10.3 DoS / DDoS attack techniques and tools



DoS / DDoS attack techniques
• Attack tools
• Application-layer floods
• Degradation-of-service attacks
• Denial-of-service Level II
• Distributed DoS attack
• DDoS extortion
• HTTP POST DoS attack
• ICMP flooding
• Nuke
• Peer-to-peer attacks
• Permanent DoS attack
• Reflected / Spoofed attacks
• Amplification attacks
• R-U-Dead-Yet? (RUDY)
• Shrew attack
• Slow Read attack
• Sophisticated low-bw DoS Attack
• TCP SYN flooding
• Teardrop attacks
• Telephony DoS (TDoS)
Attack tools
• The attacker compromises one or more systems and uses them to launch attacks or to issue commands to zombie agents, which then carry out the DDoS attack.
• UK’s GCHQ has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER.
Application-layer floods
• Various DoS attacks exploit buffer overflows or the limit on the maximum number of open connections.
Degradation-of-service attacks
• Degradation-of-service is a type of denial-of-service attack that degrades the service rather than denying it completely.
Denial-of-service Level II
• The goal of a DoS Level II attack is to trigger a defense mechanism that blocks the network segment from which the attack originated.
Distributed DoS attack (DDoS)
A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system.
DDoS extortion
• Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin or by some other means.
HTTP POST DoS attack
• The HTTP POST attack sends a complete, legitimate HTTP POST header that includes a ‘Content-Length’ field specifying the size of the message body to follow, and then sends that body extremely slowly, so the server keeps the connection open waiting for it.
ICMP flooding
• An Internet Control Message Protocol (ICMP) flood overwhelms the target with ICMP packets.
• A smurf attack relies on misconfigured network devices that allow packets to be sent to all hosts on a particular network via the network’s broadcast address.
Nuke
• A Nuke is an old DoS attack consisting of fragmented or otherwise invalid ICMP packets sent to the target.
Peer-to-peer (P2P) attacks
• Attackers have found a way to exploit a number of bugs in P2P servers to initiate DDoS attacks.
Permanent DoS attack
• A permanent DoS (PDoS) attack, also known as phlashing or a hardware attack, damages a system so badly that it requires replacement or reinstallation of hardware.
• The attacker uses vulnerabilities in the victim’s network device firmware to replace the firmware with a corrupt image, making the device useless.
• The PhlashDance tool detects PDoS vulnerabilities.
Reflected / Spoofed attack
• A DDoS attack that sends forged requests to a very large number of systems that will reply to the requests. Using IP address spoofing, the source address is set to that of the targeted victim, so all the replies flood the target.
Amplification attacks
• Amplification attacks are used to magnify the bandwidth that is sent to a victim. This is done through publicly accessible DNS servers that are used to cause congestion on the target system using DNS response traffic.
• US-CERT has observed that different services yield different amplification factors.
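The two observations above (amplification factor, and replies reflected off public servers toward a spoofed victim) can both be measured from ordinary flow records at the victim's network edge. The following is an added example written for these notes, not code from the original page or from US-CERT: it takes constructed NetFlow-style records (src, sport, dst, dport, bytes), computes the bytes-out/bytes-in ratio for each client/server pair where both directions were seen, and flags hosts that receive service replies from several servers they never queried. The port-to-service table is an assumption of the example, not a list of factors published by US-CERT.

```python
"""Amplification-factor and reflection indicators from flow records.

Added example, not from the original notes. The flow records below are
constructed (NetFlow-style summaries: src, sport, dst, dport, bytes); the
port-to-service table lists commonly abused UDP services and is an assumption
of this example, not a figure from US-CERT.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (assumed list for the example)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed flows: one legitimate DNS exchange, and a victim (10.0.0.99) that
# receives DNS-sized replies from five resolvers it never queried.
SAMPLE_FLOWS = [
    {"src": "10.0.0.7", "sport": 51000, "dst": "192.0.2.53", "dport": 53, "bytes": 64},
    {"src": "192.0.2.53", "sport": 53, "dst": "10.0.0.7", "dport": 51000, "bytes": 512},
] + [
    {"src": f"198.51.100.{i}", "sport": 53, "dst": "10.0.0.99", "dport": 80, "bytes": 3000}
    for i in range(1, 6)
]


def amplification_factors(flows):
    """Observed reply bytes / request bytes per (client, server, service port).

    Only pairs where both the request and the reply were seen contribute, so
    the result is the amplification this trace actually shows for each server.
    """
    requests = defaultdict(int)
    replies = defaultdict(int)
    for f in flows:
        if f["dport"] in REFLECTOR_PORTS:
            requests[(f["src"], f["dst"], f["dport"])] += f["bytes"]
        elif f["sport"] in REFLECTOR_PORTS:
            replies[(f["dst"], f["src"], f["sport"])] += f["bytes"]
    return {key: replies[key] / requests[key] for key in replies if requests.get(key)}


def reflection_suspects(flows, min_reflectors=3):
    """Hosts receiving service replies from many servers they never queried.

    From the victim network's vantage point, reflected traffic looks like
    unsolicited replies (source port = service port) converging on one host.
    """
    queried = {(f["src"], f["dst"], f["dport"]) for f in flows if f["dport"] in REFLECTOR_PORTS}
    unsolicited = defaultdict(set)
    for f in flows:
        port = f["sport"]
        if port in REFLECTOR_PORTS and (f["dst"], f["src"], port) not in queried:
            unsolicited[(f["dst"], REFLECTOR_PORTS[port])].add(f["src"])
    return {k: sorted(v) for k, v in unsolicited.items() if len(v) >= min_reflectors}


if __name__ == "__main__":
    for key, factor in amplification_factors(SAMPLE_FLOWS).items():
        print(f"{key}: x{factor:.1f}")
    for (victim, service), reflectors in reflection_suspects(SAMPLE_FLOWS).items():
        print(f"{victim} hit by {len(reflectors)} unsolicited {service} replies")
```

The factor is computed only from pairs with both directions present, because unsolicited replies have no request to divide by; those are exactly the flows the second function reports. On the reflector side, the matching control is to stop answering spoofed queries at all (open-resolver checks, response rate limiting on DNS, disabling NTP `monlist`), since the victim cannot filter by source address when every source is a legitimate server.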
R-U-Dead-Yet? (RUDY)
• A RUDY attack targets web applications by starving the web server of available sessions.
• Slowloris is a DoS attack tool that allows a single machine to take down another machine’s web server with minimal bandwidth and side effects.
Shrew attack
• The shrew attack is a DoS attack on the Transmission Control Protocol (TCP). It uses short synchronized bursts of traffic to disrupt TCP connections on the same link by exploiting a weakness in TCP’s retransmission timeout mechanism.
Slow Read attack
• A slow read attack sends legitimate application layer requests, but reads responses very slowly, thus trying to exhaust the server’s connection pool.
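The slow HTTP POST, RUDY, Slowloris and Slow Read attacks described above all share one server-side signature: a connection that stays open for a long time while very few bytes move in the direction the server is waiting on. The following added example (written for these notes, not code from the original page or from any of the tools named) models the per-connection bookkeeping a server or reverse proxy keeps and applies a single policy to it: a deadline for completing request headers, and a minimum byte rate for the request body and for draining the response once headers are in. The connection records are constructed sample state.

```python
"""Per-connection slow-request policy for an HTTP server.

Added example, not from the original notes. It models the bookkeeping a server
(or a reverse proxy in front of it) keeps per connection and decides which
connections to drop; the Conn records below are constructed sample state, not
output of any particular server.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str
    opened: float           # time the connection was accepted (seconds)
    headers_done: bool      # full request header block received
    bytes_in: int           # request bytes received so far
    body_expected: int      # declared Content-Length, 0 if none
    bytes_out: int          # response bytes the client has accepted so far
    response_pending: bool  # server still has response data queued for this client


def slow_connection_verdict(c, now, header_deadline=20.0, min_rate=500.0, grace=5.0):
    """Return a reason to close the connection, or None if it is behaving.

    header_deadline: seconds allowed to finish sending request headers
    min_rate: minimum bytes/second in either direction once headers are done
    grace: seconds after accept before the rate check applies
    """
    age = now - c.opened
    if not c.headers_done:
        # Slowloris keeps the header block incomplete indefinitely
        return "request headers incomplete after deadline (Slowloris pattern)" if age > header_deadline else None
    if age < grace:
        return None
    if c.body_expected and c.bytes_in < c.body_expected and c.bytes_in / age < min_rate:
        # Declared a large body, then trickles it in (RUDY / slow HTTP POST)
        return "request body below minimum rate (RUDY / slow POST pattern)"
    if c.response_pending and c.bytes_out / age < min_rate:
        # Accepts the response far slower than the server can deliver it (Slow Read)
        return "response drained below minimum rate (Slow Read pattern)"
    return None


def sweep(conns, now, **policy):
    """Apply the policy to every connection; returns {peer: reason} for those to close."""
    verdicts = {}
    for c in conns:
        reason = slow_connection_verdict(c, now, **policy)
        if reason:
            verdicts[c.peer] = reason
    return verdicts


# Constructed connection table as seen at now = 100.0 seconds
NOW = 100.0
SAMPLE_CONNS = [
    Conn("198.51.100.5", 98.0, False, 120, 0, 0, False),        # just arrived, still sending headers
    Conn("198.51.100.6", 60.0, True, 400, 0, 800_000, True),    # healthy download in progress
    Conn("203.0.113.1", 50.0, False, 300, 0, 0, False),         # headers never finish
    Conn("203.0.113.2", 40.0, True, 600, 1_000_000, 0, False),  # huge Content-Length, body trickles in
    Conn("203.0.113.3", 40.0, True, 400, 0, 1_200, True),       # reads the response a few bytes at a time
]

if __name__ == "__main__":
    for peer, reason in sweep(SAMPLE_CONNS, NOW).items():
        print(f"close {peer}: {reason}")
```

The grace period keeps the rate check from killing connections that were accepted a moment ago, and the header deadline is checked separately because a client that never finishes its headers has no rate to measure. Production servers expose the same policy as configuration rather than code: Apache's mod_reqtimeout documents `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`, and nginx has `client_header_timeout`, `client_body_timeout` and `send_timeout`.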
Sophisticated low-bandwidth DoS attack
• A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases its effectiveness by aiming at a weak point in the victim’s system design, i.e., the attacker sends traffic consisting of complicated requests to the system.
• This is more difficult to identify, and it can hurt systems that are protected by flow-control mechanisms.
TCP SYN flooding
• When a host sends a flood of TCP SYN packets it is called SYN flooding. Each packet causes the server to start a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.
• The sender never responds, and the half-open connections saturate the number of connections the server can hold; legitimate requests are not answered until the attack ends.
Teardrop attacks
• A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation reassembly code.
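Two things are stated about the SYN flood and teardrop entries above that a defender can check directly: half-open connections pile up from senders that never answer, and overlapping or oversized fragments should be rejected rather than reassembled. The first added example (written for these notes, not code from the original page) reads a socket-table snapshot in the column layout of `ss -tan`, reports the half-open share and how many distinct peers it comes from, and flags the snapshot when half-open entries are both numerous and dominant. The snapshot builder produces constructed lines; real `ss -tan` output can be fed to `parse_snapshot()` unchanged.

```python
"""SYN-flood indicators from a TCP socket-table snapshot.

Added example, not from the original notes. build_sample_snapshot() emits
constructed lines in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port); only the State and Peer columns are
used by the parser.
"""
from collections import Counter

HEADER = "State      Recv-Q Send-Q Local Address:Port  Peer Address:Port"


def build_sample_snapshot(established=4, half_open=60):
    """Constructed snapshot: a few real clients plus many half-open connections
    whose peer addresses are spread out, as spoofed SYNs typically are."""
    lines = [HEADER]
    for i in range(established):
        lines.append(f"ESTAB      0      0      10.0.0.5:443        198.51.100.{10 + i}:{50100 + i}")
    for i in range(half_open):
        lines.append(f"SYN-RECV   0      0      10.0.0.5:443        203.0.113.{i % 250 + 1}:{40000 + i}")
    return "\n".join(lines)


def parse_snapshot(text):
    """Return [(state, peer_ip), ...], skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        peer_ip = parts[4].rsplit(":", 1)[0]  # strip the port
        rows.append((parts[0], peer_ip))
    return rows


def syn_flood_indicators(rows, min_half_open=20, max_half_open_ratio=0.5):
    """Summarise half-open load and flag the snapshot when half-open connections
    are both numerous and dominate the table.

    A flood built on spoofed source addresses shows a high half-open ratio
    spread over many distinct peers, which is why per-source blocking does
    little and SYN cookies are the usual mitigation.
    """
    states = Counter(state for state, _ in rows)
    half_open = states["SYN-RECV"]
    established = states["ESTAB"]
    total = half_open + established
    ratio = half_open / total if total else 0.0
    sources = Counter(ip for state, ip in rows if state == "SYN-RECV")
    return {
        "half_open": half_open,
        "established": established,
        "half_open_ratio": round(ratio, 3),
        "distinct_half_open_peers": len(sources),
        "top_peers": sources.most_common(3),
        "suspicious": half_open >= min_half_open and ratio >= max_half_open_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(parse_snapshot(build_sample_snapshot())))
```

On Linux the corresponding mitigation is SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the server answer SYNs without keeping per-connection state until the handshake completes, so half-open entries from silent senders never accumulate.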
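The teardrop entry names the defect as a reassembly bug: a stack that trusts fragment offsets and lengths can be driven into overlapping or out-of-bounds copies. The following added example (written for these notes, not code from the original page or from any operating system's IP stack) shows the validation a safe reassembler performs before touching any buffer: fragments are modelled as constructed (offset, length, More-Fragments) tuples, and any set that overlaps, leaves a gap, exceeds the 65535-byte IPv4 datagram limit, or has inconsistent MF flags is rejected with a reason instead of being reassembled.

```python
"""Defensive IP-fragment reassembly check.

Added example, not from the original notes. Each fragment is modelled as
(offset_bytes, length_bytes, more_fragments); a real stack derives these from
the IPv4 header (fragment offset in 8-byte units, total length, MF flag). The
Fragment values used in tests are constructed input for illustration.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # maximum IPv4 datagram size in bytes


@dataclass(frozen=True)
class Fragment:
    offset: int  # byte offset of this fragment's payload within the datagram
    length: int  # payload length in bytes
    more: bool   # IP "More Fragments" flag


def validate_fragments(fragments):
    """Return (ok, reason).

    ok is True only for a gap-free, non-overlapping, in-bounds set of fragments
    whose last fragment has MF clear and every earlier fragment has MF set.
    Overlapping or oversized fragments (the teardrop pattern) are rejected
    rather than reassembled, so no copy is ever attempted on bad bounds.
    """
    if not fragments:
        return False, "no fragments"
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected = 0  # byte offset the next fragment must start at
    for i, f in enumerate(ordered):
        if f.length <= 0:
            return False, f"fragment at offset {f.offset} has non-positive length"
        if f.offset + f.length > MAX_DATAGRAM:
            return False, f"fragment at offset {f.offset} exceeds {MAX_DATAGRAM} bytes"
        if f.offset < expected:
            return False, f"fragment at offset {f.offset} overlaps previous data"
        if f.offset > expected:
            return False, f"gap before offset {f.offset}"
        is_last = i == len(ordered) - 1
        if f.more == is_last:
            # MF must be set on every fragment except the final one
            return False, f"bad More-Fragments flag at offset {f.offset}"
        expected = f.offset + f.length
    return True, "ok"


if __name__ == "__main__":
    good = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
    overlapping = [Fragment(0, 36, True), Fragment(24, 12, False)]
    for name, frags in (("good", good), ("overlapping", overlapping)):
        print(name, validate_fragments(frags))
```

Dropping any datagram with overlapping fragments, rather than picking one of the overlapping copies, is the behaviour RFC 5722 mandates for IPv6 hosts and the one modern IPv4 stacks adopted after this class of bug; an IDS that reassembles for inspection needs the same check so that it and the endpoint cannot be led to different views of the payload.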
Telephony DoS (TDoS)
• Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated, while permitting call origins to be misrepresented through caller ID spoofing.
• TDoS has appeared as part of various fraudulent schemes:
– Jamming victims’ lines
– Caller ID spoofing, ransom calls and threatening calls
– SMS flooding attacks and black fax or fax loop transmission

Mourad ELGORMA