SlideShare uma empresa Scribd logo

File000144

Desmond Devendran
Desmond Devendran
Tecnologia
1 de 59
Baixar para ler offline
Module XXXI – Investigating DoS Attacks
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: AlertPay Brought Down by DDOS Attack Source: http://www.mxlogic.com/
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: UN Agency Investigates Curbs on Internet Anonymity Source: http://news.zdnet.co.uk
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • DoS Attack • Indications of a DoS/DDoS Attack • Types of DoS attack • DDoS attack • Working of DDoS attack • Classification of DDoS attack • Detecting DoS attacks Using Cisco NetFlow • Investigating DoS Attack • Challenges in Investigating DoS attack This module will familiarize you with:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Detecting DoS Attacks Using Cisco NetFlow Classification of DDoS Attack DoS Attack Investigating DoS Attack Working of DDoS Attack Indications of a DoS/DDoS Attack Challenges in Investigating DoS Attack DDoS Attack Types of DoS Attack
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DoS Attack DoS attack is a type of network attack intended to make a computer resource unavailable to its legitimate users by flooding or disrupting the network’s traffic The attacker may target a particular server application (HTTP, FTP, ICMP, TCP etc.) or the network as a whole
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Indications of a DoS/DDoS Attack Unusual slowdown of network services Unavailability of a particular web site Dramatic increase in the volume of spam
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Types of DoS Attacks • Ping of Death • Teardrop • SYN flooding • Land • Smurf • fraggle • Snork • OOB Attack • Nuke Attacks • Reflected Attack Major types of DoS attacks are as follows:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Ping of Death Attack Attacker uses an abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly Attacker sends illegal ping requests that is larger than 65,536 bytes to the target computer Hacker Victim Ping of Death Packet – 1,12,000 Bytes Normal Packet – 65,536 Bytes
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Teardrop Attack Attacker sends fragments with invalid overlapping values in the Offset field which causes the target system to crash when it attempts to reassemble the data It targets the systems that run Windows NT 4.0, Win95, and Linux up to 2.0.32 Hacker System Victim System Normal IP packets offset Updated IP packets offset ACK, IP packets Normal ACK, IP packets
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SYN Flooding Attacker sends a sequence of SYN requests to a target's system with spoofed IP addresses It is an attack on a network that prevents a TCP/IP server from giving service to other users Victim SystemHacker System INTERNETTCP SYN Packets TCP SYN ACK packets BACKLOG
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Land A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port Land renders the victim’s network unprotected against packets coming from outside with victim’s own IP addresses Hacker System Victim System INTERNET TCP packets, source host/port = destination host/port
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Smurf Attacker sends the ICMP echo requests to a broadcast network node It is accomplished by sending ping requests to a broadcast address on the target network or intermediate network IP address is spoofed and replaced by the victim’s own address Attacker abuses “bounce-sites” to attack victims Smurf functions like an amplifier, generates hundreds of responses from one request and eventually causes a traffic overload Attacker Amplifier Victim
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Fraggle and Snork Attacks • Attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the IP broadcast address of a large network, which has a fake source address • Fraggle attack affects the management console through the firewall Fraggle: • Snork is an attack against the Windows NT RPC service • It allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time Snork:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited WINDOWS OUT-OF-BAND (OOB) Attack and Buffer Overflow • The "OOB attack" is a denial of service attack that takes advantage of a bug in Microsoft’s implementation of its IP-stack, to crash or make network interface unavailable • Vulnerability on the RPC port 135 can be exploited to launch a denial-of-service attack against an NT system OOB Attack: • Buffer overflow occurs any time the program writes more information into the buffer than the space allocated in the memory • The attacker can overwrite the data that controls the program’s execution path and hijacks the control of the program to execute the attacker’s code instead of the process code • Sending email messages that have attachments with 256-character file names can cause buffer overflow Buffer Overflow Attack:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Nuke and Reflected Attacks • Nuke attacks are also called nuking • Attacker repeatedly sends the fragmented or invalid ICMP packets to the target computer using a ping utility that slows down the computer network Nuke Attack: • Reflected attack involves sending false request to a large number of computers • The attacking machines send out huge volumes of SYN request packets but with the source IP address pointing to the target machine • Requested computers reply to that IP address of target’s system which results in flooding Reflected Attack:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DDoS Attack Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system In a DDoS attack, attackers first infect multiple systems called zombies, which are then used to attack a particular target
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Working of DDoS Attacks Attacker infects handler systems Handler systems then infect numerous systems (zombies) Zombies then attack the target system together Attacked
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Classification of DDoS Attack • Manual attacks • Semi-automatic attacks • Attack by direct communication • Attack by indirect communication • Automatic attacks • Attacks using random scanning • Attacks using hit list scanning • Attacks using topology scanning • Attacks using Permutation Scanning • Attacks using Local Subnet Scanning The Degree of Automation • Attacks using Central Source Propagation • Attacks using Back-chaining Propagation • Attacks using Autonomous Propagation Propagation mechanism DDoS attacks can be classified according to:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Classification of DDoS Attack (cont’d) • Protocol Attacks • Brute-force Attacks • Filterable Attacks • Non-filterable Attacks Exploited Vulnerability • Continuous Rate Attacks • Variable Rate Attacks • Increasing Rate Attacks • Fluctuating Rate Attacks Attack Rate Dynamics • Disruptive Attacks • Degrading Attacks Impact
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DDoS Attack Taxonomy DDoS Attacks Bandwidth Depletion Resource Depletion Flood Attack Amplification Attack Protocol Exploit Attack Malformed Packet Attack UDP ICMP Smurf Fraggle TCP SYN Attack PUSH+ACK Attack TCP
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DoS Attack Modes • Consumption of scarce, limited, or non-renewable resources • Destruction or alteration of configuration information • Physical destruction or alteration of network components There are three basic modes of DoS attacks:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack • Activity profiling • Sequential Change-Point detection • Wavelet-based signal analysis Three basic techniques to detect Denial-0f-Service attack are:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Activity Profiling Activity profiling is the process of calculating the average packet rate for a network flow, which consists of consecutive packets with similar packet fields Time interval between the consecutive matching packets determines the flow’s average packet rate or activity level Packets with similar characteristics can be clustered together for easy monitoring • Increase in average packet flow rate • Increase in the overall number of distinct clusters Traffic activities that indicate a DoS attack:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Sequential Change-Point Detection Sequential Change-Point detection algorithms isolate a traffic statistic’s change caused by attacks In this technique, the target traffic data is filtered by address, port, or protocol and the resultant flow data is stored as a time series Statistical change in resultant data at a particular time indicates DoS attack that had occurred around that time
