Denial of Service

Total Seminars • 500,000+ Enrollments
A free video tutorial from Total Seminars • 500,000+ Enrollments
Home of Mike Meyers and his Team of IT Certification Pros
4.6 instructor rating • 29 courses • 271,843 students

Lecture description

In this episode, Mike discusses attacks that prevent servers from providing their essential services.

Learn more from the full course

TOTAL: CompTIA Security+ Certification (SY0-501).

Everything you need to pass the CompTIA Security+ SY0-501 Exam, from Mike Meyers. CompTIA expert and bestselling author.

18:57:19 of on-demand video • Updated March 2020

  • This is a complete and comprehensive CompTIA Security+ Certification (SY0-501) course. It is designed to prepare you to be able to take and pass the exam to become CompTIA Security+ Certified.
  • Once you complete the course, you will have the knowledge and confidence to pass the CompTIA exam AND the skills to be a great IT security tech. This course is ideal as both a study tool and an on-the-job reference.
  • Your new skills and the CompTIA Security+ Certification will help you land a great IT security tech job. Or, if you are already a security tech, get that raise or advancement you are after.
English The big challenge to attacks is that once we discover an attack it's usually repaired or prevented or mitigated in some fashion fairly quickly. But there is one big exception to that probably the biggest attack problem we have today and that is a denial of service attack. A denial of service attack is designed to do one thing: to deny service. Imagine that you've got some type of server out there. It could be a web server, an e-mail server, a DNS server, I don't care what it is. The whole idea behind a denial of service attack is that you have so many people coming in to talk to that server that it can't take care of anybody else. So imagine you've got a little store and you've got a whole bunch of people trying to push in the front door. That is a denial of service attack. Now there are lots and lots of denial of service attacks out there. They've been around for close to 20 years. But I like to break them down into three big groups. The first one I'm going to call a volume attack. A volume attack is we're not really doing anything evil in terms of how we're talking to the server, we're just doing a lot of talking so the server can't help anybody else. The next type of denial of service attack is a protocol attack. A protocol attack does something with the underlying protocol. The Web HTTP protocol or a DNS protocol if you're talk to a DNS server. It does something not normally accepted to the protocol that causes the server to do weird things and keep it from answering quickly. The third type is what we call an application attack. An application attack works within the application conversation itself doing naughty things that keeps the application that that server is running from being able to respond in a timely fashion. So let's go and start off with the granddaddy of all: a good old volumetric attack. So here's my little network. I've got one server on this network and other computers doing something. Now one example of a volumetric attack would be a ping flood. In essence one or more the machines start sending pings to the server. Now the trick is is they just keep sending pings and they don't wait for a response. And that could overwhelm the server. Another example could be a UDP flood. In this case the attacking machine is sending out all kinds of strange UDP requests to all kinds of different ports on the server. So the server has to deal with all of these incoming requests and it has to respond back and that could overwhelm the machine. Now the volumetric attacks I just showed you are pretty much easily negated today. For one thing we're not going to let people from the outside try to fake these types of attacks. Routers are by definition designed to stop that type of stuff. However we can still see as we get a little bit more into this episode where we can still do volumetric attacks although we make them a little bit smarter than this. OK. So that's a volumetric attack. Remember a volumetric attack doesn't really do anything wrong it just does a lot of it. We're going to change that now with what's known as a protocol attack. So here we have our little server doing its server thing it could be a web server, a DNS server, again, I don't care. Now a protocol attack is going to do naughty things to the protocol to create confusion. So in this particular example we're going to create what's known as a SYN Flood or a TCP SYN Attack. Now in this particular case what we're talking about within a TCP/IP conversation is that the client will send a SYN and then the server sends back a SYN Ack. And this initiates conversation within TCP/IP. However what we're going to do with this case is we're going to have the client send out a SYN after a SYN after a SYN. Keep trying to make all these connections. Each one of these creates an extra connection to the server itself and the client never responds, no matter how many SYN Acks are sent back in response. This can clog the system up beautifully. Protocol attacks are still a huge problem out there when it comes to denial of service and they are arguably the most common form of denial of service attack out there. But there is another thing we can do. What we can also do is take advantage of problems within applications themselves. And let's go ahead and do an example of an application attack. OK. In this situation I've got an old copy of the very very popular Apache web server and we're going to take advantage of something within the application to do something naughty. And in this case we're going to do what's known as a Slow Loris Attack. The slow loris is named because loris is a slow animal and it just does things really slow. So what he's going to do is the client is going to initiate a conversation with the Apache web server and it'll get the conversation going. But then it just stops talking. And the poor Apache web server sitting there waiting for a response. In the meantime the attacker is sending out more conversations and just not talking back. And as a result of that the poor Apache server simply gets overwhelmed. Waiting for these clients to talk which never do. Now this is fairly easy to fix and later versions of Apache simply lowered their timeout value and slow loris is not nearly as big of a problem as it used to be. Now you can get in a lot more detail than simply the big three that I've broken down. For example one great thing we can do is what's known as amplification. Let me show you that in action. So here's my little web server again. Now in this case what we're going to do is what we call a Smurf attack. A Smurf attack is a great example of an amplification attack because it simply does this. We send in an ICMP packet into the network. Now what we do is that the attacker spoofs the Web site's IP address, so it sends out a broadcast into the network and then everybody in the network starts responding back, except they're responding back to the target. And that would be a great example where one packet being sent into a network can generate lots and lots of packets and that's amplification. Now of all the examples of denial of service I've shown you so far we basically only have one attacker. Now think about this for a minute. How hard would it be if we got a bunch of computers to work together to all attack one client? And that's really the big problem today. Distributed Denial of Service attacks. Let's take a look at DDoS. So here's that poor little server one more time. Now this time what we're going to do is we're going to attack that server but not with just one individual computer someplace. What we can do is add a bunch of computers to it and each one of these will start attacking. Now the problem here is that how do you do this? Well you could call your buddies up and you could all basically say go and start attacking simultaneously. But usually what we will do instead is we will create a form of malware that generates what we call a BotNet. Now in this situation all of these computers over here on the left have some form of malware on them and they're controlled by a single computer somewhere else. So these individual computers are called zombies and collectively all of these computers under the control of a single system are known as a BotNet. Distributed denial of service attacks are the nightmare of the Internet these days. the Internet these days. To give you an idea of just how bad DDoS attacks are, there are a number of Web sites from security companies that provide real time tracking of attacks as they are taking place and I just happen to have one of my favorites up right now. This is from Norse corporation. And you can actually see it has this pretty graphics showing who's attacking who right now. And you can see the attack origins you can see the types of attacks you can see who they're going after. And then you can actually see what's taking place in terms of the attack. For example you can see attack type and the port numbers that are actually being attacked in real time right now. DDoS is a huge issue today and it's something we've always got to watch out for. Make sure you're comfortable with the basic types of denial of service attacks because you're going to see it on the exam.