Denial of Service Attacks



Denial of Service (or DoS for short) attacks are a kind of attack against computers connected to the Internet. DoS attacks exploit bugs in a specific operating system or vulnerabilities in TCP/IP implementations. Unlike a privacy attack, where an adversary is trying to get access to resources to which it has no authorization, the goal of a DoS attack is to keep authorized users from accessing resources. The affected computers may crash or disconnect from the Internet. In some cases the attacks are not very harmful, because once you restart the crashed computer everything is on track again; in other cases they can be disasters, especially when you run a corporate network or ISP.

On this page, you will find many useful and helpful links which not only give you a general introduction to DoS attacks, but also present specific types of DoS attacks and their possible solutions. But let's start with some introductory pages to familiarize you with DoS attacks.

An introductory article from CERT/CC. The advice from CERT is always reliable, and this article gives you a very clear definition and description of the DoS attack.

Chapter 11 of John Howard's dissertation, An Analysis Of Security Incidents On The Internet, gives a formal discussion of DoS attacks. This is a very good reference on DoS attacks, but you need to have some patience.

This article in PC Magazine by Jeff Downey is much easier to read than the previous dissertation. It gives you a clear description of several famous types of DoS attacks, and visualizes the attacks with some charts.

This page from also gives a good introduction and information on specific DoS attacks.

If you just want a quick overview of the DoS attacks, this summary by Roman Markowski at Tango Group Internal Technology Seminars might serve your need well.

Here is a short report I wrote about Denial of Service attacks.


Types of DoS attacks

According to the article, DoS attacks can be roughly divided into OS-related attacks and networking-related attacks. For OS-related attacks, Windows 95/NT and older MacOS are vulnerable, but most vendors of operating systems have fixed the problem in their latest versions. The vendors also provide patches for their vulnerable OS. For networking-related attacks, as pointed out in Steven Bellovin's famous paper "Security Problems in the TCP/IP Protocol Suite", there are many security holes which an adversary can exploit to launch a DoS attack; SYN flooding is a good example. You can find information on common DoS attacks in the following list.

Bonk/boink/newtear/teardrop2 is an attack resulting in a blue-screen freeze and crash.

Ping of Death is an attack taking advantage of a known bug in TCP/IP implementations. The attacker uses the ping system utility to make up an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. Systems may crash or reboot when they receive such an oversized packet. An introduction to Ping of Death can be found in CERT Advisory CA-96.26.

Teardrop is an attack exploiting a weakness in the reassembly of IP packet fragments. The attacker creates a sequence of IP fragments with overlapping offset fields. Some systems will crash or reboot when they try to reassemble the malformed fragments. A quick look can be found in this page on ZDNet.

SYN flooding is an attack exploiting the three-way handshake of TCP. The attacker sends the targeted system a flood of SYN packets with spoofed source addresses, until the targeted system uses up all slots in its backlog queue. An introduction to SYN flooding can be found in CERT Advisory CA-96.21.

Land is very similar to SYN flooding. The adversary floods SYN packets into the network with a spoofed source IP address of the targeted system. Here is a notice about the Land attack from Cisco.

Smurf is a new kind of DoS attack. A smurf attacker cripples your router with ICMP echo request packets. Craig Huegen wrote a good article about the smurf attack, and this article on ZDNet gives you a quick look at smurf.

Snork is an attack against the Windows NT RPC service. It allows an adversary with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time. Here is an article about the snork attack.
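Ping of Death and Teardrop, described above, both depend on a receiver that trusts the fragment offset and length fields during reassembly. The following is an added example, not part of the original page or any vendor's code, showing the sanity checks a reassembly routine or packet filter can apply before copying fragment data. The Fragment record, the 20-byte header assumption and the sample fragments are constructed for illustration.

```python
from collections import namedtuple

# One received IPv4 fragment of a single datagram (same IP ID).
# offset: Fragment Offset header field, in units of 8 bytes
# length: payload bytes carried by this fragment
# more:   the More Fragments (MF) flag
Fragment = namedtuple("Fragment", "offset length more")

MAX_DATAGRAM = 65535  # IPv4 Total Length is a 16-bit field
IP_HEADER = 20        # assumption: header without options

def check_fragments(frags):
    """Return (kind, start_byte) findings for one datagram's fragments."""
    findings = []
    prev_end = 0
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + f.length
        # Ping of Death: the reassembled datagram would not fit in the
        # 16-bit length, so a fixed-size reassembly buffer would overflow.
        if IP_HEADER + end > MAX_DATAGRAM:
            findings.append(("oversize", start))
        # Teardrop: this fragment begins inside data already covered,
        # which leads naive code to compute a negative copy length.
        if start < prev_end:
            findings.append(("overlap", start))
        prev_end = max(prev_end, end)
    return findings

# Constructed samples.
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True),
          Fragment(370, 40, False)]
OVERSIZE = [Fragment(0, 1480, True), Fragment(8189, 1000, False)]
OVERLAP = [Fragment(0, 40, True), Fragment(3, 4, False)]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("oversize", OVERSIZE),
                         ("overlap", OVERLAP)):
        print(name, check_fragments(sample) or "ok")
```

A datagram with any finding should be dropped whole rather than partially reassembled.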


Real cases of DoS attacks

DoS attacks are very common, but they are no joking matter. According to the National Information Infrastructure Protection Act of 1996, they can be a serious federal crime. So amateur hackers, don't play this game. The links in this section lead you to several real-world cases of DoS attacks.

Morris Worm, written by Robert Morris, a Cornell University CS graduate student, and launched on Nov. 2, 1988, was the first DoS attack of significance. This worm was said to have taken some 5000 machines out of commission for several hours. RFC 1135 provides a deep discussion of this incident. This page gives you links to related papers, and this article by Ira Winkler discusses some lessons we may learn from the incident.

Here is a story about how a DoS attack was launched in March 1998 against several U.S. government and university servers, and how the attack was handled. Here is the description of how the NIH network suffered from a DoS attack in that incident.

Here is an FBI report on how the famous Melissa virus resulted in a denial of service on some networks.

An article in TIME magazine tells you a story of how several young hackers hit the FBI with a massive DoS attack and how they were caught, and discusses the problem of cybergangs.

Chapter 12 of John Howard's dissertation, An Analysis Of Security Incidents On The Internet, gives an estimate of the total number of DoS incidents that happened between 1989 and 1995.


Explored solutions

Most OS-related DoS attacks can be solved by patches. Patches are small programs developed by vendors to fix the problem. A common protection against networking-related attacks is setting up a firewall. There are also some other proposed techniques against networking-related attacks.

From this page you can find some patches for Windows 95 and Windows NT.

To learn more about firewalls, this FAQ and this FAQ are good starting points. Newsgroups like and also provide you with useful information.

RFC 2267 discusses how to defeat DoS attacks by filtering IP packets with spoofed source addresses. However, this method is not 100% effective because the attacker can always choose an address which represents a down or unreachable machine.

SYN cookies is a method using cryptographic techniques to protect the system against SYN flooding attacks. It seems to work well and is now a standard part of Linux.


Related books

For further information on DoS attacks, you can refer to the books listed below.

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, Second Edition, by Anonymous, published by SAMS, Sep. 1998. This book gives you a very practical guide and detailed information on many kinds of DoS attacks, and covers many other security related issues. An excellent reference for system administrators.

Hacking Exposed: Network Security Secrets and Solutions, by Stuart McClure, Joel Scambray, George Kurtz, published by McGraw-Hill, Sep. 1999. This is a new book just off the press, and as it claims, it points out security holes in different systems, and tells you how to apply countermeasures. It also provides information on how to improve your firewalls.

Practical Unix & Internet Security, by Simson Garfinkel and Gene Spafford, published by O'Reilly & Associates, Apr. 1996. This book devotes a whole chapter to DoS attacks, but the range of examples does not cover Windows OS. Also some information in the book is outdated. However, it is still a valuable reference for Unix system administrators.


This page is maintained by Chin-Tser Huang (
Last updated: Nov. 30, 1999