Archive for the ‘Server Security’ Category

Denial of Service Attack DoS | Part 5

Monday, February 15th, 2010

DDoS, Or The Leverage Effect

Given the current performance of servers and the widespread use of load balancing and high availability, it is virtually impossible to cause a denial of service from a single source as described in the previous chapter. It is usually necessary to find a way to apply a multiplier effect to the initial attack.

The principle is to use multiple attack sources (daemons) and masters that control them.

The attacker uses the masters to control the sources easily. Indeed, the attacker only needs to connect (over TCP) to the masters to configure and prepare the attacks; the masters then send their commands to the sources over UDP. Without masters, the attacker would have to connect to each source, the origin of the attack would be detected more easily, and the setup would take much longer. Each master and daemon exchange specific messages, depending on the tool used.

These communications may also be encrypted and/or authenticated. To install the daemons and the masters, the attacker uses known vulnerabilities (buffer overflows in RPC services, FTP, etc.).

The attack itself is a SYN flood, a UDP flood or a Smurf attack. The result of such a denial of service is to make the network unreachable.

Disadvantages

The drawback here is the need to work in two stages:

  1. Mass compromise of systems to host the zombies.
  2. Launching the orders.

In the second step, the control packets can be blocked by a detection tool or a filter. The evolution was therefore to automate the launch of the orders at the moment the relay is compromised. This technique was implemented by CodeRed, whose goal was to have the compromised servers connect to the White House website on a specific date. In the same vein are the DDoS attacks that use IRC channels as their communication channels.

The objective here is not to establish a direct connection between the master and the zombies, but to use an IRC server (or rather a channel) as a relay. This method, initiated in July and August 2001 by Knight and Kaiten, has many advantages:

  • The commands are sent asynchronously through an outgoing flow, on the master's side as well as on the agent's. It is more likely that the zombie will receive its orders.
  • With SSL support it is impossible to detect the orders, and therefore to identify the IRC channel doing the relaying. Similarly, the master is virtually undetectable.
  • The attacker has a distributed relay platform (the IRC channel).

Protection Against Denial Of Service Attacks

A distributed denial of service cannot be countered the way a single-source one is, by identifying the IP address of the machine issuing the attacks and banning it at the firewall or on the server: in that case the IP packets from the hostile machine are rejected without being processed, so that the server's service is not overloaded and does not end up offline.

Distributed denial of service attacks are more difficult to counter. The very principle of a distributed denial of service attack is to reduce the possibility of stopping the attack.

A distributed architecture, made up of several servers offering the same service and managed so that each client is served by only one of them, is a way of spreading the access points to the service and, under attack, offers a degraded (slower) mode that is often acceptable.

Depending on the attack, it is also possible to put in place a buffer server that filters and cleans the traffic. This server, a “cleaning center”, makes it possible during an attack to ensure that malicious requests do not reach the target server.

The use of SYN cookies is also an option to prevent attacks such as SYN floods, but this approach does not prevent the saturation of network bandwidth.

After An Attack — Back To Normal

The return to normal after an attack may require human intervention, because some software does not restart properly after an attack.

Who Is Responsible For These Attacks

Denial of service attacks are often performed by inexperienced hackers, such as ‘lamers’ and ‘script kiddies’.

These attacks are also used by a hacker who, failing to take control of a computer, tries to impersonate a trusted machine by IP spoofing. Indeed, if a session request (TCP SYN) is sent with an IP address “spoofed” to be that of the trusted machine, it is the latter that receives the TCP SYN/ACK issued by the target, and it automatically resets the connection attempt with an RST packet (since it is not the origin of the session establishment request), preventing the attacker from establishing the session.

In recent years, distributed denial of service attacks have also been used to blackmail companies whose business relies on the availability of their website. These frauds are usually committed by criminal organizations (mafia) rather than by isolated hackers.

Source: Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.

Denial of Service Attack DoS | Part 4

Monday, February 15th, 2010

Programs Available On The Internet

  • Ping O' Death: Saturates a router or a server by sending a large number of “ICMP ECHO REQUEST” datagrams whose size exceeds the maximum allowed. Patches exist to protect against this type of aggression under MacOS, Windows NT/9x, Sun Solaris, Linux and Novell Netware.
  • Land / Blat: Sends a forged (spoofed) packet carrying the SYN flag to a given port (113 or 139, for example), with the source address set to the address of the target station itself. There are a number of patches for this “bug” for UNIX and Windows.
  • Jolt: Specially designed for Microsoft systems (NT, 9x and 2000), this attack can saturate the CPU of the station that receives it. Sending a large number of fragments of identical packets (150/sec) causes the IP fragmentation handling to saturate the processor completely for the entire duration of the attack. Pre-existing patches are used to try to counter this type of attack.
  • Teardrop / SynDrop: A problem discovered in the old Linux kernel, in the section handling IP packet fragmentation. This is a packet reconstruction problem. When the system reconstructs the packet, it performs a loop that stores all the fragments already received in a new “buffer”. The size of the packet is actually checked, but only for being too big. If it is too small, it can cause a problem in the kernel and crash the system (a packet alignment problem). This problem has also been observed on Windows systems (NT/9x), and patches are now available.
  • Ident Attack: This problem in the identd daemon can easily destabilize a UNIX machine that uses it. A large number of authorization requests results in total instability of the machine. To avoid this problem, install a newer version of the daemon: use pidentd 2.8a4 (or later).
  • Bonk / Boink: The same problem as Teardrop, but slightly modified so as not to be affected by the patches provided for Teardrop. There are new, better constructed patches that also prevent this new type of attack.
  • Smurf: This program uses the “ICMP flood” technique and amplifies it in order to create a disaster on the specified machine(s). In fact, it uses the “broadcast ping” technique so that the number of ICMP packets sent to the station grows exponentially, making a crash almost inevitable. It is difficult to protect against this type of attack: there is no patch, but correct filter rules allow you to limit its effect.
  • Winnuke: A program to “crash” Windows NT/95 systems by sending “OOB” (Out Of Band) data over a connection with a Windows client. The NetBIOS service seems to be the most vulnerable to this type of attack. Apparently, Windows does not know how to react to receiving this type of packet and “panics”. Several patches exist against this type of attack, and recent versions of Windows (98/2000 onwards) are now protected.

Continued…

Denial of Service Attack DoS | Part 3

Monday, February 15th, 2010

UDP Flooding

This denial of service exploits the connectionless mode of UDP. It creates a UDP Packet Storm (a large quantity of UDP packets), either toward a single machine or between two machines. Such an attack between two machines leads to congestion and to a saturation of resources on both hosts. The congestion is all the greater because UDP traffic takes priority over TCP traffic.

In fact, TCP has a congestion control mechanism: if the acknowledgment of a packet arrives after a long delay, this mechanism adapts the transmission frequency of the packets and the TCP throughput decreases. UDP has no such mechanism. After some time, the UDP traffic occupies all the bandwidth, leaving only a small part to the TCP traffic.

The best-known example of UDP flooding is the “Chargen Denial of Service Attack”. The implementation of this attack is simple: it is enough to make the chargen service of one machine talk to the echo service of another. The first generates characters, while the second resends the data it receives. The attacker then only has to send UDP packets to port 19 (chargen) of one victim, spoofing the IP address and source port of the other; in this case the source port is UDP port 7 (echo). The UDP flood saturates the bandwidth between the two machines, and it can completely disable a network.

Packet Fragment

The Packet Fragment type of denial of service uses weaknesses in some TCP/IP implementations' handling of defragmentation (the reassembly of IP fragments).

A well-known attack using this principle is Teardrop. The fragmentation offset of the second fragment is smaller than the size of the first, and so is the offset plus the size of the second. This means that the second fragment is contained within the first (overlapping).

During defragmentation, some systems do not handle this exception, and that leads to a denial of service. There are variants of this attack: bonk, boink and newtear. The Ping of Death denial of service uses poor handling of ICMP defragmentation, sending more data than the maximum size of an IP packet. These different types of denial of service lead to a crash of the target machine.
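A defensive reassembler can reject the malformed fragment sets described here (Teardrop and its bonk/boink variants, and Ping of Death, which Part 4 above also lists) before it allocates a reassembly buffer, simply by checking the offsets and lengths against what RFC 791 allows. The following is an added example, not code from the page or from Wikipedia: the fragment sets are constructed to match the descriptions (a second fragment landing inside the first, a final fragment ending past 65,535 bytes), and the defect codes and the `Fragment` class are my own naming.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535                  # hard limit on a reassembled IPv4 datagram (RFC 791)
IP_MIN_HEADER = 20                       # minimal IPv4 header, so the payload may end at most here:
MAX_PAYLOAD_END = IP_MAX_DATAGRAM - IP_MIN_HEADER


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as the reassembler sees it (constructed values, not captures)."""
    offset: int   # Fragment Offset field, in 8-byte units
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def check_fragments(frags: list) -> set:
    """Return the defect codes found in one datagram's fragment set.
    An empty set means the fragments are contiguous, in range and safe to reassemble."""
    codes = set()
    ordered = sorted(frags, key=lambda f: (f.start, -f.length))
    expected_next = 0                    # first byte not yet covered by an earlier fragment
    for f in ordered:
        if f.more and f.length % 8:
            codes.add("bad-length")      # non-final fragments must carry a multiple of 8 bytes
        if f.start < expected_next:
            codes.add("overlap")         # Teardrop/Bonk/Boink: data lands inside bytes already received
        elif f.start > expected_next:
            codes.add("gap")             # bytes missing; reassembly cannot finish yet
        if f.end > MAX_PAYLOAD_END:
            codes.add("oversize")        # Ping of Death: the datagram would exceed 65535 bytes
        expected_next = max(expected_next, f.end)
    if ordered and ordered[-1].more:
        codes.add("incomplete")          # no final fragment (MF clear) seen
    return codes


def verdict(frags: list) -> str:
    """Decide what a defensive reassembler should do with the set."""
    codes = check_fragments(frags)
    if codes & {"overlap", "oversize", "bad-length"}:
        return "drop"                    # malformed by construction: discard the whole datagram
    if codes:
        return "wait"                    # not malformed, just not complete yet
    return "reassemble"


# Constructed fragment sets (not captures from the tools named on the page).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 520, False)]         # 1480 + 520 bytes, contiguous
TEARDROP = [Fragment(0, 36, True), Fragment(3, 4, False)]             # second covers 24..28, inside 0..36
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8189, 28, False)]  # ends at byte 65540 > 65515

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)]:
        print(f"{name:14s} {verdict(frags):11s} {sorted(check_fragments(frags))}")
```

The point of the `verdict` split is that a gap or a missing final fragment is a normal transient state and only costs a timer, whereas an overlap, an oversize end or an odd-length non-final fragment can never come from a conforming sender, so the whole datagram can be discarded without ever copying a byte into a buffer.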

Smurfing

This attack uses the ICMP protocol. When a ping (ICMP ECHO) is sent to a broadcast address (e.g., 10.255.255.255), it is duplicated and sent to every machine on the network. The principle of the attack is to spoof the ICMP ECHO REQUEST packets sent, using the target's address as the source IP address. The attacker sends a continuous stream of pings to the broadcast address of a network, and all the machines answer the target with an ICMP ECHO REPLY. The flow is then multiplied by the number of hosts in the network. In this case the entire target network suffers the denial of service, because the huge amount of traffic generated by this attack leads to network congestion.
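Both UDP-flood patterns in this part, the chargen/echo loop and the Smurf broadcast amplification, leave a distinctive signature in flow records, which is how a network team usually spots them. The following is an added example, not code from the page or from Wikipedia: it parses constructed NetFlow-like records and flags UDP flows between ports 7 and 19, ICMP echo requests addressed to the directed-broadcast address of a local prefix, and a single destination receiving echo replies from many hosts. The local prefix 10.1.0.0/24, the threshold of 10 repliers, the record format and the `detect` function are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumed local prefixes of the network being monitored (hypothetical).
LOCAL_NETS = [ipaddress.IPv4Network("10.1.0.0/24")]
# Distinct echo-reply sources hitting one destination before we call it amplification.
AMPLIFICATION_SOURCES = 10

# Constructed flow records in a NetFlow-like text form (not real captures):
#   proto src dst a b packets   where a/b are ports for udp/tcp; for icmp, a is the ICMP type.
SAMPLE_FLOWS = """\
udp  192.0.2.10    198.51.100.20 53    53  12
tcp  192.0.2.10    198.51.100.20 40112 80  9
udp  203.0.113.7   198.51.100.20 7     19  48000
udp  198.51.100.20 203.0.113.7   19    7   47950
icmp 203.0.113.7   10.1.0.255    8     0   2500
""" + "".join(f"icmp 10.1.0.{h} 203.0.113.7 0 0 2500\n" for h in range(11, 31))


def parse_flows(text):
    """Turn the text records into (proto, src, dst, a, b, packets) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, a, b, pkts = line.split()
        flows.append((proto, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(a), int(b), int(pkts)))
    return flows


def is_directed_broadcast(addr):
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def detect(flows):
    """Return (kind, detail) findings for the patterns described on the page."""
    findings = []
    loops_seen = set()
    repliers = defaultdict(set)
    reply_pkts = defaultdict(int)
    request_pkts = defaultdict(int)
    for proto, src, dst, a, b, pkts in flows:
        if proto == "udp" and {a, b} == {7, 19}:
            key = frozenset({(src, a), (dst, b)})      # both directions are one loop
            if key not in loops_seen:
                loops_seen.add(key)
                findings.append(("chargen-echo-loop", f"{src}:{a} <-> {dst}:{b}"))
        elif proto == "icmp" and a == 8 and is_directed_broadcast(dst):
            findings.append(("directed-broadcast-ping", f"{src} -> {dst} ({pkts} requests)"))
            request_pkts[src] += pkts                   # the spoofed source is the intended victim
        elif proto == "icmp" and a == 0:
            repliers[dst].add(src)
            reply_pkts[dst] += pkts
    for target, sources in repliers.items():
        if len(sources) >= AMPLIFICATION_SOURCES:
            factor = reply_pkts[target] / request_pkts[target] if request_pkts[target] else float("inf")
            findings.append(("echo-reply-amplification",
                             f"{len(sources)} hosts -> {target}, x{factor:.0f} amplification"))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:26s} {detail}")
```

The amplification factor (replies per request) is what justifies the filter rules Part 4 mentions for Smurf: dropping ICMP echo requests addressed to a directed-broadcast address at the border, and disabling directed broadcast on routers, removes the multiplier entirely, while the chargen/echo loop is stopped by simply not running those services or by dropping UDP traffic between ports 7 and 19.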

Continued…

Denial of Service Attack DoS | Part 2

Monday, February 15th, 2010

Types Of DoS Attacks

“Denial of Service”: all the malicious actions that result in a server being taken offline. Technically, cutting the power to a server for a malicious purpose may be regarded as a denial of service attack. In practice, “denial of service” attacks are carried out by saturating one of the resources of the targeted web server.

Exploiting Flaws Or Limits Of Machines

One of the most common attacks was to send an ICMP packet of more than 65,535 bytes. Above this limit, IP stacks could not handle the packet properly, which caused errors; the same went for fragmented UDP packets, or TCP packets containing illegal or incompatible “flags”.

Current stacks resist such attacks. However, the time needed to process such packets is longer than the time needed to process legitimate packets. Thus it has become common, even trivial, to generate excessive processor (CPU) consumption simply by issuing hundreds of thousands of anomalies per second; a tool such as hping3 does this with a single command line…

Ex: [root@localhost root]# hping3 -SARFU -L 0 -M 0 -p 80 www.cible.com --flood
~ Wikipedia.org

With the arrival of broadband and the increasing power of personal computers, the attack potential has been multiplied tenfold, highlighting the weakness of installations developed several years ago. This increase allows virtually any anomaly to cause a denial of service, provided it is generated at a sufficiently high rate.

For example:

  • Using the “reserved” fields of the TCP header
  • Setting an acknowledgment number in a SYN packet
  • Packets whose Layer 4 (TCP/UDP) header is truncated despite correct checksums
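The three anomalies listed above, together with the illegal flag combinations mentioned earlier in this part, are exactly what an inline filter or IDS checks before the host stack spends any time on a segment. The following is an added example, not code from the page or from Wikipedia: it parses a raw 20-byte TCP header with Python's `struct` module and returns the anomaly codes found. The sample segments, the code names and the `build_segment` helper are constructed for the demonstration (it leaves the checksum at zero; a real filter would verify it first).

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HEADER_FMT = "!HHIIHHHH"   # ports, seq, ack, offset/reserved/flags, window, checksum, urgent pointer


def build_segment(flags, ack=0, reserved=0, data_offset=5, seq=1000, sport=40000, dport=80):
    """Construct a TCP header for the demonstration (not a capture). 'reserved' fills the
    3 bits between the 4-bit data offset and the 9 flag bits; checksum is left at 0 on purpose."""
    orf = (data_offset << 12) | ((reserved & 0x7) << 9) | (flags & 0x1FF)
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, orf, 65535, 0, 0)


def inspect_tcp(segment):
    """Return the anomaly codes an inline filter would raise for one TCP segment."""
    if len(segment) < 20:
        return ["truncated-header"]
    _, _, _, ack, orf, _, _, _ = struct.unpack(HEADER_FMT, segment[:20])
    data_offset, reserved, flags = orf >> 12, (orf >> 9) & 0x7, orf & 0x1FF
    codes = []
    if data_offset < 5 or len(segment) < data_offset * 4:
        codes.append("truncated-header")          # header claims more bytes than the segment holds
    if reserved:
        codes.append("reserved-bits-set")         # the reserved bits must be zero (RFC 793)
    if flags & SYN and flags & (FIN | RST):
        codes.append("illegal-flag-combination")  # SYN never travels with FIN or RST
    if not flags & (SYN | ACK | RST | FIN):
        codes.append("null-flags")                # no control flag at all
    if flags & SYN and not flags & ACK and ack != 0:
        codes.append("ack-number-in-syn")         # an initial SYN carries no meaningful ack number
    return codes


# Constructed test segments (not captures).
SAMPLES = {
    "normal-syn": build_segment(SYN),
    "syn-with-ack-number": build_segment(SYN, ack=0x1234),
    "reserved-bits": build_segment(ACK, reserved=0b101),
    "syn-fin": build_segment(SYN | FIN),
    "all-flags": build_segment(SYN | ACK | RST | FIN | URG),
    "null": build_segment(0),
    "truncated": build_segment(ACK, data_offset=8),   # claims a 32-byte header, carries 20
    "short": build_segment(ACK)[:16],                 # cut off before the header ends
}


def scan_samples():
    return {name: inspect_tcp(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, codes in scan_samples().items():
        print(f"{name:22s} {codes or 'ok'}")
```

Each check is a few integer operations on the first 20 bytes, which is the whole point: the filter's cost per anomalous segment must stay far below the cost the host stack would pay to process it, otherwise the filter merely moves the CPU exhaustion one hop upstream.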

SYN Flood Denial Of Service

A SYN flood attack is designed to cause a denial of service by issuing a large number of incomplete TCP synchronization requests to a server. When a system (the client) attempts to establish a TCP connection to a system offering a service (the server), the client and the server exchange a sequence of messages.

The client system begins by sending a SYN message to the server. The server then acknowledges the message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them.

The potential for abuse arises at the point where the server has sent an acknowledgment (SYN-ACK) to the client but has not yet received the ACK message. The server keeps in its memory a data structure describing all pending connections. This data structure is of finite size and can be overwhelmed by intentionally creating too many partially open connections.

Creating half-open connections is easily accomplished with IP spoofing. The attacker's system sends SYN messages to the victim machine that appear legitimate but refer to a client unable to respond to the SYN-ACK. This means that the final ACK message will never be sent to the victim server.

Normally there is a timeout associated with an incoming connection, so the half-open connections will expire and the victim server can recover from the attack. However, the attacking system can simply keep sending IP-spoofed packets requesting new connections faster than the victim can expire them.

In most cases, the victim will have difficulty accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections or the ability to establish outgoing network connections. However, the system's memory can become saturated, causing a crash and making the system inoperable.
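To show why the finite half-open table matters, and why the SYN cookies mentioned in Part 5 above help, here is an added example that is not code from the page or from Wikipedia. It models a listening socket with a backlog of 256 entries and a 60-second timeout, floods it with spoofed SYNs that never complete, then lets one legitimate client connect; a second run uses a simplified SYN cookie (a 5-bit time slot plus a keyed hash, not the exact Linux layout, which also encodes an MSS index) instead of storing any state. The addresses, the secret and the `Listener` class are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demonstration; a real stack uses a random, periodically rotated one.
COOKIE_SECRET = b"demo-secret-not-for-production"
SERVER = ("198.51.100.5", 80)             # constructed server address


def syn_cookie(src, sport, dst, dport, slot):
    """Stateless ISN: 5-bit time slot plus a 27-bit keyed hash of the 4-tuple and the slot.
    Simplified layout for illustration only."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return ((slot & 0x1F) << 27) | (int.from_bytes(digest[:4], "big") & 0x07FFFFFF)


def check_cookie(src, sport, dst, dport, isn, now_slot):
    """Accept an ISN only if it was minted for this 4-tuple in the current or previous slot."""
    age = (now_slot - (isn >> 27)) & 0x1F
    if age > 1:
        return False
    return syn_cookie(src, sport, dst, dport, now_slot - age) == isn


class Listener:
    """Half-open connection table of a listening socket, with or without SYN cookies."""

    def __init__(self, backlog=256, timeout=60.0, use_cookies=False):
        self.backlog, self.timeout, self.use_cookies = backlog, timeout, use_cookies
        self.half_open = {}               # (src, sport) -> (expiry, isn)
        self.dropped = 0
        self.established = 0

    def on_syn(self, now, src, sport):
        """Return the ISN placed in the SYN-ACK, or None when the SYN had to be dropped."""
        if self.use_cookies:
            return syn_cookie(src, sport, *SERVER, int(now) // 60)   # nothing is stored
        self.half_open = {k: v for k, v in self.half_open.items() if v[0] > now}  # expire
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (now + self.timeout, isn)
        return isn

    def on_ack(self, now, src, sport, ack):
        """Final ACK of the handshake; the client echoes ISN + 1."""
        isn = (ack - 1) & 0xFFFFFFFF
        if self.use_cookies:
            ok = check_cookie(src, sport, *SERVER, isn, int(now) // 60)
        else:
            entry = self.half_open.pop((src, sport), None)
            ok = entry is not None and entry[1] == isn
        self.established += ok
        return ok


def simulate(use_cookies, rate=500, seconds=10):
    """Flood the listener with spoofed SYNs that never complete, then let one legitimate
    client try. Returns what happened to the client and to the table."""
    lst = Listener(use_cookies=use_cookies)
    t = 0.0
    for i in range(rate * seconds):
        t = i / rate
        lst.on_syn(t, f"203.0.113.{i % 254 + 1}", 1024 + i)    # constructed spoofed sources
    isn = lst.on_syn(t, "192.0.2.10", 40000)                   # constructed legitimate client
    connected = isn is not None and lst.on_ack(t + 0.05, "192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF)
    return {"connected": bool(connected), "dropped": lst.dropped, "half_open": len(lst.half_open)}


if __name__ == "__main__":
    print("without cookies:", simulate(False))
    print("with cookies:   ", simulate(True))
```

Without cookies the table fills after 256 spoofed SYNs, every later SYN including the legitimate client's is dropped, and the 60-second timeout never gets a chance to help because the flood arrives far faster than entries expire. With cookies the table stays empty and the handshake completes, since the server can verify the returned ISN from the secret and the 4-tuple alone; the flood packets still have to be received and answered, which is the bandwidth limitation Part 5 points out.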

Continued…

Denial of Service Attack DoS | Part 1

Monday, February 15th, 2010

What Is A Denial of Service Attack DoS?

A DoS attack (denial of service attack) is designed to make a service unavailable, preventing the legitimate users of that service from using it. It can be:

  1. Flooding of a network to prevent it from operating
  2. Disruption of the connections between two machines, preventing access to a particular service
  3. Obstruction of access to a service for a particular person

A denial of service can block a file server, make a web server inaccessible, prevent the distribution of mail in a business, or make a website unavailable.

The attacker does not necessarily need sophisticated equipment. Thus, some DoS attacks can be executed with limited resources against a much larger and more modern network. Such attacks are sometimes called “asymmetric attacks” (because of the difference in resources between the actors). An attacker with an outdated computer and a slow modem can thus take down machines or networks of far greater importance. Denial of service attacks have changed over time.

At first, the attacks were perpetrated by a single “attacker”; quickly, more sophisticated attacks appeared, involving a multitude of “soldiers”, also known as “zombies”. This is called DDoS (distributed denial of service attack). Secondly, DoS and DDoS attacks were at first perpetrated by hackers attracted only by the achievement and the reputation. Today they mostly come from criminal organizations, primarily motivated by money.

Thus, some hackers have specialized in “raising” armies of “zombies”, which they can then rent to other hackers to attack a particular target. With the sharp increase in trade over the Internet, the number of blackmail attempts by denial of service has increased dramatically (an attacker launches a DoS or DDoS attack against a company and demands a ransom to stop the attack).

Denial of service attacks emerged in the 1980s. DDoS attacks (Distributed DoS) are much more recent (first appearance in June 1999). The first official DDoS attack took place in August 1999: a tool called “Trinoo DDO” was deployed on at least 227 systems, 114 of which were on the Internet, to flood the servers of the University of Minnesota. Following this attack, the university's Internet access remained blocked for more than two days.

The first DDoS attack publicized in the mainstream press took place in February 2000. On February 7, Yahoo! was the victim of a DDoS attack that made its Internet portal inaccessible for three hours. On February 8, Amazon.com, Buy.com, CNN and eBay were hit by DDoS attacks that caused either an outage or a sharp slowdown in their operation. On February 9, E*Trade and ZDNet were in turn victims of DDoS attacks.

Analysts estimate that during the three hours of inaccessibility, Yahoo! suffered a loss of e-commerce and advertising revenue totaling approximately $500,000. According to Amazon.com, the attack caused it a loss of $600,000 over 10 hours.

During the attacks, eBay.com went from 100% availability to 9.4%; CNN.com fell below 5% of its normal volume; ZDNet.com and ETrade.com were, for their part, almost inaccessible. Schwab.com, the site of the online broker Charles Schwab, was also affected but declined to give exact figures on its losses. One can only assume that for a company doing 2 billion dollars a week of business online, the loss was not negligible.

In September 2001, a Code Red virus infected thousands of systems, and a second version, called Code Red II, installed a DDoS agent. Rumors said it was an attack against the White House. In a political crisis, the U.S. government announced that security measures would be undertaken. But in the summer of 2002, it was the Internet's turn to undergo a DDoS attack against its 13 root servers.

These servers are the key points of the Internet's referral system, called the Domain Name System (DNS). This attack lasted only an hour but could have crippled the entire Internet. The incident was taken seriously by experts, who said they would enhance the security of their machines in the future.

The first version of Slapper, which appeared in mid-September 2002, infected more than 13,000 Linux servers in two weeks. Slapper uses a security hole in the OpenSSL module and carries a DDoS agent. It was detected and stopped in time.

Nevertheless, on Monday, October 21, 2002, a new DoS attack blocked 9 of the 13 key servers, making their resources inaccessible for three hours. Some of the businesses and organizations that run the key servers responded and decided to review their security arrangements. The FBI opened an investigation, but locating the perpetrators of the attack proved difficult.

Shortly afterwards, misconfigured MySQL database servers of Microsoft Corporation were infected by the SQL Slammer worm, which carries an agent that launched a DDoS attack against the Internet on January 25, 2003. This time, only 4 of the 13 root servers responsible for routing the Internet were affected. Despite the virulence of the attack, the overall network performance was reduced by barely 15%.

Continued…