This section covers basic info regarding Denial of Service attacks.
DoS (Denial of Service) is simply rendering a service incapable of responding to requests in a timely manner. This is a controversial subject, since some people think that DoS is not a hack, and/or is rather juvenile and petty. We prefer to think of them as just one more kind of tool in the toolbox, and as such, will continue to include material on them in the Hack FAQ. Ask yourself which is more alarming - the number of kids trying DoS attacks, or the number of DoS attacks that succeed?
Regardless of your feelings, DoS has been steadily gaining in popularity, whether with hackers mad at other hackers, sysadmins mad at spammers, or whatever - virtually everyone we've run into that is aware of the potential of DoS at least has software to do it, admins included.
Reasons that a hacker might want to resort to DoS might include the following:
Reasons that a sysadmin might use DoS:
The Ping of Death is a large ICMP packet. The target receives the ping in fragments and starts reassembling the packet. However, due to the size of the packet once it is reassembled, it is too big for the buffer and overflows it. This causes unpredictable results, such as reboots or system hangs.
Windows NT is capable of sending such a packet. By simply typing in "ping -165527 -s 1 target" you can send such a ping. There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available.
Most systems have patches available to prevent the Ping of Death from working. However, it is still included here for historical reasons, as the Ping of Death helped get the whole DoS craze really going, since it was so easy to perform.
In the TCP/IP protocol, a three-way handshake takes place as a connection to a service is established. First, in a SYN packet from the client, to which the service responds with a SYNACK. Finally, the client responds to the SYNACK and the connection is considered established.
A SYN Flood attack is when the client does not responsd to the service's SYNACK and continues to send SYN packets, tying up the service until the handshake times out. The source address of the client is forged to a non-existant host, and as long as the SYN packets are sent faster than the timeout rate of the service host's TCP stack, the service will be unable to establish new connections..
This is only a simplified version of what happens, though. For more elaborate details and sample Linux code for creating a flood, read Project Neptune.
Most others involve ICMP packets (such as used in 'ping') to create massive floods of traffic, or other packet malformations. Search for winnuke, smurf, or teardrop for more details, or visit one of the many sites dedicated to providing such tools, such as Packetstorm.
Distributed DoS attacks are an interesting phenomena. The premise goes like this:
There are already several such tools available, such as Trinoo, TFN2K, and stacheldraht. Look for them on Packetstorm.
New DoS attacks are fairly easy to discover. Flooding any service or system with malformed or excessive packets and observing the behavior will tell you if you've discovered something interesting. It is advised that you test this kind of thing against home systems or cooperating friends until you've perfected your techniques. Often, it is easy to trace the source of such attacks, especially if you launch then from your home system without IP forgery, and since DoS is illegal against systems you don't have permission to attack, and may violate your ISP's acceptable use policy, you might want to be careful.
Oh, you want an answer? Well, it often isn't easy to defend against DoS attacks, but there are a few things you can do. For defending against your Ping of Death style of attacks (malformed packets that crash a service or the system itself), the best line of defense is to keep your systems patched up, and to put a firewall between yourself and the Internet that is patched up. This really is the best method.
As far as bandwidth stealing attacks, such as floods, there is not a lot you can do. Packetstorm ran a contest that posed the question as far as distributed attacks go, and several of the concepts in numerous papers can be applied across the board to any DoS attack. The best papers included:
Top | Next: Logging Basics | Previous: Password Basics | Table of Contents