Denial Of Service (DOS) - Only CyberSecurity

Tuesday, September 11, 2018

Denial Of Service (DOS)

Denial of Service

A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, typically by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.

Distributed Denial Of service

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood a targeted system, usually one or more web servers, with traffic in order to make its resources unavailable to its intended users. Such an attack is often carried out by many compromised systems (for example, a botnet) flooding a company's main server.


Botnet

A botnet is a collection of Internet-connected devices, each infected with a common type of malware and running one or more bots, that are controlled remotely by the attacker. Botnet infections are usually spread through malware such as a trojan horse. Botnet malware is typically designed to automatically scan systems and devices for common vulnerabilities that have not been patched, and may also scan for ineffective or outdated security products such as firewalls or antivirus software. Common tasks executed by botnets include:

● Using the machine's resources to take part in distributed denial-of-service (DDoS) attacks.
● Generating spam emails.
● Generating Internet traffic to a third-party website.
● Replacing banner ads in a web browser.



Exploiting System and Application Level Vulnerabilities

In this method, a bug in either the operating system or the application software causes a denial-of-service condition. Once an attacker finds such a vulnerability, they still need working exploit code for it; with that code in hand, the attacker can take the target down without any further difficulty.

TCP SYN Flood

A TCP SYN flood is a type of distributed denial-of-service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. In a SYN flood, the attacker sends TCP connection requests faster than the targeted machine can process them, saturating its capacity to accept new connections.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, usually from a fake (spoofed) IP address. The server receives multiple, apparently legitimate requests to establish communication and responds to each attempt with a SYN-ACK packet from each open port.
The attacker either never sends the expected ACK or, if the source address was spoofed, never receives the SYN-ACK in the first place. Either way, the server under attack waits for an acknowledgment of its SYN-ACK for some time. During this period the server does not close the connection with an RST packet, so the connection stays open. Before it can time out, another SYN packet arrives, leaving an increasingly large number of half-open connections.
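The half-open connection build-up described above is visible in the server's own socket table. The following added example (not part of the original post) parses constructed output in the column layout of Linux `ss -tan`, counts SYN-RECV entries against an assumed listen backlog of 128, and shows how many distinct peers they come from; a flood from spoofed sources shows a wide peer list, a flood from a few real hosts a narrow one.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` on Linux:
# State Recv-Q Send-Q Local:Port Peer:Port. Two established clients plus
# 90 half-open (SYN-RECV) entries spread over three peer addresses.
SAMPLE_SS = (
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*\n"
    "ESTAB 0 0 10.0.0.5:80 192.0.2.10:51234\n"
    "ESTAB 0 0 10.0.0.5:80 192.0.2.11:51300\n"
    + "".join(f"SYN-RECV 0 0 10.0.0.5:80 198.51.100.{7 + i % 3}:{40000 + i}\n"
              for i in range(90))
)

def parse_ss(text):
    """Return (state, local, peer_ip) tuples; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        peer_ip = parts[4].rsplit(":", 1)[0]  # drop the port; works for [v6]:port too
        rows.append((parts[0], parts[3], peer_ip))
    return rows

def half_open_report(text, backlog=128, warn_ratio=0.5):
    """Measure half-open connections against the listen backlog (assumed 128 here).

    A SYN flood shows up as SYN-RECV entries approaching the backlog size; with
    spoofed sources the peer list is wide, with a few real sources it is narrow.
    """
    half_open = [r for r in parse_ss(text) if r[0] == "SYN-RECV"]
    per_peer = Counter(peer for _, _, peer in half_open)
    ratio = len(half_open) / backlog
    return {
        "half_open": len(half_open),
        "distinct_peers": len(per_peer),
        "backlog_ratio": round(ratio, 3),
        "saturated": ratio >= warn_ratio,
        "top_peers": per_peer.most_common(3),
    }

if __name__ == "__main__":
    print(half_open_report(SAMPLE_SS))
```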


UDP Flood

A UDP flood is a type of denial-of-service (DoS) attack in which the attacker sends IP packets containing UDP datagrams to random ports on the targeted host.

The receiving host checks for an application listening on the destination port and, if none is, sends back an ICMP "Destination Unreachable" packet. As more and more UDP packets arrive that need to be answered, the system becomes overwhelmed and unresponsive to other clients. The attacker may also spoof the source IP address of the packets, both to ensure that the return ICMP packets do not reach their own host and to anonymize the attack.

User Datagram Protocol (UDP) is a connectionless, sessionless networking protocol. Since UDP traffic does not require a three-way handshake like TCP, it runs with lower overhead and is well suited to traffic that does not need to be checked and rechecked, such as chat or VoIP.
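The random-port spraying and the stream of ICMP replies described above are the two signals a defender can look for. The following added example (not part of the original post) runs over constructed tcpdump-style summary lines and reports, per source address, the packet count, the number of distinct destination ports hit, and how many port-unreachable replies the victim sent back; the victim's total of ICMP replies is reported separately because spoofed sources thin out the per-source view.

```python
import re
from collections import defaultdict

# tcpdump-style summaries (constructed, not a real capture). The victim 10.0.0.5
# answers each UDP datagram to a closed port with an ICMP port-unreachable.
UDP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
ICMP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP .* udp port \d+ unreachable")

def build_sample():
    lines = []
    for i in range(5):  # legitimate DNS: one client, one service port, a handful of packets
        lines.append(f"12:00:0{i}.000000 IP 192.0.2.10.5300{i} > 10.0.0.5.53: UDP, length 40")
    for i in range(200):  # flood: one source spraying 200 distinct ports in one second
        port = 20000 + (i * 7919) % 40000  # 7919 is coprime to 40000, so ports never repeat
        lines.append(f"12:00:01.{i:06d} IP 203.0.113.9.{40000 + i} > 10.0.0.5.{port}: UDP, length 512")
        lines.append(f"12:00:01.{i:06d} IP 10.0.0.5 > 203.0.113.9: ICMP 10.0.0.5 udp port {port} unreachable, length 548")
    return lines

def udp_flood_report(lines, min_packets=100, min_ports=50):
    """Per source: packet count, distinct destination ports, unreachable replies it drew.

    Random-port spraying is the signature of a UDP flood. With spoofed sources the
    per-source view thins out, so the victim's total of ICMP replies is also reported.
    """
    sources = defaultdict(lambda: {"packets": 0, "ports": set()})
    replies_to = defaultdict(int)
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            sources[m.group(1)]["packets"] += 1
            sources[m.group(1)]["ports"].add(int(m.group(3)))
            continue
        m = ICMP_RE.match(line)
        if m:
            replies_to[m.group(2)] += 1  # ICMP goes back to the (possibly spoofed) source
    per_source = {
        src: {"packets": s["packets"], "distinct_ports": len(s["ports"]),
              "unreachable_replies": replies_to.get(src, 0),
              "flood": s["packets"] >= min_packets and len(s["ports"]) >= min_ports}
        for src, s in sources.items()
    }
    return {"sources": per_source, "unreachable_total": sum(replies_to.values())}

if __name__ == "__main__":
    print(udp_flood_report(build_sample()))
```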


HTTP Flood

An HTTP flood is a type of distributed denial-of-service (DDoS) attack in which the attacker sends seemingly legitimate HTTP GET or POST requests to a target web server or application. When an HTTP client such as a web browser communicates with an application or server, it sends an HTTP request: a GET request is used to retrieve content, while a POST request is used to send data to the server, typically producing dynamically generated content.

The attack is most effective when it forces the server or application to allocate the maximum possible resources in response to every single request. For this reason, HTTP floods using POST requests tend to be the most resource-intensive for the target, since POST requests may include parameters that trigger complex server-side processing. HTTP GET-based attacks, on the other hand, are simpler to perform.
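Because each flood request looks legitimate on its own, detection has to work on volume and shape rather than on a single line. The following added example (not part of the original post) runs over constructed Apache/nginx combined-log lines, tracks each client's peak number of requests inside an assumed 10-second sliding window, and reports the share of POSTs so the resource-heavy variant stands out from plain browsing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-log lines (constructed, not from a real server).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample():
    base = datetime(2018, 9, 11, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # normal browsing: one GET every 5 s
        t = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'192.0.2.10 - - [{t}] "GET /page{i}.html HTTP/1.1" 200 5120')
    for i in range(300):  # flood: 300 POSTs to a search endpoint, five per second
        t = (base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "POST /search HTTP/1.1" 200 310')
    return lines

def http_flood_report(lines, window=10, max_requests=50, post_share=0.8):
    """Peak requests per client inside a sliding window, plus the share of POSTs.

    A client whose peak exceeds max_requests is flagged as a flood; a high POST
    share marks the resource-heavy variant. Each client's lines must be in time order.
    """
    per_ip = defaultdict(lambda: {"times": deque(), "peak": 0, "total": 0, "posts": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m.group(2), TS_FMT)
        s = per_ip[m.group(1)]
        s["total"] += 1
        if m.group(3) == "POST":
            s["posts"] += 1
        s["times"].append(ts)
        while (ts - s["times"][0]).total_seconds() > window:
            s["times"].popleft()  # drop requests that fell out of the window
        s["peak"] = max(s["peak"], len(s["times"]))
    return {
        ip: {"peak_in_window": s["peak"],
             "post_share": round(s["posts"] / s["total"], 2),
             "flood": s["peak"] > max_requests,
             "post_heavy": s["posts"] / s["total"] >= post_share}
        for ip, s in per_ip.items()
    }

if __name__ == "__main__":
    print(http_flood_report(build_sample()))
```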


Ping of Death

In this method of DoS, the attacker sends oversized ping (ICMP echo request) packets that the target cannot handle, causing a DoS condition on the target device.

Other types of Flooding

An attacker can use any other protocol vulnerability to flood the target device with packets, so that the device is kept busy handling the flood and may not respond to requests made by legitimate users.

Countermeasures

● DoS detection techniques are based on identifying and discriminating illegitimate traffic from legitimate packet traffic.
● Set up systems with limited security (honeypots) to attract attackers.
● FortGuard Anti-DDoS Firewall provides a fundamentally superior approach to mitigating DDoS attacks, with a design that focuses on passing legitimate traffic rather than discarding attack traffic.
