Denial of Service

What is a denial of service (DoS) attack? A DoS attack takes place when availability
to a resource is intentionally blocked or degraded by an attacker. In other
words, the attack impedes the availability of the resource to its regular authorized
users.These types of attacks can occur through one of two vectors: either on the
local system, or remotely from across a network.The attack can concentrate on one
of the following:
■ Degrading processes
■ Degrading storage capability
■ Destroying files to render the resource unusable
■ Shutting down parts of the system or processes
Let’s take a closer look at each of these items.
Local Vector Denial of Service
Local DoS attacks are common, and in many cases, may be preventable.Although
any type of DoS can be frustrating and costly, local denial of service attacks are
typically the most preferable to encounter. Given the right security infrastructure,
these types of attacks are easily traced, and the attacker is easily identified.
Three common types of local denial of service attacks are process degradation,
disk space exhaustion, and index node (inode) exhaustion.
Process Degradation
One local denial of service is the degrading of processes.This occurs when
the attacker reduces performance by overloading the target system, by either
spawning multiple processes to eat up all available resources of the host system,
by spawning enough processes to fill to capacity the system process table, or by
spawning enough processes to overload the central processing unit (CPU).
An example of this type of attack is exhibited through a recent vulnerability
discovered in the Linux kernel. By creating a system of deep symbolic links, a
user can prevent the scheduling of other processes when an attempt to dereference
the symbolic link is made. Upon creating the symbolic links, then
attempting to perform a head or cat of one of the deeply linked files, the process
scheduler is blocked, therefore preventing any other processes on the system from
receiving CPU time.The following is source code of; this shell script will create the necessary links on an affected system (this problem was not fully
fixed until Linux kernel version 2.4.12):
# by Nergal
while [ $I -lt $ELNUM ] ; do
ln -s "$P"l$2 l$IND
#main program
if [ $# != 1 ] ; then
echo A numerical argument is required.
exit 0
mklink 4
mklink 3
mklink 2
mklink 1
mklink 0 /../../../../../../../etc/services
mkdir l5
mkdir l
Another type of local denial of service attack is the fork bomb.This problem is
not Linux-specific, and it affects a number of other operating systems on various
platforms.The fork bomb is easy to implement using the shell or C.
The code for C is as follows:
(main() {for(;;)fork();})
In both of these scenarios, an attacker can degrade process performance with
varying effects—these effects may be as minimal as making a system perform
slowly, or they may be as extreme as monopolizing system resources and causing
a system to crash.
Disk Space Exhaustion
Another type of local attack is one that fills disk space to capacity. Disk space is a
finite resource, though it has always been a supposition by many UNIX programmers
that a lack of hardware is a user problem, not a programming one. In the
past, disk space was an extremely expensive resource, although the current
industry has brought the price of disk storage down significantly.Though you can
solve many of the storage complications with solutions such as disk arrays and
software that monitors storage abuse, disk space will continue to be a bottleneck
to all systems. Software-based solutions such as per-user storage quotas are
designed to alleviate this problem.
This type of attack prevents the creation of new files and the growth of
existing files. An added problem is that some UNIX systems will crash when the
root partition reaches storage capacity. Although this isn’t a design flaw on the
part of UNIX itself, a properly administered system should include a separate
partition for the log facilities, such as /var, and a separate partition for users, such
as the /home directory on Linux systems, or /export/home on Sun systems.
Attackers can use this type of denial of service to crash systems, such as when
a disk layout hasn’t been designed with user and log partitions on a separate slice.
They can also use it to obscure activities of a user by generating a large amount
of events that are logged to via syslog, filling the partition on which logs are
stored and making it impossible for syslog to log any further activity.
Such an attack is trivial to launch. A local user can simply perform the following
cat /dev/zero > ~/maliciousfile
This command will concatenate data from the /dev/zero device file (which
simply generates zeros) into maliciousfile, continuing until either the user stops the
process, or the capacity of the partition is filled.
A disk space exhaustion attack could also be leveraged through such attacks as
mail bombing. Although this is an old ploy, it is not commonly seen in the present
(even with the advent of anonymous remailers).The reasons are perhaps that
mail is easily traced via SMTP headers, and although open relays or remailers can
be used, finding the purveyor of a mail bomb is not rocket science. For this
reason, most mail bombers find themselves either without Internet access, jailed,
or both.
