TCP/IP Transport Layer Attack Vector #6

5 minutes
Share the link to this page
Copied
  Completed
You need to have access to the item to view this lesson.
One-time Fee
$69.99
List Price:  $99.99
You save:  $30
€67.23
List Price:  €96.05
You save:  €28.81
£54.79
List Price:  £78.28
You save:  £23.48
CA$100.29
List Price:  CA$143.28
You save:  CA$42.98
A$112.09
List Price:  A$160.13
You save:  A$48.04
S$94.52
List Price:  S$135.03
You save:  S$40.51
HK$543.88
List Price:  HK$777
You save:  HK$233.12
CHF 61.94
List Price:  CHF 88.49
You save:  CHF 26.55
NOK kr788.73
List Price:  NOK kr1,126.80
You save:  NOK kr338.07
DKK kr502.03
List Price:  DKK kr717.22
You save:  DKK kr215.19
NZ$123.81
List Price:  NZ$176.87
You save:  NZ$53.06
د.إ257.07
List Price:  د.إ367.26
You save:  د.إ110.18
৳8,350.53
List Price:  ৳11,929.84
You save:  ৳3,579.31
₹5,977
List Price:  ₹8,538.94
You save:  ₹2,561.93
RM314.04
List Price:  RM448.65
You save:  RM134.61
₦108,176.53
List Price:  ₦154,544.52
You save:  ₦46,367.99
₨19,454.09
List Price:  ₨27,792.76
You save:  ₨8,338.66
฿2,391.55
List Price:  ฿3,416.65
You save:  ฿1,025.10
₺2,463.31
List Price:  ₺3,519.17
You save:  ₺1,055.85
B$446.27
List Price:  B$637.56
You save:  B$191.28
R1,312.34
List Price:  R1,874.85
You save:  R562.51
Лв131.59
List Price:  Лв188
You save:  Лв56.40
₩101,993.60
List Price:  ₩145,711.39
You save:  ₩43,717.78
₪255.42
List Price:  ₪364.90
You save:  ₪109.48
₱4,105.61
List Price:  ₱5,865.41
You save:  ₱1,759.80
¥11,000.67
List Price:  ¥15,715.92
You save:  ¥4,715.24
MX$1,411.29
List Price:  MX$2,016.21
You save:  MX$604.92
QR254.14
List Price:  QR363.08
You save:  QR108.93
P970.50
List Price:  P1,386.50
You save:  P415.99
KSh9,031.50
List Price:  KSh12,902.70
You save:  KSh3,871.20
E£3,557.88
List Price:  E£5,082.90
You save:  E£1,525.02
ብር8,897.26
List Price:  ብር12,710.92
You save:  ብር3,813.65
Kz63,830.88
List Price:  Kz91,190.88
You save:  Kz27,360
CLP$69,240.40
List Price:  CLP$98,919.10
You save:  CLP$29,678.70
CN¥510.85
List Price:  CN¥729.82
You save:  CN¥218.97
RD$4,256.60
List Price:  RD$6,081.12
You save:  RD$1,824.52
DA9,455.74
List Price:  DA13,508.78
You save:  DA4,053.03
FJ$162.28
List Price:  FJ$231.84
You save:  FJ$69.55
Q538.26
List Price:  Q768.97
You save:  Q230.71
GY$14,619.81
List Price:  GY$20,886.35
You save:  GY$6,266.53
ISK kr9,767.10
List Price:  ISK kr13,953.60
You save:  ISK kr4,186.50
DH704.68
List Price:  DH1,006.73
You save:  DH302.05
L1,289.28
List Price:  L1,841.91
You save:  L552.62
ден4,135.94
List Price:  ден5,908.74
You save:  ден1,772.79
MOP$559.01
List Price:  MOP$798.63
You save:  MOP$239.61
N$1,299.34
List Price:  N$1,856.28
You save:  N$556.93
C$2,571.30
List Price:  C$3,673.45
You save:  C$1,102.14
रु9,517.06
List Price:  रु13,596.38
You save:  रु4,079.32
S/260.20
List Price:  S/371.74
You save:  S/111.53
K283.61
List Price:  K405.18
You save:  K121.56
SAR262.82
List Price:  SAR375.47
You save:  SAR112.65
ZK1,933.89
List Price:  ZK2,762.82
You save:  ZK828.92
L334.85
List Price:  L478.38
You save:  L143.52
Kč1,692.49
List Price:  Kč2,417.95
You save:  Kč725.45
Ft27,633.93
List Price:  Ft39,478.73
You save:  Ft11,844.80
SEK kr761.65
List Price:  SEK kr1,088.11
You save:  SEK kr326.46
ARS$71,885.87
List Price:  ARS$102,698.50
You save:  ARS$30,812.63
Bs482.86
List Price:  Bs689.84
You save:  Bs206.97
COP$308,852.42
List Price:  COP$441,236.66
You save:  COP$132,384.23
₡35,480.70
List Price:  ₡50,688.88
You save:  ₡15,208.18
L1,775.44
List Price:  L2,536.46
You save:  L761.01
₲544,980.94
List Price:  ₲778,577.57
You save:  ₲233,596.63
$U3,110.44
List Price:  $U4,443.67
You save:  $U1,333.23
zł286.56
List Price:  zł409.39
You save:  zł122.83
Already have an account? Log In

Transcript

Now let's talk about our second TCP IP model transport layer protocol, UDP. And our first attack vector for that is going to be UDP flood. As you know, UDP has no flex. I mean it's not a sophisticated protocol is TCP. Therefore the attack vectors in this protocol are limited. I mean the variety of the attack vectors.

However, it doesn't mean that they are ineffective. In fact, UDP attacks can be as much effective as any kind of TCP attacks. And we are going to see the reasoning behind that in a moment. So what is the UDP float? But I'll start off with a basic definition. UDP flood attack can be initiated by sending a large number of UDP packets to random ports on my remote host.

Actually, this random is not necessarily random. The attacker can choose some specific ports, like most common ones being 80, or 443, or 53. Basically, these are the ports for HTTP, HTTPS and DNS. So the attacker can specify targets, for example, your web traffic on 80 and 443. So not necessarily random as a result. This part is actually what we want to focus on in this lecture.

The distant host, meaning your host, will check for the application listening at that port. So for example, if the attack is performed on port 80, the host will check if an application is listening on that port. For example, a web application like Apache and in case of web traffic, for example, Port 80 expects TCP traffic. It doesn't expect and UDP traffic So, it will see that no application listens at that port for UDP. And this part is interesting and this part is basically what is making UDP flood attack effective. The host will try to reply with an ICMP destination unreachable packets for every single UDP packet that the attacker will send.

So, again your destination will try to answer with an ICMP destination unreachable, meaning that you know it will try to inform the client in our case the attacker that this port is not reachable via UDP. However, the attacker will exploit it by sending out UDP packets over and over again. So that the host your host will try to answer for each packet and in the end, the resources will not be enough and the services will go down How to detect this. First basically, we need to filter for specific destination ports, I mean the port that you suspect that attacker is attacking to, it could be 80 or 443. In most cases, or if you're running DNS again, it could be 53. And then you can also filter for ICMP responses that are sent.

This is also an important thing to check. And when it comes to volumetric attacks, we need to check also the volume spikes in the incoming traffic. Because this is also an indication of whether a volumetric attack is ongoing or not. And we have a simple power UDP plot might look like in our case, as we can see here, the destination port is 80. And there's one single destination IP One source. In this case a DoS attack is trying to take down the web servers of the destination by constantly sending the same UDP packets.

Now, how to mitigate it? Actually, most of the operating systems mitigate the attack by limiting the rate at which ICMP responses are sent. In other words, operating systems today are clever enough to limit the responses. Therefore limit exploitation of the resources for high volumetric ones. I mean, if you are hit by a really big attack, one of the first things to do is basically narrow down the top talkers, again by top talkers, meaning the IPS, the sources that are generating the most traffic towards your destinations. And if it is possible, trying to block these top talkers, if you cannot cope in either way, you might have to go with a CDN.

The rate controller solution. We are going to talk about advantages and disadvantages of rate controls with CDs towards the end of this course. But just for the heads up for such volumetric attacks if you cannot cope by yourself, a third party defense solution could be necessary.

Sign Up

Share

Share with friends, get 20% off
Invite your friends to LearnDesk learning marketplace. For each purchase they make, you get 20% off (upto $10) on your next purchase.