A . J. Seminar Report


CYBER ATTACKS (DOS & DDOS)

A SEMINAR REPORT

Submitted by

ASHISH JAIMAN

In partial fulfillment for the award of the degree

Of

MASTER OF COMPUTER APPLICATIONS

At

SIDDHI VINAYAK College of Science & Hr.Education, ALWAR

Dec. 2013


ABSTRACT

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers.

The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. There are two general forms of DoS attacks: those that crash services and those that flood services.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

DDoS attack tools are readily available, and any Internet host is targetable, either as a zombie or as the ultimate DDoS target. These attacks can be costly and frustrating and are difficult, if not impossible, to eradicate. The best defence is to hinder attackers through vigilant system administration.

TABLE OF CONTENTS


CHAPTER NO. TITLE

ABSTRACT

ACKNOWLEDGEMENT

1 INTRODUCTION

2 IP Spoofing

3 Types of DOS & DDOS Attacks

3.1 Types of DoS Attack

3.2 Types of DDoS Attack

4 Ping of Death

5 LAND Attack

6 Tear Drop Attack

7 SYN Flood Attack

8 ICMP Flood Attack

9 UDP Flood Attack

10 Smurf Attack

11 DDOS Attack

ACKNOWLEDGEMENT


We would like to express our heartfelt gratitude towards our able guide Mr. Lokesh Mittal (Assistant Professor), who was ever willing to offer constructive suggestions and help us out whenever we got stuck.

It is with the deepest sense of gratitude that we thank our Department Head Ms. Gayatri Lalwani for her normal guidance and constant encouragement.

Last but not least, we thank all our teachers and other staff members of Siddhi Vinayak College of Science & Hr. Education for providing an excellent and healthy environment during the seminar work.

CHAPTER 1

INTRODUCTION


Cyber attacks, also referred to as cyber warfare or cyber terrorism in specific situations, are a type of offensive maneuver employed by both individuals and whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that either steal, alter, or destroy a specified target by hacking into a susceptible system. Cyber warfare or cyber terrorism can be as harmless as installing spyware on a PC or as grand as destroying the infrastructure of entire nations. In the 21st century, as the world becomes more technologically advanced and reliant upon computer systems, cyber attacks have become more sophisticated, dangerous, and the preferred method of attack against large groups by "attackers."

DoS attacks and DDoS attacks are both forms of cyber attack.

The traditional intent and impact of DoS (Denial of Service) attacks is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet.

The infrastructure of interconnected systems and networks comprising the Internet is entirely composed of limited resources. Bandwidth, processing power, and storage capacities are all common targets for DoS attacks designed to consume enough of a target's available resources to cause some level of service disruption. An abundance of well-engineered resources may raise the bar on the degree an attack must reach to be effective, but today's attack methods and tools place even the most abundant resources in range for disruption.

DDoS (Distributed Denial of Service) is an advanced version of the DoS (Denial of Service) attack. Much like DoS, DDoS also tries to block important services running on a server by flooding the destination server with packets. The specialty of DDoS is that the attacks do not come from a single network or host but from a number of different hosts or networks which have been previously compromised.

DDoS, like many other attack schemes, can be considered to consist of three participants; we can refer to these as the Master, the Slave, and the Victim. The Master is the initial source of the attack, i.e., the person/machine behind all this (sounds COOL, right?). The Slave is the host or network which was previously compromised by the Master, and the Victim is the target site/server under attack. The Master instructs the Slave(s) to launch an attack on the Victim's site/machine; since the attack comes from multiple sources at once (note that the Master is usually not involved in this phase), it is called a Distributed (or coordinated) attack.

CHAPTER 2

IP SPOOFING


IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. Newer routers and firewall arrangements can offer protection against IP spoofing.

[Figure: IP Spoofing]

CHAPTER 3

TYPES OF DOS & DDOS ATTACKS

DOS:

A DoS (Denial of Service) attack aims to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet.

3.1 Types of DOS Attacks

1 Ping of Death

2 LAND Attack

3 Tear Drop Attack

4 SYN Flood Attack

5 ICMP Flood Attack

6 UDP Flood Attack

7 Smurf Attack

DDOS:

DDoS stands for "Distributed Denial of Service." A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.

Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.

3.2 Types of DDOS Attacks

DDoS attacks can be broadly divided into three types:

Volume Based Attacks: these include UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).

Protocol Attacks: these include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.

Application Layer Attacks: these include Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second.

CHAPTER 4

Ping of Death Attack

A ping of death (abbreviated "PoD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 56 bytes in size (or 84 bytes when the Internet Protocol [IP] header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer.

In early implementations of TCP/IP, this bug was easy to exploit. This exploit has affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.

Generally, sending a 65,536-byte ping packet would violate the Internet Protocol as written in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

In recent years, a different kind of ping attack has become widespread—ping flooding simply floods the victim with so much ping traffic that normal traffic fails to reach the system (a basic denial-of-service attack).

CHAPTER 5

Land Attack

A LAND (Local Area Network Denial) attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up. The security flaw was first discovered in 1997 by someone using the alias "m3lt", and has resurfaced many years later in operating systems such as Windows Server 2003 and Windows XP SP2.

The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously. It is, however, distinct from the TCP SYN Flood vulnerability.

Other LAND attacks have since been found in services like SNMP and Windows 88/tcp (Kerberos/global services). Such systems had design flaws that would allow the device to accept requests on the wire appearing to be from themselves, causing repeated replies.

CHAPTER 6

Tear Drop Attack

Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data.

When a Teardrop attack is run against a machine, it will crash (on Windows machines, a user will likely experience the Blue Screen of Death), or reboot. If you have protected yourself from the winnuke and ssping DoS attacks and you still crash, then the mode of attack is probably teardrop or land. If you are using IRC, and your machine becomes disconnected from the network or Internet, but does not crash, the mode of attack is probably click.
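Both the Ping of Death (Chapter 4) and Teardrop rely on the receiver's fragment reassembly code trusting the fragments it is handed. The following is an added example, not code from the report, of the two checks a defensive reassembler performs: it refuses any fragment whose data would push the datagram past the 65,535-byte limit of RFC 791, and it refuses fragments that overlap data already received. The fragment sets are constructed in memory, and the 20-byte header length is an assumption (no IP options).

```python
"""Defensive IPv4 fragment reassembly (added example, not from the report).

Two checks motivated by the Ping of Death and Teardrop chapters: the reassembled
datagram must not exceed 65,535 bytes (the RFC 791 limit), and fragments must not
overlap. Fragments are constructed in memory; nothing is read from the network.
"""
from dataclasses import dataclass

MAX_IPV4_DATAGRAM = 65535   # 16-bit total length field
IPV4_HEADER_LEN = 20        # assumed: minimal header, no options


@dataclass(frozen=True)
class Fragment:
    offset: int     # fragment offset as carried on the wire, in 8-byte units
    more: bool      # MF flag: more fragments follow
    payload: bytes


class FragmentError(ValueError):
    """Raised when a fragment set would be unsafe to reassemble."""


def reassemble(frags) -> bytes:
    """Join fragments of one datagram, rejecting oversize, overlapping or incomplete sets."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags:
        raise FragmentError("incomplete: no fragments")
    expected_next = 0
    out = bytearray()
    for f in frags:
        start = f.offset * 8
        end = start + len(f.payload)
        # Ping of Death: header plus data beyond the 16-bit length limit would overrun a fixed buffer
        if IPV4_HEADER_LEN + end > MAX_IPV4_DATAGRAM:
            raise FragmentError(f"oversize: fragment ends at byte {IPV4_HEADER_LEN + end}")
        if f.more and len(f.payload) % 8 != 0:
            raise FragmentError("bad-length: non-final fragment is not a multiple of 8 bytes")
        # Teardrop: a fragment that starts before the previous one ended
        if start < expected_next:
            raise FragmentError(f"overlap: fragment at {start} overlaps data up to {expected_next}")
        if start > expected_next:
            raise FragmentError(f"incomplete: missing bytes {expected_next}-{start}")
        out += f.payload
        expected_next = end
    if frags[-1].more:
        raise FragmentError("incomplete: final fragment has MF set")
    return bytes(out)


def verdict(frags) -> str:
    """'ok' or the category of the rejection (oversize, overlap, bad-length, incomplete)."""
    try:
        reassemble(frags)
        return "ok"
    except FragmentError as exc:
        return str(exc).split(":")[0]


# Constructed fragment sets used for the demonstration
BENIGN = [Fragment(0, True, b"A" * 16), Fragment(2, False, b"B" * 5)]
TEARDROP_STYLE = [Fragment(0, True, b"A" * 16), Fragment(1, False, b"B" * 8)]  # starts inside the first piece
OVERSIZE = [Fragment(0, True, b"A" * 8), Fragment(8189, False, b"C" * 20)]     # would end at byte 65,552

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("teardrop-style", TEARDROP_STYLE), ("oversize", OVERSIZE)):
        print(f"{name}: {verdict(frags)}")
```

A real stack also has to bound how long it keeps partial datagrams and how much memory the reassembly queue may use; those limits matter as much as the two checks above, because a flood of never-completed fragments is itself a resource-exhaustion attack.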

CHAPTER 7

SYN Flood Attack

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. Normally when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

1. The client requests a connection by sending a SYN (synchronize) message to the server.

2. The server acknowledges this request by sending a SYN-ACK back to the client.

3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.

A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.
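The resource the flood exhausts is the table of half-open connections. The following added example (a simplified model written for this page, not a real TCP stack and not code from the report) contrasts a classic listener, which allocates an entry per SYN until its backlog is full, with a SYN-cookie listener, which stores nothing and instead encodes a keyed MAC of the peer and a time slot into the initial sequence number it sends, verifying that value when the ACK returns. Peers are (ip, port) tuples, the addresses are from documentation ranges, and the cookie layout (5-bit time slot, 27-bit MAC) is an assumption that follows the general idea rather than any particular operating system.

```python
"""SYN backlog exhaustion versus SYN cookies (added example; a model, not a TCP stack).

Assumptions: peers are (ip, port) tuples; the cookie layout (5-bit time slot in the top
bits of the server's initial sequence number, 27 bits of keyed MAC) follows the general
SYN-cookie idea and is not any particular operating system's implementation.
"""
import hashlib
import hmac

DEMO_SECRET = b"example-only-secret"   # assumed: real servers use a random, rotating secret


class StatefulListener:
    """Classic listener: allocates a half-open entry for every SYN until the backlog is full."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open: dict = {}     # peer -> server ISN; held until an ACK arrives or a timer expires
        self.established: set = set()

    def on_syn(self, peer):
        if len(self.half_open) >= self.backlog:
            return ("dropped", None)  # backlog full: a legitimate client gets no SYN-ACK
        isn = 1000 + len(self.half_open)
        self.half_open[peer] = isn
        return ("syn-ack", isn)

    def on_ack(self, peer, ack: int):
        isn = self.half_open.pop(peer, None)
        if isn is None or ack != isn + 1:
            return "rejected"
        self.established.add(peer)
        return "established"


class SynCookieListener:
    """Keeps no per-SYN state: the ISN it sends is a MAC the returning ACK must reproduce."""

    MAC_MASK = (1 << 27) - 1

    def __init__(self, secret: bytes, time_slot: int):
        self.secret = secret
        self.time_slot = time_slot    # advanced by the caller as time passes; old cookies expire
        self.established: set = set()

    def _cookie(self, peer, slot: int) -> int:
        slot &= 0x1F
        msg = f"{peer[0]}:{peer[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (slot << 27) | (int.from_bytes(mac[:4], "big") & self.MAC_MASK)

    def on_syn(self, peer):
        return ("syn-ack", self._cookie(peer, self.time_slot))   # nothing is stored

    def on_ack(self, peer, ack: int):
        cookie = (ack - 1) & 0xFFFFFFFF
        slot = cookie >> 27
        if (self.time_slot - slot) % 32 > 1:        # cookie from too long ago
            return "rejected"
        if cookie != self._cookie(peer, slot):      # MAC mismatch: forged, or sent by another peer
            return "rejected"
        self.established.add(peer)
        return "established"


def demo(backlog: int = 3, flood_size: int = 50) -> dict:
    """Run both listeners against the same unanswered-SYN flood followed by one real client."""
    # Constructed peers: the flood sources never send an ACK (TEST-NET-3 addresses)
    flood = [(f"203.0.113.{i % 254 + 1}", 40000 + i) for i in range(flood_size)]
    client = ("198.51.100.7", 51515)

    stateful = StatefulListener(backlog)
    for peer in flood:
        stateful.on_syn(peer)
    stateful_reply, _ = stateful.on_syn(client)

    cookies = SynCookieListener(DEMO_SECRET, time_slot=7)
    for peer in flood:
        cookies.on_syn(peer)                        # costs nothing: no table entry is created
    cookie_reply, isn = cookies.on_syn(client)
    return {
        "stateful_client": stateful_reply,                                       # "dropped"
        "cookie_client": cookie_reply,                                           # "syn-ack"
        "cookie_good_ack": cookies.on_ack(client, isn + 1),                      # "established"
        "cookie_forged_ack": cookies.on_ack(client, isn + 4242),                 # "rejected"
        "cookie_wrong_peer": cookies.on_ack(("198.51.100.8", 51515), isn + 1),  # "rejected"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off is that a cookie-based server cannot remember options negotiated in the SYN (real implementations squeeze a few of them into the remaining bits), which is why stacks typically fall back to cookies only once the backlog is under pressure rather than using them for every connection.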

CHAPTER 8

ICMP Flood Attack

The simplicity of the ICMP protocol, and the lack of awareness of the security issues related to it, motivate this chapter, which attempts to illustrate some of the possible attacks using ICMP as a tool. Also included are references to some of the tools that are available for use; in some instances, these have been used for real-world attacks.

ICMP, the Internet Control Message Protocol is an integral part of any IP implementation. Although ICMP messages are sent in IP packets and it uses IP as if it were a higher-level protocol, ICMP is in fact an internal part of IP, and must be implemented in every IP module. ICMP messages are classified into 2 main categories:

• ICMP Error Messages

• ICMP Query Messages

CHAPTER 9


UDP Flood Attack

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:

1. check for the application listening at that port;

2. see that no application listens at that port;

3. reply with an ICMP Destination Unreachable packet.

Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent.

The software UDP Unicorn can be used for performing UDP flooding attacks.

This attack can be managed by deploying firewalls at key points in a network to filter out unwanted network traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them.
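The rate limiting the chapter mentions is what turns a UDP flood from a reply amplifier on the victim into mere inbound load. The following added example (written for this page, not code from the report) replays a constructed stream of UDP datagrams to random ports against a model host and counts how many ICMP Destination Unreachable messages it would send with and without a token-bucket limiter. The listening ports, the 100-per-second rate and the burst of 100 are assumptions, not any operating system's defaults.

```python
"""Effect of ICMP response rate limiting on a UDP flood (added example, not from the report).

A constructed stream of UDP datagrams to random ports is replayed against a model host
that answers each closed port with an ICMP Destination Unreachable unless a token-bucket
limiter suppresses it. Rate and burst values are assumptions.
"""
import random
from collections import Counter

LISTENING_PORTS = {53, 123}   # assumed: the only UDP services the host runs


class TokenBucket:
    """Allow at most `rate` events per second on average, with bursts up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_udp_stream(count: int, seed: int = 1):
    """Constructed input: `count` datagrams spread evenly over one second, random source and port."""
    rng = random.Random(seed)
    return [
        (i / count, f"198.51.100.{rng.randrange(1, 255)}", rng.randrange(1, 65536))
        for i in range(count)
    ]


def replay(stream, listening_ports, limiter=None):
    """Count what the host does with each datagram: deliver it, answer with ICMP, or stay silent."""
    stats = Counter()
    for t, _src, port in stream:
        stats["udp_received"] += 1
        if port in listening_ports:
            stats["delivered_to_app"] += 1
            continue
        stats["closed_port"] += 1
        if limiter is None or limiter.allow(t):
            stats["icmp_unreachable_sent"] += 1
        else:
            stats["icmp_suppressed"] += 1
    return stats


def compare(count: int = 10_000, rate: float = 100.0, burst: int = 100) -> dict:
    """Same flood twice: once answering every closed port, once behind the limiter."""
    stream = make_udp_stream(count)
    return {
        "unlimited": replay(stream, LISTENING_PORTS),
        "limited": replay(stream, LISTENING_PORTS, TokenBucket(rate, burst)),
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, dict(stats))
```

Because the flood's source addresses may be spoofed, the limiter is deliberately global rather than per-source: a per-source bucket would be trivially bypassed by rotating addresses, while a global one bounds the host's outbound ICMP regardless of how the inbound packets are labelled.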

CHAPTER 10

SMURF ATTACK

The Smurf Attack is a denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer is flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

A smurf attack is a type of denial of service attack in which a system is flooded with spoofed ping messages. This creates high computer network traffic on the victim's network, which often renders it unresponsive.

Smurfing takes certain well-known facts about Internet Protocol and Internet Control Message Protocol (ICMP) into account. ICMP is used by network administrators to exchange information about network state, and can also be used to ping other nodes to determine their operational status. The smurf program sends a spoofed network packet that contains an ICMP ping. The resulting echo responses to the ping message are directed toward the victim's IP address. A large number of pings and the resulting echoes can make the network unusable for real traffic.


An assault on a network that floods it with excessive messages in order to impede normal traffic. It is accomplished by sending ping requests (ICMP echo requests) to a broadcast address on the target network or an intermediate network. The return address is spoofed to the victim's address. Since a broadcast address is picked up by all nodes on the subnet, it functions like an amplifier, generating hundreds of responses from one request and eventually causing a traffic overload. See denial of service attack, flooding and ICMP.
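IP spoofing (Chapter 2), the LAND packet (Chapter 5) and Smurf amplification all produce packets that a border device can recognise without keeping any state. The following added example (written for this page, not code from the report) applies three such rules to constructed packets: an Internet-facing interface must not accept a packet claiming one of the protected network's own addresses (ingress filtering in the spirit of RFC 2827 / BCP 38), no packet should have its source equal to its destination, and an ICMP echo request aimed at the subnet broadcast address is dropped so the network cannot serve as an amplifier. The prefix, interface names and sample packets are assumptions.

```python
"""Stateless ingress checks against spoofed, LAND and Smurf-style packets (added example).

Rules: an outside packet carrying one of our own addresses (IP spoofing), a packet whose
source equals its destination (LAND), and an ICMP echo request to the broadcast address
(Smurf amplification). The prefix, interfaces and packets are constructed for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # assumed: the network we protect
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    iface: str                        # "outside" (Internet-facing) or "inside"
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None   # 8 = echo request
    syn: bool = False


def check(pkt: Packet) -> str:
    """Return "accept" or "drop:<reason>" for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # LAND (Chapter 5): nothing on the wire is legitimately addressed from a host to itself
    if src == dst:
        return "drop:land"
    # IP spoofing (Chapter 2): a packet from the Internet cannot carry one of our addresses
    if pkt.iface == "outside" and src in OUR_PREFIX:
        return "drop:spoofed-internal-source"
    # Smurf (Chapter 10): echo requests to a broadcast address only serve as an amplifier
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst in (OUR_PREFIX.broadcast_address, LIMITED_BROADCAST):
        return "drop:directed-broadcast-echo"
    return "accept"


def filter_batch(packets) -> Counter:
    """Tally verdicts over a batch, which is what a monitoring dashboard would chart."""
    return Counter(check(p) for p in packets)


# Constructed sample packets, one per rule plus two that should pass
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.9", "192.0.2.10", "tcp", 40001, 80, syn=True),   # normal SYN from the Internet
    Packet("outside", "192.0.2.10", "192.0.2.10", "tcp", 80, 80, syn=True),        # LAND: src == dst, sport == dport
    Packet("outside", "192.0.2.55", "192.0.2.10", "udp", 5353, 53),                # claims an internal source
    Packet("outside", "203.0.113.4", "192.0.2.255", "icmp", icmp_type=8),          # echo request to our broadcast
    Packet("inside", "192.0.2.10", "198.51.100.9", "tcp", 80, 40001),              # reply leaving our network
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.iface:7} {p.src:>13} -> {p.dst:<13} {p.proto:4} {check(p)}")
    print(dict(filter_batch(SAMPLE_PACKETS)))
```

The same ingress rule applied in the other direction (drop packets leaving the network whose source is not in OUR_PREFIX) is what stops hosts inside the network from being used as the spoofing source in someone else's Smurf or SYN flood.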


CHAPTER 11

DDOS ATTACK

DDOS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems -- which are usually infected with a Trojan -- are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

According to this report on eSecurityPlanet, in a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.


What is a distributed attack?

One DDoSer can do a lot of damage. These denial of service attacks are called distributed because they come from many computers at once. A DDoSer controls a large number of computers that have been infected by a Trojan virus. The virus is a small application that allows remote command-and-control capabilities of the computer without the user’s knowledge.

What is a zombie and a botnet?

The virus-infected computers are called zombies – because they do whatever the DDoSer commands them to do. A large group of zombie computers is called a robot network, or botnet.

Your computer could be part of a botnet without your knowledge. You might not notice any difference, or you might notice your computer is not as fast as it used to be. That’s because it may be busy participating in a DDoS attack at the same time you are using it. Or, you might find out that your computer is infected when your Internet service provider (ISP) drops your service because your computer is sending an unusually high number of network requests.

What is a DDoS command-and-control server?

Zombie computers in a botnet receive instructions from a command and control server, which is an infected web server. DDoSers who have access to a command and control (C&C or CC) server can recruit the botnet to launch DDoS attacks. Prolexic has identified more than 4,000 command-and-control servers and more than 10 million zombies worldwide. We track them and notify law enforcement to disable them when possible.

Many types of DDoS attacks

There are many types of DDoS attacks. They target different network components – routers, appliances, firewalls, applications, ISPs, even data centers – in different ways. There is no easy way to prevent DDoS attacks, but Prolexic has a proven DDoS protection approach that works to minimize the damage and let your system keep working during an attack.

DDoS attackers use a variety of DDoS attack methods. The malicious hacker group Anonymous, for example, started with a tool that could launch Layer 7 DDoS attacks and Layer 3 DDoS attacks from any computer. These attacks had a common attack signature – that is, common code. As a result, the attacks could be detected and mitigated (stopped) fairly easily.

It’s a game of cat and mouse. The cat learns about what the mouse is doing, so the mouse changes tactics to avoid getting caught. DDoSers got smarter and started randomizing their attack signatures and encrypting their code. Some even started using browsers to visit a web page and feed harmful code to a web application on the site.

Although application-layer DDoS attacks are more difficult to recognize, DDoS mitigation experts in our Security Operations Center (SOC) know what to look for, and we are always looking. Our anti-DDoS experts monitor and analyze these attacks all the time, day and night, and block the DDoS attacks that target our clients.

What are application layer 7 DDoS attacks?

Application layer 7 (L7) attacks may not create such high volumes of network traffic, but they can harm your website in a more devastating way. They might activate some aspect of a web application, such as posting different user names and passwords, or targeting a shopping cart or search engine.

Many of the high profile e-Commerce outages are the result of Layer 7 application attacks. The biggest issue is that Layer 7 attacks change and randomize very fast. Anything a visitor can access an attacker can too – and it looks the same to an IT administrator.
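The two properties this chapter describes, traffic from so many sources that blocking one address is pointless and Layer 7 requests that each look legitimate, are exactly what a detector should measure before anyone decides on a response. The following added example (written for this page, not code from the report) parses constructed web-server access log lines in Common Log Format, aggregates them per second, flags seconds whose request rate is far above a baseline, and reports how many distinct sources contributed and what share the busiest single source had. The addresses, paths, baseline of 2 requests per second and threshold factor of 10 are assumptions.

```python
"""Spotting a distributed application-layer flood in an access log (added example, not from the report).

Constructed Common Log Format lines are aggregated per second; a second whose request rate
is far above the baseline is flagged together with the number of distinct sources and the
busiest source's share, which shows whether blocking one address could help at all.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line: str):
    """Return (ip, epoch_second, request) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(when.timestamp()), request


def make_sample_log():
    """Constructed: 10 s of quiet traffic, then 5 s of 200 req/s spread over 1000 sources."""
    start = datetime(2013, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(sec, ip, path):
        ts = (start + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(10):                       # baseline: 2 requests/s from five regular clients
        for k in range(2):
            emit(sec, f"192.0.2.{10 + (sec * 2 + k) % 5}", f"/page/{sec}")
    for sec in range(10, 15):                   # flood: 200 different sources each second
        for k in range(200):
            n = (sec * 200 + k) % 1000
            emit(sec, f"198.18.{n // 256}.{n % 256}", "/search?q=x")
    return lines


def per_second(lines):
    """Map each second to a Counter of requests per source address."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, sec, _request = rec
            buckets[sec][ip] += 1
    return buckets


def find_floods(lines, baseline_rps: float, factor: float = 10.0):
    """Seconds at or above factor * baseline, with how spread out their sources were."""
    alerts = []
    for sec, sources in sorted(per_second(lines).items()):
        total = sum(sources.values())
        if total >= factor * baseline_rps:
            _top_ip, top_n = sources.most_common(1)[0]
            alerts.append({
                "second": sec,
                "requests": total,
                "distinct_sources": len(sources),
                "top_source_share": top_n / total,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_floods(make_sample_log(), baseline_rps=2):
        print(alert)
```

A top-source share of 0.5 percent, as in the constructed flood, says that blocking the single busiest address would remove half a percent of the load; the useful responses at that point are per-path rate limits, challenge pages for the hammered endpoint, or upstream scrubbing rather than address blocking.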
