MITRE ATT&CK: Endpoint denial of service
Denial-of-Service (DoS) attacks have been around since the 1970s, and they can be downright paralyzing to an organization. Not only does it shut down the ability to use a targeted resource, but it can also cost an organization significantly in terms of man hours spent recovering from the attack. Endpoints are often an attractive target for attackers and this trend is on the rise.
This article will explore the endpoint denial-of-service attack that is posted in the impact portion of the MITRE ATT&CK matrix and will explore what the endpoint denial-of-service attack is, the methods that comprise this attack and the major types of endpoint denial-of-service attacks.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.
What is an endpoint denial-of-service attack?
Endpoint DoS is an attack type focused on blocking service availability to users without saturating the network that provides access to said service. This attack is performed by either exhausting host system resources to block the service or by instigating a crash on the host system. Endpoint services targeted typically include websites, DNS, email services and web-based applications.
It should be noted that a DoS attack is from a single system. An attack from multiple systems is a distributed DoS (DDoS) attack.
Attacker groups have different motivations for endpoint DoS attacks. Some include the goal of furthering other malicious activities, extortion, hacktivism and political purposes.
Endpoint DoS methods
Attack groups use different methods in the course of an endpoint DoS attack.
- IP spoofing: Used to deny defenders the ability to trace the source IP address and use IP filtering
- Botnets: Commonly used. The bigger a botnet gets, the harder it becomes to distinguish DoS traffic from legitimate traffic
- Traffic manipulation: There may be points on the internet that alter packets to cause legitimate clients to direct a high volume of network packets to a target
Different types of endpoint DoS attacks
OS exhaustion flood
Operating systems are a prime target for DoS attacks. The goal here is to exhaust an OS’s self-imposed resource exhaustion limit that is intended to prevent the target system being overwhelmed by resource exhaustion.
There are different types of OS exhaustion flood such as TCP state exhaustion, which has two different flavors.
- SYN flood: This is characterized by an excessive number of SYN packets sent during the three-way TCP handshake. It takes advantage of the fact that the server will wait for the final step in the handshake which does not happen. As a result, this exhausts an endpoint OS’s maximum concurrent TCP connections, which can prevent access to TCP service
- ACK flood: This leverages the TCP protocol’s stateful nature by flooding a target with ACK packets which requires the target to search the OS’s state table for possible pre-existing TCP connections. Since these connections do not exist, it can greatly diminish available resources for the targeted service
Service exhaustion flood
Network services provided by systems are not spared from endpoint DoS attacks. Attackers target DNS and web services as almost a matter of course in an attack. The following are typical examples of service exhaustion flood.
- Simple HTTP flood: Aimed at web servers or applications running on top of them, a large volume of HTTP requests is intended to overwhelm the target service’s resources to prevent access to the service
- SSL renegotiation attacks: Leveraging a feature of the SSL/TLS protocol suite — if SSL renegotiation is enabled, requests can be made for crypto algorithm renegotiation. If this is done in large volumes, this can impact the availability of a targeted service
Application exhaustion flood
Web applications positioned on top of web servers are attractive targets during endpoint denial-of-service attacks. These web applications often have features that are highly resource-intensive as it is without a DoS — the simple act of repeated requests (and possibly not even in that high of a volume) may exhaust these limited resources, thereby denying access to both the application and possibly even the server. You can probably imagine how debilitating an attack like this could be for a production server.
Application or system exploitation
Exploiting software and application vulnerabilities can cause systems to crash, thereby denying access to the system (which can take down multiple services all at once). While systems may have an automatic restart of critical services and applications upon crash, a persistent DoS attack can result in re-exploitation.
Endpoint DoS attacks are used to deny access to services to users for a variety of purposes. There are different attack strategies that reflect the diverse nature of how services are presented in today’s computing world, and when you couple with is advances in technology (such as simply having a larger bandwidth), these attacks are becoming both larger and more commonplace.
These attacks are unlikely to change anytime soon without a move away from using services as we know them, which is even more unlikely.
- Endpoint Denial of Service, MITRE
- Security Response: The Continued Rise of DDoS Attacks, Symantec
- Everything You Never Knew (but Need to) About Endpoint Security, Security Boulevard
- SYN Flood Attack, Cloudflare