DoS Attack

Denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. DoS attack generally consists of efforts to temporary or indefinitely suspend or interrupt services.  The SYN flood attack is a common example of a network level denial of service attack. It is easy to launch and difficult to track. The aim of the attack is to send more requests to a server than it can handle.

Untitled

In the beginning of February 2000, world saw a number of attacks on very big internet sites like Amazon, CNN, Yahoo and eBay. Most of this attacks can be classified as Denial of service attacks with additional feature – the compromise of many distributed hosts to act as daemon or zombie machines. Each zombie carries out a DoS attack resulting in a vastly distributed and amplified attack – the Distributed Denial of Service (DDoS).

The surprise attack took the Yahoo site down for more than three hours. It was based on Smurf attack, and most likely, the Tribe Flood Network technique. At the peak of the attack, Yahoo was receiving more than one gigabit per second of data requests.

Attack Methods

These methods allow an attacker to coordinate and execute the attack. These types of attacks plagued the Internet on February 2000. However these distributed attack techniques still rely on the base type of attacks like smurf, SYN or UDP flood.

The techniques are listed in chronological order. It can be observed that as time has passed, the distributed techniques (Trinoo, Tribal Flood Network, Stacheldraht, Shaft, and TFN2k) have become technically more advanced and, hence more difficult to detect.

Trinoo uses TCP to communicate between the attacker and the control master program communicates with the attack daemons using UDP packets. Trinoo attack daemons implement UDP Flood attacks against the target victim.

Tribe Flood Network (TFN) uses a command line interface to communicate between the attacker and the control master program. Communication between the control master and attack daemons is done via ICMP echo reply packets. TFN’s attack daemons implement Smurf, SYN Flood, UDP Flood, and ICMP Flood attacks.

Stacheldraht (German word for “barbed wire”) is based on the TFN attack. However, unlike TFN, Stacheldraht uses and encrypted TCP connection for communication between the attacker and master control program. Communication between the master control and attack daemons is conducted using TCP and ICMP, and involves an automatic update technique for the attack daemons. The attack daemons for Stacheldraht implement Smurf, SYN Flood UDP Flood, and ICMP Flood attacks.

Shaft is modeled after trinoo. Communication between the control master program and attack daemons is achieved using UDP packets. The control master daemons is achieved using UDP packets. The control master program and attacker communicate via a simple TCP telnet connection. A distinctive feature of Shaft is the ability to switch control master server and ports in real time, hence making detection by intrusion detection tools difficult.

TFN2k uses TCP, UDP and ICMP or all three to communicate between the control master program and the attack daemons. Communication between the real attacker and control master is encrypted using a key based CAST 256 algorithm. In addition, TFN2k conducts covert exercises to hide itself from intrusion detection systems. TFN2k attack daemon implement Smurf, SYN, UDP and ICMP Flood attacks.

Mitigation

Many observers have stated that there are currently no successful defenses against a fully distributer denial of service attack. This may be true. Nevertheless, there are numerous safety measures that a host or network can perform to make the network and neighboring networks more secure.

Firewall: Filtering all private address packets entering and leaving the network protects the network from attacks conducted from neighboring networks and prevents the network itself from being an unaware attacker. This measure requires installing ingress and egress packet filters on all routers.

Disabling IP Broadcast: By disabling IP broadcasts, host computers can no longer be used as amplifiers in Smurf and Fraggle attacks. However, to defend against this attack, all neighboring networks need to disable IP broadcasts.

Applying Security Patches:  To guard against denial of service attacks, host computers must be updated with the latest security patches and techniques. For example, in the case of SYN Flood attack there are three steps that the host computers can take to guard themselves from attacks: increase the size of the connection queue, decrease the time-out waiting for the three-way handshake, and enable end host features like SYN cookies and SYN cache and circumvent the problem.

Disabling Unused Services: If UDP echo (UDP port number 7) or chargen (TCP port number 19) services are not required, disabling them will help to defend against the attack. In general, if network services are unneeded or unused, the services should be disabled to prevent tampering and attacks

Performing Intrusion Detection: By performing intrusion detection, a host computer and network are guarded against being a source for and attack, as while as being a victim of an attack, Network monitoring is a very good pre-emptive way of guarding against denial of service attacks especially net-flow based tools are very useful in detection vector of attack and tracking down source and destination. By inspecting host systems, a host can also prevent it from hosting an attack on another network.