Denial of Service Attacks
Definition: Denial of Service. A cracker attack that overloads a server to the point that it no longer responds or shuts down completely, typically by flooding a network or an individual server with huge amounts of data packets.
How it Works
In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and is then allowed onto the server. In a denial of service attack, the user sends many authentication requests to the server, filling it up. All requests carry false return addresses, so the server can’t find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again, tying up the service indefinitely.
Types of Attacks
I. Operating System Attacks
These attacks exploit bugs in a specific operating system, which is the basic software that your computer runs, such as Windows 98 or MacOS. In general, when these problems are identified, they are promptly fixed by the vendor, such as Microsoft. So as a first step, always make sure you have the very latest version of your operating system, including all bug fixes. All Windows users should regularly visit Microsoft’s Windows Update site, which automatically checks to see whether you need any updates.
II. Networking Attacks
These attacks exploit inherent limitations of networking to disconnect you from the IRC server or your ISP, but they don’t usually cause your computer to crash. Sometimes it doesn’t even matter what kind of operating system you use, and you cannot patch or fix the problem directly. The attacks on Yahoo and Amazon were large-scale networking attacks, and they demonstrate that nobody is safe against a very determined attacker. Network attacks include ICMP flood (ping flood) and ‘smurf’, which are outright floods of data to overwhelm the finite capacity of your connection; spoofed unreach/redirect, a.k.a. ‘click’, which tricks your computer into thinking there is a network failure so that it voluntarily breaks the connection; and a whole new generation of distributed denial of service attacks (although these are seldom used against individuals).
III. SYN Attack
When a session is initiated between the TCP client and server in a network, a very small buffer space exists to handle the usually rapid “hand-shaking” exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer, so that other, legitimate connection requests can’t be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate session requests to get established. How serious this is depends in general on the operating system providing correct default settings, or allowing the network administrator to tune the size of the buffer and the timeout period.
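The tuning point at the end of that paragraph, buffer size and timeout period, can be seen with a small simulation. The Python below is an added example, not code from the article; HalfOpenBuffer, legit_success_rate and every rate, capacity and timeout in it are constructed parameters for illustration, not measurements of any real system.

```python
"""Added example (not from the article): a toy model of the half-open
connection buffer described above, used to see how backlog size and the
timeout period decide whether bogus connection requests crowd out real ones.
All rates, sizes and timeouts are constructed parameters, not measurements."""
import heapq


class HalfOpenBuffer:
    """Fixed-capacity table of half-open sessions; entries expire after a timeout."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # how many half-open sessions the OS keeps
        self.timeout = timeout        # seconds an unanswered SYN-ACK stays queued
        self.expiry = []              # min-heap of expiry times, one per occupied slot

    def _drop_expired(self, now):
        while self.expiry and self.expiry[0] <= now:
            heapq.heappop(self.expiry)

    def admit(self, now, held_for):
        """Try to queue a SYN arriving at `now`; the slot is held for `held_for` seconds.
        Returns True if a slot was free, False if the request had to be dropped."""
        self._drop_expired(now)
        if len(self.expiry) >= self.capacity:
            return False
        heapq.heappush(self.expiry, now + held_for)
        return True


def legit_success_rate(capacity, timeout, bogus_per_sec, legit_per_sec,
                       duration=60.0, legit_rtt=0.1):
    """Fraction of legitimate SYNs that find a free slot during `duration` seconds.

    Bogus SYNs carry forged source addresses, so nobody ever answers the
    SYN-ACK and their slot stays occupied until `timeout`. A real client
    answers after `legit_rtt` seconds and its slot is then freed."""
    buf = HalfOpenBuffer(capacity, timeout)
    events = [(i / bogus_per_sec, "bogus") for i in range(int(duration * bogus_per_sec))]
    events += [(i / legit_per_sec, "legit") for i in range(int(duration * legit_per_sec))]
    events.sort()
    admitted = attempted = 0
    for when, kind in events:
        if kind == "bogus":
            buf.admit(when, buf.timeout)          # never answered: held until timeout
        else:
            attempted += 1
            admitted += buf.admit(when, legit_rtt)  # answered quickly: slot recycled
    return admitted / attempted


if __name__ == "__main__":
    # Small buffer with a long timeout: the forged requests fill it within
    # seconds and most real clients are turned away afterwards.
    print("capacity 128, timeout 75s:", legit_success_rate(128, 75.0, 10, 5))
    # Larger buffer plus a short timeout: bogus entries are recycled faster
    # than they arrive and every legitimate request gets through.
    print("capacity 1024, timeout 3s: ", legit_success_rate(1024, 3.0, 10, 5))
```

With the first setting only the requests that arrive before the buffer fills (roughly the first 13 seconds) succeed; with the second, the bogus entries time out faster than they accumulate and the buffer never fills. The model ignores retransmissions and real network timing, so treat the numbers as a shape, not a forecast.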
IV. Teardrop Attack
This type of denial of service attack exploits the way IP requires that a packet too large for the next router to handle be divided into fragments. Each fragment identifies an offset from the beginning of the original packet, which enables the receiving system to reassemble the whole packet. In the teardrop attack, the attacker puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
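Having "a plan for this situation" means validating every fragment offset before any data is copied. The Python below is an added example, not code from the article: a small IPv4 fragment parser and reassembler that rejects overlapping or out-of-range offsets instead of trusting them. The make_fragment helper, the sample addresses and all packets it builds are constructed test data.

```python
"""Added example (not from the article): a defensive IPv4 fragment
reassembler that checks every fragment offset before copying data, so an
inconsistent (overlapping or out-of-range) offset of the kind the teardrop
attack relied on is rejected instead of corrupting memory. The header
builder and all packets below are constructed test data."""
import struct

MAX_DATAGRAM = 65535   # largest IPv4 datagram, header included
IP_MF = 0x2000         # "more fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF    # 13-bit fragment offset, counted in 8-byte units


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled consistently."""


def parse_fragment(packet):
    """Return (offset_in_bytes, payload, more_fragments) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise FragmentError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    frag_field = struct.unpack("!H", packet[6:8])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise FragmentError("inconsistent header/total length")
    offset = (frag_field & IP_OFFMASK) * 8
    return offset, packet[ihl:total_len], bool(frag_field & IP_MF)


def reassemble(packets):
    """Rebuild the original payload from fragment packets, in any arrival order.

    Every fragment must start exactly where the previous one ended and the
    whole datagram must fit in MAX_DATAGRAM; anything else is a FragmentError."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f[0])
    data = bytearray()
    expected = 0            # byte offset the next fragment must begin at
    finished = False
    for offset, payload, more in frags:
        end = offset + len(payload)
        if finished:
            raise FragmentError(f"fragment at {offset} after the final fragment")
        if 20 + end > MAX_DATAGRAM:
            raise FragmentError(f"fragment {offset}-{end} exceeds maximum datagram size")
        if offset < expected:   # teardrop case: offset points back into data already placed
            raise FragmentError(f"fragment at {offset} overlaps data up to {expected}")
        if offset > expected:
            raise FragmentError(f"missing data between {expected} and {offset}")
        data += payload
        expected = end
        finished = not more
    if not finished:
        raise FragmentError("final fragment (MF=0) never seen")
    return bytes(data)


def fragments_consistent(packets):
    """Convenience check: True if the set reassembles cleanly, False otherwise."""
    try:
        reassemble(packets)
        return True
    except FragmentError:
        return False


def make_fragment(offset, payload, more):
    """Build a minimal 20-byte IPv4 header plus payload (constructed test packets)."""
    if offset % 8:
        raise ValueError("fragment offsets are multiples of 8 bytes")
    frag_field = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, frag_field,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


if __name__ == "__main__":
    good = [make_fragment(0, b"A" * 16, True), make_fragment(16, b"B" * 8, False)]
    print("well-formed set:", fragments_consistent(good))        # True
    # Second fragment claims to start inside data the first already covers.
    overlap = [make_fragment(0, b"A" * 24, True), make_fragment(16, b"B" * 8, False)]
    print("overlapping set:", fragments_consistent(overlap))      # False
```

A real reassembler keeps partial state per (source, destination, id, protocol) and waits for late fragments rather than failing on a gap; this example sorts a complete set first so the offset checks stand out. The checksum is left at zero because nothing here verifies it.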
How to Block a DOS Attack
One of the more common methods of blocking a “denial of service” attack is to set up a filter, or “sniffer,” on a network before a stream of information reaches a site’s Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.
Today most firewalls, whether software or dedicated hardware, contain measures to prevent DOS attacks. The prevention works like this: the firewall receives the SYN packet and immediately checks whether it is coming from a legitimate IP address. If the source of the SYN packet is legitimate, the firewall forwards the request on to the server for normal processing. If the SYN packet is from a bogus IP address, or if the requests fit a certain kind of pattern, the firewall rejects the request, and the server never even sees the request or gets a chance to respond to it.
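The two checks in that paragraph, "is the source address legitimate?" and "do the requests fit a pattern?", can be replayed over a packet log. The Python below is an added example, not code from the article or from any firewall product: a SYN is forwarded only if its source falls outside a list of address blocks that can never be a real external source, and only while the source has fewer than a threshold of unanswered SYNs; a completed handshake (the client's ACK) clears the counter. The log format, the addresses, the bogus-block list and the threshold are all constructed for the example.

```python
"""Added example (not from the article): a small replay of the firewall
logic described above over a constructed packet log. A SYN is forwarded
only if its source address could legitimately come from the Internet and
the source has not already piled up `syn_threshold` unanswered SYNs; a
completed handshake (the client's ACK) clears that counter. Log format,
addresses and threshold are all constructed for the example."""
import ipaddress
from collections import defaultdict

# Address blocks that should never appear as the source of a packet arriving
# from the Internet: RFC 1918 private space, loopback, link-local, multicast,
# the reserved class E block and "this network".
BOGUS_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed log: time(s)  source  destination  TCP flags (S=SYN, A=ACK)
SAMPLE_LOG = """\
0.00 198.51.100.7 203.0.113.10 S
0.05 198.51.100.7 203.0.113.10 A
0.10 10.0.0.5 203.0.113.10 S
0.20 192.0.2.1 203.0.113.10 S
0.21 192.0.2.1 203.0.113.10 S
0.22 192.0.2.1 203.0.113.10 S
0.23 192.0.2.1 203.0.113.10 S
0.24 192.0.2.1 203.0.113.10 S
0.25 192.0.2.1 203.0.113.10 S
0.26 192.0.2.1 203.0.113.10 S
0.30 198.51.100.7 203.0.113.10 S
"""


def is_bogus_source(ip_text):
    """True if `ip_text` falls in a block that cannot be a real external source."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BOGUS_SOURCES)


def filter_log(log_text, syn_threshold=5):
    """Replay the log through the filter.

    Returns (forwarded_lines, rejected_lines, reasons) where `reasons` maps a
    source address to why its traffic was first rejected."""
    unanswered = defaultdict(int)   # SYNs per source since its last completed handshake
    forwarded, rejected, reasons = [], [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _dst, flags = line.split()
        if is_bogus_source(src):
            rejected.append(line)
            reasons.setdefault(src, "bogus source address")
            continue
        if flags == "S":
            # A real client retransmits a SYN a few times at most; a source
            # that keeps sending SYNs and never answers matches the flood pattern.
            if unanswered[src] >= syn_threshold:
                rejected.append(line)
                reasons.setdefault(src, "SYN flood pattern")
                continue
            unanswered[src] += 1
        elif flags == "A":
            unanswered[src] = 0       # handshake completed: the source is answering
        forwarded.append(line)
    return forwarded, rejected, reasons


if __name__ == "__main__":
    fwd, rej, why = filter_log(SAMPLE_LOG)
    print(f"forwarded {len(fwd)}, rejected {len(rej)}")
    for src, reason in why.items():
        print(f"  {src}: {reason}")
```

On the sample log the private source is rejected outright, the first five SYNs from 192.0.2.1 pass and the rest are dropped, and the host that completed its handshake is still served when it connects again. The threshold is per source with no time window, so a production filter would also age the counters out, otherwise a host that retried a failed connection many times over a day would eventually be blocked.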
For each new fix against DOS attacks, crackers will find new ways to get around them. But the good news is that there used to be dozens of DOS attacks out in the wild, and now very few of them work any more. Keep your OSs patched and your firewalls up to date and hope for the best.