1. Introduction: Denial of Service (DoS)
Learn what Denial of Service (DoS) is and countermeasure techniques to fight it as an Ethical Hacker.
The Denial of Service module delivers an in-depth analysis of the availability of information in the context of penetration testing, and specifically of Denial of Service attacks. It clearly articulates how the network relates to the business, and discusses the two types of attacks you’ll face: regular Denial of Service (DoS) and Distributed Denial of Service (DDoS). You’ll also learn the differences between the two and how to address each type of event.
Finally, you’ll learn countermeasure techniques for DoS attacks: when to apply a specific countermeasure, and how to determine what your most effective penetration testing strategies will be.
The topics explored in this Denial of Service module include:
- Whiteboard, which shows the interrelationship of all the basic components utilized in this module
- And the following Denial of Service labs:
Hi, Leo Dregier here. I want to talk about denial of service. So far within these penetration testing modules we have really focused our time on information being disclosed to us, and then a little bit about changing the integrity of our systems, but in the CIA triad we have to balance our confidentiality, integrity and availability. This is one of those special modules where we focus specifically on availability. A lot of people take this for granted, but ask any big company, Amazon, eBay or anybody who has gone through denial of service attacks in history, about the effects which they can have. Now there are two major types here: regular denial of service and distributed denial of service. Both of them focus on availability, but the biggest differentiating factor is that in a distributed denial of service attack you are basically using multiple computers to your advantage. We set up these robotic networks, and the more that we have out there the better off we are in the eyes of the attacker. Now, also in this module I want to point out that you really don’t want to go out on the internet and just start denial-of-servicing everybody. We have to act legally, we have to act ethically, we need to make sure we are doing the right thing. There are plenty of tools out there which we can use for distributed denial of service, but again we have to act responsibly and legally. We will follow up and finish up with countermeasures: what companies do to protect themselves, not only from simple availability attacks, but also how you deal with distributed denial of service style attacks, because the last thing you want is for your website to go down. More importantly, you don’t want your internal network to go down either. So let us go ahead and get into the details of distributed denial of service.
2. Framework
This whiteboard lecture covers the Denial of Service attack in detail. A Denial of Service, or DoS, attack is used to disrupt some legitimate activity (such as browsing the Web or email functionality). It is achieved by sending messages to the target machine that interfere with its operation.
Alright, in this module I want to talk about distributed denial of service. So let us check it out. The basic concept here is ultimately, no matter how you do it, to reduce someone’s network traffic or availability, restrict legitimate access to something, prevent an authorized user from getting access to something, or flood your target with an overwhelming number of requests, so that regular people or users cannot get access to what they need. So it is all rooted in the CIA triad availability section. So that is the basic concept here. Now the impact ultimately could result in a loss of goodwill. It could disable the network, either in part or completely, or in the worst case scenario disable the organization completely for a period of time, which ultimately would result in some sort of financial loss. So the major ways in which we can detect this are actively looking for signs of botnet style traffic and actively profiling your networks, and if you can find signs of that, hopefully prevent it before it happens. But if you can’t prevent it, well then your best bet is going to be to detect and correct as you go, or change point analysis. Change point analysis is when an attack comes in, let us say it comes in from a particular IP address. Well, if that IP address changes or it goes to another network, you need to be able to profile that my source is changing; the way into a change point means a change of the point from which they are coming in. So if you can profile that and see that they are bouncing around from network to network to network as they change IP addresses, well then you are tracking that change. Ultimately you are tracking the source, so that is called change point analysis. So distributed denial of service really has basically an architecture; let us map that all out. So over here you have the happy attacker, and they create handlers, or middlemen or middle computers as we say, ultimately to find zombies, or computers or people that don’t know what they are doing, to ultimately go attack a target.
So the sole job of the attacker is that you get a handful of handlers, which will then create as many zombies out there as we possibly can get. The more the merrier; this is where you really want to invite ten million of your closest friends to go attack a particular target through whatever technique. It would be some sort of software or an app in a store or something like that, but the attacker creates a handful of agents, the handlers distribute zombies and give the instructions to these zombies, and then all of a sudden the zombies rise and attack the target at a pre-determined time, and then the target is now the sad target over here which is getting an overwhelming number of requests coming in. So let us go ahead and look at different techniques that make these targets unhappy. One easy way is just to consume their bandwidth. Now in the days where we only had 56k worth of traffic, you could easily just consume this with a simple ping command. Nowadays, with bandwidth on our side, it is a little bit harder to do bandwidth, but there are still several choke points out there. So bandwidth is just one technique; other flooding techniques: the classic SYN flood, which is really a manipulation of the TCP three-way handshake. Detecting it from a defensive point of view, we want to detect fraudulent or commonly recurring handshakes and basically reset them or block them. But SYN flooding ultimately is a TCP protocol technique. If you can do it from a penetration testing point of view, if you can do it with SYN flooding, well maybe you can switch your protocol down to layer three, ICMP, and flood it with a large volume of ICMP traffic. When we ping something we send a type eight request and we get a type zero back: echo request and echo reply. Well, you can strategically manipulate the ICMP packet and send it to your destination. Overwhelm them with a larger volume of them, particularly coming from a variety of sources. It gets a little bit harder to detect; it is a little harder to defend against.
