In this page, you will find many useful and helpful links which not only give you a general introduction to DoS attacks, but also present you specific types of DoS attacks and their possible solutions. But let's start with some introductory pages to familiarize you with DoS attacks.
An introductory article from CERT/CC. The advice from CERT is always reliable, and this article gives you a very clear definition and description of the DoS attack.
Chapter 11 of John Howard's dissertation, An Analysis Of Security Incidents On The Internet, gives a formal discussion of the DoS attacks. This is a very good reference of DoS attack, but you need to have some patience.
This article on PC magazine by Jeff Downey is much easier to read than the previous dissertation. It gives you clear description of several famous types of DoS attacks, and visualizes the attacks with some chart.
This page from www.irchelp.org also gives a good introduction and information on specific DoS attacks.
If you just want a quick overview of the DoS attacks, this summary by Roman Markowski at Tango Group Internal Technology Seminars might serve your need well.
Here is a short report I wrote about Denial of Service attacks.
Back to top
Bonk/boink/newtear/teardrop2 is an attack resulting in blue screen freeze and crash.
Ping of Death is an attack taking advantage of a known bug in TCP/IP implementation. The attacker uses the ping system utility to make up an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. Systems may crash or reboot when they received such an oversized packet. An introduction of Ping of Death can be found in CERT Advisory CA-96.26.
Teardrop is an attack exploiting a weakness in the reassembly of IP packet fragments. The attacker creates a sequence of IP fragments with overlapping offset fields. Some systems will crash or reboot when they are trying to reassemble the malformed fragments. A quick look can be found in this page on ZDNet.
SYN flooding is an attack exloiting the three-way handshaking of TCP. The attacker sends the targeted system a flood of SYN packets with spoofed source address, until the targeted system uses up all slots in its backlog queue. An introduction of SYN flooding can be found in CERT Advisory CA-96.21.
Land is very similar to SYN flooding. The adversary floods SYN packets into the network with a spoofed source IP address of the targeted system. Here is a notice about Land attack from Cisco.
Smurf is a new kind of DoS attack. A smurf attacker cripples your router with ICMP echo request packets. Craig Huegen wrote a good article about smurfing attack, and this article on ZDNet gives you a guick look at smurf.
Snork is an attack against Windows NT RPC service. It allows an adversary with minimal resources to cause a remote NT system to consume 100% CPU Usage for an indefinite period of time. Here is an article about snork attack.
Back to top
Morris Worm, written by Robert Morris, a Cornell University CS graduate student, and launched on Nov. 2, 1988, was the first DoS attack of significance. This worm was said to cause some 5000 machines taken out of commission for several hours. RFC 1135 provides a deep discussion of this incident. This page gives you links to related papers, and this article by Ira Winkler discusses some lessons we may learn from the incident.
Here is a story about how a DoS attack was launched in March 1998 against several U.S. government and university servers, and how the attack was handled. Here is the description of how the NIH network suffered from DoS attack in that incident.
Here is an FBI report on how the famous Melissa virus resulted in a denial of service on some networks.
An article on TIME magazine tells you a story of how several young hackers hit FBI with a massive DoS attack and how they were caught, and discusses the problem of cybergang.
Chapter 12 of John Howard's dissertation, An Analysis Of Security Incidents On The Internet, gives an estimate of the total number of DoS incidents happened between 1989 and 1995.
Back to top
From this page you can find some patches for Windows 95 and Windows NT.
To learn more about firewalls, this faq and this faq are good starting points. News groups like comp.security.firewalls and comp.security.misc also provide you useful information.
RFC 2267 discusses how to defeat DoS attacks by filtering IP packets with spoofed source address. However this method is not 100% effective because the attacker can always choose an address which represents a down or unreachable machine.
SYN cookies is a method using cryptographic techniques to protect the system against SYN flooding attacks. It seems working well and is now a standard part of Linux.
Back to top
Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, Second Edition, by Anonymous, published by SAMS, Sep. 1998. This book gives you a very practical guide and detailed information on many kinds of DoS attacks, and covers many other security related issues. An excellent reference for system administrators.
Hacking Exposed: Network Security Secrets and Solutions, by Stuart McClure, Joel Scambray, George Kurtz, published by McGraw-Hill, Sep. 1999. This is a new book just out of press, and as it claims, it points out security holes in different systems, and tells you how to apply countermeasures. Provide information on how to improve your firewalls.
Practical Unix & Internet Security, by Simson Garfinkel and Gene Spafford, published by O'Reilly & Associates, Apr. 1996. This book devotes a whole chapter to DoS attacks, but the range of examples does not cover Windows OS. Also some information in the book is outdated. However, it is still a valuable reference for Unix system administrators.
Back to top