DoS Attack - Incident Handling

Editor's Notes

• #2: By Marcelo Silva
• #4: The Denial of Service (DoS) is an attack that by overloading a network or system’s resource, brings the system down, or at least reduces significantly the network availability and systems performance, in order to prevent the authorized user’s access.Some of the DoS attacks are listed below:Flooding the network or host with more traffic or requests than can be handledFlooding a Service with more events than it can handleCrashing a TCP/IP stack by sending corrupt packetsCrashing a service by interacting with it in an unexpected wayHanging a system by causing it to go into an infinite loopThe Network are affected in their bandwidthThe Operating Systems are impacted on their CPUs, Memory and Disk spaceThe Services/Applications are affected on their ability to respond to the requestsThe Network Devices are affected in their ability to work on purpose (Router=routing, Switch=Manage Traffics, Firewall=Filtering/Blocking/Allowing/Detection…)Therefore, the DoS attack is against the availability of the systems and the communication networks.
• #5: DoS attack against NetworkThe attacker uses all available network bandwidth by generating a large volume of traffic.Another way to attack the network availability it is broadcasting on the same frequencies used by a wireless network to make it unusable.The network is also compromised when a attack cause physical destruction or alteration of the network components.DoS attack against ComputersMalformed TCP/IP packets are sent to a server so that operating system will crash.Establishing many simultaneous login session to a server so that legitimate users cannot start login.Making many processor-intensive requests so that the server stops responding.Consuming all available disk space by creating a high number of large files.DoS attack against ApplicationsSending illegal requests to an application to crash it.Web servers, application servers and database servers can be affected by the Dos attack.
• #6: DDoS is a well coordinated Denial of Service attack that is launched indirectly through many compromised computers on the Internet, against the service availability on a victim’s network or systems.The three steps of the DDoS attack:Attackers compromise hosts on the Internet and deploy bots on themAttackers uses a handler to instruct the agents (or they do that by pre-programming those bots) on what, when and how to attackThe botnet initiates the attack according to the instructionsUsually the attacker uses thousands of bots when performing a DDoS attack.
• #7: Reflector AttacksAttackers like to use spoofed source addresses in order to hide the real source of the attack.The attacker sends UDP packets to the Reflector, using spoofed IP addressesThe host generates a reply to each request and sends the replies to the spoofed addressThen a potentially loop occurs, generating high network traffic and processing activitiesBut it worth to mention that during that type of attack, a DoS could happen to the Reflector, the host at spoofed address, or both hosts.Some common ports/services used by the reflector attack are:Echo (7)Chargen (19)DNS (53)SNMP (161)ISAKMP (500)Amplifier AttacksThat kind of attack tries to explore the broadcast address, expecting that many hosts will respond to it.This attack could be blocked by configuring properly the border routers to not forward directed broadcasts.One of the examples of an Amplifier attack it is a DNS recursion attack. That’s why the DNS server should be configured for non-recursive.Flood AttacksAs stated by the EC Council (2010) in DDoS flood attacks, “zombies flood victim systems with IP traffic. The large volume of packets that zombies send to victim systems slows down the systems, crashes the systems, or saturates the network’s bandwidth”.On UDP attacks, for example, the large amount of packets can saturate the network, impacting the network performance for legitimate service requests.
• #8: As indicated by Scarfone, K., & Grance, T., & Masone, K. (2008), “DoS attacks can be detected through particular precursors and indications”. Thus, by observing these precursors and indications, we are able to prevent and pro-actively act in order to avoid the unavailability of systems and applications. The first step that an attacker performs before a DoS attack is executing some reconnaissance tasks. Those activities include network scanning and some tests in order to determine which attacks could be more effective.  Handlers could detect this preparation phase activities; however the attacker can use some techniques to ensure the network traffic doesn’t reach common thresholds that are used to trigger the monitoring alarms. If handlers are able to detect these reconnaissance activities, the company can proactively change its security controls such as firewall rules to block a specific protocol or port from being used. Another action/response could be hiding a vulnerable host until the vulnerability or weaknesses are corrected. Another DoS attack precursor, and that could represent a significant threat to an organization, it is when a new DoS tool is released. For this, the company should investigate that tool further, and change its security controls accordingly. This way, the organization will be able to effectively avoid such kind of attack.
