Crypto-IT

A Denial-of-Service attack (DoS attack) is an attack where an attacker attempts to disrupt the services provided by a host, by not allowing its intended users to access the host from the Internet. If the attack succeeds, the targeted computer will become unresponsive and nobody will be able to connect with it.

There are a lot of methods that can be used to disable a server.

The most popular techniques are based on flooding the attacked system with thousands of fake messages, thus forcing it to deal with them and making it unable to react to genuine requests from the real users or clients.

By preparing the messages carefully and targeting the correct parts of the system, it is possible to prepare such requests that would cause most difficulties to the victim's computer. Their processing should be as time consuming as possible, and the maximum of server's computational power should be used up.

Instead of just sending random messages, the attacks may be designed to use up all available host's resources of some particular type. For example, the attacker may prepare the messages that would lead to allocating all host's network connections, thus making it unable to accept any other network requests.

An example of this attack type is a SYN flood. During this attack a victim's computer receives thousands of fake TCP/SYN packages, which force it to open separate TCP connections for each of them.

Similarly, the messages may be designed in a way that will cause the server to fill up the whole available memory or disc space (for example, with log messages of core dump files).

Finally, other methods of DoS attacks are supposed to completely crash the attacked host, by using some known vulnerabilities of its software.

This may be achieved for example by sending malformed messages which cause troubles for the handlers on the server side. A lot of operating systems were vulnerable to the attacks of this type, that were targeting the Internet Layer (therefore, they were dealing with IP addresses).

By choosing the way of constructing the messages, the attacker can target different network layers of the attacked system. Usually attacks are performed against the application layer or and the functionalities that handle popular lower protocols TCP or UDP. The complexity of high-level algorithms allows the intruders to construct a lot of complicated messages, targeting various vulnerabilities of the attacked systems.

More sophisticated attacks target lower layers of the TCP/IP network model. For example, there exist a lot of tools working similarly to popular ping programs. They create large numbers of IP packages, which are supposed to flood the network and reduce the network's bandwidth. The packages may be either valid (in this case we could call the attack ICMP flooding) or invalid (which may lead to the so-called Nuke attacks).

A popular lower layer attack is called a ping of death. This is basically a malformed ping package, which may lead to a system crash on unprepared systems.

Disabling the attacked computer may be a goal by itself. This is often the case in various political attacks, when intruders want mainly to manifest their slogans. Also, it is often enough to disable a targeted system or even just to pose the threat of doing that if the attackers want only to demand a ransom for stopping the attack.

Other DoS attacks are more sophisticated. In such situations, disabling online services is just the first step, and the attack will be continued in order to exploit the vulnerability of the system. Quite often, after removing the original server, the attacker creates its own identical service which is supposed to imitate the original one. Having a fake copy of the attacked system, the attackers may take advantage of its users, and use the controlled fake server to steal their data.

The most dangerous DoS attacks are perhaps the attacks which result in damaging the actual hardware. They are called permanent denial-of-service attacks or phlashing. A well-designed attack may disable the components of the targeted system which are crucial for the actual mechanical devices, thus breaking them and forcing the administrators to reinstall or even replace damaged hardware.

A distributed denial-of-service is an attack where the targeted system is attacked by large number of other machines, often located in different places, sometimes all around the world. The complexity of such action is much higher, due to the necessity of configuring and coordinating a large number of machines. On the other hand, the computational power of all connected devices is also much bigger, which makes such attacks much more dangerous.

Thanks to the usage of thousands of computers, the number of generated messages, that have to be handled by the attacked system, is really huge. Nowadays, the largest DDoS attacks can generate as many as terabits of data per second.

Degradation-of-service attacks are similar to denial-of-service attacks but they are intended to not completely block the server but rather to disturb it and reduce its performance. The amount of sending messages is much smaller, and the server should be able to cope with the increased traffic.

Therefore, these attacks are not so dangerous as the normal DoS attacks. They are intended to reduce the performance of the attacked host, discouraging its clients, and to force the administrators to take additional actions to improve the server's performance. All that results in increased costs and financial damages which will affect the attacked system.

Well performed degradation-of-service attacks are designed in a way, which makes it not clear for the administrators, whether any attack takes place at all or if they just face an increased traffic.

The spoofed attack is similar to DDoS attacks because it also involves flooding the attacked system with messages from many different sources and locations. However, the attacker, instead of sending the messages directly to the victim, first send them to other computers, which reflect them and resend to the targeted system.

This attack is also called the DRDoS (which means distributed reflected denial-of-service).

The attackers have to prepare specially constructed messages, with the fields indicating that they were sent from the victim's computer (that is, with the fake source IP address). Then, those messages are sent to many different machines, often genuine and located all over the world. The servers that received the messages, which were surely unexpected but more-or-less valid, can do only one sensible thing: send an error message to the victim's computer. As a result, the targeted system will receive thousands of unexpected messages, which have to be dealt with.

During the Slowloris attacks, the attacker sends the request slowly but in a large number. The targeted system has to keep the all the connection canals open, because they are perfectly valid and therefore there is no reason to discard them.

This will result in using up the whole available pool of network connections on the server side.

These attacks require less sophisticated hardware to be used by the intruders, and make both the detection and protection against them more difficult.

An example of this type of attacks is the HTTP Post DoS attack. The HTTP message sent by the intruder contains the HTTP header Content-Length with a large value.

The beginning of the message (the part containing the header) is received promptly by the attacked host but the rest of the request is sending to the server at an extremely slow rate. Due to the fact, that the message is valid, the server cannot discard it, and an allocated process continue waiting for incoming bytes.

Of course, the attacker creates hundreds or thousands of such connections, depleting the resources of the targeted system.

The shrew attack is another example of a DoS attack which is based on sending messages to the attacked system at a slow rate. It targets the TCP protocol, so operates on a lower level than the HTTP Post DoS attack, described above.

An attacker sends the messages at a carefully chosen rate, exploiting the TCP retransmission mechanism. The TCP connections are not allowed to be closed, due to the ongoing communication, and soon the whole TCP traffic may be disrupted.

DoS attacks are often performed indirectly. It means that the messages are not sent from the intruder's computer but from other machines, which are controlled by the attacker. Those machines are called zombies because their genuine users don't have the full control over them. Quite often, zombie computers are infected by specialized malware. After receiving the order from the attackers, the hidden applications will start sending packets to the targeted system. The users working on those machines won't often be aware of their participation in the attack.

Using zombie computers have at least two advantages. Firstly, it allows to create large networks of computers, which will attempt to break the target system. The computational power of many (hundreds or thousands) connected zombies working together is much larger that the power of any other possible network that could be built by the intruders.

Secondly, similarly as in the case of any other cryptographic attack, an additional separation between the attacked system and the attackers always increases the difficulty of any countermeasures that can be taken by the system administrators. For example, blocking the IP addresses of zombie computers located all over the world and belonging to different operators is much more difficult than just blocking the access from one organisation or location.

There exist a lot of tools and applications available in the Internet that can perform various types of DoS attacks. In fact, the underground market offers a variety of products, with different features and prices. One could name programs like GCHQ, HOIC, or MyDoom.

One could mention also two tools for DDoS attacks, which were created in the UK. They are called Predators Face and Rolling Thunder.

There are also tools which can be used for Slowloris attacks, like PyLoris, QSlowloris, and Goloris.