Attack types explained.
Thread Owner: Houga
Category: Technology and Devices
08-10-2014, 11:58 PM
Attack Type: SYN Flood
Description: In a SYN flood attack, an attacker initiates hundreds or thousands of TCP connections. As you know, the TCP handshake is as follows:
SYN, SYN/ACK, ACK
The attacker only initiates connections and never completes them. You can accomplish this in one of two ways:
Send the SYN unaltered and simply drop any incoming SYN/ACKs from the victim.
Send the SYN with a spoofed source IP address. If nothing is listening at that address, the victim's SYN/ACK is never answered. (A live host that never sent the SYN would normally reply with a RST, which frees the entry, so attackers prefer unused addresses.)
Different operating systems and applications use slightly different timeouts for a half-open connection, but it's usually around 10-30 seconds. Each SYN takes up one slot in the listen backlog for that long, even though the handshake is never completed, and the server can only hold so many half-open connections. When legitimate users try to connect, there are no free slots left for them.
Mitigations: An ASA firewall (Cisco Adaptive Security Appliance) in front of the servers is becoming more and more common in corporate networks as a means of mitigating these attacks, among others. The ASA accepts the SYN requests itself and keeps the embryonic connections open for a limited time, as a normal HTTP server would, but it is far more resilient than a normal server and is built for exactly this kind of attack. Only when the original sender completes the handshake with an ACK (meaning it is a valid client) does the ASA open its own TCP connection to the backend HTTP server and let the two communicate.
Attack Type: UDP Flood
Description: In a normal UDP flood attack, the attacker sends datagrams (UDP packets) to random ports on the victim. For each port with no application listening, the victim's operating system responds with an ICMP Destination Unreachable error. Sending so many datagrams over a short span of time essentially fills the victim's network link, so that no connection, incoming or outgoing, runs at full speed anymore. This is often a very simple attack. The downside is that it consumes the attacker's own network bandwidth.
Mitigations: There's an interesting technique called "Round Robin" that is commonly used by corporations as well as private website owners. Round Robin is a way of configuring DNS in which one domain name resolves to multiple servers, all of which serve the same static files. Each time the name is resolved, it points to a different server. This provides load balancing as well as a way of mitigating denial of service attacks. Also, companies like CloudFlare openly claim to protect against these attacks.
Attack Type: UDP DNS Amplification
Description: In a DNS amplification attack, the attacker sends DNS queries with the source address spoofed to be that of the victim. The query is crafted to ask for ALL record types (an ANY query), so each query is answered with a DNS response that is much larger than the query, and that response is delivered to the victim rather than to the attacker. When an attacker uses several people, servers or hosts to query these DNS servers, the result can be several gigabytes of data aimed at the victim.
Mitigations: Many VPS and dedicated server hosts disallow packets with false source IP addresses from leaving their network. This is great for mitigating all of the aforementioned attacks, but this one especially, as it's the only one that absolutely requires you to spoof the source. Other mitigations such as load balancers and Round Robin are going to be useful here as well.
Attack Type: Slowloris
Description: Much like a TCP SYN flood, Slowloris aims at keeping as many connections open as possible. However, whereas raw TCP SYNs work at layer 4 of the OSI model, Slowloris keeps connections alive via HTTP (layer 7, application): it sends a partial HTTP request and then trickles in one more header line every so often, never sending the blank line that ends the request, so the server keeps waiting for the rest. Slowloris is a very powerful attack against HTTP servers.
Mitigations: Though many servers are affected (Apache, lighttpd, dhttpd), as they are not made to handle such an astronomical number of idle connections, some servers are able to handle this attack (IIS, Nginx, Squid).
Attack Type: ARME (Apache Remote Memory Exhaustion)
Description: Deprecated. ARME exploits an old vulnerability in Apache that essentially allowed a remote attacker to consume swap space and memory, possibly resulting in a system crash. This attack no longer works.
Mitigations: Modern Apache servers are patched and are consequently not affected by this attack.
Attack Type: RUDY (R-U-Dead-Yet)
Description: RUDY is another layer 7 attack (that is, it works via HTTP). It announces a large request body and then sends it in very small increments over a long period of time. It mimics the way an incredibly slow internet connection would behave, except that it keeps this up for as long as the server will tolerate it, holding the connection the whole time.
Mitigations: Round Robin, or limiting how long an HTTP request may take to arrive (the header and body read timeouts most servers expose), is known to be helpful against these attacks. Also, companies like CloudFlare are dedicated to defending servers against these attacks.
-H
Houga@entropy.cat
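The SYN flood section above describes half-open connections piling up in the listen backlog until nothing is left for real clients. The following is an added example, not code from the original post or from any product it mentions: it replays a small, constructed packet log (timestamp, source, destination, TCP flags, in the style of tcpdump's S/SA/A/R flag letters) and tracks which handshakes are still incomplete at a given moment. The addresses, the log layout, the 30-second timeout, the backlog size and the alert threshold are all assumptions chosen for the demonstration. It reports two figures, because the two variants the post lists look different on the wire: a per-source count catches the unspoofed attacker, while total backlog occupancy is what you watch when every SYN carries a different spoofed source.

```python
"""Half-open TCP connection tracker for spotting a SYN flood in a packet log.

Added example, not from the original post. The log lines are a constructed,
simplified rendering of the flags tcpdump prints (S = SYN, SA = SYN/ACK,
A = ACK, R = RST); layout, addresses and thresholds are assumptions.
"""
from collections import Counter

HALF_OPEN_TIMEOUT = 30.0  # seconds a server keeps an unanswered SYN/ACK; the post cites 10-30 s
PER_SOURCE_ALERT = 3      # half-open connections from one source IP before we flag it (low for the demo)
BACKLOG_SIZE = 128        # assumed listen backlog of the victim service

# Constructed sample: 10.0.0.9 completes its handshake, 203.0.113.5 resets it
# (what a live spoofed host would do), 198.51.100.7 never answers the SYN/ACK.
SAMPLE_LOG = """\
1000.00 10.0.0.9:40001 192.0.2.10:80 S
1000.01 192.0.2.10:80 10.0.0.9:40001 SA
1000.02 10.0.0.9:40001 192.0.2.10:80 A
1000.10 198.51.100.7:5001 192.0.2.10:80 S
1000.11 198.51.100.7:5002 192.0.2.10:80 S
1000.12 198.51.100.7:5003 192.0.2.10:80 S
1000.13 198.51.100.7:5004 192.0.2.10:80 S
1000.20 203.0.113.5:6000 192.0.2.10:80 S
1000.21 192.0.2.10:80 203.0.113.5:6000 SA
1000.22 203.0.113.5:6000 192.0.2.10:80 R
1040.00 203.0.113.6:6001 192.0.2.10:80 S
"""


def parse_log(text):
    """Turn the text log into (timestamp, src, dst, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        events.append((float(ts), src, dst, flags))
    return events


def half_open_at(events, now, timeout=HALF_OPEN_TIMEOUT):
    """Return {(src, dst): syn_time} for handshakes still incomplete at time `now`."""
    pending = {}
    for ts, src, dst, flags in events:
        if ts > now:
            continue                     # hasn't happened yet
        if flags == "S":                 # client SYN opens a half-open entry
            pending[(src, dst)] = ts
        elif flags in ("A", "R"):        # client ACK completes it; a RST discards it
            pending.pop((src, dst), None)
        # "SA" is the server's own reply and changes nothing on the server side
    # entries older than the timeout have been reaped by the server
    return {k: v for k, v in pending.items() if now - v <= timeout}


def per_source_counts(events, now):
    """Half-open connections per source IP (port stripped)."""
    counts = Counter()
    for src, _dst in half_open_at(events, now):
        counts[src.rsplit(":", 1)[0]] += 1
    return counts


def flood_sources(events, now, threshold=PER_SOURCE_ALERT):
    """Source IPs holding at least `threshold` half-open connections: the unspoofed variant."""
    return sorted(ip for ip, n in per_source_counts(events, now).items() if n >= threshold)


def backlog_usage(events, now, listener):
    """Fraction of the listener's backlog held by half-open entries, whoever the sources are.

    This is the figure to watch for the spoofed variant, where no single source stands out.
    """
    held = sum(1 for _src, dst in half_open_at(events, now) if dst == listener)
    return held / BACKLOG_SIZE


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for now in (1000.30, 1040.50):
        print(f"t={now}: flooding sources {flood_sources(events, now)}, "
              f"backlog {backlog_usage(events, now, '192.0.2.10:80'):.1%} full")
```

At t=1000.30 the four unanswered SYNs from 198.51.100.7 are flagged; by t=1040.50 they have aged past the timeout and only the fresh SYN from 203.0.113.6 remains, which is exactly the reaping behaviour the post describes. Against a real attack you would feed this from a capture rather than a string, and tune the threshold to the backlog actually configured on the listener.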
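The DNS amplification section says the trick is that an ANY query is tiny while its answer is large, and the answer lands on the spoofed victim. To make that ratio concrete, here is an added example, not code from the original post: it builds a DNS query in wire format with the standard library, builds a matching response from a handful of constructed records, and reports the amplification factor. Nothing is sent on the network. The domain name, the record contents, the TTL and the EDNS buffer size are assumptions; the wire layout (RFC 1035 header and resource records, EDNS0 OPT pseudo-record, 0xC00C name compression pointer) is the real format.

```python
"""Measure DNS amplification: how many bytes of response one query buys.

Added example, not from the original post. Builds packets offline with
struct only; example.com, the record data, TTL and EDNS size are assumptions.
"""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1
OPT = 41  # EDNS0 pseudo-record type


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_size=4096):
    """Recursive query with an EDNS0 OPT record advertising a large UDP payload.

    The attacker wants the resolver to answer in one big UDP datagram, so the
    advertised size is deliberately high.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT: root name, type 41, "class" field carries the UDP payload size, TTL 0, no data
    opt = b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return header + question + opt


def build_response(query, records, ttl=3600):
    """Answer `query` with (rtype, rdata) tuples, pointing each owner name at the question."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1 + 4          # end of QNAME, QTYPE, QCLASS
    question = query[12:qname_end]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    answers = b""
    for rtype, rdata in records:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def parse_header(packet):
    """Decode the 12-byte header so the response can be sanity-checked."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker spent."""
    return len(response) / len(query)


# Constructed zone contents: four A records and one DKIM-style TXT record.
A_RECORDS = [(QTYPE_A, bytes([192, 0, 2, n])) for n in (10, 11, 12, 13)]
TXT_STRING = b"v=DKIM1; k=rsa; p=" + b"A" * 182                 # 200 bytes of text
TXT_RECORD = (QTYPE_TXT, bytes([len(TXT_STRING)]) + TXT_STRING)  # TXT rdata is length-prefixed


if __name__ == "__main__":
    q_any = build_query("example.com")
    r_any = build_response(q_any, A_RECORDS + [TXT_RECORD])
    q_a = build_query("example.com", QTYPE_A)
    r_a = build_response(q_a, A_RECORDS)
    print(f"ANY: {len(q_any)} B query -> {len(r_any)} B response, "
          f"x{amplification_factor(q_any, r_any):.2f}")
    print(f"A:   {len(q_a)} B query -> {len(r_a)} B response, "
          f"x{amplification_factor(q_a, r_a):.2f}")
```

With these constructed records the 40-byte ANY query draws a 306-byte answer, a factor of about 7.6, while an A query for the same name draws only 93 bytes. Real zones with large DNSSEC key sets push the ratio far higher, which is why open resolvers that honour ANY are the preferred reflectors and why the egress filtering the post recommends matters: without a spoofable source there is nobody to reflect at.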
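Slowloris and RUDY, described above, are both beaten by the same idea the post names under RUDY: refuse to wait forever for a request to arrive. The following is an added example, not code from the original post or from any of the servers it lists; it models the server's request reader without real sockets, feeding it a list of (arrival time, bytes) chunks with a simulated clock so it runs offline. The clients, the 20-second header deadline, the minimum body rate and the grace period are assumptions for the demonstration. The weak behaviour (no deadline, no minimum rate) is available by passing None, so the two failure modes can be compared side by side.

```python
"""Request-read deadlines against Slowloris (slow headers) and RUDY (slow body).

Added example, not from the original post. Clients are modelled as lists of
(arrival_time, bytes) chunks on a simulated clock; the deadlines, rates and
sample requests are assumptions chosen for illustration.
"""


def read_headers(chunks, header_deadline=20.0):
    """Consume chunks until the blank line that ends the request headers.

    Returns ("ok", header_text, leftover_bytes), ("timeout", bytes_received)
    once `header_deadline` seconds have passed since the first byte, or
    ("incomplete", bytes_received) if the client went away first.
    header_deadline=None reproduces the weak behaviour: wait forever.
    """
    buf = b""
    start = None
    for t, data in chunks:
        if start is None:
            start = t
        if header_deadline is not None and t - start > header_deadline:
            return ("timeout", len(buf))          # Slowloris: still no blank line
        buf += data
        if b"\r\n\r\n" in buf:
            head, _, rest = buf.partition(b"\r\n\r\n")
            return ("ok", head.decode("ascii", "replace"), rest)
    return ("incomplete", len(buf))


def read_body(chunks, content_length, min_rate=50.0, grace=5.0):
    """Consume body chunks, enforcing a minimum average byte rate after a grace period.

    Returns ("ok", n), ("too_slow", n) or ("incomplete", n), n being bytes received.
    min_rate=None reproduces the weak behaviour: a byte every few seconds is fine forever.
    """
    received = 0
    start = None
    for t, data in chunks:
        if start is None:
            start = t
        received += len(data)
        if received >= content_length:
            return ("ok", received)
        elapsed = t - start
        if min_rate is not None and elapsed > grace and received / elapsed < min_rate:
            return ("too_slow", received)         # RUDY: announced a big body, trickles it
    return ("incomplete", received)


# --- constructed clients ---------------------------------------------------

def slowloris_client(interval=15.0, lines=5):
    """Partial request, then one bogus header line per `interval`, never the blank line."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n")]
    for i in range(1, lines):
        chunks.append((i * interval, b"X-a: b\r\n"))
    return chunks


def rudy_client(interval=10.0, bytes_sent=50):
    """Body for a POST that announced Content-Length: 100000, one byte per `interval`."""
    return [(i * interval, b"x") for i in range(bytes_sent)]


def normal_client():
    return [(0.0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n")]


def slow_but_honest_client():
    """A poor mobile link: 100 bytes every half second, 2000 bytes in total."""
    return [(i * 0.5, b"x" * 100) for i in range(20)]


if __name__ == "__main__":
    print("normal headers   :", read_headers(normal_client())[0])
    print("slowloris, weak  :", read_headers(slowloris_client(), header_deadline=None)[0])
    print("slowloris, hard  :", read_headers(slowloris_client())[0])
    print("honest slow body :", read_body(slow_but_honest_client(), 2000))
    print("rudy, weak       :", read_body(rudy_client(), 100000, min_rate=None))
    print("rudy, hard       :", read_body(rudy_client(), 100000))
```

With the deadline in place the Slowloris connection is dropped at the 30-second mark when its third trickle arrives, and the RUDY body is rejected after ten seconds at 0.2 bytes per second, while the genuinely slow client still completes because its average rate stays far above the floor. This is the same pair of controls that, for example, Apache's mod_reqtimeout exposes as its header and body settings; the grace period is what keeps a strict minimum rate from punishing clients on a bad link whose first bytes arrive late.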