Understanding Types of DDoS Attacks


Table 2-1 describes several varieties of generic DDoS attacks.

Table 2-1. Generic DDoS Attacks

| Name of Attack | Flooding Capability | Short Description |
|---|---|---|
| Land | TCP SYN | Source and destination IP addresses are the same, causing the TCP response to loop. |
| SYN | TCP | Sends large numbers of TCP connection initiation requests to the target. The target system must consume resources to keep track of these partially opened connections. |
| Teardrop | TCP fragments | Sends overlapping IP fragments. |
| Smurf | Internet Control Message Protocol (ICMP) | Sends ICMP ping requests to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast ping request respond to the request and flood the target's network. |
| Ping of death | ICMP | Brings down a system by sending out more than 65536 ICMP packets. |
| Open/close | TCP, UDP | Opens and closes connections at a high rate to any port serviced by an external service through inetd. The number of connections allowed is hard coded inside inetd (Internet super daemon, often used to run other services like FTP). |
| ICMP Unreachable | ICMP | The attacker sends ICMP unreachable packets from a spoofed address to a host. This causes all legitimate TCP connections on the host to the spoofed address to be torn down. The TCP sessions then retry, and as more ICMP unreachables are sent, a denial-of-service (DoS) condition occurs. |
| ICMP redirect | ICMP | Causes data overload to the system being targeted. |
| ICMP Router Discovery Protocol (IRDP) | ICMP | Spoofing IRDP causes fake routing entries to be entered into a Windows machine. IRDP has no authentication. Upon startup, a system running MS Windows 95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed. |
| ARP redirect | ARP | Attacks local subnets. |
| Looping User Datagram Protocol (UDP) ports | UDP | Spoofs two UDP services, chargen (port 19) and echo (port 7), into sending data to each other. |
| Fraggle | UDP | Same as Smurf, but uses UDP rather than ICMP to the broadcast address for amplification. |
| UDP flood | UDP | Sends large numbers of UDP packets to the target system, thus tying up network resources. |
| TCP flood | TCP | Repeatedly establishes and abandons TCP connections, enabling a malicious host to tie up significant resources on a server. |
| UDP reflectors | UDP | All web servers, Domain Name System (DNS) servers, and routers are reflectors, because they will return SYN ACKs or RSTs in response to SYN or other TCP packets; query replies in response to query requests; or ICMP Time Exceeded or Host Unreachable in response to particular IP packets. By spoofing IP addresses from slaves, a massive DDoS attack can be arranged. |
| URL attacks | TCP | Attempts to overload an HTTP server with HTTP bombing (continuous requests for the same homepage or large web page) or by requesting the page with REFRESH to bypass any proxy server. Many of these attacks are not zombie attacks but rather human executed, by hundreds simultaneously. |
| Virtual Private Network (VPN) attacks | TCP | Uses specially crafted Generic Routing Encapsulation (GRE) or IP in IP tunnel (IPIP) packets to attack the destination address of a VPN. |

Source: Cisco Systems, Inc.
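Several of the entries in Table 2-1 can be recognized from packet headers alone, which is how a sensor or firewall log review would spot them. The following is an added example, not code from the book or from Cisco: a small classifier over constructed header records that flags the Land, Smurf, Fraggle and looping-UDP-port signatures, and separately counts bare SYNs per destination as a crude SYN-flood indicator. The protected network 192.0.2.0/24, the record layout and the SYN threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Pkt:
    """Constructed packet-header record (not a real capture)."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags, "S" for a bare SYN
    icmp_type: int = -1  # 8 = ICMP echo request

LOCAL_NET = ip_network("192.0.2.0/24")  # assumed protected network
LOOP_PORTS = {7, 19}                    # echo and chargen

def classify(p: Pkt) -> list[str]:
    """Return the Table 2-1 attack names whose stateless signature the packet matches."""
    hits = []
    # Land: TCP SYN whose source and destination address are identical
    if p.proto == "tcp" and "S" in p.flags and p.src == p.dst:
        hits.append("Land")
    # Smurf / Fraggle: echo traffic aimed at the subnet's directed-broadcast address
    if ip_address(p.dst) == LOCAL_NET.broadcast_address:
        if p.proto == "icmp" and p.icmp_type == 8:
            hits.append("Smurf")
        elif p.proto == "udp" and p.dport in LOOP_PORTS:
            hits.append("Fraggle")
    # Looping UDP ports: chargen/echo talking to chargen/echo
    if p.proto == "udp" and p.sport in LOOP_PORTS and p.dport in LOOP_PORTS:
        hits.append("Looping UDP ports")
    return hits

def scan(pkts, syn_threshold: int = 100) -> Counter:
    """Tally signature matches and raise one 'SYN' alert per destination that
    receives more bare SYNs than syn_threshold (assumed cut-off)."""
    counts, syns = Counter(), Counter()
    for p in pkts:
        counts.update(classify(p))
        if p.proto == "tcp" and p.flags == "S":
            syns[p.dst] += 1
    counts["SYN"] += sum(1 for n in syns.values() if n > syn_threshold)
    return counts

# Constructed sample traffic: one packet per signature, one benign SYN, then a SYN burst
SAMPLE = [
    Pkt("192.0.2.10", "192.0.2.10", "tcp", 1234, 80, "S"),        # Land
    Pkt("198.51.100.5", "192.0.2.255", "icmp", icmp_type=8),      # Smurf
    Pkt("198.51.100.5", "192.0.2.255", "udp", 53, 7),             # Fraggle
    Pkt("192.0.2.20", "192.0.2.21", "udp", 19, 7),                # looping UDP ports
    Pkt("203.0.113.9", "192.0.2.30", "tcp", 4000, 22, "S"),       # benign single SYN
] + [Pkt("203.0.113.9", "192.0.2.30", "tcp", 5000 + i, 80, "S") for i in range(150)]
```

Running `scan(SAMPLE)` yields one hit for each of the four stateless signatures and one SYN alert for 192.0.2.30; the ICMP Unreachable and reflector entries need connection state or volume baselines and are deliberately not covered here.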

Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112