Ce hv8 module 10 denial of service
- 1. Denial of Service
Module 10
- 2. Ethical Hacking and Countermeasures
Denial of Service
Exam 312-50 Certified Ethical Hacker
Denial-of-Service
Module 10
Engineered by Hackers. Presented by Professionals.
CEH
Ethical Hacking and Countermeasures v8
Module 10: Denial-of-Service
Exam 312-50
Module 10 Page 1403
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
- 3. Security News
HSBC is Latest Target in Cyber Attack Spree
Source: http://www.foxbusiness.com
HSBC (HBC) experienced widespread disruptions to several of its websites recently, becoming
one of the highest-profile victims yet in a series of attacks by a group claiming to be allied with
Islamic terrorism.
"HSBC servers came under a denial of service attack which affected a number of HSBC
websites around the world," the London-based banking giant said in a statement. "This denial
of service attack did not affect any customer data, but did prevent customers using HSBC online
services, including internet banking."
HSBC said it had the situation under control in the early morning hours of Friday London time.
The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled
users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has
also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and
Bank of America (BAC), said the attacks will continue until the anti-Islamic 'Innocence of
Muslims' film trailer is removed from the Internet.
In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called
Anonymous also took responsibility. However, a source in the computer security field who has
been monitoring the attacks told FOX Business "the technique and systems used against HSBC
were the same as the other banks." However, the person who requested anonymity noted that
Anonymous "may have joined in, but the damage was done by" al-Qassam.
The people behind al-Qassam have yet to be unmasked. Several published reports citing
unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security
researchers have told FOX Business the attacks don't show the hallmarks of an attack from that
country.
There is a consensus, however, that the group is likely using a fairly sophisticated type of
denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software
to take servers over and then use them as weapons. Once they are taken over, they slam the
Web servers hosting bank websites with a deluge of requests, making access either very slow or
completely impossible. Servers have an especially high level of connectivity to the Internet,
giving al-Qassam more horsepower with fewer machines.
Copyright © 2012 FOX News Network, LLC
By Adam Samson.
http://www.foxbusiness.com/industries/2012/10/19/hsbc-is-latest-target-in-cyber-attackspree/#ixzz2D14739cA
- 5. Module Objectives
This module looks at various aspects of denial-of-service attacks. The module starts
with a discussion of denial-of-service attacks. Real-world scenarios are cited to highlight the
implications of such attacks. Distributed denial-of-service attacks and the various tools to
launch such attacks are included to spotlight the technologies involved. The countermeasures
for preventing such attacks are also taken into consideration. Viruses and worms are briefly
discussed in terms of their use in such attacks. This module will familiarize you with:
- What Is a Denial of Service Attack?
- What Are Distributed Denial of Service Attacks?
- Symptoms of a DoS Attack
- DoS Attack Techniques
- Botnet
- Botnet Ecosystem
- Botnet Trojans
- DDoS Attack Tools
- DoS Attack Tools
- Detection Techniques
- DoS/DDoS Countermeasure
- Techniques to Defend against Botnets
- Advanced DDoS Protection Appliances
- DoS/DDoS Protection Tools
- Denial of Service (DoS) Attack Penetration Testing
- 6. Module Flow
In the present Internet world, many attacks are launched targeting organizations in
the banking sector, as well as IT service and resource providers. DoS (denial of service) and
DDoS (distributed denial of service) were designed by attackers to breach organizations'
services.
- DoS/DDoS Concepts
- DoS/DDoS Attack Techniques
- Botnets
- DoS/DDoS Case Study
- DoS/DDoS Attack Tools
- Countermeasures
- DoS/DDoS Protection Tools
- DoS/DDoS Penetration Testing
This section describes the terms DoS and DDoS, the working of DDoS, and the symptoms of DoS. It
also talks about cyber criminals and the organizational chart.
- 7. What Is a Denial of Service Attack?
Denial-of-service (DoS) is an attack that prevents authorized users from accessing a
computer or network. DoS attacks target the network bandwidth or connectivity. Bandwidth
attacks overflow the network with a high volume of traffic using existing network resources,
thus depriving legitimate users of these resources. Connectivity attacks overflow a computer
with a large amount of connection requests, consuming all available operating system
resources, so that the computer cannot process legitimate user requests.
An Analogy
Consider a company (Target Company) that delivers pizza upon receiving a telephone
order. The entire business depends on telephone orders from customers. Suppose a
person intends to disrupt the daily business of this company. If this person came up with a way
to keep the company's telephone lines engaged in order to deny access to legitimate
customers, obviously Target Company would lose business.
DoS attacks are similar to the situation described here. The objective of the attacker is not to
steal any information from the target; rather, it is to render its services useless. In the process,
the attacker can compromise many computers (called zombies) and virtually control them. The
attack involves deploying the zombie computers against a single machine to overwhelm it with
requests and finally crash the target in the process.
- 8. Figure 10.1: Denial of Service Attack. (Malicious traffic takes control over all the available bandwidth: regular traffic and attack traffic arrive from the Internet through the router to the server cluster.)
- 9. What Are Distributed Denial of Service Attacks?
- A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system
- To launch a DDoS attack, an attacker uses botnets and attacks a single system
Impacts shown on the slide: Loss of Goodwill, Disabled Network, Financial Loss, Disabled Organization.
Source: www.searchsecurity.com
A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the
availability of services on a target's system or network resources, launched indirectly through
many compromised computers on the Internet.
The services under attack are those of the "primary target," while the compromised systems
used to launch the attack are often called the "secondary target." The use of secondary targets
in performing a DDoS attack provides the attacker with the ability to wage a larger and more
disruptive attack, while making it more difficult to track down the original attacker.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack
uses many computers to launch a coordinated DoS attack against one or more targets. Using
client/server technology, the perpetrator is able to multiply the effectiveness of the
denial-of-service significantly by harnessing the resources of multiple unwitting accomplice
computers, which serve as attack platforms."
If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet
services in minutes.
- 10. How Distributed Denial of Service Attacks Work
(Slide diagram: the attacker sets up a handler system; the handler infects a large number of computers over the Internet; compromised PCs (zombies).)
In a DDoS attack, the target browser or network is pounded by many applications with
fake exterior requests that make the system, network, browser, or site slow, useless, and
disabled or unavailable.
The attacker initiates the attack by sending a command to the zombie agents. These zombie
agents send a connection request to a genuine computer system, i.e., the reflector. The
requests sent by the zombie agents seem to be sent by the victim rather than the zombies.
Thus, the genuine computer sends the requested information to the victim. The victim
machine gets flooded with unsolicited responses from several computers at once. This may
either reduce the performance or may cause the victim machine to shut down.
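The reflector mechanism just described shows up on the victim as replies it never asked for. The following added example (not code from the CEH module) keeps a table of the connection requests a protected host actually sent and flags inbound SYN/ACK replies that match none of them; the flow-log format, the addresses and the host are constructed for the demonstration.

```python
"""Detect reflected DDoS traffic: replies arriving at a host that never sent the request.

Added example, not part of the CEH module. The flow-log format below is constructed;
a real deployment would read a firewall log or a packet capture instead."""
import re
from collections import Counter

# Constructed flow log for the protected host 10.0.0.5. "S" marks a SYN the host sent,
# "SA" a SYN/ACK it received. Only two of the SYN/ACKs answer a request the host made.
SAMPLE_FLOWS = """\
t=0.10 out 10.0.0.5:53123 -> 192.0.2.1:80 S
t=0.12 in  192.0.2.1:80 -> 10.0.0.5:53123 SA
t=0.30 in  192.0.2.7:80 -> 10.0.0.5:1024 SA
t=0.31 in  192.0.2.8:80 -> 10.0.0.5:1025 SA
t=0.32 in  192.0.2.9:443 -> 10.0.0.5:1026 SA
t=0.33 in  192.0.2.7:80 -> 10.0.0.5:1027 SA
t=0.40 out 10.0.0.5:53124 -> 198.51.100.20:443 S
t=0.45 in  198.51.100.20:443 -> 10.0.0.5:53124 SA
t=0.50 in  192.0.2.8:80 -> 10.0.0.5:1028 SA
"""

FLOW_RE = re.compile(
    r"t=(?P<ts>[\d.]+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)"
)


class UnsolicitedReplyDetector:
    """Keeps the host's outstanding requests and classifies each inbound reply."""

    def __init__(self, match_window: float = 2.0):
        self.match_window = match_window
        self.pending = {}              # (peer_ip, peer_port, local_port) -> time request left
        self.by_reflector = Counter()  # peer IP -> number of unsolicited replies it sent

    def outbound(self, ts: float, peer_ip: str, peer_port: int, local_port: int) -> None:
        self.pending[(peer_ip, peer_port, local_port)] = ts

    def inbound(self, ts: float, peer_ip: str, peer_port: int, local_port: int) -> str:
        key = (peer_ip, peer_port, local_port)
        sent_at = self.pending.pop(key, None)
        if sent_at is not None and ts - sent_at <= self.match_window:
            return "expected"
        # No request of ours explains this reply: the peer answered a packet whose source
        # address was forged to look like us, which is exactly the reflection pattern.
        self.by_reflector[peer_ip] += 1
        return "unsolicited"


def analyse(flow_log: str) -> dict:
    """Run the detector over a flow log and summarise what it saw."""
    det = UnsolicitedReplyDetector()
    unsolicited = 0
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts = float(m["ts"])
        if m["dir"] == "out" and m["flags"] == "S":
            det.outbound(ts, m["dst"], int(m["dport"]), int(m["sport"]))
        elif m["dir"] == "in" and m["flags"] == "SA":
            if det.inbound(ts, m["src"], int(m["sport"]), int(m["dport"])) == "unsolicited":
                unsolicited += 1
    # Many distinct reflectors each contributing a few replies is the signature of a
    # reflected flood; one noisy peer is more likely a misconfiguration.
    return {"unsolicited": unsolicited, "reflectors": len(det.by_reflector)}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```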
- 11. Figure 10.2: Distributed Denial of Service Attacks. (The attacker sets a handler system; the handler infects a large number of computers over the Internet; the zombie systems (compromised PCs) are instructed to attack.)
- 12. Symptoms of a DoS Attack
Based on the target machine, the symptoms of a DoS attack may vary. There are four
main symptoms of a DoS attack. They are:
- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the amount of spam emails received
- Unusually slow network performance
- 13. Module Flow
So far, we have discussed DoS, DDoS, symptoms of DoS attacks, cybercriminals, and
the organizational chart of cybercrime. Now it's time to discuss the techniques used to perform
DoS/DDoS attacks.
In a DoS attack, the victim, website, or node is prevented from providing services to valid users.
Various techniques are used by the attacker for launching DoS or DDoS attacks on a target
computer or network. They are discussed in detail in this section.
- 14. DoS Attack Techniques
A denial-of-service attack (DoS) is an attack performed on a networking structure to
disable a server from serving its clients. The actual intent and impact of DoS attacks is to
prevent or impair the legitimate use of computer or network resources. There are seven kinds
of techniques that are used by the attacker to perform DoS attacks on a computer or a
network. They are:
- Bandwidth Attacks
- Service Request Floods
- SYN Flooding Attacks
- ICMP Flood Attacks
- Peer-to-Peer Attacks
- Permanent Denial-of-Service Attacks
- Application-Level Flood Attacks
- 15. Bandwidth Attacks
- A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim
- When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic
- Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets
- Basically, all bandwidth is used and no bandwidth remains for legitimate use
A bandwidth attack floods a network with a large volume of malicious packets in
order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume
network bandwidth of the targeted network to such an extent that it starts dropping packets.
The dropped packets may include those of legitimate users. A single machine cannot make enough
requests to overwhelm network equipment; therefore, DDoS attacks were created where an
attacker uses several computers to flood a victim.
Typically, a large number of machines is required to generate the volume of traffic required to
flood a network. As the attack is carried out by multiple machines that are combined together
to generate overloaded traffic, this is called a distributed-denial-of-service (DDoS) attack.
Furthermore, detecting the source of the attack and blocking it is difficult as the attack is
carried out by numerous machines that are part of different networks. All the bandwidth of the
target network is used by the malicious computers and no bandwidth remains for legitimate
use.
Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO
packets.
- 16. Service Request Floods
- Service request flood attacks flood servers with a high rate of connections from a valid source
- An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections
- It initiates a request on every connection
Service request floods work based on the connections per second principle. In this
method or technique of a DoS attack, the servers are flooded with a high rate of connections
from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server
resources by setting up and tearing down TCP connections. This probably initiates a request on
each connection, e.g., an attacker may use his or her zombie army to fetch the home page from
a target web server repeatedly. The resulting load on the server makes it sluggish.
- 17. SYN Attack
A SYN attack is a simple form of DoS attack. In this attack, an attacker sends a series of
SYN requests to a target machine (victim). When a client wants to begin a TCP connection to
the server, the client and the server exchange a series of messages as follows:
- The attacker sends fake TCP SYN requests to the target server (victim)
- The target machine sends back a SYN ACK in response to the request and waits for the ACK to complete the session setup
- The target machine never gets the response because the source's address is fake
- 18. SYN Flooding
- SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
- When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds
- A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
- The victim's listen queue is quickly filled up
- This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack
SYN flooding is a denial-of-service attack that exploits a vulnerability in the TCP protocol.
This attack occurs when the intruder sends unlimited SYN packets (requests) to the host
system. The process of transmitting such packets is faster than the system can handle.
The connection is established as defined by the TCP three-way handshake as:
- Host A sends the SYN request to Host B
- Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A
- Host A responds with the ACK packet, establishing the connection
When Host B receives the SYN request from Host A, it holds the partially open connection in its
listen queue for a period of time, at least 75 seconds. The intruder transmits a very large number
of such SYN requests with forged source addresses, so the host keeps trying to complete handshakes
with addresses that will never answer. Such numerous requests produce the TCP SYN flooding
attack. It works by filling the table reserved for half-open TCP connections in the operating
system's TCP/IP stack. When the table becomes full, new connections cannot be opened until some
entries are removed from the table (due to handshake timeout). This attack can be carried out
using fake IP addresses, so it is difficult to trace the source. The table of connections can also
be filled without spoofing the source IP address. Normally, the space allotted to fixed-size
tables, such as the half-open TCP connection table, is limited.
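The half-open table and its handshake timeout can be modelled directly. This is an added example, not code from the CEH module: it simulates a fixed-size table filling with SYNs from forged sources that never complete the handshake, and it parses a constructed `ss -tan`-style snapshot to report how much of a listener's table is half-open. The capacity, rate, addresses and snapshot are constructed values.

```python
"""Model of the half-open (SYN received, ACK pending) connection table described above.

Added example, not from the CEH module. Capacity, timeout and addresses are constructed."""
from collections import Counter
from dataclasses import dataclass, field

HANDSHAKE_TIMEOUT = 75.0  # seconds an entry stays in the table; the figure quoted in the text


@dataclass
class HalfOpenTable:
    """Fixed-size table of connections that got a SYN/ACK but no final ACK yet."""
    capacity: int
    timeout: float = HANDSHAKE_TIMEOUT
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> time the SYN arrived
    dropped: int = 0
    established: int = 0

    def _expire(self, now: float) -> None:
        # A slot is only freed when its handshake times out (or completes).
        stale = [k for k, t0 in self.entries.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.entries[k]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """True if the SYN got a slot (SYN/ACK sent), False if the full table dropped it."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Final ACK: the entry leaves the half-open table and the connection is established."""
        self._expire(now)
        if self.entries.pop((src_ip, src_port), None) is None:
            return False
        self.established += 1
        return True


def simulate_flood(capacity: int, syn_rate: float, duration: float) -> dict:
    """Feed SYNs that are never acknowledged, then check whether a legitimate client
    arriving at the end can still complete its handshake."""
    table = HalfOpenTable(capacity)
    for n in range(int(syn_rate * duration)):
        # Each SYN carries a different (constructed) forged source, so no single address
        # stands out and blocking per source would not help the defender.
        table.on_syn(f"198.51.100.{n % 254 + 1}", 1024 + n, n / syn_rate)
    legit_ok = table.on_syn("203.0.113.10", 40000, duration)
    if legit_ok:
        legit_ok = table.on_ack("203.0.113.10", 40000, duration + 0.05)
    return {"half_open": len(table.entries), "dropped": table.dropped, "legit_connected": legit_ok}


# Constructed snapshot in the style of `ss -tan`; a live check would read the real output.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:51321
SYN-RECV  0      0      10.0.0.5:443       198.51.100.9:40122
ESTAB     0      0      10.0.0.5:443       203.0.113.10:55012
SYN-RECV  0      0      10.0.0.5:443       198.51.100.44:1077
SYN-RECV  0      0      10.0.0.5:443       198.51.100.120:2210
ESTAB     0      0      10.0.0.5:22        203.0.113.11:60100
"""


def half_open_ratio(ss_output: str) -> dict:
    """Per local socket: half-open count, its share of all entries, and distinct peers.
    A listener whose table is mostly SYN-RECV entries from many peers is the flood signature."""
    half_open, total, peers = Counter(), Counter(), {}
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        total[local] += 1
        if state == "SYN-RECV":
            half_open[local] += 1
            peers.setdefault(local, set()).add(peer.rsplit(":", 1)[0])
    return {local: {"half_open": half_open[local],
                    "ratio": half_open[local] / total[local],
                    "distinct_peers": len(peers.get(local, ()))} for local in total}
```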
- 19. Figure 10.3: SYN Flooding. (Host A and Host B: normal connection establishment with SYN, SYN/ACK, ACK; in SYN flooding, repeated SYN requests.)
- 20. ICMP Flood Attack
- ICMP flood is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests
- After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well
(Slide diagram: the attacker sends ICMP ECHO requests with spoofed source addresses; ECHO Request / ECHO Reply exchanges up to the maximum limit of ICMP Echo Requests per second; a legitimate ICMP echo request from an address in the same security zone arrives after the limit.)
Internet Control Message Protocol (ICMP) packets are used for locating network
equipment and determining the number of hops to get from the source location to the
destination. For instance, ICMP_ECHO_REPLY packets ("ping") allow the user to send a request
to a destination system and receive a response with the roundtrip time.
A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to
a victim system. These packets signal the victim's system to reply, and the combination of
traffic saturates the bandwidth of the victim's network connection. The source IP address may
be spoofed.
In this kind of attack the perpetrators send a large number of packets with fake source
addresses to a target server in order to crash it and cause it to stop responding to TCP/IP
requests.
After the ICMP threshold is reached, the router rejects further ICMP echo requests from all
addresses in the same security zone.
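The per-zone threshold just described can be written out as a small rate limiter. This is an added example, not code from the CEH module or any vendor: the limit, the zone table and the packet trace are constructed, and the rule generalises the slide's wording so that once a zone exceeds its per-second limit every echo request from that zone is rejected for the rest of the current second and all of the next one, which is why the legitimate host in the same zone is also turned away.

```python
"""Per-second ICMP echo threshold, enforced per security zone as the module describes.

Added example, not from the CEH module; limit, zone table and trace are constructed."""
import ipaddress
from collections import defaultdict

ICMP_ECHO_LIMIT_PER_SECOND = 5  # assumed threshold, not any vendor's default

# Constructed zone table: network prefix -> security zone name.
ZONES = {
    "198.51.100.0/24": "untrust",
    "203.0.113.0/24": "untrust",
    "10.0.0.0/8": "trust",
}


def zone_of(ip: str) -> str:
    """Map a source address to its security zone (first matching prefix wins)."""
    addr = ipaddress.ip_address(ip)
    for prefix, zone in ZONES.items():
        if addr in ipaddress.ip_network(prefix):
            return zone
    return "unknown"


class EchoRequestLimiter:
    """Counts echo requests per (zone, second) and enforces the threshold."""

    def __init__(self, limit: int = ICMP_ECHO_LIMIT_PER_SECOND):
        self.limit = limit
        self.seen = defaultdict(int)  # (zone, second) -> echo requests counted so far
        self.blocked_until = {}       # zone -> last whole second (inclusive) that is blocked

    def decide(self, ts: float, src_ip: str) -> str:
        sec = int(ts)
        zone = zone_of(src_ip)
        if self.blocked_until.get(zone, -1) >= sec:
            return "REJECT"  # still inside the penalty period for this zone
        self.seen[(zone, sec)] += 1
        if self.seen[(zone, sec)] > self.limit:
            # Threshold crossed: this request, the rest of this second and the
            # following second are rejected for every address in the zone.
            self.blocked_until[zone] = sec + 1
            return "REJECT"
        return "ACCEPT"


# Constructed trace: (timestamp, source address). The first six come from forged
# addresses in the untrust zone; the later ones are legitimate hosts.
PACKETS = [
    (0.10, "198.51.100.1"), (0.15, "198.51.100.2"), (0.20, "198.51.100.3"),
    (0.25, "198.51.100.4"), (0.30, "198.51.100.5"), (0.35, "198.51.100.6"),
    (0.90, "203.0.113.10"),  # legitimate, same zone: collateral rejection
    (0.95, "10.0.0.7"),      # legitimate, different zone: unaffected
    (1.50, "203.0.113.10"),  # next second, still blocked
    (2.20, "203.0.113.10"),  # penalty over
]


def run(packets, limit: int = ICMP_ECHO_LIMIT_PER_SECOND) -> list:
    """Return (timestamp, source, decision) for every packet in the trace."""
    lim = EchoRequestLimiter(limit)
    return [(ts, ip, lim.decide(ts, ip)) for ts, ip in packets]


if __name__ == "__main__":
    for ts, ip, verdict in run(PACKETS):
        print(f"{ts:5.2f} {ip:15} {zone_of(ip):8} {verdict}")
```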
- 21. Figure 10.4: ICMP Flood Attack. (The attacker sends ICMP ECHO requests with spoofed source addresses to the target server; ECHO Request / ECHO Reply exchanges continue up to the maximum limit of ICMP Echo Requests per second; a legitimate ICMP echo request from an address in the same security zone follows.)
- 22. Peer-to-Peer Attacks
- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website
- Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients
- Using this method, attackers launch massive denial-of-service attacks and compromise websites
A peer-to-peer attack is one form of DDoS attack. In this kind of attack, the attacker
exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit
flaws found in the network that uses the DC++ (Direct Connect) protocol, which allows the
exchange of files between instant messaging clients. This kind of attack doesn't use botnets for
the attack. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need of attackers
to communicate with clients. Here the attacker instructs the clients of peer-to-peer file sharing
hubs to disconnect from their network and to connect to the victim's website. With this,
several thousand computers may try to connect to the target website, which causes a drop in
the performance of the target website. These peer-to-peer attacks can be identified easily
based on their signatures. Using this method, attackers launch massive denial-of-service attacks
and compromise websites.
- 23. Figure 10.5: Peer-to-Peer Attacks. (Attack traffic from User-1 to User-5 directed at the target by the attacker.)
- 24. Permanent Denial-of-Service Attack
- Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
- Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware
Bricking a system method:
1. This attack is carried out using a method known as "bricking a system"
2. Using this method, attackers send fraudulent hardware updates to the victims
(Slide diagram: the attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer; malicious code is executed.)
Permanent denial-of-service (PDoS) is also known as phlashing. This refers to an attack
that damages the system and makes the hardware unusable for its original purpose until it is
either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote
administration on the management interfaces of the victim's hardware, such as printers,
routers, and other networking hardware.
This attack is carried out using a method known as "bricking a system." In this method, the
attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to
the victim by modifying and corrupting the updates with vulnerabilities or defective firmware.
When the victim clicks on the links or pop-up windows referring to the fraudulent hardware
updates, they get installed on the victim's system. Thus, the attacker takes complete control
over the victim's system.
- 25. Figure 10.6: Permanent Denial-of-Service Attack. (The attacker sends email, IRC chats, tweets, and posts videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer and malicious code is executed.)
- 26. Application Level Flood Attacks
- Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more
- Using this attack, attackers destroy programming source code and files in affected computer systems
Using application-level flood attacks, attackers attempt to:
- Flood web applications, preventing legitimate user traffic
- Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts
- Jam the application database connection by crafting malicious SQL queries
Application-level Flood Attacks
Some DoS attacks rely on software-related exploits such as buffer overflows, whereas most other kinds of DoS attacks exploit bandwidth. Attacks that exploit software put the application into an abnormal state in which it fills the disk space or consumes all available memory or CPU cycles. Application-level flood attacks have rapidly become a conventional threat for doing business on the Internet, and web application security is more critical than ever. This attack can result in substantial loss of money, service, and reputation for organizations. Usually the loss of service is either the unavailability of a specific network service, such as email, or the temporary loss of all network connectivity and services. Using this attack, attackers destroy programming source code and files in affected computer systems.
Using application-level flood attacks, attackers attempt to:
- Flood web applications, thereby preventing legitimate user traffic.
- Disrupt service to a specific system or person, for example, blocking user access by repeated invalid login attempts.
- Jam the application-database connection by crafting CPU-intensive SQL queries.
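The three flood patterns listed above leave distinct traces in application logs. The following added example (not from the CEH courseware) runs sliding-window detectors over constructed log lines: a per-source request burst, repeated invalid logins against one account, and a client whose queries consume a disproportionate database-time budget; the log format, addresses and thresholds are assumptions made for the example.

```python
"""Sliding-window detectors for application-level flood patterns.

Assumed log format (one request per line, constructed for this example):
  <ISO-8601 time> src=<ip> user=<name|-> path=<url path> status=<code> db_ms=<int>
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def build_sample_log():
    """Constructed sample traffic, not captured data: a benign user (alice),
    an HTTP flooder, a lockout attempt against account 'bob' from several
    sources, and one client issuing expensive search queries."""
    lines = []

    def add(sec, src, user, path, status, db_ms):
        lines.append(f"2012-10-19T09:46:{sec:02d}Z src={src} user={user} "
                     f"path={path} status={status} db_ms={db_ms}")

    add(3, "203.0.113.7", "alice", "/login", 401, 2)   # one typo, then success
    add(4, "203.0.113.7", "alice", "/login", 200, 2)
    for sec in (0, 5, 12):                              # ordinary browsing
        add(sec, "203.0.113.7", "alice", "/", 200, 3)
    for i in range(25):                                 # 25 requests in ~7 s
        add(20 + i // 4, "198.51.100.9", "-", "/", 200, 1)
    for i, src in enumerate(("192.0.2.1", "192.0.2.2", "192.0.2.3",
                             "192.0.2.4", "192.0.2.5")):
        add(40 + i, src, "bob", "/login", 401, 2)       # 5 failures, 5 sources
    for sec in (50, 52, 54):                            # 3 heavy queries
        add(sec, "192.0.2.44", "-", "/search", 200, 900)
    return "\n".join(lines)


def parse_line(line):
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["ts"] = ts.timestamp()
    ev["status"] = int(ev["status"])
    ev["db_ms"] = int(ev["db_ms"])
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_keys(events, key_fn, window_s, threshold, weight_fn=lambda e: 1):
    """Return the keys whose summed weight inside any window_s-second sliding
    window reaches threshold. key_fn returns None to skip an event."""
    windows = defaultdict(deque)   # key -> deque of (ts, weight)
    totals = defaultdict(int)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = key_fn(ev)
        if key is None:
            continue
        w = weight_fn(ev)
        windows[key].append((ev["ts"], w))
        totals[key] += w
        while ev["ts"] - windows[key][0][0] > window_s:   # expire old entries
            totals[key] -= windows[key].popleft()[1]
        if totals[key] >= threshold:
            flagged.add(key)
    return flagged


def request_flood_sources(events, window_s=10, threshold=20):
    """Sources flooding the web application with requests."""
    return burst_keys(events, lambda e: e["src"], window_s, threshold)


def lockout_targets(events, window_s=60, threshold=5):
    """Accounts hit by repeated invalid logins (from any source): the
    lockout-style DoS against a specific person."""
    def key(e):
        return e["user"] if e["path"] == "/login" and e["status"] == 401 else None
    return burst_keys(events, key, window_s, threshold)


def db_hog_sources(events, window_s=10, budget_ms=2000):
    """Sources whose requests consume more database time than the budget,
    the signature of deliberately expensive queries."""
    return burst_keys(events, lambda e: e["src"], window_s, budget_ms,
                      weight_fn=lambda e: e["db_ms"])


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("request flood :", request_flood_sources(evs))
    print("lockout target:", lockout_targets(evs))
    print("db hogs       :", db_hog_sources(evs))
```

The thresholds are deliberately low so the constructed sample trips them; on a real server they must be set from a baseline of normal traffic, and the lockout detector keys on the account rather than the source because the attacker's failures typically arrive from many addresses.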
[Figure: attacker exploiting application source code on the victim]
FIGURE 10.7: Application-level Flood Attacks
Module Flow
So far, we have discussed DoS/DDoS concepts and DoS/DDoS attack techniques. As mentioned previously, DoS and DDoS attacks are performed using botnets or zombies, a group of security-compromised systems.
[Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing]
This section describes botnets, as well as their propagation techniques and ecosystem.
Organized Crime Syndicates
Cyber Criminals: Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their sophisticated techniques
Hierarchical Setup: There are organized groups of cybercriminals who work in a hierarchical setup with a predefined revenue sharing model, like a major corporation that offers criminal services
Process: Organized groups create and rent botnets and offer various services, from writing malware, to hacking bank accounts, to creating massive denial-of-service attacks against any target for a price
Report: According to Verizon's 2012 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (98%) was the work of criminals outside the victim organization
Matter of Concern: The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies
Organized Crime Syndicates
Cyber criminals have developed very refined ways to exploit trust to their advantage and make financial gains. They are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is becoming more organized: where cyber criminals once developed malware independently for financial gain, they now operate in groups, and this has grown into an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price. The growing volume of malware puts an extra load on security systems.
According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization.
The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hactivism is a matter of concern for national security agencies.
Organized Cyber Crime: Organizational Chart
Organized Cyber Crime: Organizational Chart
Cybercrime is organized in a hierarchical manner. Each criminal is paid depending on the task he or she performs or on his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur and does not commit cybercrimes directly. The boss is the first level in the hierarchy. The person at the next level is the "underboss," the second in command, who manages the operation of cybercrimes.
The underboss provides the necessary Trojans for attacks and also manages the Trojans' command and control center. People working under the underboss are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks; they just sell the stolen data of genuine users.
[Figure: organizational chart. At the top, Attackers / Crimeware Toolkit Owners and Trojan Distribution in Legitimate website; the Underboss: Trojan Provider and Manager of Trojan Command and Control; below, three Campaign Managers, each with an Affiliation Network; at the bottom, three Stolen Data Resellers]
FIGURE 10.8: Organizational Chart
Botnet
- Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing
- A botnet is a huge network of compromised systems and can be used by an intruder to create denial-of-service attacks
The term botnet is derived from the words roBOT NETwork; a botnet is also called a zombie army. A botnet is a huge network of compromised systems, and it can compromise huge numbers of machines without the intervention of the machine owners. Botnets consist of a set of compromised systems that are monitored for a specific command infrastructure.
Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are hidden programs that allow the identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information.
Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of that system being vulnerable also increases. An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges.
Purpose of Botnets:
- Allows the intruder to operate remotely.
- Scans the environment automatically and spreads through vulnerable areas, gaining access via weak passwords and other means.
- Allows compromising a host's machine through a variety of tools.
- Creates DoS attacks.
- Enables spam attacks by using compromised hosts as SMTP mail relays.
- Enables click fraud and other illegal activities.
The diagram that follows shows how an attacker launches a botnet-based DoS attack on a
target server.
[Figure: the attacker sets a bot on a machine (Victim/Bot); the bot looks for other vulnerable systems and infects them to create a botnet (Zombies); the bots connect to the C&C handler (Bot Command & Control Center) and wait for instructions; the attacker sends commands to the bots through C&C; the bots attack a target server]
FIGURE 10.9: Botnet
In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, the victim bot, and compromises it. He or she then uses the victim bot to compromise more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies, or botnet, connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch a DoS attack on a target server, making the target server unavailable or unresponsive to other genuine hosts in the network.
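From the defender's side, the "connect to C&C and wait for instructions" step described above shows up as beaconing: many internal hosts contacting the same endpoint at a regular interval. The following added example (not from the CEH courseware) scores constructed outbound-connection records for that pattern; the addresses, the IRC-style port 6667 and the 4-second interval are constructed values, not captured data.

```python
"""Beacon detection for botnet command-and-control traffic.

Assumed record format (one outbound connection per line, constructed):
  <seconds since window start> <internal src ip> <dst ip> <dst port>
"""
from collections import defaultdict
from statistics import pstdev


def build_sample_flows():
    """Constructed connection records, not captured traffic: three internal
    hosts check in with the same handler on TCP 6667 every 4 seconds, while a
    fourth host browses a web server at irregular times and touches the
    handler once (too few connections to be judged)."""
    lines = []
    for offset, src in ((0, "10.0.0.11"), (1, "10.0.0.12"), (2, "10.0.0.13")):
        for k in range(6):
            lines.append(f"{offset + 4 * k} {src} 198.51.100.20 6667")
    for t in (0, 7, 9, 30, 31, 55):
        lines.append(f"{t} 10.0.0.50 203.0.113.80 443")
    lines.append("17 10.0.0.50 198.51.100.20 6667")
    return "\n".join(lines)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def beacon_candidates(flows, min_hosts=3, min_conns=5, max_cv=0.2):
    """Return {(dst, dport): [(src, mean_interval), ...]} for endpoints that
    at least min_hosts internal hosts contact at regular intervals.

    Regularity is judged per source by the coefficient of variation of the
    inter-connection gaps (stddev / mean): tight beaconing gives a value
    close to 0, human browsing a value near or above 1."""
    by_endpoint = defaultdict(lambda: defaultdict(list))
    for f in flows:
        by_endpoint[(f["dst"], f["dport"])][f["src"]].append(f["ts"])
    result = {}
    for endpoint, per_src in by_endpoint.items():
        periodic = []
        for src, times in per_src.items():
            if len(times) < min_conns:
                continue
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean_gap = sum(gaps) / len(gaps)
            if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_cv:
                periodic.append((src, mean_gap))
        if len(periodic) >= min_hosts:
            result[endpoint] = sorted(periodic)
    return result


if __name__ == "__main__":
    found = beacon_candidates(parse_flows(build_sample_flows()))
    for (dst, port), hosts in found.items():
        print(f"possible C&C {dst}:{port} beaconed by {len(hosts)} hosts: {hosts}")
```

Real bots often add jitter to the interval, so max_cv must be tuned against observed traffic; the endpoint-level requirement (several hosts, same destination) is what separates a shared handler from one user's scheduled job.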
Botnet Propagation Technique
Botnet Propagation Technique
Botnet propagation is the technique used to hack a system and grab tradable information from it without the victim's knowledge. The head of the operation is the boss, or cybercriminal. Botnet propagation involves both the criminal (boss) and attackers (campaign managers). In this attack, the criminal does not attack the victim system directly; instead, he or she performs attacks with the help of the attackers. The criminal configures an affiliation network as a distribution channel. The job of the campaign managers is to hack a legitimate site and insert a reference to malicious code into it. The malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections accomplished; thus, cybercriminals promote the infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.
[Figure: the criminal runs cybercrime-related IT operations (servers, software, and services): a Trojan Command and Control Center and a Crimeware Toolkit Database; attackers distribute the Trojan through a malicious affiliation network to legitimate compromised websites; the Trojan uploads stolen data to, and receives commands from, the command and control center]
FIGURE 10.10: Botnet Propagation Technique
Botnet Ecosystem
Botnet Ecosystem
A group of computers infected by bots is called a botnet. A bot is a malicious program that allows cybercriminals to control and use compromised machines to accomplish their own goals, such as scams, launching DDoS attacks, distributing spam, etc. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of the cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing. Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, specially crafted applications to attack remote computers via the network, etc. Malware services are offered by developers on public sites or closed Internet resources.
Typically, the botnet ecosystem is divided into three parts, namely the trade market, DDoS attacks, and spam.
A botmaster is the person who makes money by offering the infected botnet groups as a service on the black market. The master searches for hosts with vulnerable ports and uses them as candidate zombies to infect. The infected zombies can then be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.
The pictorial representation of the botnet ecosystem is shown as follows:
[Figure: botnet ecosystem. Malicious Site; Scan & Intrusion; Zero-Day Market; Botnet Market; Licenses; Botnet; MP3, DivX; Financial Diversion; Data Theft; Emails; Owner; Crimeware Toolkit Database; Trojan Command and Control Center (C&C); Client-Side Vulnerability; Redirect; Spam; Mass Mailing; DDoS; Malware Market; Stock Fraud; Scams; Adverts; Extortion]
FIGURE 10.11: Botnet Ecosystem
Botnet Trojan: sharK
Botnet Trojan: sharK
Source: https://sites.google.com
sharK is a reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK, you will be able to administer any PC running Windows remotely.
Features:
- mRC4 encrypted traffic (new & modded)
- zLib compressed traffic
- High-speed, stable screen/cam capture
- Keylogger with highlight feature
- Remote memory execution and injection
- VERY fast file manager/registry editor listing due to a unique technique
- Anti: Debugger, VMware, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, VirtualBox
- Supporting random startup and random server names
- Desktop preview in SIN Console
- Sortable and configurable SIN Console
- Remote Autostart Manager
- Optional Fwb++ (Process Injection, API Unhook)
- Folder mirroring
[Screenshot: sharK 3.1 fwb++ Command Control Center (client listening on port 60123, with a server list) and the New Server dialog: Basic Settings (server name, server password, connection interval), Server Installation, Startup, Install Events, Bind Files, Blacklist, Anti Debugging, Stealth, Firewall Bypass, Liteserver (offline keylogger with maximum log size), Advanced, Summary, Compile, and the SIN-Addresses list]
FIGURE 10.12: Botnet Trojan: sharK
Poison Ivy: Botnet Command Control Center
[Screenshot: Poison Ivy console showing the services of a compromised host with display name, description, status (RUNNING/STOPPED), startup type, and logon account]
Poison Ivy: Botnet Command Control Center
Poison Ivy is an advanced remote administration tool that uses an encrypted "reverse connection" to bypass firewalls. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.
FIGURE 10.13: Poison Ivy: Botnet Command Control Center
Botnet Trojan: PlugBot
- PlugBot is a hardware botnet project
- It is a covert penetration testing device (bot) designed for covert use during physical penetration tests
[Screenshot: PlugBot Statistics dashboard]
http://theplugbot.com
Botnet Trojan: PlugBot
Source: http://theplugbot.com
PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected while being powerful enough to scan, collect, and deliver test results externally.
Some of the features include:
- Issue scan commands remotely
- Wireless 802.11b ready
- Gigabit Ethernet capable
- 1.2 GHz processor
- Supports Linux, Perl, PHP, MySQL on-board
- Covertly disguised as a power adapter
- Capable of invoking most Linux-based scan apps and scripts
[Screenshot: PlugBot web console with the sections Dashboard, DropZone, Account, Settings, Help, Jobs, Applications, and Bots. PlugBot Statistics: "Shown below are some quick stats on your botnet." Bots: 2; Jobs Pending: 0; Jobs Completed: 0; Check-Ins: 14636]
FIGURE 10.14: Botnet Trojan: PlugBot
Botnet Trojans: Illusion Bot and NetBot Attacker
[Screenshot: Illusion Bot builder with IRC administration (host, port 6667, channel, password), web administration, default service ports, bot password with MD5 crypt, and options]
Botnet Trojans: Illusion Bot and NetBot Attacker
Illusion Bot
Source: http://www.teamfurry.com
Illusion Bot is a GUI-based botnet Trojan.
Features:
- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 firewall bypass
- DDoS capabilities
[Screenshot: Illusion Maker builder. Binary path and Reload; IRC Administration (two entries with Host, Port 6667, Chan, Pass); WEB Administration (Host, Port, Path); Refresh time in seconds; Default services: Socks4 port, Socks5 port, FTP port, Random range 2001-3000, Bindshell port; IRC Access: BOT PASSWORD with MD5 Crypt; Options: Install Kernel Driver, IRC server need password, Auto OP admin on IRC channel, Colored IRC messages, Inject code, Bypass XP SP2 Firewall, Save services state in registry, Add to autoload; Flood Values, Save, About, Exit]
FIGURE 10.15: Illusion Maker
NetBot Attacker
NetBot Attacker has a simple Windows user interface for controlling botnets. Attackers use it to command and report on their networks, and to order attacks. It consists of two RAR files: one is an INI file and the other is a simple EXE. It is more powerful when more bots are used against the servers. With the help of a bot, attackers can execute or download a file, open certain web pages, and even turn off all PCs.
[Screenshot: NetBot Attacker console with the tabs Online hosts, Attack Area, Collective order, and Use help; the host list has the columns PC IP, Computer system (Windows XP), Memory, and Service edition]
FIGURE 10.16: NetBot Attacker
Module Flow
So far, we have discussed DoS/DDoS concepts, attack techniques, and botnets. For a better understanding of attack trajectories and to find possible ways to locate attackers, a few DDoS case studies are featured here.
[Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing]
This section highlights some real-world scenarios of DDoS attacks.
DDoS Attack
DDoS Attack
In a DDoS attack, a group of compromised systems, usually infected with Trojans, is used to perform a denial-of-service attack on a target system or network resource. The figure that follows shows how an attacker performs a DDoS attack with the help of the LOIC tool.
[Figure: an anonymous hacker (the attacker) releases the Low Orbit Ion Cannon (LOIC) tool on the web; hackers advertise the LOIC tool on Twitter, Facebook, Google, etc.; volunteers connect to an IRC channel and wait for instructions from the attacker; the volunteers then carry out the DDoS attack]
FIGURE 10.17: DDoS Attack
DDoS Attack Tool: LOIC
- This tool was used to bring down the PayPal and MasterCard websites
[Screenshot: Low Orbit Ion Cannon ("U dun goofed") with IRC server, port and channel fields; Manual Mode; 1. Select your target (URL or IP); 2. Ready? (Stop flooding); 3. Attack options (Timeout, HTTP Subsite, TCP/UDP message, Append random chars to the URL, Port, Method, Threads, Wait for reply, Speed); status counters Idle, Connecting, Requesting, Downloading, Downloaded, Requested, Failed]
DDoS Attack Tool: LOIC
LOIC is an open source tool written in C#. The main purpose of the tool is to conduct stress tests of web applications, so that developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack. LOIC basically turns the computer's network connection into a firehose of garbage requests directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server; garbage requests can easily be ignored while legitimate requests for web pages are answered as normal.
But when thousands of users run LOIC at once, the wave of requests becomes overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.
LOIC is more focused on web applications; we can also call it an application-based DoS attack. LOIC can be used on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
Module 10 Page 1449
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
- 49. Ethical Hacking and Countermeasures
Denial of Service
Exam 312-50 Certified Ethical Hacker
FIGURE 10.18: DDoS Attack Tool: LOIC
Hackers Advertise Links to Download Botnets
[Screenshot: Google search results advertising botnet download links]
FIGURE 10.19: Hackers Advertise Links to Download Botnets
Module Flow
So far, we have discussed the DoS/DDoS concepts, attack techniques, botnets, and the real-time scenarios of DDoS. The DoS/DDoS attacks discussed so far can also be performed with the help of tools. These tools make the attacker's job easy.
[Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing]
This section lists and describes various DoS/DDoS attack tools.
DoS Attack Tools
[Screenshot: DoSHTTP 2.5.1 (Socketsoft.net, evaluation mode), an HTTP Flood Denial of Service (DoS) Testing Tool, with target URL, user agent, sockets and requests settings and status counters; and Sprut, a Multisystem TCP Denial of Service Attacker (Build #12) coded by Yarix, with hostname/port/threads settings and connection counters; both send traffic through the Internet to the target server]
DoS HTTP
Source: http://www.socketsoft.net
DoSHTTP is HTTP flood denial-of-service (DoS) testing software for Windows. It includes URL verification, HTTP redirection, and performance monitoring. It uses multiple asynchronous sockets to perform an effective HTTP flood. It can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. It also allows you to test web server performance and evaluate web server protection software.
Features:
- Supports HTTP redirection for automatic page redirection
- It includes URL verification that displays the response header and document
- It includes performance monitoring to track requests issued and responses received
- It allows customized User Agent header fields
- It uses multiple asynchronous sockets to perform an effective HTTP flood
- It allows user-defined socket and request settings
- It supports numeric addressing for target URLs
FIGURE 10.20: DoS HTTP
Sprut
Sprut is a multisystem TCP denial of service attacker.
FIGURE 10.21: Sprut
DoS Attack Tools (Cont'd)
[Screenshot: PHP DoS tool window and a Wireshark capture of the traffic at the victim machine: a stream of 1514-byte fragmented IP (proto=UDP) frames from 192.168.168.7 to 192.168.168.32, with the payload filled with repeated 'X' (0x58) bytes]
PHP DoS
Source: http://code.google.com
PHP DoS is a PHP script that lets a user perform DoS (denial-of-service) attacks against an IP address or website without any editing or specific knowledge.
FIGURE 10.22: PHP DoS
DoS Attack Tools (Cont'd)
Janidos
[Screenshot: Janidos tool interface]
FIGURE 10.23: Janidos
Supernova
[Screenshot: Supernova 5 interface: single target and port settings, hub harvester with load/save, random ports, speed controls, options to replace hubs on close or on errors, scanner settings, and debug options for connections, replaces, socket errors, actions and user number]
FIGURE 10.24: Supernova
DoS Attack Tools (Cont'd)
Commercial Chinese DIY DDoS Tool
[Screenshot: Commercial Chinese DIY DDoS tool interface]
Figure 10.25: Commercial Chinese DIY DDoS Tool
BanglaDos
[Screenshot: BanglaDos page on the Hack Clarify blog]
FIGURE 10.26: BanglaDos
DoS Attack Tools (Cont'd)
DoS
FIGURE 10.27: DoS
Mega DDoS Attack
FIGURE 10.28: Mega DDoS Attack
Module Flow
So far, we have discussed the DoS/DDoS concepts, various threats associated with this kind of attack, attack techniques, botnets, and tools that help to perform DoS/DDoS attacks. All these topics focus on testing your network and its resources against DoS/DDoS vulnerabilities. If the target network is vulnerable, then as a pen tester, you should think about detecting and applying possible ways or methods to secure the network.
[Module flow: DoS/DDoS Concepts; DoS/DDoS Attack Techniques; Botnets; DoS/DDoS Case Study; DoS/DDoS Attack Tools; Countermeasures; DoS/DDoS Protection Tools; DoS/DDoS Penetration Testing]
This section describes various techniques to detect DoS/DDoS vulnerabilities and also highlights the respective countermeasures.
[Slide: Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from legitimate packet traffic. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics. Techniques: Activity Profiling; Wavelet-based Signal Analysis; Changepoint Detection]
Detection Techniques
Most DDoS attacks today are carried out by attack tools, botnets, and other malicious programs. These attack techniques employ various forms of attack packets to defeat defense systems. All these problems together lead to the requirement of defense systems featuring various detection methods to identify attacks.
The detection techniques for DoS attacks are based on identifying and discriminating the illegitimate traffic increases and flash events from legitimate packet traffic.
There are three kinds of detection techniques: activity profiling, change-point detection, and wavelet-based signal analysis. All detection techniques define an attack as an abnormal and noticeable deviation from a threshold of normal network traffic statistics.
Activity Profiling
[Slide: An activity profile is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields; it is obtained by monitoring the network packets' header information. An attack is indicated by an increase in activity levels among clusters, or by an increase in the overall number of distinct clusters (DDoS attack)]
Typically, an activity profile can be obtained by monitoring the header information of network packets. An activity profile is defined as the average packet rate for a network flow, which consists of consecutive packets with similar packet fields. The activity level, or average packet rate, of a flow is determined by the elapsed time between consecutive packets. The sum of the average packet rates of all inbound and outbound flows gives the total network activity.
If you want to analyze individual flows for all possible UDP services, you would have to monitor on the order of 2^64 flows, and including other protocols such as TCP, ICMP, and SNMP greatly compounds the number of possible flows. This leads to a high-dimensionality problem, which can be avoided by clustering the individual flows that exhibit similar characteristics. The sum of the constituent flows of a cluster defines its activity level.
Based on this concept, an attack is indicated by:
- An increase in activity levels among clusters
- An increase in the overall number of distinct clusters (DDoS attack)
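The two indicators above, as an added example that is not part of the module: a small Python activity profiler over constructed packet headers. The flow key, the cluster key (source /24 toward one service), the 3x level factor, and all addresses and rates are assumptions made for the illustration.

```python
# Added example, not the CEH module's own code: activity profiling over constructed
# packet headers. A flow is (src, dst, proto, dport); a cluster groups the flows of
# one source /24 toward one service, so a flood from many spoofed networks shows up
# as new clusters while a single-source flood shows up as a raised activity level.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str
    dst: str
    proto: str    # "UDP", "TCP", "ICMP", ...
    dport: int


def flow_rates(packets):
    """Average packet rate (packets/s) of each flow.

    The rate follows from the elapsed time between a flow's consecutive packets:
    (n - 1) / (last - first). A single-packet flow has no elapsed time, rate 0.0.
    """
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p.src, p.dst, p.proto, p.dport)].append(p.ts)
    rates = {}
    for key, stamps in by_flow.items():
        stamps.sort()
        span = stamps[-1] - stamps[0]
        rates[key] = (len(stamps) - 1) / span if span > 0 else 0.0
    return rates


def cluster_key(flow):
    """Cluster flows that share source /24, destination, protocol and port."""
    src, dst, proto, dport = flow
    return (src.rsplit(".", 1)[0], dst, proto, dport)


def profile(packets):
    """Activity profile: the summed rate of each cluster's constituent flows."""
    activity = defaultdict(float)
    for flow, rate in flow_rates(packets).items():
        activity[cluster_key(flow)] += rate
    return dict(activity)


def detect(baseline, current, level_factor=3.0):
    """Compare two profiles. Returns (raised_clusters, cluster_growth).

    raised_clusters: clusters whose level is level_factor times the baseline
    level (or more); cluster_growth: how many more distinct clusters are seen
    now than in the baseline, the module's indicator for a DDoS.
    """
    raised = [c for c, level in current.items()
              if level >= level_factor * max(baseline.get(c, 0.0), 1.0)]
    return sorted(raised), len(current) - len(baseline)


def make_flow(src, dst, proto, dport, n, step):
    return [Packet(i * step, src, dst, proto, dport) for i in range(n)]


# Constructed baseline: two client networks querying a DNS server at 1 packet/s.
BASELINE = (make_flow("10.1.1.5", "192.0.2.10", "UDP", 53, 10, 1.0)
            + make_flow("10.2.2.7", "192.0.2.10", "UDP", 53, 10, 1.0))

# Constructed observation: the first client is unchanged, the second now floods
# at 4 packets/s, and 20 spoofed /24 networks each send a short burst.
OBSERVED = (make_flow("10.1.1.5", "192.0.2.10", "UDP", 53, 10, 1.0)
            + make_flow("10.2.2.7", "192.0.2.10", "UDP", 53, 100, 0.25)
            + [p for i in range(1, 21)
               for p in make_flow(f"198.51.{i}.9", "192.0.2.10", "UDP", 53, 2, 0.5)])


def analyze():
    """Returns ([('10.2.2', '192.0.2.10', 'UDP', 53)], 20) for the data above."""
    return detect(profile(BASELINE), profile(OBSERVED))


if __name__ == "__main__":
    raised, growth = analyze()
    print("clusters with raised activity:", raised)
    print("new distinct clusters:", growth)
```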
Wavelet-based Signal Analysis
[Slide: Wavelet analysis describes an input signal in terms of spectral components; wavelets provide for concurrent time and frequency description and determine the time at which certain frequency components are present; analyzing each spectral window's energy determines the presence of anomalies]
Wavelet analysis describes an input signal in terms of spectral components. A purely spectral description gives global frequency content with no time localization; wavelets, by contrast, provide concurrent time and frequency descriptions. This makes it easy to determine the time at which certain frequency components are present. The input signal contains both time-localized anomalous signals and background noise. In order to detect the attack traffic, the wavelets separate these time-localized signals from the noise components. The presence of anomalies can be determined by analyzing each spectral window's energy. The anomalies found may represent misconfiguration or network failure, flash events, and attacks such as DoS.
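A minimal version of this analysis, added here and not the module's own code: a Haar wavelet decomposition of a constructed packet-rate series with per-window energy, which localizes a flood burst to the time windows in which it occurs. The window size, the decomposition depth, the median-based threshold and the sample series are assumptions.

```python
# Added example, not the CEH module's own code: Haar wavelet analysis of a
# constructed packet-rate series. Detail coefficients at levels 1..3 (spectral
# components of 2-, 4- and 8-sample scale) are summed per 8-sample time window,
# so an anomaly is localized to the window(s) whose energy stands out.
import math
from statistics import median

SQRT2 = math.sqrt(2.0)


def haar_details(series, levels):
    """Haar DWT detail coefficients, one list per level (level 1 first).

    Coefficient k at level j summarizes samples [k*2^j, (k+1)*2^j), so time
    localization is kept alongside the frequency (scale) information.
    """
    approx = list(series)
    details = []
    for _ in range(levels):
        detail, coarse = [], []
        for x, y in zip(approx[0::2], approx[1::2]):
            detail.append((x - y) / SQRT2)
            coarse.append((x + y) / SQRT2)
        details.append(detail)
        approx = coarse
    return details


def window_energies(series, window=8):
    """Energy (sum of squared detail coefficients) of each spectral window."""
    levels = int(math.log2(window))       # every level's support aligns to a window
    details = haar_details(series, levels)
    energies = []
    for w in range(len(series) // window):
        e = 0.0
        for level, coeffs in enumerate(details, start=1):
            per_window = window >> level  # coefficients of this level per window
            e += sum(c * c for c in coeffs[w * per_window:(w + 1) * per_window])
        energies.append(e)
    return energies


def anomalous_windows(energies, factor=10.0):
    """Windows whose energy exceeds factor times the median window energy."""
    base = median(energies)
    return [w for w, e in enumerate(energies) if e > factor * base]


def constructed_rates(n=64, burst=range(51, 58), burst_size=80):
    """Background rate cycling 98..102 pps plus a time-localized flood burst."""
    return [100 + (2 * t) % 5 - 2 + (burst_size if t in burst else 0)
            for t in range(n)]


if __name__ == "__main__":
    energies = window_energies(constructed_rates())
    for w, e in enumerate(energies):
        print(f"window {w} (t={8 * w}..{8 * w + 7}): energy {e:.1f}")
    print("anomalous windows:", anomalous_windows(energies))  # [6, 7]
```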
Sequential Change-Point Detection
[Slide: Change-point detection algorithms isolate a traffic statistic's change caused by attacks]
Sequential change-point detection algorithms segregate the abrupt changes in traffic statistics caused by attacks. This detection technique initially filters the target traffic data by port, address, and protocol and stores the resulting flow as a time series. This time series can be considered the time-domain representation of a cluster's activity. The time series shows a statistical change at the time the DoS flooding attack begins.
Cusum is a change-point detection algorithm that operates on continuously sampled data and requires only modest computational resources and memory. The Cusum identifies and localizes a DoS attack by detecting the deviation of the actual from the expected local average in the time series. If the deviation is greater than the upper bound, the Cusum's recursive statistic increases with each time series sample. Under normal traffic flow conditions the deviation lies within the bound and the Cusum statistic decreases until it reaches zero. Thus, this algorithm allows you to identify the onset of a DoS attack by applying an appropriate threshold against the Cusum statistic.
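The Cusum procedure just described, as an added example rather than code from the module: the recursive statistic run over a constructed packet-count series, with the expected local average learned from an attack-free training window. The bound, the threshold h and the series are assumptions chosen for the illustration.

```python
# Added example, not the CEH module's own code: the Cusum statistic over a
# constructed per-second packet-count series. mu is the expected local average
# (learned from a clean training window), bound the tolerated upward deviation,
# h the alarm threshold; all constants and samples here are constructed.

def baseline_mean(series, n):
    """Expected local average: the mean of the first n (attack-free) samples."""
    head = series[:n]
    return sum(head) / len(head)


def cusum(series, mu, bound, h):
    """Recursive Cusum statistic and attack onset.

    S_t = max(0, S_{t-1} + (x_t - mu - bound)): each sample above the upper
    bound mu + bound raises the statistic, each sample below it lowers the
    statistic back toward zero. Returns (onset, stats) with onset the first
    index where S_t exceeds h, or None when the threshold is never crossed.
    """
    s, stats, onset = 0.0, [], None
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mu - bound))
        stats.append(s)
        if onset is None and s > h:
            onset = t
    return onset, stats


# Constructed series (packets per second): background around 100 pps, a brief
# legitimate burst at t=20..21, background again, then a flood from t=40 on.
SERIES = [95, 105] * 10 + [150, 150] + [95, 105] * 9 + [400] * 10


def detect_onset(series=SERIES, train=20, bound=20.0, h=200.0):
    """Learn mu from the training window, then run Cusum over the whole series."""
    mu = baseline_mean(series, train)
    return cusum(series, mu, bound, h)


if __name__ == "__main__":
    onset, stats = detect_onset()
    # The short burst only lifts S_t to 60 and decays; the flood crosses h at t=40.
    print("attack onset at sample:", onset)
    print("max statistic before onset:", max(stats[:onset]))
```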
DoS/DDoS Countermeasure Strategies
[Slide: Absorbing the Attack (use additional capacity to absorb the attack; it requires preplanning and additional resources); Degrading Services (identify critical services and stop non-critical services); Shutting Down the Services (shut down all the services until the attack has subsided)]
There are three types of countermeasure strategies available for DoS/DDoS attacks:
Absorb the attack
Use additional capacity to absorb the attack; this requires preplanning and additional resources. One disadvantage is the cost of the additional resources, even when no attacks are under way.
Degrade services
If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional. For this, first you need to identify the critical services. Then you can customize the network, system, and application designs in such a way as to degrade the noncritical services. This may help you keep the critical services functional. If the attack load is extremely heavy, you may need to disable the noncritical services entirely so that the capacity they used can be given to the critical services, keeping those functional.
Shut down services
Simply shut down all services until an attack has subsided. Though it may not be an
optimal choice, it may be a reasonable response for some.
DDoS Attack Countermeasures
[Slide: Protect secondary victims; Prevent potential attacks; Mitigate attacks]
There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas help in preventing certain aspects of a DDoS attack. However, no single way alone can provide protection against all DDoS attacks. In addition, attackers are frequently developing new DDoS attacks to bypass each new countermeasure employed. Basically, there are six countermeasures against DDoS attacks:
- Protect secondary targets
- Neutralize handlers
- Prevent potential attacks
- Deflect attacks
- Mitigate attacks
- Post-attack forensics
DoS/DDoS Countermeasures: Protect Secondary Victims
[Slide: Install anti-virus and anti-Trojan software and keep these up to date; increase awareness of security issues and prevention techniques among all Internet users; disable unnecessary services, uninstall unused applications, and scan all files received from external sources; configure and regularly update the built-in defensive mechanisms in the core hardware and software of the systems]
Individual Users
Potential secondary victims can be protected from DDoS attacks, thus preventing them from becoming zombies. This demands intensified security awareness and the use of prevention techniques. To keep attackers from compromising secondary victims' systems and infecting them with DDoS agents, clients must continuously monitor their own security. Checks should be carried out to ensure that no agent programs have been installed on their systems and that no DDoS agent traffic is sent into the network. Installing antivirus and anti-Trojan software and keeping these updated helps in this regard, as does installing software patches for newly discovered vulnerabilities. Since these measures may appear daunting to the average web surfer, built-in mechanisms in the core of computing systems (hardware and software) can provide protection against malicious code insertion. This can considerably reduce the risk of a secondary system being compromised, leaving attackers with no attack network from which to launch their DDoS attacks.
Network Service Providers
Service providers and network administrators can resort to dynamic pricing for their network usage so that potential secondary victims become more active in preventing their computers from becoming part of a DDoS attack. Providers can charge differently as per the usage of their resources. This would force providers to allow only legitimate customers onto their networks. When prices for services are changed, the potential secondary victims who are paying for Internet access may become more cognizant of dangerous traffic, and may do a better job of ensuring their nonparticipation in a DDoS attack.
DoS/DDoS Countermeasures: Detect and Neutralize Handlers
[Slide: Neutralize Botnet Handlers (study the communication protocols and traffic patterns between handlers and clients or handlers and agents to identify the network nodes that might be infected with a handler; there are usually few DDoS handlers deployed compared to the number of agents, so neutralizing a few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks); Spoofed Source Address (there is a good probability that the spoofed source address of DDoS attack packets will not represent a valid source address of the specific sub-network)]
A DDoS attack can be stopped by detecting and neutralizing the handlers, which are the intermediaries through which the attacker initiates attacks. Finding and stopping the handlers is a quick and effective way of counteracting the attack. This can be done by studying the communication protocols and traffic patterns between handlers and clients, or between handlers and agents, in order to identify network nodes that might be infected with a handler. There are usually few DDoS handlers deployed compared to the number of agents, so neutralizing a few handlers can render multiple agents useless. Since agents form the core of the attacker's ability to spread an attack, neutralizing the handlers so that the attacker cannot use them is an effective strategy to prevent DDoS attacks.
DoS/DDoS Countermeasures: Detect Potential Attacks
[Slide: Egress Filtering; Ingress Filtering (enables the originator to be traced to its true source); TCP Intercept (configuring TCP Intercept prevents DoS attacks by intercepting and validating the TCP connection requests)]
To detect or prevent a potential DDoS attack that is being launched, ingress filtering, egress filtering, and TCP intercept can be used.
Ingress Filtering
Ingress filtering doesn't offer protection against flooding attacks originating from valid
prefixes (IP addresses); rather, it prohibits an attacker from launching an attack using forged
source addresses that do not obey ingress filtering rules. When the Internet service provider
(ISP) aggregates routing announcements for multiple downstream networks, strict traffic
filtering must be applied in order to prohibit traffic originating from outside the aggregated
announcements. The advantage of this filtering is that it allows tracing the originator to its true
source, as the attacker needs to use a valid and legitimately reachable source address.
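The strict filtering at the aggregation point, as an added example that is not the module's own: a Python ingress filter that forwards only packets whose source lies in one of the provider's downstream announcements. The prefixes, addresses and packet list are constructed for the illustration.

```python
# Added example, not the CEH module's own code: ingress filtering at an ISP
# edge that aggregates routing announcements for several downstream networks.
# Traffic arriving from the customer side is forwarded only when its source
# address lies inside an announced prefix; prefixes and packets are constructed.
import ipaddress

# Prefixes the provider announces on behalf of its downstream customers (constructed).
DOWNSTREAM_PREFIXES = [ipaddress.ip_network(p)
                       for p in ("198.51.100.0/24", "203.0.113.0/25")]


def permitted_source(src, prefixes=DOWNSTREAM_PREFIXES):
    """True if src falls inside one of the aggregated downstream announcements."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def ingress_filter(packets, prefixes=DOWNSTREAM_PREFIXES):
    """Split (src, dst) pairs seen on the customer-facing interface.

    Returns (forwarded, dropped). A dropped packet is recorded with its forged
    source, the address that could not be traced back to this customer;
    forwarded packets keep a valid, legitimately reachable source address.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        if permitted_source(src, prefixes):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, "source outside announced prefixes"))
    return forwarded, dropped


# Constructed traffic toward one destination: two legitimate sources, one
# source address the customer was never assigned, and one from the upper half
# of 203.0.113.0/24, which is outside the /25 the provider actually announces.
SAMPLE_PACKETS = [
    ("198.51.100.25", "192.0.2.80"),
    ("203.0.113.7", "192.0.2.80"),
    ("10.9.8.7", "192.0.2.80"),
    ("203.0.113.200", "192.0.2.80"),
]


def run():
    return ingress_filter(SAMPLE_PACKETS)


if __name__ == "__main__":
    forwarded, dropped = run()
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```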
Egress Filtering
In this method of traffic filtering, the IP packet headers that are leaving a network are
initially scanned and checked to see whether they meet certain criteria. Only the packets that
pass the criteria are routed outside of the sub-network from which they originated; the packets