[NTLUG:Discuss] DoS attacks
Mike
just_mike_y at yahoo.com
Wed Jan 22 21:19:54 CST 2003
> Correctly speaking, a DOS (Denial Of Service) attack is
> when one computer tries to shut out another by sending it
> a bunch of junk to deal with.
Denial of Service expanded WAY beyond junk.
My understanding of DoS is that it exploits a weakness in the
basic TCP/IP protocol: TCP/IP doesn't validate whether
packets actually originate from where the packets SAY they
originate from. Denial of service attacks consist of IP
packets that tell a server "Hey, I have a bunch of stuff
for you from IP x.x.x.x!" when they don't actually
originate from that IP number. Those messages may say "I've
got email for you", or "I have HTML", or "telnet session
starting from", etc. The attack is to spoof (to lie about)
the originating IP number inside the packet.
The attacked server then tries to contact IP number x.x.x.x
with a message "OK, send me those packets."
The real IP number x.x.x.x may ignore this request, may not
exist, or says "You're crazy, I've got no packets for you, go
away." The "I've got no packets for you" message is where
the 'denial of service' name comes from... this error
message in early days of ARPANET contained those words in
IP logs. (It may still... I don't read IP transmission
logs.) Getting a 'denial of service' error opens the port
back up quickly; this won't kill the server. The other two
failures are what drag down the server... there is
normally an allowed amount of time (in WHOLE seconds: 30,
60, 90, etc.) before the attacked server decides no one's
going to answer and moves on. When you get one or two of
these, no problem. In fact these are normal for a server in
low numbers, due to normal transmission errors, people
terminating pages before they finish downloading, etc.
When a server has 30,000 processes waiting to hear from
IPs that don't exist, it runs out of open ports to talk to
IPs that do exist. That's how the denial of service attack
kills a server.
DoS attacks (non-distributed) can be detected by watching
where IPs actually originate from and what IPs are being
waited for. If there is a build-up of a single (block of)
IPs in either category, a good firewall program will kill
those processes on the fly and temporarily ignore the
offending origination points.
Distributed DoS attacks are similar because they spoof the
originating IP number in packets. Instead of hitting a
single server with many packets containing random bogus IP
numbers, the attack starts by hitting many different
servers with packets containing the same IP number. The
attack is actually against the server that owns the IP
number in all these packets. Poor IP x.x.x.x suddenly gets
requests from all over for stuff it doesn't have and has to
issue zillions of "You're crazy, go away" type messages.
These don't take long to do, but DDoS attacks will make
many more requests than plain DoS attacks, meaning that
millions of requests a second are being brought to the
attacked server from all over the globe. The sheer number
of requests that have to be denied overloads the server or
the bandwidth to the server. From the attacked server's point
of view, distributed attacks are ACTUALLY coming from many
IPs; there is no single heap of numbers to trigger that an
attack is going on. The server just starts grinding to a
halt, having to use bandwidth telling all those bogus
requests to go away.
The best defense mechanism (in the article I'm summarizing
here) was to stop responding to bogus requests when the
server hits a critical percentage of bogus requests to real
requests. That is, IF, of the last 500 requests, over say 50%
are bogus, start acting like you aren't there for bogus
requests. This keeps your server up longer because it opens
ports up faster, but causes major issues with innocent
folks' servers, since they have to 'time out' those
processes instead of hearing your server's 'denial' and
moving on. Intentionally ignoring requests is a violation
of TCP/IP. But then, so is spoofing IP addresses in
packets. Point is, if your server stays in overload a lot,
and is ignoring other servers a lot, it will eventually
start getting ignored by other locations.
I used to have a bookmark that did a better job explaining
this, along with the best defensive measures, much more
expanded. This was several reloads ago. I'm scrambling
some of it up a little, I'm sure. If anyone wants to fill
in blanks, thanks. If anyone has the link I've lost, please
post it. I'm not serving these days, but it was something
I intended to keep in my checklist of things to do to
defend a server.
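The behaviour Mike describes above (a server holding slots open for whole seconds waiting on sources that never answer, a firewall that kills and temporarily ignores a block of addresses that piles up, and the "over 50% bogus, go silent" ratio rule) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from Mike's post or from the article he is summarizing. The table size, timeouts, thresholds, the crude /24 grouping and the event stream (RFC 5737 documentation addresses plus 10.0.0.0/8) are all constructed for illustration; the ratio rule is interpreted as "stop queueing new requests while the recent bogus fraction is too high", since a server cannot tell a spoofed request from a real one at the moment it arrives.

```python
"""Toy model of a half-open connection table and the two heuristics the post
describes. Added example; addresses, thresholds and events are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int = 6          # slots the server will wait on at once (kept tiny here)
    timeout: float = 30.0      # seconds before a waiting entry is abandoned
    block_limit: int = 3       # waiting entries from one /24 before that block is ignored
    ban_seconds: float = 60.0  # how long an offending /24 stays ignored ("temporarily")
    window: float = 30.0       # seconds of recent outcomes considered by the ratio rule
    min_samples: int = 4       # outcomes needed before the ratio rule may fire
    bogus_ratio: float = 0.5   # post: "over say 50% are bogus" -> act like you aren't there
    pending: dict = field(default_factory=dict)     # (src, port) -> arrival time
    outcomes: deque = field(default_factory=deque)  # (time, "real" | "bogus")
    banned: dict = field(default_factory=dict)      # /24 key -> time it was banned
    dropped: int = 0                                # requests we refused to queue

    @staticmethod
    def block(src: str) -> str:
        return src.rsplit(".", 1)[0]   # crude /24 key, e.g. "203.0.113" (hypothetical grouping)

    def expire(self, now: float) -> None:
        """Give up on stale half-open entries; age out old outcomes and bans."""
        for key, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[key]
                self.outcomes.append((now, "bogus"))   # nobody ever answered: bogus
        while self.outcomes and now - self.outcomes[0][0] > self.window:
            self.outcomes.popleft()
        for blk, t0 in list(self.banned.items()):
            if now - t0 >= self.ban_seconds:
                del self.banned[blk]

    def overloaded(self) -> bool:
        """Ratio rule: too many recent requests turned out to be bogus."""
        if len(self.outcomes) < self.min_samples:
            return False
        bogus = sum(1 for _, kind in self.outcomes if kind == "bogus")
        return bogus / len(self.outcomes) > self.bogus_ratio

    def syn(self, now: float, src: str, port: int) -> str:
        """A new request arrives claiming to come from src:port."""
        self.expire(now)
        blk = self.block(src)
        if blk in self.banned:
            self.dropped += 1
            return "ignored"
        waiting = [k for k in self.pending if self.block(k[0]) == blk]
        if len(waiting) >= self.block_limit:
            # Build-up from one block: kill its waiting entries and ignore it for a while.
            for key in waiting:
                del self.pending[key]
            self.banned[blk] = now
            self.dropped += 1
            return "ignored"
        if len(self.pending) >= self.capacity or self.overloaded():
            self.dropped += 1
            return "dropped"   # no free slot, or the server is "acting like it isn't there"
        self.pending[(src, port)] = now
        return "waiting"

    def ack(self, now: float, src: str, port: int) -> str:
        """The claimed source really answered, so the request was genuine."""
        self.expire(now)
        if self.pending.pop((src, port), None) is None:
            return "stale"
        self.outcomes.append((now, "real"))
        return "established"


def run_scenario(table=None) -> list:
    """Replay a constructed event stream; return (time, source, result) rows."""
    table = table if table is not None else HalfOpenTable()
    events = [("syn", 0.0, "192.0.2.10", 40000), ("ack", 0.1, "192.0.2.10", 40000),
              ("syn", 1.0, "192.0.2.11", 40001), ("ack", 1.1, "192.0.2.11", 40001)]
    events += [("syn", 2.0, f"203.0.113.{i}", 1000 + i) for i in range(1, 5)]  # one block piles up
    events += [("syn", 3.0, "203.0.113.5", 1005)]                                # block now ignored
    events += [("syn", 5.0, f"10.0.{i}.1", 2000 + i) for i in range(1, 7)]       # scattered spoofs fill table
    events += [("syn", 6.0, "192.0.2.12", 40002),    # real client: no slot left
               ("syn", 40.0, "192.0.2.12", 40002),   # retry: slots freed, but ratio rule says go silent
               ("syn", 40.5, "203.0.113.9", 1009),   # ban still in force
               ("syn", 75.0, "192.0.2.12", 40002),   # window and ban aged out, service resumes
               ("ack", 75.1, "192.0.2.12", 40002)]
    rows = []
    for kind, t, src, port in events:
        result = table.syn(t, src, port) if kind == "syn" else table.ack(t, src, port)
        rows.append((t, src, result))
    return rows


if __name__ == "__main__":
    for t, src, result in run_scenario():
        print(f"{t:6.1f}  {src:<14} {result}")
```

Running it shows the trade-off Mike mentions: the single-block rule catches 203.0.113.0/24 on the fourth request, but the scattered spoofs still fill the table, and once they time out the ratio rule drops the legitimate retry from 192.0.2.12 at t=40 as well; only after the window ages out does that client get through. Modern kernels avoid filling the half-open table in the first place with SYN cookies (on Linux, `net.ipv4.tcp_syncookies`), which is not something the post covers but is the first thing to check on a server today.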