How DDoS Attacks Work

DDoS is an advanced version of the DoS attack. Like DoS, DDoS tries to deny access to services running on a system by sending packets to the destination system in a way that the destination system can't handle. The key of a DDoS attack is that it relays attacks from many different hosts (which must first be compromised), rather than from a single host like DoS. DDoS is a large-scale, coordinated attack on a victim system.

---

Hacking Tools

Trinoo is a tool that sends User Datagram Protocol (UDP) traffic to create a DDoS attack. The Trinoo master is a system used to launch a DoS attack against one or more target systems. The master instructs agent processes (called daemons) on previously compromised systems (secondary victims) to attack one or more IP addresses. This attack occurs for a specified period of time. The Trinoo agent or daemon is installed on a system that suffers from a buffer overflow vulnerability. WinTrinoo is a Windows version of Trinoo and has the same functionality as Trinoo.

Shaft is a derivative of the Trinoo tool that uses UDP communication between masters and agents. Shaft provides statistics on the flood attack that attackers can use to know when the victim system is shut down; Shaft provides UDP, ICMP, and TCP flooding attack options.

Tribal Flood Network (TFN) allows an attacker to use both bandwidth-depletion and resource-depletion attacks. TFN does UDP and ICMP flooding as well as TCP SYN and smurf attacks. TFN2K is based on TFN, with features designed specifically to make TFN2K traffic difficult to recognize and filter. It remotely executes commands, hides the source of the attack using IP address spoofing, and uses multiple transport protocols (including UDP, TCP, and ICMP).

Stacheldraht is similar to TFN and includes ICMP flood, UDP flood, and TCP SYN attack options. It also provides a secure telnet connection (using symmetric key encryption) between the attacker and the agent systems (secondary victims). This prevents system administrators from intercepting and identifying this traffic.

Mstream uses spoofed TCP packets with the ACK flag set to attack a target. It consists of a handler and an agent portion, but access to the handler is password protected.

---

The services under attack are those of the primary victim; the compromised systems used to launch the attack are secondary victims. These compromised systems, which send the DDoS to the primary victim, are sometimes called zombies or BOTs. They're usually compromised through another attack and then used to launch an attack on the primary victim at a certain time or under certain conditions. It can be difficult to track the source of the attacks because they originate from several IP addresses.

Normally, DDoS consists of three parts:

• Master/handler
• Slave/secondary victim/zombie/agent/BOT/BOTNET
• Victim/primary victim

The master is the attack launcher. A slave is a host that is compromised by and controlled by the master. The victim is the target system. The master directs the slaves to launch the attack on the victim system. See Figure 1.

 
Figure 1: Master and Slaves in a DDoS Attack

DDoS is done in two phases. In the intrusion phase, the hacker compromises weak systems in different networks around the world and installs DDoS tools on those compromised slave systems. In the DDoS attack phase, the slave systems are triggered to cause them to attack the primary victim. See Figure 2.

 
Figure 2: Bots or Zombie systems

Denial of Service

A DoS attack is an attempt by a hacker to flood a user's or an organization's system. As a CEH, you need to be familiar with the types of DoS attacks and should understand how DoS and DDoS attacks work. You should also be familiar with robots (BOTs) and robot networks (BOTNETs), as well as smurf attacks and SYN flooding. Finally, as a CEH, you need to be familiar with various DoS and DDoS countermeasures.

There are two main categories of DoS attacks:

• Attacks sent by a single system to a single target (simple DoS)
• Attacks sent by many systems to a single target (distributed denial of service, or DDoS)

The goal of DoS isn't to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A DoS attack may do the following:

• Flood a network with traffic, thereby preventing legitimate network traffic.
• Disrupt connections between two machines, thereby preventing access to a service.
• Prevent a particular individual from accessing a service.
• Disrupt service to a specific system or person.

Different tools use different types of traffic to flood a victim, but the result is the same: a service on the system or the entire system is unavailable to a user because it's kept busy trying to respond to an exorbitant number of requests.

---

Real World Scenario: A Denial of Service Attack

On the evening of May 28, 2008, the company I was working for (alfasystems.com) suddenly dropped off the Internet. Their web servers were no longer accessible from the Internet.

