Denial of service
Denial-of-service (DoS) attacks are among the most common hacker attacks. A
hacker initiates so many invalid requests to a network host that the host uses
all its resources responding to them and ignores legitimate requests.
DoS attacks
The following types of DoS attacks are possible against your network and
hosts, and can cause systems to crash, data to be lost, and every user to
jump on your case, wondering when Internet access will be restored.
Individual attacks
Here are some common DoS attacks:
• SYN floods: The attacker literally floods a host with TCP SYN packets.
• Ping of Death: The attacker sends IP packets that exceed the maximum length
  of 65,535 bytes, which can ultimately crash the TCP/IP stack on many
  operating systems.
• WinNuke: This attack can disable networking on older Windows 95 and NT
  computers.
Distributed attacks
Distributed DoS (DDoS) attacks have an exponentially greater impact on their
victims. The most famous was the DDoS attack against eBay, Yahoo!, CNN,
and dozens of other Web sites by the hacker known as MafiaBoy. These are
some common distributed attacks:
• Smurf attack: An attacker spoofs the victim’s address and sends ICMP echo
  requests (ping packets) to the broadcast address. The victim computer gets
  deluged with tons of packets in response to those echo requests.
• Trinoo and Tribe Flood Network (TFN) attacks: Sets of client- and
  server-based programs launch packet floods against a victim machine,
  effectively overloading it and causing it to crash.
DoS attacks can be carried out with tools that the hacker either writes or
downloads off the Internet. These are good tools to test your network’s
IDS/IDP and firewalls. You can find programs that allow actual attacks and
programs, such as BLADE Software’s IDS Informer, that let you send controlled
attacks.
144 Part III: Network Hacking
Testing
Your first DoS test should be a search for DoS vulnerabilities from a
port-scanning and network-analysis perspective.
Don’t test for DoS unless you have test systems or can perform controlled
tests with the proper tools. Poorly planned DoS testing is a job search in the
making. It’s like trying to delete data from a network share remotely and
hoping that the access controls in place are going to prevent it.
Countermeasures
Most DoS attacks are difficult to predict, but they can be easy to prevent:
• Test and apply security patches as soon as possible for such network hosts
  as routers and firewalls, as well as for server and workstation operating
  systems.
• Use IDS and IDP systems to monitor regularly for DoS attacks. You can run a
  network analyzer in continuous capture mode if you can’t justify the cost of
  an all-out IDS or IDP solution.
• Configure firewalls and routers to block malformed traffic. You can do this
  only if your systems support it, so refer to your administrator’s guide for
  details.
• Minimize IP spoofing by either
    - Using authentication and encryption, such as a Public Key
      Infrastructure (PKI)
    - Filtering out external packets that appear to come from an internal
      address, the local host (127.0.0.1), or any other private and
      nonroutable address such as 10.x.x.x, 172.16.x.x–172.31.x.x, or
      192.168.x.x
• Block all ICMP traffic inbound to your network unless you specifically need
  it. Even then, you should allow it only in to specific hosts.
• Disable all unneeded TCP/UDP small services (such as echo and chargen).
Establish a baseline of your network protocols and traffic patterns before a
DoS attack occurs. That way, you know what to look for. And periodically
scan for such potential DoS vulnerabilities as rogue DoS software installed on
network hosts.
Work with a minimum necessary mentality when configuring your network
devices such as firewalls and routers:
• Identify traffic that is necessary for approved network usage.
• Allow the traffic that’s needed.
• Deny all other traffic.
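The anti-spoofing filter, the ICMP and small-services restrictions, and the allow-needed/deny-everything-else policy above can be expressed as one inbound decision function. This is an added example, not code from the book; the internal network 192.168.1.0/24, the hosts and ports in the policy tables, and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the protected internal network for this example.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Source addresses that must never arrive from the Internet: our own internal
# range, the local host and the private, nonroutable ranges named in the text.
BOGUS_EXTERNAL_SOURCES = [
    INTERNAL_NET,
    ipaddress.ip_network("127.0.0.0/8"),      # local host
    ipaddress.ip_network("10.0.0.0/8"),       # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x - 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.x.x
]

# Assumption: the one host that specifically needs inbound ICMP (e.g. monitoring).
ICMP_ALLOWED_DST = {ipaddress.ip_address("192.168.1.10")}
# TCP/UDP small services that stay disabled: echo (7) and chargen (19).
SMALL_SERVICE_PORTS = {7, 19}
# Assumption: approved inbound services as (destination, protocol, port).
ALLOWED_INBOUND = {("192.168.1.20", "tcp", 443), ("192.168.1.25", "tcp", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # None for ICMP


def filter_inbound(pkt: Packet) -> Tuple[str, str]:
    """Decide the fate of a packet arriving on the external interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # 1. Anti-spoofing: internal/loopback/private sources cannot come from outside.
    if any(src in net for net in BOGUS_EXTERNAL_SOURCES):
        return "DROP", "spoofed source address"
    # 2. ICMP only to hosts that explicitly need it.
    if pkt.proto == "icmp":
        return ("ACCEPT", "icmp to permitted host") if dst in ICMP_ALLOWED_DST \
            else ("DROP", "inbound icmp not needed")
    # 3. Small services are disabled everywhere.
    if pkt.dport in SMALL_SERVICE_PORTS:
        return "DROP", "small service (echo/chargen) disabled"
    # 4. Allow only approved traffic; deny everything else.
    if (pkt.dst, pkt.proto, pkt.dport) in ALLOWED_INBOUND:
        return "ACCEPT", "approved service"
    return "DROP", "default deny"
```

Real firewalls apply these rules in the same order: anti-spoofing checks first, then protocol-specific restrictions, then the explicit allow list, with the implicit deny last.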