[NTLUG:Discuss] DoS attacks

MadHat madhat at unspecific.com
Thu Jan 23 08:11:08 CST 2003


On Wed, 2003-01-22 at 21:19, Mike wrote:
> > Correctly speaking, a DOS (Denial Of Service) attack is
> > when one computer tries to shut out another by sending it
> > a bunch of junk to deal with. 
> 

There are many kinds of DoS attacks and while Mike explained them, they
were jumbled up a bit.  

I try to clarify a few points below by picking nits. ;)

It's called a Denial of Service attack, because it denies anyone from
being able to use a particular service.

> Denial of Service expanded WAY beyond junk. 
> 
> My understanding of DoS is that it exploits a weakness in 
> basic TCPIP protocol: TCPIP doesn't validate whether  
> packets actually originate from where the packets SAY they 
> originate from.  Denial of service attacks consist of IP 
> packets that tell a server  'hey,  I have a bunch of stuff 
> for you from ip x.x.x.x ! ' when they don't actually 
> originate from that IP number. Those messages may say "i've 
> got email for you, or " i have html", or " telnet session 
> starting from", etc.. The attack is to spoof (to lie about) 
> the originating i.p number inside the packet.
> 
> The attacked server then tries to contact  IP number x.x.x.x 
> with a message 'ok send me those packets.' 

If it is using the TCP protocol, then this would be like a SYN flood. 
TCP uses a 3 way handshake to initialize the connection between 2
servers.  The client sends a SYN (synchronize), the server responds with
a SYN-ACK, (synchronize and acknowledge), then the client ACKs
(acknowledges) the server's sync request and they are ready to transfer
data back and forth.  A SYN flood is one type of DoS where the server
gets a bunch of SYNs from Bogus IPs and tries to respond to them all.

This usually takes out a whole box and is easy to do because you do not
have to generate a lot of traffic, bandwidth wise.

<SNIP>

> DoS attacks (non-distributed) can be detected by watching 
> where IP's actually originate  from and what IP's are being 
> waited for.  If there is a build up of a single (block of) 
> IP's in either category, a good firewall program will kill 
> those processes on the fly and temporarily ignore the 
> offending origination points. 

As for blocking by IP, this is only true for targeted attacks on a
particular service.  A true and good SYN flood cannot be blocked
because all the packets are spoofed and you have no idea where it is
really coming from.  It can also be used as a smoke screen to hide other
activities, if used properly.


> Distributed DoS attacks are similar because they spoof 
> originating IP number in packets. Instead of hitting a 
> single server with many packets containing random bogus IP 
> numbers, the attack starts by hitting many different 
> servers with packets containing the same IP number.   The 
> attack is actually against the server that owns the IP 
> number in all these packets. Poor IP x.x.x.x suddenly gets 
> requests from all over for stuff it doesn't have and has to 
> issue zillions of "you're crazy, go away" type messages. 
> These don't take long to do, but DDoS attacks will make 
> many more requests than plain DoS attacks, meaning that 
> millions of requests a second are being brought to the 
> attacked server from all over the globe. The sheer number 
> of requests that have to be denied overloads the server or 
> bandwidth to the server.  From the attacked servers point 
> of view, distributed attacks are ACTUALLY coming from many 
> IP's, there is no single heap of numbers to trigger that an 
> attack is going on, the server just starts grinding to a 
> halt having to use bandwidth telling all those bogus 
> requests to go away.  
> 

Whether or not an attack is distributed is not really relevant, except
in how to protect yourself.  

The other type of DoS attack is touched above as well.  This is a
starvation of resources DoS attack.  This can be distributed or not, but
is different from a SYN flood because all the requests are real and go
through a full 3-way handshake in most cases.  In this case, attackers
usually target one service, like HTTP.  They set up a bunch of clients to
make a large number of requests as quickly as they can.  The idea is to
make the box crawl to a halt trying to answer all the requests.  This is
going to eat up CPU and memory and not as much on the connections.   The
problem here is it is difficult to tell which ones are the real clients
and which ones are the DoS attackers because it looks like regular
requests.

There are a limited number of connections most boxes can handle.   If it
is distributed, or they have a really big pipe, then they can eat up all
the bandwidth, but this is going to affect the server, and it is going to
affect the upstream routers in most cases.

SYN floods are not as effective as they once were because most OSs have
SYN flood protections built in.  There are some devices that still see
problems with it, and of course if you can generate enough, anything can
fall over.

> The best defense mechanism (in the article i'm summarizing 
> here) was to stop responding to bogus requests when the 
> server hits a critical percentage of bogus requests to real 
> requests.  That is, IF of last 500 requests, over say 50% 
> are bogus, start acting like you aren't there for bogus 
> requests. This keeps your server up longer because it opens 
> ports up faster, but causes major issues with innocent 
> folks servers, since they have to 'time out' those 
> processes instead of hearing your server's 'denial' and 
> moving on. Intentionally ignoring requests is a violation 
> of TCPIP.  But then, so is spoofing IP addresses in 
> packets. Point is, if your server stays in overload a lot, 
> and is ignoring other servers alot,  it will eventually 
> start getting ignored by other locations. 

TCPIP is misleading, IP is the overlying protocol (at layer 3), not an
application layer protocol (on layer 4), which is what the DoS attacks
usually are coming in on.   TCP and UDP are the 2 most common.  ICMP is
another and is what is used for your basic ping, and can also be used
for an ICMP flood similar to a SYN flood.  TCP will be attacked by real
hosts or using SYN floods.  UDP is a different beast as it is a
stateless protocol and easier to spoof packets on and hence easier to
set up a DoS attack.  But once again, basic "large number of packets"
attacks like SYN floods are not as effective as they once were, most of
the ones that take out a server are aimed at a service and use the
distributed attack with lots of real requests.

Easiest way to think about a DoS is the phone line analogy.  

You have a phone line, someone calls you, and you start your
conversation.  Someone else calls they get a busy signal.  You're
DoSed.  
So you get Call waiting and you can answer the other line.  Then you
have 3 people call at once, and you are DoSed again...
So now you get a few more lines, now you have to keep trying to answer
all the lines yourself and keep putting people on hold, and you can't
keep up with all the calls.  DoSed again...  
So now you hire a few thousand people and put in millions of lines and
still can't answer the phones in a timely manner and now you are
Microsoft Tech Support.

Then someone 'hacks' the system to make all the phones ring and no one
is on the other end so your real customers can't call in now... (SYN
Flood)

Not sure if that helped any or not, but this is what I deal with on a daily
basis...  it's all sorts of fun *grumble*.

-- 
MadHat at Unspecific.com
`But I don't want to go among mad people,' Alice remarked.
`Oh, you can't help that,' said the Cat: `we're all mad here...'
   -- Lewis Carroll - _Alice's_Adventures_in_Wonderland_
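The 3-way handshake, the backlog exhaustion of a spoofed SYN flood, and the
kind of built-in protection (SYN cookies) the post mentions, as an added
example that is not part of the original message or its author's code. The
backlog size, the cookie secret and the address ranges are assumptions made
for the simulation; real stacks also retransmit the SYN-ACK and eventually
expire half-open entries, which is not modelled here.

```python
"""SYN backlog exhaustion vs. SYN cookies: a small simulation of the 3-way handshake.

Added example; not code from the original post. BACKLOG, SECRET and the address
ranges are assumptions made for the simulation. Real stacks also time out
half-open entries after retransmitting the SYN-ACK; that is not modelled here.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

BACKLOG = 64            # assumed: half-open (SYN_RECV) slots the listener keeps
SECRET = b"rotate-me"   # assumed: per-host secret mixed into SYN cookies
MOD32 = 2 ** 32


@dataclass
class Listener:
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src_ip, src_port, client_isn):
        # Stateless server ISN derived from the peer's identity with a keyed hash,
        # so the server stores nothing until the peer proves it saw the SYN-ACK.
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Steps 1-2: receive a SYN, return the ISN sent in the SYN-ACK (None = dropped)."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, client_isn)   # no state allocated
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1                              # backlog full: SYN silently dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        """Step 3: the peer acknowledges server_isn + 1; only now is a connection recorded."""
        if self.syn_cookies:
            ok = ack_num == (self._cookie(src_ip, src_port, client_isn) + 1) % MOD32
        else:
            isn = self.half_open.pop((src_ip, src_port), None)
            ok = isn is not None and ack_num == (isn + 1) % MOD32
        if ok:
            self.established.add((src_ip, src_port))
        return ok


def legit_connect(listener, src_ip="192.0.2.10", src_port=40000):
    """A real client completes all three steps; returns True on ESTABLISHED."""
    client_isn = random.getrandbits(32)
    server_isn = listener.on_syn(src_ip, src_port, client_isn)
    if server_isn is None:
        return False          # SYN dropped, no SYN-ACK ever arrives
    return listener.on_ack(src_ip, src_port, client_isn, (server_isn + 1) % MOD32)


def syn_flood(listener, count):
    """Spoofed SYNs from random sources in 203.0.113.0/24 that never answer the SYN-ACK."""
    for i in range(count):
        spoofed = f"203.0.113.{random.randrange(256)}"
        listener.on_syn(spoofed, 1024 + i, random.getrandbits(32))


def run(syn_cookies, flood_size=1000):
    """Flood the listener, then try one legitimate connection."""
    random.seed(1)
    lst = Listener(syn_cookies=syn_cookies)
    syn_flood(lst, flood_size)
    connected = legit_connect(lst)
    return {"connected": connected, "half_open": len(lst.half_open), "dropped": lst.dropped_syns}


def cookie_roundtrip(ack_offset):
    """Send one SYN to a cookie listener and ACK with server_isn + ack_offset."""
    lst = Listener(syn_cookies=True)
    isn = lst.on_syn("198.51.100.5", 5555, 7)
    return lst.on_ack("198.51.100.5", 5555, 7, (isn + ack_offset) % MOD32)


if __name__ == "__main__":
    print("plain backlog :", run(syn_cookies=False))
    print("SYN cookies   :", run(syn_cookies=True))
```

With a plain backlog the 1000 spoofed SYNs fill all 64 slots and the real
client's SYN is dropped; the flood costs the attacker almost no bandwidth, which
is the point made above. With SYN cookies the listener keeps no half-open state,
so the flood leaves nothing behind and the real client connects, while a forged
ACK that does not carry the right cookie is rejected.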


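The detection idea discussed above (watching where requests actually originate
and reacting to a build-up from a single address or block of addresses), applied
to the resource-starvation case where the requests are real and complete the
handshake. This is an added example, not code from the original message or its
author. The combined-style log format, the 60 second window and both limits are
assumptions, and the log lines are constructed inline rather than captured. As
the post notes, this only helps against real sources; it says nothing useful
about a SYN flood whose addresses are forged.

```python
"""Flagging a source address or /24 block whose request rate stands out in web logs.

Added example; not code from the original post. The log line format, the 60 s
window and both limits are assumptions, and the log lines are constructed here
rather than captured. This only works against real, non-spoofed sources: it
says nothing about a SYN flood whose addresses are forged.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)
PER_IP_LIMIT = 20      # assumed: requests per window from a single address
PER_BLOCK_LIMIT = 60   # assumed: requests per window from a single /24 (or /64)


def parse(line):
    """Return (ip, timestamp, request) for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["ip"]), datetime.strptime(m["ts"], TS_FMT), m["req"]
    except ValueError:
        return None


def block_of(ip):
    """Aggregate by /24 for IPv4 and /64 for IPv6."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def offenders(lines, window=WINDOW):
    """Sliding-window counts per address and per block; returns {key: peak count} for those over limit."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _req in events:
        for key, limit in ((str(ip), PER_IP_LIMIT), (str(block_of(ip)), PER_BLOCK_LIMIT)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # drop entries older than the window
                q.popleft()
            if len(q) > limit:
                flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def sample_log():
    """Constructed lines: a few normal clients, one noisy host, and one /24 spreading its requests."""
    t0 = datetime(2003, 1, 23, 8, 11, 8, tzinfo=timezone(timedelta(hours=-6)))

    def line(ip, offset, path="/index.html"):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 1234'

    lines = [line(f"192.0.2.{i}", i * 7) for i in range(1, 6)]                        # 5 normal requests
    lines += [line("198.51.100.9", s) for s in range(30)]                             # 30 requests in 30 s, one host
    lines += [line(f"203.0.113.{i % 40 + 1}", i, "/search?q=x") for i in range(80)]   # 2 per host, 80 across the /24
    return lines


if __name__ == "__main__":
    for key, peak in sorted(offenders(sample_log()).items()):
        print(f"{key:18} peak {peak} requests in {WINDOW.seconds}s")
```

The single noisy host trips the per-address limit on its own, while the /24 in
the third group stays under that limit per host (two requests each) and is only
caught by the per-block count. That is the "block of IPs" case from the thread,
and also its weakness: every request here is indistinguishable from a real
client, so the thresholds, not the content, do all the work, and a distributed
attack spread across enough blocks stays below both.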
