CHFI v3 Module 24 Investigating DoS Attacks


Certified Hacker Forensic Investigator
Module XXIV
Investigating DoS Attacks
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
EC-Council
Case Study (news article reproduced as an image on the slide)
Source: http://www.theregister.co.uk/2005/12/28/ebay_bots_ddos/
Case Study (news article reproduced as an image on the slide)
Source: http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/
Module Objective
This module will familiarize you with the following:
DoS attack
DDoS attack
Types of DoS attacks
Working of a DDoS attack
Indications of a DoS/DDoS attack
Classification of DDoS attacks
Techniques to detect DoS attacks
Challenges in the detection of DoS attacks
Module Flow
DoS Attack -> Types of DoS Attack -> DDoS Attack -> Working of DDoS Attack -> Classifications of DoS/DDoS Attack -> Indications of DDoS Attack -> DoS Attack Detection Techniques -> Challenges in DoS Attack Detection
DoS Attacks
A DoS attack is a type of network attack intended to make a computer resource unavailable to its intended users, either by flooding the network or by disrupting connections
The attacker may target a particular server application or protocol (HTTP, FTP, ICMP, TCP and so on) or the network as a whole
Types of DoS Attacks
Major types of DoS attacks are as follows:
• Ping of Death
• Teardrop
• SYN flooding
• Land
• Smurf
• Fraggle
• Snork
• OOB attack
Types of DoS Attacks: Ping of Death Attack
It uses an abnormal ICMP (Internet Control Message Protocol) echo request whose reassembled size exceeds the IP maximum, which causes vulnerable TCP/IP stacks to crash or behave irregularly
The attacker sends an illegal ping request larger than 65,535 bytes, the largest legal IPv4 datagram, to the target computer; because no single packet can be that large, the oversized datagram arrives as fragments and the overflow happens when the target reassembles them
Figure: a Ping of Death packet of, for example, 112,000 bytes, compared with the largest legal packet of 65,535 bytes, sent from the hacker to the victim
Types of DoS Attacks: Teardrop Attack
The attacker sends IP fragments with invalid, overlapping values in the fragment offset field, which causes the target system to crash when it attempts to reassemble the data
It targets systems running Windows NT 4.0, Windows 95 and Linux kernels before 2.0.32
Figure: the hacker system sends fragments whose offsets have been altered to overlap, in place of normally offset IP packets, and the victim system fails during reassembly
Types of DoS Attacks: SYN Flooding
The attacker sends a sequence of TCP SYN requests to the target system with spoofed source IP addresses; the target answers each with a SYN-ACK and keeps a half-open connection in its backlog, waiting for a final ACK that never arrives
It is an attack on a network that prevents a TCP/IP server from servicing other users once the backlog is full
Figure: TCP SYN packets flow from the hacker system across the Internet to the victim system, whose TCP SYN-ACK packets go unanswered while its backlog fills
Types of DoS Attacks: Land
The attacker sends a forged TCP SYN packet with the same source and destination IP address and the same source and destination port to a host computer, so the victim effectively tries to complete a handshake with itself
Land relies on the victim's network being unprotected against packets arriving from outside that carry the network's own IP addresses (anti-spoofing ingress filtering at the border defeats it)
Figure: TCP packets carrying the victim's own IP address travel from the hacker system across the Internet to the victim system
Types of DoS Attacks: Smurf
The attacker sends ICMP echo requests to a broadcast address on the target network or on an intermediate network
The source IP address of the requests is spoofed and replaced by the victim's own address, so every host on that network sends its echo reply to the victim
The attacker thus abuses "bounce sites" (amplifier networks) to attack victims
Smurf functions like an amplifier: one request generates hundreds of responses and eventually causes a traffic overload
Figure: the attacker sends spoofed echo requests to the amplifier network, which floods the victim with replies
Types of DoS Attacks: Fraggle
Fraggle is the UDP variant of Smurf: the attacker sends spoofed UDP packets (typically to the echo service, port 7) instead of ICMP echo request (ping) packets to the IP broadcast address of a large network, with the victim's address as the fake source
A Fraggle attack can also affect a management console that is reachable through the firewall
Types of DoS Attacks: Snork
Snork is an attack against the Windows NT RPC service (UDP port 135)
It allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU for an indefinite period of time
Types of DoS Attacks: Windows Out-of-Band (OOB) Attack
The "OOB attack" (also known as WinNuke) is a denial-of-service attack that takes advantage of a bug in Microsoft's implementation of its IP stack: a TCP segment carrying out-of-band (URG) data sent to a listening port, classically NetBIOS port 139, crashes the system or makes the network interface unavailable
The same vulnerability on the RPC port 135 can be exploited to launch a denial-of-service attack against an NT system
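As an added example (not part of the EC-Council module), the following Python script parses raw IPv4 packets and flags the per-packet signatures of the attacks described above: Land (source equals destination), Smurf and Fraggle (ICMP echo or UDP echo/chargen aimed at a broadcast address), Ping of Death (a fragment whose end lies beyond the 65,535-byte IPv4 maximum) and Teardrop (fragments of one datagram that partially overlap). The packet bytes, the addresses and the assumption that every network is a /24 (so that x.y.z.255 is its broadcast) are constructed for this example; the IP checksum is left zero because the data never goes on the wire.

```python
import struct

MAX_IP_DATAGRAM = 65535   # RFC 791: total length is a 16-bit field, so no datagram may exceed this
IP_MF = 0x2000            # "more fragments" bit in the IPv4 flags/fragment-offset word
IP_OFFSET_MASK = 0x1FFF


def ipv4_packet(src, dst, proto, payload, ident=1, more_frags=False, frag_off=0):
    """Constructed test data: a 20-byte IPv4 header (checksum left zero) plus payload."""
    flags_frag = (IP_MF if more_frags else 0) | (frag_off // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def parse_ipv4(pkt):
    """Decode the header fields the checks below need from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "proto": proto, "id": ident, "mf": bool(ff & IP_MF),
            "off": (ff & IP_OFFSET_MASK) * 8, "payload": pkt[ihl:total_len]}


def is_broadcast(addr):
    # Assumption for this example: every network involved is a /24, so x.y.z.255 is its broadcast
    return addr.endswith(".255")


def classify(packets):
    """Return {packet_index: [labels]} for packets matching the module's DoS signatures."""
    findings = {}
    seen_frags = {}   # (src, dst, IP id) -> byte ranges [start, end) already seen for that datagram
    for i, raw in enumerate(packets):
        p = parse_ipv4(raw)
        labels = []
        start, end = p["off"], p["off"] + len(p["payload"])
        if p["mf"] or start:                     # this packet is one fragment of a larger datagram
            ranges = seen_frags.setdefault((p["src"], p["dst"], p["id"]), [])
            if end > MAX_IP_DATAGRAM:            # reassembly would overflow the IP maximum
                labels.append("ping-of-death")
            if any(s < end and start < e and (s, e) != (start, end) for s, e in ranges):
                labels.append("teardrop-overlap")   # partial overlap, not an exact retransmission
            ranges.append((start, end))
        if start == 0 and p["proto"] == 6 and len(p["payload"]) >= 14:   # TCP with header present
            sport, dport = struct.unpack("!HH", p["payload"][:4])
            syn_set = p["payload"][13] & 0x02
            if syn_set and p["src"] == p["dst"] and sport == dport:
                labels.append("land")
        if start == 0 and p["proto"] == 1 and p["payload"][:1] == b"\x08" and is_broadcast(p["dst"]):
            labels.append("smurf")               # ICMP echo request aimed at a broadcast address
        if start == 0 and p["proto"] == 17 and is_broadcast(p["dst"]):
            dport = struct.unpack("!H", p["payload"][2:4])[0]
            if dport in (7, 19):                 # UDP echo / chargen aimed at a broadcast address
                labels.append("fraggle")
        if labels:
            findings[i] = labels
    return findings


def tcp_syn(sport, dport):
    """Constructed 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


# Constructed capture: one legitimate SYN followed by one instance of each attack pattern.
SAMPLE_PACKETS = [
    ipv4_packet("10.0.0.5", "10.0.0.9", 6, tcp_syn(40000, 80)),                      # 0 legitimate
    ipv4_packet("10.0.0.9", "10.0.0.9", 6, tcp_syn(139, 139)),                       # 1 Land
    ipv4_packet("10.0.0.9", "192.168.1.255", 1, b"\x08\x00" + b"\x00" * 6),          # 2 Smurf
    ipv4_packet("10.0.0.9", "192.168.1.255", 17, struct.pack("!HHHH", 7, 7, 8, 0)),  # 3 Fraggle
    ipv4_packet("10.0.0.5", "10.0.0.9", 1, b"\x08\x00" + b"\x00" * 1478, ident=7, more_frags=True),
    ipv4_packet("10.0.0.5", "10.0.0.9", 1, b"\x00" * 16, ident=7, frag_off=65528),   # 5 Ping of Death
    ipv4_packet("10.0.0.5", "10.0.0.9", 17, b"\x00" * 36, ident=9, more_frags=True),
    ipv4_packet("10.0.0.5", "10.0.0.9", 17, b"\x00" * 24, ident=9, frag_off=24),     # 7 Teardrop
]

if __name__ == "__main__":
    for index, labels in classify(SAMPLE_PACKETS).items():
        print(index, labels)
```

The fragment bookkeeping is what distinguishes the two reassembly attacks: Ping of Death is caught by a fragment whose offset plus length passes 65,535, Teardrop by a fragment that overlaps an earlier one without being an exact duplicate (exact duplicates are ordinary retransmissions and should not alarm).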
Denial Of Service: Fighting Back (Case Study)
(news article reproduced as an image on the slide)
Source: http://www.networkworld.com/cgi-bin/mailto/x.cgi
DDoS Attack
A distributed denial-of-service (DDoS) attack is a DoS attack in which a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system
In a DDoS attack, the attacker first compromises multiple systems, called zombies, which are then used to attack a particular target
Working of DDoS Attacks
The attacker compromises a small number of handler (master) systems
The handler systems then compromise numerous further systems (zombies, also called agents)
On the attacker's command, the zombies attack the target system together
Figure: attacker -> handlers -> zombies -> attacked target
Classification of DDoS Attack
DDoS attacks can be classified according to:
• The degree of automation
  - Manual attacks
  - Semi-automatic attacks
    - Attack by direct communication
    - Attack by indirect communication
  - Automatic attacks
    - Attacks using random scanning
    - Attacks using hit-list scanning
    - Attacks using topology scanning
    - Attacks using permutation scanning
    - Attacks using local subnet scanning
Classification of DDoS Attack (cont'd)
• Attack rate dynamics
  - Continuous rate attacks
  - Variable rate attacks
    - Increasing rate attacks
    - Fluctuating rate attacks
• Propagation mechanism
  - Attacks using central source propagation
  - Attacks using back-chaining propagation
  - Attacks using autonomous propagation
• Exploited vulnerability
  - Protocol attacks
  - Brute-force attacks
    - Filterable attacks
    - Non-filterable attacks
• Impact
  - Disruptive attacks
  - Degrading attacks
DoS Attack Modes
There are three basic modes of DoS attacks:
• Consumption of scarce, limited, or non-renewable resources (bandwidth, connection state, CPU, memory, disk space)
• Destruction or alteration of configuration information
• Physical destruction or alteration of network components
Indications of a DoS/DDoS Attack
Unusual slowdown of network services
Unavailability of a particular website
Dramatic increase in the volume of spam
Techniques to Detect DoS Attack
There are three basic techniques to detect denial-of-service attacks:
• Activity profiling
• Sequential change-point detection
• Wavelet-based signal analysis
Techniques to Detect DoS Attack:
Activity Profiling
Activity profiling calculates the average packet rate for a network flow, where a flow consists of consecutive packets with similar packet fields (addresses, ports, protocol)
The time interval between consecutive matching packets determines the flow's average packet rate, or activity level
Individual packet flows with similar characteristics can be clustered together for easier monitoring
The following cluster activities indicate a DoS attack:
• An increased average packet rate for a cluster
• An increase in the overall number of distinct clusters (for example, many new flows from spoofed source addresses)
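As an added example (not from the module), the following Python code builds an activity profile of a window of packet records, clusters the flows by the service they hit (destination address, protocol and port) and compares the current window against a baseline window on both indicators above: cluster packet rate and number of distinct flows. Instead of averaging per-flow inter-arrival times it aggregates each cluster's packet count over the window, because a spoofed flood produces thousands of one-packet flows whose individual inter-arrival rate is undefined. The packet records, the window length and the alarm factors and floors are constructed tuning values for this example.

```python
from collections import defaultdict

WINDOW = 60.0   # seconds covered by each batch of constructed packet records


def legitimate_traffic():
    """Constructed records: (timestamp, src, dst, proto, dst_port) for three web clients and some DNS."""
    records = []
    for n, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        for k in range(20):                               # 20 HTTP packets per client per minute
            records.append((n + 3.0 * k, client, "10.0.0.9", "tcp", 80))
    for n, client in enumerate(["10.0.0.11", "10.0.0.12"]):
        for k in range(5):                                # a little DNS to the resolver
            records.append((n + 12.0 * k, client, "10.0.0.2", "udp", 53))
    return records


def syn_flood(sources=300, per_source=2):
    """Constructed spoofed flood: each forged source appears only a couple of times, so the
    number of distinct flows toward the web server explodes while each flow looks harmless."""
    return [(float(t), "203.0.%d.%d" % (s // 256, s % 256), "10.0.0.9", "tcp", 80)
            for s in range(sources) for t in range(per_source)]


BASELINE_WINDOW = legitimate_traffic()
CURRENT_WINDOW = legitimate_traffic() + syn_flood()


def profile(records, window=WINDOW):
    """Activity profile of one window. A flow is keyed by (src, dst, proto, dport); flows sharing
    (dst, proto, dport) form one cluster, reported with its packet rate and distinct-flow count."""
    clusters = defaultdict(lambda: {"packets": 0, "flows": set()})
    for _ts, src, dst, proto, dport in records:
        cluster = clusters[(dst, proto, dport)]
        cluster["packets"] += 1
        cluster["flows"].add((src, dst, proto, dport))
    return {key: {"rate": c["packets"] / window, "flows": len(c["flows"])}
            for key, c in clusters.items()}


def detect(baseline, current, rate_factor=5.0, flow_factor=5.0, min_rate=1.0, min_flows=5):
    """Flag clusters whose packet rate or distinct-flow count grew far beyond the baseline.
    The factors are assumed tuning values; the floors stop a nearly idle baseline cluster from
    alarming on a handful of extra packets."""
    alarms = {}
    for key, cur in current.items():
        base = baseline.get(key, {"rate": 0.0, "flows": 0})
        reasons = []
        if cur["rate"] > rate_factor * max(base["rate"], min_rate):
            reasons.append("packet rate %.1f/s vs baseline %.1f/s" % (cur["rate"], base["rate"]))
        if cur["flows"] > flow_factor * max(base["flows"], min_flows):
            reasons.append("%d distinct flows vs baseline %d" % (cur["flows"], base["flows"]))
        if reasons:
            alarms[key] = reasons
    return alarms


if __name__ == "__main__":
    for cluster, why in detect(profile(BASELINE_WINDOW), profile(CURRENT_WINDOW)).items():
        print(cluster, "->", "; ".join(why))
```

On the constructed data the web-server cluster trips both indicators (roughly 11 packets/s against a baseline of 1, and 303 distinct flows against 3) while the DNS cluster, unchanged between windows, stays silent.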
Techniques to Detect DoS Attack:
Sequential Change-Point Detection
Sequential change-point detection algorithms isolate a change in a traffic statistic that is caused by an attack
In this technique the target traffic data is filtered by address, port, or protocol, and the resulting flow data is stored as a time series
A statistical change in the resulting data at a particular time indicates that a DoS attack occurred around that time; the cumulative sum (CUSUM) algorithm is the usual choice because it accumulates small deviations from the normal mean until they cross a threshold
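The technique above as an added example (not code from the module): a one-sided CUSUM run over a constructed time series of SYN packets per second toward one web server, i.e. traffic already filtered by destination address, port 80 and protocol. The normal mean is estimated from a warm-up prefix; the drift and threshold are assumed tuning values, the drift being set a few standard deviations above the noise so ordinary fluctuations keep resetting the statistic to zero.

```python
import statistics

# Constructed series: SYN packets per second at the server. The flood starts at second 40 and ramps.
BASELINE = [20, 22, 19, 21] * 10
SYN_PER_SECOND = BASELINE + [28, 35, 60, 120, 150, 150, 150, 150]


def cusum_detect(series, warmup=40, drift=3.0, threshold=30.0):
    """One-sided CUSUM change-point detector.

    The normal mean is estimated from the first `warmup` samples (assumed attack-free). For each
    sample the statistic accumulates (x - mean - drift) but never goes below zero, so it stays
    near zero while traffic is normal and climbs quickly once the rate shifts upward. The first
    post-warm-up sample whose statistic exceeds `threshold` is the detected change point.
    Returns (alarm_index or None, statistic per sample)."""
    mu = statistics.mean(series[:warmup])
    stat, trace, alarm = 0.0, [], None
    for n, x in enumerate(series):
        stat = max(0.0, stat + (x - mu - drift))   # reset to zero while traffic stays normal
        trace.append(stat)
        if alarm is None and n >= warmup and stat > threshold:
            alarm = n
    return alarm, trace


if __name__ == "__main__":
    when, trace = cusum_detect(SYN_PER_SECOND)
    if when is None:
        print("no change detected")
    else:
        print("change detected at second %d (statistic %.1f)" % (when, trace[when]))
```

On the constructed series the statistic stays at zero through the 40 normal seconds, picks up 4.5 and 11.5 from the first two ramp samples and crosses the threshold on the third, so the alarm fires at second 42, two samples after the flood began; that lag is the detection delay the "Challenges" slide refers to, and lowering the threshold trades it against false positives.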
Techniques to Detect DoS Attack:
Wavelet-based Signal Analysis
Wavelet analysis describes an input signal in terms of spectral components
Unlike a plain Fourier transform, wavelet analysis provides a concurrent time and frequency description, so it determines the time at which certain frequency components are present
An anomaly in the frequency content of the packet-rate signal at a particular time indicates a DoS attack
Challenges in the Detection of DoS Attack
The main challenges in DoS attack detection are:
• Detecting and distinguishing malicious packet traffic from legitimate packet traffic
• No innate Internet mechanism for discerning malicious traffic
• False positives, missed detections, and detection delays
Summary
This module has focused on DoS and DDoS attacks: their types, working, indications, and detection
A DoS attack is a type of network attack intended to make a computer resource unavailable to its intended users by flooding the network or disrupting connections
A distributed denial-of-service (DDoS) attack is a DoS attack in which a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system
The three basic techniques used to detect denial-of-service attacks are activity profiling, sequential change-point detection and wavelet-based signal analysis