Denial of Service Attack
By Abir Atarthy
Denial of Service
A DoS attack is an attempt by a hacker to flood a user’s or an organization’s system.
During a Denial of Service (DoS) attack, a hacker renders a system unusable or significantly slows the system by overloading resources or preventing legitimate users from accessing the system. These attacks can be perpetrated against an individual system or an entire network and are usually successful in their attempts.
Session hijacking is a hacking method that creates a temporary DoS for an end user when an attacker takes over the session. Session hijacking is used by hackers to take over a current session after the user has established an authenticated session. Session hijacking can also be used to perpetrate a man-in-the-middle attack when the hacker steps between the server and legitimate client and intercepts all traffic.
Types of DoS Attacks
There are two main categories of DoS attacks: those sent by a single system to a single target (simple DoS) and those sent by many systems to a single target (DDoS).
The goal of DoS isn’t to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A DoS attack may do the following:
- Flood a network with traffic, thereby preventing legitimate network traffic.
- Disrupt connections between two machines, thereby preventing access to a service.
- Prevent a particular individual from accessing a service.
- Disrupt service to a specific system or person.
Different tools use different types of traffic to flood a victim, but the result is the same: a service on the system, or the entire system, is unavailable to a user because it’s kept busy trying to respond to an exorbitant number of requests.
A DoS attack is usually an attack of last resort. It’s considered an unsophisticated attack because it doesn’t gain the hacker access to any information but rather annoys the target and interrupts their service. DoS attacks can be destructive and have a substantial impact when sent from multiple systems at the same time (DDoS attacks).
DDoS attacks can be perpetrated by bots and botnets, which are compromised systems that an attacker uses to launch the attack against the end victim. The system or network that has been compromised is a secondary victim, whereas the DoS and DDoS attacks flood the primary victim or target.
How DDoS Attacks Work
DDoS is an advanced version of the DoS attack. Like DoS, DDoS also tries to deny access to services running on a system by sending packets to the destination system in a way that the destination system can’t handle. The key feature of a DDoS attack is that it relays attacks from many different hosts (which must first be compromised), rather than from a single host as in DoS. DDoS is a large-scale, coordinated attack on a victim system.
The services under attack are those of the primary victim; the compromised systems used to launch the attack are secondary victims. These compromised systems, which send the DDoS to the primary victim, are sometimes called zombies or bots. They’re usually compromised through another attack and then used to launch an attack on the primary victim at a certain time or under certain conditions. It can be difficult to track the source of the attacks because they originate from several IP addresses.
DoS/DDoS Countermeasures
There are several ways to detect, halt, or prevent DoS attacks. The following are common security features available:
Network-ingress filtering
All network access providers should implement network-ingress filtering to stop any downstream networks from injecting packets with faked or spoofed addresses into the Internet. Although this doesn’t stop an attack from occurring, it does make it much easier to track down the source of the attack and terminate the attack quickly.
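The following is an added example, not code from the article, that models ingress filtering as a software check: each customer-facing interface of a hypothetical access provider is allowed to originate packets only from the prefixes assigned to it, and anything else is dropped and attributed to the interface it arrived on. The interface names, prefixes (RFC 5737 documentation ranges) and the packet trace are all constructed for the example.

```python
"""Ingress (source-address) filtering at a provider edge, modelled in Python.

Added example: the topology below is hypothetical. Each downstream interface
may only inject packets whose source address lies in the prefixes assigned
to that customer; a spoofed source is dropped and counted against the
interface it came from, which is what makes the true origin traceable."""
import ipaddress
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)

# Constructed provider configuration: interface -> prefixes the customer owns.
ALLOWED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("198.51.100.128/26"),
    ],
}


def ingress_permitted(interface: str, src: str) -> bool:
    """True if a packet with source `src` may enter via `interface`."""
    allowed = ALLOWED_SOURCES.get(interface)
    if allowed is None:
        return False  # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split a trace into (accepted, dropped) according to the ingress policy."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if ingress_permitted(iface, src) else dropped).append(pkt)
    return accepted, dropped


def spoof_report(dropped: List[Packet]) -> Dict[str, int]:
    """Count dropped (spoofed) packets per ingress interface.

    Because the drop is recorded at the edge, the operator learns which
    downstream network is emitting forged sources even though the forged
    addresses themselves point elsewhere."""
    counts: Dict[str, int] = {}
    for iface, _src, _dst in dropped:
        counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed packet trace: two legitimate packets and three spoofed ones.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-A", "203.0.113.7", "192.0.2.10"),      # A's own prefix: accepted
    ("cust-A", "198.51.100.5", "192.0.2.10"),     # B's prefix arriving via A: spoofed
    ("cust-B", "198.51.100.150", "192.0.2.10"),   # inside 198.51.100.128/26: accepted
    ("cust-B", "10.0.0.1", "192.0.2.10"),         # private source on the Internet edge: spoofed
    ("cust-B", "198.51.100.250", "192.0.2.10"),   # outside both of B's prefixes: spoofed
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted={len(ok)} dropped={len(bad)} per-interface={spoof_report(bad)}")
```

On real hardware the same policy is expressed as a per-interface access list or a unicast reverse-path check; the point of the model is that the decision needs only the arrival interface and the source address, so it is cheap enough to run on every packet.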
Rate-limiting network traffic
A number of routers in the market today have features that let you limit the amount of bandwidth some types of traffic can consume. This is sometimes referred to as traffic shaping.
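As an added example (not from the article), the token-bucket limiter below is a software model of the per-traffic-type rate limiting a router performs: a flood in one class (here ICMP) is throttled to a configured sustained rate plus a small burst, while an unconfigured class passes untouched. The class names, limits and packet trace are constructed.

```python
"""Per-class token-bucket rate limiting, a model of router traffic shaping.

Added example. Time is kept in integer milliseconds and tokens in thousandths
so the allow/drop boundary is exact (no floating-point drift in the demo)."""
from typing import Dict, Iterable, List, Tuple


class TokenBucket:
    def __init__(self, rate_pps: int, burst: int) -> None:
        self.rate_pps = rate_pps            # sustained rate, packets per second
        self.capacity_m = burst * 1000      # bucket capacity in millitokens
        self.tokens_m = self.capacity_m     # start full so a short burst passes
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = max(self.last_ms, now_ms)
        # elapsed ms * packets/s == millitokens earned in that interval
        self.tokens_m = min(self.capacity_m, self.tokens_m + elapsed * self.rate_pps)
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class Shaper:
    """Applies one bucket per traffic class; classes without a limit are forwarded."""

    def __init__(self, limits: Dict[str, Tuple[int, int]]) -> None:
        self.buckets = {cls: TokenBucket(rate, burst) for cls, (rate, burst) in limits.items()}

    def process(self, trace: Iterable[Tuple[int, str]]) -> Dict[str, Dict[str, int]]:
        stats: Dict[str, Dict[str, int]] = {}
        for t_ms, cls in trace:
            bucket = self.buckets.get(cls)
            verdict = "forwarded" if bucket is None or bucket.allow(t_ms) else "dropped"
            stats.setdefault(cls, {"forwarded": 0, "dropped": 0})[verdict] += 1
        return stats


# Constructed policy: ICMP limited to 10 packets/s with a burst of 5; web traffic unlimited.
LIMITS: Dict[str, Tuple[int, int]] = {"icmp": (10, 5)}


def constructed_trace() -> List[Tuple[int, str]]:
    """One second of traffic: 100 ICMP packets (a flood) interleaved with 20 web packets."""
    trace = [(i * 10, "icmp") for i in range(100)]
    trace += [(i * 50, "tcp/80") for i in range(20)]
    return sorted(trace)


def run_demo() -> Dict[str, Dict[str, int]]:
    return Shaper(LIMITS).process(constructed_trace())


if __name__ == "__main__":
    # Expected: icmp forwarded 14 (5 burst + 9 refilled), dropped 86; tcp/80 forwarded 20.
    print(run_demo())
```

The refill arithmetic is what makes the limiter fair to bursty but legitimate senders: a few probes in quick succession fit in the burst allowance, whereas a sustained flood is cut to the configured rate regardless of how fast it arrives.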
Intrusion detection systems
Use an intrusion detection system (IDS) to detect attackers who are communicating with slave, master, or agent machines. Doing so lets you know whether a machine in your network is being used to launch a known attack but probably won’t detect new variations of these attacks or the tools that implement them. Most IDS vendors have signatures to detect Trinoo, TFN, or Stacheldraht network traffic.
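The following added example (not code from the article or from any IDS vendor) shows what such a signature looks like in its simplest form: a scan of flow records for the control-channel ports that the original public analyses of Trinoo and Stacheldraht documented, reporting which internal host is involved so the operator can tell whether a machine on their own network is acting as a compromised agent. The port values are taken from those public analyses, not from the article, and should be checked against your vendor's current signature set; the internal prefix, flow-record format and sample records are constructed. It also illustrates the article's caveat: a tool variant that moves to other ports produces no alert.

```python
"""Port-signature detection of known DDoS tool control traffic over flow records.

Added example. Signature ports come from the public analyses of Trinoo and
Stacheldraht (not from the article); the flow format and records are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# (protocol, destination port) -> description of the control channel.
DDOS_TOOL_SIGNATURES: Dict[Tuple[str, int], str] = {
    ("tcp", 27665): "Trinoo attacker->master control channel",
    ("udp", 27444): "Trinoo master->daemon command channel",
    ("udp", 31335): "Trinoo daemon->master reply channel",
    ("tcp", 16660): "Stacheldraht client->handler channel",
    ("tcp", 65000): "Stacheldraht handler->agent channel",
}

# Constructed flow-record format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None for a line that does not match the format."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def internal_endpoint(flow: Dict[str, str], internal_net: ipaddress.IPv4Network) -> Optional[str]:
    """Which side of the flow, if any, is one of our own hosts."""
    for side in ("src", "dst"):
        if ipaddress.ip_address(flow[side]) in internal_net:
            return flow[side]
    return None


def scan_flows(lines: Iterable[str], internal_cidr: str = "10.0.0.0/8") -> List[Dict[str, str]]:
    """Emit one alert per flow whose destination port matches a known control channel."""
    internal_net = ipaddress.ip_network(internal_cidr)
    alerts: List[Dict[str, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed record: skip it rather than stop the sensor
        signature = DDOS_TOOL_SIGNATURES.get((flow["proto"], int(flow["dport"])))
        if signature is None:
            continue  # no match: a variant on other ports is invisible to this check
        alerts.append({
            "ts": flow["ts"],
            "signature": signature,
            "src": f'{flow["src"]}:{flow["sport"]}',
            "dst": f'{flow["dst"]}:{flow["dport"]}',
            "internal_endpoint": internal_endpoint(flow, internal_net) or "",
        })
    return alerts


# Constructed sample records (RFC 5737 addresses for the outside hosts).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00 tcp 10.1.2.3:51000 -> 192.0.2.44:443",       # ordinary HTTPS
    "2024-05-01T10:00:02 udp 198.51.100.9:40000 -> 10.1.2.3:27444",   # commands to an internal daemon
    "2024-05-01T10:00:02 udp 10.1.2.3:40001 -> 198.51.100.9:31335",   # internal daemon replying to master
    "2024-05-01T10:00:05 tcp 10.1.2.3:51001 -> 192.0.2.44:80",        # ordinary HTTP
    "this line is not a flow record",                                  # malformed: skipped
    "2024-05-01T10:00:09 tcp 10.1.2.3:51002 -> 203.0.113.77:16660",   # handler contact
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

A production sensor would match on payload as well as ports and would correlate the alerts over time, but the shape is the same: the signature identifies the tool, and the internal-endpoint field turns that into an answer to the question the article poses, whether one of your own machines has become a secondary victim.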
Host-auditing tools
File-scanning tools are available that attempt to detect the existence of known DDoS tool client and server binaries in a system.
Network-auditing tools
Network-scanning tools are available that attempt to detect the presence of DDoS agents running on hosts on your network.