DoS - Types of Attacks

DoS attacks come in many flavors...

Service Request Floods
In this form of attack, a service such as a web server or web application is flooded with requests until all resources are exhausted. This would be the equivalent of calling someone on the phone over and over again so they could not answer any other calls because the line is continuously occupied. When a single system is attacking another, it is tough to overwhelm the victim, but it can be done on smaller targets or in unprepared environments. Service request floods are typically carried out by setting up repeated TCP connections to a system. The repeated connections consume resources on the target system to the point of exhaustion.

SYN Attack or SYN Flood
This type of attack exploits the nature of the TCP three-way handshake with the intention of tying up a system. For this attack to occur, the attacker forges SYN packets with a bogus source address. When the target system responds with a SYN/ACK, it goes to this bogus source address, and since the address doesn't exist, the victim system is left waiting for a response that will never come. This waiting period ties up a connection on the system, as the system will not receive an ACK. The target system only has a limited number of reserved backlog slots, which are used for connections that have not yet completed the three-way handshake. The target may also run out of source ports. When this attack is carried out on a target system with a default setup, it may cause the connection to be tied up for 75 seconds at a time before the system assumes the final ACK will never arrive. If the attacker can open enough of these half-open connections and do it rapidly, they can keep the system out of service.
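
The half-open backlog described above is exactly what a defender can watch. The following is an added example, not code from the original post: it tracks SYNs that never receive their final ACK per listener, expires them after the 75-second window the post mentions, and raises an alert when the count approaches an assumed backlog size. All packet records are constructed.

```python
# Added example (not from the original post): a half-open connection monitor
# showing how a SYN flood looks from the defender's side. Packet records are
# constructed; the 75 s timeout comes from the post, and the backlog size and
# alert threshold are assumptions chosen for illustration.
from collections import defaultdict

HALF_OPEN_TIMEOUT = 75.0   # seconds a stack waits for the final ACK (from the post)
BACKLOG_SIZE = 128         # assumed size of the listener's backlog of half-open slots

def half_open_connections(packets, now):
    """Map (dst, dport) -> set of (src, sport) still waiting for the final ACK.

    Each packet is a dict with keys t, src, sport, dst, dport, flags. A SYN opens
    an entry; an ACK on the same 4-tuple completes it. Entries older than
    HALF_OPEN_TIMEOUT are dropped, as the target's stack would drop them.
    """
    pending = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "SYN":
            pending[key] = p["t"]
        elif p["flags"] == "ACK":
            pending.pop(key, None)
    per_listener = defaultdict(set)
    for (src, sport, dst, dport), t in pending.items():
        if now - t <= HALF_OPEN_TIMEOUT:
            per_listener[(dst, dport)].add((src, sport))
    return per_listener

def syn_flood_alerts(packets, now, fraction=0.8):
    """Listeners whose half-open count has reached `fraction` of the backlog."""
    return {k: len(v) for k, v in half_open_connections(packets, now).items()
            if len(v) >= BACKLOG_SIZE * fraction}

# Constructed traffic: one legitimate client completes its handshake, then 120
# SYNs arrive from addresses that never answer the SYN/ACK.
SAMPLE = [
    {"t": 0.0, "src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "flags": "SYN"},
    {"t": 0.1, "src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "flags": "ACK"},
]
SAMPLE += [{"t": 1.0 + i * 0.01, "src": f"192.0.2.{i % 254 + 1}", "sport": 1024 + i,
            "dst": "203.0.113.10", "dport": 80, "flags": "SYN"} for i in range(120)]

if __name__ == "__main__":
    print(syn_flood_alerts(SAMPLE, now=10.0))   # {('203.0.113.10', 80): 120}
    print(syn_flood_alerts(SAMPLE, now=200.0))  # {} after the entries time out
```

The second call shows the same stream once the timeout has elapsed: the entries are gone, which is why a flood only works if the attacker keeps the half-open connections arriving faster than they expire.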

ICMP Flood Attack
An ICMP request requires the target server to process the request and respond, thus consuming CPU resources. Attacks on the ICMP protocol include smurf attacks, ICMP floods, and ping floods, all of which take advantage of this by flooding the server with ICMP requests without waiting for the responses.

Ping of Death
This attack uses a ping packet larger than the maximum 65535 bytes allowed in a TCP packet. This technique is not much of a significant threat today due to ping blocking, OS patching, and general awareness. Note that even though the maximum packet size for a TCP packet is 65535, you will rarely see a packet of this size, if ever. The Maximum Transmission Unit (MTU) for standard Ethernet is for the most part 1500 bytes. MTU size or packet size refers only to the Ethernet payload. This does not include the Ethernet header and Cyclic Redundancy Check (CRC) trailer, which together are 18 bytes in length, making the total Ethernet frame size 1518. Baby giant frames and jumbo frames are not taken into consideration here. Baby giant frames refer to Ethernet frame sizes up to 1600 bytes, and jumbo frames refer to Ethernet frame sizes up to 9216 bytes.

Teardrop Attack
A teardrop attack occurs when an attacker sends crafted fragmented packets with offset values that overlap during the attempt to reassemble the packet. This causes the target machine to become unstable when attempting to reassemble the fragmented packets.

Smurf Attack
A smurf attack spoofs the IP address of the target host, using it as the source, and sends numerous ICMP echo requests to the broadcast addresses of intermediary sites. The intermediary sites amplify the ICMP traffic back to the spoofed source IP, thereby saturating the network segment of the target machine.

Fraggle Attack
A fraggle attack is a variation of a smurf attack that uses UDP echo requests instead of ICMP. It still uses an intermediary for amplification. Commonly a fraggle attack targets the UDP echo requests at the chargen (Character Generator) port of the intermediary systems via a broadcast request. The attacker spoofs the victim's IP address and uses it as the source address. Each client that receives the echo to the chargen port will in turn generate a character to be sent to the victim. Once it has been received, the victim will echo back to the intermediary's chargen port, thus restarting the cycle. TCP and UDP port 19 are allocated to the chargen service. The chargen service is rarely used because of design flaws and was intended for testing, debugging, and measurement purposes.

LAND Attack
A Local Area Network Denial (LAND) attack sends SYN packets to an open port on the target machine with the source address spoofed as the target host. The victim's IP address is used as both the source and the destination address. This causes the machine to reply with SYN/ACK to itself continuously. This attack might not work on modern operating systems.
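
The Ping of Death, teardrop, smurf, fraggle and LAND packets described above each have a recognisable shape on the wire, which is what a packet filter or IDS rule keys on. The following is an added example, not code from the original post: it classifies constructed packet records by those shapes and checks a datagram's fragments for overlap. The field names and the simple ".255 means broadcast" rule are this example's own assumptions.

```python
# Added example (not from the original post): signature checks for the
# malformed or spoofed packets described above (Ping of Death, teardrop, smurf,
# fraggle, LAND). Packet records are constructed dicts, not real captures, and
# the field names and the ".255"-as-broadcast rule are this example's own.
MAX_IP_DATAGRAM = 65535   # largest IP datagram; Ping of Death exceeded it

def classify_packet(p, broadcast_suffix=".255"):
    """Return the list of single-packet signatures a packet record matches."""
    hits = []
    # LAND: a SYN whose source and destination address and port are identical
    if p.get("proto") == "tcp" and "SYN" in p.get("flags", "") \
            and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
        hits.append("land")
    # Smurf: ICMP echo request aimed at a broadcast address (amplifier abuse)
    if p.get("proto") == "icmp" and p.get("type") == "echo-request" \
            and p["dst"].endswith(broadcast_suffix):
        hits.append("smurf")
    # Fraggle: UDP to the echo (7) or chargen (19) port via a broadcast address
    if p.get("proto") == "udp" and p.get("dport") in (7, 19) \
            and p["dst"].endswith(broadcast_suffix):
        hits.append("fraggle")
    # Ping of Death: a fragment whose end lies beyond the maximum datagram size
    if "frag_offset" in p and p["frag_offset"] * 8 + p["length"] > MAX_IP_DATAGRAM:
        hits.append("ping-of-death")
    return hits

def classify_fragments(frags):
    """Teardrop check over the fragments of one datagram (same IP id).

    frag_offset is in 8-byte units as on the wire; length is the payload size.
    A fragment that starts before the previous one ended overlaps it.
    """
    covered_end = 0
    for f in sorted(frags, key=lambda f: f["frag_offset"]):
        start = f["frag_offset"] * 8
        if start < covered_end:
            return ["teardrop"]
        covered_end = start + f["length"]
    return []

# Constructed samples, one per signature plus an ordinary SYN for contrast.
SAMPLES = {
    "land": {"proto": "tcp", "flags": "SYN", "src": "203.0.113.10", "dst": "203.0.113.10", "sport": 139, "dport": 139},
    "smurf": {"proto": "icmp", "type": "echo-request", "src": "203.0.113.10", "dst": "192.0.2.255"},
    "fraggle": {"proto": "udp", "src": "203.0.113.10", "dst": "192.0.2.255", "sport": 7, "dport": 19},
    "pod": {"proto": "icmp", "type": "echo-request", "src": "198.51.100.5", "dst": "203.0.113.10", "frag_offset": 8190, "length": 100},
    "normal": {"proto": "tcp", "flags": "SYN", "src": "198.51.100.5", "dst": "203.0.113.10", "sport": 40000, "dport": 80},
}
```

Note that the smurf and fraggle samples carry the victim's address (203.0.113.10) as source while being aimed at another network's broadcast address, which is why egress filtering of spoofed sources and dropping directed broadcasts at the border both break the amplification.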

Permanent DoS Attacks
Most DoS attacks have a temporary effect and only need to be stopped, and any mess created by the attack cleaned up, to put the target system back into working order. However, some types of DoS attacks, permanent denial-of-service (PDoS) attacks, destroy a system and cause it to become permanently offline. Phlashing is a form of permanent DoS attack that involves pushing bogus or incorrect updates to a target system's firmware. When this happens, the hardware may become unusable or unstable unless the hardware itself is replaced or reinstalled. Targets for this type of attack are often devices such as routers, switches, printers, etc. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image; a process which, when done legitimately, is known as flashing.

Application-level Attacks or Layer 7 Attacks
Application-level attacks are those that result in a loss or degradation of a service to the point it is unusable. These attacks can even result in the corruption or loss of data on the target system. Typically these types of attacks take one of the following forms:
• Flood - This attack overwhelms the target with traffic to make it difficult or impossible to respond to legitimate requests.
• Disrupt - This attack usually involves attacking a system with the intention of locking out or blocking a user or users - for example, attempting to log into a system several times with an incorrect password to lock out the account so that the legitimate user cannot use it.
• Jam - In this attack, the attacker typically crafts SQL queries to lock up or corrupt a database.

Distributed Reflection Denial of Service (DRDoS)
A distributed reflection denial of service attack, also known as a spoofed attack, initiates multiple intermediary and secondary devices that contribute to the DDoS attack against a target server, service or application. The attacker initiates the attack by sending requests to the intermediary machines, and these requests are then redirected to the secondary machines, which in turn reflect the traffic to the target. Besides the power of this kind of attack, this technique also has the benefit that the target sees the secondary devices as the source of the attack, thereby hiding the attacker.
Last edited by Resheph; 09-08-2017, 09:47 PM. Reason: Added DRDoS
Certified Security Geek