07-08-2012, 12:53 PM
Denial of Service (DoS) attack
INTRODUCTION
Security in computer networks is an extremely active and broad area of
research, as networks of all sizes are targeted daily by attackers seeking to disrupt or
disable network traffic. A successful denial-of-service (DoS) attack degrades network
performance, resulting in losses of several millions of dollars. Development of
methods to counter these and other threats is thus of high interest. Current
countermeasures under development focus on detection of anomalies and intrusions,
their prevention, or a combination of both.
THE DOS ATTACK AND THE DDOS ATTACK
A Denial of Service (DoS) attack is an attack against any system component
that attempts to force that system component to limit, or even halt, normal services. A
DoS attack may be directed to a specific computer operating system, to a specific port
or service on a targeted system, to a network, or network component, to a firewall
or to any other system component. More obscure examples could include human-system
communication processes, such as disabling a printer or alarm system, or
even human-response systems, such as disabling a key technician's home phone or
transportation. The key similarity in all of these examples is that, after a successful
attack, the system does not respond to a request for service as before, and some
expected service, or group of services, is denied or limited to authorized users.
A Distributed Denial of Service (DDoS) attack is a DoS attack that occurs
from more than one source, and/or from more than one location, at the same time.
Often, the DDoS attackers are not aware that they are engaging in a DoS attack
against a site, and are duped (technically or physically) into joining the attack by a
third party.
SECURITY ISSUES
SECURITY ISSUES WITH UDP PORTS AND SERVICES
Any port can be attacked as a DoS by simply sending a packet to that port. If
there is no service attached to that port, then the packet is ignored and the DoS attack
fails. If there is a service attached to that port, then the service must deal with the
packet, even if it is malformed or incorrect. The service will deal with the incoming
packet as a high priority (interrupt) event. The success of the DoS attack is dependent
on how effectively the service deals with the inbound packet. As a rule, any UDP port
that sends a response to a packet is subject to a DoS attack (and therefore to a DDoS
attack). Since the UDP service is a stateless response, it can simply be flooded with
packets, forcing a DoS as the system struggles to keep up with these high priority
service interrupts.
SECURITY ISSUES WITH TCP PORTS AND SERVICES
TCP attacks differ in that TCP is not a stateless protocol and requires a
TWHS (three-way handshake) before initiating service. This does not make TCP
ports immune to DoS attacks. In fact the TWHS is itself a major target of cracker/hacker
DoS attack attempts. The SYN-Flood and ACK-Flood DoS attacks take advantage of the
TWHS to perform a DoS on a host. The normal process of SYN followed by RST or
ACK is interrupted and the victim is left with an open port awaiting communication
that never materializes. The process is repeated until the total number of
simultaneous sessions is open and the system is hung. In order to completely deny
services to a given port on your computer until the next system reboot, the attacker
need only send 1024 packets to your computer with the SYN bit set. One second
of packets results in a system reboot - that's a big advantage for the attacker but
many systems run out of internal space to store the incomplete connections before
the second passes and crash on their own. The SYN-Flood can easily be turned into
a DDoS by using distributed hosts to bounce off packets so that the forensic log
examination points to these hosts.
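The half-open connection problem the post describes for TCP, modelled as an added example (this code is not from the post or its source): a listener with a fixed backlog is replayed against constructed packet records, once keeping state for every SYN and once with a SYN-cookie style stateless ISN, and a per-source rule flags senders whose SYNs almost never complete the handshake. The backlog size 1024 mirrors the figure quoted in the post; the HMAC cookie, the packet records, the addresses and the detection thresholds are all assumptions constructed for illustration.

```python
"""Added example: backlog exhaustion by a SYN flood, the stateless
(SYN-cookie) alternative, and a half-open-ratio detector.
All packet records are constructed sample data, not captured traffic."""
import hmac
import hashlib
from collections import Counter

BACKLOG = 1024               # half-open connections the listener can hold
SECRET = b"example-secret"   # constructed key for the SYN-cookie variant


def syn_cookie(src, sport, dport):
    """Stateless ISN derived from the connection tuple, so the server can
    verify the final ACK without having stored the SYN. (Simplified: real
    stacks also encode a timestamp and MSS in the cookie.)"""
    msg = f"{src}:{sport}:{dport}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def run_handshakes(packets, syn_cookies=False):
    """Replay packet records against one listener.

    packets: iterable of (kind, src, sport, dport, ack), kind in
             {"SYN", "ACK", "RST"}; ack is the acknowledged sequence number
             for ACK records (cookie + 1 in this model), else None.
    Returns (established, dropped_syns, peak_half_open)."""
    half_open = {}           # (src, sport) -> ISN sent in our SYN-ACK
    established = dropped = peak = 0
    for kind, src, sport, dport, ack in packets:
        key = (src, sport)
        if kind == "SYN":
            if syn_cookies:
                continue     # reply with a cookie ISN and store nothing
            if len(half_open) >= BACKLOG:
                dropped += 1  # table full: further SYNs are refused
                continue
            half_open[key] = 1000   # stand-in ISN for the stateful path
            peak = max(peak, len(half_open))
        elif kind == "ACK":
            if syn_cookies:
                if ack == syn_cookie(src, sport, dport) + 1:
                    established += 1
            elif key in half_open:   # real stacks also check the ack number
                del half_open[key]
                established += 1
        elif kind == "RST":
            half_open.pop(key, None)  # peer abandoned the handshake
    return established, dropped, peak


def flag_half_open_sources(packets, ratio=0.9, min_syns=50):
    """Detection rule: sources sending at least min_syns SYNs of which a
    fraction >= ratio never produce an ACK. Thresholds are assumptions."""
    syns, acks = Counter(), Counter()
    for kind, src, *_ in packets:
        if kind == "SYN":
            syns[src] += 1
        elif kind == "ACK":
            acks[src] += 1
    return sorted(src for src, n in syns.items()
                  if n >= min_syns and (n - acks[src]) / n >= ratio)


def make_flood(n=2000, src="203.0.113.7"):
    """Constructed flood: n SYNs from distinct source ports, no follow-up."""
    return [("SYN", src, 10000 + i, 80, None) for i in range(n)]


def make_client(src="192.0.2.10", sport=40000):
    """Constructed legitimate client that completes the handshake."""
    return [("SYN", src, sport, 80, None),
            ("ACK", src, sport, 80, syn_cookie(src, sport, 80) + 1)]


# Constructed sample: a flood arriving before one legitimate client.
SAMPLE = make_flood() + make_client()

if __name__ == "__main__":
    print("stateful:", run_handshakes(SAMPLE))          # (0, 977, 1024)
    print("syn cookies:", run_handshakes(SAMPLE, True))  # (1, 0, 0)
    print("flagged:", flag_half_open_sources(SAMPLE))    # ['203.0.113.7']
```

In the stateful replay the first 1024 SYNs fill the table, the remaining flood SYNs and the legitimate client's SYN are all dropped, and nothing is established; with the cookie variant the table never fills and the client still connects. The detector keys on the ratio the post implies (many SYNs, no completions), which is why the single-connection client is not flagged.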