A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks:
ICMP Flood
An ICMP flood attack is carried out by bombarding a network with packets, using up its resources and crashing it. One type is the Ping Flood, a simple DoS attack in which the attacker overwhelms its target with ‘ping’ packets; the idea is that the attacker’s bandwidth is larger than the target’s. A Smurf attack is a smarter form of ICMP flooding. Some networks let clients broadcast a message to all other clients by sending it to a single broadcast address. A Smurf attack targets this broadcast address and forges its packets so that they appear to come from within the target. The target broadcasts these packets to all network clients, effectively serving as an amplifier for the attack.
As a means of protecting servers, users should consider configuring individual hosts and routers not to respond to ICMP requests. Alternatively, they can configure routers not to forward packets directed to broadcast addresses.
SYN Flood
SYN floods entail sending a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. SYN is short for "synchronize" and is the first step in establishing communication between two systems over the TCP/IP protocol. When a server receives a SYN request, it responds with a SYN-ACK (synchronize-acknowledge) message. The client then responds with an ACK (acknowledge) message, which establishes the connection between the two systems. In a SYN flood attack, a computer sends a large number of SYN requests but never sends back the ACK messages. The server therefore ends up waiting for many responses that never arrive, tying up system resources.
If the queue of half-open requests grows large enough, the server may not be able to respond to legitimate requests. This results in a slow or unresponsive server. Since SYN flooding is a common type of DoS attack, most server software has the capability to detect and stop SYN floods before they have a noticeable effect on the server. For example, if a server receives a large number of SYN requests from the same IP address in a short period of time, it may temporarily block all requests from that location.
Distributed denial-of-service (DDoS) attacks can be limited by using SYN caching or by implementing SYN cookies. Both of these methods record IP addresses used for flood attacks. The system then limits the resources it will use to respond to requests from those locations. This type of SYN flood protection can be configured directly on the server or on a network firewall.
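To show why a half-open backlog is the resource a SYN flood exhausts, and how a SYN cookie removes that resource, here is an added simulation (not code from the original post). It models a classic server that stores one entry per unanswered SYN next to a stateless server whose SYN-ACK sequence number is an HMAC-derived cookie, then sends spoofed SYNs that never complete followed by one legitimate handshake. The secret, addresses and window length are constructed for the demo.

```python
import hashlib
import hmac

WINDOW = 64                              # seconds per cookie time window (constructed)
SECRET = b"constructed-demo-secret"      # constructed; rotate this in a real deployment

def make_cookie(src, sport, dst, dport, window, secret=SECRET):
    """32-bit cookie: truncated HMAC over the 4-tuple and a coarse time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{window}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

class StatefulBacklog:
    """Classic server: every SYN allocates a half-open entry until its ACK arrives."""
    def __init__(self, capacity):
        self.capacity, self.half_open = capacity, {}
    def on_syn(self, src, sport, dst, dport, now):
        if len(self.half_open) >= self.capacity:
            return None                  # backlog full: this SYN is silently dropped
        isn = 0x1000 + len(self.half_open)
        self.half_open[(src, sport, dst, dport)] = isn
        return isn                       # ISN carried in the SYN-ACK
    def on_ack(self, src, sport, dst, dport, ack, now):
        return self.half_open.pop((src, sport, dst, dport), None) == ack - 1

class SynCookieServer:
    """Stateless server: the SYN-ACK ISN is a cookie; nothing is stored per SYN."""
    def on_syn(self, src, sport, dst, dport, now):
        return make_cookie(src, sport, dst, dport, int(now) // WINDOW)
    def on_ack(self, src, sport, dst, dport, ack, now):
        # Accept only if ack-1 recomputes to the cookie of the current or previous window.
        win = int(now) // WINDOW
        return any((ack - 1) & 0xFFFFFFFF == make_cookie(src, sport, dst, dport, w)
                   for w in (win, win - 1))

def flood_then_connect(server, n_spoofed, now=1_700_000_000):
    """Send n_spoofed SYNs from spoofed sources that never ACK, then one legitimate
    full handshake. Returns True if the legitimate client gets connected."""
    for i in range(n_spoofed):
        server.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.1", 80, now)
    isn = server.on_syn("198.51.100.7", 51515, "192.0.2.1", 80, now + 1)
    if isn is None:
        return False                     # SYN dropped: service denied
    return server.on_ack("198.51.100.7", 51515, "192.0.2.1", 80, isn + 1, now + 1)

if __name__ == "__main__":
    print("backlog server:", flood_then_connect(StatefulBacklog(capacity=128), 500))
    print("cookie server: ", flood_then_connect(SynCookieServer(), 500))
```

The backlog server fills its 128 entries with spoofed SYNs and drops the legitimate one, while the cookie server completes it because no half-open state exists to exhaust.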
Most DoS attacks involve forging IP source addresses so that the attacking machines cannot easily be identified and so that packets cannot be filtered by source address. Users should be aware that DDoS attacks may also involve executing malware that:
- Max out the processor's usage, preventing any work from occurring.
- Trigger errors in the microcode of the machine.
- Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
- Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. using up all available facilities so that no real work can be accomplished, or crashing the system itself.
- Crash the operating system itself.