Denial of service
A denial-of-service (DoS) attack is an attempt to make a computer system or network service unavailable to its legitimate users. Motives vary: some recent attacks have been used for blackmail, in the manner of a protection racket, and in some circumstances an attack resembles picketing, a form of protest. Perpetrators can generate a DoS attack in a number of ways. Three basic areas of attack exist:
- the consumption of limited resources, such as bandwidth, disk space or CPU time
- alterations to configuration information, such as routing information or registry entries
- the physical disruption of networking components
The smurf attack is one particular variant of a DoS attack on the public Internet. It relies on mis-configured networks whose routers forward, and whose hosts answer, ICMP echo requests sent to the network's broadcast address. The attacker sends large numbers of such requests with a forged source address set to that of the intended victim (an IRC server, for example); every host on the mis-configured "amplifier" network then replies to the victim, so each request the attacker sends is multiplied many times over. To combat denial-of-service problems on the Internet, services like the Smurf Amplifier Registry give network service providers the ability to identify mis-configured networks and to take appropriate action, such as filtering or disabling the forwarding of directed broadcasts.
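The following is an added example, not code from the original article, showing how the two sides of a smurf attack look in a packet log. The packet records are constructed for illustration, and LOCAL_NETWORKS is an assumed list of the networks whose directed-broadcast addresses the inspecting router is responsible for. On the amplifier side it flags echo requests arriving from outside a network but addressed to that network's broadcast address (the packets a well-configured border should drop); on the victim side it flags destinations that are receiving echo replies from many distinct hosts at once.

```python
"""Spot smurf amplification traffic in a packet log.

Added example, not from the original article. The packet records below are
constructed for illustration, and LOCAL_NETWORKS is an assumed list of the
networks whose directed-broadcast addresses this router is responsible for.
"""
import ipaddress

# Assumption: networks this router serves; their broadcast addresses are the
# amplification targets an attacker would aim at.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed records: (source, destination, protocol, icmp_type or None).
PACKETS = [
    ("203.0.113.7", "192.0.2.255", "icmp", ECHO_REQUEST),     # forged source, directed broadcast
    ("203.0.113.7", "198.51.100.127", "icmp", ECHO_REQUEST),  # same, second amplifier network
    ("192.0.2.10", "192.0.2.20", "icmp", ECHO_REQUEST),       # ordinary ping between two hosts
    ("192.0.2.10", "192.0.2.255", "icmp", ECHO_REQUEST),      # inside host pinging its own broadcast
    ("203.0.113.9", "192.0.2.255", "udp", None),              # not ICMP, not a smurf request
    ("192.0.2.55", "203.0.113.7", "icmp", ECHO_REPLY),        # amplifier hosts answering the victim
    ("192.0.2.56", "203.0.113.7", "icmp", ECHO_REPLY),
    ("198.51.100.3", "203.0.113.7", "icmp", ECHO_REPLY),
    ("192.0.2.20", "192.0.2.10", "icmp", ECHO_REPLY),         # reply to the ordinary ping
]


def is_amplification_request(src, dst, proto, icmp_type, networks=LOCAL_NETWORKS):
    """True for an ICMP echo request aimed at one of our directed-broadcast
    addresses from a source outside that network. This is the packet an
    amplifier network should refuse to forward (or never answer)."""
    if proto != "icmp" or icmp_type != ECHO_REQUEST:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in networks:
        if d == net.broadcast_address:
            # A host inside the network may legitimately ping its own broadcast.
            return s not in net
    return False


def amplification_requests(packets, networks=LOCAL_NETWORKS):
    """Return the (src, dst) pairs of packets that should be dropped at the border."""
    return [(s, d) for s, d, p, t in packets if is_amplification_request(s, d, p, t, networks)]


def likely_victims(packets, min_sources=3):
    """Victim-side view: destinations receiving echo replies from at least
    min_sources distinct hosts. Replies converging on one address from many
    hosts are the signature a smurf victim (or its upstream) sees."""
    sources = {}
    for src, dst, proto, icmp_type in packets:
        if proto == "icmp" and icmp_type == ECHO_REPLY:
            sources.setdefault(dst, set()).add(src)
    return {dst: len(hosts) for dst, hosts in sources.items() if len(hosts) >= min_sources}


if __name__ == "__main__":
    print("drop at border:", amplification_requests(PACKETS))
    print("possible victims:", likely_victims(PACKETS))
```

Note that the victim-side check cannot identify the attacker: the replies really do come from the amplifier hosts, and the forged source address in the original requests is the victim's own. What it does give you is the list of amplifier networks to report, which is exactly the information registries like the one above collect.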
The symptoms of a DDoS attack resemble the "Slashdot effect", in which a website receives a sudden spike in traffic that its server cannot handle because a popular website has linked to it; the difference is that the Slashdot effect is not malicious.
Distributed Denial of Service Attacks
A distributed denial of service, or DDoS, is a coordinated attack from multiple sources. It is easily executed on a large network and can be frighteningly effective. A DDoS can be thought of as an advanced form of a traditional DoS attack: instead of one attacker flooding a target with traffic, numerous machines are used in a multi-tiered "master-slave" configuration.
The process is relatively simple. A cracker breaks into a large number of Internet-connected computers (often using automated software known as an autorooter) and installs a DDoS software package (of which there are several variations). The DDoS software allows the attacker to remotely control the compromised computer, thereby making it a "slave". From a "master" device, the cracker can inform the slaves of a target and direct the attack. Thousands of machines can be controlled from a single point of control. Start time, stop time, target address and attack type can all be communicated to the slave computers from the master machine via the Internet. Devoted to this one purpose, a single machine can generate traffic on the order of megabits per second; several hundred machines can generate gigabits per second. With this in mind, it's easy to see how devastating this sudden flood of activity can be for virtually any target.
The network exploit techniques vary. With enough machines participating, any type of attack will be effective: ICMP echo requests directed at a broadcast address (the smurf attack), bogus HTTP requests, fragmented packets, or simply random traffic. The target eventually becomes so overwhelmed that it crashes, or its quality of service becomes worthless. An attack can be directed at any networked device: routers (effectively taking an entire network offline), servers (web, email, DNS) or specific machines (firewalls, IDS).
But what makes a DDoS difficult to deal with? Obviously the sudden, rapid flood of traffic will catch the eye of any competent administrator (if the ringing phone and beeping pager don't!). Unfortunately, though, much of this traffic will likely be spoofed, that is, sent with forged source addresses that hide its true origin. Inspecting these packets yields little information other than which router delivered them (your upstream router). This means there is no obvious rule that will let the firewall block the attack: the traffic often looks legitimate and can appear to come from anywhere.
So what's left to do? Not much, other than to start an extremely frustrating process: the DDoS investigation. Each step up the chain of routers that handled the malicious traffic before it reached your network brings a new set of administrative contacts: more phone calls must be made, panic emails sent and packet captures analyzed. It is very time consuming, and the pressure is amplified by the fact that the network or machine is down the whole time. Given that the slaves can be located anywhere in the world, the sad truth is that a DDoS flood more often ends at the attacker's whim than through any action taken by the targeted system's administrator.
That said, there are steps that can be taken to mitigate the effects of a DDoS attack. As mentioned above, the first thing to start is the investigative process. Determine which core router (a router that handles Internet backbone traffic) is passing the packets to your border router (the router that connects your network to the Internet). Contact the owners of the core router, likely a telecom company or your ISP, and inform them of the problem. Ideally, they will have a process in place that can expedite your request for help. They, in turn, need to determine where the malicious traffic enters their network and contact the source. By that point, it's out of your hands. So what can be done in the meantime?
Since it's not likely that you'll be able to stop the DDoS flood quickly, there are a few steps which might help mitigate the attack temporarily. If the target is a single machine, a simple IP address change can end the flood: the new address can be updated on internal DNS servers and given to a few crucial external users. It's not an elegant solution, but it is a quick one that works, as long as the attack is aimed at the address rather than at a public DNS name that you then have to keep pointing at the new machine. This is especially useful for key servers (e.g. email or database) under attack on your network.
There is a chance that filtering can help. If the attack is unsophisticated, the traffic may carry a specific signature: a careful examination of captured packets sometimes reveals a trait (a fixed packet size, TTL, port or flag combination, for instance) on which you can base either router ACLs (access control lists) or firewall rules. Additionally, a large share of the traffic may arrive through a specific provider or core router. If that's the case, you might consider temporarily blocking all traffic from that source, which should allow the remaining legitimate activity through. Keep in mind, however, that you will also be blocking "real" packets, that is, legitimate traffic from that source, but this may be an unavoidable sacrifice.
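As an added example (not code from the original article), the following script does the "careful examination" mechanically: it compares a capture of the flood against a baseline capture of normal traffic, looks for a header trait that almost all flood packets share but almost no legitimate packets do, and renders it as an iptables rule. FLOOD and BASELINE are constructed packet summaries; the field names, and the "via" field recording which upstream router delivered each packet, are assumptions about what your capture tooling provides. Source addresses are deliberately not used for the "which provider" question, since under spoofing they mean nothing; the ingress router does.

```python
"""Look for a filterable trait in a flood capture and turn it into a rule.

Added example, not from the original article. FLOOD and BASELINE are
constructed packet summaries (a real capture would come from tcpdump or a
router's sampling). The field names, and the "via" field naming the upstream
router each packet arrived from, are assumptions about the capture format.
"""
from collections import Counter

# Constructed flood: 40-byte SYNs to port 80 from forged sources with assorted
# TTLs; 70% of it arrives through one upstream router.
FLOOD = [
    {"src": "203.0.113.%d" % i, "dport": 80, "ttl": 32 + i, "length": 40,
     "flags": "SYN", "via": "upstream-a" if i % 10 < 7 else "upstream-b"}
    for i in range(1, 21)
]

# Constructed baseline of legitimate traffic recorded before the attack.
BASELINE = [
    {"src": "192.0.2.%d" % i, "dport": 80 if i % 3 else 443, "ttl": 64,
     "length": 1500 if i % 4 else 60, "flags": "SYN" if i % 5 == 0 else "ACK",
     "via": "upstream-a" if i % 2 else "upstream-b"}
    for i in range(1, 21)
]

# Header traits that a router ACL or firewall can match on.
FIELDS = ("dport", "ttl", "length", "flags")


def prevalence(packets, field):
    """Fraction of packets carrying each value of `field`."""
    counts = Counter(p[field] for p in packets)
    return {value: n / len(packets) for value, n in counts.items()}


def find_signature(flood, baseline, min_cover=0.9, max_collateral=0.05):
    """Pick the (field, value) that matches at least min_cover of the flood but
    at most max_collateral of normal traffic, preferring the least collateral
    damage. Returns None when nothing separates the flood from legitimate
    packets, which is the case the article warns about."""
    best = None
    for field in FIELDS:
        flood_share = prevalence(flood, field)
        base_share = prevalence(baseline, field)
        for value, cover in flood_share.items():
            collateral = base_share.get(value, 0.0)
            if cover >= min_cover and collateral <= max_collateral:
                candidate = (collateral, -cover, field, value)
                if best is None or candidate < best:
                    best = candidate
    return None if best is None else (best[2], best[3])


def iptables_rule(field, value, chain="INPUT"):
    """Render the signature using real iptables match syntax."""
    match = {
        "dport": "-p tcp --dport %s" % value,
        "ttl": "-m ttl --ttl-eq %s" % value,
        "length": "-m length --length %s" % value,
        "flags": "-p tcp --tcp-flags ALL %s" % value,
    }[field]
    return "iptables -A %s %s -j DROP" % (chain, match)


def ingress_shares(packets):
    """Share of packets per delivering upstream router, most common first.
    This, not the (forged) source address, tells you which provider to call
    and which link you could temporarily block as a last resort."""
    counts = Counter(p["via"] for p in packets)
    return [(via, n / len(packets)) for via, n in counts.most_common()]


if __name__ == "__main__":
    sig = find_signature(FLOOD, BASELINE)
    print("signature:", sig)
    if sig is not None:
        print(iptables_rule(*sig))
    print("ingress:", ingress_shares(FLOOD))
```

On the constructed data the destination port and SYN flag are rejected because legitimate traffic also carries them, the TTL is rejected because the forged sources scatter it, and the fixed 40-byte length is the one trait that separates the flood cleanly. The thresholds are deliberately strict; loosening max_collateral is the same decision the article describes as an unavoidable sacrifice, made explicit as a number.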
A final option, one that might be available to larger companies and networks, is to throw more hardware or bandwidth at the flood and wait it out. Again, it's neither the best solution nor the least expensive one, but it may provide a temporary fix nevertheless.
It's important to stress that the investigative process should begin immediately. Without a doubt, there will be multiple phone calls, call backs, emails, pages and faxes between your organization, your provider and others involved. It's a time consuming process, so get the ball rolling. It's taken some very large networks with plenty of resources several hours to halt a DDoS, so plan accordingly.