Abstract. Introduction. Section I. What is Denial of Service Attack?

Transcription

1 Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss and compare various mechanisms of detecting different types of DoS attacks. The report elaborates the causes of various types of DoS attacks. Introduction A denial of service (DoS) attack is an attack in which one user takes up so much of a shared resource that none of the resource is left for other users. Denial of service attacks compromise the availability of the resources. The result is degradation or loss of service. Section I explains DoS attacks with an analogy. Section II broadly categorizes DoS attacks and Section III discusses each type of attack under above mentioned categories. What is Denial of Service Attack? Section I DoS attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service [1]. Some of the examples of DoS attacks are: 1. Flooding a network, thereby preventing legitimate network traffic. 2. Disrupting connections between two machines, thereby preventing access to a service. 3. Preventing a particular individual from accessing a service. 4. Disrupting service to a specific system or person. To understand DoS attacks, let us consider an analogy [2]: It is often observed that on weekends and on major holidays that sometimes if we try to make a telephone call, we could not because all the telephone circuits are busy. The reason you couldn't get through is because the telephone system is designed to handle a limited number of calls at a time. Imagine that if an intruder wants to attack the telephone system and makes the system unusable by telephone customers, how would he do this? One simple way would be to make call after call in an attempt to make all circuits busy. This type of attack is called DoS, attack. In essence, the intruder has caused the telephone system to deny service to its customers. Computer systems can also suffer DoS attacks. For example, sending an extraordinary amount of electronic mail to someone could fill the computer disk where mail resides. This means that people who use the computer with the full disk cannot receive any new until the situation changes. In addition, intruders have turned their efforts toward denying people the services provided by networked computers. Examples of frequently attacked services are the World Wide Web, file sharing services and the Domain Name Service. To deny these services to prospective users of a computer service, intruders run specially written computer programs that send extraordinary volumes of Internet "calls" to one of the computers that provides that service, similar to the way that an intruder can tie up the telephone system. When a computer answers such a call, most often there's no one on the other end, so answering the call turned out to be a waste of time. Unfortunately, the attacked service cannot tell this in advance, so it has to answer all calls placed to it. 1

2 Section II Categories of DoS Attacks A denial-of-service attack appears in multiple forms and targets variety of services. There are three broad categories of types of attack [3]: Consumption of Scarce Resources: Bandwidth Consumption: Destructive: Attacks which degrade the ability of the device to function, such as opening many simultaneous connections to the single device. Attacks which attempt to engulf the bandwidth capacity of the network device. Attacks which destroy the ability of the device to function, such as deleting or changing configuration information or power interruptions. This report focuses the first two categories of attacks and their associated types. The section that follows describes some common types of attacks under each category. Types of Attacks Section III Category 01: Consumption of scarce resources Computers and networks need certain resources to operate efficiently. Some of the resources are network bandwidth, memory and disk space, CPU time, data structures and access to other computers and networks [4]. 1. Network Connectivity DoS attacks most frequently aim at preventing the hosts from communicating on the network. The attacker establishes a connection with the machine in such a form that the connection is never completed. This leads reserving the data structures by the victim machine for the completion of the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus connections. This form of attack brings to front the weakness in the TCP/IP protocol. Example of the above form of attack is SYN flooding. a. SYN Flooding Any system connected to the Internet and providing TCP based network services (such as a Web server, FTP server, or mail server) is vulnerable to this attack. When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages [5]. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The 2

3 connection between the client and the server is then open, and the service - specific data can be exchanged between the client and the server. The view of the message flow is shown in Figure 01: SYN SYN ACK ACK Client Figure 01 Server The problem arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is called a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially - open connections. Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system. The half-open connections data structure on the victim server system will eventually fill, thus making the system unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IPspoofed packets requesting new connections faster than the victim system can expire the pending connections. In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections or the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative. The location of the attacking system is hidden because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering. 3

