ce hv8 module 10 denial of service
TRANSCRIPT
D e n i a l o f S e r v i c e
Module 10
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Denial־of־ServiceModule 10
Engineered by Hackers. Presented by Professionals.
«!>C EH
Ethical Hacking and Counterm easures v8 Module 10: Denial-of-Service
Exam 312-50
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1403
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Security News
October 19, 2012
Home I NewsKg■■!!■H SBC is Latest Target in Cyber A ttack SpreeHSBC (HBC) experienced widespread disruptions to several of its websites Thursday, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism."HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking."HSBC said it had the situation under control in the early morning hours of Friday London time.The Izzad-Din al-Qassam Cyber Fighters took responsibility forthe attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-lslamic 'Innocence of Muslims' film trailer is removed from the Internet
http://www.foxbusiness.com
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
m
&3>ujs Security News m p״ p HSBC is Latest Target in Cyber Attack Spree
Source: http://www.foxbusiness.com
HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with Islamic terrorism.
"HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking."
HSBC said it had the situation under control in the early morning hours of Friday London time.
The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-lslamic ׳Innocence of Muslims' film trailer is removed from the Internet.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1404
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam.
The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country.
There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software to take servers over and then use them as weapons. Once they are taken over, they slam the Web servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.
copyright©2012 FOX News Network, LLC
By Adam Samson.
http://www.foxbu5ines5.com/industries/2012/10/19/hsbc-is-latest-target-in-cvber-attack-spree/#ixzz2D14739cA
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1405
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Module Objectives CEH* '
J What Is a Denial of Service Attack? J DoS Attack ToolsJ What Are Distributed Denial of J Detection Techniques
Service Attacks? J D0S/DD0S CountermeasureJ Symptoms of a DoS Attack
J Techniques to Defend against BotnetsJ DoS Attack Techniques
r J Advanced DD0S ProtectionJ Botnet
n AppliancesJ Botnet Ecosystem J D0S/DD0 S Protection ToolsJ Botnet Trojans J Denial of Service (DoS) AttackJ DD0S Attack Tools Penetration Testing
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule O bjectivesta = ,
1 =1 This module looks at various aspects of denial־of־service attacks. The module starts with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the implications of such attacks. Distributed denial-of-service attacks and the various tools to launch such attacks are included to spotlight the technologies involved. The countermeasures for preventing such attacks are also taken into consideration. Viruses and worms are briefly discussed in terms of their use in such attacks. This module will familiarize you with:
S DDos Attack Tools
s Detection Techniques
s D0S/DD0S Countermeasure
S Techniques to Defend against Botnets
a Advanced DD0S Protection Appliances
£ D0S/DD0S Protection Tools
s Denial of Service (DoS) Attack Penetration Testing
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.
2 What is a Denial of Service Attack?
2 What Are Distributed Denial of Service Attacks?
s Symptoms of a DoS Attack
s DoS Attack Techniques
2 Botnet
2 Botnet Ecosystem
2 Botnet Trojans
2 DD0S Attack ToolsModule 10 Page 1406
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Copyright © by E&Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule FlowIn the present Internet world, many attacks are launched targeting organizations in
the banking sector, as well as IT service and resource providers. DoS (denial of service) and DD0S (distributed denial of service) were designed by attackers to breach organizations' services.
m mDos/DDoS Concepts Dos/DDoS Attack Tools
* Dos/DDoS Attack Techniquesי ־׳« *
d p g Countermeasures
M p J Botnets / \ ^ Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration TestingM = 1 1
This section describes the terms DoS, DD0S, the working of DD0S, and the symptoms of DoS. It also talks about cyber criminals and the organizational chart.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1407
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
What Is a Denial of Service Attack?
W hat is a D enial of Service A ttack?Denial-of-service (DoS) is an attack that prevents authorized users from accessing a
computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a large amount of connection requests, consuming all available operating system resources, so that the computer cannot process legitimate user requests.
An Analogy
Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a
person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business.
DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The attack involves deploying the zombie computers against a single machine to overwhelm it with requests and finally crash the target in the process.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1408
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Malicious Traffic
QDC Server Cluster
Malicious traffic takes control overall the available bandwidth
r o
RouterInternet
Attack Traffic Regular Traffic
r
« • £ *
(R
4mRegular Traffic
Figure 10.1: Denial of Service Attack
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1409
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
What Are Distributed Denial of Service Attacks?
j A distrbuted denial-of-service (DD0 S) attack involves amultitude of compromised systems attack rig a single target, thereby causing den 01 of service for users of the targeted system
j To launch a DDoS attack, an attacker uses botnets and attacks a single system
DisabledNetwork
Loss of Goodwil
DisabledOrganization
FinancialLoss
Copyrights trf E tC M K l. AJ Rights Reserved. Re prod urtion is Striettf Piohbfted.
gjgg W hat Are D istribu ted D enial of Service A ttacks?Source: www.searchsecurity.com
A distributed denial-of-service (DD0S) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet.
The services under attack are those of the "primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DD0S attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DD0S) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of- service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."
If left unchecked, more powerful DD0S attacks could cripple or disable essential Internet services in minutes.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1410
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
CEHHow Distributed Denial of Service Attacks Work
1 3 1
m g m. .. . >1 mm m
Handler infects a large number of computers over
Internet
f,־ Attacker sets a / handler system
HandlerCompromised PCs (Zombies)
Copyright © by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
How D istribu ted D enial of Service A ttacks W orkIn a DD0S attack, the target browser or network is pounded by many applications with
fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.
The attacker initiates the attack by sending a command to the zombie agents. These zombie agents send a connection request to a genuine computer system, i.e., the reflector. The requests sent by the zombie agents seem to be sent by the victim rather than the zombies. Thus, the genuine computer sends the requested information to the victim. The victim machine gets flooded with unsolicited responses from several computers at once. This may either reduce the performance or may cause the victim machine to shut down.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1411
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Zombie systems are instructed
• 0
N%•<* [Ml mm N־יי׳*\ INIM M
Handler infects a largo number of computers over
Internet
Compromised PCs (Zombies)
• ? • <3>
Attacker sets a & I ; handler system I O
0
..... 0 ■
u 2 ־.... j□ □□
[05□
Q .Attacker
Handler
Compromised PCs (Zombies)
FIGURE 10.2: Distributed Denial of Service Attacks
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1412
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Symptoms of a DoS Attack
Inability to access any
website
$
Dramatic increase in
the amount of spam emails
received
Unavailability of a particular
^ website
Unusually slow network
performance
H
□
Copyright © by E&CtuacO. All Rights Reserved Reproduction is Strictly Prohibited.
Sym ptom s of a DoS A ttackBased on the target machine, the symptoms of a DoS attack may vary. There are four
main symptoms of a DoS attack. They are:
© Unavailability of a particular website
© Inability to access any website
© Dramatic increase in the amount of spam emails received
© Unusually slow network performance
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1413
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Module Flow
Copyright © by E&Caincil. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow =1 So far, we have discussed DoS, DD0S, symptoms of DoS attacks, cybercriminals, and
the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform D0S/DD0S attacks.
a mDos/DDoS Concepts Dos/DDoS Attack Tools
* Dos/DDoS Attack Techniques Countermeasures
Botnets /*V5 Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration Testingi —
In a DoS attack, the victim, website, or node is prevented from providing services to valid users. Various techniques are used by the attacker for launching DoS or DD0S attacks on a target computer or network. They are discussed in detail in this section.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1414
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
-
DoS Attack Techniques CEH
Attacker
JUser
Bandwidth Attacks
Service Request Floods
SYN FloodingAttack
ICMP Flood Attack
Peer-to-Peer Attacks
Permanent Denial-of-Service Attack
Application-Level Flood Attacks
C l
Copyright © by E&Co inal. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack T echn iquesA denial-of-service attack (DOS) is an attack performed on a networking structure to
disable a server from serving its clients. The actual intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. There are seven kinds of techniques that are used by the attacker to perform DOS attacks on a computer or a network. They are:
© Bandwidth Attacks
© Service Request Floods
© SYN Flooding Attacks
© ICMP Flood Attacks
© Peer-to-Peer Attacks
© Permanent Denial-of-Service Attacks
© Application-Level Flood Attacks
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1415
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
C EHBandwidth Attacks
When a DDoS attack is launched, flooding a network, it can cause network
equipment such as switches and routers ^ to be overwhelmed due to the
significant statistical change in the \ network traffic
'
A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim X
Basically, all bandwidth is used and no bandwidth remains
for legitimate use
Copyright © by E&Co inal. All Rights Reserved. Reproduction is Strictly Prohibited.
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHOpackets
B andw idth A ttacksA bandwidth attack floods a network with a large volume of malicious packets in
order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created where an attacker uses several computers to flood a victim.
Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use.
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1416
An attacker or group of zombies attemptsto exhaust server resources by setting up and tearing down TCP connections
Service request flood attacks flood servers with a high rate of connections from a valid source
O It initiates a request on every connection
Copyright © by E&Cauacil. All Rights Reserved. Reproduction is Strictly Prohibited.
Service R equest FloodsService request floods work based on the connections per second principle. In this
method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.
1D5n ןin
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1417
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHSYN Attack
The attacker sends a fake TCP SYN requests to the target server (victim)
The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
The target machine does not get the response because the source address is fake
Note: This attack exploits the three-way handshake method
Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
SYN A ttackA SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of
SYN requests to a target machine (victim). When a client wants to begin a TCP connection to the server, the client and the server exchange a series of messages as follows:
© The attacker sends a fake TCP SYN requests to that target server (victim)
© The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
0 The target machine never gets the response because the source's address is fake
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1418
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
SYN Flooding CEHC«rt1fW4 ItkKjl Km Im
........© ......
Normal connectionSy/y..... ....... establishment............. .syN/P,CK
AC*
<t11 SYN Flooding............. ............. .............. .............. .
.... SYN
.... SYN
.... SYN
.... SYN
J SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
J When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds
J A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
J The victim's listen queue is quickly filled up
J This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
SYN FloodingSYN flooding is a TCP vulnerability protocol that emerges in a denial-of-service attack.
This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle.
The connection is established as defined by the TCP three-way handshake as:
Q Host A sends the SYN request to the Host B
Q Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A
6 Thus, Host A responds with the ACK packet, establishing the connection
When Host B receives the SYN request from Host A, it makes use of the partially open connections that are available on the listed line for a few seconds, e.g., for at least 75 seconds.
The intruder transmits infinite numbers of such SYN requests with a forged address, which allows the client to process the false addresses leading to a misperception. Such numerous requests can produce the TCP SYN flooding attack. It works by filling the table reserved for half open TCP connections in the operating system's TCP IP stack. When the table becomes full, new connections cannot be opened until and unless some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled without spoofing the source
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1419
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
IP address. Normally, the space existing for fixed tables, such as a half open TCP connection table, is less than the total.
* o r
Host B
Normal connection establishment
SYN Flooding
SYN
S Y N
5Host A
........ establishment............... ...
SVN/ACK ........
ACK
......5VN .......... ...
............................................................
.......אז?. ..........................
FIGURE 10.3: SYN Flooding
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1420
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
ICMP Flood Attack
The a tta c k e r sen d s ICMP ECHO re q u es ts
with sp o o fe d so u rc e ad d resses
* 9Attacker
ECHO Request
ECHO Request
ECHO Reply
-Maximum limit of ICMP Echo Requests per Second-
ECHO Request
ECHO Request
Legitimate ICMPechorequestfroman address in the same security zone ii’
ICMP is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requestsAfter the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well
Copyright © by EfrCoinal. All Rights Reserved. Reproduction is Strictly Prohibited.
O p ICM P Flood A ttackInternet Control Message Protocol (ICMP) packets are used for locating network
equipment and determining the number of hops to get from the source location to the destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request to a destination system and receive a response with the roundtrip time.
