Denial of Service - SCF Faculty Site Homepage

10.1 Understand a Denial of Service attack, and analyze symptoms of a DoS Attack
Exam Focus: Understand a Denial of Service attack, and analyze symptoms of a DoS attack.
Objective includes:
• Understand a Denial of Service attack.
• Assess DoS attack techniques.
• Gain insights on Distributed Denial of Service attacks.
• Examine the working of Distributed Denial of Service attacks.
• Analyze symptoms of a DoS attack.
Denial of Service (DoS) attack
A Denial of Service (DoS) attack is mounted to degrade the performance of a computer or
network. It is also referred to as a network saturation attack or a bandwidth consumption
attack. Attackers mount Denial of Service attacks by sending a large number of protocol
packets to a network. A DoS attack can cause the following:
• Saturate network resources.
• Disrupt connections between two computers, thereby preventing communications
between services.
• Disrupt services to a specific computer.
Common DoS attacks
Some of the common DoS attacks are as follows:
• SYN attack: A SYN attack is a common Denial of Service (DoS) technique. Using this
technique, an attacker sends multiple SYN packets to the target computer. For each SYN
packet received, the target computer allocates resources and sends an acknowledgement
(SYN-ACK) to the source IP address. Since the target computer does not receive a
response from the attacking computer, it attempts to resend the SYN-ACK. This leaves
TCP ports in a half-open state. When an attacker sends TCP SYNs repeatedly, the target
computer eventually runs out of resources and is unable to handle any more connections,
thereby denying services to legitimate users. A SYN attack affects computers running
the TCP/IP protocol. It is a protocol-level attack that can render a computer's network
services unavailable. A SYN attack is also known as SYN flooding.
• PING attack: A PING attack is a Denial of Service technique in which a computer
repeatedly sends illegitimate, oversized ICMP echo requests to another computer. PING
attacks target specific TCP stacks that cannot handle such ICMP packets. These attacks
overload the targeted servers with fake packets.
• Flood attack: In a flood attack, an attacker sends more traffic to the victim than it can
handle. It is the simplest denial of service attack but the most difficult to prevent
completely.
• Teardrop attack: In a teardrop attack, corrupt packets are sent to the victim's computer by
abusing IP's packet fragmentation algorithm. As a result of this attack, the victim's
computer might hang.
• Smurf attack: In a smurf attack, an attacker sends a large number of ICMP echo requests
to IP broadcast addresses using a fake source address. These requests appear to be
coming from the victim's network address. Therefore, every computer within the
broadcast domain starts sending responses to the victim. As a result, the victim's
computer is flooded with responses.
• Replay attack: A replay attack is a type of attack in which attackers capture packets
containing passwords or digital signatures as packets pass between two hosts on a
network. The attackers then filter the data and extract the passwords, encryption keys,
or digital signatures from the captured packets. In an attempt to obtain an authenticated
connection, the attackers then resend this information to the system.
• Magic Packets attack: A Magic Packets attack is a class of DoS in which the attacker
causes a DoS by exploiting an existing vulnerability in the OS or applications of the
target computer by sending specially crafted data packets to particular ports, for
instance, Ping of Death and WinNuke.
• Resource exhaustion attack: A resource exhaustion attack is a type of denial of service
(DoS) implemented by intentionally consuming the maximum resources and then
stealing information. It is a flood of fake RPCs; such floods waste resources of the
nodes, especially disk seeks on affirmative GETs, entries in the RAM index for PUTs,
and CPU cycles to process RPCs.
DoS attack techniques
The following are DoS attack techniques:
• Bandwidth attack: It is not possible for a single machine to make enough requests to
overwhelm network equipment. Therefore, DDoS attacks are performed, in which an
attacker uses several computers to flood a victim. When a DDoS attack is launched,
flooding a network with requests causes a significant statistical change in the network
traffic and can overwhelm network equipment such as switches and routers. Basically,
all bandwidth is used and no bandwidth remains for legitimate use. Attackers use a
botnet and flood the network with ICMP ECHO packets to perform DDoS attacks.
• Service request flood: An attacker or a group of zombies tries to exhaust server
resources by establishing and tearing down TCP connections. In a service request flood
attack, servers are flooded with a high rate of connections from a valid source. On every
connection, a request is initiated.
• SYN attack: In this attack, the attacker sends multiple SYN packets to the target
computer. For each received SYN packet, the target computer allocates resources and
sends an acknowledgement (SYN-ACK) to the source IP address. Since the target
computer does not receive a response from the attacking computer, it attempts to resend
the SYN-ACK. This leaves TCP ports in a half-open state. When the attacker sends TCP
SYNs repeatedly, the target computer eventually runs out of resources and is unable to
handle any more connections, thereby denying services to legitimate users. A SYN attack
affects computers running the TCP/IP protocol. It is a protocol-level attack that can
render a computer's network services unavailable. A SYN attack is also known as SYN
flooding.
• ICMP flood attack: An ICMP flood attack occurs when ICMP echo requests overload a
victim device with a large number of requests, such that the victim's device expends all
its resources responding to these requests until it can no longer process valid network
traffic.
• Peer-to-peer attack: Attackers use peer-to-peer attacks to instruct clients of peer-to-peer
file sharing hubs to do the following:
o Disconnect from their network
o Connect to the victim's fake website
Attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol.
The DC++ (Direct Connect) protocol permits the exchange of files between instant
messaging clients. Attackers use peer-to-peer attacks to launch massive Denial of
Service attacks and compromise websites.
• Permanent Denial of Service attack: Permanent DoS is also known as phlashing. It is
an attack that causes irreversible damage to system hardware. This attack is performed
using a method referred to as bricking a system: attackers send fraudulent hardware
updates to the victims.
• Application-level flood attack: The application-level flood attack leads to the loss of
service of a specific network, such as emails and network resources, and the temporary
ceasing of applications and services. Attackers use the application-level flood attack to
destroy programming source code and files in affected computer systems. Attackers try to
do the following by using application-level flood attacks:
o Flood web applications in order to block legitimate user traffic.
o Disrupt service to a specific system or person. For example, repeat invalid login
attempts to block a user's access.
o Craft malicious SQL queries to jam the application-database connection.
Symptoms of a DoS attack
The following are the symptoms of a DoS attack:
• A particular website is unavailable.
• A user cannot access any website.
• There is a dramatic increase in the amount of spam email received.
• There is unusually slow network performance.
DDoS attack
In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple computers
throughout the network that it has previously infected. Such computers act as zombies and work
together to send out bogus messages, thereby increasing the amount of phony traffic. The major
advantages to an attacker of using a Distributed Denial of Service attack are that multiple
machines can generate more attack traffic than one machine, multiple attack machines are harder
to turn off than one attack machine, and that the behavior of each attack machine can be
stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for
the DDoS attack. An attacker uses botnets and attacks a single system to launch a DDoS attack.
Working of a Distributed Denial of Service (DDoS) attack
An attacker sets up a handler system. Handlers infect a large number of computers over the
Internet. The compromised PCs (zombies) are instructed to attack a target server.
Organized cybercrime: organizational chart
(The organizational chart is a figure that is not reproduced in this text.)
Mail bombing attack
Mail bombing is an attack that is used to overwhelm mail servers and clients by sending a large
number of unwanted e-mails. The aim of this type of attack is to completely fill the recipient's
hard disk with immense, useless files, causing at best irritation, and at worst total computer
failure. E-mail filtering and properly configuring email relay functionality on mail servers can be
helpful for the protection against this type of attack.
UDP flood attack
A UDP flood attack takes place when an attacker sends IP packets containing UDP datagrams
with the purpose of slowing down the victim so that the victim can no longer handle valid
connections.
10.2 Understand Internet Chat Query (ICQ), Internet Relay Chat (IRC), and botnets
Exam Focus: Understand Internet Chat Query (ICQ), Internet Relay Chat (IRC), and botnets.
Objective includes:
• Understand Internet Chat Query (ICQ).
• Understand Internet Relay Chat (IRC).
• Understand botnets.
Internet Chat Query
Internet Chat Query (ICQ) is a chat client used for chatting with people. It assigns each user a
Universal Identifier Number (UIN), which identifies the user uniquely among other ICQ users.
When an ICQ user connects to the Internet, the client wakes up and attempts to connect to the
Mirabilis server, which holds a database of all ICQ users' information. The Mirabilis Company
developed ICQ. The Mirabilis server looks up the requested UIN in its database and updates its
information. Now that ICQ knows the IP address, the user can contact his friend.
Internet Relay Chat
Internet Relay Chat (IRC) is a system used for chatting that involves a set of rules and
conventions and client/server software. For easy file sharing between clients, IRC permits
direct computer-to-computer connections. A few websites such as Talk City and IRC networks
such as Undernet provide servers and help users download IRC clients to a PC. After the user
has downloaded the client application, the user can start a chat group, known as a channel, or
join an existing one. #hottub and #riskybus are popular ongoing IRC channels. The IRC protocol
uses the Transmission Control Protocol.
Bots
Bots are software applications. They run automated tasks over the Internet and carry out simple
repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of
compromised systems. An attacker can use a botnet to mount Denial of Service attacks.
Botnet propagation technique
Botnet ecosystem
Working of bots
The following is the working of bots:
• An attacker sets up a bot C&C handler.
• The attacker infects a machine.
• Bots look for vulnerable systems and infect them to create a botnet.
• Bots connect to the C&C handler and wait for instructions.
• The attacker sends a command to the bots through the C&C handler.
• Bots attack a target server.
PlugBot
PlugBot is a hardware botnet project. It is a covert penetration device (bot). It is designed for
covert use during physical penetration tests.
Defending against botnets
The following techniques are used to defend against botnets:
• RFC 3704 filtering: Packets should originate from a valid, assigned address space that is
consistent with the topology and space allocation. Before entering the Internet link, any
traffic that comes from unused or reserved IP addresses should be filtered, as it is bogus.
• Black hole filtering: Black holes are placed in the network where traffic is forwarded and
dropped. The remotely triggered black hole (RTBH) filtering technique uses routing
protocol updates to manipulate route tables at the network edge. RTBH filtering can be
used to drop undesirable traffic before it enters the service provider network.
• Cisco IPS source IP reputation filtering: Cisco IPS receives threat updates from the
Cisco SensorBase Network, including serial attackers, botnet harvesters, malware
outbreaks, and dark nets. The Cisco SensorBase Network includes detailed information
regarding known threats on the Internet.
• DDoS prevention offerings from ISP or DDoS service: Turning on IP Source Guard on the
network switches prevents a host from sending out spoofed packets if it becomes a bot
itself.
10.3 Assess DoS/DDoS attack tools
Exam Focus: Assess DoS/DDoS attack tools. Objective includes:
• Assess DoS/DDoS attack tools.
• Describe detection techniques.
DoS attack tools
The following are some DoS attack tools:
• Low Orbit Ion Cannon (LOIC)
• HTTP flood denial of service (DoS) testing tool
• Sprut
• PHP DoS
LOIC performs a Denial of Service (DoS) attack on a target site. It floods the server with TCP
packets or UDP packets to disrupt the service of a particular host. People have used LOIC to
join voluntary botnets. Trinoo, Tribe Flood Net, and TFN2K are DDoS attack tools.
Detection techniques
Detection techniques identify illegitimate traffic increases and flash events and discriminate
them from legitimate packet traffic. All detection techniques treat an attack as an abnormal and
noticeable deviation from a threshold of normal network traffic statistics. The following are
detection techniques:
• Active profiling: An attack is indicated by an increase in activity levels among clusters
and an increase in the overall number of distinct clusters. An active profile is defined by
the average packet rate for a network flow, which consists of consecutive packets with
similar packet fields. Monitoring of the network packets' header information is required
to obtain an active profile.
• Change-point detection: Change-point detection algorithms isolate a change in a traffic
statistic that is caused by an attack. In a change-point detection algorithm, the traffic
data is initially filtered by address, port, or protocol, and the resultant flow is stored
as a time series. The cumulative sum (CUSUM) algorithm identifies deviations in the actual
versus expected local average in the traffic time series to identify and localize a DoS
attack. Change-point detection can also be used to identify the typical scanning activities
of network worms.
• Wavelet analysis: Wavelet analysis describes an input signal in terms of spectral
components. Wavelets provide a concurrent time and frequency description: they find
the time at which certain frequency components are present. The presence of anomalies
is determined by analyzing each spectral window's energy.
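The change-point technique above, worked through as an added example (not code from the study guide): a per-second packet-rate series for one filtered flow is constructed inline, a baseline window supplies the expected local average, and a one-sided CUSUM statistic flags the sample at which the flood begins. The threshold and slack values are assumptions chosen for the example.

```python
"""Change-point detection (one-sided CUSUM) over a packet-rate time series.

Added example for the detection techniques section; it is not part of the
original study guide. The series below is constructed: packets per second
toward one service port, normal for 20 samples, then a flood.
"""
from statistics import mean, pstdev

# Constructed sample: indices 0-19 are normal traffic, the flood starts at 20.
PACKET_RATES = (
    [120, 131, 118, 125, 140, 122, 119, 133, 128, 124,
     126, 130, 121, 137, 123, 129, 127, 135, 120, 132]
    + [410, 520, 690, 880, 950, 1010, 990, 1030, 1100, 1080]
)


def cusum_change_point(series, baseline_len, threshold_sigma=5.0, slack_sigma=0.5):
    """Return (index, score) of the first sample where the CUSUM statistic
    exceeds the threshold, or (None, 0.0) if the series stays normal.

    The first `baseline_len` samples give the expected local average mu and
    standard deviation sigma. For each later sample the positive deviation
    (x - mu - k) is accumulated; the slack k lets ordinary fluctuations decay
    instead of piling up, so only a sustained upward shift trips the alarm.
    threshold_sigma and slack_sigma are assumed tuning values for this example.
    """
    baseline = series[:baseline_len]
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    k = slack_sigma * sigma
    h = threshold_sigma * sigma
    s = 0.0
    for i in range(baseline_len, len(series)):
        s = max(0.0, s + (series[i] - mu - k))
        if s > h:
            return i, s
    return None, 0.0


def describe_detection(series, baseline_len):
    """Human-readable verdict for an operator; returns the onset index too."""
    idx, score = cusum_change_point(series, baseline_len)
    if idx is None:
        return None, "no change point: traffic consistent with baseline"
    return idx, f"change point at sample {idx} (CUSUM score {score:.1f})"


if __name__ == "__main__":
    print(describe_detection(PACKET_RATES, baseline_len=20)[1])   # flood at 20
    print(describe_detection(PACKET_RATES[:20], baseline_len=10)[1])  # normal
```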
10.4 Identify DoS/DDoS countermeasure, post-attack forensics, and Penetration Testing
Exam Focus: Understand DoS/DDoS countermeasures, post-attack forensics, and penetration
testing. Objective includes:
• Identify DoS/DDoS countermeasure strategies.
• Analyze post-attack forensics.
• Identify DoS/DDoS protection tools.
• Understand DoS/DDoS penetration testing.
DoS/DDoS countermeasures
The following are DoS/DDoS countermeasures:
• The firewall should be configured to deny external Internet Control Message Protocol
(ICMP) traffic.
• The use of unsafe functions such as gets, strcpy, etc. should be prevented.
• Remote administration and connectivity testing should be secured.
• Return addresses should be prevented from being overwritten.
• Data supplied by the attacker should be stopped from being executed.
• Thorough input validation should be performed.
• A better network gateway card should be used to handle a large number of packets; the
network card is the gateway for the packets.
• For each piece of broadband technology, efficient encryption mechanisms should be
proposed.
• Particularly for multi-hop WMNs, improved routing protocols are desirable.
• Unused and insecure services should be disabled.
• All inbound packets that originate from the service ports should be blocked, to block the
traffic from reflection servers.
• The kernel should be updated to the latest version.
• The transmission of fraudulently addressed packets should be prevented at the ISP level.
• Cognitive radios should be implemented in the physical layer so that jamming and
scrambling attacks can be handled.
Attack mitigation
The following techniques mitigate attacks:
• Load balancing: In the event of an attack, providers can increase the bandwidth on
critical connections to prevent them from going down. Additional failsafe protection
can be provided by replicating servers. In a multiple-server architecture, balancing the
load across the servers improves normal performance and mitigates the effect of a DDoS
attack.
• Throttling: This method allows a user to set up routers that access a server to adjust
(throttle) incoming traffic to a level that is safe for the server to process. Throttling
can prevent flood damage to servers. Throttling can also be applied to DDoS attack
traffic rather than legitimate user traffic for better results.
Honeypots
Honeypots are systems established with limited security. They work as an enticement for an
attacker. They serve as a means to gain information about attackers. They facilitate storing a
record of activities of attackers and identifying types of attacks and software tools used by
attackers. The defense-in-depth approach should be used with IPSec at different network points
in order to divert suspicious DoS traffic to several honeypots.
Detecting potential attacks
The following techniques can be used to detect potential attacks:
• Ingress filtering: It is used to protect against flooding attacks that originate from valid
prefixes (IP addresses). It enables tracing the originator to its true source.
• Egress filtering: It scans the headers of IP packets that leave a network. It ensures
that unauthorized or malicious traffic never leaves the internal network.
• TCP intercept: It should be configured to prevent DoS attacks by intercepting and
validating TCP connection requests.
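The source-address checks described for RFC 3704 filtering (under "Defending against botnets") and for ingress and egress filtering above, as one added example that is not code from the study guide. The site prefix, the bogon list (a constructed subset of reserved space) and the sample packets are assumptions made for the illustration.

```python
"""Source-address sanity filtering at a network edge.

Added example; not part of the original study guide. It models two checks
from the text: reject sources in unused/reserved space (RFC 3704 style) and
reject sources that are implausible for the interface direction (ingress
and egress filtering). All prefixes and packets below are constructed.
"""
import ipaddress

# Constructed subset of reserved/special-use blocks that must never appear
# as a source address on an Internet link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: the address space assigned to the site behind this edge.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def classify_packet(src, direction):
    """Return ("forward" | "drop", reason) for a packet seen at the edge.

    direction is "ingress" (arriving from the Internet toward the site) or
    "egress" (leaving the site toward the Internet).
    """
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in BOGON_PREFIXES):
        return "drop", "reserved or unallocated source (RFC 3704)"
    from_site = any(src_ip in net for net in SITE_PREFIXES)
    if direction == "ingress" and from_site:
        # Traffic from the Internet must not claim one of our own addresses.
        return "drop", "spoofed internal source on external interface"
    if direction == "egress" and not from_site:
        # Outbound packets must carry an address we were assigned; this is
        # what stops an infected host here from taking part in a spoofed flood.
        return "drop", "source outside assigned site space (egress filter)"
    return "forward", "source plausible for this interface"


# Constructed sample packets as (source address, direction).
SAMPLE_PACKETS = [
    ("198.51.100.7", "ingress"),   # ordinary Internet client
    ("203.0.113.9", "ingress"),    # claims to be one of our hosts
    ("10.1.2.3", "ingress"),       # private space on the public link
    ("203.0.113.20", "egress"),    # our host talking out
    ("192.0.2.50", "egress"),      # spoofed source leaving our network
]


def filter_packets(packets):
    """Apply classify_packet to each packet; returns (src, dir, verdict, reason)."""
    return [(src, d, *classify_packet(src, d)) for src, d in packets]


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print("%-14s %-8s %-8s %s" % row)
```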
Detecting and neutralizing handlers
The following can be used to detect and neutralize handlers:
• Network traffic analysis: To identify the network nodes that might be infected with a
handler, network traffic analysis studies the communication protocols and traffic
patterns between handlers and clients or between handlers and agents.
• Neutralize botnet handlers: Usually, few DDoS handlers are deployed in comparison to
the number of agents. Multiple agents can be rendered useless by neutralizing a few
handlers. This prevents the occurrence of DDoS attacks.
• Spoofed source address: There is a good probability that the spoofed source address of
DDoS attack packets will not be a valid source address of the specific sub-networks.
Protecting secondary victims
The following actions should be taken to protect secondary victims:
• Anti-virus and anti-Trojan software should be installed and kept updated.
• Awareness of security issues and prevention techniques among all Internet users should be
increased.
• Unnecessary services should be disabled, unused applications should be uninstalled, and
all files received from external sources should be scanned.
• Built-in defensive mechanisms in the core hardware and software of the systems should
be configured and regularly updated.
DoS/DDoS countermeasure strategies
The following are DoS/DDoS countermeasure strategies:
• Absorb the attack: Additional capacity can be used to absorb the attack. This needs
preplanning and additional resources.
• Degrade services: Critical services should be identified and non-critical services should
be stopped.
• Shut down the services: All the services should be shut down until the attack has
subsided.
Techniques to prevent DDoS attacks
The techniques to prevent DDoS attacks are as follows:
• Applying router filtering
• Blocking undesired IP addresses
• Permitting network access only to desired traffic
• Disabling unneeded network services
• Updating antivirus software regularly
• Establishing and maintaining appropriate password policies, especially for access to
highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator
• Limiting the amount of network bandwidth
• Using network-ingress filtering
• Using automated network-tracing tools
Post-attack forensics
To identify the source of the DoS traffic, router, firewall, and IDS logs should be examined.
Network administrators can use DDoS attack traffic patterns to develop new filtering
techniques. The new filtering techniques are useful in preventing DDoS attack traffic from
entering or leaving their networks.
Traffic pattern analysis: Data can be analyzed post-attack to look for particular characteristics
within the attacking traffic. These characteristics can then be used to update load-balancing and
throttling countermeasures.
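Traffic pattern analysis over firewall log lines, as an added example (not from the study guide): a handful of constructed log lines are parsed, each source's SYNs are compared with its completed handshakes, and sources that only ever sent SYNs toward the most-hit port are reported as candidates for a new filter. The log layout and the SYN threshold are assumptions for the example; real firewall formats differ but carry the same fields.

```python
"""Post-attack traffic pattern analysis over firewall log lines.

Added example; not part of the original study guide. The log format and
every line below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed log lines: time action proto src:sport -> dst:dport flags
LOG_LINES = """\
12:00:01 ACCEPT TCP 198.51.100.4:51111 -> 203.0.113.10:80 SYN
12:00:01 ACCEPT TCP 198.51.100.4:51111 -> 203.0.113.10:80 ACK
12:00:02 ACCEPT TCP 192.0.2.77:40001 -> 203.0.113.10:80 SYN
12:00:02 ACCEPT TCP 192.0.2.77:40002 -> 203.0.113.10:80 SYN
12:00:02 ACCEPT TCP 192.0.2.77:40003 -> 203.0.113.10:80 SYN
12:00:03 ACCEPT TCP 192.0.2.77:40004 -> 203.0.113.10:80 SYN
12:00:03 ACCEPT TCP 192.0.2.78:40001 -> 203.0.113.10:80 SYN
12:00:03 ACCEPT TCP 192.0.2.78:40002 -> 203.0.113.10:80 SYN
12:00:03 ACCEPT TCP 192.0.2.78:40003 -> 203.0.113.10:80 SYN
12:00:04 ACCEPT TCP 198.51.100.9:52000 -> 203.0.113.10:443 SYN
12:00:04 ACCEPT TCP 198.51.100.9:52000 -> 203.0.113.10:443 ACK
12:00:04 ACCEPT UDP 192.0.2.79:1234 -> 203.0.113.10:53 -
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_lines(lines):
    """Parse lines matching the constructed layout; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def analyze(records, syn_threshold=3):
    """Summarise per-source TCP behaviour and pick filter candidates.

    A source with at least syn_threshold SYNs and no ACK at all never completed
    a handshake: the pattern a half-open (SYN flood) source leaves in the logs.
    Returns (per_source {src: (syns, acks)}, dominant_port, sorted candidates).
    """
    syns, acks, ports = Counter(), Counter(), Counter()
    for r in records:
        if r["proto"] != "TCP":
            continue
        ports[r["dport"]] += 1
        if r["flags"] == "SYN":
            syns[r["src"]] += 1
        elif r["flags"] == "ACK":
            acks[r["src"]] += 1
    per_source = {src: (syns[src], acks[src]) for src in set(syns) | set(acks)}
    dominant_port = ports.most_common(1)[0][0] if ports else None
    candidates = sorted(src for src, (s, a) in per_source.items()
                        if s >= syn_threshold and a == 0)
    return per_source, dominant_port, candidates


def suggest_filters(lines, syn_threshold=3):
    """Turn the analysis into operator-readable filter suggestions."""
    _, port, candidates = analyze(parse_lines(lines), syn_threshold)
    return [f"rate-limit or block SYNs from {src} to tcp/{port}" for src in candidates]


if __name__ == "__main__":
    for suggestion in suggest_filters(LOG_LINES):
        print(suggestion)
```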
DoS/DDoS protection tools
The following are the various DoS/DDoS protection tools:
• Find_ddos: It is used to scan a local system that contains a DDoS program. It can detect
several known DoS attack tools.
• SARA: It is used to gather information about remote hosts and networks by examining
the network services.
• RID: It is a scanning tool that is used to detect the presence of Trinoo, TFN, or
Stacheldraht clients.
• Zombie Zapper: It is used to instruct zombie routines to go to sleep, thus stopping their
attacks.
The following are some more DoS/DDoS protection tools:
• NetFlow Analyzer
• D-Guard Anti-DDoS Firewall
• NetScaler
• SDL Regex Fuzzer
• FortGuard
• WANGuard
• IntruGuard
• Arbor Peakflow
• Advanced Denial of Service Protection
IntelliGuard DPS
IntelliGuard DPS is used to mitigate DDoS attacks using a design that passes the legitimate
traffic rather than discarding attack traffic. The Learn-Rank-Protect strategy identifies the
sites that customers access, and their access is continuously prioritized and ranked. The
multi-level management of IntelliGuard DPS configures traffic limits and guarantees the
management of traffic at each part of the network.
Anti-DoS ACLs
Anti-DoS ACLs work by recognizing the protocol and port selection of the DoS attacks.
Precautions must be taken while using such ACLs, as they might block legitimate
applications that happen to use the same high port values. To prevent internal hosts (hosts
inside the network) from participating in a DoS on an Internet host, these ACLs should be
placed on all interfaces and in both directions. At a minimum, these ACLs should be placed on
all the inbound interfaces that are connected to the Internet. To block the TRINOO DDoS, ports
27665, 31335, and 27444 should be denied. To block the SubSeven DDoS, ports 6776, 6669,
2222, and 7000 should be denied.
DoS/DDoS protection at ISP level
Most ISPs block all requests during a DDoS attack, which also denies legitimate traffic access
to the service. ISPs provide in-the-cloud DDoS protection for Internet links to prevent them
from being saturated by the attack. During the attack, attack traffic is redirected to the ISP so
that it can be filtered and sent back. Administrators can request ISPs to do the following:
• Block the original affected IP
• Move their site to another IP after performing DNS propagation
DoS attack penetration testing
To find out whether the network server is susceptible to a DoS attack, a DoS attack should be
included in pen testing. A vulnerable network cannot handle a large amount of traffic sent to
it; this leads to a subsequent crash or slowdown of the network and thus prevents authentic
users from accessing it. DoS pen testing determines the minimum threshold for a DoS attack
on a system. The tester cannot guarantee that the system is resilient to DoS attacks. DoS pen
testing requires flooding a target network with traffic to keep the server busy and unavailable.
The following actions should be taken during DoS attack pen testing:
• Test the web server using automated tools such as Web Application Stress (WAS) and
JMeter for load capacity, server-side performance, locks, and other scalability issues.
• Discover any systems that are vulnerable to DoS attacks by scanning the network using
automated tools such as Nmap, GFI LANguard, and Nessus.
• Use tools such as Trin00, Tribe Flood, and TFN2K to flood the target with connection
request packets.
• Flood the port by using a port flooding attack and maintain all the connection requests on
the ports under blockade to increase the CPU usage. Automate the port flooding attack by
using the Mutilate and Pepsi5 tools.
• Send a large number of emails to a target mail server by using the Mail Bomber, Attache
Bomber, and Advanced Mail Bomber tools.
• Fill the forms with arbitrary and lengthy entries.
Chapter Summary
In this chapter, we learned about Denial of Service attacks, Distributed Denial of Service attacks,
working of Distributed Denial of Service attacks, and symptoms of a DoS attack. This chapter
focused on DoS/DDoS attack tools, detection techniques, DoS/DDoS countermeasure strategies,
post-attack forensics, DoS/DDoS protection tools, and DoS/DDoS penetration testing.
Glossary
Anti-DoS ACL
Anti-DoS ACLs work by recognizing the protocol and port selection of the DoS attacks.
Precautions must be taken while using such type of ACLs, as they might block legitimate
applications that may have chosen the same high port values.
Botnet
A botnet is a huge network of compromised systems.
Bots
Bots are software applications. They run automated tasks over the Internet and perform simple
repetitive tasks, such as web spidering and search engine indexing.
DDOS
In a Distributed Denial of Service (DDOS) attack, the attacker uses multiple computers
throughout the network that it has previously infected.
Denial of Service (DoS) attack
A Denial of Service (DoS) attack is mounted with the objective of causing a negative impact on
the performance of a computer or network.
IntelliGuard DPS
IntelliGuard DPS is used to mitigate DDoS attacks using a design that involves passing the
legitimate traffic rather than discarding attack traffic.
Internet Chat Query
Internet Chat Query (ICQ) is a chat client used for chatting with people.
Internet Relay Chat
Internet Relay Chat (IRC) is a system used for chatting involving a set of rules and conventions
and client/server software.