Department of service attack

-> Advertising links : Pirates use advertising links to download boots.

Department of service attack

The denial of service (back) is an attack on a computer or a network that reduces, restricted or prevents the accessibility of system resources to its legitimate users.

During a back attack, the attackers flood the victim system, by service requests or by non -legitimate traffic, to overload their resources. Thus the back attack precisely leads to the unavailability of a service.

2. What is a distributed denial attack (DDOS) ?

A distributed service denial attack (DDOS) implies a multitude of compromise systems attacking a single target, causing a denial of service for users of the target system.

To launch a DDOS attack, an attacker uses boots to attack a single system.

3. Impacts of back attacks

Department attacks have harmful consequences on victim organizations. The impact of the back attack can lead to the structure concerned:

• A loss of business value: users of the services provided no longer have confidence,
• network inactivity: the services are inaccessible,
• a financial loss: there may be a drop in turnover,
• the organization of the organization.

4. Basic categories of back / ddos ​​attack vectors

The basic categories of back or DDOS attack vectors are as follows:

• Volumetric attacks: they consume the bandwidth of the network or the target service. It is measured in bits per second (BPS) by Flood attacks, amplification attacks (UDP, ICMP, Ping of Death, SMURF), etc.
• Protocol attacks: they consume the connection state tables present in the components of the network infrastructure such as load balancers, bares – fire and application servers. The attack is measured in packets per second (PPS).

Example: SYN, ACK, TCP, Fragmentation attack, etc.

• Application layer attacks : they consume resources or application service, thus making them unavailable for other legitimate users. It is measured in requests per second (RPS).

Example: HTTP Get / Post attack

II. Attack techniques

1. UDP flood attack

-> The attacker sending Udp UDP packages, with a very high package of packets, to a remote host on random ports of a target server using a wide range of IP addresses.

-> The flooding of UDP packets will force the server to verify non -existing applications several times at the ports of the ports.

-> Legitimate applications are inaccessible by the system and return an error response package with as a “inaccessible destination” message.

-> This attack will consume the resources of the network and the available bandwidth, exhausting the network until it is disconnected.

2. ICMP flood attack

-> This is a type of attack in which the attackers send a large number of echo ICMP application packages to a victim.

-> Indeed network administrators use ICMP mainly for IP configurations, troubleshooting and error messaging of non -deliverable packages.

-> These packages will point out to the target system to respond and the combination of traffic will saturate the bandwidth of the target network. The latter will be overloaded and will stop responding to legitimate TCP / IP requests.

-> To protect yourself from ICMP flooding attacks, a threshold limit can be defined which, when exceeded, calls the protection function against the ICMP flood attacks.

3. Death ping

-> The attacker tries to plant, destabilize or freeze the target system or service by sending large packages using a simple ping command.

-> If the size of the packet exceeds the size limit prescribed by RFC791 IP (65535), the reinforcement process can plant the system.

4. Smurf attack

-> In this attack, the striker usurpe the IP address of the target and sends a maximum flow of icmp echo packets (ping) to the addresses of Broadcast, that is to say to an IP diffusion network. Each ping will include the Target computer usurped address.

-> The hosts of the broadcast network will respond with Echo ICMP requests to the Victim Machine, which will ultimately cause the machine breakdown.

5. Syn queries flood attack

-> The attacker sends a large number of Syn requests to the victim with false IP addresses.

-> “Syn Flooding” takes advantage of a flaw in the way most hosts implement TCP negotiations to three.

-> When the victim receives a SYN request, she must keep a trace of the connection partially open in a “queuing queue” for at least 75 seconds.

-> A malicious host can use the small size of the listening queue by sending several SYN requests to a host, but never responding to SYN / ACK.

-> The victim’s listening queue fills up quickly.

-> Holding each incomplete connection for 75 seconds can be used as a denial of service attack.

6. Fragmentation attack

-> These attacks imply the transmission of fraudulent UDP or TCP packets which are larger than the MTU (the maximum transmission unit) of the network (generally ~ 1500 bytes). This attack will destroy the ability of a victim to enjoy fragmented packets.

-> As these packages are false and cannot be reached, the resources of the target server are quickly consumed, which leads to the unavailability of the server.

7. Attacks with HTTP Get or Post requests

-> An HTTP Flood attack uses what seems to be HTTP Get or Post legitimate requests to attack a web server or an application.

-> The HTTP GET attack will be carried out by delaying the sending of the HTTP header to maintain the HTTP connection and exhaust the web server resources.

-> The HTTP Post attack can be carried out by sending a complete header and an incomplete body, which obliges the web server to wait for the rest of the body until the resources are exhausted.

8. Slowloris attack

-> Slowloris is a DDOS Application DDOS attack that uses partial HTTP requests to open connections between a single computer and a targeted web server, then keeping these connections open as long as possible, submerging and slowing down the target.

-> Consequently, the maximum simultaneous connections pool of the target server will be completed and additional connection attempts will be refused.

9. Multi-latest attack

-> In a multi-label attack, the attackers combine a set of threats such as volumetric attacks, protocol and application deployed to many stages, on several entry points (attack vectors) to infect computers and networks, and thus reach the target.

-> The attacker will quickly go from a distributed form of denial of service.

-> Most often these attacks are used to confuse a company’s IT service to make it spend all its resources and divert its attention on the wrong side.

10. Attacks between peers

-> Using peer-to-peer customers, attackers ask customers to disconnect from their peer-to-peer network and connect to the fake website of the victim.

-> The attackers use the faults found on the network using the DC ++ protocol (Direct Connect), which is used to share all the types of files between instant messaging customers.

-> Thanks to this, the attackers launch massive service denial attacks and compromise websites.

11. Permanent back attack

Among the permanent back attacks, we have:

-> The Phlashing : The permanent back, also called Phlalashing, refers to attacks which cause irreversible damage to the system of the system.

-> The Sabotage : Unlike other back attacks, he sabotes the system of the system, forcing the victim to replace or reinstall the equipment.

-> The ‘Bricking’ system : This attack is carried out using a method known as “Bricking A System”. By using this method, the attackers send fraudulent hardware updates to the victims.

12. Disputed service by reflection distributed (DRDOS)

-> A distributed reflected service denial attack (DRDOS), also called the usurped attack, implies the use of several intermediate and secondary machines which contribute to the actual DDOS attack against the machine or the target application.

-> The attacker launches this attack by sending requests to the intermediate hosts, these requests are then redirected to secondary machines which in turn reflect the traffic traffic towards the target.

-> Advantage : The main target seems to be directly attacked by the secondary victim, not by the real attacker; Several intermediate victim servers are used, which leads to an increase in the bandwidth attack.

III. Boots

1. Definition

-> Boots are software applications that perform automated tasks on the Internet and perform simple repetitive tasks, such as web exploration and search engines indexing.

-> A botnet is a large network of compromise systems and can be used by an attacker to launch attacks by denial of service.

2. Analysis methods to find vulnerable machines

-> Random analysis : the infected machine examines the IP addresses randomly from the IP address beach of the target network and checks the vulnerability.

-> Analysis of the results list : the attacker first collects the list of potentially vulnerable machines, then performs an analysis to find the vulnerable machine.

-> Topological analysis : He uses the information obtained on the infected machine to find new vulnerable machines.

-> Local subnet analysis : the infected machine is looking for the new vulnerable machine in its own local network.

-> Analysis of permutations : He uses a pseudo-random permutation list of IP addresses to find new vulnerable machines.

3. How is the malicious code spread ?

The attackers use three techniques to propagate malware to a newly discovered vulnerable system:

-> Propagation of the central source: The attacker places an attack tool box on the central source and a copy of it will be transferred to the newly discovered vulnerable system.

-> Back-chain propagation: The attacker places the attack tool box on his system himself and a copy of the box is transferred to the newly discovered vulnerable system.

-> Autonomous propagation: The host itself transfers the attack tool box to the target system, exactly when its vulnerability is discovered.

-> Advertising links : Pirates use advertising links to download boots.

