Index
DoS / DDoS Attacks
TCP SYN Flood Attack
UDP Flood Attacks
Ping of Death Attacks
Smurf Attacks
Teardrop Attacks
Bonk Attacks
Land Attacks
Distributed Denial of Service (DDoS) Attacks
4.1 DoS / DDoS Attacks
A Denial of Service (DoS) attack is one of the simplest and most common
attacks today. DoS attacks are not aimed at stealing, modifying or destroying
information, but at preventing legitimate users from using a service. A DoS
attack comes in many forms, from simply cutting the power to a system to
flooding it with seemingly legitimate network traffic; anything that results
in a denial of service qualifies. The public nature of the Internet makes it
particularly vulnerable to DoS attacks. The DoS/DDoS attacks described below
are all network-based DoS attacks. DoS/DDoS attacks are also active attacks,
as the attacker actively attempts to change something, in this case the
availability of a server or service.
TCP SYN Flood Attack
A common example of a DoS attack is the TCP SYN flood attack, in which the
attacker exploits behavior inherent in the TCP protocol. A TCP session is
established using a three-way handshake, which allows the client and the host
to synchronize the connection and agree upon the initial sequence numbers.
When the client connects to the host, it sends a SYN segment to establish and
synchronize the connection. The host replies with a SYN/ACK, again to
synchronize. The client then acknowledges that it received the SYN/ACK by
sending an ACK. When the host receives the ACK the connection becomes OPEN,
allowing traffic from both sides (full-duplex). The connection remains open
until the client or the host issues a FIN or RST segment, or the connection
times out. This process is illustrated below:

In a TCP SYN flood attack, the attacker creates half-open TCP connections by
sending initial SYN packets with forged source IP addresses; the SYN/ACK is
sent to the forged address and is never answered with an ACK. Each half-open
connection occupies an entry in the host's backlog queue, so the host
eventually reaches its limit and stops accepting connections from legitimate
users as well. Many routers and other network nodes today are able to detect
SYN floods by monitoring the number of unacknowledged TCP sessions and
dropping them before the session queue is full. They can often be configured
with a maximum allowed number of half-open connections and a limit on the time
the host waits for the final acknowledgement. Most modern operating systems
also implement SYN cookies, which encode the connection state in the initial
sequence number of the SYN/ACK so that no backlog entry is needed until the
client's ACK arrives. Without these preventive measures, the server could
eventually run out of memory, causing it to crash entirely.
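The following simulation is an added example, not code from the original page. It models a listener's half-open (SYN) queue under a flood of SYNs from forged sources and compares three policies described above: a plain backlog, a backlog whose half-open entries are reaped after a timeout, and SYN cookies, where the listener stores nothing until the client's ACK comes back. The addresses, queue size, timeout and the cookie secret are constructed, and the cookie itself is a simplified keyed hash rather than the full Bernstein scheme.

```python
"""Simulation of a TCP listener's half-open (SYN) queue under a SYN flood."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

COOKIE_SECRET = b"constructed-secret-rotated-periodically"   # constructed


@dataclass
class Listener:
    backlog: int                                  # maximum half-open connections
    timeout: Optional[float] = None               # None: half-open entries never expire
    syn_cookies: bool = False
    half_open: Dict[Tuple[str, int], float] = field(default_factory=dict)  # peer -> SYN time
    established: Set[Tuple[str, int]] = field(default_factory=set)
    dropped_syns: int = 0

    def _reap(self, now: float) -> None:
        """Discard half-open entries that waited longer than `timeout` for an ACK."""
        if self.timeout is None:
            return
        for peer in [p for p, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[peer]

    def _cookie(self, ip: str, port: int) -> int:
        """Stateless ISN: keyed hash of the peer address. The real scheme also mixes
        in a clock counter and encodes the MSS; this simplification is constructed."""
        digest = hmac.new(COOKIE_SECRET, f"{ip}:{port}".encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, ip: str, port: int, now: float) -> Optional[int]:
        """Handle a SYN; return the ISN placed in the SYN/ACK, or None if it was dropped."""
        self._reap(now)
        if self.syn_cookies:
            return self._cookie(ip, port)           # no state kept for this peer
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        self.half_open[(ip, port)] = now
        return random.getrandbits(32)

    def on_ack(self, ip: str, port: int, ack_num: int, now: float) -> bool:
        """Handle the handshake's final ACK; return True if a connection opens."""
        if self.syn_cookies:
            # Recompute the cookie instead of looking up a queue entry.
            if (ack_num - 1) & 0xFFFFFFFF != self._cookie(ip, port):
                return False
        elif (ip, port) in self.half_open:
            del self.half_open[(ip, port)]
        else:
            return False                            # no matching half-open entry
        self.established.add((ip, port))
        return True


def run_scenario(listener: Listener, spoofed_syns: int, legit_delay: float = 0.0) -> bool:
    """Send `spoofed_syns` SYNs from forged sources that never answer the SYN/ACK,
    then let one legitimate client attempt a full handshake `legit_delay` seconds
    later. Returns True if the legitimate client gets an established connection."""
    now = 0.0
    for i in range(spoofed_syns):
        forged = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed, never replies
        listener.on_syn(forged, 40000, now)
    now += legit_delay
    isn = listener.on_syn("192.0.2.10", 51515, now)
    if isn is None:
        return False
    return listener.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    print("plain backlog:  ", run_scenario(Listener(backlog=128), 1000))
    print("with reaper:    ", run_scenario(Listener(backlog=128, timeout=5.0), 1000, 6.0))
    print("SYN cookies:    ", run_scenario(Listener(backlog=128, syn_cookies=True), 1000))
```

With a backlog of 128 and 1000 unanswered SYNs the legitimate client is refused; the same backlog with a 5-second reaper accepts it once the stale entries expire, and the cookie listener accepts it immediately because nothing was ever queued.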
UDP Flood Attacks
UDP is a connectionless protocol that does not use a handshake to establish a
connection. This makes it relatively easy to abuse for flood attacks. A common
type of UDP flood attack, often referred to as a Pepsi attack, is one in which
the attacker sends a large number of forged UDP packets to random diagnostic
ports on a target host. The CPU time, memory and bandwidth required to process
these packets (and to answer each one with an ICMP port unreachable message)
may cause the target to become unavailable to legitimate users. To minimize
the risk of a UDP flood attack, disable all unused UDP services on hosts and
block the unused UDP ports if you use a firewall to protect your network.
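The detector below is an added example, not part of the original page. It runs over a constructed packet trace of (timestamp, source IP, destination UDP port) records and flags a window whose rate of packets to closed ports is high and whose port spread looks random, which is the signature of the flood just described; the listening-port set, thresholds and trace are all constructed. It also models the rate limit a host applies to its ICMP error replies so that answering the flood stays cheap.

```python
"""Rate-based detection of a UDP flood against closed ports, plus the ICMP
rate limit that bounds the cost of answering it."""
from collections import defaultdict
from typing import List, Tuple

Trace = List[Tuple[float, str, int]]        # (seconds, src_ip, dst_port)

LISTENING_UDP_PORTS = {53, 123}             # constructed: the host only serves DNS and NTP


def detect_udp_flood(trace: Trace, window: float = 1.0, pps_threshold: int = 100,
                     min_distinct_ports: int = 20):
    """Bucket packets to closed ports into fixed windows; report windows whose rate
    exceeds pps_threshold and whose ports look random rather than like one client
    hammering a single port. Returns (window_start, packets, distinct_ports,
    distinct_sources) per alert."""
    buckets = defaultdict(list)
    for ts, src, dport in trace:
        if dport not in LISTENING_UDP_PORTS:
            buckets[int(ts // window)].append((src, dport))
    alerts = []
    for b in sorted(buckets):
        pkts = buckets[b]
        ports = {d for _, d in pkts}
        if len(pkts) / window >= pps_threshold and len(ports) >= min_distinct_ports:
            alerts.append((b * window, len(pkts), len(ports), len({s for s, _ in pkts})))
    return alerts


class TokenBucket:
    """Limit on ICMP error replies, modelled after the kernel rate limit
    (Linux exposes it as net.ipv4.icmp_ratelimit / icmp_ratemask). Parameters constructed."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def icmp_unreachables_sent(trace: Trace, limiter: TokenBucket) -> int:
    """Number of ICMP port-unreachable replies the host would actually emit."""
    sent = 0
    for ts, _src, dport in sorted(trace):
        if dport not in LISTENING_UDP_PORTS and limiter.allow(ts):
            sent += 1
    return sent


def constructed_trace() -> Trace:
    """Constructed: three seconds of normal traffic, then one second of flood from
    500 forged sources, each hitting a different unused port."""
    trace = []
    for sec in range(3):
        trace += [(sec + i / 20, "192.0.2.5", 53) for i in range(20)]    # DNS clients
        trace.append((sec + 0.5, "198.51.100.9", 7777))                  # one stray packet
    for i in range(500):
        forged = f"198.18.{i // 256}.{i % 256}"
        trace.append((3.0 + i / 500, forged, 1024 + (i * 7919) % 60000))
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    print("alerts:", detect_udp_flood(trace))
    print("ICMP replies without limit:", icmp_unreachables_sent(trace, TokenBucket(10**6, 10**6)))
    print("ICMP replies with 50/s limit:", icmp_unreachables_sent(trace, TokenBucket(50, 50)))
```

The normal seconds produce no alert because a single stray packet to one closed port is far below the rate and spread thresholds, while the flood second is reported with 500 packets to 500 distinct ports from 500 distinct sources. Without a limiter the host would send 503 ICMP replies; a 50-per-second bucket caps that at roughly a hundred, which is the point of the kernel rate limit.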
Ping of Death Attacks
Another well-known DoS attack is the Ping of Death. It targets hosts with a
weak implementation of the TCP/IP stack. The attacker sends an ICMP Echo
Request that, once its IP fragments are put back together, is larger than the
65,535-byte maximum size of an IP datagram, causing the buffer at the receiver
to overflow during the reassembly process. This can cause the target system to
crash and/or reboot. Especially older Windows versions (95/NT4), but also older
Mac and Linux operating systems and other network devices such as routers,
were vulnerable to the Ping of Death. Modern operating systems and network
devices safely discard these oversized packets. Older systems can usually be
updated with a patch.
Smurf Attacks
A nasty type of DoS attack is the Smurf attack, which
is made possible mostly because of badly configured network
devices that respond to ICMP echoes sent to broadcast addresses.
The attacker sends a large amount of ICMP traffic to a broadcast
address and uses a victim’s IP address as the source
IP so the replies from all the devices that respond to the
broadcast address will flood the victim. The nasty part of
this attack is that the attacker can use a low-bandwidth connection
to kill high-bandwidth connections. The amount of traffic
sent by the attacker is multiplied by a factor equal to the
number of hosts behind the router that reply to the ICMP echo
packets.

The diagram above depicts a Smurf attack in progress. The attacker sends a
stream of ICMP echo packets to the router at 128 Kbps. The attacker modifies
the packets by changing the source IP to the IP address of the victim's
computer so that replies to the echo packets are sent to that address. The
destination address of the packets is a broadcast address of the so-called
bounce site, in this case 129.64.255.255. If the router is (mis-)configured to
forward these broadcasts to hosts on the other side of the router (by
forwarding layer 3 broadcasts to the layer 2 broadcast address
FF:FF:FF:FF:FF:FF), all these hosts will reply. In the above example that
would mean 640 Kbps (5 x 128 Kbps) of ICMP replies will be sent to the
victim's system, which would effectively disable its 512 Kbps connection.
Besides the target system, the intermediate router is also a victim, and so
are the hosts in the bounce site. A similar attack that uses UDP echo packets
instead of ICMP echo packets is called a Fraggle attack.
It is difficult to prevent Smurf attacks entirely because they are made
possible by incorrectly configured networks belonging to third parties. The
Smurf Amplifier Registry (SAR, http://www.powertech.no/smurf/) and Netscan.org
are two of several publicly available databases that can be used to configure
routers and firewalls to block ICMP traffic from these networks. The Smurf
Amplifier Registry (SAR) can be downloaded in Cisco ACL format. If you use
Cisco routers, make sure all interfaces are configured with the no ip
directed-broadcast command (the default since IOS 12.0).
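The model below is an added example, not code from the original page or from any router vendor. It shows the two router-side rules that break the attack just described: refusing to forward a directed broadcast onto a connected subnet (what no ip directed-broadcast does) and ingress anti-spoofing (BCP 38), which at the attacker's own ISP drops a packet that claims the victim's address as its source. The interfaces, addresses and rates are constructed; the bounce-site subnet 129.64.0.0/16 is chosen so that its broadcast address is the 129.64.255.255 used in the diagram.

```python
"""Router-side rules that stop a Smurf (or Fraggle) packet at the bounce site
or, better, at the attacker's own ISP."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network   # connected subnet; 0.0.0.0/0 marks the upstream link


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp-echo" for Smurf, "udp-echo" for Fraggle
    ingress: str    # name of the interface the packet arrived on


class Router:
    def __init__(self, interfaces: Iterable[Interface], directed_broadcast: bool = False):
        self.interfaces = {i.name: i for i in interfaces}
        self.directed_broadcast = directed_broadcast   # off by default, as on IOS 12.0+

    def lan_networks(self) -> List[ipaddress.IPv4Network]:
        return [i.network for i in self.interfaces.values() if i.network.prefixlen > 0]

    def source_plausible(self, pkt: Packet) -> bool:
        """Ingress filtering: on a LAN interface the source must lie inside that
        subnet; on the upstream link it must not claim to be one of our own subnets."""
        src = ipaddress.ip_address(pkt.src)
        ingress = self.interfaces[pkt.ingress]
        if ingress.network.prefixlen == 0:
            return not any(src in net for net in self.lan_networks())
        return src in ingress.network

    def decide(self, pkt: Packet) -> str:
        """Return 'forward' or a 'drop: ...' reason."""
        if not self.source_plausible(pkt):
            return "drop: spoofed source"
        dst = ipaddress.ip_address(pkt.dst)
        for net in self.lan_networks():
            if dst == net.broadcast_address:
                # Forwarding a layer-3 broadcast onto the LAN maps it to the layer-2
                # broadcast FF:FF:FF:FF:FF:FF and every host on the segment answers.
                return "forward" if self.directed_broadcast else "drop: directed broadcast"
        return "forward"


def make_router(lan_cidr: str, directed_broadcast: bool = False) -> Router:
    """Constructed two-interface router: an upstream link plus one LAN named 'lan'."""
    return Router([Interface("upstream", ipaddress.ip_network("0.0.0.0/0")),
                   Interface("lan", ipaddress.ip_network(lan_cidr))], directed_broadcast)


def reply_rate_to_victim(router: Router, pkt: Packet, responding_hosts: int,
                         attacker_kbps: int) -> int:
    """Kbps of echo replies reaching the forged source: zero if the router drops the
    packet, otherwise the attacker's rate multiplied by the number of responders."""
    if router.decide(pkt) != "forward":
        return 0
    return attacker_kbps * responding_hosts


# Constructed: the diagram's packet, forged from the victim, aimed at the bounce site.
SMURF = Packet(src="192.0.2.10", dst="129.64.255.255", proto="icmp-echo", ingress="upstream")

if __name__ == "__main__":
    for enabled in (True, False):
        r = make_router("129.64.0.0/16", directed_broadcast=enabled)
        print(f"directed-broadcast={enabled}: {r.decide(SMURF)}, "
              f"{reply_rate_to_victim(r, SMURF, 5, 128)} Kbps to victim")
    isp = make_router("198.51.100.0/24")   # the attacker's access network
    print("at attacker's ISP:", isp.decide(Packet("192.0.2.10", "129.64.255.255",
                                                   "icmp-echo", "lan")))
```

With directed broadcasts enabled the five responders turn 128 Kbps into 640 Kbps toward the victim; with the default setting the router drops the packet and the victim sees nothing. The ingress rule matters because the bounce-site router cannot tell a forged Internet source from a real one; only the router at the attacker's edge can see that 192.0.2.10 does not belong on its access subnet.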
The following three DoS attacks are not likely to appear on the Security+
exam, but are listed for completeness. Especially older versions of Windows,
but many other systems as well, were vulnerable to these attacks. Like many
other attacks, they are aimed at the IP stack; the first two specifically use
packet fragmentation and reassembly vulnerabilities. If older systems are
patched, they are usually no longer vulnerable.
Teardrop Attacks
When a datagram is larger than the network can carry in one frame, it is
fragmented into smaller fragments. Each fragment carries a Fragment Offset
field in its IP header that specifies where its data belongs in the
reassembled datagram. In a Teardrop attack, the attacker sends fragments with
invalid, overlapping values in the Offset field, which may cause the target
system to crash when it attempts to reassemble the data. Today's
implementations of the TCP/IP stack safely discard such invalid fragments.
Bonk Attacks
The Bonk attack is similar to a Teardrop attack. Instead of sending IP
fragments with overlapping Offset values in the IP header, it sends fragments
whose Offset values are too large. As with the Teardrop attack, this may
cause the target system to crash.
Land Attacks
During a Land attack, the attacker sends a forged TCP SYN packet with the same
source and destination IP address (and, typically, the same source and
destination port). This confuses systems with outdated versions of the TCP/IP
stack, because the host receives a TCP connection request from itself. This
may cause the target system to crash.
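The code below is an added example, not code from the original page or from any operating system; it is one reassembler written to illustrate the Ping of Death, Teardrop, Bonk and Land sections together. It builds IPv4 packets with a constructed helper, reassembles fragments, and applies the sanity checks that make each of those malformed packets harmless: a datagram may never exceed the 65,535 bytes that the 16-bit Total Length field allows (Ping of Death), overlapping fragments are discarded rather than copied over each other (Teardrop), a fragment placed beyond the final fragment or leaving a hole never completes the datagram (Bonk), and a TCP SYN whose source equals its destination is rejected (Land). The addresses and payloads are constructed.

```python
"""IPv4 fragment reassembly with the checks that defang Ping of Death, Teardrop
and Bonk fragments, plus the Land check on a TCP SYN."""
import struct
from ipaddress import IPv4Address

MAX_DATAGRAM = 65535                 # RFC 791: Total Length is 16 bits
IP_HDR = "!BBHHHBBH4s4s"             # minimal 20-byte IPv4 header, no options


def build_ipv4(src, dst, proto, payload, ident=1, offset=0, more_fragments=False):
    """Constructed helper: IPv4 header (checksum left zero) in front of payload.
    offset is in 8-byte units, exactly as carried in the Fragment Offset field."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_tcp_syn(sport, dport):
    """Constructed helper: 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def parse_ipv4(raw):
    vihl, _tos, total_len, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, raw[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto,
            "id": ident, "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": raw[ihl:total_len]}


def is_land(pkt):
    """Land: a TCP SYN whose source IP:port equals its destination IP:port."""
    if pkt["proto"] != 6 or len(pkt["payload"]) < 14:
        return False
    sport, dport, _seq, _ack, _doff, flags = struct.unpack("!HHLLBB", pkt["payload"][:14])
    return bool(flags & 0x02) and pkt["src"] == pkt["dst"] and sport == dport


class Reassembler:
    """Fragment table keyed on (src, dst, id, proto). add() returns the reassembled
    payload once bytes 0..end of the final fragment are all present, None while
    still waiting, and raises ValueError for a fragment that must be dropped."""

    def __init__(self):
        self.table = {}

    def add(self, raw):
        pkt = parse_ipv4(raw)
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        start, end = pkt["offset"], pkt["offset"] + len(pkt["payload"])
        if end > MAX_DATAGRAM:                           # Ping of Death
            raise ValueError(f"fragment ends at {end}, beyond {MAX_DATAGRAM}")
        if pkt["mf"] and len(pkt["payload"]) % 8:        # RFC 791: only the last fragment may be short
            raise ValueError("non-final fragment length not a multiple of 8")
        entry = self.table.setdefault(key, {"frags": [], "total": None})
        for s, e, _ in entry["frags"]:                    # Teardrop: reject any overlap outright
            if start < e and s < end:
                raise ValueError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if not pkt["mf"]:
            if entry["total"] is not None:
                raise ValueError("second final fragment")
            entry["total"] = end
        if entry["total"] is not None and max([e for _, e, _ in entry["frags"]] + [end]) > entry["total"]:
            raise ValueError("fragment extends past the final fragment")   # Bonk-style offset
        entry["frags"].append((start, end, pkt["payload"]))
        if entry["total"] is None:
            return None
        covered, frags = 0, sorted(entry["frags"])
        for s, e, _ in frags:
            if s != covered:
                return None                               # hole: wait; a real stack times this out
            covered = e
        del self.table[key]
        return b"".join(data for _, _, data in frags)


def drop_reason(reassembler, raw):
    """Feed one fragment; return the drop reason, or None if it was accepted."""
    try:
        reassembler.add(raw)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed: a final fragment at the highest possible offset that still carries 100 bytes.
    pod = build_ipv4("198.51.100.1", "192.0.2.7", 1, b"\x00" * 100, ident=8, offset=8191)
    print("ping of death:", drop_reason(Reassembler(), pod))
    land = parse_ipv4(build_ipv4("192.0.2.7", "192.0.2.7", 6, build_tcp_syn(139, 139)))
    print("land:", is_land(land))
```

A normal 40-byte datagram split into a 24-byte first fragment and a 16-byte last fragment reassembles correctly even when the last fragment arrives first. The Ping of Death case is a final fragment at offset 8191 (65,528 bytes) carrying 100 bytes, which ends at 65,628 and is dropped before any buffer is touched; the Teardrop case is a second fragment whose range starts inside the first one.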
Distributed Denial of Service (DDoS) Attacks
When an attacker attacks from multiple source systems, it is called a
Distributed Denial of Service (DDoS) attack. If the attacker is able to
organize a large number of users to connect to the same website at the same
time, the web server, often configured to allow a maximum number of client
connections, will deny further connections. Hence, a denial of service will
occur. This is a common method used by 'hacktivists'. An organization like
Greenpeace could organize such an attack against a Fortune 500 company's
website that sells fur, for example.
However, the attacker typically does not own these computers. The actual
owners are usually not aware that their system is being used in a DDoS
attack. The attacker usually distributes Trojan Horses containing malicious
code that allows the attacker to control the infected system. Such malicious
code is also referred to as a Backdoor. Once these Trojan Horses are
executed, they may use email to inform the attacker that the system can be
remotely controlled. The attacker then installs the tools required to perform
the attack. Once the attacker controls enough systems, which are referred to
as zombies or slaves, he or she can launch the attack. The following diagram
depicts such a scenario:

In most cases, it is difficult or even impossible
to prevent DDoS attacks entirely. Some routers, firewalls,
and IDSs are able to detect DoS attacks and block suspicious
connections to prevent a service from being overloaded. When
you are the victim of an ongoing DDoS attack, you should contact
your ISP to block the IP addresses that seem to be the source
of the attack. However, the attacker may forge the source
addresses, making it very difficult to trace the actual source(s)
of the attack without extensive cooperation of your ISP.