Denial of Service (DoS) Attacks

A Denial of Service (DoS) attack is an attack which attempts to prevent the victim from being able to use all or part of their network connection.

A denial of service attack may target a user, to prevent them from making outgoing connections on the network. A denial of service may also target an entire organization, to either prevent outgoing traffic or to prevent incoming traffic to certain network services, such as the organizations web page.

Denial of service attacks are much easier to accomplish than remotely gaining administrative access to a target system. Because of this, denial of service attacks have become very common on the Internet.

Types of Denial of Service (DoS) attacks

These are a few of the classic denial of service attacks. Most of these rely upon weaknesses in the TCP/IP protocol. Vendor patches and proper network configuration have made most of these denial of service attacks difficult or impossible to accomplish.

Flood Attack

The earliest form of denial of service attack was the flood attack. The attacker simply sends more traffic than the victim could handle. This requires the attacker to have a faster network connection than the victim. This is the lowest-tech of the denial of service attacks, and also the most difficult to completely prevent.

Ping of Death Attack

The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems which copied the Berkeley network code. The ping of death was simply sending ping packets larger than 65,535 bytes to the victim. This denial of service attack was as simple as:

ping -l 86600 victim.org

SYN Attack

In the TCP protocol, handshaking of network connections is done with SYN and ACK messages. The system that wishes to communicate sends a SYN message to the target system. The target system then responds with an ACK message. In a SYN attack, the attacker floods the target with SYN messages spoofed to appear to be from unreachable Internet addresses. This fills up the buffer space for SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.

Teardrop Attack

The Teardrop Attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.

Smurf Attack

In the Smurf Attack, the attacker sends a ping request to a broadcast address at a third-party on the network. This ping request is spoofed to appear to come from the victims network address. Every system within the broadcast domain of the third-party will then send ping responses to the victim.

Distributed Denial of Service (DDoS) attacks

A Distributed Denial of Service (DDoS) attack is a denial of service attack which is mounted from a large number of locations across the network.

DDoS attacks are usually mounted from a large number of compromised systems. These systems may have been compromised by a trojan horse or a worm, or they might have been compromised by being hacked manually.

These compromised systems are usually controlled with a fairly sophisticated piece of client-server software such as Trinoo, Tribe Flood Network, Stacheldraht, TFN2K, Shaft, and Mstream.

The Mydoom worm attempted DDoS attacks against SCO and Microsoft from the systems which it infected.

DDoS attacks can be very difficult to defend against.