Fatal1ty Posted August 12, 2006

Denial of Service Attack

A Denial of Service, or DoS as it is often abbreviated, is a malicious attack on a network. This type of attack is essentially designed to bring a network to its knees by flooding it with heavy useless traffic. Many DoS attacks work by exploiting limitations in the TCP/IP protocols.

Hackers use DoS attacks to prevent legitimate uses of computer network resources. DoS attacks are characterised as attempts to flood a network, attempts to disrupt connections between two computers, attempts to prevent an individual from accessing a service, or attempts to disrupt service to a specific system or person. Those on the receiving end of a DoS attack may lose valuable resources, such as their e-mail services, Internet access or their Web server. Some DoS attacks may take up all your bandwidth or even use up all the system resources, such as server memory, etc. Some of the worst-case scenarios we've seen over the past couple of years involve a Web site used by millions of people being forced to cease operation because of a successful DoS attack.

A DoS attack may very well appear to be legitimate traffic on the system or network, but differs in that the volume and frequency of the traffic will increase to unmanageable levels. An attack on a Web server, for example, would not be normal spurts of visitors, but rather a large number of hits in close proximity so the server cannot keep up with the sheer volume of page requests. On a mail server, hundreds of thousands of messages can be sent to the server in a short period of time where the server would normally only handle under a thousand messages in that same time period.
The targeted server would most likely be brought to a halt from a DoS attack because it runs out of swap space, process space or network connections.

While DoS attacks do not usually result in information theft or any security loss for a company, they can cost an organization both time and money while their network services are down. For the hacker (or the script kiddies who often use DoS attacks), a DoS attack is usually committed for "ego boosting" purposes.

Early DoS attacks consisted of simple tools generating packets from a single source, which was then aimed at a single destination. The evolution of the DoS attack, however, now sees single source attacks against multiple targets, multiple source attacks against single targets, and multiple source attacks against multiple targets.

Common Denial of Service Attacks

Buffer Overflow

The condition wherein the data transferred to a buffer exceeds the storage capacity of the buffer and some of the data overflows into another buffer, one that the data was not intended to go into. Since buffers can only hold the specific amount of data space provided, when that capacity has been reached the data has to flow somewhere else, typically into another buffer, which can corrupt data that is already contained in that buffer. Malicious hackers can launch buffer overflow attacks wherein data with instructions to corrupt a system are purposely written into a file in full knowledge that the data will overflow a buffer and release the instructions into the computer's instructions.

Ping of Death

A type of DoS attack in which the attacker sends a ping request that is larger than 65,536 bytes, which is the maximum size that IP allows. While a ping larger than 65,536 bytes is too large to fit in one packet that can be transmitted, TCP/IP allows a packet to be fragmented, essentially splitting the packet into smaller segments that are eventually re-assembled.
Attacks took advantage of this flaw by fragmenting packets that, when received, would total more than the allowed number of bytes and would effectively cause a buffer overload on the operating system at the receiving end, crashing the system.

Smurf Attack

A type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees.

TCP SYN Attack

In a SYN attack, a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

Teardrop

A Teardrop is a type of DoS attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them.

Distributed Denial of Service Attack (DDoS)

In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. As in a DoS attack, in a DDoS attack the legitimate requests to the affected system are denied.
Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.

Preventative Measures

To prevent your system and network from becoming a victim of DoS attacks, implement these preventive measures:

- Implement router filters. This will lessen your exposure to certain denial-of-service attacks.
- If they are available for your system, install patches to guard against TCP SYN flooding.
- Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
- Enable quota systems on your operating system if they are available.
- Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
- Routinely examine your physical security with respect to your current needs.
- Use Tripwire or a similar tool to detect changes in configuration information or other files.
- Invest in and maintain "hot spares" - machines that can be placed into service quickly in the event that a similar machine is disabled.
- Invest in redundant and fault-tolerant network configurations.
- Establish and maintain regular backup schedules and policies, particularly for important configuration information.
- Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.

Source: www.cert.org
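The TCP SYN attack section above says the damage comes from connection queues filling with handshakes that are never completed, and the preventative list says to measure a baseline and watch for departures from it. The following is an added example (not from the post or from CERT) that puts those two ideas together: it replays a hypothetical one-line-per-packet summary format (constructed here, not real capture output), tracks each handshake through SYN, SYN-ACK and ACK, and reports the half-open connections per server and per client so the queue depth can be compared against a baseline.

```python
import re
from collections import Counter

# Hypothetical one-line-per-packet summary format (constructed for this example):
#   <time> <src-ip>:<port> <dst-ip>:<port> TCP <flags>   with flags S, SA or A
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+):(\d+) TCP (S|SA|A)$")

# Constructed sample: one completed handshake from 203.0.113.5, then six SYNs from
# 198.51.100.9 that the server answers with SYN-ACK but that are never completed.
SAMPLE = [
    "10:00:00.001 203.0.113.5:40001 192.0.2.10:80 TCP S",
    "10:00:00.002 192.0.2.10:80 203.0.113.5:40001 TCP SA",
    "10:00:00.003 203.0.113.5:40001 192.0.2.10:80 TCP A",
]
for i in range(6):
    SAMPLE.append(f"10:00:01.{i:03d} 198.51.100.9:{50000 + i} 192.0.2.10:80 TCP S")
    SAMPLE.append(f"10:00:01.{i:03d} 192.0.2.10:80 198.51.100.9:{50000 + i} TCP SA")

def half_open_connections(lines):
    """Return (client_ip, client_port, server_ip, server_port) tuples left half-open:
    SYN answered by SYN-ACK but never completed by the client's ACK (queue occupants)."""
    state = {}  # connection tuple -> "SYN" | "SYNACK" | "OPEN"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not TCP handshake packets
        _, a_ip, a_port, b_ip, b_port, flags = m.groups()
        if flags == "S":
            state[(a_ip, a_port, b_ip, b_port)] = "SYN"
        elif flags == "SA":
            key = (b_ip, b_port, a_ip, a_port)  # SYN-ACK travels server -> client
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif flags == "A":
            key = (a_ip, a_port, b_ip, b_port)
            if state.get(key) == "SYNACK":
                state[key] = "OPEN"
    return [conn for conn, st in state.items() if st == "SYNACK"]

def queue_depth_by_server(lines):
    """Half-open connections per server: the figure a SYN attack pushes past the queue size."""
    return dict(Counter(conn[2] for conn in half_open_connections(lines)))

def half_open_by_source(lines):
    """Half-open connections per client; spoofed floods spread this thin, so use it with the above."""
    return dict(Counter(conn[0] for conn in half_open_connections(lines)))

def servers_over_baseline(lines, baseline=5):
    """Servers whose half-open queue depth exceeds a baseline measured from ordinary activity."""
    return sorted(srv for srv, n in queue_depth_by_server(lines).items() if n > baseline)
```

The baseline value is an assumption for the sample; in practice it comes from the ordinary-activity measurements the list above recommends, and the per-source breakdown tells you where a router filter would bite.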