3 security objectives: IntegrityConfidentiality Availability. DoS targets availability.DoS is not used to gain unauthorized entry or information, just to mess it up.
Anonymous group did a DoS attack on MasterCard.com as a punishment for blockade of WikiLeaks bank transactions.
Saikiran Boga (B10010)
Vihari Piratla (B10030)
Vivek Vishwakarma (B10038)
Attack against availability
Not used to gain unauthorized entry, just to mess it up
“In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service
attack (DDoS attack) is an attempt to make a machine or network resource unavailable to
its intended users.”
Targets are sites or services hosted on high-profile webserver such as banks, credit
card payment gateways or even root nameservers
Any attack against availability is Denial of Service attack
Distributed DoS attack is DoS attack using multiple systems simultaneously to flood
the bandwidth or resources of a targeted system
Mount attack from single machine => DoS
Uses multiple compromised systems (for example botnets) => DDoS
DDoS is harder to track and shut down
Anti-competition business practices
Register your dissent!
Richard Stallman has stated DoS is a form of „Internet Street Protest‟
Punishment for undesired actions
DoS attack in online games to retaliate your competitor
A worm called MyDoom started propagating which had a real target in mind -
Targeting Microsoft Windows, became fastest spreading e-mail worm, estimated one
million computers around the world
By January 2004 rapid spread of worm slows overall internet performance by 10%,
average webpage load time by 50%, and responsible for 1 in 10 e-mails at this time
As February 1 arrives millions infected computers launch a Denial Of Service (DOS)
attack against SCO
SCO Group offered a reward of $250,000 for information leading to arrest the worm‟s
Damage and total cost estimates from MyDoom are still in progress, but CEI now
estimates the total may exceed $ 4 billion, making it one of the most costly cyber attacks
Two general form of DoS –
Those who crash services
Those who flood services
Consumption of computational resources such as bandwidth, disk space or processor
Disruption of configuration information such as routing information
Disrupting physical network component or obstructing communication media between
the intended users and the victim
Most DoS attack involves IP address spoofing so location of the attacking machines
cannot easily be identified
Internet control Message Protocol (ICMP) flood.
Unintentional Denial of Service.
A smurf attack is one particular variant of a flooding DoS attack on the public Internet.
Works on the mechanism of flooding the victim‟s bandwidth.
Relies on broadcasting or misconfigured devices.
Attacker sends large number of ICMP echo requests to a broadcast address.
All the messages sent to the broadcast address have the source address spoofed to
that of the victims IP address.
All the reply messages target and flood the victim‟s address.
Used in identifying misconfigured networks and take appropriate actions.
Ping flood: sending the victim large number of ping packets.
Ping of death: sending malformed packet leading to victims system crash.
Multiple systems flooding the bandwidth or resources of a targeted system, usually a
single server or multiple servers.
Result of multiple compromised systems(ex: a botnet) flooding the targeted system
Stacheldraht tool is an example of DDoS.
Client program is used by the attacker to connect to handlers which are compromised
These handlers are then used to send commands to zombie agents, which carry the
Multiple machines can generate more attack traffic than one machine.
Turning off multiple machines is harder compared to turning off a single machine.
Each machine attack may be a stealthier attack, making hard to track and
Mere purchase of more bandwidth doesn‟t help, since the attacker can easily add
more attack machines.
Attacks web applications by starvation of available sessions on the web server.
Keeps sessions at halt using never-ending POST transmissions and sending arbitrarily
large content length header value.
Similar to Slowloris
Keeps server busy with less resources.
Sends partial HTTP requests, and continues to send subsequent headers at regular intervals to
keep sockets from closing.
Slow HTTP post: After the establishment of the connection
through headers, the actual content is sent at very low rates,
thus keeping the session open for prolonged time.
Situation where a website ends up denied not due to a deliberate attack by a single
individual or a group of individuals, but simple due to spike in popularity of the website
or a particular resource.
Usually due to potentially hundreds of thousands of users clicking some particular link
in a span of few hours, showing similar effect to that of a DDoS attack.
Occurs on a site that is less-prepared for to server large number of users.
Ex: Massive number of would-be youtube.com users accidentally typing utube.com
Done through exploiting bugs in peer-to-peer servers.
Usually and most of the attacks exploit DC++.
Attacker doesn‟t need to communicate with the client it want to attack.
Attacker plays the role of a puppet master.
Instructs the clients in large peer-to-peer network to connect to the victims website.
Typically a webserver can handle few hundred connections before performance
Server fails instantly under five or six connections per second.
Easy to identify using signatures, but the number of IP addresses to be blocked
Blocking through the use of signatures require the establishment of connection, then
transfer of signature, detection of the signature and finally turning down the
connection. Even this might utilize large number of resources.
Can be prevented by specifying the allowable ports.
Permanent DoS attack
Applications level floods
Slow Read Attack
Telephony DoS attack
Tough to detect, premises on the TCP response timeout calculation vulnerabilities.
Selection of timeout has to balance between
If set too low then spurious retransmissions as packets doomed lost and
Set too high unnecessary wait long for a lost packet.
minRTO was observed to be optimal at 1 sec [RFC2988]
Shrew attack contains short pulses of outages that will effectively decrease the
throughput and transmitting at the lowest possible speed.
The throughput of such a attack is RL/T
where R is the max capacity of the channel, L >RTT and T>minRTO, rtt is of order 10100ms and T is >= 1sec and hence lesser the RTT more effective the attack is. In
general the channel capacity is reduced to 1/10 th.
These are very tough to detect for their very nature of passiveness.
Firewall can be a one stop solution for many of these attacks.
Firewall is the network filters which decides whether to allow or discard a packet.
Effectively written firewalls can be tolerant to aggressive attacks like SYN floods
Botnets can be detected with Passive OS finger priniting.
Running malware detection on the computer periodically can reduce the vulnerability.
Some stateful firewalls, like OpenBSD's pf packet filter, can act as a proxy for
connections: the handshake is validated (with the client) instead of simply forwarding
the packet to the destination.
One basic obvious rule that should be made and works very well for some of the DoS
attacks is to keep count for the number of requests from a single client arriving at a
server, along with tracking of the state of the connection.
SYN flood can be mitigated by setting up a SYN proxy which sits before the webserver
and forward the request to the web server only when the ACK is received by the
To make sure that firewall itself doesn't run out of resources we first do ping to see
whether the address is up or exists, if exists then it lets the firewall wait for it, or else will
just remove that address.
Blacklisting the IP addresses can help in future processing of requests.
It is tough to detect the low rate DOS attacks with pattern detection, as they are not
aggresive and look quite normal.
It is possible to detect this attack with some known patterns of packet
acknowledgement. like shrew attack.
Many variants of TCP congestion protocol like TCP Tahoe and Reno, TCP vegas, TCP
cubic. None resistant to this.
Fair queuing in the routers, can recover 90% of the throughput.
randomizing minRTO. (uniformly choosing minRTO between (a,b) ) changing it can affect the
congestion, as 1 sec is an optimal value chosen. [RFC2988]
RTO = max (minRTO, SRTT + max (G, 4RTTVAR)), RTO could be chosen uniformly at
random from a range that depends upon minRTO and SRTT+ max (G, 4RTTVAR). For
instance, we could choose RTO to be in the range between 80% and 120% of max (minRTO,
SRTT + max (G, 4RTTVAR)). Doing this would imply that the timeouts at different times of a
TCP session would be different. This could prevent the DoS attacker from ever