Denial of service is the category of attacks that cause a loss of service, or an inability to function. They come in many forms and strike many different targets. The results can last for minutes, hours, or days and can impact network performance, data integrity, and system operation. The first DoS attack of significance was the Morris Worm, estimated to have taken some 5,000 machines out of commission for several hours. At the time (November 1988), it was a disaster for academic and research centers but had little impact on the rest of the world. Today, comparable DoS attacks, such as those against Yahoo!, Amazon, and other major Web sites (February 2000), have resulted in millions of dollars in lost business and revenue.

The frequency of denial of service attacks is increasing at an alarming rate, due in part to the prevalence of tools written for this purpose. The complexity of the attacks is also being taken to new levels, which makes stringent security practices and new protection mechanisms a necessity. Many denial of service tools are written as proof-of-concept code to demonstrate insecurities within common operating systems, such as Windows, Linux, Solaris, and the BSD-derived UNIXes. The Morris Worm itself was an experiment in distributed computing, albeit a rather forceful one. Poor development practices and a failure to introduce security early into new applications and operating systems cause many of these exploitable problems to exist. The growing complexity of network design and organization pushes the limits of current technology and exacerbates new vulnerabilities.

The presence of denial of service is a double-edged sword. On one hand, it is unfortunate that conditions exist to allow denial of service techniques to proliferate. On the other, its presence is part of the technology evolution that produces more secure products and applications.
The standard for security has risen greatly, and this is apparent in the reaction to denial of service attacks. Only recently are we seeing legislation that deals with this form of attack. It is no longer considered a silly prank when revenue is lost in our Internet-driven economy.

How Denial of Service Works

Denial of service attacks are generally brought on by exploiting programming flaws in software and by writing specialized programs whose purpose is to perform attacks. Denial of service attacks generally work in one of the following ways:

· Bandwidth consumption
· Resource saturation
· System and application crash

Bandwidth consumption is an attack against network resources and refers to the complete use of available network bandwidth by an attacking computer or computers. This makes network response slow or stops the server completely while the attack is ongoing, and causes an inability to reach services such as Web sites, email, and files. Resource saturation targets specific computer systems that provide services such as Web, email, DNS, and FTP and causes them to slow or halt. System and application crashes result in denial of service when the particular system or software freezes or crashes.

Bandwidth Consumption

Each network can support only a finite amount of network traffic at one time, and this amount depends on a few factors: network speed, equipment types, and their performance. Common communication links from an ISP to an organization are ISDN, DSL, broadband (using cable modems), T1, and T3. These link types also reflect different bandwidth capabilities. Common Local Area Network (LAN) topologies use 10BASE-T and 100BASE-T. Denial of service by bandwidth consumption occurs when the entire capacity of the network link is used. When the network bandwidth capacity is reached, new network data cannot be sent.
This means new connections to the Internet, file servers, Web servers, email servers, or any other function that requires network communication will not work. Connections that are already established will slow to a crawl, freeze, or be disconnected. Attacks against bandwidth can occur via specialized attack programs and through misconfiguration of network equipment. Misconfiguration of network equipment includes any device that connects to the network, such as computer systems, routers, switches, and other devices. Bandwidth attacks are active; the denial of service occurs only as long as the bandwidth is fully used. As soon as the attacking program stops sending data or the device is configured properly, bandwidth again becomes available. Most network functionality will return to normal, except for a few connections that might need restarting.

Common attacks include protocol-based exploits that consume network bandwidth by sending crafted network data. The access device, such as a router, can fail as it becomes inundated with more traffic than it can process. Another form of bandwidth attack relies on the reaction of network-connected systems and devices to specific network data. Many or all of the computers on the target network can be made to respond simultaneously to network traffic such as IP broadcasts (IP packets that are sent to the broadcast address of a network instead of to a specific machine), thereby consuming all of the available bandwidth. The "Smurf" attack is one popular example of this form of attack.

Resource Saturation

Like a network, each computer system also has a finite set of resources, including memory, storage, and processor capacity. Resource saturation is the event of using up all of one or more of these resources, which leaves none for other applications. The SYN flood is a popular example of an attack that uses all the available networking resources on a system.
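Before going further into resource saturation, here is a small detection and mitigation sketch for the bandwidth-consumption case just described, the Smurf amplification pattern. It is an added example, not code from the original text: it reads constructed one-line packet summaries (not a real capture), flags ICMP echo requests aimed at a directed broadcast address of our own networks, counts the echo replies the spoofed "source" (the real victim) receives back, and shows the router-side rule that stops the amplification. `LOCAL_NETS`, the sample addresses and the summary line format are all assumptions of the example.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries ("src > dst proto type"), not a real capture.
# 203.0.113.7 is the spoofed source (the real victim); 192.168.1.255 is the
# directed broadcast address of a network whose hosts all answer the ping.
SAMPLE_PACKETS = """\
203.0.113.7 > 192.168.1.255 icmp echo-request
203.0.113.7 > 192.168.1.255 icmp echo-request
203.0.113.7 > 192.168.1.255 icmp echo-request
192.168.1.10 > 203.0.113.7 icmp echo-reply
192.168.1.11 > 203.0.113.7 icmp echo-reply
192.168.1.12 > 203.0.113.7 icmp echo-reply
192.168.1.13 > 203.0.113.7 icmp echo-reply
192.168.1.14 > 203.0.113.7 icmp echo-reply
192.168.1.15 > 203.0.113.7 icmp echo-reply
10.0.0.3 > 10.0.0.9 icmp echo-request
10.0.0.9 > 10.0.0.3 icmp echo-reply
"""

# Networks this sensor or router is responsible for (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/24")]


def parse_packet(line):
    """Turn 'src > dst proto type' into a dict; None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != ">":
        return None
    try:
        return {"src": ipaddress.ip_address(parts[0]), "dst": ipaddress.ip_address(parts[2]),
                "proto": parts[3], "type": parts[4]}
    except ValueError:
        return None


def is_directed_broadcast(addr):
    """True when addr is the broadcast address of one of our networks."""
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def find_smurf_victims(text, min_requests=2):
    """Group echo requests sent to a directed broadcast address by claimed source,
    then count the echo replies that source was sent back. A source that is not
    on our networks yet pings our broadcast address is almost certainly spoofed,
    and the reply count is the amplification the spoofed host suffers."""
    packets = [p for p in (parse_packet(l) for l in text.splitlines()) if p]
    requests, replies = Counter(), Counter()
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["type"] == "echo-request" and is_directed_broadcast(p["dst"]):
            requests[(p["src"], p["dst"])] += 1
        elif p["type"] == "echo-reply":
            replies[p["dst"]] += 1
    findings = []
    for (victim, bcast), n in requests.items():
        if n < min_requests:
            continue
        findings.append({"victim": str(victim), "broadcast": str(bcast),
                         "requests": n, "replies": replies[victim],
                         "amplification": replies[victim] / n})
    return findings


def router_should_forward(line):
    """Mitigation at the access router: never forward a packet addressed to the
    directed broadcast address of a network behind us, so outside hosts cannot
    make every machine on that network answer at once."""
    p = parse_packet(line)
    return p is not None and not is_directed_broadcast(p["dst"])


if __name__ == "__main__":
    for f in find_smurf_victims(SAMPLE_PACKETS):
        print(f"{f['victim']} amplified via {f['broadcast']}: "
              f"{f['requests']} requests -> {f['replies']} replies (x{f['amplification']:.1f})")
    lines = SAMPLE_PACKETS.splitlines()
    print(f"router would forward {sum(router_should_forward(l) for l in lines)} of {len(lines)} packets")
```

The constructed sample keeps the amplification at six replies per three requests so the arithmetic is visible; on a real /24 every responding host multiplies each forged request, which is why the two controls are applied together: the border router drops directed broadcasts, and hosts are configured not to answer echo requests sent to a broadcast address.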
Each operating system that supports TCP/IP network connectivity has limitations on the number of connections that can be maintained at one time. The SYN flood exploits the three-way handshake of a TCP connection. The SYN flood succeeds by creating "half-open" connections on the port on the target server. Half-open connections are those in which the three-way handshake is not completed. Normally, the handshake completes, or times out, causing the connection to be deleted. Each port can only support a finite number of half-open connections, and when this number is exceeded, no other new connections can be made. By sending only the first packet of the TCP handshake with invalid or spoofed source addresses, the attacker makes the server respond to each SYN packet with an acknowledgement (the SYN-ACK). Because this acknowledgement goes to a falsified address, the response to it never arrives. This causes a backlog of half-open connections that are waiting to complete, disallowing new connections from being accepted.

The Web server is a good sample target for a denial of service attack, although any network service can be targeted. As we have all probably experienced, a busy Web server tends to respond more slowly to our requests. A bit of knowledge about TCP/IP and the Hypertext Transfer Protocol (HTTP) is needed to understand how these attacks work. A single HTTP request and connection are made when the browser connects to the Web server. This request asks the server for a particular file; the server then sends the file, and the connection is closed. Under these circumstances, a Web server can handle a large number of requests because the requests usually take a very short time to complete, and they arrive one after another. As the server receives more simultaneous requests, the application becomes loaded as it processes all of these connections at the same time. Even with this slowdown, the Web server can still function.
In order to cause the Web server to stop functioning, the attacker needs to increase the time needed to handle these connections or to increase the processing power needed to handle each one. A SYN flood against a Web server makes the server unable to accept new connections by exceeding the maximum number of half-open connections for the port it uses. The SYN flood is difficult to defend against. If the attacker forges packets to look as if they are coming from an unreachable system, the server has no way of knowing that they are not typical traffic. The server then responds as it would to any other connection and waits for a timeout to occur before it realizes it should close the connection. As outlined in the SYN flood description above, the denial of service occurs when the Web server receives a large number of these forged packets, so many that it cannot handle any more new connections and is stuck waiting for these falsified connections to time out before it can continue processing. Similar attacks are the ICMP and UDP floods, which use other protocols to achieve the same effect.

Another example of resource saturation can occur with the use of external programs such as Common Gateway Interface (CGI) programs with the Web server. Programs that store data in files on the Web server can be exploited to fill the hard disk on the server. The server operating system uses files for much of its normal functionality, and, when the disk is full, it can often fail to function. Similarly, applications that allocate a lot of memory or require a lot of processing power for complex computations can be exploited to use all of those resources, preventing new processes and applications from functioning. These attacks are not exploitable only via the Web server; any access to the system might allow an attack to succeed. The email bomb is a good example of this.
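To make the half-open backlog mechanism concrete, here is an added simulation (not code from the original text) of one listening port. It models the bounded queue of half-open connections with a timeout, floods it with SYNs from constructed spoofed sources whose SYN-ACKs are never answered, and then checks whether a legitimate client can still complete its handshake, both immediately and once the forged entries have timed out. The same model is then run with SYN cookies, the stateless defence in which the server encodes the handshake in its initial sequence number instead of keeping a backlog entry. The backlog size, timeout, addresses and the HMAC-based cookie construction are assumptions of the example, and the ACK is simplified to echo the ISN rather than ISN+1.

```python
import hashlib
import hmac


class Listener:
    """Constructed model of one listening TCP port: a bounded queue of half-open
    connections (the SYN backlog), with an optional stateless SYN-cookie mode."""

    def __init__(self, backlog=5, syn_timeout=30.0, syn_cookies=False):
        self.backlog = backlog          # half-open connections the port will hold
        self.syn_timeout = syn_timeout  # seconds before an unanswered SYN-ACK is given up on
        self.syn_cookies = syn_cookies
        self.half_open = {}             # (src, sport) -> time the entry expires
        self.established = set()
        self.dropped_syns = 0
        self._secret = b"constructed-demo-secret"  # assumption: a per-host random secret

    def _cookie(self, src, sport, minute):
        # Encode handshake state in the ISN instead of in memory: whoever returns
        # this value in their ACK proves the SYN-ACK really reached their address.
        msg = f"{src}:{sport}:{minute}".encode()
        return int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:4], "big")

    def expire(self, now):
        """Drop half-open entries whose timeout has passed, freeing backlog slots."""
        for key, deadline in list(self.half_open.items()):
            if deadline <= now:
                del self.half_open[key]

    def on_syn(self, src, sport, now):
        """Return the ISN sent in the SYN-ACK, or None when the SYN had to be dropped."""
        self.expire(now)
        if self.syn_cookies:
            return self._cookie(src, sport, int(now // 60))   # nothing stored server-side
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None                                        # backlog full: no SYN-ACK
        self.half_open[(src, sport)] = now + self.syn_timeout
        return 0                                               # placeholder ISN for the model

    def on_ack(self, src, sport, acked_isn, now):
        """Final ACK of the handshake; True when the connection becomes established."""
        if self.syn_cookies:
            minute = int(now // 60)   # accept this minute's cookie and the previous one
            if acked_isn in (self._cookie(src, sport, minute), self._cookie(src, sport, minute - 1)):
                self.established.add((src, sport))
                return True
            return False
        if self.half_open.pop((src, sport), None) is None:
            return False                                       # no half-open entry to complete
        self.established.add((src, sport))
        return True


def simulate(syn_cookies, flood_size=20):
    """Flood the port with SYNs from spoofed, unreachable sources (their SYN-ACKs are
    never answered), then see whether a legitimate client can still connect."""
    srv = Listener(backlog=5, syn_timeout=30.0, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn(f"198.51.100.{i}", 40000 + i, now=0.0)   # constructed spoofed sources
    half_open_during_flood = len(srv.half_open)

    isn = srv.on_syn("192.0.2.10", 50000, now=1.0)          # legitimate client, during the flood
    connected_now = isn is not None and srv.on_ack("192.0.2.10", 50000, isn, now=1.1)

    isn = srv.on_syn("192.0.2.10", 50001, now=31.0)         # same client, after the timeout
    connected_later = isn is not None and srv.on_ack("192.0.2.10", 50001, isn, now=31.1)

    return {"half_open_during_flood": half_open_during_flood,
            "dropped_syns": srv.dropped_syns,
            "legit_connected_during_flood": connected_now,
            "legit_connected_after_timeout": connected_later}


if __name__ == "__main__":
    print("plain backlog:", simulate(syn_cookies=False))
    print("SYN cookies  :", simulate(syn_cookies=True))
```

With the plain backlog, five forged SYNs fill the port, the remaining fifteen and the legitimate client's SYN are dropped, and service only returns after the 30-second timeout; this is the "stuck waiting for falsified connections to time out" state described above. With SYN cookies the server stores nothing per SYN, so the forged packets cost it only the SYN-ACK it sends, and the legitimate client connects at once.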
System and Application Crash

System and application crashes are fast and easy approaches to denial of service, wherein a programming flaw is exploitable and causes the application or operating system to crash. A well-known example of these crashes is the "Ping of Death" attack, which uses oversized ICMP echo requests. The target machine would crash due to improperly implemented handling of this network data. These attacks are also commonly directed against network access devices such as IP routers, cable routers, managed Ethernet switches, VPNs, and other application-specific devices. These devices often support some form of management interface, including a Command Line Interface (CLI) and a Web management interface. Through various methods, including a large number of simultaneous connections, buffer overflows in user input routines, and improper data validation, these devices have been made to crash. A denial of service attack on an access device has a wider influence than an attack on a single machine because these devices are typically gateways to multiple networks. Many of these attacks can be prevented by safe configuration of the network device. This includes changing factory-set default passwords and configuring the device to allow management from only a select group of machines.