Stop Denial of Service attacks

Written by Michael D.   
You have probably heard the term Denial of Service (DoS) before. What does it mean, and how can you stop it?

A DoS attack makes a system or a service unavailable to its legitimate users. By taking advantage of a known flaw in the operating system or in a service running on the target, a capable programmer can build a tool that sends specially crafted data and crashes the targeted system.

The worst case is not a single crashed service, which can be restarted, but an attack that keeps the CPU (or the memory, or the network link) saturated for as long as it runs, so that the whole system stops doing useful work.

Of course, most attacks are not launched by programmers of that calibre but by "script kiddies" who have only read about the technique, found the program's source on the web and run it without understanding the mechanism it uses.

DoS attacks are often combined with brute-force attacks. A brute-force attack tries every combination of characters, or every word from a dictionary list, against the passwords on a system (the root account, for example). Once a root account on a network has been cracked, the attacker has a machine inside that network from which DoS attacks can be launched easily, using someone else's bandwidth and address.

Here are some of the best-known DoS attacks:

1. SYN Floods

You should know that when a client and a server want to exchange data over TCP, a three-way handshake takes place first:

  • The client asks for a connection with a SYN (synchronize) packet.
  • The server replies with a SYN-ACK (synchronize-acknowledge) and, in a classic implementation, records the half-open connection while it waits.
  • The client sends a third packet, the ACK, and data transmission starts.

A SYN flood sends a stream of SYN packets with forged source addresses (IP spoofing). The server answers each one with a SYN-ACK to the forged address and waits for an ACK that never comes, keeping a half-open connection entry for each until it times out. Done often enough, this fills the server's backlog of half-open connections, and new SYNs, including those from real clients, are dropped: the service is unreachable even though the network itself may be nowhere near congested.

A related trick is to send the server a SYN whose source address is the server's own (if the server is 192.168.1.20, a SYN from 192.168.1.20 to 192.168.1.20). A vulnerable stack answers itself with SYN-ACK and ACK and locks up; this is the LAND attack described in section 3 below.

The first countermeasures limited the number of half-open connections allowed per source address and per time window. SYN cookies solve the problem differently: instead of storing state when the SYN arrives, the server encodes the connection details (a coarse timestamp, the client's MSS and a keyed hash of the addresses and ports) in the initial sequence number of its SYN-ACK. Only when a valid ACK comes back, proving that the client really received that SYN-ACK at the claimed address, is the connection created. Spoofed SYNs therefore cost the server no memory at all.
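To make the difference concrete, here is an added example (my code, not part of the original tutorial) that models both behaviours in Python: a backlog-based listener that keeps a slot per half-open connection, and a SYN-cookie listener that keeps nothing until the ACK arrives. The cookie layout (5-bit timestamp, 27 bits of keyed hash plus MSS index) follows the general scheme rather than any particular operating system's exact bit layout; the server address, the key, the MSS table and the spoofed traffic are all constructed for the demonstration.

```python
import hashlib
import hmac
import random
import struct

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values a cookie can encode (2 bits); an assumption


class BacklogServer:
    """The stateful behaviour a SYN flood exploits: every SYN reserves a slot
    in a fixed-size backlog until the third packet (or a timeout, not
    modelled here) releases it. Spoofed SYNs never get their third packet."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, src, sport, dst, dport, client_isn, mss):
        if len(self.half_open) >= self.backlog:
            return None                    # queue full: the SYN is dropped
        self.half_open[(src, sport, dst, dport)] = (client_isn, mss)
        return 0x5EED0000                  # any ISN; the state lives in the dict


class SynCookieServer:
    """Stateless alternative: the SYN-ACK's initial sequence number encodes a
    coarse timestamp, an MSS index and a keyed hash of the 4-tuple. Nothing is
    stored until an ACK arrives that proves the client saw that ISN."""

    def __init__(self, key: bytes, clock):
        self.key = key                     # secret; rotating it voids old cookies
        self.clock = clock                 # seconds; injected so the demo can move time
        self.established = []

    def _tick(self) -> int:
        return int(self.clock()) // 64     # 64 s per tick; 5 bits of it travel in the cookie

    def _mac(self, src, sport, dst, dport, tick) -> int:
        msg = struct.pack("!4sH4sHI", src, sport, dst, dport, tick)
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, dst, dport, client_isn, mss) -> int:
        """Return the ISN for the SYN-ACK. No memory is allocated here."""
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        tick = self._tick()
        mac = self._mac(src, sport, dst, dport, tick)
        body = (mac + client_isn + mss_idx) & 0x07FFFFFF          # low 27 bits
        return ((tick & 0x1F) << 27) | body

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Third packet. Returns the connection tuple, or None if the cookie is bad."""
        client_isn = (seq - 1) & 0xFFFFFFFF
        cookie = (ack - 1) & 0xFFFFFFFF
        now = self._tick()
        age = (now - (cookie >> 27)) & 0x1F
        if age > 1:
            return None                    # more than ~2 minutes old: stale
        mac = self._mac(src, sport, dst, dport, now - age)
        mss_idx = (cookie - mac - client_isn) & 0x07FFFFFF
        if mss_idx >= len(MSS_TABLE):
            return None                    # hash mismatch: forged or mis-addressed
        conn = (src, sport, dst, dport, MSS_TABLE[mss_idx])
        self.established.append(conn)
        return conn


def demo():
    """Ten thousand spoofed SYNs, then one honest client (constructed traffic)."""
    rnd = random.Random(1)
    now = [1_700_000_000.0]
    stateful = BacklogServer(backlog=128)
    stateless = SynCookieServer(b"rotate-me-periodically", lambda: now[0])
    srv = bytes([192, 168, 1, 20])                 # the tutorial's server address
    for i in range(10_000):                        # the attacker never sends an ACK
        src = struct.pack("!I", rnd.getrandbits(32))
        isn = rnd.getrandbits(32)
        stateful.on_syn(src, 40_000 + i % 20_000, srv, 80, isn, 1460)
        stateless.on_syn(src, 40_000 + i % 20_000, srv, 80, isn, 1460)
    legit = bytes([10, 0, 0, 7])
    dropped = stateful.on_syn(legit, 51515, srv, 80, 12345, 1460)
    cookie = stateless.on_syn(legit, 51515, srv, 80, 12345, 1460)
    ok = stateless.on_ack(legit, 51515, srv, 80, 12346, cookie + 1)
    forged = stateless.on_ack(legit, 51515, srv, 80, 12346, (cookie ^ 0x1000) + 1)
    now[0] += 300                                  # the same ACK replayed five minutes later
    stale = stateless.on_ack(legit, 51515, srv, 80, 12346, cookie + 1)
    return {
        "stateful_half_open": len(stateful.half_open),        # 128: backlog full
        "legit_syn_dropped_by_stateful": dropped is None,      # True
        "stateless_accepted": ok,                              # (legit, 51515, srv, 80, 1460)
        "stateless_established": len(stateless.established),   # 1
        "forged_rejected": forged is None,                     # True
        "stale_rejected": stale is None,                       # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

After the flood the backlog server holds 128 half-open entries and drops the honest client's SYN, while the cookie server accepts the honest client's ACK, rejects an ACK with a guessed cookie and rejects the same ACK replayed five minutes later. The price is visible in the code too: a cookie can only remember the MSS index, not other TCP options, which is why real stacks enable cookies only once the backlog is actually full.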

2. SMURF attacks

In this attack a massive amount of ping traffic (ICMP echo requests) is sent to the broadcast address of a network, with the source address spoofed to be the target's. If the router forwards this directed broadcast onto the LAN, every host on it believes the target sent it an echo request and replies to the target. On a large network one spoofed packet turns into hundreds of replies, so the amplification factor is the number of hosts on the segment. Repeating this many times floods the target's link until it is overwhelmed.

This attack was mostly fixed by configuring routers not to forward directed broadcasts (on Cisco IOS "no ip directed-broadcast" has been the default since release 12.0) and hosts not to answer echo requests sent to a broadcast address (on Linux, the sysctl net.ipv4.icmp_echo_ignore_broadcasts). Filtering spoofed source addresses at the network edge (ingress filtering, BCP 38) removes the other ingredient.

3. LAND attacks

LAND attacks target open network services on the victim. The attacker first locates open ports and services with a port scanner, then sends spoofed packets whose source address (and, in the classic form, source port) equals the destination address and port, so the victim replies to itself. The original LAND packet is a TCP SYN with identical source and destination address and port; a vulnerable stack loops on its own reply and locks up. The same idea has been applied to other services, SNMP (Simple Network Management Protocol, the service used to report network and system usage) for example: make the SNMP agent answer itself continuously and it eventually crashes.

4. Ping of death

This DoS attack exploits a well-known bug in Windows 9x and older NT stations, as well as Linux prior to 2.0.32. Many routers and printers older than 1998 are vulnerable to it too.
It works by sending a malformed ping. Normal ping packets are small (32 or 64 bytes of data by default). The maximum size of an IP packet is 65535 bytes (RFC 791); a larger ping has to be sent as IP fragments, and the offset of the last fragment plus its length adds up to more than 65535 bytes. Older operating systems and devices did not check for that when reassembling the fragments, overflowed the reassembly buffer and crashed (on Windows 9x with a blue screen of death).
Patches are available on the web for all the old operating systems and devices affected.

5. Ping flooding

This is probably the simplest DoS attack there is, and also the most used. It works by overwhelming the target with echo requests (pings) carrying large payloads. The target's bandwidth is eaten by the incoming requests, and it makes things worse for itself by replying to each one. The attacker needs more bandwidth than the target (for example, flooding a dial-up user from a 1 Mbps connection).
As servers' bandwidth grew, this attack became useless for an ADSL user, for instance.
The attackers' "problem" was solved by using many hosts at once, which gave us the first DDoS (distributed denial of service) attacks.
A DDoS attack works by owning, say, 50 boxes with 1 Mbps each and then using all of them to ping-flood the target, producing far more traffic than any single attacker could.
Stacheldraht, for example, is a handler program that connects to compromised boxes running the Stacheldraht agent and coordinates the attack from a single point.
The usual answer is a firewall that drops inbound echo requests, so the host never sends replies. Note what that does and does not buy you: it saves the host's CPU and its upstream bandwidth, but the flood has already crossed the inbound link by the time the firewall sees it; only the upstream provider can filter it earlier. And a firewall can itself be overwhelmed.
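The following is an added example (my code, not from the original tutorial) of the kind of rate limiting a host firewall applies to echo requests: a small token bucket per source address, which stops a single flooder, plus one global bucket that caps the total reply traffic no matter how many sources share the load. The two simulated scenarios, one flooder versus fifty bots, and the addresses and rates in them are constructed for the demonstration.

```python
from collections import OrderedDict


class TokenBucket:
    """Allows `burst` packets at once, then `rate` per second on average."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EchoRequestFilter:
    """Decide, per inbound ICMP echo request, whether the host answers it.

    The per-source table is bounded (oldest entry evicted) so that a flood
    from random spoofed sources cannot grow the table without limit."""

    def __init__(self, src_rate=5.0, src_burst=10, total_rate=100.0, total_burst=200,
                 max_sources=10_000):
        self.src_args = (src_rate, src_burst)
        self.sources = OrderedDict()                 # src -> TokenBucket, oldest first
        self.max_sources = max_sources
        self.total = TokenBucket(total_rate, total_burst)
        self.stats = {"answered": 0, "dropped_per_source": 0, "dropped_total": 0}

    def decide(self, src: str, now: float) -> bool:
        bucket = self.sources.get(src)
        if bucket is None:
            if len(self.sources) >= self.max_sources:
                self.sources.popitem(last=False)    # evict the oldest source
            bucket = self.sources[src] = TokenBucket(*self.src_args)
        if not bucket.allow(now):
            self.stats["dropped_per_source"] += 1
            return False
        if not self.total.allow(now):
            self.stats["dropped_total"] += 1
            return False
        self.stats["answered"] += 1
        return True


def run(events):
    """events: constructed (time, source) pairs; returns answered count per source."""
    filt = EchoRequestFilter()
    answered = {}
    for t, src in sorted(events):
        answered.setdefault(src, 0)
        if filt.decide(src, t):
            answered[src] += 1
    return answered, filt.stats


def single_flooder():
    """One host at 1000 pings/s for 10 s next to a legitimate host at 1 ping/s."""
    events = [(i / 1000, "198.51.100.9") for i in range(10_000)]
    events += [(j + 0.5, "203.0.113.5") for j in range(10)]
    return run(events)


def distributed():
    """Fifty bots at 4 pings/s each, every one of them under the per-source limit."""
    events = [(k / 4 + b / 1000, f"192.0.2.{b + 1}") for b in range(50) for k in range(40)]
    events += [(j + 0.5, "203.0.113.5") for j in range(10)]
    return run(events)


if __name__ == "__main__":
    print(single_flooder())
    print(distributed())
```

In the first scenario the flooder gets about 60 replies out of 10,000 requests and the legitimate host gets all 10 of its replies. In the second, no bot ever trips its per-source limit, so only the global bucket holds the reply volume down, and the legitimate host now competes with the bots for it: that collateral loss is what makes DDoS hard to filter at the victim, and the inbound packets have consumed the link either way.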

6. Fraggle attacks

A fraggle attack takes place when the attacker sends a massive amount of UDP traffic to network broadcast addresses with the target's IP as source. All hosts reply to the target, flooding it. It usually uses UDP port 7 (echo), and sometimes port 19 (chargen), which answers with more data than it receives. The code was written by the same person who wrote the smurf attack.
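Smurf (section 2), LAND (section 3) and fraggle (section 6) all rely on a forged source address, and the packets have a recognisable shape. The added example below (my code, not from the tutorial) builds one packet of each from raw bytes and runs them through a classifier of the kind a filtering router would apply on its outside interface: an ingress check that our own address range never arrives from outside (BCP 38), a source-equals-destination check, and checks for echo traffic aimed at a broadcast address. The protected network 192.168.1.0/24, the server address and the five sample packets are assumptions made for the demonstration.

```python
import ipaddress
import struct

# Assumption: the protected LAN is the 192.168.1.0/24 the tutorial's server lives in.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
AMPLIFIER_UDP_PORTS = {7: "echo", 19: "chargen"}   # what fraggle bounces off


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 datagram (constructed test traffic, not a capture)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_echo_request(data: bytes = b"\x00" * 32) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data      # type 8 = echo request
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum 0 = none


def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def classify(pkt: bytes, from_outside: bool) -> list:
    """Return the reasons a filtering router or host should drop this packet."""
    ver_ihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        return ["malformed: bad version or header checksum"]
    src, dst, body = ipaddress.ip_address(s), ipaddress.ip_address(d), pkt[ihl:total]
    findings = []
    if from_outside and any(src in net for net in LOCAL_NETS):
        findings.append("spoofed: our own address space as source on the outside interface (BCP 38)")
    if src == dst:
        ports = ""
        if proto in (6, 17) and len(body) >= 4:
            sport, dport = struct.unpack("!HH", body[:4])
            ports = f", port {sport} to {dport}"
        findings.append(f"land: source equals destination{ports}")
    to_broadcast = dst == LIMITED_BROADCAST or any(dst == net.broadcast_address for net in LOCAL_NETS)
    if to_broadcast and proto == 1 and len(body) >= 8 and body[0] == 8:
        findings.append("smurf: ICMP echo request to a directed broadcast address")
    if to_broadcast and proto == 17 and len(body) >= 8:
        dport = struct.unpack("!H", body[2:4])[0]
        if dport in AMPLIFIER_UDP_PORTS:
            findings.append(f"fraggle: UDP {AMPLIFIER_UDP_PORTS[dport]} to a directed broadcast address")
    return findings


def sample_traffic():
    """Five constructed packets as they would appear on the router's outside interface."""
    server, bcast = "192.168.1.20", "192.168.1.255"
    return {
        "smurf":   ipv4(server, bcast, 1, icmp_echo_request()),
        "fraggle": ipv4(server, bcast, 17, udp(7, 7, b"\x00" * 64)),
        "land":    ipv4(server, server, 6, tcp_syn(139, 139)),
        "ping":    ipv4("203.0.113.5", server, 1, icmp_echo_request()),
        "dns":     ipv4("203.0.113.53", server, 17, udp(53, 3456, b"\x00" * 40)),
    }


def verdicts():
    return {name: classify(pkt, from_outside=True) for name, pkt in sample_traffic().items()}


if __name__ == "__main__":
    for name, why in verdicts().items():
        print(name, why or ["pass"])
```

All three attack packets are already caught by the ingress check, because each has to claim a source inside our own network to do its job; the signature checks only matter for traffic that originates inside the LAN, where `from_outside=False`. The two benign packets, an ordinary ping and a DNS reply to the server, pass untouched.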

7. Teardrop attacks

This attack sends the target IP fragments that cannot be reassembled sanely: the offset of the second fragment lies inside the first, so the fragments overlap. It exploits a bug in the IP reassembly code of the TCP/IP stack, which computed a negative length from the overlap and crashed the system. Windows 3.11, 95 and NT (before the fix) and Linux prior to 2.0.32 were vulnerable.
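Ping of death (section 4) and teardrop are both failures of IP fragment reassembly, and the same two checks stop both. The added example below (my code, not from the tutorial) is a small reassembler that rejects any fragment which would push the datagram past 65535 bytes and any fragment that overlaps one already accepted, then runs a legitimate 3000-byte ping, a ping-of-death fragment and a teardrop pair through it. Fragments are given as (offset in bytes, more-fragments flag, payload), i.e. already taken out of the IPv4 header; the payload sizes and offsets are constructed for the demonstration.

```python
MAX_DATAGRAM = 65535   # largest value the 16-bit IPv4 total-length field can hold
IP_HEADER = 20         # minimal header; a header with options only lowers the limit


class FragmentError(ValueError):
    """Raised for a fragment that no well-formed datagram could contain."""


class Reassembler:
    def __init__(self):
        self.frags = []        # (start, end, payload) for each accepted fragment
        self.total_len = None  # known once the fragment without MF has arrived

    def add(self, offset, more, payload):
        start, end = offset, offset + len(payload)
        # Ping of death: the reassembled datagram must still fit the 16-bit length.
        if end + IP_HEADER > MAX_DATAGRAM:
            raise FragmentError(
                f"ping of death: fragment ends at byte {end}, datagram would exceed {MAX_DATAGRAM}")
        # Teardrop: overlapping fragments. Drop the datagram rather than reconcile
        # them; the old stacks crashed in exactly that reconciliation.
        for s, e, _ in self.frags:
            if start < e and s < end:
                raise FragmentError(
                    f"teardrop: fragment [{start},{end}) overlaps accepted fragment [{s},{e})")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if not more:
            if self.total_len is not None:
                raise FragmentError("two fragments claim to be the last one")
            self.total_len = end
        self.frags.append((start, end, payload))
        return self.complete()

    def complete(self):
        """Return the reassembled payload once every byte up to the end is present."""
        if self.total_len is None:
            return None
        pos = 0
        for s, e, _ in sorted(self.frags):
            if s != pos:
                return None        # a hole: wait for more fragments
            pos = e
        if pos != self.total_len:
            return None
        return b"".join(p for _, _, p in sorted(self.frags))


def fragment(payload, mtu=1500):
    """Split a datagram payload the way a router would (constructed helper)."""
    step = (mtu - IP_HEADER) // 8 * 8
    out = []
    for off in range(0, len(payload), step):
        out.append((off, off + step < len(payload), payload[off:off + step]))
    return out


def scenarios():
    """Feed three constructed datagrams through the reassembler."""
    results = {}
    # 1. A legitimate 3000-byte ping payload crossing a 1500-byte MTU link.
    data = bytes(i % 251 for i in range(3000))
    r, out = Reassembler(), None
    for off, more, chunk in fragment(data):
        out = r.add(off, more, chunk)
    results["benign"] = out == data
    # 2. Ping of death: a final fragment at the maximum offset (0x1FFF * 8 = 65528)
    #    carrying more than the 7 bytes that would still fit.
    try:
        Reassembler().add(0x1FFF * 8, False, b"A" * 100)
        results["ping_of_death"] = None
    except FragmentError as e:
        results["ping_of_death"] = str(e)
    # 3. Teardrop: the second fragment starts inside the first (offset 24 < 40).
    r = Reassembler()
    try:
        r.add(0, True, b"B" * 40)
        r.add(24, False, b"C" * 16)
        results["teardrop"] = None
    except FragmentError as e:
        results["teardrop"] = str(e)
    return results


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The benign ping reassembles to its original bytes, the oversized fragment is refused before any buffer is touched, and the overlapping pair is refused on the second fragment. A real stack also needs a timeout and a cap on buffered fragments per source, otherwise an attacker can exhaust memory with fragments that never complete.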

8. Other type of attacks

Other types of attacks flood the application rather than the network stack. One example is sending an IRC client such as mIRC a stream of raw lines, which used to crash Windows boxes running it. These attacks rely on generating more socket transactions than the machine can handle.



written by kim , July 03, 2007

Someone is pinging me out of my internet with DDoS attacks. How do I stop it?
written by Michael D. , July 03, 2007

Hello Kim

Well get a firewall like:
- ZoneLabs (get it from http://www.zonelabs.com/store/.../products/ ) or

- Sygate Personall Firewall (from http://www.simtel.net/product....p?id=53687 )

Both of them have a free personal usage license (I personally recommend Sygate Personal Firewall). By installing any of them, blocking outside ICMP packets (like Ping) is enabled by default. If you do this, the ping packets will be dropped with no echo back to the sender, preventing any kind of flooding.

For older versions of these applications, check out http://www.oldversion.com

Best regards!
written by SiriX , August 17, 2007

Why are you using ZoneLabs and Sygate?

Use Outpost Firewall or Kerio Firewall.




written by David Wall , September 22, 2007

Another thing to consider is that in corporate and university LANs, the attack could come from within the network from an authenticated device.

For example, imagine that a student browses a malicious website without protection and the student's laptop, plugged into the university network, is taken over by a hacker who launches a DOS attack against the school's network.

Quickly figuring out where on the network the student's laptop is physically connected would be a challenge. Amongst the solutions are intelligent patching systems that can be used to manage connections between the network hardware and the cabling system.
written by Mihai Dobos , September 22, 2007

Hello

You are right, but intelligent networks come into play.
You need to know what devices are connected and where. If it's an outsider (a student's laptop), don't allow it to access the LAN; redirect him automatically to a domain where he can only surf the Internet.

Another method is forcing connections through a proxy which allows only port 80 or so. Dynamically blacklisting sites in the proxy server will increase browsing security a lot.

Mihai D.
written by annon , February 20, 2008

Lol, you explain the types of attacks but you don't explain how to stop them?
written by SHANNON , February 25, 2008

How do you explain how a firewall can stop DDoS?
written by Mihai Dobos , February 27, 2008

Hello Shannon

A firewall watches for patterns in the traffic, and it drops packets if they match a certain DoS model.

Different firewall solutions use different methods; it just depends on your desired level of security.
written by Celestial Sunberry , March 08, 2008

I have ZoneAlarm. The problem? I'm being pinged to death. It keeps on axing my net every once in a while because it's getting so overloaded. That being said, I want to STOP the people/person from pinging me completely.
written by Mihai Dobos , March 13, 2008

Hello Sunberry


First of all, ZoneAlarm is not the best choice when it comes to heavy denial of service attacks (home users, I mean). Get Sygate firewall; it's free in the personal edition and works better.

Second of all, there are still attacks that cannot be filtered by conventional software firewalls targeted at home users and small offices. However, the ping of death should be filtered without any problems by any operating system (Windows 2k, XP, 2003, Vista) even without using a firewall; this leads to the possibility that you are being attacked by something else.

The cheapest and yet best solution is to contact your Internet Service Provider and give them some firewall logs in order to ban those packets and take legal actions if needed.

written by Tyler , May 10, 2008

I have a game server and it is being DoS attacked by sending packets to the game playing and 'flooding' the server. It will give everybody who tries to join "server is full" message when it is empty. Any solutions would be greatly appreciated.
written by Esben Larsen , June 10, 2008

Hello

I was contacted today by my network administrator saying that my computer was attacking our router with fraggle attacks. I have removed spyware with Ad-Aware and have the newest version of AVG Free Edition. Still it won't stop attacking the network... Any suggestions to locate and terminate the problem?
written by Mohammed safwat , June 11, 2008

I get ZoneLabs and others, but isn't it better to use ISA Server?
written by Mohammed safwat , June 11, 2008

I meant ISA Server to secure an organization,
but will that stop DoS?
written by christopher , November 14, 2008

Hello All!

Just curious, which would be the best firewall to use on my laptop? I recently scanned my laptop and noticed a lot of inbound and outbound traffic is because of something called 'microsoft-ds'. Is this similar to the DoS attack?

Is Kaspersky a good alternative to use? Please help. Thanks

Chris
written by gopi alaparthi , January 07, 2009

It's very interesting and useful.
written by Patrick_Taylor , February 16, 2009

Great comments guys. FW can prevent DoS or DDoS attacks, but how about the bandwidth it consumes at the serial interface connecting to the ISP?
written by Chandan , March 11, 2009

Hi,

I can see null packets getting broadcast when I check "sh ip cache flow" on my router, or null packets being sent to other undefined networks through ports 445, 137 and 138 respectively. I have put an access list to block those ports in the router, but still the packets are broadcasting. I have enabled ip route-cache flow on the LAN/WAN interface. If I block those ports, then packets will hit the ethernet and will move inside the LAN.
Any ways to stop those packets from broadcasting? Unnecessarily my network is getting choked... What do you think, what kind of attack is this?

kindly revert ASAP

regards,
Chandan
written by Aimrcena Msoleksses , April 12, 2009

please automate the capture of internet attackers
written by Mike H. , July 09, 2009

How about complex DoS attacks? Many U.S. and South Korean sites were disabled over the weekend from a massive DoS attack using thousands of "owned" computers. No personal firewall is going to stop that. Does that mean we can't ever be fully protected? Obviously no one would launch such a huge DoS attack on a personal computer but that's proof that a large enough attack can override firewalls.
written by rivina raj , August 13, 2009

What is the idea behind the name "denial of service attack" for a DoS attack? Did Denial find it first?
written by Gbase , November 25, 2009

How do you compensate for the limited bandwidth caused by a DDoS attack?
written by Landon L , December 28, 2009

For people at home experiencing a DoS attack (or even in organizations) from the outside:

A software firewall on your personal machine will not stop a DoS attack from consuming all available bandwidth on your connection to your ISP. They are pinging your public, ISP-assigned WAN address. If you have access to your cable/DSL modem, or if you use a router connected to your ISP's device, disable ping response on the WAN side. If you disable WAN-side ICMP response, the ping packet will be ignored at your connection. This is one of the best methods of DoS attack avoidance.

Last Updated ( Saturday, 23 June 2007 )