Thursday, November 27, 2008

Seven Common DoS Attack Methods

Hackers have an arsenal of methods for launching Denial of Service (DoS) attacks. The following seven sections illustrate the scale of the problem faced by organizations trying to defend against the DoS threat. TippingPoint provides solutions to counter these common DDoS attack methods:

<> Vulnerabilities
<> Zombie Recruitment
<> Attack Tools
<> Bandwidth Attacks
<> SYN Floods
<> Established Connection Floods
<> Connections-Per-Second Floods

Method 1 : Vulnerabilities

Attackers can attempt to crash a service or the underlying operating system directly over the network. These attacks disable services by exploiting buffer overflows and other exploitable flaws that exist in vulnerable servers. Vulnerability attacks do not require extensive resources or bandwidth to carry out; attackers only need to know that a vulnerability exists to be able to exploit it and cause widespread damage. Once an attacker has control of a vulnerable service, application, or operating system, they abuse that foothold to disable systems and ultimately crash an entire network from within.

Method 2 : Zombie Recruitment

The same vulnerabilities used to crash a server allow hackers to turn vulnerable PCs into Distributed Denial of Service zombies. Once the hacker exploits the vulnerability to gain control of the system, they plant a backdoor into the system for later use in committing DDoS attacks. The Trojan or similar infection provides a path into the system. Once the attacker has that path, they remotely control the machine, making it a "Zombie" that waits for the attack command. Using these zombies, attackers can launch a huge number of DoS and DDoS attacks anonymously. Viruses can also be used for Zombie recruitment. For instance, the MyDoom virus was designed to convert PCs into Zombies that attacked SCO and Microsoft at a prearranged time programmed into the virus. Other viruses install backdoors that let hackers launch coordinated attacks, increasing the distribution of the attacks across networks around the globe. The following figures detail how attackers build and launch these attacks against a network.

Method 3 : Attack Tools

Through zombie recruitment, hackers use covert communication channels to contact and control their zombie armies. They can choose from hundreds of off-the-shelf backdoor programs and custom tools available on websites. These tools and programs launch attacks to penetrate and control networks as zombie armies, which then launch additional attacks from within. Once they have the zombie systems, they can use other tools to send a single command to all zombies simultaneously. In some cases, commands are carried in ICMP or UDP packets that can bypass firewalls. In other cases, the zombie "phones home" by making a TCP connection to the master. Once the connection is created, the master can control the Zombie.

The tools used to attack and control systems include:

<> Tribe Flood Network (TFN) : Focuses on Smurf, UDP, SYN, and ICMP echo request floods.
<> Tribe Flood Network 2000 (TFN2K) : The updated version of TFN.
<> Trinoo : Focuses on UDP floods. Sends UDP packets to random destination ports. The packet size is configurable.
<> Stacheldraht : Software tool that focuses on TCP ACK, TCP NULL, HAVOC, DNS floods, and TCP packet floods with random headers.

DDoS attack tools are evolving both in the sophistication of their covert channels and in their flooding methods. Newer tools use random port numbers or operate over IRC. Further, smarter tools cleverly disguise flooding packets as legitimate service requests and/or introduce a high degree of randomness. These improvements make it increasingly hard for a port-filtering device to separate attack packets from legitimate traffic.

Method 4 : Bandwidth Attacks

When a DDoS attack is launched, it can often be detected as a significant change in the statistical composition of the network traffic. For example, a typical network might consist of 80 percent TCP and a 20 percent mix of UDP and ICMP. A change in this statistical mix can be a signal of a new attack. For example, the Slammer worm resulted in a surge of UDP packets, whereas the Welchia worm produced a flood of ICMP packets. Such surges can be DDoS attacks or so-called zero-day attacks, that is, attacks that exploit undisclosed vulnerabilities.
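To make the "change in the statistical mix" concrete, here is an added detector (my own illustration, not TippingPoint's code) that buckets packet records into time windows and flags any window whose per-protocol shares drift from the 80/20 baseline the text describes. The baseline split of UDP versus ICMP, the tolerance, and the sample records are all constructed for this example.

```python
from collections import Counter

# Constructed baseline from the text: ~80% TCP, ~20% UDP and ICMP combined.
BASELINE = {"TCP": 0.80, "UDP": 0.15, "ICMP": 0.05}

def protocol_mix(packets):
    """Return each baseline protocol's share of the given packet records."""
    counts = Counter(p["proto"] for p in packets)
    total = sum(counts.values()) or 1
    return {proto: counts.get(proto, 0) / total for proto in BASELINE}

def mix_shift(packets, baseline=BASELINE, tolerance=0.15):
    """Return {proto: (observed_share, baseline_share)} for every protocol
    whose share deviates from the baseline by more than `tolerance`."""
    observed = protocol_mix(packets)
    return {p: (observed[p], baseline[p]) for p in baseline
            if abs(observed[p] - baseline[p]) > tolerance}

def windows(packets, width_s):
    """Group packet records into fixed-width time windows by timestamp."""
    buckets = {}
    for p in packets:
        buckets.setdefault(int(p["ts"] // width_s), []).append(p)
    return [buckets[k] for k in sorted(buckets)]

def scan(packets, width_s=10.0):
    """Return [(window_index, shifts)] for every window whose mix is out of band."""
    flagged = []
    for i, w in enumerate(windows(packets, width_s)):
        shifts = mix_shift(w)
        if shifts:
            flagged.append((i, shifts))
    return flagged

# Constructed sample: window 0 is a normal mix; window 1 carries a UDP surge
# of the kind the text attributes to the Slammer worm.
SAMPLE = ([{"ts": 0.1 * i, "proto": "TCP"} for i in range(80)]
          + [{"ts": 0.1 * i, "proto": "UDP"} for i in range(15)]
          + [{"ts": 0.1 * i, "proto": "ICMP"} for i in range(5)]
          + [{"ts": 10 + 0.01 * i, "proto": "UDP"} for i in range(300)]
          + [{"ts": 10 + 0.1 * i, "proto": "TCP"} for i in range(80)])

if __name__ == "__main__":
    for idx, shifts in scan(SAMPLE):
        print(f"window {idx}: protocol mix shift {shifts}")
```

In the sample only the second window is flagged, with UDP jumping from 15 percent to roughly 79 percent of packets; the same comparison run against a real per-interface baseline is the signal the passage describes.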

Method 5 : SYN Flood

One of the most common types of DoS attacks is the SYN Flood. This attack can be launched from one or more attacker machines to disable access to a target server. The attack exploits the mechanism used to establish a TCP connection. Every TCP connection requires the completion of a three-way handshake before it can pass data:

<> Connection Request : First packet (SYN) sent from the requester to the server, initiating the three-way handshake
<> Request Acknowledgement : Second packet (SYN+ACK) sent from the server to the requester
<> Connection Complete : Third packet (ACK) sent from the requester back to the server, completing the three-way handshake

The attack consists of a flood of invalid SYN packets with spoofed source IP addresses. The spoofed source address causes the target server to respond to each SYN with a SYN-ACK sent to an unsuspecting or nonexistent source machine. The target then waits for an ACK packet from that source to complete the connection. The ACK never comes, and the connection table is tied up with a pending connection request that never completes. The table rapidly fills up and consumes all available resources with invalid requests. While the number of connection entries may differ from one server to another, tables may fill up with only hundreds or thousands of requests. The result is a denial of service since, once the table is full, the target server is unable to service legitimate requests. The difficulty with SYN attacks is that each request in isolation looks benign. An invalid request is very difficult to distinguish from a legitimate one.
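The following toy model (added here for illustration; it is not TippingPoint's code and not a real TCP stack) walks through exactly the mechanism above: a fixed-size connection table, half-open entries created on SYN, a timeout that reaps entries whose SYN-ACK was never answered, and a flood of spoofed SYNs that arrives faster than the reaper frees slots, so a legitimate client's SYN is refused. Capacity, timeout, rate and the addresses 203.0.113.x and 10.0.0.5 are constructed values.

```python
class ConnectionTable:
    """Constructed model of a server's TCP connection table; times are integer ms."""

    def __init__(self, capacity, syn_timeout_ms):
        self.capacity = capacity
        self.syn_timeout_ms = syn_timeout_ms
        self.entries = {}      # (src_ip, src_port) -> (state, timestamp_ms)
        self.dropped = 0       # SYNs refused because every slot was taken

    def _reap(self, now):
        """Expire half-open entries whose SYN-ACK was never acknowledged."""
        for key, (state, ts) in list(self.entries.items()):
            if state == "SYN_RECV" and now - ts > self.syn_timeout_ms:
                del self.entries[key]

    def packet(self, now, src_ip, src_port, flags):
        """Process one inbound segment; return True if the server accepted it."""
        self._reap(now)
        key = (src_ip, src_port)
        if flags == "SYN":
            if len(self.entries) >= self.capacity:
                self.dropped += 1              # table full: this SYN is refused
                return False
            self.entries[key] = ("SYN_RECV", now)   # SYN-ACK sent, awaiting ACK
            return True
        if flags == "ACK" and key in self.entries:
            self.entries[key] = ("ESTABLISHED", now)  # third packet completes it
            return True
        return False

    def half_open_ratio(self):
        """Share of occupied slots still waiting for the final ACK (1.0 = all)."""
        if not self.entries:
            return 0.0
        pending = sum(1 for state, _ in self.entries.values() if state == "SYN_RECV")
        return pending / len(self.entries)

def simulate_flood(capacity=128, syn_timeout_ms=3000, rate_per_s=200, seconds=5):
    """Constructed scenario: spoofed SYNs that are never acknowledged arrive faster
    than the timeout reaps them; then legitimate client 10.0.0.5 tries to connect."""
    table = ConnectionTable(capacity, syn_timeout_ms)
    step_ms = 1000 // rate_per_s
    for i in range(rate_per_s * seconds):
        # spoofed source: the SYN-ACK goes to a host that never answers
        table.packet(i * step_ms, f"203.0.113.{i % 250}", 1024 + i, "SYN")
    accepted = table.packet(seconds * 1000 + 500, "10.0.0.5", 40000, "SYN")
    return table, accepted
```

Running simulate_flood() ends with every slot half-open (ratio 1.0), several hundred refused SYNs, and the legitimate client turned away; a half-open ratio near 1.0 across the table, rather than any single SYN, is what gives the attack away.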

Method 6 : Established Connection Flood

An Established Connection Flood is an evolution of the SYN Flood attack that employs an array of zombies to commit a DDoS attack on a target. Zombies establish apparently legitimate connections to the target server. By using a large number of zombies, each creating a large number of connections to the target, an attacker can create so many connections that the target is no longer able to respond to legitimate connection requests. For example, if a thousand zombies each make a thousand connections to a target server, the server must handle a million open connections. The result is similar to a SYN Flood attack in that it consumes server resources, but it is even more difficult to detect.

Method 7 : Connections Per Second Floods

Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections from an apparently valid source. In these attacks, an attacker or army of zombies attempts to drain server resources by rapidly setting up and tearing down TCP connections, perhaps issuing a request on each connection. For example, an attacker might use his zombie army to repeatedly fetch the home page from a target web server. The resulting load makes the server extremely sluggish.
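Both Method 6 and Method 7 are detectable from the same per-source view of completed connections: how many a source is holding open, and how many it has opened in the last second. The monitor below is an added example of that logic (mine, not TippingPoint's), run over a constructed event stream with one normal client (10.0.0.5), one source that opens 120 connections and never closes them, and one that fetches a page on a fresh connection every 10 ms; the thresholds and addresses are assumptions.

```python
from collections import defaultdict, deque

class SourceMonitor:
    """Per-source connection monitor (constructed illustration). Tracks how many
    connections each source holds open and how many it opened in the last window."""

    def __init__(self, max_open=50, max_cps=20, window_s=1.0):
        self.max_open, self.max_cps, self.window_s = max_open, max_cps, window_s
        self.open_conns = defaultdict(set)       # src_ip -> open source ports
        self.recent_opens = defaultdict(deque)   # src_ip -> timestamps in window

    def event(self, ts, src_ip, src_port, kind):
        """kind is "open" (handshake completed) or "close" (FIN/RST seen)."""
        if kind == "open":
            self.open_conns[src_ip].add(src_port)
            q = self.recent_opens[src_ip]
            q.append(ts)
            while q and ts - q[0] > self.window_s:   # slide the window forward
                q.popleft()
        elif kind == "close":
            self.open_conns[src_ip].discard(src_port)

    def cps(self, src_ip):
        """Connections this source opened within its most recent window, per second."""
        return len(self.recent_opens[src_ip]) / self.window_s

    def offenders(self):
        """Return {src_ip: reason} for every source over either threshold."""
        out = {}
        for ip in set(self.open_conns) | set(self.recent_opens):
            if len(self.open_conns[ip]) > self.max_open:
                out[ip] = f"holding {len(self.open_conns[ip])} open connections"
            elif self.cps(ip) > self.max_cps:
                out[ip] = f"{self.cps(ip):.0f} new connections/s"
        return out

def constructed_events():
    """Constructed sample: a normal client, an Established Connection Flood source
    (198.51.100.7) and a CPS Flood source (203.0.113.9), as (ts, ip, port, kind)."""
    ev = [(0.0, "10.0.0.5", 50000, "open"), (0.3, "10.0.0.5", 50000, "close"),
          (0.5, "10.0.0.5", 50001, "open")]
    ev += [(1.0 + i * 0.05, "198.51.100.7", 1024 + i, "open") for i in range(120)]
    for i in range(100):   # open, fetch the home page, close, every 10 ms
        ev.append((6.0 + i * 0.01, "203.0.113.9", 2000 + i, "open"))
        ev.append((6.0 + i * 0.01 + 0.005, "203.0.113.9", 2000 + i, "close"))
    return sorted(ev)

def run(events):
    """Feed an ordered event stream through a fresh monitor and return it."""
    mon = SourceMonitor()
    for ts, ip, port, kind in events:
        mon.event(ts, ip, port, kind)
    return mon
```

run(constructed_events()).offenders() names the two flood sources and leaves the normal client alone; the CPS source ends with no open connections at all, which is why counting only concurrent sessions would miss it.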