system), ICMP echo-request floods, and
ICMP-directed broadcasts (also known as smurf attacks) are
similar to DDoS attacks; however, the scope of a DDoS attack is
different. Victims of DDoS attacks experience packet flooding
from many different sources, often with spoofed IP source
addresses, that brings network connectivity to a halt. In the
past, the typical DoS attack involved a single system attempting
to flood a target host with packets. With DDoS tools, an attacker
can conduct the same attack using thousands of systems. In Figure ,
the hacker uses a terminal to scan for systems to compromise. After
handler systems are accessed, the hacker installs software on
these systems. This software scans for, compromises,
and infects agent systems. When the agent systems are accessed,
the hacker loads remote control attack software onto them to carry
out the DDoS attack.

DoS and DDoS Attack Mitigation
When attacks involve specific network server applications, such
as an HTTP server or an FTP server, the attacker focuses on
acquiring and keeping open all the available connections that
the server supports. This strategy effectively locks out valid
users of the server or service. DoS attacks can also be
implemented using common Internet protocols, such as TCP and
ICMP. For example, the "Ping of Death" attack sends an ICMP echo
request in fragments whose reassembled length exceeds the
65,535-byte maximum that IP allows; hosts whose reassembly code
did not check for this crashed or hung. Most DoS attacks, however,
exploit a weakness in the overall architecture of the system
rather than a software bug or security hole. Some attacks degrade
the performance of your network by flooding it with undesired
and often useless packets, or by providing false information
about the status of network resources. You can reduce the threat
of DoS and DDoS attacks using the methods listed in Figure :

- Anti-spoof features: Proper configuration of anti-spoof
features on your routers and firewalls can reduce your risk of
attack. These features include appropriate filtering with access
lists, unicast reverse path forwarding (uRPF), which looks up the
source address in the routing table to identify spoofed packets,
disabling of source route options, and others.

- Anti-DoS features: Proper configuration of anti-DoS features on
routers and firewalls can help limit the effectiveness of an
attack. These features often involve limits on the number of
half-open TCP connections that a system allows at any given time.
This method is also known as SYN-flooding prevention and can be
configured on the router by limiting the overall number of
half-open TCP sessions that can go through the router, by
limiting the number of new half-open sessions per minute, or by
limiting the number of half-open sessions destined to a specific
server.

- Traffic rate limiting: An organization can implement traffic
rate limiting with its ISP. This type of filtering limits the
rate at which nonessential traffic crosses network segments. A
common example is to limit the amount of ICMP traffic allowed
into a network, because this traffic is used mainly for
diagnostic purposes and ICMP-based DDoS attacks are common.
Rate-limit rather than block ICMP entirely: path MTU discovery
depends on ICMP Destination Unreachable (fragmentation needed)
messages getting through.
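The Anti-DoS bullet above describes three half-open session limits (overall, per minute, per destination server). The following is an added example, not code from the course, that applies those three limits to a stream of SYN and ACK events the way a router's SYN-flood protection would. The thresholds, addresses and traffic are constructed for illustration; the `HalfOpenLimiter`, `replay` and `demo` names are this example's own.

```python
"""Half-open TCP session limiter with an overall cap, a per-minute cap on
new half-open sessions, and a per-server cap (added example, not course
code; thresholds, hosts and traffic are constructed)."""
from collections import deque


class HalfOpenLimiter:
    def __init__(self, max_total, max_per_minute, max_per_server):
        self.max_total = max_total            # half-open sessions through the device
        self.max_per_minute = max_per_minute  # new half-open sessions per 60 s window
        self.max_per_server = max_per_server  # half-open sessions per destination
        self.half_open = set()                # (client, server) pairs awaiting final ACK
        self.per_server = {}                  # server -> current half-open count
        self.recent = deque()                 # timestamps of SYNs accepted in last 60 s

    def on_syn(self, ts, client, server):
        """Return True if the SYN is forwarded, False if a limit drops it."""
        key = (client, server)
        if key in self.half_open:
            return True  # retransmitted SYN of a session already being tracked
        while self.recent and ts - self.recent[0] >= 60:
            self.recent.popleft()  # slide the one-minute window
        if len(self.half_open) >= self.max_total:
            return False
        if len(self.recent) >= self.max_per_minute:
            return False
        if self.per_server.get(server, 0) >= self.max_per_server:
            return False
        self.half_open.add(key)
        self.per_server[server] = self.per_server.get(server, 0) + 1
        self.recent.append(ts)
        return True

    def on_established(self, client, server):
        """Final ACK seen (or embryonic timeout expired): no longer half-open."""
        key = (client, server)
        if key in self.half_open:
            self.half_open.discard(key)
            self.per_server[server] -= 1


def replay(events, limiter):
    """Feed ("SYN"|"ACK", ts, client, server) events through the limiter.
    Returns (forwarded_syns, dropped_syns)."""
    forwarded = dropped = 0
    for kind, ts, client, server in events:
        if kind == "SYN":
            if limiter.on_syn(ts, client, server):
                forwarded += 1
            else:
                dropped += 1
        elif kind == "ACK":
            limiter.on_established(client, server)
    return forwarded, dropped


def demo():
    """Constructed scenario: one legitimate handshake, then a 200-packet SYN
    flood from spoofed sources against the web server (never completed, so
    each stays half-open), then a legitimate SYN to the mail server."""
    limiter = HalfOpenLimiter(max_total=100, max_per_minute=150, max_per_server=50)
    web, mail = "203.0.113.5:80", "203.0.113.6:25"
    events = [("SYN", 0.0, "192.0.2.10:40001", web),
              ("ACK", 0.1, "192.0.2.10:40001", web)]
    events += [("SYN", 1.0 + i * 0.05, f"198.51.100.{i % 250 + 1}:{5000 + i}", web)
               for i in range(200)]
    events.append(("SYN", 12.0, "192.0.2.11:40002", mail))
    forwarded, dropped = replay(events, limiter)
    return forwarded, dropped, limiter


if __name__ == "__main__":
    fwd, drop, lim = demo()
    print(f"forwarded={fwd} dropped={drop} half_open_now={len(lim.half_open)}")
```

In the constructed scenario the per-server cap is the one that bites: the first 50 flood SYNs are forwarded, the remaining 150 are dropped, and the later SYN to the mail server still gets through because that server's own count is zero. Pairing a per-server limit with the overall and per-minute limits is what keeps one flooded server from consuming the whole half-open budget.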
Web Links
Ping of Death
http://insecure.org/sploits/ping-o-death.html

5.2 Mitigating Network Attacks
5.2.8 IP Spoofing in DoS and DDoS

IP spoofing is a technique an attacker uses to gain unauthorized
access to computers. In IP spoofing, the intruder sends packets
to a computer with a source IP address that indicates that the
packets are coming from a trusted host. To engage in IP spoofing,
the attacker must first use a variety of techniques to find the
IP address of a trusted host and then modify the packet headers
to appear as though packets are coming from that trusted host. In
addition, the attacker can engage other unsuspecting hosts to
also generate traffic that appears to come from the trusted host,
thus flooding the network.

Routers
determine the best route between distant computers by examining
the destination address; unless an anti-spoofing check such as
unicast RPF is configured, routers ignore the source address.
However, the destination machine uses the source address when
it responds. In a
spoofing attack, the intruder sends messages to a computer
indicating that the message has come from a trusted system. For
example, an attacker outside your network pretends to be a
trusted computer, either by using an IP address that is within
the range of IP addresses for your network or by using an
authorized external IP address that your network trusts and
provides specified resource access to. To be successful, the
intruder must first determine the IP address of a trusted
system and then modify the packet headers so that the packets
appear to be coming from the trusted system. The goal of the
attack is to establish a connection that allows the attacker to
gain root access to the host and to create a backdoor entry
path into the target system. Normally, an IP spoofing attack is
limited to the injection of data or commands into an existing
stream of data that passes between a client and server
application or a peer-to-peer network connection, because replies
to the spoofed packets are delivered to the trusted host rather
than to the attacker. To enable bidirectional communication, the
attacker must also divert the return traffic, for example by
altering routing so that packets for the spoofed address are
delivered to the attacker. Another approach the attacker could
take is to simply not worry about receiving any response from the
applications. For example, if an attacker is attempting to get a
system to mail a sensitive file, application responses are
unimportant. If an attacker manages to change the routing tables
to divert network packets for the spoofed IP address, the
attacker can receive all network packets that are addressed to
the spoofed address and reply just as any trusted user.
just as any trusted user. Like packet sniffers, IP spoofing is
not restricted to people who are external to the network. IP
spoofing can also provide access to user accounts and
passwords or be used in other ways. For example, an attacker
can emulate one of your internal users in ways that prove
embarrassing for your organization. The attacker could send
e-mail messages to business partners that appear to have
originated from someone within your organization. Such attacks
are easier to accomplish when an attacker has a user account
and password, but the attacks are also possible when attackers
combine simple spoofing attacks with knowledge of messaging
protocols. These points are summarized in Figure .

IP Spoofing Attack Mitigation

As shown in Figure , the threat of IP spoofing can be reduced,
but not eliminated, using these measures:
- Access control configuration
- Encryption
- RFC 3704 filtering
- Additional authentication

Access Control Configuration
The most common method for preventing IP
spoofing is to properly configure access control. To reduce the
effectiveness of IP spoofing, configure the access control list
(ACL) to deny any traffic from the external network that has a
source address that should reside on the internal network. This
configuration helps to prevent spoofing attacks only if the
internal addresses are the only trusted addresses. If some
external addresses are trusted, this method is not effective.
Encryption

Another way to blunt IP spoofing is to encrypt and authenticate
the traffic between trusted hosts, for example with IPsec. A
packet that carries a forged source address but was not built
with the correct key fails the integrity check and is discarded,
so forging the address alone gains the attacker nothing.

RFC 3704 Filtering

You can prevent your network users from spoofing other networks
(and be a good Internet citizen at the same time) by blocking any
outbound traffic on your network that does not have a source
address in the IP range of your organization. This filtering
denies any traffic that does not have the source address that
was expected on a particular interface. For example, if an ISP
is providing a connection to the network 15.1.1.0/24, the ISP
could filter traffic so that only traffic sourced from
15.1.1.0/24 can enter the ISP router from that interface. Note
that unless all ISPs implement this type of filtering, its
effectiveness is significantly reduced.

Note
RFC 3704 covers ingress filtering for multihomed networks, where
strict unicast RPF can drop legitimate traffic that arrives on an
interface other than the one the router would use to reach its
source; it describes loose and feasible-path RPF modes for that
case. It updates RFC 2827.
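The anti-spoof bullet in the DoS mitigation list, the Access Control Configuration paragraph and the RFC 3704 Filtering section above all describe the same family of checks: an inbound ACL that rejects internal sources arriving from outside, an RFC 2827 egress filter that lets only the organization's own prefix leave, and unicast RPF lookups in strict, feasible-path and loose modes. The following is an added example, not course code, that implements each of those checks as a function over packet source addresses. The organization's block 15.1.1.0/24 is taken from the text's ISP example; the bogon list, interface names, routing table and the function names `inbound_acl`, `outbound_acl` and `urpf` are this example's own constructions.

```python
"""Anti-spoofing filters: border ACL, RFC 2827 egress filter, and the
strict / feasible-path / loose unicast RPF modes of RFC 3704 (added
example, not course code; prefixes, interfaces and routes are constructed
except for 15.1.1.0/24, which comes from the text)."""
import ipaddress

ORG_PREFIXES = [ipaddress.ip_network("15.1.1.0/24")]
# Illustrative bogon list (constructed and deliberately short).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def inbound_acl(src):
    """ACL on the outside interface: deny sources that belong inside, or nowhere."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, ORG_PREFIXES):
        return "deny (internal source arriving from outside)"
    if _in_any(addr, BOGONS):
        return "deny (bogon source)"
    return "permit"


def outbound_acl(src):
    """RFC 2827 egress filter: only packets sourced from our own prefixes may leave."""
    if _in_any(ipaddress.ip_address(src), ORG_PREFIXES):
        return "permit"
    return "deny (source not in organization range)"


# Constructed routing table: prefix -> interfaces through which it is reachable.
ROUTES = {
    ipaddress.ip_network("15.1.1.0/24"):     {"Gi0/1"},           # customer LAN
    ipaddress.ip_network("198.51.100.0/24"): {"Gi0/0"},           # best path via upstream A
    ipaddress.ip_network("198.51.0.0/16"):   {"Gi0/2"},           # aggregate also heard from upstream B
    ipaddress.ip_network("203.0.113.0/24"):  {"Gi0/0", "Gi0/2"},  # equal-cost via both upstreams
    ipaddress.ip_network("0.0.0.0/0"):       {"Gi0/0"},           # default route
}


def urpf(src, ingress, mode="strict", allow_default=False):
    """Unicast RPF check for a packet with source `src` arriving on `ingress`.
    strict:   the best (longest-prefix) route back to src must use the ingress interface
    feasible: any route covering src may use the ingress interface (RFC 3704, for
              multihomed sites whose paths are asymmetric)
    loose:    some route to src merely has to exist
    The default route is ignored unless allow_default is set (mirrors the usual router option)."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifs) for net, ifs in ROUTES.items()
               if addr in net and (allow_default or net.prefixlen > 0)]
    if not matches:
        return False
    if mode == "loose":
        return True
    if mode == "feasible":
        return any(ingress in ifs for _, ifs in matches)
    _, best_ifs = max(matches, key=lambda m: m[0].prefixlen)
    return ingress in best_ifs


if __name__ == "__main__":
    print(inbound_acl("15.1.1.7"), "|", outbound_acl("203.0.113.9"))
    for mode in ("strict", "feasible", "loose"):
        print(mode, urpf("198.51.100.20", "Gi0/2", mode))
```

The case worth noting is 198.51.100.20 arriving on Gi0/2: strict RPF drops it because the best route back points at Gi0/0, while feasible-path RPF accepts it because the less specific 198.51.0.0/16 is reachable through Gi0/2. That is exactly the multihomed situation RFC 3704 was written for; strict mode on such a link would discard legitimate asymmetric traffic, and loose mode would still catch sources for which no route exists at all.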