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Wavelet-based Signal Analysis Wavelet analysis describes an input signal in terms of spectral components Wavelets analysis provides the concurrent time and frequency description, and determines the time at which certain frequency components are present Any anomaly in frequency of data packets at a particular time indicates a DoS attack
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Monitoring CPU Utilization to Detect DoS Attacks Monitor the router's CPU utilization Collect statistical information of a router including CPU utilization and the bandwidth’s utilization on each of its connections Check whether the router is reloading periodically; it indicates an attack
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Detecting DoS Attacks Using Cisco NetFlow NetFlow is the built-in service in Cisco routers that monitors and exports data for sampled IP traffic flows When NetFlow identifies a new flow, an entry is added to the NetFlow cache; this entry then is used to switch packets and to perform ACL checking • Source and destination IP address • Source and destination TCP/UDP ports • Port utilization numbers • Packet counts and bytes per packet NetFlow sampling includes:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Detecting DoS Attacks Using Network Intrusion Detection System (NIDS) NIDS is an intrusion detection system that can be used to detect malicious activity by monitoring the network’s traffic It scans system files to check if any illegal action is performed and also maintains the file’s integrity • Host machine monitors its own traffic • Independent machine monitors all the network traffic passing through hub, router, and other network devices It may run on both the host machines in the network and independent machine:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Investigating DoS Attacks DoS attacks can be investigated by looking for specific characteristics within the attacking traffic Packet tracebacking in the network helps the investigator to find the source of attack Packet tracebacking includes reconfiguration of routers and the examination of log information DNS logs are also helpful for investigation
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited ICMP Traceback ICMP traceback messages are used to find the source of an attack • Router’s next and earlier hop address • Timestamp • Role of the traced packet • Authentication information ICMP traceback message includes: Traceback mechanism allows the victim to find out an attacking agent on traced packets It maintains logs of the DDoS attack information to do a forensic analysis and assists in enforcing law if the attacker does severe financial damage This mechanism is based on the number of attacking agents
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hop-by-Hop IP Traceback Hop-by-hop IP traceback helps in tracing large and continuous packet flows that are generated by DoS packet flooding attack To investigate the source of the attack, it is necessary to report such attacks to the victim’s ISP Hop-by-hop IP traceback process: The administrator then moves on to the upstream router ISP administrator uses diagnostic and debugging or logging features of the router to find out the nature of the traffic and the input link, which serves as a path for an attack ISP administrator identifies the ISP’s router that is closest to the victim’s machine
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hop-by Hop IP Traceback (cont’d) It can be considered to be the baseline from which all proposed improvements in tracking and tracing are judged Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic must be notified and asked to continue the hop-by-hop trace The administrator repeats the diagnostic procedure on this upstream router, and continues to trace backwards, hop-by-hop, until the source of the attack is found inside the ISP’s administrative domain of control (such as the IP address of a customer of the ISP) or, more likely, until the entry point of the attack into the ISP’s network is identified
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Limitations of Hop-by Hop IP Traceback Traceback to the origin of an attack fails if cooperation is not provided at every hop This method fails if a router along the way lacks sufficient diagnostic capabilities or resources It also fails if the attack stops before the trace is complete It is labor-intensive, technical process, and since attack packets often cross administrative, jurisdictional, and national boundaries, it is difficult to obtain cooperation
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Backscatter Traceback Backscatter traceback is a technique for tracing a flood of packets that are targeting the victim of a DDoS attack It relies on the standard characteristics of the existing Internet routing protocols, and although some special router configurations are used, there is no custom modification of protocols or equipment that is outside of Internet standards It uses large number of invalid source address that are characteristic of contemporary DDoS attacks The destination address field of each attack packet contains the IP address of the victim
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited How the Backscatter Traceback Works • The attack is reported to an ISP • The ISP uses a standard routing control protocol to quickly configure all of its routers to reject (i.e., filter) packets that are targeted to the victim • Rejected packets are “returned to sender” • The ISP configures all of its routers to blackhole (that is, route for capture) many of the ICMP error packets (i.e., the “backscatter”) with illegitimate destination IP addresses • Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP’s network • The ISP removes the filter blocking the victim’s IP address from all routers except those serving as the entry points for the DDoS attack • The ISP asks neighbouring ISPs, upstream of the attack, to continue the trace • The neighboring ISP(s) can continue to trace the attack closer to its ultimate source Working of backscatter traceback:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hash-Based IP Traceback or Single- Packet IP Traceback (cont’d) Hash-Based IP Traceback can be used to track a single packet to its sourc This method relies on storing highly compact representations of each packet known as “packet digests” rather than the full packets themselves “Packet digests” are created using mathematical functions called hash functions Transformation information corresponding to the packet digests is stored in a transformation lookup table, which provides the information needed to track packets despite common transformations The transformation information is retained by the router for the same amount of time as the packet digests Hash-based IP traceback is accomplished using a system known as a Source Path Isolation Engine (SPIE)
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited IP Traceback with IPSec IPSec is a protocol suite for securing network connections IP traceback with IPSec tunnels is a part of DecIdUous (Decentralized source identification for network based intrusion) framework Traceback is done by locating the IPSec tunnels between an arbitrary router and the victim If the attack packets get authenticated by the security association (SA), the attack originates at a point further behind the router, or the attacker lies in the path between this router and the victim This process is iterated until an SA tunnels is established between the intermediate router and the victim
