This is a common form of attack that any admin should protect their networks from. DoS attacks are used to compromise or bring down systems and networks. Each system connected to the Internet has a limited amount of bandwidth and memory available to it. In a DoS attack the attacker tries to choke or clog up all of the available bandwidth on the target. As a result even legitimate customers or clients are no longer able to connect to the target. Some kind of data traffic is used by the attacker as the weapon for this attack.
Main steps in a DoS attack:
- The attacker sends a technically infinite amount of malicious data to the network.
- The target network gets choked or clogged up and cannot handle the inflow of malicious data. This results in the crashing of the network as well as the target system.
- Even real people or clients can no longer connect to the target network.
- This results in loss of revenue, disrupted services, inconvenience, customer dissatisfaction and many other problems.
In most cases a server may have a T1 or T3 connection that serves all the clients. A simple DoS attack can easily generate traffic of 20 to 30 Mbps, clogging up the entire network bandwidth. This may be fatal for the services offered. A DoS attack is usually an attack of last resort. It is considered an unsophisticated attack because it does not gain the hacker access to any information but rather annoys the target and interrupts their service.
Different types of DoS attacks:
Some of the main DoS attacks are briefly described in this section.
Ping of Death:
TCP/IP works based on many rules and limitations. One such limitation is that the maximum size of a data packet that can be sent through a network is 65536 bytes. In the Ping of Death attack a packet larger than the maximum allowable size is sent to the target system. As soon as the target receives such a packet it crashes, hangs or reboots. This is because the protocol can only handle legitimate data packets. The main problem with this attack is that anyone can carry it out with the help of a slightly advanced ping tool or command in Linux.
Command in Linux to perform this attack:
Eg: ping -l 65545
NB: This attack only affects systems up to Win 95/98. All later versions are patched against this type of attack.
Tear Drop Attacks:
This kind of attack can affect many systems on the Internet. Let me explain the concept behind it. Normally the data sent from the source to the destination is broken down into smaller chunks and later combined back into the larger whole at the destination.
For Eg:
Say a 5000 part (just a quantity) piece of data, which is in a single chunk, has to be sent over a network. Assume the data is broken into 3 smaller parts for the process.
Chunk A contains data from parts 1 to 1500
Chunk B contains data from parts 1501 to 3500
Chunk C contains data from parts 3501 to 5000
It is important to note that the different chunks do not have any overlapping ranges.
In the Tear Drop attack, data chunks with overlapping ranges are sent to the target. As the target does not know how to manage, process or combine the data, it gets confused and the system may crash, hang or even reboot.
The data sent for the attack will look like this:
(This is not the real data or methodology. I am giving this example only to enhance your understanding.)
Chunk A contains data from parts 1 to 1500
Chunk B contains data from parts 1499 to 3500
Chunk C contains data from parts 3499 to 5000
Here you can see that the data ranges of the packets overlap.
Fragmentation Attacks:
This is a variation of the Tear Drop attack. Here the attacker sends streams of data packets with identical fragments to the target system. Since the target does not know how to put the data back together it crashes, hangs or reboots.
Chunk A contains data from parts 1 to 1500
Chunk A contains data from parts 1 to 1500
Chunk C contains data from parts 3501 to 5000
Here we are not sending chunk B; instead we send chunk A twice.
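The check a robust reassembler should perform before accepting the chunk lists above, as an added example (not code from the original post). It flags the overlapping ranges of the Tear Drop case and the duplicated chunk A of the Fragmentation variant; the chunk ranges are the post's own, the function and its messages are mine.

```python
# Added example (not from the original post): reassembly sanity check for the
# post's 5000-part chunk lists, flagging Tear Drop overlaps and duplicated fragments.
from typing import List, Tuple

Fragment = Tuple[int, int]   # (first_part, last_part), inclusive, as in the post


def check_fragments(fragments: List[Fragment], total: int) -> List[str]:
    """Return the anomalies found; an empty list means the set reassembles cleanly."""
    problems: List[str] = []
    seen = set()
    for frag in fragments:
        if frag in seen:                      # Fragmentation variant: chunk A twice
            problems.append(f"duplicate fragment {frag}")
        seen.add(frag)
    # Walk the distinct ranges in offset order and compare each with its predecessor.
    expected_next = 1
    for first, last in sorted(seen):
        if first < expected_next:             # Tear Drop: range starts inside the previous one
            problems.append(f"overlap: {first}-{last} starts before {expected_next}")
        elif first > expected_next:           # hole that can never be filled
            problems.append(f"gap: parts {expected_next}-{first - 1} missing")
        expected_next = max(expected_next, last + 1)
    if expected_next <= total:
        problems.append(f"gap: parts {expected_next}-{total} missing")
    return problems


# Constructed inputs mirroring the chunk lists above.
NORMAL = [(1, 1500), (1501, 3500), (3501, 5000)]
TEARDROP = [(1, 1500), (1499, 3500), (3499, 5000)]
FRAGMENTATION = [(1, 1500), (1, 1500), (3501, 5000)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("fragmentation", FRAGMENTATION)]:
        print(name, check_fragments(frags, 5000) or "ok")
```

A real stack works on byte offsets from the IP header rather than "parts", but the overlap and duplicate tests are the same.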
Smurf Attacks:
This is another type of DoS attack. Here the attacker sends an infinite number of ping requests to the broadcast address of the target.
A few words on the broadcast address: this is an IP address used by network admins to send data to the entire network. Every node connected to the network will receive a message directed to the broadcast address.
So what happens in this attack?
Each system receiving the ping must reply to it with an ICMP reply. Due to the infinite loops thus generated and the large number of pings, the target network will crash, restart or hang.
NB: IRC servers are considered the primary victims of smurf attacks on the Internet.
Countermeasures against Smurf attacks:
- Block all data packets whose source address is the same as that of any internal system, or that carry the broadcast address.
- Disable the broadcast address.
- Always remember that there is no reason why an external system needs to send data to the broadcast address.
Land Attacks:
In a Land attack, the attacker sends a packet to a system where the source IP is set to match the target system's IP address. As a result the system attempts to reply to itself, creating a loop that ties up system resources and eventually may crash the OS. Here the source and destination IPs are the same in the packet sent. When the attacker sends infinite malicious packets to the victim the case becomes even worse.
Countermeasures for Land attacks:
Filter all data packets having the same source and destination IPs.
NB: Make sure we do not block packets having the same source and destination ports by mistake.
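The Smurf and Land countermeasures above expressed as one border-filter decision function, as an added example (not from the original post). The internal range 192.0.2.0/24, the external interface flag and the sample packets are assumed for illustration; note that only IP addresses are compared, never ports, so the NB about same-port traffic is respected.

```python
# Added example (not from the original post): a border-filter decision function
# applying the post's Smurf and Land countermeasures. Network values are assumed.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range
BROADCAST = INTERNAL_NET.broadcast_address             # 192.0.2.255


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    from_outside: bool   # True if it arrived on the external interface


def ingress_verdict(pkt: Packet) -> str:
    """Return 'DROP <reason>' or 'ACCEPT' for one inbound packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Land attack: source and destination IP identical. Ports are deliberately
    # not compared, so legitimate same-port traffic is not caught (the NB above).
    if src == dst:
        return "DROP land: src == dst"
    if pkt.from_outside:
        # Smurf: nothing outside needs to talk to our broadcast address.
        if dst == BROADCAST:
            return "DROP smurf: external packet to broadcast"
        # Anti-spoofing: an external packet cannot legitimately carry an internal source.
        if src in INTERNAL_NET:
            return "DROP spoof: internal source from outside"
    return "ACCEPT"


# Constructed sample packets.
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.10", 40000, 80, True),     # normal web request
    Packet("192.0.2.10", "192.0.2.10", 139, 139, True),        # land
    Packet("198.51.100.7", "192.0.2.255", 1, 1, True),         # smurf trigger
    Packet("192.0.2.44", "192.0.2.10", 5555, 22, True),        # spoofed internal source
    Packet("192.0.2.20", "192.0.2.30", 53, 53, False),         # same ports, legitimate
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.src:>14} -> {p.dst:<14} {ingress_verdict(p)}")
```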
SYN Flooding:
The main principle behind this kind of attack lies in the way each TCP/IP connection is established. Each connection is established through a 3-way handshake process, which is explained in other posts.
Let us discuss how SYN Flooding exploits this classic 3-way handshake.
In the attack, the attacker sends an infinite number of connection requests in such a way that the packets originate from a spoofed IP address. This creates infinite threads in the half-open state.
Spoofed IP => SYN packet => Host
Host => SYN/ACK Packet => spoofed address
During this process the host allocates a certain amount of memory for each connection. Here the attacker sends infinite packets. When the whole memory of the target is used up the target may hang, crash or reboot.
3 important scenarios in SYN Flooding:
1. The spoofed IP address does not exist:
The SYN/ACK reply packet will travel across the Internet until its TTL value reduces to 0 or it is dropped at a router. Until then the target waits for the ACK from the source IP, and the space allocated for the connection remains used up.
2. The spoofed IP address exists:
When the SYN/ACK reaches that IP it sends an error message, and the target on receiving this message frees the allocated memory.
3. The spoofed IP is inside the target network:
This makes the job very easy for the attacker. It allows the attacker to increase the strain on the network and use up all the available network resources.
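A simulated half-open connection table that walks through the scenarios above, as an added example (not from the original post): a SYN allocates a slot, a timeout models scenario 1, an error reply (RST) models scenario 2, and a full table shows what a legitimate client experiences. The backlog size, timeout and addresses are assumed values.

```python
# Added example (not from the original post): simulated listen backlog tracking
# half-open connections through the post's SYN flood scenarios. Values are assumed.
from typing import Dict, List

BACKLOG = 4          # assumed number of half-open entries the host can hold
SYN_TIMEOUT = 30.0   # assumed seconds before an unanswered SYN/ACK is given up


class HalfOpenTable:
    def __init__(self) -> None:
        self.half_open: Dict[str, float] = {}   # client ip -> time the SYN arrived
        self.established: List[str] = []
        self.refused = 0

    def on_syn(self, src: str, now: float) -> str:
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.refused += 1          # a legitimate client experiences this as the DoS
            return "refused: backlog full"
        self.half_open[src] = now       # memory allocated, SYN/ACK sent
        return "syn/ack sent"

    def on_ack(self, src: str) -> None:
        # Real client completes the handshake: the slot becomes a session.
        if src in self.half_open:
            del self.half_open[src]
            self.established.append(src)

    def on_rst(self, src: str) -> None:
        # Scenario 2: the spoofed address exists and answers with an error, freeing memory.
        self.half_open.pop(src, None)

    def _expire(self, now: float) -> None:
        # Scenario 1: the spoofed address does not exist; the slot is held until timeout.
        stale = [ip for ip, t in self.half_open.items() if now - t >= SYN_TIMEOUT]
        for ip in stale:
            del self.half_open[ip]


def simulate_flood() -> HalfOpenTable:
    """Constructed trace: 4 SYNs from non-existent spoofed sources, then a real client."""
    table = HalfOpenTable()
    for i in range(4):
        table.on_syn(f"203.0.113.{i}", now=0.0)   # spoofed, never answered
    table.on_syn("198.51.100.9", now=1.0)         # real client: refused, table is full
    table._expire(now=31.0)                        # timeouts finally free the slots
    table.on_syn("198.51.100.9", now=31.0)         # real client now gets a slot
    table.on_ack("198.51.100.9")
    return table
```

Real stacks use SYN cookies or a shorter retransmit schedule so that slots are not held for the full timeout; the simulation keeps the naive behaviour the post describes.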
Loop Back Flooding:
This is one of the oldest examples of a DoS attack.
The attacker exploits two services in the OS to carry out this attack. He sends infinite data to the "chargen" service of a victim UNIX system such that the packets appear to originate from the "echo" service of the same system.
A small overview of the chargen and echo daemons:
These are designed so that whatever data is received is sent back to the source. They loop it back, replying to the source with the same data.
The echo service sends data to chargen, chargen in turn sends it back, and so on. Thus an infinite loop is created in the target, which is eventually DoS'd.
NB: This type of attack does not affect modern systems. Almost all systems are patched against this type of attack.
Tools:
TIPS:
If the spoofed IP address exists, make sure you DoS attack it before SYN Flooding any network.
Session hijacking:
This is a hacking method that creates a temporary DoS for an end user while the attacker takes over the current session. This is done after the user has established an authenticated session. Session hijacking can also be used to perform a man-in-the-middle attack, where the hacker steps between the server and the client and sniffs all traffic.