Denial of Service Attack
- A denial-of-service attack is an attempt to make a computer resource unavailable to its intended users.
- The basic purpose of a DoS attack is simply to flood a network so as to deny authentic users the services of the network. The end result is the flooding of the network or a change in the configuration of routers on the network.
- The main causes of DoS attacks can be flaws in software, software vulnerabilities, weaknesses in network architecture, etc.
- The different ways in which an attacker can mount DoS attacks are:
i. SYN Flood Attack:
- The attacker takes control of multiple hosts over the internet, instructing them to contact the target web server.
- The slave hosts begin sending TCP/IP SYN packets with erroneous return IP address information to the target.
- Each SYN packet is a request to open a TCP connection. For each such packet, the web server responds with a SYN-ACK packet, trying to establish a TCP connection. The web server keeps a data structure for each SYN request while it waits for the response, and it becomes bogged down as more traffic floods in, so that legitimate users are denied access.
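The following is an added example (not code from the original notes) that models the server-side state just described: each SYN takes a backlog entry that is freed only when the client's ACK arrives or the entry times out, so spoofed SYNs that are never ACKed fill the backlog and later legitimate SYNs are dropped. It also shows the defender-side check: a window in which many SYNs arrive but few are ever ACKed. The packet trace, backlog size, timeout and alert thresholds are all constructed values.

```python
"""Half-open TCP connection tracking and SYN-flood alerting.

Added example, not from the original notes. It models the server-side state
described above: every SYN allocates a backlog entry that is released only
when the client's final ACK arrives or the entry times out. The packet
trace, backlog size, timeout and alert thresholds are all constructed.
"""
from collections import OrderedDict

SYN, ACK = "SYN", "ACK"   # simplified flag names used by the constructed trace


class SynBacklog:
    """Tracks half-open connections the way a listening socket's backlog does."""

    def __init__(self, max_half_open=8, timeout=5.0):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.dropped_syns = 0            # SYNs refused because the backlog was full
        self.completed = 0               # handshakes that finished with an ACK

    def _expire(self, now):
        """Free entries that never received the final ACK within the timeout."""
        for key in [k for k, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[key]

    def handle(self, pkt):
        """Process one packet and return what the server did with it."""
        now = pkt["t"]
        self._expire(now)
        key = (pkt["src"], pkt["sport"])
        if pkt["flag"] == SYN:
            if key in self.half_open:
                return "retransmit"
            if len(self.half_open) >= self.max_half_open:
                self.dropped_syns += 1
                return "drop"            # backlog full: client gets no SYN-ACK
            self.half_open[key] = now    # SYN-ACK sent, now waiting for the ACK
            return "syn-ack"
        if pkt["flag"] == ACK and key in self.half_open:
            del self.half_open[key]      # handshake complete, entry released
            self.completed += 1
            return "established"
        return "ignored"


def detect_syn_flood(packets, window=1.0, min_syns=10, ratio_threshold=0.5):
    """Defender-side check: flag each window in which few SYNs are ever ACKed.

    Returns a list of (window_start, syn_count, ack_count) tuples.
    """
    if not packets:
        return []
    alerts = []
    start, last = packets[0]["t"], packets[-1]["t"]
    while start <= last:
        win = [p for p in packets if start <= p["t"] < start + window]
        syns = sum(1 for p in win if p["flag"] == SYN)
        acks = sum(1 for p in win if p["flag"] == ACK)
        if syns >= min_syns and acks / syns < ratio_threshold:
            alerts.append((start, syns, acks))
        start += window
    return alerts


def sample_trace():
    """Constructed trace: two normal clients, a burst of spoofed SYNs, then one more client."""
    pkts = []
    for i, ip in enumerate(["10.0.0.5", "10.0.0.6"]):
        pkts.append({"t": 0.1 * i, "src": ip, "sport": 40000 + i, "flag": SYN})
        pkts.append({"t": 0.1 * i + 0.05, "src": ip, "sport": 40000 + i, "flag": ACK})
    for i in range(20):   # spoofed sources never answer the SYN-ACK
        pkts.append({"t": 1.0 + 0.01 * i, "src": f"198.51.100.{i}", "sport": 5000, "flag": SYN})
    pkts.append({"t": 1.5, "src": "10.0.0.7", "sport": 40010, "flag": SYN})   # legitimate, arrives too late
    return sorted(pkts, key=lambda p: p["t"])


def run(packets, max_half_open=8):
    """Feed a trace through the backlog model; returns (backlog, per-packet outcomes)."""
    backlog = SynBacklog(max_half_open=max_half_open)
    return backlog, [backlog.handle(p) for p in packets]


if __name__ == "__main__":
    backlog, outcomes = run(sample_trace())
    print("completed:", backlog.completed, "dropped SYNs:", backlog.dropped_syns)
    print("alerts:", detect_syn_flood(sample_trace()))
```

With the constructed trace, the first eight spoofed SYNs occupy the whole backlog, the remaining twelve and the later legitimate client are dropped, and the detector flags the one-second window in which 21 SYNs arrive and none are acknowledged. Real kernels mitigate this with SYN cookies, which avoid allocating the entry until the ACK arrives; the model here shows why that matters.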
ii. Distributed denial-of-service attack:
- A DDoS attack is one in which a multitude of compromised systems attack a single target, causing DoS for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.
- An attacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS master. The attacker then infects multiple systems and, by issuing commands, controls those machines to launch the DDoS attack.
iii. Exhaustion of bandwidth:
- The attacker takes control of multiple hosts over the internet, instructing them to send ICMP ECHO packets with the target's IP address as the spoofed source to a group of hosts.
- Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.
- The target's router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.
iv. Slowloris:
- Slowloris is a highly targeted attack, enabling one web server to take down another server without affecting other services or ports on the target network.
- Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server but sending only a partial request. Slowloris constantly sends more HTTP headers but never completes a request.
- The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool and leads to denial of additional connections from legitimate clients.
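As an added example (not from the original notes), the snippet below shows the two server-side controls that defeat connection hoarding of this kind: a bounded time budget for a client to finish its request headers, and a cap on unfinished connections per client address. These are the ideas behind Apache's mod_reqtimeout and nginx's client_header_timeout; the snapshot of the connection table, the ten-second budget and the per-address limit of five are constructed values.

```python
"""Header-completion timeouts against Slowloris-style connection hoarding.

Added example, not from the original notes. A server that accepts a
connection and then waits indefinitely for the request headers to finish is
the precondition described above. The defences modelled here are the ones
real servers offer (Apache's mod_reqtimeout, nginx's client_header_timeout):
a time budget for completing the headers and a cap on concurrent connections
per client address. The connection snapshot and both limits are constructed.
"""
from collections import Counter

HEADER_TIMEOUT = 10.0   # seconds a client gets to finish its request headers (assumed)
PER_IP_LIMIT = 5        # concurrent unfinished connections allowed per address (assumed)


def headers_complete(buf: bytes) -> bool:
    """HTTP/1.x headers end at the first empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in buf


def connections_to_close(conns, now):
    """Return {connection id: reason} for connections a defender would drop.

    Each conn is {"id", "ip", "opened", "buf"}: 'opened' is the accept time
    and 'buf' the bytes received so far. Completed requests are never touched.
    """
    decisions = {}
    pending_per_ip = Counter(c["ip"] for c in conns if not headers_complete(c["buf"]))
    for c in conns:
        if headers_complete(c["buf"]):
            continue
        if now - c["opened"] > HEADER_TIMEOUT:
            decisions[c["id"]] = "header-timeout"
        elif pending_per_ip[c["ip"]] > PER_IP_LIMIT:
            decisions[c["id"]] = "per-ip-limit"
    return decisions


def sample_connections(now):
    """Constructed snapshot of a server's connection table at time `now`."""
    conns = [
        {"id": 1, "ip": "10.0.0.5", "opened": now - 0.2,
         "buf": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},   # finished normally
        {"id": 2, "ip": "10.0.0.6", "opened": now - 3.0,
         "buf": b"GET / HTTP/1.1\r\nHost: exa"},                    # slow but within budget
    ]
    # One address holding eight connections, each trickling headers and never
    # sending the terminating empty line.
    for i in range(8):
        conns.append({"id": 100 + i, "ip": "203.0.113.9", "opened": now - 5.0 - 2 * i,
                      "buf": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n"})
    return conns


if __name__ == "__main__":
    snapshot_time = 1000.0
    closing = connections_to_close(sample_connections(snapshot_time), snapshot_time)
    for cid, why in sorted(closing.items()):
        print(f"close connection {cid}: {why}")
```

The legitimate connection (id 1) and the slow but honest one (id 2) are left alone; the eight connections from the single hoarding address are closed, the oldest five because they exceeded the header budget and the remaining three because one address may not hold more than five unfinished requests. Running the per-address check only over unfinished connections keeps a busy but well-behaved client from being penalised.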
v. Ping of Death:
- A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet is 65,535 bytes. A large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet.
- In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.
vi. UDP Flood:
- A UDP flood leverages the User Datagram Protocol (UDP), a sessionless networking protocol. This type of attack floods random ports on a remote host with numerous UDP packets, causing the host to repeatedly check for the application listening at that port and, when no application is found, reply with an ICMP Destination Unreachable packet. This process saps host resources and can ultimately lead to inaccessibility.
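Added example (not from the original notes): a simulation of the host input path just described, with the standard mitigation applied. Every datagram to a closed port would normally cost one ICMP Destination Unreachable reply; a token-bucket limiter caps how many such replies the host sends per second, which is the idea behind the Linux sysctl net.ipv4.icmp_ratelimit. The set of listening ports, the flood trace and the bucket parameters (100 replies per second, burst of 10) are constructed values.

```python
"""Rate-limiting ICMP Destination Unreachable replies during a UDP flood.

Added example, not from the original notes. The host behaviour described
above (look up the port, find no listener, answer with ICMP Destination
Unreachable) is what the flood turns against the host. The defence modelled
is a token-bucket limiter on those replies, the same idea behind the Linux
sysctl net.ipv4.icmp_ratelimit. The listening ports, the flood trace and the
bucket parameters are all constructed.
"""

LISTENING_PORTS = {53, 123}   # constructed: the only UDP services bound on the host


class TokenBucket:
    """Permits about `rate` events per second, with bursts of up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Refill according to elapsed time, then try to spend one token."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def process_udp(packets, limiter):
    """Simulate the host's UDP input path; returns counters of what happened."""
    stats = {"delivered": 0, "icmp_sent": 0, "icmp_suppressed": 0}
    for p in packets:
        if p["dport"] in LISTENING_PORTS:
            stats["delivered"] += 1           # handed to the listening application
        elif limiter.allow(p["t"]):
            stats["icmp_sent"] += 1           # one ICMP Destination Unreachable reply
        else:
            stats["icmp_suppressed"] += 1     # closed port, but the reply is withheld
    return stats


def flood_trace(n=1000, duration=1.0):
    """Constructed: n datagrams to closed ports over `duration` seconds, plus two DNS queries."""
    pkts = [{"t": duration * i / n, "dport": 1024 + (i * 7919) % 60000} for i in range(n)]
    pkts += [{"t": 0.25, "dport": 53}, {"t": 0.75, "dport": 53}]
    return sorted(pkts, key=lambda p: p["t"])


def compare(n=1000):
    """Run the same flood with and without the limiter; returns both stat dicts."""
    trace = flood_trace(n)
    unlimited = process_udp(trace, TokenBucket(rate=10**9, burst=10**9))
    limited = process_udp(trace, TokenBucket(rate=100, burst=10))   # assumed limits
    return unlimited, limited


if __name__ == "__main__":
    unlimited, limited = compare()
    print("no limiter:", unlimited)
    print("limiter   :", limited)
```

Without the limiter the host answers all 1,000 closed-port probes, which is exactly the work the attacker wants it to do; with it, the host sends roughly 110 replies in that second (the burst plus one second of refill) and silently drops the rest, while the two genuine DNS queries are still delivered. The limiter only changes how many error replies leave the host, so it needs to sit alongside ingress filtering at the network edge for the bandwidth side of the problem.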
vii. Teardrop Attack:
- The Teardrop attack involves sending corrupted IP packets; the purpose of this is to confuse and potentially crash the receiving system.
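The Ping of Death and Teardrop entries above both come down to fragment reassembly trusting the offsets and lengths it is given. The added example below (not code from the original notes) shows the invariants a hardened reassembler checks before copying a single fragment: the reassembled datagram must not exceed the 65,535-byte IP maximum (the Ping of Death case), and fragments must not overlap or leave gaps (Teardrop is known for fragments whose offsets overlap). Offsets are given in bytes here for readability, whereas the IP header stores them in 8-byte units; all three fragment sets are constructed.

```python
"""Fragment validation as a hardened IP reassembler performs it.

Added example, not from the original notes. Fragments are (offset_bytes,
payload_length, more_fragments_flag). The checks reject the Ping of Death
case (reassembled size above the 65,535-byte IP maximum) and the Teardrop
case (overlapping fragments) before any data is copied. Offsets are in bytes
here; the IP header stores them in 8-byte units. All sample sets are constructed.
"""
MAX_IP_PACKET = 65535


def validate_fragments(frags):
    """Return (ok, reason) for a set of fragments belonging to one datagram.

    A defender's reassembler rejects the whole datagram on the first violated
    invariant instead of copying into a fixed-size buffer and hoping.
    """
    frags = sorted(frags, key=lambda f: f[0])
    if not frags or frags[0][0] != 0:
        return False, "missing first fragment"
    expected_end = 0
    last = len(frags) - 1
    for i, (off, length, more) in enumerate(frags):
        end = off + length
        if end > MAX_IP_PACKET:
            return False, f"oversized: reassembled datagram would be {end} bytes"
        if off < expected_end:
            return False, f"overlap: fragment at offset {off} starts inside the previous fragment ending at {expected_end}"
        if off > expected_end:
            return False, f"gap: no data between {expected_end} and {off}"
        if i != last and length % 8:
            return False, "non-final fragment length is not a multiple of 8"
        if i != last and not more:
            return False, "MF flag clear on a non-final fragment"
        if i == last and more:
            return False, "last fragment still has MF set"
        expected_end = end
    return True, f"reassembled {expected_end} bytes"


def normal_ping():
    """Constructed: a 3,000-byte ICMP echo split into 1,480-byte fragments."""
    return [(0, 1480, True), (1480, 1480, True), (2960, 40, False)]


def ping_of_death():
    """Constructed: 45 fragments whose combined size exceeds the IP maximum."""
    return [(i * 1480, 1480, True) for i in range(44)] + [(44 * 1480, 1480, False)]


def teardrop():
    """Constructed: the second fragment claims an offset inside the first."""
    return [(0, 1480, True), (1472, 1480, False)]


if __name__ == "__main__":
    for name, frags in [("normal", normal_ping()), ("ping of death", ping_of_death()),
                        ("teardrop", teardrop())]:
        ok, why = validate_fragments(frags)
        print(f"{name:14s} {'accept' if ok else 'reject'}: {why}")
```

The oversized check fires on the final fragment of the Ping of Death set, whose end offset is 66,600 bytes; the overlap check fires on the Teardrop set because the second fragment starts 8 bytes before the first one ends, which is precisely the arithmetic (a negative or wrapped copy length) that crashed early reassemblers. A real implementation would also bound the time and memory a partially reassembled datagram may hold, since an attacker can send first fragments and never the rest.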
viii. Smurf Attack:
- In this attack the attacker knows the broadcast servers in a network and sends a ping request. The source IP address in this ping request is fake, so it looks as if the ping comes from inside the network.
- When the broadcast server receives the ping request, the ping request is sent to the entire network and all the machines in the network return a response. These responses are further redirected by the broadcast server to the target machine.
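The bandwidth-exhaustion and Smurf entries above share one shape: a spoofed echo request reaches a bounce site, and many hosts there send echo replies to a victim that never asked for them. The added example below (not code from the original notes) models the two places a defender can act: a router filter that refuses to forward echo requests to a subnet's directed-broadcast address (the behaviour Cisco's `no ip directed-broadcast` enables and RFC 2644 recommends as the default), and a host-side detector that flags echo replies whose identifier and sequence never left the host. The subnet, addresses and packet records are all constructed.

```python
"""Detecting and blocking ICMP reflection (bandwidth exhaustion / Smurf).

Added example, not from the original notes. Both attacks above have many
hosts send ICMP echo replies to a victim that never sent the requests. Two
defender checks are modelled: a router rule that drops echo requests aimed
at a directed-broadcast address, and a host-side detector that reports echo
replies with no matching outbound request. Subnets, addresses and packets
are constructed.
"""
import ipaddress
from collections import defaultdict

LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed bounce-site LAN


def forward_allowed(pkt):
    """Router filter: drop ICMP echo requests whose destination is a directed-broadcast address."""
    dst = ipaddress.ip_address(pkt["dst"])
    for net in LOCAL_SUBNETS:
        if dst == net.broadcast_address and pkt["type"] == "echo-request":
            return False
    return True


def unsolicited_replies(packets, min_sources=10):
    """Host-side detector: echo replies whose (peer, id, seq) never left this host.

    `packets` is the host's own traffic in time order. Outbound echo requests
    are recorded and inbound replies are matched against them; anything
    unmatched is a reflection candidate. Returns {victim: number of distinct
    reflecting sources} for victims above `min_sources`.
    """
    outstanding = set()
    unsolicited = defaultdict(set)   # victim address -> reflecting source addresses
    for p in packets:
        if p["dir"] == "out" and p["type"] == "echo-request":
            outstanding.add((p["dst"], p["id"], p["seq"]))
        elif p["dir"] == "in" and p["type"] == "echo-reply":
            key = (p["src"], p["id"], p["seq"])
            if key in outstanding:
                outstanding.discard(key)          # reply to a ping we really sent
            else:
                unsolicited[p["dst"]].add(p["src"])
    return {dst: len(srcs) for dst, srcs in unsolicited.items() if len(srcs) >= min_sources}


def sample_host_traffic():
    """Constructed: one genuine ping exchange, then 50 replies reflected from a bounce site."""
    pkts = [
        {"dir": "out", "type": "echo-request", "src": "203.0.113.10", "dst": "198.51.100.1",
         "id": 7, "seq": 1},
        {"dir": "in", "type": "echo-reply", "src": "198.51.100.1", "dst": "203.0.113.10",
         "id": 7, "seq": 1},
    ]
    for h in range(1, 51):   # every LAN host answered a request spoofed with our address
        pkts.append({"dir": "in", "type": "echo-reply", "src": f"192.0.2.{h}",
                     "dst": "203.0.113.10", "id": 99, "seq": 1})
    return pkts


if __name__ == "__main__":
    probe = {"type": "echo-request", "src": "203.0.113.10", "dst": "192.0.2.255"}
    print("router forwards broadcast ping:", forward_allowed(probe))
    print("reflection victims:", unsolicited_replies(sample_host_traffic()))
```

The router check stops the amplification at its source: an echo request to 192.0.2.255 is dropped rather than turned into one reply per LAN host. The host-side check is what the victim can do on its own; the genuine reply to its ping is matched and discarded, while the 50 replies carrying an identifier it never used are reported together with how many distinct reflectors sent them, which is the signal to rate-limit inbound ICMP and contact the bounce site's operator.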