CSC 1111 Fundamental of Trustworthy Computing

Contents
Introduction ................................................................................................................................ 2 Study Area Coverage ................................................................................................................. 3 Technology & Further Exploration............................................................................................ 7 Conclusion ............................................................................................................................... 10 Personal Thought ..................................................................................................................... 11 References ................................................................................................................................ 12

[Type text]

Page 1

CSC 1111 Fundamental of Trustworthy Computing

Introduction
Denial of Service (DoS) Attack, are attacks on computer systems that aim to disrupt or terminate services provided by the systems. On the Internet, this usually means (repeatedly) crashing services or exhausting some limited resource. DoS attacks can often be performed over the network, and exploit security flaws that exist in the services. DoS will probably block access to resources, flood network, degrade performance, causes server to fail. Another way to view this, DoS attacks is by exhausting the network bandwidth of a site, exhausting the inbound network connections of a service, crashing a service using some security flaw or crashing the computer running a service using some security flaw.

[Type text]

Page 2

CSC 1111 Fundamental of Trustworthy Computing

Study Area Coverage

DoS Attacks are usually executed by flooding the target servers with data packets without authorization or permission. This may be done by misconfiguring their network routers or by performing smurf attack on the victim servers. The results will be Capacity Overflow, and Max Out of system resources, which makes the target service unavailable, either temporarily or permanently, depends. Distributed Denial of Service (DDoS) attack, this is by far the most deadly of all denial of service attacks. The origin flooding the bandwidth or resource of the victim servers are distributed over a large network or The Internet. The overall mechanism of DDoS Attack involves a huge quantity of compromised network nodes, governed by agent handlers, which are further controlled centrally by the actual attacker or maybe they can use botnet. The massive number of compromised computers on the internet a.k.a botnet is then governed by the source attacker to demand access to the targeted victim within a minimal time span, which further causes saturation of limited system resources and results in eventual shutdown of the targeted service. The most common method employed to compromise massive amount of user agents on the internet to actually execute DDoS Attack is by plaguing as many computers as possible over the internet with malware/trojan. Trojans can either spread via email attachments or via Peer-to-peer networks. Whatever method of spreading out, once the trojan is silently installed on the uninformed computer agent, that user agent has actually been compromised, which is then called as a Zombie or Botnet. The attacks will typically not be detectable or preventable by existing security monitoring solutions since the attacks do not consume an unreasonable amount of bandwidth and could, in many cases, be indistinguishable from normal traffic. Application attacks are more efficient, the attacker may not need as much resource at their disposal to successfully complete the attack. Application level attacks target bottlenecks and resources limitations within the application and do not require many compromised zombie systems or a large amount of bandwidth. Furthermore, they can be targeted at the [Type text] Page 3

CSC 1111 Fundamental of Trustworthy Computing weakest link in an environment, for example if a web-farm of a hundred servers relies on a single back office host to authenticate users, an application attack may be able to directly target it. Application attacks are harder to trace, because application level attacks normally use HTTP or HTTPS as their transport. Proxy servers can therefore be used to obfuscate the true origin of the attacker; and many are available for an attacker to redirect his malicious traffic. Many of these proxy servers do not keep logs of connection attempts and could therefore successfully hide the true origin of the attacking host. ` Automated data submission, web application architects and designers frequently

assume that the user of the application is a person and not an automated script. This assumption often leads to vulnerabilities that can be exploited by attackers who craft automated tools to attack the application. A simple example would be a dictionary attack on the authentication process. If a username is known, an attacker may automate the login process using passwords from a dictionary of common words until a match is found. There are many tools available to perform dictionary attacks on various protocols. Similarly, variations on this theme can be used to attack specific weaknesses in the applications design, for example by overwhelming application functions, invoking race conditions or systematically attacking multiple entities. Any data sent from the client-side may be manipulated by an attacker, from obvious form elements that are completed by the user to hidden fields, cookies and bespoke data channels. Commonly, manipulation of this data before sending it to the server results in errors or unusual application behaviour even as a result of simple modification such as sending letters instead of numbers. These back-end errors may in turn lead to exploitable vulnerabilities. Attack classes divided into 2 parts, resources abuse and starvation and exploitation. For resource abuse and starvation, The simplest way to attack an application is to exceed expected use beyond the capacity of the environment. This is conceptually very similar to a Network DoS attack in that it prevents legitimate users from accessing the application while it is forced to deal with many false requests. Exploitation is more sophisticated attacks based on an analysis of the application and its functionality, and identification of susceptible components. This may involve overflows on application buffers to crash the components on the servers themselves, or destruction of back-end data through SQL insertion for example. [Type text] Page 4

CSC 1111 Fundamental of Trustworthy Computing The Example of simple DoS attack.

