DoS Attacks and Mitigations

Created: 16.05.2023

In this article, I will cover the main DoS techniques and how they look in the logs. I will also cover some main mitigation techniques.

ICMP Flooding (flood ping)

An example of tcpdump for DDoS flood ping:

img

Note different source IP addresses (indicative of an army of botnets performing a DDoS attack).

LAND

⛔ïļ Outdated.

The system sends packets are sent to itself in a loop.

img

Smurf

  1. Multiple ICMP requests from several machines (one is seen in the dump).
  2. Frequent requests
  3. B in the requests stands for Broadcast, which makes it different from the ping dump.

ing

Fraggle

Similar to the Smurf attack but uses UDP instead.

  1. B in the requests stands for Broadcast, which makes it different from the ping dump.
  2. Multiple UDP requests from several machines.
  3. Frequent.
  4. Usually, the destination port is 7 (echo).

ing

UDP-Storm or Echo-Chargen

  1. Port 19 (chargen) > port 7 (echo) OR 13 (daytime) OR 37 (time). Instead of echo one could use any other port that automatically replies to a request.
  2. This creates a loop because both are configured to reply automatically.

❗ïļ This problem was eliminated on newer systems. Such ports as echo or time do not respond to requests sent from ports < 1024 or of a broadcast type.

img

Ping of Death

  1. Start with ICMP of a larger size.
  2. Following fragments of unusual size, some systems fail to reassemble and crash/hang.

img

SYN Flood Attack

  1. A lot of SYN packets are sent in a short period.
  2. Same destination port.

img

Mitigation

SYN cookies

They are used to protect against SYN flood attacks. Shifts the responsibility of keeping the connection state info to the client.

Steps

Construct a unique sequence number.

time()>>6 max segm size Enc(k,t, serverIP, serverPort, clientIP, clientPort)
  1. time()>>6 - 5 bits.
  2. max_segm_size - 3 bits.
  3. Enc(k,t, serverIP, serverPort, clientIP, clientPort) - 24 bits.

Micro blocks

16 bytes of data instead of full connection objects allocated on the server.

RST cookies

Return an error for each client upon connection initiation. It generates and sends RST cookies along. If the client returns with the same cookie - proceed with the connection.

Stack Tweaking

Selectively drop the connection and timeout for individual connections.

DNS Aplification

Use a public DNS server to flood the victim with DNS replies. Requires a botnet, each bot sending a DNS request with a spoofed IP (the victim’s IP).

nmap -sU -p53 -sV --script=dns-recursion.nse IP

Weird Scan

  1. SYN and FIN flag together (not normal). Many additional flags have weird orders of requests, like SYN followed by SYN+FIN etc.
  2. It Could be used to determine the OS type + circumvent the port scanning rules.

img

SLOWRIS

  1. The attacker initiates multiple connections to the targeted web server, often using low bandwidth or low computational power.
  2. The attacker sends partial HTTP requests to the server, but deliberately keeps the connections open without completing the requests.
  3. The attacker periodically sends small, incomplete requests, and ensures that each connection is kept alive by periodically sending additional headers or data.
  4. The server’s resources become tied up as it keeps waiting for the open connections to complete the requests.
  5. Eventually, the server reaches its maximum connection limit, and legitimate users are unable to establish new connections or access the server’s resources.

Mitigations

  1. Setting up load balancers or reverse proxies: These can help distribute and manage connections, reducing the impact of slow or malicious clients.
  2. Configuring web server settings: For example, reducing the maximum connection timeout or limiting the number of concurrent connections from a single IP address.
  3. Implementing application-level protections: This can involve monitoring and detecting slow or incomplete requests, and terminating connections that show suspicious behavior.
  4. Employing rate-limiting techniques: Applying restrictions on the number of connections allowed per client or implementing connection rate limits.

General Mitigation Techniques

  1. Traffic filtering (block ICMP/UDP flood, ACLs etc).
  2. Rate limiting for a given IP.
  3. IDP/IPS.
  4. Load Balancing.
  5. Traffic analysis and anomaly detection.
  6. Cloud-based protection services.

References

Expand… Something here