A Denial of Service, or DoS as it is often abbreviated, is a malicious attack on a network. This type of attack is essentially designed to bring a network to its knees by flooding it with useless traffic. Many DoS attacks work by exploiting limitations in the TCP/IP protocols.

Hackers use DoS attacks to prevent legitimate uses of computer network resources. DoS attacks are characterized as (1) attempts to flood a network, attempts to disrupt connections between two computers, attempts to prevent an individual from accessing a service, or attempts to disrupt service to a specific system or person. Those on the receiving end of a DoS attack may lose valuable resources, such as their e-mail services, Internet access or their Web server. Some DoS attacks may eat up all your bandwidth or even use up all of a system resource, such as server memory. Some of the worst-case scenarios we've seen over the past couple of years involve a Web site used by millions of people being forced to cease operation because of a successful DoS attack.

A DoS attack may very well appear to be legitimate traffic on the system or network, but differs in that the volume and frequency of the traffic will increase to unmanageable levels. An attack on a Web server, for example, would not be normal spurts of visitors, but rather a large barrage of hits in close proximity so that the server cannot keep up with the sheer volume of page requests. On a mail server, hundreds of thousands of messages can be sent to the server in a short period of time, where the server would normally only handle under a thousand messages in that same period. The targeted server would most likely be brought to a halt by a DoS attack because it runs out of swap space, process space or network connections.

While DoS attacks do not usually result in information theft or any security loss for a company, they can cost an organization both time and money while their network services are down. For the hacker (or the script kiddies who often use DoS attacks), a DoS attack is usually committed for "ego boosting" purposes.

Early DoS attacks consisted of simple tools generating packets from a single source which were then aimed at a single destination. The evolution of the DoS attack, however, now sees (2) single source attacks against multiple targets, multiple source attacks against single targets, and multiple source attacks against multiple targets.
Key Terms for Understanding Denial of Service Attacks

DoS attack
Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic.

DDoS attack
Short for Distributed Denial of Service, it is an attack where multiple compromised systems (which are usually infected with a Trojan) are used to target a single system, causing a Denial of Service (DoS) attack.

script kiddie
A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet...

network meltdown
A state in which a network grinds to a halt due to excessive traffic.
Common Denial of Service Attacks

Buffer Overflow
The condition wherein the data transferred to a buffer exceeds the storage capacity of the buffer and some of the data "overflows" into another buffer, one that the data was not intended to go into. Since buffers can only hold a specific amount of data, when that capacity has been reached the data has to flow somewhere else, typically into another buffer, which can corrupt data that is already contained in that buffer. Malicious hackers can launch buffer overflow attacks wherein data with instructions to corrupt a system are purposely written into a file in full knowledge that the data will overflow a buffer and release the instructions into the computer's instructions.
Ping of Death
A type of DoS attack in which the attacker sends a ping request that is larger than 65,536 bytes, which is the maximum size that IP allows. While a ping larger than 65,536 bytes is too large to fit in one packet that can be transmitted, TCP/IP allows a packet to be fragmented, essentially splitting the packet into smaller segments that are eventually reassembled. Attacks took advantage of this flaw by fragmenting packets that when received would total more than the allowed number of bytes and would effectively cause a buffer overload on the operating system at the receiving end, crashing the system.
Smurf Attack
A type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees.
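What the victim of a smurf attack actually observes is a stream of ICMP echo replies it never requested, arriving from many hosts on one subnet and all carrying the identifier and sequence number of the single spoofed request. The detector below is an added example, not code from the Webopedia article: it keeps track of the echo requests a host itself sent and flags any burst of unmatched replies. The packet summaries, addresses and threshold are constructed for the demonstration; a real deployment would feed the records from a packet capture on the protected host.

```python
"""Detector for unsolicited ICMP echo replies, the symptom a smurf victim sees.
Added example, not code from the Webopedia article; the packet summaries,
addresses and threshold below are constructed."""
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed packet summaries: (time, direction, peer_ip, icmp_type, ident, seq).
# direction is "out" for packets this host sent and "in" for packets it received.
PACKETS = [
    (100.0, "out", "192.0.2.10", ECHO_REQUEST, 0x1234, 1),   # our own ping
    (100.1, "in",  "192.0.2.10", ECHO_REPLY,   0x1234, 1),   # its legitimate reply
]
# Smurf burst: 200 hosts on 203.0.113.0/24 answer one spoofed request, so every
# reply carries the same ident/seq and arrives within a fraction of a second.
PACKETS += [(101.0 + i * 0.001, "in", f"203.0.113.{i}", ECHO_REPLY, 0x7777, 5)
            for i in range(1, 201)]


def detect_unsolicited_replies(packets, window=1.0, threshold=50):
    """Match echo replies against echo requests this host really sent, then
    bucket the unmatched ones per time window. Returns one alert per window
    that reaches the threshold: (window_start, replies, distinct_sources,
    distinct_ident_seq). Many sources sharing one ident/seq pair is the
    broadcast-amplification signature."""
    outstanding = set()                                  # (peer, ident, seq) awaiting a reply
    buckets = defaultdict(lambda: [0, set(), set()])     # start -> [count, sources, ident/seq pairs]
    for ts, direction, peer, itype, ident, seq in packets:
        if direction == "out" and itype == ECHO_REQUEST:
            outstanding.add((peer, ident, seq))
        elif direction == "in" and itype == ECHO_REPLY:
            key = (peer, ident, seq)
            if key in outstanding:
                outstanding.discard(key)                 # solicited reply, nothing to report
                continue
            start = (ts // window) * window
            bucket = buckets[start]
            bucket[0] += 1
            bucket[1].add(peer)
            bucket[2].add((ident, seq))
    return [(start, count, len(sources), len(pairs))
            for start, (count, sources, pairs) in sorted(buckets.items())
            if count >= threshold]


if __name__ == "__main__":
    for start, count, sources, pairs in detect_unsolicited_replies(PACKETS):
        print(f"t={start:.0f}s: {count} unsolicited echo replies from {sources} hosts, "
              f"{pairs} distinct ident/seq value(s)")
```

Run stand-alone it reports one window holding 200 unsolicited replies from 200 hosts that all share a single ident/seq pair; the legitimate reply to our own ping is matched and dropped from the count.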
TCP SYN Attack
In a SYN attack, a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.
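The reason a SYN flood works is that a classic listener reserves a queue slot for every SYN until the handshake completes or the entry times out. The model below is an added example, not code from the article or from any operating system: it contrasts such a stateful queue with SYN cookies, one common form of the "patches to guard against TCP SYN flooding" mentioned under Preventative Measures, where the server derives its initial sequence number from the connection parameters with a keyed hash and stores nothing until a valid ACK comes back. The backlog size, addresses and secret are constructed, and the cookie construction is simplified (real SYN cookies also pack the MSS and a time counter into the sequence number).

```python
"""Model of a TCP listener's half-open (SYN) queue next to a SYN-cookie listener.
Added example, not code from the article or from any kernel; backlog, addresses
and secret are constructed, and the cookie scheme is simplified."""
import hashlib
import hmac
from collections import OrderedDict

BACKLOG = 4                                    # deliberately tiny so exhaustion is visible


class HalfOpenQueue:
    """Stateful listener: each SYN holds a slot until the client's ACK arrives
    or the entry times out. SYNs from spoofed sources never complete."""

    def __init__(self, backlog=BACKLOG, timeout=60.0):
        self.backlog, self.timeout = backlog, timeout
        self.pending = OrderedDict()           # (src_ip, src_port) -> arrival time

    def _expire(self, now):
        for key, arrived in list(self.pending.items()):
            if now - arrived > self.timeout:
                del self.pending[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.pending) >= self.backlog:
            return "dropped"                   # queue full: the SYN is discarded
        self.pending[src] = now
        return "syn-ack"

    def on_ack(self, src, now):
        self._expire(now)
        return "established" if self.pending.pop(src, None) is not None else "reset"


def stateful_under_flood(n_spoofed=10):
    """Send n spoofed SYNs at a stateful listener, then see whether a real
    client can still get a SYN-ACK one second later."""
    q = HalfOpenQueue()
    for i in range(n_spoofed):
        q.on_syn((f"198.51.100.{i}", 40000 + i), now=0.0)   # constructed spoofed sources
    return q.on_syn(("192.0.2.10", 51000), now=1.0)


SECRET = b"constructed-listener-secret"        # a kernel rotates this periodically


def syn_cookie(src, client_isn, dst_port, epoch):
    """Server ISN derived from the peer address/port, our port, the client's ISN
    and a coarse time value: nothing has to be stored per SYN."""
    msg = f"{src[0]}|{src[1]}|{dst_port}|{client_isn}|{epoch}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def ack_completes_handshake(src, client_isn, dst_port, ack_num, epoch):
    """The final ACK must acknowledge cookie + 1; recompute the cookie for the
    current and previous epoch and compare in constant time."""
    got = (ack_num & 0xFFFFFFFF).to_bytes(4, "big")
    for e in (epoch, epoch - 1):
        expected = ((syn_cookie(src, client_isn, dst_port, e) + 1) & 0xFFFFFFFF).to_bytes(4, "big")
        if hmac.compare_digest(expected, got):
            return True
    return False


def stateless_under_flood(n_spoofed=10):
    """Same flood against a SYN-cookie listener: spoofed SYNs leave no state
    behind, and the real client's ACK is validated from the cookie alone.
    Returns (real ACK accepted, forged ACK accepted)."""
    for i in range(n_spoofed):
        syn_cookie((f"198.51.100.{i}", 40000 + i), client_isn=1, dst_port=80, epoch=7)
    src, client_isn = ("192.0.2.10", 51000), 123456
    server_isn = syn_cookie(src, client_isn, 80, epoch=7)
    real_ack = (server_isn + 1) & 0xFFFFFFFF
    forged_ack = (server_isn + 2) & 0xFFFFFFFF
    return (ack_completes_handshake(src, client_isn, 80, real_ack, epoch=7),
            ack_completes_handshake(src, client_isn, 80, forged_ack, epoch=7))


if __name__ == "__main__":
    print("stateful listener, real client during flood:", stateful_under_flood())
    print("cookie listener (real ack ok, forged ack ok):", stateless_under_flood())
```

The stateful listener answers the real client with "dropped" because all four slots are held by SYNs that will never be acknowledged; the cookie listener accepts the genuine ACK and rejects a forged one without having kept a single pending entry.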
Teardrop
A Teardrop is a type of DoS attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them.
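Both the Ping of Death and the Teardrop attack described above abuse IP fragment reassembly: one by making the fragments add up to more than IP can express in a datagram, the other by making them overlap. The reassembler below is an added example, not code from the article or from any IP stack; it performs the two checks a hardened stack or packet filter applies before trusting a fragment set and refuses the datagram instead of passing corrupt data on. The fragment sets are constructed, and the size limit assumes the 16-bit IPv4 total-length maximum of 65,535 bytes less a 20-byte header.

```python
"""IP fragment reassembly with the two checks a Teardrop or Ping of Death
fragment set violates. Added example, not code from the article or from any
IP stack; the fragment sets are constructed. Offsets are in 8-byte units
relative to the start of the IP payload, as in the IPv4 header."""

IP_MAX_TOTAL = 65535                 # 16-bit total length field
IP_HEADER_LEN = 20                   # minimal IPv4 header assumed here
MAX_PAYLOAD = IP_MAX_TOTAL - IP_HEADER_LEN
FRAG_UNIT = 8


class BadFragment(ValueError):
    """Raised instead of handing a hostile fragment set to the rest of the stack."""

    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def reassemble(fragments):
    """fragments: (offset_units, more_fragments, payload) tuples of one datagram.
    Returns the reassembled payload, or raises BadFragment on overlap (Teardrop),
    oversize (Ping of Death), or an inconsistent set."""
    accepted = []                    # (start, end) byte ranges already placed
    buf = bytearray()
    total = None
    for offset_units, more, payload in fragments:
        start = offset_units * FRAG_UNIT
        end = start + len(payload)
        if more and len(payload) % FRAG_UNIT:
            raise BadFragment("alignment", f"non-final fragment at {start} is not a multiple of 8 bytes")
        if end > MAX_PAYLOAD:
            raise BadFragment("oversize", f"fragment [{start},{end}) exceeds the {MAX_PAYLOAD}-byte payload limit")
        for s, e in accepted:
            if start < e and s < end:
                raise BadFragment("overlap", f"fragment [{start},{end}) overlaps accepted [{s},{e})")
        if not more:
            if total is not None:
                raise BadFragment("duplicate-last", "two fragments claim to be the last one")
            total = end
        accepted.append((start, end))
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = payload
    if total is None:
        raise BadFragment("incomplete", "no final fragment received")
    if any(e > total for _, e in accepted):
        raise BadFragment("trailing", "data placed beyond the final fragment")
    if sum(e - s for s, e in accepted) != total:
        raise BadFragment("gap", "fragments do not cover the whole datagram")
    return bytes(buf[:total])


def classify(fragments):
    """'ok' for a clean set, otherwise the kind of defect that was rejected."""
    try:
        reassemble(fragments)
        return "ok"
    except BadFragment as exc:
        return exc.kind


# Constructed fragment sets: (offset in 8-byte units, more-fragments flag, payload)
NORMAL_SET = [(0, True, b"A" * 16), (2, True, b"B" * 8), (3, False, b"C" * 5)]
TEARDROP_SET = [(0, True, b"A" * 16), (1, False, b"B" * 12)]        # second starts inside the first
PING_OF_DEATH_SET = [(0, True, b"A" * 8), (8184, False, b"B" * 60)]  # 65472 + 60 > 65515

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_SET), ("teardrop", TEARDROP_SET), ("ping of death", PING_OF_DEATH_SET)):
        print(f"{name}: {classify(frags)}")
```

Some historical stacks resolved overlaps by policy (first fragment wins, or last wins), and that ambiguity is exactly what Teardrop exploited; a middlebox or hardened host is better off discarding the whole datagram.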
Distributed Denial of Service Attack (DDoS)
In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. Like a DoS attack, in a DDoS attack the legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.
Preventative Measures

To prevent your system and network from becoming a victim of DoS attacks, CERT/CC offers many preventative solutions (3) which include:

- Implement router filters. This will lessen your exposure to certain denial-of-service attacks.
- If they are available for your system, install patches to guard against TCP SYN flooding.
- Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
- Enable quota systems on your operating system if they are available.
- Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
- Routinely examine your physical security with respect to your current needs.
- Use Tripwire or a similar tool to detect changes in configuration information or other files.
- Invest in and maintain "hot spares" - machines that can be placed into service quickly in the event that a similar machine is disabled.
- Invest in redundant and fault-tolerant network configurations.
- Establish and maintain regular backup schedules and policies, particularly for important configuration information.
- Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.

[Read the full CERT/CC Prevention & Response Article]
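The "establish baselines for ordinary activity" step above is the one most easily turned into a running check. Below is an added example, not CERT/CC's or the article's code, that learns a baseline from a sliding window of per-minute request counts and flags samples that exceed it. It goes a little beyond the list by comparing two baselines, mean plus standard deviation and the more robust median plus MAD, because a flood that is already in the history inflates the former and hides later, smaller floods. The request counts, window length and multipliers are constructed.

```python
"""Baseline-and-deviation monitor for per-minute request counts.
Added example, not CERT/CC's or the article's code; the sample series,
window length and multipliers are constructed."""
import statistics


def naive_threshold(history, k=3.0):
    """Mean plus k standard deviations. An attack already inside the history
    inflates both terms, so later anomalies slip under the line."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def robust_threshold(history, k=6.0):
    """Median plus k scaled median absolute deviations. A few extreme values
    in the history barely move either statistic."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0   # avoid a zero-width band
    return med + k * 1.4826 * mad                                   # 1.4826 makes MAD comparable to sigma


def flag_anomalies(samples, threshold_fn=robust_threshold, window=30, floor=50):
    """Slide a window over the series; each sample is judged against a baseline
    learned from the preceding `window` samples only. Returns the flagged indexes."""
    flagged = []
    for i in range(window, len(samples)):
        limit = max(threshold_fn(samples[i - window:i]), floor)    # floor stops noise on quiet links
        if samples[i] > limit:
            flagged.append(i)
    return flagged


# Constructed: 40 ordinary minutes around 100 requests/min, a three-minute flood,
# a return to normal, then a smaller 900-request burst at minute 46.
ORDINARY = [96, 104, 99, 101, 107, 93, 100, 98, 110, 95] * 4
SAMPLES = ORDINARY + [100, 5800, 6100, 6400, 98, 102, 900]

if __name__ == "__main__":
    print("mean + 3*sd flags minutes:   ", flag_anomalies(SAMPLES, naive_threshold))
    print("median + 6*MAD flags minutes:", flag_anomalies(SAMPLES, robust_threshold))
```

Both baselines catch the large flood, but once those three minutes sit inside the learning window the mean-based threshold rises to several thousand requests and the 900-request burst at minute 46 goes unflagged; the median/MAD threshold stays near 135 and reports it.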
Did You Know...
According to research firm Gartner, extortion attempts that use targeted denial of service attacks against e-commerce sites and banks are increasing.
Vangie 'Aurora' Beal
Writer, www.Webopedia.com
Last updated: September 09, 2005
(1) http://www.cert.org/tech_tips/denial_of_service.html
(2) http://www.cert.org/archive/pdf/DoS_trends.pdf
(3) http://www.cert.org/tech_tips/denial_of_service.html#4
CERT Coordination Center - Denial of Service Attacks
This document provides a general overview of attacks in which the primary goal of the attack is to deny the victim(s) access to a particular resource. Included is information that may help you respond to such an attack.

CERT home page
This site hosts the CERT Coordination Center, an organization that focuses on computer security concerns for Internet users. Their home page contains information about the organization, links to an FTP site where CERT advisories can be retrieved, FAQs, archives, and research information.

Cisco - Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security.

eSecurity Planet
A resource for daily information on e-security targeted to IT managers. The site provides users with information from a variety of sources, including experts at security product and services firms, and the consultants who follow the security industry.

The Attacks on GRC.COM
The Strange tale of the Denial of Service Attacks Against GRC.com, by Steve Gibson, GIBSON RESEARCH CORPORATION.

DDoS World
Knowledge base including news articles, white papers, and advisories.

CNN / Sci-Tech - Deconstructing DoS Attacks
(IDG) -- Denial of service (DoS) attacks have made headlines in the last year by assaulting a number of large and very successful companies.