ASHISH JAIMAN
ABSTRACT
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. There are two general forms of DoS attacks: those that crash services and those that flood services. One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. DDoS attack tools are readily available, and any Internet host is targetable, either as a zombie or as the ultimate DDoS focus. These attacks can be costly and frustrating and are difficult, if not impossible, to eradicate. The best defence is to hinder attackers through vigilant system administration.
CONTENTS (PAGE NO.)
Ping of Death ... 6
LAND Attack ... 7
Tear Drop Attack ... 8
SYN Flood Attack ... 9
ICMP Flood Attack ... 11
UDP Flood Attack ... 12
Smurf Attack ... 13
DDOS Attack ... 15
REFERENCES ... 18
ACKNOWLEDGEMENT
We would like to express our heartfelt gratitude towards our able guide Mr. Lokesh Mittal (Assistant Professor), who was ever willing to offer constructive suggestions and help us out whenever we got stuck.
It is with the deepest sense of gratitude that we thank our Department Head Ms. Gayatri Lalwani for her normal guidance and constant encouragement.
Last but not least, we thank all our teachers and other staff members of Siddhi Vinayak College of Science & Hr. Education for providing an excellent and healthy environment during the Seminar work.
CHAPTER 1 INTRODUCTION
Cyber attacks, also referred to as cyber warfare or cyber terrorism in specific situations, are a type of offensive manoeuvre employed by both individuals and whole organizations. They target computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that steal, alter, or destroy a specified target by hacking into a susceptible system. Cyber warfare or cyber terrorism can be as harmless as installing spyware on a PC or as grand as destroying the infrastructure of entire nations. In the 21st century, as the world becomes more technologically advanced and reliant upon computer systems, cyber attacks have become more sophisticated, more dangerous, and the preferred method of attack against large groups by "attackers." DoS and DDoS attacks are both kinds of cyber attack. The traditional intent and impact of DoS (Denial of Service) attacks is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet. The infrastructure of interconnected systems and networks comprising the Internet is entirely composed of limited resources. Bandwidth, processing power, and storage capacity are all common targets for DoS attacks designed to consume enough of a target's available resources to cause some level of service disruption. An abundance of well-engineered resources may raise the bar on the degree an attack must reach to be effective, but today's attack methods and tools place even the most abundant resources in range for disruption. DDoS (Distributed Denial of Service) is an advanced version of the DoS (Denial of Service) attack.
Much like DoS, DDoS also tries to block important services running on a server by flooding the destination server with packets. The specialty of DDoS is that the attacks do not come from a single network or host but from a number of different hosts or networks which have been previously compromised. DDoS, like many other attack schemes, can be considered to consist of three participants; we can refer to these as the Master, the Slave, and the Victim. The Master is the initial source of the attack, i.e., the person/machine behind all this (sounds COOL, right?). The Slave is the host or network which was previously compromised by the Master, and the Victim is the target site/server under attack. The Master informs the Slave(s) to launch an attack on the victim's site/machine; since the attack comes from multiple sources at once (note that the Master is usually not involved in this phase), it is called a Distributed (or coordinated) attack.
CHAPTER-2 IP SPOOFING
IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. Newer routers and firewall arrangements can offer protection against IP spoofing.
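The "router and firewall arrangements" the chapter mentions are, in practice, ingress filtering (BCP 38): a packet arriving on an interface must carry a source address from the prefixes that legitimately sit behind that interface, otherwise it is dropped as spoofed. The following is an added example, not code from the report; the interface table, the bogon list and the packet records are constructed for the demonstration.

```python
"""
Added example, not code from the report: ingress (BCP 38) filtering against
spoofed source addresses.  The interface-to-prefix table, the bogon list and
the packet records are constructed values for this demonstration.
"""
import ipaddress

# assumed topology: the source prefixes that legitimately live behind each ingress interface
INTERFACE_PREFIXES = {
    "customer-lan": [ipaddress.ip_network("198.51.100.0/24")],
    "branch-wan": [ipaddress.ip_network("192.0.2.0/25")],
}

# addresses that are never valid as Internet sources on these edge interfaces (assumed policy)
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "224.0.0.0/4")]


def ingress_verdict(interface, src_ip):
    """Return 'accept' or a drop reason for a packet arriving on `interface` from `src_ip`."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in BOGON_SOURCES):
        return "drop:bogon-source"
    allowed = INTERFACE_PREFIXES.get(interface)
    if allowed is None:
        return "drop:unknown-interface"
    if not any(src in net for net in allowed):
        return "drop:source-not-behind-interface"   # the spoofed-source case
    return "accept"


def filter_packets(packets):
    """Apply the verdict to (interface, src_ip, dst_ip) records; return accepted and dropped lists."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        verdict = ingress_verdict(iface, src)
        (accepted if verdict == "accept" else dropped).append((iface, src, dst, verdict))
    return accepted, dropped


if __name__ == "__main__":
    # constructed packets: one genuine customer packet, then three spoofed or bogus sources
    sample = [
        ("customer-lan", "198.51.100.10", "203.0.113.1"),
        ("customer-lan", "203.0.113.77", "198.51.100.10"),
        ("branch-wan", "192.0.2.200", "198.51.100.10"),
        ("branch-wan", "10.0.0.5", "198.51.100.10"),
    ]
    ok, bad = filter_packets(sample)
    print("accepted:", ok)
    print("dropped:", bad)
```

The check is per ingress interface on purpose: a spoofed packet carrying a trusted host's address is only recognisable where the topology says that address cannot originate, which is why the filter belongs at the network edge rather than on the end host.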
[Figure: IP Spoofing]
3.1 Types of DoS Attacks
1. Ping of Death
2. LAND Attack
3. Tear Drop Attack
4. SYN Flood Attack
5. ICMP Flood Attack
6. UDP Flood Attack
7. Smurf Attack
DDoS:
DDoS stands for Distributed Denial of Service. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood the targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.
3.2 Types of DDoS Attacks
DDoS attacks can be broadly divided into three types:
1. Volume Based Attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site, and its magnitude is measured in bits per second (bps).
2. Protocol Attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.
3. Application Layer Attacks include Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and their magnitude is measured in requests per second.
This is called the TCP three-way handshake, and it is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, since simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.
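The resource exhaustion described above comes from the server keeping state for every half-open connection. The following added example, which is not code from the report, models a listener with a fixed half-open backlog beside the standard mitigation, SYN cookies (RFC 4987), where the server keeps no state until the client's ACK proves it completed the handshake. The backlog size, timeout, secret, port and addresses are constructed values.

```python
"""
Added example, not code from the report: a toy TCP listener under a SYN flood.
It contrasts the stateful half-open table with a stateless SYN-cookie check.
Backlog size, timeout, secret, ports and addresses are constructed values.
"""
import hashlib
import hmac
from collections import OrderedDict

BACKLOG = 8      # assumed limit on half-open connections for the listener
TIMEOUT = 30     # assumed seconds a half-open entry is retained before being freed
SECRET = b"constructed-demo-secret"   # a real kernel uses a random, rotating secret
DST_PORT = 80


class StatefulListener:
    """Keeps one entry per SYN until the final ACK arrives (the exhaustible model)."""

    def __init__(self):
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN was seen
        self.established = 0
        self.dropped = 0

    def _expire(self, now):
        for key, seen in list(self.half_open.items()):
            if now - seen > TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1            # backlog full: this SYN, legitimate or not, is lost
            return False
        self.half_open[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port, now):
        self._expire(now)
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False                 # ACK for a connection that was never half-opened
        self.established += 1
        return True


def syn_cookie(src_ip, src_port, minute):
    """Server ISN derived from HMAC(secret, 4-tuple, time bucket), truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}:{DST_PORT}:{minute}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


class CookieListener:
    """Stores nothing per SYN; the ACK must echo a valid cookie to be accepted."""

    def __init__(self):
        self.established = 0
        self.rejected = 0

    def on_syn(self, src_ip, src_port, now):
        return syn_cookie(src_ip, src_port, now // 60)   # sent as the ISN in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_seq, now):
        minute = now // 60
        for m in (minute, minute - 1):       # tolerate a bucket boundary during the handshake
            if ack_seq - 1 == syn_cookie(src_ip, src_port, m):
                self.established += 1
                return True
        self.rejected += 1
        return False


def simulate_flood(n_spoofed=50):
    """Flood both listeners with SYNs that never get an ACK, then try one legitimate client."""
    stateful, cookie = StatefulListener(), CookieListener()
    now = 1000
    for i in range(n_spoofed):               # constructed spoofed sources that never answer
        src = f"203.0.113.{i}"
        stateful.on_syn(src, 40000 + i, now)
        cookie.on_syn(src, 40000 + i, now)
    legit = ("198.51.100.7", 51234)
    ok_stateful = stateful.on_syn(*legit, now + 1) and stateful.on_ack(*legit, now + 2)
    isn = cookie.on_syn(*legit, now + 1)
    ok_cookie = cookie.on_ack(*legit, isn + 1, now + 2)
    return {
        "stateful_dropped": stateful.dropped,
        "stateful_legit_ok": ok_stateful,
        "cookie_legit_ok": ok_cookie,
        "cookie_rejected": cookie.rejected,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

With 50 spoofed SYNs against a backlog of 8, the stateful listener drops the legitimate client's SYN along with 42 of the flood, while the cookie listener, holding no state, still completes the genuine handshake. The trade-off real implementations accept is that the cookie has to encode the negotiated options in a few bits of the ISN, which is why kernels only switch to cookies once the backlog is under pressure.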
1. Check for the application listening at that port;
2. See that no application listens at that port;
3. Reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent. The software UDP Unicorn can be used for performing UDP flooding attacks. This attack can be managed by deploying firewalls at key points in a network to filter out unwanted network traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them.
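The per-datagram behaviour listed above, and the rate limiting of ICMP responses that the paragraph names as the usual operating-system mitigation, can be modelled directly. The following is an added example and not code from the report; the listening ports, the token-bucket parameters and the packet stream are constructed values.

```python
"""
Added example, not code from the report: the victim side of a UDP flood.  Each
datagram to a closed port would normally trigger an ICMP Destination Unreachable
reply; `TokenBucket` reproduces the kind of ICMP rate limiting operating systems
apply so the reply stream stays bounded.  Ports, bucket parameters and packets
are constructed values.
"""
from collections import Counter

LISTENING_PORTS = {53, 123}   # assumed: the only UDP services bound on the victim


class TokenBucket:
    """Permit at most `rate` ICMP replies per second, allowing a burst of `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def handle_udp(packets, limiter=None):
    """Process (timestamp, src_ip, dst_port) records and report what the victim would do."""
    delivered = icmp_sent = icmp_suppressed = 0
    closed_port_hits = Counter()      # per source: datagrams that hit ports with no listener
    for ts, src, dport in packets:
        if dport in LISTENING_PORTS:
            delivered += 1            # handed to the application; no ICMP involved
            continue
        closed_port_hits[src] += 1
        if limiter is None or limiter.allow(ts):
            icmp_sent += 1            # ICMP Destination Unreachable goes back to `src`
        else:
            icmp_suppressed += 1      # rate limit hit: the reply is dropped, not queued
    return {
        "delivered": delivered,
        "icmp_sent": icmp_sent,
        "icmp_suppressed": icmp_suppressed,
        "closed_port_hits": dict(closed_port_hits),
    }


def make_flood(n, pps=10000, src="203.0.113.9"):
    """Constructed flood: n datagrams at `pps` per second to varying high ports from one source."""
    return [(i / pps, src, 1024 + (i * 7919) % 60000) for i in range(n)]


def flood_sources(result, threshold=1000):
    """Sources whose closed-port hit count exceeds `threshold`: a simple alert rule."""
    return sorted(s for s, c in result["closed_port_hits"].items() if c > threshold)


if __name__ == "__main__":
    flood = make_flood(5000)                       # half a second of traffic
    print("no limit:", handle_udp(flood))
    print("100/s, burst 50:", handle_udp(flood, TokenBucket(rate=100, burst=50)))
```

Without the limiter every one of the 5,000 datagrams produces an ICMP reply, so the victim's outbound link carries the attacker's traffic back out; with the bucket, replies are capped at roughly a hundred in that half second. Note that the limiter protects the victim's CPU and bandwidth only; the inbound datagrams still arrive, which is why the paragraph's other remedy, filtering at a firewall in front of the host, is the one that removes the load entirely.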
The Smurf attack is an assault on a network that floods it with excessive messages in order to impede normal traffic. It is accomplished by sending ping requests (ICMP echo requests) to a broadcast address on the target network or an intermediate network, with the return address spoofed to the victim's address. Since a broadcast address is picked up by all nodes on the subnet, it functions like an amplifier, generating hundreds of responses from one request and eventually causing a traffic overload.
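Both sides of the amplification described above leave a recognisable trace: the amplifying network sees echo requests addressed to its broadcast address, and the victim sees a burst of echo replies from many hosts of one subnet it never pinged. The following added example, which is not code from the report, runs those two checks and computes the amplification factor over constructed flow-style records; the record format, subnets and addresses are all constructed.

```python
"""
Added example, not code from the report: detection of the Smurf pattern over
constructed flow-style records, from the amplifier's and the victim's viewpoint.
Record format, subnets and addresses are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type values


def directed_broadcast_requests(records, local_networks):
    """Echo requests whose destination is the broadcast address of one of our subnets."""
    bcast = {str(ipaddress.ip_network(n).broadcast_address) for n in local_networks}
    return [r for r in records if r["type"] == ECHO_REQUEST and r["dst"] in bcast]


def unsolicited_reply_bursts(records, victim, window=1.0, min_sources=20):
    """Group echo replies to `victim` by source /24 and time window; keep bursts from at
    least `min_sources` distinct hosts that the victim never sent a request to."""
    requested = {r["dst"] for r in records
                 if r["src"] == victim and r["type"] == ECHO_REQUEST}
    buckets = defaultdict(set)
    for r in records:
        if r["dst"] != victim or r["type"] != ECHO_REPLY or r["src"] in requested:
            continue
        net = ipaddress.ip_network(f'{r["src"]}/24', strict=False)
        buckets[(str(net), int(r["ts"] // window))].add(r["src"])
    return {key: len(hosts) for key, hosts in buckets.items() if len(hosts) >= min_sources}


def amplification_factor(records, victim, amplifier_net):
    """Replies the victim receives from `amplifier_net` per request that hit its broadcast."""
    net = ipaddress.ip_network(amplifier_net)
    requests = sum(1 for r in records
                   if r["type"] == ECHO_REQUEST and r["src"] == victim
                   and r["dst"] == str(net.broadcast_address))
    replies = sum(1 for r in records
                  if r["type"] == ECHO_REPLY and r["dst"] == victim
                  and ipaddress.ip_address(r["src"]) in net)
    return replies / requests if requests else 0.0


def sample_records():
    """Constructed flows: one legitimate ping exchange, then a single broadcast request
    carrying the victim's address as source that 60 amplifier hosts answer."""
    victim, amplifier = "198.51.100.5", "203.0.113.0/24"
    recs = [
        {"ts": 1.0, "src": victim, "dst": "192.0.2.1", "type": ECHO_REQUEST},
        {"ts": 1.1, "src": "192.0.2.1", "dst": victim, "type": ECHO_REPLY},
        # the source here is forged to the victim, the "return address spoofing" above
        {"ts": 10.0, "src": victim, "dst": "203.0.113.255", "type": ECHO_REQUEST},
    ]
    for host in range(1, 61):
        recs.append({"ts": 10.0 + host / 100, "src": f"203.0.113.{host}",
                     "dst": victim, "type": ECHO_REPLY})
    return recs, victim, amplifier


if __name__ == "__main__":
    recs, victim, amplifier = sample_records()
    print("broadcast requests seen:", len(directed_broadcast_requests(recs, [amplifier])))
    print("unsolicited bursts:", unsolicited_reply_bursts(recs, victim))
    print("amplification:", amplification_factor(recs, victim, amplifier))
```

The first check is the one that matters for prevention: a network that does not forward directed broadcasts (the common router default today) cannot be used as an amplifier, and any such request reaching it is worth logging. The second check is what the victim's own monitoring can see; the legitimate ping exchange in the sample is excluded because the victim's own request to that host is on record.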
What is a distributed attack?
One DDoSer can do a lot of damage. These denial of service attacks are called distributed because they come from many computers at once. A DDoSer controls a large number of computers that have been infected by a Trojan virus. The virus is a small application that allows remote command-and-control of the computer without the user's knowledge.
What is a zombie and a botnet?
The virus-infected computers are called zombies because they do whatever the DDoSer commands them to do. A large group of zombie computers is called a robot network, or botnet. Your computer could be part of a botnet without your knowledge. You might not notice any difference, or you might notice your computer is not as fast as it used to be. That's because it may be busy participating in a DDoS attack at the same time you are using it. Or, you might find out that your computer is infected when your Internet service provider (ISP) drops your service because your computer is sending an unusually high number of network requests.
What is a DDoS command-and-control server?
Zombie computers in a botnet receive instructions from a command-and-control server, which is an infected web server. DDoSers who have access to a command-and-control (C&C or CC) server can recruit the botnet to launch DDoS attacks. Prolexic has identified more than 4,000 command-and-control servers and more than 10 million zombies worldwide. We track them and notify law enforcement to disable them when possible.
Many types of DDoS attacks
There are many types of DDoS attacks. They target different network components (routers, appliances, firewalls, applications, ISPs, even data centers) in different ways. There is no easy way to prevent DDoS attacks, but Prolexic has a proven DDoS protection approach that works to minimize the damage and let your system keep working during an attack. DDoS attackers use a variety of DDoS attack methods. The malicious hacker group Anonymous, for example, started with a tool that could launch Layer 7 DDoS attacks and Layer 3 DDoS attacks from any computer. These attacks had a common attack signature, that is, common code. As a result, the attacks could be detected and mitigated (stopped) fairly easily. It's a game of cat and mouse. The cat learns about what the mouse is doing, so the mouse changes tactics to avoid getting caught. DDoSers got smarter and started randomizing their attack signatures and encrypting their code. Some even started using browsers to visit a web page and feed harmful code to a web application on the site. Although application-layer DDoS attacks are more difficult to recognize, DDoS mitigation experts in our Security Operations Center (SOC) know what to look for, and we are always looking. Our anti-DDoS experts monitor and analyze these attacks all the time, day and night, and block the DDoS attacks that target our clients.
What are application layer 7 DDoS attacks?
Application layer 7 (L7) attacks may not create such high volumes of network traffic, but they can harm your website in a more devastating way. They might activate some aspect of a web application, such as posting different user names and passwords, or targeting a shopping cart or search engine. Many of the high-profile e-Commerce outages are the result of Layer 7 application attacks. The biggest issue is that Layer 7 attacks change and randomize very fast. Anything a visitor can access, an attacker can access too, and it looks the same to an IT administrator.