A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed.
In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests.
After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1421
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Target Server«*£?-...... &
The attacker sends ICMP ECHO requests
with spoofed source addresses
Attacker
ECHO Request
ECHO Reply
ECHO Request
ECHO Reply
-Maximum limit of ICMP Echo Requests per Second-
ECHO Request
l :ECHO RequestLegitim ate IC M P echo request from an ,
address in th e sam e security zone tl
FIGURE 10.4: ICMP Flood Attack
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1422
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Peer-to-Peer Attacks CEH(•itilwd 1 ItlMUl IlMhM
Copyright © by EfrCoinal. All Rights Reserved. Reproduction is Strictly Prohibited.
«- Peer-to -P eer A ttacksI ▼ /
A peer-to-peer attack is one form of DD0S attack. In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DD0S attack. Attackers exploit flaws found in the network that uses DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients. This kind of attack doesn't use botnets for the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need of attackers to communicate with clients. Here the attacker instructs the clients of peer-to-peer file sharing hubs to disconnect from their network and to connect to the victim's website. With this, several thousand computers may try to connect to the target website, which causes a drop in the performance of the target website. These peer-to-peer attacks can be identified easily based on their signatures. Using this method, attackers launch massive denial-of-service attacks and compromise websites.
0 0J Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs todisconnect from their peer-to-peer network and to connect to the victim's fake website
J Attackers exploit flaws found in the network using DC++ (Direct Connect) protocol, that is used for sharing all types of files between instant messaging clients
J Using this method, attackers launch massive denial-of-service attacks and compromise websites0 <d,
User-1
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1423
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
User-4
f i t *
A ttack Traffic
User-3
uרUser-5
־..7
.....•ל'►
User-2
Attacker
User-1
FIGURE 10.5: Peer-to-Peer Attacks
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1424
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Permanent Denial-of-Service Attack CEH
Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system
hardware
Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall
the hardware
1. This attack is carried out using a method known as "bricking a system"
2. Using this method, attackers send fraudulent hardware updates to the victims
Bricking a system method
±Process£
1 5Sends email, IRC chats, tw ee ts, post videos
with fraudulent content for hardware updates
VictimAttacker gets access to
victim's com puter(Malicious co d e is executed)Attacker
Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
& ^0 O P erm an en t D en ia l־of־Service A ttackPermanent denial-of-service (PD0S) is also known as plashing. This refers to an attack
that damages the system and makes the hardware unusable for its original purpose until it is either replaced or reinstalled. A PD0S attack exploits security flaws. This allows remote administration on the management interfaces of the victim's hardware such as printers, routers, and other networking hardware.
This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim by modifying and corrupting the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1425
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
FIGURE 10.5:Sends email, IRC chats, tweets, post videos
with fraudulent contentfor hardware updates
Victim (Malicious code is executed)
Attacker gets access to victim's computer3■
Attacker
FIGURE 10.6: Permanent Denial-of-Service Attack
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1426
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Application Level Flood Attacks CEHUrtrfW* itfciul NMhM
J Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more
J Using this attack, attackers destroy programming source code and files in affected computer systems
Using application-level flood attacks, attackers attempts to:Jam the application- database connection by crafting malicious SQL queries
Disrupt service to a specific system or person, for example, blocking a user’s access by repeating invalid login attempts
Flood web applications to legitimate user traffic
Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
A pplication-level Flood A ttacksSome DoS attacks rely on software-related exploits such as buffer overflows, whereas
most of the other kinds of DoS attacks exploit bandwidth. The attacks that exploit software cause confusion in the application, causing it to fill the disk space or consume all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat for doing business on the Internet. Web application security is more critical than ever. This attack can result in substantial loss of money, service and reputation for organizations. Usually, the loss of service is the incapability of a specific network service, such as email, to be available or the temporary loss of all network connectivity and services. Using this attack, attackers destroy programming source code and files in affected computer systems.
Using application-level flood attacks, attackers attempt to:
© Flood web applications, thereby preventing legitimate user traffic.
© Disrupt service to a specific system or person, for example, blocking user access by repeated invalid login attempts.
Q Jam the application-database connection by crafting CPU-intensive SQL queries.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1427
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Attacker exploiting application source code
Victim
FIGURE 10.7: Application-level Flood Attacks
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
4 ^Attacker
Module 10 Page 1428
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
M odule FlowSo far, we have discussed D0S/DD0S concepts and D0S/DD0S attack techniques. As
mentioned previously, DoS and DD0S attacks are performed using botnets or zombies, a group of security-compromised systems.
a mDos/DDoS Concepts Dos/DDoS Attack Tools
Dos/DDoS Attack Techniques ־ Countermeasures
Bot״ets /s > Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration Testing-
This section describes botnets, as well as their propagation techniques and ecosystem.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1429
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Organized Crime Syndicates
Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their sophisticated techniques
There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue sharing model, like a major corporation that offers criminal services
Organized groups create and rent botnets and offer various services, from writing malware, to hacking bank accounts, to creating massive denial-of- service attacks against any target for a price
According to Verizon's 2012 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (98%) was the work of criminals outside the victim organization
The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies
Copyright © by E&Cauacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
CyberC rim in als
H ie ra rch ica lSetup
P ro c e s s
R e p o rt
M a tte r of C oncern
O rgan ized C rim e SyndicatesCyber criminals have developed very refined and stylish ways to use trust to their
advantage and to make financial gains. Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is now getting more organized. Cyber criminals are independently developing malware for financial gain. Now they operate in groups. This has grown as an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price. The increase in the number of malware puts an extra load on security systems.
According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization.
The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1430
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Organized Cyber Crime: Organizational Chart
4 ^ - -
Underboss: Trojan Provider and Manager of Trojan Command and Control
o
OAttackers Crimeware Toolkit Owners Trojan Distribution in Legitimate website
Campaign M anagerq
aCampaign M anager
n n :I I I t t4'•־י* ׳ '4 י A ffiliation N e tw ork
j r « :
t oCampaign M anager
t on <וA u A ♦
A t t s Affiliation N*׳ e tw ork
i r m :# # +- u Affiliation N י< e tw o rk
m :
©©©Sto len Data R ese lle rS to len Data Rese lle rS to len Data Rese lle r
Copyright © by E&Cauacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
O rgan ized C yber C rim e: O rgan iza tional C hartCybercrimes are organized in a hierarchical manner. Each criminal gets paid depending
on the task that he or she performs or his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur. He or she does not commit cybercrimes directly. The boss is the first in the hierarchy level. The person who is at the next level is the "underboss." The underboss is the second person in command and manages the operation of cybercrimes.
The "underboss" provides the necessary Trojans for attacks and also manages the Trojans׳ command and control center. People working under the "underboss" are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks. They just sell the stolen data of genuine users.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1431
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Underboss: Trojan Provider and M anager of Trojan Command and Control
C am paign M a n a g e r
41! 4! v4 A A י*׳ ff ilia t io n N e tw o rk
u ;
O
oAttackers Crimeware Toolkit OwnersTrojan Distribution In Legitimate website
r% r> 1 r s iC am paign M a n a g e r
t o
6
Cam p a ign M a n a g e r
t oO 4 !4: י׳! v4J A <*׳ ff ilia t io n N e tw o rk
O '" O |
S to le n D a ta R e s e lle rS to le n D a ta R e s e lle rS to le n D a ta R e s e lle r
FIGURE 10.8: Organizational Chart
Module 10 Page 1432 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHBotnet
J Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing
J A botnet is a huge network of the compromised systems and can be used by an intruder to create denial-of-service attacks
iTarget Se rve r
Bots attack a target server
v l u
m יז3
Bots connect to C&C handler and wait for instructions
Attacker sends commands to the bots through C&C
Zom bies0
Bot looks for other vulnerable systems and Infects them to create Botnet
Sets a bot C&C handler
Ogk 0■ •=■• ft M ea machine
, a f t ©V ictim (Bo t)A ttacker
Bo t Com m and & Control Center
Copyright © by E&Cauacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
The term botnet is derived from the word roBOT NETwork, which is also called zombie army. A botnet is a huge network of compromised systems. It can compromise huge numbers of machines without the intervention of machine owners. Botnets consist of a set of compromised systems that are monitored for a specific command infrastructure.
Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are the hidden programs that allow identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information.
Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of that system being vulnerable also increases. An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges.
Purpose of Botnets:
0 Allows the intruder to operate remotely.I l l
Module 10 Page 1433 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
6 Scans environment automatically, and spreads through vulnerable areas, gaining access via weak passwords and other means.
Q Allows compromising a host's machine through a variety of tools.
Q Creates DoS attacks.
6 Enables spam attacks that cause SMTP mail relays.
© Enables click fraud and other illegal activities.
The diagram that follows shows how an attacker launches a botnet-based DoS attack on a target server.
! 1Target Server
Bots attack a target server
Bot looks for other vulnerablesystems and infects them to create Botnet
יי2 " 6 *Zombies
o
Bots connect to C&C handler and wait for Instructions
Attacker sends commands to the bots through C&CBot Command &
Control Center A
Victim (Bot)Attacker
FIGURE 10.9: BOTNET
In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, i.e., victim bot, and compromises it. He or she then uses the victim bot to compromise some more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies or botnet connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch DoS attack on a target server. Thus, he or she makes the target server unavailable or non-responsive for other genuine hosts in the network.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1434
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Botnet Propagation Technique C E H
......./ 2 \ ........ Cybercrim e Re lated IT Operations: (Servers, So ftw are , and Serv ices)־< ר<
U-\Trojan Comm and
an d C ontrol C enter
Trojan upload stolen data and receives 0 commands from
/ command and control \ center
™ 4$ ~
Crime w are Toolkit
D a ta b ase I
v .•♦I
(z)
Legitimate Com prom ised W ebsites
O O
Attackers
i @ ;
• ז...........© § ® ■Malicious
Affiliation N etw ork
Copyright © by EfrCoinal. All Rights Reserved. Reproduction is Strictly Prohibited.
^ Botnet P ropagation T echniqueBotnet propagation is the technique used to hack a system and grab tradable
information from it without the victim's knowledge. The head of the operations is the boss or the cybercriminal. Botnet propagation involves both criminal (boss) and attackers (campaign managers). In this attack, the criminal doesn't attack the victim system directly; instead, he or she performs attacks with the help of attackers. The criminal configures an affiliation network as distribution channels. The job of campaign managers is to hack and insert reference to malicious code into a legitimate site. The malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections accomplished. Thus, cybercriminals promote infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1435
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
C y b e r c r im e R e la te d IT O p e ra t io n s
( S e r v e r s , S o f t w a r e , an d S e r v ic e s ). .0״.
Criminal
Trojan upload stolen data and receives commands from command and control center
־:•(
FIGURE 10.10: Botnet Propagation Technique
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.
©
Attackers
Module 10 Page 1436
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
C EHBotnet Ecosystem
Malicious Site
<>' s/yScan & Intrusion
o'6
FinancialDiversion
Licenses MP3, DivXBotnet
e f t ----- :Data
Theft
Crimeware Toolkit Trojan CommandDatabase and Control Center s'
: Spam
: Mass Mailing
t i
Client-Side \ Vulnerab llity
BotnetMarket
i
DDoS '
BStock Fraud Scams Adverts#
bZero-Day
Market
Owner
Malware Market
Copyright © by EtC tm G il. All Rights Reserved. Reproduction is Strictly Prohibited.
Botnet E cosystemA group of computers infected by bots is called botnet. A bot is a malicious program
that allows cybercriminals to control and use compromised machines to accomplish their own goals such as scams, launching DDoS attacks, distributing spam, etc. The advent of botnets led to enormous increase in cybercrimes. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encyrption and packing.
Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, specially crafted applications to attack remote computers via network, etc. Malware services are offered by developers on public sites or closed Internet resources.
Typically, the botnet ecosystem is divided into three parts, namely trade market, DDoS attack, and spam. A botmaster is the person who makes money by facilitating the infected botnet groups for service on the black market. The master searches for vulnerable ports and uses them as candidate zombies to infect. The infected zombies further can be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1437
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
The pictorial representation of botnet ecosystem is shown as follows:
M alic io u s S ite
............. Q
FinancialDiversion
Licenses M P3 , D ivXB o tn e t
DataTheft
Em ails
R ed irec tSpam
M ass M ailing
Client-SideVulnerability
□ MStock Fraud Scam s A d verts
Crimeware Toolkit Trojan Command Database and Control Center
DD0S
Extortion
b
Zero-DayM ark e t
C&C
M a lw a re M arket
FIGURE 10.11: Botnet Ecosystem
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1438
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Botnet Trojan: Shark CEH^ (•rtifwtf I til 1(41 NMhM
:ha♦, De&oc Preview [RC-Chat mbsta
Command Control Center
ISe1ver2Sail up
f j insul BrtMf ■If and Fitos O aodJrt
f Arb Dcbjxi־o 5tedthM ll«w>rvrr
Q >jrnror־> Comale
Jv'.*111w on Port: 60123 ומי* 5;ג0 סי* 4 i»k 3.1 , 1«t ccrplcd: ; מ ,03.3נ1מ■e*gUDdtto<*ocH..¥t ■1MJ new Vmicn □<l- hj|hg_tk״to?1 _p!od ->» AmW* « Stfv*: 127.0 0.1 1-«£יז((27!1ג^י^ ״ 5נ*«^7^ >
fcf» rroxirrurr! loqsco of twin KByto <0 - Unlmtod«׳cb*: yflro l-cvfcccor v־L ׳י1
-^*harK.3.1 fwb״
Copyright© by EC-Gouicil. All Rights Reserved Reproduction is Strictly Prohibited.
BotnetSource: https://sites.google.coin
sharK is a reverse-connecting, firewall- bypassing remote administration tool written in VB6. With shark, you will be able to administrate any PC (using Windows OS) remotely.
Features:
9 mRC4 encrypted traffic (new & modded)
9 zLib compressed traffic
9 High-speed, stable screen/cam cCapture
9 Keylogger with highlight feature
9 Remote memory execution and injection
9 VERY fast file manager/registry editor listing due to unique technic
9 Anti: Debugger, VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box
9 Supporting random startup and random server names
9 Desktop preview in SIN Console
Trojan: sharK
Module 10 Page 1439 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
9 Sortable and configurable SIN Console
0 Remote Autostart Manager
9 Optional Fwb++ (Process Injection, API Unhook)
9 Folder mirroring
ddfx* J sharK 3.1 fwb♦sftarK Desktop Preview IRC-Chat Website
los I Verson | Pirq| Country Username | PC NoneiLW-itaa
C o m m a n d C o n t r o l C e n t e r
Wolcom• to ih t iK 3.1.0, MacUor*
Thi* it an information box rofroshing it* contant ovary 24 hour* H«r» you will information about charK davalopmant ita t• ! and othar ralaacac of kora dCodarc.eoi (om atim M .
R eoa׳ds.sN1p*109׳ and rockZ
Copyright 2007-2008 (c ) BoredCoders.com
[5:4S:3S AN] Inrfi.atarg Cfer*...[9:46:55 AW] Iwtenrxj on Port: 60123[9:46:38 AH] sharK 3.1 fwb++, Last Compiled: 30.03.2008[9:46:38 AN] Updotecheck...[9:46:40 AW] Hew Versicn ovoiloble: □<!-־ turing cluster_prod ־ >[9:50:25 AN] * New Serve!: 127.0.0.1 -- Server 1 (HocLers «5> ECC-272FF53AA87)
sharK 3.1 fwb++
* J N ew S e rv e r - [S e rv e r2 ] k.Basic Settings *5
,4 Server Installation Server name: |Server2StartupInstal Events
ft Bind Files Q Blacklist
Server Password:
Connection Interval:
1pLwUyQ|GEq|pl1t4mAD
I... .....................................................................Anti Debugging
j StealthFirewal Bypass
dB Liteserver QU Advanced Q Summary
Compile
1* Enable offline keylogger with mawnum logsue of [i 000 KByte (0 - Untmrted)
SIN-Addr esses:
4 seconds
1 ip Port I Status Add---------------- .
Delete
( 11 ן
Save Current ProfileTest Hosts
1______________________________________________________________________________________________________________________________________________________________1
FIGURE 10.12: Botnet Trojan: sharK
Ethical Hacking and Countermeasures Copyright © by EC-COUIICilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1440
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Poison Ivy: Botnet Command Control Center CEH
gMaiayr P3tg»«ord1js1| Pday | AcIn R■:!!■; PdcfcciAnatizaj Remote SW! k iw ־י •.׳;
DaptyNam• Pi* Oeacflpicr! »ז>ז SUA* Startup Type log on ifDwct Dii STOPPED Dfcdfcd
״«u4a־ DwceDii.. STOPPED Dk* Maot \S* M r aoiViy !k•^ DP (VCT Device Dii RUNNING
%ACHfC *CHEC Dwce Dii STOPPED DiaetfejoaA-'u■■ 51 Ul’ltD D114Mare *■BBHVUnenlMC 1y! D«wee n.i STOPPED MnrnnlAfO \11«hM- 0 :!\J>«r«m32V>v ׳.%< AFO M«lv*jVrgSu D«׳*ce Dii RUNNING Auiomafo
I..I1 «*■»*. WOI ז ttaaOTt ff >•־־׳״ A■#1 <׳״• RUNNING AulsmA;* A M * . AfctlSfa Oe*c« Dii STOPPED DMM%mT9j2 4fc/9u2 Owe• Dii 5TUI־ltD DMM
DMee Dii iTOPPTO־ d1u*mAM• NdfiM »<m Irdu•■ Shiild Sor STOPPEO D1 :.:tM NIAJJTH[* T- 4cc.<m«
% ..*»on l <*.«»-־' Alb C WNK*ANS1*>1}2W• m fV*d»1 o«eo1l 191 Slandiid S 51OPTCD Nl «UTH0n1TY<toc4S«.*IV stoppcd DI״*M
% ...... w r l D<Mca D1I STOPPFD DI.1MAmMS־l C VW st M tn nftivmh., Shotd 5w 5TUI־IVDAte d־m״ r!.i joprrn,׳ r>l!*W
fiiwco Dii STOPPED DiNfcMWW״*• STOPPED DutUrJ£!1I! RAS 61y״chre«*u D-wteDH ST0PPC0 Hyiv(
f4 ׳: % <fcp \$> ifcari 0 0 Kay iKmCS DR IVE R Dwce Dii RUNNING A«jiorr>ab3% ״־,, . A1J*. STOPPED Di-.oLfcJ«fc,iTM6PPCfc,r f.Bf’IJ'IFVtPi'.Wlip.lvl ATM ARP Ois»*PMI D**ee r.ii STOPPED MnrivJ
A1tdc6*v Manajee ado devi.. Shaied Ssr RUNNING Aulorrrfc IcoafSyttom«u»W> Dvnc■ Dii RUNNING M01 *.*01 V
< >Do«rtoaJi OB/* ifload: 08/3
Copyright © by E&Caw cil. All Rights Reserved. Reproduction is Strictly Prohibited.
Poison Ivy: Botnet C om m and Control C en terPoison Ivy is an advanced encrypted "reverse connection" for firewall bypassing
remote administration tools. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.
FIGURE 10.13: Poison Ivy: Botnet Command Control Center
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1441
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Botnet Trojan: PlugBot CEH(•tt.fwtf ttk>«l lUikw
J PlugBot is a hardware botnet projectJ It is a covert penetration testing device (bot) designed for covert use during
physical penetration tests
PlugBot StatisticsW>wn S*»o* art *arr• cui* U*» *n you
http://thephgbot.com
Copyright © by HrCunol. All Rights Reserved. Reproduction isStrictly Prohibited.
Botnet Trojan: PlugBotSource: http://theplugbot.com
PlugBot is a hardware botnet project. It's a covert penetration testing device (bot) is designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected all while being powerful enough to scan, collect, and deliver test results externally.
Some of the features include:
6 Issue scan commands remotely
e Wireless 802.11b ready
Q Gigabit Ethernet capable
© 1.2 Ghz processor
© Supports Linux, Perl, PHP, MySQL on-board
Q Covertly disguised as power adapter
© Capable of invoking most Linux-based scan apps and scripts
Module 10 Page 1442 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
HdOADMINIUvtOUw 9««ng»| Logout
5fl5rlt®e Dashboard ^ DropZone £ Account I l f ?) Settings ־ ) Help
OMttxMrd-
Dashboardפ
PlugBot StatisticsShown oeiow are some aucx suss on your botnet.
Statistics• Bots: 2• Joas Pending 0• Jo&sComoi«ed:0• Chock-Ins: 14636
Botnot StatisticsJobs
C Manwwoos
Cb AddJoto
Applications
•1 MenaAopaCo AddApo
Dots
Q Manage Bet*
C6 A03B0׳
FIGURE 10.14: Botnet Trojan: PlugBot
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1443
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Botnet Trojans: Illusion Bot and r c u NetBot Attacker -----
P*ss *ten Pk s * * * *
P « 8667 Chm
p * 6667 0*0 * *• י׳
Pot P *
Pot P«*
ACa o m m o ״1| Hotf 10001
* a ho# 10001
* Random. r«n0e 2001 Bethel part
Sort14 port
* SocAiVpart
FTP p«1
MD5C.yplי0ז password
t •**0י׳ ״ ' •*wonIRCchaml * 1n r »».*«*״-*׳'_I— ״ ־ O d v*־ט״- ^sM כ Abou
Copyright © by E&Coinal. All Rights Reserved. Reproduction is Strictly Prohibited.
Botnet T rojans: Illu sion Bot and NetBot A ttacker Illusion Bot
Source: http://www.teamfurry.com
Illusion Bot is a GUIt.
Features:Q C&C can be managed over IRC and HTTP
e Proxy functionality (Socks4, Socks5)
e FTP service
e MD5 support for passwords
e Rootkit
e Code injection
0 Colored IRC messages
e XP SP2 firewall bypass
6 DDOS capabilities
M l j
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1444
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
NetBot— NetBot attacker has a simple Windows user interface to control botnets. Attackers
use it for commanding and reporting networks, even for command attacks. It has two RAR files; one is INI and the other one is a simple EXE. It is more powerful when more bots are used to affect the servers. With the help of a bot, attackers can execute or download a file, open certain web pages, and can even turn off all PCs.
(P • HtOMUmtckm I 4 laiM «•>■»>■ 3 ■ >1
On line hosts Attack Area Co He dive order Use kelp
PC IP jComputef!system Memory [Servke edition
WiodowiXP 1m m
!;*
ן
1יי•י״
►*onfai pcrfSOwHeh t |^«cu*r •••wg »taeft«oe « N
FIGURE 10.16: NetBot Attacker
Illusion M jke i
1 Binary CADocuments and SettingsVWinux'J’ afio׳• * cron^BOTBIMARV EXE
IRC Administration
1) Host: 10001 Port: 6667 Chan Behan
Reload
Pass 4lest
2) Host: 100.0.1 Port: 6667 Chan Behan Pass: 4iesi
WEB Administration
1) Host: 10 Port Path A Refresh time: j
2) Host: 1C Port: Path sec.
Default services:
Socks4, port R
v Socks5, pat R * Random, range: 2001 - 3000
FTP. port R Bmdshefl. port: R
IRC Access
BOT PASSWORD qwerty MD5 Crypt
Optionsv• Install Kernel Drivei
Save cervices state in registry
י ׳ Loloied IRC messages
Auto OP admm on IRC channel *
* ln!ect code fit dnve< falsi «/
+ Ada to autoload
IRC serve! need passwotd
B>pass XP SP2 F» ewall
Fluod Values
ם Ewt Save About
FIGURE 10.15 Illusion Maker
A ttacker
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1445
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Copyright © by E& C a in c i. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule FlowSo far, we have discussed D0S/DD0S concepts, attack techniques, and botnets. For
better understanding of the attack trajectories and to find possible ways to locate attackers, a few DD0S case studies are featured here.
a mDos/DDoS Concepts Dos/DDoS Attack Tools
Dos/DDoS Attack Techniques ־ Countermeasures
Botnets /*V5 Dos/DDoS Protection Tools
^ Dos/DDoS Case Study Dos/DDoS Penetration Testingi —
This section highlights some of real-world scenarios of DD0S attacks.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1446
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DDoS Attack
Hackers advertise LOIC tool on Tw itter, Facebook,
Google, etc.
Vo lun tee r
Copyright © by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
DDoS A ttackIn a DDoS attack, a group of compromised systems usually infected with Trojans are
used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of an LOIC tool.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1447
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Attacker Releases Low Orbit Ion Cannon (LOIC) Tool on the Web
Volunteers connect to IRC channel and w ait for instruction from attacker
o( f t
Anonymous Hacker
Hackers advertise LOIC tool on Twitter, Facebook,
Google, etc.
Volunteere
DDoS Attack o ! *
Volunteer
Volunteer
FIGURE 10.17: DDoS Attack
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1448
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DDoS Attack Tool: LOIC CM M
EHtUMJl NMhM
fhis tool was used to bring down Paypal and mastercard websitesו
I C3 I 0Low Obit Ion Cannon | U dun goofed | v. 1 J.D5RC server Port Cnannelfji■ :: ■
- 2 . Rea<iy?--------------
Stop flooding
• 1,'anujl Mode for pussies! 9 FUCKWGHfVc UNO
r 1 Select your target-----------------------URL www.davenD0rtV0ns.c01n
85.116.9.83v! y
«Attack otf ־ 3Trneout
n s-------------------------------------------------------HT7PSU>s<e ZX Append ranJom chars to the URl TCP / U0P message
4000 /119/ U dun goofed----------------------------------------------------------------------------------------------------------------------- —
80 HTTP g 10 ■ *Vat for rep*y ------------1Port Method Threads «• faster Speed slower ■>
Idle Connectrg Requestrg Cowntoadmg Downloaded Requested Faded
1 9 0 0 419 419 ב9
Copyright © by E&Cainci. All Rights Reserved. Reproduction is Strictly Prohibited
DDoS A ttack Tool: LOICV
LOIC is an open source tool, written in C#. The main purpose of the tool is to conduct stress tests of web applications, so that the developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehouse of garbage requests, directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server—garbage requests can easily be ignored while legit requests for web pages are responded to as normal.
But when thousands of users run LOIC at once, the wave of requests become overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.
LOIC is more focused on web applications; we can also call it an application-based DOS attack. LOIC can be used on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
Ethical Hacking and Countermeasures Copyright © by EC-C0linCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1449
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
FIGURE 10.18: DDoS Attack Tool: LOIC
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1450
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHHackers Advertise Links to Download Botnet
Gougle
£jfr _ sM sgSSSsasKsi
E - r - lS —־2 “ '
rr-tr 8*־,־••'~ T-V-Ar!rrj.«rg*. ?— י— ־־״-׳ *"
!S^ iSSS סי—׳*״׳— ־*״־* LOC״a׳’ 0' ״״ * -
Copyright © by EW iounci. All Rights Reserved. Reproduction is Strictly Prohibited.
H ackers A dvertise Links to D ow nload Botnets
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1451
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
FIGURE 10.19: Hackers Advertise Links to Download Botnets
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1452
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Copyright © by E& C a in c i. All Rights Reserved. Reproduction is Strictly Prohibited.
M odule FlowSo far, we have discussed the D0S/DD0S concepts, attack techniques, botnets, and the
real-time scenarios of DDoS. The D0S/DD0S attacks discussed so far can also be performed with the help of tools. These tools make the attacker's job easy.
a mDos/DDoS Concepts Dos/DDoS Attack Tools
Dos/DDoS Attack Techniques ־ ji Countermeasures
Botnets /*V5 Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration TestingI —
This section lists and describes various D0S/DD0S attack tools.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1453
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS Attack Tools c(crtifwdEHIU mjI Nm Im
Connecting to 118.215.252.59:80...Peak: 74ח
OK
Status:
Connected: [ 1174
Connect:
Disconnect:
Multisystem TCP Denial of Service Attacker [Build #12] Coded by Yarix ([email protected]) http://varbt.bv.r11/a
Sprut
DoSHTTP 2.5 .1 S o c k e tso ft.n e t [E valuation M ode]
Rle Options Help
DoSHTTPHTTP F lood D en ia l o f S e rv ic e (D o S ) T estin g Tool T a ig e t U R L
XJ
־3Moz«a/60 (compatible; MSIE 7.0a; Windows NT 5.2; SV1) "־ ״ ]
S o c k e ts R eq u e s tsי ף [Conhnuous V e r ify U R L | S to p F lood | C lo se |
Responses 0Requests 1
DoS H TTP
Target ServerInternet
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack Tools
DoS HTTPSource: http://www.socketsoft.net
DoSHTTP is HTTP flood denial-of-dervice (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed-denial-of-service (DD0S) attack. It also allows you to test web server performance and evaluate web server protection software.
Features:
© Supports HTTP redirection for automatic page redirection
0 It includes URL verification that displays the response header and document
© It includes performance monitoring to track requests issued and responses received
© It allows customized User Agent header fields
© It uses multiple asynchronous sockets to perform an effective HTTP flood
© It allows user defined socket and request settings
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1454
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Q It supports numeric addressing for target URLs
xJfile Options Help
D o S H T T PHTTP Flood Denial of Service (DoS) Testing Tool Target URL_________________________________________1192.168.168.97 dUser AgentlMozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1J 21Sockets Requests|500 ▼| (Continuous ׳י■] Verify URL | Stop Flood | Close
l«Q» D S C * m*T http //www socketsofi nttf
Running.. Requests: 1 Responses: 0
DoSHTTP 2.5.1 - Socketsoft.net [Evaluation Mode] ■״
FIGURE 10.20: DoS HTTP
SprutSprut is a multisystem TCP denial of service attacker.
Start
Stop
Reset
Hostname or IP-address:www. juggy boy. com
Port: Threads:[80 [20
Connecting to 118.215.252.59:80 ...Peak: 11741174
OKNo error
Status:Connected:Connect:Disconnect:
Multisystem TCP Denial of Service Attacker [Build 812]http:/A»atix bv.ru/Coded by Yarix ([email protected])BS
FIGURE 10.21: Sprut
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1455
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHUrtifw* ilhiul lUtbM
DoS Attack Tools(Cont’d)
gdt Mew Go Capln tra!:
3 ־ - I _1J _ ! l h « 21 i . DecwfcnKeyi...a72.11 O:־tt1־ss5£־־׳־\. m s: I| :nfosource port: 17795 Destination poFragmented ip p ro to co l (p ro to -uop Fragmented ip p ro to co l (proco-uop Fragmented IP p ro to co l (proto=UDP Fragmented ip p ro to co l (proto=u0P fragm ented IP p ro to co l (proto-UO** Source port: 17795 Destination po Fragmented ip p ro to co l ( p ro to-uop Fragmented IP p ro to co l (p ro to-uop Fragmented IP p ro to co l (proto=UOP Fragmented IP p ro to co l (proto=U0P Fragmented IP p ro to co l (proto-UOP source port: 17706 t*־stlfwi10n po Fragmented ip p ro to co l (proto»uo*> Fragmented IP p ro to co l (proto*u0P Fragmented ip p ro to co l (proto=UOP
?־־
192.16a.168. 32 192.16a. 168. 32192.164.168. 32192.166.168. 32192.164.168. 32
08182 165.289717 192.168.168. 708183 165.289838 192.166.168. 708184 165.289968 192.168.168.708185 165.290090 192.168.168.708186 165.290211 192.168.168.7
192.168.168.32192.168.168.32192.168.168. 32192.168.168.32192.168.168. 32
192.164.168.3?192.168.168. 32192.168.168.32192.164.168. 32192.168.168. 32
08188 165.290403 192.168.168.708189 165.?90S? J 192. 168.168.708190 165.290733 192.168.168.708191 16S. 290776 192.168.168.708192 165.290896 192.168.168.7
08194 165. ?91091 19?. 168.164.708195 165.291210 192.168.168.708196 165.291330 192.168.164.708197 165.291452 192.168.168.708198 165.291582 192.168.168.7
1• rrame 6?4153: 1514 bytes, on wire ( l ? l l ? b its ). 1514 byte•;, captured ( l ? l l ? bit•״)I- kt her ret 11. Src: fclUegro 22:2d: if (00:25:ll:22:2d:5f). ust: 0«1 l_ fd : 86:63 (84 :b»:dt>:fd: 86:63) I internet Protocol, src: 192.168.168.7 (192.168.168.7). USt: 192.108.168.32 (192.168.168.32) ״| vi Oat a (1480 bytes)
c.ft .. t ..............b fd 86 63 00 25 11 22 2d 5f 08 00 45 004« 000־ b« C<.........>010 05 dc ab 21 22 2b 80 11 96 4b cO a4 .18 07 cO a8 .K
>020 *8 20 5* 58 58 58 58 58 58 58 58 58 58 58 58 58 . XXXXXX XXXXXXXX >030 58 SB 58 58 58 58 58 58 58 58 58 54 58 58 58 58 XXXXXXXX XXXXXXXX >040 58 58 58 58 58 58 58 58 58 58 58 54 58 58 58 58 XXXXXXXX XXXXXXXX
>V~ P«*xts: 80 /630<nUr«d: 602/63Marked: 0 frepped: 953I ^K*C:tM>1A>0£-:\>ec£ alocjrr«1
Traffic at Victim Machine
Copyright © by E&Caunci. All Rights Reserved. Reproduction is Strictly Prohibited.
m u mYour V: <DontClo3you>«eNnub)
idr ! tn«* DoS iBju k. please wall Mtillo the browser 10 : !׳
PHP DoS
DoS A ttack Tools (C ont’d)
PHP DoSSource: http://code.google.com
This script is a PHP script that allows users to perform DoS (denial-of-service) attacks against an IP/website without any editing or specific knowledge.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1456
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
xJe■
Your IP: (Dont DoS yourself nub)
IF Time ort
iKsaasiaL^ftiiAlter initiating the DoS attack, please wait while the browser loads
FIGURE 10.22: PHP DoS
Module 10 Page 1457 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS Attack Tools q e H(Cont’d) (•itifwtf | tlfcitjl IlMkM
Copyright © by EC-Cooncfl. All Rights Reserved Reproduction is Strictly Prohibited.
