Denial of Service Attacks and How to Guard Against Them
Denial of service (DoS) attacks are among the most common hacker attacks. A hacker sends so many bogus requests or crafted packets to a network host that the host exhausts its resources (connection tables, memory, CPU, or bandwidth) handling them and can no longer serve legitimate requests, or simply crashes.
DoS attacks against your network and hosts can cause systems to crash, data to be lost, and every user to jump on your case wondering when Internet access will be restored.
Here are some common DoS attacks that target an individual computer or network device:
SYN floods: The attacker floods a host with TCP SYN packets, usually from spoofed source addresses, and never completes the three-way handshake. Each SYN ties up an entry in the host's half-open connection table until it times out; when the table is full, connections from real users are refused.
Ping of Death: The attacker sends a fragmented ICMP echo request whose fragments reassemble to more than the 65,535-byte maximum IP packet size. Older TCP/IP stacks didn't check for this and overflowed their reassembly buffer, crashing the system. Modern operating systems have long been patched against it.
WinNuke: The attacker sends TCP out-of-band (urgent) data to NetBIOS port 139, which can disable networking on unpatched Windows 95 and Windows NT computers.
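The SYN flood above is the attack you are most likely to have to spot in practice. Here is an added example, not from the original page, of the detection logic a monitoring script could run over captured traffic: it parses tcpdump-style lines, tracks whether each SYN is later followed by the client's handshake-completing ACK, and raises an alert when one second's SYN count toward a port exceeds several times a baseline rate, comes from many sources, and almost none of them complete. The addresses, timestamps, thresholds, and the sample capture are all constructed for the example.

```python
# Added example (not from the original page): a minimal SYN-flood detector that
# reads tcpdump-style text lines, tracks whether each SYN is followed by the
# client's handshake-completing ACK, and compares per-second SYN counts against
# a baseline rate. All addresses, ports and thresholds below are constructed.
import re
from collections import defaultdict

# Matches the start of a tcpdump line such as
# "12:00:05.000000 IP 203.0.113.1.40000 > 198.51.100.10.80: Flags [S], seq 0, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight (no day rollover)
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],  # tcpdump notation: "S" = SYN, "S." = SYN-ACK, "." = ACK
    }


def detect_syn_floods(lines, window=1.0, baseline_syn_rate=20.0,
                      factor=5.0, min_sources=10, max_completion=0.2):
    """Return one alert per (dst, dport, window) whose SYN count exceeds
    factor x the baseline rate, comes from at least min_sources addresses,
    and mostly never completes the handshake (spoofed sources never ACK)."""
    pkts = sorted((p for p in map(parse_line, lines) if p), key=lambda p: p["ts"])
    buckets = defaultdict(lambda: {"syn": 0, "completed": 0, "srcs": set()})
    pending = set()  # flows that have sent a SYN but not yet the final ACK
    for p in pkts:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        b = buckets[(p["dst"], p["dport"], int(p["ts"] // window))]
        if p["flags"] == "S":
            b["syn"] += 1
            b["srcs"].add(p["src"])
            pending.add(flow)
        elif "." in p["flags"] and flow in pending:
            pending.discard(flow)
            b["completed"] += 1
    alerts = []
    for (dst, dport, w), b in sorted(buckets.items()):
        if b["syn"] < baseline_syn_rate * window * factor:
            continue
        if len(b["srcs"]) < min_sources:
            continue
        if b["completed"] / b["syn"] <= max_completion:
            alerts.append({"dst": dst, "dport": dport, "window_start": w * window,
                           "syn": b["syn"], "sources": len(b["srcs"]),
                           "completed": b["completed"]})
    return alerts


def sample_capture():
    """Constructed sample: a few normal handshakes, then 150 spoofed SYNs in one second."""
    server = "198.51.100.10"
    lines = []
    # Normal clients at 12:00:00: SYN, SYN-ACK from the server, then the client's ACK.
    for i, client in enumerate(["192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        port = 50000 + i
        lines.append(f"12:00:00.{i * 1000:06d} IP {client}.{port} > {server}.80: Flags [S], seq 0, win 65535, length 0")
        lines.append(f"12:00:00.{i * 1000 + 200:06d} IP {server}.80 > {client}.{port}: Flags [S.], seq 0, ack 1, win 65535, length 0")
        lines.append(f"12:00:00.{i * 1000 + 400:06d} IP {client}.{port} > {server}.80: Flags [.], ack 1, win 65535, length 0")
    # Flood at 12:00:05: 150 SYNs from 150 different source addresses; no ACKs ever arrive.
    for i in range(150):
        lines.append(f"12:00:05.{i * 1000:06d} IP 203.0.113.{i % 254 + 1}.{40000 + i} > {server}.80: Flags [S], seq 0, win 1024, length 0")
    # Two real users who connect during the flood do complete their handshakes.
    for i, client in enumerate(["192.0.2.21", "192.0.2.22"]):
        port = 51000 + i
        lines.append(f"12:00:05.{500000 + i * 1000:06d} IP {client}.{port} > {server}.80: Flags [S], seq 0, win 65535, length 0")
        lines.append(f"12:00:05.{500400 + i * 1000:06d} IP {client}.{port} > {server}.80: Flags [.], ack 1, win 65535, length 0")
    return lines


if __name__ == "__main__":
    for a in detect_syn_floods(sample_capture()):
        print(f"SYN flood toward {a['dst']}:{a['dport']} at t={a['window_start']:.0f}s: "
              f"{a['syn']} SYNs from {a['sources']} sources, {a['completed']} completed")
```

The script only counts packets heading toward the protected host, so the server's own SYN-ACKs are ignored wherever the capture point sits. The `baseline_syn_rate` is the number you would take from a traffic baseline measured on a normal day; without one, the threshold is a guess, which is exactly why the countermeasures section tells you to establish a baseline before an attack happens.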
Distributed DoS (DDoS) attacks, in which thousands of compromised machines flood the target at the same time, have a far greater impact on their victims. One of the most famous was the 2000 DDoS attack against eBay, Yahoo!, CNN, and dozens of other websites by a hacker known as MafiaBoy. In 2009 there was a highly publicized DDoS attack against Twitter, Facebook, and other social media sites. The attack was apparently aimed at one user from Georgia, but it affected everyone using these sites.
You couldn’t tweet, and many friends and family members couldn’t see what everyone was blabbing about on Facebook. Think about this: When hundreds of millions of people can be taken offline by one targeted DDoS attack, you can see why understanding the dangers of denial of service against your business’s systems and applications is important.
DoS and DDoS attacks can be carried out with tools that the attacker either writes or downloads from the Internet. The same tools are useful for testing your network's IPS and firewalls for denial of service weaknesses, as long as you run them in a controlled way. You can find programs that launch actual attacks. Some programs, such as idappcom's Traffic IQ Professional, also let you send controlled attacks.
Denial of service testing is one of the most difficult security checks you can run: one tester with a handful of machines simply can't generate the traffic volume of a real attack, and a test that succeeds takes a production system down. Don't fret. Your first test should be a search for DoS vulnerabilities from a vulnerability-scanning perspective. Using vulnerability scanners, such as QualysGuard and WebInspect, you can find missing patches and configuration weaknesses that can lead to denial of service without ever sending a flood.
During a recent security assessment project, QualysGuard found a vulnerability in an older version of OpenSSL running on a web server. As with most DoS findings, the only way to confirm it was to try it. With permission, the exploit code was downloaded from the Internet, compiled, and run against the client's server. Sure enough, it took the server offline.
At first, the client thought it was a fluke, but after the server was taken offline a second time, he accepted that the vulnerability was real. It turned out that he was using an OpenSSL derivative, hence the vulnerability. Had the client not fixed the problem, any number of attackers around the world could have taken this production system offline, and an outage with no obvious cause could have been tricky to troubleshoot. Not good for business!
Don’t test for DoS unless you have test systems or can perform controlled tests with the proper tools. Poorly planned DoS testing is a job search in the making. It’s like trying to delete data from a network share and hoping that the access controls in place are going to prevent it.
Countermeasures against DoS attacks
Most DoS attacks are difficult to predict, but many of them can be prevented, or at least contained, with basic hygiene:
Test and apply security patches (including service packs and firmware updates) as soon as possible for network hosts, such as routers and firewalls, as well as for server and workstation operating systems.
Use an IPS to monitor regularly for DoS attacks.
If you can't justify the cost of an all-out IPS solution, you can run a network analyzer in continuous capture mode and use it to monitor for DoS attacks. Keep in mind that it only records the attack; it won't block it.
Configure firewalls and routers to block malformed traffic. You can do this only if your systems support it, so refer to your administrator’s guide for details.
Minimize IP spoofing by filtering out packets arriving on your external interface that claim to come from an internal address, the loopback range (127.0.0.0/8), or any other private or non-routable range, such as 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x–172.31.x.x), or 192.168.0.0/16. Apply the same filter in the outbound direction so that your own hosts can't be used to spoof someone else.
Block all ICMP traffic inbound to your network unless you specifically need it. Even then, you should allow it to come in only to specific hosts.
Disable all unneeded TCP/UDP small services, such as echo (port 7) and chargen (port 19); about their only practical use today is to reflect or amplify attack traffic.
Establish a baseline of your network protocols and traffic patterns before a DoS attack occurs. That way, you know what normal looks like and what to look for. And periodically scan for such potential DoS vulnerabilities as DoS agents (bots) that an attacker has installed on your own network hosts.
Work with a minimum necessary mentality (not to be confused with having too many beers) when configuring your network devices, such as firewalls and routers:
Identify traffic that is necessary for approved network usage.
Allow the traffic that’s needed.
Deny all other traffic.
If worse comes to worst, you'll need to work with your ISP to see whether they can block or rate-limit the attack traffic on their end, upstream of your link. Once a flood saturates your Internet connection, nothing you do on your own firewall can help.
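As an added example that is not from the original page, here is the decision logic behind the anti-spoofing, ICMP, and minimum-necessary items in the list above, modelled in Python so that you can test the policy against constructed packets before translating it into your firewall's own rule syntax. The public block 198.51.100.0/24, the hosts, the allow list, and the sample packets are all hypothetical.

```python
# Added example (not from the original page): a small "policy as code" model of
# the inbound filtering described in the countermeasures list. Rules are
# evaluated in the order a border firewall should apply them: anti-spoofing
# first, then explicit allows (with ICMP confined to named hosts and types),
# then deny everything else. The network, hosts and allow list are hypothetical.
import ipaddress

# Hypothetical public block owned by the organization; packets arriving from
# the Internet must never claim to come from it.
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Ranges that can never be a legitimate source on the external interface
# (loopback, RFC 1918 private space, link-local, multicast, reserved, "this" net).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Traffic that approved network usage actually needs: (protocol, host, port).
ALLOW = [
    ("tcp", "198.51.100.10", 80),
    ("tcp", "198.51.100.10", 443),
    ("udp", "198.51.100.20", 53),
]
ICMP_HOSTS = {"198.51.100.10"}  # the only hosts allowed to receive inbound ICMP
ICMP_TYPES = {"echo-request"}   # and the only ICMP type they may receive


def is_spoofed_source(src):
    """True if an IPv4 address arriving from the Internet cannot be genuine:
    it is in our own address space or in a private/non-routable range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGONS + INTERNAL_NETS)


def filter_inbound(pkt):
    """Decide the fate of one packet on the external interface.

    pkt is a dict with "src", "dst", "proto" and, depending on the protocol,
    "dport" or "icmp_type". Returns (verdict, reason) where verdict is
    "accept" or "drop".
    """
    if is_spoofed_source(pkt["src"]):
        return ("drop", "spoofed source " + pkt["src"])
    proto = pkt["proto"]
    if proto == "icmp":
        if pkt["dst"] in ICMP_HOSTS and pkt.get("icmp_type") in ICMP_TYPES:
            return ("accept", "icmp " + pkt["icmp_type"] + " allowed to " + pkt["dst"])
        return ("drop", "icmp not permitted to " + pkt["dst"])
    if (proto, pkt["dst"], pkt.get("dport")) in ALLOW:
        return ("accept", f"{proto}/{pkt['dport']} to {pkt['dst']} is approved")
    return ("drop", "default deny")  # anything not explicitly needed


def apply_policy(packets):
    """Run every packet through the policy and return the verdicts in order."""
    return [filter_inbound(p) for p in packets]


# Constructed sample packets, as they might arrive on the external interface.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "198.51.100.10", "proto": "tcp", "dport": 443},        # real HTTPS client
    {"src": "10.1.2.3", "dst": "198.51.100.10", "proto": "tcp", "dport": 443},           # private source: spoofed
    {"src": "198.51.100.77", "dst": "198.51.100.10", "proto": "tcp", "dport": 80},       # our own address from outside: spoofed
    {"src": "203.0.113.9", "dst": "198.51.100.10", "proto": "icmp", "icmp_type": "echo-request"},  # ping to the allowed host
    {"src": "203.0.113.9", "dst": "198.51.100.20", "proto": "icmp", "icmp_type": "echo-request"},  # ping to another host
    {"src": "203.0.113.9", "dst": "198.51.100.20", "proto": "udp", "dport": 19},         # chargen: not needed, so denied
    {"src": "127.0.0.1", "dst": "198.51.100.10", "proto": "tcp", "dport": 80},           # loopback source: spoofed
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, apply_policy(SAMPLE_PACKETS)):
        print(f"{verdict:6s} {pkt['src']:>14s} -> {pkt['dst']:14s} {pkt['proto']:4s} ({reason})")
```

The order matters: the spoofing check runs before the allow list, so a packet from 10.1.2.3 to an approved port is still dropped, and the ICMP branch returns before the default deny so that you get a specific reason in the log. The same three stages map directly onto the chains you would build in iptables or nftables.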