CEHv10 Module 10 Denial-Of-Service

Module Objectives

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have become a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of TCP/IP model protocols or bugs in a specific OS.

This module starts with an overview of DoS and DDoS attacks. It provides an insight into different DoS/DDoS attack techniques. Later, it discusses botnets, DoS/DDoS attack tools, techniques to detect DoS/DDoS attacks, and DoS/DDoS countermeasures. The module ends with an overview of the penetration testing steps an ethical hacker should follow to perform a security assessment of the target.

At the end of this module, you will be able to perform the following:

* Describe the DoS/DDoS concepts
* Perform DoS/DDoS using various attack techniques
* Describe botnets
* Describe DoS/DDoS case studies
* Explain different DoS/DDoS attack tools
* Apply best practices to mitigate DoS/DDoS attacks
* Perform DoS/DDoS penetration testing

DoS/DDoS Concepts

For a better understanding of DoS/DDoS attacks, one must be familiar with their concepts beforehand. This section discusses what a DoS attack is, what a DDoS attack is, and how DDoS attacks work.

What is a Denial-of-Service Attack?

DoS is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users.
In a DoS attack, attackers flood a victim's system with non-legitimate service requests or traffic to overload its resources, bringing the system down and leading to unavailability of the victim's website, or at least significantly slowing the victim's system or network performance. The goal of a DoS attack is not to gain unauthorized access to a system or to corrupt data; it is to keep legitimate users from using the system. Following are examples of types of DoS attacks:

* Flooding the victim's system with more traffic than it can handle
* Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
* Crashing a Transmission Control Protocol (TCP)/Internet Protocol (IP) stack by sending corrupt packets
* Crashing a service by interacting with it in an unexpected way
* Hanging a system by causing it to go into an infinite loop

DoS attacks come in a variety of forms and target a variety of services. The attacks may cause the following:

* Consumption of scarce and nonrenewable resources
* Consumption of bandwidth, disk space, CPU time, or data structures
* Actual physical destruction or alteration of network components
* Destruction of programming and files in a computer system

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large number of connection requests, consuming all available resources of the OS so that the computer cannot process legitimate users' requests.

Imagine a pizza delivery company, which does much of its business over the phone. If an attacker wanted to disrupt this business, he could figure out a way to tie up the company's phone lines, making it impossible for the company to do business.
That is how a DoS attack works: the attacker uses up all the ways to connect to the system, making legitimate business impossible. DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Failure might mean the loss of a service such as email. In a worst-case scenario, a DoS attack can mean the accidental destruction of the files and programs of millions of people who happen to be surfing the Web at the time of the attack.

What is a Distributed Denial-of-Service Attack?

Source: http://searchsecurity.techtarget.com

A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the Internet.

As defined by the World Wide Web Security FAQ: "A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.

The services under attack are those of the "primary victim," whereas the compromised systems used to launch the attack are the "secondary victims." The use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack while making it more difficult to track down the original attacker.
The primary objective of any DDoS attacker is to first gain administrative access on as many systems as possible. In general, attackers use customized attack scripts to identify potentially vulnerable systems. Once the attacker gains access to the target systems, he or she will upload DDoS software and run it on these systems, but not until the time chosen to launch the attack. DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required while executing them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless. The impact of DDoS includes loss of goodwill, disabled networks, financial loss, and disabled organizations.

How Distributed Denial-of-Service Attacks Work

In a DDoS attack, many applications pound the target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.

The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim. The reflector systems see these requests as coming from the victim's machine instead of the zombie agents, due to spoofing of the source IP address. Hence, they send the requested information (the response to the connection request) to the victim. The victim's machine is flooded with unsolicited responses from several reflector computers at once. This either may reduce the performance of the victim's machine or may cause it to shut down completely.

DoS/DDoS Attack Techniques

Attackers implement various techniques to launch DoS/DDoS attacks on target computers or networks.
This section deals with the basic categories of DoS/DDoS attack vectors and various attack techniques.

Basic Categories of DoS/DDoS Attack Vectors

DoS attacks mainly aim at the network bandwidth or at the exhaustion of network, application, or service resources, thereby restricting legitimate users from accessing their system or network resources. In general, following are the categories of DoS/DDoS attack vectors:

* Volumetric Attacks

  These attacks exhaust the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet, and result in traffic blockage preventing access to legitimate users. The magnitude of the attack is measured in bits per second (bps).

  Volumetric DDoS attacks generally target protocols that are stateless and do not have built-in congestion avoidance. Generation of a large number of packets can cause the consumption of all the bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, overwhelming network equipment such as switches and routers with a significant statistical change in the network traffic. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed to the victim, which makes it a DDoS attack.
  There are two types of bandwidth depletion attacks:

  o A flood attack involves zombies sending large volumes of traffic to victims' systems in order to clog these systems' bandwidth.
  o An amplification attack engages the attacker or zombies to transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the victim system's bandwidth.

  Attackers use botnets and perform DDoS attacks by flooding the network. All bandwidth is used, and no bandwidth remains for legitimate use. Following are some of the volumetric attack techniques:

  o User Datagram Protocol (UDP) flood attack
  o Internet Control Message Protocol (ICMP) flood attack
  o Ping of Death attack
  o Smurf attack
  o Malformed IP packet flood attack
  o Spoofed IP packet flood attack

* Protocol Attacks

  Apart from volumetric attacks, which consume bandwidth, attackers can also prevent access to a target by consuming other types of resources, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers, and no new connections will be allowed since the device will be waiting for existing connections to close or expire. The magnitude of the attack is measured in packets per second (pps) or connections per second (cps).
  These attacks can even take over the state of millions of connections maintained by high-capacity devices. Following are some of the protocol attack techniques:

  o SYN flood attack
  o ACK flood attack
  o TCP connection flood attack
  o TCP state exhaustion attack
  o Fragmentation attack
  o RST attack

* Application Layer Attacks

  The attacker tries to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks in order to be successful. In application DDoS attacks, the application layer or application resources will be consumed by opening up connections and then leaving them open until no new connections can be made. These attacks destroy a specific aspect of an application or service and are effective with one or a few attacking machines producing a low traffic rate (very hard to detect and mitigate). The magnitude of the attack is measured in requests per second (rps).

  Application-level flood attacks result in the loss of services of a particular network, such as email, network resources, the temporary ceasing of applications and services, and so on. Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests. Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either brings down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Sometimes, attackers are also able to execute arbitrary code on the remote system via a buffer overflow vulnerability.
  Sending too much data to the application overwrites the data that controls the program, and runs the hacker's code instead. Using application-level flood attacks, attackers attempt to:

  o Flood web applications, thereby preventing legitimate user traffic
  o Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts
  o Jam the application database connection by crafting malicious SQL queries

  Application-level flood attacks can result in substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because the connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, he or she can stop it and trace it back to a specific source more easily than other types of DDoS attacks. Following are some of the application layer attack techniques:

  o HTTP flood attack
  o Slowloris attack

DoS/DDoS Attack Techniques

Following are some of the DoS/DDoS attack techniques:

* UDP flood attack
* ICMP flood attack
* Ping of Death attack
* Smurf attack
* SYN flood attack
* Fragmentation attack
* HTTP GET/POST attack
* Slowloris attack
* Multi-Vector attack
* Peer-to-Peer attack
* Permanent Denial-of-Service attack
* Distributed Reflection Denial-of-Service (DRDoS) attack

UDP Flood Attack

In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server, using a large source IP range. The flood of UDP packets causes the server to check repeatedly for nonexistent applications at the ports. Legitimate applications are inaccessible by the system, and it gives an error reply with an ICMP "Destination Unreachable" packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.
ICMP Flood Attack

Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging of undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.

To protect against an ICMP flood attack, set a threshold limit that, when exceeded, invokes the ICMP flood attack protection feature. When the ICMP threshold is exceeded (by default the threshold value is 1000 packets/second), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well.

Ping of Death and Smurf Attack

Ping of Death Attack

In a Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. For instance, the attacker sends a packet that has a size of 65,538 bytes to the target web server. This size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process by the receiving system might cause the system to crash. In this type of attack, the attacker's identity could be easily spoofed, and the attacker might not need detailed knowledge of the target machine he/she was attacking, except its IP address.
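As an added example (not code from the CEH module), the following Python implements the two ICMP-side defences described on this page: the per-second echo-request threshold with its "remainder of this second and the next second" lockout, and a bounded IPv4 fragment reassembler that rejects a Ping of Death datagram (reassembled length over the 65,535-byte RFC 791 limit) and caps the memory spent on partial datagrams, which is also the resource that the fragmentation attack covered later in this module consumes. The class names, the 20-byte header assumption (IPv4 without options), and all timestamps, addresses and payloads are assumptions made for this example.

```python
"""ICMP echo-request ingress guard (added example; not code from the CEH module).

1. EchoRateLimiter: once more than `threshold` echo requests arrive in one
   second, further requests are rejected for the rest of that second and the
   whole of the next second (the policy described in the text).
2. FragmentReassembler: refuses any datagram whose reassembled total length
   would exceed 65,535 bytes (Ping of Death) and bounds the number of partial
   datagrams and bytes held (fragmentation floods).
All sample values used with these classes are constructed test data."""

MAX_IP_TOTAL_LENGTH = 65535   # 16-bit IPv4 total-length field (RFC 791)
IP_HEADER_LENGTH = 20         # assumption: minimal IPv4 header without options


class EchoRateLimiter:
    """Per-second counter implementing the threshold policy from the text."""

    def __init__(self, threshold=1000):
        self.threshold = threshold
        self.current_second = None
        self.count = 0
        self.blocked_through = -1   # last whole second in which requests are rejected

    def allow(self, ts):
        """Return True if an echo request arriving at time ts may be answered."""
        sec = int(ts)
        if sec != self.current_second:
            self.current_second, self.count = sec, 0
        if sec <= self.blocked_through:
            return False
        self.count += 1
        if self.count > self.threshold:
            self.blocked_through = sec + 1   # rest of this second and the next one
            return False
        return True


class FragmentReassembler:
    """IPv4 fragment reassembly with an oversize check and resource limits."""

    def __init__(self, max_buffers=64, max_bytes=1_000_000):
        self.max_buffers = max_buffers
        self.max_bytes = max_bytes
        self.bytes_in_use = 0
        self.buffers = {}     # (src, ident) -> {"frags": {start: payload}, "end": None}
        self.completed = []   # (src, ident, reassembled payload)

    def _drop(self, key):
        buf = self.buffers.pop(key, None)
        if buf is not None:
            self.bytes_in_use -= sum(len(p) for p in buf["frags"].values())

    def add(self, src, ident, offset_units, more_fragments, payload):
        """Consume one fragment; returns a status string."""
        start = offset_units * 8          # the offset field counts 8-byte units
        end = start + len(payload)
        key = (src, ident)
        if IP_HEADER_LENGTH + end > MAX_IP_TOTAL_LENGTH:
            self._drop(key)               # Ping of Death: would exceed 65,535 bytes
            return "rejected_oversize"
        if more_fragments and len(payload) % 8:
            return "rejected_malformed"   # non-final fragments are 8-byte multiples
        if self.bytes_in_use + len(payload) > self.max_bytes:
            self._drop(key)               # memory budget exhausted: shed this datagram
            return "rejected_resource_limit"
        buf = self.buffers.get(key)
        if buf is None:
            if len(self.buffers) >= self.max_buffers:
                return "rejected_resource_limit"   # too many partial datagrams held
            buf = self.buffers[key] = {"frags": {}, "end": None}
        if start not in buf["frags"]:
            buf["frags"][start] = payload
            self.bytes_in_use += len(payload)
        if not more_fragments:
            buf["end"] = end
        if buf["end"] is None:
            return "pending"
        data, position = b"", 0           # complete only when [0, end) has no gaps
        for frag_start in sorted(buf["frags"]):
            if frag_start != position:
                return "pending"
            data += buf["frags"][frag_start]
            position += len(buf["frags"][frag_start])
        if position != buf["end"]:
            return "pending"
        self._drop(key)
        self.completed.append((src, ident, data))
        return "complete"


if __name__ == "__main__":
    limiter = EchoRateLimiter(threshold=1000)
    answered = sum(limiter.allow(10 + i / 1500) for i in range(1500))
    print("echo requests answered in a 1500-packet second:", answered)
    reassembler = FragmentReassembler()
    print("Ping of Death fragment:", reassembler.add("198.51.100.6", 2, 8189, False, b"C" * 6))
```

The oversize check uses the fragment offset and length alone, so a 65,538-byte datagram is refused on the first fragment that would push the total past the limit, before any memory is committed; the buffer caps turn a fragment flood from a crash into dropped datagrams for the offending sources.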
Smurf Attack

In a Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses will be sent to the victim's machine, since the IP address is spoofed by the attacker. This causes significant traffic to the actual victim's machine, ultimately leading the machine to crash.

SYN Flood Attack

In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources.

Normally, when a client wants to begin a TCP connection to a server, the client and the server exchange a series of messages, as follows:

* A TCP SYN (synchronize) request is sent to the server.
* The server sends back a SYN/ACK (acknowledgement) in response to the request.
* The client sends a response ACK to the server to complete the session setup.

This method is the "three-way handshake." In a SYN attack, the attacker exploits the three-way handshake. First, the attacker sends a fake TCP SYN request to the target server, and when the server sends back a SYN/ACK in response to the client's (attacker's) request, the client never sends an ACK response. This leaves the server waiting to complete the connection.

SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system.
The process of transmitting such packets is faster than the system can handle. Normally, the connection is established with the TCP three-way handshake. The host keeps track of the partially open connections, while waiting for the response ACK packets, in a listening queue.

As shown in the above slide, when Host B receives the SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds.

A malicious host can exploit the host managing many partial connections by sending many SYN requests to the host at once. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue (due to handshake timeout). This ability to hold up each incomplete connection for 75 seconds can be cumulatively used in a DoS attack. This attack uses fake IP addresses, so it is difficult to trace the source. An attacker can fill the table of connections even without spoofing the source IP address.

Countermeasures

Proper packet filtering is a viable solution. An administrator can also modify the TCP/IP stack. Tuning the TCP/IP stack will help reduce the impact of SYN attacks while allowing legitimate client traffic through.

Some SYN attacks do not attempt to upset servers but instead try to consume all the bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect. To guard against an attacker trying to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures, for example, decreasing the time-out period for keeping a pending connection in the "SYN RECEIVED" state in the queue. Normally, if a client sends no response ACK, a server will retransmit its first ACK (SYN/ACK) packet. Decreasing the time before the first packet's retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely can erase this vulnerability.
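The listen-queue symptom described above can be watched for in flow or packet logs. The following Python is an added example (not code from the CEH module): it counts half-open connections per remote source, which is what a SYN flood leaves behind, and it also flags SYN/ACKs that answer no SYN our hosts ever sent, which is what the spoofed target of a reflection (DRDoS) attack, covered later in this module, receives from the reflectors. The log line format, the addresses, and the threshold are assumptions made for this example.

```python
"""Half-open connection and SYN/ACK backscatter detector (added example; not
code from the CEH module). Reads constructed flow-log lines of the form
    <timestamp> <src>:<sport> > <dst>:<dport> <flags>
where flags are TCP flag letters (S=SYN, A=ACK, SA=SYN/ACK, R=RST, ...)."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+):(\d+) > (\S+):(\d+) ([SAFRP]+)$")


def parse_line(line):
    """Parse one flow-log line into a dict, or return None for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def analyze(lines, our_hosts, threshold=3):
    """Track handshakes toward our_hosts; report half-open counts and offenders."""
    syn_sent = set()                  # 4-tuples of SYNs our hosts originated
    half_open = {}                    # inbound 4-tuple -> remote source awaiting final ACK
    unsolicited_synack = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":
            if p["src"] in our_hosts:
                syn_sent.add(key)                       # outbound: a SYN/ACK is expected
            elif p["dst"] in our_hosts:
                half_open[key] = p["src"]               # inbound: listen-queue entry
        elif p["flags"] == "SA":
            if p["dst"] in our_hosts and reverse not in syn_sent:
                unsolicited_synack[p["src"]] += 1       # backscatter from a reflector
        elif "A" in p["flags"] and p["src"] not in our_hosts:
            half_open.pop(key, None)                    # third handshake step arrived
    per_source = defaultdict(int)
    for src in half_open.values():
        per_source[src] += 1
    return {
        "half_open_by_source": dict(per_source),
        "syn_flood_sources": sorted(s for s, n in per_source.items() if n >= threshold),
        "reflectors": sorted(r for r, n in unsolicited_synack.items() if n >= threshold),
    }


# Constructed sample log: one completed handshake, one source leaving four
# connections half-open, one legitimate outbound connection, and SYN/ACK
# backscatter from a reflector that was sent SYNs carrying our spoofed address.
SAMPLE_LOG = [
    "1.00 203.0.113.7:40001 > 192.0.2.10:80 S",
    "1.01 192.0.2.10:80 > 203.0.113.7:40001 SA",
    "1.02 203.0.113.7:40001 > 192.0.2.10:80 A",
    "2.00 198.51.100.9:1001 > 192.0.2.10:80 S",
    "2.00 198.51.100.9:1002 > 192.0.2.10:80 S",
    "2.00 198.51.100.9:1003 > 192.0.2.10:80 S",
    "2.00 198.51.100.9:1004 > 192.0.2.10:80 S",
    "3.00 192.0.2.10:52000 > 203.0.113.50:443 S",
    "3.01 203.0.113.50:443 > 192.0.2.10:52000 SA",
    "3.02 192.0.2.10:52000 > 203.0.113.50:443 A",
    "4.00 198.51.100.20:80 > 192.0.2.10:7000 SA",
    "4.00 198.51.100.20:80 > 192.0.2.10:7001 SA",
    "4.00 198.51.100.20:80 > 192.0.2.10:7002 SA",
    "4.00 198.51.100.21:80 > 192.0.2.10:7003 SA",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, our_hosts={"192.0.2.10"}))
```

On the sample log the analysis reports 198.51.100.9 holding four half-open connections and 198.51.100.20 as a reflector, while the completed handshake from 203.0.113.7 and the solicited SYN/ACK from 203.0.113.50 are ignored. With spoofed sources the per-source count is spread across many addresses, so in practice the total half-open count against the listen queue size is the more useful alarm, and the reflector list is what tells a DRDoS target whom to contact.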
Fragmentation Attack

These attacks destroy a victim's ability to reassemble fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. In fragmentation attacks, the attacker sends a large number of fragmented (1500+ byte) packets to a target web server at a relatively small packet rate. Since the protocol allows fragmentation, these packets usually pass uninspected through network equipment such as routers, firewalls, and Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS). Reassembling and inspecting these large fragmented packets consumes excessive resources. Moreover, the content in the packet fragments will be randomized by the attacker, which makes the process consume even more resources, in turn leading the system to crash.

HTTP GET/POST Attack

HTTP attacks are layer 7 attacks. HTTP clients, such as web browsers, connect to a web server through the HTTP protocol to send HTTP requests. These requests can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks.

In an HTTP GET attack, the attacker uses time-delayed HTTP headers to hold on to the HTTP connection and exhaust web server resources. The attacker never sends the full request to the target server. As a result, the server holds on to the HTTP connection and keeps waiting, making the server unavailable to legitimate users. In these types of attacks, all the network parameters will look good, but the service will be down.

In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application.
Since the message body is incomplete, the server keeps waiting for the rest of the body, thereby making the web server or web application unavailable to legitimate users. This is a sophisticated layer 7 attack, which does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than other attacks to bring down the targeted site or web server.

The aim of this attack is to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server's resources.

Slowloris Attack

Slowloris is a DDoS attack tool. It is used to perform layer 7 DDoS attacks to take down web infrastructure. It is distinctly different from other tools in that it uses perfectly legitimate HTTP traffic to take down a target server. In a Slowloris attack, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and keeps waiting for the requests to complete. These requests will never complete, and as a result, the target server's maximum concurrent connection pool will be filled up and additional connection attempts will be denied.

Multi-Vector Attack

In multi-vector DDoS attacks, the attackers use combinations of volumetric, protocol, and application-layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another one (Layer 7), and so on.
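The server-side counterpart to the slow HTTP GET/POST and Slowloris behaviour described above is to bound the connection pool and put deadlines on receiving a complete request. The following Python is an added example, not code from the CEH module or from the Slowloris tool; the class name, the 3-slot pool, the 10-second deadlines, and the byte streams in the scenario are assumptions. It runs the same constructed scenario twice, first with effectively no deadlines and then with 10-second ones, so the pool can be seen filling up with stalled requests and then being freed for a legitimate client.

```python
"""Slow-request guard for an HTTP server (added example; not code from the CEH
module or the Slowloris tool). Models a bounded connection pool, a deadline for
the complete request header measured from connection open (so dribbling one
header line every few seconds cannot keep a slot alive), and a deadline for a
Content-Length body. All timestamps and request bytes below are constructed."""
import re

CONTENT_LENGTH_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$")


class SlowRequestGuard:
    def __init__(self, max_conns=3, header_timeout=10.0, body_timeout=10.0):
        self.max_conns = max_conns
        self.header_timeout = header_timeout
        self.body_timeout = body_timeout
        self.conns = {}        # conn_id -> per-connection request state
        self.completed = 0     # fully received requests
        self.rejected = 0      # connections refused because the pool was full
        self.reaped = []       # connections closed for stalling

    def reap(self, now):
        """Close every connection that missed its header or body deadline."""
        for cid, st in list(self.conns.items()):
            if st["headers_done"] is None:
                stalled = now - st["opened"] > self.header_timeout
            else:
                stalled = now - st["headers_done"] > self.body_timeout
            if stalled:
                del self.conns[cid]
                self.reaped.append(cid)

    def open(self, cid, now):
        """Accept a new connection if a pool slot is free; returns True on accept."""
        self.reap(now)
        if len(self.conns) >= self.max_conns:
            self.rejected += 1
            return False
        self.conns[cid] = {"buf": b"", "opened": now, "headers_done": None, "body_len": 0}
        return True

    def data(self, cid, now, chunk):
        """Feed received bytes; returns 'complete', 'pending' or 'closed'."""
        self.reap(now)
        st = self.conns.get(cid)
        if st is None:
            return "closed"
        st["buf"] += chunk
        if st["headers_done"] is None and b"\r\n\r\n" in st["buf"]:
            head, _, rest = st["buf"].partition(b"\r\n\r\n")
            m = CONTENT_LENGTH_RE.search(head)
            st["body_len"] = int(m.group(1)) if m else 0
            st["headers_done"] = now
            st["buf"] = rest
        if st["headers_done"] is not None and len(st["buf"]) >= st["body_len"]:
            del self.conns[cid]
            self.completed += 1
            return "complete"
        return "pending"


def run_scenario(header_timeout, body_timeout):
    """Three slow clients fill a 3-slot pool; a legitimate client arrives at t=12."""
    g = SlowRequestGuard(max_conns=3, header_timeout=header_timeout, body_timeout=body_timeout)
    for cid in ("slow1", "slow2"):                  # Slowloris-style partial headers
        g.open(cid, 0.0)
        g.data(cid, 0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    g.open("slow3", 0.0)                            # POST whose body never fully arrives
    g.data("slow3", 0.0, b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                         b"Content-Length: 1000\r\n\r\n" + b"x" * 10)
    for cid in ("slow1", "slow2"):                  # one more header line at t=5
        g.data(cid, 5.0, b"X-a: b\r\n")
    if g.open("legit", 12.0):
        g.data("legit", 12.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return {"completed": g.completed, "rejected": g.rejected, "reaped": len(g.reaped)}


if __name__ == "__main__":
    print("no deadlines  :", run_scenario(header_timeout=60, body_timeout=60))
    print("10 s deadlines:", run_scenario(header_timeout=10, body_timeout=10))
```

Without deadlines the three stalled connections hold every slot and the legitimate client is refused; with 10-second deadlines all three are reaped when the legitimate client opens at t=12 and its request completes. The header deadline is anchored to the connection's open time rather than to its last byte because the periodic header lines at t=5 would otherwise reset an idle timer indefinitely.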
Multi-vector attacks are launched either one vector at a time or in parallel, in order to confuse a company's IT department and make them spend all their resources as well as divert their focus to the wrong side.

Peer-to-Peer Attack

A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack does not use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for the attacker to communicate with the clients it subverts. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead to connect to the victim's website. With this, several thousand computers may aggressively try to connect to a target website, which causes a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. Using this method, attackers launch massive DoS attacks and compromise websites. You can minimize peer-to-peer DDoS attacks by specifying ports for peer-to-peer communication. For example, specifying that port 80 is not to allow peer-to-peer communication minimizes the possibility of attacks on websites.

Permanent Denial-of-Service Attack

Permanent DoS (PDoS) attacks, also known as phlashing, purely target hardware, causing irreversible damage to the hardware.
Unlike other DoS attacks, it sabotages the system's hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device, thereby allowing remote administration on the management interfaces of the victim's hardware, such as printers, routers, or other networking devices.

This attack is quicker and more destructive than traditional DoS attacks. It works with a limited number of resources, unlike a DDoS attack, in which attackers enforce a set of zombies onto a target. Attackers perform this attack using a method known as "bricking a system." In this method, the attacker sends emails, IRC chats, tweets, and posts videos with fraudulent content for hardware updates to the victim, by modifying and corrupting the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, the victim installs it on his/her system. Thus, the attacker gets complete control over the victim's system.

Distributed Reflection Denial-of-Service (DRDoS)

A distributed reflection denial-of-service attack (DRDoS), also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application. The DRDoS attack exploits the TCP three-way handshake vulnerability. This attack involves the attacker machine, intermediary victims (zombies), secondary victims (reflectors), and the target machine. The attacker launches this attack by sending requests to the intermediary hosts, which in turn reflect the attack traffic to the target.
The process involved in a DRDoS attack is as follows: First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target's IP address as the source IP address to other non-compromised machines (secondary victims or reflectors) to exhort them to establish a connection with the primary target. As a result, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it, as they believe it was the host that requested it. The primary target discards the SYN/ACK packets received from the reflectors, as it did not send the actual SYN packet. The reflectors keep waiting for the acknowledgement (ACK) response from the primary target. Assuming that the packet lost its path, these bunches of reflector machines resend SYN/ACK packets to the primary target in an attempt to establish the connection, until a time-out occurs. This way, a heavy volume of traffic is flooded onto the target machine from the available reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine.

A DRDoS attack is an intelligent attack, as it is very difficult or even impossible to trace the attacker. The secondary victim (reflector) seems to directly attack the primary target, but it is not the actual attacker. This attack is more effective than a typical DDoS attack, as multiple intermediary and secondary victims generate huge attack bandwidth.

Countermeasures
o Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method
o Download the latest updates and patches for servers

Botnets

The term "bot" is a contraction of the term "robot." Attackers use bots to infect a large number of computers that form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime.

This section deals with organized cyber-crime syndicates; organizational charts, botnets, and their propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and propagation of malicious code.

Organized Cyber Crime: Organizational Chart

Organized Crime Syndicates

Previously, cyber criminals used to work independently, but now they tend to operate in organized groups. They are increasingly associated with organized crime syndicates to take advantage of their sophisticated techniques to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue sharing model, which is a kind of major corporation that offers criminal services. Organized groups create and rent botnets and offer various services, from writing malware to hacking bank accounts and to creating massive DoS attacks against any target for a price.

Example: An organized crime syndicate might perform a DDoS attack against a bank to divert the bank's security team while they clean out bank accounts with stolen account credentials.

According to the Corero DDoS Trends Report Q4 2016-Q1 2017, total attacks in Q1 2017 increased 9% compared to Q4 2016.
The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (the boss) acts as a business entrepreneur and does not commit any crimes directly. Just below the boss is the "underboss," who sets up the command and control server and the crimeware toolkit database, manages the implementation of attacks, and provides the Trojans. Beneath the underboss are various "campaign managers" with their own affiliate networks for implementing attacks and stealing data. Finally, resellers sell the stolen data.

Botnets

Bots are software applications that run automated tasks over the Internet. They are used for benign data collection or data mining, such as web spidering, but attackers also use them to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. Some IRC bots are Eggdrop, Winbot, Supybot, Infobot, and EnergyMech.

A botnet (from "roBOT NETwork") is thus a group of computers "infected" by bots; botnets can be used for both positive and negative purposes. As a hacking tool, a botnet can be composed of a huge network of compromised systems. A relatively small botnet of only 1,000 bots has a combined bandwidth larger than the Internet connection of most corporate systems. The advent of botnets led to an enormous increase in cybercrime.
Botnets form the core of cybercriminal activity, linking and uniting the various parts of the cybercriminal world. Cybercriminal service suppliers are part of the cybercrime network; they offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing. Malicious code is the primary tool criminal gangs use to commit cybercrime. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers over networks. Developers offer malware services on public sites or closed Internet resources.

Bots are agents that an intruder can send to a system to perform illegal activity. They are hidden programs that can also identify system vulnerabilities; attackers use botnets to perform the tedious work of probing systems for known vulnerabilities. Attackers can use botnets to perform the following tasks:

DDoS attacks: Botnets can generate DDoS attacks that eat up the bandwidth of the victims' networks. Botnets can also overload a system, wasting valuable host resources and destroying network connectivity.

Spamming: Attackers use SOCKS proxies on bots for spamming. They harvest email addresses from web pages or other sources.

Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another; in other words, botnets can rob one another.

Keylogging: Keylogging captures sensitive information such as system passwords. Attackers use keylogging to harvest PayPal account login information.

Spreading new malware: Botnets can be used to spread new bots.
Installing advertisement add-ons: Botnets can perpetrate "click fraud" by automating clicks.

Google AdSense abuse: AdSense publishers are paid to show Google ads on their websites. A botnet can automate clicks on such ads, inflating the click count and the resulting payout.

Attacking IRC chat networks: Also called clone attacks, these are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within the IRC network, which can flood the network.

Manipulating online polls and games: Every bot has its own IP address, so a botnet can cast many apparently independent votes and manipulate online polls and games.

Mass identity theft: Botnets can produce a large number of emails pretending to come from a reputable site such as eBay. This technique allows attackers to steal information for identity theft.

The module's figure (not reproduced here) illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot Command and Control (C&C) center, infects and compromises a first machine (bot), and then uses that bot to infect and compromise other vulnerable systems in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and wait for instructions. The attacker sends malicious commands to the bots through the C&C center, and finally, as instructed, the bots launch a DoS attack on the target server, making its services unavailable to legitimate users.
Scanning Methods for Finding Vulnerable Machines

Discussed below are the scanning methods an attacker uses to find vulnerable machines in a network.

Random Scanning: In this technique, the infected machine (an attacker's machine or a zombie) probes IP addresses randomly from the target network's IP range and checks them for vulnerability. On finding a vulnerable machine, it breaks in and infects it by installing the same malicious code it carries. This technique generates significant traffic, because many compromised machines probe and re-probe the same IP addresses. Propagation is quick in the initial stage but slows later, as the number of uninfected addresses still available diminishes over time.

Hitlist Scanning: Through prior scanning, an attacker first collects a list of potentially vulnerable machines and then uses it to build a zombie army. The attacker scans down the list to find a vulnerable machine; on finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, and the other half is given to the newly compromised machine, which scans its list for vulnerable machines and repeats the process. This goes on simultaneously from an ever-increasing number of compromised machines.
This technique ensures installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.

Topological Scanning: This technique uses information found on the infected machine to locate new vulnerable machines. An infected host checks its own disk for URLs and addresses of other hosts, shortlists them as targets, and checks their vulnerability. This technique yields accurate results, and its performance is similar to hitlist scanning.

Local Subnet Scanning: The infected machine looks for new vulnerable machines in its local network, behind the firewall, using the information available about local addresses. Attackers use this technique in combination with other scanning mechanisms.

Permutation Scanning: In this technique, all infected machines share a common pseudorandom permutation of the IP address space, generated with a 32-bit block cipher and a preselected key. A host infected during hitlist or local subnet scanning begins scanning just after its own position in the permutation and works through the list to identify new targets. A host infected during permutation scanning starts at a random point. If it encounters an already infected machine, it chooses a new random start point in the permutation and proceeds from there. Scanning stops when the compromised host encounters a predefined number of already infected machines in sequence without finding new targets; a new permutation key then initiates a new scanning phase. The advantages are:
* Reinfection of the same target is avoided.
* New targets are scanned at random, ensuring high scanning speed.

How Malicious Code Propagates
Discussed below are the three techniques an attacker uses to propagate malicious code and build attack networks.

Central Source Propagation: The attacker places the attack toolkit on a central source, and a copy of the toolkit is transferred to each newly discovered vulnerable system. Once the attacker finds a vulnerable machine, he or she instructs the central source to transfer a copy of the attack toolkit to the newly compromised machine, where a scripting mechanism installs the tools automatically. This initiates a new attack cycle, in which the newly infected machine looks for other vulnerable machines and repeats the process. In general, this technique uses the HTTP, FTP, and RPC protocols.

Back-chaining Propagation: The attacker places the attack toolkit on his or her own system, and a copy of the toolkit is transferred from there to each newly discovered vulnerable system. The attack tools installed on the attacking machine include methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners (which copy file contents) or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy.

Autonomous Propagation: Unlike the previous mechanisms, which fetch the attack toolkit from an external file source, here the attacking host itself transfers the attack toolkit to the newly discovered vulnerable system at the moment it breaks into that system.

DDoS Case Study

DDoS is a sophisticated and complex attack, based on DoS but launched from multiple distributed attack sources.
In a DDoS attack, a large number of compromised computers (zombies) are involved to interrupt or suspend network services. This section deals with a DDoS case study.

DDoS Attack

In a DDoS attack, attackers use a group of compromised systems (bots or zombies), usually infected with Trojans, to perform a DoS attack on a target system or network resource.

In the scenario shown in the module's figure, an anonymous hacker hosts the HOIC DDoS attack tool on a web server he or she owns, or on some other compromised web server. The hacker then advertises the HOIC tool on social networking sites and search engines such as Twitter, Facebook, and Google, providing a malicious download link in the ad. Users who want to take part in the DDoS attack download the HOIC tool by clicking the link; these users are termed "volunteers." All the volunteers connect via an IRC channel to the anonymous hacker and await instructions. The hacker instructs the volunteers to flood the target web server (e.g., PayPal, MasterCard, or PAYBACK) with multiple requests. On receiving their instructions, the volunteers act accordingly, overwhelming the target server so that it no longer responds to requests even from legitimate users.

Hackers Advertise Links to Download Botnet

Hackers advertise botnets on blogs, search engines, social networking sites, emails, and so on, providing download links for them. Hackers also use fake updates and security alerts to trick victims into downloading the malware.
The intention is to spread the botnet and increase the size of the attack network. This method of attack is very quick and effective.

Use of Mobile Devices as Botnets for Launching DDoS Attacks

Android devices are vulnerable to various malware such as Trojans, bots, and RATs, which are often found in third-party application stores. These unsecured Android devices are becoming primary targets for attackers looking to enlarge their botnets, since they are highly vulnerable to malware. Malicious Android applications found in app stores and drive-by downloads are just two examples of infection methods. The attacker binds a malicious APK to a legitimate Android application package (APK) file, encrypts it, and removes unwanted features and permissions before distributing the malicious package to a third-party app store or even Google Play. Once victims are tricked into downloading and installing such an application, the attacker takes over the device, enlisting it in a mobile botnet used for malicious activities such as launching DDoS attacks, web injections, and so on.

DDoS Case Study: Dyn DDoS Attack

Source: https://mycourses.aalto.fi

Dyn is an Internet Performance Management (IPM) company, considered a pioneer among domain name system (DNS) service providers.
They also offer Internet infrastructure services and products such as monitoring and analytics, control, online infrastructure optimization, and email.

The Dyn attack, which took place on 21 October 2016, is one of the largest DDoS attacks in history. It took down a large portion of the Internet in the United States and Europe and affected many services. The source of the attack was the Mirai botnet. Unlike other botnets, it consists of IoT devices such as IP cameras, printers, and digital video recorders. The objective of a DoS attack is to deny or disrupt authorized users' access to a resource or service. According to Dyn, Mirai botnets contributed a major share of the attack traffic. Mirai is a piece of malware that infects vulnerable network devices on the Internet, preferably IoT devices. Upon successful infection, the bot registers with a C&C server, which controls the botnet during attacks. Mirai targets network devices that authenticate using default credentials.

Attack Timeline

The first attack was staged between approximately 11:10 UTC and 13:20 UTC. Initially, a sharp increase in bandwidth consumption was observed at various locations of Dyn's DNS infrastructure, resembling a DDoS attack. The attack began by targeting the US-East region. This large volume of traffic originated from many source IP addresses and was destined for port 53, with the data composed of both TCP and UDP packets.

The next attack was performed between 15:50 UTC and 17:00 UTC.
Unlike the previous attempt, this attack targeted almost all of Dyn's available Managed DNS infrastructure around the globe. Although the second attempt used the same set of attack vectors and protocols as the first, it still managed to disrupt the provider's services despite the incident response mechanisms that had been deployed.

Attack Mechanism

The DNS protocol was used to perform the DDoS attack on Dyn's DNS servers. The attack vectors included a recursive DNS query mechanism known as DNS water torture, or authoritative DNS exhaustion. DNS server infrastructure consists of recursive DNS resolvers and authoritative DNS servers. A recursive resolver receives from a bot a query for a 12-character pseudo-random hostname under the domain served by the authoritative server. Because the random name has never been seen, the recursive resolver cannot answer from cache and forwards the query to the authoritative server. This mechanism strips the protection of the caching layer away from the authoritative servers. The aim of this attack vector is to forward an exceptionally large number of DNS queries to the authoritative server and exhaust its capacity to resolve queries.

Impact

This DDoS attack affected Dyn's anycast servers and prevented the resolution of legitimate DNS queries. It is estimated to have generated 40 to 50 times the normal traffic volume, and the number of bots involved in the attack is estimated at 100,000. According to some reports, the total volume of traffic involved in this attack is estimated at 1.2 Tbps. A few major US websites including PayPal, Spotify, Twitter, and Amazon faced connectivity issues.
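The water-torture mechanism described above leaves a distinctive trace on the recursive resolvers in the path: for one zone, nearly every query is for a label never seen before and nearly every answer is NXDOMAIN. The following added example, which is not code from the module or from Dyn's own analysis, flags zones showing that pattern in a constructed resolver log; the "client qname rcode" line layout is an assumed format, and treating the last two labels as the zone is a simplification (a public-suffix list would be used on real data).

```python
"""Spotting DNS water-torture (random-subdomain) queries in resolver logs.

Added example, not from the module or from Dyn's own analysis. The log
lines are constructed and their 'client qname rcode' layout is an assumed
format, not any particular resolver's.
"""
import random
import string
from collections import defaultdict

# Constructed resolver log: a little normal traffic for example.com, then a
# burst of 30 queries for distinct 12-character pseudo-random labels under
# victim.test, none of which exist (NXDOMAIN), from a spread of clients.
_rng = random.Random(42)
_alphabet = string.ascii_lowercase + string.digits
RANDOM_LABELS = ["".join(_rng.choices(_alphabet, k=12)) for _ in range(30)]

LOG = "\n".join(
    [
        "10.0.0.5 www.example.com NOERROR",
        "10.0.0.5 mail.example.com NOERROR",
        "10.0.0.7 www.example.com NOERROR",
    ]
    + [f"10.0.{i % 4}.{i + 1} {label}.victim.test NXDOMAIN"
       for i, label in enumerate(RANDOM_LABELS)]
)


def zone_of(qname, depth=2):
    """Zone under attack. Using the last two labels is an assumption; real
    data needs a public-suffix list to find the registered domain."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-depth:])


def summarize(log_text):
    """Per zone: query count, distinct sub-labels queried, NXDOMAIN count."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "nxdomain": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, rcode = line.split()
        zone = zone_of(qname)
        s = stats[zone]
        s["queries"] += 1
        s["labels"].add(qname[: -len(zone) - 1] if qname != zone else "")
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


def water_torture_zones(log_text, min_queries=20, min_unique=0.9, min_nxdomain=0.8):
    """Zones where nearly every query is for a never-seen name that does not
    exist: the cache-bypass signature of the attack described above.
    Returns sorted (zone, queries, unique_ratio, nxdomain_ratio) tuples."""
    flagged = []
    for zone, s in summarize(log_text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["labels"]) / s["queries"]
        nx_ratio = s["nxdomain"] / s["queries"]
        if unique_ratio >= min_unique and nx_ratio >= min_nxdomain:
            flagged.append((zone, s["queries"], round(unique_ratio, 2), round(nx_ratio, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for zone, n, uniq, nx in water_torture_zones(LOG):
        print(f"{zone}: {n} queries, {uniq:.0%} unique labels, {nx:.0%} NXDOMAIN")
```

A resolver that computes this per zone can rate-limit or temporarily refuse queries for the flagged zone, which protects the authoritative server downstream; the caveat is that a popular zone with genuinely dynamic names (CDN hostnames, tracking subdomains) also scores high on unique labels, so the NXDOMAIN ratio is the discriminating signal.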
Web services of other companies, such as BankWest, HSBC, and Ticketmaster, were also affected. According to BitSight, approximately 8% of Dyn's DNS customer base terminated their contracts after the attack.

DoS/DDoS Attack Tools

This section deals with various DoS/DDoS attack tools used to take over a single machine or multiple network machines, exhaust their computing resources, or render them unavailable to their intended users.

High Orbit Ion Cannon (HOIC)
Source: https://sourceforge.net

HOIC is a network stress and DoS/DDoS attack application. It is written in BASIC and is designed to attack up to 256 target URLs simultaneously, sending HTTP POST and GET requests to the targets from a GUI.

Features:
* High-speed multi-threaded HTTP flood
* Simultaneously flood up to 256 websites at once
* Built-in scripting system to allow the deployment of "boosters," scripts designed to thwart DDoS countermeasures and increase DoS output
* Can be ported to Linux/Mac with a few bug fixes
* Ability to select the number of threads in an ongoing attack
* Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH

Low Orbit Ion Cannon (LOIC)
Source: https://sourceforge.net

LOIC is a network stress testing and DoS attack application. It can be considered an application-layer DoS tool, as it mostly targets web applications. LOIC floods a target server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
Following are some additional DoS/DDoS attack tools:
* HULK (http://www.sectorix.com)
* Metasploit (https://www.metasploit.com)
* Nmap (https://nmap.org)
* Blackhat Hacking Tools (https://sourceforge.net)
* DAVOSET (https://packetstormsecurity.com)
* Tsunami (https://sourceforge.net)
* R-U-Dead-Yet (https://sourceforge.net)
* UDP Flooder (https://sourceforge.net)
* DLR_DoS (https://sourceforge.net)
* Moihack Port-Flooder (https://sourceforge.net)
* DDOSIM (https://sourceforge.net)

DoS/DDoS Attack Tools for Mobile

LOIC
Source: https://play.google.com
The Android version of LOIC is used for flooding packets, allowing an attacker to perform a DDoS attack on a target organization. This application can perform UDP, HTTP, or TCP flood attacks.

AnDOSid
Source: https://andosid.droidinformer.org
AnDOSid allows an attacker to simulate a DoS attack (an HTTP POST flood attack, to be exact) or a DDoS attack on a web server from a mobile phone.

Following are some additional DoS/DDoS attack tools for mobile:
* DoS (https://play.google.com)
* DDoS (https://play.google.com)
* Packets Generator (https://play.google.com)
* PingTools Pro (https://pingtools.org)

Countermeasures

DoS/DDoS is one of the foremost security threats on the Internet, so there is a great need for solutions to mitigate these attacks. This section deals with detection methods, various preventive measures, and responses to DoS/DDoS attacks.

Detection Techniques

Early detection techniques help to prevent DoS/DDoS attacks.
Detecting a DoS/DDoS attack is a tricky job. A DoS/DDoS traffic detector needs to distinguish between genuine and bogus packets, which is not always possible; the techniques employed for this purpose are not perfect. There is always a chance of confusion between traffic generated by legitimate network users and traffic generated by a DoS/DDoS attack. Detection techniques are based on identifying and discriminating illegitimate traffic increases from legitimate flash events (sudden surges of genuine traffic).

One problem in filtering bogus traffic from legitimate traffic is the sheer volume of traffic. It is impractical to inspect each data packet to ensure security from a DoS/DDoS attack.

All the detection techniques used today define an attack as an abnormal and noticeable deviation in network traffic statistics and characteristics. These techniques involve statistical analysis of deviations to categorize malicious and genuine traffic. Following are three types of detection techniques:

Activity Profiling

Activity profiling is based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information. Packet header information includes the destination and source IP addresses, ports, and transport protocols used. An attack is indicated by:
* An increase in activity levels among the network flow clusters
* An increase in the overall number of distinct clusters (DDoS attack)

The higher a flow's average packet rate or activity level, the less time there is between consecutive matching packets. Randomness in average packet rate or activity level can indicate suspicious activity. The entropy calculation method measures the randomness in activity levels.
If the network is under attack, the entropy of the network's activity levels deviates from its baseline: a single-source flood concentrates activity into a few clusters and lowers entropy, while a distributed flood from many spoofed sources adds distinct clusters and raises it.

One of the major hurdles for an activity profiling method is the volume of the traffic. This problem can be overcome by clustering packet flows with similar characteristics. DoS attacks generate a large number of data packets that are very similar, so an increase in the average packet rate or an increase in the diversity of packets could indicate a DoS attack.

Sequential Change-point Detection

The sequential change-point detection technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data as a time series of flow rate versus time. Change-point detection algorithms isolate changes in network traffic statistics and in traffic flow rate caused by attacks. If there is a drastic change in traffic flow rate, a DoS attack may be occurring. This technique uses the Cumulative Sum (CUSUM) algorithm to identify and locate DoS attacks; the algorithm accumulates the deviations of the actual from the expected local average in the traffic time series and alarms when the accumulated deviation crosses a threshold. The sequential change-point detection technique also identifies the typical scanning activities of network worms.

Wavelet-based Signal Analysis

The wavelet analysis technique analyzes network traffic in terms of spectral components. It divides incoming signals into various frequencies and analyzes the different frequency components separately. Analyzing each spectral window's energy determines the presence of anomalies. These techniques check the frequency components present at a specific time and provide a description of those components. Presence of an unfamiliar frequency indicates suspicious network activity.

A network signal consists of a time-localized data packet flow signal and background noise. Wavelet-based signal analysis filters the anomalous traffic flow input signals out from the background noise. Normal network traffic is generally low-frequency traffic.
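The activity-profiling and change-point techniques described above, run on constructed traffic, as an added example that is not code from the module. Flow clusters are keyed on the header fields activity profiling groups by, entropy is measured over how packets spread across those clusters, and a one-sided CUSUM tracks the packets-per-second series; the baseline mean and deviation, the slack k and the threshold h are assumed tuning values.

```python
"""Activity profiling (entropy over flow clusters) and sequential change-point
detection (CUSUM over the packet rate) on constructed traffic samples.

Added example, not code from the module. Flows, rates and the baseline
parameters are constructed; the CUSUM parameters are assumed tuning values.
"""
import math
from collections import Counter

# A flow cluster is keyed by (src_ip, dst_ip, dst_port, proto).
# Constructed baseline window: eight distinct clients, one packet each.
BASELINE_FLOWS = [("10.0.0.%d" % i, "203.0.113.10", 443, "tcp") for i in range(1, 9)]
# Single-source flood: the baseline plus 200 packets from one cluster.
DOS_FLOWS = BASELINE_FLOWS + [("198.51.100.9", "203.0.113.10", 443, "tcp")] * 200
# Distributed flood: the baseline plus 200 spoofed sources, one packet each.
DDOS_FLOWS = BASELINE_FLOWS + [("192.0.2.%d" % (i + 1), "203.0.113.10", 443, "tcp")
                               for i in range(200)]
# Constructed packets-per-second series: ten normal seconds, then a ramp.
RATES = [98, 103, 97, 101, 99, 104, 96, 102, 100, 99, 130, 160, 210, 300, 420]


def entropy(counts):
    """Shannon entropy (bits) of a cluster-size distribution."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def flow_entropy(flows):
    """Entropy of how packets in one window spread over flow clusters."""
    return entropy(Counter(flows).values())


def profile_alarm(window_flows, baseline_entropy, tolerance=1.0):
    """Activity-profiling alarm: entropy moved more than `tolerance` bits from
    the baseline. A flood from one source drives it down; a distributed flood
    with many spoofed sources (more distinct clusters) drives it up."""
    return abs(flow_entropy(window_flows) - baseline_entropy) > tolerance


def cusum_alarm(rates, mu, sigma, k=0.5, h=5.0):
    """One-sided CUSUM on a packets-per-second series. mu and sigma describe
    the expected local average and its spread; k is the slack that absorbs
    normal jitter, h the decision threshold. Returns the index of the first
    sample that trips the alarm, or None if the series never does."""
    s = 0.0
    for i, x in enumerate(rates):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    base = flow_entropy(BASELINE_FLOWS)
    print(f"baseline entropy {base:.2f} bits")
    print(f"DoS window  {flow_entropy(DOS_FLOWS):.2f} bits, alarm={profile_alarm(DOS_FLOWS, base)}")
    print(f"DDoS window {flow_entropy(DDOS_FLOWS):.2f} bits, alarm={profile_alarm(DDOS_FLOWS, base)}")
    print("CUSUM alarm at second", cusum_alarm(RATES, mu=100, sigma=10))
```

The CUSUM trips at the second attack sample rather than the first, which is the point of the slack term: one noisy second does not raise an alarm, but a sustained shift accumulates quickly. A flash event of legitimate traffic trips the CUSUM too, so in practice the rate alarm is combined with the entropy profile, since a flash crowd keeps a diverse, organic mix of clusters rather than the collapsed or artificially flat distribution of a flood.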
During an attack, the high-frequency components of the traffic signal increase, and that shift is what the wavelet detector flags.

DoS/DDoS Countermeasure Strategies

Absorbing the Attack: Use additional capacity to absorb the attack. This requires preplanning and additional resources; the disadvantage is the cost of those resources even when no attack is under way.

Degrading Services: If it is not possible to keep all services functioning during an attack, keep at least the critical services functional. First identify the critical services, then design the network, systems, and applications so that non-critical services can be shed under load, which helps keep the critical ones running.

Shutting Down the Services: Simply shut down all services until the attack has subsided. Though not an ideal choice, it may be a reasonable response in some cases.

DDoS Attack Countermeasures

There are many proposed solutions for mitigating the effects of a DDoS attack. However, no single complete solution exists that can provide protection against all known forms of DDoS attack. Moreover, attackers are continually devising new ways to perform DDoS attacks in order to bypass the security solutions employed.
Following are some of the DDoS attack countermeasures:
* Protect secondary victims
* Detect and neutralize handlers
* Deflect attacks
* Mitigate attacks
* Prevent potential attacks
* Post-attack forensics

Protect Secondary Victims

Individual Users

The best method to prevent DDoS attacks is for secondary victim systems to prevent themselves from taking part in the attack. This demands intensified security awareness and prevention techniques. Secondary victims must monitor their security on a regular basis to remain protected from DDoS agent software. They must ensure that the system does not install any DDoS agent program and that DDoS agent traffic is not transmitted into the network. Anti-virus and anti-Trojan software must be installed and updated regularly, as must software patches that fix known vulnerabilities. Awareness of security issues and prevention techniques should be raised among all Internet users. It is important to disable unnecessary services, uninstall unused applications, and scan all files received from external sources. Because these tasks may appear daunting to the average web surfer, the core hardware and software of computing systems come with integrated mechanisms that defend against malicious code insertion; these built-in defensive mechanisms should be properly configured and regularly updated. Employing the above countermeasures leaves attackers with no DDoS attack network from which to launch attacks.
Network Service Providers

Service providers and network administrators can introduce dynamic pricing for network usage, charging potential secondary victims more for Internet access so that they are encouraged to take an active role in preventing themselves from becoming part of a DDoS attack.

Detect and Neutralize Handlers

An important method used to stop DDoS attacks is to detect and neutralize handlers. This can be achieved through network traffic analysis, neutralizing botnet handlers, and identifying spoofed source addresses. In the agent-handler DDoS attack-tool arsenal, the handler works as an intermediary for the attacker to initiate attacks. Analyzing the communication protocols and traffic patterns between handlers and clients, or between handlers and agents, can identify the network nodes that host handlers. Discovering the handlers in the network and disabling them can be a quick method of disrupting the DDoS attack network. Because there are usually few DDoS handlers deployed in the network compared to the number of agents, neutralizing a few handlers can render multiple agents useless, thwarting DDoS attacks. Furthermore, there is a decent probability that the spoofed source address of DDoS attack packets will not be a valid source address for the sub-network the packets actually come from; identifying spoofed source addresses can therefore help prevent DDoS attacks. Prevention of DDoS attacks is possible through a thorough comprehension of the communication protocols and traffic among handlers, clients, and agents.

Prevent Potential Attacks

Egress Filtering

Egress filtering scans the headers of IP packets leaving a network. If the packets pass the specifications, they can route out of the sub-network from which they originated. Packets that do not meet the specifications are dropped and never reach the targeted address. Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.
DDoS attacks often use spoofed IP source addresses. Requiring that any legitimate packet leaving a company's network carry a source address whose network portion matches the internal network can help mitigate attacks. A properly configured firewall for the sub-network can filter out many DDoS packets with spoofed IP source addresses.

If a web server is vulnerable to a zero-day exploit known only to the underground hacker community, the server can still be compromised even after all available patches are applied. However, with egress filtering enabled, the damage can be contained by preventing the server from establishing a connection back to the attacker. This also limits the effectiveness of many payloads used in common exploits. Outbound exposure can be restricted to the required traffic only, limiting the attacker's ability to connect to other systems and retrieve tools that would enable further access into the network.

Ingress Filtering

Ingress filtering is a packet filtering technique used by many Internet Service Providers (ISPs) to prevent source address spoofing of Internet traffic, and thus indirectly combat
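Both filters above reduce to source-address validation at the network border: outbound packets must carry one of our own addresses, and inbound packets must not claim our prefix or an address that cannot legitimately appear on the Internet. The following added example, not code from the module, expresses those two rules over constructed packets; the internal prefix, the bogon list and the sample traffic are assumptions, and a real deployment states the same rules in the router or firewall ACL.

```python
"""Source-address validation as egress and ingress filters (the idea behind
the two techniques above), run over constructed packets.

Added example, not from the module. The internal prefix, the bogon list and
the packets are assumed/constructed; a real deployment expresses the same
rules in the router or firewall ACL.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix

# Address blocks that must never appear as a source arriving from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_allowed(src, internal=INTERNAL):
    """Outbound: only packets whose source is ours may leave, so a compromised
    host inside cannot emit spoofed-source flood traffic on another network's
    behalf (and cannot pose as a victim in a reflection attack)."""
    return ipaddress.ip_address(src) in internal


def ingress_allowed(src, internal=INTERNAL, bogons=BOGONS):
    """Inbound: drop packets that claim our own prefix or a bogon as source.
    A packet from the Internet with an internal source is spoofed by definition."""
    ip = ipaddress.ip_address(src)
    if ip in internal:
        return False
    return not any(ip in net for net in bogons)


def apply_filters(packets):
    """packets: (direction, src, dst) with direction 'in' or 'out'.
    Returns (passed, dropped) lists in input order."""
    passed, dropped = [], []
    for direction, src, dst in packets:
        ok = egress_allowed(src) if direction == "out" else ingress_allowed(src)
        (passed if ok else dropped).append((direction, src, dst))
    return passed, dropped


# Constructed traffic at the border.
PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),   # legitimate outbound
    ("out", "203.0.113.7", "198.51.100.5"),  # spoofed source from inside: drop
    ("in", "198.51.100.9", "192.0.2.10"),    # legitimate inbound
    ("in", "192.0.2.44", "192.0.2.10"),      # claims our prefix from outside: drop
    ("in", "10.1.1.1", "192.0.2.10"),        # bogon source: drop
]

if __name__ == "__main__":
    passed, dropped = apply_filters(PACKETS)
    for pkt in dropped:
        print("DROP", pkt)
    print(f"{len(passed)} passed, {len(dropped)} dropped")
```

The egress rule is the one a network can enforce unilaterally and is the one that stops its own hosts from being useful to a spoofing attacker; the ingress rule protects only against the subset of spoofed traffic that claims addresses the filtering network can recognize as impossible, which is why it is most effective when ISPs apply it at the customer edge, where the set of valid source prefixes is small and known.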
