Unit 6_DoS and DDoS_SQL Injection_tools.pdf

Cryptography and Cyber Security
[IT311]
Sanjivani Rural Education Society’s
Sanjivani College of Engineering, Kopargaon-423603
(An Autonomous Institute Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified
Department of Information Technology
(NBAAccredited)
Mrs. Kanchan D. Patil
Assistant Professor

Unit 6: Tools & Methods used in Cybercrime
• Introduction, Phishing, Password Cracking, Key-loggers and Spywares,
Types of Virus, Worms, Dos and DDoS, SQL injection, Cyber laws-Indian
context, The Indian IT Act-Challenges, Amendments, Challenges to
Indian Law and cybercrime Scenario in India, Indian IT Act and Digital
Signatures.
Cryptography & Cyber Security Mrs. Kanchan Patil Department of Information Technology

DoS & DDoS Attacks
• Denial-of-service attack (DoS attack) or Distributed denial-of-service
attack (DDoS attack) is an attempt to make a computer resource (i.e.,
information systems) unavailable to its intended users.

DoS Attacks
• In this type of criminal act, the attacker floods the bandwidth of the
victim's network or fills his E-Mail box with Spam mail depriving him of
the services he is entitled to access or provide.
• Although the means to carry out, motives for, and targets of a DoS attack
may vary, it generally consists of the concerted efforts of a person or
people to prevent the Internet site or service from functioning efficiently
temporarily or indefinitely.
• The attackers typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, mobile phone
networks and even root name servers (ie., domain name server)

DoS Attacks
• Buffer overflow technique is employed to commit such kind of criminal
attack known as Spoofing
• The term IP address Spoofing refers to the creation of IP packets with a
spoofed source IP address with the purpose of concealing the ID of the
sender or impersonating another computing system.
• The attacker spoofs the IP address and floods the network of the victim
with repeated requests.
• As the IP address is fake, the victim machine keeps waiting for response
from the attacker's machine for each request.
• This consumes the bandwidth of the network which then fails to serve the
legitimate requests and ultimately breaks down.

DoS Attacks
• The United States Computer Emergency Response Team defines symptoms
of DoS attacks to include:
• Unusually slow network performance (opening files or accessing
websites)
• Unavailability of a particular website
• Inability to access any website
• Dramatic increase in the number of Spam E-Mails received (this type of
DoS attack is termed as an E-Mail bomb)

DoS Attacks
• The goal of DoS is not to gain unauthorized access to systems or data, but
to prevent intended users of a service from using it.
• A DoS attack may do the following:
• Flood a network with traffic, thereby preventing legitimate network
traffic.
• Disrupt connections between two systems, thereby preventing access to
a service.
• Prevent a particular individual from accessing a service.
• Disrupt service to a specific system or person.

Classification of DoS Attacks
Sr.
No.
DoS Attacks Brief Description
1 Bandwidth
attacks
Loading any website takes certain time. Loading means complete webpage appearing on the
screen and system is awaiting user's input. This "loading" consumes some amount of memory.
Every site is given with a particular amount of bandwidth for its hosting, say for example, 50
GB. Now if more visitors consume all 50 GB bandwidth then the hosting of the site can ban
this site. The attacker does the same-he/she opens 100 pages of a site and keeps on
refreshing and consuming all the bandwidth, thus, the site becomes out of service.
2 Logic attacks These kind of attacks can exploit vulnerabilities in network software such as web server or
TCP/IP stack.
3 Protocol attacks Protocols here are rules that are to be followed to send data over network. These kind of
attacks exploit a specific feature or implementation bug of some protocol installed at the
victim's system to consume excess amounts of its resources.
4 Unintentional
DoS attacks
This is a scenario where a website ends up denied not due to a deliberate attack by a single
individual or group of individuals, but simply due to a sudden enormous spike in popularity.
This can happen when an extremely popular website posts a prominent link to a second, less
well-prepared site, for example, as part of a news story. Potentially thousands of people, click
the link within a few hours and have the same effect on the target website as a DDoS attack

Types or Levels DoS Attacks
• Flood attack:
• This is the earliest form of DoS attack and is also known as ping flood.
• It is based on an attacker simply sending the victim overwhelming
number of ping packets, usually by using the "ping" command, which
result into more traffic than the victim can handle.
• This requires the attacker to have a faster network connection than the
victim (i.e., access to greater bandwidth than the victim).
• It is very simple to launch, but to prevent it completely is the most
difficult.

