14.6. DoS and DDoS Attacks

One of the most destructive attacks is the DoS attack. In my opinion, this is the stupidest thing that hackers could come up with. When they cannot break into a server, they try to put it out of commission by various methods, including flooding its communication links with junk traffic.

As you should remember, the idea of a DoS attack is to make the server unavailable to legitimate clients. There are various ways of achieving this, and the main ones are considered in this section. A DDoS attack is the same attack carried out from many computers at once, which makes the traffic far harder to filter by its source.

The worst thing about these attacks is that sometimes it is impossible to protect against them, especially against the DDoS variety. If the number of requests a server receives exceeds the number it can handle, it stops serving further requests and may even crash. Imagine all computers on the planet addressing the most powerful server (a server cluster) at the same time. No communications channel has the bandwidth to carry that many connections, so even such powerful sites as www.yahoo.com and www.google.com would not cope with the flood, or rather their data links would not, and users trying to reach the site would be unable to.

The following are short descriptions of the main DoS and DDoS attacks and ways of protecting against them.

14.6.1. Ping of Death

You already know that the ping utility checks connectivity with remote systems using ICMP. When the system being tested receives an ICMP echo request, it has to answer with an ICMP echo reply.

Some operating systems could not handle certain malformed ping packets. The developers of the IP stacks never anticipated that ICMP would be used in ways other than intended and took no steps to protect against it. In particular, the 16-bit length field of the IP header limits a datagram to 65,535 bytes, and the implementers relied on senders to respect that limit. That reliance turned out to be misplaced and resulted in the Ping of Death attack: an echo request is sent as a series of IP fragments whose offsets and lengths add up to more than 65,535 bytes, which no single packet could carry. A kernel that reserved a 64-KB buffer for reassembly wrote past its end when the last fragment arrived, and the server crashed or hung. Thus, this is essentially a variety of the buffer-overflow attack.

The real defense is a kernel that checks fragment offsets and lengths during reassembly: all new operating systems and appropriately patched older ones are not susceptible to this attack. For a system that cannot be patched, a firewall configured to drop inbound ICMP echo requests (or fragmented ICMP altogether) is a stopgap.

14.6.2. ICMP Flood

Another variety of the DoS attack is the ICMP flood, in which, as the name suggests, the attacker simply floods the target with ICMP packets. In principle the perpetrator needs a channel only half the bandwidth of the attacked system's, because every echo request provokes an echo reply of the same size.

Thus, to fully load a 64-Kb/sec channel, hackers need only a 32-Kb/sec channel. The attack is carried out by sending an uninterrupted stream of ping packets to the server. (Hackers who want to remain anonymous forge the source address of the packets; the replies then go to the forged address rather than back to them.) If hackers load 32 Kb/sec of the server's bandwidth with ping requests, the other half is consumed by the server's replies, effectively taking the service out of commission and making it unavailable to legitimate requests. Note that this arithmetic assumes a half-duplex link or a traffic quota: on a full-duplex link the requests fill the inbound direction and the replies the outbound one, and saturating the inbound side takes a channel as wide as the victim's.

The defense against this attack is the same as against the Ping of Death attack: drop or rate-limit inbound ICMP echo requests. This causes little inconvenience, because incoming pings are not really necessary for a public server. Do not block ICMP wholesale, however: the destination-unreachable message "fragmentation needed" (type 3, code 4) is required for path MTU discovery, and filtering it breaks connections that need to send large packets.
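The following is an added example, not code from the book: a small inspector that applies the two checks from 14.6.1 and 14.6.2 to raw IPv4 packets, flagging a fragment whose offset plus length runs past the 65,535-byte limit (Ping of Death) and a source that sends more than a threshold of echo requests per second (ICMP flood). The packets, addresses and the 100-per-second threshold are constructed for the demonstration.

```python
"""Added example, not from the book: a small IPv4/ICMP inspector that applies the
two checks discussed in 14.6.1 and 14.6.2 to raw packets from a capture.
  1. Ping of Death: a fragment whose (offset + payload length) exceeds the
     65,535-byte IPv4 maximum would overflow a naive reassembly buffer.
  2. ICMP flood: more than RATE_LIMIT echo requests per second from one source.
The packets, addresses and the 100 pps threshold are constructed for the demo.
"""
import struct
from collections import defaultdict, deque

IPV4_MAX = 65535           # largest datagram the 16-bit total-length field allows
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
RATE_LIMIT = 100           # echo requests per source per one-second window (assumed)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the header fields the checks need out of a raw IPv4 packet."""
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, _dst = \
        IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ".".join(str(b) for b in src),
        "proto": proto,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "payload": pkt[ihl:total_len],
    }


def is_ping_of_death(hdr: dict) -> bool:
    """True if reassembling this fragment would run past the 65,535-byte limit."""
    return hdr["frag_offset"] + len(hdr["payload"]) > IPV4_MAX


class EchoRateMonitor:
    """Sliding one-second window of echo-request timestamps per source address."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = 1.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def observe(self, src: str, ts: float) -> bool:
        """Record one echo request; return True once src exceeds the limit."""
        q = self.seen[src]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def inspect(packets) -> list:
    """packets: iterable of (timestamp, raw IPv4 bytes). Returns one alert per finding."""
    monitor, flooding, alerts = EchoRateMonitor(), set(), []
    for ts, raw in packets:
        hdr = parse_ipv4(raw)
        if is_ping_of_death(hdr):
            end = hdr["frag_offset"] + len(hdr["payload"])
            alerts.append(f"ping-of-death fragment from {hdr['src']}: ends at byte {end}")
        # Only the first fragment carries the ICMP header; later ones are covered above.
        if hdr["proto"] == PROTO_ICMP and hdr["frag_offset"] == 0 and len(hdr["payload"]) >= 8:
            if hdr["payload"][0] == ICMP_ECHO_REQUEST and monitor.observe(hdr["src"], ts):
                if hdr["src"] not in flooding:          # report each flooding source once
                    flooding.add(hdr["src"])
                    alerts.append(f"icmp flood from {hdr['src']}: over {RATE_LIMIT}/s at t={ts:.2f}s")
    return alerts


def build_ipv4(src: str, proto: int, payload: bytes, frag_offset: int = 0, more: bool = False) -> bytes:
    """Assemble a raw IPv4 packet for the sample capture (checksum left at zero)."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 1, flags_frag, 64, proto, 0,
                        bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    return hdr + payload


def echo_request(src: str, seq: int = 0) -> bytes:
    """A 64-byte ICMP echo request (type 8) like the one ping sends."""
    return build_ipv4(src, PROTO_ICMP, struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, seq) + b"x" * 56)


def sample_capture() -> list:
    """Constructed traffic: one normal ping, a 200 pps flood for 2 s, and the last fragment of an oversized ping."""
    pkts = [(0.0, echo_request("192.0.2.10"))]
    pkts += [(i / 200, echo_request("198.51.100.7", i)) for i in range(400)]
    # Final fragment at offset 65,472 with 100 bytes of data: the datagram would be 65,572 bytes.
    pkts.append((2.5, build_ipv4("203.0.113.9", PROTO_ICMP, b"\x00" * 100, frag_offset=65472)))
    return pkts


if __name__ == "__main__":
    for alert in inspect(sample_capture()):
        print(alert)
```

Run against the constructed capture, the inspector reports the flood from 198.51.100.7 once it passes 100 requests within a second, and the fragment from 203.0.113.9 whose end lands at byte 65,572. A real deployment would feed it packets from a capture library instead of the constructed list.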

14.6.3. TCP SYN

The number of connections that most servers can open is limited. In some cases this comes from limitations of the technology used, but it can also be a software limit imposed by the configuration settings of a particular server.

The attack's essence consists of sending the server numerous TCP packets with the SYN flag set, usually with forged source addresses. A SYN is the first packet of the three-way handshake: the server answers it with SYN/ACK and keeps a half-open entry until the client's ACK arrives, which for a forged source never does. Once the limit on the number of half-open connections is reached, the server stops responding to requests for new connections.

This sort of attack is hard to defend against by your own means. You cannot have the firewall prohibit SYN packets, because every legitimate connection begins with one; at best it can drop SYNs above a rate limit.

As a temporary solution, the size of the half-open connection queue can be increased in the configuration (in Linux, the net.ipv4.tcp_max_syn_backlog sysctl). This adds little load, because half-open connections are only initialized and generate no requests or traffic. But the number of half-open connections is not always controlled by a configuration file and may be hard-set by the software.

Another way to fight off this attack is to decrease the timeout for half-open connections. Some programs allow it to be changed through a parameter in the configuration file; in Linux it is governed by net.ipv4.tcp_synack_retries, the number of times the SYN/ACK is retransmitted before the entry is discarded. Decreasing the timeout to 10 seconds does not make the flood impossible, but it makes it more expensive: old entries leave the queue sooner, so the attacker has to send SYNs faster to keep it full. For a queue of N entries and a timeout of T seconds the required rate is about N/T per second, so cutting T from 60 to 10 seconds raises the price sixfold. This may create problems for legitimate users on slow or lossy links, who may have to try several times to connect, but at least the server will not be paralyzed and will remain mostly functional.

The best defense can only be implemented programmatically. At the least, the program should offer options to change the size of the half-open queue and the timeout for half-open connections. It should also allow the number of simultaneous connections from one IP address to be limited, although this helps only against attackers who do not forge their source addresses. Modern kernels go further with SYN cookies (in Linux, net.ipv4.tcp_syncookies = 1): the connection state is encoded in the SYN/ACK sequence number and nothing is stored until the client's ACK arrives, so the half-open queue can no longer be exhausted.
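To make the queue-size and timeout arithmetic of this section concrete, here is an added model of the half-open queue (example code, not from the book). The queue size, timeouts and attack rates are assumed for the demonstration and are not Linux defaults.

```python
"""Added example, not from the book: a model of the TCP half-open (SYN_RECV) queue
that makes the arithmetic of 14.6.3 concrete.  A queue of `capacity` slots, each
held for `timeout` seconds, is kept permanently full by roughly capacity/timeout
spoofed SYNs per second; shortening the timeout raises that price but does not
remove it.  The queue size, timeouts and attack rates are assumed for the
demonstration, not Linux defaults.
"""
from collections import deque
from fractions import Fraction


class HalfOpenQueue:
    """Connections that have been sent a SYN/ACK and are waiting for the client's ACK."""

    def __init__(self, capacity: int, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = deque()          # (expiry time, source address), oldest first

    def _expire(self, now) -> None:
        # All entries share one timeout, so they expire in arrival order.
        while self.entries and self.entries[0][0] <= now:
            self.entries.popleft()

    def syn(self, src: str, now) -> bool:
        """Handle one SYN: True if a slot was allocated, False if it had to be dropped."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries.append((now + self.timeout, src))
        return True

    def __len__(self) -> int:
        return len(self.entries)


def syns_per_second_to_fill(capacity: int, timeout: float) -> float:
    """Sustained SYN rate above which the queue never has a free slot."""
    return capacity / timeout


def legit_client_admitted(capacity: int, timeout: int, attack_pps: int,
                          flood_seconds: int = 100) -> bool:
    """Flood the queue with spoofed SYNs at attack_pps for flood_seconds, then let a
    legitimate client send its SYN midway between two attacker packets.  Times are
    exact fractions so the result does not depend on floating-point rounding."""
    q = HalfOpenQueue(capacity, Fraction(timeout))
    for i in range(flood_seconds * attack_pps + 1):
        q.syn("spoofed", Fraction(i, attack_pps))     # forged source: the ACK never comes
    return q.syn("client", flood_seconds + Fraction(1, 2 * attack_pps))


if __name__ == "__main__":
    for timeout in (60, 10):
        need = syns_per_second_to_fill(1024, timeout)
        print(f"timeout {timeout:>2}s: a 1024-entry queue stays full above {need:.1f} SYN/s")
        for pps in (20, 150):
            verdict = "admitted" if legit_client_admitted(1024, timeout, pps) else "dropped"
            print(f"   attacker at {pps:>3} SYN/s -> legitimate client {verdict}")
```

With a 1024-entry queue, 20 spoofed SYNs per second are enough to lock out the client at a 60-second timeout but not at 10 seconds, where the attacker needs more than 102 per second; 150 per second defeats both settings, which is why the timeout is only a mitigation and SYN cookies are the real fix.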

14.6.4. TCP Flood

This attack is similar to the ICMP flood. If a hacker is not smart enough to find a vulnerability in the system, he or she may decide to flood the server with junk TCP packets. Junk TCP is sometimes less efficient than ICMP: whereas a pinged server must answer every echo request with an echo reply, a TCP packet that belongs to no connection draws at most a small RST, and often no reply at all. Consequently, the hacker's channel must be as wide as, or wider than, that of the system being attacked.

Using HTTP, attackers can overload a server even when their own link is narrower than the target's. This is achieved by sending requests that are cheap to send but expensive to serve. For example, a server can be overloaded by hitting its search system with a large number of queries for especially popular words. If the search scripts are not programmed efficiently, processing these requests takes long enough to make the server unavailable for other requests.

HTTP can also be used to flood a server with requests to download a large file. Combined with ineffective caching, this can make the server unable to service legitimate requests.

But TCP has an advantage for the attacker. In most networks, outside ICMP traffic is blocked by firewalls, but TCP traffic to public resources cannot be blocked if those resources are to remain available to the public.

It is impossible to pull off a successful flood of this kind against a powerful server from a single computer, but it is quite possible with a large number of computers.
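Against the expensive-request variant described above, counting requests per client is not enough, because a handful of searches per second costs more than hundreds of static fetches. The following added example (not from the book) limits clients by estimated server cost instead; the endpoint costs, bucket parameters and request log are assumed for the demonstration.

```python
"""Added example, not from the book: an application-level limiter for the attack
described in 14.6.4, where a client on a narrow link overloads the server with
a few requests that are expensive to serve rather than many cheap ones.  Each
client gets a token bucket measured in estimated server cost: a request is
served only if the bucket holds its cost, and the bucket refills at a fixed
number of cost units per second.  The endpoint costs, bucket parameters and
the request log are assumed for the demonstration.
"""
from collections import defaultdict

# Estimated cost of serving each endpoint, in arbitrary server units (assumed).
REQUEST_COST = {"/": 1, "/static/logo.png": 1, "/search": 25, "/download/iso": 40}
DEFAULT_COST = 5            # for paths not listed above
BUCKET_CAPACITY = 60        # cost units one client may spend in a burst
REFILL_PER_SECOND = 10      # cost units a client earns back every second


class CostLimiter:
    """Per-client token bucket that charges by request cost, not request count."""

    def __init__(self, capacity: float = BUCKET_CAPACITY, refill: float = REFILL_PER_SECOND):
        self.capacity, self.refill = capacity, refill
        self.buckets = {}                       # client -> (tokens, time of last update)

    def admit(self, client: str, path: str, now: float) -> bool:
        """True if the request may be served; False means answer 503 without doing the work."""
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = REQUEST_COST.get(path, DEFAULT_COST)
        admitted = tokens >= cost
        self.buckets[client] = (tokens - cost if admitted else tokens, now)
        return admitted


def replay(log, limiter=None) -> dict:
    """Run (time, client, path) records through the limiter; return {client: [admitted, rejected]}."""
    limiter = limiter or CostLimiter()
    stats = defaultdict(lambda: [0, 0])
    for now, client, path in sorted(log):
        stats[client][0 if limiter.admit(client, path, now) else 1] += 1
    return dict(stats)


def sample_log() -> list:
    """Constructed: a reader fetching 5 cheap pages/s and an attacker sending 2 searches/s, for 10 s."""
    reader = [(i / 5, "192.0.2.10", "/" if i % 2 else "/static/logo.png") for i in range(50)]
    attacker = [(i / 2, "198.51.100.7", "/search") for i in range(20)]
    return reader + attacker


if __name__ == "__main__":
    for client, (ok, dropped) in replay(sample_log()).items():
        print(f"{client:>14}: {ok} served, {dropped} rejected")
```

On the constructed log the reader's 50 cheap requests are all served, while the attacker, sending only two searches per second (a rate no request counter with a sensible threshold would flag), gets 6 of 20 served: after the initial burst the bucket admits one 25-unit search per 2.5 seconds, which is exactly the 10 units per second the server was budgeted to spend on that client.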

14.6.5. UDP

Bugs in UDP programs are especially dangerous, because this protocol establishes no connection. It simply sends datagrams into the network and has no mechanism for verifying where they came from. Forging the source address in TCP is hard, because the attacker must complete the handshake without seeing the server's sequence number; forging it in UDP is trivial, since the first datagram is already the request.

Fortunately, UDP is seldom needed on public servers (DNS being the notable exception), and it can be prohibited by appropriate firewall settings. If the protocol is necessary, protection can only be implemented in the program by authenticating the received datagrams, for instance with a message authentication code under a key shared with legitimate senders, together with a sequence number so that captured datagrams cannot be replayed.
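The following added example (not from the book) shows what such a programmatic authenticity check looks like: each datagram carries a sender id, a sequence number and an HMAC-SHA256 tag under a shared key, and the receiver rejects forged, tampered and replayed datagrams. The wire format, the key and the sample exchange are assumed for the demonstration.

```python
"""Added example, not from the book: the application-level authenticity check
that 14.6.5 says a UDP program has to provide for itself.  Every datagram
carries a sender id, a sequence number and an HMAC-SHA256 tag computed over
all of it under a key shared with that sender.  The receiver drops datagrams
whose tag does not verify (forged source or modified contents) and datagrams
whose sequence number was already seen or is too old (replay of a captured
datagram).  The wire format, key and sample datagrams are assumed.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!HQ")      # sender id (16 bits), sequence number (64 bits)
TAG_LEN = 16                       # HMAC-SHA256 truncated to 128 bits
REPLAY_WINDOW = 64                 # how far out of order a datagram may arrive


def seal(key: bytes, sender_id: int, seq: int, payload: bytes) -> bytes:
    """Build an authenticated datagram: header || payload || tag."""
    body = HEADER.pack(sender_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Accepts datagrams only from known senders, and each datagram only once."""

    def __init__(self, keys: dict):
        self.keys = keys          # sender id -> shared key
        self.windows = {}         # sender id -> (highest seq seen, bitmap of seen seqs below it)

    def unseal(self, datagram: bytes):
        """Return the payload if the datagram is authentic and fresh, otherwise None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        sender_id, seq = HEADER.unpack_from(body)
        key = self.keys.get(sender_id)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        if not self._fresh(sender_id, seq):          # checked after the tag, so a forgery
            return None                              # cannot disturb the replay window
        return body[HEADER.size:]

    def _fresh(self, sender_id: int, seq: int) -> bool:
        """Sliding-window replay check: bit k of the bitmap marks sequence (highest - k)."""
        highest, seen = self.windows.get(sender_id, (-1, 0))
        if seq > highest:
            shift = seq - highest
            if shift < REPLAY_WINDOW:
                seen = ((seen << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            else:
                seen = 1                             # everything older falls out of the window
            self.windows[sender_id] = (seq, seen)
            return True
        behind = highest - seq
        if behind >= REPLAY_WINDOW or (seen >> behind) & 1:
            return False                             # too old, or already accepted once
        self.windows[sender_id] = (highest, seen | (1 << behind))
        return True


def demo() -> list:
    """Constructed exchange: one sensor (id 7) and a receiver that knows its key."""
    key = b"constructed-demo-key-do-not-reuse"
    rx = Receiver({7: key})
    results = []
    genuine = seal(key, 7, 1, b"temp=21.5")
    results.append(rx.unseal(genuine))                        # accepted
    results.append(rx.unseal(genuine))                        # same datagram replayed: dropped
    results.append(rx.unseal(seal(b"guessed-key", 7, 2, b"temp=99.9")))   # spoofed source: dropped
    tampered = bytearray(seal(key, 7, 3, b"temp=21.6"))
    tampered[HEADER.size] ^= 0x01                             # one payload bit flipped in transit
    results.append(rx.unseal(bytes(tampered)))                # tag no longer matches: dropped
    results.append(rx.unseal(seal(key, 7, 0, b"temp=21.4")))  # genuine, arrived late but in window: accepted
    return results


if __name__ == "__main__":
    for outcome in demo():
        print("dropped" if outcome is None else f"accepted {outcome!r}")
```

The tag is verified before the sequence number is looked at, so an attacker who can spoof the source address but does not hold the key can neither inject data nor advance the replay window; the window itself is the same idea IPsec uses for ESP sequence numbers.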

14.6.7. DDoS Attack

It can be said that the DoS attacks with a future are DDoS attacks. Bugs that allow a server to be disabled with a few packets are getting fewer every day, because programmers devote more attention to security when writing network programs. But DDoS attacks do not rely that much on bugs, and there is no really effective and universal defense against them.

However, a really massive DDoS attack is difficult to implement, and large companies once thought such attacks practically impossible. Even the largest hacker group with the widest channels cannot approach the resources of servers such as www.yahoo.com or www.microsoft.com. But where there is a will, there is a way, and hackers keep coming up with new tricks.

An excellent example of a successful DDoS attack is the one carried out by the MyDoom worm. Starting on February 1, 2004, its payload attacked the site of the SCO Group from numerous infected Internet computers. Some time later, a similar attack on the Microsoft site was attempted using the MyDoom.B variant. The second attack was less effective; I say this because there were fewer computers infected with this worm on the Internet, and the worm's code was far from the ideal.

DDoS attacks are often carried out from powerful zombied machines with wide channels, which gives hackers all the resources a successful DDoS needs.

We can expect new, more effective, and original DDoS attacks in the future. An administrator alone is nearly powerless to prevent such attacks; here upstream providers and law-enforcement agencies have to step in.

14.6.8. Effective DoS Attack

If you consult Bugtraq regularly, you will notice that bugs usable for DoS attacks crop up in network programs all the time. They are often of the buffer-overflow type and can be used to disable a server.

The buffer-overflow issue was covered in Section 14.2, where you saw that a kernel patched to prohibit executing code on the stack stops many of these bugs from being turned into code execution without waiting for the software to be fixed. For DoS purposes that protection helps less than one might hope: the overflow still corrupts the stack and the process crashes, so the service stays down until the bug itself is patched.

A strange thing is that the number of bugs does not decrease with time. Identical errors can be found in different programs, sometimes committed by the same programmers. Buffer-overflow problems are described in voluminous literature, yet programmers continue to make the same old mistakes. This is telling of the low quality of programmer education.

I believe that the low quality of software is due to outsourcing programming, especially to underdeveloped countries. The general education level in many of these countries is low, and many workers are ready to work for low wages. Software-developing companies are attracted by the low-wage factor but overlook the poor-education one. As a result, administrators constantly have to deal with the same problems in different software.

The problem can be solved if software-developing companies start to use higher-quality human resources.

Linux is an open-source operating system, and any programmer can make changes to it. Back when Linux was being developed by many different enthusiasts, it contained many bugs because of the lack of systematic quality control.

Currently, few distributions are created by hodgepodge efforts. Programmers who wanted to produce quality software have organized companies and instituted strict quality control. Now changes proposed by a lone programmer make it into an official distribution only if the distribution's developer decides that the code is safe and useful. This contributes to the overall reliability of Linux; however, the reliability of a distribution does not extend to each of its individual components.

14.6.9. DoS and DDoS Defense

As usual, the most effective defense against DoS attacks based on software bugs is updating software regularly. But attacks directed at overloading server resources are difficult to defend against. Still, you can make it more difficult for the hacker.

First, the server's weakest point has to be determined. This is done by driving the server to its maximum workload, either by recruiting lots of users to access it as frequently as possible or by running a load-generating program that emulates them.

When the computer is working at the maximum workload, check which resources are in short supply. Take note of the following aspects:

  • The network's bandwidth

  • The bandwidths of the network equipment

  • The processor workload

  • The hard-drive workload

  • The operating memory workload

Determine the spots in your system that can become bottlenecks, and take steps to fortify them. It would make no sense to build up your external communication channels to 100-Mb/sec bandwidth if your local network works only at 10 Mb/sec. Hitting the server with 10 Mb/sec of traffic will consume all your local network resources no matter how wide your outside channel is. This is why it is so important to determine the potential bottlenecks in your system.

Configure your network interfaces and the operating system for maximum performance (see Section 14.11). This means there should be no waste of resources, especially network resources. The cost of processing network traffic, and the traffic itself, can be reduced by filtering unneeded ICMP traffic such as inbound echo requests, while keeping the ICMP error messages that TCP depends on.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141