Newspapers Internet magazines came with cover stories when Denial of service (DoS) attacks assaulted a number of large and very successful companies&qt;&qt; websites last year. Those who claim to provide security tools were under attack. If Yahoo, Amazon, CNN and Microsoft feel victim to DoS attacks, can any site-owner feel safe?
In this article we&qt;&qt;ll try to make site owners understand the "In and Outs" of DoS and DDoS attack methods, vulnerabilities, and potential solutions to these problems. Webmasters are usually seen searching for solutions to new security threats and ways of patching-up before it is too late.
In a Denial of Service (DoS) attack, the attacker sends a stream of requests to a service on the server machine in the hope of exhausting all resources like "memory" or consuming all processor capacity.
DoS Attacks Involve:
- Jamming Networks
- Flooding Service Ports
- Misconfiguring Routers
- Flooding Mail Servers
In Distributed DoS (DDoS) attack, a hacker installs an agent or daemon on numerous hosts. The hacker sends a command to the master, which resides in any of the many hosts. The master communicates with the agents residing in other servers to commence the attack. DDoS are harder to combat because blocking a single IP address or network will not stop them. The traffic can derive from hundred or even thousands of individual systems and sometimes the users are not even aware that their computers are part of the attack.
DDoS Attacks Involve:
- FTP Bounce Attacks
- Port Scanning Attack
- Ping Flooding Attack
- Smurf Attack
- SYN Flooding Attack
- IP Fragmentation/Overlapping Fragment Attack
- IP Sequence Prediction Attack
- DNS Cache Poisoning
- SNMP Attack
- Send Mail Attack
Some of the more popular attack methods are described below.
FTP Bounce Attack
FTP (File Transfer Protocol) is used to transfer documents and data anonymously from local machine to the server and vice versa. All administrators of FTP servers should understand how this attack works. The FTP bounce attack is used to slip past application-based firewalls.
In a bounce attack, the hacker uploads a file to the FTP server and then requests this file be sent to an internal server. The file can contain malicious software or a simple script that occupies the internal server and uses up all the memory and CPU resources.
To avoid these attacks, the FTP daemon on the Web servers should be updated regularly. The site FTP should me monitored regularly to check whether any unknown file is transferred to the Web server. Firewalls also help by filtering content and commands. Some firewalls block certain file extensions, a technique that can help block the upload of malicious software.
Port Scanning Attack
A port scan is when someone is using software to systematically scan the entry points on other person’s machine. There are legitimate uses for this software in managing a network.
Most hackers enter another’s computer to leave unidentifiable harassing messages, capture passwords or change the set-up configuration. The defense for this is through, consistent network monitoring. There are free tools that monitor for port scans and related activity.
Ping Flooding Attack
Pinging involves one computer sending a signal to another computer expecting a response back. Responsible use of pinging provides information on the availability of a particular service. Ping Flooding is the extreme of sending thousands or millions of pings per second. Ping Flooding can cripple a system or even shut down an entire site.
A Ping Flooding Attack floods the victim’s network or machine with IP Ping packets. At least 18 operating systems are vulnerable to this attack, but the majority can be patched. There are also numerous routers and printers that are vulnerable. Patches cannot currently be applied throughout a global network easily.
A Smurf Attack is modification of the "ping attack” and instead of sending pings directly to the attacked system, they are sent to a broadcast address with the victim’s return address. A range of IP addresses from the intermediate system will send pings to the victim, bombarding the victim machine or system with hundreds or thousands of pings.
One solution is to prevent the Web server from being used as a broadcast. Routers must be configured to deny IP-Directed broadcasts from other networks into the network. Another helpful measure is to configure the router to block IP spoofing from the network to be saved. Routers configured as such will block any packets that donor originate in the Network. To be effective this must be done to all routers on the network.
SYN Flooding Attack
This attack exploits vulnerability in the TCP/IP communications protocol. This attack keeps the victim machine responding back to a non-existent system. The victim is sent packets and asked to response to a system or machine with an incorrect IP address. As it responds, it is flooded with the requests. The requests wait for a response until the packets begin to time out and are dropped. During the waiting period, the victim system is consumed by the request and cannot respond to legitimate requests.
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge) response. The destination host must hear an acknowledgement, or ACK packet, of the SYN ACK before the connection is established. This is referred as the "TCP three-way handshake”.
Decreasing the time-out waiting period for the three way handshake can help to reduce the risk of SYN flooding attacks, as will increasing the size of the connection queue (the SYN ACK queue). Applying service packs to upgrade older operating systems is also a good countermeasure. More recent operating systems are resistant to these attacks.
IP Fragmentation/Overlapping Fragment Attack
To facilitate IP transmission over comparatively congested networks. IP packets can be reduced in size or broken into smaller packets. By making the packets very small, routers and intrusion detection systems cannot identify the packets contents and will let them pass through without any examination. When a packet is reassembled at the other end, it overflows the buffer. The machine will hang, reboot or may exhibit no effect at all.
In an Overlapping Fragment Attack, the reassembled packet starts in the middle of another packet. As the operating system receives these invalid packets, it allocates memory to hold them. This eventually uses all the memory resources and causes the machine to reboot or hang.
IP Sequence Prediction Attack
Using the SYN Flood method, a hacker can establish connection with a victim machine and obtain the IP packet sequence number in an IP Sequence Prediction Attack. With this number, the hacker can control the victim machine and fool it into believing it’s communicating with another network machines. The victim machine will provide requested services. Most operating systems now randomize their sequence numbers to reduce the possibility of prediction.
DNS Cache Poisoning
DNS provides distributed host information used for mapping domain names and IP addresses. To improve productivity, the DNS server caches the most recent data for quick retrieval. This cache can be attacked and the information spoofed to redirect a network connection or block access to the Web sites),a devious tactic called DNS cache poisoning.
The best defense against problems such as DNS cache poisoning is to run the latest version of the DNS software for the operating system in use. New versions track pending and serialize them to help prevent spoofing.
Most network devices support SNMP because it is active by default. An SNMP Attack can result in the network being mapped, and traffic can be monitored and redirected.
The best defense against this attack is upgrading toSNMP3, which encrypts passwords and messages. Since SNMP resides on almost all network devices, routers, hubs, switches, Servers and printers, the task of upgrading is huge. Some vendors now offer an SNMP Management tool that includes upgrade distribution for global networks.
UDP Flood Attack
AUDP Flood Attacks links two unsuspecting systems. By Spoofing, the UDP flood hooks up one system’s UDP service (which for testing purposes generates a series of characters for each packet it receives) with another system’s UDP echo service (which echoes any character it receives in an attempt to test network programs). As a result a non-stop flood of useless data passes between two systems.
Send Mail Attack
In this attack, hundreds of thousands of messages are sent in a short period of time; a normal load might only be 100 or1000 messages per hour. Attacks against Send Mail might not make the front page, but downtime on major websites will.
For companies whose reputation depends on the reliability and accuracy of their Web-Based transactions, a DoS attack can be a major embarrassment and a serious threat to business.
Frequent denial-of-service attacks and a change in strategy by "Black-Hat Hackers" are prompting enterprises to demand technology that proactively blocks malicious traffic.
Tools and services that reflect approaches to combat such DoS attacks have been introduced with time. These are normally upgrades to what was produced before. No solution is ever said to be an ultimate solution to defend DoS attacks. Despite the new technology coming everyday, the attacks are likely to continue.