Within a minute of the start of the attack, it was clear to the Alpha Systems engineers that they were experiencing a "packet flooding" attack of some sort. After looking at the log files of their Cisco router, it showed that both of their two T1 trunk interfaces to the Internet were receiving some sort of traffic at their maximum 1.54 megabit rate, while their outbound traffic had fallen to nearly zero. They were drowning in a flood of malicious traffic and valid traffic was unable to get out. Alpha Systems was the victim of a denial-of-service attack, more commonly referred to as a DoS. The engineers knew they had to do something quickly to stop the attack and get the web servers back up and accessible for their customers. But no one really knew what to do as this had never happened to the systems before. Then someone thought of the packet filtering capabilities of the router.

Luckily, because this DoS attack was prone to filtering, Alpha Systems was able to weed out the bad packets and return their service to almost normal operation. In two minutes Alpha Systems engineers applied "brute force" filters to their routers, shutting down all UDP and ICMP traffic, and alfasystems.com instantly popped back onto the Internet.

It was finally determined that their server had been attacked by 474 security-compromised Windows PCs containing remote-control attack "zombies," in a classic DoS attack generated by the coordinated efforts of these hundreds of individual PCs.

---

A DoS attack is usually an attack of last resort. It's considered an unsophisticated attack because it doesn't gain the hacker access to any information but rather annoys the target and interrupts their service. DoS attacks can be destructive and have a substantial impact when sent from multiple systems at the same time (DDoS attacks).

---

Hacking Tools

Ping of Death is an attack that can cause a system to lock up by sending multiple IP packets, which will be too large for the receiving system when reassembled. Ping of Death can cause a DoS to clients trying to access the server that has been a victim of the attack.

SSPing is a program that sends several large fragmented, Internet Control Message Protocol (ICMP) data packets to a target system. This will cause the computer receiving the data packets to freeze when it tries to reassemble the fragments.

A LAND attack sends a packet to a system where the source IP is set to match the target system's IP address. As a result, the system attempts to reply to itself, causing the system to create a loop—which will tie up system resources and eventually may crash the OS.

CPUHog is a DoS attack tool that uses up the CPU resources on a target system, making it unavailable to the user.

WinNuke is a program that looks for a target system with port 139 open, and sends junk IP traffic to the system on that port. This attack is also known as an out-of-bounds (OOB) attack and causes the IP stack to become overloaded—eventually the system crashes.

Jolt2 is a DoS tool that sends a large number of fragmented IP packets to a Windows target. This ties up system resources and eventually locks up the system. Jolt2 isn't Windows specific; many Cisco routers and other gateways may be vulnerable to the Jolt2 attack.

Bubonic is a DoS tool that works by sending TCP packets with random settings, in order to increase the load of the target machine so that it eventually crashes.

Targa is a program that can be used to run eight different DoS attacks. The attacker has the option to either launch individual attacks or try all of the attacks until one is successful.

RPC Locator is a service that, if unpatched, has a vulnerability to overflows. Details on patching a system to prevent RPC vulnerabilities will be covered later in the chapter. The RPC Locator service in Windows allows distributed applications to run on the network. It is susceptible to DoS attacks, and many of the tools that perform DoS attacks exploit this vulnerability.

---

Note

Because DoS attacks are so powerful and can cripple a production system or network, this chapter does not include any DoS tool exercises. If you want to test the tools listed here, ensure that you are not using them on a production network or system. The DoS tools could render the target systems unusable.

DDoS attacks can be perpetrated by BOTs and BOTNETs, which are compromised systems that an attacker uses to launch the attack against the end victim. The system or network that has been compromised is a secondary victim, whereas the DoS and DDoS attacks flood the primary victim or target.

Hacking Tools

EtherFlood is used to flood an Ethernet switch with traffic to make it revert to a hub. By doing this, a hacker is able to capture all traffic on the network rather than just traffic going to and from their system, as would be the case with a switch.

Dsniff is a collection of Unix-executable tools designed to perform network auditing as well as network penetration. The following tools are contained in dsniff: filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy. These tools passively monitor a vulnerable shared network (such as a LAN where the sniffer sits behind any exterior firewall) for interesting data (passwords, email, files, and so on).

Sshmitm and webmitm implement active man-in-the-middle attacks against redirected Secure Shell (SSH) and HTTPS sessions.

Arpspoof, dnsspoof, and macof work on the interception of switched network traffic that is usually unavailable to a sniffer program because of switching. To get around the Layer 2 packet-switching issue, dsniff spoofs the network into thinking that it's a gateway that data must pass through to get outside the network.

IP Restrictions Scanner (IRS) is used to find the IP restrictions that have been set for a particular service on a host. It combines ARP poisoning with a TCP stealth or half-scan technique and exhaustively tests all possible spoofed TCP connections to the selected port of the target. IRS can find servers and network devices like routers and switches and identify access-control features like access control lists (ACLs), IP filters, and firewall rules.

sTerm is a telnet client with a unique feature: it can establish a bidirectional telnet session to a target host, without ever sending the real IP and MAC addresses in any packet. Using ARP poisoning, MAC spoofing, and IP spoofing techniques, sTerm can effectively bypass ACLs, firewall rules, and IP restrictions on servers and network devices.

Cain & Abel is a multipurpose hacking tool for Windows. It allows easy recovery of various kinds of passwords by sniffing the network; cracking encrypted passwords using dictionary or brute-force attacks; recording Voice over IP, or VoIP, conversations; decoding scrambled passwords; revealing password boxes; uncovering cached passwords; and analyzing routing protocols. The latest version contains a lot of new features like ARP Poison Routing (APR), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and it contains filters to capture credentials from a wide range of authentication mechanisms.

Packet Crafter is a tool used to create custom TCP/IP/UDP packets. The tool can change the source address of a packet to do IP spoofing and can control IP flags (such as checksums) and TCP flags (such as the state flags, sequence numbers, and ack numbers).

SMAC is a tool used to change the MAC address of a system. It lets a hacker spoof a MAC address when performing an attack.

MAC Changer is a tool used to spoof a MAC address on Unix. It can be used to set the network interface to a specific MAC address, set the MAC randomly, set a MAC of another vendor, set another MAC of the same vendor, set a MAC of the same kind, or display a vendor MAC list to choose from.

WinDNSSpoof is a simple DNS ID spoofing tool for Windows. To use it on a switched network, you must be able to sniff traffic of the computer being attacked. Therefore, it may need to be used in conjunction with an ARP spoofing or flooding tool.

Distributed DNS Flooder sends a large number of queries to create a DoS attack, disabling DNS. If DNS daemon software logs incorrect queries, the impact of this attack is amplified.

Understanding MAC Flooding and DNS Spoofing

A packet sniffer on a switched network can't capture all traffic as it can on a hub network; instead, it captures traffic either coming from or going to the system. It's necessary to use an additional tool to capture all traffic on a switched network. There are essentially two ways to perform active sniffing and make the switch send traffic to the system running the sniffer:

• ARP Spoofing This method involves using the MAC address of the network gateway and consequently receiving all traffic intended for the gateway on the sniffer system. A hacker can also flood a switch with so much traffic that it stops operating as a switch and instead reverts to acting as a hub, sending all traffic to all ports. This active sniffing attack allows the system with the sniffer to capture all traffic on the network.

Note

Many switches have been patched or redesigned to not be susceptible to the flooding vulnerability.

DNS Spoofing (or DNS Poisoning) This is a technique that tricks a DNS server into believing it has received authentic information when in reality it hasn't. Once the DNS server has been poisoned, the information is generally cached for a while, spreading the effect of the attack to the users of the server. When a user requests a certain website URL, the address is looked up on a DNS server to find the corresponding IP address. If the DNS server has been compromised, the user is redirected to a website other than the one that was requested, such as a fake website.

To perform a DNS attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information. If the server doesn't correctly validate DNS responses to ensure that they come from an authoritative source, the server ends up caching the incorrect entries locally and serving them to users that make subsequent requests.

This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address's DNS entries for a target website on a given DNS server, replacing them with the IP address of a server the hacker controls. The hacker then creates fake entries for files on this server with names matching those on the target server. These files may contain malicious content, such as a worm or a virus. A user whose computer has referenced the poisoned DNS server is tricked into thinking the content comes from the target server and unknowingly downloads malicious content.

The types of DNS spoofing techniques are as follows:

• Intranet Spoofing Acting as a device on the same internal network
• Internet Spoofing Acting as a device on the Internet
• Proxy Server DNS Poisoning Modifying the DNS entries on a proxy server so the user is redirected to a different host system
• DNS Cache Poisoning Modifying the DNS entries on any system so the user is redirected to a different host