1 of 25

DDOS Attacks: The Rundown

Group A: Joshua Petree, Wiley Allgood, Samuel Royce, James Francois, Jordan Griggs

April 14th, 2022

LIS4777, Dr. Shuyuan Metcalfe

2 of 25

Project Significance

  • DDoS attacks
    • Popular, yet serious type of attack
    • Responsible for some of the biggest attacks
  • Overview of study
    • Identify the network (SECNET) and its topology
    • Go over the types of DDoS attacks we studied
    • Locate vulnerabilities and patch them
  • Five DDoS attack types: Slowloris, SYN flood, ICMP flood, NTP amplification, and HTTP flood

3 of 25

Network Environment Topology

4 of 25

HTTP Flooding

  • Common DDoS that is difficult to mitigate
    • Occurs on Layer 7 (Application Layer)
      • Easier to mimic legitimate traffic on this layer as it is the most accessible
  • Volumetric attack
  • Executed by overloading an HTTP server with requests, rendering it useless because it cannot handle the volume of traffic
  • Purpose is to obstruct a user's ability to access the attacked resource by overloading the server, typically by means of a botnet
  • Two types of HTTP flood attacks
    • HTTP GET flood
      • Simpler to create
      • Usually carried out with botnets, as a large scale is needed to be effective
    • HTTP POST flood
      • More effective for the resources spent
      • Can trigger complex server-side processing

5 of 25

HTTP Flood Demo

  • Flooding the local host (127.0.0.1) with HTTP GET requests
  • Used:
    • Wireshark
    • LOIC
  • Entered 127.0.0.1 into LOIC
  • Specified an HTTP attack
  • Locked in
  • Confirmed the attack in Wireshark on the loopback interface (lo), which carries the local web server's traffic

6 of 25

Defending against HTTP Flooding

  • The last slide highlighted the difficulty in mitigating HTTP flooding, so how does one defend against it?
  • A server can employ tactics to identify whether or not it is dealing with bots
    • CAPTCHA
      • “a program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites”
      • Users type in the letters or identify the pictures they see to verify that they are human
    • Firewall
      • Firewalls can be employed to identify and block malicious traffic

7 of 25

NTP Amplification

  • Amplification: send packets to a different server, which then sends boosted (much larger) traffic on to the target
  • NTP: Network Time Protocol; used to sync time across networked systems
  • Attack effects
    • Compromises the time system
    • Can cause system and vital process failures
    • Could potentially bring down a network

8 of 25

Attacking with NTP Amplification

  • Target: NTP server
  • Method
    • Send UDP NTP packets to the server
    • Amplify to increase effectiveness
  • Tools used
    • NTPDoser (open-source tool)
    • Wireshark (monitoring)
    • Kali Linux (attack OS)
  • Run the command with preset parameters in NTPDoser from Kali's terminal
  • Monitor and verify the packets sent with Wireshark

9 of 25

10 of 25

Defending from NTP Amplification

  • Two main methods
    • Disable monlist
      • A function that returns monitoring information about the traffic the server has seen
      • The sole cause of the amplification
    • Enable firewall rules
      • Alternative method
      • Potentially problematic
  • Both solutions are easy to implement
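
A detection-side view of the monlist problem, as an added example that is not part of the slides: parse NTP mode-7 packets, flag the monlist request codes (20 and 42 in ntpd's ntp_request.h), and measure how many response bytes each small request produced. The packet list and its sizes are constructed sample data.

```python
from collections import defaultdict

REQ_MON_GETLIST = 20       # request codes from ntpd's ntp_request.h
REQ_MON_GETLIST_1 = 42
MODE_PRIVATE = 7           # NTP mode 7: ntpdc's implementation-specific control messages

def parse_mode7(payload: bytes):
    """Return (is_response, request_code) for an NTP mode-7 packet, else None."""
    if len(payload) < 4:
        return None
    rm_vn_mode, _auth_seq, _impl, req_code = payload[:4]
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return bool(rm_vn_mode & 0x80), req_code

def is_monlist(payload: bytes) -> bool:
    parsed = parse_mode7(payload)
    return parsed is not None and parsed[1] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1)

def amplification_report(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns
    {(victim, ntp_server): (request_bytes, response_bytes, factor)}."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        if not is_monlist(payload):
            continue
        is_response, _ = parse_mode7(payload)
        if is_response:     # server -> victim: key on (victim, server)
            resp[(dst, src)] += len(payload)
        else:               # (spoofed) victim -> server
            req[(src, dst)] += len(payload)
    report = {}
    for flow in set(req) | set(resp):
        r, a = req[flow], resp[flow]
        report[flow] = (r, a, round(a / r, 1) if r else float("inf"))
    return report

# Constructed sample: an 8-byte monlist probe (header bytes 17 00 03 2a) sent
# with the victim's address as source, answered by six 440-byte mode-7 responses
# (first byte 0xd7: response and "more" bits set). Sizes are illustrative.
MONLIST_REQUEST = bytes.fromhex("1700032a") + bytes(4)
MONLIST_RESPONSE = bytes.fromhex("d700032a") + bytes(436)
SAMPLE = [("203.0.113.5", "198.51.100.10", MONLIST_REQUEST)] + \
         [("198.51.100.10", "203.0.113.5", MONLIST_RESPONSE)] * 6

if __name__ == "__main__":
    for (victim, server), (r, a, f) in amplification_report(SAMPLE).items():
        print(f"{server} -> {victim}: {r} B in, {a} B out, x{f}")
```

Any mode-7 traffic at all leaving an NTP server is worth an alert once monlist has been disabled, since nothing legitimate should still be asking for it.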

11 of 25

12 of 25

Attacking With ICMP (Ping) Flooding

  • Target: router's IP address
  • Method
    • Send ICMP Echo requests
    • Sending more increases effectiveness
  • Tools used
    • hping3 (attack tool)
    • Kali Linux (OS used)
    • Wireshark (verifies traffic to the IP address)
  • Invoke hping3 from the Kali VM command line with the target IP address to start the attack
  • Use Wireshark to confirm that traffic is flowing between the IP addresses.

13 of 25

14 of 25

Defending from ICMP (Ping) Flooding

Defense Methods

  • Firewall Configuration
    • Configuring your firewall to block ICMP pings from entering your network.
  • Router Filters
    • Adding filters to your router to detect when data packets are coming from an unknown source.
  • Network Monitoring Software
    • A form of added security that can protect your computer from ICMP floods

15 of 25

16 of 25

Attacking with Slowloris

OSI Model Layer: Application Layer 7

Target:

  • Web Server
  • Single Computer

Method:

  • Utilises HTTP Requests and keeps connections open for as long as possible

Tools Used:

  • Kali Linux (operating system)
  • Slowloris command-line tool (open source)
  • Wireshark (monitoring)

17 of 25

18 of 25

Defending Against Slowloris

Prevention Methods:

  • Fail2ban IDS
  • Increase the maximum number of clients the web server will allow
  • Add time restraints to clients
  • Make use of Apache modules (Apache 2.2.15 includes mod_reqtimeout, which is a popular defense mechanism)
  • Firewalls, reverse proxies, and content switches also help
  • P.S. You have all defended against Slowloris; you just might not have known it!
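
Why mod_reqtimeout stops Slowloris, as an added example that is not part of the slides or of Apache's code: a small model of the documented `RequestReadTimeout header=20-40,MinRate=500` policy (20 s to finish the headers, one extra second per 500 bytes received, never beyond 40 s) run against a constructed normal request and a constructed slow-header connection. The fractional accrual of extra time per byte is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass
class HeaderTimeout:
    """Model of RequestReadTimeout header=<initial>-<maximum>,MinRate=<bytes>."""
    initial: float = 20.0   # seconds the client gets before sending anything
    maximum: float = 40.0   # hard ceiling on total header-read time
    min_rate: int = 500     # every min_rate bytes received buys one extra second

    def accept_headers(self, chunks):
        """chunks: list of (arrival_time_s, bytes). Returns (completed, time):
        True and the completion time, or False and the deadline that was missed."""
        deadline, received = self.initial, b""
        for t, data in chunks:
            if t > deadline:
                return False, deadline          # connection dropped here
            received += data
            deadline = min(self.maximum, deadline + len(data) / self.min_rate)
            if received.endswith(b"\r\n\r\n"):  # blank line ends the headers
                return True, t
        return False, deadline                  # headers never finished

# Constructed legitimate request: complete headers in one segment at 0.1 s.
NORMAL = [(0.1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl\r\n\r\n")]

# Constructed Slowloris-style connection: a partial request, then one bogus
# header line every 15 s and never the terminating blank line.
SLOW = [(0.1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")] + \
       [(0.1 + 15 * i, b"X-a: b\r\n") for i in range(1, 20)]

def classify(chunks, policy=HeaderTimeout()):
    ok, when = policy.accept_headers(chunks)
    return "served" if ok else f"dropped at {when:.1f}s"

if __name__ == "__main__":
    print("normal:", classify(NORMAL))   # served
    print("slow:  ", classify(SLOW))     # dropped at 20.1s
```

Without such a limit the slow connection would sit in the worker pool for as long as the attacker keeps sending a header line, which is exactly the resource Slowloris exhausts.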

19 of 25

20 of 25

Attacking with SYN Flooding

Method/Target:

  • Overwhelm the TCP/IP handshake with many connection requests that cannot be validated and are left half-open
  • Hogs processing power, stopping legitimate traffic on the network
  • Simple and common attack type

Tools:

  • Used Metasploit Framework in Kali unsuccessfully
  • Used hping3 in Kali unsuccessfully on other teams' VMs
  • Used it successfully for demo purposes on a spare Windows VM
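
The half-open connections this attack leaves behind are also what a defender looks for; as an added example that is not part of the slides, this tracks TCP handshake state per connection from a packet list and reports clients with many unfinished handshakes. The packets and addresses are constructed.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10      # TCP flag bits

def half_open_report(packets, min_half_open=5):
    """packets: iterable of (time_s, src_ip, src_port, dst_ip, dst_port, flags).
    Returns {client_ip: count} for clients that left at least min_half_open
    handshakes unfinished (SYN sent, SYN-ACK answered, final ACK never seen)."""
    state = {}   # (client, cport, server, sport) -> "syn" | "synack" | "open"
    for _t, src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:        # client -> server: SYN
            state[(src, sport, dst, dport)] = "syn"
        elif flags & SYN and flags & ACK:          # server -> client: SYN-ACK
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags & ACK:                          # client -> server: final ACK
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "open"
    counts = defaultdict(int)
    for (client, _cport, _server, _sport), st in state.items():
        if st != "open":
            counts[client] += 1
    return {ip: n for ip, n in counts.items() if n >= min_half_open}

def build_sample():
    """Constructed capture: one normal client completing its handshake and one
    flooder sending 50 SYNs from consecutive ports and never finishing any."""
    server = "192.0.2.10"
    pkts = [(0.00, "192.0.2.50", 40000, server, 80, SYN),
            (0.01, server, 80, "192.0.2.50", 40000, SYN | ACK),
            (0.02, "192.0.2.50", 40000, server, 80, ACK)]
    for i in range(50):
        t, port = 1.0 + i / 1000, 50000 + i
        pkts.append((t, "192.0.2.200", port, server, 80, SYN))
        pkts.append((t + 0.0005, server, 80, "192.0.2.200", port, SYN | ACK))
    return pkts

if __name__ == "__main__":
    print(half_open_report(build_sample()))   # {'192.0.2.200': 50}
```

A flood from spoofed source addresses spreads the count across many clients, so in that case tally unfinished handshakes per server port rather than per client.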

21 of 25

22 of 25

Defending from SYN Flooding

Prevention Method:

  • Created a rule on our main Palo Alto firewall, at 192.168.74.111
  • This rule blocks many forms of DDoS attack and also specifically blocks SYN flooding attacks

23 of 25

24 of 25

Counting Our Assets

  • Good news: most systems stayed intact!
    • Windows and Ubuntu systems stayed intact
  • Bad news: our web servers were compromised
    • Not behind the PAFW
    • SSH brute force was used
    • Systems were falsely believed to be protected by the PAN firewall
    • Issue was eventually fixed

25 of 25

Lessons Learned and Conclusion

  • Lessons learned
    • Don't assume that something is secured
    • Understand what you work with beforehand
  • Attacks were overall successful
  • Defense tactics were effective; some could be implemented more thoroughly
  • Team has a greater understanding of DDoS and its capabilities