forensics book 4: investigating network intrusions and cybercrime chapter 5: investigating dos...

Forensics Book 4: Investigating Network Intrusions and Cybercrime

Chapter 5: Investigating DoS Attacks

Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited

Objectives

Understand DoS attacks Recognize the indications of a DoS/DDoS

attack Understand the different types of DoS

attacks Understand DDoS attacks Understand the working of a DDoS attack


Objectives (continued)

Understand the classification of a DDoS attack

Detect DoS attacks using Cisco NetFlow Investigate DoS attacks Understand the challenges in investigating

DoS attacks


Introduction to Investigating DoS Attacks

Denial-of-service (DoS) attacks Attackers attempt to prevent legitimate users

of a service from using it by flooding the network with traffic or disrupting connections

Attacker may target a particular server application or the network as a whole May also be an effort to interrupt the

connection between two machines Improper use of resources may also create a

DoS DoS attacks can harm the target in terms of

time and resources


Indications of a DoS/DDoS Attack

Indications of a DoS/DDoS attack are as follows: Unusual slowdown of network services Unavailability of a particular Web site Dramatic increase in the volume of spam


Types of DoS Attacks Main types of DoS attacks:

Ping of death Teardrop SYN flooding LAND Smurf Fraggle Snork OOB attack Buffer overflow attack Nuke attack Reflected attack


Ping of Death Attack

Attacker deliberately sends an ICMP echo packet of more than 65,536 bytes

Attacks are dangerous since the identity of the attacker sending the huge packet could simply be spoofed Attacker does not have to know anything

about the target except its IP address Several Web sites block ICMP ping messages

at their firewalls to avoid this type of DoS attack


Teardrop Attack

Occurs when an attacker sends fragments with overlapping values in their offset fields Causes the target system to crash when it

attempts to reassemble the data Affects systems that run Windows NT 4.0,

Windows 95, and Linux up to 2.0.32, causing them to hang, crash, or reboot


SYN Flooding Attack

Occurs when the intruder sends SYN packets (requests) to the host system faster than the system can handle them

A connection is established through a TCP three-way handshake Intruder transmits large numbers of such SYN

requests, producing a TCP SYN flooding attack

Attack works by filling the table reserved for half-open TCP connections in the operating system’s TCP/IP stack


LAND Attack

Attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports to a host computer IP address used is the host’s IP address

For this to work, the victim’s network must be unprotected against packets coming from outside with their own IP addresses

Symptoms of a LAND attack depend upon the operating system running on the targeted machine

Because LAND uses spoofed packets to attack, only blocking spoofed packets can prevent it


Smurf Attack

Network-level attack against hosts Named after the program used to carry it out

Attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses using a spoofed source address matching that of the victim

Generates a large number of echo responses from a single request Results in a huge network traffic jam, causing

the network to crash


Fraggle Attack

UDP variant of the Smurf attack Attacker sends a large number of UDP ping

packets to a list of IP addresses using a spoofed IP address All of the addressed hosts then send an ICMP

echo reply, which may crash the targeted system

Target networks where UDP ports are open and allow unrestricted UDP traffic to bypass firewalls


Snork Attack

UDP packet sent by an attacker consumes 100% of CPU usage on a remote Windows NT machine

If there are several Snork-infected NT systems in a network, they can send echoes to each other Generating enough network traffic to consume

all available bandwidth


OOB Attack

Exploits a bug in Microsoft’s implementation of its IP stack, causing a Windows system to crash

RPC port 135, also known as the NetBIOS Session Service port, is the most susceptible port for these kinds of attacks

When a Windows system receives a data packet with an URGENT flag on, it assumes that the packet will have data with it

In OOB attacks, a virus file has an URGENT flag with no data


Buffer Overflow Attack

Type of attack that sends excessive data to an application Either brings down the application or forces

the data being sent to the application to be run on the host system

Two types of buffer overflow attacks: heap based and stack based


Nuke Attack

Attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility

This significantly slows the target computer


Reflected Attack

Involves sending huge amounts of SYN packets, spoofed with the victim’s IP address, to a large number of computers that then respond to those requests

Requested computers reply to the IP address of the target’s system, which results in flooding


DDoS Attack

Distributed denial-of-service (DDoS) attack DoS attack where a large number of

compromised systems attack a single target Attackers first infect multiple systems, called

zombies, which are then used to attack a particular target

Use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack


Working of a DDoS Attack

Figure 5-1 In a DDoS attack, the attacker first corrupts handlers, which then corrupt zombies, which then attack the victim.


