Denial of service (DoS) attacks have become a major threat to computer networks and organizations, because they disrupt services and can impose a large revenue loss. To give a better understanding of DoS attacks, this article provides an overview of DoS/DDoS attacks, their symptoms, the techniques used, protection tools, and finally some general countermeasures to defend against them.
What is a Denial of Service Attack?
A Denial-of-Service (DoS) attack is an attack on a networking structure that prevents a server from serving its clients. The intent and impact of a DoS attack is to prevent or impair the legitimate use of a computer or of network resources. DoS attacks typically target either the network bandwidth or the connectivity of the victim:
- Bandwidth attacks: flood the network with a high volume of traffic that consumes the existing network resources, depriving legitimate users of them.
- Connectivity attacks: flood the system with a huge number of connection requests, consuming all available operating-system resources so that it no longer responds to legitimate user requests.
For example, consider a company (the Victim Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person finds a way to keep the company's telephone lines engaged, legitimate customers are denied access, and the Victim Company loses revenue.
DoS attacks are similar to the situation described here, where the objective of the attacker is not to steal any information from the target; rather it is to render its services useless.
What is a Distributed Denial of Service Attack?
As defined by the World Wide Web Security: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."
During a DDoS attack, the attacker initiates the attack by sending a command to the zombie agents (infected systems); the zombie agents then send connection requests to a genuine server. The requests sent by the zombie agents appear to come from the victim rather than from the zombies. The genuine server therefore sends the requested information to the victim, and the victim machine is flooded with unsolicited responses from several computers at once. This may either reduce its performance or cause the victim machine to shut down.
Symptoms of a DoS Attack
The symptoms of a DoS attack vary with the victim machine, but there are four main ones:
- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the number of spam emails received
- Unusually slow network performance
DoS Attack Techniques
Seven kinds of techniques are used by attackers to perform DoS attacks, as described below:
1. Bandwidth Attacks: A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim is to consume the bandwidth of the targeted network to such an extent that it starts dropping packets, which may include legitimate users' requests.
2. Service Request Floods: Service request floods work on the connections-per-second principle. Servers are flooded with a high rate of connections from a valid source. In this attack, a group of zombies attempts to exhaust server resources by repeatedly setting up and tearing down TCP connections. For example, an attacker may use a zombie army to fetch the home page of a target web server over and over; the resulting load makes the server sluggish.
3. SYN Flooding Attacks: A SYN flood is a simple form of DoS attack in which the attacker sends an unlimited series of fake TCP SYN requests to the victim machine. The victim responds to each with a SYN-ACK and waits for the final ACK to complete the handshake, but that ACK never arrives because the source addresses are fake. As a result, the server's half-open connection table fills up and it can no longer respond to legitimate SYN requests.
4. ICMP Flood Attacks: A DDoS ICMP flood occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets require the victim to reply, and the combined request and reply traffic saturates the bandwidth of the victim's network connection. Once the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses.
5. Peer-to-Peer Attacks: A peer-to-peer attack is a form of DDoS attack in which the attacker exploits flaws in networks that use the DC++ (Direct Connect) protocol, which allows the exchange of files between instant-messaging clients. The attacker instructs the clients of peer-to-peer file-sharing hubs to disconnect from their network and connect to the victim's website instead. As a result, these numerous computers all try to connect to the target website, and the website's performance drops.
6. Permanent Denial-of-Service Attacks: A permanent denial-of-service (PDoS) attack, also known as phlashing, damages the system so badly that the hardware is unusable for its original purpose until it is either replaced or reinstalled. A PDoS attack exploits security flaws that allow remote administration through the management interfaces of the victim's hardware, such as printers, routers, and other networking equipment.
7. Application-Level Flood Attacks: These result in the loss of services on a particular network, such as email, network resources, or the temporary halting of applications, as the attackers try to destroy the program source code and files on the affected systems.
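The SYN flood and ICMP flood techniques above both leave a recognisable pattern in packet summaries: many SYNs that are never followed by a completing ACK, or a burst of echo requests at one host. The following detector is an added example written for this article (not code from the author or from any product named here); it runs two such heuristics over constructed tcpdump-style lines, and the thresholds, regular expressions and sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summaries (not a real capture): one client that
# completes its handshake, 40 spoofed sources that never send the final ACK,
# and 35 ICMP echo requests from one host, all aimed at server 192.0.2.10.
SAMPLE_LINES = [
    "12:00:00.000 IP 203.0.113.5.51000 > 192.0.2.10.80: Flags [S]",
    "12:00:00.010 IP 192.0.2.10.80 > 203.0.113.5.51000: Flags [S.]",
    "12:00:00.020 IP 203.0.113.5.51000 > 192.0.2.10.80: Flags [.]",
] + [f"12:00:01.{i:03d} IP 198.51.100.{i}.4000 > 192.0.2.10.80: Flags [S]"
     for i in range(1, 41)] \
  + [f"12:00:02.{i:03d} IP 203.0.113.9 > 192.0.2.10: ICMP echo request"
     for i in range(35)]

# Assumed line formats: "IP src.sport > dst.dport: Flags [..]" for TCP and
# "IP src > dst: ICMP echo request" for ICMP.
TCP_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")

def analyse(lines, syn_min=20, syn_ratio=5.0, icmp_min=30):
    """Return a list of (dst, kind, detail) alerts found in the packet lines."""
    syn_src = defaultdict(set)   # (dst, port) -> sources that sent a bare SYN
    ack_src = defaultdict(set)   # (dst, port) -> sources that later sent the ACK
    icmp_count = defaultdict(int)
    icmp_src = defaultdict(set)
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            key = (m["dst"], m["dport"])
            if m["flags"] == "S":
                syn_src[key].add(m["src"])
            elif m["flags"] == "." and m["src"] in syn_src[key]:
                ack_src[key].add(m["src"])  # handshake completed by this source
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp_count[m["dst"]] += 1
            icmp_src[m["dst"]].add(m["src"])
    alerts = []
    for (dst, port), syns in syn_src.items():
        half_open, completed = len(syns - ack_src[(dst, port)]), len(ack_src[(dst, port)])
        # Many half-open handshakes relative to completed ones is the SYN flood signature.
        if half_open >= syn_min and half_open / (completed + 1) >= syn_ratio:
            alerts.append((dst, "syn_flood", f"{half_open} half-open vs {completed} completed on port {port}"))
    for dst, n in icmp_count.items():
        if n >= icmp_min:
            alerts.append((dst, "icmp_flood", f"{n} echo requests from {len(icmp_src[dst])} source(s)"))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

The first three sample lines alone produce no alert, since the single handshake completes; the spoofed burst and the echo burst each trigger one.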
The strength of an organization's network security can be increased by putting the proper countermeasures in the right places. Many such countermeasures are available for DoS/DDoS attacks.
The following countermeasures should be applied against DoS/DDoS attacks:
- Use strong encryption mechanisms such as WPA2, AES-256, etc. on broadband networks to resist eavesdropping.
- Ensure that the software and protocols used are up-to-date and scan the machines thoroughly to detect any anomalous behavior.
- Improved routing protocols are desirable, particularly for multi-hop wireless mesh networks (WMN).
- Disable unused and insecure services.
- Block all inbound packets originating from service ports, to stop traffic coming from reflection servers.
- Update the kernel to the latest release.
- Prevent the transmission of fraudulently addressed (spoofed) packets at the ISP level.
- Implement cognitive radios in the physical layer to handle jamming and scrambling attacks.
- Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic.
- Avoid unsafe functions such as gets, strcpy, etc.
- Secure remote administration and connectivity testing.
- Prevent return addresses from being overwritten.
- Prevent data supplied by an attacker from being executed.
- The network card is the gateway for all packets, so use a network card capable of handling a large number of packets.
DoS/DDoS Protection Tools
D-Guard Anti-DDoS Firewall, for example, offers:
- Protection against SYN, TCP flooding, and other types of DDoS attacks
- Built-in intrusion prevention system
- TCP flow control, UDP/ICMP/IGMP packets rate management
- IP blacklist and whitelist, ARP whitelist, and MAC binding
- Compact and comprehensive log files
In addition to D-Guard Anti-DDoS Firewall, there are many tools that offer protection against DoS/DDoS attacks. A few tools that offer DoS/DDoS protection are listed as follows:
To secure your network, you should try to find its security weaknesses and fix them, since these weaknesses provide a path for attackers to break in. The main aim of a DoS attack is to lower the performance of the target website or crash it in order to interrupt business continuity. Denial-of-service attacks are an easy way to bring down a server, and the attacker does not need a great deal of knowledge to conduct them, which makes it essential to test for DoS vulnerabilities.
Hence it is recommended to have DoS attack penetration testing, in which a pen-tester simulates the actions of an attacker to find security loopholes and also checks whether your system withstands a DDoS attack (keeps behaving normally) or crashes. DoS pen testing determines the minimum thresholds at which DoS attacks affect your system.
Authored By - Rajesh Rao
TCS Cyber Security Practice