Henry Dalziel | General Hacking Posts, Hacker Hotshots | November 1, 2013
We have become fascinated by DoS attacks in the office ever since our Hacker Hotshot web show with Matthew Prince from CloudFlare. Matthew introduced us to a case-study, contemporary solutions and viable long term solutions to prevent or at least mitigate being a victim of DoS attacks.
First off – let’s get the definitions out of the way. What is the difference between a DoS and a DDoS?
DoS refers to Denial-of-Service and is best defined as an attempt to make a computer (or computers) or a network unavailable to its intended users.
Matthew Prince defined it in a nicely simplified way:
“…a Denial of Service attack is when an attacker is trying to generate more traffic than you have resources to handle…”
You will often hear DoS pronounced phonetically as one word, i.e. ‘DOS’ rather than D-O-S, while DDoS is pronounced Dee-DoS.
The difference between a DoS and a DDoS
In a DoS attack, one computer and one internet connection are used to overwhelm a server or network with data packets, with the sole intention of overloading the victim’s bandwidth and available resources.
A DDoS attack is the same, but amplified. Rather than one computer and one internet connection, a DDoS often involves millions of computers, all used in a distributed fashion to knock a web site, web application or network offline.
In both instances, either by the singular DoS or the multiple DDoS attack, the target is bombarded with data requests that have the effect of disabling the functionality of the victim.
Our research has identified five major types of DDoS/DoS methods or attacks.
If you can think of any more we’d appreciate you dropping a comment below!
Here’s our list:
1. SYN flood
A SYN flood is a type of DoS attack in which an attacker sends a series of SYN requests to a target’s system in an attempt to consume vast amounts of server resources and make the system unresponsive to legitimate traffic.
2. Teardrop attacks
A teardrop attack involves the hacker sending broken and disorganised IP fragments with overlapping, over-sized payloads to the victim’s machine. The intention is to crash operating systems and servers by triggering a bug in the way TCP/IP fragments are reassembled. All operating systems and many types of servers are vulnerable to this type of DoS attack, including Linux.
3. Low-rate Denial-of-Service attacks
Don’t be fooled by the title, this is still a deadly DoS attack! The Low-rate DoS (LDoS) attack is designed to exploit the slow-time-scale dynamics of TCP’s retransmission time-out (RTO) mechanism in order to reduce TCP throughput. In short, a hacker can force TCP connections to repeatedly enter the RTO state by sending short, high-rate, intensive bursts timed to the slow RTO time-scale. The TCP throughput at the victim node is drastically reduced, while the hacker’s average sending rate stays low, making the attack difficult to detect.
4. Internet Control Message Protocol (ICMP) flood
Internet Control Message Protocol (ICMP) is a connectionless protocol used for IP operations, diagnostics, and errors. An ICMP Flood – the sending of an abnormally large number of ICMP packets of any type (especially network latency testing “ping” packets) – can overwhelm a target server that attempts to process every incoming ICMP request, and this can result in a denial-of-service condition for the target server.
5. Peer-to-peer attacks
A peer-to-peer (P2P) network is a distributed network in which individual nodes (called “peers”) act as both suppliers (seeds) and consumers (leeches) of resources, in contrast to the centralised client–server model where client nodes request access to resources provided by central servers.
Let us know your thoughts! Have you ever been the victim of a DoS attack? What do you now do to protect yourself? Remember to check out our talk with Matthew Prince, which really was a good Hacker Hotshot web show and is an excellent resource to learn more about this common attack vector.