A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In this article we will look at a DoS and a DDoS which is a "Distributed Denial of Service" attack where the attack comes from multiple hosts, not just one host, to maximize the resulting devastation.
Denial of Service 101
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
Denial of Service (DoS)
To understand a DDoS attack and its consequences, we first need to grasp the fundamentals of DoS attacks. The progression from understanding DoS to DDoS is quite elementary, though the distinction between the two is important. Given its name, it should not come as a surprise that a DoS attack is aimed squarely at ensuring that the service a computing infrastructure usually delivers is negatively affected in some way. This type of attack does not involve breaking into the target system. Usually a successful DoS attack reduces the quality of the service delivered by some measurable degree, often to the point where the target infrastructure of the DoS attack cannot deliver a service at all.
A common perception is that the target of a DoS attack is a server, though this is not always the case. The fundamental objective of a DoS attack is to degrade service, whether it be hosted by a single server or delivered by an entire network infrastructure.
A DoS attack attempts to reduce the ability of a site to service clients, be they physical users or logical entities such as other computer systems. This can be achieved by either overloading the ability of the target network or server to handle incoming traffic or by sending network packets that cause target systems and networks to behave unpredictably. Unfortunately for the administrator, unpredictable behavior usually translates into a hung or crashed system.
Numerous forms of DoS attacks exist, some of which can be difficult to detect or deflect. Within weeks or months of the appearance of a new attack, subtle copycat variations along the same theme begin appearing elsewhere. By this stage, not only must defenses be deployed for the primary attack, but also for its more distant cousins.
Many DoS attacks take place across a network, with the perpetrator seeking to take advantage of the lack of integrated security within the current iteration of Internet Protocol (IP), IP version 4 (IPv4). Hackers are fully aware that security considerations have been passed on to higher-level protocols and applications. An attempt to rectify this problem has resulted in IP version 6 (IPv6), which includes a means of validating the source of packets and their integrity by using an authentication header. Although the continuing improvement of IP is critical, it does not resolve today's problems because IPv6 is not in widespread use.
DoS attacks do not only originate from remote systems, but also locally to the machine. Local DoS attacks are generally easier to locate and rectify because the parameters of the problem space are well defined (local to the host). A common example of a local based DoS attack includes fork bombs that repeatedly spawn processes to consume system resources.
Although DoS attacks do not in themselves generate a risk to confidential or sensitive data, they can act as an effective tool to mask other more intrusive activities that could take place simultaneously. Although administrators and security officers are attempting to rectify what they perceive to be the main problem, the real penetration could be happening elsewhere. In the confusion and chaos that accompanies system crashes and integrity breaches, experienced hackers can slip in undetected.
The financial and publicity implications of an effective DoS attack are hard to measure-at best, they are embarrassing and at worst, a deathblow. In the world of e-commerce, a customer's allegiance is fleeting. If a site is inaccessible or unresponsive, an alternate virtual shop front is only a few clicks away. Companies reliant on Internet traffic and e-purchases are at particular risk from DoS and DDoS attacks. The Web site is the engine that drives e-commerce, and customers are won or lost on the basis of the site's availability and speed. A hacker, regardless of motive, knows that the real place to hurt an e-business is to affect its Internet presence in some way. Unfortunately, DoS attacks can be an efficient means of achieving this end; the next sections cover two elemental types of DoS attacks: resource consumption attacks (such as SYN flood attacks and amplification attacks) and malformed packet attacks.
BSOD with SMBDie
So, you want to truly create some mischief? I figured you didn't because of your White Hat status, but that wont stop all the kiddies on the network from playing games with you! Well, if you start seeing your servers Blue Screen (BSOD - Blue Screen of Death) without reason then you should be aware of some of the downloadable click kiddie aggravation-ware that is freely available on the Internet! Yes, you too can download this Windows based operating system crasher too, just run a search on it and there it is. This tool, when executed on a network will provide the attacker with a way to send specially crafted packets to your systems to crash them. This is of course the very nature of a Denial of Service (DoS) attack because if the servers aren't up and serving, then no service will be provided to your network clients. Fortunately for you, good enterprise level Antivirus will find and quarantine this little monster for you if loaded on a machine, problem is, and you have to ensure that every device on the network has Antivirus software on them. I like to test this theory by sneaking into a network closet with some open hub ports and my laptop. Within minute, the servers are down. Be aware of problems like this as a MCP and a White Hat Security Analyst.
