Denial of Service Attacks

Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
 Introduction
 Types of denial of service
 Protocol based
 ICMP based denial of service attack
 DHCP based denial of service attack
 Logic based
 Flood based
 SYN flood denial of service attacks
 Distributed denial of service attacks
 Defense Mechanisms
Denial of Service
 Making a resource unavailable, or deliberately withholding it to make it unavailable
 Example:
 1. Deliberate calls made to a person where he spends a lot of time just answering
 2. Putting a road blocker so that no vehicles are able to use a particular road
 3. Cutting a fiber cable and disrupting the communication
 Denial of service occurs in many situations; we particularly study computer or data network related denial of service
 Ex. SBI online banking service going offline
History of Denial Of Service
 In Dec 1987 an employee of IBM sent an email greeting for Christmas. This email message had some malicious code in it which automatically sent copies of itself to everyone in the contact book of the recipient
 The IBM mail server was exhausted of memory
 Many DoS attacks of the 90s were simple and launched from a single computer
 In 1997 – trinoo
 In 1998 – TFN
 In 2000 – TFN2K
 Year 2000 witnessed several massive scale attacks on sites like Yahoo, Amazon, Ebay and CNN.com
 American government and military sites have experienced attacks in the past
 Most recently the wikileaks site had a massive DoS attack against its web server
ICMP based Denial of Service
 ICMP messages are used for sending error messages
 They are also used for status information
 The PING utility uses ICMP ECHO REQUEST and ICMP ECHO REPLY messages
 In this case a powerful machine can send too many ping messages and hog the slower machine
 One of the earliest discovered attacks in networks
 Normally ping reply messages are more than the request messages
Smurf Attack
 A variation of the ICMP based attack
 Normally happens due to a misconfigured network
 Many networks allow ICMP broadcast request messages
 An attacker creates a spoofed ECHO REQUEST message with a spoofed source IP address (using the IP of a victim)
 Every machine on the network will hear the ping message
 All the replies go to the victim instead of the attacker
 For the victim all these are unsolicited messages
 Spends a significant amount of processing power, memory and time in handling these ping replies
 Cannot do any useful computation, thereby denying services to users
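The pattern a Smurf victim sees on the wire is a burst of ICMP echo replies it never asked for, from many different hosts. The following is an added example, not part of the lecture, of how a defender can flag that pattern from a packet summary: it tracks the echo requests "our" host (assumed to be 10.0.0.5) actually sent and counts replies that match no outstanding request. The record format and the sample packets are constructed for the example.

```python
# Added example (not from the lecture): flag unsolicited ICMP echo replies,
# the traffic pattern a Smurf victim sees. Assumptions: packets are given as
# text records "ts src dst icmp_type id seq" (constructed here, not captured)
# and "our" host is 10.0.0.5.
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample: one legitimate ping exchange from 10.0.0.5, then a
# burst of echo replies from 60 hosts that 10.0.0.5 never pinged.
SAMPLE_PACKETS = """
0.000 10.0.0.5 10.0.0.1 8 1 1
0.012 10.0.0.1 10.0.0.5 0 1 1
""" + "\n".join(
    f"{1.000 + i * 0.001:.3f} 192.168.1.{i + 1} 10.0.0.5 0 77 {i}"
    for i in range(60)
)

def parse(text):
    """Turn the text records into (ts, src, dst, type, id, seq) tuples."""
    pkts = []
    for line in text.strip().splitlines():
        ts, src, dst, typ, ident, seq = line.split()
        pkts.append((float(ts), src, dst, int(typ), int(ident), int(seq)))
    return pkts

def unsolicited_replies(pkts, our_ip, window=2.0):
    """Return (ts, src) for echo replies to our_ip with no matching
    outstanding request sent by our_ip within `window` seconds."""
    outstanding = {}   # (peer, id, seq) -> time the request was sent
    unsolicited = []
    for ts, src, dst, typ, ident, seq in pkts:
        if typ == ECHO_REQUEST and src == our_ip:
            outstanding[(dst, ident, seq)] = ts
        elif typ == ECHO_REPLY and dst == our_ip:
            sent = outstanding.pop((src, ident, seq), None)
            if sent is None or ts - sent > window:
                unsolicited.append((ts, src))
    return unsolicited

def detect_smurf(pkts, our_ip, bucket=1.0, threshold=20):
    """Group unsolicited replies into time buckets and report buckets over
    the threshold, with the number of distinct replying hosts: that number
    is high for a broadcast-amplified (Smurf) flood and low for one chatty peer."""
    sources = defaultdict(set)   # bucket start -> {src}
    counts = defaultdict(int)    # bucket start -> reply count
    for ts, src in unsolicited_replies(pkts, our_ip):
        b = int(ts // bucket) * bucket
        sources[b].add(src)
        counts[b] += 1
    return [
        {"start": b, "replies": counts[b], "distinct_sources": len(sources[b])}
        for b in sorted(counts) if counts[b] >= threshold
    ]

if __name__ == "__main__":
    for alert in detect_smurf(parse(SAMPLE_PACKETS), "10.0.0.5"):
        print(f"possible Smurf flood at t={alert['start']:.0f}s: "
              f"{alert['replies']} unsolicited replies from "
              f"{alert['distinct_sources']} hosts")
```

Run on the constructed sample, the single legitimate reply is matched and ignored, while the 60 replies in the second window are all unsolicited and come from 60 different sources, which is the signature to alert on (and, on the network side, the cue to check whether directed broadcasts are still permitted).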
DHCP Operation
DHCP Starvation Attack
 Consuming the IP address space allocated by a DHCP server
 An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
 The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
 Leads to DoS
 Can easily be achieved with tools such as gobbler
 Prevention
 Do not allow more than a certain number of requests per port
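To make the exhaustion and the per-port limit concrete, here is an added example (not from the lecture) that simulates a small DHCP pool: first an attacker requesting leases under many spoofed MACs from one switch port, then an honest client on another port. The network range, MAC addresses, port names and the limit of two clients per port are all constructed for the simulation; nothing touches a real network.

```python
# Added example (not from the lecture): a toy DHCP lease pool and the
# per-port request limit the slide proposes as prevention. All addresses,
# MACs and port names are constructed; this is a simulation, not network I/O.
import ipaddress

class DhcpPool:
    """Hands out one address per MAC until the pool is empty."""
    def __init__(self, network):
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.leases = {}          # mac -> ip

    def request(self, mac):
        if mac in self.leases:    # renewal: same address again
            return self.leases[mac]
        if not self.free:
            return None           # pool exhausted: this is the DoS
        ip = self.free.pop(0)
        self.leases[mac] = ip
        return ip

class PortLimitedDhcp:
    """Front the pool with the slide's mitigation: each switch port may
    originate at most max_per_port distinct DHCP clients; further requests
    from new MACs on that port are dropped before reaching the pool."""
    def __init__(self, pool, max_per_port=2):
        self.pool = pool
        self.max_per_port = max_per_port
        self.port_clients = {}    # port -> set of MACs seen on it

    def request(self, port, mac):
        seen = self.port_clients.setdefault(port, set())
        if mac not in seen and len(seen) >= self.max_per_port:
            return None           # dropped at the port, pool untouched
        seen.add(mac)
        return self.pool.request(mac)

def spoofed_mac(i):
    """Constructed, locally administered MAC addresses for the attacker."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)

def starvation(network="192.0.2.0/28", attacker_requests=100, per_port_limit=None):
    """Attacker floods from port Gi1/0/1, then one honest client asks from
    Gi1/0/2. Returns (leases the attacker obtained, honest client served?)."""
    pool = DhcpPool(network)
    honest_mac = "02:00:00:00:ff:ff"
    if per_port_limit is None:
        leased = sum(1 for i in range(attacker_requests)
                     if pool.request(spoofed_mac(i)) is not None)
        honest = pool.request(honest_mac)
    else:
        server = PortLimitedDhcp(pool, per_port_limit)
        leased = sum(1 for i in range(attacker_requests)
                     if server.request("Gi1/0/1", spoofed_mac(i)) is not None)
        honest = server.request("Gi1/0/2", honest_mac)
    return leased, honest is not None

if __name__ == "__main__":
    print("no limit:        attacker leases, honest served =", starvation())
    print("limit 2 per port: attacker leases, honest served =", starvation(per_port_limit=2))
```

With a /28 (14 usable addresses) and no limit, the attacker drains all 14 and the honest client gets nothing; with the limit, the attacker's port yields only two leases and the honest client is served. On real switches this is what DHCP snooping rate limits or port security MAC limits enforce.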
Flooding based Denial Of Service
 Send too many packets to overwhelm the recipient
 Victim spends a lot of time in responding and processing
 There are different types of flooding attacks
 SYN flood
 UDP flood
 Random flood
SYN Flood Attack
 Uses TCP connections
 Obviously too many of them, to make the victim unresponsive
Three-way Handshake
(Figure: client C and server S, with sequence numbers SEQ1 and SEQ2 initialized for the new connection. S starts in LISTEN. C sends SYN SEQ1; S allocates resources, enters SYN_RCVD and replies SYN SEQ2 + ACK SEQ1+1; C replies ACK SEQ2+1 and the connection is CONNECTED.)
How SYN Flooding Attack Works?
(Figure: an attacker, using spoofed addresses, sends SYN after SYN to a TCP port on the victim. The victim answers each with SYN + ACK and allocates resources for every half open connection, up to the limit on the number of half open connections. Victim: "I have ACKed these connections but I have not received an ACK back!")
Types of SYN Floods
 Direct attack
 Use your own machine to send SYN packets
 Need to somehow make the OS not respond to the SYN-ACK packets coming from the server
 The connect() socket call can be used to do this kind of attack
 Spoofing based attack
 Hides the identity of the attacker
 Shields the attacker from receiving SYN-ACKs
 The spoofed source should not respond to the SYN-ACK
 They will not respond in any way
 It is more effective if a non-existent IP address is chosen
 Ingress and egress filtering can be a deterrent
Distributed Denial of Service
Transmission Control Block
 TCB is a data structure holding resources in many Operating Systems
 The state of a connection is stored in this data structure
 How much memory each TCB takes
 Actual memory footprint depends on the implementation
 Usually it will be more than 280 bytes
 In some OSs it is 1300 bytes
 TCB is created upon arrival of a SYN packet, i.e., before a legitimate connection is established
 Opens scope for denial of service
SYN Flood Attack Parameters
 TCB becomes inactive or is deleted after a timeout, called the backlog
 Different OSs use different timeouts
 How does knowing the timeout help
 Can send a burst of SYN packets once, exhaust memory at the victim and wait till the timeout
 Periodically send such bursts, with a period equal to the timeout
 Default backlog timeout is 1028 Seconds
 You can change the value
Shrew Attacks
 Works on TCP
 Adds some intelligence to the SYN flooding attack
 TCP waits for some time before retransmitting lost packets
 Use this timing to generate a large number of packets
 Many connections drop
 Repeat the flood after RTT time
Other Flooding based DoS Attacks
 UDP Flood- send many UDP packets to the target
 ICMP Flood- send many ICMP packets to the target
 Random Flood- send randomly generated packets
Symptoms of Manifestation
 Slow network performance
 Non availability of certain online services and websites
 Increase in the amount of useless network traffic
 Consistently new IP addresses showing up
 Unusually high number of packets from a source
 Disconnection of a wired or wireless connection
Logic Based DoS : User Specified Object Allocation
    // Deliberately vulnerable: the client-supplied count is used as the
    // allocation size without any upper bound (or parse-failure) check
    String TotalObjects = request.getParameter("numberofobjects");
    int NumOfObjects = Integer.parseInt(TotalObjects);
    ComplexObject[] anArray = new ComplexObject[NumOfObjects];
Logic Based DoS : User Input as a Loop Counter
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.struts.action.ActionServlet;

    public class MyServlet extends ActionServlet
    {
        public void doPost(HttpServletRequest request,
                           HttpServletResponse response)
            throws ServletException, IOException
        {
            // ...
            // The client decides how many values arrive (null if the field is absent)
            String[] values = request.getParameterValues("CheckboxField");
            // Process the data without length check for reasonable range - wrong!
            for (int i = 0; i < values.length; i++)
            {
                // lots of logic to process the request
            }
            // ...
        }
        // ...
    }
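Both snippets above let the client choose how much work the server does. The following added example (not from the lecture, and not the servlet code above) restates the two patterns in Python as a vulnerable handler beside a bounded one: the count is parsed with an explicit range check and the list length is capped before any allocation or loop runs. The request shape (a dict of parameter name to list of values) and the limits of 1000 objects and 100 values are assumptions for the example.

```python
# Added example (not from the lecture): the two logic-based DoS patterns
# (user-chosen allocation size, user-sized loop) as a vulnerable handler and
# a bounded one. Request shape and limits are assumptions for the example.

MAX_OBJECTS = 1000      # assumed policy limit on objects per request
MAX_VALUES = 100        # assumed policy limit on checkbox values per request

class RequestTooLarge(ValueError):
    """Raised when a request asks for more work than policy allows."""

def vulnerable_handler(params):
    """Mirrors the slides: trusts the client's count and list length."""
    count = int(params["numberofobjects"][0])       # no range check
    objects = [object() for _ in range(count)]      # allocation sized by the client
    values = params.get("CheckboxField", [])
    processed = [v.upper() for v in values]         # loop sized by the client
    return len(objects), len(processed)

def parse_bounded_int(raw, lo, hi):
    """Parse a client-supplied integer and reject anything outside [lo, hi],
    including missing or non-numeric input."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        raise RequestTooLarge(f"not an integer: {raw!r}")
    if not lo <= n <= hi:
        raise RequestTooLarge(f"{n} outside allowed range {lo}..{hi}")
    return n

def hardened_handler(params):
    """Bounds both the allocation size and the number of values before
    doing any work, so a single request cannot dictate server cost."""
    raw = params.get("numberofobjects", [None])[0]
    count = parse_bounded_int(raw, 0, MAX_OBJECTS)
    values = params.get("CheckboxField", [])
    if len(values) > MAX_VALUES:
        raise RequestTooLarge(f"{len(values)} values, limit is {MAX_VALUES}")
    objects = [object() for _ in range(count)]
    processed = [v.upper() for v in values]
    return len(objects), len(processed)

if __name__ == "__main__":
    ok = {"numberofobjects": ["10"], "CheckboxField": ["a", "b"]}
    print("hardened, sane request:", hardened_handler(ok))
    for bad in ({"numberofobjects": ["100000000"]}, {"numberofobjects": ["-1"]},
                {"numberofobjects": ["abc"]}, {}):
        try:
            hardened_handler(bad)
        except RequestTooLarge as e:
            print("hardened rejected:", e)
```

The check belongs before the allocation, not after it; rejecting the request is cheap, whereas the vulnerable handler has already paid the cost by the time any later validation could run.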
Other Logic based Denial of Service Attacks – Appeared around 2000
 Teardrop- send oversized fragments which overlap each other's portions
 Crashed many OSs in the past
 Land- send an IP packet with the same source and destination IP address
 Many OSs crashed
 On a router it can create a loop consuming a lot of processing power and bandwidth
(Figure: a Land packet with source 10.10.10.10 and destination 10.10.10.10)
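Both of these are malformed packets a defender can recognise from header fields alone. The following added example (not from the lecture) runs two checks over parsed packet records: a Land check (source address equals destination address) and a Teardrop-style fragment check that reassembles each datagram's fragment list and reports overlapping or oversized fragments. The packet records are constructed dicts with fragment offsets given in bytes, an assumption made to keep the example readable (real IP headers carry the offset in 8-byte units).

```python
# Added example (not from the lecture): header-level checks for Land
# packets and Teardrop-style fragment overlap. Packet records are
# constructed dicts; offsets are in bytes (an assumption for readability).
from collections import defaultdict

MAX_DATAGRAM = 65535   # largest IPv4 datagram; anything ending past it is oversized

def is_land_packet(pkt):
    """Land: the packet claims to come from the address it is sent to."""
    return pkt["src"] == pkt["dst"]

def fragment_issues(frags):
    """Check one datagram's fragments (same src, dst, id). Returns a list of
    problems: fragments that extend past the maximum datagram size, and
    fragments whose byte range overlaps an earlier fragment."""
    issues = []
    end = -1   # highest byte offset covered so far
    for f in sorted(frags, key=lambda f: f["offset"]):
        stop = f["offset"] + f["length"]
        if stop > MAX_DATAGRAM:
            issues.append(f"oversized: fragment ends at byte {stop}")
        if f["offset"] < end:
            issues.append(f"overlap: fragment at {f['offset']} overlaps data up to {end}")
        end = max(end, stop)
    return issues

def scan(packets):
    """Run both checks; return alerts as (kind, detail) tuples."""
    alerts = []
    groups = defaultdict(list)   # (src, dst, id) -> fragments
    for p in packets:
        if is_land_packet(p):
            alerts.append(("land", f"{p['src']} -> {p['dst']}"))
        if p.get("mf") or p.get("offset", 0) > 0:   # part of a fragmented datagram
            groups[(p["src"], p["dst"], p["id"])].append(p)
    for (src, dst, ident), frags in groups.items():
        for issue in fragment_issues(frags):
            alerts.append(("teardrop", f"{src} -> {dst} id={ident}: {issue}"))
    return alerts

# Constructed sample: one Land packet, one datagram with overlapping
# fragments, one correctly fragmented datagram.
SAMPLE_PACKETS = [
    {"src": "10.10.10.10", "dst": "10.10.10.10", "id": 1, "offset": 0, "length": 40, "mf": False},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "id": 7, "offset": 0, "length": 1400, "mf": True},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "id": 7, "offset": 1000, "length": 600, "mf": False},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "id": 8, "offset": 0, "length": 1400, "mf": True},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "id": 8, "offset": 1400, "length": 200, "mf": False},
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PACKETS):
        print(f"{kind}: {detail}")
```

The fragment check is the same bookkeeping a reassembly buffer must do; modern stacks discard overlapping fragments rather than crash, but seeing them on the wire is still worth an alert because legitimate senders never produce them.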
Defending SYN Flood Attacks
 End Host Mechanisms
 Increase the backlog period
 More connections open means refusal of new requests
 Slightly counter intuitive
 SYN Cache - initially do not create a full fledged TCB
 SYN cookie
 Completely stateless - do not create any state or TCB till the connection is completely established
 Make the initial sequence number a function of the parameters of the packet
 Almost all IP spoofing mitigation techniques will also help mitigate DoS attacks
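To tie the TCB and backlog parameters from the earlier slides to the SYN cookie defence, here is an added example (not from the lecture, and not any kernel's implementation) that models both listeners side by side: a stateful one that allocates a TCB per SYN, keeps at most a fixed backlog of half-open entries and expires them on a timeout, and a stateless one whose initial sequence number is an HMAC of the packet's addresses, ports and a coarse time slice, so the final ACK can be verified without any stored state. The TCB size (280 bytes, the slides' lower bound), the backlog of 8, the timeout, the secret and all addresses are assumed values chosen to make the effect visible.

```python
# Added example (not from the lecture): a stateful half-open queue with a
# fixed backlog and timeout, beside a stateless SYN-cookie listener. TCB
# size, backlog, timeout, secret and addresses are assumed/constructed.
import hmac, hashlib, struct

TCB_BYTES = 280        # lower bound quoted on the slides
BACKLOG = 8            # deliberately small so exhaustion is visible
SYN_TIMEOUT = 60.0     # seconds a half-open entry is kept (assumed)

class StatefulListener:
    """Allocates a TCB on every SYN; refuses SYNs once the backlog is full."""
    def __init__(self):
        self.half_open = {}           # (src, sport) -> expiry time
    def expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}
    def on_syn(self, now, src, sport):
        self.expire(now)
        if len(self.half_open) >= BACKLOG:
            return False              # dropped: this is where honest clients lose
        self.half_open[(src, sport)] = now + SYN_TIMEOUT
        return True
    def on_ack(self, now, src, sport):
        self.expire(now)
        return self.half_open.pop((src, sport), None) is not None
    def memory_in_use(self):
        return len(self.half_open) * TCB_BYTES

SECRET = b"constructed-secret-rotate-me"   # real kernels rotate this key

def syn_cookie(src, dst, sport, dport, minute):
    """ISN = time slice in the top byte + 24 bits of HMAC over the 4-tuple
    and that slice. Nothing here needs to be remembered by the server."""
    msg = struct.pack("!4s4sHHI", bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))), sport, dport,
                      minute & 0xFFFFFFFF)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((minute & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

class CookieListener:
    """Stores nothing per SYN; a connection exists only when the final ACK
    carries a cookie this host could have issued in the current or previous
    minute (the window bounds how long an old cookie stays valid)."""
    def __init__(self, ip="10.0.0.5", port=80):
        self.ip, self.port = ip, port
    def on_syn(self, now, src, sport):
        return syn_cookie(src, self.ip, sport, self.port, int(now // 60))
    def on_ack(self, now, src, sport, ack):
        isn = (ack - 1) & 0xFFFFFFFF
        cur = int(now // 60)
        return any(syn_cookie(src, self.ip, sport, self.port, m) == isn
                   for m in (cur, cur - 1))
    def memory_in_use(self):
        return 0

def simulate(listener_cls, flood=50):
    """Spoofed SYN burst, then one honest client completing the handshake.
    Returns (honest client connected?, bytes of half-open state held)."""
    l = listener_cls()
    for i in range(flood):
        l.on_syn(1.0 + i * 0.001, f"203.0.113.{i % 250 + 1}", 40000 + i)
    honest, port, now = "192.0.2.33", 51515, 2.0
    if isinstance(l, CookieListener):
        isn = l.on_syn(now, honest, port)
        connected = l.on_ack(now + 0.05, honest, port, (isn + 1) & 0xFFFFFFFF)
    else:
        connected = l.on_syn(now, honest, port) and l.on_ack(now + 0.05, honest, port)
    return connected, l.memory_in_use()

if __name__ == "__main__":
    print("stateful backlog:", simulate(StatefulListener))
    print("SYN cookies:     ", simulate(CookieListener))
```

With the stateful listener the spoofed burst fills the backlog within milliseconds and the honest SYN at t=2s is refused until the timeout clears the entries, while the memory tied up is exactly backlog × TCB size. The cookie listener holds no state, so the burst costs it only the replies it sends and the honest client still completes; the trade-off, as with real SYN cookies, is that options negotiated in the SYN cannot be stored, which is why kernels enable them only on overflow.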
Playing With /proc Parameters
 /proc is a virtual file system created by the kernel when it boots
 Has different data structures and information gathered from the kernel at runtime
 Several configurable and non configurable parameters are there
 /proc/sys/net/ipv4 contains all the configurable settings for the IPv4 stack, including TCP, UDP, ICMP and ARP tunable settings
Playing With /proc Parameters
 tcp_abort_on_overflow 1000
 tcp_adv_win_scale – amount of socket buffer space to be used for the TCP window size
 tcp_fin_timeout – 60 seconds, how long to wait for an acknowledgement of a FIN request
 tcp_keepalive_probes- 50, tells the kernel how many TCP keepalive probes to send out before it decides a specific connection is broken
 tcp_keepalive_intvl- tells the kernel how long to wait for a reply on each keepalive probe
 tcp_keepalive_time- 7200 seconds, or 2 hours, how often to send TCP keepalive packets to keep a connection alive if it is currently unused
 tcp_max_orphans- 8192, tells the kernel how many TCP sockets that are not attached to any user file handle to maintain
Playing With /proc Parameters
 tcp_max_syn_backlog- 1028, how many SYN requests to keep in memory for which we have yet to get the third packet of the 3-way handshake
 tcp_syncookies- 0/1, used to send out so called syncookies to hosts when the kernel's SYN backlog queue for a specific socket is overflowed
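The tunables above are plain text files, so auditing a host's SYN-flood posture is a matter of reading them and comparing against a baseline. The following added example (not from the lecture) reads the parameters the slides name from /proc/sys/net/ipv4 when that directory exists and otherwise falls back to a constructed snapshot of a weakly configured host; the baseline thresholds are an assumed policy for the example, not kernel defaults.

```python
# Added example (not from the lecture): audit the IPv4 tunables the slides
# list against a hardening baseline. Baseline values are an assumed policy;
# the fallback snapshot is constructed so the audit also runs off-Linux.
import os

PROC_DIR = "/proc/sys/net/ipv4"

# (parameter, comparison, baseline, reason) -- assumed policy for the example
BASELINE = [
    ("tcp_syncookies",      "eq", 1,    "fall back to stateless SYN cookies when the SYN backlog overflows"),
    ("tcp_max_syn_backlog", "ge", 1024, "keep room for half-open connections during a burst"),
    ("tcp_fin_timeout",     "le", 60,   "do not wait longer than needed for the FIN acknowledgement"),
    ("tcp_keepalive_time",  "le", 7200, "probe idle connections at least every two hours"),
]

# Constructed snapshot standing in for /proc: a host with cookies off and a small backlog
FALLBACK_SNAPSHOT = {
    "tcp_syncookies": 0,
    "tcp_max_syn_backlog": 128,
    "tcp_fin_timeout": 60,
    "tcp_keepalive_time": 7200,
}

def read_tunables(names, proc_dir=PROC_DIR):
    """Return {name: int} for each tunable readable under proc_dir;
    unreadable or non-numeric entries are skipped rather than failing."""
    values = {}
    for name in names:
        try:
            with open(os.path.join(proc_dir, name)) as fh:
                values[name] = int(fh.read().split()[0])
        except (OSError, ValueError, IndexError):
            pass
    return values

def audit(values):
    """Compare values against BASELINE. Returns a list of
    (parameter, current, expected, reason) for each violation; parameters
    absent from `values` are not judged."""
    ops = {"eq": lambda a, b: a == b, "ge": lambda a, b: a >= b, "le": lambda a, b: a <= b}
    findings = []
    for name, op, want, reason in BASELINE:
        if name in values and not ops[op](values[name], want):
            findings.append((name, values[name], f"{op} {want}", reason))
    return findings

if __name__ == "__main__":
    live = read_tunables([b[0] for b in BASELINE])
    values = live or FALLBACK_SNAPSHOT
    print("source:", "live /proc" if live else "constructed snapshot")
    for name, cur, want, reason in audit(values):
        print(f"{name}: {cur} (expected {want}): {reason}")
```

On the constructed snapshot the audit reports tcp_syncookies and tcp_max_syn_backlog; on a live host whatever it reports can be changed with sysctl, keeping in mind that a larger backlog only delays exhaustion while syncookies remove the per-SYN state that exhaustion depends on.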