DoS and DDoS attacks. Part :- 2

In the last part, we saw what is DoS, DDoS and how it is performed. In this part, I am going to introduce you with the types of DoS or DDoS attacks. According to the way of exploitation, DoS attacks are classified into three groups:
1. Exploitation of Vulnerabilites in the TCP/IP protocols suite.
2. Exploitation of Vulnerabilites in the IPv4 implementation.
3. Exploitation with Brute-Force attacks.

This was classification according to way of exploitation. The another way of classification is used widely and very well known. It is classified on the basis of carrier or medium of attack. Before we go on to discuss the types of dos attacks, I recommend you having basic knowledge about networking, packets, protocols, types of packets, ports etc. If you are not familiar with this, you can go and prepare these basics nicely and then you can go ahead. Ok, once if you are comfortable with this, here we move ahead.

Types of DoS attacks:
1.Ping of Death:You must have heard about ping. When we ping a target, ICMP echo requests are sent to the target. Target responds with ICMP echo reply telling that it is up and running. This ping is used to diagnose networks and find what the problem is going on. But this simple ping command can also be destructive. Normal size of an ICMP ping packet is not more than 100 bytes. But in this type of attack, an ICMP ping packet is generated which is more than 65,536 bytes in size. This giant packet is sent to the target. The target cannot handle this much giant load in a single packet and it simply crashes. The command to generate ping packet with this much size is:
C:\windows>ping -l 65540 targethost
Where the numerical value is the size of the ICMP packet and 'targethost' is the address of the target whom you have to send this ping request. Please note that this doesn't work on all hosts as they have fixes for them.

2.Teardrop: When the data is transmitted from one system to another, the whole data is not sent in a single go. Data is broken down into packets. These packets carry the data from certain point to certain point. Means, if the data is 5000 bytes in size, First packet would carry data from 1 byte to 1000 byte. Second one would carry data from 1001 byte to 2000 byte and further. The information about 'from where to where' the packet is carrying the data is mentioned in its headers. This value in header is called offset. So, the overall structure looks like this:

Packet no.	Carrying data	Offset value
1	1-1000 bytes	1-1000
2	1001-2000 bytes	1001-2000
3	2001-3000 bytes	2001-3000
4	3001-4000 bytes	3001-4000
5	4001-5000 bytes	4001-5000

When the packets are received by the target, it reassembles the data from these packets by refering to offset field. Ok, now we will modify the offset value in each packet. Note down the difference in this table.

Packet no.	Carrying data	Offset value
1	1-1000 bytes	1-1500
2	1001-2000 bytes	1001-4000
3	2001-3000 bytes	2001-3000
4	3001-4000 bytes	3001-5000
5	4001-5000 bytes	4001-5000

Have you noticed the change? Offset value is changed. Computers just use this offset value to reassemble the data packets. What if any computer tries to reassembles such packets? Probably it won't be able to do that and it will get confused causing itself to crash.

3.SYN flood:You must be aware of TCP three way handshake. You can read about that here. So, here what attacker does, it sends a large number of SYN requests to the server. All these SYN packets have spoofed source address. The server tries to reply these addresses with SYN/ACK and waits for ACK. But, these spoofed addresses don't really exist! So, the server will keep waiting for their ACK which it won't get at all! By this way, server's capacity will be consumed by unnecessary connections which will never establish. This causes failure for other connections to the server. Other people won't be able to connect as the server is waiting for thousands of ACK replies which it is not going to get. The following requests will be kept in queue until the server gets any response from these! This causes timeout. Denial of Service happens here. People can't get access to the server. Servers may have to restart as there is going to be no response from thousands of half-established connections.

4.LAND attack: It is similar to SYN flood. But, in this case, the source IP is kept same as that of server! Means, both source address and destination addresses are same. The server tries to reply itself. This creates an infinite loop within the server. This causes itself to hand or crash. Server can't handle other requests. Please note that this doesn't work on all servers as they have fixes for them.

