December 19, 2013

3.2.3 DoS

DoS

A denial-of-service (DoS) attack is one where an attacker attempts to prevent legitimate users from accessing information or services. By targeting the computer and its network connection, an attacker may be able to prevent normal access to email, web sites, online accounts (banking, etc.), or other services that run on the affected systems.

In a denial-of-service attack, a resource such as a web server is flooded with bogus requests, overwhelming the system so that legitimate requests are not serviced. In the worst case the system exhausts memory or some other critical resource and crashes, but service has been denied long before that point.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you enter a URL for a particular web site into your browser for example, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it cannot process legitimate requests. This is a denial of service as legitimate users are denied access to the system services.

In normal operation a client sends a SYN and the server responds with a SYN+ACK; the server must then hold state in its TCP stack (a half-open connection entry) while it waits for the client's ACK. A simple SYN flood, generated with readily available tools, sends SYN packets faster than those entries time out, so the server has to keep state for every half-open connection. Because that state table is finite, the server stops accepting new TCP connections and service is denied to legitimate users. (Historically this could also trigger buffer overflows or exhaust system memory outright; modern stacks bound the table and time entries out, so that is much less of a problem today.)

There are two basic types of DoS attack. The first floods the communication pipeline with garbage network traffic. The second exploits a weakness, error or even a standard feature to cause a system to hang, freeze or deplete its resources. In either case the victimized system has been denied the ability to perform normal operations (i.e. providing services), either because the network has been overwhelmed or because critical services running on the system have been disrupted.

DoS attacks can target different areas of a system, including the operating system, applications, network protocols and services. Malware that maxes out the processor or memory on a system so that no useful work can occur, or triggered events that force a system into an unstable or locked state, are all considered denial-of-service attacks.

Examples of DoS Attacks

The SYN Flood is a type of DoS attack. The SYN Flood attack exploits the TCP three-way handshake protocol, which requires a specific sequence of data exchange between the client and server. The SYN Flood attack deliberately fails to complete the handshake, causing the target (victim) to waste resources waiting for the handshake to complete.

In a SYN Flood attack, a malicious client makes a series of requests to establish a communications channel with the victim server, i.e. it sends a series of SYN packets. However, the source address in each packet is spoofed (invalid, or belonging to a host that will not answer), so the server's SYN-ACK goes nowhere and the server ties up a valuable and finite resource, an entry in its half-open connection table for each SYN, waiting for an acknowledgement (ACK) that will never be sent. If enough unacknowledged SYN packets arrive before those entries time out, the victim server is overwhelmed and unable to service legitimate network traffic.

Here is some background on the TCP three-way handshake. The Transmission Control Protocol (TCP) uses the three-way handshake to establish a connection between a client and a server. Communication between the client and server happens with the exchange of TCP packets.

A TCP packet consists of a header portion and the payload. The header includes a set of 8 TCP flags in the 1-byte flag field. Two flags, Synchronize (SYN) and Acknowledgement (ACK), are used in the 3-way handshake to establish a TCP connection. This is illustrated below and consists of the SYN, SYN-ACK and ACK transactions:

  • SYN: This flag is sent by the client in the active-open phase at the start of the TCP handshake, initiating the connection request.
  • SYN-ACK: Upon receiving the SYN from the client, the server replies with an acknowledgement of the client's SYN together with its own SYN, a SYN-ACK, and keeps a half-open entry while it waits for the final ACK.
  • ACK: The client sends an ACK back to the server. This flag acknowledges receipt of the server's SYN-ACK and establishes the TCP connection.
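The handshake above, and the half-open state it leaves on the server that the SYN Flood paragraphs describe, as an added example that is not part of the original post: a small Python model of a server with a finite table of half-open connections, run first against a legitimate client alone and then after a flood of SYNs from spoofed addresses that never complete the handshake. The backlog size, the timeout and the addresses (RFC 5737 documentation ranges) are assumptions chosen for the demonstration, not measurements from any real system.

```python
"""Added example, not from the original post: a toy model of a server's
half-open TCP connection table under a SYN flood. Backlog size, timeout
and the RFC 5737 documentation addresses are assumptions, not measurements."""

import random


class HalfOpenTable:
    """Server-side state for connections that have received a SYN but no ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # maximum half-open entries (the SYN backlog)
        self.timeout = timeout     # seconds before a half-open entry is reaped
        self.pending = {}          # (src_ip, src_port) -> (isn, expiry)
        self.established = 0
        self.dropped_syn = 0

    def reap(self, now):
        """Discard half-open entries whose retransmission timer has expired."""
        for key in [k for k, (_, exp) in self.pending.items() if exp <= now]:
            del self.pending[key]

    def on_syn(self, src, now):
        """Handle a client SYN: allocate state and send SYN-ACK if there is room."""
        self.reap(now)
        if src in self.pending:
            return True            # retransmitted SYN; keep the existing entry
        if len(self.pending) >= self.capacity:
            self.dropped_syn += 1
            return False           # backlog full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.pending[src] = (isn, now + self.timeout)
        return True                # SYN-ACK sent; now waiting for the ACK

    def on_ack(self, src, ack_num, now):
        """Handle the client ACK: complete the handshake if it matches our SYN-ACK."""
        self.reap(now)
        entry = self.pending.get(src)
        if entry is None or ack_num != (entry[0] + 1) & 0xFFFFFFFF:
            return False
        del self.pending[src]
        self.established += 1
        return True


def simulate(flood_packets, capacity=128, timeout=30.0, retry_delay=0.0):
    """Send flood_packets spoofed SYNs, then one legitimate handshake.

    Returns (legit_connected, half_open_entries, syns_dropped)."""
    table = HalfOpenTable(capacity, timeout)
    now = 0.0
    # Attacker: one SYN per millisecond from spoofed (address, port) pairs.
    # No ACK ever follows, because the SYN-ACKs go to addresses the
    # attacker does not control.
    for i in range(flood_packets):
        spoofed = ("203.0.113.%d" % (i % 254 + 1), 1024 + i)
        table.on_syn(spoofed, now)
        now += 0.001
    # Legitimate client tries after retry_delay seconds and does send its ACK.
    now += retry_delay
    legit = ("198.51.100.7", 40001)
    if not table.on_syn(legit, now):
        return False, len(table.pending), table.dropped_syn
    isn = table.pending[legit][0]
    ok = table.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return ok, len(table.pending), table.dropped_syn


if __name__ == "__main__":
    print("no flood:              ", simulate(0))
    print("1000 SYNs, 128 backlog:", simulate(1000))
    print("same, retry after 31s: ", simulate(1000, retry_delay=31.0))
```

With the table full the legitimate SYN is dropped even though the client would have answered; once the spoofed entries age out the same client connects normally, which is why the attacker has to keep the flood rate above the table's drain rate rather than send a single burst.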

In addition to the SYN Flood, here are some other examples of DoS attacks:
  • ICMP Flood
    • An ICMP Flood occurs when numerous ICMP echo requests (pings) overwhelm a receiver. The receiver attempts to respond to all of them, typically consuming large amounts of network bandwidth and CPU.
    • A Smurf attack amplifies this: the attacker sends ICMP echo requests to a network's broadcast address with the source IP address forged to be the victim's, so every host on that network replies to the victim at once.
  • Ping Of Death
    • The attacker sends a ping whose fragments reassemble to more than the maximum IP packet size of 65,535 bytes. A target that does not check the reassembled length overruns its reassembly buffer and crashes.
  • Teardrop
    • Numerous IP fragments are sent to a target with overlapping fragment offsets and lengths. The target attempts to reassemble the datagram from the received fragments, but the fragments overwrite each other and produce an invalid packet, which crashed the IP stacks of the time.
Most of the basic DoS attacks such as Ping of Death and Teardrop are now handled automatically by the fixed IP stacks shipped with modern operating systems, which bound the reassembled size and validate fragment offsets before reassembling.
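How a fixed IP stack defends against Teardrop and Ping of Death, as an added example that is not from the original post: a Python fragment reassembler that rejects overlapping fragments and any fragment that would push the datagram past the 65,535-byte IPv4 limit. The sample fragment sets are constructed for the demonstration; the "reject any overlap" policy and the 20-byte header assumption are simplifications, not a copy of any particular operating system's reassembly logic.

```python
"""Added example, not from the original post: an IP fragment reassembler
that checks its input the way fixed stacks do. Fragments are modelled as
(byte offset, more-fragments flag, payload); the sample fragment sets are
constructed for the demonstration. The "reject any overlap" policy and
the 20-byte header assumption are simplifications."""

MAX_DATAGRAM = 65535   # largest IPv4 datagram: the total-length field is 16 bits
IP_HEADER_LEN = 20     # minimal IPv4 header, assumed for the size check


class FragmentError(ValueError):
    """Raised for a fragment that a hardened stack would drop."""


class Reassembler:
    def __init__(self):
        self.pieces = []        # list of (start, end, payload) already accepted
        self.total_len = None   # known once the last fragment (MF=0) arrives

    def add(self, offset, more_fragments, payload):
        start, end = offset, offset + len(payload)
        # On the wire the offset is in 8-byte units, so it must be aligned and
        # every fragment except the last must carry a multiple of 8 bytes.
        if offset % 8 != 0:
            raise FragmentError("offset %d is not 8-byte aligned" % offset)
        if more_fragments and len(payload) % 8 != 0:
            raise FragmentError("non-final fragment is not a multiple of 8 bytes")
        # Ping of Death: the reassembled packet would exceed the 16-bit length.
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            raise FragmentError("fragment would make the datagram %d bytes"
                                % (IP_HEADER_LEN + end))
        # Teardrop: the fragment overlaps data already received.
        for s, e, _ in self.pieces:
            if start < e and s < end:
                raise FragmentError("fragment [%d,%d) overlaps [%d,%d)"
                                    % (start, end, s, e))
        if not more_fragments:
            if self.total_len is not None and self.total_len != end:
                raise FragmentError("two fragments claim to be the last one")
            self.total_len = end
        elif self.total_len is not None and end > self.total_len:
            raise FragmentError("fragment extends past the declared end")
        self.pieces.append((start, end, payload))

    def complete(self):
        """Return the payload if every byte up to the declared end is present."""
        if self.total_len is None:
            return None
        self.pieces.sort()
        pos = 0
        for s, e, _ in self.pieces:
            if s != pos:
                return None        # a hole: still waiting for a fragment
            pos = e
        if pos != self.total_len:
            return None
        return b"".join(p for _, _, p in self.pieces)


def reassemble(fragments):
    """Reassemble a list of (offset, more_fragments, payload) tuples.

    Returns the payload, None if fragments are still missing, or raises
    FragmentError for input a hardened stack would drop."""
    r = Reassembler()
    for offset, mf, data in fragments:
        r.add(offset, mf, data)
    return r.complete()


def classify(fragments):
    """Summarise the outcome as a short string for logging or display."""
    try:
        data = reassemble(fragments)
    except FragmentError as exc:
        return "rejected: " + str(exc)
    return "incomplete" if data is None else "ok: %d bytes" % len(data)


# Constructed sample inputs (not captured traffic).
NORMAL = [(0, True, b"A" * 8), (8, True, b"B" * 8), (16, False, b"C" * 4)]
# Teardrop: the second fragment starts inside the first one.
TEARDROP = [(0, True, b"A" * 16), (8, False, b"B" * 8)]
# Ping of Death: last fragment at the maximum offset with more than 7 bytes.
PING_OF_DEATH = [(0, True, b"x" * 8), (65528, False, b"y" * 8)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print("%-14s %s" % (name, classify(frags)))
```

The two checks are cheap because both are done per fragment before anything is copied into a buffer; the vulnerable stacks of the 1990s did the copy first and trusted the offsets.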

Denial-of-service exploits such as the SYN Flood exploit basic features (not bugs) of the TCP protocol, so they are difficult to block completely; however, there are measures that can be taken to mitigate their effects. For example, a filter placed in front of the network infrastructure and designed to identify DoS signatures can be deployed; when such signatures are identified the traffic can be discarded before it overwhelms the organization's network infrastructure. For SYN floods specifically, most operating systems also support SYN cookies, where the server encodes the connection details in its SYN-ACK sequence number instead of storing a half-open entry and only allocates state when a valid ACK comes back, along with shorter half-open timeouts and larger backlog queues. Additionally, the use of up-to-date antivirus software, firewalls and other good security practices is encouraged, to minimize the chance that a computer is infected with malware that can be used to take part in a DoS attack.
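SYN cookies as an added example, not from the original post: a Python sketch of a server that answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection 4-tuple, the client's sequence number and a coarse time counter, and creates state only when an ACK carries that value back. The cookie layout (an 8-bit counter plus 24 bits of HMAC) is a simplified stand-in for the real Linux encoding, which also packs in the MSS; the secret, addresses and clock values are invented for the demonstration.

```python
"""Added example, not from the original post: SYN cookies, the stateless
defence against SYN floods. The cookie layout (8-bit time counter plus
24 bits of HMAC) is a simplified stand-in for the real Linux encoding,
which also packs in the MSS; the secret, addresses and clock values are
invented for the demonstration."""

import hashlib
import hmac
import struct


class SynCookieServer:
    def __init__(self, secret, counter_seconds=64):
        self.secret = secret                    # rotated periodically in practice
        self.counter_seconds = counter_seconds  # cookie lifetime granularity
        self.established = set()                # only completed handshakes get state

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, client_isn, count):
        """32-bit value: top 8 bits = time counter, low 24 bits = keyed hash."""
        msg = ("%s:%d>%s:%d|%d|%d" % (src_ip, src_port, dst_ip, dst_port,
                                       client_isn, count)).encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((count & 0xFF) << 24) | (struct.unpack(">I", mac[:4])[0] & 0x00FFFFFF)

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, now):
        """Reply with a SYN-ACK whose sequence number is the cookie; store nothing.

        A flood of spoofed SYNs therefore costs the server CPU, not memory."""
        count = int(now // self.counter_seconds)
        return self._cookie(src_ip, src_port, dst_ip, dst_port, client_isn, count)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
        """Validate the cookie echoed in the ACK before creating any state.

        seq is the client's sequence number in the ACK (its ISN + 1) and ack
        acknowledges our SYN-ACK, so ack - 1 is the cookie we sent."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        embedded = cookie >> 24
        count_now = int(now // self.counter_seconds)
        # Accept the current counter value or the previous one, so a cookie
        # issued just before the counter ticked is still valid.
        for count in (count_now, count_now - 1):
            if (count & 0xFF) != embedded:
                continue
            expected = self._cookie(src_ip, src_port, dst_ip, dst_port, client_isn, count)
            if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.established.add((src_ip, src_port))
                return True
        return False


SERVER_IP, SERVER_PORT = "192.0.2.10", 80   # RFC 5737 documentation address


def legitimate_handshake(server, now=1000.0):
    """A real client receives the SYN-ACK and echoes the cookie in its ACK."""
    client_isn = 0x1234ABCD
    synack_seq = server.on_syn("198.51.100.7", 40001, SERVER_IP, SERVER_PORT, client_isn, now)
    return server.on_ack("198.51.100.7", 40001, SERVER_IP, SERVER_PORT,
                         client_isn + 1, synack_seq + 1, now + 0.1)


def forged_ack(server, now=1000.0):
    """A spoofing attacker never sees the SYN-ACK, so it has to guess the cookie."""
    return server.on_ack("203.0.113.5", 5555, SERVER_IP, SERVER_PORT, 1, 0xDEADBEEF, now)


def stale_ack(server, now=1000.0):
    """A correct cookie presented long after it was issued is rejected."""
    client_isn = 7
    synack_seq = server.on_syn("198.51.100.8", 40002, SERVER_IP, SERVER_PORT, client_isn, now)
    return server.on_ack("198.51.100.8", 40002, SERVER_IP, SERVER_PORT, client_isn + 1,
                         synack_seq + 1, now + 3 * server.counter_seconds)


if __name__ == "__main__":
    s = SynCookieServer(b"constructed-secret-not-for-real-use")
    print("legitimate:", legitimate_handshake(s))
    print("forged:    ", forged_ack(s))
    print("stale:     ", stale_ack(s))
    print("state held:", s.established)
```

The trade-off is that the server cannot remember TCP options it would normally store in the half-open entry, which is why real implementations squeeze the MSS into the cookie and why Linux only switches cookies on once the backlog is full.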