Denial Of Service Attacks

From Computing and Software Wiki

Revision as of 18:02, 12 April 2009

A denial of service attack (DoS attack) is generally an attempt to degrade the resources of another computer, or to crash it, so that its intended users can no longer use it. The methods used in such an attack usually involve exploiting a weakness in one of the protocols used on the Internet, either to harm the target machine directly or to make it lose or consume resources at an unusual rate. Since denial of service attacks are so common today, protection has become a very important concern for machines on the Internet.

Attack Methods

Goals of the attacks:

  • "flood" a network which will prevent legitimate network traffic
  • disrupt connections between two machines, which will prevent access to a service
  • disrupt the service given to a particular system or person [2]

ICMP flood

There are two basic ways that the Internet Control Message Protocol is used to deny service. The first is flooding the target with ping messages until it is overwhelmed trying to send responses and slows down. This can be done in a very simple way, whose only requirement is that the attacker has more bandwidth than the target, or in a more complex way such as Smurfing (the Smurf Attack), which exploits poorly configured network devices that allow packets sent to the broadcast address to reach every other host on the network. The other way is often called a nuke; the most popular example is the Ping of Death, which sends the target an ICMP ECHO request packet much larger than the maximum IP packet size. Because of the packet's size the target cannot reassemble it, which often causes the system to crash. [1]
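
The three patterns in this section (a high-rate echo request flood, echo requests aimed at a broadcast address, and a fragmented datagram that would reassemble past the IPv4 size limit) can all be checked offline from packet summaries. The block below is an added illustration for this page, not code from the page or its references; it runs over a constructed list of packet records, and the record layout, the address ranges and the flood threshold of 20 requests per second are assumptions made for the example.

```python
"""Offline checks for the three ICMP abuse patterns described above.

Added illustration for this wiki page, not code from the page or its
references. It runs over a constructed list of packet summaries (fields a
capture tool or flow log would give you); the record layout, the address
ranges and the flood threshold are assumptions made for the example.
"""
from collections import defaultdict

IPV4_MAX_TOTAL_LEN = 65535   # largest IPv4 datagram, header included
IPV4_MIN_HEADER_LEN = 20     # assume no IP options
ICMP_ECHO_REQUEST = 8

def _pkt(ts, src, dst, ip_id, payload_len, icmp_type=ICMP_ECHO_REQUEST,
         frag_offset=0, more_frags=False):
    """Build one constructed packet summary. frag_offset is in bytes
    (the header field counts 8-byte units; capture tools convert it);
    payload_len is everything after the IP header."""
    return {"ts": ts, "src": src, "dst": dst, "ip_id": ip_id,
            "payload_len": payload_len, "icmp_type": icmp_type,
            "frag_offset": frag_offset, "more_frags": more_frags}

# Constructed traffic sample (documentation address ranges).
PACKETS = (
    # a normal ping, one request per second
    [_pkt(0.0, "10.0.0.5", "10.0.0.1", 1, 64),
     _pkt(1.0, "10.0.0.5", "10.0.0.1", 2, 64)]
    # a flood: 50 large echo requests inside one second from one host
    + [_pkt(2.0 + i * 0.02, "10.0.0.9", "10.0.0.1", 100 + i, 1400) for i in range(50)]
    # an echo request aimed at the subnet broadcast address (smurf pattern)
    + [_pkt(3.0, "198.51.100.7", "10.0.0.255", 300, 64)]
    # an oversized ping split in two fragments; the second one's offset plus
    # length runs past the IPv4 size limit (ping of death pattern). Only the
    # first fragment carries an ICMP header, so the second has no type.
    + [_pkt(4.0, "203.0.113.4", "10.0.0.1", 500, 1480, more_frags=True),
       _pkt(4.0, "203.0.113.4", "10.0.0.1", 500, 200, icmp_type=None, frag_offset=65528)]
)

def echo_floods(packets, window_s=1.0, threshold=20):
    """Sources that sent more than `threshold` echo requests inside any
    sliding window of `window_s` seconds -> {src: peak count}."""
    times_by_src = defaultdict(list)
    for p in packets:
        if p["icmp_type"] == ICMP_ECHO_REQUEST and p["frag_offset"] == 0:
            times_by_src[p["src"]].append(p["ts"])
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

def broadcast_echo_requests(packets, broadcast_addrs):
    """Echo requests addressed to a broadcast address. A correctly configured
    router drops these at the network edge instead of amplifying them."""
    return [p for p in packets
            if p["icmp_type"] == ICMP_ECHO_REQUEST and p["dst"] in broadcast_addrs]

def oversized_datagrams(packets):
    """Track the reassembled extent per (src, dst, ip_id) and report any
    datagram that would exceed the IPv4 maximum, which an IP stack must
    reject rather than try to reassemble -> {key: total length}."""
    end_by_dgram = defaultdict(int)
    for p in packets:
        key = (p["src"], p["dst"], p["ip_id"])
        end_by_dgram[key] = max(end_by_dgram[key], p["frag_offset"] + p["payload_len"])
    return {key: end + IPV4_MIN_HEADER_LEN
            for key, end in end_by_dgram.items()
            if end + IPV4_MIN_HEADER_LEN > IPV4_MAX_TOTAL_LEN}

if __name__ == "__main__":
    print("echo floods:", echo_floods(PACKETS))
    print("broadcast echo requests:",
          [p["src"] for p in broadcast_echo_requests(PACKETS, {"10.0.0.255"})])
    print("oversized datagrams:", oversized_datagrams(PACKETS))
```

The oversize check is the one a host's IP stack needs: a fragment whose offset plus length would land beyond 65535 bytes must be discarded before reassembly, not after. The broadcast check belongs on the router, which is where the smurf amplification is prevented; the rate check is only a signal, since a flood that simply outruns the link will also show up as lost legitimate traffic.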

TCP SYN Flood Attack

Transmission Control Protocol connection request packets can be used to attack a target machine by causing it to create half-open connections and reserve all of the ports on the machine. This is done by attempting to open a regular connection with the target but never replying after the target has sent its SYN-ACK packet. Since opening a TCP connection is a three-way handshake, this stalls the process while the target waits for confirmation from the attacker. Unlike an ICMP flood, this attack does not depend on having more bandwidth than the target, because only a relatively small number of ports have to be reserved. [1,2]
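
On the target, the half-open connections this section describes are visible in the socket table as entries in the SYN-RECV state, and the question a defender asks is how close they are to exhausting the listener's accept backlog. The block below is an added example for this page, not code from the page or its references: it parses a constructed snapshot shaped like `ss -tan` output and reports backlog usage; the backlog of 128 and the 80% alert threshold are assumptions chosen for the demonstration.

```python
"""Half-open connection check over ss(8)-style socket output.

Added example for this page, not code from the page or its references.
The socket table is constructed to look like `ss -tan` output (state,
queues, local and peer address); the backlog of 128 and the 80% alert
threshold are assumptions chosen for the demonstration.
"""

# Constructed snapshot: one listener on port 80, a few real clients, and
# 110 half-open connections from 110 different peers, the shape a SYN
# flood with spoofed sources leaves in the socket table.
SS_OUTPUT = "\n".join(
    ["State     Recv-Q Send-Q Local Address:Port   Peer Address:Port",
     "LISTEN    0      128    0.0.0.0:80           0.0.0.0:*",
     "ESTAB     0      0      10.0.0.1:80          10.0.0.5:51234",
     "ESTAB     0      0      10.0.0.1:80          10.0.0.6:51235",
     "ESTAB     0      0      10.0.0.1:22          10.0.0.7:51236"]
    + [f"SYN-RECV  0      0      10.0.0.1:80          203.0.113.{i + 1}:{40000 + i}"
       for i in range(110)]
)

def parse_ss(text):
    """Return (state, local_port, peer_ip) for every socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        rows.append((state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]))
    return rows

def listen_backlog(text, port):
    """Accept-queue size of the listener on `port`; ss reports it in the
    Send-Q column of a LISTEN row. None if nothing listens there."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN" and fields[3].endswith(f":{port}"):
            return int(fields[2])
    return None

def half_open_report(text, port, alert_ratio=0.8):
    """Summarise half-open (SYN-RECV) connections on `port` against the
    listener's backlog and say whether the backlog is close to exhaustion."""
    rows = parse_ss(text)
    backlog = listen_backlog(text, port)
    half_open = [peer for state, lport, peer in rows if state == "SYN-RECV" and lport == port]
    established = sum(1 for state, lport, _ in rows if state == "ESTAB" and lport == port)
    distinct = len(set(half_open))
    used = len(half_open) / backlog if backlog else None
    return {
        "port": port,
        "backlog": backlog,
        "half_open": len(half_open),
        "established": established,
        "distinct_peers": distinct,
        "backlog_used": used,
        "alert": used is not None and used >= alert_ratio,
        # Half-open entries spread thinly over many peers point to spoofed
        # sources: blocking individual addresses will not help, SYN cookies will.
        "spoofing_likely": distinct > 0 and len(half_open) / distinct < 2,
    }

if __name__ == "__main__":
    for key, value in half_open_report(SS_OUTPUT, 80).items():
        print(f"{key:15} {value}")
```

The `spoofing_likely` flag is the practical caveat: because the attacker never completes the handshake, the source addresses need not be real, so per-address blocking is the wrong reflex. On Linux the usual mitigation is SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the kernel answer SYNs without keeping a half-open entry until the third packet of the handshake arrives.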

Application level floods

DoS attacks are not limited to the server scale. Individual applications on a user's machine are also prone to attack, depending on the software. IRC is a very common example where the various types of attacks used on servers can be seen on a smaller scale. These include exploits such as buffer overflows, which can cause software to misbehave and fill disk space or consume all available memory or CPU time, as well as the more common types of attack such as flooding. [3]
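
The standard application-level answer to the flooding mentioned here is per-client rate limiting: each client may send a short burst, tokens refill slowly, and a client that empties its bucket is ignored for a while, which is what IRC clients call flood protection. The block below is an added example for this page, not code from the page, from any IRC client or from reference [3]; the message stream and the limits (a burst of 5, one token per second, a 30 second penalty) are assumptions chosen for the demonstration.

```python
"""Per-client flood protection with a token bucket.

Added example for this page, not code from the page, from any IRC client
or from reference [3]. The message stream and the limits (a burst of 5,
one token refilled per second, a 30 second ignore penalty) are
assumptions chosen for the demonstration.
"""
from collections import defaultdict

class FloodGuard:
    """One token bucket per client. Each accepted message costs a token;
    a client whose bucket is empty is ignored for `penalty_s` seconds,
    the same idea as an IRC client's flood protection / auto-ignore."""

    def __init__(self, burst=5, refill_per_s=1.0, penalty_s=30.0):
        self.burst = float(burst)
        self.refill = refill_per_s
        self.penalty = penalty_s
        self._state = {}        # client -> (tokens, last_ts, muted_until)

    def allow(self, client, now):
        tokens, last, muted_until = self._state.get(client, (self.burst, now, 0.0))
        if now < muted_until:
            return False                      # still ignored; bucket keeps refilling
        tokens = min(self.burst, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now, muted_until)
            return True
        # bucket empty: drop this message and ignore the client for a while;
        # the bucket refills during the penalty so the client gets a fresh start
        self._state[client] = (0.0, now, now + self.penalty)
        return False

# Constructed chat traffic: alice talks at a normal pace, mallet sends 20
# messages in two seconds, then tries again after half a minute.
EVENTS = sorted(
    [(2.0 * i, "alice", f"hello {i}") for i in range(10)]
    + [(0.1 * i, "mallet", "SPAM") for i in range(20)]
    + [(31.0, "mallet", "am I back?")]
)

def simulate(events, guard=None):
    """Run the events through a guard -> {client: {"allowed": n, "dropped": n}}."""
    guard = guard or FloodGuard()
    counts = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client, _text in events:
        outcome = "allowed" if guard.allow(client, ts) else "dropped"
        counts[client][outcome] += 1
    return dict(counts)

if __name__ == "__main__":
    print(simulate(EVENTS))
```

Alice's messages all pass because she never spends tokens faster than they refill, while the flooder gets five messages through, is ignored for the rest of the burst, and is accepted again once the penalty has expired and the bucket has refilled. The per-client state is a few numbers, so the guard itself cannot be turned into a memory exhaustion problem by many clients; the bound it does not address is a client that can crash the program with one malformed message, which is the buffer overflow case the paragraph distinguishes from flooding.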

Distributed attack

Unintentional attack

As certain websites on the Internet grew more popular, a relatively interesting phenomenon started to develop in which websites were unintentionally attacked by huge spikes in popularity. It is almost always the case that when big and often very popular sites link to small, unknown websites, those sites cannot handle all of the extra traffic and end up under a denial-of-service-like effect. Digg, Slashdot and Fark are prime examples of websites whose only goal is to increase the popularity of other websites, and they have gained a reputation for their own related "effects" when any website is posted on them.

Unintentional attacks are not limited to popularity. Routers from D-Link and Netgear also have a history of flooding Network Time Protocol servers without the intention of the router's owner. [6]

Prevention and Protection

Firewalls

Switches and Routers

Application Level

See also

References

  1. Types of DDoS Attacks. Retrieved April 11, 2009, from http://anml.iu.edu/ddos/types.html
  2. CERT/CC Denial of Service. Retrieved April 11, 2009, from http://www.cert.org/tech_tips/denial_of_service.html
  3. Mullen, Ruth. Flood Protection and Ignoring People. Retrieved April 11, 2009, from http://www.irchelp.org/irchelp/mirc/flood.html
  4. "Simple Nomad", Strategies for Defeating Distributed Attacks. Retrieved April 11, 2009, from http://www.windowsecurity.com/whitepapers/Strategies_for_Defeating_Distributed_Attacks.html
  5. Parks, J. (2008, August 25). DDoS Attack Prevention - The Best Medicine. Retrieved April 12, 2009, from http://ezinearticles.com/?DDoS-Attack-Prevention---The-Best-Medicine&id=1439320
  6. Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, from http://pages.cs.wisc.edu/~plonka/netgear-sntp/

External links

--Frostd 17:32, 3 April 2009 (EDT)
