Understanding DoS & DDoS
Distributed denial-of-service (DDoS) attacks have the same goals, but the implementation is much more complex and wields more power. Whereas a DoS attack relies on a single system or a very small number of systems to attack a victim, a DDoS attack scales this up by having several attackers go after a victim. How many attackers? Anywhere from a few hundred to a few million in some cases.
DDoS attacks have the same goal as regular DoS methods; however, the difference lies in the implementation of the attack. A standard DoS attack can be launched from a single malicious client, whereas a DDoS attack uses a distributed group of computers to attack a single target. Check out Figure 11.3 to see a diagram of a DDoS setup.
As you can see in Figure 11.3, quite a few parts are involved when launching a DDoS attack. Conceptually, the process is quite simple. The attacker first infects the handler, or master computer, with a specific DDoS software build commonly known as a bot. The bot in turn sifts through the victim’s network searching for potential clients to make slaves, or zombies. Note that the attacker purposely chooses their handler unit or units based on the positional advantage it will give them for their DDoS attack. This equates to a unit that has maneuverability in the network, such as a file server or the like. Once the handler systems have been compromised and the zombie clients are infected and listening, the attacker need only identify the target and send the go signal to the handlers.
A common method of covertly installing a bot on a handler or client is a Trojan horse that carries the bot as a payload. Once the handler and subsequent zombies have been infected, the attacker communicates remotely with the so-called botnet via communication channels such as Internet Relay Chat (IRC) or Peer-to-Peer (P2P).
Tools for Creating Botnets
Various tools are used to create botnets, including the following:
• Poison Ivy
• Low Orbit Ion Cannon (LOIC)
The following is a list of DoS tools:
DoSHTTP is an HTTP flood DoS tool. It can target URLs, and it uses port designation.
This utility generates UDP packets at a specified rate and to a specific network.
This IP packet fragmentation DoS tool can send large numbers of fragmented packets to a Windows host.
This 8-in-1 tool can perform DoS attacks using one or many of the included options. Attacks Targa is capable of land, WinNuke, and teardrop attacks.
The following is a list of DDoS tools:
This DDoS tool uses UDP flooding. It can attack single or multiple IPs.
Low Orbit Ion Cannon (LOIC) has become popular because of its easy one-button operation. Some people suspect that groups such as Anonymous, which use DDoS attacks as their primary weapon, use LOIC as their main tool.
This DDoS attack tool is based on TFN (Tribe Flood Network) and can perform UDP, SYN, and UDP flood attacks.
This DDoS tool has similar attack capabilities as TFN2K. Attacks can be configured to run for a specified duration and to specific ports.
DoS Defensive Strategies
Let’s look at some DoS defensive strategies:
Disabling Unnecessary Services you can help protect against DoS and DDoS attacks by hardening individual systems and by implementing network measures that protect against such attacks.
Using Anti-Malware Real-time virus protection can help prevent bot installations by reducing Trojan infections with bot payloads. This has the effect of stopping the creation of bots for use in a botnet. Though not a defense against an actual attack, it can be a proactive measure.
Enabling Router Throttling DoS attacks that rely on traffic saturation of the network can be thwarted, or at least slowed down, by enabling router throttling on your gateway router. This establishes an automatic control on the impact that a potential DoS attack can inflict, and it provides a time buffer for network administrators to respond appropriately.
Using a Reverse Proxy A reverse proxy is the opposite of a forward or standard proxy. The destination resource rather than the requestor enacts traffic redirection. For example, when a request is made to a web server, the requesting traffic is redirected to the reverse proxy before it is forwarded to the actual server. The benefit of sending all traffic to a middleman is that the middleman can take protective action if an attack occurs.
Enabling Ingress and Egress Filtering Ingress filtering prevents DoS and DDoS attacks by filtering for items such as spoofed IP addresses coming in from an outside source. In other words, if traffic coming in from the public side of your connection has a source address matching your internal IP scheme, then you know it’s a spoofed address. Egress filtering helps prevent DDoS attacks by filtering outbound traffic that may prevent malicious traffic from getting back to the attacking party.
Degrading Services In this approach, services may be throttled down or shut down in the event of an attack automatically in response to an attack. The idea is that degraded services make an attack tougher and make the target less attractive.
Absorbing the Attack Another possible solution is to add enough extra services and power in the form of bandwidth and another means to have more power than the attacker can consume. This type of defense does require a lot of extra planning, resources, and of course money. This approach may include the use of load balancing technologies or similar strategies.
The following are botnet-specific defensive strategies:
RFC 3704 Filtering This defense is designed to block or stop packets from addresses that are unused or reserved in any given IP range. Ideally this filtering is done at the ISP level prior to reaching the main network.
Black Hole Filtering: This technique in essence creates a black hole or area on the network where offending traffic is forwarded and dropped.
Source IP Reputation Filtering: Cisco offers a feature in their products, specifically their IPS technologies, that filters traffic based on reputation. Reputation is determined by past history of attacks and other factors.
DoS Pen Testing Considerations
When you’re pen testing for DoS vulnerabilities, a major area of concern is taking down integral resources during the testing phase. The ripple effect of taking out a file server or web resource can be pretty far reaching, especially if bringing the system back online proves challenging after a successful DoS test attack. As with all pen testing activities, an agreement between the tester and the client should explicitly define what will be done and the client’s timeframe for when the testing will occur. Also, as always, documenting every step is crucial in every part of the process.
To sum it all up a denial-of-service attack involves the removal of availability of a resource. That resource can be anything from a web server to a connection to the LAN. DoS attacks can focus on flooding the network with bogus traffic, or they can disable a resource without affecting other network members. We also discussed buffer overflow, which pushes data beyond the normal memory limit, thereby creating a DoS condition. Additionally, you saw that a NOP sled can be used to pad the program stack, which lets the attacker run malicious code within the compromised stack. You learned about compromised handlers and their role in infecting and controlling zombie clients in a DDoS attack. Lastly, we reviewed some preventive measures, such as router throttling, that you can use to defend against DoS attacks.
I will later post a rough guide on how to use Low Orbit Ion Cannon (LOIC) to create a Distributed denial-of-service (DDoS) attack.