Computer Crime Research Center

etc/research2.jpg

Network security: DoS vs DDoS attacks

Date: December 02, 2005
Source: Computer Crime Research Center
By: Terrance A. Roebuck

The DoS Attack and The DDoS Attack

In its simplest form, a Denial of Service (DoS) attack is an attack against any system component that attempts to force that system component to limit, or even halt, normal services.

A DoS attack may be directed to a specific computer operating system, to a specific port or service on a targeted system, to a network, or network component, to a firewall or to any other system component. More obscure examples could include human-system communication processes, such as disabling a printer or alarm system, or even human-response systems, such as disabling a key technician's home phone or transportation. The key similarity in all of these examples is that, after a successful attack, the system does not respond to a request for service as before, and some expected service, or group of services, is denied or limited to authorized users.

In its simplest form, a Distributed Denial of Service (DDoS) attack is a DoS attack that occurs from more than one source, and/or from more than one location, at the same time. Often, the DDoS attackers are not aware that they are engaging in a DoS attack against a site, and are duped (technically or physically) into joining the attack by a third party.

"The reader should note that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered as a "High" threat". [1]

A simple analogy might clarify the difference between a DoS and a DDoS, and point out some interesting subtleties. If a bored teen-ager repeatedly 'prank' calls your telephone, you may soon get tired of answering, and may start to ignore subsequent incoming calls. The teenager has successfully performed a DoS attack on your telephone service, because you are denied normal telephone services (even though you denied them yourself, by choosing not to answer). However, it is easy to screen incoming calls from the teen-agers number, so in many cases, not all services are interrupted -- just incoming calls from a specific number. This also make the location of the attacker easy to trace, and therefore relatively easy to stop.

If, however, the teen-ager called a local radio station and duped them into believing that you had special concert tickets for sale at a very low price, causing your telephone number to be broadcast, you may be inundated with many 100's of calls, from many people. In this DDoS example, you are again denied normal phone services (the DoS component) but the distributed nature of the attack means that most calls that do not originate from a known number would need to be blocked, and if enough people responded, almost no calls could get through. In this case, questioning or tracing any of the apparent attackers is pointless, since they have been duped into calling, and have no evidence to offer at all about the identity of the real attacker. In fact, only the original point of attack (in this case, a call to the radio station) is of any interest in determining who attacked. The teenager may not have even phoned you (so the real attacker, the initiator of the DDoS, did not participate in the actual DoS attack).
Simple DoS and DDoS Attacks and Defenses

As can be deduced from the 'prank-call' analogy, DoS and DDoS attacks usually take advantage of the way a system is supposed to respond to stimulus and therefore exploit systemic weaknesses. The tools for a DoS and DDoS attack are very simple, the skills required to commit an attack is not high, and therefore, very difficult to defend against. Some authors claim that "the problem with denial of service on the Internet is that it is impossible to prevent".[2]

Consider this real example of an attack on an individual that shows a simple DDoS using email and useNet. An attacker, wishing to take revenge on a victim for some alleged slight, used a public access device (in this case, a system in a University library) to post a series of explicit pornographic images to a popular useNet discussion group (in this case, rec.travel.europe). The attacker forged the return address of the posting to be that of the victim (by changing the return address in the browser) and invited anyone wanting to see even more explicit pictures of young children to "just email me and I'll post'em". In this case, as investigated by the author, over a thousand email-messages flooded the victim's mailbox, the University abuse mailbox, the Office of the President of the University, the postmaster, and others on site within hours of the original posting. The only option was to change the email address of the victim and block incomming mail to the old address. These emails ranged from concerned messages, alerts and warnings, to extreme 'flames', virus-infected email, threats, solicitations as well as a lot of porn spam. The victim, a student, was traumatized by the incident and had emotional problems in dealing with the aftermath. Had the victim's email address been an integral part of their corporate advertising, printed on cards and documents, the damage may have been very expensive, as well. [3]

In this example, the systemic reaction of individual readers of the newsgroup to a pornographic posting was directed as a targeted attack towards one individual. The emails that arrived came from all over the world, without collusion to attack, or with knowledge that they were individually participating in an attack. The tools required were minimal (brief network and Usenet access) and the skill level required to perform the attack (simple email address forgery) was also low.

An examination of possible defenses to this example of a simple DDoS is also interesting. A firewall would not stop the initial attack/occurrence from happening (as the posting could have easily been made from outside the firewall; and even if inside, the firewall might well allow postings to Usenet groups from the site). A firewall would not block the distributed attack/response either unless all inbound email is denied. The attack is a 'data driven attack' [4] and the firewall would rightly pass the email (thought some firewalls might scan for virus attachments). As a result of this event, security on individual public access devices was tightened to make it harder to post a forged email (or in fact any email or Usenet posting) from a public device (and this could have been accomplished by a firewall). However, the root issue that made the attack work, the reaction of offended Usenet readers to 'flame' such postings, is beyond site control and systemic to the nature of the Internet. There does not seem to be any 'fix' for this vulnerability (since the original posting could take place from anywhere).
More Sophisticated DoS and DDoS Attacks

DoS and DDoS attacks take many forms and can be initiated in many ways, up to and including social engineering attack methods. These attacks frequently are initiated at the network packet level, and can be much more technical in nature.

More sophisticated DoS and DDoS attacks often rely on how packet-switching networks such as the Internet, and local networks such as Ethernet operate in order to perform their attack.

These DoS and DDoS attacks often use special techniques such as 'packet-forgery' (creation of a false packet), 'IP spoofing' (altering an IP address within a packet) and other packet-level attacks to initiate (or to continue) an attack. Simply put, the attacker does something on a network packet level that causes the target system, or some other component of an IT system to react, which in turn stimulates the attack on the target system. To understand how this works, you must consider how systems communicate with each other, both over a single segment of a local network, and over the Internet.
Network Communications - Ethernet

Ethernet communicates between systems by use of digital "packets" of information called frames. Each Ethernet "frame contains the destination address, source address type field and data. An Ethernet address is 6 bytes. Every device has it's own Ethernet address and listens for Ethernet frames with that destination address. All devices also listen for Ethernet frames with a wild-card destination address of FF-FF-FF-FF-FF-FF (in hexadecimal), called a 'broadcast address'. "

"Ethernet uses CSMA/CD (Carrier Sense and Multiple Access with Collision Detection) ... [so] ... that all devices communicate on a single medium, that only one device can transmit at a time, and that they can all receive simultaneously. If 2 devices try to transmit at the same instant, the transmit collision is detected and both devices wait a random (but short) period before trying to transmit again." [5]

A good analogy of Ethernet technology is the 'dark room' analogy presented in RFC1180.[6] This analogy likens an Ethernet to a group of people in a very dark room. Everyone in the room can hear everyone else talk (carrier sense). Everyone in the room can talk if they wish (multiple access) but because they are polite, they limit their conversations to short bursts. Impolite talkers are asked to leave the room (thrown off the Ethernet). It is impolite to talk while another is speaking, but if two start to talk at once, then both stop. After a random, but short amount of time, one or the other starts to talk again (they know about the simultaneous talking because each hears something that they did not say -- collision detection).

Everyone in the room has their own unique name (unique Ethernet address) and every time someone talks, they preface their conversation with the name of the person they are talking to...


Add comment  Email to a Friend

Discussion is closed - view comments archieve
2008-11-29 12:41:15 - very good article!!!... dmitriy
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo