Denial of service attacks

Disclaimer: I'm not an expert at this, this post is just about what I've learnt about DOS attacks in the past few days! I do not encourage you to use what you learn here against any individual or company. Do try this at home, at your own risk!

Wikipedia: In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

In simple words, an attacker or a group (In case of a Distributed-DOS) keeps a service busy and unavailable for legitimate users. These denial of service attacks can be done by multiple techniques, some relying on bad OS design (like the ipv6 attack) to others banking on volume like a DDOS attack using a botnet.


Flooding is an attack that is designed to bring a network or service down by flooding it with large amounts of traffic. In a flood a server is hit with many bad connections or incomplete requests that it can no longer process genuine connection requests, either because it has run out of memory or it’s connection pool is exhausted.

An old flood attack is Smurf, in which a large number of ICMP packets with the target’s spoofed IP are sent to a misconfigured network. Since ICMP does not include a handshake, the destination has no way of verifying if the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. The devices on the network now respond by sending a reply to the source ip (which is spoofed) and the target is overwhelmed with packets. This is also called an amplification attack, as the number of packets sent by the attacker is amplified using the misconfigured network.

https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/

Flooding can also be done using a large number of UDP packets, sent to random ports on the target system. As a result, the target will be forced into sending many replies, and becomes unusable for legitimate users. The famous LOIC (Low orbit ion cannon) uses the this method.

A more recent flooding attack is the SYN flood. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. (wiki)

A TCP connection requires a 3 way handshake:

TCP Handshake (wiki)
  1. Client send a SYN to the Server
  2. The server acknowledges by sending SYN-ACK back.
  3. The client responds with an ACK, and the connection is established.
A SYN flood attack works by not responding to the server with the expected ACK code.

The attacker can either just not send the ACK, or he can spoof the source IP, causing the SYN-ACK to be sent to a spoofed IP, which will not reply with a ACK as it never sent the SYN in the first place! This causes half-open-connections to be created and the server runs out of available resources.

Also see: https://samsclass.info/123/proj10/sockstress.htm


An interesting technique is the DNS amplification attack. The attacker sends a DNS look-up request using the spoofed ip of the target to vulnerable DNS servers, or misconfigured DNS resolvers.

See: http://openresolverproject.org/

Thanks cloudflare!

DNS queries are done over UDP, so there is no handshake. By spoofing the source IP, the attacker can make the DNS servers reply to a different IP, i.e. the target. DNS queries send a lot of data as a reply to a tiny query, for example we can send the query

dig ANY isc.org @x.x.x.x

which is a 64 byte query and get a gigantic 3,223 byte response. So, it essentially means that for every 64 bytes of data sent by the attacker to the open DNS resolvers, 50x amount of data is sent back by them to the target IP.

Newer attacks use Network Time Protocol (206x amplification), you can read about it here: https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

Another type of flood attack is the recent IPv6 router advertisement attack, In this type of attack the attacker Generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.

It’s big, and it’s much more interesting when I’m not explaining it: https://samsclass.info/ipv6/proj/RA_flood2.htm

You can see it live here:

Don’t try this at home!

Layer 7 DDOS

The majority of DDoS attacks focus on targeting the transport and network layers. These types of attacks are usually comprised of volumetric attacks that aim to overwhelm the target machine, denying or consuming resources until the server goes offline. Layer 7 attacks target the Application layer of the stack, mimicking human behaviour and are harder to detect. LOIC is capable of doing an HTTP Flood attack, which uses a large number of GET/POSTS.

An HTTP flood attack is a type of Layer 7 application attack that utilizes the standard valid GET/POST requests used to fetch information, as in typical URL data retrievals (images, information, etc.) during SSL sessions. An HTTP GET/POST flood is a volumetric attack that does not use malformed packets, spoofing or reflection techniques. — DDoSAttacks.biz

This explains it perfectly: https://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html

Slowloris: Slowloris is a GET-based DDoS instrument founded on the concept of exhausting server resources with limited investment in the process. Slowloris directly implements HTTP GET attack postures. Once the penetration reaches the application zone, the attacker launches a multitude of requests that have incomplete and time-delayed HTTP refer headers. That’s done in order to keep the HTTP connection open for as long as is needed to deplete the web server threads or resources. (The OWASP Foundation, 2010)

When the server receives a partial HTTP header, it assumes that a user is on an unreliable and slow network, and the rest will arrive in fragmented packets. So the server keeps waiting for the “Slow user”.

Another attack similar to Slowloris is the R.U.D.Y. attack.

R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?”

It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). R.U.D.Y. creates a massive backlog of application threads, while the long ‘’Content-Length’ field prevent the server from closing the connection. Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and create a denial-of-service condition.

Woah, big words. Essentially it means that the attacker gives little information at a time to the server, with the promise of giving it more later.

Acknowledgements:

  1. I thank https://twitter.com/sambowne for the videos and and the learning material!
  2. Wikipedia is a great place to learn a lot, https://en.wikipedia.org
  3. https://www.defcon.org/ archives!
  4. https://blog.cloudflare.com/