August 27, 2016

GHR 110 – Denial of Service (DoS)

Objectives:

Denial of Service attacks are now being used as another way to extort ransom money, in the form of Bitcoin, from a target.

  • Topic 110.1 – Bandwidth consumption
  • Topic 110.2 – SYN Flood Attack
  • Topic 110.3 – Application Attacks

Topic 110.1 – Bandwidth Consumption

  • RULE : The concept behind a bandwidth consumption type of Denial of Service (DoS) is simple: use up all of the victim's bandwidth.  If the victim has a 1Gbps connection and an attacking botnet fires 400Gbps at the target, it's going to appear offline because legitimate traffic can't reach the servers.
  • RULE : A Smurf attack (bandwidth consumption DoS) is when the attacker sends many ICMP echo requests to a large number of machines via the broadcast address, but rather than those machines responding to the attacker, all of the responses go to the victim.  This happens because the attacker spoofed the source IP of the ICMP packets to be that of the victim.
  • BLUE TEAM : To defend against Smurf attacks on Cisco routers, use no ip directed-broadcast on each interface so the router does not forward packets addressed to a directed broadcast.
  • RULE : A Fraggle attack (bandwidth consumption DoS) is the same concept as Smurf, but uses UDP echo packets instead of ICMP.

Topic 110.2 – SYN Flood Attack

  • RULE : A SYN flood targets the TCP 3-way handshake by sending a large number of spoofed TCP SYN packets to the target.  The target then has to respond with a TCP SYN/ACK and leave the connection open waiting for the TCP ACK to return, but it never does.  The result is a large number of half-open TCP connections which fill the connection buffers on the target machine, causing legitimate connection attempts to be dropped by the server.
  • RULE : A SYN flood is most effective when directed at a single target machine on the Internet providing web or email services.

Topic 110.3 – Application Attacks

  • RULE : Ping of Death is caused when the attacker sends packet fragments that, when they arrive at the victim and are reassembled, form a packet larger than 65,536 bytes.  This causes a buffer overflow and typically the target machine just hangs.
  • RULE : Teardrop is caused when fragmented IP packets are sent with the fragment offset modified so that the fragments overlap on arrival.  This usually causes the target machine to hang, because it doesn't know how to handle the overlapping fragments.
  • RULE : Sending ICMP packets of 65,535 bytes with the DF (Don't Fragment) bit set to a load balanced Microsoft Windows server cluster address would take them offline during the time the packets are being sent.
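A defender-side fragment sanity check for the Ping of Death and Teardrop conditions described in this topic, written here as an added Python example (not part of these notes): it walks a set of IP fragment records the way a reassembly routine or IDS would and flags overlapping offsets and an oversize reassembled datagram. The fragment records and the 20-byte IP header assumption are constructed for illustration.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest legal IPv4 datagram, header included
IP_HEADER_LEN = 20        # assumed minimal IPv4 header for the reassembled packet


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: set on every fragment except the last


def classify_fragments(frags):
    """Return sorted tags describing anomalies found in one fragment set.

    'teardrop'      : a fragment starts before the previous fragment ends (overlap)
    'ping_of_death' : reassembled datagram would exceed MAX_IP_DATAGRAM bytes
    'incomplete'    : the highest fragment still has MF set (no final fragment seen)
    """
    tags = set()
    ordered = sorted(frags, key=lambda f: f.offset)
    end_so_far = 0
    for f in ordered:
        if f.offset < end_so_far:        # overlapping fragment offsets
            tags.add("teardrop")
        end_so_far = max(end_so_far, f.offset + f.length)
    if end_so_far + IP_HEADER_LEN > MAX_IP_DATAGRAM:
        tags.add("ping_of_death")
    if ordered and ordered[-1].more:
        tags.add("incomplete")
    return sorted(tags)


# Constructed sample fragment sets (offsets are multiples of 8, as IP requires).
NORMAL_PING = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 40, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(24, 36, False)]   # second fragment overlaps the first
PING_OF_DEATH = [Fragment(i * 1480, 1480, True) for i in range(44)] + [Fragment(44 * 1480, 440, False)]


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("teardrop", TEARDROP), ("pod", PING_OF_DEATH)):
        print(name, classify_fragments(frags))
```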