Denial of Service

A comparison of DoS schemes

Kevin LaMantia
COSC 316

Introduction

What DoS is
Symptoms of an attack
Methods of attack
Types of Attacks
How to defend
Conclusion

What is a Denial of Service attack?

An attack on a network that is designed to bring
the network to its knees by flooding it with
useless traffic
Two general forms of attacks:
1. Those that crash services
2. Those that flood services

Symptoms of a DoS Attack

United States Computer Emergency Readiness Team (US-CERT) lists possible
symptoms of a DoS attack:

Usually slow network performance

Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received (email bomb)
Disconnection of a wireless internet connection

DoS attacks can also lead to problems in the network branches around the actual
computer being attacked
Ex: The bandwidth of a router between the Internet and a LAN may be consumed by
an attack, compromising not only the intended computer, but also the entire network
or other computers on the LAN

Attacks can be very large and compromise Internet connectivity for an entire
geographical region

Methods of Attack
A DoS attack can be perpetrated in a number of ways, five
basic ways are:
1. Consumption of computational resources, such as
bandwidth, memory, disk space, or processor time
2. Disruption of configuration information, such as routing
information
3. Disruption of state information, such as unsolicited
resetting of TCP sessions
4. Disruption of physical network components
5. Obstructing the communication media between the
intended users and the victim so that they can no longer
communicate adequately

Methods of Attack Continued

A DoS attack may include execution of malware
intended to:
Max out the processors usage, preventing any work
from occurring
Trigger errors in the microcode of the machine
Trigger errors in the sequencing of instructions, so
as to force the computer into an unstable state or
lock-up
Exploit errors in the OS, causing resource starvation
Crash the OS itself

Different Types of Attacks

Smurf Attack
An attack in which large numbers of Internet
Control Message Protocol (ICMP) packets with the
intended victims spoofed source IP are broadcast
to a computer network using an IP Broadcast
address
Most devices on a network will respond, by default,
to the source IP address
If there are a lot of machines on a network, it will
cause the victims computer to be flooded with traffic

Ping of Death
A type of attack on a computer that involves
sending a malformed or otherwise malicious
ping to a computer
How it works:
Historically many computer systems couldnt
handle a ping packet, normally 56 bytes, larger
than the maximum IPv4 packet size of 65,535
bytes
This would cause the system to crash

Ping Flood
Based on sending the victim an overwhelming
number of ping packets, usually using the ping
command from Unix-like hosts
It is much less capable of overwhelming a target if
the attack comes from a Windows system
Does not allow packet sizes greater then 65500

Primary requirement to launch this attack

Having a greater bandwidth than the victim

Nuke
An old DoS attack that consisted of fragmented or invalid ICMP
packets sent to a target
Achieved by using a modified ping utility to repeatedly send this
corrupt data
Slowed down the affected computer until it comes to a complete
stop
Example:
WinNuke
Exploited a vulnerability in the NetBIOS handler in Windows 95
Locked up victims computer causing Blue Screen of Death

SYN Flood
An attack that sends a succession of SYN (Synchronize)
requests to a targets system in an attempt to consume
enough server resources to make the system unresponsive to
legitimate traffic
How it works:
It corrupts the TCP three-way handshake
Doesnt respond back to the client with the ACK code or
spoofing the source IP address in the SYN causing the server to
send the SYN_ACK to a false IP
Causes the server to wait for acknowledgement for some time
Causes congestion by using up resources until no new
connections can be made

Distributed DoS (DDoS)

Occurs when multiple systems flood the bandwidth or
resources of a targeted system
i.e., Botnet

Using multiple machines make it harder for to track

and shut down the attacker
Merely purchasing more bandwidth wont always work
for defense since the attacker might be able to add more
attack machines

A system may be compromised with a trojan, allowing

the attacker to download a zombie agent, or the trojan
may contain one

Distributed DoS continued

These collections of system compromisers are
known as botnets
Script kiddies use these to deny the availability
of well known websites to legitimate users
More sophisticated attackers could use DDoS for
the purposes of extortion
Video:
http://www.youtube.com/watch?v=0VutW15kEZ
M

How to Defend
Unfortunately, there are no effective ways to prevent
being the victim of a DoS or DDoS attack
There are steps you can take to reduce the likelihood
that an attacker will use your computer to attack other
computers
Install and maintain anti-virus software
Install a firewall, and configure it to restrict traffic
coming into and leaving your computer
Follow good security practices for distributing your
email address. Applying email filters may help you
manage unwanted traffic

Conclusion

What DoS is
The Symptoms of an attack
Methods of Attack
Different Types of Attacks
How to Defend from Attacks

Questions?

Works Cited
Google Ideas. (2013). Understanding Distributed Denial of Service
Attacks. Retrieved from Youtube.com: http://
www.youtube.com/watch?v=0VutW15kEZM
McDowell, M. (n.d.). Understanding Denial-of-Service Attacks.
Retrieved from US-CERT.gov: http://
www.us-cert.gov/ncas/tips/ST04-015
Webopedia. (n.d.). DoS attack. Retrieved from webopedia.com:
http://www.webopedia.com/TERM/D/DoS_attack.html
Wikipedia. (n.d.). Denial of Service. Retrieved from Wikipedia: http://
en.wikipedia.org/wiki/Denial-of-service_attack#Methods_of_attack