DENIAL OF SERVICE ATTACKS

 

Introduction

By now you are aware of the dangers of the Internet and have also learned a few basic rules for protection and safety on the Internet. In the previous article I explored ways to investigate a target system and to learn a great deal about it. The time has come to explain how an attack on a system actually works. In this and the coming articles we will examine one category of attack that might be used to cause harm to a target computer system: the Denial of Service (DoS) attack, in depth. This threat is one of the most common attacks on the Internet, so it is prudent for you to understand how it works and how to defend yourself against it.

Overview

As was said in the introduction, one of the most common and simplest forms of attack on a system is a Denial of Service (DoS). This attack does not even attempt to intrude on your system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. It is easy to perform this type of attack, and only basic technical expertise is needed. It is a fact that every machine has its own limits and cannot exceed them. For example, a truck has its own limits: it carries a limited load over a limited distance. Likewise, a computer has limits: it performs a limited number of operations in a limited time. The workload of a computer system may be defined by the number of simultaneous users, the size of files, the speed of data transmission, or the amount of data stored. If you give the system more work than it can handle, it will stop responding. For example, if you can flood a Web server with more requests than it can process, it will be overloaded and will no longer be able to respond to further requests (Webopedia, 2004). This reality underlies the DoS attack. Simply overload the system with requests, and it will no longer be able to respond to legitimate users attempting to access the Web server.

IN PRACTICE: Illustrating an Attack

One simple way to illustrate this attack, especially in a classroom setting, involves the use of the ping command discussed in previous articles.

1.      Start a Web server service running on one machine (you can use Apache, IIS or any Web server).

2.      Ask several people to open their browsers and key the IP address of that machine in the address bar. They should then be viewing the default Web site for that Web server.

Now you can perform a rather primitive DoS attack on the system. Recall from the previous article that typing ping /h will show you all the options for the ping command. The -l option changes the size of the packet you send. A TCP packet can only be of a limited size. Thus, you want to set these packets to be nearly as large as allowed. The -w option decides how many milliseconds the ping utility will wait for a response from the target. Use -w 0 so that the ping utility does not wait. Finally, -t instructs the ping utility to keep sending packets until explicitly told to stop.

3.      Open the command prompt in Windows 2000/XP (that is, the DOS prompt in Windows 98 and the shell in Unix/Linux).

4.      Key ping <address of target machine goes here> -l 65000 -w 0 -t.

What is happening at this point is that this single machine is continually pinging away at the target machine. Of course, just one machine in your classroom or lab pinging your Web server is not going to adversely affect it. However, you can now, one by one, get other machines in the classroom pinging the server in the same way. After each batch of three or four machines you add, try to go to the Web server’s default Web page. After a certain threshold (a certain number of machines pinging the server), it will stop responding to requests and you will no longer be able to see the Web page.

How many machines it will take to deny service depends on the Web server you are using. In order to see this denial happen with as few machines as possible, you could use a very low-capacity PC as your Web server. For example, running an Apache Web server on a simple Pentium III laptop running Windows 98, it can take about 15 machines simultaneously pinging to cause the Web server to stop responding to legitimate requests. This setup is, of course, counter to what you would normally select for a Web server; no real Web server would be running on a simple laptop with Windows 98. Likewise, actual DoS attacks use much more sophisticated methods. This simple exercise, however, should demonstrate for you the basic principle behind the DoS attack: simply flood the target machine with so many packets that it can no longer respond to legitimate requests.

 

FYI: Buffer Overflows

A Denial of Service attack is “one of the most common” attacks on a system. Another extremely common type of attack is the buffer overflow. Which of these is the leading form of attack is subject to debate among the experts. Regardless, understanding DoS attacks and how to thwart them is clearly an important component of system security.

Generally, the methods used for DoS attacks are significantly more sophisticated than this illustration. For example, a hacker might develop a small virus whose sole purpose is to initiate a ping flood against a predetermined target. Once the virus has spread, the various machines infected with it then begin their ping flood of the target system. This sort of DoS is easy to do, and it can be hard to stop. A DoS that is launched from several different machines is called a Distributed Denial of Service (DDoS).
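As an added example that is not part of the original article, the following Python script shows the defender’s side of the ping flood exercise and of the distributed flood just described: it counts ICMP packets per second in a constructed packet log and alerts only when the rate stays above a threshold for several consecutive seconds, checking both individual sources and the aggregate so that many individually quiet agents are still caught. The log line format, the thresholds and all addresses are assumptions made for the example.

```python
# Added example: sliding-window ICMP flood detector run over a constructed log.
# Line format "<second> <src_ip> <proto> <bytes>" and all thresholds are assumptions.
from collections import defaultdict

PER_SOURCE_PPS = 50    # assumed: ICMP packets/second that mark a single host as hostile
AGGREGATE_PPS = 200    # assumed: total ICMP packets/second the server can still absorb
SUSTAIN_SECONDS = 3    # the flood must stay above threshold this long before we alert

def sample_log():
    """Construct a log: 12 quiet DDoS agents, one noisy lone attacker, one legitimate client."""
    lines = []
    for sec in range(6):
        lines.append(f"{sec} 203.0.113.5 TCP 512")              # legitimate web client
        for agent in range(12):                                   # 30 pps each, 360 pps in total
            lines += [f"{sec} 10.0.{agent}.2 ICMP 65000"] * 30
        if sec < 5:                                               # lone host at 80 pps, stops early
            lines += [f"{sec} 192.168.1.7 ICMP 65000"] * 80
    return lines

def icmp_counts(lines):
    """Return {second: {src_ip: packet_count}} for ICMP traffic only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        sec, src, proto, _size = line.split()
        if proto == "ICMP":
            counts[int(sec)][src] += 1
    return counts

def detect_flood(lines):
    """Return alerts as (kind, who, second). Per-source alerts catch one noisy host;
    the aggregate check catches a distributed flood whose agents each stay quiet."""
    counts = icmp_counts(lines)
    if not counts:
        return []
    alerts, src_run, agg_run = [], defaultdict(int), 0
    for sec in range(min(counts), max(counts) + 1):              # walk every second, gaps included
        per_src = counts.get(sec, {})
        agg_run = agg_run + 1 if sum(per_src.values()) > AGGREGATE_PPS else 0
        if agg_run == SUSTAIN_SECONDS:
            alerts.append(("aggregate", f"{len(per_src)} sources", sec))
        for src in set(src_run) | set(per_src):                   # reset runs for sources that went quiet
            src_run[src] = src_run[src] + 1 if per_src.get(src, 0) > PER_SOURCE_PPS else 0
            if src_run[src] == SUSTAIN_SECONDS:
                alerts.append(("source", src, sec))
    return alerts

if __name__ == "__main__":
    for alert in detect_flood(sample_log()):
        print(alert)
```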

Common Tools Used for DoS

As with any of the security issues in previous articles, you will find that hackers have at their disposal a vast array of tools with which to work. The DoS arena is no different. While it is certainly well beyond the scope of this and the previous articles to categorize or discuss all of these tools, a brief introduction to just a few of them will prove useful. The two tools discussed here, TFN and Stacheldraht, are typical of the type of tools that someone wishing to perform a DoS attack would utilize.

TFN and TFN2K:

TFN, also known as Tribal Flood Network, and TFN2K are not viruses, but rather attack tools that can be used to perform a DDoS. TFN2K is a newer version of TFN that supports both Windows NT and Unix platforms (and can easily be ported to additional platforms). It has some features that make it more complex than its predecessor, including sending decoy information to avoid being traced. Users of TFN2K can also direct its resources against more than one target. Additionally, TFN and TFN2K can perform various attacks such as UDP flood attacks, ICMP flood attacks, and TCP SYN flood attacks.

FYI: What is DoS?

The name for DoS attacks comes from the fact that such attempts literally deny legitimate users the service provided by the site in question. These attacks began to become widely known in 1995 when the simple Ping of Death DoS attack began to be used frequently.

TFN2K works on two fronts. First, there is a command-driven client on the master system. Second, there is a daemon process operating on an agent system. The attack works like this:

1.      The master instructs its agents to attack a list of designated targets.

2.      The agents respond by flooding the targets with a barrage of packets.

With this tool, multiple agents, coordinated by the master, can work together during the attack to disrupt access to the target. Additionally, there are a number of “safety” features for the attacker that significantly complicate the development of effective and efficient countermeasures for TFN2K:

·         Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

·         Both master-to-agent communications and attacks themselves can be sent via randomized TCP, UDP and ICMP packets.

·         The master can falsify its IP address (spoof).

Stacheldraht:

Stacheldraht, which is German for “barbed wire”, is a DDoS attack tool that combines features of the Trinoo DDoS tool (another common tool) with the source code from the TFN DDoS attack tool. Like TFN2K, it adds encryption of the communication between the attacker and the Stacheldraht master. It also provides automatic updating of the agents.

Stacheldraht can perform a variety of attacks including UDP flood, ICMP flood, TCP SYN flood and Smurf attacks. It also detects and automatically enables source address forgery.

DoS Weaknesses

The weakness in any DoS attack, from the attacker’s point of view, is that the flood of packets must be sustained. As soon as the attacker stops sending packets, the target system is back up. A DoS/DDoS attack, however, is very often used in conjunction with another form of attack, such as disabling one side of a connection in TCP hijacking or preventing authentication or logging between servers.

If the hacker is using a distributed attack, as soon as the administrators or owners of the infected machines realize their machines are infected, they will take steps to remove the virus and thus stop the attack. If a hacker attempts to launch an attack from her own machine, she must be aware that each packet has the potential to be traced back to its source. This fact means the single hacker using a DoS will almost certainly be caught by the authorities. For this reason, the DDoS is quickly becoming the most common type of DoS attack.

