Denial of Service (DoS) Attack

Denial-of-Service (DoS) attacks are attempts to render an online service unavailable (or extremely slow) to its intended audience.

A Distributed Denial-of-Service (DDoS) attack attack is a type of DoS attack where the attack originates from multiple IP addresses. This gives the attacker more bandwidth, more IP addresses that the victim might have to manually ban, and more noise which increases the chances the victim's system will detect an attack.

To give an example of a DDoS attack, during Christmas 2014, a group calling themselves Lizard Squad claimed to have performed DDoS attacks on the Xbox Live network and Sony's PlayStation Network the network. This meant that any games which requires a connection to those servers became unavailable, and so players cannot log in, play online games or use their online apps during that period of down time.

Groups often claim to be responsible for attacks which they did not conduct, and so the origin of the attacks might be another party entirely.

Types

Most DoS attacks are volumetric attacks, where the servers are flooded with requests which deprives the server of bandwidth for its intended users. The volume of connections may also cause a badly-configured server to run out of memory and crash.

The attacks usually last anything from hours to days, but very rarely more.

There are many methods to perform such an attack, which we will outline below. Some of these techniques are outdated and probably wouldn't work today, but are included for completeness.

Volumetric

Volumetric DoS attacks are the simplest because all you're doing is flooding the victim's server and consuming all its bandwidth.

The difficulty being the total outgoing bandwidth available to the attacker must be higher than the available incoming bandwidth of the victim.

Big corporations, who are likely to be running many servers (and backup servers) and have a large available bandwidth, requires the attacker to acquire a even larger bandwidth. This is often expensive.

So almost all volumetric DoS attacks are distributed, where the attacker gains control of many compromised servers, which when instructed will act as a bot and contribute to the attack. Thus, this compromised network of machines are known as a botnet.

Ping Flood

The attacker sends the victim ICMP Echo Request (ping) packets as fast as possible, without waiting for a reply.

This will consume the victim's incoming bandwidth, and if the victim replies to these packets, it will also consume its outgoing bandwidth, rendering it unreachable to its intended users.

Ping flood is one of the simplest attacks, and can be done simply by running ping -f 123.45.67.89

Peer-to-Peer Flood

A Peer-to-Peer (P2P) network is where machines are connected to each other and able to transfer data without having to be routed via a server.

The DC++ client is a free and open-source P2P file-sharing client that's used to connect to Direct Connect network or the ADC protocol, and together forms the P2P network.

When a DC++ client connects to the network, they are listed in a network hub, which the DC++ client can read to get a list of peers it can connect to to get the data it desires.

Older versions of the DC++ client allow peers to instruct other peers to disconnect from the network and connect to a specific IP instead, where the resource is assumed to be at.

However, an attacker can maliciously instruct its peers of the IP address of its victim, and thus the victim's server will be flooded with requests.

Email Worm

Email Worms were common in the early 2000s, with notable exampels being the Sobig Worm, ILOVEYOU and Mydoom. The Mydoom worm's supposed purpose was to initiate a DDoS attack against SCO group. Hosts infected with Mydoom sends traffic to www.sco.com and thus overloading their servers.

Reflected Attacks

An attacker can send requests to millions of computers with a spoofed source IP. All the receiving machines will then send a reply, usually at the same time, to the spoofed IP, which is also the victim's IP address.

The mass influx of traffic disables the victim's machine.

Connections and Fragmentation

Connections-based DoS attacks opens up many connections in the victim's system so it can no longer accept any more connections from legitimate users.

The attacker initiate a connection but never finish establishing it. This delay from the attacker can, in theory, be due to congestion or errors, and so the victim's system will keep the connection open, consuming resources.

This is more effective than volumetric DoS attacks because it can often appear to be legitimate traffic and thus bypass DoS filters.

While these connections-based attacks still requires a high volume of connections, they are not as brute-force as volumetric attacks. With some methods, even a single computer is able to cripple an entire web server.

Connections-based DoS attacks are more relevant for protocols like SPDY and WebSocket, where the connection is meant to be kept alive.

SYN flood

Similar to Ping Flood, the attacker sends TCP/SYN packets to the victim as fast as it can.

To give a bit of background, the Transmission Control Protocol (TCP) is a protocol in the Internet Protocol Suite which allows information to be passed around on the internet.

To transfer data from one host to another, the two host must first establish a connection. It does this through a set of requests which forms a handshake.

First, the client sends a SYN request along with a randomly-generated sequence number, A. The server then sends back a SYN-ACK response to the client, along with the received sequence number incremented by 1 (A+1), and also another randomly-generated number, B. The client sees that the server has received and acknowledged the request and sends back a ACK response along with B+1. At this time, both the client and server has confirmed and acknowledged that the other party can receive packets successfully, and a connection is established.