• #9: In addition to the precursors, there are also some indications that a DoS attack is ongoing. Following below some indications for each type of DoS attack: Network-based DoS attack against a hostServer crashSystem unavailability reported by usersAlerts from the IDS/IPSAlerts/events at the HIDS on the hostLarge number of connections is detected on a single hostPackets with unusual source IP address Server Logs Network-based DoS attack against a networkSystems and Network unavailability reported by the usersAlerts from the NIDSUnexplained connection lossesNetwork activities and bandwidth increased for no reasonPackets with non-existent destination IP addressesHigh number of incoming traffic and low number of outgoing traffic DoS attack against the Operating Systems Continuous server crashSystems and Applications unavailability reported by usersAlerts from the NIDS/HIDSServer Logs (System and Application events/logs)Packets with unusual source IP address  Layer 7 DoS attack against an Web Application / Web Server / Web Service / DatabaseApplications unavailability reported by users or other systemsAlerts from the NIDS/HIDSApplication logs fromWeb tierApplication tierData tierPackets with unusual source IP address
• #10: Trace the source of attacksSpoofed IP addresses are used for that kind of attack, by using connectionless protocols (UDP/ICMP) or connection-oriented protocols but without establishing connections properly (TCP SYN packets)The IP of the handler is not visibleDDoS attacks usually use thousands of bots/zombies, which are activated by the controller. The victims can’t see the IP of the handler and if it could, it probably would be an IP from one of the compromised computer/host, and not from the real attacker.False positive alertsNetwork-based DoS attacks are difficult to be detected by the IDPS sensors with high level of accuracy. SYNflood is one of the most common kind of false positive on detection systems. A quick port scan, for example, could be detected as a SYNflood attack.Server crash and outages resultant from attacksUsually server crash and service outage are related to hardware failure, bad drivers or physical failures. However, the DoS attacks can cause it, and the most Systems Administrators will not realize that an attack has just occurred.
• #11: The Containment phase is focused on suspends the intrusion before it impacts more and more resources and the number of users and applications that are affected is increased.It is not that easy to stop a DoS attack, that’s why all possible solutions for containing the attack should be attempted.Following below some actions to containing a Denial of Service:Close the gap – The vulnerability that is being exploited by the attack should be corrected. Patches and hotfixes should be applied to Operating Systems and Applications; Services should be re-configured and filters should be altered to block packets from a specific protocol. Also, an attacked host could be removed from the network, as a temporarily measure of containment.Implement filtering accordingly – Identify the characteristics of the attack and change/implement filtering against that. If the attack is using ICMP echo requests, block temporarily that traffic on the network. If there is a SYNflood against one particular host, block the SYN packets to that host on the port it is being attacked, or alter the limit of packets per second to the particular host/port.The ISPs are the first allies – The ISPs should act right away to implement filtering for blocking activities related to the network-based DoS. Correcting OS and Applications vulnerabilities inside the company it will not worth anything if the Internet Service Providers don’t implement adequate filtering to contain the DoS from the external hosts.Hide the target – It is one of the last measures to be taken. If other containing measures are not working, then try to change the host IP address, change the subnet, or even move the service to a different host. But make sure that host doesn’t have the same vulnerability. Otherwise the sophisticated tools used by the attacker could easily detect the new victim.Clean up the house - It’s necessary to bring back the systems to the normal operations. For that, the organization should remove all configuration changed by the DoS attack, if it is the case of an internal attack, by removing malicious codes from the hosts, and from the rules of routers and firewalls.  After the incident, the affected systems should be up and running, applications and services tested in their functionalities. The recovery from the incident is necessary. During the evidence gathering phase after a DoS/DDoS attack, it’s hard for the IT security team to collect substantial proofs, due a couple of reasons such as tracing the attacks, or identify the real IP source addresses or even mining the information in the log entries.Get the cooperation from the ISPs; Identifying the spoofed addresses from the real ones; and extract good information from the large log files are some of the challenges on this task.
