Chapter 17 Common Types of Attacks
2. Technology Based Attacks
2.1. Denial of Service (DOS)/Distributed Denial of Service (DDOS)

Transcript
So let's talk about denial of service or distributed denial of service attacks.
So that's exactly how it sounds.
It's a hacker, normally attacking a website, trying to deny service to the users or to the company.
They're trying to crash it.
So, a Denial of Service attack.
We're going to go over a couple of these.
The first one is called the Ping of Death.
So, ping is a command.
You can go to command line on a Windows machine or a Linux machine and type in a ping command and you tell it what IP address you want to ping, and it basically reaches out to that IP address, sends it packets and waits to see if they bounce.
It tells you how many packets were sent and how long it took them to bounce back.
One isn't a bad thing.
One even left continually running probably wouldn't affect the system.
But when you do that hundreds or thousands of times using botnets and things like that, you can crash a service by sending out all those pings.
So I'll give you the textbook definition.
But that's basically what it is.
Pinging is primarily used to see whether a computer is responding to IP.
Usually, when you ping a remote host, what you're really doing is sending four normal-sized Internet Control Message Protocol packets, they're called ICMP packets, to the remote host to see if it's available.
But during a Ping of Death attack, a humongous ICMP packet is sent to the remote host victim, totally flooding the victim's buffer and causing the system to reboot or helplessly hang.
And it's good to know that patches are available for most operating systems to prevent the Ping of Death from working.
So that's another way to do it. Instead of having, you know, lots of... I've seen it both ways.
Lots of botnets sending a thousand pings a second, or oversized pings, or giants, as we talked about a few slides ago or a few chapters ago, sent to a system to crash it.
Then, talking about distributed DoS or DDoS attacks.
It's a Denial-of-Service attack that can be made more effective if it can be amplified by recruiting helpers in the attack process.
In the following section, some terms and concepts that apply to DDoS attacks are explained.
Basically, it's being attacked by more than one person, more than one computer really.
You can have, if you have a big enough system, a bunch of virtual machines.
You get enough of your friends with a bunch of virtual machines, or bad guys.
A group of bad guys that are, say, trying to bring down a website for whatever reason.
You get all your friends to help you and you flood that, right?
So, it's not like one person requesting information.
It could look like thousands.
I've been in a DDoS attack where the IP address and Web page was hit 1000 times per second.
So basically, these people are setting up scripts to have their computers hit that website multiple times, just over and over and over, in a repeating loop.
So that is a DDoS.
Something you need to know is Botnet Command and Control.
So, a botnet is a group of programs connected on the Internet for the purpose of performing a task in a coordinated manner.
Some botnets, such as those created to maintain control of Internet Relay Chat channels, are legal,
while others are illegally created for DDoS attacks.
An attacker can recruit and build a botnet to amplify the attack.
Basically, what I said is they will get all their little buddies to attack your site and you'll get hits.
Lots and lots of times.
So, a botnet operator sends out viruses or worms whose payloads are malicious applications.
The bots infect ordinary user computers, but they could just be overloading a website with requests.
Also, the bots on the infected PCs log into a server called a Command-and-Control server and are then under the control of the attacker.
So, the botnet will get into a server that has command and control of your network, and they try to take it over.
At the appropriate time, the hackers, through the C&C server, send the command to all bots to attack the victim at the same time, thereby significantly amplifying the effect of the attack.
So that's something that the bad guys will do, is they will get into your system but not do anything.
They want to see if they're going to be noticed.
Did anybody catch us cracking into the system itself?
They may wait 30 days, 60 days, 90 days, depending on what they're trying to do.
I know of a school system here in Michigan where the hackers hacked into their system, their accounting system, their payroll system, and they were watched for months.
The traffic, the emails, all that stuff.
And when they gained enough knowledge, they sent out an attack that drained, over a three- or four-month period, a million dollars out of a payroll account.
So just because you get hacked doesn't mean the hackers are going to attack you right away. They may wait.
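As an added example that is not part of the lecture, here is a small Python detector for the two patterns described above: Ping of Death sized ICMP packets, and flood rates from a single source versus a botnet that spreads hits across many sources. The log format, the IP addresses and the thresholds are all constructed for the demonstration.

```python
from collections import Counter, defaultdict

MAX_IP_LEN = 65535    # largest legal IPv4 datagram; a reassembled ICMP echo above this is Ping of Death sized
FLOOD_PER_SEC = 50    # per-source packets/second threshold (assumed; tune for the real service)
TOTAL_PER_SEC = 150   # aggregate packets/second threshold to catch distributed floods (assumed)


def parse_line(line):
    """Constructed log format: '<epoch_sec> <src_ip> <proto> <ip_total_len>'."""
    ts, ip, proto, length = line.split()
    return int(ts), ip, proto, int(length)


def detect(lines):
    """Flag oversized ICMP, single sources over FLOOD_PER_SEC, and seconds over TOTAL_PER_SEC."""
    oversized = []
    per_sec = defaultdict(Counter)  # second -> Counter(src_ip -> packet count)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, proto, length = parse_line(line)
        if proto == "ICMP" and length > MAX_IP_LEN:
            oversized.append((ts, ip, length))
        per_sec[ts][ip] += 1
    flooders = sorted({ip for c in per_sec.values() for ip, n in c.items() if n >= FLOOD_PER_SEC})
    hot_seconds = sorted(ts for ts, c in per_sec.items() if sum(c.values()) >= TOTAL_PER_SEC)
    return {"oversized": oversized, "flooders": flooders, "hot_seconds": hot_seconds}


def build_sample():
    """Constructed traffic: normal pings, one oversized ping, one single-source
    flood, and a distributed flood where each bot stays under the per-source limit."""
    lines = ["1700000000 203.0.113.5 ICMP 84", "1700000000 203.0.113.6 TCP 1500"]
    lines.append("1700000000 198.51.100.7 ICMP 65600")          # Ping of Death sized
    lines += ["1700000001 192.0.2.10 TCP 60"] * 120             # one host, 120 hits in a second
    lines += [f"1700000002 10.0.0.{i} TCP 60"                   # 20 bots x 10 hits: 200 in a second,
              for i in range(1, 21) for _ in range(10)]         # but no single bot reaches 50
    return lines


if __name__ == "__main__":
    for key, value in detect(build_sample()).items():
        print(key, value)
```

The per-source count alone misses the distributed second, which is exactly why the lecture stresses that a DDoS looks like thousands of ordinary clients rather than one noisy one; the aggregate threshold is what catches it.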