CEHv8 Module 10 Denial of Service PDF

D e n ia l o f S e r v ic e
Module 10
Ethical Hacking and Countermeasures Denial of Service
Exam 312-50 Certified Ethical Hacker
DenialofService
Module 10
Engineered by Hackers. Presented by Professionals.

!>
CEH
Ethical H acking and C ounterm easures v8

M odule 10: Denial-of-Service Exam 312-50
Module 10 Page 1403
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
Kg!!
Home I News
H S B C is L a te s t T arg et in C yb er A tta c k Sp re e
October 19, 2012
H SB C(H BC ) ex p erien cedw id esp read d isru p tio n s toseveral of itsw eb sitesT h u rsd ay, b e co m in go n eofthe h ig h e stp ro filevictim syet inaseriesof attacksb yag ro u pclaim in g tob ealliedw ithIslam icterro rism . "H SBCserverscam eundera denial of service attackw hichaffectedanum berof H SB C w eb sites aroundthew o rld ," th e Lo n d o n b asedb a n k in gg ia n t sa idinastatem en t. "T h is d e n ial of serviceattackd idn o t affect anycu sto m erd ata, b u td id p reven t cu sto m ersu s in g H SB Co n lin eservices, in clu d in g in tern et b a n k in g ." H SB Csa idit h a dth e situ atio nu n d er co n tro l inth eearlym o rn in gh o u rsof Frid ayLo n d o n tim e. T h e Iz z a d D ina lQ assamC yb erFig h te rs tookresp o n sib ilityforthe attackthat at p o in ts crip p led u sers' accesstoh sb c.co man dother H SB C o w n edp ro p erties o nth eW eb. T h e g ro u p ,w h ichh asalsod isru p tedth ew eb sites of sco resof other b a n k sin clu d in gJ.P. M o rg anC h ase(JPM ) an dBan kof A m erica (B A C ), sa idth e attacksw ill co n tin u eu n til th e an tilslam ic'Innocenceof M u slim s' filmtrailer isrem o vedfro mth e Internet
http://www.foxbusiness.com
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
&3>ujs
mp p
S ecurity N ew s HSBC is Latest Target in Cyber Attack Spree

Source: http://www.foxbusiness.com
HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism. "HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking." HSBC said it had the situation under control in the early morning hours of Friday London time. The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM ) and Bank of America (BAC), said the attacks will continue until the anti-lslamic Innocence of Muslims' film trailer is removed from the Internet.
Module 10 Page 1404
In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam. The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country. There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-of-service attack. Essentially, al-Qassam has leveraged exploits in W eb server software to take servers over and then use them as weapons. Once they are taken over, they slam the W eb servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.
copyright2012 FOX News Network, LLC
By Adam Samson. http://www.foxbu5ines5.com/industries/2012/10/19/hsbc-is-latest-target-in-cvber-attackspree/#ixzz2D14739cA
Module 10 Page 1405
Module Objectives
*
CEH
' J J J J J J J J What Is a Denial of Service Attack? What Are Distributed Denial of Service Attacks? Symptoms of a DoS Attack DoS Attack Techniques Botnet Botnet Ecosystem Botnet Trojans DD0 S Attack Tools n J J
r
J J J J J
DoS Attack Tools Detection Techniques D0 S/DD0 S Countermeasure Techniques to Defend against Botnets Advanced DD0 S Protection Appliances D0 S/DD0 S Protection Tools Denial of Service (DoS) Attack Penetration Testing
M odule O b jectiv e s
ta = ,
=1
This module looks at various aspects of denialofservice attacks. The module starts
with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the implications of such attacks. Distributed denial-of-service attacks and the various tools to launch such attacks are included to spotlight the technologies involved. The countermeasures for preventing such attacks are also taken into consideration. Viruses and worms are briefly discussed in terms of their use in such attacks. This module will familiarize you with:
2 2
W hat is a Denial of Service Attack? W hat Are Distributed Denial of
S s s S
DDos Attack Tools Detection Techniques D0 S/DD0 S Countermeasure Techniques Botnets to Defend against
Service Attacks? s s 2 2 2 2 Symptoms of a DoS Attack DoS Attack Techniques Botnet Botnet Ecosystem Botnet Trojans DD0 S Attack Tools
Advanced Appliances
DD0 S
Protection
D0 S/DD0 S Protection Tools Denial of Service (DoS) Attack
Module 10 Page 1406
Penetration Testing Ethical H acking and C ounterm easures C opyright b yE C C 0 l1 n C il A ll R ig h ts Reserved. Reproduction isStrictly Prohibited.
Copyright by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
In the present Internet world, many attacks are launched targeting organizations in the banking sector, as well as IT service and resource providers. DoS (denial of service) and DD0 S (distributed denial of service) were designed by attackers to breach organizations' services.
m m
Dos/DDoS Concepts Dos/DDoS Attack Tools
* Dos/DDoS Attack Techniques * M p J Botnets
d p g
Countermeasures
/ \^
Dos/DDoS Protection Tools
Dos/DDoS Case Study
M = 11
Dos/DDoS Penetration Testing
This section describes the terms DoS, DD0 S, the working of DD0 S, and the symptoms of DoS. It also talks about cyber criminals and the organizational chart.
Module 10 Page 1407
W hat Is a Denial of Service Attack?
W hat is a D en ial of S ervice A ttack?

Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests. An Analogy Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.
Module 10 Page 1408
Malicious Traffic Malicious traffic takes control overall the available bandwidth
r o (R
Internet Router
4m
Attack Traffic Regular Traffic
Q D C^
Server Cluster
Regular Traffic
Figure 10.1: Denial of Service Attack
Module 10 Page 1409
W hat Are Distributed Denial of Service Attacks?

j A distrbuted denial-of-service (DD0 S) attack involves amultitude of compromised systems attack rig a single target, thereby causing den 01 of service for users of the targeted system To launch a DDoS attack, an attacker uses botnets and attacks a single system j
Loss of Goodwil
Disabled Network
Financial Loss
Disabled Organization
Copyrights trf E t C M K l. AJ Rights Reserved. Re prod urtion is Striettf Piohbfted.
gjgg W hat Are D istrib u te d D en ial of S ervice A ttack s?

Source: www.searchsecurity.com A distributed denial-of-service (DD0 S) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet. The services under attack are those of the "primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DD0 S attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World W ide W eb Security FAQ: "A Distributed Denial-of-Service (DD0 S) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-ofservice significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." If left unchecked, more powerful DD0 S attacks could cripple or disable essential Internet services in minutes.
Module 10 Page 1410
How Distributed Denial of Service Attacks W ork

131
Handler infects a large number of computers over Internet Attacker sets a , f handler system /
CEH
H an d ler
m g m m m m
. ...
C om p rom isedPC s(Zom b ies)
How D istrib u te d D e n ia l of S ervice A ttack s W ork

In a DD0 S attack, the target browser or network is pounded by many applications with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the attack by sending a command to the zombie agents. These zombie agents send a connection request to a genuine computer system, i.e., the reflector. The requests sent by the zombie agents seem to be sent by the victim rather than the zombies. Thus, the genuine computer sends the requested information to the victim. either reduce the performance or may cause the victim machine to shut down. The victim machine gets flooded with unsolicited responses from several computers at once. This may
Module 10 Page 1411
>1
Handler infects a largo num ber of computers over Internet Attacker sets a handler system & I ;
%<*
I O
0
Attacker
N [Ml N INI * \ M M
Zombie systems are instructed
Compromised PCs (Zombies)
Q .
u 2
.... j ..... 0 [05
Handler Compromised PCs (Zombies) FIGURE 10.2: Distributed Denial of Service Attacks
<3>
Module 10 Page 1412
Symptoms of a DoS Attack
Unavailability of a particular website
Inability to access any website
Unusually slow network performance
Dramatic increase in the amount of spam emails received
Copyright by E&CtuacO. All Rights Reserved Reproduction is Strictly Prohibited.
Sym ptom s of a DoS A ttack

Based on the target machine, the symptoms of a DoS attack may vary. There are four main symptoms of a DoS attack. They are: Unavailability of a particular website Inability to access any website Dramatic increase in the amount of spam emails received Unusually slow network performance
Module 10 Page 1413
Module Flow
Copyright by E& C ain cil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
^ =1 So far, we have discussed DoS, DD0 S, symptoms of DoS attacks, cybercriminals, and the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform D0 S/DD0 S attacks.
am
* Dos/DDoS Attack Techniques
Countermeasures
Botnets
/*V 5 Dos/DDoS Protection Tools
Dos/DDoS Case Study

i
In a DoS attack, the victim, website, or node is prevented from providing services to valid users. Various techniques are used by the attacker for launching DoS or DD0 S attacks on a target computer or network. They are discussed in detail in this section.
Module 10 Page 1414
DoS Attack Techniques
CEH
Cl
Bandwidth Attacks
Service Request Floods Attacker SYN FloodingAttack
ICMP Flood Attack
Peer-to-Peer Attacks
Permanent Denial-of-Service Attack
J
User
Application-Level Flood Attacks
Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack T e c h n iq u e s
A denial-of-service attack (DOS) is an attack performed on a networking structure to disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DOS attacks on a computer or a network. They are: Bandwidth Attacks Service Request Floods SYN Flooding Attacks ICMP Flood Attacks Peer-to-Peer Attacks Permanent Denial-of-Service Attacks Application-Level Flood Attacks
Module 10 Page 1415
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
Bandwidth Attacks
A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim X
C EH
When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers ^ to be overwhelmed due to the significant statistical change in the \ network traffic
'
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
Basically, all bandwidth is used and no bandwidth remains for legitimate use
Copyright by E & C o in a l. All Rights Reserved. Reproduction is Strictly Prohibited.
B andw idth A ttacks

A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created where an attacker uses several computers to flood a victim. Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use. Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
Module 10 Page 1416
An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections
Service request flood attacks flood servers with a high rate of connections from a valid source
It initiates a request on every connection
Copyright by E&Cauacil. All Rights Reserved. Reproduction is Strictly Prohibited.
Service R eq u est F loods

in 1D5n
Service request floods work based on the connections per second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
M odule 1 0Page 1417
SYN Attack
The attacker sends a fake TCP SYN requests to the target server (victim)
CEH
The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
The target machine does not get the response because the source address is fake
Note: This attack exploits the three-way handshake method
Copyright by
E & C o i n a l .All Rights Reserved. Reproduction is Strictly Prohibited.
SYN A ttack
A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of SYN requests to a target machine (victim). W hen a client wants to begin a TCP connection to the server, the client and the server exchange a series of messages as follows: The attacker sends a fake TCP SYN requests to that target server (victim) The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup 0 The target machine never gets the response because the source's address is fake
Module 10 Page 1418
SYN Flooding
J SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK The victim's listen queue is quickly filled up This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
C rt1fW 4
CEH
ItkKjl Km Im
........
......
N o rm a l co n n e ctio n S y / y ..... ....... estab lish m en t ............. .

syN /P,C K
A C * .... S Y N .... S Y N .... S Y N .... S Y N
J J
< t 1 1 S Y NF lo o d in g ............. . ............ . ............. . ............. .
Copyright by
SYN F looding
SYN flooding is a TCP vulnerability protocol that emerges in a denial-of-service attack. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. The connection is established as defined by the TCP three-way handshake as: Q Q 6 Host A sends the SYN request to the Host B Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A Thus, Host A responds with the ACK packet, establishing the connection
W hen Host B receives the SYN request from Host A, it makes use of the partially open connections that are available on the listed line for a few seconds, e.g., for at least 75 seconds. The intruder transmits infinite numbers of such SYN requests with a forged address, which allows the client to process the false addresses leading to a misperception. Such numerous requests can produce the TCP SYN flooding attack. It works by filling the table reserved for half open TCP connections in the operating system's TCP IP stack. When the table becomes full, new connections cannot be opened until and unless some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled without spoofing the source
Module 10 Page 1419
IP address. Normally, the space existing for fixed tables, such as a half open TCP connection table, is less than the total.
5
Host A
Host B
SY N ........
.....
Normal connection establishment
.......... ...
SVN/ACK ........
ACK
SYN
SYN Flooding
......5VN
.......... ...
.......................................... .................. ...... .?. ......... .. ...............