Inode Exhaustion
The last type of local denial of service attack we discuss is inode exhaustion, similar
to the disk capacity attack. Inode exhaustion attacks are focused specifically on
the design of the file system.The term inode is an acronym for the words index
node. Index nodes are an essential part of the UNIX file system.
An inode contains information essential to the management of the file
system.This information includes, at a minimum, the owner of a file, the group
membership of a file, the type of file, the permissions, size, and block addresses
containing the data of the file.When a file system is formatted, a finite number of
inodes are created to handle the indexing of files with that slice.
An inode exhaustion attack focuses on using up all the available inodes for
the partition. Exhaustion of these resources creates a similar situation to that of
the disk space attack, leaving the system unable to create new files.This type of
attack is usually leveraged to cripple a system and prevent the logging of system
events, especially those activities of the attacker.
Network Vector Denial of Service
Denial of service attacks launched via a network vector can essentially be broken
down into one of two categories: an attack that affects a specific service, or an attack
that targets an entire system.The severity and danger of these attacks vary significantly.
These types of attacks are designed to produce inconvenience, and are
often launched as a retaliatory attack.
To speak briefly about the psychology behind these attacks, network vector
denial of service attacks are, by and large, the choice method of cowards.The reasons,
ranging from digital vigilantism to Internet Relay Chat (IRC) turf wars,
matter not. Freely and readily available tools make a subculture (and we borrow
the term coined by Jose Oquendo—also known as sil of fame)
called script kiddiots possible.The term script kiddiot, broken down into base form,
would define script as “a prewritten program to be run by a user,” and kiddiot being a combination of the words kid and idiot. Fitting.The availability of these
tools gives these individuals the power of anonymity and ability to cause a nuisance,
while requiring little or no technical knowledge.The only group with
more responsibility for these attacks than the script kiddiots is the group of professionals
who continue to make them possible through such things as lack of
egress filtering.
Network vector attacks, as mentioned, can affect specific services or an entire
system; depending on who is targeted and why, these types of attacks include
client, service, and system-directed denials of service.The following sections look at
each of these types of denial of service in a little more detail.
Client-Side Network DoS
Client-side denials of service are typically targeted at a specific product.Their purpose
is to render the user of the client incapable of performing any activity with
the client. One such attack is through the use of what’s called JavaScript bombs.
By default, most Web browsers enable JavaScript.This is apparent anytime one
visits a Web site, and a pop-up or pop-under ad is displayed. However, JavaScript
can also be used in a number of malicious ways, one of which is to launch a DoS
attack against a client. Using the same technique that advertisers use to create a
new window with an advertisement, an attacker can create a malicious Web page
consisting of a never-ending loop of window creation.The end result is that so
many windows are “popped up,” the system becomes resource-bound.
This is an example of a client-side attack, denying service to the user by exercising
a resource starvation attack as we previously discussed, but using the network
as a vector.This is only one of many client-side attacks, with others
affecting products such as the AOL Instant Messenger, the ICQ Instant Message
Client, and similar software.
Service-Based Network DoS
Another type of DoS attack launched via networks is service-based attacks. A service-
based attack is intended to target a specific service, rendering it unavailable
to legitimate users.These attacks are typically launched at a service such as a
Hypertext Transfer Protocol Daemon (HTTPD), Mail Transport Agent (MTA), or
other such service that users typically require.
An example of this problem is a vulnerability that was discovered in the Web
configuration infrastructure of the Cisco Broadband Operating System (CBOS).
When the Code Red worm began taking advantage of Microsoft’s Internet Information Server (IIS) 5.0 Web servers the world over, the worm was discovered
to be indiscriminate in the type of Web server it attacked. It would scan networks
searching for Web servers, and attempt to exploit any Web server it
A side effect of this worm was that although some hosts were not vulnerable
to the malicious payload it carried, some hosts were vulnerable in a different way.
CBOS was one of these scenarios. Upon receiving multiple Transmission Control
Protocol (TCP) connections via port 80 from Code Red infected hosts, CBOS
would crash.
Though this vulnerability was discovered as a casualty of another, the problem
could be exploited by a user with one of any readily available network auditing
tools. After attack, the router would be incapable of configuration, requiring a
power-cycling of the router to make the configuration facility available.This is a
classic example of an attack directed specifically at one service.
