Using Denial of Service for Hacking
Happy Monday! I spent the better part of this weekend thinking about denial of service, but rather than releasing a tool, I thought it would be worthwhile to talk about how denial of service attacks could be used in tandem with other attacks to exploit other logical or business issues. Let’s take a few examples:
Timing: Let’s say you have a site that accepts bids up to a certain time of day - say an auction site or a site that allows you to bid on work or whatever. Most of the time people submit their bids as close to the deadline as they can so that their competitors don’t have time to revise their bids. Sure, you can write a robot to come in at the last fraction of a microsecond and underbid, but what if you want to keep your bid highest or lowest (depending on the type of site)? Well by submitting your bid earliest and then denying service to the application for the remainder of the time your competitors don’t have a chance to submit their bids.
Web services: Sometimes, it’s not a matter of denying service to the site itself, which may have all sorts of robust protections in place, but sometimes the web service is actually more interesting. This could include things like authentication or even email. Let’s say I know someone is traveling and they use their phone to get their email. If I know they are in charge of responding to events, I can deny service to the webmail server and poof - suddenly they are no longer getting updates that something else is going on that they need to take care of.
Diversionary: And that leads us to the last item on the list which is using denial of service as a diversionary tactic. Sure, we can just do the bad thing that we intend to, but wouldn’t it be so much better to throw a red herring in there to cause them to look in the wrong place while the attacker stealthily gets whatever he wants elsewhere?
Anyway, it’s an interesting concept to talk about. I think most people think of DoS as a simple script kiddy menace without considering it’s other useful purposes. And now, with a case of the Mondays, it’s time to buckle down for a lonnng week.
May 4th, 2009 at 8:01 am
You can also use it as a redirection and recon technique. Just like when criminals cause incidents to scope reaction procedures. You cause the DoS, see that they have an alternative site that they use during outages that is “less” secure. And now you circumvent their super secure web app, for the one that is much less looked at. Many, many uses for DoS.
May 4th, 2009 at 8:26 am
DoS as a serious issue is something I’ve been talking about for a while, unfortunately no one seems to want to listen or care. I ran my survey (results posted on my blog) and sent out a talk on the subject in response to a few CFPs but few people seem interested. To many in IT/IS DoS is a remnant of a joke from 10-15 years ago. I think that people are in for a real awakening one of these days… as some of the biggest news stories of last year were really just denial of service.
May 4th, 2009 at 8:42 am
Another tactic is to take down a central authentication system to force a system to fall back to a less-secure local authentication mode. This is especially applicable for routers and switches which may have credentials right in their config file that won’t be valid unless the central RADIUS server is down, for example.
May 4th, 2009 at 8:48 am
You can even use Google to DoS someone from accessing a website!
http://sirdarckcat.blogspot.com/2009/04/how-to-use-google-analytics-to-dos.html
This also applies to XSS vulns, and shared subdomains like
-> appspot.com
-> wordpress.com
-> googlepages.com
-> blogspot.com
-> no-ip.org
etc…
Greetz!!
May 4th, 2009 at 8:57 am
DoS can also be used to disable a log server which is responsible of serving several other servers in its subnet while an attacker is compromising one of them. This is a kind of diversionary as well.
May 4th, 2009 at 6:17 pm
I used a sort of DoS attack to prevent my friend from accessing a bank site. He got frustrated, because he had to pay his bills, but he was unable to do so. What happened? Well, he went to the library nearby where I had my keylogger setuped.
A simple demonstration how one could possibly make use of DoS attacks.
May 5th, 2009 at 5:21 am
Someone briefly mentioned this during a defcon talk last year. I think the context was getting close enough to IT & figuring out what their processes were for dealing with alerts. If you find out that they have a small staff & investigate every virus alert on their desktops, then you could use that knowledge to throw tons of viruses at their desktops to keep them busy while you attempt to get past an IDS to a server.
Of course you have to play that smart. If you cause a thousand alerts simultaneously, they’re going to step back & try to figure out what caused that rather than investigate each one.
