A denial of service attack can disrupt communication, crash systems, and create extensive service unavailability. In this video, you’ll learn about denial of service attacks, distributed denial of service attacks, and how amplification is used to deny access to services.
A denial of service is when a network connection or a server or an application is being forced to fail. You’re trying to make it so that no one else can access that particular service.
Sometimes, this is a simple overload. You’re using all of the bandwidth on the internet connection, or you’re using all of the resources inside of a server so that no one else can access it. Sometimes, this denial of service is created because of a vulnerability in the operating system or the device that causes it to completely crash and be unavailable to everyone. That’s why you want to make sure you always have your operating systems and all of your devices patched, especially if there is a known vulnerability that might cause a denial of service.
There have been cases where denial of service attacks have been created by the competitors. Your site goes down, but the competitor’s site stays up and running. This is obviously illegal. This is just one example of why a denial of service attack may occur.
Sometimes, a denial of service is simply a smokescreen for something else. It is a way to take down an existing system so that you can put your own device in place. And sometimes, the denial of service has nothing to do with technology. If you walk up to a building, and the power switch on the side of the building is not locked down, you can pull the switch. The entire building loses power, and you’ve effectively created a denial of service.
We often think about a denial of service as something the hackers or the bad guys are doing, but occasionally, we do this to ourselves. A good example would be something like a network denial of service. In the previous video, we talked about using Spanning Tree to prevent loops. But if you’ve not configured Spanning Tree, and you create a loop on your network, it will very quickly bring down all of the services on your network.
Sometimes, you’re using all the bandwidth on your internet connection. You’re downloading the latest multi-gigabyte Linux distributions, and it’s using up all of the bandwidth, and nobody else is able to go out or come back in to use services in your network.
Sometimes, it may be related to the environment. Maybe you have a water line break, and it’s right over your computer room. In that particular case, you may have a denial of service as you shut down systems or move systems out of the way of the water break.
The most effective denial of service attacks don’t use a single device. They use many devices, in some cases hundreds or even hundreds of thousands of devices. The only way to do that is with a distributed and coordinated attack launched from many different devices all over the world. We call this a distributed denial of service attack, or a DDoS. This is where all of those resources are combined and focused on a single attack, and together they may use up all the resources of a server or all of the bandwidth available on a particular link.
If you’ve ever asked yourself why the bad guys want to infect your machine with malware, this is a very good reason. There are a number of very, very large botnets where your machine is effectively turned into a robot, and it is under the control of a third party. They’re able to send messages to your machine and have your machine perform a particular task. They can coordinate that process and have literally millions of devices descend upon your network and bring down your services.
This distributed nature of a DDoS allows the bad guys to take advantage of an asymmetric type of threat. No single one of those infected devices has anything close to the bandwidth of your internet link. But even though each device has only a small amount of bandwidth on its own, when they all work together, they can easily overwhelm your larger resource.
Another twist that the bad guys put into their distributed denial of service attack is that they’re able to amplify their attack. They send very little information, but by the time it gets to you, it has become much larger. They’re often reflecting this attack off of another set of services. This is something that’s becoming increasingly common, because it uses so little bandwidth on the bad guys’ side and takes up so much bandwidth when it finally gets to you. They’re effectively taking the internet services that are important to us and reflecting them against us as an attack.
It uses protocols that don’t have a way to authenticate the source of a request or do any type of checking: things like NTP, the network time protocol; DNS, our domain name system; or ICMP, by performing pings. These run over UDP or directly over IP with no handshake, so a request can be sent with a spoofed source address, and the service sends its reply to the victim rather than back to the bad guys. This is a very common example of how they can use these very well-entrenched protocols against us.
Here’s an example of an amplification attack that goes back a number of years. This was one that was very well-known before operating systems and routers were changed to ignore it, and it’s called a Smurf attack. This takes advantage of spoofing, where you’re going to change the source IP address that you’re sending from. You’re going to pretend to be a different IP address, and you’ll see why in just a moment.
In this case, I am 192.168.1.22. I’m going to send a ping out to the network, and I’m going to send it to the broadcast address. This is not something that’s commonly done, and these days, devices don’t respond to pings sent to the broadcast address. But prior to this being fixed, every device that received a broadcast ping would respond to it.
But instead of sending it from our IP address, we’re going to send it from the IP address of this server, which is 192.168.1.1. So I’m going to spoof this address, send it out to the broadcast address, and tell all of the devices on this subnet, please reply to my ping. And that’s exactly what they do. They send their ping responses back to the address that was spoofed. They don’t send anything back to the original device, because I used a spoofed IP address.
So suddenly, this server is now receiving lots of responses to a request that it never made, and therefore, the amplification of the attack was increased by one, two, three, four, five, six, seven, eightfold, just by sending out one single request.
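As an added illustration of the Smurf mechanics described above (this is not code from the video; it is a simulation, no packets are sent), the example below models a constructed 192.168.1.0/24 with eight answering hosts at .10 through .17 and the spoofed victim address 192.168.1.1. It also shows the two controls that killed the attack: hosts ignoring broadcast echo requests (the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts, on by default today) and routers dropping directed broadcasts (Cisco's no ip directed-broadcast, the default since RFC 2644). The 84-byte request length and the host list are assumptions for the example.

```python
import ipaddress

REQUEST_LEN = 84   # IPv4 header + ICMP echo with the usual 56-byte payload; a reply is the same size


class Host:
    """A LAN host. ignore_broadcast_echo models Linux net.ipv4.icmp_echo_ignore_broadcasts=1,
    the modern default; the 1990s default was to answer broadcast pings."""

    def __init__(self, ip, ignore_broadcast_echo=False):
        self.ip = ipaddress.ip_address(ip)
        self.ignore_broadcast_echo = ignore_broadcast_echo

    def handle(self, pkt):
        """Answer an echo request; the reply goes to whatever source the request claims."""
        if pkt["type"] != "echo-request":
            return None
        if pkt["dst"] != self.ip and (not pkt["broadcast"] or self.ignore_broadcast_echo):
            return None
        return {"type": "echo-reply", "src": self.ip, "dst": pkt["src"], "len": pkt["len"]}


class Lan:
    """A subnet behind a router. forward_directed_broadcast models Cisco 'ip directed-broadcast';
    RFC 2644 made discarding such packets the router default."""

    def __init__(self, cidr, hosts, forward_directed_broadcast=False):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = hosts
        self.forward_directed_broadcast = forward_directed_broadcast

    def deliver(self, pkt, from_outside):
        """Deliver one packet to the LAN and collect every reply the hosts generate."""
        is_bcast = pkt["dst"] == self.net.broadcast_address
        if from_outside and is_bcast and not self.forward_directed_broadcast:
            return []                                   # router discards the directed broadcast
        pkt = dict(pkt, broadcast=is_bcast)
        return [r for r in (h.handle(pkt) for h in self.hosts) if r is not None]


def smurf(lan, spoofed_src, from_outside=True):
    """One echo request to the subnet broadcast address with the victim as the forged source.
    Returns what reaches the victim: the amplification is simply the number of replying hosts,
    because an echo reply is the same size as the request."""
    req = {"type": "echo-request", "src": ipaddress.ip_address(spoofed_src),
           "dst": lan.net.broadcast_address, "len": REQUEST_LEN}
    to_victim = [r for r in lan.deliver(req, from_outside) if r["dst"] == req["src"]]
    victim_bytes = sum(r["len"] for r in to_victim)
    return {"replies": len(to_victim), "victim_bytes": victim_bytes,
            "amplification": victim_bytes / REQUEST_LEN}


def make_lan(ignore_broadcast_echo=False, forward_directed_broadcast=False):
    """Constructed 192.168.1.0/24 with eight answering hosts (.10-.17). The attacker at .22
    and the server at .1 from the video are deliberately not modelled as responders."""
    hosts = [Host("192.168.1.%d" % i, ignore_broadcast_echo) for i in range(10, 18)]
    return Lan("192.168.1.0/24", hosts, forward_directed_broadcast)


VICTIM = "192.168.1.1"   # the address the attacker forges as the source

if __name__ == "__main__":
    print("1990s LAN, attacker inside   :", smurf(make_lan(), VICTIM, from_outside=False))
    print("1990s LAN, router forwards   :", smurf(make_lan(forward_directed_broadcast=True), VICTIM))
    print("router drops dir. broadcast  :", smurf(make_lan(), VICTIM))
    print("hosts ignore broadcast echo  :",
          smurf(make_lan(ignore_broadcast_echo=True), VICTIM, from_outside=False))
```

The first two scenarios reproduce the eightfold amplification from the video: one request in, eight same-sized replies to the spoofed address. Either control on its own drops that to zero, which is why the attack is historical; on a current Linux box you can confirm the host-side setting with sysctl net.ipv4.icmp_echo_ignore_broadcasts.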
A more modern distributed denial of service amplification attack would be one that takes advantage of DNS. This is one where a botnet has been instructed to send a DNS query to what we call an open DNS resolver. This is one that would accept queries from any device on the internet. And again, we’re using spoofing to change our source IP address to really be the victim address.
What’s nice about this particular amplification, from the attacker’s point of view, is that we’re able to send such a small amount of information and have a huge amount sent to the actual victim. The DNS request we send is a small frame, really about 60 bytes in size, but the response can be very large; in some cases, thousands of bytes. That is a huge increase, so we’re able to send very little information in and have a very large amount of information sent to the victim IP address.
At this point, we’ve taken that 60 bytes. We’ve increased it up to 3,000, and we’ve sent it to the victim. That victim can be easily overwhelmed. If you have multiple devices all doing this at the same time, you will exceed your firewall resources, you’ll exceed your bandwidth resources and cause anything at that site to have all of those services denied.
Here’s visually how this DNS amplification attack works. The bad guys have already created a botnet. They’ve already infected machines. They may have millions of devices sitting out there, and they send a message out to these botnet devices. Usually it’s done through a central IRC chat channel or something equally simple. They add one single command, and all of these devices can see that command. At that point, they send their DNS query; usually, it’s not even to a single open DNS resolver, it’s to multiple DNS servers. That single 60-byte request goes in. It’s quickly amplified to thousands of bytes and sent down to the victim machine. You can see how, with a very small number of resources, you’re able to overwhelm a single device on the internet.
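To make the byte counts in the DNS amplification discussion concrete, here is an added example (not code from the video) that builds the actual wire format of the query a bot would send and of the oversized answer the open resolver returns, then computes the amplification factor. Nothing is sent on the network: the response is constructed, its six TXT records and one A record are fabricated stand-ins for a large zone, and the only real name used is viareality.cz from the demo. One detail the video skips is shown in the code: a plain UDP query caps the answer at 512 bytes, so the attacker adds an EDNS0 OPT record advertising a 4096-byte buffer to get the multi-kilobyte response.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1
IP_UDP_OVERHEAD = 28            # 20-byte IPv4 header + 8-byte UDP header on every datagram


def encode_name(name):
    """Dotted name -> DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def edns_opt(bufsize):
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size
    the sender can accept. Without it the resolver must truncate anything over 512 bytes."""
    return b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_bufsize=None):
    """UDP payload of a DNS query (the attacker also spoofs the IP source to the victim)."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags 0x0100: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question + (edns_opt(edns_bufsize) if edns_bufsize else b"")


def txt_rdata(text):
    """TXT RDATA: one or more <length><chars> strings, each at most 255 bytes."""
    chunks = (text[i:i + 255] for i in range(0, len(text), 255))
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_response(query, records, ttl=300, edns_bufsize=4096):
    """Answer `query` with (qtype, rdata) records; owner names use the compression pointer
    0xC00C back to the question name, which always sits at offset 12."""
    txid, = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1          # queries carry no compression pointers
    question = query[12:qname_end + 4]                 # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 1)   # QR=1, RD=1, RA=1
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, ttl, len(rdata)) + rdata
                   for qtype, rdata in records)
    return header + question + rrs + edns_opt(edns_bufsize)


def parse_header(packet):
    """Decode the 12-byte DNS header (enough to see what a victim is being flooded with)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response, on_wire=True):
    """Bytes delivered to the victim per byte the attacker sent. Both datagrams carry the
    same IP/UDP overhead, which pulls the on-wire ratio below the payload-only ratio."""
    extra = IP_UDP_OVERHEAD if on_wire else 0
    return (len(response) + extra) / (len(query) + extra)


# Constructed scenario (no packets are sent): a bot asks an open resolver for ANY on
# viareality.cz with the victim's address as the spoofed source. The six 480-byte TXT
# records and the A record below are made up to stand in for a large zone.
QUERY = build_query("viareality.cz", QTYPE_ANY, edns_bufsize=4096)
RESPONSE = build_response(
    QUERY,
    [(QTYPE_TXT, txt_rdata(b"x" * 480))] * 6 + [(QTYPE_A, bytes([198, 51, 100, 7]))],
)

if __name__ == "__main__":
    print("query bytes:", len(QUERY), "response bytes:", len(RESPONSE))
    print("response header:", parse_header(RESPONSE))
    print("payload amplification: %.1fx" % amplification_factor(QUERY, RESPONSE, on_wire=False))
    print("on-wire amplification: %.1fx" % amplification_factor(QUERY, RESPONSE))
```

The 31-byte bare query plus 28 bytes of IP and UDP headers is the roughly 60-byte frame the video mentions; with the OPT record it is 42 bytes of payload. The constructed answer comes to 3022 bytes, about 72 times the payload sent and about 44 times once headers are counted on both sides. A datagram that size also exceeds a 1500-byte MTU, so the victim actually receives it as several IP fragments, which is one more thing its firewall has to reassemble or drop.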
Let me give you a small example of what this might look like. I’ve grabbed a domain name that is commonly used for things like DNS amplification attacks. Let’s look at a normal query to this. So I’ll do a query for this viareality.cz domain. So I’m just doing a normal website lookup, and you can see I get a website response with the IP address of that particular server.
But now let’s perform the same nslookup, but in this case, I’m going to include the query to give me everything that happens to be in that particular DNS server for that domain name. And if I hit Enter, you can see a lot of information suddenly showed up. I’m going to scroll back up so you can see that this is the request I made right here at the top, and this is all of the responses that I received. You can see how using that single query can amplify such a simple request and end up getting a lot of information sent right to my victim machine.