Denial of Service Attacks

Milutinović Veljko
IEEE Fellow and Professor at the Faculty of Electrical Engineering, University of Belgrade, Serbia
vm@etf.bg.ac.yu
Milić Bratislav
Undergraduate student at the Faculty of Electrical Engineering, University of Belgrade, Serbia
zverko@eunet.yu
Savić Milan
Undergraduate student at the Faculty of Electrical Engineering, University of Belgrade, Serbia
savicm@net.yu
Jana Dittmann
Professor at the Fakultät für Informatik, Otto-von-Guericke-Universität Magdeburg
jana.dittmann@iti.cs.uni-magdeburg.de
Matthias Hemmje
Professor at the Institut für Informatik, Lehr- und Forschungseinheit Medieninformatik, Ludwig-Maximilians-Universität München
hemmje@informatik.uni-muenchen.de
Frederic Patriceli
Telecom Italia Learning Services
frederic.patricelli@ssgrr.it
Recently, the entire world has been experiencing problems with external attacks, and an important class of these attacks falls into the category of Denial of Service (DoS). Here we give a classification of methods, examples of attacks, a discussion of the tools available to defend against them, and comments about the future.
What is a Denial of Service Attack?
There has been a lot of talk about these attacks in the past, yet some people are still not completely clear about the notion of a denial of service attack. One of the most influential organizations in the area of security, CERT/CC, defines it as an "attack in which the primary goal is to deny the victim(s) access to a particular resource". It is a broad definition, and in the real world a Denial of Service attack can be carried out in various ways: changing configuration information so that some users are denied some services; internal attacks, in which a malicious user, thanks to some operating system weakness, can crash system processes, take large amounts of memory, or do anything else that prevents other users from doing their usual jobs; or taking and holding database connections, which prevents all other users from using the database.
Examples are numerous, but the ones mentioned so far are not really the attacks we want to talk about. All those examples have one thing in common: the attacker has access to the system that is being attacked. Therefore, if we can prevent attackers from gaining access to our systems, we need not fear such attacks.
Our interest here is only a subset of DoS attacks: attacks that are external and committed against web servers. We have a good reason for this. Those attacks are the most common and have the greatest impact on the whole Internet community.
One of the largest DoS attacks ever was committed in February 2000. It lasted for three days and targeted large sites like Amazon, e-Buy, CNN and Yahoo. During the attack, those sites were almost completely inaccessible. A study made by Keynote Systems showed that the whole Internet experienced a slowdown because of the traffic generated by the attacks; on the last day of the attack the slowdown was nearly 30%.
That was a prime example of a well-prepared and organized attack. However, it took a lot of effort for the attackers to develop tools that gave them such power.
Darwin was right!
Evolution theory seems to work not only for the living world, but also for DoS attacks. If we look at early DoS attacks and compare them with the later development of attacks, we can see all the important parts of evolution theory: new versions appear, some successful and some not; the successful ones are improved and incorporated into larger attack tools; occasionally, some completely new development shows up and all other parts of security systems must adapt to it in order to stop it.
Probably the first type of DoS attack did not even have a specifically made tool. It was the (in)famous "Ping of Death", which used a badly implemented ping command to send IP packets larger than 65536 bytes (the upper limit for an IP packet) and crash operating systems with a bad implementation of the TCP/IP layer, i.e. systems that could not handle such oversized packets. The solution for this attack was simple: a single patch for the operating system solved all the problems.
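The missing bounds check that the patch supplied, as an added example (not code from the paper): a fragment reassembler that refuses any fragment which would place bytes past the IP maximum. It assumes the 65535-byte IPv4 total-length limit and a 20-byte header, and works on constructed fragment tuples rather than captured packets.

```python
# Added example: reassembly with the bounds check that unpatched stacks lacked.
# Fragments are (offset8, more_fragments, payload); offset8 is the IP fragment
# offset in 8-byte units. MAX_PAYLOAD assumes a 20-byte IPv4 header.
MAX_PAYLOAD = 65535 - 20

def reassemble(fragments, max_payload=MAX_PAYLOAD):
    """Return the reassembled payload, None while fragments are still missing,
    and raise ValueError for a fragment that would write beyond max_payload."""
    buf = bytearray(max_payload)
    covered = bytearray(max_payload)      # one flag per byte, for the completeness check
    end = None
    for offset8, more, payload in fragments:
        start, stop = offset8 * 8, offset8 * 8 + len(payload)
        if stop > max_payload:            # the Ping of Death case: reject, do not write
            raise ValueError(f"fragment ends at byte {stop}, beyond the {max_payload}-byte limit")
        buf[start:stop] = payload
        covered[start:stop] = b"\x01" * len(payload)
        if not more:
            end = stop                    # last fragment fixes the datagram length
    if end is None or not all(covered[:end]):
        return None                       # last fragment missing, or a hole remains
    return bytes(buf[:end])

# Constructed fragments, not captured traffic.
NORMAL = [(0, True, b"A" * 8), (1, True, b"B" * 8), (2, False, b"C" * 4)]
INCOMPLETE = [(0, True, b"A" * 8), (2, False, b"C" * 4)]
# 8189 * 8 = 65512; a 100-byte payload there would end at 65612, past the IP maximum.
OVERSIZED = [(0, True, b"A" * 8), (8189, False, b"X" * 100)]

def classify(fragments):
    """Outcome of feeding a fragment set to the checked reassembler."""
    try:
        data = reassemble(fragments)
    except ValueError:
        return "rejected"
    return "complete" if data is not None else "incomplete"

if __name__ == "__main__":
    for name, frags in (("NORMAL", NORMAL), ("INCOMPLETE", INCOMPLETE), ("OVERSIZED", OVERSIZED)):
        print(name, classify(frags))
```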
The next generation of attack tools were the first applications written specifically for attacks. Techniques that were developed include:
- UDP flood: the attacker sends many UDP packets to the victim, taking part of, or even all of, the victim's bandwidth. Usually the attacker spoofs the source address, which makes tracing the attacker and stopping the flood much harder.
- SYN flood: the attacker sends many false TCP connection requests, which outnumber regular connection requests, so legitimate users have difficulty connecting to the attacked host. The attacked host also needs to resolve every such request and loses a lot of processing time on it.
- Smurf flood: the attacker uses IP's broadcast ability to send ICMP_ECHOREQUEST packets to intermediate networks. If an intermediate network allows broadcasting, all the hosts in it will send an ICMP_ECHOREPLY packet to the sender. The attacker alters the original request's source address: instead of the originating host's address, the attacker puts the address of the victim. The intermediate network is thus used as a traffic amplifier.
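What the SYN flood and Smurf patterns look like from the victim's side, as an added detection example (not code from the paper): it runs over constructed packet summaries and flags hosts that receive many never-completed SYNs, or echo replies from a whole network they never pinged. Thresholds and the packet-tuple layout are assumptions of the example.

```python
from collections import defaultdict

# Packet summaries are (src, dst, proto, info) tuples: for tcp, info is the flag
# string ("S" bare SYN, "A" ACK); for icmp, "echo-req" or "echo-rep".

def detect_syn_flood(pkts, threshold=20):
    """Hosts receiving SYNs from many sources that never send the handshake ACK."""
    syns, acks = defaultdict(set), defaultdict(set)
    for src, dst, proto, info in pkts:
        if proto == "tcp" and info == "S":
            syns[dst].add(src)
        elif proto == "tcp" and info == "A":
            acks[dst].add(src)
    return {dst for dst, srcs in syns.items() if len(srcs - acks[dst]) >= threshold}

def detect_smurf_victim(pkts, threshold=20):
    """Hosts receiving echo replies from many hosts of one /24 they never pinged,
    i.e. the address the attacker wrote as the spoofed source of the broadcast request."""
    pinged = defaultdict(set)                        # host -> hosts it sent echo-req to
    replies = defaultdict(lambda: defaultdict(set))  # victim -> /24 -> replying hosts
    for src, dst, proto, info in pkts:
        if proto == "icmp" and info == "echo-req":
            pinged[src].add(dst)
        elif proto == "icmp" and info == "echo-rep":
            replies[dst][src.rsplit(".", 1)[0]].add(src)
    victims = set()
    for dst, nets in replies.items():
        for hosts in nets.values():
            if len(hosts - pinged[dst]) >= threshold:
                victims.add(dst)
    return victims

# Constructed sample, not captured traffic: 30 spoofed SYNs to a web server plus one
# completed handshake, and 25 echo replies from one /24 to a host that pinged only one of them.
SAMPLE = (
    [(f"10.9.{i}.1", "192.0.2.10", "tcp", "S") for i in range(30)]
    + [("198.51.100.5", "192.0.2.10", "tcp", "S"), ("198.51.100.5", "192.0.2.10", "tcp", "A")]
    + [(f"203.0.113.{i}", "192.0.2.20", "icmp", "echo-rep") for i in range(1, 26)]
    + [("192.0.2.20", "203.0.113.1", "icmp", "echo-req"),
       ("192.0.2.30", "192.0.2.10", "udp", "53")]
)

if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE))    # {'192.0.2.10'}
    print("Smurf victims:", detect_smurf_victim(SAMPLE))     # {'192.0.2.20'}
```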
These new techniques gave the attackers an edge, but not for long. Knowledge on DoS attacks was collected, so administrators of attacked hosts were able to learn from others who had experienced DoS attacks. Technology improvements also decreased the effectiveness of attacks: high-speed links became available at reasonable prices.
Attackers had to change something. If a peer-to-peer (one-to-one) attack is not enough, a many-to-one attack should do it. That was the notion behind Distributed Denial of Service (DDoS) attacks.
DDoS attack tools are built to use DDoS networks: networks that consist of hundreds or thousands of compromised systems, all under the control of a single attacker. A typical DDoS network has three layers. The uppermost (client) layer is directly controlled by the attacker; it consists of a small number of machines, since the attacker controls them by hand. The client layer controls the middle (handler) layer. The handler layer gives the attacker an easy way of changing the set of lowest (agent) layer machines. The agent layer does the flooding. The flooding techniques are those already described: UDP flood, SYN flood and Smurf. The power of a DDoS attack lies in the huge number of hosts used for the attack and not in some new flooding technique. Using a peer-to-peer attack mechanism, the attacker would have to control every machine used in the attack by hand, but the architecture of a DDoS network provides control over thousands of machines with a single command. Several DDoS tools have been created so far: Trinoo, TFN/TFN2K, Stacheldraht, etc.
To make bad things worse, the source code of many DoS attack tools can easily be found on the Internet. In a small experiment, we were able to find fifteen different source codes using only Google. That provides an excellent base for new, improved versions of such tools. Even an attacker with moderate knowledge of programming and a basic understanding of TCP/IP can create very dangerous tools based on those sources.
How to defend?
Prepare and prevent. Although a lot of work has already been done in this area, there is no ultimate and quick solution.
Prevention should be done in two ways:
- Be prepared to respond quickly in case of an attack
- Do not become the source of an attack
If your network is being attacked, the damage will be substantially reduced if defense plans have already been made. An established chain of command with clearly divided responsibilities, together with good and reliable communication, is of great importance.
Nevertheless, no matter how good your organization is, experience shows that in the case of a large-scale DoS attack, good cooperation with the ISP (Internet Service Provider) is necessary. This applies to both small and large networks. In the case of small ones, it is obvious that such a network cannot afford many experienced, high-quality staff, so additional help in the case of an attack will be needed. On the other hand, large networks can afford numerous and well-trained staff, but to minimize the damage and reduce the duration of an attack, additional help is still needed. Don't forget: the larger the network is, the larger the financial loss will be if the network does not function properly.
Another very important aspect is preventing your network from becoming the source of an attack. An attack that originated from your network can bring a lot of bad publicity and, depending on the law in your country, can even get you taken to court.
The first and best solution for this is education. Educate both your administrators and ordinary users. Administrators must be educated continuously. We have recently seen an advertisement claiming that a person can become a certified system administrator in only eighteen days (the certificate is provided by a large and respectable company). We believe that a lot can be learned in eighteen days, but that is not enough. Such an administrator can, based on the certificate, get a responsible job that requires more knowledge and more experience, and in case of an attack (not only a DoS attack) he or she will not know what to do. Additional education together with gained experience is probably the best way to get excellent administrators.
Network staff must be motivated to do their jobs properly. To keep a system secure, appropriate patches must be applied on time; otherwise, attackers can easily compromise the system. The Honeynet experiment (project.honeynet.org) showed that out-of-the-box systems have a lifetime of between 24 and 72 hours (depending on the operating system) before they are compromised.
Ordinary users must be aware of security issues too. If users are reckless, administrators cannot do much, no matter how good they are. Every mail worm or Trojan horse that is activated by some user can destroy all the effort put into keeping the network secure.
So, what can your network administrator do to protect the computer systems in your network from becoming compromised victims of intruder attacks that will then serve as the basis for further DoS activity? To recognize attacks and intruders, Intrusion Detection Systems (IDS) are becoming more and more popular, especially in combination with firewall techniques such as Check Point FireWall-1 with INSPECT.
Based on experience of normal system activity and of existing attacks, an IDS tries to recognize potential hacking activity. The technology combines protocol functions with filter functions from different layers, such as the network or application layer, and from different points in the system itself; very often the firewall, as the single point of entry to the system, provides a lot of the traffic filtering. A distributed firewall concept is a very useful basis for DoS attack detection. IDS filtering is mainly based on observing normal system behaviour, distinguishing it from a chain of single activities, and concluding that a potential hacking incident is taking place.
The general IDS model consists of an Event Generator, a Detection Engine and an Activity Profile. Detection is performed by a Statistical Anomaly Detection or a Pattern Matching Detection approach. Security policies are the main requirement and precondition for configuring an IDS, and success in detecting DoS attacks depends on the design's ability to detect complex patterns from the filter functions, which is still an active research field.
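The three-part IDS model above, worked through as an added example (not code from the paper): constructed per-minute SYN counters stand in for the Event Generator, an Activity Profile is learnt from normal traffic, and a Detection Engine applies both a statistical anomaly test and a pattern-matching rule, so that a flash crowd and a SYN flood are told apart. The thresholds, the 3-sigma cut-off and the counter layout are assumptions of the example.

```python
import statistics

class ActivityProfile:
    """Baseline of normal behaviour: mean and standard deviation of SYNs per minute,
    learnt from constructed training counts rather than live traffic."""
    def __init__(self, syn_counts):
        self.mean = statistics.fmean(syn_counts)
        self.stdev = statistics.pstdev(syn_counts)

    def is_anomalous(self, syns, k=3.0):
        # Statistical anomaly detection: more than k standard deviations above the mean.
        return syns > self.mean + k * self.stdev

def pattern_match(event):
    """Pattern matching detection: many SYNs that mostly never complete the handshake,
    arriving from an unusually large number of distinct sources (thresholds assumed)."""
    return event["syn"] >= 200 and event["ack"] < event["syn"] * 0.5 and event["sources"] >= 100

class DetectionEngine:
    def __init__(self, profile):
        self.profile = profile

    def evaluate(self, event):
        """Return the list of detectors that fired for one event."""
        reasons = []
        if self.profile.is_anomalous(event["syn"]):
            reasons.append("anomaly")
        if pattern_match(event):
            reasons.append("pattern")
        return reasons

# Constructed Event Generator output: per minute, SYNs seen, handshakes completed by an
# ACK, and distinct source addresses. TRAINING is the quiet period the profile learns from.
TRAINING = [48, 52, 50, 47, 55, 49, 51, 53, 50, 45]
EVENTS = [
    {"minute": 1, "syn": 51, "ack": 50, "sources": 30},    # normal
    {"minute": 2, "syn": 140, "ack": 135, "sources": 40},  # volume anomaly, handshakes complete
    {"minute": 3, "syn": 900, "ack": 40, "sources": 850},  # SYN flood: both detectors fire
]

def run(events=EVENTS, training=TRAINING):
    """Map each minute to the detectors that fired."""
    engine = DetectionEngine(ActivityProfile(training))
    return {e["minute"]: engine.evaluate(e) for e in events}

if __name__ == "__main__":
    print(run())   # {1: [], 2: ['anomaly'], 3: ['anomaly', 'pattern']}
```

Minute 2 fires only the anomaly test, the case a security policy has to decide on (block or merely alert), while minute 3 matches the SYN flood pattern as well.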
Conclusion
Similar to other fields of computer security, there is no ultimate solution for DoS attacks. Defenses are constantly improving, but so are the attack tools. Yet some improvements have been made. With increased care for network security, attackers are forced to seek their victims among smaller networks and home users, which reduces the impact of attacks. Work still has to be done to convince users to apply patches and update their systems frequently. Attackers are using very common security flaws to compromise systems, so a recently patched and updated system will not become their prey. Increased awareness of the DoS attack threat has created a lot of data on such attacks, so in the case of an attack, people can share others' experiences and reduce the impact of the attack.