DoS Attacks
DoS attacks today are part of every Internet user's life. They happen all the time, and all Internet users, as a community, have some part in creating them, suffering from them, or even losing time and money because of them. DoS attacks have nothing to do with breaking into computers, taking control of remote hosts on the Internet, or stealing privileged information such as credit card numbers. In Internet jargon, DoS is neither a "hack" nor a "crack". It is a separate subject in its own right.
Definitions
The sole purpose of a DoS attack is to disrupt the services offered by the victim. While the attack is in progress and no countermeasure has been taken, the victim cannot provide its services on the Internet. DoS attacks are really a form of vandalism against Internet services. They take advantage of weaknesses in the IP protocol stack (faulty implementations, or protocol designs that let an unauthenticated sender consume the victim's memory, CPU or bandwidth) in order to disrupt Internet services.
DoS attacks can take several forms and can be categorized according to several parameters. In this study we differentiate denial of service attacks by where the attack traffic originates.
"Normal" DoS attacks are generated by a single host (or a small number of hosts at the same location). The only way for such an attack to pose a real threat is to exploit a software or design flaw. Such flaws include, for example, faulty IP stack implementations that crash the whole host on receiving a malformed or non-standard IP packet (the classic example is the ping-of-death: an ICMP echo request fragmented so that the reassembled datagram exceeds the 65535-byte IP maximum and overruns the reassembly buffer). Such an attack generally involves a low volume of data. Unless the victim host runs unpatched software with such a flaw, a single-source DoS attack should not pose a real threat to high-end services on today's Internet.
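The ping-of-death mentioned above comes down to a missing bounds check during IP fragment reassembly. The following is an added example, not code from the original study: a toy reassembler that trusts the sender's fragment offset and length, next to one that rejects any fragment extending past the maximum datagram size. The 65535-byte limit and the 8-byte fragment-offset unit come from the IP specification; the two fragment sets are constructed for the example.

```python
# Added example, not code from the original study: a toy IPv4 fragment
# reassembler showing the flaw behind the ping-of-death and the bounds check
# that fixes it. The 65535-byte maximum and the 8-byte fragment-offset unit
# come from the IP specification; the fragment sets below are constructed.

MAX_IP_DATAGRAM = 65535   # largest value the 16-bit IPv4 total-length field can hold
IP_HEADER_LEN = 20        # minimal IPv4 header; fragment offsets count data bytes after it


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment within the reassembled datagram."""
    return IP_HEADER_LEN + offset_units * 8 + payload_len


def reassemble_unchecked(fragments):
    """Trusts the sender, as the vulnerable stacks did: returns the highest byte
    position any fragment would be copied to. In a C stack with a fixed
    65535-byte reassembly buffer, a result above MAX_IP_DATAGRAM is a write
    past the end of that buffer (the crash the text describes)."""
    return max(fragment_end(off, len(payload)) for off, payload in fragments)


def reassemble_checked(fragments):
    """Hardened version: refuse the datagram if any fragment would extend past
    the maximum IP datagram size. Returns the reassembled data, or None."""
    buf = bytearray(MAX_IP_DATAGRAM - IP_HEADER_LEN)
    total = 0
    for off, payload in fragments:
        end = fragment_end(off, len(payload))
        if end > MAX_IP_DATAGRAM:
            return None                    # drop before copying: this is the fix
        start = off * 8
        buf[start:start + len(payload)] = payload
        total = max(total, end - IP_HEADER_LEN)
    return bytes(buf[:total])


# Constructed fragment sets: (fragment offset in 8-byte units, payload bytes).
BENIGN_PING = [(0, b"A" * 1480), (185, b"B" * 1480)]    # reassembles to 2980 bytes
PING_OF_DEATH = [(0, b"A" * 1480), (8190, b"B" * 64)]   # last fragment ends at byte 65604

if __name__ == "__main__":
    print("benign datagram ends at", reassemble_unchecked(BENIGN_PING))
    print("ping-of-death datagram ends at", reassemble_unchecked(PING_OF_DEATH))
    print("checked benign data length", len(reassemble_checked(BENIGN_PING)))
    print("checked ping-of-death result", reassemble_checked(PING_OF_DEATH))
```

The check is deliberately made per fragment, before the copy, rather than on the final total: the overflow happens while copying the offending fragment, so a check after reassembly comes too late.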
DDoS (Distributed Denial of Service) attacks are usually generated by a very large number of hosts. These hosts might be amplifiers or reflectors of some kind, or "zombies" (agent programs that connect back to pre-defined master hosts) planted on remote hosts and waiting for the command to attack a victim. It is quite common to see attacks generated by hundreds of hosts producing floods of hundreds of megabits per second. The main tool of DDoS is bulk flooding: the attacker or attackers send the victim as many packets as they can in order to overwhelm it. The best way to picture what a DDoS attack does to a web server is to imagine the whole population of a city deciding, at the same moment, to go and stand in line at the local shop. These are all legitimate requests for service, since every person came to buy something, but nobody gets served, because there are a thousand other people in line ahead of them.
DDoS attacks require a large number of hosts attacking together at the same time (see figure 1). This is accomplished by infecting a large number of Internet hosts with a "zombie". The attacker can then be anyone with a little knowledge and the right access to the master host (such as the password to an Internet Relay Chat (IRC) channel). All they have to do is enter a few commands, and the whole zombie army wakes up and mounts a massive attack against the victim of their choice. The zombie program can be planted on the infected hosts in a variety of ways, such as an attachment to spam email, the latest cool Flash movie, a crack for a game, or even the game itself. Communication between the zombie and its master can be hidden as well, by carrying it over standard protocols such as HTTP, IRC, ICMP or even DNS.
An amplifier is a system that is able to drastically increase the volume of attacking traffic. One way to obtain amplification is to send packets to a network's broadcast address with the victim's address forged as the source, so that every host on that network replies to the victim. Attacks that use amplifiers are also known as magnification attacks. A reflector is any IP host that returns one or more packets for each packet received. So, for example, all web servers, DNS servers and routers are reflectors, since they return SYN-ACKs or RSTs in response to SYNs or other TCP packets. The same is true of query replies in response to query requests, and of ICMP Time Exceeded or Host Unreachable messages in response to particular IP packets. Because the attacker forges the victim's address as the source, the reflectors' replies are delivered to the victim, and the victim sees only the reflectors' addresses, never the attacker's.
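To make the reflector and amplifier definitions concrete, here is an added example that is not code from the original study: a toy model in which an attacker sends requests with the victim's address forged as the source to a one-reply-per-request reflector and to a broadcast amplifier. Addresses (from the RFC 5737 documentation ranges), packet sizes and reply behaviours are constructed for the example; the amplification factor it reports is a property of those constructed numbers, not a measured value for any real protocol.

```python
# Added example, not code from the original study: a toy model of reflectors
# and amplifiers driven by spoofed requests. Addresses (RFC 5737 documentation
# ranges), packet sizes and reply behaviours are constructed for the example.


def plain_reflector(reply_size):
    """Any host that answers each request with one packet (a DNS server
    answering a query, a TCP port answering a SYN with a SYN-ACK or RST)."""
    def behaviour(addr, request_size):
        return [(addr, reply_size)]            # (reply source, reply size)
    return behaviour


def broadcast_amplifier(prefix, n_hosts, reply_size=64):
    """A request sent to a segment's broadcast address is answered by every
    live host on that segment: one request in, n_hosts replies out."""
    def behaviour(addr, request_size):
        return [(f"{prefix}.{i}", reply_size) for i in range(1, n_hosts + 1)]
    return behaviour


def spoofed_flood(victim, reflectors, requests_per_reflector, request_size):
    """The attacker writes the victim's address into the source field of every
    request, so each reflector's reply is delivered to the victim.
    Returns (packets the attacker sent, packets the victim received), each
    packet as (src, dst, size)."""
    sent, received = [], []
    for addr, behaviour in reflectors.items():
        for _ in range(requests_per_reflector):
            sent.append((victim, addr, request_size))          # forged source
            for reply_src, size in behaviour(addr, request_size):
                received.append((reply_src, victim, size))     # lands on the victim
    return sent, received


def bytes_to(host, packets):
    return sum(size for _, dst, size in packets if dst == host)


def sources_seen_by(host, packets):
    """Addresses the victim would see if it tried to filter by source."""
    return sorted({src for src, dst, _ in packets if dst == host})


def amplification_factor(sent, received):
    """Bytes arriving at the victim per byte the attacker had to send."""
    return sum(s for *_, s in received) / sum(s for *_, s in sent)


ATTACKER = "192.0.2.7"          # never appears in any packet: its address is never used
VICTIM = "192.0.2.10"
REFLECTORS = {
    "198.51.100.53": plain_reflector(512),                  # e.g. a DNS server
    "203.0.113.255": broadcast_amplifier("203.0.113", 50),  # a /24 with 50 live hosts
}


def run():
    sent, received = spoofed_flood(VICTIM, REFLECTORS, requests_per_reflector=10, request_size=64)
    return {
        "attacker_bytes": sum(s for *_, s in sent),
        "victim_bytes": bytes_to(VICTIM, received),
        "factor": amplification_factor(sent, received),
        "sources": sources_seen_by(VICTIM, received),
    }


if __name__ == "__main__":
    result = run()
    print(f"attacker sent {result['attacker_bytes']} bytes, victim received {result['victim_bytes']}")
    print(f"amplification factor {result['factor']:.1f}, {len(result['sources'])} distinct sources seen")
    print("attacker address visible to victim:", ATTACKER in result["sources"])
```

Two things the numbers show: the victim receives far more than the attacker sent (the amplifier contributes most of it), and every source address the victim can log belongs to a reflector or to a host behind the broadcast address, so filtering by source punishes third parties and never reaches the attacker.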
Description of a DDoS attack
DDoS attacks are quite common today, and they pose the main threat to public services, because when a distributed attack is mounted against an Internet service it is quite hard to block thousands of hosts sending flood data. This is particularly painful when the attacking packets are legitimate requests, since they cannot easily be told apart from normal traffic and attributed to a DDoS attack.
Another aspect of most DDoS attacks is that they consume a vast amount of resources from the network infrastructure, such as ISP networks and network equipment. This makes such attacks even more troublesome, because a single attack targeted at a minor web server might bring the whole ISP's network down, and with it affect service for thousands of users.
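The difficulty of blocking a distributed flood described above can be seen in a small detection exercise. The following is an added example, not code from the original study: constructed one-second traffic samples for a single-source flood and for a flood from two thousand zombies, run through a per-source rate limit (the classic single-source mitigation) and through an aggregate link-capacity check. The link capacity, the per-source limit and all traffic figures are assumed values chosen for the example.

```python
# Added example, not code from the original study: detection logic run over
# constructed one-second traffic samples. Each record is (source address,
# bytes). The link capacity and per-source limit are assumed values.

from collections import Counter

LINK_CAPACITY_BPS = 1_250_000     # assumed 10 Mbit/s access link, in bytes per second
PER_SOURCE_LIMIT_BPS = 125_000    # assumed: rate-limit any single source above 1 Mbit/s


def make_records(n_sources, pkts_per_source, pkt_bytes, prefix):
    """Constructed one-second sample: n_sources hosts each sending
    pkts_per_source packets of pkt_bytes. Addresses are labels, not real hosts."""
    records = []
    for i in range(n_sources):
        src = f"{prefix}.{i // 256}.{i % 256}"
        records.extend([(src, pkt_bytes)] * pkts_per_source)
    return records


def bytes_per_source(records):
    counts = Counter()
    for src, size in records:
        counts[src] += size
    return counts


def sources_over_limit(records, limit=PER_SOURCE_LIMIT_BPS):
    """Per-source mitigation: the hosts a per-source rate limit would catch."""
    return sorted(src for src, total in bytes_per_source(records).items() if total > limit)


def link_overloaded(records, capacity=LINK_CAPACITY_BPS):
    """Aggregate view: does the offered load exceed the victim's link?"""
    return sum(size for _, size in records) > capacity


# Constructed scenarios. Legitimate clients send 2 packets of 500 bytes each.
LEGIT = make_records(200, 2, 500, "10.1")                              # 200 kB/s in total
SINGLE_SOURCE = LEGIT + make_records(1, 3000, 1000, "198.51")          # one host at 3 MB/s
DISTRIBUTED = LEGIT + make_records(2000, 2, 1000, "10.2")              # 2000 zombies, 2 kB/s each


if __name__ == "__main__":
    for name, sample in [("legit", LEGIT), ("single-source DoS", SINGLE_SOURCE), ("DDoS", DISTRIBUTED)]:
        print(f"{name}: link overloaded={link_overloaded(sample)}, "
              f"sources over per-source limit={sources_over_limit(sample)}, "
              f"distinct sources={len(bytes_per_source(sample))}")
```

In the distributed case the link is saturated, yet no single zombie sends more than a legitimate client might, so the per-source rule yields nothing to block; the only signal is the aggregate, which identifies the problem but not the hosts causing it.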