CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [60]

flood, and TCP SYN attack options. It also provides a secure Telnet connection (using symmetric key encryption) between the attacker and the agent systems (secondary victims). The encryption keeps system administrators from reading the control traffic and recognizing it by its content, although the connections themselves remain visible on the network.

Mstream uses spoofed TCP packets with the ACK flag set to attack a target. It consists of a handler and an agent portion; access to the handler is password protected.

The services under attack are those of the primary victim; the compromised systems used to launch the attack are secondary victims. These compromised systems, which send the DDoS traffic to the primary victim, are sometimes called zombies or BOTs. They are usually compromised through another attack and then used to launch an attack on the primary victim at a certain time or under certain conditions. It can be difficult to track the source of the attack because the traffic originates from many IP addresses.

Normally, DDoS consists of three parts:

■ Master/Handler

■ Slave/secondary victim/zombie/agent/BOT/BOTNET

■ Victim/primary victim

The master is the attack launcher. A slave is a host that is compromised by and controlled by the master. The victim is the target system. The master directs the slaves to launch the attack on the victim system.

DDoS is done in two phases. In the intrusion phase, the hacker compromises weak systems in different networks around the world and installs DDoS tools on those compromised slave systems. In the DDoS attack phase, the slave systems are triggered to cause them to attack the primary victim.

Understand How BOTs/BOTNETs Work

A BOT is short for web robot and is an automated software program that behaves intelligently. Spammers often use BOTs to automate the posting of spam messages on newsgroups or the sending of emails. BOTs can also be used as remote attack tools. Most often, BOTs are web software agents that interface with web pages. For example, web crawlers (spiders) are web robots that gather web-page information.

The most dangerous BOTs are those that covertly install themselves on users' computers for malicious purposes.

Some BOTs communicate with other users of Internet-based services via instant messaging, Internet Relay Chat (IRC), or another web interface. These BOTs allow IRC users to ask questions in plain English and then formulate a proper response. Such BOTs can often handle many tasks, including reporting weather, providing zip-code information, listing sports scores, converting units of measure such as currency, and so on.

A BOTNET is a group of BOT systems. BOTNETs serve various purposes, including DDoS attacks, creation or misuse of Simple Mail Transfer Protocol (SMTP) mail relays for spam, Internet marketing fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. Generally, a BOTNET refers to a group of compromised systems running a BOT for the purpose of launching a coordinated DDoS attack.

What Is a "Smurf" Attack?

A smurf attack sends a large amount of ICMP echo (ping) traffic to a directed-broadcast IP address with the source address spoofed to that of the victim. Each host on that IP network (a secondary victim) replies to the ICMP echo request with an echo reply, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies, flooding the primary victim. IRC servers have been the primary victims of smurf attacks on the Internet. The amplifying network is the part an administrator can fix: routers that do not forward directed broadcasts (no ip directed-broadcast, the default on current Cisco IOS) and hosts that ignore echo requests sent to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, also the default) leave nothing to amplify.
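As an added illustration (not from the review guide or any tool it names), the following Python replays a set of constructed ICMP records and reports the amplification a smurf victim sees: it pairs echo requests sent to a directed-broadcast address with the echo replies that the hosts on that network send back to the claimed source. The record format, the addresses, the network list, and the find_smurf_candidates function are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records for illustration only (not a real capture).
# Each record is (src, dst, protocol, icmp_type); type 8 = echo request, 0 = echo reply.
SAMPLE_PACKETS = [
    # Two echo requests to the broadcast address, source spoofed to the victim 203.0.113.7
    ("203.0.113.7", "192.168.1.255", "icmp", 8),
    ("192.168.1.10", "203.0.113.7", "icmp", 0),
    ("192.168.1.11", "203.0.113.7", "icmp", 0),
    ("192.168.1.12", "203.0.113.7", "icmp", 0),
    ("192.168.1.13", "203.0.113.7", "icmp", 0),
    ("203.0.113.7", "192.168.1.255", "icmp", 8),
    ("192.168.1.10", "203.0.113.7", "icmp", 0),
    ("192.168.1.11", "203.0.113.7", "icmp", 0),
    ("192.168.1.12", "203.0.113.7", "icmp", 0),
    ("192.168.1.13", "203.0.113.7", "icmp", 0),
    # An ordinary unicast ping inside the network; it must not be reported
    ("192.168.1.20", "192.168.1.10", "icmp", 8),
    ("192.168.1.10", "192.168.1.20", "icmp", 0),
]

# The networks whose hosts would act as the amplifier (an assumption for the example)
LOCAL_NETWORKS = [ip_network("192.168.1.0/24")]


def broadcast_addresses(networks):
    """Directed-broadcast addresses of the networks we are watching."""
    return {net.broadcast_address for net in networks}


def find_smurf_candidates(packets, networks, min_amplification=2.0):
    """Return {victim: (requests, replies, amplification)} for every address that
    appears as the source of echo requests aimed at a directed-broadcast address and
    then receives echo replies from hosts inside those networks.  Only victims whose
    reply/request ratio reaches min_amplification are reported."""
    bcast = broadcast_addresses(networks)
    requests = defaultdict(int)   # claimed source of broadcast echo requests -> count
    replies = defaultdict(int)    # destination of echo replies from local hosts -> count
    for src, dst, proto, icmp_type in packets:
        if proto != "icmp":
            continue
        s, d = ip_address(src), ip_address(dst)
        if icmp_type == 8 and d in bcast:
            requests[s] += 1
        elif icmp_type == 0 and any(s in net for net in networks):
            replies[d] += 1
    result = {}
    for victim, n_req in requests.items():
        n_rep = replies.get(victim, 0)
        amplification = n_rep / n_req
        if amplification >= min_amplification:
            result[str(victim)] = (n_req, n_rep, amplification)
    return result


if __name__ == "__main__":
    for victim, (n_req, n_rep, amp) in find_smurf_candidates(SAMPLE_PACKETS, LOCAL_NETWORKS).items():
        print(f"{victim}: {n_req} broadcast requests, {n_rep} replies, amplification x{amp:.1f}")
```

The unicast ping in the sample is ignored because its destination is not a broadcast address, and the reply it produces has no matching broadcast request; only the spoofed 203.0.113.7 is reported, with four replies per request from the four responding hosts. On a real network the same logic can be fed from a packet capture; a ratio well above one from a directed-broadcast address is the signature of an amplifier, and the fix is on the amplifying network as described above.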

What Is "SYN" Flooding?

A SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet and sets the SYN flag to request a new connection to the server from the spoofed IP address. The victim responds with a SYN-ACK to the spoofed IP address and then waits for the final ACK of the three-way handshake, which never arrives. Consequently, the victim's table of half-open connections (the listen backlog) fills up waiting for replies; after the table is full, all new connection requests are dropped. Legitimate users are ignored, as well, and
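As an added example (not from the review guide), the following Python replays constructed TCP segments through a minimal handshake state machine and reports, per listening socket, how many entries are half-open (SYN received, final ACK never seen), how many distinct sources hold them, and whether they would exhaust a backlog of a given size. The segment format, the addresses, the backlog size, and the track_half_open and syn_flood_report functions are assumptions made for the example.

```python
# Constructed sample segments only (not a real capture).
# Each segment is (src, dst, sport, dport, flags); flags use TCP flag letters:
# "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST.
SERVER = "10.0.0.80"


def build_sample(n_flood=200):
    """One legitimate handshake followed by n_flood spoofed SYNs whose SYN-ACKs are
    never answered.  Sources come from the documentation range 203.0.113.0/24."""
    segs = [
        ("198.51.100.4", SERVER, 40000, 80, "S"),
        (SERVER, "198.51.100.4", 80, 40000, "SA"),
        ("198.51.100.4", SERVER, 40000, 80, "A"),
    ]
    for i in range(n_flood):
        src = f"203.0.113.{i % 254 + 1}"   # a different spoofed source for every SYN
        sport = 1024 + i
        segs.append((src, SERVER, sport, 80, "S"))
        segs.append((SERVER, src, 80, sport, "SA"))   # server answers; nobody replies
    return segs


def track_half_open(segments):
    """Replay segments and return {(client, sport, server, dport): state}, where state is
    'SYN_RECEIVED' while the server holds a backlog slot and 'ESTABLISHED' once the
    client's final ACK completes the handshake."""
    table = {}
    for src, dst, sport, dport, flags in segments:
        key = (src, sport, dst, dport)
        if flags == "S":                    # SYN from a client: server allocates a backlog slot
            table[key] = "SYN_RECEIVED"
        elif flags == "SA":                 # SYN-ACK from the server: still half-open
            continue
        elif "R" in flags:                  # RST from either side tears the entry down
            table.pop(key, None)
            table.pop((dst, dport, src, sport), None)
        elif "A" in flags:                  # final ACK from the client completes the handshake
            if table.get(key) == "SYN_RECEIVED":
                table[key] = "ESTABLISHED"
    return table


def syn_flood_report(segments, backlog=128):
    """Per (server, port): half-open count, established count, distinct sources holding
    half-open entries, and whether the half-open count fills a backlog of this size."""
    report = {}
    for (client, sport, server, dport), state in track_half_open(segments).items():
        entry = report.setdefault((server, dport),
                                  {"half_open": 0, "established": 0, "sources": set()})
        if state == "SYN_RECEIVED":
            entry["half_open"] += 1
            entry["sources"].add(client)
        else:
            entry["established"] += 1
    for entry in report.values():
        entry["distinct_sources"] = len(entry.pop("sources"))
        entry["backlog_exhausted"] = entry["half_open"] >= backlog
    return report


if __name__ == "__main__":
    for (server, port), entry in syn_flood_report(build_sample(), backlog=128).items():
        print(f"{server}:{port} half-open={entry['half_open']} established={entry['established']} "
              f"distinct-sources={entry['distinct_sources']} exhausted={entry['backlog_exhausted']}")
```

With 200 unanswered SYNs against a backlog of 128 the report marks the socket as exhausted while only one connection is actually established; because every SYN carries a different spoofed source, per-source rate limiting does nothing, and the useful signal is the number of half-open entries against the number of distinct sources. On Linux the standard countermeasure is SYN cookies (net.ipv4.tcp_syncookies=1), which let the server answer a SYN without keeping a backlog entry until the final ACK arrives.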
