DoS: Denial of Service
In Denial of Service commonly known as DoS, is made by the hacker on the computer or network resources so the cannot be accessed by other genuine users as well.
The main goal is to deprive use of the network resources to everyone and this is achieved by flooding the victim /target computer with unwanted services and processes which with then exhaust the resources for the victim (CPU / memory) and in turn either crash or become very slow for others to access.
Indication of DoS attack
- Resource unavailability
- Unable to access a website
- Slowness / delay in using or opening apps
- Many spam emails
Webservers: The Company’s website is hosted on a webserver and every company or organization wants that site to be up and running at all times for customers to access it. Using a DoS attack, the site can be compromised and the downtime for the website could lead to revenue loss or even loss of image in the market, that they are prone to such attacks.
Compromise Database / Backend resource: The DoS attack can also lead to bringing down the database or sending multiple queries to the DB, which in order makes the DB slow or hang and in worst scenarios the DB may also crash. Thus the end customer when retrieving some data from a website etc, will not be able to get the results since the database would be slow or down.
Compromise a Network or Server: At times there can be internal employees with negative mentality that may cause harm to the servers and networks internally. The network / Server can be attacked from outside causing slowness in access data, and authenticating users thus depriving all genuine users also from logging into the system.
Types of DoS Attacks
Service Request Floods: This means sending requests to a server or application continuously to make it occupied and run short of resources. It’s similar to someone calling your phone continuously so someone else cannot make a call to you. The attacker can do this by sending continuous TCP connect messages to have the resources occupied and finally the resources exhaust also disallowing genuine requests to be dropped.
SYN Flood: In this type of attack, the SYN packet is put up with a fake source address thus exploiting the three way handshake mechanism. When a fake SYN packet goes to victim, the victim will send a SYN+ACK and then wait for the ACK, but since it is a fake address, the connection is not setup and the victim / server will be held waiting for the ACK from the sender ( attacker) thus eating up resources.
ICMP Flood: An ICMP works by checking the request and then responding back to the sender. This process does occupy some CPU resources, but if the ping is done by multiple system sand continuous ping will have the CPU to go high on the server that is being pinged. Attacks known as smurf attacks or ICMP floods will cause server to slow down by attacking with ICMP floods without waiting for the response from the server.
Ping of Death: In this a ping packet larger than 64KB , which is larger than the allowable size in the ping packet was sent to a victim to slow it down and stop processing other requests. In today’s world this is not much of a threat because most companies block the ping but this was a popular mechanism used in the 1990s.
Smurf attack: In this the IP address of the target is spoofed and then send many ICMP echo requests to different sites broadcast addresses, they these servers which receive the broadcast, start to reply back to the attacker IP, thus overwhelming the system with so many responses. This also causes the network to get clogged with so many responses coming to one victim machine.
Application Level attacks: These attacks cause loss to the services such as email, network, preventing access data etc.
Permanent DoS attack: The term ‘phlashing’ is used for a permanent DoS attack. These damages are irreversible, as these cause harm to the system hardware, as attacker sends firmware for hardware which is tried to update and finally is in a bad state.
This is a technique in DoS attack which makes use of the flaw in the code of the program and inputs more data than the program buffer or memory can take. When the buffer of the program comes in overflow state, and new inputs that are written will cause the system to crash or result in other security issues. This also suffices the main goal of DoS which is to make the program unusable by anyone else, thus denies the services.
DDoS: Distributed Denial of Service
This form of DoS is similar but is more powerful as it is done from various other systems and not just one. The goal is same but the implication can really be devastating as several attacker go after a single victim.
In DDoS the attacker uses distributed systems to attack the victim. See below figure.
The process for the DDoS attack goes like this:
- The master computer or handler is infected with DDoS software which is also known as a bot.
- The bot then searches for clients on the victim’s network to make potential slaves that will be involved in the DoS attack. These victims are called Slaves or Zombies.
- After infecting the handler system and also having the zombies ready and listening to the master or handler, the attacker identifies a target and then asks the handler to launch the attack.
- The attack from the handler goes through these zombies to the victim.
Botnets creation tools
- Poison Ivy
- LOIC ( Low Orbit Ion Cannon)
The below are tools used for DoS attack:
UDP Flood: Generating UDP packets for a specific destination
DoSHTTP: HTTP based DoS Tool, used to target URLs.
Jolt2: This is a toll that uses fragmentation of IP packet to cause the attack. Many fragmented packets are sent to the windows Host.
The below are tools used for DDoS attack:
LOIC: This is a very popular tool. Its full form is Low Orbit Ion Cannon
Trinoo: This tool is used to attack single or more IPs using UDP flooding.
TFN2K: Based on Tribe Flood Network, this tool performs UDP and SYN flood attacks.
Below info from Wikipedia
Once you set the Target IP and threads with TCP or UDP as method, you can click the button on Top to fire the flow and check the packets using Wireshark.
- Unnecessary services to be disabled: By disabling unnecessary services you may the system less prone to any attacks. Attackers usually try making uses of some services or ports that you are unaware of and install the bots on the systems.
- Use Anti-Malware: Using tools like Antimalware can be of great help since these will prevent from any malware to be installed and also detect any files that are infected with it and help in clearing those.
- Filter in and out ports: DoS and DDoS attacks can be prevented by blocking any spoofed IP addresses coming from a particular source.
- Absorb the attack: This is an expensive way to avoid any damage. This means your equipment’s i.e. Servers, network should be of more capacity than the attacker can send and this device can easily absorb the attack and not cause any down time.
- Service Degradation: This is kind of counter attack but by keeping quite. In this if any service experiences an attack, the service can be degraded or immediately shutdown automatically this will make the attack difficult and the attacker will lose interest in trying to attack or will need more work to be done.
Countermeasures for Botnets
- Black Hole Filtering: This is a place or null port on a system where the malicious traffic will be sent, thus not affecting the actual system. The traffic reaching such ports will be dropped and not have any adverse effect on the system.
- Filtering based on Source IP reputation: Based on the history of traffic flows technologies like Cisco IPS can filter traffic based on what are genuine and new checking the history of communication.