Denial of service
 

Denial of service
Denial-of-service (DoS) attacks are among the most common hacker attacks. A
hacker initiates so many invalid requests to a network host that it uses all its
resources responding to them and ignores legitimate requests.
DoS attacks
The following types of DoS attacks are possible against your network and
hosts, and can cause systems to crash, data to be lost, and every user to
jump on your case, wondering when Internet access will be restored.
Individual attacks
Here are some common DoS attacks:
[1] SYN floods: The attacker literally floods a host with TCP SYN packets.
[1] Ping of Death: The attacker sends IP packets that exceed the maximum
length of 65,535 bytes, which can ultimately crash the TCP/IP stack on
many operating systems.
[1] WinNuke: This attack can disable networking on older Windows 95 and
NT computers.
Distributed attacks
Distributed DoS (DDoS) attacks have an exponentially greater impact on their
victims. The most famous was the DDoS attack against eBay, Yahoo!, CNN,
and dozens of other Web sites by the hacker known as MafiaBoy. These are
some common distributed attacks:
[1] Smurf attack: An attacker spoofs the victim’s address and sends ICMP
echo request (ping packets) to the broadcast address. The victim computer
gets deluged with tons of packets in response to those echo
requests.
[1] Trinoo and Tribe Flood Network (TFN) attacks: Sets of client- and
server-based programs launch packet floods against a victim machine,
effectively overloading it and causing it to crash.
DoS attacks can be carried out with tools that the hacker either writes or
downloads off the Internet. These are good tools to test your network’s
IDS/IDP and firewalls. You can find programs that allow actual attacks and
programs, such as BLADE Software’s IDS Informer, that let you send controlled
attacks.
144 Part III: Network Hacking
Testing
Your first DoS test should be a search for DoS vulnerabilities from a portscanning
and network-analysis perspective.
Don’t test for DoS unless you have test systems or can perform controlled
tests with the proper tools. Poorly planned DoS testing is a job search in the
making. It’s like trying to delete data from a network share remotely and
hoping that the access controls in place are going to prevent it.
Countermeasures
Most DoS attacks are difficult to predict, but they can be easy to prevent:
[1] Test and apply security patches as soon as possible for such network
hosts as routers and firewalls, as well as for server and workstation
operating systems.
[1] Use IDS and IDP systems to monitor regularly for DoS attacks.
You can run a network analyzer in continuous capture mode if you can’t
justify the cost of an all-out IDS or IDP solution.
[1] Configure firewalls and routers to block malformed traffic. You can do
this only if your systems support it, so refer to your administrator’s
guide for details.
[1] Minimize IP spoofing by either
• Using authentication and encryption, such as a Public Key
Infrastructure (PKI)
• Filtering out external packets that appear to come from an internal
address, the local host (127.0.0.1), or any other private and nonroutable
address such as 10.x.x.x, 172.16.x.x–172.31.x.x, or
192.168.x.x
[1] Block all ICMP traffic inbound to your network unless you specifically
need it. Even then, you should allow it only in to specific hosts.
[1] Disable all unneeded TCP/UDP small services (such as echo and chargen).
Establish a baseline of your network protocols and traffic patterns before a
DoS attack occurs. That way, you know what to look for. And periodically
scan for such potential DoS vulnerabilities as rogue DoS software installed on
network hosts.
Work with a minimum necessary mentality when configuring your network
devices such as firewalls and routers:
[1] Identify traffic that is necessary for approved network usage.
[1] Allow the traffic that’s needed.
[1] Deny all other traffic.

How do you avoid being part of the problem?
 

What is a distributed denial-of-service (DDoS) attack?

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a web site or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack. How do you avoid being part of the problem?

Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers:

• Install and maintain anti-virus software (see Understanding Anti-Virus Software for more information).
• Install a firewall, and configure it to restrict traffic coming into and leaving your computer (see Understanding Firewalls for more information).
• Follow good security practices for distributing your email address (see Reducing Spam for more information). Applying email filters may help you manage unwanted traffic.

How do you know if an attack is happening?

Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:

• unusually slow network performance (opening files or accessing web sites)
• unavailability of a particular web site
• inability to access any web site
• dramatic increase in the amount of spam you receive in your account

What do you do if you think you are experiencing an attack?

Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack. Contact the appropriate technical professionals for assistance.

• If you notice that you cannot access your own files or reach any external web sites from your work computer, contact your network administrators. This may indicate that your computer or your organization's network is being attacked.
• If you are having a similar experience on your home computer, consider contacting your Internet service provider (ISP). If there is a problem, the ISP might be able to advise you of an appropriate course of action.