What is an IP stresser? Difference between a botnet

Posted by Micheal W.
May 31, 2022


An IP stresser is a tool designed to test a network or server for resilience under load. An administrator can run a stress test to determine whether the available resources (bandwidth, CPU, etc.) are sufficient to handle extra load.

Testing your own network or server is a legitimate use of a stresser. Running it against someone else's network or server, resulting in a denial of service, is illegal in most countries.


What are booter services?

Booters, also known as booter services, are on-demand DDoS (distributed denial of service) attack services used by enterprising criminals to bring down websites and networks.

Illegal use of IP stressers usually hides the identity of the attacking server behind proxy servers. The proxy server relays the attacker's connection, masking the attacker's IP address.

Stressers have traditionally used botnets to launch attacks. As they become more sophisticated, though, they can also boast more powerful servers that, as some stresser services put it, "help launch an attack."

 

What are the reasons for denial of service?

The motives behind denial-of-service attacks are numerous: script kiddies showing off their hacking skills, business rivalries, ideological conflicts, government-sponsored terrorism, or extortion. The preferred payment methods for extortion are PayPal and credit cards. Bitcoin is also used because it offers a degree of identity masking. From an attacker's point of view, one disadvantage of bitcoin is that fewer people use it compared to other forms of payment.

Script kiddie, or skiddie, is a derogatory term for relatively low-skilled Internet vandals who use scripts or programs written by others to launch attacks on networks or websites. They hunt for well-known and easy-to-exploit security vulnerabilities, often without thinking about the consequences.

 

What are attack amplification and reflection?

Reflection and amplification attacks use legitimate traffic from third-party servers to overwhelm the target network or server.

When an attacker forges the victim's IP address as the source of a message and sends that message to a third party, it is called IP spoofing. The third party cannot tell that the request did not come from the victim, so it replies directly to the victim. The attacker's IP address is hidden from both the victim and the third-party server. This process is called reflection.

This is similar to the attacker ordering pizza for delivery to the victim's house while pretending to be the victim. The victim then owes the pizzeria for a pizza they didn't order.

 

Traffic amplification occurs when an attacker makes a third-party server send the victim the largest possible response to a small request. The ratio of response size to request size is the amplification factor; the larger this factor, the greater the potential damage to the victim. The third-party server also suffers, because it has to handle the volume of fake requests. NTP amplification is one example of such an attack.

The most effective types of booter attacks combine amplification and reflection. First, the attacker spoofs the target's address and sends a message to a third party. When the third party replies, the reply goes to the spoofed address, that is, to the target. The response is much larger than the original message, which multiplies the size of the attack.

The role of a single bot in such an attack is akin to that of an angry teenager who calls a restaurant, orders the entire menu, and asks for a callback confirming each item, except that the callback number belongs to the victim. The victim then receives a call from the restaurant with a flood of information they never asked for.
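As an added example (not part of the original post), the following Python script shows how a defender might recognise the reflector-to-victim leg of a reflected amplification attack in exported flow records, and how the amplification factor described above is computed from reply and request sizes. The flow records, the IP addresses (taken from documentation ranges), the list of reflector service ports and the "typical request" sizes are all constructed or assumed for this example, not measured values.

```python
"""Spot reflected amplification traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (port -> name) and a rough size
# of the small request that elicits each reply. The request sizes are
# assumptions for this example, not measurements.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
TYPICAL_REQUEST_BYTES = {53: 60, 123: 90, 161: 80, 1900: 100}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record as a collector would export it."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int


def amplification_factor(response_bytes, request_bytes):
    """Amplification factor = response size / request size."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, min_factor=5.0):
    """Return {victim_ip: report} for destinations that receive UDP replies
    from several distinct reflectors on a known service port, where the
    average reply packet is much larger than the typical request."""
    by_victim = defaultdict(
        lambda: {"reflectors": set(), "services": set(), "nbytes": 0, "factors": []}
    )
    for f in flows:
        # Only the reflector -> victim leg is visible on the victim's network:
        # UDP traffic whose *source* port is a reflector service.
        if f.proto != "UDP" or f.sport not in REFLECTOR_PORTS:
            continue
        rep = by_victim[f.dst]
        rep["reflectors"].add(f.src)
        rep["services"].add(REFLECTOR_PORTS[f.sport])
        rep["nbytes"] += f.nbytes
        avg_reply = f.nbytes / f.packets
        rep["factors"].append(
            amplification_factor(avg_reply, TYPICAL_REQUEST_BYTES[f.sport])
        )

    result = {}
    for victim, rep in by_victim.items():
        est = max(rep["factors"])
        if len(rep["reflectors"]) >= min_reflectors and est >= min_factor:
            result[victim] = {
                "reflectors": len(rep["reflectors"]),
                "services": sorted(rep["services"]),
                "nbytes": rep["nbytes"],
                "estimated_amplification": round(est, 1),
            }
    return result


# Constructed sample: four reflectors (198.51.100.0/24) send large UDP replies
# to 203.0.113.10 from NTP and SSDP ports; 203.0.113.20 exchanges ordinary,
# small DNS traffic with a single resolver and must not be flagged.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", "UDP", 123, 40123, 100, 48000),
    Flow("198.51.100.2", "203.0.113.10", "UDP", 123, 40123, 80, 38400),
    Flow("198.51.100.3", "203.0.113.10", "UDP", 123, 40123, 120, 57600),
    Flow("198.51.100.4", "203.0.113.10", "UDP", 1900, 40123, 50, 15000),
    Flow("203.0.113.20", "198.51.100.53", "UDP", 51000, 53, 5, 300),
    Flow("198.51.100.53", "203.0.113.20", "UDP", 53, 51000, 5, 500),
]

if __name__ == "__main__":
    for victim, report in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, report)
```

The two thresholds encode the two halves of the page's description: many distinct reflectors (reflection) and replies several times larger than the request that triggered them (amplification). A single resolver answering a client's own queries satisfies neither and is left alone.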

 

Categories of Denial of Service Attacks

Application layer attacks target web applications and often use the most sophisticated methods. These attacks exploit weaknesses at Layer 7 of the protocol stack: the attacker first establishes legitimate-looking connections to the target and then exhausts the server's resources by monopolizing its processes and transactions. They are challenging to identify and mitigate because each individual request looks valid. A typical example is an HTTP flood.

Protocol-based attacks exploit weaknesses in layers 3 or 4 of the protocol stack. Such attacks consume all of the victim's computing power or other critical resources (such as a firewall), resulting in service disruption; SYN floods and Ping of Death are examples.

Volumetric attacks send large amounts of traffic to saturate the victim's bandwidth. They are easy to generate using simple amplification techniques, so they are the most common form of attack. UDP and TCP floods and NTP and DNS amplification are examples of such attacks.
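As an added example that is not from the original post, here is a small Python detector for the application-layer (HTTP flood) case described in the categories above: it parses web-server access-log lines in Common Log Format and flags any client that exceeds a request budget inside a sliding time window, which is the per-client view a defender needs when every single request looks valid. The log lines, client addresses and thresholds are constructed or assumed for the example.

```python
"""Per-client request-rate detection for HTTP floods (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_http_flood(lines, max_requests=20, window_seconds=10):
    """Flag clients whose request count within a sliding window of
    window_seconds exceeds max_requests. Returns {ip: timestamp at which
    the budget was first exceeded}. Lines must be in time order per client."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def _log_line(ip, ts, path):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one browsing client (five requests over 30 s) and
# one flooding client (25 requests in under five seconds).
BASE = datetime(2022, 5, 31, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _log_line("203.0.113.5", BASE + timedelta(seconds=6 * i), "/index.html")
    for i in range(5)
]
SAMPLE_LOG += [
    _log_line("198.51.100.7", BASE + timedelta(milliseconds=200 * i), "/search?q=x")
    for i in range(25)
]

if __name__ == "__main__":
    for ip, when in detect_http_flood(SAMPLE_LOG).items():
        print(f"{ip} exceeded the request budget at {when.isoformat()}")
```

The budget (20 requests per 10 seconds here) is deliberately an assumption; a real deployment tunes it per site and typically keys on more than the source address, since a flood behind a NAT or a CDN shares one address with legitimate users.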

 

Common DoS and DDoS attacks

The goal of DoS or DDoS attacks is to consume enough server or network resources that the system stops responding to legitimate requests:

SYN flood: A stream of TCP SYN requests is sent to the target system, leaving half-open connections that exhaust its connection table.

ICMP attacks: ICMP attacks exploit the fact that every request must be processed by the server before a response is sent. Smurf attacks, ICMP floods, and ping floods take advantage of this by flooding the server with ICMP requests without waiting for the answers.

DNS flood: The attacker floods the DNS servers for a specific domain, attempting to disrupt DNS resolution for that domain.

Teardrop attack: An attack that sends the target device fragmented packets that cannot be reassembled properly, which can crash the device.

DNS amplification: This reflection attack turns small legitimate queries to DNS (Domain Name System) servers into much larger responses directed at the victim, consuming its resources.

NTP amplification: A reflection-based volumetric DDoS attack in which the attacker uses the functionality of Network Time Protocol (NTP) servers to overwhelm a target network or server with an increased volume of UDP traffic.

SNMP reflection: The attacker spoofs the victim's IP address and sends many SNMP requests to devices; the volume of responses can overwhelm the victim.

SSDP: An SSDP attack is a reflection-based DDoS attack that uses UPnP network protocols to send amplified traffic to the targeted victim.

Smurf attack: Named after the original attack program, smurf, this attack sends many ICMP packets carrying the victim's spoofed source address to a network's broadcast address, so the hosts on that network all reply to the victim.

Fraggle attack: An attack similar to Smurf except that it uses UDP rather than ICMP.
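As an added example (not from the original post), the Python script below tracks TCP three-way handshakes in tcpdump-style packet lines and reports listeners that accumulate many half-open connections from many distinct sources, which is the symptom of the SYN flood listed above. The capture lines, addresses and the half-open threshold are constructed or assumed for this example.

```python
"""Track TCP handshakes and report SYN-flood symptoms (added example)."""
import re
from collections import defaultdict

# tcpdump-style line: "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..."
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packet(line):
    """Parse one tcpdump-style line; return None for lines that do not match."""
    m = PKT_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
    }


def track_handshakes(lines):
    """Return (half_open, completed). A connection is half-open after the
    client's SYN and stays so until the client's ACK completes the three-way
    handshake; the server's SYN-ACK does not change that."""
    half_open = {}    # (client, cport, server, sport) -> timestamp of the SYN
    completed = set()
    for line in lines:
        p = parse_packet(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":                                # client SYN
            half_open[key] = p["ts"]
        elif p["flags"] == "." and key in half_open:         # client ACK
            del half_open[key]
            completed.add(key)
        # "S." (server SYN-ACK) and anything else leave the state unchanged.
    return half_open, completed


def syn_flood_report(lines, max_half_open=10):
    """Listeners (server:port) whose half-open backlog reaches max_half_open,
    with how many distinct client addresses contributed and how many
    handshakes actually completed."""
    half_open, completed = track_handshakes(lines)
    per_listener = defaultdict(
        lambda: {"half_open": 0, "completed": 0, "sources": set()}
    )
    for (client, _, server, port) in half_open:
        entry = per_listener[f"{server}:{port}"]
        entry["half_open"] += 1
        entry["sources"].add(client)
    for (_, _, server, port) in completed:
        per_listener[f"{server}:{port}"]["completed"] += 1
    return {
        listener: {
            "half_open": e["half_open"],
            "completed": e["completed"],
            "distinct_sources": len(e["sources"]),
        }
        for listener, e in per_listener.items()
        if e["half_open"] >= max_half_open
    }


def _pkt(ts, src, sport, dst, dport, flags):
    """Build one constructed tcpdump-style line."""
    return f"{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], length 0"


# Constructed capture: one full handshake from a genuine client, then 30 SYNs
# from 30 different sources that receive SYN-ACKs but never send the ACK.
SAMPLE_CAPTURE = [
    _pkt("12:00:00.000100", "203.0.113.5", 50000, "203.0.113.10", 80, "S"),
    _pkt("12:00:00.000200", "203.0.113.10", 80, "203.0.113.5", 50000, "S."),
    _pkt("12:00:00.000300", "203.0.113.5", 50000, "203.0.113.10", 80, "."),
]
for _i in range(1, 31):
    SAMPLE_CAPTURE.append(
        _pkt(f"12:00:01.{_i:06d}", f"198.51.100.{_i}", 40000 + _i, "203.0.113.10", 80, "S")
    )
    SAMPLE_CAPTURE.append(
        _pkt(f"12:00:01.{_i + 500:06d}", "203.0.113.10", 80, f"198.51.100.{_i}", 40000 + _i, "S.")
    )

if __name__ == "__main__":
    for listener, report in syn_flood_report(SAMPLE_CAPTURE).items():
        print(listener, report)
```

The ratio of half-open to completed handshakes is the useful signal: a busy but healthy listener completes most of what it receives, whereas a flooded one is left holding entries that never progress, which is exactly the resource the attack targets and the reason SYN cookies or a short SYN-received timeout are the usual mitigations.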

 

What to do in case of a DDoS ransom demand:

  • Inform the data center and ISP immediately;
  • Never pay the ransom; paying leads to increased ransom demands;
  • Notify law enforcement agencies;
  • Monitor and control network traffic;
  • Contact DDoS protection companies.

Botnet attack mitigation options:

  • Install firewalls on the server;
  • Keep security patches up to date;
  • Run antivirus software on a schedule;
  • Monitor system logs regularly;
  • Do not allow unknown email servers to relay SMTP traffic through your server.

Why booter services are hard to trace

The person purchasing these criminal services uses the website's front end for payment and for instructions related to the attack. There is often no identifiable connection to the backend that launches the actual attack, so criminal intent can be hard to prove. Following the payments is one way to track the criminal actors.

 