A SYN flood, then, is where the attacking flood the victim's machine with SYN requests. This causes the victim's server(s) to reply with a SYN-ACK response while reserving the port for an anticipated ACK response. The attacker, however, will not provide the ACK, leaving the victim with multiple half-open connections.

More commonly, the attacker provides a spoofed IP address so when the victim's server sends the SYN-ACK, it's actually to an unsuspecting party, which will not send an ACK because it did not request this connection. Alternative, the advertised source IP is unreachable. Either way, the victim's server does not receive an ACK, and thus leaves many half-open connections.

The victim's server will wait a certain amount of time before it closes the connection, because the delay can be due to congestion in the network. However, these half-open connections takes up resources. When the victim's server have exhausted all the resources on these illegitimate requests, it does not have resources to service legitimate connections.

R-U-Dead-Yet? (RUDY) and Slowloris

With R-U-Dead-Yet? (RUDY) attacks, The attacker sends a GET/POST request to the victim, but with a large Content-Length field, instructing the victim's system to wait for the rest of the content to arrive before closing the connection.

The attacker, however, sends this information extremely slowly, and so saturates the number of connections the victim can make, preventing legitimate users from accessing it.

Slowloris

Slowloris is similar to RUDY, but instead of sending the data portion slowly, it sends the HTTP headers slowly.

You can use tools like slowhttptest to simulate an attack. The tool will send partial HTTP requests.

Slow Read

Similar to RUDY and Slowloris, but in a slow read attack, the attacker sends legitimate HTTP requests quickly, but are slow on the read. So the server will keep the connection open until it has confirmation the client has received the information.

It achieves this by advertising a small window, or receive buffer, so the victim's server will send out packets of that size. For a large file, this would require multiple packets, and the victim's server should only send more packets once it has confirmation that the attacker has received it.

The attacker can also advertise a window size of zero, which is valid under the TCP specification (RFC 1122).

By sending the acknowledgement slowly, or by advertising a window size of zero, the connection is kept opened, but data is sent slowly, if at all.

Server administrators can prevent these attacks by rejecting SYN packets which advertises a small window, set a connection timeout that is reasonable, and give thought to whether technologies like WebSockets, which requires persistent connections, are needed in the application.

The vulnerability is documented as 723308 in the Vulnerability Notes Database.

There is a more detailed article on Slow Read by Qualys for those interested.

Application

HTTP POST Flood

GET requests are often used to retrieve static content, such as an image or a static HTML page. POST requests, however, are often used to provide data for the server to process and return with dynamic data.

This processing requires resources from the server. And thus, generally speaking, a POST request will consume more resources than a GET request.

An attacker can find which requests consumes the most resources and send as many of those requests as possible to the victim's servers.

Logic

Logic DDoS attacks only works when there is a flaw in the software, which when packets are received causes the system to crash. The underlying cause is often buffer overload.

Teardrop

Data are transferred from one host to another through packets. Different protocols have different Maximum Transmission Unit (MTU), which is the maximum length of data a packet can hold. If the data exceeds this size, it must be fragmented into smaller chunks and reassembled by the receiver.

To know how this is achieved, we must know a little about packets - most packets have a header and a data section. The header contains information about the packet, and the data section carries the data to be transmitted.

Take the Internet Protocol (IP) - an IP packets follows a certain format. One of the headers is 'Fragment Offset', which specifies the order for which the packets should be reassembled.

In a teardrop attack, the attacker sends two fragments that have invalid fragment offsets, and thus cannot be reassembled together. Vulnerable systems cannot deal with this error and will crash.

However, most modern operating systems can now deal with this sort of attacks.

Teardrop attacks have other variations such as 'NewTear', 'Nestea', 'SynDrop', 'Bonk', 'TARGA' and 'TearDrop2'.

ECHO/CHARGEN

The Character Generator Protocol (CHARGEN) is a service of the Internet Protocol Suite which simply generates a stream of characters. It is intended for testing, debugging, and measurement purposes.

An attacker can send a spoofed packet to the victim's CHARGEN service that appears to originate locally - on the victim's machine. Thus, the CHARGEN service will stream data into the listening port.

This will cause the victim's machine to generate a huge amount of data, thus consuming resources.

Local Area Network Denial (LAND)

An attacker can send TCP SYN packets with the source and destination IP both to an open port in the victim's machine.

This is, however, an old vulnerability first discovered in 1997; it is not an issue with modern operating systems and firewalls.

IP Spoofing

I would like to end this article with a note on IP Spoofing, which is an important step in reflected attacks, but it can also be done to ensure the attacker's own IP addresses will not be exposed, because:

  1. It will expose their location
  2. The service being attacked can block the source IP to stop the attack

so there are many ways for them to disguise it.

For DoS attacks, the simplest method is to gain access to another individual's server and perform the attack from there. For DDoS attacks, which requires multiple origins, the attacker must gain access to multiple machines; however, for more large-scale attacks, there are more efficient methods, such as acquiring a botnet.

comments powered by Disqus