CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)       9  1.4  Attacks            9  1.4.1  Denial of Service (DoS) / Distributed Denial of Service (DDoS)

An Early DDoS Attack 1 What Can I Do to Prevent DDoS Attacks?

Unfortunately, having sufficient bandwidth to cope with the flood of data is not necessarily enough to protect you. These attacks not only exhaust bandwidth, they can be specifically targeted to take down hosts on the network by resource exhaustion. For example, if XYZ Corp has a single web server sitting on a 10gigabit line to the Internet, it is unlikely that an attacker could summon enough DDoS clients to sufficiently exhaust the bandwidth on XYZ Corp’s network segment. However, they may attack the web server directly. To understand how this can be done, let’s briefly examine how the TCP protocol works, and explore how characteristics of the protocol can help an attacker stage an attack called a “SYN flood”.

When a user somewhere on the Internet wishes to view a web page on XYZ Corp’s web server, they type the domain name into their web browser. After name resolution has taken place, and the client machine knows the IP address of the web server, it sends a TCP SYN packet to it. The web server then allocates the client a port to communicate on and replies with a TCP SYNACK packet. Finally, under normal circumstances the client will reply with a TCP ACK packet; the TCP session will be established and the HTTP data will be transferred from web server to client. This SYN-SYNACK-ACK conversation is known as the TCP 3-way handshake.

One of the more famous DoS techniques is to modify this TCP 3-way handshake so that the opening part of the handshake, the Request to SYNchronize, is sent again and again, without closing the sequence by accepting the acknowledgment from the first request. The modified handshake is produced by a low-level program specifically designed to create the SYN Flood DoS situation by making repeated connections to a server and sending SYN requests, without terminating the TCP conversation properly with an ACK.

Since the server does not think that the conversation’s handshake has been completed, it keeps each SYN request in its table of “connections in progress.” As more and more partially open connection requests accumulate in the target’s system tables, the target eventually reaches the point of being unable to handle additional requests. When this happens, the server is unable to accept new connections, and thus, legitimate users are prevented from accessing the server. Generally the time that the TCP stack waits before resetting a port is more than enough for an attacker to send new requests to exhaust more resources. As you can see, this type of attack is called a SYN Flood, as flooding the target with SYN packets is precisely what it does.

There are many other variants on the DoS attack. ICMP (more commonly known as “ping”, after the command line tool) floods are used to send ICMP_ECHO packets to a single host, which quickly and exponentially exhausts bandwidth on the target host’s network. The reverse ICMP flood, or Smurf attack, sends a ping to the broadcast address of the target network. Because packets sent to the broadcast address are seen by and responded to by all hosts on the network, you potentially have hundreds of machines replying to one single ping packet. As you can imagine, this would also quickly exhaust the available bandwidth.

An Early DDoS Attack 1 What Can I Do to Prevent DDoS Attacks?