Before you start
Objectives: Familiarize yourself with some common types of DoS attacks and some general ways to deal with them.
Prerequisites: no prerequisites.
Key terms: attack, packet, system, type, victim, dos, server, syn, network, traffic, denial, icmp, service
What is Denial of Service (DoS)
Denial of Service is a network attack that overloads a system so that the services it provides are no longer available. In that way, it prevents devices from operating and performing their regular activity. A DoS attack can exploit some weakness in the software, or it can simply flood the communication channels, which prevents legitimate traffic from getting through. For example, we may have a server that provides a specific network service, such as a website. An attacker can simply overload our server with so many requests that other, valid requests are unable to get through.
We could be the direct victim of a DoS attack, but we could also be an unwilling accomplice in a DoS attack if our system is infected with some type of DoS attack software. In that case our computer attacks some other system on the network and we won't even know it.
Besides malicious tools, a DoS attack can even be performed with legitimate network troubleshooting, examination and monitoring tools.
There are actually three primary types of DoS attacks. The first type is the plain or regular DoS, which occurs between a single attacker and a single victim. The second type is the Distributed Denial of Service (DDoS), in which the attacker compromises other systems by planting zombie and daemon software. That software can then be accessed remotely and used to attack other systems. In that way the magnitude of the attack is increased. This type of attack also hides the real attacker from the victim, since the traffic doesn't come from the actual attacker. The third type is called the Distributed Reflective Denial of Service (DRDoS). In this type the attacker uses some kind of amplification network to flood the victim with huge amounts of traffic.
Denial of Service (DoS)
In a plain DoS attack we have one attacker and one victim. In this type of attack the attacker sends some kind of transmission that causes problems on the victim's system, and this problem prevents legitimate actions from being performed. The other method is for the attacker to send a lot of data in a short time, so that the victim's system can't respond to legitimate traffic. So, in this type of attack we are usually talking about one attacker and one target system.
Distributed Denial of Service (DDoS)
In a DDoS attack the attacker first infiltrates multiple other systems. This is done by using some kind of tool which acts as an agent that can be controlled by the attacker. Once the attacker triggers all those agents, the victim receives traffic from all of them, which causes the denial of service. Also, in this case the identity of the attacker is hidden from the victim because none of the packets actually originate from the attacker's computer.
Distributed Reflective Denial of Service (DRDoS)
In this type of attack the attacker uses an amplification network to attack the victim. The attacker sends data to a separate network. Instead of carrying the attacker's own source address as the address the data came from, that data carries the source address of the target. The data requires a response from the server, so the server, instead of responding back to the attacker, responds back to the target. Because the data is reflected back to a different target, it is called a distributed reflective attack. An example of this type of attack is the Smurf attack.
In a Smurf attack the attacker sends out an Internet Control Message Protocol (ICMP) packet to the amplification network. The ICMP packet includes a source and a destination address. In a Smurf attack the source address is altered (spoofed) to the victim's address. That altered packet is then directed to the amplification network, which contains multiple devices that will all receive the altered ICMP packet. Each device that receives the altered packet responds to the source address in the packet, which is actually the victim's address. The result is that the victim is flooded with unwanted echo packets from the amplification network.
For this reason many devices block the use of ICMP packets. Note that blocking all ICMP packets prevents Smurf attacks, but it also prevents any legitimate use of ICMP.
Another example of a DRDoS attack is called Fraggle. The Fraggle attack works in a similar way to the Smurf attack, but instead of ICMP packets, Fraggle uses User Datagram Protocol (UDP) packets directed to port 7 (echo) and port 19 (chargen, character generation). UDP is one of the transport protocols in the TCP/IP suite. Again, we have an altered UDP packet which carries the address of the victim system and which is sent to the amplification network.
Ping floods also use ICMP packets, and a lot of them. In this type of attack a huge number of ping packets is sent to the victim, which causes problems on the victim's system.
The Ping of Death attack, also known as the Long ICMP attack, consists of one large ICMP packet sent directly to the victim. The ICMP packet is larger than 65536 bytes, and this causes the victim's system to crash.
The SYN flood attack exploits the three-way handshake process of TCP/IP, which is used on the Internet. Before two devices can communicate on the Internet, they first have to establish a session. Those two devices will typically be a server and a client. The client first sends a SYN packet to the server to try to establish the connection. The server then responds with a synchronize acknowledgment packet, or SYN ACK packet, which tells the client that the server is ready for communication. The next step is for the client to send an ACK packet back to the server, and that final step creates the communication session between the server and the client. In a SYN flood attack the client is actually an attacker which sends many SYN packets to the server and never acknowledges that it received the SYN ACK packet from the server. For every SYN packet from the client, the server sends back a SYN ACK packet, but the client never performs the third step, in which it needs to send the final ACK packet back to the server to finish the three-way handshake. This causes the server to keep the sessions open, waiting for the ACK packet, and in that way consumes all the server's resources. Eventually our server stops responding to legitimate traffic.
The LAND attack is a type of SYN attack which also exploits the three-way handshake process. In this type of attack the initial SYN packet has altered source and destination addresses, both faked as the victim's address. This causes the victim's system to respond to the SYN packet by sending a reply to itself, which creates a loop. The loop causes instability on the victim's system as it tries to respond to its own packet.
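The SYN flood, LAND and Smurf/Fraggle reflection patterns described above each leave a recognizable trace in traffic records. The following Python is an added example, not part of the original page: it runs three simple detectors over a constructed list of packet records (source, destination, protocol, flag); the addresses, thresholds and record format are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet records for illustration (not a real capture):
# (src, dst, proto, flag) with proto "tcp" or "icmp" and flag one of
# "SYN", "ACK" (the handshake-completing ACK), "ECHO_REQ", "ECHO_REP".
SAMPLE = (
    # 40 SYNs from 40 different sources to one server, none completed
    [("203.0.113.%d" % i, "198.51.100.10", "tcp", "SYN") for i in range(1, 41)]
    # one normal client that completes its handshake
    + [("192.0.2.5", "198.51.100.10", "tcp", "SYN"),
       ("192.0.2.5", "198.51.100.10", "tcp", "ACK")]
    # 30 echo replies from an amplification network to a host that sent no request
    + [("198.51.100.%d" % i, "192.0.2.7", "icmp", "ECHO_REP") for i in range(20, 50)]
    # one SYN whose source address equals its destination address
    + [("192.0.2.9", "192.0.2.9", "tcp", "SYN")]
)


def detect_syn_flood(packets, min_syn=20, max_completion=0.2):
    """Return destinations that receive many SYNs of which only a small
    fraction are followed by the ACK that completes the handshake."""
    syn, ack = Counter(), Counter()
    for src, dst, proto, flag in packets:
        if proto == "tcp" and flag == "SYN":
            syn[dst] += 1
        elif proto == "tcp" and flag == "ACK":
            ack[dst] += 1
    return sorted(d for d, n in syn.items()
                  if n >= min_syn and ack[d] / n <= max_completion)


def detect_reflection(packets, min_sources=10):
    """Return hosts flooded with ICMP echo replies from many distinct
    sources although they sent no echo requests (Smurf-style reflection)."""
    asked = {src for src, _, proto, flag in packets
             if proto == "icmp" and flag == "ECHO_REQ"}
    replies = defaultdict(set)
    for src, dst, proto, flag in packets:
        if proto == "icmp" and flag == "ECHO_REP":
            replies[dst].add(src)
    return sorted(d for d, srcs in replies.items()
                  if len(srcs) >= min_sources and d not in asked)


def detect_land(packets):
    """Return addresses that receive a SYN whose source equals the destination."""
    return sorted({dst for src, dst, proto, flag in packets
                   if proto == "tcp" and flag == "SYN" and src == dst})
```

On the constructed sample the three detectors flag 198.51.100.10 (SYN flood), 192.0.2.7 (reflection) and 192.0.2.9 (LAND) respectively; a host that actually sent echo requests is not reported by the reflection check.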
The TearDrop attack transmits lots of fragmented UDP packets to the victim's system. This causes the victim's system to wait for the rest of each packet, which never arrives. Waiting for the incomplete communication eventually consumes all of the victim's resources, which leaves the system unable to respond to legitimate traffic. If the sent UDP fragments have overlapping offsets, the packet rebuilt by the victim's system will be invalid, which can then cause the system to crash.
DNS poisoning is simply submitting false DNS entries to the DNS server. When someone tries to resolve a domain name to an IP address, they will get invalid information from the poisoned DNS server. So, the final result is the redirection of traffic to incorrect sites.
To keep DoS attacks to a minimum we should always keep our software and our system updated. Many DoS attacks exploit known flaws in system software. However, since DoS attacks are not always caused by software deficiencies, there are some other measures that we should take as well. We can use firewall features such as filtering rules to allow or deny specific types of traffic. To reduce the effects of DoS attacks we can disable broadcast features on devices such as routers. We can minimize ICMP traffic or even leave it out of our network completely. We can implement network-based intrusion detection software to detect attacks as they take place. To test the connectivity to specific ports on our systems, we can run a network mapping tool (ping scanner). When we notice an attack in progress, we may contact our ISP to block that traffic closer to its source.