Computer Crime Research Center


Network security: DoS vs DDoS attacks

Date: December 02, 2005
Source: Computer Crime Research Center
By: Terrance A. Roebuck

... with the name of the person they are talking to and their own name -- for example, "Hello Fred, this is Terry" (Ethernet destination and source address). If the sender wants to talk to everyone, they might say "Hello everyone, this is Terry" (broadcast message). In most cases, everyone in the room trusts everyone else that is in the room and they will usually be talking without a secret code (non-encrypted data communication is common). It is more difficult and takes longer to communicate if everything has to be coded and decoded (encryption means high system overhead).

To continue this analogy, imagine that a stranger has secretly entered the room (has tapped that Ethernet segment). The stranger may never broadcast any messages so no one knows that they are there, but because they are in the room, they can hear all the messages being sent in the room (their network card is said to be in promiscuous mode). They can understand any messages that are not in code (non-encrypted) but if they hear the key to the code then they can also decrypt the message. This stranger is said to be "sniffing" the network, and is listening for code information such as passwords or secrets such as confidential data or data encryption keys. Because the stranger never says anything, or interupts a conversation it is very difficult to detect that they are listening.

The stranger could decide to interrupt the communication in the room. One example is by talking all the time (continually broadcasting) so that no one else can talk (therefore causing a DoS to that segment of the Ethernet), another by somehow causing other persons in the room to talk continually to some one else (a DDoS).

The stranger could also use their voice impersonation skills to pretend to be someone else in the room (IP spoofing) or send false messages to someone else using a fake name (packet forgery). These approaches would be hard to trace back if the real person was to suddenly leave the room before the impersonation started (be denied access to the net or to be shut down by a directed DoS attack). The stranger could ask someone else in the room to do something for them such as send on a message to someone in another room (act as a router).

It should be noted that since (usually) the people in the room trust each other, the stranger's messages are (usually) considered as trusted messages.
Network Communications - IP, ARP and Routing

If only a few people wanted to talk, and they were always all in the same room, this conversation method might suffice. However there are many other people who also want to talk. If a room is too full, no meaningful conversations can take place as everyone is always being interrupted (network segment saturation). In addition, many people are remote - either physically in a different building or part of another company in the same building. These people need to talk to each other, and also to people far way.

To resolve this, we can imagine that people are meeting in other rooms at the same time (multiple network segments) and also in many different buildings (the Internet). There are many ways to assign people to different rooms within a building. The assignment of rooms could be purely arbitrary, or based on a physical location within a building, or rooms could be reserved for people who usually discuss the same topics. For example, one room might be reserved for salespersons from company X while another room might be reserved for company X accountants. Each room would have its own name. To allow as much growth as possible, each building (domain) could have as many rooms as needed (sub-nets), and any person could be identified by their complete building, room and name address (domain, sub-net and host or IP address).

In this expanded view of network communications, a more complete addressing structure is required to pass a message to someone else, especially when they are not in the same room. When a person in a room wishes to send a message (the data segment of a TCP/IP packet) to someone in another room, they need to supply more address information than that provided in a simple Ethernet frame. The speaker prepares a script (a packet) that they will read when they get a chance to speak in their room. The person speaks the entire script (a complete packet) if it is small enough (about 1500 bytes or less for an Ethernet). If their message is bigger, the speaker breaks the complete script up into smaller pieces (packet fragmentation) that are each spoken and later put back together when the recipient hears them all (packet re-assembly).

The process of getting the complete address for someone else is called ARP (Address Resolution Protocol). As the speaker prepares their script before speaking (creates an IP packet), they consult their address book (the local host ARP table) to look up the complete address for the recipient. The address book (ARP table) translates Ethernet addresses to IP addresses. If the address of the person is not in the table, the speaker broadcasts to their room (only) saying "Everyone, this is Terry - is anyone here known as "IP address"? If so, would you tell me your Ethernet address". The person who is known as "IP address" sends back a message with the required Ethernet address information and the ARP table is updated, allowing future messages to be created without a broadcast. Everyone else in the room also updates their local address books with the new information in case they need to communicate with that person later.

If the recipient is not in the same room, then the speaker knows that they can not communicate directly with them. The speaker will have to communicate indirectly, by getting someone else (a router) to relay the message to another room somewhere (within the building or even to another room in another building).

In order for this level of communication (Internet communication) to occur, one person in the room must act as a "router" of messages and agree to pass messages between rooms. The router must have connections in at least 2 rooms. For example, a person in the 'dark room' of an Ethernet might also have access to a mail slot (a gateway) that lets them send and receive postcards and letters to another router in another 'dark room'.

The speaker prepares a special address for these indirect messages, and speaks this message. In indirect communication, the speaker states a message of the form "Hello local router (Ethernet router destination address), pass this to personX, buildingY, RoomY (IP destination address), from Terry (Ethernet source address) person Y, buildingX, roomX (IP source address).

The person acting as a router repackages the message into a postcard that it can send out its mail slot. This may mean that the router will have to break up the original message into yet smaller pieces leaving the receiving router in the other room to reassemble them. This is dependant on the capacity of the router's 'mail slot' (the communications gateway to another network; for example, ATM packets, PPP and SLIP packets are all different sizes and are also dependant on connecting media - copper verses coax or fibre optic). The message as received at the destination router (after re-assembly if required) now looks something like "Hello Router2 (Ethernet router2 destination address), pass this to personX, buildinY, RoomY (IP destination address), from Router1 (Ethernet router 1source address) person Y, buildingX, roomX (IP source address). Router2 can now use their ARP table to send the message to personX and can update their ARP table so that replies (if any) to personY can be sent through the address of router1. If the address is not in router2's local address book, or personX is not in this room, the process is repeated until finally the message arrives at the right room.

By convention, we call a device that connects 2 (or more) sub-nets a router while a gateway is a special router that connects 2 (or more) networks. Routers and gateways can be programmed to allow or block specific communications attempts by examining details of the packet header information. This blocking is often referred to as 'firewalling' and a firewall can be as simple as a series of configuration rules in a router explaining what packets to pass (or deny). Usually, the firewall would not examine the contents of the message in deciding to deliver it or not. Much like the traditional surface mail, only the 'envelope information' is used to route the message within the room or deny delivery.

In summary then, people speaking in their own 'dark rooms' may send messages to other people in other 'dark rooms' by depending on a third party to re-transmit their packages of information. The person speaking the original message does not have to know the route the packet must take to reach the destination. The person sending the message relies on their own ARP table for addresses, and if not present, on the receipt of ARP information from other systems. They trust this ARP data because the other systems are trusted. The speaker assumes that the router is at the address found for it in their ARP table and assumes that the ARP table in the router is correct. After the message is spoken to the first router, the original speaker does not typically have the ability to control the route that the message may go to reach the destination. No confirmation is sent each step of the way -- the message is just passed on. The routers passing the message do not examine the contents of the message and all rely that the originating IP address is accurate. As routers fragment and re-assemble packets of data, they add and later remove their own envelope information (headers). The data part of a packet could itself include a packet (called IP tunneling).
Communications on the...

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2008-11-29 12:41:15 - very good article!!!... dmitriy
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo