Today is a special day: I have just finished the analysis of a piece of malware. It took me more than 10 days, which was kind of exhausting. But now that it is finished, I have a lot of energy.
So today, I will share my experiences about its attacks, which are based on DDoS.
The User Datagram Protocol (UDP) is a connectionless, sessionless networking protocol. It needs no three-way handshake like TCP and runs with lower overhead, which makes it ideal for traffic that does not need to be checked and rechecked, for example chat or VoIP.
A “UDP flood” is a type of Denial of Service (DoS) attack. The attacker sends IP packets containing UDP datagrams to random ports on the targeted host. The receiving host checks for an application listening on each of those ports, finds none, and sends back an ICMP “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overloaded and can no longer respond to legitimate clients.
In a UDP flood, the attacker often spoofs the source IP address in the packets; this ensures that the returning ICMP packets never reach the attacker's own host and anonymizes the attack. To perform a UDP flood attack, you guys could try the UDP Unicorn tool (just for fun).
A DNS flood is a different type of DDoS attack, in which the attacker targets one or more Domain Name System (DNS) servers belonging to a given zone, attempting to slow down or prevent resolution of the resource records of that zone and its sub-zones.
DNS servers are the heart of the Internet, helping Internet clients find the servers they want. A DNS zone is a specific portion of the domain name space in the Domain Name System. For each zone, administrative responsibility is delegated to a single server cluster. In a DNS flood attack the offender tries to overwhelm a given DNS server (or servers) with apparently valid traffic, exhausting server resources and impeding the servers’ ability to direct valid requests to zone resources.
A DNS flood attack is a variant of the UDP flood attack, since DNS servers rely on UDP for name resolution, and it is a Layer 7 attack. With UDP-based queries (unlike TCP queries), a full connection is never established, so spoofing is more easily accomplished.
To attack a DNS server with a DNS flood, the hacker runs a shell script on malicious servers. These scripts send malformed packets with spoofed IP addresses. Because Layer 7 attacks like the DNS flood require no response to be effective, the hacker can send packets that need not be accurate or even correctly formatted. The hacker can spoof all packet information, such as the source IP, making it appear that the attack is coming from many sources. Randomized packet data also helps offenders evade common DDoS protection mechanisms, rendering even IP filtering with Linux iptables useless.
Another common type of DNS flood attack is DNS NXDOMAIN flood attack, in which the attacker floods the DNS server with requests for records that are nonexistent or invalid. The DNS server expends all its resources looking for these records, its cache fills with bad requests, and it eventually has no resources to serve legitimate requests.
The TCP STOMP attack is another variant of the simple ACK flood, intended to bypass mitigation devices. While analyzing the actual implementation of this attack, it seems that the malware opens a full TCP connection and then continues flooding with ACK packets that carry legitimate sequence numbers, in order to keep the connection alive.
Many of the infected devices had port 23 (Telnet) open with default passwords. Yet today manufacturers ship hundreds of thousands of high-powered computing devices that do just that. There’s no oversight here, and no clear path to recovery. There probably isn’t even a way to notify the consumer that the DVR in their room has some serious problems. 😀
Valve Source Engine Specific Flood
The Valve Source Engine flood is a UDP (amplification) attack used to consume the available resources of a server. The attack floods a gaming server with TSource Engine Query requests (a common Distributed Reflective Denial of Service (DRDoS) pattern), so many that the server cannot process all of them, thereby creating a denial of service against the gaming service.
This type of attack is geared specifically to the gaming market. It is a reflection attack in which the responses are larger than the requests. You guys can read more about this attack here.
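As an added example (not code from the original post or from the malware), the following Python spots the TSource Engine Query pattern in captured UDP payloads, flags sources exceeding a per-second query rate, and computes the amplification factor from a response size. The packet tuples and the 250-byte response are constructed sample data; the threshold of 5 queries per second is an assumed tuning value.

```python
"""Detect a Valve Source Engine (A2S_INFO) query flood in UDP datagrams and
estimate the amplification a reflecting game server would produce.
Added example; the capture below is constructed, not real traffic."""
from collections import defaultdict

# The A2S_INFO request: a 4-byte 0xFFFFFFFF header followed by the fixed
# query string the post refers to as "TSource Engine Query" (25 bytes total).
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"
# Source servers answer with the same header and an 'I' response type byte.
A2S_INFO_RESPONSE_HDR = b"\xff\xff\xff\xffI"


def is_a2s_info_request(payload: bytes) -> bool:
    """True when the UDP payload is exactly the Source engine info query."""
    return payload == A2S_INFO_REQUEST


def flood_sources(packets, window_s=1.0, threshold=5):
    """Return {src_ip: peak queries per window} for sources above threshold.

    packets: iterable of (timestamp_seconds, src_ip, udp_payload).  In a
    reflection attack the src_ip is the spoofed victim, so a single source
    sending many queries per second is the signal a server operator sees.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, payload in packets:
        if is_a2s_info_request(payload):
            buckets[src][int(ts // window_s)] += 1
    peaks = {src: max(counts.values()) for src, counts in buckets.items()}
    return {src: peak for src, peak in peaks.items() if peak > threshold}


def amplification_factor(response_payload: bytes) -> float:
    """Response bytes the server emits per request byte (the reflection gain)."""
    return len(response_payload) / len(A2S_INFO_REQUEST)


# Constructed capture: a legitimate client polling once a second (203.0.113.7)
# and a spoofed victim address (198.51.100.9) appearing 40 times in one second.
SAMPLE_PACKETS = [(float(t), "203.0.113.7", A2S_INFO_REQUEST) for t in range(3)]
SAMPLE_PACKETS += [(1 + i / 40, "198.51.100.9", A2S_INFO_REQUEST) for i in range(40)]
SAMPLE_PACKETS.append((1.5, "192.0.2.1", b"\xff\xff\xff\xffW"))  # unrelated datagram

# Constructed 250-byte A2S_INFO response (header plus padded server fields).
SAMPLE_RESPONSE = A2S_INFO_RESPONSE_HDR + bytes(250 - len(A2S_INFO_RESPONSE_HDR))

if __name__ == "__main__":
    print("flooding sources:", flood_sources(SAMPLE_PACKETS))
    print("amplification factor:", amplification_factor(SAMPLE_RESPONSE))
```

Rate-limiting A2S_INFO answers per source, or requiring the challenge that newer Source servers support, cuts the gain this function measures.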
As you can see, these are some of the DDoS attack types used by the Botnet – the largest botnet to date.
Hope you guys understand and give it a try (maybe) some day in the future, but always remember: for educational purposes only. 😀