Denial Of Service (DOS)
A denial of service attack is an attack that clogs up so much memory on the target system that it cannot serve its users, or that causes the target system to crash, reboot or otherwise deny services to legitimate users.
Classic DOS Attacks:-
- Ping of Death
- Teardrop attacks
- SYN-flood attacks
- Land attacks
- Smurf attacks
- UDP-flood attacks
- Distributed DOS attacks
- ICMP flood
1] Ping Of Death:-
The 'ping' command makes use of the ICMP (Internet Control Message Protocol) echo request & echo reply messages & is commonly used to determine whether a remote host is alive.
In a 'Ping of Death' attack, ping causes the remote system to hang, reboot or crash. To do so, the attacker makes use of the ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a data packet larger than the maximum size allowed by TCP/IP (65,536 bytes).
Eg:- c:\>ping -l 65540 hostname
Pinging hostname [xx.yy.cc.ss] with 65,540 bytes of data
Reply from 204.92.242.61: bytes=65540 time=134ms TTL=61
2] Teardrop Attacks(also known as fragmentation Attack):-
- whenever data is sent over the internet, it is broken into fragments at the source system & reassembled at the destination system.
- Each packet has an offset field in its TCP header that specifies the range of data (i.e. which specific bytes of data) being carried by that particular data packet. This, along with the value in the sequence number field, helps reassemble the data packets in the correct order.
- In a teardrop attack, the target system cannot reassemble the packets & is forced to crash, hang or reboot.
Eg:-
Normal circumstances:
(Bytes 1-1500) (Bytes 1501-3000) (Bytes 3001-4500) ---> packets
However, in a teardrop attack, the data packets sent to the target computer contain byte ranges that overlap with each other:
(Bytes 1-1500) (Bytes 1501-3000) (Bytes 1001-3600) ---> packets
When the target system receives a series of packets as shown above, it cannot reassemble the data & therefore will crash, hang or reboot.
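The two attacks above are both refused at the same place: the fragment reassembler. The following is an added example, not code from the original post, showing the sanity checks a reassembler performs before putting fragments together. Fragments are modelled as (offset, length) pairs counted from byte 0, so the text's "Bytes 1-1500" becomes Fragment(0, 1500); the fragment sets and the 1480-byte fragment size are constructed for the example.

```python
"""Reassembly sanity checks for the Ping of Death and Teardrop cases.

A fragment is (offset, length) in bytes counted from 0. The checker returns a
status string plus a human-readable detail so a caller can log why a fragment
set was refused instead of blindly copying bytes into a fixed-size buffer.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_IP_DATAGRAM = 65535   # largest total length the IPv4 length field can express


@dataclass(frozen=True)
class Fragment:
    offset: int   # first byte of this fragment within the full datagram
    length: int   # number of bytes it carries

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(fragments: List[Fragment]) -> Tuple[str, str]:
    """Decide whether a fragment set may be reassembled.

    Returns one of:
      ("ok", ...)          contiguous and in bounds, ready to reassemble
      ("incomplete", ...)  a hole remains, keep waiting for more fragments
      ("overlap", ...)     a fragment re-covers bytes already received (teardrop)
      ("oversize", ...)    reassembled datagram would exceed 65535 bytes (ping of death)
      ("malformed", ...)   a fragment that carries no data
    """
    if not fragments:
        return "incomplete", "no fragments received"
    ordered = sorted(fragments, key=lambda f: f.offset)   # arrival order is not guaranteed
    if ordered[0].offset != 0:
        return "incomplete", "first fragment (offset 0) missing"
    expected = 0   # next byte we need to see
    for frag in ordered:
        if frag.length <= 0:
            return "malformed", f"fragment at {frag.offset} has non-positive length"
        if frag.end > MAX_IP_DATAGRAM:   # a stricter check would also subtract the 20-byte IP header
            return "oversize", f"fragment ends at byte {frag.end}, limit is {MAX_IP_DATAGRAM}"
        if frag.offset < expected:
            return "overlap", f"fragment at {frag.offset} overlaps data already received up to {expected}"
        if frag.offset > expected:
            return "incomplete", f"hole between byte {expected} and {frag.offset}"
        expected = frag.end
    return "ok", f"{expected} bytes ready for reassembly"


def fragment_payload(total_bytes: int, chunk: int = 1480) -> List[Fragment]:
    """Split a payload the way a sender on a 1500-byte MTU would
    (1480 bytes of data per fragment after the 20-byte IP header)."""
    frags, offset = [], 0
    while offset < total_bytes:
        length = min(chunk, total_bytes - offset)
        frags.append(Fragment(offset, length))
        offset += length
    return frags


# Constructed sample sets mirroring the diagrams above (0-based offsets).
NORMAL = [Fragment(0, 1500), Fragment(1500, 1500), Fragment(3000, 1500)]
TEARDROP = [Fragment(0, 1500), Fragment(1500, 1500), Fragment(1000, 2600)]
# ping -l 65540: 65540 bytes of ICMP data plus the 8-byte ICMP header
PING_OF_DEATH = fragment_payload(65540 + 8)

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)]:
        status, detail = check_fragments(frags)
        print(f"{name:14s} -> {status}: {detail}")
```

The overlap and oversize checks are what a patched IP stack does; a stack that trusts the offset field and copies into a 64 KB buffer is the one that crashes.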
3] SYN-Flood Attacks:- (Covered in Transport layer vulnerabilities)
4] Land Attacks:-
- A land attack is similar to a SYN attack, the only difference being that instead of including an invalid IP address, the SYN packets include the IP address of the target system itself.
- As a result, an infinite loop is created within the target system, which ultimately hangs & crashes.
Solution:- Install a firewall or filtering utility that filters out outgoing packets that carry the IP address of the local system.
5] Smurf Attack:-
It is a kind of brute-force DOS attack in which a huge number of 'ping' requests containing spoofed source IP addresses are sent to a router within that network.
When the router gets a 'ping' or echo request message, it sends an echo reply message to the spoofed IP address, flooding the network with packets, thereby clogging the network & preventing legitimate users from obtaining network services.
6] UDP-flood Attacks:-
This attack exploits the target system's chargen or echo services to create an infinite loop.
When a connection is established between two UDP services, each of which produces output, the output of one becomes the input of the other and the two exchange packets endlessly. Anyone with network connectivity can launch an attack; no account access is needed.
For eg:- by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced.
This attack takes advantage of UDP services that reply to requests.
eg:- UDP port 7 is an echo port. Another UDP port that replies to queries is the chargen port (https://www.cve.org)
- An attacker can overwhelm the target machine with multiple requests to these ports, creating a lot of traffic on the network.
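The land, smurf and UDP-flood sections above each end in the same kind of remedy: a filter that drops a recognisable packet shape. The following added example (not code from the original post) collects those rules into one stateless filter and runs it over constructed sample packets. LOCAL_NET, the packet dictionary layout and the sample addresses are assumptions for the example; the chargen port number 19 is the standard assignment, not a value from the text. The ingress-spoof rule generalises the land solution slightly: it drops any inbound packet that claims a local source address, not only one equal to the destination.

```python
"""Stateless filter rules for the Land, chargen/echo UDP-loop and smurf-style
directed-broadcast cases. Packets are plain dicts; LOCAL_NET is a constructed
example network (RFC 5737 documentation range), not a value from the text."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local network
ECHO_PORT, CHARGEN_PORT = 7, 19                      # UDP services that answer whatever they receive
LOOP_PORTS = {ECHO_PORT, CHARGEN_PORT}

Packet = Dict[str, object]
Rule = Callable[[Packet], Optional[str]]


def land_rule(pkt: Packet) -> Optional[str]:
    """Land: source and destination are the same host."""
    if pkt["src"] == pkt["dst"]:
        return "land: source address equals destination address"
    return None


def ingress_spoof_rule(pkt: Packet) -> Optional[str]:
    """Inbound packets must not claim a source inside our own network."""
    if pkt["direction"] == "in" and ipaddress.ip_address(pkt["src"]) in LOCAL_NET:
        return "spoof: inbound packet with a local source address"
    return None


def udp_loop_rule(pkt: Packet) -> Optional[str]:
    """Echo <-> chargen (or echo <-> echo) traffic would answer itself forever."""
    if pkt["proto"] == "udp" and pkt.get("sport") in LOOP_PORTS and pkt.get("dport") in LOOP_PORTS:
        return "udp-loop: echo/chargen to echo/chargen"
    return None


def directed_broadcast_rule(pkt: Packet) -> Optional[str]:
    """Echo requests (ICMP type 8) aimed at the subnet broadcast address."""
    if (pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
            and ipaddress.ip_address(pkt["dst"]) == LOCAL_NET.broadcast_address):
        return "smurf: echo request to directed broadcast address"
    return None


RULES: List[Rule] = [land_rule, ingress_spoof_rule, udp_loop_rule, directed_broadcast_rule]


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns ("drop", reason) or ("accept", "")."""
    for rule in RULES:
        reason = rule(pkt)
        if reason:
            return "drop", reason
    return "accept", ""


# Constructed sample traffic, one dict per packet (all inbound at the border).
SAMPLE_PACKETS: List[Packet] = [
    {"direction": "in", "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
     "sport": 139, "dport": 139, "flags": "S"},                       # land
    {"direction": "in", "proto": "udp", "src": "203.0.113.9", "dst": "192.0.2.10",
     "sport": 19, "dport": 7},                                        # chargen -> echo
    {"direction": "in", "proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.255",
     "icmp_type": 8},                                                 # smurf trigger
    {"direction": "in", "proto": "tcp", "src": "192.0.2.44", "dst": "192.0.2.10",
     "sport": 40000, "dport": 80, "flags": "S"},                      # spoofed local source
    {"direction": "in", "proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10",
     "sport": 40000, "dport": 80, "flags": "S"},                      # ordinary connection
    {"direction": "in", "proto": "udp", "src": "203.0.113.9", "dst": "192.0.2.10",
     "sport": 50000, "dport": 53},                                    # ordinary DNS query
]


def run_samples() -> Dict[str, int]:
    """Apply the rule set to the samples and return verdict counts."""
    counts = {"accept": 0, "drop": 0}
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        counts[verdict] += 1
        print(f"{verdict:6s} {pkt['proto']:4s} {pkt['src']:>14s} -> {pkt['dst']:<14s} {reason}")
    return counts


if __name__ == "__main__":
    run_samples()
```

Rule order matters only for the reason string: a land packet also trips the ingress-spoof rule, so the more specific rule is listed first. Real firewalls express the same four rules as match conditions on source, destination, protocol and port.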
7] Distributed DOS Attacks:-
In the case of the DOS attacks discussed above, chances are high that the computer criminal will leave a sufficient trail by which savvy system administrators or government authorities could trace him.
Distributed DOS (DDOS) attacks are completely different. These types of attacks enable hackers to remain anonymous while disabling entire networks of large organizations.
DDOS attacks have proved to be a big security threat.
Due to the shortcomings associated with regular DOS attacks, many hackers came up with an evolved form of DOS attack known as the DDOS attack.
In a typical DOS attack, there is a single attacker who uses his system with a spoofed address & tries to bring the target system down. The ratio of attacking computers to target computers is normally 1:1. Such a ratio may not be favorable from the attacker's point of view & there is a high possibility that the attack may fail. This is why distributed DOS attacks are so effective.
In a DDOS attack, the attacker follows these steps:
- Instead of directly attacking the target computer, the attacker first identifies a less secure decoy network. The attacker chooses this decoy network in such a manner that it is not so secure & has a relatively large number of computers, say 100.
- The attacker then breaks into the less secure decoy network & takes control of all its systems. After this, the attacker installs distributed DOS attack tools or agents on each system that is part of the decoy network.
- Finally, the attacker uses all 100 computers/systems of the decoy network against the target. The attacker has control over all 100 systems with a single command line instruction.
Thus, in a DDOS attack there are 100 different attackers/systems attacking the single target system. This raises the ratio of the number of attackers to the number of target systems to 100:1.
As a result, due to the higher number of attackers, DDOS attacks are far more effective & more dangerous than regular DOS attacks.
Tools used for DDOS:-
- TFN (Tribe Flood Network)
- Trin00
- Stacheldraht (Barbed wire)
- Shaft
8] ICMP flood:- (Internet Control Message protocol)
- ICMP is the basic network management protocol of TCP/IP. It is used to send error & control messages regarding the status of a host or router.
- There are two kinds of attacks that can be initiated by exploiting the ICMP protocol: passive & active attacks.
ICMP active attacks:-
These types of attacks go beyond the monitoring & analysis of traffic.
An attacker actually tries to bypass or break into the network, & this can result in DOS.
A tool used for network diagnosis is the ICMP ping.
Ping echo packets can be sent to a broadcast address on a target network, which can eventually lead to a traffic overload that impairs normal traffic & can lead to DOS.
ICMP passive attacks:-
Passive attacks involve monitoring of traffic & available hosts on a network.
They use ICMP packets, which offer the information that is being probed for.
This gives the attacker a true picture of the network to enable proper planning before launching an active attack.
An attacker will be able to better understand the environment & gather information about the target so as to plan the attack approach. He or she is able to determine the number of hops to reach a specific device, & the hosts running on the network.
ICMP sweep, ping sweep or IP sweep involves discovering all the host IP addresses which are alive in the entire target network.
Solution:- Deploying a firewall can stop ICMP floods.
The firewall can check the rate of ICMP packets destined for a specific destination address. There should be a threshold rate, & if it is exceeded, then all such subsequent ICMP packets should be dropped.
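The solution above can be stated as a per-destination sliding-window counter. The following is an added example, not code from the original post: it implements exactly that threshold, where each destination address may receive at most a fixed number of ICMP packets per window and anything beyond is dropped until earlier packets age out. The log format, the timestamps (integer milliseconds, so the arithmetic is exact) and the addresses are constructed for the example; the threshold of 5 per second is an illustrative value, not one from the text.

```python
"""Per-destination ICMP rate threshold.

Log lines are constructed for this example and carry: time_ms proto src dst.
Only ICMP is counted; other protocols pass through untouched.
"""
from collections import defaultdict, deque
from typing import Deque, Dict


class IcmpRateLimiter:
    """Sliding-window count of accepted ICMP packets per destination address.

    A destination may receive at most `threshold` ICMP packets in any
    `window_ms` interval; packets beyond that are dropped until enough of the
    earlier ones fall out of the window.
    """

    def __init__(self, threshold: int, window_ms: int = 1000) -> None:
        self.threshold = threshold
        self.window_ms = window_ms
        self.accepted: Dict[str, Deque[int]] = defaultdict(deque)   # accept timestamps per dst

    def handle(self, ts_ms: int, proto: str, dst: str) -> str:
        if proto != "icmp":
            return "accept"
        q = self.accepted[dst]
        while q and ts_ms - q[0] >= self.window_ms:   # forget packets older than the window
            q.popleft()
        if len(q) >= self.threshold:                  # threshold exceeded: drop this one
            return "drop"
        q.append(ts_ms)
        return "accept"


# Constructed sample: a burst of echo requests at one host, one stray packet to
# another host, one TCP packet, then a late ICMP packet after the window moved on.
SAMPLE_LOG = """\
0    icmp 198.51.100.7 192.0.2.10
100  icmp 198.51.100.7 192.0.2.10
200  icmp 198.51.100.7 192.0.2.10
300  icmp 198.51.100.7 192.0.2.10
400  icmp 198.51.100.7 192.0.2.10
500  icmp 198.51.100.7 192.0.2.10
600  icmp 198.51.100.7 192.0.2.10
700  icmp 198.51.100.7 192.0.2.10
750  icmp 203.0.113.5  192.0.2.20
800  tcp  203.0.113.5  192.0.2.10
1300 icmp 198.51.100.7 192.0.2.10
"""


def replay(log: str = SAMPLE_LOG, threshold: int = 5, window_ms: int = 1000) -> Dict[str, int]:
    """Run a log through the limiter and return verdict counts."""
    limiter = IcmpRateLimiter(threshold, window_ms)
    counts = {"accept": 0, "drop": 0}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst = line.split()
        verdict = limiter.handle(int(ts), proto, dst)
        counts[verdict] += 1
        print(f"{ts:>5s} {proto:4s} {src:>13s} -> {dst:<12s} {verdict}")
    return counts


if __name__ == "__main__":
    print(replay())
```

With a threshold of 5 per 1000 ms, the first five packets to 192.0.2.10 are accepted, the next three are dropped, the packet to 192.0.2.20 and the TCP packet are unaffected, and the packet at 1300 ms is accepted again because four of the earlier ones have aged out. Counting only accepted packets in the window is what makes the limiter recover instead of locking the destination out for as long as the flood continues.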