Denial of Service

Availability, along with confidentiality and integrity, forms the CIA triad.  Availability implies reliable and timely access to a desired resource.  A denial of service attack (DOS) can be launched from a single source or, more recently, distributed among a range of sources (DDOS).  It is a form of attack where the intention is to exhaust the target's resources by flooding it with requests, such that it is rendered unavailable, resulting in a denial of service to legitimate users.  Distributed attacks are coordinated by a command system of handlers with which the bots/agents are in contact.  Together the bots are often referred to as a botnet.  When synchronised, these attacks can bring down the web services of large organisations, as can be seen in the cases of Yahoo, Amazon, eBay, CNN and several (Abliz, 2011).

These attacks are on the increase, are continually growing more sophisticated and are potentially devastating for businesses reliant on Internet services.  There are several types of DOS attack, corresponding to the layers of the Open Systems Interconnection (OSI) model.  Some attacks target a specific protocol or layer; these are outlined below (Elleithy et al., 2005).  Some attacks exploit known vulnerabilities, aiming for a few requests to consume excessive resources, while others rely on flooding and brute force using a large volume of requests.

DOS agents are designed around attacking a specific target: it could be a particular application on a host, an end system, a router, a link, a network or a particular piece of infrastructure.  As such they operate over different protocols depending on the target and on the OSI layers which that target implements.  The Internet Protocol (IP) is a best-effort, connectionless packet-switching protocol, i.e. it does not maintain a connection, and packets are resent as required.  The transport layer provides end-to-end communication services for applications, supported by the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) (Abliz, 2011).  DOS attacks include the Ping of Death, UDP flood, TCP SYN flood, Ping flood and IP TTL expiry attack.

The Internet Control Message Protocol (ICMP) is an error-reporting protocol used by network devices to report errors back to the source IP address.  Ping operates by sending ICMP Echo Request packets to the target and waiting for a reply.  The Ping of Death attack sends oversized ICMP packets.  A Ping flood involves sending ICMP packets at a high rate.

The TTL expiry attack consists of sending IP packets with a Time To Live (TTL) set to expire at the targeted router.  When the network device detects that the TTL has reached 0, it discards the packet and sends an ICMP message back to the sender.  When receiving a large volume of expiring packets, the device's CPU spends significant resources processing these packets and sending replies.

SYN, SYN-ACK Flood

The TCP 3-way handshake begins with the client sending a TCP SYN (synchronise) packet to a server.  The server receives the SYN, allocates some resources and replies with a SYN acknowledgement (SYN-ACK).  When the client receives this SYN-ACK it sends an acknowledgement (ACK) back, and when the server receives the ACK the socket connection is established.

The SYN flood works as follows: when establishing a TCP connection, a client initiates a session by sending a SYN packet with an invalid return address.  The host acknowledges receipt of the request by generating a SYN-ACK packet and assigns the resources required by the anticipated connection.  If the connection is never completed, those resources remain held, resulting in a diminishing pool of resources available for other connections. (http://techmightsolutions.blogspot.co.uk/2013/05/syn-flood-attack-using-scapy.html)
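To make the server-side behaviour described above concrete, here is an added Python example (not part of the original post) that replays a constructed packet trace against a simulated listener with an assumed backlog limit and half-open timeout, and flags the trace as a suspected SYN flood when few of the SYNs ever complete the handshake.

```python
# Assumed listener parameters (hypothetical values, not from the post).
BACKLOG_LIMIT = 8        # half-open connections the server can hold
HALF_OPEN_TIMEOUT = 3.0  # seconds before an unanswered SYN-ACK is discarded

def process_trace(packets, backlog_limit=BACKLOG_LIMIT, timeout=HALF_OPEN_TIMEOUT):
    """Replay (time_s, src_ip, flags) records against a simulated TCP listener.
    "S": client SYN, server allocates a backlog slot and sends SYN-ACK.
    "A": client's final ACK, slot released, connection established.
    Returns (completed, refused, peak_half_open)."""
    half_open = {}  # src_ip -> time the SYN-ACK was sent
    completed = refused = peak = 0
    for t, src, flags in sorted(packets):
        # Release slots whose SYN-ACK was never answered within the timeout.
        for ip, t_syn in list(half_open.items()):
            if t - t_syn > timeout:
                del half_open[ip]
        if flags == "S":
            if len(half_open) >= backlog_limit:
                refused += 1  # a legitimate client sees this as denial of service
            else:
                half_open[src] = t
        elif flags == "A" and src in half_open:
            del half_open[src]
            completed += 1
        peak = max(peak, len(half_open))
    return completed, refused, peak

def syn_flood_suspected(packets, min_syns=20, max_completion_ratio=0.5):
    """Flag a trace where many SYNs arrive but few handshakes ever complete."""
    syns = sum(1 for _, _, f in packets if f == "S")
    if syns < min_syns:
        return False
    completed, _, _ = process_trace(packets)
    return completed / syns <= max_completion_ratio

def build_trace():
    """Constructed sample: three normal clients, 30 spoofed SYNs that are never
    acknowledged, one client refused during the flood, one served after it."""
    pkts = []
    for i in range(3):
        pkts += [(0.1 * i, f"192.0.2.{i + 1}", "S"),
                 (0.1 * i + 0.05, f"192.0.2.{i + 1}", "A")]
    pkts += [(1.0 + 0.01 * i, f"203.0.113.{i + 1}", "S") for i in range(30)]
    pkts += [(1.5, "192.0.2.9", "S"), (1.55, "192.0.2.9", "A")]
    pkts += [(4.5, "192.0.2.10", "S"), (4.55, "192.0.2.10", "A")]
    return pkts
```

Running `process_trace(build_trace())` shows the backlog filling to its limit, the client arriving mid-flood being refused, and the later client succeeding only after the unanswered half-open entries have timed out.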

It is possible to simulate such an attack on a small scale and then measure the ability of a web server to deliver web pages while the attack is ongoing.

Simulation

  1. Install scapy:

References

  1. https://javapipe.com/ddos-types – fairly unspecific list of different types of DDoS attacks
  2. Elleithy, Khaled M. et al. "Denial of Service Attack Techniques: Analysis, Implementation and Comparison." Journal of Systemics, Cybernetics, and Informatics 3.1 (2005): 66-71 – http://digitalcommons.sacredheart.edu/cgi/viewcontent.cgi?article=1053&context=computersci_fac
  3. Abliz (2011) – https://people.cs.pitt.edu/~mehmud/docs/abliz11-TR-11-178.pdf
  4. https://pdfs.semanticscholar.org/a964/2c05418b726298a22f0eacd7190f8725e136.pdf
  5. http://cys.ewi.tudelft.nl/sites/default/files/comnet.pdf
  6. https://www.amazon.co.uk/Internet-Denial-Service-Mechanisms-Networking/dp/0131475738/ref=sr_1_1?ie=UTF8&s=books&qid=1212642071&sr=8-1
  7. http://www.worldacademicunion.com/journal/1746-7233WJMS/wjmsvol12no03paper05.pdf
  8. http://opensourceforu.com/2011/10/syn-flooding-using-scapy-and-prevention-using-iptables/
  9. https://www.ijert.org/view-pdf/6903/on-a-recursive-algorithm-for-syn-flood-attacks
  10. SCAPY – http://techmightsolutions.blogspot.co.uk/2013/05/syn-flood-attack-using-scapy.html
  11. http://www.secdev.org/projects/scapy/
  12. https://github.com/arthurnn/SynFlood/blob/master/synflood
  13. http://www.securityfocus.com/advisories/1422
  14. http://www.cs.colostate.edu/~massey/Teaching/cs356/RestrictedAccess/Projects/Project2.html
  15. simulate java syn flood – https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=simulate+java+syn+flood&start=20
  16. http://jamesdotcom.com/?p=264
  17. http://security.stackexchange.com/questions/30191/tools-for-performing-http-flood-attack
  18. http://www.lovemytool.com/blog/2014/08/analyzing-arp-traffic-with-the-raspberry-pi-by-mike-pennachi.html
