Contact: http://www.packetnexus.com
Feature: Denial-of-Service Attack FAQ

Because of the rapid increase in DDoS attacks, we are providing this FAQ about what they are, how they work, and what can be done to prevent them.

1. What is a denial-of-service (DoS) attack?

DoS attacks are designed to disrupt Internet service to a corporate Web site or individual. These attacks come in two varieties: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. While a DoS attack typically originates from a single source, a DDoS attack comes from multiple sources. In a DDoS attack, the attacker often controls hundreds or thousands of machines, or "soldiers," each of which delivers an attack, thereby exponentially increasing the power of the attack. Furthermore, because DDoS attacks emanate from many computers instead of one, it's easier for the attacker to mask his identity.

2. What are some common types of DoS attacks?

Single-User DoS
An attacker sends a malformed packet to an individual, usually on his or her PC, aimed at making the machine crash or reboot.

Server DoS
An attacker seeks to cripple a specific server, such as a Web server, mail server, or Usenet news server. The most common server DoS is a SYN flood, in which the attacker uses a script to create SYN packets, each with a different spoofed, or forged, source address. Because the source is spoofed, the machine's reply goes to the forged address and the final acknowledgement never comes back, so the machine waits for as long as it's configured to hold the half-open connection. Sending many SYN packets can cause the machine to run out of resources. A SYN flood attack is similar to what would happen if you received hundreds of phone calls, but for each call the caller left the phone off the hook after you picked up, preventing you from using your phone until the hang-up timed out.

Bandwidth DoS
The attacker seeks to deny all service to a site by using up all of its bandwidth in a flood of bogus packets.
One common bandwidth DoS is the smurf attack, in which the attacker uses a script to create ICMP_ECHO_REQUEST packets, all with the source IP address of the victim, and then sends the packets to a list of networks. These networks - if they haven't been properly configured - will amplify each packet many times (one reply from every host on the network that answers the broadcast) and return all the traffic to the victim.

For more information on DoS attacks, see the following sites:

Craig Huegen's Smurf Attack paper; http://www.quadrunner.com/~chuegen/smurf.cgi
IOPS' FAQ on Smurf Attacks; http://www.iops.org/Documents/smurf-faq.html
CERT Advisory CA-98-01.smurf "smurf" IP Denial-of-Service Attacks; http://www.cert.org/advisories/CA-98.01.smurf.html
CERT Coordination Center's Tech Tips paper on Denial of Service; http://www.cert.org/tech_tips/denial_of_service.html

For more information on DDoS attacks, see the following sites:

CERT Advisory CA-2000-01 Denial-of-Service Developments; http://www.cert.org/advisories/CA-2000-01.html
CERT Advisory CA-99-17 Denial-of-Service Tools; http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
Dave Dittrich's pages on Trinoo, TFN & stacheldraht (direct pointers); http://staff.washington.edu/dittrich/misc/trinoo.analysis http://staff.
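The two patterns described in this FAQ, the half-open connections a SYN flood leaves on a server and the unsolicited echo replies a smurf attack pours onto its victim, can both be spotted from the victim's own side by accounting for traffic that never completes. The script below is an added example, not part of this FAQ or of the sites it cites. It parses a constructed, simplified packet log (a "time proto src -> dst kind" format assumed for this demo, not the output of any real tool), tracks each TCP handshake to see whether it completes, and matches ICMP echo replies against echo requests the receiver actually sent; a server with many half-open connections from many distinct sources is reported as a SYN-flood target, and a host receiving replies from many sources it never pinged as a smurf victim. The thresholds are assumptions to tune for a real network.

```python
"""Detect SYN-flood and smurf traffic patterns in a simplified packet log.

Added example, not part of the packetnexus FAQ. The log format is assumed
for this demo: "<time> <proto> <src> -> <dst> <kind>"; TCP endpoints are
ip:port, ICMP endpoints are bare IPs.
"""
from collections import defaultdict

# Constructed sample traffic: one legitimate TCP handshake and one
# legitimate ping exchange with the server 192.0.2.10.
LEGIT = """\
0.001 tcp 10.0.0.5:40001 -> 192.0.2.10:80 SYN
0.002 tcp 192.0.2.10:80 -> 10.0.0.5:40001 SYN-ACK
0.003 tcp 10.0.0.5:40001 -> 192.0.2.10:80 ACK
0.004 icmp 10.0.0.5 -> 192.0.2.10 echo-request
0.005 icmp 192.0.2.10 -> 10.0.0.5 echo-reply
"""
# Constructed SYN flood: six SYNs, each with a different forged source. The
# server answers every one, but the reply goes to the forged address, so no
# final ACK ever arrives and each connection stays half-open.
FLOOD = "".join(
    f"1.{i:03d} tcp 198.51.100.{i}:4000{i} -> 192.0.2.10:80 SYN\n"
    f"1.{i:03d} tcp 192.0.2.10:80 -> 198.51.100.{i}:4000{i} SYN-ACK\n"
    for i in range(1, 7)
)
# Constructed smurf traffic: echo replies from six hosts on an amplifier
# network converge on the victim, which never sent any of them a request.
SMURF = "".join(
    f"2.{i:03d} icmp 203.0.113.{i} -> 192.0.2.10 echo-reply\n" for i in range(1, 7)
)
SAMPLE_LOG = LEGIT + FLOOD + SMURF


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); a bare 'ip' -> (ip, None)."""
    if ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "->":
            continue
        ts, proto, src, _, dst, kind = parts
        packets.append({"ts": float(ts), "proto": proto, "src": src, "dst": dst, "kind": kind})
    return packets


def find_syn_floods(packets, half_open_threshold=5, min_distinct_sources=5):
    """Flag (server, port) pairs holding many half-open connections from many sources.

    A connection counts as half-open from its SYN until the client's final ACK
    completes the handshake; spoofed-source SYNs never reach that stage.
    """
    state = {}  # (client_ip, client_port, server_ip, server_port) -> handshake stage
    for p in packets:
        if p["proto"] != "tcp":
            continue
        src_ip, src_port = split_endpoint(p["src"])
        dst_ip, dst_port = split_endpoint(p["dst"])
        if p["kind"] == "SYN":
            state[(src_ip, src_port, dst_ip, dst_port)] = "syn"
        elif p["kind"] == "SYN-ACK":  # travels server -> client, so the key is reversed
            key = (dst_ip, dst_port, src_ip, src_port)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p["kind"] == "ACK":
            key = (src_ip, src_port, dst_ip, dst_port)
            if state.get(key) == "synack":
                state[key] = "open"
    half_open = defaultdict(lambda: {"count": 0, "sources": set()})
    for (client_ip, _, server_ip, server_port), stage in state.items():
        if stage != "open":
            entry = half_open[(server_ip, server_port)]
            entry["count"] += 1
            entry["sources"].add(client_ip)
    return [
        {"target": f"{ip}:{port}", "half_open": e["count"], "distinct_sources": len(e["sources"])}
        for (ip, port), e in half_open.items()
        if e["count"] >= half_open_threshold and len(e["sources"]) >= min_distinct_sources
    ]


def find_smurf_victims(packets, min_unsolicited_sources=5):
    """Flag hosts receiving echo replies from many hosts they never pinged."""
    requested = set()  # (requester, target) pairs with an echo request on record
    unsolicited = defaultdict(set)  # victim -> replying hosts it never asked
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["kind"] == "echo-request":
            requested.add((p["src"], p["dst"]))
        elif p["kind"] == "echo-reply" and (p["dst"], p["src"]) not in requested:
            unsolicited[p["dst"]].add(p["src"])
    return [
        {"victim": victim, "unsolicited_reply_sources": len(hosts)}
        for victim, hosts in unsolicited.items()
        if len(hosts) >= min_unsolicited_sources
    ]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("SYN flood targets:", find_syn_floods(pkts))
    print("Smurf victims:", find_smurf_victims(pkts))
```

Run as-is, the script reports 192.0.2.10:80 with six half-open connections from six distinct sources and 192.0.2.10 as the recipient of replies from six hosts it never pinged, while the legitimate handshake and ping are not flagged. The half-open count alone would also rise under a legitimate burst of clients on a slow network, which is why the SYN check requires many distinct sources as well; on a real log the request/reply matching should be windowed by time, since the table of outstanding requests otherwise grows without bound.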