Denial of Service
Module 10

Ethical Hacking and Countermeasures v8
Module 10: Denial-of-Service
Exam 312-50 Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Module 10 Page 1403

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

HSBC is Latest Target in Cyber Attack Spree
October 19, 2012
Source: http://www.foxbusiness.com

HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming
one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with
Islamic terrorism.
"HSBC servers came under a denial of service attack which affected a number of HSBC
websites around the world," the London-based banking giant said in a statement. "This denial
of service attack did not affect any customer data, but did prevent customers using HSBC online
services, including internet banking."
HSBC said it had the situation under control in the early morning hours of Friday London time.
The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled
users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has
also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and
Bank of America (BAC), said the attacks will continue until the anti-Islamic 'Innocence of
Muslims' film trailer is removed from the Internet.


In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called
Anonymous also took responsibility. However, a source in the computer security field who has
been monitoring the attacks told FOX Business "the technique and systems used against HSBC
were the same as the other banks." However, the person who requested anonymity noted that
Anonymous "may have joined in, but the damage was done by" al-Qassam.
The people behind al-Qassam have yet to be unmasked. Several published reports citing
unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security
researchers have told FOX Business the attacks don't show the hallmarks of an attack from that
country.
There is a consensus, however, that the group is likely using a fairly sophisticated type of
denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software
to take servers over and then use them as weapons. Once they are taken over, they slam the
Web servers hosting bank websites with a deluge of requests, making access either very slow or
completely impossible. Servers have an especially high level of connectivity to the Internet,
giving al-Qassam more horsepower with fewer machines.

Copyright © 2012 FOX News Network, LLC
By Adam Samson
http://www.foxbusiness.com/industries/2012/10/19/hsbc-is-latest-target-in-cyber-attack-spree/#ixzz2D14739cA


Module Objectives

- What Is a Denial of Service Attack?
- What Are Distributed Denial of Service Attacks?
- Symptoms of a DoS Attack
- DoS Attack Techniques
- Botnet
- Botnet Ecosystem
- Botnet Trojans
- DDoS Attack Tools
- DoS Attack Tools
- Detection Techniques
- DoS/DDoS Countermeasures
- Techniques to Defend against Botnets
- Advanced DDoS Protection Appliances
- DoS/DDoS Protection Tools
- Denial of Service (DoS) Attack Penetration Testing

This module looks at various aspects of denial-of-service attacks. The module starts
with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the
implications of such attacks. Distributed denial-of-service attacks and the various tools to
launch such attacks are included to spotlight the technologies involved. The countermeasures
for preventing such attacks are also taken into consideration. Viruses and worms are briefly
discussed in terms of their use in such attacks. This module will familiarize you with the
objectives listed above.

Module Flow

In the present Internet world, many attacks are launched targeting organizations in
the banking sector, as well as IT service and resource providers. DoS (denial of service) and
DDoS (distributed denial of service) were designed by attackers to breach organizations'
services.

Module flow:
- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section describes the terms DoS and DDoS, the working of DDoS, and the symptoms of DoS. It
also talks about cyber criminals and the organizational chart.


What Is a Denial of Service Attack?
Denial-of-service (DoS) is an attack that prevents authorized users from accessing a
computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth
attacks overflow the network with a high volume of traffic using existing network resources,
thus depriving legitimate users of these resources. Connectivity attacks overflow a computer
with a large amount of connection requests, consuming all available operating system
resources, so that the computer cannot process legitimate user requests.
An Analogy
Consider a company (Target Company) that delivers pizza upon receiving a telephone
order. The entire business depends on telephone orders from customers. Suppose a
person intends to disrupt the daily business of this company. If this person came up with a way
to keep the company's telephone lines engaged in order to deny access to legitimate
customers, obviously Target Company would lose business.
DoS attacks are similar to the situation described here. The objective of the attacker is not to
steal any information from the target; rather, it is to render its services useless. In the process,
the attacker can compromise many computers (called zombies) and virtually control them. The
attack involves deploying the zombie computers against a single machine to overwhelm it with
requests and finally crash the target in the process.


Figure 10.1: Denial of Service Attack (diagram: malicious traffic takes control over all the available bandwidth; attack traffic and regular traffic pass from the Internet through the router to the server cluster)


What Are Distributed Denial of Service Attacks?

- A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system
- To launch a DDoS attack, an attacker uses botnets and attacks a single system
- Impacts: loss of goodwill, disabled network, financial loss, disabled organization
Source: www.searchsecurity.com
A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the
availability of services on a target's system or network resources, launched indirectly through
many compromised computers on the Internet.
The services under attack are those of the "primary target," while the compromised systems
used to launch the attack are often called the "secondary target." The use of secondary targets
in performing a DDoS attack provides the attacker with the ability to wage a larger and more
disruptive attack, while making it more difficult to track down the original attacker.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack
uses many computers to launch a coordinated DoS attack against one or more targets. Using
client/server technology, the perpetrator is able to multiply the effectiveness of the
denial-of-service significantly by harnessing the resources of multiple unwitting accomplice
computers, which serve as attack platforms."
If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet
services in minutes.


How Distributed Denial of Service Attacks Work
In a DDoS attack, the target browser or network is pounded by many applications with
fake exterior requests that make the system, network, browser, or site slow, useless, and
disabled or unavailable.
The attacker initiates the attack by sending a command to the zombie agents. These zombie
agents send a connection request to a genuine computer system, i.e., the reflector. The
requests sent by the zombie agents seem to be sent by the victim rather than the zombies.
Thus, the genuine computer sends the requested information to the victim. The victim
machine gets flooded with unsolicited responses from several computers at once. This may
either reduce the performance or may cause the victim machine to shut down.
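The defining trace of the reflected attack described above is a response arriving at the victim that no request from the victim explains. The following added example (not part of the EC-Council module) shows a stateful check a defender can run over flow records at the victim's network edge: it remembers which request/response peers the protected host has actually contacted and flags every inbound response with no matching recent request. The flow records, the victim address (a documentation-range IP) and the five-second matching window are all constructed assumptions.

```python
"""Flag inbound replies that no outbound request from the victim explains.

Added example, not from the module: in a reflected DDoS the reflectors'
replies reach the victim although the victim never asked (the zombies
spoofed its address), so an unsolicited response is the tell-tale sign.
"""
from collections import deque

VICTIM_IP = "203.0.113.10"   # assumption: the protected host (documentation range)
MATCH_WINDOW = 5.0           # seconds a sent request stays "open" waiting for a reply

# Constructed flow records: (time, src_ip, dst_ip, kind) for a request/response
# protocol such as DNS or NTP.  Not captured traffic.
SAMPLE_FLOWS = [
    (0.0, VICTIM_IP, "198.51.100.53", "request"),   # victim really queries a DNS server
    (0.1, "198.51.100.53", VICTIM_IP, "response"),  # legitimate answer
    (1.0, "192.0.2.7", VICTIM_IP, "response"),      # replies from reflectors never contacted
    (1.0, "192.0.2.8", VICTIM_IP, "response"),
    (1.1, "192.0.2.9", VICTIM_IP, "response"),
    (8.0, "198.51.100.53", VICTIM_IP, "response"),  # stale: the only request was 8 s ago
]


def unsolicited_responses(flows, victim=VICTIM_IP, window=MATCH_WINDOW):
    """Return (source_ip, time) for every response with no recent matching request."""
    pending = deque()   # (time, peer) requests the victim has sent and not yet seen answered
    flagged = []
    for t, src, dst, kind in sorted(flows, key=lambda f: f[0]):
        # forget requests older than the matching window
        while pending and t - pending[0][0] > window:
            pending.popleft()
        if kind == "request" and src == victim:
            pending.append((t, dst))
        elif kind == "response" and dst == victim:
            match = next((p for p in pending if p[1] == src), None)
            if match is None:
                flagged.append((src, t))
            else:
                pending.remove(match)
    return flagged


def reflector_summary(flows):
    """Count unsolicited responses per source; many distinct sources at once is the DDoS pattern."""
    counts = {}
    for src, _ in unsolicited_responses(flows):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, t in unsolicited_responses(SAMPLE_FLOWS):
        print(f"t={t:.1f}s unsolicited response from {src}")
```

On real flow data the matching key should include ports and the protocol, and the window should follow the protocol's retransmission timers; the structure of the check stays the same. Note that blocking the flagged sources does not stop a reflection attack (the reflectors are innocent third parties), so this output is for alerting and for asking upstream providers to filter, not for automatic blacklisting.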


Figure 10.2: Distributed Denial of Service Attacks (diagram: the attacker sets up a handler system; the handler infects a large number of computers over the Internet; the compromised PCs (zombies) are instructed to attack)


Symptoms of a DoS Attack

Based on the target machine, the symptoms of a DoS attack may vary. There are four
main symptoms of a DoS attack. They are:
- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the amount of spam emails received
- Unusually slow network performance


Module Flow

So far, we have discussed DoS, DDoS, symptoms of DoS attacks, cybercriminals, and
the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform
DoS/DDoS attacks.

In a DoS attack, the victim, website, or node is prevented from providing services to valid users.
Various techniques are used by the attacker for launching DoS or DDoS attacks on a target
computer or network. They are discussed in detail in this section.


DoS Attack Techniques

A denial-of-service attack (DoS) is an attack performed on a networking structure to
disable a server from serving its clients. The actual intent and impact of DoS attacks is to
prevent or impair the legitimate use of computer or network resources. There are seven kinds
of techniques that are used by the attacker to perform DoS attacks on a computer or a
network. They are:
- Bandwidth Attacks
- Service Request Floods
- SYN Flooding Attacks
- ICMP Flood Attacks
- Peer-to-Peer Attacks
- Permanent Denial-of-Service Attacks
- Application-Level Flood Attacks


Bandwidth Attacks

- A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim
- When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic
- Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
- Basically, all bandwidth is used and no bandwidth remains for legitimate use
A bandwidth attack floods a network with a large volume of malicious packets in
order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume
network bandwidth of the targeted network to such an extent that it starts dropping packets.
The dropped packets may include those of legitimate users. A single machine cannot make enough
requests to overwhelm network equipment; therefore, DDoS attacks were created where an
attacker uses several computers to flood a victim.
Typically, a large number of machines is required to generate the volume of traffic required to
flood a network. As the attack is carried out by multiple machines that are combined together
to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack.
Furthermore, detecting the source of the attack and blocking it is difficult as the attack is
carried out by numerous machines that are part of different networks. All the bandwidth of the
target network is used by the malicious computers and no bandwidth remains for legitimate
use.
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO
packets.
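The slide's observation that a flood shows up as a "significant statistical change in the network traffic" is also the basis for detecting it. The following added example (not the module's code) learns a baseline of per-second packet counts and raises an alert when a new sample deviates from that baseline by more than a fixed number of standard deviations. The packet-count series, the 30-second baseline and the z-score threshold of 6 are constructed assumptions; a deployment would take the counts from an interface or flow counter.

```python
"""Detect a bandwidth flood as a statistical change in traffic volume.

Added example, not from the module.  The baseline is learned once from the
first BASELINE_SECONDS samples and deliberately not updated afterwards, so a
slowly ramping flood cannot teach the detector that the flood is normal.
"""
import statistics

BASELINE_SECONDS = 30   # samples used to learn the normal volume
Z_THRESHOLD = 6.0       # assumption: alert when a sample's z-score exceeds this

# Constructed packets-per-second series: 30 s of normal traffic, then a flood.
NORMAL = [980, 1010, 1050, 995, 1020, 990, 1005, 1030, 975, 1000,
          1015, 1045, 985, 1010, 1000, 1025, 990, 1005, 1035, 995,
          1010, 1000, 1020, 980, 1005, 1030, 1015, 990, 1000, 1010]
FLOOD = [1005, 1020, 45000, 52000, 60000]
SAMPLE_PPS = NORMAL + FLOOD


def volume_alerts(series, baseline_seconds=BASELINE_SECONDS, z_threshold=Z_THRESHOLD):
    """Return (index, pps, z_score) for every sample after the baseline that deviates from it."""
    if len(series) <= baseline_seconds:
        return []                       # not enough history to judge anything yet
    base = series[:baseline_seconds]
    mean = statistics.mean(base)
    stdev = statistics.pstdev(base) or 1.0   # guard against a perfectly flat baseline
    alerts = []
    for i in range(baseline_seconds, len(series)):
        z = (series[i] - mean) / stdev
        if z > z_threshold:             # one-sided: only a surge is a flood
            alerts.append((i, series[i], round(z, 1)))
    return alerts


if __name__ == "__main__":
    for index, pps, z in volume_alerts(SAMPLE_PPS):
        print(f"second {index}: {pps} pps (z={z}) exceeds the learned baseline")
```

The same test applies to any counter whose normal value is stable: bytes per second, ICMP echo requests per second, or new flows per second. A fixed baseline must eventually be re-learned (for example nightly, from a period with no alerts) or legitimate growth will trip it.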

Service Request Floods

- An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections
- Service request flood attacks flood servers with a high rate of connections from a valid source
- It initiates a request on every connection
Service request floods work based on the connections per second principle. In this
method or technique of a DoS attack, the servers are flooded with a high rate of connections
from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server
resources by setting up and tearing down TCP connections. This probably initiates a request on
each connection, e.g., an attacker may use his or her zombie army to fetch the home page from
a target web server repeatedly. The resulting load on the server makes it sluggish.
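Because a service request flood completes each TCP handshake before issuing a request, the client addresses in the server's access log are real, and the defender's signal is a request rate per client far beyond what a browser produces. The following added example (not the module's code) parses constructed common-log-format lines, buckets requests per client per second and reports clients that exceed a threshold in any single second. The log lines, the client addresses and the threshold of 50 requests per second are constructed assumptions.

```python
"""Spot a service request flood in web-server access log lines.

Added example, not from the module.  Lines follow the common log format
written by Apache and nginx; the sample below is constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
RATE_THRESHOLD = 50   # assumption: more than 50 requests/s from one client is a flood

# Constructed log lines: one normal client and one client fetching "/" 80 times a second.
SAMPLE_LOG = (
    ['198.51.100.7 - - [19/Oct/2012:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512']
    + ['203.0.113.%d - - [19/Oct/2012:10:00:0%d +0000] "GET / HTTP/1.1" 200 512' % (5, s)
       for s in range(0, 3) for _ in range(80)]
    + ['198.51.100.7 - - [19/Oct/2012:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 210']
)


def parse_line(line):
    """Return (client_ip, second, request, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, TIME_FMT)
    return ip, when.replace(microsecond=0), request, int(status)


def requests_per_second(lines):
    """Map (client_ip, second) -> number of requests logged in that second."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, second, _request, _status = parsed
            counts[(ip, second)] += 1
    return counts


def flooding_clients(lines, threshold=RATE_THRESHOLD):
    """Return {client_ip: peak requests/s} for clients above the threshold in any second."""
    peaks = {}
    for (ip, _second), n in requests_per_second(lines).items():
        if n > threshold:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


if __name__ == "__main__":
    for ip, peak in flooding_clients(SAMPLE_LOG).items():
        print(f"{ip}: peak {peak} requests/s")
```

Per-client rate limiting is effective against this technique precisely because the source addresses cannot be spoofed (the handshake must complete), which is not true of the SYN and ICMP floods discussed later; for those, a per-source count of log entries says little.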


SYN Attack

A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of
SYN requests to a target machine (victim). When a client wants to begin a TCP connection to
the server, the client and the server exchange a series of messages as follows:
- The attacker sends fake TCP SYN requests to the target server (victim)
- The target machine sends back a SYN ACK in response to the request and waits for the
ACK to complete the session setup
- The target machine never gets the response because the source's address is fake
Note: This attack exploits the three-way handshake method


SYN Flooding

- SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
- When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds
- A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
- The victim's listen queue is quickly filled up
- This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
SYN flooding is a denial-of-service attack that exploits a weakness in the TCP protocol.
This attack occurs when the intruder sends unlimited SYN packets (requests) to the host
system. The process of transmitting such packets is faster than the system can handle.
The connection is established as defined by the TCP three-way handshake as:
- Host A sends the SYN request to Host B
- Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A
- Host A then responds with the ACK packet, establishing the connection
When Host B receives the SYN request from Host A, it must keep track of the partially open
connection in its listen queue for a few seconds, e.g., for at least 75 seconds.
The intruder transmits infinite numbers of such SYN requests with a forged address, which
forces the host to keep state for addresses that never answer the SYN-ACK. Such numerous
requests can produce the TCP SYN flooding attack. It works by filling the table reserved for half
open TCP connections in the operating system's TCP/IP stack. When the table becomes full,
new connections cannot be opened until and unless some entries are removed from the table
(due to handshake timeout). This attack can be carried out using fake IP addresses, so it is
difficult to trace the source. The table of connections can be filled without spoofing the source
IP address. Normally, the space allotted to fixed-size tables, such as the half-open TCP connection
table, is only a small fraction of the total.
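The SYN attack and SYN flooding sections above both come down to one piece of server state: the fixed-size table of half-open connections and the timeout that is the only thing that frees its entries. The following added example (not the module's code, and sending nothing on any network) models that table to show why the legitimate client is refused while spoofed entries occupy it, why it is accepted again once entries time out, and how the fraction of the table that is half-open serves as a detection metric. The table capacity of 8 and the peer addresses are constructed assumptions; the 75-second timeout is the figure the text gives.

```python
"""Model of the half-open (SYN-RECV) table described in the text.

Added example, not from the module: a simulation of the listen queue with
string "hosts", no sockets.  Capacity and peers are assumptions; the
75-second timeout comes from the text.
"""

HALF_OPEN_TIMEOUT = 75.0   # seconds a half-open entry is kept before the handshake times out


class ListenQueue:
    """Fixed-size table of half-open connections keyed by (peer_ip, peer_port)."""

    def __init__(self, capacity, timeout=HALF_OPEN_TIMEOUT):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}        # (ip, port) -> time the SYN arrived
        self.established = set()
        self.dropped = 0           # SYNs refused because the table was full

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, peer, now):
        """Server received a SYN; True if it could keep state and send a SYN/ACK."""
        self._expire(now)
        if peer in self.half_open:
            return True                      # retransmitted SYN reuses its entry
        if len(self.half_open) >= self.capacity:
            self.dropped += 1                # table full: the SYN is silently dropped
            return False
        self.half_open[peer] = now
        return True

    def on_ack(self, peer, now):
        """Third handshake packet; True if the connection became established."""
        self._expire(now)
        if peer not in self.half_open:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True

    def half_open_ratio(self, now):
        """Detection metric: share of the table occupied by half-open entries (1.0 = full)."""
        self._expire(now)
        return len(self.half_open) / self.capacity


def flood_scenario(capacity=8):
    """Spoofed SYNs fill the table; the legitimate client is refused until entries time out."""
    q = ListenQueue(capacity)
    # Constructed spoofed sources: addresses that will never answer the SYN/ACK.
    for i in range(capacity):
        q.on_syn((f"192.0.2.{i}", 40000 + i), now=float(i))
    legit = ("198.51.100.7", 51000)
    refused_at_10s = not q.on_syn(legit, now=10.0)      # every slot is half-open
    ratio_during = q.half_open_ratio(now=10.0)          # 1.0
    accepted_at_80s = q.on_syn(legit, now=80.0)         # entries from t<=5 have timed out
    established = q.on_ack(legit, now=80.1)
    return {
        "refused_at_10s": refused_at_10s,
        "ratio_during": ratio_during,
        "accepted_at_80s": accepted_at_80s,
        "established": established,
        "dropped": q.dropped,
    }


if __name__ == "__main__":
    print(flood_scenario())
```

On a live host the same metric is the count of sockets in the SYN-RECV state on a listening port compared with the configured backlog; a ratio near 1.0 that persists across the handshake timeout, with the half-open peers never progressing to ESTABLISHED, is the flood signature, and it holds whether or not the source addresses are spoofed.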

Figure 10.3: SYN Flooding (diagram: normal connection establishment between Host A and Host B with SYN, SYN/ACK, ACK; SYN flooding with repeated SYNs from Host A and no ACK)


ICMP Flood Attack

- ICMP flood is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests
- The attacker sends ICMP ECHO requests with spoofed source addresses
- After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well, including a legitimate ICMP echo request from an address in the same security zone
Internet Control Message Protocol (ICMP) packets are used for locating network
equipment and determining the number of hops to get from the source location to the
destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request
to a destination system and receive a response with the roundtrip time.
A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to
a victim system. These packets signal the victim's system to reply, and the combination of
traffic saturates the bandwidth of the victim's network connection. The source IP address may
be spoofed.
In this kind of attack the perpetrators send a large number of packets with fake source
addresses to a target server in order to crash it and cause it to stop responding to TCP/IP
requests.
After the ICMP threshold is reached, the router rejects further ICMP echo requests from all
addresses in the same security zone for the remainder of the current second and the next
second as well.
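The router behaviour described above is a per-zone rate limit with a penalty period. The following added example (not the module's code and not any vendor's implementation) shows that policy in working form: once the echo requests seen from a zone within one second exceed the threshold, every further echo request from that zone is rejected for the rest of that second and for the whole of the next second, after which counting starts afresh. The packet trace, the zone names and the threshold of 3 per second are constructed assumptions; a real limit would be far higher.

```python
"""Per-security-zone ICMP echo request limiter, as described in the text.

Added example, not from the module.  Packets are (time, zone) tuples;
the threshold is an assumption chosen small so the trace stays readable.
"""
import math


class IcmpZoneLimiter:
    def __init__(self, threshold_per_second):
        self.threshold = threshold_per_second
        self.count = {}          # zone -> (second, echo requests seen in that second)
        self.blocked_until = {}  # zone -> first second at which requests are accepted again

    def allow(self, zone, now):
        """Return True if an echo request from `zone` arriving at time `now` may pass."""
        second = math.floor(now)
        if second < self.blocked_until.get(zone, -1):
            return False                     # still inside the penalty period
        last_second, n = self.count.get(zone, (second, 0))
        if last_second != second:
            n = 0                            # new second, fresh count
        n += 1
        self.count[zone] = (second, n)
        if n > self.threshold:
            # reject for the rest of this second and all of the next one
            self.blocked_until[zone] = second + 2
            return False
        return True


def replay(packets, threshold=3):
    """Run constructed (time, zone) echo requests through the limiter; return the decisions."""
    limiter = IcmpZoneLimiter(threshold)
    return [limiter.allow(zone, t) for t, zone in packets]


# Constructed trace: a burst in zone "dmz", a single request in zone "lan".
SAMPLE_PACKETS = [
    (0.10, "dmz"), (0.20, "dmz"), (0.30, "dmz"),   # within the threshold
    (0.40, "dmz"),                                 # 4th in the same second: rejected
    (0.50, "lan"),                                 # other zone is unaffected
    (0.90, "dmz"),                                 # remainder of second 0: rejected
    (1.50, "dmz"),                                 # all of second 1: rejected
    (2.05, "dmz"),                                 # second 2: accepted again
]

if __name__ == "__main__":
    for (t, zone), ok in zip(SAMPLE_PACKETS, replay(SAMPLE_PACKETS)):
        print(f"t={t:.2f}s zone={zone}: {'allow' if ok else 'reject'}")
```

The trace also illustrates the side effect the text mentions: the legitimate request at 0.90 s is rejected along with the flood because the limit is applied to the whole zone, not to the spoofed sources, which cannot be told apart anyway. That is the trade-off of zone-level limiting: it protects the router and the network behind it at the cost of ping reachability for everyone in the zone during the penalty period.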


Figure 10.4: ICMP Flood Attack (diagram: the attacker sends ICMP ECHO requests with spoofed source addresses to the target server; beyond the maximum limit of ICMP echo requests per second, further requests, including a legitimate ICMP echo request from an address in the same security zone, are rejected)


Peer-to-Peer Attacks

- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website
- Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients
- Using this method, attackers launch massive denial-of-service attacks and compromise websites
A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker
exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit
flaws found in the network that uses DC++ (Direct Connect) protocol, which allows the
exchange of files between instant messaging clients. This kind of attack doesn't use botnets for
the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need of attackers
to communicate with clients. Here the attacker instructs the clients of peer-to-peer file sharing
hubs to disconnect from their network and to connect to the victim's website. With this,
several thousand computers may try to connect to the target website, which causes a drop in
the performance of the target website. These peer-to-peer attacks can be identified easily
based on their signatures. Using this method, attackers launch massive denial-of-service attacks
and compromise websites.


Figure 10.5: Peer-to-Peer Attacks (diagram: the attacker directs attack traffic from User-1 through User-5 toward the target)


Permanent Denial-of-Service Attack

- Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
- Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware
- Bricking a system method:
  1. This attack is carried out using a method known as "bricking a system"
  2. Using this method, attackers send fraudulent hardware updates to the victims
- Process: the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer; malicious code is executed on the victim
Permanent denial-of-service (PDoS) is also known as phlashing. This refers to an attack
that damages the system and makes the hardware unusable for its original purpose until it is
either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote
administration of the management interfaces of the victim's hardware, such as printers,
routers, and other networking hardware.
This attack is carried out using a method known as "bricking a system." In this method, the
attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to
the victim by modifying and corrupting the updates with vulnerabilities or defective firmware.
When the victim clicks on the links or pop-up windows referring to the fraudulent hardware
updates, they get installed on the victim's system. Thus, the attacker takes complete control
over the victim's system.


Figure 10.6: Permanent Denial-of-Service Attack (diagram: the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer; malicious code is executed on the victim)


Application Level Flood Attacks CEH
UrtrfW*

itfciul NMhM

J Application-level flood attacks result inthe loss of services of a particular
network, such as em networkresources, the tem
ails,
porary ceasingof
applications and services, and m
ore
J

Usingthis attack, attackers destroy program ing source code and files
m
in affected com
puter system
s
Using application-level flood attacks, attackers attempts to:

Flood w ap lication
eb p
s
to leg ate user traffic
itim

D
isrupt service to asp
ecific
systemor person, for ex p
am le,
b ckin a user’s access b
lo g
y
rep
eating in
valid lo in
g
attem
pts

Copyright © by

Jam the ap licatio p
n
database connection b
y
crafting m u SQ
alicio s L
q
ueries

E C i a .All Rights Reserved. Reproduction is Strictly Prohibited.
&onl

Application-level Flood Attacks
Some DoS attacks rely on software-related exploits such as buffer overflows, whereas most other kinds of DoS attack exhaust bandwidth. Attacks that exploit software confuse the application into filling the disk or consuming all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat to doing business on the Internet, and web application security is more critical than ever: such an attack can cost an organization substantial money, service, and reputation. Usually the loss of service is the unavailability of a specific network service, such as email, or the temporary loss of all network connectivity and services. Using this attack, attackers can also destroy programming source code and files on affected computer systems.
Using application-level flood attacks, attackers attempt to:

- Flood web applications, thereby preventing legitimate user traffic.
- Disrupt service to a specific system or person, for example blocking a user's access by repeated invalid login attempts that trigger an account lockout.
- Jam the application-database connection by crafting CPU-intensive SQL queries.
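The three patterns above leave distinct traces in a web server's access log. The following detector is an added example, not code from the CEH courseware: it runs over constructed combined-format access log lines and flags a source whose request rate in a sliding window exceeds a limit, an account collecting repeated failed logins (the pattern behind a lockout), and a burst against endpoints known to be expensive for the database. The log lines, the thresholds, the /login path, the ?user= query parameter, and the list of expensive endpoints are all assumptions made for the example.

```python
"""Application-layer flood indicators from web server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style line: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def _user_from_path(path):
    """Assumption for the example: the login form carries the account name as ?user=."""
    m = re.search(r"[?&]user=([^&]+)", path)
    return m.group(1) if m else None

def detect(lines, window=timedelta(seconds=10), rate_limit=50,
           login_path="/login", login_fail_limit=5,
           expensive_paths=("/search", "/report"), expensive_limit=20):
    """Return sorted (indicator, subject) pairs found in the log lines."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = set()
    per_ip, per_user, per_path = defaultdict(deque), defaultdict(deque), defaultdict(deque)

    def push(q, ts):
        """Append ts to a per-key deque, drop entries older than the window, return its size."""
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        return len(q)

    for e in events:
        # 1. one source flooding the application
        if push(per_ip[e["ip"]], e["ts"]) > rate_limit:
            findings.add(("flood", e["ip"]))
        bare = e["path"].split("?", 1)[0]
        # 2. repeated invalid logins against one account (lockout attempt)
        if bare == login_path and e["status"] == 401:
            user = _user_from_path(e["path"])
            if user and push(per_user[user], e["ts"]) > login_fail_limit:
                findings.add(("lockout", user))
        # 3. burst against a database-heavy endpoint
        if bare in expensive_paths and push(per_path[bare], e["ts"]) > expensive_limit:
            findings.add(("db_hammer", bare))
    return sorted(findings)

def make_sample_log():
    """Constructed sample traffic (not real data): two normal users, one flooder,
    one account-lockout attempt and one burst against an expensive report endpoint."""
    base = datetime(2012, 10, 19, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_ms, method, path, status):
        ts = (base + timedelta(milliseconds=offset_ms)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512')

    for i in range(8):                                   # normal browsing
        add("10.0.0.5", i * 1000, "GET", "/index.html", 200)
        add("10.0.0.6", i * 1000 + 300, "GET", "/search?q=shoes", 200)
    for i in range(120):                                 # 20 req/s for 6 s from one host
        add("203.0.113.9", i * 50, "GET", f"/index.html?x={i}", 200)
    for i in range(7):                                   # 7 bad passwords for alice
        add("198.51.100.4", 2000 + i * 400, "POST", "/login?user=alice", 401)
    add("10.0.0.5", 5000, "POST", "/login?user=bob", 401)  # a single honest typo
    for i in range(25):                                  # 25 report requests in 2.5 s
        add("192.0.2.77", 3000 + i * 100, "GET", "/report?year=2012", 200)
    return lines

if __name__ == "__main__":
    for indicator, subject in detect(make_sample_log()):
        print(indicator, subject)
```

Run against the constructed log, the detector reports the flooding host, the account under lockout attack, and the hammered report endpoint, while the two ordinary users (including the one failed login for bob) stay below every threshold. The thresholds are deliberately simple; in production they would be tuned per endpoint, and a legitimate crawler or a shared NAT address can exceed a per-IP limit, so findings are leads for investigation rather than automatic blocks.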

[Figure: an attacker exploiting application source code against the victim.]
FIGURE 10.7: Application-level Flood Attacks

Module Flow
So far, we have discussed DoS/DDoS concepts and DoS/DDoS attack techniques. As mentioned previously, DoS and DDoS attacks are performed using botnets or zombies, a group of security-compromised systems.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section describes botnets, as well as their propagation techniques and ecosystem.


Organized Crime Syndicates
Cyber criminals have developed refined ways of exploiting trust for financial gain, and they are increasingly associated with organized crime syndicates in order to take advantage of those refined techniques. Cybercrime is now getting more organized: where cyber criminals once developed malware independently for financial gain, they now operate in groups, and this has grown into an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price. The growing volume of malware puts an extra load on security systems.
According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and most of the stolen data (70%) was the work of criminals outside the target organization.
The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.


Organized Cyber Crime: Organizational Chart
Cybercrime is organized hierarchically, and each criminal is paid according to the task he or she performs or the position held. The head of the cybercrime organization, the boss, acts as a business entrepreneur and does not commit cybercrimes directly. Next in the hierarchy is the "underboss," the second in command, who manages the operation of the cybercrimes.
The underboss provides the Trojans needed for the attacks and also manages the Trojans' command and control center. People working under the underboss are known as "campaign managers." They hire for and run their own attack campaigns, performing attacks and stealing data through affiliation networks that serve as distribution channels. The stolen data is then sold by "resellers," who are not directly involved in the crimeware attacks; they simply sell the stolen data of genuine users.

[Figure: roles in the organizational chart, top to bottom: attackers / crimeware toolkit owners (Trojan distribution in legitimate websites); underboss: Trojan provider and manager of Trojan command and control; campaign managers; affiliation networks; stolen data resellers.]
FIGURE 10.8: Organizational Chart

Botnet

The term botnet is derived from "roBOT NETwork"; a botnet is also called a zombie army. A botnet is a huge network of compromised systems, and it can grow to huge numbers of machines without the intervention of the machines' owners. Botnets consist of a set of compromised systems that are controlled through a common command infrastructure.
Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are hidden programs that allow the identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information.
Bots are used for both positive and negative purposes. They provide useful services such as search engine indexing and web spidering, but they can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are the most vulnerable to these attacks, and as the size of a network increases, so does the chance that some system in it is vulnerable. An intruder can scan network ranges to identify which hosts are vulnerable to attack; to build a botnet, an intruder typically targets machines in large address blocks such as Class B network ranges.

Purpose of Botnets:

- Allows the intruder to operate remotely.
- Scans the environment automatically and spreads through vulnerable areas, gaining access via weak passwords and other means.
- Allows compromising a host's machine through a variety of tools.
- Creates DoS attacks.
- Enables spam campaigns by turning the bots into SMTP mail relays.
- Enables click fraud and other illegal activities.

The diagram that follows shows how an attacker launches a botnet-based DoS attack on a target server.

[Figure: the attacker sets a bot on a machine; the bot looks for other vulnerable systems and infects them to create the botnet (zombies); the bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the bot command and control center; the bots attack the target server.]
FIGURE 10.9: Botnet

In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects and compromises a machine, the first victim bot, and then uses it to compromise more vulnerable systems in the network. Thus the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and makes the botnet connect to it: the zombies connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through the C&C to launch a DoS attack on a target server, making the target server unavailable or non-responsive to other genuine hosts in the network.
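Bots that connect to a C&C handler and wait for instructions usually re-connect or check in at a fixed interval, which makes the timing of their connections to one destination far more regular than a person's browsing. The following is an added example, not code from the CEH courseware: it groups constructed outbound connection records by (source, destination, port), computes the inter-arrival times of each series, and flags series whose gaps have a low coefficient of variation (standard deviation over mean). The records, addresses and thresholds are assumptions made for the example.

```python
"""Beacon (C&C check-in) detection from outbound connection records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

def beacon_candidates(conns, min_count=6, max_cv=0.2):
    """conns: iterable of (t_seconds, src_ip, dst_ip, dst_port).

    Returns sorted (src, dst, port, period_seconds) tuples for series with at
    least `min_count` connections whose gap coefficient of variation
    (stdev / mean) is at most `max_cv`.
    """
    series = defaultdict(list)
    for t, src, dst, dport in conns:
        series[(src, dst, dport)].append(float(t))
    out = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_count:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # every connection at the same instant: a burst, not a beacon
        if pstdev(gaps) / period <= max_cv:
            out.append((src, dst, dport, round(period, 2)))
    return sorted(out)

def sample_connections():
    """Constructed flow records (seconds since capture start, src, dst, port); not real data."""
    conns = []
    # a bot checking in every 4 s to a handler listening on an unusual high port
    conns += [(4 * i, "10.0.0.7", "198.51.100.20", 60123) for i in range(15)]
    # a second bot with slight jitter: gaps alternate between 4.2 s and 3.8 s
    t = 0.0
    for i in range(10):
        conns.append((t, "10.0.0.8", "203.0.113.50", 443))
        t += 4.2 if i % 2 == 0 else 3.8
    # a person browsing one site: irregular gaps
    conns += [(s, "10.0.0.5", "93.184.216.34", 443)
              for s in (0, 1, 1.5, 9, 30, 31, 70, 71.5)]
    # perfectly regular, but too short a series to judge
    conns += [(10 * i, "10.0.0.9", "192.0.2.1", 80) for i in range(3)]
    return conns

if __name__ == "__main__":
    for src, dst, port, period in beacon_candidates(sample_connections()):
        print(f"{src} -> {dst}:{port} every ~{period}s")
```

On the constructed records only the two bots are reported, the jittered one with a period of about 4.02 s; the browsing session fails the regularity test and the three-connection series is too short to judge. The check is a heuristic: legitimate software updaters and monitoring agents also beacon, so hits need to be correlated with the destination's reputation and port, and a bot that randomizes its sleep interval widely will not be caught by a coefficient-of-variation threshold alone.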


Botnet Propagation Technique
Botnet propagation is the technique used to hack systems and grab tradable information from them without the victims' knowledge. The head of the operation is the boss, the cybercriminal. Botnet propagation involves both the criminal (boss) and attackers (campaign managers). The criminal does not attack the victim system directly; instead, he or she performs attacks with the help of the attackers. The criminal configures an affiliation network as the distribution channel. The job of the campaign managers is to hack a legitimate site and insert a reference to malicious code into it; the malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections achieved, so the cybercriminals have an incentive to promote the infection flow. The attackers serve the malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine; the Trojan uploads the stolen data to, and receives its commands from, the Trojan command and control center.

[Figure: the criminal runs the cybercrime-related IT operations (servers, software, and services), including the crimeware toolkit database and the Trojan command and control center; attackers compromise legitimate websites through a malicious affiliation network; the Trojan uploads stolen data to and receives commands from the command and control center.]
FIGURE 10.10: Botnet Propagation Technique


Botnet Ecosystem
A group of computers infected by bots is called a botnet. A bot is a malicious program that allows cybercriminals to control compromised machines and use them for their own goals, such as scams, launching DDoS attacks, and distributing spam. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites the various parts of the cybercriminal world. Cybercriminal service suppliers are part of the cybercrime network; they offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing.
Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications for attacking remote computers over the network. Malware services are offered by developers on public sites or on closed Internet resources.
Typically, the botnet ecosystem is divided into three parts, namely the trade market, DDoS attacks, and spam. A botmaster is the person who makes money by renting the infected botnet groups out as a service on the black market. The master searches for vulnerable ports and uses the hosts behind them as candidate zombies to infect. The infected zombies can then be used to perform DDoS attacks; alternatively, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activity.

The pictorial representation of the botnet ecosystem is shown as follows:

[Figure: the botnet owner operates the crimeware toolkit database and the Trojan command and control center (C&C); inputs include the zero-day market, scan and intrusion, malicious sites, client-side vulnerabilities, redirects, and emails; the botnet market trades licenses, MP3/DivX, financial diversion, and data theft; outputs include DDoS, spam and mass mailing, the malware market, scams, adverts, stock fraud, and extortion.]
FIGURE 10.11: Botnet Ecosystem


Botnet Trojan: sharK
Source: https://sites.google.com
sharK is a reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK, an attacker can remotely administer any PC running Windows.

Features:

- RC4 encrypted traffic (new and modded)
- zLib compressed traffic
- High-speed, stable screen/cam capture
- Keylogger with highlight feature
- Remote memory execution and injection
- Very fast file manager/registry editor listing due to a unique technique
- Anti: debugger, VMware, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, VirtualBox
- Supports random startup and random server names
- Desktop preview in the SIN Console
- Sortable and configurable SIN Console
- Remote Autostart Manager
- Optional Fwb++ (process injection, API unhook)
- Folder mirroring
[Screenshot: the sharK 3.1 fwb++ Command Control Center (tabs sharK, Desktop Preview, IRC-Chat, Website; columns Country, Username, PC Name, Version, Ping) with log lines "Listening on Port: 60123", "sharK 3.1 fwb++, Last Compiled: 30.03.2008", and "New Server: 127.0.0.1 - Server 1", beside the New Server dialog (server name, server password, connection interval 4 seconds, bind files, blacklist, anti-debugging, stealth, firewall bypass, offline keylogger with a maximum log size in KByte, and a list of SIN addresses with Add, Delete, Save Current Profile, and Test Hosts).]
FIGURE 10.12: Botnet Trojan: sharK


Poison Ivy: Botnet Command Control Center
Poison Ivy is an advanced remote administration tool that uses an encrypted "reverse connection" from the victim to the attacker in order to bypass firewalls. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.

FIGURE 10.13: Poison Ivy: Botnet Command Control Center


Botnet Trojan: PlugBot
Source: http://theplugbot.com
PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected while being powerful enough to scan, collect, and deliver test results externally.
Some of the features include:

- Issue scan commands remotely
- Wireless 802.11b ready
- Gigabit Ethernet capable
- 1.2 GHz processor
- Supports Linux, Perl, PHP, MySQL on-board
- Covertly disguised as a power adapter
- Capable of invoking most Linux-based scan apps and scripts

[Screenshot: the PlugBot web dashboard (Dashboard, DropZone, Account, Settings, Help; Jobs, Applications, Bots) showing "PlugBot Statistics: shown below are some quick stats on your botnet": Bots: 2, Jobs Pending: 0, Jobs Completed: 0, Check-Ins: 14636.]
FIGURE 10.14: Botnet Trojan: PlugBot


Botnet Trojans: Illusion Bot and NetBot Attacker

Illusion Bot
Source: http://www.teamfurry.com
Illusion Bot is a bot whose binary is built and configured through a GUI, the Illusion Maker shown in Figure 10.15.

Features:

- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 firewall bypass
- DDoS capabilities

[Screenshot: Illusion Maker. Binary path (BOTBINARY.EXE); IRC Administration (two hosts, port 6667, channel, password); WEB Administration (two hosts, port, path; refresh time in seconds); Default services: Socks4 port, Socks5 port, FTP port, random range 2001-3000, bindshell port; IRC Access: bot password with MD5 crypt; Options: install kernel driver, IRC server needs password, auto-OP admin on IRC channel, colored IRC messages, inject code, bypass XP SP2 firewall, save services state in registry, add to autoload; Flood Values; Save; About.]
FIGURE 10.15: Illusion Maker

NetBot Attacker
NetBot Attacker has a simple Windows user interface for controlling botnets. Attackers use it to command their bot networks and collect reports from them, including issuing attack commands. It is distributed as two RAR files, one containing an INI configuration file and the other a simple EXE. It becomes more powerful as more bots are turned against the target servers. Through a bot, attackers can execute or download a file, open particular web pages, and even shut down all the infected PCs.

[Screenshot: the NetBot Attacker console with tabs Online hosts, Attack Area, Collective order, and Use help; the host list has columns PC IP, Computer system (Windows XP), Memory, and Service edition.]
FIGURE 10.16: NetBot Attacker


Module Flow
So far, we have discussed DoS/DDoS concepts, attack techniques, and botnets. For a better understanding of attack trajectories, and to find possible ways to locate attackers, a few DDoS case studies are featured here.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section highlights some real-world scenarios of DDoS attacks.


DDoS Attack
In a DDoS attack, a group of compromised systems, usually infected with Trojans, is used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of the LOIC tool and a crowd of volunteers.

[Figure: an anonymous hacker releases the Low Orbit Ion Cannon (LOIC) tool on the web; hackers advertise the LOIC tool on Twitter, Facebook, Google, etc.; volunteers connect to an IRC channel and wait for instructions from the attacker; the volunteers then launch the DDoS attack together.]
FIGURE 10.17: DDoS Attack


DDoS Attack Tool: LOIC
LOIC is an open source tool written in C#. Its stated purpose is to stress-test web applications so that developers can see how an application behaves under heavy load. Of course, a stress-testing application, which can be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehose of garbage requests directed at a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server: its garbage requests can easily be ignored while legitimate requests for web pages are answered as normal.
But when thousands of users run LOIC at once, the wave of requests becomes overwhelming, often shutting a web server (or one of the machines behind it, such as a database server) down completely, or preventing legitimate requests from being answered.
LOIC is focused on web applications, so it can also be called an application-based DoS tool. LOIC can be used against a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.


FIGURE 10.18: DDoS Attack Tool: LOIC


Hackers Advertise Links to Download Botnet


Hackers Advertise Links to Download Botnets


FIGURE 10.19: Hackers Advertise Links to Download Botnets


Module Flow
So far, we have discussed the DoS/DDoS concepts, attack techniques, botnets, and real-time DDoS scenarios. The DoS/DDoS attacks discussed so far can also be performed with the help of tools, which make the attacker's job easy.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing

This section lists and describes various DoS/DDoS attack tools.

DoS Attack Tools
[Screenshots: DoSHTTP 2.5.1 (Socketsoft.net, evaluation mode), an "HTTP Flood Denial of Service (DoS) Testing Tool" with Target URL, User Agent, Sockets and Requests (Continuous) fields, Verify URL and Stop Flood buttons, and Requests/Responses counters; and Sprut, "Multisystem TCP Denial of Service Attacker [Build #12]", coded by Yarix (yarix@tut.by), showing "Connecting to 118.215.252.59:80", Connected 1174, Connect OK. Both tools send their flood across the Internet to the target server.]

DoS Attack Tools
DoSHTTP
Source: http://www.socketsoft.net
DoSHTTP is HTTP flood denial-of-service (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. It also allows you to test web server performance and evaluate web server protection software.
Features:
- Supports HTTP redirection for automatic page redirection
- Includes URL verification that displays the response header and document
- Includes performance monitoring to track requests issued and responses received
- Allows customized User Agent header fields
- Uses multiple asynchronous sockets to perform an effective HTTP flood
- Allows user-defined socket and request settings
- Supports numeric addressing for target URLs

[Screenshot: DoSHTTP 2.5.1 running against Target URL 192.168.168.97 with User Agent "Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1)", 500 sockets, continuous requests; status Running, Requests: 1, Responses: 0.]

FIGURE 10.20: DoS HTTP

Sprut
Sprut is a multisystem TCP denial of service attacker.

[Screenshot: Sprut, "Multisystem TCP Denial of Service Attacker [Build #12]", coded by Yarix (yarix@tut.by); hostname www.juggyboy.com, port 80, 20 threads; status "Connecting to 118.215.252.59:80", Connected 1174, Connect OK, Disconnect No error, Peak 1174.]

FIGURE 10.21: Sprut


DoS Attack Tools (Cont'd)

[Screenshot: the PHP DoS page ("Your IP: ... (Don't DoS yourself nub)"; "After initiating the DoS attack, please wait while the browser loads") beside a Wireshark capture of the traffic at the victim machine: a continuous stream of 1514-byte frames from 192.168.168.7 to 192.168.168.32, each a "Fragmented IP protocol (proto=UDP)" datagram carrying 1480 bytes of data filled with the character "X".]

DoS Attack Tools (Cont'd)
PHP DoS
Source: http://code.google.com
PHP DoS is a PHP script that allows users to perform DoS (denial-of-service) attacks against an IP address or website without any editing or specific knowledge.

[Screenshot: the PHP DoS web form with the fields Your IP (Don't DoS yourself nub), Time, and Port, and the notice "After initiating the DoS attack, please wait while the browser loads".]

FIGURE 10.22: PHP DoS


DoS Attack Tools (Cont'd)
Janidos

FIGURE 10.23: Janidos


Supernova
[Screenshot: Supernova 5 with single-target and multiple-target modes (port, random ports, speed), Load/Save target lists, a Hub Harvester with options such as replace hubs on close, replace hubs on errors, forbid scanner log abuse, and assign socks for every hub in the list, plus debug settings for connections, replaces, socket errors, actions, and user number; dated 3/24/2009.]
FIGURE 10.24: Supernova


DoS Attack Tools (Cont'd)
Commercial Chinese DIY DDoS Tool

Figure 10.25: Commercial Chinese DIY DDoS Tool


BanglaDos
[Screenshot: the BanglaDos tool, shown alongside a browser window displaying a blog page.]
FIGURE 10.26: BanglaDos


DoS Attack Tools (Cont'd)
DoS

FIGURE 10.27: DoS


Mega DDoS Attack

FIGURE 10.28: Mega DDoS Attack

Module Flow
So far, we have discussed the DoS/DDoS concepts, the various threats associated with this kind of attack, attack techniques, botnets, and tools that help to perform DoS/DDoS attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester you should think about detecting attacks and applying possible ways or methods to secure the network.

- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing


This section describes various techniques to detect DoS/DDoS vulnerabilities and also highlights the respective countermeasures.


Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic.
All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
- Activity Profiling
- Wavelet-based Signal Analysis
- Changepoint Detection

Detection Techniques
Most DDoS attacks today are carried out with attack tools, botnets, and other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. Together, these problems lead to the requirement for defense systems featuring various detection methods to identify attacks.
The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic.
There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.


Activity Profiling
An activity profile is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. An activity profile is obtained by monitoring the network packet's header information.
An attack is indicated by:
- An increase in activity levels among clusters
- An increase in the overall number of distinct clusters (DDoS attack)
Activity Profiling
Typically, an activity profile can be obtained by monitoring the header information of network packets. An activity profile is defined as the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. The activity level, or average packet rate, of a flow is determined by the elapsed time between consecutive packets. The sum of the average packet rates of all inbound and outbound flows gives the total network activity.
If you wanted to analyze individual flows for all possible UDP services, you would have to monitor on the order of 2^64 flows, and including other protocols such as TCP, ICMP, and SNMP greatly compounds the number of possible flows. This leads to a high-dimensionality problem, which can be avoided by clustering the individual flows that exhibit similar characteristics. The sum of the constituent flows of a cluster defines its activity level.
Based on this concept, an attack is indicated by:
- An increase in activity levels among clusters
- An increase in the overall number of distinct clusters (DDoS attack)
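As an added example (not code from the CEH module or from any tool it describes), the following Python sketch applies activity profiling to constructed packet headers, and also illustrates the LOIC scenario above: one client's flood raises a single cluster's activity level, while many volunteer hosts raise the number of distinct clusters. The addresses, ports, window length and alert thresholds are assumptions.

```python
# Added example (not from the CEH module): activity profiling over packet headers.
# A flow is keyed by (src, dst, proto, sport, dport); flows sharing
# (src, dst, proto, dport) form one cluster. Addresses and timings are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PacketHeader:
    ts: float  # capture time in seconds
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


FlowKey = Tuple[str, str, str, int, int]
ClusterKey = Tuple[str, str, str, int]


def flow_rates(packets: List[PacketHeader], window: float) -> Dict[FlowKey, float]:
    """Average packet rate of each flow from the elapsed time between its first
    and last packet. A one-packet flow is rated as one packet per window."""
    first: Dict[FlowKey, float] = {}
    last: Dict[FlowKey, float] = {}
    count: Dict[FlowKey, int] = defaultdict(int)
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        first.setdefault(key, p.ts)
        last[key] = p.ts
        count[key] += 1
    rates: Dict[FlowKey, float] = {}
    for key, n in count.items():
        elapsed = last[key] - first[key]
        rates[key] = (n - 1) / elapsed if elapsed > 0 else n / window
    return rates


def total_activity(packets: List[PacketHeader], window: float) -> float:
    """Sum of the average packet rates of all flows: the total network activity."""
    return sum(flow_rates(packets, window).values())


def cluster_activity(packets: List[PacketHeader], window: float) -> Dict[ClusterKey, float]:
    """Activity level of each cluster: the sum of its constituent flows' rates."""
    activity: Dict[ClusterKey, float] = defaultdict(float)
    for (src, dst, proto, _sport, dport), rate in flow_rates(packets, window).items():
        activity[(src, dst, proto, dport)] += rate
    return dict(activity)


def profile_alerts(baseline, current, window, rate_factor=5.0, cluster_factor=3.0):
    """Compare one window of traffic with a baseline window. An existing cluster
    whose activity level grows by rate_factor signals a flood from that source;
    a cluster_factor growth in the number of distinct clusters signals many new
    sources, i.e. a DDoS."""
    base = cluster_activity(baseline, window)
    cur = cluster_activity(current, window)
    alerts = []
    for key, level in cur.items():
        ref = base.get(key, 0.0)
        if ref > 0 and level >= rate_factor * ref:
            alerts.append(("activity_increase", key, level / ref))
    if len(cur) >= cluster_factor * max(len(base), 1):
        alerts.append(("cluster_count_increase", len(base), len(cur)))
    return alerts


def synth_flow(src, dst, proto, sport, dport, start, n, interval):
    """Constructed flow: n packets, one every `interval` seconds from `start`."""
    return [PacketHeader(start + i * interval, src, dst, proto, sport, dport) for i in range(n)]


SERVER = "203.0.113.10"  # constructed web server address (TEST-NET-3)
WINDOW = 10.0  # seconds per profiling window


def legit_clients(start: float) -> List[PacketHeader]:
    """Three ordinary clients sending one packet per second: cluster activity 1.0 each."""
    pkts: List[PacketHeader] = []
    for i in range(1, 4):
        pkts += synth_flow(f"192.0.2.{i}", SERVER, "TCP", 40000 + i, 80, start, 11, 1.0)
    return pkts


def scenario_ddos():
    """Baseline window, then a window in which 20 new hosts each send 50 packets."""
    baseline = legit_clients(0.0)
    current = legit_clients(WINDOW)
    for i in range(1, 21):
        current += synth_flow(f"198.51.100.{i}", SERVER, "TCP", 50000 + i, 80, WINDOW, 50, 0.2)
    return profile_alerts(baseline, current, WINDOW)  # [('cluster_count_increase', 3, 23)]


def scenario_single_source_flood():
    """Baseline window, then a window in which one existing client opens a flood flow."""
    baseline = legit_clients(0.0)
    current = legit_clients(WINDOW)
    current += synth_flow("192.0.2.1", SERVER, "TCP", 41111, 80, WINDOW, 1000, 0.01)
    return profile_alerts(baseline, current, WINDOW)  # one 'activity_increase', ratio ~101
```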


Wavelet-based Signal Analysis
- Wavelet analysis describes an input signal in terms of spectral components
- Wavelets provide for concurrent time and frequency description
- They determine the time at which certain frequency components are present
- Analyzing each spectral window's energy determines the presence of anomalies

Wavelet-based Signal Analysis
Wavelet analysis describes an input signal in terms of spectral components. A purely spectral description provides global frequency content and no time localization; wavelets, in contrast, provide concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals from the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, or attacks such as DoS.
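As an added example (not code from the CEH module), the Python sketch below computes Haar-wavelet detail energy per time window over a constructed packet-rate series and flags the window in which a sudden rate jump appears, while the background jitter spreads its energy evenly across all windows. The Haar wavelet, the window size, the number of levels and the energy-ratio threshold are assumptions.

```python
# Added example (not from the CEH module): Haar-wavelet detail energy per time
# window, used to localize a sudden traffic change. The rate series is constructed.
import math
from statistics import median
from typing import Dict, List


def haar_step(x: List[float]):
    """One level of the Haar transform: orthonormal approximation and detail coefficients."""
    approx = [(x[2 * i] + x[2 * i + 1]) / math.sqrt(2) for i in range(len(x) // 2)]
    detail = [(x[2 * i] - x[2 * i + 1]) / math.sqrt(2) for i in range(len(x) // 2)]
    return approx, detail


def spectral_window_energy(x: List[float], levels: int, window: int) -> Dict[int, List[float]]:
    """Energy (sum of squared detail coefficients) of each Haar level, accumulated
    per time window of `window` original samples. A level-j coefficient spans
    2**j samples, so its energy stays localized in time."""
    if len(x) % window or window % (2 ** levels):
        raise ValueError("window must divide the series and be a multiple of 2**levels")
    n_windows = len(x) // window
    energies: Dict[int, List[float]] = {}
    approx = list(x)
    for level in range(1, levels + 1):
        approx, detail = haar_step(approx)
        span = 2 ** level
        per_window = [0.0] * n_windows
        for i, c in enumerate(detail):
            per_window[(i * span) // window] += c * c
        energies[level] = per_window
    return energies


def anomalous_windows(x: List[float], levels: int = 2, window: int = 16,
                      factor: float = 20.0) -> List[int]:
    """Windows whose energy at any level exceeds `factor` times that level's median
    energy across windows. Background noise contributes energy to every window;
    a time-localized anomaly concentrates it in one or a few windows."""
    flagged = set()
    for level, per_window in spectral_window_energy(x, levels, window).items():
        ref = median(per_window)
        if ref > 0:
            flagged.update(w for w, e in enumerate(per_window) if e > factor * ref)
    return sorted(flagged)


def constructed_rate_series(attack: bool) -> List[float]:
    """64 one-second packet-rate samples around 100 pkt/s with a repeating jitter
    pattern; with attack=True the rate jumps by 300 pkt/s from sample 41 onward."""
    jitter = [-2.0, 2.0, 3.0, -1.0]
    series = [100.0 + jitter[i % 4] for i in range(64)]
    if attack:
        series = [v + 300.0 if i >= 41 else v for i, v in enumerate(series)]
    return series  # anomalous_windows(...) -> [2] with attack, [] without
```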


Sequential Change-Point Detection
Change-point detection algorithms isolate a traffic statistic's change caused by attacks.

Sequential Change-Point Detection
Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resulting flow as a time series. This time series can be considered the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins.
Cusum is a change-point detection algorithm that operates on continuously sampled data and requires only modest computational resources and little memory. Cusum identifies and localizes a DoS attack by finding the deviations of the actual versus the expected local average in the time series. If the deviation is greater than the upper bound, the Cusum's recursive statistic increases with each time-series sample. Under normal traffic conditions the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify the onset of a DoS attack by applying an appropriate threshold to the Cusum statistic.
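As an added example (not code from the CEH module), here is the Cusum recursion described above in Python, run over a constructed packet-rate time series: the statistic stays at zero while the rate sits within the allowance, climbs past the threshold two samples into a flood, and drains again once the rate normalizes. The expected local average is estimated from a warm-up window and refreshed by an exponential moving average; that estimator, the allowance and the threshold are assumptions.

```python
# Added example (not from the CEH module): a Cusum change-point detector over a
# packet-rate time series (e.g. one cluster's activity level). Parameters and
# the series are constructed for illustration.
from typing import List, Optional, Tuple


def cusum_detect(series: List[float], allowance: float, threshold: float,
                 alpha: float = 0.05, warmup: int = 10) -> Tuple[Optional[int], List[float]]:
    """Recursive Cusum statistic S_t = max(0, S_{t-1} + (x_t - mu_t) - allowance).
    mu_t is the expected local average: the mean of the first `warmup` samples,
    then refreshed by an exponential moving average using only samples whose
    deviation stays within the allowance (so an attack cannot poison the baseline).
    S_t grows while the deviation exceeds the allowance (the upper bound) and
    drains back to zero under normal traffic. Returns (onset index or None, S)."""
    if len(series) < warmup:
        raise ValueError("series shorter than warmup")
    mu = sum(series[:warmup]) / warmup
    s = 0.0
    stats: List[float] = []
    onset: Optional[int] = None
    for t, x in enumerate(series):
        dev = x - mu
        s = max(0.0, s + dev - allowance)
        stats.append(s)
        if onset is None and s > threshold:
            onset = t
        if abs(dev) <= allowance:
            mu += alpha * dev
    return onset, stats


def constructed_rate_series(attack: bool) -> List[float]:
    """70 samples: about 100 pkt/s with +/-2 jitter; with attack=True the rate is
    400 pkt/s from sample 30 through 49 and then returns to normal."""
    series = [100.0 + (2.0 if t % 2 else -2.0) for t in range(70)]
    if attack:
        for t in range(30, 50):
            series[t] = 400.0
    return series


def attack_onset() -> Optional[int]:
    """Index at which the Cusum statistic first crosses the threshold: 31."""
    onset, _ = cusum_detect(constructed_rate_series(True), allowance=10.0, threshold=500.0)
    return onset


def statistic_drains_after_attack() -> bool:
    """Once traffic normalizes, each sample lowers S by (allowance - |dev|) > 0."""
    _, stats = cusum_detect(constructed_rate_series(True), allowance=10.0, threshold=500.0)
    return stats[69] < stats[49] and stats[29] == 0.0
```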


DoS/DDoS Countermeasure Strategies
- Absorbing the Attack: use additional capacity to absorb the attack; it requires preplanning and additional resources
- Degrading Services: identify critical services and stop non-critical services
- Shutting Down the Services: shut down all the services until the attack has subsided

DoS/DDoS Countermeasure Strategies
There are three types of countermeasure strategies available for DoS/DDoS attacks:
Absorb the attack
Use additional capacity to absorb the attack; this requires preplanning and additional resources. One disadvantage is the cost of those additional resources, which is incurred even when no attack is under way.
Degrade services
If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, you first need to identify the critical services. Then you can customize the network, system, and application designs so that the noncritical services degrade first; this may help you keep the critical services functional. If the attack load is extremely heavy, you may need to disable the noncritical services altogether in order to keep the critical services functional by giving them the additional capacity.
Shut down services
Simply shut down all services until the attack has subsided. Though this may not be an optimal choice, it may be a reasonable response for some.

DDoS Attack Countermeasures
- Protect secondary victims
- Prevent potential attacks
- Mitigate attacks

DDoS Attack Countermeasures
There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, no single method alone can provide protection against all DDoS attacks. In addition, attackers are constantly developing new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks:
- Protect secondary targets
- Neutralize handlers
- Prevent potential attacks
- Deflect attacks
- Mitigate attacks
- Post-attack forensics


DoS/DDoS Countermeasures: Protect Secondary Victims
- Install anti-virus and anti-Trojan software and keep these up-to-date
- An increased awareness of security issues and prevention techniques from all Internet users
- Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources
- Configuration and regular updates of built-in defensive mechanisms in the core hardware and software of the systems

DoS/DDoS Countermeasures: Protect Secondary Victims
Individual Users
Potential secondary victims can be protected from DDoS attacks, thus preventing them from becoming zombies. This demands intensified security awareness and the use of prevention techniques. To keep attackers from compromising secondary victims' systems and infecting them with DDoS agents, these clients must continuously monitor their own security. Checks should be carried out to ensure that no agent programs have been installed on their systems and that no DDoS agent traffic is sent into the network. Installing antivirus and anti-Trojan software and keeping them updated helps in this regard, as does installing software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web surfer, integrated mechanisms in the core part of computing systems (hardware and software) can provide protection against malicious code insertion. This can considerably reduce the risk of a secondary system being compromised, leaving attackers with no attack network from which to launch their DDoS attacks.
Network Service Providers
- Service providers and network administrators can resort to dynamic pricing for their network usage so that potential secondary victims become more active in preventing their computers from becoming part of a DDoS attack. Providers can charge differently according to the usage of their resources. This would force providers to allow only legitimate customers onto their networks. When prices for services are changed, the potential secondary victims who are paying for Internet access may become more cognizant of dangerous traffic, and may do a better job of ensuring their nonparticipation in a DDoS attack.


DoS/DDoS Countermeasures: Detect and Neutralize Handlers
Neutralize Botnet Handlers
- Study of communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler
- There are usually few DDoS handlers deployed as compared to the number of agents
- Neutralizing a few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks
Spoofed Source Address
- There is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network

DoS/DDoS Countermeasures: Detect and Neutralize Handlers
A DDoS attack can be stopped by detecting and neutralizing the handlers, which are the intermediaries through which the attacker initiates attacks. Finding and stopping the handlers is a quick and effective way of counteracting the attack. This can be done by studying the communication protocols and traffic patterns between handlers and clients, or between handlers and agents, in order to identify network nodes that might be infected with a handler. There are usually only a few DDoS handlers deployed compared to the number of agents, so neutralizing a few handlers can render multiple agents useless. Since agents form the core of the attacker's ability to spread an attack, neutralizing the handlers so that the attacker cannot use them is an effective strategy for preventing DDoS attacks.


DoS/DDoS Countermeasures: Detect Potential Attacks
Ingress Filtering
- Protects from flooding attacks which originate from the valid prefixes (IP addresses)
- It enables the originator to be traced to its true source
Egress Filtering
TCP Intercept
- Configuring TCP Intercept prevents DoS attacks by intercepting and validating the TCP connection requests

DoS/DDoS Countermeasures: Detect Potential Attacks
To detect or prevent a potential DDoS attack that is being launched, ingress filtering, egress filtering, and TCP intercept can be used.
Ingress filtering
Ingress filtering doesn't offer protection against flooding attacks originating from valid prefixes (IP addresses); rather, it prohibits an attacker from launching an attack using forged source addresses that do not obey the ingress filtering rules. When the Internet service provider (ISP) aggregates routing announcements for multiple downstream networks, strict traffic filtering must be applied in order to prohibit traffic originating from outside the aggregated announcements. The advantage of this filtering is that it allows tracing the originator to its true source, as the attacker needs to use a valid and legitimately reachable source address.
Egress filtering
In this method of traffic filtering, the IP packet headers that are leaving a network are initially scanned and checked to see whether they meet certain criteria. Only the packets that pass the criteria are routed outside of the sub-network from which they originated; the packets
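As an added example covering both the ingress and the egress filtering described in this section (not code from the CEH module or from any router vendor), the Python sketch below validates packet source addresses against a set of prefixes: at an ISP edge, the aggregated announcements of the downstream networks; at a site border, the site's own prefix. The prefixes and packets are constructed from documentation address ranges, and the reason strings are assumptions.

```python
# Added example (not from the CEH module): source-address validation for ingress
# and egress filtering. Prefixes and packets are constructed (documentation ranges).
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Decision = Tuple[str, str]  # ("accept" | "drop", reason)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class PrefixFilter:
    """Border filter for one set of prefixes. For ISP-side ingress filtering these are
    the aggregated announcements of the downstream networks; for egress filtering at
    a site border they are the site's own prefixes."""

    def __init__(self, prefixes: List[str]):
        self.nets = [ipaddress.ip_network(p) for p in prefixes]

    def is_local(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)

    def ingress(self, pkt: Packet) -> Decision:
        """Packet arriving from the downstream link. A source outside the announced
        prefixes cannot have originated there, so it is forged and dropped. A valid
        source is accepted and stays traceable; as the text notes, the filter does
        not stop floods sent from legitimately reachable addresses."""
        if self.is_local(pkt.src):
            return ("accept", "source within announced prefixes (traceable)")
        return ("drop", "forged source outside announced prefixes")

    def egress(self, pkt: Packet) -> Decision:
        """Packet leaving the sub-network. Only packets carrying a local source and
        bound for an external destination are routed outside."""
        if not self.is_local(pkt.src):
            return ("drop", "spoofed source leaving the network")
        if self.is_local(pkt.dst):
            return ("drop", "internal destination, not routed outside")
        return ("accept", "local source to external destination")


def tally(decide: Callable[[Packet], Decision], packets: List[Packet]) -> Dict[str, int]:
    """Count filter outcomes by reason, as a router counter or log summary would."""
    return dict(Counter(decide(p)[1] for p in packets))


# Constructed ISP edge: two downstream customer prefixes aggregated behind one link.
ISP_EDGE = PrefixFilter(["203.0.113.0/24", "198.51.100.0/25"])
# Constructed site border for one of those customers.
SITE_BORDER = PrefixFilter(["203.0.113.0/24"])

INBOUND_FROM_CUSTOMER = [
    Packet("203.0.113.7", "192.0.2.1"),     # legitimate customer host
    Packet("198.51.100.9", "192.0.2.1"),    # legitimate, second prefix
    Packet("198.51.100.200", "192.0.2.1"),  # outside the /25: forged
    Packet("10.9.9.9", "192.0.2.1"),        # forged private source
    Packet("192.0.2.77", "192.0.2.1"),      # forged, claims the victim's own network
]

OUTBOUND_FROM_SITE = [
    Packet("203.0.113.7", "192.0.2.1"),     # normal outbound packet
    Packet("192.0.2.77", "192.0.2.1"),      # spoofed source, as in DDoS attack packets
    Packet("203.0.113.7", "203.0.113.9"),   # internal to internal, not forwarded
]


def ingress_summary() -> Dict[str, int]:
    return tally(ISP_EDGE.ingress, INBOUND_FROM_CUSTOMER)  # 2 accepted, 3 forged


def egress_summary() -> Dict[str, int]:
    return tally(SITE_BORDER.egress, OUTBOUND_FROM_SITE)  # 1 accepted, 2 dropped
```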
Ce hv8 module 10 denial of service

  • 1. D e n ia l o f S e r v ic e Module 10
  • 2. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker Denial‫־‬of‫־‬Service Module 10 Engineered by Hackers. Presented by Professionals. CEH «!> Ethical H acking and C ounterm easures v8 M odule 10: Denial-of-Service Exam 312-50 Module 10 Page 1403 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker Security News Kg■■!!■ Home I News H S B C is L a te s t T arg et in C yb er A tta c k Sp re e m October 19, 2012 H C(H ) ex erien w esp d p n toseveral of itsw sitesT u ay, SB BC p ced id read isru tio s eb h rsd b co in o eofthe h h st- ro victim yet inaseriesof attacksb ag u claim g e mg n ig e p file s y ro p in tob alliedw Islam terro . e ith ic rism "H serverscam undera denial of service attackw affectedanum of H C SBC e hich ber SB w sites aroundthew rld th Lo d n b b n in g n sa inastatem t. "T is eb o ," e n o - ased a k g ia t id en h d n of serviceattackd n t affect anycu m d b t d p e ial id o sto er ata, u id reven cu m u in t sto ers s g H Co lin services, in d g in et b n in ." SB n e clu in tern a k g H Csa it h dth situ nu d co tro inth earlym rn g h u of Frid Lo d n SB id a e atio n er n l e o in o rs ay n o tim e. T e Iz a - ina Q h z d D l- assamC erFig te tookresp n ilityforthe attackthat at p in yb h rs o sib o ts crip led u accesstoh c.co an other H C o n p p p sers' sb m d SB - w ed ro erties o th W T e n e eb. h g u , w ichh alsod p th w sites of sco of other b n sin d gJ.P. ro p h as isru ted e eb res a k clu in M rg C ase(JPM an Ban of A erica (B C sa th attacksw co tin eu til th o an h ) d k m A ), id e ill n u n e an lslam 'Innocenceof M slim filmtrailer isrem vedfro th Internet ti- ic u s' o m e http://www.foxbusiness.com Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. &3>ujs ‫״‬mp p S ecurity N ew s HSBC is Latest Target in Cyber Attack Spree Source: http://www.foxbusiness.com HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism. 
"HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking." HSBC said it had the situation under control in the early morning hours of Friday London time. The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM ) and Bank of America (BAC), said the attacks will continue until the anti-lslamic ‫׳‬Innocence of Muslims' film trailer is removed from the Internet. Module 10 Page 1404 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 4. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam. The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country. There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-of-service attack. Essentially, al-Qassam has leveraged exploits in W eb server software to take servers over and then use them as weapons. Once they are taken over, they slam the W eb servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines. copyright©2012 FOX News Network, LLC By Adam Samson. http://www.foxbu5ines5.com/industries/2012/10/19/hsbc-is-latest-target-in-cvber-attackspree/#ixzz2D14739cA Module 10 Page 1405 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 5. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker Module Objectives CEH ' * J What Is a Denial of Service Attack? J DoS Attack Tools J What Are Distributed Denial of Service Attacks? J Detection Techniques J D0 S/DD0 S Countermeasure J Symptoms of a DoS Attack J Techniques to Defend against Botnets J DoS Attack Techniques J J Botnet Advanced DD0 S Protection Appliances J Botnet Ecosystem J D0 S/DD0 S Protection Tools J Botnet Trojans J J DD0 S Attack Tools Denial of Service (DoS) Attack Penetration Testing r n Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. M odule O b jectiv e s ta = 1 , =1 This module looks at various aspects of denial‫־‬of‫־‬service attacks. The module starts with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the implications of such attacks. Distributed denial-of-service attacks and the various tools to launch such attacks are included to spotlight the technologies involved. The countermeasures for preventing such attacks are also taken into consideration. Viruses and worms are briefly discussed in terms of their use in such attacks. This module will familiarize you with: 2 2 W hat is a Denial of Service Attack? S DDos Attack Tools W hat Are s Detection Techniques s D0 S/DD0 S Countermeasure S Techniques Distributed Denial of Service Attacks? s Symptoms of a DoS Attack s DoS Attack Techniques 2 Botnet 2 Botnet Ecosystem 2 Botnet Trojans £ D0 S/DD0 S Protection Tools 2 DD0S Attack Tools s Denial Module 10 Page 1406 to Defend against Botnets a Advanced DD0S Protection Appliances of Service (DoS) Attack Penetration Testing Ethical H acking and C ounterm easures C opyright ©b E - 0 n il y C C l1 C A R h Reserved. Reproduction isStrictly Prohibited. ll ig ts
  • 6. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited. M odule Flow In the present Internet world, many attacks are launched targeting organizations in the banking sector, as well as IT service and resource providers. DoS (denial of service) and DD0 S (distributed denial of service) were designed by attackers to breach organizations' services. m m Dos/DDoS Attack Tools Dos/DDoS Concepts * Dos/DDoS Attack Techniques d p g Countermeasures »‫* י ־׳‬ M p J Botnets Dos/DDoS Case Study / ^ M = 11 Dos/DDoS Protection Tools Dos/DDoS Penetration Testing This section describes the terms DoS, DD0 S, the working of DD0 S, and the symptoms of DoS. It also talks about cyber criminals and the organizational chart. Module 10 Page 1407 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 7. Ethical Hacking and Countermeasures Denial of Service Exam 312-50 Certified Ethical Hacker W Is a Denial of Service hat Attack? W hat is a D en ial of S ervice A ttack? Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests. An Analogy Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business. DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process. Module 10 Page 1408 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 8. Ethical Hacking and Countermeasures Denial of Service r Exam 312-50 Certified Ethical Hacker Malicious Traffic « • £ * Malicious traffic takes control overall the available bandwidth r o (R Internet 4m Regular Traffic Router Attack Traffic Regular Traffic Q C^ D Server Cluster Figure 10.1: Denial of Service Attack Module 10 Page 1409 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
• 9. What Are Distributed Denial of Service Attacks?

- A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system
- To launch a DDoS attack, an attacker uses botnets and attacks a single system
- Consequences: loss of goodwill, disabled network, financial loss, disabled organization

Source: www.searchsecurity.com

A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet. The services under attack are those of the "primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker.

As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."

If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet services in minutes.
• 10. How Distributed Denial of Service Attacks Work

In a DDoS attack, the target system or network is bombarded by many machines with bogus external requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.

The attacker initiates the attack by sending a command to the zombie agents. These zombie agents send a connection request to a genuine computer system, i.e., the reflector. The requests sent by the zombie agents appear to come from the victim rather than from the zombies. Thus, the genuine computer sends the requested information to the victim. The victim machine gets flooded with unsolicited responses from several computers at once. This may either reduce the performance or cause the victim machine to shut down.
• 11. Figure 10.2: Distributed Denial of Service Attacks (the attacker sets up a handler system; the handler infects a large number of computers over the Internet; the compromised PCs, the zombies, are instructed to attack)
• 12. Symptoms of a DoS Attack

Based on the target machine, the symptoms of a DoS attack may vary. There are four main symptoms of a DoS attack:

- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the amount of spam email received
- Unusually slow network performance
• 13. Module Flow

So far, we have discussed DoS, DDoS, symptoms of DoS attacks, cybercriminals, and the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform DoS/DDoS attacks.

Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Case Study; DoS/DDoS Penetration Testing.

In a DoS attack, the victim, website, or node is prevented from providing services to valid users. Various techniques are used by the attacker for launching DoS or DDoS attacks on a target computer or network. They are discussed in detail in this section.
• 14. DoS Attack Techniques

A denial-of-service (DoS) attack is an attack performed on a networking structure to disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DoS attacks on a computer or a network. They are:

- Bandwidth Attacks
- Service Request Floods
- SYN Flooding Attacks
- ICMP Flood Attacks
- Peer-to-Peer Attacks
- Permanent Denial-of-Service Attacks
- Application-Level Flood Attacks
• 15. Bandwidth Attacks

- A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created, where an attacker uses several computers to flood a victim
- When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic
- Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
- Basically, all bandwidth is used and no bandwidth remains for legitimate use

A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume the network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include those of legitimate users.

A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created, where an attacker uses several computers to flood a victim. Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult, as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use. Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
• 16. Service Request Floods

- An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections
- Service request flood attacks flood servers with a high rate of connections from a valid source
- It initiates a request on every connection

Service request floods work based on the connections-per-second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This usually initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
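Because a service request flood is defined by its connections-per-second rate from otherwise valid sources, it can be spotted in ordinary connection logs. The detector below is an added example (not code from the courseware); it assumes a hypothetical "timestamp, source IP, request" log format and constructs its own sample lines, bucketing accepted connections per source per second and flagging sources whose peak rate reaches a threshold, with the "fetch the home page repeatedly" pattern as a second signal.

```python
"""Flag service request floods in a connection log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed sample in a hypothetical '<timestamp> <source ip> <request>'
    format: 203.0.113.7 opens 20 connections per second for two seconds, each
    fetching '/', while 198.51.100.3 browses at a normal pace."""
    lines = []
    for second in (0, 1):
        lines.extend(f"2012-10-19T08:00:0{second} 203.0.113.7 GET /"
                     for _ in range(20))
    lines.append("2012-10-19T08:00:00 198.51.100.3 GET /about")
    lines.append("2012-10-19T08:00:01 198.51.100.3 GET /contact")
    lines.append("2012-10-19T08:00:05 198.51.100.3 GET /")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Split one log line into (timestamp, source ip, request)."""
    ts, ip, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, request


def connections_per_second(log_text):
    """Count accepted connections in each (source ip, whole second) bucket."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _ = parse_line(line)
        counts[(ip, ts.replace(microsecond=0))] += 1
    return counts


def peak_rate_per_source(log_text):
    """Highest connections-per-second observed for each source."""
    peaks = defaultdict(int)
    for (ip, _), n in connections_per_second(log_text).items():
        peaks[ip] = max(peaks[ip], n)
    return dict(peaks)


def flag_floods(log_text, threshold):
    """Sources whose peak connection rate reaches the threshold."""
    return {ip: rate for ip, rate in peak_rate_per_source(log_text).items()
            if rate >= threshold}


def repeated_request_ratio(log_text, ip):
    """Share of a source's requests that go to its single most-requested
    resource; 1.0 means every connection fetched the same page."""
    requests = Counter()
    for line in log_text.splitlines():
        if line.strip():
            _, src, request = parse_line(line)
            if src == ip:
                requests[request] += 1
    total = sum(requests.values())
    return requests.most_common(1)[0][1] / total if total else 0.0


if __name__ == "__main__":
    for ip, rate in flag_floods(SAMPLE_LOG, threshold=10).items():
        ratio = repeated_request_ratio(SAMPLE_LOG, ip)
        print(f"{ip}: peak {rate} connections/s, same-resource ratio {ratio:.2f}")
```

On the sample, only 203.0.113.7 is flagged (peak 20 connections/s, every connection fetching "/"), while the legitimate browser peaks at one connection per second.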
• 17. SYN Attack

- The attacker sends fake TCP SYN requests to the target server (victim)
- The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
- The target machine does not get the response because the source address is fake

Note: This attack exploits the three-way handshake method.

A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of SYN requests to a target machine (victim). When a client wants to begin a TCP connection to the server, the client and the server exchange a series of messages. In the attack, this exchange proceeds as follows:

- The attacker sends fake TCP SYN requests to the target server (victim)
- The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
- The target machine never gets the response because the source address is fake
• 18. SYN Flooding

- SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
- When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds
- A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
- The victim's listen queue is quickly filled up
- This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack

SYN flooding exploits a weakness in the TCP protocol to cause a denial of service. This attack occurs when the intruder sends an unlimited number of SYN packets (requests) to the host system. Such packets are transmitted faster than the system can handle them. A connection is normally established by the TCP three-way handshake as follows:

- Host A sends a SYN request to Host B
- Host B receives the SYN request and replies to it with a SYN-ACK to Host A
- Host A responds with an ACK packet, establishing the connection

When Host B receives the SYN request from Host A, it must hold the partially open connection in its listen queue for a few seconds, e.g., for at least 75 seconds. The intruder transmits a very large number of such SYN requests with forged source addresses, so the host spends its resources on connections for addresses that never reply. Such numerous requests produce the TCP SYN flooding attack.

It works by filling the table reserved for half-open TCP connections in the operating system's TCP/IP stack. When the table becomes full, new connections cannot be opened until some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled without spoofing the source IP address. Normally, the space reserved for fixed-size tables, such as the half-open TCP connection table, is limited compared with the total.

• 19. Figure 10.3: SYN Flooding (Host A and Host B: normal connection establishment with SYN, SYN/ACK and ACK, versus SYN flooding with a stream of SYNs that are never acknowledged)
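The half-open table and its handshake timeout are easy to model. The simulation below is an added example, not code from the courseware: it keeps a fixed-size listen queue whose entries are freed only after the 75-second timeout the text gives, shows that spoofed SYNs which are never acknowledged lock a legitimate client out until entries expire, that a shorter timeout limits the damage, and that a stateless SYN cookie (a keyed MAC carried in the initial sequence number, a simplified form of that mitigation) needs no table at all. Capacities, addresses and arrival times are constructed.

```python
"""Simulate the half-open TCP connection table that SYN flooding fills."""
import hashlib
import hmac
import secrets

HANDSHAKE_TIMEOUT = 75.0  # seconds a half-open entry is kept, per the text


class ListenQueue:
    """Stateful listener: one table slot per half-open connection."""

    def __init__(self, capacity, timeout=HANDSHAKE_TIMEOUT):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}  # (src ip, src port) -> time the SYN arrived
        self.established = 0
        self.dropped = 0

    def expire(self, now):
        """Free slots whose handshake timeout has elapsed."""
        for key, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        """Return True if a SYN/ACK is sent (slot reserved), False if dropped."""
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Complete the handshake if the SYN is still in the table."""
        self.expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate_flood(capacity, timeout, n_spoofed, legit_arrival):
    """Send n_spoofed SYNs at t=0 that are never acknowledged, then let one
    legitimate client try to connect at legit_arrival seconds.
    Returns (legitimate client connected?, SYNs dropped by the victim)."""
    queue = ListenQueue(capacity, timeout)
    for i in range(n_spoofed):  # constructed forged sources that never reply
        queue.on_syn((f"10.{i // 256}.{i % 256}.1", 40000 + i), 0.0)
    legit = ("198.51.100.3", 51234)
    if not queue.on_syn(legit, legit_arrival):
        return False, queue.dropped
    return queue.on_ack(legit, legit_arrival + 0.1), queue.dropped


class SynCookieListener:
    """Stateless listener: the SYN/ACK's initial sequence number is a MAC over
    the peer address and a coarse time counter, so nothing is stored per SYN."""

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.established = 0

    def _cookie(self, src, now):
        msg = f"{src[0]}:{src[1]}:{int(now // 64)}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        """Return the ISN to send in the SYN/ACK; no table slot is consumed."""
        return self._cookie(src, now)

    def on_ack(self, src, ack_number, now):
        """Accept if the ACK matches the cookie of this or the previous window."""
        for window_time in (now, now - 64):
            if ack_number == (self._cookie(src, window_time) + 1) & 0xFFFFFFFF:
                self.established += 1
                return True
        return False


if __name__ == "__main__":
    # 128 slots, 200 spoofed SYNs: a client arriving 10 s later is locked out
    # until the entries expire at 75 s; a 5 s timeout lets it through.
    print(simulate_flood(128, HANDSHAKE_TIMEOUT, 200, 10.0))  # (False, 73)
    print(simulate_flood(128, HANDSHAKE_TIMEOUT, 200, 80.0))  # (True, 72)
    print(simulate_flood(128, 5.0, 200, 10.0))                # (True, 72)
```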
• 20. ICMP Flood Attack

- An ICMP flood is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests
- The attacker sends ICMP ECHO requests with spoofed source addresses
- After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well

Internet Control Message Protocol (ICMP) packets are used for locating network equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO request and ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the round-trip time.

A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed. In this kind of attack, the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
• 21. Figure 10.4: ICMP Flood Attack (the attacker sends ICMP ECHO requests with spoofed source addresses to the target server; once the maximum limit of ICMP echo requests per second is reached, a legitimate ICMP echo request from an address in the same security zone is also rejected)
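The per-zone threshold rule in the text and figure can be stated precisely as a small filter. The code below is an added example, not code from the courseware or from any router vendor: once a zone's echo requests in one second reach the threshold, further requests from every address in that zone are rejected for the rest of that second and the whole next second, which is why the legitimate host in the same zone is dropped while another zone is unaffected. Zone names, addresses and the threshold are constructed.

```python
"""Per-security-zone ICMP echo request threshold (added example)."""
from collections import defaultdict


class IcmpThresholdFilter:
    def __init__(self, threshold):
        self.threshold = threshold  # echo requests per second per zone
        self.counts = {}            # zone -> (second, requests seen this second)
        self.blocked_through = defaultdict(lambda: -1)  # zone -> last blocked second

    def admit(self, zone, now):
        """Return True if an echo request arriving at time `now` is forwarded."""
        second = int(now)
        if second <= self.blocked_through[zone]:
            return False  # still inside the penalty window
        seen_second, seen = self.counts.get(zone, (second, 0))
        if seen_second != second:
            seen = 0  # a new second starts a fresh count
        seen += 1
        self.counts[zone] = (second, seen)
        if seen > self.threshold:
            # threshold reached: reject the rest of this second and all of the next
            self.blocked_through[zone] = second + 1
            return False
        return True


def run_trace(events, threshold):
    """Apply the filter to (time, zone, source) events; return (source, forwarded)."""
    filt = IcmpThresholdFilter(threshold)
    return [(src, filt.admit(zone, t)) for t, zone, src in events]


# Constructed trace: spoofed sources in the "untrust" zone exceed a threshold of
# 3 requests/s at t=0.4; a legitimate host in the same zone is then rejected at
# 0.9 s and 1.5 s, a host in "trust" is unaffected, and service resumes at 2.2 s.
SAMPLE_EVENTS = [
    (0.1, "untrust", "192.0.2.10"),
    (0.2, "untrust", "192.0.2.11"),
    (0.3, "untrust", "192.0.2.12"),
    (0.4, "untrust", "192.0.2.13"),
    (0.9, "untrust", "198.51.100.3"),
    (1.5, "untrust", "198.51.100.3"),
    (1.5, "trust", "10.0.0.5"),
    (2.2, "untrust", "198.51.100.3"),
]

if __name__ == "__main__":
    for src, ok in run_trace(SAMPLE_EVENTS, threshold=3):
        print(f"{src:14} {'forwarded' if ok else 'rejected'}")
```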
• 22. Peer-to-Peer Attacks

- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website
- Attackers exploit flaws found in networks using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients
- Using this method, attackers launch massive denial-of-service attacks and compromise websites

A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack doesn't use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients. Here the attacker instructs the clients of peer-to-peer file sharing hubs to disconnect from their network and to connect to the victim's website. With this, several thousand computers may try to connect to the target website, which causes a drop in the performance of the target website. These peer-to-peer attacks can be identified easily based on their signatures. Using this method, attackers launch massive denial-of-service attacks and compromise websites.
• 23. Figure 10.5: Peer-to-Peer Attacks (attack traffic from User-1 through User-5, directed by the attacker)
• 24. Permanent Denial-of-Service Attack

- Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
- Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware

Bricking a system method:
1. This attack is carried out using a method known as "bricking a system"
2. Using this method, attackers send fraudulent hardware updates to the victims

Permanent denial-of-service (PDoS) is also known as phlashing. This refers to an attack that damages the system and makes the hardware unusable for its original purpose until it is either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote administration on the management interfaces of the victim's hardware, such as printers, routers, and other networking hardware. This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim by modifying and corrupting the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.
• 25. Figure 10.6: Permanent Denial-of-Service Attack (the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; malicious code is executed on the victim and the attacker gets access to the victim's computer)
• 26. Application Level Flood Attacks

- Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more
- Using this attack, attackers destroy programming source code and files in affected computer systems

Some DoS attacks rely on software-related exploits such as buffer overflows, whereas most other kinds of DoS attacks exploit bandwidth. The attacks that exploit software cause confusion in the application, causing it to fill the disk space or consume all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat for doing business on the Internet. Web application security is more critical than ever. This attack can result in substantial loss of money, service, and reputation for organizations. Usually, the loss of service is the unavailability of a specific network service, such as email, or the temporary loss of all network connectivity and services. Using this attack, attackers destroy programming source code and files in affected computer systems. Using application-level flood attacks, attackers attempt to:

- Flood web applications, thereby preventing legitimate user traffic.
- Disrupt service to a specific system or person, for example, blocking user access by repeated invalid login attempts.
- Jam the application-database connection by crafting CPU-intensive SQL queries.
• 27. Figure 10.7: Application-level Flood Attacks (attacker exploiting application source code against the victim)
• 28. Module Flow

So far, we have discussed DoS/DDoS concepts and DoS/DDoS attack techniques. As mentioned previously, DoS and DDoS attacks are performed using botnets or zombies, a group of security-compromised systems.

Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Case Study; DoS/DDoS Penetration Testing.

This section describes botnets, as well as their propagation techniques and ecosystem.
• 29. Organized Crime Syndicates

- Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their sophisticated techniques
- There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue-sharing model, like a major corporation that offers criminal services
- Organized groups create and rent botnets and offer various services, from writing malware, to hacking bank accounts, to creating massive denial-of-service attacks against any target for a price
- According to Verizon's 2012 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (98%) was the work of criminals outside the victim organization
- The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies

Cyber criminals have developed very refined and stylish ways to use trust to their advantage and to make financial gains. Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is now getting more organized. Cyber criminals used to develop malware independently for financial gain; now they operate in groups, and this has grown into an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price.

The increase in the number of malware samples puts an extra load on security systems. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies.
• 30. Organized Cyber Crime: Organizational Chart

Cybercrime organizations are hierarchical. Each criminal gets paid depending on the task that he or she performs or his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur. He or she does not commit cybercrimes directly. The boss is at the top of the hierarchy. The person at the next level is the "underboss." The underboss is second in command and manages the operation of cybercrimes. The underboss provides the necessary Trojans for attacks and also manages the Trojans' command and control center. People working under the underboss are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks; they just sell the stolen data of genuine users.
• 31. Figure 10.8: Organizational Chart (attackers and crimeware toolkit owners; Trojan distribution in legitimate websites; underboss as Trojan provider and manager of Trojan command and control; campaign managers; affiliation networks; stolen data resellers)
• 32. Botnet

- Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing
- A botnet is a huge network of compromised systems and can be used by an intruder to create denial-of-service attacks

The term botnet is derived from roBOT NETwork, also called a zombie army. A botnet is a huge network of compromised systems. It can compromise huge numbers of machines without the intervention of the machine owners. Botnets consist of a set of compromised systems that are monitored by a specific command infrastructure. Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are hidden programs that allow identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information. Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of that system being vulnerable also increases.
An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges. Ill Module Purpose of Botnets: 0 10 Page 1433 Allows the intruder to operate remotely. Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
  • 33. Ethical Hacking and Countermeasures Denial of Service 6 Exam 312-50 Certified Ethical Hacker Scans environment automatically, and spreads through vulnerable areas, gaining access via weak passwords and other means. Q Allows compromising a host's machine through a variety of tools. Q Creates DoS attacks. 6 Enables spam attacks that cause SMTP mail relays. © Enables click fraud and other illegal activities. The diagram that follows shows how an attacker launches a botnet-based DoS attack on a target server. Bots connect to C C & handler an w for In d ait structions Bots attack atarget server o Bot Command & Control Center !1 Attacker sen s com andsto d m the b ts through C C o & Target Server ‫2 יי‬ A " 6 * Zombies Bot lo ks for other vulnerable o system an infectsthemto s d create Botnet Attacker Victim (Bot) FIGURE 10.9: BOTNET In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, i.e., victim bot, and compromises it. He or she then uses the victim bot to compromise some more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies or botnet connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch DoS attack on a target server. Thus, he or she makes the target server unavailable or non-responsive for other genuine hosts in the network. Module 10 Page 1434 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
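The step in which bots "connect to the C&C handler and wait for instructions" is also the step a defender can hunt for: a bot polls its handler at a fixed interval, so the outbound connection log of an infected host shows the same external endpoint being contacted at nearly constant spacing. The following is an added example (not part of the EC-Council courseware) of beacon detection over a constructed, simplified connection log; the log format, the sample addresses and the thresholds (`min_connections`, `max_cv`) are all assumptions for illustration.

```python
"""Detect bot-to-C&C beaconing in an outbound connection log (added example).

A bot that polls its command and control handler produces connections whose
inter-arrival gaps are nearly constant. The coefficient of variation
(standard deviation / mean) of those gaps is close to zero for automated
polling and large for human-driven traffic, so it makes a simple beacon score.

Log format (constructed for this example): "<epoch_seconds> <src_ip> <dst_ip:port>".
"""
import statistics
from collections import defaultdict

# Constructed sample: host 10.0.0.5 contacts 203.0.113.10:6667 every 4 s,
# host 10.0.0.7 contacts a web service at irregular, human-looking times.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10:6667
1004 10.0.0.5 203.0.113.10:6667
1008 10.0.0.5 203.0.113.10:6667
1012 10.0.0.5 203.0.113.10:6667
1016 10.0.0.5 203.0.113.10:6667
1020 10.0.0.5 203.0.113.10:6667
1001 10.0.0.7 198.51.100.20:443
1030 10.0.0.7 198.51.100.20:443
1033 10.0.0.7 198.51.100.20:443
1120 10.0.0.7 198.51.100.20:443
1125 10.0.0.7 198.51.100.20:443
1300 10.0.0.7 198.51.100.20:443
"""


def parse_connections(text):
    """Group timestamps by (src, dst) pair; each list is returned sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(float(ts))
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Return (mean_interval, coefficient_of_variation), or None if too few points."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return [(src, dst, mean_interval)] for flows whose timing looks automated."""
    hits = []
    for (src, dst), times in parse_connections(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        mean, cv = score
        if cv <= max_cv:
            hits.append((src, dst, round(mean, 2)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} every {interval}s")
```

In practice the same computation is run over NetFlow or proxy logs with a jitter allowance (the `max_cv` threshold), because some bots randomize their polling interval slightly; the constant-interval case shown here is the easiest to catch.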
• 34. Botnet Propagation Technique

Botnet propagation is the technique used to hack a system and grab tradable information from it without the victim's knowledge. The head of the operation is the boss, or cybercriminal. Botnet propagation involves both the criminal (boss) and attackers (campaign managers). In this attack, the criminal doesn't attack the victim system directly; instead, he or she performs attacks with the help of attackers. The criminal configures an affiliation network as the distribution channel. The job of campaign managers is to hack a legitimate site and insert a reference to malicious code into it. The malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections accomplished. Thus, cybercriminals promote the infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.

• 35. [Figure 10.10: Botnet Propagation Technique. Labels: Attackers; Criminal; Malicious Affiliation Network; Cybercrime Related IT Operations (Servers, Software, and Services); Trojan Command and Control Center; Crimeware Toolkit Database; Legitimate Compromised Websites; Trojan uploads stolen data and receives commands from the command and control center.]
• 36. Botnet Ecosystem

A group of computers infected by bots is called a botnet. A bot is a malicious program that allows cybercriminals to control and use compromised machines to accomplish their own goals, such as scams, launching DDoS attacks, distributing spam, etc. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world.

Cybercriminal service suppliers are a part of the cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing. Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via the network. Malware services are offered by developers on public sites or closed Internet resources.

Typically, the botnet ecosystem is divided into three parts, namely the trade market, DDoS attacks, and spam. A botmaster is the person who makes money by offering the infected botnet groups for service on the black market. The master searches for vulnerable ports and uses them as candidate zombies to infect. The infected zombies can further be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.

• 37. The pictorial representation of the botnet ecosystem is shown as follows:

[Figure 10.11: Botnet Ecosystem. Elements: Malicious Site; Scan & Intrusion; Zero-Day Market; Botnet Market; Licenses; Botnet; MP3, DivX; Financial Diversion; Data Theft; Emails; Owner; Crimeware Toolkit Database; Trojan Command and Control Center (C&C); Client-Side Vulnerability; Redirect; Spam; Mass Mailing; DDoS; Malware Market; Stock Fraud; Scams; Adverts; Extortion.]
• 38. Botnet Trojan: sharK

Source: https://sites.google.com

sharK is a reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK, you will be able to administer any PC (running Windows) remotely.

Features:
- mRC4 encrypted traffic (new & modded)
- zLib compressed traffic
- High-speed, stable screen/cam capture
- Keylogger with highlight feature
- Remote memory execution and injection
- Very fast file manager/registry editor listing due to a unique technique
- Anti: Debugger, VMware, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, VirtualBox
- Supports random startup and random server names
- Desktop preview in SIN Console

• 39.
- Sortable and configurable SIN Console
- Remote Autostart Manager
- Optional Fwb++ (Process Injection, API Unhook)
- Folder mirroring

[Figure 10.12: Botnet Trojan: sharK. Screenshots of the sharK 3.1 fwb++ Command Control Center (listening on port 60123; last compiled 30.03.2008) and the New Server dialog (server name, server password, connection interval of 4 seconds, anti-debugging, stealth, firewall bypass, offline keylogger with maximum log size, SIN addresses).]
• 40. Poison Ivy: Botnet Command Control Center

Poison Ivy is an advanced, encrypted "reverse connection" remote administration tool for firewall bypassing. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.

[Figure 10.13: Poison Ivy: Botnet Command Control Center. Screenshot of the Poison Ivy manager listing the remote system's services and drivers with their status (STOPPED/RUNNING) and startup type.]
• 41. Botnet Trojan: PlugBot

PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests.

Source: http://theplugbot.com

PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected while being powerful enough to scan, collect, and deliver test results externally. Some of the features include:
- Issue scan commands remotely
- Wireless 802.11b ready
- Gigabit Ethernet capable
- 1.2 GHz processor
- Supports Linux, Perl, PHP, MySQL on-board
- Covertly disguised as a power adapter
- Capable of invoking most Linux-based scan apps and scripts

• 42. [Figure 10.14: Botnet Trojan: PlugBot. Screenshot of the PlugBot web dashboard (Dashboard, DropZone, Account, Settings, Help) showing botnet statistics: Bots: 2; Jobs Pending: 0; Jobs Completed: 0; Check-Ins: 14636.]
• 43. Botnet Trojans: Illusion Bot and NetBot Attacker

Illusion Bot

Source: http://www.teamfurry.com

Illusion Bot is a GUI-based tool. Features:
- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 firewall bypass
- DDoS capabilities

• 44. [Figure 10.15: Illusion Maker. Screenshot of the Illusion Maker builder: IRC administration (host, port, channel, password), web administration (host, port, path), default services (Socks4, Socks5, FTP, bindshell, random port range), bot password with MD5 crypt, and options such as install kernel driver, inject code, bypass XP SP2 firewall, save services state in registry, and add to autoload.]

NetBot Attacker

NetBot Attacker has a simple Windows user interface to control botnets. Attackers use it for commanding and reporting networks, even for command attacks. It has two RAR files; one is an INI and the other is a simple EXE. It is more powerful when more bots are used to affect the servers. With the help of a bot, attackers can execute or download a file, open certain web pages, and even turn off all PCs.

[Figure 10.16: NetBot Attacker. Screenshot listing online hosts (IP, computer name, system, memory) with an attack area and collective-order controls.]
• 45. Module Flow

So far, we have discussed DoS/DDoS concepts, attack techniques, and botnets. For a better understanding of the attack trajectories and to find possible ways to locate attackers, a few DDoS case studies are featured here.

Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing.

This section highlights some real-world scenarios of DDoS attacks.
• 46. DDoS Attack

In a DDoS attack, a group of compromised systems, usually infected with Trojans, is used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of the LOIC tool.

• 47. [Figure 10.17: DDoS Attack. Labels: Attacker releases the Low Orbit Ion Cannon (LOIC) tool on the web; Hackers advertise the LOIC tool on Twitter, Facebook, Google, etc.; Anonymous hackers; Volunteers connect to an IRC channel and wait for instructions from the attacker; Volunteers launch the DDoS attack.]
• 48. DDoS Attack Tool: LOIC

This tool was used to bring down the PayPal and MasterCard websites.

LOIC is an open source tool, written in C#. The main purpose of the tool is to conduct stress tests of web applications, so that developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehose of garbage requests directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server: garbage requests can easily be ignored while legitimate requests for web pages are responded to as normal. But when thousands of users run LOIC at once, the wave of requests becomes overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.

LOIC is more focused on web applications; we can also call it an application-based DoS attack. LOIC can be used on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
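The paragraph above contains the detection insight for HTTP floods: a single LOIC-style client is loud enough to be rate-limited on its own, whereas a volunteer or botnet DDoS (as in the botnet attack described earlier) hides behind many sources that each stay quiet. The following is an added example (not part of the EC-Council courseware or of the LOIC project) that triages a web server access log on both axes; the simplified log format, the constructed sample traffic and the thresholds (`per_source_limit`, `capacity`) are assumptions for illustration. It also reports the share of unique request paths, since LOIC's "append random chars to the URL" option (visible in its screenshot) produces cache-busting requests that stand out in that ratio.

```python
"""HTTP flood triage over web server access logs (added defensive example).

Two checks follow from the single-versus-many observation about LOIC: a
per-source peak rate catches a lone HTTP flooder, and an aggregate peak rate
combined with the number of distinct sources catches a distributed flood in
which no single source looks noisy. Randomized URLs (cache busting) show up
as a high ratio of unique paths to requests.

Log lines are constructed in a simplified common log style:
'<client_ip> [<epoch_seconds>] "<method> <path> HTTP/1.1" <status>'.
Thresholds are illustrative assumptions, not figures from the courseware.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \[(\d+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')


def parse_access_log(text):
    """Return a list of (ip, ts, path); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path, _status = m.groups()
            events.append((ip, int(ts), path))
    return events


def peak_in_window(times, window):
    """Largest number of timestamps falling inside any `window`-second span."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def triage(text, window=10, per_source_limit=50, capacity=200):
    """Classify the log as 'normal', 'single-source' or 'distributed'.

    per_source_limit: requests per window above which one client is abusive.
    capacity: requests per window the server comfortably serves (assumed;
              derive it from your own load tests in practice).
    """
    events = parse_access_log(text)
    per_ip = defaultdict(list)
    for ip, ts, _ in events:
        per_ip[ip].append(ts)
    peaks = {ip: peak_in_window(ts, window) for ip, ts in per_ip.items()}
    noisy = sorted(ip for ip, n in peaks.items() if n > per_source_limit)
    aggregate = peak_in_window([ts for _, ts, _ in events], window)
    unique_paths = len({path for _, _, path in events})
    if noisy:
        verdict = "single-source"
    elif aggregate > capacity and len(peaks) > 1:
        verdict = "distributed"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "noisy_sources": noisy,
        "aggregate_peak": aggregate,
        "sources": len(peaks),
        "unique_path_ratio": round(unique_paths / len(events), 2) if events else 0.0,
    }


def make_sample(n_sources, per_source, randomize_path=False):
    """Constructed log: n_sources clients, each sending per_source hits in 10 s."""
    lines = []
    for i in range(n_sources):
        n = i + 1  # hypothetical client addresses 10.0.0.1, 10.0.0.2, ...
        ip = f"10.{n // 65536 % 256}.{n // 256 % 256}.{n % 256}"
        for k in range(per_source):
            path = f"/index.html?{n}-{k}" if randomize_path else "/index.html"
            ts = 1000 + (k * 10) // per_source
            lines.append(f'{ip} [{ts}] "GET {path} HTTP/1.1" 200')
    return "\n".join(lines)


if __name__ == "__main__":
    print("one LOIC-style client:", triage(make_sample(1, 200)))
    print("300 quiet volunteers: ", triage(make_sample(300, 2)))
    print("ordinary traffic:     ", triage(make_sample(5, 3)))
```

The "distributed" verdict is the important one for mitigation: per-IP rate limiting does nothing against it, and the response has to come from capacity (upstream scrubbing, a CDN, or an anycast front end) rather than from blocking individual sources.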
• 49. [Figure 10.18: DDoS Attack Tool: LOIC. Screenshot of the Low Orbit Ion Cannon interface: target URL/IP selection, attack options (timeout, HTTP subsite, append random chars to the URL, TCP/UDP message, port, method, threads, speed), and counters for idle, connecting, requesting, downloading, downloaded, requested, and failed.]
• 50. Hackers Advertise Links to Download Botnets

• 51. [Figure 10.19: Hackers Advertise Links to Download Botnets. Screenshot of a Google search results page.]
• 52. Module Flow

So far, we have discussed the DoS/DDoS concepts, attack techniques, botnets, and real-world scenarios of DDoS. The DoS/DDoS attacks discussed so far can also be performed with the help of tools. These tools make the attacker's job easy.

Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing.

This section lists and describes various DoS/DDoS attack tools.
• 53. DoS Attack Tools

DoSHTTP

Source: http://www.socketsoft.net

DoSHTTP is HTTP flood denial-of-service (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. It also allows you to test web server performance and evaluate web server protection software.

Features:
- Supports HTTP redirection for automatic page redirection
- Includes URL verification that displays the response header and document
- Includes performance monitoring to track requests issued and responses received
- Allows customized User Agent header fields
- Uses multiple asynchronous sockets to perform an effective HTTP flood
- Allows user-defined socket and request settings
- Supports numeric addressing for target URLs

• 54. [Figure 10.20: DoSHTTP. Screenshot of DoSHTTP 2.5.1 (evaluation mode): target URL, user agent, sockets, requests, Verify URL / Stop Flood buttons, and request/response counters.]

Sprut

Sprut is a multisystem TCP denial-of-service attacker.

[Figure 10.21: Sprut. Screenshot of the Multisystem TCP Denial of Service Attacker (Build #12), coded by Yarix (yarix@tut.by): hostname or IP address, port, threads, and connection status counters.]
• 55. DoS Attack Tools (Cont'd)

[PHP DoS traffic at the victim machine: Wireshark capture showing a stream of 1514-byte frames from 192.168.168.7 to 192.168.168.32, summarised as "Fragmented IP protocol (proto=UDP)", each carrying a 1480-byte data payload of repeated 0x58 ('X') bytes.]

PHP DoS

Source: http://code.google.com

This is a PHP script that allows users to perform DoS (denial-of-service) attacks against an IP address or website without any editing or specific knowledge.
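The capture shown for PHP DoS is instructive from the defender's side: the traffic is nothing but oversized UDP datagrams that the sender's IP stack has split into fragments, all from one source, all padded with the same filler byte. Each of those properties is visible in a packet summary without inspecting full payloads. The following is an added example (not part of the EC-Council courseware or of the PHP DoS script) that flags a fragment flood from summary rows constructed to mimic Wireshark's "No. Time Source Destination Protocol Info" export; the row layout, the addresses, the per-second threshold and the filler-byte check are assumptions for illustration and not taken from the page's capture.

```python
"""Spotting a fragmented UDP flood in a packet summary (added defensive example).

Three signals, each computable from summary columns alone:
  1. fragment rate per (source, destination) pair in a sliding window,
  2. share of fragments in all observed traffic (normally near zero),
  3. a payload that is one byte value repeated, such as 1480 x 'X'.

Summary rows are constructed to resemble Wireshark's text export:
"<no> <time> <src> <dst> <protocol> <info>".
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r'^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+'
    r'(?P<proto>\S+)\s+(?P<info>.*)$')


def parse_summary(text):
    """Parse summary rows into dicts; rows that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["time"] = float(row["time"])
            rows.append(row)
    return rows


def is_fragment(row):
    return row["info"].startswith("Fragmented IP protocol")


def fragment_flood_sources(rows, window=1.0, threshold=100):
    """Return {(src, dst): peak fragments per `window` seconds} for pairs over threshold."""
    times = defaultdict(list)
    for r in rows:
        if is_fragment(r):
            times[(r["src"], r["dst"])].append(r["time"])
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged


def fragment_share(rows):
    """Fraction of all rows that are IP fragments."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if is_fragment(r)) / len(rows)


def is_filler_payload(payload, min_run=64):
    """True if `payload` (bytes) is a single byte value repeated at least min_run times."""
    return len(payload) >= min_run and payload.count(payload[:1]) == len(payload)


def build_sample():
    """Constructed capture: 1200 fragments from one host in ~0.15 s, then 20 DNS rows."""
    lines = []
    n, t = 1, 165.289717
    for i in range(1200):
        # five 1480-byte fragments per 7400-byte datagram (constructed values)
        lines.append(f"{n:05d} {t:.6f} 192.168.168.7 192.168.168.32 IPv4 "
                     f"Fragmented IP protocol (proto=UDP 17, off={(i % 5) * 1480}, "
                     f"ID={0xabcd + i // 5:04x})")
        n += 1
        t += 0.000120
    for i in range(20):
        lines.append(f"{n:05d} {t:.6f} 192.168.168.{40 + i} 192.168.168.32 DNS "
                     f"Standard query A example.test")
        n += 1
        t += 0.01
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_summary(build_sample())
    print("fragment share:", round(fragment_share(rows), 3))
    print("flood sources:", fragment_flood_sources(rows))
    print("filler payload:", is_filler_payload(b"X" * 1480))
```

The mitigation these signals point to is at the network edge rather than the host: rate limiting or dropping IP fragments toward servers that never legitimately receive large UDP datagrams, and setting the same per-source fragment threshold as an alert in the IDS.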
• 56. [Figure 10.22: PHP DoS. Screenshot of the PHP DoS web form: "Your IP" (don't DoS yourself), target IP, time, port, and the note "After initiating the DoS attack, please wait while the browser loads".]
• 57. DoS Attack Tools (Cont'd)

Janidos

[Figure 10.23: Janidos.]
• 58. [Figure 10.24: Supernove. Screenshot of the tool interface: port, single target, load/save, random ports, hub harvester, and debug options.]
DoS Attack Tools (Cont’d)

Commercial Chinese DIY DDoS Tool

FIGURE 10.25: Commercial Chinese DIY DDoS Tool
BanglaDos

FIGURE 10.26: BanglaDos
DoS Attack Tools (Cont’d)

DoS

FIGURE 10.27: DoS
Mega DDoS Attack

FIGURE 10.28: Mega DDoS Attack
Module Flow

So far, we have discussed the DoS/DDoS concepts, the various threats associated with this kind of attack, attack techniques, botnets, and the tools that help to perform DoS/DDoS attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester you should think about detecting DoS/DDoS attacks and applying possible ways or methods to secure the network.

DoS/DDoS Concepts
DoS/DDoS Attack Techniques
Botnets
DoS/DDoS Case Study
DoS/DDoS Attack Tools
Countermeasures
DoS/DDoS Protection Tools
DoS/DDoS Penetration Testing
This section describes various techniques to detect DoS/DDoS vulnerabilities and also highlights the respective countermeasures.
Detection Techniques

Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.

Activity Profiling
Wavelet-based Signal Analysis
Changepoint Detection

Most DDoS attacks today are carried out by attack tools, botnets, and other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. All these problems together lead to the requirement for defense systems featuring various detection methods to identify attacks. The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic. There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
Activity Profiling

An activity profile is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. The activity profile is obtained by monitoring the network packet's header information. An attack is indicated by:
• An increase in activity levels among clusters
• An increase in the overall number of distinct clusters (DDoS attack)

Typically, an activity profile can be obtained by monitoring the header information of a network packet. An activity profile is defined as the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. The activity level, or average packet rate, of a flow is determined by the elapsed time between consecutive packets. The sum of the average packet rates of all inbound and outbound flows gives the total network activity. If you want to analyze individual flows for all possible UDP services, then you would have to monitor on the order of 2^64 flows, and including other protocols such as TCP, ICMP, and SNMP greatly compounds the number of possible flows. This leads to a high-dimensionality problem, which can be avoided by clustering the individual flows exhibiting similar characteristics. The sum of the constituent flows of a cluster defines its activity level. Based on this concept, an attack is indicated by:
• An increase in activity levels among clusters
• An increase in the overall number of distinct clusters (DDoS attack)
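Activity profiling as described above, carried through in Python as an added example that is not part of the CEH courseware: flows are keyed by header fields, each flow's rate comes from its inter-arrival times, flows are clustered by protocol and destination port, and both alarm conditions are checked against a baseline. The packet records, victim address and alarm factors are all constructed for illustration.

```python
"""Activity profiling over packet header records (added example, not from
the CEH courseware). Packet records, thresholds and addresses are constructed."""
from collections import defaultdict

def flow_rate(timestamps):
    """Average packet rate of one flow, derived from the elapsed time between
    its consecutive packets. A lone packet is counted as one packet per second."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 1.0
    elapsed = ts[-1] - ts[0]
    return (len(ts) - 1) / elapsed if elapsed > 0 else float(len(ts))

def cluster_activity(packets):
    """Group packets into flows keyed by (src, dst, proto, dport), then cluster
    flows sharing (proto, dport) and sum their rates -> {cluster: activity}."""
    flows = defaultdict(list)
    for ts, src, dst, proto, dport in packets:
        flows[(src, dst, proto, dport)].append(ts)
    activity = defaultdict(float)
    for (src, dst, proto, dport), stamps in flows.items():
        activity[(proto, dport)] += flow_rate(stamps)
    return dict(activity)

def detect(baseline_packets, window_packets, level_factor=3.0, cluster_factor=2.0):
    """Compare a traffic window with a baseline profile. An attack is indicated
    by a cluster whose activity rises by level_factor, or by the number of
    distinct clusters growing by cluster_factor (the DDoS signature)."""
    base = cluster_activity(baseline_packets)
    cur = cluster_activity(window_packets)
    level_alerts = sorted(key for key, level in cur.items()
                          if key in base and level > level_factor * base[key])
    count_alert = len(cur) > cluster_factor * max(len(base), 1)
    return {"level_alerts": level_alerts, "cluster_count_alert": count_alert,
            "baseline_clusters": len(base), "window_clusters": len(cur)}

def make_packets(start, count, src, dst, proto, dport, gap):
    """Constructed sample data: count packets from src to dst:dport, gap seconds apart."""
    return [(start + i * gap, src, dst, proto, dport) for i in range(count)]

VICTIM = "203.0.113.5"  # constructed documentation address
BASELINE = (make_packets(0.0, 10, "192.0.2.10", VICTIM, "TCP", 80, 1.0)
            + make_packets(0.0, 10, "192.0.2.11", VICTIM, "TCP", 80, 1.0)
            + make_packets(0.0, 5, "192.0.2.12", VICTIM, "UDP", 53, 2.0))
# Window 1: the same legitimate clients, one slightly busier -> no alarm.
QUIET = (make_packets(0.0, 12, "192.0.2.10", VICTIM, "TCP", 80, 1.0)
         + make_packets(0.0, 10, "192.0.2.11", VICTIM, "TCP", 80, 1.0)
         + make_packets(0.0, 5, "192.0.2.12", VICTIM, "UDP", 53, 2.0))
# Window 2: 20 new sources flood UDP/53 at 10 pkt/s each (cluster level rises)
# and 20 more each hit a distinct port (cluster count rises) -> both alarms.
FLOOD = list(BASELINE)
for i in range(20):
    FLOOD += make_packets(0.0, 20, f"198.51.100.{i + 1}", VICTIM, "UDP", 53, 0.1)
    FLOOD += make_packets(0.0, 20, f"198.51.100.{i + 101}", VICTIM, "UDP", 1000 + i, 0.1)

if __name__ == "__main__":
    print("quiet window:", detect(BASELINE, QUIET))
    print("flood window:", detect(BASELINE, FLOOD))
```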
Wavelet-based Signal Analysis

Wavelet analysis describes an input signal in terms of spectral components. Wavelets provide for concurrent time and frequency description. They determine the time at which certain frequency components are present. Analyzing each spectral window's energy determines the presence of anomalies.

Wavelet analysis describes an input signal in terms of spectral components. A spectral description on its own provides a global frequency description and no time localization. Wavelets provide for concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals from the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, and attacks such as DoS.
Sequential Change-Point Detection

Change-point detection algorithms isolate a traffic statistic's change caused by attacks.

Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resultant flow as a time series. This time series can be considered the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins. Cusum is a change-point detection algorithm that operates on continuously sampled data and requires only low computational resources and memory volume. Cusum identifies and localizes a DoS attack by identifying the deviations in the actual versus expected local average in the time series. For each time series sample, if the deviation is greater than the upper bound, the Cusum's recursive statistic increases. Under normal traffic flow conditions the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify a DoS attack onset by applying an appropriate threshold against the Cusum statistic.
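The Cusum procedure described above, as an added Python example that is not the courseware's code: the filtering step reduces a packet trace to one port's per-second time series, the recursive statistic grows while samples exceed the expected local average plus an allowance and decays to zero otherwise, and a threshold on that statistic marks the onset. The trace, expected rate, allowance and threshold are constructed assumptions.

```python
"""Sequential change-point detection with Cusum (added example, not from the
CEH courseware). The packet trace and all parameter values are constructed."""

def rate_series(packets, proto, dport, seconds):
    """Filter a packet trace of (timestamp, proto, dst_port) records down to one
    protocol/port and store it as a per-second packet-count time series."""
    counts = [0] * seconds
    for ts, p, d in packets:
        if p == proto and d == dport and 0 <= int(ts) < seconds:
            counts[int(ts)] += 1
    return counts

def cusum(series, expected_mean, allowance, threshold):
    """One-sided Cusum. Each sample adds its deviation from the expected local
    average minus the allowance (the upper bound on normal fluctuation). Normal
    samples drive the statistic back toward zero; sustained excess pushes it past
    the threshold, which marks the DoS onset.
    Returns (onset index or None, statistic value per sample)."""
    stat, stats, onset = 0.0, [], None
    for i, x in enumerate(series):
        stat = max(0.0, stat + (x - expected_mean - allowance))
        stats.append(stat)
        if onset is None and stat > threshold:
            onset = i
    return onset, stats

# Constructed trace: 30 s of UDP/53 traffic plus TCP/80 noise that the filter
# discards. Normal load ~50 pkt/s, a one-second flash burst of 120 pkt/s at
# t=10 (should decay, not alarm), then a flood of 300 pkt/s from t=20 onward.
NORMAL = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54,
          120, 52, 48, 50, 49, 51, 47, 53, 50, 48]
PER_SECOND = NORMAL + [300] * 10
TRACE = []
for sec, n in enumerate(PER_SECOND):
    TRACE += [(sec + k / n, "UDP", 53) for k in range(n)]
    TRACE += [(sec + k / 10, "TCP", 80) for k in range(10)]

SERIES = rate_series(TRACE, "UDP", 53, 30)
# Expected local average 50 pkt/s, allowance 10 pkt/s, alarm threshold 400.
ONSET, STATS = cusum(SERIES, expected_mean=50, allowance=10, threshold=400)

if __name__ == "__main__":
    print("per-second UDP/53 counts:", SERIES)
    print("Cusum statistic:", [round(s) for s in STATS])
    print("attack onset detected at second", ONSET)
```

The flash burst lifts the statistic to 60 and it drains back to zero within six samples, whereas the flood accumulates 240 per second and crosses the threshold on its second sample.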
DoS/DDoS Countermeasure Strategies

Absorbing the Attack
• Use additional capacity to absorb the attack; it requires preplanning
• It requires additional resources

Degrading Services
• Identify critical services and stop non-critical services

Shutting Down the Services
• Shut down all the services until the attack has subsided

There are three types of countermeasure strategies available for DoS/DDoS attacks:

Absorb the attack
Use additional capacity to absorb the attack; this requires preplanning and additional resources. One disadvantage is the cost of the additional resources, which is incurred even when no attacks are under way.

Degrade services
If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, you first need to identify the critical services. Then you can customize the network, system, and application designs in such a way that the noncritical services are degraded first. This may help you keep the critical services functional. If the attack load is extremely heavy, then you may need to disable the noncritical services entirely in order to keep the critical ones functional by freeing additional capacity for them.

Shut down services
Simply shut down all services until the attack has subsided. Though it may not be an optimal choice, it may be a reasonable response for some.
DDoS Attack Countermeasures

There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, there is no single way that alone can provide protection against all DDoS attacks. In addition, attackers are constantly developing new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks:
• Protect secondary targets
• Neutralize handlers
• Prevent potential attacks
• Deflect attacks
• Mitigate attacks
• Post-attack forensics
DoS/DDoS Countermeasures: Protect Secondary Victims

• Install anti-virus and anti-Trojan software and keep these up-to-date
• An increased awareness of security issues and prevention techniques from all Internet users
• Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources
• Configuration and regular updates of built-in defensive mechanisms in the core hardware and software of the systems

Individual Users

Potential secondary victims can be protected from DDoS attacks, thus preventing them from becoming zombies. This demands intensified security awareness and the use of prevention techniques. To ensure that attackers are unable to compromise secondary victims' systems and that secondary victims are not infected with DDoS agents, clients must continuously monitor their own security. Checks should be carried out to ensure that no agent programs have been installed on their systems and that no DDoS agent traffic is sent into the network. Installing antivirus and anti-Trojan software and keeping these updated helps in this regard, as does installing software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web surfer, integrated mechanisms in the core part of computing systems (hardware and software) can provide protection against malicious code insertion. This can considerably reduce the risk of a secondary system being compromised, leaving attackers with no attack network from which to launch their DDoS attacks.
Network Service Providers

Service providers and network administrators can resort to dynamic pricing for their network usage so that potential secondary victims become more active in preventing their computers from becoming part of a DDoS attack. Providers can charge differently according to the usage of their resources. This would force providers to allow only legitimate customers onto their networks. When prices for services are changed, the potential secondary victims who are paying for Internet access may become more cognizant of dangerous traffic, and may do a better job of ensuring their nonparticipation in a DDoS attack.
DoS/DDoS Countermeasures: Detect and Neutralize Handlers

Neutralize Botnet Handlers
• Study the communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler
• There are usually few DDoS handlers deployed as compared to the number of agents
• Neutralizing a few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks

Spoofed Source Address
• There is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network

A DDoS attack can be stopped by detecting and neutralizing the handlers, which are the intermediaries through which the attacker initiates attacks. Finding and stopping the handlers is a quick and effective way of counteracting the attack. This can be done by studying the communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify network nodes that might be infected with a handler. There are usually only a few DDoS handlers deployed as compared to the number of agents, so neutralizing a few handlers can possibly render multiple agents useless. Since agents form the core of the attacker's ability to spread an attack, neutralizing the handlers to prevent the attacker from using them is an effective strategy to prevent DDoS attacks.
DoS/DDoS Countermeasures: Detect Potential Attacks

Egress Filtering
Ingress Filtering
• Protects from flooding attacks which originate from the valid prefixes (IP addresses)
• It enables the originator to be traced to its true source
TCP Intercept
• Configuring TCP Intercept prevents DoS attacks by intercepting and validating the TCP connection requests

To detect or prevent a potential DDoS attack that is being launched, ingress filtering, egress filtering, and TCP intercept can be used.

Ingress filtering
Ingress filtering doesn't offer protection against flooding attacks originating from valid prefixes (IP addresses); rather, it prohibits an attacker from launching an attack using forged source addresses that do not obey ingress filtering rules. When the Internet service provider (ISP) aggregates routing announcements for multiple downstream networks, strict traffic filtering must be applied in order to prohibit traffic originating from outside the aggregated announcements. The advantage of this filtering is that it allows tracing the originator to its true source, as the attacker needs to use a valid and legitimately reachable source address.

Egress Filtering
In this method of traffic filtering, the IP packet headers that are leaving a network are initially scanned and checked to see whether they meet certain criteria. Only the packets that pass the criteria are routed outside of the sub-network from which they originated; the packets
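The source-address check that both ingress and egress filtering rely on, as an added Python example that is not the courseware's code: at the ISP edge, packets arriving on a customer link are forwarded only if their source lies inside the prefixes announced behind that link; at a network border, outbound packets are forwarded only if their source belongs to the sub-network. The customer link names, prefixes and packet records are constructed for illustration.

```python
"""Ingress and egress source-address filtering (added example, not from the
CEH courseware). Link names, prefixes and packets are constructed."""
import ipaddress

def source_permitted(src, announced_prefixes):
    """True if src lies inside one of the prefixes announced for the link.
    The same check is ingress filtering when the ISP applies it to traffic
    arriving from a customer link, and egress filtering when the customer
    applies it to traffic leaving its own border."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in announced_prefixes)

def ingress_filter(packets, customer_links):
    """ISP-edge ingress filtering. customer_links maps an inbound interface to
    the aggregated prefixes announced behind it; packets are (iface, src, dst).
    Packets whose source is outside the aggregate for their interface are
    forged (or misrouted) and dropped. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        if source_permitted(src, customer_links.get(iface, [])):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
    return forwarded, dropped

def egress_filter(packets, own_prefixes):
    """Border egress filtering: only packets whose source belongs to the
    sub-network are routed out. packets are (src, dst). Returns (forwarded, dropped)."""
    forwarded = [p for p in packets if source_permitted(p[0], own_prefixes)]
    dropped = [p for p in packets if not source_permitted(p[0], own_prefixes)]
    return forwarded, dropped

def trace_origin(src, customer_links):
    """Because every forwarded packet carries a source inside an announced
    prefix, the originating customer link can be identified from the address."""
    for iface, prefixes in customer_links.items():
        if source_permitted(src, prefixes):
            return iface
    return None

# Constructed ISP edge: two customer links and the aggregates announced behind them.
CUSTOMER_LINKS = {
    "cust-a": ["192.0.2.0/24", "198.51.100.0/25"],
    "cust-b": ["203.0.113.0/24"],
}
# Constructed inbound packets; the last two carry sources that do not belong
# to the link they arrived on and are dropped by ingress filtering.
INBOUND = [
    ("cust-a", "192.0.2.17", "203.0.113.9"),
    ("cust-a", "198.51.100.40", "203.0.113.9"),
    ("cust-b", "203.0.113.200", "192.0.2.1"),
    ("cust-a", "203.0.113.77", "192.0.2.1"),    # cust-b's space, arriving on cust-a
    ("cust-b", "198.51.100.200", "192.0.2.1"),  # outside every announced aggregate
]
# Constructed customer border: one own prefix, one outbound packet with a forged source.
OWN_PREFIXES = ["192.0.2.0/24"]
OUTBOUND = [("192.0.2.5", "203.0.113.9"), ("10.0.0.5", "203.0.113.9")]

if __name__ == "__main__":
    print("ingress:", ingress_filter(INBOUND, CUSTOMER_LINKS))
    print("egress:", egress_filter(OUTBOUND, OWN_PREFIXES))
    print("origin of 198.51.100.40:", trace_origin("198.51.100.40", CUSTOMER_LINKS))
```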