DoS Attack Details
January 25, 2010DoS Attack Detail
Maintaining a reliable and predictable network has become a strategic imperative for most businesses now dependent on the Internet. DoS attacks, which flood network links or Web sites with useless traffic, have become a serious threat to the reliability of critical business assets.
In a DoS attack, the attacker installs specialized control tools to compromise computers distributed throughout the Internet. These compromised hosts, also called “zombies,” are commanded to attack a target using DoS attack tools. An attack can consist of hundreds or thousands of individual assaults that can produce enough bogus traffic to overwhelm even the biggest Web sites or the highest-capacity network links.
The latest generation of zombies includes “Pulsing Zombies,” which send pulses of attack traffic at the intended target. The discontinuous nature of these attacks makes detection and location of these zombies far more difficult. In a recent attack attempt, the hackers conducted a dress rehearsal for their assault, during which attack traffic was directed at the target for a short period of time before a full-scale attack was launched.
This detailed diagram reveals how attack traffic flows through your data center and cripples valuable networking resources. Because DoS attacks are a distributed problem, they require a distributed solution unlike firewalls and IDS products. More than 50 percent of attacks can overwhelm the standard capacity of such point solutions – in fact, flood-based attacks often overwhelm standard server capacity by as much as 1200 times. Furthermore, existing attempts to solve the DoS problem are unable to scale to Gigabit+ speeds, are unable to detect new types of DoS attacks and focus on stopping bad network traffic problems rather than preserving good customer traffic flow in the face of such an attack.
More about DoS attack trends
DoS Attack Tools
The popular tools for DoS attacks include:
-
TFN2k: Coordinates hosts to attack a target using UDP Floods, SYN Floods, ICMP Floods, and Smurfing.
-
Stacheldraht: Coordinates hosts to attack a target using UDP Floods, SYN Floods, ICMP Floods, and Smurfing.
-
Mstream: Coordinates hosts to attack a target using ACK floods (similar to SYN floods).
-
trin00: Coordinates hosts to attack a target with UDP Floods.
Ongoing Trends
DoS attacks remain a big challenge to network reliability as they become more sophisticated and prevalent. The barriers to prevent attacker activity have been steadily crumbling – available defense tools have little automation, response is expensive, and the availability of good security and network personnel is shrinking due to the demand for them.
Degradation of Service
Known as the new DoS, a Degradation of Service attack causes a decrease in processing speed and may not initially be recognized as an attack. Businesses that pay for bandwidth on a per-usage basis will notice a increase in costs, but since the effects are not immediately and dramatically evident, the attacks may go undetected for long periods.
Behind these new DoS attacks is the latest generation of DoS attack methods, the pulsing zombies. In a pulsing zombie DoS attack, several small, short-lived bursts of traffic from multiple sources are directed toward a single target over an extended period of time. Since the stream of traffic is transmitted intermittently by alternating zombies instead of as a long constant flow, attacks are more difficult to detect and trace. Pulsing zombie attacks have two forms:
Periodic attacks, during which an attacker launches an hour-long attack on the same target every 24 hours.
Punctuated attacks, launched at one minute intervals. These types of attacks are not designed to cause damage and usually do not crash systems. Instead, they create a pattern of network unreliability that results in constant and consistent interruption and annoyance to legitimate traffic.
Reflector attacks
Another new trend in DoS attacks is the reflector attack. The attacker “launders” an attack by sending a packet spoofed with the victim’s source address to a third party. The third party responds by sending a response back towards the victim. If the third party is accessed using a broadcast address (as they are with the popular smurf or fraggle attacks) then third parties may amplify the attack further.
The key issue with reflector attacks is that the source address is specifically selected. Unless an IP address in the range monitored is used as a reflector, these types of attacks cannot be observed.
Ongoing Trends
DoS attacks remain a big challenge to network reliability as they become more sophisticated and prevalent. The barriers to prevent attacker activity have been steadily crumbling – available defense tools have little automation, response is expensive, and the availability of good security and network personnel is shrinking due to the demand for them.
Degradation of Service
Known as the new DoS, a Degradation of Service attack causes a decrease in processing speed and may not initially be recognized as an attack. Businesses that pay for bandwidth on a per-usage basis will notice a increase in costs, but since the effects are not immediately and dramatically evident, the attacks may go undetected for long periods.
Behind these new DoS attacks is the latest generation of DoS attack methods, the pulsing zombies. In a pulsing zombie DoS attack, several small, short-lived bursts of traffic from multiple sources are directed toward a single target over an extended period of time. Since the stream of traffic is transmitted intermittently by alternating zombies instead of as a long constant flow, attacks are more difficult to detect and trace. Pulsing zombie attacks have two forms:
Periodic attacks, during which an attacker launches an hour-long attack on the same target every 24 hours.
Punctuated attacks, launched at one minute intervals. These types of attacks are not designed to cause damage and usually do not crash systems. Instead, they create a pattern of network unreliability that results in constant and consistent interruption and annoyance to legitimate traffic.
Reflector attacks
Another new trend in DoS attacks is the reflector attack. The attacker “launders” an attack by sending a packet spoofed with the victim’s source address to a third party. The third party responds by sending a response back towards the victim. If the third party is accessed using a broadcast address (as they are with the popular smurf or fraggle attacks) then third parties may amplify the attack further.
The key issue with reflector attacks is that the source address is specifically selected. Unless an IP address in the range monitored is used as a reflector, these types of attacks cannot be observed
https://www.bestitdocuments.com/Samples