
Monday, July 7, 2008

ICMP Brute Flood Attack (PACKET ATTACKS - Type 1)



ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing network connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple, right? A typical ICMP packet is called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY. That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my tutorial on that!

In this attack the source IP address is spoofed. So now hundreds or thousands of ECHO_REQUEST packets rush towards their destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the source IP. The source IP ends up being unreachable, but point B waits a small amount of time (milliseconds) to determine that for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of memory back to the system. This adds up to a great deal of packets and memory allocation building up.

Now if these packets are coming from multiple source zombies (DDoS), they're each coming from different routes. So even if one ISP stops one attack, there are still many more zombie machines attacking the victim. All of this is eating up time and bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no longer keep up with the ECHO_REQUESTs and its connection is completely flooded and of no use. On an unprotected system or router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the target is running an advanced firewall, it cannot protect the wire it is connected to from being flooded with packets.

There have been changes in this attack as well. On the net there are what we call amplifiers. On every network there are the network and subnet addresses. In many default configurations, when you ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those too.

[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]

[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]

Hopefully that simple drawing shows you exactly how this attack works. It's very simple: massive numbers of ICMP packets with spoofed addresses taking up network resources. The simplest of attacks.
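The three traffic signatures the post describes (a burst of ECHO_REQUESTs, a large number of distinct source addresses that each appear once, and ECHO_REPLYs arriving at a host that never sent a request, as happens with the amplifier variant) can all be picked out of a packet log on the defended segment. The detector below is an added example written for this page, not code from the original post; it assumes a constructed log format of one line per packet (`<epoch_seconds> <src_ip> <dst_ip> icmp <icmp_type>`, where type 8 is ECHO_REQUEST and type 0 is ECHO_REPLY), and the thresholds, the `build_sample_log` traffic and all addresses are made up for the demonstration.

```python
"""Rate, source-diversity and unsolicited-reply checks for an ICMP flood.

Added example (not part of the original post). Assumed log format, one
packet per line, as seen on the monitored segment in both directions:

    <epoch_seconds> <src_ip> <dst_ip> icmp <icmp_type>

ICMP type 8 = ECHO_REQUEST, type 0 = ECHO_REPLY. Thresholds are
hypothetical and would be tuned to the link's normal ICMP baseline.
"""
from collections import Counter, defaultdict

ECHO_REPLY = 0
ECHO_REQUEST = 8


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, proto, icmp_type)."""
    ts, src, dst, proto, icmp_type = line.split()
    return float(ts), src, dst, proto, int(icmp_type)


def peak_window(pkts, window):
    """Max number of requests in any `window` seconds and the distinct
    sources seen in that peak window. `pkts` is a list of (ts, src)."""
    pkts = sorted(pkts)
    best, best_sources, j = 0, set(), 0
    for i in range(len(pkts)):
        while pkts[i][0] - pkts[j][0] > window:  # slide the left edge
            j += 1
        if i - j + 1 > best:
            best = i - j + 1
            best_sources = {src for _, src in pkts[j:i + 1]}
    return best, best_sources


def detect_icmp_flood(lines, window=1.0, pps_threshold=100,
                      min_sources=20, reply_threshold=50):
    """Return {dst: metrics-and-reasons} for destinations that look attacked."""
    requests = defaultdict(list)   # dst -> [(ts, src), ...] of ECHO_REQUESTs
    sent = set()                   # (src, dst) pairs that sent a request
    unsolicited = Counter()        # dst -> ECHO_REPLYs with no matching request
    for line in lines:
        ts, src, dst, proto, icmp_type = parse_line(line)
        if proto != "icmp":
            continue
        if icmp_type == ECHO_REQUEST:
            requests[dst].append((ts, src))
            sent.add((src, dst))
        elif icmp_type == ECHO_REPLY:
            # A legitimate reply answers a request that dst sent to src earlier.
            if (dst, src) not in sent:
                unsolicited[dst] += 1

    findings = {}
    for dst in set(requests) | set(unsolicited):
        peak, sources = peak_window(requests.get(dst, []), window)
        reasons = []
        if peak >= pps_threshold:
            reasons.append("echo_request_flood")
            if len(sources) >= min_sources:
                # Many one-off sources inside a burst is the spoofing signature.
                reasons.append("spoofed_sources_suspected")
        if unsolicited[dst] >= reply_threshold:
            # Replies without requests point at a reflection/amplifier attack.
            reasons.append("unsolicited_echo_replies")
        if reasons:
            findings[dst] = {
                "peak_requests_per_window": peak,
                "distinct_sources_in_peak": len(sources),
                "unsolicited_replies": unsolicited[dst],
                "reasons": reasons,
            }
    return findings


def build_sample_log():
    """Constructed traffic: a normal ping exchange, a spoofed-source
    ECHO_REQUEST burst at 10.0.0.5, and reflected ECHO_REPLYs at 10.0.0.9.
    Addresses come from the documentation ranges and are not real hosts."""
    lines = []
    for i in range(4):  # 10.0.0.7 pings 10.0.0.5 once a second, each answered
        lines.append(f"{100 + i}.000 10.0.0.7 10.0.0.5 icmp {ECHO_REQUEST}")
        lines.append(f"{100 + i}.002 10.0.0.5 10.0.0.7 icmp {ECHO_REPLY}")
    for i in range(300):  # 300 requests in 0.3 s, every one from a different source
        src = f"198.51.{100 + i // 250}.{i % 250 + 1}"
        lines.append(f"{105 + i * 0.001:.3f} {src} 10.0.0.5 icmp {ECHO_REQUEST}")
    for i in range(200):  # 10.0.0.9 never pinged anyone, yet 200 replies arrive
        lines.append(f"{106 + i * 0.001:.3f} 203.0.113.{i + 1} 10.0.0.9 icmp {ECHO_REPLY}")
    return lines


if __name__ == "__main__":
    for dst, info in sorted(detect_icmp_flood(build_sample_log()).items()):
        print(dst, info)
```

The rate check alone would also fire on a single misbehaving host, so the source-count reason is what separates a spoofed flood from an ordinary noisy neighbour, and the unsolicited-reply count is the only one of the three that catches the amplifier variant, where the victim receives ECHO_REPLYs rather than ECHO_REQUESTs. On the amplifier side, the usual fix is to stop answering echo requests sent to broadcast addresses (on Linux the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl); on the victim side, rate-limiting ICMP upstream of the target link is what helps, since, as the post notes, a firewall on the host cannot protect the wire itself.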
