In denial-of-service attacks, or DoS attacks, attackers attempt to prevent legitimate users of a service from using it by flooding the network with traffic or disrupting connections. The attacker may target a particular server application (HTTP, FTP, ICMP, TCP, etc.) or the network as a whole.
There may also be an effort to interrupt the connection between two machines, preventing or disturbing access to a particular system or individual. Improper use of resources may also create a DoS. For example, an intruder may use an unidentified FTP area to store large amounts of data, using disk space and producing network traffic problems.
In such an attack, a user or organization is deprived of the services of a resource that they would normally expect to have. In general, for certain network services, failure might mean the loss of a service such as e-mail or a Web server. DoS attacks are a kind of security breach that does not generally result in the theft of information or in any other type of security loss, but these attacks can harm the target in terms of time and resources.
Indications of a DoS/DDoS Attack
Indications of a DoS/DDoS attack are as follows:
Unusual slowdown of network services: Most low- and medium-risk DoS attacks only slow down network services. They do not completely prevent access; they just make it more difficult.
Unavailability of a particular Web site: When a DoS attack occurs against a poorly protected system or network server for any site, it can make the site impossible to reach.
Dramatic increase in the volume of spam: Spam e-mails are sometimes used to generate huge amounts of bogus traffic over the network, causing a DoS.
Nuke attack: Repeatedly sending fragmented or invalid ICMP packets to the target computer
Reflected attack: Sending false requests to a large number of computers, which respond to those requests
Ping of Death Attack
In the ping of death attack, an attacker deliberately sends an ICMP (Internet Control Message Protocol) echo packet of more than 65,536 bytes, the largest size acceptable by the IP protocol. Fragmentation is one of the features of TCP/IP, requiring that a large IP packet be broken down into smaller segments. Many operating systems do not know what to do when they receive an oversized packet, so they freeze, crash, or reboot.
Ping of death attacks are dangerous since the identity of the attacker sending the huge packet could simply be spoofed. Also, the attacker does not have to know anything about the target except its IP address. Several Web sites block ICMP ping messages at their firewalls to avoid this type of DoS attack.
A Teardrop attack occurs when an attacker sends fragments with overlapping values in their offset fields, which then cause the target system to crash when it attempts to reassemble the data. It affects systems that run Windows NT 4.0, Windows 95, and Linux up to 2.0.32, causing them to hang, crash, or reboot.
TCP/IP will always fragment a packet that is too large into smaller packets, no larger than 64 kilobytes. The fragment packets identify an offset from the beginning of the original packet that enables the entire original packet to be reassembled by the receiving system. In the Teardrop attack, the attacker manipulates the offset value of the second or latter fragments to overlap with a previous fragment. Since older operating systems are not equipped for this situation, it can cause them to crash.
Syn Flooding Attack
SYN flooding occurs when the intruder sends SYN packets (requests) to the host system faster than the system can handle them. A connection is established through a TCP three-way handshake, in which the following occurs:
Host A sends a SYN request to Host B.
Host B receives the SYN request and replies to the request with a SYN-ACK to Host A.
Host A receives the SYN-ACK and responds with an ACK packet, establishing the connection.
When Host B receives the SYN request from Host A, it makes use of the partially open connections that are available on the listed line for at least 75 seconds.
The intruder transmits large numbers of such SYN requests, producing a TCP SYN flooding attack. This attack works by filling the table reserved for half-open TCP connections in the operating system's TCP/IP stack.
When the table becomes full, new connections cannot be opened until some entries are removed from the table due to a handshake timeout. This attack can be carried out using fake IP addresses, making it difficult to trace the source. The table of connections can be filled without spoofing the source IP address. Normally, the space existing for fixed tables, such as a half-open TCP connection table, is less than the total.
In a LAND attack, an attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports to a host computer. The IP address used is the host's IP address. For this to work, the victim's network must be unprotected against packets coming from outside with their own IP addresses. When the target machine receives the packet, the machine considers that it is sending the message to itself, and that may cause the machine to crash.
The symptoms of a LAND attack depend upon the operating system running on the targeted machine. On a Windows NT machine, this attack just slows the machine down for 60 seconds, while Windows 95 or 98 machines may crash or lock up. UNIX machines also crash or hang and require a reboot.
Because LAND uses spoofed packets to attack, only blocking spoofed packets can prevent it. Still, with current IP technology, it is not possible to completely filter spoofed packets.
The smurf attack, named after the program used to carry it out, is a network-level attack against hosts. The attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses using a spoofed source address matching that of the victim. Smurf attacks generate a large number of echo responses from a single request, which results in a huge network traffic jam, causing the network to crash. If the routing device delivering traffic to those broadcast addresses accepts the IP broadcast, hosts on that IP network will take the ICMP echo request and reply to each echo, exponentially increasing the replies.
On a multiaccess broadcast network, there could potentially be hundreds of machines replying to each packet, ensuring that the spoofed host may no longer be able to receive or distinguish real traffic.
The fraggle attack is a UDP variant of the Smurf attack. In Fraggle attacks, an attacker sends a large number of UDP ping packets, instead of ICMP echo reply packets, to a list of IP addresses using a spoofed IP address.
All of the addressed hosts then send an ICMP echo reply, which may crash the targeted system. Fraggle attacks target networks where UDP ports are open and allow unrestricted UDP traffic to bypass firewalls. Fraggle is considered a medium-risk attack and can be easily carried out by slightly tweaking Smurf code.
Fraggle attacks affect network management consoles by bypassing the installed firewall by having the internal system try to respond to external echo requests. These attacks prevent the network from receiving UDP traffic. A network administrator may not be able to distinguish between an inner system fault and an attack, due to missing syslog messages or SNMP trap alerts.
In a Snork attack, a UDP packet sent by an attacker consumes 100% of CPU usage on a remote Windows NT machine. If there are several Snork-infected NT systems in a network, they can send echoes to each other, generating enough network traffic to consume all available bandwidth.
Windows NT 4.0 workstations and servers with service packs up to and including SP4 RC 1.99 are vulnerable to Snork attacks. Network administrators can easily detect these attacks by adding a filter in their firewalls with the following specifications:
Source Address: Any
Source Port: 135 (additional rules for ports 7 and 19, if desired)
Destination Address: Any
Destination Port: 135
The OOB attack exploits a bug in Microsoft's implementation of its IP stack, causing a Windows system to crash. Windows NT (server and workstation versions up through 4.0), Windows 95, and Windows for Workgroups 3.11 platforms are the most vulnerable to these kinds of attacks.
RPC port 135, also known as the NetBIOS Session Service port, is the most susceptible port for these kinds of attacks. When a Windows system receives a data packet with an URGENT flag on, it assumes that the packet will have data with it, but in OOB attacks a virus file has an URGENT flag with no data.
The best way to prevent such attacks is to configure firewalls and routers so that they allow only trusted hosts to get in, and in some cases NetBIOS Session Service ports can be blocked altogether to secure systems.
Buffer Overflow Attack
A buffer overflow attack is a type of attack that sends excessive data to an application that either brings down the application or forces the data being sent to the application to be run on the host system. This can allow the attacker to run malicious code on the target system. Sending e-mail messages that have 256-character file names is one common way to cause a buffer overflow.
There are two types of buffer overflow attacks: heap based and stack based. In a heap-based buffer overflow attack, memory space that is reserved for a program is filled with useless data and can allow malicious code to overflow and be written into adjacent memory space. In a stack-based buffer overflow attack, the program stores the user's input in a memory object together with local variables on the program's stack. This causes the return address to be overwritten and redirects the flow to allow a malicious user to execute arbitrary code.
In a nuke attack, the attacker repeatedly sends fragmented or invalid ICMP packets to the target computer using a ping utility. This significantly slows the target computer.
A reflected attack involves sending huge amounts of SYN packets, spoofed with the victim's IP address, to a large number of computers that then respond to those requests. Requested computers reply to the IP address of the target's system, which results in flooding.