Presentation Transcript
Slide 1:DoS ATTACKS Module Number 16
Slide 2:DoS Attacks In networking terminology, DoS is short for Denial of Service.
It is an attack commonly used by attackers to completely deny
any service or resource that a computer can offer.
It denies legitimate users access to the computer.
A common way of carrying out this attack is to flood the target network
with a huge volume of data packets, overwhelming the bandwidth
and thereby crashing the target machine.
Slide 3:Types of DoS Attacks The variants of DoS attacks are:
Ping of Death
ICMP flooding
Teardrop attack
Fragmentation attack
Smurf attack
Land Attack
SYN flooding
Snork
Slide 4:Ping The ‘PING’ command is short for “Packet Inter Net Gopher”; it
is used for testing the connectivity between two hosts on the
same network.
The command is also used to check whether the NIC (Network
Interface Card) is in good working condition.
The following example shows the working of the ping
command; here we ping the local machine using the
loopback IP 127.0.0.1.
Slide 5:Ping Ping checks the connectivity by sending 4 ICMP requests (the default).
Slide 6:Ping ‘Ping’ has its own switches for narrowing down the action
to be performed.
The number of ICMP packets can be set to unlimited by using the ‘-t’
switch. This keeps sending ICMP packets until the remote
system crashes. This is a type of DoS attack used by intruders,
and it is also termed a “Flooding” attack.
The ‘Ping’ command used with the ‘-a’ switch resolves
IP addresses into their equivalent hostnames, and the
‘-n’ switch specifies the number of packets to be
sent to the target machine.
Slide 7:Ping of Death The ‘-l’ switch sets the length of the ICMP packet; the
default size is 32 bytes.
Note: The maximum size of a packet is 65,535 Kilobytes.
By setting the size of the datagram above the maximum value,
the remote system does not know how to handle such a big
packet, so the machine simply crashes.
For example, if an attacker wants to crash the remote machine
192.22.155.10, he would use the command below, setting the
size above the maximum allowed:
C:\>ping -l 65550 192.22.155.10
Slide 8:Ping of Death (Diagram: Ping of Death. The attacker, IP 10.199.64.66, sends the oversized ping to the victim, IP 192.22.122.10.)
Slide 9:ICMP Flooding ICMP flooding is nothing but ping flooding. ICMP flooding is
still prevalent on some small networks that share low
bandwidth.
ICMP flooding can be carried out using a simple batch
program. The ICMP flooding script is easy for those who
know the Ping command.
@echo off
:flood
Start flood.bat
Ping -l 65500 -t 10.199.64.75
Goto flood
I saved the above file as flood.bat and executed it to flood
the target machine 10.199.64.75 with a huge number of ICMP
request packets carrying a larger data payload.
Slide 10:ICMP flooding (Diagram: ICMP Flooding. Infinite ping requests and infinite ping replies overwhelm the bandwidth.)
Slide 11:ICMP flooding Since a huge number of ICMP requests and replies are generated,
the bandwidth of the target machine as well as of the
network is completely consumed, which
denies legitimate users access to the
resources offered by the target machine.
After some time, depending on the bandwidth, the target
machine simply hangs, reboots or crashes.
Slide 12:Teardrop Attack The teardrop attack does not flood the target machine or target
network with an infinite number of packets; it is a kind of logical
attack that makes use of fragments.
Data transferred across the network is split into smaller
chunks of data, also called data fragments.
A large chunk of data is divided into smaller chunks at the
source host and transmitted over the network, and the
destination host reassembles the smaller chunks into the larger
one as sent by the source host.
Slide 13:Teardrop Attack The attacker sends overlapping chunks, or overlapping
fragments of data packets, to the victim. Once the victim machine
receives the overlapping fragmented packets, it does not know how
to reassemble them, and as a result the victim simply
hangs, crashes or reboots.
The following images give a clear idea of the teardrop attack.
(Diagram: normal fragmentation. Host A sends Host B three chunks: Chunk 1 = bytes 1–1000, Chunk 2 = bytes 1001–1999, Chunk 3 = bytes 2000–3000.)
Slide 14:Teardrop Attack (Diagram: Teardrop attack. The attacker sends the victim three overlapping chunks: Chunk 1 = bytes 1–1000, Chunk 2 = bytes 998–2000, Chunk 3 = bytes 1998–3000.)
Slide 15:Fragmentation Attack The fragmentation attack is somewhat similar to the teardrop
attack: neither attack floods the network, and both
deal with the fragments of a data packet.
In the fragmentation attack the attacker sends identical
fragments to the target machine. On receiving identical
fragments, or fragments that are similar to each other,
the target machine does not know how to reassemble data packets
with identical chunks of data, and as a result the victim machine
simply hangs, crashes or reboots.
Slide 16:Fragmentation Attack (Diagram: Fragmentation attack. The attacker sends the victim three identical fragments, Chunk 1, Chunk 2 and Chunk 3, each covering bytes 1–1000.)
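The three fragment problems described on the last few slides (an oversized reassembled datagram, overlapping fragments, duplicate fragments) are exactly the checks a reassembler must make before it trusts a fragment set. The Python below is an added example written for this transcript, not code from the original slides. It models each fragment as a 1-based byte range, as the diagrams do, assumes the IPv4 limit of 65,535 bytes on a reassembled datagram, and reports which of the three conditions a fragment set triggers. The fragment sets at the bottom are constructed samples; three of them reuse the byte ranges drawn on the slides.

```python
"""Fragment reassembly checks modelling the three fragment-based attacks on
the slides (oversized datagram, overlapping fragments, duplicate fragments).
Added example, not from the original slides; all fragment sets are constructed."""
from dataclasses import dataclass
from typing import List

# IPv4 limit on the length of a reassembled datagram, in bytes (RFC 791).
MAX_DATAGRAM = 65535


@dataclass(frozen=True)
class Fragment:
    first: int  # first byte covered by this chunk (inclusive, 1-based as on the slides)
    last: int   # last byte covered by this chunk (inclusive)


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for one fragment set; an empty list means it reassembles cleanly."""
    findings = []
    if not frags:
        return ["empty fragment set"]
    for f in frags:
        if f.first < 1 or f.last < f.first:
            findings.append(f"malformed range {f.first}-{f.last}")
    # Ping of death: the reassembled datagram would be longer than IPv4 allows.
    end = max(f.last for f in frags)
    if end > MAX_DATAGRAM:
        findings.append(f"oversized datagram: reassembled length {end} > {MAX_DATAGRAM}")
    # Fragmentation attack: the same byte range arrives more than once.
    seen = set()
    for f in frags:
        if (f.first, f.last) in seen:
            findings.append(f"duplicate fragment {f.first}-{f.last}")
        seen.add((f.first, f.last))
    # Teardrop: distinct fragments whose byte ranges overlap when ordered by offset.
    # 'reach' is the fragment extending furthest so far, so non-adjacent overlaps count too.
    reach = None
    for f in sorted(set(frags), key=lambda f: f.first):
        if reach is not None and f.first <= reach.last:
            findings.append(f"overlap: {reach.first}-{reach.last} and {f.first}-{f.last}")
        if reach is None or f.last > reach.last:
            reach = f
    return findings


def classify(frags: List[Fragment]) -> str:
    """Map the findings onto the attack names used on the slides."""
    findings = check_fragments(frags)
    if any(f.startswith("oversized") for f in findings):
        return "ping of death"
    if any(f.startswith("overlap") for f in findings):
        return "teardrop"
    if any(f.startswith("duplicate") for f in findings):
        return "fragmentation"
    return "normal" if not findings else "malformed"


# Constructed samples; the first three use the byte ranges drawn on the slides.
NORMAL = [Fragment(1, 1000), Fragment(1001, 1999), Fragment(2000, 3000)]
TEARDROP = [Fragment(1, 1000), Fragment(998, 2000), Fragment(1998, 3000)]
IDENTICAL = [Fragment(1, 1000), Fragment(1, 1000), Fragment(1, 1000)]
OVERSIZED = [Fragment(1, 32000), Fragment(32001, 64000), Fragment(64001, 65550)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("identical", IDENTICAL), ("oversized", OVERSIZED)]:
        print(f"{name:10s} -> {classify(frags)}: {check_fragments(frags)}")
```

Running the file prints one classification per sample. A real IP stack works from the fragment offset and total-length fields rather than from 1-based byte ranges, but the three decisions it has to make before reassembling are the same ones shown here, and a host that refuses a set with any finding never reaches the undefined state the slides describe.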
Slide 17:Smurf Attack The smurf attack floods the target network with an infinite load
of data packets, overwhelming the bandwidth and
resulting in a denial of service.
The attacker first spoofs his IP address so that it looks
like a host in the target network.
Then the attacker sends infinite ICMP requests to the
broadcasting host in the target network.
The broadcasting host thinks that the request is from one of
the network’s hosts, broadcasts the packets to all the nodes
connected to it, and so infinite ICMP replies are sent to the
victim host.
As a result the network gets flooded and the victim host crashes, hangs or reboots.
Slide 18:Smurf Attack (Diagram: Smurf attack. The attacker, spoofing IP 10.199.64.66, sends infinite ping requests to the broadcasting host; the hosts 10.199.64.01 and 10.199.64.50 send infinite ping replies to the victim, IP 10.199.64.66, overwhelming the bandwidth.)
Slide 19:Land Attack The land attack is somewhat similar to the smurf attack. In this
attack the attacker sends infinite ICMP echo requests to the victim
host.
The attacker first spoofs his IP address so that it resembles the IP
address of the victim and then sends infinite ICMP ECHO
requests to the victim host.
The victim host, on receiving those requests, thinks that the
requests were generated by itself, and then sends infinite ICMP
ECHO replies to itself, effectively attacking itself.
Since infinite ICMP requests and replies are sent back and forth on
the same host, the victim host simply hangs, crashes or
reboots.
Slide 20:Land Attack (Diagram: Land attack. The attacker, spoofing IP 10.199.64.66, sends infinite ping requests to the victim, IP 10.199.64.66, which sends infinite ping replies to itself.)
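All three ICMP-based patterns on the preceding slides (ICMP flood, smurf, land) leave a signature in packet headers that a monitoring host can check. The Python below is an added example, not code from the original slides. It assumes the protected network is 10.199.64.0/24 (so the broadcast address is 10.199.64.255), a flood threshold of 50 echo requests per second for one source and destination pair, and constructed packet records rather than a live capture. It flags a land packet (source equals destination), a smurf request (echo request aimed at the broadcast address) and an ICMP flood (rate per pair over a sliding window).

```python
"""Detection rules for the ICMP-based attacks on the slides (ICMP flood,
smurf, land), run over constructed packet records. Added example, not from the
original slides; the network prefix and thresholds are assumptions."""
import ipaddress
from collections import defaultdict, deque

INTERNAL_NET = ipaddress.ip_network("10.199.64.0/24")  # assumed protected LAN
FLOOD_THRESHOLD = 50   # echo requests from one source to one destination ...
WINDOW = 1.0           # ... within this many seconds counts as a flood


def make_packet(t, src, dst, icmp_type="echo-request"):
    """One constructed ICMP packet record (time in seconds, addresses as strings)."""
    return {"t": t, "src": src, "dst": dst, "proto": "icmp", "type": icmp_type}


def analyse(packets):
    """Return (kind, source, time) alerts in arrival order; a flood is reported once per pair."""
    alerts = []
    recent = defaultdict(deque)  # (src, dst) -> arrival times inside the window
    flagged = set()
    for p in packets:
        src, dst, t = p["src"], p["dst"], p["t"]
        # Land attack: a packet claiming the victim's own address as its source.
        if src == dst:
            alerts.append(("land", src, t))
        if p["proto"] != "icmp" or p["type"] != "echo-request":
            continue
        # Smurf: an echo request aimed at the network's broadcast address, which
        # every host would answer, amplifying the traffic toward the spoofed source.
        if ipaddress.ip_address(dst) == INTERNAL_NET.broadcast_address:
            alerts.append(("smurf", src, t))
        # ICMP flood: too many echo requests for one source/destination pair per window.
        q = recent[(src, dst)]
        q.append(t)
        while q and q[0] < t - WINDOW:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append(("icmp-flood", src, t))
    return alerts


# Constructed trace: a normal 4-packet ping, then one instance of each attack pattern.
SAMPLE = (
    [make_packet(i * 1.0, "10.199.64.50", "10.199.64.75") for i in range(4)]
    + [make_packet(5.0, "10.199.64.66", "10.199.64.66")]        # land
    + [make_packet(6.0, "10.199.64.66", "10.199.64.255")]       # smurf
    + [make_packet(10.0 + i * 0.005, "10.199.64.66", "10.199.64.75") for i in range(100)]  # flood
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The flood rule fires once per source/destination pair so that a sustained flood produces one alert rather than one per packet; the same per-pair counters are what the bandwidth monitoring mentioned on the countermeasures slide would feed.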
Slide 21:SYN Flooding Unlike the DoS attack techniques we have seen so far, the SYN
flooding attack uses crafted TCP packets instead of ICMP
packets or UDP packets.
The SYN flooding attack has three different variants,
which are:
The Spoofed IP is alive and is from outside network.
The Spoofed IP is not alive or offline.
The Spoofed IP exists in the target network itself.
Slide 22:SYN flooding : Spoofing external IP (Diagram: SYN flooding attack, case: spoofing an external IP whose host is alive. The attacker, spoofing IP 10.199.64.66, sends infinite TCP SYN packets to the victim, IP 204.154.21.22; the victim sends infinite SYN/ACK packets to the real host 10.199.64.66, which answers with infinite RST/ACK packets.)
Slide 23:SYN Flooding : Spoofing an offline IP (Diagram: SYN flooding attack, case: spoofing an IP whose host is not alive. The attacker, spoofing IP 10.199.64.66, sends infinite TCP SYN packets to the victim, IP 204.154.21.22; the victim’s infinite SYN/ACK packets go to the spoofed host, which is not alive, and come back as ICMP Destination Unreachable.)
Slide 24:SYN Flooding : Spoofing Internal IP (Diagram: SYN flooding attack, case: spoofing an IP from the same network. The attacker, spoofing IP 10.199.64.66, sends infinite TCP SYN packets to the victim, IP 10.199.64.75; the victim sends infinite SYN/ACK packets to the real host 10.199.64.66, which answers with infinite RST/ACK packets, overwhelming the network bandwidth.)
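The three SYN flooding cases differ in what comes back to the victim, and that difference is what a detector has to allow for. The Python below is an added example, not code from the original slides. It keeps a table of half-open connections per destination (a SYN with no completing ACK yet), releases an entry when the claimed source answers with an ACK or an RST, expires entries after a timeout, and separately counts SYNs per destination per second. The limits (20 half-open entries, 40 SYNs per second, a 3-second timeout) and the packet traces are constructed assumptions; the victim address 204.154.21.22 and the spoofed source 10.199.64.66 are the ones drawn on the slides.

```python
"""Half-open connection tracking and SYN-rate counting for the SYN flooding
variants on the slides, run over constructed TCP packet records. Added example,
not from the original slides; the limits and timeouts are assumptions."""
from collections import defaultdict, deque

HALF_OPEN_LIMIT = 20     # pending handshakes per destination before alerting
HALF_OPEN_TIMEOUT = 3.0  # seconds a server keeps an unanswered SYN/ACK pending
SYN_RATE_LIMIT = 40      # SYNs per destination per window before alerting
WINDOW = 1.0


def pkt(t, src, sport, dst, flags):
    """One constructed TCP record; flags: S=SYN, SA=SYN/ACK, A=ACK, R=RST."""
    return {"t": t, "src": src, "sport": sport, "dst": dst, "flags": flags}


def track_syn_flood(packets):
    """Return (kind, destination, count) alerts; each kind fires once per destination."""
    pending = defaultdict(dict)     # dst -> {(src, sport): time of the SYN}
    syn_times = defaultdict(deque)  # dst -> SYN arrival times inside the window
    alerts, flagged = [], set()
    for p in packets:
        t, dst, key = p["t"], p["dst"], (p["src"], p["sport"])
        if p["flags"] == "S":
            # A client SYN opens a half-open entry, as a server's backlog would.
            pending[dst][key] = t
            q = syn_times[dst]
            q.append(t)
            while q and q[0] < t - WINDOW:
                q.popleft()
            if len(q) > SYN_RATE_LIMIT and ("syn-rate", dst) not in flagged:
                flagged.add(("syn-rate", dst))
                alerts.append(("syn-rate", dst, len(q)))
        elif p["flags"] in ("A", "R"):
            # The handshake's final ACK completes the entry; an RST from the claimed
            # source (the spoofed-but-alive host on the slides) aborts it. Either way
            # the backlog slot is released.
            pending[dst].pop(key, None)
        # Expire entries that never got their ACK: the offline-spoofed-host case.
        for table in pending.values():
            for k in [k for k, ts in table.items() if t - ts > HALF_OPEN_TIMEOUT]:
                del table[k]
        for d, table in pending.items():
            if len(table) > HALF_OPEN_LIMIT and ("half-open", d) not in flagged:
                flagged.add(("half-open", d))
                alerts.append(("half-open", d, len(table)))
    return alerts


VICTIM = "204.154.21.22"  # the victim address from the slides


def legit_handshakes(n=5):
    """n complete three-way handshakes from distinct clients (constructed)."""
    trace = []
    for i in range(n):
        client, base = f"198.51.100.{i + 1}", i * 0.1
        trace += [pkt(base, client, 40000 + i, VICTIM, "S"),
                  pkt(base + 0.01, VICTIM, 80, client, "SA"),
                  pkt(base + 0.02, client, 40000 + i, VICTIM, "A")]
    return trace


def spoofed_syns(n=60, spoofed_host_alive=False):
    """n SYNs carrying the spoofed source 10.199.64.66 (constructed). If that host
    is alive it answers the victim's SYN/ACKs with RSTs, which release the slots."""
    trace = []
    for i in range(n):
        t = 10.0 + i * 0.01
        trace.append(pkt(t, "10.199.64.66", 50000 + i, VICTIM, "S"))
        if spoofed_host_alive:
            trace.append(pkt(t + 0.002, "10.199.64.66", 50000 + i, VICTIM, "R"))
    return trace


if __name__ == "__main__":
    print(track_syn_flood(legit_handshakes()))
    print(track_syn_flood(legit_handshakes() + spoofed_syns()))
    print(track_syn_flood(legit_handshakes() + spoofed_syns(spoofed_host_alive=True)))
```

The two traces show why both counters are needed: when the spoofed host is offline (or the SYN/ACKs are silently dropped), the half-open table fills up and the backlog-style rule fires first; when the spoofed host is alive, its RSTs keep releasing the slots and only the SYN-rate rule notices the flood.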
Slide 25:DDoS Attack DDoS is short for Distributed Denial of Service attack. We have already
learnt about zombies. A zombie is a computer that has already been
compromised by an attacker; zombies always wait for
the attacker’s command and respond accordingly. The prime reason
for keeping zombies is to launch a DDoS attack. A group of zombies forms a
botnet.
A DoS attack is performed by a single attacker at a time, but a DDoS attack
is performed by more than one attacker, or by many zombies (a botnet), at
a time; hence the destruction becomes far worse.
Slide 26:DDoS Attack The attacker controls the entire botnet and launches the attack against
the target network all at once, and the target network is
flooded with an endless stream of data packets, thereby
clogging up the bandwidth and bringing down the entire network.
Slide 27:DDoS Attack (Diagram: DDoS attack. The attacker controls the botnet, and the botnet floods the victim.)
Slide 28:Countermeasures Implement both ingress and egress packet filtering mechanisms that filter out
data packets containing large chunks of unwanted data.
Filter out infinite requests made by hosts both inside and outside the network.
It’s always better to use unlimited bandwidth.
Regular bandwidth and CPU usage monitoring is good for detecting such attacks.
Implementing a firewall may protect against external threats, but not internal
threats.
An IDS will monitor anomalies and report them.
Load balancing must be kept in mind.
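The first two countermeasures can be turned into concrete rules at the border router. The Python below is an added example, not code from the original slides. It assumes the protected network is 10.199.64.0/24; it drops inbound packets that claim an inside source address or are addressed to the network broadcast address (the spoofing that the smurf and land attacks rely on), drops outbound packets whose source is not ours (so our own hosts cannot be used to spoof others), drops packets over an assumed 1500-byte limit, and then applies a per-source sliding-window rate limit of 100 packets per second. The packet trace is constructed; the addresses 10.199.64.66, 10.199.64.75 and 204.154.21.22 are the ones used on the slides.

```python
"""Ingress/egress filtering and per-source rate limiting at a border router,
modelling the first two countermeasures on the slide. Added example, not from
the original slides; the protected prefix, size limit and rate are assumptions."""
import ipaddress
from collections import defaultdict, deque

INTERNAL = ipaddress.ip_network("10.199.64.0/24")  # assumed protected LAN
MAX_LEN = 1500      # bytes; larger packets count as "large chunks of unwanted data"
RATE_LIMIT = 100    # packets per source per window
WINDOW = 1.0        # seconds


def border_filter(p, direction):
    """Decide one packet crossing the border; returns (accept, reason)."""
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    if direction == "ingress":
        # A packet arriving from outside must not claim an inside source address.
        if src in INTERNAL:
            return False, "ingress: spoofed internal source"
        # Nothing from outside should reach our broadcast address (smurf amplifier).
        if dst == INTERNAL.broadcast_address:
            return False, "ingress: directed broadcast"
    elif direction == "egress":
        # A packet leaving must carry one of our own addresses, so our hosts
        # cannot be used to spoof someone else's.
        if src not in INTERNAL:
            return False, "egress: source not ours"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    if p["len"] > MAX_LEN:
        return False, "oversized packet"
    return True, "ok"


class RateLimiter:
    """Sliding-window counter: a source exceeding RATE_LIMIT packets per WINDOW is dropped."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hist = defaultdict(deque)  # src -> accepted arrival times in the window

    def allow(self, src, t):
        q = self.hist[src]
        while q and q[0] <= t - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


def run(packets):
    """Apply the filter, then the rate limiter; return counts per outcome."""
    limiter, stats = RateLimiter(), defaultdict(int)
    for p in packets:
        ok, reason = border_filter(p, p["dir"])
        if ok and not limiter.allow(p["src"], p["t"]):
            ok, reason = False, "rate limit"
        stats["accepted" if ok else reason] += 1
    return dict(stats)


def pkt(t, direction, src, dst, length=64):
    """One constructed packet record."""
    return {"t": t, "dir": direction, "src": src, "dst": dst, "len": length}


# Constructed trace: two normal packets, one of each spoofing/size violation,
# then 150 packets from one outside source inside 0.15 s.
SAMPLE = [
    pkt(0.0, "ingress", "203.0.113.9", "10.199.64.75"),
    pkt(0.1, "egress", "10.199.64.75", "203.0.113.9"),
    pkt(0.2, "ingress", "10.199.64.66", "10.199.64.75"),     # outside packet, inside source
    pkt(0.3, "egress", "192.0.2.5", "204.154.21.22"),        # inside host spoofing a foreign source
    pkt(0.4, "ingress", "203.0.113.9", "10.199.64.255"),     # directed broadcast
    pkt(0.5, "ingress", "203.0.113.9", "10.199.64.75", length=65500),
] + [pkt(1.0 + i * 0.001, "ingress", "198.51.100.7", "10.199.64.75") for i in range(150)]

if __name__ == "__main__":
    for outcome, n in run(SAMPLE).items():
        print(f"{n:4d}  {outcome}")
```

The address checks run before the rate limiter on purpose: spoofed and broadcast-directed packets are dropped without ever consuming a slot in the per-source budget, so a flood cannot use them to push legitimate traffic from the same source over the limit.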