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited CenterTrack Method CenterTrack method is used to improve the traceability of the large packet flows associated with DoS flood attacks In this method, first an overlay network has been created using IP tunnels to connect the edge routers in an ISP’s network to special-purpose tracking routers that are optimized for analysis and tracking An overlay network is a supplemental or auxiliary network that is created when a collection of nodes from an existing network are joined together using new physical or logical connections to form a new physical or logical network on top of the existing one The overlay network is also designed to further simplify hop-by-hop tracing by having only a small number of hops between edge routers
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited CenterTrack Method (cont’d) The ISP diverts the flow of attack packets (destined for a victim’s machine) from the existing ISP network onto the overlay tracking network containing the special-purpose tracking routers The attack packets can now be easily traced back, hop-by-hop, through the overlay network, from the edge router closest to the victim, back to the entry point of the packet flood into the ISP’s network
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Packet Marking Marking classified packets in order to identify the DoS attack traffic In the packet’s IP header, IP precedence field can be used to specify the importance with which a particular packet should be involved • Deterministic packet marking, router shows all the packets • Probabilistic packet marking (PPM) will divide the path’s information into small packets Types of packet marking:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Probabilistic Packet Marking (PPM) In packet marking scheme, tracking information is placed into rarely used header fields inside the IP packets themselves The tracking information is collected and correlated at the destination of the packets, for a sufficiently large packet flow there will be enough tracking (path) information embedded in the packets to successfully complete the trace This method adds authentication controls to the embedded encodings of tracking information, which prevents tampering and spoofing of tracking information
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Check Domain Name System (DNS) Logs The attacker uses DNS to determine the actual IP address of the target machine before launching the attack If attacker uses tools, then time of DNS query and attack may be close, which helps to identify the attacker’s DNS resolver by looking at DNS queries around the time of the start of the attack Check and compare the DNS logs of different systems which are attacked Use Sawmill DNS log analyzer to view the DNS log files
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tracing with "log-input" Check the log entries in an access list of the router “log-input” helps in identifying router‘s interface that accepts network traffic If the interface is a multipoint connection, give the Layer 2 address of the device from which it is received Use this Layer 2 address to identify the next router in the chain, using the commands such as show ip arp mac-address for Cisco router Continue this process until the source of the traffic is found
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Control Channel Detection Large volume of control channel traffic indicates that the actual attacker or coordinator of the attack is close to the detector The channel control function provides facilities to define, monitor, and control channels • To determine particular control channel packets within a specific time period • To provide a clear way into the network and geographic location of the attacker Use threshold-based detector:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Correlation and Integration Attack detector tool can find the location of the attacker by integrating with other packet spoofing tools • To determine the source of the control channel for particular flood • To understand spoofed signals from hop to hop or from attack server to target Collect the data from control channel detectors and flood detectors:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Path Identification (Pi) Method Pi traces path of each packet and filters the packet which contains the attack path It can trace DoS attack packets using filtering techniques and analyzing their path • Which part of the router’s IP address to mark • Where to write IP address in each packet’s ID field • How to neglect the unnecessary nodes in the path • How to differentiate the paths It considers four factors to mark a path between the attackers and the victim:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Packet Traffic Monitoring Tools Source of the attack can be found out by monitoring the network’s traffic • Ethereal • Dude Sniffer • Tcpdump • EffeTech • SmartSniff • EtherApe • Maa Tec Network Analyzer Following are some of the traffic monitoring tools:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools for Locating IP Address • Traceroute • NeoTrace • Whois • Whois Lookup • SmartWhois • CountryWhois • WhereIsIP Tools: After getting the IP address of the attacker’s system, use the following IP address locating tools to gives details about the attacker
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Challenges in Investigating DoS Attacks Attackers know that they can be traced, so they attack for a limited time Attacks come from multiple sources Anonymizers protect privacy by impeding tracking Attackers may destroy logs and other audit data Communication problems slow down the tracing process There is no mechanism for performing malicious traffic discrimination False positives, missed detections, and detection delays There are some legal issues which make the investigation process difficult
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Nmap Nmap is an open source utility for network exploration or security auditing Uses raw IP packets to determine the available hosts on the network, services they offer, etc. •C:CMDTNmap>nmap [Scan Type(s)] [Options] <host or net list> Syntax:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Friendly Pinger Friendly Pinger is a tool for network administration, monitoring, and inventory purpose It notifies when any server wakes up or goes down Audit software and hardware components installed on the computers over the network It tracks user access and files opened on your computer via the network
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: IPHost Network Monitor • SNMP (on UNIX/Linux/Mac) • WMI (on Windows) • HTTP/HTTPS • FTP • SMTP • POP3 • IMAP • ODBC • PING IPHost Network Monitor allows availability and performance monitoring of mail, db and other servers, web sites and applications, various network resources and equipment using:
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Screenshot
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Network Monitoring Tools Tail4Win is a Windows port of the UNIX 'tail -f' command which can monitor log files of server applications in real time Status2k provides server information for current and future clients in an easy to read format, with live load, uptime and memory usage
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Network Monitoring Tools (cont’d) DoSHTTP is a powerful HTTP Flood Denial of Service testing software for Windows that includes URL verification, HTTP Redirection, and performance monitoring Admin’s Server Monitor is a tool to monitor server disk traffic loaded over network that shows accumlated byte counts read from server's disks by client PCs over network
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary “DoS attack is a type of network attack intended to make a computer resource unavailable to its intended users by flooding of network or disruption of connections” If an attacker is unable to gain access to a machine, the attacker will most likely crash the machine to accomplish a denial of service attack Attacker uses a abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system Three basic techniques used to detect Denial-0f-Service attack are Activity profiling, Sequential Change-Point detection, and Wavelet-based signal analysis
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Recomendados

File000142
File000142File000142
File000142Desmond Devendran
 
File000141
File000141File000141
File000141Desmond Devendran
 
File000140
File000140File000140
File000140Desmond Devendran
 
File000139
File000139File000139
File000139Desmond Devendran
 
File000149
File000149File000149
File000149Desmond Devendran
 
Ce hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersCe hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersVi Tính Hoàng Nam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffersVi Tính Hoàng Nam
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 

Recomendados

File000142
File000142File000142
File000142Desmond Devendran
 
File000141
File000141File000141
File000141Desmond Devendran
 
File000140
File000140File000140
File000140Desmond Devendran
 
File000139
File000139File000139
File000139Desmond Devendran
 
File000149
File000149File000149
File000149Desmond Devendran
 
Ce hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersCe hv6 module 48 corporate espionage by insiders
Ce hv6 module 48 corporate espionage by insidersVi Tính Hoàng Nam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffersVi Tính Hoàng Nam
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 
File000150
File000150File000150
File000150Desmond Devendran
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersMina Fawzy
 
Ce hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atomCe hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atomVi Tính Hoàng Nam
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksVi Tính Hoàng Nam
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesVi Tính Hoàng Nam
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Ceh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceCeh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceVi Tính Hoàng Nam
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotVi Tính Hoàng Nam
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetVi Tính Hoàng Nam
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumerationVi Tính Hoàng Nam
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezVi Tính Hoàng Nam
 
File000146
File000146File000146
File000146Desmond Devendran
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingVi Tính Hoàng Nam
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical securityVi Tính Hoàng Nam
 
Ce hv6 module 62 case studies
Ce hv6 module 62 case studiesCe hv6 module 62 case studies
Ce hv6 module 62 case studiesVi Tính Hoàng Nam
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanningVi Tính Hoàng Nam
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingVi Tính Hoàng Nam
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingVi Tính Hoàng Nam
 
Ceh v5 module 21 cryptography
Ceh v5 module 21 cryptographyCeh v5 module 21 cryptography
Ceh v5 module 21 cryptographyVi Tính Hoàng Nam
 
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/... Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...Suhail Khan
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!PriyadharshiniHemaku
 

Mais conteúdo relacionado

Mais procurados

Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersMina Fawzy
 
Ce hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atomCe hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atomVi Tính Hoàng Nam
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksVi Tính Hoàng Nam
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesVi Tính Hoàng Nam
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Ceh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceCeh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceVi Tính Hoàng Nam
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotVi Tính Hoàng Nam
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetVi Tính Hoàng Nam
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezVi Tính Hoàng Nam
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical securityVi Tính Hoàng Nam
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingVi Tính Hoàng Nam
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingVi Tính Hoàng Nam
 

Mais procurados (20)

File000150
File000150File000150
File000150
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
 
Ce hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atomCe hv6 module 52 hacking rss and atom
Ce hv6 module 52 hacking rss and atom
 
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networksCeh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
Ceh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceCeh v5 module 08 denial of service
Ceh v5 module 08 denial of service
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internet
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
 
File000146
File000146File000146
File000146
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical security
 
