August 11, 2016
The Many Flavors of Denial of Service
(D)DoS attacks are one of the most disruptive attacks on the internet these days. It all began when some geek somewhere realized he could use a simple ping with its payload increased, or its ping rate set obscenely high, in order to stress test and overload network equipment and servers.

Disambiguation: DoS is an acronym for Denial of Service. DDoS is the Distributed form of Denial of Service, which commonly utilizes a Botnet, Server Cluster or other team of nodes that can be controlled into launching a form of DoS Attack.

This type of attack is usually deployed to knock a target (site or service) offline for everyone who would legitimately be using it. But it has also been used to cause excessive cost in the form of bandwidth overage charges to those with metered internet connections and impact them financially (as a form of activism).

Though these attacks date back to the invention of the ICMP protocol, their methodology and premises have successfully crossed into other protocols as well - with each having a unique set of possible uses, strengths and weaknesses.

DoS vs DDoS

A basic Denial of Service attack, regardless of the protocol used, is one network node attempting to overload another's resources and hang it up. Most commonly, the targeted resource is the network/internet connection, but RAM and CPU can also be targeted. Both DoS and DDoS share this ideology. The difference is that a regular DoS attack originates from one or a few sources.

A true DDoS attack can be the same attack - and even use the same protocols - as a DoS attack. Yet, a DDoS attack is massively scaled up, utilizing large numbers of nodes working as a team to attack a target. Most commonly, such a team of nodes is called a Botnet. Nearly all Botnets are a team of infected, hacked or exploited computers, servers, network equipment, smartphones and IoT devices.
A DDoS reaches magnitudes that even our largest ISPs have trouble mitigating. A DDoS has another benefit (to the attacker) in that it's much, much harder to determine who initiated the attack, because its sources could number hundreds or thousands. This makes prosecution of perpetrators considerably harder. Additionally, almost all DoS protocol options can fully scale into a DDoS, but many DDoS protocols or methods aren't possible, or at least not effective, in a non-distributed approach.

Layer 3 vs Layer 7

A Layer 3 (D)DoS attack is one that utilizes a low level protocol, most commonly ICMP (ping). This type of attack would not usually work to hang up CPU and RAM resources on a target unless it was very old or misconfigured. Yet, it can still be used to flood a connection to its limit quite effectively and easily (most notably, by using hping on Unix/Linux/BSD systems).

A Layer 7 (D)DoS attack is one that utilizes application layer protocols and exploits to directly overload the weakest link in a service, whichever it may be. Examples of Layer 7 attacks include various Reflection Attacks, Pingback Amplification Attacks (see WordPress and XMLRPC), NTP Amplification Attacks (Network Time Protocol), DNS Amplification Attacks and many others.

These attack methods can hang up the CPU, RAM and the entire ephemeral port range of a target, rendering it completely inoperable (even if its connection is strong enough to handle the load). It's not uncommon to see all of the resources completely depleted during such an attack. Sometimes, defense services such as CloudFlare and other reverse proxies cannot perfectly defend against a really strong Layer 7 DDoS attack. These are some of the most powerful DDoS attacks invented thus far.

What's a Reflection/Amplification Attack?

Imagine you want to launch a DDoS attack against someone like Google, Microsoft or some big, well-defended network, but you don't have a Botnet.
These days, you no longer need one! What if you could sit back at your desk and, as if you had a remote control in your hand, cause random websites and servers to attack your target FOR YOU, without having to root or otherwise take over control of them directly? Surprisingly, this has been possible - sometimes, to a horrifying extent.

There are tools in the wild that, if provided with a list of WordPress sites from something like a Google dorking search, can issue commands to those random WordPress sites. They trigger mass amounts of them all at once, connecting to your target to say "hi" over and over and over and over. Can you imagine hundreds or thousands of these WordPress sites suddenly doing this? There's your attack, using the ridiculously insecure WordPress pingback XMLRPC feature in a malicious fashion.

There are also known exploits in some major internet protocols which allow the exact same type of remote controlled attack with no actual access to the system. Most notable are NTP and DNS. You can spoof your IP and get these services to flood your target with erroneous responses it never asked for, to create a similarly disruptive effect.

What's a Syn Attack/Flood?

There are actually a number of Syn Flooding attack methods that are possible. But, unlike other (D)DoS methods that seek to massively overpower a target, Syn Floods can often fly right over a network using little to no bandwidth at all. They have nearly identical effects on a target system depending on its OS, configuration and firewalling.

A Syn Flood tricks the server or service into opening as many connections as it can possibly handle, exhausting either RAM or the available ephemeral ports, or hitting the max connections limit of an application and keeping it full, depending on the OS.

Syn Floods are notorious for working quite effectively against Windows servers. They do work against Linux, too. They can effectively hang and lock up IIS servers, RDP access, FTP and many other protocols.
If a server is discovered to be Windows, Syn Floods hit not only the target service ports (for example, IIS 80 and 443) but also 3389, to prevent an administrator from being able to remote desktop into the server to mitigate the attack. And, while all of that is going on, you might only be utilizing 500kb of network traffic. The network would show as mostly idle, which could confuse a newbie server technician into thinking that it's not an attack, but a hung server or self-inflicted malfunction of some kind.

Syn Floods are one of the easier attack types to defend against, due to the fact that they are programmatic rather than a data overload. However, most firewalls do not block all of the possible Syn attack methods by default, as there are many, many ways to trick a firewall into thinking they're legitimate requests.

Being the author of one such obscure Syn Flood method that can sneak through most firewalls (even Cisco), I can attest to them being easier to defend against, "at least once they're discovered" as happening in the first place.

I would estimate at least 50% of the server admins who have been victimized by Syn Floods never knew it was a Syn Flood that caused their problems. The ones who knew it was a Syn Flood were probably the ones with high levels of security in place to notify them of such (and a long history of such prior attacks).
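Spotting from your own access log that you are the target of the WordPress pingback reflection described in the Reflection/Amplification section above. This is an added example, not code from the original post; the log lines are constructed, and the check keys on the User-Agent string WordPress sends when it verifies a pingback ("WordPress/<version>; <blog URL>; verifying pingback from <IP>"), where the trailing IP is whoever called the reflecting site's XML-RPC endpoint. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines (sample data, not a real capture):
# five WordPress hosts verifying a pingback within seconds, one normal visitor,
# and one lone verification minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Aug/2016:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://blog-a.example; verifying pingback from 198.51.100.9"
203.0.113.11 - - [11/Aug/2016:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://blog-b.example; verifying pingback from 198.51.100.9"
203.0.113.12 - - [11/Aug/2016:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://blog-c.example; verifying pingback from 198.51.100.9"
203.0.113.13 - - [11/Aug/2016:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://blog-d.example; verifying pingback from 198.51.100.9"
203.0.113.14 - - [11/Aug/2016:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "WordPress/4.3.1; http://blog-e.example; verifying pingback from 198.51.100.9"
192.0.2.44 - - [11/Aug/2016:10:00:04 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
203.0.113.20 - - [11/Aug/2016:10:05:30 +0000] "GET /post/2 HTTP/1.1" 200 4096 "-" "WordPress/4.5.3; http://blog-f.example; verifying pingback from 192.0.2.80"
"""

# Combined log format: client ip, timestamp, request, status, bytes, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# User-Agent WordPress sends when it fetches a page to verify a pingback; the
# trailing address is the client that called the reflector's XML-RPC endpoint.
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; \S+; verifying pingback from (?P<caller>\S+)$')

def detect_pingback_flood(lines, window_s=60, min_hits=5, min_reflectors=3):
    """Bucket pingback-verification requests into fixed windows and return an
    alert for each window where many distinct WordPress hosts hit the site."""
    buckets = defaultdict(lambda: {"hits": 0, "reflectors": set(), "callers": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if ua is None:
            continue  # ordinary visitor, not a reflector
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        b = buckets[int(ts.timestamp()) // window_s]
        b["hits"] += 1
        b["reflectors"].add(m.group("ip"))
        b["callers"].add(ua.group("caller"))
    alerts = []
    for key, b in sorted(buckets.items()):
        if b["hits"] >= min_hits and len(b["reflectors"]) >= min_reflectors:
            alerts.append({"window_start": key * window_s, "hits": b["hits"],
                           "reflectors": len(b["reflectors"]),
                           "callers": sorted(b["callers"])})
    return alerts
```

The "callers" list is the part worth keeping for the incident record: the reflecting blogs are victims too, and the address they report is the one that actually triggered the pingbacks.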
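A quick check that tells the "network mostly idle, server hung" picture above apart from a Syn Flood, as an added example that is not code from the original post. It reads a socket table in the format of Linux `ss -tan` (the sample below is constructed; on Windows the equivalent is `netstat -an`, where the state reads SYN_RECEIVED) and flags ports where half-open connections dominate, including admin ports such as 3389. The threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed `ss -tan` style socket table from a web host under a low-bandwidth
# SYN flood (sample data, not a real capture): half-open connections pile up on
# 443 and on 3389 from many distinct peers while almost nothing is established.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443         198.51.100.21:41022
SYN-RECV   0      0      10.0.0.5:443         198.51.100.22:41023
SYN-RECV   0      0      10.0.0.5:443         198.51.100.23:41024
SYN-RECV   0      0      10.0.0.5:443         198.51.100.24:41025
SYN-RECV   0      0      10.0.0.5:443         198.51.100.25:41026
ESTAB      0      0      10.0.0.5:443         203.0.113.7:50112
SYN-RECV   0      0      10.0.0.5:3389        198.51.100.30:55001
SYN-RECV   0      0      10.0.0.5:3389        198.51.100.31:55002
SYN-RECV   0      0      10.0.0.5:3389        198.51.100.32:55003
SYN-RECV   0      0      10.0.0.5:3389        198.51.100.33:55004
ESTAB      0      0      10.0.0.5:22          203.0.113.9:60210
"""

# One socket row: state, recv-q, send-q, local addr:port, peer addr:port.
ROW_RE = re.compile(r'^(?P<state>\S+)\s+\d+\s+\d+\s+\S+:(?P<lport>\d+)\s+(?P<peer>\S+):\d+$')

def half_open_report(text, max_half_open=4):
    """Per local port, compare half-open (SYN-RECV) sockets with established ones."""
    per_port = defaultdict(lambda: {"half_open": 0, "peers": set(), "established": 0})
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # header or unparsable row
        p = per_port[int(m.group("lport"))]
        if m.group("state") == "SYN-RECV":
            p["half_open"] += 1
            p["peers"].add(m.group("peer"))
        elif m.group("state") == "ESTAB":
            p["established"] += 1
    report = {}
    for port, p in per_port.items():
        # Suspect when half-open sockets exceed the threshold AND outnumber real
        # sessions; a busy but healthy port fails the second test.
        report[port] = {"half_open": p["half_open"], "distinct_peers": len(p["peers"]),
                        "established": p["established"],
                        "suspect": p["half_open"] >= max_half_open and p["half_open"] > p["established"]}
    return report

def suspect_ports(text, max_half_open=4):
    """Sorted list of ports to investigate; watch for admin ports such as 3389."""
    return sorted(port for port, v in half_open_report(text, max_half_open).items() if v["suspect"])
```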