DoS A ttack Tools (C ont’d)
I d Janidos
FIGURE 10.23: Janidos
Module 10 Page 1458 Ethical Hacking and Countermeasures Copyright © by EC-C0linCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Supernove
Hub Harvester
Remove
MultipleRemove
י*' ■j־i ;1׳־--r י* ־*3/24/2009] Produced by]
tr^ii R_________[W 1 ז-ו R . 4 ־. P:» 1 ■־. :;1V.H7 * •:41.־!־ A Q Cm ) CPt I
!supernova 5
Single targe( Port
1 ם □ כTy?**Frst Q
[ Load I Save
Random Ports|
ם *י״ 1 כ! □ «
F;׳rT.:.v־r
L a nedDisc omect
SpeedHarvest
Speed
םכ 10 םכBEHSIMSW ■
= 1 I: I I: 1 I: I I
ם כם כ
Search
M ^eptoce hubs on dose 23 Debug connectionsM replace hubs on errors Q Jebug replacesM rorbid Scanner log abuse jQ Debug socxet errorsM nbuiia Scanner S3 .»ebug actionsf l Assign socks for every hub in the list Q Debug User number
Cmdune
FIGURE 10.24: Supernove
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1459
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEH(•rtifwd itkitjl
DoS Attack Tools(Cont’d)
*It 9 l H h *£J•*****11•*■! *tifccfcfOilcrw * » י * ' •י ״' «* «•* I , »mlfH n*** [amcw! 103 J VXf fAdlMM *___________ 4~[05}TCT n.1*u»%lly i t l K t «U CM4» ■
T*rc«t kM> //»** tweet <WtK« •1*וי» 1231 TW.U* ]י< *<far* Tt
•!״־ ׳ p susin4 !s&״: r ™״ 85 as[051TC7 4^ ״] .,.tOeiTCT^n-j גז » p• « ~ u , U . ״ ״ a . ft.• ־" ,״ 0, * IB1"T«rc«t ktt» //*** l«f<t <W1W •123|;»ןיק
ז• 0 ״ ® • • tw״ j 10 : * . ״ ״
totw*(1<111r <1• U i l ••4• W 1 m («4m i i i« m 4•!Try* 03 ״ TW«*»10 I *»•«!»< icn ", T«r<«t ... <״«.•! .
.»-־ ״ «/ ׳ *,?nrsffs ■ י•*״ . ״ י . i i . m UIL n • r״ u ״ u *»«*
{^* •״׳־־■* SrSSJ «°°qiy ooos t ״־־4■־ ־ ._ : a 1 C h i n e s e ס י ד
C o r n m e r e י ׳3' ״
Copyright © by EG-Goinci. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS A ttack Tools (C ont’d)
Commercial Chinese DIY DDoS Tool
Figure 10.25: Commercial Chinese DIY DDoS Tool
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1460
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
BanglaDos
Mom C w N u 00—tenet Yow •tcaamr t a c i* • * U m Om t tm 01 w » C D S I < ׳ ' f l
H a c k C l a r i f y R ^ R
(7) 7) (OS (7) %> Mdmt (4) d im)(5) iM m 10 •tack) י ( •ft> w y i o g y n <4) x n oM M 0 (5) %we d i m ow • !1) nem1) ״ 6) m c B n u x•
naM• !1) onln• and oflhrw (S) apacaftng vrt*m% (11) pmword recowen•• (?) p*sa«ora
(1) (3) O ) {MX**• n» p cn o v f(3) ew w iepd ip ro ay <2)«em<1»rH»(2)KWWim
(4) 1) <%xm) *1 (4) •יי׳*na (1j tM re 7* (1> •po o t 1m Hן aoftw are c ra c k s (11) •*am
(49) Kcuinv tips and tricks•S * c u r * y o u r b l o g r u n n i n g o n W o r d p r •
■ 10 14 PU Artel• t* S « n r r « J t
FIGURE 10.26: BanglaDos
Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1461
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
CEHDoS Attack Tools(Conttt)
DoS A ttack Tools (C ont’d)
DoS
FIGURE 10.27: DoS
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1462
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
M e g a D D o S A t t a c k
FIGURE 10.28: Mega DDoS Attack
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1463
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Copyright © by E&Caincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
A M o d u l e F l o w
‘ "־‘*2׳־־ So far, we have discussed the D0S/DD0S concepts, various threats associated with this kind of attack, attack techniques, botnets, and tools that help to perform D0S/DD0S attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester, you should think about detecting and applying possible ways or methods to secure the network.
1 •--1 JDos/DDoS Concepts Dos/DDoS Attack Tools
‘ Dos/DDoS Attack Techniquesc *
d S Countermeasures*
K J Botnets Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration Testing
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1464
This section describes various techniques to detect D0S/DD0S vulnerabilities and also highlights the respective countermeasures.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1465
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Copyright © by E&Caincfl. All Rights Reseivei.Rejproduction is Strictly Prohibited.
Changepoint DetectionWavelet-based Signal Analysis
J Detection techniques are based on iden tify ing and d iscrim inating the illeg itim ate tra ffic increase and flash events from legitimate packet traffic
J All detection techniques define an attack as an abnorm al and no ticeab le dev ia tio n from a thresho ld o f norm al netw ork traffic statistics
Activity Profiling
D e t e c t i o n T e c h n i q u e s
Most of the DDoS today are carried out by attack tools, botnets, and with the help of other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. All these problems together lead to the requirement of defense systems featuring various detection methods to identify attacks.
The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic.
There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1466
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
r It is th e average ץ packet ra te fo r a
n e tw o rk flow , w h ich consists o f
co nsecu tive packets w ith s im ilar packet
fie ld s y
An attack is indicated by:© An increase in activity
levels among clusterse An increase in the
overall number of distinct clusters (DDoS
. attack)
Activity Profiling
Activity profile is obtained by
monitoring the network packet's
header informatio
A c t i v i t y P r o f i l i n g
Typically, an activity profile can be obtained by monitoring header information of a network packet. An activity profile is defined as the average packet rate for network flow. It consists of consecutive packets with similar packet fields. The activity level or average packet rate of flow is determined by the elapsed time between the consecutive packets. The sum of average packet rates of all inbound and outbound flows gives the total network activity.
If you want to analyze individual flows for all possible UDP services, then you should monitor on the order of 264 flows because including other protocols such as TCP, ICMP, and SNMP greatly compounds the number of possible flows. This may lead to high-dimensionality problem. This can be avoided by clustering the individual flows exhibiting similar characteristics. The sum of constituent flows of a cluster defines its activity level. Based on this concept, an attack is indicated by:
0 An increase in activity levels among clusters
© An increase in the overall number of distinct clusters (DDoS attack)
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1467
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Wavelet-based Signal Analysis C EH
Wavelets provide for concurrent time and frequency description
They determine the time at which certain frequency components are present
Wavelet analysis describes an input signal in terms of ־־\
spectral components
Analyzing each spectral window's energy determines
the presence of anomalies
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
W a v e l e t - b a s e d S i g n a l A n a l y s i s
Wavelet analysis describes an input signal in terms of spectral components. It provides a global frequency description and no time localization. Wavelets provide for concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals and the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, and attacks such as DoS, etc.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1468
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHSequential Change-Point Detection
Change-point detection algorithms isolate a traffic statistic's change caused by attacks
S e q u e n t i a l C h a n g e - P o i n t D e t e c t i o n
Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resultant flow as a time series. This time series can be considered as the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins.
Cusum is a change-point detection algorithm that operates on continuously slamped data and requires only computational resources and low memory volume. The Cusum identifies and localizes a DoS attack by identifying the deviations in the actual versus expected local average in the time series. If the deviation is greater than the upper bound, then for each t,ime series sample, the Cusum's recursive statistic increases. Under normal traffic flow condition the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify a DoS attack onset by applying an appropriate threshold against the Cusum statistic.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1469
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Countermeasure Strategies CEH
Shu tting D ow n the S e rv ic e s
_ Shut down all the services until the attack has subsided
D e g rad in gS e rv ic e s
Identify critical services and stop non critical services
A b so rb in g the A ttack
Q Use additional capacity to absorb attack; it requires preplanning
9 It requiresadditional resources
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
a D o S / D D o S C o u n t e r m e a s u r e S t r a t e g i e s
There are three types of countermeasure strategies available for DoS/DDoS attacks:
A b s o r b th e a t t a c k
Use additional capacity to absorb the attack this requires preplanning. It requires additional resources. One disadvantage associated is the cost of additional resources, even when no attacks are under way.
D e g r a d e s e r v i c e s
If it is not possible to keep your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, first you need to identify the critical services. Then you can customize the network, systems, and application designs in such a way to degrade the noncritical services. This may help you to keep the critical services functional. If the attack load is extremely heavy, then you may need to disable the noncritical services in order to keep them functional by providing additional capacity for them.
S h u t d o w n s e r v i c e s
Simply shut down all services until an attack has subsided. Though it may not be an optimal choice, it may be a reasonable response for some.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1470
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DDoS Attack Countermeasures C EHProtect
secondary victims
Prevent potential attacks
Mitigateattacks
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
D D o S A t t a c k C o u n t e r m e a s u r e s
There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, there is no single way that alone can provide protection against all DDoS attacks. In addition, attackers are frequently developing many new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks:
© Protect secondary targets
0 Neutralize handlers
0 Prevent potential attacks
0 Deflect attacks
© Mitigate attacks
© Post-attack forensics
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1471
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEH
a
DoS/DDoS Countermeasures: Protect Secondary Victims
Install anti-virus and anti-Trojan software and keep these up-to-date
An increased awareness of security issues and prevention techniques from all Internet users
Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources
Configuration and regular updates of built-in defensive mechanisms in the core hardware and software of the systems
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S C o u n t e r m e a s u r e s : P r o t e c t S e c o n d a r y V i c t i m s
Individual Users
Potential secondary victims can be protected from DD0S attacks, thus preventing them from becoming zombies. This demands intensified security awareness, and the use of prevention techniques. If attackers are unable to compromise secondary victims׳ systems and secondary victims from being infected with DD0S, clients must continuously monitor their own security. Checking should be carried out to ensure that no agent programs have been installed on their systems and no DD0S agent traffic is sent into the network. Installing antivirus and anti-Trojan software and keeping these updated helps in this regard, as does installing software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web surfer, integrated machineries in the core part of computing systems (hardware and software) can provide protection against malicious code insertion. This can considerably reduce the risk of a secondary system being compromised. Attackers will have no attack network from which to launch their DD0S attacks.
Network Service Providers
© Service providers and network administrators can resort to dynamic pricing for their network usage so that potential secondary victims become more active in preventing
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1472
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Q their computers from becoming part of a DD0S attack. Providers can charge differently as per the usage of their resources. This would force providers to allow only legitimate customers onto their networks. At the time when prices for services are changed, the potential secondary victims who are paying for Internet access may become more cognizant of dangerous traffic, and may do a better job of ensuring their nonparticipation in a DD0S attack.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1473
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Countermeasures: Detect and Neutralize Handlers CEH
Spoofed Source Address
There is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network
Neutralize Botnet Handlers
There are usuallyfew ׳׳DDoS handlers deployed as compared to the number of agents
Neutralizinga few ׳׳handlers can possibly render multiple agents useless, thus thwarting DDoS attacks
Study of communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected with a handler
\
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited
D o S / D D o S C o u n t e r m e a s u r e s : D e t e c t a n d N e u t r a l i z e H a n d l e r
The DDoS attack can be stopped by detecting and neutralizing the handlers, which are intermediaries for the attacker to initiate attacks. Finding and stopping the handlers is a quick and effective way of counteracting against the attack. This can be done in the following ways:
Studying the communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify network nodes that might be infected with a handler.
There are usually a few DDoS handlers deployed as compared to the number of agents, so neutralizing a few handlers can possibly render multiple agents useless. Since agents form the core of the attacker's ability to spread an attack, neutralizing the handlers to prevent the attacker from using them is an effective strategy to prevent DDoS attacks.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1474
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Countermeasures: Detect Potential Attacks CEH
TCP Intercept
e ConfiguringTCPIntercept prevents DoS attacks by intercepting and validating theTCP connection requests
Egress Filtering
Ingress Filtering9 Protects from flooding
attacks which originate from the valid prefixes (IP addresses)
It enables the originator טto be traced to its true
Copyright © by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S C o u n t e r m e a s u r e s : D e t e c t P o t e n t i a l A t t a c k s
To detect or prevent a potential DDoS attack that is being launched, ingress filtering, engress filtering, and TCP intercept can be used.
