Denial of service attacks rarely result in data theft or the compromise of information.
Typically, a denial of service attack prevents an organization from using a network connection or a networked application such as e-mail. Even so, denial of service attacks cost companies money in lost productivity.
For example, interrupting access to a Web Server that receives hundreds of thousands of hits per day costs a company money in lost sales and advertising.
Let’s look at four common denial of service attacks: buffer overflow attacks, SYN attacks, teardrop attacks, and Smurf attacks.
When an attacker launches a buffer overflow attack, he or she overwhelms a network address with more packets than the physical interface can process. By design, a physical interface has a finite amount of temporary storage buffers allocated to accommodate the anticipated load. If the interface receives more data than it can process or has buffer capacity to temporarily store, data gets dropped. Continually flooding the interface with additional data makes it unavailable to legitimate traffic and access to services is denied.
By design, the Transmission Control Protocol (TCP) is a connection-oriented protocol and requires two endpoints to establish a connection. To initiate a connection, TCP uses a three-way handshake that begins by synchronizing the sequence numbers of the TCP data segments. Sequence numbers simply identify the order of TCP segments during the information exchange. If the CODE field of the TCP segment is encoded as a SYN segment, the communicating devices follow the protocol to synchronize their sequence numbers.
When an attacker initiates many connection requests in a very short amount of time, the requests consume finite buffer space. When the system fails to get a reply to its response, the request is resent with the same result. Many bogus requests tie up the interface, denying access to legitimate traffic.
The Internet Protocol (IP) fragments, or splits up, routed data packets when the next router cannot accommodate large packets. To aid in the correct reassembly of fragmented frames, an offset relative to the beginning of the first packet is recorded in the 16-bit FRAGMENT OFFSET field of the IP header. By placing a nonsensical value in the FRAGMENT OFFSET field, an attacker can cause a system crash if the system has no routine to handle the erroneous condition.
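As an added example (not code from the original article), the following Python check does what the paragraph's "routine to handle the erroneous condition" needs to do on the receiving side: it parses the 16-bit flags/fragment-offset word of each IPv4 header (3 flag bits plus a 13-bit offset counted in 8-byte units) and reports fragments that overlap earlier data, overrun the 65535-byte datagram limit, or leave the datagram incomplete. The build_fragment helper and the sample fragments are constructed here purely for illustration.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout
MAX_DATAGRAM = 65535


def parse_ipv4_fragment(packet: bytes) -> dict:
    """Extract the fields a reassembler needs: id, MF flag, byte range."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    more_fragments = bool(flags_off & 0x2000)   # MF bit
    offset = (flags_off & 0x1FFF) * 8           # 13-bit offset, 8-byte units
    payload_len = total_len - ihl
    return {"id": ident, "mf": more_fragments,
            "start": offset, "end": offset + payload_len}


def check_fragments(fragments) -> list:
    """Return a list of problems; an empty list means the set reassembles sanely."""
    parsed = sorted((parse_ipv4_fragment(p) for p in fragments),
                    key=lambda f: f["start"])
    problems, prev_end = [], 0
    for f in parsed:
        if f["end"] > MAX_DATAGRAM:
            problems.append(f"fragment at {f['start']} exceeds max datagram size")
        if f["start"] < prev_end:  # teardrop-style overlap with earlier data
            problems.append(f"fragment at {f['start']} overlaps previous data ending at {prev_end}")
        prev_end = max(prev_end, f["end"])
    if parsed and parsed[-1]["mf"]:
        problems.append("last fragment has MF set; datagram incomplete")
    return problems


def build_fragment(ident: int, offset_units: int, mf: bool, payload: bytes) -> bytes:
    """Constructed test helper: build a minimal IPv4 fragment (checksum left zero)."""
    flags_off = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                         64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload


if __name__ == "__main__":
    # Constructed sample: second fragment claims offset 8 inside the first's 24 bytes.
    teardrop = [build_fragment(2, 0, True, b"A" * 24), build_fragment(2, 1, False, b"B" * 8)]
    print(check_fragments(teardrop))
```

A production reassembler would additionally key fragments by (source, destination, protocol, id) and bound how long and how much buffer each pending datagram may hold, so that floods of never-completed fragments cannot exhaust memory.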
In a Smurf attack, an attacker sends an Internet Control Message Protocol (ICMP) echo request/reply, also called a PING. This PING message is broadcast to several host systems. The packet is also crafted to appear to be ‘From’ the target host. The target host then receives a flood of ping replies, which makes the spoofed host or interface inaccessible.
1. Harden vulnerable servers, especially those providing services to many or all of the hosts in your network. For example, DNS servers may be exploited. Consider the result of a DNS server receiving thousands of bogus requests for recursive lookups. Therefore, limit the devices for which your DNS servers perform
2. Block, then reroute, denial of service attacks. This requires preparing and configuring firewalls and Intrusion Prevention Systems to send malicious traffic to subnets designed to accept unwanted traffic.
3. Provide sufficient bandwidth to handle surges in traffic, and patch all servers and routers to thwart attacks involving fragmented packets.
4. Configure routers and servers to run only those services required to fulfill their role, and turn off unnecessary services. For example, if your server is not providing Domain Name Services, turn DNS off. If it is not an e-mail server, turn off SMTP.
5. Configure routers and firewalls to block IP addresses from sources identified as malicious in your system logs and reports.
6. Review your firewall and router security policies. Harden firewall rules and router access lists.