Example of DDoS Attack

[Type text]

Page 5

CSC 1111 Fundamental of Trustworthy Computing Example of smurf attack

DDoS Attack

[Type text]

Page 6

CSC 1111 Fundamental of Trustworthy Computing

Technology & Further Exploration

There are many other attacks of similar nature and purpose such as smurf attack, nuke bomb, ping of death, banana attack, phlashing among many others. For example, smurf attack. An assault on a network that floods it with excessive messages in order to impede normal traffic. It is accomplished by sending ping requests (ICMP echo requests) to a broadcast address on the target network or an intermediate network. The return address is spoofed to the victim's address. Since a broadcast address is picked up by all nodes on the subnet, it functions like an amplifier, generating hundreds of responses from one request and eventually causing a traffic overload. When conducting a smurf attack, attackers will use spoof their IP address to be the same as the victims IP address. This will cause great confusion on the victims network, and a massive flood of traffic will be sent to the victims networking device, if done correctly. Most firewalls protect against smurf attacks, but if you do notice one, there are several things you can do. If you have access to the router your network or website is on, simply tell it to not forward packets to broadcast addresses. In a Cisco router, simply use the command: no ip directed-broadcast. This wont necessarily nullify the smurf attack, but it will greatly reduce the impact and also prevent your network or website from attacking others by passing on the attack. Optionally, you could upgrade your router to newer Cisco routers, which automatically filter out the spoofed IP addresses that smurf attacks rely on. Ping of Death, another kind of DoS attack. On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation; it allows a single IP packet to be broken down into smaller segments. Attackers began to take advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes. Many operating systems didn't know what to do when they received an oversized packet, so they froze, crashed, or rebooted. Thus, ending a ping of this size is against the rules of the TCP/IP protocol, but hackers can bypass this by cleverly sending the packets in fragments. When the fragments are assembled on the receiving computer, the overall packet size is too great. This will cause a buffer overflow and crash the device. Luckily, most devices created after 1998 are immune to this kind of attack.

[Type text]

Page 7

CSC 1111 Fundamental of Trustworthy Computing If you are running a network with outdated devices this will indeed be a possible threat to your network. In this case, upgrade your devices if possible. Phlashing is a permanent denial of service (DoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical but if carried out could render the target device inoperable. In the teardrop attack, packet fragments are sent in a jumbled and confused order. When the receiving device attempts to reassemble them, it obviously wont know how to handle the request. Older versions of operating systems will simply just crash when this occurs. Operating systems such as Windows NT, Windows 95, and even Linux versions prior to version 2.1.63 are vulnerable to the teardrop attack. As stated earlier, upgrading your network hardware and software is the best way to stay secure from these types of attacks.

[Type text]

Page 8

CSC 1111 Fundamental of Trustworthy Computing Detecting The Attacks Certain types of DDoS attacks are easy to detect as they make use of unusual protocols or attempt to send specific non-standard packets to the targeted systems. Attacks that mimic the behaviour of legitimate users by making repeated requests to the website or by sending a large volume of e-mails can be much harder to detect. Some network based Intrusion Detection Systems (IDS) and network monitoring tools can be used to identify anomalous behaviour on the network and configured to send alerts to the appropriate personnel. In some cases attacks may be indistinguishable (at the protocol level) from legitimate traffic and it is important that detection mechanisms are able to detect these attacks by analysing the volume of connections per host and not simply relying on attack signatures. The network monitoring tools currently used within your network should be investigated to determine whether they support detecting anomalous traffic patterns. Secondary monitoring procedures should also be in place to detect attacks that are not identified by the primary detection tool. These could be bespoke scripts that check the availability of the web site periodically, or a service provided by the ISP or other partner.

[Type text]

Page 9

CSC 1111 Fundamental of Trustworthy Computing

Conclusion
Vulnerabilities in web applications can allow attackers to exhaust available resources and thereby deny access to legitimate users. Companies that rely on web applications to provide critical business functions are therefore at risk from attackers wishing to disrupt these functions by exploiting application level vulnerabilities. Application based DoS attacks require considerably less resource in terms of processing power and bandwidth on the part of the attacker, and therefore present a higher risk to business as the number of possible threat-agents is much greater. The possibility of a denial of service attack should be considered when designing, implementing and providing applications, and appropriate strategies and mitigation techniques put in place within the application.

[Type text]

Page 10

CSC 1111 Fundamental of Trustworthy Computing

Personal Thought
Denial of Service (DoS) attack can be very useful and also can be very harmful. For example, for hacker, DoS have a lot of advantages for them because DoS can be very powerful tools to use to hack someone they dont like for some revenge. For example, if someone attacked a company using DoS attack, that might cost them to lose their business or maybe make their customer unhappy, which is a threat for the company. Company being attacked using DoS might face loss of revenue or prestige. If hacker use permanent Denial of Service attack (PDoS), it might harm their hardware also. That might cost them to lost a lot of money and slow down their business process. Another point of view, from the victims point of view, DoS can be very dangerous. Some of them dont know how to prevent DoS attack, probably, they dont even know what is DoS attack and they will not know who attacked them. The majority of denial of service attacks can be prevented through simply upgrading to the latest hardware and software. Generally, its a good idea to not make many enemies and keep a sharp watch on your network at all times. And in the event that you do track an attacker down, keep two things in mind. First, it may be a spoofed IP address, and thus, a false lead. Second, never attack back. Simply contact the authorities and wait for the justice system to do its work.

[Type text]

Page 11

CSC 1111 Fundamental of Trustworthy Computing

References
http://en.wikipedia.org/wiki/Smurf_attack

http://www.youtube.com/watch?v=yoJIuz6wuXc

http://www.youtube.com/watch?v=6tAQWP3TQZk

http://www.iss.net/security_center/advice/Intrusions/2000012/default.htm

http://www.google.com.my/#hl=en&q=phlashing+attack&aq=f&aqi=&aql=&oq=&gs_rfai= &fp=b3c510282787d86b

http://www.securityhaven.com/tools.html

http://staff.washington.edu/dittrich/misc/ddos/

http://www.corsaire.com/en/

[Type text]

Page 12