FIGURE 10.3: SYN Flooding
Module 10 Page 1420
ICMP Flood Attack

ICM P is a type of D o Sattack in w hich perpetrators sen d a larg e num ber of packets with fake source addresses to a target server inorder to crash it an d cause it to sto p responding to T C P/IP req u ests After the ICM P threshold is reached , the router rejects further ICM P echo req u ests froma ll addresses inthe sam e security zon e for the rem ainder of the current second an d the n ex t secon d as w ell
* 9
A ttacker
T he a tta c k e r s e n d s ICMP ECHO re q u e s ts w ith s p o o fe d s o u rc e ad d re s s e s ECHO Request
ECHO Request
ECHO Reply
-Maximum limit of ICMP Echo Requests per SecondECHO Request
ECHO Request Legitimate ICM Pechorequestfrom an address in the same security zone
ii
Copyright by
E f r C o i n a l .All Rights Reserved. Reproduction is Strictly Prohibited.
O p IC M P Flood A ttack
Internet Control Message Protocol (ICMP) packets are used for locating network equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the roundtrip time. A DDoS ICM P flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed. In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICM P threshold is reached, the router rejects further ICM P echo requests from all addresses in the same security zone.
Module 10 Page 1421
*?-...... &
Attacker
The attacker sends ICMP ECHO requests with spoofed source addresses
Target Server
EC H OR eq u est EC H OR ep ly EC H OR eq u est EC H OR ep ly
-Maximum limit of IC M P Echo Requests per Second-
EC H OR eq u est EC H OR eq u est
Le g itim a te IC M P e c h o re q u e s t fro m a n a d d re s s in th e s a m e s e c u rity z o ne tl
l:
,
FIGURE 10.4: ICMP Flood Attack
Module 10 Page 1422
Peer-to-Peer Attacks
0 J U sin gp eer-to -p eer attacks, attackers instruct clients of peer-to-peer file sharing hu b s to disconnect fromtheir p eer-to -p eer netw ork and to connect to the victim 's fake w ebsite
(itilwd 1 ItlMUl IlMhM
CEH
0
J A ttackers exploit flaw s found inthe netw ork u sin gD C + +(D irect C onnect) p rotocol, that is u sed for sharing a ll types of files betw een instant m essag ing clien ts J U sin g th is m eth od, attackers lau nch m assive denial-of-service attacks an d com prom ise w ebsites 0
< d ,
U se r1
Copyright by
I /
P eer-to -P eer A ttacks

A peer-to-peer attack is one form of DD0 S attack. In this kind of attack, the attacker
exploits a number of bugs in peer-to-peer servers to initiate a DD0 S attack. Attackers exploit flaws found in the network that uses DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack doesn't use botnets for the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need of attackers to communicate with clients. Here the attacker instructs the clients of peer-to-peer file sharing hubs to disconnect from their network and to connect to the victim's website. With this, several thousand computers may try to connect to the target website, which causes a drop in the performance of the target website. These peer-to-peer attacks can be identified easily based on their signatures. Using this method, attackers launch massive denial-of-service attacks and compromise websites.
Module 10 Page 1423
User-5
A tta c k Traffic
User-4
..7
'
u
.....
f it*
User-3 User-2
Attacker
User-1 FIGURE 10.5: Peer-to-Peer Attacks
Module 10 Page 1424
Permanent Denial-of-Service Attack

Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
CEH
Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware
Bricking a system method
1 . This attack is carried out using a method known as "bricking a system" 2. Using this method, attackers send fraudulent hardware updates to the victims
Sends email, IRC chats, tw e e ts, post videos w ith fraudulent content for hardw are updates
1^5
V ictim
Attacker
Attacker gets access to victim's com puter
(M alicious c o d e is e x e cu ted )
Process
Copyright by
0O
&
P e rm a n e n t D e n ia lofS ervice A ttack

Permanent denial-of-service (PD 0 S) is also known as plashing. This refers to an attack
that damages the system and makes the hardware unusable for its original purpose until it is either replaced or reinstalled. A PD 0 S attack exploits security flaws. This allows remote administration on the management interfaces of the victim's hardware such as printers, routers, and other networking hardware. This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim by modifying and corrupting the updates with vulnerabilities or defective firmware. W hen the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.
Module 10 Page 1425
FIGURE 10.5:
3
Attacker
Sends email, IRC chats, tweets, post videos with fraudulent contentfor hardware updates
Attacker gets access to victim's computer
Victim (Malicious code is executed)
FIGURE 10.6: Permanent Denial-of-Service Attack
Module 10 Page 1426
Application Level Flood Attacks CEH

UrtrfW* itfciul NMhM
J Application-level flood attacks result inthe loss of services of a particular network, such as em ails, networkresources, the tem porary ceasingof applications and services, and m ore J Usingthis attack, attackers destroy program m ing source code and files in affected com puter system s
Using application-level flood attacks, attackers attempts to:
Flood w eb ap p lication s to leg itim ate user traffic
D isrupt service to asp ecific systemor person, for ex am p le, b lo ckin g a users access b y rep eating in valid lo g in attem pts
Jam the ap p licatio n database connection b y crafting m alicio u s SQ L q ueries
Copyright by
A p p licatio n -lev el Flood A ttacks

Some DoS attacks rely on software-related exploits such as buffer overflows, whereas most of the other kinds of DoS attacks exploit bandwidth. The attacks that exploit software cause confusion in the application, causing it to fill the disk space or consume all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat for doing business on the Internet. W eb application security is more critical than ever. This attack can result in substantial loss of money, service and reputation for organizations. Usually, the loss of service is the incapability of a specific network service, such as email, to be available or the temporary loss of all network connectivity and services. Using this attack, attackers destroy programming source code and files in affected computer systems. Using application-level flood attacks, attackers attempt to: Flood web applications, thereby preventing legitimate user traffic. Disrupt service to a specific system or person, for example, blocking user access by repeated invalid login attempts. Q Jam the application-database connection by crafting CPU-intensive SQL queries.
Module 10 Page 1427
Attacker exploiting application source code
^
Attacker
FIGURE 10.7: Application-level Flood Attacks
Victim
Module 10 Page 1428
M odule Flow
So far, we have discussed D0 S/DD0 S concepts and D0 S/DD0 S attack techniques. As mentioned previously, DoS and DD0 S attacks are performed using botnets or zombies, a group of security-compromised systems.
am
Dos/DDoS Attack Techniques
Countermeasures
Bot ets
/ s ^ >
Dos/DDoS Case Study -
This section describes botnets, as well as their propagation techniques and ecosystem.
Module 10 Page 1429
Organized Crime Syndicates

C yb er C rim in a ls
C yber crim inals areincreasingly b ein gassociated w ith organizedcrim e syndicatestotake advantageof their sophisticatedtechniques
H ie r a r c h ic a l S e tu p
Thereareo rg anizedg roup sofcybercrim inals who w orkina hierarchical setupw itha predefined revenuesharing m o d el, lik ea m ajor corporation that offers crim inal services O rganizedg roup screate andrent botnetsandoffervarious services, from w riting m alw are, to hackin gb an kaccounts, tocreatingm assived en ial-o fservice attacksagainstanytargetfor a p rice A ccordingtoV erizon's 2 0 1 2D ataBreach Investigations R eport, the m ajority of breaches w ere drivenb y organizedg roup s andalm ost a ll d ata stolen (98%) w asthe w orkofcrim inals outsidethevictimorg anizatio n T h e grow inginvolvem ent of o rg anizedcrim inal syndicates inpolitically m otivatedcyber w arfare andhactivismisa m atter of concernfor n ation al securityag en cies
Copyright by E&Cauacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
P ro c e s s
R e p o rt
M a tte r o f C o n c e rn
O rg a n iz e d C rim e S y n d icates
Cyber criminals have developed very refined and stylish ways to use trust to their advantage and to make financial gains. Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is now getting more organized. Cyber criminals are independently developing malware for financial gain. Now they operate in groups. This has grown as an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price. The increase in the number of malware puts an extra load on security systems. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies.
Module 10 Page 1430
Organized Cyber Crime: Organizational Chart

4
o
Attackers Crimeware Toolkit Owners Trojan Distribution in Legitimate website
- Underboss: Trojan Provider and Manager of Trojan Command and Control
q
C am p aign M a n a g e r C am p aign M a n a g e r C am p aign M a n a g e r
to
#
u
to
+ A ffiliatio n :
N e tw o r k
# > m
n < A u A A t t *s
ir m
A ffiliatio n :
n II
N e tw o r k
n It
: t
A ffiliatio n N e tw o r k
' ^4 4 *'
jr
S to le n D ata R e s e lle r
O rg a n iz e d C y b er C rim e: O rg a n iz a tio n a l C h art

Cybercrimes are organized in a hierarchical manner. Each criminal gets paid depending on the task that he or she performs or his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur. He or she does not commit cybercrimes directly. The boss is the first in the hierarchy level. The person who is at the next level is the "underboss." The underboss is the second person in command and manages the operation of cybercrimes. The "underboss" provides the necessary Trojans for attacks and also manages the Trojans command and control center. People working under the "underboss" are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks. They just sell the stolen data of genuine users.
Module 10 Page 1431
O
Attackers Crim eware Toolkit Owners Trojan Distribution In Legitimate website
U n d erb oss: Trojan P ro v id e r and M a n a g e r o f Trojan C o m m a n d and C ontrol
o
1
r%
C a m p a ig n M a n a g e r
r> to
rs
i
to
O 4!
4 J
4!
: v |
4 1 !
4A
4!
*
v
A f f ilia t io n N e t w o r k
>*A f f ilia t io n N e t w o r k
O '" O
6
S t o le n D a t a R e s e lle r S t o le n D a t a R e s e lle r S t o le n D a t a R e s e lle r
FIGURE 10.8: Organizational Chart
Module 10 Page 1432
Botnet
J J Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing A botnet is a huge network of the compromised systems and can be used by an intruder to create denial-of-service attacks
CEH
Bots connect to C&C handler and wait for instructions
vl
m
Bots attack a target server
B o t Com m and & C o n tro l C e n te r
Attacker sends commands to the bots through C&C
3
Zo m b ie s Bot looks for other vulnerable
T arg et S e rv e r
0
Sets a bot C&C handler
, a gk f t 0^= ft M e O
a machine A tta ck e r V ic tim (B o t)
systems and Infects them to create Botnet
The term botnet is derived from the word roBOT NETwork, which is also called zombie army. A botnet is a huge network of compromised systems. It can compromise huge numbers of machines without the intervention of machine owners. Botnets consist of a set of compromised systems that are monitored for a specific command infrastructure. Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are the hidden programs that allow identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information. Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of that system being vulnerable also increases. An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges.
Ill
Module
Purpose of Botnets: 0 Allows the intruder to operate remotely.
10 Page 1433
Scans environment automatically, and spreads through vulnerable areas, gaining access via weak passwords and other means.
Q Q 6
Allows compromising a host's machine through a variety of tools. Creates DoS attacks. Enables spam attacks that cause SMTP mail relays. Enables click fraud and other illegal activities.
The diagram that follows shows how an attacker launches a botnet-based DoS attack on a target server.
Bots connect to C & C handler an dw ait for In structions o Attacker sen d s com m andsto the b o ts through C & C
Bots attack atarget server
Bot Command & Control Center
Target Server
!1
" 6 *
Zombies
Bot lo o ks for other vulnerable system s an d infectsthemto create Botnet
Attacker
Victim (Bot) FIGURE 10.9: BOTNET
In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, i.e., victim bot, and compromises it. He or she then uses the victim bot to compromise some more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies or botnet connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch DoS attack on a target server. Thus, he or she makes the target server unavailable or non-responsive for other genuine hosts in the network.
Module 10 Page 1434
Botnet Propagation Technique

....... / 2 \ ........
C EH
> <:
C yb e rcrim e R e la te d IT O p e ra tio n s (S e rv e rs , S o ftw a r e , and S e rv ic e s )
O
Crime w are Toolkit D a ta b a s e I T rojan C om m and a n d C ontrol C enter
U-\
A ttackers
. I
(z)
;
Trojan upload stolen data and receives commands from command and control center
...........
M alicious Affiliation N etw ork Legitim ate C om prom ised W e b site s
4$ ~
Copyright by
^ B otnet P ro p a g a tio n T e ch n iq u e
Botnet propagation is the technique used to hack a system and grab tradable information from it without the victim's knowledge. The head of the operations is the boss or the cybercriminal. Botnet propagation involves both criminal (boss) and attackers (campaign managers). In this attack, the criminal doesn't attack the victim system directly; instead, he or she performs attacks with the help of attackers. The criminal configures an affiliation network as distribution channels. The job of campaign managers is to hack and insert reference to malicious code into a legitimate site. The malicious code is usually operated by other attackers. W hen the malicious code runs, the campaign managers are paid according to the volume of infections accomplished. Thus, cybercriminals promote infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.
Module 10 Page 1435
.0
..
C y b e r c r i m e R e l a t e d IT O p e r a t i o n s (S e r v e r s , S o f t w a r e , a n d S e rv ic e s )
Attackers
Criminal
Trojan upload stolen data and receives commands from command and control center
):
FIGURE 10.10: Botnet Propagation Technique
Module 10 Page 1436
Botnet Ecosystem
Scan & Zero-Day Market Intrusion Botnet Market
C EH
Malicious Site
b
i
< > 's/y

Licenses
o'6
Financial Diversion
Botnet
MP3, DivX
Data e f t ---Theft
Owner
Crimeware Toolkit Database
Trojan Command and Control Center s'
Client-Side Vulnerab llity^
: Spam : Mass Mailing
DDoS ' Malware Market
i
Adverts
#
B otnet E co sy stem
B
Stock Fraud Scams Copyright by E tC tm G il. All Rights Reserved. Reproduction is Strictly Prohibited.
A group of computers infected by bots is called botnet. A bot is a malicious program that allows cybercriminals to control and use compromised machines to accomplish their own goals such as scams, launching DDoS attacks, distributing spam, etc. The advent of botnets led to enormous increase in cybercrimes. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encyrption and packing. Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, specially crafted applications to attack remote computers via network, etc. Malware services are offered by developers on public sites or closed Internet resources. Typically, the botnet ecosystem is divided into three parts, namely trade market, DDoS attack, and spam. A botmaster is the person who makes money by facilitating the infected botnet groups for service on the black market. The master searches for vulnerable ports and uses them as candidate zombies to infect. The infected zombies further can be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.
Module 10 Page 1437
The pictorial representation of botnet ecosystem is shown as follows:

M a lic io u s S it e
Z e ro D a y
M a rk et
b
B o tn e t
............. Q
L ice n se s M P 3 , D iv X Financial Diversion
Data
Theft
E m a ils C rim ew are Toolkit C& C Database Trojan Command and Control Center
Client-Side
Vulnerability
Spam
R e d ir e c t
M a s s M a ilin g DD0S M a lw a r e M a r k e t
S to c k Fraud E x to rtio n
M
Scam s A d v e r ts
FIGURE 10.11: Botnet Ecosystem
Module 10 Page 1438
Botnet Trojan: Shark

^ -^*harK.3.1 fw b :ha, De&oc Preview [RC-Chat
(rtifwtf
CEH
I til1(41 NMhM
mbsta
Command Control Center
ISe1ver2
;5 * Jv'.* wonPort: 60123 4 0 *i k 3.1 , 1t ccrplcd: ; ,0 3.31 e*gUDdtto<*ocH.. t 1 M JnewVmicn <l- hj|hg_tkto _p!od-> A m W * Stfv*: 127.0 0 .1 5^ * 7^ ^ 1 ))-27!1 > ^
111
Sail up f j insul BrtMf
Ifa n d F it o s
? 1
f5 t e d t h
Comale
O aodJrt Arb Dcbjxio
M llw>rvrr
1 Lcb*: yflro l-cvfcccor v fc frroxirrurr! loqsco of twin
KByto < 0- Unlmtod
Q>jrnror>
Copyright by EC-Gouicil. All Rights Reserved Reproduction is Strictly Prohibited.
B otnet T rojan: sh arK

Source: https://sites.google.coin sharK is a reverse-connecting, firewall- bypassing remote administration tool written in VB6. With shark, you will be able to administrate any PC (using Windows OS) remotely.
Features:
9 9 9 9 9 9 9 mRC4 encrypted traffic (new & modded) zLib compressed traffic High-speed, stable screen/cam cCapture Keylogger with highlight feature Remote memory execution and injection VERY fast file manager/registry editor listing due to unique technic Anti: Debugger, Vm Ware, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box 9 9 Supporting random startup and random server names Desktop preview in SIN Console
Module
10 Page 1439
9 0 9 9
Sortable and configurable SIN Console Remote Autostart Manager Optional Fwb++ (Process Injection, API Unhook) Folder mirroring
* J sharK 3.1 fwb sftarK Desktop Preview IRC-Chat Website
d dfx
| Country Usernam e | PCNone
iLW-itaa
lo s
I Verson
| Pirq
C o m m a n d C o n tro l C e n te r
[5:4S:3S AN] Inrfi.atarg Cfer*... [9:46:55 AW] Iwtenrxj on Port: 60123 [9:46:38 AH] sharK 3.1 fwb++, Last Compiled: 30.03.2008 [9:46:38 AN] Updotecheck... [9:46:40 AW] Hew Versicn ovoiloble: <!- turing cluster_prod > [9:50:25 AN] * New Serve!: 127.0.0.1 - Server 1 (HocLers 5 >ECC-272FF53AA87)
Wolcom to i h t i K 3 .1.0, MacUor* Thi* it an information box rofroshing it* contant ovary 24 hour* H r you will inform ation about charK davalop m ant it a t ! and othar ralaacac of kora dCodarc.eoi (o m a tim M . R e o a ds. sN1p*109 and rockZ Copyright 2007-2008 (c ) BoredCoders.com
sharK 3.1 fwb++
* J N ew S e rv e r - [S e rv e r2 ]
,4
Q j
Basic Settings Server Installation Startup Instal Events Server name:
k. *5 |Se rver2 1pLwUyQ|GEq|pl1t4mAD I ... ..................................................................... 4 seconds 1* Enable offline keylogger with mawnum logsue of [i 000 KByte (0 - Untmrted)
Server Password: Connection Interval:
ft Bind Files Blacklist Anti Debugging Stealth Firewal Bypass dB Liteserver QU Advanced Q Summary Compile SIN-Addr esses: 1i p Port I Status Add ---------------- . Delete
( 1 Save Current Profile Test Hosts
1 ______________________________________________________________________________________________________________________________________________________________1
FIGURE 10.12: Botnet Trojan: sharK
Module 10 Page 1440
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
Poison Ivy: Botnet Command Control Center
CEH
gMaiayr P3 tg o rd 1 js1 | Pday | Ac In^ R :!! ; PdcfcciAnatizaj R em o te SW! k iw ; . DaptyNam u4a

aot
Pi*
O eacflp icr!
\S*M r ao iV iy!k ^ DP(V C T *BBHVUnenlMC 1 y ! .% <hM- 0:!\J> rm 32 V > v1 1 \ > A#1 < ttaaO Ttff WOI
%ACHfC
I..I1 *A M *. %mT9j2
*CHEC oaA -'u are AfO * *. AfctlSfa 4 fc/9 u 2
< Dwct D ii DwceDii.. D evice D ii Dwce D ii D w ee n.i D*ce D ii Oe*c D ii Owe D ii DMee D ii Shiild So r Slandiid S D < M ca DI Shotd 5 w d m r!.i fiiwco D ii D-wteDH Dwce D ii
AFO Mlv*jVrgSu
AM % ' -.*>o nl*.. Alb * IV w rl % ...... Am MSl A te *WW % :4 f % ,, . fc,iTM6PPCfc,r < fcp A1J*. A 1 td c6 *v uW> < DortoaJi
CWNK*ANS1*>1}2W m CVWst M tn
NdfiM< mIrdu fV*d1 oeo1l 1 9 1
SUA* STOPPED STOPPED RUN N IN G STOPPED 5 1UlltD STOPPED RUN N IN G RUN N IN G STOPPED 5TUIltD iTOPPTO STOPPEO 51O PTC D
stoppcd
Sta rtu pT yp e Dfcdfcd D k* M D iaetfej D114M M nrnnl A uiom afo Aulsm A; DMM DMM d1 u*m D 1 :.:tM D I*M DI.1M r>l!*W DiNfcM DutUrJ Hyiv ( A jio rr> a b 3 D i.o LfcJ MnrivJ Aulorrrfc M 0 1* .* 0 1 08/3
logonif
NIAJJTH[* T - 4cc.< m Nl UTH0n1TY<toc4S.
nftivmh.,
\$ > ifcari KayiKmCSDRIVER f.BfIJ'IFVtPi'.Wlip.lvl
0 0
RAS ychre*u
6 1
ATMARP O is*PM I D**ee r.ii M anajee ado d evi.. Shaied Ssr Dvnc D ii ifload:
STOPPFD 5TUIIVD , joprrn STOPPED STOPPED ST0PPC0 RUN N IN G STOPPED STOPPED RUN N IN G RUN N IN G
Copyright by E& C a w c il. All Rights Reserved. Reproduction is Strictly Prohibited.
P oison Ivy: B otnet C o m m an d C ontrol C e n te r

Poison Ivy is an advanced encrypted "reverse connection" for firewall bypassing remote administration tools. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.
FIGURE 10.13: Poison Ivy: Botnet Command Control Center
! 1 I !
OB/*
Module 10 Page 1441
IcoafSyttom V >
Botnet Trojan: PlugBot

J J PlugBot is a hardware botnet project It is a covert penetration testing device (bot) designed for covert use during physical penetration tests
(tt.fwtf
CEH
ttk>l lUikw
PlugBot Statistics
W >wn S*o* art *arrcui* U* *nyou
http://thephgbot.com
Copyright by
HrCunol.All Rights Reserved. Reproduction isStrictly Prohibited.
B otnet T rojan: PlugB ot

Source: http://theplugbot.com PlugBot is a hardware botnet project. It's a covert penetration testing device (bot) is designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected all while being powerful enough to scan, collect, and deliver test results externally. Some of the features include: 6 e Q Q Issue scan commands remotely Wireless 802.11b ready Gigabit Ethernet capable 1.2 Ghz processor Supports Linux, Perl, PHP, MySQL on-board Covertly disguised as power adapter Capable of invoking most Linux-based scan apps and scripts
Module
10 Page 1442
H d O A D M IN IU vtO U w 9ng| Logout
5fl5rlt e
OMttxMrd-
Dashboard
DropZone
Account
I l f Settings
( ? ) Help
Jobs
C Manwwoos
Dashboard
Botnot Statistics
Cb AddJoto
P lu g Bo t Statistics
Shown oeiow are some aucx suss on your botnet. Statistics Bots: 2 Joas Pending 0 Jo&sComoied:0
Applications
1M e n a ^ A o p a
Co AddApo
Dots Q Manage Bet*
Chock-Ins: 14636
C6 A03B0
FIGURE 10.14: Botnet Trojan: PlugBot
Module 10 Page 1443
Botnet Trojans: Illusion Bot and r c u NetBot Attacker -----
ACa o m m o 1| Hotf 10001
P 8667 p * 6667
Chm 0 *0 * *
P*ss *ten
Pk s ****
* ah o # 10001
Pot
P*
P o t
Sort1 4p o rt * SocAiVpart
P*
*R a n d o m .r n 0 e2 0 0 1
Bethel part
FT P p1
0 password
MD5C.ypl t '** 0* wonIRCchaml *

1 n
'*-**.
I
r_
-^
O d v*
s M
Abou
Copyright by
B otnet T rojans: Illu sio n Bot a n d N etBot A ttack er

