DoS attacks are simple to launch, achieve their goal easily, and are becoming harder and harder to prevent and to trace, so they are now commonplace. A general understanding of how they work helps in preventing them effectively, in finding the cause when one hits, and in formulating countermeasures.
DoS (Denial of Service) can be defined broadly as any attack that stops your server from providing the service it normally provides. Such an attack may consist of pouring a glass of water over the server, unplugging the network cable, or saturating the network link; the end result is the same: a legitimate user, local or remote, cannot use the service he needs. Here we are concerned with remote DoS attacks carried out over the network.
The spread of Web applications has made our work and our lives inseparable from the network. CRM, ERP and office automation software greatly improve the efficiency of our work; we find all kinds of work and study material online; we pay our telephone bills and check our bank accounts online; we date and entertain ourselves online. The direct consequence of a DoS attack may be that you cannot reach these services, and an attack on a DNS server, a router or a firewall can even deny service to an entire network. Let us now look at how a remote DoS attack reaches its goal.
The specific DoS methods are many, but most can be divided into the following categories:
Exploiting software defects
OOB attacks (common tool: winnuke), teardrop attacks (common tools: teardrop.c, boink.c, bonk.c), the land attack, IGMP fragment attacks, the jolt attack, the remote denial of service against Cisco 2600 routers running IOS 12.0(10), and so on. All of these exploit a defect in the implementation of some piece of software to achieve denial of service. Typically the attack tool sends one or a few packets of a specific type to the target system, and the effect is usually fatal. Many of these attacks can forge the source address, so even when an IDS or a sniffer records the attack packets it cannot tell who launched the attack; and because the attack consists of only a small number of short packets of a specific type, tracing becomes almost impossible once the source IP address is forged.
How do such attacks come about? Usually a particular type of message or request was simply not handled during the software's development, so when the running software meets such an abnormal packet, the software or the whole system crashes. A few concrete examples below explain the causes of this kind of attack.
On May 7, 1997, winnuke.c was released. It first establishes a TCP connection to a Win95/NT host and then sends TCP urgent data, which crashes the target system. Port 139/TCP is the most common listening port on Win95/NT systems, so winnuke.c uses that port. The attack is called an OOB attack because the data is sent with the MSG_OOB flag; what actually reaches the target is TCP urgent data.
The original teardrop.c constructs only two fragments and sends these two UDP fragment packets each time; if a count is specified, it simply sends the same two fragments again and again. The source IP can be forged and the packets pass through routers, so it can be used for remote attacks; affected systems include Linux, WinNT and Win95. Its usage is:
teardrop <source ip> <destination ip> [-s source port] [-d destination port] [-n number]
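The defect that teardrop exploited, shown as an added example (this is not code from the page or from teardrop.c): the second fragment starts inside the first one and ends before the first one does, and the affected reassembly code trimmed the overlap off the front of the new fragment and then computed a copy length as end minus the trimmed offset, which goes negative. The fragment sizes below are constructed to have that shape and are not the tool's exact bytes; the unchecked reassembler reproduces the faulty arithmetic, and the checked one validates every fragment before copying anything.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_DATAGRAM = 65535  # largest IP datagram, so no fragment may end beyond this


@dataclass(frozen=True)
class Fragment:
    offset: int     # payload offset within the datagram (IP fragment offset field * 8)
    payload: bytes
    more: bool      # IP "More Fragments" flag; clear on the last fragment

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)


class KernelCrash(Exception):
    """Stands in for the kernel crash that a negative copy length produced."""


def reassemble_unchecked(frags: List[Fragment]) -> bytes:
    """Reproduces the faulty arithmetic: when a fragment starts inside the data
    already received, the overlap is trimmed from its front and its length is
    recomputed as end - offset, with no check that the result is non-negative."""
    buf = bytearray()
    prev_end = 0
    for f in sorted(frags, key=lambda x: x.offset):
        offset, data = f.offset, f.payload
        if prev_end > offset:            # fragment begins inside the previous one
            skip = prev_end - offset
            offset += skip               # move past the overlap ...
            data = data[skip:]
        length = f.end - offset          # ... but a fragment that also ENDS inside it gives a negative length
        if length < 0:
            # In C the negative value became a huge unsigned memcpy count.
            raise KernelCrash(f"copy length {length}")
        buf[offset:offset + length] = data[:length]
        prev_end = max(prev_end, f.end)
    return bytes(buf)


def reassemble_checked(frags: List[Fragment]) -> Optional[bytes]:
    """Validates every fragment before copying: non-empty, within 65535 bytes,
    8-byte aligned unless last, no holes, and a total length consistent with the
    data already received. Returns None for a malformed or incomplete set."""
    buf = bytearray()
    covered = 0        # bytes contiguously received from offset 0
    total = None       # datagram length announced by the last fragment (more == False)
    for f in sorted(frags, key=lambda x: x.offset):
        if not f.payload or f.end > MAX_DATAGRAM:
            return None
        if f.more and len(f.payload) % 8:
            return None                  # every fragment but the last carries a multiple of 8 bytes
        if not f.more:
            if total is not None and total != f.end:
                return None              # two "last" fragments that disagree
            total = f.end
        if f.offset > covered:
            return None                  # hole: the set is incomplete
        if f.end <= covered:
            continue                     # nothing new (duplicate or fully contained): drop it
        buf += f.payload[covered - f.offset:]   # copy only the part beyond what we already have
        covered = f.end
    if total is None or covered != total:
        return None                      # no last fragment, or data runs past the announced length
    return bytes(buf)


def unchecked_crashes(frags: List[Fragment]) -> bool:
    """True if the unchecked reassembler hits the negative-length path."""
    try:
        reassemble_unchecked(frags)
    except KernelCrash:
        return True
    return False


# Constructed sample 1: a well-formed 24-byte datagram split in two.
GOOD = [Fragment(0, b"A" * 16, more=True), Fragment(16, b"B" * 8, more=False)]

# Constructed sample 2, shaped like teardrop's pair: the second fragment lies
# entirely inside the first (starts at 24, ends at 28, while the first ends at 32).
OVERLAPPING = [Fragment(0, b"A" * 32, more=True), Fragment(24, b"B" * 4, more=False)]

if __name__ == "__main__":
    print(reassemble_unchecked(GOOD) == reassemble_checked(GOOD))  # True: both agree on sane input
    print(reassemble_checked(OVERLAPPING))                        # None: rejected before any copy
    print(unchecked_crashes(OVERLAPPING))                         # True: end - offset went negative
```

The checked version never trusts a fragment's own numbers: it copies only the bytes beyond what it already holds, so an overlapping fragment can at worst be discarded, and it refuses the whole set when the last fragment announces a total shorter than the data already received.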
A relatively new DoS attack targets the Windows SMB implementation. It was published in August 2002, and any Windows system that allows anonymous connections can be attacked remotely, so Windows users are strongly advised to apply the relevant patch. The method is to first establish a connection to the target and then send a specific request, after which the target system blue-screens. The test tool released with it, SMBdie.exe, is a graphical tool into which you enter the target address and NETBIOS name.
As the discussion above shows, this kind of attack is powerful and hard to detect. But it does real damage only during the short period after the vulnerability is published, because the vendor soon releases a patch that fixes it. The attacks listed above are therefore usually ineffective in today's real-world environments and work only against old, unpatched ones. Still, each newly published attack method makes us shudder, and all we can do is watch the published vulnerabilities and apply new patches in time. If you would rather not do this yourself, buying the corresponding services from a professional security company is the better choice.
Exploiting protocol flaws
Whereas the attacks above do not live long, attacks of this kind are extremely persistent. To communicate on the network, all software on the Internet must follow the existing protocols, and if the protocol itself has a flaw, then all software that follows that protocol is affected.
The most typical example is the SYN flood, which exploits a weakness in TCP/IP. Establishing a TCP connection normally takes three steps: the client sends a SYN packet to the server; the server must allocate resources for the pending connection and return a SYN/ACK packet, then wait for the final ACK that establishes the connection; the client sends that final ACK, the connection is established between the two sides, and data can be transferred over it. The attack sends SYN packets as fast as possible and never returns the final ACK, so the server ties up more and more resources on pending connections until it has nothing left for other work and can no longer respond to normal network requests.
This is a classic 'small is big' attack: the attacker spends a small amount of resources to consume a large amount of the victim's. A Pentium 4 Linux system can generate roughly 30-40 Mbps of 64-byte SYN flood packets, while an ordinary server receiving about 20 Mbps of such traffic basically stops responding to anything, mouse and keyboard included. Moreover, a SYN flood works not only remotely but with forged source IP addresses, which makes tracing very difficult: one has to go to every network operator up to the backbone and trace it router by router.
For a SYN flood with forged source IP addresses, tracing is very difficult unless the administrators of every router between the attacker and the attacked system all cooperate. Some anti-DoS firewall products claim to be able to defend against it, but their capacity is usually limited: most foreign 100M hardware firewalls withstand only about 20-30 Mbps of SYN flood (64-byte SYN packets), roughly their small-packet forwarding capacity, and once the flow exceeds that, the firewall itself goes down. Some security companies now recognise the danger of DoS attacks and have begun developing dedicated anti-denial-of-service products; let us wait and see.
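A half-open connection tracker, as an added example that is not from the page: it follows the three-step handshake described above over a constructed capture in which one client completes its handshake and 150 forged sources send SYNs to the web server and never answer the SYN/ACK. The addresses, ports and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class HalfOpenTracker:
    """Follows three-way handshakes and keeps the ones still waiting for the final ACK,
    which is exactly the state a SYN flood piles up on the server."""

    def __init__(self, max_age: float = 3.0):
        self.pending: Dict[Tuple[str, int, str, int], float] = {}  # (client, cport, server, sport) -> SYN time
        self.max_age = max_age   # give up on a handshake after this long, as a server backlog eventually does

    def feed(self, p: Packet) -> None:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags & SYN and not p.flags & ACK:
            self.pending[key] = p.ts                 # step 1: client SYN, server must now hold state
        elif p.flags & SYN and p.flags & ACK:
            pass                                     # step 2: server SYN/ACK, connection still half-open
        elif p.flags & ACK:
            self.pending.pop(key, None)              # step 3: client ACK, handshake complete
        self._expire(p.ts)

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.pending.items() if now - t > self.max_age]:
            del self.pending[key]

    def half_open_by_server(self) -> Dict[Tuple[str, int], List[str]]:
        """Server (ip, port) -> client addresses with unfinished handshakes."""
        by_server: Dict[Tuple[str, int], List[str]] = defaultdict(list)
        for client, _, server, sport in self.pending:
            by_server[(server, sport)].append(client)
        return dict(by_server)

    def suspects(self, max_half_open: int = 100) -> List[Tuple[str, int, int, int]]:
        """(server, port, half-open count, distinct sources) for servers over the limit.
        Many half-open handshakes from many distinct sources that never ACK is the
        signature of a flood with forged source addresses."""
        out = []
        for (server, port), clients in self.half_open_by_server().items():
            if len(clients) >= max_half_open:
                out.append((server, port, len(clients), len(set(clients))))
        return sorted(out, key=lambda r: -r[2])


def detect(packets: List[Packet], max_half_open: int = 100) -> List[Tuple[str, int, int, int]]:
    tracker = HalfOpenTracker()
    for p in sorted(packets, key=lambda x: x.ts):
        tracker.feed(p)
    return tracker.suspects(max_half_open)


def half_open_count(packets: List[Packet]) -> int:
    """Number of handshakes still pending after the whole capture has been fed."""
    tracker = HalfOpenTracker()
    for p in sorted(packets, key=lambda x: x.ts):
        tracker.feed(p)
    return len(tracker.pending)


def constructed_capture() -> List[Packet]:
    """Constructed sample traffic (not a real capture): one completed handshake from
    192.0.2.10 to the web server 10.0.0.5, then 150 SYNs from forged 198.51.100.x
    addresses to the same port that are never followed by an ACK."""
    pkts = [
        Packet(0.00, "192.0.2.10", 40001, "10.0.0.5", 80, SYN),
        Packet(0.01, "10.0.0.5", 80, "192.0.2.10", 40001, SYN | ACK),
        Packet(0.02, "192.0.2.10", 40001, "10.0.0.5", 80, ACK),
    ]
    for i in range(150):
        pkts.append(Packet(0.1 + i * 0.003, f"198.51.100.{i + 1}", 1024 + i, "10.0.0.5", 80, SYN))
    return pkts


if __name__ == "__main__":
    print(detect(constructed_capture()))   # [('10.0.0.5', 80, 150, 150)]
```

The asymmetry the text calls 'small is big' is visible in the data structure: the attacker's cost is one minimal packet per entry, while the server must keep state for each of the 150 pending handshakes until its timeout fires. The distinct-source count is what separates this from a genuinely busy server, but note that it says nothing about where the packets really came from, which is the tracing problem described above.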
Because TCP/IP trusts the source address of a packet, there is also the reflection denial of service attack: broadcast addresses can be used as reflectors, and protocols that support multicast make even better reflectors. Most routers, however, block traffic to broadcast and multicast addresses.
Another type of attack uses a large number of protocol-compliant, normal-looking service requests, each of which costs the server a lot of resources, so that legitimate requests can no longer succeed. HTTP, for example, is a stateless protocol: an attacker constructs a large number of search requests, these requests consume a great deal of server resources, and the result is denial of service. This kind of attack is easier to deal with, because the requests are ordinary requests whose real source IP addresses are exposed, so you can simply ban those IPs.
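The 'ban these IPs' approach, as an added example that is not from the page, run over constructed Apache-style log lines: it counts expensive (search) requests per source within a sliding window and produces firewall rules for the sources over the limit. The paths, addresses, window and limit are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache common log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["time"], TIME_FMT).timestamp(), "path": m["path"]}


def find_floods(lines: List[str], window: float = 10.0, limit: int = 20,
                expensive: tuple = ("/search",)) -> Dict[str, int]:
    """Sources that issued more than `limit` expensive requests inside any `window`
    seconds; the value is the highest count seen. Lines must be in time order per IP."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(expensive):
            continue                       # static pages are cheap; only the search handler counts
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                    # slide the window forward
        if len(q) > limit:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def firewall_rules(flagged: Dict[str, int]) -> List[str]:
    """iptables drop rules for the flagged sources: the 'ban these IPs' step of the text."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


def constructed_log() -> List[str]:
    """Constructed sample log (not real traffic): a normal visitor making five searches
    over a minute, and 203.0.113.7 issuing 60 searches in ten seconds plus one static hit."""
    fmt = '{ip} - - [{t}] "GET {path} HTTP/1.0" 200 5123'
    base = datetime(2002, 8, 10, 14, 3, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=12 * i)).strftime(TIME_FMT)
        lines.append(fmt.format(ip="192.0.2.10", t=t, path=f"/search?q=report{i}"))
    for i in range(60):
        t = (base + timedelta(milliseconds=160 * i)).strftime(TIME_FMT)
        lines.append(fmt.format(ip="203.0.113.7", t=t, path=f"/search?q=a{i}"))
    lines.append(fmt.format(ip="203.0.113.7", t=base.strftime(TIME_FMT), path="/index.html"))
    return lines


if __name__ == "__main__":
    hits = find_floods(constructed_log())
    print(hits)                      # {'203.0.113.7': 60}
    print(firewall_rules(hits))      # ['iptables -I INPUT -s 203.0.113.7 -j DROP']
```

Counting only the expensive handler keeps a visitor who loads many small static files from being banned. The same per-source counting covers any attack in which a connection has to be completed, since the source address is then genuine; it does not help when the attacker spreads the requests over many puppet hosts so that each source stays under the limit.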
Resource competition
This kind of attack is a brute-force play: I start out with more resources than you, so I send you large amounts of junk data until your resources are completely occupied, which is a DoS. Examples are ICMP flood, mstream flood and connection flood. To obtain more resources than the target system, the attacker often launches a DDoS (Distributed DoS) attack, directing the puppet hosts under his control to attack together so as to produce the desired effect. The first two of these attacks can use forged IP addresses and are likewise very hard to trace; the third requires connections to be established, so the IP addresses of the attacking puppets are exposed and can be banned on the firewall. For attacks that are hard to trace, we can only pin our hopes on dedicated anti-denial-of-service products.
The analysis above gives a simple picture of DoS attacks, and I hope it provides the basic concepts needed for dealing with such attacks in the future.