From eb105d9a4208961ada7630d1b6e7752b7e409c36 Mon Sep 17 00:00:00 2001 From: devraza Date: Wed, 5 Jun 2024 00:01:13 +0100 Subject: [PATCH 1/4] Add missing 'if' --- cheatsheets/Denial_of_Service_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Denial_of_Service_Cheat_Sheet.md b/cheatsheets/Denial_of_Service_Cheat_Sheet.md index 6f81bcdcba..0abcf4da72 100644 --- a/cheatsheets/Denial_of_Service_Cheat_Sheet.md +++ b/cheatsheets/Denial_of_Service_Cheat_Sheet.md @@ -42,7 +42,7 @@ The **physical layer** consists of the networking hardware transmission technolo The **data layer** is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment. Typical DoS scenarios are MAC flooding (targeting switch MAC tables) and ARP poisoning. -In **MAC flooding attacks**, a switch is flooded with packets that all have different source MAC addresses. The goal of this attack is to consume the limited memory used by a switch to store the MAC and physical port translation table (MAC table), which causes valid MAC addresses to be purged and forces the switch to enter a fail-over mode where it becomes a network hub. If this occurs, all data forwarded to all ports, resulting in a data leakage. +In **MAC flooding attacks**, a switch is flooded with packets that all have different source MAC addresses. The goal of this attack is to consume the limited memory used by a switch to store the MAC and physical port translation table (MAC table), which causes valid MAC addresses to be purged and forces the switch to enter a fail-over mode where it becomes a network hub. If this occurs, all data is forwarded to all ports, resulting in a data leakage. [Future additions to sheet: The impact in relation to DoS and document compact remediation] From 94568158976854d4321f0418e6776b085656263e Mon Sep 17 00:00:00 2001 
From: devraza Date: Wed, 5 Jun 2024 00:12:01 +0100 Subject: [PATCH 2/4] Fix some grammar --- cheatsheets/Denial_of_Service_Cheat_Sheet.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cheatsheets/Denial_of_Service_Cheat_Sheet.md b/cheatsheets/Denial_of_Service_Cheat_Sheet.md index 0abcf4da72..a9da2784dd 100644 --- a/cheatsheets/Denial_of_Service_Cheat_Sheet.md +++ b/cheatsheets/Denial_of_Service_Cheat_Sheet.md 
@@ -14,13 +14,13 @@ Because anti-DoS methods cannot be one-step solutions, your developers and appli ![DDOSFlow](../assets/Denial_of_Service_Cheat_Sheet_FlowDDOS.png) -This DoS system inventory should look for potential places where DoS attacks can cause problems and highlight single point of system failures, which can range from programming related errors to resource exhaustion. It should give you a clear picture of what issues at stake (e.g. bottlenecks, etc.). **To resolve problems, a solid understanding of your environment is essential to develop suitable defence mechanisms**. These could be aligned with: +This DoS system inventory should look for potential places where DoS attacks can cause problems and highlight any single points of system failures, which can range from programming related errors to resource exhaustion. It should give you a clear picture of what issues are at stake (e.g. bottlenecks, etc.). **To resolve problems, a solid understanding of your environment is essential to develop suitable defence mechanisms**. These could be aligned with: 1. Scaling options (**up** = inner hardware components, **out** = the number of complete components). 2. Existing conceptual / logical techniques (such as applying redundancy measurements, bulk-heading, etc. - which expands your in-house capabilities). 3. A cost analysis applied to your situation. -This document adopts a specific guidance structure from CERT-EU to analyze this subject, which you may need to change depending on your situation. It is not a complete approach but it will help you create fundamental blocks which should be utilized to assist you in constructing anti-DoS concepts fitting to your needs. +This document adopts a specific guidance structure from CERT-EU to analyze this subject, which you may need to change depending on your situation. 
It is not a complete approach but it will help you create fundamental blocks which should be utilized to assist you in constructing anti-DoS concepts fitting your needs. ### Analyzing DoS attack surfaces @@ -28,7 +28,7 @@ In this cheat sheet, we will use the DDOS classification as documented by CERT-E #### 1) Overview of potential DoS weaknesses -It is important to understand that each of these three attack categories needs to be considered when designing a DoS resilient solution: +It is important to understand that each of these three attack categories need to be considered when designing a DoS-resilient solution: **Application attacks** focus on rendering applications unavailable by exhausting resources or by making it unusable in a functional way. 
@@ -36,9 +36,9 @@ It is important to understand that each of these three attack categories needs t **Network (or volumetric) attacks** focus on saturating the bandwidth of the network resource. -Note that OSI model layer 1 and 2 are not included in this categorization, so we will now discuss these layers and how DoS applies to them. +Note that OSI model layers 1 and 2 are not included in this categorization, so we will now discuss these layers and how DoS applies to them. -The **physical layer** consists of the networking hardware transmission technologies of a network. It is a fundamental layer underlying the logical data structures of the higher-level functions in a network. Typical DoS scenarios that involve the physical layer involve system destruction, obstruction, and malfunction. For example, a Georgian elderly woman sliced through an underground cable, resulting in loss of internet for the whole of Armenia. +The **physical layer** consists of the networking hardware transmission technologies of a network. It is a fundamental layer underlying the logical data structures of the higher-level functions in a network. Typical DoS scenarios that involve the physical layer involve system destruction, obstruction, and malfunction. For example, a Georgian elderly woman sliced through an underground cable, resulting in the loss of internet for the whole of Armenia. The **data layer** is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment. Typical DoS scenarios are MAC flooding (targeting switch MAC tables) and ARP poisoning. 
@@ -46,13 +46,13 @@ In **MAC flooding attacks**, a switch is flooded with packets that all have diff [Future additions to sheet: The impact in relation to DoS and document compact remediation] -In **ARP poisoning attacks**, a malicious actor sends spoofed ARP (Address Resolution Protocol) messages over the wire. If the attacker's MAC address becomes linked to the IP address of a legitimate device on the network, the attacker can intercept, modify or stop data that was intended for the victim IP address. The ARP protocol is specific to the local area network and could cause a DoS on the wire communication. +In **ARP poisoning attacks**, a malicious actor sends spoofs ARP (Address Resolution Protocol) messages over the wire. If the attacker's MAC address becomes linked to the IP address of a legitimate device on the network, the attacker can intercept, modify or stop data that was intended for the victim IP address. The ARP protocol is specific to the local area network and could cause a DoS on the wire communication. Packet filtering technology can be used to inspect packets in transit to identify and block offending ARP packets. Another approach is to use static ARP tables but they prove difficult to be maintained. ## Application attacks -**Application layer attacks usually make applications unavailable by exhausting system resources or by making it unusable in a functional way.** These attacks do not have to consume the network bandwidth to be effective. Rather they place an operational strain on the application server in such a way that the server becomes unavailable, unusable or non-functional. All attacks exploiting weaknesses on OSI layer 7 protocol stack are generally categorised as application attacks. They are most challenging to identify/mitigate. 
+**Application layer attacks usually make applications unavailable by exhausting system resources or by making it unusable in a functional way.** These attacks do not have to consume the network bandwidth to be effective. Rather they place an operational strain on the application server in such a way that the server becomes unavailable, unusable or non-functional. All attacks exploiting weaknesses on OSI layer 7 protocol stack are generally categorised as application attacks. They are the most challenging to identify/mitigate. [Future additions to sheet: List all attacks per category. Because we cannot map remediations one on one with an attack vector, we will first need to list them before discussing the action points.] @@ -72,7 +72,7 @@ Packet filtering technology can be used to inspect packets in transit to identif ### Session - **Limit server side session time based on inactivity and a final timeout**: (resource exhaustion) While sessions timeout is most of the time discussed in relation to session security and preventing session hijacking, it is also an important measure to prevent resource exhaustion. -- **Limit session bound information storage**: The less data is linked to a session, the less burden a user session has on webserver's performance. +- **Limit session bound information storage**: The less data is linked to a session, the less burden a user session has on the webserver's performance. ### Input validation From e200249e5f30c2f8da6d92144b0312c4801655c8 Mon Sep 17 00:00:00 2001 From: devraza Date: Wed, 5 Jun 2024 00:15:40 +0100 Subject: [PATCH 3/4] Revert a grammatical 'fix' I accidentally made --- cheatsheets/Denial_of_Service_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Denial_of_Service_Cheat_Sheet.md b/cheatsheets/Denial_of_Service_Cheat_Sheet.md index a9da2784dd..ff923086eb 100644 --- a/cheatsheets/Denial_of_Service_Cheat_Sheet.md +++ b/cheatsheets/Denial_of_Service_Cheat_Sheet.md 
@@ -46,7 +46,7 @@ In **MAC flooding attacks**, a switch is flooded with packets that all have diff [Future additions to sheet: The impact in relation to DoS and document compact remediation] -In **ARP poisoning attacks**, a malicious actor sends spoofs ARP (Address Resolution Protocol) messages over the wire. If the attacker's MAC address becomes linked to the IP address of a legitimate device on the network, the attacker can intercept, modify or stop data that was intended for the victim IP address. The ARP protocol is specific to the local area network and could cause a DoS on the wire communication. +In **ARP poisoning attacks**, a malicious actor sends spoofed ARP (Address Resolution Protocol) messages over the wire. If the attacker's MAC address becomes linked to the IP address of a legitimate device on the network, the attacker can intercept, modify or stop data that was intended for the victim IP address. The ARP protocol is specific to the local area network and could cause a DoS on the wire communication. Packet filtering technology can be used to inspect packets in transit to identify and block offending ARP packets. Another approach is to use static ARP tables but they prove difficult to be maintained. From b33ed4ecb70a88f3eb0b28dbfb4d3ef78f112b1b Mon Sep 17 00:00:00 2001 From: devraza Date: Wed, 5 Jun 2024 07:14:48 +0100 Subject: [PATCH 4/4] Run changes through grammarly --- cheatsheets/Denial_of_Service_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Denial_of_Service_Cheat_Sheet.md b/cheatsheets/Denial_of_Service_Cheat_Sheet.md index ff923086eb..109192a625 100644 --- a/cheatsheets/Denial_of_Service_Cheat_Sheet.md +++ b/cheatsheets/Denial_of_Service_Cheat_Sheet.md 
@@ -28,7 +28,7 @@ In this cheat sheet, we will use the DDOS classification as documented by CERT-E #### 1) Overview of potential DoS weaknesses -It is important to understand that each of these three attack categories need to be considered when designing a DoS-resilient solution: +It is important to understand that each of these three attack categories needs to be considered when designing a DoS-resilient solution: **Application attacks** focus on rendering applications unavailable by exhausting resources or by making it unusable in a functional way.
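Review bot: in patch 1/4 (hunk @@ -42), adding "is" to "all data is forwarded to all ports" is the right fix, but the same sentence still ends "resulting in a data leakage"; "data leakage" is uncountable, so drop the article: `If this occurs, all data is forwarded to all ports, resulting in data leakage.`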
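Review bot: in patch 2/4 (hunk @@ -14), "highlight any single points of system failures" in the first changed line is still awkward; the established phrase is "single points of failure", and "programming related" is a compound modifier that wants a hyphen, so `highlight any single points of failure, which can range from programming-related errors to resource exhaustion`. Since this PR is a grammar pass, the unchanged list item 2 in the same hunk also deserves a touch: "redundancy measurements" should read "redundancy measures".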
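Review bot: in patch 2/4 (hunk @@ -28), changing "needs" to "need" introduces a subject-verb agreement error: the subject is "each", which is singular, so the original "needs" was correct (the hyphen in "DoS-resilient" is a good change and should stay). Patch 4/4 restores "needs", so the end state is fine. In the unchanged context line, "rendering applications unavailable ... by making it unusable" has a plural antecedent, so "them" would agree: `by exhausting resources or by making them unusable in a functional way`.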
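Review bot: in patch 2/4 (hunk @@ -36), "layers 1 and 2" and "the loss of internet" are both correct fixes; the physical-layer sentence still repeats "involve" in both the old and new lines ("Typical DoS scenarios that involve the physical layer involve system destruction"). Suggest `Typical physical-layer DoS scenarios include system destruction, obstruction, and malfunction.`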
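Review bot: in patch 2/4 (hunk @@ -46), "sends spoofs ARP (Address Resolution Protocol) messages" in the first changed line is a typo that breaks the sentence; the original "spoofed" was correct, and patch 3/4 restores it. In the Application attacks paragraph, the added "the" in "the most challenging" is right, but the same line still has "on OSI layer 7 protocol stack", which needs an article (`on the OSI layer 7 protocol stack`), and "make applications unavailable ... by making it unusable" should again use "them". Also note the spelling mix within this series: "categorised" here versus "analyze" in the hunk at @@ -14; pick one variant for the sheet.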
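Review bot: in patch 2/4 (hunk @@ -72), "on the webserver's performance" is a correct fix. The unchanged first bullet in the same hunk has the larger grammar problems: "While sessions timeout is most of the time discussed" should read `While session timeout is usually discussed`, and the modifiers "server side" and "session bound" should be hyphenated as "server-side" and "session-bound".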
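Review bot: patch 3/4 (hunk @@ -46) and patch 4/4 (hunk @@ -28) are pure reverts of the "spoofs" and "need" regressions introduced in patch 2/4, so the series as posted has an intermediate commit that makes the sheet worse. Please squash 2/4, 3/4 and 4/4 into a single "Fix some grammar" commit before merge so no point in history carries those errors.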