The "No Network is 100% Secure" series
- Denial of Service (DoS) Attack -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is a denial of service (DoS) attack?: A DoS attack is an attempt to deny legitimate users the service of a particular computing resource. When the flood is generated by many machines at once it is called a Distributed DoS (DDoS) attack; the "Ping of Death" sometimes mentioned in the same breath is one specific, older DoS technique, not a synonym for DoS as a whole. Typically, DoS attacks are targeted at high-profile web servers such as Microsoft's, banks, e-commerce sites and so on. Other services such as mail servers may be attacked as well, although this is less common; flooding a mail server is known as "mail bombing" and overlaps with SPAMMING attacks. Any IP-addressable device, including routers and DNS name servers, can be targeted. Attacks can be launched from wired networks acting in a distributed, coordinated manner (the most common method) or via wireless technology. Essentially, a DoS attack floods the target with more packets or requests than it can handle, reducing the victim's performance to the point where it is effectively inoperable.

Denial-of-service attacks can also cause problems in the LAN/WAN connecting to the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, affecting service and performance not only on the targeted computer but on every host behind that router. If an attack is conducted on a sufficiently large scale, connectivity for entire geographical regions of the Internet can be affected.

A common method of attack involves saturating the target (victim) machine with communications requests, such as pings or connection requests to TCP ports 25, 80 or 443, such that the server cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. DoS attacks are often initiated by "script kiddies", techno-geeks with too much time on their hands who run attack tools written by others. DoS attacks are generally performed with malicious intent (or just for the fun of causing trouble) rather than for financial, espionage or theft motives. However, cases of blackmailing potential victims with the threat of an attack are not unheard of. It should be noted that during the 2008 South Ossetia war, a DDoS attack against Georgian Government sites rendered several Government servers inoperable for 24 hours (see the incidents section below). In addition, there is speculation that "terrorists" may start using DoS techniques sometime in the near future.

Computers that have been previously infected with a virus or other malware and can now be controlled remotely as a "bot" or "zombie" are frequently used to deliver DoS attacks. Additionally, there is a wide array of programs available that can be used to launch DoS attacks. Most of these programs are focused entirely on performing DoS attacks, while others are general-purpose packet injectors that are able to perform other tasks as well.

A permanent denial-of-service (PDoS), also known as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike a DDoS, a PDoS attack exploits security flaws in the remote management interfaces of the victim's hardware, be it routers, printers or other networking equipment. These flaws leave the door open for an attacker to remotely 'update' the device firmware to a modified, corrupt or defective firmware image, bricking the device and making it permanently unusable for its original purpose. The PDoS is a purely hardware-targeted attack which can be much faster and more destructive, and requires far fewer resources, than using a botnet in a DDoS attack. Because of these features, and the potential for (and high probability of) security exploits in Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacker communities such as Hack a Day. PhlashDance is a tool created by Rich Smith, an employee of Hewlett-Packard's Systems Security Lab, used to detect and demonstrate PDoS vulnerabilities.

What can be done to defend against DoS attacks? Unfortunately, not a lot. Major web sites and networks have been brought to their knees by even primitive DoS attacks. There are a few niche products with limited abilities to reduce the effects of certain types of attacks, but for the most part there is no magic pill to immunize a network against this class of attack.

Establishing a schedule for periodically checking for firmware updates for devices susceptible to "phlashing" attacks and signing up for CERT bulletins would certainly be a good first step. Having proactive monitoring (such as a NOC) in place will help to quickly identify that an attack is under way. A well-designed NOC will provide the NOC Techs with enough information to identify the type of attack that is under way and may even have tools to stop or at least abate it. IMO, there is nothing worse than learning about IT outages from customers!

Having an independent consulting group such as Easyrider LAN Pro perform a security audit on your network will at least help to identify where you are most exposed. The first step in plugging vulnerability holes is first knowing where the holes are.

The easiest way to survive an attack is to plan for the attack well in advance. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route to the Internet (perhaps DSL) is not extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. There are also products available that can simulate a DoS attack which can be helpful in testing your defense strategy.

Filtering is often ineffective, since the route to the filter will normally be swamped so that only a trickle of traffic survives; a filter can only help if the flood is smaller than the link feeding it, otherwise the filtering has to move upstream to the ISP. That said, a resilient stateful packet filter that can cheaply drop unwanted packets makes surviving a DoS attack somewhat easier, and there are firewalls, routers and switches available that offer some measure of resilience against at least some modes of attack. But many DoS attacks are much too complex for common defense mechanisms like firewalls to handle. For example, a firewall cannot tell a "good" HTTP request from a "bad" one on the basis of the packet alone: a flood aimed at port 80 of a web server looks like ordinary web traffic and would most likely sail right through most firewalls, switches and routers. In addition, even if a device drops a packet on the floor, doing so still consumes CPU cycles, and the packet has already consumed bandwidth on the inbound link. Check Point, Juniper and Cisco PIX are several products that do have helpful DoS-fighting features that "throttle" incoming traffic. However, these schemes usually just stop all incoming traffic once a DoS attack is detected. This protection method still denies service to legitimate users, which is not always helpful as far as maintaining service availability is concerned.
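The difference between a throttle that cuts off everything and one that caps each sender separately is easy to see in a simulation. The following Python script is an added example for this white paper, not vendor code from any of the products named above. Its traffic is entirely constructed (one attacker at 2,000 requests per second, one legitimate client at one request per second, for ten seconds, both using documentation addresses), and the bucket sizes and rates are illustrative assumptions.

```python
"""Shared vs. per-source rate limiting under a single-source flood.

Added example for this white paper, not vendor code. All traffic below is
constructed: one attacker at 2,000 requests/s, one legitimate client at
1 request/s, for ten seconds. Addresses come from documentation ranges.
"""
from collections import defaultdict

ATTACKER = "198.51.100.9"   # constructed flood source
CLIENT = "203.0.113.7"      # constructed legitimate client


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill up to `capacity`."""

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, then spend one token if one is available.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_traffic(seconds=10):
    """(time, source) events: a 2,000/s flood plus a 1/s legitimate client."""
    events = [(i * 0.0005, ATTACKER) for i in range(seconds * 2000)]
    # Offset the client so it never shares a timestamp with a flood packet.
    events += [(k + 0.77777, CLIENT) for k in range(seconds)]
    events.sort()
    return events


def simulate(events, make_bucket, per_source):
    """Count served requests per source under a shared or a per-source limit."""
    shared = make_bucket()
    buckets = {}
    served = defaultdict(int)
    for now, src in events:
        if per_source:
            if src not in buckets:
                buckets[src] = make_bucket()
            bucket = buckets[src]
        else:
            bucket = shared
        if bucket.allow(now):
            served[src] += 1
    return dict(served)


def demo():
    events = build_traffic()
    # One limit for the whole interface: 100 req/s, burstable to 100.
    shared = simulate(events, lambda: TokenBucket(100, 100), per_source=False)
    # One limit per source address: 10 req/s, burstable to 20.
    per_src = simulate(events, lambda: TokenBucket(20, 10), per_source=True)
    return {"shared": shared, "per_source": per_src}


if __name__ == "__main__":
    for policy, counts in demo().items():
        print(f"{policy:10s} client served={counts.get(CLIENT, 0):3d}/10  "
              f"attacker served={counts.get(ATTACKER, 0)}/20000")
```

Under the shared limit the attacker drains the bucket within the first few hundredths of a second and every legitimate request afterwards is dropped, which is exactly the "denies service to legitimate users" outcome described above. The per-source limit keeps the client fully served while capping the attacker, but only because the flood comes from one real address: a flood with randomised forged sources defeats per-source limits and turns the per-source table itself into something an attacker can exhaust, so a real filter must bound that table.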


How many types of DoS attacks are there?: Providing detailed explanations about all of the many attack types that are out there is beyond the scope of this white paper. However, I will briefly outline some of the more common ones. Some DoS attacks include the execution of malware code. These variants are discussed in the virus white paper.

ICMP flood: Smurf attack, Ping flood, and Ping of death. A Smurf attack relies on misconfigured network devices that forward packets sent to the broadcast address of a network (a "directed broadcast") rather than to a specific machine, so that the network serves as a Smurf amplifier. The perpetrator sends a stream of ICMP echo requests to the broadcast address with the source address forged to appear to be that of the victim; every host on the amplifier network answers with an echo reply addressed to the victim, multiplying the attacker's traffic by the number of responding hosts. The victim's bandwidth is quickly used up, preventing legitimate packets from getting through. The Ping of death is different in kind: it is a single malformed, oversized ICMP packet (larger than the 65,535-byte IP maximum once its fragments are reassembled) that crashed the IP stacks of many 1990s operating systems. Modern systems are patched against it, but the name is still used loosely for any ping-based attack.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually by directing hundreds or even thousands of "botnet" infected computers to coordinate an attack. It is very simple to launch. The primary requirement is having access to greater bandwidth than the victim.

SYN flood sends a flood of TCP SYN packets, often with forged sender addresses. Each of these packets is a connection request. The victim server records a half-open connection, sends back a TCP SYN-ACK and waits for the final ACK, which never comes because the sender address is forged or unreachable. These half-open connections fill the server's connection backlog, preventing it from accepting legitimate requests until the entries time out or the attack ends. Modern TCP stacks mitigate this with SYN cookies, which encode the connection state in the SYN-ACK's sequence number instead of storing it, so the backlog cannot be exhausted by SYNs that are never completed.
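To show why a half-open connection table fails under a SYN flood and a SYN cookie does not, here is an added Python model of the handshake bookkeeping (example code for this white paper, not any operating system's TCP implementation). It uses no sockets; every packet is a constructed tuple. The backlog size, the cookie layout (an 8-bit time slot plus a 24-bit truncated HMAC), the slot length and the secret are assumptions for illustration; real stacks also fold negotiated options such as MSS into the cookie.

```python
"""Half-open connection table vs. SYN cookies under a spoofed SYN flood.

Added example for this white paper; it models handshake bookkeeping only,
with no sockets. Every packet below is a constructed tuple. The backlog
size, cookie layout (8-bit time slot + 24-bit MAC) and secret are assumed
for illustration; real stacks also encode negotiated options in the cookie.
"""
import hashlib
import hmac
import random

BACKLOG_LIMIT = 128                   # assumed half-open table size
SECRET = b"assumed per-boot secret"   # a real stack draws this randomly
SLOT_SECONDS = 64                     # assumed cookie validity granularity
MASK32 = 0xFFFFFFFF


class BacklogServer:
    """Classic TCP: store one table entry per SYN until the ACK arrives."""

    def __init__(self):
        self.half_open = {}           # (src_ip, src_port) -> our ISN
        self.dropped = 0

    def on_syn(self, src_ip, src_port, now):
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped += 1         # table full: this SYN gets no SYN-ACK
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn                    # our ISN goes out in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == (isn + 1) & MASK32


class CookieServer:
    """SYN cookies: encode the state in our ISN instead of storing it."""

    @staticmethod
    def _mac(src_ip, src_port, slot):
        msg = f"{src_ip}|{src_port}|{slot}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, src_ip, src_port, now):
        slot = (now // SLOT_SECONDS) & 0xFF
        mac = int.from_bytes(self._mac(src_ip, src_port, slot), "big")
        return (slot << 24) | mac     # nothing is remembered per SYN

    def on_ack(self, src_ip, src_port, ack_num, now):
        isn = (ack_num - 1) & MASK32  # the client acknowledges our ISN + 1
        slot, mac = isn >> 24, (isn & 0xFFFFFF).to_bytes(3, "big")
        age = ((now // SLOT_SECONDS) - slot) & 0xFF
        if age > 1:                   # cookie older than two slots: reject
            return False
        return hmac.compare_digest(mac, self._mac(src_ip, src_port, slot))


def flood_then_connect(server, spoofed_syns, client, now=1000):
    """Send a spoofed flood that never completes, then one honest handshake."""
    for ip, port in spoofed_syns:
        server.on_syn(ip, port, now)  # SYN-ACKs go to forged addresses
    isn = server.on_syn(client[0], client[1], now)
    if isn is None:
        return False                  # honest client never got a SYN-ACK
    return server.on_ack(client[0], client[1], (isn + 1) & MASK32, now + 1)


def demo(n_spoofed=10_000, seed=1):
    rng = random.Random(seed)
    spoofed = [(f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
               for _ in range(n_spoofed)]      # constructed forged sources
    client = ("203.0.113.7", 40000)            # constructed honest client
    return {
        "backlog_serves_client": flood_then_connect(BacklogServer(), spoofed, client),
        "cookie_serves_client": flood_then_connect(CookieServer(), spoofed, client),
    }


if __name__ == "__main__":
    print(demo())
```

The backlog server stops answering once 128 forged SYNs are outstanding, so the honest client never receives a SYN-ACK. The cookie server stores nothing, answers every SYN, and still completes only handshakes whose ACK carries a cookie it really issued for that address and port within the last two time slots; a forged or replayed ACK fails the HMAC or the age check.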

Peer-to-peer attacks are different from regular botnet-based attacks. In this method, the attacker instructs the clients of large peer-to-peer hubs to disconnect from their peer-to-peer network and connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderate-size peer-to-peer attack a site could potentially be hit with a million or more connections in short order. While peer-to-peer attacks are easy to identify with signatures (assuming that logs are being actively monitored), the large number of IP addresses that need to be blocked means that this type of attack can overwhelm mitigation defenses. And even if a mitigation device can block all of the attacking IP addresses, there are other problems to consider. For example, there is a period of time after the connection is opened on the server side but before the signature itself comes through; mitigation cannot start until the identifying signature is detected and the connection torn down. And just tearing down thousands of connections every second consumes resources that can significantly slow down service performance.

Reflected attack is a distributed denial of service attack (DDoS) that involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using IP spoofing, the source address is set to that of the targeted victim, which means all the replies go to (and flood) the target. When the reply is larger than the request, as with DNS, the reflectors also amplify the attack. Many services can be exploited to act as reflectors, and some are harder to block than others; the packets arriving at the victim carry the reflectors' genuine addresses rather than the attacker's, so blocking them punishes third parties and never reaches the real source.
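Both the Smurf attack described earlier and the reflected attack above have the same tell-tale at the victim: replies to requests the victim never sent. The amplifier network, meanwhile, sees echo requests to its own broadcast address arriving from an address that is not on the network. The following Python script, an added example for this white paper rather than part of any product, runs both checks over constructed packet records; a real deployment would pull the same few fields (source, destination, packet kind, ICMP identifier or DNS transaction ID) from pcap or flow exports. All addresses come from documentation and benchmarking ranges.

```python
"""Spotting Smurf amplification and reflected replies in packet records.

Added example for this white paper, not a product feature. Packets are
constructed dicts with the few fields needed (src, dst, kind, id); a real
deployment would pull the same fields from pcap or flow exports. The two
checks show where each side of the attack is visible: the abused network
sees echo requests to its broadcast address from an outside source, and
the victim sees replies to requests it never sent.
"""
import ipaddress
from collections import defaultdict

VICTIM = "203.0.113.7"                        # constructed victim address

REPLY_TO_REQUEST = {"echo-reply": "echo-request", "dns-response": "dns-query"}


def directed_broadcast_abuse(packets, local_net):
    """Amplifier side: echo requests to our broadcast address from off-net sources.

    Returns {claimed_source: count}. The claimed source is the real victim,
    since every host on local_net will answer it.
    """
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(int)
    for p in packets:
        if (p["kind"] == "echo-request"
                and ipaddress.ip_address(p["dst"]) == net.broadcast_address
                and ipaddress.ip_address(p["src"]) not in net):
            hits[p["src"]] += 1
    return dict(hits)


def unsolicited_replies(packets, our_ip):
    """Victim side: replies that match no outstanding request of ours.

    Requests are keyed by (peer, kind, id): the ICMP identifier for ping and
    the transaction ID for DNS. Returns {reply_kind: [reflector, ...]}.
    """
    pending = set()
    unsolicited = defaultdict(list)
    for p in packets:
        if p["src"] == our_ip and p["kind"] in REPLY_TO_REQUEST.values():
            pending.add((p["dst"], p["kind"], p["id"]))
        elif p["dst"] == our_ip and p["kind"] in REPLY_TO_REQUEST:
            key = (p["src"], REPLY_TO_REQUEST[p["kind"]], p["id"])
            if key in pending:
                pending.discard(key)      # legitimate answer to our request
            else:
                unsolicited[p["kind"]].append(p["src"])
    return dict(unsolicited)


def summarize(unsolicited):
    """Per reply kind: volume, distinct reflectors, and how many /24s they span.

    Many reflectors in one /24 is the Smurf signature (one amplifier network);
    reflectors scattered across many networks points at a reflection attack.
    """
    report = {}
    for kind, sources in unsolicited.items():
        nets = {ipaddress.ip_network(f"{s}/24", strict=False) for s in sources}
        report[kind] = {"replies": len(sources),
                        "reflectors": len(set(sources)),
                        "networks": len(nets)}
    return report


def build_victim_capture():
    """Constructed traffic as seen at the victim: two honest exchanges plus floods."""
    pkts = [{"src": VICTIM, "dst": "198.51.100.1", "kind": "echo-request", "id": 7},
            {"src": "198.51.100.1", "dst": VICTIM, "kind": "echo-reply", "id": 7},
            {"src": VICTIM, "dst": "198.51.100.53", "kind": "dns-query", "id": 0x1A2B},
            {"src": "198.51.100.53", "dst": VICTIM, "kind": "dns-response", "id": 0x1A2B}]
    # Smurf: every host on 192.0.2.0/24 answers a ping we never sent.
    pkts += [{"src": f"192.0.2.{h}", "dst": VICTIM, "kind": "echo-reply", "id": 999}
             for h in range(1, 255)]
    # DNS reflection: resolvers in many different networks answer forged queries.
    pkts += [{"src": f"198.18.{n}.53", "dst": VICTIM, "kind": "dns-response", "id": n}
             for n in range(40)]
    return pkts


def build_amplifier_capture():
    """Constructed traffic as seen on the abused 192.0.2.0/24 network."""
    return [{"src": VICTIM, "dst": "192.0.2.255", "kind": "echo-request", "id": 999}
            for _ in range(25)]


if __name__ == "__main__":
    print(directed_broadcast_abuse(build_amplifier_capture(), "192.0.2.0/24"))
    print(summarize(unsolicited_replies(build_victim_capture(), VICTIM)))
```

The victim-side report separates the two patterns by how the reflectors cluster: 254 echo replies from 254 hosts in a single /24 is a network being used as a Smurf amplifier, while 40 DNS responses from 40 different networks is a reflection attack through open resolvers. The amplifier-side check is the one the owner of the abused network can act on, by refusing to forward directed broadcasts at the border router.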

Degradation-of-service attack "Pulsing" zombies are compromised computers that are directed to launch intermittent and short-lived floods of victim websites with the intent of merely slowing them rather than crashing them. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie floods and can disrupt and hamper connections to websites for prolonged periods of time, potentially causing more damage than concentrated floods. Degradation-of-service attacks are complicated further by the difficulty of discerning whether the attacks really are attacks or just healthy, and likely desired, increases in website traffic.

Unintentional attack describes a situation where a website ends up unavailable, not due to a deliberate attack, but simply due to a sudden enormous spike in legitimate popularity.

Denial-of-Service Level II The goal of a DoS Level II (possibly distributed) attack is to trigger a defense mechanism into blocking the network segment from which the attack appears to originate. With a distributed attack or forged IP headers, this can cause the defense itself to cut the attacked network off from the Internet, without any system crashing.


A few high visibility incidents:

The first major attack involving DNS servers as reflectors occurred in January 2001. The target was Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS records that were a year old at the time of the attack.

In February, 2001, the Irish Government's Department of Finance server was hit by a denial of service attack carried out as part of a student campaign from NUI Maynooth. The Department officially complained to the University authorities and a number of students were disciplined.

In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS related attacks, including an optimized form of a reflection attack.

On two occasions to date, attackers have performed DNS Backbone DDoS Attacks on the DNS root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers.

In February 2007, more than 10,000 online game servers in games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by "RUS" hacker group. The DDoS attack was made from more than a thousand computer units located in the republics of the former Soviet Union, mostly from Russia, Uzbekistan and Belarus. Minor attacks are still continuing to be made today.

In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack directed at Georgian government sites containing the message: "win+love+in+Rusia" effectively overloaded and shut down multiple Georgian servers. Websites targeted included the Web site of the Georgian president, Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank of Georgia. While heavy suspicion was placed on Russia for orchestrating the attack through a proxy, the St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N, the Russian government denied the allegations, stating that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

Next in the security white paper series:

Firewall White Paper
Virus White Paper
SPAM White Paper
Best Practices White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Shelfware White Paper


Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro