Denial of Service attacks part 2

My previous post on this topic covered the basics of DDoS in terms of what it is and the most commonly thought of attack type.
This post will cover some of the more interesting DDoS attacks that don’t rely just on the brute force approach of massive traffic volume to bring down a service, which attacks are also known as volumetric attacks.

The two categories of DDoS that will be covered in this post are known as RFC / Compliance Attacks and Compute Intensive Attacks.

RFC / Compliance Attacks

These typically work against vulnerabilities in either network protocols or web servers. Some examples of this form of attack are;
– Ping of Death; attacks and ICMP vulnerability
– Teardrop; works against TCP/IP fragmentation vulnerabilities in many implementations of the protocol suite
– Land; Spoof source address to send SYN packets to the host from it’s own IP address
– Apache Killer; TCP based attack against the Apache web server
– HashDoS (hash collision); attack that creates hashing collisions to DDoS various web and application servers

All of the above attacks exploit vulnerabilities in networking or application implementations and do not require a huge volume of traffic to potentially bring down a service.

As more detailed examples;
– Apache Killer; This relies on the fact that the byte range filter in some versions of the Apache web server allowed attackers to cause a DoS of the sever by sending it a header that covers multiple overlapping ranges.
– Hash DoS involves exploiting hash collisions to exhaust CPU resources. This is cause by the ability to force a large number of collisions via a single, multi parameter request.

Compute Intensive Attacks

These are attacks that typically exploit weaknesses in application workflows / process that allow certain interactions to use huge amounts of server resource or take inordinate amounts of time. Some examples of these are;
– HOIC; attacks by sending very Slow Gets, and Slow Posts
– Darkshell; send SYN, attacks HTTP idle timeout congestions
– Simple Slowloris; sends incomplete headers
– RUDY; Slow posts and long form field submissions
– Tor Hammer; sends very slow posts

These work my sending multiple slow or incomplete requests in parallel, this can quickly exhaust the web or application servers ability to service new requests without requiring a huge amount of bandwidth or resource from the attacker.

How have these evolved over the last few years?
– Initially stated with attacks like the original Slowloris that sends a very slow GET requests where the header is send extremely slowly such that it almost never actually completes. This has been very effective against the Apache web server
– Then there was the slow POST, as with the slow GET, this is a POST that is sent so slowly it almost never completes. This one is also affective against various flavours of IIS
– The most recent addition is the slow Read, where a large object is requested, then downloaded extremely slowly

These all enable the attacker to use up very many connections on the web or application server without the need for large bandwidth to be at their disposal.

There has been further tuning of these type of attacks to be specific against applications and databases that use similar techniques to make ‘legal’ requests of the system that lead to large resource requirements on the server. These can be targeted and fine tunes to cause maximum damage.

These types of attack are much more insidious than the volumetric attacks covered in the previous post as they need less resource at the attacker end so can be easier to launch. In addition the compute intensive attacks make use of allowable, normal application behaviour that is manipulated to cause a Dos condition. As such these attacks can be much harder to detect and block; at what point does a connection that is potentially just over a slow connection be identified as an attack?

This is where you have to start looking at advanced application layer defences that are tuned and configured specifically for the applications they are defending. This is another relatively large topic that I’ll likely cover in a later post, as we have now covered off the three usually identified categories of DDoS attack.

K

Advertisements

Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s