Denial of Service (Whiteboard)

Description
Transcript

Alright, in this module I want to talk about distributed denial of service. So let us check it out. The basic concept here is that, no matter how you do it, the goal is to reduce someone's network traffic or availability, restrict legitimate access to something, prevent an authorized user from getting access to something, or flood your target with an overwhelming number of requests so that regular people or users cannot get access to what they need. So it is all rooted in the availability section of the CIA triad. That is the basic concept. Now, the impact ultimately could be a loss of goodwill; it could disable the network either in part or completely, or, in the worst case scenario, disable the organization completely for a period of time, which would ultimately result in some sort of financial loss. The major ways we can detect this are actively looking for signs of botnet-style traffic and actively profiling your networks, and if you can find signs of that, hopefully prevent it before it happens. But if you can't prevent it, well, then your best bet is going to be to detect it and correct as you go, or change point analysis. Change point analysis is when an attack comes in, let us say from a particular IP address. Well, if that IP address changes or it moves to another network, you need to be able to profile that my source is changing the way it comes in; a change point means a change in the point from which they are coming in. So if you can profile that and see that they are bouncing around from network to network to network as they change IP addresses, well, then you are tracking that change. Ultimately you are tracking the source, so that is called change point analysis. So distributed denial of service really has an architecture that basically maps into all of that.
So over here you have the happy attacker, and they create handlers, or middlemen or middle computers as we say, ultimately to find zombies: computers, or people who don't know what they are doing, to ultimately go attack a target. So the sole job of the attacker is to get a handful of handlers, which will then create as many zombies out there as we possibly can get. The more the merrier; this is where you really want to invite ten million of your closest friends to go attack a particular target through whatever technique. It could be some sort of software or an app in a store or something like that, but the attacker creates a handful of agents, the handlers distribute zombies and give the instructions to these zombies, and then all of a sudden the zombies rise and attack the target at a pre-determined time, and the target is now the sad target over here which is getting an overwhelming number of requests coming in. So let us go ahead and look at different techniques that make these targets unhappy. One easy way is just to consume their bandwidth. Now, in the days when we only had 56k worth of bandwidth, you could easily consume this with a simple ping command. Nowadays, with bandwidth on our side, it is a little bit harder to do it with bandwidth, but there are still several choke points out there. So bandwidth is just one technique; there are other flooding techniques. The classic SYN flood is really a manipulation of the TCP three-way handshake. Detecting it from a defensive point of view, we want to detect fraudulent or commonly recurring handshakes and basically reset them or block them. But SYN flooding ultimately is a TCP protocol technique. From a penetration testing point of view, if you can do it with SYN flooding, well, maybe you can switch your protocol down to layer three, ICMP, and flood it with a large volume of ICMP traffic. When we ping something we send a type eight request and we get a type zero back: echo request and echo reply.
Well, you can strategically manipulate the ICMP packet, send it to your destination and overwhelm them with a larger volume of them, particularly coming from a variety of sources. It gets a little bit harder to detect, and it is a little harder to defend against. It is pretty easy to detect because you are just not going to have service. UDP flooding: again, switch your protocol. It could happen from a peer-to-peer network. You could target a particular application; protocols like HTTP or PHP have been known to be extremely vulnerable. Think about everybody trying to check out online at the same time; something has got to give sooner or later. Other techniques are permanent techniques like flashing. Let us say there is a website out there where you get some update that is critical and you must download and install it, and now you have a piece of software on your system that is basically rendering it useless. That is really, really close to the next example, which is bricking a system. Let us say that I want to get root access to my Android phone. Well, if I install the wrong update, that could ultimately turn that phone into a basically useless brick, because once the firmware is toast, how are you going to repair it? Or sabotage, in some cases physical, in other cases through software. Now we have got the basics of denial of service; let us talk about some of the countermeasures. You could simply absorb it. I call this the "let us get punched in the face" attack: you are just going to stand there and see how much you can take. If you have got a robust network you just might be able to absorb it, but again, I don't recommend the get-punched-in-the-face approach. You could just allow your service to get degraded and maybe it would go away after some time. One easy analogy you can think about here is your automobile. If there was a problem with your automobile, what could you do? How could you deal with it?
You could just absorb it, when your tire goes over a nail and okay, we are just absorbing it and keep driving, or if your car starts degrading in service, it is not running right, you just keep driving and hope it gets better. These are generally not good strategies. You could eventually take your car, shut it down and get it towed to a shop. Networks are the same way: you could basically shut down your non-critical services and hope that there are just enough critical services to stay up and running. So you could shut down, or you could try to actively find the botnets that are out there and neutralize them. You could deflect them: if an attack comes in, you deflect it and send the traffic somewhere else. If not, well, then you are probably going to have to have a conversation about forensics, which is probably the last technique that you would want to apply, because if you are having a forensics conversation, one, it suggests something criminal, and two, you are definitely in post mortem at this time. Keep your software up to date with the latest and greatest software and patches; good training and awareness. Don't allow people to install software that they don't trust from an unknown source. All of those best practices and awareness from a defensive point of view. You could just actively profile your traffic and see if there is any sort of botnet activity in terms of IP addresses or ports or websites, and perhaps block that in advance. Maybe detect spoofed addresses, since the attackers like to use middlemen or middle agents in between the attacker and the victim. Well, if you can analyze the traffic and see that there is a spoofed address, go ahead and block that. The most common way, in my opinion, is simply just really good inbound and outbound filtering, or ingress and egress filtering: ingress meaning inbound, egress meaning outbound. You could use technologies like TCP Intercept, which is a commonly implemented technology.
You could use load balancers or some sort of throttling technique to limit how many requests can come in at a particular time. It is kind of like what you call queueing or quality of service. You could harden the systems, which is reducing your attack surface area, so that if there is no attack surface area, or a very limited one, well, then you will get infected with a zombie. You could use encryption, things like WPHU; if you can protect what people can actually see and keep certain people out of your networks through just good encryption, whether it be wireless or on the network, encryption is a great countermeasure all in all. Or you can use dedicated hardware, and there is a variety of vendors out there that specialize in distributed denial of service. So all in all, this is what makes up distributed denial of service. Organizations have suffered a large amount of financial loss; ask any of the top victims of distributed denial of service and I can tell you that this is not easy stuff to deal with, mostly because they get a lot of requests coming in from a lot of sources and they just can't block or deal with the stuff fast enough. And I think for the penetration tester there are a couple of advantages, because there are a lot of middlemen or middle computers in between the source and the destination, but also because you are rendering the organization's network useless. So you have to be careful when you use a lot of these botnet-style tools, because in many cases the tools themselves also make you part of the botnet. So this is the disclaimer: if you are going to use these tools, you have to do it in an isolated environment, so you can see what the tools do, but we have to act responsibly, because the last thing you want to do is learn distributed denial of service and then find yourself also a victim or a member of a botnet at the same time. So let us go ahead and take a hands-on approach.
This whiteboard lecture covers the Denial of Service attack in detail. A Denial of Service, or DoS, attack is used to disrupt some legitimate activity (such as browsing the Web or email functionality). It is achieved by sending messages to the target machine that interfere with its operation.
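Two of the defensive ideas in the lecture, detecting the half-open handshakes left behind by a SYN flood and blocking spoofed source addresses with ingress/egress filtering, can be shown concretely on a packet log. The script below is an added example and is not code from the Cybrary lecture; the edge-router log format, the 192.0.2.0/24 "internal" network, the addresses and the thresholds are all constructed for illustration.

```python
"""Defender-side checks over a constructed edge-router packet log: flag
SYN-flood sources (many SYNs, few completed handshakes) and packets that
violate ingress/egress (BCP 38 style) source-address filtering.
Added example; every address, threshold and log line is made up."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the address space behind our edge router (constructed value).
INTERNAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed log, one packet per line: "<ts> <iface> <src> <dst> <tcp_flags>".
# iface is the interface the router received the packet on: ext (facing the
# Internet) or int (facing our LAN).  flags: S = SYN, SA = SYN/ACK, A = ACK.
SAMPLE_LOG = """\
1 ext 203.0.113.5 192.0.2.10 S
2 int 192.0.2.10 203.0.113.5 SA
3 ext 203.0.113.5 192.0.2.10 A
4 ext 198.51.100.7 192.0.2.10 S
5 ext 198.51.100.7 192.0.2.10 S
6 ext 198.51.100.7 192.0.2.10 S
7 ext 198.51.100.7 192.0.2.10 S
8 ext 198.51.100.7 192.0.2.10 S
9 ext 198.51.100.7 192.0.2.10 S
10 ext 192.0.2.77 192.0.2.10 S
11 int 203.0.113.99 198.51.100.1 S
"""


def parse_log(text):
    """Turn the log text into a list of dicts with parsed IP addresses."""
    records = []
    for line in text.splitlines():
        ts, iface, src, dst, flags = line.split()
        records.append({"ts": int(ts), "iface": iface,
                        "src": ip_address(src), "dst": ip_address(dst),
                        "flags": flags})
    return records


def half_open_sources(records, min_syns=5, max_completion=0.2):
    """Return outside sources whose SYNs are rarely followed by the client's
    final ACK, i.e. handshakes that are started but never completed.
    A well-behaved client completes (nearly) every handshake it starts."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for r in records:
        if r["iface"] != "ext":
            continue  # only traffic arriving from outside
        if r["flags"] == "S":
            syns[r["src"]] += 1
        elif r["flags"] == "A":
            acks[r["src"]] += 1
    flagged = {}
    for src, n in syns.items():
        completion = acks[src] / n
        if n >= min_syns and completion <= max_completion:
            flagged[str(src)] = {"syns": n, "acks": acks[src]}
    return flagged


def bcp38_violations(records, internal_nets=INTERNAL_NETS):
    """Ingress rule: a packet arriving on the external interface must not
    claim an internal source.  Egress rule: a packet arriving on the internal
    interface (about to leave our network) must carry an internal source.
    Returns (ts, rule, src) for every packet the filter would drop."""
    def is_internal(addr):
        return any(addr in net for net in internal_nets)

    violations = []
    for r in records:
        if r["iface"] == "ext" and is_internal(r["src"]):
            violations.append((r["ts"], "ingress", str(r["src"])))
        elif r["iface"] == "int" and not is_internal(r["src"]):
            violations.append((r["ts"], "egress", str(r["src"])))
    return violations


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("half-open sources:", half_open_sources(recs))
    print("filter violations:", bcp38_violations(recs))
```

On the sample log, 203.0.113.5 completes its handshake and is left alone, 198.51.100.7 opens six connections and finishes none, so it is reported, and the two spoofed packets (an outside packet claiming a 192.0.2.x source, and an inside host sending with a foreign source) are exactly what ingress and egress filtering at the edge would drop. The egress rule matters for the lecture's closing point: it stops hosts on your own network from taking part in a flood with forged addresses.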