M
l j
Illu sio n Bot
Source: http://www.teamfurry.com Illusion Bot is a GUIt.
Features:
Q e e e e e 0 e 6 C&C can be managed over IRC and HTTP Proxy functionality (Socks4, Socks5) FTP service MD5 support for passwords Rootkit Code injection Colored IRC messages XP SP2 firewall bypass DDOS capabilities
Module 10 Page 1444
Illusion M jk e i
Binary
CADocuments and SettingsVWinux'J afio * cron^BOTBIMARV EXE
Reload
IRC Administration 1) Host: 100 0 1 2) Host: 100.0.1 WEB Administration 1) Host: 10 2) Host: 1C Default services: Socks4, port v Socks5, pat FTP. port IRC Access BOT PASSWORD Options v Install Kernel Drivei Save cervices state in registry Loloied IRC messages
* +
Port: 6667 Port: 6667
Chan Behan Chan Behan
Pass 4lest Pass: 4iesi
Port Port:
Path Path
Refresh time:
sec.
R R R
*
Random, range: Bmdshefl. port:
2001
3000
qwerty
MD5 Crypt
Auto OP admm on IRC channel ln!ect code fit dnve< falsi Ada to autoload Save
IRC serve! need passwotd
/ B>pass XP SP2 Fewall Fluod Values About
Ewt
FIGURE 10.15 Illusion Maker
NetBot A ttack er
NetBot attacker has a simple Windows user interface to control botnets. Attackers use it for commanding and reporting networks, even for command attacks. It has two RAR files; one is INI and the other one is a simple EXE. It is more powerful when more bots are used to affect the servers. With the help of a bot, attackers can execute or download a file, open certain web pages, and can even turn off all PCs.
(P
HtOMUmtckm I 4 laiM > >
3 >1
On line hosts Attack Area Co Hedive order Use kelp PC IP jComputef!system WiodowiXP Memory [Servke edition
1m m
!;*
*onfai pcrfSOwHeh t
|^cu*r wg
taeftoe N
FIGURE 10.16: NetBot Attacker
Module 10 Page 1445
Copyright by E & C a in c i. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
So far, we have discussed D0 S/DD0 S concepts, attack techniques, and botnets. For better understanding of the attack trajectories and to find possible ways to locate attackers, a few DD0 S case studies are featured here.
am
Countermeasures
Botnets
Dos/DDoS Case Study i
This section highlights some of real-world scenarios of DD0 S attacks.
Module 10 Page 1446
DDoS Attack
H a ck e rs a d v e rtis e LOIC to o l on T w itte r, F ace b o o k, G o o g le , e tc. V o lu n te e r
Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
DDoS A ttack
In a DDoS attack, a group of compromised systems usually infected with Trojans are used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of an LOIC tool.
Module 10 Page 1447
(ft
A ttacker R eleases Lo wO rb it Io nC a n n o n (LO IC )T o o lo nth eW eb

V o lunteers connect to IRC
A n o n ym o u sH a ck e r
channel and w a it for instruction from attack er
V o lu n teer e
DDoS Attack o ! *
V o lu n teer H a ck e rsad vertiseL O ICto o l o nT w itter, F a ce b o o k , G o o g le, e tc. V o lu n teer

FIGURE 10.17: DDoS Attack
Module 10 Page 1448
DDoS Attack Tool: LOIC

fhis tool was used to bring down Paypal and mastercard websites
Low O bit Ion Cannon | U dun goofed | v. 1J.D5
RC server 1,'anujl Mode for pu ssies! 9 FUCKWGHfVc UNO Port Cnannel
MM
CEH
tU M Jl N M h M
IC 3I 0 fji ::
- 2 . Rea<iy?--------------
r 1 Select your target----------------------URL
w w w .davenD 0rtV 0 ns.c0 1n

Stop flooding
v ! y
4000
85.116.9.83
3 Attack otf n s ------------------------------------------------------Trneout HT7PSU>s<e ZX Append ranJom chars to the URl /119/ TCP / U0P message U dun goofed ----------------------------------------------------------------------------------------------------------------------- HTTP g 10 80 *Vat for rep*y ------------ 1 Port Method Threads faster Speed slower >
Idle 1
Connectrg 9
Requestrg 0
Cowntoadmg 0
Downloaded 419
Requested 419
Faded 9
Copyright by
E & C a i n c i .All Rights Reserved. Reproduction is Strictly Prohibited
DDoS A ttack Tool: LOIC

LOIC is an open source tool, written in C#. The main purpose of the tool is to conduct
stress tests of web applications, so that the developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehouse of garbage requests, directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web servergarbage requests can easily be ignored while legit requests for web pages are responded to as normal. But when thousands of users run LOIC at once, the wave of requests become overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered. LOIC is more focused on web applications; we can also call it an application-based DOS attack. LOIC can be used on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
Module 10 Page 1449
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
FIGURE 10.18: DDoS Attack Tool: LOIC
Module 10 Page 1450
Hackers Advertise Links to Download Botnet
CEH
Gougle jfr _ sM sg SSSsa sK si E - r - l S 2 '
rrtr8 * , '~ T V A r!rrj. rg * .? *"
!S ^ iS S S '0 a L O C*** * -
Copyright by E W io u n c i. All Rights Reserved. Reproduction is Strictly Prohibited.
H ack ers A d v ertise L inks to D ow nload B otnets
Module 10 Page 1451
FIGURE 10.19: Hackers Advertise Links to Download Botnets
Module 10 Page 1452
Copyright by E & C a in c i. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
So far, we have discussed the D0 S/DD0 S concepts, attack techniques, botnets, and the real-time scenarios of DDoS. The D0 S/DD0 S attacks discussed so far can also be performed with the help of tools. These tools make the attacker's job easy.
am
ji Countermeasures
Botnets Dos/DDoS Case Study
Dos/DDoS Penetration Testing I
This section lists and describes various D0 S/DD0 S attack tools.
Module 10 Page 1453
DoS Attack Tools

DoSHTTP 2.5.1 Rle Options Help S o c k e ts o ft.n e t [E valuation M ode]
(crtifwd
c EH
IU mjI Nm Im
X J
DoSHTTP
H T T P F lo o d D e n ia l o f S e r v i c e ( D o S ) T e s tin g To ol
T a ig e t U R L
3
Status: Connecting to 118.215.252.59:80... [ 1174 OK Peak:
"]
M oza/60 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)

S o c k e ts R e q u e s ts [Conhnuous V e r ify U R L | S t o p F lo o d | C lo s e
Connected: Connect:
74
Disconnect:
Requests 1
Responses 0
Multisystem TCP Denial of Service Attacker [Build #12] Coded by Yarix (yarix@tut.by) http://varbt.bv.r11/
DoS H TTP
Sprut
Internet
Target Server
Copyright by E& C aunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack Tools

DoS HTTP
Source: http://www.socketsoft.net DoSHTTP is HTTP flood denial-of-dervice (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed-denial-of-service (DD 0 S) attack. It also allows you to test web server performance and evaluate web server protection software. Features: 0 Supports HTTP redirection for automatic page redirection It includes URL verification that displays the response header and document It includes performance monitoring to track requests issued and responses received It allows customized User Agent header fields It uses multiple asynchronous sockets to perform an effective HTTP flood It allows user defined socket and request settings
Module 10 Page 1454
It supports numeric addressing for target URLs

DoSHTTP 2.5.1 -
Socketsoft.net
[E valuation M o de]
xJ
file O ptions H elp
D oSH TTP
HTTP Flood Denial of Service (D o S ) Testing Tool Target URL_________________________________________ 1 192.168.168.97 User Agent lM ozilla/6.0 (com patible; MSIE 7.0a; Windows NT 5.2; SV1J Sockets |500
lQ D S C * m*T
21
Requests | (Continuous
] Verify URL | Stop Flood |
Close
h ttp//www so cketso fi n ttf Requests: 1 FIGURE 10.20: DoS HTTP Responses: 0
Running..
Sprut
Sprut is a multisystem TCP denial of service attacker.
Hostname or IP-address:
www. juggyboy.com
Start
Stop
Port:
Threads:
[80
Status: Connected: Connect: Disconnect:
[20
Reset
Connecting to 118.215.252.59:80 ... 1174 OK No error Peak: 1174
B S
Multisystem TCP Denial of Service Attacker [Build 812] Coded by Yarix (yarix@tut.by) http:/Aatix bv.ru/
FIGURE 10.21: Sprut
Module 10 Page 1455
DoS Attack Tools

(Contd)
gdt M ew G o Capln tra!:
Urtifw*
CEH
ilhiul lUtbM
a 72.11 O m s: I
_1J
_ !lh
2 1 .\ ss5tt1 :i . DecwfcnKeyi... |:nfo source port: 17795 Destination po Fragmented ip p ro to c o l (p ro to -u o p Fragmented ip p ro to c o l (proco-uop Fragmented IP p ro to c o l (proto=UDP Fragmented ip p ro to c o l (proto=u0P fragm ented IP p ro to c o l (proto-UO** Source port: 17795 Destination po Fragmented ip p ro to c o l ( p r o t o-uop Fragmented IP p ro to c o l (p ro to -u o p Fragmented IP p ro to c o l (proto=UOP Fragmented IP p ro to c o l (proto=U0P Fragmented IP p ro to c o l (proto-UOP source port: 17706 t*stlfwi10n po Fragmented ip p r o to c o l (protouo*> Fragmented IP p ro to c o l (proto*u0P Fragmented ip p ro to c o l (proto=UOP
08182 165.289717 08183 165.289838 08184 165.289968 08185 165.290090 08186 165.290211 08188 165.290403 08189 165.?90S? J 08190 165.290733 08191 16S. 290776 08192 165.290896 08194 165. ?91091 08195 165.291210 08196 165.291330 08197 165.291452 08198 165.291582
192.168.168. 7 192.166.168. 7 192.168.168.7 192.168.168.7 192.168.168.7 192.168.168.7 192. 168.168.7 192.168.168.7 192.168.168.7 192.168.168.7 19?. 168.164.7 192.168.168.7 192.168.164.7 192.168.168.7 192.168.168.7
192.16a.168. 32 192.16a. 168. 32 192.164.168. 32 192.166.168. 32 192.164.168. 32 192.168.168.32 192.168.168.32 192.168.168. 32 192.168.168.32 192.168.168. 32 192.164.168.3? 192.168.168. 3 2 192.168.168.32 192.164.168. 32 192.168.168. 32
m u m
Your V: <DontClo3you>eNnub)
!: id r ! tn *DoS iBju k . please wall M tillothe browser 1 0
1 rrame 6?4153: 1514 bytes, on wire ( l ? l l ? b it s ). 1514 byte;, captured ( l ? l l ? bit) I- kt her ret 11. Src: fclUegro 22:2d: if (0 0:25 :ll:22 :2 d:5 f). u st: 01 l_ f d : 86:63 (84 :b:dt>:fd: 86:63) I in ternet Protocol, src: 192.168.168.7 (192.168.168.7). USt: 192.108.168.32 (192.168.168.32) | vi Oat a (1480 bytes) .. t . < b C 4 000 b fd 86 63 00 25 11 22 2d 5f 08 00 45 00..... ........ c.ft dc ab 21 22 2b 80 11 96 4b cO a4 .18 07 cO a8 .K 05 010> ......... XXXXXX XXXXXXXX . 58 58 58 58 58 58 58 58 58 58 58 58 58 *5 20 8* 020> SB 58 58 58 58 58 58 58 58 58 54 58 58 58 58 XXXXXXXX XXXXXXXX 58 030> XXXXXXXX XXXXXXXX 58 58 58 58 54 58 58 58 58 58 58 58 58 58 58 58 040> I ^K*C:tM>1A>0-:\>ecâlocjrr1 > V ~ P*xts: 80^/630< nUrd: 602/63M arked: 0frepped: 9 5 3
PHP DoS
Traffic at Victim Machine

Copyright by E& C aunci. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack Tools (C ontd)

PHP DoS
Source: http://code.google.com This script is a PHP script that allows users to perform DoS (denial-of-service) attacks against an IP/website without any editing or specific knowledge.
Module 10 Page 1456
xJe
Your IP:
IF Time
(Dont DoS yourself nub)

ort
iK sa a sia L^ ftii
Alter initiating the DoS attack, please wait while the browser loads
FIGURE 10.22: PHP DoS
Module 10 Page 1457
Ethical Hacking and Countermeasures Copyright by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
DoS Attack Tools

(Contd)
q eH
(itifwtf
tlfcitjl IlMkM
Copyright by EC-Cooncfl. All Rights Reserved Reproduction is Strictly Prohibited.

