Attacks

Denial-of-service

Denial-of-service (DoS) attacks are performed by sending malformed packets to a system that does not recognize the format and thus does not know how to process them properly. This can cause the system to crash or stop processing other packets. DoS attacks can interrupt service or completely deny legitimate users access to needed system resources. DoS attacks can be amplified by several attackers combining their bandwidth and attacking simultaneously.

Smurf

Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. Because the source IP address of the packet is spoofed, all the responses are sent to the spoofed address. Thus a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. Possible countermeasures to smurf attacks are:
- Disable directed broadcast functionality at border routers to make sure a certain network is not used as an amplifying site.
- Configure perimeter routers to reject as incoming messages any packets that contain internal source IP addresses. These packets are spoofed.
- Allow only the necessary ICMP and UDP traffic into and out of an environment.
- Employ a network-based IDS to watch for suspicious activity.
- Some systems are more sensitive to certain types of DoS, and patches have already been released. The appropriate patches should be applied.
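A border-router policy check that applies the countermeasures listed above, as an added example that is not from the page's source. The internal prefixes, the ICMP/UDP allowlist and the sample packets are constructed; the check goes slightly beyond the text by also refusing UDP probes to the broadcast address (the Fraggle variant) and by applying the mirror egress rule to outbound traffic.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example site: prefixes and allowlists are assumed policy, not from the page.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_ICMP_TYPES = {"echo-reply", "dest-unreachable", "time-exceeded"}  # "only necessary ICMP"
ALLOWED_UDP_PORTS = {53, 123}                                             # "only necessary UDP"

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)

def filter_packet(pkt: Dict) -> Tuple[str, str]:
    """Border-router verdict for one packet described as a dict with keys
    direction ('in'|'out'), src, dst, proto ('icmp'|'udp'|'tcp'), icmp_type / dport."""
    direction, src, dst, proto = pkt["direction"], pkt["src"], pkt["dst"], pkt["proto"]
    # Perimeter anti-spoofing: inbound traffic never legitimately carries an internal
    # source; the mirror (egress) rule keeps our hosts from spoofing external addresses.
    if direction == "in" and is_internal(src):
        return ("drop", "spoofed internal source on ingress")
    if direction == "out" and not is_internal(src):
        return ("drop", "spoofed external source on egress")
    # Refuse to act as an amplifier: no inbound packets to a subnet broadcast address.
    if direction == "in" and is_directed_broadcast(dst):
        return ("drop", "directed broadcast to internal subnet")
    if proto == "icmp" and pkt.get("icmp_type") not in ALLOWED_ICMP_TYPES:
        return ("drop", "ICMP type not in allowlist")
    if proto == "udp" and pkt.get("dport") not in ALLOWED_UDP_PORTS:
        return ("drop", "UDP port not in allowlist")
    return ("accept", "policy permits")

def audit(packets: List[Dict]) -> List[Tuple[str, str]]:
    return [filter_packet(p) for p in packets]

# Constructed sample traffic: a Smurf probe (ICMP) and a Fraggle probe (UDP) aimed at
# the 192.168.1.0/24 broadcast address, two spoofed packets, and one legitimate query.
SAMPLE_PACKETS = [
    {"direction": "in", "src": "203.0.113.7", "dst": "192.168.1.255", "proto": "icmp", "icmp_type": "echo-request"},
    {"direction": "in", "src": "203.0.113.7", "dst": "192.168.1.255", "proto": "udp", "dport": 7},
    {"direction": "in", "src": "10.1.2.3", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},
    {"direction": "out", "src": "198.51.100.9", "dst": "203.0.113.7", "proto": "icmp", "icmp_type": "echo-reply"},
    {"direction": "in", "src": "198.51.100.20", "dst": "192.168.1.10", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(pkt["src"], "->", pkt["dst"], verdict)
```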
Fraggle

Fraggle, a variant of Smurf, uses UDP instead of ICMP. The attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim's system. The larger the amplifying network, the larger the amount of traffic that is pointed at the victim's system.

SYN Flood
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of TCP SYN requests to a target's system. The SYN flood is a well-known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

Fragment attack

A "fragment attack" is a network saturation (denial-of-service) attack that exploits the fragmentation principle of the IP protocol. Recent systems are no longer vulnerable to this attack. The IP protocol is used to fragment large packets into several IP packets, each having a sequence number and a common identification number. When receiving data, the recipient reassembles the packets using the offset values they contain. The most famous fragment attack is the Teardrop attack. The principle of the Teardrop attack involves inserting false offset information into fragmented packets. As a result, during reassembly, there are empty or overlapping fragments that can cause the system to become unstable.

Distributed Denial of Service

A distributed denial-of-service (DDoS) attack is a logical extension of the DoS attack that gets more computers involved in the act. The DDoS attack uses hundreds or thousands of computers to request services from a server or server farm until the system or web site is no longer functional.

DNS DoS Attacks
DNS servers contain records that enable the mapping between hostnames and IP addresses. Primary DNS servers make all the necessary changes to the records when hosts and/or IP addresses change, and these records are then distributed to the secondary DNS servers. In a DNS DoS attack, a secondary server receives bogus records from an attacker instead of receiving legitimate records from the primary DNS server; the secondary server does not know the difference and updates its records accordingly. In a cache poisoning DNS DoS attack, by contrast, the attacker inserts false data into the cache of the server instead of replacing the actual records. Possible countermeasures include:
- Ensure that DNS servers have public and internal records. The public records serve Internet requests and contain no sensitive information pertaining to the internal network. The internal records should be unreachable from the Internet and are used to resolve queries from internal users.
- Use a primary and secondary DNS server per zone so that DNS servers are redundant.
- Update the DNS BIND version, because different DNS BIND versions have different vulnerabilities.
- Employ secure DNS. It protects DNS servers from having their records updated by unauthorized sources. The secondary DNS servers must authenticate the systems that are updating their records.
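The reassembly check that defeats the Teardrop fragment attack described in the Fragment attack section above, as an added example that is not from the page's source. The Fragment class is a constructed model (offsets are given in bytes rather than the header's 8-byte units), and the three sample fragment sets are constructed: a sane datagram, a Teardrop-style set whose second piece claims an offset inside the first, and a set with a gap.

```python
from typing import List, Tuple

class Fragment:
    """One IP fragment of a datagram (constructed model, not a packet parser)."""
    def __init__(self, ident: int, offset: int, length: int, more: bool):
        self.ident = ident      # IP identification number shared by all pieces
        self.offset = offset    # byte offset of this piece (header field * 8)
        self.length = length    # payload bytes carried by this piece
        self.more = more        # MF flag: more fragments follow

def validate_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Check a fragment set before reassembly and return (ok, reason).
    Rejects empty pieces, overlapping pieces (false offsets as in Teardrop),
    gaps, and a final fragment that does not close the datagram."""
    if not frags:
        return (False, "no fragments")
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        return (False, "mixed identification numbers")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # next byte we have not yet received
    for f in ordered:
        if f.length <= 0:
            return (False, f"empty fragment at offset {f.offset}")
        if f.offset < expected:
            return (False, f"overlap: fragment at {f.offset} starts before byte {expected}")
        if f.offset > expected:
            return (False, f"gap: bytes {expected}-{f.offset - 1} missing")
        expected = f.offset + f.length
    if ordered[-1].more:
        return (False, "last fragment still has MF set; datagram incomplete")
    return (True, f"reassembled {expected} bytes")

# Constructed sample sets: a well-formed datagram, a Teardrop-style set whose
# second fragment claims an offset inside the first, and a set with a hole.
GOOD = [Fragment(0x1234, 0, 1480, True), Fragment(0x1234, 1480, 1480, True),
        Fragment(0x1234, 2960, 500, False)]
TEARDROP = [Fragment(0x1234, 0, 36, True), Fragment(0x1234, 24, 4, False)]
GAPPED = [Fragment(0x1234, 0, 8, True), Fragment(0x1234, 24, 8, False)]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("teardrop", TEARDROP), ("gapped", GAPPED)):
        print(name, validate_fragments(frags))
```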
Buffer Overflow

Buffer overflows happen when an application does not check the length of data that is input.

Unintentional denial of service

A situation where a website's service ends up being denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users, potentially hundreds of thousands of people, click that link in the space of a few hours, having the same effect on the target website as a DDoS attack.