
DOS Attacks: Instigation and Mitigation

During the release of a new software product specialized to track spam, ACME Software Inc noticed that there was not as much traffic as they had hoped to receive. On further investigation, they found that they could not view their own website. At that moment, the VP of sales received a call from the company's broker stating that ACME Software Inc stock had fallen 4 points due to a lack of confidence. Several states away, spammers didn't like the idea of lower profit margins due to an easy-to-install spam blocking product, so they decided to fight back. Earlier that day, they had taken control of hundreds of compromised computers and used them as DoS zombies to attack ACME Software Inc's Internet servers in a vicious act of cyber assault. During an emergency press conference the next morning, ACME Software Inc's CIO announced his resignation as a result of a corporate loss of several million dollars.

Scenarios like the one above happen more often than people think and are more costly than most will admit. Denial of Service (DoS) attacks are designed to deplete the resources of a target computer system in an attempt to take a node offline by crashing or overloading it. A Distributed Denial of Service (DDoS) attack is a DoS attack launched from many different locations at once. The most common DDoS attacks are instigated through viruses or zombie machines. There are many reasons DoS attacks are executed, and most of them stem from malicious intent. DoS attacks are almost impossible to prevent if you are singled out as a target, because it is difficult to distinguish a legitimate packet from one used in a DoS attack.

The purpose of this article is to give readers with basic network knowledge a better understanding of the challenges presented by Denial of Service attacks, how they work, and ways to protect systems and networks from them.

Instigation:

Spoofing - Falsifying an Internet address (known as spoofing) is the method an attacker uses to fake an IP address. It is used to reroute traffic to a target network node or to deceive a server into identifying the attacker as a legitimate node. When most of us think of this approach to hacking, we think of someone in another city essentially becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker can take over your Internet identity in this fashion is to blind spoof. This means that the impostor knows exactly what responses to send to a port, but will not see the corresponding replies, since the return traffic is routed to the original system. If the spoofing is designed around a DoS attack, the spoofed internal address becomes the victim. Spoofing is used in most of the well-known DoS attacks. Many attackers will start a DoS attack to drop a node from the network so they can take over the IP address of that device. IP hijacking is the main method used when attacking a secured network or attempting other attacks such as the Man in the Middle attack.

SYN Flood - Attackers send a series of SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session setup. Instead of responding with an ACK, the attacker responds with another SYN to open up a new connection. This causes the connection queues and memory buffers to fill up, thereby denying service to legitimate TCP users. At this point, the attacker can hijack the system's IP address if that is the end goal. Spoofing the "source" IP address when sending a SYN flood not only covers the offender's tracks, but is also a method of attack in itself. SYN floods are the most commonly used DoS in viruses and are easy to write. See http://www.infosecprofessionals.com/code/synflood.c.txt
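To show what the half-open queue described above looks like from the defender's side, here is an added example (not code from the article or from the linked synflood.c): it parses connection-table lines in the format printed by `ss -tan` (a constructed sample, not a real capture) and flags a listening port whose SYN-RECV entries are abnormally many and come from almost entirely distinct peers, the signature of a spoofed SYN flood.

```python
from collections import Counter, defaultdict

# Socket states as printed by `ss -tan` (the assumed input format).
SOCKET_STATES = {"ESTAB", "SYN-SENT", "SYN-RECV", "FIN-WAIT-1", "FIN-WAIT-2",
                 "TIME-WAIT", "CLOSE-WAIT", "LAST-ACK", "CLOSING", "LISTEN"}

# Constructed sample (not captured from a real host): two completed sessions on
# port 80 and forty half-open SYN-RECV entries from forty different peers, which
# is what a spoofed SYN flood looks like in the connection table.
SAMPLE_LINES = [
    "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "ESTAB      0      0      10.0.0.5:80          192.0.2.10:51234",
    "ESTAB      0      0      10.0.0.5:80          192.0.2.11:51235",
] + [f"SYN-RECV   0      0      10.0.0.5:80          203.0.113.{n}:{1024 + n}"
     for n in range(1, 41)]


def parse_sockets(lines):
    """Yield (state, local_port, peer_ip) for each socket line, skipping the header."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] not in SOCKET_STATES:
            continue
        _, _, local_port = parts[3].rpartition(":")
        peer_ip, _, _ = parts[4].rpartition(":")
        yield parts[0], int(local_port), peer_ip


def syn_flood_report(lines, half_open_threshold=30):
    """Flag local ports whose half-open (SYN-RECV) queue is abnormally full.
    A SYN flood leaves many SYN-RECV sockets that never reach ESTAB; when the
    peer addresses are almost all distinct, the sources are very likely spoofed."""
    half_open = Counter()          # local port -> number of SYN-RECV sockets
    established = Counter()        # local port -> number of ESTAB sockets
    sources = defaultdict(set)     # local port -> distinct peers stuck in SYN-RECV
    for state, port, peer in parse_sockets(lines):
        if state == "SYN-RECV":
            half_open[port] += 1
            sources[port].add(peer)
        elif state == "ESTAB":
            established[port] += 1
    alerts = []
    for port, count in sorted(half_open.items()):
        if count < half_open_threshold:
            continue
        distinct = len(sources[port])
        alerts.append({"port": port, "half_open": count,
                       "established": established[port],
                       "distinct_sources": distinct,
                       "likely_spoofed": distinct >= 0.9 * count})
    return alerts
```

On a real host the same check can be fed the live output of `ss -tan`; the threshold should be tuned to the server's normal backlog.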

Smurf Attack - Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a large volume of ICMP echo (ping) traffic to IP broadcast addresses, using a fake source address. The "source" or spoofed address is then flooded with simultaneous replies (see CERT Advisory CA-1998-01). This can be prevented by simply blocking broadcast traffic from remote network sources using access control lists.

Fraggle Attack - This type of attack is the same as a Smurf attack except that it uses UDP instead of ICMP. By sending UDP echo traffic to IP broadcast addresses, the systems on the network all respond to the spoofed address and affect the target system. It is a simple rewrite of the Smurf code, and can be prevented by simply blocking broadcast traffic from remote IP addresses.

Ping of Death - An attacker sends illegitimate ICMP (ping) packets larger than 65,536 bytes to a system with the intention of crashing it. These attacks have been obsolete since the days of NT4 and Win95.

Teardrop - Otherwise known as an IP fragmentation attack, this DoS attack targets systems running Windows NT 4.0, Win95, and Linux up to 2.0.32. Like the Ping of Death, the Teardrop is no longer effective.

Application Attack - These are DoS attacks that exploit an application vulnerability, causing the target program to crash or the system to restart.

Kazaa and Morpheus have a known flaw that allows an attacker to consume all available bandwidth without being logged. See http://www.infosecprofessionals.com/code/kazaa.pl.txt

Microsoft's IIS 5 SSL also has an easily exploited vulnerability. Most exploits like these are easy to find on the Internet and can be copied and pasted as working code. There are thousands of exploits that can be used to DoS a target system/application. See http://www.infosecprofessionals.com/code/IIS5SSL.c.txt

Viruses, Worms, and Antivirus - Yes, antivirus. There are too many cases where the antivirus configuration is wrong or the wrong edition is installed. This lack of foresight causes an unintentional DDoS on the network by taking up valuable CPU resources and bandwidth. Viruses and worms also cause DDoS attacks by the nature of how they spread. Some purposefully attack an individual target after a system has been infected. The Blaster worm, which exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) over TCP port 135, is a good example of this. Blaster targeted Microsoft's Windows Update site by initiating a SYN flood. Because of this, Microsoft decided to no longer resolve DNS for 'windowsupdate.com'.

DoS attacks are impossible to stop. However, there are things you can do to mitigate potential damages they may cause to your environment. The main thing to remember is that you always need to keep up-to-date on the newest threats.

Mitigation:

Antivirus software - Installing antivirus software with the latest virus definitions will help prevent your system from becoming a DoS zombie. Now, more than ever, this is an important feature that you must have. With lawsuits so prevalent, not having the proper protection can leave you open to downstream liability.

Software updates - Keep your software up to date at all times. This includes antivirus, email clients, and network servers. You also need to keep all network operating systems patched with the latest security updates. Microsoft has done a great job of making these patches available for their Windows distributions. Linux has been said to be more secure, but the patches are far scarcer. RedHat is planning to incorporate the NSA's SE Linux kernel into future releases. This will give Mandatory Access Control (MAC) capabilities to the Linux community.

Network protection - Using a combination of firewalls and Intrusion Detection Systems (IDS) can cut down on suspicious traffic and can make the difference between a logged annoyance and losing your job. Firewalls should be set to deny all traffic that is not specifically intended to pass through. Integrating an IDS will warn you when strange traffic is present on your network, which will assist you in finding and stopping attacks.

Network device configuration - Perimeter devices such as routers can be configured to detect and in some cases prevent DoS attacks. Cisco routers can be configured to actively prevent SYN attacks starting with Cisco IOS 11.3, using the TCP intercept feature in global configuration mode:

access-list number {deny | permit} tcp any destination destination-wildcard
ip tcp intercept list number
ip tcp intercept ?    (will give you a good list of other options)

Cisco routers can prevent Smurf and Fraggle attacks by blocking directed broadcast traffic. Since Cisco IOS 12.0, this is the default configuration. ACLs (access control lists) should also be configured on all interfaces.

no ip directed-broadcast    (interface configuration command)

The Cisco router can also be used to prevent IP spoofing. Apply the access list inbound on the interface and define its entries:

ip access-group number in    (under the interface)
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any

See Improving Security on Cisco Routers - www.cisco.com/warp/public/707/21.html
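The inbound filters described in this section, the directed-broadcast drop that stops Smurf and Fraggle amplification and the anti-spoofing access-list entries above, modelled as an added Python example (not code from the article or from Cisco) and run against constructed packets. The inside network 10.0.0.0/24 is an assumption, and the rule that also drops packets arriving from outside with an inside source address goes one step beyond the article's list.

```python
from ipaddress import ip_address, ip_network

# Assumed inside network behind the router's protected interface (constructed).
INSIDE_NET = ip_network("10.0.0.0/24")

# Source prefixes the article's anti-spoofing access list denies inbound,
# written in CIDR form instead of Cisco wildcard masks.
BOGON_SOURCES = [
    ip_network("127.0.0.0/8"),   # deny ip 127.0.0.0 0.255.255.255 any
    ip_network("224.0.0.0/3"),   # deny ip 224.0.0.0 31.255.255.255 any
    ip_network("0.0.0.0/32"),    # deny ip host 0.0.0.0 any
]
DENY, PERMIT = "deny", "permit"


def evaluate_ingress(pkt):
    """Apply the article's inbound filters to one packet arriving from outside.
    pkt has "src", "dst", "proto" and optionally "icmp_type"; returns (action, reason)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == "redirect":
        return DENY, "icmp redirect"                 # deny icmp any any redirect
    for net in BOGON_SOURCES:
        if src in net:
            return DENY, f"bogon source {net}"
    # Beyond the article's list: an inside address cannot legitimately arrive on
    # the outside interface, so it is a spoofed source.
    if src in INSIDE_NET:
        return DENY, "spoofed inside source"
    # What `no ip directed-broadcast` stops: traffic aimed at the subnet broadcast
    # address, the amplifier used by Smurf (ICMP echo) and Fraggle (UDP echo).
    if dst == INSIDE_NET.broadcast_address:
        return DENY, "directed broadcast"
    return PERMIT, "no rule matched"


# Constructed sample packets (not captured traffic), one per rule plus a clean one.
SAMPLE_PACKETS = {
    "smurf":     {"src": "198.51.100.20", "dst": "10.0.0.255", "proto": "icmp", "icmp_type": "echo-request"},
    "fraggle":   {"src": "198.51.100.20", "dst": "10.0.0.255", "proto": "udp"},
    "loopback":  {"src": "127.0.0.1", "dst": "10.0.0.5", "proto": "tcp"},
    "multicast": {"src": "239.1.1.1", "dst": "10.0.0.5", "proto": "udp"},
    "zero":      {"src": "0.0.0.0", "dst": "10.0.0.5", "proto": "udp"},
    "redirect":  {"src": "198.51.100.1", "dst": "10.0.0.5", "proto": "icmp", "icmp_type": "redirect"},
    "inside":    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp"},
    "normal":    {"src": "198.51.100.20", "dst": "10.0.0.5", "proto": "tcp"},
}


def filter_all(packets=SAMPLE_PACKETS):
    """Return {name: (action, reason)} for every packet."""
    return {name: evaluate_ingress(pkt) for name, pkt in packets.items()}
```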

Old Cisco IOS versions are vulnerable to several DoS attacks. The "Black Angels" wrote a program called Cisco Global Exploiter. It is a useful tool for testing the security of your own Cisco router version and configuration, and can be found at http://www.blackangels.it/Projects/cge.htm

Security is not as mystical as people believe. DoS attacks come in many different types and can be devastating if you don't take the proper precautions. Keep up to date and take steps to secure network nodes. Keeping security in mind can minimize damage and downtime, and save your career.

Security Resources:
Black Angels: http://www.blackangels.it/
Cisco: http://www.cisco.com
Microsoft: http://www.microsoft.com/technet/security/current.aspx
Forum of Incident Response and Security Teams: http://www.first.org/
SANS Institute: http://www.sans.org/resources/

Author: Jeremy Martin CISSP, ISSMP, ISSAP, CEI, CEH, CHS-III, CCNA, Network+, A+ http://www.infosecwriter.com

Member of:
BECCA - Business Espionage Controls & Countermeasures Association
ISACA® - Information Systems Audit and Control Association
(ISC)² - International Information Systems Security Certification Consortium
ISSA - Information Systems Security Association
OISSG - Open Information Systems Security Group
YEN NTEA - Young Executives Network
