Denial of service: Difference between revisions
Pat Palmer (talk | contribs) m (Text replacement - "swarming" to "swarming") |
Pat Palmer (talk | contribs) (removing PropDel) |
||
Line 1: | Line 1: | ||
{{subpages}} | |||
{{TOC|right}} | {{TOC|right}} | ||
Latest revision as of 12:42, 1 November 2024
Many attacks on computer security try to get the computer to do something for the miscreant, perhaps give him or her data that he/she is not authorised to have — credit card numbers, medical records, military secrets, ... — or let him or her perform some computer-mediated action — make bank withdrawals, launch some nuclear missiles, watch a pay-per-view video without paying, or whatever. A denial of service, or DOS or DoS, attack does not do that; it just tries to deny normal computer services to the authorised users.
A denial of service attack can be very dangerous. Consider causing a failure of an individual's pacemaker or a nation's electrical system. In general, they are also easier to execute than an attack that aims at getting the computer to do something for the enemy.
Some DoS attacks are flooding attacks; if an attacker sends you 10,000 emails, your normal email will likely not get through. 100,000,000 might take out not only your personal mail, but the whole mail server. Resource attacks attempt to exhaust some resource on the target system. Amplification attacks work by sending a small amount of data which will cause other systems to produce a flood.
However, not all DoS attacks involve flooding; an attacker may try to craft a really evil mail message, deliberately breaking the rules for mail formats in such a way that your mail server or your mail-reading software will crash when it tries to process the beast. Or he might take down the mail server with an attack unrelated to mail. In any case, a successful attack denies you mail service. In general, this is easier than other attacks, like trying to read your mail or produce forged mail that appears to be from you. Unfortunately, those aren't necessarily hard either, but that's another topic.
Internet operations engineers are constantly dealing with both the attack vector, or the means by which the attack propagates, and the effects of the attack.
Sometimes measures taken to improve security can leave openings for DoS attacks. Consider the policy that after three attempts to log in with a bad password, an account is disabled. This does indeed prevent certain types of password-guessing attack. However, it allows anyone to get an account disabled simply by trying it three times with a bad password. If an attacker has a list of account names, or if the system administrators assign them with some predictable pattern, he may be able to mess up the whole system.
There are positive uses for some variants of DoS, for example denying mail service to spammers by leading them to a Teergrube [1] (German for tarpit) server.
Fatal messages
In the late 90s, an attack called ping of death, abbreviated POD, became rather common, a single packet that would crash many machines. It first became widespread among gamers — crash another player's machine and you may be able to score while he is offline — but later became a standard tool for miscreants.
The Internet Protocol (IP) allows a maximum packet size of 64K-1 bytes. when a packet is fragmented, each fragment has an offset field saying where to start in re-assembly. So, for example, a 6 K byte packet might be sent as four 1.5 K packets, each labelled with two numbers for use in reassembling the packet, a starting offset and a size; the four packets would all have size 1.5 K and would start at 0, 1.5, 3 and 4.5 K offsets. This works fine if everyone plays by the rules, but the ping of death deliberately breaks them. A POD packet is a large packet with the offset set to the maximum possible value; the numbers may say it is 64 K long and starts at an address of 64K-1. If the operating system just puts the packet contents there, it goes beyond the maximum legal packet size and a chunk of memory beyond the packet buffer is overwritten. Of course, the operating system should reject such a packet, but if it does not then chaos may ensue.
At the time, this would crash nearly all desktop operating systems, either Windows or Macintosh, some server systems, and some routers. Since about 1998, however, the attack has been almost entirely ineffective; all the operating systems now check fragment sizes carefully.
More recently, there has been research demonstrating that an "SMS of Death" is possible[1], a short message that will make many cell phones stop working.
Distributed denial of service
It is fairly common for attackers to take over a few tens of thousands of insecure machines. The "owned" machines are "zombies" and the network of them is a botnet (i.e., "robot network"). Botnets are now a business; spammers rent time on botnets to send their rubbish. The attackers search blocks of addresses used for broadband Internet, looking for vulnerable machines. Windows machines that have not done Microsoft's upgrades are their favorite target; such a machine is almost guaranteed to be taken over sooner or later.
Botnets are one way to carry out DDoS, Distributed denial of service attack, where thousands or millions of machines attack a single target, with no single attacker to stop. In other contexts, this multiple attacker model is that of swarming. Botnets are not the only way to carry out DDoS; a national attacker could use large numbers of owned machines.
The server may crash, and even if it doesn't, normal web services will be disrupted.
Defense
The first line of defense is detection, which can be especially difficult with DDoS because the attack traffic is light at any given point. When correlation among multiple network intrusion detection systems points to an attack in progress, or the attack becomes obvious at a host, a next step, in service provider networks, is to shift traffic directed at the attack point to a sinkhole for detailed analysis.
As long as the host under attack is unusable anyway, collateral damage to other hosts may be avoided by blackholing the traffic, typically by sending blackhole routes to edge routers via internal BGP.
References
- ↑ John Borland (Dec 28, 2010), Simplest Phones Open to ‘SMS of Death’