- 1.1 Opinions, Products
- 1.2 Roadmap to the Book
- 1.3 Terminology
- 1.4 Notation
- 1.5 Cryptographically Protected Sessions
- 1.6 Active and Passive Attacks
- 1.7 Legal Issues
- 1.8 Some Network Basics
- 1.9 Names for Humans
- 1.10 Authentication and Authorization
- 1.11 Malware: Viruses, Worms, Trojan Horses
- 1.12 Security Gateway
- 1.13 Denial-of-Service (DoS) Attacks
- 1.14 NAT (Network Address Translation)
1.13 Denial-of-Service (DoS) Attacks
A denial-of-service attack (DoS) is one in which an attacker prevents good guys from accessing a service, but does not enable unauthorized access to any services. In the naive old days, security people dismissed the prospect of denial-of-service attacks as unlikely, since the attacker had nothing to gain. Of course, that turned out to be faulty reasoning. There are terrorists, disgruntled employees, and people who delight in causing mischief for no good reason.
In the earliest types of denial-of-service attacks, the attacker repeatedly sent messages to the victim machine. Most machines at the time were vulnerable to this sort of attack since they had resources that could easily be depleted. For instance, the storage area for keeping track of pending TCP connections tended to be very limited, on the order of, say, ten connections. The probability of ten legitimate users connecting during a single network round trip time was sufficiently small that ten was a reasonable number. But it was easy for the attacking machine to fill up this table on a server, even if the attacking machine was attached to the Internet with a low-speed link.
To avoid being caught at this mischief, it was common for the attacker to send these malicious packets from forged source addresses. This made it difficult to find (and prosecute) the attacker, and it made it difficult to recognize packets from the malicious machine and filter them at a firewall.
As a defense, people advocated giving routers the capability to perform sanity checks on the source address. Such routers could be configured to drop packets whose source address could not legitimately have come from the direction in which the packet was received. Routers might be configured with the source addresses to expect on each of their ports, or they might infer the expected direction from their forwarding tables. This concept was not deployed because it would cause problems. If sanity checks are based on configured information, topological changes in the Internet (such as links going down and alternative routes being used) could cause the routers to make incorrect assumptions. And Mobile IP (RFC 5944) allows a node to move around the Internet while keeping its IP address, which would confuse routers attempting sanity checks.
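The "infer the expected direction from the forwarding table" variant of the sanity check, as an added illustration that is not from the book: a packet's source address is accepted on a port only if the router would itself forward traffic toward that source out of the same port. The forwarding table, port names and traffic are constructed, and the table is assumed static, which is exactly where the book's caveat about topology changes and Mobile IP bites.

```python
# Added example: reverse-path sanity check on packet source addresses,
# driven by the router's own forwarding table (constructed data throughout).
import ipaddress
from typing import Optional

# Constructed forwarding table: destination prefix -> outgoing port.
FORWARDING_TABLE = {
    "10.0.0.0/8": "eth0",      # internal network
    "10.1.0.0/16": "eth1",     # more specific: one building hangs off eth1
    "0.0.0.0/0": "eth2",       # default route toward the Internet
}

def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against the forwarding table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, port in FORWARDING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return best[1] if best else None

def source_plausible(src: str, ingress_port: str) -> bool:
    """True if the router would reach src via the port the packet arrived on.
    A static table gives wrong answers after reroutes or for Mobile IP nodes."""
    return lookup(src) == ingress_port

def filter_packets(packets):
    """Split constructed (src, dst, ingress_port) tuples into accepted/dropped."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_plausible(pkt[0], pkt[2]) else dropped).append(pkt)
    return accepted, dropped

# Constructed sample traffic, including a packet arriving on the Internet
# port (eth2) that claims an internal source address.
SAMPLE = [
    ("10.1.5.5", "10.0.0.1", "eth1"),       # building host, expected port
    ("10.1.5.5", "10.0.0.1", "eth0"),       # internal address on the wrong port
    ("203.0.113.7", "10.0.0.1", "eth2"),    # external source on Internet port
    ("10.0.0.9", "203.0.113.7", "eth2"),    # forged internal source from outside
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("accepted:", ok)
    print("dropped:", bad)
```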
A deployed defense against a single malicious node attempting to swamp the resources of a server was to increase resources at the server so that a single attacker, at the speeds at which such attackers were typically connected to the Internet, could not fill the pending TCP connection table.
Another level of DoS escalation was to send a single packet that caused a lot of legitimate machines to send messages to the victim machine. An example of such a packet is a packet transmitted to the broadcast address, with the packet’s source address forged to the address of the victim’s machine, asking for all receivers to respond. All the machines that receive the broadcast will send a response to the victim’s machine. Such a mechanism magnifies the effect the attacker can have from his single machine, since each packet he creates turns into n packets directed at the victim machine.
As a defense against machines sending packets from forged IP addresses, protocols such as TCP, IPsec, and TLS have been designed to avoid requiring a receiver, Bob, to keep state or do significant computation if requests are arriving from forged IP source addresses. Unless the requester can receive packets at the IP address it claims to be sending from, Bob will not need to keep state about the request. Only when the requester returns something that Bob sent to its claimed IP address will Bob pay attention to the request.
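The exchange described above, as an added example that is not from the book and not any specific protocol's cookie format: the server answers a first request with a keyed cookie addressed to the claimed source and stores nothing; it allocates state only when that cookie comes back from the same address. The secret, addresses and timing are constructed.

```python
# Added example: a stateless cookie handshake. The server keeps no state for
# a request until the requester proves it can receive at its claimed address.
import hmac, hashlib, os

class CookieServer:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # constructed; rotated in practice
        self.sessions = {}                       # state exists ONLY for verified peers

    def _cookie(self, addr: str, epoch: int) -> bytes:
        # HMAC over the claimed address and a coarse time bucket. Because it
        # can be recomputed on return, nothing about the request is stored.
        return hmac.new(self.secret, f"{addr}|{epoch}".encode(),
                        hashlib.sha256).digest()[:16]

    def on_request(self, claimed_src: str, now: int):
        """First message: emit a cookie packet addressed to the claimed source."""
        return claimed_src, self._cookie(claimed_src, now // 60)

    def on_cookie_reply(self, src: str, cookie: bytes, now: int) -> bool:
        """Second message: allocate state only if the cookie is valid for src."""
        epoch = now // 60
        for e in (epoch, epoch - 1):             # tolerate a bucket boundary
            if hmac.compare_digest(cookie, self._cookie(src, e)):
                self.sessions[src] = {"established_at": now}
                return True
        return False

def simulate() -> dict:
    """Constructed scenario: a forged-source flood plus one honest client."""
    srv = CookieServer()
    t = 1_700_000_000
    # Flood with forged sources: replies go to those addresses, not the sender,
    # and the server allocated nothing for any of them.
    for i in range(1000):
        srv.on_request(f"198.51.100.{i % 256}", t)
    # The honest client really owns 203.0.113.5, so it sees and echoes the cookie.
    dest, cookie = srv.on_request("203.0.113.5", t)
    legit = srv.on_cookie_reply(dest, cookie, t + 1)
    # A forged source never received its cookie; a guess fails.
    forged = srv.on_cookie_reply("198.51.100.1", b"\x00" * 16, t + 1)
    # The honest client's cookie presented from another address also fails.
    replayed = srv.on_cookie_reply("198.51.100.1", cookie, t + 1)
    return {"legit_accepted": legit, "forged_accepted": forged,
            "replayed_accepted": replayed, "state_entries": len(srv.sessions)}

if __name__ == "__main__":
    print(simulate())
```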
But then came the next level of escalation, which is known as a distributed-denial-of-service attack (DDoS). In this form of attack, the attacker breaks into a lot of innocent machines, and installs software on them to have them all attack the victim machine. These innocent machines are called zombies or drones or bots. With enough bots attacking it, any machine can be made inaccessible, since even if the machine itself can process packets as fast as they can possibly arrive, the links or routers in front of that machine can be overwhelmed. The defenses in TCP, IPsec, and TLS will not help, since the bot machines are using their own IP addresses in the requests. Since requests are coming from hundreds or thousands of innocent machines, it is hard to distinguish these packets from packets coming from legitimate users.