One common method of attack involves saturating the target machine with communications requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable.
During normal network communications using TCP/IP, a user contacts a server with a request to display a web page, download a file, or run an application. The user's request begins with a greeting message called a SYN. The server responds with its own SYN along with an acknowledgment (ACK) that it received the user's initial request; this combined message is called a SYN+ACK. The server then waits for a reply, or ACK, from the user acknowledging that it received the server's SYN. Once the user replies, the connection is established and data transfer can begin.
In a DoS attack against a server, the attacker sends a SYN request to the server. The server responds with a SYN+ACK and waits for a reply. However, the attacker never sends the final ACK needed to complete the connection.
The server continues to "hold the line open" and wait for a response (which is not coming) while at the same time receiving more false requests and keeping more lines open for responses. After a short period, the server runs out of resources and can no longer accept legitimate requests.
A variation of the DoS attack is the distributed denial of service (DDoS) attack. Instead of using one computer, a DDoS may use thousands of remote-controlled zombie computers in a botnet to flood the victim with requests. The large number of attacking machines makes it almost impossible to locate and block the source of the attack. Most DoS attacks are of the distributed type.
An older type of DoS attack is a smurf attack. During a smurf attack, the attacker sends a request to a large number of computers and makes it appear as if the request came from the target server. Each computer responds to the target server, overwhelming it and causing it to crash or become unavailable. Smurf attacks can be prevented with a properly configured operating system or router, so such attacks are no longer common.
DoS attacks are not limited to wired networks but can also be used against wireless networks. An attacker can flood the radio frequency (RF) spectrum with enough radio-frequency interference to prevent a device from communicating effectively with other wireless devices. This attack is rarely seen due to the cost and complexity of the equipment required to flood the RF spectrum.
Some symptoms of a DoS attack include:
- Unusually slow performance when opening files or accessing web sites
- Unavailability of a particular web site
- Inability to access any web site
- Dramatic increase in the number of spam emails received
To prevent DoS attacks, administrators can use firewalls to deny protocols, ports, or IP addresses. Some switches and routers can be configured to detect and respond to DoS attacks using automatic traffic rate filtering and balancing. Additionally, application front-end hardware and intrusion prevention systems can analyze data packets as they enter the system and determine whether they are legitimate or malicious.
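To make the half-open connection problem and the rate-filtering defense concrete, here is an added Python model (not code from the original post or its author) of a server's SYN backlog. It replays a constructed, labelled event list in which one source sends SYNs it never acknowledges, shows legitimate clients being refused once the table fills, shows how a per-source limit on half-open entries (an assumed stand-in for the rate filtering mentioned above) restores service, and includes a simple detection heuristic over the same events.

```python
from collections import Counter
# Constructed sample events (not real captures): (seconds, source_ip, source_port, flag).
EVENTS = (
    [(0.0, "10.0.0.5", 40000, "SYN"), (0.1, "10.0.0.5", 40000, "ACK")]          # normal client
    + [(0.2 + i * 0.01, "203.0.113.9", 50000 + i, "SYN") for i in range(12)]  # SYNs never ACKed
    + [(0.5, "10.0.0.6", 41000, "SYN"), (0.6, "10.0.0.6", 41000, "ACK")]        # arrives while table is full
    + [(5.0, "10.0.0.7", 42000, "SYN"), (5.1, "10.0.0.7", 42000, "ACK")]        # after stale entries time out
)

class HalfOpenTable:
    """Model of a listener's SYN backlog: each entry waits for the client's final ACK."""
    def __init__(self, backlog, timeout, syn_limit_per_src=None):
        self.backlog, self.timeout, self.syn_limit = backlog, timeout, syn_limit_per_src
        self.pending = {}         # (src_ip, src_port) -> time the SYN+ACK was sent
        self.per_src = Counter()  # half-open entries currently held per source
        self.established = self.refused = 0

    def on_syn(self, now, src, port):
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            self.per_src[key[0]] -= 1  # give up on stale half-open entries first
            del self.pending[key]
        over_limit = self.syn_limit is not None and self.per_src[src] >= self.syn_limit
        if over_limit or len(self.pending) >= self.backlog:
            self.refused += 1  # no free "line": the request is dropped
            return False
        self.pending[(src, port)] = now
        self.per_src[src] += 1
        return True

    def on_ack(self, now, src, port):
        if self.pending.pop((src, port), None) is None:
            return False  # ACK for a connection we are not holding open
        self.per_src[src] -= 1
        self.established += 1
        return True

def replay(events, backlog=10, timeout=3.0, syn_limit_per_src=None):
    """Feed the events to one listener and return (established, refused)."""
    table = HalfOpenTable(backlog, timeout, syn_limit_per_src)
    for now, src, port, flag in sorted(events):
        (table.on_syn if flag == "SYN" else table.on_ack)(now, src, port)
    return table.established, table.refused

def unanswered_syns(events):
    """Detection heuristic: per source, SYNs never followed by that client's ACK."""
    syns, acks = Counter(), Counter()
    for _, src, port, flag in events:
        (syns if flag == "SYN" else acks)[(src, port)] += 1
    open_by_src = Counter()
    for (src, port), n in syns.items():
        open_by_src[src] += max(0, n - acks[(src, port)])
    return dict(open_by_src)
```

With the default backlog of 10 the legitimate client at 0.5 s is refused and only 2 connections complete; with `syn_limit_per_src=5` all 3 legitimate clients connect while the unanswered SYNs are what gets dropped.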
The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at http://www.365ComputerSecurityTraining.com