Denial of Service Attack (DOS)
A denial of service attack is a type of network attack carried out to prevent users from obtaining a particular resource or service. It is an explicit attempt by attackers to prevent the legitimate users of a computer-related service from using that service. DOS attacks are mostly launched from a network different from the victim's, and the attacker can be anywhere on the network. The motive behind the attack can be anything: it may be done for fun, or for other reasons such as economic gain, obtaining information about others, and so on.
In this type of attack the service is made temporarily unavailable by sending a large number of packets to the server. Those packets carry wrong (spoofed) addresses, which causes the server to fail so that it cannot perform its activities smoothly; depending on the level of the attack the system may hang, reboot or even crash. DOS attacks generally work by forcing the targeted computer system to reset, or by disturbing the communication medium so that the user cannot communicate properly with the desired party.
The damage of a DOS attack is not limited to one party; it can have an impact on others as well. An attack on one site can also affect network resources that serve multiple sites. Resources we share with others may be consumed by the attack, and if our Internet service provider is attacked, the effect is felt by us and by other users too. Even though we are not the attacker's intended victim we may still face problems, so the damage of a DOS attack is hidden and unpredictable.
As technology and equipment advance, DOS attack techniques and technology advance too. In the early days simple tools were used to launch such attacks, but now there are various ways of launching a DOS attack and their effects are also growing. Earlier, packets were sent from a single source to a single victim; now a single source can attack multiple targets, and multiple attackers can attack a single target.
Consider hosts A and B that want to communicate. Host A sends a connection message to host B; host B acknowledges it and sends a connection-set message back to A. After A receives that message it enters the connected state, and the connection is established. This is a normal connection between two systems.
The scenario for a DOS attack is quite different. Host A sends connection messages to the targeted host B, but it sends many of them, and every message carries a false return address. B enters the connection stage and, when it tries to send the connection-set message, it cannot find host A because the address it was given is invalid. B stays in the connection stage for some time and then tries to end the session, but A sends more fake requests and the process repeats again and again. This is a simple kind of DOS attack; the nature and the process of DOS attacks in today's scenario vary.
The different types of DOS attack that are threats in today's world are:
Teardrop attack:
When data is transmitted from one host to another it is broken into small IP packets (fragments); each packet carries its own identification number and sequence (offset) number, and as the receiving host gets the data it reassembles the packets on the basis of those numbers. In a teardrop attack false sequencing or offset information is inserted into the fragments, and the packets also contain bugs, so when the recipient tries to reassemble them the empty or overlapping offset information can make the system unstable; systems such as Windows 95 and NT can crash. Teardrop does not cause significant damage; in many cases a single reboot of the system is the remedy. But it can be destructive if we could not save our data while the attack took place.
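The reassembly step is where teardrop-style fragments do their damage, so the defensive point is a reassembler that validates offsets instead of trusting them. The following is an added example, not code from the original article: a small Python fragment reassembler that requires fragments to tile the datagram exactly and rejects overlaps, gaps, oversized datagrams and inconsistent "more fragments" flags. The Fragment model, the byte-based offsets (real IPv4 headers count offsets in 8-byte units) and the sample fragment sets are all constructed for illustration.

```python
"""Defensive IPv4 fragment reassembly (added example, not from the original article).

A fragment is modelled as its byte offset, payload and "more fragments" flag.
Instead of trusting offsets, the reassembler insists that fragments tile the
datagram exactly, which rejects the overlapping/out-of-range offsets that
teardrop-style packets carry.  Offsets are in bytes here for readability;
real IPv4 headers carry them in 8-byte units.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram in bytes


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this payload inside the original datagram
    payload: bytes
    more: bool      # True while further fragments follow (IP MF flag)


class MalformedFragments(ValueError):
    """Raised when the fragment set cannot describe a single valid datagram."""


def reassemble(fragments):
    """Return the reassembled payload, or raise MalformedFragments.

    Checks performed on the offset-sorted fragment list:
      * no gaps and no overlaps between consecutive fragments
      * no fragment reaches past the maximum datagram size
      * exactly the last fragment has the MF flag cleared
    """
    if not fragments:
        raise MalformedFragments("no fragments supplied")
    ordered = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    last_index = len(ordered) - 1
    for index, frag in enumerate(ordered):
        if frag.offset < expected:
            raise MalformedFragments(
                f"fragment at offset {frag.offset} overlaps data up to {expected}")
        if frag.offset > expected:
            raise MalformedFragments(
                f"gap before offset {frag.offset}; expected data at {expected}")
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM:
            raise MalformedFragments("fragment extends past the maximum datagram size")
        if frag.more == (index == last_index):
            # MF set on the final fragment, or cleared on a non-final one
            raise MalformedFragments("inconsistent 'more fragments' flag")
        buf += frag.payload
        expected = end
    return bytes(buf)


def check(fragments):
    """Convenience wrapper: (True, payload) or (False, reason)."""
    try:
        return True, reassemble(fragments)
    except MalformedFragments as exc:
        return False, str(exc)


# Constructed sample inputs.
GOOD = [
    Fragment(0, b"HEADERPART", True),
    Fragment(10, b"MIDDLEPART", True),
    Fragment(20, b"TAIL", False),
]
# Second fragment claims an offset inside the first one: the overlap that a
# naive reassembler mishandles.
OVERLAPPING = [
    Fragment(0, b"HEADERPART", True),
    Fragment(4, b"XXXXXXXXXX", False),
]
# Offset points past the end of the data received so far.
GAPPED = [
    Fragment(0, b"HEADERPART", True),
    Fragment(30, b"TAIL", False),
]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlapping", OVERLAPPING), ("gapped", GAPPED)):
        print(name, check(frags))
```

A production reassembler would additionally key the fragment set by (source, destination, protocol, identification) and bound the time and memory spent per incomplete datagram, so that a stream of never-completed fragment sets cannot itself exhaust the host.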
Smurf attack:
It is a type of denial of service attack in which the attacker sends a large number of ICMP ping requests to an IP broadcast address, with all of the packets carrying a spoofed source IP address (that of the victim). When the routing devices deliver that traffic to all the hosts, and the hosts accept the requests and reply to them, the traffic is multiplied, and the large volume of traffic can bring instability to the system. In this way an attacker with low bandwidth can bring instability to a victim with large bandwidth.
SYN flooding:
It is a type of attack in which the attacker sends multiple TCP SYN messages to the victim but never completes the handshake with the final acknowledgement. SYN flooding abuses the three-way handshake process. In a normal three-way handshake the sender sends a connection request (CR) to another system; for example, host A sends a CR (SYN) to host B. Host B then sends an acknowledgement and connection-set message (SYN-ACK) to A. A then sends an acknowledgement (ACK) to B, and the connection between the two systems starts.
In SYN flooding, however, the attacker sends multiple connection requests to the victim, and the requests carry spoofed IP addresses. The victim responds to each with an acknowledgement and then waits in the connection stage for the confirmation that would start the connection, but that confirmation never arrives. The victim queues all of these waiting half-open connections; the list keeps growing, the victim is no longer able to respond to requests from genuine users, and as the queue fills memory the system hangs or even crashes.
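The handshake described earlier (hosts A and B) and the half-open queue described here are easiest to understand by simulating the server side. The following is an added example, not code from the original article: two toy Python listeners, one that keeps an entry per unanswered SYN-ACK (the classic backlog, which the flood exhausts) and one that keeps no per-SYN state and instead encodes an HMAC of the connection tuple in its initial sequence number (SYN cookies, a standard mitigation). The backlog size, timeout, secret, spoofed addresses and the "genuine client" are all constructed for illustration; no packets are sent.

```python
"""Half-open connection table under a SYN flood versus SYN cookies.

Added example, not code from the original article.  Two toy listeners model
the server side of the three-way handshake: one keeps an entry per
unanswered SYN-ACK (the classic backlog) and one keeps no state at all and
instead encodes an HMAC of the connection tuple in its initial sequence
number (SYN cookies).  Backlog size, timeout and the secret are illustrative.
"""
import hashlib
import hmac

BACKLOG = 4                # deliberately tiny so exhaustion shows quickly
HALF_OPEN_TIMEOUT = 30.0   # seconds an unanswered SYN-ACK is kept


class StatefulListener:
    """Classic backlog: remembers every SYN until the final ACK arrives."""

    def __init__(self):
        self.half_open = {}       # (src_ip, src_port) -> time SYN-ACK was sent
        self.established = set()
        self.dropped = 0

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1     # no room: the SYN is silently discarded
            return False
        self.half_open[src] = now
        return True               # SYN-ACK sent, waiting for the peer's ACK

    def on_ack(self, src, now):
        if src in self.half_open:
            del self.half_open[src]
            self.established.add(src)
            return True
        return False

    def _expire(self, now):
        for src, sent in list(self.half_open.items()):
            if now - sent > HALF_OPEN_TIMEOUT:
                del self.half_open[src]


class CookieListener:
    """SYN cookies: the SYN-ACK's sequence number is a keyed hash of the
    peer tuple and a coarse time slot.  A third-step ACK carrying that value
    plus one proves the peer really received the SYN-ACK, so nothing needs
    to be stored for SYNs whose source address was spoofed."""

    SLOT_SECONDS = 64

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # 32-bit ISN

    def on_syn(self, src, now):
        return self._cookie(src, int(now) // self.SLOT_SECONDS)

    def on_ack(self, src, ack_num, now):
        slot = int(now) // self.SLOT_SECONDS
        for candidate in (slot, slot - 1):         # tolerate a slot boundary
            if (self._cookie(src, candidate) + 1) & 0xFFFFFFFF == ack_num:
                self.established.add(src)
                return True
        return False


def run_flood(spoofed_syns=20):
    """Replay the same constructed traffic against both listeners and report
    whether a genuine client can still connect."""
    # Constructed spoofed sources (documentation address range) that never answer.
    spoofed = [(f"203.0.113.{i}", 40000 + i) for i in range(spoofed_syns)]
    genuine = ("198.51.100.7", 51000)
    results = {}

    stateful = StatefulListener()
    for src in spoofed:
        stateful.on_syn(src, now=0.0)
    results["stateful_half_open"] = len(stateful.half_open)
    results["stateful_genuine_accepted"] = stateful.on_syn(genuine, now=1.0)
    # Only after the half-open entries time out does the backlog free up.
    results["stateful_accepted_after_timeout"] = stateful.on_syn(genuine, now=100.0)

    cookie = CookieListener(secret=b"example-rotating-secret")
    for src in spoofed:
        cookie.on_syn(src, now=0.0)          # nothing stored, nothing to exhaust
    isn = cookie.on_syn(genuine, now=1.0)
    results["cookie_genuine_accepted"] = cookie.on_ack(genuine, (isn + 1) & 0xFFFFFFFF, now=2.0)
    # An ACK that never saw the SYN-ACK carries no valid cookie and is rejected.
    results["cookie_forged_ack_accepted"] = cookie.on_ack(spoofed[0], 12345, now=2.0)
    return results


if __name__ == "__main__":
    for key, value in run_flood().items():
        print(f"{key}: {value}")
```

Real operating systems combine both approaches: they keep a backlog for normal load and switch to cookies only when it fills, because cookies cannot carry every TCP option that a stored SYN would remember.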
Port flooding:
It is a type of network attack in which the attacker sends a large amount of continuous data to random ports on the host computer. This attack can drive CPU usage to 100 percent and cause sudden changes in the performance of the system. The attacker sends a large number of packets and the victim is forced to send ICMP packets in reply, but those replies go to an unreachable host because the attacker spoofs the source IP address so that the ICMP packets do not reach him. This kind of attack not only attempts to make the ports unusable but also raises CPU usage to 100% by making the system process tasks on the particular port under attack. There are a number of tools for this type of attack, among them Mutilate and Pepsi5.
Application-based DOS attack:
It is a type of DOS attack launched with the main target of bringing down an application rather than the system. The attacker finds loopholes and bugs in a certain application running on the host computer. After finding the bugs, the attacker sends the application more data than it can handle; as a result the application hangs, and in most cases the system as well.
Distributed Denial of Service Attack
With time and technology, various changes have been made in the way denial of service attacks are launched. Various security devices have made it difficult to launch a simple DOS attack, so attackers took DOS into distributed form. In a distributed denial of service attack the attacker launches the attack against the victim from multiple systems at the same time. The basic concept of DOS and DDOS is almost the same. In DDOS the attacker does not attack the system directly but uses many other computers to attack the victim; these computers are called zombies. The zombies are unaware that someone is launching a DOS attack through their systems. A zombie can be any computer on the Internet, and using them the attacker can launch multiple attacks against the victim while remaining safe, hidden behind the zombies, so that it is difficult to trace the attack back. The attacker sends multiple requests to the victim at a single time; the victim cannot handle them because they are beyond its limit, and so it hangs or its system crashes. Stopping DDOS is also difficult, since security devices like firewalls and routers cannot tell whether the requesting users are real or fake. The attacker finds a weakness in the zombie, exploits it, sends malicious code and installs various programs that make it easy to launch DDOS from it.
Comparison between the DOS and DDOS
DDOS can be considered the more advanced form of DOS. Nowadays a simple DOS attack might not work properly because of the availability of highly secure devices, and DOS can easily be traced back, so attackers do not use this technique much any more. In DDOS attackers can remove their traces: they use zombies to attack the victim, and since they have full control over the zombies, removing all their traces from those systems is not a difficult task for them. Launching DOS requires fewer resources, but launching DDOS requires many more resources, and one needs more knowledge than for DOS.
Launching of the DDOS attack
In a distributed denial of service attack the attacker launches the attack using zombies, or bots. The attacker breaks into the zombie's system: in the initial stage the attacker looks for weak points in the system, such as defects in the operating system, weaknesses in the network, etc. Once they gain access to the system they install the DDOS software and hide the traces of all their activity so that it is difficult to trace back to them. The same process is repeated on all the zombies, and then commands are issued to attack the victim.
Let us take an example where a group of attackers has planned to launch DDOS against the computer network of a company called B. These attackers will first try to gain control of less well-protected networks. Once they take control of such a network they can control the entire network. Then they install DDOS tools in those networks and attack the company all at once. They can use every computer in the networks they have taken control of and launch the attack at a single time. All the attackers work as a team, taking control of different computers and launching attacks through them against the same host.
The systems of company B will have a hard time handling all those requests from such a large number of computers; they cannot handle all the requests and as a result will deny all the services they normally provide. The system may hang, crash or reboot depending on the nature of the attack. Finding the attackers is also difficult, as they sit in different networks and the attack is launched from different networks. DDOS can be launched using various special tools designed mainly for this purpose. Some of the most commonly used tools are Trinoo, Tribe Flood Network (TFN), Shaft, Kaiten and Stacheldraht/Stacheldraht v4.
Security measures to defend against DDOS
DOS and DDOS are major threats that we face in networks today. In many cases these attacks do little damage to the system, but sometimes the level of damage can be very high and the organization has to face severe problems. So it is always better to take security measures beforehand than to regret later. Some of the security measures we can take to protect against these attacks are:
· Use a firewall (hardware or software) and filter packets.
· Install Intrusion Detection System (IDS) devices for more security; they can alert us to any suspicious attacks in the network.
· Use genuine antivirus software and update it regularly.
· Provide proper training to the organization's staff on the proper use of the network.
· Take regular backups of the system.
· Use genuine operating systems and update them at regular intervals.
· Make the network policies strong, use strong passwords (alphanumeric, with special characters and symbols) and change them periodically.
· Monitor network traffic regularly.
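Regular traffic monitoring and IDS alerting, the last items in the list above, are most useful when they encode the specific patterns this article describes. The following is an added example, not code from the original article or from any IDS product: a Python sliding-window analyser over flow records that flags three of those patterns in the same pass, namely a SYN flood (many bare SYNs to one port with few completing ACKs), many distinct sources converging on one destination (the distributed pattern), and a storm of ICMP echo replies onto one host (the broadcast-amplification pattern). The record format, the thresholds and the sample traffic are constructed assumptions to be tuned for a real network.

```python
"""Sliding-window traffic monitor (added example, not from the original article).

Runs over constructed flow records of the form
    (timestamp, src_ip, dst_ip, proto, dst_port, flags)
where flags is "S" for a bare SYN, "SA" for SYN-ACK, "A" for ACK, and for
ICMP the message type name.  Three patterns are scored per window: SYN flood
(many SYNs, few completing ACKs), many distinct sources hitting one
destination, and a storm of ICMP echo replies converging on one host.
Thresholds are illustrative assumptions, to be tuned per network.
"""
from collections import defaultdict

WINDOW_SECONDS = 10
SYN_THRESHOLD = 50            # bare SYNs to one dst:port per window
DISTINCT_SRC_THRESHOLD = 20   # distinct sources to one dst per window
ECHO_REPLY_THRESHOLD = 50     # ICMP echo replies to one dst per window


def analyse(records, window=WINDOW_SECONDS):
    """Return a list of alert dicts, one per (window, destination, pattern)."""
    syns = defaultdict(int)          # (win, dst, port) -> bare SYN count
    acks = defaultdict(int)          # (win, dst, port) -> handshake-completing ACKs
    sources = defaultdict(set)       # (win, dst) -> distinct src_ip
    echo_replies = defaultdict(int)  # (win, dst) -> ICMP echo-reply count

    for ts, src, dst, proto, port, flags in records:
        win = int(ts // window)
        sources[(win, dst)].add(src)
        if proto == "tcp" and flags == "S":
            syns[(win, dst, port)] += 1
        elif proto == "tcp" and flags == "A":
            acks[(win, dst, port)] += 1
        elif proto == "icmp" and flags == "echo-reply":
            echo_replies[(win, dst)] += 1

    alerts = []
    for (win, dst, port), n in syns.items():
        completed = acks[(win, dst, port)]
        if n >= SYN_THRESHOLD and completed < n // 2:
            alerts.append({"window": win, "dst": dst, "port": port,
                           "type": "syn_flood", "syns": n, "acks": completed})
    for (win, dst), srcs in sources.items():
        if len(srcs) >= DISTINCT_SRC_THRESHOLD:
            alerts.append({"window": win, "dst": dst,
                           "type": "distributed_sources", "sources": len(srcs)})
    for (win, dst), n in echo_replies.items():
        if n >= ECHO_REPLY_THRESHOLD:
            alerts.append({"window": win, "dst": dst,
                           "type": "echo_reply_storm", "replies": n})
    return alerts


def sample_records():
    """Constructed traffic: five normal handshakes, a spoofed-source SYN flood
    against 10.0.0.5:80, and echo replies pouring onto 10.0.0.9."""
    recs = []
    # Five genuine clients complete the three-way handshake (first 15 records).
    for i in range(5):
        client = f"192.168.1.{10 + i}"
        recs.append((0.5 + i, client, "10.0.0.5", "tcp", 80, "S"))
        recs.append((0.6 + i, "10.0.0.5", client, "tcp", 0, "SA"))
        recs.append((0.7 + i, client, "10.0.0.5", "tcp", 80, "A"))
    # Sixty bare SYNs from sixty different (spoofed) sources, never acknowledged.
    for i in range(60):
        recs.append((i * 0.15, f"203.0.113.{i + 1}", "10.0.0.5", "tcp", 80, "S"))
    # Echo replies from many hosts converge on one victim in the same window.
    for i in range(55):
        recs.append((i * 0.1, f"198.51.100.{i + 1}", "10.0.0.9", "icmp", 0, "echo-reply"))
    return recs


def alert_types(records):
    """Set of pattern names raised for the given records."""
    return {a["type"] for a in analyse(records)}


if __name__ == "__main__":
    for alert in analyse(sample_records()):
        print(alert)
```

The SYN rule deliberately compares SYNs with completing ACKs rather than counting SYNs alone, so that a busy but healthy server (many SYNs, nearly as many ACKs) is not flagged while a flood of spoofed SYNs that never complete is.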

