Sunday, November 6, 2016

How to prevent DDoS attacks?


DoS attacks are one of the most serious threats of today. We often hear about DoS attacks that temporarily or indefinitely suspend a service or an entire network. How are these DoS attacks perpetrated, and how can we prevent them? In this article we discuss exactly that.


What are DoS and DDoS Attacks?


A DoS or Denial of Service Attack is an attack perpetrated for the purpose of making a target machine or network resource unavailable to its intended users. This attack is usually made to temporarily or indefinitely suspend a service of a host connected to the internet.

DDoS Attack or Distributed Denial of Service Attack is an attack in which the traffic comes from multiple sources with different IP addresses. Basically, a DDoS attack is a DoS attack perpetrated from several source IP addresses. Using IP address spoofing, the attackers normally hide their own IP addresses, making it extremely hard to catch them.



 

Effects of DoS Attacks


As a result of a DoS attack, you may see:

  • Unusually slow network performance.
  • Unavailability of a particular website.
  • Dramatic increase in the number of spam emails received.
  • Loss of the internet connection.

The effects can sometimes be long term, or even last indefinitely.


Different Types of DoS Attacks


There are different types of DoS Attacks. Let's understand what each type of DoS Attack does:


UDP Flood Attack


A UDP Flood Attack floods random ports of a remote host with a large number of UDP packets. This forces the host to repeatedly check for an application listening on each port and to reply with ICMP Destination Unreachable packets when none is found. As a result, the host exhausts a considerable amount of its resources, leading to a DoS attack.


Internet Control Message Protocol Flood or ICMP Flood


The Smurf Attack is an attack of this type. In these attacks, the attacker sends a large number of ICMP broadcast packets, forging the victim's address as the source address. As a result, all the computers in the network send an overwhelming number of replies to the victim computer. The victim computer ends up consuming all its network bandwidth sending replies, and its resources become unavailable for legitimate purposes.


Ping Flood


In this attack, the attacker sends a large number of ICMP Echo Request or ping packets to the targeted victim's IP address, mostly by using the flood option of ping. As a result, the victim's machine responds to each ICMP packet with an ICMP Echo Reply packet and ends up exhausting all its network bandwidth, resulting in a DoS attack.



Ping of Death


A correctly formed ping packet is typically 56 bytes in size, but any IPv4 packet may be as large as 65,535 bytes. If the attacker sends a malformed, very large ping packet to the victim's IP address, the IP packet reaches the targeted victim split into multiple fragments. When the victim's machine reassembles the IP fragments, it ends up with an IP packet larger than 65,535 bytes. The victim's computer cannot handle that properly and a buffer overflow occurs. This can result in a system crash and potentially allow the injection of malicious code. This type of attack is called Ping of Death.


SYN Flood 


In a SYN Flood, the attacker sends an enormous number of connection requests to the victim server, often forging the source IP address. As a result, the victim server ends up spawning lots of half-open connections, sending back a TCP SYN-ACK packet for each and waiting for the response. But as the attacker has forged the source IP address, the SYN-ACK packets go to the wrong IP addresses and the server never gets a reply. These half-open connections saturate the maximum number of open connections the server can have, so the server can no longer respond to legitimate requests, resulting in a DoS attack.


Other Application Level Floods


In this sort of attack, the attacker floods the victim machine with legitimate-looking requests such as database lookups, search requests etc. It exploits conditions like buffer overflows, and fills up the disk space of the victim machine or consumes all its memory and CPU cycles. As a result, the victim machine exhausts all its computational resources, resulting in a DoS attack.


Banana Attack 


In this attack, the attacker redirects outgoing messages from the victim machine back to the machine itself. As a result, the machine ends up exhausting its own network bandwidth and becomes inaccessible from outside the network, resulting in a DoS attack.


Slowloris  


In this attack, the attacker's computer opens many connections to the victim machine's webserver and tries to keep them open as long as possible. It opens connections to the victim web server and sends partial requests. Periodically, it sends subsequent HTTP headers, but never completes those requests. As a result, the victim webserver keeps the maximum possible number of connections open and becomes inaccessible to legitimate connection requests.


NTP Amplification Attack


NTP or Network Time Protocol is a protocol used by machines connected to the internet to set their clocks accurately. These NTP servers are publicly accessible and can easily be found with tools like Metasploit and Nmap. An NTP Amplification Attack is an attack in which the attacker exploits these publicly available NTP servers and sends lots of UDP packets to the victim machine. As a result, the victim machine ends up sending long replies, which exhaust its resources.


HTTP Flood 


An HTTP Flood Attack is an attack in which the attacker sends a large number of legitimate-looking but malicious HTTP GET or HTTP POST requests to a webserver. These requests consume a significant amount of the server's resources. As a result, the webserver ends up exhausting its resources, resulting in a DoS attack.


Zero-day DoS Attack 


In this type of attack, the attacker exploits a vulnerability in software for which no patch has yet been released in order to perform the DoS attack. This is quite a popular attack among attackers.


DNS Amplification Attack 


In this attack, the attacker sends a large number of DNS queries to a DNS server, but forges the IP address of the victim machine as the source IP address of all the query packets. As a result, the DNS server sends all the responses to the victim machine. As DNS responses are much larger than the queries, they end up flooding the victim machine and consuming its bandwidth.


CHARGEN Attack 


CHARGEN is a character generation protocol that listens on TCP or UDP port 19 and continues to stream random characters until the connection is closed. For UDP, it responds to a request with a response of up to 512 bytes. In a CHARGEN Attack, the attacker sends a large number of requests with spoofed source IP addresses and floods the victim machine with UDP traffic on port 19, resulting in a DoS attack.


DrDoS Attack or Reflection DoS Attack  


In this attack, an attacker spoofs the source IP address and sends a large number of request messages to other hosts on the network. As the attacker uses the victim machine's IP address as the source IP address of the outgoing request messages, all the other hosts send their responses to the victim machine. If the attacker has much higher bandwidth than the victim machine, the victim machine receives so many responses that all its network bandwidth is used up. As a result, the victim machine is no longer available for legitimate requests, resulting in a DoS attack.


SSDP Reflection Attack 


SSDP or Simple Service Discovery Protocol is a protocol which enables network devices to smoothly connect with each other. It is part of the Universal Plug and Play or UPnP protocol standard and is used to connect devices such as computers, printers, internet gateways, Wi-Fi access points, mobile devices, cable modems, gaming consoles etc. In SSDP Reflection Attack, the attacker sends lots of falsified request messages and redirects the amplified responses to the victim machine. As a result, the victim machine gets flooded with the responses, resulting in a DoS attack. The concept of this attack is pretty new and it first appeared in July, 2014.


SNMP Attack 


SNMP or Simple Network Management Protocol is a protocol used to manage devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms etc. These devices transmit sensor readings and other variables over the network using this protocol. In an SNMP Attack, the attacker sends falsified SNMP requests and redirects the responses to the victim machine, flooding it with responses and resulting in a DoS attack.


SSL Flood 


When a server provides a secure connection to a client, it normally costs the server a large number of processing cycles. This type of attack exploits that. The attacker requests a large number of secure connections to the server, and the server spends its processing cycles responding to the illegitimate connections, leaving it unable to respond to the legitimate ones.


SSL Garbage Flood 


In an SSL Garbage Flood, the attacker sends a large number of malformed SSL requests to the victim machine. As these SSL requests consume a lot of the SSL server's computational resources, the victim machine ends up exhausting all its resources, resulting in a DoS attack.


TCP Null Attack 


In this attack, the attacker sends a large number of IP packets to the victim machine with the IPv4 headers filled with NULL. Firewalls configured for TCP, UDP and ICMP packets may allow these packets through. As a result, the enormous number of these packets floods the victim machine, consuming its bandwidth.


LAND Attack 


LAND stands for Local Area Network Denial. In this attack, the attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine, but uses the victim machine's IP address as both the source and the destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power and resulting in a DoS attack.



Teardrop Attacks 


In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the Operating System of the victim's machine cannot handle it properly, the machine will end up crashing, resulting in a DoS attack.

Peer-to-Peer Attacks  


In this attack, the attacker gains control over the clients of a peer-to-peer file sharing hub. He instructs the clients to disconnect from their peer-to-peer network and connect to the victim's machine instead. This results in hundreds of thousands of connection requests to the victim machine. As a result, the victim machine ends up exhausting all its computational resources, resulting in a DoS attack.


Slow Read Attack 


A Slow Read Attack sends a legitimate application layer request to the victim machine, but it reads the responses from the machine very slowly. The attacker advertises a very small number for the TCP Receive Window size and empties the victim machine's receive buffer slowly.


Smurf Attack  


In a Smurf Attack, the attacker creates a large number of ICMP packets with the intended victim's IP address as their source IP address and broadcasts them in a computer network using an IP broadcast address. As a result, the computers in the network send their responses to the victim machine, which gets flooded with responses, resulting in a DoS attack.


Fraggle Attack  


This type of attack is similar to the Smurf Attack, but instead of ICMP traffic, the attacker directs a large volume of forged UDP traffic at the victim machine.



Prevention of DoS Attacks


There are a number of ways to prevent DoS attacks. They can be defended against at the Application Layer, Transport Layer or Network Layer, or by profiling allowed traffic and filtering traffic accordingly.


Profiling Application Layer Traffic


DoS attacks can be defended against at the Application Layer by profiling incoming traffic to distinguish between humans, bots and hijacked web browsers, and filtering traffic based on that. Several techniques can be used to profile the incoming traffic. Various attributes like IP and ASN information, HTTP headers, variation in cookie support, JavaScript footprint etc can be used to classify client requests and filter out bots. Fingerprinting is often used to separate good bots from bad bots. Some DoS defense solutions also maintain visitor state across sessions within an application to isolate real users from repeat offenders.


Using Progressive Challenges


A set of progressive challenges can be used to isolate a legitimate human user from a malicious bot. Transparent challenges like cookie support or JavaScript execution can be used for this purpose. CAPTCHAs can also be used, so that a human can complete a CAPTCHA test and move ahead.
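The cookie-support stage of such a progressive challenge, as an added example that is not code from the original post: a client without a valid cookie is redirected back with a cookie that is HMAC-signed, bound to its IP and time-limited, so a browser passes on the retry while a bot that ignores cookies never reaches the application. The key, cookie name and TTL below are assumptions.

```python
import hashlib
import hmac
import time

# Hypothetical server-side key; load it from a secrets store in a real deployment.
SECRET = b"example-only-replace-with-a-random-32-byte-key"
TTL = 300  # seconds a solved challenge stays valid

def make_token(client_ip, now=None):
    """Issue a cookie value bound to the client IP and an expiry, signed with HMAC-SHA256."""
    exp = int(now if now is not None else time.time()) + TTL
    sig = hmac.new(SECRET, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"

def verify_token(token, client_ip, now=None):
    """Accept only a well-formed, unexpired cookie whose signature matches this IP."""
    try:
        exp_str, sig = token.split(".", 1)
        exp = int(exp_str)
    except (ValueError, AttributeError):
        return False
    if exp < (now if now is not None else time.time()):
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison

def handle_request(client_ip, cookies, now=None):
    """First stage of a progressive challenge. A client without a valid cookie is
    redirected back with Set-Cookie; a browser retries with the cookie and passes,
    while a flooding bot that ignores cookies never reaches the application."""
    token = cookies.get("ddos_chal")
    if token and verify_token(token, client_ip, now):
        return {"status": 200, "body": "application content"}
    cookie = f"ddos_chal={make_token(client_ip, now)}; HttpOnly; Path=/"
    return {"status": 302, "headers": {"Set-Cookie": cookie, "Location": "/"}, "body": ""}
```

A JavaScript-execution challenge or a CAPTCHA would be the next stage, applied only to clients that keep failing this one.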


Behavioral Anomaly Detection


Anomaly detection rules can be used to analyze behavioral patterns of incoming traffic and detect non-human traffic or traffic from hijacked or malware infected computers, which are often used to carry out a DDoS attack.
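Two such anomaly rules run over constructed web server access log lines, as an added example that is not code from the original post: a per-client sliding-window request rate that exposes an HTTP flood, and the share of 408 responses, which Apache logs when a client never completes its request, the Slowloris pattern from above. The log format, thresholds and all addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-style line: client IP, timestamp, request line, status, user agent.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) "([^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, ua = m.groups()
    return {"ip": ip, "t": datetime.strptime(ts, TS_FMT).timestamp(),
            "req": req, "status": int(status), "ua": ua}

def detect(lines, window=10, max_rate=30, max_timeout_ratio=0.5):
    """Flag IPs with non-human behaviour: more than max_rate requests in any window-second
    span (HTTP flood), or mostly 408 responses (Apache logs 408 when a client never
    completes its request, which is the Slowloris pattern)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        times = sorted(r["t"] for r in recs)
        peak = lo = 0
        for hi in range(len(times)):               # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        timeouts = sum(1 for r in recs if r["status"] == 408)
        reasons = []
        if peak > max_rate:
            reasons.append(f"{peak} requests in {window}s")
        if len(recs) >= 5 and timeouts / len(recs) > max_timeout_ratio:
            reasons.append(f"{timeouts}/{len(recs)} requests timed out (408)")
        if reasons:
            verdicts[ip] = reasons
    return verdicts

def _line(ip, sec, req="GET /search?q=test HTTP/1.1", status=200, ua="Mozilla/5.0"):
    # Constructed sample line; all addresses come from the documentation ranges.
    return f'{ip} - - [06/Nov/2016:10:00:{sec:02d} +0000] "{req}" {status} "{ua}"'

SAMPLE_LOG = (
    [_line("203.0.113.5", s) for s in (0, 4, 9)]                             # normal visitor
    + [_line("198.51.100.9", s // 5, ua="-") for s in range(200)]            # 5 req/s for 40 s
    + [_line("192.0.2.77", s, req="-", status=408) for s in range(0, 60, 6)]  # never finishes
)
```

Calling `detect(SAMPLE_LOG)` flags the flooding client and the slow client and leaves the normal visitor alone; the flagged addresses are what a rate limiter or WAF rule would then act on.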


Web Application Firewall


Application Layer firewalls can examine the payload of a packet and filter traffic based on that. They can allow or deny certain Application Layer requests coming from a user. Firewall rules can also be created to block malicious traffic on allowed ports.

You can find more on how Web Application Firewalls work here: Web Application Firewalls


Deep Packet Inspection


Deep Packet Inspection or DPI can look into the data part of a network packet and filter traffic accordingly. DPI can monitor the payload of each packet and detect protocols, applications, inappropriate URLs and intrusion attempts. It can also produce much more detailed logs, which help in dealing with security incidents. DPI can eliminate unwanted traffic before it can affect the entire network.

You can find more on how Deep Packet Inspection works here: Deep Packet Inspection


Using IDS/IPS


IDS/IPS can match packet signatures against the attack signatures present in a database and filter traffic accordingly. If the database is adequately populated, they can detect and prevent network attacks with far fewer false positives.

You can find more on how IDS and IPS work here: IDS and IPS


High Capacity Network Bandwidth


High capacity network bandwidth helps to a great extent in preventing Layer 3 and Layer 4 DDoS attacks. Layer 3 or Layer 4 DDoS attacks are usually only possible if the attackers' network bandwidth exceeds that of the attacked network. Hence, increasing the capacity of the network bandwidth does help.

