The Hack FAQ

5.0 Denial of Service Basics


This section covers basic info regarding Denial of Service attacks.


5.1 What is Denial of Service?

DoS (Denial of Service) is simply rendering a service incapable of responding to requests in a timely manner. This is a controversial subject, since some people think that DoS is not a hack, and/or is rather juvenile and petty. We prefer to think of them as just one more kind of tool in the toolbox, and as such, will continue to include material on them in the Hack FAQ. Ask yourself which is more alarming - the number of kids trying DoS attacks, or the number of DoS attacks that succeed?

Regardless of your feelings, DoS has been steadily gaining in popularity, whether with hackers mad at other hackers, sysadmins mad at spammers, or whatever - virtually everyone we've run into that is aware of the potential of DoS at least has software to do it, admins included.

5.2 What are some DoS scenarios?

Reasons that a hacker might want to resort to DoS might include the following:

Reasons that a sysadmin might use DoS:

5.3 What is the Ping of Death?

The Ping of Death is a large ICMP packet. The target receives the ping in fragments and starts reassembling the packet. However, due to the size of the packet once it is reassembled, it is too big for the buffer and overflows it. This causes unpredictable results, such as reboots or system hangs.

Windows NT is capable of sending such a packet. By simply typing in "ping -165527 -s 1 target" you can send such a ping. There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available.

Most systems have patches available to prevent the Ping of Death from working. However, it is still included here for historical reasons, as the Ping of Death helped get the whole DoS craze really going, since it was so easy to perform.
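The check that such patches and packet filters perform can be shown on a single fragment. The following is an added example, not code from the FAQ or from any vendor patch: it parses the IPv4 header of a fragment and rejects it if the reassembled datagram would exceed the 65535-byte limit. The helper names and the sample fragments (built in memory, never sent) are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits wide

def build_fragment(offset_units, payload_len, more_fragments=False):
    """Constructed sample: 20-byte IPv4 header (protocol 1 = ICMP) plus
    zero-filled payload. Checksum is left at 0; nothing is transmitted."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(payload_len)

def reassembled_end(packet):
    """Byte position at which this fragment's data would end in the
    reassembled datagram, counting the IP header.
    Simplification: uses this fragment's own header length."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack(
        "!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl
            or len(packet) < total_len):
        raise ValueError("malformed IPv4 header")
    # Fragment offset is a 13-bit field counted in 8-byte units.
    offset = (flags_frag & 0x1FFF) * 8
    return ihl + offset + (total_len - ihl)

def is_oversized_fragment(packet):
    """True if accepting this fragment would overflow a 65535-byte
    reassembly buffer, which is the condition the Ping of Death relies on."""
    return reassembled_end(packet) > MAX_IP_DATAGRAM

if __name__ == "__main__":
    samples = [("normal last fragment", build_fragment(185, 520)),
               ("oversized last fragment", build_fragment(8189, 1000))]
    for name, frag in samples:
        verdict = "DROP" if is_oversized_fragment(frag) else "ok"
        print(f"{name}: ends at byte {reassembled_end(frag)} -> {verdict}")
```

The check has to run before any fragment data is copied into the reassembly buffer; validating only the final reassembled length is too late.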

5.4 What is a SYN Flood attack?

In the TCP/IP protocol, a three-way handshake takes place as a connection to a service is established. First, the client sends a SYN packet, to which the service responds with a SYNACK. Finally, the client responds to the SYNACK and the connection is considered established.

A SYN Flood attack is when the client does not respond to the service's SYNACK and continues to send SYN packets, tying up the service until the handshake times out. The source address of the client is forged to a non-existent host, and as long as the SYN packets are sent faster than the timeout rate of the service host's TCP stack, the service will be unable to establish new connections.

This is only a simplified version of what happens, though. For more elaborate details and sample Linux code for creating a flood, read Project Neptune.
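The relationship between queue size, handshake timeout and SYN arrival rate can be seen in a small model. This is an added example, not code from the FAQ or from Project Neptune: it simulates a listen queue in memory over constructed events and sends no packets. The backlog of 4, the 3-second timeout and all addresses are assumptions chosen for the demonstration; real stacks also retransmit the SYNACK, which this model omits.

```python
CLIENT = "192.0.2.10"  # constructed legitimate client (documentation range)

def simulate_backlog(events, backlog=4, timeout=3.0):
    """events: time-ordered (time, src, kind) tuples, kind 'SYN' or 'ACK'.
    Returns (established, dropped) lists of source labels."""
    half_open = {}              # src -> arrival time of its SYN
    established, dropped = [], []
    for t, src, kind in events:
        # Free slots whose handshake never completed within the timeout.
        for s in [s for s, t0 in half_open.items() if t - t0 >= timeout]:
            del half_open[s]
        if kind == "SYN":
            if len(half_open) >= backlog:
                dropped.append(src)      # queue full: SYN is discarded
            else:
                half_open[src] = t       # slot held until ACK or timeout
        elif kind == "ACK" and src in half_open:
            del half_open[src]
            established.append(src)
    return established, dropped

def run(syn_interval, client_syn_at, backlog=4, timeout=3.0, duration=8.0):
    """Unanswered SYNs arrive every syn_interval seconds from sources that
    never reply; one real client tries to connect at client_syn_at."""
    events = [(i * syn_interval, f"forged-{i}", "SYN")
              for i in range(int(duration / syn_interval))]
    events += [(client_syn_at, CLIENT, "SYN"),
               (client_syn_at + 0.1, CLIENT, "ACK")]
    events.sort(key=lambda e: e[0])
    return simulate_backlog(events, backlog, timeout)

if __name__ == "__main__":
    # The queue saturates once unanswered SYNs arrive faster than
    # backlog / timeout = 4 / 3 per second.
    for interval, syn_at in [(1.0, 5.5), (0.5, 5.25)]:
        est, drp = run(interval, syn_at)
        state = "connected" if CLIENT in est else "refused"
        print(f"1 SYN per {interval}s: client {state}, {len(drp)} SYNs dropped")
```

Raising the backlog or shortening the timeout moves the saturation threshold but does not remove it, which is why defenses such as SYN cookies avoid holding per-connection state for unanswered SYNs at all.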

5.5 What are other popular DoS attacks?

Most others involve ICMP packets (such as used in 'ping') to create massive floods of traffic, or other packet malformations. Search for winnuke, smurf, or teardrop for more details, or visit one of the many sites dedicated to providing such tools, such as Packetstorm.

5.6 What are distributed DoS attacks?

Distributed DoS attacks are an interesting phenomenon. The premise goes like this:

There are already several such tools available, such as Trinoo, TFN2K, and stacheldraht. Look for them on Packetstorm.

5.7 How can I discover new DoS attacks?

New DoS attacks are fairly easy to discover. Flooding any service or system with malformed or excessive packets and observing the behavior will tell you if you've discovered something interesting. It is advised that you test this kind of thing against home systems or cooperating friends until you've perfected your techniques. Often, it is easy to trace the source of such attacks, especially if you launch them from your home system without IP forgery. Since DoS is illegal against systems you don't have permission to attack, and may violate your ISP's acceptable use policy, you might want to be careful.

5.8 How does one defend against DoS attacks?

Good question.

Oh, you want an answer? Well, it often isn't easy to defend against DoS attacks, but there are a few things you can do. For defending against your Ping of Death style of attacks (malformed packets that crash a service or the system itself), the best line of defense is to keep your systems patched up, and to put a firewall between yourself and the Internet that is patched up. This really is the best method.

As for bandwidth-stealing attacks, such as floods, there is not a lot you can do. Packetstorm ran a contest that posed the question as far as distributed attacks go, and several of the concepts in numerous papers can be applied across the board to any DoS attack. The best papers included:

Protecting Against the Unknown by Mixter
This long "college dissertation" style paper covers all kinds of security problems.
Purgatory 101: Learning to cope with the SYNs of the Internet by NightAxis and RFP
This is the paper that probably should have won since it addressed the idea of tracing the attack down.
Strategies for Defeating Distributed Attacks by Simple Nomad
This paper outlines methods on defeating the stealth communications used by most distributed attack systems, and was the one we hoped would win.
