DoS and DDoS



Denial-of-service (DoS) attacks attempt to make a computer system or network unavailable to its intended users. Any system can be targeted, from a single home computer to a large web server farm. Several techniques, described below, increase the intensity of an attack well beyond what the attacker's own connection could deliver, and attacks of this kind have become more frequent.


DDoS amplification/reflection

In a reflection DDoS attack, the attacker spoofs the victim's IP address and sends requests via UDP to servers known to answer that type of request (open DNS resolvers, for example). UDP carries no handshake, so the servers cannot tell that the source address is forged: they answer the request and send the response to the victim's IP address. The attack is amplified when a small request elicits a much larger response, so the combined responses represent far more bandwidth than the attacker spent, enough to congest the target's Internet connectivity. With bandwidth maxed out, normal traffic cannot be serviced and legitimate clients cannot connect.

Resources

Good practices

  • Adopt source IP address verification at the edge of the Internet infrastructure (close to the origin of traffic) to prevent network address spoofing, using ingress and egress filtering. [SAC008, SAC065, BCP84, TA13-088A, BCP38]
  • Operators of authoritative name servers should implement Response Rate Limiting (RRL). [SAC008]
  • DNS name server operators and ISPs should disable open recursion on name servers and accept recursive DNS queries only from trusted sources. [SAC008, SAC065, TA13-088A]
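The following simulation is an added example and not part of the original page or of any of the cited documents. It models the reflection attack described above and the first two good practices: a spoofed request from the attacker's access network, three servers that answer anyone, and the two points at which the traffic can be stopped. The packet sizes, addresses (RFC 5737 documentation ranges) and the per-/24 response limit are assumptions chosen for the simulation, and the RRL logic is a simplification of DNS RRL (a plain per-window counter, no slip responses).

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed packet sizes (not measurements): a small query that elicits a much
# larger response, as in DNS-based reflection.
REQUEST_BYTES = 64
RESPONSE_BYTES = 3000

# Assumed topology, RFC 5737 documentation addresses.
ATTACKER_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # attacker's access network
VICTIM = "203.0.113.10"                                     # target, outside that prefix
REFLECTORS = ["192.0.2.53", "192.0.2.54", "192.0.2.55"]    # servers that answer anyone


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int


def bcp38_egress_filter(pkt: Packet, local_prefix: ipaddress.IPv4Network) -> bool:
    """Source address validation at the attacker's edge router: forward a packet
    only if its source address belongs to the prefix assigned to that access
    network. Spoofed sources are dropped before they reach any reflector."""
    return ipaddress.ip_address(pkt.src) in local_prefix


class Reflector:
    """A server answering every request. With rrl_limit set it also applies
    Response Rate Limiting: at most rrl_limit responses per window toward any
    one /24 (simplified version of DNS RRL, assumption for this example)."""

    def __init__(self, addr: str, rrl_limit: Optional[int] = None):
        self.addr = addr
        self.rrl_limit = rrl_limit
        self.responses_to = defaultdict(int)  # client /24 -> responses this window

    def respond(self, req: Packet) -> Optional[Packet]:
        client_net = ipaddress.ip_network(f"{req.src}/24", strict=False)
        if self.rrl_limit is not None and self.responses_to[client_net] >= self.rrl_limit:
            return None  # response suppressed by RRL
        self.responses_to[client_net] += 1
        return Packet(src=self.addr, dst=req.src, size=RESPONSE_BYTES)


def run_attack(requests_per_reflector: int, *, egress_filter: bool = False,
               rrl_limit: Optional[int] = None) -> Tuple[int, int]:
    """One window of a reflection attack. Returns (bytes the attacker emitted,
    bytes that arrived at the victim)."""
    reflectors = [Reflector(addr, rrl_limit) for addr in REFLECTORS]
    attacker_bytes = victim_bytes = 0
    for reflector in reflectors:
        for _ in range(requests_per_reflector):
            # The request carries the victim's address as its source: spoofing.
            req = Packet(src=VICTIM, dst=reflector.addr, size=REQUEST_BYTES)
            attacker_bytes += req.size
            if egress_filter and not bcp38_egress_filter(req, ATTACKER_PREFIX):
                continue  # dropped at the attacker's own edge, never reflected
            resp = reflector.respond(req)
            if resp is not None and resp.dst == VICTIM:
                victim_bytes += resp.size
    return attacker_bytes, victim_bytes


def amplification_factor(attacker_bytes: int, victim_bytes: int) -> float:
    """Bytes landing on the victim per byte the attacker had to send."""
    return victim_bytes / attacker_bytes if attacker_bytes else 0.0


if __name__ == "__main__":
    scenarios = [("no mitigation", {}),
                 ("BCP38 at edge", {"egress_filter": True}),
                 ("RRL 5/window", {"rrl_limit": 5})]
    for label, kwargs in scenarios:
        sent, got = run_attack(100, **kwargs)
        print(f"{label:14s} attacker sent {sent:7d} B, victim received {got:7d} B, "
              f"amplification x{amplification_factor(sent, got):.1f}")
```

Egress filtering removes the attack entirely, because the spoofed packets never leave the network they originate from; RRL only bounds what each reflector will send to one /24 per window, which is why the page lists both.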


DoS flooding

A flood is the simplest denial-of-service attack: the attacker overwhelms the victim with packets (e.g. ICMP echo-request packets). It succeeds most easily when the attacker has more bandwidth than the victim (for instance, an attacker on a DSL line against a victim on a dial-up modem). The attacker may also count on the victim answering each packet (e.g. with ICMP echo-reply packets), so that the flood consumes the victim's outgoing bandwidth as well as its incoming bandwidth.
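As an added example, not from the original page, here is the detection side of the flood just described: a small parser for flow records, a per-second counter of inbound echo-requests per destination, and a bandwidth tally that shows the victim's own echo-replies doubling the cost. The record format, the sample records, the addresses and the 10 packets-per-second threshold are all constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float
    proto: str
    src: str
    dst: str
    kind: str   # ICMP message type as text, e.g. echo-request / echo-reply
    size: int   # bytes on the wire


def parse_flows(text: str) -> List[Flow]:
    """Parse one constructed record per line:
    <epoch seconds> <proto> <src> <dst> <icmp type> <bytes>"""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, kind, size = line.split()
        flows.append(Flow(float(ts), proto, src, dst, kind, int(size)))
    return flows


def detect_floods(flows: List[Flow], pps_threshold: int) -> Dict[str, List[Tuple[int, int]]]:
    """Per destination, count inbound ICMP echo-requests in one-second buckets and
    report every (second, packets) bucket at or above the threshold."""
    buckets = defaultdict(int)
    for f in flows:
        if f.proto == "ICMP" and f.kind == "echo-request":
            buckets[(f.dst, int(f.ts))] += 1
    alerts = defaultdict(list)
    for (dst, sec), n in sorted(buckets.items()):
        if n >= pps_threshold:
            alerts[dst].append((sec, n))
    return dict(alerts)


def bandwidth_consumed(flows: List[Flow], host: str) -> Tuple[int, int]:
    """(inbound bytes, outbound bytes) seen for host. A flood that draws echo
    replies burns the victim's uplink as well as its downlink."""
    inbound = sum(f.size for f in flows if f.dst == host)
    outbound = sum(f.size for f in flows if f.src == host)
    return inbound, outbound


# Constructed sample (assumption, not a real capture): twelve 1500-byte echo
# requests from one source within a single second, each answered by the victim,
# followed by one ordinary 84-byte ping from another host a second later.
VICTIM = "203.0.113.10"
_lines = []
for _i in range(12):
    _t = 1700000000 + _i * 0.05
    _lines.append(f"{_t:.2f} ICMP 198.51.100.7 {VICTIM} echo-request 1500")
    _lines.append(f"{_t + 0.01:.2f} ICMP {VICTIM} 198.51.100.7 echo-reply 1500")
_lines.append(f"1700000001.30 ICMP 192.0.2.9 {VICTIM} echo-request 84")
_lines.append(f"1700000001.31 ICMP {VICTIM} 192.0.2.9 echo-reply 84")
SAMPLE_LOG = "\n".join(_lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("alerts:", detect_floods(flows, pps_threshold=10))
    print("victim in/out bytes:", bandwidth_consumed(flows, VICTIM))
```

A fixed threshold is only a starting point; in practice the threshold is set relative to the normal echo-request rate for each host, and the outbound figure is what tells you whether rate-limiting or dropping echo replies at the victim would help.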

Examples

Good practices

  • Manufacturers and operators of network equipment should secure all devices and keep them up to date. [SAC065]


DoS protocol exploitation

Protocol exploitation (e.g. TCP SYN flooding) is a form of denial-of-service attack in which an attacker sends a succession of connection requests to a target system, never completing them, in order to consume enough server resources (e.g. the table of half-open TCP connections) that the system becomes unresponsive to legitimate traffic.
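The exchange described above, as an added example that is not part of the original page: a listener that keeps per-connection state for every SYN, the spoofed flood that exhausts its backlog, and, as a contrast the page does not itself mention, a SYN-cookie listener that stores nothing until an ACK with a valid cookie returns. The backlog size, addresses and cookie layout are assumptions; the cookie scheme is simplified (keyed hash over the 4-tuple and a time counter, no MSS encoding as a real stack would do).

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional


class StatefulListener:
    """Conventional server side of the handshake: every SYN allocates a
    half-open entry that lives until the matching ACK arrives (a real stack
    also expires it after a timeout, long enough for a flood to keep it full)."""

    def __init__(self, backlog: int = 4):   # tiny backlog so exhaustion is visible
        self.backlog = backlog
        self.half_open = {}   # (src, sport, dst, dport) -> ISN sent in the SYN-ACK

    def on_syn(self, src, sport, dst, dport) -> Optional[int]:
        if len(self.half_open) >= self.backlog:
            return None    # SYN dropped: the client never receives a SYN-ACK
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport, dst, dport)] = isn
        return isn

    def on_ack(self, src, sport, dst, dport, ack) -> bool:
        isn = self.half_open.pop((src, sport, dst, dport), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Stateless alternative (SYN cookies, simplified): the ISN in the SYN-ACK is
    a keyed hash over the 4-tuple and a coarse time counter, so nothing is kept
    per connection until an ACK carrying a valid cookie comes back."""

    def __init__(self, secret: bytes,
                 counter_fn: Callable[[], int] = lambda: int(time.time()) // 64):
        self.secret = secret
        self.counter_fn = counter_fn

    def _cookie(self, src, sport, dst, dport, counter) -> int:
        msg = f"{src}:{sport}:{dst}:{dport}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 3 bits of counter plus 29 bits of MAC make up the 32-bit ISN.
        return ((counter & 0x7) << 29) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFFF)

    def on_syn(self, src, sport, dst, dport) -> Optional[int]:
        return self._cookie(src, sport, dst, dport, self.counter_fn())

    def on_ack(self, src, sport, dst, dport, ack) -> bool:
        isn = (ack - 1) & 0xFFFFFFFF
        now = self.counter_fn()
        # Accept the current and the previous window so a slow client still connects.
        return any(self._cookie(src, sport, dst, dport, c) == isn for c in (now, now - 1))


def syn_flood(listener, count: int, dst="203.0.113.10", dport=80) -> None:
    """Spoofed SYNs from many forged sources (RFC 5737 range); no ACK ever follows."""
    for i in range(count):
        listener.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, dst, dport)


def legitimate_connect(listener, src="192.0.2.9", sport=51000,
                       dst="203.0.113.10", dport=80) -> bool:
    """A real client: SYN, then ACK of ISN+1. True if the connection completes."""
    isn = listener.on_syn(src, sport, dst, dport)
    if isn is None:
        return False
    return listener.on_ack(src, sport, dst, dport, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    stateful = StatefulListener(backlog=4)
    syn_flood(stateful, 1000)
    print("stateful listener after flood:  ", legitimate_connect(stateful))
    cookies = SynCookieListener(secret=os.urandom(32))
    syn_flood(cookies, 1000)
    print("SYN-cookie listener after flood:", legitimate_connect(cookies))
```

The flood costs the stateful listener one table entry per spoofed SYN and costs the cookie listener one hash per SYN, which is why the latter keeps accepting real clients; the trade-off in a real stack is that TCP options arriving in the SYN cannot all be remembered.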

Examples


DoS malformed packet attack

Attacks designed to crash an operating system's network stack by supplying malformed header information or payload, for example length fields that contradict each other or fragments that would reassemble beyond the maximum datagram size. [1]
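As an added example that is not from the original page, the following IPv4 header parser shows the checks a stack needs before it trusts any length field, next to the unchecked arithmetic that a crafted header turns against it. The packet builder, its addresses and the specific inconsistencies it produces are constructed for this example; the header layout and checksum follow the IPv4 specification.

```python
import socket
import struct
from typing import Dict

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header without options


class MalformedPacket(ValueError):
    """Raised for any header a robust stack must drop rather than act on."""


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; over a header that already carries
    a valid checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def naive_payload_length(buf: bytes) -> int:
    """What an unchecked parser computes: total length minus header length.
    With a crafted total length it goes negative; in C that is an unsigned
    underflow and a read far past the end of the buffer."""
    ver_ihl, _tos, total_len = struct.unpack("!BBH", buf[:4])
    return total_len - (ver_ihl & 0x0F) * 4


def parse_ipv4(buf: bytes) -> Dict[str, object]:
    """Validate every length field against the others and against the buffer
    before using any of them; reject on the first inconsistency."""
    if len(buf) < 20:
        raise MalformedPacket("buffer shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise MalformedPacket(f"version {version} is not 4")
    if ihl < 20:
        raise MalformedPacket(f"IHL {ihl} is below the minimum header size")
    if ihl > len(buf) or total_len > len(buf):
        raise MalformedPacket("header claims more bytes than were received")
    if total_len < ihl:
        raise MalformedPacket(f"total length {total_len} smaller than header {ihl}")
    if ipv4_checksum(buf[:ihl]) != 0:
        raise MalformedPacket("header checksum mismatch")
    flags, frag_off = flags_frag >> 13, (flags_frag & 0x1FFF) * 8
    if frag_off + (total_len - ihl) > 65535:
        raise MalformedPacket("fragment would reassemble beyond 65535 bytes")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "flags": flags, "frag_off": frag_off, "header_len": ihl,
            "payload": buf[ihl:total_len]}


def rejects(buf: bytes) -> bool:
    """True if the strict parser drops the packet."""
    try:
        parse_ipv4(buf)
        return False
    except MalformedPacket:
        return True


def build_ipv4(src: str, dst: str, payload: bytes, *, total_len=None, ihl_words=5,
               flags=0, frag_off_units=0, corrupt_checksum=False) -> bytes:
    """Constructed test packets; each keyword lets a caller lie in one field."""
    total = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack(IPV4_FMT, (4 << 4) | ihl_words, 0, total, 1,
                      (flags << 13) | frag_off_units, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


if __name__ == "__main__":
    crafted = build_ipv4("192.0.2.9", "203.0.113.10", b"ping", total_len=8)
    print("naive payload length:", naive_payload_length(crafted))
    print("strict parser rejects:", rejects(crafted))
```

The order of the checks matters: the header length is validated before the checksum is computed over it, and the total length is validated before it is used to slice the payload, so no field is ever used as an index before it has been bounded.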

Examples

DoS application attack

Known limitations, flaws and vulnerabilities in an application's logic are exploited, resulting in a failure of that specific application or in data corruption, without the need to saturate the network.

Examples