DoS/DDoS attack essentials and countermeasures 102

We are back with some more interesting ways of launching DoS attack!

1. DNS Amplification - A reflection attack that abuses publicly accessible (open) DNS resolvers. The attacker sends small DNS queries whose source address is forged to be the victim's, so every resolver sends its much larger response to the victim. The resolvers thus turn a trickle of small queries into a flood of large UDP responses that can bring the victim's server down.

2. DNS Flood - This attack targets the DNS server itself. It floods the server with DNS query packets over UDP in an effort to make it unable to answer legitimate queries.

3. Fork Bomb - Unlike the other techniques, which hit the victim from outside, this one works from inside the system. A process forks copies of itself in an unbounded loop until the process table and memory are exhausted, so legitimate programs can no longer create new processes.

4. IP Fragmentation Attack - Abuses the way a host reassembles fragmented IP packets. The attacker sends crafted UDP or ICMP datagrams larger than the path MTU (usually ~1500 bytes), split into fragments that can never be reassembled because pieces are missing or overlap. The target holds them in its reassembly buffers until they time out; under a steady stream those buffers and the CPU spent on reassembly are exhausted, and the server becomes unavailable.
Also check out Teardrop, the classic fragmentation attack: it sends IP fragments with overlapping offsets, which older TCP/IP stacks could not reassemble safely.

5. NTP Amplification -  In addition to clock synchronization, older versions of NTP support a monitoring service that enables administrators to query a given NTP server for a traffic count. This command, called “monlist,” sends the requester a list of the last 600 hosts that connected to the queried server. This response is considerably larger than the request, amplifying the amount of traffic directed at the target server and ultimately leading to a degradation of service for legitimate requests.

6. Smurf Attack - Essentially a ping flood with an amplification vector: the attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source, so every host on that segment replies to the victim at once.

7. SNMP Reflection - Simple Network Management Protocol (SNMP) is a common protocol for configuring and collecting information from network devices like servers, hubs, switches, routers and printers. During an SNMP reflection attack, the perpetrator sends a large number of SNMP queries with a forged source address (the victim's) to many reachable devices, which in turn reply to that forged address. Each response is larger than the query (a GetBulk request in particular returns far more data than it asks for), so the replies accumulate into a volume the target network cannot absorb.

8. UDP Flood - Here the attacker sends IP packets carrying UDP datagrams to random ports on the targeted host. For each one the host checks for an application listening on that port, finds none, and sends back an ICMP "Destination Unreachable" (port unreachable) packet. The lookups and the ICMP replies together consume the host's CPU and outbound bandwidth, and at sufficient volume the host becomes unavailable to legitimate clients.
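Several of the techniques above (DNS, NTP and SNMP reflection) share one fingerprint on the victim's network: large volumes of UDP traffic arriving from well-known service ports that the victim never requested, or requested with far fewer bytes. The following detector is an added example written for this post, not code from the original blog; it runs over constructed flow records (the IP addresses, byte counts and thresholds are assumptions chosen for illustration) and flags (victim, service) pairs whose inbound reflector traffic looks amplified. SSDP and chargen are included as two further well-known reflectors beyond the ones discussed above.

```python
"""Spot reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port their
# replies carry. SSDP (1900) and chargen (19) go beyond the list in the post.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 19: "chargen"}

# Thresholds are assumptions for this example, not values from the post.
MIN_INBOUND_BYTES = 1_000_000   # ignore low-volume chatter entirely
MIN_RATIO = 10.0                # reply bytes / request bytes before we call it amplification
MIN_REFLECTORS = 2              # or: this many distinct reflectors hitting one victim

# Constructed flow records (not captured traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    ("203.0.113.10", 53, "198.51.100.5", 40211, "udp", 3_200_000, 800),    # big "DNS replies" to victim
    ("203.0.113.11", 53, "198.51.100.5", 40211, "udp", 3_100_000, 790),    # from a second open resolver
    ("203.0.113.20", 123, "198.51.100.5", 51234, "udp", 4_400_000, 9000),  # monlist-style NTP replies
    ("198.51.100.5", 40211, "203.0.113.10", 53, "udp", 600, 10),            # what the victim really sent
    ("198.51.100.7", 55000, "192.0.2.53", 53, "udp", 400, 5),               # an ordinary lookup ...
    ("192.0.2.53", 53, "198.51.100.7", 55000, "udp", 900, 5),               # ... and its modest reply
]


def detect_reflection(flows):
    """Return alerts for (victim, service) pairs whose inbound reflector traffic
    looks amplified: far more bytes coming back than the victim ever sent."""
    inbound = defaultdict(int)      # (victim, port) -> bytes from reflectors
    outbound = defaultdict(int)     # (victim, port) -> bytes the victim sent to that service
    reflectors = defaultdict(set)   # (victim, port) -> distinct reflector IPs
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:            # a reply from a reflector service
            inbound[(dst, sport)] += nbytes
            reflectors[(dst, sport)].add(src)
        if dport in REFLECTOR_PORTS:            # a request towards a reflector service
            outbound[(src, dport)] += nbytes

    alerts = []
    for key, in_bytes in inbound.items():
        if in_bytes < MIN_INBOUND_BYTES:
            continue
        # Unsolicited replies (nothing sent) count as an effectively infinite ratio.
        ratio = in_bytes / max(outbound[key], 1)
        n_refl = len(reflectors[key])
        if ratio >= MIN_RATIO or n_refl >= MIN_REFLECTORS:
            victim, port = key
            alerts.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                           "inbound_bytes": in_bytes, "amplification": round(ratio, 1),
                           "reflectors": n_refl})
    return sorted(alerts, key=lambda a: -a["inbound_bytes"])


if __name__ == "__main__":
    for alert in detect_reflection(FLOWS):
        print(alert)
```

The ordinary lookup from 198.51.100.7 stays quiet because its reply is small and roughly proportional to the request; the victim at 198.51.100.5 is flagged twice, once for DNS replies it barely asked for and once for NTP replies it never asked for at all. In production the same logic runs over NetFlow/sFlow exports or a packet capture, and the ratio it reports is the practical amplification factor of the attack.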

The following link gives a good gist of different kinds of DoS techniques https://www.incapsula.com/blog/security-glossary-top-12-ddos-attack-types-need-know.html

Phew! That covered a lot of ways to instigate a DoS attack. We have finished playing bad cop, and it was fun, wasn't it?
It's now time to put on your white hat! Our understanding of DoS isn't complete until we study how to counter the different DoS techniques.

Some countermeasures include:
1. Tightening DNS server security: closing open recursive resolvers (or restricting recursion to your own clients), blocking known-abused servers, and response rate limiting so that a resolver cannot be used as an amplifier.
2. Deep Packet Inspection (DPI) that filters out malicious DDoS traffic (the most effective technique when the protocol allows the payload to be inspected, i.e. it is not encrypted).
3. Preventing fork bombs by limiting the maximum number of processes a user can own. The commands are OS-specific; on Linux this is the nproc limit (ulimit -u for a shell, /etc/security/limits.conf via pam_limits for login sessions).
4. Preventing untrusted software from running as root blocks the vast majority of fork-bomb scenarios, since root is not subject to the per-user process limit.
5. Mitigation of HTTP floods relies on a combination of traffic-profiling methods: IP reputation, keeping track of abnormal activity, and progressive security challenges (e.g., a JavaScript challenge that a simple flood tool cannot solve).
6. Smurf attack mitigation relies on a combination of capacity over-provisioning and filtering services that identify and block illegitimate ICMP responses. The root fix is on the routers: do not forward IP-directed broadcasts (on Cisco IOS, no ip directed-broadcast, which is the default on current releases), so the broadcast amplifier no longer exists.
7. SNMP reflection can be countered by over-provisioning network resources so that the target infrastructure can absorb the attack, and at the source by not exposing SNMP (UDP/161) to the Internet.
8. Ingress/egress packet filtering (BCP 38) is effective against every reflection attack above, because it drops packets whose source address could not legitimately have arrived on that interface, removing the address spoofing the attacks depend on.
9. Common ways to mitigate SYN floods are micro blocks, SYN cookies, RST cookies and stack tweaking:
      a) Micro blocks - allocating a micro-record (as few as 16 bytes) in server memory for each incoming SYN instead of a complete connection object.
      b) SYN cookies - the server encodes the connection state into the sequence number of its SYN-ACK and allocates memory only after the client's ACK returns a valid cookie, instead of allocating on receipt of the SYN.
      c) RST cookies - for the first request from a given client, the server intentionally sends an invalid SYN-ACK and expects the client to respond with an RST (indicating that something is wrong); if no RST arrives, the server knows the request is not legitimate. If an RST is received, the server knows the client is real, logs it, and accepts its subsequent connections.
      d) Stack tweaking - administrators can tune TCP stack parameters (for example shortening the SYN-RECEIVED timeout or enlarging the SYN backlog) to reduce the effect of SYN floods.
10. Using machine learning to detect anomalous network patterns.
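SYN cookies are the one countermeasure in that list that is easy to misunderstand, so here is a worked implementation. It is an added example written for this post, not code from the original blog or from any real TCP stack: the secret, the MSS table, the 64-second tick and the bit layout (5 bits of time, 3 bits of MSS index, 24 bits of MAC) are assumptions chosen for illustration, loosely following the classic design. The point it demonstrates is that a flood of spoofed SYNs leaves no state behind, while a genuine client's ACK carries everything the server needs to rebuild the connection.

```python
"""Stateless SYN cookies: encode the half-open connection in the SYN-ACK sequence
number and allocate only when a valid ACK comes back (added example)."""
import hashlib
import hmac
import time

SECRET = b"per-server secret, rotated out of band"   # assumption for this example
# MSS values the cookie can express with its 3-bit index (up to 8 slots).
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64          # the 5-bit time counter advances every 64 s and wraps after 32 ticks
MAX_AGE_TICKS = 2          # cookies older than this are refused


def _tick(now):
    return (int(now) // TICK_SECONDS) & 0x1F


def _mac24(src_ip, src_port, dst_ip, dst_port, tick):
    """24-bit MAC over the 4-tuple and the time tick: unforgeable without SECRET."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """ISN for the SYN-ACK. Layout: 5 bits tick | 3 bits MSS index | 24 bits MAC.
    Nothing about this SYN is stored on the server."""
    tick = _tick(time.time() if now is None else now)
    # Largest table entry not exceeding the client's MSS; fall back to the smallest.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (tick << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, tick)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """Validate the cookie carried in the client's ACK (ack_num = ISN + 1).
    Returns the negotiated MSS on success, None if the cookie is stale or forged."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (_tick(time.time() if now is None else now) - tick) & 0x1F
    if age > MAX_AGE_TICKS:
        return None                                  # too old (or "from the future" after wrap)
    if mss_idx >= len(MSS_TABLE):
        return None                                  # an index that is never issued
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                  # forged, or replayed against another 4-tuple
    return MSS_TABLE[mss_idx]


class CookieServer:
    """Toy listener: a SYN costs nothing, a connection exists only after a good ACK."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}      # (client_ip, client_port) -> mss

    def on_syn(self, client_ip, client_port, client_mss, now=None):
        return make_syn_cookie(client_ip, client_port, self.ip, self.port, client_mss, now)

    def on_ack(self, client_ip, client_port, ack_num, now=None):
        mss = check_syn_cookie(client_ip, client_port, self.ip, self.port, ack_num, now)
        if mss is not None:
            self.established[(client_ip, client_port)] = mss
        return mss


if __name__ == "__main__":
    srv = CookieServer("203.0.113.1", 443)
    t0 = 1_000_000
    # 10,000 spoofed SYNs (constructed flood): no state accumulates.
    for p in range(10_000):
        srv.on_syn("198.51.100.99", 1024 + p, 1460, now=t0)
    print("entries after flood:", len(srv.established))
    # A real client completes the handshake within the validity window.
    isn = srv.on_syn("198.51.100.5", 40211, 1460, now=t0)
    print("mss after valid ACK:", srv.on_ack("198.51.100.5", 40211, isn + 1, now=t0 + 5))
```

Two caveats a practitioner should keep in mind. First, because only the sequence number survives, TCP options negotiated in the SYN (window scaling, SACK) are lost unless the stack finds somewhere else to stash them, which is why the technique is normally enabled only once the backlog is full rather than all the time. Second, the 24-bit MAC is small: an attacker who can guess it gets one connection per 2^24 tries, so the secret must stay secret and the time window short.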

After reading this article, do you feel you have understood the basics of DoS/DDoS attacks?
In the upcoming weeks we will cover more DoS concepts from an SDN perspective. Stay tuned for more stimulating security discussions!

