Denial of Service (DoS) = purposeful attack on a network or resource to prevent legitimate users from accessing it.
Distributed Denial of Service (DDoS) = same goal as DoS, but the traffic comes from many sources at once (zombies: compromised hosts whose owners are usually unaware).
Symptoms: network unavailable, abnormally slow connectivity, IP-based services unreachable.
Effects: financial loss, loss of customers, network disabled and consequently the organization disabled.
10.2 DoS Techniques
– SYN Flooding: SYNs with spoofed source addresses → the server's table of half-open connections fills up (it waits for ACKs that never arrive) → the server cannot accept new connections
– Service Request Floods: valid (non-spoofed) sources open many real connections to a service until it runs out of capacity
– Application Level DoS: a vulnerability in the application itself is exploited so that it crashes or exhausts its resources
– Bandwidth Overload: a distributed set of attacking machines saturates the target's network link
– ICMP Flooding: many ICMP echo requests consume bandwidth and processing on the target
– Permanent DoS (a.k.a. Phlashing): intent is to permanently disable the device, typically by corrupting its firmware
10.3 Botnets
Network of compromised hosts (bots/zombies) running software that automates tasks on the attacker's behalf through a remote Command & Control (C&C) channel.
10.4 DoS Attack Tools
– PHP DoS (DDoS script written in PHP)
– XOIC (website DoS)
– DDOSIM (Linux DDoS simulator)
– LOIC (Low Orbit Ion Cannon)
– HULK (HTTP Unbearable Load King)
– Tor's Hammer (HTTP DoS; it routes through Tor to anonymize the source)
10.5 Detection and Countermeasures
– Activity profiling → monitor the average packet rate per flow; a sudden rise in activity level or in the number of distinct flows indicates an attack
– Wavelet-based signal analysis → analyses traffic as a signal to detect anomalies that no known signature covers
– Protect "zombies" → harden hosts so they cannot be recruited as secondary victims
– Neutralize handlers → identify and shut down the C&C handlers that control the bots
– Detect potential attacks → e.g. filter packets with spoofed source addresses, rate limiting
– Deflect attacks → honeypots absorb the attack and reveal the attacker's tools
– Mitigate attacks → increase bandwidth / absorbing capacity during the attack, drop or throttle attack traffic
– Forensics (after the DoS) → analyze captured traffic and logs to identify the attack pattern and its sources
– Protect devices from becoming part of a botnet
– Perimeter security
– Contact the ISP (upstream filtering of the attack traffic)
– Hardware (several vendors offer DDoS mitigation appliances)
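The activity-profiling idea above, as an added example (not part of the original notes): a small Python detector run over constructed flow records. It also shows why the spoofed-source SYN flood of 10.2 is invisible to per-source counting but visible to the aggregate packet rate and the SYN:ACK ratio. The record format (seconds, source IP, TCP flag), the window size and the thresholds are assumptions for the demonstration.

```python
"""Activity-profiling DoS detection over constructed flow records.
Added example, not from the original notes. Record format (seconds, source
IP, TCP flag) and all thresholds are assumptions for the demonstration."""
from statistics import mean

WINDOW_S = 10  # profiling window in seconds (assumption)


def build_sample():
    """Constructed traffic: 20 clients each send one SYN and one ACK per
    window for 60 s; during the last window (t = 50..59) 400 extra SYNs
    arrive from spoofed 198.51.100.0/24 sources and are never ACKed."""
    flows = []
    for t0 in range(0, 60, WINDOW_S):
        for i in range(20):
            src = f"10.0.0.{i + 1}"
            flows.append((t0 + i % WINDOW_S, src, "S"))
            flows.append((t0 + i % WINDOW_S, src, "A"))
    for n in range(400):
        flows.append((50 + n % WINDOW_S, f"198.51.100.{1 + n % 254}", "S"))
    return flows


def per_window(flows):
    """Aggregate each window: packet count, SYNs, ACKs and packets per source."""
    stats = {}
    for t, src, flag in flows:
        w = t // WINDOW_S
        s = stats.setdefault(w, {"pkts": 0, "syn": 0, "ack": 0, "per_src": {}})
        s["pkts"] += 1
        if flag == "S":
            s["syn"] += 1
        elif flag == "A":
            s["ack"] += 1
        s["per_src"][src] = s["per_src"].get(src, 0) + 1
    return stats


def max_per_source(flows, window):
    """Per-source profiling: packets sent by the busiest single source in a
    window. With spoofed sources every address looks quiet, so this alone
    misses the flood."""
    return max(per_window(flows)[window]["per_src"].values())


def detect(flows, baseline_windows=5, rate_factor=3.0, ratio_limit=5.0):
    """Learn the average packet rate from the first windows, then flag later
    windows whose aggregate rate or SYN:ACK ratio is abnormal.
    Returns (window, packets, syn_ack_ratio, distinct_sources, reasons)."""
    stats = per_window(flows)
    windows = sorted(stats)
    baseline = mean(stats[w]["pkts"] for w in windows[:baseline_windows])
    alerts = []
    for w in windows[baseline_windows:]:
        s = stats[w]
        ratio = s["syn"] / max(s["ack"], 1)
        reasons = []
        if s["pkts"] > rate_factor * baseline:
            reasons.append("rate")          # activity level jumped
        if ratio > ratio_limit:
            reasons.append("syn_ratio")     # half-open connections piling up
        if reasons:
            alerts.append((w, s["pkts"], round(ratio, 1), len(s["per_src"]), reasons))
    return alerts


if __name__ == "__main__":
    sample = build_sample()
    for alert in detect(sample):
        print("ALERT window=%d pkts=%d syn:ack=%.1f sources=%d reasons=%s" % alert)
    print("busiest single source in the flood window:",
          max_per_source(sample, 5), "packets")
```

In the flood window the busiest source still sends only two packets, exactly like a legitimate client, while the aggregate count rises from 40 to 440 and the SYN:ACK ratio from 1 to 21: that is why the profile must be built on the aggregate, not per source, when spoofing is in play.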
10.6 DoS Protection Tools
– FortGuard DDoS Firewall
– Anti-DDoS Guardian
Session hijacking means taking over a valid session between a client and a server; when it is done at the transport layer it is also called TCP session hijacking.
There are many hijacking techniques: brute force, application-level hijacking, MiTM, session ID prediction, session ID replay, reset (RST) hijacking, blind injection.
These techniques are classified as:
– ACTIVE when the attacker takes over the session: the victim's connection is "frozen" (it hangs), so the victim may notice that something is wrong;
– PASSIVE when the attacker only watches (sniffs): the session is recorded and the victim is unaware of the attack.
Attack techniques are also divided into application-level and network-level.
11.3 Application level session hijacking
Session IDs are alphanumeric strings (which should be randomly generated) used to keep state between requests. They are typically stored in cookies, in URLs or in hidden form fields. Whoever holds the ID is treated as the session owner, so once it is compromised the attacker gains access to the session.
SESSION REPLAY → reusing a captured valid session ID to impersonate the client
SESSION PREDICTING → the attacker collects IDs, looks for patterns and tries to predict the next one (that is why IDs must be randomly generated with enough entropy). A variation is brute force: trying many candidate session IDs.
SESSION FIXATION → the attacker obtains a session ID from the server and tricks the victim into using it (e.g. via a link carrying the ID). When the victim authenticates, the session the attacker already knows becomes an authenticated session, and the attacker uses it.
MAN-IN-THE-MIDDLE attacks (11.4) → the attacker sits between client and server and forces all traffic through him/her. Man-in-the-Browser is a variation: the malicious entity is not a separate system but a client-side program (typically a trojan) that captures data or inserts scripts into web pages as the user sees them.
CROSS-SITE ATTACKS (11.5) → in this category we find:
- Cross-Site Scripting (XSS): a malicious script is injected into a trusted site and runs in the victim's browser, where it can read the session cookie or act within the valid session
- Cross-Site Request Forgery (CSRF): similar, but instead of running code it abuses the victim's existing authenticated session to make the browser send forged requests that the server accepts as coming from the victim
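Session prediction and session fixation, modelled in Python as an added example (not part of the original notes). The weak generator (md5 of a counter), the in-memory store and its `create`/`login`/`user_for` API are assumptions for the demonstration; the defences shown are the two the notes call for: IDs from a cryptographic random source, and a fresh ID issued at login so that a planted pre-authentication ID never becomes authenticated.

```python
"""Session-ID prediction and session fixation, modelled in Python.
Added example, not from the original notes; the weak generator, the store
API and the login flow are assumptions for the demonstration."""
import hashlib
import secrets


class WeakSessionIds:
    """Predictable generator (assumed for illustration): the ID is md5 of
    an incrementing counter. It looks random but carries no entropy."""
    def __init__(self, start=1000):
        self.counter = start

    def new(self):
        self.counter += 1
        return hashlib.md5(str(self.counter).encode()).hexdigest()


def predict_next_weak(observed_id, search_space=10**6):
    """Attacker side: recover the counter behind one observed ID by brute
    force, then compute the ID the server will hand out next."""
    for c in range(search_space):
        if hashlib.md5(str(c).encode()).hexdigest() == observed_id:
            return hashlib.md5(str(c + 1).encode()).hexdigest()
    return None


class SessionStore:
    """Server-side store. rotate_on_login=False reproduces the fixation
    bug: the pre-authentication ID stays valid after login."""
    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> authenticated user (or None)

    def create(self):
        # 32 random bytes from the OS CSPRNG: not predictable, not brute-forceable
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Called after the credentials have been verified (not shown).
        Returns the session ID the client must use from now on."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self.sessions[sid] = user
            return sid
        # Fixation defence: drop the ID the client arrived with (an attacker
        # may have planted it) and bind the user to a brand-new one.
        del self.sessions[sid]
        new_sid = self.create()
        self.sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def fixation_attack(store):
    """Attacker obtains an ID, plants it in the victim's browser (e.g. a link
    carrying it), the victim logs in with it. Returns the user the attacker
    can now act as, or None if the defence held."""
    planted = store.create()               # attacker's own pre-auth session
    store.login(planted, "alice")          # victim authenticates with it
    return store.user_for(planted)         # attacker tries the planted ID


if __name__ == "__main__":
    weak = WeakSessionIds()
    seen = weak.new()
    print("predicted:", predict_next_weak(seen), "actual:", weak.new())
    print("fixation, no rotation:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("fixation, rotation:   ", fixation_attack(SessionStore(rotate_on_login=True)))
```

The brute force in `predict_next_weak` succeeds after about a thousand hashes because the only secret is a small counter; against `secrets.token_urlsafe(32)` (256 bits of entropy) the same search space is meaningless. Rotation on login is cheap and is what turns a planted ID into a dead one.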
11.6 Network Level Hijacking
TCP/IP hijacking exploits the 3-way handshake: after the second message (the server's SYN/ACK carrying its ISN), the attacker, who has sniffed or predicted that ISN, sends the third message (ACK) in place of the client and then injects data with the sequence numbers the server expects.
RESET or RST hijacking → an RST packet is normally sent by the server to the client to tear down the connection; the attacker spoofs such a packet (with a sequence number the client accepts) so that the client drops the connection, reconnects and re-authenticates, giving an attacker positioned in the path the chance to capture or take over the new session.
Other attacks on TCP/IP:
UDP hijacking → UDP is connectionless (no handshake, no sequence numbers), so the attacker only has to answer a request before the legitimate server does. UDP carries DNS queries: if the attacker wins the race, the answer can point the victim to a fake web server.
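Why every network-level technique above comes down to the sequence number, shown with a minimal model of one TCP endpoint's receive side. This is an added example, not part of the original notes; the endpoint model, the injected payload and the 65535-byte window are assumptions. It contrasts the on-path attacker (who sniffed the number and injects first, leaving the real client "frozen") with the blind attacker (who must guess a 32-bit value, which is hopeless for in-order data injection and merely improbable for an RST that only needs to land inside the window).

```python
"""Why TCP hijacking needs the sequence number: a minimal model of one TCP
endpoint's receive side. Added example, not from the original notes; the
endpoint model, payloads and window size are assumptions."""
import random

SEQ_MOD = 1 << 32          # 32-bit sequence space


class TcpEndpoint:
    """Receive side of an established connection. rcv_nxt is the sequence
    number it expects next; window is how far ahead it will accept."""
    def __init__(self, rcv_nxt, window=65535):
        self.rcv_nxt = rcv_nxt % SEQ_MOD
        self.window = window
        self.buffer = b""

    def accept_data(self, seq, payload):
        """Simplified: only an in-order segment (seq == rcv_nxt) is delivered."""
        if seq != self.rcv_nxt:
            return False
        self.buffer += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_MOD
        return True

    def accept_rst(self, seq):
        """An RST is honoured if its sequence number lies inside the window."""
        return (seq - self.rcv_nxt) % SEQ_MOD < self.window


def on_path_hijack(server, sniffed_seq, client_payload, injected=b"echo pwned\n"):
    """Active hijack by an attacker who sniffed the client's next sequence
    number: the injected segment is accepted, and the real client's own
    segment (same seq) is then rejected, so the client appears frozen."""
    injected_ok = server.accept_data(sniffed_seq, injected)
    client_ok = server.accept_data(sniffed_seq, client_payload)
    return injected_ok, client_ok


def blind_hit_probability(window=65535):
    """Blind attacker (cannot sniff): chance that one random guess lands in
    the window. This is the RST case; in-order data injection needs the
    exact value, i.e. 1 / 2**32 per guess."""
    return window / SEQ_MOD


def blind_rst_trials(server, guesses, seed=0):
    """Count how many random RST guesses the endpoint would honour."""
    rng = random.Random(seed)
    return sum(server.accept_rst(rng.randrange(SEQ_MOD)) for _ in range(guesses))


if __name__ == "__main__":
    srv = TcpEndpoint(rcv_nxt=1000)
    print("on-path injection accepted / real client accepted:",
          on_path_hijack(srv, 1000, b"ls\n"))
    print("server now holds:", srv.buffer)
    print("blind RST success per guess: %.2e" % blind_hit_probability())
    print("blind RST hits in 10000 guesses:",
          blind_rst_trials(TcpEndpoint(1000), 10000))
```

The model also explains the ISN point: if the server's ISN can be predicted, the attacker computes the number it needs instead of sniffing it, which is what makes a blind TCP hijack feasible against hosts with weak ISN generation.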
11.7 Session Hijacking Tools
SURF JACK → hijacks HTTP connections to steal cookies (works on both Ethernet and Wi-Fi)
COOKIE CATCHER → collects cookies stolen via Cross-Site Scripting
FIRESHEEP → Firefox extension that hijacks HTTP sessions by sniffing cookies on the local (typically open Wi-Fi) network
WHATSUP GOLD ENGINEER TOOL → a network diagnostic tool
ZAPROXY (OWASP ZAP) → penetration-testing proxy that searches for vulnerabilities in web applications
11.8 Hijacking protection
Network-level protection: use secured networks with firewalls, limit incoming connections, minimize remote access, use HTTPS instead of HTTP, encrypt data in transit, and rely on certificates issued by trusted Certification Authorities so that the server can be authenticated.
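The web-side counterpart of the protections above, covering both the cross-site attacks of 11.5 and the HTTPS advice of 11.8, as an added example (not part of the original notes): building a session cookie with the attributes that shut down each attack in the notes, and a CSRF token check bound to the session. The helper names, the sample secret and the sample origins are assumptions.

```python
"""Cookie attributes and CSRF token check for the web-session protections of
11.5 and 11.8. Added example, not from the original notes; the helper names
and the sample secret/session/origin values are assumptions."""
import hashlib
import hmac


def session_cookie(name, value, secure=True, http_only=True, same_site="Lax"):
    """Build a Set-Cookie header value. Each attribute blocks one attack from
    the notes: Secure -> cookie never sent over plain HTTP (nothing for a
    Firesheep-style sniffer to capture); HttpOnly -> not readable from
    JavaScript (an XSS payload cannot exfiltrate it); SameSite -> not
    attached to cross-site requests (CSRF mitigation)."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def csrf_token(secret, session_id):
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The attacker's site can neither compute it nor read it out of the
    victim's page, so a forged request arrives without a valid one."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(secret, session_id, form_token, origin, site_origin):
    """Accept a state-changing POST only if the browser's Origin header is our
    own site (or absent, as with same-origin form posts in older browsers)
    and the submitted token matches this session. Constant-time comparison
    avoids leaking the token byte by byte through timing."""
    if origin not in (None, site_origin):
        return False
    expected = csrf_token(secret, session_id)
    return hmac.compare_digest(expected, form_token or "")


if __name__ == "__main__":
    SECRET = b"server-side-secret-constructed-for-demo"
    sid = "s3ssion1d"                   # constructed session ID
    print("hardened:", session_cookie("sid", sid))
    print("weak:    ", session_cookie("sid", sid, secure=False, http_only=False, same_site=None))
    tok = csrf_token(SECRET, sid)
    print("legit POST:", check_state_changing_request(
        SECRET, sid, tok, "https://bank.example", "https://bank.example"))
    print("forged POST:", check_state_changing_request(
        SECRET, sid, None, "https://evil.example", "https://bank.example"))
```

The "weak" cookie line is what the tools in 11.7 exploit: without Secure it crosses the wire in clear over HTTP, and without HttpOnly a single injected script can read it. The token check is what makes CSRF fail even when the browser does attach the cookie.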