In this post, I continue to write about the types of attacks on websites.
Fragmented IP attacks
IP packet fragmentation is the basic IP mechanism for transmitting packets larger than the MTU (maximum transmission unit) of the network over which they travel. Such packets are split into fragments small enough to fit into the PDU (protocol data unit) of the network and are then reassembled into the complete IP packet at the destination. The IP header contains a field indicating that more data follow in further fragments that are transmitted separately. These additional fragments are often not subject to filtering by packet filters and intrusion prevention systems, or only the first fragment is filtered. In a more elaborate attack, an experienced attacker can assemble a set of IP fragments that the server reassembles into a packet which would otherwise not have passed the network layer. The historical "ping of death" and "teardrop" attacks were based on sending fragmented packets that caused buffer overflows in the operating system of the server they were aimed at.
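A defender-side sanity check for one set of fragments, as an added example that is not part of the original post: it flags the patterns the paragraph describes, namely overlapping fragments (teardrop), a reassembled size beyond the IPv4 limit (ping of death), and a first fragment too small to carry the transport header, which is how filtering of only the first fragment is evaded. Offsets and lengths are in bytes, and MIN_FIRST_FRAGMENT is an assumed policy value.

```python
from dataclasses import dataclass

MAX_PAYLOAD = 65535 - 20     # 65535-byte IPv4 datagram limit minus the IPv4 header
MIN_FIRST_FRAGMENT = 20      # assumed policy: the first fragment must carry a whole TCP header

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload length in bytes
    more: bool    # the IP header's "More Fragments" flag

def check_fragments(fragments):
    """Return the list of problems found in one fragment set (empty if it looks sane).
    A reassembly engine or IPS could drop or alert on any set that returns problems."""
    problems = []
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags:
        return ["no fragments"]
    if frags[0].offset != 0:
        problems.append("no first fragment (offset 0)")
    elif frags[0].more and frags[0].length < MIN_FIRST_FRAGMENT:
        # transport header split across fragments: a filter that inspects only
        # the first fragment cannot see the ports or flags it needs
        problems.append("tiny first fragment hides the transport header")
    end = 0
    for f in frags:
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at {f.offset} is not a multiple of 8 bytes")
        if f.offset < end:
            problems.append(f"fragment at {f.offset} overlaps previous data")   # teardrop pattern
        elif f.offset > end:
            problems.append(f"gap before fragment at {f.offset}")
        end = max(end, f.offset + f.length)
    if end > MAX_PAYLOAD:
        problems.append(f"reassembled size {end} exceeds {MAX_PAYLOAD} bytes")  # ping-of-death pattern
    if frags[-1].more:
        problems.append("last fragment still has More Fragments set")
    return problems
```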
Sockstress is a DoS attack that exploits weaknesses in the TCP protocol. The attacker establishes a legitimate connection to the server and then sends packets with a window size of 0, signalling that its receive buffer is full and that the server has to wait before sending further data. The server keeps the connection open for as long as the client keeps sending such packets, and the connection thus occupies server resources. By generating a large enough number of such connections, the attacker prevents regular users from opening new connections, and the services on that server become unavailable. Tools for running this attack are publicly available and little expertise is needed to carry it out.
HTTP Flood Attacks
When a website provides, without restriction, complex functionality that consumes a lot of system resources (e.g. database searches with complex queries), the attacker can send a large number of requests for that service and load the server to the point where even simple requests can no longer be processed. Websites are also often hosted on shared servers with few resources or with unoptimised CMSs, so a large number of requests even for simple pages can bring them down. It often happens that a text or image from a small website is linked from large sites such as Slashdot and Facebook, a large number of users suddenly arrive at the site and bring it down. HTTP floods therefore do not always exploit a vulnerability in the server or application; they exploit the insufficient and inadequate capacity of hosting providers to overwhelm the site.
Types of DDoS attacks
Distributed Denial of Service, abbreviated DDoS, refers to attacks on servers that come from a large number of machines at the same time, which increases the intensity and success of the attack. Since botnets often comprise tens or hundreds of thousands of computers, such attacks can be so large that they saturate not only the Internet link of the server hosting the site but also the link of the provider on whose network the site is hosted.
A DDoS attack often uses several attack vectors at the same time, which makes it harder to mitigate and stop. A DDoS attack can also involve hundreds of thousands of different IP addresses sending packets to one server, and then the only way to stop it and free up the Internet provider's link is to block (blackhole) all traffic destined for that server and have the neighbouring and upstream routers do the same. The block can propagate to other networks this way, but it leaves the site inaccessible.
Direct DDoS attacks
Direct DDoS attacks are those that exhaust the target's Internet link by sending UDP packets from the attackers to the target. Such attacks are carried out with a large number of infected machines that are part of a botnet, or by mass recruitment of activists who voluntarily participate in an attack on a chosen target, as in the Anonymous actions #OpBlackout and #OpPayback. In direct DDoS attacks it is easier to trace the IP addresses from which the packets arrive, but that does not help identify who is behind the attack, because packets sent by a botnet do not differ from packets sent by a user who participates voluntarily.
Reflective DDoS attacks
Reflective DDoS attacks come from a relatively small number of machines that send packets with a spoofed source IP address to a large number of legitimate but poorly configured servers across the Internet. When those servers answer, they send their responses to the spoofed source address, which is in fact the target of the attack. Servers of well-known sites with large link capacities are often abused for this attack.
Amplified DDoS attacks
Amplified DDoS attacks are reflective attacks in which the server's response is several times larger than the packet sent to it, so the attacker does not need a large-capacity link to mount a big attack. In recent years these attacks have been the main vector of attacks on websites.
To generate the large number of ICMP packets that an ICMP flood sends at a target, the attacker must have access to a large network and a large number of computers. Because this is not always the case, ICMP amplification, also called the Smurf attack, is used: an ICMP echo request with a spoofed source IP address is sent to the broadcast address of a poorly configured network, so that all devices on that network reply with ICMP echo responses to the spoofed address, which is the target of the attack.
Apache Killer is the name given to a serious flaw in Apache HTTPD, the most widely used web server on the Internet. The bug was discovered in August 2011 in versions before 2.2.21 and allowed the attacker to send a simple HTTP request asking for many overlapping parts of a document, causing the server to fail, since Apache HTTPD would use up all available memory. Although a long time has passed since the fixed version was released, many servers still run older versions, so the administrators of those servers need to update the software or apply a configuration that blocks such problematic requests.
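One way to filter such requests in front of an application, as an added example that is not part of the original post and not Apache's own code: parse the HTTP Range header and refuse requests that ask for too many ranges or for ranges that overlap or run backwards, which is the pattern behind the 2011 requests. The limit of 200 mirrors the default of the MaxRanges directive that Apache added in 2.2.21; the function names are assumptions.

```python
import re

MAX_RANGES = 200  # assumed limit; Apache's MaxRanges directive (added in 2.2.21) defaults to the same value

_BYTES = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_ranges(header, size):
    """Parse a Range header value into a list of inclusive (start, end) byte pairs
    for an entity of `size` bytes. Raises ValueError on anything malformed or
    unsatisfiable; the caller then ignores the header and serves the whole file."""
    m = _BYTES.match(header)
    if not m:
        raise ValueError("not a byte-range specifier")
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or (not first and not last):
            raise ValueError(f"malformed range spec {spec!r}")
        if not first:                      # suffix form "-N": the last N bytes
            n = int(last)
            if n <= 0:
                raise ValueError("empty suffix range")
            ranges.append((max(0, size - n), size - 1))
        else:
            start = int(first)
            end = int(last) if last else size - 1
            if start >= size or start > end:
                raise ValueError(f"unsatisfiable range {spec!r}")
            ranges.append((start, min(end, size - 1)))
    return ranges

def range_request_ok(header, size, max_ranges=MAX_RANGES):
    """Decide whether a Range header is worth honouring. Too many ranges, or ranges
    that overlap or are out of order, are refused; the server then answers with the
    full entity instead of building one response part per range."""
    try:
        ranges = parse_ranges(header, size)
    except ValueError:
        return False
    if len(ranges) > max_ranges:
        return False
    for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
        if start <= prev_end:              # overlapping or backwards: serve whole file instead
            return False
    return True
```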
RFI / LFI
Remote File Inclusion (RFI) is a vulnerability often found on websites written in PHP and is caused by missing validation of input data. When such a flaw exists, the attacker can make the server hosting the site execute arbitrary code located on a remote server. This gives access to the database the site uses, allows site content to be modified, and allows attacks to be launched on other servers. Local File Inclusion (LFI) is a similar attack, but the included code is located on the server itself.
SQL injection is likewise the result of poor or non-existent validation of input data, and can leave the site exposed, compromised, or with its data stolen. A good developer checks every input that users send so that any special and command characters are properly handled and cannot cause unwanted behaviour.
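Hardened versions of the two input-handling patterns described in the RFI/LFI and SQL injection paragraphs, as an added example that is not taken from the post (in Python rather than PHP; the same logic applies in any language): page inclusion through an allowlist instead of a path built from user input, and a parameterised query beside the string-built query it replaces. TEMPLATE_DIR, the page names and the users table are assumptions.

```python
import sqlite3
from pathlib import Path

TEMPLATE_DIR = Path("/var/www/site/templates")    # assumed location of the site's page templates
# Allowlist: user input selects a key, never a path, so "../", absolute paths,
# "http://..." (RFI) and null bytes can never reach the filesystem.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}

def resolve_page(page, base=TEMPLATE_DIR):
    """Return the template path for the requested page, or None if it is not allowed."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    path = (base / filename).resolve()
    if base.resolve() not in path.parents:        # defence in depth: stay inside the template dir
        return None
    return path

def find_user_unsafe(conn, username):
    """The vulnerable pattern: input pasted into the SQL text, so a quote changes the query."""
    return conn.execute(
        f"SELECT id, username FROM users WHERE username = '{username}'").fetchall()

def find_user(conn, username):
    """The hardened pattern: a placeholder, so the driver passes the value purely as data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()

def demo_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn
```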
WordPress, the most popular blogging platform, played a part in DDoS attacks on websites in 2013. No flaw in the site's code was exploited; instead the abuse was of the pingback feature, with which one WordPress installation notifies another that a blog article has mentioned it. On receiving a pingback, WordPress fetches the specified page to check that the article really is there. This feature is often used for social connectivity and is included in every WordPress instance. With more than 100 million sites based on this platform, it is easy to assemble a simple botnet by running a simple script and attack a chosen site, which will quickly be overwhelmed by too many requests.
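Detection logic for the two patterns in this post that show up in web server logs, the HTTP flood described earlier and the WordPress pingback reflection above, as an added example that is not part of the original post: it runs over a constructed Apache combined-format log, flags any client exceeding a request rate, and counts distinct blogs seen verifying pingbacks against the same site. The pingback User-Agent format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# User-Agent WordPress sends while verifying a pingback (assumed format, from its xmlrpc handler)
PINGBACK_UA = re.compile(r"^WordPress/[\d.]+; (?P<origin>\S+); verifying pingback from \S+$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_sample_log():
    """Constructed log: one client hammering a search page, six blogs verifying pingbacks at once."""
    t0 = datetime(2013, 3, 12, 10, 0, 0)
    lines = []
    for i in range(40):   # 40 expensive search requests from one IP within 20 seconds
        ts = (t0 + timedelta(seconds=i // 2)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'203.0.113.7 - - [{ts}] "GET /?s=slow+query+{i} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    for i in range(6):    # six different WordPress sites fetch the same post within six seconds
        ts = (t0 + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /2013/03/post/ HTTP/1.1" 200 8000 "-" '
                     f'"WordPress/3.5.1; http://blog{i}.example; verifying pingback from 192.0.2.9"')
    ts = t0.strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines.append(f'192.0.2.50 - - [{ts}] "GET /about/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')
    return lines

def analyse(lines, window=timedelta(seconds=60), rate_limit=30, pingback_limit=5):
    """Return (flooding_ips, pingback_origins): clients with more than rate_limit requests in any
    `window`, and the distinct blogs verifying pingbacks once at least pingback_limit are seen."""
    times, origins = defaultdict(list), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        times[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
        p = PINGBACK_UA.match(m["ua"])
        if p:
            origins.add(p["origin"])
    flooding = set()
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):      # sliding window over this client's requests
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > rate_limit:
                flooding.add(ip)
                break
    return flooding, origins if len(origins) >= pingback_limit else set()
```

Many unrelated blogs fetching the same site within seconds is the reflection pattern the post describes; on a real server the rate limit and window would be tuned to the site's normal traffic.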