DoS Primer – Vulnerabilities

Quick Summary

While volumetric and resource exhaustion attacks make up a significant proportion of DoS attacks seen in the wild, operating systems, software, and hardware are often vulnerable to exploits that can result in denial of service conditions, making them attractive targets for causing outages against their intended targets.

Ping of Death

First discovered in the 1990s and largely patched against today, the Ping of Death attack involved sending ICMP packets that exceeded the maximum size allowance of 65535 bytes. When malicious packets are received and reassembled by the target, this triggers a buffer overflow resulting in a denial of service.

While this attack is generally mitigated against in modern hardware and software, variations can and do resurface, the most recent of which emerged in 2016 against network devices produced by both Cisco and Juniper.
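The defensive check a reassembly routine needs against the oversized-datagram case described above, written as an added example (this is not code from the original lab and not any operating system's actual IP stack): each IPv4 fragment carries a 13-bit offset in 8-byte units, and a final fragment placed near the top of that range can push the reassembled datagram past the 65535-byte maximum, which is what overflowed fixed-size reassembly buffers in vulnerable stacks. The function validates each fragment's end position before copying it, and refuses datagrams with holes. The fragment tuples and the 20-byte header assumption are constructed for the demonstration.

```python
MAX_IP_DATAGRAM = 65535   # maximum IPv4 total length, header included
IP_HEADER_LEN = 20        # assumption: minimal IPv4 header, no options
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN


class FragmentError(ValueError):
    """Raised when a fragment cannot be placed safely in the reassembly buffer."""


def check_fragment(offset_units, payload_len, more_fragments):
    """Validate one fragment's position before it is copied.

    offset_units: the 13-bit fragment offset from the IP header (8-byte units).
    Returns the (start, end) byte interval the fragment occupies in the payload.
    """
    if not 0 <= offset_units <= 0x1FFF:
        raise FragmentError("fragment offset out of 13-bit range")
    start = offset_units * 8
    end = start + payload_len
    # This is the check a vulnerable stack lacked: the reassembled payload must
    # fit inside the 65535-byte datagram limit, otherwise an unchecked copy
    # into a fixed-size buffer writes past its end.
    if end > MAX_PAYLOAD:
        raise FragmentError(
            f"fragment ends at byte {end}, beyond the {MAX_PAYLOAD}-byte limit")
    if more_fragments and payload_len % 8 != 0:
        raise FragmentError("non-final fragment length must be a multiple of 8")
    return start, end


def _covers(intervals, total):
    """True if the sorted intervals cover [0, total) without holes."""
    pos = 0
    for start, end in sorted(intervals):
        if start > pos:
            return False  # hole before this fragment
        pos = max(pos, end)
    return pos >= total


def reassemble(fragments):
    """Reassemble a list of (offset_units, more_fragments, payload) tuples.

    Returns the reassembled payload bytes, or raises FragmentError when any
    fragment would overflow the datagram limit or the datagram is incomplete.
    """
    buf = bytearray(MAX_PAYLOAD)
    seen = []
    total = None
    for offset_units, more_fragments, payload in fragments:
        start, end = check_fragment(offset_units, len(payload), more_fragments)
        buf[start:end] = payload
        seen.append((start, end))
        if not more_fragments:
            total = end
    if total is None:
        raise FragmentError("final fragment (MF=0) never arrived")
    if not _covers(seen, total):
        raise FragmentError("datagram has holes; refusing to deliver")
    return bytes(buf[:total])


# Constructed sample input: a benign two-fragment datagram, and a single
# final fragment positioned so the datagram would exceed 65535 bytes.
BENIGN = [(0, True, b"A" * 8), (1, False, b"B" * 4)]
OVERSIZED = [(0x1FFF, False, b"X" * 32)]


def demo():
    """Return (benign_payload, oversized_rejected) for a quick self-check."""
    benign = reassemble(BENIGN)
    try:
        reassemble(OVERSIZED)
        rejected = False
    except FragmentError:
        rejected = True
    return benign, rejected
```

The bounds test is expressed on the payload interval rather than on the wire length so that it holds regardless of how many fragments arrive or in which order; the hole check is there because a reassembly buffer that delivers on the first MF=0 fragment would otherwise hand up uninitialised bytes.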

Apache HTTPD Range Header – CVE-2011-3192

In 2011, CVE-2011-3192 was discovered in the widely-deployed Apache HTTP server which, when exploited, consumed excessive amounts of CPU and memory resources.

The vulnerability existed in the optional range HTTP header, which can be used to request ranges of bytes from a web server. By requesting multiple overlapping byte ranges, it was possible to trigger a DoS in the Apache service, causing the application to slow down considerably or crash entirely.

Similar vulnerabilities in other web servers are identified from time to time and serve as a reminder to regularly patch software and systems to minimise the risk of exploits impacting service.
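A front-end check of the kind used to mitigate the overlapping-range problem, written as an added example (this is not the lab's code and not Apache's own range handling): the Range header is parsed into byte intervals, and a request carrying more than a small number of ranges, or ranges that overlap, has its Range header ignored so the server falls back to a plain full-body response instead of building one response part per range. The `MAX_RANGES` limit, the header strings and the content length are constructed for the demonstration; the default limit is an assumption, and a deployment would choose its own.

```python
import re

MAX_RANGES = 5  # assumption: policy limit on ranges per request

# One "first-last" spec; either side may be empty but not both.
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header, content_length):
    """Parse a Range header value into inclusive (start, end) byte tuples.

    Returns None when the header is syntactically invalid or unsatisfiable,
    which a server treats as "no Range header present".
    """
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range: the last N bytes of the representation.
            n = int(last)
            if n == 0:
                return None
            start, end = max(0, content_length - n), content_length - 1
        else:
            start = int(first)
            end = int(last) if last != "" else content_length - 1
            end = min(end, content_length - 1)
        if start > end:
            return None  # range starts beyond the end of the resource
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges):
    """True if any two inclusive ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return True
    return False


def range_policy(header, content_length, max_ranges=MAX_RANGES):
    """Decide how to treat a Range header.

    Returns "serve_ranges" when the request is well-formed and within policy,
    or "ignore_range" when the header is invalid, asks for too many ranges,
    or contains overlapping ranges (the server then answers with a normal
    200 full-body response rather than multipart range content).
    """
    ranges = parse_ranges(header, content_length)
    if ranges is None:
        return "ignore_range"
    if len(ranges) > max_ranges or ranges_overlap(ranges):
        return "ignore_range"
    return "serve_ranges"


# Constructed sample headers for the demonstration.
NORMAL_RANGE = "bytes=0-499"
# Many open-ended ranges of the overlapping shape the CVE describes.
ABUSIVE_RANGE = "bytes=" + ",".join(f"{i}-" for i in range(1300))
RESOURCE_LENGTH = 10000


def demo():
    """Return the policy decision for the normal and the abusive header."""
    return (range_policy(NORMAL_RANGE, RESOURCE_LENGTH),
            range_policy(ABUSIVE_RANGE, RESOURCE_LENGTH))
```

Dropping the header rather than answering 416 is the conservative choice: a legitimate client that sent an odd Range still gets the resource, while the server never allocates per-range response parts for a request that was never going to use them. The same check is cheap enough to run in a WAF or reverse proxy in front of a server that cannot be patched immediately.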

Modsecurity – CVE-2019-19886

Modsecurity is an open source web application firewall (WAF) that is frequently deployed alongside web servers to protect them from common web application vulnerabilities.

In late 2019, a vulnerability was discovered in versions 3.0.0 - 3.0.3 of libModSecurity that could cause a denial of service by using a malformed cookie header field. On receipt of the malformed data, the web server worker process would crash before recovering shortly after.

By continuing to send requests containing malformed cookie data, it is possible to continually crash the worker process, resulting in a sustained denial of service.

BIND DNS service – multiple vulnerabilities

BIND is a common service used to perform DNS lookups and is of high importance in some organisations such as internet service providers. A number of high severity vulnerabilities have existed in the BIND DNS service that cause it to crash when exploited. The resulting impact prevents domains from being successfully resolved until the service has been restarted.

Mitigating DoS vulnerabilities

Vulnerabilities that lead to denial of service conditions in critical systems and services can often result in loss of data or services and even reputational damage to the affected company.

Regular patching on internet-facing systems will reduce the risk of known vulnerabilities being exploited. However, zero-day exploits present risks that may not be possible to patch, so alternate mitigations may need to be implemented until the vendor is able to release an update. Such mitigations can include intrusion prevention systems (IPS), web application firewalls (WAF), and carefully managed configurations.

In this lab

Using the information from this lab, complete the game by dragging the boxes from left to right to match the statements.