Powered by eUKhost®



What is DOS and DDoS attack ?


  • What is DOS and DDoS attack ?

    DDoS (Distributed Denial Of Service) is a tactic used to attack a victim from multiple compromised computers. The attacker installs a virus or Trojan software on compromised systems, and uses them to flood a victim’s network in a way that the victim’s server cannot handle.

    DDoS involves 3 parties: an offender, helpers and a victim. The offender is the one who plots the attack, and the helpers are the machines that are compromised by the offender to launch the attack against a victim (the target). The offender commands the helpers to attack the victim’s host at precisely the same time. Due to this co-ordinated nature between the offender and helpers, DDoS is also known as a co-ordinated attack.

    A DoS attack (denial-of-service) is an explicit attempt to make a computer resource unavailable by either injecting a computer virus or flooding the network with useless traffic. There are two types of DoS attacks: computer attacks and network attacks.

    Ping of death

    Ping of death is caused by an attacker deliberately sending a ping packet, normally 64 bytes, that is larger than 65,535 bytes. Many computer systems cannot handle an IP packet larger than the maximum IP packet size of 65,535, and it often causes computer systems to crash. It is illegal to send a ping packet of size greater than 65,535, but a packet of such size can be sent if it is fragmented. When a receiving computer reassembles the packet, a buffer overflow occurs, which often causes the computer to crash. This exploit has affected a wide variety of systems including Unix, Linux, Mac, Windows and routers.

    Ping of flood

    Ping of flood is caused by an attacker overwhelming the victim’s network with ICMP Echo Request (ping) packets. This is a fairly easy attack to perform without extensive network knowledge, as many ping utilities support this operation. A flood of ping traffic can consume significant bandwidth on low- to mid-speed networks, slowing a network to a crawl.

    Smurf Attack

    A Smurf attack exploits the target by sending repeated ping requests to the broadcast address of the target network. The ping request packet often uses a forged IP address (return address), which is the target site that is to receive the denial of service attack. The result will be lots of ping replies flooding back to the innocent, spoofed host. If the number of hosts replying to the ping request is large enough, the network will no longer be able to receive real traffic.

    SYN Floods

    When establishing a session between a TCP client and server, a hand-shaking message exchange occurs between the server and client. A session setup packet contains a SYN field that identifies the sequence in the message exchange. An attacker may send a flood of connection requests and not respond to the replies, which leaves the request packets in the buffer so that legitimate connection requests can’t be accommodated.

    Teardrop Attack

    A Teardrop attack exploits the target by sending IP fragment packets that are difficult to reassemble. A fragment packet identifies an offset that is used to assemble the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker’s IP puts a confusing offset value in the subsequent fragments, and if the receiving system doesn’t know how to handle such a situation, it may cause the system to crash.

    Mail Bomb

    Unauthorized users send a large number of email messages with large attachments to a particular mail server, filling up disk space and resulting in denied email services to other users.

    How to check if server is under DDoS?

    Fire the following commands to check the number of connections on the server.

    # netstat -n | grep :80 |wc -l
    It’s unsafe if it’s showing more than 500 connections.

    # netstat -n | grep :80 | grep SYN |wc -l
    Now find out the culprit IP address from the access logs.

    # cd /var/log/httpd
    # tail -n 10000 access_log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more

    If you suspect a UDP flood, you can check using this command…
    # netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

    Now get the IP with maximum connections, and block it in your iptables…
    # route add -host <ipaddress> reject

    Now we might need to kill all the current http connections and start the http service fresh.
    # killall -KILL httpd
    # service httpd start
    Aarav 92
    Red Hat Certified Security Specialist.
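The triage commands above (count port-80 connections, count half-open SYN sockets, rank source addresses from access_log) can be tried offline before they are run on a live server. The following Python is an added example, not code from the post or from eUKhost; it works on captured text from `netstat -n` and the Apache access_log, with constructed sample data embedded inline. Function names such as `tcp_sockets`, `assess` and `block_rule` are chosen here, and the 500-connection threshold is the post's own rule of thumb. Unlike `grep :80`, which also matches port 8080 or any address containing ":80", it matches the local port exactly.

```python
"""Offline versions of the post's netstat / access_log triage, so the logic can
be checked against captured text instead of a live host. Added example with
constructed samples; function names are chosen here, not from the post."""
import ipaddress
from collections import Counter

CONNECTION_WARN_THRESHOLD = 500   # the post's rule of thumb for port-80 connections

# Constructed `netstat -n` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51324      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51325      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51326      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40002       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51327      SYN_RECV
udp        0      0 192.0.2.10:53           0.0.0.0:*
"""

# Constructed Apache combined-format access_log lines (not from a real server).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
192.0.2.55 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def tcp_sockets(netstat_text, port=80):
    """Yield (remote_ip, state) for TCP sockets whose local port is `port`.
    Splitting on the last ':' keeps IPv6 addresses intact."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        yield remote.rsplit(":", 1)[0], state


def connection_count(netstat_text, port=80):
    """Same idea as `netstat -n | grep :80 | wc -l`, matching the local port exactly."""
    return sum(1 for _ in tcp_sockets(netstat_text, port))


def syn_recv_count(netstat_text, port=80):
    """Half-open connections, the signal of a SYN flood (`grep SYN | wc -l`)."""
    return sum(1 for _, state in tcp_sockets(netstat_text, port) if state == "SYN_RECV")


def top_remote_ips(netstat_text, port=80, n=5):
    """Remote addresses ranked by number of open connections."""
    return Counter(ip for ip, _ in tcp_sockets(netstat_text, port)).most_common(n)


def top_log_ips(access_log_text, n=5):
    """Equivalent of `cut -f 1 -d ' ' | sort | uniq -c | sort -nr` on access_log."""
    ips = (line.split(" ", 1)[0] for line in access_log_text.splitlines() if line.strip())
    return Counter(ips).most_common(n)


def assess(netstat_text, port=80):
    """Apply the post's threshold: 'unsafe' above it, 'normal' otherwise."""
    return "unsafe" if connection_count(netstat_text, port) > CONNECTION_WARN_THRESHOLD else "normal"


def block_rule(ip):
    """Build (but do not run) the iptables rule an operator would review before blocking.
    ipaddress.ip_address() raises ValueError for anything that is not a literal address."""
    ipaddress.ip_address(ip)
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    print("port-80 connections:", connection_count(SAMPLE_NETSTAT), assess(SAMPLE_NETSTAT))
    print("half-open (SYN_RECV):", syn_recv_count(SAMPLE_NETSTAT))
    print("top remote IPs:", top_remote_ips(SAMPLE_NETSTAT))
    print("top log IPs:", top_log_ips(SAMPLE_ACCESS_LOG))
    print("candidate rule:", block_rule(top_log_ips(SAMPLE_ACCESS_LOG)[0][0]))
```

Two caveats when acting on the output: the busiest address in access_log may be a proxy, NAT gateway or monitoring host rather than an attacker, so check it before blocking; and a SYN flood normally arrives from spoofed source addresses, so per-IP blocking does little against it and the usual mitigation is the kernel's SYN cookies (`net.ipv4.tcp_syncookies = 1`).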
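The ping-of-death and teardrop sections above both come down to what a receiver does with fragment offsets and lengths before it reassembles a datagram. As an added example (not code from the post or from eUKhost), the following Python validates a fragment set the way a hardened IP stack should: it rejects a reassembled size above the 65,535-byte IPv4 maximum before any data is copied, and it rejects fragments whose offsets overlap or leave gaps. `Fragment`, `validate_fragments` and `reassemble` are names chosen here, and the sample fragment sets are constructed, not captured traffic.

```python
"""Fragment-set validation in the spirit of the ping-of-death and teardrop
descriptions: a receiver that checks offsets and lengths before reassembling
never overflows its buffer and never trips over an overlapping fragment.
Added example with constructed data; names are chosen here, not from the post."""
from dataclasses import dataclass

IP_MAX_LEN = 65535   # largest IPv4 datagram: the Total Length field is 16 bits
FRAG_UNIT = 8        # the Fragment Offset field counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload inside the datagram
    length: int   # number of payload bytes this fragment carries
    more: bool    # the "more fragments" (MF) flag


def validate_fragments(frags):
    """Return (ok, reason). ok is True only when the fragments tile the payload
    exactly once: no overlap, no gap, last fragment has MF clear, and the
    reassembled size stays within IP_MAX_LEN."""
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0   # next byte offset we expect to see
    for f in ordered:
        if f.length <= 0:
            return False, f"fragment at offset {f.offset} carries no data"
        if f.offset % FRAG_UNIT:
            return False, f"offset {f.offset} is not a multiple of {FRAG_UNIT}"
        if f.more and f.length % FRAG_UNIT:
            return False, (f"non-final fragment at offset {f.offset} has length "
                           f"{f.length}, not a multiple of {FRAG_UNIT}")
        # Ping-of-death check: the size is bounded before any data is copied.
        if f.offset + f.length > IP_MAX_LEN:
            return False, (f"reassembled size {f.offset + f.length} exceeds "
                           f"{IP_MAX_LEN} bytes (ping-of-death pattern)")
        # Teardrop check: a fragment that starts before the previous one ended.
        if f.offset < expected:
            return False, f"fragment at offset {f.offset} overlaps earlier data (teardrop pattern)"
        if f.offset > expected:
            return False, f"gap between {expected} and {f.offset}; datagram incomplete"
        expected = f.offset + f.length
    if ordered[-1].more:
        return False, "last fragment still has MF set; datagram incomplete"
    return True, f"ok: {expected} bytes"


def reassemble(frags_with_data):
    """Reassemble [(Fragment, bytes)] pairs into the payload, only after validation."""
    frags = [f for f, _ in frags_with_data]
    ok, reason = validate_fragments(frags)
    if not ok:
        raise ValueError(reason)
    buf = bytearray(sum(f.length for f in frags))   # exact size, so no overflow is possible
    for f, data in frags_with_data:
        if len(data) != f.length:
            raise ValueError(f"fragment at {f.offset} declares {f.length} bytes but carries {len(data)}")
        buf[f.offset:f.offset + f.length] = data
    return bytes(buf)


# Constructed fragment sets (illustrative values, not captured traffic).
GOOD = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
OVERLAP = [Fragment(0, 32, True), Fragment(24, 16, False)]            # second starts inside the first
OVERSIZE = [Fragment(0, 1480, True), Fragment(65528, 1480, False)]    # 65528 is the largest encodable offset

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        print(name, validate_fragments(frags))
```

The size check runs before the overlap and gap checks on purpose: a fragment whose offset plus length exceeds the maximum is rejected even when the earlier fragments have not arrived yet, which is exactly the case a reassembly buffer sized to 65,535 bytes must never reach.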

  • #2
    Re: What is DOS and DDoS attack ?

    Nice share, Aarav92... thanks for the detailed explanation of the different attacks and also for the commands... Keep it up!

  • #3
    Re: What is DOS and DDoS attack ?

    Great explanation Aarav 92! Thanks for sharing.

  • #4
    Re: What is DOS and DDoS attack ?

    Thanks so much! I didn't know about any of these. So, what can one do to protect oneself from these attacks? Are these attacks remote, or does someone need physical access to your computer in order to perform them?

  • #5
    Re: What is DOS and DDoS attack ?

    I basically understand DOS and the commands. I also have a good idea what a DDoS attack is. What I don't know how to do is prevent one from happening.

  • #6
    Re: What is DOS and DDoS attack ?

    I was searching for DDOS and you helped me with DDOS. Thanks for explaining DDOS in an easy way.