How to Stop Denial of Service attacks

Valic —  June 2, 2010 — 3 Comments

You probably heard before of the term Denial of Service. What does this mean? How can you stop DOS?

Taking advantage of a known problem with the Operating System or any running services on the target, a good programmer can build an application that sends some data that causes the targeted system to crash.

The worst case scenario is not when a hacker crashes a service, but when it finds a way to maximize the CPU usage causing a total malfunction on the system.

Of course most of the attacks are not initiated by these kind of programmers, but by “script kiddies” who only read about it, find the program’s source over the web and just use it without knowing the mechanisms it uses.

Usually, DoS attacks are closely related to brute force attacks. The brute force attack uses all combinations of possible characters or dictionary word lists to try find out any passwords on the system (eg root accounts). When a root account in a network is found out, any DoS attacks can be done easily over the specific network.

Here are some of the most known DoS attacks:

1. SYN Floods

You should know that when a client and a server want to transmit data over the TCP protocol, a three-way handshake occurs:

  • The client asks for a connection with a SYN (synchronize) package
  • The server replies to the client with a SYN-ACK (syn-acknowledgments)
  • The client sends a third packages as a ACK and the transmission of the data starts.

The SYN flood works by sending SYN packets from false IP addresses (IP spoofing). The server replies to that false IP address with an SYN-ACK and then waits for ACK. Doing this many times will cause the server to end up in the impossibility of opening new connection, creating a network congestion.

Another SYN flood attack involves sending a packet to the server, spoofed with the server’s address (let’s say the server’s IP is then you send a SYN packet from to Repeating this many times will make the server sending SYN-ACK and ACK to itself, blocking it.

Patches to this kind of attack used a connection number limit from the same source/timeframe. SYN cookies also hold down the handling of the packets until the sender’s IP address is verified.

2. SMURF attacks

In this kind of attacks a massive amount of ping traffic (ICMP echos) is sent to the broadcast address of the network. The source IP address is spoofed to look like the target’s. If this traffic is forwarded to the network, all hosts will reply with an echo to the target, believing that they receive an echo request (PING) from it. In a large networks, a targeted server for example can be flooded by hundreds of replies at once. By sending the spoofed packet several times, the server will be flooded until it crashes from the overload.

This kind of attacks were mostly patched by making the routers not forwarding broadcast directed traffic to the network.

3. LAND attacks

LAND attacks take advantage of opened network services on the target. By using a port sniffer, opened ports and services are found out. Then spoofed packages are sent with IP address source the same as IP address destination (server’s address) to make it reply to itself. Let’s say for example that it uses SNMP (simple network management protocol – service used to report network and system’s usage). By making a SNMP service to reply to itself continuously it finally crashes.

4. Ping of death

This type of DoS attack takes advantage of a known issue with Windows 9x and older NT stations, as well as Linux prior to 2.0.32. Many routers and printers older then 1998 are vulnerable to this too.

It works by sending a malformed format of a ping packet. Usually, ping packets are small-sized (like 32bytes or 64bytes by default). Older Operating Systems and other devices could not handle ping larger than the maximum IP packet size of 65535 bytes (defined by RFC 791). By sending a large packet or a malformed one, any system that doesn’t know how to handle it crashes (eg. in Windows 9x a blue screen of death was generated).

Patches are available on the web for any old operating systems or devices.

5. Ping flooding

This is probably the simplest DoS attack that exists. It is also the most used. It works by overwhelming the target with echo requests (pings) having large packets. The target has it’s bandwidth occupied by these requests already and floods itself by starting to reply back. Of course, the attacker must have a larger bandwidth than the target (for example flooding a dial-up user from a 1Mbps connection).

With the increase of the servers’ bandwidth, this type of attacks became useless for an ADSL user for instance.

The “problem” was solved by using multiple hosts, creating the first DDoS attacks (distributed denial of service).

DDoS attacks work by owning let’s say 50 boxes each with 1Mbps bandwidth. Then the attacker uses all of them to ping flood the target, creating a great amount of traffic on the host.

Stacheldraht for example is a console that connects to owned boxes running Stacheldraht server. It then coordinates the attacks from a single point.

The solution to this type of attacks is the firewall, which filters any echo replies from being sent. Of course, firewalls can be crashed as well.


Posts Twitter Facebook

Editor in Chief at Debian-Tutorials, Linux enthusiast.

3 responses to How to Stop Denial of Service attacks

  1. Great article
    Thanks for sharing

  2. Your article only explains in layman’s term what these attacks are not how to mitigate these, but your article title is : How to Stop Denial of Service attacks.
    Did you write this just to increase your web server page count?

  3. Only when you will know how DOS work you will be able to stop it.

Leave a Reply