CEH v10: 10_Denial_of_Service

Basic

Denial of Service (DoS) is a type of attack in which a service offered by a system or network is denied to its legitimate users. The service may be made completely unavailable, reduced in functionality, or access to it may be blocked.

Symptoms of DoS attack:

  • Slow performance
  • Increase in spam email
  • Unavailability of a resource
  • Loss of access to a website
  • Disconnection of a wireless or wired internet connection
  • Denial of access to any internet services

Distributed Denial of Service (DDoS)

In a DDoS, many compromised systems are used together to attack a single target.

A typical mechanism: the attacker sends many connection requests to the server with spoofed (fake) return addresses, so the server cannot deliver its connection approval to anyone. The server holds each half-open session for a fixed time before giving up and closing it. Because requests keep arriving faster than the timeouts expire, the number of open connections on the server grows until it can no longer serve legitimate users. (This is the SYN-flood mechanism described below; in a DDoS it is run from many compromised hosts at once.)

Categories of DoS/DDoS Attacks

Volumetric Attacks

A denial of service performed by sending a very large amount of traffic towards the target. Volumetric attacks focus on saturating the bandwidth of the target's network link, measured in bits or packets per second.

Fragmentation Attacks

DoS attacks which fragment IP datagrams into many smaller packets. The fragments must be reassembled at the destination, which consumes memory and CPU on the receiving host and on any routers or firewalls that reassemble traffic in line. Fragments that never complete a datagram sit in the reassembly buffer until they time out.

Types:

  • UDP and ICMP fragmentation attacks
  • TCP fragmentation attacks

TCP-State-Exhaustion Attacks

TCP state-exhaustion attacks target web servers, firewalls, load balancers and other infrastructure components and disrupt connections by exhausting the finite number of concurrent connections (state-table entries) these devices can track.

The classic state-exhaustion attack is the SYN flood (see SYN Attack / Flooding below), which fills the server's half-open connection table. Ping of death, sometimes listed here, is really a malformed-packet attack delivered through oversized fragmented ICMP datagrams rather than a state-exhaustion attack.

Application Layer Attacks / Layer 7 DDoS

An application-level attack overloads a particular service of a website or application (for example a search or login endpoint) rather than the network link, so it can succeed with far less traffic than a volumetric attack.

DoS/DDoS Attack Techniques

Bandwidth Attacks

A bandwidth attack requires multiple sources generating requests at the same time to overload the target. The goal is to consume the target's bandwidth completely.

Zombie servers (botnets) are used to perform this type of attack.

Service Request Floods

The attacker floods a web service or server with requests until it is overloaded and can no longer answer legitimate clients.
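The usual first defence against the application-layer and service-request floods described above is per-client rate limiting. The following script is an added example for these notes, not CEH course material: it replays constructed access-log lines (documentation IP ranges, Apache/Nginx combined format) through a token bucket per client IP and reports which requests would be served and which rejected. The rate and burst figures are assumptions chosen for the demo.

```python
"""Per-client token-bucket rate limiting applied to web-server access-log lines.

Added example for the CEH notes above; it is not course material. The log
lines are constructed (documentation IP ranges) in Apache/Nginx combined
format, and the rate/burst figures are assumptions chosen for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 fires 6 requests at the /search endpoint
# within one second (a request flood); 198.51.100.4 browses at a normal pace.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=1 HTTP/1.1" 200 8192
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=2 HTTP/1.1" 200 8192
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=3 HTTP/1.1" 200 8192
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=4 HTTP/1.1" 200 8192
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=5 HTTP/1.1" 200 8192
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=6 HTTP/1.1" 200 8192
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=7 HTTP/1.1" 200 8192
198.51.100.4 - - [10/Oct/2023:13:55:39 +0000] "GET /contact HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (ip, unix_time, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return m.group("ip"), ts, path


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(log_text, rate=2.0, burst=3):
    """Replay log lines through one bucket per client IP; return (ip, path, allowed)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    decisions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the limiter
        ip, ts, path = rec
        decisions.append((ip, path, buckets[ip].allow(ts)))
    return decisions


def summarize(decisions):
    """Map client IP -> (allowed, rejected) counts."""
    out = defaultdict(lambda: [0, 0])
    for ip, _path, ok in decisions:
        out[ip][0 if ok else 1] += 1
    return {ip: tuple(v) for ip, v in out.items()}


if __name__ == "__main__":
    for ip, path, ok in rate_limit(SAMPLE_LOG):
        print(f"{ip:14} {path:14} {'allow' if ok else 'REJECT (429)'}")
    print(summarize(rate_limit(SAMPLE_LOG)))
```

With the demo settings (2 requests/s sustained, burst of 3) the flooding client gets its first three requests served, the next three rejected, and is served again once the bucket has refilled; the normal client is never throttled. In production the same logic sits in a reverse proxy or WAF and keys on more than the source address, since a distributed flood spreads requests over many IPs.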

SYN Attack / Flooding

The attacker sends a large number of SYN requests to tie up the system. The victim replies to each with a SYN-ACK and waits for the final ACK from the source IP address, but none ever arrives because the source address is spoofed. Each half-open connection occupies a slot in the listen queue for the whole waiting period, classically around 75 seconds, so the queue fills and legitimate SYNs are dropped.
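The following model, added for these notes and not part of the CEH material, makes the listen-queue exhaustion described above (and in the DDoS section earlier) concrete: spoofed SYNs occupy half-open slots until a timeout, a legitimate client tries to connect once a second, and the same run is repeated with a shorter SYN_RECV timeout and with SYN cookies, which keep no per-connection state. Backlog size, arrival rates and the 75 s timeout are assumptions for the model.

```python
"""Model of a TCP listen queue under a SYN flood, with and without SYN cookies.

Added example for the CEH notes above, not course material. A half-open
(SYN_RECV) entry holds a backlog slot until the client's ACK completes the
handshake or the timeout expires; spoofed SYNs never ACK. Backlog size,
arrival rates and the 75 s timeout are assumptions for the model.
"""
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    backlog: int
    timeout: float = 75.0            # classic SYN_RECV wait cited in the notes
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # src -> expiry time
    dropped: int = 0

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, now, src):
        """Server receives a SYN. Returns True if a SYN-ACK is sent."""
        self._expire(now)
        if self.syn_cookies:
            # State is encoded in the SYN-ACK sequence number; no slot consumed.
            return True
        if len(self.half_open) >= self.backlog:
            self.dropped += 1             # queue full: SYN silently dropped
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, now, src):
        """Third handshake packet. Returns True if the connection is established."""
        self._expire(now)
        if self.syn_cookies:
            # A real kernel validates the cookie carried in the ACK number here;
            # the model assumes a well-formed cookie from a genuine client.
            return True
        if src in self.half_open:
            del self.half_open[src]
            return True
        return False                       # SYN was dropped earlier or timed out


def simulate(backlog=256, spoofed_rate=100, duration=10, timeout=75.0, syn_cookies=False):
    """Spoofed SYNs arrive at spoofed_rate/s from never-repeating sources;
    one legitimate client connects (SYN, then ACK) once per second."""
    events = []
    for s in range(duration):
        for i in range(spoofed_rate):
            events.append((s + i / spoofed_rate, "syn", ("spoofed", s * spoofed_rate + i)))
        events.append((s + 0.505, "syn", ("client", s)))
        events.append((s + 0.506, "ack", ("client", s)))
    events.sort(key=lambda e: e[0])

    q = ListenQueue(backlog=backlog, timeout=timeout, syn_cookies=syn_cookies)
    legit_ok = 0
    for t, kind, src in events:
        if kind == "syn":
            q.on_syn(t, src)
        elif q.on_ack(t, src):
            legit_ok += 1
    return {
        "legit_accepted": legit_ok,
        "legit_attempts": duration,
        "syns_dropped": q.dropped,
        "half_open_at_end": len(q.half_open),
    }


if __name__ == "__main__":
    print("no defence:    ", simulate())
    print("1 s timeout:   ", simulate(timeout=1.0))
    print("SYN cookies:   ", simulate(syn_cookies=True))
```

With the defaults, 100 spoofed SYNs per second fill a 256-entry backlog in a little over two and a half seconds; after that every SYN, legitimate or not, is dropped and the 256 half-open entries are still there when the run ends because the 75 s timeout never fires. Cutting the timeout to one second keeps the queue under 100 entries and every legitimate client gets in, and with SYN cookies the queue is never used at all. The model ignores SYN-ACK retransmissions and the cookie's loss of TCP options, which is why real kernels only switch cookies on once the backlog overflows.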

ICMP Flood Attack

Flooding a device with ICMP echo requests (pings) without waiting for the responses overwhelms the resources of the network device, which must process and answer every one.

Peer-to-Peer Attacks

Exploits bugs in peer-to-peer servers that use the Direct Connect (DC++) protocol. One or more malicious hosts in the peer-to-peer network are used to perform the attack.

Permanent DoS Attack (PDoS)

A permanent DoS attack is focused on hardware sabotage and causes irreversible damage to the hardware. Affected devices require replacement, or at least reinstallation of their firmware or software.

Methods:

  • Phlashing
  • Bricking a system: sending fraudulent firmware or hardware updates that leave the device unusable

Application Level Flood Attacks

The attacker finds faults and flaws in an application or operating system and exploits the vulnerability to gain control over the system, or to crash or overload the application.

Distributed Reflection Denial of Service (DRDoS)

The attacker uses intermediary victims (compromised zombies) to send requests to secondary victims (reflectors) with the source address spoofed to that of the target. The reflectors answer the spoofed address, so their traffic lands on the target. Both tiers hide the true origin of the attack, and where the reply is larger than the request the reflectors also amplify it.
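Seen from the target, reflected traffic is a stream of responses it never requested, and an ICMP or volumetric flood is simply an inbound packet or byte rate far above normal. The following detector is an added example for these notes (not CEH material) and covers the ICMP flood and volumetric attacks described earlier as well as DRDoS: it runs over constructed flow records (documentation IP ranges, with 192.0.2.10 as the protected host), flags inbound UDP from common amplifier ports that match no outbound request, and flags time windows whose inbound ICMP packet rate exceeds a threshold. Thresholds and port list are assumptions for the demo.

```python
"""Flow-record detection for ICMP floods and reflection (DRDoS) traffic.

Added example for the CEH notes above, not course material. The flow
records are constructed (documentation IP ranges); 192.0.2.10 plays the
protected host, and the thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict

PROTECTED = "192.0.2.10"
# UDP services commonly abused as reflectors/amplifiers
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed flows: (ts, src, sport, dst, dport, proto, packets, bytes)
FLOWS = [
    (0.00, "192.0.2.10", 50231, "198.51.100.53", 53, "udp", 1, 64),      # our DNS query
    (0.05, "198.51.100.53", 53, "192.0.2.10", 50231, "udp", 1, 120),     # its answer
    (0.20, "203.0.113.9", 123, "192.0.2.10", 50000, "udp", 40, 19200),   # NTP reply we never asked for
    (0.30, "203.0.113.10", 53, "192.0.2.10", 50001, "udp", 30, 90000),   # DNS reply we never asked for
    (1.00, "198.51.100.7", 0, "192.0.2.10", 0, "icmp", 5, 400),          # ordinary ping
    (2.10, "203.0.113.21", 0, "192.0.2.10", 0, "icmp", 400, 600000),     # echo-request flood,
    (2.40, "203.0.113.22", 0, "192.0.2.10", 0, "icmp", 400, 600000),     # three sources,
    (2.70, "203.0.113.23", 0, "192.0.2.10", 0, "icmp", 400, 600000),     # 1200 pkts in one second
    (3.20, "198.51.100.7", 0, "192.0.2.10", 0, "icmp", 5, 400),
]


def detect_reflection(flows, protected=PROTECTED):
    """Flag inbound UDP from an amplifier port that answers no request of ours.

    A reflected flow arrives because the attacker spoofed our address towards
    the reflector, so from our side it is an unsolicited response."""
    requests = set()
    alerts = []
    for _ts, src, sport, dst, dport, proto, _pkts, nbytes in sorted(flows):
        if proto != "udp":
            continue
        if src == protected and dport in REFLECTOR_PORTS:
            requests.add((dst, dport, sport))      # we asked dst:dport from local port sport
        elif dst == protected and sport in REFLECTOR_PORTS:
            if (src, sport, dport) not in requests:
                alerts.append((src, REFLECTOR_PORTS[sport], nbytes))
    return alerts


def detect_icmp_flood(flows, protected=PROTECTED, window=1.0, pps_threshold=500):
    """Sum inbound ICMP packets per time window and report windows above the
    threshold together with the number of distinct sources (many sources
    means a distributed flood)."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for ts, src, _sp, dst, _dp, proto, n, _b in flows:
        if proto == "icmp" and dst == protected:
            b = int(ts // window)
            pkts[b] += n
            srcs[b].add(src)
    return [(b * window, pkts[b] / window, len(srcs[b]))
            for b in sorted(pkts) if pkts[b] / window > pps_threshold]


if __name__ == "__main__":
    for src, svc, nbytes in detect_reflection(FLOWS):
        print(f"unsolicited {svc} response from {src}: {nbytes} bytes")
    for start, pps, nsrc in detect_icmp_flood(FLOWS):
        print(f"ICMP flood at t={start:.0f}s: {pps:.0f} pkt/s from {nsrc} sources")
```

On the sample, the DNS answer from 198.51.100.53 is matched to our own query and ignored, while the NTP and DNS replies from 203.0.113.9 and 203.0.113.10 are reported as reflected traffic; the three-source burst in the third second is reported as a flood of 1200 packets per second. Summing bytes instead of packets in the same windows gives the volumetric check. A stateful firewall applies the request-matching rule in real time, which is why reflected UDP is best dropped at the edge before it reaches the host.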

Botnet

The attacker compromises victims to turn them into bots, which in turn compromise other systems to build a botnet. The botnet is controlled by a Command and Control (C2) server operated by the attacker, which sends the bots the instructions to launch the attack.