9.2 DoS/DDoS Attack Techniques
Basic Categories of DoS/DDoS Attack Vectors
- Volumetric Attacks: Consumes the bandwidth of target network or service.
- Fragmentation Attacks: Overwhelms target's ability of re-assembling the fragmented packets.
- TCP State-Exhaustion Attacks: Consumes the connection state tables present in the network infrastructure components such as load-balancers, firewalls, and application servers.
- Application Layer Attacks: Consumes the application resources or service thereby making it unavailable to other legitimate users.
DoS/DDoS Attack Techniques
- Bandwidth Attacks and Service Request Floods
- SYN Flooding Attack
- ICMP Flood Attack
- Peer-to-Peer Attacks
- Application-Level Flood Attacks
- Permanent Denial-of-Service Attack
- Distributed Reflection Denial of Service (DrDoS)
Bandwidth Attacks
- A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim.
- When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic.
- Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
- Basically, all bandwidths is used and no bandwidth remains for legitimate use.
Service Request Floods
- An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections.
- Service request flood attacks flood servers with a high rate of connections from a valid source.
- It initiates a request on every connection.
SYN Attack
- The attacker sends a large number of SYN request to target server (victim) with fake source IP addresses.
- The target machine sends back a SYN/ACK in response to the request and waits for the ACK to complete the session setup.
- The target machine does not get the response because the source address is fake.
利用不完整的three-way handshake進行攻擊:
- 攻擊者送TCP SYN request給受害者
- 受害者回應SYN/ACK給攻擊者
- 但攻擊者卻不回送ACK response,造成受害者一直在等待連線的完成。
- 預防的工具有:SYN cookie和SynAttackProtect
SYN Flooding
- SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake.
- When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds.
- A malicious host can exploit the small size of the listen queue by sending multiple SYN requests the a host, but never replying to the SYN/ACK.
- The victim's listen queue is quickly filled up.
- The ability of holding up each incomplete connection for 75 seconds can be cumulatively used as a Denial-of-Service attack.
ICMP Flood Attack
- ICMP flood attack is a type DoS attack in which perpetrators send a large number of ICMP packets directly or through reflection networks to victims causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.
- To protect against ICMP flood attack, set a threshold limit that when exceeds invokes the ICMP flood attack protection feature.
Peer-to-Peer Attacks
- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website.
- Attackers exploit flaws found in the network using DC++ (Direct Connect) protocol, that is used for sharing all types of files between instant messaging clients.
- Using this method, attackers launch massive denial-of-service attacks and compromise websites.
- 利用DC++ (Direct Connect) protocol的漏洞,改變client端之間的連線,不需botnet介入,the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead.
- 可設定80 port不允許點對點傳輸,降低網站被攻擊的風險
Permanent Denial-of-Service (PDoS) Attack
- Phlashing:
- Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware.
- Sabotage:
- Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware.
- Bricking a system:
- This attack is carried out using a method known as "bricking a system"
- Using this method, attackers send fraudulent hardware updates to the victims.
- Process:
Application-Level Flood Attacks
- Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more.
- Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests.
- Using application-level flood attacks, attackers attempts to:
- Flood web applications to legitimate user traffic.
- Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts.
- Jam the application-database connection by crafting malicious SQL queries.
Distributed Reflection Denial of Service (DRDoS)
- A distributed reflected denial of service attack (DRDoS), also known as spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application.
- Attacker launches this attack by sending requests to the intermediary hosts, these requests are then redirected to the secondary machines which in turn reflects the attack traffic to the target.
- Advantage:
- The primary target seems to be directly attacked by the secondary victim, not the actual attacker.
- As multiple intermediary victim servers are used which results into increase in attack bandwidth.
預防Chargen service放大攻擊:關閉Character Generator Protocol (CHARGEN) TCP/UDP 19 port。
DoS -> Service/System Destruction
DDoS/DRDDoS -> Resource Consumption
- Bandwidth
- CPU
- Memory
- Connection
預防:
- Cloud/CDN
- ISP/DDoS Prevention Service
- DDoS Firewall