Denial of Service (SYN Flood Attack)

Norse live attack map (http://map.norsecorp.com/)

Denial of Service (DoS) is a common attack method used to flood network connections with the intention of rendering the network server unusable. DoS attacks are typically motivated by retaliation, perhaps from a fired employee, or by various other reasons, including social hacktivism or cyber terrorism. Most DoS attacks target web servers by overwhelming them with SYN requests faster than the server can respond to them. DoS attacks can also barrage a server by depriving it of other critical resources such as CPU, memory, and bandwidth, possibly leading to a system crash.

Distributed Denial of Service (DDoS) is an advanced form of Denial of Service that employs many computers located anywhere in the world where there is an Internet connection. Malware running on a computer is what gives the attacker remote control of it. A computer controlled in this way is referred to as a “Zombie”. Armies of Zombie computers form what is called a “Botnet”, a large network of centrally controlled computers that perform an action, which can be malicious in nature or for valid reasons, as is the case with The Search for Extraterrestrial Intelligence (SETI), a government scientific organization. Users of malicious Zombie computers are unaware of the control taking place behind the scenes because the botnet malware usually masquerades as a valid process or stays hidden deep within the system undetected.

Example:

figure 1

Before starting, a benchmark was taken of the target machine's vitals, as seen in figure 2 below. The “top” command provides a snapshot of how the computer operates under normal conditions. The Metasploitable 2 webpage also loaded successfully on the attacker's machine, as seen in figure 1. This indicates that the Apache web service and port 80 are fully functional on the target running Metasploitable 2.

The attack will be performed using a small, lightweight, open source program called hping3, a packet generator and analysis tool for the TCP/IP protocol suite. As seen in the first half of figure 4, the average ping response time is 0.6 ms under normal conditions. Figure 3 shows the hping3 command used to launch the attack against Metasploitable 2 from within Kali Linux. Immediately after the attack is initiated, the ping response times increase to an average of 300 ms, as seen in the bottom half of figure 4 below. Although the SYN flood attack was in progress, the pings were still being answered. One must keep in mind that in this experiment only a single machine is used in the attack. Attacks coming from two or three zombie computers would greatly enhance the effect, which is where DDoS comes in. Keep in mind that a typical DDoS attack could employ the services of thousands of malware-infected zombie computers located at every corner of the globe.

figure 2

figure 3

DoS can also be delivered through many different types of attack vectors. Attackers typically deploy malware that is installed on an unsuspecting user's machine through social engineering emails, pirated software, or malware embedded in hard drive firmware, which is what the NSA was recently discovered doing. It was also recently discovered that DoS malware could be embedded in web browser cookies. Attackers are finding new and innovative ways to penetrate user systems to carry out their malicious activities, so it's critical that organizations adapt to meet these new challenges.

figure 4

A screen capture from Wireshark, figure 5, shows the SYN flood packet stream in progress. An overwhelming number of SYN requests are sent to the target machine, which overloads the Apache server and consumes some of the resources needed for other critical computing functions. The SYN packets are sent to every possible port on the target machine, causing it to repeatedly respond with (RST, ACK) packets, as seen in figure 6. The target machine is kept busy resetting all connections that attempt to link to closed ports.

figure 5

SYN floods are referred to as “half-open” attacks because the three-way handshake never fully completes. In a typical three-way handshake, the client returns an ACK packet as confirmation to the server that the SYN/ACK packet was received, which allows communication to begin. In a SYN flood, the ACK packet is never sent back to the server; instead, the attacker's program sends repeated SYN packets to all of the server's ports. When the server responds with a SYN/ACK packet, the attacker also learns which ports are open.

figure 6

The attacker's SYN packets appear to be valid, but since the attacker's IP address is most likely spoofed, it's not possible for the attacked server to shut down the link by sending an RST packet to the attacker. In this case, the connection stays open. The attacker keeps sending out SYN packets to the server before a time-out occurs. Under these circumstances, the server becomes congested with hostile communications from the attacker, making legitimate communication with the server virtually impossible.
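The half-open behaviour seen in figures 5 and 6 can be reproduced from a packet log by replaying it through a minimal handshake state table. The following is an added example, not code from the post: it takes constructed one-line packet records (not a real capture), tracks SYNs to listening ports that never receive the client's ACK, counts SYNs to closed ports (which the server answers with RST/ACK), and flags sources that exceed an assumed half-open threshold.

```python
from collections import defaultdict

# Constructed sample, not a real capture: one record per packet, in the form
# "src_ip:src_port > dst_port FLAGS" (S = SYN from client, A = client's final ACK).
SAMPLE = """\
10.0.0.5:40001 > 80 S
10.0.0.5:40002 > 80 S
10.0.0.5:40003 > 81 S
10.0.0.5:40004 > 80 S
10.0.0.5:40005 > 82 S
10.0.0.5:40006 > 80 S
10.0.0.5:40007 > 80 S
192.168.56.10:51000 > 80 S
192.168.56.10:51000 > 80 A
""".splitlines()

OPEN_PORTS = {22, 80}        # assumed listening ports on the target
HALF_OPEN_THRESHOLD = 5      # assumed half-open connections per source before flagging

def parse(line):
    src, rest = line.split(" > ")
    ip, sport = src.rsplit(":", 1)
    dport, flags = rest.split()
    return ip, int(sport), int(dport), flags

def analyze(lines, open_ports=OPEN_PORTS, threshold=HALF_OPEN_THRESHOLD):
    """Replay the records through a minimal handshake state table.
    Returns per-source half-open counts, per-source SYNs to closed ports
    (each of which the server answers with RST/ACK), and flagged sources."""
    half_open = set()              # (ip, sport, dport) awaiting the client's ACK
    rst_ack = defaultdict(int)
    for line in lines:
        ip, sport, dport, flags = parse(line)
        key = (ip, sport, dport)
        if flags == "S":
            if dport in open_ports:
                half_open.add(key)     # server sent SYN/ACK and now holds state
            else:
                rst_ack[ip] += 1       # closed port: server resets immediately
        elif flags == "A":
            half_open.discard(key)     # handshake completed, no longer half-open
    per_src = defaultdict(int)
    for ip, _, _ in half_open:
        per_src[ip] += 1
    suspects = sorted(ip for ip, n in per_src.items() if n >= threshold)
    return {"half_open": dict(per_src), "rst_ack": dict(rst_ack), "suspects": suspects}
```

A production detector counts within a time window and ages entries out as the server's own SYN-RECEIVED timer would. Because the source address can be spoofed, as the post notes, per-source counting alone can be evaded, which is why stateless defences such as SYN cookies matter.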

As seen in figure 7 below, the target computer is experiencing a large volume of apache2 server activity, which could be indicative of the SYN Flood attack currently underway aimed at port 80.

figure 7

An attempt to load the Metasploitable webpage on the attacker's machine returns an “unable to connect” error message, as seen in figure 8 below. Apache2 is an open source web server used on the Linux operating system to serve websites, and in this case users are denied service.

figure 8

There are various methods used to mitigate DoS and DDoS attacks. Micro blocks is a technique where administrators allocate micro records (as little as 16K) of server memory for each incoming SYN request in lieu of an all-inclusive connection object. A SYN cookie is a method that uses cryptographic hashing. The server sends a SYN-ACK response whose sequence number is fabricated from the client's IP address, port number, and any other uniquely identifying information. The client's ACK packet carries that hash back, and the server only allocates memory for verified ACKs. Another method used to mitigate DoS attacks is RST cookies. Using this method, the server sends an invalid SYN-ACK for the first request sent from a client. The client responds with an RST packet, which indicates to the server that something is wrong. This tells the server that the request is legitimate; the server logs the client and then accepts successive inbound connections from it.
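The SYN cookie described above, as an added example that is not from the post or from any real TCP stack: the server's initial sequence number is an HMAC over the connection 4-tuple and a coarse time slot, with a few bits encoding the client's MSS, so the final ACK can be validated without storing any per-connection state between the SYN/ACK and the ACK. The secret key, MSS table and bit layout are constructed for the demonstration.

```python
import hashlib
import hmac

# Hypothetical server secret; a real stack uses a random per-boot key.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1220, 1440, 1460]   # index is encoded in 3 bits of the cookie

def _mac(src_ip, src_port, dst_ip, dst_port, slot, secret=SECRET):
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, t):
    """Initial sequence number the server places in its SYN/ACK (32 bits).
    Layout: top 5 bits = time slot (64 s granularity), next 3 bits = MSS index,
    low 24 bits = truncated HMAC over the 4-tuple and the slot."""
    slot = (t // 64) & 0x1F
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    mac = _mac(src_ip, src_port, dst_ip, dst_port, slot) & 0xFFFFFF
    return (slot << 27) | (mss_idx << 24) | mac

def check_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, t, max_age_slots=1):
    """Validate the client's final ACK using only the packet and the secret.
    Returns the negotiated MSS on success, None if the cookie is forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # client acknowledges server ISN + 1
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_slot = (t // 64) & 0x1F
    if (now_slot - slot) & 0x1F > max_age_slots:
        return None                           # too old: replayed or fabricated
    if (cookie & 0xFFFFFF) != (_mac(src_ip, src_port, dst_ip, dst_port, slot) & 0xFFFFFF):
        return None                           # MAC mismatch: not issued for this 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]                 # only now does the server allocate state
```

The trade-off is that options not encoded in the cookie (window scaling, SACK) are lost for cookie-validated connections, which is why real stacks enable cookies only once the SYN backlog fills.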

While DoS and DDoS attacks are nothing new, they are becoming increasingly commonplace in today's society. Surprisingly, there is now a website that offers DoS services for as little as $50. It is easy to see the impact DoS has on critical network systems and how easy it can be to perform. Organizations need to take the necessary steps to help mitigate potentially damaging DoS attacks. By implementing sound IT security policies and preparing in advance, the possibility of severe damage from an attack can be lessened or completely avoided. DoS, by nature, is mainly designed to disrupt and/or crash computer networks. The motives behind DoS attacks can vary widely, from an agitated former employee who was recently fired to overactive teenagers, hacktivists, or cyber terrorists. Organizations are best served by being prepared rather than complacent. Rather than allocating large portions of the budget to damage control, organizations would be better served by taking a more proactive approach to mitigating IT security breaches and budgeting for better IT security solutions.

