Friday, December 10, 2010

Denial of Service (DoS) Tools

Denial of Service (DoS) attacks render a computer service incapable of responding to service requests in a timely manner.* DoS software is a tool that can be used by cyber attackers, hackers, sysadmins and spammers.**

A DoS attack works by corrupting routing devices, electronic mail servers or Domain Name System (DNS) servers, with the following effects:
1. Consumption of computing resources, such as bandwidth, disk space, or processor time;
2. Disruption of configuration information, such as routing information;
3. Disruption of state information, such as unsolicited resetting of TCP sessions;
4. Obstruction of the communication channels between the intended users and the target that has been disrupted.

DoS can be induced by methods such as:
1. A “Trojan” is installed and activated;
2. A “Ping of Death” is generated. This sends a very large Internet Control Message Protocol (ICMP) packet so that a buffer on the server overflows;
3. A SYN Flood takes place: SYN packets keep being sent, tying up the service until each half-open handshake times out. SYN is the first step of the TCP/IP three-way handshake used when a connection is established.

A simplified version of DoS is shown below:

There are many variations of how a DoS attack can be carried out:***
1. ICMP flooding
2. Teardrop attacks
3. Peer-to-peer attacks
4. Permanent damage attacks
5. Application-level flooding
6. Distributed attacks
7. Reflected attacks
8. Degradation-of-service attacks
9. Blind denial of service.

Firewalls and system patches can defend against DoS attacks that rely on malformed packets. However, if the DoS attack saturates bandwidth there is very little a defender can do except shut down and reroute transactions to an alternative site while activating “Snort” software.

Snort is a network intrusion detection system (NIDS) which has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.
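The SYN flood described above and the real-time traffic analysis that Snort performs both come down to the same observation: a flood leaves many handshakes half-open, while legitimate clients finish theirs. The detector below is an added example, not code from the original post or from Snort; it runs over a constructed packet log (the line format is assumed) and flags destinations that receive many SYNs in a time window that the clients never complete with their ACK:

```python
from collections import defaultdict

# Constructed sample packet log (not from the original post). One line per packet:
# "<epoch_seconds> <src_ip>:<src_port> <dst_ip>:<dst_port> <tcp_flags>"
# Lines 1-4: one normal client handshake (S, SA, A) followed by a data packet (PA).
# Remaining lines: 120 SYNs from spoofed 203.0.113.x sources that never ACK back.
SAMPLE_LOG = "\n".join([
    "1291968000 10.0.0.5:34000 192.0.2.10:80 S",
    "1291968000 192.0.2.10:80 10.0.0.5:34000 SA",
    "1291968000 10.0.0.5:34000 192.0.2.10:80 A",
    "1291968001 10.0.0.5:34000 192.0.2.10:80 PA",
] + [f"{1291968000 + i // 40} 203.0.113.{i % 250 + 1}:{40000 + i} 192.0.2.10:80 S"
     for i in range(120)])


def detect_syn_floods(log_text, window=10, min_syns=100, max_completion=0.2):
    """Return {(dst, window_start): stats} for destinations that saw at least
    `min_syns` SYNs in a `window`-second bucket while at most `max_completion`
    of those handshakes were finished by the client's ACK (step 3 of 3)."""
    syns = defaultdict(int)        # (dst, bucket) -> SYNs seen
    completed = defaultdict(int)   # (dst, bucket) -> handshakes completed
    sources = defaultdict(set)     # (dst, bucket) -> distinct client IPs
    pending = {}                   # (src, dst) -> bucket of the unanswered SYN

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        bucket = int(ts) // window
        if flags == "S":                        # SYN without ACK: handshake step 1
            pending[(src, dst)] = bucket
            syns[(dst, bucket)] += 1
            sources[(dst, bucket)].add(src.rsplit(":", 1)[0])
        elif "A" in flags and "S" not in flags and (src, dst) in pending:
            completed[(dst, pending.pop((src, dst)))] += 1   # client's ACK: step 3

    alerts = {}
    for key, count in syns.items():
        done = completed[key]
        if count >= min_syns and done / count <= max_completion:
            dst, bucket = key
            alerts[(dst, bucket * window)] = {
                "syns": count, "completed": done, "sources": len(sources[key])}
    return alerts


if __name__ == "__main__":
    for (dst, start), info in detect_syn_floods(SAMPLE_LOG).items():
        print(f"possible SYN flood against {dst} starting t={start}: {info}")
```

The thresholds are assumptions to tune per host; the completion ratio, not the raw SYN count, is what separates a flood from a busy but healthy server.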

DoS software is easily available from many sources and can be downloaded from web pages such as:
A. The DoS Project's “trinoo” distributed denial of service attack tool, analysed by David Dittrich from the University of Washington.****
B. “knight.c” is a downloadable, powerful DoS client.*****
C. DoSHTTP 2.5.1 can be used for a Distributed Denial of Service (DDoS) attack.******
D. LOIC performs a distributed denial-of-service (DDoS) attack on the target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host. Downloadable from http://sourceforge.net/projects/loic/.

SUMMARY
From the standpoint of the DoD, DoS attacks represent the most serious threat to maintaining continuity of operations without disruption. In case of warfare there is no question that an adversary’s first move would be to launch DoS attacks on DoD networks. The purpose would be to interfere with command and control communications. How defenses would be mounted is beyond the scope of this blog.


* http://staff.washington.edu/dittrich/misc/ddos/
** http://www.nmrc.org/pub/faq/hackfaq/hackfaq-05.html. NMRC is the Navy Medical Research Center.
*** http://en.wikipedia.org/wiki/Denial-of-service_attack
**** http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
***** http://packetstormsecurity.org/distributed/knight.c
****** http://www.bestsoftware4download.com/software/t-free-doshttp-download-tblabqto.html