Denial of Service
Module 10
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker

Slide titles (the per-slide previews in the source are truncated; titles cut off there and not recoverable elsewhere on the page are left with …):
Security News: HSBC is Latest Target in Cyber Attack Spree
Module Objectives
Module Flow
What Is a Denial of Service Attack?
Malicious Traffic
What Are Distributed Denial of Service Attacks?
How Distributed Denial of Service Attacks Work
Symptoms of a DoS Attack
Module Flow
DoS Attack Techniques
Bandwidth Attacks
Service Request Floods
SYN Attack
SYN Flooding
ICMP Flood Attack
Peer-to-Peer Attacks
Permanent Denial-of-Service Attack
Application-Level Flood Attacks
Module Flow
Organized Crime Syndicates
Organized Cyber Crime
Attackers' Crimeware Toolki…
Botnet
Botnet Propagation Technique
Botnet Ecosystem
Botnet Trojan: Shark
Poison Ivy: Botnet Command Co…
Botnet Trojan: PlugBot
Botnet Trojans: Illusion Bot …
DDoS Attack
DDoS Attack Tool: LOIC
Hackers Advertise Links to Do…
DoS Attack Tools (DoSHTT…, Supernova, BanglaDos, Mega DDoS Attack)
Detection Techniques
Activity Profiling
Wavelet-based Signal Analysi…
Sequential Change-Point Dete…
DoS/DDoS Countermeasures
DoS Attack Countermeasures
Ce hv8 module 10 denial of service
  1. Denial of Service. Module 10
  2. Ethical Hacking and Countermeasures. Denial of Service. Exam 312-50 Certified Ethical Hacker. Denial-of-Service, Module 10. Engineered by Hackers. Presented by Professionals. CEH: Ethical Hacking and Countermeasures v8, Module 10: Denial-of-Service, Exam 312-50. Module 10 Page 1403. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News: HSBC is Latest Target in Cyber Attack Spree (October 19, 2012). Source: http://www.foxbusiness.com
     HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism.
     "HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking." HSBC said it had the situation under control in the early morning hours of Friday London time. The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-Islamic 'Innocence of Muslims' film trailer is removed from the Internet.
  4. In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam. The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country. There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software to take servers over and then use them as weapons. Once they are taken over, they slam the Web servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.
     By Adam Samson. Copyright © 2012 FOX News Network, LLC. http://www.foxbusiness.com/industries/2012/10/19/hsbc-is-latest-target-in-cyber-attack-spree/
  5. Module Objectives. This module looks at various aspects of denial-of-service attacks. The module starts with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the implications of such attacks. Distributed denial-of-service attacks and the various tools to launch such attacks are included to spotlight the technologies involved. The countermeasures for preventing such attacks are also taken into consideration. Viruses and worms are briefly discussed in terms of their use in such attacks. This module will familiarize you with:
     - What Is a Denial of Service Attack?
     - What Are Distributed Denial of Service Attacks?
     - Symptoms of a DoS Attack
     - DoS Attack Techniques
     - Botnet
     - Botnet Ecosystem
     - Botnet Trojans
     - DDoS Attack Tools
     - DoS Attack Tools
     - Detection Techniques
     - DoS/DDoS Countermeasures
     - Techniques to Defend against Botnets
     - Advanced DDoS Protection Appliances
     - DoS/DDoS Protection Tools
     - Denial of Service (DoS) Attack Penetration Testing
  6. Module Flow. In the present Internet world, many attacks are launched targeting organizations in the banking sector, as well as IT service and resource providers. DoS (denial of service) and DDoS (distributed denial of service) were designed by attackers to breach organizations' services.
     Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing.
     This section describes the terms DoS and DDoS, the working of DDoS, and the symptoms of DoS. It also talks about cyber criminals and the organizational chart.
  7. What Is a Denial of Service Attack? Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large number of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests.
     An Analogy: Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.
  8. Malicious Traffic: malicious traffic takes control over all the available bandwidth. Figure 10.1: Denial of Service Attack (regular traffic and attack traffic arrive from the Internet through a router to the server cluster).
  9. What Are Distributed Denial of Service Attacks? A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system. To launch a DDoS attack, an attacker uses botnets and attacks a single system. Consequences: loss of goodwill, disabled network, financial loss, disabled organization.
     Source: www.searchsecurity.com. A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet. The services under attack are those of the "primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms." If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet services in minutes.
  10. How Distributed Denial of Service Attacks Work. Attacker sets up a handler system; the handler infects a large number of computers over the Internet (compromised PCs, or zombies).
     In a DDoS attack, the target browser or network is pounded by many applications with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the attack by sending a command to the zombie agents. These zombie agents send a connection request to a genuine computer system, i.e., the reflector. The requests sent by the zombie agents seem to be sent by the victim rather than the zombies. Thus, the genuine computer sends the requested information to the victim. The victim machine gets flooded with unsolicited responses from several computers at once. This may either reduce the performance or may cause the victim machine to shut down.
  11. FIGURE 10.2: Distributed Denial of Service Attacks (attacker sets up a handler system; handler infects a large number of computers over the Internet; compromised PCs (zombies); zombie systems are instructed).
  12. Symptoms of a DoS Attack. Based on the target machine, the symptoms of a DoS attack may vary. There are four main symptoms of a DoS attack. They are:
     - Unavailability of a particular website
     - Inability to access any website
     - Dramatic increase in the amount of spam emails received
     - Unusually slow network performance
  13. Module Flow. So far, we have discussed DoS, DDoS, symptoms of DoS attacks, cybercriminals, and the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform DoS/DDoS attacks.
     Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing.
     In a DoS attack, the victim, website, or node is prevented from providing services to valid users. Various techniques are used by the attacker for launching DoS or DDoS attacks on a target computer or network. They are discussed in detail in this section.
  14. DoS Attack Techniques. A denial-of-service (DoS) attack is an attack performed on a networking structure to disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DoS attacks on a computer or a network. They are:
     - Bandwidth Attacks
     - Service Request Floods
     - SYN Flooding Attacks
     - ICMP Flood Attacks
     - Peer-to-Peer Attacks
     - Permanent Denial-of-Service Attacks
     - Application-Level Flood Attacks
  15. Bandwidth Attacks. A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume the network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include those of legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created, where an attacker uses several computers to flood a victim. Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic. Furthermore, detecting the source of the attack and blocking it is difficult, as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use. Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
  16. Service Request Floods. An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. Service request flood attacks flood servers with a high rate of connections from a valid source, initiating a request on every connection.
     Service request floods work based on the connections-per-second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
  17. SYN Attack. The attacker sends fake TCP SYN requests to the target server (victim). The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup. The target machine does not get the response because the source address is fake. Note: This attack exploits the three-way handshake method.
     A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of SYN requests to a target machine (victim). The attack abuses the series of messages a client and server exchange when the client wants to begin a TCP connection:
     - The attacker sends fake TCP SYN requests to the target server (victim)
     - The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
     - The target machine never gets the response because the source address is fake
18. SYN Flooding

SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake. When Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN/ACK; the victim's listen queue is quickly filled up. This ability to remove a host from the network for at least 75 seconds can be used as a denial-of-service attack.

SYN flooding exploits a weakness in the TCP protocol to produce a denial-of-service condition. The attack occurs when the intruder sends an unlimited stream of SYN packets (connection requests) to the host system, faster than the system can handle them. A connection is normally established by the TCP three-way handshake as follows:

- Host A sends a SYN request to Host B
- Host B receives the SYN request and replies with a SYN-ACK to Host A
- Host A responds with an ACK packet, establishing the connection

When Host B receives the SYN request from Host A, it allocates one of the limited number of half-open connection entries and holds it for at least 75 seconds while waiting for the ACK. The intruder transmits an enormous number of such SYN requests with forged source addresses, so the host sends SYN-ACKs to addresses that never answer and each forged request holds an entry until it times out.

Such numerous requests produce the TCP SYN flooding attack. It works by filling the table reserved for half-open TCP connections in the operating system's TCP/IP stack. When the table becomes full, new connections cannot be opened until some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled even without spoofing the source IP address. Normally, the space reserved for fixed tables, such as the half-open TCP connection table, is much smaller than the total connection capacity of the system.

19. FIGURE 10.3: SYN Flooding (normal connection establishment between Host A and Host B: SYN, SYN/ACK, ACK; SYN flooding: repeated SYNs to Host B with no ACK)
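The listen-queue mechanism above, as an added simulation that is not part of the courseware: a fixed-size half-open table with the 75-second handshake timeout from the text, a legitimate client refused while forged-source SYNs hold every slot, and a simple indicator (unanswered SYN fraction) that a defender can compute from a packet trace. All addresses, ports and trace records are constructed sample data.

```python
"""Half-open connection table simulation and a SYN-flood indicator.

Added example (not from the courseware): models the listen queue the text
describes. Each unanswered SYN holds a slot for the handshake timeout
(75 s in the text), so forged-source SYNs that are never ACKed fill the
table and a legitimate client is refused until entries expire.
All packet records below are constructed sample data.
"""

HANDSHAKE_TIMEOUT = 75.0   # seconds a half-open entry survives (value from the text)


class ListenQueue:
    """Fixed-size table of half-open TCP connections keyed by (src_ip, src_port)."""

    def __init__(self, size):
        self.size = size
        self.pending = {}      # (src_ip, src_port) -> arrival time of the SYN
        self.refused = 0       # SYNs dropped because the table was full
        self.established = 0

    def _expire(self, now):
        # Handshake timeout: drop entries that never received their ACK.
        stale = [k for k, t in self.pending.items() if now - t >= HANDSHAKE_TIMEOUT]
        for k in stale:
            del self.pending[k]

    def on_syn(self, now, src_ip, src_port):
        """Handshake steps 1 and 2: reserve a slot (the SYN-ACK goes out)."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.pending:
            return "retransmit"          # same SYN again, slot already held
        if len(self.pending) >= self.size:
            self.refused += 1
            return "refused"             # table full: the DoS condition
        self.pending[key] = now
        return "syn_ack_sent"

    def on_ack(self, now, src_ip, src_port):
        """Handshake step 3: the ACK releases the slot and the connection is established."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.pending:
            return "no_matching_syn"
        del self.pending[key]
        self.established += 1
        return "established"


def simulate(queue_size, flood_syns):
    """Forged-source SYNs (never ACKed) followed by one legitimate client handshake.

    Returns (result during the flood, result after the timeout, ACK result, refused count).
    """
    q = ListenQueue(queue_size)
    for i in range(flood_syns):
        # Spoofed sources (constructed addresses): nobody ever answers the SYN-ACK.
        q.on_syn(i * 0.001, f"198.51.100.{i % 254 + 1}", 40000 + i)
    t = flood_syns * 0.001
    during = q.on_syn(t, "203.0.113.7", 51515)                           # legitimate client mid-flood
    later = q.on_syn(t + HANDSHAKE_TIMEOUT + 1.0, "203.0.113.7", 51515)  # after the entries expire
    ack = q.on_ack(t + HANDSHAKE_TIMEOUT + 1.1, "203.0.113.7", 51515)
    return during, later, ack, q.refused


# Constructed packet trace as (time, flag, src_ip, src_port); the destination is the server.
SAMPLE_TRACE = [
    (0.00, "SYN", "198.51.100.10", 40001),
    (0.01, "SYN", "198.51.100.11", 40002),
    (0.02, "SYN", "203.0.113.7", 51515),
    (0.03, "ACK", "203.0.113.7", 51515),   # only this client completes the handshake
    (0.04, "SYN", "198.51.100.12", 40003),
    (0.05, "SYN", "198.51.100.13", 40004),
]


def unanswered_syns(trace):
    """Return (SYNs never followed by an ACK from the same source, total SYNs).

    A high unanswered fraction spread over many different sources is the
    detection signal for a forged-source flood; counting per source misses it
    because every spoofed address appears only once.
    """
    syns = {(ip, port) for _, flag, ip, port in trace if flag == "SYN"}
    acked = {(ip, port) for _, flag, ip, port in trace if flag == "ACK"}
    return len(syns - acked), len(syns)
```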
20. ICMP Flood Attack

An ICMP flood is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. The attacker sends ICMP ECHO requests with spoofed source addresses. After the ICMP threshold (the maximum limit of ICMP Echo Requests per second) is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well, so a legitimate ICMP echo request from an address in the same security zone is rejected during that window too.

Internet Control Message Protocol (ICMP) packets are used for locating network equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO requests and ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the round-trip time. A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed. In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
21. FIGURE 10.4: ICMP Flood Attack (the attacker sends ICMP ECHO requests with spoofed source addresses to the target server; once the maximum limit of ICMP Echo Requests per second is reached, further requests, including a legitimate ICMP echo request from an address in the same security zone, are rejected)
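The per-zone threshold behaviour described above, as an added example that is not part of the courseware: a limiter that answers echo requests up to the per-second limit, then rejects every request from that security zone for the rest of the current second and all of the next. The timeline also counts the legitimate requests that get rejected alongside the flood, the side effect a defender should expect from a zone-wide threshold. Zone names, addresses and timings are constructed.

```python
"""Per-zone ICMP echo-request threshold, as described in the text.

Added example (not from the courseware). Implements the router behaviour the
slide describes: once the per-second limit of ICMP echo requests is reached,
further echo requests from every address in the same security zone are
rejected for the remainder of the current second and for the next second.
Zone names, addresses and the request timeline are constructed sample data.
"""


class IcmpEchoLimiter:
    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.counts = {}          # zone -> [second, requests seen in that second]
        self.blocked_until = {}   # zone -> last whole second during which replies are refused

    def decide(self, t, zone):
        """Return 'reply' or 'reject' for an echo request arriving at time t from zone."""
        sec = int(t)
        if sec <= self.blocked_until.get(zone, -1):
            return "reject"                       # still inside the penalty window
        cur = self.counts.get(zone)
        if cur is None or cur[0] != sec:
            cur = [sec, 0]                        # new second: reset the counter
            self.counts[zone] = cur
        cur[1] += 1
        if cur[1] > self.max_per_second:
            # Threshold reached: reject the rest of this second and all of the next.
            self.blocked_until[zone] = sec + 1
            return "reject"
        return "reply"


# Constructed timeline: (time, zone, source, note). A spoofed flood from the
# untrust zone, a legitimate host in the same zone, and a host in another zone.
SAMPLE_REQUESTS = [
    (0.10, "untrust", "198.51.100.1", "spoofed"),
    (0.20, "untrust", "198.51.100.2", "spoofed"),
    (0.30, "untrust", "198.51.100.3", "spoofed"),
    (0.40, "untrust", "198.51.100.4", "spoofed"),
    (0.50, "untrust", "198.51.100.5", "spoofed"),
    (0.70, "trust",   "10.0.0.25",    "legitimate, other zone"),
    (0.90, "untrust", "203.0.113.9",  "legitimate, same zone"),
    (1.50, "untrust", "203.0.113.9",  "legitimate, same zone, next second"),
    (2.20, "untrust", "203.0.113.9",  "legitimate, same zone, window over"),
]


def run(requests, max_per_second):
    """Apply the limiter to a timeline; returns (decisions, collateral count).

    The collateral count is the number of legitimate requests rejected: a flood
    from spoofed addresses also silences genuine hosts in the same zone until
    the penalty window ends, while hosts in other zones are unaffected.
    """
    limiter = IcmpEchoLimiter(max_per_second)
    decisions = []
    collateral = 0
    for t, zone, _src, note in sorted(requests):
        d = limiter.decide(t, zone)
        decisions.append(d)
        if d == "reject" and note.startswith("legitimate"):
            collateral += 1
    return decisions, collateral
```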
22. Peer-to-Peer Attacks

- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file-sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website
- Attackers exploit flaws found in networks using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients
- Using this method, attackers launch massive denial-of-service attacks and compromise websites

A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack doesn't use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients they misdirect. Here the attacker instructs the clients of peer-to-peer file-sharing hubs to disconnect from their network and to connect to the victim's website. As a result, several thousand computers may try to connect to the target website, which causes a drop in the performance of the target website. These peer-to-peer attacks can be identified easily based on their signatures. Using this method, attackers launch massive denial-of-service attacks and compromise websites.
23. FIGURE 10.5: Peer-to-Peer Attacks (attack traffic from User-1 through User-5, redirected by the attacker, converges on the victim)
24. Permanent Denial-of-Service Attack

Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware. Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware.

Bricking a system:
1. This attack is carried out using a method known as "bricking a system"
2. Using this method, attackers send fraudulent hardware updates to the victims

Permanent denial-of-service (PDoS) is also known as phlashing. This refers to an attack that damages the system and makes the hardware unusable for its original purpose until it is either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote administration on the management interfaces of the victim's hardware, such as printers, routers, and other networking hardware. This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim, having modified and corrupted the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.
25. FIGURE 10.6: Permanent Denial-of-Service Attack (the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; malicious code is executed on the victim; the attacker gets access to the victim's computer)
26. Application Level Flood Attacks

Some DoS attacks rely on software-related exploits such as buffer overflows, whereas most other kinds of DoS attacks exploit bandwidth. The attacks that exploit software cause confusion in the application, causing it to fill the disk space or consume all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat for doing business on the Internet. Web application security is more critical than ever. This attack can result in substantial loss of money, service, and reputation for organizations. Usually, the loss of service is the unavailability of a specific network service, such as email, or the temporary loss of all network connectivity and services. Using this attack, attackers destroy programming source code and files in affected computer systems. Using application-level flood attacks, attackers attempt to:

- Flood web applications, thereby preventing legitimate user traffic.
- Disrupt service to a specific system or person, for example, blocking a user's access by repeated invalid login attempts.
- Jam the application-database connection by crafting CPU-intensive (malicious) SQL queries.
27. FIGURE 10.7: Application-level Flood Attacks (attacker exploiting application source code on the victim)
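The "blocking a user's access by repeated invalid login attempts" case above, as an added example that is not part of the courseware: a naive lockout keyed only on the account name lets anyone who knows a username deny that user service, while a throttle keyed on the source address (with a short per-account delay instead of a hard lock) keeps the real user in. Usernames, passwords and addresses are constructed.

```python
"""Account lockout that can be turned into a DoS versus source-scoped throttling.

Added example (not from the courseware). The text lists "blocking a user's
access by repeated invalid login attempts" as an application-level DoS. A
lockout keyed only on the account name turns failed guesses into a denial of
service against that user; keying the throttle on the source address (with a
short account-level delay instead of a hard lock) keeps the real user in.
Usernames, passwords and addresses below are constructed sample data.
"""

USERS = {"alice": "correct-horse"}   # constructed credential store


class AccountLockout:
    """Naive policy: N failures on an account lock it for everyone, whoever caused them."""

    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # user -> consecutive failures
        self.locked_until = {}  # user -> time the lock expires

    def login(self, now, user, password, src_ip):
        if now < self.locked_until.get(user, 0):
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            return "locked"
        return "bad_password"


class SourceThrottle:
    """Per-source failure block plus a short per-account delay; no hard account lock."""

    def __init__(self, max_failures=5, block_seconds=900, account_delay=2.0):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.account_delay = account_delay
        self.src_failures = {}          # src_ip -> consecutive failures
        self.src_blocked_until = {}     # src_ip -> time the block expires
        self.account_next_allowed = {}  # user -> earliest time of the next attempt

    def login(self, now, user, password, src_ip):
        if now < self.src_blocked_until.get(src_ip, 0):
            return "source_blocked"
        if now < self.account_next_allowed.get(user, 0):
            return "slow_down"          # brief delay after a failure, not a lock
        if USERS.get(user) == password:
            self.src_failures[src_ip] = 0
            return "ok"
        self.src_failures[src_ip] = self.src_failures.get(src_ip, 0) + 1
        self.account_next_allowed[user] = now + self.account_delay
        if self.src_failures[src_ip] >= self.max_failures:
            self.src_blocked_until[src_ip] = now + self.block_seconds
            return "source_blocked"
        return "bad_password"


def scenario(policy):
    """One address fails ten times against alice; then alice logs in from her own address.

    Returns (alice's result, attempts answered 'locked', attempts answered 'source_blocked').
    """
    results = []
    t = 0.0
    for i in range(10):
        t += 5.0    # attempts 5 s apart, so the per-account delay never triggers here
        results.append(policy.login(t, "alice", f"guess{i}", "198.51.100.9"))
    alice = policy.login(t + 5.0, "alice", "correct-horse", "203.0.113.5")
    return alice, results.count("locked"), results.count("source_blocked")
```

A source-scoped throttle is not a complete answer on its own: failures spread across many addresses need the per-account delay and further rate limits to stay slow, but the legitimate user is never hard-locked by someone else's attempts.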
28. Module Flow

So far, we have discussed DoS/DDoS concepts and DoS/DDoS attack techniques. As mentioned previously, DoS and DDoS attacks are performed using botnets or zombies, a group of security-compromised systems.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section describes botnets, as well as their propagation techniques and ecosystem.
29. Organized Crime Syndicates

Cyber criminals have developed very refined and sophisticated ways to use trust to their advantage and to make financial gains. Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is now getting more organized: where cyber criminals once developed malware independently for financial gain, they now operate in groups, and this has grown into an industry. There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue-sharing model, like a major corporation that offers criminal services, and who develop plans for different kinds of attacks. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price.

The increase in the amount of malware puts an extra load on security systems. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.
30. Organized Cyber Crime: Organizational Chart

Cybercrimes are organized in a hierarchical manner. Each criminal gets paid depending on the task that he or she performs or his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur. He or she does not commit cybercrimes directly. The boss is the first level in the hierarchy. The person at the next level is the "underboss." The underboss is the second in command and manages the operation of cybercrimes. The underboss provides the necessary Trojans for attacks and also manages the Trojans' command and control center. People working under the underboss are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks; they just sell the stolen data of genuine users.
31. FIGURE 10.8: Organizational Chart (Boss; Underboss: Trojan provider and manager of Trojan command and control; Campaign Managers; Affiliation Networks; Stolen Data Resellers; attackers and crimeware toolkit owners; Trojan distribution in legitimate websites)
32. Botnet

- Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing
- A botnet is a huge network of compromised systems and can be used by an intruder to create denial-of-service attacks

The term botnet is derived from the words roBOT NETwork; a botnet is also called a zombie army. A botnet is a huge network of compromised systems. It can compromise huge numbers of machines without the intervention of the machine owners. Botnets consist of a set of compromised systems that are monitored for a specific command infrastructure. Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are hidden programs that allow identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information. Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of a system in it being vulnerable also increases.

An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges.

Purpose of Botnets:

- Allows the intruder to operate remotely.
- Scans the environment automatically, and spreads through vulnerable areas, gaining access via weak passwords and other means.
- Allows compromising a host's machine through a variety of tools.
- Creates DoS attacks.
- Enables spam attacks through SMTP mail relays.
- Enables click fraud and other illegal activities.

33. The diagram that follows shows how an attacker launches a botnet-based DoS attack on a target server.

FIGURE 10.9: Botnet (the attacker sets up a bot C&C handler on a compromised machine; the bot looks for other vulnerable systems and infects them to create the botnet; bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through C&C; the bots attack the target server)

In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, i.e., the victim bot, and compromises it. He or she then uses the victim bot to compromise some more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies, or botnet, connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch a DoS attack on a target server. Thus, he or she makes the target server unavailable or non-responsive for other genuine hosts in the network.
34. Botnet Propagation Technique

Botnet propagation is the technique used to hack a system and grab tradable information from it without the victim's knowledge. The head of the operation is the boss, or the cybercriminal. Botnet propagation involves both the criminal (boss) and attackers (campaign managers). In this attack, the criminal doesn't attack the victim system directly; instead, he or she performs attacks with the help of attackers. The criminal configures an affiliation network as the distribution channel. The job of campaign managers is to hack into a legitimate site and insert a reference to malicious code into it. The malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections accomplished. Thus, cybercriminals promote the infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.
35. FIGURE 10.10: Botnet Propagation Technique (criminal; cybercrime-related IT operations: servers, software, and services; attackers; malicious affiliation network; crimeware toolkit database; Trojan command and control center; legitimate compromised websites; the Trojan uploads stolen data and receives commands from the command and control center)
36. Botnet Ecosystem

A group of computers infected by bots is called a botnet. A bot is a malicious program that allows cybercriminals to control and use compromised machines to accomplish their own goals, such as scams, launching DDoS attacks, distributing spam, etc. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of the cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing. Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, specially crafted applications to attack remote computers via the network, etc. Malware services are offered by developers on public sites or closed Internet resources. Typically, the botnet ecosystem is divided into three parts, namely the trade market, DDoS attacks, and spam. A botmaster is the person who makes money by renting out the infected botnet groups for service on the black market. The master searches for vulnerable ports and uses the hosts behind them as candidate zombies to infect. The infected zombies can further be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.
37. The pictorial representation of the botnet ecosystem is shown as follows:

FIGURE 10.11: Botnet Ecosystem (Malicious Site; Scan & Intrusion; Zero-Day Market; Botnet Market; Licenses; MP3, DivX; Financial Diversion; Data Theft; Emails; Owner; Crimeware Toolkit Database; Trojan Command and Control Center (C&C); Client-Side Vulnerability; Redirect; Spam; Mass Mailing; DDoS; Malware Market; Stock Fraud; Scams; Adverts; Extortion)
38. Botnet Trojan: sharK

Source: https://sites.google.com

sharK is a reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK, you will be able to administrate any PC (using Windows OS) remotely.

Features:
- mRC4 encrypted traffic (new & modded)
- zLib compressed traffic
- High-speed, stable screen/cam capture
- Keylogger with highlight feature
- Remote memory execution and injection
- Very fast file manager/registry editor listing due to a unique technique
- Anti: Debugger, VMware, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, VirtualBox
- Supporting random startup and random server names
- Desktop preview in SIN Console
- Sortable and configurable SIN Console
- Remote Autostart Manager
- Optional Fwb++ (Process Injection, API Unhook)
- Folder mirroring

39. FIGURE 10.12: Botnet Trojan: sharK (screenshots of the sharK 3.1 fwb++ Command Control Center and its "New Server" configuration dialog)
40. Poison Ivy: Botnet Command Control Center

Poison Ivy is an advanced, encrypted "reverse connection" remote administration tool for bypassing firewalls. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.

FIGURE 10.13: Poison Ivy: Botnet Command Control Center (screenshot of the Poison Ivy manager listing services on a compromised host)
Botnet Trojan: PlugBot

Source: http://theplugbot.com

PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected while being powerful enough to scan, collect, and deliver test results externally. Some of its features include:

- Issue scan commands remotely
- Wireless 802.11b ready
- Gigabit Ethernet capable
- 1.2 GHz processor
- Supports Linux, Perl, PHP, MySQL on-board
- Covertly disguised as a power adapter
- Capable of invoking most Linux-based scan apps and scripts

Module 10 Page 1442
FIGURE 10.14: Botnet Trojan: PlugBot (dashboard with botnet statistics: bots, jobs pending, jobs completed, check-ins)

Module 10 Page 1443
Botnet Trojans: Illusion Bot and NetBot Attacker

Illusion Bot

Source: http://www.teamfurry.com

Illusion Bot is a GUI tool. Features:

- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 firewall bypass
- DDoS capabilities

Module 10 Page 1444
FIGURE 10.15: Illusion Maker

NetBot Attacker

NetBot Attacker has a simple Windows user interface to control botnets. Attackers use it for commanding and reporting networks, even for command attacks. It consists of two RAR files; one is an INI and the other is a simple EXE. It is more powerful when more bots are used to affect the servers. With the help of a bot, attackers can execute or download a file, open certain web pages, and can even turn off all PCs.

FIGURE 10.16: NetBot Attacker

Module 10 Page 1445
Module Flow

So far, we have discussed DoS/DDoS concepts, attack techniques, and botnets. For a better understanding of the attack trajectories and to find possible ways to locate attackers, a few DDoS case studies are featured here.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section highlights some real-world scenarios of DDoS attacks.

Module 10 Page 1446
DDoS Attack

In a DDoS attack, a group of compromised systems, usually infected with Trojans, is used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of the LOIC tool.

Module 10 Page 1447

FIGURE 10.17: DDoS Attack (the attacker releases the LOIC tool on the web; hackers advertise the LOIC tool on Twitter, Facebook, Google, etc.; volunteers connect to an IRC channel and wait for instructions from the attacker)

Module 10 Page 1448
DDoS Attack Tool: LOIC

This tool was used to bring down the PayPal and MasterCard websites.

LOIC (Low Orbit Ion Cannon) is an open source tool, written in C#. The main purpose of the tool is to conduct stress tests of web applications, so that developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehose of garbage requests directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server; garbage requests can easily be ignored while legitimate requests for web pages are responded to as normal. But when thousands of users run LOIC at once, the wave of requests becomes overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.

LOIC is more focused on web applications; we can also call it an application-based DoS attack. LOIC can be used against a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.

Module 10 Page 1449

FIGURE 10.18: DDoS Attack Tool: LOIC

Module 10 Page 1450
Hackers Advertise Links to Download Botnets

Module 10 Page 1451

FIGURE 10.19: Hackers Advertise Links to Download Botnets

Module 10 Page 1452
Module Flow

So far, we have discussed the DoS/DDoS concepts, attack techniques, botnets, and real-world scenarios of DDoS. The DoS/DDoS attacks discussed so far can also be performed with the help of tools. These tools make the attacker's job easy.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section lists and describes various DoS/DDoS attack tools.

Module 10 Page 1453
DoS Attack Tools

DoSHTTP

Source: http://www.socketsoft.net

DoSHTTP is HTTP flood denial-of-service (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. It also allows you to test web server performance and evaluate web server protection software.

Features:

- Supports HTTP redirection for automatic page redirection
- Includes URL verification that displays the response header and document
- Includes performance monitoring to track requests issued and responses received
- Allows customized User-Agent header fields
- Uses multiple asynchronous sockets to perform an effective HTTP flood
- Allows user-defined socket and request settings
- Supports numeric addressing for target URLs

Module 10 Page 1454

FIGURE 10.20: DoSHTTP

Sprut

Sprut is a multisystem TCP denial-of-service attacker.

FIGURE 10.21: Sprut

Module 10 Page 1455
DoS Attack Tools (Cont'd)

PHP DoS

Source: http://code.google.com

PHP DoS is a PHP script that allows users to perform DoS (denial-of-service) attacks against an IP address or website without any editing or specific knowledge.

(Screenshot: PHP DoS traffic at the victim machine, captured with Wireshark as a stream of fragmented UDP datagrams from 192.168.168.7 to 192.168.168.32, each carrying 1480 bytes of padding)

Module 10 Page 1456
FIGURE 10.22: PHP DoS

Module 10 Page 1457
DoS Attack Tools (Cont'd)

Janidos

FIGURE 10.23: Janidos

Module 10 Page 1458
Supernove

FIGURE 10.24: Supernove

Module 10 Page 1459
DoS Attack Tools (Cont'd)

Commercial Chinese DIY DDoS Tool

FIGURE 10.25: Commercial Chinese DIY DDoS Tool

Module 10 Page 1460
BanglaDos

FIGURE 10.26: BanglaDos

Module 10 Page 1461
DoS Attack Tools (Cont'd)

DoS

FIGURE 10.27: DoS

Module 10 Page 1462
Mega DDoS Attack

FIGURE 10.28: Mega DDoS Attack

Module 10 Page 1463
Module Flow

So far, we have discussed the DoS/DDoS concepts, the various threats associated with this kind of attack, attack techniques, botnets, and tools that help to perform DoS/DDoS attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester, you should think about detecting and applying possible ways or methods to secure the network.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

Module 10 Page 1464

This section describes various techniques to detect DoS/DDoS vulnerabilities and also highlights the respective countermeasures.

Module 10 Page 1465
Detection Techniques

- Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic
- All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics
- Activity Profiling
- Wavelet-based Signal Analysis
- Change-point Detection

Most DDoS attacks today are carried out by attack tools, botnets, and with the help of other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. All these problems together lead to the requirement of defense systems featuring various detection methods to identify attacks. The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic. There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.

Module 10 Page 1466
Activity Profiling

- The activity profile is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields
- The activity profile is obtained by monitoring the network packets' header information
- An attack is indicated by an increase in activity levels among clusters, or an increase in the overall number of distinct clusters (DDoS attack)

Typically, an activity profile can be obtained by monitoring the header information of network packets. An activity profile is defined as the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. The activity level, or average packet rate, of a flow is determined by the elapsed time between consecutive packets. The sum of the average packet rates of all inbound and outbound flows gives the total network activity. If you want to analyze individual flows for all possible UDP services, then you would have to monitor on the order of 2^64 flows, and including other protocols such as TCP, ICMP, and SNMP greatly compounds the number of possible flows. This leads to a high-dimensionality problem, which can be avoided by clustering the individual flows that exhibit similar characteristics. The sum of the constituent flows of a cluster defines its activity level. Based on this concept, an attack is indicated by:

- An increase in activity levels among clusters
- An increase in the overall number of distinct clusters (DDoS attack)

Module 10 Page 1467
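A small activity profiler over packet-header records, added here as an illustration rather than code from the CEH module: it groups packets into flows by header fields, derives each flow's average packet rate from the elapsed time between its packets, clusters flows by protocol and destination port, and checks the two attack indicators above (rising activity within known clusters, and a surge in the number of distinct clusters). All packet records, addresses and thresholds are constructed sample values.

```python
"""Activity profiling of packet headers (added example; constructed sample data)."""
from collections import defaultdict

# Packet record layout (constructed): (timestamp_s, src_ip, dst_ip, proto, dst_port)


def flow_key(pkt):
    """A flow = consecutive packets sharing the same header fields."""
    _, src, dst, proto, dport = pkt
    return (src, dst, proto, dport)


def cluster_of(flow):
    """Cluster flows with similar characteristics: same protocol and destination port."""
    _, _, proto, dport = flow
    return (proto, dport)


def build_profile(packets):
    """Return ({cluster: activity_level}, number_of_distinct_clusters).

    A flow's activity level is its average packet rate, derived from the elapsed
    time between consecutive packets; a cluster's level is the sum of its flows.
    """
    first, last, count = {}, {}, defaultdict(int)
    for pkt in sorted(packets):
        k = flow_key(pkt)
        first.setdefault(k, pkt[0])
        last[k] = pkt[0]
        count[k] += 1
    levels = defaultdict(float)
    for k, n in count.items():
        elapsed = last[k] - first[k]
        # n packets span n-1 inter-arrival gaps; a single packet has no rate yet
        rate = (n - 1) / elapsed if n > 1 and elapsed > 0 else 0.0
        levels[cluster_of(k)] += rate
    return dict(levels), len(levels)


def detect(baseline, current, rate_factor=5.0, cluster_factor=2.0):
    """Apply the two indicators: activity rising within clusters already seen in
    the baseline, and the count of distinct clusters rising (many new sources or
    ports at once, the DDoS signature)."""
    base_levels, base_n = baseline
    cur_levels, cur_n = current
    hot = sorted(c for c, level in cur_levels.items()
                 if c in base_levels and level > base_levels[c] * rate_factor)
    return {"hot_clusters": hot,
            "cluster_surge": cur_n > base_n * cluster_factor,
            "clusters": (base_n, cur_n)}


def make_window(specs):
    """Expand constructed flow specs (src, dst, proto, dport, n_pkts, interval_s, start_s)."""
    pkts = []
    for src, dst, proto, dport, n, interval, start in specs:
        pkts.extend((start + i * interval, src, dst, proto, dport) for i in range(n))
    return pkts


# Constructed legitimate traffic: two web clients and one DNS client.
LEGIT = [
    ("192.0.2.10", "10.0.0.5", "TCP", 80, 5, 1.0, 0.0),
    ("192.0.2.11", "10.0.0.5", "TCP", 80, 3, 2.0, 0.5),
    ("192.0.2.12", "10.0.0.5", "UDP", 53, 4, 1.5, 0.0),
]
BASELINE_PACKETS = make_window(LEGIT)

# Constructed attack window: 20 sources each push 100 pkt/s at TCP/80, and a UDP
# port sweep creates ten clusters the baseline never saw.
ATTACK_PACKETS = make_window(
    LEGIT
    + [("198.51.100.%d" % i, "10.0.0.5", "TCP", 80, 50, 0.01, 0.0) for i in range(1, 21)]
    + [("203.0.113.7", "10.0.0.5", "UDP", p, 2, 0.1, 0.0) for p in range(1000, 1010)]
)

if __name__ == "__main__":
    base = build_profile(BASELINE_PACKETS)
    print("baseline clusters:", base)
    print("verdict:", detect(base, build_profile(ATTACK_PACKETS)))
```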
Wavelet-based Signal Analysis

- Wavelet analysis describes an input signal in terms of spectral components
- Wavelets provide for concurrent time and frequency description
- They determine the time at which certain frequency components are present
- Analyzing each spectral window's energy determines the presence of anomalies

Wavelet analysis describes an input signal in terms of spectral components. A purely spectral description gives a global frequency picture with no time localization; wavelets, by contrast, provide concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals from the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, and attacks such as DoS.

Module 10 Page 1468
Sequential Change-Point Detection

Change-point detection algorithms isolate a traffic statistic's change caused by attacks.

Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resultant flow as a time series. This time series can be considered the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins. Cusum is a change-point detection algorithm that operates on continuously sampled data and requires only modest computational resources and a low memory volume. Cusum identifies and localizes a DoS attack by identifying deviations of the actual versus the expected local average in the time series. For each time series sample, if the deviation is greater than the upper bound, the Cusum's recursive statistic increases. Under normal traffic flow conditions the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify the onset of a DoS attack by applying an appropriate threshold to the Cusum statistic.

Module 10 Page 1469
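The filter-then-Cusum procedure described above, as an added example that is not the module's own code: packets matching one address, protocol and port are binned into a per-second time series, the expected local average and upper bound are learned from a normal training prefix, and the recursive Cusum statistic grows whenever a sample exceeds the expected average plus the bound and decays toward zero otherwise. The traffic counts, addresses and threshold are constructed sample values.

```python
"""Sequential change-point (Cusum) detection on a filtered traffic time series.
Added example, not the module's code; every packet record and threshold is constructed."""
from statistics import mean, pstdev

# Packet record layout (constructed): (timestamp_s, src_ip, dst_ip, proto, dst_port)


def to_time_series(packets, dst_ip, proto, dst_port, n_seconds):
    """Step 1: filter by address, protocol and port, then store the flow as a
    per-second time series (the time-domain view of that cluster's activity)."""
    counts = [0] * n_seconds
    for t, _, dst, p, dport in packets:
        if dst == dst_ip and p == proto and dport == dst_port and 0 <= int(t) < n_seconds:
            counts[int(t)] += 1
    return counts


def cusum(series, expected, bound):
    """Step 2: recursive Cusum statistic. Each sample adds (x - expected - bound):
    the statistic grows while samples exceed the upper bound and decays toward
    zero under normal traffic. Only the running value is kept, so memory is O(1)."""
    stat, out = 0.0, []
    for x in series:
        stat = max(0.0, stat + (x - expected - bound))
        out.append(stat)
    return out


def detect_onset(series, train_len, k=3.0, threshold=50.0):
    """Learn the expected local average and bound (k standard deviations) from the
    first train_len samples, then return (onset_index, cusum_values); onset is
    None when the statistic never crosses the threshold after training."""
    train = series[:train_len]
    expected, bound = mean(train), k * pstdev(train)
    stats = cusum(series, expected, bound)
    for i in range(train_len, len(stats)):
        if stats[i] > threshold:
            return i, stats
    return None, stats


def make_packets(per_second, dst_ip, proto, dst_port):
    """Constructed traffic: per_second[t] packets spread evenly inside second t."""
    pkts = []
    for t, n in enumerate(per_second):
        pkts.extend((t + j / n, "192.0.2.9", dst_ip, proto, dst_port) for j in range(n))
    return pkts


# Constructed per-second request counts at the web service: ten normal seconds used
# for training, two more normal seconds, then a flood beginning at second 12.
WEB_COUNTS = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96, 101, 99, 400, 900, 1500, 1500]
SAMPLE_PACKETS = (make_packets(WEB_COUNTS, "10.0.0.5", "TCP", 80)
                  + make_packets([5] * len(WEB_COUNTS), "10.0.0.5", "UDP", 53))  # unrelated DNS

if __name__ == "__main__":
    series = to_time_series(SAMPLE_PACKETS, "10.0.0.5", "TCP", 80, len(WEB_COUNTS))
    onset, stats = detect_onset(series, train_len=10)
    print("series:", series)
    print("cusum :", [round(s, 1) for s in stats])
    print("attack onset at second", onset)
```

Raising the threshold trades detection delay for fewer false alarms: with the constructed counts, a threshold of 50 flags second 12, while 300 waits until second 13.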
DoS/DDoS Countermeasure Strategies

- Absorbing the attack: use additional capacity to absorb the attack; it requires preplanning and additional resources
- Degrading services: identify critical services and stop noncritical services
- Shutting down the services: shut down all the services until the attack has subsided

There are three types of countermeasure strategies available for DoS/DDoS attacks:

Absorb the attack

Use additional capacity to absorb the attack; this requires preplanning and additional resources. One disadvantage is the cost of the additional resources, which is incurred even when no attacks are under way.

Degrade services

If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, first you need to identify the critical services. Then you can customize the network, systems, and application designs in such a way as to degrade the noncritical services. This may help you to keep the critical services functional. If the attack load is extremely heavy, then you may need to disable the noncritical services in order to keep the critical ones functional by providing additional capacity for them.

Shut down services

Simply shut down all services until the attack has subsided. Though it may not be an optimal choice, it may be a reasonable response for some.

Module 10 Page 1470
DDoS Attack Countermeasures

- Protect secondary victims
- Prevent potential attacks
- Mitigate attacks

There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, there is no single way that alone can provide protection against all DDoS attacks. In addition, attackers are constantly developing new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks:

- Protect secondary targets
- Neutralize handlers
- Prevent potential attacks
- Deflect attacks
- Mitigate attacks
- Post-attack forensics

Module 10 Page 1471
DoS/DDoS Countermeasures: Protect Secondary Victims

- Install antivirus and anti-Trojan software and keep it up to date
- Increase awareness of security issues and prevention techniques among all Internet users
- Disable unnecessary services, uninstall unused applications, and scan all files received from external sources
- Configure and regularly update the built-in defensive mechanisms in the core hardware and software of the systems

Individual Users

Potential secondary victims can be protected from DDoS attacks, which prevents them from becoming zombies. This demands intensified security awareness and the use of prevention techniques. To keep attackers from compromising secondary victims' systems and turning them into DDoS agents, users must continuously monitor their own security. Checks should be carried out to ensure that no agent programs have been installed on their systems and that no DDoS agent traffic is leaving them for the network. Installing antivirus and anti-Trojan software and keeping it updated helps here, as does applying software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web user, protection mechanisms integrated into the core of computing systems (hardware and software) can guard against malicious code insertion and considerably reduce the risk of a secondary system being compromised. Without compromised secondary victims, attackers have no attack network from which to launch DDoS attacks.
Network Service Providers

Service providers and network administrators can resort to dynamic pricing for network usage so that potential secondary victims become more active in preventing their computers from becoming part of a DDoS attack. Providers can charge differently according to how their resources are used, which pushes them to admit only legitimate customers onto their networks. When service prices change, the potential secondary victims who are paying for Internet access may become more aware of dangerous traffic and do a better job of ensuring that they do not participate in a DDoS attack.
DoS/DDoS Countermeasures: Detect and Neutralize Handlers

Neutralize botnet handlers:
- Study the communication protocols and traffic patterns between handlers and clients, or handlers and agents, to identify the network nodes that might be infected with a handler
- There are usually few DDoS handlers deployed compared to the number of agents, so neutralizing a few handlers can render many agents useless and thwart the attack

Spoofed source addresses:
- There is a good probability that the spoofed source address of a DDoS attack packet will not be a valid source address for the sub-network it appears to come from

A DDoS attack can be stopped by detecting and neutralizing the handlers, which are the intermediaries through which the attacker initiates the attack. Finding and stopping the handlers is a quick and effective way to counteract the attack. This can be done by studying the communication protocols and traffic patterns between handlers and clients, or handlers and agents, in order to identify the network nodes that might be hosting a handler. Because there are usually only a few handlers compared to the number of agents, neutralizing a few handlers can render many agents useless. Since the agents form the core of the attacker's ability to spread an attack, cutting off the handlers so the attacker can no longer direct them is an effective strategy against DDoS attacks.
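The two checks described above, that a protected host is not emitting agent traffic and that handler candidates can be picked out from the traffic pattern between handlers and agents, can both be run over flow records. The following is an added example written for this page, not EC-Council's code or tooling; it assumes a simplified, constructed flow-record format (timestamp, source, destination, destination port, protocol, packet count, TCP flags) and an assumed threshold for what counts as a SYN flood. It first flags agents by their outbound SYN-only flood and then flags, as a handler candidate, any host that contacted several of those agents on a common port before the flood began.

```python
"""Flag DDoS agents by their outbound flood, then the handler that reached them.
Added example, not from the CEH module. Flow-record format is assumed:
  <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto> <packets> <tcp_flags>
"""
from collections import defaultdict

# Constructed sample flows. 10.0.0.5 is the hypothetical handler: it talks to
# three internal hosts on TCP/6667 shortly before they all flood 203.0.113.10.
# 10.0.0.9 is a normal server that happens to talk to one of them.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.20 6667 tcp 12 PA
1000 10.0.0.5 10.0.1.21 6667 tcp 11 PA
1001 10.0.0.5 10.0.1.22 6667 tcp 14 PA
1001 10.0.0.9 10.0.1.20 443 tcp 30 PA
1005 10.0.1.20 203.0.113.10 80 tcp 48000 S
1005 10.0.1.21 203.0.113.10 80 tcp 51000 S
1006 10.0.1.22 203.0.113.10 80 tcp 47000 S
1006 10.0.1.30 203.0.113.10 80 tcp 15 PA
"""

SYN_FLOOD_PKTS = 10_000  # assumed threshold: SYN-only packets in one flow record


def parse_flows(text):
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, pkts, flags = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "pkts": int(pkts), "flags": flags})
    return flows


def find_agents(flows, threshold=SYN_FLOOD_PKTS):
    """Return {agent_ip: first_flood_ts} for hosts sending SYN-only floods.

    A flow of SYN-only packets at or above the threshold is agent traffic that
    the 'protect secondary victims' check says must never leave a host.
    """
    agents = {}
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S" and f["pkts"] >= threshold:
            agents[f["src"]] = min(f["ts"], agents.get(f["src"], f["ts"]))
    return agents


def find_handlers(flows, agents, min_agents=2):
    """Handler candidates: hosts that contacted >= min_agents flagged agents on
    one common destination port, each contact preceding that agent's flood."""
    contacts = defaultdict(lambda: defaultdict(set))  # src -> dport -> {agents}
    for f in flows:
        if (f["dst"] in agents and f["ts"] < agents[f["dst"]]
                and f["src"] not in agents):
            contacts[f["src"]][f["dport"]].add(f["dst"])
    handlers = {}
    for src, ports in contacts.items():
        for port, reached in ports.items():
            if len(reached) >= min_agents:
                handlers[src] = {"port": port, "agents": sorted(reached)}
    return handlers


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    agents = find_agents(flows)
    print("agents:", agents)
    print("handler candidates:", find_handlers(flows, agents))
```

Blocking the single handler candidate (10.0.0.5 in the constructed data) cuts the attacker off from all three agents at once, which is the point the section makes about the small handler-to-agent ratio. On real flow data the thresholds and the "common control port" assumption would need tuning per network.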
DoS/DDoS Countermeasures: Detect Potential Attacks

- Ingress filtering: blocks packets entering a network with forged source addresses, so the originator of traffic can be traced to its true source
- Egress filtering: checks packets leaving a network and forwards only those whose headers meet the filtering criteria
- TCP intercept: configuring TCP intercept prevents SYN-flood DoS attacks by intercepting and validating TCP connection requests before they reach the server

To detect or prevent a potential DDoS attack as it is being launched, ingress filtering, egress filtering, and TCP intercept can be used.

Ingress filtering

Ingress filtering does not offer protection against flooding attacks originating from valid prefixes (IP addresses); rather, it prevents an attacker from launching an attack using forged source addresses that do not obey the ingress filtering rules. When an Internet service provider (ISP) aggregates routing announcements for multiple downstream networks, strict traffic filtering must be applied in order to prohibit traffic originating from outside the aggregated announcements. The advantage of this filtering is that it allows the originator of traffic to be traced to its true source, because the attacker must use a valid and legitimately reachable source address.

Egress filtering

In this method of traffic filtering, the IP headers of packets leaving a network are scanned and checked against certain criteria. Only packets that pass the criteria are routed outside of the sub-network from which they originated; the packets
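The ingress and egress decisions above reduce to a source-address check against the prefixes a network legitimately owns. The following is an added example written for this page, not EC-Council's code or any vendor's implementation; it assumes a constructed customer edge with two inside prefixes and uses the standard bogon ranges (RFC 1918, loopback, link-local) as the "never valid from outside" set. It shows why egress filtering stops a local agent from spoofing and why ingress filtering leaves floods from valid, reachable sources untouched.

```python
"""Source-address ingress/egress filtering in the style of RFC 2827 / BCP 38.
Added example, not from the CEH module. Topology below is constructed."""
import ipaddress

# Assumed: the site behind this edge owns exactly these prefixes.
INSIDE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("192.0.2.0/25")]

# Sources that should never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_permit(src):
    """Packet entering from the Internet: drop if it claims an inside or bogon
    source. A flood from a real, routable outside address is still permitted;
    that is the limitation the section describes."""
    a = ipaddress.ip_address(src)
    if _in_any(a, INSIDE_PREFIXES):
        return False, "spoofed inside source arriving from outside"
    if _in_any(a, BOGONS):
        return False, "bogon source"
    return True, "ok"


def egress_permit(src):
    """Packet leaving the site: only the site's own prefixes may be the source."""
    a = ipaddress.ip_address(src)
    if _in_any(a, INSIDE_PREFIXES):
        return True, "ok"
    return False, "source not in site prefixes (spoofed flood from a local agent?)"


def filter_packets(packets, direction):
    """packets: iterable of (src, dst). Returns [(src, dst, permitted, reason)]."""
    check = ingress_permit if direction == "ingress" else egress_permit
    return [(src, dst) + check(src) for src, dst in packets]


# Constructed sample traffic.
SAMPLE_EGRESS = [("198.51.100.7", "203.0.113.10"),  # legitimate inside host
                 ("203.0.113.99", "203.0.113.10"),  # spoofed: not a site prefix
                 ("192.0.2.200", "203.0.113.10")]   # outside the /25 -> spoofed
SAMPLE_INGRESS = [("203.0.113.5", "198.51.100.7"),   # ordinary outside source
                  ("198.51.100.9", "198.51.100.7"),  # claims our own prefix
                  ("10.1.2.3", "198.51.100.7")]      # RFC 1918 bogon

if __name__ == "__main__":
    for row in (filter_packets(SAMPLE_EGRESS, "egress")
                + filter_packets(SAMPLE_INGRESS, "ingress")):
        print(row)
```

On a Cisco IOS router the same egress rule is normally expressed as an access list permitting only the site's prefixes as source on the outbound interface, or as unicast RPF (`ip verify unicast source reachable-via rx`), and the TCP intercept feature named in the slide is enabled with `ip tcp intercept list <acl>` together with `ip tcp intercept mode intercept` or `ip tcp intercept mode watch`.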