Classification of a DDoS Attack

DDoS attacks can be classified according to: Degree of automation Propagation mechanism Vulnerability being exploited Rate of attack Final impact


Classification of a DDoS Attack (continued)

Figure 5-2 DDoS attacks are classified based on various criteria.


Classification of a DDoS Attack (continued) Degree of Automation

Manual attacks Semiautomatic attacks Automatic attacks

Propagation Mechanism Attacks using central source propagation Attacks using back-chaining propagation Attacks using autonomous propagation

Exploited Vulnerability Protocol attacks Brute-force attacks


Classification of a DDoS Attack (continued) Attack-Rate Dynamics

Continuous-rate attacks Variable-rate attacks

Impact Disruptive attacks completely prevent

legitimate users from using network services Degrading attacks degrade the quality of

services available to legitimate network users


DoS Attack Modes

DoS attack is known as an asymmetric attack When an attacker with limited resources

attacks a large and advanced site Denial-of-service attacks come in a variety of

forms and target a variety of services The attacks may cause the following:

Consumption of resources Destruction or alteration of information

regarding the configuration of the network Destruction of programming and files in a

computer system


Network Connectivity

Denial-of-service attacks are most commonly executed against network connectivity Goal is to stop hosts or networks from

communicating on the network or to disrupt network traffic


Misuse of Internal Resources

Fraggle attack, or UDP flood attack Forged UDP packets are used to connect the

echo service on one machine to the character generator on another machine

Results in the consumption of the available network bandwidth between them

Possibly affecting network connectivity for all machines


Bandwidth Consumption

Generation of a large number of packets can cause the consumption of all the bandwidth on the network

Typically, these packets are ICMP echo packets


Consumption of Other Resources

Attackers may be able to consume other resources that systems need to operate Intruder may attempt to consume disk space Many sites will lock an account after a certain

number of failed login attempts


Destruction or Alteration of Configuration Information

Alteration of the configuration of a computer or the components in a network may disrupt the normal functioning of a system Examples:

Changing information stored in a router can disable a network

Making modifications to the registry of a Windows machine can disable certain services


Techniques to Detect DoS Attacks

Detecting a DoS attack is a tricky job Detector needs to distinguish between a

genuine and a bogus data packet One problem in filtering bogus traffic from

legitimate traffic is the volume of traffic All the detection techniques used today

define an attack as an abnormal and noticeable deviation in network traffic characteristics


Activity Profiling

Defined as the average packet rate of data packets with similar packet header information

Flow’s average packet rate or activity level is higher the less time there is between consecutive matching packets

Randomness in average packet rate or activity level can indicate suspicious activity Entropy calculation method is used to measure

randomness in activity levels Entropy of network activity levels will increase

if the network is attacked


Sequential Change-Point Detection Filters network traffic by IP addresses,

targeted port numbers, and communication protocols used Stores the traffic flow data in a graph that

shows traffic flow rate versus time Detection algorithms highlight any change in

traffic flow rate If there is a drastic change in traffic flow rate,

a DoS attack may be occurring


Wavelet-Based Signal Analysis

Analyzes network traffic in terms of spectral components

Divides incoming signals into various frequencies and analyzes different frequency components separately Presence of an unfamiliar frequency indicates

suspicious network activity


Monitoring CPU Utilization to Detect DoS Attacks High CPU utilization and a high number of

packets Common symptoms that can be seen during a

DoS attack Monitoring CPU utilization at the time of a

DoS attack and comparing it to the CPU utilization baselines captured at normal traffic conditions can show the severity of an attack