4. Use of mobile devices as an botnets to launch DDOS attacks

-> Android is passively vulnerable to various malware such as Trojan horses, bots (robots), remote access tools (rat), etc. from third -party stores.

-> These unsecured Android devices are the main target of the attackers to enlarge their botnet.

-> Once the attacker traps you with an application, he can use your device as a botnet to launch DDOS attacks.

Iv. Back / ddos ​​attack tools

1. Some back and ddos ​​attack tools

High Orbit Ion Cannon (Hoic) : Hoic performs DDOS attacks on any IP address, with a port selected by the user and a protocol selected by the user.

HTTP Unbearable Load King (Hulk) : Hulk is a DDOS tool for web server. It is specifically used to generate traffic volumes on a web server.

Davoset : is a command line to carry out DDOS attacks on sites via vulnerabilities of functionality abuse and XML external entities on other sites.

Other tools: Tsunami, blackhat hacking tools, etc.

2. Back and DDOS attack tool for mobile

Low orbit Ion Cannon (Loic) : The Android version of the low orbit ion cannon (LOIC) software is used to flood the packages that allow the attacker to make a DDOS attack on the target organization.

Andosid : Andosid allows the attacker to simulate a back attack (a post-flood http attack to be exact) and a DDOS attack on a web server from mobile phones.

Other tools: Packet Generator, Pingtools Pro, etc.

V. Detection techniques

Detection techniques are based on identifying the increase in illegitimate traffic. All detection techniques define an attack as an abnormal and noticeable difference in relation to a threshold of normal network traffic statistics.

1. Activity profiling

An attack is indicated by:

• An increase in activity levels among network flow clusters.
• An increase in the total number of separate clusters (DDOS attack)

Activity profiling is based on the average flow of packages for a network flow, which consists of consecutive packages with similar fields of packets. Indeed the profiling of activity is to monitor the header information of a network package and to calculate the average flow of packets for a network flow in order to detect the increase in the level of activity.

2. Sequential detection of change points

This detection technique follows the following steps:

• Isolate trafficking : detection algorithms for change points isolate changes in network traffic statistics caused by attacks.
• Filter traffic : algorithms filter target traffic data by address, port or protocol and store the resulting flow in the form of chronological series.
• Identify the attack : the sequential detection technique of the points of change uses the algorithm of cumulative sum (CUSUM) to identify and locate the back attacks; The algorithm calculates the differences between the real local average and expected in the chronological series of trafficking.
• Identify the analytical activity : this technique can also be used to identify typical analysis activities of network worms.

3. Signal analysis based on wavelets

The wavelet analysis describes an input signal in terms of spectral components. The wavelets provide a simultaneous description of time and frequency. Energy analysis of each spectral window determines the presence of anomalies. Signal analysis determines the time at which certain frequency components are present and filters the input signals of abnormal traffic like background noise.

Vi. Countermeasures

1. DOS / DDOS counter-effects strategies

Absorb : Use an additional capacity to absorb attacks; This requires prior planning and additional resources.

Identify degradation services : Identify critical services and stop non -critical services.

Service stop : Stop all the services until the attack has calmed down.

2. Back / DDOS attack countermeasures

• protect secondary victims

-> Regularly monitor security to remain protected from the DDOS agent software.

-> Install Trojan antivirus and anti-horse software and keep them up to date.

-> Awareness of all Internet users about prevention issues and techniques.

-> Deactivate unnecessary services, uninstall unused applications, analyze all files received from external sources.

-> Configure correctly and regularly update the defense mechanisms integrated into the system and basic software of the system.

• Detect and neutralize managers

Network traffic analysis : Analyze communication protocols and traffic models between managers and customers or managers and agent in order to identify network nodes that could be infected with managers.

Neutralize Botnet managers : there are generally few DDOS managers deployed in relation to the number of agents. The neutralization of some managers can possibly make several agents useless, thus thwarting DDOS attacks.

User source address : there is a decent probability that the usurped source address of DDOS attack packets does not represent a valid source address of the defined subnet.

