Most network administrators who run web-facing servers spend a lot of their time defending, protecting and patching against network attacks. These can be extremely time-consuming to combat, and some of the worst to deal with are denial of service attacks. Although these are usually relatively primitive attacks, the problem is that they are easy to orchestrate and very difficult to trace back to the originator. One of the biggest problems is that the attacker rarely needs a valid connection to its victim, which makes finding the source very difficult indeed.
A Denial of Service (DoS) attack is any type of attack which disrupts the operation of a computer so that genuine users can no longer gain access to it. DoS attacks are achievable against most network equipment, including switches, hosting servers, firewalls and remote access computers, as well as just about every other network resource. A DoS attack can be specific to a service, for example an FTP attack, or can target an entire machine. The forms of DoS are varied and wide-ranging, but they can be split into two distinct classifications that matter for intrusion detection: resource depletion and malicious packet attacks.
Malicious packet DoS attacks work by sending abnormal traffic to a host in order to cause the service, or the host itself, to crash. Crafted packet DoS attacks succeed when software is not correctly coded to handle uncommon or unusual traffic; out-of-specification traffic can often cause software to behave unexpectedly and crash. Attackers can use crafted packet DoS attacks to bring down IDSs, even Snort. A specifically crafted tiny ICMP packet with a size of 1 was discovered to cause Snort v1.8.3 to core dump. That version of Snort did not properly define the minimum ICMP header size, which made the DoS possible.
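As an added example (not code from the original post or from Snort), here is a small ICMP decoder that performs the minimum-header-size check the text says was missing in Snort 1.8.3: the length test and a checksum test both run before any header field is read, so the 1-byte ICMP message from the text is rejected rather than decoded. The sample packets are constructed inline.

```python
import struct

ICMP_MIN_HDR = 8  # type(1) + code(1) + checksum(2) + rest-of-header(4), per RFC 792


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (zero-pad an odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(payload: bytes) -> tuple[int, int, bytes]:
    """Return (type, code, rest-of-header) or raise ValueError.
    Both checks run BEFORE any field is accessed, so a truncated or corrupted
    message never reaches the field decoding below."""
    if len(payload) < ICMP_MIN_HDR:
        raise ValueError(f"ICMP header too short: {len(payload)} < {ICMP_MIN_HDR}")
    if icmp_checksum(payload) != 0:         # a valid message sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum = struct.unpack("!BBH", payload[:4])
    return icmp_type, code, payload[4:8]


def inspect(payload: bytes) -> str:
    """Decoder front end: 'ok: ...' for a well-formed message, 'drop: ...' otherwise."""
    try:
        icmp_type, code, _rest = parse_icmp(payload)
    except ValueError as exc:
        return f"drop: {exc}"
    return f"ok: type={icmp_type} code={code}"


def build_echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    """Constructed sample: a well-formed ICMP echo request with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]


# Constructed samples: a valid ping, the 1-byte ICMP message from the text,
# and the valid ping with one header byte flipped in transit.
GOOD = build_echo_request(0x1234, 1)
TRUNCATED = b"\x08"
CORRUPTED = GOOD[:4] + b"\xff" + GOOD[5:]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("truncated", TRUNCATED), ("corrupted", CORRUPTED)):
        print(f"{name:10s} {inspect(pkt)}")
```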
These attacks are commonly launched from hijacked computers; it is relatively easy to build up a large network of compromised computers, and there are also networks available for hire. These computers can obviously be traced, but their owners are usually unaware of the role their servers or PCs have played. Additionally, skilled attackers will route through a network of proxies and VPNs hidden behind residential IP address providers, such as those described in this post.
Along with out-of-spec traffic, malicious packets can contain payloads which cause a system to crash. A packet's payload is taken as input directly into a service; if that input is not properly validated, the application can be DoSed. The Microsoft FTP DoS attack demonstrates the wide variety of DoS attacks readily available to black hats in the wild. The first step in the attack is to establish a genuine FTP connection. The attacker then issues a command containing a wildcard sequence (such as * or ?). Within the FTP server, the feature that handles wildcard patterns in FTP commands does not allocate sufficient memory when performing the pattern matching, so an attacker's command incorporating a wildcard pattern can cause the FTP service to crash. This DoS and the Snort ICMP DoS are two illustrations of the many thousands of possible DoS attacks readily available.
The other method of denying service is resource depletion. A resource depletion DoS attack works by saturating a service with so much normal traffic that legitimate users cannot access it. An attacker flooding a service with regular traffic can exhaust finite resources such as bandwidth, memory and processor cycles. A classic memory exhaustion DoS is the SYN flood, which takes advantage of the TCP three-way handshake. The handshake starts with the client sending a TCP SYN packet; the host responds with a SYN-ACK; the handshake is completed when the client responds with an ACK. If the host never receives the returning ACK, it sits idle and waits with the session open. Each open session consumes a certain amount of memory, so if enough three-way handshakes are started, the host consumes all available memory waiting for ACKs. The traffic generated by a SYN flood is normal in appearance. Most servers today are configured to leave only a certain number of TCP connections open in this state. Another classic resource exhaustion attack is the Smurf attack.
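As an added example, not code from the original post, this script models the server-side table of half-open handshakes the paragraph describes: every SYN that is answered with a SYN-ACK but never completed by an ACK holds an entry, the table has a cap (the "certain number of TCP connections" a server leaves open) and a timeout, and a constructed burst of 150 spoofed SYNs shows the flood filling the table, a legitimate client being refused while it is full, and the same client succeeding once the stale entries are reaped. The cap, timeout and addresses are assumptions, not values from the post.

```python
from collections import OrderedDict, namedtuple

# Assumed limits (not from the original post): cap on half-open entries and
# how long an unanswered SYN-ACK is kept before its entry is reaped.
HALF_OPEN_CAP = 128
HALF_OPEN_TIMEOUT = 30.0  # seconds
# One observed TCP event; flag is "SYN" (client's first packet) or "ACK" (third packet).
Event = namedtuple("Event", "ts src sport flag")


class HalfOpenTable:
    """Server-side table of handshakes that were sent a SYN-ACK but have seen no ACK."""

    def __init__(self, cap=HALF_OPEN_CAP, timeout=HALF_OPEN_TIMEOUT):
        self.cap, self.timeout = cap, timeout
        self.pending = OrderedDict()   # (src, sport) -> time of the SYN, oldest first
        self.dropped_syns = 0          # SYNs refused because the table was full
        self.completed = 0             # handshakes that reached ESTABLISHED

    def _reap(self, now):
        """Expire entries whose SYN-ACK has gone unanswered for too long."""
        while self.pending:
            _key, ts = next(iter(self.pending.items()))
            if now - ts < self.timeout:
                break
            self.pending.popitem(last=False)

    def feed(self, ev):
        self._reap(ev.ts)
        key = (ev.src, ev.sport)
        if ev.flag == "SYN":
            if len(self.pending) >= self.cap:
                self.dropped_syns += 1     # memory for half-open state exhausted
                return "drop"
            self.pending[key] = ev.ts
            return "syn-ack"
        if ev.flag == "ACK" and key in self.pending:
            del self.pending[key]
            self.completed += 1
            return "established"
        return "ignore"


def simulate() -> dict:
    """Constructed scenario: 150 SYNs from spoofed 203.0.113.x sources within one
    second that are never ACKed, then a real client that retries after the timeout."""
    table = HalfOpenTable()
    events = [Event(i / 150, f"203.0.113.{i % 254 + 1}", 40000 + i, "SYN")
              for i in range(150)]
    events += [Event(2.0, "198.51.100.7", 5555, "SYN"),    # refused: table is full
               Event(40.0, "198.51.100.7", 5555, "SYN"),   # retry after reaping
               Event(40.1, "198.51.100.7", 5555, "ACK")]
    results = [table.feed(ev) for ev in events]
    return {"dropped_syns": table.dropped_syns, "completed": table.completed,
            "still_pending": len(table.pending),
            "legit_first_try": results[150], "legit_retry": results[152]}
```

Only 128 of the 150 flood SYNs fit in the table; the remaining 22, plus the real client's first attempt, are refused, and the client only connects after the 30-second reaping clears the flood's entries.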
A Smurf attack works by taking advantage of open network broadcast addresses. A broadcast address forwards all packets to every host on the destination subnet, and every host on that subnet responds to the source address specified in the traffic sent to the broadcast address. An attacker transmits a stream of ICMP echo requests (pings) to a broadcast address, which has the effect of amplifying a single ICMP echo request up to 250 times. In addition, the attacker spoofs the source address so that the target receives all the ICMP echo reply traffic. An attacker with a 128 Kb/s DSL connection can produce a 32 Mb/s Smurf flood. DoS attacks commonly use spoofed IP addresses because the attack succeeds even if the answer is misdirected. The attacker requires no reply and, in cases like the Smurf attack, wants at all costs to avoid receiving a response. This makes DoS attacks difficult to defend against, and even tougher to trace.
Further Reference: http://bbciplayerabroad.co.uk/how-do-i-get-bbc-iplayer-in-france/