CSE 363: Offensive Security - Denial of Service Attacks Study Notes

Goal:
- Harm the availability of service
- Strain software, hardware, or network links beyond their capacity
- Shut down or degrade service quality
- Note: Not always a result of malicious attacks (e.g., flash crowds, "Slashdot effect", "hug of death")
Motives for DoS Attacks:
- Protest/attention
- Financial gain/damage
- Revenge
- Extortion
- Evasion/diversion/cover

Estimated Annual E-commerce Revenue:
- Amazon: $115,879,000,000$
- Revenue loss per hour during downtime: $13,219,128$
- Walmart: $21,443,900,000$ (loss per hour: $2,446,272$ )
- Home Depot: $7,613,000,000$ (loss per hour: $868,464$ )
- Best Buy: $6,126,000,000$ (loss per hour: $698,832$ )
- Costco: $5,828,800,000$ (loss per hour: $664,920$ )
- Macy's: $6,108,500,000$ (loss per hour: $696,852$ )

Attack Source:
- Single source vs. Many sources
- Distributed Denial of Service (DDoS): More than one source leading to an attack
Types of Impact:
- Overload vs. Complete shutdown
- Degradation of service vs. total disabling of software or equipment
Consequences of DoS Attacks:
- Crash, restart, bricking, data loss, disk wipe, website defacement, etc.
Consumed Resources:
- Network bandwidth, CPU, memory, sockets, buffer, disk storage, battery, human time
Amplification Factor:
- Symmetric vs. Asymmetric attacks
- Examples: Broadcast addresses, large protocol responses, exponential propagation, etc.
Algorithmic Complexity Attacks:
- Induce worst-case behavior by triggering corner cases when processing input
Spoofing:
- Hide the true sources of the attack

Physical Layer:
- Wire cutting, equipment manipulation, physical destruction
- RF jamming, signal interference
Link Layer:
- MAC Flooding: Overload switch (CAM table exhaustion)
- ARP Poisoning: Insert erroneous MAC-IP mappings into caches
- DHCP Starvation: Consume all available addresses in the DHCP server
- WiFi Deauthentication: Force disconnection from access points

Purpose:
- Allow hosts to request configuration parameters (IP address, gateway, DNS server, etc.)
- Operates using UDP with no authentication
DHCP Exhaustion:
- Prevents clients from receiving IPs by consuming available addresses
- Relies on MAC address spoofing
Rogue DHCP Server:
- Provide incorrect information to clients
- Can lead to Man-in-the-Middle (MitM) attacks
Defenses:
- DHCP Snooping: Block bogus DHCP offers
- Dynamic ARP Inspection (DAI): Prevent ARP spoofing through validation

Mechanism:
- Send spoofed deauth frames to access points
- Disassociate clients from access points
- Clients may connect to malicious ("evil twin") access points
Tools:
- aireplay-ng, metasploit (deauth)
Auth Attacks:
- Flood access point with spoofed random addresses to exhaust resources

Flooding:
- Bombard target with network packets
Types of Attacks:
- Volumetric Attacks: Saturate available network bandwidth
- Packet Rate Attacks: Overload packet processing engines
IP Spoofing:
- Conceal attack source
- Limited applications due to filtering not universally deployed
Broadcast Amplification:
- One packet causes many responses
- Example: ICMP Smurf Attack

Mechanism:
- Attacker sends spoofed ICMP Echo requests to victim's broadcast address
- Victim is flooded with responses
Mitigation:
- Configure hosts not to respond to ECHO requests
- Configure routers to prevent forwarding packets to broadcast addresses

SYN Flooding:
- Flood server with SYN requests
- Causes resource exhaustion
- Source IP may be spoofed
- Involves connection termination via RST injection
Mitigation Techniques:
- Drop old half-open connections
- Implement SYN cookies

Concept:
- Reply to SYN packets without maintaining per-connection state
- Encode SYN queue entry state within a cookie
- Restore state based on legitimate ACK packets
- Default behavior in Ubuntu on SYN flood detection

Types of Terminations:
- FIN: Indicates sender is done, but can still receive data
- RST: Denotes both sending and receiving stops immediately
Impacts of RST Injection:
- Can be used for censorship, blocking unwanted traffic

Attacks on Application Layer:
- Connection flooding and reflection
- Exploit software vulnerabilities
- Algorithmic complexity attacks to exploit worst-case scenarios
- Spam as a form of resource attack

Definition:
- Overloading of communication networks with telephone calls
- Can occur through both malicious intent and accidental events
- Impacts emergency communication and response capabilities

Increase in DDoS attacks due to botnets
Use of compromised IoT devices for attack architecture (e.g., Mirai botnet)
Reports of record-breaking attack sizes (e.g., Cloudflare mitigated 5.6 Tbps attack)

Definition:
- Networks of compromised systems controlled by an attacker
- Can include PCs, mobile, and IoT devices
Challenges:
- Difficult to combat due to scale and volume of attacks
- Often rented through online markets

General Defenses:
- Packet filtering, capacity upgrading, etc.
- Development of asymmetry in cost-benefit analysis of attacks vs defenses
Technical Solutions:
- Ingress/egress filtering
- Use of content delivery networks (CDNs) and redundancy
- Explore overlay-based defensive systems

Understanding DoS and DDoS attack mechanisms is critical for cybersecurity.
Awareness and proactive mitigation strategies can limit the impact of such attacks.
Importance of continuing to develop and adapt defenses as the landscape evolves.