
What is a DoS Attack

February 28, 2010

A specific, directed attempt by individuals to cripple or deny access to technology resources. Most DoS attacks are directed at Internet online services.

Techniques:

  • Resource Exhaustion Attacks
    • Flood the victim (server) with packets
  • Bandwidth Consumption Attacks
    • Overload packet processing capacity
    • Saturate network bandwidth

Results of the attack

  • Network starvation
  • Loss of network connectivity
  • Bandwidth consumption
  • Consumption of limited system resources
    • CPU starvation
    • Memory starvation
    • Processing time
    • Disk space
    • Lockout of an account
    • Alteration of configuration information

Flood Attacks

A flood attack overwhelms a target’s Web site, CPU, memory, or other network resources by sending large numbers of spurious requests. Most network devices (including routers and NICs) are limited by packet processing rate, and an attacker will generally send small packets as quickly as possible to overload the network. These attacks cause legitimate packets to be dropped as network routers struggle to keep up with the combination of bogus and legitimate packets. Making them more difficult to resolve or prevent is the fact that attack traffic generally appears no different from legitimate user traffic.

The popular types of attacks include:

SYN Flood Attack: Consists of a stream of connection requests aimed at the target server. On many systems a relatively small flood of bogus packets will tie up memory, CPU, and applications, and can result in the server shutting down. It is one of the most common and powerful flooding attacks. A single host launching a small SYN flood at its maximum rate can overload a remote host and cause significant damage. These effects are compounded when attackers mount more powerful distributed attacks that leverage the resources of multiple hosts.

ICMP Flood Attack: Overwhelms the network with a stream of ICMP packets. This results in hanging the server and/or exhausting bandwidth, causing the denial of further connections.

Some Types of Denial of Service Attacks

Logic or Software Attacks
Logic attacks exploit existing software flaws in order to cause remote servers to crash or degrade in performance. Implementing a firewall and keeping operating system software current will address and resolve most of these.

Among the most popular software attacks are:

Syn-Attack: This sophisticated method of attack is characterized by an attacker flooding a particular server or server farm with Syn packets. Syn packets are the first packet sent during the setup of a TCP session. By sending only a Syn packet, and no subsequent packets to complete or end the session, the attacker leaves an orphan session open on the server. By sending enough Syn packets, an attacker can successfully disable a server by opening all of its available connections, thus denying real users access to the server. This type of attack is somewhat difficult to detect because each session that is opened looks just like a regular user to the server.

Ping of Death
These attacks utilize over-sized, invalid ping (ICMP) packets that can overwhelm the physical memory of a web server. This type of attack is aimed at specific operating systems with TCP stacks that cannot handle this type of traffic.

Smurf
This method of attack utilizes ping (ICMP) as well, but differs from the Ping of Death attack method by its use of many normal pings from many physical sources. A large number of ICMP echo (ping) messages are sent to an IP broadcast address, with the spoofed source address of the intended victim. The router for the destination network forwards the traffic to those broadcast addresses, whereupon most network hosts on that network reply directly to the spoofed address, which is the address of the site to be attacked. This can successfully flood a site with legitimate ping responses, thus occupying the server’s resources. These packets are spoofed with the target as the source of these packets. All the hosts on these networks reply to the attack target with ICMP echo replies. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.

The Land Denial of Service attack works by sending a spoofed packet with the SYN flag – used in a “handshake” between a client and a host – set from a host to any port that is open and listening. If the packet is programmed to have the same destination and source IP address, when it is sent to a machine, via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine.

Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data.

Fraggle or UDP Flood Attack: These are variants of the Smurf attack, and send UDP packets to broadcast addresses. These packets are spoofed with the target as the source of these packets. All the hosts on these networks reply to the victim with ICMP “unable to reach” messages. This rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users. An important point to note is that these are just a few of the most popular methods of attack, and that many of today’s server operating systems already defend against many of the most common Denial of Service attacks such as Ping of Death and Syn-Attacks.
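The Land, Smurf, Fraggle, Ping of Death and Teardrop attacks described above all rely on a packet (or fragment train) that a sane sender would never produce, which is why the enforcement-point table below lists them as things a firewall or router can validate. The following is an added example, not part of the original article: a small packet validator in Python that applies those checks to constructed packet records. The Packet fields, the check names and the 192.0.2.0/24 "protected network" are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed protected network; 192.0.2.0/24 is a documentation range, not a real site.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Largest data payload a 16-bit IP total length can carry after a 20-byte header.
MAX_IP_DATA = 65535 - 20


@dataclass
class Packet:
    """Constructed, simplified packet record; the field names are this example's own."""
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    flags: Tuple[str, ...] = ()           # TCP flags, e.g. ("SYN",)
    dport: Optional[int] = None
    icmp_type: Optional[int] = None       # 8 = echo request (ping)
    frag_offset: int = 0                  # offset of this fragment's data, in bytes
    payload_len: int = 0                  # bytes of data carried by this fragment


def is_broadcast(addr: str) -> bool:
    """True for the protected network's directed broadcast or the limited broadcast."""
    ip = ipaddress.ip_address(addr)
    return ip == LOCAL_NET.broadcast_address or str(ip) == "255.255.255.255"


def check_packet(p: Packet) -> List[str]:
    """Per-packet checks: returns the names of the attacks this one packet matches."""
    findings = []
    # Land: a SYN whose source and destination address are identical.
    if "SYN" in p.flags and p.src == p.dst:
        findings.append("land")
    # Smurf: ICMP echo request aimed at a broadcast address (its source is the spoofed victim).
    if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
        findings.append("smurf")
    # Fraggle: the UDP variant of Smurf, a UDP datagram aimed at a broadcast address.
    if p.proto == "udp" and is_broadcast(p.dst):
        findings.append("fraggle")
    return findings


def check_fragments(frags: List[Packet]) -> List[str]:
    """Checks on one fragment train (same source, destination and IP ID, already grouped)."""
    findings = set()
    end_of_previous = 0
    reassembled_end = 0
    for f in sorted(frags, key=lambda f: f.frag_offset):
        # Teardrop: a fragment starts before the previous one ends (overlap).
        if f.frag_offset < end_of_previous:
            findings.add("teardrop")
        end_of_previous = f.frag_offset + f.payload_len
        reassembled_end = max(reassembled_end, end_of_previous)
    # Ping of Death: the reassembled datagram would not fit the 16-bit IP length field.
    if reassembled_end > MAX_IP_DATA:
        findings.add("ping_of_death")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed samples: one packet per attack, plus a benign three-fragment ping.
    singles = {
        "land": Packet("192.0.2.10", "192.0.2.10", "tcp", ("SYN",), dport=80),
        "smurf": Packet("192.0.2.10", "192.0.2.255", "icmp", icmp_type=8),
        "fraggle": Packet("192.0.2.10", "192.0.2.255", "udp", dport=7),
    }
    for name, pkt in singles.items():
        print(name, "->", check_packet(pkt))
    benign = [Packet("198.51.100.5", "192.0.2.10", "icmp", icmp_type=8,
                     frag_offset=o, payload_len=1480) for o in (0, 1480, 2960)]
    print("benign fragments ->", check_fragments(benign))
    oversized = [Packet("198.51.100.5", "192.0.2.10", "icmp", icmp_type=8,
                        frag_offset=65528, payload_len=8)]
    print("oversized ping ->", check_fragments(oversized))
```

The per-packet checks are stateless and cheap enough for a router; the fragment checks need the whole train, which is why the table places "Validating IP Fragments" at layer 3 on a device that reassembles. A fragment train is judged by where its pieces end up, so a single fragment at offset 65528 is enough to exceed the 65535-byte limit without any other fragment arriving.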

D.O.S. Policy Enforcement Point

Recommended Enforcement Point =
Common Enforcement Point =

Attack Type                        Firewalls   Routers   DDOS Product   OSI Layer
IP Options for Anomalies                                                3
TCP Sequence                                                            4
Validating IP Fragments                                                 3
Ping O’Death attacks                                                    3
Land Attacks                                                            4
Broadcast Attacks                                                       3
ICMP Backwash Attacks                                                   2
Syn Floods                                                              2
Connection Floods                                                       2
Page Floods                                                             7
ICMP Floods                                                             2
TCP Floods                                                              3
UDP Floods                                                              3
IP Floods                                                               3
Outbound Bandwidth Floods                                               ALL
Inbound Bandwidth Floods                                                ALL
The worst offending IP addresses                                        3
Inbound Port Filtering

Chargen: Attempts to hang the server by causing it to send packets to itself and become occupied with processing those packets.

Types of DoS Remediation

Syn-Attack Protection
This feature monitors each new connection made to a server within a load balanced server farm. Because Internet Traffic Management devices front-end a company’s web server farm, they are aware of all new and existing user sessions being load balanced to the servers. When the Internet Traffic Management device receives a request for a new session from a user, it is load balanced to the most available server, using a number of definable criteria. If the session is not completed within 5 seconds (meaning that only the Syn packet was received) and no subsequent packets to complete the session are received, the Web Server Director closes the session on the physical server and removes the entry from its own client (session) table. This approach to DoS attack protection not only protects the Web Server Director, but more importantly protects a company’s web servers as well, thus maintaining the site’s usability and availability.
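The mechanism just described, and the Syn-Attack section earlier on the page, come down to one piece of state: a table of sessions that have sent a SYN but never completed the handshake, reaped after the 5-second limit so orphaned connections never accumulate on the real servers. The following is an added example and not the product's code: a Python model of that half-open session table, driven by constructed events (one legitimate client plus twenty SYNs from spoofed sources that never follow up). The class, method names, addresses and event format are this example's own assumptions; only the 5-second timeout comes from the page.

```python
from typing import Dict, List, Tuple

HALF_OPEN_TIMEOUT = 5.0   # seconds; the figure the page gives
SessionKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class HalfOpenTable:
    """Tracks sessions that sent a SYN but never finished the three-way handshake.

    The device in front of the server farm keeps this table; a session that
    stays half-open past the timeout is closed on the real server and forgotten
    here, so orphaned SYNs cannot pile up on the servers.
    """

    def __init__(self, timeout: float = HALF_OPEN_TIMEOUT):
        self.timeout = timeout
        self.pending: Dict[SessionKey, float] = {}   # session -> time its SYN arrived
        self.reaped: List[SessionKey] = []           # sessions closed on the server

    def on_syn(self, now: float, key: SessionKey) -> None:
        """Client's SYN: record the session as half-open."""
        self.expire(now)
        self.pending[key] = now

    def on_handshake_ack(self, now: float, key: SessionKey) -> bool:
        """Client's final ACK: the handshake completed, stop tracking the session.
        Returns False if the ACK is for a session already expired (or never seen)."""
        self.expire(now)
        return self.pending.pop(key, None) is not None

    def expire(self, now: float) -> int:
        """Close every session that has been half-open for at least `timeout` seconds."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
            self.reaped.append(k)   # where a real device would also reset the server side
        return len(stale)

    def half_open_by_source(self) -> Dict[str, int]:
        """Number of half-open sessions per client address, the figure to alert on."""
        counts: Dict[str, int] = {}
        for src, _, _, _ in self.pending:
            counts[src] = counts.get(src, 0) + 1
        return counts


SERVER = ("192.0.2.10", 80)   # assumed server behind the device (documentation address)


def constructed_events() -> List[Tuple[float, str, SessionKey]]:
    """Constructed traffic: (time, 'syn' | 'ack', session) tuples."""
    events: List[Tuple[float, str, SessionKey]] = []
    legit = ("198.51.100.7", 40000) + SERVER       # completes its handshake in 100 ms
    events.append((0.0, "syn", legit))
    events.append((0.1, "ack", legit))
    for i in range(20):                            # twenty spoofed sources, SYN only
        events.append((1.0 + i * 0.01, "syn", (f"203.0.113.{i}", 1024 + i) + SERVER))
    return events


def replay(events: List[Tuple[float, str, SessionKey]], observe_at: float) -> HalfOpenTable:
    """Feed events up to `observe_at` into a fresh table and expire as of that time."""
    table = HalfOpenTable()
    for now, kind, key in sorted(events, key=lambda e: e[0]):
        if now > observe_at:
            break
        if kind == "syn":
            table.on_syn(now, key)
        else:
            table.on_handshake_ack(now, key)
    table.expire(observe_at)
    return table


if __name__ == "__main__":
    early = replay(constructed_events(), observe_at=2.0)
    print("at t=2.0: half-open", len(early.pending), "reaped", len(early.reaped))
    late = replay(constructed_events(), observe_at=6.5)
    print("at t=6.5: half-open", len(late.pending), "reaped", len(late.reaped))
```

At t=2.0 the table holds the twenty orphaned sessions and none have been reaped; by t=6.5 all twenty have aged past the limit and the servers are clean again, while the legitimate client was dropped from the table the moment its ACK arrived. Because each spoofed source appears only once, a per-source count alone would not flag this flood; the timeout is what keeps the servers' connection tables bounded.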

Facility for Access Control and Security (FACS)
Packet filtering is used to control the flow of specific types of traffic to and from servers. Rules can be created to control access based on user-defined criteria such as packet type (TCP, UDP, ICMP, etc.) and specific user-defined ports. Access can also be controlled by source and destination address as well as application port. This can be extremely important when trying to prevent any type of ICMP attack such as Ping of Death and Smurf.

By utilizing this feature, the Web Server Director will simply drop any traffic meeting the administrator’s predefined criteria as well as report such incidents via SNMP or Syslog traps.
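The packet-filtering feature above amounts to an ordered rule list matched on protocol, address and port, where a hit on a drop rule discards the packet and emits a report. The following is an added example, not the product's own filter: a first-match rule engine in Python with CIDR matching via the standard ipaddress module, and a constructed policy that blocks echo requests (the Smurf and Ping of Death vector), the chargen port (UDP 19) and a source range standing in for "the worst offending IP addresses". The Rule and Packet fields, the rule names, the log line format and the addresses are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; field names are this example's own."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None   # 8 = echo request


@dataclass(frozen=True)
class Rule:
    """One administrator-defined filter rule; a None field matches anything."""
    name: str
    action: str                       # "drop" or "allow"
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR, e.g. "203.0.113.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _in_net(cidr: Optional[str], addr: str) -> bool:
    """Address matches the CIDR (or the rule does not constrain that address)."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, Optional[str]]:
    """First matching rule wins; returns (action, report line or None).

    Only drops are reported, as the page describes; the report line is a
    constructed syslog-style message, not any real product's format.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            report = None
            if rule.action == "drop":
                report = (f"filter: DROP rule={rule.name} proto={pkt.proto} "
                          f"src={pkt.src} dst={pkt.dst} dport={pkt.dport} icmp_type={pkt.icmp_type}")
            return rule.action, report
    return default, None


# Constructed policy protecting the assumed 192.0.2.0/24 server network.
POLICY = [
    Rule("worst-offenders", "drop", src="203.0.113.0/24"),
    Rule("no-echo-request", "drop", proto="icmp", icmp_type=8, dst="192.0.2.0/24"),
    Rule("no-chargen", "drop", proto="udp", dport=19),
]


def apply_policy(packets: List[Packet]) -> Tuple[int, List[str]]:
    """Run every packet through POLICY; return (allowed count, drop reports)."""
    allowed = 0
    reports = []
    for pkt in packets:
        action, report = filter_packet(POLICY, pkt)
        if action == "allow":
            allowed += 1
        else:
            reports.append(report)
    return allowed, reports


if __name__ == "__main__":
    sample = [
        Packet("198.51.100.4", "192.0.2.10", "tcp", dport=80),        # normal web request
        Packet("198.51.100.4", "192.0.2.10", "icmp", icmp_type=8),    # ping to the server
        Packet("198.51.100.4", "192.0.2.10", "udp", dport=19),        # chargen
        Packet("203.0.113.9", "192.0.2.10", "tcp", dport=80),         # blocked source
    ]
    allowed, reports = apply_policy(sample)
    print("allowed:", allowed)
    for line in reports:
        print(line)
```

Rule order matters: the source block sits first so that anything from that range is dropped regardless of protocol, and the default is allow because the page describes the device dropping only traffic that meets the administrator's criteria. Echo replies (ICMP type 0) pass the echo-request rule, so the servers' own outbound pings still work.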

Global Fail-Over and Load Balancing
This technique allows for protection against attacks that render a company’s Internet link useless by consuming the link’s bandwidth. This involves the deployment of multiple, globally redundant, load balanced sites. If a hacker is attempting to flood a site with bogus requests, Internet Traffic Management load balancing techniques within the DS (Distributed Sites) or NP (Network Proximity) can ensure uptime to legitimate users by directing them to the most available site. This can be achieved with several redirection methods, directing users to sites based on real-time site load as well as true proximity to the actual site.

Multi-Homing
Another popular method, aside from deploying multiple, geographically separate sites, is to add an additional Internet connection through an alternate Internet provider. Internet Traffic Management allows for the seamless operation of outbound and inbound traffic through both links. If one link were to succumb to an attack, the Internet Traffic Management device can intelligently direct all traffic, inbound and outbound, through the unaffected link, allowing for the continuous flow of traffic and site availability.

Links:

DDoS.ppt

DDoS2.ppt

https://www.bestitdocuments.com/Samples