I n g r e s s f i l t e r i n g
Ingress filtering doesn't offer protection against flooding attacks originating from valid prefixes (IP addresses); rather, it prohibits an attacker from launching an attack using forged source addresses that do not obey ingress filtering rules. When the Internet service provider (ISP) aggregates routing announcements for multiple downstream networks, strict traffic filtering must be applied in order to prohibit traffic originating from outside the aggregated announcements. The advantage of this filtering is that it allows tracing the originator to its true source, as the attacker needs to use a valid and legitimately reachable source address.
E g r e s s F i l t e r i n g
In this method of traffic filtering, the IP packet headers that are leaving a network are initially scanned and checked to see whether they meet certain criteria. Only the packets that pass the criteria are routed outside of the sub-network from which they originated; the packets
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1475
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
which don't pass the criteria will not be sent. There is a good possibility that the source addresses of DDoS attack packets will not represent the source address of a valid user on a specific sub-network as the DDoS attacks often use spoofed IP addresses. Many DDoS packets with spoofed IP addresses will be discarded, if the network administrator places a firewall in the sub-network to filter out any traffic without an originating IP address from the subnet. Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.
If a web server is vulnerable to a zero-day attack known only to the underground hacker community, even if all available patches have been applied, a server can still be vulnerable. However, if egress filtering is enabled, the integrity of a system can be saved by disallowing the server to establish a connection back to the attacker. This would also limit the effectiveness of many payloads used in common exploits. This can be achieved by restricting outbound exposure to the required traffic only, thus limiting the attacker's ability to connect to other
------ TCP intercept is a traffic filtering feature intended to protect TCP servers from a TCPSYN-flooding attack, a kind of denial-of-service attack. In a SYN-flooding attack, the attacker sends a huge volume of requests for connections with unreachable return addresses. As the addresses are not reachable, the connections cannot be established and remain unresolved. This huge volume of unresolved open connections overwhelms the server and may cause it to deny service even to valid requests. Consequently, legitimate users may not be able to connect to a website, access email using FTP service, and so on. For this reason, the TCP intercept
In TCP intercept mode, the software intercepts the SYN packets sent by the clients to the server and matches with an extended access list. If the match is found, then on behalf of thedestination server, the software establishes a connection with the client. Similar to this, thesoftware also establishes a connection with the destination server on behalf of the client. Once the two half connections are established, the software combines them transparently. Thus, the TCP intercept software prevents the fake connection attempts from reaching the server. TheTCP intercept software acts as a mediator between the server and the client throughout the
systems and gain access to tools that can enable further access into the network.
T C P I n t e r c e p t
feature is introduced.
connection.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1476
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Countermeasures: f EHDeflect Attacks — - -
Systems that have only partial security and can act as a lure for attackers are called ~־‘honeypots. This is required so that the attackers will attack the honeypots and the actual system will be safe. Honeypots not only protect the actual system from attackers, but also keep track of details about what they are attempting to accomplish, by storing the information in a record that can be used to track their activities. This is useful for gathering information related to the kinds of attacks being attempted and the tools being used for the attacks.
Recent research reveals that a honeypot can imitate all aspects of a network including its web servers, mail servers, and clients. This is done to gain the attention of the DDoS attackers. A honeypot is designed to attract DDoS attackers, so that it can install the handler or an agent code within the honeypot. This stops legal systems from being compromised. In addition, this method grants the owner of the honeypot a way to keep a record of handler and/or agent activity. This knowledge can be used for defending against any future DDoS installation attacks.
There are two different types of honeypots:
© Low-interaction honeypots
© High-interaction honeypots
An example of high-interaction honeypots are honeynets. Honeynets are the infrastructure; in other words, they simulate the complete layout of an entire network of computers, but they
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1477
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
are designed for the purpose of "capturing" attacks. The goal is to develop a network wherein all activities are controlled and tracked. This network contains potential victim decoys, and the network even has real computers running real applications.
K F S e n s o r
Source: http://www.keyfocus.net
KFSensor acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. The screenshot of KFSensor Professional is shown as follows:
KFSensor Professional - Evaluation TrialFile View Scenario Signatures Settings Help
- S i 4 i : t : u Y -1 ־ ! = « i & n ש a) ז o : \, kfsemor kxalhmt Main Sc— a ID Start Duration Pro... Sens... Name Visitor Received- *3 TCP ® 22 10/10/2012 1a 11K)6 A. 0.000 UDP 49270 UOP Packet W1ndows8 (99]u[80 0(
^ 0 Closed TCP Ports < y21 10/10/2012 10:11:05A... 0.000 UDP 65260 UOP Packet W1ndows8 h(02 80 00J2 1 FTP ® 20 10/10/2012 10:1105 A~ 0.000 UDP 58278 UOP Packet W1ndows8 (E0M80 0C£ 25 SMTP « 19 10/10/2012 10:11:05 a ... 0.000 UDP 138 NBT Datagram... Windows8 NBT DGftfS3 5J DNS # 1 8 10/10/2012 10:1105 A.- 0.000 UDP 138 NBT Datagram... W1ndows8 NBT DGR*J 68 DHCP 3 9 1 7 10/10/2012 10:10:51 A... 0.000 UDP 68 DHCP Client 1 0 0 0 .1 (0201060
® 110 POP3G 16 10/10/2012 1005:49 A.- 232413 TCP 1041 TCP Connection ni*in-f125.1e100.... (1703010
£ 119 NNTP $ 15 10/10/2012 10:10:33 A— 0 0 0 0 UDP 63120 UOP Packet W1N-2N9STOSGIEN 1(80 8000
g U S MS W C - W A 14 10/10/2012 10:10:32 A.- 0.000 UDP 111 sunrpc WIN-2N9STOSG1EN Pt(F08C 0(
139 NBT Session Service A 13 10/10/2012 10:10:27 A... 0.000 UDP 111 sunrpc W1N-2N9STOSGIEN Pt(F08C 01 ך
J 389 LDAP ג 12 10/10/2012 10:10^2 A.- 0.000 UDP 111 sunrpc W1N-2N9STOSGIEN Pt(F08C 01
^ 443 HTTPS / '1 1 10/10/2012 10:10:22 A... 0.000 UDP 111 Port Scan War... WIN-2N9STOSGIEN Possible P£g ■Hi NBT SMB— t w 9 1 0 10/10/2012 10:10:06A.- 0 0 0 0 UDP 138 NBT Datagram... W1N-2N9ST OSGIEN NBT DGftfj§ 593 CIS 0 9 10/10/2012 1009:59 A._ 0.000 UDP 54140 UOP Packet W1N-2N9STOSGIEN 2(94 80 00g Ift ii M i CIS ■ tn». 0 8 10/10/2012 1009:58 A.- 0 0 0 0 UDP 60681 UOP Packet WIN-2N9ST OSGIEN (C4]L[80 0i$ 1060 so c ks $ 7 10/10/2012 10=09:58 A... 0.000 UDP 67 DHCP WIN-2N9STOSGIEN DHCP. Bo< J 1433 S a Server 9 6 10/10/2012 1009:23 A... 0.000 UDP 138 NBT Datagram... WIN-MSSELCK4K41 NBT DGRfig 2234 Directplay 9 5 10/10/2012 1(k09:13 A.- 0 0 0 0 UDP 138 NBT Datagram... W1N-MSSELCK4K41 NBT DGRfi^ 3128 IIS Proxy 3 4 10/10/2012 100804 A.- 0.000 UDP 67 DHCP WIN-MSSELCK4K41 DHCP: Bo<j 3268 Global Catalog Sef— 9 3 10/10/2012 1(H)3.-03 A.- 0 0 0 0 UDP 138 NBT Datagram... WIN-MSSELCK4K41 NBT DOR*^ 3389 Terminal Server 9 2 10/10/2012 1002:54 a .- 0.000 UDP 138 NBT Datagram... W1N-MSSELCK4K41 NBT DORA§ 5000 MS Uni Plug and P~.
j j l 10/10/2012 1002:16 a.- 0.000 UDP 67 DHCP W1N-MSSELCK4K41 DHCP: Bo<5357 Web Services for D ...v
< [ hi > <1 M 1 >Server Running Visitors: 11 Events: 39/39
FIGURE 10.29: kfsENSOR
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1478
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHDoS/DDoS Countermeasures: Mitigate Attacks
Throttling
© T h is m e th o d sets up ro u te rs th a t access a se rve r w ith logic to ad ju s t ( th ro t t le ) in co m in g tra ff ic to le ve ls th a t w ill be sa fe fo r th e se rve r to p ro cess
© Th is p ro cess can p re ve n t f lo o d d am ag e to se rve rs
® Th is p ro cess can be ex te n d e d to th ro t t le D D 0 S a tta ck in g tra ff ic ve rsu s leg it im a te use r tra ff ic fo r b e tte r resu lts
Load Balancing1()רי(7)י
P ro v id e rs can in c re ase th e b a n d w id th o n c ritica l co n n e c tio n s to p re ve n t th e m fro m go ing d o w n in th e e v e n t o f an a tta ck
R ep lica tin g se rve rs can p ro v id e a d d it io n a l fa ilsa fe p ro te c tio n
B a lan c in g th e load to each se rve r in a m u ltip le- se rve r a rch ite c tu re can im p ro ve b o th n o rm a l p e rfo rm a n c e s as w e ll a s m it ig a te th e e ffec ts o f a D D 0 S a tta ck
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
are:
D o S / D D o S C o u n t e r m e a s u r e s : M i t i g a t e A t t a c k s
There are two ways in which the DoS/DDoS attacks can be mitigated or stopped. They
L o a d B a l a n c i n g
Bandwidth providers can increase their bandwidth in case of a DD0S attack to prevent their servers from going down. A replicated server model can also be used to minimize the risk. Replicated servers help in better load management and enhancing the network's performance.
U T h r o t t l in g
Min-max fair server-centric router throttles can be used to prevent the servers from going down. This method enables the routers in managing heavy incoming traffic so that the server can handle it. It can also be used to filter legitimate user traffic from fake DD0S attack traffic.
Though this method can be considered to be in the experimental stage, network operators are implementing similar techniques of throttling. The major limitation with this method is that it may trigger false alarms. Sometimes, it may allow malicious traffic to pass while dropping some legitimate traffic.
Module 10 Page 1479 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHPost-Attack Forensics
DDoS attack traffic patterns can help the netw ork adm in istrators to develop n ew filte rin g techn iques fo r preventing it from entering or leaving their networks
Analyze router, firewall, and IDS logs to identify the source o f the DoS traffic. Although attackers generally spoof the ir source addresses, an IP trace back w ith the help o f interm ed iary ISPs and law en fo rcem en t agencies m ay enab le to book the perpetrators
Traffic pa tte rn analysis: Data can be analyzed ־ post-attack - to look for specific characteristics w ith in the attacking traffic
Using these characteristics, data can be used fo r updating load-balancing and th ro ttlin g counterm easures<
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
P o s t - A t t a c k F o r e n s i c s
L ' Sometimes by paying a lot of attention to the security of a computer or network, malicious hackers manage to break in to the system. In such cases, one can utilize the post- attack forensic method to get rid of DDoS attacks.
אד T r a f f i c P a t t e r n A n a l y s i s
During a DDoS attack, the traffic pattern tool stores post-attack data that can be analyzed for the special characteristics of the attacking traffic. This data is helpful in updating load balancing and throttling countermeasures to enhance anti-attack measures. DDoS attack traffic patterns can also help network administrators to develop new filtering techniques that prevent DDoS attack traffic from entering or leaving their networks. Needless to say, analyzing DDoS traffic patterns can help network administrators to ensure that an attacker cannot use their servers as a DDoS platform to break into other sites. Analyze router, firewall, and IDS logs to identify the source of the DoS traffic. Although attackers generally spoof their source addresses, an IP traceback with the help of intermediary ISPs and law enforcement agencies may enable booking the perpetrators.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1480
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
R u n t h e Z o m b ie Z a p p e r T o o l
m When a company is unable to ensure the security of its servers and a DDoS attackbegins, the network IDS (intrusion detection system) notices a high volume of traffic
that indicates a potential problem. In such a case, the targeted victim can run Zombie Zapper to stop the system from being flooded by packets.
