Wednesday, July 20, 2011

DoS , SYN Flood, Distributed DoS (DDoS) and Smurf Attacks

DoS Attacks
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form, because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.

DoS attacks take many forms. Ultimately, they prevent authorized users from using a service by consuming system resources or network bandwidth. The following are some examples of common DoS threats:

A ping of death attack gained popularity in the late 1990s and took advantage of a reassembly flaw in older operating systems. The attacker sent an ICMP echo request as a series of IP fragments whose offsets and lengths added up to more than the 65,535-byte maximum size of an IP datagram; the IP header of the last fragment claimed more data than a legal packet could carry. A normal ping is 64 to 84 bytes, so a reassembled ping larger than 65,535 bytes overflowed the receive buffer and could crash the target. Modern operating systems check the reassembled length, so most networks are no longer susceptible to this attack.

A SYN flood attack exploits the TCP three-way handshake. It involves sending a large number of SYN segments (often thousands) to a listening port on the targeted server, usually from spoofed source addresses. The server replies to each with the usual SYN-ACK and holds a half-open connection in its backlog queue while it waits for the final ACK, which the attacker never sends. Once the backlog is full, the server drops new SYNs from legitimate clients until the half-open entries time out, so the service is unavailable even though the link itself is not saturated. Defenses such as SYN cookies, which encode the connection parameters in the server's initial sequence number instead of storing a backlog entry, exist precisely because the attacker's cost per half-open connection is so low.
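As an added illustration (not part of the original post), the following Python model shows why a SYN flood works: a listener with a bounded backlog of half-open connections, a constructed trace of spoofed SYNs that are never completed, and a legitimate client whose SYN is dropped until the stale entries time out. It also shows a detection rule based on backlog occupancy rather than per-source counts, since every spoofed SYN carries a different source. The backlog size, the 60-second SYN timeout and all addresses are assumptions chosen for the example.

```python
"""Model of a TCP listener's SYN backlog under a SYN flood.

Added example, not code from the original post. Addresses, the backlog
size and the SYN-ACK timeout are assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP (spoofed by the attacker)
    sport: int    # source port; (src, sport) identifies one connection attempt
    flags: str    # "S" = SYN from the client, "A" = final ACK of the handshake
    t: float      # arrival time in seconds


class Listener:
    """A listening socket that keeps one backlog slot per half-open connection."""

    def __init__(self, backlog=256, syn_timeout=60.0):
        self.backlog = backlog            # maximum number of half-open connections
        self.syn_timeout = syn_timeout    # seconds a half-open entry is kept
        self.half_open = {}               # (src, sport) -> time the SYN-ACK was sent
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        # Entries whose SYN-ACK was never acknowledged are released on timeout.
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.syn_timeout]
        for key in stale:
            del self.half_open[key]

    def receive(self, pkt):
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport)
        if pkt.flags == "S":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1          # backlog full: legitimate or not, the SYN is lost
                return "dropped"
            self.half_open[key] = pkt.t    # SYN-ACK sent; now waiting for the final ACK
            return "syn-ack"
        if pkt.flags == "A" and key in self.half_open:
            del self.half_open[key]        # handshake completes, slot released
            self.established.add(key)
            return "established"
        return "ignored"                   # ACK with no matching half-open entry


def half_open_alert(listener, threshold=0.9):
    """Detection rule: alert when the backlog is mostly half-open connections."""
    return len(listener.half_open) / listener.backlog >= threshold


def build_trace():
    """Constructed packet trace: 300 spoofed SYNs, then one real client."""
    pkts = [Packet(f"203.0.113.{i % 250 + 1}", 40000 + i, "S", i * 0.001)
            for i in range(300)]                               # attacker never ACKs
    pkts.append(Packet("198.51.100.7", 51000, "S", 1.0))      # legitimate SYN
    pkts.append(Packet("198.51.100.7", 51000, "A", 1.01))     # its ACK (no SYN-ACK was sent)
    pkts.append(Packet("198.51.100.7", 51000, "S", 61.5))     # retry after the timeout
    pkts.append(Packet("198.51.100.7", 51000, "A", 61.51))
    return pkts


def simulate(backlog=256, syn_timeout=60.0):
    """Run the trace through a listener.

    Returns (listener, per-packet outcomes, arrival times at which the
    backlog-occupancy alert was raised)."""
    listener = Listener(backlog, syn_timeout)
    outcomes, alerts = [], []
    for pkt in build_trace():
        outcomes.append(listener.receive(pkt))
        if half_open_alert(listener):
            alerts.append(pkt.t)
    return listener, outcomes, alerts


if __name__ == "__main__":
    lis, outcomes, alerts = simulate()
    print(Counter(outcomes))
    print("dropped:", lis.dropped, "established:", len(lis.established),
          "first alert at t =", alerts[0] if alerts else None)
```

With the default backlog of 256, the first 256 spoofed SYNs fill the queue, the remaining 44 and the legitimate client's SYN at t = 1.0 are dropped, and the client only gets through at t = 61.5 after the attacker's entries have timed out. The alert fires well before the queue is full, which is the point at which a real deployment would start rate limiting or switch to stateless handling.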

Other types of DoS attacks include:

E-mail bombs - Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services.
Malicious applets - These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.


DDoS Attacks

Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped. DDoS uses attack methods similar to standard DoS attacks, but operates on a much larger scale. Typically, hundreds or thousands of attack points attempt to overwhelm a target.

Typically, there are three components to a DDoS attack:

The client is the system from which the attacker launches the attack.
A handler is a compromised host running the attacker's control program; each handler is capable of controlling multiple agents.
An agent is a compromised host running the attacker's flooding program; it generates the stream of packets directed at the intended victim.


Examples of DDoS attacks include the following:

Smurf attack
Tribe Flood Network (TFN)
Stacheldraht
MyDoom

The Smurf attack uses spoofed broadcast ping messages to flood a target system. The attacker sends a large number of ICMP echo requests to the broadcast address of a network, with the source address spoofed to be the victim's. If the router forwards the directed broadcast onto the segment (converting the Layer 3 broadcast into a Layer 2 broadcast), most hosts on the segment respond with an ICMP echo reply to the spoofed source, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines could reply to each echo request.

For example, assume that the network has 100 hosts and that the attacker has a high-performance T1 link. The attacker sends a 768 kb/s stream of ICMP echo request packets, with the spoofed source address of the victim, to the broadcast address of the targeted network (referred to as the bounce site). The ping packets reach the broadcast network of 100 hosts, and each host responds to every one of them, creating 100 outbound echo replies per request. After this multiplication, a total of 76.8 megabits per second (Mb/s) of bandwidth leaves the bounce site, all of it addressed to the victim, the spoofed source of the original packets.

Turning off directed broadcast capability in the network infrastructure prevents the network from being used as a bounce site. In Cisco IOS software this is the interface command no ip directed-broadcast, which has been the default since version 12.0.

DoS and DDoS attacks can be mitigated by implementing anti-spoof and anti-DoS access control lists. Anti-spoof (ingress) filtering drops packets whose source address does not belong to the network they arrived from, which stops a Smurf attacker from sending echo requests with the victim's address at the attacker's own edge; on Cisco IOS, unicast reverse path forwarding (ip verify unicast source reachable-via rx) applies the same check automatically. ISPs can also implement traffic rate limiting, restricting the amount of nonessential traffic that crosses network segments. A common example is to limit the rate of ICMP traffic allowed into a network. Rate limiting is preferable to blocking ICMP outright, because some ICMP messages (for example, the "fragmentation needed" message used by path MTU discovery) are required for normal operation, not just for diagnostics.
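To make the bounce-site mechanics and the two mitigations concrete, here is an added Python example (not from the original post, and not Cisco code) that applies the two checks a border router would make to a constructed packet trace: a directed-broadcast check against the router's own subnets (the effect of no ip directed-broadcast) and an ingress anti-spoof check that drops packets whose source does not belong to the network they arrived from. It also measures the amplification the same trace would produce if neither check were in place. The subnets, interface names and addresses are assumptions.

```python
"""Smurf bounce-site checks on a constructed packet trace.

Added example, not code from the original post or from Cisco. Subnets,
interface names and addresses are assumptions chosen for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    src: str
    dst: str
    icmp_type: int


def filter_packet(pkt, interfaces, uplink="uplink"):
    """Return 'forward' or a drop reason for one packet at one router.

    interfaces maps interface name -> ipaddress network attached to it;
    the uplink interface faces the rest of the Internet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    inside = {name: net for name, net in interfaces.items() if name != uplink}
    if pkt.iface == uplink:
        # Nothing arriving from outside may claim an inside source address.
        if any(src in net for net in inside.values()):
            return "drop: inside source from uplink"
    elif src not in interfaces[pkt.iface]:
        # RFC 2827-style ingress filtering on customer-facing interfaces.
        return "drop: spoofed source"
    # A broadcast for an inside subnet arriving from any other interface is a
    # directed broadcast; a host on that subnet pinging its own broadcast is not.
    if any(dst == net.broadcast_address and name != pkt.iface
           for name, net in inside.items()):
        return "drop: directed broadcast"
    return "forward"


def bounce_site_replies(requests, hosts):
    """Replies produced if the broadcast is delivered: every host answers every request."""
    return [Packet("lan", host, req.src, ECHO_REPLY)
            for req in requests if req.icmp_type == ECHO_REQUEST
            for host in hosts]


def amplification(requests, replies):
    """Reply packets reaching each spoofed source per request packet sent with it."""
    sent = Counter(r.src for r in requests if r.icmp_type == ECHO_REQUEST)
    received = Counter(r.dst for r in replies)
    return {victim: received[victim] / n for victim, n in sent.items()}


def run_scenario():
    """Constructed scenario: attacker's edge router, then the bounce site's router."""
    attacker_edge = {"uplink": ipaddress.ip_network("10.0.0.0/30"),
                     "cust": ipaddress.ip_network("203.0.113.0/24")}
    bounce_site = {"uplink": ipaddress.ip_network("10.0.1.0/30"),
                   "lan": ipaddress.ip_network("192.0.2.0/25")}   # broadcast 192.0.2.127
    victim, bounce_bcast = "198.51.100.9", "192.0.2.127"
    # Two echo requests with the victim's address as source, seen at each router.
    at_attacker = [Packet("cust", victim, bounce_bcast, ECHO_REQUEST)] * 2
    at_bounce = [Packet("uplink", victim, bounce_bcast, ECHO_REQUEST)] * 2
    hosts = [f"192.0.2.{i}" for i in range(1, 101)]               # 100 responding hosts
    return {
        "attacker_edge": [filter_packet(p, attacker_edge) for p in at_attacker],
        "bounce_site": [filter_packet(p, bounce_site) for p in at_bounce],
        "unicast_ping": filter_packet(Packet("uplink", victim, "192.0.2.5", ECHO_REQUEST),
                                      bounce_site),
        "inside_src_from_uplink": filter_packet(Packet("uplink", "192.0.2.3", "192.0.2.5",
                                                       ECHO_REQUEST), bounce_site),
        "amplification": amplification(at_bounce, bounce_site_replies(at_bounce, hosts)),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Either check alone defeats the attack: the attacker's edge router rejects the packets because their source is not in the customer's subnet, and the bounce site's router rejects them because they are a directed broadcast from the uplink. Without both, the 100 hosts answer each request, giving the amplification factor of 100 that turns the 768 kb/s stream in the text into 76.8 Mb/s at the victim. An ordinary unicast ping to a host behind the bounce site is still forwarded.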

Details of the operation of these attacks are beyond the scope of this course. For more information, refer to the Networking Academy Network Security course.

