Denial of Service Attacks part 1

Denial of Service attacks (DoS) and Distributed Denial of Service attacks have the same purpose; to make the service in question unavailable to those trying to make use of it.

The type of attack most commonly associated with DoS / DDoS is that of bandwidth or resource exhaustion.  These are attacks where a malicious user or group sends a large enough volume of traffic to the service, usually a web site, such that it becomes unavailable to legitimate users.  These attacks are based on simple math, if a web service has the capacity to service 2Gb per second, and an attacker can consistently send greater than 2Gb per second then they can likely make the service unavailable to legitimate users (anti DoS measures not withstanding).  This also works in terms of server resource, if an attacker can send enough requests to overload the servers hosting a service they can make the service unavailable to legitimate users.

At its simplest, this type of attack originates from a collection of machines, likely a bot-net, all sending requests to a web service until the bandwidth that service has available is exhausted.

This type of attack has historically been very successful in taking down web sites / services for periods of time.  It is however an attack that has well defined methods of defending against and many vendors offer services to protect against it.  These usually take the form of high bandwidth ‘cleaning centres’ or ‘scrubbing centres’ that monitor traffic going to through them to their customers.  These employ various trafic analysis techniques and can block / clean very large volumes of traffic while still sending legitimate traffic onto the service that is under attack.

This type of attack is made considerably worse by the ability to amplify the attack such that a relatively small volume of source traffic can become a huge volume of traffic hitting the victim systems.  Examples of these amplification attacks are ‘Smurf’ and ‘DNS amplification’.  These attacks have received considerable press recently due to their successful and high impact use in things such as the Spamhaus attack;

http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/

This was billed as the ‘biggest DDoS attack in history’.

A good overview of DNS amplification attacks can be found here;

http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

The success of these attacks highlights the need to ensure that all internet connected routers and DNS servers are correctly and securely configured.  Most (possibly all) of the amplification attacks rely on address source spoofing – they spoof the IP address of the victim systems as the source of the initial request so that the amplified replies go to this address, not the attackers.  I find it a shame that these types of attacks that rely on source address spoofing could largely be eliminated if devices were configured according to RFC 2267, published in 1998!

http://www.ietf.org/rfc/rfc2267.txt

However, while these attacks are both common and insidious, they are the most simple form of DoS/DDoS attack.  They are also the most simple to defend against for all but the most massive attacks.

So that briefly covers the most commonly thought of Denial of Service attacks.  The next post will go into more details around the much more interesting, to me anyway, DoS attacks that work by attacking issues in TCP/IP stacks, and web server functionality etc.

K

Leave a Reply

Your email address will not be published. Required fields are marked *