This document discusses denial of service (DOS) attacks and distributed DOS attacks. It defines DOS attacks as attempts to overload the bandwidth of a target system by bombarding it with data. It describes several types of DOS attacks like ping of death, teardrop attacks, and SYN flooding. It then discusses how distributed DOS attacks work by using compromised systems called "zombies" to launch coordinated attacks on a target from multiple sources. The document also mentions tools that can be used to perform these attacks, such as Low Orbit Ion Cannon, and countermeasures like bandwidth overprovisioning and traffic filtering. Finally, it discusses data hiding techniques like alternate data streams and steganography.
Cyber Security Lecture on DOS, DDOS, Encryption and Data Hiding
1. Cyber Security and Ethical Hacking
By Mehedi Hasan
Lecture 10:
DOS Attacks, Distributed DOS Attacks, Data Encryption, Data
Hiding and Steganography - Part I
2. DOS Attack
Each system connected to the internet has limited bandwidth (and limited
processing capacity) available.
In a DOS attack, an attacker tries to choke, clog or overload all the
available bandwidth on the target system by bombarding it with more
traffic than it can handle.
As a result, even legitimate customers and clients are no longer able
to connect to the target system, disrupting all services provided by
the victim.
This results in loss of revenue, disrupted services, inconvenience,
customer dissatisfaction and many other problems.
3. DOS Attack
TYPES OF DOS ATTACKS
PING OF DEATH: An ICMP echo request (ping) whose fragments reassemble to
more than 65,535 bytes, the maximum size of an IP packet. Older systems
crashed or rebooted when the oversized packet overflowed the reassembly
buffer.
TEARDROP: Data is broken down at the source into smaller fragments and
put back together into the original packet at the destination.
Overlapping fragments are used to crash the target system.
4000 bytes of data, split into three fragments:
Chunk A: bytes 1 - 1500
Chunk B: bytes 1501 - 3000
Chunk C: bytes 3001 - 4000
What happens when chunk B claims to carry bytes 1499 - 2999 and chunk C
bytes 2999 - 4000? The fragments overlap, and a reassembly routine that
does not expect overlaps corrupts its buffer or crashes. That is Teardrop.
4. DOS Attack
TYPES OF DOS ATTACKS
Fragmentation Attack: Variation of Teardrop. Identical (fully
overlapping) fragments are sent to the target system: Chunk B and Chunk C
carry the same offset and the same data.
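Ping of death, Teardrop and the identical-fragment variation all come down to checks that a reassembly routine must make before it copies fragment data into its buffer. The following is an added example, not code from the lecture: it models fragments as (offset in bytes, payload length, more-fragments flag), which ignores the 8-byte offset units of a real IP header, and runs the checks over constructed fragment sets, including the Chunk A/B/C example from the slide.

```python
# Added example: sanity checks an IP reassembly routine needs in order to
# survive ping of death, teardrop and identical-fragment attacks.
# Fragments are modelled as (offset_bytes, payload_length, more_fragments);
# a real IP header stores the offset in 8-byte units, which is ignored here.

MAX_IP_DATAGRAM = 65535  # 16-bit Total Length field: nothing larger is legal


def classify(fragments):
    """Return "ok", "identical", "overlap" or "oversize" for a fragment set.

    Fragments are examined in offset order; the first rule that fires wins:
      identical -> same offset and length seen twice (fragmentation attack)
      oversize  -> reassembled datagram would exceed 65,535 bytes (ping of death)
      overlap   -> fragment starts before the previous one ended (teardrop)
    """
    seen = set()
    prev_end = 0
    for offset, length, _more in sorted(fragments):
        if (offset, length) in seen:
            return "identical"
        seen.add((offset, length))
        if offset + length > MAX_IP_DATAGRAM:
            return "oversize"
        if offset < prev_end:
            return "overlap"
        prev_end = offset + length
    return "ok"


def reassemble(fragments):
    """Copy fragment payloads into a buffer only after classify() says "ok".

    fragments: iterable of (offset_bytes, payload_bytes, more_fragments).
    Returns the reassembled bytes or raises ValueError naming the attack.
    """
    shaped = [(off, len(data), more) for off, data, more in fragments]
    verdict = classify(shaped)
    if verdict != "ok":
        raise ValueError("rejected fragment set: %s" % verdict)
    total = max(off + len(data) for off, data, _ in fragments)
    buf = bytearray(total)
    for off, data, _ in fragments:
        buf[off:off + len(data)] = data
    return bytes(buf)


# Constructed fragment sets (lengths only, 0-based offsets) for the slide's
# 4000-byte datagram.
NORMAL = [(0, 1500, True), (1500, 1500, True), (3000, 1000, False)]
TEARDROP = [(0, 1500, True), (1499, 1500, True), (2999, 1001, False)]
IDENTICAL = [(0, 1500, True), (1500, 1500, True), (1500, 1500, False)]
PING_OF_DEATH = [(0, 1480, True), (65528, 100, False)]  # 65,628 bytes once joined

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("identical", IDENTICAL), ("ping of death", PING_OF_DEATH)]:
        print("%-14s -> %s" % (name, classify(frags)))
```

The order of the checks matters: an identical fragment also overlaps its twin, so the duplicate test runs first to report the more specific verdict.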
Smurf Attack: A huge number of PING requests (ICMP Echo Request packets)
are sent to the broadcast address of an intermediary network, with the
source address spoofed to the victim's address. Every host on that
network replies to the victim, so one request is amplified into hundreds
of replies and the victim's network is saturated very quickly.
Land Attack: The attacker sends the target a packet whose source address
and port are the target's own address and port. Some older
implementations of TCP/IP could not handle a connection to themselves and
hung or crashed.
5. DOS Attack
TYPES OF DOS ATTACKS
SYN Flooding: Exploits the classic TCP three-way handshake. The attacker
creates a huge number of half-open connections by sending connection
requests from spoofed addresses. Whenever a system receives a connection
request (SYN packet), it must keep state for that half-open connection
until the handshake completes or times out (older BSD-derived stacks
waited 75 seconds).
Step 1: Attacker sends a SYN packet to the target with a spoofed source
address.
Step 2: Target replies with a SYN/ACK packet to the spoofed address.
Step 3: The attacker never completes the handshake, so the entry stays in
the target's backlog.
Once the backlog is full, the target cannot accept any new connections
until one of the old half-open connections times out.
6. DOS Attack
TYPES OF DOS ATTACKS
SYN Flooding: Can lead to 3 different scenarios:
• The spoofed IP address does not exist: the SYN/ACK goes unanswered and
the half-open entry lives until it times out. This is the most effective
case for the attacker.
• The spoofed IP address exists: that host receives a SYN/ACK it never
asked for and answers with RST, which frees the entry early.
• The spoofed IP address is a system within the victim network: the same
RST behaviour, but the bogus SYN/ACKs and the RSTs now also travel over
the victim's own network.
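The three scenarios and the backlog exhaustion they cause can be played through in a small model. The following is an added example, not code from the lecture: a simulated SYN backlog (the 128-entry capacity and 75 s timeout are assumptions chosen for the demo, as are the client addresses) under a flood from non-existent versus existing spoofed hosts, followed by a simplified SYN cookie showing why a stateless handshake is not exhausted by the same flood. Real SYN cookies also pack the MSS into the sequence number; this version only authenticates the 4-tuple and a time window.

```python
# Added example: a model of a listener's SYN backlog under the spoofing
# scenarios above, plus a simplified SYN cookie (stateless handshake).
# This is a simulation, not a TCP stack: capacity, timeout and the
# addresses are assumptions chosen for the demo.
import hashlib
import hmac


class SynBacklog:
    """Half-open connection table of one listening socket."""

    def __init__(self, capacity=128, timeout=75.0):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}   # (src_ip, src_port) -> time the SYN arrived
        self.refused = 0

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def on_syn(self, now, src):
        """SYN received: queue it (and send SYN/ACK) or drop it if full."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.refused += 1
            return False          # client gets no SYN/ACK -> connection fails
        self.half_open[src] = now
        return True

    def on_rst(self, src):
        """A real host that never sent a SYN answers our SYN/ACK with RST."""
        self.half_open.pop(src, None)

    def on_ack(self, src):
        """Final ACK of the handshake: the connection becomes established."""
        return self.half_open.pop(src, None) is not None


def flood_scenario(spoofed_hosts_exist):
    """Fill the backlog with 128 spoofed SYNs at t=0, then try a real client.

    Returns (accepted at t=1 s, accepted at t=76 s) for the legitimate client.
    """
    bl = SynBacklog(capacity=128, timeout=75.0)
    spoofed = [("10.9.%d.%d" % (i // 256, i % 256), 40000 + i) for i in range(128)]
    for src in spoofed:
        bl.on_syn(0.0, src)
    if spoofed_hosts_exist:          # scenarios 2/3: the spoofed hosts reply RST
        for src in spoofed:
            bl.on_rst(src)
    legit = ("203.0.113.7", 51000)   # constructed client address
    at_1s = bl.on_syn(1.0, legit)
    at_76s = bl.on_syn(76.0, legit)  # after the 75 s timeout the entries expire
    return at_1s, at_76s


def _cookie(secret, src, dst, window):
    msg = "%s|%s|%d" % (src, dst, window)
    return int.from_bytes(hmac.new(secret, msg.encode(), hashlib.sha256).digest()[:4], "big")


def syn_cookie(secret, src, dst, now, granularity=64):
    """Initial sequence number that encodes the handshake instead of storing it.

    The listener keeps no table entry; a flood of spoofed SYNs costs it
    nothing but the SYN/ACK packets it sends.
    """
    return _cookie(secret, src, dst, int(now) // granularity)


def verify_cookie(secret, src, dst, cookie, now, granularity=64):
    """Accept the final ACK only if it echoes a cookie from this or the previous window."""
    window = int(now) // granularity
    want = cookie.to_bytes(4, "big")
    return any(hmac.compare_digest(_cookie(secret, src, dst, w).to_bytes(4, "big"), want)
               for w in (window, window - 1))


if __name__ == "__main__":
    print("spoofed hosts do not exist:", flood_scenario(False))   # (False, True)
    print("spoofed hosts exist (RST):  ", flood_scenario(True))   # (True, True)
```

With non-existent spoofed sources the legitimate client is refused until the 75 s timeout has cleared the backlog; with existing sources the RST replies free the entries almost immediately, which is why attackers prefer unallocated address space.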
7. DOS Attack
TYPES OF DOS ATTACKS
Application Specific DOS Attacks: Instead of attacking the entire system,
a criminal can DOS only specific applications on the victim system. For
example, the criminal can DOS only the FTP, HTTP or SQL service by
flooding it with requests until it stops responding, while the rest of
the system stays up.
10. DOS Attack
Metasploit
TCP Flooding using Metasploit
It is possible to execute a DOS attack against various victims using
Metasploit as well (the option is named RHOSTS in Metasploit 5 and later):
use auxiliary/dos/tcp/synflood
set RHOST www.victim.com
run
11. DOS Attack
Metasploit
Apache Range Header DOS Attack (Apache Killer)
This is a DOS attack that affects Apache HTTP Server versions before
2.2.20 (CVE-2011-3192) and exists because of the way the server handled
requests for many overlapping byte ranges. Each range was buffered
separately, so a single request causes a significant increase in the
memory and CPU usage of the victim.
use auxiliary/dos/http/apache_range_dos
info auxiliary/dos/http/apache_range_dos
set RHOST www.victim.com
run
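To see why a single request could exhaust a server, the Range-header handling behind Apache Killer is recreated below. This is an added example, not the Metasploit module or Apache's code: requested_bytes() shows how much buffer a server that serves every range literally must set aside for one request, and assess_range_header() applies the kind of limits Apache adopted in its fix (fall back to a plain 200 when the ranges are too many, add up to more than the resource, or overlap). The attack header, the 10,000-byte resource size and the cap of 200 ranges are assumptions constructed for the demo; a strict RFC 7233 parser would ignore the whole header on an inverted spec like 5-0, whereas this lenient parser skips the spec so the count mirrors what a permissive server saw.

```python
# Added example: the Range-header handling behind "Apache Killer" (CVE-2011-3192)
# recreated in Python. requested_bytes() is the vulnerable accounting; the
# limits in assess_range_header() and the header itself are constructed for
# the demo, not copied from Apache.
import re

MAX_RANGES = 200   # assumed cap on ranges per request


def parse_ranges(header, content_length):
    """Parse 'bytes=a-b,c-,-n' into satisfiable inclusive (start, end) pairs.

    Specs that cannot be satisfied (start beyond the resource, or an inverted
    spec such as '5-0') are skipped here, as a lenient server would;
    syntax errors raise ValueError.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", header)
    if not m:
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or (first == "" and last == ""):
            raise ValueError("malformed range spec: %r" % spec)
        if first == "":                            # suffix range: last N bytes
            n = int(last)
            if n > 0:
                ranges.append((max(0, content_length - n), content_length - 1))
            continue
        start = int(first)
        end = int(last) if last else content_length - 1
        if start >= content_length or end < start:
            continue                               # unsatisfiable, skipped
        ranges.append((start, min(end, content_length - 1)))
    return ranges


def requested_bytes(ranges):
    """Bytes a naive server copies into per-range buffers (the vulnerable behaviour)."""
    return sum(end - start + 1 for start, end in ranges)


def assess_range_header(header, content_length, max_ranges=MAX_RANGES):
    """Hardened decision: ('partial', n) to serve a 206 with n ranges, or
    ('ignore', reason) to drop the Range header and serve a normal 200."""
    ranges = parse_ranges(header, content_length)
    if len(ranges) > max_ranges:
        return "ignore", "too many ranges (%d)" % len(ranges)
    if requested_bytes(ranges) > content_length:
        return "ignore", "ranges add up to more than the resource"
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:
            return "ignore", "overlapping ranges"
    return "partial", len(ranges)


def apache_killer_header(count=1300):
    """Constructed attack header: 'bytes=0-,5-0,5-1,...,5-<count-1>'."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(count))


if __name__ == "__main__":
    size = 10000                        # constructed resource size
    hdr = apache_killer_header()
    rng = parse_ranges(hdr, size)
    print("ranges kept:", len(rng), "bytes requested:", requested_bytes(rng),
          "amplification: %.0fx" % (requested_bytes(rng) / size))
    print("attack header  ->", assess_range_header(hdr, size))
    print("normal header  ->", assess_range_header("bytes=0-99,200-299", size))
```

For the constructed header the lenient parser keeps 1,296 ranges that add up to 849,160 bytes against a 10,000-byte resource, roughly 85 times the resource size per request, which is the amplification the attack relied on.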
12. DOS Attack
Metasploit
DOS Attack using Metasploit
FileZilla Server is a popular FTP server for Windows platforms. There are
two auxiliary modules in Metasploit that can be used to execute a DOS
attack against some versions of FileZilla Server:
use auxiliary/dos/windows/ftp/filezilla_admin_user
use auxiliary/dos/windows/ftp/filezilla_server_port
set RHOST www.victim.com
run
13. DOS Attack
Distributed DOS Attacks
The objective behind a DOS attack is to flood the target with as much
data as possible. A plain DOS attack can inflict only limited damage,
since it is one attacker against one target and the attacker's address
can simply be filtered. This is where D-DOS attacks come in.
Distributed DOS attacks are multi-tiered, multi-layered, sophisticated
modern-day versions of DOS attacks, where the criminal first hacks into
and takes control of a large number of less well protected systems
(called zombies) and then uses all of them to attack the target at once.
Distributed DOS attacks can be executed with the help of tools like Tribe
Flood Network (TFN), Trin00, Stacheldraht and others.
They can also be executed through viruses, worms and malware infections.
15. Low Orbit Ion Cannon (LOIC)
It is an open source network stress-testing tool, but it can also be used
as a DDOS attack application.
It tries to bring down a server by flooding the victim with a very large
number of TCP or UDP packets (or HTTP requests). If a lot of people run
LOIC against the same victim simultaneously, it becomes a distributed DOS
attack.
For example, the Anonymous hacker group used IRC channels and online
forums to tell their supporters which computer to attack with LOIC on a
specific day.
Http://cisko.fr/
18. DDOS Attack
Botnets and Zombies
A bot is an application or script that runs specific tasks or commands
automatically, for example executing DOS attacks against a victim. A
system infected with a bot and controlled remotely by an attacker is
known as a zombie. Bots or zombies are controlled from a central command
and control (C&C) server. A botnet is a network of computers on the
internet that are infected with such malware, Trojans or bots and are
misused for malicious purposes.
Zombies are recruited into botnets through malware downloads, clicks on
infected links and P2P file sharing; once infected, they are commanded
over covert channels such as IRC, Twitter, IM or HTTP.
Such botnets can be misused for executing DOS attacks, spam, click fraud
and other malicious purposes.
Shark is a popular botnet.
20. DDOS Attack
GuruPlug is a plug computer: a complete, always-on computer packed into
a wall-plug-sized enclosure.
21. DOS and DDOS Attack
Countermeasures
Separate or compartmentalize critical services.
Buy more bandwidth than normally required, to absorb sudden attacks.
Filter out useless or malicious traffic as early as possible, ideally
upstream of your own link.
In case of an attack, disable non-critical services and try to keep at
least the critical services running.
Disable publicly accessible services that are not needed.
Balance the traffic load across a set of servers.
Regular monitoring and working closely with your ISP will always help.
Use antivirus software to detect and remove any bot, Trojan or DDOS tools
from your computers.
Analyze traffic patterns to detect the source of the attack and block it
by port or by IP address.
Patch systems regularly. IPsec authenticates the source of traffic, so
spoofed packets can be rejected.
Use scanning tools to detect and remove DDOS tools.
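Deciding between "block by IP" and "block by port" needs traffic analysis of the kind the countermeasures above describe. The following is an added example, not from the lecture or any vendor tool: it parses flow records in a NetFlow-like CSV layout that is constructed for the demo (a little normal traffic, one source sending SYN-only flows, and forty sources hitting UDP/53) and recommends blocking a single dominant source by IP or rate-limiting a port that many sources are hammering. The thresholds and addresses are assumptions to be tuned against a real baseline.

```python
# Added example (not from the lecture): analysis of flow records of the kind a
# NetFlow collector exports, choosing between blocking by IP (one dominant
# source) and rate-limiting by port (many sources against one service).
# Records, thresholds and addresses are constructed for the demo.
from collections import Counter, defaultdict

HEADER = "ts,src,dst,proto,dport,flags,packets,bytes"


def parse_flow(line):
    ts, src, dst, proto, dport, flags, pkts, nbytes = line.split(",")
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "flags": flags, "packets": int(pkts),
            "bytes": int(nbytes)}


def sample_flows():
    """Constructed records: normal traffic, one SYN-flooding source and a
    distributed flood of many sources against UDP/53."""
    lines = [
        "0,198.51.100.20,203.0.113.5,tcp,443,SPA,12,9000",
        "1,198.51.100.21,203.0.113.5,tcp,443,SPA,8,6200",
        "2,198.51.100.22,203.0.113.5,tcp,80,SPA,5,3100",
    ]
    lines += ["%d,10.66.7.7,203.0.113.5,tcp,80,S,1,60" % (i % 10) for i in range(60)]
    lines += ["%d,192.0.2.%d,203.0.113.5,udp,53,-,40,30000" % (i % 10, i)
              for i in range(1, 41)]
    return [parse_flow(l) for l in lines]


def analyze(flows, per_source_syn=30, min_sources=25, window=10):
    """Return a list of (action, target, reason) recommendations.

    block_ip   -> one source sent more SYN-only flows than per_source_syn
                  (connection attempts that never carry data)
    limit_port -> at least min_sources distinct sources hit one dst port
                  inside the window, so no single IP can be blocked
    """
    syn_only = Counter()
    sources_per_port = defaultdict(set)
    bytes_per_port = Counter()
    for f in flows:
        if f["ts"] >= window:
            continue
        if f["proto"] == "tcp" and f["flags"] == "S":
            syn_only[f["src"]] += 1
        key = (f["dst"], f["proto"], f["dport"])
        sources_per_port[key].add(f["src"])
        bytes_per_port[key] += f["bytes"]
    actions = []
    for src, n in syn_only.most_common():
        if n > per_source_syn:
            actions.append(("block_ip", src, "%d SYN-only flows in %ds" % (n, window)))
    for key, srcs in sources_per_port.items():
        if len(srcs) >= min_sources:
            dst, proto, port = key
            actions.append(("limit_port", "%s/%d" % (proto, port),
                            "%d distinct sources, %d bytes" % (len(srcs), bytes_per_port[key])))
    return actions


if __name__ == "__main__":
    for action, target, reason in analyze(sample_flows()):
        print("%-10s %-12s %s" % (action, target, reason))
```

The SYN-only criterion is what separates a flood from a busy legitimate client: real sessions complete the handshake and carry data, so their flows show ACK and PSH flags and more than one packet.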
22. DOS and DDOS Attack
NetFlow Analyzer: bandwidth and traffic management tool (ManageEngine)
http://www.manageengine.com/products/netflow/
24. DOS and DDOS Attack
Alternate Data Streams (ADS)
Alternate Data Streams (ADS) are a feature of the Windows NTFS (New
Technology File System) file system: besides its main data stream, a
file can carry additional named streams. Windows has used them to store
file metadata such as the author or title.
Interestingly, adding data to a file's ADS does not change the size shown
by Explorer or dir, nor the file's behaviour. Data stored in the ADS of a
file is therefore effectively hidden, which makes it a favourite place
for criminals to stash malicious files like Trojans, keyloggers and
spyware.
25. Data Hiding
Alternate Data Streams (ADS) Manipulation
How do we hide some text inside the ADS of another text file?
Let us create a text file named test.txt and write the sample text "this
is a test file only" inside it.
Let us now use a colon (:) after the file name to store data inside the
ADS of the test.txt file.
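The same manipulation and its detection can be done from Python, which also shows the point made above: the visible size of test.txt stays that of its main stream. The following is an added example, not from the lecture: it writes and reads a named stream through the ordinary file:stream path syntax and enumerates every stream of the file through the Win32 FindFirstStreamW/FindNextStreamW API via ctypes. It therefore only works on Windows with an NTFS volume; the file name test.txt and the stream name hidden.txt are assumptions taken from the slide.

```python
# Added example (not from the lecture): writing to, reading from and
# enumerating NTFS alternate data streams from Python. Enumeration calls the
# Win32 FindFirstStreamW/FindNextStreamW API via ctypes, so it only works on
# Windows with NTFS; the file and stream names are assumptions.
import ctypes
import os
import sys

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def write_stream(path, stream, data):
    """Store data in path:stream; the file's visible size does not change."""
    with open("%s:%s" % (path, stream), "wb") as fh:
        fh.write(data)


def read_stream(path, stream):
    with open("%s:%s" % (path, stream), "rb") as fh:
        return fh.read()


def stream_name(raw):
    """':hidden.txt:$DATA' -> 'hidden.txt'; '::$DATA' (the main stream) -> ''."""
    parts = raw.split(":")
    return parts[1] if len(parts) >= 2 else raw


def list_streams(path):
    """Return [(name, size)] for every $DATA stream of path (Windows/NTFS only)."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need Windows and NTFS")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if h == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((stream_name(data.cStreamName), data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return streams


def hidden_streams(streams):
    """Everything except the unnamed main stream is a place data can hide."""
    return [(name, size) for name, size in streams if name]


if __name__ == "__main__":
    path = "test.txt"                    # assumed file name, as on the slide
    with open(path, "w") as fh:
        fh.write("this is a test file only\n")
    write_stream(path, "hidden.txt", b"secret text\n")
    print("visible size:", os.path.getsize(path))        # main stream only
    print("ADS content:", read_stream(path, "hidden.txt"))
    streams = list_streams(path)
    print("all streams:", streams)
    print("hidden:", hidden_streams(streams))
```

Running list_streams over every file in a directory and reporting the non-empty result of hidden_streams is the same check that ADS-detection tools perform; copying the file to a FAT volume or sending it over most channels silently drops the alternate streams.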
26. Data Hiding
Alternate Data Streams (ADS) Manipulation
Detection of ADS Streams
AlternateStreamView (NirSoft) lists the alternate data streams of every
file in a folder: http://www.nirsoft.net