DDoS Attack

Introduction

A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users, using many attacking hosts at once.
In layman's terms, it is a concerted effort by a person or group to prevent an Internet site or service from functioning efficiently or at all.
DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing their communication.
On wireless networks, a common DoS method is the deauthentication flood (forged 802.11 management frames that kick clients off the access point); to neutralize it, look for newer products that support 802.11w management frame protection, which authenticates those frames so that forged ones are ignored.

Symptoms and Manifestations

  • Unusually slow network performance (opening files or accessing web sites)
  • Unavailability of a particular web site
  • Inability to access any web site
  • Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)

Methods of attack

The five basic types of attack are:

  1. Consumption of resources, such as bandwidth, disk space, or processor time.
  2. Disruption of configuration information, such as routing information.
  3. Disruption of state information, such as unsolicited resetting of TCP sessions.
  4. Disruption of physical network components.
  5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
A DoS attack may include execution of malware intended to:
  • Max out the processor's usage, preventing any work from occurring.
  • Trigger errors in the microcode of the machine.
  • Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
  • Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished.
  • Crash the operating system itself.

Popular DDoS Attack Technique

1) ICMP flood
ICMP floods include the Smurf attack, the ping flood and the ping of death. The SYN flood is often listed alongside them, but it is a TCP attack: it exhausts the target's table of half-open connections rather than its ICMP handling (see the CNET description at the end of this page).
A Smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all hosts on a particular network via the network's broadcast address. The network then serves as a Smurf amplifier.

The perpetrator sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, with the source address of every packet spoofed to be that of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will accept the echo request and answer it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet. All of those replies go to the victim, whose bandwidth is quickly used up, preventing legitimate packets from getting through.
The fix:
  • Configure individual hosts and routers not to respond to ping requests sent to broadcast addresses (on Linux this is the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1, which modern kernels default to).
  • Configure routers not to forward packets directed to broadcast addresses; on Cisco IOS this is set per interface and has been the default since IOS 12.0:
  • Router(config-if)# no ip directed-broadcast
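The two checks in the fix list, modelled in code as an added example (this is not code from the original post; the subnet 192.0.2.0/24 is assumed to be the network behind our router, 198.51.100.7 plays the spoofed victim, and the packets are constructed inline with their checksums left at zero):

```python
# Added example, not code from the original post: a model of the two checks
# the "fix" list describes, applied to constructed raw IPv4/ICMP packets.
# The subnet 192.0.2.0/24 is assumed to be the network behind our router;
# 198.51.100.7 plays the victim whose address the attacker spoofs.
import ipaddress
import struct

LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed, for the demo
ICMP, ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 1, 8, 0


def build_ipv4_icmp(src, dst, icmp_type=ICMP_ECHO_REQUEST):
    """Construct a minimal IPv4 + ICMP packet for the demo (checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"sample"
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, ICMP, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + icmp


def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    return (ipaddress.ip_address(packet[12:16]),
            ipaddress.ip_address(packet[16:20]),
            packet[9],
            packet[ihl:])


def is_directed_broadcast(packet, subnets=LOCAL_SUBNETS):
    """What 'no ip directed-broadcast' drops: any packet, whatever its protocol,
    addressed to the broadcast address of a subnet on the far side of the router."""
    _, dst, _, _ = parse_ipv4(packet)
    return any(dst == net.broadcast_address for net in subnets)


def is_smurf_trigger(packet, subnets=LOCAL_SUBNETS):
    """The packet a Smurf amplifier reflects: an ICMP echo request to a directed
    broadcast. Its (spoofed) source address is the real victim."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != ICMP or not payload or payload[0] != ICMP_ECHO_REQUEST:
        return False
    return is_directed_broadcast(packet, subnets)


def router_filter(packets):
    """Apply the directed-broadcast rule to a list of packets; return the decision
    together with the source (for a Smurf trigger, the address that would have
    been flooded) and destination of each packet."""
    decisions = []
    for pkt in packets:
        src, dst, _, _ = parse_ipv4(pkt)
        action = "drop" if is_directed_broadcast(pkt) else "forward"
        decisions.append((action, str(src), str(dst)))
    return decisions


# Constructed sample traffic: a Smurf trigger spoofed from the victim, a normal
# ping between two hosts, and a non-echo ICMP message to the broadcast address.
SAMPLE = [
    build_ipv4_icmp("198.51.100.7", "192.0.2.255"),
    build_ipv4_icmp("192.0.2.5", "192.0.2.10"),
    build_ipv4_icmp("198.51.100.7", "192.0.2.255", icmp_type=ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    for decision in router_filter(SAMPLE):
        print(decision)
```

The router rule is deliberately broader than the Smurf check: dropping every directed broadcast, not only ICMP echo requests, also covers the UDP variant of the same amplification trick, which is why the interface command is the fix to apply rather than an ICMP-specific filter.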

2) Teardrop Attack

A Teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. Because the fragment offsets overlap, the reassembly code ends up computing a negative length for the data it has to copy and crashes; this affected various operating systems due to a bug in their TCP/IP fragmentation reassembly code. Windows XP SP1 and earlier versions are cited as vulnerable to this sort of attack.
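The overlap arithmetic that Teardrop exploited, and the check a reassembler needs, as an added example (not code from the original post or from any affected kernel; fragments are modelled as byte offsets rather than the 8-byte units the IPv4 header uses, and the sample fragments are constructed inline):

```python
# Added example, not code from the original post: how overlapping IP
# fragments broke Teardrop-era reassembly, next to a reassembler that
# rejects them. Fragments are modelled as (byte_offset, payload) tuples;
# real IPv4 headers carry the offset in 8-byte units and a more-fragments
# flag, which are omitted here to keep the overlap logic visible.

MAX_DATAGRAM = 65535  # largest IPv4 datagram the total-length field allows

# Constructed sample input: a well-formed pair of fragments ...
BENIGN = [(0, b"A" * 24), (24, b"B" * 16)]
# ... and a Teardrop-style pair: the second fragment sits entirely inside
# the first, so its end (28) is before the end of data already received (36).
TEARDROP = [(0, b"A" * 36), (24, b"B" * 4)]


def naive_copy_lengths(fragments):
    """Reproduce the arithmetic of the vulnerable reassemblers.

    When a fragment overlaps data already received, its start is moved
    forward to the end of the previous fragment, and the copy length is
    computed as end - start with no check that it is non-negative. The
    affected kernels handed that negative value to a copy routine expecting
    an unsigned size, which is what crashed them. Returns the computed lengths.
    """
    lengths = []
    prev_end = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        start = max(offset, prev_end)   # trim the overlapping prefix
        lengths.append(end - start)     # negative when end < prev_end
        prev_end = max(prev_end, end)
    return lengths


def is_teardrop(fragments):
    """True when the naive computation would produce a negative copy length."""
    return any(n < 0 for n in naive_copy_lengths(fragments))


def reassemble(fragments):
    """Hardened reassembly: after sorting by offset, each fragment must begin
    exactly where the previous one ended, and no fragment may extend past
    the 65535-byte datagram limit. Anything else is dropped with ValueError
    rather than trusted; real stacks additionally time out incomplete sets.
    """
    buf = bytearray()
    expected = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise ValueError(f"fragment [{offset},{end}) exceeds the datagram limit")
        if offset < expected:
            raise ValueError(f"fragment at {offset} overlaps data up to {expected}")
        if offset > expected:
            raise ValueError(f"missing data between {expected} and {offset}")
        buf += payload
        expected = end
    return bytes(buf)


if __name__ == "__main__":
    print("benign  :", len(reassemble(BENIGN)), "bytes reassembled")
    print("teardrop:", naive_copy_lengths(TEARDROP), "-> is_teardrop =", is_teardrop(TEARDROP))
    try:
        reassemble(TEARDROP)
    except ValueError as err:
        print("hardened reassembler rejected it:", err)
```

Run stand-alone, the naive computation reports a copy length of -8 for the second Teardrop fragment, while the hardened reassembler refuses the set outright; a production stack would also cap the number of fragments held per datagram so that the reassembly queue itself cannot be used as a resource-exhaustion target.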

 

3) P2P Attack

The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master", instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second.


4) Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.
A specific example of a nuke attack that gained some prominence is WinNuke, which exploited a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band (TCP URG) data was sent to TCP port 139 of the victim's machine, causing it to lock up and display a Blue Screen of Death (BSOD).


Prevention and response

1) Firewalls

Firewalls have simple rules such as allow or deny for protocols, ports or IP addresses. Firewalls can effectively prevent users from launching simple flooding-type attacks from machines behind the firewall and can drop traffic to ports the server does not need, but a rule set alone cannot absorb a volumetric flood that saturates the link in front of it.
Some stateful firewalls, like OpenBSD's pf, can act as a proxy for TCP connections: the firewall completes the three-way handshake with the client itself (pf's synproxy state option) and only then opens a connection to the destination, so spoofed SYNs that never complete the handshake never reach the server.

2) Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing, which keeps SYN floods from reaching the server), deep packet inspection, and bogon filtering (dropping packets from unallocated or reserved "dark" address space). They detect and remediate denial-of-service attacks through automatic rate filtering, which only works with correctly chosen rate thresholds, and through WAN link failover and balancing.

3) Routers

Most routers can be easily overwhelmed under a DoS attack. If you add rules to pull flow statistics out of the router during the attack, they slow down further and complicate the matter. Cisco IOS has features intended to limit flooding, such as TCP Intercept (which proxies or watches SYNs on the server's behalf) and committed access rate (CAR) policing of ICMP and SYN traffic.

4) Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.

5) IPS based prevention

Intrusion-prevention systems that work on content recognition (signatures) cannot block DoS attacks made of individually legitimate-looking packets, which are recognizable only by their volume or behavior.
An ASIC-based IPS can detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attack and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
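The rate-based check that both the switch paragraph (rate filtering with the right thresholds) and the RBIPS paragraph describe, run over constructed flow records, as an added example (not code from the original post or from any vendor's product; the record format, the one-second window, the 10-packet threshold and all addresses are assumptions for the demonstration, and the iptables rule text is only one way of rendering the decision):

```python
# Added example, not from the original post: the rate-based anomaly check that
# the switch and rate-based IPS paragraphs describe, run over constructed flow
# records. Record format ("time src dst proto flags"), the one-second window,
# the 10-packet threshold and all addresses are assumptions for the demo; the
# iptables rule text is only a rendering of the decision.
from collections import defaultdict, deque

WINDOW = 1.0        # seconds of history kept per source
THRESHOLD = 10      # packets per window above which a source is an anomaly
SERVER = "198.51.100.80"

# Constructed traffic: two hosts with a handful of packets each, and one
# source that sends 12 SYNs in under half a second.
_LEGIT = [(0.00, "192.0.2.10", "A"), (0.40, "192.0.2.10", "A"), (1.70, "192.0.2.10", "A"),
          (0.30, "198.51.100.4", "S"), (0.90, "198.51.100.4", "A"), (2.10, "198.51.100.4", "A")]
_FLOOD = [(0.05 + i * 0.04, "203.0.113.7", "S") for i in range(12)]
RECORDS = [f"{t:.2f} {src} {SERVER} tcp {flags}" for t, src, flags in sorted(_LEGIT + _FLOOD)]


def parse_record(line):
    """Split one 'time src dst proto flags' record into typed fields."""
    ts, src, dst, proto, flags = line.split()
    return float(ts), src, dst, proto, flags


def peak_rates(records, window=WINDOW):
    """Sliding-window count per source: return {src: most packets seen within
    any `window`-second span}. Records are processed in time order."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, _, _, _ in sorted(map(parse_record, records)):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def flooders(records, window=WINDOW, threshold=THRESHOLD):
    """Sources whose peak rate exceeds the threshold: the ones a rate-based
    filter would throttle or block. Everything else keeps flowing."""
    return sorted(src for src, n in peak_rates(records, window).items() if n > threshold)


def block_rules(records):
    """Render the decision as Linux netfilter rules (assumed enforcement point)."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src in flooders(records)]


if __name__ == "__main__":
    for src, n in sorted(peak_rates(RECORDS).items()):
        print(f"{src:15} peak {n:2d} packets/window")
    print(block_rules(RECORDS))
```

The threshold is the whole game: set it below the burst rate of a busy legitimate client and the filter becomes a self-inflicted DoS, set it above the attack rate and it never fires, which is what the switch paragraph means by rate filtering only working with the right thresholds. Against a distributed flood where every source stays under the per-source threshold, a per-source counter like this one is blind, and the check has to move to aggregate rates per destination or per service.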

6) Prevention via proactive testing

Test platforms such as Mu Dynamics' Service Analyzer are available to perform simulated denial-of-service attacks that can be used to evaluate defensive mechanisms such as IPS and RBIPS, as well as the popular denial-of-service mitigation products from Arbor Networks. An example of proactive testing of denial-of-service throttling capabilities in a switch was performed in 2008: the Juniper EX 4200 switch with integrated denial-of-service throttling was tested by Network Test and the resulting review was published in Network World.

7) Blackholing/Sinkholing

With blackholing, all traffic to the attacked DNS name or IP address is sent to a "black hole" (a null interface, a non-existent server, ...). This protects the rest of the network, but it also drops the legitimate traffic to that address, so it is a way of containing the attack rather than surviving it.
Sinkholing routes the traffic to a valid IP address that analyzes it and rejects the bad packets. Sinkholing is not effective for the most severe attacks, because the sinkhole itself has to absorb the full volume.

8) Clean pipes

All traffic is passed through a "cleaning center" (also called a scrubbing center) via a proxy or route redirection, which separates "bad" traffic (DDoS and also other common Internet attacks) and only sends good traffic on to the server. The provider needs central connectivity to the Internet, with enough capacity to take the whole flood, to manage this kind of service.
Prolexic and Verisign are examples of providers of this service.
______________________________________________________________

Cited from CNET
How a "denial of service" attack works
In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.
In a denial of service attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely.
[Figure: Typical connection]

[Figure: "Denial of service" attack]

How to block a "denial of service" attack
One of the more common methods of blocking a "denial of service" attack is to set up a filter, or "sniffer," on a network before a stream of information reaches a site's Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.
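The half-open connection queue that the CNET description refers to, and the stateless alternative (SYN cookies) that removes it, as an added example that is not part of the CNET text or the original post. The backlog size, timeout, secret and addresses are assumptions chosen to make the effect visible, and the cookie layout is a simplified version of the real scheme, which also encodes the MSS and the client's own sequence number:

```python
# Added example, not part of the CNET text or the original post: a
# simulation of the half-open connection table that a spoofed SYN flood
# fills, beside a stateless SYN-cookie handler that keeps no table and so
# cannot be filled. Backlog size, timeout, secret and addresses are
# assumptions chosen to make the effect visible; the cookie layout is a
# simplified version of the real scheme (which also encodes the MSS and
# the client's sequence number).
import hashlib
import hmac

BACKLOG = 4                 # half-open slots; real stacks have hundreds or thousands
TIMEOUT = 60.0              # seconds a half-open entry waits for the final ACK
SECRET = b"assumed-server-secret"


class StatefulServer:
    """Classic handshake: every SYN reserves a slot until ACK or timeout."""

    def __init__(self):
        self.half_open = {}         # (ip, port) -> (expiry, server ISN)
        self.established = set()
        self._next_isn = 1000

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items() if v[0] > now}

    def syn(self, src, now):
        """Return the server ISN to send in SYN-ACK, or None if the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            return None             # no slot: the client never gets a SYN-ACK
        self._next_isn += 1
        self.half_open[src] = (now + TIMEOUT, self._next_isn)
        return self._next_isn

    def ack(self, src, ack_num, now):
        self._expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack_num != entry[1] + 1:
            return "reset"
        del self.half_open[src]
        self.established.add(src)
        return "established"


def _slot(now):
    """Coarse time counter (64-second slots) so cookies expire on their own."""
    return int(now // 64) & 0xFF


def _cookie(src, slot):
    """32-bit ISN: 8-bit slot in the top byte, 24-bit keyed MAC of (src, slot) below."""
    msg = f"{src[0]}:{src[1]}|{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


class CookieServer:
    """SYN cookies: the SYN-ACK's ISN is the state, so spoofed SYNs cost nothing."""

    def __init__(self):
        self.established = set()

    def syn(self, src, now):
        return _cookie(src, _slot(now))        # nothing stored

    def ack(self, src, ack_num, now):
        cookie = (ack_num - 1) & 0xFFFFFFFF
        slot = cookie >> 24
        if (_slot(now) - slot) & 0xFF > 1:     # cookie older than two slots
            return "reset"
        if cookie != _cookie(src, slot):       # forged, or replayed from another source
            return "reset"
        self.established.add(src)
        return "established"


def simulate(server_cls, wait=0.0):
    """Flood with forged sources that never ACK, then let a real client try
    `wait` seconds later. Returns the real client's handshake outcome."""
    srv = server_cls()
    now = 0.0
    for i in range(BACKLOG + 2):
        srv.syn((f"10.0.0.{i + 1}", 40000 + i), now)   # spoofed: no ACK ever comes
        now += 0.1
    now += wait
    client = ("192.0.2.10", 51515)
    isn = srv.syn(client, now)
    if isn is None:
        return "dropped"
    return srv.ack(client, isn + 1, now + 0.05)


if __name__ == "__main__":
    print("stateful, during flood :", simulate(StatefulServer))
    print("stateful, after timeout:", simulate(StatefulServer, wait=TIMEOUT + 1))
    print("syn cookies            :", simulate(CookieServer))
```

The stateful server recovers once its entries time out, which is exactly the moment the CNET text says the attacker sends the next batch; the cookie server has nothing to time out, and a forged ACK from a different address, or one arriving slots later, is rejected because the MAC no longer matches. Real implementations only switch to cookies once the backlog is under pressure, since the ISN has no room left for TCP options.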






_____________________________________________________________________________________________

1 comment:

Unknown said...

Informative blog. Thanks for sharing. Please visit once at http://ddoscube.com/
