DDOS - DOS ATTACK DIFF TYPES WITH DESCRIPTIONS

by MeSvAk - 08 February, 2020 - 11:31 AM
Buffer Overflow
A buffer overflow occurs when the amount of data written to a buffer exceeds the amount of memory reserved for it in system memory. The attacker can overwrite the application's control-flow data and execute his own code instead of the server's processes, thereby hijacking and taking control of the program.
ICMP Flood
In this method, by sending many Ping requests to the victim server, the attacker disrupts the target server's service. Suppose there are many hosts on one network and a large volume of ICMP requests arrives at the server, which will respond to all hosts on that network, causing the network switch to give out and eventually shutting down the server.
SYN Flood
A SYN flood occurs when a host sends a stream of TCP SYN packets with a fake source address. Each of these packets is treated as a connection request, which creates a half-open connection on the server: the server sends a TCP SYN-ACK packet and then waits for the sender's response (the ACK packet) that never arrives.
Or, in other words, sending many requests with the SYN flag set to the victim machine will cause the backlog queue to fill up. But what is a backlog? All requests that arrive at the machine with the SYN flag set are stored in a portion of memory until they are answered and the connection is established; this part of memory is called the backlog queue. When this part is filled due to too many requests, the server has to drop new requests and as a result is unable to handle them.
Teardrop Attacks
A Teardrop attack, by sending mangled IP fragments with overlapping offsets, creates a high load on the target server's network card. This is due to bugs in the network layers of the TCP/IP stack. The operating systems Windows 3.1, 95 and NT and Linux 2.0.32 and 2.1.63 are vulnerable to the attack. In September 2009 the attack was seen on Windows Vista, but that attack was on the SMB2 layer above the TCP layer. Using up-to-date operating systems and applying security updates plays a great role in preventing such attacks.
Or, in other words: in a Teardrop attack, data transmitted from one system to another is split into small pieces and reassembled on the target system. Each packet has an offset field indicating which part of the data the packet contains. This field, along with the sequence number, helps the destination system reassemble the packets. If packets are sent with overlapping offsets and in an irrelevant order, then on various operating systems, due to bugs in the packet reassembly code of the TCP/IP stack, the target system fails to sort them out and breaks down, eventually causing the system to crash.
Stable DOS Attacks
A permanent DOS attack is also known as phlashing. In this type of attack, a system is so severely damaged that it requires hardware replacement or reinstallation.
Application Floods
Various DOS-like exploits such as buffer overflows can confuse running software and fill up disk space or consume all the RAM or CPU time.
Nuke
This is one of the oldest DoS attack methods. By sending malformed Ping requests, it disables the network. One of the popular programs that performs this attack is WinNuke. This program uses weaknesses in the NetBIOS of Windows 95 to attack: by sending a string of data to port 139, it causes a blue screen in this version of the Windows operating system.
RU-Dead-Yet
This attack abuses the sessions that web applications hold pending for a request. Slowloris is a program that keeps most of a web server's sessions open for communication. RUDY disables the web server by sending requests with very large headers to these pending sessions.
Reset or RST attack
Packets sent with the RST flag cause the connection to be torn down. In fact, if machine A sends packets to machine B with the RST flag set, the connection request will be cleared from the backlog.
The attack can be used to disconnect two machines. In this way, the intruder cuts the connection between machine A and machine B by sending an RST request to machine B as if it came from machine A. In fact, inside the packet sent by the intruder to the victim, the client's IP is inserted, and then machine B, which is the server, removes machine A's connection from the backlog.
In this way, the attacker can, by means of a device, generate a fake IP and send his request to another machine. This technique is also called spoofing.
You can see in a bit more detail that the source IP (SourceIP) in the packet sent from the attacking machine to machine B is the same as the IP of machine A, whereas the IP of machine C is the one used by the intruder.
Land Attack
The attack uses the spoofing method to send packets to the server in which the source IP and port are set to the IP and port of the destination server machine itself.
In fact, the IP and port of the server machine are sent to the server itself. This creates an internal routing loop on older operating systems, which causes memory overload and a DOS condition.
The attack on Win 95 (Winsock 1.0), Cisco IOS 10.x machines and older systems caused the system to crash, but today all smart systems such as IDS are capable of detecting these attacks, and this attack no longer has a huge impact and does not affect the server's workflow.
[Image: 6.jpg] DOS and DDOS Attack Methods
Smurf Attack
These attacks, by sending ICMP requests to a range of amplifier IPs, cause the traffic to be amplified and result in a DOS attack. The attacker can spoof his ICMP requests so that they appear to come from the victim machine and send them to the amplifier IPs. Hundreds of ICMP replies are then sent to the victim machine for every request, increasing its traffic.
Amplifier: Any network that has not filtered ICMP requests to its IP broadcast address is considered an amplifier.
Attackers can send their requests to, for example, IPs such as 192.168.0.x where x can be 255, 223, 191, 159, 127, 95, 63, 31, 15, 7 or 3, i.e. broadcast IPs. It is worth noting, however, that the broadcast IP depends on how the network is subnetted.
The attack is a way to generate meaningful and annoying traffic on the victim's computer network. In this way the attacker drowns the victim's system by sending fake Ping messages: the attacker generates a large amount of ICMP echo traffic (ping) and sends it from anonymous and fake sources to the victim host. The result is an abundance of ping responses that overwhelm the victim system.
[Image: 7.jpg] DOS and DDOS Attack Methods
Ping Flood or Ping of Death attack
Throughout the 20th century, this method was one of the most popular DoS attacks, but today it is generally blocked and prevented. In this type of attack, the hacker tries to block the services or reduce their activity by sending Ping requests directly to the victim's computer. In this type of attack, the packet size is too large (above 64K), which is not allowed in Ping, so that the victim's computer is unable to handle the packets properly and is disrupted.
In this protocol, the file is initially split into packets, and after being sent to the destination computer, the packets are aggregated and the file is rebuilt on the destination computer. But the target operating system could not handle packets larger than the standard, which the attacker had deliberately made and sent, and would easily lock up, restart or even crash.
Trinoo attacks
Trinoo is essentially one of the Master/Slave programs that coordinate with each other for a UDP flood against the victim's computer. In a normal process, the following steps are taken to set up a Trinoo DDoS network.
[Image: 11-2.png] DOS and DDOS Attack Methods
Step One: The attacker compiles a list of systems that can be hacked, using a hacked host. Most of this process is done automatically by the hacked host. This host contains information on how to find other hosts to hack into.
Step Two: Once this list is ready, scripts are executed to hack them into Masters or Daemons. A master can control a few daemons. The daemons are hacked hosts that carry out the main UDP flood on the victim's machine.
Step Three: The DDoS attack occurs when the attacker sends a command to the master hosts. These masters instruct every daemon to launch a DoS attack against the IP address specified in the command, and a DDoS attack is formed by performing a large number of DoS attacks.
TFN / TFN2K attacks
The TFN (Tribal Flood Network, or Tribal Influence Network), like Trinoo, is essentially a Master/Slave attack in which a SYN flood is coordinated against the victim system. The TFN daemons are capable of performing much more varied attacks, including ICMP floods, SYN floods and Smurf attacks, so TFN is more complex than the Trinoo attack.
TFN2K has several advantages over the original TFN tool. TFN2K attacks are executed using spoofed IP addresses, making the source of the attack more difficult to detect. TFN2K attacks are not just simple floods like TFN; they also include attacks that exploit operating system security flaws with invalid and incomplete packets to crash victim systems. TFN2K attackers no longer need to execute commands by accessing the Client (instead of the Master in TFN) and can execute these commands remotely. Communication between Clients and Daemons is no longer limited to ICMP echo replies and can occur over various protocols such as TCP and UDP. So TFN2K is more dangerous and also more difficult to detect.
[Image: 12.jpg] DOS and DDOS Attack Methods
Stacheldraht attacks
The Stacheldraht code is very similar to Trinoo and TFN, but Stacheldraht allows encryption between the attacker and the masters (called Handlers); agents can upgrade their code automatically and can carry out various types of attacks such as ICMP floods, UDP floods and SYN floods.
[Image: 13-2.png] DOS and DDOS Attack Methods
Scanning for vulnerable systems
Random scanning: In this method the hacker scans a random IP address range and identifies vulnerable systems (by default IPv4).
Hit-list scanning: In this method, the attacker first collects a list of potentially vulnerable systems and then scans them. This method is used to scan and install malicious code in a short period of time (instead of blindly scanning the whole IPv4 space).
Topological scanning: This method is used to find other vulnerable systems from the infected system, taking into account the infected system's internal information such as URLs of other systems, emails, etc. The accuracy of this scan is fairly good.
Local subnet scanning: In this method, the hacker scans the local network systems behind the firewall, which can quickly create a large botnet army.
Permutation scanning: In this method the scanned IPs are permuted, and some of them may be re-scanned, randomly or in permuted order, since there is a possibility that a scan will not get a response the first time. It takes a lot of time.
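A defender-side illustration, added here and not part of MeSvAk's post: the packet sanity checks an IDS applies to the Land, Teardrop, Ping of Death and SYN flood patterns described above, run over constructed packet records. The record field names, the 8-byte fragment offset unit and the half-open threshold are assumptions.

```python
# Added example, not from the original post: defensive sanity checks of the kind an IDS
# applies to the Land, Teardrop, Ping of Death and SYN flood patterns described above.
# All packet records below are constructed, not captured traffic.
from collections import Counter

MAX_IP_DATAGRAM = 65535      # RFC 791 maximum total length of an IP datagram
HALF_OPEN_THRESHOLD = 100    # assumed tuning value for the SYN backlog alert


def is_land_packet(pkt):
    """Land: source and destination IP and port are identical."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def check_fragments(frags):
    """Inspect fragments of one IP datagram (same src, dst and IP id).
    'frag_off' is the header field in 8-byte units; 'payload_len' is in bytes.
    Returns sorted findings: 'teardrop' for overlapping fragments,
    'ping_of_death' if reassembly would exceed 65535 bytes."""
    findings = set()
    end_seen = 0
    for f in sorted(frags, key=lambda f: f["frag_off"]):
        start = f["frag_off"] * 8
        end = start + f["payload_len"]
        if start < end_seen:            # overlaps data already placed
            findings.add("teardrop")
        end_seen = max(end_seen, end)
        if end > MAX_IP_DATAGRAM:       # oversized reassembled datagram
            findings.add("ping_of_death")
    return sorted(findings)


def half_open_per_destination(tcp_pkts):
    """Count SYNs not yet completed by an ACK, keyed by (dst, dport).
    A count well above the normal backlog size suggests a SYN flood."""
    pending = Counter()
    for p in tcp_pkts:
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            pending[key] += 1
        elif p["flags"] == "A" and pending[key] > 0:
            pending[key] -= 1
    return {k: v for k, v in pending.items() if v > 0}


# Constructed sample records (RFC 1918 addresses, no real hosts)
LAND = {"src": "10.0.0.5", "dst": "10.0.0.5", "sport": 80, "dport": 80}
TEARDROP = [{"frag_off": 0, "payload_len": 36}, {"frag_off": 3, "payload_len": 24}]
POD = [{"frag_off": 0, "payload_len": 1480}, {"frag_off": 8189, "payload_len": 1480}]
FLOOD = [{"dst": "10.0.0.9", "dport": 80, "flags": "S"} for _ in range(150)]
```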
PsykoZ
Thanks man! Great info
angelcrack003
thanks....