Understanding and defending against Denial of Service attacks
by Amy Pace, Yaagneshwaran Ganesh - SolarWinds - Friday, 6 September 2013.
Denial of Service (DoS) attacks continue to be on the rise, which is no surprise given our ever-growing dependency on Web-based services, coupled with the fact that these attacks are relatively cheap and easy to carry out. In this article, we'll discuss what DoS attacks are, several common types of DoS attack, tips to keep them at bay, and security tools that can help you mitigate the underlying weaknesses.

DoS attacks and their impact

A DoS attack is an explicit attempt to prevent legitimate users from accessing information or services on a host system. Most commonly it does this by overloading the targeted machine or service with requests, so that the resource becomes unreachable or unresponsive to its intended users. Other DoS attacks exploit known weaknesses or vulnerabilities in a system or application so that a small amount of attacker traffic consumes a disproportionate amount of some resource. Either way, the aim is to exhaust a resource the service depends on. Resources targeted include:
  • Network connectivity
  • Data structures
  • Bandwidth
  • Memory
  • CPU usage
  • Disk space
  • Application exception handling
  • Database connections.
Unfortunately, DoS attacks are becoming more sophisticated and better at evading detection. They can wreak havoc on organizations by bringing down business-critical services and cutting off Web access for users, which can cost thousands to hundreds of thousands of dollars per day in lost revenue.

Attackers use several methods to launch DoS attacks, and these attacks come in many different shapes and sizes. Let's take a quick look at some of them:

1. SYN attacks

In a SYN (synchronize) attack, the networking capability of the targeted system is knocked out by flooding its TCP/IP stack with connection attempts. A SYN attack exploits a weakness in the design of the TCP connection handshake and can affect any system providing TCP-based services, including Web, email, FTP and print servers.

In a normal TCP connection, the client and server exchange a series of messages to establish the connection, known as the three-way handshake. First, the client sends a SYN message to the server. The server acknowledges receipt of this message with a SYN-ACK (synchronize-acknowledgement) back to the client. Lastly, the client responds with an ACK (acknowledge) and the connection is established. Taking advantage of this process, an attacker sends a continuous stream of SYN packets, usually with spoofed source addresses, and never completes the handshake: the SYN-ACK either goes to a host that never asked for it and is ignored, or the attacker simply discards it. The targeted host allocates an entry in its queue of half-open connections for every SYN it accepts and holds that entry until the final ACK arrives or a timeout expires. Once the queue is full, further SYNs, including those from legitimate users, are dropped, so their connection attempts time out even though the server's bandwidth and CPU may be far from exhausted.

Tips to stay secure: Make sure you have a firewall or other security device in place that can recognise the characteristics of this attack (a high rate of SYNs from which no ACK ever follows), and that the host itself has a SYN-flood defence such as SYN cookies enabled, so it no longer has to keep state for every unanswered SYN. Also be certain that you have the appropriate anti-spoofing filters configured: on your external interface, deny inbound packets whose source address belongs to your internal network, and filter outbound packets whose source address does not belong to your own address space, so that your hosts cannot be used to flood others with spoofed traffic. Additionally, ensure you have the latest security patches in place, including operating system and application updates, as well as firmware updates for your network and security devices.

2. Poisoning of DNS cache

DNS cache poisoning exploits vulnerabilities in the domain name system (DNS). The attacker attempts to insert a forged address record into a DNS server's cache so that, until the entry expires, every client relying on that resolver is sent to a "rogue" site instead of the legitimate one. The goal is to lure unsuspecting users into downloading malicious programs, which the attacker can then use to compromise their machines; from the users' point of view, the legitimate service has simply become unreachable.
