DoS Attack


With the coming of the Internet age, information has grown exponentially, faster than anything mankind has ever seen before. More and more people are interconnected through the fabric of the Internet. Big firms and tech companies have understood this and tapped the market in their own unique ways, constantly sharing valuable or critical information when required. Because time and timing are of the essence in mission-critical operations, this has paved the way for rogue entities to use it to their own benefit. As businesses and organizations look to grow, the threats to those plans are growing exponentially as well.

Some of these threats are intentional, even state sponsored, aimed at sabotaging an industry, an organization or a country's reputation. At the same time there are rookies or unintended participants who unknowingly sit at the heart of an attack. In this document we discuss one of the most commonly found attacks, dubbed DoS. We will look into its mechanism, its types and the tools used. For the sake of understanding we keep our focus on intentional, target-specific attacks. We will also look at what can be done to prevent such attacks and briefly discuss some of the tools used to carry them out.

NOTE: The tools mentioned here are for educational purposes only and are to be used in controlled lab environments only. We do not promote the use of such tools for criminal activities.

What is a DoS Attack

DoS stands for Denial of Service. As the name suggests, it denies access to the e-services offered by an organization. During a DoS attack the target is flooded with a huge number of rogue requests, denying access to legitimate users. DoS attacks take advantage of a number of different vulnerabilities of a selected target. Buffer overflow vulnerabilities and other programming flaws can be exploited to cause a segmentation fault or other error that makes the target crash or become unresponsive.


For the sake of understanding, consider a scenario where our server is configured to serve a maximum of 5 requests per minute. An attacker who knows this continuously sends traffic to the server at that same rate, and the server gets overwhelmed. A user the server is currently serving gets very slow responses because of the volume of traffic the server is already processing. At the same time, another user is not able to use the service at all because the server has already reached its saturation level. The figures in this example are not real-world numbers; even a small home media server handles more requests per second. But the principle is the same: the attacker probes the threshold continuously to bring the server and its services down.

How a DoS Attack Works

A DoS attack is one where the attacker's intention is to exhaust the target's capacity by overwhelming or flooding the targeted machine with requests until normal traffic can no longer be processed, making the service unavailable to legitimate users. The defining characteristic of a DoS attack is that it is launched from a single source.

Unlike a virus, worm or other malware, a DoS attack does not depend on a special program running on and infiltrating the target to cause the outage. Instead, it takes advantage of an inherent vulnerability in the communication architecture of computer systems. Let's break it down further with the example below.

On a bright sunny day, when a user tries to access a website, the user types the URL into a web browser and hits Enter. Behind the scenes the user's device sends a "Hello" message to the server hosting that website. The server acknowledges the "Hello" and replies to the source device with "Hi, I am listening, are you?" When the user's machine receives the reply it knows the server is listening and acknowledges with "Yeah, I am listening, let's talk", and a connection is established. The user then sees the webpage and starts browsing. This is called the 3-way handshake, and it is the same mechanism the attacker tries to manipulate during a DoS attack. It is a core fundamental of the TCP/IP suite. We have discussed TCP/IP in more detail here.

Knowing this, the bad guy literally bombards the target with only the initial "Hello" messages. The unsuspecting target replies in good faith to each "Hello" and waits for the acknowledgement back. Each of these holds some resources on the server, reserved in anticipation of a legitimate user until the timer expires. The bad guy also eats a chunk of the server's Internet bandwidth. Now, when a legitimate user tries to access the same website, the connection is either slow or completely unresponsive depending on the severity of the attack. In another type of DoS attack the bad guy again bombards the target, this time with a forged source address. The server sends its replies to the forged IP, and since the resources allocated to the rogue requests overwhelm the server, legitimate users cannot access the services.
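The two patterns described above (one source sending only "Hello" messages and never the final acknowledgement, and the same flood with forged source addresses) leave a recognisable trace in traffic: handshakes that never complete. The following Python is an added example written for this page, not code from the original article. It builds constructed packet records in tcpdump flag notation ("S" for the initial Hello, "S." for the server's reply, "." for the client's final acknowledgement), counts half-open connections per source, and applies two defender-side checks: a per-source threshold for the single-origin case and a whole-traffic ratio for the forged-source case. All addresses are from documentation ranges and the thresholds are assumed values for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One simplified TCP packet record: timestamp, source IP, destination IP
    and flags in tcpdump notation ("S" SYN, "S." SYN-ACK, "." ACK)."""
    ts: float
    src: str
    dst: str
    flags: str


# Constructed sample traffic; every address is from a documentation range.
SERVER = "203.0.113.10"


def handshake(ts, client, server):
    """Full 3-way handshake: Hello, Hi-I-am-listening, Yeah-let's-talk."""
    return [Packet(ts, client, server, "S"),
            Packet(ts + 0.001, server, client, "S."),
            Packet(ts + 0.002, client, server, ".")]


def half_open(ts, client, server):
    """Handshake that never completes: the client's final ACK is missing."""
    return [Packet(ts, client, server, "S"),
            Packet(ts + 0.001, server, client, "S.")]


# Scenario 1: two real users plus one source firing 50 Hellos and never answering.
SINGLE_SOURCE_FLOOD = (handshake(0.0, "10.0.0.5", SERVER)
                       + handshake(0.5, "10.0.0.6", SERVER)
                       + [p for i in range(50)
                          for p in half_open(1.0 + i * 0.01, "198.51.100.7", SERVER)])

# Scenario 2: one real user plus 100 Hellos, each from a different forged source.
SPOOFED_FLOOD = (handshake(0.0, "10.0.0.5", SERVER)
                 + [p for i in range(1, 101)
                    for p in half_open(1.0 + i * 0.01, f"192.0.2.{i}", SERVER)])


def syn_stats(packets, server):
    """Return (syn_count, half_open_count) per source for traffic into `server`.

    Simplification (assumed): connections are matched per source IP rather
    than per (IP, port) tuple, which is enough to show the pattern.
    """
    syn = defaultdict(int)
    ack = defaultdict(int)
    for p in packets:
        if p.dst != server:
            continue                      # only inbound traffic matters here
        if p.flags == "S":
            syn[p.src] += 1
        elif p.flags == "." and ack[p.src] < syn[p.src]:
            ack[p.src] += 1               # an ACK completes one pending SYN
    half_open_counts = {src: syn[src] - ack[src] for src in syn}
    return dict(syn), half_open_counts


def flag_flood_sources(half_open_counts, threshold=20):
    """Sources holding at least `threshold` half-open connections: the
    single-origin pattern a border device can block outright."""
    return sorted(src for src, n in half_open_counts.items() if n >= threshold)


def spoofed_flood_suspected(syn, half_open_counts, min_syns=50, ratio=0.9, per_source=20):
    """Forged-source floods spread the Hellos thinly, so no single source trips
    the per-source rule; instead look at the fraction of all SYNs that never
    completed, provided there is enough traffic to judge."""
    total = sum(syn.values())
    pending = sum(half_open_counts.values())
    if total < min_syns or max(half_open_counts.values(), default=0) >= per_source:
        return False
    return pending / total >= ratio


if __name__ == "__main__":
    for name, traffic in (("single-source", SINGLE_SOURCE_FLOOD), ("spoofed", SPOOFED_FLOOD)):
        s, h = syn_stats(traffic, SERVER)
        print(name, "flagged:", flag_flood_sources(h), "spoofed:", spoofed_flood_suspected(s, h))
```

The per-source rule catches the first scenario and the ratio rule the second; in the spoofed case there is no single address to block, which is why the prevention section below leans on border filtering and upstream protection rather than on blocking individual sources.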

The first DoS attack was carried out by 13-year-old David Dennis in 1974. Dennis wrote a program using the "external" or "ext" command that forced some computers at a nearby university research lab to power off.

With technological advancements, smart people have come up with ways to stop DoS attacks. Almost all basic SMB or enterprise-grade network devices, including even most home Wi-Fi routers, have the capacity to deny a DoS attack. Now that we have learnt how to deny or prevent a DoS attack, the rogue actors have found ways to still bombard targets with overwhelming queries, using an attack type called DDoS. It is a sophisticated form of DoS attack, far more dangerous and target-specific. We have discussed DDoS attacks in more detail here.

Types of DoS attack

Knowing what a DoS attack does, we can categorize DoS attacks into 2 main categories.

  • Flooding
  • Buffer overflow

Flooding

The attacker floods the target with a huge number of packets, which congests the network link. The attacker tries to consume the target's bandwidth to its peak. These rogue service requests are illegitimate and carry fabricated return addresses, which mislead the server when it tries to authenticate the requester. By saturating a targeted server with an overwhelming number of packets, a malicious actor can oversaturate the server's capacity, resulting in denial of service. For most DoS flood attacks to be successful, the malicious actor must have more available bandwidth than the target.

Buffer overflow

A buffer overflow can cause a machine to consume all available hard disk capacity, memory or CPU time. This form of exploit often results in sluggish behaviour, system crashes or other deleterious server behaviours, resulting in denial of service.

Preventing a DoS Attack

As the old wise folks say, prevention is better than cure. This holds true for cyber-attacks. We should learn from our own and others' mistakes, from the pitfalls we encounter, in order to overcome them and stay strong as a community. As cyber security professionals, we should stay vigilant about trends, and report and provide solutions to issues and vulnerabilities in a timely manner.

  • As a basic rule of thumb, know your network infrastructure. Learn which applications run in the environment and their requirements and relevance to the network topology.
  • Configure your network routers and firewall to reject rogue traffic. This limits inbound traffic to the protocols legitimately used by applications within the organization's network and blocks any other traffic at the network border. Enterprise-grade products can identify and block single-origin attacks as soon as they begin.
  • Keep Internet-facing devices updated with the latest firmware and patches recommended by the OEM, as they are your first line of defence.
  • Look for service providers who offer DoS prevention as a service. There are many inline and online solution providers, in other words providers of on-premise and cloud-based DoS protection.
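The "5 requests per minute" scenario from the start of this article and the second bullet above (reject rogue traffic at the border, block single-origin attacks as they begin) can be demonstrated together in a small simulation. The Python below is an added example written for this page, not code from the original article. It models a toy server with a global budget of 5 requests per 60 seconds and runs the same constructed traffic twice: once with no per-source limit, where one client spends the whole budget and the legitimate user is turned away, and once with an assumed per-source cap of 2 requests per window, where the flooding client is cut off before it can exhaust the server. Addresses and the cap value are assumptions for illustration.

```python
from collections import defaultdict, deque


class Server:
    """Toy server with a fixed global capacity of `capacity` requests per
    `window` seconds (5 per minute, as in the scenario above). An optional
    per-source cap models a border rule that stops any one client from
    consuming the whole budget."""

    def __init__(self, capacity=5, window=60.0, per_source_cap=None):
        self.capacity = capacity
        self.window = window
        self.per_source_cap = per_source_cap
        self.served = deque()                 # timestamps of all served requests
        self.per_source = defaultdict(deque)  # timestamps served, per source IP

    def _expire(self, queue, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while queue and now - queue[0] >= self.window:
            queue.popleft()

    def handle(self, now, src):
        """Return 'served', 'rejected:source-limit' or 'rejected:overloaded'."""
        self._expire(self.served, now)
        own = self.per_source[src]
        self._expire(own, now)
        # Per-source check first: a capped client is dropped cheaply, before
        # it can take a slot from the shared budget.
        if self.per_source_cap is not None and len(own) >= self.per_source_cap:
            return "rejected:source-limit"
        if len(self.served) >= self.capacity:
            return "rejected:overloaded"
        self.served.append(now)
        own.append(now)
        return "served"


# Constructed traffic: one source fires five requests in the first five
# seconds (exactly the server's budget), a legitimate user arrives at t=10 s
# and tries again a minute later.
ATTACKER, LEGIT = "198.51.100.7", "10.0.0.5"
TRAFFIC = [(float(t), ATTACKER) for t in range(5)] + [(10.0, LEGIT), (70.0, LEGIT)]


def run(server, traffic):
    """Feed the traffic through the server and return (source, outcome) pairs."""
    return [(src, server.handle(ts, src)) for ts, src in traffic]


def outcomes_for(server, traffic, source):
    """Outcomes seen by one source, in arrival order."""
    return [result for src, result in run(server, traffic) if src == source]


if __name__ == "__main__":
    print("no per-source cap:", outcomes_for(Server(), TRAFFIC, LEGIT))
    print("cap of 2 per source:", outcomes_for(Server(per_source_cap=2), TRAFFIC, LEGIT))
```

Without the cap the legitimate user is rejected at t=10 s and only served once the attacker's requests age out of the window; with the cap, the attacker's third and later requests are refused and the legitimate user is served both times. This is the single-origin case the article defines as DoS; once the flood arrives with forged or many source addresses, per-source limits lose their grip, which is where the border filtering and the on-premise or cloud-based protection from the bullets above come in.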

Tools for DoS Attack

NOTE: The tools mentioned here are for educational purposes only and are to be used in controlled lab environments only. We do not promote the use of such tools for criminal activities.


Unavailability of services can seriously impact an organization's reputation. The most common targets of a DoS attack are IT, telecom, e-commerce and government organizations. Consider yourself a customer of a bank trying to access its e-banking services and finding them unavailable, or trying to book a hotel reservation or an airline ticket to your favourite destination while the travel agency's or airline's website is down. The business has lost a potential customer, and there could be thousands of others who faced the same. From a business or organization perspective this is a direct loss of revenue and reputation, caused by frustration and a rising sense of unease among users about their data. An attack on an infrastructure can severely impact its potential growth. As network security professionals, we should use every tool at our disposal to prevent such attempts on the infrastructure we protect. No network is 100% foolproof against attacks, but we can track the trends and create mitigation and restoration plans to keep services up and minimize downtime.
