Which type of attack broadcasts a network request to multiple computers but changes the address from which the request appears to come, so that the replies go to the victim's computer?

Embedded security

J. Rosenberg, in Rugged Embedded Systems, 2017

Internet control message protocol (ICMP) flood

A smurf attack relies on misconfigured network devices that forward packets addressed to the broadcast address of a network (a directed broadcast) to all hosts on that network, rather than to a specific machine. The attacker sends large numbers of ICMP echo request packets to such a broadcast address with the source address faked to appear to be the address of the victim, so that every host on the network replies to the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the “ping” command from Unix-like hosts. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim. Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024591000117

What Are We Trying to Prevent?

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

The Smurf Attack

The smurf attack uses an unfortunate default behavior of routers to swamp a victim host. Recall that ICMP is used to provide control messages over IP. One control message is an echo request, which asks a host to provide an echo reply, responding with the body of the message. Here lies the start of the problem: Suppose our evil host wants to take out a target host. He finds a well-connected intermediary, and forges an echo request to the intermediary host apparently from the target host. The intermediary responds, and the target receives a flood of traffic from the intermediary, potentially overwhelming the target. One additional trick makes this more deadly: the original echo request can be targeted not just at a single host, but at a broadcast address—and under a default configuration, all hosts on that network will reply. This allows a host to multiply itself by the number of hosts on that network: with a 200-fold multiplication, a single host on a 256K DSL line can saturate a 10Mb Ethernet feed.

The recommended guidance is to prevent broadcast addresses from being expanded, at least from packets on the Internet. On your Cisco routers, for each interface, apply the following configuration:

no ip directed-broadcast

This prevents directed broadcast packets arriving on the interface from being expanded into a link-layer broadcast on the attached network. Blocking ICMP alone doesn't help: a variant, fraggle, uses UDP packets in a similar fashion to flood hosts. An even more vicious approach, described in CERT advisory CA-1996-01, uses forged packets to activate the chargen port on one host and connect it to the echo port on the target; the two hosts are then locked in a fatal embrace, streaming packets at each other until one or both of the machines are reset.
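The check a practitioner wants after applying the guidance above is whether every interface on a router actually has directed-broadcast forwarding off. The following audit script is an added example, not code from the chapter: it parses the text of a Cisco IOS running configuration (the sample configuration embedded below is constructed for the example; the addresses are from the RFC 5737 documentation ranges) and reports the interfaces that would still expand directed broadcasts. One caveat it encodes: on IOS 12.0 and later the default is already off and the negated command is usually not displayed, so an interface with no directed-broadcast line is only a finding on the older releases the 2002 text was written for (the legacy_default_enabled flag). The function names and the access-list form of the command it tolerates are my own choices.

```python
"""Audit a Cisco IOS running-config for interfaces that forward directed
broadcasts (the smurf amplifier condition). Input is plain text such as the
output of 'show running-config'. Added example; the sample config is constructed."""

# Constructed sample: one interface explicitly safe, one explicitly unsafe,
# one that relies on the platform default.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description Upstream
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 description Server LAN
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface' stanza under its name.
    A '!' separator or any non-indented global command ends the stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def directed_broadcast_state(lines: list) -> str:
    """'enabled' if the interface forwards directed broadcasts (with or without
    an access list), 'disabled' if explicitly negated, else 'default'."""
    for line in lines:
        if line == "ip directed-broadcast" or line.startswith("ip directed-broadcast "):
            return "enabled"
    if "no ip directed-broadcast" in lines:
        return "disabled"
    return "default"


def audit(config: str, legacy_default_enabled: bool = False) -> list:
    """Return (interface, state) for every interface that forwards directed
    broadcasts. legacy_default_enabled=True models IOS releases before 12.0,
    where forwarding was on unless 'no ip directed-broadcast' was configured."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        state = directed_broadcast_state(lines)
        if state == "enabled" or (state == "default" and legacy_default_enabled):
            findings.append((name, state))
    return findings


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG, legacy_default_enabled=True):
        print(f"{name}: directed broadcast {state} -> add 'no ip directed-broadcast'")
```

Run it against a saved `show running-config`; an empty list from audit() on a modern release, or a list containing only explicit "disabled" states when the legacy flag is set, means the router cannot be used as a smurf amplifier through any of its interfaces.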

URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500064

Firewalls

Kaushal Chari, in Encyclopedia of Information Systems, 2003

III.B.1. Smurf Attack

In the case of a smurf attack, the attacker's objective is the denial of service at the victim host. A utility known as Ping sends ICMP Echo Request messages to a target machine to check if the target machine is reachable. The target machine, upon receiving ICMP Echo Request messages, typically responds by sending ICMP Echo Reply messages to the source. When carrying out a smurf attack, an attacker (host X in Fig. 4) uses a broadcast address for the destination address field of the IP packet carrying the ICMP Echo Request and the address of the victim host (host Y in Fig. 4) in the source address field of the IP packet. When the ICMP Echo Request messages are sent, they are broadcast to a large number of stations (1 … N in Fig. 4). All of these stations then send ICMP Echo Reply messages to the victim device, thereby flooding the victim device and perhaps bringing it down.

Figure 4. Smurf attack using IP spoofing.
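The exchange in Fig. 4, together with the amplification arithmetic from the Knipp chapter above (200 hosts turning a 256 kbit/s line into enough traffic to saturate a 10 Mbit Ethernet), as an added Python model that is not part of either chapter. Hosts, the amplifier's router and the attacker's ISP edge are plain objects and no packets are sent; the subnet sizes, the class and function names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses (RFC 5737 documentation ranges) are assumptions of the example. It runs the same spoofed requests three times: against a router that forwards directed broadcasts, against one with forwarding disabled (the Cisco fix quoted above), and with BCP 38 source-address filtering at the port the attacker sits behind.

```python
"""Model of a smurf attack against one broadcast domain and of the two router-
side controls discussed on this page. Added example; nothing here touches a
real network."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    kind: str                       # "echo-request" or "echo-reply"


@dataclass
class Lan:
    """One subnet behind a router interface: the smurf amplifier (stations 1..N)."""
    net: IPv4Network
    hosts: list
    directed_broadcast: bool = True   # forwarding on was the Cisco default before IOS 12.0

    def deliver(self, pkt: Packet) -> list:
        """Return the echo replies the LAN's hosts generate for pkt."""
        if pkt.kind != "echo-request":
            return []
        if pkt.dst == self.net.broadcast_address:
            if not self.directed_broadcast:
                return []           # router refuses to expand the directed broadcast
            targets = self.hosts    # every host answers, each to the (spoofed) source
        elif pkt.dst in self.hosts:
            targets = [pkt.dst]
        else:
            return []
        return [Packet(src=h, dst=pkt.src, kind="echo-reply") for h in targets]


def passes_ingress_filter(pkt: Packet, customer_prefix: IPv4Network) -> bool:
    """BCP 38 check at the ISP port the attacker sits behind: a packet entering
    from the customer must carry a source address inside the customer's prefix."""
    return pkt.src in customer_prefix


def build_lan(cidr: str, n_hosts: int, directed_broadcast: bool = True) -> Lan:
    net = IPv4Network(cidr)
    hosts = [IPv4Address(int(net.network_address) + i) for i in range(1, n_hosts + 1)]
    return Lan(net=net, hosts=hosts, directed_broadcast=directed_broadcast)


def run_smurf(amplifier: Lan, attacker_prefix: IPv4Network, victim: IPv4Address,
              requests: int, isp_filters: bool) -> Counter:
    """Send `requests` echo requests with the source spoofed to `victim` and the
    destination set to the amplifier's broadcast address; count what happens."""
    seen = Counter()
    for _ in range(requests):
        pkt = Packet(src=victim, dst=amplifier.net.broadcast_address, kind="echo-request")
        if isp_filters and not passes_ingress_filter(pkt, attacker_prefix):
            seen["dropped-at-isp-edge"] += 1   # victim's address is outside the attacker's prefix
            continue
        for reply in amplifier.deliver(pkt):
            if reply.dst == victim:
                seen["echo-reply-at-victim"] += 1
    return seen


def amplification(seen: Counter, requests: int) -> float:
    """Echo replies reaching the victim per request the attacker sent."""
    return seen["echo-reply-at-victim"] / requests


def scenario(n_hosts: int, directed_broadcast: bool, isp_filters: bool, requests: int = 10) -> Counter:
    """One run: 192.0.2.0/24 amplifier, attacker behind 198.51.100.0/24,
    victim 203.0.113.10 (assumed addresses from the documentation ranges)."""
    lan = build_lan("192.0.2.0/24", n_hosts, directed_broadcast)
    return run_smurf(lan, IPv4Network("198.51.100.0/24"), IPv4Address("203.0.113.10"),
                     requests, isp_filters)


if __name__ == "__main__":
    cases = [("default router, no filtering", True, False),
             ("no ip directed-broadcast", False, False),
             ("BCP 38 at the attacker's ISP", True, True)]
    for label, dbc, filt in cases:
        factor = amplification(scenario(200, dbc, filt), 10)
        # a 256 kbit/s attacker line becomes factor * 256 kbit/s at the victim
        print(f"{label:30}: x{factor:.0f}, {factor * 256 / 1000:.1f} Mbit/s at the victim")
```

The first case reproduces the 200-fold figure (about 51 Mbit/s at the victim from a 256 kbit/s line); the other two show that either control alone reduces the victim's share to zero, which is why both are recommended: the amplifier's operator controls only the first, the attacker's ISP only the second.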

URL: https://www.sciencedirect.com/science/article/pii/B0122272404000708

Domain 9

Eric Conrad, in Eleventh Hour CISSP, 2011

Answers

1.

Correct Answer and Explanation: A. Answer A is correct; smurf attacks are a DoS technique that uses spoofed ICMP Echo Requests sent to misconfigured third parties (amplifiers) in an attempt to exhaust the victim's resources.

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. Session hijacking involves a combination of sniffing and spoofing to allow the attacker to masquerade as one or both ends of an established connection. The teardrop attack works by sending overlapping fragments that, when received by a vulnerable host, can cause a system to crash. The land attack is a malformed packet DoS that can cause vulnerable systems to crash by sending a SYN packet with both the source and destination IP address set to that of the victim.

2.

Correct Answer and Explanation: C. Answer C is correct; session hijacking involves a combination of sniffing and spoofing so that the attacker can masquerade as one or both ends of an established connection.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Password cracking has little to do with which website is resolved. Though Trojan Horse infections no doubt have the ability to alter hosts tables, DNS settings, and other things that can cause this behavior, they are considered malware rather than an attack technique. Also the mention of a trusted endpoint makes session hijacking the more likely answer. UI redressing is a simple distraction answer, and is the more generic term for what is known as clickjacking.

3.

Correct Answer and Explanation: A. Answer A is correct; configuration management involves the creation of known security baselines for systems, which are often built leveraging third-party security configuration guides.

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. Change management is concerned with ensuring a regimented process for any system changes. Patch management focuses on ensuring that systems receive timely updates to the security and functionality of the installed software. The goal of vulnerability management is to understand what known vulnerabilities exist in an organization and to track their remediation over time.

4.

Correct Answer and Explanation: B. Answer B is correct; the teardrop attack is a DoS that works by sending overlapping fragments that, when received by a vulnerable host, can cause a system to crash.

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. Smurf attacks are a DoS that uses spoofed ICMP Echo Requests sent to misconfigured third parties (amplifiers) in an attempt to exhaust the victim's resources. Fraggle attacks are a smurf variation that uses spoofed UDP rather than ICMP messages to stimulate the misconfigured third-party systems. Session hijacking involves a combination of sniffing and spoofing in which the attacker masquerades as one or both ends of an established connection.

5.

Correct Answer and Explanation: C. Answer C is correct; rotation of duties is useful in detecting fraud by requiring that more than one employee perform a particular task. In addition to fraud detection, rotation can determine if there is a lack of depth for a given role or function within the organization.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Separation of duties attempts to prevent fraud by requiring multiple parties to carry out a transaction or by segregating conflicting roles. The principle of least privilege is not associated specifically with fraud detection. Collusion is the term for multiple parties acting together to perpetrate a fraud.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495660000096

Introduction

Mohammad Reza Khalifeh Soltanian, Iraj Sadegh Amiri, in Theoretical and Experimental Methods for Defending Against DDOS Attacks, 2016

Abstract

Denial of service (DoS) attacks are now one of the biggest issues on the Internet. The distributed denial of service (DDoS) smurf attack is an example of an amplification attack, in which the attacker sends packets to a network amplifier with the return address spoofed to the victim's IP address. One of the major properties of our solution for identifying and mitigating DDoS attacks, which distinguishes it from other solutions, is the manner in which routers and firewalls communicate with each other to reduce the false rejection rate (FRR) and false acceptance rate (FAR) as much as possible. Attackers are able to break into hundreds or thousands of computers and install their own tools to abuse them. The objective of this project is to propose a practical algorithm that allows routers to communicate and collaborate across the network to detect and distinguish DDoS attacks. The algorithm allows DDoS attacks on servers to be detected, identified and blocked.

URL: https://www.sciencedirect.com/science/article/pii/B9780128053911000018

Botnets Overview

Craig A. Schiller, ... Michael Cross, in Botnets, 2007

DDoS

The earliest malicious use of a botnet was to launch Distributed Denial of Service attacks against competitors, rivals, or people who annoyed the botherder. You can see a typical botnet DDoS attack in Figure 2.3. The sidebar, “A Simple Botnet” in Chapter 1 describes the play-by-play for the DDoS. The actual DDoS attack could involve any one of a number of attack technologies, for example TCP Syn floods or UDP floods.

Figure 2.3. A DDoS Attack

In order to understand how a TCP SYN flood works you first have to understand the TCP connection handshake. TCP is a connection-oriented protocol. To establish a connection, the initiator sends a synchronization (SYN) segment carrying its initial sequence number. The receiving party acknowledges the request with a segment that carries its own SYN and an acknowledgement (ACK) of the initiator's sequence number. The initiator then acknowledges the receiver's sequence number in turn, completing the three-way handshake. Figure 2.4 illustrates the TCP three-way handshake.

Figure 2.4. A TCP Connection Handshake

Figure 2.5 illustrates a SYN Flood attack. A SYN flood attacker sends just the SYN messages without replying to the receiver's response. The TCP specification requires the receiver to allocate a chunk of memory called a control block and wait a certain length of time before giving up on the connection. If the attacker sends thousands of SYN messages the receiver has to queue up the messages in a connection table and wait the required time before clearing them and releasing any associated memory. Once the buffer for storing these SYN messages is full, the receiver may not be able to receive any more TCP messages until the required waiting period allows the receiver to clear out some of the SYNs. A SYN flood attack can cause the receiver to be unable to accept any TCP type messages, which includes Web traffic, FTP, Telnet, SMTP, and most network applications.

Figure 2.5. SYN Flood Example
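The half-open connection table that the paragraph above describes, modelled in Python as an added example (not the authors' code): a listener with a fixed backlog that reserves an entry per SYN and frees it only on the final ACK or after a timeout, beside a stateless listener that uses SYN cookies, the standard mitigation that the chapter does not cover. The cookie is an HMAC over the client address and a coarse time slot, so the server holds no memory for a SYN it has not seen completed. Packets are tuples, no sockets are opened, and the backlog size, timeout, slot length and the RFC 5737 documentation addresses are assumptions of the example.

```python
"""A TCP listener under a SYN flood: the classic half-open queue the text
describes, then stateless SYN cookies. Added example; no real sockets."""
import hashlib
import hmac
import os
from collections import OrderedDict

SYN_TIMEOUT = 60.0      # seconds a half-open entry is held (illustrative value)
COOKIE_WINDOW = 64      # seconds per SYN-cookie time slot (illustrative value)


class BacklogListener:
    """Every SYN reserves a control block until the final ACK arrives or the
    entry times out; the flood wins once the queue is full."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = OrderedDict()   # client -> (isn, arrival time)
        self.established = set()

    def _expire(self, now: float) -> None:
        for client, (_, arrived) in list(self.half_open.items()):
            if now - arrived > SYN_TIMEOUT:
                del self.half_open[client]

    def on_syn(self, client: tuple, now: float):
        """Return the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                  # queue full: no SYN-ACK, client retries or gives up
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = (isn, now)
        return isn

    def on_ack(self, client: tuple, ack: int, now: float) -> bool:
        entry = self.half_open.pop(client, None)
        if entry is None or ack != entry[0] + 1:
            return False
        self.established.add(client)
        return True


class SynCookieListener:
    """The ISN is an HMAC over the client address and a coarse time slot, so the
    server stores nothing per SYN and can still recognise a genuine final ACK."""

    def __init__(self):
        self.secret = os.urandom(16)
        self.established = set()

    def _cookie(self, client: tuple, slot: int) -> int:
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client: tuple, now: float) -> int:
        return self._cookie(client, int(now) // COOKIE_WINDOW)   # nothing is stored

    def on_ack(self, client: tuple, ack: int, now: float) -> bool:
        slot = int(now) // COOKIE_WINDOW                           # accept current and previous slot
        if any(ack == self._cookie(client, s) + 1 for s in (slot, slot - 1)):
            self.established.add(client)
            return True
        return False


def flood_then_connect(listener, flood_size: int, now: float = 1_000_000.0) -> bool:
    """Send flood_size SYNs from spoofed addresses that never complete the
    handshake, then try one legitimate client. Returns whether it connected."""
    for i in range(flood_size):
        spoofed = (f"203.0.113.{i % 250 + 1}", 40000 + i)   # constructed attacker sources
        listener.on_syn(spoofed, now)
    legit = ("198.51.100.20", 51515)
    isn = listener.on_syn(legit, now + 1)
    if isn is None:
        return False
    return listener.on_ack(legit, isn + 1, now + 2)


if __name__ == "__main__":
    print("backlog of 128, 1000 spoofed SYNs:", flood_then_connect(BacklogListener(128), 1000))
    print("SYN cookies,    1000 spoofed SYNs:", flood_then_connect(SynCookieListener(), 1000))
```

The first listener refuses the legitimate client as soon as 128 spoofed SYNs are pending and stays that way until SYN_TIMEOUT elapses, which is exactly the window the flood keeps refilling; the cookie listener has no table to fill, and a forged ACK that does not carry cookie+1 for the right client and slot is rejected without any state having been spent on it.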

Other DDoS attacks include:

UDP Flood. In a UDP Flood attack, the attacker sends a large number of small UDP packets, sometimes to random diagnostic ports (chargen, echo, daytime, etc.), or possibly to other ports. Each packet requires processing time, memory, and bandwidth. If the attacker sends enough packets, then the victim's computer is unable to receive legitimate traffic.

Smurf attack. In a Smurf attack, the attacker floods ICMP echo requests to a directed broadcast address but spoofs the source IP address, which traditionally might be the address of a local Web server. When each computer on the broadcast network responds to the ping, it sends its reply to the Web server, which is overwhelmed by the volume of replies. Smurf attacks are easy to block these days by using ingress filters at routers that check that packets arriving from outside do not carry source addresses belonging to the inside network; a spoofed packet is dropped at the border router. However, given that attackers may control 50,000 compromised remote hosts and therefore have no need to spoof source addresses, the same effect is easily achieved with TCP SYN or UDP flooding attacks aimed at a local Web server.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491358500044

VoIP Security

Harsh Kupwade Patil, ... Thomas M. Chen, in Computer and Information Security Handbook (Second Edition), 2013

Call Data Floods

The attacker will flood the target with RTP packets, with or without first establishing a legitimate RTP session, in an attempt to exhaust the target’s bandwidth or processing power, leading to degradation of VoIP quality for other users on the same network or just for the victim. Other common forms of load-based attacks that could affect the VoIP system are buffer overflow attacks, TCP SYN flood, UDP flood, fragmentation attacks, smurf attacks, and general overload attacks. Though VoIP equipment needs to protect itself from these attacks, these attacks are not specific to VoIP.

A SIP proxy can be overloaded with excessive legitimate traffic—the classic “Mother’s Day” problem when the telephone system is most busy. Large-scale disasters (earthquakes) can also cause similar spikes, which are not attacks. Thus, even when not under attack, the system could be under high load. If the server or the end user is not fast enough to handle incoming loads, it will experience an outage or misbehave in such a way as to become ineffective at processing SIP messages. This type of attack is very difficult to detect because it would be difficult to sort the legitimate user from the illegitimate users who are performing the same type of attack.

URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000507

Understanding the threat

Allan Liska, in Building an Intelligence-Led Security Program, 2015

Distributed denial of service attacks

The final piece of security history is the Distributed Denial of Service (DDoS) attack. Denial of Service (DoS) attacks have been around since the advent of the first piece of malware. It was very common for a virus to eat up system resources, sometimes unintentionally, sometimes not, to the point that the machine became unusable and had to be rebooted or worse. But a DDoS attack is an attack against an entire network that originates from thousands or hundreds of thousands of hosts.

The first recorded DDoS attacks were in 1989 using simple ping flooding (Defense.net, 2014), which sends large numbers of Internet Control Message Protocol (ICMP) packets, usually from spoofed IP addresses, that eat up system resources and prevent the system from responding to other queries.

Other notable DDoS tactics included smurf and fraggle attacks. A smurf attack occurred when an attacker sent a spoofed ICMP ping request to the broadcast address of a network. The request was delivered to all of the hosts on the network, and every host on that network then sent a response to the spoofed (victim) host. The name smurf comes from the tool smurf.c, which was released by TFreak in 1997. These attacks became so common that a new RFC had to be introduced. RFC 2644, released in 1999, requires routers to be able to disable forwarding of directed broadcasts and makes that the default. Because every network lies behind a router, smurf attacks became largely ineffective.

Fraggle attacks were similar in design in that they were spoofed packets sent to broadcast addresses. However, instead of spoofed ICMP ping packets, they were spoofed UDP (User Datagram Protocol) packets sent to port 7 (echo) and port 19 (chargen, the Character Generator Protocol). Again, forwarding of directed broadcasts is now disabled by default, and most organizations block all unneeded ports at the firewall, especially ports like UDP 7 and 19, which are no longer widely used.

As DDoS attacks grew in popularity, so did the capability and sophistication of the tools used in these attacks. In 1997 this growth in sophistication resulted in the release of the DDoS-specific tool Trin00. Trin00 resided on compromised hosts and was controlled by a master. The Trin00 master would send commands to the daemons telling them to initiate the attacks. The daemons would then launch UDP-flooding attacks against a specified IP address.

The rise of DDoS attacks also led to the rise of botnets. For an attacker to be effective, it was necessary for the attacker to control thousands or even hundreds of thousands of compromised hosts. Of course, with control of those hosts an attacker was able to do more than just launch DDoS attacks. With a large botnet an attacker could launch spam and phishing campaigns, spread malware to other hosts on compromised networks and collect usernames, passwords, and other personal data.

URL: https://www.sciencedirect.com/science/article/pii/B9780128021453000016

Understanding Network Intrusions and Attacks

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Ping Flood/Fraggle/Smurf

The ping flood or ICMP flood is a means of tying up a specific client machine. It is caused by an attacker sending a large number of ping packets (ICMP echo request packets) to the victim. This flood prevents the software from responding to server ping activity requests, which causes the server to eventually time out the connection. A symptom of a ping flood is a huge amount of modem activity. This type of attack is also referred to as a ping storm.

The fraggle attack is related to the ping storm. Using a spoofed source IP address (the address of the targeted victim), an attacker sends packets to a subnet's broadcast address; in fraggle these are UDP packets (typically to the echo port, UDP 7) rather than ICMP echo requests, and every host on the subnet that answers floods the spoofed address with its replies.

On the Scene

Fraggle Attacks in Action

During the Kosovo crisis, pro-Serbian hackers frequently used the fraggle attack against U.S. and NATO sites to overload them and bring them down.

The smurf attack is a form of brute force attack that uses the same method as the ping flood, but directs the flood of Internet Control Message Protocol (ICMP) echo request packets at the network's router. The destination address of the ping packets is the broadcast address of the network (a directed broadcast), which causes the router to deliver the packet to every computer on the network or segment. This can result in a very large amount of network traffic if there are many host computers, and it can create congestion that causes a denial of service to legitimate users.

Note

The broadcast address is normally represented by all 1s in the host ID (in the binary form of the address). This means, for example, that on Class C network 192.168.1.0, the broadcast address would be 192.168.1.255. The number 255 in decimal represents 11111111 in binary, and in a Class C network, the last, or z, octet represents the host ID. A message sent to the broadcast address is sent simultaneously to all hosts on the network.

In its most insidious form, the smurf attacker spoofs the source IP address of the ping packet. Then both the network to which the packets are sent and the network of the spoofed source IP address will be overwhelmed with traffic. The network to which the spoofed source address belongs will be deluged with responses to the ping when all the hosts to which the ping was sent answer the echo request with an echo reply.

Smurf attacks can generally do more damage than some other forms of DoS, such as SYN floods. The SYN flood affects only the ability of other computers to establish a TCP connection to the flooded server, but a smurf attack can bring an entire ISP down for minutes or hours. This is because a single attacker can easily send 40 to 50 ping packets per second, even using a slow modem connection. Because each packet is broadcast to every computer on the destination network, the number of responses per second is 40 to 50 times the number of computers on the network—which could be hundreds or thousands. This is enough data to congest even a T1 link.

One way to prevent a smurf attack from using a network as the amplifier is to disable forwarding of directed broadcasts on the router (no ip directed-broadcast on Cisco routers); most routers allow you to do this. To prevent the network from being the victim of the spoofed source address, configure the firewall to filter out, or at least rate-limit, incoming ICMP echo traffic, in particular the echo replies that the amplifier's hosts send to the spoofed address.
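The victim-side symptom the chapter describes (replies per second equal to the attacker's rate times the number of hosts on the amplifier network) is detectable on a packet capture, because the victim receives echo replies from many hosts on one subnet that it never pinged. The detector below is an added example, not the chapter's code: it reads tcpdump-style lines (the sample lines are constructed, with addresses from the RFC 5737 documentation ranges) and flags any destination that receives echo replies from at least min_sources distinct hosts in a /24 while having sent that subnet far fewer echo requests. The line format, the thresholds and the function names are assumptions of the example.

```python
"""Reflected ICMP (smurf) flood detector over tcpdump -n style lines, as seen
from the victim's network. Added example; the sample capture is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)

# Constructed sample: one normal ping exchange (two requests, two replies),
# then 200 echo replies from 192.0.2.0/24 to 203.0.113.10 that nobody asked for.
SAMPLE = [
    "12:00:00.000100 IP 203.0.113.10 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64",
    "12:00:00.000900 IP 198.51.100.1 > 203.0.113.10: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:00.100000 IP 203.0.113.10 > 198.51.100.1: ICMP echo request, id 1, seq 2, length 64",
    "12:00:00.100800 IP 198.51.100.1 > 203.0.113.10: ICMP echo reply, id 1, seq 2, length 64",
] + [
    f"12:00:01.{i:06d} IP 192.0.2.{i} > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64"
    for i in range(1, 201)
]


def subnet24(ip: str) -> str:
    """Group hosts by their /24, the typical size of a smurf amplifier network."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect_reflected_floods(lines, min_sources: int = 20, min_reply_ratio: float = 10.0) -> list:
    """Return (victim, source /24, distinct sources, replies, requests) for each
    victim/subnet pair where replies come from at least min_sources hosts and
    outnumber the victim's own echo requests to that subnet by min_reply_ratio."""
    replying_hosts = defaultdict(set)   # (dst, src /24) -> hosts that replied
    reply_count = defaultdict(int)      # (dst, src /24) -> echo replies received
    request_count = defaultdict(int)    # (src, dst /24) -> echo requests sent
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                    # not an ICMP echo line; ignore
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if kind == "reply":
            replying_hosts[(dst, subnet24(src))].add(src)
            reply_count[(dst, subnet24(src))] += 1
        else:
            request_count[(src, subnet24(dst))] += 1
    findings = []
    for (victim, net), hosts in replying_hosts.items():
        sent = request_count.get((victim, net), 0)
        got = reply_count[(victim, net)]
        if len(hosts) >= min_sources and got >= min_reply_ratio * max(sent, 1):
            findings.append((victim, net, len(hosts), got, sent))
    return findings


if __name__ == "__main__":
    for victim, net, n_hosts, got, sent in detect_reflected_floods(SAMPLE):
        print(f"{victim}: {got} echo replies from {n_hosts} hosts in {net}, "
              f"only {sent} requests sent there -> likely smurf amplifier")
```

The legitimate exchange with 198.51.100.1 is not flagged (two replies for two requests from a single host), while the 200 unsolicited replies from 192.0.2.0/24 are; the subnet in the finding is the amplifier network whose operator needs the directed-broadcast fix, and the reply count per second gives the attacker's rate times the amplifier's host count.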

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000108

What type of attack is being executed if an attacker substitutes an invalid MAC address for the network gateway so that no users can access external networks?

ARP poisoning (ARP spoofing). The attacker answers ARP requests for the gateway's IP address with forged replies carrying a bogus MAC address. Hosts update their ARP caches, frames destined for external networks are sent to a MAC address that no device owns, and the traffic is silently dropped: a denial of service against the whole segment.

What type of additional attack does ARP spoofing rely on?

MAC spoofing. ARP spoofing relies on the attacker being able to place an arbitrary Media Access Control (MAC) address in the frames and ARP replies it sends, that is, on altering the MAC address its network interface presents.

Which term refers to an attack in which the attacker attempts to impersonate the user by using his or her session token?

Session hijacking: an attack in which the attacker impersonates a user by presenting that user's session token.

When an attack is designed to prevent authorized users from accessing a system, it is called what kind of attack?

A denial of service (DoS) attack. When the traffic originates from many hosts at once, as with the smurf amplifiers and botnets described above, it is a distributed denial of service (DDoS) attack.