are a number of websites from security companies that provide real-time tracking of attacks as they're taking place, and I just happen to have one of my favorites up right now.
This is from Norse Corporation. And you can actually see, it has these pretty graphics showing who's attacking who right now. And you can see the attack origins. You can see the types of attacks. You can see who they're going after. And then you can actually see what's taking place in terms of the attack. For example, you can see the attack type, and the port numbers that are actually being attacked in real time right now. DDoS is a huge issue today, and it's something we've always gotta watch out for. Make sure you're comfortable with the basic types of denial of service attacks, 'cause you're gonna see it on the exam.
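The SYN flood described in the video leaves a visible fingerprint on the server: a pile-up of half-open connections in the SYN-RECV state. The following detector is an added example, not code from the video or its author; it parses constructed lines in the column layout of Linux `ss -tan` output (a constructed sample, not captured data) and reports the half-open backlog per peer and in total. Names such as `assess_syn_flood` and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` output
# (State Recv-Q Send-Q Local Address:Port Peer Address:Port).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       192.0.2.10:51422
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40003
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40004
SYN-RECV  0      0      10.0.0.5:443       203.0.113.1:1025
SYN-RECV  0      0      10.0.0.5:443       203.0.113.2:1025
SYN-RECV  0      0      10.0.0.5:443       203.0.113.3:1025
ESTAB     0      0      10.0.0.5:443       192.0.2.11:51500
"""


def parse_ss(text):
    """Yield (state, peer_ip) per connection line, skipping the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        # Peer is "ip:port"; rsplit on the last colon keeps IPv6 intact.
        yield fields[0], fields[4].rsplit(":", 1)[0]


def half_open_by_peer(text):
    """Count half-open (SYN-RECV) connections per remote address."""
    counts = Counter()
    for state, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            counts[peer_ip] += 1
    return counts


def assess_syn_flood(text, per_peer_threshold=3, backlog_threshold=5):
    """Return a verdict dict (thresholds are assumed, tune per server).
    Per-peer counts expose a single noisy client; the total backlog is the
    more reliable signal, because a flood that spoofs its source addresses
    leaves no single peer standing out."""
    counts = half_open_by_peer(text)
    total = sum(counts.values())
    noisy = sorted(ip for ip, n in counts.items() if n >= per_peer_threshold)
    return {
        "half_open_total": total,
        "noisy_peers": noisy,
        "suspect_flood": total >= backlog_threshold or bool(noisy),
    }
```

On Linux the standard mitigation for this backlog pressure is SYN cookies (`net.ipv4.tcp_syncookies=1`), which let the server answer SYNs without reserving state until the handshake completes.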