File000144

Module XXXI – Investigating DoS
Attacks

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: AlertPay Brought Down
by DDOS Attack
Source: http://www.mxlogic.com/

EC-Council
News: UN Agency Investigates
Curbs on Internet Anonymity
Source: http://news.zdnet.co.uk

EC-Council
Module Objective
• DoS Attack
• Indications of a DoS/DDoS Attack
• Types of DoS attack
• DDoS attack
• Working of DDoS attack
• Classification of DDoS attack
• Detecting DoS attacks Using Cisco NetFlow
• Investigating DoS Attack
• Challenges in Investigating DoS attack
This module will familiarize you with:

EC-Council
Module Flow
Detecting DoS Attacks
Using Cisco NetFlow
Classification of
DDoS Attack
DoS Attack
Investigating
DoS Attack
Working of DDoS
Attack
Indications of a
DoS/DDoS Attack
Challenges in
Investigating
DoS Attack
DDoS Attack
Types of DoS Attack

EC-Council
DoS Attack
DoS attack is a type of network attack intended to make a computer resource unavailable to its
legitimate users by flooding or disrupting the network’s traffic
The attacker may target a particular server application (HTTP, FTP, ICMP, TCP etc.) or the
network as a whole

EC-Council
Indications of a DoS/DDoS Attack
Unusual slowdown of network services
Unavailability of a particular web site
Dramatic increase in the volume of spam

EC-Council
Types of DoS Attacks
• Ping of Death
• Teardrop
• SYN flooding
• Land
• Smurf
• fraggle
• Snork
• OOB Attack
• Nuke Attacks
• Reflected Attack
Major types of DoS attacks are as
follows:

EC-Council
Ping of Death Attack
Attacker uses an abnormal ICMP (Internet Control Message Protocol) data packet containing
large amounts of data that causes TCP/IP to crash or behave irregularly
Attacker sends illegal ping requests that is larger than 65,536 bytes to the target computer
Hacker Victim
Ping of Death Packet – 1,12,000 Bytes
Normal Packet – 65,536 Bytes

EC-Council
Teardrop Attack
Attacker sends fragments with invalid overlapping values in the Offset field which causes the
target system to crash when it attempts to reassemble the data
It targets the systems that run Windows NT 4.0, Win95, and Linux up to 2.0.32
Hacker System Victim System
Normal IP packets offset
Updated IP packets offset
ACK, IP packets
Normal ACK, IP packets

EC-Council
SYN Flooding
Attacker sends a sequence of SYN requests to a target's system with spoofed IP addresses
It is an attack on a network that prevents a TCP/IP server from giving service to other users
Victim SystemHacker System
INTERNETTCP SYN Packets
TCP SYN ACK packets
BACKLOG

EC-Council
Land
A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a
machine with the source host/port the same as the destination host/port
Land renders the victim’s network unprotected against packets coming from outside with
victim’s own IP addresses
Hacker System Victim System
INTERNET
TCP packets,
source host/port = destination host/port

EC-Council
Smurf
Attacker sends the ICMP echo requests to a broadcast
network node
It is accomplished by sending ping requests to a
broadcast address on the target network or
intermediate network
IP address is spoofed and replaced by the victim’s own
address
Attacker abuses “bounce-sites” to attack victims
Smurf functions like an amplifier, generates hundreds
of responses from one request and eventually causes a
traffic overload
Attacker
Amplifier
Victim

EC-Council
Fraggle and Snork Attacks
• Attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets
to the IP broadcast address of a large network, which has a fake source address
• Fraggle attack affects the management console through the firewall
Fraggle:
• Snork is an attack against the Windows NT RPC service
• It allows an attacker with minimal resources to cause a remote NT system to
consume 100% CPU usage for an indefinite period of time
Snork:

EC-Council
WINDOWS OUT-OF-BAND (OOB)
Attack and Buffer Overflow
• The "OOB attack" is a denial of service attack that takes advantage of a bug in
Microsoft’s implementation of its IP-stack, to crash or make network interface
unavailable
• Vulnerability on the RPC port 135 can be exploited to launch a denial-of-service attack
against an NT system
OOB Attack:
• Buffer overflow occurs any time the program writes more information into the buffer
than the space allocated in the memory
• The attacker can overwrite the data that controls the program’s execution path and
hijacks the control of the program to execute the attacker’s code instead of the process
code
• Sending email messages that have attachments with 256-character file names can cause
buffer overflow
Buffer Overflow Attack:

EC-Council
Nuke and Reflected Attacks
• Nuke attacks are also called nuking
• Attacker repeatedly sends the fragmented or invalid ICMP packets to the target computer
using a ping utility that slows down the computer network
Nuke Attack:
• Reflected attack involves sending false request to a large number of computers
• The attacking machines send out huge volumes of SYN request packets but with the
source IP address pointing to the target machine
• Requested computers reply to that IP address of target’s system which results in flooding
Reflected Attack:

EC-Council
DDoS Attack
Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of
compromised systems attack a single target, thereby causing denial of service for users of the
targeted system
In a DDoS attack, attackers first infect multiple systems called zombies, which are then used
to attack a particular target

EC-Council
Working of DDoS Attacks
Attacker infects handler systems
Handler systems
then infect
numerous systems
(zombies)
Zombies then attack
the target system
together
Attacked

EC-Council
Classification of DDoS Attack
• Manual attacks
• Semi-automatic attacks
• Attack by direct communication
• Attack by indirect communication
• Automatic attacks
• Attacks using random scanning
• Attacks using hit list scanning
• Attacks using topology scanning
• Attacks using Permutation Scanning
• Attacks using Local Subnet Scanning
The Degree of Automation
• Attacks using Central Source Propagation
• Attacks using Back-chaining Propagation
• Attacks using Autonomous Propagation
Propagation mechanism
DDoS attacks can be classified according to:

EC-Council
Classification of DDoS Attack
(cont’d)
• Protocol Attacks
• Brute-force Attacks
• Filterable Attacks
• Non-filterable Attacks
Exploited Vulnerability
• Continuous Rate Attacks
• Variable Rate Attacks
• Increasing Rate Attacks
• Fluctuating Rate Attacks
Attack Rate Dynamics
• Disruptive Attacks
• Degrading Attacks
Impact

EC-Council
DDoS Attack Taxonomy
DDoS Attacks
Bandwidth
Depletion
Resource
Depletion
Flood Attack Amplification
Attack
Protocol Exploit
Attack
Malformed
Packet Attack
UDP ICMP
Smurf Fraggle
TCP SYN
Attack
PUSH+ACK
Attack
TCP

EC-Council
DoS Attack Modes
• Consumption of scarce, limited, or non-renewable resources
• Destruction or alteration of configuration information
• Physical destruction or alteration of network components
There are three basic modes of DoS attacks:

EC-Council
Techniques to Detect DoS Attack
• Activity profiling
• Sequential Change-Point detection
• Wavelet-based signal analysis
Three basic techniques to detect Denial-0f-Service
attack are:

EC-Council
Techniques to Detect DoS Attack:
Activity Profiling
Activity profiling is the process of calculating the average packet rate for a network flow,
which consists of consecutive packets with similar packet fields
Time interval between the consecutive matching packets determines the flow’s average
packet rate or activity level
Packets with similar characteristics can be clustered together for easy monitoring
• Increase in average packet flow rate
• Increase in the overall number of distinct clusters
Traffic activities that indicate a DoS attack:

EC-Council
Sequential Change-Point Detection
Sequential Change-Point detection algorithms isolate a traffic statistic’s change caused by
attacks
In this technique, the target traffic data is filtered by address, port, or protocol and the
resultant flow data is stored as a time series
Statistical change in resultant data at a particular time indicates DoS attack that had
occurred around that time

EC-Council
Wavelet-based Signal Analysis
Wavelet analysis describes an input signal in terms of spectral components
Wavelets analysis provides the concurrent time and frequency description, and determines the
time at which certain frequency components are present
Any anomaly in frequency of data packets at a particular time indicates a DoS attack

