Denial of service in Depth Explained
Denial-of-service attack is a very famous and common attack we daily experience such attacks but we are not able to figure it out.Let me define Denial-of-service (DOS) for you a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.What it means is sometimes we visit a website the website keeps on loading and after a while the connection from the server breaks and we get website not available error.Mostly high profile servers like bank servers, credit card payment gateways and even social services servers are targetted by hackers.
A famous part of Denial-of-service attack is DDOS Distributed Denial-Of-Service Attack the logic is same the only difference is DOS is operated from one source and DDOS from many.
■ How Denial Of Service Works
A hacker tells one or more of his computers contact a specific server or Web site repeatedly.The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely.
Some of famous Methods of Attack
● Ping of Death – bots create huge electronic packets and sends them on to victims
● Mailbomb – bots send a massive amount of e-mail, crashing e-mail servers
● Smurf Attack – bots send Internet Control Message Protocol (ICMP) messages to reflectors.
● Teardrop – bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result
● SYN flood-A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address.
● Permanent denial-of-service attacks – This ttack that damages a system so badly that it requires replacement or re-installation of hardware.
● Denial-of-Service Level II -The goal of DoS L2 attack is to cause a launching of a defense mechanism which blocks the network segment from which the attack originated. In case of distributed attack or IP header modification (that depends on the kind of security behavior) it will fully block the attacked network from Internet, but without system crash.
■ Another well known Denial Of Service is at application level for this it various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.
● Buffer overflow-It is a program written so that on the execution of it memory errors,incorrect results or a breach in security occurs.
■ To perform Denial-of-service attack hackers use tools,bot net,zombies etc etc
I would like to tell you about few famous Denial-of-service tools that have been used by hackers in past to attack high security servers.
■ LOIC (Low Orbit Ion Cannon)
■ HOIC (High Orbit Ion Canon).
It is another dos tool it is not much famous like LOIC but is very powerful and has a good GUI.It is windows executable.
Slowloris the low bandwidth, yet greedy and poisonous HTTP client!
Written by RSnake with help from John Kinsella, and a dash of inspiration from Robert E Lee.
Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
There are a number of web servers that are vulnerable to Slowloris’ form of attack. Some of the vulnerable web servers include Apache 1.x, Apache 2.x, dhttpd, and the GoAhead WebServer software.
While there are no reliable configurations of the affected web servers that will prevent the Slowloris attack, there are ways to mitigate or reduce the impact of such an attack. In general these involve increasing the maximum number of clients the webserver will allow, limiting the number of connections a single IP address is allowed to make, imposing restrictions on the minimum transfer speed a connection is allowed to have, and restricting the length of time a client is allowed to stay connected.
In the Apache web server, a number of modules can be used to limit the damage caused by the Slowloris attack; the Apache modules mod_limitipconn, mod qos, mod_evasive, mod_security, mod_noloris, and mod_antiloris have all been suggested as means of reducing the likelihood of a successful Slowloris attack.Other mitigating techniques involve setting up reverse proxies, firewalls, load balancers or content switches.Administrators could also change the affected web server to software that is unaffected by this form of attack. For example, lighttpd and nginx do not succumb to this specific attack.
IIS6.0,IIS7.0,lighttpd,Squid,nginx are reported to be uneffected.Good features of Slowloris is that it works on low bandwidth and does not stop after sometime like other softwares when they stop getting response from the server.
The Jester (leetspeak handle th3j35t3r) is a computer vigilante who describes himself as grey hat hacktivist.He or she claims to be responsible for attacks on WikiLeaks,4chan,Iranian President Mahmoud Ahmadinejad,and Islamist websites.He claims to be acting out of American patriotism.The Jester uses a denial-of-service (DoS) tool known as “XerXeS”, that he claims to have developed.One of The Jester’s habits is to tweet “TANGO DOWN” on Twitter whenever he successfully takes down a website.The Jester claims to have originally developed his DoS script as a means to test and harden servers.After learning from an article that Jihadists were using the Internet to recruit and coordinate terror cells, The Jester resolved to disrupt online communications between Jihadists.He weaponized his script and created a front-end known as “XerXeS” in order to solve the script’s usability problems.
HULK (Http Unbearable Load King) is a web server denial of service tool written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server’s direct resource pool.
■ DOS prevention –
● Mitigation performance – high rate DDoS must be mitigated by specialized hardware to withstand the attack load while allowing legitimate traffic to pass through – e.g. Anti-DDoS solutions using ASIC-based DDoS Mitigation Engines
● Reducing reaction time – Network Behavioral Analysis (NBA) technology should be utilized to automatically and accurately distinguish attack traffic from legitimate traffic – at all layers including layer-7 (e.g. HTTP)
● Blocking multiple attack vectors – using NBA, IPS and DoS technologies within a single Anti-DDoS solution ensures no attack is overlooked during a multi-vector attack campaign.
● Firewalls like nexusguard,cloudflare etc helps protect ddos attacks efficiently by providing reverse ip proxy and limiting ping from a certain ip.
● Apart from Web Firewalls,Firewalls for system like iptables and comodo are also very helpful in preventing ddos attacks. They block the ip of the attacker which kick him off the server.
● Web Server matters most ddos attack fail to exploit nginx.
● For bandwidth saturation attacks, make sure your service provider can mitigate volumetric attacks that may saturate your bandwidth.
■ Note : Always Configure your firewalls,ports and other server mechanism correctly becuase I have seen cases where the admin has not configured his firewall correctly and becomes a victim of DDOS.
■ Note For Server Administrators: A fact is despite being designed to provide network security, firewalls and intrusion prevention systems (IPS) are impacted by DDoS attacks.To stop DDoS attacks you can also go for dedicated hardware solutions.
Correct knowledge can save you from all kind of attacks & always stay awake to updates.
About The Author – Rashmil Tyagi is a young Cyber Security Consultant you can contact him @ email@example.com
Story added 30. April 2014, content source with full text you can find at link above.