There are two versions of Zombie Zapper. One runs on UNIX, and the other runs on Windows systems. Currently, Zapper Tool acts as a defense mechanism against Trinoo, TFN, Shaft, andStacheldraht.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1481
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
CEHTechniques to Defend against Botnets
Black Hole Filtering
Black hole refers to network nodes w here incoming traffic is discarded or dropped w ithout informing the source that the data did not reach its intended recipient
Black hole filtering refers to discarding packets at the routing level
RFC 3704 Filtering
Any traffic coming from unused or reserved IP addresses is bogus and should be filtered at the ISP before it enters the Internet link
Cisco IPS Source IP Reputation Filtering
Reputation services help in determ ining if an IP or service is a source o f threat or not, Cisco IPS regularly updates its database w ith known threats such as botnets, botnet harvesters, malwares, etc. and helps in filtering DoS traffic
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
T e c h n i q u e s t o D e f e n d a g a i n s t B o t n e t s
There are four ways to defend against botnets:
R F C 3704 F i l t e r i n g
RFC3704 is a basic ACL filter. The basic requirement of this filter is that packets should be sourced from valid, allocated address space, consistent with the topology and space allocation. A list of all unused or reserved IP addresses that cannot be seen under normal operations is usually called a "bogon list." If you are able to see any of the IP addresses from this list, then you should drop the packets coming from it considering it as a spoofed source IP. Also you should check with your ISP to determine whether they manage this kind of filtering in the cloud before the bogus traffic enters your Internet pipe. This bogon list changes frequently.
SLB l a c k H o le F i l t e r i n g
Black hole filtering is a common technique to defend against botnets and thus to prevent DoS attacks. You can drop the undesirable traffic before it enters your protected network with a technique called Remotely Triggered Black Hole Filtering, i.e., RTBH. As this is a remotely triggered process, you need to conduct this filtering in conjunction with your ISP. With the help of BGP host routes, this technique routes the traffic heading to victim servers to a nullO next hop. Thus, you can avoid DoS attacks with the help of RTBH.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1482
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
a o D D o S P r e v e n t i o n O f f e r in g s f r o m I S P o r D D o S S e r v i c ey » y D D o S P r e v e n t i o n O f f e r in g s f r o m I S P o r D D o S S e r v i c e
Most ISPs offer some form of in-the-cloud DDoS protection for your Internet links. The ־idea is that the traffic will be cleaned by the Internet service provider before it reaches your Internet pipe. Typically, this is done in the cloud. Hence, your Internet links will be safe from being saturated by a DDoS attack. The in-the-cloud DDoS prevention service is also offered by some third parties. These third-party service providers usually direct the traffic intended to you to them, clean the traffic, and then send the cleaned traffic back to you. Thus, your Internet pipes will be safe from being overwhelmed.
C i s c o I P S S o u r c e I P R e p u t a t io n F i l t e r i n g
------' Cisco Global Correlation, a new security capability of Cisco IPS 7.0, uses immensesecurity intelligence. The Cisco SensorBase Network contains all the information about known threats on the Internet, serial attackers, malware outbreaks, dark nets, and botnet harvesters. The Cisco IPS makes use of this network to filter out the attackers before they attack critical assets. In order to detect and prevent malicious activity even earlier, it incorporates the global threat data into its system.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1483
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Countermeasures cEH(tkMjl NMhM
/ •.)....................................ן / // 7■.... 1| Use strong encryption mechanisms such as W PA 2 , A ES 256, etc . fo r broadband n e tw o rks to w ith s tan d
against eavesd ropp ing
r•••::::■-.. VI // FAEnsure th a t th e so ftw a re and pro toco ls used are up-to-date and scan th e m achines tho rough ly to d e te c t fo r any anomalous behavior
D isab le unused and insecure services
Block all inbound packets orig inating from th e se rv ice ports to block th e tra ffic from re flec tio n se rve rs
C l Update kernel to th e la te s t re lease
// ) ....../ / ....................................................
0 P re ve n t th e transm ission o f th e fraudulently addressed packets at ISP leve l
I />•'■ // i / / I
Im p lem en t cognitive radios in th e physical la ye r to hand le th e jam m ing and scram bling kind of attacks
Copyright © by EtCm ncj. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S C o u n t e r m e a s u r e s
The strength of an organization's network security can be increased by putting the proper countermeasures in the right places. Many such countermeasures are available forD0S/DD0S attacks. The following is the list of countermeasures
to be applied against D0S/DD0S attacks:
© Efficient encryption mechanisms need to be proposed for each piece of broadbandtechnology
© Improved routing protocols are desirable, particularly for the multi-hop WMN
© Disable unused and insecure services
© Block all inbound packets originating from the service ports to block the traffic from thereflection servers
© Update kernel to the latest release
© Prevent the transmission of the fraudulently addressed packets at the ISP level
© Implement cognitive radios in the physical layer to handle the jamming and scramblingkind of attacks
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1484
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
EHDoS/DDoS Countermeasures( C o n t ’d j
Copyright © by E&Counci. All RightsReservecTReprodiiction is Strictly Prohibited.
> D o S / D D o S C o u n t e r m e a s u r e s ( C o n t ’ d )
:The list of countermeasures against DoS/DDoS attack continuous as follows נ £
© Configure the firewall to deny external Internet Control Message Protocol (ICMP) trafficaccess
The network card is the gateway to the packets. Use a better network card to handle a large number of packets
W W W
Configure th e f ire w a ll to P re ve n t use o f Secure th e rem o ted en y ex terna l In te rn e t unnecessary functions adm in istra tion and
Control M essag e Protoco l such as gets, strcpy etc . co n n e ctiv ity tes tin g( IC M P ) tra ffic access
Perfo rm th e tho rough input
va lid atio n
P reven t th e retu rn addresses from being
o v e rw rit te n
Data p rocessed by the a ttacker should be stopped
from being execu ted
© Prevent the use of unnecessary functions such as gets, strcpy, etc.
© Secure the remote administration and connectivity testing
© Prevent the return addresses from being overwritten
© Data processed by the attacker should be stopped from being executed
© Perform the thorough input validation
© The network card is the gateway to the packets. Hence, use a better network card tohandle a large number of packets
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1485
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Protection at ISP Level
B Most ISPs simply blocks all the requests during a DDoS attack, denying legitimate traffic from accessing the
■I ISPs offer in-the-cloud DDoS protection for Internet links so that they do not become saturated by the attack
ri Attack traffic is redirected to the ISP during the attack to be filtered and sent back
Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation
h ttp ://w w w . ce rt, org
-----------Copyright © by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S P r o t e c t i o n a t t h e I S P L e v e l
Source: http://www.cert.org
Most ISPs simply block all the requests during a DDoS attack, denying legitimate traffic from accessing the service. ISPs offer in-the-cloud DDoS protection for Internet links so that they do not become saturated by an attack. Attack traffic is redirected to the ISP during the attack to be filtered and sent back. Administrators can request ISPs to block the original affected IP and move their site to another IP after performing DNS propagation.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1486
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1487
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Enabling TCP Intercept on Cisco IOS Software [71 (*rtifxd |
EHIU mjI NMhM
1 S To enable TCP intercept, use these commands in global configuration mode: 1
S t e p C o m m a n d P u r p o s e
1access-list access-list-number {d en y | p e rm it} tcp any destination destination-wildcard
Define an IP extended access list
2 ip tcp In te rcep t list access-list-number Enable TCP In tercept
■I TCP intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
E n a b l i n g T C P I n t e r c e p t o n C i s c o I O S S o f t w a r e
The TCP intercept can be enabled by executing the following commands in global configuration mode:
Command Purpose
Step 1 access-list access-list-number {deny I permit} tcp any destination destination-wildcard
Defines an IP extended access list.
Step2 ip tcp intercept list access-list- number
Enables TCP intercept.
An access list can be defined for three purposes:
1. To intercept all requests
2. To intercept only those coming from specific networks
3. To intercept only those destined for specific servers
Typically the access list defines the source as any and the destination as specific networks or servers. As it is not important to know who to intercept packets from, do not filter on the source addresses. Rather, you identify the destination server or network to protect.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1488
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
TCP intercept can operate in two modes, i.e., active intercept mode and passive watch mode. The default is intercept mode. In intercept mode, the Cisco IOS Software intercepts all incoming connection requests (SYN), gives a response on behalf of the server with an ACK and SYN, and then waits for an ACK of the SYN from the client. When the ACK is received from the client, the software performs a three-way handshake with the server by setting the original SYN to the server. Once the three-way handshake is complete, the two-half connections are joined.
The command to set the TCP intercept mode in global configuration mode:
Command purpose
ip tcp intercept mode {intercept | Set the TCP intercept modewatch}
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1489
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
CEHAdvanced DDoS Protection Appliances
h ttp ://w w w .arborn etw orks.com
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
A d v a n c e d D D o S P r o t e c t i o n A p p l i a n c e s
f F o r t i D D o S 3 0 0 A־
^ Source: http://www.fortinet.com
The FortiDDoS 300A provides visibility into your Internet-facing network and can detect and block reconnaissance and DDoS attacks while leaving legitimate traffic untouched. It features automatic traffic profiling and rate limiting. Its continuous learning capability differentiates between gradual build-ups in legitimate traffic and attacks.
FIGURE 10.31: FortiDDoS-300A
h ttp ://w w w .c isco .co m
Cisco Guard XT 5650
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1490
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
D D o S P r o t e c t o r
Source: http://www.checkpoint.com
DDoS Protector provides protection against network flood and application layer attacks by blocking the destructive DDOS attacks without causing any damage. It blocks the abnormal traffic without touching the legitimate traffic. It protects your network and web services by filtering the traffic before it reaches the firewall.
FIGURE 10.32: DDoS Protector
C is c o G u a r d X T 5650
Source: http://www.cisco.com
The Cisco Guard XT is a DDoS Mitigation Appliance from Cisco Systems. It performs he detailed per-flow level attack analysis, identification, and mitigation services required to block attack traffic and prevent it from disrupting network operations.
FIGURE 10.33: Cisco Guard XT 5650
f e \ A r b o r P r a v a i l : A v a i l a b i l i t y P r o t e c t io n S y s t e m
— Source: http://www.arbornetworks.com
Arbor Pravail allows you to detect and remove known and emerging threats such as DDOS attacks automatically before your vital services go down. It increases your internal network visibility and improves the efficiency of the network.
FIGURE 10.34: Availability Protection System
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1491
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Module Flow C EH
Copyright © by E&Cainci. All Rights Reserved. Reproduction Is Strictly Prohibited.
M o d u l e F l o w
In addition to the countermeasures discussed so far, you can also adopt D0S/DD0S tools to protect your network or network resources against D0S/DD0S attacks.
Dos/DDoS Concepts Dos/DDoS Attack Tools
Dos/DDoS Attack Techniques ־ d p g Countermeasures
H T j Botnets / % * ? Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration Testing ־
This section lists and describes various tools that offer protection against D0S/DD0S attacks.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1492
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
D o S / D D o S P r o t e c t i o n T o o l : D G־ u a r d A n t i - D D o S F i r e w a l l CEH
... .Mooitcf
פ ייייי•
a
i "U*»
f t
1י״יי«
J D-Guard Anti-DDoS Firewall provides the m ost reliable and fastest DDoS protection fo r online en te rp rises , public and m edia serv ices , essen tia l in frastru ctu re , and In te rn e t serv ice p roviders
J Fea tu res :
© Protection against almost all kinds of attacks
© Built-in intrusion prevention system
TCP flow control
» IP blacklist and white list, ARP white list, and MAC Binding
Copyright © by EC-Cauncl. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S P r o t e c t i o n T o o l : D ־ G u a r d A n t i - D D o S F i r e w a l l
Source: http://www.d-guard.com
D-Guard Anti-DDoS Firewall provides DDoS protection. It offers protection against DoS/DDoS, Super DDoS, DrDoS, fragment attacks, SYN flooding attacks, IP flooding attacks, UDP, mutation UDP, random UDP flooding attacsk, ICMP, ICMP flood attacks, ARP spoofing attacks, etc.
Features:
© Built-in intrusion prevention system
© Protection against SYN, TCP flooding, and other types of DDoS attacks
© TCP flow control
© UDP/ICMP/IGMP packets rate management
© IP blacklist and whitelist
© Compact and comprehensive log file
Module 10 Page 1493 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
FIGURE 10.35: D-Guard Anti-DDoS Firewall
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1494
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
DoS/DDoS Protection Tools CEH
t FortiDDoSו ® « http:/ / www. fortine f. com
DefenseProhttp ://w w w . r adware. com
DOSarresthttp ://w w w . dos arres t. com
Anti DDoS Guardianhttp ://w w w . beethink. com
DDoSDefendhttp://ddos defend, com
PW h
[ J J 5 NetFlow Analyzer---- ^ http://www.manageengine.com
SDL Regex Fuzzerhttp://www.m icrosoft.com
WANGuard Sensorן ן http://www.andrisoft.com
NetScaler Application Firewallhttp ://w w w . citrix. com
FortGuard DDoS Firewallhttp ://w w w .fort guard, com
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
D o S / D D o S P r o t e c t i o n T o o l s
In addition to D-Guard Anti-DDoS Firewall, there are many tools that offer protectionagainst DoS/DDoS attacks. A few tools that offer DoS/DDoS protection are listed as follows:
© NetFlow Analyzer available at http://www.manaeeengine.com
© SDL Regex Fuzzer available at http://www.microsoft.com
© WANGuard Sensor available at http://www.andrisoft.com
© NetScaler Application Firewall available at http://www.citrix.com
© FortGuard DDoS Firewall available at http://www.fortguard.com
© IntruGuard available at http://www.intruguard.com
© DefensePro available at http://www.radware.com
© DOSarrest available at http://www.dosarrest.com
© Anti DDoS Guardian available at http://www.beethink.com
© DDoSDefend available at http://ddosdefend.com
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1495
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Copyright © by E&Caincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u l e F l o wIIL -- -
------The main objective of every ethical hacker or pen tester is to conduct penetrationtesting on the target network or system resources against every major and minor possible attack in order to evaluate their security. The penetration testing is considered as the security evaluation methodology. D0S/DD0S penetration testing is one phase in the overall security evaluation methodology.
■ —Dos/DDoS Concepts Dos/DDoS Attack Tools
‘ Dos/DDoS Attack Techniques Countermeasures0
Botnets Dos/DDoS Protection Tools
Dos/DDoS Case Study Dos/DDoS Penetration Testing
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1496
This section describes DoS attack penetration testing and the steps involved in DoS attack penetration testing.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1497
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
Denial-of-Service (DoS) Attack Penetration Testing c
(•rtifwtfEHtUMJl Km Im
DoS attack should be incorporated into Pen testing to find out if the network server is susceptible to DoS attack
D ILךA vulnerable network cannot handle a large amount of traffic sent to it and subsequently crashes or slows down, thus preventing access by authentic users
נ נ ־ ] ]
The main objective of DoS Pen testing is to flood a target network with traffic, similar to hundreds of people repeatedly requesting a service, to keep the server busy and unavailable
Copyright © by E&Caunc!. All Rights Reserved. Reproduction is Strictly Prohibited.
DoS Pen Testing determines minimum thresholds for DoS attacks on a system, but the tester cannot ensure that the system is resistant to DoS attacks
r r
v ׳ ' :Ll_:--- ----- 1
^ - D e n i a l ־ o f ־ S e r v i c e ( D o S ) A t t a c k P e n e t r a t i o n T e s t i n g
In an attempt to secure your network, first you should try to find the security weaknesses and try to fix them as these weaknesses provide a path for attackers to break into your network. The main aim of a DoS attack is to lower the performance of the target website or crash it in order to interrupt the business continuity. A DoS attack is performed by sending illegitimate SYN or ping requests that overwhelm the capacity of a network. Legitimate connection requests cannot be handled when this happens. Services running on the remote machines crash due to the specially crafted packets that are flooded over the network. In such cases, the network cannot differentiate between legitimate and illegitimate data traffic. Denial-of-service attacks are easy ways to bring down a server. The attacker does not need to have a great deal of knowledge to conduct them, making it essential to test for DoS vulnerabilities. As a pen tester, you need to simulate the actions of the attacker to find the security loopholes. You need to check whether your system withstands DoS attacks (behaves normally) or it gets crashed. To check this, you need to follow a series of steps designed for DoS penetration test.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1498
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
Denial-of-Service (DoS) Attack Penetration Testing (cont’d)
Test the web server using automated tools such as Webserver Stress Tool, Web Stress Tester, and JMeterfor load capacity, server-side performance, locks, and other scalability issues
Scan the network using automated tools such as Nmap, GFI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks
Flood the target with connection request packets using tools such as DoS HTTP, Sprut, and PHP DoS
Use a port flooding attack to flood the port and increase the CPU usage by maintaining all the connection requests on the ports under blockade. Use tools Mutilate and PepsiS to automate a port flooding attack
Use tools Mail Bomber and Advanced Mail Bomber to send a large number of emails to a target mail server
Fill the forms with arbitrary and lengthy entries
START U ,
f
Flood the website form s and guestbook
w ith bogus en tries
Check for DoS vu ln e rab le system s
Run SYN a ttack on th e se rve r
Run em ail bom ber on th e em ail se rve rs
Run port flooding attacks on th e se rve r
Copyright © by EC-Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
\ D e n i a l ־ o f ־ S e r v i c e ( D o S ) A t t a c k P e n e t r a t i o n T e s t i n g
'® * י ( C o n t ’ d )
The series of DoS penetration testing steps are listed and described as follows:
Step 1: Define the objective
The first step in any penetration testing is to define the objective of the testing. This helps you to plan and determine the actions to be taken in order to accomplish the goal of the test.
Step 2: Test for heavy loads on the server
Load testing is performed by putting an artificial load on a server or application to test its stability and performance.
It involves the simulation of a real-time scenario. A web server can be tested for load capacity using the following tools:
© Webserver Stress Tool: Webserver Stress Tool is the software for load and performance testing of web servers and web infrastructures. It helps you in performing load test. It allows you to test your entire website at the normal (expected) load. For load testing you simply enter the URLs, the number of users, and the time between clicks of your website traffic. This is a "real-world" test.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1499
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
0 Web Stress Tester
Source: http://www.servetrue.com
Web Stress Tester is a tool that allows you to test the performance and stability of any Webserver and proxy server with SSL/TLS-enabled.
e JM eter
Source: http://imeter.apache.org
JMeter is an open-source web application load-testing tool developed by Apache. This tool is a Java application designed to load test functional behavior and measure performance. It was originally designed for testing web applications but has since expanded to other test functions.
Step 3: Check for DoS vulnerable systems
The penetration tester should check the system for a DoS attack vulnerability by scanning the network. The following tools can be used to scan networks for vulnerabilities:
© Nmap
Source: http://nmap.org
Nmap is a tool that can be used to find the state of ports, the services running on those ports, the operating systems, and any firewalls and filters. Nmap can be run from the command line or as a GUI application.
© GFI LANguard
Source: http://www.gfi.com
GFI LANguard is a security-auditing tool that identifies vulnerabilities and suggests fixes for network vulnerabilities. GFI LANguard scans the network, based on the IP address/range of IP addresses specified, and alerts users about the vulnerabilities encountered on the target system.
© Nessus
Source: http://www.nessus.org
Nessus is a vulnerability and configuration assessment product. It features configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis.
Step 4: Run a SYN attack on the server
A penetration tester should try to run a SYN attack on the main server. This is accomplished by bombarding the target with connection request packets. The following tools can be used to run SYN attacks: DoS HTTP, Sprut, and PHP DoS.
Step 5: Run port flooding attacks on the server
Port flooding sends a large number of TCP or UDP packets to a particular port, creating a denial of service on that port. The main purpose of this attack is to make the ports unusable and
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1500
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical HackerDenial of Service
increase the CPU's usage to 100%. This attack can be carried out on both TCP and UPD ports. The following tools can be used to conduct a port-flooding attack:
© Mutilate: Mutilate is mainly used to determine which ports on the target are open. This tool mainly targets TCP/IP networks. The following command is used to execute Mutilate:
mutilate <target _ IP> <port>Q Pepsi5: The Pepsi5 tool mainly targets UDP ports and sends a specifiable number and
size of datagrams. This tool can run in the background and use a stealth option to mask the process name under which it runs.
Step 6: Run an email bomber on the email servers
In this step, the penetration tester sends a large number of emails to test the target mail server. If the server is not protected or strong enough, it crashes. The tester uses various server tools that help send these bulk emails. The following tools are used to carry out this type of attack:
© Mail Bomber
Source: http://www.getfreefile.com/bomber.html
Mail Bomber is a server tool used to send bulk emails by using subscription-based mailing lists. It is capable of holding a number of separate mailing lists based on subscriptions, email messages, and SMTP servers for various recipients.
© Advanced Mail Bomber
Source: http://www.softheap.com
Advanced Mail Bomber is able to send personalized messages to a large number of subscribers on a website from predefined templates. The message delivery is very fast; it can handle up to 48 SMTP servers in 48 different threads. A mailing list contains boundless structured recipients, SMTP servers, messages, etc. This tool can also keep track of user feedback.
Step 7: Flood the website forms and guestbook with bogus entries
In this step, the penetration tester fills online forms with arbitrary and lengthy entries. If an attacker sends a large number of such bogus and lengthy entries, the data server may not be able to handle it and may crash.
Step 8: Document all the findings
In this step, the penetration tester should document all his or her test findings in the penetration testing report.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1501
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresDenial of Service
C EHModule Summary
□ Denial of Service (DoS) is an attack on a com puter or netw ork tha t prevents legitimate use o f its resources
□ A distributed denial-of-service (D D oS) attack is one in which a m ultitude of the com prom ised system s attack a single target, thereby causing denial o f service fo r users o f the targeted system
□ In tern et Relay Chat (IRC ) is a system fo r chatting that involves a set o f rules and conventions and client/server so ftw are
□ Various attack techniques are used perform a DoS attack such as bandw idth attacks, service request floods, SYN flooding attack, IC M P flood attack, Peer-to-Peer attacks etc.
□ Bots a re so ftw are applications that run autom ated tasks o ver the In ternet and perform simple repetitive tasks such as w eb spidering and search engine indexing
□ DoS detection techniques are based on identifying and discrim inating the illegitimate traffic increase and flash events from legitimate packet traffic
□ DoS Pen Testing determ ines m inimum thresholds for DoS attacks on a system , but the tester cannot ensure tha t the system is resistant to DoS attack
M o d u l e S u m m a r y
Q Denial of service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.
© A distributed denial-of-service (DDoS) attack is one in which a multitude of the compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
Q Internet Relay Chat (IRC) is a system for chatting that involves a set of rules and conventions and client/server software.
© Various attack techniques are used perform a DoS attack such as bandwidth attacks,service request floods, SYN flooding attacks, ICMP flood attacks, peer-to-peer attacks,etc.
© Bots are software applications that run automated tasks over the Internet and performsimple repetitive tasks such as web spidering and search engine indexing.
Q DoS detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic.
© DoS pen testing determines minimum thresholds for DoS attack on a system, but the tester cannot ensure that the system is resistant to DoS attacks.
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module 10 Page 1502