DoS packet filter using DNS information (PDF)

To remain resilient and resistant, it is imperative, and suggested, to outline and conduct a thorough analysis of the components in your inventory based on functionality, architecture and performance. The outcome of this research should identify potential causes of a DoS and highlight single points of failure, ranging from programming errors to resource exhaustion. From a prevention point of view, it is important to have a clear picture of how to tackle the appropriate components to address the issue at stake.

That is why a solid understanding of your environment is essential to develop a suitable defence mechanism. These could be aligned with: Within this document we adhere to a particular guidance structure to illustrate how to analyse this subject based on your situation. It is by no means a complete approach, but it aims to provide fundamental building blocks that assist you in constructing anti-DoS concepts fitting your needs.

The document categorizes the 7 OSI model layers into three main attack categories, namely application, session and network. Application attacks focus on rendering applications unavailable by exhausting resources or by making them unusable in a functional way. Session or protocol attacks focus on consuming server resources, or the resources of intermediary equipment like firewalls and load balancers. Network or volumetric attacks focus on saturating the bandwidth of the network resource.

It is important to understand that each of these three attack categories needs to be considered when designing a DoS-resilient solution. Note that OSI model layers 1 and 2 are not included in this categorization.

In the spirit of providing a complete overview of all types of DoS attacks, we will briefly discuss these two layers and how DoS applies to them. The physical layer consists of the networking hardware transmission technologies of a network. It is the fundamental layer underlying the logical data structures of the higher-level functions in a network.

Typical DoS scenarios at this layer are destruction, obstruction and malfunction. An example is the case where an elderly Georgian woman sliced through an underground cable, resulting in loss of internet for the whole of Armenia. The data link layer is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment.

In a MAC flooding attack, the intention is to consume the limited memory a switch uses to store the MAC-to-physical-port translation table (the MAC table). The result is that valid MAC addresses are purged and the switch enters a fail-over mode in which it acts as a network hub: all data is then forwarded to all ports, resulting in data leakage. With ARP poisoning, the result is that the attacker's MAC address is linked to the IP address of a legitimate device on the network.

This allows an attacker to intercept, modify or stop data in transit that was intended for the victim IP address. The ARP protocol is specific to the local area network and could cause a DoS of on-the-wire communication. Packet filtering technology can be used to inspect packets in transit to identify and block offending ARP packets. Another approach is to use static ARP tables, but they prove difficult to maintain.
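The two layer-2 countermeasures just named, inspecting ARP packets in transit against a static table and watching for a port that suddenly sources an implausible number of MAC addresses, can be shown in one small inspector. The following Python is an added example written for this page, not code from the original document; the frames, addresses and the per-port MAC limit are constructed for illustration, and the inspector models what a switch port-security or ARP inspection feature would do rather than any particular vendor's implementation.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    """'192.168.1.1' -> 4 raw bytes."""
    return bytes(int(o) for o in text.split("."))


def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode=ARP_REPLY):
    """Construct an Ethernet/ARP frame (constructed test data, not a capture)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip_text) for an Ethernet/IPv4 ARP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28]
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpInspector:
    """Port-level ARP inspection: drop ARP packets whose sender MAC contradicts a
    static IP->MAC table, and flag a port that sources more distinct MAC addresses
    than its setting allows (the symptom of a MAC flooding attempt)."""

    def __init__(self, static_table, max_macs_per_port=8):
        self.static = {ip_text: mac(mac_text) for ip_text, mac_text in static_table.items()}
        self.max_macs_per_port = max_macs_per_port
        self.port_macs = defaultdict(set)
        self.alerts = []

    def inspect(self, port, frame):
        """Return True to forward the frame, False to drop it (and record why)."""
        src_mac = frame[6:12]
        self.port_macs[port].add(src_mac)
        if len(self.port_macs[port]) > self.max_macs_per_port:
            self.alerts.append(("mac-flood", port))
            return False
        parsed = parse_arp(frame)
        if parsed is None:
            return True  # not ARP: outside this inspector's remit
        opcode, sender_mac, sender_ip = parsed
        expected = self.static.get(sender_ip)
        if expected is not None and sender_mac != expected:
            self.alerts.append(("arp-spoof", sender_ip, sender_mac.hex(":")))
            return False
        return True


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"   # constructed sample values
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:ff"


def demo():
    """Run the inspector over constructed frames; returns (forward decisions, alerts)."""
    insp = ArpInspector({GATEWAY_IP: GATEWAY_MAC}, max_macs_per_port=4)
    legit = build_arp(mac(GATEWAY_MAC), ip4(GATEWAY_IP), mac(VICTIM_MAC), ip4(VICTIM_IP))
    spoof = build_arp(mac("de:ad:be:ef:00:01"), ip4(GATEWAY_IP), mac(VICTIM_MAC), ip4(VICTIM_IP))
    decisions = [insp.inspect(1, legit), insp.inspect(2, spoof)]
    # One port sourcing six different MACs in a row trips the per-port limit of four.
    for i in range(6):
        fake = mac(f"02:00:00:00:00:{i:02x}")
        probe = build_arp(fake, ip4(f"192.168.1.{100 + i}"), mac(GATEWAY_MAC), ip4(GATEWAY_IP), ARP_REQUEST)
        decisions.append(insp.inspect(3, probe))
    return decisions, insp.alerts


if __name__ == "__main__":
    print(demo())
```

The static table is the costly part in practice, which is the maintenance burden the text mentions; the per-port MAC limit needs no such table and catches the flooding case on its own, at the price of tuning the limit for hosts that legitimately bridge several MACs.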

Application layer attacks focus on rendering applications unavailable by exhausting resources or by making them unusable in a functional way. These attacks do not have to consume the network bandwidth to be effective. Rather, they place an operational strain on the application server in such a way that the server becomes unavailable, unusable or non-functional.

All attacks exploiting weaknesses in the OSI layer 7 protocol stack are generally categorised as application attacks. TODO: List all attacks per category. Because we cannot map remediations one-to-one onto an attack vector, we first need to list them before discussing the action points. In a slow HTTP attack, until the HTTP request is fully delivered, the server keeps resources tied up while waiting for the missing incoming data.

At some point the server reaches its maximum concurrent connection pool, resulting in a DoS. From an attacker's perspective, slow HTTP attacks are cheap to perform because they require minimal resources.
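The connection-pool exhaustion described above is usually mitigated by two limits in front of the pool: a cap on concurrent connections per source address and a deadline by which a connection must finish sending its request headers. The following simulation is an added example written for this page, not code from the original document; the pool size, limits, addresses and event times are constructed, and the class models the policy rather than any specific web server's configuration.

```python
import itertools
from collections import defaultdict


class ConnectionGuard:
    """Simulated guard in front of a server's connection pool: caps concurrent
    connections per source address and reaps connections whose request headers
    have not completed within a deadline, so a slow-request flood cannot hold the
    pool indefinitely."""

    def __init__(self, pool_size=100, max_per_source=10, header_deadline=10.0):
        self.pool_size = pool_size
        self.max_per_source = max_per_source        # None disables the per-source cap
        self.header_deadline = header_deadline      # seconds allowed to finish headers
        self.active = {}                            # conn_id -> [src, opened_at, headers_done]
        self.per_source = defaultdict(int)
        self._ids = itertools.count(1)

    def open(self, src, now):
        """Admit a new connection and return its id, or None if a limit would be exceeded."""
        if len(self.active) >= self.pool_size:
            return None
        if self.max_per_source is not None and self.per_source[src] >= self.max_per_source:
            return None
        cid = next(self._ids)
        self.active[cid] = [src, now, False]
        self.per_source[src] += 1
        return cid

    def headers_complete(self, cid):
        """Mark that the full request header block has arrived on this connection."""
        self.active[cid][2] = True

    def close(self, cid):
        src, _, _ = self.active.pop(cid)
        self.per_source[src] -= 1

    def reap(self, now):
        """Close every connection still waiting for headers past the deadline; return their ids."""
        stale = [cid for cid, (src, opened_at, done) in self.active.items()
                 if not done and now - opened_at >= self.header_deadline]
        for cid in stale:
            self.close(cid)
        return stale


def simulate(max_per_source=5):
    """Constructed scenario: one source opens 30 never-completing connections at t=0,
    a legitimate client connects at t=1, and the reaper runs at t=10.
    Returns (attacker connections admitted, client admitted, connections reaped, still active)."""
    guard = ConnectionGuard(pool_size=20, max_per_source=max_per_source, header_deadline=10.0)
    attacker, client = "203.0.113.66", "198.51.100.7"   # documentation-range addresses
    attacker_admitted = sum(guard.open(attacker, 0.0) is not None for _ in range(30))
    cid = guard.open(client, 1.0)
    if cid is not None:
        guard.headers_complete(cid)
    reaped = len(guard.reap(10.0))
    return attacker_admitted, cid is not None, reaped, len(guard.active)


if __name__ == "__main__":
    print("with per-source cap:   ", simulate(5))
    print("without per-source cap:", simulate(None))
```

Running `simulate(None)` shows the failure mode the text describes: the single slow source fills the whole pool and the legitimate client is refused until the header deadline reaps the stalled connections. With the per-source cap the client is admitted immediately; the deadline alone only bounds how long the outage lasts, while the cap is what keeps one source from causing it.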

Network attacks are volumetric in nature, and amplification techniques make them effective. Rate limiting is the process of controlling the traffic rate from and to a server or component.

This is not a comprehensive tutorial on how to analyze malicious network traffic. Instead, it shows some tips and tricks for Wireshark filters. This tutorial covers the following areas:

This tutorial uses examples of Windows infection traffic from commodity malware distributed through mass-distribution methods like malicious spam (malspam) or web traffic. These infections can follow many different paths before the malware, usually a Windows executable file, infects a Windows host. Indicators consist of information derived from network traffic that relates to the infection.

Security professionals often document indicators related to Windows infection traffic such as URLs, domain names, IP addresses, protocols, and ports. Proper use of the Wireshark display filter can help people quickly find these indicators. Wireshark's display filter is a bar located right above the column display section.

This is where you type expressions to filter the frames, IP packets, or TCP segments that Wireshark displays from a pcap.

Figure 1. Location of the display filter in Wireshark.

If you type anything in the display filter, Wireshark offers a list of suggestions based on the text you have typed. While the display filter bar remains red, the expression is not yet accepted.

If the display filter bar turns green, the expression has been accepted and should work properly. If the display filter bar turns yellow, the expression has been accepted, but it will probably not work as intended.

Figure 2. Wireshark's display filter offering suggestions based on what you type.

Figure 3. Wireshark's display filter accepts an expression, and it works as intended.

Figure 4. Example of Wireshark's display filter accepting an expression, but it does not work as intended.

Wireshark's display filter uses Boolean expressions, so you can specify values and chain them together.

The following expressions are commonly used: When specifying a value to exclude, do not use the != operator. For example, if you want to specify all traffic that does not include IP address. As noted in my previous tutorial on Wireshark, I often use the following filter expression as a way to quickly review web traffic in a pcap: The value http. My previous tutorial contains web traffic generated when a user viewed a URL from college.

In the pcap, the user was on a Windows 10 computer using Microsoft's Edge web browser. Filtering on http.

Figure 5. Filtering on web traffic using the previous tutorial's pcap.

Therefore, I filter this out using the following expression: Filtering out SSDP activity when reviewing a pcap from an infection on a Windows 7 host provides a much clearer view of the traffic.

Figure 6 shows a pcap filtered on web traffic that contains SSDP requests. Figure 7 shows the same pcap filtered on web traffic excluding the SSDP requests, which provides a clearer picture of the activity.

Figure 6.

Figure 7.

In Figure 7, we see some indicators of infection traffic, but not every indicator of the infection is revealed. In some cases, an infected host may try to connect with a server that has been taken offline or is refusing a TCP connection.

Try the following filter on the same traffic:

Figure 8. Including TCP SYN segments in your filter can reveal unsuccessful connection attempts by an infected host to other servers.

In some cases, post-infection traffic will not be web-based, and an infected host will contact command and control (C2) servers.

These servers can be directly hosted on IP addresses, or they can be hosted on servers using domain names. Therefore, I often add DNS activity when reviewing a pcap to see if any of these domains are active in the traffic.

This results in the following filter expression: In Figure 9, I use the above filter expression to review a pcap showing a Nanocore RAT executable file downloaded from www. The initial download is followed by attempted TCP connections to franex.

Figure 9.

Figure 10.

Some infection traffic uses common protocols that can easily be decoded by Wireshark. Figure 11 shows post-infection traffic caused by this malware executable that generates FTP traffic.
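The progression the tutorial walks through (start from web requests, drop the SSDP noise, then add TCP SYN segments to catch refused connections and DNS to catch C2 domain lookups) is a triage pipeline, and it helps to see it written out as code. The following Python is an added example written for this page; it is not Wireshark, not the tutorial's own filter text, and not the author's code. It decodes the few Ethernet/IPv4/TCP/UDP fields the triage needs from raw frames and then applies the same successive selections. All frames, addresses and payloads are constructed inline for illustration, and the SSDP check and the HTTP-method list are simplifications of what Wireshark's dissectors do.

```python
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
# SSDP is HTTP-over-UDP, so an HTTP-shaped match also catches M-SEARCH/NOTIFY discovery
HTTP_LIKE = (b"GET ", b"POST ", b"HEAD ", b"M-SEARCH ", b"NOTIFY ")


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def build_frame(src, dst, proto, sport, dport, payload=b"", flags=0):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed test data; checksums zero)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip_hdr + l4


def parse_frame(frame):
    """Decode the fields the triage needs; return None for anything that is not IPv4 TCP/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"proto": ip[9],
           "src": ".".join(map(str, ip[12:16])),
           "dst": ".".join(map(str, ip[16:20]))}
    l4 = ip[ihl:]
    if pkt["proto"] == PROTO_TCP:
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", l4[:14])
        pkt.update(sport=sport, dport=dport, flags=flags, payload=l4[(off >> 4) * 4:])
    elif pkt["proto"] == PROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update(sport=sport, dport=dport, flags=0, payload=l4[8:])
    else:
        return None
    return pkt


def is_http_request(p): return p["payload"].startswith(HTTP_LIKE)
def is_ssdp(p): return p["proto"] == PROTO_UDP and 1900 in (p["sport"], p["dport"])
def is_tcp_syn(p): return p["proto"] == PROTO_TCP and p["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN
def is_dns(p): return p["proto"] == PROTO_UDP and 53 in (p["sport"], p["dport"])


def triage(frames, exclude_ssdp=True, with_syn=True, with_dns=True):
    """Keep the packets the tutorial's successive filters would show, tagged by why they matched."""
    kept = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None or (exclude_ssdp and is_ssdp(p)):
            continue
        if is_http_request(p):
            kept.append(("http", p["src"], p["dst"], p["dport"]))
        elif with_syn and is_tcp_syn(p):
            kept.append(("syn", p["src"], p["dst"], p["dport"]))
        elif with_dns and is_dns(p):
            kept.append(("dns", p["src"], p["dst"], p["dport"]))
    return kept


HOST = "10.0.0.5"   # constructed infected-host address
SAMPLE_FRAMES = [   # constructed sequence loosely shaped like the one described above
    build_frame(HOST, "239.255.255.250", PROTO_UDP, 49152, 1900, b"M-SEARCH * HTTP/1.1\r\n"),
    build_frame(HOST, "10.0.0.1", PROTO_UDP, 51234, 53, bytes(12) + b"constructed-query"),
    build_frame(HOST, "203.0.113.7", PROTO_TCP, 49201, 80, flags=TCP_SYN),
    build_frame(HOST, "203.0.113.7", PROTO_TCP, 49201, 80, b"GET /payload.exe HTTP/1.1\r\n", flags=TCP_ACK),
    build_frame(HOST, "203.0.113.9", PROTO_TCP, 49202, 8080, flags=TCP_SYN),   # server that never answers
    build_frame("203.0.113.7", HOST, PROTO_TCP, 80, 49201, b"HTTP/1.1 200 OK\r\n", flags=TCP_ACK),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FRAMES):
        print(row)
```

Calling `triage(SAMPLE_FRAMES, exclude_ssdp=False)` reproduces the Figure 6 problem: the SSDP discovery message is HTTP-shaped and lands at the top of the list. With the default exclusion the list contains only the download request, the two SYNs (one of them to a port that never answered, the Figure 8 case) and the DNS lookup, which is the view the later figures are built on.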