A Denial-of-Service attack ((D)DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the aim of a (D)DoS attack may vary, it generally consists of the concerted, malicious efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
(D)DoS attackers typically target sites or services hosted on high-profile web servers, and even DNS root servers.
Generally, an attack involves saturating the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable. (D)DoS attacks are considered violations of the IAB's Internet proper use policy. They also commonly constitute violations of the laws of individual nations.
Ways (D)DoS attacks work
- Forcing the attacked computer to reset or consume its resources so that it can no longer provide its intended service
- Obstructing the communication media between the intended users and the targeted system so that they can no longer communicate.
Symptoms of (D)DoS attacks
- Unusually slow network performance
- Unavailability of a particular web site
- Failure to access any web site
- Dramatic increase in the number of spam emails received
Methods of attack
- Flooding a network, thereby preventing legitimate network traffic
- Disrupting a server by sending more requests than it can possibly handle, thereby preventing access to a service
- Preventing a particular individual from accessing a service
- Disrupting service to a specific system or person.
Attacks can be directed at any network device, including routing devices and Web, electronic mail, or Domain Name System servers.
Basic types of attack
- Consumption of computational resources such as bandwidth, disk space or CPU time
- Disruption of configuration information, such as routing information
- Disruption of state information, such as unsolicited resetting of TCP sessions
- Disruption of physical network components.
- Obstruction of the communication media between the intended users and the victim so that they can no longer communicate adequately.
DoS attacks are intended to
- Max out the CPU's usage, preventing any work from occurring
- Trigger errors in the microcode of the machine
- Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or a lock-up
- Exploit errors in the operating system to consume all available resources so that no real work can be accomplished
- Crash the operating system itself
- iFrame (D)DoS, in which an HTML document is made to visit a web page containing many kilobytes of data many times, until the number of visits exceeds the target's bandwidth limit.
Prevention and response
The easiest way to tackle a (D)DoS attack is to prepare for it. Separate emergency blocks of IP addresses for critical servers, reachable over a separate route, can be helpful.
The investigation should begin immediately after the (D)DoS attack starts.
A separate route is not that expensive, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack.
SYN cookies modify the server's TCP connection handling by deferring the allocation of resources until the client address has been confirmed. They are considered the most effective defense against SYN flood attacks. There are Solaris, FreeBSD and Linux implementations, of which the FreeBSD and Linux implementations can be enabled while the kernel is running.
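The following Python model illustrates the SYN-cookie idea described above: the server encodes a time counter and a keyed MAC over the connection 4-tuple into the sequence number of its SYN-ACK, keeps no half-open state, and only allocates a connection when the client's final ACK echoes a valid cookie. It is an added example, not code from the original page or from any operating system; the bit layout, the 64-second tick, the HMAC-SHA256 construction and the IP addresses are constructed for this illustration (real Linux and FreeBSD encodings differ in detail and also encode the MSS in the cookie).

```python
import hashlib
import hmac
import struct

# Constructed parameters for this illustration; the real kernel encodings
# (Linux, FreeBSD) pack the fields differently and also encode the MSS.
SECRET = b"constructed-server-secret"   # a real server draws this from a CSPRNG
TICK_SECONDS = 64                        # one counter tick; cookies expire after a few ticks
COUNTER_BITS = 5
MAC_BITS = 32 - COUNTER_BITS
MAC_MASK = (1 << MAC_BITS) - 1
SEQ_MASK = 0xFFFFFFFF


def _flow_mac(flow, client_isn, counter):
    """Keyed MAC over the 4-tuple, client ISN and time counter, truncated to MAC_BITS."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & MAC_MASK


def make_syn_cookie(flow, client_isn, now):
    """Server ISN for the SYN-ACK: time counter in the high bits, MAC in the low bits.
    Nothing is stored; the client must echo this value back as ack-1."""
    counter = (now // TICK_SECONDS) % (1 << COUNTER_BITS)
    return (counter << MAC_BITS) | _flow_mac(flow, client_isn, counter)


def check_syn_cookie(flow, client_isn, ack_number, now, max_age_ticks=1):
    """Validate the third handshake packet. True only if the cookie was minted
    by this server, for this flow and client ISN, within max_age_ticks."""
    cookie = (ack_number - 1) & SEQ_MASK
    counter = cookie >> MAC_BITS
    current = (now // TICK_SECONDS) % (1 << COUNTER_BITS)
    if (current - counter) % (1 << COUNTER_BITS) > max_age_ticks:
        return False                                   # too old (or from the future)
    expected = _flow_mac(flow, client_isn, counter)
    # Constant-time comparison so a forger cannot probe the MAC byte by byte.
    return hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", cookie & MAC_MASK))


class StatelessListener:
    """Minimal model of a listening socket under SYN-cookie protection."""

    def __init__(self):
        self.half_open = {}        # what a classic backlog would hold; stays empty here
        self.established = set()

    def on_syn(self, flow, client_isn, now):
        # Reply with a SYN-ACK whose sequence number is the cookie. No state allocated.
        return make_syn_cookie(flow, client_isn, now)

    def on_ack(self, flow, seq_number, ack_number, now):
        client_isn = (seq_number - 1) & SEQ_MASK       # the ACK's seq is client ISN + 1
        if check_syn_cookie(flow, client_isn, ack_number, now):
            self.established.add(flow)                 # state allocated only now
            return True
        return False


def simulate(now=100_000):
    """Run a spoofed SYN flood against the listener, then one honest handshake
    and one forged ACK. Returns a summary of what the listener accepted."""
    srv = StatelessListener()
    # Constructed flood: 10,000 SYNs from spoofed sources that never send an ACK.
    for i in range(10_000):
        srv.on_syn((f"198.51.100.{i % 256}", 1024 + i, "203.0.113.5", 80), i * 7919, now)
    honest = ("192.0.2.10", 40000, "203.0.113.5", 80)
    client_isn = 123456
    cookie = srv.on_syn(honest, client_isn, now)
    ok = srv.on_ack(honest, client_isn + 1, cookie + 1, now + 1)
    forged = srv.on_ack(honest, client_isn + 1, (cookie ^ 0x1) + 1, now + 1)
    return {"half_open": len(srv.half_open), "established": len(srv.established),
            "honest_accepted": ok, "forged_accepted": forged}


if __name__ == "__main__":
    print(simulate())
```

Running the module shows the point of the technique: ten thousand spoofed SYNs leave the backlog empty, the honest client still gets its connection, and an ACK with a tampered cookie is rejected. The cost is that the server forgets what the client's SYN said (MSS, window scaling, SACK), which is why production implementations squeeze an MSS index into the cookie and why SYN cookies are usually enabled only once the backlog overflows.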
Firewalls have simple rules such as allowing or denying protocols, ports or IP addresses. Firewalls cannot prevent some (D)DoS attacks, as these are too complex and the firewall cannot differentiate good traffic from (D)DoS attack traffic. Firewalls also sit too deep in the network hierarchy; the router in front of them may be affected before the firewall ever sees the traffic.
Firewalls can effectively prevent users on machines behind the firewall from launching simple flooding-type attacks.
Routers have some rate-limiting and ACL capability that can be configured manually. Most routers can easily be overwhelmed under a (D)DoS attack. If you query flow statistics from the router during the attack, it slows down further and makes matters worse. Cisco IOS has features that help prevent flooding.
Application front end hardware
Application front end hardware is deployed on networks in combination with routers and switches, before traffic reaches the servers. This hardware examines data packets as they enter the system and categorizes them as priority, regular, or dangerous. Hardware acceleration is key to bandwidth management, and there are more than 25 bandwidth management vendors. Look for granularity of bandwidth management, hardware acceleration, and automation when selecting an appliance.
IPS based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. IPSs that work on content recognition cannot block behavior-based (D)DoS attacks.
An ASIC-based IPS can detect and block (D)DoS attacks because it has the processing power and the granularity to analyze the attacks and act automatically like a circuit breaker.
A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern, and determine whether there is a traffic anomaly. It must let legitimate traffic flow while blocking the (D)DoS attack traffic.
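The two ideas in the router paragraph (manual rate limits and ACLs) and the rate-based IPS paragraph above can be shown together in one small model, added here as an example rather than code from the page or from any vendor. It learns a per-destination and per-source baseline during a quiet period, applies a hard per-source packet-rate cap that inserts a temporary block entry (the equivalent of a dynamic ACL), and, when the aggregate rate to a service is far above baseline, sheds only the sources that are individually abnormal so that low-rate legitimate clients keep flowing. The thresholds, window sizes, addresses and traffic mix are all constructed for the illustration.

```python
import statistics
from collections import defaultdict, deque

# Constructed tuning knobs; real appliances derive these from much longer learning periods.
WINDOW_MS = 1000          # sliding window for rate measurement
SRC_PPS_LIMIT = 200       # hard per-source cap, like a router rate-limit / ACL threshold
ANOMALY_FACTOR = 4        # traffic above FACTOR x learned baseline is treated as abnormal
QUARANTINE_MS = 30_000    # how long a source stays in the dynamic block list


class RateWindow:
    """Packets seen in the last WINDOW_MS, kept as (t_ms, pkts) with a running total."""

    def __init__(self):
        self.entries = deque()
        self.total = 0

    def add(self, t_ms, pkts):
        self.entries.append((t_ms, pkts))
        self.total += pkts
        while self.entries and self.entries[0][0] <= t_ms - WINDOW_MS:
            self.total -= self.entries.popleft()[1]
        return self.total


class RateBasedIPS:
    """Learn a baseline in a quiet period, then rate-limit and shed abnormal sources."""

    def __init__(self, learn_until_ms):
        self.learn_until_ms = learn_until_ms
        self.src_win = defaultdict(RateWindow)
        self.dst_win = defaultdict(RateWindow)
        self.learned_dst = defaultdict(list)   # (dst, dport) -> observed aggregate rates
        self.learned_src = []                  # observed per-source rates in the quiet period
        self.blocked = {}                      # src -> expiry; behaves like a dynamic ACL

    def observe(self, t_ms, src, dst, dport, pkts):
        """Return 'allow' or 'drop' for one flow record (pkts packets at t_ms)."""
        if src in self.blocked:                         # ACL hit: drop before measuring
            if t_ms < self.blocked[src]:
                return "drop"
            del self.blocked[src]
        # Dropped packets still arrived, so they count toward the measured rates.
        src_rate = self.src_win[src].add(t_ms, pkts)
        dst_rate = self.dst_win[(dst, dport)].add(t_ms, pkts)
        if t_ms < self.learn_until_ms:                  # quiet period: learn, never block
            self.learned_dst[(dst, dport)].append(dst_rate)
            self.learned_src.append(src_rate)
            return "allow"
        if src_rate > SRC_PPS_LIMIT:                    # rule 1: hard per-source limit
            self.blocked[src] = t_ms + QUARANTINE_MS
            return "drop"
        history = self.learned_dst.get((dst, dport))
        if history and self.learned_src:                # rule 2: while the aggregate is
            dst_base = statistics.mean(history)         #   abnormal, shed only sources that
            src_base = statistics.mean(self.learned_src)  # are themselves abnormal
            if dst_rate > ANOMALY_FACTOR * dst_base and src_rate > ANOMALY_FACTOR * src_base:
                return "drop"
        return "allow"


def constructed_traffic():
    """Synthetic flow records: 5 honest clients at 20 pps for 20 s; from t=10 s,
    50 spoofed sources at 500 pps each. Every record covers 100 ms of traffic."""
    records = []
    for tick in range(200):                             # 0 .. 19.9 s
        t = tick * 100
        for i in range(5):
            records.append((t, f"192.0.2.{i + 1}", "203.0.113.5", 80, 2, "legit"))
        if t >= 10_000:
            for i in range(50):
                records.append((t, f"198.51.100.{i + 1}", "203.0.113.5", 80, 50, "attack"))
    return records


def simulate():
    """Feed the constructed traffic through the IPS and count packets per verdict."""
    ips = RateBasedIPS(learn_until_ms=10_000)
    stats = {"legit_allow": 0, "legit_drop": 0, "attack_allow": 0, "attack_drop": 0}
    for t, src, dst, dport, pkts, kind in constructed_traffic():
        stats[f"{kind}_{ips.observe(t, src, dst, dport, pkts)}"] += pkts
    stats["blocked_sources"] = len(ips.blocked)
    return stats


if __name__ == "__main__":
    print(simulate())
```

In the simulation every honest packet is forwarded, each attacking source gets only its first 100 ms of packets through before being shed and then blocked, and all fifty sources end up in the block list. The design choice worth noting is the order of the checks: the hard cap alone would still admit attackers for their first few hundred packets, and the baseline check alone would need a quiet learning period on every service, so a real appliance combines both, exactly the "granular and continuous" monitoring the RBIPS paragraph calls for.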