DDoS Attacks Methods New


8/9/2019 DDoS Attacks Methods New

DDoS Attacks

Methods used in DDoS type attacks

1 General Definitions

The following definitions and terms will be used throughout this document:

DoS Attack: refers to all Denial of Service related attacks including DoS, DDoS and DRDoS attacks (unless specified otherwise).

Victim: the target network, host or hosts of a DoS Attack.

Attacker: the initiator of the attack.

Intermediary: innocent hosts or networks exploited for the attack.

2 Attacks classification

DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to cause the target to use more resources processing traffic than the attacker does sending the traffic. Another method is to control multiple attackers. DoS attacks can therefore be classified into three categories: Bandwidth/Throughput attacks, Protocol attacks and Software Vulnerability attacks.

2.1 Bandwidth/Throughput Attacks

Bandwidth attacks are intended to overflow and consume resources available to the victim. These resources include network bandwidth between the victim and the Internet or equipment throughput (including computer related resources such as memory and CPU).

Such high volume attacks can consume all available bandwidth between an ISP and the victim's site. The bandwidth clogs up, and legitimate users find it virtually impossible to receive any kind of service from the site, rendering it useless (and in some scenarios the attack may even cause the victim's server to crash). An attacker can consume bandwidth by transmitting any traffic at all on the victim's network connection.

Attack traffic can be classified in two separate groups. The first includes connectionless protocol traffic such as raw IP packets, UDP and ICMP, which targets primarily the victim's bandwidth capacity. The second group includes all connection oriented protocols (mainly TCP related) which, in addition to consuming bandwidth, aim to exploit additional vulnerabilities of network equipment used by the victim (including switches, routers, firewalls etc.).

The first group of attacks exploits the throughput limits of servers or network equipment by focusing on high packet rates: sending large numbers of small packets which require large processing resources on the victim's side.

High-packet-rate attacks typically overwhelm network equipment before the traffic reaches the limit of available bandwidth. For instance, routers and firewalls, upon reaching their input limits, start dropping excess packets due to queue overflow and processing latencies. Servers under great processing stress may even collapse, resulting in a general system freeze. In practice, denial of service is often accomplished by high packet rates, not by sheer traffic volume. [1]

2.1.1 Ping Flood Attack (ICMP Echo)

ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP is encapsulated in IP datagrams.

ICMP includes two commonly used packets: ICMP echo request, which conveys an ICMP query (for instance: is the host designated by IP address 1.1.1.1 reachable?), and ICMP echo response, which is used for providing information (such as the latency from the host that sent an ICMP echo request).

Ping Flood is an attempt by an attacker on a high bandwidth connection to saturate a network with ICMP Echo Request packets in order to slow or stop legitimate traffic going through the network.

2.1.2 SYN Flood Attack (DoS attack)

The idea behind this attack is to exploit the TCP three-way handshake.

Individual TCP packets contain "flag bits" which specify the contents and purpose of each packet. Packets can be marked as a SYN packet (synchronize), meaning that it is initiating a connection from the sender to the recipient; an ACK packet (acknowledge), which acknowledges the receipt of information from the sender; or a FIN packet (finish), terminating the connection from the sender to the recipient. In addition, each packet includes source and destination port numbers, the IP address of the machine which originated the packet (the Source IP) and the address of the machine to which the Internet's routers will forward the packet (the Destination IP). [3]

Since understanding the handshake is necessary for this mode of attack and more advanced types, we will start by presenting a detailed explanation of how the handshake works.

2.1.2.1 TCP Three-Way Handshake

The connection initiating SYN packet is usually sent from the client's port, numbered between 1024 and 65535, to the server's port, numbered between 1 and 1023. The port on the client side is assigned by the operating system.

When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet. Although TCP connections are bi-directional (full duplex), each direction of the connection is set up and managed independently. For this reason, a TCP server replies to the client's connection-requesting SYN packet by ACKnowledging the client's packet and sending its own SYN to initiate a connection in the returning direction. These two messages are combined into a single "SYN/ACK" response packet. The SYN/ACK packet is sent to the SYN's sender by exchanging the source and destination IPs from the SYN packet and placing them into the answering SYN/ACK packet. This sets the SYN/ACK packet's destination to the source IP of the SYN, which is exactly what we want. [3] [5]

The client's reception of the server's SYN/ACK packet confirms the server's willingness to accept the client's connection. If the server had been unable or unwilling to accept the client's TCP connection, it would have replied with a RST/ACK (Reset Acknowledgement) packet, or an ICMP Port Unreachable packet, to inform the client that its connection request had been denied.


The client ACKnowledges the receipt of the SYN portion of the server's answering SYN/ACK by sending an ACK packet back to the server. At this point, from the client's perspective, a new two-way TCP connection has been established between the client and server, and data may now freely flow in either direction between the two TCP endpoints.

The server's reception of the client's ACK packet confirms to the server that its SYN/ACK packet was able to return to the client across the Internet's packet routing system. At this point, the server considers that a new two-way TCP connection has been established between the client and server and data may now flow freely in either direction between the two TCP endpoints.

The server's receipt of a client's SYN packet causes the server to prepare for a connection. It typically allocates memory buffers for sending and receiving the connection's data, and it records the various details of the client's connection including the client's remote IP and connection port number. In this way, the server will be prepared to accept the client's final connection-opening ACK packet. Also, if the client's ACK packet should fail to arrive, the server will be able to resend its SYN/ACK packet, presuming that it might have been lost or dropped by an intermediate Internet router. [3] [4] [5]

2.1.2.2 Exploiting the TCP Three-Way Handshake

Every time a handshake is initiated, memory and other significant server "connection resources" are allocated as a consequence of the receipt of a single Internet "SYN" packet. Obviously, there is a limit to the number of "half open" connections a TCP server can handle, and therefore with simple means this limit may be exceeded. The method used by SYN Flood Attacks is creating SYN packets with deliberately fraudulent (spoofed) IP return addresses. By flooding the victim with SYN packets that seem indistinguishable from valid requests, the victim's server will allocate all the resources mentioned above and reply with a SYN/ACK packet to the Source IP. Since this IP was spoofed, in most cases the SYN/ACK packet will be discarded. Since the server does not know that the original SYN packet was fraudulent, it will wait and resend the SYN/ACK packet several more times until giving up. [3] [4]

All of this connection management consumes valuable and limited resources in the server. Meanwhile, the attacking TCP client continues firing additional fraudulent SYN packets at the server, forcing it to accumulate a continuously growing pool of incomplete connections. At some point, the server will be unable to accommodate any more "half-open" connections and even valid connections will fail, since the server's ability to accept any connections will have been maliciously consumed. At this point any legitimate sessions find it extremely difficult to be established with the victim's server. [3] [5]

It is important to mention that this method of attack is NOT bandwidth consumption. This attack, mainly used several years ago when Internet servers were not as advanced, could be carried out by a single attacker working on a slow dialup line. Now that server performance has been considerably enhanced, this method of attack is not efficient enough to create the wanted DoS effect. [3]
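The handshake described in 2.1.2.1 and the half-open exhaustion described above, as an added example that is not part of the original document: a small Python model in which a client and a server exchange SYN, SYN/ACK and ACK messages in memory, the server keeps a bounded backlog of half-open entries and retransmits its SYN/ACK a fixed number of times before giving up, and a second server variant uses SYN cookies (the state encoded in the SYN/ACK sequence number, a mitigation the document does not discuss) so that unanswered SYNs leave no state behind. The addresses, the backlog size of 8 and the retry count are constructed values; nothing touches a real socket.

```python
"""TCP three-way handshake and SYN-backlog exhaustion, modelled in Python.

Added example, not code from the original document. Only message objects
are exchanged in memory; nothing is sent on a network. Addresses, the
backlog size and the retry count are constructed values.
"""
import hashlib
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class Server:
    """Classic server: allocates a half-open (SYN_RECVD) entry per received SYN."""
    ip: str
    backlog: int                      # maximum number of half-open entries
    synack_retries: int = 5           # SYN/ACK retransmissions before giving up
    half_open: dict = field(default_factory=dict)   # (src, sport) -> [isn, retries left]
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    _isn: count = field(default_factory=lambda: count(1000))

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1           # backlog full: the SYN is silently dropped
                return None
            isn = next(self._isn)
            self.half_open[key] = [isn, self.synack_retries]
            return Segment(self.ip, 0, seg.src, "SYN/ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and key in self.half_open:
            isn, _ = self.half_open[key]
            if seg.ack == isn + 1:               # final ACK completes the handshake
                del self.half_open[key]
                self.established.add(key)
        return None

    def timer_expired(self):
        """One SYN/ACK retransmission round; entries out of retries are dropped."""
        for key in list(self.half_open):
            self.half_open[key][1] -= 1
            if self.half_open[key][1] == 0:
                del self.half_open[key]


class SynCookieServer(Server):
    """Mitigation: keep no state for a SYN; encode it in the SYN/ACK sequence number."""
    secret = b"constructed-secret"

    def _cookie(self, src, sport, client_seq):
        h = hashlib.sha256(self.secret + f"{src}:{sport}:{client_seq}".encode()).digest()
        return int.from_bytes(h[:4], "big")

    def receive(self, seg):
        if seg.flags == "SYN":                   # answer, but allocate nothing
            return Segment(self.ip, 0, seg.src, "SYN/ACK",
                           seq=self._cookie(seg.src, seg.sport, seg.seq), ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.ack - 1 == self._cookie(seg.src, seg.sport, seg.seq - 1):
            self.established.add((seg.src, seg.sport))   # only a host that saw the SYN/ACK gets here
        return None


def connect(server, client_ip, port, seq=1):
    """Legitimate client: SYN -> SYN/ACK -> ACK. Returns True once established."""
    synack = server.receive(Segment(client_ip, port, server.ip, "SYN", seq=seq))
    if synack is None or synack.flags != "SYN/ACK":
        return False
    server.receive(Segment(client_ip, port, server.ip, "ACK", seq=synack.ack, ack=synack.seq + 1))
    return (client_ip, port) in server.established


def half_open_load(server, n):
    """n SYNs whose SYN/ACK is never answered (how spoofed SYNs look to the server).
    Returns (half-open entries held, SYNs dropped because the backlog was full)."""
    for i in range(n):
        server.receive(Segment(f"198.51.100.{i % 250 + 1}", 40000 + i, server.ip, "SYN", seq=7))
    return len(server.half_open), server.dropped_syns


if __name__ == "__main__":
    classic = Server(ip="203.0.113.10", backlog=8)
    print("classic: (half-open, dropped) after 12 unanswered SYNs:", half_open_load(classic, 12))
    print("classic: legitimate connect while backlog is full:", connect(classic, "192.0.2.5", 51000))
    cookies = SynCookieServer(ip="203.0.113.10", backlog=8)
    print("cookies: (half-open, dropped) after 12 unanswered SYNs:", half_open_load(cookies, 12))
    print("cookies: legitimate connect:", connect(cookies, "192.0.2.5", 51000))
```

With the classic server, more unanswered SYNs than backlog entries leave the backlog full until timer_expired has run synack_retries times, and a legitimate connect fails in the meantime; the same load on SynCookieServer holds no state, so the legitimate connect succeeds at once.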

2.1.3 DDoS attack (Distributed SYN Flood)

This attack is a natural development from the SYN Flood mentioned above. The idea behind this attack is focusing the Internet connection bandwidth of many machines upon one or a few machines. This way it is possible to use a large array of smaller (or weaker), widely distributed computers to create the big flood effect. Usually, the assailant installs his remote attack program on weakly protected computers (universities, home users constantly connected etc.) using Trojan horses and intrusion methods, and then orchestrates the attack from all the different computers at once.

This creates a brute force flood of malicious "nonsense" Internet traffic to swamp and consume the target server's or its network connection bandwidth. This malicious packet flood competes with, and overwhelms, the network's valid traffic so that "good packets" have a low likelihood of surviving the flood. The network's servers become cut off from the rest of the Internet, and their service is denied. [6] [3]

2.1.4 Distributed Reflected Denial of Service (DRDoS) attack

To enhance the previous methods a reflective method of attack was developed. Instead of sending TCP packets with spoofed source IP addresses directly to the victim, an attacker located somewhere else on the Internet might SYN flood Internet routers with TCP connection-requesting SYN packets. Those SYN packets carry the fraudulent (spoofed) source IP belonging to the victim. Therefore, the routers believe that the SYN packets were coming from the victim, and they reply with SYN/ACK packets as the second phase of the standard TCP three-way connection handshake. This way, the victim sees an attack from a wide array of core infrastructure servers (instead of many small computers around the globe). [3]

Some variations of this attack take advantage of BGP (Border Gateway Protocol). This protocol is supported by intermediate routers. Routers use BGP to communicate with their immediate neighbors to exchange their "routing tables" in order to inform each other about which IP ranges the router can forward. The specific details of BGP are unimportant. The fact that virtually all of the Internet's extremely well-connected (high bandwidth) intermediate routers will accept TCP connections on their port 179 (BGP port) means a SYN packet arriving at port 179 of an Internet router will elicit a responding SYN/ACK packet. This example indicates the type of network assets the assailant may use for his cause. [3]

2.1.5 Naptha

Naptha is a name used to describe a set of network DoS vulnerabilities. Naptha attacks exploit weaknesses in the way some TCP stacks and applications handle large numbers of connections in states other than "SYN RECVD", including "ESTABLISHED" and "FIN WAIT-1". By creating a suitably large number of TCP connections and leaving them in certain states, individual applications or the operating system itself can be starved of resources to the point of failure. In the past, attacks that would exploit TCP connections in this manner have not been implemented because they would typically exhaust the resources of the attacker as well. The innovation provided by the Naptha attack is that it is possible to easily create a DoS on the target with little resource consumption on the part of the attacker. [7] [8]

The first part sends out a sequence of SYN packets from all possible ports of a forged IP address to the victim. This sounds like a SYN flood, but more happens. The second half runs on a LAN where the forged IP address would be, if it were a real host. The program first makes sure that the router has an entry for this phantom host in its ARP table. Next, it listens for a packet from the victim to the phantom host. The program responds with a packet with the appropriate flags and sequence numbers. Typically, it listens for SYN/ACK packets and replies with an ACK. It could also set the FIN flag and leave the connection waiting for a FIN-WAIT-1 packet. To keep connections alive longer, it can listen for 'regular' data packets or 'keep alive' packets and send an ACK in reply. This 'phantom' nature makes it hard to track down and eliminate, as it is almost impossible to discriminate between a bogus connection and a valid one. [7]

2.1.6 UDP Flood Attacks

UDP is a connectionless, unreliable protocol which doesn't require session negotiation between client and server application. UDP provides an easy to use interface for producing a large quantity of packets.

A common attack which exploits UDP simply floods the network with UDP packets destined to a victim's host. Due to the relative simplicity of this protocol an attacker can produce large bandwidth capacity with relatively small effort. [17]

2.2 Protocol Attacks

The basic flood attack can be further refined to take advantage of the inherent design of commonly used network protocols including TCP, UDP, ICMP and application protocols such as BGP, DNS, HTTP and others.

These attacks do not directly exploit weaknesses in these protocols but, instead, use their expected behavior to the attacker's advantage, resulting in a bandwidth attack. [1]

2.2.1 Smurf Attack

The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a host. If a host receives that packet, that host will return an ICMP echo reply packet. A common implementation of this process is the "ping" application.

In this attack, spoofed IP packets containing an ICMP Echo-Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.

Broadcast addresses are specially allocated addresses within all network subnets, used to broadcast messages to the whole network. All hosts within a given subnet receive packets sent to these broadcast addresses and in some cases (the ICMP protocol for instance) respond to them. Sending an ICMP Echo Request to a broadcast address triggers all hosts included in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.

Networks may include up to hundreds of hosts, thus one attack echo request results in hundreds of flooding packets at the victim's site. [8]

2.2.2 DNS name server Attack

The most common method seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses. [10]

Since nameserver responses can be significantly larger than DNS requests, this is an opportunity for bandwidth amplification. The queries are usually crafted to request the same valid DNS resource record from multiple nameservers. The result is many nameservers receiving queries for resource records in zones for which the nameserver is not authoritative. The response of the nameserver depends on its configuration. [10]
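Both the Smurf attack in 2.2.1 and the DNS reflection attack above share one signature at the victim: replies arrive for requests the victim never sent, from many reflectors at once, and in the DNS case each reply is much larger than a query. The following detector is an added example, not code from the original document. It runs over constructed flow records in a simple whitespace-separated format that stands in for NetFlow or packet-capture output, uses documentation address ranges, and treats a reply as solicited only if the victim sent a matching request to that peer within a short window.

```python
"""Reflected-traffic detector for a monitored host (Smurf replies, DNS responses).

Added example, not code from the original document. The flow records below
are constructed samples in a simple format standing in for NetFlow/pcap output:
  ts proto src dst sport dport bytes kind
"""
from collections import defaultdict

VICTIM = "192.0.2.10"   # constructed address of the monitored host

# Constructed sample: one legitimate ping and one DNS lookup, then a burst of
# echo replies from a whole subnet and large DNS responses to a port never used.
SAMPLE_FLOWS = """\
1.00 icmp 192.0.2.10 198.51.100.7 0 0 64 echo-request
1.02 icmp 198.51.100.7 192.0.2.10 0 0 64 echo-reply
1.10 udp 192.0.2.10 203.0.113.53 41000 53 60 dns-query
1.12 udp 203.0.113.53 192.0.2.10 53 41000 180 dns-response
2.00 icmp 198.51.100.21 192.0.2.10 0 0 64 echo-reply
2.00 icmp 198.51.100.22 192.0.2.10 0 0 64 echo-reply
2.01 icmp 198.51.100.23 192.0.2.10 0 0 64 echo-reply
2.01 icmp 198.51.100.24 192.0.2.10 0 0 64 echo-reply
2.05 udp 203.0.113.5 192.0.2.10 53 41337 3000 dns-response
2.06 udp 203.0.113.6 192.0.2.10 53 41337 3000 dns-response
"""

RESPONSE_OF = {"echo-request": "echo-reply", "dns-query": "dns-response"}


def parse_flows(text):
    """Parse the sample format into dicts with numeric fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, sport, dport, nbytes, kind = line.split()
        flows.append({"ts": float(ts), "proto": proto, "src": src, "dst": dst,
                      "sport": int(sport), "dport": int(dport),
                      "bytes": int(nbytes), "kind": kind})
    return flows


def unsolicited_responses(flows, victim, window=2.0):
    """Responses delivered to `victim` that no request of its own explains.

    A request is remembered under (proto, peer, local port, expected reply
    kind); for ICMP echo the ports are 0. A response counts as solicited only
    if such a request was sent at most `window` seconds earlier."""
    sent = defaultdict(list)
    unsolicited = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["src"] == victim and f["kind"] in RESPONSE_OF:
            sent[(f["proto"], f["dst"], f["sport"], RESPONSE_OF[f["kind"]])].append(f["ts"])
        elif f["dst"] == victim and f["kind"] in RESPONSE_OF.values():
            key = (f["proto"], f["src"], f["dport"], f["kind"])
            if not any(0 <= f["ts"] - t <= window for t in sent.get(key, ())):
                unsolicited.append(f)
    return unsolicited


def reflection_report(flows, victim, window=2.0):
    """Per response kind: packet count, distinct reflectors and bytes received.

    Many reflectors answering at once with nothing sent to them is the Smurf /
    DNS-reflection signature; the byte total shows the amplification achieved."""
    report = {}
    for f in unsolicited_responses(flows, victim, window):
        entry = report.setdefault(f["kind"], {"packets": 0, "reflectors": set(), "bytes": 0})
        entry["packets"] += 1
        entry["reflectors"].add(f["src"])
        entry["bytes"] += f["bytes"]
    return {kind: {"packets": e["packets"], "reflectors": len(e["reflectors"]), "bytes": e["bytes"]}
            for kind, e in report.items()}


if __name__ == "__main__":
    for kind, e in reflection_report(parse_flows(SAMPLE_FLOWS), VICTIM).items():
        print(f"{kind}: {e['packets']} unsolicited packets from "
              f"{e['reflectors']} reflectors, {e['bytes']} bytes")
```

On the sample, the legitimate ping and DNS lookup are matched and ignored, while the four echo replies from 198.51.100.21-24 and the two 3000-byte DNS responses are reported as unsolicited; in a real deployment the same matching would run against a capture at the victim's border, where request/response pairing is visible for both directions.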

2.3 Software Vulnerability Attacks

Unlike the previously mentioned attack strategies, this group of attacks attempts to deliver a crippling blow to the victim's Achilles heel. This is accomplished not by brute force of mass traffic, but with a well designed attack, usually using considerably less traffic than flood attacks.

Most of these attacks exploit inherent weaknesses in network software implementations. For example, IP fragmented packet reassembly can deal with an orderly set of fragmented packets as long as the offsets and size of the packet's payload are aligned. In cases where fragments are overlapping or missing, in some TCP/IP stack implementations this may cause a system failure (for details see below). [1]

2.3.1 Land Attack

In this attack, an attacker sends spoofed TCP SYN packets with the same source and destination addresses as the victim's host address.

In some TCP/IP stack implementations those kinds of packets may cause the victim's host to crash. In cases where the victim's host is a router, this attack may result in a routing loop consuming large quantities of bandwidth (unless filtered in advance).

One of the variations of this attack targets a certain TCP service provided by the victim. In this case the attacker uses the same source and destination ports as those used by the victim's service (for instance an attack on the victim's web server will probably use TCP port 80). This may consume the victim's host CPU resources. [11] [12] [13]

2.3.2 Ping of Death Attack

Ping of Death is an attempt by an attacker to crash, reboot or freeze a system by sending an illegal ICMP (over IP) packet to the host under attack.

The TCP/IP specification allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data). In some TCP/IP stack implementations, encountering packets of greater size may cause the victim's host to crash.

Most implementations of the ICMP protocol use a packet header size of 8 octets but allow the user to specify larger packet header sizes.

In the attack, the ICMP packet is sent in the form of a fragmented message which, when reassembled, is larger than the maximum legal IP packet size. [14] [15]

2.3.3 Fragmentation Attack and Teardrop Attack

The TCP/IP protocol allows IP packets to contain up to 65536 octets. Most line protocols (such as Cisco's HDLC, PPP, Ethernet etc.) which are used for encapsulating these packets limit data unit length to 4470-5000 octets (also referred to as the MTU, Maximum Transfer Unit).

In order to send large IP packets over limited line protocols the IP stack divides them into smaller fragments. The reconstruction of these fragments is performed according to IP packet header fields such as fragment offset, packet ID and header flags.

All the fragments of the same IP packet carry the same packet ID field and have the "Fragmented-packet" flag (one of the header's flags) on. The first fragment is sent with offset 0 and the "More-fragments" flag (one of the header's flags) turned on. The next fragments are sent with the offset field containing the sum of all previously sent fragments' lengths. The last fragment's "More-fragments" flag is unset (turned off).

Some TCP/IP stack IP fragmentation re-assembly code improperly handles overlapping IP fragments. The Teardrop (also known as bonk, boink, teardrop2) attack exploits this bug and sends a series of fragments with overlapping sections. This attack may cause some systems to crash or freeze. [1] [12]

Other fragmentation attacks exploit other illegal combinations of fragment configuration which prevent the target host from successfully reconstructing the packets. For instance, the attacker sends a series of fragments without sending a closing fragment (containing the "More-Fragments" flag turned off), thus overloading the victim's host IP packet reconstruction queue with pending packets. In some systems the attack may result in a system hold due to resource starvation. The same effect is achieved by sending many unmatched non-initial IP fragments. [16]
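An added example covering both the oversize reassembly of 2.3.2 and the fragment rules, Teardrop overlap and never-closing fragment sets described above; it is not code from the original document. It models the checks a reassembly queue can apply before accepting a fragment: a fragment must not re-cover bytes already placed (overlap), the reassembled datagram must fit the 16-bit IPv4 total-length field (oversize), and a datagram is complete only when a fragment with More-Fragments off closes a contiguous run starting at offset 0. A capped pending table then shows how fragment sets that never close occupy a slot until they are timed out. Offsets are given in bytes here (on the wire the field counts 8-octet units), the 20-octet header assumes no IP options, and every fragment value is constructed.

```python
"""Fragment-reassembly checks: overlap (Teardrop), oversize (Ping of Death),
and fragment sets that never close.

Added example, not code from the original document. Fragments are constructed
values; offsets are in bytes (the wire field counts 8-octet units) and the
IPv4 header is assumed to carry no options.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest value the 16-bit IPv4 total-length field can hold
HEADER_LEN = 20        # IPv4 header without options (assumption)


@dataclass(frozen=True)
class Fragment:
    packet_id: int        # same for every fragment of one datagram
    offset: int           # byte position of this payload inside the original datagram
    length: int           # payload octets carried by this fragment
    more_fragments: bool  # the "More-fragments" flag; off only on the closing fragment


def check_fragment_set(fragments):
    """Classify the fragments collected so far for one packet ID.

    Returns "ok" (complete, contiguous, within size), "overlap" (a fragment
    re-covers bytes already placed: the Teardrop condition), "oversize" (the
    reassembled datagram would exceed MAX_DATAGRAM: the Ping of Death condition)
    or "incomplete" (still waiting for fragments; subject to a timeout)."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags:
        return "incomplete"
    placed_up_to = 0
    for f in frags:
        if f.offset < placed_up_to:
            return "overlap"
        if HEADER_LEN + f.offset + f.length > MAX_DATAGRAM:
            return "oversize"
        placed_up_to = f.offset + f.length
    contiguous = all(b.offset == a.offset + a.length for a, b in zip(frags, frags[1:]))
    if frags[0].offset != 0 or frags[-1].more_fragments or not contiguous:
        return "incomplete"
    return "ok"


class ReassemblyQueue:
    """Reassembly table with a cap on pending datagrams.

    The cap stands for the resource that fragment sets without a closing
    fragment (or unmatched non-initial fragments) tie up until timed out."""

    def __init__(self, max_pending=4):
        self.max_pending = max_pending
        self.pending = {}      # packet_id -> fragments received so far
        self.rejected = []     # (packet_id, reason)

    def add(self, frag):
        """Add one fragment; returns the verdict for its packet ID."""
        if frag.packet_id not in self.pending and len(self.pending) >= self.max_pending:
            self.rejected.append((frag.packet_id, "queue-full"))
            return "queue-full"            # a new datagram cannot be tracked: the DoS effect
        frags = self.pending.setdefault(frag.packet_id, [])
        frags.append(frag)
        verdict = check_fragment_set(frags)
        if verdict != "incomplete":
            del self.pending[frag.packet_id]   # complete or rejected: free the slot
            if verdict != "ok":
                self.rejected.append((frag.packet_id, verdict))
        return verdict

    def expire_all(self):
        """Timeout: drop every datagram still pending and free its slot."""
        expired = list(self.pending)
        self.pending.clear()
        return expired


if __name__ == "__main__":
    normal = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 500, False)]
    print("normal split:", check_fragment_set(normal))
    print("overlapping:", check_fragment_set([Fragment(2, 0, 1480, True), Fragment(2, 1000, 1480, False)]))
    print("oversize:", check_fragment_set([Fragment(3, 0, 1480, True), Fragment(3, 65120, 500, False)]))
    q = ReassemblyQueue(max_pending=2)
    for pid in (10, 11, 12):
        print(f"non-initial fragment for id {pid}:", q.add(Fragment(pid, 1480, 100, True)))
```

Real stacks bound the pending table by memory and by a per-datagram timer rather than by a fixed count, but the behaviour is the same: once the table is full of fragment sets that will never complete, fragments for new datagrams are dropped until the timer frees the slots.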


3 References

3.1 Attack methods

(1) Managing the Threat of Denial-of-Service Attacks, CERT Coordination Center. http://www.cert.org/archive/pdf/Managing_DoS.pdf

(2) CERT Advisory CA-1997-28 IP Denial-of-Service Attacks. http://www.cert.org/advisories/CA-1997-28.html

(3) DRDoS - Distributed Reflection Denial of Service. http://grc.com/dos/drdos.htm

(4) Denial of Service Attack Threat Analyzed. http://www.uksecurityonline.com/threat/dos.php

(5) Microsoft Knowledge Base Article Q172983 - Explanation of the Three-Way Handshake via TCP/IP. http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q172983&LN=EN-US

(6) The Strange Tale of the Denial Of Service Attacks Against GRC.COM. http://grc.com/dos/grcdos.htm

(7) Razor - The Naptha DoS vulnerabilities. http://razor.bindview.com/publish/advisories/adv_NAPTHA.html

(8) CERT Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP Stacks. http://www.cert.org/advisories/CA-2000-21.html

(9) CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks. http://www.cert.org/advisories/CA-1998-01.html

(10) Denial of Service Attacks using Nameservers. http://www.cert.org/incident_notes/IN-2000-04.html

(11) CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks. http://www.cert.org/advisories/CA-1996-21.html

(12) CERT Advisory CA-1997-28 IP Denial-of-Service Attacks. http://www.cert.org/advisories/CA-1997-28.html

(13) CERT Advisory CA-1998-13: Vulnerability in Certain TCP/IP Implementations. http://www.cert.org/advisories/CA-1998-13.html


(14) SANS Institute - How can an attacker use ICMP for reconnaissance? http://www.sans.org/newlook/resources/IDFAQ/icmp_misuse.htm

(15) CERT Advisory CA-1996-26 Denial-of-Service Attack via ping. http://www.cert.org/advisories/CA-1996-26.html

(16) Security Info Online, CI-98.03: Cisco PIX and CBAC Fragmentation Attack. http://online.securityfocus.com/advisories/1428

(17) CERT Advisory CA-1996-01 UDP Port Denial-of-Service Attack. http://www.cert.org/advisories/CA-1996-01.html

    (18)
