Dos Attacks
DOS ATTACKS

What it means

• A denial-of-service, or DoS, attack is an attempt to defeat availability, the third of
the three basic properties to be preserved in computer security.

• A user is denied access to authorized services or data.

• Confidentiality and integrity are concerned with preventing unauthorized access;
availability is concerned with preserving authorized access.

• DoS can occur from excessive volume, a failed application, a severed link, or hardware
or software failure.


FLOODING ATTACKS

• Insufficient Resources - the attacker can try to consume a critical amount of a
scarce resource. Examples of insufficient resources may be slots in a table of network
connections, room in a buffer, or cycles of a processor.

• Insufficient Capacity - if the attacker’s bandwidth is greater than that of the
victim, the attacker can overwhelm the victim with the asymmetry.
NETWORK FLOODING CAUSED BY MALICIOUS CODE
• Sophisticated attacks are made on ICMP (Internet Control Message Protocol).
• ICMP is used for system diagnostics; these protocols do not have associated user
applications.
• ICMP protocols include
  • ping, which requests a destination to return a reply, intended to show that the
  destination system is reachable and functioning
  • echo, which requests a destination to return the data sent to it, intended to
  show that the connection link is reliable (ping is actually a version of echo)
  • destination unreachable, which indicates that a destination address cannot be
  accessed
  • source quench, which means that the destination is becoming saturated and the
  source should suspend sending packets for a while
Ping of Death

• A ping of death is a simple attack, using the ping command that is ordinarily used to
test response time from a host.

• Since ping requires the recipient to respond to the packet, all the attacker needs to do
is send a flood of pings to the intended victim.

• The attack is limited by the smallest bandwidth on the attack route.

• If the attacker is on a 10-megabyte (MB) connection and the path to the victim is
100 MB or more, mathematically the attacker alone cannot flood the victim.

• But the attack succeeds if the numbers are reversed: the attacker on a 100-MB
connection can certainly flood a 10-MB victim.

• The ping packets will saturate the victim’s bandwidth.


Smurf

• The smurf attack is a variation of a ping attack.

• It uses the same vehicle, a ping packet, with two extra twists.

• First, the attacker chooses a network of unwitting victims that become accomplices.

• The attacker spoofs the source address in the ping packet so that it appears to come from
the victim, which means a recipient will respond to the victim.

• Then, the attacker sends this request to the network in broadcast mode by setting the last
byte of the address to all 1s; broadcast mode packets are distributed to all hosts on the
subnetwork.

• In this way the attacker uses the entire subnetwork to multiply the attack’s effect.
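The amplification described above can be modelled directly, together with the two controls that remove it: a border router that does not forward directed broadcasts (the default behaviour RFC 2644 asks for), and an ingress/egress filter at the attacker's own edge that drops packets whose claimed source is not from the local prefix (BCP 38). This is an added example, not code from the slides; the prefixes, host count and function names are constructed for the illustration.

```python
"""Added model of smurf amplification and of its two standard defences.

Addresses use the RFC 5737 documentation prefixes; the subnet size, the
victim and the helper names are constructed for this illustration and are
not part of the original slides.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class EchoRequest:
    src: IPv4Address  # claimed source; the attacker writes the victim here
    dst: IPv4Address  # a unicast host or the subnet's directed-broadcast address


def is_directed_broadcast(dst: IPv4Address, subnet: IPv4Network) -> bool:
    """The slides describe setting the host bits to all 1s; ipaddress computes
    that address for the subnet as broadcast_address."""
    return dst == subnet.broadcast_address


def source_belongs_to(pkt: EchoRequest, origin: IPv4Network) -> bool:
    """BCP 38 style check at the attacker's own edge: a packet leaving a
    network must carry a source address from that network. A spoofed victim
    address fails this and the packet never reaches the amplifier."""
    return pkt.src in origin


def echo_replies(pkt, subnet, hosts, forward_directed_broadcast, answer_broadcast_echo):
    """Replies generated inside `subnet` for one echo request.

    Returns a list of (replying host, reply destination). Every reply goes to
    pkt.src, which is why a spoofed source turns the subnet into an amplifier.
    """
    if is_directed_broadcast(pkt.dst, subnet):
        if not forward_directed_broadcast:
            return []  # dropped at the border router
        if not answer_broadcast_echo:
            return []  # hosts configured to ignore broadcast echo requests
        return [(h, pkt.src) for h in hosts]
    if pkt.dst in hosts:
        return [(pkt.dst, pkt.src)]  # ordinary unicast ping: exactly one reply
    return []


def amplification(pkt, subnet, hosts, forward_directed_broadcast=True, answer_broadcast_echo=True):
    """Packets the victim receives per packet the attacker sends."""
    return len(echo_replies(pkt, subnet, hosts, forward_directed_broadcast, answer_broadcast_echo))


# Constructed scenario: a 50-host subnet, a victim elsewhere, an attacker elsewhere again.
AMPLIFIER_NET = IPv4Network("192.0.2.0/24")
AMPLIFIER_HOSTS = [IPv4Address(f"192.0.2.{i}") for i in range(10, 60)]
ATTACKER_NET = IPv4Network("203.0.113.0/24")
VICTIM = IPv4Address("198.51.100.5")
SPOOFED_REQUEST = EchoRequest(src=VICTIM, dst=AMPLIFIER_NET.broadcast_address)


def demo():
    """Amplification under each configuration, and whether the edge filter passes the packet."""
    return {
        "unprotected": amplification(SPOOFED_REQUEST, AMPLIFIER_NET, AMPLIFIER_HOSTS),
        "no_directed_broadcast": amplification(
            SPOOFED_REQUEST, AMPLIFIER_NET, AMPLIFIER_HOSTS, forward_directed_broadcast=False),
        "hosts_ignore_broadcast": amplification(
            SPOOFED_REQUEST, AMPLIFIER_NET, AMPLIFIER_HOSTS, answer_broadcast_echo=False),
        "egress_filter_passes": source_belongs_to(SPOOFED_REQUEST, ATTACKER_NET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each of the three controls is independently sufficient in the model: the router refusing the directed broadcast, the hosts refusing to answer broadcast pings, or the attacker's provider filtering the spoofed source all bring the factor to zero, which is why all three are usually deployed together.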
Echo–Chargen

• The echo–chargen attack works between two hosts.

• Chargen is an ICMP protocol that generates a stream of packets to test the network’s
capacity.

• Echo is another ICMP protocol used for testing; a host receiving an echo returns
everything it receives to the sender.
Echo–Chargen
• The attacker picks two victims, A and B, and then sets up a chargen process on host A
that generates its packets as echo packets with a destination of host B.

• Thus, A floods B with echo packets.

• But because these packets request the recipient to echo them back to the sender, host B
replies by returning them to host A.

• This series puts the network infrastructures of A and B into an endless loop, as A
generates a string of echoes that B dutifully returns to A, just as in a game of tennis.

• Alternatively, the attacker can make B both the source and destination address of the
first packet, so B hangs in a loop, constantly creating and replying to its own messages.
SYN Flood

• This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work
against the victim.
• For a protocol such as Telnet or SMTP, the protocol peers establish a virtual connection,
called a session, to synchronize the back-and-forth, command–response nature of the
interaction.
• A session is established with a three-way TCP handshake.
• Each TCP packet has flag bits, one of which is denoted SYN (synchronize) and one denoted ACK
(acknowledge).
• First, to initiate a TCP connection, the originator sends a packet with the SYN bit on.
• Second, if the recipient is ready to establish a connection, it replies with a packet with both the SYN
and ACK bits on.
• Finally, the first party completes the exchange to demonstrate a clear and complete communication.

Three-way TCP handshake.
SYN Flood

• Attackers can flood the SYN_RECV queue.

• Attackers can spoof a non-existent return address in the initial SYN packet.

1. The attacker does not want to disclose the real source address in case someone should
inspect the packets in the SYN_RECV queue to try to identify the attacker.

2. The attacker wants to make the malicious SYN packets indistinguishable from
legitimate SYN packets to establish real connections.

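The effect on the SYN_RECV queue can be seen in a small model of the server side of the handshake: each SYN occupies a half-open entry until the final ACK arrives or the entry times out, so a burst of SYNs from unreachable, spoofed sources fills the queue and a real client's SYN is dropped. The model also shows the standard mitigation, SYN cookies, where the server keeps no per-SYN state and instead derives the sequence number it returns from the connection parameters and a time bucket. This is an added example, not code from the slides; the queue size, timeout, addresses and the cookie construction (a truncated HMAC, with the client echoing the cookie back unchanged rather than the real seq+1 rule) are constructed for the illustration.

```python
"""Added model of SYN_RECV queue exhaustion and of SYN cookies as mitigation.

Backlog size, timeout, addresses and the cookie construction are constructed
for this illustration and are not part of the original slides.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"  # constructed; a real server rotates this


@dataclass
class Server:
    backlog: int                    # capacity of the SYN_RECV queue
    syn_timeout: float = 60.0       # how long a half-open entry lives
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)  # (src, port) -> (seq, time)
    established: set = field(default_factory=set)
    _isn: int = 1000                # next initial sequence number

    def _cookie(self, src, port, now):
        """Stateless sequence number: HMAC over the peer and a 64 s time bucket."""
        bucket = int(now // 64)
        msg = f"{src}:{port}:{bucket}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items()
                          if now - v[1] < self.syn_timeout}

    def on_syn(self, src, port, now):
        """Step one: return the sequence number for the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src, port, now)  # nothing stored, so nothing to exhaust
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None  # queue full: the SYN is silently dropped
        self._isn += 1
        self.half_open[(src, port)] = (self._isn, now)
        return self._isn

    def on_ack(self, src, port, ack_seq, now):
        """Step three: True if the connection becomes established."""
        if self.syn_cookies:
            valid = {self._cookie(src, port, now), self._cookie(src, port, now - 64)}
            ok = ack_seq in valid  # recompute instead of looking up stored state
        else:
            entry = self.half_open.pop((src, port), None)
            ok = entry is not None and entry[0] == ack_seq
        if ok:
            self.established.add((src, port))
        return ok


def legit_connect(server, src, port, now):
    """A real client completes all three steps."""
    seq = server.on_syn(src, port, now)
    return seq is not None and server.on_ack(src, port, seq, now + 0.01)


def spoofed_flood(server, count, now):
    """SYNs from addresses that never answer: only step one ever happens."""
    for i in range(count):
        server.on_syn(f"203.0.113.{i % 256}", 1024 + i, now)


def scenario(syn_cookies, flood=500, backlog=128, legit_at=1001.0):
    """Flood the server at t=1000, then let a real client try at legit_at."""
    s = Server(backlog=backlog, syn_cookies=syn_cookies)
    spoofed_flood(s, flood, now=1000.0)
    return {"legit_ok": legit_connect(s, "198.51.100.7", 50000, legit_at),
            "half_open": len(s.half_open)}


if __name__ == "__main__":
    print("plain backlog:", scenario(syn_cookies=False))
    print("after timeout:", scenario(syn_cookies=False, legit_at=1100.0))
    print("syn cookies:  ", scenario(syn_cookies=True))
```

Without cookies the flood pins the queue at its capacity until the entries age out, so the legitimate client only succeeds once the timeout has passed; with cookies the queue stays empty and the client connects during the flood. The same half-open count is what a monitoring rule would watch: a queue that sits at capacity while completed handshakes stay flat is the signature of this attack.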

NETWORK FLOODING BY RESOURCE EXHAUSTION
• Unnecessary context switching.

• With too many processes, a system can enter a state called thrashing, in which its
performance fails because of nearly continuous context switching.

• Time can be exhausted.

• Buffers for incoming email can be overwhelmed by a sudden flood of incoming
messages.

• Logging and log files can be swamped by a large number of errors or fault conditions
that must be handled.

• Buffers for reassembling fragmented communications can also be exhausted.


IP Fragmentation: Teardrop

• The attacker sends a series of datagrams that cannot fit together properly.

• One datagram might say it is position 0 for length 60 bytes, another position 30 for 90
bytes, and another position 41 for 173 bytes.

• These three pieces overlap, so they cannot be reassembled properly.

• In an extreme case, the operating system locks up with these partial data units it
cannot reassemble, thus leading to denial of service.
Denial of Service by Addressing Failures

• Misrouting is an attack that achieves two goals.

DNS Spoofing

• At the heart of Internet addressing is a protocol called DNS or Domain Name System protocol.

• DNS is the database of translations of Internet names to addresses, and the DNS protocol
resolves the name to an address.

• For efficiency, a DNS server builds a cache of recently used domain names; this cache is
the target of an attack called DNS poisoning.

• A standard DNS query and response in which the user requests a translation of the URL
microsoft.com, and the name server responds with the address 207.46.197.32.
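The cache is only as trustworthy as the check a resolver makes before writing to it. The sketch below caches a response only when it answers a query the resolver actually has outstanding: same transaction ID, same question name, arriving on the port the query left from, with both the ID and the port chosen at random (the RFC 5452 practice). An unsolicited or mismatched answer is dropped rather than cached, and a late duplicate of a real answer is dropped too. This is an added example, not code from the slides; the name and address come from the slide, while the record classes, the forged address and the helper names are constructed for the illustration.

```python
"""Added sketch of the match-before-cache check in a DNS resolver.

The query name and the legitimate address come from the slide; the message
classes, the forged address and the helper names are constructed for this
illustration and are not part of the original slides.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    address: str


@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)     # qname -> address
    pending: dict = field(default_factory=dict)   # (txid, src_port) -> Query
    rejected: list = field(default_factory=list)  # responses that matched nothing

    def send_query(self, qname: str) -> Query:
        """Random 16-bit ID and random source port, so an answer is hard to forge blind."""
        q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname.lower())
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, r: Response) -> bool:
        """Cache only a response that matches an outstanding query."""
        q = self.pending.get((r.txid, r.dst_port))
        if q is None or q.qname != r.qname.lower():
            self.rejected.append(r)  # unsolicited, wrong ID/port, or wrong question
            return False
        del self.pending[(r.txid, r.dst_port)]  # first matching answer wins; later ones are dropped
        self.cache[q.qname] = r.address
        return True

    def lookup(self, qname: str):
        return self.cache.get(qname.lower())


def demo():
    """One legitimate lookup under attempted poisoning."""
    res = Resolver()
    q = res.send_query("microsoft.com")
    # A forged answer that guessed the port but not the transaction ID (address constructed).
    forged = Response((q.txid + 1) & 0xFFFF, q.src_port, "microsoft.com", "192.0.2.66")
    forged_taken = res.receive(forged)
    # The legitimate answer, with the address from the slide.
    real = Response(q.txid, q.src_port, "microsoft.com", "207.46.197.32")
    real_taken = res.receive(real)
    # A replay of the real answer no longer matches anything pending.
    replay_taken = res.receive(real)
    return {"forged_taken": forged_taken, "real_taken": real_taken,
            "replay_taken": replay_taken, "cached": res.lookup("microsoft.com"),
            "rejected": len(res.rejected)}


if __name__ == "__main__":
    print(demo())
```

The counter of rejected responses is worth exporting: a burst of answers that match no pending query is the observable side of a poisoning attempt, and the 32 bits of randomness (ID plus port) are what make that burst necessary rather than a single forged packet.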
Rerouting Routing

Session Hijacking
Distributed Denial of Service (DDoS)

Botnets

Botnet operators make money by renting compromised hosts for DDoS or other activity.
The rent is mostly profit.
