Intro to Common Layer 3, Layer 4 & Layer 7 DoS Attacks

December 21, 2016 | Views: 12875

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Common Layer 3 (network layer) and Layer 4 (transport layer) Attacks:

ICMPDefinition from The Tech Terms Dictionary  )

Stands for “Internet Control Message Protocol.” When information is transferred over the Internet, computer systems send and receive data using the TCP/IP protocol. If there is a problem with the connection, error and status messages regarding the connection are sent using ICMP, which is part of the Internet protocol.

When one computer connects to another system over the Internet (such as a home computer connecting to a Web server to view a website), it may seem like a quick and easy process. While the connection may take place in a matter of seconds, there are often many separate connections that must happen in order for the computers to successfully communicate with each other. In fact, if you were to trace all the steps of an Internet connection using a traceroute command, it might surprise you that Internet connections are successful as often as they are. This is because for every “hop” along the way, the network must be functional and able to accept requests from your computer.

In cases where there is a problem with the connection, ICMP can send back codes to your system explaining why a connection failed. These may be messages such as, “Network unreachable” for a system that is down, or “Access denied” for a secure, password-protected system. ICMP may also provide routing suggestions to help bypass unresponsive systems. While ICMP can send a variety of different messages, most are never seen by the user. Even if you do receive an error message, the software you are using, such as a Web browser, has most likely already translated the message into simple (and hopefully less technical) language you can understand.

Before Initiating ICMP attacks it is important to determine if a host will accept ICMP packets. A simple ping can do this for you. I also find www.check-host.com very useful for this.

Control Message Types can be found at the following link: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

BLACK NURSE

BlackNurse Denial-of-Service Attack Blog

In denial of service attacks, it is possible to carefully craft an ICMP packet or their send interval to disrupt service. A popular Linux Program hping3 allows you to shape every aspect of sending ICMP control messages. An old attack that has become popular again called “black nurse” uses ICMP category 3 type 3 messages to tell a host that their port is unreachable. This attack can crash firewalls and servers even if executed from a single laptop. The power of this attack scales up en masse naturally.

The command to execute a black nurse attack in hping3 is as follows:  hping3 –icmp -C 3 -K 3 –flood [target]

Here is a link to another form of ICMP flooding: 

ICMP Echo Flooding aka Ping Flood: https://www.incapsula.com/ddos/attack-glossary/ping-icmp-flood.html

Initiating an ICMP echo flood in hping3 is very easy: hping3 –icmp –flood <target>

It is possible to craft the packet size between 64bits and 1500bits depending on how fast your upload speed is. Hping3 defaults to 0 data bytes. The goal is to send as many packets as quickly as possible.

use hping3 –h to look at further options for echo flooding.

  

TCP DOS:

Synflood is a TCP request for acknowledgment attack. During connection or “handshaking” there are a few special packets sent to establish a connection. By repeatedly requesting acknowledgement from a spoofed host that is unreachable denial of service can be achieved.

These two links explain TCP handshaking and SYNflooding better than I possibly could:

https://en.wikipedia.org/wiki/SYN_flood/

https://en.wikipedia.org/wiki/Transmission_Control_Protocol#CONNECTION-ESTABLISHMENT

Synflooding in Metasploit:

sudo service postgresql start

sudo msfconsole

msf>use auxiliary/dos/tcp/synflood

set rport <target port>

set rhost <target host>

run <execute a SYN flood>

Fuzz Testing, Application Layer (layer 7) Stressing:

Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. Prior to initiating fuzz testing it is important to have ran a port scan on a particular host and have determined what services are active. I use zenmap and metasploit’s front end armitage to perform these attacks but they can be done with just metasploit or other clients.

Definition from Techtarget  )

Common Layer 7 (application layer) Attacks

Fuzzing in armitage:

sudo service postgresql start

sudo msfconsole

msf>sudo armitage

At this point, 2 windows are going to come up. Click connect to Connect to the postgres database and Yes to start RPC

Click “Connect” to connect to the postgres database.

Then, click “Yes” to start RPC.

 

Importing hosts into armitage: 

At the top of the screen you will see a button that says “Hosts” 

Clicking the button will give you two different options to add hosts to armitage. “Import hosts” lets you import hosts from zenmap xml files. Add hosts lets you add a host to armitage using its resolved IP address. If you use the second option you can also find nmap port scanner under the hosts tab that will help you determine what ports are open and what application services are active.

 

Initiating fuzzing:

Highlight the host you would like to fuzz in the host area (it will be bordered in green)

Launch the fuzzer by clicking on it in the auxiliary/fuzzers/XXXXXX area *note if it doesn’t correctly validate the remote host you can use set rhost in the msfconsole section of armitage to correct this. Also, you must run both of the things under the FTP section to initiate ftp fuzzing, one of them sets up an ftp server to fuzz from. Http get form data fuzzing only works if the site has a form listed in the http header. it will tell you where to locate the form to stress test it if the form is not on the homepage most times.

Normally fuzzing will start on its own if you’ve remembered to highlight the host (sometimes I forget). If it doesn’t, in the msfconsole area type “run” at the prompt. If you are fuzzing, you will see output in blue, in the msfconsole area, that says something to the effect of “fuzzing with iteration XXXX”.

HTTP Flood & DDoS Attack Glossary:

 HTTP flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application.

HTTP flood attacks are volumetric attacks, often using a botnet “zombie army”—a group of Internet-connected computers, each of which has been maliciously taken over, usually with the assistance of malware like Trojan Horses.

A sophisticated Layer 7 attack, HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server.

As such, they demand more in-depth understanding about the targeted site or application, and each attack must be specially-crafted to be effective. This makes HTTP flood attacks significantly harder to detect and block.

Attack Description: 

When an HTTP client like a web browser “talks” to an application or server, it sends an HTTP request – generally one of two types of requests: GET or POST. A GET request is used to retrieve standard, static content like images while POST requests are used to access dynamically generated resources.

The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each single request. Thus, the perpetrator will generally aim to inundate the server or application with multiple requests that are each as processing-intensive as possible.

For this reason HTTP flood attacks using POST requests tend to be the most resource-effective from the attacker’s perspective; as POST requests may include parameters that trigger complex server-side processing. On the other hand, HTTP GET-based attacks are simpler to create, and can more effectively scale in a botnet scenario.

 

VIDEO TUTORIALS:

smptp fuzzing:

https://www.youtube.com/watch?v=0RGC2ekQDqQ

https://www.youtube.com/watch?v=XaeKL4j593A

https://www.youtube.com/watch?v=INGkVx7iAqM&t=26s

https://www.youtube.com/watch?v=4pKJ0-RxLuM

https://www.youtube.com/watch?v=B8RJdcUuuPo

https://www.youtube.com/watch?v=DEwhZnO1xlM

http fuzzer:

https://www.youtube.com/watch?v=9ckk4GK9oXQ

https://www.youtube.com/watch?v=zX20MmUVeY8

fuzzing general:

https://www.youtube.com/watch?v=d8KXoTFRwJ8

dns spoofing:

https://www.youtube.com/watch?v=Aw5CQK6F_O4

hping3 tutorials:

https://www.youtube.com/watch?v=fRxnzAWX5ag

https://www.youtube.com/watch?v=fagjmQi-sBY

https://www.youtube.com/watch?v=Pzy-FwGF_OU

arp poisoning:

https://www.youtube.com/watch?v=Vvln4_HfIVg

https://www.youtube.com/watch?v=tW_NMG2IZ5s

https://www.youtube.com/watch?v=hI9J_tnNDCc

https://www.youtube.com/watch?v=Dat5kJxpwbI

creating a persistent backdoor:

https://www.youtube.com/watch?v=-g8d2YonOxc
Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
3 Comments
  1. very well explained

  2. Great step-by-step – quick and easy!

  3. very cool good read going into college for network engineering

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel