Monday, 28 September 2015

Denial of service in Depth Explained

A denial-of-service attack is a very famous and common attack; we experience such attacks daily but are often unable to recognise them. Let me define denial of service (DoS) for you: a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. What this means is that sometimes we visit a website, the website keeps on loading, and after a while the connection from the server breaks and we get a "website not available" error. High-profile servers such as bank servers, credit card payment gateways and even social networking servers are the ones mostly targeted by hackers.

A well-known variant of the denial-of-service attack is the DDoS (Distributed Denial-of-Service) attack. The logic is the same; the only difference is that a DoS attack is launched from one source and a DDoS attack from many.
How Denial Of Service Works
A hacker instructs one or more of his computers to contact a specific server or website repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely.
Some famous methods of attack
Ping of Death - bots create huge packets and send them to victims.
Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers.
Smurf Attack - bots send Internet Control Message Protocol (ICMP) messages to reflectors.
Teardrop - bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result.
SYN flood - a SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address.
Permanent denial-of-service attacks - an attack that damages a system so badly that it requires replacement or re-installation of hardware.
Denial-of-Service Level II - the goal of a DoS L2 attack is to trigger a defense mechanism that blocks the network segment from which the attack originated. In the case of a distributed attack or IP header modification (depending on the kind of security behaviour) it will fully block the attacked network from the Internet, but without a system crash.
■ Another well-known form of denial of service is at the application level: various DoS-causing exploits such as buffer overflows can cause server software to become confused and fill the disk space or consume all available memory or CPU time.
Buffer overflow - a flaw in a program that, when triggered during execution, causes memory errors, incorrect results or a breach of security.
■ To perform denial-of-service attacks hackers use tools, botnets, zombies, etc.
I would like to tell you about a few famous denial-of-service tools that have been used by hackers in the past to attack high-security servers.
LOIC (Low Orbit Ion Cannon)
LOIC was used by Project Chanology, a project by the Anonymous group, to attack websites of the Church of Scientology, then by Anonymous itself to successfully attack the Recording Industry Association of America's website in October 2010, and again during Operation Payback in December 2010 to attack the websites of companies and organizations that opposed WikiLeaks. It is an open source network stress testing and denial-of-service attack application written in C#. LOIC was initially developed by Praetox Technologies but was later released into the public domain, and is now hosted on several open source platforms. The software has inspired the creation of an independent JavaScript version called JS LOIC, as well as a LOIC-derived web version called Low Orbit Web Cannon; these enable a DoS from a web browser. LOIC performs a denial-of-service (DoS) attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.
HOIC (High Orbit Ion Canon).
HOIC is another DoS tool. It is not as famous as LOIC but is very powerful and has a good GUI. It is a Windows executable.
Slowloris
Slowloris the low bandwidth, yet greedy and poisonous HTTP client!
Written by RSnake with help from John Kinsella, and a dash of inspiration from Robert E Lee.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
There are a number of web servers that are vulnerable to Slowloris' form of attack. Some of the vulnerable web servers include Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer software.
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the webserver will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack. Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches. Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.
IIS 6.0, IIS 7.0, lighttpd, Squid and nginx are reported to be unaffected. A notable feature of Slowloris is that it works on low bandwidth and does not stop after some time, unlike other tools, which give up once they stop getting responses from the server.
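The mitigations described above (a deadline for finishing the request, a minimum transfer speed, and a per-IP connection limit) as an added Python model; this is not Slowloris' code nor that of any Apache module, though Apache's mod_reqtimeout applies rules of this kind. It refuses a sixth connection from one IP, flags a client whose headers trickle in below the minimum rate, and drops connections that never finish their headers within the deadline. All thresholds, addresses and requests are constructed for the example.

```python
HEADER_END = b"\r\n\r\n"
HEADER_TIMEOUT = 20.0   # seconds a client gets to finish its request headers
MIN_RATE = 50.0         # bytes/second required once a connection is a second old
MAX_PER_IP = 5          # concurrent connections allowed per client IP (assumed values)

def verdict(conn, now):
    """'serve' once the headers end; otherwise wait, or drop a stalled/slow client."""
    if HEADER_END in conn["buf"]:
        return "serve"
    elapsed = now - conn["opened"]
    if elapsed > HEADER_TIMEOUT:
        return "drop:timeout"
    if elapsed >= 1.0 and len(conn["buf"]) / elapsed < MIN_RATE:
        return "drop:slow"
    return "wait"

class ConnectionTable:
    def __init__(self):
        self.by_ip = {}   # ip -> list of live connections (dicts with opened, buf)

    def accept(self, ip, now):
        live = self.by_ip.setdefault(ip, [])
        if len(live) >= MAX_PER_IP:
            return None   # per-IP cap reached: refuse the new connection
        live.append({"opened": now, "buf": b""})
        return live[-1]

    def sweep(self, now):
        """Close every connection the rules reject; return (ip, reason) per drop."""
        dropped = []
        for ip, conns in self.by_ip.items():
            verdicts = [(c, verdict(c, now)) for c in conns]
            dropped += [(ip, v) for _, v in verdicts if v.startswith("drop")]
            self.by_ip[ip] = [c for c, v in verdicts if not v.startswith("drop")]
        return dropped

def simulate():
    # Constructed scenario: one normal client and one Slowloris-style client.
    table = ConnectionTable()
    legit = table.accept("198.51.100.7", 0.0)
    legit["buf"] += b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # complete request
    slow = table.accept("203.0.113.9", 0.0)
    slow["buf"] += b"GET / HTTP/1.1\r\nHost: example.test\r\n"      # no terminating blank line
    out = {"t=0": (verdict(legit, 0.0), verdict(slow, 0.0))}
    slow["buf"] += b"X-a: b\r\n"          # a trickle of extra headers keeps it "alive"
    out["t=10"] = verdict(slow, 10.0)
    extra = [table.accept("203.0.113.9", 0.0) for _ in range(5)]
    out["cap_hit"] = extra[-1] is None    # the 6th connection from that IP is refused
    out["dropped"] = table.sweep(25.0)
    return out
```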
Xerxes
The Jester (leetspeak handle th3j35t3r) is a computer vigilante who describes himself as a grey-hat hacktivist. He or she claims to be responsible for attacks on WikiLeaks, 4chan, Iranian President Mahmoud Ahmadinejad, and Islamist websites. He claims to be acting out of American patriotism. The Jester uses a denial-of-service (DoS) tool known as "XerXeS", which he claims to have developed. One of The Jester's habits is to tweet "TANGO DOWN" on Twitter whenever he successfully takes down a website. The Jester claims to have originally developed his DoS script as a means to test and harden servers. After learning from an article that Jihadists were using the Internet to recruit and coordinate terror cells, The Jester resolved to disrupt online communications between Jihadists. He weaponized his script and created a front-end known as "XerXeS" in order to solve the script's usability problems.
HULK
HULK (Http Unbearable Load King) is a web server denial of service tool written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.
■ DoS prevention -
●  Mitigation performance – high rate DDoS must be mitigated by specialized hardware to withstand the attack load while allowing legitimate traffic to pass through – e.g. Anti-DDoS solutions using ASIC-based DDoS Mitigation Engines
●  Reducing reaction time – Network Behavioral Analysis (NBA) technology should be utilized to automatically and accurately distinguish attack traffic from legitimate traffic – at all layers including layer-7 (e.g. HTTP)
●  Blocking multiple attack vectors – using NBA, IPS and DoS technologies within a single Anti-DDoS solution ensures no attack is overlooked during a multi-vector attack campaign.
●  Services like Nexusguard, Cloudflare, etc. help protect against DDoS attacks efficiently by providing a reverse proxy and limiting pings from a given IP.
●  Apart from web firewalls, host firewalls like iptables and Comodo are also very helpful in preventing DDoS attacks. They block the IP of the attacker, which kicks him off the server.
●  The web server matters: most DDoS attacks fail to exploit nginx.
●  For bandwidth saturation attacks, make sure your service provider can mitigate volumetric attacks that may saturate your bandwidth.
■ Note: Always configure your firewalls, ports and other server mechanisms correctly, because I have seen cases where the admin has not configured his firewall correctly and becomes a victim of DDoS.
Note for server administrators: despite being designed to provide network security, firewalls and intrusion prevention systems (IPS) are themselves impacted by DDoS attacks. To stop DDoS attacks you can also go for dedicated hardware solutions.
Correct knowledge can save you from all kinds of attacks, and always stay alert to updates.
About The Author - Rashmil Tyagi is a young Cyber Security Consultant; you can contact him at official.rashmiltyagi@gmail.com

Get Updates about Latest Hacks, Exploits, Applications and Softwares. http://www.devilscafe.in/