Denial of Service Attacks

Written by: Thomas Gregovich; published: January 2008


Denial-of-service (DoS) attacks are reported to incident response teams more than any other type of attack. Misconceptions about denial-of-service attacks abound, however. One widely held misconception is that denial-of-service attacks invariably crash applications or hosts. Although the majority of reported DoS attacks do indeed cause applications or hosts to crash, a DoS attack can also cause a system or function to slow down or not run properly. A poorly written CGI program, for example, can crash a web server through a buffer overflow or other condition, but it can also cause CPU overutilization, making the victim host unresponsive.

Several types of DoS attacks are now almost legendary because they have occurred so many times:

  • SYN flooding. In a SYN flooding attack, a hostile host sends a flood of SYN packets to a victim host. SYN packets are sent by a host that wants to start a TCP connection with another host (which we will also call the "receiving host"). The receiving host monitors the status of the connection attempt as well as the connection itself, if a connection is established. Monitoring the status requires resources. When a connection is closed, the resources used in monitoring the connection no longer are needed. As more connections occur, more resources are allocated to monitor the state of the connections. Under normal conditions in which a normal number of connections are in place, the receiving host has more than enough resources to monitor all the connections to it.

    But what if a flood of SYN packets is sent, and the receiving host gets no subsequent packets that are part of the normal process of completing the connection? Simply put, the receiving host runs out of resources, making the victim host unresponsive in the case of moderate resource exhaustion or causing it to crash in the case of more severe resource exhaustion. Because SYN flooding attacks are easy to initiate, they occur frequently. Fortunately, most vendors of operating systems have addressed the problem by having the operating system drop partially open connections.

  • Teardrop attack. A teardrop attack is another type of DoS attack. The IP protocol is a robust protocol designed to deal with a wide range of devices, systems, and types of networking. If a system is going to send packets that are, say, 1 kilobyte (1,024 bytes) in size, network devices such as routers might not be able to handle packets that are this large. They might instead be able to handle packets that are only half this size. In this case, IP automatically divides the original packet into smaller pieces that are able to make their way through network devices that cannot handle larger packets, a process called fragmentation.

    When the fragmented packets arrive at the receiving host, this host reassembles them into the packet that the sending host originally created. Fragmenting packets is useful because it provides a practical and reasonably efficient way to transport data across a network while still preserving the accuracy of the data. An attacker can abuse the fragmentation process, however, by causing the receiving host to receive values in packets it is not programmed to process. In a teardrop attack, one packet fragment is placed within another so that when the receiving host receives this set of packet fragments, the resulting values (in terms of offsets) are out of range. The receiving machine goes out of control and crashes.

    There are many variations of the classic teardrop attack as well as many other types of packet fragmentation attacks. An attacker can, for example, write a program that divides packets into fragments in a manner that causes subsequent packets to overwrite portions of the initial fragment.

  • Smurf attack. Still another kind of denial-of-service attack is a smurf attack. In this kind of attack, a target host is victimized when an attacker falsifies ("spoofs") the origination or source address to be the target host's address. The attacker (or, more properly, a program that runs on behalf of the attacker) releases a flood of ping packets or ICMP echo requests destined for all the hosts on the local network. This is accomplished by using the broadcast address as the destination. The broadcast address of a network is a particular IP address that is used for sending packets to every host within the local network.

    When the ping or ICMP echo request packets reach the broadcast address, they are delivered to every other host on the network. Those hosts respond by replying to the source address, which is the address of the targeted host. The flood of replies can have several effects, the most likely of which is causing the target host to crash or, at best, slowing it to a crawl because it has to process such a barrage of packets. Most operating system vendors have developed patches that correct this problem, although network filtering that limits broadcast traffic is another viable solution.
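The SYN flooding item above ends with the vendor fix of dropping partially open connections. The following model is an added example, not code from the original article, that shows why that fix matters and where it falls short: a listener's half-open connection table is filled by SYNs that are never completed, and a legitimate client is refused until stale entries are aged out. The table capacity, the aging timeout and the traffic trace are all constructed values.

```python
"""
Model of a TCP listener's half-open (SYN received, final ACK not yet received)
connection table under a SYN flood. Added example with constructed parameters;
it is not taken from the article or from any real TCP implementation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HalfOpenTable:
    """Tracks connection attempts that have sent a SYN but have not completed the handshake."""
    capacity: int                       # how many half-open entries the listener will keep
    timeout: Optional[float] = None     # None means half-open entries are never aged out
    pending: dict = field(default_factory=dict)   # (src, sport) -> time the SYN arrived
    refused: int = 0                    # SYNs dropped because the table was full
    established: int = 0                # handshakes completed

    def _expire(self, now: float) -> None:
        """Drop partially open connections older than the timeout (the vendor fix)."""
        if self.timeout is None:
            return
        stale = [key for key, seen in self.pending.items() if now - seen > self.timeout]
        for key in stale:
            del self.pending[key]

    def on_syn(self, now: float, src: str, sport: int) -> bool:
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1           # no room: the SYN is dropped and the client gets no SYN-ACK
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, now: float, src: str, sport: int) -> bool:
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False                # ACK for a connection we are not (or no longer) tracking
        self.established += 1
        return True


def make_traffic(flood_count: int) -> list:
    """Constructed trace: one SYN per second from many sources, none of which completes
    the handshake, followed one minute later by a legitimate client that does."""
    events = []
    for i in range(flood_count):
        events.append((float(i), "syn", f"203.0.113.{i % 250 + 1}", 40000 + i))
    legit_time = float(flood_count + 60)
    events.append((legit_time, "syn", "198.51.100.7", 51515))
    events.append((legit_time + 0.5, "ack", "198.51.100.7", 51515))
    return events


def run(events: list, capacity: int, timeout: Optional[float] = None) -> dict:
    """Replay a trace against a table and report what the listener ended up with."""
    table = HalfOpenTable(capacity=capacity, timeout=timeout)
    for now, kind, src, sport in events:
        if kind == "syn":
            table.on_syn(now, src, sport)
        else:
            table.on_ack(now, src, sport)
    return {"half_open": len(table.pending), "refused": table.refused,
            "established": table.established}


if __name__ == "__main__":
    trace = make_traffic(200)
    print("no aging:        ", run(trace, capacity=128))
    print("30 s aging:      ", run(trace, capacity=128, timeout=30))
    print("300 s aging:     ", run(trace, capacity=128, timeout=300))
```

With no aging, 128 bogus entries fill the table for good and the legitimate client is refused. A 30-second timeout keeps at most 30 entries alive at this flood rate, so the real client connects. A 300-second timeout is longer than the flood needs to fill the table, so the outcome is the same as no aging at all: aging only helps when the timeout is short relative to the arrival rate, which is why modern stacks combine it with other measures such as SYN cookies.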

Ping, the "packet Internet groper," is a protocol designed to determine whether or not a host is alive on the network (that is, whether it is running and responsive). Ping transmits a group of characters, usually a reasonably small group (typically fewer than 100 bytes), and then waits for the host that has been pinged to respond. One of the primary uses of ping is determining whether a particular host has crashed.

  • Ping-of-death attack. Still another classic type of DoS attack is the ping-of-death attack. This attack creates a buffer overflow condition, something that results from having too little memory available for incoming data to be processed. The exact way in which a buffer overflow condition is handled depends on a number of factors, but one possible outcome is exhaustion of memory that causes an application or system to crash.

    The trick to a successful ping-of-death attack is to send ping packets that exceed the maximum size, namely 64KB in TCP/IP. The receiving host might not be programmed to reject the oversized packets and might consequently go into a buffer overflow condition. This problem has mainly (but not exclusively) affected Microsoft operating system products, most of which crash with the notorious blue screen of death (BSOD) appearing. Fortunately, patches that fix this problem are now routinely available and are usually incorporated into operating system products that were vulnerable only a few years ago.

  • Land attack. A land attack capitalizes on the fact that properties of packets usually adhere to certain constraints. Normally, for example, SYN packets do not have the same source and destination IP addresses, nor are the source and destination ports normally the same. If an attacker sends SYN packets that have these or other characteristics in a land attack, the receiving host might go into some kind of abnormal state, causing it to crash.

  • WinNuke attack. A WinNuke attack capitalizes on a weakness in the TCP/IP implementation in certain versions of Windows NT. In this attack, a perpetrator sends out of range input (that is, input with parameters that are not within the range the receiving host expects) to a victim host through a connection established on TCP port 139. Massive over-allocation of CPU in dealing with this abnormal condition causes the victim host to crash. The problem, which is fixed in Windows NT 4.0 Service Pack 3 and higher, is due to a failure to check whether input is within an expected range.

  • Distributed denial-of-service (DDoS) attacks. Although similar in many respects to conventional denial-of-service attacks, DDoS attacks are different primarily in that they require taking over hosts that are then assigned various roles in the impending DDoS attack(s) through installation of special, malicious software. Note also, however, that DDoS attacks can be initiated from one's own systems, too. DDoS attacks involve master, handler, and zombie hosts:

    • Zombies are agents that actually release a flood of packets that bring down hosts and also bring the network to a standstill. Zombies do not act on their own, however; they release a packet flood only if instructed to do so by another host, namely a handler (see next bullet).

    • Handlers are really nothing more than intermediate machines that neither initiate an attack nor release the packets that flood the victim network. They instead perform tasks such as confirming that agent software has been installed in hosts (zombies) throughout the network and that it is ready to work. Handlers thus query the zombies at designated intervals. Handlers also receive the signal to initiate a DDoS attack from the master, another host typically not placed within the network in which the DDoS attack is to occur, and pass it on to the agents. The handler in turn then sends a signal to the zombies to release a barrage of packets.

    • The third accomplice in a DDoS attack is the master. The master is the host that is usually directly under the attacker's control. It is used to direct any handlers to send the command to release a flood of packets to the zombies.

    DDoS attacks in 1999 and 2000 caused major financial loss and/or disruption for a number of institutions, including the University of Minnesota, ZDnet, eBay, E-Trust, Amazon.com, and others. The major threat is of a prolonged outage, although the cost of investigating hosts for evidence of compromise by DDoS tools and restoring the integrity of these systems can also be very high. Many types of DDoS attack tools have been identified. One, Shaft, even builds in its own detection mechanisms, enabling it to avoid being detected by intrusion-detection programs. Additional DDoS tools that have been identified include Trin00, Tribe Flood Network (TFN), TFN2K, Slice3, Stacheldraht, and others.
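The teardrop and ping-of-death items above both abuse IP fragment reassembly: teardrop with fragments whose offsets overlap, ping of death with fragments that add up to more than the 65,535-byte maximum datagram. The validator below is an added example, not code from the article, showing the checks a hardened receiver applies before accepting each fragment. The Fragment model, the "reject any overlap" policy and the sample fragment sets are simplifications constructed for this illustration; real stacks differ in how they resolve overlaps.

```python
"""
Strict IPv4 fragment reassembly checks: alignment, a total-size bound that
rejects ping-of-death style datagrams, and rejection of overlapping fragments
of the kind used by teardrop. Added example with a simplified fragment model;
not the article's code and not a real stack's reassembly routine.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_DATAGRAM = 65535   # largest IPv4 datagram the 16-bit total-length field can describe
IP_HEADER = 20         # minimal header size, assumed for the size bound


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # True unless this is the final fragment (the IP "more fragments" flag)


def check_fragment(accepted: List[Fragment], frag: Fragment) -> Optional[str]:
    """Return None if frag may be accepted alongside the fragments already held, else a reason."""
    if frag.length <= 0:
        return "empty fragment"
    if frag.offset % 8:
        return "offset is not a multiple of 8"
    if frag.more and frag.length % 8:
        return "non-final fragment length is not a multiple of 8"
    end = frag.offset + frag.length
    if IP_HEADER + end > MAX_DATAGRAM:
        # ping of death: the reassembled datagram would not fit the IP length field
        return f"reassembled datagram would be {IP_HEADER + end} bytes, above {MAX_DATAGRAM}"
    for held in accepted:
        held_end = held.offset + held.length
        if frag.offset < held_end and held.offset < end:   # half-open intervals intersect
            # teardrop-style overlap: refuse rather than let one fragment overwrite another
            return f"fragment [{frag.offset},{end}) overlaps [{held.offset},{held_end})"
    return None


def reassemble(fragments: List[Fragment]) -> Tuple[str, object]:
    """Validate a fragment set; returns ('ok', payload_length) or ('reject', reason)."""
    accepted: List[Fragment] = []
    for frag in fragments:
        reason = check_fragment(accepted, frag)
        if reason:
            return ("reject", reason)
        accepted.append(frag)
    accepted.sort(key=lambda f: f.offset)
    expected = 0
    for frag in accepted:          # payload must start at 0 and be contiguous
        if frag.offset != expected:
            return ("reject", f"gap before offset {frag.offset}")
        expected = frag.offset + frag.length
    if not accepted or accepted[-1].more:
        return ("reject", "final fragment missing")
    return ("ok", expected)


# Constructed fragment sets for illustration
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(1400, 600, False)]      # second overlaps the first
OVERSIZED = [Fragment(i * 1480, 1480, True) for i in range(44)] + [Fragment(44 * 1480, 400, False)]
GAPPED = [Fragment(0, 1480, True), Fragment(2960, 100, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("oversized", OVERSIZED), ("gapped", GAPPED)]:
        print(f"{name:10s} -> {reassemble(frags)}")
```

Every fragment in the oversized set is individually well formed; only the running total exposes it, which is why the size bound has to be checked against the reassembled length rather than against each fragment on its own.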
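The smurf and land items above describe packets whose addressing is itself the tell: a land packet claims to come from the host it is sent to, and a smurf flood begins with an echo request to a broadcast address followed by many echo replies converging on one spoofed source. The detector below is an added example, not code from the article, that applies those three checks to packet summaries. The defended network, the reflection threshold and the packet records are all constructed.

```python
"""
Detector for land packets and smurf traffic over packet summaries.
Added example with constructed data; not the article's code and not
tied to any particular capture tool's record format.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: the network we defend
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
REFLECTION_THRESHOLD = 10   # constructed: distinct repliers to one host before we flag it


def is_land(pkt: dict) -> bool:
    """Land attack signature: source address equal to destination address."""
    return pkt["src"] == pkt["dst"]


def is_broadcast_echo_request(pkt: dict) -> bool:
    """Smurf trigger: an ICMP echo request addressed to a broadcast address."""
    if pkt["proto"] != "icmp" or pkt["type"] != "echo-request":
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    return dst == LOCAL_NET.broadcast_address or dst == LIMITED_BROADCAST


def analyze(packets: List[dict]) -> Dict[str, object]:
    """Flag land packets, broadcast echo requests, and hosts receiving replies from many sources."""
    land, broadcast_echo = [], []
    repliers = defaultdict(set)   # destination of echo replies -> set of hosts replying
    for pkt in packets:
        if is_land(pkt):
            land.append(pkt)
        if is_broadcast_echo_request(pkt):
            broadcast_echo.append(pkt)
        if pkt["proto"] == "icmp" and pkt["type"] == "echo-reply":
            repliers[pkt["dst"]].add(pkt["src"])
    # a host being answered by many of our machines at once is the likely spoofed victim
    victims = {dst: len(srcs) for dst, srcs in repliers.items() if len(srcs) >= REFLECTION_THRESHOLD}
    return {"land": land, "broadcast_echo": broadcast_echo, "reflection_victims": victims}


def sample_packets() -> List[dict]:
    """Constructed packet summaries: ordinary traffic, one land packet, one smurf burst."""
    pkts = [
        {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "tcp", "type": "syn"},
        {"src": "192.0.2.20", "dst": "192.0.2.10", "proto": "icmp", "type": "echo-request"},
        {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "icmp", "type": "echo-reply"},
        # land: source and destination forged to be the same host
        {"src": "192.0.2.30", "dst": "192.0.2.30", "proto": "tcp", "type": "syn"},
        # smurf: echo request to the broadcast address carrying the victim's address as source
        {"src": "198.51.100.9", "dst": "192.0.2.255", "proto": "icmp", "type": "echo-request"},
    ]
    for host in range(40, 52):   # twelve local hosts answer the broadcast
        pkts.append({"src": f"192.0.2.{host}", "dst": "198.51.100.9",
                     "proto": "icmp", "type": "echo-reply"})
    return pkts


if __name__ == "__main__":
    report = analyze(sample_packets())
    print("land packets:        ", len(report["land"]))
    print("broadcast echo reqs: ", len(report["broadcast_echo"]))
    print("reflection victims:  ", report["reflection_victims"])
```

The first two checks are cheap enough to enforce as drop rules at the network edge (the "network filtering that limits broadcast traffic" the article mentions); the reply count is the view from the reflector's side and tells you that your own hosts are being used against someone else.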
