Denial of Service
• An attack designed to disrupt or completely deny legitimate users' access to networks, servers, services, or other resources
• Two basic flavors:
  – Target resource starvation
  – Network bandwidth consumption
Resource Starvation
Land Attack 1
• Targets MS Windows NT 4.0 boxes before SP4
• UDP port 135 (the RPC endpoint mapper)
• The forged packet makes it appear as if one RPC server sent bad data to another RPC server
  – The two ends bounce REJECT packets back and forth in a loop
• Note: the classic Land packet is a spoofed TCP SYN whose source address and port equal the destination's, so the host answers itself; the RPC-loop variant described here and on the next slide is the one known as Snork
Land Attack 2 – Snork
• Against MS Windows NT 4.0 boxes
• Allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU
• http://www.securityfocus.com/bid/2234
WinNuke Attack
WinNuke Attack – Con't
• CVE-1999-0153
• The attack connects to one of the three NetBIOS ports (137–139) and sends an out-of-band (OOB) "nuke"
• The exploit consists of setting the URG (with PSH) flag but not following it with in-band data
  – When a vulnerable Windows NT host is successfully attacked, it crashes
One Dangerous Packet
• IP version 0 and an IP header length (IHL) of 0
• Kills certain processes that listen promiscuously on a network, i.e. tools that parse every frame they capture and trust the header-length field
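As an added example (not code from the slides), here is the check a packet parser needs in order to survive the version-0 / IHL-0 packet, together with a detection heuristic for the WinNuke packet exactly as the previous slide describes it: URG set toward a NetBIOS port with no in-band data behind the urgent pointer. Addresses, port numbers and the three sample packets are constructed for the example; checksums are left at zero because nothing here verifies them.

```python
import struct

TCP_URG = 0x20
TCP_PSH = 0x08
TCP_ACK = 0x10
NETBIOS_PORTS = {137, 138, 139}   # the three ports WinNuke targets
IPPROTO_TCP = 6


class MalformedPacket(ValueError):
    """Raised for headers a safe parser must refuse rather than trust."""


def parse_ipv4(buf):
    """Validate the fixed part of an IPv4 header before using any field in it."""
    if len(buf) < 20:
        raise MalformedPacket("truncated IPv4 header")
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4:
        raise MalformedPacket("IP version %d is not 4" % version)
    if ihl < 20:                      # IHL 0 would make every later offset wrong
        raise MalformedPacket("header length %d below the 20-byte minimum" % ihl)
    total_len = struct.unpack("!H", buf[2:4])[0]
    if not ihl <= total_len <= len(buf):
        raise MalformedPacket("total length inconsistent with header length / buffer")
    return {
        "proto": buf[9],
        "src": ".".join(map(str, buf[12:16])),
        "dst": ".".join(map(str, buf[16:20])),
        "payload": buf[ihl:total_len],
    }


def parse_tcp(seg):
    """Parse the fixed TCP header; returns ports, flags, urgent pointer and in-band payload."""
    if len(seg) < 20:
        raise MalformedPacket("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(seg):
        raise MalformedPacket("bad TCP data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "urg_ptr": urg_ptr, "payload": seg[data_off:]}


def classify(buf):
    """'malformed' for the version-0 / IHL-0 packet, 'winnuke' for an OOB nuke, else 'ok'."""
    try:
        ip = parse_ipv4(buf)
        if ip["proto"] != IPPROTO_TCP:
            return "ok"
        tcp = parse_tcp(ip["payload"])
    except MalformedPacket:
        return "malformed"
    # Heuristic from the slide: URG set toward a NetBIOS port, urgent pointer pointing past
    # whatever in-band data is present (none, in the classic case).
    if tcp["dport"] in NETBIOS_PORTS and tcp["flags"] & TCP_URG and tcp["urg_ptr"] > len(tcp["payload"]):
        return "winnuke"
    return "ok"


def build_ipv4_tcp(src, dst, sport, dport, flags, urg_ptr=0, payload=b"", version=4, ihl_words=5):
    """Build constructed test packets (no real capture); checksums stay zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed samples: an OOB nuke, an ordinary NetBIOS session segment, and the version-0/IHL-0 packet.
NUKE = build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40000, 139, TCP_PSH | TCP_URG | TCP_ACK, urg_ptr=3)
SMB_DATA = build_ipv4_tcp("192.0.2.20", "192.0.2.10", 40001, 139, TCP_PSH | TCP_ACK, payload=b"\x00\x00\x00\x04SMB")
DANGEROUS = build_ipv4_tcp("203.0.113.7", "192.0.2.10", 1, 1, 0, version=0, ihl_words=0)

if __name__ == "__main__":
    for name, pkt in (("NUKE", NUKE), ("SMB_DATA", SMB_DATA), ("DANGEROUS", DANGEROUS)):
        print(name, classify(pkt))
```

The parser refuses the dangerous packet before any field derived from the header length is used; a sniffer that instead computes `buf[ihl:]` with `ihl == 0` reparses the IP header as the transport header, which is the kind of confusion the slide's packet relies on.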
Telnet DoS Attack
• A DoS attack against old SunOS and Solaris systems
• Floods the victim's telnet daemon with Ctrl-D characters (0x04)
• The target cannot cleanly close the connection with a FIN packet and resorts to sending RST packets
• When the attack stops, the target machine slowly returns to normal
Bandwidth Consumption
Smurf Attack
Smurf Attack
• Two main components
  – Forged ICMP echo request packets (source address set to the victim)
  – Packets directed to an IP broadcast address
• Amplification attack
  – One packet generates many responses, one from every host on the broadcast segment that answers
• Three parties:
  – The attacker
  – The intermediary (the network whose broadcast address is abused)
  – The victim
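As an added example (not from the slides), the ingress check an intermediary network would run against the two components above: flag ICMP echo requests addressed to one of its own directed-broadcast addresses, group them by the forged source (which is the real victim), and estimate the amplification. The subnets, the packet records and the per-subnet responder counts are constructed for the example.

```python
import ipaddress
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Assumed subnets of the intermediary network whose broadcast addresses get abused.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
# Assumed number of hosts on each subnet that answer a broadcast ping.
RESPONDERS = {"192.0.2.0/24": 200, "198.51.100.0/25": 90}

# Constructed packet records (src, dst, proto, icmp_type) standing in for a capture; not real traffic.
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),     # forged: source is the victim
    ("203.0.113.5", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    ("203.0.113.5", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    ("203.0.113.5", "198.51.100.127", "icmp", ICMP_ECHO_REQUEST),  # second broadcast address
    ("192.0.2.20", "192.0.2.10", "icmp", ICMP_ECHO_REQUEST),       # ordinary unicast ping
    ("192.0.2.21", "192.0.2.255", "udp", None),                    # broadcast, but not ICMP echo
    ("192.0.2.10", "203.0.113.5", "icmp", 0),                      # echo reply leaving toward the victim
]


def broadcast_network(dst, local_nets=LOCAL_NETS):
    """Return the local network whose directed-broadcast address is dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in local_nets:
        if addr == net.broadcast_address:
            return net
    return None


def is_smurf_request(src, dst, proto, icmp_type, local_nets=LOCAL_NETS):
    """Ingress filter rule: an ICMP echo request addressed to one of our broadcast addresses."""
    return (proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST
            and broadcast_network(dst, local_nets) is not None)


def find_smurf_victims(packets, local_nets=LOCAL_NETS):
    """Group matching requests by their (forged) source; count requests per abused subnet."""
    victims = defaultdict(lambda: {"requests": 0, "per_net": defaultdict(int)})
    for src, dst, proto, icmp_type in packets:
        if is_smurf_request(src, dst, proto, icmp_type, local_nets):
            victims[src]["requests"] += 1
            victims[src]["per_net"][str(broadcast_network(dst, local_nets))] += 1
    return {src: {"requests": v["requests"], "per_net": dict(v["per_net"])} for src, v in victims.items()}


def estimate_replies(victim_info, responders=RESPONDERS):
    """Echo replies the victim receives if every responder answers each broadcast request once."""
    return sum(count * responders[net] for net, count in victim_info["per_net"].items())


if __name__ == "__main__":
    for victim, info in find_smurf_victims(SAMPLE_PACKETS).items():
        replies = estimate_replies(info)
        # echo reply and echo request carry the same payload, so bytes amplify by the same factor
        print(victim, info, "->", replies, "replies for", info["requests"], "requests",
              "(x%.1f)" % (replies / info["requests"]))
```

The same `is_smurf_request` predicate, applied at the border router, is what disabling directed broadcasts achieves: a request to the broadcast address from outside the subnet is dropped before any host can answer it.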
Looping Attacks – Echo-Chargen Loop
Echo-Chargen Loop
• When UDP port 7 (echo) receives a packet, it reads the payload and echoes it back to the source
• When UDP port 19 (character generator, chargen) receives a packet, it replies with a somewhat random string of characters
• One datagram forged so that its source is one host's chargen port and its destination is another host's echo port sets the two services answering each other indefinitely
• CVE-1999-0103
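The exchange described above, as an added simulation that is not part of the slides: two hosts running echo and chargen, one forged datagram, and a hop counter standing in for the bandwidth the loop would burn. The hosts, the 72-byte chargen line and the "ignore small-service source ports" rule are assumptions of the example; the rule is shown as one defensive option alongside simply disabling the services.

```python
ECHO_PORT, CHARGEN_PORT = 7, 19
SMALL_SERVICE_PORTS = {7, 9, 13, 19}          # echo, discard, daytime, chargen
CHARGEN_LINE = bytes(range(33, 105))          # 72 printable bytes, one chargen "line" (assumed)


def echo_service(payload):
    return payload                            # RFC 862: send back whatever arrived


def chargen_service(_payload):
    return CHARGEN_LINE                       # RFC 864: reply with a line of characters


def run_exchange(first, hosts, max_hops, drop_small_service_sources=False):
    """Bounce one UDP datagram between the services until a side stops answering.

    hosts maps ip -> {port: handler}. Returns (hops, bytes_generated). max_hops only caps the
    simulation; a real loop stops only when a service is disabled or a datagram is lost."""
    pkt, hops, total = first, 0, 0
    while hops < max_hops:
        # Defensive rule (assumed, not from the slides): a small-services daemon ignores datagrams
        # whose source port is itself a small service, so a forged loop starter dies on arrival.
        if drop_small_service_sources and pkt["sport"] in SMALL_SERVICE_PORTS:
            break
        handler = hosts.get(pkt["dst"], {}).get(pkt["dport"])
        if handler is None:                   # closed port: ICMP unreachable, loop ends
            break
        reply = handler(pkt["payload"])
        hops, total = hops + 1, total + len(reply)
        # the reply goes back to the (forged) source, which is the other service
        pkt = {"src": pkt["dst"], "sport": pkt["dport"],
               "dst": pkt["src"], "dport": pkt["sport"], "payload": reply}
    return hops, total


# Constructed topology: two hosts with both small services enabled.
HOSTS = {
    "192.0.2.10": {ECHO_PORT: echo_service, CHARGEN_PORT: chargen_service},
    "192.0.2.11": {ECHO_PORT: echo_service, CHARGEN_PORT: chargen_service},
}

# The attacker's single forged datagram: claims to come from .11's chargen port, aimed at .10's echo port.
LOOP_STARTER = {"src": "192.0.2.11", "sport": CHARGEN_PORT,
                "dst": "192.0.2.10", "dport": ECHO_PORT, "payload": b"x"}

if __name__ == "__main__":
    print("services on, no filter:", run_exchange(LOOP_STARTER, HOSTS, 1000))
    print("services on, filter:   ", run_exchange(LOOP_STARTER, HOSTS, 1000, drop_small_service_sources=True))
    print("services disabled:     ", run_exchange(LOOP_STARTER, {"192.0.2.10": {}, "192.0.2.11": {}}, 1000))
```

After the first hop every reply is a full chargen line, so the attacker's one-byte datagram turns into 72 bytes per hop for as long as both daemons stay up. A legitimate client using a high source port still gets exactly one echo reply under the filter, which is why the rule is safe to apply.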
Spoofed DNS Queries – DoomDNS Attack
DoomDNS Attack
• DoomDNS sends odd queries to BIND servers that can elicit many responses from the server
• It is possible to flood someone by sending the DNS server spoofed UDP queries whose source address is the victim
  – A DNS query of just a few bytes (20–30) can produce responses of around 400–500 bytes, so the server multiplies the attacker's bandwidth by more than an order of magnitude
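As an added example (not from the slides and not DoomDNS itself), the size claim and the server-side countermeasure: a minimal RFC 1035 query builder shows that a query for `example.com` is 29 bytes on the wire, and a simplified per-source response rate limiter in the spirit of BIND's RRL (its idea, not its code) shows how much amplification a spoofed source can still extract. The 500-byte response size, the flood of 50 queries, the victim address and the limiter parameters are assumptions of the example.

```python
import struct
from collections import defaultdict

QTYPE_ANY, QCLASS_IN = 255, 1
ASSUMED_RESPONSE_BYTES = 500        # the 400-500 byte answers the slide describes (assumed value)


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Minimal DNS query (RFC 1035 wire format): 12-byte header, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # flags 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


class ResponseRateLimiter:
    """Per-source response rate limiting, simplified.

    Within each window a client gets at most `limit` full answers. Beyond that, every `slip`-th
    response is 'truncated' (a header-plus-question TC=1 reply about the size of the query, which
    a genuine client retries over TCP) and the rest are dropped, so a forged source cannot
    extract much more than one byte out per byte in."""

    def __init__(self, limit, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self.counts = defaultdict(int)

    def decide(self, client_ip, now):
        key = (client_ip, int(now // self.window))
        self.counts[key] += 1
        over = self.counts[key] - self.limit
        if over <= 0:
            return "answer"
        return "truncate" if over % self.slip == 0 else "drop"


def simulate(queries, limiter, full_response=ASSUMED_RESPONSE_BYTES):
    """queries: iterable of (client_ip, timestamp, query_bytes). Returns decision counts and byte totals."""
    stats = {"answer": 0, "truncate": 0, "drop": 0, "bytes_in": 0, "bytes_out": 0}
    for client, ts, q in queries:
        stats["bytes_in"] += len(q)
        decision = limiter.decide(client, ts) if limiter else "answer"
        stats[decision] += 1
        stats["bytes_out"] += {"answer": full_response, "truncate": len(q), "drop": 0}[decision]
    stats["amplification"] = stats["bytes_out"] / stats["bytes_in"]
    return stats


QUERY = build_query("example.com")
# Constructed flood: 50 forged ANY queries within one second, all claiming 203.0.113.9 as source.
FLOOD = [("203.0.113.9", i * 0.01, QUERY) for i in range(50)]

if __name__ == "__main__":
    print("query size:", len(QUERY), "bytes")
    print("no limiting:", simulate(FLOOD, None))
    print("with RRL:   ", simulate(FLOOD, ResponseRateLimiter(limit=5)))
```

Without limiting the server sends 25,000 bytes toward the victim for 1,450 bytes of forged queries, a factor of about 17; with five answers per second and every second excess response slipped to a truncated reply, the same flood yields roughly 2x, and a real client behind that source still gets a TC reply it can retry over TCP, where the source address cannot be forged.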