Introduction to denial of service attacks
Over the past year I've received a steady stream of mail from visitors asking what denial of service attacks really are. So here is an easy-to-understand explanation.
In this type of attack the primary goal is to prevent the victim's machine from fulfilling its required job.
Most acts to deny legitimate use of a service can be classed as a denial of service attack.
In most countries (including the USA) denial of service attacks are considered a federal crime and the guilty can expect lengthy jail time (you may want to look at CCIPS for legal information in the US).
- Bandwidth Consumption
- Other Resource Consumption
- Unauthorized modification of configuration data
- Physical hardware destruction
Flooding a network can cause network equipment such as routers and switches to be overwhelmed to such an extent that they start to affect the speed or success of legitimate network traffic. Basically, all available bandwidth is consumed and none remains for legitimate use.
Commonly a network is flooded with ICMP ECHO packets in an attempt to consume all available bandwidth. In practice it can be any type of packet. These days an attacker cannot simply use one computer to carry out an attack in the above fashion, because a single machine probably cannot create enough requests to overwhelm network equipment. Hence Distributed Denial of Service (DDoS) attacks were born, where an attacker coordinates several computers to flood a victim.
How are other computers used to attack a victim?
Simple: email viruses/worms spread the payload to potentially millions of computers. Once the payload is "installed" on a computer it can be directed by the attacker to bring down a victim's server. This is a reason (if you are a Windows user) you MUST use common sense about which email attachments/software you click on. Linux/BSD users are better protected by the default operating system features but must of course continue to follow common sense (like not running as root, which many newbies do!).
Flooding a server such as a web, mail or print server can cause the daemon to drop/refuse legitimate requests to websites, mail boxes or printers respectively. This time, whilst the network equipment can handle the large volume of requests, the actual serving software may not be able to.
- A website may go down because an attacker is creating a large number of requests to an HTTP server.
- A mail server (SMTP/POP etc.) can fail if it is "mail bombed". This is the act of sending hundreds or thousands of bogus emails in a very short amount of time.
- In an office your printing ability can be denied by a malicious co-worker or, worse, a network vulnerability which allows an attack by sending several large print jobs or perhaps corrupted print jobs that can stall the printer.
Denial of service attacks by exploiting network connectivity
In this type of denial of service the attacker attempts to force the server to stop communicating on the network and hence denies a service. Do not, however, confuse this with bandwidth consumption: in this case the attack does not revolve around consuming all bandwidth.
Rather, the attacker starts a connection but does so in a way that the connection never completes. To complete the connection the server reserves one of a limited number of kernel data structures; because the connection never completes, that structure stays reserved, and once the victim runs out of structures new legitimate connections cannot be started. This is called a "SYN FLOOD" attack.
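Seen from the server's side, the build-up of half-open connections described above shows up in the kernel's connection table. The following is an added example, not part of the original article, that counts SYN-RECV entries per listening port from constructed `ss -tan` style output and flags ports whose half-open entries are eating into the listen backlog; the column layout, the sample addresses and the 50% warning threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout of `ss -tan`. Addresses come from
# documentation ranges, not real hosts. On a LISTEN row, Send-Q is the backlog.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      8      0.0.0.0:80          0.0.0.0:*
LISTEN   0      8      0.0.0.0:22          0.0.0.0:*
ESTAB    0      0      10.0.0.5:80         198.51.100.7:51234
SYN-RECV 0      0      10.0.0.5:80         203.0.113.9:40001
SYN-RECV 0      0      10.0.0.5:80         203.0.113.9:40002
SYN-RECV 0      0      10.0.0.5:80         203.0.113.9:40003
SYN-RECV 0      0      10.0.0.5:80         203.0.113.10:40004
SYN-RECV 0      0      10.0.0.5:80         203.0.113.11:40005
SYN-RECV 0      0      10.0.0.5:80         203.0.113.12:40006
SYN-RECV 0      0      10.0.0.5:22         198.51.100.9:40007
"""

# State, Recv-Q, Send-Q, local addr, local port, peer addr, peer port (or *)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)")

def parse(ss_text):
    """Return (listen backlog per local port, Counter of peers holding a
    half-open SYN-RECV entry per local port)."""
    backlog, half_open = {}, defaultdict(Counter)
    for line in ss_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or an unexpected layout
        state, send_q, port, peer = m.group(1), int(m.group(3)), int(m.group(5)), m.group(6)
        if state == "LISTEN":
            backlog[port] = send_q
        elif state == "SYN-RECV":
            half_open[port][peer] += 1
    return backlog, half_open

def assess(ss_text, warn_ratio=0.5):
    """One finding per listening port whose half-open entries exceed
    warn_ratio of its backlog, naming the peer that holds the most of them."""
    backlog, half_open = parse(ss_text)
    findings = []
    for port, peers in sorted(half_open.items()):
        total, limit = sum(peers.values()), backlog.get(port)
        if limit and total / limit > warn_ratio:
            peer, n = peers.most_common(1)[0]
            findings.append({"port": port, "half_open": total, "backlog": limit,
                             "top_peer": peer, "from_top_peer": n})
    return findings
```

On the sample, port 80 holds 6 of 8 backlog slots in SYN-RECV, half of them from one peer, while port 22 stays below the threshold.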
Often victims are those on IRC (do not fear, however), as this is a perfect medium for an attacker to easily obtain your IP address. The attack has nothing to do with the IRC server/service itself, so those administrators are limited in how they can help you. Popular IRC networks hide your IP address to protect you, so it's safer to choose one of these networks.
A firewall can stop a limited number of DoS attacks, such as a SYN attack. A firewall can also perhaps filter out attacks aimed at exploits in the operating system or in applications. Of course it's safer to install the latest security patches as well.
Firewalls at your "home/office" computer level generally cannot protect against flooding. Your line will be flooded whether or not you have a firewall. However, a firewall can reduce the "flood" by blocking your computer's replies back down the line. Generally home users are not affected by this sort of flood, but that's not to say it cannot happen.
Socially speaking there must be a reason for such attacks; large corporations tend to come under heavy fire from DoS attacks. An example is the attacks launched by a teenager that crippled Amazon and Yahoo! in 2001.