Chapter 11: DoS Flashcards
DoS goal
To remove the A from the Confidentiality, Integrity, & Availability triad
Denial of service
an attack that aims at preventing normal communication with a resource
What is the most common form of DoS?
to flood a victim w/ so much traffic that all available resources of the system are overwhelmed & unable to handle additional requests
What are signs of a potential DoS attack?
- Unavailability of a resource
- Loss of access to a website
- Slow performance
- Increase in spam e-mails
Hacktivism
hackers who take action against a target based on “principle” or a sense of personal mission
They are a threat because their focus is not personal gain; success is measured by how much their actions benefit their CAUSE.
DoS Targets (3)
1) Web Server Compromise - loss of uptime for company web page
2) Back-end Resources - include infrastructure items that support a public-facing resource; a DoS takes down the back end, which makes the front end unavailable
3) NW or Computer Specific
*** Types of Attacks (12)
1) SERVICE REQUEST FLOODS - flooding a web server or web app w/ requests until all resources are used up; typically carried out by setting up repeated TCP connections to a system
2) SYN ATTACK/FLOOD - exploits the 3-way handshake; done by forging SYN packets w/ a bogus source address. When the victim system responds w/ a SYN-ACK, it goes to this bogus address, & since the address doesn’t exist, the victim system waits for a response that will never come; this ties up a connection for 75 seconds, and the attacker can keep opening half-open connections to keep the system out of service //THE ACK RESPONSE IS MISSING; SYN is sent, SYN-ACK is replied, ACK never arrives
3) ICMP FLOOD ATTACK - an ICMP request requires the server to process the request & respond; attacks include smurf attacks, ICMP floods, ping floods, all of which flood the server w/ ICMP requests without waiting for the response
4) PING OF DEATH - used back in the day; a ping packet that was larger than the allowable 64K was sent
5) TEARDROP - sending custom-crafted fragmented packets w/ offset values that overlap during the attempted rebuild making the target machine unstable
6) SMURF - spoofs the target IP & sends numerous ICMP echo requests to the broadcast address of intermediary sites; The intermediary sites amplify the ICMP traffic back to the source IP, saturating the NW
7) FRAGGLE - like SMURF attack but uses UDP instead of ICMP. Still uses an intermediary for amplification & spoofs target IP; The attack targets the UDP echo requests to the CHARGEN (character generator) port of the intermediary systems
8) LAND - sends traffic to the target machine w/ the source spoofed as the target machine itself; The victim attempts to acknowledge the requests repeatedly w/ no end.
PERMANENT DOS ATTACKS - most DoS attacks are temporary, some destroy a system & cause it to be permanently offline;
9) PHLASHING is one of them (pushes bogus/incorrect updates to a system’s firmware, this system is said to be BRICKED, aka worthless computer)
APPLICATION-LEVEL ATTACKS - those that result in a loss or degradation of a service to the point it is unusable; Can result in loss of data
10) FLOOD - overwhelm target w/ traffic
11) DISRUPT - attacking w/ intent of locking out or blocking a user (i.e. logging into system several times to lock up acct)
12) JAM - crafted SQL queries to lock up DB;
Performing a SYN Flood
Tool: HPING3 //Linux utility used to craft custom packets such as packets that have specific flags activated
1) Have Wireshark up & running; get sniffer started;
2) In your BackTrack box, open cmd, hping3 for a list of commands
3) hping3 --flood -p 80 -S 192.168.1.2 //Flood SYN packets
4) Check out the traffic
5) Go back to BackTrack & terminate cmd with ctrl+C
Buffer Overflow
takes adv. of a flaw in a program’s coding by inputting more data than the program’s buffer, or memory space, has room for; once the buffer of a program is an overflow state, it can crash, etc
C functions & signs of buffer overflow
Some C functions do not perform bounds checking, making programs that use them vulnerable to buffer overflow
gets(), scanf(), strcpy(), strcat() are common functions for buffer overflow
The HEAP and STACK
Two areas of memory a program uses for storage
HEAP //dynamic storage location that does not have sequential constraints or organizational scheme; considered the larger pool of free storage for programs to use as needed; once dynamic memory space is no longer needed, it is freed
STACK // linear in operation (top, bottom, LIFO); smaller pool of storage; memory allocated to a program for short-term processing, main action area where program variables are temporarily stored, added, & removed as needed; Can only see values from top down; LIFO; PUSH describes adding to a stack, POP is removing
During a buffer overflow, the heap is overflowed. The malicious code soon resides in the STACK & the EIP points to the malicious code, executing it
Smashing the Stack
use of buffer overflow to compromise the stack & gain program-level access; submit excess data to stack
Stack pointer represents
the top of a stack; in a buffer overflow, the stack pointer is ignored and data is stacked over top of it, creating false EIPs (Extended Instruction Pointer/point of execution) and false stack pointers
When smashing the stack, the EIP points to injected malicious code
NOP sled
shellcode (or machine code) used in buffer overflow attack; uses multiple “NO OPERATION” commands in a sequenced chunk; 0x90 will instruct an Intel processor to perform one clock cycle on empty process
Equates to a full CPU cycle w/ no actual work being accomplished
DDOS
Distributed Denial of Service
multiple compromised systems (by a trojan) target a single system, causing a DoS attack; same goals as DoS, but more complex & powerful; DoS relies on a single system to attack a victim whereas DDoS uses multiple attackers;
Concept: The MASTER/ATTACKER affects the HANDLER (typically server, a unit that has maneuverability in the NW) computers w/ DDoS SW build commonly known as a BOT; The bot sifts through victim’s NW searching for potential clients to make ZOMBIES; Once all compromised, attack!