Understanding a Denial of Service Attack
What is DoS?
DoS simply means Denial of Service – as its name implies, its goal is to prevent users from making use of a server or access point. It is also fairly straightforward to do – all it takes to launch this type of attack is to find the service you want to exploit, and then overwhelm it with packets until you bring it down.
DoS attacks are very dangerous to a network of computers – if your job entails maintaining network security, you would find that a DoS attack is very similar to flooding a house, which means that the longer it takes you to stop it, the more damage it does to the network that you are maintaining.
Users on the network have no way to reach the targeted service because the service, or the firewall state table in front of it, is overwhelmed. DoS attacks can also cause reboots or may even lock up entire computer systems.
When an attack uses several network connections at once to launch the flood, it becomes a distributed denial of service (DDoS) attack. That means the flood of traffic against the targeted service can arrive at great speed, thanks to bots or other hackers sending thousands of packets at the same time.
How Hackers Perform This Attack
All that a hacker needs to perform a DoS attack is a computer, a wireless adapter, and the software called Kali Linux. Take note that Kali Linux is distributed as a .iso, so make sure that you burn it to a CD first.
Now that you have your tools ready, follow the following steps to perform a DoS attack on a wireless LAN:
1. Pull up Kali Linux and select aircrack-ng from the Top 10 Security Tools tab. Once you pull up a fresh terminal, check that your wireless adapter is functioning.
To do this, enter the following command: iwconfig
After doing this, you may see that your wireless adapter is listed as wlan0.
2. Place the wireless adapter in monitor mode.
Key in the command “airmon-ng start wlan0”.
3. Monitor all available access points and find your target service
You will need to find the BSSID of the access point that you want to attack and copy it, along with the channel of the access point that it is using. To do this, enter the following command:
4. Connect to the target access point
If you are able to connect to the access point, you would be able to see that at the bottom of the screen. You can use the following command to connect to the access point:
airodump-ng mon0 --bssid (BSSID address) --channel (access point’s channel)
5. Get the MAC address of the target
Now that you are connected to the target access point, you would need to get the MAC address of the target access point. Copy the MAC address that you see right beside the BSSID of the target that you just connected to.
6. Do a broadcast deauthentication
This is similar to the step that you have done in the earlier blog – you would be bumping off the users from the access point in order to deny service to them. To do that, you would need to send out thousands of de-authenticating frames to the target access point until it breaks down.
Pull up a fresh terminal and enter the following command: aireplay-ng --deauth 1000 -a (BSSID) -h (MAC address) mon0
7. Keep sending packets if the service still did not break down. Take note that this can be a long process, but once the service is no longer able to contain the incoming traffic of packets, all users that are trying to connect to the access point would not be able to log in, or would get disconnected immediately.
Now, you might notice one behavior exhibited by hackers when they choose their targets and launch their attacks: they always do a scan of the targeted system’s vulnerability.
In the example above, you were scanning for the connection names of your target so that you would know which access point to hit. In other DoS attacks, attackers search for open ports that will accept incoming traffic.
What happens when attackers know the open ports of your system? That knowledge lets them identify all the services your computer runs, and therefore the exact location of your computer’s vulnerability.
Open ports accept traffic by design, and an unsecured open port signals to any hacker who happens to be in the area that it’s fine to launch thousands of packets at it.
Here is some good news if you are worried about open ports: it is possible for you to know that someone is poking through open ports through the use of an Intrusion Detection System (IDS).
These tools are normally used by websites and commercial servers and they function as an alert system to system administrators whenever too many packets are being bounced in and out of ports, which is a telltale sign of a port scan.
IDS are normally equipped with threshold-level alerts, which means that system admins are alerted immediately when waves of packets are being sent to their ports. When you get an alert that someone is flooding any of your services, you know that it is time to investigate your traffic.
Other Types of DoS Attacks
To have an idea of what you may be dealing with when you notice that there are large amounts of data being sent to you, it’s necessary to be familiar with the most common DoS attacks. Here are some of the most exploited types:
This is also known as smurf attack, ping of death, b flood, or SYN flood. As the name suggests, this involves sending an overwhelming number of ping packets until the web server exceeds its bandwidth. This is done by creating a fake sender address and then masking that as the sender of mass data.
Since the address is fake, the web server that responds to the requests is left holding half-open connections, because it cannot complete the TCP SYN-ACK exchange with the requesting party. The result is, of course, traffic saturation and the inability of the server to accommodate legitimate requests.
This attack is also known as a layer 7 DDoS. This type of flooding aims to exploit software-related weaknesses such as buffer overflows. It works by sending thousands of requests to an application, which results in precious CPU resources being wasted.
3. Peer-to-Peer attack
This type of attack involves massive connections to a website at once, which would cause the web server to crash. You can think of it as a network zombie attack, wherein several bot accounts or computers send thousands of requests to a web server for a connection, forcing the target to go beyond capacity.
How to Stop a DoS Attack
As you may have noticed, this type of attack may come in waves and can take a long time before putting a targeted service down. That means that you would have time to stop volumetric attacks before your system gets flooded with packets.
The best way to prevent a DoS attack from destroying your service is to know what is happening in your network, especially when you notice strange behavior in the services you are monitoring. You can sample the flows that enter your system’s ports and predict trends in incoming traffic.
Take note that flow analysis can take up time, and it may require you to sample more than one packet that goes into your ports to know the type of data that flows in.
If you manage to sample enough packets while an attack is going on, then you have plenty of opportunities to know more about the attack and the attacker. If you are suffering from a DoS attack on your wireless connection, you are aware that all users are getting bumped off repeatedly whenever they try to connect.
That gives you an idea that, most likely, someone is feeding your connection several deauthentication packets with the intention of sending them at great speed until your system goes over the limit.
If you detect several connections feeding you unrelated data, then you know what to do: bump them off from your network and secure the vulnerable entry point that the hackers found.
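The symptom described above (every client being bumped off repeatedly) has a concrete signature in a monitor-mode capture: a burst of deauthentication frames, usually addressed to the broadcast address, far above the handful a healthy network produces. The following Python detector is an added example, not code from the original post or from any of the tools it mentions. The frame records, the placeholder BSSID and the thresholds (20 deauth frames inside one second) are all constructed assumptions; tune them to your own baseline.

```python
from collections import deque

# Constructed 802.11 management-frame records (timestamp in ms, frame subtype,
# BSSID, receiver address), shaped like what a wireless IDS or a monitor-mode
# capture would give you. No real network is represented.
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"  # placeholder BSSID, an assumption for this example


def constructed_frames():
    """Ten seconds of normal traffic, then a two-second broadcast deauth burst."""
    frames = []
    for i in range(100):  # one beacon every 100 ms
        frames.append((i * 100, "beacon", AP, BROADCAST))
    # two legitimate, unicast deauths: clients leaving the network normally
    frames.append((3000, "deauth", AP, "aa:bb:cc:dd:ee:01"))
    frames.append((7500, "deauth", AP, "aa:bb:cc:dd:ee:02"))
    for i in range(250):  # 250 broadcast deauths in 2 s, i.e. 125 per second
        frames.append((10000 + i * 8, "deauth", AP, BROADCAST))
    frames.sort(key=lambda f: f[0])
    return frames


def detect_deauth_flood(frames, window_ms=1000, threshold=20):
    """Alert when a BSSID emits `threshold` or more deauthentication frames
    inside any sliding window of `window_ms` milliseconds.

    Legitimate deauths are rare and unicast; a sustained stream, especially
    to the broadcast address, matches the symptom of every client being
    kicked off at once. Returns one alert dict per affected BSSID."""
    recent = {}  # bssid -> deque of (ts, receiver) for deauths inside the window
    alerts = {}
    for ts, subtype, bssid, receiver in frames:
        if subtype != "deauth":
            continue
        q = recent.setdefault(bssid, deque())
        q.append((ts, receiver))
        while ts - q[0][0] > window_ms:  # drop frames that fell out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(bssid, {
            "bssid": bssid,
            "first_seen_ms": q[0][0],   # start of the first window that tripped
            "peak_in_window": 0,        # highest deauth count seen in one window
            "broadcast": False,         # were any of them broadcast deauths?
        })
        alert["peak_in_window"] = max(alert["peak_in_window"], len(q))
        alert["broadcast"] = alert["broadcast"] or any(r == BROADCAST for _, r in q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_frames()):
        print(alert)
```

Detection is the fallback, not the fix: the mitigation for this class of attack is 802.11w Protected Management Frames, which lets clients and access points reject deauthentication frames that are not authenticated, so the flood is ignored rather than merely noticed.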
Detecting Possible DoS Flood Signatures
Since you read about DoS attacks in an earlier blog, you might also be very interested in how you can possibly see if your ports are being flooded by a hacker with the attempt to deny your service. If you have Wireshark, you can detect the signs of possible waves of packets that are possibly being sent to you by a criminal hacker.
Here’s a typical scenario for packet floods such as DoS attacks – if a criminal hacker wants to flood you, he would want to conceal his identity by spoofing IP addresses for each type of packet that he wants to send you.
The reason why criminal hackers do this is that they are very aware that it is very easy for many commercial firewalls to detect flooding from a single source and then proceed to blacklist that IP.
Of course, if the huge wave of traffic looks like it is coming from a single source in a small amount of time, then you can just stop the connection coming from that address.
When detecting a DoS attack, you can run a Wireshark capture and look at the ports that are receiving traffic. If you see that there are too many IPs that are sending traffic to a single port and that the packets that they are sending are coming to you in suspiciously small intervals, then you know that someone is trying to destroy (or at the very least, bog down) your network.
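Both signatures described on this page, the IDS threshold alert for a port scan (one source touching many ports in a short time) and the Wireshark flood pattern above (many packets to one port at suspiciously small intervals, from one source or from many spoofed ones), can be checked with the same sliding-window count. The Python below is an added example, not code from the original post, Wireshark or any IDS; it runs over a constructed capture with documentation-range and private addresses, and the thresholds (10 ports in 5 s, 100 packets to one port in 1 s) are assumptions to adjust against your own traffic baseline.

```python
from collections import Counter, defaultdict, deque, namedtuple

# One record per captured packet, the fields a Wireshark CSV export or a flow
# log would give you: timestamp in ms, source IP, destination port.
Packet = namedtuple("Packet", "ts_ms src dst_port")


def constructed_capture():
    """Constructed sample capture (not real traffic). Buried in it: normal
    browsing, one host sweeping 40 ports, a spoofed flood against port 80
    and a single-source flood against port 22."""
    pkts = []
    for i in range(30):  # two clients talking to 80/443 every 300 ms
        pkts.append(Packet(i * 300, "198.51.100.7", 80 if i % 2 else 443))
        pkts.append(Packet(i * 300 + 150, "198.51.100.8", 443))
    for port in range(1, 41):  # port sweep: one probe every 50 ms
        pkts.append(Packet(1000 + port * 50, "203.0.113.9", port))
    for i in range(400):  # spoofed flood: 400 packets 5 ms apart, every source different
        pkts.append(Packet(20000 + i * 5, f"10.0.{i // 256}.{i % 256}", 80))
    for i in range(150):  # single-source flood: 150 packets 5 ms apart from one host
        pkts.append(Packet(30000 + i * 5, "192.0.2.50", 22))
    pkts.sort(key=lambda p: p.ts_ms)
    return pkts


def _peak_in_window(pkts, key, window_ms):
    """Slide a window of window_ms over time-sorted pkts. Return the largest
    packet count seen in any window and the largest number of distinct key()
    values seen in any window."""
    q, keys = deque(), Counter()
    peak_count, peak_distinct = 0, 0
    for p in pkts:
        q.append(p)
        keys[key(p)] += 1
        while p.ts_ms - q[0].ts_ms > window_ms:  # expire packets outside the window
            old = q.popleft()
            keys[key(old)] -= 1
            if keys[key(old)] == 0:
                del keys[key(old)]
        peak_count = max(peak_count, len(q))
        peak_distinct = max(peak_distinct, len(keys))
    return peak_count, peak_distinct


def detect_port_scans(packets, window_ms=5000, min_ports=10):
    """Port-scan signature: one source touching many distinct ports in a short
    window. Returns {source: most distinct ports seen in any window}."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    found = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts_ms)
        _, distinct_ports = _peak_in_window(pkts, lambda p: p.dst_port, window_ms)
        if distinct_ports >= min_ports:
            found[src] = distinct_ports
    return found


def detect_floods(packets, window_ms=1000, min_packets=100):
    """Flood signature: too many packets to one port in a short window. The
    distinct-source count decides the response: one source can simply be
    blocked, while many sources in the same window indicate a distributed or
    spoofed flood where blacklisting single IPs will not help."""
    by_port = defaultdict(list)
    for p in packets:
        by_port[p.dst_port].append(p)
    alerts = []
    for port, pkts in sorted(by_port.items()):
        pkts.sort(key=lambda p: p.ts_ms)
        peak, sources = _peak_in_window(pkts, lambda p: p.src, window_ms)
        if peak >= min_packets:
            alerts.append({
                "dst_port": port,
                "peak_packets_per_window": peak,
                "distinct_sources": sources,
                "verdict": "single source: block it" if sources == 1
                           else "distributed/spoofed flood: rate-limit the service",
            })
    return alerts


if __name__ == "__main__":
    capture = constructed_capture()
    print("port scans:", detect_port_scans(capture))
    for alert in detect_floods(capture):
        print("flood:", alert)
```

The spoofed case is why the page's advice to blacklist the sending IP only works for the single-source flood: against 200 distinct addresses per second the per-IP block list never catches up, and the useful control is rate-limiting or filtering upstream of the service.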
Making Sure that Your Network is Safe
By making sure that you are aware whenever someone is trying to send you a port scan, you would be able to secure your network and prevent any network-related attack.
The only proven way to do this is to have a person monitoring the traffic coming into your system and making sure that all incoming data requests are legitimate. Once there is suspicious activity, it is time for you, the ethical hacker, to carry out the next step in thwarting a possible attack.
What could you possibly do during a possible attack? You can simply try to find all the suspicious incoming connections and then ban them from connecting to you.
This way, you would not have to deny service to anyone who should really be accessing your network – and this is important if your business depends on being able to offer access. In other words, you should always consider the possible repercussions of every step you take against possible attacks.
Conducting Vulnerability Scanning
A vulnerability is a weakness or lack of protection present within a host, system, or environment. The presence of a vulnerability represents a potential spot for exploitation or targeting by a threat. Locating and identifying vulnerabilities in a system represents one important component of protecting a system—but not the only one.
How do you find all the vulnerabilities that exist in an environment, especially with the ever-increasing complexity of technologies? Many techniques can help you; some of them are manual or scripted in nature, and some are automated tools such as vulnerability scanners.
Vulnerability scanners are designed to identify problems and “holes” in operating systems and applications. This is done by checking code, ports, variables, banners, and many other potential problem areas, looking for issues.
A vulnerability scanner is intended to be used by many legitimate users, including pentesters, to find out whether there is a possibility of being successfully exploited and what needs to be fixed to mitigate, either by reducing or eliminating the threat area.
While vulnerability scanners are usually used to check software applications, they also can check entire operating environments, including networks and virtual machines.
Introduction to Vulnerability Scanning
Vulnerability scanning is a process that can be included as part of pen testing or can be performed entirely on its own. The purpose of this type of scan is to locate and identify vulnerabilities on a target and provide information to the initiator of the scan.
When performed properly and regularly, a vulnerability scan can provide valuable information about the security posture of an organization’s infrastructure, including its technical and management policies.
Many companies choose to use vulnerability scanners because they can readily identify many common security issues. This is done by checking coding, ports, and many other aspects of the targeted area to reveal any possible problems that an attacker may use to their advantage.
A vulnerability scanner is used by many legitimate users to find out if there is a possibility of being exploited and what needs to be done to reduce any threat.
At the same time, hackers use these scanners to know just where to attack. While vulnerability scanners tend to be used most often with programs, they can check an entire computer, networks, and virtual machines.
Hackers have many ways of sneaking into a computer; they can come in through weak coding, via an open port, or through a program with easy user access. To keep the possibility of being hacked to a minimum, companies use a vulnerability scanner.
The user may specify a target area, so the program scans just one part of the computer, sifting through everything within that area to reveal problems. Some programs can fix minor errors automatically, though most just report the problems.
The primary users of vulnerability scanner software are legitimate and are mostly businesses. Basic users tend to lack the knowledge to properly fix problems, so vulnerability scanners are usually not designed for them.
These programs are made more for businesses and large networks, where vulnerability can cause a direct loss of money or the loss of trade secrets, which can be costly.
Pentesters tend to find benefit with these utilities because they can reveal vulnerabilities that can be leveraged during their work and provide information for a report to the client.
A vulnerability scanner is most often used on custom programs or web applications—programs that involve many people working simultaneously—because these programs can present a security threat.
Vulnerability scanners also are made for whole computers, networks, ports, databases, and virtual machines. Some scanners are made to scan many different target areas, whereas some will just be able to check one aspect of a computer.
Recognizing the Limitations of Vulnerability Scanning
Vulnerability scanning has long been used as an old standby in the toolkit of the security professional. However, while it is a valuable tool and will continue to be an important part of the security pro’s toolkit, it also has its limitations, which you need to understand to properly apply the technology to its utmost.
Remember that vulnerabilities are an ongoing problem that can be mitigated, but constant reassessment needs to be done in order to make sure that any new issues that appear are dealt with in a timely fashion (and at the very least noted to keep track of the current security issues on the network).
Another important point to remember with these scanners is that an IT admin or security pro running scans with these tools should not be lulled into a false sense of security if their scans reveal no issues of concern.
Vulnerability scanners come in different forms, each able to perform a unique type of scan against a targeted system. At the low end, some scanners only include the ability to perform checks of a system’s configuration, including patches and software version information.
At the higher end, vulnerability scanners can include a wealth of powerful features such as advanced reporting, analysis features, and other helpful abilities.
No matter their feature set and overall capabilities, most scanners use a model similar to that of antimalware packages. In most cases, scanners rely on the use of a database of known vulnerabilities that must be regularly updated by downloading new versions of the database from the vendor’s website.
Much like getting a booster shot for tetanus, however, regular updates must be applied or the software will quickly lose its ability to detect newly emerging threats, increasing the risk of a security breach due to an undetected vulnerability being exploited. A scanner that goes without updates for a long period becomes essentially worthless.
A bigger issue still with scanners is that it is possible to get overconfident even with all current updates and other tasks done to keep the software up to date and current.
Some users of these packages believe that the results of a report represent all the vulnerabilities in an environment, and thus a report that is reviewed and addressed as required means that everything that can be done has been—but this is simply not the case.
In fact, vulnerability scanners only report on the items they have the ability to detect, which still leaves the chance for a lot of potential issues to be missed.
The situation is somewhat like believing that a walk around a building and looking for problems means you have found all potential vulnerabilities when this is not the case—in fact, you could have easily overlooked something.
Finally, another easy trap with scanners of this type is the belief that they only need to be run when a problem is mentioned in a news article or other source.
In fact, scans must be run regularly in order to properly catch problems as well as ensure that current measures are working to keep the environment working properly and safely.
Depending on which compliance mandates your company falls under, vulnerability scanning may need to be run on a set schedule and verified.
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that periodic vulnerability scans be performed, so any organization that stores, processes, or transmits credit card data is expected to perform vulnerability scans.
Outlining the Vulnerability
Vulnerability scanning is typically implemented as one of many tools to help an organization identify vulnerabilities on their network and computing devices. The results of the scan will help management make informed decisions regarding the security of their networks and the devices attached to them.
Vulnerability scanning can be used on either a small scale or a large scale, depending on the assets and systems that need to be assessed.
Although numerous tools are available that can provide insight into the vulnerabilities on a system, not all scanning tools have the same set of features. Each scanning tool may or may not cover the same list of vulnerabilities that another may assess.
As such, an organization should carefully choose which scanners they wish to use and then designate that the use of any other vulnerability scanner must be justified and approved prior to use.
Any scanning tool should be capable of assessing information systems from a central location and be able to provide remediation suggestions. It must also be able to assign a severity value to each vulnerability discovered based on the relative impact of the vulnerability to the affected unit.
Conducting a Periodic Assessment on Existing Devices
Ideally, each department should be required to conduct an assessment of its networked computing devices on a regular schedule. At the very least, every department should run fully authenticated scans on a set schedule (such as monthly or quarterly).
These scans should be tailored to assess the unique needs of their department and should be run against all assets that are within their own unique areas of control.
An example would be monthly scans required for the following networked computing devices:
Any computing devices that are known to contain sensitive data
Any computing devices that must meet specific regulatory requirements such as HIPAA
All file system images or virtual machine templates used as base images for building and deploying new workstations or servers
All devices that are used as servers or used for data storage
Any network infrastructure equipment
The approved vulnerability scanning tool must be used to conduct the scans unless otherwise authorized
Scans should always be performed (in most cases) with the business’s unique needs in mind. Keep in mind that vulnerability scans can and will slow down the network and the devices or applications they are tasked with assessing.
If scans are done during business hours, care should be taken to minimize the potential disruption that could be caused as a result of the scans. Scans should be conducted during off-peak hours, followed by a second scan to catch clients that were non-compliant or were shut down during the first scan.
The computing device or system administrators should not make changes to networked computing devices for the sole purpose of passing an assessment. Additionally, no devices connected to the network should be specifically configured to block vulnerability scans.
Vulnerabilities on networked computing devices should be addressed based on the results and the needs of the business. Keep in mind that not all the vulnerabilities revealed by the scanning engine need to be addressed.
Conducting a New System Assessment
No new system should be put into production until a vulnerability assessment has been conducted and vulnerabilities addressed.
Each department should be directed to conduct vulnerability assessments at these times:
Upon completion of the operating system installation and patching phase
Upon completion of the installation of any vendor-provided or in-house-developed application
Prior to moving the information system into production
Upon completion of an image or template designed for deployment of multiple devices
Upon delivery of vendor-provided information systems, prior to user acceptance testing, and again before moving into production
For new network infrastructure equipment, during the burn-in phase and prior to moving to production
At the completion of each of these vulnerability assessments, all discovered vulnerabilities must be documented and remediated.
Understanding What to Scan
Departments should not conduct intrusive scans of systems that are not under their direct control:
Departments are responsible for ensuring that vendor-owned equipment is limited in those vulnerabilities that can harm the enterprise.
The vendor must be informed and permitted to have staff on hand at the time of scans.
Vendors should not be permitted to conduct scans of information systems without the express permission of the department and management.
Networked computing devices that appear to be causing disruptive behavior on the network may be scanned using nonintrusive methods to investigate the source of the disruption.