
Stop Denial of Service attacks

Written by Michael D.   
You have probably heard the term Denial of Service (DoS) before. What does it mean, and how can you stop it?

Taking advantage of a known problem in the operating system or in any service running on the target, a skilled programmer can build an application that sends data crafted to make the targeted system crash.

The worst case is not a hacker crashing a single service, but one who finds a way to drive CPU usage to its maximum, causing the whole system to malfunction.

Of course, most attacks are not initiated by this kind of programmer, but by "script kiddies" who only read about an attack, find the program's source on the web and use it without understanding the mechanisms it relies on.

DoS attacks are often closely related to brute force attacks. A brute force attack tries every combination of possible characters, or a dictionary word list, to find passwords on the system (e.g. root accounts). Once a root account on a network has been found out, any DoS attack can easily be launched from inside that network.

Here are some of the most known DoS attacks:

1. SYN Floods

You should know that when a client and a server want to exchange data over TCP, a three-way handshake takes place:

  • The client asks for a connection with a SYN (synchronize) packet
  • The server replies to the client with a SYN-ACK (synchronize-acknowledge)
  • The client sends a third packet, an ACK, and the transmission of data starts.

A SYN flood works by sending SYN packets from false IP addresses (IP spoofing). The server replies to each false address with a SYN-ACK and then waits for the ACK, keeping a half-open connection in the meantime. Done many times, this fills the server's table of half-open connections, so it can no longer open new ones and the service becomes unreachable.

Another SYN flood variant involves sending the server a packet spoofed with the server's own address (say the server's IP is 192.168.1.20: a SYN packet is sent from 192.168.1.20 to 192.168.1.20). Repeating this many times makes the server send SYN-ACK and ACK to itself, blocking it.

Fixes for this kind of attack limit the number of half-open connections accepted from the same source within a time frame. SYN cookies go a step further: the server keeps no state for the SYN and only allocates the connection when the final ACK comes back, which proves that the sender's IP address is real.
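To make the SYN cookie idea concrete, here is an added example (not code from the original tutorial) of how a server can encode a stateless cookie into the SYN-ACK sequence number and validate the final ACK. The secret, the MSS table, the 64-second time tick and the bit layout are assumptions chosen for illustration; a spoofed source never receives the SYN-ACK, so it can never return a valid cookie and the server commits no memory to it.

```python
import hashlib
import hmac

# Hypothetical server secret and MSS table, constructed for this example
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1220, 1460)            # index fits in the 3-bit MSS field

def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN for the SYN-ACK. The server stores nothing for this half-open SYN."""
    t = (now // 64) & 0x1F                                   # 5-bit counter, 64 s per tick
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Validate the third packet's ACK; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF                          # the client ACKs ISN + 1
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    if (((now // 64) - t) & 0x1F) > 1:                       # only current or previous tick
        return None
    if mac != _mac24(src_ip, src_port, dst_ip, dst_port, t):
        return None                                          # wrong source/port or forged cookie
    return MSS_TABLE[idx]

if __name__ == "__main__":
    isn = make_cookie("203.0.113.9", 40000, "192.168.1.20", 80, 1460, 1_000_000)
    print(check_cookie("203.0.113.9", 40000, "192.168.1.20", 80, isn + 1, 1_000_000))
```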

2. SMURF attacks

In this kind of attack a massive amount of ping traffic (ICMP echo requests) is sent to the broadcast address of a network, with the source IP address spoofed to look like the target's. If this traffic is forwarded into the network, every host replies with an echo reply to the target, believing it received an echo request (ping) from it. In a large network a targeted server can be flooded by hundreds of replies at once. By sending the spoofed packet repeatedly, the server is flooded until it crashes from the overload.

This kind of attack was mostly fixed by configuring routers not to forward directed-broadcast traffic into the network; hosts can additionally be configured to ignore echo requests addressed to a broadcast address.

3. LAND attacks

LAND attacks take advantage of open network services on the target. Using a port scanner, open ports and services are found. Then spoofed packets are sent whose source IP address is the same as the destination IP address (the server's own address), making the server reply to itself. Say, for example, that the target runs SNMP (Simple Network Management Protocol, a service used to report network and system usage). By making the SNMP service reply to itself continuously, it eventually crashes.

4. Ping of death

This type of DoS attack takes advantage of a known issue in Windows 9x and older NT stations, as well as Linux prior to 2.0.32. Many routers and printers older than 1998 are vulnerable to it too.
It works by sending a malformed ping packet. Ping packets are usually small (32 or 64 bytes by default). Older operating systems and other devices could not handle a ping that, once its fragments were reassembled, exceeded the maximum IP packet size of 65535 bytes (defined by RFC 791). Any system that does not know how to handle such a large or malformed packet crashes (e.g. Windows 9x produced a blue screen of death).
Patches are available on the web for the affected old operating systems and devices.

5. Ping flooding

This is probably the simplest DoS attack that exists, and it is also the most used. It works by overwhelming the target with echo requests (pings) carrying large packets. The target's bandwidth is already occupied by these requests, and it makes things worse for itself by starting to reply to them. Of course, the attacker must have more bandwidth than the target (for example, flooding a dial-up user from a 1 Mbps connection).
As servers' bandwidth increased, this type of attack became useless for, say, a single ADSL user.
The "problem" was solved by using multiple hosts, creating the first DDoS (distributed denial of service) attacks.
A DDoS attack works by owning, say, 50 boxes, each with 1 Mbps of bandwidth. The attacker then uses all of them to ping flood the target, creating a huge amount of traffic towards the host.
Stacheldraht, for example, is a console that connects to owned boxes running the Stacheldraht server and coordinates the attack from a single point.
The defence against this type of attack is a firewall that drops incoming echo requests, so that no echo replies are sent. Of course, firewalls can be crashed as well.
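The pattern matching a firewall does against a ping flood, or against the burst of replies a smurf attack produces, can be shown with a small detector. This is an added example, not part of the original tutorial, run over constructed iptables-LOG-style lines (the hostname, addresses and thresholds are made up). It flags a source sending more than req_limit echo requests in one second, and a target receiving echo replies from at least reply_fanin distinct hosts in one second, which is the signature of directed-broadcast amplification.

```python
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?SRC=(\S+) DST=(\S+) .*?PROTO=ICMP TYPE=(\d+)")

def _line(sec, src, dst, icmp_type):
    """Build one iptables-LOG-style syslog line (constructed sample data)."""
    h, m, s = sec // 3600, sec % 3600 // 60, sec % 60
    return (f"Jun 23 {h:02}:{m:02}:{s:02} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=1500 PROTO=ICMP TYPE={icmp_type} CODE=0")

# Constructed sample log: a 40 pkt/s ping flood, a smurf-style burst of replies, one normal ping
SAMPLE_LOG = (
    [_line(36000 + i // 40, "203.0.113.9", "192.168.1.20", 8) for i in range(120)]
    + [_line(36010, f"192.168.1.{h}", "192.168.1.20", 0) for h in range(30, 60)]
    + [_line(36020, "198.51.100.4", "192.168.1.20", 8)]
)

def parse(line):
    """Return (seconds_of_day, src, dst, icmp_type) or None for non-ICMP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hh, mm, ss, src, dst, t = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, dst, int(t)

def detect(lines, window=1, req_limit=20, reply_fanin=10):
    """Sliding-window ICMP checks over time-ordered lines; return sorted alerts."""
    requests = defaultdict(deque)        # src -> timestamps of recent echo requests
    repliers = defaultdict(dict)         # dst -> {src: time of last echo reply}
    alerts = set()
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, icmp_type = rec
        if icmp_type == 8:                                   # echo request: per-source rate
            q = requests[src]
            q.append(ts)
            while ts - q[0] >= window:
                q.popleft()
            if len(q) > req_limit:
                alerts.add(("ping-flood", src))
        elif icmp_type == 0:                                 # echo reply: fan-in to one target
            seen = repliers[dst]
            seen[src] = ts
            for stale in [s for s, t in seen.items() if ts - t >= window]:
                del seen[stale]
            if len(seen) >= reply_fanin:
                alerts.add(("smurf-reply-fanin", dst))
    return sorted(alerts)
```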

6. Fraggle attacks

A fraggle attack takes place when an attacker sends a massive amount of UDP echo data to network broadcast addresses, using the target's IP as the packets' source. All hosts reply to the target, flooding it. It usually uses UDP port 7 (echo). The fraggle code was written by the same person who wrote the smurf attack.

7. Teardrop attacks

This attack involves packets sent by the attacker to the target with oversized payloads. It exploits a bug in the TCP/IP protocol stack, crashing the system. Only Windows 3.11, Windows 95 and Linux prior to 2.0.32 were vulnerable to this kind of attack.

8. Other types of attacks

Other types of attacks involve application flooding, such as the IRC bot raw-line flood, which usually crashes Windows boxes running mIRC or any other client. These attacks rely on a greater number of raw socket transactions than a computer can handle.



written by kim , July 03, 2007

Someone is pinging me off my internet with DDoS attacks. How do I stop it?
written by Michael D. , July 03, 2007

Hello Kim

Well, get a firewall like:
- ZoneLabs (get it from http://www.zonelabs.com/store/.../products/ ) or

- Sygate Personal Firewall (from http://www.simtel.net/product....p?id=53687 )

Both of them have a free personal usage license (I personally recommend Sygate Pers. Firewall). By installing either of them, blocking outside ICMP packets (like ping) is enabled by default. If you do this, the ping packets will be dropped with no echo back to the sender, preventing any kind of flooding.

For older versions of these applications, check out http://www.oldversion.com

Best regards!
written by SiriX , August 17, 2007

Why are you using ZoneLabs and Sygate?

Use Outpost Firewall or Kerio Firewall.

written by David Wall , September 22, 2007

Another thing to consider is that in corporate and university LANs, the attack could come from within the network from an authenticated device.

For example, imagine that a student browses a malicious website without protection and the student's laptop, plugged into the university network, is taken over by a hacker who launches a DOS attack against the school's network.

Quickly figuring out where on the network the student's laptop is physically connected would be a challenge. Amongst the solutions are intelligent patching systems that can be used to manage connections between the network hardware and the cabling system.
written by Mihai Dobos , September 22, 2007

Hello

You are right, but intelligent networks come into play.
You need to know what devices are connected and where. If it's an outsider (a student's laptop), don't allow it to access the LAN; redirect it automatically to a domain where it can only surf the Internet.

Another method is forcing connections through a proxy which allows only port 80 or so. Dynamically blacklisting sites in the proxy server will increase browsing security a lot.

Mihai D.
written by annon , February 20, 2008

Lol, you explain the types of attacks but you don't explain how to stop them?
written by SHANNON , February 25, 2008

How do you explain how a firewall can stop DDoS?
written by Mihai Dobos , February 27, 2008

Hello Shannon

A firewall watches for patterns in the traffic, and it drops packets if they match a certain DoS model.

Different firewall solutions use different methods; it just depends on your desired level of security.
written by Celestial Sunberry , March 08, 2008

I have ZoneAlarm. The problem? I'm being pinged to death. It keeps on axing my net every once in a while because it's getting so overloaded. That being said, I want to STOP the people/person from pinging me completely.
written by Mihai Dobos , March 13, 2008

Hello Sunberry

First of all, ZoneAlarm is not the best choice when it comes to heavy denial of service attacks (for a home user, I mean). Get Sygate firewall; it's free in the personal edition and works better.

Second of all, there are still attacks that cannot be filtered by conventional software firewalls targeted at home users and small offices. However, the ping of death should be filtered without any problems by any operating system (Windows 2k, XP, 2003, Vista) even without using a firewall; this leads to the possibility that you are being attacked by something else.

The cheapest and yet best solution is to contact your Internet Service Provider and give them some firewall logs in order to ban those packets and take legal actions if needed.


Last Updated ( Saturday, 23 June 2007 )