Computer Crime Research Center


Network security: DoS vs DDoS attacks

Date: December 02, 2005
Source: Computer Crime Research Center
By: Terrance A. Roebuck

... command is used to determine if a machine is available. The PING application communicates directly with ICMP by sending an ICMP packet of type=8 (Echo Request) and receiving back a packet of type=0 (Echo Reply).

A well-known DoS is the "Ping of Death". The default packet size for ping is 56 bytes. In most systems, it is possible to set the packet data size from the command line. In many cases (especially Macs and Windows 95 systems) PING is unable to handle an incoming packet size of 1024 bytes or larger, and the system crashes.

This attack is primarily an insider attack in that "most network managers block incoming pings (type=8), but allow ping responses (type=0). Therefore hackers have begun using ping replies as ways of bypassing firewalls. For example, in the massive DDoS attacks against internet sites, commands could be embedded in ping responses, and floods of responses were directed against the sites in order to clog their Internet connections." [23] Another variation of a PING attack is the 'smurf' attack, which operates much like the aforementioned 'fraggle'; it is used as a DoS or DDoS in combination with an echo and/or broadcast to flood a victim with multiple PING responses.

As mentioned, attacks against DNS are common. ICMP level attacks against DNS include Source Quench (ICMP type=4) which are, in theory, "... supposed to be transmitted by routers/destination when traffic level exceeds a certain threshold. Many systems today, however, do not generate them. ... However, hosts still react to Source Quenches by slowing communications, so they can be used as a denial of service. If a DoS is suspected, the source address of the packets will be meaningless, because the IP addresses are spoofed." [24] A variation of a Source Quench attack is ICMP Host Unreachable (type=3 code=1) and ICMP Port Unreachable (type=3 code=3) which can be used as a system (or application) specific DoS.

It is clear that ICMP is one of the most abused and dangerous of the IP protocols. ICMP security is also extremely difficult to manage because of the critical role that ICMP plays in message delivery. "The correct configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the 'control messages' for TCP/IP. If you block some incoming ICMP, then you will block communication." [25] "ICMP cannot simply be abandoned like so many other insecure Internet services because it is so deeply embedded in IP. ... The Internet Control Message Protocol is both necessary to Internet operation and a potentially hazardous source of corruption, denial of services, and information leakage. If properly managed, networks can be kept reasonably secure from threats resulting from ICMP; however, few current networks are properly configured." [26]

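The filtering trade-offs discussed in the preceding paragraphs (echo request vs. echo reply, oversized echo messages, Source Quench and the Destination Unreachable codes) can be made concrete in a small ICMP classifier. The following is an added example written for this page, not code from the article or its cited sources. It parses the 8-byte ICMP header, verifies the Internet checksum, and applies an assumed local policy: inbound type=8 is dropped, echo messages of 1024 bytes or more are dropped, Source Quench (type=4) is ignored, type=3 code=1/3 is allowed but rate-limited, and inbound replies carrying more than the default 56 bytes of data are logged. The sample messages are constructed in memory for the filter; nothing is transmitted.

```python
import struct

# ICMP type and code numbers cited in the article (RFC 792 values).
ECHO_REPLY, DEST_UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST = 0, 3, 4, 8
HOST_UNREACHABLE, PORT_UNREACHABLE = 1, 3      # codes under type 3
DEFAULT_PING_DATA = 56                          # default ping payload quoted in the article
OVERSIZED = 1024                                # article's "1024 bytes or larger" crash threshold


def internet_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 1071).
    Over a message whose checksum field is already filled in, a valid message gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(typ: int, code: int, data: bytes, rest: bytes = b"\x00" * 4) -> bytes:
    """Assemble a well-formed ICMP message (header + data) with a correct checksum.
    Used here only to construct in-memory samples for the filter; nothing is sent."""
    header = struct.pack("!BBH", typ, code, 0) + rest
    csum = internet_checksum(header + data)
    return struct.pack("!BBH", typ, code, csum) + rest + data


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    typ, code, _csum = struct.unpack("!BBH", msg[:4])
    return {"type": typ, "code": code,
            "checksum_ok": internet_checksum(msg) == 0,
            "data_len": len(msg) - 8}


def filter_icmp(msg: bytes, inbound: bool) -> str:
    """Return the filter decision for one ICMP message. The policy is an assumption for
    this example, mirroring the filters the article discusses."""
    m = parse_icmp(msg)
    t, c = m["type"], m["code"]
    if not m["checksum_ok"]:
        return "drop: bad checksum"
    if t in (ECHO_REQUEST, ECHO_REPLY) and len(msg) >= OVERSIZED:
        return "drop: oversized echo (Ping of Death)"
    if t == ECHO_REQUEST and inbound:
        return "drop: inbound echo request"
    if t == SOURCE_QUENCH:
        return "drop: source quench"       # hosts should not slow down on unauthenticated quenches
    if t == DEST_UNREACHABLE and c in (HOST_UNREACHABLE, PORT_UNREACHABLE):
        return "allow (rate-limit): destination unreachable code %d" % c
    if t == ECHO_REPLY and inbound and m["data_len"] > DEFAULT_PING_DATA:
        return "allow (log): echo reply with %d bytes of data" % m["data_len"]
    return "allow"


# Constructed sample messages (not captured traffic).
tampered = bytearray(build_icmp(ECHO_REPLY, 0, b"x" * DEFAULT_PING_DATA))
tampered[-1] ^= 0xFF                              # corrupt the last data byte
SAMPLES = {
    "outbound ping":    (build_icmp(ECHO_REQUEST, 0, b"x" * DEFAULT_PING_DATA), False),
    "inbound ping":     (build_icmp(ECHO_REQUEST, 0, b"x" * DEFAULT_PING_DATA), True),
    "normal reply":     (build_icmp(ECHO_REPLY, 0, b"x" * DEFAULT_PING_DATA), True),
    "large reply":      (build_icmp(ECHO_REPLY, 0, b"x" * 200), True),
    "ping of death":    (build_icmp(ECHO_REPLY, 0, b"A" * 1100), True),
    "source quench":    (build_icmp(SOURCE_QUENCH, 0, b"\x00" * 28), True),
    "port unreachable": (build_icmp(DEST_UNREACHABLE, PORT_UNREACHABLE, b"\x00" * 28), True),
    "corrupted reply":  (bytes(tampered), True),
}


def run_samples() -> dict:
    """Apply the filter to every constructed sample and return the decisions by name."""
    return {name: filter_icmp(msg, inbound) for name, (msg, inbound) in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print("%-18s -> %s" % (name, decision))
```

The ordering of the checks matters: a malformed message is rejected before any type-specific rule, and the size check runs before the direction check so that an oversized reply is not waved through merely because replies are permitted.
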
Other Security Issues with IP

As mentioned, "a 'smurf' is a ping (ICMP Echo Request) whereas a 'fraggle' is a UDP port#7/echo." These attacks are similar in that they rely on volume to flood a victim and deny services.

Using configuration rules in routers, it is possible to 'amplify' the effects of smurf and fraggle attacks. Amplified DoS attacks use broadcasts to cause many machines to respond to the (spoofed) victim's request, flooding it. "In IP, a directed broadcast has all the 'host' bits set to either 1 or 0. This means that an address that looks something like 192.0.2.0 or 192.0.2.255 is likely a broadcast. ... If that router has this (address) configured as a broadcast in its routing table, it will forward the single IP packet as a broadcast on that (Ethernet) segment, causing all systems on that (Ethernet) segment to receive the packet" [27], thereby vastly increasing the number of systems that join in the DDoS.

This points out a typical combination of issues that are exploited to create the attack. Firstly, the echo or ping service is available, and secondly, the router accepts certain addresses as 'broadcast' addresses and sends packets to all systems on the subnet.

Role of the Firewall in DoS and DDoS

DoS and DDoS attacks may be internal or external. That is, both the attacker and the target may be internal systems ('behind' the firewall), an external attacker may target internal systems, or an internally originated attack may target external systems.

The role of a corporate firewall in limiting DoS and DDoS attacks is of primary concern when the attack passes the firewall barrier (incoming or outgoing). In the case of some DoS and DDoS attacks, this might never happen, or happen only as a data-driven attack that the firewall passes through. In the case of some direct routing attacks, especially against private network space, a firewall may actually aid the attacker, since the firewall may be the only router available to the attacker that knows about the systems behind it. Further, as discussed earlier, some packets (such as ICMP) must be allowed but may be part of a DoS. Any firewall that is misconfigured, or that grants certain trusted hosts beyond the firewall high access, can be subjected to a spoofed packet attack (appearing to be from the trusted host).

Source routed packets are packets that demand that they be sent through a particular router to their destination. There does not seem to be any reason to allow source routed packets, and routers and firewalls should be configured to ignore them.

Failure to do so can result in several harmful effects.

Packets can be source routed to evade firewalls if a path is known.

Packets can invade private network space (10.x.x.x for example) by bouncing off the firewall: packets are sent to the host by source routing them to the firewall, which acts as a router that knows about 10.x.x.x.

Packet routing through a trusted host using IP spoofing will also allow a packet to bypass a firewall.

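Both the directed-broadcast amplification described under "Other Security Issues with IP" and the source-routing bypasses listed just above come down to decisions a router or firewall can make from the IPv4 header alone. The following is an added example for this page, not the article's or any vendor's code. It walks the IPv4 options field to detect the Loose (0x83) and Strict (0x89) Source Route options, rejects packets addressed to the all-ones or all-zeros host address of a configured segment, and refuses inbound packets for RFC 1918 space that the firewall would otherwise route inward. The segment list, the private ranges, and the sample headers are constructed for the example; the header checksum is left unverified so that the routing decisions stay in focus.

```python
import ipaddress
import struct

# IPv4 option type octets (RFC 791): loose and strict source routing, end of list, no-op.
LSRR, SSRR, EOOL, NOP = 0x83, 0x89, 0x00, 0x01

# Constructed configuration (assumptions for this example): the Ethernet segments this
# router/firewall serves, and the private address space that lives behind it.
SEGMENTS = [ipaddress.ip_network("192.0.2.0/24")]
PRIVATE = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16")]


def ipv4_options(header: bytes):
    """Yield the type octet of every option in an IPv4 header (header is IHL*4 bytes)."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL or truncated header")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:
            break
        if t == NOP:                      # single-octet option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed option at offset %d" % i)
        yield t
        i += opts[i + 1]


def filter_ipv4(header: bytes, inbound: bool) -> str:
    """Decide whether to forward a packet, applying the three rules from the text."""
    for opt in ipv4_options(header):
        if opt in (LSRR, SSRR):
            return "drop: source route option 0x%02x" % opt
    dst = ipaddress.IPv4Address(header[16:20])
    for net in SEGMENTS:
        # Host bits all 1 (modern) or all 0 (old BSD style) both count as a broadcast.
        if dst in (net.broadcast_address, net.network_address):
            return "drop: directed broadcast to %s" % net
    if inbound:
        for net in PRIVATE:
            if dst in net:
                return "drop: inbound packet for private space %s" % net
    return "allow"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no payload, checksum left 0) for the samples below."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary with EOOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


# LSRR option layout: type, length (3 + 4 per address), pointer, then the route list.
LSRR_OPTION = (bytes([LSRR, 11, 4])
               + ipaddress.IPv4Address("192.0.2.1").packed
               + ipaddress.IPv4Address("192.0.2.10").packed)

# Constructed sample headers (not captured traffic): (header, arriving from outside?)
SAMPLES = {
    "plain":              (build_ipv4("203.0.113.5", "192.0.2.10"), True),
    "directed broadcast": (build_ipv4("203.0.113.5", "192.0.2.255"), True),
    "source routed":      (build_ipv4("203.0.113.5", "192.0.2.10", LSRR_OPTION), True),
    "bounce into 10/8":   (build_ipv4("203.0.113.5", "10.1.2.3"), True),
    "internal to 10/8":   (build_ipv4("10.1.2.4", "10.1.2.3"), False),
}


def run_samples() -> dict:
    """Apply the filter to every constructed sample and return the decisions by name."""
    return {name: filter_ipv4(h, inbound) for name, (h, inbound) in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print("%-20s -> %s" % (name, decision))
```

The option walk deliberately raises on a length octet below 2 or a truncated option rather than skipping it, since a filter that silently stops parsing on malformed options can be talked past by exactly the packets it is meant to catch.
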
Conclusion

A firewall is not a panacea for packet level attacks. Consideration of possible attack types is required before the design of security rules in the firewall. Information on packet level attacks is readily available on the Internet, both in documentation form and in attack scripts that can be run with little effort or knowledge.

DoS attacks, and DDoS attacks are very difficult to stop, since all UDP services that respond to a packet can be victimized by a DoS attack against that port (and therefore a DDoS attack as well). Many TCP-based services can also be used as a basis for a DoS or DDoS attack.

As long as IP packets are considered "trusted" we will continue to see attacks based on the creation of false IP datagrams. IP version 6 (at the time of this writing, version 4 of IP is the standard) may offer some hope of DoS reduction. However, if implementation of IP6 is such that compatibility with IP4 is maintained, then problems could continue. The recent demise of the copyright on the RSA algorithms and the projected coming into Open-Source code of the RSA encryption software may also offer some hope that more packets will be encrypted.

However, IP protocol management is complex and technical. New exploits are arriving all of the time. Responses to these exploits require the prompt and proper application of system security patches and knowledgeable system management.

We are increasingly seeing that the availability of a computer system is becoming a corporate critical service and a successful DoS attack may have a major impact on a company's ability to respond to events (and on their share value and bottom line).

These factors, along with the difficulty of successfully managing systems and networks at any level seem to indicate that protocol level security issues and packet level denial of service attacks will remain critical for many years.



2008-11-29 12:41:15 - very good article!!!... dmitriy
Copyright © 2001-2013 Computer Crime Research Center