I am undertaking a reading unit this semester focused on Denial of Service [DoS] attacks and their mitigation. As there are no subjects dedicated to this field, a reading unit was the best option. The aims of the unit will be:
- Study system vulnerabilities and existing DoS attacks
- Propose a new method to mitigate one of the DoS attacks
I have not investigated DoS attacks beyond an introductory level prior to this, so my blog notes will start from that point. With this in mind, the best beginning is with definitions. Most of this introductory post will glean resources from Wikipedia’s DoS page http://en.wikipedia.org/wiki/Denial-of-service_attack; see their reference list for further reading.
Denial of Service Attack: an attack that degrades network performance or makes services (e.g. web services) unavailable. The effects can spread to the network branches surrounding the targeted system, and in some cases entire geographical regions can be prevented from accessing the external network.
DoS attacks can also be characterized as an attacker explicitly attempting to prevent legitimate users from accessing specific services. There are two major classifications:
- Attacks which crash a server
- Attacks which flood a server
There are five categories into which DoS attacks can be placed:
- Consumption of computation resources (e.g. HTTP-GET DDoS flood attack, http://teamxpc.com/forum/topic/155918-http-get-dos-attack-paper/)
- Disruption of configuration information (e.g. DNS poisoning attack, http://www.spamstopshere.com/blog/2008/08/07/recent-dns-poisoning-exploit-used-for-dos-attacks/)
- Disruption of state information (e.g. resetting of TCP sessions, http://kerneltrap.org/node/3072, http://en.wikipedia.org/wiki/TCP_reset_attack)
- Disruption of physical network components (e.g. physical access to servers, phlashing attack/PDoS, http://hackaday.com/2008/05/20/phlashing-denial-of-service-attack-the-new-hype/)
- Obstructing communication media (e.g. replay attacks on Wi-Fi, http://www.aircrack-ng.org/doku.php?id=simple_wep_crack&DokuWiki=9a77f3d58e7c5e4adc840b60b1a2197e; cable cuts, http://www.guardian.co.uk/world/2011/apr/06/georgian-woman-cuts-web-access)
Some examples of known DoS attacks:
- ICMP Attack (Smurf, Ping of Death, Ping flood, SYN flood) – Malformed ICMP packets aimed at consuming the target’s network and computational resources. (tool – http://www.hping.org/)
- Teardrop Attack – Mangled IP packets with overlapping and oversized IP payloads which exploit the TCP/IP reassembly methods in numerous operating systems. In a Teardrop attack, the data packets are sent to the target computer in the following format: (1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes). When the target system receives something like the above, it simply cannot handle it and will crash, hang or reboot.
- SYN Flood – Sending multiple SYN requests with forged source addresses so that the target queues them all, each awaiting a timeout on the request (http://mediakey.dk/~cc/hackerguide-syn-flood-attack/)
- Low rate denial of service attacks – While TCP’s congestion control algorithm is highly robust to diverse network conditions, its implicit assumption of end-system cooperation results in a well-known vulnerability by high-rate non-responsive flows. However, little is known about low-rate denial of service attacks. We have discovered that low-rate attacks can be as harmful as the high-rate ones, yet even more dangerous due to the fact that they are difficult for routers and counter-DoS mechanisms to detect. (inventors: http://www.cs.northwestern.edu/~akuzma/rice/shrew/, tools: sockstress: http://www.2shared.com/file/L4VC9Wdp/sockstresstar.html)
- Peer-to-peer botnet attacks – The TDL-4 botnet may have started via P2P networks (http://www.readwriteweb.com/archives/one_botnet_to_rule_them_all_kaspersky_labs_finds_i.php, http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot); botnets can be used for more than just DoS (http://www.theregister.co.uk/2008/06/28/nugache_creator_plea_agreement/)
- Stacheldraht tool – Botnet attack (http://staff.washington.edu/dittrich/misc/stacheldraht.analysis, see diagram above)
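The Teardrop entry above describes fragments whose byte ranges overlap; the following is an added example (my own illustration for these notes, not code from any of the linked sources) of the check a reassembly routine needs in order to reject such input. It models each IP fragment as a byte range and flags two conditions: a fragment that overlaps an already-accepted range, and a fragment whose end runs past the 65535-byte IPv4 datagram limit. The sample fragment list is constructed from the (1 to 1500)(1500 to 3000)(1001 to 3600) ranges quoted above; real IPv4 fragments carry offsets in 8-byte units, but plain byte offsets are used here to match the post’s notation.

```python
"""Fragment sanity checker for Teardrop-style overlaps (added example).

Each fragment is a half-open byte range [start, end). A reassembler that
accepts fragments in arrival order must reject any fragment that overlaps
one it has already placed, and any fragment that would extend the datagram
past the IPv4 maximum. Offsets are in bytes to match the post's notation
(real IPv4 fragment offsets are in 8-byte units).
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_DATAGRAM = 65535  # largest IPv4 datagram a reassembler should accept


@dataclass(frozen=True)
class Fragment:
    start: int  # first payload byte offset (inclusive)
    end: int    # one past the last payload byte (exclusive)

    def __post_init__(self) -> None:
        if self.start < 0 or self.end <= self.start:
            raise ValueError(f"malformed fragment range {self.start}-{self.end}")


def check_fragments(frags: List[Fragment]) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a fragment sequence seen in arrival order.

    ok is False when any fragment overlaps a previously accepted fragment or
    exceeds MAX_DATAGRAM; problems lists one message per rejected fragment.
    """
    accepted: List[Fragment] = []
    problems: List[str] = []
    for f in frags:
        if f.end > MAX_DATAGRAM:
            problems.append(f"fragment {f.start}-{f.end} exceeds {MAX_DATAGRAM}")
            continue
        for a in accepted:
            # two ranges overlap when each one starts before the other ends
            if f.start < a.end and a.start < f.end:
                problems.append(f"fragment {f.start}-{f.end} overlaps {a.start}-{a.end}")
                break
        else:
            accepted.append(f)
    return (not problems, problems)


# Constructed from the ranges quoted in the post: (1..1500)(1500..3000)(1001..3600)
TEARDROP_SAMPLE = [Fragment(1, 1500), Fragment(1500, 3000), Fragment(1001, 3600)]
# Constructed benign sequence: contiguous, non-overlapping fragments
BENIGN_SAMPLE = [Fragment(0, 1480), Fragment(1480, 2960), Fragment(2960, 3200)]

if __name__ == "__main__":
    for name, sample in (("teardrop", TEARDROP_SAMPLE), ("benign", BENIGN_SAMPLE)):
        ok, found = check_fragments(sample)
        print(name, "OK" if ok else "REJECT", found)
```

Running the script rejects the Teardrop sample because the third fragment (1001 to 3600) overlaps the first (1 to 1500), and accepts the benign sequence. The same overlap test is what a hardened reassembler (or an IDS reassembly preprocessor) applies before copying fragment data into the reassembly buffer, which is the step the vulnerable implementations skipped.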
Some additional reading on DoS attack definitions: