2. Technology Based Attacks

2.2. DOS & DDOS Continued

DOS and DDOS continuation


Transcript

OK, let's continue to talk about DoS and DDoS.  

One of the red flags is a traffic spike.  

Say you're used to getting a hundred hits per hour at your website, and now you're getting 100 per second.  

You know that big jump, your website is not able to handle that. 

But that's a flag.  

I talked about the one that I worked on, that was 1,000 hits per second, as that traffic ramped up. 

That spike was a red flag. 

It flagged what was going on easily; once we looked at the data, we could tell that we were getting a DDoS attack.  

So, another thing is a coordinated attack. An unmistakable feature of a DDoS attack is the presence of a coordinated attack.  

It is like botnet command and control. 

And to properly amplify the attack, the bots must attack the victim at the same time.  

The coordination of the bots is orchestrated by a command-and-control server.  

So yeah, they're all hitting at once.  

During that big attack that I worked on, I think we had a list of 200 IP addresses that the attacks were coming from.  

They used VPNs, so they looked like they were from all over the world.  

Who knows where they really were? 

How you stop that is you go through and block those IPs from coming in. 

But in the meantime, the damage is being done. 

So, in a coordinated attack, they use one server to coordinate, and all the bots attack at once. 

Then there are friendly, unintentional DoS attacks.  

They're also called friendly fire. 

It's not caused by malicious individuals.  

Instead, it's a spike in activity to a website or resource that overpowers its ability to respond, in many cases as a result of relatively unknown URLs suddenly becoming shared in a larger medium such as TV.  

So, if you have a website, say, selling a product, and an Internet influencer, or something else, says, “Hey, I love this product,” well, your site may get hit with a lot of traffic that it's not prepared to handle.  

It's not malicious, but it's going to overload your website.  

Nonetheless, just the same. 

Then there are physical attacks. 

Physical attacks are those that cause hardware damage to a device. 

These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers and switches, firewalls, servers, and other devices should be locked away and protected by strong access controls.  

So yeah, you want all that equipment locked up in a room. 

You want it monitored as to who can go in there and who can't. 

Part of this is your training and documentation.  

You want your team to know who belongs in there and who doesn't, and who comes in there. 

You want your team to step up and say, “Hey, what are you doing in here? You need to leave,” or call security.  

Whatever your procedures are.  

But that's the way you prevent a physical attack. 

I travel from office to office. 

In our company, a lot of times, people won't know who I am, especially if they're a new hire since I've been there last, and we will intentionally send me in to see how far into the office I can get before somebody challenges me, or somebody recognizes me. 

Depending on where I'm at in the office, I've walked into an office where the SOC was in a different location, but I was able to go into where our developers and engineers worked.  

Help desk guy let me in.  

He's brand new, didn't know who I was, but I knocked on the door, acted like I knew what I was doing.  

He never asked for my name. 

He never questioned what I was doing, but I could have found my way to a server closet and committed a physical attack there. 

So then there's permanent DoS.  

That's an attack in which the device is damaged and has to be replaced. 

It requires physical access to the device, or it can be virtual.  

You don't have to be able to get into the device to destroy it. 

You can send in packets that will attack the firmware, called phlashing packets. 

When you update firmware, you're updating it, but you can phlash it, and that's "flash" spelled with a "ph," and that will wipe it. 

So that's a permanent DoS attack. 

Another attack, it's called a Smurf, and not the little blue guys that you see on TV.  

It's a version of a DoS attack that floods the victim with spoofed broadcast ping messages. 

I'll talk about spoofing later, but for now, understand that it basically involves stealing someone else's IP address.  

They will steal other IP addresses and hit you with ping attacks.  

So that's called a Smurf attack. 

The bad guy spoofs the intended victim's IP address, and then sends a large number of pings to IP broadcast addresses on the receiving router. 

The router responds by delivering the broadcast to all the hosts on the subnet, and all the hosts respond with an echo reply.  

So, in that version, they will spoof your website's address and send out multiple ping requests to broadcast addresses. 

And when those broadcasts come back, they're going to all of your hosts, and then all of your hosts are sending out replies.  

That's flooding your system with ping replies. 

So that's another type of attack, the Smurf attack. 

A SYN Flood: 

That's S-Y-N.  

When we were talking about the OSI model, we talked about SYN, SYN/ACK, ACK, and those commands that you'll see in your Internet traffic. 

So, a SYN flood is a DDoS attack.  

It inundates the receiving machine with lots of packets that cause the victim to waste resources by holding connections open. 

In normal communications, a workstation that wants to talk to a server over TCP/IP sends a packet with a SYN flag. 

The server automatically responds back with a SYN/ACK. 

In a SYN flood, the attacker sends a SYN, the victim sends back a SYN/ACK, and the attacker leaves the victim waiting for the final ACK, so the server is stuck waiting for the response. 

A small part of memory is reserved for it. 

So basically, as the SYNs continue to arrive, they keep sending SYNs, and when you send the SYN/ACK, they don't ever send the ACK back. 

If you're seeing network traffic like that (I've seen 100 SYN packets come in), that's taking up memory that's waiting for that response. 

Then the last thing that we'll cover on this slide is reflected and amplified attacks.  

So, one is DNS. 

So, a reflected amplified attack increases the effectiveness of a DoS attack.  

Two of the more effective of these attacks are the DNS and NTP ones.  

A DNS amplification attack is a form of a reflection attack, in that the attacker delivers traffic to the victim by reflecting it off of a third party. 

Reflection conceals the source of the attack.  

It relies on exploitation of publicly accessible open DNS servers to deluge victims with DNS response traffic.  

So, we talked about Google, for example; they have two open public DNS servers, 8.8.8.8 and 8.8.4.4, and people can use those to deluge a victim with DNS queries. 

So the way it works is the attacker sends a small DNS message, using the victim's IP address as the source, to an open resolver.  

The type of request used returns all known information about the DNS zone, which allows for the maximum level of response amplification directed to the victim server. 

So, it's sending out a DNS request and then reflecting back all that data, taking up space on your server. 

And it's not bad if it's one, but they use multiple. 

Botnets under command and control do these attacks to take down your equipment.  

So then the other one is called an NTP reflection attack, and it uses the same process of recruiting bots to aid the attack.  

The attacks are not reflected off DNS servers.  

They're instead reflected off of Network Time Protocol servers. 

These servers are used to maintain time synchronization between devices on a network. 

The bad guy sends out a small 8-byte UDP packet to a vulnerable NTP server that requests a large amount of data be sent to the target IP address, for the DDoS to take effect.  

So that's how that attack works. 

NTP is a time server that synchronizes your network, and they will attack it by sending out a request and flooding your servers with information.
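
Two of the indicators described in the transcript above, the traffic spike and the SYN flood's half-open connections, can be checked mechanically from packet records. The following is an added example written for this page, not code from the course material: it runs over a constructed packet log (second, source, destination, TCP flags) in which two normal clients complete the handshake and forty sources send a SYN, receive the SYN/ACK, and never send the final ACK. The log format, the victim address 203.0.113.10, the baseline rate and the thresholds are all assumptions.

```python
"""Detection logic for two DDoS indicators: a SYN-rate spike against a
baseline and sources that never complete the TCP handshake (half-open
connections).  Added example; the log format and thresholds are assumed."""
from collections import defaultdict

VICTIM = "203.0.113.10"  # assumed web server address (documentation range)

# Constructed sample log, one record per line: "epoch_second src dst flags".
# Seconds 100 and 101: two ordinary clients complete SYN -> SYN/ACK -> ACK.
# Second 102: forty sources send a SYN, get a SYN/ACK, and never send the ACK.
NORMAL = """
100 10.0.0.5 203.0.113.10 S
100 203.0.113.10 10.0.0.5 SA
100 10.0.0.5 203.0.113.10 A
101 10.0.0.6 203.0.113.10 S
101 203.0.113.10 10.0.0.6 SA
101 10.0.0.6 203.0.113.10 A
"""
FLOOD = "".join(
    f"102 198.51.100.{i} 203.0.113.10 S\n102 203.0.113.10 198.51.100.{i} SA\n"
    for i in range(1, 41)
)
SAMPLE_LOG = NORMAL + FLOOD


def parse_log(text):
    """Parse the constructed log into (second, src, dst, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, flags = line.split()
        records.append((int(ts), src, dst, flags))
    return records


def syn_rate(records, victim=VICTIM):
    """Inbound SYNs per second aimed at the victim."""
    counts = defaultdict(int)
    for ts, _src, dst, flags in records:
        if dst == victim and flags == "S":
            counts[ts] += 1
    return dict(counts)


def spike_seconds(rate, baseline, factor=10):
    """Seconds in which the SYN rate is at least `factor` times the baseline."""
    return sorted(ts for ts, n in rate.items() if n >= baseline * factor)


def half_open_sources(records, victim=VICTIM):
    """Walk the handshake per source.  A source left in state 'synack'
    received our SYN/ACK but never sent the final ACK, so the victim is
    holding a half-open connection (and its memory) for it.
    Keyed by source IP only for brevity; a real tracker keys by the 4-tuple."""
    state = {}
    for _ts, src, dst, flags in records:
        if dst == victim and flags == "S":
            state[src] = "syn"
        elif src == victim and flags == "SA" and state.get(dst) == "syn":
            state[dst] = "synack"
        elif dst == victim and flags == "A" and state.get(src) == "synack":
            state[src] = "established"
    return sorted(src for src, st in state.items() if st == "synack")


def detect(records, baseline_per_second, max_half_open=20, victim=VICTIM):
    """Combine both indicators into one verdict."""
    rate = syn_rate(records, victim)
    stuck = half_open_sources(records, victim)
    return {
        "spike_seconds": spike_seconds(rate, baseline_per_second),
        "half_open_sources": len(stuck),
        "distinct_attack_sources": stuck,
        "syn_flood": len(stuck) >= max_half_open,
    }


if __name__ == "__main__":
    verdict = detect(parse_log(SAMPLE_LOG), baseline_per_second=1)
    print(verdict["spike_seconds"], verdict["half_open_sources"], verdict["syn_flood"])
```

The list of stuck sources is the same list of addresses the transcript talks about blocking; in a real capture the spoofed sources of a SYN flood will not repeat, so the count of distinct half-open sources matters more than any single address.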
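
The amplification arithmetic behind the DNS reflection attack described above can be made concrete by building the packets. The following is an added example, not code from the course: it encodes a DNS query and a matching response in wire format with Python's struct module and computes the amplification factor, that is, how many bytes the open resolver sends to the spoofed victim per byte the attacker sends. The zone name, the TXT record contents and the query count are constructed for illustration.

```python
"""Build a minimal DNS query and response in wire format (RFC 1035 layout)
and compute the amplification factor of a reflection attack.  Added
example; the name, TXT payloads and query count are constructed."""
import struct

QTYPE_TXT = 16
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """12-byte header (RD bit set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, txt_records, ttl=300):
    """Echo the question and append one TXT answer per string.  Each answer
    names its owner with a compression pointer (0xC00C) to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode("ascii")  # one <character-string>
        answers += (b"\xc0\x0c"
                    + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata))
                    + rdata)
    return header + question + answers


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def reflected_bytes(query, response, queries_sent):
    """Bytes that land on the spoofed source address: every query carrying
    the victim's address is answered to the victim, not to the attacker."""
    return queries_sent * len(response)


# Constructed zone: ten 200-character TXT records, the kind of bulky data
# an ANY query pulls back from an open resolver that answers it in full.
ZONE_TXT = ["x" * 200] * 10

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, ZONE_TXT)
    print(len(q), len(r), round(amplification_factor(q, r), 1))
    print(reflected_bytes(q, r, queries_sent=100_000))
```

With the constructed zone the 29-byte query draws a 2,159-byte answer, a factor of about 74; multiplied across the bots of a botnet and the queries each one sends, that is why a handful of small spoofed packets per bot is enough to fill the victim's link.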