CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [61]
Describe the DoS/DDoS Countermeasures
There are several ways to detect, halt, or prevent DoS attacks. The following are common security features available:
Network-ingress filtering All network access providers should implement network-ingress filtering to stop any downstream networks from injecting packets with faked or spoofed addresses into the Internet. Although this doesn't stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate the attack quickly.
Rate-limiting network traffic A number of routers in the market today have features that let you limit the amount of bandwidth some types of traffic can consume. This is sometimes referred to as traffic shaping.
Intrusion detection systems Use an intrusion detection system (IDS) to detect attackers who are communicating with slave, master, or agent machines. Doing so lets you know whether a machine in your network is being used to launch a known attack but probably won't detect new variations of these attacks or the tools that implement them. Most IDS vendors have signatures to detect Trinoo, TFN, or Stacheldraht network traffic.
Host-auditing tools File-scanning tools are available that attempt to detect the existence of known DDoS tool client and server binaries in a system.
Network-auditing tools Network-scanning tools are available that attempt to detect the presence of DDoS agents running on hosts on your network.
Automated network-tracing tools Tracing streams of packets with spoofed address through the network is a time-consuming task that requires the cooperation of all networks carrying the traffic and that must be completed while the attack is in progress.
DoS Scanning Tools
Find_ddos is a tool that scans a local system that likely contains a DDoS program. It can detect several known DoS attack tools.
SARA gathers information about remote hosts and networks by examining network services. This includes information about the network information services as well as potential security flaws such as incorrectly set up or configured network services, well-known bugs in the system or network utilities system software vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database, and weak policy decisions.
RID is a free scanning tool that detects the presence of Trinoo, TFN, or Stacheldraht clients.
Zombie Zapper instructs zombie routines to go to sleep, thus stopping their attack. You can use the same commands an attacker would use to stop the attack.
Session Hijacking
Session hijacking is when a hacker takes control of a user session after the user has successfully authenticated with a server. Session hijacking involves an attack identifying the current session IDs of a client/server communication and taking over the client's session. Session hijacking is made possible by tools that perform sequence-number prediction. The details of sequencenumber prediction will be discussed later in this chapter.
Understand Spoofing vs. Hijacking
Spoofing attacks are different from hijacking attacks. In a spoofing attack, the hacker performs sniffing and listens to traffic as it's passed along the network from sender to receiver. The hacker then uses the information gathered to spoof or uses an address of a legitimate system. Hijacking involves actively taking another user offline to perform the attack. The attacker relies on the legitimate user to make a connection and authenticate. After that, the attacker takes over the session, and the valid user's session is disconnected.
Session hijacking involves the following three steps to perpetuate an attack:
Tracking the session The hacker identifies an open session and predicts the sequence number of the next packet.
Desynchronizing the connection The hacker sends the valid user's system a TCP reset (RST) or finish (FIN) packet to cause them to close their session.
Injecting the attacker's packet The