5.Smurf attack:This also exploits ICMP echo request and replies. What is done here, ICMP echo requests are sent to a large number of computers. Same as the upper cases, source address is spoofed. It is kept as the victim's IP. So, what will these large number of computers do, they will give out ICMP echo replies to that victim IP which was kept as source address. Now, the actual victim computer will start receiving so much ICMP echo replies. The victim computer didn't send a single ping request to any computer and it is getting so much of replies. This 'confusion' causes it to crash or hang.

6.Fraggle attack: This attack is nearly same as that of smurf. Except, it uses UDP instead of ICMP. This is also called 'UDP flooding'. All the process is same that of smurf. Fraggle attack exploits UDP echo and chargen services.

So, these were the types of DDoS attack. Please note that not all the types of attack will work on each server. Many of them have got solutions and fixes for most of these. Also, Dos attacks require very large bandwidth speed nearly 10mbps or above. Dos attacks are more powerful if the bandwidth is high. Therefore, they play good on LANS where this much speed is possible.
Here we arrive to the end of DoS and DDoS article which was divided in 2 sections. Hope you have liked it! have a nice day!...

DoS and DDoS attacks. Part :- 1

Dos attacks are on a rising scale now-a-days. DOS means denial of service. In this type of attack, target system is not actually 'hacked'. It is just flooded with overwhelming number of synchronization requests or something similar. Sometimes, specially crafted data (packets) is sent to the target system. These things cause the target system to crash, hang or reboot just because it can't handle that much connections or can't handle badly constructed data. Dos attacks don't 'steal' or take out any private information. What they do is just damage and force systems to reboot and cause nuisance. These attacks have solutions over them such as port blocking, protocol blocking, address blocking etc. They are possible to prevent because they are generated from only one machine. But what if it is generated from thousands of systems worldwide? This is one of the most dangerous upcoming concept called 'DDoS' (Distributed Denial of Service).

Before we go on to look what is ddos, I will give you an example of it. This is a story of a ghost. There was a ghost hunter who was giving troubles to a ghost. Once, the ghost managed to run away and started living on a tree. Some days passed away. The ghost now started attracting people towards that tree. Once they have arrived near that tree, the ghost used to bite them and from that moment, the people psycologically affected and used to be a slave of that monster after that. Like this, thousands of people were affected by the ghost. Now, they would listen only to that what their master ghost would say. Once the ghost ordered them, "go and kill that hunter at once!". Obeying the command, whole flock marched towards the hunter. Surprised hunter tried to remove effect of ghost on many of them. But they were in thousands. Hunter didn't get success. Hunter was killed by the people who were under the control of ghost.

So, what is the relation of this story with ddos attack? Can such things happen on internet? oh yes! They are happening! The ghost in this story is the actual main hacker. The hunter is playing the role of legetimiate websites like government websites, websites of federal agencies or educational systems. And who are the slaves of ghost? They can be any innocent pc users like anybody! So, how does this happen? Attacker, by using one of the various methods, gives out malicious programs to mass community. These malicious programs or malwares, once reached to any pc, they infect it. Due to this infection, the infected pc starts obeying commands that are coming from the attacker. These infected machines are known as 'zombies' or 'bots'. Once the attacker has control over thousands of such machines situated worldwide. He gives out command to all these zombies to lauch dos attack on a particular web server. The infected machines obey the rule and starts flooding the target. So, what will happen now? This would be preventable if the floods are coming from few machines. Server could block them. But here, the flood is coming from thousands of systems from worldwide. They can be form any country. How many such systems will the web-server block? Finally, same happens with them what happened with the hunter in that story. The have to be shutted down. Many programs running on server may be crashed causing a great loss. Case is even worse when the target is e-commerce website. They have to tremendously suffer from loss. The only outcome from such attacks is 'nuisance' and no 'benefit' for the attacker.

