Wednesday, September 30, 2015

Some Major Attacks That You Need To Be Prepared For

Criminal perpetrators target sites and services hosted on web servers, such as banks and credit card payment gateways, for the purpose of revenge, blackmail or activism. No doubt we need to be prepared for these attacks and take preventive measures.

In some of my previous articles, I mentioned a few such attacks. In this article, I will write about some more major attacks that are most common in recent times and against which we need to be protected if we want to run our business successfully.

I think we have all heard about the Denial of Service attack, or DoS. What is it actually?

DoS is an attack whose purpose is to make a target machine or network resource unavailable to its intended users. The attack temporarily or indefinitely suspends a service of a host connected to the internet. As a result, you may see:

- Unusually slow network performance.
- Unavailability of a particular website.
- Dramatic increase in the number of spam emails received.
- Disconnection from the internet.

The effects can sometimes be long term, or even last for an indefinite time.

Is this DoS attack from a single source?

Not necessarily. Sometimes the attack may come from multiple sources with different IP addresses. Using IP address spoofing, the attackers may even hide their own IP addresses, making it extremely hard to catch them. Attacks of this type, coming from multiple sources, are called Distributed Denial of Service attacks, or DDoS.

A DoS can be carried out in various ways, and each attack is implemented differently.

Internet Control Message Protocol Flood or ICMP Flood : Smurf attacks, Ping Flood and Ping of Death are attacks of this sort. The attacker may send ICMP broadcast packets forging the victim's address as the source. As a result, all the computers in the network send an overwhelming number of replies to the victim computer, consuming its network bandwidth. Sometimes the attacker instead sends an enormous number of ICMP ping messages, or a malformed ping packet, to the victim computer. The victim then ends up consuming all its bandwidth sending replies, or, in the case of a malformed ping packet, it ends up crashing.

As I discussed earlier, the preventive measure against this sort of attack is to configure firewalls properly so that hosts stop responding to ping messages or broadcast messages.

SYN Flood : In a SYN Flood, the attacker often forges his IP address and sends an enormous number of connection requests to the victim server. As a result, the victim server ends up spawning lots of half-open connections, sending back TCP SYN-ACK packets and waiting for the response. But as the attacker has forged his IP address, the SYN-ACK packets go to the wrong IP addresses and the server never gets a reply. These half-open connections saturate the maximum number of open connections the server can have, and the server can no longer respond to legitimate requests.
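As an added example (not code from the original article), the following Python script shows how a defender would spot the half-open connection build-up described above: it parses a constructed `ss -tan` connection table and tells a flood spread across many forged source addresses apart from one coming from a single address. The `ss` column layout is the only thing assumed about real input; the thresholds are illustrative.

```python
"""Spot SYN-flood symptoms in a TCP connection table (`ss -tan` format).

Added example, not code from the original article. Thresholds are
illustrative assumptions; tune them to the server's normal traffic.
"""
from collections import Counter

# Constructed `ss -tan` output: two normal sessions plus half-open
# connections that each come from a different (likely forged) source.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      203.0.113.10:443    198.51.100.7:51234
ESTAB     0      0      203.0.113.10:443    198.51.100.8:40011
SYN-RECV  0      0      203.0.113.10:443    192.0.2.1:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.2:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.3:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.4:1025
SYN-RECV  0      0      203.0.113.10:443    192.0.2.5:1025
"""

def parse_connections(ss_text):
    """Yield (state, peer_ip) for every data row; the first row is the header."""
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        yield fields[0], fields[4].rsplit(":", 1)[0]   # drop the peer port

def analyse_half_open(ss_text, max_half_open=3, max_per_source=3):
    """Count half-open (SYN-RECV) connections and name the likely condition."""
    half_open = Counter()
    established = 0
    for state, ip in parse_connections(ss_text):
        if state == "SYN-RECV":
            half_open[ip] += 1
        elif state == "ESTAB":
            established += 1
    total = sum(half_open.values())
    busiest = max(half_open.values(), default=0)
    if busiest > max_per_source:
        verdict = "single-source SYN flood"
    elif total > max_half_open:
        # Many half-open connections but no repeat peer: forged source
        # addresses that will never answer the SYN-ACK.
        verdict = "spoofed-source SYN flood"
    else:
        verdict = "normal"
    return {"half_open": total, "established": established,
            "sources": len(half_open), "verdict": verdict}
```

On a real host the `ss -tan` text would come from running the command; a spoofed-source verdict is the case where SYN cookies or a shorter SYN-RECV timeout, rather than blocking one address, are the useful response.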

Other Application Level Flood : In this sort of attack, the attacker exploits a few conditions, such as a buffer overflow, to fill up the disk space of the victim machine or consume all its memory and CPU cycles. The attacker can even redirect outgoing messages from the victim machine back to the machine itself, cutting the victim machine off from the outside network. This particular type of attack is also called a 'Banana Attack'.

Teardrop Attacks : In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the victim's operating system cannot handle it properly, the machine ends up crashing.

Peer-to-Peer Attacks : In this attack, the attacker gains control over the clients of a peer-to-peer file sharing hub and instructs them to disconnect from their peer-to-peer network and connect to the victim's website instead. This results in hundreds of thousands of connection requests to the victim machine, which ends up exhausting all its computational resources, resulting in a DoS.

HTTP POST DDoS Attack : In this attack, the attacker sends a legitimate HTTP POST header to the victim machine, but then sends the actual message body at an extremely slow rate. The entire message is well-formed, so the victim machine keeps waiting for the whole body to arrive, slowing down the entire system. The main problem with this sort of attack is that it is very difficult to distinguish the attacking connection from a legitimate one, so it easily bypasses security mechanisms.

Slow Read Attack : A Slow Read Attack sends a legitimate application layer request to the victim machine but reads the response very slowly. The attacker advertises a very small TCP receive window size and empties the victim machine's receive buffer slowly.
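The two slow attacks above (the slow HTTP POST body and the slow read) share one mitigation: after a grace period, a connection must keep moving data at a minimum byte rate or it is dropped, which is what a web server's request-timeout setting enforces. The following Python is an added example, not code from the original article; the connection traces, thresholds and function names are constructed for illustration.

```python
"""Flag slow-rate HTTP connections (slow POST body, slow read of responses).

Added example, not code from the original article. It applies the defence
a web server's request-timeout setting applies: after a grace period, a
connection must keep moving data at a minimum byte rate or be dropped.
Thresholds and the sample traces are assumptions constructed to illustrate.
"""
GRACE_SECONDS = 10        # assumed: judge no connection younger than this
MIN_BYTES_PER_SEC = 500   # assumed minimum sustained rate, either direction

# Constructed traces: (seconds since connection start, cumulative bytes moved)
SAMPLE_CONNECTIONS = {
    "legit-post": [(0, 0), (5, 1_000_000), (11, 2_000_000)],   # 2 MB in 11 s
    "slow-post": [(0, 0), (10, 10), (20, 20), (30, 30)],       # 1 byte/s body
    "slow-read": [(0, 0), (2, 8192), (15, 8192), (30, 8200)],  # tiny window
    "just-opened": [(0, 0), (3, 1500)],                        # too young
}


def classify(trace, grace=GRACE_SECONDS, min_rate=MIN_BYTES_PER_SEC):
    """Return 'ok', 'slow' or 'too-early' for one connection trace.

    The rate is measured over the trailing `grace` seconds rather than the
    whole lifetime, so a client that was fast at first but then stalls is
    still caught, while a client that is merely bursty is not.
    """
    if len(trace) < 2:
        return "too-early"
    t_now, b_now = trace[-1]
    if t_now < grace:
        return "too-early"
    t_ref, b_ref = trace[0]
    for t, b in trace:            # last sample at or before the window start
        if t <= t_now - grace:
            t_ref, b_ref = t, b
        else:
            break
    if t_now <= t_ref:            # no elapsed time to measure a rate over
        return "too-early"
    rate = (b_now - b_ref) / (t_now - t_ref)
    return "ok" if rate >= min_rate else "slow"


def audit(connections):
    """Classify every tracked connection; 'slow' ones are candidates to drop."""
    return {name: classify(trace) for name, trace in connections.items()}
```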

Reflected Attack : This is a DDoS attack in which the attacker forges the IP address of the victim machine and sends a large number of request messages to a large number of other computers. All those machines respond to the requests they received, but all the responses go to the victim machine, eating up its bandwidth.

SSL Flood : When a server provides a secure connection to a client, this normally costs the server a large amount of processing cycles. This type of attack exploits that. The attacker requests a large number of secure connections to the server, and the server spends its processing cycles responding to the illegitimate connections and cannot respond to the legitimate ones.

Fraggle Attack : This type of attack is similar to a Smurf Attack, but instead of ICMP traffic the attacker sends a large amount of forged UDP traffic to the victim machine.

LAND Attack : This is a Local Area Network Denial attack. The attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine, but uses the victim machine's IP address as both the source and the destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power.

DNS Amplification Attack : In this attack, the attacker sends a large number of DNS queries to a DNS server, forging the IP address of the victim machine as the source IP. As a result, the DNS server sends all its responses to the victim machine. Since DNS responses are much larger than the queries, the responses flood the victim machine and consume its bandwidth.

TCP Null Attack : In this attack the attacker sends a large number of IP packets to the victim machine with the IPv4 headers filled with NULL. Firewalls configured for TCP, UDP and ICMP packets may let these packets through. As a result, the enormous number of these packets floods the victim machine, consuming its bandwidth.

If I continued, perhaps the list would never end, and that would only flood the article with information. I wanted to keep it short, so I mentioned only the most common attacks.

Knowing about the possible attacks is the very first step towards protecting against them. So, if you think this article has helped you, or you want to add valuable information to it, please feel free to share your feedback, comments or opinions.
