
CYBER ATTACKS

(DOS & DDOS)

A SEMINAR REPORT Submitted by

ASHISH JAIMAN

In partial fulfillment for the award of the degree Of

MASTER OF COMPUTER APPLICATIONS


At

SIDDHI VINAYAK College of Science & Hr.Education, ALWAR


Dec. 2013

ABSTRACT
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means, motives and targets vary, a DoS attack generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators typically target sites or services hosted on high-profile web servers such as banks and credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to that field; it is also used, for example, in reference to CPU resource management. There are two general forms of DoS attack: those that crash services and those that flood them. One common method involves saturating the target machine with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable. In general terms, DoS attacks are implemented by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. DDoS attack tools are readily available, and any Internet host can be targeted either as a zombie or as the ultimate DDoS focus. These attacks can be costly and frustrating and are difficult, if not impossible, to eradicate. The best defence is to hinder attackers through vigilant system administration.

ii

TABLE OF CONTENTS

CHAPTER NO.  TITLE                                PAGE NO.
             ABSTRACT                             ii
             ACKNOWLEDGEMENT                      iv
1            INTRODUCTION                         1
2            IP Spoofing                          3
3            Types of DOS & DDOS Attacks          4
3.1          Types of DoS Attack                  4
3.2          Types of DDoS Attack                 5
4            Ping of Death                        6
5            LAND Attack                          7
6            Tear Drop Attack                     8
7            SYN Flood Attack                     9
8            ICMP Flood Attack                    11
9            UDP Flood Attack                     12
10           Smurf Attack                         13
11           DDOS Attack                          15
             REFERENCES                           18

ACKNOWLEDGEMENT

We would like to express our heartfelt gratitude towards our able guide Mr. Lokesh Mittal (Assistant Professor), who was ever willing to offer constructive suggestions and help us out whenever we got stuck.

It is with deepest sense of gratitude that we thank our Department Head Ms. Gayatri Lalwani for her normal guidance and constant encouragement.

Last but not least, we thank all our teachers and other staff members of Siddhi Vinayak College of Science & Hr. Education for providing an excellent and healthy environment during the seminar work.


CHAPTER 1 INTRODUCTION
Cyber attacks, also referred to as cyber warfare or cyber terrorism in specific situations, are offensive manoeuvres employed by individuals and whole organizations that target computer information systems, infrastructures, computer networks and personal computer devices by various malicious means, usually originating from an anonymous source, and that steal, alter or destroy a specified target by breaking into a susceptible system. A cyber attack can be as minor as installing spyware on a PC or as grand as disrupting the infrastructure of an entire nation. In the 21st century, as the world becomes more technologically advanced and reliant upon computer systems, cyber attacks have become more sophisticated, more dangerous and the preferred method of attack against large groups. DoS and DDoS attacks are both forms of cyber attack. The traditional intent and impact of a DoS (Denial of Service) attack is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet. First, the infrastructure of interconnected systems and networks that makes up the Internet is entirely composed of limited, consumable resources: bandwidth, processing power and storage capacity are all common targets for DoS attacks designed to consume enough of a target's available resources to cause some level of service disruption. An abundance of well-engineered resources may raise the bar on the degree an attack must reach to be effective, but today's attack methods and tools place even the most abundant resources within range of disruption. Second, Internet security is highly interdependent: however well a site is protected, its exposure to DoS depends on the security of every other host on the Internet from which an attack can be launched. DDoS (Distributed Denial of Service) is an advanced version of the DoS attack.
Much like a DoS attack, a DDoS attack tries to block important services running on a server by flooding the destination server with packets. The distinguishing feature of DDoS is that the attack does not come from a single network or host but from a number of different hosts or networks that have been compromised beforehand. Like many other attack schemes, DDoS can be considered to involve three participants, which this report calls the Master, the Slave and the Victim. The Master is the initial source of the attack, the person or machine behind the whole operation. The Slave is a host or network previously compromised by the Master, and the Victim is the target site or server under attack. The Master instructs the Slave(s) to launch an attack on the Victim's site or machine; since the attack then comes from multiple sources at once (note that the Master itself is usually not involved in this phase), it is called a distributed, or coordinated, attack.


CHAPTER-2 IP SPOOFING
IP spoofing is a technique used to gain unauthorized access to computers, or to disguise the origin of an attack, whereby the intruder sends packets to a computer with a source IP address indicating that they come from a trusted host. To engage in IP spoofing, an attacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host. Because replies go to the forged address rather than to the attacker, spoofing is most useful for attacks that do not need a reply, such as the SYN, UDP and Smurf floods described in later chapters. Newer routers and firewall configurations can offer protection against IP spoofing by dropping packets whose source address could not legitimately arrive on that interface (ingress filtering, RFC 2827 / BCP 38).

Figure: IP Spoofing


CHAPTER 3 TYPES of DOS & DDOS ATTACKS


DoS: A DoS (Denial of Service) attack is an attack intended to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DoS attacks, because the Internet is built from limited, consumable resources and because the security of any one site depends on the security of the other sites from which an attack can be launched.

3.1 Types of DoS Attacks
1. Ping of Death
2. LAND Attack
3. Tear Drop Attack
4. SYN Flood Attack
5. ICMP Flood Attack
6. UDP Flood Attack
7. Smurf Attack

DDoS:

DDoS stands for Distributed Denial of Service. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood the targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.


3.2 Types of DDoS Attacks
DDoS attacks can be broadly divided into three types:

Volume-based attacks include UDP floods, ICMP floods and other spoofed-packet floods. The goal is to saturate the bandwidth of the attacked site, and the magnitude is measured in bits per second (bps).

Protocol attacks include SYN floods, fragmented-packet attacks, Ping of Death, Smurf and more. This type of attack consumes the resources of the server itself, or of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second (pps).

Application-layer attacks include Slowloris, zero-day DDoS attacks, attacks that target vulnerabilities in Apache, Windows or OpenBSD, and more. Made up of seemingly legitimate and innocent requests, these attacks aim to crash or exhaust the web server application, and their magnitude is measured in requests per second (rps).


CHAPTER 4 Ping of Death Attack


A ping of death (abbreviated "PoD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to it. A ping is normally 56 bytes of data (84 bytes once the 8-byte ICMP header and the 20-byte Internet Protocol [IP] header are counted). Historically, many systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes; sending a ping larger than this could crash the target computer. In early implementations of TCP/IP this bug was easy to exploit, and it affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers and routers. A 65,536-byte ping packet violates the Internet Protocol as written in RFC 791, which stores the total length in a 16-bit field, but a packet of that size can still be sent if it is fragmented: each fragment is legal on its own, and the offset of the final fragment plus its length only exceeds 65,535 when the target reassembles the pieces. Reassembly code that did not check for this wrote past the end of its buffer, which often caused a system crash. In recent years a different kind of ping attack has become widespread: ping flooding simply floods the victim with so much ping traffic that normal traffic fails to reach the system (a basic denial-of-service attack).


CHAPTER 5 Land Attack


A LAND (Local Area Network Denial) attack is a DoS (Denial of Service) attack that consists of sending a specially crafted, spoofed packet to a computer, causing it to lock up. The flaw was first published in 1997 by someone using the alias "m3lt", and resurfaced years later in operating systems such as Windows Server 2003 and Windows XP SP2. The attack involves sending a spoofed TCP SYN packet (connection initiation) to an open port with the target host's own IP address and port number as both source and destination. A vulnerable stack then replies to itself continuously. It is distinct from the TCP SYN flood vulnerability described in Chapter 7. Other LAND-style flaws have since been found in services such as SNMP and the Windows Kerberos service on 88/tcp: such systems would accept a request on the wire that appeared to come from themselves, causing repeated replies. The defence is simple: a packet whose source address equals its destination address never occurs legitimately on an external interface and can be dropped by the firewall or by the IP stack itself.


CHAPTER 6 Tear Drop Attack


Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. It exploits an overlapping-fragment bug present in Windows 95, Windows NT and Windows 3.1 machines: the TCP/IP fragment reassembly code mishandles fragments whose byte ranges overlap, in particular a second fragment that claims to start inside the first and end before it, which leaves the code computing a negative fragment length. This attack has not been shown to cause any lasting damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while the attack is considered non-destructive, it can cause problems if there is unsaved data in open applications at the time the machine is attacked; the primary cost is loss of that data. When a Teardrop attack is run against a vulnerable machine, it crashes (on Windows a user will typically see the Blue Screen of Death) or reboots. If you have protected yourself against the WinNuke and SSPing DoS attacks and you still crash, the mode of attack is probably Teardrop or LAND. If you are using IRC and your machine becomes disconnected from the network or the Internet but does not crash, the mode of attack is probably Click.
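The three malformed-packet attacks of Chapters 4, 5 and 6 are all caught by the same few arithmetic checks that a careful IP stack or firewall performs before reassembling fragments or accepting a SYN. The following is an added example, not code from the report; it works on a simplified packet record (the field names are an assumption chosen for readability) rather than raw bytes, but the offset and length arithmetic is exactly what a stack does when it reassembles a datagram.

```python
"""Checks for the Ping of Death, LAND and Teardrop packets described in Chapters 4-6.

Added example, not code from the report.  Packets are simplified records
(field names are an assumption); fragment offsets and lengths follow RFC 791.
"""
from dataclasses import dataclass

IP_HDR_LEN = 20            # IPv4 header without options (assumed)
MAX_IPV4_DATAGRAM = 65535  # RFC 791: total length is a 16-bit field
FRAG_UNIT = 8              # fragment offset is counted in 8-byte units


@dataclass
class Packet:
    src: str
    dst: str
    ident: int = 0            # IP identification shared by fragments of one datagram
    offset: int = 0           # fragment offset in 8-byte units, as on the wire
    payload_len: int = 0      # bytes of data carried by this fragment
    more_fragments: bool = False
    proto: str = "icmp"
    sport: int = 0
    dport: int = 0
    flags: tuple = ()         # TCP flags such as ("SYN",)


def is_land(pkt: Packet) -> bool:
    """LAND: a TCP SYN whose source and destination socket are both the target's own."""
    return (pkt.proto == "tcp" and "SYN" in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport)


def check_reassembly(frags) -> list:
    """Problems a stack would hit reassembling one datagram's fragments.

    'oversize'   reassembled datagram would exceed 65535 bytes (ping of death)
    'overlap'    a fragment starts inside bytes already covered (teardrop)
    'gap'        fragments do not cover the datagram contiguously
    'incomplete' the highest fragment still has MF set, so the datagram never closes
    """
    problems = set()
    ordered = sorted(frags, key=lambda f: f.offset)
    covered = 0  # bytes of payload reassembled so far
    for f in ordered:
        start = f.offset * FRAG_UNIT
        end = start + f.payload_len
        if start < covered:
            problems.add("overlap")
        elif start > covered:
            problems.add("gap")
        if end + IP_HDR_LEN > MAX_IPV4_DATAGRAM:
            problems.add("oversize")
        covered = max(covered, end)
    if ordered and ordered[-1].more_fragments:
        problems.add("incomplete")
    return sorted(problems)


def fragment(ident, payload_len, mtu=1500, src="10.0.0.2", dst="10.0.0.1"):
    """Split a datagram payload into fragments the way a sender on an Ethernet link would."""
    per_frag = (mtu - IP_HDR_LEN) // FRAG_UNIT * FRAG_UNIT   # 1480 bytes for a 1500-byte MTU
    frags, pos = [], 0
    while pos < payload_len:
        n = min(per_frag, payload_len - pos)
        frags.append(Packet(src, dst, ident, pos // FRAG_UNIT, n,
                            more_fragments=pos + n < payload_len))
        pos += n
    return frags


# Constructed inputs for the three attacks
PING_OF_DEATH = fragment(1, 8 + 65536)   # ICMP header plus 65536 bytes of echo data
TEARDROP = [Packet("10.0.0.2", "10.0.0.1", 2, 0, 36, more_fragments=True),
            Packet("10.0.0.2", "10.0.0.1", 2, 3, 4)]   # second fragment lands inside the first
LAND = Packet("10.0.0.1", "10.0.0.1", proto="tcp", sport=139, dport=139, flags=("SYN",))

if __name__ == "__main__":
    print("ping of death:", check_reassembly(PING_OF_DEATH))
    print("teardrop:     ", check_reassembly(TEARDROP))
    print("normal:       ", check_reassembly(fragment(3, 3000)))
    print("land:         ", is_land(LAND))
```

A stack that refuses any fragment set reporting 'oversize' or 'overlap' (rather than discarding only after the damage is done) is immune to both crashes; the 'incomplete' case matters because half-reassembled datagrams sit in memory until a timer expires, which is its own resource-exhaustion vector.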


CHAPTER 7 SYN Flood Attack


A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. Normally, when a client starts a TCP connection to a server, the client and server exchange a series of messages that runs like this:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

This is the TCP three-way handshake, and it is the foundation of every connection established with TCP. A SYN flood works by never sending the server the expected ACK. The malicious client can either simply withhold the ACK, or spoof the source IP address in the SYN so that the server sends its SYN-ACK to a falsified address, which will not answer because it never sent a SYN. The server waits for the acknowledgement for some time, since ordinary network congestion could also explain a missing ACK, but during an attack an increasingly large number of half-open connections ties up the server's connection table until no new connections can be accepted, denying service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way. The standard mitigation is SYN cookies: instead of storing state for every half-open connection, the server encodes a cryptographic check value in the sequence number of its SYN-ACK and only allocates a connection when an ACK returns carrying that value.
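To make the resource-exhaustion mechanism concrete, the following added example (not code from the report) simulates a listener with a small backlog under a spoofed-source SYN flood and then the same flood against a listener that answers with SYN cookies and keeps no half-open state. The cookie layout used here (an 8-bit time counter plus a 24-bit truncated HMAC, with a 64-second counter tick) is a simplification chosen for the example, not the exact encoding any particular operating system uses.

```python
"""Half-open connection exhaustion versus SYN cookies.

Added example, not code from the report.  The cookie layout and the
64-second counter period are simplifying assumptions.
"""
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(16)   # per-boot secret; real stacks rotate it
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic behaviour: every SYN allocates a half-open entry until the backlog is full."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # (src, sport) -> (server ISN, arrival time)
        self.dropped = 0
        self.established = 0

    def on_syn(self, src, sport, now):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # backlog exhausted: the SYN is silently dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (isn, now)
        return isn                 # carried back to the client in the SYN-ACK

    def on_ack(self, src, sport, ack, now):
        entry = self.half_open.pop((src, sport), None)
        if entry and ack == (entry[0] + 1) & MASK32:
            self.established += 1
            return True
        return False

    def expire(self, now, timeout):
        """Reclaim entries whose ACK never came; an attacker simply keeps the table full."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def syn_cookie(src, sport, dst, dport, counter):
    """An ISN the server can recompute from the returning ACK; nothing is stored."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


class CookieListener:
    """Keeps no half-open state: the SYN-ACK sequence number is the proof of the earlier SYN."""
    COUNTER_PERIOD = 64            # seconds per counter tick (assumed)

    def __init__(self, dst="10.0.0.1", dport=80):
        self.dst, self.dport = dst, dport
        self.established = 0
        self.rejected = 0

    def on_syn(self, src, sport, now):
        return syn_cookie(src, sport, self.dst, self.dport, now // self.COUNTER_PERIOD)

    def on_ack(self, src, sport, ack, now):
        isn = (ack - 1) & MASK32
        tick = now // self.COUNTER_PERIOD
        for c in (tick, tick - 1):         # accept the current and the previous tick
            if isn == syn_cookie(src, sport, self.dst, self.dport, c):
                self.established += 1
                return True
        self.rejected += 1                 # forged ACK or stale cookie
        return False


def simulate(listener, n_attack, n_legit, now=1000):
    """Spoofed SYNs that never complete, then real clients; returns how many real clients connected."""
    for i in range(n_attack):
        listener.on_syn(f"198.51.100.{i % 250}", 1024 + i, now)   # constructed spoofed sources
    ok = 0
    for i in range(n_legit):
        src, sport = "203.0.113.7", 40000 + i
        isn = listener.on_syn(src, sport, now + 1)
        if isn is not None and listener.on_ack(src, sport, (isn + 1) & MASK32, now + 2):
            ok += 1
    return ok


if __name__ == "__main__":
    print("stateful, backlog 128:", simulate(StatefulListener(128), 1000, 20), "of 20 clients connected")
    print("syn cookies:          ", simulate(CookieListener(), 1000, 20), "of 20 clients connected")
```

The cost of cookies is that the server cannot remember options negotiated in the SYN (window scaling, SACK) beyond what it can squeeze into the sequence number, which is why Linux enables them (net.ipv4.tcp_syncookies) only once the backlog actually overflows.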


CHAPTER 8 ICMP Flood Attack


ICMP, the Internet Control Message Protocol, is an integral part of any IP implementation. Although ICMP messages are carried in IP packets and ICMP uses IP as if it were a higher-level protocol, ICMP is in fact an internal part of IP and must be implemented in every IP module. ICMP messages fall into two main categories: ICMP error messages (such as Destination Unreachable and Time Exceeded) and ICMP query messages (such as Echo Request and Echo Reply, the pair used by ping). The simplicity of the protocol, and the general lack of awareness of the security issues related to it, make ICMP a convenient tool for attackers. An ICMP flood is the simplest such attack: the attacker sends a large volume of ICMP Echo Request packets to the victim, usually with spoofed source addresses, as fast as the attacking hosts' links allow. The victim's stack spends CPU time processing each request and bandwidth sending the Echo Replies, so both inbound and outbound capacity are consumed; if the combined attack bandwidth exceeds the victim's link, legitimate traffic no longer gets through. Tools for such floods are freely available, and ICMP floods have been used in real-world attacks, often as one component of the distributed attack tools described in Chapter 11.


CHAPTER 9 UDP Flood Attack


A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless, connectionless transport protocol. Using UDP for denial of service is not as straightforward as with the Transmission Control Protocol (TCP), since there is no handshake state to exhaust. However, a UDP flood can be initiated by sending a large number of UDP packets to random ports on a remote host. For each such packet the distant host will:

1. check for an application listening on that port;
2. find that no application is listening there;
3. reply with an ICMP Destination Unreachable (port unreachable) packet.

Thus, for a large number of UDP packets, the victimized system is forced to send many ICMP packets, which eventually makes it unreachable by other clients. The attacker(s) may also spoof the source IP address of the UDP packets, so that the excessive ICMP return packets never reach them and their network location is hidden; the spoofed address then receives the reflected ICMP traffic instead. Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent, though a flood large enough to fill the victim's link still succeeds regardless of how the host replies. The tool UDP Unicorn can be used to perform UDP flooding attacks. The attack can be managed by deploying firewalls at key points in the network to filter out unwanted traffic; the potential victim then never receives, and never responds to, the malicious UDP packets, because the firewall stops them.
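The rate limiting mentioned above is what keeps a UDP flood from turning the victim into a generator of reflected ICMP traffic. The following added example (not code from the report) models a host receiving UDP datagrams on closed ports and shows how a token bucket, the kind of limiter behind the Linux sysctls net.ipv4.icmp_ratelimit and net.ipv4.icmp_msgs_per_sec, bounds the ICMP Port Unreachable traffic the host emits. The rate and burst values, the listening ports and the flood itself are constructed for the demonstration.

```python
"""Rate-limiting the ICMP replies a UDP flood provokes.

Added example, not code from the report.  Rate, burst, listening ports
and the flood pattern are assumptions made for the demonstration.
"""


class TokenBucket:
    """Allow `rate` events per second with up to `burst` permits saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class UdpHost:
    """Delivers UDP to listening ports; answers closed ports with ICMP type 3 code 3."""

    def __init__(self, listening, icmp_limiter=None):
        self.listening = set(listening)
        self.limiter = icmp_limiter
        self.delivered = 0
        self.icmp_sent = 0
        self.icmp_suppressed = 0

    def receive(self, src, dport, now):
        if dport in self.listening:
            self.delivered += 1
            return "delivered"
        if self.limiter is None or self.limiter.allow(now):
            self.icmp_sent += 1        # ICMP Destination Unreachable goes back to `src`,
            return "icmp-unreachable"  # which the attacker has usually spoofed
        self.icmp_suppressed += 1      # closed port, but the reply is withheld
        return "dropped"


def udp_flood(host, packets=10000, duration=1.0):
    """Constructed flood: spoofed sources and pseudo-random closed ports, spread evenly over `duration` seconds."""
    for i in range(packets):
        host.receive(f"198.51.100.{i % 250}", 1024 + (i * 7919) % 60000, i * duration / packets)
    return host.icmp_sent


if __name__ == "__main__":
    print("unlimited host replied to", udp_flood(UdpHost({53, 123})), "of 10000 probes")
    limited = UdpHost({53, 123}, TokenBucket(rate=1000, burst=50))
    print("rate-limited host replied to", udp_flood(limited), "and suppressed", limited.icmp_suppressed)
```

With a 1000-per-second limit and a burst of 50, ten thousand probes in one second yield roughly 1,050 ICMP replies instead of ten thousand; the limiter protects the spoofed third party and the victim's upstream link, but the ten thousand inbound datagrams still have to be received, which is why filtering at the network edge remains the real fix.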


CHAPTER 10 SMURF ATTACK


The Smurf attack is a denial-of-service attack in which a large number of Internet Control Message Protocol (ICMP) echo request packets, carrying the intended victim's address as their spoofed source, are sent to a network's IP broadcast address. Most devices on a network will, by default, answer an echo request by replying to its source address. If the number of machines on that network that receive and respond to the packets is large, the victim is flooded with their replies; the attacker's traffic is amplified by a factor equal to the number of responding hosts. This can slow the victim's computer or link to the point where it becomes impossible to work. Smurfing takes advantage of well-known properties of IP and ICMP: ICMP is used by network administrators to exchange information about network state and to ping other nodes to determine their operational status, and a directed broadcast address is delivered to every node on the subnet. The smurf program sends spoofed packets containing an ICMP echo request; the resulting echo replies are directed at the victim's IP address, and a large number of pings and the resulting echoes can make the network unusable for real traffic.

In other words, a Smurf attack is an assault on a network that floods it with excessive messages in order to impede normal traffic. It is accomplished by sending ping requests (ICMP echo requests) to a broadcast address on the target network or on an intermediate network, with the return address spoofed to the victim's address. Since a broadcast address is picked up by all nodes on the subnet, it functions like an amplifier, generating hundreds of responses from one request and eventually causing a traffic overload. The intermediate network used in this way is called the amplifier, and two configuration changes remove it from the attack: routers should not forward packets addressed to directed broadcast addresses (RFC 2644), and border routers should drop outbound packets whose source address does not belong to the site (RFC 2827 / BCP 38), so that the spoofed requests never leave the attacker's network in the first place.
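Both the spoofing of Chapter 2 and the amplification above are defeated at the network border by two checks that need only the site's own prefix list. The following added example (not code from the report) models a border router applying source address validation (RFC 2827 / BCP 38) in both directions and dropping directed-broadcast traffic arriving from outside (RFC 2644). It generalizes the Smurf case slightly: the directed-broadcast rule drops any protocol, not just ICMP echo, since the UDP variant of the attack works the same way. The packet records, prefix list and sample traffic are constructed for the example.

```python
"""Border-router filters against IP spoofing (Chapter 2) and Smurf amplification (Chapter 10).

Added example, not code from the report.  Prefixes and packets are constructed.
"""
import ipaddress


class BorderRouter:
    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]

    def is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.inside)

    def is_directed_broadcast(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a == net.broadcast_address for net in self.inside)

    def filter(self, pkt, direction):
        """Return ('forward' | 'drop', reason) for a packet entering ('in') or leaving ('out') the site."""
        src, dst = pkt["src"], pkt["dst"]
        if direction == "out" and not self.is_inside(src):
            # egress filtering: our hosts may only send from our addresses (BCP 38)
            return "drop", "egress: source is not one of our prefixes"
        if direction == "in" and self.is_inside(src):
            # ingress filtering: our own addresses never arrive from the outside
            return "drop", "ingress: our own address arriving from outside"
        if direction == "in" and self.is_directed_broadcast(dst):
            # RFC 2644: never forward directed broadcasts; this is the Smurf amplifier trigger
            # (ICMP echo) and equally its UDP variant
            return "drop", "directed broadcast from outside would amplify"
        return "forward", ""


# Constructed traffic seen at the border of 192.0.2.0/24
SAMPLE = [
    ("in",  {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}),   # Smurf trigger
    ("in",  {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8}),    # ordinary ping
    ("out", {"src": "198.51.100.5", "dst": "203.0.113.9", "proto": "icmp", "icmp_type": 8}),  # inside host spoofing a victim
    ("out", {"src": "192.0.2.10", "dst": "203.0.113.9", "proto": "tcp"}),                      # legitimate outbound
    ("in",  {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "tcp"}),                       # our address from outside
]


def audit(router, traffic):
    """Actions the router takes on a traffic sample, in order."""
    return [router.filter(pkt, direction)[0] for direction, pkt in traffic]


if __name__ == "__main__":
    r = BorderRouter(["192.0.2.0/24"])
    for (direction, pkt), action in zip(SAMPLE, audit(r, SAMPLE)):
        print(direction, pkt["src"], "->", pkt["dst"], action, r.filter(pkt, direction)[1])
```

The egress rule is the one that matters most for the Internet as a whole: a site that enforces it cannot be used as the launch point of any spoofed-source attack, whichever chapter of this report the attack belongs to.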


CHAPTER 11 DDOS ATTACK


DDoS, short for Distributed Denial of Service, is a type of DoS attack in which multiple compromised systems, usually infected with a Trojan, are used to target a single system, causing a denial of service. The victims of a DDoS attack are both the end target and all the systems maliciously used and controlled by the attacker in the distributed attack. According to a report on eSecurityPlanet, in a DDoS attack the incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it effectively impossible to stop the attack simply by blocking a single IP address; moreover, it is very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin.

What is a distributed attack?
One DDoSer can do a lot of damage. These denial-of-service attacks are called distributed because they come from many computers at once. A DDoSer controls a large number of computers that have been infected by a Trojan. The Trojan is a small application that gives the attacker remote command-and-control capability over the computer without the user's knowledge.

What is a zombie, and what is a botnet?
The infected computers are called zombies because they do whatever the DDoSer commands them to do. A large group of zombie computers is called a robot network, or botnet. Your computer could be part of a botnet without your knowledge. You might not notice any difference, or you might notice that your computer is not as fast as it used to be, because it may be busy participating in a DDoS attack at the same time you are using it. Or you might find out that your computer is infected when your Internet service provider (ISP) suspends your service because your computer is sending an unusually high number of network requests.

What is a DDoS command-and-control server?
Zombie computers in a botnet receive instructions from a command-and-control server, which is typically itself a compromised web server. DDoSers who have access to a command-and-control (C&C or CC) server can direct the botnet to launch DDoS attacks. Prolexic, a DDoS mitigation provider, reports having identified more than 4,000 command-and-control servers and more than 10 million zombies worldwide, which it tracks and reports to law enforcement so that they can be disabled where possible.

Many types of DDoS attack
There are many types of DDoS attack. They target different network components (routers, appliances, firewalls, applications, ISPs, even data centres) in different ways. There is no easy way to prevent DDoS attacks, but mitigation services such as Prolexic's aim to minimize the damage and keep the target's systems working during an attack. DDoS attackers use a variety of attack methods. The hacker group Anonymous, for example, started with a tool that could launch Layer 7 and Layer 3 DDoS attacks from any computer. Those attacks had a common attack signature, that is, common code, so they could be detected and mitigated (stopped) fairly easily. It is a game of cat and mouse: the cat learns what the mouse is doing, so the mouse changes tactics to avoid getting caught. DDoSers got smarter and started randomizing their attack signatures and encrypting their code. Some even started using browsers to visit a web page and feed harmful code to a web application on the site. Application-layer DDoS attacks are more difficult to recognize, and DDoS mitigation providers rely on analysts in a Security Operations Center (SOC) who monitor and analyse these attacks continuously and block those that target their clients.

What are application-layer (Layer 7) DDoS attacks?
Application-layer (L7) attacks may not create such high volumes of network traffic, but they can harm a website in a more devastating way. They exercise some expensive aspect of a web application, such as posting different user names and passwords to a login form, or hammering a shopping cart or search engine. Many high-profile e-commerce outages have been the result of Layer 7 application attacks. The biggest issue is that Layer 7 attacks change and randomize very fast. Anything a visitor can access an attacker can too, and it looks the same to an IT administrator; the attack is visible only in aggregate, as an endpoint suddenly drawing far more requests than usual from far more sources than usual.
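The two observations above, that a single IP cannot be blocked because the sources are many, and that each request looks like a visitor's, decide how a Layer 7 flood has to be detected: not per client but per endpoint. The following added example (not code from the report) parses web-server access log lines in Common Log Format, counts requests per source and per URL path in fixed windows, and applies two rules: a per-IP limit, which only catches single-source abuse, and a per-endpoint rule that fires when one path draws far more requests than usual from many sources that each stay under the per-IP limit. The log lines and all thresholds are constructed for the example.

```python
"""Telling a distributed Layer 7 flood apart from one noisy client in access logs.

Added example, not code from the report.  Log lines and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "method path version" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse(line):
    """(ip, time, method, path) from one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, t, method, path.split("?", 1)[0]   # drop the query string so /search?q=a and ?q=b group together


def analyze(lines, window_s=60, per_ip_limit=50, endpoint_limit=200, max_source_share=0.05):
    per_ip = Counter()                 # (window, ip) -> requests
    per_path = defaultdict(Counter)    # (window, path) -> {ip: requests}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, t, _method, path = rec
        w = int(t.timestamp()) // window_s
        per_ip[(w, ip)] += 1
        per_path[(w, path)][ip] += 1
    # rule 1: one client over the per-IP limit (what a classic rate limiter catches)
    single = sorted({ip for (_w, ip), n in per_ip.items() if n > per_ip_limit})
    # rule 2: an endpoint over its limit where no single source dominates (a botnet spreading load)
    distributed = sorted({
        path for (_w, path), srcs in per_path.items()
        if sum(srcs.values()) > endpoint_limit
        and max(srcs.values()) / sum(srcs.values()) < max_source_share
    })
    return {"single_source": single, "distributed": distributed}


def build_sample_log():
    """Constructed minute of traffic: normal browsing, one noisy client, and a 200-bot login flood."""
    base = datetime(2013, 12, 2, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, sec, method, path, status=200):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512')

    for i in range(30):                      # ordinary visitors searching
        emit(f"203.0.113.{i + 1}", i * 2, "GET", f"/search?q=book{i}")
    for i in range(120):                     # one client hammering the cart
        emit("198.51.100.9", i // 2, "GET", "/cart")
    for i in range(400):                     # 200 bots, two login attempts each, spread over the minute
        emit(f"192.0.2.{i % 200}", i * 60 // 400, "POST", "/login", 401)
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

In the sample the cart client is caught by the per-IP rule while none of the 200 bots ever exceeds it; only the per-endpoint rule exposes the login flood. In production the endpoint limit would be derived from each path's own historical rate rather than fixed, and the response is usually a challenge (a CAPTCHA or JavaScript proof) on that endpoint rather than a block, since blocking 200 addresses two requests each is both futile and likely to hit real users behind shared NAT.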



