Explain Briefly How a DDoS Attack Works: Computer Science Essay


A DDoS attack is an activity that impedes or shuts down a service by using many attacking hosts: either dedicated computers, or computers that have been forced into becoming zombies (helper hosts) by an injected DDoS Trojan. The attack can use a layered infrastructure and different platforms.

In general, a DDoS attack works as follows:

Scan the network, using a DDoS tool, for vulnerable hosts that have an Internet connection.

Once a vulnerable host is found, the tool injects a Trojan (the DDoS Trojan) that turns the vulnerable host into a zombie that can be controlled remotely.

When the number of zombie hosts is judged sufficient, the attacker's control server instructs the zombies to attack together so that the target system hangs; if the target is a website, other users can no longer reach it, because the resources that would serve them are consumed by requests from the DDoS attackers.

The consequence of a DDoS attack is that the affected user system hangs; on a network, the entire network becomes inaccessible.

Explain the defense mechanisms that can be devised to perform preventive and reactive actions

Answer :

Preventive actions:

Know the kinds of DDoS attacks and how they work.

Based on the Prolexic report, the most common type of DDoS attack is the SYN flood. It floods the victim with many TCP SYN packets; the victim replies to each with a TCP SYN-ACK and holds the half-open connection, so the backlog queue fills up and the system stops responding to further TCP SYN packets.

Install and keep up to date anti-virus software and a firewall.

Configure the firewall to allow or deny protocols, IP addresses, or ports. This is a simple way to protect users from small flooding attacks.

Use screening/filtering/sniffing tools.

These tools protect the network or server by looking for attack patterns or by inspecting the content of the traffic. When traffic with the same pattern arrives frequently, the filtering tool can signal that messages with this pattern should be blocked, protecting the network or server from the attack. Examples of DDoS detection systems are:

NetFlow analyzers: collect IP traffic information.

SNMP-based tools: collect information from network devices, such as switches or routers, that support the SNMP protocol.

Conduct regular testing to learn how secure your server or network is.

Reactive actions:

Detect and respond immediately to a DDoS attack. The reactive mechanisms are:

Signature detection

Search for patterns by observing the network traffic and comparing it with known pattern signatures from a database. Known attacks are detected easily, but new attacks cannot be detected if the signature database is not updated.

Anomaly detection

Observe the network traffic and compare it with normal traffic. The model or categories of "normal traffic" must be kept updated and properly adjusted.

Hybrid systems

Combine the signature and anomaly mechanisms.

If a user or server has been attacked (with characteristics such as suddenly slow network performance, inability to access any website, a sudden increase in spam e-mail received, or unavailability of a particular website), some reactive actions may be taken:

Block the traffic.

Trace back to identify the attacker.
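The following Python is an added example, not part of the essay: it runs the signature and anomaly rules described above over constructed NetFlow-style records for the SYN flood case, and shows the hybrid combination catching a flood whose source count falls below the signature threshold. The record format, thresholds and baseline are assumptions.

```python
import statistics
from collections import Counter

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, tcp_flags, packets).
# "SA" = normal traffic that completed the handshake, "S" = SYN-only (half-open).
def constructed_flows(n_attackers):
    flows = [(f"10.0.0.{i}", "192.0.2.10", 443, "SA", 20) for i in range(1, 11)]
    flows += [(f"198.51.100.{i}", "192.0.2.10", 80, "S", 1)
              for i in range(1, n_attackers + 1)]
    return flows

# Learned count of SYN-only flows per interval on quiet days (constructed baseline).
BASELINE = [3, 5, 4, 6, 2, 4, 5, 3, 4, 5]

def signature_detect(flows, min_sources=100):
    """Signature rule for a SYN flood: at least min_sources SYN-only flows
    (handshake never completed) aimed at the same destination and port."""
    syn_only = Counter()
    for src, dst, port, flags, _ in flows:
        if flags == "S":
            syn_only[(dst, port)] += 1
    return [target for target, n in syn_only.items() if n >= min_sources]

def anomaly_detect(syn_count, baseline, k=3.0):
    """Anomaly rule: flag when the current SYN-only count exceeds the
    baseline mean by more than k standard deviations."""
    mean = statistics.mean(baseline)
    std = statistics.pstdev(baseline) or 1.0   # avoid a zero threshold
    return syn_count > mean + k * std

def hybrid_detect(flows, baseline=BASELINE):
    """Hybrid system: alert if either the signature or the anomaly rule fires."""
    syn_count = sum(1 for f in flows if f[3] == "S")
    matched = signature_detect(flows)
    anomalous = anomaly_detect(syn_count, baseline)
    return {"signature": matched, "anomaly": anomalous,
            "alert": bool(matched) or anomalous}

if __name__ == "__main__":
    for n in (0, 60, 200):
        print(n, "attacking sources ->", hybrid_detect(constructed_flows(n)))
```

With 60 attacking sources the signature rule stays silent (below its 100-source threshold) while the anomaly rule fires, which is the case for combining both.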

Explain how someone approaches the problem of DDoS caused by a botnet.

Answer :

A botnet is also called a "zombie army" in a DDoS attack. The problem caused by botnets is approached with prevention and reactive mechanisms, such as:

Personal habits to keep in mind: be careful when downloading, avoid installing unnecessary software, and read carefully before clicking anything.

Routines to follow: use an anti-virus/anti-Trojan utility, apply system updates frequently, and do not leave your PC without locking it.

Back up all systems on a regular basis, keep all software up to date, and use a personal firewall.

Explain why DDoS is difficult to solve and describe some successful DDoS prevention mechanisms

Answer :

DDoS is difficult to solve because:

DDoS attacks flood the victim with packets.

The victim is unable to contact anyone for help, so if another network is attacked, nobody would know and nobody could help. Early detection is difficult; the attack is usually only noticed afterwards, from a sudden increase in traffic.

Filtering the traffic flow means that valid traffic is also blocked, leaving applications waiting for a response. Without filtering, however, the zombies flood the target and consume all of its bandwidth and resources.

Attack packets also carry spoofed IP addresses. Tracing them back to their source is difficult because the packets may come from thousands of IP addresses.

Software and hardware defense mechanisms must be set up properly. If the setup does not match the system or architecture, it will not defend against the attackers.

Some successful DDoS prevention mechanisms are:

Honeypots. A honeypot is a system designed to be inspected and attacked. There are two types of honeypots:

Low-interaction honeypots

Used to emulate services and operating systems. Attackers cannot interact with the underlying operating system, only with specific services. This type cannot provide detailed information about the attacker's actions, but it can detect communication attempts toward unused IP addresses.

High-interaction honeypots

If the attack is not directed against an emulated service, a high-interaction honeypot, also called a honeynet, can be used. It is not software but a network architecture designed to be attacked. With this architecture every activity is recorded and the attackers are trapped: they interact with the honeynet system but are prevented from interacting with other systems.

Route filter techniques

Used so that attackers do not learn the route to critical servers and so that suspicious routes are not used.

Propose short-term solutions to solve DDoS attacks. Also propose a long-term solution to trace the botnets to their source, i.e. the C&C, and hopefully the "man behind the gun."

Answer :

a. Short-term solutions:

People aspect:

Increase user awareness, e.g. do not open attachments from unknown senders or with unknown file extensions, keep informed about malware, back up personal data regularly, etc.

Process aspect:

Include DDoS security in the testing scope

Conduct DDoS risk assessments regularly

Conduct security awareness training regularly

Develop a contingency or disaster recovery plan in case of a DDoS attack

Technology aspect:

Force all Internet transmissions to go through TCP (Transmission Control Protocol)

Use route filtering

Deploy an IDPS (Intrusion Detection and Prevention System) to detect attacks

Use anti-virus software and a firewall to protect our systems

b. Long-term solutions:

People aspect:

Increase internal campaigns about DDoS attacks and the honeynet project to prevent DDoS attacks

Process aspect:

Participate in honeynet information sharing, to keep up to date about honeynet projects around the world

Update the IT security policy to implement the honeynet project

Technology aspect:

Implement a honeynet architecture. With it, we can study the attackers' activities and methods and use the results to improve information security.

[20 pts] Answer the following questions:

How does the protocol work for authentication?

Answer :

MS-CHAP v2 works as follows:

The client asks the server for an authentication challenge.

The server sends back a 16-byte random server challenge.

The client generates the response:

a. Generate a 16-byte random client challenge.

b. Generate the challenge hash using SHA-1 over (ClientChallenge || ServerChallenge || Username).

c. Generate the 16-byte NT hash of the user's password.

d. Append 5 zero bytes to the 16-byte NT hash, then derive the challenge-response keys as 3 DES keys, one for every 7 bytes.

e. Encrypt the first 8 bytes of the result of step b under each of the 3 DES keys from step d, giving the 24-byte ChallengeResponse.

f. Send the 24-byte ChallengeResponse, the 16-byte ChallengeHash, and the username to the server.

The server receives the response and decrypts it using the client's hashed password stored in its database.

If the decrypted result matches the challenge, the server sends back a 20-byte authenticator response to the client.

The client generates the same 20 bytes (by the same procedure) and compares them with the server's authenticator response. If they match, the client and the server are authenticated.

What is the vulnerability of the protocol?

Answer :

The 8 bytes of challenge derived from the 16-byte random server challenge are transmitted in plain text. Any eavesdropper can capture them, so this challenge provides no security.

Derivation of the 3 DES keys from the NT hash

The 16-byte NT hash is padded with 5 zero bytes, and 3 DES keys are then derived from it, one for every 7 bytes. Because the last 5 bytes are zero, the effective key is only 16 bytes.

With brute force, only 65536 different DES keys need to be tried to determine the remaining 16 bits of the NT hash, which takes no more than a few seconds.
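As an added example (not from the essay), the following Python shows the client-side derivation the two answers above describe: the 8-byte challenge hash from SHA-1, the 16-byte NT hash padded with 5 zero bytes and split into three DES keys, and how many hash bytes each key actually contains. The NT hash, challenges and username are constructed values, and DES encryption itself is not performed; only the key layout is shown.

```python
import hashlib

def challenge_hash(peer_challenge, auth_challenge, username):
    """Step b: first 8 bytes of SHA-1(ClientChallenge || ServerChallenge || Username).
    These 8 bytes are the block that each DES key encrypts in step e."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def expand_des_key(key7):
    """Turn 7 key bytes (56 bits) into the 8-byte DES key form: each 7-bit
    group gets an odd-parity bit appended in the low position."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)

def des_keys_from_nt_hash(nt_hash):
    """Step d: pad the 16-byte NT hash to 21 bytes with zeros and split into
    three 7-byte DES keys."""
    assert len(nt_hash) == 16
    padded = nt_hash + b"\x00" * 5
    return [expand_des_key(padded[off:off + 7]) for off in (0, 7, 14)]

def key_material_layout(nt_hash):
    """For each DES key: (NT-hash bytes it contains, brute-force search space).
    The third key covers only 2 hash bytes, hence 2**16 = 65536 candidates."""
    layout = []
    for off in (0, 7, 14):
        hash_bytes = max(0, min(7, len(nt_hash) - off))
        layout.append((hash_bytes, 2 ** (8 * hash_bytes)))
    return layout

if __name__ == "__main__":
    # Constructed values; a real NT hash is MD4 of the UTF-16LE password.
    nt_hash = bytes(range(16))
    print(challenge_hash(b"\x11" * 16, b"\x22" * 16, b"User").hex())
    for k, (n, space) in zip(des_keys_from_nt_hash(nt_hash), key_material_layout(nt_hash)):
        print(k.hex(), "hash bytes:", n, "search space:", space)
```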

What kind of technology was used to crack this protocol? Compare it with the technology used in cracking DES and describe their differences

Answer :

ChapCrack is a tool used to crack MS-CHAPv2.

To crack DES, a tool called the EFF DES cracker, or Deep Crack, is used.

The differences are:

ChapCrack combines the use of Deep Crack and CloudCracker. ChapCrack captures network traffic that uses MS-CHAPv2 and reduces it to a single DES key. The DES key is submitted to CloudCracker (which uses an FPGA cracking box / DES cracking machine) to crack the key. ChapCrack then uses this output to decrypt the entire session.

Deep Crack is used only to crack DES key encryption.

Explain the countermeasures a corporation should take in this case.

Answer :

Do not use the PPTP VPN protocol. Users can move to PEAP or another more secure VPN. Users who rely on it for WPA2 RADIUS (Wi-Fi) authentication should migrate to another secure protocol.

[30 pts] Answer the following questions:

Describe how SMS Internet banking two-factor authentication works

Answer :

SMS Internet banking two-factor authentication is an authentication process that adds an extra layer of security to verifying an Internet banking user's identity. Users are required to present a unique One-Time Password (OTP) in addition to their user ID and password when logging in and when performing important transactions such as third-party funds transfers or online credit card transactions. How it works:

The user logs in to the Internet banking website with their username and password.

The user performs a transaction such as a third-party funds transfer.

The user receives an SMS on their registered mobile phone number containing a unique, temporary PIN code (the OTP). Each SMS OTP can be used only once and only within a short period of time.

The user must enter this code into the website to prove their identity.

If the PIN code is entered correctly, the transaction proceeds.

This mechanism provides an extra layer of online security for Internet banking transactions, but users must always keep their mobile phone number up to date with the bank.
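An added example (not from the essay) of the server-side handling the steps above imply: each OTP is bound to one transaction, the SMS states what is being confirmed, the code expires after a short window and is consumed on first successful use. The TTL, attempt limit and the in-memory store are assumptions standing in for a bank's SMS gateway and database.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 120   # validity window (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses tolerated before the code is discarded

class SmsOtpService:
    def __init__(self):
        self._pending = {}   # tx_id -> [code_hash, expires_at, attempts_left]
        self.sent_sms = []   # stands in for the SMS gateway: (phone, text)

    @staticmethod
    def _digest(code):
        # only a hash is stored, so a database leak does not expose live codes
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, tx_id, tx_summary, registered_phone, now):
        """Create a 6-digit OTP for one transaction and 'send' it to the
        registered number together with a summary of what it confirms."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[tx_id] = [self._digest(code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.sent_sms.append((registered_phone, f"Code {code} to confirm: {tx_summary}"))
        return code   # returned only so the demo can play the user's part

    def verify(self, tx_id, code, now):
        """Returns 'ok', 'expired', 'mismatch' or 'unknown_or_used'."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return "unknown_or_used"          # never issued, or already consumed
        code_hash, expires_at, _ = entry
        if now > expires_at:
            del self._pending[tx_id]
            return "expired"
        if not hmac.compare_digest(code_hash, self._digest(code)):
            entry[2] -= 1                     # limit guessing of a 6-digit code
            if entry[2] <= 0:
                del self._pending[tx_id]
            return "mismatch"
        del self._pending[tx_id]              # single use
        return "ok"

if __name__ == "__main__":
    svc = SmsOtpService()
    code = svc.issue("tx-1", "transfer 100.00 to account 123456", "+000000", now=1000)
    print(svc.sent_sms[-1])
    print(svc.verify("tx-1", code, now=1030), svc.verify("tx-1", code, now=1031))
```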

Describe how the Mobile-in-the-Middle attack of Zitmo actually works

Answer :

Zitmo injects an HTML form into the victim's browser to obtain the victim's phone number and phone model.

With the phone number and model, the attackers send an SMS containing a link to a version of the malicious package compatible with that phone.

After the user downloads the malicious mobile application, it lifts the SMS messages sent to the user that contain personal information (e.g. bank account number, password, etc.).

Zitmo then funnels them to a remote server.

This lets the attacker obtain the mobile transaction authentication number or OTP PIN code.

Describe the difference between Spitmo and Zitmo

Answer :

The differences between Spitmo and Zitmo:

Aspect | Spitmo | Zitmo
Standing for | | Zeus In The Mobile
Type of attack | Man in the browser | Man in the Mobile
Required phone information | Mobile phone number and phone IMEI number | Mobile phone number and phone model
How it attacks | Uses the compromised user browser to ask the user to "certify" their phone number by downloading from a link; the user is then instructed to call a specific number, which the malicious app intercepts; the Trojan intercepts and forwards all incoming SMS to the drop points | Uses a malicious mobile application to intercept and block all incoming SMS
User interface | No user interface | Has a user interface that looks like a security tool
How stolen information is sent | Uses URLEncoder to "encode" the data in a GET request | Uses a JSON object in a POST request
How it stays hidden | Does not run as a background service | Runs as a background service

Describe what code signing is and how these malware got signed and trusted by the device.

Answer :

Code signing is a method that uses digital certificates and the public key infrastructure to sign program files, so that users can confirm the author of the file/software and be assured that it has not been tampered with.

How these malware got signed and trusted by the device:

The Spitmo Trojan was usually signed with a test key publicly available from the CyanogenMod GitHub repository. When the attackers inject into the web browser (i.e. the bank website), they ask for the customer's phone number and phone IMEI. The customer's IMEI is then listed in the certificate, because the device will trust an application or file whose certificate carries its IMEI number.

After the attackers receive the IMEI number, they update the certificate for all victims and create a new installer signed with the updated certificate. When the user downloads the file/application, the device trusts it because the application or file carries the IMEI certificate.