Computer Crime Research Center


DoS attacks: crime without penalty

Date: March 16, 2005
Source: Computer Crime Research Center
By: Vladimir Golubev

Today it is quite difficult for an ordinary user to determine where an attack on his computer system may come from and how it will be carried out. Most often it is a virus attack, an Internet worm or a Trojan, spam, a DoS attack causing denial of service, theft of restricted information and, finally, internal threats.

Presently, one of the most widespread attacks is a distributed attack of the denial-of-service type (DoS attack). In recent years, media headlines have been full of mentions of DoS attacks. Every year these attacks cost companies millions of dollars and represent a serious threat to any computer system. Such attacks result in long system outages, lost profits and large volumes of work to identify the attack and to prepare adequate response measures. Essentially, a DoS attack hinders or completely blocks the servicing of valid users, networks, systems or other resources.

The aim of a DoS attack is to block the attacked system, i.e. to create conditions under which the remote computer is unable to exchange information with the outside world. This can be done in several ways: by creating a directed flood of requests (buffer overflow), or by exploiting errors in network protocols by sending malformed packets to the address of the target host. In the first case the host, swamped by requests, simply cannot maintain normal data transfer; in the second case, overflows occur in the request-processing mechanisms and cause system failure.

Most such attacks rely on vulnerabilities in the Internet protocols (TCP/IP), in particular in the way SYN requests are processed. The situation got worse when hackers began using false source addresses to stay anonymous, so that identifying the real perpetrators became significantly harder. All these trends have had a great impact on the Internet community and once more underlined the inadequacy of the security technologies applied on the World Wide Web. Although these attacks were theoretically predicted several years ago, only now can we appreciate the full danger they pose, especially to e-commerce and to the websites of large and medium-sized companies.

Many security experts believe that the number of such attacks is growing because of the rapid spread of Windows NT/XP systems and the expansion of the Internet. Windows is a potential target for many hackers. Moreover, many tools for DoS attacks are freely available, and little skill is required to use them.

DoS attacks are a powerful tool for criminals: it is often easier to halt a system or a network than to gain access to it. It is well known from the history of the Internet that the TCP/IP protocol suite was developed for an open and trusted community of users, and its latest version 4 inherited all the weaknesses of its predecessor. Moreover, many operating systems and network devices have flaws in their network stack implementations, which significantly reduces their ability to withstand DoS attacks. We have seen devices with out-of-date IP stacks halt simply on receiving an ICMP packet with an invalid parameter. Since so many tools exist for launching a DoS attack, it is very important to classify their types and to know how to detect and avert such attacks.

Most operating systems (from Windows to many versions of Unix), routers and network components that process packets at any level are vulnerable to DoS attacks. In general it is quite hard to prevent a DoS attack. However, restricting access to important accounts, resources and files, and protecting them from unauthorized users, can substantially hamper many DoS attacks. The number of DoS attacks keeps growing day by day. If a hacker cannot gain access to a computer, he tries to damage it with a DoS attack. This means that even when a system is properly protected, the hacker can still harm the company.

On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.

Common forms of denial of service attacks are:

Buffer Overflow Attacks

The most common kind of DoS attack is simply to send more traffic to a network address than the programmers who planned its data buffers anticipated someone might send. The attacker may be aware that the target system has a weakness that can be exploited or the attacker may simply try the attack in case it might work. A few of the better-known attacks based on the buffer characteristics of a program or system include:
- Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs
- Sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (ping) of death)
- Sending to a user of the Pine e-mail program a message with a "From" address larger than 256 characters

SYN Attack

When a session is initiated between the Transport Control Program (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can't be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. In general, this problem depends on the operating system providing correct settings or allowing the network administrator to tune the size of the buffer and the timeout period.
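The detection side of the half-open-connection problem described above, as an added example that is not part of the original article: it walks a constructed packet log (format assumed: timestamp, source, destination, TCP flags), keeps each SYN as a pending entry until the client's completing ACK arrives, expires entries after a SYN timeout like the one the article mentions, and flags destinations that accumulate too many unfinished handshakes. The threshold and timeout values are assumptions to be tuned to the listener's backlog.

```python
from collections import defaultdict

# Constructed sample log (not captured traffic), one packet per line:
#   <epoch_seconds> <src_ip:port> <dst_ip:port> <tcp_flags>
# Two clients complete the three-way handshake (S, SA, A); then six SYNs
# from different, presumably spoofed, sources arrive and never send the ACK.
SAMPLE_LOG = "\n".join(
    [
        "1000.0 198.51.100.7:40001 203.0.113.10:80 S",
        "1000.0 203.0.113.10:80 198.51.100.7:40001 SA",
        "1000.1 198.51.100.7:40001 203.0.113.10:80 A",
        "1001.0 198.51.100.8:40002 203.0.113.10:80 S",
        "1001.0 203.0.113.10:80 198.51.100.8:40002 SA",
        "1001.1 198.51.100.8:40002 203.0.113.10:80 A",
    ]
    + [f"1002.{i} 192.0.2.{i}:5000{i} 203.0.113.10:80 S" for i in range(6)]
)

SYN_TIMEOUT = 30.0         # assumed: seconds a half-open entry is kept, like the OS SYN timer
HALF_OPEN_THRESHOLD = 5    # assumed alert level; tune to the listener's backlog size


def half_open_connections(log_text, now):
    """Count, per destination, SYNs not yet completed by the client's ACK.

    Entries older than SYN_TIMEOUT are discarded, mirroring the timeout the
    article mentions; a flood shows up as many fresh, unfinished entries.
    """
    pending = {}   # (src, dst) -> time the SYN was seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        if flags == "S":
            pending[(src, dst)] = float(ts)
        elif flags == "A":              # third handshake step from the client
            pending.pop((src, dst), None)
    counts = defaultdict(int)
    for (_, dst), ts in pending.items():
        if now - ts <= SYN_TIMEOUT:
            counts[dst] += 1
    return dict(counts)


def syn_flood_suspects(log_text, now, threshold=HALF_OPEN_THRESHOLD):
    """Destinations whose half-open count reaches the threshold."""
    return sorted(dst for dst, n in half_open_connections(log_text, now).items()
                  if n >= threshold)
```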

Teardrop Attack

This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
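What a "plan for this situation" looks like in a reassembler, as an added example that is not part of the original article: fragments are modelled as (offset, More-Fragments flag, payload) with byte offsets for readability (real IP carries offsets in 8-byte units), and the reassembler refuses any fragment that overlaps data already placed, leaves a gap, or carries an inconsistent flag, instead of computing an overlap length that a confusing offset can drive negative. The sample fragment pairs are constructed, not captured traffic.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int     # byte offset of this fragment within the original datagram
    more: bool      # the IP "More Fragments" flag
    payload: bytes


class ReassemblyError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def reassemble(fragments):
    """Reassemble fragments, rejecting overlaps, gaps and bad flags.

    A naive reassembler trusts the offsets and copies (previous_end - offset)
    bytes of overlap; a fragment that starts inside the previous one but
    ends before it makes that length negative. Here each fragment must
    begin exactly where uncovered data starts, so such input is rejected.
    """
    ordered = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    for i, frag in enumerate(ordered):
        if frag.offset < 0 or not frag.payload:
            raise ReassemblyError(f"fragment {i}: bad offset or empty payload")
        if frag.offset < expected:
            raise ReassemblyError(f"fragment {i}: overlaps data before {expected}")
        if frag.offset > expected:
            raise ReassemblyError(f"fragment {i}: gap before offset {frag.offset}")
        is_last = i == len(ordered) - 1
        if frag.more == is_last:   # MF must be set on every fragment but the last
            raise ReassemblyError(f"fragment {i}: inconsistent More-Fragments flag")
        buf += frag.payload
        expected = frag.offset + len(frag.payload)
    return bytes(buf)


def is_teardrop(fragments):
    """True if the strict reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
    except ReassemblyError:
        return True
    return False


# Constructed sample input: a well-formed pair of fragments...
GOOD = [Fragment(0, True, b"A" * 16), Fragment(16, False, b"B" * 8)]
# ...and a teardrop-style pair whose second fragment lies inside the first.
TEARDROP = [Fragment(0, True, b"A" * 36), Fragment(24, False, b"B" * 4)]
```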

Smurf Attack

In this attack, the perpetrator sends an IP ping (or "echo my message back to me") request to a receiving site. The ping packet specifies that it be broadcast to a number of hosts within the receiving site's local network. The packet also indicates that the request is from another site, the target site that is to receive the denial of service. (Sending a packet with someone else's return address in it is called spoofing the return address.) The result will be lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.

Viruses

Computer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but is simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can range from hardly noticeable all the way to disastrous.

Physical Infrastructure Attacks

Here, someone may simply snip a fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.

A traditional DoS attack is carried out from one computer. However, a new kind of DoS attack appeared in 2001: the distributed denial of service attack (DDoS). On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system's legitimate users.

A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.

While the press tends to focus on the target of DDoS...


2008-11-28 21:37:57 - It's nice.... it helped me with my project... kahmille
2005-09-01 19:58:08 - Very nice Mira
Copyright © 2001-2013 Computer Crime Research Center