Module XXXI – Investigating DoS Attacks

Upload: desmond-devendran

Post on 14-May-2015


Page 1

Module XXXI – Investigating DoS Attacks

Page 2

EC-Council. Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: AlertPay Brought Down by DDOS Attack

Source: http://www.mxlogic.com/

Page 3

News: UN Agency Investigates Curbs on Internet Anonymity

Source: http://news.zdnet.co.uk

Page 4

Module Objective

This module will familiarize you with:

• DoS attack
• Indications of a DoS/DDoS attack
• Types of DoS attack
• DDoS attack
• Working of DDoS attack
• Classification of DDoS attack
• Detecting DoS attacks using Cisco NetFlow
• Investigating DoS attack
• Challenges in investigating DoS attack

Page 5

Module Flow

• DoS Attack
• Indications of a DoS/DDoS Attack
• Types of DoS Attack
• DDoS Attack
• Working of DDoS Attack
• Classification of DDoS Attack
• Detecting DoS Attacks Using Cisco NetFlow
• Investigating DoS Attack
• Challenges in Investigating DoS Attack

Page 6

DoS Attack

A DoS attack is a type of network attack intended to make a computer resource unavailable to its legitimate users by flooding or disrupting the network's traffic

The attacker may target a particular server application (HTTP, FTP, ICMP, TCP etc.) or the network as a whole

Page 7

Indications of a DoS/DDoS Attack

Unusual slowdown of network services

Unavailability of a particular web site

Dramatic increase in the volume of spam

Page 8

Types of DoS Attacks

Major types of DoS attacks are as follows:

• Ping of Death
• Teardrop
• SYN flooding
• Land
• Smurf
• Fraggle
• Snork
• OOB attack
• Nuke attacks
• Reflected attack

Page 9

Ping of Death Attack

Attacker uses an abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly

The attacker sends illegal ping requests that are larger than 65,536 bytes to the target computer

Figure: Hacker sends a Ping of Death packet (112,000 bytes) to the Victim; a normal packet is 65,536 bytes

Page 10

Teardrop Attack

Attacker sends fragments with invalid overlapping values in the Offset field which causes the target system to crash when it attempts to reassemble the data

It targets the systems that run Windows NT 4.0, Win95, and Linux up to 2.0.32

Figure: Hacker system sends IP fragments with updated (overlapping) offsets to the Victim system; normal IP packets and ACKs are shown for comparison

Page 11

SYN Flooding

The attacker sends a sequence of SYN requests with spoofed IP addresses to the target system

It is an attack on a network that prevents a TCP/IP server from giving service to other users

Figure: Hacker system sends TCP SYN packets across the Internet to the Victim system; the victim's TCP SYN-ACK replies fill the backlog

Page 12

Land

A Land attack is a remote denial-of-service (DoS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port

Land renders the victim’s network unprotected against packets coming from outside with victim’s own IP addresses

Figure: Hacker system sends TCP packets with source host/port = destination host/port across the Internet to the Victim system
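The three malformed-packet attacks above (Ping of Death, Teardrop, Land) can be recognised from header fields alone. The checker below is an added example and not part of the module; its packet records are a constructed dict representation (not real captures), and `IP_MAX_LEN` is the 65,535-byte IPv4 total-length limit.

```python
# Added example, not part of the module: header-level checks for the three
# malformed-packet DoS types described above. Packet records are a
# constructed, simplified representation (dicts of header fields).
from collections import defaultdict

IP_MAX_LEN = 65535   # largest IPv4 datagram, header included (16-bit total length)
IP_HDR_LEN = 20      # minimum IPv4 header length


def is_land(pkt):
    """Land: source host/port identical to destination host/port."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def reassembly_findings(fragments):
    """Group fragments into datagrams by (src, dst, proto, ident) and flag
    Teardrop-style overlapping offsets and Ping-of-Death-style oversize
    datagrams. Returns {datagram_key: set(findings)} for datagrams with
    at least one finding."""
    datagrams = defaultdict(list)
    for f in fragments:
        datagrams[(f["src"], f["dst"], f["proto"], f["ident"])].append(f)
    findings = {}
    for key, frags in datagrams.items():
        found = set()
        end = 0  # byte offset one past the data reassembled so far
        for f in sorted(frags, key=lambda f: f["offset"]):
            if f["offset"] < end:
                found.add("teardrop-overlap")     # fragment starts inside the previous one
            end = max(end, f["offset"] + f["length"])
        if IP_HDR_LEN + end > IP_MAX_LEN:
            found.add("ping-of-death-oversize")   # reassembled size exceeds the IP limit
        if found:
            findings[key] = found
    return findings


def land_findings(packets):
    """Keys of packets whose source and destination host/port coincide."""
    return {(p["src"], p["dst"], p["proto"], p["ident"]) for p in packets if is_land(p)}


def frag(src, dst, proto, ident, offset, length, sport=0, dport=0):
    return {"src": src, "dst": dst, "proto": proto, "ident": ident,
            "offset": offset, "length": length, "sport": sport, "dport": dport}


# Constructed sample traffic toward a victim at 192.0.2.10
SAMPLE = [
    # a normal 1,480-byte ICMP echo split into two fragments
    frag("198.51.100.5", "192.0.2.10", "icmp", 1, 0, 1000),
    frag("198.51.100.5", "192.0.2.10", "icmp", 1, 1000, 480),
    # Ping of Death: the final fragment lands past the 65,535-byte limit
    frag("198.51.100.9", "192.0.2.10", "icmp", 7, 0, 1480),
    frag("198.51.100.9", "192.0.2.10", "icmp", 7, 65000, 1000),
    # Teardrop: the second fragment overlaps the first
    frag("198.51.100.9", "192.0.2.10", "udp", 8, 0, 36),
    frag("198.51.100.9", "192.0.2.10", "udp", 8, 24, 36),
    # Land: source equals destination, port 139 both ways
    frag("192.0.2.10", "192.0.2.10", "tcp", 9, 0, 40, sport=139, dport=139),
]

if __name__ == "__main__":
    print(reassembly_findings(SAMPLE))
    print(land_findings(SAMPLE))
```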

Page 13

Smurf

The attacker sends ICMP echo requests to a broadcast network node

It is accomplished by sending ping requests to a broadcast address on the target network or an intermediate network

The source IP address is spoofed and replaced by the victim's own address

The attacker abuses "bounce sites" to attack victims

Smurf functions like an amplifier: one request generates hundreds of responses and eventually causes a traffic overload

Figure: Attacker sends spoofed requests to the Amplifier network, whose replies flood the Victim

Page 14

Fraggle and Snork Attacks

Fraggle:

• The attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the IP broadcast address of a large network, with a fake source address
• A Fraggle attack affects the management console through the firewall

Snork:

• Snork is an attack against the Windows NT RPC service
• It allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time

Page 15

WINDOWS OUT-OF-BAND (OOB) Attack and Buffer Overflow

OOB Attack:

• The "OOB attack" is a denial-of-service attack that takes advantage of a bug in Microsoft's implementation of its IP stack to crash the system or make the network interface unavailable
• A vulnerability on RPC port 135 can be exploited to launch a denial-of-service attack against an NT system

Buffer Overflow Attack:

• A buffer overflow occurs any time a program writes more information into a buffer than the space allocated for it in memory
• The attacker can overwrite the data that controls the program's execution path and hijack control of the program to execute the attacker's code instead of the process code
• Sending email messages that have attachments with 256-character file names can cause a buffer overflow

Page 16

Nuke and Reflected Attacks

Nuke Attack:

• Nuke attacks are also called nuking
• The attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility, which slows down the computer network

Reflected Attack:

• A reflected attack involves sending false requests to a large number of computers
• The attacking machines send out huge volumes of SYN request packets, but with the source IP address pointing to the target machine
• The requested computers reply to that IP address of the target's system, which results in flooding

Page 17

DDoS Attack

A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system

In a DDoS attack, attackers first infect multiple systems called zombies, which are then used to attack a particular target

Page 18

Working of DDoS Attacks

• The attacker infects handler systems
• The handler systems then infect numerous systems (zombies)
• The zombies then attack the target system together

Page 19

Classification of DDoS Attack

DDoS attacks can be classified according to:

The degree of automation:

• Manual attacks
• Semi-automatic attacks
    • Attack by direct communication
    • Attack by indirect communication
• Automatic attacks
    • Attacks using random scanning
    • Attacks using hit-list scanning
    • Attacks using topology scanning
    • Attacks using permutation scanning
    • Attacks using local subnet scanning

Propagation mechanism:

• Attacks using central source propagation
• Attacks using back-chaining propagation
• Attacks using autonomous propagation

Page 20

Classification of DDoS Attack (cont’d)

Exploited vulnerability:

• Protocol attacks
• Brute-force attacks
    • Filterable attacks
    • Non-filterable attacks

Attack rate dynamics:

• Continuous rate attacks
• Variable rate attacks
    • Increasing rate attacks
    • Fluctuating rate attacks

Impact:

• Disruptive attacks
• Degrading attacks

Page 21

DDoS Attack Taxonomy

• DDoS Attacks
    • Bandwidth Depletion
        • Flood Attack: UDP, ICMP
        • Amplification Attack: Smurf, Fraggle
    • Resource Depletion
        • Protocol Exploit Attack (TCP): TCP SYN Attack, PUSH+ACK Attack
        • Malformed Packet Attack

Page 22

DoS Attack Modes

There are three basic modes of DoS attacks:

• Consumption of scarce, limited, or non-renewable resources
• Destruction or alteration of configuration information
• Physical destruction or alteration of network components

Page 23

Techniques to Detect DoS Attack

Three basic techniques to detect Denial-of-Service attacks are:

• Activity profiling
• Sequential change-point detection
• Wavelet-based signal analysis

Page 24

Techniques to Detect DoS Attack: Activity Profiling

Activity profiling is the process of calculating the average packet rate for a network flow, which consists of consecutive packets with similar packet fields

The time interval between consecutive matching packets determines the flow's average packet rate, or activity level

Packets with similar characteristics can be clustered together for easy monitoring

Traffic activities that indicate a DoS attack:

• An increase in the average packet flow rate
• An increase in the overall number of distinct clusters
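An added example of activity profiling, not taken from the module: packets from a constructed trace are clustered on an assumed set of "similar fields" (destination address, protocol, destination port), each cluster's activity level is derived from the inter-arrival times of its packets, and a current window is compared against a baseline for the two indicators above (rate growth per cluster, growth in the number of clusters). Timestamps are in milliseconds; the multipliers are assumed thresholds.

```python
# Added example (not the module's own code): activity profiling over a
# constructed packet trace. Cluster key and thresholds are assumptions.
from collections import defaultdict


def cluster_key(pkt):
    """Fields assumed to make packets 'similar' for profiling purposes."""
    return (pkt["dst"], pkt["proto"], pkt["dport"])


def activity_profile(packets):
    """Return {cluster: average packets per second}. The rate is the inverse
    of the mean inter-arrival time between consecutive matching packets;
    a cluster with a single packet has no interval and gets rate 0."""
    times = defaultdict(list)
    for p in packets:
        times[cluster_key(p)].append(p["t"])       # t in milliseconds
    profile = {}
    for key, ts in times.items():
        ts.sort()
        if len(ts) < 2:
            profile[key] = 0.0
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = sum(gaps) / len(gaps)
        profile[key] = round(1000.0 / mean_gap, 2) if mean_gap > 0 else float("inf")
    return profile


def compare_windows(baseline, current, rate_factor=5.0, cluster_factor=2.0):
    """Flag the two indicators from the slide: a cluster whose average rate
    grew by rate_factor over its baseline, or a window holding cluster_factor
    times more distinct clusters than the baseline window."""
    alerts = []
    for key, rate in current.items():
        base = baseline.get(key, 0.0)
        if base > 0 and rate >= rate_factor * base:
            alerts.append(("rate-increase", key, base, rate))
    if len(current) >= cluster_factor * max(len(baseline), 1):
        alerts.append(("cluster-increase", len(baseline), len(current)))
    return alerts


def make_packets(dst, proto, dport, start_ms, count, gap_ms):
    """Constructed packets at a fixed spacing (helper for the sample data)."""
    return [{"t": start_ms + i * gap_ms, "dst": dst, "proto": proto, "dport": dport}
            for i in range(count)]


# Constructed baseline window: steady web and DNS traffic to 192.0.2.10
BASELINE = (make_packets("192.0.2.10", "tcp", 80, 0, 10, 1000)
            + make_packets("192.0.2.10", "udp", 53, 0, 5, 2000))
# Constructed current window: web traffic ten times faster, plus two new clusters
CURRENT = (make_packets("192.0.2.10", "tcp", 80, 60000, 50, 100)
           + make_packets("192.0.2.10", "udp", 53, 60000, 5, 2000)
           + make_packets("192.0.2.10", "tcp", 22, 60000, 20, 100)
           + make_packets("192.0.2.10", "icmp", 0, 60000, 20, 50))

if __name__ == "__main__":
    for alert in compare_windows(activity_profile(BASELINE), activity_profile(CURRENT)):
        print(alert)
```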

Page 25

Techniques to Detect DoS Attack: Sequential Change-Point Detection

Sequential change-point detection algorithms isolate a change in a traffic statistic caused by an attack

In this technique, the target traffic data is filtered by address, port, or protocol, and the resulting flow data is stored as a time series

A statistical change in the resulting data at a particular time indicates a DoS attack that occurred around that time
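An added example of sequential change-point detection (not from the module) using a one-sided CUSUM statistic over a constructed time series of per-second packet counts for one filtered flow. The statistic accumulates how far each sample exceeds the attack-free mean plus a slack value and raises an alarm when it crosses a threshold; the estimated change point is the sample after the statistic was last at zero. Training length, slack and threshold are assumptions.

```python
# Added example (not the module's own code): CUSUM change-point detection on
# a constructed packet-count series. The first `train` samples are taken as
# the attack-free baseline.


def baseline_stats(series, n):
    """Mean and (population) standard deviation of the first n samples."""
    window = series[:n]
    mean = sum(window) / n
    var = sum((x - mean) ** 2 for x in window) / n
    return mean, var ** 0.5


def cusum_detect(series, train=20, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM. Returns (alarm_index, change_index, statistics);
    alarm_index and change_index are None if no change is detected.
    k is the slack (tolerated drift) and h the alarm threshold, both given
    in units of the baseline standard deviation."""
    mean, sd = baseline_stats(series, train)
    sd = max(sd, 1e-9)                    # guard against a flat baseline
    k, h = k_sigma * sd, h_sigma * sd
    s, stats, last_zero = 0.0, [], 0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mean - k))  # accumulate only excess over mean + k
        stats.append(s)
        if s == 0.0:
            last_zero = i                 # the statistic reset: no change so far
        if s > h:
            return i, last_zero + 1, stats
    return None, None, stats


# Constructed series: 25 s of roughly 100 packets/s, then a flood from t = 25
QUIET = [98, 101, 100, 99, 102, 100, 97, 103, 100, 101]
SERIES = QUIET * 2 + [100, 99, 101, 100, 100] + [300, 310, 305, 320, 300]

if __name__ == "__main__":
    alarm, change, _ = cusum_detect(SERIES)
    print("alarm at t =", alarm, "change estimated at t =", change)
```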

Page 26

Techniques to Detect DoS Attack: Wavelet-based Signal Analysis

Wavelet analysis describes an input signal in terms of spectral components

Wavelet analysis provides a concurrent time and frequency description, and determines the time at which certain frequency components are present

Any anomaly in frequency of data packets at a particular time indicates a DoS attack
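An added example (not from the module) of the time localisation described above, using an undecimated Haar wavelet detail at one scale: for each second, the normalised difference between the mean packet count of the next w samples and the previous w samples. A sharp rise in packet frequency produces a large detail coefficient at exactly the second it begins. The series is constructed; scale, training length and threshold are assumptions.

```python
# Added example (not the module's own code): Haar wavelet detail at scale w
# over a constructed per-second packet-count series.
import math


def haar_detail(series, w):
    """Undecimated Haar detail coefficients at scale w. d[t] compares the
    mean of the w samples after t with the mean of the w samples before t
    (Haar normalisation by sqrt(2)). Positions without w samples on both
    sides are None."""
    n = len(series)
    d = [None] * n
    for t in range(w, n - w + 1):
        after = sum(series[t:t + w]) / w
        before = sum(series[t - w:t]) / w
        d[t] = (after - before) / math.sqrt(2)
    return d


def locate_burst(series, w=4, train_end=16, z=6.0):
    """Time index of the strongest sharp change at scale w, if it exceeds z
    baseline standard deviations; None otherwise. The baseline spread comes
    from the attack-free coefficients before train_end."""
    d = haar_detail(series, w)
    base = [c for c in d[:train_end] if c is not None]
    mean = sum(base) / len(base)
    sd = math.sqrt(sum((c - mean) ** 2 for c in base) / len(base))
    best_t, best_score = None, z
    for t, c in enumerate(d):
        if c is None:
            continue
        score = abs(c - mean) / sd
        if score > best_score:
            best_t, best_score = t, score
    return best_t


# Constructed series: 24 s of about 100 packets/s, then a flood from t = 24
QUIET = [100, 102, 98, 101, 99, 100, 103, 97]
FLOOD = [400, 410, 395, 405, 400, 420, 390, 400]
SERIES = QUIET * 3 + FLOOD

if __name__ == "__main__":
    print("burst starts at t =", locate_burst(SERIES))
```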

Page 27

Monitoring CPU Utilization to Detect DoS Attacks

Monitor the router's CPU utilization

Collect statistical information about a router, including CPU utilization and the bandwidth utilization on each of its connections

Check whether the router is reloading periodically, which indicates an attack

Page 28

Detecting DoS Attacks Using Cisco NetFlow

NetFlow is a built-in service in Cisco routers that monitors and exports data for sampled IP traffic flows

When NetFlow identifies a new flow, an entry is added to the NetFlow cache; this entry is then used to switch packets and to perform ACL checking

NetFlow sampling includes:

• Source and destination IP address
• Source and destination TCP/UDP ports
• Port utilization numbers
• Packet counts and bytes per packet
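Applying the SYN flooding and Smurf indicators from earlier slides to exported flow records, as an added example that is not the module's own code. The record layout is an assumption modelled on NetFlow v5 fields (addresses, ports, protocol, TCP flag bits, packet and byte counts; for ICMP the destination-port field is assumed to carry type*256+code); the flow lines and thresholds are constructed.

```python
# Added example (not the module's own code): flow-level DoS indicators over
# constructed NetFlow-style records. Field layout is an assumption.
from collections import defaultdict

# TCP flag bits as carried in the tcp_flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_flows(text):
    """Parse 'src,dst,proto,sport,dport,flags_hex,pkts,bytes' lines."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, flags, pkts, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "flags": int(flags, 16), "pkts": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def syn_flood_suspects(flows, min_sources=3, syn_only_ratio=0.8):
    """Per destination: many distinct sources whose flows are one-packet
    SYN-only flows (the handshake never completes, so the backlog fills)."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp":
            by_dst[f["dst"]].append(f)
    suspects = {}
    for dst, fl in by_dst.items():
        syn_only = [f for f in fl
                    if f["flags"] & SYN and not f["flags"] & ACK and f["pkts"] == 1]
        srcs = {f["src"] for f in syn_only}
        ratio = len(syn_only) / len(fl)
        if len(srcs) >= min_sources and ratio >= syn_only_ratio:
            suspects[dst] = {"sources": len(srcs), "syn_only_ratio": round(ratio, 2)}
    return suspects


def smurf_suspects(flows, min_responders=3):
    """Per destination: ICMP echo replies (type 0) arriving from many hosts,
    i.e. the amplified answers to pings spoofed with the victim's address."""
    responders = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp" and f["dport"] // 256 == 0:   # ICMP type 0
            responders[f["dst"]].add(f["src"])
    return {dst: len(s) for dst, s in responders.items() if len(s) >= min_responders}


# Constructed flow export: one normal web session, four half-open SYNs to
# 192.0.2.10, and echo replies from four hosts converging on 192.0.2.20
SAMPLE_FLOWS = """\
10.0.0.5,192.0.2.10,tcp,40000,80,12,5,4200
203.0.113.1,192.0.2.10,tcp,1025,80,02,1,60
203.0.113.2,192.0.2.10,tcp,1026,80,02,1,60
203.0.113.3,192.0.2.10,tcp,1027,80,02,1,60
203.0.113.4,192.0.2.10,tcp,1028,80,02,1,60
198.51.100.1,192.0.2.20,icmp,0,0,00,50,3000
198.51.100.2,192.0.2.20,icmp,0,0,00,50,3000
198.51.100.3,192.0.2.20,icmp,0,0,00,50,3000
198.51.100.4,192.0.2.20,icmp,0,0,00,50,3000
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SYN flood:", syn_flood_suspects(flows))
    print("Smurf:", smurf_suspects(flows))
```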

Page 29

Detecting DoS Attacks Using Network Intrusion Detection System (NIDS)

A NIDS is an intrusion detection system that can be used to detect malicious activity by monitoring the network's traffic

It scans system files to check whether any illegal action has been performed and also maintains the files' integrity

It may run both on the host machines in the network and on an independent machine:

• A host machine monitors its own traffic
• An independent machine monitors all the network traffic passing through hubs, routers, and other network devices

Page 30

Investigating DoS Attacks

DoS attacks can be investigated by looking for specific characteristics within the attacking traffic

Packet traceback in the network helps the investigator find the source of the attack

Packet traceback includes reconfiguration of routers and examination of log information

DNS logs are also helpful for investigation

Page 31

ICMP Traceback

ICMP traceback messages are used to find the source of an attack

An ICMP traceback message includes:

• The router's next and previous hop address
• Timestamp
• Role of the traced packet
• Authentication information

The traceback mechanism allows the victim to identify an attacking agent from the traced packets

It maintains logs of the DDoS attack information for forensic analysis and assists law enforcement if the attacker causes severe financial damage

This mechanism is based on the number of attacking agents

Page 32

Hop-by-Hop IP Traceback

Hop-by-hop IP traceback helps in tracing the large and continuous packet flows generated by a DoS packet flooding attack

To investigate the source of the attack, it is necessary to report such attacks to the victim's ISP

Hop-by-hop IP traceback process:

• The ISP administrator identifies the ISP's router that is closest to the victim's machine
• The ISP administrator uses the diagnostic, debugging, or logging features of the router to find out the nature of the traffic and the input link that serves as the path for the attack
• The administrator then moves on to the upstream router

Page 33

Hop-by-Hop IP Traceback (cont'd)

It can be considered to be the baseline from which all proposed improvements in tracking and tracing are judged

Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic must be notified and asked to continue the hop-by-hop trace

The administrator repeats the diagnostic procedure on this upstream router, and continues to trace backwards, hop-by-hop, until the source of the attack is found inside the ISP's administrative domain of control (such as the IP address of a customer of the ISP) or, more likely, until the entry point of the attack into the ISP's network is identified

Page 34

Limitations of Hop-by-Hop IP Traceback

Traceback to the origin of an attack fails if cooperation is not provided at every hop

This method fails if a router along the way lacks sufficient diagnostic capabilities or resources

It also fails if the attack stops before the trace is complete

It is a labor-intensive, technical process, and since attack packets often cross administrative, jurisdictional, and national boundaries, it is difficult to obtain cooperation

Page 35

Backscatter Traceback

Backscatter traceback is a technique for tracing a flood of packets that are targeting the victim of a DDoS attack

It relies on the standard characteristics of the existing Internet routing protocols, and although some special router configurations are used, there is no custom modification of protocols or equipment that is outside of Internet standards

It relies on the large number of invalid source addresses that are characteristic of contemporary DDoS attacks

The destination address field of each attack packet contains the IP address of the victim

Page 36

How the Backscatter Traceback Works

Working of backscatter traceback:

• The attack is reported to an ISP
• The ISP uses a standard routing control protocol to quickly configure all of its routers to reject (i.e., filter) packets that are targeted to the victim
• Rejected packets are "returned to sender"
• The ISP configures all of its routers to blackhole (that is, route for capture) many of the ICMP error packets (i.e., the "backscatter") with illegitimate destination IP addresses
• Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP's network
• The ISP removes the filter blocking the victim's IP address from all routers except those serving as the entry points for the DDoS attack
• The ISP asks neighboring ISPs, upstream of the attack, to continue the trace
• The neighboring ISP(s) can continue to trace the attack closer to its ultimate source

Page 37

Hash-Based IP Traceback or Single-Packet IP Traceback

Hash-based IP traceback can be used to track a single packet to its source

This method relies on storing highly compact representations of each packet known as “packet digests” rather than the full packets themselves

“Packet digests” are created using mathematical functions called hash functions

Transformation information corresponding to the packet digests is stored in a transformation lookup table, which provides the information needed to track packets despite common transformations

The transformation information is retained by the router for the same amount of time as the packet digests

Hash-based IP traceback is accomplished using a system known as a Source Path Isolation Engine (SPIE)
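A toy model of the digest-based traceback described above, written as an added example (it is not SPIE's implementation or code from the module). Each router keeps, per time window, a Bloom filter of digests computed over the invariant part of the packet (addresses, protocol, identification, first payload bytes; hop-varying fields such as TTL and checksum are left out), and the victim walks upstream through neighbours whose filter holds the digest of one attack packet. Topology, filter size, hash construction and packet representation are assumptions.

```python
# Added example (not SPIE's or the module's code): per-router packet digests
# in Bloom filters and an upstream walk that reconstructs the path of one
# packet. Packet dicts are a constructed representation, not wire format.
import hashlib

DIGEST_BYTES = 8   # payload prefix folded into the digest (an assumption)


def packet_invariant(pkt):
    """Bytes of the packet that do not change hop by hop."""
    return b"|".join([pkt["src"].encode(), pkt["dst"].encode(),
                      pkt["proto"].encode(), str(pkt["ident"]).encode(),
                      pkt["payload"][:DIGEST_BYTES]])


class BloomFilter:
    """Compact membership set: k hash positions in an m-bit vector."""
    def __init__(self, m_bits=4096, k=3):
        self.m, self.k, self.bits = m_bits, k, 0

    def _positions(self, data):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, data):
        for p in self._positions(data):
            self.bits |= 1 << p

    def __contains__(self, data):
        return all(self.bits >> p & 1 for p in self._positions(data))


class Router:
    def __init__(self, name, neighbours):
        self.name, self.neighbours = name, neighbours
        self.windows = {}          # time window id -> BloomFilter of digests

    def forward(self, pkt, window):
        """Record the digest of a forwarded packet for this time window."""
        self.windows.setdefault(window, BloomFilter()).add(packet_invariant(pkt))

    def saw(self, pkt, window):
        bf = self.windows.get(window)
        return bf is not None and packet_invariant(pkt) in bf


def traceback(routers, start, pkt, window):
    """From the victim's router, step to an unvisited neighbour whose digest
    table holds the packet until none does; returns the path found."""
    path, current, visited = [start], start, {start}
    while True:
        nxt = [n for n in routers[current].neighbours
               if n not in visited and routers[n].saw(pkt, window)]
        if not nxt:
            return path
        current = nxt[0]
        visited.add(current)
        path.append(current)


# Constructed packets: a UDP flood packet and an unrelated web request
ATTACK_PKT = {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "udp",
              "ident": 4242, "payload": b"\x00" * 64}
BENIGN_PKT = {"src": "198.51.100.3", "dst": "192.0.2.10", "proto": "tcp",
              "ident": 911, "payload": b"GET / HTTP/1.1\r\n"}


def build_demo():
    """Constructed topology; the flood enters at R5 and reaches the victim
    via R3 and R1, the web request via R4 and R2, both in window 7."""
    topo = {"R1": ["R2", "R3"], "R2": ["R1", "R4"], "R3": ["R1", "R4", "R5"],
            "R4": ["R2", "R3"], "R5": ["R3"]}
    routers = {name: Router(name, nb) for name, nb in topo.items()}
    for hop in ("R5", "R3", "R1"):
        routers[hop].forward(ATTACK_PKT, window=7)
    for hop in ("R4", "R2", "R1"):
        routers[hop].forward(BENIGN_PKT, window=7)
    return routers

if __name__ == "__main__":
    print(traceback(build_demo(), "R1", ATTACK_PKT, 7))
```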

Page 38

IP Traceback with IPSec

IPSec is a protocol suite for securing network connections

IP traceback with IPSec tunnels is a part of DecIdUous (Decentralized source identification for network based intrusion) framework

Traceback is done by locating the IPSec tunnels between an arbitrary router and the victim

If the attack packets get authenticated by the security association (SA), the attack originates at a point further behind the router, or the attacker lies in the path between this router and the victim

This process is iterated until an SA tunnel is established between the intermediate router and the victim

Page 39

CenterTrack Method

The CenterTrack method is used to improve the traceability of the large packet flows associated with DoS flood attacks

In this method, an overlay network is first created using IP tunnels to connect the edge routers in an ISP's network to special-purpose tracking routers that are optimized for analysis and tracking

An overlay network is a supplemental or auxiliary network that is created when a collection of nodes from an existing network are joined together using new physical or logical connections to form a new physical or logical network on top of the existing one

The overlay network is also designed to further simplify hop-by-hop tracing by having only a small number of hops between edge routers

Page 40

CenterTrack Method (cont’d)

The ISP diverts the flow of attack packets (destined for a victim’s machine) from the existing ISP network onto the overlay tracking network containing the special-purpose tracking routers

The attack packets can now be easily traced back, hop-by-hop, through the overlay network, from the edge router closest to the victim, back to the entry point of the packet flood into the ISP’s network

Page 41

Packet Marking

Packet marking marks classified packets in order to identify DoS attack traffic

In the packet's IP header, the IP precedence field can be used to specify the importance with which a particular packet should be handled

Types of packet marking:

• Deterministic packet marking: the router marks all the packets
• Probabilistic packet marking (PPM): the path information is divided across small pieces carried in individual packets

Page 42

Probabilistic Packet Marking (PPM)

In the packet marking scheme, tracking information is placed into rarely used header fields inside the IP packets themselves

The tracking information is collected and correlated at the destination of the packets; for a sufficiently large packet flow there will be enough tracking (path) information embedded in the packets to successfully complete the trace

This method adds authentication controls to the embedded encodings of tracking information, which prevents tampering and spoofing of tracking information
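A simulation of probabilistic packet marking in its simplest, node-sampling form, added here as an example (not the module's code): each router on the path overwrites the mark field with its own address with probability p, so a router's mark survives only when no later router overwrites it, and the victim can order routers by mark frequency in a large flood (nearest router first). The path, p, packet count and random seed are constructed.

```python
# Added example (not the module's own code): node-sampling probabilistic
# packet marking simulated over a constructed attack path.
import random


def mark_along_path(path, p, n_packets, rng):
    """Marks the victim receives for n_packets sent along `path`, listed
    from the attacker's side. None means no router marked the packet."""
    marks = []
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:       # each router overwrites with probability p
                mark = router
        marks.append(mark)
    return marks


def reconstruct_path(marks):
    """Order routers by decreasing mark count, which is victim-nearest
    first, because later routers overwrite earlier marks."""
    counts = {}
    for m in marks:
        if m is not None:
            counts[m] = counts.get(m, 0) + 1
    return sorted(counts, key=lambda r: counts[r], reverse=True), counts


def expected_fraction(distance, p):
    """Fraction of packets carrying the mark of the router `distance` hops
    from the victim (1 = nearest): p * (1 - p) ** (distance - 1)."""
    return p * (1 - p) ** (distance - 1)


# Constructed path from the attacker to the victim's first-hop router R1
PATH = ["R5", "R4", "R3", "R2", "R1"]

if __name__ == "__main__":
    order, counts = reconstruct_path(mark_along_path(PATH, 0.2, 20000, random.Random(7)))
    print(order, counts)
```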

Page 43

Check Domain Name System (DNS) Logs

The attacker uses DNS to determine the actual IP address of the target machine before launching the attack

If the attacker uses tools, the time of the DNS query and the attack may be close together, which helps to identify the attacker's DNS resolver by looking at DNS queries around the time the attack started

Check and compare the DNS logs of different systems which are attacked

Use Sawmill DNS log analyzer to view the DNS log files
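An added example (not from the module, and not using Sawmill) of the correlation described above: DNS query logs from two attacked systems are scanned for queries for the victim's name shortly before each attack started, and the resolvers common to both are reported. The log lines, their format and the attack start times are constructed.

```python
# Added example (not the module's own code): correlating constructed DNS
# query logs with attack start times. Log format is an assumption:
# "<ISO timestamp> <client> <qtype> <qname> <rcode>".
from datetime import datetime, timedelta

DNS_LOG_A = """\
2015-05-14T10:00:01 198.51.100.20 A www.example.test NOERROR
2015-05-14T10:04:55 203.0.113.9 A www.example.test NOERROR
2015-05-14T10:04:58 203.0.113.9 AAAA www.example.test NOERROR
2015-05-14T10:05:40 192.0.2.77 A mail.example.test NOERROR
2015-05-14T09:20:00 198.51.100.44 A www.example.test NOERROR
"""
DNS_LOG_B = """\
2015-05-14T10:29:50 203.0.113.9 A ftp.example.test NOERROR
2015-05-14T10:29:55 198.51.100.20 A ftp.example.test NOERROR
2015-05-14T10:31:00 192.0.2.77 A ftp.example.test NOERROR
"""
ATTACK_A = datetime(2015, 5, 14, 10, 5, 0)    # flood against www began
ATTACK_B = datetime(2015, 5, 14, 10, 30, 0)   # flood against ftp began


def parse_dns_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname, rcode = line.split()
        rows.append({"t": datetime.fromisoformat(ts), "client": client,
                     "qtype": qtype, "qname": qname, "rcode": rcode})
    return rows


def resolvers_before_attack(rows, target_name, attack_start,
                            window=timedelta(minutes=2)):
    """Clients that resolved target_name within `window` before the attack,
    mapped to the seconds between their latest such query and the attack."""
    hits = {}
    for r in rows:
        if r["qname"] != target_name:
            continue
        lead = attack_start - r["t"]
        if timedelta(0) <= lead <= window:
            secs = int(lead.total_seconds())
            hits[r["client"]] = min(secs, hits.get(r["client"], secs))
    return hits


def common_resolvers(*hit_dicts):
    """Resolvers that appear before every attack, as the slide's
    cross-system comparison suggests."""
    return set.intersection(*(set(h) for h in hit_dicts))

if __name__ == "__main__":
    hits_a = resolvers_before_attack(parse_dns_log(DNS_LOG_A), "www.example.test", ATTACK_A)
    hits_b = resolvers_before_attack(parse_dns_log(DNS_LOG_B), "ftp.example.test", ATTACK_B)
    print(hits_a, hits_b, common_resolvers(hits_a, hits_b))
```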

Page 44

Tracing with "log-input"

Check the log entries in an access list of the router

"log-input" helps in identifying the router's interface that accepts the network traffic

If the interface is a multipoint connection, it also records the Layer 2 address of the device from which the traffic was received

Use this Layer 2 address to identify the next router in the chain, using commands such as show ip arp mac-address on a Cisco router

Continue this process until the source of the traffic is found

Page 45

Control Channel Detection

A large volume of control channel traffic indicates that the actual attacker or coordinator of the attack is close to the detector

The channel control function provides facilities to define, monitor, and control channels

Use a threshold-based detector:

• To determine particular control channel packets within a specific time period
• To provide a clear way into the network and geographic location of the attacker

Page 46

Correlation and Integration

An attack detector tool can find the location of the attacker by integrating with other packet spoofing tools

Collect the data from control channel detectors and flood detectors:

• To determine the source of the control channel for a particular flood
• To understand spoofed signals from hop to hop or from the attack server to the target

Page 47

Path Identification (Pi) Method

Pi traces the path of each packet and filters the packets that carry the attack path

It can trace DoS attack packets by analyzing their path and applying filtering techniques

It considers four factors to mark a path between the attackers and the victim:

• Which part of the router's IP address to mark
• Where to write the IP address in each packet's ID field
• How to neglect the unnecessary nodes in the path
• How to differentiate the paths

Page 48

Packet Traffic Monitoring Tools

The source of the attack can be found by monitoring the network's traffic

Following are some of the traffic monitoring tools:

• Ethereal
• Dude Sniffer
• Tcpdump
• EffeTech
• SmartSniff
• EtherApe
• Maa Tec Network Analyzer

Page 49

Tools for Locating IP Address

After getting the IP address of the attacker's system, use the following IP address locating tools to get details about the attacker:

• Traceroute
• NeoTrace
• Whois
• Whois Lookup
• SmartWhois
• CountryWhois
• WhereIsIP

Page 50

Challenges in Investigating DoS Attacks

Attackers know that they can be traced, so they attack for a limited time

Attacks come from multiple sources

Anonymizers protect privacy by impeding tracking

Attackers may destroy logs and other audit data

Communication problems slow down the tracing process

There is no mechanism for performing malicious traffic discrimination

False positives, missed detections, and detection delays

There are some legal issues which make the investigation process difficult

Page 51

Tool: Nmap

Nmap is an open source utility for network exploration or security auditing

It uses raw IP packets to determine the available hosts on the network, the services they offer, etc.

Syntax:

C:\CMDT\Nmap>nmap [Scan Type(s)] [Options] <host or net list>

Page 52

Tool: Friendly Pinger

Friendly Pinger is a tool for network administration, monitoring, and inventory purposes

It notifies when any server wakes up or goes down

It audits the software and hardware components installed on the computers over the network

It tracks user access and files opened on your computer via the network

Page 53

Tool: IPHost Network Monitor

IPHost Network Monitor allows availability and performance monitoring of mail, database and other servers, web sites and applications, and various network resources and equipment using:

• SNMP (on UNIX/Linux/Mac)
• WMI (on Windows)
• HTTP/HTTPS
• FTP
• SMTP
• POP3
• IMAP
• ODBC
• PING

Page 54

Screenshot

Page 55

Network Monitoring Tools

Tail4Win is a Windows port of the UNIX 'tail -f' command which can monitor log files of server applications in real time

Status2k provides server information for current and future clients in an easy to read format, with live load, uptime and memory usage

Page 56

Network Monitoring Tools (cont’d)

DoSHTTP is a powerful HTTP Flood Denial of Service testing software for Windows that includes URL verification, HTTP Redirection, and performance monitoring

Admin's Server Monitor is a tool to monitor server disk traffic over the network; it shows accumulated byte counts read from the server's disks by client PCs over the network

Page 57

Summary

“DoS attack is a type of network attack intended to make a computer resource unavailable to its intended users by flooding of network or disruption of connections”

If an attacker is unable to gain access to a machine, the attacker will most likely crash the machine to accomplish a denial of service attack

The attacker uses an abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly

A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system

Three basic techniques used to detect Denial-of-Service attacks are activity profiling, sequential change-point detection, and wavelet-based signal analysis
