To be able to perform, find, or protect against DoS activities, you must first understand the basic principles and types of these attacks. Three main types of DoS attacks exist:
Consumption of resources, such as bandwidth, hard disk space,
CPU resources, and so on
Disruption of configuration information, routing, DNS, and other information
Direct disruption of network communication between the client and the server
As information about common DoS attacks has been mentioned in many other Hacking Exposed books, we'll only briefly describe these types of DoS attacks and will then move on to spend more time on Cisco-centric issues. We'll also include details on the methods of stopping DoS attacks on the perimeter of your network using built-in functions of Cisco devices.
The bandwidth consumption attack is the most common type of DoS in the world. Many Internet companies such as Yahoo!, eBay, Microsoft, Amazon, and others have experienced downtime and financial losses due to this type of attack.
This type of attack makes up the majority of distributed denial of service (DDoS) attacks, as well as the early DoS methods of using ping -f floods by attackers with larger Internet pipes than those of their targets. These attacks are more difficult, and sometimes even impossible , to mitigate due to the nature of the protocols on which the Internet is built. However, efficient means of traffic rate control have been implemented by Cisco Systems for routers, and we will review these methods in this chapter. CPU resource consumption attacks can be the result of programming flaws found in the TCP/IP stack, server-side services, and other network-interacting software to which attackers can connect. These attacks can usually be rectified by patching the buggy software code using vendor patches. Hard disk space consumption occurs when the software or service is tricked into storing excessive amounts of information on the server's storage facility, thus consuming all available storage resources and memory. This will most likely lead to a denial of services for legitimate users and can be rectified by cleaning up the disk space, fixing the buggy software code, and/or rebooting the server. An example of such an attack is the flooding of an unauthenticated syslog server (usually found on port 514/UDP) by junk messages. An attacker can send any information to that port and it will be stored in the system log files. Depending on the attacker's bandwidth and the storage available, this method can be effective in disabling the logging facilities of the server or even the entire enterprise, making attacker tracing and prosecution a very difficult task.
This type of attack is less common than bandwidth consumption; however, such an attack can affect many users, organizations, and, if properly launched, even entire countries or continents. For instance, the DNS entry of a company or an entire country can be altered or diverted to a different location or to /dev/null , thus disabling connectivity of the targeted networks for the duration of the attack. The motives behind this type of attack are usually political or corporate in nature. Another example of such an attack can be discovered when an attacker fiddles with the routers responsible for Border Gateway Protocol (BGP) routing updates; this can easily bring a large chunk of the Internet to its knees with only a few packets. This type of attack is reviewed in the final chapter of this book, where we cover BGP security issues.
This type of attack causes a disruption of established communication channels between the client and server. A typical attack would involve resetting a management TCP session to the device, such as a PIX firewall, to stop a system administrator from reconfiguring the device to counter a different attack. These attacks are usually possible due to a system software fault and can be rectified by applying a vendor patch.