Ethical Hacking
WERABE UNIVERSITY
Submitted to Dr. CHANDRA S.
WERABE, Ethiopia
Contents
Introduction denial of service
Malicious DoS
Botnet
1. Application-layer Flood
Eavesdropping Methods
IPSec
Security association
Introduction denial of service
A Denial-of-Service (DoS) is an attack meant to shut down a machine or network, making it inaccessible
to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it
information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e.
employees, members, or account holders) of the service or resource they expected. DoS attacks often
target the web servers of high-profile organizations such as banking, commerce, and media companies,
or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of
significant information or other assets, they can cost the victim a great deal of time and money to handle.
There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur
when the system receives too much traffic for the server to buffer, causing it to slow down and
eventually stop. Popular flood attacks include:
Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a network address
than the programmers have built the system to handle. It includes the attacks listed below, in addition to others that
are designed to exploit bugs specific to certain applications or networks.
ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every computer on
the targeted network, instead of just one specific machine. The network is then triggered to amplify the traffic. This
attack is also known as the smurf attack or ping of death.
An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack
occurs when multiple systems orchestrate a synchronized DoS attack to a single target. The essential
difference is that instead of being attacked from one location, the target is attacked from many locations
at once. The distribution of hosts that defines a DDoS provides the attacker multiple advantages:
"Denial of service" or "DoS" describes the ultimate goal of a class of cyber attacks designed to render a
service inaccessible. The DoS attacks that most people have heard about are those launched against high
profile websites, since these are frequently reported by the media. However, attacks on any type of
system, including industrial control systems which support critical processes, can result in a denial of
service.
When a website suffers a DoS attack, the apparent effect will depend on your perspective. For the average
user, it appears that the site has simply stopped displaying content. For businesses, it could mean that the
online systems they depend upon have ceased to respond. The symptoms of a DoS attack against
industrial control systems may include the inability to retrieve sensor data, or control critical processes.
DoS events are often brought about by a service's underlying systems being overloaded. We'll use a
simple web-based example to clarify exactly how overload-based DoS attacks work, so let's imagine a
shopping website you visit is under attack.
Ordinarily, when you visit an online shopping site, your requests pass through your Internet Service
Provider's network, through one or more exchanges and out, onto other providers' networks. From there
your clicks pass onto the hosting service used by the shopping site, and finally onto the site's own
infrastructure.
Within the shopping site, a number of servers will each handle a small bit of the work needed to generate
the page you see. This will include database servers that provide lists of products, application servers that
interpret that product information and web servers that create the pages you are browsing.
However, much like a human, each server can only do so much work in a given period. So, when too
many users are requesting pages from the shopping site at one time, the site's infrastructure or servers
may not be able to handle everyone's requests in a timely manner.
Depending on how the shopping site is set up, this results in some or all users being unable to view the
site. To put it another way, they are denied access to the service.
Malicious DoS
Malicious attacks can take one of two general forms: Denial of Service (DoS) or Distributed Denial of
Service (DDoS).
A Denial of Service attack uses only a small number of attacking systems (possibly just one) to
overload the target. This was the most common type of attack in the early days of the Internet, when
services were relatively small in scale and security technology was in its infancy. Nowadays, however, a
simple DoS attack is often simple to deflect, as the attacker is easy to identify and block. One notable
exception here may be industrial control systems, where equipment may have a low tolerance to
bogus traffic, or may be connected via low bandwidth links that are easily saturated.
In a Distributed Denial of Service attack, the attacker enlists the help of (many) thousands of Internet
users to each generate a small number of requests which, added together, overload the target. These
participants may either be willing accomplices (such as attacks initiated by loosely organised illegal
"hacktivist" groups) or unwitting victims whose machines have been infected with malware.
Botnet
A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be
used to perform Distributed Denial-of-Service (DDoS) attacks, steal data,[1] send spam, and allow the
attacker to access the device and its connection. The owner can control the botnet using command and
control (C&C) software.[2] The word "botnet" is a portmanteau of the words "robot" and "network". The
term is usually used with a negative or malicious connotation.
these compromised computers through communication channels formed by standards-based network
protocols, such as IRC and Hypertext Transfer Protocol (HTTP).
Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot
programs are constructed as clients which communicate via existing servers. This allows the bot herder
(the controller of the botnet) to perform all control from a remote location, which obfuscates the traffic. [6]
Many recent botnets now rely on existing peer-to-peer networks to communicate. These P2P bot
programs perform the same actions as the client–server model, but they do not require a central server to
communicate.
The first botnets on the Internet used a client–server model to accomplish their tasks. [7] Typically, these
botnets operate through Internet Relay Chat networks, domains, or websites. Infected clients access a
predetermined location and await incoming commands from the server. The bot herder sends commands
to the server, which relays them to the clients. Clients execute the commands and report their results back
to the bot herder.
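The client–server model described above gives defenders a detection handle: an infected client that polls a fixed command location does so on a timer, so its connections are far more regular than human-driven traffic. The following detector is an added example written for this document (it is not from any cited source); the connection log it reads is constructed, the field layout "timestamp src dst port" is assumed, and the thresholds (at least five connections, coefficient of variation below 0.1) are illustrative values a practitioner would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 polls an IRC-style server roughly every 60 s (a bot awaiting commands);
# 10.0.0.7 browses a web site at irregular, human-paced intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 6667
1001 10.0.0.7 198.51.100.20 443
1015 10.0.0.7 198.51.100.20 443
1061 10.0.0.5 203.0.113.10 6667
1100 10.0.0.7 198.51.100.20 443
1103 10.0.0.7 198.51.100.20 443
1119 10.0.0.5 203.0.113.10 6667
1181 10.0.0.5 203.0.113.10 6667
1240 10.0.0.5 203.0.113.10 6667
1299 10.0.0.5 203.0.113.10 6667
1350 10.0.0.7 198.51.100.20 443
1700 10.0.0.7 198.51.100.20 443
"""


def parse_connections(log_text):
    """Group connection timestamps by (src, dst, dst_port); skip malformed lines."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, port = int(parts[0]), int(parts[3])
        except ValueError:
            continue
        flows[(parts[1], parts[2], port)].append(ts)
    return flows


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times (0.0 = perfectly periodic).
    Returns None when there are too few intervals to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(log_text, min_connections=5, max_cv=0.1):
    """Return {flow: cv} for flows that look like machine-timed beaconing."""
    suspects = {}
    for flow, times in parse_connections(log_text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv < max_cv:
            suspects[flow] = round(cv, 4)
    return suspects


if __name__ == "__main__":
    for flow, cv in find_beacons(SAMPLE_LOG).items():
        print(f"possible C2 beacon {flow[0]} -> {flow[1]}:{flow[2]} (cv={cv})")
```

Real bots add jitter to their polling interval, so a low coefficient of variation is a lead to investigate rather than proof; the same function works on any flow or proxy log once the parser is adapted to its format.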
1. Application-layer Flood
In this attack type, an attacker simply floods the service with requests from a spoofed IP address in an
attempt to slow or crash the service, illustrated in . This could take the form of millions of requests per
second or a few thousand requests to a particularly resource-intensive service that eat up resources until
the service is unable to continue processing the requests.
Preventing application-layer DoS attacks can be tricky. The best way to help mitigate these types of
attacks is to outsource pattern detection and IP filtering to a third party (discussed later).
DDoS attacks are famously hard to mitigate, which is why outsourcing network filtering to a third party is
the recommended approach. We'll cover this later on.
Not all DoS attacks are nefarious. The third attack type is the "unintended" Denial of Service attack. The
canonical example of an unintended DDoS is called "The Slashdot Effect". Slashdot is an internet news
site where anyone can post news stories and link to other sites. If a linked story becomes popular, it can
cause millions of users to visit the site, overloading the site with requests. If the site isn't built to handle
that kind of load, the increased traffic can slow or even crash the linked site. Reddit and "The Reddit
Hug of Death" is another excellent example of an unintentional DoS.
The only way to prevent these types of unintended DoS attacks is to architect your application for scale.
Use patterns like edge-caching with CDNs, HTTP caching headers, auto-scaling groups, and other
methods to ensure that even when you receive a large amount of burst-traffic, your site will not go down.
Another type of unintentional DoS attack can occur when servicing low bandwidth areas. For instance,
streaming content internationally means that people in certain areas of the world with slow or bad internet
connections might cause problems. When your service attempts to send information to these
low-bandwidth areas, packets drop. In an attempt to get the information to the destination, your service
will attempt to resend all dropped packets. If the connection drops the packets again, your service may
make another attempt. This cycle can cause your service's load to double or triple, causing your service to
be slow or unreachable for everyone.
UDP Flood
A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP)
packets. The goal of the attack is to flood random ports on a remote host. This causes the host to
repeatedly check for the application listening at that port, and (when no application is found) reply with
an ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead
to inaccessibility.
SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way
handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a
SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a
SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s
SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system
continues to wait for acknowledgement for each of the requests, binding resources until no new
connections can be made, and ultimately resulting in denial of service.
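The SYN flood mechanism above leaves a measurable trace on the server: SYNs that never receive their final ACK accumulate as half-open connections. The code below is an added example for this document (not from any cited source) that replays a constructed packet summary and reports the two signals a defender watches: a single source holding many half-open connections, and a server whose total half-open backlog is filling up even though each (spoofed) source appears only once. The record format, the flag abbreviations and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet summaries: "<ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <flags>"
# (S = SYN, SA = SYN-ACK, A = ACK). 10.0.0.9 completes both of its handshakes;
# 198.51.100.77 opens five connections and never sends the final ACK; three more
# SYNs arrive from addresses that never answer at all (the spoofed-source case).
SAMPLE_PACKETS = """\
1 10.0.0.9:40001 192.0.2.10:80 S
1 192.0.2.10:80 10.0.0.9:40001 SA
1 10.0.0.9:40001 192.0.2.10:80 A
2 198.51.100.77:1001 192.0.2.10:80 S
2 198.51.100.77:1002 192.0.2.10:80 S
2 198.51.100.77:1003 192.0.2.10:80 S
2 198.51.100.77:1004 192.0.2.10:80 S
2 198.51.100.77:1005 192.0.2.10:80 S
2 203.0.113.8:5000 192.0.2.10:80 S
2 203.0.113.9:5000 192.0.2.10:80 S
2 203.0.113.10:5000 192.0.2.10:80 S
3 10.0.0.9:40002 192.0.2.10:80 S
3 192.0.2.10:80 10.0.0.9:40002 SA
3 10.0.0.9:40002 192.0.2.10:80 A
"""


def track_handshakes(packet_text):
    """Replay the packets. Returns (half_open, completed): half_open maps
    (client, server) socket pairs still waiting for the final ACK to the SYN
    time; completed counts finished handshakes per client IP."""
    half_open = {}
    completed = defaultdict(int)
    for line in packet_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, flags = parts
        if flags == "S":                                  # handshake begins
            half_open[(src, dst)] = int(ts)
        elif flags == "A" and (src, dst) in half_open:    # client's final ACK
            del half_open[(src, dst)]
            completed[src.rsplit(":", 1)[0]] += 1
        # SYN-ACKs from the server need no state here
    return half_open, completed


def syn_flood_report(packet_text, max_half_open_per_source=3, backlog_limit=4):
    """Two signals: sources holding many half-open connections (a non-spoofing
    flooder), and servers whose half-open backlog exceeds what they can hold
    (the spoofed case, where each forged source appears only once)."""
    half_open, _completed = track_handshakes(packet_text)
    per_source = defaultdict(int)
    per_server = defaultdict(int)
    for client, server in half_open:
        per_source[client.rsplit(":", 1)[0]] += 1
        per_server[server] += 1
    return {
        "flooding_sources": {ip: n for ip, n in per_source.items()
                             if n >= max_half_open_per_source},
        "saturated_servers": {srv: n for srv, n in per_server.items()
                              if n >= backlog_limit},
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_PACKETS))
```

Per-source counting is enough when the attacker uses real addresses; when sources are spoofed only the server-side backlog figure moves, which is why both are reported.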
Ping of Death
A ping of death (“POD”) attack involves the attacker sending multiple malformed or malicious pings to a
computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the
Data Link Layer usually poses limits to the maximum frame size – for example 1500 bytes over an
Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments),
and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario,
following malicious manipulation of fragment content, the recipient ends up with an IP packet which is
larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet,
causing denial of service for legitimate packets.
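The defence the text implies is to bound the reassembled size before allocating or filling a buffer: the 13-bit fragment offset (in 8-byte units) plus the fragment's payload length tells the receiver how large the datagram claims to be, and anything over 65,535 bytes is rejected. The following check is an added example written for this document, not code from any IP stack; it assumes a 20-byte IPv4 header with no options and represents each fragment as an (offset, payload length, more-fragments) tuple. Gap and overlap handling, which a real reassembler also needs, is deliberately out of scope.

```python
IP_MAX_LEN = 65535                  # 16-bit Total Length field
MAX_FRAG_OFFSET = (1 << 13) - 1     # 13-bit Fragment Offset field, in 8-byte units
IPV4_HEADER_LEN = 20                # assumed: no IP options


def reassembled_length(fragments, header_len=IPV4_HEADER_LEN):
    """fragments: iterable of (offset_units, payload_len, more_fragments).
    Return the datagram length the fragments claim when reassembled.
    Raises ValueError for fragments that cannot be part of a valid datagram."""
    end = 0
    seen_last = False
    for offset, length, more in fragments:
        if not 0 <= offset <= MAX_FRAG_OFFSET or length <= 0:
            raise ValueError(f"bad fragment offset={offset} len={length}")
        if more and length % 8:
            raise ValueError("non-final fragment payload must be a multiple of 8")
        if not more:
            seen_last = True
        end = max(end, offset * 8 + length)
    if not seen_last:
        raise ValueError("no final fragment (MF=0) present")
    return header_len + end


def safe_to_reassemble(fragments):
    """True only if the fragments describe a datagram that fits the 16-bit
    Total Length field, so a fixed-size reassembly buffer cannot be overrun."""
    try:
        return reassembled_length(fragments) <= IP_MAX_LEN
    except ValueError:
        return False


# Constructed: a 4000-byte ICMP echo (3980 payload bytes) split for a 1500-byte MTU.
NORMAL_PING = [(0, 1480, True), (185, 1480, True), (370, 1020, False)]
# Constructed: the final fragment sits at the maximum offset, so the claimed total
# overshoots 65,535 bytes; a receiver that trusts it would overrun its buffer.
OVERSIZED_PING = [(0, 1480, True), (8191, 100, False)]


if __name__ == "__main__":
    print("normal ping:", reassembled_length(NORMAL_PING), safe_to_reassemble(NORMAL_PING))
    print("oversized ping:", reassembled_length(OVERSIZED_PING), safe_to_reassemble(OVERSIZED_PING))
```

The important property is that the decision is made from the header fields alone, before any fragment payload is copied, so a malformed set of fragments costs the receiver nothing but a few integer comparisons.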
NTP Amplification
In NTP amplification attacks, the perpetrator exploits publicly accessible Network Time Protocol
(NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification
assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or
more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like
Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth,
high-volume DDoS attack.
HTTP Flood
In an HTTP flood DDoS attack, the attacker exploits seemingly-legitimate HTTP GET or POST requests
to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection
techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The
attack is most effective when it forces the server or application to allocate the maximum resources
possible in response to every single request.
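Because HTTP flood requests are well-formed, detection has to work from request rate and cost rather than from packet anomalies. The following detector is an added example written for this document (not from any cited source): it parses constructed combined-format access-log lines, weights each request by an assumed per-endpoint cost (search pages cost five times a static page, reflecting the text's point that floods aimed at expensive requests hurt most), and flags clients whose weighted cost within a sliding window exceeds a budget. The cost table, budget and window are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumed per-request cost: endpoints that hit the database or search index
# are weighted higher than static pages.
ENDPOINT_COST = {"/search": 5}
DEFAULT_COST = 1

# Constructed access-log lines: one client hammers /search six times in two
# seconds; another fetches two static pages half a minute apart.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=c HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=d HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=e HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=f HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 2048
"""


def request_cost(path):
    """Cost of one request, keyed on the path without its query string."""
    base = path.split("?", 1)[0]
    return ENDPOINT_COST.get(base, DEFAULT_COST)


def parse_access_log(text):
    """Yield (client_ip, timestamp, path) from combined-format lines; skip others."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["path"]


def http_flood_sources(text, budget=20, window_seconds=10):
    """Sliding window of weighted request cost per client IP. Returns
    {ip: peak_cost} for clients whose cost within any window exceeds budget.
    Lines are assumed to be in chronological order, as access logs are."""
    windows = defaultdict(deque)
    offenders = {}
    for ip, ts, path in parse_access_log(text):
        q = windows[ip]
        q.append((ts, request_cost(path)))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                              # drop requests outside the window
        total = sum(cost for _, cost in q)
        if total > budget:
            offenders[ip] = max(offenders.get(ip, 0), total)
    return offenders


if __name__ == "__main__":
    print(http_flood_sources(SAMPLE_ACCESS_LOG))
```

Weighting by cost rather than counting requests is what separates a client browsing quickly from one deliberately driving the server to its most expensive code paths; in production the same per-client budget is what a rate limiter in front of the application enforces.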
DoS attacks can target specific infrastructure, network applications, and other systems such as industrial
control systems (ICS). In a DoS attack, the threat actor floods the target (e.g. a server hosting a website or
an organization’s network) with traffic. The target is then overloaded by this traffic and cannot respond to
it or the system crashes. When this occurs, a user may receive an error message when trying to access a
website. Threat actors use different methods to carry out DoS attacks:
Flooding attacks: Flooding attacks are the most common attack method. The threat actor repeatedly sends
requests to connect to the target server but does not complete the connections. These incomplete
connections occupy and consume all available server resources. As a result, the server cannot respond to
legitimate traffic and connection attempts.
A distributed DoS (DDoS) attack has the same goal of disrupting and preventing access to services and
information, as a DoS, but it looks a bit different. To carry out a DDoS, a threat actor uses multiple
machines to attack one target. While a DDoS attack can be a coordinated effort between a group of threat
actors, it can also be carried out by one person using a botnet. DDoS increases the attack power but also
makes it harder to identify the true source of the attack.
Eavesdropping attacks can culminate in the loss of business critical data, user privacy disruptions, loss of
client trust, reduced stock prices and investor dissatisfaction. Eavesdroppers may sell stolen data to
third parties or business competitors.
Eavesdropping attacks can result in the loss of critical business information, users' privacy being
intercepted, and lead to wider attacks and identity theft.
With eavesdropping attacks, your passwords, card details and other sensitive data are easily stolen when
they are transferred from one device to another. Eavesdropping attacks are possible when a client and
server connection is weak, when encryption is not used, when applications or devices are not up to date,
or when malware is present and insecure network connections exist. There are different types of
eavesdropping attacks.
Eavesdropping Methods
Pickup devices can take audio from attached microphones and convert it into an electrical format
using mini-amplifiers to reduce background noise.
For sending and receiving messages, a transmission link may be used at both sender and receiver
endpoints.
A telephone conversation may be recorded or taken for pick-up and automatically ends when the call
ends. This is done with the help of listening posts.
Using weak passwords makes it easy for attackers to gain access to user accounts. Through this,
networks can be infiltrated and data can be stolen.
Using current digital computerized phone systems, it is possible to intercept phones electronically
without direct access to the device. For an attack, attackers can send signals down telephone lines and
transmit any conversation taking place in the same room, even if the handset is not active.
Wireless security prevents unauthorized access or damage to computers using wireless networks. The
most common type of wireless security is Wi-Fi security, which protects information sent through a
Wi-Fi network. Several different types of security measures can be used to protect Wi-Fi networks.
Change default passwords. Most network devices, including wireless access points, are pre-configured
with default administrator passwords to simplify setup. These default passwords are easy to obtain
online, and so provide only marginal protection. Changing default passwords makes it harder for
attackers to access a device. Using complex passwords and changing them periodically is your first line
of defense in protecting your device.
Restrict access. Only allow authorized users to access your network. Each piece of hardware connected to
a network has a media access control (MAC) address. You can restrict access to your network by filtering
these MAC addresses. Consult your user documentation for specific information about enabling these
features. You can also utilize the “guest” account, which is a widely used feature on many wireless
routers. This feature allows you to grant wireless access to guests on a separate wireless channel with a
separate password, while maintaining the privacy of your primary credentials.
Encrypting your wireless data prevents anyone who might be able to access your network from viewing
it. There are several encryption protocols available to provide this protection. Wi-Fi Protected Access
(WPA), WPA2, and WPA3 encrypt information being transmitted between wireless routers and wireless
devices. WPA3 is currently the strongest encryption. WPA and WPA2 are still available; however, it is
advisable to use equipment that specifically supports WPA3, as using the other protocols could leave your
network open to exploitation.
Protect your Service Set Identifier (SSID). To prevent outsiders from easily accessing your network,
avoid publicizing your SSID. All Wi-Fi routers allow users to protect their device’s SSID, which makes it
more difficult for attackers to find a network. At the very least, change your SSID to something unique.
Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and
possibly exploit any known vulnerabilities.
Install a firewall. Consider installing a firewall directly on your wireless devices (a host-based firewall),
as well as on your home network (a router- or modem-based firewall). Attackers who can directly tap into
your wireless network may be able to circumvent your network firewall—a host-based firewall will add a
layer of protection to the data on your computer.
Maintain antivirus software. Install antivirus software and keep your virus definitions up to date. Many
antivirus programs also have additional features that detect or protect against spyware and adware.
Use file sharing with caution. File sharing between devices should be disabled when not needed. You
should always choose to only allow file sharing over home or work networks, never on public networks.
You may want to consider creating a dedicated directory for file sharing and restrict access to all other
directories. In addition, you should password protect anything you share. Never open an entire hard drive
for file sharing.
IPSec
IPSec uses two distinct protocols, Authentication Header (AH) and Encapsulating Security Payload
(ESP), which are defined by the IETF.
The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin
authentication, and an optional replay protection service. Data integrity is ensured by using a message
digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication
is ensured by using a shared secret key to create the message digest. Replay protection is provided by
using a sequence number field with the AH header. AH authenticates IP headers and their payloads, with
the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live
(TTL) field.
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin
authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or
both confidentiality and authentication. When ESP provides authentication functions, it uses the same
algorithms as AH, but the coverage is different. AH-style authentication authenticates the entire IP
packet, including the outer IP header, while the ESP authentication mechanism authenticates only the IP
datagram portion of the IP packet.
Either protocol can be used alone to protect an IP packet, or both protocols can be applied together to the
same IP packet. The choice of IPSec protocol is determined by the security needs of your installation, and
is configured by the administrator. It does not have to be applied system-wide, and can be configured
differently for each set of connection endpoints. For a dynamic tunnel, the choice of IPSec protocol is
configured using the IpDataOffer statement in an IP security policy configuration file. For a manual
tunnel, the choice of IPSec protocol is configured using the IpManVpnAction statement in an IP security
policy configuration file.
Security association
A security association is the establishment of shared security attributes between two network entities to
support secure communication. An SA may include attributes such as: cryptographic algorithm and mode;
traffic encryption key; and parameters for the network data to be passed over the connection.
A security association consists of the Destination Address, SPI, Key, Crypto Algorithm and Format,
Authentication Algorithm, and Key Lifetime. The goal of key management is to negotiate and compute
the security associations that protect IP traffic.
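The AH description (integrity via an HMAC, origin authentication via the shared key, replay protection via the sequence number, mutable header fields such as TTL excluded) and the security association attributes just listed fit together in one small model. The code below is an added example written for this document; it is not an IPsec implementation from any vendor or the IETF. It assumes a dictionary standing in for the IP header, HMAC-SHA256 truncated to 96 bits in place of the HMAC-MD5/HMAC-SHA variants the text names, an SA lifetime counted in packets, and the 64-packet sliding anti-replay window that RFC 4302 specifies as the minimum.

```python
import hmac
import struct
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """One SA: the attributes the text lists (destination, SPI, key, algorithm,
    lifetime) plus the anti-replay window state kept by the receiver."""
    dst: str
    spi: int
    key: bytes
    auth_alg: str = "sha256"      # HMAC hash function (text names HMAC-MD5/HMAC-SHA)
    lifetime_packets: int = 1000  # SA expires after this many protected packets
    packets_seen: int = 0
    window_size: int = 64         # RFC 4302 minimum anti-replay window
    last_seq: int = 0             # highest sequence number accepted so far
    window_bits: int = 0          # bit i set => last_seq - i has been received


IMMUTABLE_FIELDS = ("src", "dst", "proto")   # TTL and checksum change in transit


def ah_icv(sa, seq, header, payload):
    """HMAC over immutable header fields || SPI || sequence number || payload,
    truncated to 96 bits as AH does for HMAC-SHA1-96 and HMAC-MD5-96."""
    covered = "|".join(str(header[f]) for f in IMMUTABLE_FIELDS).encode()
    covered += struct.pack("!II", sa.spi, seq) + payload
    return hmac.new(sa.key, covered, sa.auth_alg).digest()[:12]


def ah_protect(sa, header, payload):
    """Sender side: assign the next sequence number and compute the ICV."""
    if sa.packets_seen >= sa.lifetime_packets:
        raise RuntimeError("SA lifetime exhausted; rekey")
    sa.packets_seen += 1
    seq = sa.packets_seen
    return seq, ah_icv(sa, seq, header, payload)


def replay_window_check(sa, seq, update):
    """Sliding-window anti-replay as in RFC 4302 section 3.4.3. With update=False
    only the decision is made; with update=True the window is advanced/marked."""
    if seq == 0:
        return False
    if seq > sa.last_seq:                        # to the right of the window
        if update:
            shift = seq - sa.last_seq
            mask = (1 << sa.window_size) - 1
            sa.window_bits = 1 if shift >= sa.window_size else ((sa.window_bits << shift) | 1) & mask
            sa.last_seq = seq
        return True
    diff = sa.last_seq - seq
    if diff >= sa.window_size or sa.window_bits & (1 << diff):
        return False                             # too old, or already received
    if update:
        sa.window_bits |= 1 << diff
    return True


def ah_receive(sad, header, spi, seq, icv, payload):
    """Receiver side: SA lookup by (destination, SPI), replay pre-check, ICV
    check, then window update. Returns a verdict string."""
    sa = sad.get((header["dst"], spi))
    if sa is None:
        return "no-sa"
    if not replay_window_check(sa, seq, update=False):
        return "replay"
    if not hmac.compare_digest(icv, ah_icv(sa, seq, header, payload)):
        return "bad-icv"
    replay_window_check(sa, seq, update=True)    # only after the ICV verified
    sa.packets_seen += 1
    return "accepted"


def demo():
    """Constructed exchange: genuine packet, replayed copy, tampered packet, next packet."""
    key = b"constructed-demo-key-not-for-real-use"
    sender = SecurityAssociation(dst="192.0.2.20", spi=0x1001, key=key)
    receiver = SecurityAssociation(dst="192.0.2.20", spi=0x1001, key=key)
    sad = {(receiver.dst, receiver.spi): receiver}       # the receiver's SA database
    hdr = {"src": "198.51.100.5", "dst": "192.0.2.20", "proto": 1, "ttl": 64}
    payload = b"ICMP echo request"
    seq1, icv1 = ah_protect(sender, hdr, payload)
    in_transit = dict(hdr, ttl=63)                       # routers decrement TTL; ICV unaffected
    results = [ah_receive(sad, in_transit, 0x1001, seq1, icv1, payload)]
    results.append(ah_receive(sad, in_transit, 0x1001, seq1, icv1, payload))       # replayed copy
    seq2, icv2 = ah_protect(sender, hdr, payload)
    results.append(ah_receive(sad, in_transit, 0x1001, seq2, icv2, b"ICMP echo tampered"))
    results.append(ah_receive(sad, in_transit, 0x1001, seq2, icv2, payload))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry over to real deployments: the window is only updated after the ICV verifies, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window, and the constant-time comparison prevents an attacker from learning the ICV byte by byte from timing differences.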
IPsec datagram
The IP Security Architecture (IPsec) provides cryptographic protection for IP datagrams in IPv4 and IPv6
network packets. The protection can include confidentiality, strong integrity of the data, data
authentication, and partial sequence integrity. Partial sequence integrity is also known as replay
protection.
Key Management in IPsec
Security associations (SAs) require keying material for authentication and for encryption. The managing
of this keying material is called key management. The Internet Key Exchange (IKE) protocol handles key
management automatically. You can also manage keys manually with the ipseckey command.
SAs on IPv4 and IPv6 packets can use either method of key management. Unless you have an overriding
reason to use manual key management, automatic key management is preferred. For example,
interoperating with systems other than Solaris systems might require manual key management.
Ethical hacking involves an authorized attempt to gain unauthorized access to a computer system,
application, or data. Carrying out an ethical hack involves duplicating the strategies and actions of
malicious attackers. External testing involves testing for vulnerabilities as an outsider trying to
get into an organization or system. This type of testing looks for issues with firewalls potentially
being misconfigured, problems with third-party applications, or weaknesses in email servers.