
Lance West

DoS – Denial of Service Attack


What is a DoS attack?

Just what is a Denial of Service (DoS) attack, and how can it be used to attack a network?

Many of the classic DoS attacks exploit flaws in vendors' implementations of TCP/IP, the protocol suite underlying the Internet. These attacks acquired cute names such as "ping of death", "Smurf" and "teardrop", and they were effective at crashing hosts and saturating networks until patches were released and routers were upgraded. More generally, any attack whose goal is to make a service unavailable to its legitimate users, whether by crashing it, exhausting its resources or flooding its link, is a DoS attack.

A DoS attack is like a million people standing around your house banging on every door, stopping everyone else from getting in. It generates so much traffic that the router finally gives up and crashes.

It turns out there are many types of DoS attack, and each has its own degree of mayhem it can cause.


Bandwidth Consumption Attack: DoS

In this type of DoS attack the attacker consumes all of the victim's available bandwidth. To do this from a single machine the attacker needs more bandwidth than the victim, which at the time meant a T1 or faster connection.

An attacker with limited bandwidth, but a working knowledge of the Internet Control Message Protocol (ICMP), the protocol also used for network diagnostics such as ping, has two other options. He can compromise other machines and turn them into "zombies", so that an army of computers floods the victim at once (a distributed DoS), or he can use amplification: small spoofed requests that make third-party networks reply to the victim with far more traffic than he sent (see the Smurf slides).


Resource Starvation: DoS

This differs from a bandwidth attack in that it uses up the server's own resources, such as CPU, memory, file-system quotas or process slots, rather than the network link.

Often the attacker is someone who already has a limited allocation of server resources (a local or authenticated user) and starts depriving other users of shared services such as temporary memory buffers and temporary file or swap space.

This type of attack makes applications hang and leads to servers freezing up.

Nowadays this type of attack can be detected early with fault-management tools, but only if the server is configured correctly: per-user limits (disk quotas, process and memory limits) and monitoring thresholds have to be in place before the attack, not after.


Programming Flaws: DoS

Every application and operating system has flaws. If a flaw is in a software package's handling of the TCP/IP protocols, it will get out to the hacking community and someone will write a program to exploit it.

Remember the Pentium "F00F" bug: an unprivileged user process could hang the whole machine, Windows NT included, simply by executing the invalid instruction encoded as the bytes F0 0F C7 C8 (a LOCK CMPXCHG8B with a register operand). The processor locked up until reset and the operating system could not intervene, so vendors had to ship workarounds that caught the fault before the CPU hung.

The network analogue is sending a set of malformed, non-RFC-compliant packets to a server (overlapping fragments, oversized pings, bogus flag combinations) to see whether the server handles the exception gracefully or panics and crashes.

That was one of the ways a DoS attack could be used against older NT boxes: the machine would panic and reboot, and every forced reboot is a window in which the service, and any protections that only start once the system is back up, are unavailable.


Routing & Domain Name Server Attacks: DoS

Domain Name Servers (DNS) had essentially no authentication of responses just a few years ago: a resolver accepted any reply that carried the 16-bit transaction ID it was waiting for. This made it easy for attackers to poison a server's cache, feeding it a bogus address for a name so that users were silently redirected to a cloned web site.

Example: a cloned bank login page set up to capture users' personal information. In these attacks the attacker spoofs the source IP address of the real name server and races its reply, convincing the victim's resolver to cache bogus address information. The DoS aspect is that, for the lifetime of the poisoned record, legitimate users can no longer reach the real site at all.
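The checks a resolver needs in order to reject the spoofed reply described above, as an added example that is not part of the slides. The domain names, addresses and the "example-bank.test" zone are constructed for the demo; the randomized transaction ID and source port, the source-address check and the bailiwick check are the real countermeasures, simplified here (a production resolver additionally validates DNSSEC).

```python
"""Resolver-side checks that defeat the blind cache poisoning described above.

Added example, not from the slides. Names, addresses and the .test zone are
constructed; a real resolver also validates DNSSEC."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID (the only "authentication" classic DNS had)
    sport: int     # our randomized source port
    server: str    # IP address we sent the query to
    zone: str      # zone that server is authoritative for
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    src: str       # IP the reply claims to come from
    dport: int     # our port the reply was addressed to
    qname: str     # question section echoed back
    rname: str     # owner name of the answer record
    rdata: str     # address carried in the answer


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it (the server may speak for it)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.pending = {}     # (txid, sport) -> Query
        self.cache = {}       # name -> rdata
        self.rejections = []  # (Response, reason) for logging

    def send_query(self, qname: str, server: str, zone: str) -> Query:
        # Random txid AND random source port: an off-path attacker must guess ~32 bits.
        q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), server, zone, qname)
        self.pending[(q.txid, q.sport)] = q
        return q

    def receive(self, r: Response) -> bool:
        q = self.pending.get((r.txid, r.dport))
        if q is None:
            reason = "txid/port do not match an outstanding query"
        elif r.src != q.server:
            reason = "source address is not the server we asked"
        elif r.qname.lower() != q.qname.lower():
            reason = "question section differs from what we asked"
        elif not in_bailiwick(r.rname, q.zone):
            reason = "record is outside the answering server's bailiwick"
        else:
            del self.pending[(r.txid, r.dport)]
            self.cache[r.rname.lower()] = r.rdata
            return True
        self.rejections.append((r, reason))
        return False


def demo() -> dict:
    """Race a spoofed reply, an out-of-bailiwick reply and the genuine reply."""
    res = Resolver()
    q = res.send_query("www.example-bank.test", "198.51.100.53", "example-bank.test")
    # 1. Blind spoof: attacker knows the port (assume he learned it) but guesses the txid wrong.
    spoof = Response((q.txid + 1) & 0xFFFF, q.server, q.sport, q.qname, q.qname, "203.0.113.66")
    # 2. Correct txid/port, but tries to plant a record for a name this server does not own.
    planted = Response(q.txid, q.server, q.sport, q.qname, "www.other-bank.test", "203.0.113.66")
    # 3. The genuine answer from the authoritative server.
    real = Response(q.txid, q.server, q.sport, q.qname, q.qname, "192.0.2.10")
    return {
        "spoof": res.receive(spoof),
        "planted": res.receive(planted),
        "real": res.receive(real),
        "cache": dict(res.cache),
        "rejections": [reason for _, reason in res.rejections],
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the txid/port lookup is cheap and discards the bulk of a flood of guesses, while the bailiwick rule is what stops a server that legitimately answered for one name from slipping in a record for a bank it does not serve.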


Smurf Attacks: DoS

This used to be one of the worst DoS attacks because of the amplification it could produce. The attacker first probes networks to find ones whose routers forward packets addressed to the broadcast address (a "directed broadcast"). Take a standard class C, or 24-bit, allocation: the network address ends in .0 and the broadcast address in .255. The broadcast address is normally used for diagnostics and discovery, and every host on the segment answers it.

The Smurf attack sends ICMP echo requests to that directed broadcast address with a spoofed source: the victim's IP address. The spoofed packets make it appear that the victim initiated the request, so every host on the network replies to the victim.

One ICMP packet from the attacker thus becomes one reply from every host that answers: 100 responding systems give a 100-fold amplification. It becomes a massive saturating attack on the victim's link that quickly consumes all available bandwidth, and the victim sees traffic from the reflector network, not from the attacker.

A variant called Fraggle uses UDP (the echo or chargen ports) instead of ICMP. Both have the same effect of eating up bandwidth unless routers refuse to forward directed broadcasts at the border (the Cisco IOS interface command "no ip directed-broadcast", now the default) and your monitoring is set up to spot this kind of traffic early.

YouTube video on ICMP traffic: http://www.youtube.com/watch?v=PMFgUvUPc-E


Smurf Attacks: illustration

(Figure: "Normal Connection" versus "Smurf Attack")


SYN Flood or Layer 4 DoS Attack: 1 of 3

The SYN flood was the worst type of denial of service (DoS) attack before the Smurf attack came along. Unlike Smurf it does not rely on broadcast ping messages; it abuses the TCP three-way handshake itself. A normal connection starts when the client sends a SYN packet to a specific port on the server. The server replies with a SYN-ACK and allocates a half-open connection entry, and if everything goes well the client answers with an ACK, which puts the connection in the ESTABLISHED state. The attack exploits a built-in weakness: the server commits memory for the half-open entry before it has any proof that the client is real, and the table holding those entries is small compared with the resources available once a connection is fully established.


SYN Flood or Layer 4 DoS Attack: 2 of 3

Since the attacker spoofs the source address, the server's SYN-ACK goes to a host that either does not exist or never asked for it, so the server sits in the SYN_RECV state waiting for an ACK that never arrives.

It will not flush the entry until a response arrives or the server's internal timer expires, which can take seconds to minutes depending on the stack and how many times it retransmits the SYN-ACK. The diagram below gives you some idea of what happens within the TCP three-way handshake.


SYN Flood or Layer 4 DoS Attack: 3 of 3

Since most servers allot limited memory to any one port's half-open connection queue (the listen backlog), only a small number of these unanswered requests needs to build up before new connections to that port are refused or silently dropped.

In addition, if the attacker has done his homework and knows all the open ports on your server, he simply sends thousands of spoofed SYNs to each of them and overloads every queue at once. Now nobody can connect to the server on any port. Modern stacks counter this with SYN cookies, which let the server answer a SYN without storing any state until the client's ACK proves it can actually receive packets at the claimed address.
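A toy listener that shows both halves of the three slides above, as an added example that is not part of the original deck: with a conventional backlog the spoofed SYNs fill the half-open queue and the legitimate client is refused, while with SYN cookies the server keeps no state and the same client connects. The backlog size, timeout, cookie layout (8-bit time slot plus 24-bit MAC) and the addresses are assumptions for the demo; a real stack also encodes the negotiated MSS in the cookie.

```python
"""Why a SYN flood fills the half-open queue, and how SYN cookies avoid it.

Added example, not from the slides: a toy TCP listener with the backlog,
timeout and cookie layout simplified (assumed values below)."""
import hashlib
import hmac
import secrets
from collections import OrderedDict

BACKLOG = 128              # half-open entries one listener keeps (assumed; real stacks are tunable)
SYN_RECV_TIMEOUT = 60.0    # seconds an unanswered SYN-ACK is remembered (assumed)
COOKIE_SLOT = 64.0         # seconds per time slot encoded in the cookie


class Listener:
    def __init__(self, syn_cookies: bool = False, secret: bytes = b""):
        self.syn_cookies = syn_cookies
        self.secret = secret or secrets.token_bytes(32)
        self.half_open = OrderedDict()   # (src, sport) -> (server_isn, expiry), oldest first
        self.established = set()
        self.dropped = 0

    def _cookie(self, src: str, sport: int, client_isn: int, slot: int) -> int:
        """Stateless ISN: 8-bit time slot || 24-bit MAC over the peer address and client ISN."""
        slot &= 0xFF
        msg = f"{src}:{sport}:{client_isn}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (slot << 24) | int.from_bytes(mac[:3], "big")

    def _expire(self, now: float) -> None:
        while self.half_open and next(iter(self.half_open.values()))[1] <= now:
            self.half_open.popitem(last=False)

    def on_syn(self, src: str, sport: int, client_isn: int, now: float):
        """Return the server ISN placed in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport, client_isn, int(now // COOKIE_SLOT))  # no state kept
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1
            return None
        isn = secrets.randbelow(1 << 32)
        self.half_open[(src, sport)] = (isn, now + SYN_RECV_TIMEOUT)
        return isn

    def on_ack(self, src: str, sport: int, client_isn: int, ack: int, now: float) -> bool:
        """Final ACK of the handshake (ack == server ISN + 1); True once ESTABLISHED."""
        server_isn = (ack - 1) & 0xFFFFFFFF
        if self.syn_cookies:
            slot = server_isn >> 24
            if ((int(now // COOKIE_SLOT) - slot) & 0xFF) > 1:
                return False                                   # cookie too old
            if self._cookie(src, sport, client_isn, slot) != server_isn:
                return False                                   # forged or replayed ACK
        else:
            entry = self.half_open.pop((src, sport), None)
            if entry is None or entry[0] != server_isn:
                return False
        self.established.add((src, sport))
        return True


def simulate(syn_cookies: bool, attack_syns: int = 1000) -> dict:
    """Spoofed SYNs that never complete, then one legitimate client a second later."""
    srv = Listener(syn_cookies)
    for i in range(attack_syns):   # constructed attacker traffic, spoofed sources in 203.0.113.0/24
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, i, now=0.1)
    client_isn = 424242
    server_isn = srv.on_syn("192.0.2.7", 51000, client_isn, now=1.0)
    connected = server_isn is not None and srv.on_ack(
        "192.0.2.7", 51000, client_isn, (server_isn + 1) & 0xFFFFFFFF, now=1.05)
    return {"connected": connected, "half_open": len(srv.half_open), "dropped": srv.dropped}


if __name__ == "__main__":
    print("without cookies:", simulate(False))
    print("with cookies:   ", simulate(True))
```

Without cookies the first 128 spoofed SYNs occupy the backlog for the full 60-second timeout and everything after them, including the real client, is dropped. With cookies the server's "memory" lives in the ISN it hands out, so an ACK that does not carry a valid cookie for its own address costs the server nothing more than one HMAC.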


How to create a DoS type attack?

Open a command prompt: click Run and type cmd.

Find the target's IP address, e.g. ping www.google.com and note the address it resolves to. (The slide then uses a lab address, 192.168.1.101.)

Type: ping 192.168.1.101 -t -l 15000

-t: ping the specified host until stopped (Ctrl-C).

-l size: send buffer size in bytes (Windows allows up to 65500).

Caveat: this is a single-source ICMP flood. It only hurts a target whose link or ICMP handling is weaker than the attacker's upload capacity; each 15,000-byte echo request is split into fragments that the target must reassemble, and modern hosts and firewalls rate-limit or drop oversized ICMP. Run it only against hosts you own or have written permission to test.
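The defender's side of the two ICMP attacks in this deck, the ping -t -l 15000 flood above and the Smurf directed-broadcast trick from the earlier slides, as an added example that is not part of the original. It runs three rules over a constructed packet log: echo requests aimed at a /24 broadcast address from a source outside that /24, a per-source echo-request rate, and payloads too large to fit one Ethernet frame. The thresholds, the classful /24 assumption and every address in the log are made up for the demo.

```python
"""Flag the two ICMP abuses from the slides in a packet log: a single-source ping
flood (ping -t -l 15000) and Smurf-style echo requests to a directed broadcast.

Added example, not from the slides; the log lines and thresholds are constructed."""
import ipaddress
from collections import Counter

ECHO_REQUEST = 8
FLOOD_PER_SECOND = 50            # echo requests from one source per second (assumed threshold)
MAX_UNFRAGMENTED_PAYLOAD = 1472  # 1500-byte Ethernet MTU minus 20-byte IP and 8-byte ICMP headers


def directed_broadcast_net(dst: str):
    """Return the /24 whose broadcast address dst is, else None (classful assumption, as in the slides)."""
    net = ipaddress.ip_network(f"{dst}/24", strict=False)
    return net if ipaddress.ip_address(dst) == net.broadcast_address else None


def analyze(packets):
    """packets: iterable of (time_s, src, dst, icmp_type, payload_bytes). Returns a list of alerts."""
    alerts = []
    per_second = Counter()
    oversized = Counter()
    for t, src, dst, icmp_type, payload in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        net = directed_broadcast_net(dst)
        if net is not None and ipaddress.ip_address(src) not in net:
            # A host outside 192.0.2.0/24 has no business pinging 192.0.2.255: the source
            # is the victim being spoofed, and every host on that segment will answer it.
            alerts.append({"rule": "directed_broadcast_echo", "src": src, "dst": dst, "t": t})
        if payload > MAX_UNFRAGMENTED_PAYLOAD:
            oversized[src] += 1
        per_second[(src, int(t))] += 1
    for (src, sec), n in per_second.items():
        if n > FLOOD_PER_SECOND:
            alerts.append({"rule": "icmp_flood", "src": src, "t": sec, "count": n})
    for src, n in oversized.items():
        alerts.append({"rule": "oversized_echo", "src": src, "count": n})
    return alerts


def build_sample():
    """Constructed log: normal pings, a ping -l 15000 flood, three Smurf triggers, one reply."""
    pkts = [(0.5 + i, "192.0.2.7", "192.0.2.1", ECHO_REQUEST, 32) for i in range(4)]
    pkts += [(2.0 + i / 100, "203.0.113.5", "198.51.100.10", ECHO_REQUEST, 15000) for i in range(60)]
    pkts += [(3.0 + i, "198.51.100.10", "192.0.2.255", ECHO_REQUEST, 64) for i in range(3)]
    pkts += [(2.5, "198.51.100.10", "203.0.113.5", 0, 15000)]  # echo reply, ignored by the rules
    return pkts


if __name__ == "__main__":
    for a in analyze(build_sample()):
        print(a)
```

Note which source each rule names: the flood rule points at the real attacker, but the directed-broadcast rule names the victim, because that is the address the attacker spoofed. On a real network the /24 assumption must be replaced by the prefix lengths from your own routing table, and the rate threshold tuned against normal monitoring traffic.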


Recommendations

One of the first things I would recommend is setting up a demilitarized zone (DMZ) within your network configuration.

A DMZ adds an additional layer of security to an organization's local area network (LAN) because it is a separate sub-network: the Internet-facing servers live there, behind a firewall, and they cannot initiate connections into the internal LAN.

You can do a lot of creative things to secure it, and you can disconnect it from the rest of the network if an attack comes in through the Internet. Keep in mind that a DMZ limits the damage an attacker can do once inside; it does not stop a bandwidth flood from filling your Internet link, which has to be dealt with upstream by your ISP or a filtering provider.


DMZ - Zone (diagram)


Defending against DoS 1 of 2

The usual defense against a DoS attack is to try to figure out who is sending you the server requests and block them one by one, or by rate limit and source network. The problem is that it takes time to identify the attacker, especially when the sources are spoofed or distributed, and in the meantime your web sites are effectively inaccessible.

A newer, research-stage defense called Speak-Up takes the opposite approach: the server asks all clients connecting to it to pump up the size of their requests. Instead of trying to distinguish friend from foe traffic, it simply asks every client to send it more and more traffic.

The theory is that legitimate clients have far more spare bandwidth than attackers, who are probably already maxing out their links trying to shut you down. As a result, legitimate clients get a larger share of the server's time, hopefully enough to prevent a service interruption. Note that this only helps when the bottleneck is the server's capacity to process requests, not when the link in front of it is already saturated.


Defending against DoS 2 of 2

Speak-Up works like this: the top illustration shows the portion of the server's resources used by legitimate traffic (black) when the server is under attack and undefended. The bottom illustration shows the same server with Speak-Up in place; now the legitimate traffic gets its fair share of the server's resources.


The End. Helping to bring modern civilization to its knees.