Denial Of Service Attacks

Lyle YapDiangco

COEN 150 Project

Prof. Holliday

5/17/04

Abstract

Denial-of-service (DOS) attacks are a serious problem for users, computers, and networks alike. By examining the many methods of attack, such as attacking network connectivity, using your own resources against you, consuming bandwidth, and consuming other resources, users can identify what kind of DOS attack they are dealing with. Furthermore, users face three different degrees of attack: regular DOS, distributed DOS, and distributed reflection DOS, with each degree increasing in size, strength, and speed of the damage inflicted. With all these methods and degrees of DOS attacks, users must have some way of protecting their computers and networks. Fortunately, CERT provides users with countermeasures to some, if not most, DOS attacks. Nevertheless, as systems become more complicated and the Internet continues to grow, DOS attacks will increase in frequency and strength. Meanwhile, as others continue to battle these attacks, many people do not take them seriously. That might change, however, since some DOS attacks have the potential to endanger lives in addition to damaging computers and networks. Therefore, DOS attacks are not to be taken lightly: they are dangerous, and they attack our computers, our networks, and our trust.

Introduction

Imagine having a job that requires an access card to use the computers, but one day your access card does not work for some reason. Did someone or something deactivate your account or, even worse, steal it? After wasting a whole day of work trying to solve the problem, you realize someone has tampered with the access codes, since your coworkers are also denied access to the computers. As a result, the company loses a great deal of time, money, and production trying to solve the problem, in addition to finding other ways to gain access to the computers. This form of attack is called a denial-of-service (DOS) attack, which is an intruder’s attempt to prevent legitimate users of a service from using that service [1]. In this case, the employees are denied work while the company is denied production, which means that neither side can survive without the other.

In general, DOS attacks are usually created intentionally and are often malicious. First, they can flood the network, which prevents legitimate network traffic. Second, they can disrupt services to a specific system or person and also prevent legitimate users from accessing a service. Last, DOS attacks can disrupt connections between two machines. Consequently, these attacks can disable your computer or your network, and if launched on a larger scale, the damage is increased tremendously [1]. Hence, as the Internet grows, the problem of DOS attacks grows larger because they affect more people.

A lot of people, including myself, have not realized how damaging DOS attacks can be until we experience them directly or indirectly. In my case, I am currently dealing with a DOS attack, where I cannot use the services of Yahoo, MSN, or Google. Therefore, this serves as a motivation to research, learn, and protect against DOS attacks, in addition to letting others know these attacks are not to be taken lightly. However, this project is not a solution to DOS attacks, as time and resources are limited, but rather a guide to the major issues of classifying, preventing, and responding to them. But before going into detail about DOS attacks, one must know how Transmission Control Protocol (TCP) connections work, since they are essential for two computers to connect to each other over the Internet.

TCP Connection

Without going into much detail, for two computers to establish a connection with each other, typically three Internet packets must be sent between the TCP client (web browser, ftp client, etc.) and TCP server, which is also known as the TCP Three-Way Handshake. In the diagram below, the TCP client starts the connection by sending a SYN packet to the TCP server. The SYN packet contains the IP address of the machine that originated the packet and the IP address of the machine that will receive the packet.

After receiving the SYN packet, the server sends an acknowledgement (ACK) that it has received the packet and also sends its own SYN packet to establish a connection going the other way. If the client receives the SYN/ACK packet, it replies with an ACK of its own. Once the server receives the ACK from the client, both sides have a two-way TCP connection in which data can flow freely back and forth between the client and the server. During a DOS attack, however, and in particular a SYN attack, this connection is never established, which can also cause the server to crash [2]. This specific attack is explained in further detail in the next section.

Methods of DOS attacks

According to CERT (Computer Emergency Response Team), there are three basic types of attacks. The first type of attack is the consumption of scarce, limited, or non-renewable resources, while the second type is the destruction or alteration of configuration information. The third type is the physical destruction or alteration of network components [1].

Consumption of Scarce Resources

Of the three types of DOS attacks, this one is the most common and most frustrating attack against computers and networks, because computers and networks rely heavily on network bandwidth, memory, disk space, CPU time, data structures, and access to other computers and networks. Environmental factors also include power, cool air, and even water. If any of these things operate in the wrong way or do not operate at all, computers and networks cannot function correctly, making life difficult for everyone [1].

One form of this attack is an attack on network connectivity. Basically, an intruder attempts to prevent hosts or networks from communicating on the network. A SYN attack is an example of this, and it directly attacks TCP connections. In a SYN attack, an intruder spoofs the source IP return address (where the packet originated from) when sending the SYN packet to the server. The server receives the spoofed SYN packet and automatically responds with a SYN/ACK packet to a random IP address, as shown in the diagram below [2].

Since the packet is being sent to a random IP address, the server will never receive an ACK from the client. After a while, it resends the SYN/ACK packet, believing its first packet was simply lost. While that continues, the intruder can keep sending spoofed packets, flooding the server’s connection buffer with “half-open” connections. Consequently, valid connections may eventually fail, since the server is busy accommodating the spoofed connection requests [2].
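To make the half-open backlog problem from the two sections above concrete, here is an added example (my own illustration, not code from the paper, and not a network program) that models a listener's half-open connection table in Python and compares it with a SYN-cookie listener, which stores nothing per SYN and instead encodes the state in the sequence number it sends back. The backlog size, the secret, and the addresses are constructed, and 32-bit sequence-number wrap-around is ignored.

```python
"""Model of a TCP listener's half-open connection backlog, with and without
SYN cookies. Added example, not code from the paper; the backlog size, secret
and addresses are constructed for illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

BACKLOG = 4                       # deliberately tiny so the effect is visible
SECRET = b"constructed-server-secret"


def syn_cookie(ip, port, client_isn):
    """Derive a 32-bit server sequence number from the peer's address and ISN,
    so the server can later verify the final ACK without having stored anything."""
    msg = f"{ip}:{port}:{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


@dataclass
class Listener:
    use_syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (ip, port) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, ip, port, client_isn):
        """Handshake step 1: return the server ISN to send in the SYN/ACK,
        or None when the SYN had to be dropped because the backlog is full."""
        isn = syn_cookie(ip, port, client_isn)
        if self.use_syn_cookies:
            return isn                 # stateless: nothing is stored per SYN
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1     # backlog already full of half-open entries
            return None
        self.half_open[(ip, port)] = isn
        return isn

    def on_ack(self, ip, port, client_isn, ack_num):
        """Handshake step 3: accept only if ack_num == server ISN + 1."""
        if self.use_syn_cookies:
            ok = ack_num == syn_cookie(ip, port, client_isn) + 1
        else:
            isn = self.half_open.get((ip, port))
            ok = isn is not None and ack_num == isn + 1
            if ok:
                del self.half_open[(ip, port)]
        if ok:
            self.established.add((ip, port))
        return ok


def simulate(use_syn_cookies, spoofed_syns=10):
    """Feed the model `spoofed_syns` SYNs whose sources never answer, then let
    one real client try to connect. Returns (client_connected, half_open, dropped)."""
    srv = Listener(use_syn_cookies)
    for i in range(spoofed_syns):
        srv.on_syn(f"203.0.113.{i}", 40000 + i, 1000 + i)   # SYN/ACK goes unanswered
    isn = srv.on_syn("198.51.100.7", 51515, 7777)
    connected = isn is not None and srv.on_ack("198.51.100.7", 51515, 7777, isn + 1)
    return connected, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))   # (False, 4, 7)
    print("with SYN cookies:   ", simulate(True))    # (True, 0, 0)
```

Without cookies the four backlog slots fill with entries that will never complete and the legitimate client's SYN is dropped with the rest; with cookies the listener keeps no per-SYN state, so unanswered SYNs cost it nothing and the real client still completes the handshake. Real stacks also age out half-open entries and use a much larger backlog, which slows the effect down but does not remove it.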

Another form of this attack is an intruder using your own resources against you. An intruder can use forged UDP packets to connect a host’s chargen service to an echo service on another machine. This congests the network and eventually denies service to all hosts on the same network, since these two machines consume all available network bandwidth exchanging the forged UDP traffic. A third form of this attack is bandwidth consumption, where an intruder consumes all of the network’s bandwidth by generating a large number of packets directed at your network [1].

The last form of this attack is the consumption of other resources that computers need in order to operate. Intruders can target the data structures that hold process information and exhaust them by running programs or scripts that do nothing but create copies of themselves. Other ways for intruders to consume disk space are placing files in anonymous ftp areas or network shares, generating intentional errors that must be logged, and generating excessive numbers of mail messages. Also, if there is no limit on the amount of data that can be written, anything that allows data to be written to disk can be used for future DOS attacks. Last, unexpected data sent over the network can also cause the system to crash or become unstable [1].

Destruction or Alteration of Configuration Information

The second type of DOS attack is just as damaging as the first type because it cripples the computer and/or network. This happens when an intruder changes or destroys configuration information, which prevents a user from using the computer or network. One way to do this is by modifying the registry on a Windows machine. Another way an intruder can prevent a user from using the network is by changing the routing information in the routers. Fortunately, a user can reconfigure their computer, but it is still a time-consuming task. In the end, if the computer is improperly configured, whether by an intruder or by user mistake, it might not work well or might not work at all [1].

Physical Destruction or Alteration of Network Components

The last type of DOS attack is a bit easier to protect against and monitor, since it deals mostly with physical rather than virtual security. In essence, this corresponds to the protection of critical network components such as computers, routers, wiring, power, and cooling stations. Since the attacks are on physical components, the damaged parts can be replaced, although this can get expensive [1]. For instance, if someone cuts a wire, network traffic can be rerouted while technicians replace or fix the cut wire [4]. All in all, the third type of DOS attack can be prevented with the right physical security measures and can be alleviated by repair or replacement.

Three Stages of DOS

For the most part, the preceding sections describe a typical DOS attack, in which one machine attacks another. Unfortunately, DOS attacks have evolved into more sophisticated forms that inflict great damage on computers and networks at a much quicker rate. One such method is the distributed DOS (DDOS), in which the combined bandwidth of multiple machines is focused on a single target machine or network, as the diagram illustrates. In this second stage of DOS, the intruder attacks the target machine or network indirectly, using zombies (compromised machines under the intruder’s control) to do the dirty work, as the diagram shows [2].

In that regard, the attacker supervises the attacks and covers his tracks after the attacks are completed to avoid being traced. For that reason, DDOS is a much more dangerous attack than a regular DOS attack because it increases the severity and quickness of the attack while minimizing the risk of being traced [3].

The final stage of DOS, distributed DOS with reflectors (DRDOS), is the most dangerous, because the reflectors make the attack both more effective, increasing the damage, and safer for the attacker, decreasing the risk of being traced [3]. An intruder uses legitimate TCP servers as reflectors by sending them spoofed SYN packets. As a result, these TCP servers respond with SYN/ACK packets that flood the network chosen for the attack, as shown in the diagram [2].

With the addition of reflectors, DRDOS is safer for the attacker than DDOS: the source of the spoofed SYN packets is hard to trace back, because the flood arrives from many different legitimate TCP servers all over the Internet, which is confusing to work with. Although these three stages of DOS differ in size, strength, and speed, they all share one goal: denying legitimate users of a service the use of that service.

Famous DOS Occurrences

Before moving on to preventing and responding to DOS attacks, it is worth recalling a few famous DOS attacks, because they still serve as inspiration for intruders creating newer DOS attacks today and in the future. It is equally important that computer users study these older DOS attacks for future reference against more advanced ones. Moreover, these past occurrences should make people take notice and act against future DOS attacks by monitoring and securing their computers and networks. In this section, three famous DOS attacks are described.

One famous DOS attack is the Ping of Death. In this attack, an intruder creates a packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification, causing the computer that receives the packet to crash, hang, or reboot. Luckily, most operating systems have fixed the handling of oversized packets. Nevertheless, not all have, which is a concern: if a vendor is not willing to fix this problem, it probably has not protected its system against other DOS attacks very well either [3].

Another famous DOS attack is the Teardrop attack, which exploits a requirement of the Internet Protocol (IP): any packet that is too large must be divided into IP fragments for the router to handle it [4]. The Teardrop attack creates a series of IP fragments with overlapping offset fields, causing some systems to crash, hang, or reboot when the fragments are reassembled at their destination [3].
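Both of the attacks just described are defeated at the same place: the receiver's fragment reassembly code. The following added example (my own illustration, not code from the paper) is a small Python reassembler that validates a fragment set before rebuilding it and discards a datagram whose reassembled length would exceed the 65,535-byte limit of the 16-bit IP total-length field (the Ping of Death pattern, where a 65,536-byte packet as the text describes is one byte too long) or whose fragments overlap (the Teardrop pattern). The `Fragment` records, the 20-byte header assumption and `split_payload` are constructed for the example.

```python
"""Defensive IPv4 fragment reassembler that rejects the two malformed fragment
sets described above: a datagram that would exceed the 65,535-byte IP length
limit (Ping of Death pattern) and fragments whose byte ranges overlap
(Teardrop pattern). Added example, not code from the paper; the fragment
records are constructed."""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535      # IP total-length field is 16 bits
IP_HEADER_LEN = 20           # minimal IPv4 header, assumed for the size check


@dataclass(frozen=True)
class Fragment:
    offset: int        # byte offset of this payload within the original datagram
    payload: bytes
    more: bool         # More Fragments (MF) flag


class BadDatagram(ValueError):
    """Raised when a fragment set must be discarded rather than reassembled."""


def reassemble(frags):
    """Return the reassembled payload, or raise BadDatagram with the reason."""
    if not frags:
        raise BadDatagram("no fragments")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0            # next byte offset we are prepared to accept
    out = bytearray()
    for f in ordered:
        if f.offset < expected:
            raise BadDatagram(
                f"fragment at offset {f.offset} overlaps previous data (Teardrop pattern)")
        if f.offset > expected:
            raise BadDatagram(f"gap before offset {f.offset}; datagram incomplete")
        if f.more and len(f.payload) % 8:
            raise BadDatagram("non-final fragment length is not a multiple of 8")
        end = f.offset + len(f.payload)
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            raise BadDatagram(
                f"reassembled length {IP_HEADER_LEN + end} exceeds "
                f"{MAX_IP_DATAGRAM} (Ping of Death pattern)")
        out += f.payload
        expected = end
    if ordered[-1].more:
        raise BadDatagram("final fragment has MF set; datagram incomplete")
    return bytes(out)


def check(frags):
    """Classify a fragment set: ('ok', payload_length) or ('drop', reason)."""
    try:
        return "ok", len(reassemble(frags))
    except BadDatagram as e:
        return "drop", str(e)


def split_payload(data, chunk=1480):
    """Fragment `data` the way a well-behaved sender would (chunk is a multiple of 8)."""
    frags = []
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        frags.append(Fragment(off, part, more=off + chunk < len(data)))
    return frags


if __name__ == "__main__":
    print(check(split_payload(b"x" * 1580)))            # ('ok', 1580)
    print(check(split_payload(b"x" * 65528)))           # drop: Ping of Death pattern
    print(check([Fragment(0, b"A" * 24, True),
                 Fragment(16, b"B" * 16, False)]))      # drop: Teardrop pattern
```

The size check runs as each fragment arrives rather than after the buffer is full, which is the property the vulnerable stacks lacked: they allocated a fixed-size reassembly buffer and wrote past it. Treating an overlap as a reason to drop the whole datagram, rather than trying to merge the fragments, is the simplest safe policy and is what most hardened stacks do today.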

One more famous DOS attack is the Smurf attack, which is sometimes labeled a brute force attack. In this attack, an intruder sends an IP ping (echo) request to a server. Within the local network, however, the packet is broadcast to every host connected to the network, since the destination IP address of each packet is the broadcast address of the network, which causes more congestion [3]. To complicate the problem, an intruder can also spoof the return address, so that large numbers of ping replies are directed at an innocent host. Eventually, if the pings flood the spoofed host, it can no longer receive legitimate traffic or distinguish it from false traffic [4].
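Several of the patterns on this page leave a recognizable trace in ordinary traffic records: the chargen/echo loop from the "using your own resources against you" section, the SYN/ACK backscatter that reflected attacks (DRDOS) send to the spoofed victim, and the Smurf attack's echo requests addressed to a network's broadcast address. The following added example (my own illustration, not code from the paper) is a Python detector that runs over a constructed list of packet summaries and reports each of those three indicators. The record format, the `192.0.2.0/24` "local" network, the addresses and the reflector threshold are all constructed for the example.

```python
"""Detector that runs over packet-summary records and flags three traffic
patterns this page describes: chargen/echo UDP loops, ping requests sent to the
network's broadcast address (Smurf), and SYN/ACKs arriving from many servers a
local host never contacted (reflection backscatter). Added example, not code
from the paper; the records and addresses are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

ECHO_PORT, CHARGEN_PORT = 7, 19
LOCAL_NET = ip_network("192.0.2.0/24")       # constructed "our" network

# Constructed records: (proto, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE = [
    ("udp",  "192.0.2.10",    19, "192.0.2.20",     7, ""),
    ("udp",  "192.0.2.20",     7, "192.0.2.10",    19, ""),
    ("icmp", "203.0.113.5",    0, "192.0.2.255",    0, "echo-request"),
    ("icmp", "203.0.113.5",    0, "192.0.2.255",    0, "echo-request"),
    ("tcp",  "192.0.2.30",  5000, "198.51.100.9", 443, "S"),    # our own outbound SYN
    ("tcp",  "198.51.100.9", 443, "192.0.2.30",  5000, "SA"),   # its legitimate reply
    ("tcp",  "198.51.100.1",  80, "192.0.2.30",  4444, "SA"),   # never requested
    ("tcp",  "198.51.100.2",  80, "192.0.2.30",  4445, "SA"),
    ("tcp",  "198.51.100.3", 443, "192.0.2.30",  4446, "SA"),
    ("udp",  "192.0.2.40", 53000, "192.0.2.53",    53, ""),     # ordinary DNS query
]


def chargen_echo_loops(records):
    """Host pairs exchanging UDP between the echo (7) and chargen (19) ports."""
    pairs = set()
    for proto, src, sport, dst, dport, _ in records:
        if proto == "udp" and {sport, dport} == {ECHO_PORT, CHARGEN_PORT}:
            pairs.add(tuple(sorted((src, dst))))
    return sorted(pairs)


def broadcast_pings(records, net=LOCAL_NET):
    """Count ICMP echo requests per source aimed at the network broadcast address."""
    hits = Counter()
    for proto, src, _, dst, _, flags in records:
        if (proto == "icmp" and flags == "echo-request"
                and ip_address(dst) == net.broadcast_address):
            hits[src] += 1
    return dict(hits)


def unsolicited_synacks(records, net=LOCAL_NET, threshold=3):
    """Local hosts receiving SYN/ACKs from at least `threshold` distinct peers
    to which they sent no SYN; returns {victim: number_of_reflectors}."""
    sent_syn = set()                  # (local, lport, remote, rport) we initiated
    reflectors = defaultdict(set)
    for proto, src, sport, dst, dport, flags in records:
        if proto != "tcp":
            continue
        if flags == "S" and ip_address(src) in net:
            sent_syn.add((src, sport, dst, dport))
        elif flags == "SA" and ip_address(dst) in net:
            if (dst, dport, src, sport) not in sent_syn:
                reflectors[dst].add(src)
    return {victim: len(srcs) for victim, srcs in reflectors.items()
            if len(srcs) >= threshold}


def analyze(records=SAMPLE):
    """Run all three detectors and return their findings by name."""
    return {
        "chargen_echo_loops": chargen_echo_loops(records),
        "broadcast_pings": broadcast_pings(records),
        "unsolicited_synacks": unsolicited_synacks(records),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

The SYN/ACK check depends on seeing the local host's own outbound SYNs, so it must run where both directions of traffic are visible (a border capture or flow export), and the reflector threshold should be tuned to the site; the other two checks are stateless and could equally be written as firewall or IDS rules. On the sample records the detector reports the 10/20 chargen-echo pair, two broadcast pings from 203.0.113.5, and three unsolicited SYN/ACK sources aimed at 192.0.2.30, while the normal handshake with 198.51.100.9 and the DNS query produce nothing.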