13-05-2014, 12:26 PM
Denial of Service Attacks
Denial of Service.pdf (Size: 773.82 KB / Downloads: 189)
ABSTRACT
Denial of service (DoS) attacks have become a major threat to current computer networks. To
have a better understanding on DoS attacks, this article provides an overview on existing DoS
attacks and major defense technologies in the Internet and wireless networks. In particular, we
describe network based and host based DoS attack techniques to illustrate attack principles. DoS
attacks are classified according to their major attack characteristics. Current counterattack
technologies are also reviewed, including major defense products in deployment and
representative defense approaches in research. Finally, DoS attacks and defenses in 802.11 based
wireless networks are explored at physical, MAC and network layers.
INTRODUCTION
Denial of service (DoS) attacks have become a major threat to current computer networks. Early
DoS attacks were technical games played among underground attackers. For example, an
attacker might want to get control of an IRC channel via performing DoS attacks against the
channel owner. Attackers could get recognition in the underground community via taking down
popular web sites. Because easy-to-use DoS tools, such as Trinoo (Dittrich 1999), can be easily
downloaded from the Internet, ordinary computer users can become DoS attackers as well. They
have sometimes coordinated to express their views by launching DoS attacks against organizations
whose policies they disagreed with. DoS attacks have also been used for criminal purposes. Companies
might use DoS attacks to knock out their competitors in the market. Extortion via DoS attacks
was on the rise in the past years (Pappalardo et al. 2005). Attackers threatened online businesses
with DoS attacks and demanded payments for protection.
OVERVIEW OF DOS ATTACKS IN THE INTERNET
In this section, we overview the common DDoS attack techniques and discuss the fundamental
reasons why attacks succeed.
A. Attack Techniques
Many attack techniques can be used for DoS purposes as long as they can disable a service, or
downgrade service performance by exhausting the resources needed to provide it. Although it is
impossible to enumerate all existing attack techniques, we describe several representative
network based and host based attacks in this section to illustrate attack principles. Readers can
also find complementary information on DoS attacks in Handley et al. 2006 and Mirkovic et al.
2005.
Network Based Attacks
TCP SYN Flooding. DoS attacks often exploit stateful network protocols (Jian 2000, Shannon et
al. 2002), because these protocols consume resources to maintain state. TCP SYN flooding is
one such attack and has had a wide impact on many systems. When a client attempts to establish
a TCP connection to a server, the client first sends a SYN message to the server. The server then
acknowledges by sending a SYN-ACK message to the client. The client completes the
establishment by responding with an ACK message. The connection between the client and the
server is then opened, and the service-specific data can be exchanged between them. The abuse
arises at the half-open state when the server is waiting for the client’s ACK message after
sending the SYN-ACK message to the client (CERT 1996). The server needs to allocate memory
for storing the information of the half-open connection. The memory will not be released until
either the server receives the final ACK message or the half-open connection expires. Attacking
hosts can easily create half-open connections by spoofing source IPs in SYN messages or by
ignoring SYN-ACKs. The consequence is that the final ACK message will never be sent to the
victim. Because the victim normally allocates only a limited amount of space in its connection table, too
many half-open connections will soon fill that space.
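To make the half-open state concrete, here is an added example (not from the article or the attached PDF) that models a server's SYN backlog as a fixed-size table with a timeout, and next to it the stateless SYN-cookie defence that stores nothing until the ACK returns. The backlog size, timeout, key and addresses are constructed values; the cookie is a simplified keyed MAC, not the real kernel ISN layout.

```python
import hmac, hashlib

class HalfOpenTable:
    """Stateful server: every unanswered SYN occupies a backlog slot until the
    final ACK arrives or the entry expires (the behaviour described above)."""
    def __init__(self, backlog, timeout):
        self.backlog, self.timeout = backlog, timeout
        self.entries = {}  # (src_ip, src_port) -> time the SYN-ACK was sent

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.entries) >= self.backlog:
            return False  # backlog full: SYN dropped, legitimate client gets no SYN-ACK
        self.entries[src] = now
        return True

    def on_ack(self, src, now):
        return self.entries.pop(src, None) is not None  # handshake completes

class SynCookieServer:
    """Stateless alternative: encode the 4-tuple and a coarse timestamp into the
    SYN-ACK sequence number with a keyed MAC, and verify it when the ACK returns.
    Simplified: real SYN cookies also pack MSS bits into the ISN."""
    def __init__(self, key):
        self.key = key

    def cookie(self, src, dst, minute):
        msg = f"{src}|{dst}|{minute}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, dst, now):
        return self.cookie(src, dst, int(now // 60))  # ISN for the SYN-ACK; no state kept

    def on_ack(self, src, dst, ack_num, now):
        minute, isn = int(now // 60), ack_num - 1  # TCP ACK number is ISN + 1
        return any(isn == self.cookie(src, dst, m) for m in (minute, minute - 1))

def simulate(backlog=128, timeout=60.0, spoofed=500):
    """Constructed scenario: `spoofed` SYNs that never complete, then one
    legitimate client. Returns (stateful_accepts_legit, cookie_accepts_legit)."""
    table = HalfOpenTable(backlog, timeout)
    for i in range(spoofed):  # documentation-range source addresses, never ACKed
        table.on_syn(("198.51.100.%d" % (i % 250), 40000 + i), now=1.0)
    legit, dst = ("203.0.113.7", 51515), ("192.0.2.1", 443)
    stateful_ok = table.on_syn(legit, now=2.0) and table.on_ack(legit, now=2.1)
    srv = SynCookieServer(b"constructed-secret-key")
    isn = srv.on_syn(legit, dst, now=2.0)
    cookie_ok = srv.on_ack(legit, dst, isn + 1, now=2.1)
    return stateful_ok, cookie_ok
```

With the defaults the stateful table is full before the legitimate client arrives, while the cookie server completes the same handshake without having stored anything.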
Host Based Attacks
Besides misusing network protocols, attackers can also launch DoS attacks by exploiting
vulnerabilities in the target's applications and systems. Unlike network based attacks, this
type of attack is application specific, i.e., it exploits particular algorithms (Crosby et al. 2003),
memory structures (Cowan et al. 2003), authentication protocols (Dean et al. 2001, Zhang et al.
2005), implementations (CERT 1997), etc. Attacks can be launched either from a single host as a
conventional intrusion or from a number of hosts as a network based DDoS attack. The traffic of
host based attacks need not be as high as that of network based attacks, because application flaws and
deficiencies can easily crash applications or consume a tremendous amount of computer
resources. Several example attacks are described as follows.
Dean et al. (2001) identified that attackers could easily arrange an attack such that E-commerce
web sites remain available, but clients are unable to complete any purchase. Such an attack is
based on going after the secure server that processes credit card payments. In such E-commerce
applications, the SSL/TLS protocol is used to make secure connections between clients and
servers. The protocol allows a client to request the server to perform an RSA decryption. RSA
decryption is an expensive operation. For instance, a large secure web site can process a few
thousand RSA decryptions per second. If an SSL handshake request takes 200 bytes and a server
can process 5000 decryptions per second, 1MB/s of requests is sufficient to paralyze an E-
commerce site, which is a small and hard-to-notice amount of traffic. Attackers can also send large
modulus values via client certificates to increase the RSA computation per authentication.
Consequently, mutual authentication cannot be done quickly and service performance is
downgraded.
Why a DoS/DDoS Attack May Succeed
The design of the Internet is one of the fundamental reasons for successful DoS attacks. The
Internet is designed to run end-to-end applications. Routers are expected to provide the best-
effort packet forwarding, while the sender and the receiver are responsible for achieving desired
service guarantees such as quality of service and security. Accordingly, different amounts of
resources are allocated to different roles. Routers are designed to handle high throughput, which
leads to the design of high bandwidth pathways in the intermediate network. On the contrary,
end hosts may be only assigned as much bandwidth as they need for their own applications.
Consequently, each end host has less bandwidth than routers. Attackers can misuse the abundant
resources in routers for delivery of numerous packets to a target.
The control and management of the Internet is distributed. Each component network is run
according to local policies designed by its owners. No deployment of security mechanisms or
security policy can be globally enforced. Because DoS attacks are commonly launched from
systems that are subverted through security-related compromises, the susceptibility of the victim
to DoS attacks depends on the state of security in the rest of the global Internet, regardless of
how well the victim may be secured. Furthermore, it is often impossible to investigate cross-
network traffic behaviors under such distributed management. If one party in a two-way
communication (sender or receiver) misbehaves, it can cause arbitrary damage to its peer. No
third party will step in to stop it.
CONCLUSION
In this article, we overviewed existing DoS attacks and defense technologies in the Internet and
wireless networks. DoS attackers exploit flaws in protocols and systems to deny access to target
services. Attackers also control a large number of compromised hosts to launch DDoS attacks.
Simply securing servers is no longer enough to keep a service available under attack, since DoS
attack techniques have become more complicated and many unwitting hosts are involved in DoS attacks.
By reviewing several existing DoS attack techniques and classifying them, this chapter
highlighted the challenges of DoS defense that follow from the characteristics of DoS attacks. For defenders, it is
difficult to decide whether a packet is spoofed, to prevent a host from being compromised and
controlled, to ask upstream routers to filter unwanted traffic, and to protect the defenders themselves
from DoS attacks.