Phishing: what is it and how it is done

Phishing is one of the most easy to implement and mostly unpredictable for victims. Phishing is the word which rhymes with 'fishing'. Well, it is nearly same as what we do in fishing. Some kind of foodstuff is attached to one end of rope and it is dipped in water. Any unfortunate fish comes there and starts eating that foodstuff. At the same time, rope is pulled from other side causing fish to get trapped.
Same thing happens here. Attacker uses luring or some kind of technique to let the victim arrive in the fake environment. This environment is made such that victim believes that this is the original one. Please note that there may be slight difference between the original one and this duplicate one.
Anyways, the victim is asked to give private information here. It maybe in the form of login username-password or any other. The way of letting the victim give the information is not changed. So, the victim gives out sensitive information as they don't experience any change. As this is the duplicate one, the attacker has control over this virtual environment. As soon as the information is received, it is stored or conveyed to the attacker by one of the various ways. In the efficient traps, victim is redirected to original environement pretending the login was unsuccessful. Victim may also be authenticated to the original environment leaving no doubt in their mind. In some of the non-efficient traps, an error is shown to the victim or they are also told that 'we have received your private information. Thank you!' This may surely arise a doubt in victim's mind.
Phishing has a close relation with 'social engineering'. Social engineering is a process of pretending to be an authority, professional, needy or someone willing to help whom you can trust and give away private information for some of the reasons presented by the same. It is considered as easiest to perform as it requires little or no technical knowledge. Phishing and social engineering are very close concepts and are often implemented together.
Phishing should not be considered as any attack as it doesn't bypass any technical security. It is a part of hacking, but the word hacking should not be used instead of phishing as most of the people mistakenly consider hacking as defacing and disabling.
Phishing is just like stealing. Rather, it should be called as 'fooling by pretending'.
Other types of hacking such as buffer overflows, xss, sql injection may have any patches or solutions for them but phishing can't have any patch or fix as you cannot block each and every phishing site. Further, proxies are also there. Day by day, the use of web browsers is becoming the only medium between you and internet. Uploading, downloading, emailing, chatting etc. things are becoming web-based (some of them used to be software or telnet based like outlook and irc chat etc.). Therefore, cloning them and making phishing sites is also increasing. Phishing is very difficult to block from firewall or any such systems or softwares. The best way to detect phishing is by 'human'. But, it is also said that, "Humans are the weakest link in security chain".

Hacking : Defintion

You may think "whats special in this post". Yes, there is nothing special in this post. Actually, this post covers only the definition of hacking. Nothing else. But just the definition is not so simple. Try asking a common man, "what is hacking?". He may say that "breaking into systems","stealing information" or any such thing in one sentence. But, if you ask a hacker, what is hacking, he will surely get confused what to tell. Because, when you tell "hacking", they remember all types of attacks, processes, tricks, ways and intentions of doing it. It becomes difficult to relate those things and tell those things in order.
Two days before, I also passed from the same situation. Someone asked me, "Basically, what is hacking?". Too many points gushed in my mind but I was not able to cover all of them. This simple question may arise doubt if you are really a hacker or not. So, after that, I sat and taking into consideration all the types, ways etc. I managed to make a definition of hacking. It is not a simple sentence. It is divided into 5 sections. So, without waiting so much for that, here we go with definition.
(note: This may feel a little bit lawyer-like language, but I have no other alternative.)


Hacking is defined as
1. breaking into or gaining access to computers, networks, systems or accounts,
2. or/and rendering their services/processes down
3. with one of the various methods of interaction and attack
4. after which one can (not always) view,change,destroy,modify,damage,copy sensitive or insensitive data/information
5. with or without any intention of it.


So, this was primary definition of "hacking" according to me. But still there are other 5 points in the definition. You may consider them as "secondary points". Well, they are not this much necessary for the definition. But they are essential as a complete definition. Here we go with the other 5 points.



6. It may involve gaining the information about the target before hacking.
7. It may also involve successful or unsuccessful attempts to keep their access to compromised systems.
8. It may also involve successful or unsuccessful attempts to clear their tracks or evidences from the compromised systems.
9. It is considered as ethical if you are doing it with permission from the target in order to test (and improve) digital security of the same and are not going to fiddle with sensitive information/data after compromise.
10.It may also involve help from insider or outsider humans or systems (with or without their intention) which contributes to successful hacking attempt.

Please note that everyone may have different definitions of hacking. This one is good according to me. I have not copied this from any other source. This is made by my own.

© Vipul Chaskar, 2009.