To continue with our discussion on Denial of Service, we need to look at the resources on your system and how Trojans and attackers executing and launching attacks can eat up all the resources on your servers. Computing resources are by their very nature finite (though we wish it could be otherwise!). Administrators around the world bemoan the fact that their infrastructure lacks network bandwidth, CPU cycles, RAM, and secondary storage. Invariably the lack of these resources leads to some form of service degradation the computing infrastructure delivers to the clients. The reality of having finite resources is highlighted even further when an attack is orchestrated to consume these precious resources.
The consumption of resources (and in this instance bandwidth is considered to be a resource) involves the reduction of available resources, whatever their nature, by using a directed attack. One of the more common forms of DoS attack targets network bandwidth. In particular, Internet connections and the supporting devices is a prime target of this type of attack due to their limited bandwidth and visibility to the rest of the Internet community. Very few businesses are in the fortunate position where they have too much Internet bandwidth (does such a thing exist?), and when a business relies on the ability to service client requests quickly and efficiently, a bandwidth consumption attack can drive home how effectively that bandwidth can be used to bring the company to its knees.
Launching A Distributed DoS
DDoS attacks advance the DoS conundrum one more painful step forward. DoS attacks have evolved beyond single-tier (SYN flood) and two-tier (Smurf) attacks. Modern attack methodologies have now embraced the world of distributed multi-tier computing. One of the significant differences in methodology of a DDoS attack is that it consists of two distinct phases. During the first phase, the perpetrator compromises computers scattered across the Internet and installs specialized software on these hosts to aid in the attack. In the second phase, the compromised hosts, referred to as zombies, are then instructed through intermediaries (called masters) to commence the attack. In figure 11.6 we look at the simplified explanation of a Distributed Denial of Service attack.
- The Vicious Attacker plans his/her attack. The first step is to recruit Zombies to do the dirty work.
- The Vicious Attack then crafts a Trojan (like we looked at earlier) that can be planted on unsuspecting machines. E-mails are sent, machines are infected and once infected they are recruited into the Zombie Hoard.
- Eventually, the Vicious Attacker plans out an attack once the army has been built. An unsuspecting victim site is chosen (in this scenario www.hackme.com is the unlucky site).
- The Vicious Attacker launches a flood of traffic to hackme.com and it is so flooded with bogus traffic from 100's of machines that it can't serve up request for any real shoppers to the site. This attack can vary from SYN floods to Pings of Death - it really doesn't matter what the attack is - its really just the point of mapping out that this single person just planted all these Trojans, launched a massive attack and sat back and watched it happen in the safety of their own home.
Thanks to the Zombie Hoard, the Vicious Attacker walks away free of any worry that he or she is going to be caught from anyone because a packet never left their machine to attack hackme.com
A view of recruiting Zombies
Hundreds, possibly thousands, of zombies can be co-opted into the attack by diligent hackers. Using the control software, each of these zombies can then be used to mount its own DoS attack on the target. The cumulative effect of the zombie attack is to overwhelm the victim with either massive amounts of traffic or to exhaust resources such as connection queues.
Additionally, this type of attack obfuscates the source of the original attacker: the commander of the zombie hordes. The multi-tier model of DDoS attacks and their ability to spoof packets and to encrypt communications can make tracking down the real offender a tortuous process.
The command structure supporting a DDoS attack can be quite convoluted and it can be difficult to determine a terminology that describes it clearly. Perhaps one of the more understandable naming conventions for a DDoS attacks structure and the components involved is detailed below.
Software components involved in a DDoS attack include:
- Client: The control software used by the hacker to launch attacks. The client directs command strings to its subordinate hosts.
- Daemon: Software programs running on a zombie that receives incoming client command strings and acts on them accordingly. The daemon is the process responsible for actually implementing the attack detailed in the command strings.
Hosts involved in a DDoS attack include:
- Master: A computer from which the client software is run.
- Zombie: A subordinate host that runs the daemon process.
- Target: The recipient of the attack.
In sum, As a Microsoft Certified Professional responsible for a network's security, you should be very aware of these issues because it can cause you massive problems and embarrassment when it is found out that your 30 IIS 5.0 web servers took part in the activity of taking Yahoo.com out of service. It does happen if you are not aware of what your system are doing.