Go Backindex

Denial of Service Attacks (DoS)


adapted from: www.europe.datafellows.com / Camillo Sars, F-Secure Crypto Research

 

DoS tools are programs that can be used to make denial of service attacks against any machine in the Internet - typically a web server.

Do note that as attacks of this type are not caused by viruses, Anti-Virus programs do not even attempt to protect against them.

 

Introduction

Denial of Service (DOS) Attacks are attacks on computer systems that aim to disrupt or terminate services provided by the systems. On the Internet, this usually means (repeatedly) crashing services or exhausting some limited resource. DOS attacks can often be performed over the network, and exploit security flaws that exist in the services.

Typical DOS attacks are:

Recently heavy DOS attacks have been described [1,2]. These attacks use a network of computers to distribute the attack sources over several network locations. These attacks are known as Distributed Denial of Service Attacks.

The most known Distributed DOS attack tools to date are called "trin00"[3,4] and "Tribe Flood Network" (TFN)[4].

 

Master-Slave Configuration

The attack tools for Distributed DOS attacks use a master-slave configuration. The slave processes are installed on a large number of compromised Internet hosts, where they report their successful installation to their master process. The master process thus collects a list of many compromised hosts running the slave process. The resulting master-slave network may include a large number of hosts in widely different network locations.

The slaves carry one or several DOS routines that can be invoked remotely by the master process. The master process can also control the targets and parameters for the attack. Some of the commands are password protected to prevent unauthorized activation or deactivation of the attacks.

Slave processes can be installed on virtually any suitable system, as the loss of a single slave process has very little effect on the overall performance of the network.

The master process can poll the status of its slave processes and keeps a list of known slaves. When the attacker connects to the master, a password is required before access is allowed. Once the correct password has been supplied, the attacker can issue commands to the master. The commands direct all the active slaves of the master process, so large-scale attacks can be launched and terminated very quickly.

Master processes are often carefully protected and installed on systems where detection is unlikely because of bad administration practices or heavy user activity.

An attacker can connect to a master process from virtually any Internet host, as the master accepts standard telnet-type connections. A single attacker may control several DOS master processes, giving instant access to huge numbers of slave processes.

 

Impact

Attacked systems will notice a huge increase in network traffic. Depending on the attack, the traffic may come from valid Internet addresses or from random addresses created by the slave processes.

If the attacked system is directly vulnerable to any DOS attacks performed by the slave processes, the system will crash or malfunction and cannot be reactivated without immediately crashing again.

If the attacked system does not crash from the attacks, its network capacity will quickly be exhausted. Reports indicate attack rates of several gigabits per second, which far exceed the capacity of most Internet sites.

 

Defense

If you are the target of a large distributed DOS attack, there is so far no good ways to defend yourself. Several well-known Internet sites have been completely cut off by DOS attacks recently, including Yahoo.com [5].

If the attack comes from the outside then you might defend your server by disallowing requests from the servers that put a strain on your bandwidth. By setting the threshold low for those connections (e.g. allowing a maximum numberof requests per minute) you will eventually be able to cut yourself free from the attacks.
The only other way is to migrate to a difference IP block all together, meaning all your customers have to change their site's DNS entries at their respective Domain Name Servers. But that is a worst case scenario and very rarely done.

If your systems have been compromised and attackers are running masters or slaves on your systems, you must take immediate action to fix the security holes that were used to compromise your system [2]. Your systems may be actively participating in DOS attacks as long as the processes exist.

The only way to completely eliminate this kind of attacks is to decrease the number of systems that can be compromised to a level that is too low for attackers to set up large distributed DOS networks.

 

 

Go Backindex Last Update 24 May, 2006 For suggestions please mail the editors 




Footnotes & References