
Denial of Service (DoS)

Denial of Service (DoS) attacks are easy to execute.

Attack tools can be downloaded from online resources; to launch a DoS attack, all it takes is a readily available software program and a target network. There are three types of DoS attacks: those that exploit bugs in a TCP/IP implementation, such as the Ping of Death; those that exploit weaknesses in the implementation of TCP/IP, such as SYN floods and LAND attacks; and brute-force attacks that flood a network with useless data, such as Smurf attacks.

Ping of Death

The Ping of Death, when first discovered, could easily be used to crash a wide variety of machines by overrunning size limits in their TCP/IP stacks. First revealed in late 1996, the "Ping o' Death" takes advantage of the ability of the Internet Protocol (the protocol on top of which all other Internet protocols are built) to fragment packets. This works as follows. The specification for the Internet Protocol (IP) says that a packet may be up to 65,535 (2^16 - 1) bytes in length, including the packet header. But the specifications for most network technologies in use today do not allow packets that big; for example, the maximum Ethernet packet size is 1,500 bytes. To allow large packets to be sent, IP allows the sender to break a large packet up into several smaller fragments. Each fragment contains an offset value that says where in the larger packet this fragment belongs: the first fragment has an offset of zero, the second fragment has an offset equal to the length of the first fragment, and so on. This makes it possible to combine a valid offset with a suitable fragment size such that (offset + size) is greater than 65,535, the maximum size of a packet. The problem arises in the way packet fragmentation is implemented by most systems: they do not attempt to process a packet until all the fragments have been received and an attempt has been made to reassemble them into one big packet.
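The (offset + size) > 65,535 condition just described, worked through in a small reassembly model. This is an added example, not code from the original page: the fragment sizes, the 65,510-byte ping and the buffer model are constructed to match the text, and a real stack's data structures differ.

```python
# Constructed model of IP fragment reassembly: a fragment is (offset, size), where
# offset is the IP header's 13-bit fragment offset in 8-byte units and size is the
# fragment's payload length in bytes. Nothing here touches a real network.
IP_HEADER = 20
MAX_DATAGRAM = 0xFFFF        # 65,535: the 16-bit total-length limit from the IP spec
MTU_PAYLOAD = 1480           # 1,500-byte Ethernet frame minus the IP header (multiple of 8)


def make_fragments(total_payload):
    """Split an IP payload of total_payload bytes into MTU-sized fragments,
    as a sending stack does when the datagram exceeds the link MTU."""
    frags, off = [], 0
    while off < total_payload:
        size = min(MTU_PAYLOAD, total_payload - off)
        frags.append((off // 8, size))
        off += size
    return frags


def reassemble(frags, wide_arithmetic):
    """Model a receiving stack with a MAX_DATAGRAM-byte reassembly buffer.

    wide_arithmetic=False keeps the 'end of fragment' cursor in 16 bits, as the
    vulnerable stacks did; wide_arithmetic=True is the fixed behaviour.
    Returns ("ok", datagram_length), ("rejected", None) or ("overflow", bytes_past_end).
    """
    high = 0
    for offset, size in frags:
        start = IP_HEADER + offset * 8          # where this fragment's data lands
        end = start + size                      # offset + size, plus the header
        if not wide_arithmetic:
            end &= 0xFFFF                       # 65,538 wraps to 2
        if end > MAX_DATAGRAM:                  # the bounds check the stack performs
            return ("rejected", None)
        # The copy uses the real size, so a wrapped `end` passes the check while the
        # data is still written past the buffer: the 16-bit overflow behind the crash.
        if start + size > MAX_DATAGRAM:
            return ("overflow", start + size - MAX_DATAGRAM)
        high = max(high, end)
    return ("ok", high)


# The classic "Ping o' Death": an 8-byte ICMP header plus 65,510 bytes of data gives a
# 65,518-byte IP payload, i.e. a 65,538-byte datagram once the 20-byte header is added.
POD_FRAGMENTS = make_fragments(8 + 65510)
NORMAL_FRAGMENTS = make_fragments(8 + 56)   # an ordinary 64-byte ping payload


def demo():
    """Compare the 16-bit and the checked stack on both datagrams."""
    return {
        "normal_16bit": reassemble(NORMAL_FRAGMENTS, wide_arithmetic=False),
        "pod_16bit": reassemble(POD_FRAGMENTS, wide_arithmetic=False),
        "pod_checked": reassemble(POD_FRAGMENTS, wide_arithmetic=True),
    }
```

The 16-bit stack accepts the oversized last fragment because its wrapped end offset (2) looks tiny, and then writes three bytes past the buffer; the checked stack rejects the datagram before copying anything.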
This opens these systems to overflow of 16-bit internal variables, resulting in system crashes, protocol hangs, and other problems. The problem was first discovered in the context of sending ICMP ECHO REQUEST packets, commonly called "ping" packets after the application program used to send them. Most implementations of "ping" will not allow improperly sized packets to be sent. Because sending a single, large (65,510-byte) "ping" packet to many systems will cause them to hang or even crash, the problem was quickly dubbed the "Ping o' Death." Not all operating systems are vulnerable to this problem. However, most of the popular operating systems in use today are vulnerable, to some degree, under certain circumstances. The problem is not limited to UNIX systems; it occurs in many personal computer operating systems, some midrange and mainframe systems, and several more specialized operating systems (terminal servers, network printers). The problem is due to the implementation of fragmented packet reassembly, and is thus relatively easy to fix. Patches have been made available; IBM, for example, has released AIX operating system fixes for both the SYN flood and the "Ping o' Death".

The Synchronization Flood Attack (SYN Flood Attack)

Commonly called the "SYN Flood Attack," this vulnerability takes advantage of the Transmission Control Protocol (TCP) connection establishment procedure, usually called the "three-way handshake." The three-way handshake works as follows, where Host A wants to connect to Host B:

1. Host A begins the process of establishing the connection by sending a SYN packet to Host B. This packet requests a new connection on a particular port, and begins the process of negotiating connection details such as packet sequence numbers.
2. Host B responds by sending a SYN/ACK (synchronization/acknowledgement) packet back to A. This packet acknowledges Host A's packet, and goes one step further in negotiating the connection details.
3. Host A sends a final ACK (acknowledgement) packet back to Host B; this acknowledges Host B's packet, finalizes the negotiation of connection details, and the connection is established.

The three-way handshake is designed to work properly even if one of the packets gets lost or duplicated, which can happen from time to time as a part of normal operations. During the time between steps 2 and 3, Host B must keep track of the pending new connection by storing the details of the negotiation in an in-memory data structure. This data structure is usually of finite size, which means that too many pending connections at one time can cause it to overflow.
When this happens, Host B will be unable to accept any new connections at all until some of the pending connections have been fully established (or have timed out), freeing space in the data structure. The basic SYN flood attack works by sending a high volume of SYN packets to the target host and then never responding to the SYN/ACK packets that are returned, thus filling up the data structure(s) used by the target host to keep track of pending connections. Although pending connections will time out eventually and free up space in the data structure(s), the sender can simply transmit additional SYN packets faster than they can expire. The sender can also take advantage of the fact that, since he is ignoring the target host's SYN/ACK packets, he does not even need to receive them. This allows him to hide his location by using a forged address in the SYN packets his system sends: he can use the real address of another system (thus misleading the target), or he can use a non-existent address.
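A simulation of the finite pending-connection table described above, next to the kind of change to the connection-establishment procedure the text says can mitigate the attack. This is an added example, not code from the original page: the table size, timeout, addresses and secret key are constructed values, and the stateless variant is SYN cookies, a technique the page itself does not name.

```python
import hashlib, hmac, random

BACKLOG = 128        # size of the pending-connection table (constructed value)
SYN_TIMEOUT = 3.0    # seconds a half-open entry lives before it expires
COOKIE_SECRET = b"constructed-demo-secret"   # a real stack uses a random, rotating key


class StatefulListener:
    """Host B as the text describes it: every SYN reserves a slot until ACK or timeout."""
    def __init__(self):
        self.now = 0.0             # simulated clock, seconds
        self.pending = {}          # (src_ip, src_port) -> (isn, expiry)

    def syn(self, src_ip, src_port):
        """Returns the ISN sent in the SYN/ACK, or None when the table is full."""
        self.pending = {k: v for k, v in self.pending.items() if v[1] > self.now}
        if len(self.pending) >= BACKLOG:
            return None            # SYN dropped: no room for another half-open connection
        isn = random.getrandbits(32)
        self.pending[(src_ip, src_port)] = (isn, self.now + SYN_TIMEOUT)
        return isn

    def ack(self, src_ip, src_port, ack_num):
        """Final ACK: established only if a matching, unexpired half-open entry exists."""
        entry = self.pending.pop((src_ip, src_port), None)
        return (entry is not None and entry[1] > self.now
                and ack_num == (entry[0] + 1) & 0xFFFFFFFF)


def syn_cookie(src_ip, src_port, minute):
    """ISN derived from the connection tuple and a coarse timestamp under a secret key."""
    msg = f"{src_ip}:{src_port}:80:{minute}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


class CookieListener:
    """Changed establishment procedure (SYN cookies): nothing is stored per SYN; the
    SYN/ACK's ISN is a keyed hash that the final ACK must echo back as ISN+1."""
    def __init__(self):
        self.now = 0.0

    def syn(self, src_ip, src_port):
        return syn_cookie(src_ip, src_port, int(self.now // 60))

    def ack(self, src_ip, src_port, ack_num):
        minute = int(self.now // 60)   # accept cookies minted this minute or the previous one
        return any(ack_num == (syn_cookie(src_ip, src_port, m) + 1) & 0xFFFFFFFF
                   for m in (minute, minute - 1))


def flood(listener, packets=200):
    """Spoofed SYNs from addresses that never answer, all inside one SYN_TIMEOUT window."""
    for i in range(packets):
        listener.syn(f"10.0.{i // 256}.{i % 256}", 40000 + i)


def legitimate_connect(listener):
    """A real client: SYN, then ACK of the SYN/ACK. True if the connection is established."""
    isn = listener.syn("192.0.2.10", 51000)
    return isn is not None and listener.ack("192.0.2.10", 51000, (isn + 1) & 0xFFFFFFFF)


def demo():
    """Same flood against both implementations, then one real connection attempt each."""
    results = {}
    for name, cls in (("stateful", StatefulListener), ("syn_cookie", CookieListener)):
        listener = cls()
        flood(listener)
        results[name] = legitimate_connect(listener)
    return results               # {'stateful': False, 'syn_cookie': True}
```

With 200 unanswered SYNs arriving faster than the 3-second expiry, the stateful table is full and the real client's SYN is dropped; the cookie listener holds no per-SYN state, so the flood costs it nothing and the real handshake completes.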

In a LAND attack, hackers send one or more SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. Attack programs can make up a new, random source address for each packet they send. Any system that is connected to a TCP/IP-based network (Internet or intranet) and offers TCP-based services is vulnerable to the SYN flood and LAND attacks. The attack does not distinguish between operating systems, software version levels, or hardware platforms; all systems are vulnerable. Because this attack takes advantage of the TCP protocol itself, it cannot be eliminated without changing the protocol. However, it is possible to make changes to the implementation of the connection establishment procedure that mitigate the problems caused by the attack.

Smurf Attacks

The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. The "smurf" attack, a bandwidth attack, targets a feature in the IP specification known as "directed broadcast addressing" to quickly flood the target host or network with useless data. A smurf attacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings), setting the destination IP address of each packet to the broadcast address of the network; this causes the router to broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this creates a large amount of ICMP echo request and response traffic. If the attacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "amplifier" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible. Most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet. The providers and machines most commonly hit are IRC servers and their providers. There are two parties who are hurt by this attack: the intermediary (broadcast) devices, and the spoofed-address target, or "victim". The victim is the target of the large amount of traffic that the amplifiers generate. To paint a picture of the dangerous nature of this attack, consider the scenario: the ping packets hit the site's broadcast network; each host takes the packet and responds to it, creating out-bound replies. The traffic is multiplied and is then sent to the victim. "Smurf" and "fraggle" attacks focus on Cisco routers. The "smurf" attack's cousin is called "fraggle"; it uses UDP echo packets in the same fashion as the ICMP echo packets and was a simple rewrite of "smurf".

The perpetrators of these attacks rely on the ability to send spoofed packets to the "amplifiers" in order to generate the traffic that causes the denial of service. To stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, to prevent source-address-spoofed packets from entering from downstream networks or leaving for upstream networks. Router vendors have added, or are currently adding, options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface on which it was received.

Protection against DoS Attacks

Measures against distributed denial-of-service attacks must be taken at many points in the existing complex Internet structure, in a joint campaign. Server operators on the Internet that have been the object of these attacks can resort to a number of meaningful measures without solving the DoS problem completely. Rather, the different target groups (content providers, server operators, network operators and end-users) must each act in their own sector. Only jointly can the Internet be made safer with respect to the danger of DoS attacks, making the execution of denial-of-service attacks more difficult and thus alleviating them. The following target groups must work together in the hope of protecting the Internet against DoS attacks: end-users, network operators, server operators, and content providers.
The measures below address these target groups. The first five measures assist in the defense against, or limitation of damage from, DoS attacks, as they intervene on the transmission paths in the Internet. The other measures refer to the selection, configuration and maintenance of the end systems in the Internet and hinder the preparation of a DoS attack. Some risk will, however, remain even after implementation of the measures, which is why organised reporting systems for attacks in the Internet should be developed.

Measures for Network Operators

The network operators take on a central part in the prevention of DoS. Although the network operators are seldom the object of DoS attacks, they profit indirectly from a secure Internet, as the confidence of all users, and thus their number, grows.

1: Prevention of IP Spoofing

Many DoS attacks use forged IP sender addresses. This makes the attacks possible on the one hand; on the other hand, it hinders the search for the originators. Through appropriate technical rules (RFC 2267 of January 1998) in their network infrastructure, the network operators can restrict this possibility appreciably, so that falsified packets can no longer be distributed to the Internet. An organization that is connected to a network operator has a certain IP address range at its disposal. Each IP packet that is sent from this organization must have an IP sender address from that range. If this is not the case, the address is forged and the network operator should not pass on the IP packet. Although IP spoofing is still possible within the allowed address range of the organization, the circle of possible originators is limited to that organization. A normal home access into the Internet has only one authorized IP address, so that with such selective accesses IP spoofing would no longer be possible.

2: Use of Packet Filters by Network Operators

Servers are often connected to the network operator through only a single network connection. Even if the servers are resistant to DoS attacks, this network connection is itself restricted in its capacity and can be fully occupied by an attacker, so that the servers can no longer be reached from the Internet. For this reason, network operators should consider shielding the network connection of the server operators against DoS attacks by the use of packet filters, i.e. packet filtering on target addresses should be carried out when the packets leave the Internet.
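The two edge-router checks this page calls for, the RFC 2267 ingress filter of measure 1 and the directed-broadcast block from the smurf section and measure 3 (RFC 2644), as one added example that is not part of the original page. The interfaces, customer allocations, connected subnets and sample packets are constructed; the ingress check is the static per-customer form, of which the routing-table lookup the smurf section mentions is the automated variant.

```python
import ipaddress

# Constructed topology for a network operator's edge router. Ingress filtering (RFC 2267)
# is applied per customer-facing interface against the address area allocated to that customer.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],     # an organisation's address area
    "eth2": [ipaddress.ip_network("198.51.100.7/32")],    # a home access with a single address
}
UPSTREAM_INTERFACE = "eth0"
# Subnets directly connected to the router: packets addressed to their broadcast addresses are
# directed broadcasts and are dropped (RFC 2644), which removes the smurf "amplifier" role.
CONNECTED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/25")]


def ingress_filter(iface, src):
    """Measure 1: a packet arriving from a customer must carry a source inside that customer's
    allocation; anything else is a forged sender address. Returns (verdict, reason)."""
    if iface == UPSTREAM_INTERFACE:
        return ("permit", "arrived from upstream; source not verifiable here")
    src_ip = ipaddress.ip_address(src)
    allowed = CUSTOMER_PREFIXES[iface]
    if any(src_ip in net for net in allowed):
        return ("permit", "source inside the customer's address area")
    return ("drop", f"spoofed source {src}: not in {', '.join(map(str, allowed))}")


def directed_broadcast_filter(dst):
    """Smurf mitigation: a routed packet whose destination is the broadcast address of a
    connected subnet can only have come from outside that subnet, so it is dropped."""
    dst_ip = ipaddress.ip_address(dst)
    for net in CONNECTED_SUBNETS:
        if dst_ip == net.broadcast_address:
            return ("drop", f"directed broadcast to {net}")
    return ("permit", "not a broadcast destination")


def filter_packet(iface, src, dst):
    """Apply both checks to one packet; the first drop decides."""
    for verdict, reason in (ingress_filter(iface, src), directed_broadcast_filter(dst)):
        if verdict == "drop":
            return ("drop", reason)
    return ("permit", "passes ingress and directed-broadcast checks")


# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.25", "192.0.2.10"),   # customer traffic with its own address
    ("eth1", "192.0.2.10", "198.51.100.7"),   # customer forging a foreign source address
    ("eth2", "198.51.100.7", "192.0.2.10"),   # home access using its single assigned address
    ("eth2", "10.9.9.9", "192.0.2.10"),       # home access forging a source
    ("eth0", "198.18.0.1", "203.0.113.255"),  # inbound ping to a broadcast address (smurf amplifier)
    ("eth0", "198.18.0.1", "203.0.113.40"),   # ordinary inbound unicast
]


def run(packets=SAMPLE_PACKETS):
    """Verdict per sample packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in packets]
```

Spoofing from inside a customer's own allocation still passes, exactly the residual risk the text notes; the home-access interface with a single address leaves no such room.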
This is particularly effective when, in co-operation with an attack-recognition system at the server operator, the packet filter can be adapted dynamically to the attack that happens to be running. (In addition, the network operator can, in co-ordination with the server operator, configure the packet filter in such a manner that measure 3 is also supplemented on the part of the network operator.)

Measures for Server Operators

The computers of the server operators do not only come into question as victims of DoS attacks. Because of their efficient connection to the Internet, they are also potential launch platforms. For this reason these computers must be prevented from being misused as a starting point for attacks on other computers.

3: Packet Filtering

Servers should offer only a few services and be configured correspondingly. On the incoming router, packet filter rules should be implemented which only allow those protocols to pass that belong to these services, and which block off security-critical services and directed broadcasts (RFC 2644). In the case of an attack, these routers can be reconfigured in such a manner that queries from suspicious individual IP addresses or address ranges are rejected. (In addition, the server operator should configure the packet filter so that IP spoofing is not possible from his network, and in this way measure 1 is supported. The settings to be carried out for this are described in the system administrator manuals of the routers.)

4: Automatic Attack Recognition

Normally, DoS attacks distinguish themselves through the fact that they occupy the server abnormally. For this reason typical characteristics (memory occupancy, stacks, network occupancy) should be monitored constantly. An automatic alarm then enables a quick reaction to be initiated.

5: Establishment of a Contingency Plan

In the event of an attack, a rapid response is of central importance. This is the only way to take effective countermeasures, possibly to identify the attacker, and to restore normal operation within a short period. This is why an escalation procedure should be laid down in a contingency plan. Necessary information includes contact persons, persons in charge, alternative communication channels, instructions for action and the place where resources that may be needed (such as magnetic tapes) are stored.

6: Secure Configuration of the Servers

The servers of the server operators can be misused as agents of a DoS attack. For this, the attacker installs damaging software using known weak points. For this reason, the operators of the servers must configure the servers meticulously and securely. Network services that are not required are to be deactivated and those required secured; sufficient password and access protection, and timely alteration of (in particular preset) passwords, must be guaranteed.

7: Restrictive Granting of Rights and Logging

Through manipulation of servers, an attacker can misuse them as agents or restrict their efficiency. For this reason, all alterations to and all access to the server must be logged. Attention must be paid to restrictive granting of access rights to the users, to the use of the system resources made available, and to increased care in alterations to the configuration. At regular intervals, the file system is to be checked for integrity. If only static data is required, a manipulation-proof, read-only data medium can be used.

8: Use of Open Source Products

For the case that weak points are discovered for the first time which enable or facilitate a DoS attack, it is important that these can be eliminated quickly. Usually, such weak points in open-source software are eliminated appreciably more quickly than in products whose source code has not been published. Often, you can carry out the alterations in the source code yourself.

Measures for Content Providers

9: Selection of Suitable and IT-Security-Conscious Server Operators

The content providers should, through the selection of their server operator, work to the effect that the operator regards security and availability as a central feature of service. For this reason they should select a server operator who can demonstrate corresponding experience in the required Internet platforms and verify his efforts in the area of IT security, e.g. by means of an IT security concept.

10: Avoidance of Active Content

Many WWW pages on the Internet are at present only usable with browser settings that are questionable from a security point of view. An attacker can misuse this. Through conscious avoidance of security-critical techniques, content providers can contribute to there being no insecure settings on the clients.

11: Daily Checking of Files for Viruses and Attack Programs

Many content providers provide programs and documents on their WWW pages for downloading. If the attacker succeeds in introducing a Trojan horse, he is in a position to hope for great spread within a short period. Such a procedure is particularly enticing for attackers in the case of DoS attacks, as a large number of computers is required for an effective attack. The content providers should therefore check daily with special search programs whether programs with damage functions (viruses, Trojan horses, DoS programs) exist on their pages.

Measures for End-users

Computers of end-users are normally not the object of DoS attacks. However, these computers can be used in such a way that, in a first step, an attacker installs a program on them which then, remote-controlled, enables a DoS attack on any desired computer. For this reason, end-users can also make a contribution towards protection against DoS attacks.

12: Protection against Damage Programs

Computers of end-users can be misused as agents for attacks. Agents can be installed on individual computers most easily through viruses, Trojan horses or through active content (in particular ActiveX). For this reason, reliable and current virus protection and the switching off of active content in the browser are strongly recommended. Under certain circumstances, the use of auxiliary programs for on-line protection of the client (for example PC firewalls) can be considered.

Measures for All Target Groups

The measures recommended here are standard measures. Practice shows, however, that they are often not implemented, for various reasons.

13: IT Basic Protection for Computers with Internet Connection

Computers which possess an Internet connection should reach a reasonable level of security through consistent implementation of the IT basic protection measures contained in sections 6.1, 6.2, and 6.4 of the basic IT protection manual for networked systems, so that dangers can be counteracted.

14: Quick Transfer of Security Updates

New security-relevant weak points are discovered in operating systems and server software again and again, which a little later can be eliminated through updates (patches) from the manufacturer. To be able to react quickly, it is necessary to subscribe to and evaluate the mailing lists of the Computer Emergency Response Team (CERT), which announce relevant updates; these are to be transferred as quickly as possible to eliminate the weak points.

15: Use of Tools and Training of Staff

To protect a computer against risks and dangers, appreciable know-how is partly necessary for working out an effective IT security configuration. Administrators therefore have to be adequately trained and given further training. To support the administration tasks, security tools should be used.

This page is an outdated, user-generated website brought to you by an archive. It was mirrored from Geocities at the end of October, 2009.
