As a typical result of DoS, a system may hang, respond slowly, reboot or shut down. In the worst case the result may include loss of information, damage to network resources and hardware, and ultimately the deletion or destruction of the data and programs of users who were online during the attack. A DoS attack thus compromises a system without intruding into it, and that alone is enough to disorganize the infrastructure and functionality of an organization.
A DoS attack is called a Distributed Denial of Service (DDoS) attack when it is performed using several computers/laptops/zombies.
Now, depending on which factor the attacker has planned to attack, the modes of attack are classified as follows:
1. Attack Against Connectivity:- In this kind of attack an attacker tries to stop hosts or users from connecting and communicating with another host or computer.
2. Misuse Of Internal Resources:- In this mode of attack an attacker tries to bind resources to specific machines, which results in consumption of network bandwidth, wastage, and non-availability of resources for others.
3. Bandwidth Consumption:- In this mode of attack the attacker generates a large number of packets from the system on which the attack has been planned to be performed. The resulting consumption of bandwidth finally leads to its unavailability for others and results in DoS.
4. Consumption Of Network Resources:- In this mode of attack an attacker tries to consume resources on the network.
5. Altering Configuration:- In this attack mode an attacker may try to exploit misconfigured information present on the network for DoS.
Depending upon the selected mode of attack, DoS attacks are classified as:
SYN Attack
Smurf DoS
Buffer Overflow
Ping of Death
Tear Drop
-:Types Of DoS:-
In this section we are going to cover the different ways that can be used to carry out denial of service attacks. Note that no matter what kind of DoS the attacker selects, his/her motives remain the same, i.e. bandwidth consumption, disrupting network connectivity or the destruction of configuration information.
1. Smurf DoS or Ping Flood:-
In this type of attack an attacker sends a large number of ICMP echo (ping) requests to an IP broadcast address, and all the packets he/she sends have spoofed source IP addresses. If the victim accepts IP broadcast request packets, then every host takes the ICMP request and replies, thus multiplying the traffic by the number of hosts and resulting in bandwidth consumption. Modes of attack used are bandwidth consumption and network connectivity.
2. Fraggle DoS Attack:-
It is the same as the Smurf DoS attack, but instead of ICMP packets it uses UDP echo requests. Modes of attack used are bandwidth consumption and network connectivity.
3. Buffer Overflow Attack:-
This is the most commonly used DoS attack, and it can be performed locally or remotely. The most commonly used attack method is through a vulnerable application or program. It results in a compromise of the security of the network. Common modes of attack are misuse of internal resources and altering configuration.
4. Ping Of Death:-
In this type of attack an attacker deliberately sends an ICMP echo packet of more than 65536 bytes. An IP packet with a size of 65536 bytes is an oversized packet for the TCP/IP stack. Many OSes don't know how to respond to such a huge packet, resulting in freezing or crashing. The attack mode can be classified as altering of configuration and misuse of resources.
5. Teardrop Attack:-
This attack takes advantage of the fragmentation of IP packets during transmission. A large packet is chopped into pieces for easy transmission, each carrying a sequence number in its offset field so that when all chunks are received they can easily be recombined. In a teardrop attack an attacker manipulates the offset value of the second or a later fragment so that it overlaps with the previous or next one. This attack may cause the system to hang or crash. The mode of attack is altering configuration.
6. SYN Half Open and SYN Flood:-
In a SYN half-open attack the attacker exploits a weakness in the TCP three-way handshake and sends only the SYN packet, with a spoofed IP. The target then waits for the opened connection to be completed, and since the IP is spoofed there is hardly any chance that the connection will ever be completed. This results in non-availability of resources, builds overload on the system, and it crashes. In a SYN flood attack the attacker sends thousands of SYN packets to the victim at a far higher frequency than it can handle, resulting in denial of further requests. Both can be categorized under consumption of network resources and altering configuration.
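As an added example that is not part of the original post, the following Python checks a constructed set of packet summaries for the signatures described in this section from the defender's side (Land, Smurf, Ping of Death, Teardrop overlap, SYN half-open flood); the tuple layout, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

IP_MAX_LEN = 65535     # largest legal IPv4 datagram; a Ping of Death exceeds it
SYN_THRESHOLD = 3      # bare SYNs per destination beyond which we call it a flood

# Constructed packet summaries (not captured traffic), one tuple per packet:
# (src, dst, proto, flags, total_len, frag_id, frag_off, frag_len); frag offsets in bytes
PACKETS = [
    ("10.0.0.1", "10.0.0.1", "tcp", "S", 60, 0, 0, 0),            # Land: src == dst
    ("10.0.0.1", "192.0.2.255", "icmp", "echo", 84, 0, 0, 0),     # Smurf: echo to broadcast
    ("198.51.100.9", "10.0.0.1", "icmp", "echo", 65540, 0, 0, 0), # Ping of Death: > 65535
    ("198.51.100.9", "10.0.0.1", "udp", "", 1500, 77, 0, 1480),   # Teardrop: first fragment
    ("198.51.100.9", "10.0.0.1", "udp", "", 200, 77, 1000, 180),  # ... overlaps the first one
    ("203.0.113.2", "10.0.0.1", "tcp", "S", 60, 0, 0, 0),         # SYN flood: bare SYNs from
    ("203.0.113.3", "10.0.0.1", "tcp", "S", 60, 0, 0, 0),         # spoofed sources that never
    ("203.0.113.4", "10.0.0.1", "tcp", "S", 60, 0, 0, 0),         # complete the handshake
    ("203.0.113.5", "10.0.0.1", "tcp", "S", 60, 0, 0, 0),
    ("192.0.2.7", "10.0.0.1", "tcp", "SA", 60, 0, 0, 0),          # normal handshake reply
]

def packet_findings(pkt):
    """Names of the single-packet signatures described above that `pkt` matches."""
    src, dst, proto, flags, total_len, *_rest = pkt
    hits = []
    if src == dst:
        hits.append("land")                  # source spoofed to the victim's own address
    if proto == "icmp" and flags == "echo" and dst.endswith(".255"):
        hits.append("smurf")                 # naive /24 broadcast test, enough for the sample
    if proto == "icmp" and total_len > IP_MAX_LEN:
        hits.append("ping_of_death")         # oversized echo the stack cannot reassemble
    return hits

def teardrop_ids(packets):
    """Fragment IDs whose pieces overlap (Teardrop); frag_len == 0 means unfragmented."""
    spans = defaultdict(list)
    for *_rest, fid, off, flen in packets:
        if flen:
            spans[fid].append((off, off + flen))
    bad = set()
    for fid, ranges in spans.items():
        ranges.sort()
        for (_start, prev_end), (start, _end) in zip(ranges, ranges[1:]):
            if start < prev_end:             # next piece begins inside the previous one
                bad.add(fid)
    return bad

def syn_flood_targets(packets, threshold=SYN_THRESHOLD):
    """Destinations receiving more than `threshold` bare SYNs (half-open connections)."""
    syns = Counter(dst for _src, dst, proto, flags, *_rest in packets
                   if proto == "tcp" and flags == "S")
    return {dst for dst, n in syns.items() if n > threshold}
```

Each function returns its findings so the checks can be fed from a real capture parser; the thresholds are deliberately tiny so the constructed sample triggers them.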
-:Tools that Can be Used for DoS:-
In this section we will discuss a little about tools that can be used for DoS attacks. Please note that the tools used for DoS and DDoS attacks are different; here we will discuss only those tools which are used for DoS attacks, not those which are used for DDoS. Most DoS tools are nothing but programs written by programmers; by the way, you don't need to know programming to understand and run these tools. These tools may be OS specific or platform independent, depending on the conditions under which the programmer built the code.
-:JOLT:-
Jolt is a DoS tool used to exploit a vulnerability in Windows networking code. It allows the attacker to consume 100% of CPU time by sending packets that need heavy CPU usage for processing. Though it is specially designed for Windows, it really isn't platform specific. The server most vulnerable to it is Windows 2000 Server.
-:BUBONIC:-
It is a C program which, when compiled, can be used against Windows and Linux. Linux versions which were not updated since the 2.0.3.0 kernel are vulnerable, along with Windows 2003 Server.
-:LAND:-
The Land tool sends the victim a request by spoofing the source IP address of the packet with the IP address of the victim. Since the source and destination IP addresses are the same, the system crashes as it starts flooding itself with packets.
-:LATIERRA:-
It works like the Land tool, but it sends TCP packets to more than one port number.
-:TARGA:-
One of the most horrible DoS tools in the list is Targa. Targa can launch all possible types of DoS attacks. Its efficiency increases exponentially with a greater number of PCs.
-:BLAST:-
Blast is a TCP service stress-test tool, but it can also be used for launching a DoS attack against an unprotected server.
-:NEMSEY:-
It is a program that generates random packets with random port numbers and IP addresses and floods the victim with them.
-:PANTHER:-
It is a packet flooding program that can overload a network connection with ICMP packets by sending fast ping requests, causing a DoS attack.
-:CRAZY PINGER:-
It is also a DoS tool of the flooder category. It sends very large ICMP packets to the target.
-:FSMAX:-
It is a scriptable server stress-testing tool. It takes a text file as input and runs a server through a series of tests based on that input. The purpose of this tool is to find buffer overflows or DoS points in a server.
Distributed Denial Of Service (DDoS)
A Distributed Denial Of Service (DDoS) attack is a large-scale DoS attack conducted with the help of zombie systems or botnets against vulnerable target systems. Indirectly we can say a DDoS is launched via a huge network of compromised systems. A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology (the same as we do with RAT clients), the attacker is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple computers to serve the attack. In most cases the user of a zombie system never comes to know that his/her system is performing a DoS attack, since the attacker can set a condition to stay low on bandwidth usage per zombie.
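The point above, that each zombie stays quiet while only the aggregate is abnormal, is what a defender has to measure. As an added example that is not part of the original post, this Python parses a constructed access log and labels each target-per-second bucket as a single-source DoS, a many-low-rate-source DDoS, or normal; the log format, thresholds and function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log sample (not real traffic): "<time> <src> -> <dst> <request>".
LOG = """\
2024-05-01T10:00:00Z 203.0.113.10 -> 10.0.0.1 GET /
2024-05-01T10:00:00Z 203.0.113.11 -> 10.0.0.1 GET /
2024-05-01T10:00:00Z 203.0.113.12 -> 10.0.0.1 GET /
2024-05-01T10:00:00Z 203.0.113.13 -> 10.0.0.1 GET /
2024-05-01T10:00:00Z 203.0.113.14 -> 10.0.0.1 GET /
2024-05-01T10:00:00Z 198.51.100.7 -> 10.0.0.2 GET /
2024-05-01T10:00:00Z 198.51.100.7 -> 10.0.0.2 GET /
2024-05-01T10:00:00Z 198.51.100.7 -> 10.0.0.2 GET /
2024-05-01T10:00:00Z 198.51.100.7 -> 10.0.0.2 GET /
2024-05-01T10:00:00Z 198.51.100.7 -> 10.0.0.2 GET /
2024-05-01T10:00:00Z 192.0.2.3 -> 10.0.0.3 GET /
2024-05-01T10:00:01Z 192.0.2.4 -> 10.0.0.3 GET /
"""

LINE = re.compile(r"^(\S+)Z (\S+) -> (\S+) ")   # time to the second, src, dst

FLOOD_TOTAL = 4        # requests per destination per second that we treat as a flood
PER_SOURCE_CAP = 2     # a zombie kept "low on bandwidth" stays at or below this

def parse(log):
    """Yield (second, src, dst) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def classify(log):
    """Per (second, dst): 'ddos' = many low-rate sources, 'dos' = a heavy source, else 'normal'."""
    per_src = defaultdict(Counter)                 # (second, dst) -> Counter of src
    for sec, src, dst in parse(log):
        per_src[(sec, dst)][src] += 1
    verdicts = {}
    for key, srcs in per_src.items():
        total = sum(srcs.values())
        heavy = [s for s, n in srcs.items() if n > PER_SOURCE_CAP]
        if total < FLOOD_TOTAL:
            verdicts[key] = "normal"
        elif heavy:
            verdicts[key] = "dos"      # load comes from a few sources an admin can block
        else:
            verdicts[key] = "ddos"     # every source looks harmless; only the sum is abnormal
    return verdicts
```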
The systems compromised for performing an attack are known as "secondary victims", whereas the target of the attack is known as the "primary victim". An attacker generally gains administrative privilege on the secondary targets to launch the attack on the primary target. Once the attacker gains administrative privilege on a secondary victim, he/she uploads a DDoS program or script to launch an attack on the primary victim. If an attacker has a network of 30000 plus zombies, then the launched attack is nearly impossible to counter because the number of IP addresses is too much for a single server to handle per second. DDoS attacks are dangerous because they can even bring very big hosts like Yahoo and Bing to their feet.
Most organizations secure themselves with a firewall, but a firewall does not really guarantee protection against DDoS. A very good but badly administered firewall can even lead to the service falling down. Conducting a DDoS attack is much simpler than it appears if you already have thousands of compromised systems. In fact, in most cases you don't even need ready-made tools; you can create your own tools if you have a little programming knowledge of C and C++ and a little knowledge of Windows and Linux commands. In future posts I'll show you how you can create your own script to launch a DDoS attack.
Following are the steps involved in conducting a DDoS attack:
1. Compromise thousands of systems using RAT clients or botnets.
2. Write a program or script that can conduct the attack.
3. Trigger the zombies for the attack.
4. Don't stop until the target is down.
For more information about denial of service attacks and distributed denial of service attacks you can check out these other blog posts: Legendary DDoS Attack and DOS vs DDOS.
Thanks For Visiting