DoS ATTACKS

As you can see, the basic concept behind a DoS attack is not complicated. The real problem for the attacker is performing the attack without being caught. We will examine a few specific types of DoS attacks and look at specific case studies. This information will give you a deeper understanding of the dangers of the Internet.

TCP SYN Flood Attack

The SYN flood is one of the most popular forms of DoS. These attacks depend on the hacker's knowledge of how connections are made to a server. When a session between client and server is set up over TCP, the server must set aside buffer space in memory that is used for the proper exchange of messages. The SYN field is included in the connection-establishing packet to identify the sequence of the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply that is sent back by the server, or he can supply a spoofed (forged) IP address. In other words, he requests connections and then never follows through with the rest of the connection sequence. This leaves connections on the server half open, and the buffer memory allocated for them is reserved and not available to other applications. Although the packet in the buffer is dropped after a certain period of time (usually about three minutes) without a reply, the effect of many of these false connection requests is to make it difficult for legitimate session requests to get established.

There have been a number of well-known SYN flood attacks on Web servers. The main reason this attack works is that the machine is kept busy with TCP.

FYI: Flood Attacks

In a flood attack, the attacker overwhelms a target system by sending a continuous flood of traffic designed to consume d

communication is in danger because all machines connected to the Internet engage in TCP communications. Such communication is obviously the entire reason for a Web server. There are, however, several methods and techniques you can implement to protect against these attacks. The basic defensive techniques are:

- SYN cookies

- RST cookies

- Stack tweaking

Some of these methods require more technical sophistication than others. These methods are discussed here in general terms. When you are tasked with defending a system against this form of attack, select the most appropriate method for your network and examine it in more detail at that time. Which method you implement depends on the operating system your Web server uses. You will need to consult your operating system's documentation or the appropriate Web sites in order to find explicit instructions on how to implement these methods.

SYN Cookies

As the name suggests, this method uses cookies, not unlike the standard cookies used on many Web sites. With SYN cookies, the system does not immediately create buffer space in memory for the handshaking process. Instead, the server sends a carefully constructed cookie in its SYN-ACK that encodes the IP address, port number and other information about the client system requesting the connection. When the client responds with a normal ACK (acknowledgement), the information from that cookie is included, and the server verifies it. Thus, the system does not fully allocate any memory until the third stage of the handshaking process. This allows the system to keep performing its functions; one side effect is that large TCP windows are disabled. However, the cryptographic hashing used in SYN cookies is fairly resource intensive, so system administrators who expect a great deal of incoming connections may choose not to use this defensive technique.
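The following is an added example, not code from the original text or from any particular operating system: a minimal SYN-cookie encoder and verifier in Python. The 32-bit layout (5-bit time slot, 3-bit MSS index, 24-bit truncated HMAC), the 64-second slot length, the MSS table and the secret are all assumptions chosen for the demonstration. It shows the property the paragraph describes: the server keeps no state between the SYN and the third-handshake ACK, and it recovers the client's MSS from the cookie itself, so a flood of unanswered SYNs costs it one hash per packet rather than one buffer per packet.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo secret. A real server generates this at boot and rotates it;
# anyone who learns it can forge cookies.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Small MSS table encoded in 3 bits of the cookie. The real TCP options are lost
# because nothing is stored for the half-open connection (assumption: 4 entries).
MSS_TABLE = (536, 1300, 1440, 1460)

SLOT_SECONDS = 64  # the 5-bit counter advances once per slot (assumption)


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit truncation of HMAC-SHA256 over the 4-tuple, client ISN and time slot."""
    msg = struct.pack(
        "!4sH4sHIB",
        ipaddress.IPv4Address(src_ip).packed, src_port,
        ipaddress.IPv4Address(dst_ip).packed, dst_port,
        client_isn, counter,
    )
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, client_mss, now):
    """Build the 32-bit initial sequence number the server puts in its SYN-ACK.

    Layout: 5-bit time slot | 3-bit MSS index | 24-bit MAC. The server stores nothing.
    """
    counter = (int(now) // SLOT_SECONDS) & 0x1F
    mss_idx = 0  # round the client's MSS down to the largest table entry it allows
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the third-handshake ACK without any stored state.

    seq and ack are the ACK segment's sequence and acknowledgement numbers, so the
    client's ISN is seq-1 and the cookie we issued is ack-1. Returns the MSS to use
    on success, or None if the cookie is forged, stale, or for another 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_slot = (int(now) // SLOT_SECONDS) & 0x1F
    if (now_slot - counter) & 0x1F > 1:  # accept the current and previous slot only
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """A legitimate client completes the handshake; a forged or stale ACK does not."""
    now = 1_700_000_000
    server = ("192.0.2.10", 80)       # constructed addresses (documentation ranges)
    client = ("203.0.113.5", 40000)
    client_isn = 12345
    cookie = make_cookie(*client, *server, client_isn, 1460, now)
    # Client ACK carries seq = ISN+1 and ack = cookie+1 (32-bit wraparound values).
    good = check_cookie(*client, *server, client_isn + 1, (cookie + 1) & 0xFFFFFFFF, now + 10)
    forged = check_cookie(*client, *server, client_isn + 1, 0xDEADBEEF + 1, now + 10)
    stale = check_cookie(*client, *server, client_isn + 1, (cookie + 1) & 0xFFFFFFFF, now + 300)
    return good, forged, stale
```

The cost the paragraph mentions is visible in the code: every SYN and every ACK costs an HMAC, and the cookie has only 24 bits for the MAC and 3 for the MSS, which is why options such as window scaling cannot be carried through.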

FYI: Hashing

A hash value is a number generated from a string of text. The hash is significantly smaller than the text itself and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashing plays a role in security when it is used to ensure that transmitted messages have not been tampered with. To do this, the sending machine generates a hash of the message, encrypts it, and sends it with the message itself. The receiving machine decrypts the hash, creates a second hash from the received message, and compares the two. If they do not match, there is a big problem.


RST Cookies

Another easy method of defeating SYN floods is the RST cookie. The server deliberately sends the client an invalid message, and the client should respond with an RST packet. Because the client sends back a packet notifying the server of the error, the server now knows the client's request is legitimate and can accept incoming connections from that client in the normal fashion. This method has two disadvantages. It might cause problems with Windows 95 machines and with machines that are communicating from behind firewalls.

Stack Tweaking

The stack tweaking procedure involves changing the TCP stack on the server so that it takes less time to time out when the SYN connection is incomplete. This precaution makes it more difficult for a SYN flood to succeed against the target. Unfortunately, for a determined hacker an attack is still possible.

FYI: Stack Tweaking

Stack tweaking is a complicated procedure, and it differs from one operating system to another. The operating system's documentation offers little help on this subject. For these reasons, this method is usually only used by very advanced network administrators.

Smurf IP Attack

The Smurf attack is a very popular version of the DoS attack. An ICMP (Internet Control Message Protocol) packet is sent out to the broadcast address of the network. Because it is a broadcast, all hosts on the network respond by echoing the packet, which is then sent to the forged source address. The forged source address need not be on the local subnet; it can be anywhere on the Internet. If the hacker can continually send such packets, she will cause the network itself to perform a DoS attack on one or more of its member servers. This attack is clever and rather simple. The only problem for the hacker is getting the packets started on the target network. This task can be accomplished via some software, such as a virus or Trojan horse, that will begin sending the packets.

In a Smurf attack, three parties are involved: the attacker, the intermediary (which can also be a victim) and the victim. The attacker first sends the ICMP echo request packet to the intermediary's IP broadcast address. Since this is sent to the IP broadcast address, many of the machines on the intermediary's network will receive this request packet and will send an ICMP echo reply packet back. If enough machines on the network respond to the request, the network suffers an outage.

The attacker impacts the third party, the intended victim, by creating forged packets that contain the spoofed source address of the victim. Therefore, when all the machines on the intermediary's network start replying to the echo request, those replies will flood the victim's network. Thus, the network becomes congested and unusable.

The Smurf attack is an example of the creativity that some malicious parties can employ. It is sometimes viewed as the digital equivalent of the biological process in an auto-immune disorder. With such disorders, the immune system attacks the patient's own body. In a Smurf attack, the network performs a DoS attack on one of its own systems. This method's cleverness illustrates why it is important that you attempt to work creatively and in a forward-thinking manner if you are responsible for system security in your network. The perpetrators of computer attacks are inventive and always coming up with new techniques. If your defense is less creative and clever than the attackers' methods, then it is simply a matter of time before your system is compromised.

There are several ways to protect your system against this problem. One is to guard against Trojan horses; having policies prohibiting employees from downloading applications will help. Also, having adequate virus scanners can go a long way in protecting your system from a Trojan horse and thus from a Smurf attack. It is also imperative that you use a proxy server, which was explained in the previous article. If the internal IP addresses of your network are not known, then it is more difficult to target one in a Smurf attack. Probably the best way to protect your system is to combine these defenses with prohibiting directed broadcasts and patching the hosts to refuse to reply to any directed broadcasts.
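As an added example (not part of the original text), the following Python script shows what the two sides of a Smurf attack look like in flow records and how to detect each one. The flow lines, the internal network 203.0.113.0/24 and the thresholds (five distinct sources within one second) are constructed assumptions. The first check is the intermediary's view: an echo request from outside aimed at our own broadcast address, which is the directed broadcast the text says should be prohibited. The second is the victim's view: one destination receiving echo replies from many distinct hosts in a short window, the amplification signature.

```python
import ipaddress
from collections import defaultdict

# Constructed: the subnet we administer, i.e. the network that would play the
# Smurf "intermediary" if directed broadcasts were allowed in from outside.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records, one per packet: "timestamp src dst proto kind".
# The first seven lines are a Smurf exchange: an echo request from outside to our
# broadcast address, then echo replies from six internal hosts to the spoofed source.
# The remaining lines are ordinary traffic.
SAMPLE_FLOWS = """\
1700000000.000 198.51.100.7 203.0.113.255 icmp echo-request
1700000000.010 203.0.113.10 198.51.100.7 icmp echo-reply
1700000000.011 203.0.113.11 198.51.100.7 icmp echo-reply
1700000000.012 203.0.113.12 198.51.100.7 icmp echo-reply
1700000000.013 203.0.113.13 198.51.100.7 icmp echo-reply
1700000000.014 203.0.113.14 198.51.100.7 icmp echo-reply
1700000000.015 203.0.113.15 198.51.100.7 icmp echo-reply
1700000003.000 203.0.113.20 203.0.113.21 icmp echo-request
1700000003.002 203.0.113.21 203.0.113.20 icmp echo-reply
1700000004.000 203.0.113.20 198.51.100.9 udp -
"""


def parse_flows(text):
    """Turn the text records into (ts, src, dst, proto, kind) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, kind = line.split()
        records.append((float(ts), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), proto, kind))
    return records


def directed_broadcast_requests(records):
    """Intermediary-side check: echo requests aimed at one of our broadcast
    addresses from a source outside that network. A border router configured to
    drop directed broadcasts would never let these reach the hosts."""
    hits = []
    for ts, src, dst, proto, kind in records:
        if proto != "icmp" or kind != "echo-request":
            continue
        for net in INTERNAL_NETS:
            if dst == net.broadcast_address and src not in net:
                hits.append((ts, str(src), str(dst)))
    return hits


def reply_amplification(records, window=1.0, min_sources=5):
    """Victim-side check: a single destination receiving echo replies from at least
    min_sources distinct hosts within `window` seconds. Returns {dst: peak count}."""
    by_dst = defaultdict(list)
    for ts, src, dst, proto, kind in records:
        if proto == "icmp" and kind == "echo-reply":
            by_dst[dst].append((ts, src))
    alerts = {}
    for dst, events in by_dst.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):            # sliding window over arrivals
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {src for _, src in events[start:end + 1]}
            if len(distinct) >= min_sources:
                alerts[str(dst)] = max(alerts.get(str(dst), 0), len(distinct))
    return alerts
```

Run over the sample, the first check reports the single echo request to 203.0.113.255, and the second reports 198.51.100.7 as the target of replies from six distinct hosts; the ordinary ping between .20 and .21 triggers neither.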

UDP Flood Attack

UDP, as you will recall, is a connectionless protocol that does not require any connection setup procedure prior to transferring data. In a UDP flood attack, the attacker sends UDP packets to random ports on a target system. When the target system receives a UDP packet, it automatically determines what application is waiting on the destination port. When there is no application waiting on that port, the target system generates an ICMP "destination unreachable" packet and attempts to send it back to the forged source address. If enough UDP packets are delivered to ports on the target, the system will become overloaded trying to determine the awaiting applications (which do not exist) and then generating and sending packets back.
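The paragraph above identifies the cost that a UDP flood imposes: one ICMP "destination unreachable" reply per packet to a closed port. The usual host-side mitigation is to rate-limit those replies. The following added example (not from the original text) simulates that with an integer token bucket; the open-port set, the flood of 1000 packets in one second and the limiter parameters (10 replies per second, burst of 20) are constructed assumptions.

```python
OPEN_PORTS = {53}  # constructed: the only UDP service this host actually runs


class TokenBucket:
    """Integer token bucket on a millisecond clock. Tokens are kept in thousandths,
    so a rate of rate_per_s tokens/second is exactly rate_per_s units/millisecond
    and no floating-point drift creeps into the accounting."""

    def __init__(self, rate_per_s, burst):
        self.units_per_ms = rate_per_s
        self.capacity = burst * 1000
        self.units = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.units = min(self.capacity, self.units + elapsed * self.units_per_ms)
        self.last_ms = now_ms
        if self.units >= 1000:
            self.units -= 1000
            return True
        return False


def handle_udp(packets, limiter=None):
    """Process (arrival_ms, dst_port) packets in arrival order.

    A packet to a closed port would trigger an ICMP port-unreachable reply; the
    limiter decides how many of those replies the host actually generates.
    """
    stats = {"delivered": 0, "unreachable_sent": 0, "suppressed": 0}
    for arrival_ms, port in sorted(packets):
        if port in OPEN_PORTS:
            stats["delivered"] += 1
        elif limiter is None or limiter.allow(arrival_ms):
            stats["unreachable_sent"] += 1
        else:
            stats["suppressed"] += 1
    return stats


# Constructed flood: 1000 packets in one second to pseudo-random closed ports
# (all >= 1024, so none hits the DNS port), plus one legitimate DNS query.
FLOOD = [(ms, 1024 + (ms * 7919) % 40000) for ms in range(1000)] + [(500, 53)]


def run_comparison():
    """Same flood with and without a limiter; the legitimate query is delivered either way."""
    unlimited = handle_udp(FLOOD)
    limited = handle_udp(FLOOD, TokenBucket(rate_per_s=10, burst=20))
    return unlimited, limited
```

Without the limiter the host answers all 1000 bogus packets; with it, the burst absorbs the first 20 and the refill allows 9 more over the remaining second, so 29 replies go out and 971 are suppressed while the real DNS query is still delivered. Linux exposes the same idea through the net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask sysctls.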

ICMP Flood Attack

There are two basic types of ICMP flood attacks: floods and nukes. An ICMP flood is usually accomplished by broadcasting a large number of either pings or UDP packets. Like other flood attacks, the idea is to send so much data to the target system that it slows down. If it can be forced to slow down enough, the target will time out (not send replies fast enough) and be disconnected from the Internet. ICMP nukes exploit known bugs in specific operating systems. The attacker sends a packet of information that he knows the operating system on the target system cannot handle. In many cases, this will cause the target system to lock up completely.

The Ping of Death (PoD)

TCP packets are of limited size. In some cases simply sending a packet that is too large can shut down a target machine. This action is referred to as the Ping of Death (PoD). It works simply by overloading the target system. The hacker sends merely a single ping, but he does so with a very large packet and thus can shut down some machines.

This attack is quite similar to the classroom example discussed in the previous article. The aim in both cases is to overload the target system and cause it to quit responding. PoD works to compromise systems that cannot deal with extremely large packet sizes. If successful, the server will actually shut down completely. It can, of course, be rebooted.

The only real safeguard against PoD is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities in the way a particular operating system (or application) handles abnormally large TCP packets. When such vulnerabilities are discovered, it is customary for the vendor to release a patch. The possibility of PoD is one reason, among many, why you must keep patches updated on all of your systems.

Teardrop Attack

In a teardrop attack, the attacker sends a fragmented message. The two fragments overlap in ways that make it impossible to reassemble them properly without destroying the individual packet headers. Therefore, when the victim attempts to reconstruct the message, the message is destroyed. This causes the target system to halt or crash. There are a number of variations on the basic teardrop attack, such as TearDrop2, Boink, targa, Nestea Boink, NewTear and SYNdrop.
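Both the Ping of Death and the teardrop attack above are failures of fragment reassembly: one trusts the total size, the other trusts the offsets. The following added example (not from the original text, and not any real stack's code) is a Python reassembler that validates fragments before copying them, so an overlapping, gapped or oversize datagram is rejected with a reason instead of corrupting memory. Offsets are expressed in bytes rather than the 8-byte units of the real IP header, and the fragment sets at the bottom are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by all fragments of one datagram
    offset: int      # offset of this payload within the datagram, in bytes (assumption)
    payload: bytes
    more: bool       # the MF (more fragments) flag; False only on the final fragment


class ReassemblyError(ValueError):
    """Raised with one of: malformed, overlap, gap, oversize."""


MAX_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits


def reassemble(fragments, max_size=MAX_DATAGRAM):
    """Reassemble the fragments of one datagram, checking every offset against the
    data already received instead of trusting the header values."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags or len({f.ident for f in frags}) != 1:
        raise ReassemblyError("malformed")
    if sum(1 for f in frags if not f.more) != 1 or frags[-1].more:
        raise ReassemblyError("malformed")
    buf = bytearray()
    for f in frags:
        if f.offset < len(buf):
            # Teardrop: the fragment claims to start inside data we already hold.
            # A naive stack computes (end - offset) here and gets a negative length.
            raise ReassemblyError("overlap")
        if f.offset > len(buf):
            # Fragments are still missing; a real stack would hold these on a timer.
            raise ReassemblyError("gap")
        buf += f.payload
        if len(buf) > max_size:
            # Ping of Death: the reassembled datagram exceeds what IP can describe.
            raise ReassemblyError("oversize")
    return bytes(buf)


def classify(fragments, max_size=MAX_DATAGRAM):
    """Return "ok" or the rejection reason; convenient for logging and testing."""
    try:
        reassemble(fragments, max_size)
        return "ok"
    except ReassemblyError as err:
        return str(err)


# Constructed samples.
LEGIT = [Fragment(1, 0, b"A" * 16, True), Fragment(1, 16, b"B" * 8, False)]
TEARDROP = [Fragment(2, 0, b"A" * 36, True), Fragment(2, 24, b"C" * 4, False)]
GAP = [Fragment(3, 0, b"A" * 16, True), Fragment(3, 32, b"B" * 8, False)]
OVERSIZE = [Fragment(4, 0, b"y" * 65520, True), Fragment(4, 65520, b"x" * 24, False)]


def demo():
    """Classify each constructed sample."""
    return {name: classify(frags) for name, frags in
            [("legit", LEGIT), ("teardrop", TEARDROP), ("gap", GAP), ("oversize", OVERSIZE)]}
```

The teardrop sample is the classic shape: a first fragment of 36 bytes followed by a "last" fragment whose offset (24) lies inside the first and whose end (28) falls before the first fragment's end, which is exactly the case a length computed as end minus offset mishandles.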

Land Attack

A land attack is probably the simplest in concept. The attacker sends a forged packet with the same source IP address and destination IP address (the target’s IP address). The method is to drive the target system “crazy” by having it attempt to send messages to and from itself. The victim system will often be confused and will crash or reboot.

Echo / Chargen Attack

The character generator (Chargen) service was designed primarily for testing purposes. It simply generates a stream of characters. In an echo/chargen attack, this service is abused by attackers to exhaust the target system's resources. The attacker accomplishes this by creating a spoofed network session that appears to come from the local system's echo service and is pointed at the chargen service to form a "loop". This session causes huge amounts of data to be passed in an endless loop, and the constant looping places a heavy load on the system. Alternately, if the spoofed session is pointed at a system's echo service, it will cause heavy network traffic that slows down the target's network.
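The land attack and the echo/chargen loop share a defensive answer: both can be recognised from the packet header alone at the network border. The following added example (not from the original text) is a small Python ingress filter that applies those checks to constructed packets. The hosts, ports and packet list are assumptions; the filter also drops any inbound packet that claims one of our own addresses as its source, which goes slightly beyond the text but is the same forged-source principle the land attack relies on.

```python
from collections import Counter
from dataclasses import dataclass

ECHO_PORT, CHARGEN_PORT = 7, 19
SMALL_SERVICES = {ECHO_PORT, CHARGEN_PORT}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""   # TCP flags as letters, e.g. "S" for SYN


def drop_reason(pkt, protected_hosts):
    """Classify an inbound packet arriving on the external interface.

    Returns None to accept, or one of "land", "loop", "small-service", "spoof".
    """
    if pkt.src_ip == pkt.dst_ip:
        return "land"            # a host asked to talk to itself from outside
    if (pkt.proto == "udp" and pkt.src_port in SMALL_SERVICES
            and pkt.dst_port in SMALL_SERVICES):
        return "loop"            # echo <-> chargen ping-pong
    if pkt.dst_port in SMALL_SERVICES:
        return "small-service"   # echo/chargen should not be reachable from outside
    if pkt.src_ip in protected_hosts:
        return "spoof"           # our own address cannot legitimately arrive inbound
    return None


def filter_packets(packets, protected_hosts):
    """Return (accepted packets, Counter of outcomes including "accepted")."""
    accepted, outcomes = [], Counter()
    for pkt in packets:
        reason = drop_reason(pkt, protected_hosts)
        if reason is None:
            accepted.append(pkt)
            outcomes["accepted"] += 1
        else:
            outcomes[reason] += 1
    return accepted, outcomes


# Constructed: our servers and a handful of inbound packets.
PROTECTED_HOSTS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", 139, "192.0.2.10", 139, "S"),    # land
    Packet("udp", "192.0.2.10", ECHO_PORT, "192.0.2.11", CHARGEN_PORT),  # echo/chargen loop
    Packet("udp", "198.51.100.4", 5555, "192.0.2.11", CHARGEN_PORT),     # chargen from outside
    Packet("tcp", "198.51.100.4", 40000, "192.0.2.10", 443, "S"),        # legitimate HTTPS
    Packet("tcp", "192.0.2.11", 40001, "192.0.2.10", 443, "S"),          # forged internal source
]


def run_sample():
    _, outcomes = filter_packets(SAMPLE_PACKETS, PROTECTED_HOSTS)
    return dict(outcomes)
```

Of the five constructed packets only the HTTPS SYN from 198.51.100.4 is accepted. Turning off the echo and chargen services on the hosts themselves is still the better fix; the filter is the layer that protects machines whose configuration you do not control.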

