This section covers basic info regarding "Denial of Service".
Denial of Service (DoS) is simply rendering a service offered by a workstation or server unavailable to others. This is a controversial subject, since some people think that DoS is not a hack, or rather juvenile and petty. While I can't think of very many reasons why you might want to engage in DoS, I still will continue to include this type of material in the Hack FAQ. What is more sad -- the fact that I include them, or the fact that there are so many of them?
Regardless of your feelings, DoS has been steadily gaining in popularity, be it hackers mad at other hackers, sys admins mad at spammers, or whatever -- virtually everyone I've run into that is aware of the potential of DoS at least has software to do it, admins included.
Reasons that a hacker might want to resort to DoS might include the following:
Reasons that a Sys Admin might use DoS:
The Ping of Death is an oversized ICMP packet sent by a workstation to a target. The target receives the ping in fragments and starts reassembling the packet. However, once reassembled, the packet is larger than the receive buffer and overflows it. This causes unpredictable results, such as reboots or system hangs.
Windows 95 and Windows NT are capable of sending such a packet. By simply typing in "ping -165527 -s 1 target" you can send such a ping. There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available on the Internet.
Most systems have patches available to prevent Ping of Death from working. However it is still included here for historical reasons, as the Ping of Death helped get the whole DoS craze really going, as it was so easy to perform.
In the TCP/IP protocol, a three way handshake takes place as a service is connected to. First comes a SYN packet from the client, to which the service responds with a SYN-ACK. Finally the client responds to the SYN-ACK and the conversation is considered started.
A SYN Flood attack is when the client never responds to the SYN-ACK, tying up the service until the half-open connection times out, while continuing to send more SYN packets. The source address of the client is forged to a non-existent host, so the SYN-ACKs are never answered, and as long as SYN packets arrive faster than the TCP stack's timeout clears them, the resources of the service will stay tied up.
This is a simplified version of what exactly happens. For more elaborate details and sample Linux code for creating a flood, see Phrack 48 file 13 by daemon9.
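As an added illustration (not from the FAQ or from the Phrack article) of why the SYN arrival rate versus the stack's timeout decides the outcome, here is a small Python model of a listener's half-open queue; the backlog size, timeout and rates are assumed values, and the forged source addresses are constructed.

```python
# Constructed model of a listening socket's half-open (SYN_RECV) queue.
# Backlog and timeout values are assumptions, not any real stack's defaults.
class HalfOpenQueue:
    def __init__(self, backlog, timeout):
        self.backlog = backlog    # max pending entries awaiting the final ACK
        self.timeout = timeout    # seconds before an unanswered SYN-ACK is discarded
        self.pending = {}         # src address -> time the SYN-ACK was sent
        self.dropped = 0          # SYNs refused because the queue was full

    def _expire(self, now):
        # The stack's timeout is the only thing that frees a forged entry.
        for src, sent in list(self.pending.items()):
            if now - sent >= self.timeout:
                del self.pending[src]

    def on_syn(self, src, now):
        self._expire(now)
        if src in self.pending:
            return True           # retransmitted SYN keeps its existing slot
        if len(self.pending) >= self.backlog:
            self.dropped += 1
            return False          # no SYN-ACK: the client cannot connect
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        self._expire(now)
        return self.pending.pop(src, None) is not None  # handshake completes


def fill_rate(backlog, timeout):
    """SYNs per second above which forged entries are added faster than they expire."""
    return backlog / timeout


def simulate(syn_rate, backlog, timeout, seconds):
    """Each second: syn_rate SYNs from distinct forged (never-answering) sources,
    then one legitimate client that does complete the handshake.
    Returns (legit_connected, legit_refused)."""
    q = HalfOpenQueue(backlog, timeout)
    ok = refused = 0
    n = 0
    for now in range(seconds):
        for _ in range(syn_rate):
            q.on_syn(f"forged-{n}", now)   # spoofed address, SYN-ACK goes nowhere
            n += 1
        client = f"client-{now}"
        if q.on_syn(client, now) and q.on_ack(client, now):
            ok += 1
        else:
            refused += 1
    return ok, refused
```

With a backlog of 128 and a 4-second timeout, 20 SYN/s leaves every legitimate client connecting, while 40 SYN/s (above the 32/s fill rate) locks the service out after the first few seconds.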
Most others involve ICMP packets (re: ping) and creating massive floods of traffic, or other packet malformations. Search the net for winnuke, smurf, or teardrop for more details, or visit one of the many sites dedicated to providing such tools, such as WarForge (http://www.warforge.com/) or the DoS section of Packetstorm (http://packetstorm.securify.com/DoS/).
New DoS attacks are fairly easy to discover. Flooding any service or system with malformed or excessive packets and observing the behavior will tell you if you've discovered something interesting. It is advised that you test this kind of thing against home systems or cooperating friends until you've perfected your techniques. Often it is easy to trace the source of such attacks, especially if you launch them from your home system without IP forgery, and as DoS is illegal against systems you don't have permission to attack you might want to be careful.
Distributed DoS attacks are an interesting new phenomenon. The premise goes like this:
There are already several such tools available, such as Trinoo, TFN2K, and stacheldraht. Look for them on Packetstorm (http://packetstorm.securify.com/distributed/).
Good question.
Oh, you want an answer? Okay. Well it often isn't easy to defend against attacks, but there are a few things you can do. For defending against your Ping of Death style of attacks (malformed packets that crash a service or the system itself), the best line of defense is to keep yourself patched up, or to put a firewall between yourself and the Internet that is patched up. This really is the best method.
As far as bandwidth stealing attacks, such as floods, there is not a lot you can do. Packetstorm ran a contest that posed this question for distributed attacks, and several of the concepts in the submitted papers can be applied across the board to any DoS attack. The best papers included: