DOS attacks are difficult to protect against because you can never totally eliminate the threat. If you are connected to the Internet, there is always the chance that an attacker may send you more data than you are able to process. You can minimize the threat by increasing your bandwidth; however, an attacker can always use additional resources to flood your network.
Let’s look at another example. You come home from work and you live on a cul-de-sac, which means there is only a single road to get to your house, and there is currently a truck blocking that road. Very easily, someone has just launched a Denial of Service attack, denying you access to your house. One way to protect against this attack is to build a second road, so you have an alternate route to your house. First, this is very expensive, and second, it does not completely eliminate the threat. Now, someone could just get two trucks and block both roads. You could then build a third road, but they could still block that route. The bottom line is that there are things that can be done to minimize the threat, but if an attacker has enough time and resources, he can still be successful.
Now that we understand what Denial of Service attacks are and why they are such an insidious threat, let’s look at several known DOS exploits.
Description of Exploits
At this point in the book, we are starting to address different exploits in detail. In going over how exploits work, and what can be done to prevent exploits from damaging your systems, I have created a general format that is used throughout the remainder of the book. The following is an outline of the format and a brief description of each item.
Exploit Details
• Name: Name of exploit
• Variants: Name of different variants of the exploit
• Operating System: OSs impacted
• Protocols/Services: Protocols or services the exploit uses
Protocol Description
This section gives a brief description of the protocol the exploit uses. In most cases, to understand the exploit, you need to understand the protocol’s strengths and weaknesses.
Detailed Description
After the foundation information is described, a detailed description of the exploit is covered.
How the Exploit Works
This section describes how the exploit works and why it is able to exploit the feature in the protocol or application program.
Diagram
This section provides a typical diagram of how the exploit would work on a network.
How to Use It
This section shows the programs used to exploit the vulnerability and how to use them.
Signature of the Attack
This section shows you what to look for if you are trying to detect or block the attack.
How to Protect Against It
This provides a description of what can be done to patch the protocol or how a company can protect itself.
Source Code/Pseudo Code
This section provides links to where the source code can be found and a brief listing and description of the pseudo code. Source code is the actual code that someone compiles to run the exploit.
Because source code is sometimes hard to read, pseudo code is a description of what the code does and is easier to follow.
Additional Information
This section provides resources for additional information.
Types of Denial of Service Attacks
At this point, we understand what a DOS attack is and why such attacks are so difficult to protect against. Now let’s look at several types of DOS attacks to get a better idea of how they work. The following are the exploits we explore in this chapter:
• Ping of Death
• SSPing
• Land
• Smurf
• SYN Flood
• CPU Hog
• Win Nuke
• RPC Locator
• Jolt2
• Bubonic
• Microsoft Incomplete TCP/IP Packet Vulnerability
• HP Openview Node Manager SNMP DOS Vulnerability
• Netscreen Firewall DOS Vulnerability
• Checkpoint Firewall DOS Vulnerability
Some of these attacks have been around for a while; however, they are included because they cover very important concepts of how DOS attacks work, and they give you an idea of the range of services or protocols that can be attacked to cause a Denial of Service. For example, the exploit Ping of Death is covered because it is one of the “classic” DOS attacks, and it shows how simple an attack can be. Others, such as smurf, have been around for a while, but they are still widely used, for example in the DDOS attacks that occurred in February of 2000.
This is not meant to be a complete list, because new Denial of Service attacks are coming out daily; however, it is meant to show you the wide range of attacks that exist. Now, let’s start covering each exploit in detail.