DOS attacks

by **renegta0** on Wed Jul 23, 2008 7:31 pm ([msg=8110]see DOS attacks[/msg])

I'm a pen tester in training and I have a question about DOS attacks.

My question is, what makes an effective DOS attack? What do malicious hackers send out to consume so much bandwidth and resources that it keeps a successful denial of service? Also, I hear most of the time a good DOS is done with a spoofed IP in the header. Could someone explain this as well? I know I won't be doing much of this kind of attack while pentesting, just thought it might be good to know.

Thanks in advance.

-Justin

An effective dos attack is one that can be sustained over a long period of time. As for what is sent out the answer is simply anything to consume bandwidth. For instance i could make a program that continually refreshes a webpage and if i got it on enough computers it would more than likely bring down a website (this would be a shoddy way of doing it mind) also the ping command when crafted properly can consume a considerable amount of bandwidth (especially with the -t switch). however normally your victims bandwidth will be greater than yours (because its normally a server) so to bring it down you need multiple computers and its only down as long as the attack is sustained. As for a spoofed ip header thats just changing the ip at the top of a packet to make it look like it came from somewhere it didn't (helps stop things coming back to you). ip spoofing is also used if a computer only allows requests from certain computers (so that you can impersonate said computer).

An effective Denial of Service attack does exactly as it sounds, denies service. You do have to take in count the time of effectiveness and the effect of a DoS attack.

Imagine the Following, Blizzard is about to release Diablo III but it is only available online from blizzard.com. To bribe customers, for the first 12 hours the game will come with a few special items which will only be available through this time. If you are a malicious person, you could attempt to initiate a DoS attack against Blizzard so you would be the only one with these special items.

Since the time period is 12 hours, an effective DoS attack must last over 12 hours for your plan to work.

by **atrius** on Sun Aug 10, 2008 5:40 am ([msg=9263]see Re: DOS attacks[/msg])

Its been a while since i looked into these, but this is my understanding.

There are a few ways that DoS attacks work. Firstly, make the victim spend all its time sending information to a client who does not exist. This is done by packet modification or something similar. For example, we have a network with A and B.
A sends information to B : A->B
But what if B pretends to be C? There is no computer C on the network, but if A thinks that there is, then it will be wasting time sending data to the non-existant C.
This relates the spoofed Ip in the header you were mentioning. Basically, a network packet consists of a few bits of informaiton, something like this:
DestinationIP : Origin : Data.
The orgin and other information is containted in the "header" of a packet. To spoof the header means to change it to what you want, not what it actually should be.
This kind of attacks were the original DoS attacks, I think. However, they arnt so common now, because nobody cares if they are sending a few bytes every few seconds to somewhere that doesnt exist. The amount of bandwidth that is used today makes these attacks almost useless.

So, widespread bandwidth attacking DDoS (Distrubited Denial of Service) attacks are the rage now. These basically involve as many people as possible trying to connect to a server. The server cant cope with this many requests, and all its bandwidth is used up. This effectivly takes the server down, because it cant do anything - it has no network.
How do you orginize these kind of attacks, i hear you ask? Obviously if you got all your home computers and logged into, say, yahoo, Yahoo wont crash. You need alot of computers.

So, BotNets are used. This works as follows : many people are infected with a virus. That virus (in this case a trojan), sits on their computer. The trojans all login to IRC and wait for instructions. (Keeping in mind we could be talking about upwards of 10-20 million computers, here, if the virus is widespread, and probalby more).

When a victim is decided, the controlling person logs into IRC, and tells the bots the IP of the victim. The bots then all try to connect to the victim, crushing it with their bandwidth usage.

Some good reasons : Blackmail. First and formost. If I can tell a bank, or company, that its servers will be down for a few days and they'll be loosing money unless they pay me ... By controlling a DDoS BotNet, I have that power.
Revenge - if i dont like somebody and I have power to do this, then i could.
Buisness advantages - if Google goes down, then other search engines would profit, wouldnt they?
"cool factor" - I get to boast about the power I have.

Some good links
: Wikipedia : http://en.wikipedia.org/wiki/Denial-of-service_attack
: Yahoo Downage report : http://news.cnet.com/2100-1023-236621.html

by **Sveezy** on Mon Sep 29, 2008 4:34 am ([msg=12776]see Re: DOS attacks[/msg])

I'm currently having some serious problems with DoS attacks I believe they are. If someone could offer some assistance, I would be greatly thankful... pm me if at all possible.

How do DoS attacks against routers work? Is it just the same concept, except flooding computers in that IP range with packets?

ArgentPyro wrote:How do DoS attacks against routers work? Is it just the same concept, except flooding computers in that IP range with packets?

yes, but it depends on the kind of router, for eg. cisco has prevention mechanisms implemented

thanks. What types of protection exactly? Does it log IP addresses and doesn't accept packets from IP's sending heavy traffic its way, or does it have a method of detecting patterns (i.e. nonsensical data, without meaningful headers)

by **Arhk** on Sun May 24, 2009 5:17 pm ([msg=24309]see Re: DOS attacks[/msg])

ArgentPyro wrote:thanks. What types of protection exactly? Does it log IP addresses and doesn't accept packets from IP's sending heavy traffic its way, or does it have a method of detecting patterns (i.e. nonsensical data, without meaningful headers)

I'm also curious about this 0_0
~ If I remember right my friend told me the server gets irritated & stops listening to you (because, really who does that many pages requests per second 0_0) which is why you need all the comps my explanation sounds simple but I know nothing about IP (in its advanced stages) been lookin for a good book a while now (any suggestions...?).

I think I just had an great idea!!!!!

Ok so, someone said you could change the top of the packet to include the reply address so
the server won't send packets back to you, how about it you made it so that reply address was..
THEIR SERVER'S IP, so the packets would hit them twice (and twice as hard), and also keeping
you anonomous!!!!

Please tell me if this is incredibly stupid before I try it.