
DOS Attacks: Instigation and Mitigation

2008-06-25

During the release of a new software product specialized to track spam, ACME Software Inc noticed that there was not as much traffic as they had hoped to receive. During further investigation, they found that they could not view their own website. At that moment, the VP of sales received a call from the company's broker stating that ACME Software Inc stock had fallen 4 points due to lack of confidence. Several states away, spammers didn't like the idea of lower profit margins due to an easy-to-install spam blocking software, so they thought they would fight back. Earlier that day, they had taken control of hundreds of compromised computers and used them as DoS zombies to attack ACME Software Inc's Internet servers in a vicious act of cyber assault. During an emergency press conference the next morning, ACME Software Inc's CIO announced his resignation as a result of a several million dollar corporate loss.

Scenarios like the one above happen more often than people think and are more costly than most will admit. Denial of Service (DoS) attacks are designed to deplete the resources of a target computer system in an attempt to take a node offline by crashing or overloading it. A Distributed Denial of Service (DDoS) attack is a DoS attack launched from many different locations at once. The most common DDoS attacks are instigated through viruses or zombie machines. There are many reasons that DoS attacks are executed, and most of them are out of malicious intent. DoS attacks are almost impossible to prevent if you are singled out as a target. It is difficult to distinguish between a legitimate packet and one used for a DoS attack.

The purpose of this article is to give the reader with basic network knowledge a better understanding of the challenges presented by Denial of Service attacks, how they work, and ways to protect systems and networks from them.

Instigation:

Spoofing - Falsifying an Internet address (known as spoofing) is the method an attacker uses to fake an IP address. This is used to reroute traffic to a target network node or to deceive a server into identifying the attacker as a legitimate node. When most of us think of this approach to hacking, we think of someone in another city essentially becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker can take over your Internet identity in this fashion is to blind spoof. This means that the impostor knows exactly what responses to send to a port, but will not get the corresponding response, since the traffic is routed to the original system. If the spoofing is designed around a DoS attack, the internal address becomes the victim. Spoofing is used in most of the well-known DoS attacks. Many attackers will start a DoS attack to drop a node from the network so they can take over the IP address of that device. IP hijacking is the main method used when attacking a secured network or attempting other attacks like the Man in the Middle attack.

SYN Flood - Attackers send a series of SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session setup. Instead of responding with an ACK, the attacker responds with another SYN to open up a new connection. This causes the connection queues and memory buffers to fill up, thereby denying service to legitimate TCP users. At this time, the attacker can hijack the system's IP address if that is the end goal. Spoofing the "source" IP address when sending a SYN flood will not only cover the offender's tracks, but is also a method of attack in itself. SYN floods are the most commonly used DoS in viruses and are easy to write. See http://www.infosecprofessionals.com/code/synflood.c.txt
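The build-up of half-open connections described above is what a defender can measure. The following is an added example, not code from the original article: it replays constructed packet summaries, tracks which handshakes never receive the client's final ACK, and reports both per-source and aggregate half-open counts, since a flood with spoofed source addresses shows up only in the aggregate. The log format, addresses and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed packet summaries (not real captures): client-side packets
# seen at the server's edge as (src_ip, src_port, dst_ip, dst_port, flags).
# A legitimate client sends a SYN and then the final ACK of the handshake;
# a flooder sends SYNs and never follows up, so the server's connection
# queue keeps holding half-open entries for them.
SAMPLE_PACKETS = [
    ("203.0.113.10", 40001, "198.51.100.5", 80, "S"),
    ("203.0.113.10", 40001, "198.51.100.5", 80, "S"),  # retransmit, not double-counted
    ("203.0.113.10", 40001, "198.51.100.5", 80, "A"),  # handshake completes
    ("203.0.113.10", 40002, "198.51.100.5", 80, "S"),
    ("203.0.113.10", 40002, "198.51.100.5", 80, "A"),
] + [
    # One (possibly spoofed) address sending 25 SYNs with no ACKs behind them
    ("192.0.2.77", 50000 + i, "198.51.100.5", 80, "S") for i in range(25)
]

def track_half_open(packets):
    """Replay packets; return {src_ip: half-open connections still waiting
    for the client's ACK}. The server's SYN-ACK is implicit."""
    pending = set()                 # 4-tuples awaiting the client's ACK
    half_open = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S" and key not in pending:
            pending.add(key)        # new half-open entry in the queue
            half_open[src] += 1
        elif flags == "A" and key in pending:
            pending.discard(key)    # handshake completed, entry released
            half_open[src] -= 1
    return {ip: n for ip, n in half_open.items() if n > 0}

def total_half_open(packets):
    """Aggregate queue occupancy, the signal that survives source spoofing."""
    return sum(track_half_open(packets).values())

def flag_syn_sources(packets, threshold=10):
    """Sources holding more than `threshold` half-open entries."""
    return sorted(ip for ip, n in track_half_open(packets).items() if n > threshold)

def backlog_alert(packets, backlog_size=128, fill_ratio=0.15):
    """True once half-open entries exceed a fraction of the listen backlog,
    the point at which SYN cookies or rate limiting should already be active."""
    return total_half_open(packets) > backlog_size * fill_ratio

if __name__ == "__main__":
    print("half-open per source:", track_half_open(SAMPLE_PACKETS))
    print("flagged sources:", flag_syn_sources(SAMPLE_PACKETS))
    print("backlog alert:", backlog_alert(SAMPLE_PACKETS))
```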

Smurf Attack - Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a large number of ICMP ec