4 2. Consuming System Resources These kinds of attacks are targeted at the consumption of the resources of system there by either slowing them down or making them totally inoperative. The hacker may also generate innumerable error message that need to be logged there by affecting the disk space or by attacking the Data structures that store the process information or other critical data. Some of the examples of this from of DOS include Ping of Death and Tear Drop Attacks. a. Ping of Death Attack Ping of Death is related to the Packet Internet Groper (Ping) that tests a TCP network by sending an echo request, expecting a reply. The Ping of Death DoS attack uses a test packet larger than allowed. It uses a ping system utility to create an IP packet exceeding the maximum of 65,536 bytes of data allowed by the IP specification. This oversized packet is sent to the victim. Systems in response to this crash, hang, or reboot. This attack is now obsolete and almost all OS vendors have fixes in place to handle the oversize packets. b. Teardrop Attack This attack exploits the weaknesses in the reassembly of IP packet fragments that is needed if a packet is too large for the next router to handle. An IP packet may be broken up into smaller chunks by the routers if the MTU (Maximum Transfer Unit) supported by the link is less than the packet size. Each fragment looks like the original IP packet except that it contains an offset field that specifies the offset from the beginning of the packet, that is zero. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination hosts, some systems crash, hang, or reboot if the destination hosts operating system does not cater for this situation. 3. Consuming Other Resources An intruder may also attempt to consume resources in some of the following manners [6]: a. Hogging Host system hogging involves running a program on the attacked system that ties up its CPU. This generally results in the operating system crashing, which takes down the entire system. b. Mail bombs bombing is characterized by intruders repeatedly sending an message to a particular address at a specific victim site. In many instances, the messages will be large and meaningless data, and will consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact. spamming, a variant of bombing, refers to sending to hundreds or thousands of users. spamming can be made worse if recipients reply to the , causing all the original addressees to receive the reply. It may also occur 4

5 innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users. bombing/spamming may be combined with spoofing, which alters the identity of the account sending the , making it more difficult to determine who actually sent the . c. Rogue Applets Rogue applets are used to attack users rather than servers. Hostile applets embedded in Web pages, when downloaded and run, can put a user's system into an infinite loop that requires a restart to end the looping. Category 02: Consumption of Bandwidth In this form of an attack the intruder is able to consume all the available bandwidth on the network by generating a large number of packets directed at the network using ICMP ECHO packets. Examples of the above form of attack are Smurf Attacks and UDP Flooding. 1. Smurf Attacks The Smurf attack is a brute-force attack targeted at a feature in the IP specification known as direct broadcast addressing. A Smurf intruder floods the router with Internet Control Message Protocol (ICMP) echo request packets (pings). The destination IP address of each packet is the broadcast address of the target network. The router broadcasts the ICMP echo request packet to all hosts on the network. This creates a large amount of ICMP echo request and response traffic. Figure 02 5

6 The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses [7]. The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a machine. If a machine receives that packet, that machine will return an ICMP echo reply packet. A common implementation of this process is the "ping" command, which is included with many operating systems and network software packages. ICMP is used to convey status and error information including notification of network congestion and of other network transport problems. ICMP can also be a valuable tool in diagnosing host or network problems. On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic). IP broadcast addresses are usually network addresses with the host portion of the address having all one bits. For example, the IP broadcast address for the network is If class A network is subnetted into 256 subnets, the IP broadcast address for the subnet would be Network addresses with all zeros in the host portion, such as , can also produce a broadcast response. In the smurf attack, attackers are using ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim (intermediary can also be a victim). The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages. When the attackers create these packets, they do not use the IP address of their own machine as the source address. Instead, they create forged packets that contain the spoofed source address of the attacker's intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable. Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can the subsequently be used as intermediaries in attacks. Figures 02 and 03 depict Smurf attacks. 6

7 SYN Intermediate Systems SYN ACK ACK Intruder Victim Figure UDP Flooding The User Data gram Protocol (UDP) Flood denial-of-service attack links two unsuspecting systems. By spoofing, the UDP Flood attack hooks up one system's UDP service that generates a series of characters for each packet it receives, with another system's UDP echo service, which echoes any character it receives. As a result, a nonstop flood of useless data passes between the two systems [8]. When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed. For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network. Spoofed request chargen echo Intruder Figure 04 Victim 7

8 References [1] [2] [3] [4] [5] [6] [7] [8] 8