Ce hv6 module 62 case studies
Ce hv6 module 62 case studiesCe hv6 module 62 case studies
Ce hv6 module 62 case studies
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
 
Ceh v5 module 21 cryptography
Ceh v5 module 21 cryptographyCeh v5 module 21 cryptography
Ceh v5 module 21 cryptography
 

Semelhante a File000144

Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/... Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...Suhail Khan
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!PriyadharshiniHemaku
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designperfetbyedshareen
 
Assingement on dos ddos
Assingement on dos ddosAssingement on dos ddos
Assingement on dos ddoskalyan kumar
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the ArtBiagio Botticelli
 
Denial Of Service
Denial Of ServiceDenial Of Service
Denial Of ServiceMr Cracker
 
Lecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxLecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxAsmaaLafi1
 
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securityCe hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securitydefquon
 

Semelhante a File000144 (20)

Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/... Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
Distributed denial-of-service (DDoS) attack || Seminar Report @ gestyy.com/...
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive design
 
Denial of service
Denial of serviceDenial of service
Denial of service
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
 
Assingement on dos ddos
Assingement on dos ddosAssingement on dos ddos
Assingement on dos ddos
 
Module 9 Dos
Module 9 DosModule 9 Dos
Module 9 Dos
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
IoT Honeypots: State of the Art
IoT Honeypots: State of the ArtIoT Honeypots: State of the Art
IoT Honeypots: State of the Art
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
DDOS (1).ppt
DDOS (1).pptDDOS (1).ppt
DDOS (1).ppt
 
DoS.ppt
DoS.pptDoS.ppt
DoS.ppt
 
DoS.ppt
DoS.pptDoS.ppt
DoS.ppt
 
DoS.ppt
DoS.pptDoS.ppt
DoS.ppt
 
Denial Of Service
Denial Of ServiceDenial Of Service
Denial Of Service
 
Lecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptxLecture 7 Attacker and there tools.pptx
Lecture 7 Attacker and there tools.pptx
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securityCe hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional security
 

Mais de Desmond Devendran

Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guidesDesmond Devendran
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeDesmond Devendran
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentialsDesmond Devendran
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management Desmond Devendran
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDesmond Devendran
 

Mais de Desmond Devendran (20)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000173
File000173File000173
File000173
 
File000172
File000172File000172
File000172
 
File000171
File000171File000171
File000171
 
File000170
File000170File000170
File000170
 
File000169
File000169File000169
File000169
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 

Último

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Último (20)

Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

File000144

  • 1. Module XXXI – Investigating DoS Attacks
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: AlertPay Brought Down by DDOS Attack Source: http://www.mxlogic.com/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: UN Agency Investigates Curbs on Internet Anonymity Source: http://news.zdnet.co.uk
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • DoS Attack • Indications of a DoS/DDoS Attack • Types of DoS attack • DDoS attack • Working of DDoS attack • Classification of DDoS attack • Detecting DoS attacks Using Cisco NetFlow • Investigating DoS Attack • Challenges in Investigating DoS attack This module will familiarize you with:
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Detecting DoS Attacks Using Cisco NetFlow Classification of DDoS Attack DoS Attack Investigating DoS Attack Working of DDoS Attack Indications of a DoS/DDoS Attack Challenges in Investigating DoS Attack DDoS Attack Types of DoS Attack
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DoS Attack DoS attack is a type of network attack intended to make a computer resource unavailable to its legitimate users by flooding or disrupting the network’s traffic The attacker may target a particular server application (HTTP, FTP, ICMP, TCP etc.) or the network as a whole
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Indications of a DoS/DDoS Attack Unusual slowdown of network services Unavailability of a particular web site Dramatic increase in the volume of spam
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Types of DoS Attacks • Ping of Death • Teardrop • SYN flooding • Land • Smurf • fraggle • Snork • OOB Attack • Nuke Attacks • Reflected Attack Major types of DoS attacks are as follows:
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Ping of Death Attack Attacker uses an abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly Attacker sends illegal ping requests that is larger than 65,536 bytes to the target computer Hacker Victim Ping of Death Packet – 1,12,000 Bytes Normal Packet – 65,536 Bytes
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Teardrop Attack Attacker sends fragments with invalid overlapping values in the Offset field which causes the target system to crash when it attempts to reassemble the data It targets the systems that run Windows NT 4.0, Win95, and Linux up to 2.0.32 Hacker System Victim System Normal IP packets offset Updated IP packets offset ACK, IP packets Normal ACK, IP packets
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SYN Flooding Attacker sends a sequence of SYN requests to a target's system with spoofed IP addresses It is an attack on a network that prevents a TCP/IP server from giving service to other users Victim SystemHacker System INTERNETTCP SYN Packets TCP SYN ACK packets BACKLOG
  • 12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Land A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port Land renders the victim’s network unprotected against packets coming from outside with victim’s own IP addresses Hacker System Victim System INTERNET TCP packets, source host/port = destination host/port
  • 13. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Smurf Attacker sends the ICMP echo requests to a broadcast network node It is accomplished by sending ping requests to a broadcast address on the target network or intermediate network IP address is spoofed and replaced by the victim’s own address Attacker abuses “bounce-sites” to attack victims Smurf functions like an amplifier, generates hundreds of responses from one request and eventually causes a traffic overload Attacker Amplifier Victim
  • 14. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Fraggle and Snork Attacks • Attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the IP broadcast address of a large network, which has a fake source address • Fraggle attack affects the management console through the firewall Fraggle: • Snork is an attack against the Windows NT RPC service • It allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time Snork:
  • 15. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited WINDOWS OUT-OF-BAND (OOB) Attack and Buffer Overflow • The "OOB attack" is a denial of service attack that takes advantage of a bug in Microsoft’s implementation of its IP-stack, to crash or make network interface unavailable • Vulnerability on the RPC port 135 can be exploited to launch a denial-of-service attack against an NT system OOB Attack: • Buffer overflow occurs any time the program writes more information into the buffer than the space allocated in the memory • The attacker can overwrite the data that controls the program’s execution path and hijacks the control of the program to execute the attacker’s code instead of the process code • Sending email messages that have attachments with 256-character file names can cause buffer overflow Buffer Overflow Attack:
  • 16. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Nuke and Reflected Attacks • Nuke attacks are also called nuking • Attacker repeatedly sends the fragmented or invalid ICMP packets to the target computer using a ping utility that slows down the computer network Nuke Attack: • Reflected attack involves sending false request to a large number of computers • The attacking machines send out huge volumes of SYN request packets but with the source IP address pointing to the target machine • Requested computers reply to that IP address of target’s system which results in flooding Reflected Attack:
  • 17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DDoS Attack Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system In a DDoS attack, attackers first infect multiple systems called zombies, which are then used to attack a particular target
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Working of DDoS Attacks Attacker infects handler systems Handler systems then infect numerous systems (zombies) Zombies then attack the target system together Attacked
  • 19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Classification of DDoS Attack • Manual attacks • Semi-automatic attacks • Attack by direct communication • Attack by indirect communication • Automatic attacks • Attacks using random scanning • Attacks using hit list scanning • Attacks using topology scanning • Attacks using Permutation Scanning • Attacks using Local Subnet Scanning The Degree of Automation • Attacks using Central Source Propagation • Attacks using Back-chaining Propagation • Attacks using Autonomous Propagation Propagation mechanism DDoS attacks can be classified according to:
  • 20. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Classification of DDoS Attack (cont’d) • Protocol Attacks • Brute-force Attacks • Filterable Attacks • Non-filterable Attacks Exploited Vulnerability • Continuous Rate Attacks • Variable Rate Attacks • Increasing Rate Attacks • Fluctuating Rate Attacks Attack Rate Dynamics • Disruptive Attacks • Degrading Attacks Impact
  • 21. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DDoS Attack Taxonomy DDoS Attacks Bandwidth Depletion Resource Depletion Flood Attack Amplification Attack Protocol Exploit Attack Malformed Packet Attack UDP ICMP Smurf Fraggle TCP SYN Attack PUSH+ACK Attack TCP
  • 22. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited DoS Attack Modes • Consumption of scarce, limited, or non-renewable resources • Destruction or alteration of configuration information • Physical destruction or alteration of network components There are three basic modes of DoS attacks:
  • 23. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack • Activity profiling • Sequential Change-Point detection • Wavelet-based signal analysis Three basic techniques to detect Denial-0f-Service attack are:
  • 24. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Activity Profiling Activity profiling is the process of calculating the average packet rate for a network flow, which consists of consecutive packets with similar packet fields Time interval between the consecutive matching packets determines the flow’s average packet rate or activity level Packets with similar characteristics can be clustered together for easy monitoring • Increase in average packet flow rate • Increase in the overall number of distinct clusters Traffic activities that indicate a DoS attack:
  • 25. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Sequential Change-Point Detection Sequential Change-Point detection algorithms isolate a traffic statistic’s change caused by attacks In this technique, the target traffic data is filtered by address, port, or protocol and the resultant flow data is stored as a time series Statistical change in resultant data at a particular time indicates DoS attack that had occurred around that time
  • 26. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Techniques to Detect DoS Attack: Wavelet-based Signal Analysis Wavelet analysis describes an input signal in terms of spectral components Wavelets analysis provides the concurrent time and frequency description, and determines the time at which certain frequency components are present Any anomaly in frequency of data packets at a particular time indicates a DoS attack
  • 27. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Monitoring CPU Utilization to Detect DoS Attacks Monitor the router's CPU utilization Collect statistical information of a router including CPU utilization and the bandwidth’s utilization on each of its connections Check whether the router is reloading periodically; it indicates an attack
  • 28. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Detecting DoS Attacks Using Cisco NetFlow NetFlow is the built-in service in Cisco routers that monitors and exports data for sampled IP traffic flows When NetFlow identifies a new flow, an entry is added to the NetFlow cache; this entry then is used to switch packets and to perform ACL checking • Source and destination IP address • Source and destination TCP/UDP ports • Port utilization numbers • Packet counts and bytes per packet NetFlow sampling includes:
  • 29. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Detecting DoS Attacks Using Network Intrusion Detection System (NIDS) NIDS is an intrusion detection system that can be used to detect malicious activity by monitoring the network’s traffic It scans system files to check if any illegal action is performed and also maintains the file’s integrity • Host machine monitors its own traffic • Independent machine monitors all the network traffic passing through hub, router, and other network devices It may run on both the host machines in the network and independent machine:
  • 30. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Investigating DoS Attacks DoS attacks can be investigated by looking for specific characteristics within the attacking traffic Packet tracebacking in the network helps the investigator to find the source of attack Packet tracebacking includes reconfiguration of routers and the examination of log information DNS logs are also helpful for investigation
  • 31. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited ICMP Traceback ICMP traceback messages are used to find the source of an attack • Router’s next and earlier hop address • Timestamp • Role of the traced packet • Authentication information ICMP traceback message includes: Traceback mechanism allows the victim to find out an attacking agent on traced packets It maintains logs of the DDoS attack information to do a forensic analysis and assists in enforcing law if the attacker does severe financial damage This mechanism is based on the number of attacking agents
  • 32. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hop-by-Hop IP Traceback Hop-by-hop IP traceback helps in tracing large and continuous packet flows that are generated by DoS packet flooding attack To investigate the source of the attack, it is necessary to report such attacks to the victim’s ISP Hop-by-hop IP traceback process: The administrator then moves on to the upstream router ISP administrator uses diagnostic and debugging or logging features of the router to find out the nature of the traffic and the input link, which serves as a path for an attack ISP administrator identifies the ISP’s router that is closest to the victim’s machine
  • 33. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hop-by Hop IP Traceback (cont’d) It can be considered to be the baseline from which all proposed improvements in tracking and tracing are judged Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic must be notified and asked to continue the hop-by-hop trace The administrator repeats the diagnostic procedure on this upstream router, and continues to trace backwards, hop-by-hop, until the source of the attack is found inside the ISP’s administrative domain of control (such as the IP address of a customer of the ISP) or, more likely, until the entry point of the attack into the ISP’s network is identified
  • 34. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Limitations of Hop-by Hop IP Traceback Traceback to the origin of an attack fails if cooperation is not provided at every hop This method fails if a router along the way lacks sufficient diagnostic capabilities or resources It also fails if the attack stops before the trace is complete It is labor-intensive, technical process, and since attack packets often cross administrative, jurisdictional, and national boundaries, it is difficult to obtain cooperation
  • 35. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Backscatter Traceback Backscatter traceback is a technique for tracing a flood of packets that are targeting the victim of a DDoS attack It relies on the standard characteristics of the existing Internet routing protocols, and although some special router configurations are used, there is no custom modification of protocols or equipment that is outside of Internet standards It uses large number of invalid source address that are characteristic of contemporary DDoS attacks The destination address field of each attack packet contains the IP address of the victim
  • 36. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited How the Backscatter Traceback Works • The attack is reported to an ISP • The ISP uses a standard routing control protocol to quickly configure all of its routers to reject (i.e., filter) packets that are targeted to the victim • Rejected packets are “returned to sender” • The ISP configures all of its routers to blackhole (that is, route for capture) many of the ICMP error packets (i.e., the “backscatter”) with illegitimate destination IP addresses • Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP’s network • The ISP removes the filter blocking the victim’s IP address from all routers except those serving as the entry points for the DDoS attack • The ISP asks neighbouring ISPs, upstream of the attack, to continue the trace • The neighboring ISP(s) can continue to trace the attack closer to its ultimate source Working of backscatter traceback:
  • 37. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hash-Based IP Traceback or Single- Packet IP Traceback (cont’d) Hash-Based IP Traceback can be used to track a single packet to its sourc This method relies on storing highly compact representations of each packet known as “packet digests” rather than the full packets themselves “Packet digests” are created using mathematical functions called hash functions Transformation information corresponding to the packet digests is stored in a transformation lookup table, which provides the information needed to track packets despite common transformations The transformation information is retained by the router for the same amount of time as the packet digests Hash-based IP traceback is accomplished using a system known as a Source Path Isolation Engine (SPIE)
  • 38. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited IP Traceback with IPSec IPSec is a protocol suite for securing network connections IP traceback with IPSec tunnels is a part of DecIdUous (Decentralized source identification for network based intrusion) framework Traceback is done by locating the IPSec tunnels between an arbitrary router and the victim If the attack packets get authenticated by the security association (SA), the attack originates at a point further behind the router, or the attacker lies in the path between this router and the victim This process is iterated until an SA tunnels is established between the intermediate router and the victim
