DDoS Tools and Countermeasures

00:01

Hey, everyone, welcome back to the course. So in this video, we're just gonna talk about some of the DDOS tools that you can use as well as some countermeasures for those attacks.

00:11

So the first tool we're gonna talk about is the real, and we're just gonna cover. This is a very, very high level. Um, you just need to be familiar with some of the names for the ch exam. You don't need to actually know these tools and death or even actually use them. You just need to know the names for that particular exam. So this is a tool that uses modern patterns for attacks. Um,

00:31

and it doesn't via, like, TCP protocol http protocol as well as UDP.

00:36

We've got Pandora,

00:38

which is essentially Ah, Adidas bought tool kit. Uh, if you remember, we may not know, but there used to be a dirt jumper. DDOS tool kits, this kind of updated variant of that and it offers five different attack mode. So it offers http. Men http Download http Combo

00:56

soccer connect as well a smacks flood. And again, you don't need to know that stuff

01:00

for the ch exam.

01:02

We've got the low orbit. Ion cannon. So a lot of script kiddies use this one. This one Just a simple denial of service attack for you.

01:10

We've also got the high orbit ion cannon. So this one makes attacks to any I p address with a user selected port and a user selected port.

01:19

We've got the high orbit ion cannon, which basically does DDOs attacks to any I p address with a user selected port and a user selected protocol. We've got our denial of service Http or Dos http, basically, this is just an http flood denial of service tool. It's used for windows,

01:38

usually. And it includes things like you are l verification,

01:42

http redirection port designation as well as things like performance monitoring and also some or enhanced reporting.

01:51

We've got Angela Anderson, which basically allows the attacker to simulate a denial of service attack

01:57

on ah Web server from a mobile device. So specifically, this is gonna be an http post flood attack.

02:02

So let's talk about some of the countermeasures weaken, do

02:07

we could do things like throttling and load balancing. So with load balancing were essentially when all those packets air coming in were spreading them across all these different servers and not a single device, the same thing with throttling. We can basically block packets. At a certain point, we say, Well, there's too many here

02:22

and we're blocking those out Cloudflare Flair is an example of a provider that does that. So, for example,

02:28

if I'm using like Cloudflare and I am getting a ton of requests coming through to my website, and I normally don't, it may block that and make several of those requests actually wait to make sure it's not a baht attacking. And it's actually just ah lot of traffic because, let's say, for example, I was on Oprah show and she said,

02:46

Ken's course on Sai Buri is the most popular thing. I love it,

02:51

and then everybody wanted to take the course right? So the throttling aspect there allows an organization to make sure it's actually legitimate traffic and not a botnet.

03:00

We can also do things like stopping non critical services. So, for example, I got certain services running. They're not critical. We can stop those so we can take that bandwidth and put it back into our server or devices,

03:12

Also making sure that we're using things like anti virus or anti malware on our end points as well as we can we have to think through is an organization basically like Do we want to absorb this attack? So we do We want to plan in advance of saying, OK, what happens if we get a massive attacks? Should we put up additional resource is etcetera. So we have to plan in advance and you don't always know

03:31

how big an attack is going to be or how often you might be attacked. We could also choose to, as we talked about, stop those critical services or just degrade them so we could show we could shut down all services. Or we could just stop those non critical ones.

03:49

We can harden our service. So again, kind of a pre planning type of thing, hardening our service against specific vulnerabilities, making sure the software is up to date. The firmware is up to date, and that way infant attacker does try to attack. They're less likely to have success exploiting vulnerabilities, because sometimes the denial of service or DDOS attack as well

04:09

are just a mirror, A mask. Excuse me. There just a mask for what the actual attack is. And so if we harden our servers,

04:15

we can help mitigate some of those issues.

04:17

And we could simply as a lot of organizations do, just deny those pings right. We could just deny that ICMP traffic

04:26

on our firewall instead of rule and say, Hey, if it's an ICMP packet, were dropping it, we don't even care. It's not coming through.

04:32

Other things we can do include things like analyzing the network traffic. So just, you know, identifying what looks normal. What's the normal traffic patterns and what would be anomalous right will be different. That might indicate there's some kind of infection going on or that there's an inactive attack going on.

04:50

We could try to neutralize the botnet handlers as well.

04:54

We can do things like ingress or egress filtering so incoming or external filtering. Andi kind of going back to the firewall, right? We could block those ICMP packets. So, for example, for egress filtering, we could scan the packet headers of the I P packets that might be leaving our network so we could make sure that no unauthorized or malicious traffic is leaving

05:12

our internal network. So, for example, If an attacker

05:15

convinced our person in accounting to download something, there might be a reverse shell opened up where the Attackers communicating with the commander control server via that that shell. And so, with egress filtering weaken, block that traffic potentially and help protect our network.

05:30

Ingress filtering. Right. Protecting ourselves from that flooding attack we can block certain I p addresses that air known attack I I p addresses. We can block other indicators of compromise. So that way, the attacker can't use those things To get into our network,

05:46

we can use something like TCP intercept where essentially the the the packet is being validated and and the TCP request is actually being validated.

05:56

We can use honey pots in our network, which is a pretty common thing to do. And these air deliberately vulnerable machines so we can identify, Like, how our Attackers actually attacking, right? What are they doing on these devices? And that helps us determine a better plan of defense.

06:11

We could also just drop the package like we talked about already, right? We could just literally when they request, come in. We say this doesn't look right, and we drop it

06:17

so just a quick quiz question here for you. There is typically a large amount of botnet handlers.

06:24

Is that gonna be true or false?

06:26

Alright, so that one's false. There's usually very few details handlers that are deployed compared to the number of agents. Eso if we neutralize those few handlers so again going back to neutralizing the Batna handlers, we can potentially render many of those agents useless, which will eventually thwart that Deedles attack from the attacker.