I d Jan id o s
FIGURE 10.23: Janidos

10 Page 1458
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
Module
S upernove
!sup ernova 5
Single targe( 1 Ty?** Frst Q

F;rT.:.v r
Port
[
L a ned
Load
Save
Discomect Harvest Speed
Random Ports| 1 *
Speed ! Remove
Remove
Multiple
Hub Harvester
1 0
M M M M fl
êptoce hubs on dose replace hubs on errors rorbid Scanner log abuse nbuiia Scanner Assign socks for every hub in the list
23 Debug connections Q Jebug replaces jQ Debug socxet errors S3 .ebug actions Q Debug User number
BEHSI MSW 1 I: I I = I : 1 I: I
Search
j i;1 r
]Produced by ]3/24/2009 [W A Q C m ) CPt I _________ Rtrîi 1 R . 4 . P : 1. ;:1V.H7 * : 4 1 !.
*
Cmdune
*^ *'
FIGURE 10.24: Supernove
Module 10 Page 1459
DoS Attack Tools

(Contd)
(rtifwd
CEH
itkitjl
J * * * * * 1 1 * !* t if c c f c * * fOilcrw * ' ' * I, ! lfH n * * *susin4 [a m c w *m fAdlMM ! p !s&: r 85 TCT n }05 [~ 4 __________ _ [051TC7 4^ tO eiTC T^n-j.,.
u%lly U . ~ u , it lK t U . CM4 * a1.
*It
H h *
as [ p
1 0 : * . J VXf 103 , 0,* IB1" tw j
T t fa r* < *
T t t / * * *t l f< t< 1 W 123| * r c t k M > / w e e W t K 1 *12 3;

0
ft. "
]* <T W .U 1
T r y *0 3 T W * 1 0 I* ! <i c n" ,T r < t... < . !.
totw*(1<111r
< 1 U i l 4 W 1 m (4 m i i i m 4!
*. .
-. / * ,?nrsffs i i . m UI L n r
u u
**
qiy

* }^*Sr SSJ .
ooos t
_ :a 1 C h in e s e C o r n m e r e 3 '
Copyright by EG-Goinci. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack Tools (C ontd) Commercial Chinese DIY DDoS Tool
Figure 10.25: Commercial Chinese DIY DDoS Tool
Module 10 Page 1460
BanglaDos
Mom C w N u 00 ten et Yow tcaamr t a c i * * UmOmt
tm 01 w
C D
SI
< 'f l
H a c k C la r ify
R ^ R
)O S (7)
m c
% > M dm t (4) d i m ( ) 7 )7(
ft> w y i o g y n <4) x n o M M 0 ) ( iM m 10 tack )5 (
naM ! ) onln and oflhrw (S) apacaftng vrt*m % ( ) pm w ord recowen (?) p*saora O ) {MX** n p c n o v f ) 3 ( ) 1(
B n u x ) 1 6 ( we d i m o w ! ) nem % )5 (
11
e w w ie p d ip ro a y < 2)em < 1rH (2)KW W im S * c u r * y o u r b l o g r u n n in g o n W o r d p r
tM re (1jna *
aoftw are c r a c k s (11) *am p o o t
)4 ( *) xm < % )
10 14 PU Artel t* S n r r J t
tips and tricks FIGURE 10.26: BanglaDos
m H > ( *
1 1 7
)3(
)4 (
Module 10 Page 1461
DoS Attack Tools

(C o n ttt)
CEH

DoS
FIGURE 10.27: DoS
Module 10 Page 1462
M e g a D D o S A tta c k
FIGURE 10.28: Mega DDoS Attack
Module 10 Page 1463
Copyright by E&Caincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
A
*"2
M o d u le F lo w So far, we have discussed the D0 S/DD0 S concepts, various threats associated with this
kind of attack, attack techniques, botnets, and tools that help to perform D0 S/DD0 S attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester, you should think about detecting and applying possible ways or methods to secure the network.
1 --1
c * K J
Dos/DDoS Concepts
Dos/DDoS Attack Tools
S *
Counterm easures
Botnets
Dos/DDoS Case Study
Module 10 Page 1464
This section describes various techniques to detect D0 S/DD0S vulnerabilities and also highlights the respective countermeasures.
Module 10 Page 1465
D e tectio n te c h n iq u e s a re b ased on id e n tify in g and d is c rim in a tin g th e ille g itim a t e tra ffic in cre as e an d fla sh e v e n ts fr o m leg itim ate packet tra ffic
All d e te ctio n te c h n iq u e s d e fin e an a tta ck as an a b n o rm a l and n o tic e a b le d e v ia tio n fro m a th re sh o ld o f n o rm al n e tw o rk tra ffic statistics
Activity Profiling
Wavelet-based Signal Analysis
Changepoint Detection
Copyright by E&Caincfl. All Rights Reseivei.Rejproduction is Strictly Prohibited.
D e te c tio n T e c h n iq u e s Most of the DDoS today are carried out by attack tools, botnets, and with the help of other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. All these problems together lead to the requirement of defense systems featuring various detection methods to identify attacks. The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic. There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
Module 10 Page 1466
Activity Profiling
r
An attack is indicated by: An increase in activity levels among clusters e An increase in the overall number of distinct clusters (DDoS . attack)
It is th e a v e r a g e p a ck et r a te fo r a
n e tw o r k flo w , w h ic h co n s is ts o f c o n s e c u tiv e pa ck ets w ith s im ila r p a ck et fie ld s
A ctivity profile is obtained by m onitoring the netw ork packet's header informatio
A c tiv ity P r o filin g Typically, an activity profile can be obtained by monitoring header information of a network packet. An activity profile is defined as the average packet rate for network flow. It consists of consecutive packets with similar packet fields. The activity level or average packet rate of flow is determined by the elapsed time between the consecutive packets. The sum of average packet rates of all inbound and outbound flows gives the total network activity. If you want to analyze individual flows for all possible UDP services, then you should monitor on the order of 264 flows because including other protocols such as TCP, ICMP, and SNM P greatly compounds the number of possible flows. This may lead to high-dimensionality problem. This can be avoided by clustering the individual flows exhibiting similar characteristics. The sum of constituent flows of a cluster defines its activity level. indicated by: 0 An increase in activity levels among clusters An increase in the overall number of distinct clusters (DDoS attack) Based on this concept, an attack is
Module 10 Page 1467
W avelet-based Signal Analysis

Wavelet analysis describes an input signal in terms of \ spectral components
CE H
Wavelets provide for concurrent time and frequency description
Analyzing each spectral window's energy determines the presence of anomalies
They determine the time at which certain frequency components are present
Copyright by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
W a v e le t - b a s e d S ig n a l A n a ly s is W avelet analysis describes an input signal in terms of spectral components. It provides a global frequency description and no time localization. W avelets provide for concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals and the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, and attacks such as DoS, etc.
Module 10 Page 1468
Sequential C hange-Point Detection

Change-point detection algorithms isolate a traffic statistic's change caused by attacks
C EH
S e q u e n t ia l C h a n g e - P o in t D e t e c t io n Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resultant flow as a time series. This time series can be considered as the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins. Cusum is a change-point detection algorithm that operates on continuously slamped data and requires only computational resources and low memory volume. The Cusum identifies and localizes a DoS attack by identifying the deviations in the actual versus expected local average in the time series. If the deviation is greater than the upper bound, then for each t,ime series sample, the Cusum's recursive statistic increases. Under normal traffic flow condition the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify a DoS attack onset by applying an appropriate threshold against the Cusum statistic.
Module 10 Page 1469
D oS/D D oS Counterm easure Strategies
C EH
A b s o r b in g th e A tta c k
Q Use additional capacity to absorb attack; it requires preplanning 9 It requiresadditional resources
D e g r a d in g S e r v ic e s
Identify critical services and stop non critical services
S h u ttin g D o w n th e S e r v ic e s
_ Shut down all the services until the attack has subsided
D o S / D D o S C o u n t e r m e a s u r e S tr a te g ie s There are three types of countermeasure strategies available for DoS/DDoS attacks: A b s o r b th e a tta c k Use additional capacity to absorb the attack this requires preplanning. It requires
additional resources. One disadvantage associated is the cost of additional resources, even when no attacks are under way. D e g r a d e s e r v ic e s If it is not possible to keep your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, first you need to identify the critical services. Then you can customize the network, systems, and application designs in such a way to degrade the noncritical services. This may help you to keep the critical services functional. If the attack load is extremely heavy, then you may need to disable the noncritical services in order to keep them functional by providing additional capacity for them. S h u t d o w n s e r v ic e s Simply shut down all services until an attack has subsided. Though it may not be an optimal choice, it may be a reasonable response for some.
Module 10 Page 1470 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
D D oSAttack Counterm easures CE H

Protect secondary victims
Prevent potential attacks
Mitigate attacks
D D o S A tta c k C o u n te rm e a s u re s There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, there is no single way that alone can provide protection against all DDoS attacks. In addition, attackers are frequently developing many new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks: 0 0 0 Protect secondary targets Neutralize handlers Prevent potential attacks Deflect attacks Mitigate attacks Post-attack forensics
Module 10 Page 1471
D oS/D D oS C ounterm easures: Protect SecondaryVictim s

Install anti-virus and anti-Trojan software and keep these up-to-date
C EH
An increased awareness of security issues and prevention techniques from all Internet users
Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources
Configuration and regular updates of built-in defensive mechanisms in the core hardware and software of the systems
D o S / D D o S C o u n te rm e a s u re s : P ro te c t S e c o n d a ry V ic t im s
Individual Users
Potential secondary victims can be protected from DD0 S attacks, thus preventing them from becoming zombies. This demands intensified security awareness, and the use of prevention techniques. If attackers are unable to compromise secondary victims systems and secondary victims from being infected with DD0 S, clients must continuously monitor their own security. Checking should be carried out to ensure that no agent programs have been installed on their systems and no DD0 S agent traffic is sent into the network. Installing antivirus and anti-Trojan software and keeping these updated helps in this regard, as does installing software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web surfer, integrated machineries in the core part of computing systems (hardware and software) can provide protection against malicious code insertion. This can considerably reduce the risk of a secondary system being compromised. Attackers will have no attack network from which to launch their DD0 S attacks.
N etw o rk Service Providers
Service providers and network administrators can resort to dynamic pricing for their network usage so that potential secondary victims become more active in preventing
Module 10 Page 1472
their computers from becoming part of a DD0 S attack. Providers can charge differently as per the usage of their resources. This would force providers to allow only legitimate customers onto their networks. At the time when prices for services are changed, the potential secondary victims who are paying for Internet access may become more cognizant of dangerous traffic, and may do a better job of ensuring their nonparticipation in a DD0 S attack.
Module 10 Page 1473
D oS/D D oS C ounterm easures: EH Detect andNeutralize Handlers C

Neutralize Botnet Handlers
Study of communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler There are usuallyfew DDoS handlers deployed as compared to the number of agents Neutralizinga few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks
Spoofed Source Address

There is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network
\
Copyright by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited
D o S / D D o S C o u n te r m e a s u r e s : D e te c t a n d N e u tr a liz e H a n d le r The DDoS attack can be stopped by detecting and neutralizing the handlers, which are intermediaries for the attacker to initiate attacks. Finding and stopping the handlers is a quick and effective way of counteracting against the attack. This can be done in the following ways: Studying the communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify network nodes that might be infected with a handler. There are usually a few DDoS handlers deployed as compared to the number of agents, so neutralizing a few handlers can possibly render multiple agents useless. Since agents form the core of the attacker's ability to spread an attack, neutralizing the handlers to prevent the attacker from using them is an effective strategy to prevent DDoS attacks.
Module 10 Page 1474
D oS/D D oS C ounterm easures: Detect Potential Attacks

Egress Filtering
C EH
Ingress Filtering
9 Protects from flooding attacks which originate from the valid prefixes (IP addresses) It enables the originator to be traced to its true
TCP Intercept
e ConfiguringTCP Intercept prevents DoS attacks by intercepting and validating theTCP connection requests
D o S / D D o S C o u n te r m e a s u r e s : D e te c t P o te n tia l A tta c k s To detect or prevent a potential DDoS attack that is being launched, ingress filtering, engress filtering, and TCP intercept can be used. In g r e s s filt e r in g Ingress filtering doesn't offer protection against flooding attacks originating from valid prefixes (IP addresses); rather, it prohibits an attacker from launching an attack using forged source addresses that do not obey ingress filtering rules. When the Internet service provider (ISP) aggregates routing announcements for multiple downstream networks, strict traffic filtering must be applied in order to prohibit traffic originating from outside the aggregated announcements. The advantage of this filtering is that it allows tracing the originator to its true source, as the attacker needs to use a valid and legitimately reachable source address. E g re s s F ilt e r in g In this method of traffic filtering, the IP packet headers that are leaving a network are initially scanned and checked to see whether they meet certain criteria. Only the packets that pass the criteria are routed outside of the sub-network from which they originated; the packets
Module 10 Page 1475
which don't pass the criteria will not be sent. There is a good possibility that the source addresses of DDoS attack packets will not represent the source address of a valid user on a specific sub-network as the DDoS attacks often use spoofed IP addresses. Many DDoS packets with spoofed IP addresses will be discarded, if the network administrator places a firewall in the sub-network to filter out any traffic without an originating IP address from the subnet. Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network. If a web server is vulnerable to a zero-day attack known only to the underground hacker community, even if all available patches have been applied, a server can still be vulnerable. However, if egress filtering is enabled, the integrity of a system can be saved by disallowing the server to establish a connection back to the attacker. This would also limit the effectiveness of many payloads used in common exploits. This can be achieved by restricting outbound exposure to the required traffic only, thus limiting the attacker's ability to connect to other systems and gain access to tools that can enable further access into the network. T C P In te r c e p t -----TCP intercept is a traffic filtering feature intended to protect TCP servers from a TCP
SYN-flooding attack, a kind of denial-of-service attack. In a SYN-flooding attack, the attacker sends a huge volume of requests for connections with unreachable return addresses. As the addresses are not reachable, the connections cannot be established and remain unresolved. This huge volume of unresolved open connections overwhelms the server and may cause it to deny service even to valid requests. Consequently, legitimate users may not be able to connect to a website, access email using FTP service, and so on. For this reason, the TCP intercept feature is introduced. In TCP intercept mode, the software intercepts the SYN packets sent by the clients to the server and matches with an extended software access list. If the match is found, then on behalf ofthe establishes a connection with the client. Similar to this,the destination server, the
software also establishes a connection with the destination server on behalf of the client. Once the two half connections are established, the software combines them transparently. Thus, the TCP intercept software prevents the fake connection attempts from reaching the server.The TCP intercept connection. software acts as a mediator between the serverand the client throughoutthe
Module 10 Page 1476
D oS/D D oS Counterm easures: Deflect Attacks
fE H --
Systems that have only partial security and can act as a lure for attackers are called
honeypots. This is required so that the attackers will attack the honeypots and the actual system will be safe. Honeypots not only protect the actual system from attackers, but also keep track of details about what they are attempting to accomplish, by storing the information in a record that can be used to track their activities. This is useful for gathering information related to the kinds of attacks being attempted and the tools being used for the attacks. Recent research reveals that a honeypot can imitate all aspects of a network including its web servers, mail servers, and clients. This is done to gain the attention of the DDoS attackers. A honeypot is designed to attract DDoS attackers, so that it can install the handler or an agent code within the honeypot. This stops legal systems from being compromised. In addition, this method grants the owner of the honeypot a way to keep a record of handler and/or agent activity. This knowledge can be used for defending against any future DDoS installation attacks. There are two different types of honeypots: Low-interaction honeypots High-interaction honeypots
An example of high-interaction honeypots are honeynets. Honeynets are the infrastructure; in other words, they simulate the complete layout of an entire network of computers, but they
are designed for the purpose of "capturing" attacks. The goal is to develop a network wherein all activities are controlled and tracked. This network contains potential victim decoys, and the network even has real computers running real applications. KFSensor Source: http://www.keyfocus.net KFSensor acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. The screenshot of KFSensor Professional is shown as follows:
KFSensor Professional - Evaluation Trial
File View S i Scenario 4 i Signatures :t :u Y Settings Help i : a Start
10/ 1 0/2012 1a 11 K)6 A.^ 10/ 1 0/2012 10:11:05A...
-1 ! = ID 22 < y 21 20 3 19 #18 917 G 16 $ 15 A 14 A 13 12 / '1 1 910 0 9 0 8 $7 9 6 9 5 34 93 92 jjl
o ( & n
Duration 0.000 0.000

0.000 0.000 0.000
\ Pro... UDP UDP UDP UDP UDP UDP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP Sens... 49270 Name UOP Packet Visitor W 1ndows8 W 1ndows8 W1 ndows8 Windows8 W 1ndows8
1 0 0 0 .1
, kfsem or - *3 TCP ^ J g J ^
kxalhm t
Main Sc a
Received (99]u[80 0( h(02 80 00 (E0M80 0C NBT DGftf NBT DGR* (0201060 (1703010 1(80 8000 Pt(F08C 0( Pt(F08C 0 1 Pt(F08C 0 1 Possible P NBT DGftf 2(94 80 00 (C4]L[80 0i DHCP. Bo< NBT DGRfi NBT DGRfi DHCP: Bo< NBT DOR* NBT DORA DHCP: Bo< > Events: 39/39
0 Closed TCP Ports FTP 25 SMTP

6 8 DHCP
65260 UOP Packet 58278 UOP Packet 138 NBT Datagram... 138 NBT Datagram...
68
J2 1
10/10/2012 10:1105 A~ 10/10/2012 10:11:05 a ... 10/10/2012 10:1105 A.10/10/2012 10:10:51 A... 10/10/2012 1005:49 A.10/10/2012 10:10:33 A 10/10/2012 10:10:32 A.10/10/2012 10:10:27 A... 10/10/2012 10:10^2 A.10/10/2012 10:10:22 A...
10 / 1 0/2012 10:10:06A.-
S3 5 J DNS
0.000 232413
0000 0.000 0.000
DHCP Client TCP Connection sunrpc sunrpc sunrpc Port Scan War...
110 POP3 119 NNTP U S M S W C -W 139 NBT Session Service 389 LDAP 443 HTTPS
1041
ni*in-f125.1e100.... W1N-2N9STOSGIEN WIN-2N9STOSG1EN W1N-2N9STOSGIEN W1N-2N9STOSGIEN WIN-2N9STOSGIEN W1N-2N9STOSGIEN W1N-2N9STOSGIEN WIN-2N9STOSGIEN WIN-2N9STOSGIEN WIN-MSSELCK4K41 W1N-MSSELCK4K41 WIN-MSSELCK4K41 WIN-MSSELCK4K41 W1N-MSSELCK4K41 W1N-MSSELCK4K41
63120 UOP Packet

111 111 111 111
0.000
0.000 0000 0.000 0000
g Hi NBT SMB t w j 593 CIS g $ J g ^ j ^ <[ If t ii M i CIS tn. 1060 so c k s 1433 S a Server 2234 Directplay 3128 IIS Proxy 3268 Global Catalog Sef 3389 Terminal Server 5000 MS Uni Plug and P~. 5357 Web Services for D ...v hi >
138 NBT Datagram... 54140 UOP Packet 60681 UOP Packet 67 DHCP 138 NBT Datagram... 138 NBT Datagram... 67 DHCP 138 NBT Datagram... 138 NBT Datagram... 67 DHCP
10/10/2012 1009:59 A._ 10/10/2012 1009:58 A.10/10/2012 10=09:58 A... 10/10/2012 1009:23 A... 10/10/2012 1(k09:13 A.10/10/2012 100804 A.10/10/2012 1(H)3.-03 A.10/10/2012 1002:54 a .10 / 1 0/2012 1002:16 a.-
0.000
0.000 0000 0.000 0000
0.000
0.000
< 1
1 Server Running Visitors: 1 1
FIGURE 10.29: kfsENSOR
Module 10 Page 1478
D oS/D D oS C ounterm easures: Mitigate A ttacks

1 ))(7(
C EH
Load Balancing
Throttling
P r o v id e r s c a n in c r e a s e t h e b a n d w id t h o n c r itic a l c o n n e c t io n s t o p r e v e n t t h e m fr o m g o in g d o w n in t h e e v e n t o f a n a t t a c k
T h is m e t h o d s e ts u p r o u t e r s t h a t a c c e s s a s e r v e r w it h lo g ic t o a d ju s t ( t h r o t t l e ) in c o m in g t r a f f ic to le v e ls t h a t w ill b e s a fe f o r t h e s e r v e r t o p ro c e s s
R e p lic a tin g s e r v e r s c a n p r o v id e a d d it io n a l f a ils a fe p r o t e c t io n T h is p r o c e s s c a n p r e v e n t f lo o d d a m a g e t o s e r v e r s B a la n c in g t h e lo a d t o e a c h s e r v e r in a m u ltip le - s e r v e r a r c h it e c t u r e c a n im p r o v e b o th n o r m a l p e r f o r m a n c e s a s w e l l a s m it ig a te t h e e ffe c ts o f a D D 0 S a t t a c k T h is p r o c e s s c a n b e e x t e n d e d t o t h r o t t l e D D 0 S a t t a c k in g t r a f f ic v e r s u s le g it im a t e u s e r t r a f f ic f o r b e t t e r r e s u lts
D o S / D D o S C o u n te rm e a s u re s : M itig a te A tta c k s There are two ways in which the DoS/DDoS attacks can be mitigated or stopped. They are: L o a d B a la n c in g Bandwidth providers can increase their bandwidth in case of a DD0 S attack to prevent their servers from going down. A replicated server model can also be used to minimize the risk. Replicated servers help in better load management and enhancing the network's performance. T h r o t t lin g
Min-max fair server-centric router throttles can be used to prevent the servers from going down. This method enables the routers in managing heavy incoming traffic so that the server can handle it. It can also be used to filter legitimate user traffic from fake DD0 S attack traffic. Though this method can be considered to be in the experimental stage, network operators are implementing similar techniques of throttling. The major limitation with this method is that it may trigger false alarms. Sometimes, it may allow malicious traffic to pass while dropping some legitimate traffic.
Module 10 Page 1479
Post-Attack Forensics
D D o S a tta ck tra ffic p a tte rn s can h elp th e n e tw o rk a d m in is tra to rs to d e ve lo p n e w filte r in g te c h n iq u e s fo r p re ve n tin g it fro m en terin g o r leaving th e ir n e tw o rk s
C EH
A n a lyz e router, fire w a ll, and ID S logs to id en tify th e s o u rc e o f th e D o S tra ffic. A lth o u g h atta cke rs g en era lly sp o o f th e ir s o u rc e a d d re ss e s, an IP tr a c e b ack w ith th e help o f in te r m e d ia ry IS P s a nd la w e n fo r c e m e n t a gencies m a y e n a b le to b o o k th e p e rp e tra to rs
T raffic p a tte r n a n a ly s is : D ata can b e a n a lyz ed post-attack - to look fo r specific ch ara cteristics w ith in th e a ttacking tra ffic
Using th e s e ch ara cte ristics, da ta can be used fo r u p datin g lo a d - b a la n cin g and th r o ttlin g
<
c o u n te rm e a s u re s
P o s t- A tta c k F o r e n s ic s L ' Sometimes by paying a lot of attention to the security of a computer or network,
malicious hackers manage to break in to the system. In such cases, one can utilize the postattack forensic method to get rid of DDoS attacks. T r a f f ic P a t t e r n A n a ly s is During a DDoS attack, the traffic pattern tool stores post-attack data that can be analyzed for the special characteristics of the attacking traffic. This data is helpful in updating load balancing and throttling countermeasures to enhance anti-attack measures. DDoS attack traffic patterns can also help network administrators to develop new filtering techniques that prevent DDoS attack traffic from entering or leaving their networks. Needless to say, analyzing DDoS traffic patterns can help network administrators to ensure that an attacker cannot use their servers as a DDoS platform to break into other sites. Analyze router, firewall, and IDS logs to identify the source of the DoS traffic. Although attackers generally spoof their source addresses, an IP traceback with the help of intermediary ISPs and law enforcement agencies may enable booking the perpetrators.
Module 10 Page 1480
R u n th e Z o m b ie Z a p p e r T o o l
When a company is unable to ensure the security of its servers and a DDoS attack begins, the network IDS (intrusion detection system) notices a high volume of traffic
that indicates a potential problem. In such a case, the targeted victim can run Zombie Zapper to stop the system from being flooded by packets. There are two versions of Zombie Zapper. One runs on UNIX, and the other runs on Windows systems. Currently, Zapper Tool acts as a defense mechanism against Trinoo, TFN, Shaft, and Stacheldraht.
Module 10 Page 1481
Techniques toDefend against B otnets

RFC 3704 Filtering
A n y traffic com ing fro m unused o r reserved IP addresses is bogus and should be filtered at th e IS P be fo re it en ters th e In tern et link
C EH
Black Hole Filtering

Black hole refers to n e tw o rk no des w h e re incom ing traffic is discarded o r dro p p e d w ith o u t inform ing th e source th a t th e da ta did not reach its in ten d ed recip ient Black hole filtering refers to discarding packets a t th e routing level
Cisco IPS Source IP Reputation Filtering

