cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
32325
Views
33
Helpful
5
Comments
Kureli Sankar
Cisco Employee
Cisco Employee

 

Denial of Service Attack:

DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to  its customers. When this attempt derives from a single host of the network, it constitutes a DoS attack. Meaning, when one computer and one internet connection is used to flood a server with packets, with the aim of overloading the targeted server’s bandwidth and resources, it is defined as DoS attack. Read here for mitigation techniques: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html

Distributed Denial of Service Attack:

It is  also possible that a lot of malicious hosts coordinate to flood the  victim with an abundance of attack packets, so that the attack  takes place simultaneously from multiple points. This type of attack is  called a Distributed DoS. DDoS attack, uses many devices and  multiple Internet connections, often distributed globally into what is referred to as a botnet. A DDoS attack is,  therefore, much harder to deflect, simply because there is no single attacker to defend  from, as the targeted resource will be flooded with requests from many hundreds and thousands of multiple sources. Read here for mitigation techniques:

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html

MAC Flood Attack

In a typical MAC flooding attack, a switch is fed many ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.

Read here for mitigation techniques: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

Evasive UDP

Land Attack

A land attack is a remote denial-of-service (DOS) attack caused by   sending a packet to a machine with the source host/port the same as the   destination host/port. Read here for mitigation techniques:https://supportforums.cisco.com/docs/DOC-14318

Ping Of Death

Triggers when a IP datagram is received with the  protocol field of the IP header set to 1(ICMP), the Last Fragment bit is  set, and (IP offset * 8) + (IP data length) > 65535 that is to say,  the IP offset (which represents the starting position of this fragment  in the original packet, and which is in 8 byte units) plus the rest of  the packet is greater than the maximum size for an IP packet.

Ping Sweep

A ping sweep consists of Internet Control Message Protocol (ICMP) Echo  requests sent to multiple hosts, this is done to determine which  machines are alive and which ones aren’t. Simply block ICMP request messages IN on the OUTSIDE interface of the firewall.

Random unreacable host

A DoS attack occurs when a stream of ICMP echo requests (pings) are broadcast to a destination subnet. The source addresses of these requests are falsified to be the source address of the target. For each request sent by the attacker, many hosts on the subnet will respond flooding the target and wasting bandwidth. The most common DoS attack is called a “smurf” attack, named after an executable program and is in the category of network-level attacks against hosts. DoS attacks can be easily detected when error-message logging of the ICMP Unreachable Destination Counters feature is enabled. Read here for mitigation techniques and other configuration: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/hticmpun.pdf

Reset Flood

Flood with spoofed source addresses, ports and FIN or RST flag on. If the  attacker guesses the sequence numbers, port combinations and source  address of an existing flow this flow will be terminated. Since there is  low probability for a successful guess, the attacker's goal is likely  to overwhelm network or end host with excess packets and the flag is  just there to bypass security systems that may block other packet types.

Smurf Attack

Sends PING request to a broadcast address, machines reply to the spoofed victim's address in the request. Read here for mitigation techniques: http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Fraggle attack

Fraggle attack  UDP variant of Smurf attack.Spoofed UDP packets are sent to broadcast  addresses to port 7 (echo port), replies go to the victim's address.

Syn Flood

Direct Attack

If attackers rapidly send SYN segments without spoofing their IP source address, we call this a direct attack. This method of attack is very easy to perform because it does not involve directly injecting or spoofing packets below the user level of the attacker's operating system. It can be performed by simply using many TCP connect() calls, for instance. To be effective, however, attackers must prevent their operating system from responding to the SYN-ACKs in any way, because any ACKs, RSTs, or Internet Control Message Protocol (ICMP) messages will allow the listener to move the TCB out of SYN-RECEIVED. This scenario can be accomplished through firewall rules that either filter outgoing packets to the listener (allowing only SYNs out), or filter incoming packets so that any SYN-ACKs are discarded before reaching the local TCP processing code.

 

When detected, this type of attack is very easy to defend against, because a simple firewall rule to block packets with the attacker's source IP address is all that is needed. This defense behavior can be automated, and such functions are available in off-the-shelf reactive firewalls.

Read here for mitigation techniques:

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

 

Spoofing-Based Attacks

Another form of SYN flooding attacks uses IP address spoofing, which might be considered more complex than the method used in a direct         attack, in that instead of merely manipulating local firewall rules, the attacker also needs to be able to form and inject raw IP packets with valid IP and TCP headers. Today, popular libraries exist to aid with raw packet formation and injection, so attacks based on spoofing are actually fairly easy.

 

For spoofing attacks, a primary consideration is address selection. If the attack is to succeed, the machines at the spoofed source addresses must not respond to the SYN-ACKs that are sent to them in any way. A very simple attacker might spoof only a single source address that it knows will not respond to the SYN-ACKs, either because no machine physically exists at the address presently, or because of some other property of the address or network configuration. Another option is to spoof many different source addresses, under the assumption that some percentage of the spoofed addresses will be unrespondent to the SYN-ACKs. This option is accomplished either by cycling through a list of source addresses that are known to be desirable for the purpose, or by generating addresses inside a subnet with similar properties.

 

If only a single source address is repetitively spoofed, this address is easy for the listener to detect and filter. In most cases a larger list of source addresses is used to make defense more difficult. In this case, the best defense is to block the spoofed packets as close to their source as possible.

Read here for mitigation techniques: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

TCP Port Scan

 


Reference Links besides Cisco:

http://www.isi.edu/~mirkovic/bench/attacks.html

http://www.incapsula.com/ddos/ddos-attacks/denial-of-service

Comments
timroth
Cisco Employee
Cisco Employee

Thanks for the awesome content. With the addition of the new modules in CTR, IE Stealthwatch cloud etc. Are there plans to update this module matrix? Thanks,  Tim

rkit
Level 1
Level 1

@Kureli Sankar The weblinks are dead.

Kureli Sankar
Cisco Employee
Cisco Employee

@rkit 

Thanks for letting me know.  We are working on updating this doc.

 

-Kureli

Allan001
Level 1
Level 1

Good morning @Kureli Sankar 

Please let us know when you will fix the broken links. I just tried to open the first URL on DoS, and it is not working. 

Thanks,

 

@Kureli Sankar Can you please share the updated DOC or link?

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: