Access DENIED

--Originally published at The Hitchhiker's Guide to information security… according to me!

Have you ever had a fight with your little brother/sister (if you don't have one, use your imagination) and he/she, in revenge, hid your cellphone or your car keys, denying you access to them? Well, if you aren't a website or network administrator, that's the closest you're going to get to a denial of service attack, and let me be the one to tell you that your little brother/sister is going places.

A denial of service attack, or DoS for short, is an attempt to prevent users from accessing any type of information or service provided by an organization. By targeting a network or a computer, an attacker can prevent you from accessing webpages, email accounts, bank accounts, etc.


"But why?" you ask? These attacks are mostly used for revenge, fun or political activism; the attacker doesn't gain much more than the sweet feeling of power and of annoying someone, but the targeted organization or individual can lose valuable time and money. These attacks can also be used to blackmail a company if you play your cards right.

One recent example of a DoS attack is that of a 15-year-old boy in Australia who launched attacks against his school, a bank and the police. These attacks made their websites unavailable to users, and in the bank's case its online services were down for more than 3 hours, losing it millions of dollars in advertising and bank transactions. The teenager did it for fun and didn't go to jail, by the way… Australians.

Types of DoS attacks

OK, so now we know they are dangerous, but what do they look like? You know… for science. I present to you:

Buffer Overflow: sends more traffic than anticipated to a network, slowing down the connection and making it unable to correctly serve its users. Examples of this can be big email spam or oversized ICMP packets.

SYN attack: a normal connection to a server requires a 3-way handshake in which the user requests an acknowledgement (SYN), then the server acknowledges it (SYN-ACK), and at the end the user acknowledges the acknowledgement (ACK)… mind blown. If the attacker never sends back the ACK, the connection is left half-open. The server keeps waiting for the response, consuming server resources, and after too many of these half-open connections the server will refuse to serve other users.

Smurf Attack: the attacker broadcasts a ping packet that specifies a return address belonging to another host. Because it is a broadcast message, all the users in the same network will return the packet at the same time, overwhelming the attacked host. It's like asking all your friends to bully someone with mean messages at the same time. You're the mastermind, but they do the dirty work.

Teardrop Attack: the attacker sends an oversized internet packet with confusing code that makes the packet impossible to reassemble. If the operating system doesn't know how to handle this when the packet arrives, a blue screen pops up.

R-U-Dead-Yet (RUDY): servers keep connections open on websites that have POST forms in order to serve users with slower connections. When a user starts filling in the form the connection is established, but what if the user takes forever to fill in the form? Then the connection remains open indefinitely, and eventually the server exhausts all the connections it can handle. RUDY attacks achieve this by filling in forms at an extremely slow pace. (The name comes from a Children of Bodom album \m/)

Distributed denial of service (DDoS): we've been talking about one computer making specific attacks on a target, but what happens when many different computers attack a target with all the techniques mentioned above? Savage. DDoS is like the evolved form of a DoS, using multiple IP addresses to target a specific host. They are really nasty because it becomes almost impossible to block the many attacking IP addresses, since it's hard to distinguish between a legitimate user and an attacker.

Getting the symptoms and treating the wounds

So now we know where they live, when they eat and that their names sound like the finishing moves of a Lucha Libre fighter, but how do we defend our poor selves against these kickass attacks? If you think that your computer or email account may test positive for DoS, or that a certain website you love may not be answering your calls, please confirm with the following checklist:

  • suspiciously slow network connection
  • unable to access a website (short or long term)
  • lots of spam in your account
  • loss of internet connection

If the answer was yes to any of the above symptoms, there are many techniques to treat the sickness; please use the one that fits your needs:

Managing your firewall, router or switch: in a simple DoS the attack can be stopped by adding a specific rule to your firewall, router or switch that denies traffic between the attacker and the network.

Blackholing and sinkholing: sending all the unwanted traffic to a null interface to avoid overwhelming the network.

Bandwidth Managers: front-end services that help analyze traffic and identify dangerous behavior.

Intrusion Prevention System: systems with enough processing power to analyze traffic anomalies and allow normal traffic to flow while preventing DoS attacks.
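As an added example (not code from the original post), here is a small Python monitor that ties the SYN attack description above to the firewall-rule and blackholing treatments: it reads constructed `ss -tan`-style socket lines, counts half-open (SYN-RECV) sockets per peer, and proposes the deny rule or blackhole route for peers above an assumed threshold. The thresholds, the sample addresses and the exact `iptables`/`ip` command strings are assumptions, and the commands are only emitted as text, never executed.

```python
"""Half-open connection monitor with the post's mitigation steps.

Added example, not code from the original post. Input is constructed
text in the layout of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer).
Thresholds and the command strings are assumptions for illustration.
"""
from collections import Counter

# Constructed sample: one peer piling up half-open sockets, one peer with a
# single SYN in flight, and one legitimate established connection.
SAMPLE_SS_OUTPUT = """
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:40002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:40003
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:5201
ESTAB     0      0      10.0.0.5:443        192.0.2.33:51522
SYN-RECV  0      0      10.0.0.5:443        203.0.113.9:40004
"""

HALF_OPEN_PER_PEER = 3  # assumed: this many SYN-RECV from one peer is suspicious
DISTRIBUTED_PEERS = 50  # assumed: beyond this many offenders, per-IP rules won't scale


def half_open_by_peer(ss_text):
    """Return {peer_ip: number of SYN-RECV sockets} from ss-style output."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header row, blank lines, established sockets, etc.
        peer_ip = fields[4].rsplit(":", 1)[0]  # drop the port; keeps IPv6 intact
        counts[peer_ip] += 1
    return dict(counts)


def suggest_mitigation(counts):
    """Map per-peer half-open counts to the firewall/blackhole treatments."""
    offenders = sorted(ip for ip, n in counts.items() if n >= HALF_OPEN_PER_PEER)
    if len(offenders) > DISTRIBUTED_PEERS:
        # DDoS case: too many sources to block one by one; sinkhole the
        # unwanted traffic instead of chasing individual addresses.
        return ["distributed attack: per-IP rules will not scale, sinkhole traffic"]
    actions = []
    for ip in offenders:
        actions.append(f"iptables -I INPUT -s {ip} -j DROP")  # firewall deny rule
        actions.append(f"ip route add blackhole {ip}")        # null-route replies
    return actions
```

Running `suggest_mitigation(half_open_by_peer(SAMPLE_SS_OUTPUT))` on the sample flags only 203.0.113.9 (four half-open sockets) and leaves the single-SYN peer and the established user alone.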

It’s OK to have DoS

DoS is a very common attack that is very difficult to defend against because it is so unpredictable. They are used not only by independent hacking groups but also in the cyberwar between countries. Even though a DoS attack is punished with as much as 10 years in prison in some countries, and security agencies try their best to defend their clients against them, there is no perfect security. The moral of the story is: protect yourself to some extent and be nice to people. You don't want to be on the receiving end of revenge or political activism.