• Prevent potential attacks

Output filter : It is a question of scaning the headers of IP packages leaving a network, to ensure that unauthorized or malicious traffic never leaves the internal network and to check the necessary specifications to reach the target.

Entry filter : It prevents source addressing, protects against attacks by flooding. It allows the sender to be traced until its real source.

TCP interception : TCP Intercept’s configuration will protect servers from TCP Syn flooding attacks and prevent back attacks by intercepting and validating TCP connection requests.

Bound rate:: It is a rate limiting incoming or outgoing traffic, it reduces high volume incoming traffic that can cause a DDOS attack.

-> The systems implemented with limited security, also known as honey pots (honeyPots), act as an incentive for an attacker.

-> Honey pots are used to obtain information on attackers, attack techniques and tools by storing a recording of system activities.

-> Use an in -depth defense approach with IPS at different points from the network to divert suspicious back traffic towards several jars of honey.

-> Increase the bandwidth on critical connections to absorb additional traffic generated by an attack.

-> Replica servers to provide additional security protection.

-> Balance the load on each server in a multiple server architecture to alleviate DDOS attacks.

-> Configure the routers so that they access a server with a logic to limit the incoming traffic levels which are safe for the server.

-> Limitation avoids damaging servers by controlling back traffic.

-> Can be extended to limit DDOS attack traffic and authorize legitimate user traffic for better results.

Removal of queries:

-> Servers will remove the packages when the load increases, this will induce a puzzle to be resolved to start the request.

Forensic analysis occurs specifically as a result of an incident. Referring to a security audit, Forensic analysis allows to reconstruct an attack as a whole, thanks to digital evidence, in order to search for the traces left by the Pirate.

-> Analysis Attack traffic models: The data is analyzed after the attack to search for specific characteristics within the attacking traffic. This can help network administrators develop new filtering techniques to prevent traffic traffic from entering or getting out of networks.

-> Packet Tradeback: Similar to reverse engineering, helps find the source of attack, to take the necessary measures to block other attacks.

-> Analysis of the Journal of Events: The Journal of Events helps to identify the source of back traffic, to recognize the type of DDOS attack.

3. Defense against botnets

-> RFC 3704 filtering : it limits the impact of DDOS by refusing traffic with falsified addresses through a filter in FAI.

-> Filter of reputation IP Source Cisco IPS : Reputation services help determine whether IP address or service is a threat source or not, Cisco Ips regularly updates its database with known threats such as botnets, botnet collectors, malware, etc. and help filter back back.

-> Black holes filtering : The black hole refers to network nodes where incoming traffic is rejected or abandoned without informing the source that the data did not reach the expected recipient. The filtering of black holes refers to the elimination of packets in routing.

-> DDOS prevention offers or DDOS service : Activate IP Source Guard (in Cisco) or similar features in other routers to filter traffic depending on the DHCP surveillance database or IP source bonds that prevent a bot from sending falsified packages.

4. Other DDOS / DOS countermeasures

To avoid DDOS / DOS attacks, the following instructions can be followed:

1) Use powerful encryption mechanisms such as WPA2, AES 256, etc.

2) Disable unused and unsecured services.

3) update the nucleus with the latest version

4) Perform in -depth validation of the entries

5) prevent the use of unnecessary functions such as Gets, Strcpy, etc.

6) prevent the return addresses from being crushed

7) Configure the firewall to refuse access to external ICMP traffic

8) implement cognitive radios in the physical layer to manage jamming attacks.

9) Make sure that software and protocols are up to date.

10) prevent the transmission of fraudulent addressed packets in terms of FAI.

11) Block all incoming packages from service ports to block traffic from reflection servers.

12) Secure remote administration and connectivity tests.

5. DOS / DDOS protection in terms of FAI

These mechanisms allow the Internet service provider (ISP) to protect themselves from back/ddos attacks:

1) Most FAI simply block all requests during a DDOS attack, even preventing legitimate traffic from access to the service.

2) FAIs offer DDOS protection in the cloud for internet links so that they are not saturated by the attack.

