Denial of Service Attacks
DoS attacks are not aimed at gaining access to a network or the information on a network but rather at making a service or a network unavailable to legitimate users. DoS attacks fall into two general categories:
- Nondistributed denial of service
These attacks are directed against a specific service such as Telnet, FTP, or some other service.
- Distributed denial of service (DDoS)
These attacks are directed at a specific host or network with the aim of preventing access to the target by consuming all of the bandwidth to the target.
Nondistributed Denial of Service Attacks
DoS attacks against specific services such as web, FTP, or Telnet services are typically accomplished by acquiring and keeping open all available connections to the service. This approach exploits weaknesses in network architecture and network protocols rather than a software bug. Another method commonly used in DoS attacks is one that causes the service to terminate, for example through a buffer overflow against the BIND named process. DoS attacks include such notables as ICMP ping floods, TCP SYN floods, and the Ping of Death attack.
The TCP SYN flood attack is a DoS attack that is used to open a large number of half-open TCP connections to the target. Half-open TCP connections are ones where the initial SYN packet has been sent to the target, which then responds with the appropriate SYN-ACK packet. The connection remains in a "half-open" state because the final ACK packet from the originating system to the target has not been sent. This leaves the connection in a pending state on the target, which must wait for the TCP connection timer to expire before deleting the connection entry from the TCP state table. During a TCP SYN flood, TCP SYN packets are sent to the target system, which then responds with SYN-ACK packets. The attacker does not send back the necessary ACK packets to the target but keeps sending new SYN packets until the TCP SYN queue on the host becomes filled. Once filled, the target can no longer accept any more TCP connections until some of the TCP SYN connections in the queue age out.
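The following is an added illustration, not code from the book: a small model of a listener's half-open state table that replays a constructed packet trace, showing the SYN queue filling, a legitimate client being refused, and the entries aging out. The queue size, timeout, and addresses are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass, field

SYN_QUEUE_SIZE = 4   # assumed backlog limit of the listening socket
SYN_TIMEOUT = 30.0   # assumed seconds before a half-open entry ages out


@dataclass
class Listener:
    # Half-open state table of one listening port: (src_ip, src_port) -> time of SYN
    half_open: dict = field(default_factory=dict)
    established: int = 0
    rejected: int = 0

    def expire(self, now):
        """Age out entries whose connection timer has run past SYN_TIMEOUT."""
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < SYN_TIMEOUT}

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.half_open) >= SYN_QUEUE_SIZE:
            self.rejected += 1
            return "dropped"      # queue full: new SYNs are discarded (no SYN cookies modelled)
        self.half_open[src] = now
        return "syn-ack"          # target replies; entry stays half-open until ACK or timeout

    def on_ack(self, src, now):
        self.expire(now)
        if src not in self.half_open:
            return "ignored"      # no pending handshake for this source
        del self.half_open[src]
        self.established += 1
        return "established"


def run_trace(trace):
    """Replay (time, kind, src) packets; return the listener and per-packet outcomes."""
    lst, out = Listener(), []
    for now, kind, src in trace:
        out.append(lst.on_syn(src, now) if kind == "SYN" else lst.on_ack(src, now))
    return lst, out


# Constructed trace: four SYNs that never complete, then a legitimate client
# that is refused at t=5 and succeeds only after the flood entries age out.
FLOOD_TRACE = [(float(t), "SYN", ("203.0.113.%d" % t, 40000 + t)) for t in range(4)] + [
    (5.0, "SYN", ("198.51.100.7", 51000)),
    (5.1, "ACK", ("198.51.100.7", 51000)),
    (35.0, "SYN", ("198.51.100.7", 51000)),
    (35.1, "ACK", ("198.51.100.7", 51000)),
]

if __name__ == "__main__":
    listener, outcome = run_trace(FLOOD_TRACE)
    print(outcome, "established:", listener.established, "rejected:", listener.rejected)
```

A real stack that enables SYN cookies would still answer the legitimate SYN at t=5 instead of dropping it, which is why that mitigation is commonly recommended against this attack.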
Distributed Denial of Service Attacks
DDoS attacks attempt to inflict damage by flooding the network or the host with useless and undesired traffic. In this type of attack, the attacker gains control of hosts on networks other than the target and installs software on those hosts to control them. Typically, these hosts are referred to as zombies, slaves, or agents. The hosts that sit between the attacker's computer and the agents are known as handlers or masters. The attacker may have introduced this additional layer to make it harder to track the DDoS system back to the controlling attacker. The attacker's main host is used to direct the handlers to send traffic that instructs the agents to attack a specific target. By coordinating the agents in a single attack, the attacker is able to increase the amount of traffic in the overall attack and potentially overwhelm the target. This type of attack is shown in Figure 6-2.
Figure 6-2. DDoS Attack