• #12: Lessons learnedIt’s very important answering the basic questions such as Why? What? When? And if possible, Who?Evaluate which security measures have worked and which didn’t, and define what improvements should be done in order to avoid similar incidents in the future. Configure/Reconfigure firewall rulesNetwork-based & Host-based firewalls are great weapons against the reflector attacks.The firewall rulesets should be reviewed and reconfigured so that can stop that type of DDoS attacks. Implement/Configure border routers against amplifier attacksThe broadcasts must be blocked on the border routers in order to block the amplifier attacks.Create rules to not forward that kind of traffic. NIDS/NIPS and HIDS to detect attacksIntrusion detection and prevention systems, on the network and hosts, can be helpful in detecting reconnaissance activities and other suspicious activities related to the DoS attacks. Create and maintain a multi-solution containment strategyOnce not only one solution could stop a DoS attack, the company should have a bundle of solutions pre-defined, in sequence, to be attempted when handling an incident.  Separate critical servicesAs a good practice, the critical services should be separated from non-production or non-critical services, being placed on separated network and VLANs, or even in different sites. Thus, services more susceptible to failure or intrusion would be kept apart from the critical layer of service. Also, Demilitarized zones (DMZ) must be created for Internet-facing services.The medium and large enterprises often separate their applications on different environments such as Development, QA and Production as a way to secure their most valuable and critical services.Create a follow-up ReportDocument all impacts that have occurred during the Incident, and the countermeasures that were taken as well.Take note of the issues that were addressed and which ones were escalated to be addressed on some post-incident actions.Indicate who was responsible for which task/action and the deadlines.Make sure the Incident was reported properly to the managers, directors and authorities.
• #13: Since the staff members at the clinic use the Internet extensively on checking patients’ insurance and get authorizations, they must pay attention to:Only provide username and password on certified websites (Using the HTTPS protocol / SSL Encryption)Not provide any information about the local username/password on external websitesDon’t use the same password that it is being used for the local network and systems accessDon’t accept any kind of software installation through the Internet, even antivirus solution offered by external sources. Regard to the Email systems:Be aware of the Social Engineering. Email messages can be used for identity theft and phishing. Phishing is a technique in which an attacker sends email messages or provides a link falsely claiming to be from a legitimate site in an attempt to acquire a user’s personal information (EC Council, 2010).Don’t click on suspicious email attachments, they can contain worms. They could be scripts or executable disguised as false image or doc text files (e.g.: AnnaKournikova.jpg.vbs). If you receive any suspicious email message, don’t click on any link. Report it to the IT department and ask for guidance.Prefer to use BCC when sending emails to multiple recipients. Use carefully the Carbon Copy (CC) field. You can be exposing unnecessarily some email addresses.Don’t use the corporate email account for social networks or news groups. Use private accounts for private e-mails.Emails usually are sent in clear-text format, unless you use some encryption technology. Therefore, don’t send any sensitive data such credit card number, SSN, Driver’s License numbers and passwords via regular email messages.Don’t forward any email chain letters. It can contain malicious code, it exposes email addresses, it generates network traffic and storage consumption.
• #14: Scarfone, K., & Grance, T., & Masone, K. (2008). . Computer Security Incident Handling Guide, NIST 800-61, Gaithersburg, MD: National Institute of Standards and Technology.EC Council (2010). Ethical Hacking and Countermeasures, Threats and Defense Mechanisms, Clifton Park, NY: EC-Council Press.