3) DDOS protection in the cloud redirects attack traffic towards the FAI during the attack and returns it.

4) Administrators can ask the ISPs to block their affected IP and move their site to another IP after having spread DNS.

DDOS protection devices: Fortiddos-1200B, Cisco Guard XT 5650, A10 Thunder TPS

Tools: Incapsula ddos ​​protection, anti ddos ​​guardian, cloudflare, defensepro

VII. Back / ddos ​​penetration test

Step 1: Define a goal

-> It will be a question of establishing a plan for the penetration test

Step 2: Test heavy loads on the server

-> It will be necessary to determine the minimum threshold for back attacks

Step 3: Checking vulnerable back systems

-> This consists in verifying the capacity of the system to deal with the back attacks

Step 4: Run a syn attack on the server

-> The results of the penetration tests will help administrators to determine and adopt security controls of the appropriate network perimeter such as load balancer, IDS, IPS, firewalls, etc.

Step 5: Run porting attacks on the server

-> It is a question of flooding the target traffic network to verify the stability of the system.

Step 6: Launch an email bomber on the email servers

-> The use of tools Bomber email will send a large number of emails to a target messaging server.

Step 7: flood the forms of the website and the guest book with false entrances

-> This increases the use of the processor by maintaining all connection requests on the ports under blockade.

Step 8: Document all the results.

-> All results must be documented.

Department attack – Definition

A Department of service attack ( Denial of Service Attack , Hence the abbreviation Back) is an attack aimed at unavailable a service, to prevent legitimate users from a service from using it. It can be:

• the flood of a network (a computer network is a set of equipment linked together to exchange. ) to prevent its operation
• the disturbance of connections between two machines, preventing access to a particular service
• The obstruction of access to a service to a particular person

The denial of service attack can thus block a file server, make it impossible to access a web server, prevent the distribution of email in a company or make a website unavailable (Internet is the global computer network that makes accessible to the public service. )) .

The pirate does not necessarily need (the needs are in terms of the interaction between the individual and the environment. He is. ) sophisticated equipment. Thus, certain back attacks (in anatomy, in vertebrate animals including humans, the back is the part. ) can be executed with limited resources against a much larger and modern network. This type of attack “asymmetrical attack” is sometimes called (due to the difference in resources between the protagonists). A hacker with a computer (a computer is a machine with a processing unit allowing it. ) obsolete and a modem (the modem (suitcase, for modulator-demodulator), is a serving device. ) slow can thus neutralize much greater machines or networks.

Department’s denial attacks have changed over time (time is a concept developed by humans to understand the. ) (see ).

Everything (all inclusive as a set of what exists is often interpreted as the world or. ) First, the former were only perpetrated by a single “attacker”; Quickly, more advanced attacks appeared, involving a multitude of “soldiers”, also called “zombies”. We then speak of ddos ​​( Distributed Denial of Service Attack )). Then, the back and ddos ​​attacks were perpetrated by pirates only attracted by the feat and the fame. Today, these are mainly criminal organizations, essentially motivated by money (silver or metal silver is a chemical element of AG symbol – of the. )) . Thus, some hackers have specialized in the “lifting” of “zombies” armies, which they can then rent to other pirates to attack a particular target. With the sharp increase in the number (the concept of number in linguistics is dealt with in the article “Number. ) Exchanges on the Internet, the number of singles to the denial of service has progressed very strongly (a pirate launches a back or ddos ​​attack on a company and asks him for a ransom to stop this attack !)).

Historical

The attacks by denial of service have emerged (the day when the day is the interval which separates the sunrise; it is the. ) in the 80s. DDOS (or distributed back attacks) would be more recent: the first official DDOS attack took place in August 1999: a tool (a tool is a finalized object used by a living being in order to increase its. ) called “Trinoo DDO” (described below) was deployed in at least 227 systems, of which 114 were on the Internet, to flood university servers (a university is a higher education establishment whose objective is there. ) Minnesota. Following this attack, university internet access has remained blocked for more than two days.

