“Denial-of-Service” (DoS) or “Distributed” DoS (DDoS) attacks aim to overwhelm the capacity of a system or network. The attacked service cannot cope with the type or volume of requests and is unable to operate normally. Attackers may do this to extort money from the victim, to profit from the downtime of the service, or simply for fun. Another purpose can be to take a system offline for a while in order to launch the next attack on it; one common example of this combination of attacks is DoS/DDoS followed by “Session Hijacking”. The duration of an attack varies, with some lasting more than a month.
There are five different types of DoS/DDoS attack:
1. TCP SYN flood attack
The attacker exploits the buffer space used during the Transmission Control Protocol (TCP) session initialization handshake. The system’s small in-process queue is flooded with connection requests (SYN packets), but the attacker deliberately never answers the system’s replies (SYN-ACK) to complete the handshake. The target system waits for those responses until each entry times out, and once the connection queue fills up the system crashes or becomes unusable.
Mitigations:
- Place servers behind a firewall configured to stop inbound SYN packets
- Increase the size of the connection queue and decrease the timeout on open connections
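The following is an added example (not part of the original text) showing, in Python, how a defender can recognise the SYN-flood pattern from packet records and why the two mitigations above matter. It replays a constructed set of packets (the addresses, ports and timestamps are made up for the example), keeps a table of half-open connections, flags sources that hold many of them, and then models the server's SYN queue to show how a larger queue or a shorter timeout keeps it from filling.

```python
from collections import defaultdict

# Constructed sample packets (not captured traffic):
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, tcp_flags)
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK
LEGIT = "192.0.2.10"        # a client that completes its handshakes
ATTACKER = "198.51.100.7"   # a source that only ever sends SYNs
SERVER = "203.0.113.5"

SAMPLE_PACKETS = [
    (0.0, LEGIT, SERVER, 40001, 80, "S"),
    (0.1, SERVER, LEGIT, 80, 40001, "SA"),
    (0.2, LEGIT, SERVER, 40001, 80, "A"),
    (0.5, LEGIT, SERVER, 40002, 80, "S"),
    (0.6, SERVER, LEGIT, 80, 40002, "SA"),
    (0.7, LEGIT, SERVER, 40002, 80, "A"),
]
# Six SYNs from the attacker, each from a new source port, none ever acknowledged.
SAMPLE_PACKETS += [(1.0 + i * 0.5, ATTACKER, SERVER, 50000 + i, 80, "S") for i in range(6)]
SAMPLE_PACKETS += [(1.1 + i * 0.5, SERVER, ATTACKER, 80, 50000 + i, "SA") for i in range(6)]


def track_half_open(packets):
    """Replay packets in time order and return the half-open connections that
    remain: {(client_ip, server_ip, client_port, server_port): syn_timestamp}.
    A client SYN opens an entry; the client's ACK on the same 4-tuple closes it."""
    pending = {}
    for ts, src, dst, sport, dport, flags in sorted(packets):
        key = (src, dst, sport, dport)
        if flags == "S":
            pending.setdefault(key, ts)      # keep the first SYN time on retransmits
        elif flags == "A":
            pending.pop(key, None)           # handshake completed
        # "SA" is the server's reply; it does not change the client's entry
    return pending


def flag_syn_flood_sources(packets, threshold):
    """Return the sources holding at least `threshold` half-open connections."""
    per_source = defaultdict(int)
    for src, _dst, _sport, _dport in track_half_open(packets):
        per_source[src] += 1
    return sorted(s for s, n in per_source.items() if n >= threshold)


def backlog_occupancy(pending, now, timeout_s):
    """Number of half-open entries still occupying the server's SYN queue at
    time `now`, given that entries are discarded after `timeout_s` seconds."""
    return sum(1 for opened in pending.values() if now - opened < timeout_s)


def backlog_is_full(pending, now, queue_size, timeout_s):
    """True when a queue of capacity `queue_size` can accept no further SYNs."""
    return backlog_occupancy(pending, now, timeout_s) >= queue_size


if __name__ == "__main__":
    pending = track_half_open(SAMPLE_PACKETS)
    print("half-open:", len(pending), "flagged:", flag_syn_flood_sources(SAMPLE_PACKETS, 5))
    for timeout in (60.0, 2.0):
        print(f"timeout={timeout}s queue_full={backlog_is_full(pending, 3.6, 5, timeout)}")
```

With the constructed traffic, all six half-open entries belong to the attacker; with a queue of five entries and a 60-second timeout the queue is full, while a 2-second timeout leaves only four entries alive at the same instant. Real stacks add SYN cookies on top of these two knobs, which this model does not cover.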
2. Teardrop Attack
In this attack, the length and fragment offset fields of sequential Internet Protocol (IP) fragments are crafted so that the fragments overlap one another on the attacked host. The attacked system fails to reassemble the packets and crashes.
Mitigations:
- Disable SMBv2
- Block ports 139 and 445
3. Smurf Attack
IP spoofing and ICMP are used to saturate the target network with traffic. ICMP echo requests are sent to broadcast IP addresses with their source spoofed to the victim's address. For instance, if the intended victim's address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255. The request reaches every host in the range, and all of their replies go back to 10.0.0.10, thus overwhelming the network.
Mitigations:
- Disable IP-directed broadcasts at the router
- Configure end systems to keep them from responding to ICMP packets from broadcast addresses
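As an added example (not from the original text), the Python below shows the two places a defender can see a Smurf attack on the 10.0.0.0/8 example above: at the router, as echo requests addressed to a directed broadcast address, and at the victim, as echo replies arriving from many distinct hosts. The ICMP records are constructed for the example, and the local subnet list is an assumption.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type values

# Subnets this router/sensor is responsible for (assumed; matches the example above).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

VICTIM = "10.0.0.10"
BROADCAST = "10.255.255.255"

# Constructed ICMP records (not captured traffic): (src_ip, dst_ip, icmp_type)
SAMPLE_ICMP = [
    (VICTIM, "10.0.0.1", ECHO_REQUEST),   # an ordinary ping from the victim ...
    ("10.0.0.1", VICTIM, ECHO_REPLY),     # ... and its single reply
]
# Spoofed echo requests "from" the victim to the directed broadcast address.
SAMPLE_ICMP += [(VICTIM, BROADCAST, ECHO_REQUEST)] * 3
# Every host that heard the broadcast answers the victim.
SAMPLE_ICMP += [(f"10.0.1.{h}", VICTIM, ECHO_REPLY) for h in range(1, 21)]


def directed_broadcast_requests(records, local_nets=LOCAL_NETS):
    """Echo requests addressed to the broadcast address of a local subnet.
    These are exactly what 'disable IP-directed broadcasts at the router' drops."""
    broadcasts = {str(net.broadcast_address) for net in local_nets}
    return [r for r in records if r[2] == ECHO_REQUEST and r[1] in broadcasts]


def reply_fan_in(records):
    """Map each destination of echo replies to the set of distinct reply sources."""
    fan_in = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REPLY:
            fan_in[dst].add(src)
    return fan_in


def suspected_smurf_victims(records, min_sources):
    """Destinations receiving echo replies from at least `min_sources` distinct
    hosts: the amplification signature of a Smurf attack seen from the victim side."""
    return sorted(dst for dst, srcs in reply_fan_in(records).items()
                  if len(srcs) >= min_sources)


if __name__ == "__main__":
    print("broadcast echo requests:", len(directed_broadcast_requests(SAMPLE_ICMP)))
    print("reply sources per destination:",
          {d: len(s) for d, s in reply_fan_in(SAMPLE_ICMP).items()})
    print("suspected victims:", suspected_smurf_victims(SAMPLE_ICMP, min_sources=10))
```

The fan-in threshold is the tuning point: a single ordinary ping gives one reply source, while a Smurf amplifier produces as many sources as there are hosts on the broadcast segment.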
4. Ping of death attack
The attacker pings the target system with IP packets larger than the maximum allowed size of 65535 bytes. Packets of this size cannot be sent whole, so the attacker fragments the IP packet. Once the target system reassembles the fragments, the result may lead to buffer overflows and other types of crashes.
Mitigations:
- Use a firewall that checks fragmented IP packets against the maximum size.
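The check described in the teardrop and ping-of-death sections is the same one: validate a datagram's fragments before reassembling them. The Python below is an added example (not from the original text) of that check for both cases: it sorts a datagram's fragments by offset, reports overlapping fragments (the teardrop pattern) and reassembled sizes beyond 65535 bytes (the ping-of-death pattern), and treats gaps or a missing final fragment as incomplete. The `Fragment` type and all sample fragments are constructed for the example; a 20-byte header without options is assumed.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DATAGRAM_BYTES = 65535  # largest IPv4 datagram the 16-bit total-length field allows
IPV4_HEADER_BYTES = 20      # assumed header size (no options)


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP identification field; shared by all fragments of one datagram
    offset: int       # fragment-offset field as carried in the header (8-byte units)
    payload_len: int  # payload bytes carried by this fragment
    more: bool        # MF flag: True unless this is the last fragment


def check_fragments(frags):
    """Classify one datagram's fragments (given in any order):
    'overlap'    a fragment starts before the previous one ends (teardrop pattern)
    'oversize'   reassembly would exceed 65535 bytes (ping-of-death pattern)
    'incomplete' a gap in the sequence or no final fragment
    'ok'         fragments tile the payload contiguously within the limit"""
    prev_end = 0
    last_more = True
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + f.payload_len
        if start < prev_end:
            return "overlap"
        if end + IPV4_HEADER_BYTES > MAX_DATAGRAM_BYTES:
            return "oversize"
        if start > prev_end:
            return "incomplete"
        prev_end, last_more = end, f.more
    return "incomplete" if last_more else "ok"


def triage(fragments):
    """Group a stream of fragments by identification field and classify each datagram."""
    by_ident = defaultdict(list)
    for f in fragments:
        by_ident[f.ident].append(f)
    return {ident: check_fragments(frags) for ident, frags in by_ident.items()}


# Constructed sample datagrams. 1480-byte fragments sit at offsets that are
# multiples of 185 (185 * 8 = 1480 bytes).
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 500, False)]
# Second fragment claims to start at byte 800, inside the first one.
TEARDROP = [Fragment(2, 0, 1480, True), Fragment(2, 100, 800, False)]
# 44 full fragments reach byte 65120; the last one pushes the total past 65535.
PING_OF_DEATH = ([Fragment(3, 185 * i, 1480, True) for i in range(44)]
                 + [Fragment(3, 185 * 44, 1000, False)])
TRUNCATED = [Fragment(4, 0, 1480, True)]
SAMPLE_STREAM = NORMAL + TEARDROP + PING_OF_DEATH + TRUNCATED

if __name__ == "__main__":
    for ident, verdict in sorted(triage(SAMPLE_STREAM).items()):
        print(f"datagram id={ident}: {verdict}")
```

Because fragments are sorted before checking, out-of-order delivery of a legitimate datagram still yields 'ok'; a firewall applying this rule needs to buffer all fragments of a datagram (bounded by a timer) before passing any of them on.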
5. Botnet attack
For botnet attacks, a large number of ordinary users’ computers are first infected with malware and placed under the attacker’s control in order to carry out distributed DoS (DDoS) attacks. These “bots” or “zombies” are used to carry out attacks against the target systems, often overwhelming the target system’s bandwidth and processing capabilities.
Mitigations:
- RFC 3704 filtering to deny traffic from spoofed addresses and help ensure that traffic is traceable to its correct source network. RFC 3704 filtering will drop packets from bogon list addresses.
- Black hole filtering, which drops undesirable traffic before it enters a protected network. When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send routing updates to ISP routers so that they route all traffic heading to the victim servers to a null0 interface at the next hop.
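The Python below is an added example (not from the original text) that models the two mitigations just listed. `ingress_verdict` applies the RFC 3704 idea at a customer-facing interface: drop sources from a bogon list, drop sources outside the prefixes that legitimately sit behind that interface, accept the rest. `install_blackhole` and `next_hop` model what the BGP-triggered update does on a router: a host route for the victim whose next hop is null0 takes precedence by longest-prefix match. The bogon subset, interface names, prefixes and routing table are all constructed for the example; operational bogon lists are larger and change over time.

```python
import ipaddress

# Reserved/unroutable source ranges that should never arrive on an Internet-facing
# link. Constructed subset for the example only.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed prefixes legitimately sourced behind each interface: a packet arriving on
# a customer link must carry a source address from that customer's space.
INTERFACE_PREFIXES = {
    "customer-a": [ipaddress.ip_network("203.0.113.0/24")],
}

# Assumed routing table before any attack: {prefix: next hop}
ROUTES = {"0.0.0.0/0": "upstream", "203.0.113.0/24": "customer-a"}


def ingress_verdict(src_ip, interface, prefixes=INTERFACE_PREFIXES, bogons=BOGONS):
    """Return 'drop:bogon', 'drop:spoofed' or 'accept' for a packet's source address
    seen on `interface`."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in bogons):
        return "drop:bogon"
    if not any(src in net for net in prefixes.get(interface, [])):
        return "drop:spoofed"
    return "accept"


def next_hop(table, dst_ip):
    """Longest-prefix-match lookup of `dst_ip` in {prefix_str: next_hop}."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def install_blackhole(table, victim_ip):
    """Return a copy of the table with a /32 route for the victim pointing at the
    null0 interface, as the BGP update from the attacked site would cause."""
    updated = dict(table)
    updated[f"{victim_ip}/32"] = "null0"
    return updated


if __name__ == "__main__":
    for src in ("203.0.113.9", "10.1.2.3", "198.51.100.4"):
        print(src, "->", ingress_verdict(src, "customer-a"))
    blackholed = install_blackhole(ROUTES, "203.0.113.7")
    for dst in ("203.0.113.7", "203.0.113.8"):
        print(dst, "before:", next_hop(ROUTES, dst), "after:", next_hop(blackholed, dst))
```

Note the trade-off the black hole route makes visible: traffic to the victim host is discarded upstream, so the rest of the customer prefix keeps working, but the victim itself is unreachable for the duration of the route.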