Denial-of-Service

With hacking attacks being reported in the news more and more often, this page describes in general terms how one class of these attacks, denial-of-service, works.

Types of Attack

We'll get into specific attacks in a bit, but in general terms, denial-of-service attacks fall into four broad categories:
Tying up a server's capacity to accept new network connections
Tying up CPU cycles or other resources on the attacked host
Disabling network traffic (this can also happen accidentally)
Mail bombs

What most people don't realize is that network communications consist of several layers. Each layer has its own protocols for information transmission and security. Toward the bottom is the actual telecommunications layer. Because this layer carries the greatest concentration of traffic (after all, everything eventually gets reduced to bits being sent over wires), it is probably the weakest link in the chain: if your telecom layer can be interrupted, everything above it comes to a halt. In some companies, an interruption of communications for even a day can put the business in serious trouble; those companies will often have triple-redundant routing (or more) so that if one channel is attacked or cut, the other channels are still available.

Specific Attacks

Below are descriptions of six denial-of-service attacks (there are more). The descriptions are kept general; the same information is readily available on the net. Please don't ask for further details.

SYN Flood
The basic purpose of a SYN flood is to use up a server's capacity to accept new connections and thus prevent legitimate users from being able to connect. A TCP connection is set up with a three-message handshake: the client sends a SYN (SYnchronize sequence Number) packet that carries its source address and an initial sequence number; the server records the half-open connection and replies with a SYN-ACK; the client then sends an ACK and the connection is established. If the source address in the SYN is forged, the SYN-ACK goes to a host that never asked for a connection (or does not exist at all), so the final ACK never arrives. The half-open entry stays in the server's table until it times out, which typically takes more than a minute because the server retransmits the SYN-ACK several times before giving up. A SYN flood sends so many forged SYNs that the table is continuously full of half-open connections waiting for acknowledgments that never come, and the server drops new SYNs from legitimate users (unless one happens to arrive just at the moment one of the tied-up entries times out).
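To make the handshake and the half-open table concrete, here is a small simulation added for this page; it is not code from the original article or from any real TCP stack. The backlog of 8 entries, the 75-second timeout and the use of SHA-256 for the cookie are assumptions chosen to keep it short. It models the three messages described above, a flood of 100 SYNs with forged source addresses, and then one honest client, first with a conventional half-open table and then with SYN cookies, a technique in which the server encodes the connection state in its initial sequence number instead of storing it.

```python
"""Model of a TCP listener's half-open (SYN-received) table under a SYN flood.

Constructed simulation, not code from the page or from a real stack. The
backlog size, timeout and cookie hash are assumptions; real stacks use larger
backlogs and retransmit the SYN-ACK several times before dropping an entry.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Listener:
    backlog: int = 8                 # assumed: max half-open entries kept
    syn_timeout: int = 75            # assumed: seconds before an entry is dropped
    syn_cookies: bool = False        # stateless mode: store nothing per SYN
    secret: bytes = b"constructed-secret"
    half_open: dict = field(default_factory=dict)   # (ip, port) -> expiry time
    established: set = field(default_factory=set)

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def cookie(self, src_ip, src_port):
        """Server ISN derived from the client's address and a secret, so the
        server can verify the third message without having stored anything."""
        h = hashlib.sha256(self.secret + f"{src_ip}:{src_port}".encode()).digest()
        return int.from_bytes(h[:4], "big")

    def on_syn(self, now, src_ip, src_port):
        """First handshake message. True if a SYN-ACK goes out, False if dropped."""
        self._expire(now)
        if self.syn_cookies:
            return True                       # nothing to fill up
        if len(self.half_open) >= self.backlog:
            return False                      # table full: legitimate SYNs die here
        self.half_open[(src_ip, src_port)] = now + self.syn_timeout
        return True

    def on_ack(self, now, src_ip, src_port, ack_num):
        """Third handshake message. True if the connection becomes established."""
        self._expire(now)
        key = (src_ip, src_port)
        if self.syn_cookies:
            # No table lookup: recompute the cookie and check the client echoed it
            if ack_num != self.cookie(src_ip, src_port) + 1:
                return False
        elif key in self.half_open:
            del self.half_open[key]           # a real stack also checks ack_num here
        else:
            return False
        self.established.add(key)
        return True


def flood_then_connect(syn_cookies, delay):
    """100 SYNs from forged, unreachable sources at t=0, then one honest client
    at t=delay that completes the handshake. Returns True if it gets through."""
    srv = Listener(syn_cookies=syn_cookies)
    for i in range(100):
        srv.on_syn(0, f"10.9.{i // 256}.{i % 256}", 40000 + i)   # no ACK will ever follow
    client = ("192.0.2.10", 51000)
    if not srv.on_syn(delay, *client):
        return False                          # SYN dropped, table still full
    isn = srv.cookie(*client) if syn_cookies else 0   # ISN the SYN-ACK carried
    return srv.on_ack(delay, *client, isn + 1)


if __name__ == "__main__":
    for label, cookies, delay in (("half-open table, 1 s later", False, 1),
                                  ("half-open table, 80 s later", False, 80),
                                  ("SYN cookies, 1 s later", True, 1)):
        print(f"{label}: {'connected' if flood_then_connect(cookies, delay) else 'dropped'}")
```

With the stateful table the honest client is dropped while the forged entries are pending and only gets in once they have timed out; with SYN cookies there is no table to fill, so the flood costs the server bandwidth but not connections.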

Ping of Death
Ping (often expanded as Packet Internet Groper, although its author named it after the sound of sonar) is a program that tests whether a host on an IP network is reachable by sending an ICMP echo request and expecting an echo reply. The Ping of Death sends an echo request that is larger than the maximum size IP allows. The request is split into fragments that each look legal on their own, but when the targeted computer reassembles them the result overflows the buffer set aside for it. This can result in a system crash or in problems with the network programs running on the targeted computer.
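The condition a patched IP stack or firewall has to check is simple: an IPv4 datagram, header included, may be at most 65,535 bytes, and the fragment offset field counts in units of 8 bytes, so the claimed end of the last fragment tells you the reassembled size before you allocate anything. The following check is an added example, not code from the original page; the fragment tuples are constructed, and the 1480-byte fragment payload assumes a 1500-byte Ethernet MTU. The classic case was a Windows `ping -l 65510`, which produced 65510 data bytes plus the 8-byte ICMP header plus the 20-byte IP header, or 65,538 bytes.

```python
"""Detect IP fragment sets that would reassemble past the IPv4 maximum.

Added example, not from the original page. Each fragment is legal by itself;
the overflow only shows up when the offset of the last fragment plus its
length is added up. Fragment tuples are constructed; the MTU is an assumption.
"""
IP_MAX_DATAGRAM = 65535     # 16-bit total-length field, header included
IPV4_HEADER_LEN = 20        # minimal header; IP options would make it longer
MAX_FRAG_OFFSET = 8191      # 13-bit offset field, in 8-byte units


def reassembled_length(fragments):
    """fragments: iterable of (offset_units, payload_len, more_fragments).
    Returns the datagram length (header + payload) the fragments claim."""
    end = 0
    for offset, payload_len, _more in fragments:
        if not 0 <= offset <= MAX_FRAG_OFFSET:
            raise ValueError(f"impossible fragment offset {offset}")
        end = max(end, offset * 8 + payload_len)
    return IPV4_HEADER_LEN + end


def is_oversized(fragments):
    """True if reassembling would exceed what IP can carry (reject before buffering)."""
    return reassembled_length(fragments) > IP_MAX_DATAGRAM


def build_fragments(ip_payload_len, mtu_payload=1480):
    """Split an IP payload (ICMP header + data) into fragments the way a sender
    on a 1500-byte MTU link would: 1480 payload bytes per fragment."""
    frags, offset = [], 0
    while ip_payload_len > 0:
        chunk = min(mtu_payload, ip_payload_len)
        ip_payload_len -= chunk
        frags.append((offset // 8, chunk, ip_payload_len > 0))
        offset += chunk
    return frags


# Constructed samples: a normal 56-byte ping and the Windows "ping -l 65510"
ICMP_HEADER_LEN = 8
NORMAL_PING = build_fragments(ICMP_HEADER_LEN + 56)
PING_OF_DEATH = build_fragments(ICMP_HEADER_LEN + 65510)

if __name__ == "__main__":
    for name, frags in (("normal ping", NORMAL_PING), ("ping -l 65510", PING_OF_DEATH)):
        print(f"{name}: {len(frags)} fragment(s), claims {reassembled_length(frags)} bytes,"
              f" oversized={is_oversized(frags)}")
```

Note that the last fragment of the oversized request sits at offset 8140 (65,120 bytes in) with 398 bytes of payload, both perfectly ordinary values; only the sum gives the attack away, which is why a per-packet size check on the wire does not catch it.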

Mail Bombs
Unlike the E-mail virus hoaxes which claim you can get a virus simply by reading E-mail, the mail bomb is a real attack: the sending of a very large volume of mail to a mailbox or mail server. Many servers can't handle such volumes; the queue and disk fill up, so legitimate users are denied service or their mail is lost.
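Because a mail bomb is just ordinary mail arriving too fast, the practical check is volume over time per sender and per recipient rather than anything in the messages. The detector below is an added example, not code from the original page: the log format (epoch seconds, sender, recipient, size in bytes), the sample lines and the thresholds are all constructed and would have to be tuned to a site's normal traffic. It keeps a sliding window per address and reports the first moment an address exceeds either the message-count or the byte limit.

```python
"""Sliding-window mail-bomb detector run over constructed log lines.

Added example, not part of the original page. Log format and thresholds are
assumptions; real mail servers log differently.
"""
from collections import deque, defaultdict


def parse(line):
    ts, sender, rcpt, size = line.split()
    return int(ts), sender, rcpt, int(size)


def detect_mail_bombs(lines, window=60, max_msgs=20, max_bytes=30_000_000):
    """Returns {("from"|"to", address): (ts, count, bytes)} for the first moment
    each sender or recipient exceeded a threshold within the sliding window."""
    windows = defaultdict(deque)       # key -> deque of (ts, size) inside the window
    flagged = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, sender, rcpt, size = parse(line)
        for key in (("from", sender), ("to", rcpt)):
            q = windows[key]
            q.append((ts, size))
            while q[0][0] < ts - window:   # drop entries older than the window
                q.popleft()
            count, total = len(q), sum(s for _, s in q)
            if key not in flagged and (count > max_msgs or total > max_bytes):
                flagged[key] = (ts, count, total)
    return flagged


# Constructed sample log: five ordinary messages from alice, then one source
# delivering fifty 2 MB messages to a single mailbox, one per second.
SAMPLE_LOG = [f"{ts} alice@example.com bob@example.com 4096"
              for ts in (900, 950, 1010, 1030, 1100)]
SAMPLE_LOG += [f"{1000 + i} bomber@attacker.test victim@example.com 2000000"
               for i in range(50)]

if __name__ == "__main__":
    for (kind, addr), (ts, count, total) in detect_mail_bombs(SAMPLE_LOG).items():
        print(f"{kind} {addr}: {count} messages / {total} bytes in the last 60 s at t={ts}")
```

Tracking recipients as well as senders matters because a mail bomb may arrive from many forged senders; the victim mailbox is then the only address that stands out.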

Host System Hogging
One of the oldest methods of attack, this basically involves causing a program to run on the attacked system that ties up its CPU, making the system unavailable to other users. Left unchecked, such a program can bring the system to a crawl or take it down altogether. Since this type of attack has been around for some time, most operating systems have safeguards built in (limits on how much CPU time, memory and how many processes a single user may consume). But newer operating systems are sometimes vulnerable (e.g., at this writing, hackers are still finding holes in NT that, in theory, could be exploited by an ActiveX control or, perhaps, a Netscape plug-in; as they are found, these holes are being plugged).

Rogue Applets
These attacks are not directed against a server but against users. Most user operating systems are not particularly secure, and hostile applets embedded in web pages have already been published which, when downloaded and run, put the user's system into an infinite loop that requires a restart to end. This is why it's very important to browse with automatic running of applets turned off. If you get to a page that requires an applet and you trust the source, change your browser's security level and reload the page (but don't forget to turn automatic running off again when done).

Accidental Denial-of-Service
The internet is a complicated place and there is no single, central point of control for everything. With so many individuals and companies involved, there are bound to be errors. One happened in 1997 when a corrupted DNS table (the table that maps domain names to their numerical addresses) was released for distribution. The error was quickly discovered, but it took roughly three hours for the good table to propagate across the internet and replace the bad one. During this time, many systems could not be reached because the local DNS table contained incorrect information.

Distributed Denial of Service Attacks
Attacks can be sent by an individual or individuals, or can be set up to be sent automatically by programs known as Zombies that were installed on various computers in advance of the attack. With Zombies, all the attacker need do is send a single command and they carry out the attack. This method more easily isolates the attacker from those who might want to find him or her, as the attack itself comes from completely unrelated computers that may be half a world away, and the combined traffic of many Zombies is far harder to absorb than that of a single source.

What Can Be Done?

Often, nothing; particularly as a user (except for applet attacks, which you can prevent by not letting applets load). If a server you use is attacked, you must wait for the administrator of that server to take action. Even that is sometimes hard, because it's often difficult to trace where an attack is coming from: it takes the cooperation of administrators upstream to determine exactly where the traffic originates, and by the time that research can be done the attack is often over, only to be started again from some other location.

Some specific attacks can be countered by upgrades to the network operating system (SYN cookies, for example, let a server keep accepting connections during a SYN flood without storing a table of half-open connections, and patched IP stacks reject fragmented packets that would reassemble to more than the legal size). So if you operate a server, make certain you have the latest software and know about all the security patches that have been issued for it. If you use a firewall, start with the default of all services turned off and then specifically turn on only the services you actually use. This prevents attacks against services you don't use but which could, nevertheless, be used to deny service.

The bottom line is that, as in all cases of "bad" behavior, the ultimate solution would be an improvement in the behavior of those who take servers down just for the fun of it. Until those morals improve there will always be attacks and countermeasures, and those in the middle just have to keep up to date.

Additional Resources

Here are a few government agencies and organizations that can be of help or provide additional information:

CERT Coordination Center (http://www.cert.org) - A centralized security center based at Carnegie Mellon University (CERT is not an acronym; it's simply a service mark of Carnegie Mellon University).
The SANS Institute (http://www.sans.org) - A security organization consisting of many different experts. They host security seminars and produce a frequent security bulletin you can obtain via E-mail.
The Hacker Emergency Response Team (http://www.hert.org) - A group that analyzes attacks and participates in various security projects as they interest them.
FBI National Infrastructure Protection Center (http://www.nipc.gov) - A centralized center for computer attack analysis and response.

Copyright 2000 Computer Knowledge, All rights reserved