Chapter 16

Denial-of-Service Attacks

A denial-of-service (DoS) attack is a malicious attempt to make a machine or other computing resource unavailable. A distributed DoS attack is the same attempt carried out from many unique Internet Protocol (IP) addresses at once, rendering a machine or other computing/network resource unavailable. Each of these types of attack exists in two different forms, known as bugs and floods. Both can take many shapes, and all are devastating to the victims they affect. As with most malicious attacks, however, there are steps that can be taken to keep them from damaging host computers or other network nodes.

A modern version of the DoS attack is the Domain Name System (DNS) amplification attack, a distributed DoS attack that relies on vulnerable DNS servers. To perform it, an attacker issues a DNS look-up request using a spoofed IP address. The request is relayed through a series of botnet computers, each of which in turn issues the same look-up to a separate DNS server, so that the one original request is multiplied across many DNS servers. The resulting traffic appears to reach the target server from many different directions, hiding the source that originated the attack (Figure 16.1).
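The following is an added illustration, not part of the chapter's own material, of how a network sensor could recognise the traffic pattern just described from the receiving end. It assumes, as Figure 16.1 implies, that the spoofed source address is the target's own, so the target receives DNS responses from many resolvers for queries it never sent. The flow records, IP addresses and byte counts are constructed for the example.

```python
"""Flag DNS amplification traffic from flow records (constructed sample data)."""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, sport, dport, bytes, is_query).
# They imitate what a flow exporter in front of the target would produce;
# none of them come from a real network.
FLOWS = [
    # Legitimate: host 10.0.0.5 asks resolver 192.0.2.53 and gets a small answer
    ("10.0.0.5", "192.0.2.53", "udp", 40123, 53, 62, True),
    ("192.0.2.53", "10.0.0.5", "udp", 53, 40123, 140, False),
    # Amplification: many resolvers answer 203.0.113.9 (the target), which
    # never sent any of these queries because its address was spoofed
    ("198.51.100.1", "203.0.113.9", "udp", 53, 5555, 3200, False),
    ("198.51.100.2", "203.0.113.9", "udp", 53, 5555, 3100, False),
    ("198.51.100.3", "203.0.113.9", "udp", 53, 5555, 3300, False),
    ("198.51.100.4", "203.0.113.9", "udp", 53, 5555, 2900, False),
]


def analyze_dns_flows(flows, min_ratio=10.0, min_sources=3):
    """Return {host: (number_of_resolvers, amplification_factor)} for hosts
    that receive large DNS responses from many resolvers relative to the
    query bytes they themselves sent out.  A host that sent no queries at
    all gets an infinite factor: every response it receives is unsolicited.
    """
    queried_bytes = defaultdict(int)   # query bytes sent by each host
    responders = defaultdict(set)      # resolvers that answered each host
    response_bytes = defaultdict(int)  # response bytes received by each host
    for src, dst, proto, sport, dport, nbytes, is_query in flows:
        if proto != "udp":
            continue
        if is_query and dport == 53:
            queried_bytes[src] += nbytes
        elif not is_query and sport == 53:
            responders[dst].add(src)
            response_bytes[dst] += nbytes

    suspicious = {}
    for host, resolvers in responders.items():
        sent = queried_bytes.get(host, 0)
        ratio = response_bytes[host] / sent if sent else float("inf")
        if len(resolvers) >= min_sources and ratio >= min_ratio:
            suspicious[host] = (len(resolvers), ratio)
    return suspicious


if __name__ == "__main__":
    for host, (n, ratio) in analyze_dns_flows(FLOWS).items():
        print(f"{host}: responses from {n} resolvers, amplification {ratio}")
```

The thresholds `min_ratio` and `min_sources` are illustrative; what matters for detection is the combination of unsolicited responses (far more response bytes than query bytes) arriving from many distinct resolvers, which a single legitimate client never produces.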

Another example of a DoS attack is the SYN flood, in which an attacker exploits Transmission Control Protocol (TCP) connection set-up. Normally, when a user wants to connect to a server, a series of messages is exchanged between the host and the server. During a SYN flood, an attacker sends multiple connection requests to a server. The server answers each with a SYN-ACK (acknowledgment) to confirm that the originating host is ready, and thus acknowledges the impending connection. The attacker's machines, however, never respond to the server's acknowledgment, so multiple half-open connections accumulate and consume all of the server's resources. No further hosts, legitimate or not, can then connect to the server, which is the denial of service. One solution to this attack, if it comes from an IP address outside the server's network, is to block all outside connections from being established. While this prevents outside connections, if the server primarily serves a corporation, at least the employees on the corporation's own internal network can still reach it through the corporate intranet. A SYN flood is illustrated in Figure 16.2.
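The following is an added example, not part of the chapter, that models the server side of the handshake just described: a fixed-size backlog of half-open (SYN-RECEIVED) connections, filled by connection requests whose final ACK never arrives. The packet events, addresses, backlog size and timeouts are constructed for illustration; the model shows why legitimate clients are refused once the backlog is full and how a shorter timeout for half-open entries limits the damage.

```python
"""Replay TCP handshake events against a model of a server's SYN backlog."""
from collections import defaultdict

# Constructed packet events as seen by a sensor in front of the server
# (192.0.2.10:80): (timestamp_seconds, src_ip, src_port, tcp_flags).
PACKETS = [
    # A legitimate client completes the three-way handshake
    (0.00, "10.0.0.5", 40001, "SYN"),
    (0.01, "10.0.0.5", 40001, "ACK"),
    # A flooding source sends SYNs and never answers the SYN-ACKs
    (0.10, "198.51.100.7", 50001, "SYN"),
    (0.11, "198.51.100.7", 50002, "SYN"),
    (0.12, "198.51.100.7", 50003, "SYN"),
    (0.13, "198.51.100.7", 50004, "SYN"),
    (0.14, "198.51.100.7", 50005, "SYN"),
    # A second legitimate client arrives ten seconds later
    (10.00, "10.0.0.6", 40002, "SYN"),
    (10.02, "10.0.0.6", 40002, "ACK"),
]


def simulate_backlog(packets, backlog_size=4, syn_timeout=60.0):
    """Return (half_open_per_source, refused_syns, established_connections).

    Each SYN occupies one backlog slot while the server waits for the final
    ACK.  Slots whose ACK has not arrived after syn_timeout seconds are
    reaped; a SYN that finds the backlog full is refused, which is the
    denial of service experienced by later clients.
    """
    backlog = {}        # (src_ip, src_port) -> time the SYN arrived
    established = set()
    refused = 0
    for ts, src, sport, flags in packets:
        # Reap stale half-open entries before handling the new packet
        for key, t0 in list(backlog.items()):
            if ts - t0 > syn_timeout:
                del backlog[key]
        key = (src, sport)
        if flags == "SYN":
            if len(backlog) >= backlog_size:
                refused += 1      # no slot left: connection request dropped
                continue
            backlog[key] = ts     # server sent SYN-ACK, now waits for ACK
        elif flags == "ACK" and key in backlog:
            del backlog[key]      # handshake complete
            established.add(key)

    half_open = defaultdict(int)
    for src, _ in backlog:
        half_open[src] += 1
    return dict(half_open), refused, established


if __name__ == "__main__":
    for timeout in (60.0, 5.0):
        half, refused, est = simulate_backlog(PACKETS, syn_timeout=timeout)
        print(f"timeout {timeout}s: half-open {half}, refused {refused}, "
              f"established {sorted(est)}")
```

With the 60-second timeout the four half-open entries from 198.51.100.7 still fill the backlog when 10.0.0.6 arrives, so its request is refused; with a 5-second timeout those entries have been reaped and the second client connects. The per-source count of half-open entries is also the signal a monitoring tool would alert on, since one source holding most of the backlog without ever completing a handshake is the signature of this attack.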


Figure 16.1 Denial-of-service attacks.


Figure 16.2 A SYN attack to deny service.

Hackers initiate these malicious DoS attacks for a wide variety of reasons: a personal vendetta toward a particular company, extortion, a political statement, or even an act of general cyber warfare. For these attacks to cease, system administrators must carefully lay out guidelines for user authentication. Reliable authentication lets administrators know who is trying to use a server's connections and services. In addition to reliable authentication and identification of users, careful testing of servers and code, together with review of reports, is of the utmost importance in information security where DoS is concerned.

QUESTIONS

1.  How many forms of DoS attacks exist?

2.  What are the two primary forms of DoS attacks?

3.  Explain how a DoS works.

4.  How do you block a DoS attack?

5.  Explain the process of a SYN attack.
