Analysis of an Intrusion: DOS Attack

What is DOS?

Denial of Service (DOS) attacks are a type of malicious activity aimed at disrupting the availability of a server or service so it can no longer deliver its functionality. Such attacks are motivated either politically (e.g. rival countries or rival parties), financially (e.g. to incapacitate a competitor), in protest (e.g. by activists such as Anonymous) or simply for bragging rights. There are several variations of DOS attacks, depending on how the attack is carried out, and whether it comes from a single source, or multiple sources.

DOS attacks can be carried out by simply flooding a service/server with legitimate requests, so that it can no longer reply in a timely fashion and eventually ceases functioning. An alternative is to exploit an existing vulnerability in the service that allows deployment of malware to consume resources or cause the service to crash or become unresponsive.

Since flood-based DOS attacks require multiple simultaneous requests/connections to a service, the attacker requires a lot of computing power and bandwidth. Most such attacks make use of a large number of computers, and this often involves hijacking computers, turning them into so-called “zombies”, and using them as the source of the attack. In this case, the DOS attack is known as being distributed (DDOS) as it uses multiple, distinct attack sources spread over a large geographical area. The attacker would either need to be in control of a botnet, or purchase the use of part of a botnet from the black market for such an attack.

Distributed denial of service attacks are popular since it is difficult to protect against them. Simple DOS attacks are detected by firewalls or intrusion detection systems, and the source IP can be automatically blocked, causing the attack to fail. On the other hand, blocking the source of a DDOS is rather complicated, as it is difficult to distinguish between a legitimate connection and one that is part of the DDOS.
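The difference between the two cases can be seen in a simple rate detector. The example below is added here and is not code from the article or from Acunetix; it runs over constructed connection-log lines (timestamp, source IP, destination port) and reports whether a window is quiet, flooded by one dominant source that a firewall could block, or flooded by many sources with no single IP to block. The thresholds are assumptions chosen for the sample data.

```python
from collections import Counter

# Thresholds (assumptions for this example, not from the article): a window is
# "flooded" when total connection attempts exceed WINDOW_LIMIT; a single source
# is "blockable" when it alone accounts for at least SOURCE_SHARE of the flood.
WINDOW_SECONDS = 10
WINDOW_LIMIT = 200
SOURCE_SHARE = 0.5

def parse_line(line):
    """Parse one constructed log line: '<epoch_seconds> <src_ip> <dst_port>'."""
    ts, src, port = line.split()
    return int(ts), src, int(port)

def analyse_window(lines, window_start):
    """Classify traffic in [window_start, window_start + WINDOW_SECONDS).

    Returns (verdict, culprit):
      'normal'       - volume below WINDOW_LIMIT, culprit is None
      'single-flood' - one source IP (culprit) dominates; a firewall/IDS can
                       simply block it
      'distributed'  - no dominant source (culprit is None); per-IP blocking
                       does not help because bots look like ordinary clients
    """
    counts = Counter()
    for line in lines:
        ts, src, _ = parse_line(line)
        if window_start <= ts < window_start + WINDOW_SECONDS:
            counts[src] += 1
    total = sum(counts.values())
    if total <= WINDOW_LIMIT:
        return "normal", None
    top_ip, top_hits = counts.most_common(1)[0]
    if top_hits / total >= SOURCE_SHARE:
        return "single-flood", top_ip
    return "distributed", None

# Constructed sample traffic (not real captures); all timestamps fall in one window.
def _make_sample(sources, hits_per_source, start=1000):
    return [f"{start + i % WINDOW_SECONDS} {src} 80"
            for i in range(hits_per_source) for src in sources]

BACKGROUND = _make_sample([f"198.51.100.{i}" for i in range(1, 11)], 5)       # 10 clients x 5 hits
SINGLE_SOURCE_FLOOD = BACKGROUND + _make_sample(["203.0.113.7"], 400)        # one IP, 400 hits
DISTRIBUTED_FLOOD = BACKGROUND + _make_sample([f"192.0.2.{i}" for i in range(1, 101)], 4)  # 100 bots x 4

if __name__ == "__main__":
    for name, log in [("background", BACKGROUND), ("single", SINGLE_SOURCE_FLOOD),
                      ("distributed", DISTRIBUTED_FLOOD)]:
        print(name, analyse_window(log, 1000))
```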

An increasing trend both in incidence and attack strength

According to the Prolexic Q1 2014 Global Attack Report, in the US the incidence of DOS attacks increased in Q1 2014 by 18% compared to Q4 2013, and by 47% compared to Q1 2013. Attack parameters such as average attack bandwidth and duration saw a similar consistent increase, a sign that the strength of the attacks is on a similar upward trend. The most popular targets are vulnerable protocols like Character Generation Protocol (CHARGEN), Network Time Protocol (NTP) and Domain Name System protocol (DNS). Most of these services are often enabled (although not needed in most cases) and are all UDP based, allowing attackers to easily hide their identity and the source of the attack. More than 87% of the attacks take place at infrastructure level, while the rest take place at application level, mostly targeting the SSL and HTTP protocols. The most popular attack vector remains SYN with an incidence of 19%, followed by NTP with 16%. NTP saw the biggest increase, from less than 1% in 2013 to 16% in Q1 2014.

A typical DOS attack

1. Preparation

This stage is mainly about gathering information about the specific target. The activities done at this stage are very important since they will help the attacker decide what tools, attack vectors and methodologies are likely to result in a successful attack.

  • Port scanning: Attackers use port scanning in order to identify open ports. Open ports are an important prerequisite for an attack. If there are no open ports that can be exploited easily, the attacker is likely to give up or focus on more complex application layer attacks targeting common open ports like HTTP or SSL. The result of port scanning is a list of open ports, from which the attacker selects the ones corresponding to vulnerable services that can be targeted.
  • Identification of the services running on open ports (fingerprinting): At this stage the attacker tries to identify the software that is listening on the open port. This can be done using various methods such as banner grabbing or protocol-specific queries. Depending on the software, the attacker will often manage to determine the version of the application running on the server. Using this knowledge, the attacker can easily identify outdated software versions that are susceptible to various types of attacks.
  • Gathering information about the network infrastructure between the Internet-facing services and the clients they serve: The attacker can choose to attack the communication channel between the target service and its clients, for example by altering routing or DNS configurations or disabling network devices, rather than attacking the service directly. The end result is the same: users are denied access to the service.

2. Execution

Running a vulnerability-based, DOS attack

In this case, it is essential that the attacker finds a vulnerability that can be exploited in order to either send crafted requests that cause a service to hang or crash, or install malware designed to consume the physical resources of the server. Alternatively, more severe vulnerabilities may allow changes to the configuration of the service, which renders it unusable by Internet clients. Once the vulnerability is identified, the attacker proceeds with the appropriate methodology, using specific tools designed to carry out the malicious activities.

Running a flood-based, Distributed DOS attack

In this case, the attacker must be in control of a large number of computers which can be instructed to execute specific requests against the target, in a synchronized manner and for a specific period of time. The so-called “bots” are malicious software agents installed on computers belonging to third parties, which allow the attacker to define a target in terms of IP, port/protocol, timeframe, etc. Once a trigger is sent from the attacker, the bots execute the designated requests, and the attacker relies on the sheer number of requests per second to bring the server’s processing power to its knees, causing it to cease responding to legitimate clients.

The existence of a vulnerability is not a precondition of this type of attack, in the sense that the attack itself does not rely on vulnerabilities to execute. However, controlling a large “army” of bots usually implies exploiting vulnerabilities on the third-party computers. Most bots are deployed either via social means (freebies, malware on social networks, malicious shareware programs, etc.), by exploiting endpoint vulnerabilities that allow software installation, or by exploiting web vulnerabilities such as Persistent XSS (as shown in this example).

3. Monitoring attacks in progress and measuring results

Most attackers have access to tools which allow them to measure the results of the distributed denial of service attack. Such tools give indications of the total number of requests sent to a single target, the bandwidth consumed and so on, allowing the attacker to better understand the processing power and hardware capabilities of the target. The same tools allow the attacker to increase the number of zombies attacking the target, or to alter the attack parameters as needed.

How do vulnerability and network scanners help?

A critical stage in carrying out a DOS attack is the preparation stage, and that is where vulnerability and network scanners come into play. They do the same job as the tools attackers use for collecting information: port scanning, fingerprinting and vulnerability detection. Running such tools on Internet-facing servers helps identify unnecessary open ports and service/application vulnerabilities before attackers do.

In addition, such network scans can also reveal open ports used by attackers to communicate with bots installed on corporate computers which may have been infected and turned into zombies, unknowingly forming part of a botnet army that takes part in such DDOS attacks. Such zombie machines are difficult to detect, since they function normally and only occasionally exchange minimal information. These machines do not show up as top bandwidth consumers, nor as using too many machine resources. At the same time, they often go undetected by antivirus software for a very long time.
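Because a zombie's check-ins are small and do not stand out in bandwidth totals, a useful complementary check is to look for their regularity rather than their volume. The example below is added here and is not code from the article or from Acunetix; it runs over constructed flow records (timestamp, internal source, external destination, bytes) and flags internal-to-external pairs whose flows are small and evenly spaced, the beaconing pattern of a bot contacting its controller. The thresholds are assumptions chosen for the sample data.

```python
import statistics
from collections import defaultdict

# Detection thresholds (assumptions for this example, not from the article).
MIN_FLOWS = 6         # enough samples to judge periodicity
MAX_JITTER = 0.15     # coefficient of variation of the gaps between flows
MAX_MEAN_BYTES = 512  # "minimal information" per exchange

def parse_flow(line):
    """Parse a constructed flow record: '<epoch_seconds> <src_ip> <dst_ip> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)

def find_beacons(lines):
    """Return {(src, dst): (flows, mean_gap_s, jitter, mean_bytes)} for pairs
    whose traffic is small and evenly spaced. Bulky or irregular traffic,
    such as a user browsing, is ignored even if it moves far more data."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse_flow(line)
        by_pair[(src, dst)].append((ts, nbytes))
    beacons = {}
    for pair, flows in by_pair.items():
        if len(flows) < MIN_FLOWS:
            continue
        flows.sort()
        gaps = [b[0] - a[0] for a, b in zip(flows, flows[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        mean_bytes = statistics.mean(n for _, n in flows)
        if jitter <= MAX_JITTER and mean_bytes <= MAX_MEAN_BYTES:
            beacons[pair] = (len(flows), mean_gap, jitter, mean_bytes)
    return beacons

# Constructed sample flows (not real captures): 10.0.0.23 checks in with
# 198.51.100.9 roughly every 5 minutes with ~100 bytes, while 10.0.0.42 is a
# workstation browsing 203.0.113.80 in irregular, much larger bursts.
ZOMBIE_FLOWS = [f"{1000 + 300 * i + (i % 3) * 7} 10.0.0.23 198.51.100.9 {96 + (i % 2) * 8}"
                for i in range(8)]
NORMAL_FLOWS = [f"{ts} 10.0.0.42 203.0.113.80 {nbytes}" for ts, nbytes in
                [(1005, 48213), (1020, 9012), (1300, 120500), (1310, 7300),
                 (2100, 66000), (2110, 4100), (2500, 91000), (2503, 3200)]]

if __name__ == "__main__":
    for pair, stats in find_beacons(ZOMBIE_FLOWS + NORMAL_FLOWS).items():
        print("possible beacon:", pair, stats)
```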

IT admins can be equipped with the same information as the potential attackers, plus the extra information that tools like Acunetix Online Vulnerability Scanner provide, including information on why certain ports are dangerous and on how to fix vulnerabilities or mitigate the risk of them being exploited. Consequently, when using vulnerability and network scanners, IT admins have the edge: more information, delivered in time for corrective actions to be taken. For best results, IT admins should run scheduled vulnerability and network assessments on their servers frequently, as attackers may already be doing so, and new vulnerabilities are being exposed every day.
