DISTRIBUTED DENIAL OF SERVICE TESTING METHODOLOGY


From Network Intelligence (India) Pvt. Ltd.
An article on Distributed-Denial-of-Service (DDoS) attacks, their various types and
our methodology for testing the robustness of your network against them.
Distributed Denial-of-Service Testing and Methodology



Document Tracker
Author                Version                           Summary of Changes
Manasdeep             November 2012                     Document Created




   Confidential         Network Intelligence (India) Pvt. Ltd.      Page 2 of 13


                                                NOTICE

This document contains information which is the intellectual property of Network Intelligence. This
document is received in confidence and its contents cannot be disclosed or copied without the prior
written consent of Network Intelligence.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied.
Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including
but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual
property or other rights of any third party or of Network Intelligence; indemnity; and all others. The
reader is advised that third parties can have intellectual property rights that can be relevant to this
document and the technologies discussed herein, and is advised to seek the advice of competent
legal counsel, without obligation of Network Intelligence.

Network Intelligence retains the right to make changes to this document at any time without notice.
Network Intelligence makes no warranty for the use of this document and assumes no responsibility
for any errors that can appear in the document nor does it make a commitment to update the
information contained herein.

Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.
NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt.
Ltd.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners' benefit, without intent to infringe.



NII CONTACT DETAILS
Network Intelligence India Pvt. Ltd.
204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E),
Mumbai 400 069, India
Tel: +91-22-2839-2628
    +91-22-4005-2628
Fax: +91-22-2837-5454
Email: info@niiconsulting.com







Contents
1.   Introduction ................................................................ 5
2.   Rationale for using DDoS attacks against banks .............................. 6
3.   Variants of DDoS attack ..................................................... 7
     a. ReDoS (Regular Expressions DoS Attack) ................................... 7
     b. Billion laughs (XML Parser DDoS) ......................................... 7
     c. Peer-to-peer DDoS attacks ................................................ 8
     d. Permanent denial-of-service attacks ...................................... 8
     e. Distributed reflected denial of service attack (DRDoS) ................... 8
     f. Unintentional denial of service .......................................... 9
4.   Challenges in mitigation defences against DDoS attacks ..................... 10
     a. Rapid scaling of the attacks ............................................ 10
     b. Problem with peer-to-peer DDoS .......................................... 10
     c. Distinguishing between legitimate traffic and attack traffic ............ 10
5.   Our Approach ............................................................... 11







1. INTRODUCTION
 A Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a machine or
 network resource unavailable to its intended users by using multiple hosts attempting
 to connect simultaneously to the victim machine. It generally consists of the efforts of
 one or more people to temporarily or indefinitely interrupt or suspend services of a
 host connected to the Internet. Attackers typically target sites of high-profile web
 servers such as banks, credit card payment gateways, and even root name servers.

 Commonly, the attack involves saturating the target machine with external requests,
 such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered
 effectively unavailable. The objective of these DDoS attacks is to either force the
 targeted computer(s) to reset, or consume its resources so that it can no longer provide
 its intended service.

 Impact
 These attacks violate the acceptable use policies of virtually all Internet service
 providers. They cause huge productivity losses to organizations, as the services
 offered by the organizations are rendered unavailable due to saturation of servers.
 They damage the hard-earned positive brand image of a financial institution through
 rapid erosion of its stakeholders' confidence.

 What can happen due to DDoS?
   a. Rapid consumption of computational resources, such as bandwidth, disk space,
      or processor time.
   b. Disruption of routing information.
   c. Unsolicited resetting of TCP sessions.
   d. Disruption of physical network components in a very short time interval.
   e. Sudden spike or maxing out of processor usage.
   f. Multiple errors triggered in interconnected machines.
   g. Multiple errors in the sequencing of instructions, forcing the connected
      computer into an unstable state or lock-up.
   h. Almost instant resource starvation and/or thrashing in interconnected machines,
      i.e. using up all available resources.







2. RATIONALE FOR USING DDOS ATTACKS AGAINST BANKS
 Although DDoS attacks are quite noisy and easily noticeable by both victims and banks,
 they work largely as a shadow attack. This is a smart diversion technique to camouflage
 the real intention of the hacker, which is to siphon out user data while security and network
 administrators are busy fixing congested data network pipes. DDoS outages also deflect
 attention from bank wire transfers, making the bank unable to reverse the transactions
 (if found). For example, when Sony diverted its technical efforts to counter the DDoS attack
 launched by the Anonymous hacker group, information on more than 100 million customers
 was quietly siphoned off by hackers in the background.

 Additionally, panic waves and knee-jerk reactions are spread among public at large
 when customers find out that they are unable to access their accounts online. Many
 important transactions are simply delayed or rolled back during peak business hours.

 This results in major reputation loss for financial institutions. Banks will be forced to face
 embarrassing litigation if these issues are not promptly fixed. The longer the "Access
 Denied" period lasts, the greater the financial and reputation losses, along with rapid
 depletion of stakeholder confidence, suffered by these financial institutions.







3. VARIANTS OF DDOS ATTACK:
 a. ReDoS (Regular Expressions DoS Attack)
     A Regular Expression Denial of Service (ReDoS) exploits the fact that most
     regular expression implementations can reach extreme situations that cause
     them to work very slowly (exponentially related to input size). An attacker can
     use this to consume resources and leave them hanging for a very long time.

     Evil regexes are those that get stuck on crafted input; which inputs trigger this
     depends on the regular expression matcher that is under attack.

 Necessary factors for an evil regex to occur:
   - The regular expression applies repetition ("+", "*") to a complex sub-expression;
   - For the repeated sub-expression, there exists a match which is also a suffix of
     another valid match.
   - If the regex itself is built from user input, the attacker can inject an evil regex
     and make the system vulnerable.

 A regex is called "evil" if it contains:
   - grouping with repetition, and
   - inside the repeated group, either repetition or alternation with overlapping.

         For example:
             (a+)+
             ([a-zA-Z]+)* and so on....
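As an added example (not part of the original document), the following Python checks a pattern for the nested-repetition shape described above: an unbounded repetition (+, *, {n,}) applied to a group that itself contains an unbounded repetition, which is exactly what (a+)+ and ([a-zA-Z]+)* do. Overlapping alternation such as (a|aa)+ is not covered by this check; backtracking_times shows the exponential growth on short failing inputs, which is what to measure before a regex is deployed against user-controlled input.

```python
import re
import time

UNBOUNDED = {"*", "+"}

def _quantifier_at(pattern, i):
    """If a quantifier starts at pattern[i], return (is_unbounded, index_after_it), else None."""
    c = pattern[i]
    if c in "*+?":
        j = i + 1
        if j < len(pattern) and pattern[j] in "?+":   # lazy (?) or possessive (+) modifier
            j += 1
        return (c in UNBOUNDED, j)
    if c == "{":
        m = re.match(r"\{(\d+)(,(\d*))?\}", pattern[i:])
        if m:
            unbounded = m.group(2) is not None and m.group(3) == ""   # {n,} has no upper bound
            j = i + m.end()
            if j < len(pattern) and pattern[j] in "?+":
                j += 1
            return (unbounded, j)
    return None

def nested_unbounded_repetitions(pattern):
    """Return (start, end) spans of groups that are repeated without bound while
    containing an unbounded repetition themselves, e.g. (a+)+ or ([a-zA-Z]+)*.
    Escapes and character classes are skipped so an escaped parenthesis or [+] is not misread."""
    findings = []
    stack = []        # one entry per open group: [start_index, contains_unbounded_repetition]
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            i += 2
            continue
        if in_class:
            in_class = c != "]"
            i += 1
            continue
        if c == "[":
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":   # a leading ] is a literal inside a class
                i += 1
            continue
        if c == "(":
            stack.append([i, False])
            i += 1
            continue
        if c == ")":
            start, inner_unbounded = stack.pop() if stack else (i, False)
            i += 1
            outer_unbounded = False
            q = _quantifier_at(pattern, i) if i < n else None
            if q:
                outer_unbounded, i = q
                if outer_unbounded and inner_unbounded:
                    findings.append((start, i))
            if stack and (inner_unbounded or outer_unbounded):
                stack[-1][1] = True   # the enclosing group now contains unbounded repetition
            continue
        q = _quantifier_at(pattern, i)
        if q:
            unbounded, i = q
            if unbounded and stack:
                stack[-1][1] = True
            continue
        i += 1
    return findings

def is_evil(pattern):
    """True when the pattern has the nested-repetition shape described in the text."""
    return bool(nested_unbounded_repetitions(pattern))

def backtracking_times(pattern, lengths, suffix="!"):
    """Time re.fullmatch on 'a' * n + suffix; the suffix makes every attempt fail,
    so the engine tries every way of splitting the a's between the two repetitions."""
    compiled = re.compile(pattern)
    times = []
    for n in lengths:
        t0 = time.perf_counter()
        compiled.fullmatch("a" * n + suffix)
        times.append((n, time.perf_counter() - t0))
    return times

if __name__ == "__main__":
    for p in ["(a+)+", "([a-zA-Z]+)*", r"^[a-z]+@[a-z]+\.[a-z]{2,}$"]:
        print(f"{p!r:32} evil={is_evil(p)} spans={nested_unbounded_repetitions(p)}")
    # Kept short on purpose: every four extra characters multiplies the time by about 16.
    for n, secs in backtracking_times("(a+)+", [8, 12, 16]):
        print(f"n={n:2d}  {secs * 1000:8.2f} ms")
```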

 b. Billion laughs (XML Parser DDoS):
         A billion laughs attack is a type of denial-of-service (DoS) attack aimed at
         parsers of XML documents. The attack consists of defining 10 entities, each
         defined as consisting of 10 copies of the previous entity, so that the last one
         expands to one billion copies of the first entity.

         Example:
         <?xml version="1.0"?>
         <!DOCTYPE lolz [
         <!ENTITY lol "lol">
         <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
         <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
         <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
         <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
         <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
         <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
         <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
         <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
         <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
         ]>

         <lolz>&lol9;</lolz>


     When an XML parser loads this document, it sees that it includes one root
     element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined
     entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;"
     string is a defined entity that expands to ten "&lol7;" strings, and so on. After all
     the entity expansions have been processed, this small (< 1 KB) block of XML will
     actually contain 10^9 = a billion "lol"s, taking up almost 3 gigabytes of memory.
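As an added, defender-side example (not from the document), the following Python uses the standard library's expat parser to scan only the DTD of a document, estimate from the declared replacement text how large each entity would expand to without expanding anything, and refuse to parse the body when any entity exceeds a limit. The billion laughs document above is reconstructed inline as test input, and the 1,000,000-character limit is an assumed value.

```python
import re
import xml.parsers.expat
import xml.etree.ElementTree as ET

def _lol_declarations():
    """Rebuild the ten entity declarations from the document's example (constructed input)."""
    lines = ['<!ENTITY lol "lol">']
    prev = "lol"
    for k in range(1, 10):
        name = f"lol{k}"
        lines.append(f'<!ENTITY {name} "' + f"&{prev};" * 10 + '">')
        prev = name
    return "\n".join(lines)

BILLION_LAUGHS = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + _lol_declarations()
                  + "\n]>\n<lolz>&lol9;</lolz>\n")

# Constructed harmless document: one small internal entity, used once.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE note [\n'
          '<!ENTITY co "Network Intelligence">\n]>\n<note>&co;</note>\n')

ENTITY_REF = re.compile(r"&([^;&\s]+);")

class _DoctypeDone(Exception):
    """Raised from the end-of-DTD callback so expat stops before touching the body."""

def entity_expansion_sizes(xml_text):
    """Scan only the DTD and estimate, per internal entity, how many characters it
    expands to. Nothing is expanded: expat hands us the declared replacement text,
    in which references to earlier entities are still literal, so each size is the
    literal text plus the already-computed sizes of the entities it references."""
    sizes = {}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:          # external entity: no inline replacement text
            return
        total, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += m.start() - last
            # Unknown or predefined entity (&amp; etc.): count the reference literally.
            total += sizes.get(m.group(1), len(m.group(0)))
            last = m.end()
        sizes[name] = total + len(value) - last

    def on_doctype_end():
        raise _DoctypeDone

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(xml_text, True)
    except _DoctypeDone:
        pass
    return sizes

def parse_with_entity_limit(xml_text, max_entity_size=1_000_000):
    """Reject the document before parsing if any entity would expand beyond
    max_entity_size characters; otherwise parse it and return the root element."""
    sizes = entity_expansion_sizes(xml_text)
    worst = max(sizes.values(), default=0)
    if worst > max_entity_size:
        raise ValueError(f"entity expansion of ~{worst} characters exceeds limit {max_entity_size}")
    return ET.fromstring(xml_text)

def is_safe(xml_text, max_entity_size=1_000_000):
    """True when the document parses within the entity expansion limit."""
    try:
        parse_with_entity_limit(xml_text, max_entity_size)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name, size in entity_expansion_sizes(BILLION_LAUGHS).items():
        print(f"{name:5} expands to {size:>13,} characters")
    print("billion laughs accepted:", is_safe(BILLION_LAUGHS))
    print("benign document accepted:", is_safe(BENIGN))
```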
c. Peer-to-peer DDoS attacks:
     In this DDoS attack, the attacker acts as a "puppet master" by instructing clients
     of large peer-to-peer file sharing hubs to disconnect from their network and
     connect directly to the victim's website instead. Subsequently, several thousand
     computers aggressively try to connect to the victim's website; web servers
     typically designed to handle a few hundred connections per second fail
     instantly when overwhelmed by requests from five or six thousand
     connections per second.


d. Permanent denial-of-service attacks
     Also called phlashing, this attack damages a system so badly that it requires
     replacement or reinstallation of hardware. It exploits security flaws
     which allow remote administration on the management interfaces of the victim's
     hardware, replacing the device's firmware with a modified, corrupt, or
     defective firmware image. This essentially "bricks" the device, rendering it
     unusable until it can be repaired or replaced.

     PDoS is a pure hardware attack. It can be much faster and requires fewer
     resources than using a botnet. Because of the potential for and high probability of
     security exploits on Network Enabled Embedded Devices (NEEDs), this
     technique is becoming popular.

e. Distributed reflected denial of service attack (DRDoS)
     This attack sends forged requests to a very large number of computers that will
     reply to the requests. Using Internet Protocol address spoofing, the source
     address is set to that of the targeted victim, which means all the replies will go
     to and flood the target site. For example, ICMP Echo Request attacks (Smurf attack) can
     be considered one form of reflected attack.

f. Unintentional denial of service
     A situation in which a website ends up unavailable, not due to a deliberate attack by a
     single individual or group of individuals, but due to a sudden enormous spike in
     popularity. This happens when an extremely popular website posts a prominent
     link to a second, less well-equipped site, for example as part of a news story. The
     result is that a large number of the primary site's users click that link in the space of
     a few hours, having the same effect as a DDoS attack on the target website. An
     attacker can intentionally post an interesting news link which redirects to the
     victim's site, causing a DDoS attack.







4. CHALLENGES IN MITIGATION DEFENCES AGAINST DDOS ATTACKS
a. Rapid scaling of the attacks
 Mitigation mechanisms for DDoS are difficult to maintain because even if we rapidly
 block the large number of IP addresses from which the requests originate, the attacker
 will simply add more zombie computers to scale up the attack. Buying more redundant
 servers for extra load balancing won't be of much help either, as the attacker can scale
 up the attack by merely adding more zombie computers.

b. Problem with peer-to-peer DDoS
 Although peer-to-peer attacks are easy to identify with signatures, even tearing down
 connections takes server resources and can harm the server. This method of attack can
 be prevented by specifying in the peer-to-peer protocol which ports are allowed or not.
 If port 80 is not allowed, the possibilities for attack on websites are very limited.

c. Distinguishing between legitimate traffic and attack traffic
 It gets very difficult to distinguish legitimate traffic from the bogus volume of
 attack traffic coming from a DDoS, as many machines are simultaneously trying
 to connect to the target site, and blocking a few of them won't help as the attacker just
 needs to escalate the attack by adding "new" ones from the "botnet".

 Taking the site "offline" even for a few hours proves self-defeating for any financial
 institution, as thousands to millions of transactions remain stuck or get rolled back,
 causing millions of dollars' worth of business loss to banks etc. during peak trading hours.
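To put numbers on the point above (an added example, not part of the document): the same total request rate is caught by a per-source rate threshold when it comes from five sources, and slips under it entirely when spread across six hundred, although the load arriving at the server is identical. The traffic, the source labels and the 100 requests/second threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

def generate_traffic(total_rps, n_sources, seconds):
    """Constructed traffic, not captured data: total_rps requests per second spread
    evenly over n_sources labelled sources. Returns (timestamp_seconds, source) tuples."""
    requests = []
    for s in range(seconds):
        for k in range(total_rps):
            requests.append((s + k / total_rps, f"src-{k % n_sources}"))
    return requests

def per_source_peak_rate(requests, window=1.0):
    """Highest number of requests any single source sends within one window
    (fixed-width buckets, the simplest form of a per-source rate limiter)."""
    buckets = Counter()
    for ts, src in requests:
        buckets[(src, int(ts // window))] += 1
    peak = defaultdict(int)
    for (src, _bucket), count in buckets.items():
        peak[src] = max(peak[src], count)
    return dict(peak)

def flagged_sources(requests, max_per_second=100):
    """Sources a naive per-IP threshold would block (assumed limit: 100 req/s)."""
    return {src for src, rate in per_source_peak_rate(requests).items()
            if rate > max_per_second}

# Same 6,000 requests/second for two seconds, once from 5 sources, once from 600.
FEW_SOURCES = generate_traffic(6000, 5, 2)
MANY_SOURCES = generate_traffic(6000, 600, 2)

def compare(max_per_second=100):
    """Total requests the server receives and how many sources the threshold catches."""
    return {
        "few": (len(FEW_SOURCES), len(flagged_sources(FEW_SOURCES, max_per_second))),
        "many": (len(MANY_SOURCES), len(flagged_sources(MANY_SOURCES, max_per_second))),
    }

if __name__ == "__main__":
    for label, (total, caught) in compare().items():
        print(f"{label:4} sources: {total} requests, {caught} sources over threshold")
```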







 5. OUR APPROACH
a. Identify the target IP addresses
   We need to find out which IP addresses are publicly hosted on the internet.

   What we need:
   List of the IP addresses hosting critical services on internet

b. Identify the services or resources to attack
   Typically we look for hosted services such as web/application servers, DNS servers,
   email/Exchange servers etc. We explore the known vulnerabilities and public exploits
   for the various products.

   What we need to target:
   Identify services which process a large volume of financial transactions or provide user
   services. Blocking access to them for legitimate users will have the biggest impact on
   the target.

c. Identify the tools needed to overwhelm these offered services or
   resources to make them stop functioning

   Email Systems:
   Email bombs send a massive volume of emails to an address in an attempt to
   overwhelm the server where the emails for the target are hosted and managed.

   Filling up the mailboxes forces the mail servers to reject any legitimate mail arriving at
   the inbox and bounce it back to the sender address, which costs valuable client follow-up
   and loses business opportunities.

   Through poor non-delivery notification design, a considerable proportion of mail
   services currently deployed throughout the Internet may be used as denial of service
   agents. By abusing a small number of vulnerable mail servers within large organizations
   with high Internet bandwidth connectivity, it is possible to cause the complete denial of
   service of critical e-mail services of any targeted organization. It is a simple process of
   abusing multiple SMTP services to cause a Distributed DoS (DDoS) that would increase
   the impact on the target.

   Application and Web Servers:
   The KillApache DDoS tool enables us to crash any Apache web server. It works by stating
   multiple unsorted components in the header, which causes an Apache server to
   malfunction.






   In IIS, a DDoS can be caused by opening many connections so that the IIS pool of the
   victim website goes over its limit and the website goes down with a "service
   unavailable" message. We just need to send a large number of requests to a vulnerable
   IIS server for a successful DDoS attack.

   FTP Servers:
   Misconfigured FTP servers can allow an attacker to upload large files onto the server,
   thus reducing the space and bandwidth available for legitimate users.

   DNS Servers:
   Attackers can exploit unpatched or misconfigured DNS services to resolve domain
   names for external domains. Multiple such requests can cause the server to place
   subsequent legitimate resolution requests on hold or drop those requests.

   Bandwidth Exhaustion:
   Internet-exposed services are provided through the target's internet service provider (ISP).
   These services are given a large dedicated bandwidth to allow users of the service
   constant availability. In a normal scenario, a single attacker (with smaller bandwidth
   pipes) may not be able to fill up the bandwidth pipeline at the target. However, multiple
   such small sources may be able to exhaust the dedicated bandwidth pipe available to
   the target. Some of the popular techniques used to cause bandwidth exhaustion are SYN
   flood, Smurf attack etc.

   What we need:
   - Email addresses of important points of contact (Sales, helpdesk, HR) and
     important individuals.
   - Permission to run a quick scan for critical services like HTTP, FTP, DNS.
   - Multiple dedicated bandwidth links to send excessive traffic to exhaust bandwidth
     resources at the target's internet pipeline.


d. Distribute the attack from multiple machines
   We distribute attacks from different machines which simultaneously point to the target
   machine and send out thousands of requests per second, effectively blocking it.

e. Execute the attack
   The above attacks can be executed in an amplified state using multiple attack origins.






Tools used:

Here are some of the popular tools we use for testing DDoS:
    - LOIC (Low Orbit Ion Cannon) – This performs a distributed-denial-of-service
      (DDoS) attack when used by multiple individuals on a target site by flooding the
      server with TCP packets or UDP packets with the intention of disrupting the
      service of a particular host.
    - HULK (Http Unbearable Load King), a web server DDoS tool.
    - Silent-DDoSer - This Visual Basic tool offers the attack types "UDP", "SYN" and
      "HTTP". Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities,
      and password stealing functions.
    - Net-Weave - A booter/bot and backdoor written in .NET featuring USB
      spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude
      port 80 flood instantiated with a .NET Socket call.
    - DirtJumper v5.0
    - Runescapeddoser – Loaded with over 12500 shells, which is enough to take down any
      home connection even through the biggest firewalls. Also has a built-in
      Runescape name to IP fetcher. After fetching the IP, simply press boot and the IP is
      taken offline for 180 seconds.
    - KillApache tool – An unknown flaw in the code for processing byte range headers
      allows versions 2.2.x of the Apache Web Server to be crippled from a single PC.
      This tool exploits this issue to launch a DDoS attack.





Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Distributed Denial of Service (DDoS) Testing Methodology

Contents

1. Introduction (p. 5)
2. Rationale for using DDoS attacks against banks (p. 6)
3. Variants of DDoS attack (p. 7)
   a. ReDoS (Regular Expressions DoS Attack) (p. 7)
   b. Billion laughs (XML Parser DDoS) (p. 7)
   c. Peer-to-peer DDoS attacks (p. 8)
   d. Permanent denial-of-service attacks (p. 8)
   e. Distributed reflected denial of service attack (DRDoS) (p. 8)
   f. Un-intentional denial of service (p. 9)
4. Challenges in mitigation defences against DDoS attacks (p. 10)
   a. Rapid scaling of the attacks (p. 10)
   b. Problem with peer-to-peer DDoS (p. 10)
   c. Distinguishing between the legitimate traffic and attack traffic (p. 10)
5. Our Approach (p. 11)
1. INTRODUCTION

A Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users by using multiple hosts attempting to connect simultaneously to the victim machine. It generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. Attackers typically target high-profile web servers such as those of banks, credit card payment gateways, and even root name servers. Commonly, the attack involves saturating the target machine with external requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. The objective of these DDoS attacks is either to force the targeted computer(s) to reset, or to consume their resources so that they can no longer provide their intended service.

Impact

These attacks violate the acceptable use policies of virtually all Internet service providers. They cause huge productivity losses to organizations, as the services those organizations offer are rendered unavailable due to saturation of servers. They damage the hard-earned positive brand image of a financial institution by rapidly eroding its stakeholders' confidence.

What can happen due to DDoS?

a. Rapid consumption of computational resources, such as bandwidth, disk space, or processor time.
b. Disruption of routing information.
c. Unsolicited resetting of TCP sessions.
d. Disruption of physical network components in a very short time interval.
e. Sudden spike or maxing out of processor usage.
f. Multiple errors triggered in interconnected machines.
g. Multiple errors in the sequencing of instructions, forcing the connected computer into an unstable state or lock-up.
h. Almost instant resource starvation and/or thrashing in interconnected machines, i.e. using up all available facilities.
2. RATIONALE FOR USING DDOS ATTACKS AGAINST BANKS

Although DDoS attacks are quite noisy and easily noticeable by both victims and banks, they work largely as a shadow attack. This is a smart diversion technique to camouflage the hacker's real intention, which is to siphon out user data while security and network administrators are busy fixing congested data network pipes. DDoS outages also deflect attention from bank wire transfers, leaving the bank unable to reverse the transactions (if found). For example, when Sony diverted its technical efforts to subvert the DDoS attack launched by the Anonymous hacker group, information on more than 100 million customers was quietly siphoned off by hackers in the background.

Additionally, panic and knee-jerk reactions spread among the public at large when customers find out that they are unable to access their accounts online. Many important transactions are simply delayed or rolled back during peak business hours. This results in major reputation loss for financial institutions. Banks will be forced to face embarrassing litigation if these issues are not promptly fixed. The longer the "Access Denied" period lasts, the greater the financial and reputation losses, along with rapid depletion of stakeholder confidence, suffered by these financial institutions.
3. VARIANTS OF DDOS ATTACK

a. ReDoS (Regular Expressions DoS Attack)

The Regular expression Denial of Service (ReDoS) exploits the fact that most regular expression implementations can reach extreme situations that cause them to work very slowly (exponentially in the input size). An attacker can use this to consume resources and leave them hanging for a very long time. Evil regexes are those that get stuck on crafted input; which patterns are evil depends on the regular expression matcher under attack.

Necessary factors for an evil regex to occur:
- The regular expression applies repetition ("+", "*") to a complex sub-expression;
- For the repeated sub-expression, there exists a match which is also a suffix of another valid match.
- If the regex itself is built from user input, the attacker can inject an evil regex and make the system vulnerable.

A regex is called "evil" if it contains:
- Grouping with repetition
- Inside the repeated group:
  - Repetition
  - Alternation with overlapping

For example:
- (a+)+
- ([a-zA-Z]+)*
and so on.

b. Billion laughs (XML Parser DDoS)

A billion laughs attack is a type of denial-of-service (DoS) attack aimed at parsers of XML documents. The attack consists of defining 10 entities, each defined as consisting of 10 of the previous entity, which expands to one billion copies of the first entity.

Example:

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

When an XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on. After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 10^9 = a billion "lol"s, taking up almost 3 gigabytes of memory.

c. Peer-to-peer DDoS attacks

In this DDoS attack, the attacker acts as a "puppet master", instructing clients of large peer-to-peer file sharing hubs to disconnect from their network and connect directly to the victim's website instead. Subsequently, several thousand computers aggressively try to connect to the victim's website; web servers typically designed to handle a few hundred connections per second fail instantly when they are overwhelmed by requests from five or six thousand connections per second.

d. Permanent denial-of-service attacks

Also called phlashing, this attack damages a system so badly that it requires replacement or reinstallation of hardware. It exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, replacing the device's firmware with a modified, corrupt, or defective firmware image. This essentially "bricks" the device, rendering it unusable until it can be repaired or replaced. PDoS is a pure hardware attack. It can be much faster and requires fewer resources than using a botnet. Because of the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique is getting popular.

e. Distributed reflected denial of service attack (DRDoS)

This attack sends forged requests to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to and flood the target site. For example, ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack.

f. Un-intentional denial of service

A situation in which a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but due to a sudden enormous spike in popularity. This happens when an extremely popular website posts a prominent link to a second, less well-equipped site, for example as part of a news story. The result is that a large number of the primary site's users click that link in the space of a few hours, having the same effect as a DDoS attack on the target website. An attacker can intentionally post an interesting news link which redirects to the victim's site, causing a DDoS attack.
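A structural check for the "grouping with repetition, repetition inside the repeated group" shape listed under ReDoS above (3.a). This is an added example written for this page, not code from the original document or from Network Intelligence. It walks the parse tree produced by Python's own regex parser (re._parser on 3.11+, sre_parse before, both internal modules) and flags an unbounded quantifier nested inside another unbounded quantifier. It does not detect the overlapping-alternation case, so a clean result is not proof that a pattern is safe.

```python
"""Flag regexes with an unbounded quantifier nested inside another unbounded
quantifier, e.g. (a+)+ or ([a-zA-Z]+)*.  Added example built on Python's
internal regex parser; not code from the original document."""
try:
    from re import _parser as sre_parse, _constants as sre_constants  # Python 3.11+
except ImportError:  # older interpreters
    import sre_parse, sre_constants

# Quantifier opcodes; POSSESSIVE_REPEAT only exists on 3.11+.
REPEAT_OPS = {
    op for op in (
        sre_constants.MAX_REPEAT,
        sre_constants.MIN_REPEAT,
        getattr(sre_constants, "POSSESSIVE_REPEAT", None),
    ) if op is not None
}
UNBOUNDED = sre_constants.MAXREPEAT  # the "max" value used for +, * and {n,}


def _subpatterns(av):
    """Yield every SubPattern nested inside an opcode argument, whatever the
    opcode: SUBPATTERN carries (group, add_flags, del_flags, p), BRANCH carries
    (None, [p1, p2, ...]), ASSERT carries (direction, p), and so on."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _walk(subpattern, inside_unbounded):
    for op, av in subpattern:
        if op in REPEAT_OPS:
            _lo, hi, body = av
            unbounded = hi == UNBOUNDED
            if unbounded and inside_unbounded:
                return True  # unbounded repetition nested in unbounded repetition
            if _walk(body, inside_unbounded or unbounded):
                return True
        else:
            for child in _subpatterns(av):
                if _walk(child, inside_unbounded):
                    return True
    return False


def has_nested_repetition(pattern):
    """True when `pattern` applies +, * or {n,} to a group that itself contains
    an unbounded +, * or {n,}: the backtracking shape behind (a+)+."""
    return _walk(sre_parse.parse(pattern), inside_unbounded=False)


def lint_patterns(patterns):
    """Return the subset of `patterns` that fail the check, in input order."""
    return [p for p in patterns if has_nested_repetition(p)]


if __name__ == "__main__":
    for p in [r"(a+)+", r"([a-zA-Z]+)*", r"(ab)+", r"^[a-z0-9._-]+@[a-z0-9-]+\.[a-z]{2,}$"]:
        print(f"{p!r:45} nested repetition: {has_nested_repetition(p)}")
```

Run it over the patterns an application compiles from configuration or user input; anything it flags deserves either a rewrite or a matcher with linear-time guarantees.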
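A defensive counterpart to the billion laughs document under 3.b above: before an XML parser is allowed to expand anything, size every entity the DTD declares from its replacement text and refuse the document as soon as one exceeds a limit. This is an added example, not code from the original document or the vendor; it uses Python's expat bindings (xml.parsers.expat), and the one-million-character limit and the constructed sample documents are assumptions.

```python
"""Size XML entities from their DTD declarations and refuse documents that
would blow up on expansion.  Added example built on Python's expat bindings;
not code from the original document."""
import re
import xml.parsers.expat

# A general entity reference such as &lol8; inside an entity's replacement text.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    """A declared entity would expand beyond the configured limit."""


class _RootReached(Exception):
    """Internal signal: the DTD has been read, stop before any content."""


def _scan(xml_text, max_expansion, stop_at_root):
    sizes = {}  # entity name -> fully expanded length in characters

    def expanded_size(value):
        # Literal characters count once; every reference adds the expanded size
        # of the entity it names.  Declarations arrive in document order, so a
        # reference points at an entity already in `sizes` (or at a predefined
        # one such as &amp; or &lt;, which expands to a single character).
        total, last = 0, 0
        for m in ENTITY_REF.finditer(value):
            total += (m.start() - last) + sizes.get(m.group(1), 1)
            last = m.end()
        return total + len(value) - last

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            # External entity: nothing to size, and it can fetch arbitrary data.
            raise EntityExpansionError(f"external entity {name!r} not allowed")
        size = expanded_size(value)
        if size > max_expansion:
            raise EntityExpansionError(
                f"entity {name!r} would expand to {size} characters "
                f"(limit {max_expansion})")
        sizes[name] = size

    def on_start_element(tag, attrs):
        raise _RootReached  # the DTD is complete once the root element starts

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    if stop_at_root:
        parser.StartElementHandler = on_start_element
    try:
        parser.Parse(xml_text, True)
    except _RootReached:
        pass
    return sizes


def entity_expansion_table(xml_text):
    """Expanded size of every entity the DTD declares, computed from the
    declarations alone: parsing stops at the root element, so nothing is
    ever expanded."""
    return _scan(xml_text, max_expansion=float("inf"), stop_at_root=True)


def parse_with_entity_limit(xml_text, max_expansion=1_000_000):
    """Parse the document, aborting on the first entity whose expansion would
    exceed max_expansion characters.  Returns the entity size table."""
    return _scan(xml_text, max_expansion=max_expansion, stop_at_root=False)


def is_safe(xml_text, max_expansion=1_000_000):
    try:
        parse_with_entity_limit(xml_text, max_expansion)
        return True
    except EntityExpansionError:
        return False


def make_billion_laughs(depth=9):
    """Constructed copy of the ten-level document shown in the text above."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n ' + "\n ".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>')


# Constructed benign document with one small entity.
BENIGN = ('<?xml version="1.0"?>\n'
          '<!DOCTYPE doc [ <!ENTITY company "Network Intelligence"> ]>\n'
          '<doc>&company;</doc>')

if __name__ == "__main__":
    table = entity_expansion_table(make_billion_laughs())
    print("lol9 expands to", table["lol9"], "characters")  # 3000000000
    print("billion laughs safe:", is_safe(make_billion_laughs()))  # False
    print("benign safe:", is_safe(BENIGN))  # True
```

The table function stops at the root element, so it can be used to report the expansion sizes of a hostile document without ever paying for them; the limit-enforcing parser is what a service should put in front of any XML it accepts from outside.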
4. CHALLENGES IN MITIGATION DEFENCES AGAINST DDOS ATTACKS

a. Rapid scaling of the attacks

Mitigation mechanisms for DDoS are difficult to maintain because even if we rapidly block the large number of IP addresses from which the requests originate, the attacker will simply add more zombie computers to scale up the attack. Buying more redundant servers for extra load balancing won't be of much help, as the attacker can also scale up the attack by merely adding more zombie computers.

b. Problem with peer-to-peer DDoS

Although peer-to-peer attacks are easy to identify with signatures, even tearing down connections takes server resources and can harm the server. This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited.

c. Distinguishing between the legitimate traffic and attack traffic

It gets very difficult to distinguish legitimate traffic from the bogus volume of attacker's traffic in a DDoS attack, as many machines are simultaneously trying to connect to the target site; blocking a few of them won't help, as the attacker just needs to add "new" ones from the "botnet". Taking the site "offline" even for a few hours proves self-defeating for any financial institution, as thousands to millions of transactions remain stuck or get rolled back, causing millions of dollars' worth of business loss to banks during peak trading hours.
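A small illustration of the point made under 4.c, added here and not part of the original document: a per-source rate limit catches a single chatty client but is blind to the same request volume spread across many sources, which only an aggregate view of the window sees. The log line layout (client IP, epoch second, request line), the window size and both thresholds are assumptions, and the log lines are constructed.

```python
"""Per-source versus aggregate request-rate detection over constructed web
server log lines.  Added example; the log layout, window and thresholds are
assumptions, not the document's own method."""
import re
from collections import Counter, defaultdict

# Assumed layout: <client ip> <epoch second> "<request line>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<req>[^"]*)"$')


def parse_line(line):
    """Return (ip, epoch_second, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    return (m.group("ip"), int(m.group("ts")), m.group("req")) if m else None


def rate_report(lines, window=10, per_source_limit=50, aggregate_limit=500):
    """Bucket requests into fixed windows of `window` seconds.

    Returns (noisy_sources, hot_windows):
      noisy_sources: {ip: peak requests in one window} for IPs above per_source_limit
      hot_windows:   {window_start: total requests} for windows above aggregate_limit
    """
    per_window = defaultdict(Counter)  # window start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        per_window[ts - ts % window][ip] += 1

    noisy, hot = {}, {}
    for start, counter in per_window.items():
        total = sum(counter.values())
        if total > aggregate_limit:
            hot[start] = total
        for ip, n in counter.items():
            if n > per_source_limit:
                noisy[ip] = max(noisy.get(ip, 0), n)
    return noisy, hot


def make_sample():
    """Constructed log: window A carries 600 requests from one client, window B
    the same 600 requests spread over 600 clients; both sit on top of five
    legitimate requests from 192.0.2.10 (private and documentation addresses)."""
    base = 1_700_000_000  # constructed epoch timestamp, aligned to a 10 s window
    lines = []
    for i in range(600):  # window A: one source
        lines.append(f'203.0.113.7 {base + i % 10} "GET /login HTTP/1.1"')
    for i in range(600):  # window B: 600 distinct sources, one request each
        lines.append(f'10.0.{i // 256}.{i % 256} {base + 10 + i % 10} "GET /login HTTP/1.1"')
    for w in (0, 10):  # background traffic in both windows
        for k in range(5):
            lines.append(f'192.0.2.10 {base + w + k} "GET /balance HTTP/1.1"')
    return lines


if __name__ == "__main__":
    noisy, hot = rate_report(make_sample())
    print("sources over the per-source limit:", noisy)  # only 203.0.113.7
    print("windows over the aggregate limit:", hot)     # both windows
```

Both windows carry the same load, yet per-source counting names only the first one's attacker; the second is invisible to it, which is why blocking "a few" addresses does not end a distributed attack and why the aggregate window rate, not the per-address rate, should drive the response.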
5. OUR APPROACH

a. Identify the target IP addresses

We need to find which IP addresses are publicly hosted on the internet.

What we need: List of the IP addresses hosting critical services on the internet

b. Identify the services or resources to attack

Typically we look for hosted services such as Web/Application servers, DNS servers, Email/Exchange servers etc. We explore the known vulnerabilities and public exploits for the various products.

What we need to target: Identify services which process large amounts of financial transactions or provide user services. Blocking access to them for legitimate users will have the biggest impact on the target.

c. Identify the tools needed to overwhelm these offered services or resources to make them stop functioning

Email Systems: Email bombs send a massive volume of emails to an address in an attempt to overwhelm the server where the emails for the target are hosted and managed. Filling up the mailboxes forces the mail servers to reject any legitimate mail arriving at the inbox and bounce it back to the sender address, which costs valuable client follow-up and loses business opportunities. Through poor non-delivery notification design, a considerable proportion of mail services currently deployed throughout the Internet may be used as denial of service agents. By abusing a small number of vulnerable mail servers within large organizations with high Internet bandwidth connectivity, it is possible to cause the complete denial of service of critical e-mail services of any targeted organization. It is a simple process of abusing multiple SMTP services to cause a Distributed DoS (DDoS) that would increase the impact on the target.

Application and Web Servers: The KillApache DDoS tool enables us to crash any Apache web server. It works by stating multiple unsorted components in the header, which causes an Apache server to malfunction.

In IIS, DDoS attacks can target the IIS application pool by opening many connections and making sure that the pool of the victim website is over its limit, so the website goes down with a "service unavailable" message. We just need to send a large number of requests to a vulnerable IIS server for a successful DDoS attack.

FTP Servers: Misconfigured FTP servers can allow an attacker to upload large files onto the server, thus reducing the space and bandwidth available for legitimate users.

DNS Servers: Attackers can exploit unpatched or misconfigured DNS services to resolve domain names for external domains. Multiple such requests can cause the server to place subsequent legitimate resolution requests on hold or drop those requests.

Bandwidth Exhaustion: Internet-exposed services are provided over the target's internet service provider (ISP). These services are given a large dedicated bandwidth to allow users of the service constant availability. In a normal scenario, a single attacker (with smaller bandwidth pipes) may not be able to fill up the bandwidth pipeline at the target. However, multiple such small sources may be able to exhaust the dedicated bandwidth pipe available to the target. Some of the popular techniques used to cause bandwidth exhaustion are SYN Flood, SMURF attack etc.

What we need:
- Email addresses of important points of contact (Sales, helpdesk, HR) and important individuals.
- Permission to run a quick scan for critical services like HTTP, FTP, DNS
- Multiple dedicated bandwidth links to send excessive traffic to exhaust bandwidth resources at the target's internet pipeline

d. Distribute the attack from multiple machines

We distribute attacks from different machines which simultaneously point to the target machine and send out thousands of requests per second, blocking it effectively.

e. Execute the attack

The above attacks can be executed at an amplified scale using multiple attack origins.

Tools used:

Here are some of the popular tools we use for testing DDoS:
- LOIC (Low Orbit Ion Cannon) – This performs a distributed-denial-of-service (DDoS) attack when used by multiple individuals on a target site by flooding the server with TCP packets or UDP packets with the intention of disrupting the service of a particular host.
- HULK (Http Unbearable Load King), web server DDoS tool
- Silent-DDoSer – This Visual Basic tool offers attack types "UDP", "SYN" and "HTTP". Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.
- Net-Weave – It is a booter/bot and backdoor written in .NET and features USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.
- DirtJumper v5.0
- Runescapeddoser – Loaded with over 12500 shells, that's enough to destroy any home connection even through the biggest firewalls. Also has a built-in Runescape name to IP fetcher. After fetching the IP simply press boot and the IPs are taken offline for 180 seconds.
- KillApache tool – An unknown flaw in the code for processing byte range headers allows versions 2.2.x of the Apache Web Server to be crippled from a single PC. This tool exploits this issue to launch a DDoS attack.