• Ping of death attack:
• The ping of death attack sends oversized Internet Control Message
Protocol (ICMP) packets, and it is one of the core protocols of the IP
Suite.
• It is mainly used by networked computers' OSs to send error messages
indicating (e.g., that a requested service is not available) to the victim.
• The maximum packet size allowed is of 65,536 octets.
• Some systems, upon receiving the oversized packet, will crash, freeze or
reboot, resulting in DoS

• SYN attack:
• It is also termed as TCP SYN Flooding.
• In the Transmission Control Protocol (TCP), handshaking of network
connections is done with SYN and ACK messages.
• An attacker initiates a TCP connection to the server with an SYN (using a
spoofed source address).
• The server replies with an SYN-ACK.
• The client then does not send back an ACK, causing the server (i.e.,
target system) to allocate memory for the pending connection and wait.
• This fills up the buffer space for SYN messages on the target system,
preventing other systems on the network from communicating with the
target system.

• SYN attack:

• Teardrop attack:
• The teardrop attack is an attack where fragmented packets are forged
to overlap each other when the receiving host tries to reassemble
them.
• IP's packet fragmentation algorithm is used to send corrupted packets
to confuse the victim and may hang the system.
• This attack can crash various OSs due to a bug in their TCP/IP
fragmentation reassembly code. Windows 3.11, Windows 95 and
Windows NT OSs as well as versions of Linux are vulnerable to this
attack

• Nuke:
• Nuke is an old DoS attack against computer networks consisting of
fragmented or otherwise invalid ICMP packets sent to the target.
• It is achieved by using a modified ping utility to repeatedly send this
corrupt data, thus slowing down the affected computer until it comes to
a complete stop.
• A specific example of a nuke attack that gained some prominence is the
WinNuke, which exploited the vulnerability in the NetBIOS handler in
Windows 95.
• A string of out-of-band data was sent to TCP port 139 of the victim's
machine, causing it to lock up and display a Blue Screen of Death
(BSOD).

• Smurf attack:
• It is a way of generating significant computer network traffic on a victim
network.
• This is a type of DoS attack that floods a target system via spoofed broadcast
ping messages.
• This attack consists of a host sending an ICMP echo request (ping) to a network
broadcast address.
• Every host on the network receives the ICMP echo request and sends back an
ICMP echo response inundating the initiator with network traffic.
• On a multi-access broadcast network, hundreds of machines might reply to each
packet.
• This creates a magnified DoS attack of ping replies, flooding the primary victim.
• Internet relay chat (IRC) servers are the primary victim of smurf attacks on the
Internet.

Tools used to launch DoS Attacks
Sr.
No.
Tool Brief Description
1 Jolt2 A major vulnerability has been discovered in Windows' networking code. The
vulnerability allows remote attackers to cause a DoS attack against Windows-
based machines- the attack causes the target machine to consume 100% of
the CPU time. Jolt2 on processing of illegal packets. This program generates
random packets
2 Nemesy This program generates random packets of spoofed source IP to enable the
attacker to launch DoS attack
3 Targa It is a program that can be used to run eight different DoS attacks. The
attacker has option to launch either individual attacks or try all attacks until
one is successful.
4 Crazy Pinger This tool could send large packets of ICMP to a remote target network.
5 Some Trouble It is a remote flooder and bomber. It is developed in Delphi

DDoS Attacks
• In a DDoS attack, an attacker may use your computer to attack another
computer.
• By taking advantage of security vulnerabilities or weaknesses, an attacker
could take control of your computer.
• He/she could then force your computer to send huge amounts of data to a
website or send Spam to particular E-Mail addresses DoS attack.
• The attack is distributed because the attacker is using multiple computers,
including yours, to launch the DoS attack.
• A DDoS attack is a distributed DoS wherein a large number of zombie
systems are synchronized to attack a particular system.
• The zombie systems are called "secondary victims" and the main target is
called “primary victim”

Tools used to launch DDoS Attacks
Sr. No. Tool Brief Description
1 Trinoo It is a set of computer programs to conduct a DDoS attack. It is believed that Trinoo
networks have been set up on thousands of systems on the Internet that have been
compromised by remote buffer overrun
2 Tribe Flood
Network
(TFN)
It is a set of computer programs to conduct various DDoS attacks such as ICMP, flood, SYN
flood, UDP food and Smurf attack
3 Stacheldra
ht
It is written by Random for Linux and Solaris systems, which acts as a DDS
agent. It combines features of Trinoo with TFN and adds encryption
4 Shaft This network looks conceptually similar to a Trinoo. It is a packet flooding attack and the
client controls the size of the flooding packets and duration of the attack
5 Mstream It uses spoofed TCP packets with the ACK flag set to attack the target. Communication is
not encrypted and is performed through TCP and UDP packets. Access to the handler is
password protected. This program has a feature not found in other DDoS tools. It informs
all connected users of access successful or not, to the handler(s) by competing parties.

How to Protect from DoS/DDoS Attacks
• Computer Emergency Response Team Coordination Center (CERT/CC) offers
many preventive measures from being a victim of DoS attack
• Implement router filters. This will lessen your exposure to certain DoS
attacks.
• If such filters are available for your system, install patches to guard against
TCP SYN Blooding
• Disable any unused or inessential network service. This can limit the ability
of an attacker to take advantage of these services to execute a DoS attack.
• Enable quota systems on your OS if they are available.
• Observe your system's performance and establish baselines for ordinary
activity. Use the baseline to gauge unusual levels of disk activity, central
processing unit (CPU) usage or network traffic.

How to Protect from DoS/DDoS Attacks
• Routinely examine your physical security with regard to your current needs.
• Use Tripwire or a similar tool to detect changes in configuration information
or other files.
• Invest in and maintain "hot spares" - machines that can be placed into
service quickly if a similar machine is disabled.
• Invest in redundant and fault-tolerant network configurations.
• Establish and maintain regular backup schedules and policies, particularly
for important configuration information.
• Establish and maintain appropriate password policies, especially access to
highly privileged accounts such as Unix root or Microsoft Windows NT
Administrator.

Tools for detecting DoS/DDoS Attacks
Sr.No Tool Brief Description
1 Zombie Zapper It is a free, open-source tool that can tell a zombie system flooding
packets to stop flooding. It works against Trinoo, TFN and
Stacheldraht. It assumes various defaults are still in place used by
these attack tools, however, it allows you to put the zombies to
sleep.
2 Security
Auditor's
Research
Assistant
(SARA)
It gathers information about remote hosts and networks by
examining network services. This includes information about the
network information services as well as potential security flaws
such as incorrectly set up or configured network services, well-
known bugs in the system or network utilities system software
vulnerabilities listed in the Common Vulnerabilities and Exposures
(CVE) database and weak policy decisions.

Tools for detecting DoS/DDoS Attacks
Sr.No Tool Brief Description
3 Find DDoS It is a tool that scans a local system that likely contains a DDoS
program. It can detect several known DoS attack tools.
4 DDoSPing It is a remote network scanner for the most common DDoS programs. It
can detect Trinoo, Stacheldraht and Tribe Flood Network programs
running with their default settings.
5 Remote
Intrusion
Detector
(RID)
It is a tool developed in "C" computer language, which is a highly
configurable packet snooper and generator. It works by sending out
packets defined in theconfig.txt file, then listening for appropriate
replies. It detects the presence of Trinoo, TFN or Stacheldraht clients.

SQL Injection
• Structured Query Language (SQL) is a database computer language
designed for managing data in relational database management systems
(RDBMS).
• SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application
• The vulnerability is present when user input is either filtered incorrectly for
string literal escape characters embedded in SQL statements or user input
is not strongly typed and thereby unexpectedly executed
• It is an instance of a more general class of vulnerabilities that can occur
whenever one programming or scripting language is embedded inside
another SQL injection attacks are also known as SQL insertion attacks

SQL Injection
• Attackers target the SQL servers used by many organizations to store
confidential data.
• The prime objective behind SQL injection attack is to obtain the
information while accessing a database table that may contain personal
information such as credit card numbers, social security numbers or
passwords.
• During an SQL injection attack, Malicious Code is inserted into a web form
field or the website's code to make a system execute a command shell or
other arbitrary commands.
• Just as a legitimate user enters queries and additions to the SQL database
via a web form, the attacker can insert commands to the SQL server
through the same web form field.

SQL Injection
• Example: an arbitrary command from an attacker might open a command
prompt or display a table from the database.
• This makes an SQL server a high-value target and therefore a system seems
to be very attractive to attackers.
• The attacker determines whether a database and the tables residing into it
are vulnerable, before launching an attack.
• Many webpages take parameters from web user and make SQL query to
the database. For example, when a user logs in with username and
password, an SQL query is sent to the database to check if a user has valid
name and password.
• With SQL injection, it is possible for an attacker to send crafted username
and/or password field that will change the SQL query.

Steps for SQL Injection
• Step 1: The attacker looks for the webpages that allow submitting data,
that is, login page, search page, feedback, etc.
• The attacker also looks for the webpages that display the HTML commands
such as POST or GET by checking the site's source code.
• Step 2: To check the source code of any website, right click on the webpage
and click on "view source“, source code is displayed in the notepad.
• The attacker checks the source code of the HTML, and look for "FORM" tag
in the HTML code.
• Everything between the <FORM> and </FORM> have potential parameters
that might be useful to find the vulnerabilities.

• Step 3: The attacker inputs a single quote under the text box provided on
the webpage to accept the user-name and password.
• This checks whether the user-input variable is sanitized or interpreted
literally by the server.
• If the response is an error message such as we “a“=“a” (or something
similar) then the website is found to be susceptible to an SQL injection
attacks.
• Step 4: The attacker uses SQL commands such as SELECT statement
command to retrieve data from the database or INSERT statement to add
information to the database.

• Few examples of variable field text the attacker uses on a webpage to test
for SQL vulnerabilities:
• Blab or l = l - -
• Login: blab or l = l - -
• Password: blah or l = l - -
• http://search/index.asp?id=blab or l = l - -
• Similar SQL commands may allow bypassing of a login and may return many
rows in a table or even an entire database table because the SQL server is
interpreting the terms literally.
• The double dashes near the end of the command tell SQL to ignore the rest
of the command as a comment.

Blind SQL Injection
• Blind SQL injection is used when a web application is vulnerable to an SQL
injection but the results of the injection are not visible to the attacker.
• The page with the vulnerability may not be the one that displays data.
• however, it will display differently depending on the results of a logical
statement injected into the legitimate SQL statement called for that page.
• This type of attack can become time-intensive because a new statement
must be crafted for each bit recovered.
• There are several tools that can automate these attacks once the location
of the vulnerability and the target information have been established.

Tools used for SQL Server Penetration
• AppDetective Pro:
• It is a network-based, discovery and vulnerability assessment scanner
that discovers database applications within the infrastructure and
assesses security strength.
• It locates, examines, reports and fixes security holes and
misconfigurations as well as identify user rights and privilege levels
based on its security methodology and extensive knowledge based on
application-level vulnerabilities.
• Thus, organizations can harden their database applications.

• DbProtect:
• It enables organizations with complex, heterogeneous environments to
optimize database security, manage risk and bolster regulatory
compliance.
• It integrates database asset management, vulnerability management,
audit and threat management, policy management, and reporting and
analytics for a complete enterprise solution.
• SQLPoke:
• It is an NT-based tool that locates Microsoft SQL (MSSQL) servers and
tries to connect with the default System Administrator (SA) account.
• A list of SQL commands are executed if the connection is successful.

• Database Scanner:
• It is an integrated part of Internet Security Systems' (ISS) Dynamic Threat
Protection platform that assesses online business risks by identifying
security exposures in the database applications.
• Database scanner offers security policy generation and reporting
functionality, which instantly measures policy compliance and
automates the process of securing critical online business data.
• Database scanner runs independently of the database and quickly
generates detailed reports with all the information needed to correctly
configure and secure databases.

• NGSSQLCrack:
• It can guard against weak passwords that make the network susceptible
to attack.
• This is a password cracking utility for Microsoft SQL server 7 and 2000
and identifies user accounts with weak passwords so that they can be
reset with stronger ones, thus, protecting the overall integrity of the
system.
• Microsoft SQL Server Fingerprint (MSSQLFP) Tool:
• This is a tool that performs fingerprinting version on Microsoft SQL
Server 2000, 2005 and 2008, using well-known techniques based on
several public tools that identifies the SQL version and also can be used
to identify vulnerable versions of Microsoft SQL Server.

How to Prevent SQL Injection Attacks
• SQL injection attacks occur due to poor website administration and coding.
• The following steps can be taken to prevent SQL injection.
• 1: Input validation
• Replace all single quotes (escape quotes) to two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any
characters or strings that could possibly be used maliciously.
• For example, character sequences such as --, select, insert and xp_ can be
used to perform an SQL injection attack.
• Numeric values should be checked while accepting a query string value.
Function - IsNumeric() for Active Server Pages (ASP) should be used to check
these numeric values.
• Keep all text boxes and form fields as short as possible to limit the length of
user input.

• 2: Modify error reports
• SQL errors should not be displayed to outside users and to avoid this,
the developer should handle or configure the error reports very
carefully.
• These errors some time display full query pointing to the syntax error
involved and the attacker can use it for further attacks.

• 3: Other preventions
• The default system accounts for SQL server 2000 should never be used.
• Isolate database server and web server. Both should reside on different
machines.
• Most often attackers may make use of several extended stored
procedures such as xp_cmdshellI and xp_grantlogin in SQL injection
attacks.
• In case such extended stored procedures are not used or have unused
triggers, gored procedures, user-defined functions, etc., then these
should be moved to an isolated server.

References:
• Nina Godbole, Sunit Belapure, “Cyber Security-Understanding Cyber
Crimes, Computer Forensics and Legal Perspective”

Unit 6_DoS and DDoS_SQL Injection_tools.pdf

Recommended

More Related Content

What's hot (20)

Similar to Unit 6_DoS and DDoS_SQL Injection_tools.pdf (20)

More from KanchanPatil34 (11)

Recently uploaded (20)

Unit 6_DoS and DDoS_SQL Injection_tools.pdf