Title: Cyber Attacks Explained: DoS and DDos
Scope of article
With this article we are starting a new series to cover important cyber attacks which weaken the IT security infrastructure in organizations. With a rapid spread of internet technologies and applications, there is an unfortunate rise in preying eyes to hack into systems. These attacks are usually done to gain fame or money, or cause reputational losses to a firm. The first in series is Denial of Service attack (DoS) and the distributed denial of service attack (DDoS). We are going to learn how these attacks work technically, and also discuss ways to stop those at the network doorsteps.
How DoS works?
The fundamental technique behind a denial of service attack is to make the target system busy. In a computer server when a network packet is being received, all components right from the network interface card to the application running under the operating system, are in the scope. Network interface card has a duty to monitor Ethernet frames meant for it, align data and give it further to the network card driver. The driver software then adds its own intelligence and passes it over to the operating system, which then takes it to the application. Each of these involved components can exhibit some form of vulnerability and the DoS attack is devised to exploit one or more of those, to penetrate into the system.
Let’s now understand the basics of TCPIP protocol. It works using a handshake between the sender and receiver. Please refer to Fig 1. which shows in details how a healthy TCP handshake takes place and how a SYN flood attack compares with it. When sender wants to communicate, it sends a SYN packet with its own IP address as source and the receiver’s IP address as the destination. Receiver responds to that by sending the SYN-ACK packet. The sender then confirms this by sending an ACK packet. At this time, the sender and receiver have a guarantee that they can communicate to each other. Sender then starts sending the actual data in small chunks, and as a confirmation response to each data packet received the receiver sends ACK packet back to the sender. When sender sends the final data chunk, it sends a FIN signal, which is also acknowledged by receiver by sending FIN-ACK back. If a particular port is not supposed to respond to the request, the receiver uses RST packet as a response to the sender, which means it is rejecting that request. As we can see here, the TCPIP stack software is quite busy in dealing with this maze of communication, which does take some amount of CPU and memory resources. Just to add to the complexity, tons of SYN, SYN-ACK, ACK handshakes are happening on a server for different source and destination IP addresses and also for various TCP ports. All the IP based protocols such as ICMP PING, Telnet, FTP etc actually piggyback on this framework to do their job. Each of them works on different dedicated socket or port.
At the application layers, the operating system and the application receiving or transmitting data, allocate internal memory buffers and a software process to keep a track of what is being sent or received over the wire. Operating system partially does this job by itself and it leaves the rest to the network driver and the protocol stack. Each process does consume some amount of CPU time and take a toll on memory resources.
DoS attack is performed by exploiting this situation, by tweaking the TCP packets in such a way that the server is fooled to respond to each and every mal-fabricated network requests. TCP packets can be forged, or modified to disrupt the basic handshake process in order to create unexpected network responses. This ultimately results in exhausting all the resources on a server which then overwhelms and finally gives up on responding. There are various ways to do this, each using a different technical approach. Please refer to Fig 2 which shows how the various DoS techniques map into the OSI model of network layers. We will now discuss each famous technique in bit more details.
MAC Flood: This is a rare Layer 1 attack in which the attacker sends multiple dummy Ethernet frames, each with a different MAC address. Networks switches treat MAC addresses separately and hence reserve some resource space for each of these requests. This results in utilizing entire memory inside a switch and either shuts it down or makes it non-responsive. In few types of routers a MAC flood attack is also seen to let routers drop their entire routing table, thus disrupting the whole network under its routing domain.
SYN flood: In this technique the attacker sends multiple SYN packets, and upon receiving SYN-ACK from the target it simply does not send ACK, but instead sends more SYN packets. This leaves the TCPIP stack on the target machine thinking that there is possible network congestion or disconnect, and it waits for a specific amount of time. This results in multiple partially-open connections which are maintained by the stack for some time in anticipation that there soon will be an ACK response. In another SYN flooding type instead of not responding, the SYN is sent by attacker with a spoofed address, which becomes destination address for the target system when it responds back with a SYN-ACK packet. However since the spoofed IP never sent a SYN to begin with, it will never send an ACK to this packet, and will simply drop it. On the other hand, the target system does not know this, and keeps the track of it in anticipation that an ACK will be received. In both of these examples, the connection tables and memory resources on the targeted network components are filled up with bogus entries. At one point the entire table entry is filled up and the device stops responding.
Ping of death: In this case, a malformed ping packet flood is sent to the target. Since the TCP stack responds to a certain type of ping packet, it fails to respond to it and exhausts the system resources.
TCP Established connection attack: This type is an extension to SYN flood with the only difference that it used complete 3 way TCP handshake. It does not spoof addresses, it does not strip the ACK responses, but in fact it establishes a TCP connection and simply does not send any data. Due to this, the connection is maintained till it times out, and a flood of such connections results in denial of service on the targeted device. Since the handshake is gracefully followed this attack is difficult to trace and needs advanced techniques to detect and stop.
Smurf attack: This is a famous Layer-3 attack and a widely used technique in which the attacker sends ping traffic to IP broadcast address. However the source address is spoofed and is of the victim machines, due to this the routing device delivers it to the victims and the victims respond back with a ping response. On a larger and populated subnet, this can result into devastating effects and can practically render the routing device non-responsive. There is a similar type called Fraggle attack wherein a UDP echo packet is sent instead of TCP.
