Introduction to Denial Of Service
In a previous post, I introduced you to the basic idea of a denial of service attack. We used real-life examples (a bus stop and an online game) to depict the idea behind a DOS attack, and we crashed our own Windows and Kali Linux machines (using a batch file and the command line respectively). Now it's time to learn how DOS attacks actually work, in terms of packets and other networking terms. So here is a one-by-one description of four of the well-known attacks.
Various methods of Denial Of Service attack
ICMP flooding (smurfing)
Before I go off explaining what the attack is, I'll first tell you about the packets.
[Image: Contents of an ICMP packet (should not bother you currently)]
ICMP packets have two purposes (technically):
- They are used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
- They are also used to relay query messages.
Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like "Destination unreachable". Pings use the ICMP packet.
While the packet as a whole allows us to directly attack the network by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP query packets to a network with a spoofed source IP (the source address is set to that of the target), and when the network replies to our packets, it replies to the spoofed IP, causing the target to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is tougher to detect than a normal direct ICMP attack, and the network serves as an amplifier (the larger the better), making the attack much stronger, since you have the power of many computers at your disposal instead of just one. If the target is flooded with enough packets, it loses its ability to respond to genuine packets, resulting in a successful Denial of Service attack.
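From the defender's side, the two flavours described above leave different traces: a direct flood is many echo requests from one source to one target in a short window, while a smurf shows up as echo requests aimed at a subnet's broadcast address (on the amplifier network) and as echo replies arriving at a host that never sent the matching requests (on the victim). The following added example, which is not code from the original post, runs those three checks over a constructed packet log. The log format, the thresholds, the /24 assumption for spotting broadcast addresses and all the addresses are made up for illustration.

```python
"""Added example: detect direct ICMP flood and smurf symptoms in a constructed log.
Log format, thresholds and addresses are assumptions made for this illustration."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample, loosely modelled on a one-line-per-packet capture summary:
# "<seconds> <src> -> <dst> <icmp message type>"
#  - 192.0.2.10 is the victim: its address is used as the spoofed source of
#    requests to the 192.0.2.255 broadcast, and replies from many hosts come back to it.
#  - 198.51.100.5 <-> 203.0.113.7 is an ordinary single ping and reply.
#  - 198.51.100.9 sends a burst of requests straight at 203.0.113.7 (direct flood).
SAMPLE_LOG = """\
0.00 192.0.2.10 -> 192.0.2.255 echo-request
0.01 192.0.2.10 -> 192.0.2.255 echo-request
0.02 192.0.2.10 -> 192.0.2.255 echo-request
0.03 192.0.2.21 -> 192.0.2.10 echo-reply
0.03 192.0.2.22 -> 192.0.2.10 echo-reply
0.03 192.0.2.23 -> 192.0.2.10 echo-reply
0.04 192.0.2.24 -> 192.0.2.10 echo-reply
0.50 198.51.100.5 -> 203.0.113.7 echo-request
0.51 203.0.113.7 -> 198.51.100.5 echo-reply
1.00 198.51.100.9 -> 203.0.113.7 echo-request
1.01 198.51.100.9 -> 203.0.113.7 echo-request
1.02 198.51.100.9 -> 203.0.113.7 echo-request
1.03 198.51.100.9 -> 203.0.113.7 echo-request
1.04 198.51.100.9 -> 203.0.113.7 echo-request
1.05 198.51.100.9 -> 203.0.113.7 echo-request
"""


def parse_log(text):
    """Turn the constructed log into (time, src, dst, kind) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, _arrow, dst, kind = line.split()
        records.append((float(t), src, dst, kind))
    return sorted(records)


def is_broadcast(addr, prefixlen=24):
    """Assumption: every network in the log is a /24, so x.y.z.255 is its broadcast."""
    net = ip_network(f"{addr}/{prefixlen}", strict=False)
    return ip_address(addr) == net.broadcast_address


def find_icmp_anomalies(records, window=1.0, flood_threshold=5, reflection_threshold=3):
    """Return the three kinds of finding described in the lead-in."""
    findings = {"direct_flood": [], "broadcast_request": [], "reflection": []}
    recent = defaultdict(deque)      # (src, dst) -> timestamps inside the sliding window
    flagged = set()                  # (src, dst) pairs already reported as a flood
    requested = defaultdict(set)     # host -> destinations it actually pinged
    repliers = defaultdict(set)      # host -> sources that sent it echo replies

    for t, src, dst, kind in records:
        if kind == "echo-request":
            requested[src].add(dst)
            # Smurf amplifier view: requests addressed to a broadcast address.
            if is_broadcast(dst) and (src, dst) not in findings["broadcast_request"]:
                findings["broadcast_request"].append((src, dst))
            # Direct flood: too many requests from one source to one target per window.
            q = recent[(src, dst)]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= flood_threshold and (src, dst) not in flagged:
                flagged.add((src, dst))
                findings["direct_flood"].append((src, dst))
        elif kind == "echo-reply":
            repliers[dst].add(src)

    # Victim view: replies from many distinct hosts the victim never pinged.
    for host, senders in repliers.items():
        unsolicited = senders - requested[host]
        if len(unsolicited) >= reflection_threshold:
            findings["reflection"].append((host, len(unsolicited)))
    return findings


if __name__ == "__main__":
    for name, hits in find_icmp_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

The reflection check is the one a victim can run on its own traffic; the broadcast check only works at the amplifier's border. The usual mitigation on the amplifier side is to stop answering pings sent to a broadcast address at all (on Linux, the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl, which is enabled by default on modern kernels) and to have routers drop directed broadcasts.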
SYN flooding
[Image: The three way handshake (that didn't happen in our case)]
In SYN flooding, the attacker sends the target a large number of TCP/SYN packets. These packets have a source address, and the target computer replies (with a TCP/SYN-ACK packet) to that source IP, trying to establish a TCP connection. Under normal conditions, the target receives an acknowledgement packet back from the source, and the connection is then in a fully open state. However, the attacker uses a fake source address while sending the TCP packets to the victim, so the target's reply goes to a nonexistent IP and therefore never produces an acknowledgement packet. The connection is never established, and the target is left with a half-open connection. Eventually, a lot of half-open connections pile up, and the target gets saturated to the point where it has no resources left to respond to genuine packets, resulting in a successful DOS attack. Also, since the half-open connections stay around for a while, the server remains unable to work for a good amount of time after the attack has stopped.
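The symptom of a SYN flood on the server is exactly what the paragraph describes: a pile of half-open connections (state SYN-RECV on Linux) from peers that never complete the handshake, dwarfing the number of established ones. The added example below, which is not from the original post, parses a constructed snippet of socket-table output loosely modelled on `ss -tan`, tallies half-open versus established connections per local port, and flags ports where half-open connections dominate. The sample output, the thresholds and the column positions are assumptions for this illustration.

```python
"""Added example: flag ports drowning in half-open TCP connections.
The sample table, thresholds and column layout are constructed for this illustration."""

# Constructed sample, loosely modelled on `ss -tan` output (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port). Port 80 has six SYN-RECV entries from six
# different peers and only one established connection; port 22 is healthy.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
SYN-RECV   0      0      198.51.100.7:80      203.0.113.11:40001
SYN-RECV   0      0      198.51.100.7:80      203.0.113.12:40002
SYN-RECV   0      0      198.51.100.7:80      203.0.113.13:40003
SYN-RECV   0      0      198.51.100.7:80      203.0.113.14:40004
SYN-RECV   0      0      198.51.100.7:80      203.0.113.15:40005
SYN-RECV   0      0      198.51.100.7:80      203.0.113.16:40006
ESTAB      0      0      198.51.100.7:80      192.0.2.50:51234
ESTAB      0      0      198.51.100.7:22      192.0.2.51:51235
TIME-WAIT  0      0      198.51.100.7:80      192.0.2.52:51236
"""


def parse_ss(text):
    """Return (state, local_port, peer_address) for every socket row; skip the header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        _laddr, lport = local.rsplit(":", 1)
        paddr, _pport = peer.rsplit(":", 1)
        rows.append((state, lport, paddr))
    return rows


def half_open_summary(rows):
    """Per local port: number of half-open and established sockets, plus the set of
    peers stuck in SYN-RECV (many distinct ones hint at spoofed sources)."""
    summary = {}
    for state, lport, paddr in rows:
        s = summary.setdefault(lport, {"syn_recv": 0, "estab": 0, "syn_peers": set()})
        if state == "SYN-RECV":
            s["syn_recv"] += 1
            s["syn_peers"].add(paddr)
        elif state == "ESTAB":
            s["estab"] += 1
    return summary


def flag_syn_flood(summary, min_half_open=5, ratio=2.0):
    """Flag ports with at least min_half_open half-open sockets that also outnumber
    established ones by the given ratio. Returns (port, half_open, distinct_peers)."""
    flagged = []
    for port, s in sorted(summary.items()):
        if s["syn_recv"] >= min_half_open and s["syn_recv"] > ratio * max(s["estab"], 1):
            flagged.append((port, s["syn_recv"], len(s["syn_peers"])))
    return flagged


if __name__ == "__main__":
    for port, half_open, peers in flag_syn_flood(half_open_summary(parse_ss(SAMPLE_SS))):
        print(f"port {port}: {half_open} half-open connections from {peers} distinct peers")
```

A ratio rather than a fixed count keeps a busy but healthy server from tripping the check. The standard kernel-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), which let the server answer a SYN without reserving a connection-table entry until the final ACK arrives, so spoofed SYNs no longer consume the resources the paragraph describes.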
Teardrop attack
First of all, a definition: "In computer networking, a mangled or invalid packet is a packet — especially an IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network." (source: Wikipedia)
Now in a teardrop attack, mangled IP packets are sent to the target. They are overlapping, oversized and loaded with payloads. Various operating systems had a bug in their TCP/IP fragmentation reassembly code: when the OS tries to reassemble the fragments it receives, the malformed fragments trigger the bug in the reassembly process, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack. This type of attack does not require much bandwidth on the attacker's side, and has a devastating effect on the targeted server.
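The fix for this class of bug is a reassembler that validates each fragment against what it has already accepted before copying any bytes. The added example below, which is not the original post's code nor any operating system's reassembly routine, is a small fragment validator in that spirit: it rejects a datagram whose fragments overlap, exceed the 65535-byte IPv4 maximum, leave holes, or disagree about which fragment is last. Fragments are represented as (byte offset, more-fragments flag, payload) tuples, a simplification of the real header where offsets count 8-byte units; the sample fragment sets are constructed for this illustration.

```python
"""Added example: a conservative IPv4 fragment validator that drops overlapping,
oversized or incomplete datagrams instead of trusting the fragment headers.
Byte offsets and the sample fragment sets are simplifications for this illustration."""

MAX_DATAGRAM = 65535  # largest IPv4 total length the 16-bit header field can express


class FragmentError(ValueError):
    """Raised when a fragment set is inconsistent and the datagram must be dropped."""


def reassemble(fragments):
    """fragments: iterable of (offset_bytes, more_fragments, payload).
    Returns the reassembled bytes, or raises FragmentError."""
    accepted = []        # (start, end) ranges already placed, half-open intervals
    buf = bytearray()
    total_len = None     # set by the fragment with more_fragments == False
    for offset, more, payload in sorted(fragments, key=lambda f: f[0]):
        start, end = offset, offset + len(payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at byte {end}, beyond {MAX_DATAGRAM}")
        # Overlap check before any copy: this is the case the paragraph describes,
        # where a fragment lands inside or across one already received.
        for a, b in accepted:
            if start < b and a < end:
                raise FragmentError(f"fragment [{start},{end}) overlaps [{a},{b})")
        if not more:
            if total_len is not None:
                raise FragmentError("two fragments claim to be the last one")
            total_len = end
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = payload
        accepted.append((start, end))
    if total_len is None:
        raise FragmentError("last fragment never arrived")
    if sum(b - a for a, b in accepted) != total_len:
        raise FragmentError("fragments leave holes or extend past the declared end")
    return bytes(buf[:total_len])


def check_datagram(fragments):
    """Wrapper returning ("ok", data) or ("dropped", reason) so callers never crash."""
    try:
        return ("ok", reassemble(fragments))
    except FragmentError as err:
        return ("dropped", str(err))


# Constructed fragment sets.
GOOD_FRAGMENTS = [(0, True, b"A" * 8), (8, True, b"B" * 8), (16, False, b"C" * 4)]
OVERLAPPING_FRAGMENTS = [(0, True, b"A" * 24), (8, False, b"B" * 8)]   # second sits inside first
OVERSIZED_FRAGMENTS = [(65528, False, b"X" * 16)]                       # runs past 65535
HOLEY_FRAGMENTS = [(0, True, b"A" * 8), (16, False, b"C" * 4)]          # bytes 8..15 missing

if __name__ == "__main__":
    for name, frags in [("good", GOOD_FRAGMENTS), ("overlapping", OVERLAPPING_FRAGMENTS),
                        ("oversized", OVERSIZED_FRAGMENTS), ("holey", HOLEY_FRAGMENTS)]:
        print(name, check_datagram(frags))
```

Rejecting every overlap is stricter than the protocol requires (a host may legitimately let a later fragment overwrite part of an earlier one), but it is the simplest rule that cannot be talked into a bad copy by crafted offsets, and it is the policy many firewalls apply when they normalise fragments before forwarding them.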
Botnets
[Image: A small botnet]
Now, this is not an attack as such; rather, it is a way of carrying out the attacks more effectively. When carried out against a large server, the above attacks usually prove ineffective. Your home router is nothing when compared to the HUGE servers that big websites have, and handling a single PC's DOS effect can be a piece of cake. This leads to the need for a Distributed Denial of Service attack. In a distributed denial of service, hacking groups use their numbers as strength. For example, if you have 500 friends who know how to carry out a denial of service attack, then the combined impact is much more dangerous than that of a lone PC. However, it is not always possible to have 500 hackers next door, and not all of us are part of large black hat hacking organisations.
[Image: Try not to end up like this]
This is where botnets step in. The bad guys use tools called RATs (remote administration tools) to infect and get total control over computers across the internet. RATs are a kind of trojan, and one can sit on your PC without you ever finding out. By the use of crypting, some hackers have mastered anti-virus evasion, and these RATs can lie undetected on your PC for years.
This is 100% illegal. You can easily end up in jail for this, and I recommend that you stay away from it. But it's important that you are aware of the existence of such tools and, more importantly, of what the hackers can do with them. Now let's assume you made a RAT and it has infected 10,000 people. You can actually control those 10,000 computers. Now there's this website server that you don't like, and you're this badass hacker who takes down stuff he doesn't like. No, you don't have a warehouse full of networking power (servers), but you do have ten thousand computers at your disposal, and this is called a botnet. You also have 5 friends who are hackers and have similarly sized botnets. Such immense networking power can easily take down a large website for hours, if not days. The result of flooding packets from 50,000 computers can be catastrophic. With modern-day firewalls, it is almost impossible to flood servers and take them down using a single computer, so while botnets are the most unethical entities, they are also the most powerful.
Now here is a suggestion: Denial of Service attacks are easy to trace back (if you are a beginner), and even if you are good, there is always someone better, and you can't hide forever. So try not to send bad packets at random websites; you won't look good in orange.