One of the most widely deployed types of attack is the Denial of Service (DoS) attack. The purpose of the attack is not to steal or destroy information; it aims at making the target system unavailable to its authorised users. Attacking an Internet server with a DoS attack may cause the server software to crash. As a consequence, the local network may be left unprotected against further attacks. The attacks are based on some of the pitfalls that the TCP/IP protocol and some of its implementations possess when handling incoming data. It is not in the scope of this post to describe all available Denial of Service attacks. These are numerous and vary depending on the operating system and/or software used. Some attacks are based solely on flaws discovered in specific applications (e.g. Apache, Windows, BIND). This post describes only the attacks that take place remotely. Cases where the attacker already has an account on the system (or can gain one) are not few. In those cases attackers usually run applications on the target that force the server machine to crash by exhausting its resources (file space and/or memory).
SYN Flooding Attack
The TCP protocol uses three synchronisation messages (the process is called the handshake) to establish a session between a client and a server:
- Step 1: Client: message A
- Step 2: Server: message B, ACK(message A)
- Step 3: Client: message C, ACK(message B)
- Step 4: Client: Data…
In this attack, the adversary establishes numerous half-open sessions with the server. The term half-open means that the attacker starts many different connections but stops the handshake process at step 2: the server is left waiting for the client's final acknowledgement (step 3). By opening a lot of (possibly hundreds of) such connections, the number of connections the server can still accept is reduced and finally reaches zero. Thus authorised users are not able to establish a connection with the attacked server.
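A SYN flood is visible from the server's own socket table as a pile-up of half-open (SYN-RECV) sockets, the state reached after step 2 above. The following is an added detection example, not code from the original post; the socket-table lines are constructed in the column layout of `ss -tan` and the thresholds are illustrative.

```python
"""Added example: count half-open TCP sockets per peer from `ss -tan` style
output and raise the two signals a SYN-flood alert needs: total backlog
pressure (spoofed floods spread over many peers) and single noisy peers."""
from collections import Counter

# Constructed sample in the column layout of `ss -tan`, not a real capture.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:80         198.51.100.4:51022
SYN-RECV  0      0      10.0.0.5:80         203.0.113.7:41234
SYN-RECV  0      0      10.0.0.5:80         203.0.113.7:41235
SYN-RECV  0      0      10.0.0.5:80         203.0.113.7:41236
SYN-RECV  0      0      10.0.0.5:80         203.0.113.8:3301
ESTAB     0      0      10.0.0.5:443        198.51.100.9:60001
"""


def half_open_by_peer(ss_output: str) -> Counter:
    """Count SYN-RECV sockets per peer IP address (port stripped)."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]    # drop ':port', IPv6-safe
        counts[peer_ip] += 1
    return counts


def syn_flood_suspects(ss_output: str, per_peer_threshold: int = 3,
                       total_threshold: int = 100) -> dict:
    """Summarise half-open state; thresholds are illustrative, not tuned."""
    counts = half_open_by_peer(ss_output)
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "backlog_pressure": total >= total_threshold,
        "peers": {ip: n for ip, n in counts.items()
                  if n >= per_peer_threshold},
    }


if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_SS_OUTPUT))
```

On Linux the standard mitigation once the backlog fills is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer step 2 without keeping per-connection state.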
Ping O’ Death
The attack is based on an implementation vulnerability of the TCP/IP stack that older operating systems possess. The maximum packet size that the TCP/IP protocol can handle is 65,535 bytes. Most older operating systems allocated a memory buffer of that size for TCP/IP use. It has been shown that when somebody sends a packet greater than that size (e.g. 65,600 bytes), the operating system cannot handle it and, as a result, the system crashes. This attack is called the Ping of Death because its first implementations used the ICMP echo request (ping) to send packets over 65,535 bytes to a targeted host. The theory behind the attack is enough to show that it can be performed not only with the ping request but with almost any UDP or TCP connection.
Domain Name Server DoS
Domain Name Servers are used to help clients resolve names from given IP addresses. When a client wants to resolve a DNS address, it sends the IP address of the needed host(s) and the DNS server returns the domain name of that host. The attack starts with the attacker spoofing the targeted host's IP address (spoofing is the technique of replacing the attacker's IP address with one that belongs to a legitimate host). Then he/she uses the spoofed IP to perform a lot (hundreds or even more) of small queries to different DNS servers. All the DNS servers return the results of the attacker's queries (which are much bigger in size than the original query) to the targeted host. As a result the target host becomes congested and finally crashes.
Smurf Attack
Another attack in the DoS family is the smurf attack. In this attack, the adversary first spoofs the IP address of the target system. The spoofed address is then used to send multiple ICMP echo requests to broadcast addresses on large networks. Every host listening on the broadcast address replies to the attacker's message. When the replies to the echo request (possibly thousands) return to the target system, the latter becomes unstable and finally crashes.
The Land Attack
Belonging to the category of the DoS attacks, the land attack has been widely used. The attacker can send packets to any open port that the target machine has. The packets have the SYN flag set and have the same source and destination address as the target, as well as the same source and destination ports. The target machine is confused and tries to open connections with itself. As a result the target machine crashes.
UDP Port DoS
The User Datagram Protocol can also be used to mount a DoS attack. Some of the services offered over UDP (e.g. the echo and chargen services) produce a high volume of output. When computers are connected through these services, the output can affect the performance of the network between them. The attack is carried out either by persuading the target host to open a connection between two of its own UDP ports or by persuading two or more hosts on the target network to start a conversation using these UDP ports.
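The smurf, land and UDP port attacks above all rely on packets whose headers are implausible on a sane network, so a border filter can drop them on inspection alone. The following is an added example of such a check, not code from the original post; the packet dictionaries are constructed test input and the local subnet 192.0.2.0/24 is an assumed configuration value.

```python
"""Added example: per-packet header sanity check for the land, smurf
(directed-broadcast echo request) and UDP echo/chargen loop patterns."""
import ipaddress
from typing import Optional

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local subnet
ICMP_ECHO_REQUEST = 8
LOOPING_UDP_SERVICES = {7, 19}                     # echo and chargen


def classify(pkt: dict) -> Optional[str]:
    """Return the attack pattern a packet matches, or None if it looks sane.

    pkt keys: proto ('tcp'|'udp'|'icmp'), src, dst; tcp/udp also carry
    sport/dport (and 'syn' for tcp); icmp carries 'type'."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    proto = pkt["proto"]
    # Land: SYN whose source equals its destination in both address and port.
    if (proto == "tcp" and pkt.get("syn") and src == dst
            and pkt["sport"] == pkt["dport"]):
        return "land"
    # Smurf: echo request to our directed-broadcast address; every host
    # would answer the (spoofed) source, so refuse to act as amplifier.
    if (proto == "icmp" and pkt["type"] == ICMP_ECHO_REQUEST
            and dst == LOCAL_NET.broadcast_address):
        return "smurf"
    # UDP loop: echo/chargen talking to echo/chargen (same host or two
    # hosts) never terminates on its own.
    if (proto == "udp" and pkt["sport"] in LOOPING_UDP_SERVICES
            and pkt["dport"] in LOOPING_UDP_SERVICES):
        return "udp-loop"
    return None


# Constructed packets, not captures.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
     "sport": 139, "dport": 139, "syn": True},
    {"proto": "icmp", "src": "198.51.100.1", "dst": "192.0.2.255", "type": 8},
    {"proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.11",
     "sport": 19, "dport": 7},
    {"proto": "tcp", "src": "198.51.100.1", "dst": "192.0.2.10",
     "sport": 40000, "dport": 80, "syn": True},
]


def verdicts(packets):
    """Classify a list of packets in order."""
    return [classify(p) for p in packets]
```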
Overlapping Fragments DoS
The TCP/IP protocol includes the option to fragment large packets into smaller ones. This allows routers to split a packet into smaller pieces in order to respect the MTU (maximum transmission unit) of each network. Attackers can abuse this to perform a DoS attack. Old implementations of the TCP/IP stack could not correctly handle malformed fragments: when two fragments overlap, the receiver tries to reassemble them and finally crashes. A number of tools exist that use this attack, such as Teardrop and Bonk.
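Both the Ping of Death above and the overlapping-fragment attacks here are defeated by two checks a reassembler must make before it copies a single byte: the reassembled datagram must fit in the 16-bit IP length field, and no fragment may overlap one already accepted. The following is an added example of those checks, not code from the original post; fragments are modelled as (offset in 8-byte units, more-fragments flag, payload length), the 20-byte header is an assumption (no IP options), and the inputs are constructed.

```python
"""Added example: fragment sanity checks against oversize (Ping of Death)
and overlapping (Teardrop-style) IP fragments."""
IP_MAX_TOTAL_LEN = 65535                            # 16-bit total length
IP_HEADER_LEN = 20                                  # assumed: no options
MAX_PAYLOAD_END = IP_MAX_TOTAL_LEN - IP_HEADER_LEN  # 65515 bytes of data


def check_fragments(frags):
    """Return 'ok', 'oversize' or 'overlap' for one datagram's fragments.

    Each fragment is (offset_units, more_fragments, payload_len) and is
    checked as it arrives, before any reassembly buffer is touched."""
    accepted = []                       # (start, end) byte ranges so far
    for offset_units, _more, length in frags:
        start = offset_units * 8
        end = start + length
        # Ping of Death: end of this fragment lies past the largest
        # datagram the length field can describe.
        if end > MAX_PAYLOAD_END:
            return "oversize"
        # Teardrop family: any byte already covered by an earlier fragment.
        for a_start, a_end in accepted:
            if start < a_end and a_start < end:
                return "overlap"
        accepted.append((start, end))
    return "ok"


# Constructed fragment lists, not captures.
NORMAL_FRAGS = [(0, True, 1480), (185, True, 1480), (370, False, 100)]
# Last fragment ends at 65480 + 120 = 65600 bytes, as in the 65,600-byte
# packet mentioned above.
POD_FRAGS = [(0, True, 1480), (8185, False, 120)]
# Second fragment (bytes 24..28) sits entirely inside the first (0..36).
TEARDROP_FRAGS = [(0, True, 36), (3, False, 4)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_FRAGS), ("ping-of-death", POD_FRAGS),
                        ("teardrop", TEARDROP_FRAGS)):
        print(name, check_fragments(frags))
```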
Distributed Denial Of Service
The distributed nature of the Internet has opened the potential for new ways of amplifying the effectiveness of a DoS attack. The Distributed DoS (DDoS) attack is based on the idea that, instead of performing the attack from one host, the adversary performs it by coordinating a number of hosts. The hosts are distributed around the Internet and usually belong to unaware users. They are programmed to attack a specific system with either the same or similar attacks. The attack is still performed even if some of the Internet links are not working. The attacker uses one host to coordinate the attack. DDoS tools are organised into two parts, the clients and the servers (sometimes called zombies). The attacker uses known vulnerabilities to break into unprotected Internet systems and install these tools. The attacker instructs the clients and the clients transmit the attacker's commands to the different zombies around the world. The zombies are then capable of performing a number of different DoS attacks against a specified target. This attack is almost "perfect". The zombies, the clients and the attacker use different Internet protocols to exchange information. Some of the DDoS tools that exist today are so powerful that they allow an attacker to perform additional processes such as IP spoofing and even command the zombies to self-destruct. The attack is amplified thousands or even millions of times depending on the number of zombies used. One of the strong points of this attack is that it is difficult to trace back to the adversary. Botnets can be used (i.e. rented) today to deploy massive DDoS attacks. Currently there are a number of tools used to deploy distributed denial of service attacks that can be downloaded freely from the Internet. The best known and most widely used are:
- Tribal Flood Network.
- TFN2K.
- Trin00.
- Stacheldraht.