4.2 Denial-of-service attacks

4.2 Denial-of-service attacks

We have seen numerous news articles about the attacks on major web sites such as Yahoo and eBay. These premeditated attacks show the various weaknesses in the armor that surrounds many of the leading web sites on the Internet today. We see hackers taking down huge corporate web sites much like David took down Goliath. Yet, these DoS (denial-of-service) attacks are certainly not a new phenomenon. It is easy to overload a corporate switchboard, for example. Protestors will dial the target site's 800 phone number repeatedly and prevent the company from receiving legitimate business calls. The DoS can do the same thing. Actually, these incidents are but one form of a DoS attack. According to CERT, "A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service." [1]

One example of these DoS attacks includes flooding a network with bogus traffic. These attacks will prevent legitimate users from accessing the server. One simple but effective DoS attack was called the "Ping of Death." The Ping of Death was able to exploit a simple maintenance tool that is used to test IP networks. Using this tool, hackers would flood a network with large packet requests, causing a system to crash. Subsequently, the service would not be available. Following are some other examples of DoS attacks:

Tribe flood network

The Tribe Flood Network distributed a denial-of-service attack tool. http://www.securityfocus.com/templates/archive.pike?list=

1&date=1999-12-01&msg=Pine.GUL.4.20.9912071044490.9470- 100000@red7.cac.washington.edu


The WinArp/Poink denial-of-service attack involves the attacker sending very large amounts of ARP packets to the target machine. http://www.indy.net/~sabronet/dos/winarp.html

TCP SYN flooding and IP

This attack can overload TCP with its own handshake protocol. http://www.ciac.org/ciac/bulletins/g-48.shtml

Spoofing attack domain name system (DNS) query

This attack may allow remote denial-of-service attacks against target hosts whose IP addresses are spoofed in the DNS query. http://www.ciac.org/ciac/bulletins/j-063.shtml

WINDOWS NUKE (newk) OOB attack on port 139

Taking advantage of the Out of Bound (OOB) security hole on port 139. Also known as "Nuke aka Newk." The bug in both Win95 and NT makes almost any Windows OS running machine an easy target. http://www.cert.org/

The ping of death (ICMP attack)

The attacker will send a string of oversized packets to try to lock the target systems. Normally a ping packet's size is about 32 to 64 bytes. The "Ping of Death" is when you send a very large ping. Example: "ping -l 65510 host.ip.address"

Spamming/flaming (E-mail bombing)

This is actually very easy. Just send someone 10,000 messages each of 10 meg or more. This can screw up many different systems:

It can also overload the mail server and fill up the disks.

As you can see, hackers can take advantage of the systems and processes built into the TCP/IP architecture. Denial-of-service attacks are TCP/IP attacks (although not limited to just TCP/IP) designed to tie up your servers (or workstations) by sending a series of bogus requests. A well-directed denial-of-service attack is likely to have some impact on your computing business infrastructure, because at some point along your Internet defense, there will be a weakness that will accept these bogus requests.

So how do you keep the "bad dudes" from performing a DoS on your systems? First the bad news: There will always be new methods that hackers will find to attack your systems, so there is no one solution. There are some basic steps you can take to minimize disruptions from a DoS attack:

  1. Monitor the server's system performance metrics and determine normal operating activity for disk, CPU, and network traffic. Have a baseline of daily, monthly, and yearly activities levels. Also, implement real-time monitoring to detect any deviation from the defined baseline.

  2. Monitor the disk space limits and amount of messages that travel through your network or gateways (more on messaging security in a later chapter).

  3. Review the various advisories, including CERT and your software vendors. This review should include keeping up with the maintenance releases from your O/S vendors and/or other software vendors.

  4. There are several products on the market that can analyze network traffic and determine if a DoS is occurring. See your router hardware vendor for this type of software/hardware.

  5. Work with your ISP and see if they have any tools or processes that can detect or deter the DoS attacks.

  6. Log and report the DoS attacks, including the DoS attacks as part of your incident handling processes. Record the following information:

    1. The time of the attack

    2. Your own IP address at the time of attack

    3. The attacker's IP address if possible

    4. What domain the attacker's IP address is from

  7. Contact your SP for help and have them advise you of your rights in this matter. [2]


[2]See http://www.cert.org/tech_tips/denial_of_service.html#3A2 for more information.

Internet Security(c) A Jumpstart for Systems Administrators and IT Managers
Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net