It is pretty easy to detect because you are just not going to have service. UDP flooding: again, switch your protocol again. It could happen from a peer-to-peer network. You could target a particular application. Protocols like HTTP or PHP have been known to be extremely vulnerable. Let us think about everybody trying to check out online at the same time. Something has got to give sooner or later. All other techniques: permanent techniques like flashing. Let us say there is a website out there where you get some update that is critical and you must download and install it, and now you have a piece of software on your system that is basically rendering it useless, which is really, really close to the next example, which is bricking a system. Let us say that I want to get root access to my Android phone. Well, if I install the wrong update, that could ultimately turn that phone into basically a useless brick, because once the firmware is toast, how are you going to repair it? Or sabotage, in some cases physical, in other places through software. Now we have got the basics of denial of service. Let us talk about some of the countermeasures. You could simply absorb it; I call this the “let us get punched in the face” attack. You are just going to stand there and see how much you can take. If you have got a robust network you just might be able to absorb it, but again I don’t recommend the “get punched in the face” attack. You could just allow your service to get degraded and maybe it would go away after time. One easy analogy which you can think about here is your automobile. If there was a problem with your automobile, what could you do? How could you deal with it? You could just absorb it when your tire goes over a nail and okay, we are just absorbing and keep driving, or if your car starts degrading in service, it is not running right, you just keep driving and let us hope it gets better. These are generally not good strategies.
You could eventually take your car and shut it down and get it towed to a shop. Networks are the same way: you could basically shut down your non-critical services and hope that there are just enough critical services to maintain being up and running. So you could shut down, you could try to actively find the botnets that are out there and neutralize them. You could deflect them: if an attack comes in, you deflect it and send the traffic somewhere else. If not, well then you are probably going to have to have a conversation about forensics, which is probably the last technique that you would want to apply, because if you are having a forensics conversation, one, it suggests criminal activity, and two, you are definitely in post mortem at this time. Keep your software up to date with the latest and greatest software and patches; good training and awareness. Don’t allow people to install software that they don’t trust from an unknown source. All of those best practices and awareness from a defensive point of view: you could just actively profile your traffic and see if there is any sort of botnet activity in terms of IP addresses or ports or websites, and perhaps block that in advance. Maybe detect spoofed addresses, since the attackers like to use middlemen or middle agents in between the attacker and the victim. Well, if you can analyze the traffic and see that there is a spoofed address, go ahead and block that. The most common way, in my opinion, is simply just really good inbound and outbound filtering, or ingress and egress filtering. Ingress meaning inbound, egress meaning outbound. You could use technologies like TCP Intercept, which is a commonly implemented technology. You could use load balancers or some sort of throttling technique to limit how many requests can come in at a particular time. It is kind of like what you call queueing or quality of service. You could harden the systems, which is reducing your surface area of attack.
So that if there is no surface area of attack, or a very limited one, well then you will get infected with a zombie. You could use encryption, things like WPHU; if you can protect what people can actually see and keep certain people out of your networks through just good encryption, whether it be wireless or on the network. Encryption is a great countermeasure all in all. Or you can use dedicated hardware, and there is a variety of vendors out there that specialize in distributed denial of service. So all in all this is what makes up distributed denial of service. Organizations have suffered a large amount of financial loss; ask any of the top victims of distributed denial of service, and I can tell you that this is not easy stuff to deal with, mostly because they get a lot of requests coming in from a lot of sources and they just can’t block or deal with the stuff fast enough. And I think it gives the penetration tester a couple of advantages, because there are a lot of middlemen or middle computers in between the source and the destination, but also because you are rendering the network organizations useless. So you have to be careful when you use a lot of these botnet style tools, because in many cases the tools themselves also make you part of the botnet. So this is, if you are going to use these tools, the disclaimer: you have to do it in an isolated environment. So you can see where the tools are, but we have to act responsibly, because the last thing you want to do is learn distributed denial of service and then find yourself also a victim or a member of a botnet at the same time. So let us go ahead and take a hands-on approach.
3. The hping3 tool
This Denial of Service lab discusses the advanced ping tool, hping3, and demonstrates how to use it. hping3 is a DoS tool.
Here it is used in conjunction with EtherApe to observe network traffic in “real time.” The significance of real-time observation, particularly in penetration testing, goes without saying.
Hey, Leo Dregier here. I want to show you a really, really cool tool which comes from the Hamster and Ferret suite, the classic sniffing, web application pen testing and session hijacking tools. So basically what I did is I copied the tools in the suite to the Windows system32 directory. This way I can just run the tool from the command prompt. So it is hamster, ferret, cascading style sheets and some JavaScript files. So let us open up the command prompt and type ferret. Once you do that, it will give you the syntax in which to actually use it, in this case ferret -i and the interface number, where the number is the interface to monitor. A real easy way to check this is to do an ipconfig in Windows, and basically they are in numerical order, so your local connection would be one, and the tunneling adapters and everything else would sequentially go to 3, 4, 5, etc. So we will clear the screen. Let us do it again: ferret, and then we are going to do ferret -i, and I am going to do it for my Ethernet interface and just hit enter here. Basically you can see it gives you a quick idea of ferret 1.2.0, the name of the company which made it, the actual build which it is; it is actually using the WinPcap traffic analysis and sniffing driver, which is just packet.dll, and the specific version. Now in the older days of Windows and hacking, pcap versioning mattered; for the most part I just install nowadays and whatever it is just seems to work. But that is based on the UNIX libpcap. It also says the device, so if I was curious, by guessing in the dark you could say 1 is the Intel network card that happened to be in the system, and it is sniffing on that interface. It is an Ethernet interface and it is seeing traffic. So what I am going to do basically is just open any webpage. We are just going to go to CNN.com and basically minimize that, and you will be able to see the flood of traffic that basically gets dumped as this captures and analyzes.
Now, there is not too much of interest in the fact that it is actually flooded, but what I would do is actually capture this stuff that is going through my terminal and basically redirect that to a static file where I could view it nicely and dissect it, and then I can search, because you see some basic stuff like HTTP traffic, and then the host, who that host is equal to in the URL, and again it is not in an easy format which we can look at or review or analyze, etc. So I would probably want to take the log file that I created by capturing into a file and then import it as comma separated values. I choose that because of all of these commas that I see here. So that is how I would store the information in the file, and once I have it in that format in a particular file, then I can import that with another program and actually be able to store all of the host fields, etc., or use Excel, where I could basically do some really good filtering a lot easier than you could with a text file anyway. But nonetheless you can see that just by opening the CNN home page, all sorts of stuff gets fired off, so you can see source addresses, names, all sorts of stuff in here. It is really going to take you a good half hour, 45 minutes, to really dig through this at least manually and start trying to make some sense out of what realistically is going on. But as I said, the value here is actually being able to filter this information. Ultimately you would be looking for things like this cookie that is here, and if you can determine some of the parameters in the cookies or anything that is stored on the client machines, etc. So that is it: ferret, the basic sniffing tool for application settings. And if you want to kind of go away from the command line stuff here and into realistically a GUI tool, I want you to understand the basics of ferret and the types of information that ferret collects. Then you can move over to Burp Suite and actually look at the stuff and not so command-prompt type away.
So that is it for this video. My name is Leo Dregier. Don’t forget to check us out on Facebook, LinkedIn, YouTube and Twitter.
4. Using LOIC
This Denial of Service lab presents LOIC, another highly effective DoS tool. In this lab, you’ll observe a demonstration of another attack on a virtual web server. With LOIC, you’ll also learn how to test bandwidth and assign specific ports to test a regular Denial of Service attack.
Hey, Leo Dregier here. I want to talk about Low Orbit Ion Cannon, or LOIC. This is a simple denial of service tool. Basically I have set it up to attack my virtual machine, 192.168.92.130. Once you get your URL and your IP address, you can go ahead and select “Lock on” and go ahead and enumerate basically your IP address here. Then you go to step two, “I am charging my laser”: go ahead and hit enter or click on the button, and basically you can see the floods going. Also you are going to want to check the ports and something like TCP, UDP or HTTP, and you can go and set the laser to fast or slower. So far in an internal environment that is isolated, if you want to test the bandwidth consumption here you obviously can, but keep in mind that when you actually run a tool like this, you have the significant potential of denial-of-servicing yourself on the network. So be very careful when you use a tool like this. So I am Leo Dregier, thanks for watching. This is Low Orbit Ion Cannon; it is a distributed, or rather regular, denial of service tool. Thanks for watching.