Detecting DoS Attacks Using Cisco NetFlow NetFlow

Major service in Cisco routers that monitors and exports IP traffic-flow data

Checks the flow with a target IP destination and rings an alarm when the destination is reached

NetFlow sampling includes the following: Source and destination IP address Source and destination TCP/UDP ports Port utilization numbers Packet counts and bytes per packet Start time and stop time of data-gathering

events and sampling windows


Detecting DoS Attacks Using a Network Intrusion Detection System (NIDS) NIDS monitors network traffic for suspicious

activity NIDS server

Can be placed on a network to monitor traffic for a particular server, switch, gateway, or router

Scans system files to identify unauthorized activity and monitor data and file integrity

Can identify changes in the server backbone components and scan log files to identify suspicious network activity, usage patterns, or remote hacking attempts

Scans local firewalls or network servers and monitors live traffic


Investigating DoS Attacks

First step in investigating a DoS attack Identify the DNS logs that are used by an

attacker to trace the IP address of the target system before launching an attack

If this is performed automatically by using an attack tool, the time of the DNS query, and the time of the attack might be close to each other

Attacker’s DNS resolver could be determined by looking at the DNS queries during the start of the attack


ICMP Traceback

ICMP traceback messages are used to find the source of an attack

Messages contain the following: Router’s next and earlier hops addresses Time stamp Role of the traced packet Authentication information


ICMP Traceback (continued)

Figure 5-3 This reverse trace can identify an attacker, even when using reflectors.


Hop-by-Hop IP Traceback

Basic method for tracking and tracing attacks Administrator can characterize the nature of

the traffic and determine the input link on which the attack is arriving Administrator then moves on to the upstream

router Administrator repeats the diagnostic procedure

on this upstream router, and continues to trace backward, hop-by-hop

Until the source of the attack is found inside the ISP’s administrative domain of control

More likely, until the entry point of the attack into the ISP’s network is identified


Hop-by-Hop IP Traceback (continued) Hop-by-hop IP traceback limitations:

Traceback to the origin of an attack fails if cooperation is not provided at every hop or if a router along the way lacks sufficient diagnostic capabilities or resources

If the attack stops before the trace is completed, the trace fails

Hop-by-hop traceback is a labor-intensive, technical process, and since attack packets often cross administrative, jurisdictional, and national boundaries, cooperation can be difficult to obtain

Partial traceback can be useful, since packet filters can be put in place to limit the DoS flood


Backscatter Traceback

Technique for tracing a flood of packets that are targeting the victim of a DDoS attack

Relies entirely on the standard characteristics of existing Internet routing protocols


Backscatter Traceback (continued)

Figure 5-4 After applying the correct filters, only a fraction of packets will be caught by the blackhole system.


Hash-Based (Single-Packet) IP Traceback

Also known as single-packet IP traceback Offers the possibility of making the traceback

of single IP packets feasible Fundamental idea

Store highly compact representations of each packet rather than the full packets themselves

Compact representations are called packet digests Created using mathematical functions called

hash functions


IP Traceback with IPSec

IPSec uses cryptographic security services for securing communications over IP networks

IPSec tunnels are used by IP traceback systems such as DECIDUOUS (Decentralized Source Identification for Network-Based Intrusion) Analysis is processed by introducing IPSec

tunnels between an arbitrary router and the victim


CenterTrack Method Overlay network

Supplemental or auxiliary network that is created when a collection of nodes from an existing network are joined together using new physical or logical connections to form a network on top of the existing one

First step in the CenterTrack approach Create an overlay network, using IP tunnels to

connect the edge routers in an ISP’s network to special-purpose tracking routers that are optimized for analysis and tracking

Overlay network is also designed to further simplify hop-by-hop tracing


Packet Marking Packets are marked to identify their traffic

class Once the type of traffic is identified, it can be

marked, or “colored,” within the packet’s IP header

Probabilistic Packet Marking (PPM) Tracking information is placed into rarely used

header fields inside the IP packets themselves Tracking information is collected and correlated

at the destination of the packets If there is a sufficiently large packet flow, there

will be enough tracking information embedded in the packets to successfully complete the trace


