Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system’s resources so that it
cannot respond to service requests. A DDoS attack is also an attack on a system’s
resources, but it is launched from a large number of other host machines that
are infected by malicious software controlled by the attacker.
Unlike attacks that are designed to enable the attacker to gain or increase
access, denial-of-service doesn’t provide direct benefits for attackers. For
some of them, it’s enough to have the satisfaction of service denial. However,
if the attacked resource belongs to a business competitor, then the benefit to
the attacker may be real enough. Another purpose of a DoS attack can be to take
a system offline so that a different kind of attack can be launched. One common
example is session hijacking, which I’ll describe later.
There are different types of DoS and DDoS attacks; the most common are
the TCP SYN flood attack, teardrop attack, smurf attack, ping-of-death attack and
botnets.
TCP SYN flood attack
In this attack, an attacker exploits the use of the buffer space during
a Transmission Control Protocol (TCP) session initialization handshake. The
attacker’s device floods the target system’s small in-process queue with
connection requests, but it does not respond when the target system replies to
those requests. This causes the target system to time out while waiting for the
response from the attacker’s device, which makes the system crash or become
unusable when the connection queue fills up.
There are a few countermeasures to a TCP SYN flood attack:
· Place servers behind a firewall configured to stop inbound SYN packets.
· Increase the size of the connection queue and decrease the timeout on open connections.
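To see what those two settings actually change, here is an added example (not code from the original post): a small model of a listening socket’s half-open queue, flooded with SYNs from peers that never complete the handshake. The backlog size, timeout, flood rate and peer addresses are all constructed values chosen for the illustration.

```python
"""Added example, not from the original post: a model of a listener's
half-open (SYN_RECV) queue, used to see how the two countermeasures above,
a larger backlog and a shorter handshake timeout, change when a SYN flood
exhausts it. Times are integer milliseconds; peers are constructed values."""


class HalfOpenTable:
    """Half-open connection queue of a listening socket.

    backlog    - maximum number of unacknowledged SYN entries held at once
    timeout_ms - how long an entry waits for the peer's final ACK before it
                 is dropped (the 'timeout on open connections' above)
    """

    def __init__(self, backlog: int, timeout_ms: int):
        self.backlog = backlog
        self.timeout_ms = timeout_ms
        self.pending = {}      # (peer ip, peer port) -> arrival time in ms
        self.peak = 0          # highest occupancy seen, for reporting

    def _expire(self, now_ms: int) -> None:
        # Drop entries whose handshake has waited longer than the timeout.
        stale = [k for k, t in self.pending.items() if now_ms - t >= self.timeout_ms]
        for k in stale:
            del self.pending[k]

    def on_syn(self, peer: tuple, now_ms: int) -> bool:
        """Return True if the SYN gets a queue slot, False if the queue is full."""
        self._expire(now_ms)
        if peer in self.pending:               # retransmitted SYN, already queued
            return True
        if len(self.pending) >= self.backlog:
            return False                       # the state a flood is aiming for
        self.pending[peer] = now_ms
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, peer: tuple, now_ms: int) -> bool:
        """Third handshake packet: the entry leaves the half-open queue."""
        self._expire(now_ms)
        return self.pending.pop(peer, None) is not None


def simulate_flood(rate_per_s: int, seconds: int, backlog: int, timeout_ms: int) -> dict:
    """Feed SYNs from ever-changing peers that never ACK into one listener.

    Returns how many SYNs were refused and the peak queue occupancy. All peers
    are constructed values; nothing is sent on the network.
    """
    table = HalfOpenTable(backlog, timeout_ms)
    refused = 0
    total = rate_per_s * seconds
    for i in range(total):
        now_ms = i * 1000 // rate_per_s
        peer = (f"198.51.100.{i % 250 + 1}", 40000 + i)   # constructed source
        if not table.on_syn(peer, now_ms):
            refused += 1
    return {"sent": total, "refused": refused, "peak_queue": table.peak}


if __name__ == "__main__":
    # The same 10 SYN/s flood for 30 s against three listener configurations:
    # small queue + long timeout, big queue, and small queue + short timeout.
    for backlog, timeout_ms in ((128, 60_000), (1024, 60_000), (128, 10_000)):
        print(backlog, timeout_ms, simulate_flood(10, 30, backlog, timeout_ms))
```

The steady-state occupancy is roughly rate × timeout, so the flood wins whenever that product exceeds the backlog: with 128 slots and a 60 s timeout a 10 SYN/s trickle fills the queue in under 13 s, while either a 1024-entry queue or a 10 s timeout keeps it from ever filling at that rate. Linux additionally has SYN cookies (`net.ipv4.tcp_syncookies`), which let the listener keep accepting handshakes once the queue is full; that mechanism is not part of this model.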
Teardrop attack
This attack causes the length and fragmentation offset fields in
sequential Internet Protocol (IP) packets to overlap one another on the
attacked host; the attacked system attempts to reconstruct packets during the
process but fails. The target system then becomes confused and crashes.
If users don’t have patches to protect against this DoS attack, disable
SMBv2 and block ports 139 and 445.
Smurf attack
This attack involves using IP spoofing and ICMP to saturate a target
network with traffic. This attack method uses ICMP echo requests targeted at
broadcast IP addresses. These ICMP requests originate from a spoofed “victim”
address. For instance, if the intended victim address is 10.0.0.10, the
attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast
address 10.255.255.255. This request would go to all IPs in the range, with all
the responses going back to 10.0.0.10, overwhelming the network. This process
is repeatable, and can be automated to generate huge amounts of network
congestion.
To protect your devices from this attack, you need to disable
IP-directed broadcasts at the routers. This will prevent the ICMP echo
broadcast request at the network devices. Another option would be to configure
the end systems to keep them from responding to ICMP packets from broadcast
addresses.
Ping of death attack
This type of attack uses IP packets to ping a target system with an IP
size over the maximum of 65,535 bytes. IP packets of this size are not allowed,
so the attacker fragments the IP packet. Once the target system reassembles the
packet, it can experience buffer overflows and other crashes.
Ping of death attacks can be blocked by using a firewall that will check
fragmented IP packets for maximum size.
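The teardrop and ping-of-death sections above both come down to checks a reassembling host or firewall must make on IPv4 fragments. The following is an added example (not code from the original post) of those checks: each fragment is modelled as the (offset, payload length, more-fragments) values read from its IP header, and the three sample datagrams are constructed for the illustration.

```python
"""Added example, not from the original post: the reassembly checks a host or
firewall applies to IPv4 fragments, covering both the overlapping offsets of a
teardrop and the oversized datagram of a ping of death. Each fragment is
modelled as (offset_units, payload_len, more_fragments) read from its IP
header; the sample datagrams are constructed."""

MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits
IPV4_HEADER = 20       # minimum header; reassembled size = header + payload
FRAG_UNIT = 8          # the fragment-offset field counts 8-byte units

REJECT_OVERLAP = "overlapping fragments"
REJECT_OVERSIZE = "reassembled datagram would exceed 65535 bytes"


def check_fragments(fragments) -> tuple:
    """Validate the fragments of one datagram (all sharing an IP id).

    Returns ("ok", payload_bytes) when the pieces form one contiguous payload
    within limits, ("reject", reason) when the datagram must be discarded, and
    ("incomplete", bytes_so_far) while pieces are still missing.
    """
    spans = set()
    last_seen = False
    for offset_units, length, more in fragments:
        start = offset_units * FRAG_UNIT
        end = start + length
        # Ping-of-death check, applied per piece: refuse as soon as any
        # fragment would push the reassembled datagram past the 16-bit limit,
        # instead of buffering everything first and overflowing.
        if end + IPV4_HEADER > MAX_DATAGRAM:
            return ("reject", REJECT_OVERSIZE)
        last_seen = last_seen or not more
        spans.add((start, end))          # an exact retransmit is harmless

    ordered = sorted(spans)
    # Teardrop check: no piece may begin inside the piece before it.
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start < prev_end:
            return ("reject", REJECT_OVERLAP)

    # Contiguity: only a gap-free run from offset 0 up to the last piece
    # (more_fragments == 0) is ready to be passed up the stack.
    reach = 0
    for start, end in ordered:
        if start > reach:
            return ("incomplete", reach)
        reach = end
    return ("ok", reach) if last_seen else ("incomplete", reach)


# Constructed sample datagrams.
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 500, False)]   # 3460-byte payload, 1500-byte MTU
TEARDROP = [(0, 36, True), (3, 24, False)]                          # 2nd piece starts at byte 24, inside the 1st
PING_OF_DEATH = [(0, 1480, True), (8189, 1480, False)]              # last piece ends at byte 66992


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name:14} -> {check_fragments(frags)}")
```

Note the ordering of the checks: the size limit is enforced on every fragment as it arrives, and overlap is rejected before completeness is considered, so a malicious datagram is discarded without ever being buffered in full.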
Botnets
Botnets are the millions of systems infected with malware under hacker
control in order to carry out DDoS attacks. These bots or zombie systems are
used to carry out attacks against the target systems, often overwhelming the
target system’s bandwidth and processing capabilities. These DDoS attacks are
difficult to trace because botnets are located in differing geographic
locations.
Botnets can be mitigated by:
· RFC3704 filtering, which will deny traffic from spoofed addresses and help ensure that traffic is traceable to its correct source network. For example, RFC3704 filtering will drop packets from bogon list addresses.
· Black hole filtering, which drops undesirable traffic before it enters a protected network. When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send routing updates to ISP routers so that they route all traffic heading to victim servers to a null0 interface at the next hop.
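The smurf mitigation above (disable IP-directed broadcasts) and the RFC3704 filtering in the botnet section are both per-packet decisions a border router makes. Here they are as an added example (not code from the original post, and not a real router’s implementation): a small ingress filter whose topology, prefixes and packets are constructed, and whose bogon list is a short illustrative subset rather than a maintained one.

```python
"""Added example, not from the original post: the packet-filter logic behind
the router-side mitigations above. It refuses to forward packets aimed at a
connected subnet's broadcast address (the smurf amplifier) and applies the two
RFC 3704 source checks (bogon sources, and sources that could not legitimately
arrive on the interface they came in on). Topology, prefixes and packets are
constructed; the bogon list is a short illustrative subset of a real one."""
import ipaddress

BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class IngressFilter:
    """Per-packet decision for a border router.

    interfaces: name -> prefixes reachable through that interface. The uplink
    gets an empty list (any non-bogon source may arrive there); customer and
    LAN interfaces get the prefixes assigned behind them.
    """

    def __init__(self, interfaces: dict):
        self.ifaces = {name: [ipaddress.ip_network(p) for p in prefixes]
                       for name, prefixes in interfaces.items()}

    def decide(self, iface: str, src: str, dst: str) -> tuple:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # RFC 3704 bogon filtering: these ranges cannot be real public sources.
        if any(s in net for net in BOGONS):
            return ("drop", "bogon source")

        # RFC 3704 strict ingress check: a packet from a customer or LAN
        # interface must carry a source inside that interface's prefixes.
        expected = self.ifaces.get(iface, [])
        if expected and not any(s in net for net in expected):
            return ("drop", "source not valid for ingress interface")

        # 'no ip directed-broadcast': never forward to a connected subnet's
        # broadcast address, so one echo request cannot fan out to every host.
        if any(d == net.broadcast_address
               for nets in self.ifaces.values() for net in nets):
            return ("drop", "directed broadcast")

        return ("forward", "ok")


ROUTER = IngressFilter({
    "wan0": [],                        # uplink towards the ISP
    "cust0": ["198.51.100.0/24"],      # prefix assigned to a customer
    "lan0": ["203.0.113.0/24"],        # the protected LAN
})

# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("wan0", "10.0.0.10", "203.0.113.7"),      # RFC 1918 source arriving on the uplink
    ("cust0", "192.0.2.5", "203.0.113.7"),     # source outside cust0's prefix
    ("wan0", "192.0.2.5", "203.0.113.255"),    # aimed at the LAN broadcast address
    ("wan0", "192.0.2.5", "203.0.113.7"),      # ordinary packet
]


def filter_all(router: IngressFilter, packets) -> list:
    return [router.decide(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_all(ROUTER, SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```

On real equipment the last rule is a one-line setting (`no ip directed-broadcast` on Cisco IOS interfaces, the default since IOS 12.0), and the end-system side of the smurf mitigation is the host ignoring broadcast echo requests (`net.ipv4.icmp_echo_ignore_broadcasts=1` on Linux, also the default).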
2. Man-in-the-middle (MitM) attack
A MitM attack occurs when a hacker inserts itself between the
communications of a client and a server. Here are some common types of
man-in-the-middle attacks:
Session hijacking
In this type of MitM attack, an attacker hijacks a session between a trusted
client and network server. The attacking computer substitutes its IP address
for the trusted client while the server continues the session, believing it is
communicating with the client. For instance, the attack might unfold like this:
1. A client connects to a server.
2. The attacker’s computer gains control of the client.
3. The attacker’s computer disconnects the client from the server.
4. The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
5. The attacker’s computer continues dialog with the server and the server believes it is still communicating with the client.
IP Spoofing
IP spoofing is used by an attacker to convince a system that it is
communicating with a known, trusted entity and provide the attacker with access
to the system. The attacker sends a packet with the IP source address of a
known, trusted host instead of its own IP source address to a target host. The
target host might accept the packet and act upon it.
Replay
A replay attack occurs when an attacker intercepts and saves old
messages and then tries to send them later, impersonating one of the
participants. This type can be easily countered with session timestamps or a
nonce (a random number or a string that changes with time).
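Timestamps and nonces only stop a replay if the receiver actually checks them and if they are bound to the message so the attacker cannot update them. The following is an added example (not code from the original post) of a receiver that does both, using an HMAC over body, nonce and timestamp; the shared key, clock values and messages are constructed.

```python
"""Added example, not from the original post: how a receiver uses a
timestamp and a nonce, bound to the message by an HMAC, to reject replayed
messages. The shared key, clock values and messages are constructed."""
import hashlib
import hmac
import json
import secrets
import time


def _canonical(body: dict, nonce: str, ts: float) -> bytes:
    # Deterministic encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps({"body": body, "nonce": nonce, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, body: dict, nonce: str = None, ts: float = None) -> dict:
    """Sender side: attach a fresh nonce, the current time, and a MAC over all three."""
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    ts = ts if ts is not None else time.time()
    mac = hmac.new(key, _canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}


class ReplayGuard:
    """Receiver side. A message is accepted only if its MAC verifies, its
    timestamp is within `window` seconds of the receiver's clock, and its
    nonce has not already been seen inside that window."""

    def __init__(self, key: bytes, window: float = 30.0):
        self.key = key
        self.window = window
        self.seen = {}       # nonce -> ts, kept only as long as the window

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: a replay of such a
        # message is already rejected by the timestamp check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def accept(self, msg: dict, now: float = None) -> str:
        now = now if now is not None else time.time()
        expected = hmac.new(self.key, _canonical(msg["body"], msg["nonce"], msg["ts"]),
                            hashlib.sha256).hexdigest()
        # MAC first: until it verifies, every other field is attacker-controlled.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad_mac"
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        self._prune(now)
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


KEY = b"constructed-shared-secret"   # constructed; real keys come from a key exchange


def demo() -> list:
    """Fresh message, the same message again, an old capture, and a tampered body."""
    guard = ReplayGuard(KEY, window=30)
    msg = make_message(KEY, {"action": "pay", "amount": 5}, nonce="n1", ts=1000.0)
    results = [guard.accept(msg, now=1005.0), guard.accept(msg, now=1006.0)]
    old = make_message(KEY, {"action": "pay", "amount": 5}, nonce="n2", ts=900.0)
    results.append(guard.accept(old, now=1005.0))
    forged = dict(msg, body={"action": "pay", "amount": 500})
    results.append(guard.accept(forged, now=1005.0))
    return results   # ["ok", "replay", "stale", "bad_mac"]


if __name__ == "__main__":
    print(demo())
```

The window lets the receiver bound the nonce cache: anything older than the window is refused on its timestamp alone, so only nonces from the last `window` seconds need to be remembered.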
Currently, there is no single technology or configuration to prevent all
MitM attacks. Generally, encryption and digital certificates provide an
effective safeguard against MitM attacks, assuring both the confidentiality and
integrity of communications. But a man-in-the-middle attack can be injected
into the middle of communications in such a way that encryption will not help.
For example, attacker “A” intercepts the public key of person “P” and
substitutes it with his own public key. Then, anyone wanting to send an
encrypted message to P using P’s public key is unknowingly using A’s public
key. Therefore, A can read the message intended for P and then send the message
to P, encrypted with P’s real public key, and P will never notice that the
message was compromised. In addition, A could also modify the message before
resending it to P. As you can see, P is using encryption and thinks that his
information is protected, but it is not, because of the MitM attack.
So, how can you make sure that P’s public key belongs to P and not to A?
Certificate authorities and hash functions were created to solve this problem.
When person 2 (P2) wants to send a message to P, and P wants to be sure that A will
not read or modify the message and that the message actually came from P2, the
following method must be used:
1. P2 creates a symmetric key and encrypts it with P’s public key.
2. P2 sends the encrypted symmetric key to P.
3. P2 computes a hash function of the message and digitally signs it.
4. P2 encrypts his message and the message’s signed hash using the symmetric key and sends the entire thing to P.
5. P is able to receive the symmetric key from P2 because only he has the private key to decrypt the encryption.
6. P, and only P, can decrypt the symmetrically encrypted message and signed hash because he has the symmetric key.
7. He is able to verify that the message has not been altered because he can compute the hash of the received message and compare it with the digitally signed one.
8. P is also able to prove to himself that P2 was the sender because only P2 can sign the hash so that it is verified with P2’s public key.
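The eight steps above, carried out end to end as an added example (not code from the original post), together with the certificate check that answers the question of whether a public key really belongs to P2. Every primitive here is a constructed toy chosen so the example runs with the standard library alone: textbook RSA with 512-bit keys and no padding, an HMAC-based stream cipher standing in for a real symmetric cipher, and a one-function CA. It shows the structure of the protocol, not a usable cryptosystem.

```python
"""Added example, not from the original post: the eight steps above run end to
end, plus the certificate check that stops A from passing off his own key as
P2's. Everything is a constructed toy: textbook RSA (512-bit, no padding), an
HMAC-based stream cipher in place of a real symmetric cipher, a one-function CA."""
import hashlib, hmac, os, random
from math import gcd


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; a toy key-generation helper constructed for this example."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # bits long, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> tuple:
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv: tuple, data: bytes) -> int:
    return pow(_h(data), priv[1], priv[0])        # sign the hash, not the message


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _h(data)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: keystream block i = HMAC-SHA256(key, i). XOR is
    its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def issue_cert(ca_priv: tuple, name: str, pub: tuple) -> dict:
    """The CA binds a name to a public key by signing the pair."""
    return {"name": name, "pub": pub, "sig": sign(ca_priv, f"{name}:{pub}".encode())}


def check_cert(ca_pub: tuple, cert: dict) -> bool:
    return verify(ca_pub, f"{cert['name']}:{cert['pub']}".encode(), cert["sig"])


def p2_send(message: bytes, p_pub: tuple, p2_priv: tuple) -> dict:
    sym_key = os.urandom(32)                                           # step 1
    enc_key = pow(int.from_bytes(sym_key, "big"), p_pub[1], p_pub[0])  # steps 1-2
    sig = sign(p2_priv, message)                                       # step 3
    sig_len = (p2_priv[0].bit_length() + 7) // 8
    body = sig.to_bytes(sig_len, "big") + message                      # step 4
    return {"enc_key": enc_key, "ciphertext": stream_xor(sym_key, body)}


def p_receive(envelope: dict, p_priv: tuple, p2_pub: tuple):
    """Steps 5-8; returns the message, or None when the signature check fails."""
    sym_key = pow(envelope["enc_key"], p_priv[1], p_priv[0]).to_bytes(32, "big")  # 5
    body = stream_xor(sym_key, envelope["ciphertext"])                              # 6
    sig_len = (p2_pub[0].bit_length() + 7) // 8
    sig, message = int.from_bytes(body[:sig_len], "big"), body[sig_len:]
    # Steps 7 and 8 at once: P's own hash of the message must equal the hash
    # inside the signature, which only P2's private key could have produced.
    return message if verify(p2_pub, message, sig) else None


def demo() -> dict:
    ca_pub, ca_priv = rsa_keygen()
    p_pub, p_priv = rsa_keygen()
    p2_pub, p2_priv = rsa_keygen()
    a_pub, a_priv = rsa_keygen()                  # attacker A's own key pair
    p2_cert = issue_cert(ca_priv, "P2", p2_pub)
    msg = b"pay 100 to account 42"                # constructed message
    env = p2_send(msg, p_pub, p2_priv)
    ct = env["ciphertext"]
    tampered = dict(env, ciphertext=ct[:-1] + bytes([ct[-1] ^ 1]))  # edited in transit
    a_cert = issue_cert(a_priv, "P2", a_pub)      # A vouches for his own key as "P2"
    return {
        "delivered": check_cert(ca_pub, p2_cert) and p_receive(env, p_priv, p2_cert["pub"]) == msg,
        "tamper_detected": p_receive(tampered, p_priv, p2_pub) is None,
        "forged_cert_rejected": not check_cert(ca_pub, a_cert),
    }
```

The point of `check_cert` is the answer to the question posed above: P trusts P2’s public key not because it arrived in the message, but because the CA’s signature over (name, key) verifies under a CA key P already holds, so a key A substitutes for P2’s fails that check before it is ever used.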