Denial of Service Attacks

From Embedded Lab Vienna for IoT & Security

Disclaimer

!!! This Entry is still work in Progress !!!

The up-to-date Entry and Drafts can be found here: [[1]]

Summary

This documentation covers the basics of Denial of Service and Distributed Denial of Service attacks.

Introduction

Denial of Service (DoS) attacks aim to prevent legitimate users from accessing the compromised component. According to Cisco, the DoS attack is one of the seven most common types of cyber-attacks [1]. The attacker's motives can have many backgrounds. The attack can aim to cause financial loss to the attacked company by bringing its website down. For example, in 2015 the biggest DDoS attack at the time, with 1.35 Tbps, rained down on GitHub and took it offline for 15 minutes [2]. There can also be a political motive, as in July 2008 when Georgian President Mikheil Saakashvili's web page was targeted by a DDoS attack. The web page was inaccessible for two days. Trace-back attempts showed that the command server was located in Russia [3]. Since Internet of Things (IoT) and smart home devices are becoming more popular, the number of IoT bots used for DDoS attacks rises day by day. This is caused by the poor security of IoT devices and the lack of security firmware updates.

Difference Between Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

The typical DoS attack is performed by a single attacker flooding the victim server with data. Back then it was possible to take down a small web page with only one state-of-the-art personal computer. Nowadays this is almost impossible, because the internet is dominated by big domains like Google or Amazon. Small websites can host their web page on a server of such a big domain, which makes a typical DoS attack almost impossible. Distributed DoS attacks, however, are still able to make a huge impact because the attack is performed by multiple devices at the same time. This network of attacking devices is called a botnet. Botnets are built by infecting ordinary devices through malware. These botnet devices are also used to flood the internet with spam mails [4].


Target points of Denial of Service Attacks

Resource Depletion

This type of attack aims to exhaust resources like power, sockets, memory and computing power to deny any legitimate resource usage. A well-known example of a memory depletion DoS attack is the fork bomb. This program replicates itself until all memory is used up and the system does not allow any new memory allocation. In IoT networks, battery exhaustion attacks are quite common as an entry point to take down sensor nodes and make them inaccessible.

Bandwidth Depletion

Bandwidth depletion is the most common DoS type for attacking web servers and services. The attack can either target a whole network or a single web server. Bandwidth depletion attacks are divided into standard distributed denial of service attacks, amplified DoS attacks and protocol attacks.

Zero Day Attack

Zero-day attacks use vulnerabilities that are still unknown to the manufacturer as the main entry point of the attack. The manufacturer is often powerless against a zero-day attack, because the vulnerability must first be researched before efficient countermeasures can be taken.

Types of DoS / DDoS Attacks

Volumetric Attacks

Volumetric DoS Attack

A volumetric attack is performed by a malicious user and his powerful rig. The malicious user sends a flood of ICMP or TCP packets to the victim to deplete its bandwidth or processing power. The basic form of volumetric attacks against websites is no longer effective, due to the growth of the internet and web services. Nowadays volumetric attacks are carried out with botnets to be much more effective, and many other advanced DoS attacks use this principle as their basis.

Reflection Attack

Reflection DoS Attack

This type of attack uses a range of innocent proxies to flood the victim's network or device with packets. The malicious user simply sends ICMP requests to his proxies, with the source IP address header field spoofed to the victim's address. The innocent proxies reply to the victim in a legitimate way and deplete the victim's network. The proxies unknowingly perform a DoS attack, and the malicious user can cover his tracks.

Amplification Attacks

Amplification DoS Attack

Amplification attacks exploit the connection-less design of UDP, which does not validate source IP addresses, together with internet services that send large response messages in reply to small requests. One well-known example is the DNS amplification attack. This attack uses open DNS resolvers that are accessible to everyone. To trigger an amplified response, the attacker sends a request for all DNS records of a zone with a spoofed source IP address. This results in an extremely large stream of response messages to the victim. NTP servers can be used quite similarly via the monlist command with a spoofed source IP address. This command triggers a response containing the last 600 source IP addresses that used the NTP service before. This attack has an amplification factor of 556. Another protocol well known for its use in amplification is the Memcached protocol, which enabled the biggest DDoS attack up to that point, the 2018 attack on GitHub. The following table shows the amplification factors of amplification attacks [10]:

Protocol                 Amplification Factor
Memcached                10000 to 50000
NTP                      556.9
QOTD                     140.3
WS-Discovery             10 to 500
CLDAP                    56 to 70
Quake Network Protocol   63.9
TFTP                     60
LDAP                     46 to 55
DNS                      28 to 54
SSDP                     30.8
Portmap (RPCbind)        7 to 28
Kad                      16.3
Multicast DNS            2 to 10
SNMPv2                   6.3
Steam Protocol           5.5
BitTorrent               3.8
NetBIOS                  3.8
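As an added example that is not part of this entry, the reflection and amplification patterns described in the two sections above show up from the defender's side in flow records: the victim receives large UDP responses from many reflector source ports (DNS 53, NTP 123, Memcached 11211, ...) while having sent almost nothing to those reflectors, because the requests carried a spoofed source address. The flow record layout, the sample records and the thresholds below are assumptions constructed for this example.

```python
# Added example (not from the original wiki entry): flag hosts that look like the
# victim of a reflection/amplification flood, using constructed flow records.
# Record layout and thresholds are assumptions made for this example.
from collections import defaultdict

# UDP services from the amplification table above; responses come FROM these ports.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 389: "LDAP"}

# Constructed NetFlow-style records: src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
198.51.100.10 53 203.0.113.5 40000 udp 4200 3
198.51.100.11 53 203.0.113.5 40000 udp 4100 3
198.51.100.12 123 203.0.113.5 40000 udp 48800 100
198.51.100.13 11211 203.0.113.5 40000 udp 512000 350
203.0.113.5 40000 198.51.100.10 53 udp 60 1
192.0.2.7 443 203.0.113.9 51000 tcp 9000 12
198.51.100.10 53 203.0.113.9 52000 udp 120 1
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        s, sp, d, dp, proto, nbytes, pkts = line.split()
        flows.append({"src": s, "sport": int(sp), "dst": d, "dport": int(dp),
                      "proto": proto, "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: report} for destinations that receive UDP traffic from
    several distinct amplifier source ports, where inbound bytes dwarf the bytes
    the destination itself sent to reflectors (it never asked; the source was spoofed)."""
    inbound = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    outbound = defaultdict(int)  # bytes the host sent towards amplifier ports
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in AMPLIFIER_PORTS:
            rec = inbound[f["dst"]]
            rec["bytes"] += f["bytes"]
            rec["reflectors"].add(f["src"])
            rec["services"].add(AMPLIFIER_PORTS[f["sport"]])
        elif f["dport"] in AMPLIFIER_PORTS:
            outbound[f["src"]] += f["bytes"]
    victims = {}
    for ip, rec in inbound.items():
        ratio = rec["bytes"] / max(outbound[ip], 1)  # observed amplification ratio
        if len(rec["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            victims[ip] = {"inbound_bytes": rec["bytes"], "reflectors": len(rec["reflectors"]),
                           "services": sorted(rec["services"]), "ratio": round(ratio, 1)}
    return victims
```

The same rule applied on the reflector's own network, with the roles swapped, shows which internal servers are being abused as amplifiers; the lasting fix there is to close open resolvers, disable monlist and keep Memcached off public UDP.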

Transport Layer attacks

Transport layer attacks like the blackhole attack try to become the main route between two networks and then filter the victim's data traffic.


Application Layer attacks

This type of DoS attack uses system weaknesses and protocol vulnerabilities to take down servers. Protocol attacks use vulnerabilities in the specification, like the ping of death, which produces a buffer overflow by sending malformed ICMP packets. Low and slow attacks are a subgroup of application layer attacks that take down services using low bandwidth and proceeding slowly. The Slowloris DoS attack exhausts Apache2 servers by opening many HTTP connections and keeping them alive as long as possible.
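As an added example that is not part of this entry, the connection hoarding described above can be spotted in the server's socket table: Slowloris connections never complete a request, so they never reach the access log, but they sit as ESTAB entries in the output of ss -tan. The sample ss output and the thresholds below are assumptions constructed for this example.

```python
# Added example (not from the original wiki entry): detect Slowloris-style
# connection hoarding from `ss -tan` output. The sample output is constructed
# and the thresholds are assumptions chosen for this example.
from collections import Counter

HTTP_PORTS = {80, 443}

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
ESTAB  0      0      10.0.0.5:80         203.0.113.7:51234
ESTAB  0      0      10.0.0.5:80         203.0.113.7:51235
ESTAB  0      0      10.0.0.5:80         203.0.113.7:51236
ESTAB  0      0      10.0.0.5:80         203.0.113.7:51237
ESTAB  0      0      10.0.0.5:80         198.51.100.2:40001
ESTAB  0      0      10.0.0.5:22         198.51.100.9:40002
TIME-WAIT 0   0      10.0.0.5:80         198.51.100.3:40003
"""

def split_addr(addr):
    """Split 'host:port' into (host, port); port '*' becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))

def http_connections_per_peer(ss_text):
    """Count ESTAB connections to the web ports, keyed by peer IP."""
    counts = Counter()
    for line in ss_text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        _, local_port = split_addr(parts[3])
        peer_ip, _ = split_addr(parts[4])
        if local_port in HTTP_PORTS:
            counts[peer_ip] += 1
    return counts

def connection_hoarders(ss_text, max_per_peer=3, max_share=0.5):
    """Report peers holding more than max_per_peer web connections, or more than
    max_share of all established web connections. A browser opens a handful of
    connections; many idle ones from a single address is the Slowloris signature."""
    counts = http_connections_per_peer(ss_text)
    total = sum(counts.values())
    return {ip: n for ip, n in counts.items()
            if n > max_per_peer or (total and n / total > max_share)}
```

On Apache the standard mitigation is mod_reqtimeout's RequestReadTimeout directive, which bounds how long a client may take to deliver the request headers and body, so hoarded connections are closed before the worker pool is exhausted.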

References

Introduction:

[1] https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html

[2] https://www.wired.com/story/github-ddos-memcached/

[3] https://ccdcoe.org/uploads/2018/10/12_NAZARIO-Politically-Motivated-DDoS.pdf

Target points of Denial of Service Attacks:

[4] IEEE 2015: Botnet in DDoS Attacks: Trends and Challenge

Types of DoS / DDoS Attacks:

[5] https://en.wikipedia.org/wiki/Denial-of-service_attack

[6] IEEE: DDoS Attacks at the Application Layer: Challenges and Research Perspectives for Safeguarding Web Applications

[7] https://blog.cloudflare.com/65gbps-ddos-no-problem/

[8] https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/

[9] https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/

[10] https://www.us-cert.gov/ncas/alerts/TA14-017A

[11] https://web.archive.org/web/20150426090206/http://ha.ckers.org/slowloris

[12] IEEE 2012: DoS Attacks in Mobile Ad Hoc Networks: A Survey