In this lesson we're going to focus on the concept of a Denial of Service attack. Now, a Denial of Service attack isn't a specific attack in and of itself, but instead, it's this category or type of attack that's carried out in a number of different ways. Essentially, the term Denial of Service is used to describe any attack which attempts to make a computer or service resources unavailable, but it can also be extended to network devices, like switches and routers, as well. There are five subcategories of Denial of Service attacks: Flooding Attacks, the Ping of Death, the Teardrop, the Permanent Denial of Service attack, and the Fork Bomb.

The first category is called a Flood Attack. This is a specialized type of Denial of Service which attempts to send more packets to a single server or host than it can handle. So, in this example, we see an attacker sending 12 requests at a time to a server. Now, normally, a server wouldn't be overloaded with just 12 requests, but if I could send 12 hundred or 12,000, that might allow me to flood that server and take it down.

Now, under a Flood Attack we have a few different specialized varieties that you're going to come across on the exam. The first is called a Ping Flood. This attack is going to happen when somebody attempts to flood your server by sending too many pings. Now, a ping is technically an ICMP echo request packet, but they like to call it a ping on the exam. Because a Ping Flood has become so commonplace, though, many organizations are now simply blocking echo replies and simply having the firewall drop these requests whenever they're received. This results in the attacker simply getting a request timed out message, and the service remains online, and the Denial of Service is stopped.

Next, we have a Smurf Attack. This is like a Ping Flood, but instead of trying to flood a server by sending out pings directly to it, the attacker instead tries to amplify this attack by sending a ping to a subnet broadcast address instead, using the spoofed IP of the target server. This causes all of the devices on that subnet to reply back to the victimized server with those ICMP echo replies, and it's going to eat up a lot of bandwidth and processing power. Now, you can see how this looks here, with the attacker sending the ping request with the IP of that server being spoofed into the request, and now the destination is sent to the broadcast of that subnet. In this example, all three PCs in the subnet are going to reply back to that ping request thinking it's from the server, and the server gets three times the amount of ping replies than if the attacker had sent it to them directly. Now, this allows that attack to be amplified, especially if the attacker can get a large subnet, like a /16 or a /8, used in this attack.

The next kind of Flood Attack is what we call Fraggle. Fraggle is a throwback reference to the kids' show Fraggle Rock from the 1980s, which aired around the same time as the Smurf TV show. So, you can guess that Fraggle and Smurf are kind of related. Well, with Fraggle, instead of using an ICMP echo reply, Fraggle uses a UDP echo instead. This traffic is directed to the UDP port of seven, which is the echo port for UDP, and the UDP port of 19, which is the character generation port. This is an older attack, and most networks don't have this vulnerability anymore, and both of these ports are usually closed, 'cause again, they're unnecessary. Notice that I didn't have them in your port memorization chart, either. Now, because of this, Fraggle attacks are considered very uncommon today. That said, a UDP Flood Attack, which is a variant of Fraggle, is still heavily used these days. It works basically the same way as a Fraggle attack, but it uses different UDP ports.

The next Flood Attack we're going to cover is a SYN Flood. Now, this attack is a variant on a Denial of Service attack, where the attacker is going to initiate multiple TCP sessions but never complete the 3-way handshake. You could see here how the attacker is sending four SYN packets to the server, but they're using made-up IP addresses. The server then replies to those IP addresses in an attempt to establish that 3-way handshake, but of course, the other people weren't expecting that call, and so, no one responds. This causes a server to set aside resources for these supposed clients while it waits for their response and acknowledgement, but the acknowledgement never comes. If the attacker creates enough requests, the server will simply run out of resources, and be unable to establish any real connections with those who really want to do business with the server, and this creates the Denial of Service condition. To prevent this from occurring, flood guards can be installed in the network. These devices will detect when a SYN Flood is being attempted, and they'll block the request at the network boundary, freeing up the server. Flood guards can also be a feature in some routers and firewalls, as well. Also, your server can be configured to time out on those half-open requests after a period of time, say 10, 15 or 30 seconds, and this will free up those resources, and prevent the Denial of Service condition from happening too. Intrusion prevention systems also have the ability to detect and respond to SYN Floods as they're being attempted.

Now, the final type of Flood Attack is known as a Christmas Attack. This is a type of attack that's conducted by setting the FIN, the PSH, and the URG flags inside a TCP packet to the on position. This'll cause a device to crash or reboot any time that packet's received, because it's a nonstandard format. Now, this attack got its name from the way it looks when you look at these packets inside a protocol analyzer like Wireshark, because all of those flags are turned on, and it looks like a Christmas tree. Most devices today will simply block this type of attack and discard the packet because they don't understand how to handle it. But when this attack first came out, it caused a lot of trouble for routers and switches around the globe.

So, now that we've covered all of the different types of Flood Attacks, let's move on to our next category, the Ping of Death. This attack sends an oversized and malformed ping packet to another computer or server. When it's received, these systems don't know what to do with it, and they would crash. This, again, is an older attack, and one that modern operating systems aren't vulnerable to anymore. Now, essentially, the standard for a packet size is supposed to not exceed 65,535 bytes, or 64k, but some smart attackers built ways to force larger packets to be sent. When they were received, this could override areas of system memory, much like a buffer overflow, or it would simply crash the machine. Why do we still cover the Ping of Death in Security+ when no one's vulnerable to it anymore? Well, I think CompTIA likes to still cover it because of the history. The Ping of Death was one of the first types of Denial of Service attack that was really effective in the field. This shows you just how old it really, really is.

Next, we have a Teardrop Attack, which breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them back to a victim machine. This gets its name because if you have enough teardrops, you could form a large puddle, and, essentially, this attack attempts to create numerous smaller packets that can't be reformed into this larger puddle, and when they're trying to put those back together, the system simply crashes or reboots itself because it doesn't understand how to handle it. This will create the desired Denial of Service condition that the attacker was trying to create.

Next, we have the Permanent Denial of Service attack, or PDoS. This is an attack which exploits a security flaw to permanently break a networking device by reflashing its firmware. This can cause a device to be unable to reboot itself because its operating system is overwritten. It's also called a Permanent Denial of Service attack because a quick reboot won't bring the system back online. Instead, the device has to be taken offline, have a full firmware reload done, and then it can be brought back online.

Finally, we have our last one, the Fork Bomb. With the Fork Bomb, the attacker creates a large number of processes to use up the available processing power of a computer. This attack gets its name because a process is called a fork, and it can be forked into two processes, and then four processes, and so on, until it eats up all of the resources. Now, some people think of this as a worm because of the self-replicating nature, but they're not a worm, because they don't infect programs, and they don't use the network to spread. Instead, Fork Bombs only spread out inside the processor's cache on a single computer that it's being attacked with, and it causes a Denial of Service attack, and a Denial of Service condition, which is why it's considered not to be a worm.

Now, there are new Denial of Service attacks being dreamt up all of the time. Basically, for the exam though, if an attack causes a system to go offline, and to stop providing the service that it's really supposed to do to its real users, or it can permanently cause a system to be broken, this could be categorized as a Denial of Service condition.