
DoS/DDoS Attacks

Denial of Service (DoS) is an attempt to make a resource such as a web site, service, application or network unavailable to its legitimate users by exhausting the capacity the resource needs to provide service, typically with an excessive number of requests (or related manipulations).
DoS is performed by a single user or from a single device, which makes it increasingly difficult for the attacker as server capacity grows.

DDoS (Distributed Denial of Service) works on the same principle as DoS but combines the strength of multiple compromised machines against a single victim, either crashing the system outright or gaining control of it, so that the hosted services become unavailable to legitimate users.
This is usually done using botnets. A botnet is a collection of compromised computers, often referred to as "zombies", infected with malware that allows an attacker to control them. The botnets can be located anywhere on the Internet.
As a result, the attacked server, starved of resources, may stop responding, shut down for a long duration or even crash under the overload.

Different Forms of DDoS:

UDP flood:
Accomplished by spoofing the attacker's source IP address. It causes system resource starvation by sending a large number of UDP packets to random ports on the victim's machine.
Setting a UDP flood threshold can help reduce the impact of this attack.

ICMP Flood:
Accomplished by sending an excessive number of ICMP echo requests, flooding the network and making it unavailable for legitimate requests.
Set a packet-per-second threshold for protection.

SYN Flood:
The target receives so many SYN (session-initiating) packets for connections that are never completed that it can no longer serve legitimate connection requests; the TCP handshake is left incomplete.
Most devices have a SYN flood protection feature that lets you set threshold values. Check the vendor's security guide.
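The three threshold defences above (a UDP flood threshold, an ICMP packet-per-second threshold and a SYN flood threshold) all come down to the same logic: count packets of one class per destination per second and alert when a limit is exceeded. The Python below is an added example written for this page, not code from the original article or from any vendor; the packet records and the threshold values are constructed for illustration and are not vendor defaults.

```python
"""Per-destination packet-rate thresholds for UDP, ICMP and TCP SYN floods.

Added example, not from the original page. The packet records are
constructed and the thresholds are illustrative values, not vendor defaults.
"""
from collections import defaultdict

# Illustrative thresholds in packets per second toward one destination host.
# Real devices expose tunable values; consult the vendor's security guide.
THRESHOLDS = {"udp": 1000, "icmp": 500, "syn": 200}


def classify(pkt):
    """Map a packet record to the flood class it counts toward, or None."""
    if pkt["proto"] == "udp":
        return "udp"
    if pkt["proto"] == "icmp" and pkt.get("type") == "echo-request":
        return "icmp"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":  # bare SYN, no ACK
        return "syn"
    return None


def detect_floods(packets, thresholds=THRESHOLDS):
    """Return (second, class, dst, count) tuples whose count exceeds the
    threshold for that class. packets: dicts with ts (float seconds), proto,
    src, dst and optionally flags (TCP) or type (ICMP)."""
    counts = defaultdict(int)  # (second, class, dst) -> packets seen
    for pkt in packets:
        cls = classify(pkt)
        if cls is None:
            continue
        counts[(int(pkt["ts"]), cls, pkt["dst"])] += 1
    return [
        (sec, cls, dst, n)
        for (sec, cls, dst), n in sorted(counts.items())
        if n > thresholds[cls]
    ]


def synthetic_capture():
    """Constructed records: a burst of 300 bare SYNs toward 10.0.0.5 inside
    one second, plus normal DNS and ping background traffic."""
    pkts = []
    for i in range(300):  # 300 SYNs, many distinct sources, all within t=100
        pkts.append({"ts": 100.0 + i / 300, "proto": "tcp", "flags": "S",
                     "src": f"198.51.100.{i % 250}", "dst": "10.0.0.5"})
    for i in range(50):   # 50 UDP DNS queries to the internal resolver
        pkts.append({"ts": 100.0 + i / 50, "proto": "udp",
                     "src": "10.0.1.20", "dst": "10.0.0.53"})
    for i in range(20):   # 20 echo requests in the next second
        pkts.append({"ts": 101.0 + i / 20, "proto": "icmp",
                     "type": "echo-request", "src": "10.0.1.21",
                     "dst": "10.0.0.5"})
    return pkts


if __name__ == "__main__":
    for sec, cls, dst, n in detect_floods(synthetic_capture()):
        print(f"t={sec}s {cls.upper()} flood toward {dst}: {n} pkt/s")
```

Only the SYN burst trips the default thresholds; lowering the UDP and ICMP limits in the `thresholds` argument shows how an overly tight setting starts flagging ordinary traffic, which is why the page tells you to take the values from the vendor's guide rather than guessing.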

Smurf DDoS:
An ICMP echo request packet is sent to the broadcast IP address of a subnet in a forged IP packet whose source address is that of the attacker's intended victim. When every host in the subnet replies to the echo request, a huge volume of traffic is generated, causing network congestion.
Networks with routers that do not filter broadcast traffic, and with multiple hosts responding, can be victimized.
Disable ip-directed-broadcast on subnets (in all routers) that have a direct connection to the Internet, to deny IP broadcast requests from the external network into the internal network.
Most operating systems can be configured not to respond to ICMP packets sent to the broadcast IP. This protects you when an attacker has gained control of a machine inside your internal network and the router-side fix above does not apply, because the traffic never reaches the router.
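The two Smurf defences above can both be checked from the defender's side: at the router, echo requests addressed to a subnet's directed-broadcast address are exactly what the filter should drop; on the host, the Linux knob net.ipv4.icmp_echo_ignore_broadcasts controls whether the machine answers broadcast pings. The Python below is an added example for this page (not the original article's code); the subnet, packet records and sysctl output are constructed.

```python
"""Defender-side checks for Smurf-style directed-broadcast abuse.

Added example, not from the original page. The subnet, the packet records
and the sysctl output are constructed.
"""
import ipaddress


def broadcast_echo_requests(packets, local_subnets):
    """Return ICMP echo-request records addressed to the directed-broadcast
    address of any listed subnet. These are the packets a router with
    directed broadcasts disabled would refuse to forward."""
    bcasts = {str(ipaddress.ip_network(s, strict=False).broadcast_address)
              for s in local_subnets}
    return [p for p in packets
            if p["proto"] == "icmp" and p.get("type") == "echo-request"
            and p["dst"] in bcasts]


def host_ignores_broadcast_ping(sysctl_text):
    """Parse 'sysctl -a' style output (key = value per line) and report
    whether net.ipv4.icmp_echo_ignore_broadcasts is 1. An absent knob is
    reported as not protected so that it gets checked by hand."""
    for line in sysctl_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "net.ipv4.icmp_echo_ignore_broadcasts":
            return val.strip() == "1"
    return False


# Constructed sample: one echo request to the /24's broadcast address (the
# pattern a directed-broadcast filter drops), one ordinary host-to-host
# ping and its reply, and a UDP datagram to the broadcast address, which
# is not an ICMP echo and is left alone by this check.
SAMPLE_PACKETS = [
    {"proto": "icmp", "type": "echo-request", "src": "203.0.113.9", "dst": "192.0.2.255"},
    {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "192.0.2.20"},
    {"proto": "icmp", "type": "echo-reply", "src": "192.0.2.20", "dst": "192.0.2.10"},
    {"proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.255"},
]
SAMPLE_SYSCTL = "net.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.ip_forward = 0\n"

if __name__ == "__main__":
    for p in broadcast_echo_requests(SAMPLE_PACKETS, ["192.0.2.0/24"]):
        print("directed-broadcast echo request:", p["src"], "->", p["dst"])
    print("host ignores broadcast ping:", host_ignores_broadcast_ping(SAMPLE_SYSCTL))
```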

Ping of Death:
Though the TCP/IP specification allows a packet length of at most 65536 bytes, packet fragmentation lets an attacker create a packet whose reassembled size exceeds that limit. When the receiving end reassembles the packet, the allocated buffer cannot accommodate it, resulting in a system restart, crash, freeze or other unpredictable behaviour.
Refer to the vendor's manual on how to configure the firewall, router or other device to stop malicious ICMP requests from entering your network. Many vendors have released security patches for this vulnerability; install them.
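The defect described above is a missing bounds check: the receiver allocates a buffer for the reassembled datagram without first confirming that the furthest fragment's end (offset times 8, plus its length, as encoded in the IP header) fits in the 16-bit total length. The Python below is an added example for this page, not code from the original article or any vendor's stack; it shows the check a hardened reassembler performs before allocating, with constructed fragment sets.

```python
"""Bounds check on IP fragment reassembly, the defect behind Ping of Death.

Added example, not from the original page. Fragment records are constructed.
Each record carries the fragment offset in 8-byte units (as in the IP
header), its payload length in bytes and the payload itself.
"""
MAX_IP_DATAGRAM = 65535  # largest total length the 16-bit IP length field encodes


def reassembled_length(fragments):
    """Size the fragment set claims once reassembled: the far end of the
    fragment that reaches furthest. Computed before any buffer exists."""
    return max(f["offset"] * 8 + f["length"] for f in fragments)


def is_within_bounds(fragments):
    """The check a hardened stack performs before allocating the buffer."""
    return reassembled_length(fragments) <= MAX_IP_DATAGRAM


def reassemble(fragments):
    """Rebuild the payload, rejecting oversized or non-contiguous sets
    instead of writing past the end of a fixed-size buffer."""
    if not is_within_bounds(fragments):
        raise ValueError(
            f"fragment set implies {reassembled_length(fragments)} bytes, "
            f"above the {MAX_IP_DATAGRAM}-byte IP limit; dropping")
    buf = bytearray(reassembled_length(fragments))
    covered = 0
    for f in sorted(fragments, key=lambda f: f["offset"]):
        start = f["offset"] * 8
        if start != covered or len(f["payload"]) != f["length"]:
            raise ValueError("gap, overlap or length mismatch in fragment set")
        buf[start:start + f["length"]] = f["payload"]
        covered = start + f["length"]
    return bytes(buf)


# Constructed fragment sets. The first is a 1500-byte datagram split after
# 1480 bytes (offset 185 = 1480 / 8). The second places its last fragment so
# high that offset*8 + length overruns the 16-bit limit: 8189*8 + 1480 = 66992.
NORMAL_FRAGMENTS = [
    {"offset": 0, "length": 1480, "payload": b"A" * 1480},
    {"offset": 185, "length": 20, "payload": b"B" * 20},
]
OVERSIZED_FRAGMENTS = [
    {"offset": 0, "length": 1480, "payload": b"A" * 1480},
    {"offset": 8189, "length": 1480, "payload": b"C" * 1480},
]

if __name__ == "__main__":
    print("normal set reassembles to", len(reassemble(NORMAL_FRAGMENTS)), "bytes")
    try:
        reassemble(OVERSIZED_FRAGMENTS)
    except ValueError as err:
        print("oversized set rejected:", err)
```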

NTP Amplification:
A Network Time Protocol (NTP) amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on publicly accessible NTP servers to overwhelm a victim system with UDP traffic. Because the size of the response is typically considerably larger than the request, an attacker who forges NTP requests can amplify the volume of traffic directed at the victim, resulting in a Denial of Service.
If left unprotected, such network devices or computers can easily be used to abuse other networks on the Internet, and your network resources will be implicated in that malicious activity.

Issue the following command on a Linux/Unix computer to check whether the server is open to this abuse (replace X.X.X.X with the IP address of your device/computer):
ntpq -c rv X.X.X.X

Solution:
1. Update
All versions of ntpd prior to 4.2.7 are vulnerable by default; upgrade all ntpd installations to at least 4.2.7.
2. Disable Queries
Where updating is not possible, add the "noquery" statement to the /etc/ntp.conf file, then restart the NTP daemon with "service ntpd restart".
Below is an example:
restrict default nopeer nomodify notrap noquery
restrict 127.0.0.1
https://www.kb.cert.org/vuls/id/348126 has more details on how to resolve this issue.
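Both fixes above can be verified from a configuration backup or a fleet inventory rather than by probing the server: compare the ntpd version against 4.2.7, and confirm that every "restrict default" line in ntp.conf carries noquery. The Python below is an added example for this page, not code from the original article or the NTP project; the configuration text and version strings are constructed.

```python
"""Check the two NTP amplification fixes: ntpd version and 'noquery' on the
default restrict line. Added example, not from the original page or the NTP
project. The config text and version strings used with it are constructed.
"""
import re

MIN_SAFE_VERSION = (4, 2, 7)  # threshold stated in the text above


def ntpd_version_ok(version_output):
    """Parse the first x.y.z in 'ntpd --version' output and compare it with
    4.2.7. Unparseable output is reported as not OK so it gets looked at."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return False
    return tuple(int(x) for x in m.groups()) >= MIN_SAFE_VERSION


def default_restrict_lines(conf_text):
    """Return the flag list of every 'restrict default' line, including the
    'restrict -4 default' and 'restrict -6 default' forms, comments stripped."""
    found = []
    for raw in conf_text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if len(toks) >= 2 and toks[0] == "restrict":
            if toks[1] == "default":
                found.append(toks[2:])
            elif toks[1] in ("-4", "-6") and len(toks) >= 3 and toks[2] == "default":
                found.append(toks[3:])
    return found


def queries_disabled(conf_text):
    """True only if at least one default restrict line exists and every one
    of them carries 'noquery'. With no restrict default line ntpd applies no
    restriction at all, so that case is reported as not disabled."""
    lines = default_restrict_lines(conf_text)
    return bool(lines) and all("noquery" in flags for flags in lines)


# Constructed configurations: the hardened one mirrors the example above,
# the weak one restricts modification but still answers queries.
HARDENED_NTP_CONF = """
driftfile /var/lib/ntp/drift
server ntp.example.net iburst          # placeholder upstream server
restrict default nopeer nomodify notrap noquery
restrict 127.0.0.1
"""
WEAK_NTP_CONF = "restrict default nomodify notrap\nrestrict 127.0.0.1\n"

if __name__ == "__main__":
    print("hardened config disables queries:", queries_disabled(HARDENED_NTP_CONF))
    print("weak config disables queries:", queries_disabled(WEAK_NTP_CONF))
    print("4.2.6p5 ok:", ntpd_version_ok("ntpd 4.2.6p5@1.2349-o"))
```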
DNS Amplification:
The open resolver vulnerability concerns recursive DNS servers that are left exposed to the external network (the Internet). By design, a recursive DNS server is configured to provide DNS service only to internal network clients. However, where the DNS resolver also serves unintended external clients, attackers can exploit it by forging legitimate-looking DNS requests, enlisting your server in DDoS attacks.

If left unprotected, such a DNS server can easily be used to abuse other networks on the Internet, and your network resources will be implicated in that malicious activity.

To ascertain whether your DNS resolver has this weakness, test it using the following steps (replace X.X.X.X with the IP address of your server):
1. *nix systems
# dig +short test.openresolver.com TXT @X.X.X.X
2. Windows systems
$ nslookup
> set type=TXT
> server X.X.X.X
> test.openresolvers.org
The ideal result is: "Your resolver at is CLOSED"
Alternatively, you may use other online tools to validate whether your DNS server is open.
Disable open recursive DNS: restrict the DNS server to respond only to known sources.
Configure Response Rate Limiting on the authoritative name server.
Refer to the US-CERT publication https://www.us-cert.gov/sites/default/files/publications/DNS-recursion033006.pdf for security best practices.
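The two configuration fixes above (restrict recursion to known sources, enable Response Rate Limiting) can be audited offline from the name server's configuration. The Python below is an added example for this page, not code from the original article or from ISC BIND; it is a line-oriented approximation of BIND's named.conf syntax (the recursion, allow-recursion and rate-limit statements are real BIND directives), not a full parser, and the configuration snippets are constructed.

```python
"""Audit a BIND named.conf 'options' block for open recursion and for
response rate limiting. Added example, not from the original page or from
ISC BIND; the snippets are constructed and the parsing is an approximation.
"""
import re

PUBLIC_MATCHES = {"any", "0.0.0.0/0", "::/0"}  # ACL entries that admit the Internet


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(line.split("//", 1)[0].split("#", 1)[0]
                     for line in text.splitlines())


def _statement(text, name):
    """Return the ';'-separated items of 'name { ... };', or the single value
    of 'name value;', or None when absent. The lookbehind stops 'recursion'
    from matching inside 'allow-recursion'."""
    head = r"(?<![\w-])" + re.escape(name)
    m = re.search(head + r"\s*\{([^}]*)\}\s*;", text)
    if m:
        return [t.strip() for t in m.group(1).split(";") if t.strip()]
    m = re.search(head + r"\s+([^;{}]+);", text)
    return [m.group(1).strip()] if m else None


def assess_resolver(named_conf):
    """Return a list of findings; an empty list means both checks pass."""
    text = _strip_comments(named_conf)
    findings = []
    rec = _statement(text, "recursion")
    if rec is None or rec[0].lower() == "yes":
        acl = _statement(text, "allow-recursion")
        if acl is None:
            findings.append("recursion enabled with no explicit allow-recursion "
                            "ACL; restrict it to known source networks")
        elif PUBLIC_MATCHES & set(acl):
            findings.append("allow-recursion admits the whole Internet: open resolver")
    if _statement(text, "rate-limit") is None:
        findings.append("no rate-limit block: response rate limiting is off")
    return findings


# Constructed configurations.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };   // recursion offered to every client
};
"""
CLOSED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    rate-limit { responses-per-second 5; window 5; };
};
"""
AUTH_ONLY_CONF = "options { recursion no; rate-limit { responses-per-second 10; }; };"

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("closed", CLOSED_CONF),
                        ("authoritative-only", AUTH_ONLY_CONF)):
        print(label, "->", assess_resolver(conf) or ["ok"])
```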

DoS/DDoS Mitigation
There is no single solution to DoS/DDoS attacks. The security practices listed below can reduce the probability of occurrence or the impact:
Keep your operating system up to date: this helps reduce attacks such as SYN floods that take advantage of flaws in the operating system.
Make sure that software on all devices (servers, applications, network equipment) is updated frequently and is running the latest security patches.
Install and configure a firewall to restrict or filter unwanted traffic. For instance, enabling network ingress/egress filtering would block DoS attacks that rely on IP source address spoofing.
Configure access control lists in network devices such as routers to limit access to the network.
Use a CAPTCHA on your web site: it protects the site from spammers or bots that could lead to DoS/DDoS.
Use a web application firewall.
Close unused ports and remove unused services from machines hosting servers.
Black hole filtering: after an incident occurs, it provides a mechanism to quickly drop undesirable traffic at the edge of the network by forwarding it to a null0 interface based on source or destination IP.
To keep your network from being the source of an attack, apply filtering on your router that requires packets leaving your network to have a source IP from your internal address range, and deny the rest.
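The ingress/egress filtering recommended above (BCP 38 in the links below) is a single policy applied in two directions: traffic leaving your network must carry one of your own source addresses, and traffic arriving from the Internet must not. The Python below is an added example for this page, not the original article's code; it implements that verdict for a list of internal prefixes and applies it to a constructed batch of packet records. IPv6 prefixes are accepted as well, which goes slightly beyond the page's IPv4 wording.

```python
"""Source-address validation for egress and ingress filtering (BCP 38).

Added example, not from the original page. The prefixes and packet records
are constructed.
"""
import ipaddress


def build_filter(internal_prefixes):
    """Return a verdict(direction, src) function for the given prefixes.
    direction is 'egress' (leaving our network toward the Internet) or
    'ingress' (arriving from the Internet)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in internal_prefixes]

    def is_internal(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)  # mixed families compare False

    def verdict(direction, src):
        if direction == "egress":
            # Only our own source addresses may leave; anything else is spoofed.
            return "permit" if is_internal(src) else "deny"
        if direction == "ingress":
            # Nothing arriving from the Internet may claim one of our addresses.
            return "deny" if is_internal(src) else "permit"
        raise ValueError(f"unknown direction {direction!r}")

    return verdict


def dropped(packets, internal_prefixes):
    """Apply the filter to {'direction','src','dst'} records and return the
    ones it would drop, for review or for counting in a dashboard."""
    verdict = build_filter(internal_prefixes)
    return [p for p in packets if verdict(p["direction"], p["src"]) == "deny"]


# Constructed traffic for a network that owns 192.0.2.0/24. Two records are
# spoofed: an outbound packet claiming a foreign source and an inbound packet
# claiming one of our own addresses.
SAMPLE_TRAFFIC = [
    {"direction": "egress", "src": "192.0.2.10", "dst": "203.0.113.7"},
    {"direction": "egress", "src": "198.51.100.4", "dst": "203.0.113.7"},  # spoofed
    {"direction": "ingress", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"direction": "ingress", "src": "192.0.2.99", "dst": "192.0.2.10"},    # spoofed
]

if __name__ == "__main__":
    for p in dropped(SAMPLE_TRAFFIC, ["192.0.2.0/24"]):
        print(f"drop {p['direction']} packet with source {p['src']}")
```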

For more Details:

https://www.incapsula.com/ddos/ddos-attacks/
https://ddosattackprotection.org/blog/types-of-ddos-attacks/
https://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/13634-newsflash.html
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf
https://nms.lcs.mit.edu/~kandula/projects/killbots/kandula_login.pdf
https://tools.ietf.org/html/bcp38
https://www.icann.org/en/system/files/files/sac-065-en.pdf
https://www.juniper.net/techpubs/en_US/nsm2012.1/topics/concept/security-servicefirewall-flood-defense-prevent-attack-overview.html
https://www.cert.org/historical/advisories/CA-1998-01.cfm?
https://www.kb.cert.org/vuls/id/348126
https://www.us-cert.gov/ncas/alerts/TA14-013A