R ep u ta tio n services help in d eterm in in g if an IP o r service is a source o f th re a t o r not, Cisco IP S regularly u p d ates its d a ta b a se w ith kn ow n th re ats such as bo tnets, b o tn e t harvesters, m alw ares, etc. an d helps in filtering DoS traffic
T e c h n iq u e s to D e f e n d a g a in s t B o t n e t s There are four ways to defend against botnets: R F C 3704 F ilt e r in g RFC3704 is a basic ACL filter. The basic requirement of this filter is that packets should be sourced from valid, allocated address space, consistent with the topology and space allocation. A list of all unused or reserved IP addresses that cannot be seen under normal operations is usually called a "bogon list." If you are able to see any of the IP addresses from this list, then you should drop the packets coming from it considering it as a spoofed source
IP.
Also you should check with your ISP to determine whether they manage this kind of filtering in the cloud before the bogus traffic enters your Internet pipe. This bogon list changes frequently. B l a c k H o le F ilt e r in g
SL
Black hole filtering is a common technique to defend against botnets and thus to prevent DoS attacks. You can drop the undesirable traffic before it enters your protected network with a technique called Remotely Triggered Black Hole Filtering, i.e., RTBH. As this is a remotely triggered process, you need to conduct this filtering in conjunction with your ISP. With the help of BGP host routes, this technique routes the traffic heading to victim servers to a nullO next hop. Thus, you can avoid DoS attacks with the help of RTBH.
Module 10 Page 1482
y y
ao
D D o S P r e v e n t io n O ffe r in g s fr o m I S P o r D D o S S e r v ic e Most ISPs offer some form of in-the-cloud DDoS protection for your Internet links. The
idea is that the traffic will be cleaned by the Internet service provider before it reaches your Internet pipe. Typically, this is done in the cloud. Hence, your Internet links will be safe from being saturated by a DDoS attack. The in-the-cloud DDoS prevention service is also offered by some third parties. These third-party service providers usually direct the traffic intended to you to them, clean the traffic, and then send the cleaned traffic back to you. Thus, your Internet pipes will be safe from being overwhelmed. C is c o I P S S o u r c e I P R e p u t a t io n F ilt e r in g ------' Cisco Global Correlation, a new security capability of Cisco IPS 7.0, uses immense
security intelligence. The Cisco SensorBase Network contains all the information about known threats on the Internet, serial attackers, malware outbreaks, dark nets, and botnet harvesters. The Cisco IPS makes use of this network to filter out the attackers before they attack critical assets. In order to detect and prevent malicious activity even earlier, it incorporates the global threat data into its system.
Module 10 Page 1483
DoS/DDoS Countermeasures
1 .... 7
U se
cE H
(tkMjl NMhM
//
//
(.....................................
strong encryption mechanisms su ch r : :: . .
as W P A 2 , A E S 2 56 , e tc . fo r b ro a d b a n d n e tw o r k s t o w ith s ta n d
a g a in st e a v e s d ro p p in g
VI
//
up-to-date an d
F A
sca n th e m a c h in e s th o r o u g h ly t o
E n s u re t h a t th e s o ftw a r e and p ro to c o ls u se d a re d e t e c t fo r a n y
anomalous behavior
D is a b le
unused an d insecure services
Block all inbound packets o rig in a tin g
fro m th e s e r v ic e p o rts to b lo ck th e tr a ffic fro m r e f le c tio n s e r v e r s
C l 0
I /> '
Update kernel t o
t h e la te s t r e le a s e
// //
Im p le m e n t
) ...... / /
.................................................... IS P le v e l // I
P r e v e n t t h e tr a n s m is s io n o f t h e
fraudulently addressed packets a t

i
cognitive radios in
th e p h ys ica l la y e r t o h a n d le t h e ja m m in g an d s cra m b lin g kind o f a tta c k s
Copyright by E tC m n cj. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S C o u n te rm e a s u re s The strength of an organization's network security can be increased by putting the proper countermeasures in the right places. Many such countermeasures are available for D0 S/DD0S attacks. The following is the list of countermeasures to be applied against D0 S/DD0 S attacks: Efficient encryption mechanisms need to be proposed for each piece of broadband technology Improved routing protocols are desirable, particularly for the multi-hop W M N Disable unused and insecure services Block all inbound packets originating from the service ports to block the traffic from the reflection servers Update kernel to the latest release Prevent the transmission of the fraudulently addressed packets at the ISP level Implement cognitive radios in the physical layer to handle the jamming and scrambling kind of attacks
Module 10 Page 1484
DoS/DDoS Countermeasures
( C o n t d j C o n fig u re t h e f ir e w a ll t o d e n y e x te r n a l In te r n e t C o n tro l M e s s a g e P ro to c o l ( IC M P ) tr a ffic a cce ss P r e v e n t u se o f u n n e c e s s a r y fu n c tio n s su c h as g e ts , s tr c p y e tc . S e c u r e th e r e m o te
E H
a d m in is tr a tio n and c o n n e c tiv ity te s tin g
The network card is the gateway to the packets. Use a better network card to handle a large number of packets
W W W
P e r f o r m th e th o ro u g h in p u t v a lid a tio n
P r e v e n t th e re tu rn a d d re s s e s fro m b e in g o v e r w r it t e n
D a ta p ro c e s s e d b y th e a tta c k e r sh o u ld be s to p p e d fro m b e in g e x e c u te d
Copyright by E&Counci. All RightsReservecTReprodiiction is Strictly Prohibited.
>
D o S / D D o S C o u n t e r m e a s u r e s ( C o n t d )
The list of countermeasures against DoS/DDoS attack continuous as follows: Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access Prevent the use of unnecessary functions such as gets, strcpy, etc. Secure the remote administration and connectivity testing
Prevent the return addresses from being overwritten Data processed by the attacker should be stopped frombeing executed Perform the thorough input validation The network card is the gateway to the packets. Hence, handle a large number of packets use a better network card to
Module 10 Page 1485
D o S /D D o SP rotectionat IS PLevel
B Most ISPs simply blocks all the requests during a DDoS attack, denying legitimate traffic from accessing the
I ISPs offer in-the-cloud DDoS protection for Internet links so that they do not become saturated by the attack ri Attack traffic is redirected to the ISP during the attack to be filtered and sent back Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation
h ttp :// w w w . c e rt, org
----------Copyright by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S P r o t e c tio n a t th e I S P L e v e l Source: http://www.cert.org Most ISPs simply block all the requests during a DDoS attack, denying legitimate traffic from accessing the service. ISPs offer in-the-cloud DDoS protection for Internet links so that they do not become saturated by an attack. Attack traffic is redirected to the ISP during the attack to be filtered and sent back. Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation.
Module 10 Page 1486
Module 10 Page 1487
E nabling TC PIntercept o nC isco IO SS o ftw are

1 S To enable TCP intercept, use these commands in global configuration mode:
H [7 E
(*rtifxd | IU mjI NMhM
S te p a cce ss- list 1 tc p a n y
C o m m a n d
P u r p o s e D e fin e an IP ex tend ed acce ss list
a cce sslistn u m b e r {d e n y | p e r m it} destination destination-w ildcard a cce sslistn u m b e r
ip tc p In te r c e p t lis t
E n a b le TCP In te rc e p t
I TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
E n a b lin g T C P In t e r c e p t o n C is c o IO S
S o ftw a re
The TCP intercept can be enabled by executing the following commands in global configuration mode: Command
Step 1
Purpose Defines an IP extended access list. Enables TCP intercept.
access-list access-list-number {deny I permit} tcp any destination destination-wildcard ip tcp intercept list access-listnumber
Step2
An access list can be defined for three purposes: 1. To intercept all requests 2. To intercept only those coming from specific networks 3. To intercept only those destined for specific servers Typically the access list defines the source as any and the destination as specific networks or servers. As it is not important to know who to intercept packets from, do not filter on the source addresses. Rather, you identify the destination server or network to protect.
Module 10 Page 1488
TCP intercept can operate in two modes, i.e., active intercept mode and passive watch mode. The default is intercept mode. In intercept mode, the Cisco IOS Software intercepts all incoming connection requests (SYN), gives a response on behalf of the server with an ACK and SYN, and then waits for an ACK of the SYN from the client. When the ACK is received from the client, the software performs a three-way handshake with the server by setting the original SYN to the server. Once the three-way handshake is complete, the two-half connections are joined. The command to set the TCP intercept mode in global configuration mode: Command
ip tcp intercept mode {intercept watch} |
purpose Set the TCP intercept mode
Module 10 Page 1489
A dvanced D D o S Protection Appliances
C EH
C isco G u a rd XT 5650
h ttp :/ /w w w .c is c o .c o m
h ttp :/ /w w w .a rb o rn e tw o rk s.c o m Copyright by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
A d v a n c e d D D o S P r o t e c tio n A p p lia n c e s
f
F o r t i D D o S 3 0 0 A Source: http://www.fortinet.com
^ ^
The FortiDDoS 300A provides visibility into your Internet-facing network and can detect and block reconnaissance and DDoS attacks while leaving legitimate traffic untouched. It features automatic traffic profiling and rate limiting. Its continuous learning capability differentiates between gradual build-ups in legitimate traffic and attacks.
FIGURE 10.31: FortiDDoS-300A
Module 10 Page 1490
D D o S P ro te c to r Source: http://www.checkpoint.com DDoS Protector provides protection against network flood and application layer attacks by blocking the destructive DDOS attacks without causing any damage. It blocks the abnormal traffic without touching the legitimate traffic. It protects your network and web services by filtering the traffic before it reaches the firewall.
FIGURE 10.32: DDoS Protector
C is c o G u a r d X T 5650 Source: http://www.cisco.com The Cisco Guard XT is a DDoS Mitigation Appliance from Cisco Systems. It performs he detailed per-flow level attack analysis, identification, and mitigation services required to block attack traffic and prevent it from disrupting network operations.
FIGURE 10.33: Cisco Guard XT 5650
f e \
A r b o r P r a v a il: A v a ila b ilit y P r o t e c tio n S y s t e m Source: http://www.arbornetworks.com
Arbor Pravail allows you to detect and remove known and emerging threats such as DDOS attacks automatically before your vital services go down. It increases your internal network visibility and improves the efficiency of the network.
FIGURE 10.34: Availability Protection System
Module 10 Page 1491
Module Flow
CE H
Copyright by E&Cainci. All Rights Reserved. Reproduction Is Strictly Prohibited.
M o d u le F lo w In addition to the countermeasures discussed so far, you can also adopt D0 S/DD0 S tools to protect your network or network resources against D0 S/DD0 S attacks.
Dos/DDoS Concepts
d p g
Countermeasures
H T j
Botnets
/% *?
Dos/DDoS Case Study
This section lists and describes various tools that offer protection against D0 S/DD0 S attacks.
Module 10 Page 1492
D o S / D D o S P r o t e c t i o n T o o l: D G u a r d A n ti- D D o S F i r e w a l l
C EH
D -G uard A nti-D D oS F irew a ll p ro v id e s th e m o st reliab le and fa s te s t D D o S p ro tec tio n fo r o n lin e e n te r p r is e s , p u b lic an d m e d ia s e r v ic e s , e s s e n tia l in fr a s tr u c tu r e , an d In te r n e t s e r v ic e p ro v id e rs
... .
Mooitcf
F e a tu r e s : Protectio n against alm o st all kinds o f attacks Built-in intrusion prevention system TCP flo w control
i "
U*
ft

a
1
IP blacklist and w h ite list, A RP w h ite list, and M AC Binding
Copyright by EC-Cauncl. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S P r o t e c t io n T o o l: D G u a r d A n t i- D D o S F ir e w a ll Source: http://www.d-guard.com D-Guard Anti-DDoS Firewall provides DDoS protection. It offers protection against DoS/DDoS, Super DDoS, DrDoS, fragment attacks, SYN flooding attacks, IP flooding attacks, UDP, mutation UDP, random UDP flooding attacsk, ICMP, ICMP flood attacks, ARP spoofing attacks, etc. Features: Built-in intrusion prevention system Protection against SYN, TCP flooding, and other types of DDoS attacks
TCP flow control UDP/ICMP/IGMP packets rate management IP blacklist and whitelist Compact and comprehensive log file
Module 10 Page 1493
FIGURE 10.35: D-Guard Anti-DDoS Firewall
Module 10 Page 1494
DoS/DDoS ProtectionTools
[JJ 5
---- ^
C EH
NetFlow Analyzer
http://www.m anageengine.com
FortiDDoS
http:/ / ww w .fortine f. com
SDL Regex Fuzzer

h ttp://w w w .m icrosoft.com
DefensePro
h ttp ://w w w . r adware. com
WANGuard Sensor

