CEHv8 module 10 denial of service

Denial of Service
Module 10

Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Denial of Service

Denial-of-Service
Module 10

Engineered by Hackers. Presented by Professionals.

CEH
Ethical Hacking and Countermeasures v8
Module 10: Denial-of-Service
Exam 312-50

Module 10 Page 1403

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.



Security News

HSBC is Latest Target in Cyber Attack Spree

October 19, 2012


HSBC is Latest Target in Cyber Attack Spree

Source:
HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming
one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with
Islamic terrorism.
"HSBC servers came under a denial of service attack which affected a number of HSBC
websites around the world," the London-based banking giant said in a statement. "This denial
of service attack did not affect any customer data, but did prevent customers using HSBC online
services, including internet banking."
HSBC said it had the situation under control in the early morning hours of Friday London time.
The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled
users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has
also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and
Bank of America (BAC), said the attacks will continue until the anti-Islamic 'Innocence of
Muslims' film trailer is removed from the Internet.



In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called
Anonymous also took responsibility. However, a source in the computer security field who has
been monitoring the attacks told FOX Business "the technique and systems used against HSBC
were the same as the other banks." However, the person who requested anonymity noted that
Anonymous "may have joined in, but the damage was done by" al-Qassam.
The people behind al-Qassam have yet to be unmasked. Several published reports citing
unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security
researchers have told FOX Business the attacks don't show the hallmarks of an attack from that
country.
There is a consensus, however, that the group is likely using a fairly sophisticated type of
denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software
to take servers over and then use them as weapons. Once they are taken over, they slam the
Web servers hosting bank websites with a deluge of requests, making access either very slow or
completely impossible. Servers have an especially high level of connectivity to the Internet,
giving al-Qassam more horsepower with fewer machines.

Copyright © 2012 FOX News Network, LLC
By Adam Samson.
http://www.foxbusiness.com/industries/2012/10/19/hsbc-is-latest-target-in-cyber-attack-spree/#ixzz2D14739cA


Module Objectives

This module looks at various aspects of denial-of-service attacks. The module starts with a discussion of denial-of-service attacks. Distributed denial-of-service attacks are cited, along with the implications of such attacks. Real-world scenarios are cited to highlight the implications of such attacks, and the various tools used to launch such attacks are included to spotlight the technologies involved. The countermeasures for preventing such attacks are also taken into consideration. Viruses and worms are briefly discussed in terms of their use in such attacks. This module will familiarize you with:

• What Is a Denial of Service Attack?
• What Are Distributed Denial of Service Attacks?
• Symptoms of a DoS Attack
• DoS Attack Techniques
• Botnet
• Botnet Ecosystem
• Botnet Trojans
• DDoS Attack Tools
• DoS Attack Tools
• Detection Techniques
• DoS/DDoS Countermeasures
• Techniques to Defend against Botnets
• Advanced DDoS Protection Appliances
• DoS/DDoS Protection Tools
• Denial of Service (DoS) Attack Penetration Testing



Module Flow

In the present Internet world, many attacks are launched by targeting organizations in the banking sector, as well as IT service and resource providers. DoS (denial of service) and DDoS (distributed denial of service) attacks were designed by attackers to breach organizations' services.

• DoS/DDoS Concepts
• DoS/DDoS Attack Techniques
• Botnets
• DoS/DDoS Case Study
• DoS/DDoS Attack Tools
• Countermeasures
• DoS/DDoS Protection Tools
• DoS/DDoS Penetration Testing

This section describes the terms DoS, DDoS, the working of DDoS, and the symptoms of DoS. It also talks about cybercriminals and the organizational chart.


What Is a Denial of Service Attack?

Denial-of-service (DoS) is an attack that prevents authorized users from accessing a
computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth
attacks overflow the network with a high volume of traffic using existing network resources,
thus depriving legitimate users of these resources. Connectivity attacks overflow a computer
with a large amount of connection requests, consuming all available operating system
resources, so that the computer cannot process legitimate user requests.
An Analogy
Consider a company (Target Company) that delivers pizza upon receiving a telephone
order. The entire business depends on telephone orders from customers. Suppose a
person intends to disrupt the daily business of this company. If this person came up with a way
to keep the company's telephone lines engaged in order to deny access to legitimate
customers, obviously Target Company would lose business.

DoS attacks are similar to the situation described here. The objective of the attacker is not to
steal any information from the target; rather, it is to render its services useless. In the process,
the attacker can compromise many computers (called zombies) and virtually control them. The
attack involves deploying the zombie computers against a single machine to overwhelm it with
requests and finally crash the target in the process.


Figure 10.1: Denial of Service Attack (figure labels: Internet, Router, Attack Traffic, Regular Traffic, Server Cluster; malicious traffic takes control over all the available bandwidth)


What Are Distributed Denial of Service Attacks?

A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system.

To launch a DDoS attack, an attacker uses botnets and attacks a single system.

Impacts shown in the figure: Loss of Goodwill, Financial Loss, Disabled Organization, Disabled Network.

Source: www.searchsecurity.com
A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the
availability of services on a target's system or network resources, launched indirectly through
many compromised computers on the Internet.
The services under attack are those of the "primary target," while the compromised systems
used to launch the attack are often called the "secondary target." The use of secondary targets
in performing a DDoS attack provides the attacker with the ability to wage a larger and more
disruptive attack, while making it more difficult to track down the original attacker.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack
uses many computers to launch a coordinated DoS attack against one or more targets. Using
client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-service
significantly by harnessing the resources of multiple unwitting accomplice computers,
which serve as attack platforms."
If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet
services in minutes.


How Distributed Denial of Service Attacks Work


In a DDoS attack, the target browser or network is pounded by many applications with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the attack by sending a command to the zombie agents. These zombie agents send a connection request to a genuine computer system, i.e., the reflector. The requests sent by the zombie agents seem to be sent by the victim rather than the zombies. Thus, the genuine computer sends the requested information to the victim. The victim machine gets flooded with unsolicited responses from several computers at once. This may either reduce the performance or may cause the victim machine to shut down.

FIGURE 10.2: Distributed Denial of Service Attacks (figure labels: Attacker sets a handler system; Handler infects a large number of computers over Internet; Zombie systems are instructed; Handler; Compromised PCs (Zombies))


Symptoms of a DoS Attack

Based on the target machine, the symptoms of a DoS attack may vary. There are four
main symptoms of a DoS attack. They are:
• Unavailability of a particular website
• Inability to access any website
• Dramatic increase in the amount of spam emails received
• Unusually slow network performance


Module Flow

So far, we have discussed DoS, DDoS, symptoms of DoS attacks, cybercriminals, and the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform DoS/DDoS attacks.

In a DoS attack, the victim, website, or node is prevented from providing services to valid users. Various techniques are used by the attacker for launching DoS or DDoS attacks on a target computer or network. They are discussed in detail in this section.


DoS Attack Techniques

A denial-of-service attack (DoS) is an attack performed on a networking structure to
disable a server from serving its clients. The actual intent and impact of DoS attacks is to
prevent or impair the legitimate use of computer or network resources. There are seven kinds
of techniques that are used by the attacker to perform DoS attacks on a computer or a
network. They are:
• Bandwidth Attacks
• Service Request Floods
• SYN Flooding Attacks
• ICMP Flood Attacks
• Peer-to-Peer Attacks
• Permanent Denial-of-Service Attacks
• Application-Level Flood Attacks



Bandwidth Attacks

• A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim
• When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic
• Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
• Basically, all bandwidth is used and no bandwidth remains for legitimate use

A bandwidth attack floods a network with a large volume of malicious packets in
order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume
network bandwidth of the targeted network to such an extent that it starts dropping packets.
The dropped packets may include those of legitimate users. A single machine cannot make enough
requests to overwhelm network equipment; therefore, DDoS attacks were created where an
attacker uses several computers to flood a victim.
Typically, a large number of machines is required to generate the volume of traffic required to
flood a network. As the attack is carried out by multiple machines that are combined together
to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack.
Furthermore, detecting the source of the attack and blocking it is difficult as the attack is
carried out by numerous machines that are part of different networks. All the bandwidth of the
target network is used by the malicious computers and no bandwidth remains for legitimate
use.
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO
packets.




Service Request Floods

Service request floods work based on the connections per second principle. In this
method or technique of a DoS attack, the servers are flooded with a high rate of connections
from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server
resources by setting up and tearing down TCP connections. This probably initiates a request on
each connection, e.g., an attacker may use his or her zombie army to fetch the home page from
a target web server repeatedly. The resulting load on the server makes it sluggish.
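Because a service request flood works on the connections-per-second principle, the defender's signal is a source that sets up and tears down far more connections per second than a real client fetching a page. The following is an added example, not code from the CEH module: a sliding-window connection counter run over constructed connection-log lines; the log format, the addresses and the 10-connections-per-second limit are assumptions.

```python
"""Connections-per-second monitor for service request floods.

Added example (not from the CEH module): a service request flood sets up and
tears down TCP connections from a valid source at a high rate, so the
defender-side signal is the per-source connection rate. The log format,
addresses and threshold below are constructed assumptions.
"""
from collections import defaultdict, deque


class ConnectionRateMonitor:
    """Sliding window of connection-start times per source address."""

    def __init__(self, window_seconds: float = 1.0, max_connects: int = 10):
        self.window_seconds = window_seconds
        self.max_connects = max_connects
        self._starts = defaultdict(deque)

    def record_connect(self, src: str, ts: float) -> bool:
        """Record a new connection from src at time ts.

        Returns True when src now exceeds max_connects within the window."""
        q = self._starts[src]
        q.append(ts)
        # Drop start times that have fallen out of the window.
        while q and ts - q[0] >= self.window_seconds:
            q.popleft()
        return len(q) > self.max_connects


def parse_line(line: str):
    """Constructed format: '<epoch seconds> <source ip> <CONNECT|CLOSE> <request>'."""
    ts, src, event, _request = line.split(maxsplit=3)
    return float(ts), src, event


def flagged_sources(log: str, monitor: ConnectionRateMonitor) -> dict:
    """Return {source ip: timestamp at which it first exceeded the rate limit}."""
    events = sorted(parse_line(line) for line in log.splitlines() if line.strip())
    flagged = {}
    for ts, src, event in events:
        if event != "CONNECT":
            continue  # teardown lines do not add to the connection rate
        if monitor.record_connect(src, ts) and src not in flagged:
            flagged[src] = ts
    return flagged


def build_sample_log() -> str:
    """Constructed log: one ordinary client, and one zombie fetching the home
    page over a fresh connection every 50 ms (20 connections per second)."""
    lines = ["1003.00 192.0.2.10 CONNECT GET /", "1003.40 192.0.2.10 CLOSE -"]
    for i in range(30):
        t = 1000.0 + i * 0.05
        lines.append(f"{t:.2f} 10.0.0.9 CONNECT GET /")
        lines.append(f"{t + 0.02:.2f} 10.0.0.9 CLOSE -")
    return "\n".join(lines)


if __name__ == "__main__":
    print(flagged_sources(build_sample_log(), ConnectionRateMonitor()))
```

The zombie is flagged on its 11th connection inside one second (at t=1000.50), while the ordinary client is never flagged; raising the limit above the zombie's rate flags nothing, which is the tuning trade-off.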


SYN Attack

A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of SYN requests to a target machine (victim). When a client wants to begin a TCP connection to the server, the client and the server exchange a series of messages as follows:
• The attacker sends a fake TCP SYN request to the target server (victim)
• The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
• The target machine never gets the response because the source address is fake

Note: This attack exploits the three-way handshake method.


SYN Flooding

• SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
• When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds
• A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
• The victim's listen queue is quickly filled up
• This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack

SYN flooding is a TCP protocol vulnerability that is exploited in a denial-of-service attack. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. The connection is established as defined by the TCP three-way handshake as:
• Host A sends the SYN request to Host B
• Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A
• Thus, Host A responds with the ACK packet, establishing the connection

When Host B receives the SYN request from Host A, it makes use of the partially open connections that are kept in the listen queue for a few seconds, e.g., for at least 75 seconds. The intruder transmits infinite numbers of such SYN requests with a forged address, which allows the client to process the false addresses, leading to a misperception. Such numerous requests can produce the TCP SYN flooding attack. It works by filling the table reserved for half-open TCP connections in the operating system's TCP/IP stack. When the table becomes full, new connections cannot be opened until and unless some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled without spoofing the source IP address.

Normally, the space existing for fixed tables, such as a half-open TCP connection table, is less than the total.
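The following added example (not code from the CEH module) models the mechanism just described: a fixed-size table of half-open connections held for the 75-second handshake timeout the module gives, filled by forged SYNs that never complete the handshake, plus the defender's check that a table which stays mostly full is the signature of a SYN flood. The capacity, the addresses and the timestamps are constructed.

```python
"""Half-open TCP connection table under a SYN flood.

Added example (not from the CEH module) modelling the mechanism the text
describes: the server holds each half-open connection in a fixed-size table
for the handshake timeout (75 seconds, as the module states), and forged
SYNs that never complete the handshake fill the table so that new
legitimate connections are refused until entries time out. The capacity,
addresses and timestamps are constructed.
"""

HANDSHAKE_TIMEOUT = 75.0  # seconds a half-open entry is kept (figure from the module)


class HalfOpenTable:
    """Fixed-size table of half-open (SYN received, ACK pending) connections."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._pending = {}  # (src_ip, src_port) -> time the SYN arrived

    def _expire(self, now: float) -> None:
        """Drop entries whose handshake timeout has elapsed."""
        stale = [k for k, t0 in self._pending.items() if now - t0 >= HANDSHAKE_TIMEOUT]
        for k in stale:
            del self._pending[k]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """A SYN arrives. Returns False when the SYN must be dropped (table full)."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self._pending:
            return True  # retransmitted SYN for an entry we already hold
        if len(self._pending) >= self.capacity:
            return False  # listen queue exhausted: no room for a new half-open entry
        self._pending[key] = now
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """The final ACK arrives. Returns True if the connection is established."""
        self._expire(now)
        return self._pending.pop((src_ip, src_port), None) is not None

    def half_open_count(self, now: float) -> int:
        self._expire(now)
        return len(self._pending)


def flood_suspected(table: HalfOpenTable, now: float, fill_ratio: float = 0.8) -> bool:
    """Defender check: a table that stays mostly full of half-open entries is the
    signature of a SYN flood, since normal handshakes complete in milliseconds."""
    return table.half_open_count(now) >= fill_ratio * table.capacity


def syn_flood_scenario(capacity: int = 128, flood_size: int = 200) -> dict:
    """Normal handshake, then a flood of forged SYNs, then legitimate SYNs
    during the flood and after the timeout."""
    table = HalfOpenTable(capacity)
    out = {}
    # Legitimate client 198.51.100.7 completes the three-way handshake at t=0.
    table.on_syn("198.51.100.7", 40001, now=0.0)
    out["legit_before_flood"] = table.on_ack("198.51.100.7", 40001, now=0.1)
    out["suspected_before_flood"] = flood_suspected(table, now=0.2)
    # Flood at t=1: SYNs from forged 10.0.x.y addresses that never send the ACK.
    out["flood_syns_accepted"] = sum(
        table.on_syn(f"10.0.{i // 256}.{i % 256}", 1024 + i, now=1.0)
        for i in range(flood_size)
    )
    out["half_open_during_flood"] = table.half_open_count(now=2.0)
    out["suspected_during_flood"] = flood_suspected(table, now=2.0)
    # A legitimate SYN during the flood finds no free entry and is dropped.
    out["legit_during_flood"] = table.on_syn("198.51.100.7", 40002, now=2.0)
    # After the 75-second timeout the forged entries expire and service resumes.
    out["half_open_after_timeout"] = table.half_open_count(now=76.0)
    out["legit_after_timeout"] = table.on_syn("198.51.100.7", 40003, now=76.0)
    return out


if __name__ == "__main__":
    for k, v in syn_flood_scenario().items():
        print(f"{k}: {v}")
```

Only the first 128 of the 200 forged SYNs get an entry; the legitimate SYN at t=2 is dropped, and service returns at t=76 once the entries created at t=1 have aged past the 75-second timeout.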

FIGURE 10.3: SYN Flooding (figure labels: Host A, Host B; normal connection establishment: SYN, SYN/ACK, ACK; SYN flooding: SYN, SYN, SYN, SYN with no ACK)


ICMP Flood Attack

ICMP flood is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests

After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well

[Slide figure placeholder: the attacker sends ICMP ECHO requests with spoofed source addresses to the target; ECHO Request / ECHO Reply exchanges continue up to the "Maximum limit of ICMP Echo Requests per Second", after which further ECHO Requests, including a legitimate ICMP echo request from an address in the same security zone, are rejected.]

ICMP Flood Attack


Internet Control Message Protocol (ICMP) packets are used for locating network
equipment and determining the number of hops to get from the source location to the
destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request
to a destination system and receive a response with the roundtrip time.
A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to
a victim system. These packets signal the victim's system to reply, and the combination of
traffic saturates the bandwidth of the victim's network connection. The source IP address may
be spoofed.
In this kind of attack, the perpetrators send a large number of packets with fake source
addresses to a target server in order to crash it and cause it to stop responding to TCP/IP
requests.
After the ICMP threshold is reached, the router rejects further ICMP echo requests from all
addresses in the same security zone.
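The per-zone threshold behaviour described above, modelled in Python as an added example (this is not code from the CEH module or from any router vendor): once a zone exceeds the limit within one second, every further echo request from that zone is rejected for the rest of that second and the whole of the next one, which is why a legitimate ping from the same zone is also dropped. The class name, the limit of five per second, the zone mapping and the addresses in the trace are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ZoneState:
    window_second: int = -1   # the second currently being counted
    count: int = 0            # echo requests seen in that second
    blocked_until: int = -1   # reject echo requests through this second

class IcmpEchoThreshold:
    """Hypothetical model of the per-zone router behaviour described in the
    text (not a vendor implementation): zone_of maps source IP -> zone."""

    def __init__(self, limit_per_second, zone_of):
        self.limit = limit_per_second
        self.zone_of = zone_of
        self.zones = defaultdict(ZoneState)

    def accept(self, src_ip, icmp_type, t):
        """True if the packet is forwarded, False if it is rejected."""
        if icmp_type != 8:                      # only echo requests are counted;
            return True                         # echo replies etc. pass unchanged
        state = self.zones[self.zone_of.get(src_ip, "untrust")]
        second = int(t)
        if second <= state.blocked_until:
            return False                        # still inside the penalty period
        if second != state.window_second:       # a new second: reset the counter
            state.window_second, state.count = second, 0
        state.count += 1
        if state.count > self.limit:
            # threshold crossed: drop this packet and every further echo request
            # from the zone for the rest of this second and the whole next second
            state.blocked_until = second + 1
            return False
        return True

def run_sample():
    """Constructed trace: a spoofed flood, then pings from the same and another zone."""
    limiter = IcmpEchoThreshold(5, {"203.0.113.7": "untrust",
                                    "203.0.113.9": "untrust",
                                    "10.0.0.5": "trust"})
    trace = [("203.0.113.7", 8, 10.0 + i * 0.05) for i in range(8)]  # the flood
    trace += [("203.0.113.9", 8, 11.5),   # same zone, penalty second: rejected
              ("10.0.0.5", 8, 11.6),      # other zone: forwarded
              ("203.0.113.9", 0, 11.7),   # echo reply: never counted
              ("203.0.113.9", 8, 12.2)]   # penalty over: forwarded again
    return [limiter.accept(*pkt) for pkt in trace]
```

Running `run_sample()` shows the first five flood packets forwarded, the sixth onwards rejected, the legitimate same-zone ping at 11.5 s rejected as collateral, and traffic from the other zone untouched.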

Module 10 Page 1421


[Figure 10.4 placeholder: Attacker and Target Server; the attacker sends ICMP ECHO requests with spoofed source addresses; ECHO Request / ECHO Reply pairs continue up to the "Maximum limit of ICMP Echo Requests per Second", after which further ECHO Requests, including a legitimate ICMP echo request from an address in the same security zone, are rejected.]

FIGURE 10.4: ICMP Flood Attack


Module 10 Page 1422


Peer-to-Peer Attacks

Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website

Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients

Using this method, attackers launch massive denial-of-service attacks and compromise websites

Peer-to-Peer Attacks

A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in the network that uses the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack doesn't use botnets for the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with clients. Here the attacker instructs the clients of peer-to-peer file sharing hubs to disconnect from their network and to connect to the victim's website. With this, several thousand computers may try to connect to the target website, which causes a drop in the performance of the target website. These peer-to-peer attacks can be identified easily based on their signatures. Using this method, attackers launch massive denial-of-service attacks and compromise websites.

Module 10 Page 1423


[Figure 10.5 placeholder: the Attacker directs peer-to-peer clients User-1 through User-5, whose "Attack Traffic" converges on the victim's website.]

FIGURE 10.5: Peer-to-Peer Attacks

Module 10 Page 1424


Permanent Denial-of-Service Attack

Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware

Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware

1. This attack is carried out using a method known as "bricking a system"
2. Using this method, attackers send fraudulent hardware updates to the victims

Bricking a system method (process): the attacker gets access to the victim's computer; sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; on the victim, the malicious code is executed.

Permanent Denial-of-Service Attack

Permanent denial-of-service (PDoS) is also known as phlashing. This refers to an attack that damages the system and makes the hardware unusable for its original purpose until it is either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote administration on the management interfaces of the victim's hardware, such as printers, routers, and other networking hardware.

This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim, having modified and corrupted the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.

Module 10 Page 1425


[Figure 10.6 placeholder: the Attacker gets access to the victim's computer and sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; at the Victim, the malicious code is executed.]

FIGURE 10.6: Permanent Denial-of-Service Attack

Module 10 Page 1426
