CEH v10: 10_Denial_of_Service
Denial-of-Service is a type of attack in which a service offered by a system or a network is denied. The service may be denied outright, its functionality reduced, or access to it prevented.
Symptoms of a DoS attack:
- Slow performance
- Increase in spam email
- Unavailability of a resource
- Loss of access to a website
- Disconnection of a wireless or wired internet connection
- Denial of access to any internet services
Distributed Denial of Service (DDoS)
In DDoS, multiple compromised systems are involved in attacking a target.
The attacker sends several connection requests to the server with a fake return address, so the server cannot find the user to send the connection approval to. The authentication process waits a certain time before closing the session. Because the attacker keeps sending requests, a large number of open connections accumulate on the server, leading to a denial of service.
Categories of DoS/DDoS Attacks
Volumetric Attacks
A denial-of-service attack performed by sending a high volume of traffic towards the target. Volumetric attacks focus on overloading the bandwidth capacity.
Fragmentation Attacks
DoS attacks which fragment the IP datagram into multiple smaller packets. These must be reassembled at the destination, which consumes the resources of routers.
- UDP and ICMP fragmentation attacks
- TCP fragmentation attacks
TCP State-Exhaustion Attacks
TCP state-exhaustion attacks target web servers, firewalls, load balancers and other infrastructure components, disrupting connections by exhausting their finite number of concurrent connections.
The most common state-exhaustion attack is the ping of death.
Application Layer Attacks / Layer 7 DDoS
An application-level attack overloads a particular service of a website or application.
DoS/DDoS Attack Techniques
Bandwidth Attacks
A bandwidth attack requires multiple sources to generate enough requests to overload the target. The goal is to consume the bandwidth completely.
Zombie servers or botnets are used to perform this type of attack.
Service Request Floods
The attacker floods a web service or server with requests until it is overloaded.
SYN Attack / Flooding
The attacker sends a large number of SYN requests to tie up a system. The victim waits for an acknowledgement from the source IP address, but none arrives because the source address is spoofed. This waiting period ties up a connection in the listen queue, which can be held for 75 seconds.
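As an added defender-side illustration (not part of the CEH notes) of the half-open connection build-up described here and under TCP state-exhaustion attacks: a Python check that reads a constructed listing in the shape of `ss -tn state syn-recv` output, counts half-open sockets, and compares them with an assumed listen backlog. The sample lines, the backlog size and the alert ratio are assumptions, not values from the notes.

```python
"""Spot SYN-flood style state exhaustion from half-open socket listings.

Teaching example added to these notes. The input is a constructed snippet in
the shape of `ss -tn state syn-recv` output; the backlog size is an assumption.
"""
from collections import Counter

# Constructed sample: one legitimate client plus seven spoofed sources, each
# leaving a single socket stuck in SYN-RECV (the "listen queue" of the notes).
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      10.0.0.5:443        198.51.100.7:40211
0      0      10.0.0.5:443        203.0.113.10:1025
0      0      10.0.0.5:443        203.0.113.11:1025
0      0      10.0.0.5:443        203.0.113.12:1025
0      0      10.0.0.5:443        203.0.113.13:1025
0      0      10.0.0.5:443        203.0.113.14:1025
0      0      10.0.0.5:443        203.0.113.15:1025
0      0      10.0.0.5:443        203.0.113.16:1025
"""


def parse_half_open(ss_output):
    """Return the peer IP of every socket listed in the SYN-RECV state."""
    peers = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        peers.append(fields[3].rsplit(":", 1)[0])  # drop the peer port
    return peers


def assess_backlog(peers, backlog=128, warn_ratio=0.5):
    """Compare the half-open count with the assumed listen backlog.

    A spoofed flood shows many distinct sources with one half-open socket
    each, so per-source counts stay low; the signal is how full the backlog
    is, since a full backlog is what denies service to new clients.
    """
    total = len(peers)
    fill = total / backlog
    return {
        "half_open": total,
        "distinct_sources": len(set(peers)),
        "backlog_fill": fill,
        "alert": fill >= warn_ratio,
        "top_sources": Counter(peers).most_common(3),
    }
```

On a live host the same logic applies to the real `ss` output; shortening the SYN-RECV hold time or enabling SYN cookies are the usual mitigations once the backlog fill is confirmed.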
ICMP Flood Attack
Flooding ICMP requests without waiting for responses overwhelms the resources of the network device.
Peer-to-Peer Attacks
These exploit bugs in peer-to-peer servers using Direct Connect (DC++), using one or more malicious hosts in a peer-to-peer network to perform the attack.
Permanent DoS Attack (PDoS)
A permanent DoS attack focuses on hardware sabotage, causing irreversible damage to the hardware. Affected hardware requires replacement or reinstallation of its software.
- Bricking a system: sending fraudulent hardware updates
Application Level Flood Attacks
The attacker finds faults and flaws in an application or operating system and exploits the vulnerability to gain control over a system.
Distributed Reflection Denial of Service (DRDoS)
The attacker uses an intermediary victim which redirects the traffic to a secondary victim. The secondary victim redirects the traffic to the target. The intermediary and secondary victims are used to spoof the source of the attack.
Botnets
The attacker compromises victims to make bots, which compromise other systems to create a botnet. These botnets are controlled by a Command and Control server owned by the attacker. This server is used to send instructions to perform the attack.