读书人

Network Security Essentials - Notes

Published: 2012-07-27 11:03:01  Author: rapoo

Network Security Essentials -- Notes 9. DDoS

1. Distributed DoS: the attacker recruits a number of hosts (zombies) to launch a simultaneous, coordinated attack on the target

2. What is it?
a. Classification of DDoS by the resource attacked:
i. Attack the host (e.g. SYN flood)
ii. Attack the network (e.g. ICMP ECHO flood)

b. SYN flood attack
i. Zombie sends a TCP SYN packet with a spoofed (unreachable) source IP address
ii. Server allocates a half-open connection entry and sends its SYN-ACK to the spoofed address
iii. Server keeps waiting for the final ACK, which never arrives because the "client" never responds; the entry is held until it times out
iv. The half-open connection table (backlog) fills up, and the server can no longer accept new TCP connections
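The following toy model works through steps i-iv above. It is an added example written for these notes, not code from the textbook: the backlog size, the SYN-RECEIVED timeout, the packet rate and the addresses are all assumptions. Zombies send SYNs from spoofed, unreachable sources, so the SYN-ACK is never answered and each entry is held until it times out; a legitimate client that arrives while the table is full is dropped, and succeeds again once the stale entries expire.

```python
"""Toy model of a SYN flood exhausting a server's half-open connection table.
Added example, not from the original notes; sizes, timeouts and addresses are assumptions."""
from dataclasses import dataclass, field

BACKLOG_SIZE = 128       # assumed capacity of the SYN-RECEIVED (half-open) table
SYN_RECV_TIMEOUT = 60.0  # assumed seconds a half-open entry is kept before being dropped


@dataclass
class Server:
    backlog_size: int = BACKLOG_SIZE
    timeout: float = SYN_RECV_TIMEOUT
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry time
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        """Drop half-open entries whose SYN-ACK was never answered in time."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """SYN arrives: reserve a half-open slot and (notionally) send SYN-ACK to src."""
        self._expire(now)
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1      # backlog full: the SYN is silently discarded
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        """Third handshake packet: only a real, reachable client ever sends it."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate(n_zombie_syns, syn_rate, legit_at):
    """Zombies send n_zombie_syns spoofed SYNs at syn_rate per second starting at t=0;
    one legitimate client sends its SYN at time legit_at and its ACK 50 ms later."""
    srv = Server()
    t = 0.0
    for i in range(n_zombie_syns):
        # Spoofed, unreachable source: the SYN-ACK goes nowhere, so no ACK ever
        # arrives and the slot stays occupied until SYN_RECV_TIMEOUT expires.
        spoofed = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
                   40000 + i % 20000)
        srv.on_syn(spoofed, t)
        t += 1.0 / syn_rate
    legit = ("203.0.113.7", 51000)          # constructed address of the real client
    got_slot = srv.on_syn(legit, legit_at)
    connected = got_slot and srv.on_ack(legit, legit_at + 0.05)
    return {"half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns,
            "legit_connected": connected}


if __name__ == "__main__":
    print(simulate(0, 100, 0.0))       # idle server: client connects
    print(simulate(500, 100, 5.0))     # during the flood: backlog full, client dropped
    print(simulate(500, 100, 70.0))    # after the entries time out: client connects again
```

Note that 500 spoofed SYNs at 100 per second, a trivial rate for even one zombie, are enough to hold the 128-entry table full for the whole timeout window; this is why the attack costs the zombies almost nothing while the server's state is exhausted.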

c. Attacks on other host resources: fill the server's disk by sending e-mail, by generating errors that swell the log files, or by uploading files to an FTP server

d. ICMP ECHO attack => floods the server's router / access link
Two models:
i. Zombie sends ICMP ECHO requests to the server with spoofed source IP addresses --> the server tries to reply to each of them --> its router is flooded
ii. Zombie sends ICMP ECHO requests to an intermediate layer of hosts with the server's IP as the (spoofed) source IP => these intermediate hosts (called reflectors) send their ECHO replies to the server => the server's router is flooded
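The two models above, traced packet by packet in a small simulation. This is an added example for these notes, not from the textbook; the zombie, victim and reflector addresses and the packet counts are constructed. Each host answers an echo request towards the address the packet claims to come from, which is exactly what the attack abuses. The model also shows what a practitioner cares about when the flood arrives: in the direct model the victim's link carries both the requests and its own useless replies, in the reflected model the victim sees only reflector addresses (the zombie never appears), and the replies match no request the victim ever sent, which is the stateful check a firewall can use to recognise reflection.

```python
"""Toy model of the two ICMP ECHO flood variants (direct spoofed flood and reflection).
Added example, not from the original notes; all addresses and packet counts are constructed."""
from dataclasses import dataclass

ZOMBIE = "198.51.100.9"                                   # constructed: attacking zombie
VICTIM = "203.0.113.10"                                   # constructed: targeted server
REFLECTORS = ["192.0.2.%d" % i for i in range(1, 5)]      # constructed: innocent reflector hosts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str        # "echo-request" or "echo-reply"
    ident: int = 0   # ICMP identifier, pairs a reply with the request it answers


class Host:
    def __init__(self, ip):
        self.ip = ip
        self.sent_requests = set()   # identifiers of echo requests this host really sent
        self.rx = []                 # every packet that arrived on this host's link
        self.tx = 0                  # packets this host put onto its link
        self.unsolicited_replies = 0 # echo replies matching no request we sent

    def receive(self, pkt):
        """Honest ICMP behaviour: answer a request towards its *claimed* source.
        Returns the reply to forward, or None."""
        self.rx.append(pkt)
        if pkt.kind == "echo-request":
            self.tx += 1
            return Packet(self.ip, pkt.src, "echo-reply", pkt.ident)
        if pkt.ident not in self.sent_requests:
            self.unsolicited_replies += 1   # stateful check a firewall could apply
        return None


class Network:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.dropped = 0   # packets addressed to spoofed / non-existent hosts

    def send(self, pkt):
        dst = self.hosts.get(pkt.dst)
        if dst is None:
            self.dropped += 1
            return
        reply = dst.receive(pkt)
        if reply is not None:
            self.send(reply)


def summarize(victim):
    seen = {p.src for p in victim.rx}
    return {"victim_link_packets": len(victim.rx) + victim.tx,
            "unsolicited_replies": victim.unsolicited_replies,
            "sources_seen": sorted(seen),
            "zombie_visible": ZOMBIE in seen}


def direct_flood(n_packets):
    """Model (i): echo requests sent straight at VICTIM with spoofed sources;
    VICTIM answers each one, doubling the load on its own link."""
    victim = Host(VICTIM)
    net = Network([victim, Host(ZOMBIE)])
    for i in range(n_packets):
        spoofed_src = "10.0.%d.%d" % (i // 256 % 256, i % 256)  # constructed, unreachable
        net.send(Packet(spoofed_src, VICTIM, "echo-request", ident=i))
    return summarize(victim)


def reflected_flood(n_per_reflector):
    """Model (ii): requests go to REFLECTORS with src=VICTIM; every reply lands on VICTIM."""
    victim = Host(VICTIM)
    reflectors = [Host(ip) for ip in REFLECTORS]
    net = Network([victim, Host(ZOMBIE), *reflectors])
    for r in reflectors:
        for i in range(n_per_reflector):
            net.send(Packet(VICTIM, r.ip, "echo-request", ident=1000 + i))
    return summarize(victim)


if __name__ == "__main__":
    print(direct_flood(100))
    print(reflected_flood(50))
```

In the reflected model the zombie sends 200 packets in total and the victim's link receives 200 replies, so plain ICMP ECHO reflection gives no amplification in bytes; what it buys the attacker is hiding behind the reflectors' addresses and spreading the sending load over many intermediate hosts.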

3. How are zombies obtained?
Vulnerability scan => zombie software implantation

