Denial of Service
-----------------

 4.1 What is "Denial of Service"?

Denial of Service (DoS) is the act of rendering a computer or a service on a 
computer inaccessible to others. While this can be accidental (ask any 
experienced sys admin), the focus for the Hack FAQ is the intentional rendering
of systems or services inaccessible.

Most experienced hackers consider DoS fairly lame, but many (including myself)
continue to develop and devise just such attacks. Maybe I should say most 
experienced hackers consider *launching* a DoS attack fairly lame ;-)

There are several types of DoS. They can be divided into several categories
(and yes I chose the categories, hey it's my FAQ):

        - File corruption or deletion
        - Crashing or flooding a service on a computer
        - Crashing or flooding an entire computer
        - Flooding a network to use up all the bandwidth
        - Misuse of a normal feature to deny access

File corruption or deletion is just what is stated -- denial of user access
to their data, either by deleting the data or by deleting the utilities (or their
configuration files) that can access the data. Corrupting or deleting certain
system files can also render general access to the computer inoperative.

Crashing or flooding a service on a computer involves either causing a service
to stop functioning or tying up the resources that service uses so no other
user can use it. For example, sending too much data to an ftp daemon during the
login process so that it crashes, or opening dozens of ftp connections until
you have all ftp connections in use, denying anyone else legitimate access.

Crashing or flooding an entire computer involves crashing a service that 
subsequently crashes the entire system or by flooding a computer tying up a
subsystem, such as TCP/IP, to the point that no one can access *anything* on the
computer. The main difference (in my mind) between this and the previously mentioned
DoS category is that crashing or flooding a service can usually be corrected by
stopping and/or restarting the affected service, whereas an entire reboot is
often required to correct attacks that affect the entire computer. This category
also includes causing a single service to hog all the available CPU power or
available memory where a reboot is required to recover completely, or where it
renders all other functions on the system basically useless.

Flooding a network to use up all the bandwidth is a very popular category. By
using amplifiers or distributed attack techniques, flooding a target with packets
until no one else can get through is a very effective and dramatic attack. Amplifiers
are typically methods of sending one packet to an address that echoes back with
dozens of reply packets (and forging that single packet with the IP address of 
your victim). Some routers and other network devices when pinged at the broadcast
address will echo back for every device on the broadcast's subnet. Sending hundreds
of packets per second to this broadcast address will create thousands of packets.
Distributed attacks involve compromising say a hundred computers, and from a single
command console sending the command to cause these hundred computers to start
flooding a single target. These types of techniques, while remarkably 
unsophisticated and very similar to some of the other DoS attacks already discussed,
are the type of attack that makes the headlines, especially when the targets are
high profile (like Amazon or Yahoo).
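As an added illustration (not code from the FAQ), the following Python flags the precondition for the broadcast amplifier described above: ICMP echo requests addressed to a subnet's directed-broadcast address, which a hardened router or host should drop rather than answer. The subnets and packet summaries are constructed sample values.

```python
import ipaddress
from collections import Counter

# Subnets this router serves (constructed example values).
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Constructed packet summaries: (src, dst, proto, icmp_type).
# ICMP type 8 is an echo request; icmp_type is None for non-ICMP packets.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.255", "icmp", 8),      # echo request to /24 broadcast
    ("203.0.113.7", "192.0.2.10", "icmp", 8),       # ordinary ping to one host
    ("203.0.113.7", "198.51.100.127", "icmp", 8),   # echo request to /25 broadcast
    ("203.0.113.7", "198.51.100.127", "tcp", None), # not ICMP at all
    ("203.0.113.7", "192.0.2.255", "icmp", 0),      # echo reply, not a request
]

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of LOCAL_SUBNETS."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)

def amplifier_probes(packets):
    """Return the packets a hardened network should drop rather than answer:
    ICMP echo requests aimed at a directed-broadcast address.  Every host on
    the subnet would otherwise reply to the (forged) source address."""
    return [p for p in packets
            if p[2] == "icmp" and p[3] == 8 and is_directed_broadcast(p[1])]

def likely_victims(packets):
    """Count flagged probes per source address.  Because the source of such a
    probe is forged, it names the victim of the flood, not the attacker."""
    return Counter(p[0] for p in amplifier_probes(packets))
```

The same check is what disabling directed broadcasts on a router enforces in hardware; this version is useful for reviewing captured traffic after the fact.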

Misuse of a normal feature to deny access is fairly interesting. This final category
involves denying access by abusing built-in services, typically security services.
For example, if the administrator account has a lockout feature after 3 bad password
guesses, repeatedly causing the administrator account to get locked out will keep
the real administrator from logging in. If a system is configured to kill the 
connection to a service if it receives DoS attempts from that connection, forging
the address of DoS packets with the administrator's address could cause the server
to kick the administrator from the server. An Intrusion Detection System (IDS) that
automatically reconfigures the router or firewall to block the source of an attack
could be abused by forging attack packets with the address of a trusted business
partner or important customer, denying that business partner or customer access to
the system.
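The account-lockout case above, as an added example (not from the FAQ): a lockout counted per account alone lets anyone lock the administrator out, while counting failures per (account, source address) confines the damage to the address doing the guessing. Threshold, account name and addresses are constructed.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the "3 bad password guesses" threshold from the FAQ's example

class AccountLockout:
    """Weak policy: failed guesses are counted per account no matter where they
    come from, so anyone who knows the admin's username can lock the admin out."""
    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, account, source):
        self.failures[account] += 1

    def is_locked(self, account, source):
        return self.failures[account] >= MAX_FAILURES


class SourceScopedLockout:
    """Hardened policy: failed guesses are counted per (account, source) pair, so
    a burst of bad guesses from one address locks out only that address and the
    real administrator can still log in from elsewhere."""
    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, account, source):
        self.failures[(account, source)] += 1

    def is_locked(self, account, source):
        return self.failures[(account, source)] >= MAX_FAILURES


def admin_locked_out_after_attack(policy, attacker="203.0.113.7", admin="192.0.2.10"):
    """Constructed scenario: the attacker burns MAX_FAILURES bad guesses against
    'administrator', then the real admin tries from the console address.
    Returns whether the admin is refused."""
    for _ in range(MAX_FAILURES):
        policy.record_failure("administrator", attacker)
    return policy.is_locked("administrator", admin)
```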

 4.2 Why launch a DoS attack if it is so lame?

I have given these reasons before and will give them again. Yes, DoS is lame but
here you have it.

Reasons that a hacker might want to resort to DoS might include the following: 

 - A trojan has been installed, but a reboot is required to activate it. 
 - A hacker wishes to cover their tracks VERY DRAMATICALLY, or cover CPU activity
   with a random crash to make the site think it was "just a fluke". 
 - The hacker isn't a hacker at all, but a pissed off lamer who has a poor outlook
   and too much free time. 
 - The hacker is acting out of the need (or delusion) that the DoS serves a greater
   good, such as a DoS attack on Pro Life sites by Pro Choice hacker believers. 

Reasons that a Sys Admin might use DoS: 

 - A Sys Admin may want to ensure that their site is NOT vulnerable by testing out
   the latest patch. 
 - A Sys Admin has a runaway process on a server causing problems and cannot
   physically access the box (I have officially done this twice now). 
 - The Sys Admin isn't a Sys Admin at all, but a pissed off lamer who has a poor
   outlook and too much free time. 

 4.3 What is the Ping of Death?

The Ping of Death is an over-sized ping packet that is broken into fragments when
sent, but is an illegal size when reassembled at the target. Depending upon
the exact overage of the size and recipient platform, it caused crashes and TCP/IP
problems galore. The key word there is *caused*. Most modern operating systems
have been patched to prevent crashing. PoD is listed here as it is an excellent
example of a programming problem -- no one ever anticipated receiving an ICMP
echo packet larger than the legal size, so no one ever programmed their IP stacks
to handle it.
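The missing check, as an added model (not code from the FAQ or from any real IP stack): each fragment carries an offset in 8-byte units and a payload, and an IPv4 datagram may not exceed 65535 bytes including its header. The unpatched stacks copied every fragment to its offset without confirming the result fits; the fix is to check before copying. Fragment sizes below are constructed.

```python
MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, header included (RFC 791)
IP_HEADER_LEN = 20

def make_fragments(payload_len, frag_payload=1480):
    """Split a payload of payload_len bytes into IP-style fragments:
    (offset in 8-byte units, more-fragments flag, payload)."""
    frags, offset = [], 0
    while offset < payload_len:
        n = min(frag_payload, payload_len - offset)
        frags.append((offset // 8, offset + n < payload_len, b"\x00" * n))
        offset += n
    return frags

def overflow_if_unchecked(frags):
    """Models the unpatched behaviour: a reassembly buffer sized for the largest
    legal datagram, with each fragment copied to offset*8 without checking that
    it fits.  Returns how many bytes would be written past the end of the buffer
    (0 for any legal datagram); in a C stack that is the memory corruption."""
    buf_size = MAX_IP_DATAGRAM - IP_HEADER_LEN
    overflow = 0
    for off8, _more, payload in frags:
        overflow = max(overflow, off8 * 8 + len(payload) - buf_size)
    return overflow

def reassemble_checked(frags):
    """Hardened reassembly: reject any fragment whose end would push the
    reassembled datagram past MAX_IP_DATAGRAM, before copying anything.
    Returns the reassembled payload length on success."""
    buf = bytearray()
    for off8, _more, payload in frags:
        start = off8 * 8
        if IP_HEADER_LEN + start + len(payload) > MAX_IP_DATAGRAM:
            raise ValueError("fragment would exceed maximum datagram size")
        if len(buf) < start + len(payload):
            buf.extend(b"\x00" * (start + len(payload) - len(buf)))
        buf[start:start + len(payload)] = payload
    return len(buf)

def accepts(frags):
    """True if the hardened reassembler accepts the datagram."""
    try:
        reassemble_checked(frags)
        return True
    except ValueError:
        return False

# Constructed inputs: a normal 1000-byte ping payload and an oversized one.
LEGAL_PING = make_fragments(1000)
PING_OF_DEATH = make_fragments(65528)  # 20-byte header + 65528 > 65535
```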

 4.4 What is a SYN Flood?

A SYN Flood is a flood where all 

 4.5 Are there other types of floods?

 