278 Chapter 11 ■ Denial of Service


condition. Additionally, you saw that a NOP sled can be used to pad the injected payload,
so that an imprecise return address still lands on executable code and the attacker's code
runs in the compromised process. You learned about compromised handlers and their role
in infecting and controlling zombie clients in a DDoS attack. We also explored a number
of attack methods and tools for performing attacks. Lastly, we reviewed some preventive
measures, such as router throttling, that you can use to defend against DoS attacks.

Exam Essentials


Remember the basic concept of DoS and DDoS. Be familiar with the basic orchestration
of a DoS attack as well as a DDoS attack. Browse the Web for DDoS images to become
comfortable with recognizing the layout of an attack.

Understand the targets. Know what resources can, and usually do, get targeted. This
applies also to the focus of the DoS attack, which can be traffic or network saturation, or a
single target.

Know the stack. Review Figure 11.1 and Figure 11.2 and make sure you understand the
parts that act on the stack. Remember that the EIP is the instruction pointer, the register that
holds the address of the next instruction to execute. It does not live in the stack itself; what
lives there is the saved return address, which is loaded into the EIP when a function returns.
An overflow that overwrites that saved return address is what redirects the EIP.

Understand buffer overflow. Know that a buffer overflow occurs when data, through
either malicious or unintentional means, is written past the end of the buffer allocated for
it and overwrites adjacent memory. Be familiar with the difference between a buffer overflow
in general (which can happen on the heap as well) and smashing the stack, the specific case
where a stack-based overflow overwrites the saved return address or other control data.

Know the dangerous C functions. Memorize and be on the lookout for those C functions
that do not perform bounds checking: gets(), scanf() with a bare %s, strcpy(), strcat(),
and sprintf(). Ensure that you are comfortable recognizing these calls in source code and
in disassembly of compiled code where the symbol names survive.
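The following is an added example, not code from the study guide, that models the stack frame in Figure 11.1 and 11.2 as a byte array so the overwrite can be observed without undefined behaviour. The layout (a 16-byte name buffer, 8 bytes of padding, then a 4-byte saved return address) and the function names are assumptions for illustration; a real compiler lays frames out differently, but the ordering of locals below the saved EIP is the point. The unsafe copy uses strcpy(), one of the functions listed above; the hardened copy uses memchr() to refuse input that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame model (not a real compiler layout):
 *   bytes[0..15]   name buffer (the local variable)
 *   bytes[16..23]  padding / other locals
 *   bytes[24..27]  saved return address (what the CPU loads into EIP)
 *   bytes[28..31]  a few bytes of the caller's frame so the terminating NUL
 *                  of an overflowing strcpy() has somewhere to land. */
#define NAME_LEN 16
#define PAD_LEN 8
#define EIP_OFF (NAME_LEN + PAD_LEN)
#define FRAME_LEN (EIP_OFF + 4 + 4)

struct frame {
    unsigned char bytes[FRAME_LEN];
};

/* Read the saved return address as little-endian, as on x86. */
static uint32_t saved_eip(const struct frame *f) {
    const unsigned char *p = f->bytes + EIP_OFF;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Zero the frame and store a return address, as a call instruction would. */
static void frame_init(struct frame *f, uint32_t ret) {
    memset(f->bytes, 0, FRAME_LEN);
    unsigned char *p = f->bytes + EIP_OFF;
    p[0] = (unsigned char)(ret & 0xff);
    p[1] = (unsigned char)((ret >> 8) & 0xff);
    p[2] = (unsigned char)((ret >> 16) & 0xff);
    p[3] = (unsigned char)((ret >> 24) & 0xff);
}

/* Vulnerable: strcpy() stops at the input's NUL, never at the buffer's end.
 * Bytes 16..23 of the input land in the padding, bytes 24..27 replace the
 * saved return address. Returns the (possibly overwritten) saved EIP. */
static uint32_t copy_name_unsafe(struct frame *f, const char *input) {
    strcpy((char *)f->bytes, input);   /* the bug: no bounds check */
    return saved_eip(f);
}

/* Hardened: refuse anything that does not fit, NUL terminator included.
 * Returns 0 on success and -1 if the input would have overflowed. */
static int copy_name_safe(struct frame *f, const char *input) {
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)               /* no terminator within NAME_LEN bytes */
        return -1;
    memcpy(f->bytes, input, (size_t)(nul - input) + 1);
    return 0;
}

int main(void) {
    struct frame f;
    /* Constructed input: 16 'A's fill the buffer, 8 'B's cross the padding,
     * the last four bytes become the new return address 0x40302010. */
    const char *overflow = "AAAAAAAAAAAAAAAABBBBBBBB\x10\x20\x30\x40";

    frame_init(&f, 0x08048abcu);
    printf("saved EIP before: 0x%08x\n", saved_eip(&f));
    printf("safe copy of long input: %d\n", copy_name_safe(&f, overflow));
    printf("saved EIP after safe copy: 0x%08x\n", saved_eip(&f));
    printf("saved EIP after strcpy: 0x%08x\n", copy_name_unsafe(&f, overflow));
    return 0;
}
```

The two printed EIP values are the whole lesson: the bounded copy rejects the input and leaves the return address alone, while strcpy() silently replaces it with attacker-chosen bytes.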

Understand the NOP sled. Remember that NOP means No Operation; the CPU spends a cycle
on it and simply advances to the next instruction. A NOP sled is a run of NOP instructions
placed in front of the payload so that any return address landing anywhere in the run
"slides" down into the payload; know how it relates to buffer overflow and smashing the
stack. Memorize and recognize the hexadecimal value of the x86 NOP opcode, which is 0x90.

Be familiar with attack methods. You don't have to know all the details of how to perform
each attack method, but be sure to know what each method uses to perform the attack. For
example, a fraggle attack is the UDP counterpart of a smurf attack: spoofed UDP packets are
sent to the echo (port 7) and chargen (port 19) services so that the replies flood the victim.

Know the preventive measures. Know the preventive measures available as well as the
actions each one takes to prevent the attack. Ensure that you are familiar with the operation
of a reverse proxy, and with ingress and egress filtering, which drop packets whose source
address could not legitimately have arrived on that interface and so blunt spoofed floods.

Know your tools and terms. The CEH exam is drenched with terms and tool names that
will eliminate even the most skilled test taker because they simply don’t know what the
question is even talking about. Familiarize yourself with all the key terms, and be able to
recognize the names of the DoS tools on the exam.