Denial of Service Attacks
A Denial of Service (DoS) attack attempts to prevent legitimate users from accessing a computer system. Unlike many other attacks, a DoS attack does not require advanced computer skills. It can be carried out simply by overloading the system, which has physical limits such as the number of simultaneous users it can support, the number of files it can have open at once, or the memory available to it. A DoS attack can also be launched by altering system configuration, or by destroying hardware or software. In a Distributed Denial of Service (DDoS) attack, a number of computers on the network simultaneously target one host. The CERT Coordination Center has useful resources on Denial of Service attacks.
A number of tools can be used to launch Denial of Service attacks; TFN and TFN2K are examples. These are openly available tools with built-in UDP, SYN, ICMP and Smurf flooders. Each works as a master controlling a number of agents installed on computers distributed over the network. On receiving a go-ahead signal from the master, the agents simultaneously attack the target. TFN2K can also encrypt the communication between the master and the agents, making the control traffic harder to detect, and the attack packets can carry spoofed source IP addresses. The tools can be easily downloaded from the Internet.
DoS Attacks
A number of different kinds of DoS attacks have been identified; they are discussed below:
TCP SYN Attack
In this attack, the attacker sends the victim host a large number of TCP connection requests (SYN segments) that are never completed. For each half-open connection the host has to reserve resources such as memory, so a large number of such requests can quickly overwhelm it. This delays or prevents the processing of legitimate connection requests to the host. A number of defensive techniques have been suggested to prevent such attacks.
In the SYN cookies technique, the server defers allocating resources until it has established that the connection request is serious. The SYN cookie is computed from the client's IP address and port number, the server's address and port, a coarse timestamp and a server secret, and is sent to the client as the initial sequence number in the SYN-ACK. The client must respond with an ACK whose acknowledgement number is the cookie plus one. On receiving and verifying the cookie, the server knows that the requester wants to follow through with the connection, and only then allocates state for it. The method costs one hash computation per incoming SYN, and because the server keeps no state for the half-open connection it cannot remember the TCP options carried in the original SYN; only a coarse maximum segment size fits into the few spare bits of the cookie.
The RST cookies method is less computing intensive. The server deliberately replies to the client's SYN with a SYN-ACK carrying a wrong acknowledgement number. A real client responds with an RST because the SYN-ACK does not match its SYN, which proves that the source address is genuine and reachable; the server then records that address and accepts its next connection request normally. This method, however, does not work with all systems and in all scenarios, for example when a client stack or an intervening firewall does not send the RST, and it costs every new client an extra round trip.
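The SYN cookie exchange described above, as an added example that is not code from the original page: a stateless listener computes the cookie for each SYN, keeps nothing, and allocates a connection only when the client's ACK carries a cookie that verifies. The 32-bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC) follows the classic scheme; the secret, the MSS table, the 64-second tick, the two-tick expiry and the addresses are constructed assumptions for the example.

```python
"""SYN cookie generation and verification for a stateless TCP listener.

Added example, not code from the original page. Secret, MSS table and
addresses are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

SERVER_SECRET = b"constructed-secret-rotate-in-production"   # assumption for the example
MSS_TABLE = [536, 1220, 1440, 1460]     # 3-bit index -> MSS values the cookie can express
COOKIE_PERIOD = 64                      # seconds per time-counter tick


def _counter(now):
    """Coarse timestamp: 64-second ticks, truncated to 5 bits."""
    return (int(now) // COOKIE_PERIOD) & 0x1F


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, t):
    """24-bit keyed MAC over the connection 4-tuple, the client's ISN and the counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}#{client_isn}@{t}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Compute the initial sequence number to send in the SYN-ACK.
    Nothing is stored: everything needed to check the later ACK is inside the cookie."""
    t = _counter(time.time() if now is None else now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i        # largest table entry not exceeding the client's MSS
    return (t << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, t)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now=None):
    """Validate the client's final ACK, which carries seq = client_isn + 1 and
    ack = cookie + 1. Returns the MSS to use, or None if the cookie is forged or stale."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    age = (_counter(time.time() if now is None else now) - t) & 0x1F
    if age > 1:                        # more than two ticks old: reject
        return None
    if (cookie & 0xFFFFFF) != _mac(src_ip, src_port, dst_ip, dst_port, client_isn, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def simulate_syn_flood(server_ip="10.0.0.1", server_port=80, now=1_700_000_000):
    """Constructed exchange: 1000 spoofed SYNs that never complete, then one honest client.
    Returns (number of established connections, MSS recovered for the honest client)."""
    established = []
    # Spoofed SYNs: the server answers each with a cookie and keeps no state,
    # so the flood costs it one MAC computation per SYN and no memory.
    for i in range(1000):
        make_syn_cookie(f"203.0.113.{i % 256}", 40000 + i, server_ip, server_port, 1000 + i, 1460, now)
    # The honest client (MSS 1400) completes its handshake 30 seconds later.
    client_isn = 0x12345678
    cookie = make_syn_cookie("198.51.100.7", 51515, server_ip, server_port, client_isn, 1400, now)
    mss = check_syn_cookie("198.51.100.7", 51515, server_ip, server_port,
                           client_isn + 1, cookie + 1, now + 30)
    if mss is not None:
        established.append(("198.51.100.7", 51515, mss))
    return len(established), mss


if __name__ == "__main__":
    print(simulate_syn_flood())
```

The recovered MSS for the honest client is 1220 rather than 1400, which is the price the text mentions: the cookie has no room for the client's exact option values, only for the nearest table entry below them.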
Smurf Attack
The attacker sends an ICMP echo (ping) request to the broadcast address of a network, so that every host on that network receives it. The source address of the ping request is spoofed and set to the IP address of the intended victim. Each host on the network replies to that address, which of course is the victim's, and the victim suddenly finds itself flooded with ping replies; the intermediate network acts as an amplifier, since a single request produces one reply per host. Smurf attacks are countered by configuring routers not to forward directed broadcasts, configuring hosts not to answer echo requests addressed to a broadcast address, and filtering packets with spoofed source addresses at the network edge.
UDP Flood Attack
In this attack, UDP packets are sent to random ports on the target server. For each packet the server looks for an application listening on that port and, since usually there is none, replies to the (possibly spoofed) source address with an ICMP Destination Unreachable message. Processing the packets and generating the replies can overload the system, and if the source address is spoofed the ICMP replies flood whatever host that address belongs to.
Teardrop
The IP protocol allows large packets to be fragmented so that they are small enough for the routers en route to handle. The target host, after receiving the fragments, reassembles them to regenerate the complete packet. Fragments can, however, be forged with offsets and lengths that overlap, so that the reassembly code on a vulnerable host mishandles the overlap and corrupts its own memory. This causes the target host to crash or stop working.
Ping of Death
An attacker can shut down or crash a system by sending an oversized ping packet, one whose fragments reassemble to more than the 65,535-byte maximum IP packet size, which the target host cannot handle. Patching the operating system is the best defence against this attack.
Land Attack
A Land attack is conducted by delivering a TCP SYN packet whose source IP address and port are set to the same values as the destination, that is, to those of the target host. The target system gets confused and sends packets to itself, which causes further problems. Finally, the system may stop working altogether.
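The packet-level signatures of the Smurf, UDP flood, Teardrop, Ping of Death and Land attacks described above, as an added example that is not code from the original page: a small detector run over constructed packet summaries. The packet dict fields, the broadcast address set supplied by the caller, the fan-in and port-count thresholds, and the addresses (documentation ranges) are all assumptions for the example; fragment offsets are given in bytes for readability, whereas real IPv4 headers carry them in 8-byte units.

```python
"""Signature checks for the DoS packet patterns described in the text.

Added example, not code from the original page. Packets are dicts with the
fields a capture tool would expose; fragment offsets are in bytes here
(real IPv4 headers use 8-byte units). Thresholds and addresses are assumed.
"""
from collections import defaultdict

IP_HEADER_LEN = 20
IP_MAX_LEN = 65535           # largest IPv4 datagram the protocol allows


def detect_dos_patterns(packets, broadcast_addrs, udp_port_threshold=20, reply_fanin_threshold=10):
    """Return a sorted list of (signature, detail) findings for the packet list."""
    findings = set()
    frag_ranges = defaultdict(list)   # (src, dst, ip_id) -> [(start, end)] seen so far
    udp_ports = defaultdict(set)      # (src, dst) -> destination ports hit
    reply_sources = defaultdict(set)  # dst -> hosts that sent it an echo reply

    for p in packets:
        src, dst, proto = p["src"], p["dst"], p["proto"]

        # Land: source equals destination (and, for TCP, source port equals destination port).
        if src == dst and (proto != "tcp" or p.get("sport") == p.get("dport")):
            findings.add(("land", f"{src} port {p.get('sport')} to itself"))

        if proto == "icmp":
            if p["icmp_type"] == 8 and dst in broadcast_addrs:   # echo request to a broadcast address
                findings.add(("smurf-request", f"echo request from {src} to broadcast {dst}"))
            elif p["icmp_type"] == 0:                             # echo reply: count distinct senders
                reply_sources[dst].add(src)

        if proto == "udp" and p.get("dport") is not None:
            udp_ports[(src, dst)].add(p["dport"])

        # Fragment checks apply to any protocol carried in IP fragments.
        if "frag_off" in p:
            start, end = p["frag_off"], p["frag_off"] + p["payload_len"]
            if IP_HEADER_LEN + end > IP_MAX_LEN:   # would reassemble beyond the IP maximum
                findings.add(("ping-of-death", f"id {p['ip_id']:#x} from {src} reassembles to {IP_HEADER_LEN + end} bytes"))
            key = (src, dst, p["ip_id"])
            for s, e in frag_ranges[key]:
                # Overlap with an earlier fragment that is not just a retransmission of the same one.
                if (s, e) != (start, end) and start < e and s < end:
                    findings.add(("teardrop", f"id {p['ip_id']:#x} from {src}: [{start},{end}) overlaps [{s},{e})"))
            frag_ranges[key].append((start, end))

    for dst, sources in reply_sources.items():
        if len(sources) >= reply_fanin_threshold:
            findings.add(("smurf-reply-flood", f"{len(sources)} hosts sending echo replies to {dst}"))
    for (src, dst), ports in udp_ports.items():
        if len(ports) >= udp_port_threshold:
            findings.add(("udp-flood", f"{src} hit {len(ports)} UDP ports on {dst}"))
    return sorted(findings)


def sample_packets():
    """Constructed packet summaries (not real captures); addresses are documentation ranges."""
    victim = "10.0.0.5"
    pkts = [
        # Benign traffic that must not trigger anything: a SYN and a normally fragmented DNS reply.
        {"proto": "tcp", "src": "198.51.100.7", "dst": victim, "sport": 51515, "dport": 80, "flags": "S"},
        {"proto": "udp", "src": "198.51.100.7", "dst": victim, "dport": 53, "ip_id": 7, "frag_off": 0, "payload_len": 1480},
        {"proto": "udp", "src": "198.51.100.7", "dst": victim, "ip_id": 7, "frag_off": 1480, "payload_len": 520},
        # Land: source address and port equal the destination's.
        {"proto": "tcp", "src": victim, "dst": victim, "sport": 139, "dport": 139, "flags": "S"},
        # Smurf: echo request with the victim's spoofed address sent to a directed-broadcast address.
        {"proto": "icmp", "src": victim, "dst": "192.0.2.255", "icmp_type": 8},
        # Teardrop: second fragment's range overlaps the first's.
        {"proto": "udp", "src": "203.0.113.4", "dst": victim, "dport": 53, "ip_id": 0x1234, "frag_off": 0, "payload_len": 1400},
        {"proto": "udp", "src": "203.0.113.4", "dst": victim, "ip_id": 0x1234, "frag_off": 1000, "payload_len": 1000},
        # Ping of Death: final fragment pushes the reassembled datagram past 65535 bytes.
        {"proto": "icmp", "src": "203.0.113.9", "dst": victim, "icmp_type": 8, "ip_id": 0x9999, "frag_off": 65000, "payload_len": 1000},
    ]
    # Smurf reply flood: twelve hosts on 192.0.2.0/24 answer the broadcast ping to the victim.
    pkts += [{"proto": "icmp", "src": f"192.0.2.{i}", "dst": victim, "icmp_type": 0} for i in range(1, 13)]
    # UDP flood: one source sprays 25 ports on the victim.
    pkts += [{"proto": "udp", "src": "198.51.100.9", "dst": victim, "dport": 1024 + i} for i in range(25)]
    return pkts


if __name__ == "__main__":
    for sig, detail in detect_dos_patterns(sample_packets(), {"192.0.2.255"}):
        print(sig, detail)
```

The teardrop rule deliberately ignores an exact duplicate of an earlier fragment, since plain retransmissions overlap perfectly and are not an attack; only fragments whose boundaries disagree are flagged.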