Denial-of-service attack

[Diagram: a DDoS attack using Stacheldraht.]

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS threats are also common in business,[1] and are sometimes responsible for website attacks.[2] The technique has also seen extensive use in online gaming, for example by server owners or disgruntled competitors against popular Minecraft servers. Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers.

Symptoms and manifestations

The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include:

Methods of attack

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

Low Orbit Ion Cannon

The software has inspired the creation of an independent JavaScript version called JS LOIC, as well as a LOIC-derived web version called Low Orbit Web Cannon. These enable a DoS from a web browser.[4]

Use

LOIC performs a denial-of-service (DoS) attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host.

Countermeasures

LOIC attacks are easily identified in system logs, and the attack can be traced back to the IP addresses used in the attack.[8]

Notable uses

Project Chanology and Operation Payback; Operation Megaupload.

Origin of name

The LOIC application is named after the ion cannon, a fictional weapon from many sci-fi works.[14]

Other implementations

Another implementation of LOIC, named LOIC++,[15] has been made to run natively on Linux.

Cross-site scripting

Background

Security on the web is based on a variety of mechanisms, including an underlying concept of trust known as the same-origin policy. This essentially states that if content from one site is granted permission to access resources on the system, then any content from that site will share these permissions, while content from another site will have to be granted permissions separately. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. XSS vulnerabilities have been reported and exploited since the 1990s.

Types

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent.

Non-persistent

A reflected attack is typically delivered via email or a neutral web site.

SQL injection

[Figure: a classification of SQL injection attack vectors as of 2010.]

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.[2]

History

The first public discussions of SQL injection started appearing around 1998;[3] for example, a 1998 article in Phrack Magazine.[4]

Form

SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project.[5] In 2013, SQLI was rated the number one attack on the OWASP top ten.[6] There are four main sub-classes of SQL injection:

Anonymous (group)

Anonymous (used as a mass noun) is a loosely associated international network of activist and hacktivist entities. A website nominally associated with the group describes it as "an internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites. Anonymous originated in 2003 on the imageboard 4chan, representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain.[3][4] Anonymous members (known as "Anons") can be distinguished in public by the wearing of stylised Guy Fawkes masks.[5] In its early form, the concept was adopted by a decentralized online community acting anonymously in a coordinated manner, usually toward a loosely self-agreed goal, and primarily focused on entertainment, or "lulz".

Internet Relay Chat

Internet Relay Chat (IRC) is an application layer protocol that facilitates transfer of messages in the form of text. The chat process works on a client/server model of networking. IRC clients are computer programs that a user can install on their system. Client software is available for every major operating system that supports Internet access.[6] As of April 2011, the top 100 IRC networks served more than half a million users at a time,[7] with hundreds of thousands of channels[7] operating on a total of roughly 1,500 servers[7] out of roughly 3,200 servers worldwide.[8] Over the past decade IRC usage has been declining: since 2003 it has lost 60% of its users (from 1 million to about 400,000 in 2014) and half of its channels (from half a million in 2003).[9]

Technical information

[Screenshots: HexChat, an IRC client for GTK environments; Xaric, a text-based IRC client, in use on Mac OS X.]

IRC is an open protocol that uses TCP[1] and, optionally, TLS.

Cold boot attack

Description

The attack has been demonstrated to be effective against full disk encryption schemes of various vendors and operating systems, even where a Trusted Platform Module (TPM) secure cryptoprocessor is used. This is because the problem is fundamentally a hardware issue (insecure memory) and not a software issue.

[Photo: compressed air cans can be improvised to cool memory modules, and thereby slow down the degradation of volatile memory.]

With certain memory modules, the time window for an attack can be extended to hours by cooling them with a refrigerant such as an inverted can of compressed air. This is not the only attack that allows encryption keys to be read from memory; for example, a DMA attack allows physical memory to be accessed via a 1394 DMA channel.

Mitigations

Dismounting encrypted disks

Most disk encryption systems overwrite their cached encryption keys as encrypted disks are dismounted.

DMA attack

A DMA attack is a type of side channel attack in computer security, in which an attacker can penetrate a computer or other device by exploiting the presence of high-speed expansion ports that permit Direct Memory Access (DMA). Preventing physical connections to such ports will prevent DMA attacks. On many computers, the connections implementing DMA can also be disabled within the BIOS or UEFI if unused, which, depending on the device, can nullify or reduce the potential for this type of exploit.

Description

In modern operating systems, non-system (i.e. user-mode) applications are prevented from accessing any memory locations not explicitly authorized by the virtual memory controller (called the Memory Management Unit, or MMU).

Uses

An attacker could, for example, use a social engineering attack and send a "lucky winner" a rogue Thunderbolt device. There is a special tool called Inception for this attack, requiring only a machine with an expansion port susceptible to this attack.

Ping flood

A flood ping can also be used as a diagnostic for network packet loss and throughput issues.[1]

SYN flood

[Diagram: a normal connection between a user (Alice) and a server; the three-way handshake is correctly performed.]

[Diagram: SYN flood. The attacker (Mallory) sends several packets but does not send the "ACK" back to the server. The connections are hence half-open and consume server resources.]

Technical details

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK code.

Countermeasures

There are a number of well-known countermeasures listed in RFC 4987, including:

- Filtering
- Increasing backlog
- Reducing the SYN-RECEIVED timer
- Recycling the oldest half-open TCP
- SYN cache
- SYN cookies
- Hybrid approaches
- Firewalls and proxies

Smurf attack

The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

History

In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they would respond to ICMP requests sent to broadcast addresses).

Mitigation

The fix is two-fold:

- Configure individual hosts and routers to not respond to ICMP requests or broadcasts; or
- Configure routers to not forward packets directed to broadcast addresses.

UDP flood attack

When a UDP packet arrives at one of its ports, the receiving host will:

- Check for the application listening at that port;
- See that no application listens at that port;
- Reply with an ICMP Destination Unreachable packet.

Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent. Software such as Low Orbit Ion Cannon and UDP Unicorn can be used to perform UDP flooding attacks.

DigiNotar

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International.[1] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[2] That same month, the company was declared bankrupt.[3] An investigation into the hacking by the Dutch-government-appointed Fox-IT consultancy identified 300,000 Iranian Gmail users as the main target of the hack (targeted subsequently using man-in-the-middle attacks), and suspected that the Iranian government was behind the hack.[4] While nobody has been charged with the break-in and compromise of the certificates (as of 2013), cryptographer Bruce Schneier says the attack may have been "either the work of the NSA, or exploited by the NSA".

Company

DigiNotar's main activity was as a Certificate Authority, issuing two types of certificate.