Check Domain Name System (DNS) Logs Attacker uses DNS to find the actual IP

address of the target computer before the attack is introduced DNS query closest to the attack could help to

identify the attacker’s DNS resolver Can be useful to compare DNS logs of

different systems that are under attack An investigator can identify the different

attacks carried out within the same individual or group

Sawmill DNS log analyzer can help view and analyze DNS log files


Tracing with “log-input” Steps an investigator should take to trace an

attack passing through a router using “log-input”: Make an access list entry that goes with the

attack traffic Attach the log-input keyword to it Use the access list outbound on the interface

through which the attack stream is sent toward the destination


Control Channel Detection Large volume of control channel traffic

indicates that the actual attacker or coordinator of the attack is close to the detector

Control channel function provides facilities to define, monitor, and control channels

Investigator can use a threshold-based detector Determines the particular number of control

channel detectors within a specific time period Provides a clear way into the network and

geographical location of the attacker


Correlation and Integration Attack detector tool can find the location of

the attacker By integrating its results with other packet

spoofing tools Investigator can integrate with other tools in

order to identify spoofed packets and to find out the location of an attacker

Investigator can correlate data from control channel detectors and flood detectors To identify which control channel established

which flood To observe spoofed signals from hop to hop or

from the attacker to the server


Path Identification (Pi) Method Determines the path of each packet and filter

out the packets that have the attack path Can be used to identify the attack packets

with filtering techniques and to analyze their path

Pi is better than traceback mechanisms if the following are true: The victim can filter the packet independently

from other upstream routers The victim decides whether to drop or receive

each packet It is easier to determine the packet’s source


Packet Traffic Monitoring Tools Some useful traffic monitoring tools:

Ethereal Dude Sniffer Tcpdump EffeTech SmartSniff EtherApe MaaTec Network Analyzer


Tools for Locating IP Addresses IP address-locating tools:

Traceroute NeoTrace Whois Whois Lookup SmartWhois CountryWhois WhereIsIp


Challenges in Investigating DoS Attacks Challenges include:

Attacker will only attack for a limited time An attack may come from multiple sources Anonymizers protect privacy and impede tracing Attackers may destroy logs and other audit data Attacker may compromise the victim’s computer Communication problems slow the tracing

process Difficult to detect and distinguish malicious

packet traffic from legitimate packet traffic False positives, missed detections, and delayed

detections Legal issues can impede investigations


Tool: Nmap

Figure 5-5 Nmap runs from the command line.


Tool: Friendly Pinger

Figure 5-6 Friendly Pinger will show a visual map of the network.


Tool: IPHost Network Monitor

Figure 5-7 IPHost Network Monitor creates Web-based output reports.


Tool: Admin’s Server Monitor

Figure 5-8 Admin’s Server Monitor gives real-time reports on disk usage.


Tool: Tail4Win

Figure 5-9 Tail4Win can view multiple log files in real time.


Tool: Status2k

Figure 5-10 Status2k shows real-time server information.


Tool: DoSHTTP

Figure 5-11 This is a screenshot of DoSHTTP.


Summary

A DoS attack is type of network attack intended to make a computer resource inaccessible to its legitimate and authorized users by flooding the network with bogus traffic or disrupting connections

The attacker may target a particular server application (HTTP, FTP, ICMP, TCP, etc.) or the network as a whole

The ping of death attack uses an abnormal ICMP (Internet Control Message Protocol) data packet that contains large amounts of data that causes TCP/IP to crash or behave irregularly


Summary (continued)

A distributed denial-of-service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system

An activity profile is defined as the average packet rate for a network flow for the traffic that consists of data packets with similar packet header information

The sequential change-point detection technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used

The wavelet analysis technique analyzes network traffic in terms of spectral components

forensics book 4: investigating network intrusions and cybercrime chapter 5: investigating dos...

Documents

dos attackscopyright

dos attacksdenial

type of dos attackcopyright

ddos attackdetect dos

syn requests

target system

syn flooding attackoccurs

fake tcp syn packet