
Fifth year

Networks Security & Disaster Recovery course



Report name:
Apache Web Server Security
& Attacks

Prepared by:

Part I
ABSTRACT





Web services are among the most widely used applications in our lives. In this
report we focus on the most famous web server, Apache, and give a brief study
of its major vulnerabilities and attacks: the most widely known attacks, how
they work to exploit Apache, and how to protect against them. Finally, we try
to implement one of those attacks, a DoS (denial of service) against an Apache
web server, to give us a practical case study of a very common attack.


***************
Part II
Introduction




Every web site (the collection of HTML/CSS files, data files, scripts and
other files) needs a web server. A web server is a piece of software that
is responsible for showing you the documents you ask for when you type
web addresses into your browser (examples of web servers are Apache, IIS
and Netscape). The web server is used to store the data and to respond
to requests over the Internet. The Apache HTTP Server Project is a
collaborative software development effort aimed at creating a robust,
commercial-grade and freely available source code implementation of an
HTTP (Web) server. The project is jointly managed by a group of
volunteers located around the world, using the Internet and the Web to
communicate, plan, and develop the server and its related documentation.
This project is part of the Apache Software Foundation. In addition,
hundreds of users have contributed ideas, code, and documentation to the
project. This file is intended to briefly describe the history of the Apache
HTTP Server and recognize the many contributors.


Apache's main role is all about communication over networks, and it uses
the TCP/IP protocol (Transmission Control Protocol/Internet Protocol, which
allows devices with IP addresses within the same network to communicate
with one another).
The Apache server offers a number of services that clients might use.
These services are offered using various protocols through different ports,
and include:
Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol
(SMTP), Domain Name Service (DNS) and File Transfer Protocol (FTP) for
uploading and downloading files.

Why choose Apache
Apache is a solid, dependable, reliable Web server, developed by talented,
dedicated developers who are deeply concerned about the quality of the
product, and the quality of the code that goes into the product. They are all
amateurs, in the original sense of that word. That is, they are not doing this
development because they are paid to do so (although some lucky guys are
actually paid to do this). They do it because they love it and want to see
something good come out of it, and see millions of people use the results of
their work.


Part III
Literature review




In this section, we present principles every security professional
should know. These principles have evolved over time and are part of the
information security body of knowledge. Then we narrow the focus to
Apache.


Common Security Vocabulary

At this point, a short vocabulary of frequently used security terms would be
useful. You may know some of these terms, but some are specific to the
security industry.

Weakness

A less-than-ideal aspect of a system, which can be used by attackers in
some way to bring them closer to achieving their goals. A weakness may be
used to gain more information or as a stepping-stone to other system parts.

Vulnerability

Usually a programming error with security consequences.



Exploit

A method (but it can be a tool as well) of exploiting a vulnerability. This
can be used to break in or to increase user privileges (known as privilege
elevation).


Attack vector

An entry point an adversary could use to attempt to break in. A popular
technique for reducing risk is to close the entry point completely for the
attacker. Apache running on port 80 is one example of an entry point.

Attack surface

The area within an entry point that can be used for an attack. This term is
usually used in discussions related to the reduction of attack surface. For
example, moving an e-commerce administration area to another IP address
where it cannot be accessed by the public reduces the part of the application
accessible by the attacker and reduces the attack surface and the risk.


Attacks (Reasons, Types & Avoidance)

Table 3-1 gives a list of reasons someone may attack you.

Reason: To grab an asset
Description: Attackers often want to acquire something valuable, such as a
customer database with credit cards or some other confidential or private
information.

Reason: To steal a service
Description: This is a special form of the previous category. The servers you
have, with their bandwidth, CPU, and hard disk space, are assets. Some
attackers will want to use them to send email, store pirated software, use
them as proxies and starting points for attacks on other systems, or use them
as zombies in automated distributed denial of service attacks.

Reason: Recognition
Description: Attacks, especially web site defacement attacks, are frequently
performed to elevate one's status in the underground.

Reason: Thrill
Description: Some people love the thrill of breaking in. For them, the more
secure a system, the bigger the thrill and desire to break in.

Reason: Mistake
Description: Well, this is not really a reason, but attacks happen by chance,
too.

Table 3-1




Typical attacks on web systems
Table 3-2 gives a list of typical attacks on web systems and some ways to
handle them.

Attack type: Denial of Service
Description: Any of the network, web-server, or application-based attacks
that result in denial of service, a condition in which a system is overloaded
and can no longer respond normally.
Mitigation: Prepare for attack. Inspect the application to remove
application-based attack points.

Attack type: Exploitation of configuration errors
Description: These errors are our own fault. Surprisingly, they happen more
often than you might think.
Mitigation: Create a secure initial installation. Plan changes, and assess
the impact of changes before you make them. Implement independent assessment
of the configuration on a regular basis.

Attack type: Exploitation of Apache vulnerabilities
Description: Unpatched or unknown problems in the Apache web server.
Mitigation: Patch promptly.

Attack type: Exploitation of application vulnerabilities
Description: Unpatched or unknown problems in deployed web applications.
Mitigation: Assess web application security before each application is
deployed.

Attack type: Attacks through other services
Description: This is a catch-all category for all other unmitigated problems
on the same network as the web server. For example, a vulnerable MySQL
database server running on the same machine and open to the public.
Mitigation: Do not expose unneeded services, and compartmentalize.

Table 3-2

Denial of Service
A denial-of-service (DoS) attack is any action (initiated by a human or
otherwise) that incapacitates your host's hardware, software, or both,
rendering your system unreachable and therefore denying service to
legitimate (or even illegitimate) users.
In a DoS attack, the attacker's aim is straightforward: to knock your host(s)
off the Net. Except when security teams test consenting hosts, DoS attacks
are always malicious and unlawful.
Denial of service is a persistent problem for two reasons. First, DoS attacks
are quick, easy, and generate an immediate, noticeable result. Hence,
they're popular among budding crackers, or kids with extra time on their
hands. As a Web administrator, you should expect frequent DoS attacks;
they're undoubtedly the most common type.

An Apache-Based Denial-of-Service Example
A serious Apache vulnerability surfaced on April 12, 2001, when
Auriemma Luigi discovered (and William A. Rowe, Jr. confirmed) that
attackers could send a custom URL via a Web browser and thereby
hang Apache, or run the target's processor to 100% utilization.
Attackers could perform this DoS attack in one of three ways:
Issue a GET request consisting of 8,184 / characters
Issue a HEAD request consisting of 8,182 A characters
Issue an ACCEPT of 8,182 / characters
In both Windows 98 and Windows 2000, if an attacker sent two or more
strings from different connections, the targets would crash (and all
connections would thereafter fall idle).
The problem affected all Apache versions earlier than version 1.3.20 on the
following platforms:
Microsoft Win32
Microsoft Windows NT
Microsoft Windows 2000
OS/2
As reported by the Apache team
(http://bugs.apache.org/index.cgi/full/7522):

"In the case of an extremely long URI, a deeply embedded parser properly
discarded the request, returning the NULL pointer, and the next higher-level
parser was not prepared for that contingency. Note further that accessing
the NULL pointer created an exception caught by the OS, causing the apache
process to be immediately terminated. While this exposes a denial-of-service
attack, it does not pose an opportunity for any server exploits or data
vulnerability."

Apache patched this problem in version 1.3.20. However, as I related
earlier, Apache isn't your only concern. You must be ever diligent to
monitor security advisory lists for your operating system and any
applications or modules that run on your Web host.

Distributed denial-of-service (DDoS) attacks
In a typical DDoS attack, the attacker's army consists of master zombies
and slave zombies. The attacker coordinates and orders master zombies and
they, in turn, coordinate and trigger slave zombies. More specifically, the
attacker sends an attack command to the master zombies, and activates all
attack processes on those machines, which are in hibernation, waiting for
the appropriate command to wake up and start attacking.
Then the master zombies duplicate the attack commands to each of their
slave zombies, ordering them to mount a DDoS attack against the victim. In
this way, the zombie systems begin to send a large volume of packets to the
victim, flooding it with useless loads, and exhausting its resources.


Figure 3-3

In DDoS attacks, spoofed source IP addresses are used in the packets of the
attack traffic. Attackers prefer to use such counterfeit source IP addresses
for two major reasons: first, to hide the identity of the zombies, so that the
victim cannot trace the attack back to them. The second reason is to
discourage any attempt by the victim to filter out the malicious traffic.

Things Apache Can't Defend Against

Database issues
Apache may securely interface with this or that database, and that's fine.
However, if your preferred database has security issues or vulnerabilities
that have nothing to do with Apache, Apache cannot help.

Common Gateway Interface
You will doubtless include at least some CGI functionality on your site.
Apache accounts for CGI security issues, at least those that revolve
around permissions. This is great news, but by no means the end of the
story. Bad CGI is bad CGI, and if you or your developers fail to observe
CGI coding security practices, Apache won't save the day.

Environmental issues
Apache's code assumes that you've configured your underlying system
properly and securely. If you haven't, Apache's raw power can then turn
against you and offer crackers innumerable possibilities.



Inside jobs
More than 60% of all intrusions today stem from insiders, disgruntled
employees, or other individuals to whom you entrust administrative
privileges. Therefore, observing standard security policies (such as locking
out fired developers) is paramount.

Third-party tools
Third-party modules, security related or otherwise, can sometimes harbor
hidden or latent holes. Naturally, you'll want to enhance your Apache
server's functionality, but in doing so, choose modules wisely. If you
compile in, bind, or load a flawed module to Apache, Apache core and
security facilities won't save the day.

Personal diligence
Crackers are busy folks, and find holes in applications every day.
Therefore, you must constantly keep up to date on the security status of
your underlying operating system, Apache, and any third-party modules
you load. Security lists and advisories are invaluable resources in this
regard, providing that you read them.

Network attacks
Apache cannot save your system from attacks that exploit
network hardware or infrastructures beyond its control.


Examples of other Apache attacks

THE APACHE SLAPPER WORM
Everyone should be familiar with the Slapper worm, which surfaced in
September 2002.
Many people think it is not really about Apache but about OpenSSL, but the
worm exploits Apache through an issue in OpenSSL, and it is the most recent
serious issue.
It proceeds to infect other systems and calls back home to become a part of
a distributed denial of service (DDoS) network.
Some variants install a backdoor, listening on a TCP/IP port. The worm
only works on Linux systems running on the Intel architecture.
The behavior of this worm serves as an excellent case study and a good
example of how some of the techniques we used to secure Apache help in
real life.

The worm uses a probing request to determine the web server make and
version from the Server response header and attacks the servers it knows
are vulnerable. A fake server signature would, therefore, protect from this
worm. Subsequent worm mutations stopped using the probing request, but
the initial version did and this still serves as an important point.

If a vulnerable system is found, the worm source code is uploaded (to /tmp)
and compiled. The worm would not spread to a system without a compiler,
to a system where the server is running from a jail, or to a system where
code execution in the /tmp directory is disabled (for example, by mounting
the partition with a noexec flag).

Proper firewall configuration, as discussed in Chapter 9, would stop the
worm from spreading and would prevent the attacker from going into the
server through the backdoor.

The Alan Ralsky DoS
In November 2002, Alan Ralsky, a well-known bulk-email operator, gave
an interview describing what he does and how he makes money sending
bulk email. The interview received wide publicity reaching most
technology-oriented web sites and, eventually, the very popular Slashdot
technology news site. In the interview, Alan disclosed the purchase of a
new home, and soon the address of the home found its way into a Slashdot
comment. In an apparent retribution by the readers, Alan Ralsky was
subscribed to hundreds of snail-mail mailing lists for ads, catalogues, and
magazines. Subscriptions caused huge quantities of mail to arrive on his
doorstep every day, effectively preventing Ralsky from using the address to
receive the mail he wanted.



Attack toolkits
While there are numerous scripts that are used for scanning, compromising
and infecting vulnerable machines, there are only a handful of DDoS attack
tools that have been used to carry out the actual attacks.

Trinoo
This tool uses a handler/agent architecture wherein an attacker sends
commands to the handler (the first system compromised in the series) via
TCP, and handlers and agents communicate via UDP. Both handlers and
agents are password-protected to try to prevent them from being taken over
by another attacker. Trinoo generates UDP packets of a given size to
random ports on one or multiple target addresses, during a specified attack
interval.

Tribe Flood Network (TFN)
This tool uses a different type of handler/agent architecture. Commands are
sent from the handler to all of the agents, from the command line. The
attackers do not log in to the handler as with Trinoo. This tool can
perform a UDP flood, a TCP SYN flood and Smurf attacks at specified or
random victim ports. The attackers run commands from the handler using
any of a number of connection methods (e.g., a remote shell bound to a
TCP port, and UDP-based client/server remote shells). All commands sent
from the handler to agents through ICMP packets are encoded, which
hinders detection.

Tribe Flood Network 2000 (TFN2K)
An improved version of TFN, this includes several features designed
specifically to make its traffic difficult to recognize and filter; to remotely
execute commands; to obfuscate the true source of the traffic, and to
transport TFN2K traffic over multiple transport protocols, including UDP,
TCP, and ICMP. TFN2K obfuscates the true traffic source by spoofing
source addresses.

Low Orbit Ion Cannon (LOIC)
This is the chosen tool in our experiment.
LOIC is one of the first choices of attackers in the current era of DDoS 2.0.
It is an open source network-attack application written in C#, which
performs DoS/DDoS attacks on a target site by flooding the server with
TCP packets, UDP packets, or HTTP requests.
An attacker downloads the LOIC client and configures it to connect to an
IRC server. The victim server gets flooded with requests from all LOIC
clients, operating in hive mode. This is a classic Distributed Denial of
Service (DDoS) using a botnet, except that in this case, attackers volunteer
to join it.
If you are using this tool even for testing purposes, be careful, because it
does not include code for masking the originator's IP address, which will
show up on the target server's logs and can easily be traced back to the
user's ISP account, and eventually the local router.

Trinity
This is the first DDoS tool that is controlled via IRC. Upon compromise
and infection by Trinity, each zombie joins a specified IRC channel and
waits for commands. The use of a legitimate IRC service for
communication between attacker and zombie replaces the classic
independent handler, and elevates the level of the threat. It is also capable
of launching several types of flooding attacks on a victim site, including
UDP, an IP fragment, TCP SYN, TCP RST, TCP ACK, and other floods.
Now, due to regular security checks and patches, and signature-based
IDS/IPS (Intrusion Detection/Prevention Systems), many of these tools
have become less effective, and are not used by attackers. However, this
has led to the next era of DDoS attacks, which is referred to as DDoS 2.0.

HTTP SlowLoris
Recently, Slowloris has emerged as a perilous application DDoS attack.
It disrupts application services by exhausting Web server connections. In
the Slowloris attack, the attackers send an incomplete HTTP header, and
then periodically send header lines to keep the connection alive, but they
never send the full header. Without requiring that much bandwidth, an
attacker can open numerous connections, and overwhelm the targeted Web
server. While multiple patches have been created for Apache to mitigate
this vulnerability, it nonetheless demonstrates the power of more
sophisticated DDoS attacks.

About DDoS 2.0
DDoS attacks are traditionally carried out by computer-based bots. DDoS
2.0 is considered to be a highly amplified class of DDoS attacks. Recently,
a new breed of DDoS attacks has been uncovered that uses Web servers as
payload-carrying bots. Using a basic software program equipped with a
dashboard and control panel, attackers could configure the IP, port, and
duration of the attack. Hackers simply need to type the Website URL they
wish to attack, and they can instantly disable targeted sites.

Here are some points on why Web servers are used in DDoS 2.0:
* Servers provide a powerful DDoS attack platform, because they usually
have greater bandwidth than a simple PC.
* Servers are always online, while a typical PC might go offline. Moreover,
they are also rarely formatted.
* A Web server's outgoing traffic is usually less monitored by ISPs,
because of a common misconception that a server's outgoing traffic is not
as malicious as a PC's.
* By using Web servers as zombies, attackers are even less detectable,
because trace backs typically lead to a lone server at a random hosting
company.



Part IV
Methodology


In this part, we explain which attacks LOIC can perform and take a
deeper look at the tool's functionality and architecture.

Low Orbit Ion Cannon (LOIC) is an open source network stress testing and
denial-of-service attack application, written in C#.

LOIC was initially developed by Praetox Technologies, but was later
released into the public domain, and now is hosted on several open source
platforms.

The software has inspired the creation of an independent JavaScript version
called JS LOIC, as well as LOIC-derived web version called Low Orbit
Web Cannon. These enable DoS from a web browser.


Figure 4-1

What does it do?
There are three types of attacks, each using a different packet type:
UDP, TCP and HTTP. All attack types are similar; they open several
connections to the same target host and continuously send a pre-defined string,
set using the message parameter.
In the UDP and TCP attacks, this string is simply sent in plain-text, while in the
HTTP attack the message is included in the contents of an HTTP GET message.
When a huge amount of messages is sent, the target host becomes overloaded
and can no longer reply to requests from legitimate users.
The tool, however, does not attempt to protect the identity of the user, as the IP
address of the attacker can be seen in all packets sent during the attacks.

Internet Service Providers can resolve the IP addresses to their client names, and
therefore easily identify the attackers. Moreover, Web servers normally keep
logs of all served requests, so that target hosts also have information about
the attackers.
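The two paragraphs above make the defender's point: the tool puts the attacker's real address in every packet, and the web server logs every request it serves. As an added example (it is not code from the report or from the LOIC project), the following Python script parses Apache Common Log Format lines and reports every client whose request count inside a sliding window exceeds a threshold, which is the first thing an operator does with the access log during a flood. The log lines, client addresses (from the documentation ranges), window length and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Common Log Format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_flooders(lines, window_seconds=10, threshold=50):
    """Return {ip: peak} for every client that made more than `threshold`
    requests inside some window of `window_seconds`. Lines must be in the order
    the server wrote them (chronological), which is how Apache writes them."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip a corrupted line rather than abort the analysis
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop requests that fell out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def _clf(ip, when, request="GET /images/HD_images.html HTTP/1.1", status=200, size=5120):
    """Format one constructed Common Log Format line."""
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "{request}" {status} {size}'


def sample_log():
    """Constructed access log: one ordinary visitor and one client hammering the page."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    entries = []
    # Legitimate visitor: 5 requests, 12 s apart.
    for i in range(5):
        entries.append((base + timedelta(seconds=12 * i), "192.0.2.10"))
    # Flooding client: 120 requests within roughly 10 seconds.
    for i in range(120):
        entries.append((base + timedelta(seconds=0.08 * i), "198.51.100.7"))
    entries.sort(key=lambda e: e[0])    # Apache writes the log in time order
    lines = [_clf(ip, when) for when, ip in entries]
    lines.insert(3, "not a log line at all")   # one corrupted line, to be skipped
    return lines


if __name__ == "__main__":
    for ip, n in find_flooders(sample_log()).items():
        print(f"{ip}: {n} requests in a 10 s window")
```

The sliding window is kept per client with a deque, so memory stays proportional to the number of clients times the window, not to the log size; on a real server the same function can be fed `tail -f` output line by line. The threshold is deliberately a parameter: a page with 50-60 images legitimately produces dozens of requests per page load, so it has to be tuned against normal traffic before it is used to block anything.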

The following settings are available:
* IP/URL.
* Port.
* HTTP subsite.
* Append random chars to the subsite.
* Number of simultaneous threads.
* Wait for reply: Determines for each thread whether to wait for a reply
from the target before starting a new connection.
* Timeout: Max time to wait for reply.
* Attack speed.

All attack types provided by this tool are denial-of-service attacks.

Here is a simple scenario: an attacker sends a large number of requests to a
Web server, for example, a website that hosts HD image files at a
particular URL, say www.example.com/images/HD_images.html.
Let's also assume that this page contains about 50-60 images. Now, every
time a user reloads this page, it consumes a large portion of the Web
server's bandwidth. Now, here, an attacker could design a separate HTML
page, with an iframe embedded in it, like what is shown in Figure 4-3.

<html>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
</html>

Figure 4-3

Let's suppose that instead of a single iframe, the attacker copies and pastes
the above code 1,000 times in the same page, and also adds a meta refresh
tag as shown in Figure 4-4.



<html>
<head>
<meta http-equiv="refresh" content="2">
</head>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
:
( 1000 times )
</html>

Figure 4-4
Such a page, when loaded, will send the same request 1,000 times every 2
seconds, and will consume a lot of the Web server's bandwidth. Thus, the
target server will not be able to respond to other clients, and eventually,
legitimate clients will be denied services from the server.

Now let us assume that an attacker would like to launch a DoS attack on
example.com by bombarding it with numerous messages. Also assume that
example.com has abundant resources and considerable bandwidth (which is
most often the case). It is then difficult for the attackers to generate a
sufficient number of messages from a single machine (as in the above
scenario) to overload those resources.

However, imagine the consequences if they got 100,000 machines under
their control, in order to simultaneously generate requests to example.com.
Each of the attacking machines (compromised machines that have been
infected by malicious code) may be only moderately provisioned (have a
slow processor and be on a mere modem link), but together, they form a
formidable attack network which, with proper use, could overwhelm
even a well-provisioned victim site. This is a distributed denial-of-service
(DDoS) attack, and the machines under the attacker's control are termed
zombies/agents.


What happens in each attack mode?

TCP Mode
TCP SYN flooding attacks: DoS attacks often exploit stateful network
protocols, because these protocols consume resources to maintain state.
TCP SYN flooding is one such attack, and had a wide impact on many
systems. When a client attempts to establish a TCP connection to a server,
the client first sends a SYN message to the server. The server
acknowledges this by sending a SYN-ACK message to the client. The
client completes establishing of the connection by responding with an ACK
message. The connection between the client and the server is then open,
and service-specific data can be exchanged between them.

The abuse occurs at the half-open state when the server is waiting for the
client's ACK message, after sending the SYN-ACK message to the client.
The server needs to allocate memory to store information about the half-open
connection, and this memory will not be released until the server either
receives the final ACK message, or the half-open connection expires
(times out).

Attackers can easily create half-open connections by spoofing source IPs in
SYN messages, or ignoring SYN-ACKs. The consequence is that the final
ACK message will never be sent to the victim. Because the victim normally
only allocates a limited amount of space in its process table, too many half-
open connections will soon fill the space.

Even though the half-open connections will eventually expire due to their
timeout, zombies can aggressively send spoofed TCP SYN packets,
requesting connections at a much higher rate than the expiration rate.
Finally, the victim will be unable to accept any new incoming connections,
and thus cannot provide services.
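The three paragraphs above reduce to a race between the arrival rate of spoofed SYNs and the expiry rate of half-open entries. The following Python model, added here and not code from the report or from any real TCP stack, makes that race concrete and sets the classic stateful backlog beside the mitigation most operating systems offer: SYN cookies, where the server keeps no half-open state and instead derives the SYN-ACK sequence number from an HMAC over the connection 4-tuple and the current minute, which it can recompute when the ACK arrives. Capacity, timeout, rates, addresses (documentation ranges) and the secret are constructed values; real SYN cookies also encode the MSS and use a different hash layout.

```python
import hashlib
import hmac
import os
from collections import OrderedDict


class StatefulBacklog:
    """Classic server: one table slot per half-open connection, held until the
    final ACK arrives or the entry times out."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time SYN arrived
        self.refused = 0

    def _expire(self, now):
        # Entries are in arrival order, so the oldest is always first.
        while self.half_open:
            src, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            del self.half_open[src]

    def on_syn(self, now, src):
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.refused += 1       # table full: this client gets no SYN-ACK
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, now, src):
        self._expire(now)
        return self.half_open.pop(src, None) is not None


class SynCookieServer:
    """Stateless alternative: the SYN-ACK's initial sequence number is an HMAC
    over the connection 4-tuple and the current minute, so nothing is stored
    while the connection is half-open."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)

    def _cookie(self, src, dst_port, minute):
        msg = f"{src[0]}:{src[1]}:{dst_port}:{minute}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")       # fits a 32-bit sequence number

    def on_syn(self, now, src, dst_port=80):
        # Return the ISN to place in the SYN-ACK; no state is kept.
        return self._cookie(src, dst_port, int(now // 60))

    def on_ack(self, now, src, ack_num, dst_port=80):
        # The client's ACK acknowledges ISN + 1. Accept the current minute and
        # the previous one so a handshake straddling a boundary still succeeds.
        isn = (ack_num - 1) & 0xFFFFFFFF
        minute = int(now // 60)
        return any(isn == self._cookie(src, dst_port, m) for m in (minute, minute - 1))


def simulate_syn_flood(capacity=128, timeout=60.0, syn_rate=10, duration=30):
    """Spoofed SYNs at syn_rate/s for `duration` s against a stateful backlog,
    then one legitimate SYN. Returns (refused_count, legitimate_accepted)."""
    srv = StatefulBacklog(capacity, timeout)
    for i in range(syn_rate * duration):
        # Spoofed sources: their ACKs never come, so the slots stay occupied.
        srv.on_syn(i / syn_rate, (f"203.0.113.{i % 250}", 40000 + i))
    accepted = srv.on_syn(duration + 1.0, ("192.0.2.10", 51515))
    return srv.refused, accepted


if __name__ == "__main__":
    refused, ok = simulate_syn_flood()
    print(f"stateful backlog: {refused} SYNs refused, legitimate client accepted: {ok}")
    cookies = SynCookieServer()
    client = ("192.0.2.10", 51515)
    isn = cookies.on_syn(31.0, client)
    print("syn cookies: legitimate ACK accepted:",
          cookies.on_ack(31.2, client, (isn + 1) & 0xFFFFFFFF))
```

With 128 slots and a 60-second timeout, 10 spoofed SYNs per second fill the table in under 13 seconds and nothing expires before the legitimate client arrives, so it is refused; the cookie server refuses nothing, because a spoofed SYN costs it one HMAC and no memory. The price of statelessness is the fixed-width cookie: a forged ACK succeeds with probability about 2^-32 per attempt, and the minute-granularity key rotation bounds how long a captured cookie stays valid, which is why the check accepts only the current and previous minute.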

UDP Mode
UDP flooding attacks: By patching or redesigning the implementation of
TCP and ICMP protocols, current networks and systems have incorporated
new security features to prevent TCP and ICMP attacks. Nevertheless,
attackers may simply send a large amount of UDP packets towards a
victim. Since an intermediate network can deliver higher volumes of traffic
than the victim network can handle, the flooding traffic can exhaust the
victim's connection resources.
Pure flooding can be done with any type of packets. Attackers can also
choose to flood service requests so that the victim cannot handle all
requests with its constrained resources (i.e., service memory or CPU
cycles). UDP flooding is similar to flash crowds that occur when a large
number of users try to access the same server simultaneously.

HTTP Mode
Slowloris: A Slow HTTP Denial of Service (DoS) attack, otherwise
referred to as Slowloris HTTP DoS attack, makes use of HTTP GET
requests to occupy all available HTTP connections permitted on a web
server.
A Slow HTTP DoS Attack takes advantage of a vulnerability in thread-
based web servers which wait for entire HTTP headers to be received
before releasing the connection. While some thread-based servers such as
Apache make use of a timeout to wait for incomplete HTTP requests, the
timeout, which is set to 300 seconds by default, is re-set as soon as the
client sends additional data.
This creates a situation where a malicious user could open several
connections on a server by initiating an HTTP request but does not close it.
By keeping the HTTP request open and feeding the server bogus data
before the timeout is reached, the HTTP connection will remain open until
the attacker closes it. Naturally, if an attacker had to occupy all available
HTTP connections on a web server, legitimate users would not be able to
have their HTTP requests processed by the server, thus experiencing a
denial of service.
This enables an attacker to restrict access to a specific server with very low
utilization of bandwidth. This breed of DoS attack is starkly different from
other DoS attacks such as SYN flood attacks which misuse the TCP SYN
(synchronization) segment during a TCP three-way handshake.

To make matters worse, Intrusion Detection Systems (IDS) do not
commonly detect a Slow HTTP DoS attack since the attack does not contain
any malformed requests. The HTTP request will seem legitimate to the IDS
and will pass it onto the web server.
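The weakness described above is a timeout policy, not a parsing bug: a fixed 300-second clock that restarts on every byte can be kept alive forever by a client that sends one byte every few minutes. The Python functions below are an added model, not code from the report or from Apache, of that naive rule beside the minimum-rate rule that Apache's mod_reqtimeout implements with the directive `RequestReadTimeout header=20-40,MinRate=500` (20 seconds to finish the headers, one extra second per 500 bytes received, never more than 40 seconds). The event timelines are constructed, and the exact bookkeeping inside mod_reqtimeout differs in details.

```python
def naive_header_timeout(events, timeout=300.0):
    """Model of the behaviour described above: one fixed timeout that is
    restarted whenever the client sends any data at all.

    events: chronological list of (time, bytes_received, headers_complete).
    Returns (True, t) if the headers completed at time t, or (False, deadline)
    where `deadline` is when the server closed the connection, or, if no event
    ever crossed the deadline, how long it would keep the connection open after
    the last event."""
    deadline = timeout
    for t, n, done in events:
        if t > deadline:
            return False, deadline
        deadline = t + timeout      # any byte, however few, restarts the clock
        if done:
            return True, t
    return False, deadline


def min_rate_header_timeout(events, initial=20.0, maximum=40.0, min_rate=500):
    """Model of RequestReadTimeout header=initial-maximum,MinRate=min_rate:
    the client gets `initial` seconds to finish the headers; every `min_rate`
    bytes received buy one more second, but never beyond `maximum`."""
    deadline = initial
    received = 0
    for t, n, done in events:
        if t > deadline:
            return False, deadline
        received += n
        deadline = min(initial + received // min_rate, maximum)
        if done:
            return True, t
    return False, deadline


def slow_client_events():
    """Constructed slow-header timeline: one header byte every 100 s, never finishing."""
    return [(100.0 * i, 1, False) for i in range(1, 11)]


def legitimate_client_events():
    """Constructed normal request: about 700 bytes of headers, complete within a second."""
    return [(0.5, 300, False), (1.0, 400, True)]


if __name__ == "__main__":
    for name, events in (("slow client", slow_client_events()),
                         ("legitimate client", legitimate_client_events())):
        print(name, "naive:", naive_header_timeout(events),
              "min-rate:", min_rate_header_timeout(events))
```

Under the naive rule the slow client is still connected 1,300 seconds in and would stay connected as long as it keeps trickling bytes; under the minimum-rate rule it is cut off at 20 seconds, while the legitimate client, and even a slow link that sustains 500 bytes per second, completes normally. The same directive's `body=` part applies the identical rule to the request body, which matters for the POST variant of the attack.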


Deeper look in LOIC Tool functionalities
In LOIC, most of the files are for creating the interface, but three of them
are of interest: frmMain.cs, HTTPFlooder.cs and Program.cs.
The frmMain.cs file generates the main part of the user interface, and where
the user specifies the URL or IP address of the target server, the program
does a series of checks for valid addresses, port numbers, payload, etc.,
before running the DDoS code for whichever of the three methods (TCP,
UDP or HTTP) is selected.
In the hive mode, commands are sent to the LOIC client through IRC.
The IRC server, channel and port are set initially in the forms and defined
in Program.cs, which uses the C# SmartIRC4NET library. In LOIC's
default mode, the user has volunteered to join the rest of the LOIC users all
over the world, thus forming a botnet, which collectively sends mass
requests to the target server.
If you face some difficulty in compiling LOIC, you can go for its binary
here. However, besides LOIC, attackers also use a variety of other tools.
The goal of a Denial of Service (DoS) attack is to disrupt some legitimate
activity, such as browsing Web pages, email functionality or the transfer of
money from your bank account. It could even shutdown the whole Web
server. This denial-of-service effect is achieved by sending messages to the
target machine such that the message interferes with its operation and
makes it hang, crash, reboot, or do useless work.
In a majority of cases, the attacker's aim is to deprive clients of desired
server functionality.
One way to interfere with legitimate operations is to exploit vulnerabilities
on the target machine or application, by sending specially crafted requests
targeting the given vulnerability (usually done with tools like Metasploit).
Another way is to send a vast number of messages, which consume some
key resource of the target machine, such as bandwidth, CPU time, memory,
etc. The target application, machine, or network spends all of its critical
resources on handling the attack traffic, and cannot attend to legitimate
clients.
Of course, to generate such a vast number of requests, the attacker must
possess a very powerful machine with a sufficiently fast processor
and a lot of available network bandwidth. For the attack to be successful, it
has to overload the target's resources. This means that an attacker's
machine must be able to generate more traffic than a target, or its network
infrastructure, can handle.

Distinct characteristics:
As mentioned before, each LOIC HTTP request ends with a triple CRLF.
This is very unusual for HTTP requests, although it has been seen in
legitimate traffic as well.

Code analysis
The publicly available source code of the tool was analyzed. It was
observed that the tool uses the Socket class, which is supplied by the C#
framework. This led to the conclusion that the TCP layer behavior of the
tool must be normal and therefore must respect TCP connection operations.


Experiment
We ran the tool in several scenarios where we defined different actions of
connection-handling and observed different outcomes. This was done for
each of the three operating modes. Each time it identified the IP address of
the web address, but we did not complete the whole attack operation to avoid
illegal risks. A paper from the Radware Security site that completed an
experiment on this tool helped us to go on with our report.




Part V
Results & Conclusion



Countermeasures for the LOIC attack tool were highly effective in
modes of operation where TCP is used (TCP or HTTP). Apparently, these
are the most widely used operating modes in the wild. The tool's UDP
mode was not affected at all by any countermeasures attempted. The
reaction of the tool to different actions depends on whether the Wait for
reply option is enabled. If the Wait for reply option is enabled, no
difference was observed in the tool's reaction to either dropping or resetting
the connection.

Sometimes the attack traffic drops in much the same way whether the
attack traffic is dropped or the connection is reset. However, when the "Wait
for reply" option is not enabled, the tool continues to initiate new
connections if the attacking traffic is dropped, but it stops
initiating new connections if connections are reset.
If attackers use this tool directly from their own computers, instead of via
anonymizing networks such as Tor, the real Internet address of the attacker is
included in every packet transmitted, making it easy to
trace back. We also found that the tool does not employ sophisticated
techniques such as IP spoofing, in which the source address of others is used, or
reflected attacks, in which the attack traffic goes via third-party systems. The current attack
technique can therefore be compared to overwhelming someone with letters while
putting your real home address on the back of the envelope.

CONCLUSIONS
Anonymous attacked big companies like MasterCard, Visa and PayPal in
2010, and was even able to take some of their websites down. This suggests
that the tool used by the group (LOIC) is powerful. Therefore, a deeper
understanding of the tool and the available defenses is necessary. This
research aimed at evaluating some defense methods against DDoS attacks
executed using LOIC, pointing out which one is the most effective.

After analyzing the interface, output and source code of LOIC, we can
conclude that the tool does not implement any of the most common DDoS
attacks, but its own rather weak and buggy attack, which has only a few
similarities with typical bandwidth-exhaustion attacks. In particular, we
observed in our experiments that the tool uses a single thread to send traffic
(regardless of the setup parameters from the interface), and that sometimes it
completely stops sending traffic to the victim.
is currently one of the most used network intrusion detection systems, has
already rule sets available to protect against DDoS attacks executed using
LOIC.
Securing Apache from DDoS
The limit on the number of simultaneous requests that will be served by
Apache is decided by the MaxClients directive, which is set to 256 by
default. Any connection attempts over this limit will normally be queued,
up to a number based on the ListenBacklog directive, which is 511 by
default. However, it is best to increase this, to help withstand TCP SYN flood
attacks.
Using traffic-shaping modules: Traffic shaping is a technique that
establishes control over web server traffic. Many Apache modules perform
traffic shaping, and their goal is usually to slow down a (client) IP address,
or to control bandwidth consumption at the per-virtual-host level.
On the positive side, these can also be used to mitigate DDoS attacks. The
following are some popular traffic-shaping modules:
- mod_limitipconn limits the number of simultaneous downloads permitted
from a single IP address.
- mod_throttle is intended to reduce the load on your server, and the data
transfer generated by popular virtual hosts, directories, locations, or users.
- mod_bwshare accepts or rejects HTTP requests from each client IP
address, based on past downloads by that client IP address.
Apart from the above, one module that is designed specifically as a remedy
for Apache DoS attacks is mod_dosevasive. This module
allows you to specify a maximum number of requests executed by the
same IP address. If the threshold is reached, the IP address is blacklisted for
the time period you specify. The only problem with this module is that
users, in general, do not have unique IP addresses. Many users browse
through proxies, or are hidden behind a NAT (network address translation)
system. Blacklisting a proxy will cause all users behind it to be blacklisted.
Hence, it is recommended to keep traffic-shaping modules higher in your
priority list.
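The following httpd.conf excerpt is an added example, not configuration from this report or from the Apache project, that puts the countermeasures above together: the MaxClients/ListenBacklog limits, per-IP connection shaping with mod_limitipconn, and request-rate blacklisting with mod_evasive (the module the report calls mod_dosevasive), including a whitelist for the proxy/NAT case the report warns about. The module file path, the IP addresses and every threshold are assumptions chosen for illustration; tune them to the capacity of the host.

```apache
# Hypothetical Apache 2.4 (prefork MPM) excerpt. Apache does not allow a
# comment on the same line as a directive, so every comment is on its own line.

# --- Connection limits (MPM and core) ---
<IfModule mpm_prefork_module>
    # MaxRequestWorkers is the Apache 2.4 name for MaxClients (the old name is
    # still accepted). Raising it above the default 256 also requires raising
    # ServerLimit, which caps it.
    ServerLimit          512
    MaxRequestWorkers    512
</IfModule>

# Queue for connections that arrive while all workers are busy. The default
# is 511; the kernel caps the effective value (net.core.somaxconn on Linux),
# so raise that sysctl as well if this number is to take effect.
ListenBacklog            2048

# --- Per-IP connection shaping: mod_limitipconn ---
# The module counts connections through mod_status, so ExtendedStatus must be on.
ExtendedStatus On
<IfModule mod_limitipconn.c>
    <Location />
        # At most 10 simultaneous connections from one client address (assumed value).
        MaxConnPerIP     10
        # Do not count small static objects, so a page full of images still loads.
        NoIPLimit        image/*
    </Location>
</IfModule>

# --- Request-rate blacklisting: mod_evasive (formerly mod_dosevasive) ---
# Module path is an assumption; distributions place it differently.
LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>
    DOSHashTableSize     3097
    # Block an address that requests the same page more than 5 times in 1 second ...
    DOSPageCount         5
    DOSPageInterval      1
    # ... or more than 100 objects from the whole site in 1 second.
    DOSSiteCount         100
    DOSSiteInterval      1
    # Seconds during which the blocked address receives 403 responses.
    DOSBlockingPeriod    60
    DOSLogDir            /var/log/mod_evasive
    # Addresses exempt from blocking. List known forward proxies and NAT
    # gateways (constructed sample addresses here) so that one abusive user
    # behind them does not get everyone sharing that address blacklisted.
    DOSWhitelist         192.0.2.10
    DOSWhitelist         198.51.100.*
</IfModule>
```

The order matters for the report's recommendation: the connection limit from mod_limitipconn applies to every address and only slows a client down, whereas mod_evasive blacklists outright, so the shaping limit should be the first line of defence and the mod_evasive thresholds set high enough that a busy proxy does not trip them. Check the effective backlog after a restart, because a ListenBacklog higher than the kernel's somaxconn is silently truncated.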









References
- Maximum Apache Security, by Anonymous
- Apache Security, by Ivan Ristic (O'Reilly)
- Apache Cookbook, by Rich Bowen and Ken Coar (O'Reilly)
- Web Hacking: Attacks and Defense, by Stuart McClure, Saumil Shah and Shreeraj Shah
- Web Security Testing Cookbook, 1st Edition, by Paco Hope and Ben Walther
- Wikipedia
- Apache.org



Divided Works
Mohammed Al Hadi
Abstract & Introduction / part of literature
review.

Hatim Khalafallah
Part of literature review / Methodology &
Conclusion.
