Denial of Service Attack (DoS)

Abstract

SearchSoftwareQuality.com (2007) explained that a Denial of Service (DoS) attack is an incident in which an organization or a user is deprived of the services of a resource that would normally be available. While such an attack does not usually target access to sensitive information, it can cost organizations and users a great deal of money and time. The loss of a service (e.g. email access, or access to a specific service within an organization) results either from the unavailability of the service itself or from a loss of network connectivity. Such an attack can also destroy files and programs on the affected network and systems, which can cause services and websites used by millions of people to cease normal operation. Denial of service attacks take one of the following forms:

  • Buffer Overflow Attacks – the attacker sends more traffic to a network address than its data buffers were designed to handle, or exploits a known weakness in the system.
  • SYN Attacks – the aim is to make it difficult for legitimate session requests to be established. When a user’s session is established with the server via the Transmission Control Protocol (TCP), a small buffer handles the “hand-shaking” exchange of messages (including a SYN field that identifies the sequence of the message exchange). The attacker sends enough connection requests to flood that buffer; the bogus connections are never completed and are dropped only after a certain period passes without a reply, and legitimate connections cannot be initiated in the meantime. As a result, the user’s legitimate session requests fail to be established.
  • Teardrop Attacks – the attacker exploits the way the Internet Protocol (IP) divides a large packet into smaller fragments. Each fragment carries an offset that allows the receiving system to reassemble the packets. The attacker injects confusing offsets, so that the operating system on the receiving system fails to reassemble the related fragments into their original shape; in most cases the system crashes.
  • Smurf Attack – the attacker sends an IP ping request to the target site, with the packet marked to be broadcast to the hosts on the receiving local network and with a forged (spoofed) source so that it appears to come from another site. As a result the network is flooded with packets and can no longer distinguish or receive legitimate traffic.
  • Viruses – a virus replicating across a network can amount to a denial-of-service attack on that network; the extent of the denial depends on how much the virus affects network traffic.

SearchNetworking.com (2000) explained that TCP/IP stands for “Transmission Control Protocol/Internet Protocol”. It is the protocol used for communication on the Internet and on private networks (e.g. an intranet). TCP/IP consists of a two-layer program:

  • Transmission Control Protocol (TCP), the higher layer – responsible for assembling a message into smaller packets that can be transmitted over the Internet and received by another TCP layer, which reassembles the packets into the original message.
  • Internet Protocol (IP), the lower layer – responsible for handling each packet’s address so that it reaches the right destination; each gateway computer checks the address to see where the packet should be forwarded. Although each packet may be routed differently based on its address, all the packets belonging to a message are reassembled at the destination.

DDoS attacks in TCP/IP

In a normal connection, the user sends a request asking the server to authenticate the connection; the server sends an authentication approval to the user, the user acknowledges that approval, and the user is allowed onto the server. In a denial of service attack, the attacker floods the server with requests carrying false return addresses. The server cannot deliver its authentication approvals to those addresses, and it keeps itself busy trying to respond to the flood, so it is unable to respond to legitimate requests. One solution is to set up a sniffer or filter on the network in front of the site’s web server; the filter looks for patterns and blocks messages that match them, protecting the web servers from having their communication channels tied up with false requests (CNET News, 2000).
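The filter described above looks for patterns in the traffic. One pattern that a flood of requests with false return addresses leaves behind is a burst of SYNs whose sources never send the final handshake ACK, because the spoofed hosts never received the server’s SYN-ACK. The following Python script is an added illustration of that check and is not code from any of the cited sources; the connection-attempt events, addresses, window size and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of TCP connection-attempt events, as a monitor placed in
# front of the web server might record them (not real captured traffic).
# Each tuple is (timestamp_seconds, source_ip, tcp_flag) where "S" is the
# client's SYN and "A" is the client's ACK that completes the handshake.
SAMPLE_EVENTS = [
    # second 0: normal traffic, every SYN is followed by the same client's ACK
    (0.00, "198.51.100.7", "S"),
    (0.05, "198.51.100.7", "A"),
    (0.40, "198.51.100.8", "S"),
    (0.45, "198.51.100.8", "A"),
    # second 1: burst of SYNs from many (spoofed) sources, none of which ACK,
    # plus one legitimate client that does complete its handshake
    (1.00, "203.0.113.1", "S"),
    (1.01, "203.0.113.2", "S"),
    (1.02, "203.0.113.3", "S"),
    (1.03, "203.0.113.4", "S"),
    (1.04, "203.0.113.5", "S"),
    (1.05, "203.0.113.6", "S"),
    (1.50, "198.51.100.9", "S"),
    (1.55, "198.51.100.9", "A"),
]


def handshake_stats(events, window_seconds=1.0):
    """Bucket events into fixed windows and count, per window, how many
    SYN sources completed the handshake with an ACK and how many were
    left half-open (SYN seen, no ACK from that source in the window)."""
    syns = defaultdict(set)
    acks = defaultdict(set)
    for ts, src, flag in events:
        bucket = int(ts // window_seconds)
        if flag == "S":
            syns[bucket].add(src)
        elif flag == "A":
            acks[bucket].add(src)
    stats = {}
    for bucket in sorted(syns):
        total = len(syns[bucket])
        completed = len(syns[bucket] & acks[bucket])
        stats[bucket] = {"syn": total, "completed": completed,
                         "half_open": total - completed}
    return stats


def syn_flood_alerts(events, window_seconds=1.0, max_half_open=4,
                     min_completion=0.5):
    """Return (window, half_open_count, completion_ratio) for every window
    where half-open SYNs exceed the threshold AND the completion ratio is
    low. Both conditions together separate a flood of unanswerable SYNs
    from a legitimate burst of new clients (thresholds are illustrative)."""
    alerts = []
    for bucket, s in handshake_stats(events, window_seconds).items():
        ratio = s["completed"] / s["syn"] if s["syn"] else 1.0
        if s["half_open"] > max_half_open and ratio < min_completion:
            alerts.append((bucket, s["half_open"], round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for window, stats in handshake_stats(SAMPLE_EVENTS).items():
        print(f"window {window}: {stats}")
    print("alerts:", syn_flood_alerts(SAMPLE_EVENTS))
```

The detector only counts an ACK as completing a handshake if it falls in the same window as its SYN, so a handshake that straddles a window boundary is counted as half-open; a production monitor would keep per-source state across windows and expire it, much as the server’s own connection buffer does.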

To launch a DDoS (Distributed Denial of Service) attack against a web server, the attacker builds a network of computers that together produce the huge volume of traffic needed to deny service. With today’s technology, attackers use vulnerable computers to launch the attack, employing self-propagating programs: the attacker’s program finds computers with vulnerabilities, attacks them, and installs the software needed to launch attacks on the server from those computers. The program then recruits further computers by compromising them through their vulnerabilities, so the network of compromised machines grows on its own, ready to attack a specific server. Attackers hide the distributed nature of the attack by launching it from computers in different time zones and different legal jurisdictions (Rogers, 2004).

With IP spoofing, attackers try to gain unauthorized access to the target network’s server by sending a malicious message that pretends to come from a trusted address: the attacker needs the IP address of the trusted server and rewrites the packet’s header so that the trusted server appears to be the source. Once the connection (“hand-shaking”) is established, the attackers begin their attacks (e.g. DDoS and TCP SYN flooding) (Wang, 2010).

Some of the methods used to prevent IP spoofing are spoofing detection during transmission, prevention before transmission, and spoofing detection after arrival at the destination. However, these methods are limited in their effectiveness. Filtering can be used to prevent DDoS attacks against the network, but such techniques cannot fully prevent IP spoofing; intelligent network-management security methods can be implemented to avoid such attacks, but the penalty is degraded network performance. Another anti-spoofing method uses Access Control Lists (ACLs), which reject an incoming packet if its source address is not within the network’s address range and discard outbound traffic whose source address is not within the network’s address range. However, building such anti-spoofing access lists is difficult because network address configurations vary (Wang, 2010).

Cobb (2001) explained that people tend to think of DDoS attacks as flooding or jamming network bandwidth with bogus traffic, but a DDoS attack can also work by eating up server resources (e.g. an attack over a low-speed modem connection). DoS attacks target the network’s TCP/IP infrastructure in three ways: exploiting weaknesses in the implemented TCP/IP stack, true brute-force attacks, and attacks that target weaknesses in TCP/IP itself.

In attacks that exploit TCP/IP implementation weaknesses, the attacker uses the ‘Ping of Death’: the packets sent exceed the IP standard’s maximum size (e.g. 65,536 bytes), and when such a packet arrives it crashes the system. Attackers can also take advantage of a poor TCP/IP implementation by bombarding the server with IP fragments whose offset fields overlap; if the server or router cannot discard these fragments and tries to reassemble them, the system crashes. Lastly, the SYN attack exploits the hand-shaking technique used by TCP: an application initiates a session by sending a TCP SYN packet to another application, which replies with a TCP SYN-ACK acknowledgment. The SYN attack overwhelms the server with a flood of TCP SYN packets (Cobb, 2001).
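The two fragment-based attacks above (overlapping offsets in the teardrop case, and a reassembled size beyond the IP maximum in the Ping of Death case) are both caught by validating a fragment set before any reassembly is attempted, which is what a robust stack or router does instead of crashing. The following Python function is an added illustration of that validation and is not code from Cobb or any other cited source. It works on fragment descriptors rather than raw packets, with offsets already converted from the 8-byte units of the IPv4 header into bytes; the four sample fragment sets are constructed for the example.

```python
# Largest total length an IPv4 datagram can declare (16-bit length field).
MAX_IP_DATAGRAM = 65535

# Constructed fragment descriptors (not captured packets). Each entry is
# (fragment_offset_in_bytes, payload_length_in_bytes, more_fragments_flag).
WELL_FORMED = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
OVERLAPPING = [(0, 1480, True), (1000, 1480, False)]   # 2nd starts inside the 1st
OVERSIZED = [(0, 1480, True), (64800, 1480, False)]    # 64800 + 1480 > 65535
GAPPED = [(0, 1480, True), (3000, 200, False)]         # hole between fragments


def classify_fragments(fragments):
    """Classify a set of fragments belonging to one datagram.

    Returns one of:
      "ok"         - contiguous, in range, last fragment terminates the set
      "overlap"    - a fragment starts inside the bytes of an earlier one
      "oversized"  - reassembled size would exceed MAX_IP_DATAGRAM
      "incomplete" - bytes are still missing (hold, do not reassemble yet)
      "malformed"  - zero-length fragment or more-fragments flag misuse
    Anything other than "ok" must not be handed to the reassembler.
    """
    if not fragments:
        return "incomplete"
    ordered = sorted(fragments)          # sort by offset
    last_index = len(ordered) - 1
    expected_next = 0
    for i, (offset, length, more) in enumerate(ordered):
        if length <= 0:
            return "malformed"
        end = offset + length
        # Size check first: an out-of-range fragment is rejected even if
        # earlier bytes are still missing.
        if end > MAX_IP_DATAGRAM:
            return "oversized"
        if offset < expected_next:
            return "overlap"
        if offset > expected_next:
            return "incomplete"
        if more and i == last_index:
            return "incomplete"         # final fragment has not arrived yet
        if not more and i != last_index:
            return "malformed"          # "last" fragment followed by more data
        expected_next = end
    return "ok"


if __name__ == "__main__":
    for name, frags in [("well-formed", WELL_FORMED), ("overlapping", OVERLAPPING),
                        ("oversized", OVERSIZED), ("gapped", GAPPED)]:
        print(f"{name}: {classify_fragments(frags)}")
```

Only the "incomplete" result is a reason to keep waiting; "overlap", "oversized" and "malformed" are reasons to discard the whole set and, on a monitor, to count the event, since a legitimate sender never produces them.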

How to improve TCP/IP to avoid attacks

Cherian and Okopnik (2006) explained that there is no complete solution that prevents DDoS, since no server or application can stand against an attack from hundreds of servers and computers. However, some preventive measures allow a quick and effective response:

  • Implement a good security policy to detect and prevent such attacks.
  • Set up a firewall that filters traffic entering at the gateway.
  • Use host-based intrusion detection that can raise an alert on port scans and break-in attempts.
  • Conduct regular security audits of the network to find any installed DDoS tools and any vulnerable applications. Such audits prevent the network from being used as a slave in a DDoS attack.
  • Set up load balancing in the network to spread service requests.

Boyce (2002) explained that disabling NetBIOS over TCP/IP increases network performance and prevents hackers from trying to establish connections via NetBIOS over TCP/IP. A packet filter is also a good solution: it examines each packet entering or leaving the network and allows or refuses it based on a set of user-defined policies or rules (e.g. Access Control Lists, ‘ACLs’).
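The rule-based packet filter described here and the anti-spoofing access lists mentioned earlier (Wang, 2010) can be shown together in one small filter. The following Python code is an added illustration and is not code from Boyce, Wang, or any firewall product; the site prefix 192.0.2.0/24, the web server address, the rule table and the test packets are all constructed. It applies the anti-spoofing pair in its usual form (drop inbound packets that claim one of the site’s own source addresses, drop outbound packets whose source is not one of the site’s addresses), drops inbound packets aimed at the subnet broadcast address (the delivery path of the smurf attack), and then consults a first-match rule table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical site prefix and web server address (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WEB_SERVER = ipaddress.ip_address("192.0.2.10")

# User-defined rule table, evaluated top to bottom; the first match wins.
# Fields: direction, protocol or None (any), destination or None (any),
#         destination port or None (any), action.
RULES = [
    ("in", "tcp", WEB_SERVER, 80, "allow"),
    ("in", "tcp", WEB_SERVER, 443, "allow"),
    ("in", "tcp", WEB_SERVER, 139, "deny"),   # NetBIOS session service, not offered outside
    ("out", None, None, None, "allow"),
    ("in", None, None, None, "deny"),         # default deny for everything else inbound
]


@dataclass
class Packet:
    direction: str            # "in" = arriving from outside, "out" = leaving the site
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def is_internal(addr):
    """True if the address belongs to one of the site's own prefixes."""
    return any(addr in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr):
    """True if the address is the broadcast address of one of the site's prefixes."""
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def decide(pkt):
    """Return (action, reason) for a packet: anti-spoofing checks first,
    then the directed-broadcast check, then the user-defined rule table."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in" and is_internal(src):
        return "deny", "inbound packet claims an internal source address (spoofed)"
    if pkt.direction == "out" and not is_internal(src):
        return "deny", "outbound packet with a source address that is not ours"
    if pkt.direction == "in" and is_directed_broadcast(dst):
        return "deny", "inbound directed broadcast"
    for direction, proto, rule_dst, rule_port, action in RULES:
        if direction != pkt.direction:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if rule_dst is not None and rule_dst != dst:
            continue
        if rule_port is not None and rule_port != pkt.dport:
            continue
        return action, "matched rule table"
    return "deny", "no rule matched"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 80),
        Packet("in", "tcp", "192.0.2.50", "192.0.2.10", 80),
        Packet("out", "tcp", "198.51.100.9", "203.0.113.5", 80),
        Packet("in", "icmp", "203.0.113.5", "192.0.2.255"),
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 139),
    ]
    for p in samples:
        print(p, "->", decide(p))
```

The egress rule is the one that keeps a compromised host inside the site from being useful as a spoofing source for someone else’s attack; the ingress rule only protects the site’s own servers. Both depend on the prefix list being accurate, which is the maintenance difficulty Wang (2010) points out.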

Adding a layer of protection such as an application gateway, which applies security mechanisms to designated applications such as FTP, HTTP and Telnet services, is a good preventive measure for any network. The trade-off of such a powerful layer of protection is reduced performance, which can be a big problem for an organization. Finally, placing a proxy server between the client and the web server improves performance and also filters requests before the server responds to them (Boyce, 2002).

Conclusion

SearchNetworking.com (2000) explained that TCP/IP communication is commonly called point-to-point communication, since communication occurs within the network from one point to another via the protocol. The protocol is also stateless, since each client request is considered a separate, unrelated request, which frees the network path for the next request. Other higher-layer protocols that use TCP/IP to access the Internet are:

  • Hypertext Transfer Protocol (HTTP)
  • Simple Mail Transfer Protocol (SMTP)
  • File Transfer Protocol (FTP)

The purpose of Denial of Service (DoS) attacks is to remove a service from functional use by an organization’s clients. Under such attacks, email servers stop accepting or delivering email, web servers stop serving pages, routers stop working, and systems crash. Protecting services from such attacks requires the organization to follow a set of implementations, and the source of the attack also has to be identified.

Finally, implementing the right setup and tuning for TCP/IP can improve communication traffic within an organization’s network infrastructure and also prevent many attacks that take advantage of TCP/IP vulnerabilities and weaknesses.

References

Boyce, J. (2002) Improve network performance by disabling NetBIOS over TCP/IP [Online]. Available from: http://www.zdnetasia.com/improve-network-performance-by-disabling-netbios-over-tcp-ip-39095280.htm (Accessed: 11 December 2010).

CNET News (2000) How a denial of service attack works [Online]. Available from: http://news.cnet.com/2100-1017-236728.html (Accessed: 11 December 2010).

Wang, S. (2010) Challenges in IP Spoofing [Online]. Available from: http://www.ehow.com/list_6759982_challenges-ip-spoofing.html (Accessed: 11 December 2010).

Cobb, C. (2001) Denial of Service Attacks (DoS Attacks) [Online]. Available from: http://www.cheycobb.com/DoS.html (Accessed: 11 December 2010).

Cherian, B. & Okopnik, B. (2006) Preventing DDoS attacks [Online]. Available from: http://linuxgazette.net/126/cherian.html (Accessed: 11 December 2010).

Rogers, L. (2004) What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It? [Online]. Available from: http://www.cert.org/homeusers/ddos.html (Accessed: 11 December 2010).

SearchSoftwareQuality.com (2007) Denial of Service [Online]. Available from: http://searchsoftwarequality.techtarget.com/definition/denial-of-service (Accessed: 11 December 2010).

SearchNetworking.com (2000) TCP/IP (Transmission Control Protocol/Internet Protocol) [Online]. Available from: http://searchnetworking.techtarget.com/definition/TCP-IP (Accessed: 11 December 2010).

Vig, A. (2004) Preventing Denial of Service Attacks [Online]. Available from: http://onlamp.com/pub/a/bsd/2004/06/24/anti_dos.html (Accessed: 11 December 2010).
