Understanding DoS and DDoS Attacks
Recently, a 23-year-old hacker from Utah who launched a series of DDoS attacks against multiple online services, websites and online gaming companies between December 2013 and January 2014 was sentenced to 27 months in prison.
Austin Thompson, a.k.a. “DerpTroll,” pleaded guilty in November 2018, admitting to being part of DerpTrolling, a hacker group behind DDoS attacks on several major online gaming platforms, including Electronic Arts’ Origin service, the Sony PlayStation Network and Valve Software’s Steam, over the Christmas period.
Ethical hacking involves testing whether an organization’s network is vulnerable to outside threats, and denial-of-service (DoS) attacks are one of the biggest threats out there. Being able to mitigate DoS attacks is one of the most sought-after skills for any IT security professional and is a key topic on the Certified Ethical Hacker exam.
According to US-CERT, a Denial-of-Service (DoS) attack occurs when an attacker attempts to prevent legitimate users from accessing information or services. This is done by targeting a user’s system and its network connections, or the systems and network of the sites the user is trying to reach. An attacker may be able to keep users from reaching critical assets (healthcare records, for instance) on a website, a system or even an entire network; on wireless networks, for example, this can be done with deauthentication attacks that repeatedly kick clients off the access point.
These attacks are commonly carried out by flooding a network with traffic, for example SYN, ACK or SYN-ACK packets. To put this into a real-life scenario: when a user types a website’s URL into a browser, the browser sends a request to that site’s server to view the page. An attacker can overload the server with so many requests that valid users cannot get through to the site. An attacker can also use spam to flood a user’s email account: sending countless or very large messages consumes the user’s mailbox quota and prevents them from receiving or sending email.
Attackers use tools such as hping3, Hyenae, LOIC, GoldenEye, OWASP Switchblade and BlackEnergy, among others, as well as misconfigured NTP servers (abused for amplification, since a small request produces a much larger response aimed at the spoofed victim). Many of these tools are open source and come pre-installed in penetration-testing distributions. Ransomware can also be viewed as a denial-of-service attack, since it encrypts your data and keeps it unavailable until a ransom is paid.
In a DDoS (Distributed Denial of Service) attack, the attacker uses many systems to attack a single target. For instance, the attacker may hijack or take control of computers, forcing them to send huge amounts of illegitimate traffic to particular websites or spam to particular email addresses. A large number of computers controlled through malicious software is known as a botnet (the Zeus botnet, for example), and botnets are the usual engine behind DDoS attacks, because the traffic comes from many sources at once and cannot be blocked by filtering a single address.
It was reported on October 29th 2019 that The Pirate Bay, one of the most popular torrent sites, had been offline for almost a week due to a DoS attack. The attackers flooded The Pirate Bay with “searches that break the Sphinx search daemon,” effectively crashing the site and leaving visitors unable to download magnet links or torrent files. Sphinx is an open source full-text search engine, and The Pirate Bay reportedly used an older version of the software. Unlike a volumetric flood, this kind of application-layer attack needs little bandwidth: it only has to find requests that one component cannot handle.
On October 23rd 2019, a team of German cybersecurity researchers disclosed a new cache poisoning attack against web caching systems that an attacker can use to force a targeted website to deliver error pages to most of its visitors instead of legitimate content. Dubbed CPDoS, short for Cache-Poisoned Denial-of-Service, the attack exploits intermediate CDN servers that are configured to cache the error responses returned by the origin server. The attack threatens the availability of a website’s resources with a single HTTP request containing a malformed header (for example one too large for the origin to accept): the origin rejects the request with an error, the cache stores that error under the resource’s URL, and every subsequent visitor asking for that URL is served the cached error instead of the page.
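The following is an added example, not code from the article or from the CPDoS researchers: a toy simulation of the mechanism just described. A shared cache fronts an origin that rejects oversized headers with a 400. A cache that keys only on the URL and stores whatever the origin returns hands that 400 to every later visitor; the hardened cache stores only successful responses the origin marks as cacheable. The header limit, the response bodies and the cache classes are assumptions made for the demonstration and do not describe any real CDN’s behaviour.

```python
"""Added example (not from the original article): a toy model of the
Cache Poisoned Denial of Service (CPDoS) pattern.

All limits, headers and responses below are assumptions for the demo."""
from dataclasses import dataclass, field

MAX_HEADER_BYTES = 8192  # assumed origin limit on total header size


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, headers: dict) -> Response:
    """Toy origin: serves a page, but rejects oversized headers with 400."""
    header_size = sum(len(k) + len(v) for k, v in headers.items())
    if header_size > MAX_HEADER_BYTES:
        # A well-behaved origin marks its error responses as uncacheable.
        return Response(400, "Bad Request", {"Cache-Control": "no-store"})
    return Response(200, f"<html>content of {path}</html>",
                    {"Cache-Control": "public, max-age=3600"})


class VulnerableCache:
    """Keys on the URL only and caches any origin response, errors included."""
    def __init__(self):
        self.store = {}

    def get(self, path: str, headers: dict) -> Response:
        if path not in self.store:
            self.store[path] = origin(path, headers)
        return self.store[path]


class HardenedCache:
    """Caches only 200 responses that the origin allows to be stored."""
    def __init__(self):
        self.store = {}

    def get(self, path: str, headers: dict) -> Response:
        if path in self.store:
            return self.store[path]
        resp = origin(path, headers)
        cacheable = (resp.status == 200
                     and "no-store" not in resp.headers.get("Cache-Control", ""))
        if cacheable:
            self.store[path] = resp
        return resp


def run_attack(cache) -> list:
    """One attacker request with an oversized header, then two normal visitors.
    Returns the status codes the two normal visitors receive."""
    attacker_headers = {"X-Oversized": "A" * (MAX_HEADER_BYTES + 1)}
    normal_headers = {"User-Agent": "Mozilla/5.0"}
    cache.get("/index.html", attacker_headers)  # the poisoning request
    return [cache.get("/index.html", normal_headers).status for _ in range(2)]


if __name__ == "__main__":
    print("vulnerable cache:", run_attack(VulnerableCache()))  # [400, 400]
    print("hardened cache:  ", run_attack(HardenedCache()))    # [200, 200]
```

The check a practitioner would run against a real deployment is the same as the toy: send one request with a header the cache accepts but the origin rejects, then fetch the URL from a clean client and see whether the error comes back. The fix on the cache side is to refuse to store error status codes (and to honour `Cache-Control: no-store`) regardless of what the origin sends.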
DoS and DDoS attacks are likely to escalate in the near future, as the incidents above suggest, especially with the increasing use of IoT (Internet of Things) devices. IoT refers to devices with internet access that communicate and exchange data with each other over the internet without human interaction. It is used in the healthcare, energy and oil sectors, in cars and traffic lights, to mention but a few, and many of these devices ship with weak default credentials and are rarely patched, which makes them easy to recruit into botnets.
Protecting your organization from DoS attacks
There are a number of methods that can be used to defeat denial-of-service attacks, or at least to try. They fall into two categories: mitigation through design and operational mitigation.
Mitigation through design includes establishing the capability for priority-based servicing, egress filtering and ingress filtering. Operational mitigation includes verifying source IP addresses and dropping spoofed packets, rate limiting, learning the characteristics of malicious traffic and dropping it, and learning the characteristics of normal traffic and dropping anomalies. Priority-based servicing can be achieved by marking network traffic with a priority attribute and managing network queues by priority, so that known-good traffic is still served when links fill up.
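Two of the mitigations named above, ingress filtering of spoofed sources and per-source rate limiting, written out as an added example so the mechanics are visible. This is not code from the article: the internal prefixes, the rate and burst values, and the synthetic one-second traffic window are all constructed for the demonstration, and the functions model what a border router ACL or a load balancer’s limiter does rather than replace them.

```python
"""Added example (not from the original article): ingress filtering of
spoofed sources plus a per-source token-bucket rate limiter.

Prefixes, limits and traffic are constructed for the demonstration."""
import ipaddress
from collections import defaultdict

# Assumed: the address space our network owns. A packet arriving on the
# Internet-facing interface with one of these as its source is spoofed.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("203.0.113.0/24")]


def is_spoofed_ingress(src_ip: str) -> bool:
    """BCP 38 style check for a packet seen on the external interface."""
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    return any(addr in net for net in INTERNAL_PREFIXES)


class TokenBucketLimiter:
    """Each source may burst `capacity` packets, then sustain `rate` per second."""
    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def allow(self, src_ip: str, now: float) -> bool:
        # Refill for the time elapsed since this source was last seen,
        # cap at the bucket size, then spend one token if one is available.
        elapsed = max(0.0, now - self.last.get(src_ip, now))
        self.last[src_ip] = now
        self.tokens[src_ip] = min(self.capacity,
                                  self.tokens[src_ip] + elapsed * self.rate)
        if self.tokens[src_ip] >= 1.0:
            self.tokens[src_ip] -= 1.0
            return True
        return False


def filter_traffic(packets, rate=10.0, capacity=20) -> dict:
    """packets: iterable of (timestamp, src_ip), in time order.
    Returns per-source counts of accepted packets and of each drop reason."""
    limiter = TokenBucketLimiter(rate, capacity)
    stats = defaultdict(lambda: {"accepted": 0, "spoofed": 0, "rate_limited": 0})
    for ts, src in packets:
        if is_spoofed_ingress(src):
            stats[src]["spoofed"] += 1        # design-time control: ingress filter
        elif limiter.allow(src, ts):
            stats[src]["accepted"] += 1
        else:
            stats[src]["rate_limited"] += 1   # operational control: rate limit
    return dict(stats)


def synthetic_traffic():
    """Constructed one-second window: one flooder sends 1000 packets, a normal
    client sends 5, and 3 packets arrive claiming internal or loopback sources."""
    pkts = [(i / 1000.0, "198.51.100.7") for i in range(1000)]          # flood
    pkts += [(0.2 * i, "192.0.2.10") for i in range(5)]                # legitimate
    pkts += [(0.5, "10.1.2.3"), (0.6, "203.0.113.9"), (0.7, "127.0.0.1")]  # spoofed
    return sorted(pkts)


if __name__ == "__main__":
    for src, counts in filter_traffic(synthetic_traffic()).items():
        print(src, counts)
```

With a burst of 20 and a sustained rate of 10 per second, the flooder gets roughly 30 packets through in the window and the rest are dropped, while the legitimate client’s five requests are all served because its bucket never empties. The spoofed packets never reach the limiter at all. In production the same logic lives in router ACLs (uRPF or explicit prefix filters) and in the rate-limit module of the load balancer or WAF.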
To reduce the chance of becoming part of, or the target of, a DoS or DDoS attack, US-CERT suggests that you consider:
- Continuously monitoring and scanning for vulnerable and compromised IoT devices on your networks, and following proper remediation actions.
- Creating and implementing password management policies and procedures for devices and their users.
- Ensuring all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Installing and maintaining anti-virus software and security patches. Updating IoT devices with security patches as soon as patches become available is critical.
- Installing a firewall, and configuring it to restrict traffic coming into and leaving your network and IT systems.
- Segmenting networks (for example with demilitarized zones) where appropriate, and applying appropriate security controls to restrict access between network segments.
- Disabling Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Looking for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
- Monitoring Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
- Practicing and promoting security awareness. It is important to know and understand the capabilities of the IT systems and network-capable devices installed on your networks. If a device has an open Wi-Fi connection and transmits data or can be operated remotely, it has the potential to be infected.
- Following good security practices for distributing email addresses. Applying email filters may help entities manage unwanted traffic.
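The two network indicators in the checklist above (Telnet on TCP/23 and TCP/2323 against IoT devices, and connections to TCP/48101) turned into a small detector, as an added example that is not part of the original article or of US-CERT’s guidance. The log line format, the IoT subnet and the sample lines are constructed for the example; the parser would need adapting to your firewall’s real export format.

```python
"""Added example (not from the original article): flag the IoT-related
indicators from the checklist in constructed firewall/flow log lines.

Log format, IoT subnet and sample lines are assumptions for the demo."""
import ipaddress
from collections import Counter

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed IoT VLAN
TELNET_PORTS = {23, 2323}
REPORTING_PORT = 48101   # port the checklist associates with infected devices

# Constructed sample: "<ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2019-10-30T01:00:01Z tcp 198.51.100.23:51022 -> 10.20.4.17:23 allow
2019-10-30T01:00:02Z tcp 198.51.100.23:51023 -> 10.20.4.18:2323 allow
2019-10-30T01:00:03Z tcp 10.20.4.17:40001 -> 203.0.113.77:48101 allow
2019-10-30T01:00:04Z tcp 10.1.1.5:52000 -> 10.20.4.17:443 allow
2019-10-30T01:00:05Z udp 10.20.4.18:50000 -> 8.8.8.8:53 allow
2019-10-30T01:00:06Z tcp 10.20.4.18:40002 -> 10.20.4.19:23 allow
2019-10-30T01:00:07Z tcp 10.1.1.9:52001 -> 192.0.2.8:443 allow
"""


def parse_line(line: str) -> dict:
    ts, proto, src, _arrow, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action}


def classify(rec: dict):
    """Return an indicator name for the record, or None if it is unremarkable."""
    if rec["proto"] != "tcp":
        return None
    dst_in_iot = ipaddress.ip_address(rec["dst_ip"]) in IOT_SEGMENT
    src_in_iot = ipaddress.ip_address(rec["src_ip"]) in IOT_SEGMENT
    if rec["dst_port"] in TELNET_PORTS and dst_in_iot:
        # From outside: a takeover/brute-force attempt. From another IoT host:
        # a device that may already be compromised and trying to spread.
        return "telnet_lateral" if src_in_iot else "telnet_inbound"
    if rec["dst_port"] == REPORTING_PORT and src_in_iot:
        return "report_to_c2_port"
    return None


def detect(log_text: str) -> list:
    """Return (indicator, src_ip, dst_ip, dst_port) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tag = classify(rec)
        if tag:
            hits.append((tag, rec["src_ip"], rec["dst_ip"], rec["dst_port"]))
    return hits


def suspect_devices(log_text: str) -> Counter:
    """Count indicators per IoT host so the noisiest devices surface first."""
    counts = Counter()
    for tag, src, dst, _port in detect(log_text):
        host = dst if tag == "telnet_inbound" else src
        counts[host] += 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(*hit)
    print(suspect_devices(SAMPLE_LOG).most_common())
```

On the sample, the two external Telnet attempts, the report to port 48101 from 10.20.4.17 and the IoT-to-IoT Telnet connection are flagged; ordinary HTTPS and DNS traffic is not. A device that both receives inbound Telnet and then talks to 48101, as 10.20.4.17 does here, is the one to pull from the network first.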