EC-Council
Monitoring CPU Utilization to
Detect DoS Attacks
Monitor the router's CPU utilization
Collect statistical information of a router including CPU utilization and the bandwidth’s
utilization on each of its connections
Check whether the router is reloading periodically; it indicates an attack

EC-Council
Detecting DoS Attacks Using
Cisco NetFlow
NetFlow is the built-in service in Cisco routers that monitors and exports data for sampled
IP traffic flows
When NetFlow identifies a new flow, an entry is added to the NetFlow cache; this entry then
is used to switch packets and to perform ACL checking
• Source and destination IP address
• Source and destination TCP/UDP ports
• Port utilization numbers
• Packet counts and bytes per packet
NetFlow sampling includes:

EC-Council
Detecting DoS Attacks Using Network
Intrusion Detection System (NIDS)
NIDS is an intrusion detection system that can be used to detect malicious activity by
monitoring the network’s traffic
It scans system files to check if any illegal action is performed and also maintains the file’s
integrity
• Host machine monitors its own traffic
• Independent machine monitors all the network traffic passing through hub, router,
and other network devices
It may run on both the host machines in the network and
independent machine:

EC-Council
Investigating DoS Attacks
DoS attacks can be investigated by looking for specific characteristics within the attacking
traffic
Packet tracebacking in the network helps the investigator to find the source of attack
Packet tracebacking includes reconfiguration of routers and the examination of log
information
DNS logs are also helpful for investigation

EC-Council
ICMP Traceback
ICMP traceback messages are used to find the source of an attack
• Router’s next and earlier hop address
• Timestamp
• Role of the traced packet
• Authentication information
ICMP traceback message includes:
Traceback mechanism allows the victim to find out an attacking agent on traced packets
It maintains logs of the DDoS attack information to do a forensic analysis and assists in enforcing law if
the attacker does severe financial damage
This mechanism is based on the number of attacking agents

EC-Council
Hop-by-Hop IP Traceback
Hop-by-hop IP traceback helps in tracing large and continuous packet flows that are
generated by DoS packet flooding attack
To investigate the source of the attack, it is necessary to report such attacks to the victim’s
ISP
Hop-by-hop IP traceback process:
The administrator then moves on to the upstream router
ISP administrator uses diagnostic and debugging or logging features of the router to find out the
nature of the traffic and the input link, which serves as a path for an attack
ISP administrator identifies the ISP’s router that is closest to the victim’s machine

EC-Council
Hop-by Hop IP Traceback (cont’d)
It can be considered to be the baseline from which all proposed improvements in tracking and tracing are
judged
Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic
must be notified and asked to continue the hop-by-hop trace
The administrator repeats the diagnostic procedure on this upstream router, and continues to trace
backwards, hop-by-hop, until the source of the attack is found inside the ISP’s administrative domain of
control (such as the IP address of a customer of the ISP) or, more likely, until the entry point of the attack
into the ISP’s network is identified

EC-Council
Limitations of Hop-by Hop IP
Traceback
Traceback to the origin of an attack fails if cooperation is not provided at every hop
This method fails if a router along the way lacks sufficient diagnostic capabilities or
resources
It also fails if the attack stops before the trace is complete
It is labor-intensive, technical process, and since attack packets often cross administrative,
jurisdictional, and national boundaries, it is difficult to obtain cooperation

EC-Council
Backscatter Traceback
Backscatter traceback is a technique for tracing a flood of packets that are targeting the victim
of a DDoS attack
It relies on the standard characteristics of the existing Internet routing protocols, and
although some special router configurations are used, there is no custom modification of
protocols or equipment that is outside of Internet standards
It uses large number of invalid source address that are characteristic of contemporary DDoS
attacks
The destination address field of each attack packet contains the IP address of the victim

EC-Council
How the Backscatter Traceback
Works
• The attack is reported to an ISP
• The ISP uses a standard routing control protocol to quickly configure all of its routers to
reject (i.e., filter) packets that are targeted to the victim
• Rejected packets are “returned to sender”
• The ISP configures all of its routers to blackhole (that is, route for capture) many of the
ICMP error packets (i.e., the “backscatter”) with illegitimate destination IP addresses
• Analysis by the blackhole machine quickly traces the attack to one or more routers at the
outermost boundary of the ISP’s network
• The ISP removes the filter blocking the victim’s IP address from all routers except those
serving as the entry points for the DDoS attack
• The ISP asks neighbouring ISPs, upstream of the attack, to continue the trace
• The neighboring ISP(s) can continue to trace the attack closer to its ultimate source
Working of backscatter traceback:

