Denial Of Service Attacks

Lyle YapDiangco

COEN 150 Project

Prof. Holliday


Denial-of-service (DOS) attacks are huge problems for users, computers, and networks alike. By examining the many methods of attack, such as attacking network connectivity, using your own resources against you, bandwidth consumption, and the consumption of other resources, users can identify what kind of DOS attack they are dealing with. Furthermore, there are three different degrees of attack that users have to face: regular DOS, distributed DOS, and distributed reflection DOS, with each degree increasing in size, strength, and speed of the damage inflicted. With all these methods and degrees of DOS attacks, users must have some way of protecting their computers and networks. Fortunately, CERT provides users with countermeasures to some, if not most, DOS attacks. Nevertheless, as systems become more complicated and the Internet continues growing, DOS attacks will increase in frequency and in strength. Meanwhile, while some continue to battle these attacks, a lot of people do not take them seriously. That might change, since some DOS attacks have the potential to endanger lives in addition to damaging computers and networks. Therefore, DOS attacks are not to be taken lightly: they are dangerous, and they attack our computers, networks, and trust.


Imagine having a job that requires an access card to use the computers, but one day your access card does not work for some reason. Did someone or something deactivate your account or, even worse, steal it? After wasting a whole day of work trying to solve the problem, you realize someone has tampered with the access codes, since your coworkers are also denied access to the computers. As a result, the company loses a great deal of time, money, and production trying to solve the problem, in addition to finding other ways to gain access to the computers. This form of attack is called a denial-of-service (DOS) attack, which is an intruder’s attempt to prevent legitimate users of a service from using that service [1]. In this case, the employees are denied work while the company is denied production, and neither side can survive without the other.
In general, DOS attacks are usually created intentionally and are often malicious. First, they can flood the network, which prevents legitimate network traffic. Second, they can disrupt services to a specific system or person and prevent legitimate users from accessing a service. Last, DOS attacks can disrupt the connection between two machines. Consequently, these attacks can disable your computer or your network, and if launched on a larger scale, the damage increases tremendously [1]. Hence, as the Internet grows, the problem of DOS attacks grows larger because they affect more people.

A lot of people, including myself, have not realized how damaging DOS attacks can be until we experience them directly or indirectly. In my case, I am currently dealing with a DOS attack where I cannot use the services of Yahoo, MSN, or Google. Therefore, this serves as a motivation to research, learn, and protect against DOS attacks, in addition to letting others know these attacks are not to be taken lightly. However, this project is not a solution to DOS attacks, as time and resources are limited, but rather a guide to the major issues of classifying, preventing, and responding to them. But before going into detail about DOS attacks, one must know how Transmission Control Protocol (TCP) connections work, since they are essential for two computers to connect to each other over the Internet.

TCP Connection

Without going into much detail, for two computers to establish a connection with each other, typically three Internet packets must be sent between the TCP client (web browser, ftp client, etc.) and the TCP server; this exchange is known as the TCP Three-Way Handshake. In the diagram below, the TCP client starts the connection by sending a SYN packet to the TCP server. The SYN packet contains the IP address of the machine that originated the packet and the IP address of the machine that will receive the packet. After receiving the SYN packet, the server sends an acknowledgement (ACK) that it has received the packet and also sends its own SYN to establish a connection going the other way; both are carried in one SYN/ACK packet. If the client receives the SYN/ACK packet, it replies with an ACK of its own. Once the server receives the ACK from the client, both sides have a two-way TCP connection where data can flow freely back and forth between the client and the server. However, during a DOS attack, and in particular a SYN attack, this connection is never established, and the attack can also cause the server to crash [2]. This specific attack is explained in further detail in the next section.

Methods of DOS attacks

According to CERT (Computer Emergency Response Team), there are three basic types of attacks. The first type is the consumption of scarce, limited, or non-renewable resources; the second is the destruction or alteration of configuration information; and the third is the physical destruction or alteration of network components [1].
Consumption of Scarce Resources

Out of the three types of DOS attacks, this one is the most common and most frustrating attack against computers and networks, because computers and networks rely heavily on network bandwidth, memory, disk space, CPU time, data structures, and access to other computers and networks. Environmental factors also count as resources, including power, cool air, and even water. If any of these things operate in the wrong way or do not operate at all, computers and networks cannot function correctly, making life difficult for everyone [1].

One form of this attack is an attack on network connectivity. Basically, an intruder attempts to prevent hosts or networks from communicating on the network. A SYN attack, which directly attacks TCP connections, is an example of this. In a SYN attack, an intruder spoofs the source IP return address (where the packet claims to have originated) when sending the SYN packet to the server. The server receives the spoofed SYN packet and automatically responds with a SYN/ACK packet to a random IP address, as shown in the diagram below [2]. Since the packet is sent to a random IP address, the server never receives an ACK from the client. After a while, it resends the SYN/ACK packet, believing its first packet was lost. While that continues, the intruder can keep sending spoofed packets, flooding the server’s buffer with “half-open” connections. Consequently, valid connections might eventually fail, since the server is busy accommodating the spoofed connection requests [2].
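The handshake and the half-open backlog described above can be modeled in a few dozen lines. The following is an added illustration written for this paper, not code from the paper or from CERT: an in-memory TCP server that keeps state for every half-open connection, a batch of forged SYNs whose claimed source never answers, and honest clients that complete the handshake. The `syn_cookies` mode is an assumption standing in for the kind of patch the countermeasures section recommends: it derives the server's initial sequence number from the client's address and a secret, so the server keeps no state until the ACK proves the SYN/ACK reached its claimed source. No sockets are opened, and retransmission timers are left out.

```python
"""In-memory model of the TCP three-way handshake and of what spoofed SYNs do to a
server that keeps state for every half-open connection. Added illustration for this
paper, not the author's code: no sockets are opened, timers and retransmission are
left out, and the syn_cookies mode is a simplified version of the stateless
SYN-cookie mitigation, included here as an assumption about one possible patch."""
from dataclasses import dataclass, field
import hashlib
import hmac
import itertools


@dataclass
class HandshakeServer:
    backlog_limit: int               # half-open connections the server will hold state for
    syn_cookies: bool = False        # mitigation mode: keep no state until the ACK arrives
    half_open: dict = field(default_factory=dict)   # (client_ip, client_seq) -> server ISN
    established: list = field(default_factory=list)
    secret: bytes = b"constructed-demo-secret"      # constructed; a real server rotates this
    isn_counter: itertools.count = field(default_factory=lambda: itertools.count(1000))

    def _cookie(self, client_ip, client_seq):
        # SYN-cookie idea: derive the server's ISN from the client's tuple and a secret,
        # so a correct ACK proves the SYN/ACK reached the claimed source address.
        msg = f"{client_ip}:{client_seq}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client_ip, client_seq):
        """Step 1: a SYN arrives. Returns the SYN/ACK to send back, or None when the
        SYN had to be dropped because the half-open backlog is full."""
        if self.syn_cookies:
            server_isn = self._cookie(client_ip, client_seq)
        else:
            if len(self.half_open) >= self.backlog_limit:
                return None
            server_isn = next(self.isn_counter)
            self.half_open[(client_ip, client_seq)] = server_isn   # state held until the ACK
        return {"to": client_ip, "flags": "SYN/ACK", "seq": server_isn, "ack": client_seq + 1}

    def on_ack(self, client_ip, client_seq, ack):
        """Step 3: the client's ACK arrives. Returns True when the connection is
        established, False when the ACK matches nothing the server expects."""
        key = (client_ip, client_seq)
        if self.syn_cookies:
            expected = self._cookie(client_ip, client_seq) + 1
        else:
            if key not in self.half_open:
                return False
            expected = self.half_open[key] + 1
        if ack != expected:
            return False
        self.half_open.pop(key, None)            # half-open entry becomes a real connection
        self.established.append(client_ip)
        return True


def simulate(spoofed_syns, honest_clients, backlog_limit, syn_cookies=False):
    """Send `spoofed_syns` SYNs whose forged source never answers the SYN/ACK, then let
    `honest_clients` attempt a full handshake. Returns how many honest clients connected."""
    server = HandshakeServer(backlog_limit=backlog_limit, syn_cookies=syn_cookies)
    for i in range(spoofed_syns):
        # Forged source (constructed address): the SYN/ACK goes to a host that never sent
        # a SYN, so no ACK ever comes back and the entry stays half-open.
        server.on_syn(f"10.0.{i // 250}.{i % 250 + 1}", client_seq=i)
    connected = 0
    for i in range(honest_clients):
        ip, seq = f"192.0.2.{i + 1}", 5000 + i
        synack = server.on_syn(ip, seq)
        if synack is None:
            continue                             # SYN dropped: the client sees no reply
        if server.on_ack(ip, seq, synack["seq"] + 1):
            connected += 1
    return connected


if __name__ == "__main__":
    print("no flood:         ", simulate(0, 5, backlog_limit=128))
    print("flood, stateful:  ", simulate(300, 5, backlog_limit=128))
    print("flood, syn cookies:", simulate(300, 5, backlog_limit=128, syn_cookies=True))
```

With a backlog of 128 entries, 300 forged SYNs leave no room and every honest client is turned away; in the stateless mode the same flood costs the server nothing but the SYN/ACK replies, and honest clients still connect. The model exaggerates the real situation in one respect: a real stack ages half-open entries out after the SYN/ACK retransmissions the paper mentions, so the flood has to be sustained rather than sent once.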

Another form of this attack is an intruder using your own resources against you. An intruder can use forged UDP packets to connect a host’s chargen service to an echo service on another machine. This congests the network and eventually denies service to all hosts on the same network, since these two machines consume all available network bandwidth exchanging the forged UDP packets. A third form of this attack is bandwidth consumption, where an intruder consumes all of the network’s bandwidth by generating a large number of packets directed at your network [1].

The last form of this attack is the consumption of other resources that computers need in order to operate. Intruders can target the data structures that hold process information and fill them up by running programs or scripts that do nothing but create copies of themselves. Other ways for intruders to consume disk space are placing files in anonymous ftp areas or network shares, generating intentional errors that must be logged, and generating excessive numbers of mail messages. In general, if there is no limit on the amount of data that can be written, anything that allows data to be written to disk can be used for a DOS attack. Last, unexpected data sent over the network can also cause the system to crash or become unstable [1].
Destruction or Alteration of Configuration Information

The second type of DOS attack is just as damaging as the first type because it cripples the computer and/or network. This happens when an intruder changes or destroys configuration information, preventing a user from using the computer or network. One way to do this is by modifying the registry on a Windows machine. Another way an intruder can prevent a user from using the network is by changing the routing information in the routers. Fortunately, a user can reconfigure their computer, but it is still a time-consuming task. In the end, if the computer is improperly configured, whether by an intruder or by user mistake, it might not work well or work at all [1].

Physical Destruction or Alteration of Network Components

The last type of DOS attack is easier to protect against and monitor, since it deals for the most part with physical security rather than virtual security. In essence, this corresponds to the protection of critical network components such as computers, routers, wiring, power, and cooling stations. Since the attacked components are physical, they can be replaced, though replacement can get expensive [1]. For instance, if someone cuts a wire, network traffic can be rerouted while technicians replace or fix the cut wire [4]. All in all, the third type of DOS attack can be prevented with the right physical security measures and can be alleviated by repair or replacement.

Three Stages of DOS

For the most part, the previous sections describe a typical DOS attack where one machine attacks another. Unfortunately, DOS attacks have transformed into sophisticated ones that inflict great damage on computers and networks at a much quicker rate. One such method of attack is called a distributed DOS (DDOS), where the combined bandwidth of multiple machines is focused on a single target machine or network, as the diagram illustrates. In this second stage of DOS, the intruder attacks the target machine or network indirectly, using compromised machines (“zombies”) to do the dirty work, as the diagram shows [2]. The attacker supervises the attacks and covers his tracks after the attacks are completed to avoid being traced. For that reason, DDOS is a much more dangerous attack than a regular DOS attack: it increases the severity and quickness of the attack while minimizing the risk of being traced [3].

The final stage of DOS, called distributed DOS with reflectors (DRDOS), is the most dangerous one, because reflectors make the attack both more effective at increasing the damage and, from the intruder’s point of view, safer by decreasing the risk of being traced [3]. An intruder uses legitimate TCP servers as reflectors by sending spoofed SYN packets to these servers. As a result, these TCP servers respond with SYN/ACK packets, flooding the network chosen for the attack, as shown in the diagram [2]. With the addition of reflectors, DRDOS is a more secure attack than DDOS from the intruder’s point of view, because it is hard to trace back the source of the spoofed SYN packets when the traffic arrives from many different legitimate TCP servers all over the Internet. Although these three stages of DOS differ in size, strength, and speed, they all have one common goal: denying legitimate users of a service from using that service.

Famous DOS Occurrences

Before moving on to preventing and responding to DOS attacks, it is important to remember a few famous occurrences of DOS attacks, because these attacks still serve as inspiration for intruders creating newer DOS attacks in the present and in the future. It is equally important that computer users study and learn these older DOS attacks for future reference against more advanced DOS attacks. Moreover, these past occurrences should make people take notice and act against future DOS attacks by monitoring and securing their computers and networks. In this section, three famous DOS attacks are described.

One famous DOS attack is the Ping of Death. In this attack, an intruder creates a packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification, causing the computer that receives the packet to crash, hang, or reboot. Luckily, most operating systems have fixed the problem of dealing with oversized packets. Nevertheless, not all operating systems have, which is a concern: if their vendors are not willing to fix this problem, they probably have not protected themselves against other DOS attacks very well either [3].

Another famous DOS attack is the Teardrop attack, which exploits a requirement of the Internet Protocol (IP): any packet that is too large must be divided into IP fragments for the router to handle it [4]. The Teardrop attack, in turn, creates a series of IP fragments with overlapping offset fields, causing some systems to crash, hang, or reboot when the fragments are reassembled at their destination [3].
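Both the Ping of Death and the Teardrop attack are caught by sanity checks applied at the reassembly queue, before any fragment data is copied into a buffer. The following is an added example, not code from the paper or from any operating system's IP stack: a validator that decodes the raw fragment header fields and rejects a set whose reassembled size would overflow the 16-bit IP total-length field (the Ping of Death pattern) or whose offsets overlap (the Teardrop pattern). The `Fragment` type, the function names and the sample fragment sets are constructed for this illustration.

```python
"""Sanity checks an IP reassembly queue can apply to a set of fragments before
rebuilding the datagram, covering the two malformed patterns described in the paper:
a reassembled size beyond the 16-bit IP length field (Ping of Death) and fragments
whose offsets overlap (Teardrop). Added example, not the paper's code; the fragment
sets below are constructed in memory rather than parsed off the wire."""
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535      # largest value of the 16-bit total-length field (RFC 791)


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field, shared by every fragment of one datagram
    offset: int      # payload offset in bytes (the header stores it in 8-byte units)
    length: int      # payload bytes carried by this fragment
    more: bool       # MF flag: more fragments follow


def fragment_from_header(ident, flags_and_offset, total_length, ihl=5):
    """Decode the raw header fields: 13-bit offset in 8-byte units, MF flag in bit 13,
    payload length = total length minus the header (ihl is in 32-bit words)."""
    return Fragment(
        ident=ident,
        offset=(flags_and_offset & 0x1FFF) * 8,
        length=total_length - ihl * 4,
        more=bool(flags_and_offset & 0x2000),
    )


def check_fragment_set(fragments):
    """Return (verdict, reason): 'ok' when the fragments reassemble into a sane
    datagram, 'incomplete' when pieces are still missing, 'reject' for a defect."""
    if not fragments:
        return ("reject", "no fragments")
    if len({f.ident for f in fragments}) != 1:
        return ("reject", "fragments carry different identification fields")
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected_next = 0
    for f in ordered:
        if f.length <= 0:
            return ("reject", "empty fragment")
        if f.more and f.length % 8 != 0:
            return ("reject", "non-final fragment length is not a multiple of 8")
        # Ping of Death pattern: offset + length overflows what the IP length field can hold
        if f.offset + f.length > IP_MAX_DATAGRAM:
            return ("reject", f"reassembled datagram would exceed {IP_MAX_DATAGRAM} bytes")
        # Teardrop pattern: this fragment starts inside the previous one
        if f.offset < expected_next:
            return ("reject", "overlapping fragment offsets")
        if f.offset > expected_next:
            return ("incomplete", f"gap before offset {f.offset}")
        expected_next = f.offset + f.length
    if ordered[-1].more:
        return ("incomplete", "final fragment not yet received")
    return ("ok", f"{expected_next} bytes")


# Constructed sample fragment sets (1480-byte payloads as on a 1500-byte MTU link)
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 520, False)]
TEARDROP = [Fragment(2, 0, 40, True), Fragment(2, 24, 12, False)]   # second begins inside first
PING_OF_DEATH = [Fragment(3, i * 1480, 1480, True) for i in range(44)] + \
                [Fragment(3, 44 * 1480, 424, False)]                # 65120 + 424 > 65535

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name:14s}", check_fragment_set(frags))
```

The two rejecting checks are the whole fix: an implementation that trusts `offset + length` to stay within the buffer it allocated from the first fragment, or that copies overlapping data without reconciling it, is the one the paper says will crash, hang, or reboot.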

One more famous DOS attack is the Smurf attack, which is sometimes labeled a brute force attack. In this attack, an intruder sends an IP ping (echo) request to a server. Within that server’s local network, however, the packet is broadcast to every host connected to the network, since the destination IP address of each packet is the broadcast address of the network, causing more congestion [3]. To complicate this problem, an intruder can also spoof the return address, so that lots of ping replies are directed to an innocent host. Eventually, if the pings flood the spoofed host, it will no longer receive legitimate traffic or be able to distinguish it from false traffic [4].
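The chargen/echo loop from the resource-consumption section and the Smurf attack above both leave a characteristic signature in flow records: UDP traffic between ports 19 and 7, an echo request addressed to the network's broadcast address, and a single host collecting echo replies from many hosts it never pinged. The following detection logic is an added example, not from the paper; the whitespace-separated record format is an assumption made for this illustration rather than any collector's native output, and the flows in `SAMPLE_FLOWS` are constructed.

```python
"""Detection of the two amplification patterns described in the paper, the
chargen/echo UDP loop and the Smurf broadcast ping, over constructed flow records.
Added example, not the paper's code. Record format (an assumption for this
illustration): timestamp src dst proto field1 field2, where the last two fields are
source/destination port for UDP and type/code for ICMP."""
from collections import defaultdict
import ipaddress

# Constructed sample: a chargen<->echo loop, a broadcast ping whose claimed source
# then receives replies from several hosts, and two benign flows for contrast.
SAMPLE_FLOWS = """\
1 198.51.100.7 192.0.2.9 udp 19 7
2 192.0.2.9 198.51.100.7 udp 7 19
3 198.51.100.7 192.0.2.9 udp 19 7
4 192.0.2.20 192.0.2.53 udp 40000 53
5 203.0.113.5 192.0.2.255 icmp 8 0
6 192.0.2.10 203.0.113.5 icmp 0 0
7 192.0.2.11 203.0.113.5 icmp 0 0
8 192.0.2.12 203.0.113.5 icmp 0 0
9 192.0.2.30 192.0.2.31 icmp 0 0
"""


def parse_flows(text):
    """Turn the record text into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, a, b = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "a": int(a), "b": int(b)})
    return flows


def detect(flows, local_net, reply_threshold=3):
    """Return sorted findings for the local network given as CIDR (e.g. 192.0.2.0/24).
    reply_threshold is the number of distinct hosts whose echo replies to one
    destination count as a reflection pattern."""
    net = ipaddress.ip_network(local_net)
    findings = set()
    reply_sources = defaultdict(set)      # destination -> hosts that sent it an echo reply
    for f in flows:
        # chargen (19) talking to echo (7) in either direction is the UDP loop the paper describes
        if f["proto"] == "udp" and {f["a"], f["b"]} == {19, 7}:
            pair = " and ".join(sorted((f["src"], f["dst"])))
            findings.add(f"chargen/echo loop between {pair}")
        # echo request (type 8) to the broadcast address: the Smurf amplifier pattern
        elif f["proto"] == "icmp" and f["a"] == 8 and \
                ipaddress.ip_address(f["dst"]) == net.broadcast_address:
            findings.add(f"echo request to broadcast {f['dst']} claiming source {f['src']}")
        # echo replies (type 0): count distinct responders per destination
        elif f["proto"] == "icmp" and f["a"] == 0:
            reply_sources[f["dst"]].add(f["src"])
    for dst, srcs in reply_sources.items():
        if len(srcs) >= reply_threshold:
            findings.add(f"{dst} received echo replies from {len(srcs)} distinct hosts")
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse_flows(SAMPLE_FLOWS), "192.0.2.0/24"):
        print(finding)
```

The third finding is the one the spoofed host would see on its own side: replies from hosts it never pinged. The first two are what the network being used as an amplifier would see, and they are exactly the traffic that the router filters and the disabling of unneeded services recommended later in the paper are meant to stop (echo requests to the broadcast address need not be forwarded, and chargen and echo rarely need to be running at all).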

Two other famous DOS attacks, described earlier, are the SYN attack and the UDP flood attack that used the chargen and echo services. In short, intruders created these DOS attacks by exploiting weaknesses in the system, such as the TCP connection setup and the echo service. Accordingly, CERT has come up with ways to minimize these weaknesses, prevent DOS attacks, and respond to them.


Depending on the user’s needs, there are several ways to protect their computer and network from DOS attacks. The first way of detecting a possible DOS attack is to check for any abnormal system routines or a change in system performance. Furthermore, the user should routinely examine the physical security of their workstations and infrastructure, such as servers, routers, wiring, etc. Another countermeasure a user can take is to make and keep backups of configuration information. Last, a user should disable any unneeded and unused network services, because intruders can exploit weaknesses in these services to launch DOS attacks on the user’s system [1]. The following countermeasures can also be implemented if they are available.

To lessen exposure to certain DOS attacks, and to help prevent users on the same network from launching certain DOS attacks, a user can implement router filters. To guard against a SYN attack, a user can install patches that reduce exposure to these attacks. Another countermeasure is to enable quota systems on the operating system, which, combined with a partitioned file system, keeps critical functions separate from other functions. Other countermeasures are Tripwire, a tool that tracks changes in configuration information, and redundant, fault-tolerant network configurations [1]. With all these ways to protect computers and networks, it is surprising that a lot of people and companies do not take the initiative to actually invest in and implement these countermeasures, given how frequent DOS attacks are.
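The configuration backups and the Tripwire countermeasure above amount to one mechanism: record what the configuration files looked like when they were known to be good, then compare against that record. The following is an added example written for this paper, not Tripwire's code or the author's: it hashes every file matching a few assumed patterns, stores the baseline as JSON alongside the backups, and reports files added, removed or changed. The `demo` function runs the whole cycle in a temporary directory with constructed files.

```python
"""Baseline-and-compare check for configuration files, in the spirit of the Tripwire
countermeasure the paper mentions. Added example, not Tripwire's code or the
author's; the tracked file patterns and the demo directory are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path

CONFIG_PATTERNS = ("*.conf", "*.cfg")     # assumed set of files worth tracking


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each tracked file (path relative to root) to its hash, size and mode bits,
    so a content change, a truncation and a permission change are all visible."""
    root = Path(root)
    baseline = {}
    for pattern in CONFIG_PATTERNS:
        for path in root.rglob(pattern):
            if path.is_file():
                st = path.stat()
                baseline[str(path.relative_to(root))] = {
                    "sha256": sha256_of(path),
                    "size": st.st_size,
                    "mode": oct(st.st_mode & 0o777),
                }
    return baseline


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    # Keep the stored copy with the configuration backups, off the monitored host if possible
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed run: create two config files and one untracked file, take a
    baseline, then modify one file, add one and delete one. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.conf").write_text("listen 80\n")
        (root / "b.cfg").write_text("quota on\n")
        (root / "notes.txt").write_text("not a tracked pattern\n")
        save_baseline(build_baseline(root), root / "baseline.json")
        (root / "a.conf").write_text("listen 8080\n")     # modified in place
        (root / "c.conf").write_text("new service\n")     # added
        (root / "b.cfg").unlink()                          # removed
        return compare(load_baseline(root / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the report is the "abnormal system routine" signal the paper asks users to watch for, applied to the configuration files and routing tables an intruder would alter. The baseline itself has to be stored where the monitored host cannot rewrite it, otherwise an intruder who changes a file can re-baseline it too.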


Although much has been written about DOS attacks and their varying degrees, types, and damages, there are still lingering issues in fighting and preventing these attacks. What can be done if users, companies, and even the government take DOS attacks lightly compared to other computer and physical threats? People will only take notice once something cripples their computers, networks, or even lives. The latter is a major concern if a future DOS attack halts emergency calls, causes a massive power outage, or disrupts telecommunications. As a consequence, lives are in danger, which makes a powerful case that DOS attacks are just as dangerous as other forms of attack. It is up to users, companies, and governments to research, understand, and prevent future DOS attacks. As for my situation, I still have not found the root cause of my search engines’ failures to search or even connect. Hopefully, someone or something will detect my problem in the near future and publish it for others who deal with the same


My contribution to the subject of DOS attacks is nothing new compared with other related work, but I wanted to present it clearly enough for anyone to pick up and understand the major issues tied to these attacks. I have focused on the types, stages, and characteristics of these attacks, and on several ways to counter them. Also, I wanted to convey the message that DOS attacks are serious and that even the smallest attack can be a nuisance, just like in my case. Without a doubt, there are many unresolved issues with DOS attacks, because as the Internet grows and systems progress with more technological advancements, more sophisticated attacks are likely to follow. This has been demonstrated throughout computer history, but it is our job to minimize the damage DOS attacks inflict so that they do not progress to the point of harming human lives. As for future work, I will try to solve my problem, and if I do, I might publish how I detected, solved, and protected against it.


[1] CERT Coordination Center. Denial of Service Attacks. Carnegie Mellon University, 1997, 1999.

[2] Gibson, Steve. Distributed Reflection Denial of Service. Gibson Research Corporation, February 22, 2002.

[3] Manzano, Yanet. Tracing the Development of Denial of Service Attacks: A Corporate Analogy. The Association for Computing Machinery, Inc., 2003.

[4] Whatis. Denial of service. May 16, 2001.