  • 39. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited CenterTrack Method CenterTrack method is used to improve the traceability of the large packet flows associated with DoS flood attacks In this method, first an overlay network has been created using IP tunnels to connect the edge routers in an ISP’s network to special-purpose tracking routers that are optimized for analysis and tracking An overlay network is a supplemental or auxiliary network that is created when a collection of nodes from an existing network are joined together using new physical or logical connections to form a new physical or logical network on top of the existing one The overlay network is also designed to further simplify hop-by-hop tracing by having only a small number of hops between edge routers
  • 40. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited CenterTrack Method (cont’d) The ISP diverts the flow of attack packets (destined for a victim’s machine) from the existing ISP network onto the overlay tracking network containing the special-purpose tracking routers The attack packets can now be easily traced back, hop-by-hop, through the overlay network, from the edge router closest to the victim, back to the entry point of the packet flood into the ISP’s network
  • 41. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Packet Marking Marking classified packets in order to identify the DoS attack traffic In the packet’s IP header, IP precedence field can be used to specify the importance with which a particular packet should be involved • Deterministic packet marking, router shows all the packets • Probabilistic packet marking (PPM) will divide the path’s information into small packets Types of packet marking:
  • 42. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Probabilistic Packet Marking (PPM) In packet marking scheme, tracking information is placed into rarely used header fields inside the IP packets themselves The tracking information is collected and correlated at the destination of the packets, for a sufficiently large packet flow there will be enough tracking (path) information embedded in the packets to successfully complete the trace This method adds authentication controls to the embedded encodings of tracking information, which prevents tampering and spoofing of tracking information
  • 43. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Check Domain Name System (DNS) Logs The attacker uses DNS to determine the actual IP address of the target machine before launching the attack If attacker uses tools, then time of DNS query and attack may be close, which helps to identify the attacker’s DNS resolver by looking at DNS queries around the time of the start of the attack Check and compare the DNS logs of different systems which are attacked Use Sawmill DNS log analyzer to view the DNS log files
  • 44. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tracing with "log-input" Check the log entries in an access list of the router “log-input” helps in identifying router‘s interface that accepts network traffic If the interface is a multipoint connection, give the Layer 2 address of the device from which it is received Use this Layer 2 address to identify the next router in the chain, using the commands such as show ip arp mac-address for Cisco router Continue this process until the source of the traffic is found
  • 45. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Control Channel Detection Large volume of control channel traffic indicates that the actual attacker or coordinator of the attack is close to the detector The channel control function provides facilities to define, monitor, and control channels • To determine particular control channel packets within a specific time period • To provide a clear way into the network and geographic location of the attacker Use threshold-based detector:
  • 46. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Correlation and Integration Attack detector tool can find the location of the attacker by integrating with other packet spoofing tools • To determine the source of the control channel for particular flood • To understand spoofed signals from hop to hop or from attack server to target Collect the data from control channel detectors and flood detectors:
  • 47. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Path Identification (Pi) Method Pi traces path of each packet and filters the packet which contains the attack path It can trace DoS attack packets using filtering techniques and analyzing their path • Which part of the router’s IP address to mark • Where to write IP address in each packet’s ID field • How to neglect the unnecessary nodes in the path • How to differentiate the paths It considers four factors to mark a path between the attackers and the victim:
  • 48. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Packet Traffic Monitoring Tools Source of the attack can be found out by monitoring the network’s traffic • Ethereal • Dude Sniffer • Tcpdump • EffeTech • SmartSniff • EtherApe • Maa Tec Network Analyzer Following are some of the traffic monitoring tools:
  • 49. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools for Locating IP Address • Traceroute • NeoTrace • Whois • Whois Lookup • SmartWhois • CountryWhois • WhereIsIP Tools: After getting the IP address of the attacker’s system, use the following IP address locating tools to gives details about the attacker
  • 50. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Challenges in Investigating DoS Attacks Attackers know that they can be traced, so they attack for a limited time Attacks come from multiple sources Anonymizers protect privacy by impeding tracking Attackers may destroy logs and other audit data Communication problems slow down the tracing process There is no mechanism for performing malicious traffic discrimination False positives, missed detections, and detection delays There are some legal issues which make the investigation process difficult
  • 51. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Nmap Nmap is an open source utility for network exploration or security auditing Uses raw IP packets to determine the available hosts on the network, services they offer, etc. •C:CMDTNmap>nmap [Scan Type(s)] [Options] <host or net list> Syntax:
  • 52. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Friendly Pinger Friendly Pinger is a tool for network administration, monitoring, and inventory purpose It notifies when any server wakes up or goes down Audit software and hardware components installed on the computers over the network It tracks user access and files opened on your computer via the network
  • 53. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: IPHost Network Monitor • SNMP (on UNIX/Linux/Mac) • WMI (on Windows) • HTTP/HTTPS • FTP • SMTP • POP3 • IMAP • ODBC • PING IPHost Network Monitor allows availability and performance monitoring of mail, db and other servers, web sites and applications, various network resources and equipment using:
  • 54. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Screenshot
  • 55. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Network Monitoring Tools Tail4Win is a Windows port of the UNIX 'tail -f' command which can monitor log files of server applications in real time Status2k provides server information for current and future clients in an easy to read format, with live load, uptime and memory usage
  • 56. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Network Monitoring Tools (cont’d) DoSHTTP is a powerful HTTP Flood Denial of Service testing software for Windows that includes URL verification, HTTP Redirection, and performance monitoring Admin’s Server Monitor is a tool to monitor server disk traffic loaded over network that shows accumlated byte counts read from server's disks by client PCs over network
  • 57. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary “DoS attack is a type of network attack intended to make a computer resource unavailable to its intended users by flooding of network or disruption of connections” If an attacker is unable to gain access to a machine, the attacker will most likely crash the machine to accomplish a denial of service attack Attacker uses a abnormal ICMP (Internet Control Message Protocol) data packet containing large amounts of data that causes TCP/IP to crash or behave irregularly Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems attack a single target, thereby causing denial of service for users of the targeted system Three basic techniques used to detect Denial-0f-Service attack are Activity profiling, Sequential Change-Point detection, and Wavelet-based signal analysis
  • 58. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  • 59. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited