Denial-of-service (DoS) attacks are reported to incident response teams more than any other type of attack. Misconceptions about denial-of-service attacks abound, however. One widely held misconception is that denial-of-service attacks invariably crash applications or hosts. Although the majority of reported DoS attacks do indeed cause applications or hosts to crash, a DoS attack can also cause a system or function to slow down or not run properly. A poorly written CGI program, for example, can crash a web server through a buffer overflow or other condition, but it can also cause CPU overutilization, making the victim host unresponsive.
Several types of DoS attacks are now almost legendary because they have occurred so many times:
- SYN flooding. In a SYN flooding attack, a hostile host sends a flood of SYN packets to a victim host. SYN packets are sent by a host that wants to start a TCP connection with another host (which we will also call the "receiving host"). The receiving host monitors the status of the connection attempt as well as the connection itself, if a connection is established. Monitoring the status requires resources. When a connection is closed, the resources used to monitor it are no longer needed. As more connections occur, more resources are allocated to monitor the state of the connections. Under normal conditions, with a normal number of connections in place, the receiving host has more than enough resources to monitor all the connections to it.
  But what if a flood of SYN packets is sent, and the receiving host gets no subsequent packets of the kind that normally complete the connection? Simply put, the receiving host runs out of resources, which makes the victim host unresponsive in the case of moderate resource exhaustion or causes it to crash in the case of more severe resource exhaustion. Because SYN flooding attacks are easy to initiate, they occur frequently. Fortunately, most operating system vendors have addressed the problem by having the operating system drop partially open connections.
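The resource exhaustion described above, and the vendor fix of dropping partially open connections, can be modelled in a few lines. This is an added example, not code from the original text: it simulates a receiving host's half-open connection table with an illustrative capacity and timeout (assumed values), first on a stack that never ages out stale entries and then on one that does.

```python
# Constructed model of the half-open ("SYN received") table a receiving host keeps
# for each connection attempt it is tracking. Capacity and timeout are illustrative.
BACKLOG_CAPACITY = 8       # connection attempts the host can afford to track
SYN_RECV_TIMEOUT = 3.0     # seconds a partially open connection may wait for its ACK


class HalfOpenTable:
    """Tracks attempts that sent a SYN but have not completed the three-way handshake."""
    def __init__(self, capacity=BACKLOG_CAPACITY, timeout=SYN_RECV_TIMEOUT, age_out=True):
        self.capacity = capacity
        self.timeout = timeout
        self.age_out = age_out   # False models a stack that never drops stale entries
        self.entries = {}        # (src_ip, src_port) -> arrival time of the SYN
        self.refused = 0         # SYNs that could not be tracked (resources exhausted)

    def _expire(self, now):
        # The vendor fix the text describes: drop partially open connections that
        # have waited longer than the timeout without finishing the handshake.
        if not self.age_out:
            return
        for key, started in list(self.entries.items()):
            if now - started > self.timeout:
                del self.entries[key]

    def on_syn(self, src_ip, src_port, now):
        """Returns True if the SYN could be tracked, False if the table is full."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip, src_port):
        """Final handshake packet arrived: the attempt leaves the half-open table."""
        return self.entries.pop((src_ip, src_port), None) is not None


def simulate_flood(age_out, flood_syns=20):
    """A burst of SYNs that are never followed up, then a legitimate client 5 s later.
    Returns (legitimate_client_accepted, half_open_entries_left)."""
    table = HalfOpenTable(age_out=age_out)
    for i in range(flood_syns):
        # constructed attacker sources; none of them ever completes the handshake
        table.on_syn("198.51.100.%d" % (i + 1), 40000 + i, i * 0.01)
    accepted = table.on_syn("192.0.2.10", 51000, 5.0)
    if accepted:
        table.on_ack("192.0.2.10", 51000)
    return accepted, len(table.entries)
```

Without ageing, the eight slots stay occupied by attempts that will never complete and the legitimate client is refused; with ageing, the stale entries are gone by the time the client arrives.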
- Teardrop attack. A teardrop attack is another type of DoS attack. The IP protocol is a robust protocol designed to deal with a wide range of devices, systems, and types of networking. If a system is going to send packets that are, say, 1 kilobyte (1,024 bytes) in size, network devices such as routers might not be able to handle packets that are this large. They might instead be able to handle packets that are only half this size. In this case, IP automatically divides the original packet into smaller parts that are able to make their way through network devices that cannot handle larger packets, a process called fragmentation.
  When the fragmented packets arrive at the receiving host, this host reassembles them into the packet that the sending host originally created. Fragmenting packets is useful because it provides a practical and reasonably efficient way to transport data across a network while still preserving the accuracy of the data. An attacker can abuse the fragmentation process, however, by causing the receiving host to receive values in packets that it is not programmed to process. In a teardrop attack, one packet fragment is placed within another so that when the receiving host receives this set of packet fragments, the resulting values (in terms of offsets) are out of range. The receiving machine goes out of control and crashes.
  There are many variations of the classic teardrop attack as well as many other types of packet fragmentation attacks. An attacker can, for example, write a program that divides packets into fragments in a manner that causes subsequent packets to overwrite portions of the initial fragment.
- Smurf attack. Still another kind of denial-of-service attack is a smurf attack. In this kind of attack, a target host is victimized when an attacker falsifies ("spoofs") the origination, or source, address of packets so that it is the target host's address. The attacker (or, more properly, a program that runs on behalf of the attacker) releases a flood of ping packets, or ICMP echo requests, destined for all the hosts on the local network. This is accomplished by using the broadcast address as the destination. The broadcast address of a network is a particular IP address used for sending packets to every host within the local network.
  When the ping or ICMP echo request packets reach the broadcast address, they are also sent to the other hosts. Those hosts respond by replying to the source address, which is the address of the targeted host. The flood of replies can have several effects; the most likely is that the target host crashes or, failing that, slows to a crawl because it has to process such a barrage of packets. Most operating system vendors have developed patches that correct this problem, although network filtering that limits broadcast traffic is another viable solution.
  Ping, the "packet Internet groper," is a protocol designed to determine whether or not a host is alive on the network (that is, whether it is running and responsive). Ping transmits a group of characters, usually a reasonably small group (typically fewer than 100 bytes), and then waits for the host that has been pinged to respond. One of the primary uses of ping is determining whether a particular host has crashed.
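The two defensive measures the smurf discussion points at, filtering broadcast ping traffic at the network border and recognising a host that is being buried under replies, look like this in practice. This is an added example, not code from the original text; the local networks, the border policy, and the ICMP log lines are all constructed for the illustration.

```python
import ipaddress

# Constructed local networks that the border router or firewall serves.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def border_policy(src, dst, proto, icmp_type=None, from_outside=True):
    """Forwarding decision for one packet at the network border.
    Returns (forward, reason). Assumed policy for the example:
      1. echo requests addressed to a local broadcast address are dropped, which
         denies the one-request-many-replies amplification a smurf attack needs;
      2. packets arriving from outside with a source inside a local network are
         dropped, since such a source must be spoofed."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    is_echo_req = proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST
    if is_echo_req and dst_ip == LIMITED_BROADCAST:
        return False, "echo request to limited broadcast"
    for net in LOCAL_NETWORKS:
        if is_echo_req and dst_ip == net.broadcast_address:
            return False, "echo request to broadcast address of %s" % net
        if from_outside and src_ip in net:
            return False, "external packet with spoofed local source %s" % src_ip
    return True, "forward"


def flag_reply_floods(records, threshold):
    """records: constructed (timestamp_sec, src, dst, icmp_type) rows from an ICMP log.
    Returns the destinations that received echo replies from more than `threshold`
    distinct sources within one second: a host answered by a whole subnet at once
    is the likely smurf victim, even though it never sent a request."""
    seen = {}
    for ts, src, dst, icmp_type in records:
        if icmp_type == ICMP_ECHO_REPLY:
            seen.setdefault((int(ts), dst), set()).add(src)
    return {dst for (_, dst), srcs in seen.items() if len(srcs) > threshold}


# Constructed log: twelve hosts of 192.0.2.0/24 answer within one second, all to
# 203.0.113.9, plus one ordinary reply to a different host.
REPLY_LOG = [(10.0 + i * 0.05, "192.0.2.%d" % (i + 1), "203.0.113.9", ICMP_ECHO_REPLY)
             for i in range(12)] + [(10.3, "192.0.2.50", "203.0.113.77", ICMP_ECHO_REPLY)]
```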
- Ping-of-death attack. Still another classic type of DoS attack is the ping-of-death attack. This attack creates a buffer overflow condition, which results when too little memory is available for the incoming data to be processed. Exactly how a buffer overflow condition is handled depends on a number of factors, but one possible outcome is memory exhaustion that causes an application or system to crash.
  The trick to a successful ping-of-death attack is to send ping packets that exceed the maximum packet size, namely 64 KB in TCP/IP. The receiving host might not be programmed to reject the oversized packets and might consequently go into a buffer overflow condition. This problem has mainly (but not exclusively) affected Microsoft operating system products, most of which crash with the notorious blue screen of death (BSOD). Fortunately, patches that fix this problem are now routinely available and are usually incorporated into operating system products that were vulnerable only a few years ago.
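Both the teardrop attack and the ping of death are failures of the receiving host to validate fragments before reassembling them, so one checker serves both. This is an added example, not code from the original text: it applies the sanity rules a hardened reassembly path enforces (offsets in 8-byte units, no overlap between fragments, no reassembled size beyond the 64 KB limit) to constructed fragment sets; the minimal 20-byte header is an assumption.

```python
IP_MAX_DATAGRAM = 65535                             # largest IPv4 total-length value
IP_HEADER_LEN = 20                                  # assumed: minimal header, no options
IP_MAX_PAYLOAD = IP_MAX_DATAGRAM - IP_HEADER_LEN    # 65515 bytes of reassembled payload


def check_fragments(fragments):
    """fragments: list of (offset_units, payload_len, more_fragments) in arrival
    order, offsets in 8-byte units as carried on the wire.
    Returns (True, "ok") for a consistent set, otherwise (False, reason)."""
    accepted = []            # byte ranges [start, end) already accepted
    total_len = None         # set by the fragment with more_fragments == False
    for offset_units, payload_len, more in fragments:
        start = offset_units * 8
        end = start + payload_len
        if more and payload_len % 8:
            return False, "non-final fragment length is not a multiple of 8"
        if end > IP_MAX_PAYLOAD:
            # ping of death: fragments that would reassemble past the 64 KB limit
            return False, "reassembled datagram would exceed %d bytes" % IP_MAX_DATAGRAM
        for a_start, a_end in accepted:
            if start < a_end and a_start < end:
                # teardrop and its variants: a fragment placed inside or across another
                return False, "fragment %d-%d overlaps accepted %d-%d" % (start, end, a_start, a_end)
        if not more:
            if total_len is not None:
                return False, "more than one final fragment"
            total_len = end
        accepted.append((start, end))
    if total_len is not None and any(e > total_len for _, e in accepted):
        return False, "a fragment extends beyond the final fragment"
    return True, "ok"


# Constructed fragment sets, as a receiver would see them.
SAMPLES = {
    # 3,480-byte payload split for a 1,500-byte MTU: 1480 + 1480 + 520 payload bytes
    "normal": [(0, 1480, True), (185, 1480, True), (370, 520, False)],
    # teardrop shape: the second fragment starts and ends inside the first
    "teardrop": [(0, 32, True), (3, 4, False)],
    # ping-of-death shape: a last fragment at offset 65512 pushes the total past 65535
    "ping_of_death": [(0, 1480, True), (8189, 500, False)],
}
```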
- Land attack. A land attack capitalizes on the fact that the properties of packets usually adhere to certain constraints. Normally, for example, SYN packets do not have the same source and destination IP addresses, nor are the source and destination ports the same. If an attacker sends SYN packets with these or other anomalous characteristics in a land attack, the receiving host might go into some kind of abnormal state, causing it to crash.
- WinNuke attack. A WinNuke attack capitalizes on a weakness in the TCP/IP implementation of certain versions of Windows NT. In this attack, a perpetrator sends out-of-range input (that is, input with parameters outside the range the receiving host expects) to a victim host through a connection established on TCP port 139. Massive over-allocation of CPU in dealing with this abnormal condition causes the victim host to crash. The problem, which is fixed in Windows NT 4.0 Service Pack 3 and higher, is due to a failure to check whether input is within the expected range.
- Distributed denial-of-service (DDoS) attacks. Although similar in many respects to conventional denial-of-service attacks, DDoS attacks differ primarily in that they require taking over hosts that are then assigned various roles in the impending DDoS attack(s) through the installation of special, malicious software. Note also, however, that DDoS attacks can be initiated from one's own systems, too. DDoS attacks involve master, handler, and zombie hosts:
  - Zombies are the agents that actually release the flood of packets that brings down hosts and also brings the network to a standstill. Zombies do not act on their own, however; they release a packet flood only if instructed to do so by another host, namely a handler (see next bullet).
  - Handlers are really nothing more than intermediate machines that neither initiate an attack nor release the packets that flood the victim network. They instead perform tasks such as confirming that agent software has been installed on hosts (zombies) throughout the network and that it is ready to work. Handlers thus query the zombies at designated intervals. Handlers also receive the signal to initiate a DDoS attack from the master, another host that is typically not placed within the network in which the DDoS attack is to occur. The handler in turn sends a signal to the zombies to release a barrage of packets.
  - The third accomplice in a DDoS attack is the master. The master is the host that is usually directly under the attacker's control. It is used to direct any handlers to send the zombies the command to release a flood of packets.
  DDoS attacks in 1999 and 2000 caused major financial loss and/or disruption for a number of institutions, including the University of Minnesota, ZDnet, eBay, E-Trust, Amazon.com, and others. The major threat is a prolonged outage, although the cost of investigating hosts for evidence of compromise by DDoS tools and restoring the integrity of these systems can also be very high. Many types of DDoS attack tools have been identified. One, Shaft, even builds in its own detection mechanisms, enabling it to avoid being detected by intrusion-detection programs. Additional DDoS tools that have been identified include Trin00, Tribe Flood Network (TFN), TFN2K, Slice3, Stacheldraht, and others.