DoS and DDoS Attacks
The most typical DoS and DDoS attacks are those that target specific services or the
infrastructure on which the service relies (such as memory, CPU, and bandwidth).
Attacking the Infrastructure
One of the easiest ways to attack the service infrastructure is to crash the server on which the
service runs or to allocate all available resources until nothing is left for legitimate service
requests.
[Figure (labels only): Web Server, "Bots", "Bot" Herder, Innocent User PCs]
DoS and DDoS Attacks 187
Common Flooding Attacks
The most common attack, called the TCP SYN attack, floods the service with TCP SYN
packets. For each SYN packet received, the server allocates resources for a new incoming
session and sends back a TCP SYN-ACK packet. An attacker simply ignores this (or the source
address was spoofed, so the reply wanders the Internet until its hop count expires). After a
while, the server runs out of session resources and stops answering requests.
Variants of the TCP SYN attack exhaust other TCP states, such as LAST-ACK, FIN-WAIT-1,
and so on. Also, in many cases, flooding a legitimate connection can disrupt or take down that
connection.
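The signature described above (many SYNs, few completed handshakes, many distinct sources) can be checked directly from packet summaries. The following Python script is an added example, not code from the book; it parses a constructed one-line-per-packet format (timestamp, source, destination, TCP flags) and reports, per listening socket, how many handshakes were left half-open and how many different client addresses sent SYNs. The traffic sample is built inside the script and uses documentation address ranges.

```python
import re
from collections import defaultdict

# One-line packet summaries in a constructed format (not a real capture):
#   <time> <src>:<sport> > <dst>:<dport> <flags>   with flags S, SA or A
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SA]+)$"
)


def parse(log_text):
    """Turn the summary lines into (ts, src, sport, dst, dport, flags) tuples."""
    pkts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        d = m.groupdict()
        pkts.append((float(d["ts"]), d["src"], int(d["sport"]),
                     d["dst"], int(d["dport"]), d["flags"]))
    return pkts


def half_open_stats(log_text):
    """Per (server IP, port): SYNs received, handshakes completed, half-open
    sessions left over, and how many distinct client addresses sent SYNs."""
    state = {}  # client 4-tuple -> "syn" (SYN seen) or "done" (final ACK seen)
    per_service = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set()})
    for ts, src, sport, dst, dport, flags in parse(log_text):
        key = (src, sport, dst, dport)
        svc = (dst, dport)
        if flags == "S":                      # client SYN: server must reserve state
            state[key] = "syn"
            per_service[svc]["syns"] += 1
            per_service[svc]["sources"].add(src)
        elif flags == "A" and state.get(key) == "syn":   # third packet of the handshake
            state[key] = "done"
            per_service[svc]["completed"] += 1
        # "SA" (the server's SYN-ACK) changes nothing we track here
    return {
        svc: {
            "syns": s["syns"],
            "completed": s["completed"],
            "half_open": s["syns"] - s["completed"],
            "distinct_sources": len(s["sources"]),
        }
        for svc, s in per_service.items()
    }


def flagged_services(stats, min_syns=20, max_completion_ratio=0.2):
    """Services whose handshakes mostly never complete: the pattern the text describes."""
    return [svc for svc, s in stats.items()
            if s["syns"] >= min_syns and s["completed"] / s["syns"] <= max_completion_ratio]


def build_sample():
    """Constructed traffic: two normal handshakes on port 80, one on port 22, and
    30 SYNs from 30 different source addresses that are never followed by an ACK."""
    lines = [
        "1.000 10.1.1.5:40001 > 192.0.2.10:80 S",
        "1.001 192.0.2.10:80 > 10.1.1.5:40001 SA",
        "1.002 10.1.1.5:40001 > 192.0.2.10:80 A",
        "1.005 10.1.1.6:40002 > 192.0.2.10:80 S",
        "1.006 192.0.2.10:80 > 10.1.1.6:40002 SA",
        "1.007 10.1.1.6:40002 > 192.0.2.10:80 A",
    ]
    for i in range(30):
        lines.append(f"{1.010 + i / 1000:.3f} 203.0.113.{i + 1}:{20000 + i} > 192.0.2.10:80 S")
        lines.append(f"{1.0105 + i / 1000:.4f} 192.0.2.10:80 > 203.0.113.{i + 1}:{20000 + i} SA")
    lines += [
        "2.000 10.1.1.5:40003 > 192.0.2.10:22 S",
        "2.001 192.0.2.10:22 > 10.1.1.5:40003 SA",
        "2.002 10.1.1.5:40003 > 192.0.2.10:22 A",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = half_open_stats(build_sample())
    for svc, s in stats.items():
        print(svc, s)
    print("flagged:", flagged_services(stats))
```

The thresholds in flagged_services are placeholders; on a real sensor they should be tuned against the service's normal completion ratio, and the distinct-source count is what separates a spoofed flood from a single misbehaving client.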
In some cases, it is possible to use new features in the various operating systems (OS) to
help mitigate these attacks. Examples include enabling SYN cookies in Linux or activating
the SynAttackProtect parameter in Microsoft Windows 2000 and Windows 2003 Server
OSs.
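To show why SYN cookies help, the following Python model (an added example, not from the book, and not the actual Linux or Windows implementation) contrasts a classic backlog, where every SYN reserves a slot until it completes or times out, with a listener that keeps no per-SYN state at all. The cookie layout used here (5 bits of time slot, 3 bits of MSS index, 24 bits of HMAC-SHA256 over the connection tuple and the client's initial sequence number) is a simplification chosen for illustration; the MSS table, the one-minute slot and the secret are constructed values.

```python
import hashlib
import hmac
import time

# Constructed MSS table: the cookie can only carry an index into it (3 bits here).
MSS_TABLE = [536, 1220, 1440, 1460]


class StatefulBacklog:
    """Classic behaviour: each SYN reserves a slot until the handshake completes
    or the entry times out. A flood of never-completed SYNs fills it."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.pending = {}  # client 4-tuple -> expiry time

    def on_syn(self, key, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if len(self.pending) >= self.capacity:
            return False  # backlog full: this SYN (perhaps a legitimate one) is dropped
        self.pending[key] = now + self.timeout
        return True


class SynCookieListener:
    """Keeps no per-SYN state: the SYN-ACK's sequence number is a keyed MAC over the
    connection tuple, and the final ACK is accepted only if it echoes a valid cookie."""

    def __init__(self, secret, now=None):
        self.secret = secret
        self.now = now or (lambda: int(time.time()))
        self.established = set()  # state exists only for completed handshakes

    def _mac24(self, src, sport, dst, dport, client_isn, counter):
        msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def on_syn(self, src, sport, dst, dport, client_isn, mss):
        """Return the ISN for the SYN-ACK. Nothing is stored."""
        counter = self.now() // 60                   # one time slot per minute
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
        mac = self._mac24(src, sport, dst, dport, client_isn, counter)
        return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Final ACK of the handshake: seq = client_isn + 1, ack = cookie + 1.
        Recompute the MAC and accept cookies from this minute or the previous one.
        Returns the negotiated MSS on success, None for a forged or stale cookie."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        counter_now = self.now() // 60
        for counter in (counter_now, counter_now - 1):
            if (counter & 0x1F) != slot:
                continue
            expected = self._mac24(src, sport, dst, dport, client_isn, counter)
            if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
                self.established.add((src, sport, dst, dport))
                return MSS_TABLE[mss_idx]
        return None


if __name__ == "__main__":
    srv = SynCookieListener(b"constructed-secret", now=lambda: 1_000_000)
    c = srv.on_syn("10.1.1.5", 40001, "192.0.2.10", 80, 12345, 1460)
    print("valid handshake, MSS:", srv.on_ack("10.1.1.5", 40001, "192.0.2.10", 80, 12346, c + 1))
    print("cookie for another port:", srv.on_ack("10.1.1.5", 40002, "192.0.2.10", 80, 12346, c + 1))
```

The trade-off the model makes visible is the one real implementations share: the cookie has room for only a few TCP options (here just an MSS index), which is why Linux turns cookies on only once the backlog is under pressure rather than for every connection.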
Another type of flooding attack is to generate lots of small packets and send them to a server
under attack. Routers and switches must spend a certain amount of time processing each
packet, and there is a limit on the number of packets each device can process each second.
This is usually specified as kilopackets per second (Kpps) or megapackets per second
(Mpps).
For example, a typical low-end enterprise router has a forwarding rate of about 100 Kpps.
A typical high-end Linux PC can easily generate up to 400 Kpps of small packets, which
easily overwhelms the router, even if the bandwidth that the packets use does not fill the
link.
The last type of attack used is to generate many large packets and send them to a server
under attack. Often, the servers being attacked are connected through medium-speed links
to the Internet (10 or 100 Mbps). If the links are filled with junk traffic, legitimate traffic
cannot pass.
Mitigating Attacks on Services
The most difficult attacks to mitigate are those that simulate real service requests. For
example, distinguishing between real users visiting a website and a zombie simulating
web traffic with HTTP GETs can be difficult. If enough zombies continuously generate real
service requests, the server becomes bogged down serving those requests, and legitimate
users get poor responses. Also, resource starvation can be a factor for some services (such
as IP telephony servers and DHCP servers).
An example of these attacks is the DHCP starvation attack. In this attack type, an attacker
generates many legitimate-looking DHCP requests, which, if processed, use up all the available IP
addresses in the network. This makes it impossible for real users to gain access to the
network, as there will no longer be any available IP addresses for them.
NOTE See Chapter 5, "Leveraging DHCP Weaknesses," for information about these attacks and
how they can be mitigated.
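On the DHCP server itself, starvation leaves a recognisable trace: a burst of DHCPDISCOVER messages from many never-before-seen client MAC addresses on one interface, followed by "no free leases" errors. The following Python script is an added example (not from the book or from Chapter 5) that measures that churn over constructed syslog-style lines in the ISC dhcpd message format; the interface names, MAC addresses and the ten-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines in the shape ISC dhcpd logs DHCPDISCOVER messages.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\w+)(?P<rest>.*)$"
)


def parse_discovers(log_text, year=2024):
    """Return (timestamp, interface, client MAC, pool_exhausted) for each DISCOVER line.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["iface"], m["mac"].lower(), "no free leases" in m["rest"]))
    return events


def mac_churn(events, window_seconds=10):
    """For each interface, the largest number of distinct client MACs seen in any
    window of window_seconds. Normal clients trickle in; starvation arrives in a burst."""
    by_iface = defaultdict(list)
    for ts, iface, mac, _ in events:
        by_iface[iface].append((ts, mac))
    result = {}
    for iface, evs in by_iface.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            macs = {mac for t, mac in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(macs))
        result[iface] = best
    return result


def exhausted_interfaces(events):
    """Interfaces on which the server already reported an empty pool."""
    return sorted({iface for _, iface, _, exhausted in events if exhausted})


def alerts(events, window_seconds=10, max_new_macs=10):
    """Interfaces whose MAC churn exceeds what the access segment could plausibly produce."""
    return {iface: n for iface, n in mac_churn(events, window_seconds).items() if n > max_new_macs}


def build_sample():
    """Constructed log: three ordinary clients on eth0 over ten minutes, then
    40 DISCOVERs from 40 different MACs on eth1 within five seconds and a pool-exhausted error."""
    lines = [
        "Jan 10 12:00:01 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0",
        "Jan 10 12:03:17 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0",
        "Jan 10 12:09:45 dhcp dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:03 via eth0",
    ]
    for i in range(40):
        sec = 30 + i // 8  # eight DISCOVERs per second
        lines.append(f"Jan 10 12:10:{sec:02d} dhcp dhcpd: DHCPDISCOVER from "
                     f"02:00:00:00:{i // 256:02x}:{i % 256:02x} via eth1")
    lines.append("Jan 10 12:10:36 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:28 via eth1: "
                 "network 10.0.1.0/24: no free leases")
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_discovers(build_sample())
    print("max distinct MACs per 10 s:", mac_churn(ev))
    print("pool exhausted on:", exhausted_interfaces(ev))
    print("alerts:", alerts(ev))
```

The churn figure is most useful when it can be tied back to a switch port; the same counting logic applied to the switch's DHCP snooping binding table or port-security counters localises the offending port rather than just the server interface.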
Another common attack is to use bots to repeatedly request large file downloads from a
server. This causes heavy disk access and CPU load on the server, resulting in its being
unable to process legitimate requests.
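Because each of these requests is individually valid, the server-side control that helps is a per-client budget rather than a signature: cap how many streams one client may hold open and how many bytes it may pull per unit time, so a handful of bots cannot monopolise disk and CPU. The following Python class is an added example (not from the book) of such a budget using a token bucket of bytes per client; the rates, burst size and stream cap are constructed values, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict


class DownloadBudget:
    """Per-client byte budget (token bucket) plus a cap on concurrent streams.
    Illustrative defender-side control; thresholds are placeholders."""

    def __init__(self, bytes_per_second, burst_bytes, max_streams, now=None):
        self.rate = bytes_per_second      # sustained bytes/s a single client may draw
        self.burst = burst_bytes          # bucket size: the most it can draw at once
        self.max_streams = max_streams    # open downloads allowed per client
        self.now = now or time.monotonic  # injectable clock for testing
        self.tokens = {}                  # client -> (tokens available, last refill time)
        self.streams = defaultdict(int)   # client -> currently open downloads

    def _refill(self, client):
        """Credit the client's bucket for the time elapsed since the last refill."""
        t = self.now()
        tokens, last = self.tokens.get(client, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        self.tokens[client] = (tokens, t)
        return tokens

    def start(self, client, size):
        """Admit a download of `size` bytes, or refuse it (the caller answers 429/503).
        Refusing keeps the request cheap: no file is opened and no bytes are read."""
        if self.streams[client] >= self.max_streams:
            return False
        tokens = self._refill(client)
        if tokens < size:
            return False
        self.tokens[client] = (tokens - size, self.now())
        self.streams[client] += 1
        return True

    def finish(self, client):
        """Release a stream slot when the download completes or the connection drops."""
        self.streams[client] = max(0, self.streams[client] - 1)


if __name__ == "__main__":
    clock = [0.0]
    budget = DownloadBudget(bytes_per_second=1_000_000, burst_bytes=50_000_000,
                            max_streams=2, now=lambda: clock[0])
    for n in range(4):
        print("request", n, "admitted:", budget.start("203.0.113.7", 20_000_000))
    clock[0] = 30.0
    budget.finish("203.0.113.7")
    print("after 30 s and one finished stream:", budget.start("203.0.113.7", 20_000_000))
```

Keying the bucket on client address is the simplest choice and is what the text's scenario calls for; behind a shared NAT or a CDN it over-counts, so a deployment would usually key on the authenticated session or the real client address passed by the edge proxy instead.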