PW h
DOSarrest
h ttp ://w w w . dos arres t. com
h ttp://w w w .andrisoft.com
NetScaler Application Firewall

h ttp ://w w w . citrix. com
Anti DDoS Guardian

h ttp ://w w w . beethink. com
FortGuard DDoS Firewall

h ttp ://w w w .fort guard, com
DDoSDefend
h ttp://ddos defend, com
D o S / D D o S P r o t e c t io n T o o ls In addition to D-Guard Anti-DDoS Firewall, there are many tools thatoffer protection
against DoS/DDoS attacks. A few tools that offer DoS/DDoS protection arelisted asfollows: NetFlow Analyzer available at http://www.manaeeengine.com SDL Regex Fuzzer available at http://www.microsoft.com WANGuard Sensor available at http://www.andrisoft.com NetScaler Application Firewall available at http://www.citrix.com FortGuard DDoS Firewall available at http://www.fortguard.com
IntruGuard available at http://www.intruguard.com DefensePro available at http://www.radware.com DOSarrest available at http://www.dosarrest.com Anti DDoS Guardian available at http://www.beethink.com
DDoSDefend available at http://ddosdefend.com
Module 10 Page 1495
Copyright by E&Caincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
IIL
-- -
M o d u le F lo w
------ The main objective of every ethical hacker or pen tester is to conduct penetration testing on the target network or system resources against every major and minor possible attack in order to evaluate their security. The penetration testing is considered as the security evaluation methodology. D0S/DD0 S penetration testing is one phase in the overall security evaluation methodology.
Dos/DDoS Concepts

0
Countermeasures
Botnets
Dos/DDoS Case Study
Module 10 Page 1496
This section describes DoS attack penetration testing and the steps involved in DoS attack penetration testing.
Module 10 Page 1497
Denial-of-Service (D o S ) Attack PenetrationTesting

DoS attack should be incorporated into Pen testing to find out if the netw ork server is susceptible to DoS attack
(rtifwtf
cE H
tUMJl Km Im
D
access by authentic users
IL
A vulnerable netw ork cannot handle a large amount of traffic sent to it and subsequently crashes or slows down, thus preventing
DoS Pen Testing determ ines minimum thresholds for DoS attacks on a system , but the tester cannot ensure that the system is resistant to DoS attacks
] ]
Th e main objective of DoS Pen testing is to flood a
rr
'
Ll_:---
v:
----- 1
target netw ork w ith traffic, similar to hundreds of people repeatedly requesting a service, to keep the server busy and unavailable
^ -
D e n i a l o fS e r v ic e (D o S ) A t t a c k P e n e t r a t io n T e s t in g In an attempt to secure your network, first you should try to find the security
weaknesses and try to fix them as these weaknesses provide a path for attackers to break into your network. The main aim of a DoS attack is to lower the performance of the target website or crash it in order to interrupt the business continuity. A DoS attack is performed by sending illegitimate SYN or ping requests that overwhelm the capacity of a network. Legitimate connection requests cannot be handled when this happens. Services running on the remote machines crash due to the specially crafted packets that are flooded over the network. In such cases, the network cannot differentiate between legitimate and illegitimate data traffic. Denial-of-service attacks are easy ways to bring down a server. The attacker does not need to have a great deal of knowledge to conduct them, making it essential to test for DoS vulnerabilities. As a pen tester, you need to simulate the actions of the attacker to find the security loopholes. You need to check whether your system withstands DoS attacks (behaves normally) or it gets crashed. To check this, you need to follow a series of steps designed for DoS penetration test.
Module 10 Page 1498
Denial-of-Service (D o S ) Attack PenetrationTesting(c o n t d )

START U ,
Test the web server using automated tools such as W ebserver Stress Tool, W eb Stress Tester, and JM eterfo r load capacity, server-side performance, locks, and other scalability issues Scan the network using automated tools such as Nmap, GFI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks Flood the target with connection request packets using tools such as DoS HTTP, Sprut, and PHP DoS Use a port flooding attack to flood the port and C h e ck fo r D o S v u ln e r a b le s y s te m s
f
Flood the website
fo rm s a n d g u e s tb o o k w it h bogus e n tr ie s
increase the CPU usage by maintaining all the connection requests on the ports under blockade. Use tools Mutilate and PepsiS to automate a port flooding attack Use tools Mail Bomber and Advanced Mail Bomber to send a large number of emails to a target mail server Fill the forms with arbitrary and lengthy entries
R u n SY N a tta c k on th e s e r v e r
R u n p o rt flo o d in g a tta c k s on th e s e r v e r
R u n e m a il b o m b e r on t h e e m a il s e r v e r s
\ ' *
D e n ia lo fS e r v ic e (D o S ) A t t a c k P e n e t r a t io n T e s t in g (C o n t d )
The series of DoS penetration testing steps are listed and described as follows: Step 1: Define the objective The first step in any penetration testing is to define the objective of the testing. This helps you to plan and determine the actions to be taken in order to accomplish the goal of the test. Step 2: Test for heavy loads on the server Load testing is performed by putting an artificial load on a server or application to test its stability and performance. It involves the simulation of a real-time scenario. A web server can be tested for load capacity using the following tools: W ebserver Stress Tool: Webserver Stress Tool is the software for load and performance testing of web servers and web infrastructures. It helps you in performing load test. It allows you to test your entire website at the normal (expected) load. For load testing you simply enter the URLs, the number of users, and the time between clicks of your website traffic. This is a "real-world" test.
Module 10 Page 1499
W eb Stress Tester Source: http://www.servetrue.com W eb Stress Tester is a tool that allows you to test the performance and stability of any Webserver and proxy server with SSL/TLS-enabled.
JM e te r
Source: http://imeter.apache.org JM eter is an open-source web application load-testing tool developed by Apache. This tool is a Java application designed to load test functional behavior and measure performance. It was originally designed for testing web applications but has since expanded to other test functions. Step 3: Check for DoS vulnerable systems The penetration tester should check the system for a DoS attack vulnerability by scanning the network. The following tools can be used to scan networks for vulnerabilities: Nmap
Source: http://nmap.org Nmap is a tool that can be used to find the state of ports, the services running on those ports, the operating systems, and any firewalls and filters. Nmap can be run from the command line or as a GUI application. GFI LANguard
Source: http://www.gfi.com GFI LANguard is a security-auditing tool that identifies vulnerabilities and suggests fixes for network vulnerabilities. GFI encountered on the target system. Nessus LANguard scans the network, based on the IP address/range of IP addresses specified, and alerts users about the vulnerabilities
Source: http://www.nessus.org Nessus is a vulnerability and configuration assessment product. It features configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis. Step 4: Run a SYN attack on the server A penetration tester should try to run a SYN attack on the main server. This is accomplished by bombarding the target with connection request packets. The following tools can be used to run SYN attacks: DoS HTTP, Sprut, and PHP DoS. Step 5: Run port flooding attacks on the server Port flooding sends a large number of TCP or UDP packets to a particular port, creating a denial of service on that port. The main purpose of this attack is to make the ports unusable and
increase the CPU's usage to 100%. This attack can be carried out on both TCP and UPD ports. The following tools can be used to conduct a port-flooding attack: Mutilate: Mutilate is mainly used to determine which ports on the target are open. This tool mainly targets TCP/IP networks. The following command is used to execute Mutilate:
mutilate <target _ IP> <port>
Pepsi5: The Pepsi5 tool mainly targets UDP ports and sends a specifiable number and size of datagrams. This tool can run in the background and use a stealth option to mask the process name under which it runs.
Step 6: Run an email bomber on the email servers In this step, the penetration tester sends a large number of emails to test the target mail server. If the server is not protected or strong enough, it crashes. The tester uses various server tools that help send these bulk emails. The following tools are used to carry out this type of attack: Mail Bomber Source: http://www.getfreefile.com/bomber.html Mail Bomber is a server tool used to send bulk emails by using subscription-based mailing lists. It is capable of holding a number of separate mailing lists based on subscriptions, email messages, and SMTP servers for various recipients. Advanced Mail Bomber Source: http://www.softheap.com Advanced Mail Bomber is able to send personalized messages to a large number of subscribers on a website from predefined templates. The message delivery is very fast; it can handle up to 48 SMTP servers in 48 different threads. A mailing list contains boundless structured recipients, SMTP servers, messages, etc. This tool can also keep track of user feedback. Step 7: Flood the website forms and guestbook with bogus entries In this step, the penetration tester fills online forms with arbitrary and lengthy entries. If an attacker sends a large number of such bogus and lengthy entries, the data server may not be able to handle it and may crash. Step 8: Document all the findings In this step, the penetration tester should document all his or her test findings in the penetration testing report.
Module 10 Page 1501
Module Summary
D enial o f S e rv ic e (D o S ) is an a tta ck on a c o m p u te r o r n e tw o rk th a t p re ve n ts leg itim ate u se o f its reso u rc e s
CE H
A d istrib u ted denial-of-service (D D o S ) a tta ck is o n e in w h ich a m u ltitu d e o f th e co m p ro m ise d sy stem s a tta ck a single ta rg e t, th e re b y causing denial o f s e rv ic e fo r use rs o f th e ta rg e te d sy stem
In te r n e t R elay C h at (IR C ) is a sy ste m fo r ch attin g th a t in v o lv e s a set o f rules an d c o n v e n tio n s and c lie n t/se rv e r s o ftw a r e
V a rio u s a tta ck te c h n iq u e s a re used p e rfo rm a D o S a tta ck su ch as b a n d w id th a tta cks, s e rv ic e re q u e st flo o d s, SYN flo od in g attack, IC M P flo o d a tta ck , P eer- to -Peer a tta cks etc.
Bo ts a r e s o ftw a r e a p p lication s th a t run a u to m a te d tasks o v e r th e In te r n e t and p e rfo rm sim ple re p e titiv e tasks such as w e b sp id e rin g an d se a rch e n g in e indexing
D o S d e te ctio n te c h n iq u e s a re b ased on iden tifyin g an d discrim in a tin g th e illegitim ate tra ffic in cre as e an d flash e v e n ts fr o m leg itim ate packet tra ffic
D o S P e n Testing d e te rm in e s m in im u m th re sh o ld s fo r D o S a tta cks on a syste m , bu t th e te s te r ca n n o t e n s u re th a t th e sy ste m is re sista n t to D o S atta ck
M o d u le S u m m a r y Q Denial of service (DoS) is an attack on a computer or network that prevents
legitimate use of its resources. A distributed denial-of-service (DDoS) attack is one in which a multitude of the compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Q Internet Relay Chat (IRC) is a system for chatting that involves a set of rules and conventions and client/server software. Various attack techniques are used perform a DoS attack such as bandwidth attacks, service request floods, SYN flooding attacks, ICMP flood attacks, peer-to-peer attacks, etc. Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks such as web spidering and search engine indexing. Q DoS detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic. DoS pen testing determines minimum thresholds for DoS attack on a system, but the tester cannot ensure that the system is resistant to DoS attacks.
Module 10 Page 1502

CEHv8 Module 10 Denial of Service PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 10 Denial of Service PDF

Uploaded by

Copyright:

Available Formats

D e n ia l o f S e r v ic e

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Ethical H acking and C ounterm easures v8

Module 10 Page 1403

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

October 19, 2012

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

S ecurity N ew s HSBC is Latest Target in Cyber Attack Spree

Module 10 Page 1404

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

copyright2012 FOX News Network, LLC

By Adam Samson. http://www.foxbu5ines5.com/industries/2012/10/19/hsbc-is-latest-target-in-cvber-attackspree/#ixzz2D14739cA

Module 10 Page 1405

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

W hat is a Denial of Service Attack? W hat Are Distributed Denial of

D0 S/DD0 S Protection Tools Denial of Service (DoS) Attack

Module 10 Page 1406

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Copyright by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

* Dos/DDoS Attack Techniques * M p J Botnets

Dos/DDoS Protection Tools

Dos/DDoS Case Study

Dos/DDoS Penetration Testing

Module 10 Page 1407

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

W hat Is a Denial of Service Attack?

W hat is a D en ial of S ervice A ttack?

Module 10 Page 1408

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Attack Traffic Regular Traffic

Figure 10.1: Denial of Service Attack

Module 10 Page 1409

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

W hat Are Distributed Denial of Service Attacks?

Copyrights trf E t C M K l. AJ Rights Reserved. Re prod urtion is Striettf Piohbfted.

gjgg W hat Are D istrib u te d D en ial of S ervice A ttack s?

Module 10 Page 1410

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

How Distributed Denial of Service Attacks W ork

C om p rom isedPC s(Zom b ies)

Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.

How D istrib u te d D e n ia l of S ervice A ttack s W ork

Module 10 Page 1411

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Zombie systems are instructed

Compromised PCs (Zombies)

Module 10 Page 1412

Ethical Hacking and Countermeasures Denial of Service

Exam 312-50 Certified Ethical Hacker

Symptoms of a DoS Attack