Ddos Module 10

The document provides a comprehensive overview of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, detailing their definitions, techniques, effects, and countermeasures. It explains how these attacks overwhelm systems with bogus requests from single or multiple sources, leading to service unavailability for legitimate users. Additionally, it outlines prevention strategies, detection techniques, and the importance of incorporating DoS testing in penetration testing plans to enhance network security.

Uploaded by dev.aaliyan

DoS attack – Denial of Service attack / single source

DDoS attack – Distributed Denial of Service attack / multiple sources

What is a DoS attack?

• A purposeful, intentional attack
• Aimed at a target resource: a service, web application, system, or its bandwidth
• The target is overloaded / over-burdened with bogus requests
• Bogus request – a false or fraudulent request that exists only to consume resources
• Goal: overload the server
• The server is overwhelmed by the number of incoming requests; this is known as a DoS attack

Important Points

• In a DoS attack, all of these fake / bogus requests are generated from a single source
• Multiple sources: when the false requests are generated from many sources at once, this is known as a DDoS attack
• Legitimate users are denied access to the resource


[Figure: many requests generated from a single source; the server cannot handle them – a DoS attack]

[Figure: many requests generated from multiple sources; the server cannot handle them – a DDoS attack]
What is a Denial-of-Service Attack?

• Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate users.
• In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources.
• A DoS attack leads to unavailability of a particular website and slows network performance.
What are Distributed Denial of Service Attacks?

• A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system.
• To launch a DDoS attack, an attacker uses a botnet to attack a single system.
• Bots – the compromised machines; n compromised machines make n bots
• Botnet – the network of bots, all under the attacker's control
• C&C (command and control) – the server through which the attacker issues commands to all the bots simultaneously; controlling every bot at once is the role of the C&C server
DoS/DDoS Attack Techniques

• Bandwidth Attacks and Service Request Floods
• SYN Flooding Attack
• ICMP Flood Attack (ping flooding; not to be confused with ping of death, which crashes a host with a single oversized ICMP packet rather than a flood)
• Peer-to-Peer Attacks
• Application-Level Flood Attacks
• Permanent Denial-of-Service Attack
• Distributed Reflection Denial of Service (DrDoS)
Bandwidth Attacks

• A single machine usually cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created, where an attacker uses several computers to flood a victim.
• When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed by the sudden statistical change in the network traffic.
• Attackers use botnets to carry out DDoS attacks by flooding the network with ICMP ECHO packets.
• Basically, all of the link's bandwidth is consumed and none remains for legitimate use.
Service Request Floods

• An attacker or group of zombies attempts to exhaust server resources by repeatedly setting up and tearing down TCP connections.
• Service request flood attacks flood servers with a high rate of connections from valid (non-spoofed) sources, so they cannot simply be filtered on source address.
• The attacker initiates a request on every connection, so the server does real work for each one.

SYN Attack

• The attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses.
• The target machine sends back a SYN/ACK in response to each request and waits for the ACK to complete the session setup.
• The target machine never gets the ACK because the source address is fake, so each connection stays half-open.
SYN Flooding

• SYN flooding takes advantage of how most hosts implement the TCP three-way handshake.
• When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" (the SYN backlog) until the handshake completes or times out; the slide quotes a hold time of at least 75 seconds for older stacks.
• A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN/ACK.
• The victim's listen queue quickly fills up, and new SYNs, including legitimate ones, are dropped.
• Holding each incomplete connection for tens of seconds means even a modest SYN rate can be cumulatively used as a Denial-of-Service attack.
• Caveat: modern stacks shorten the SYN/ACK retransmission timers and fall back to SYN cookies when the backlog fills, so plain SYN floods are far less effective against them; the backlog is still finite, though, and the principle still applies.
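The arithmetic behind "hold each half-open connection for 75 seconds" is worth seeing rather than stating. The following is an added example, not code from the slides: a discrete-time model of the listen queue in which each spoofed SYN occupies a backlog slot for `timeout` seconds and legitimate SYNs are dropped once the backlog is full. The backlog size, hold time and rates passed in are assumptions for illustration, not measurements of any real stack.

```python
"""Added example (not from the slides): a discrete-time model of the TCP
listen queue.  Each spoofed SYN that never gets its ACK occupies a backlog
slot for `timeout` seconds; once the backlog is full, new SYNs, legitimate
ones included, are dropped.  All parameters are assumed values."""
from collections import deque


def min_flood_rate(backlog, timeout):
    """Steady SYN/s needed to keep `backlog` half-open slots occupied when
    each slot is held for `timeout` seconds (backlog / timeout)."""
    return backlog / timeout


def simulate_backlog(backlog, timeout, attack_rate, legit_rate, duration):
    """Simulate `duration` seconds in 1 s steps.

    attack_rate: spoofed SYNs per second; the SYN/ACK reply goes to a fake
                 address, so each entry stays half-open until it times out.
    legit_rate:  genuine SYNs per second; these complete the handshake at
                 once, so they need a free slot but do not keep it.
    Returns (legitimate_syns_total, legitimate_syns_dropped).
    """
    half_open = deque()          # expiry times of half-open entries, FIFO
    total = dropped = 0
    for now in range(duration):
        # entries whose hold time has elapsed leave the queue
        while half_open and half_open[0] <= now:
            half_open.popleft()
        # worst case for the victim: the attacker's SYNs arrive first
        for _ in range(attack_rate):
            if len(half_open) < backlog:
                half_open.append(now + timeout)
        # legitimate clients get whatever slots remain
        for _ in range(legit_rate):
            total += 1
            if len(half_open) >= backlog:
                dropped += 1
    return total, dropped


if __name__ == "__main__":
    # Assumed parameters: 128-entry backlog, 75 s hold (the figure quoted
    # on the slide), 2 spoofed SYN/s versus 1 legitimate SYN/s for 120 s.
    print("SYN/s to saturate:", min_flood_rate(128, 75))   # 1.7066...
    print(simulate_backlog(128, 75, 2, 1, 120))             # (120, 57)
```

With a 128-entry backlog held for 75 seconds, under two spoofed SYNs per second is enough to keep the queue full, and once it is full (after 64 seconds here) every legitimate SYN is refused. One spoofed SYN per second never fills it, which is the whole attacker's calculation: rate times hold time versus backlog size.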
ICMP Flood Attack

• An ICMP flood attack is a type of DoS attack in which perpetrators send a large number of ICMP packets, directly or through reflection networks, to the victim, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.
• To protect against ICMP flood attacks, set a threshold (ICMP packets per second); when it is exceeded, the ICMP flood protection feature on the firewall or router starts rate-limiting or dropping ICMP.
Effects of a DoS attack

• Financial loss
• Loss of customers

How to prevent a DoS attack

• Cloudflare (or a similar CDN / DDoS mitigation service): traffic is routed through the provider's network, which absorbs and filters the flood before it reaches the origin server
Detection Techniques

• Detection techniques are based on identifying and discriminating illegitimate traffic increases from legitimate packet traffic, including flash events (sudden bursts of genuine demand that look like an attack).
• All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.

1. Activity Profiling
2. Wavelet-based Signal Analysis
3. Changepoint Detection
Activity Profiling

• Activity profiling monitors the network packets' header information and calculates the average packet rate for each network flow, where a flow consists of consecutive packets with similar packet fields (source/destination address, protocol, port).
• An attack is indicated by:
  • An increase in activity levels among the network flow clusters (DoS: the same flows get much busier).
  • An increase in the overall number of distinct clusters (DDoS: many new sources appear at once).
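To make the two indicators concrete, here is an added example (not code from the slides) that builds an activity profile from packet headers: packets are grouped into flows by (source, destination, protocol, destination port), each time window gets a distinct-flow count and an average per-flow packet rate, and later windows are flagged when either figure exceeds a multiple of the baseline. The packet records, window size and factor are constructed assumptions.

```python
"""Added example (not from the slides): activity profiling over packet
headers.  Flows are packets sharing header fields; per window we compute
the number of distinct flows and the average packet rate per flow, then
flag windows that jump well above the baseline.  Records are constructed."""
from collections import Counter
from statistics import mean


def flow_key(pkt):
    """A flow: consecutive packets sharing these header fields."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])


def profile(packets, window):
    """Return [(window_start, distinct_flows, avg_pkts_per_flow_per_sec)]
    for consecutive windows of `window` seconds (empty windows are skipped)."""
    buckets = {}
    for p in packets:
        start = (p["ts"] // window) * window
        buckets.setdefault(start, Counter())[flow_key(p)] += 1
    result = []
    for start in sorted(buckets):
        flows = buckets[start]
        result.append((start, len(flows), mean(flows.values()) / window))
    return result


def flag_windows(prof, baseline_windows, factor=5.0):
    """Compare each later window with the mean of the first `baseline_windows`.
    Many more distinct flows -> DDoS-like (new sources); the same flows at a
    much higher rate -> DoS-like.  Returns [(window_start, [reasons])]."""
    base = prof[:baseline_windows]
    base_flows = mean(w[1] for w in base)
    base_rate = mean(w[2] for w in base)
    flagged = []
    for start, nflows, rate in prof[baseline_windows:]:
        reasons = []
        if nflows > factor * base_flows:
            reasons.append("distinct-flows")
        if rate > factor * base_rate:
            reasons.append("packet-rate")
        if reasons:
            flagged.append((start, reasons))
    return flagged


def constructed_packets():
    """Constructed header records (not a capture): 30 s of baseline from
    three clients at 1 pkt/s, then 10 s in which 60 distinct sources each
    send 1 pkt/s (DDoS-like), then 10 s in which the three clients send
    20 pkt/s each (DoS-like)."""
    def pkt(ts, src):
        return {"ts": ts, "src": src, "dst": "203.0.113.5",
                "proto": "tcp", "dport": 80}
    pkts = []
    for ts in range(30):
        pkts += [pkt(ts, f"10.0.0.{i}") for i in range(1, 4)]
    for ts in range(30, 40):
        pkts += [pkt(ts, f"198.51.100.{i}") for i in range(1, 61)]
    for ts in range(40, 50):
        pkts += [pkt(ts, f"10.0.0.{i}") for i in range(1, 4)] * 20
    return pkts


if __name__ == "__main__":
    prof = profile(constructed_packets(), window=10)
    for row in prof:
        print(row)
    print(flag_windows(prof, baseline_windows=3))
    # [(30, ['distinct-flows']), (40, ['packet-rate'])]
```

The two flagged windows show the distinction the slide draws: the 30 s window has 60 flows where the baseline had 3 (a distributed source set), while the 40 s window has the same 3 flows at twenty times the rate. Real deployments learn the baseline continuously and must also whitelist known flash events, otherwise a product launch looks identical to the first case.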
Wavelet-based Signal Analysis

• Wavelet analysis describes an input signal in terms of spectral components.

• Wavelets provide for concurrent time and frequency description.

• Analyzing each spectral window's energy determines the presence of anomalies.

• Signal analysis determines the time at which certain frequency components are
present.
Sequential Change-Point Detection

• Isolate Traffic: change-point detection algorithms isolate changes in network traffic statistics caused by attacks.
• Filter Traffic: the algorithms filter the target traffic data by address, port, or protocol and store the resultant flow as a time series.
• Identify Attack: the sequential change-point detection technique uses the Cumulative Sum (CUSUM) algorithm to identify and locate DoS attacks; the algorithm accumulates the deviations of the actual versus the expected local average in the traffic time series and raises an alarm when the sum crosses a threshold.
• Identify Scan Activity: this technique can also be used to identify the typical scanning activity of network worms.
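The three steps above (filter by protocol, build a time series, run CUSUM against the expected local average) fit in a short script. This is an added example, not the slides' code: the records, the training length, the drift and the threshold are constructed assumptions, not tuned values.

```python
"""Added example (not from the slides): sequential change-point detection
with a one-sided CUSUM.  Traffic records are filtered by protocol into a
packets-per-second series, the expected local average is learned from the
first `train` seconds, and positive deviations accumulate until a threshold
is crossed.  Records, drift and threshold are constructed assumptions."""
from statistics import mean


def to_series(records, proto, duration):
    """Filter (timestamp_sec, protocol) records by protocol and bin them
    into packets per second for t in [0, duration)."""
    series = [0] * duration
    for ts, rec_proto in records:
        if rec_proto == proto and 0 <= ts < duration:
            series[ts] += 1
    return series


def cusum_alarm(series, train, drift, threshold):
    """One-sided CUSUM: S_n = max(0, S_{n-1} + (x_n - mu - drift)), where mu
    is the mean of the first `train` samples (the expected local average)
    and `drift` is the slack that keeps normal jitter from accumulating.
    Returns the index of the first sample with S_n > threshold, else None."""
    mu = mean(series[:train])
    s = 0.0
    for n in range(train, len(series)):
        s = max(0.0, s + (series[n] - mu - drift))
        if s > threshold:
            return n
    return None


def constructed_records():
    """Constructed records (not a capture): 100 TCP and 50 UDP packets per
    second for 30 s, then a UDP flood of 400 packets per second for 30 s."""
    recs = []
    for ts in range(60):
        recs += [(ts, "tcp")] * 100
        recs += [(ts, "udp")] * (50 if ts < 30 else 400)
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    udp = to_series(recs, "udp", 60)
    tcp = to_series(recs, "tcp", 60)
    print("UDP alarm at second:", cusum_alarm(udp, train=20, drift=100, threshold=500))  # 32
    print("TCP alarm at second:", cusum_alarm(tcp, train=20, drift=100, threshold=500))  # None
```

The flood starts at second 30 and the alarm fires at second 32: the two-second lag is the price of the threshold, which is what keeps a single noisy second from triggering. Filtering per protocol matters because the TCP series, run through the same detector, stays silent; a mixed series would dilute the UDP jump.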
DoS/DDoS Countermeasure Strategies

• Absorbing the Attack:
  • Use additional capacity to absorb the attack; this requires preplanning and additional resources.
• Degrading Services:
  • Identify critical services and stop non-critical services so that the remaining capacity goes to what matters.
• Shutting Down the Services:
  • Shut down all services until the attack has subsided (the attacker's goal is achieved, but further damage is contained).
DoS/DDoS Attack Countermeasures: Protect Secondary Victims

Secondary victims are the machines that get compromised and turned into bots; keeping them clean shrinks the botnets available to attackers.

• Install anti-virus and anti-Trojan software and keep it up to date.
• Increase awareness of security issues and prevention techniques among all Internet users.
• Disable unnecessary services, uninstall unused applications, and scan all files received from external sources.
• Properly configure and regularly update the built-in defensive mechanisms in the core hardware and software of the system.
DoS/DDoS Attack Countermeasures: Detect and Neutralize Handlers

• Network Traffic Analysis: analyze communication protocols and traffic patterns between handlers and clients, or handlers and agents, in order to identify the network nodes that might be acting as handlers.
• Neutralize Botnet Handlers: there are usually few DDoS handlers deployed compared to the number of agents. Neutralizing a few handlers can render many agents useless, thwarting the DDoS attack.
• Spoofed Source Address: there is a good probability that the spoofed source address of DDoS attack packets will not be a valid source address for the sub-network the packets arrive from, which makes such packets filterable.
DoS/DDoS Countermeasures: Detect Potential Attacks

• Egress Filtering:
  • Scanning the headers of IP packets leaving a network and dropping those whose source address does not belong to the network.
  • Egress filtering ensures that spoofed or malicious traffic never leaves the internal network, so your own hosts cannot be used as attack agents.
• Ingress Filtering:
  • Drops packets entering a network whose source address is not valid for the prefix they arrive from (BCP 38), which protects against flooding attacks that rely on spoofed addresses.
  • Because only validly-sourced packets get through, an attack can be traced back to its true source.
• TCP Intercept:
  • Configuring TCP Intercept (a router feature) prevents SYN-flood DoS attacks by intercepting and validating TCP connection requests: the router completes the three-way handshake with the client first and only then opens the connection to the server.
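The egress and ingress rules above reduce to one question per packet: is this source address plausible for the direction it is travelling? The following is an added example, not from the slides, that writes that question as a policy function. The internal prefixes, the bogon list and the sample packets are constructed; a real deployment applies the same logic per interface on the border router or host firewall.

```python
"""Added example (not from the slides): egress / ingress source-address
checks in the spirit of BCP 38, written as a policy function.  Prefixes
and packets are constructed for illustration."""
import ipaddress

# Assumed address space of the protected network (constructed for the example).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that are never valid on the public Internet (private,
# loopback, link-local, multicast, reserved); a packet arriving from
# outside with one of these as its source is spoofed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def verdict(direction, src):
    """direction: 'egress' (packet leaving our network) or 'ingress'
    (packet entering it).  Returns (action, reason)."""
    addr = ipaddress.ip_address(src)
    if direction == "egress":
        # Only our own prefixes may appear as the source on the way out.
        # Anything else is a host of ours spoofing (a DDoS 'secondary victim').
        if _in_any(addr, INTERNAL):
            return ("accept", "internal-source")
        return ("drop", "egress-spoofed-source")
    if direction == "ingress":
        # Our own prefixes cannot legitimately arrive from outside, and
        # bogon sources are unroutable, so both mark a spoofed packet.
        if _in_any(addr, INTERNAL):
            return ("drop", "ingress-claims-internal")
        if _in_any(addr, BOGONS):
            return ("drop", "ingress-bogon")
        return ("accept", "external-source")
    raise ValueError(f"unknown direction {direction!r}")


def filter_log(packets):
    """Apply verdict() to (direction, src) pairs; return the dropped ones
    as (direction, src, reason)."""
    dropped = []
    for direction, src in packets:
        action, reason = verdict(direction, src)
        if action == "drop":
            dropped.append((direction, src, reason))
    return dropped


if __name__ == "__main__":
    # Constructed packets: two legitimate, three spoofed.
    sample = [("egress", "192.0.2.10"), ("egress", "10.9.8.7"),
              ("ingress", "198.51.100.9"), ("ingress", "203.0.113.7"),
              ("ingress", "192.168.1.1")]
    for row in filter_log(sample):
        print("DROP", row)
```

Note the asymmetry: on egress the internal prefixes are the only acceptable sources, on ingress they are grounds for dropping. Egress filtering protects everyone else from your network; ingress filtering protects you and makes the surviving traffic traceable, which is the tracing property the slide mentions.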
DoS/DDoS Countermeasures: Deflect Attacks

• Systems that are set up with limited security, known as honeypots, act as an enticement for an attacker.
• Honeypots serve as a means of gaining information about attackers, attack techniques and tools by storing a record of the system activities.
• Use a defense-in-depth approach with IPSes at different network points to divert suspicious DoS traffic to several honeypots.
• Low-interaction honeypots: all services offered by a low-interaction honeypot are emulated.
• High-interaction honeypots (honeynets): high-interaction honeypots make use of the actual vulnerable service or software.
• KFSensor: a Windows-based honeypot IDS.
DoS/DDoS Countermeasures

• Use strong encryption mechanisms such as WPA2 and AES-256 for wireless/broadband networks to withstand eavesdropping.
• Ensure that software and protocols are up to date and scan machines thoroughly to detect any anomalous behaviour.
• Disable unused and insecure services.
• Block inbound packets whose source port is a well-known service port (DNS, NTP, SSDP and the like) when no matching request was sent, to block traffic from reflection servers.
• Update the kernel to the latest release.
• Prevent the transmission of fraudulently addressed (spoofed) packets at the ISP level.
• Implement cognitive radios in the physical layer to handle jamming and scrambling attacks.
• Configure the firewall to deny external ICMP traffic.
• Perform thorough input validation.
• Avoid unsafe functions such as gets and strcpy, which allow buffer overflows.
• Secure remote administration and connectivity testing.
• Data supplied by the attacker should be prevented from being executed (non-executable stack and heap).
• Prevent return addresses from being overwritten (bounds checking, stack canaries).
Denial-of-Service (DoS) Attack Penetration Testing

• DoS attacks should be incorporated into pen testing plans to find out whether the network or server is susceptible to DoS attacks.
• DoS pen testing determines the minimum thresholds at which a system fails under a DoS attack, but the tester cannot guarantee that the system is resistant to all DoS attacks.
• The pen tester floods the target network with traffic, similar to hundreds of people repeatedly requesting the service, in order to check the system's stability.
• Pen testing results help administrators determine and adopt suitable network perimeter security controls such as load balancers, IDS, IPS, firewalls, etc.
• Test the web server using automated tools such as Webserver Stress Tool and JMeter for load capacity, server-side performance, locks, and other scalability issues.
• Scan the network using automated tools such as Nmap, GFI LanGuard, and Nessus to discover any systems that are vulnerable to DoS attacks.
• Flood the target with connection request packets using tools such as Dirt Jumper DDoS Toolkit, Dereil, HOIC, and DoS HTTP.
• Use a port flooding attack to flood the port and increase CPU usage by keeping all the connection requests open on the ports under attack. Use tools such as LOIC and Moihack Port Flooder to automate a port flooding attack.
• Use a mail bomber tool to send a large number of emails to the target mail server.
• Fill web forms with arbitrary, lengthy entries to test how the application handles oversized input.
• Caveat: flood tests take down real services. Run them only against systems you are authorized to test, inside an agreed scope and test window, with monitoring in place and a way to stop the test immediately.