System-Directed Network DoS
A DoS directed towards a system via the network vector is typically used to produce
the same results as a local DoS: Degrading performance or making the
system completely unavailable.A few approaches are typically seen in this type of
attack, and they basically define the methods used in entirety. One is using an
exploit to attack one system from another, leaving the target system inoperable.
This type of attack was displayed by the land.c, Ping of Death, and teardrop exploits
of a couple years ago, and the various TCP/IP fragmented packet vulnerabilities
in products such as D-Link routers and the Microsoft ISA Server.
Also along this line is the concept of SYN flooding.This attack can be
launched in a variety of ways, from either one system on a network faster than
the target system to multiple systems on large pipes.This type of attack is used
mainly to degrade system performance.The SYN flood is accomplished by
sending TCP connection requests faster than a system can process them.The
target system sets aside resources to track each connection, so a great number of
incoming SYNs can cause the target host to run out of resources for new legitimate
connections.The source IP address is, as usual, spoofed so that when the
target system attempts to respond with the second portion of the three-way
handshake, a SYN-ACK (synchronization-acknowledgment), it receives no
response. Some operating systems will retransmit the SYN-ACK a number of
times before releasing the resources back to the system. One can detect a SYN flood coming from the preceding code by using a
variety of tools, such as the netstat command shown in Figure 2.1, or through
infrastructure such as network intrusion detection systems (IDSs).
On several operating system platforms, using the –n parameter displays
addresses and port numbers in numerical format, and the –p switch allows you to
select only the protocol you are interested in viewing.This prevents all User
Datagram Protocol (UDP) connections from being shown so that you can view
only the connections you are interested in for this particular attack. Check the
documentation for the version of netstat that is available on your operating system
to ensure that you use the correct switches.
Additionally, some operating systems support features such as TCP SYN
cookies. Using SYN cookies is a method of connection establishment that uses
cryptography for security.When a system receives a SYN, it returns a SYN+ACK,
as though the SYN queue is actually larger.When it receives an ACK back from
the initiating system, it uses the recent value of the 32-bit time counter modulus
32, and passes it through the secret server-side function. If the value fits, the
extracted maximum segment size (MSS) is used, and the SYN queue entry rebuilt.
Let’s also look at the topic of smurfing or packeting attacks, which are typically
purveyed by the previously mentioned script kiddiots.The smurf attack performs
a network vector DoS against the target host.This attack relies on an intermediary,
the router, to help, as shown in Figure 2.2.The attacker, spoofing the source
IP address of the target host, generates a large amount of Internet Control
Message Protocol (ICMP) echo traffic directed toward IP broadcast addresses.The
router, also known as a smurf amplifier, converts the IP broadcast to a Layer 2
broadcast and sends it on its way. Each host that receives the broadcast responds
back to the spoofed source IP with an echo reply. Depending on the number of
hosts on the network, both the router and target host can be inundated with
traffic.This can result in the decrease of network performance for the host being
attacked, and depending on the number of amplifier networks used, the target
network becoming saturated to capacity.
The last system-directed DoS attack using the network vector is distributed
denial of service (DDoS).This concept is similar to that of the previously mentioned
smurf attack.The means of the attack, and method of which it is leveraged,
however, is significantly different from that of a smurf attack.
This type of attack depends on the use of a client, masters, and daemons (also
called zombies). Attackers use the client to initiate the attack by using masters,
which are compromised hosts that have a special program on them allowing the
control of multiple daemons. Daemons are compromised hosts that also have a
special program running on them, and are the ones that generate the flow of
packets to the target system.The current crop of DDoS tools includes trinoo,Router
IBM AS/400 IBM 3174 Cray Supercomputer
Attacker sends spoofed ICMP packets to a smurf amplifying network.
Packets enter router, and all hosts on the
network respond to the spoofed source address.
The target machine receives large amounts
of ICMP ECHO traffic, degrading performance.
Tribe Flood Network,Tribe Flood Network 2000, stacheldraht, shaft, and
mstream. In order for the DDoS to work, the special program must be placed
on dozens or hundreds of “agent” systems. Normally an automated procedure
looks for hosts that can be compromised (buffer overflows in the remote procedure
call [RPC] services statd, cmsd, and ttdbserverd, for example), and then
places the special program on the compromised host. Once the DDoS attack
is initiated, each of the agents sends the heavy stream of traffic to the target,
inundating it with a flood of traffic.