EC-Council
Hash-Based IP Traceback or Single-
Packet IP Traceback (cont’d)
Hash-Based IP Traceback can be used to track a single packet to its sourc
This method relies on storing highly compact representations of each packet known as “packet digests”
rather than the full packets themselves
“Packet digests” are created using mathematical functions called hash functions
Transformation information corresponding to the packet digests is stored in a transformation lookup
table, which provides the information needed to track packets despite common transformations
The transformation information is retained by the router for the same amount of time as the packet
digests
Hash-based IP traceback is accomplished using a system known as a Source Path Isolation Engine
(SPIE)

EC-Council
IP Traceback with IPSec
IPSec is a protocol suite for securing network connections
IP traceback with IPSec tunnels is a part of DecIdUous (Decentralized
source identification for network based intrusion) framework
Traceback is done by locating the IPSec tunnels between an arbitrary
router and the victim
If the attack packets get authenticated by the security association
(SA), the attack originates at a point further behind the router, or the
attacker lies in the path between this router and the victim
This process is iterated until an SA tunnels is established between the
intermediate router and the victim

EC-Council
CenterTrack Method
CenterTrack method is used to improve the traceability of the large packet flows associated with DoS
flood attacks
In this method, first an overlay network has been created using IP tunnels to connect the edge routers in
an ISP’s network to special-purpose tracking routers that are optimized for analysis and tracking
An overlay network is a supplemental or auxiliary network that is created when a collection of nodes
from an existing network are joined together using new physical or logical connections to form a new
physical or logical network on top of the existing one
The overlay network is also designed to further simplify hop-by-hop tracing by having only a small
number of hops between edge routers

EC-Council
CenterTrack Method (cont’d)
The ISP diverts the flow of attack packets (destined for a victim’s machine) from the existing
ISP network onto the overlay tracking network containing the special-purpose tracking
routers
The attack packets can now be easily traced back, hop-by-hop, through the overlay network,
from the edge router closest to the victim, back to the entry point of the packet flood into the
ISP’s network

EC-Council
Packet Marking
Marking classified packets in order to identify the DoS attack traffic
In the packet’s IP header, IP precedence field can be used to specify the importance with
which a particular packet should be involved
• Deterministic packet marking, router shows all the packets
• Probabilistic packet marking (PPM) will divide the path’s
information into small packets
Types of packet marking:

EC-Council
Probabilistic Packet Marking (PPM)
In packet marking scheme, tracking information is placed into rarely used
header fields inside the IP packets themselves
The tracking information is collected and correlated at the destination of the
packets, for a sufficiently large packet flow there will be enough tracking
(path) information embedded in the packets to successfully complete the
trace
This method adds authentication controls to the embedded encodings of
tracking information, which prevents tampering and spoofing of tracking
information

EC-Council
Check Domain Name System (DNS)
Logs
The attacker uses DNS to determine the actual IP address of the target machine before launching the attack
If attacker uses tools, then time of DNS query and attack may be close, which helps to identify the attacker’s
DNS resolver by looking at DNS queries around the time of the start of the attack
Check and compare the DNS logs of different systems which are attacked
Use Sawmill DNS log analyzer to view the DNS log files

EC-Council
Tracing with "log-input"
Check the log entries in an access list of the router
“log-input” helps in identifying router‘s interface that accepts network traffic
If the interface is a multipoint connection, give the Layer 2 address of the device from
which it is received
Use this Layer 2 address to identify the next router in the chain, using the commands such
as show ip arp mac-address for Cisco router
Continue this process until the source of the traffic is found

EC-Council
Control Channel Detection
Large volume of control channel traffic indicates that the actual attacker or coordinator of
the attack is close to the detector
The channel control function provides facilities to define, monitor, and control channels
• To determine particular control channel packets within a specific
time period
• To provide a clear way into the network and geographic location of
the attacker
Use threshold-based detector:

EC-Council
Correlation and Integration
Attack detector tool can find the location of the attacker by integrating with other packet
spoofing tools
• To determine the source of the control channel for particular flood
• To understand spoofed signals from hop to hop or from attack server to target
Collect the data from control channel detectors and flood
detectors:

EC-Council
Path Identification (Pi) Method
Pi traces path of each packet and filters the packet which contains the attack path
It can trace DoS attack packets using filtering techniques and analyzing their path
• Which part of the router’s IP address to mark
• Where to write IP address in each packet’s ID field
• How to neglect the unnecessary nodes in the path
• How to differentiate the paths
It considers four factors to mark a path between the
attackers and the victim:

EC-Council
Packet Traffic Monitoring Tools
Source of the attack can be found out by monitoring the network’s traffic
• Ethereal
• Dude Sniffer
• Tcpdump
• EffeTech
• SmartSniff
• EtherApe
• Maa Tec Network Analyzer
Following are some of the traffic monitoring tools:

EC-Council
Tools for Locating IP Address
• Traceroute
• NeoTrace
• Whois
• Whois Lookup
• SmartWhois
• CountryWhois
• WhereIsIP
Tools:
After getting the IP address of the attacker’s system, use the following IP address locating
tools to gives details about the attacker

EC-Council
Challenges in Investigating DoS
Attacks
Attackers know that they can be traced, so they attack for a limited time
Attacks come from multiple sources
Anonymizers protect privacy by impeding tracking
Attackers may destroy logs and other audit data
Communication problems slow down the tracing process
There is no mechanism for performing malicious traffic discrimination
False positives, missed detections, and detection delays
There are some legal issues which make the investigation process difficult

EC-Council
Tool: Nmap
Nmap is an open source utility for network exploration or security auditing
Uses raw IP packets to determine the available hosts on the network, services they offer, etc.
•C:CMDTNmap>nmap [Scan Type(s)] [Options] <host or net list>
Syntax:

EC-Council
Tool: Friendly Pinger
Friendly Pinger is a tool for network administration, monitoring, and inventory purpose
It notifies when any server wakes up or goes down
Audit software and hardware components installed on the computers over the network
It tracks user access and files opened on your computer via the network

EC-Council
Tool: IPHost Network Monitor
• SNMP (on UNIX/Linux/Mac)
• WMI (on Windows)
• HTTP/HTTPS
• FTP
• SMTP
• POP3
• IMAP
• ODBC
• PING
IPHost Network Monitor allows availability and performance
monitoring of mail, db and other servers, web sites and
applications, various network resources and equipment
using:

EC-Council
Screenshot

EC-Council
Network Monitoring Tools
Tail4Win is a Windows port of the
UNIX 'tail -f' command which can
monitor log files of server applications
in real time
Status2k provides server information
for current and future clients in an easy
to read format, with live load, uptime
and memory usage

EC-Council
Network Monitoring Tools
(cont’d)
DoSHTTP is a powerful HTTP Flood
Denial of Service testing software for
Windows that includes URL verification,
HTTP Redirection, and performance
monitoring
Admin’s Server Monitor is a tool to
monitor server disk traffic loaded over
network that shows accumlated byte
counts read from server's disks by
client PCs over network

EC-Council
Summary
“DoS attack is a type of network attack intended to make a computer resource unavailable to its
intended users by flooding of network or disruption of connections”
If an attacker is unable to gain access to a machine, the attacker will most likely crash the machine to
accomplish a denial of service attack
Attacker uses a abnormal ICMP (Internet Control Message Protocol) data packet containing large
amounts of data that causes TCP/IP to crash or behave irregularly
Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised
systems attack a single target, thereby causing denial of service for users of the targeted system
Three basic techniques used to detect Denial-0f-Service attack are Activity profiling, Sequential
Change-Point detection, and Wavelet-based signal analysis

EC-Council

File000144

More Related Content

Similar to File000144

More from Desmond Devendran

Recently uploaded

File000144