A DoS (denial-of-service) attack is one of the cybercrime techniques used by hackers. It is a malicious attempt to overwhelm an online service and render it unusable. The hackers try to prevent legitimate users from accessing the service, for example by delaying system operations and functions, or by making the device or network resource unavailable to its users. The attacker may also send excessive messages asking the server to authenticate requests that carry invalid return addresses. The attack succeeds when the machine or system is flooded with so much traffic or information that it crashes or becomes inaccessible to its users.
There are two basic methods of DoS attacks. They include:
a. Flooding Services
This type of attack occurs when the system receives more traffic than the server can buffer, causing the system to slow down and eventually stop. Flood attacks include:
• Buffer overflow attacks
This is the most common. It works by sending more traffic to the system than it was originally programmed to handle. The extra data, which has to go somewhere, overflows into adjacent memory space, corrupting or overwriting the data held there.
• ICMP flood
ICMP stands for Internet Control Message Protocol. In this attack the victim server is flooded with an abnormally large number of ICMP packets from a wide range of IP addresses. The attacker aims to fill the channel and overload the victim server with fake requests. The attack leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network instead of one specific machine, so the network itself is triggered to multiply the traffic. An ICMP flood can also be organized with the aim of collecting information about the server, which can later be used for precision attacks on a port or an application.
• SYN Flood
In this attack the hacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address. The server, unaware of the attack, receives multiple apparently legitimate requests to establish communication. The attacker asks to connect to the server but never completes the handshake. These requests go on until all open ports are saturated with requests and none are available for legitimate users to connect to. In short, in a SYN flood the attacker sends a stream of SYN requests to the target's system, trying to consume enough server resources to make the system unresponsive to legitimate traffic.
Some of the security measures against SYN flood attacks include:
2. Increasing backlog
3. TCP half-open
4. Firewalls and proxies
5. Reducing SYN-received timer
6. SYN cache
7. Recycling the oldest Half-Open TCP
8. Hybrid approaches
9. SYN cookies
b. Crashing Services
Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. Input is sent that takes advantage of bugs in the target, which subsequently crash or severely destabilize the system so that it cannot be accessed or used. Other DoS attacks can be perpetrated through:
• Consumption of computational resources such as bandwidth, disk space or CPU time.
• Disruption of configuration information e.g. routing information.
• Disruption of physical network components, with symptoms such as unusually slow network performance, unavailability of a particular website, inability to access any website, and a dramatic increase in the number of spam emails received.
Other Types of Attacks
TCP Three Way Handshake
When a computer wants to make a TCP/IP connection (the most common kind of internet connection) to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet that asks the server whether it may connect. If the server will allow connections, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect", reserves space for the connection, and waits for the client to respond with a TCP/ACK packet detailing the specifics of its connection.
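The handshake described above, together with the SYN flood countermeasures listed earlier (increasing the backlog, reducing the SYN-RECEIVED timer, recycling the oldest half-open entry, SYN cookies), as an added simulation in Python. This is example code written for this page, not code from the original article or from any real TCP stack; the class names, the backlog and timer values, the constructed server and client addresses and the demo secret are all assumptions. It shows why a stateful listener stops accepting legitimate clients once unanswered SYNs exhaust its half-open backlog, and why a SYN-cookie listener, which keeps no state until the final ACK arrives, keeps accepting them.

```python
import hashlib
import hmac
import random
from collections import OrderedDict

SECRET = b"constructed-demo-secret"   # constructed; a real server rotates this
DST = ("192.0.2.10", 80)              # constructed server address and port


class SynReceivedQueue:
    """Stateful listener (simulation, not a real TCP stack): one entry per
    half-open connection, bounded by backlog, aged by the SYN-RECEIVED timer."""

    def __init__(self, backlog=128, syn_timeout=5.0, recycle_oldest=False):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.recycle_oldest = recycle_oldest
        self.half_open = OrderedDict()    # (src_ip, src_port) -> (arrival, isn)
        self.established = set()

    def _expire(self, now):
        # SYN-RECEIVED timer: forget clients that never sent the final ACK
        for key, (arrived, _) in list(self.half_open.items()):
            if now - arrived > self.syn_timeout:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        """Return the ISN sent in SYN-ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.half_open:
            return self.half_open[key][1]           # retransmitted SYN
        if len(self.half_open) >= self.backlog:
            if not self.recycle_oldest:
                return None                          # backlog full: no SYN-ACK
            self.half_open.popitem(last=False)       # recycle the oldest half-open
        isn = random.getrandbits(32)
        self.half_open[key] = (now, isn)             # state reserved for this client
        return isn

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        self._expire(now)
        entry = self.half_open.get((src_ip, src_port))
        if entry is None or ack_num != (entry[1] + 1) & 0xFFFFFFFF:
            return False                             # no matching state: RST
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class SynCookieListener:
    """SYN-cookie listener: no half-open state. The ISN is an HMAC over the
    4-tuple and a coarse time counter; a correct final ACK proves the client
    received the SYN-ACK. Simplified versus real kernels (no MSS encoding)."""

    def __init__(self, secret, window=64):
        self.secret, self.window = secret, window   # window: seconds per counter
        self.established = set()

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, counter):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 8 bits of counter plus 24 bits of MAC fit the 32-bit ISN field
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        return self._cookie(src_ip, src_port, dst_ip, dst_port, int(now) // self.window)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        got = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        counter = int(now) // self.window
        for c in (counter, counter - 1):             # tolerate a counter rollover
            want = self._cookie(src_ip, src_port, dst_ip, dst_port, c).to_bytes(4, "big")
            if hmac.compare_digest(got, want):
                self.established.add((src_ip, src_port))
                return True
        return False


def run_flood(server, count, now):
    # `count` SYNs from constructed addresses whose senders never answer SYN-ACK
    for i in range(count):
        server.on_syn("203.0.113.%d" % (i % 250 + 1), 40000 + i, DST[0], DST[1], now)


def legit_client_connects(server, now, src=("198.51.100.7", 51515)):
    """Complete handshake from a well-behaved client; True if it reaches ESTABLISHED."""
    isn = server.on_syn(src[0], src[1], DST[0], DST[1], now)
    if isn is None:
        return False
    return server.on_ack(src[0], src[1], DST[0], DST[1], (isn + 1) & 0xFFFFFFFF, now + 0.1)


def demo(flood=500, now=1000.0):
    results = {}
    plain = SynReceivedQueue(backlog=128)
    run_flood(plain, flood, now)
    results["plain_during_flood"] = legit_client_connects(plain, now + 1)
    results["plain_after_timer"] = legit_client_connects(plain, now + 10)
    recycle = SynReceivedQueue(backlog=128, recycle_oldest=True)
    run_flood(recycle, flood, now)
    results["recycle_oldest"] = legit_client_connects(recycle, now + 1)
    cookie = SynCookieListener(SECRET)
    run_flood(cookie, flood, now)
    results["syn_cookie"] = legit_client_connects(cookie, now + 1)
    results["cookie_forged_ack"] = cookie.on_ack("198.51.100.8", 1, DST[0], DST[1], 12345, now + 1)
    return results
```

Calling `demo()` returns a dictionary: the plain listener rejects the legitimate client while the 128-entry backlog is full of unanswered SYNs, accepts it again once the 5-second SYN-RECEIVED timer has evicted them, and accepts it immediately when the oldest half-open entry is recycled; the SYN-cookie listener accepts it regardless of flood size and rejects an ACK whose cookie was never issued. The trade-off is visible in the code: a stateful queue can be starved, while cookies cost a MAC computation per SYN and give up any TCP options that do not fit in the ISN.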
Smurf Attack (ICMP)
A technique that takes advantage of ICMP (Internet Control Message Protocol). Smurf is installed on a computer using a stolen account and then continuously "pings" one or more networks of computers using a forged source address. It relies on misconfigured network devices that allow packets to be sent to all hosts on a particular network via the network's broadcast address rather than to a specific machine. The network then serves as a smurf amplifier. In such an attack the perpetrators send large numbers of IP packets with the source address forged to appear to be the address of the victim.
A related attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. This causes the targeted machine to reply to itself continuously and eventually crash.
User Datagram Protocol (UDP)
UDP floods include "Fraggle attacks". In a fraggle attack the attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it with a fake source address. It is a simple rewrite of the smurf attack code.
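The smurf, self-addressed SYN and fraggle attacks above all depend on packets that a correctly filtered network edge would never forward: echo requests to a directed broadcast address, packets whose source equals their destination, and packets whose source address is spoofed. The following edge-filter check is an added example written for this page, not code from the original article; the inside prefix, the sample packets and the reason strings are constructed assumptions. It goes slightly beyond the text by also applying source-address validation in both directions, so a network cannot be used as an amplifier or originate spoofed traffic.

```python
import ipaddress

# Constructed inside prefix of the edge router in this example.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ECHO_UDP_PORT = 7          # UDP echo service abused by fraggle
ICMP_ECHO_REQUEST = 8      # ICMP type abused by smurf


def drop_reasons(pkt, inbound):
    """Reasons to drop `pkt` at the network edge; an empty list means forward.
    pkt keys: src, dst, proto ('icmp' | 'udp' | 'tcp'), plus icmp_type or dport.
    inbound is True when the packet arrives from the Internet side."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    reasons = []
    if src == dst:
        reasons.append("land: source address equals destination address")
    if inbound and src in LOCAL_NET:
        reasons.append("spoof: inside address arriving from the Internet")
    if not inbound and src not in LOCAL_NET:
        reasons.append("egress: packet leaving with a source address we do not own")
    if inbound and dst == LOCAL_NET.broadcast_address:
        # directed broadcast from outside is what turns a LAN into an amplifier
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
            reasons.append("smurf: ICMP echo request to directed broadcast")
        elif pkt["proto"] == "udp" and pkt.get("dport") == ECHO_UDP_PORT:
            reasons.append("fraggle: UDP echo to directed broadcast")
        else:
            reasons.append("directed broadcast from outside")
    return reasons


# Constructed sample traffic (not captured from any real network): (packet, inbound)
SAMPLE = [
    ({"src": "198.51.100.5", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}, True),
    ({"src": "198.51.100.5", "dst": "192.0.2.255", "proto": "udp", "dport": 7}, True),
    ({"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}, True),
    ({"src": "203.0.113.9", "dst": "198.51.100.5", "proto": "icmp", "icmp_type": 0}, False),
    ({"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}, True),
    ({"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 443}, False),
]


def filter_traffic(samples=SAMPLE):
    """Return (forwarded_count, dropped) where dropped maps sample index -> reasons."""
    dropped = {}
    for i, (pkt, inbound) in enumerate(samples):
        reasons = drop_reasons(pkt, inbound)
        if reasons:
            dropped[i] = reasons
    return len(samples) - len(dropped), dropped


if __name__ == "__main__":
    forwarded, dropped = filter_traffic()
    print("forwarded:", forwarded)
    for i, reasons in dropped.items():
        print("dropped sample", i, "->", "; ".join(reasons))
```

Of the six constructed packets only the last two are forwarded: the first two are smurf and fraggle amplifier traffic, the third is both self-addressed and spoofed, and the fourth would leave the network with a source address it does not own. On a real Linux host the broadcast-echo part of this check corresponds to the kernel setting `net.ipv4.icmp_echo_ignore_broadcasts`, and the two source-address rules are the ingress and egress filtering recommended by BCP 38.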
Trinoo
Trinoo is a complex DDoS tool that uses "master" programs to automate the control of any number of "agent" programs, which launch the actual attack. The attacker connects to the computer hosting the master program and starts the master; the master then starts all of the agent programs based on a list of IP addresses. The agent programs attack one or more targets by flooding the network with UDP packets. Prior to the attack, the perpetrator will have compromised the computer hosting the master program and all the computers hosting the agent programs in order to install them.
Tribe Flood Network (TFN)
Like Trinoo, TFN uses a master program to communicate with attack agents located across multiple networks.
TFN launches coordinated DoS attacks that are especially difficult to counter, as it can generate multiple types of attack and can generate packets with spoofed source IP addresses. Attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast.
An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems orchestrate a synchronized DoS attack against a single target. The essential difference is that instead of being attacked from one location, the target is attacked from many locations at once.