Denial of Service (DoS) Attacks

A DoS attack is designed to overwhelm the victim's network to the point that the victim cannot use the network for legitimate business purposes. A Distributed DoS (DDoS) is simply a DoS that is launched simultaneously from more than one source. Sometimes these attacks are used in an attempt to confuse the equipment to a point where unauthorized access is able to penetrate inside the network. At other times, the attacks are launched merely because the perpetrator wishes to bring down the victim's network connections. In either case, there are some common methods used in DoS attacks that are explored in this chapter, in addition to ways to avoid becoming a victim of these attacks.

SYN Flood Attacks

To understand how a SYN flood attack can occur, you must first understand how a connection is established. When a host wishes to establish a connection, a TCP packet with the SYN bit set is sent to the remote host. The remote host looks at the port within this TCP packet. If the port corresponds to a service that is running, the remote host replies with another SYN packet. The initiating host then sends an ACK packet that starts the data transfer stage of the communications.

Because there is no guarantee of how quickly the ACK packet will be received by the remote host, a partially opened connection, also called a half-open connection, is maintained by the remote host. Maintaining half-open connections uses CPU cycles and memory and exposes the remote host to an inherent vulnerability from SYN flood attacks.

In a SYN flood attack, the perpetrator repeatedly causes the remote host to maintain half-open connections. As the number of half-open connections increases, more memory and CPU cycles are used in an attempt to maintain these connections. Unless measures are taken to limit the time that each half-open connection is maintained or the total number of half-open connections permitted, eventually the remote host will spend all of its resources trying to maintain these connections. SYN flood attacks can be further understood through an explanation of the LAND.c attack.
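The two limits named above, a timeout on each half-open connection and a cap on how many are held at once, can be seen working in a small model of the server's half-open table. This is an added example written for this page, not code from the book or from any Cisco product; time is counted in integer ticks (assume one tick is 1 ms), and the timeout of 3000 ticks, the cap of 1000 entries, the flood size and the source addresses are constructed values chosen for illustration.

```python
from collections import OrderedDict

# Added example (not from the book or any Cisco product): a toy model of a
# server's half-open connection table, used to show why a per-entry timeout
# and a cap on the number of entries keep a SYN flood from exhausting the
# host. Time is measured in integer ticks (assume one tick = 1 ms); the
# limits and addresses used below are assumptions for illustration.


class HalfOpenTable:
    """Tracks connections that received a SYN but not yet the final ACK."""

    def __init__(self, timeout=None, max_entries=None):
        self.timeout = timeout          # ticks an entry may wait; None = forever
        self.max_entries = max_entries  # cap on simultaneous entries; None = unbounded
        self.entries = OrderedDict()    # (src_ip, src_port, dst_port) -> tick SYN arrived
        self.dropped = 0                # SYNs refused because the table was full

    def expire(self, now):
        """Discard entries older than the timeout; return how many were removed."""
        if self.timeout is None:
            return 0
        stale = [k for k, t in self.entries.items() if now - t > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def on_syn(self, src_ip, src_port, dst_port, now):
        """Record a new half-open connection; False if the cap refuses it."""
        self.expire(now)
        if self.max_entries is not None and len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self.entries[(src_ip, src_port, dst_port)] = now
        return True

    def on_ack(self, src_ip, src_port, dst_port):
        """The final ACK completes the handshake, so the entry is released."""
        return self.entries.pop((src_ip, src_port, dst_port), None) is not None

    def __len__(self):
        return len(self.entries)


def simulate_syn_flood(table, syn_count):
    """One SYN per tick from rotating (constructed) source addresses that never
    send the final ACK. Returns (entries still held, SYNs refused by the cap)."""
    for i in range(syn_count):
        table.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 80, now=i)
    table.expire(syn_count)
    return len(table), table.dropped


if __name__ == "__main__":
    cases = [
        ("no limits", HalfOpenTable()),
        ("timeout only", HalfOpenTable(timeout=3000)),
        ("cap only", HalfOpenTable(max_entries=1000)),
        ("timeout + cap", HalfOpenTable(timeout=3000, max_entries=1000)),
    ]
    for label, tbl in cases:
        held, refused = simulate_syn_flood(tbl, 5000)
        print(f"{label:14s} held={held:5d} refused={refused:5d}")
```

With no limits, every one of the 5000 SYNs is still held at the end; the timeout alone bounds the table to what arrives within one timeout window, the cap alone bounds it to 1000 at the cost of refusing later SYNs, and the two together keep the table full of recent entries while old ones age out. A legitimate client is unaffected, since its final ACK releases its entry immediately.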

LAND.c Attacks

One form of SYN flood attack is known as the LAND.c attack. Originally written in the C programming language, this form of attack can be devastating to unprotected systems. However, filtering spoofed addresses as discussed in Chapter 2, “Basic Cisco Router Security,” will prevent this type of attack from being successful.

In the LAND.c attack, a perpetrator repeatedly sends TCP SYN packets to a known address. In the example shown in Figure 1-13, the perpetrator is launching an attack on a Web server. In this example, the SYN packets would have both the source and destination address set to 10.1.1.30, which is the address of the machine under attack.

Figure 1-13. LAND.c Attack


Within the TCP packet, the perpetrator sets a port number. Any port number associated with a running service could be used. Because the attacked machine's main function is to service Web pages, the perpetrator is likely to set the port number to 80, which is used for Web services.

The attacked machine receives the SYN packet and checks the port requested. If the port requested is currently running a service, the attacked machine replies with another SYN packet to the “requesting host,” attempting to complete the connection. In this case, the requesting host, as defined by the source address of the IP packet, is the same as the destination host. Therefore, the attacked host tries to establish a connection with itself. While waiting for a response that will never come, the attacked host holds open a connection until a timeout period has passed. This timeout period varies, depending on the operating system of the attacked host.

The host soon becomes overwhelmed by the repeated opening of connections to itself and ceases to function because of exhaustion of resources.
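The spoofed-address filtering that defeats LAND.c comes down to a few ingress checks on each packet, shown here as an added example that is not code from the book or from Cisco IOS. 10.1.1.30 is the Web server from Figure 1-13; that it sits in 10.1.1.0/24, that the Internet-facing interface is named "outside" and the LAN-facing one "inside", and the sample packets themselves are constructed assumptions for illustration.

```python
import ipaddress

# Added example (not from the book or from Cisco IOS): the ingress checks a
# border filter applies to drop a LAND.c packet and other forged sources.
# 10.1.1.30 is the Web server of Figure 1-13; the subnet, interface names
# and sample packets below are assumptions made for this illustration.

INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # assumed server LAN


def ingress_check(pkt, interface, internal_nets=INTERNAL_NETS):
    """Return ("permit", "") or ("drop", reason) for a packet seen on `interface`.

    pkt is a dict with at least "src" and "dst" as dotted IPv4 strings."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    src_internal = any(src in net for net in internal_nets)
    if src == dst:
        # LAND.c: source equals destination, so the host would connect to itself.
        return ("drop", "land: source address equals destination address")
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return ("drop", "invalid source address")
    if interface == "outside" and src_internal:
        # Our own address range arriving from the Internet can only be forged.
        return ("drop", "spoofed internal source on outside interface")
    if interface == "inside" and not src_internal:
        # Egress filtering: our hosts must not emit forged sources either.
        return ("drop", "source outside internal range on inside interface")
    return ("permit", "")


# Constructed (packet, arriving interface) pairs, not a real capture.
SAMPLE_PACKETS = [
    ({"src": "10.1.1.30", "dst": "10.1.1.30", "dport": 80, "flags": "S"}, "outside"),
    ({"src": "10.1.1.5", "dst": "10.1.1.30", "dport": 80, "flags": "S"}, "outside"),
    ({"src": "198.51.100.7", "dst": "10.1.1.30", "dport": 80, "flags": "S"}, "outside"),
    ({"src": "10.1.1.30", "dst": "198.51.100.7", "dport": 40000, "flags": "SA"}, "inside"),
    ({"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 80, "flags": "S"}, "inside"),
]


def filter_report(packets=SAMPLE_PACKETS):
    """Apply the check to every (packet, interface) pair; returns the verdicts in order."""
    return [ingress_check(pkt, iface)[0] for pkt, iface in packets]


if __name__ == "__main__":
    for pkt, iface in SAMPLE_PACKETS:
        verdict, reason = ingress_check(pkt, iface)
        print(f"{iface:7s} {pkt['src']:>14s} -> {pkt['dst']:<14s} {verdict:6s} {reason}")
```

The first sample packet is the LAND.c packet of Figure 1-13 and is dropped before the server ever sees it; the second is dropped because an internal source address cannot legitimately arrive on the outside interface, which is the more general anti-spoofing rule the LAND check is a special case of.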

Ping Attacks

A ping attack occurs when a perpetrator attempts to overwhelm the victim's equipment through the use of ICMP Echo Request packets. As with most DoS attacks, ping attacks attempt to use CPU cycles and memory to prevent legitimate use of equipment.

Although a number of ping attacks have been launched successfully, such as the ping of death and the smurf attacks, simple configuration changes can prevent attacks from adversely affecting your network. Chapter 2 shows how to configure Cisco routers to prevent becoming vulnerable to these forms of attack. Following is an explanation of a smurf attack.

Smurf Attack

In a smurf attack, an attacker sends an ICMP Echo Request to the network (broadcast) address of an unsuspecting amplifier network, rather than to a specific host. The attacker enters the IP address of the targeted server as the ICMP echo source address. Every host on the amplifier network responds by sending an ICMP Echo Reply to the source address of the ICMP echo packet, which is the address of the server the attacker wanted to attack. Because the amplifier network has many hosts, each of which responds to the single ICMP Echo Request, the number of ICMP Echo Replies received by the victim's host is multiplied accordingly.

In this case, the attacker uses another's resources and network to attack the victim. This attack works by simply consuming bandwidth to the victim. Once this bandwidth is consumed, all access to the server from other public hosts will slowly grind to a halt.
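Both ends of a smurf attack can be checked for, as this added example (not code from the book or from Cisco IOS) shows: the amplifier's router should refuse Echo Requests addressed to a connected subnet's directed-broadcast address, which is the effect of the IOS interface command `no ip directed-broadcast` that Chapter 2 covers, and the victim's side can flag Echo Replies arriving from many hosts of one subnet that the victim never pinged. 10.1.1.30 is the Web server of Figure 1-13; the amplifier LAN 192.0.2.0/24, the time window, the threshold and the flow records are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the book or from Cisco IOS): two checks against a
# smurf attack, one at the amplifier's router and one at the victim's side.
# 10.1.1.30 is the Web server of Figure 1-13; the amplifier LAN, window,
# threshold and flow records are assumptions constructed for illustration.

ECHO_REQUEST, ECHO_REPLY = 8, 0                       # ICMP type values
AMPLIFIER_LANS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed router LAN
VICTIM = "10.1.1.30"


def is_directed_broadcast(dst, lans=AMPLIFIER_LANS):
    """True when dst is the broadcast address of one of the router's connected LANs."""
    d = ipaddress.ip_address(dst)
    return any(d == lan.broadcast_address for lan in lans)


def amplifier_drops(records, lans=AMPLIFIER_LANS):
    """Echo Requests the amplifier's router should refuse to forward onto its LANs."""
    return [r for r in records
            if r[1] == ECHO_REQUEST and is_directed_broadcast(r[3], lans)]


def unsolicited_reply_sources(records, window=2.0, threshold=10):
    """records: iterable of (time_s, icmp_type, src, dst).

    Returns {victim: {replying hosts}} for every victim that received Echo
    Replies from more than `threshold` hosts it had not pinged within `window` s."""
    requests = defaultdict(list)   # (requester, target) -> times of Echo Requests
    unsolicited = defaultdict(set)
    for t, icmp_type, src, dst in sorted(records):
        if icmp_type == ECHO_REQUEST:
            requests[(src, dst)].append(t)
        elif icmp_type == ECHO_REPLY:
            sent = requests.get((dst, src), [])
            if not any(0 <= t - rt <= window for rt in sent):
                unsolicited[dst].add(src)
    return {v: hosts for v, hosts in unsolicited.items() if len(hosts) > threshold}


# Constructed flow records, not a real capture:
SAMPLE_RECORDS = (
    # the victim pings one host and receives a legitimate reply
    [(0.00, ECHO_REQUEST, VICTIM, "198.51.100.9"),
     (0.02, ECHO_REPLY, "198.51.100.9", VICTIM)]
    # the forged request, with the victim as source, as the amplifier's router sees it
    + [(1.00, ECHO_REQUEST, VICTIM, "192.0.2.255")]
    # 50 amplifier hosts answer to the forged source address
    + [(1.00 + i / 1000, ECHO_REPLY, f"192.0.2.{i}", VICTIM) for i in range(1, 51)]
)


def smurf_report(records=SAMPLE_RECORDS):
    """Run both checks over the records."""
    return {"router_drops": amplifier_drops(records),
            "victims": unsolicited_reply_sources(records)}


if __name__ == "__main__":
    report = smurf_report()
    for r in report["router_drops"]:
        print(f"amplifier router drops directed broadcast: {r[2]} -> {r[3]}")
    for victim, hosts in report["victims"].items():
        print(f"{victim}: {len(hosts)} unsolicited Echo Replies from "
              f"{min(hosts)} .. {max(hosts)}")
```

The legitimate reply from 198.51.100.9 is matched to the victim's own request and is not counted, while the 50 replies from 192.0.2.0/24 have no matching request and trip the threshold; the directed-broadcast check at the amplifier would have stopped the attack before any reply was generated.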