The first DDOS attack mediated in the consumer press took place in February 2000, caused by Michael Calce, better known as Mafiaboy. On February 7, Yahoo! (Yahoo!,INC. is an American Internet service company operating. ) was the victim of a DDOS attack that made (rendering is a computer process calculating the 2D image (equivalent of a photograph). ) its internet portal inaccessible for three hours. On February 8, Amazon.com, buy.com, CNN and eBay were affected by DDOS attacks which caused either the stop or a strong slowdown (the slowdown signal (SNCF type) announces a needle (or more) in the diverted position. ) of their operation. On February 9, E Trade and Zdnet were in turn victims of DDOS attacks.

Analysts believe that during the three hours of inaccessibility, Yahoo! has undergone loss of e-commerce and advertising revenue amounting to around $ 500,000 . According to Amazon.com, his attack resulted in a loss of $ 600,000 over 10 hours. During the attack, eBay.com has passed (the past is first of all a concept linked to time: it is made up of the whole. ) 100 % availability (the availability of equipment or a system is a performance measure that. ) 9.4 %; Cnn.com went below 5 % of the volume (volume, in physical or mathematical sciences, is a quantity that measures the extension. ) normal ; Zdnet.com and etrade.com were practically inaccessible. Schwab.com, the online site of the Charles Schwab broker, was also affected but he refused to give exact figures on his losses. We can only assume that, in a company which is $ 2 billion per week on online trades, the loss has not been negligible. Michael Calce, the one who hacked Amazon.com, yahoo!, Cnn and ebay was sentenced to 8 months (the month (from lat. Mensis “month”, and formerly at Plur. “Menstrual”) is a period of time. ) in a young detention center (he was only 15 years old at the time of the facts).

In September 2001, a certain virus (a virus was a biological entity that requires a host cell, which he uses. ) Red code infects a few thousand systems, and a second (second is the feminine of the second adjective, who comes immediately after the first or who. ) version, titled Code Red II, installs a DDOS agent. The rumors claim that he had to launch an attack on the White House (the White House (White House in English) is the official residence and the office of the. )) . In a context (the context of an event includes the circumstances and conditions that surround it; the. ) crisis policy, the United States government announces that security measures will be undertaken. But in the summer of 2002, it is the Internet turn to undergo a DDOS attack against its 13 root servers. These servers are the key points of the referral system (in the world of railways, to pass a train from one track to another, we use. ) Internet, called Domain Name System (Domain Name System (or DNS, domain name system) is a service allowing. ) (DNS). This attack will only last for an hour (the hour is a unit of measurement 🙂 but could have paralyzed the whole (in theory of sets, a set intuitively designates a collection. ) Internet network. The incident is taken seriously by experts who claim to strengthen the security of their machines in the future.

The first version of Slapper, which appeared in mid-September 2002, contaminated more than 13,000 Linux servers (in the strict sense, Linux is the name of the kernel of free operating system, multitasking. ) in two weeks. Slapper uses a safety hole present in the OpenSSL1 module, and vehicle (a vehicle is a mobile machine, which allows you to move people or charges of a. ) A DDOS agent. This is detected and stopped in time.

Despite everything, on Monday October 21, 2002, a new back attack blocked 9 of the 13 key servers, making their resources inaccessible for three hours. Part of the companies and organizations managing these key servers reacts and decides to review their safety devices. The FBI has opened an investigation, but locating the authors (s) of the attack promises to be difficult.

Shortly after database servers (in information technology (TI), data is an elementary description, often. ) Microsoft (Microsoft Corporation (Nasdaq: MSFT) is a multinational American solutions. ) SQL Server, poorly configured, are infected with the worm (worms constitute a very heterogeneous group of invertebrate animals. ) SQL Slammer. The latter carries a DDOS agent who launched an attack on January 25, 2003 against Internet. This time, only 4 of the 13 root servers responsible for routing (in computer science, the term routing designates the mechanism by which the data of equipment. ) Internet have been affected. Despite virulence (virulence designates the pathogenic, harmful and violent character of a microorganism. ) of the attack, the overall performance of the network was barely reduced by 15 % .