DoS attacks

Denial of Service attacks (DoS attacks) are malicious attacks that aim to flood a system, server and/or network with traffic in order to overload its resources and bandwidth and thus disrupt business operations. As a result, the system is no longer able to process and fulfil legitimate requests, and users are prevented from performing routine and necessary tasks.

While a DoS attack originates from a single system, a distributed denial of service (DDoS) attack is launched from a large number of malware-infected host machines under the attacker's control. These attacks are faster and more difficult to block than DoS attacks, as multiple sources must be identified and neutralised to stop the disruption.

What are they used for?

DoS and DDoS attacks do not directly benefit the attackers. Their main goal is to disrupt the victim's service. This is why they are called denial of service attacks: they affect the target site so that it can no longer provide services to those who want to access it.

Attackers also use them to create an opportunity for another type of attack. A successful DoS or DDoS attack usually takes the system offline, which can leave it vulnerable to other types of attack. A common way to prevent such attacks is to use a firewall that determines whether requests sent to the website are legitimate. Bogus requests can then be discarded, allowing normal traffic to flow without interruption.

The most common DoS attacks are the TCP SYN flood attack, the Teardrop attack, the Smurf attack, the Ping of Death attack and botnets.

TCP SYN Flood Attack

TCP SYN flood attacks (also called SYN floods) are DoS attacks that consume all available resources of the attacked server and make it inaccessible to legitimate traffic. They can target any system connected to the Internet that offers Transmission Control Protocol (TCP) services (e.g. a web server, email server or file transfer service).

SYN flood attacks exploit the handshake process of a TCP connection. The TCP layer becomes saturated, preventing the handshake between client and server from completing on each port.

Under normal conditions, any connection between a client and a server using TCP requires a three-way handshake, a series of messages exchanged by the client and the server:

  1. The client starts the connection by sending a SYN (synchronise) message to the server;
  2. The server acknowledges this message by sending a SYN/ACK (synchronise-acknowledge) message back to the client;
  3. The client confirms the connection with a final ACK message. With this, the TCP connection is established and data can be sent and received.

The aim of this message transmission is to verify the authenticity of each participant and to determine the encryption key and options that will secure further communication. This process must be completed before a communication interface becomes available between the two parties.

Attack description

In a TCP SYN flood attack, the attacker sends repeated SYN requests to each port of the target server to overwhelm it and make it unable to respond to genuine connection requests. This works as follows:

  • The attacker sends a large number of SYN requests to the server, often from spoofed IP addresses;
  • The server, which is not aware of the attack, responds to each connection attempt with a SYN/ACK packet and leaves a port open to receive the response;
  • The attacker sends further SYN requests while the server is still waiting for the ACK confirmation. Each new SYN packet causes the server to hold a new port connection open for a certain time. Once all available ports are occupied, the server can no longer function normally. All of the server's communication ports end up in a half-open state: the server keeps opening connections and waiting for each one to time out before the port becomes available again. This is why this type of attack is also called a "half-open attack".

Mitigation

There are several methods to mitigate this type of attack:

  • Use of SYN cookies: the server sends its SYN-ACK with a sequence number (seqno) computed by cryptographic hashing from the client's IP address, the port number and some other unique information. When the client replies, this value comes back in the ACK packet. The server verifies the ACK first and only then allocates memory for the connection;
  • Use of RST cookies: the server deliberately sends an invalid SYN-ACK in response to the first request from a particular client. This causes the client to generate an RST packet telling the server that something is wrong. When this packet arrives, the server knows that the request is legitimate, records the client and accepts further incoming connections from it;
  • Use of micro-blocks: a micro record (up to 16 bytes) is allocated in server memory for each incoming SYN request instead of a complete connection object;
  • Increase backlog queue: adjust the TCP stack to mitigate the impact of SYN floods, either by reducing the timeout after which the stack releases the memory allocated to a half-open connection or by selectively dropping incoming connections;
  • Recycling of the oldest half-open TCP connection: overwrite the oldest half-open connection as soon as the backlog is full. This method assumes that legitimate connections can be fully established in less time than it takes to fill the backlog with malicious SYN packets. However, this defence fails as the attack volume increases.
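As an added illustration of the SYN cookie mitigation above (example code written for this page, not the Linux or BSD implementation): the server derives the SYN-ACK sequence number from a keyed hash of the client's address, the ports and a coarse time slot, then verifies the returned ACK without having stored any per-connection state, so spoofed SYNs that never complete the handshake cost it no memory. The secret key, the 64-second slot width, the 8-bit slot / 24-bit MAC split and the simulate_flood helper are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Assumptions for this example (not the Linux/BSD scheme): a per-server secret
# and 64-second time slots; the top 8 bits of the 32-bit ISN carry the slot
# number mod 256, the low 24 bits a truncated HMAC.
SECRET = b"example-secret-rotate-regularly"
SLOT_SECONDS = 64


def _slot(now):
    return int(now // SLOT_SECONDS)


def make_syn_cookie(client_ip, client_port, server_port, now=None):
    """ISN for the SYN-ACK: derived from the client address, the ports and the
    current time slot, so the server stores nothing for this half-open SYN."""
    slot = _slot(time.time() if now is None else now)
    msg = f"{client_ip}|{client_port}|{server_port}|{slot}".encode()
    mac24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((slot & 0xFF) << 24) | mac24


def check_ack(client_ip, client_port, server_port, ack_number, now=None):
    """Validate the handshake's final ACK (ack = ISN + 1) by recomputing the
    cookie for the current and the previous slot; only a match allocates state."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    current = _slot(time.time() if now is None else now)
    for slot in (current, current - 1):
        expected = make_syn_cookie(client_ip, client_port, server_port,
                                   now=slot * SLOT_SECONDS)
        if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return True
    return False


def simulate_flood(spoofed_syns, real_client, now):
    """Show why cookies defeat the half-open backlog: spoofed SYNs that never
    ACK allocate nothing; only the real client's valid ACK allocates a connection."""
    for ip, port in spoofed_syns:
        make_syn_cookie(ip, port, 443, now)          # SYN-ACK sent, nothing stored
    ip, port = real_client
    ack = make_syn_cookie(ip, port, 443, now) + 1    # real client completes the handshake
    return 1 if check_ack(ip, port, 443, ack, now) else 0
```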

Teardrop attack

Teardrop attacks are DoS attacks that send fragmented data packets to a target server. They exploit a flaw in the TCP/IP fragment reassembly code of some operating systems when processing large amounts of data. Instead of assembling all the pieces in the correct order and delivering them as expected, the system waits for pieces that never arrive. Attackers exploit this flaw by sending huge, fragmented data packets to the target computer whose fragments overlap each other. Since the server is unable to reassemble the packets, it is overloaded and crashes. Teardrop attacks usually work on computers with older operating systems, such as Windows 95, Windows 3.1x, Windows NT and some earlier versions of Linux. However, some attacks have also worked on Windows 7 and Windows Vista systems.

Mitigation

Modern network devices are very advanced and can easily detect corrupted fragmented packets. Once a problematic packet has been identified, it can be excluded to prevent the teardrop attack.

Some methods to defuse a teardrop attack:

  • If older machines are still in use and the corresponding patches are not available, SMBv2 must be deactivated and ports 139 and 445 blocked (as recommended by Microsoft);
  • An efficient firewall network: it filters junk and infected data and keeps them out of the network;
  • Cache: it serves the content required for the normal operation of a device, helping to mitigate the risks associated with the attack;
  • Secure proxy: it checks incoming packets and prevents erroneous data from entering the unit.

Smurf attack

Smurf attacks are DoS attacks in which the attacker floods the target server by exploiting Internet Protocol (IP) and Internet Control Message Protocol (ICMP) vulnerabilities. These attacks originate from the attacker's computer and target routers that interact with a large number of devices. They work by overloading network resources: ICMP echo requests are sent to machines on the network, and the computers respond with echo replies. This creates a botnet-like situation that generates a high rate of ICMP traffic. As a result, the server is flooded with data requests and ICMP packets that overwhelm and slow down the system, making it inoperable and vulnerable to attack.

Attack description

The Smurf attack normally works in the following steps:

  • First, the malware creates a network packet attached to a false IP address. This technique is called "spoofing". The malware can be downloaded from an unverified website or an infected email attachment, for example. It usually remains inactive until a remote user activates it;
  • The packet contains an ICMP ping message asking the network nodes receiving the packet to send back a response;
  • These responses, or "echoes", are then sent back to the IP addresses on the network, creating an endless loop.

Mitigation

There are some techniques to defend against these DoS attacks:

  • Block IP-directed broadcasts: disabling directed broadcast traffic on the routers prevents ICMP echo broadcast requests from reaching the network devices;
  • Configure routers and hosts so that they do not respond to ICMP echo requests sent to broadcast addresses.

Ping of Death (PoD) attack

Ping of Death (PoD) attacks are DoS attacks in which the attacker aims to disrupt, crash or freeze the target system by sending oversized data packets using a simple ping command.

A valid Internet Protocol Version 4 (IPv4) packet is at most 65,535 bytes long. Some computers cannot process larger packets.

Attack description

The attack works as follows:

  • Computers use an ICMP echo request/reply messaging system (known as "ping") to test network connections. The system works essentially like sonar between devices: it sends out a pulse that echoes back to inform the operator about the network environment. If the connection is working as it should, the source device receives a response from the destination device. Ping commands are limited to a maximum size of 65,535 bytes.
  • Attackers use the ping command to build a ping of death: a simple loop executes the ping command with packet sizes that exceed the 65,535-byte limit once the target computer reassembles the fragments.
  • Sending packets larger than 65,535 bytes violates the IP specification. To get around this, attackers send the packet in fragments, which the target system then tries to reassemble. If this succeeds, the oversized packet causes a memory overflow, and the target server crashes, freezes or reboots.

Hackers can exploit this vulnerability in any source that sends IP datagrams. This includes ICMP echoes, Internetwork Packet Exchange (IPX), Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Mitigation

Companies can use the following techniques to prevent these DoS attacks:

  • Use firewalls that check fragmented IP packets against the maximum size and block ICMP ping messages;
  • Add checks to the reassembly process to ensure that datagrams do not exceed the maximum packet size after recombination;
  • Set up a memory buffer with enough space to process packets that exceed the maximum size.
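The following added example (not from the original article) serves both the teardrop description above and the reassembly check in the Ping of Death mitigation list: a simplified fragment reassembler that drops overlapping fragments and refuses any datagram that would exceed 65,535 bytes before buffering a single byte, while merely waiting (rather than failing) on gaps. The Fragment structure with plain byte offsets, the BadFragment exception and the classify helper are assumptions for the example; the sample fragments are constructed.

```python
from dataclasses import dataclass

IP_MAX_LEN = 65_535  # maximum IPv4 datagram length mentioned in the text

@dataclass(frozen=True)
class Fragment:
    """Simplified IPv4 fragment: byte offset of the payload (a real header stores
    offset/8 in a 13-bit field), the payload and the More Fragments (MF) flag."""
    offset: int
    payload: bytes
    more_fragments: bool

class BadFragment(ValueError):
    """Raised for fragments a hardened reassembler should drop."""

def reassemble(fragments):
    """Return the reassembled datagram, None while pieces are still missing,
    or raise BadFragment for the two malformed patterns described above."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    # Ping of Death check: refuse any fragment that would push the total past
    # IP_MAX_LEN, before a single byte is buffered.
    for frag in ordered:
        end = frag.offset + len(frag.payload)
        if end > IP_MAX_LEN:
            raise BadFragment(f"oversized: fragment ends at {end}, limit {IP_MAX_LEN}")
    # Teardrop check: no fragment may start inside bytes already covered.
    buf, expected_next = bytearray(), 0
    for frag in ordered:
        if frag.offset < expected_next:
            raise BadFragment(f"overlap: offset {frag.offset} < {expected_next}")
        if frag.offset > expected_next:
            return None  # gap: keep waiting (a real stack bounds this with a timer)
        buf += frag.payload
        expected_next = frag.offset + len(frag.payload)
    if not ordered or ordered[-1].more_fragments:
        return None  # final fragment (MF clear) not seen yet
    return bytes(buf)

def classify(fragments):
    """Convenience wrapper returning 'ok', 'waiting' or 'drop: <reason>'."""
    try:
        data = reassemble(fragments)
    except BadFragment as exc:
        return f"drop: {exc}"
    return "ok" if data is not None else "waiting"

# Constructed sample fragments (not captured traffic).
GOOD = [Fragment(1480, b"B" * 520, False), Fragment(0, b"A" * 1480, True)]
TEARDROP = [Fragment(0, b"A" * 1480, True), Fragment(1000, b"B" * 100, False)]
PING_OF_DEATH = [Fragment(0, b"A" * 1480, True), Fragment(65528, b"C" * 100, False)]
```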

Botnets

A botnet is a group of malware-infected, internet-connected devices controlled by an attacker (also called a bot-herder). Each individual machine within the botnet is called a bot. The bot-herder operates the botnet infrastructure from a central point and can use the compromised devices to carry out a coordinated criminal action simultaneously. Botnets are often used for DDoS attacks, distributing malware, sending spam emails, financial crime and click fraud.

Botnets arise when the bot-herder sends bots under its command from command-and-control servers to unsuspecting recipients, using file shares, emails, social media applications or other bots as intermediaries. As soon as the recipient opens the malicious file on their device, the bot reports back to the control centre, from where the bot-herder can issue commands to the infected machines.

Botnets are well suited to long-term intrusions. Bots can easily be updated by the bot-herder and can change their entire functionality depending on what the bot-herder wants to achieve. They can also adapt to the adjustments and countermeasures of the target system, and they can use other infected devices in the botnet as communication channels, giving the attacker many channels through which to adapt their functions and deliver updates.

Mitigation

The following techniques can help mitigate botnet attacks:

  • Regular software updates to reduce the likelihood of a botnet attack exploiting vulnerabilities in the system;
  • Deployment of an intrusion detection system (IDS) throughout the network;
  • Use of blackhole filters that stop unwanted traffic before it enters a protected network.
