A Denial of Service (DoS) attack overloads a network's or a system's resources so that the system goes down, or at least its availability and performance are reduced significantly, in order to prevent authorized users from accessing it.
Some forms of DoS attack are listed below:
• Flooding the network or a host with more traffic or requests than it can handle
• Flooding a service with more events than it can handle
• Crashing a TCP/IP stack by sending corrupt packets
• Crashing a service by interacting with it in an unexpected way
• Hanging a system by causing it to go into an infinite loop
The resources affected:
• Networks are affected in their bandwidth
• Operating systems are impacted on their CPU, memory and disk space
• Services/applications are affected in their ability to respond to requests
• Network devices are affected in their ability to perform their function (router = routing, switch = managing traffic, firewall = filtering/blocking/allowing/detection…)
Therefore, a DoS attack is an attack against the availability of systems and communication networks.
DoS attack against networks
• The attacker uses up all available network bandwidth by generating a large volume of traffic.
• Another way to attack network availability is to broadcast on the same frequencies used by a wireless network, making it unusable.
• The network is also compromised when an attack causes physical destruction or alteration of network components.
DoS attack against computers
• Malformed TCP/IP packets are sent to a server so that the operating system crashes.
• Many simultaneous login sessions are established to a server so that legitimate users cannot log in.
• Many processor-intensive requests are made so that the server stops responding.
• All available disk space is consumed by creating a high number of large files.
DoS attack against applications
• Illegal requests are sent to an application to crash it.
• Web servers, application servers and database servers can all be affected by DoS attacks.
DDoS is a well-coordinated Denial of Service attack launched indirectly, through many compromised computers on the Internet, against the availability of services on a victim's network or systems.
The three steps of a DDoS attack:
1 Attackers compromise hosts on the Internet and deploy bots on them
2 Attackers use a handler to instruct the agents (or they pre-program the bots) on what, when and how to attack
3 The botnet initiates the attack according to the instructions
Usually the attacker uses thousands of bots when performing a DDoS attack.
Reflector attacks
Attackers like to use spoofed source addresses in order to hide the real source of the attack.
• The attacker sends UDP packets to the reflector, using spoofed source IP addresses
• The reflector host generates a reply to each request and sends the replies to the spoofed address
• A loop can then occur, generating high network traffic and processing activity
It is worth mentioning that during this type of attack a DoS can happen to the reflector, to the host at the spoofed address, or to both hosts.
Some common ports/services used by reflector attacks are:
• Echo (7)
• Chargen (19)
• DNS (53)
• SNMP (161)
• ISAKMP (500)
Amplifier attacks
This kind of attack tries to exploit the broadcast address, expecting that many hosts will respond to it.
This attack can be blocked by properly configuring the border routers so that they do not forward directed broadcasts.
One example of an amplifier attack is a DNS recursion attack. That is why the DNS server should be configured as non-recursive.
Flood attacks
As stated by EC Council (2010), in DDoS flood attacks "zombies flood victim systems with IP traffic. The large volume of packets that zombies send to victim systems slows down the systems, crashes the systems, or saturates the network's bandwidth".
In UDP flood attacks, for example, the large number of packets can saturate the network, degrading network performance for legitimate service requests.
As indicated by Scarfone, Grance and Masone (2008), "DoS attacks can be detected through particular precursors and indications". By observing these precursors and indications, we are able to act proactively and avoid the unavailability of systems and applications.
The first step an attacker performs before a DoS attack is reconnaissance. These activities include network scanning and tests to determine which attacks would be most effective. Incident handlers can detect this preparation phase; however, the attacker can use techniques to keep the traffic below the thresholds that trigger the monitoring alarms. If handlers are able to detect the reconnaissance activities, the company can proactively change its security controls, such as firewall rules, to block a specific protocol or port from being used. Another response could be hiding a vulnerable host until the vulnerability or weakness is corrected.
Another DoS attack precursor, one that can represent a significant threat to an organization, is the release of a new DoS tool. In that case the company should investigate the tool further and change its security controls accordingly. This way the organization will be able to avoid that kind of attack effectively.
In addition to the precursors, there are also indications that a DoS attack is ongoing. Below are some indications for each type of DoS attack:
Network-based DoS attack against a host
• Server crash
• System unavailability reported by users
• Alerts from the IDS/IPS
• Alerts/events from the HIDS on the host
• A large number of connections detected on a single host
• Packets with unusual source IP addresses
• Server logs
Network-based DoS attack against a network
• System and network unavailability reported by users
• Alerts from the NIDS
• Unexplained connection losses
• Network activity and bandwidth increased for no apparent reason
• Packets with non-existent destination IP addresses
• A high volume of incoming traffic and a low volume of outgoing traffic
DoS attack against the operating system
• Continuous server crashes
• System and application unavailability reported by users
• Alerts from the NIDS/HIDS
• Server logs (system and application events/logs)
• Packets with unusual source IP addresses
Layer 7 DoS attack against a web application / web server / web service / database
• Application unavailability reported by users or other systems
• Alerts from the NIDS/HIDS
• Application logs from the web tier, the application tier and the data tier
• Packets with unusual source IP addresses
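Several of the indications listed above can be checked mechanically against connection logs. The following is an added example, not part of the original notes or slides: it scores a few constructed log lines for the host and network indications (many connections to a single host, unusual or spoofed source addresses, non-existent destination addresses, and far more incoming than outgoing traffic). The log format, the list of the clinic's public hosts and the thresholds are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample, not captured traffic. Assumed format:
#   <time> <IN|OUT> <src_ip> -> <dst_ip>:<dst_port> <proto>
# Documentation ranges stand in for Internet clients (198.51.100.0/24)
# and for the clinic's public servers (203.0.113.0/24).
SAMPLE_LOG = """\
10:00:01 IN 198.51.100.7 -> 203.0.113.10:80 TCP
10:00:01 IN 198.51.100.8 -> 203.0.113.10:80 TCP
10:00:01 IN 198.51.100.9 -> 203.0.113.10:80 TCP
10:00:02 IN 10.0.0.5 -> 203.0.113.10:80 TCP
10:00:02 IN 192.168.1.20 -> 203.0.113.10:80 TCP
10:00:02 IN 198.51.100.12 -> 203.0.113.10:80 TCP
10:00:03 IN 198.51.100.13 -> 203.0.113.44:53 UDP
10:00:03 IN 198.51.100.14 -> 203.0.113.11:443 TCP
10:00:03 OUT 203.0.113.10 -> 198.51.100.7:51000 TCP
10:00:04 OUT 203.0.113.11 -> 198.51.100.14:51001 TCP
"""

# Assumed: the clinic's Internet-facing hosts; inbound traffic to any other
# address is the "non-existent destination IP" indication.
OUR_HOSTS = {"203.0.113.10", "203.0.113.11"}

# Addresses that never legitimately appear as a source on the Internet side;
# seeing one there is the "unusual source IP address" (spoofing) indication.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def parse(line):
    """One log line -> dict (raises ValueError on a malformed line)."""
    _time, direction, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "src": src, "dst": dst_ip, "port": int(dst_port), "proto": proto}

def unusual_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)

def analyse(log_text, conn_threshold=5, ratio_threshold=4.0):
    """Return the DoS indications found in the log; thresholds are illustrative."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    inbound = [r for r in records if r["dir"] == "IN"]
    outbound = [r for r in records if r["dir"] == "OUT"]
    per_host = Counter(r["dst"] for r in inbound)
    ratio = len(inbound) / max(len(outbound), 1)
    return {
        # host indication: a large number of connections to a single host
        "flooded_hosts": sorted(h for h, n in per_host.items() if n >= conn_threshold),
        # host/OS indication: packets with unusual (spoofed) source addresses
        "spoofed_sources": sorted({r["src"] for r in inbound if unusual_source(r["src"])}),
        # network indication: packets to non-existent destination addresses
        "nonexistent_destinations": sorted({r["dst"] for r in inbound if r["dst"] not in OUR_HOSTS}),
        # network indication: far more incoming than outgoing traffic
        "in_out_ratio": round(ratio, 1),
        "bandwidth_indication": ratio >= ratio_threshold,
    }
```

On the sample, `analyse(SAMPLE_LOG)` reports 203.0.113.10 as flooded, the two private addresses as spoofed sources, 203.0.113.44 as a non-existent destination and an in/out ratio of 4.0.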
Trace the source of the attacks
Spoofed IP addresses are used for this kind of attack, either with connectionless protocols (UDP/ICMP) or with connection-oriented protocols without properly establishing the connection (TCP SYN packets).
The IP of the handler is not visible
DDoS attacks usually use thousands of bots/zombies, which are activated by the controller. The victims cannot see the IP address of the handler, and if they could, it would probably be the IP of one of the compromised hosts and not of the real attacker.
False positive alerts
Network-based DoS attacks are difficult for IDPS sensors to detect with a high level of accuracy. SYN flood is one of the most common kinds of false positive on detection systems; a quick port scan, for example, could be detected as a SYN flood attack.
Server crashes and outages resulting from attacks
Usually server crashes and service outages are related to hardware failures, bad drivers or physical failures. However, DoS attacks can cause them too, and most system administrators will not realize that an attack has just occurred.
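The SYN flood false positive described above comes from looking only at the SYN rate. As an added example (not from the original notes or slides), the classifier below separates the two cases on constructed SYN records: a port scan is one or two sources probing many ports, with the handshake completing on the open ones, whereas a SYN flood is many (often spoofed) sources hitting one port and never completing the handshake. The record format and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Assumed record format (constructed, not a real capture): one dict per
# inbound SYN seen by the sensor, with "ack" True when the three-way
# handshake later completed for that SYN.

def classify_syn_bursts(packets, min_syns=20, scan_ports=10, flood_sources=10):
    """Per destination host: 'port_scan', 'syn_flood' or 'normal'.

    A port scan is few sources probing many ports; the handshake completes on
    the open ones. A SYN flood is many (often spoofed) sources hitting one or
    two ports and never completing, filling the backlog with half-open
    connections. Thresholds are illustrative, not tuned values.
    """
    by_dst = defaultdict(list)
    for p in packets:
        by_dst[p["dst"]].append(p)
    verdicts = {}
    for dst, pkts in by_dst.items():
        sources = {p["src"] for p in pkts}
        ports = {p["port"] for p in pkts}
        half_open = sum(1 for p in pkts if not p["ack"]) / len(pkts)
        if len(pkts) < min_syns:
            verdicts[dst] = "normal"
        elif len(sources) <= 2 and len(ports) >= scan_ports:
            verdicts[dst] = "port_scan"
        elif len(ports) <= 2 and len(sources) >= flood_sources and half_open > 0.9:
            verdicts[dst] = "syn_flood"
        else:
            verdicts[dst] = "normal"
    return verdicts

def make_sample():
    """Constructed traffic: one scan, one flood and a few ordinary sessions."""
    pkts = []
    # Quick port scan: a single source, 25 ports on one host, handshake
    # completes only on the open ports (22 and 25).
    for port in range(20, 45):
        pkts.append({"src": "198.51.100.7", "dst": "203.0.113.10",
                     "port": port, "ack": port in (22, 25)})
    # SYN flood: 40 distinct (spoofed) sources to port 80, none completes.
    for i in range(40):
        pkts.append({"src": f"198.51.100.{100 + i}", "dst": "203.0.113.11",
                     "port": 80, "ack": False})
    # Ordinary HTTPS sessions to a third host.
    for i in range(5):
        pkts.append({"src": f"198.51.100.{50 + i}", "dst": "203.0.113.12",
                     "port": 443, "ack": True})
    return pkts

if __name__ == "__main__":
    print(classify_syn_bursts(make_sample()))
```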
The containment phase focuses on stopping the intrusion before it affects more resources and before the number of affected users and applications grows. It is not easy to stop a DoS attack, which is why all possible solutions for containing the attack should be attempted.
Below are some actions for containing a Denial of Service:
• Close the gap – The vulnerability being exploited by the attack should be corrected. Patches and hotfixes should be applied to operating systems and applications; services should be reconfigured and filters altered to block packets from a specific protocol. An attacked host can also be removed from the network as a temporary containment measure.
• Implement filtering accordingly – Identify the characteristics of the attack and change or implement filtering against them. If the attack uses ICMP echo requests, temporarily block that traffic on the network. If there is a SYN flood against one particular host, block SYN packets to that host on the port being attacked, or alter the limit of packets per second to that host/port.
• The ISPs are the first allies – The ISPs should act right away to implement filtering that blocks the activity related to the network-based DoS. Correcting OS and application vulnerabilities inside the company will be worth nothing if the Internet service providers do not implement adequate filtering to contain the DoS from external hosts.
• Hide the target – This is one of the last measures to be taken. If other containment measures are not working, try changing the host's IP address, changing the subnet, or even moving the service to a different host. But make sure the new host does not have the same vulnerability; otherwise the sophisticated tools used by the attacker could easily detect the new victim.
• Clean up the house – It is necessary to bring the systems back to normal operation.
For that, the organization should remove all configuration changed by the DoS attack (in the case of an internal attack, by removing malicious code from the hosts and from the rules of routers and firewalls). After the incident, the affected systems should be up and running, and the applications and services tested for their functionality. Recovery from the incident is necessary.
During the evidence-gathering phase after a DoS/DDoS attack, it is hard for the IT security team to collect substantial proof, for reasons such as tracing the attacks, identifying the real source IP addresses, or mining the information in the log entries. Getting the cooperation of the ISPs, distinguishing spoofed addresses from real ones, and extracting useful information from large log files are some of the challenges of this task.
Lessons learned
It is very important to answer the basic questions: Why? What? When? And, if possible, Who? Evaluate which security measures worked and which did not, and define what improvements should be made in order to avoid similar incidents in the future.
Configure/reconfigure firewall rules
Network-based and host-based firewalls are great weapons against reflector attacks. The firewall rulesets should be reviewed and reconfigured so that they can stop that type of DDoS attack.
Implement/configure border routers against amplifier attacks
Broadcasts must be blocked on the border routers in order to block amplifier attacks. Create rules not to forward that kind of traffic.
NIDS/NIPS and HIDS to detect attacks
Intrusion detection and prevention systems, on the network and on the hosts, can be helpful in detecting reconnaissance and other suspicious activities related to DoS attacks.
Create and maintain a multi-solution containment strategy
Since no single solution can stop a DoS attack, the company should have a bundle of solutions pre-defined, in sequence, to be attempted when handling an incident.
Separate critical services
As a good practice, critical services should be separated from non-production or non-critical services, being placed on separate networks and VLANs, or even in different sites. Thus, services more susceptible to failure or intrusion are kept apart from the critical layer of service.
Also, demilitarized zones (DMZ) must be created for Internet-facing services. Medium and large enterprises often separate their applications into different environments, such as Development, QA and Production, as a way to secure their most valuable and critical services.
Create a follow-up report
• Document all impacts that occurred during the incident, as well as the countermeasures that were taken.
• Take note of the issues that were addressed and which ones were escalated to be addressed in post-incident actions.
• Indicate who was responsible for which task/action and the deadlines.
• Make sure the incident was reported properly to managers, directors and the authorities.
Since the staff members at the clinic use the Internet extensively to check patients' insurance and get authorizations, they must pay attention to the following:
• Only provide username and password on certified websites (using the HTTPS protocol / SSL encryption)
• Do not provide any information about the local username/password on external websites
• Do not use the same password that is used for local network and system access
• Do not accept any kind of software installation through the Internet, even an antivirus solution offered by an external source
Regarding the email systems:
• Be aware of social engineering. Email messages can be used for identity theft and phishing. Phishing is a technique in which an attacker sends email messages or provides a link falsely claiming to be from a legitimate site in an attempt to acquire a user's personal information (EC Council, 2010).
• Do not click on suspicious email attachments; they can contain worms. They could be scripts or executables disguised as image or text document files (e.g. AnnaKournikova.jpg.vbs). If you receive a suspicious email message, do not click on any link. Report it to the IT department and ask for guidance.
• Prefer BCC when sending emails to multiple recipients, and use the Carbon Copy (CC) field carefully; you may be exposing email addresses unnecessarily.
• Do not use the corporate email account for social networks or newsgroups. Use private accounts for private emails.
• Emails are usually sent in clear text unless you use some encryption technology. Therefore, do not send sensitive data such as credit card numbers, SSNs, driver's license numbers and passwords via regular email messages.
• Do not forward email chain letters. They can contain malicious code, expose email addresses, and generate network traffic and storage consumption.
Scarfone, K., Grance, T., & Masone, K. (2008). Computer Security Incident Handling Guide, NIST 800-61. Gaithersburg, MD: National Institute of Standards and Technology.
EC Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.
DoS Attack - Incident Handling
Information Security
Keeping our network and systems safe
The Health Clinic
Agenda
Information Security Incident Handling
1 The Denial of Service attack
2 Detection and Analysis
3 Containment, Eradication, and Recovery
4 Post-Incident Recovery
5 Maintaining network security
DoS
DoS does not stand for "Department of Something"!
Denial of Service is a kind of information security attack on networks, systems and applications, in order to make them unavailable to the legitimate users.
Some security threats affect Confidentiality... Others impact the Integrity of information... DoS is about Availability.
What is DoS all about?
• It is not about gaining unauthorized access to a system
• It is not about corrupting data
• It is not about cracking any password
It is not about Confidentiality or Integrity. It is about Availability.
DoS
What happens when a DoS attack is going on?
Networks
• Network performance is compromised
• Broadcasts are sent on the same frequencies as the wireless devices
• Network components are modified or destroyed
Computers
• OSs are crashed by receiving malformed TCP/IP packets
• Servers establish too many simultaneous login sessions
• Too many processor-intensive requests are made
• Large files are created
Applications
• Applications crash by receiving illegal requests
• Applications on the Web tier, Application tier and Data tier can be affected
Distributed Denial of Service (DDoS)
How does it work?
1 DDoS Agents are installed on the hosts
• Agents are installed on compromised hosts
• They perform the attacks
• They are also called "bots"
• The set of hosts running bots is called a "botnet"
2 Handler instructs the DDoS Agents
• It is a program that controls the agents
• The handler says: when to attack, what to attack, how to attack
3 DDoS Agents attack the victim networks and hosts
• Bots follow the instructions
• Bots attack the targeted victims
• The bots could be pre-programmed to attack
• The attacker can also communicate with the bots via IRC
DDoS
The three types of DDoS attacks
Reflector Attacks
• A UDP-based service is used to attack
• An intermediate host is used to attack the victim
• The intermediate host is called the Reflector
• The real source is hidden behind a spoofed address
• Loops between ports 7 (Echo) and 19 (Chargen)
Amplifier Attacks
• Also involve sending requests with a spoofed source address
• Use a whole network of intermediate hosts
• Use ICMP and UDP requests to broadcast addresses
• E.g. DNS recursive attack
Flood Attacks
• Use a large number of incomplete connection requests
• Prevent new connections from being made
• Examples: SYN flood and peer-to-peer attacks
• Can be performed by sending UDP, ICMP and TCP packets
Detection and Analysis
Precursors
• Reconnaissance activity
  Usually a low volume of traffic
  Handlers could detect preparation for a DoS attack
  Changing the security implementation as a response
• Newly released DoS tool
  Usually a low volume of traffic
  Investigate the new tool and change the security controls
Detection and Analysis
Indications
• Network-based DoS against a host
• Network-based DoS against a network
• DoS against the Operating System
• Layer 7 DoS attack - against an application/service
Detection and Analysis
Additional Challenges
• Trace the source of attacks
• The IP of the handler is not visible
• False positive alerts
• Server crashes and service outages resulting from attacks
Containment, Eradication and Recovery
Performing containment, gathering and handling evidence for DoS incidents
Containment for a DoS incident
1 Stop bleeding
It usually consists of STOPPING the DoS. It is not too easy! Try all possible solutions for containing a DoS attack:
• Correct the vulnerability
• Implement filtering based on the characteristics of the attack
• The ISPs are key partners against the network-based DoS
• Hide the target
2 Eradication & Recovery
3 Clean up the house
Post-incident Recovery
Corrective and Preventive actions
• Hold a lessons learned meeting
• Configure firewall rulesets to prevent reflector attacks
• Configure border routers to prevent amplifier attacks
• Implement/Configure NIDS and HIDS to detect DoS attacks
• Create and maintain a multi-solution containment strategy
• Separate critical services
• Create a follow-up Report
Maintaining network security
How can employees help maintain network security?
• Only provide username and password on certified websites
• Do not accept any kind of software installation through the Internet
• Be aware of social engineering. Email messages can be used for identity theft and phishing
• Do not click on suspicious email attachments
• Prefer BCC when sending emails to multiple recipients
• Emails are usually sent in clear-text format
• Do not forward email chain letters
References
• Scarfone, K., Grance, T., & Masone, K. (2008). Computer Security Incident Handling Guide, NIST 800-61. Gaithersburg, MD: National Institute of Standards and Technology.
• EC Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.