Presented by: Professor Lili Saghafi
proflilisaghafi@gmail.com
@Lili_PLS
Computer Security
Cyber security
DOS & DDOS Attacks
Beyond Campus Innovations, Inc. Colorado Corporation
SEU
Today's Agenda
• DOS / DDOS introduction
• How easy it is to get information
• Real-life examples: MyDoom, GitHub, Dyn; Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DOS) attacks
• Base of attacks
• Types of DOS / DDOS
• Attack tools: LOIC, XOIC, Stacheldraht
• DOS/DDOS weaknesses
• Categories of DOS/DDOS
• What to defend?
• Botnets and botnet mitigations
• Michael Calce, a.k.a. MafiaBoy
• Point of entrance / OSI Model (if time permits)
A denial-of-service attack is a cyber-attack in which the hacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Introduction
Denial-of-Service Attacks
• One of the most common types of attacks: denial-of-service attacks are second only to virus/worm attacks.
• They prevent legitimate users from accessing the system.
• Know how it works: it is common because of its ease of use and its effectiveness in shutting down services. If you can keep a service from reaching customers, then you can effectively stop e-business (MyDoom and Slammer).
• Know how to stop it: it is crucial for you to understand how DoS attacks work and how to defend yourself against them.
How easy is it?
• How long data takes to go to the server and back
• Ping shows statistics on how many packets were sent and received
• Ipconfig in Command Prompt
• If the router address and the DHCP server address shown are the same, my DHCP server is currently residing on the router.
• If my DNS server address is the same as the router address, my DNS server is on the router.
Ipconfig in Command Prompt
MyDoom
• "At present rates, MyDoom is the fastest spreading malware of all time. The worm was spread through mass emailing. With the recent hike in infections, MyDoom has become comparable in destruction to Sobig -- the worst malware of all time, which caused $37 billion of economic damage worldwide primarily in late 2003."
• The original MyDoom virus is known to have two triggers. One trigger caused the virus to start a denial of service (DoS) attack starting Feb. 1, 2004.
• The second trigger caused the virus to stop distributing itself on Feb. 12, 2004.
Base of the attack
Computers have physical limitations:
• Number of users
• Size of files
• Speed of transmission
• Amount of data stored
Exceed any of these limits and the computer will cease to respond.
Only so many cars can go on the highway. If more are allowed, then the safety, speed, and other qualities of highway traffic suffer.
• Experiencing a distributed denial-of-service (DDoS) attack is like having your home flood.
• When a DDoS attack hits your network, a long time can pass before the security/network staff fully realizes it is actually a DDoS attack that is affecting the services, and not a failing server or application.
• A DDoS attack uses a number of machines to attack the target.
GitHub (February 2018)
• A popular online code management service used by millions of developers, GitHub is used to high traffic and usage.
• What it wasn't prepared for was the record-breaking 1.3 Tbps of traffic that flooded its servers with 126.9 million packets of data each second.
• The attack was the biggest recorded DDoS attack, but amazingly the onslaught only took GitHub's systems down for about 20 minutes.
• This was largely due to the fact that GitHub utilized a DDoS mitigation service that detected the attack and quickly took steps to minimize the impact.
A data tsunami: the March 2018 distributed denial-of-service (DDoS) attack on GitHub had been measured at a record-breaking peak of 1.35 terabits per second.
A variety of DDoS attacks (figure):
• Volume-based attack: massive amounts of bogus/fake traffic
• Protocol attack: large numbers of Internet Control Message Protocol (ICMP) packets
Dyn (October 2016)
• As a major DNS provider (Domain Name Servers (DNS) are the Internet's equivalent of a phone book), Dyn was crucial to the network infrastructure of several major companies, including Netflix, PayPal, Visa, Amazon, and The New York Times.
• The attack used a malware called Mirai, which turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks.
• It primarily targets online consumer devices such as IP cameras and home routers.
• Unidentified hackers created a massive botnet incorporating internet of things (IoT) devices to launch what was at the time the largest recorded DDoS attack.
DOS attack tools
LOIC (Low Orbit Ion Cannon) is an open-source network stress testing and denial-of-service attack application, written in C#.
• LOIC is one of the most powerful DOS attacking tools freely available.
• Open-source application developed by Praetox Technologies, used for network stress testing as well as denial of service (DoS) and distributed denial of service (DDoS) attacks.
• Downloading and using the LOIC on your own personal servers as a means of stress-testing is perfectly legal; using the program to perform a DDoS attack on someone else could be considered a felony under the Computer Fraud and Abuse Act of 1986.
• GUI
• Easy to use
DOS attack tools
• XOIC is also a strong tool for DOS attacks and is very similar to the LOIC tool.
• XOIC comes with a few different modes.
• These modes include the test mode and a normal DoS attack mode.
• It performs a DOS attack on any server with an IP address, a user-selected port, and a user-selected protocol.
• The last DoS tool is called the HULK.
• GUI
• Easy to use
DOS attack tools
Common Tools Used for DoS
TFN and TFN2K (TFN and TFN2K are not viruses, but attack tools that can be used to perform a distributed DoS attack.)
• Can perform various protocol floods.
• Master controls agents.
• Agents flood designated targets.
• Communications are encrypted.
• Communications can be hidden in traffic.
• Master can spoof its IP.
DDOS attack tools
Common Tools Used for DoS
Stacheldraht (German for "barbed wire") is malware written by Mixter for Linux and Solaris systems which acts as a distributed denial-of-service (DDoS) agent. This tool detects and automatically enables source address forgery.
• The Stacheldraht trojan horse agent allows attack-by-proxy
• Combines Trinoo with TFN
• Detects source address forgery
• Performs a variety of attacks
Proxy server: a machine or software that hides all internal network IP addresses from the outside world. It provides a point of contact between a private network and the Internet.
© 2016 Pearson, Inc. Chapter 4 Denial of Service Attacks
Stacheldraht on the Symantec site
DoS Weaknesses
• Hacker must successfully spoof (imitate) the source IP.
• In a DDoS, as soon as victims' machines are disinfected, the attack stops.
• In a single attack, the hacker's own machine is at risk of discovery.
• The flood must be sustained (continued for a period).
Categories of DOS/DDOS attacks
Category 1 Attack
This is a URL redirection attack
• A URL Redirection Attack is a kind of vulnerability that redirects you to another page, freely out of the original website, when accessed; it is usually integrated with a phishing attack.
http://www.example.com/login.php?redirect=http://www.examp1e.com/home.php
On clicking, it will bring you to http://www.examp1e.com/home.php
• This page could lead to a malicious page that resembles the original and tries to trick the user into giving their credentials.
• Notice the "l" and "1", which can catch some unwary users off guard.
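Added example, not part of the deck: the defence against the redirect above is to validate the redirect parameter on the server before honouring it. The Python below (assumed allow-list of hosts www.example.com and example.com, all function names are the example's own) keeps site-relative paths, accepts absolute URLs only on allowed hosts, sends everything else (including the look-alike examp1e.com and protocol-relative "//host" forms) to a fixed fallback, and can also report a host whose "1"/"0" characters fold into an allowed host name.

```python
from urllib.parse import urlparse, parse_qs

# Hosts this application may redirect to (constructed allow-list for the example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Digit/letter confusables folded to one letter, so "examp1e" compares equal
# to "example" and can be reported as a look-alike.
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})


def fold_confusables(host: str) -> str:
    """Lower-case the host and map common look-alike characters to letters."""
    return host.lower().translate(_CONFUSABLES)


def is_lookalike_host(host: str) -> bool:
    """True when host is NOT allowed but becomes an allowed host after folding."""
    if host in ALLOWED_HOSTS:
        return False
    folded_allowed = {fold_confusables(h) for h in ALLOWED_HOSTS}
    return fold_confusables(host) in folded_allowed


def safe_redirect_target(requested: str, fallback: str = "/home.php") -> str:
    """Return a redirect target that cannot leave the allowed hosts.

    Site-relative paths ("/account") pass through. Absolute URLs pass only
    when they use http(s) and name an allowed host. Everything else, including
    protocol-relative "//host" forms and look-alike hosts, gets the fallback.
    """
    parsed = urlparse(requested)
    if not parsed.scheme and not parsed.netloc:
        # Relative reference: keep it on this site, reject "//" and "/\" forms.
        if requested.startswith("/") and not requested.startswith(("//", "/\\")):
            return requested
        return fallback
    if parsed.scheme not in ("http", "https"):
        return fallback
    if (parsed.hostname or "").lower() in ALLOWED_HOSTS:
        return requested
    return fallback


def resolve_login_redirect(login_url: str) -> str:
    """Pull the redirect parameter out of a login URL and sanitise it."""
    query = parse_qs(urlparse(login_url).query)
    requested = query.get("redirect", [""])[0]
    return safe_redirect_target(requested)


if __name__ == "__main__":
    link = "http://www.example.com/login.php?redirect=http://www.examp1e.com/home.php"
    print(resolve_login_redirect(link))            # the look-alike host is refused
    print(is_lookalike_host("www.examp1e.com"))    # worth logging as a phishing sign
```

Matching on the parsed hostname rather than with a substring check matters: "www.example.com.evil.net" contains the allowed name but is not it, and the parser also separates "//host" tricks from genuine relative paths.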
Category 2 Attack
• Aug 6, 2009: Twitter crippled by denial-of-service attack. Twitter was inaccessible for several hours on Thursday morning, followed by a period of slowness and sporadic time-outs (and more outright downtime). The company is blaming an "ongoing" denial-of-service attack.
• Facebook has also confirmed that it was targeted by a DoS attack that rendered some of its features slow or non-functional.
How it works
A hacker can close an open port and deny access to the database.
How bad is it?
• DDoS attacks cost banks up to $100,000 per hour
• 20% of such attacks last for days and even months
• 87% of the attacked companies were hit more than once
Destruction
A hacker can delete files and cause a RESOURCE NOT FOUND error.
Destruction
If the application is vulnerable to an injection attack, then the hacker can delete a table from the database and cause a DOS attack.
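Added example, not from the deck: the injection-to-DoS path above shown as a vulnerable delete beside its hardened form. The Python below (table and rows are constructed sample data; function names are the example's own) builds an in-memory SQLite database, runs the same hostile input through a query that concatenates user input and through one that validates the id and binds it as a parameter, and returns how many rows survive each.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with three notes (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (id, body) VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    conn.commit()
    return conn


def delete_note_vulnerable(conn: sqlite3.Connection, note_id: str) -> int:
    """Vulnerable: the request parameter is pasted straight into the SQL text,
    so an input such as '1 OR 1=1' widens the WHERE clause to every row."""
    cur = conn.execute(f"DELETE FROM notes WHERE id = {note_id}")
    conn.commit()
    return cur.rowcount


def delete_note_safe(conn: sqlite3.Connection, note_id: str) -> int:
    """Hardened: reject anything that is not a plain integer, then bind the
    value as a parameter so it can only ever be compared, never parsed as SQL."""
    if not note_id.isdigit():
        raise ValueError("note id must be a positive integer")
    cur = conn.execute("DELETE FROM notes WHERE id = ?", (int(note_id),))
    conn.commit()
    return cur.rowcount


def count_notes(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]


def demo(hostile: str = "1 OR 1=1") -> tuple:
    """Run one hostile input through both versions; return rows left in each."""
    vuln = make_db()
    delete_note_vulnerable(vuln, hostile)
    safe = make_db()
    try:
        delete_note_safe(safe, hostile)
    except ValueError:
        pass                      # rejected before it reaches the database
    return count_notes(vuln), count_notes(safe)


if __name__ == "__main__":
    print(demo())                 # (0, 3): the vulnerable path emptied the table
```

Every later lookup against the emptied table is the "resource not found" the slide describes; the fix is the same whichever database driver is used, validate the type and bind parameters.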
What to defend?
• DDoS attacks are increasing in volume, frequency, and sophistication, and they are targeting every level in the data center.
• Although recent DDoS attacks declined slightly in 2018, the first quarter of 2019 saw an 84 percent increase over the previous year.
• Smart organizations are moving to defend not only their network, session, and application layers, but also their business logic and database tiers as well.
Repeatedly requesting access to a resource, for example by repeatedly reloading the page, causes a DOS attack.
Example of exhaustion attack type
• SYN flood attack. In this type of attack numerous SYN packets are sent to an open TCP port.
• So if many SYN packets are received and also fail to complete the three-way handshake, the amount of memory consumed increases.
Botnets – collections of a network of malware-infected systems
• DDoS attackers rely on botnets – collections of a network of malware-infected systems that are centrally controlled.
• These infected endpoints are usually computers and servers, but are increasingly IoT and mobile devices.
• The attackers will harvest these systems by identifying vulnerable systems that they can infect through phishing attacks, malvertising attacks and other mass infection techniques.
• Attackers will also rent these botnets from those who built them.
Botnets
Botnets can be mitigated by:
• RFC3704 filtering, which will deny traffic from spoofed addresses and help ensure that traffic is traceable to its correct source network. For example, RFC3704 filtering will drop packets from bogon list addresses.
• Black hole filtering, which drops undesirable traffic before it enters a protected network. When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send routing updates to ISP routers so that they route all traffic heading to victim servers to a null0 interface at the next hop.
Feb 2019
• Microsoft published a security advisory on its Security Response Center which discloses that Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DOS) attacks.
• To be more exact, all IIS servers running Windows Server 2016, Windows Server Version 1709, Windows Server Version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue.
• The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a potential remote attacker to trigger a DoS condition by taking advantage of an IIS resource exhaustion bug that "could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS."
(DDoS) attack real-life example
• In early 2000, Canadian high school student Michael Calce, a.k.a. MafiaBoy, whacked Yahoo! with a distributed denial of service (DDoS) attack that managed to shut down one of the leading web powerhouses of the time.
• Over the course of the week that followed, Calce took aim at, and successfully disrupted, other such sites as Amazon, CNN and eBay. Damage was more than a billion dollars.
• The fact that the largest website in the world could be rendered inaccessible by a 15-year-old created widespread concern. "An Electronic Pearl Harbor waiting to happen".
Point of entrance
OSI Model Layers
OSI Model, Open Systems Interconnection model
• A conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.
DDoS attacks by OSI layer (figure):
• Protocol floods: TFN and TFN2K.
• Massive amounts of fake traffic to down a resource such as a website or server, including ICMP, UDP, and spoof-packet flood attacks.
• Flooding applications with maliciously crafted requests.
• Flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
DDoS attacks target many layers of the OSI network model.
Three primary classes of DDoS attacks
1 – Those that use massive amounts of bogus/fake traffic to down a resource such as a website or server, including ICMP (Internet Control Message Protocol), UDP, and spoof-packet flood attacks.
UDP (User Datagram Protocol) is an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss-tolerating connections between applications on the internet.
Today's attacks are moving up the OSI stack.
Three primary classes of DDoS attacks
2 – Another class of DDoS attack uses packets to target the network infrastructure and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others.
Like: the Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
Network attacks target layers 2 through 4.
Three primary classes of DDoS attacks
3 – Some DDoS attacks target an organization's application layer and are conducted by flooding applications with maliciously crafted requests.
The goal is always the same: make online resources sluggish or completely unresponsive.
Session attacks typically defeat conventional firewalls.
Application attacks are the most widespread today.
• An application attack is different from a network attack in that it is specific to the application being targeted.
• Whereas a SYN flood can be launched against an IP address, an application attack will usually exploit properties specific to the victim, such as the repeated downloading of a single PDF file on the website.
• To lower-level security devices such as firewalls, the attack connections are indistinguishable from normal traffic.
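Added example, not from the deck: because a firewall sees these requests as ordinary traffic, the place to detect an application attack is the web server's own access log. The Python below (constructed Apache-style log lines; file format and thresholds are the example's assumptions) parses each line, keeps a sliding 60-second window of request times per client and path, and flags any client that fetches one resource more than 20 times in that window, which is exactly the "repeated downloading of a single PDF" pattern above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Apache/nginx "common log format"; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (client ip, timestamp, request path), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def find_single_resource_floods(lines: List[str], window_s: int = 60,
                                threshold: int = 20) -> Dict[Tuple[str, str], int]:
    """Flag (client, path) pairs fetched more than `threshold` times inside any
    `window_s`-second sliding window; the value is the peak count observed."""
    windows: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        q = windows[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire old timestamps
            q.popleft()
        if len(q) > threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def build_sample_log() -> List[str]:
    """Constructed log: one client downloads the same PDF every second for 40 s,
    another browses ten different pages at a normal pace."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2019, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{t}] "GET /reports/annual.pdf HTTP/1.1" 200 5120000')
    for i in range(10):
        t = (base + timedelta(seconds=5 * i)).strftime(fmt)
        lines.append(f'198.51.100.4 - - [{t}] "GET /page{i}.html HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for (ip, path), peak in find_single_resource_floods(build_sample_log()).items():
        print(f"{ip} requested {path} {peak} times within 60 s")
```

The threshold should be tuned per resource: a large PDF fetched twenty times a minute by one client is suspicious, a small icon is not, so a production version would carry per-path limits rather than one global number.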
Going Deeper
How does the Low Orbit Ion Cannon work?
• It works by flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
• One attacker using the LOIC can't generate enough junk traffic to make a serious impact on a target;
• serious attacks require thousands of users to coordinate a simultaneous attack on the same target.
DDOS
DYN
• In October 2016, internet infrastructure services provider Dyn DNS (now Oracle DYN) was struck by a wave of DNS queries from tens of millions of IP addresses.
• That attack, executed through the Mirai botnet, reportedly infected over 100,000 IoT devices, including IP cameras and printers.
• At its peak, Mirai reached 400,000 bots. Services including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter were disrupted.
GitHub
• In early 2018 a new DDoS technique began to emerge. On February 28, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site.
• Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying, as it outpaced the Dyn attack, which had peaked at 1.2 TB a second.
Mirai botnet
Unlike the Mirai botnet, which required malware to infest thousands of IoT devices, the GitHub attack exploited servers running the Memcached memory caching system, which can return very large chunks of data in response to simple requests.
Mirai botnet
The Mirai botnet was significant in that, unlike most DDoS attacks, it leveraged vulnerable IoT devices rather than PCs and servers. It's especially scary when one considers that by 2020, according to BI Intelligence, there will be 34 billion internet-connected devices, and the majority (24 billion) will be IoT devices.
Torii
• Torii is capable of taking over a range of IoT devices and is considered more persistent and dangerous than Mirai.
• DemonBot hijacks Hadoop clusters, which gives it access to more computing power.
DoS Attacks, TCP SYN Flood Attack
TCP SYN Flood Attack (in a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address.)
• Hacker sends out a SYN packet. (SYN scanning is also known as half-open scanning. In SYN scanning, the hostile client attempts to set up a TCP/IP connection with a server at every possible port. ... If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open.)
• Receiver must hold space in buffer.
• Bogus SYNs overflow buffer.
• SYN flood attacks work by exploiting the handshake process of a TCP connection.
DoS Attacks (cont.)
Methods of Prevention of TCP SYN Flood Attack, protocol attacks
SYN Cookies
• Initially no buffer is created.
• Client response is verified using a cookie.
• Only then is the buffer created.
• Resource-intensive.
Methods of Prevention of TCP SYN Flood Attack, protocol attacks
RST Cookies
• Sends a false SYN/ACK back
• Should receive an RST in reply
• Verifies that the host is legitimate
• Not compatible with Windows 95
Methods of Prevention of TCP SYN Flood Attack, protocol attacks
Stack Tweaking
• Complex method
• Alters TCP stack
• Makes attack difficult but not impossible
Corrective measures
• Place servers behind a firewall configured to stop inbound SYN packets.
• Increase the size of the connection queue and decrease the timeout on open connections.
Smurf IP Attack, protocol attacks
(DoS) and (DDoS) attacks
Smurf IP Attack
• Hacker sends out ICMP broadcast with spoofed source IP.
• Intermediaries respond with replies.
• ICMP echo replies flood victim.
• The network performs a DDoS on itself.
CERT listing on Smurf attacks
DoS Attacks (cont.)
Methods of Prevention: Smurf IP Attack, protocol attacks
• To protect your devices from this attack, you need to disable IP-directed broadcasts at the routers.
• This will prevent the ICMP echo broadcast request at the network devices.
• Another option would be to configure the end systems to keep them from responding to ICMP packets from broadcast addresses.
Protection against Smurf attacks
• Guard against Trojans.
• Have adequate AV software.
• Utilize proxy servers.
• Ensure routers don't forward ICMP broadcasts.
UDP Flood Attack
(DoS) and (DDoS) attacks
• Hacker sends UDP packets to a random port
• Generates illegitimate UDP packets
• Causes system to tie up resources sending back packets
ICMP Flood Attack
(DoS) and (DDoS) attacks
• Floods – broadcasts of pings or UDP packets
• Nukes – exploit known bugs in operating systems
The Ping of Death (PoD)
(DoS) and (DDoS) attacks
• Sending a single large packet.
• Most operating systems today avoid this vulnerability.
• Still, keep the system patched.
Methods of Prevention: The Ping of Death (PoD)
• Ping of death attacks can be blocked by using a firewall that will check fragmented IP packets for maximum size.
Teardrop Attack
(DoS) and (DDoS) attacks
• Hacker sends a fragmented message
• Victim system attempts to reconstruct the message
• Causes system to halt or crash
Methods of Prevention: Teardrop Attack
• If users don't have patches to protect against this DoS attack, disable SMBv2 and block ports 139 and 445.
Land Attack
(DoS) and (DDoS) attacks
• Simplest of all attacks
• Hacker sends packet with the same source and destination IP
• System "hangs" attempting to send and receive the message
Echo/Chargen Attack
(DoS) and (DDoS) attacks
• Echo service sends back whatever it receives.
• Chargen is a character generator.
• Combined, huge amounts of data form an endless loop.
Distributed Denial of Service (DDoS)
• Routers communicate on port 179
• Hacker tricks routers into attacking target
• Routers initiate flood of connections with target
• Target system becomes unreachable
Real-World Examples
• MyDoom: worked through e-mail
• Slammer: spread without human intervention
7 Best Practices for Preventing DDoS attacks
• Develop a Denial of Service Response Plan.
• Secure Your Network Infrastructure.
• Practice Basic Network Security.
• Maintain Strong Network Architecture.
• Leverage the Cloud.
• Understand the Warning Signs.
• Consider DDoS-as-a-Service. The key benefit of this model is the ability to tailor the security architecture to the needs of a particular company, making high-level DDoS protection available to businesses of any size.
How to Defend Against DoS Attacks
In addition to the previously mentioned methods:
• Configure your firewall to:
  • Filter out incoming ICMP packets.
  • Egress filter for ICMP packets.
  • Disallow any incoming traffic.
• Use tools such as NetStat and others.
How to Defend Against DoS Attacks (cont.)
• Disallow traffic not originating within the network.
• Disable all IP broadcasts.
• Filter for external and internal IP addresses.
• Keep AV signatures updated.
• Keep OS and software patches current.
• Have an Acceptable Use Policy.
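Added example, not from the deck: the firewall rules on these two slides, the RFC3704/bogon and black-hole filtering from the botnet mitigation slide, the Smurf prevention (no echo requests to broadcast addresses) and the Land attack check (source equals destination) all fit in one border filter. The Python below models such a filter over constructed packets; the internal network 10.0.0.0/8, the bogon list, the packet fields and all names are the example's assumptions, and the RFC 5737 documentation nets are left out of the bogon list only so they can play the part of public addresses in the samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Source prefixes that should never arrive from the Internet (RFC 1918 space,
# loopback, link-local, multicast, reserved). Constructed from well-known
# reserved ranges; an operator would load a maintained bogon feed instead.
# 192.0.2/24, 198.51.100/24 and 203.0.113/24 (RFC 5737) are omitted here so
# they can stand in for public addresses below; a production list has them.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

ACCEPT = "accept"
DROP_LAND = "drop: source equals destination (Land)"
DROP_SPOOF_IN = "drop: inbound packet claims an internal source (RFC 3704)"
DROP_SPOOF_OUT = "drop: outbound packet with a source that is not ours"
DROP_BOGON = "drop: bogon source address (RFC 3704)"
DROP_RTBH = "drop: destination is black-holed (null0 route)"
DROP_SMURF = "drop: ICMP echo request to a broadcast address (Smurf)"
DROP_ICMP = "drop: inbound ICMP filtered"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    inbound: bool                     # True = arriving from the Internet
    icmp_type: Optional[int] = None   # 8 = echo request


class EdgeFilter:
    """Border filter applying the deck's rules to one packet at a time."""

    def __init__(self, internal_net: str, null_routed: Iterable[str] = ()) -> None:
        self.internal = ipaddress.ip_network(internal_net)
        self.broadcasts = {self.internal.broadcast_address,
                           ipaddress.ip_address("255.255.255.255")}
        self.null_routed = {ipaddress.ip_address(a) for a in null_routed}

    def verdict(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src == dst:                                   # Land attack
            return DROP_LAND
        if pkt.inbound and src in self.internal:         # our addresses never come from outside
            return DROP_SPOOF_IN
        if not pkt.inbound and src not in self.internal: # and only ours may leave
            return DROP_SPOOF_OUT
        if pkt.inbound and any(src in net for net in BOGONS):
            return DROP_BOGON
        if dst in self.null_routed:                      # victim under RTBH
            return DROP_RTBH
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst in self.broadcasts:
            return DROP_SMURF
        if pkt.inbound and pkt.proto == "icmp":          # slide: filter incoming ICMP
            return DROP_ICMP
        return ACCEPT


def null_route(flt: EdgeFilter, victim: str) -> None:
    """Model the BGP update that sends all traffic for a victim to null0."""
    flt.null_routed.add(ipaddress.ip_address(victim))


if __name__ == "__main__":
    flt = EdgeFilter("10.0.0.0/8")
    samples = [                                          # constructed packets
        Packet("10.0.0.5", "10.0.0.7", "tcp", inbound=True),
        Packet("192.168.1.1", "10.0.0.7", "tcp", inbound=True),
        Packet("198.51.100.9", "10.255.255.255", "icmp", inbound=True, icmp_type=8),
        Packet("198.51.100.9", "10.0.0.7", "tcp", inbound=True),
    ]
    for p in samples:
        print(p.src, "->", p.dst, flt.verdict(p))
```

Rule order matters: the Smurf example on the later slide (echo request "from" 10.0.0.10 to 10.255.255.255) is stopped by the spoofed-internal-source rule before the Smurf rule is ever consulted, and a black-hole route also drops legitimate traffic to the victim, which is the trade-off the slide's "route all traffic heading to victim servers to null0" implies.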
SYN Cookies
SYN cookie is a technique used to resist SYN flood attacks. The technique's primary inventor Daniel J. Bernstein defines SYN cookies as "particular choices of initial TCP sequence numbers by TCP servers." In particular, the use of SYN cookies allows a server to avoid dropping connections when the SYN queue fills up.
TCP SYN flood attack
An attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker's device floods the target system's small in-process queue with connection requests, but it does not respond when the target system replies to those requests. This causes the target system to time out while waiting for the response from the attacker's device, which makes the system crash or become unusable when the connection queue fills up.
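Added example, not from the deck: a toy model of the SYN queue described here and on the SYN flood and SYN cookie prevention slides. The Python below (backlog size, the cookie layout of 24 MAC bits plus an 8-bit time counter, and all names are the example's simplifications, not a real TCP stack) fills a small backlog with spoofed SYNs that never complete the handshake, then shows that an honest client is refused without SYN cookies and accepted with them, because the cookie version keeps no per-SYN state and only accepts an ACK that echoes a valid cookie.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class Listener:
    """Toy model of one listening TCP socket's half-open (SYN) queue.

    Without SYN cookies, every SYN reserves a backlog slot until the client's
    ACK arrives or the entry times out; spoofed SYNs never ACK, so they pin the
    slots. With SYN cookies the server stores nothing and instead puts a value
    in its initial sequence number (ISN) that only a real ACK can echo back.
    """

    def __init__(self, backlog: int = 8, use_syn_cookies: bool = False,
                 secret: Optional[bytes] = None) -> None:
        self.backlog = backlog
        self.use_syn_cookies = use_syn_cookies
        self.secret = secret or os.urandom(16)
        self.half_open: Dict[Tuple[str, int], int] = {}
        self.established: set = set()
        self.dropped = 0

    def _cookie(self, src_ip: str, src_port: int, counter: int) -> int:
        """24 bits of keyed MAC over the client endpoint plus an 8-bit time counter."""
        msg = f"{src_ip}:{src_port}:{counter & 0xFF}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

    def on_syn(self, src_ip: str, src_port: int, counter: int = 0) -> Optional[int]:
        """Handle a SYN; return the ISN sent in SYN/ACK, or None if the SYN was dropped."""
        if self.use_syn_cookies:
            return self._cookie(src_ip, src_port, counter)      # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                                   # queue full
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = isn                # slot reserved
        return isn

    def on_ack(self, src_ip: str, src_port: int, ack_num: int, counter: int = 0) -> bool:
        """Handle the final ACK (ack_num = server ISN + 1); True once established."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        if self.use_syn_cookies:
            issued = isn & 0xFF
            if (counter - issued) % 256 > 1:                    # cookie too old
                return False
            if self._cookie(src_ip, src_port, issued) != isn:   # forged cookie
                return False
        else:
            if self.half_open.get((src_ip, src_port)) != isn:
                return False
            del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def simulate(use_syn_cookies: bool, spoofed_syns: int = 50) -> Dict[str, int]:
    """Send spoofed SYNs that never complete, then one honest handshake."""
    srv = Listener(backlog=8, use_syn_cookies=use_syn_cookies)
    for i in range(spoofed_syns):                  # constructed spoofed sources
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i, counter=1)
    isn = srv.on_syn("203.0.113.9", 51515, counter=1)
    ok = isn is not None and srv.on_ack("203.0.113.9", 51515, isn + 1, counter=2)
    return {"legit_established": int(ok), "half_open": len(srv.half_open),
            "dropped": srv.dropped}


if __name__ == "__main__":
    print("plain backlog :", simulate(False))     # honest client refused
    print("SYN cookies   :", simulate(True))      # honest client accepted
```

The slide's "resource-intensive" remark refers to the MAC computed for every SYN and ACK; the trade-off is that the server never has to remember a SYN it has answered, so a flood of them costs it no memory.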
RST cookies
• For the first request from a given client, the server intentionally sends an invalid SYN-ACK.
• This should result in the client generating an RST packet, which tells the server something is wrong.
Stack tweaking
• Administrators can tweak TCP stacks to mitigate the effect of SYN floods.
• This can either involve reducing the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections.
Smurf IP Attack
• This attack involves using IP spoofing and ICMP to saturate a target network with traffic.
• This attack method uses ICMP echo requests targeted at broadcast IP addresses.
• These ICMP requests originate from a spoofed "victim" address. For instance, if the intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255.
• This request would go to all IPs in the range, with all the responses going back to 10.0.0.10, overwhelming the network. This process is repeatable, and can be automated to generate huge amounts of network congestion.
UDP flood attack
• A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.
• Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP).
ICMP Flood Attack
• A ping flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.
• When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
The Ping of Death (PoD)
• This type of attack uses IP packets to ping a target system with an IP size over the maximum of 65,535 bytes.
• IP packets of this size are not allowed, so the attacker fragments the IP packet. Once the target system reassembles the packet, it can experience buffer overflows and other crashes.
Teardrop attack
• This attack causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host; the attacked system attempts to reconstruct packets during the process but fails.
• The target system then becomes confused and crashes.
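Added example, not from the deck: the "firewall that will check fragmented IP packets for maximum size" from the Ping of Death prevention slide, extended to the overlap check that catches the Teardrop pattern described here. The Python below (fragment records and streams are constructed; field names and function names are the example's own) groups fragments by IP Identification, then rejects a datagram whose reassembled size would exceed 65,535 bytes or whose fragments overlap, before any reassembly buffer is touched.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_DATAGRAM = 65535     # largest IPv4 total length the header can express
IP_HEADER_LEN = 20       # minimal IPv4 header, counted once in the total length


@dataclass
class Fragment:
    ident: int           # IP Identification: shared by all fragments of one datagram
    offset: int          # Fragment Offset field, in 8-byte units
    payload_len: int     # bytes of data carried after the IP header
    more: bool           # More Fragments (MF) flag


def check_datagram(frags: List[Fragment]) -> List[str]:
    """Inspect one datagram's fragments before reassembly; return findings.

    Empty list means the fragment set looks sane. Checks, in order:
      * non-final fragments must carry a multiple of 8 bytes (RFC 791);
      * Ping of Death: any fragment whose end would push the reassembled
        datagram past 65,535 bytes;
      * Teardrop: a fragment whose byte range overlaps one already accepted.
    """
    findings: List[str] = []
    accepted: List[Tuple[int, int]] = []        # (start, end) byte ranges seen
    for f in sorted(frags, key=lambda x: x.offset):
        start = f.offset * 8
        end = start + f.payload_len
        if f.more and f.payload_len % 8:
            findings.append(f"malformed: non-final fragment at {start} is not a multiple of 8 bytes")
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            findings.append(f"ping-of-death: fragment ends at byte {end}, datagram would exceed {MAX_DATAGRAM}")
        if any(start < e and end > s for s, e in accepted):
            findings.append(f"teardrop: fragment {start}-{end} overlaps an earlier fragment")
        accepted.append((start, end))
    return findings


def scan(fragments: List[Fragment]) -> Dict[int, List[str]]:
    """Group a stream of fragments by Identification and check each datagram."""
    by_id: Dict[int, List[Fragment]] = defaultdict(list)
    for f in fragments:
        by_id[f.ident].append(f)
    return {ident: check_datagram(fs) for ident, fs in by_id.items()}


# Constructed fragment streams (not captures from the deck).
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 20, False)]         # 1500-byte datagram
PING_OF_DEATH = [Fragment(2, 0, 1480, True), Fragment(2, 8189, 1480, False)]  # ends at 66,992
TEARDROP = [Fragment(3, 0, 1480, True), Fragment(3, 100, 400, False)]       # 800-1200 inside 0-1480

if __name__ == "__main__":
    for ident, findings in scan(NORMAL + PING_OF_DEATH + TEARDROP).items():
        print(ident, findings or "ok")
```

A real filter has to apply the same checks per source and with a timeout, since an attacker can spread the offending fragments over time; the arithmetic, offset times eight plus payload length against the 65,535-byte limit and against earlier ranges, is the same.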
Land Attack
• A LAND (local area network denial) attack is a DoS (denial of service) attack that consists of sending a special poison spoofed packet to a computer.
• A vulnerable machine will crash or freeze due to the packet being repeatedly processed by the TCP stack.
Echo/Chargen Attack
• The CHARGEN protocol, also known as the Character Generator Protocol, is a network service defined in 1983. ... The attack itself is rather simple: the attacker has their botnet send tens of thousands of CHARGEN requests to one or more publicly accessible systems offering the CHARGEN service.
MyDoom
• Virus/worm that repeatedly mailed itself to all entries in a victim's address book each time the e-mail was opened.
• A logic bomb then caused all these hosts to attack www.sco.com at a predetermined time.
Slammer
• Fastest-spreading worm ever.
• Scanned for MS SQL Server Desktop Engine.
• Then exploited a commonly known flaw in that system.
• It was particularly vicious because it spread without human intervention.
• Its destruction could have been avoided; the patch for this flaw was released weeks before the attack.
netstat (network statistics)
In computing, netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network
AV Signature
A unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code.
References and Credits
• Computer Security Fundamentals, by Chuck Easttom, © 2016 Pearson, Inc.
• https://ctovision.com
• https://continuinged.uml.edu/degrees/grad/online-master-security-studies-cyber-security-degree.cfm
• https://www.directcannabisnetwork.com/importance-cybersecurity-businesses/
• https://en.wikipedia.org/wiki/Computer_security
• https://www.discover.neustar/resources-whitepapers-cyber-threats-report-q1-2019-ppc.html?utm_campaign=ss-ddos-gen&utm_source=google&utm_medium=cpc&utm_term=cybersecurity&utm_content=ss-wpr-cyber-threats-report-q1-2019-ppc&utm_adgroup=&gclid=Cj0KCQjwgLLoBRDyARIsACRAZe7rWhCbj7IcIAkCfhQDZhNnTJrOFuKb261fn0bFXhamKwrQ-8QosLEaApzzEALw_wcB
• https://www.ibm.com/security?cm_mmc=Search_Google-_-Security_Security+Brand+and+Outcomes-_-WW_NA-_-cybersecurity_e&cm_mmca1=000034XK&cm_mmca2=10009814&cm_mmca7=9000481&cm_mmca8=kwd-313645027&cm_mmca9=_k_Cj0KCQjwgLLoBRDyARIsACRAZe7r4XWThBnSeBf1piWQ7G-JvEXKwXFRyVIra5JrVQjDGvXpdN7dERIaAuzUEALw_wcB_k_&cm_mmca10=343744153621&cm_mmca11=e&gclid=Cj0KCQjwgLLoBRDyARIsACRAZe7r4XWThBnSeBf1piWQ7G-JvEXKwXFRyVIra5JrVQjDGvXpdN7dERIaAuzUEALw_wcB
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddoskalyan kumar
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSIJNSA Journal
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
Aleksei zaitchenkov slides about DOS Attacks
Aleksei zaitchenkov slides about DOS AttacksAleksei zaitchenkov slides about DOS Attacks
Aleksei zaitchenkov slides about DOS AttacksDipesh Karade
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideImperva
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)Wail Hassan
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designperfetbyedshareen
 

Similar to Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi (20)

The Principles of Modern Attacks Analysis for Penetration Tester
The Principles of Modern Attacks Analysis for Penetration TesterThe Principles of Modern Attacks Analysis for Penetration Tester
The Principles of Modern Attacks Analysis for Penetration Tester
 
Whitepaper on DDoS Mitigation
Whitepaper on DDoS MitigationWhitepaper on DDoS Mitigation
Whitepaper on DDoS Mitigation
 
nitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdfnitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdf
 
A041201010
A041201010A041201010
A041201010
 
An Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation
An Ultimate Guide to DDos Attacks: Detection, Prevention and MitigationAn Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation
An Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddos
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
Denial of service
Denial of serviceDenial of service
Denial of service
 
Aleksei zaitchenkov slides about DOS Attacks
Aleksei zaitchenkov slides about DOS AttacksAleksei zaitchenkov slides about DOS Attacks
Aleksei zaitchenkov slides about DOS Attacks
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete Guide
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)
 
Denial of service
Denial of serviceDenial of service
Denial of service
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive design
 
L1803046876
L1803046876L1803046876
L1803046876
 
Cyber Security Terms
Cyber Security TermsCyber Security Terms
Cyber Security Terms
 

More from Professor Lili Saghafi

Artificial Intelligence and the importance of Data, By : Prof. Lili Saghafi
Artificial Intelligence and the importance of Data,  By : Prof. Lili SaghafiArtificial Intelligence and the importance of Data,  By : Prof. Lili Saghafi
Artificial Intelligence and the importance of Data, By : Prof. Lili SaghafiProfessor Lili Saghafi
 
Introduction to Quantum Computing Lecture 1: Fundamentals
Introduction to Quantum Computing Lecture 1: FundamentalsIntroduction to Quantum Computing Lecture 1: Fundamentals
Introduction to Quantum Computing Lecture 1: FundamentalsProfessor Lili Saghafi
 
Software Engineering_Agile Software Development By: Professor Lili Saghafi
Software Engineering_Agile Software Development By: Professor Lili SaghafiSoftware Engineering_Agile Software Development By: Professor Lili Saghafi
Software Engineering_Agile Software Development By: Professor Lili SaghafiProfessor Lili Saghafi
 
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili Saghafi
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili SaghafiQuantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili Saghafi
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili SaghafiProfessor Lili Saghafi
 
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi Professor Lili Saghafi
 
Introduction to blockchain lesson 2 By: Professor Lili Saghafi
Introduction to blockchain lesson 2 By: Professor Lili SaghafiIntroduction to blockchain lesson 2 By: Professor Lili Saghafi
Introduction to blockchain lesson 2 By: Professor Lili SaghafiProfessor Lili Saghafi
 
Introduction to Blockchain Technology By Professor Lili Saghafi
Introduction to Blockchain Technology By Professor Lili SaghafiIntroduction to Blockchain Technology By Professor Lili Saghafi
Introduction to Blockchain Technology By Professor Lili SaghafiProfessor Lili Saghafi
 
Cyber Security and Post Quantum Cryptography By: Professor Lili Saghafi
Cyber Security and Post Quantum Cryptography By: Professor Lili SaghafiCyber Security and Post Quantum Cryptography By: Professor Lili Saghafi
Cyber Security and Post Quantum Cryptography By: Professor Lili SaghafiProfessor Lili Saghafi
 
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...Professor Lili Saghafi
 
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...Machine learning by using python lesson 2 Neural Networks By Professor Lili S...
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...Professor Lili Saghafi
 
Machine learning by using python Lesson One Part 2 By Professor Lili Saghafi
Machine learning by using python Lesson One Part 2 By Professor Lili SaghafiMachine learning by using python Lesson One Part 2 By Professor Lili Saghafi
Machine learning by using python Lesson One Part 2 By Professor Lili SaghafiProfessor Lili Saghafi
 
Machine learning by using python By: Professor Lili Saghafi
Machine learning by using python By: Professor Lili SaghafiMachine learning by using python By: Professor Lili Saghafi
Machine learning by using python By: Professor Lili SaghafiProfessor Lili Saghafi
 
What is digital humanities ,By: Professor Lili Saghafi
What is digital humanities ,By: Professor Lili SaghafiWhat is digital humanities ,By: Professor Lili Saghafi
What is digital humanities ,By: Professor Lili SaghafiProfessor Lili Saghafi
 
Effective Algorithm for n Fibonacci Number By: Professor Lili Saghafi
Effective Algorithm for n Fibonacci Number By: Professor Lili SaghafiEffective Algorithm for n Fibonacci Number By: Professor Lili Saghafi
Effective Algorithm for n Fibonacci Number By: Professor Lili SaghafiProfessor Lili Saghafi
 
Data Science unit 2 By: Professor Lili Saghafi
Data Science unit 2 By: Professor Lili SaghafiData Science unit 2 By: Professor Lili Saghafi
Data Science unit 2 By: Professor Lili SaghafiProfessor Lili Saghafi
 
Data science unit 1 By: Professor Lili Saghafi
Data science unit 1 By: Professor Lili Saghafi Data science unit 1 By: Professor Lili Saghafi
Data science unit 1 By: Professor Lili Saghafi Professor Lili Saghafi
 
Data Scientist By: Professor Lili Saghafi
Data Scientist By: Professor Lili SaghafiData Scientist By: Professor Lili Saghafi
Data Scientist By: Professor Lili SaghafiProfessor Lili Saghafi
 
New Assessments in Higher Education with Computers by: Prof Lili Saghafi
New Assessments in Higher Education with Computers by: Prof Lili Saghafi New Assessments in Higher Education with Computers by: Prof Lili Saghafi
New Assessments in Higher Education with Computers by: Prof Lili Saghafi Professor Lili Saghafi
 

More from Professor Lili Saghafi (20)

Artificial Intelligence and the importance of Data, By : Prof. Lili Saghafi
Artificial Intelligence and the importance of Data,  By : Prof. Lili SaghafiArtificial Intelligence and the importance of Data,  By : Prof. Lili Saghafi
Artificial Intelligence and the importance of Data, By : Prof. Lili Saghafi
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineering
 
Ai
AiAi
Ai
 
Introduction to Quantum Computing Lecture 1: Fundamentals
Introduction to Quantum Computing Lecture 1: FundamentalsIntroduction to Quantum Computing Lecture 1: Fundamentals
Introduction to Quantum Computing Lecture 1: Fundamentals
 
Software Engineering_Agile Software Development By: Professor Lili Saghafi
Software Engineering_Agile Software Development By: Professor Lili SaghafiSoftware Engineering_Agile Software Development By: Professor Lili Saghafi
Software Engineering_Agile Software Development By: Professor Lili Saghafi
 
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili Saghafi
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili SaghafiQuantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili Saghafi
Quantum Computing Quantum Internet 2020_unit 1 By: Prof. Lili Saghafi
 
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi
Programming Languages Categories / Programming Paradigm By: Prof. Lili Saghafi
 
Introduction to blockchain lesson 2 By: Professor Lili Saghafi
Introduction to blockchain lesson 2 By: Professor Lili SaghafiIntroduction to blockchain lesson 2 By: Professor Lili Saghafi
Introduction to blockchain lesson 2 By: Professor Lili Saghafi
 
Introduction to Blockchain Technology By Professor Lili Saghafi
Introduction to Blockchain Technology By Professor Lili SaghafiIntroduction to Blockchain Technology By Professor Lili Saghafi
Introduction to Blockchain Technology By Professor Lili Saghafi
 
Cyber Security and Post Quantum Cryptography By: Professor Lili Saghafi
Cyber Security and Post Quantum Cryptography By: Professor Lili SaghafiCyber Security and Post Quantum Cryptography By: Professor Lili Saghafi
Cyber Security and Post Quantum Cryptography By: Professor Lili Saghafi
 
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...
Machine learning by using python lesson 3 Confusion Matrix By : Professor Lil...
 
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...Machine learning by using python lesson 2 Neural Networks By Professor Lili S...
Machine learning by using python lesson 2 Neural Networks By Professor Lili S...
 
Machine learning by using python Lesson One Part 2 By Professor Lili Saghafi
Machine learning by using python Lesson One Part 2 By Professor Lili SaghafiMachine learning by using python Lesson One Part 2 By Professor Lili Saghafi
Machine learning by using python Lesson One Part 2 By Professor Lili Saghafi
 
Machine learning by using python By: Professor Lili Saghafi
Machine learning by using python By: Professor Lili SaghafiMachine learning by using python By: Professor Lili Saghafi
Machine learning by using python By: Professor Lili Saghafi
 
What is digital humanities ,By: Professor Lili Saghafi
What is digital humanities ,By: Professor Lili SaghafiWhat is digital humanities ,By: Professor Lili Saghafi
What is digital humanities ,By: Professor Lili Saghafi
 
Effective Algorithm for n Fibonacci Number By: Professor Lili Saghafi
Effective Algorithm for n Fibonacci Number By: Professor Lili SaghafiEffective Algorithm for n Fibonacci Number By: Professor Lili Saghafi
Effective Algorithm for n Fibonacci Number By: Professor Lili Saghafi
 
Data Science unit 2 By: Professor Lili Saghafi
Data Science unit 2 By: Professor Lili SaghafiData Science unit 2 By: Professor Lili Saghafi
Data Science unit 2 By: Professor Lili Saghafi
 
Data science unit 1 By: Professor Lili Saghafi
Data science unit 1 By: Professor Lili Saghafi Data science unit 1 By: Professor Lili Saghafi
Data science unit 1 By: Professor Lili Saghafi
 
Data Scientist By: Professor Lili Saghafi
Data Scientist By: Professor Lili SaghafiData Scientist By: Professor Lili Saghafi
Data Scientist By: Professor Lili Saghafi
 
New Assessments in Higher Education with Computers by: Prof Lili Saghafi
New Assessments in Higher Education with Computers by: Prof Lili Saghafi New Assessments in Higher Education with Computers by: Prof Lili Saghafi
New Assessments in Higher Education with Computers by: Prof Lili Saghafi
 

Recently uploaded

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Recently uploaded (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi

9
Base of the attack
• Computers have physical limitations: number of users, size of files, speed of transmission, amount of data stored.
• Exceed any of these limits and the computer will cease to respond.
• Only so many cars can go on the highway. If more are allowed, then the safety, speed, and other qualities of highway traffic suffer.
10
• Experiencing a distributed denial-of-service (DDoS) attack is like having your home flood. ...
• When a DDoS attack hits your network, a long time can pass before the security/network staff fully realize it is actually a DDoS attack that is affecting the services, and not a failing server or application.
number of machines to attack the target.
11
GitHub (February, 2018)
• A popular online code management service used by millions of developers, GitHub is used to high traffic and usage.
• What it wasn’t prepared for was the record-breaking 1.3 Tbps of traffic that flooded its servers with 126.9 million packets of data each second.
• The attack was the biggest recorded DDoS attack, but amazingly the onslaught only took GitHub’s systems down for about 20 minutes.
• This was largely because GitHub used a DDoS mitigation service that detected the attack and quickly took steps to minimize the impact.
12
A data tsunami, March 2018: the distributed denial-of-service (DDoS) attack on GitHub had been measured at a record-breaking peak of 1.35 terabits per second.
13
14
A VARIETY OF DDoS ATTACKS
• Volume-based attack: massive amounts of bogus/fake traffic.
• Protocol attack: large numbers of Internet Control Message Protocol (ICMP) packets.
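As an added example (not from the slides), the two categories on this slide applied to constructed flow records: a small classifier that separates a bandwidth-driven volume flood from a packet-driven ICMP protocol flood and notes when the traffic comes from many sources. The record format, the 10-second window and all thresholds are assumptions for illustration.

```python
# Added example (not from the slides): classify a window of constructed flow
# records as normal, a volume-based flood or an ICMP protocol flood. The
# record format, window length and thresholds are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record for the window (assumed export format)."""
    src: str       # source address as seen on the wire (may be spoofed)
    proto: str     # "TCP", "UDP" or "ICMP"
    packets: int
    nbytes: int


WINDOW_SECONDS = 10                 # assumed collection window
VOLUME_BPS_THRESHOLD = 100_000_000  # 100 Mbit/s of aggregate traffic
ICMP_PPS_THRESHOLD = 10_000         # ICMP packets per second
ICMP_SHARE_THRESHOLD = 0.5          # ICMP fraction of all packets
DISTRIBUTED_SOURCES = 10            # this many distinct sources suggests DDoS


def summarize(flows: List[Flow]) -> Dict[str, float]:
    """Aggregate rates for one window: bit rate, packet rates, ICMP share, source count."""
    pkts_by_proto: Counter = Counter()
    total_bytes = 0
    for f in flows:
        pkts_by_proto[f.proto] += f.packets
        total_bytes += f.nbytes
    total_pkts = sum(pkts_by_proto.values())
    icmp_pkts = pkts_by_proto["ICMP"]
    return {
        "bps": total_bytes * 8 / WINDOW_SECONDS,
        "pps": total_pkts / WINDOW_SECONDS,
        "icmp_pps": icmp_pkts / WINDOW_SECONDS,
        "icmp_share": icmp_pkts / total_pkts if total_pkts else 0.0,
        "sources": len({f.src for f in flows}),
    }


def classify(flows: List[Flow]) -> str:
    """Map a window to one of the slide's categories.

    The ICMP test runs first: a protocol flood is identified by what the
    packets are, not by how many bits they carry, so a low-bandwidth ICMP
    flood must not be mistaken for (or hidden behind) a volume figure.
    """
    s = summarize(flows)
    distributed = s["sources"] >= DISTRIBUTED_SOURCES
    if s["icmp_pps"] >= ICMP_PPS_THRESHOLD and s["icmp_share"] >= ICMP_SHARE_THRESHOLD:
        kind = "protocol-flood-icmp"
    elif s["bps"] >= VOLUME_BPS_THRESHOLD:
        kind = "volume-flood"
    else:
        return "normal"
    return kind + ("-distributed" if distributed else "")


# Constructed sample windows (not real captures).
NORMAL_WINDOW = [
    Flow("10.0.0.5", "TCP", 120, 96_000),
    Flow("10.0.0.9", "UDP", 40, 12_000),
    Flow("10.0.0.7", "ICMP", 4, 256),
]
# 40 sources each sending 25 MB of UDP in 10 s: bogus volume from many hosts.
VOLUME_WINDOW = [Flow(f"198.51.100.{i}", "UDP", 20_000, 25_000_000) for i in range(1, 41)]
# 20 sources each sending 15,000 small ICMP packets: little bandwidth, many packets.
ICMP_WINDOW = [Flow(f"203.0.113.{i}", "ICMP", 15_000, 1_200_000) for i in range(1, 21)]
# One host sending heavy ICMP: a protocol flood, but not distributed.
SINGLE_ICMP_WINDOW = [Flow("192.0.2.1", "ICMP", 150_000, 12_000_000)]

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW), ("volume", VOLUME_WINDOW),
                         ("icmp", ICMP_WINDOW), ("single icmp", SINGLE_ICMP_WINDOW)]:
        print(f"{name:12s} -> {classify(window)}  {summarize(window)}")
```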
15
Dyn (October, 2016)
• As a major DNS provider (Domain Name Servers (DNS) are the Internet's equivalent of a phone book), Dyn was crucial to the network infrastructure of several major companies, including Netflix, PayPal, Visa, Amazon, and The New York Times.
• The attack used a malware called Mirai, which turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks.
• It primarily targets online consumer devices such as IP cameras and home routers.
• Unidentified hackers created a massive botnet incorporating internet of things (IoT) devices to launch what was at the time the largest recorded DDoS attack.
16
DOS attack tools
• LOIC (Low Orbit Ion Cannon) is an open-source network stress testing and denial-of-service attack application, written in C#. It is one of the most powerful DOS attacking tools freely available.
• Open-source application developed by Praetox Technologies, used for network stress testing as well as denial of service (DoS) and distributed denial of service (DDoS) attacks.
• Downloading and using the LOIC on your own personal servers as a means of stress-testing is perfectly legal; using the program to perform a DDoS attack on someone else could be considered a felony under the Computer Fraud and Abuse Act of 1986.
• GUI, easy to use.
  • 17. 1717 DOS attack tools •XOIC, is also a strong tool for DOS attacks and is very similar to the LOIC tool. •XOIC comes with a few different modes. •These modes include the test mode and a normal DoS attack mode. •It performs a DOS attack on any server with an IP address, a user- selected port, and a user-selected protocol . •The last DoS tool is called the HULK. GUI Easy to use
  • 18. 1818 DOS attack tools Common Tools Used for DoS TFN and TFN2K ( TFN and TFN2K are not viruses, but attack tools that can be used to perform a distributed DoS attack. ) Can perform various protocol floods. Master controls agents. Agents flood designated targets. Communications are encrypted. Communications can be hidden in traffic. Master can spoof its IP.
  • 19. 1919 DDOS attack tools Common Tools Used for DoS Stacheldracht (Stacheldraht (German for "barbed wire") is malware written by Mixter for Linux and Solaris systems which acts as a distributed denial-of-service (DDoS) agent. This tool detects and automatically enables source address forgery.) stacheldraht trojan horse agent allows attack-by-proxy Combines Trinoo with TFN Detects source address forgery Performs a variety of attacks proxy server A machine or software that hides all internal network IP addresses from the outside world. It provides a point of contact between a private network and the Internet.
  • 20. 20© 2016 Pearson, Inc. Chapter 4 Denial of Service Attacks 20 Stacheldracht on the Symantec site
  • 21. 2121 DoS Weaknesses Hacker must successfully spoof (imitate) the source IP. In a DDoS, as soon as victims’ machines are disinfected, the attack stops. In a single attack, the hacker’s own machine is at risk of discovery. The flood must be sustained.( continued for a period)
• 24. 24 This is a URL redirection attack • A URL redirection attack is a kind of vulnerability that redirects you to another page outside the original website when a link is accessed, usually combined with a phishing attack. For example, http://www.example.com/login.php?redirect=http://www.examp1e.com/home.php, which on clicking will bring you to http://www.examp1e.com/home.php. • This page could lead to a malicious page that resembles the original and tries to trick the user into giving their credentials. • Notice the “l” and “1”, which can catch some unwary users off guard.
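A server-side check for the redirect parameter shown above, as an added example that is not from the original slides; the allow-list ALLOWED_HOSTS, the fallback DEFAULT_TARGET and the login_redirect helper are constructed assumptions:

```python
from urllib.parse import urlparse

# Constructed allow-list for this example: the only hosts a login redirect may land on.
ALLOWED_HOSTS = {"www.example.com"}
DEFAULT_TARGET = "/home.php"   # constructed fallback used whenever the parameter is rejected


def safe_redirect_target(redirect_param):
    """Return the redirect target if it stays on an allowed host, else DEFAULT_TARGET.

    The comparison is on the parsed hostname, so a look-alike such as
    'www.examp1e.com' (digit one for letter l) is rejected rather than
    string-matched against 'example.com'.
    """
    if not redirect_param:
        return DEFAULT_TARGET
    parsed = urlparse(redirect_param.strip())

    if parsed.netloc:
        # Absolute ("http://host/...") or scheme-relative ("//host/...") URL.
        if parsed.scheme not in ("", "http", "https"):
            return DEFAULT_TARGET
        if parsed.hostname is None or parsed.hostname.lower() not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return redirect_param

    # No host part: only accept a plain site-relative path. Any scheme here
    # (a non-HTTP URL scheme) or a backslash, which browsers treat like a
    # slash, is refused.
    if parsed.scheme or "\\" in redirect_param:
        return DEFAULT_TARGET
    if not parsed.path.startswith("/"):
        return DEFAULT_TARGET
    return redirect_param


def login_redirect(query_params):
    """Simulate login.php: read ?redirect= from a query dict and choose where to send the user."""
    return safe_redirect_target(query_params.get("redirect", ""))
```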
• 25. 25 Category 2 attack • Aug 6, 2009: Twitter crippled by denial-of-service attack. Twitter was inaccessible for several hours on Thursday morning, followed by a period of slowness and sporadic time-outs (and more outright downtime). The company blamed an "ongoing" denial-of-service attack. • Facebook has also confirmed that it was targeted by a DoS attack that rendered some of its features slow or non-functional.
• 26. 26 How it works: a hacker can close an open port and deny access to the database.
• 27. 27 How bad is it? • DDoS attacks cost banks up to $100,000 per hour. • 20% of such attacks last for days and even months. • 87% of the attacked companies were hit more than once.
• 28. 28 Destruction: a hacker can delete files and cause a RESOURCE NOT FOUND error.
• 29. 29 Destruction: if the application is vulnerable to an injection attack, then a hacker can delete a table from the database and cause a DOS attack.
• 30. 30 What to defend? • DDoS attacks are increasing in volume, frequency, and sophistication, and they are targeting every level in the data center. • Although DDoS attacks declined slightly in 2018, the first quarter of 2019 saw an 84 percent increase over the previous year. • Smart organizations are moving to defend not only their network, session, and application layers, but also their business logic and database tiers.
• 31. 31 Repeatedly requesting access to a resource, for example by repeatedly reloading the page, can cause a DOS attack.
• 32. 32 Example of an exhaustion attack type • SYN flood attack: in this type of attack numerous SYN packets are sent to an open TCP port. • If many SYN packets are received and fail to complete the three-way handshake, the amount of memory consumed increases.
• 33. 33 Botnets: collections of networked malware-infected systems • DDoS attackers rely on botnets, collections of networked malware-infected systems that are centrally controlled. • These infected endpoints are usually computers and servers, but are increasingly IoT and mobile devices. • The attackers harvest these systems by identifying vulnerable systems that they can infect through phishing attacks, malvertising attacks and other mass infection techniques. • Attackers will also rent these botnets from those who built them.
• 35. 35 Botnets can be mitigated by: • RFC 3704 filtering, which will deny traffic from spoofed addresses and help ensure that traffic is traceable to its correct source network. For example, RFC 3704 filtering will drop packets from bogon list addresses. • Black hole filtering, which drops undesirable traffic before it enters a protected network. When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send routing updates to ISP routers so that they route all traffic heading to victim servers to a null0 interface at the next hop.
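Both mitigations modelled in code, as an added example that is not part of the original slides: a per-interface RFC 3704 source check with a bogon list, plus a remotely triggered black hole that discards traffic for a victim prefix. The interface names, prefixes, the short bogon list and the packet records are constructed.

```python
import ipaddress

# Constructed, deliberately short bogon list: prefixes that must never appear as a
# source address arriving from the Internet (private, loopback, link-local, multicast...).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class EdgeRouter:
    """Models an ISP edge. Each ingress interface may originate only the prefixes
    assigned to it (RFC 3704 strict mode); the black hole list models the null0
    route installed for a victim once an attack is detected."""

    def __init__(self, interfaces):
        # interfaces: {"ifname": ["prefix/len", ...]}
        self.allowed = {name: [ipaddress.ip_network(p) for p in prefixes]
                        for name, prefixes in interfaces.items()}
        self.blackholed = []
        self.counters = {"accept": 0, "bogon": 0, "spoofed": 0, "blackhole": 0}

    def blackhole(self, victim_prefix):
        """Equivalent of the BGP update that points the victim prefix at null0."""
        self.blackholed.append(ipaddress.ip_network(victim_prefix))

    def forward(self, ifname, src, dst):
        """Return the verdict for one packet: 'accept' or the reason it was dropped."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(src_ip in n for n in BOGONS):
            verdict = "bogon"
        elif not any(src_ip in n for n in self.allowed.get(ifname, [])):
            verdict = "spoofed"        # source is not routable back via this interface
        elif any(dst_ip in n for n in self.blackholed):
            verdict = "blackhole"      # victim traffic discarded at the edge, good and bad alike
        else:
            verdict = "accept"
        self.counters[verdict] += 1
        return verdict


def run_sample():
    """Constructed packets through a two-customer edge; returns the verdict list."""
    edge = EdgeRouter({"cust-a": ["203.0.113.0/24"], "cust-b": ["198.51.100.0/24"]})
    packets = [
        ("cust-a", "203.0.113.7", "192.0.2.10"),    # legitimate customer A traffic
        ("cust-a", "198.51.100.9", "192.0.2.10"),   # customer A spoofing customer B's space
        ("cust-a", "10.1.2.3", "192.0.2.10"),       # private source: bogon
        ("cust-b", "198.51.100.9", "192.0.2.10"),   # legitimate customer B traffic
    ]
    verdicts = [edge.forward(*p) for p in packets]
    edge.blackhole("192.0.2.10/32")                 # attack on 192.0.2.10 detected
    verdicts.append(edge.forward("cust-a", "203.0.113.7", "192.0.2.10"))  # now dropped
    verdicts.append(edge.forward("cust-a", "203.0.113.7", "192.0.2.11"))  # neighbour unaffected
    return verdicts
```

The last two verdicts show the trade-off of black holing: the victim's legitimate traffic is discarded along with the flood, while the rest of the prefix keeps working.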
• 36. 36 Feb 2019 • Microsoft published a security advisory on its Security Response Center which discloses that Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DOS) attacks. • More precisely, all IIS servers running Windows Server 2016, Windows Server version 1709, Windows Server version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue. • The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a remote attacker to trigger a DoS condition by taking advantage of an IIS resource exhaustion bug that "could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS."
• 37. 37 (DDoS) attack real-life example • In early 2000, Canadian high school student Michael Calce, a.k.a. MafiaBoy, whacked Yahoo! with a distributed denial of service (DDoS) attack that managed to shut down one of the leading web powerhouses of the time. • Over the course of the week that followed, Calce took aim at, and successfully disrupted, other sites such as Amazon, CNN and eBay. Damage was more than a billion dollars. • The fact that the largest website in the world could be rendered inaccessible by a 15-year-old created widespread concern: “An Electronic Pearl Harbor waiting to happen”.
• 38. Point of entrance: OSI Model layers
• 39. 39 OSI Model (Open Systems Interconnection model) • A conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.
• 40. 40 Kinds of attack traffic: protocol floods (TFN and TFN2K); massive amounts of fake traffic to take down a resource such as a website or server, including ICMP, UDP, and spoofed-packet flood attacks; flooding applications with maliciously crafted requests; flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
  • 41. 41 DDoS attacks target many layers of the OSI network model.
• 42. 42 Three primary classes of DDoS attacks 1. Those that use massive amounts of bogus/fake traffic to take down a resource such as a website or server, including ICMP (Internet Control Message Protocol), UDP, and spoofed-packet flood attacks. UDP (User Datagram Protocol) is an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss-tolerating connections between applications on the internet.
  • 43. 43 Today's attacks are moving up the OSI stack.
• 44. 44 Three primary classes of DDoS attacks 2. Another class of DDoS attack uses packets to target the network infrastructure and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others. For example, the Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
  • 45. 45 Network attacks target layers 2 through 4.
• 46. 46 Three primary classes of DDoS attacks 3. Some DDoS attacks target an organization’s application layer and are conducted by flooding applications with maliciously crafted requests. The goal is always the same: make online resources sluggish or completely unresponsive.
  • 47. 47 Session attacks typically defeat conventional firewalls.
  • 48. 48 Application attacks are the most widespread today.
  • 49. 49 Application attacks are the most widespread today. • An application attack is different from a network attack in that it is specific to the application being targeted. • Whereas a SYN flood can be launched against an IP address, an application attack will usually exploit properties specific to the victim, such as the repeated downloading of a single PDF file on the website. • To lower-level security devices such as firewalls, the attack connections are indistinguishable from normal traffic.
• 51. 51 How does the Low Orbit Ion Cannon work? • It works by flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting service. • One attacker using LOIC can't generate enough junk traffic to make a serious impact on a target; serious attacks require thousands of users to coordinate a simultaneous attack on the same target.
• 53. 53 DYN • In October 2016, internet infrastructure services provider Dyn DNS (now Oracle Dyn) was struck by a wave of DNS queries from tens of millions of IP addresses. • That attack, executed through the Mirai botnet, reportedly infected over 100,000 IoT devices, including IP cameras and printers. • At its peak, Mirai reached 400,000 bots. Services including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter were disrupted.
• 54. 54 A data tsunami, March 2018: the distributed denial-of-service (DDoS) attack on GitHub had been measured at a record-breaking peak of 1.35 terabits per second.
• 55. 55 GitHub • In early 2018 a new DDoS technique began to emerge. On February 28, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site. • Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying, as it outpaced the Dyn attack, which had peaked at 1.2 TB a second.
• 56. 56 Mirai botnet Unlike the Mirai botnet, which required malware to infest thousands of IoT devices, the GitHub attack exploited servers running the Memcached memory caching system, which can return very large chunks of data in response to simple requests.
• 57. 57 Mirai botnet The Mirai botnet was significant in that, unlike most DDoS attacks, it leveraged vulnerable IoT devices rather than PCs and servers. It’s especially scary when one considers that by 2020, according to BI Intelligence, there will be 34 billion internet-connected devices, and the majority (24 billion) will be IoT devices.
• 58. 58 Torii • Torii is capable of taking over a range of IoT devices and is considered more persistent and dangerous than Mirai. • DemonBot hijacks Hadoop clusters, which gives it access to more computing power.
• 60. 60 DoS Attacks: TCP SYN flood attack. In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address. The hacker sends out a SYN packet. (SYN scanning is also known as half-open scanning: in SYN scanning, the hostile client attempts to set up a TCP/IP connection with a server at every possible port. ... If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open.) The receiver must hold space in a buffer; bogus SYNs overflow the buffer. SYN flood attacks work by exploiting the handshake process of a TCP connection.
• 61. 61 DoS Attacks (cont.)
• 62. 62 Methods of prevention of TCP SYN flood attack (protocol attacks): SYN cookies. Initially no buffer is created. The client response is verified using a cookie. Only then is the buffer created. Resource-intensive.
• 63. 63 Methods of prevention of TCP SYN flood attack (protocol attacks): RST cookies. Sends a false SYN-ACK back; should receive an RST in reply; verifies that the host is legitimate. Not compatible with Windows 95.
• 64. 64 Methods of prevention of TCP SYN flood attack (protocol attacks): stack tweaking. A complex method that alters the TCP stack; makes the attack difficult but not impossible.
• 65. 65 Corrective measures: place servers behind a firewall configured to stop inbound SYN packets. Increase the size of the connection queue and decrease the timeout on open connections.
• 66. 66 Smurf IP attack (protocol attacks, DoS and DDoS attacks). The hacker sends out an ICMP broadcast with a spoofed source IP. Intermediaries respond with replies. ICMP echo replies flood the victim. The network performs a DDoS on itself.
• 67. 67 CERT listing on Smurf attacks (DoS Attacks, cont.)
• 68. 68 Methods of prevention: Smurf IP attack (protocol attacks) • To protect your devices from this attack, you need to disable IP-directed broadcasts at the routers. • This will prevent the ICMP echo broadcast request at the network devices. • Another option would be to configure the end systems to keep them from responding to ICMP packets addressed to broadcast addresses.
• 69. 69 Methods of prevention: Smurf IP attack (protocol attacks). Protection against Smurf attacks: guard against Trojans; have adequate AV software; utilize proxy servers; ensure routers don’t forward ICMP broadcasts.
• 70. 70 UDP flood attack (DoS and DDoS attacks). The hacker sends UDP packets to a random port, generating illegitimate UDP packets; this causes the system to tie up resources sending back packets.
• 71. 71 ICMP flood attack (DoS and DDoS attacks). Floods: broadcasts of pings or UDP packets. Nukes: exploit known bugs in operating systems.
• 72. 72 The Ping of Death (PoD) (DoS and DDoS attacks). Sending a single large packet. Most operating systems today avoid this vulnerability; still, keep the system patched.
• 73. 73 Methods of prevention: the Ping of Death (PoD) • Ping of Death attacks can be blocked by using a firewall that will check fragmented IP packets for maximum size.
• 74. 74 Teardrop attack (DoS and DDoS attacks). The hacker sends a fragmented message; the victim system attempts to reconstruct the message, which causes the system to halt or crash.
• 75. 75 Methods of prevention: Teardrop attack • If users don’t have patches to protect against this DoS attack, disable SMBv2 and block ports 139 and 445.
• 76. 76 Land attack (DoS and DDoS attacks). The simplest of all attacks: the hacker sends a packet with the same source and destination IP, and the system “hangs” attempting to send and receive the message.
• 77. 77 Echo/Chargen attack (DoS and DDoS attacks). The echo service sends back whatever it receives; Chargen is a character generator. Combined, huge amounts of data form an endless loop.
• 78. 78 Distributed Denial of Service (DDoS). Routers communicate on port 179. The hacker tricks routers into attacking the target; routers initiate a flood of connections with the target, and the target system becomes unreachable.
• 79. 79 Real-world examples. MyDoom: worked through e-mail. Slammer: spread without human intervention.
• 80. 80 7 best practices for preventing DDoS attacks • Develop a Denial of Service Response Plan. ... • Secure Your Network Infrastructure. ... • Practice Basic Network Security. ... • Maintain Strong Network Architecture. ... • Leverage the Cloud. ... • Understand the Warning Signs. ... • Consider DDoS-as-a-Service. The key benefit of this model is the ability to tailor the security architecture to the needs of a particular company, making high-level DDoS protection available to businesses of any size.
• 81. 81 How to defend against DoS attacks. In addition to the previously mentioned methods, configure your firewall to filter out incoming ICMP packets, egress-filter ICMP packets, and disallow any incoming traffic. Use tools such as NetStat and others.
• 82. 82 How to defend against DoS attacks (cont.). Disallow traffic not originating within the network. Disable all IP broadcasts. Filter for external and internal IP addresses. Keep AV signatures updated. Keep OS and software patches current. Have an Acceptable Use Policy.
• 83. 83 SYN cookies. A SYN cookie is a technique used to resist SYN flood attacks. The technique's primary inventor Daniel J. Bernstein defines SYN cookies as "particular choices of initial TCP sequence numbers by TCP servers." In particular, the use of SYN cookies allows a server to avoid dropping connections when the SYN queue fills up.
• 84. 84 TCP SYN flood attack. An attacker exploits the use of buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker’s device floods the target system’s small in-process queue with connection requests, but does not respond when the target system replies to those requests. This causes the target system to time out while waiting for the response from the attacker’s device, which makes the system crash or become unusable when the connection queue fills up.
• 85. 85 RST cookies • For the first request from a given client, the server intentionally sends an invalid SYN-ACK. • This should result in the client generating an RST packet, which tells the server something is wrong.
• 86. 86 Stack tweaking • Administrators can tweak TCP stacks to mitigate the effect of SYN floods. • This can involve either reducing the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections.
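The SYN flood and the SYN-cookie defence from slides 60 to 65 and 83 to 86, simulated end to end as an added example that is not from the slides or from any real TCP stack: a listener with a bounded half-open queue is flooded with spoofed SYNs that never complete the handshake, first stateful and then with cookies. The cookie layout follows Bernstein's description (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple); the secret, the backlog size, the fixed ISN and the addresses are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses random, periodically rotated secrets
MSS_TABLE = (536, 1300, 1440, 1460)   # the 3-bit MSS encoding carried inside the cookie
COOKIE_WINDOW = 2                     # accept the current and the previous counter value only


@dataclass(frozen=True)
class Syn:
    saddr: str
    daddr: str
    sport: int
    dport: int
    mss: int = 1460


def _mac24(syn, counter):
    """24-bit keyed hash over (client port, server port, counter, client addr, server addr)."""
    msg = struct.pack("!HHB", syn.sport, syn.dport, counter) + syn.saddr.encode() + b"|" + syn.daddr.encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(syn, counter):
    """Initial sequence number = 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= syn.mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(syn, counter & 0x1F)


def check_cookie(syn, cookie, now_counter):
    """Return the MSS encoded in a fresh, authentic cookie, or None."""
    t = (cookie >> 27) & 0x1F
    if (now_counter - t) & 0x1F >= COOKIE_WINDOW:
        return None                              # stale: replayed or too old
    expected = _mac24(syn, t).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                              # the ACK does not carry a cookie we issued for this 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


class Listener:
    """A listening socket with a bounded half-open queue, optionally using SYN cookies."""

    def __init__(self, backlog=128, syn_cookies=False):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}       # (saddr, sport) -> Syn: the buffer a flood exhausts
        self.established = set()
        self.counter = 0          # time counter; a real stack ticks it roughly once a minute

    def on_syn(self, syn):
        """Return the ISN to send in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return make_cookie(syn, self.counter)           # stateless: nothing is stored
        key = (syn.saddr, syn.sport)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            return None                                     # queue full: legitimate SYNs lost
        self.half_open[key] = syn
        return 0x1000                                       # constructed fixed ISN for the stateful path

    def on_ack(self, syn, ack_num):
        """Third handshake packet; True if the connection became established."""
        key = (syn.saddr, syn.sport)
        if self.syn_cookies:
            if check_cookie(syn, (ack_num - 1) & 0xFFFFFFFF, self.counter) is None:
                return False                                # forged or stale: no state to clean up
        elif key in self.half_open:
            del self.half_open[key]
        else:
            return False
        self.established.add(key)
        return True


def flood_then_connect(syn_cookies, spoofed=2000, backlog=128):
    """Spoofed SYNs that never complete the handshake, then one real client. Returns its outcome."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(spoofed):                                # constructed spoofed sources
        srv.on_syn(Syn(f"203.0.113.{i % 250}", "192.0.2.10", 1024 + i, 80))
    client = Syn("198.51.100.7", "192.0.2.10", 40000, 80)
    isn = srv.on_syn(client)
    return isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF)
```

On Linux the same mechanism is enabled with the net.ipv4.tcp_syncookies sysctl; the slow-ticking time counter that bounds a cookie's lifetime is abstracted here as `counter`.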
• 87. 87 Smurf IP attack • This attack involves using IP spoofing and ICMP to saturate a target network with traffic. • This attack method uses ICMP echo requests targeted at broadcast IP addresses. • These ICMP requests originate from a spoofed “victim” address. For instance, if the intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255.
• 88. 88 Smurf IP attack • This request would go to all IPs in the range, with all the responses going back to 10.0.0.10, overwhelming the network. This process is repeatable, and can be automated to generate huge amounts of network congestion.
• 89. 89 UDP flood attack • A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. • Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP).
• 90. 90 ICMP flood attack • A ping flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. • When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
• 91. 91 The Ping of Death (PoD) • This type of attack uses IP packets to ‘ping’ a target system with an IP size over the maximum of 65,535 bytes. • IP packets of this size are not allowed, so the attacker fragments the IP packet. Once the target system reassembles the packet, it can experience buffer overflows and other crashes.
• 92. 92 Teardrop attack • This attack causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host; the attacked system attempts to reconstruct packets during the process but fails. • The target system then becomes confused and crashes.
• 93. 93 Land attack • A LAND (local area network denial) attack is a DoS (denial of service) attack that consists of sending a special poison spoofed packet to a computer. • A vulnerable machine will crash or freeze due to the packet being repeatedly processed by the TCP stack.
• 94. 94 Echo/Chargen attack • The CHARGEN protocol, also known as the Character Generator Protocol, is a network service defined in 1983. ... The attack itself is rather simple: the attacker has their botnet send tens of thousands of CHARGEN requests to one or more publicly accessible systems offering the CHARGEN service.
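Signature and rate checks for the packet-level attacks on slides 66 to 78 and 87 to 94 (Smurf, UDP and ICMP floods, Ping of Death, Teardrop, LAND, Echo/Chargen), as an added example that is not from the original slides. It runs over constructed packet records rather than a real capture, and the burst thresholds UDP_PORT_BURST and ICMP_BURST are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float              # seconds
    src: str
    dst: str
    proto: str             # "tcp" | "udp" | "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1    # 8 = echo request
    ip_id: int = 0         # IP identification, shared by all fragments of one datagram
    frag_off: int = 0      # fragment offset in bytes (header field * 8)
    frag_len: int = 0      # payload bytes carried by this fragment
    more_frags: bool = False


MAX_DATAGRAM = 65535     # largest legal reassembled IP datagram
UDP_PORT_BURST = 50      # distinct destination ports from one source within one second (assumed)
ICMP_BURST = 100         # echo requests from one source within one second (assumed)


class Detector:
    def __init__(self, local_nets):
        self.broadcasts = {str(ipaddress.ip_network(n).broadcast_address) for n in local_nets}
        self.frags = defaultdict(list)      # (src, dst, ip_id) -> [(start, end)] seen so far
        self.udp_ports = defaultdict(set)   # (src, second) -> destination ports
        self.icmp_count = defaultdict(int)  # (src, second) -> echo requests

    def classify(self, p):
        """Labels matched by one packet (empty list when it looks benign)."""
        hits, sec = [], int(p.ts)
        if p.src == p.dst:
            hits.append("land")                               # same source and destination IP
        if p.proto == "icmp" and p.icmp_type == 8 and p.dst in self.broadcasts:
            hits.append("smurf")                              # echo request aimed at a broadcast address
        if p.frag_off + p.frag_len > MAX_DATAGRAM:
            hits.append("ping-of-death")                      # fragment extends past 65,535 bytes
        if p.frag_off or p.more_frags:
            key, start, end = (p.src, p.dst, p.ip_id), p.frag_off, p.frag_off + p.frag_len
            if any(start < e and s < end for s, e in self.frags[key]):
                hits.append("teardrop")                       # overlapping fragment offsets
            self.frags[key].append((start, end))
        if p.proto == "udp" and {p.sport, p.dport} == {7, 19}:
            hits.append("echo-chargen")                       # echo and chargen pointed at each other
        if p.proto == "udp":
            ports = self.udp_ports[(p.src, sec)]
            ports.add(p.dport)
            if len(ports) == UDP_PORT_BURST:
                hits.append("udp-flood")                      # reported once per source and second
        if p.proto == "icmp" and p.icmp_type == 8:
            self.icmp_count[(p.src, sec)] += 1
            if self.icmp_count[(p.src, sec)] == ICMP_BURST:
                hits.append("icmp-flood")
        return hits


def scan(packets, local_nets=("10.0.0.0/8",)):
    """Run every packet through one Detector; returns {label: number of packets flagged}."""
    det, counts = Detector(local_nets), defaultdict(int)
    for p in packets:
        for label in det.classify(p):
            counts[label] += 1
    return dict(counts)


# Constructed sample traffic toward the victim 10.0.0.10 used on the slides (not a real capture).
SAMPLE = [
    Pkt(0.0, "10.0.0.10", "10.255.255.255", "icmp", icmp_type=8),            # Smurf trigger
    Pkt(0.1, "10.0.0.10", "10.0.0.10", "tcp", sport=139, dport=139),          # LAND
    Pkt(0.2, "198.51.100.1", "10.0.0.10", "icmp", icmp_type=8, ip_id=7,
        frag_off=65520, frag_len=100),                                        # Ping of Death
    Pkt(0.3, "198.51.100.2", "10.0.0.10", "udp", ip_id=9, frag_len=1000, more_frags=True),
    Pkt(0.4, "198.51.100.2", "10.0.0.10", "udp", ip_id=9, frag_off=500, frag_len=1000),  # Teardrop
    Pkt(0.5, "198.51.100.3", "10.0.0.10", "udp", sport=19, dport=7),          # Echo/Chargen loop
] + [Pkt(1.0 + i / 1000, "198.51.100.4", "10.0.0.10", "udp", sport=5000, dport=1024 + i)
     for i in range(60)]                                                      # UDP port burst
```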
• 95. 95 MyDoom. A virus/worm that repeatedly mailed itself to all entries in a victim’s address book each time the e-mail was opened. A logic bomb then caused all these hosts to attack www.sco.com at a predetermined time.
• 96. 96 Slammer. The fastest-spreading worm ever. It scanned for MS SQL Server Desktop Engine, then exploited a commonly known flaw in that system. It was particularly vicious because it spread without human intervention. Its destruction could have been avoided; the patch for this flaw was released weeks before the attack.
• 97. 97 netstat (network statistics). In computing, netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network
• 98. 98 AV signature. A unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code.
• 99. 99 References and credits • Computer Security Fundamentals, by Chuck Easttom, © 2016 Pearson, Inc. • https://ctovision.com • https://continuinged.uml.edu/degrees/grad/online-master-security-studies-cyber-security-degree.cfm • https://www.directcannabisnetwork.com/importance-cybersecurity-businesses/ • https://en.wikipedia.org/wiki/Computer_security • https://www.discover.neustar/resources-whitepapers-cyber-threats-report-q1-2019-ppc.html?utm_campaign=ss-ddos-gen&utm_source=google&utm_medium=cpc&utm_term=cybersecurity&utm_content=ss-wpr-cyber-threats-report-q1-2019-ppc&utm_adgroup=&gclid=Cj0KCQjwgLLoBRDyARIsACRAZe7rWhCbj7IcIAkCfhQDZhNnTJrOFuKb261fn0bFXhamKwrQ-8QosLEaApzzEALw_wcB • https://www.ibm.com/security?cm_mmc=Search_Google-_-Security_Security+Brand+and+Outcomes-_-WW_NA-_-cybersecurity_e&cm_mmca1=000034XK&cm_mmca2=10009814&cm_mmca7=9000481&cm_mmca8=kwd-313645027&cm_mmca9=_k_Cj0KCQjwgLLoBRDyARIsACRAZe7r4XWThBnSeBf1piWQ7G-JvEXKwXFRyVIra5JrVQjDGvXpdN7dERIaAuzUEALw_wcB_k_&cm_mmca10=343744153621&cm_mmca11=e&gclid=Cj0KCQjwgLLoBRDyARIsACRAZe7r4XWThBnSeBf1piWQ7G-JvEXKwXFRyVIra5JrVQjDGvXpdN7dERIaAuzUEALw_wcB
• 100. Computer Security / Cyber security: DOS & DDOS Attacks. Presented by: Professor Lili Saghafi, proflilisaghafi@gmail.com, @Lili_PLS