What is a Denial of Service (DoS) attack?

The term DoS has sprung to life lately around the "Technology" news feeds, and I thought it would be a good time to write about what a DoS attack really is and how it is able to compromise a system.

A denial of service (DoS) attack is an explicit attempt to make a computer or network resource unavailable to its intended users. There are two broad types of DoS attack: computer attacks, usually carried out by injecting computer viruses into the target, and network attacks, carried out by flooding the network with useless traffic.

Although the term DoS is also used in the context of CPU resource management, perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. Whereas a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately large peer-to-peer attack, a site could be hit with up to 750,000 connections in short order, and the targeted web server is choked by the incoming connections.

The following is a brief outline of the common forms of DoS attacks:

Ping of Death

Ping is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer. The Ping of Death attack is caused by an attacker deliberately sending a ping packet that is larger than the maximum IPv4 packet size of 65,535 bytes (a normal ping carries only a 32-byte payload), thus crashing the target computer. Sending a packet of this size violates the Internet Protocol, but a ping of such size can still be sent if it is fragmented: when the target computer reassembles the fragments, a buffer overflow occurs, which often causes the system to crash. This exploit has been known to affect all operating systems, but fixes in the late 1990s have made this type of attack mostly historical.

Ping Flood

A Ping Flood is caused by an attacker overwhelming the victim's network with ICMP echo request (ping) packets. This is a fairly easy attack to perform without extensive network knowledge, as many ping utilities support this operation. A flood of ping traffic can consume significant bandwidth on low- to mid-speed networks, bringing the network down to a crawl.

Smurf Attack

A Smurf Attack floods a target by sending repeated ping requests as spoofed broadcast ping messages. The perpetrator sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of it carrying the spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses forwards the IP broadcast to all hosts, most hosts on that IP network will accept the ICMP echo request and answer it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.
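The following detector, an added example that is not part of the original post, applies the Ping Flood and Smurf descriptions above to constructed ICMP packet records. It assumes the records are (time, src, dst, icmp_type) tuples, that the monitored LANs are /24 networks (so a directed-broadcast address ends in .255), and a threshold of 100 echo requests per second per source; all of these are assumptions.

```python
from collections import defaultdict, deque
import ipaddress

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def is_directed_broadcast(dst: str, prefix: int = 24) -> bool:
    """True if dst is the broadcast address of its /prefix network (assumed /24)."""
    net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def analyse_icmp(packets, rate_threshold=100, window_s=1.0, prefix=24):
    """Return (flooders, smurf_victims).

    flooders: sources sending more than rate_threshold echo requests in any
              window_s sliding window (Ping Flood indicator).
    smurf_victims: source addresses seen on echo requests aimed at a directed
              broadcast address; in a Smurf attack that source is the spoofed
              victim, and the fix is to drop such requests at the router.
    """
    flooders, smurf_victims = set(), set()
    recent = defaultdict(deque)  # per-source timestamps inside the window
    for t, src, dst, icmp_type in sorted(packets):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue  # replies and other ICMP types are not counted
        if is_directed_broadcast(dst, prefix):
            smurf_victims.add(src)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) > rate_threshold:
            flooders.add(src)
    return flooders, smurf_victims


# Constructed sample: 150 echo requests in 0.75 s from one source (flood),
# five slow legitimate pings, three spoofed requests to a broadcast address
# (smurf) and a few echo replies that must be ignored.
SAMPLE_PACKETS = (
    [(0.005 * i, "203.0.113.9", "192.0.2.10", ICMP_ECHO_REQUEST) for i in range(150)]
    + [(1.0 * i, "198.51.100.4", "192.0.2.10", ICMP_ECHO_REQUEST) for i in range(5)]
    + [(0.3 * i, "192.0.2.10", "198.51.100.255", ICMP_ECHO_REQUEST) for i in range(3)]
    + [(0.3 * i + 0.01, "198.51.100.17", "192.0.2.10", ICMP_ECHO_REPLY) for i in range(3)]
)
```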

SYN Floods

When establishing a Transmission Control Protocol (TCP) session between a client and a server, a handshake message exchange occurs between the two. The session setup packet has the SYN flag set and carries the initial sequence number for the exchange. An attacker may send a flood of connection requests and never respond to the server's replies, which leaves half-open entries sitting in the server's connection backlog so that legitimate connection requests cannot be accommodated.
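To make the half-open backlog concrete, here is an added example (not from the original post) that counts stale half-open connections from constructed handshake events as a server would see them. It assumes events are (time, src_ip, src_port, flag) tuples, a 10 s handshake timeout and a per-source threshold of 100; those values are assumptions.

```python
from collections import Counter

SYN, ACK = "SYN", "ACK"   # client SYN received / client's final ACK received


def find_half_open(events, now, timeout_s=10.0, threshold=100):
    """Return (total_half_open, suspects).

    A SYN opens a pending entry keyed by (src_ip, src_port); the matching
    ACK closes it. Entries older than timeout_s at time `now` are stale
    half-open connections, the resource a SYN flood tries to exhaust.
    suspects maps src_ip -> stale count for sources at or above threshold.
    Real floods usually spoof random sources, so the total matters more
    than any single source; SYN cookies are the usual server-side fix.
    """
    pending = {}
    for t, src_ip, src_port, flag in sorted(events, key=lambda e: e[0]):
        key = (src_ip, src_port)
        if flag == SYN:
            pending.setdefault(key, t)
        elif flag == ACK:
            pending.pop(key, None)
    stale = Counter(ip for (ip, _), t in pending.items() if now - t >= timeout_s)
    suspects = {ip: n for ip, n in stale.items() if n >= threshold}
    return sum(stale.values()), suspects


# Constructed sample: 300 SYNs from one address that are never acknowledged,
# plus five legitimate handshakes that complete within 50 ms.
SAMPLE_EVENTS = (
    [(0.01 * i, "203.0.113.7", 40000 + i, SYN) for i in range(300)]
    + [(1.0 * i, "198.51.100.20", 50000 + i, SYN) for i in range(5)]
    + [(1.0 * i + 0.05, "198.51.100.20", 50000 + i, ACK) for i in range(5)]
)
```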

Teardrop Attack

A Teardrop Attack exploits the network by sending IP fragment packets that are difficult to reassemble. Each fragment carries an offset that the receiving system uses to place the fragment's data when reassembling the entire packet. In the teardrop attack, the attacker sets overlapping or otherwise confusing offset values in subsequent fragments, and if the receiving system does not know how to handle such a situation, it may crash.
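The Ping of Death and Teardrop sections above both come down to fragment reassembly trusting the sender. This added example (not part of the original post) is a validator a receiving stack or IDS could run on a complete fragment set before reassembling it; the Fragment record type, the assumption of a 20-byte IPv4 header without options, and the sample fragment sets are constructed for the example.

```python
from typing import List, NamedTuple, Tuple

IPV4_MAX_LEN = 65535  # largest datagram the IPv4 total-length field can describe
IPV4_HDR_LEN = 20     # minimal IPv4 header, no options (assumed)


class Fragment(NamedTuple):
    offset: int  # byte offset of this fragment's payload in the original datagram
    length: int  # payload bytes carried by this fragment
    more: bool   # the "More Fragments" flag


def check_fragments(fragments: List[Fragment]) -> Tuple[bool, str]:
    """Validate a fragment set before reassembly; returns (ok, reason).
    Rejects Ping-of-Death datagrams (reassembled size over 65,535 bytes) and
    Teardrop-style fragments whose offset overlaps data already covered."""
    if not fragments:
        return False, "no fragments"
    frags = sorted(fragments, key=lambda f: f.offset)
    next_expected = 0  # first byte not yet covered by an earlier fragment
    for i, f in enumerate(frags):
        last = i == len(frags) - 1
        # RFC 791: offsets are in 8-byte units; all but the last fragment
        # must carry a multiple of 8 payload bytes.
        if f.length <= 0 or f.offset % 8 or (not last and f.length % 8):
            return False, f"malformed fragment at offset {f.offset}"
        if f.offset < next_expected:
            return False, f"overlap at {f.offset}, covered to {next_expected} (Teardrop)"
        if f.offset > next_expected:
            return False, f"gap between {next_expected} and {f.offset}"
        total = IPV4_HDR_LEN + f.offset + f.length
        if total > IPV4_MAX_LEN:
            return False, f"oversized: reassembled datagram {total} bytes (Ping of Death)"
        if f.more == last:  # non-last needs MF set, last needs it clear
            return False, "More-Fragments flag inconsistent with fragment order"
        next_expected = f.offset + f.length
    return True, "ok"


# Constructed fragment sets (offset, payload length, More-Fragments flag).
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(1480, 64000, True), Fragment(65480, 100, False)]
TEARDROP = [Fragment(0, 40, True), Fragment(24, 32, False)]  # second fragment overlaps the first
```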

Mail Bomb

Unauthorized users send a large number of email messages with large attachments to a particular mail server, filling up its disk space and denying email service to other users.

Peer-to-Peer Attack

Attackers have found ways to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks differ from regular botnet-based attacks: there is no botnet, and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's network instead. As a result, several thousand computers may aggressively try to connect to a target network.

Distributed Denial of Service (DDoS) attack

A DDoS (Distributed Denial of Service) attack is a tactic used to attack a victim from multiple compromised computers. Attackers usually install viruses and trojans on compromised systems and then use those systems to flood a victim's network with more traffic than the victim's server can handle.

A DDoS involves three parties: an offender, helpers, and a victim. The offender plots the attack, while the helpers are the machines the offender has compromised in order to launch attacks against the victim (the target). The offender commands the helpers to attack the victim's host at precisely the same time. Because of this coordination between the offender and the helpers, a DDoS is also known as a coordinated attack.

DoS and DDoS attacks are made possible by vulnerable software running on your server(s). Attackers use known application vulnerabilities and security holes to compromise servers on different networks, either installing viruses and trojan horses (intrusion) or using the compromised machines to initiate DDoS attacks.