TCP RST attack: This is a new breed of DoS attack, in which the source IP field is spoofed and filled with victim’s IP address and this malformed packet is sent to a firewall. This results in forcing firewall to remember this connection for a certain amount of time. This attack is rarely used and its sole purpose is to fool the intrusion detection logic on cheaper firewalls. Unlike the host desktop, a firewall with UTM features works in promiscuous mode and hence takes a note of each and every packet. However if the anomaly detection logic is not smart enough, it simply results in piling up connections and eventually rendering itself useless.
Besides these network layer attacks, there are few which deal with the application layer directly. Such attacks are comparatively easy to detect and fix, however if ignored those can result into heavy down times too. Application layer based attacks exploit the vulnerabilities inside the operating system and the application running under it. Below are few such attacks.
Buffer overflow: This type of attack is very well known in which the operating system is pushed to consume resources to such an extent, that it starts leaking memory, becomes sluggish or simply stops responding. It is a myth that buffer overflow is observed only in Windows operating system, in fact it is very much present in FOSS Linux distros too. Applications such as database servers, email servers and web servers are found to leave buffer overflow vulnerabilities open.
Web and DNS DoS: Web servers run on TCP port 80 and a common target for denial of service attacks. Attackers usually send multiple HTTP web requests which are not mal-formed at all, but simply targeted to retrieve enormous amount of web data from the backend database server. A flood of such request results in making database busy, and makes the web server wait for data to be received. This creates a pile up on both the servers which then become non-responsive to the further requests. This can happen un-intentionally as well, especially when ground breaking news is posted on a website and everyone tries to access it at the same time. In case of DNS servers the attack methodology is similar to web servers but it has serious consequences. If a DNS server becomes non-responsive, it can take down pretty much entire network of a corporate firm.
Distributed DoS attack
In simple terms a distributed DoS attack is a well orchestrated attack to create disruption into an IT network or website in an organized fashion. DDoS attack is a combination of various techniques we discussed above and can result into a catastrophic failure. Please refer to Fig 3. To understand how a typical DDoS attack is planned on a website. A lethal combination of spoofed SYN flood attack and the old style ping of death attack is typically used to disrupt an IT network which is open to the internet.
In a modern form of DDoS attack, the attacker injects malicious code into a virus and thus spreads it to millions of computers making them zombie machines. On a specific day and time, all infected machines start executing that code, which is usually written to access a website or plant a network level attack to a targeted system. Since it is difficult to find out who injected the code into a virus, it is difficult to trace the real attacker. In another non-hazardous form, DDoS attack is modified to access attacker’s website and click advertisements on it, which in turn helps attacker gain money from ad clicks.
Protecting FOSS systems
Though DoS is one of the oldest and commonly known attacks, unfortunately there is no fool proof solution to stop it. This is because it is practically difficult to decide which network connection is legitimate and which one is originating for an attack. While there are specific tools for a particular type of DoS attack, it boils down to the cyber security designing and monitoring to strengthen the network.
Linux FOSS systems are blessed with fantastic network drivers, as well as many built in features such as packet filtering firewall, packet monitoring, network monitoring tool, kernel hardening tools etc. Typical symptom of a DoS attack on a Linux based server is a sluggish system or a slow website, sudden and prolonged increase in processor and memory utilization, excessive disk thrashing without any business activity or slower file transfers etc. On a network monitoring system the observed symptoms could be erroneous number of TCP packet drops, abnormal TCP resets, broken TCP SYN packets being received or duplicate ACK packets being sent. Usually the first level of components getting impacted is a router, followed by a firewall and other network components such as switches. Modern firewalls contain all bells and whistles to fight against a DoS attack, however it cannot always help. Firewalls can certainly protect against network layer based attacks but usually fail to protect from application layer ones. For example, any DoS attack planted on port 80 at HTTP layer will not be stopped by a firewall. In such a case an application level firewall to filter each request and enumerate its legitimacy, is required. For Ubuntu and RHEL variations an APF (Advanced Policy Firewall) is a great tool that can help mitigate the DoS situation. Firewalls cannot protect the router, however modern routers’ firmware (Example Cisco 7600 or X443 routers) contains patches for protecting against DoS attacks.
For smaller Linux networks a nice script can be written to SYN Trap open connections. The same can be done for stopping bogus TCP RST connections as a first line of defense. For mission critical corporate Linux networks, deploying an Intrusion Prevention System device (IPS) is the best choice. IPS device sits on a network in a promiscuous mode and uses built in anomaly detection algorithms to intercept and decode each and every packet. Since its intelligence ranges from Layer 2 to Layer 7, it can gauge which packet is legitimate and which isn’t. It has a great alerting mechanism to proactively inform and stop DoS and DDoS attacks. A good combination of IPS device, UTM firewall and application layer security can help stop these dreaded attacks.
Denial of service attack is a very old and yet very famous type of cyber security attack that can result in a complete shutdown of targeted system or network. There are various ways this attack can be planted by, and the network administrators should know about it and also learn various ways to prevent their networks. Web servers are common targets of DoS attack as it results in shutting down website completely which can cause reputation or monetary loss to a corporate firm. Firewalls and IPS devices can be used to design a rock solid system to achieve secure and stable IT infrastructure network.
About the author
The author has over 18 years of experience in the field of IT hardware, networking, web technologies and IT security. Prashant is MCSE, MCDBA certified and also F5 load balancer expert. In the IT security world he is an ethical hacker and net-forensic specialist.
Prashant runs his own firm named Valency Networks in India (www.valencynetworks.com) providing consultancy in IT security design, security audit, infrastructure technology and business process management. He can be reached at firstname.lastname@example.org.
More Relevant Links Below