DDOS Interview Questions

Question
What is a DoS or DDoS attack?
Answer
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users: an explicit attempt by an attacker to prevent legitimate users of a service from using that service. There are two general forms of DoS attack: those that crash a service (for example by sending malformed input that triggers a bug in the server) and those that flood a service with more packets or requests than it can handle. A distributed denial-of-service (DDoS) attack is one in which many systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The flooding systems are typically compromised machines under the attacker's control (a botnet). When the server's connection table or link bandwidth is exhausted, new connections from legitimate users can no longer be accepted.
 
Question
What security measures can be taken to avoid such attacks?
Answer
DDoS mitigation is the set of techniques for resisting distributed denial-of-service attacks against networks attached to the Internet by protecting the target and the relay networks. Traffic addressed to the attacked network is passed through high-capacity networks with "traffic scrubbing" filters before it reaches the target. Mitigation depends on correctly classifying incoming traffic so that human users can be separated from human-like bots and hijacked browsers. This is done by comparing traffic against known attack signatures and examining different attributes of the traffic, including source IP addresses (and their reputation), cookie behaviour, HTTP headers, and JavaScript footprints (whether the client executes a challenge script the way a browser would). Manual DDoS mitigation is no longer recommended, because attackers adapt faster than an operator can activate filters by hand; best practice is to combine automated anti-DDoS technology with an anti-DDoS emergency response service. Mitigation is available from cloud-based providers or as on-premises appliances. The advantages of an on-premises deployment are:

Control: with the DDoS defense on-site, the security team has full control, with instant response and reporting.
Vendor selection: an on-premises deployment lets the security team select the specific DDoS appliance.
Independence: full independence from the Internet service provider (ISP), including the flexibility to use multiple ISPs.

The limitation of an on-premises appliance is that it cannot help once the attack volume saturates the upstream link; volumetric attacks above link capacity have to be absorbed by the ISP or by a cloud scrubbing provider.
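The classification step described above, as an added Python example (not code from the original page or from any scrubbing vendor): a minimal scrubber that drops on signature matches (an IP blocklist and known flood-tool User-Agents), passes clients that carry a valid JavaScript-challenge cookie bound to their source IP, serves the challenge to browser-like clients that lack one, and drops clients that keep sending without ever earning a cookie. The key, header list, User-Agent signatures and the traffic mix are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Key the scrubbing layer uses to sign challenge cookies. Constructed for this
# example; a real deployment rotates it and keeps it out of source control.
CHALLENGE_KEY = b"example-scrubber-key"

# Headers a real browser sends with practically every request; their absence
# is one of the "different attributes" a scrubber weighs.
BROWSER_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")

# Constructed User-Agent signatures for flood tools and scripted clients.
BAD_UA_SIGNATURES = ("LOIC", "HULK", "python-requests")


def challenge_cookie(client_ip: str) -> str:
    """Value of the 'scrub' cookie issued after a client runs the JS challenge.
    Binding it to the source IP stops one bot from replaying another's cookie."""
    return hmac.new(CHALLENGE_KEY, client_ip.encode(), hashlib.sha256).hexdigest()


def cookie_is_valid(client_ip: str, cookie: str) -> bool:
    return bool(cookie) and hmac.compare_digest(cookie, challenge_cookie(client_ip))


class Scrubber:
    """Per-request verdict (pass / challenge / drop), as a scrubbing center gives."""

    def __init__(self, blocklist, max_unverified_per_ip=5):
        self.blocklist = set(blocklist)        # IP reputation "signatures"
        self.max_unverified = max_unverified_per_ip
        self.unverified = defaultdict(int)     # requests per IP lacking a valid cookie

    def decide(self, req: dict) -> str:
        ip, headers = req["ip"], req["headers"]
        cookies = req.get("cookies", {})
        if ip in self.blocklist:
            return "drop"                      # signature match: no further analysis
        ua = headers.get("User-Agent", "")
        if any(sig in ua for sig in BAD_UA_SIGNATURES):
            return "drop"
        # A valid challenge cookie proves this IP executed our JavaScript.
        if cookie_is_valid(ip, cookies.get("scrub", "")):
            return "pass"
        # Unverified client: budget its requests. A hijacked browser replaying
        # requests (or a stolen cookie) burns through the budget and is dropped.
        self.unverified[ip] += 1
        if self.unverified[ip] > self.max_unverified:
            return "drop"
        # Browser-like header set: serve the JS challenge so it can earn a cookie.
        if all(h in headers for h in BROWSER_HEADERS):
            return "challenge"
        # Missing headers every browser sends: a simple bot that will not run JS.
        return "drop"


def run_sample() -> dict:
    """Constructed traffic mix run through the scrubber; returns the verdicts."""
    scrubber = Scrubber(blocklist={"203.0.113.9"})
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
               "Accept": "text/html", "Accept-Language": "en-US",
               "Accept-Encoding": "gzip"}
    verified = {"ip": "198.51.100.7", "headers": browser,
                "cookies": {"scrub": challenge_cookie("198.51.100.7")}}
    fresh = {"ip": "198.51.100.8", "headers": browser}
    tool = {"ip": "192.0.2.5", "headers": {"User-Agent": "python-requests/2.31"}}
    listed = {"ip": "203.0.113.9", "headers": browser}
    # Hijacked browser replaying requests with a cookie stolen from 198.51.100.7.
    replayed = {"ip": "192.0.2.6", "headers": browser,
                "cookies": {"scrub": challenge_cookie("198.51.100.7")}}
    return {
        "verified": scrubber.decide(verified),
        "fresh": scrubber.decide(fresh),
        "tool": scrubber.decide(tool),
        "listed": scrubber.decide(listed),
        "replayed": [scrubber.decide(replayed) for _ in range(7)],
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:9s} -> {verdict}")
```

The replayed client shows why the cookie is bound to the source address: the stolen cookie is rejected, the client is treated as unverified, and after five challenges it is dropped outright, while the legitimate client that passed the challenge is never slowed down.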
 
Question
 
Which tool is best suited to counter DDoS in a banking environment?
Answer
 
There are a few market leaders providing DDoS protection: Arbor Networks (now part of NETSCOUT), Tata Communications, Akamai, Neustar, and Prolexic (acquired by Akamai in 2014). For the banking sector, Akamai (with Prolexic) would be the best solution.
 
Question
 
How does an attacker carry out a DDoS attack?
Answer
Building and using a DDoS attack network proceeds in phases:

Recruit phase: the attacker scans remote machines looking for security holes that will allow them to be broken into.
Exploit phase: after vulnerable hosts are discovered, the security holes on those machines are exploited to gain control of them.
Inject phase: malicious code (the bot or agent software) is inserted into the compromised hosts so that they can be controlled remotely.
Use phase: the infected machines are used to infect further machines and, on the attacker's command, to send attack traffic at the victim.
 
Question
What techniques do advanced firewalls use to protect against DoS/DDoS?
 
Answer
Firewalls can be configured with simple rules to allow or deny protocols, ports, or IP addresses. For a simple attack coming from a small number of unusual IP addresses, a rule that drops (denies) all incoming traffic from those addresses is enough. More complex attacks are hard to block with simple rules: if there is an ongoing attack on port 80 (the web service), all incoming traffic on that port cannot be dropped, because doing so would also prevent the server from serving legitimate clients. Firewalls may also sit too deep in the network hierarchy: routers and the upstream link can be saturated before the traffic ever reaches the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding attacks from machines behind the firewall (egress filtering). Some stateful firewalls, such as OpenBSD's packet filter (pf, also available on the other BSDs), can act as a proxy for TCP connections: the firewall completes the three-way handshake with the client itself and only then opens the connection to the destination, instead of simply forwarding the SYN. In pf this is called "synproxy". Because spoofed SYNs never complete the handshake, the server never sees them, which defeats SYN floods; combined with per-source rate limits the same mechanism addresses other rate-based attacks, such as ICMP floods.
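The two mechanisms in this answer, handshake proxying and per-source rate limiting, as an added Python simulation (not code from the page, from pf, or from any firewall vendor): the proxy answers every SYN with a SYN-ACK whose initial sequence number is an HMAC of the 4-tuple and a time slot, keeps no state for it, and hands a connection to the server only when the client's ACK carries that cookie plus one. A token bucket per source caps how many SYNs one host may send. The secret, addresses, rates and the packet stream are constructed for the example; a real synproxy works on raw TCP segments, not on the dicts used here.

```python
import hashlib
import hmac
from collections import defaultdict

# Secret mixed into the cookie ISN. Constructed for this example; rotate it in practice.
COOKIE_SECRET = b"synproxy-example-secret"


def syn_cookie(src, sport, dst, dport, slot) -> int:
    """Initial sequence number derived from the 4-tuple and a time slot, so the
    proxy stores nothing for SYNs that are never answered (the SYN cookie idea)."""
    msg = f"{src}:{sport}->{dst}:{dport}@{slot}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class TokenBucket:
    """Per-source SYN budget: `rate` tokens per second, at most `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynProxy:
    """Stateful front-end: answers SYNs itself, forwards a connection to the
    server only after the client's ACK proves the handshake, and rate-limits
    SYNs per source so one host cannot monopolise the proxy either."""

    def __init__(self, syn_rate=2.0, syn_burst=5):
        self.syn_rate, self.syn_burst = syn_rate, syn_burst
        self.buckets = {}
        self.forwarded = []                    # handshakes handed to the real server
        self.stats = defaultdict(int)

    def on_packet(self, pkt: dict, now: float):
        src, sport, dst, dport = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
        slot = int(now // 60)
        if pkt["flags"] == "SYN":
            bucket = self.buckets.setdefault(src, TokenBucket(self.syn_rate, self.syn_burst))
            if not bucket.allow(now):
                self.stats["syn_rate_limited"] += 1
                return "drop"
            self.stats["syn_ack_sent"] += 1
            return ("SYN-ACK", syn_cookie(src, sport, dst, dport, slot))
        if pkt["flags"] == "ACK":
            # Accept cookies from this slot or the previous one (clock boundary).
            expected = {syn_cookie(src, sport, dst, dport, s) + 1 for s in (slot, slot - 1)}
            if pkt.get("ack") in expected:
                self.stats["completed"] += 1
                self.forwarded.append((src, sport))
                return "forward"
            self.stats["bad_ack"] += 1
            return "drop"
        return "drop"


def simulate() -> dict:
    """Constructed traffic: one real client, a spoofed-source SYN flood, a
    single-source SYN flood and a forged ACK. Returns the proxy's counters."""
    proxy = SynProxy()
    server = "198.51.100.10"

    def pkt(src, sport, flags, ack=None):
        return {"src": src, "sport": sport, "dst": server, "dport": 80,
                "flags": flags, "ack": ack}

    # Real client completes the handshake using the proxy's cookie ISN.
    _, isn = proxy.on_packet(pkt("203.0.113.5", 40000, "SYN"), 0.0)
    proxy.on_packet(pkt("203.0.113.5", 40000, "ACK", isn + 1), 0.1)
    # Spoofed-source flood: 50 SYNs from 50 different fake sources, no ACKs ever.
    for i in range(50):
        proxy.on_packet(pkt(f"192.0.2.{i + 1}", 1000 + i, "SYN"), 1.0 + i * 0.001)
    # Single-source flood: 30 SYNs in 0.3 s from one host.
    for i in range(30):
        proxy.on_packet(pkt("203.0.113.66", 50000 + i, "SYN"), 2.0 + i * 0.01)
    # Forged ACK that never had a valid SYN-ACK behind it.
    proxy.on_packet(pkt("203.0.113.77", 60000, "ACK", 12345), 3.0)

    return {"server_connections": len(proxy.forwarded), **proxy.stats}


if __name__ == "__main__":
    print(simulate())
```

The spoofed flood costs the proxy one SYN-ACK per packet and no memory, and the server sees exactly one connection, the real client's. The single-source flood is cut off by its token bucket after the burst allowance, which is the rate-based half of the defence.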
 
Question
What are the types of DDoS attacks?
Answer
 
Types of DDoS attacks:

Volumetric/flood: this straightforward bully attack hits a target with so much traffic that it is overwhelmed. These attacks often saturate the Internet connection as much as they impact the end-target host, so they are measured in bits or packets per second.
Resource starvation: attacks the underlying operating system and network stack resources (for example the TCP connection table, or the state tables of firewalls and load balancers) in an attempt to exhaust or crash either or both. This does not rely so much on the total volume of traffic as on the types and combinations of traffic that will best affect the target; SYN floods are the classic example.
Application: this assaults the application at layer 7 of the OSI model and attempts to crash the application itself or the underlying application server, for example with HTTP floods against expensive pages or with slow requests that hold connections open. Again, this does not rely on total traffic volume but on the types and combinations of requests that will best affect those subsystems.
 
Question
Can Riverbed be used to deny DoS attacks, or for effective utilization of the network as well?
Answer
Riverbed can restrict DoS attacks by configuring specific settings such as Connection Limiting and Service Protection Rules.
 
Question
 
What is the best solution to mitigate this attack, a firewall or an IPS? How does an IPS diagnose this attack?
 
Answer
Firewall-based prevention: a firewall answers DoS with access rules (allow or deny by protocol, port, or IP address) and, in stateful implementations such as OpenBSD's pf with "synproxy", by completing the client handshake itself and rate-limiting sources, as described in the previous answer. Simple rules handle an attack from a few unusual source addresses, but not an attack on a port the server must keep open (for example port 80), and the firewall may sit too deep in the network to help once the routers in front of it are saturated.

IPS-based prevention: intrusion prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among attacks is to carry legitimate content with bad intent, and an IPS that works on content recognition cannot block such behaviour-based DoS attacks. An ASIC-based IPS may detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attack traffic in real time and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern to determine whether there is an anomaly, typically by comparing the current rate per protocol, port, or source against a learned baseline. It must let legitimate traffic flow while blocking the DoS attack traffic.

DDS-based defense: more focused on the problem than an IPS, a DoS defense system (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of Death) and rate-based attacks (such as ICMP floods and SYN floods).

Blackholing and sinkholing: with blackholing, all traffic to the attacked DNS name or IP address is routed to a "black hole" (a null interface or a non-existent server). To be more efficient and avoid affecting the rest of the network's connectivity, this can be done by the ISP upstream; the cost is that the attacked address becomes unreachable for everyone, so the attacker's goal is achieved for that one address while the rest of the network survives. Sinkholing routes the traffic to a valid IP address that analyzes it and rejects bad packets. Sinkholing is not efficient for the most severe attacks, because the sinkhole itself must be able to absorb the full attack volume.
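The rate-based IPS behaviour described above, as an added Python example (not code from the page or from any IPS product): the detector learns a packets-per-second baseline with an exponentially weighted moving average, flags a window whose rate exceeds a multiple of that baseline, and inside such a window blocks only the sources responsible for a large share of the packets, so the legitimate clients keep flowing. A small helper also encodes the blackhole-versus-sinkhole decision from the last paragraph. The thresholds, addresses and the traffic mix are constructed for the example.

```python
from collections import Counter


class RateBasedIPS:
    """Learns a packets-per-second baseline with an exponentially weighted
    moving average and declares a one-second window anomalous when its rate
    exceeds baseline * factor. Inside an anomalous window, any source sending
    at least `source_share` of the packets is blocked; everything else still
    passes, which is how legitimate traffic keeps flowing."""

    def __init__(self, alpha=0.2, factor=4.0, source_share=0.10, warmup=5):
        self.alpha, self.factor = alpha, factor
        self.source_share, self.warmup = source_share, warmup
        self.baseline = None
        self.windows_seen = 0
        self.blocked = set()

    def observe(self, second: int, packets: list) -> dict:
        """packets: (src_ip, proto, dport) tuples seen in this one-second window."""
        rate = len(packets)
        self.windows_seen += 1
        if self.baseline is None:
            self.baseline = float(rate)
        anomalous = self.windows_seen > self.warmup and rate > self.baseline * self.factor
        newly_blocked = []
        if anomalous:
            per_src = Counter(src for src, _, _ in packets)
            for src, n in per_src.items():
                if src not in self.blocked and n / rate >= self.source_share:
                    newly_blocked.append(src)
            self.blocked.update(newly_blocked)
            # The baseline is frozen during an attack so the flood cannot
            # "teach" the IPS that 600 pps is normal.
        else:
            self.baseline += self.alpha * (rate - self.baseline)
        passed = sum(1 for src, _, _ in packets if src not in self.blocked)
        return {"second": second, "rate": rate, "baseline": round(self.baseline, 1),
                "anomalous": anomalous, "blocked": sorted(newly_blocked),
                "passed": passed}


def upstream_action(rate_pps: int, link_capacity_pps: int) -> str:
    """Once the flood meets or exceeds the link capacity, filtering at the
    target is useless: ask the ISP to blackhole the address. Below that,
    sinkhole the traffic and scrub it."""
    return "blackhole" if rate_pps >= link_capacity_pps else "sinkhole"


def simulate() -> list:
    """Constructed traffic: 10 s of 20 pps from 20 legitimate clients, then 3 s
    in which three bots add 200 pps each on top of the normal load."""
    ips = RateBasedIPS()
    legit = [(f"198.51.100.{i}", "tcp", 443) for i in range(1, 21)]
    bots = [f"192.0.2.{i}" for i in (1, 2, 3)]
    verdicts = []
    for second in range(1, 14):
        packets = list(legit)
        if second > 10:
            packets += [(b, "tcp", 443) for b in bots for _ in range(200)]
        verdicts.append(ips.observe(second, packets))
    return verdicts


if __name__ == "__main__":
    for v in simulate():
        print(v)
```

In the eleventh window the rate jumps from 20 to 620 packets per second against a baseline of 20, the three bots (each above the 10 percent share threshold) are blocked, and all 20 legitimate packets still pass; a distributed flood spread thinly over thousands of sources would defeat the per-source share test, which is why real deployments combine it with the signature and challenge techniques from the earlier answers.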
 
Question
How do you analyze traffic and symptoms to recognize a DDoS attack?
Answer
Not all disruptions to service are the result of a denial-of-service attack; there may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:

unusually slow network performance (opening files or accessing websites)
unavailability of a particular website
inability to access any website
a dramatic increase in the amount of spam received in an account

Even if you correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack from an end system. If you notice that you cannot access your own files or reach any external websites from your work computer, contact your network administrators; this may indicate that your computer or your organization's network is being attacked. If you have a similar experience on your home computer, consider contacting your Internet service provider (ISP), which may be able to advise you of an appropriate course of action. On the network side, the analysis that confirms an attack compares current traffic rates (packets or requests per second, per protocol, port and source) against the normal baseline for that time of day.
 
Question
How exactly does an attacker spoof frames such as CTS frames, disassociation frames, client authentication request frames, etc.? Is there any specific software available? What is the process?
Answer
 
In this type of attack the intruder injects forged 802.11 management or control frames carrying the access point's (or a client's) MAC address. They are accepted because 802.11 management and control frames carry no authentication; protected management frames (802.11w) close this for deauthentication and disassociation frames, but not for beacons or CTS frames. The example here is a spoofed beacon frame that advertises a channel different from the one announced in the genuine beacon of the AP, so that clients are steered away from the real network; forged disassociation and deauthentication frames work the same way. Many tools for DDoS attacks in general are available on the Internet, and most of them are built around a botnet.

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it can be used to send spam e-mail or to participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.

Legal botnets: the term botnet is widely used when several IRC bots have been linked and may set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term originally comes from, since the first illegal botnets were similar to legal botnets.

Illegal botnets: botnets sometimes consist of computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. Building and using one follows the recruit, exploit, inject and use phases described in the earlier answer on how an attacker carries out a DDoS attack.