Denial of Service (DoS) Attack

Denial of Service (DoS) attack is one of the most common threats and can crash any system in the network. The Internet hackers always prefer DoS attacks to disturb the operations of a network. The DoS attacks corrupt or disable a computer network and its associated devices or services. These attacks include cracking of the system, slowing it down so that it becomes unable to operate.

The hackers can attack any system of the network and can delete or corrupt information of the system through DoS. Further in a DoS attack, the hackers do not need any prior access to the target network. Further ahead, they also do not steal or destroy the data through DoS attack. The main intention of the DoS attack is to bring down the network and crash the server so the legitimate users are unable to use the services. DoS attacks can be easily initiated by using readymade software.

Reflective DoS Attacks

Reflective DoS attacks are the attacks in which attackers use third party components to hide their identity and send malicious code to a victim’s computer. They use victim’s IP address to send data packets to the servers.

Amplified DoS Attacks

Amplified DoS Attacks are the type of distributed DoS attack in which the intruder makes use of the vulnerabilities in the DNS servers. The intruder sends an amplified amount of traffic on a network to bring down the network. However, users can prevent these types of attacks by implementing DNS server security and blocking specific DNS servers.

Distributed DoS Attacks.

Distributed DoS or DDoS uses intermediary computer systems where programs are pre-installed to attack a single target system. These intermediary computer systems are called the agents and the built-in programs are called the zombies. The hackers remotely activate these programs to launch the actual attack and through zombies, hackers easily conceal the true origin of the attack.

In DDoS, attacker uses some tools like Tribe Flood Network (TFN), Trinoo, botnet, Tribe Flood Network 2000 (TFN2K), Stacheldraht and target the UNIX and Windows operating systems. Hackers uses TFN to crash the system. Trinoo is also called as trin00 is a type of computer program that allows the attacker to leave a message in a folder of the target system. The message keeps on replicating and the files are modified on regular basis until port 80 is inactive. Similarly, a botnet is set of hijacked devices that are connected through Internet. These are used to steal data of the targeted system, inject the system with malware and provide the access of the system to the hacker. On the other hand, TFN2K and Stacheldraht are used in DDoS attack by flooding the target system with a massive network traffic sent from various locations.

Some examples of DDoS attacks are Domain Name System (DNS) attacks or DNS amplification, SYN floods, NTP amplification, HTTP floods, etc. These major DDoS attacks are discussed as follows:

Domain Name System (DNS) attacks or DNS amplification: It is a DDoS attack, which occurs between a DNS query and a DNS response. In this the attackers sends small DNS queries to each DNS server. Further, these queries contain spoofed IP address of the targeted system and in response to these queries, the server sends large responses. Thus, the link where the large responses return, gets congested and denial of service takes place.

SYN flood: A Synchronisation (SYN) flood attacks the “TOP three-way handshake” of the server. The TCP three-way handshake is a three-step communication process. In the first step, the client sends the SYN flag to the server. In the second step, the server sends the acknowledgment message with an SYN flag to the client. Further, in the final step, the client again sends the ACK request back to the server for the synchronisation. After acknowledging each other, the client and server complete the handshake successfully. Now, in SYN flood, the attacker sends the TCP connections requests so rapidly to the target server that the server is unable to handle all requests and causes the network congestion. Further, in SYN flood, sometimes a bundle of SYN packets are sent to the server that tries to response each SYN request separately, which causes the failure of communication.

 

NTP amplification: The Network Time Protocol (NTP) is a network protocol that synchronises the clocks of the Internet-connected systems. In the NTP amplification the attacker attacks the NTP servers and continuously sends the request called get monlist to the NTP server and changes the IP addresses of the server in such a way that the victim’s server assumes that the request is coming from other authorised systems. In response to the query, the NTP server sends the list to the machines containing spoofed IF address. Now, just like the DNS response, the request-response in NTP amplification are so large that increases the traffic at the server side. The standard ratio of request-response of the NTP amplification ranges between 20:1 and 200:1, which is more than the DNS amplification which is 70:1.

Smurf: In the Smurf attack the attacker targets system by using broadcast ping messages. The attacker pings different computer systems and change the source address of the data packets so that the target or victim assumes that the pings are coming from other authorised systems. After receiving the ping requests, all target systems response to the same address that causes the overburden of the system along with the data. Smurf mainly targets the, network layer that sends the Internet Control Message Protocol (ICMP) echo requests to the target machines. The target of smurf is to exploit the broadcasting of messages in the broadcast network.