7 hours 6 minutes
Hey, everyone, welcome back to the course in this video. We're going to talk about the different types of Dallas service and de DOS attacks.
So we have several attacks we're gonna cover. Gonna talk about bandwidth attacks. We also talk about syn flood attacks, ICMP, flood attacks. We'll talk about application level attacks. We'll also talk about permanent denial of service attacks. We'll talk about peer to peer attacks, and we'll also talk about what's called distributed reflection, denial of service or
basically Dr DOS.
So first, we have our bandwidth attacks. So this is our kind of traditional DDOS attack.
This is where the botnet or the adversary systems are gonna flood our target with ICMP packets.
So essentially, this is gonna overwhelm that target device. Eso the target device could be, ah, mirror out of things, right? It could be a web server. It could be switches. It could be a router. But essentially that the device is gonna be overwhelmed by this details attack and
going back to availability. Nobody's gonna be about access. For example, your website, right, your e commerce site. So your organization is gonna lose money because you're not making those sales
next we have the syn flood attacks. So essentially going back to our TCP three way handshake, right? We send this sin packet out and typically speaking when the target is trying to communicate that three way handshake with us. Right, So we send them. Hey, how you doing? And they're typically gonna say
I'm good. How are you? And then we say back, I'm fine.
And we've now got this communication stream established.
Typically, what happens is the host, so that target will basically keep track of that partially open connection. And it puts it in what's called a listen que onda. Lot of times that's gonna be at a minimum of for 75 seconds. So what a syn flood attack does is it tries toe
continuously, make that target,
create thes listen queues
by sending multiple sin packets to that target. And it never replies right? It's never trying to establish that three way handshake. So the goal here is to try to hold up
that target system by combining all of these different listen cues that oven open based off the Sindh packets were sending and try to overwhelm the device and cause nobody to be able to access it. So that's basically how that syn flood attack works
so very similar to our bandwidth attack. In fact, they're pretty much the same thing. But you need to know the different names for the CH exam.
The ICMP flood attack is gonna send those ICMP packets so it's gonna overwhelm the target device with a large number of ICMP packets. Uh, they might be sent directly or through some kind of a reflection network. Typically speaking, the attacker is gonna use a non anonymous their service. So something like a tour, then they'll go to, ah, bulletproof server
or infrastructure. And then from there,
which is basically just something they'll rent out from other adversaries, usually in a country where there may not be good, uh, extradition treaties or there may be no extradition treaties. A lot of times you'll see these in Russia, and then from there they'll go to a compromise infrastructure. That's their actual attack infrastructure, maybe even several of those.
And then they'll do the attack, right? They typically aren't gonna
spin up their laptop and do a DDOS attack against you, right? Unless they're a script, kiddie or something, but really Attackers were not gonna typically do it that way. They wanna make sure they could do these things without actually getting caught.
So with peer to peer attacks, essentially, there's clients of these peer to peer file sharing hubs. And so what the attacker does is they convince these clients to disconnect from that network and attack attached to,
um, the victims actual website. And so then what happens is the attacker uses what's called D C D. C protocol or direct connect protocol,
uh, to exploit the flaws in that p two p network.
And really, the goal here is for the attacker to act like a puppet back master, right? So they instruct those clients to disconnect from that p two p and then go ahead and connect to that victims websites who the victims websites getting all these requests coming in from these clients of the PDB file sharing
network and it's overwhelming their site and then again going back to availability. The people that should be able to access that are no longer able to access that website.
Then we have permanent denial of service attack. This is actually what we commonly call breaking a system So this is where the attacker is gonna go in with the intent to cause basically irreversible damage
to the hardware itself. Right? And so we use the term bricking. So basically, let's say someone does this to my Web server, and I've got a physical Web server,
for example. Let's let's pretend I don't. I use the cloud, but let's pretend I have one and the attack it, then I've basically got what za brick right? I just sits on my desk or wherever I have it at, and it's useless, right? Because at that point, I can't use it for anything. It's basically a paperweight, so that's where we have that term breaking the system at
now it doesn't always lead to strictly brick in the system where it's totally unusable. Sometimes the Attackers intent is to force the victim to reinstall hardware components right, so reinstalling the firmware or adding different hardware components on it because they've destroyed the other ones.
Kind of the whole goal here with this particular type of attack is that the attacker wants to send fraudulent updates to the victim, right? So it could be that I break the system and my goal is to have you go on a website
and order a new
mother board, right, for example, And then I send you out a mother board that's infected with malware and then your systems taking over right kind of a random example there. But you get the idea like there's the whole goal here is to make you do the action that I want you to take, So it could be breaking the system to totally take it off.
Or this could be basically sabotage,
where we're just trying to get that victim to either replace or reinstall that hardware.
We have application level attack, which we've talked about before, right? This is where
the Attackers flooding that application itself for the services. So that way, the victims, or or the people that should be able to access that particular application are no longer able to s o. They exploit weaknesses, basically the programming source code. So this could be,
the attacker trying to flood like Web applications. Eso that way. Legitimate users can't access like your website, for example, or they can't log into their banking website or access their accounts.
It could be that they're trying to disrupt specific, like software system in the organization. So, for example, on health care, the EMR system or the electronic medical record system, maybe they're attacking that application. So none of the nursing staff for doctors can log in and actually do their charting on patients.
It could be
also doing like jamming of the application to the database connections so they could craft like militia sequel queries and block that communication stream and jam it up with all these fake queries to the back end database.
And then we have distributed Reflection and Alice Service Attack or Dr Dos This'll One here is just using reflection, right? So the attacker spoofing packets and then reflecting those off a compromise device or devices
in this case. And then it's the attacks going through to the target system. So it looks like
the attacks actually coming from that other set of devices and not the actual attacker. Again, I mentioned real Attackers out there will use an anonymous izing service, use a bulletproof server or servers and then from there used various compromised networks to do the actual attack.
For the purposes of the CH exam, I had to cover all these different ones. You notice a lot of them are very similar and they're really the same thing. But for the purposes of that particular exam, I want to make sure I covered all of the naming conventions that E C Council uses.
So just a quick, quick question here for you and this type of attack. The TCP three way handshake is not completed. Is that the ICMP flood is that sin flutters at the pier to Pier one.
So that was pretty easy, right? This is in flood attack again. We're just sending that initial part of the TCP through a handshake. So, for example, I say, How are you doing? And you say I'm good. How are you? And I never responded that it just keeps saying How are you doing? How are you doing until I flood your server.
So in this video, we just talked about some of the different types of denial A service and DDOS attacks