May 5th, 2009 at 12:38 pm
Another clever take on auction site DoS… Wait until the aution is about to end. Then look at the list of current bidders. Attempt to log into their accounts multiple times causing their accounts to be locked out. Then place your bid. They won’t have time to reset their account and counter your bid. Of course this won’t work for people that haven’t placed any bids yet, but it will likely increase your chances.
May 5th, 2009 at 2:22 pm
DoS can also be used to deny access to a login by taking advantage of things like….YouTube’s 15 minute bad password timeouts (hmm, why not put curl on a cronjob and have it enter a bad password every 14 minutes and 50 seconds?)…..or IP spoofing your mark’s IP on a fail2ban setup and purposely entering in the wrong password many times to get their IP banned.
One thing people fail to realize is that DoS is not just packeting people or having 10,000 bots access one file at once. It can also be taking mechanisms that keep peoples login credentials safe and using it against them.
May 6th, 2009 at 9:34 am
@Micheal oftentimes that lock-out system is IP based rather than account based.
May 14th, 2009 at 10:43 pm
Y0 it’s quite a serious vulnerability!
May 17th, 2009 at 2:12 am
DoS Attacks are for truly beginner hackers. What is the effort in downloading someone else’s tool and flooding someones business. People have families just like me or you and when you disable their ability to put food on the table. Then their 2 year old kids starve because you thought it was fun and your talented. Well talent comes with developing your own unique SW to blow someone offline and if they’re malicious users feel free to blow them off the radar. Thanks Chaser.
May 19th, 2009 at 9:45 am
DoS vulnerabilities is very interesting topic. You can read my Classification of DoS vulnerabilities in browsers and Classification of DoS vulnerabilities in web applications.
And recently I created new vector of using DoS attack for hacking the sites (on WordPress engine).
Recently one interesting vulnerability in WordPress was found (by owner of the site on WP). This vulnerability concerned with installation files, if they are at the server.
As I wrote in my article Attack on Abuse of Functionality in WordPress, I have created some variants of the attack on this vulnerability in WP.
It’s possible to attack site even if there is database of engine and there is connection to MySQL, but at that there is crash in one of WP’s tables (which is checking by installer). Particularly, the attack is possible when table wp_options (in WordPress 2.6.2) is damaged, or wp_users (in WordPress 2.0.3 and 2.0.11). I.e. in different versions of WP different tables is checked by installer - it can be table wp_options or wp_users (hardly possible that some other table will be checked by installer in other versions of WP).
Variants of the attack at the site on WordPress (which has installer at the site):
1. In case, if such crash in MySQL was happened on the site and such dialog of installer is showed, then it’s possible to attack the site. Taking into account that it’s very unlikely, and it’s also needed to detect the time of the crash, so better to use other variant of the attack.
2. Make DoS attack on MySQL for the attack on WordPress. Due to DoS attack there will be crash with connection to MySQL and installer potentially can show installation dialog. Though in most cases the connection to DBMS will be lost completely and installer will show corresponding message.
3. Due to automated attack on MySQL (via Insufficient Anti-automation vulnerability in WP) it’s possible to lead to crash in one of checked tables (which also is DoS attack). And in this case installer will work.
Particularly for WordPress 2.0.x and other versions of engine, where installer checked wp_users, this can be done via automated users registration. If to resister user actively at the site, then there can be crash in table wp_users and so engine will can’t read it and show dialog of installer.
May 19th, 2009 at 9:30 pm
Charlie: Wow, someone can’t read.
From my perspective DoS may not be the objective, but the tool used to create alertness, panic, or focus on a particular asset (bare in mind DoS isn’t just mindless kiddys packeting servers, and extends to physical destruction etc.). DoS may trigger things like heightened communications between stakeholders regarding valuable/targeted assets or even relocation. Actions taken due to new perceived threats could generate new security issues that may not be thoroughly addressed due to their urgency.
*random brain dump* .. back to writing assignments.
-Phil