Fundamentals of Network Security by John E. Canavan is a book included in the online library for IEEE computer association members. In it, the following is written:
....
Denial of Service
Denial-of-service attacks are designed to shut down or render inoperable a system or network. The goal of the denial-of-service attack is not to gain access or information but to make a network or system unavailable for use by other users. It is called a denial-of-service attack, because the end result is to deny legitimate users access to network services. Such attacks are often used to exact revenge or to punish some individual or entity for some perceived slight or injustice. Unlike real hacking, denial-of-service attacks do not require a great deal of experience, skill, or intelligence to succeed. As a result, they are usually launched by nerdy, young programmers who fancy themselves to be master hackers.
There are many different types of denial-of-service attacks. The following sections present four examples: ping of death, "synchronize sequence number" (SYN) flooding, spamming, and smurfing. These are examples only and are not necessarily the most frequently used forms of denial-of-service attacks.
Ping of Death
The ping-of-death attack, with its melodramatic name, is an example of how simple it can be to launch a denial-of-service attack once a vulnerability has been discovered. Those who originally discover a vulnerability deserve credit, but it takes no great skill or intelligence to exploit it.
To better understand how the ping of death worked or works we need to once again review some TCP/IP basics. The ping of death exploited a flaw in many vendors' implementations of ICMP. ICMP is part of the IP of TCP/IP and operates at the Internet layer using the IP datagram to deliver messages; ping is a TCP/IP command that simply sends out an IP packet to a specified IP address or host name to see if there is a response from the address or host. It is often used to determine if a host is on the network or alive. The typical ping command syntax would be
ping 145.34.35.56
or
ping www.acme.net
Many operating systems were or are vulnerable to larger-than-normal ICMP packets. As a result, specifying a large packet in a ping command can cause an overflow in some systems' internals that can result in system crashes. The command syntax would vary depending on the operating system you were using. Below are two examples, one for Windows and the other for Sun Solaris.
Windows: ping -l 65527 -s 1 hostname
Solaris: ping -s hostname 65527
Normally it requires a flood of pings to crash a system. Moreover, from firsthand experience I have found that you are just as likely to crash the system from which you are launching the attack as you are to crash the system you are targeting. Nevertheless, the ping-of-death approach may still constitute an effective denial-of-service attack. Once this vulnerability was discovered, most vendors issued operating system patches to eliminate the problem.
SYN Flooding
SYN flooding is a denial-of-service attack that exploits the three-way handshake that TCP/IP uses to establish a connection. Basically, SYN flooding disables a targeted system by creating many half-open connections. Figure 2.6 illustrates how a typical TCP/IP connection is established.
Figure 2.6: Normal TCP/IP handshake.
In Figure 2.6, the client transmits to the server the SYN bit set. This tells the server that the client wishes to establish a connection and what the starting sequence number will be for the client. The server sends back to the client an acknowledgment (SYN-ACK) and confirms its starting sequence number. The client acknowledges (ACK) receipt of the server's transmission and begins the transfer of data.
With SYN flooding a hacker creates many half-open connections by initiating the connections to a server with the SYN number bit. However, the return address that is associated with the SYN would not be a valid address. The server would send a SYN-ACK back to an invalid address that would not exist or respond. Using available programs, the hacker would transmit many SYN packets with false return addresses to the server. The server would respond to each SYN with an acknowledgment and then sit there with the connection half-open waiting for the final acknowledgment to come back. Figure 2.7 illustrates how SYN flooding works.
Figure 2.7: SYN flooding exchange.
The result from this type of attack can be that the system under attack may not be able to accept legitimate incoming network connections so that users cannot log onto the system. Each operating system has a limit on the number of connections it can accept. In addition, the SYN flood may exhaust system memory, resulting in a system crash. The net result is that the system is unavailable or nonfunctional.
One countermeasure for this form of attack is to set the SYN relevant timers low so that the system closes half-open connections after a relatively short period of time. With the timers set low, the server will close the connections even while the SYN flood attack opens more.
SPAM
SPAM is unwanted e-mail. Anyone who has an e-mail account has received SPAM. Usually it takes the form of a marketing solicitation from some company trying to sell something we don't want or need. To most of us it is just an annoyance, but to a server it can also be used as a denial-of-service attack. By inundating a targeted system with thousands of e-mail messages, SPAM can eat available network bandwidth, overload CPUs, cause log files to grow very large, and consume all available disk space on a system. Ultimately, it can cause a system to crash.
SPAM can be used as a means to launch an indirect attack on a third party. SPAM messages can contain a falsified return address, which may be the legitimate address of some innocent unsuspecting person. As a result, an innocent person, whose address was used as the return address, may be spammed by all the individuals targeted in the original SPAM.
E-mail filtering can prevent much unwanted e-mail from getting through. Unfortunately, it frequently filters out legitimate e-mail as well.
Smurf Attack
The smurf attack is named after the source code employed to launch the attack (smurf.c). The smurf attack employs forged ICMP echo request packets and the direction of those packets to IP network broadcast addresses. The attack issues the ICMP ECHO_REQUEST to the broadcast address of another network. The attack spoofs as the source address the IP address of the system it wishes to target. Figure 2.8 illustrates how a smurf attack works.
Figure 2.8: Smurf attack.
When the systems on the network to whose broadcast address the ECHO_REQUEST is sent receive the packet with the falsified source address (i.e., the return address), they respond, flooding the targeted victim with the echo replies. This flood can overwhelm the targeted victim's network. Both the intermediate and victim's networks will see degraded performance. The attack can eventually result in the inoperability of both networks.
There are steps that the intermediate network can take to prevent being used in this way. The steps include configuring network devices not to respond to ICMP ECHO_REQUESTs and disabling IP directed broadcasts from passing the network routers. There are really no steps that the targeted victim can take to prevent this kind of attack. The only defense is contacting the intermediate network to stop the ECHO_REQUESTs from being relayed, once an organization determines that it is the victim of an attack.
Denial-of-service attacks are the most difficult to defend against, and, of the possible attacks, they require the least amount of expertise to launch. In general, organizations should monitor for anomalous traffic patterns, such as SYN-ACKs with no return ACKs. Since most routers filter incoming and outgoing packets, router-based filtering is the best defense against denial-of-service attacks. Organizations should use packet filters that filter based on destination and sender address. In addition, they should always use SPAM/sendmail filters.
Keep in mind there is a tradeoff with packet and mail filtering. The filtering that is performed to detect denial-of-service attacks will slow network performance, which may frustrate an organization's end users and slow its applications. In addition, mail filtering will bounce some e-mails that really should be allowed through, which may also aggravate end users.
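The half-open-connection symptom the book describes (SYN-ACK sent, final ACK never returned) and its suggested countermeasure (a short half-open timer) can be modelled from a packet log. The following is an added example, not code from the book; the packet records and addresses are constructed, and the `Pkt` record, `half_open_after` and `syn_flood_suspected` names are assumptions of this example.

```python
"""Track half-open TCP connections from a packet record and show how a shorter
half-open timer (the countermeasure in the text) shrinks the backlog a SYN
flood can build up.  Constructed sample data; no real capture is read."""
from collections import namedtuple

# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK (final step of the handshake)
Pkt = namedtuple("Pkt", "ts src dst flags")

def half_open_after(packets, now, timeout):
    """Return the set of (client, server) pairs still half-open at `now`.

    A pair becomes half-open when the server answers with SYN-ACK, and leaves
    that state when the client's ACK arrives or when `timeout` seconds have
    passed since the SYN-ACK (the lowered timer the text recommends)."""
    pending = {}  # (client, server) -> time the SYN-ACK was sent
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "SA":
            pending[(p.dst, p.src)] = p.ts          # server -> client
        elif p.flags == "A" and (p.src, p.dst) in pending:
            del pending[(p.src, p.dst)]             # client -> server
    return {pair for pair, t in pending.items() if now - t < timeout}

def syn_flood_suspected(packets, now, timeout, limit):
    """Flag a flood when the half-open backlog reaches the system's limit."""
    return len(half_open_after(packets, now, timeout)) >= limit

SERVER = "192.0.2.10"
# Constructed sample: one legitimate client completes its handshake; six SYNs
# arrive from spoofed, unreachable addresses, so their SYN-ACKs are never ACKed.
SAMPLE = [
    Pkt(0.0, "10.0.0.5", SERVER, "S"),
    Pkt(0.1, SERVER, "10.0.0.5", "SA"),
    Pkt(0.2, "10.0.0.5", SERVER, "A"),
]
for i, t in enumerate([1.0, 4.0, 8.0, 12.0, 16.0, 19.0]):
    spoofed = f"203.0.113.{i + 1}"
    SAMPLE.append(Pkt(t, spoofed, SERVER, "S"))
    SAMPLE.append(Pkt(t + 0.1, SERVER, spoofed, "SA"))

if __name__ == "__main__":
    for timeout in (75.0, 10.0):
        backlog = half_open_after(SAMPLE, now=20.0, timeout=timeout)
        print(f"timeout {timeout:>5}s: {len(backlog)} half-open, "
              f"flood suspected: {syn_flood_suspected(SAMPLE, 20.0, timeout, 5)}")
```

With the long timer all six spoofed connections are still pending at t=20 s; with the 10 s timer only the three most recent remain, below the backlog limit used here.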