During the release of a new software product specialized to track spam, ACME Software Inc noticed that there was not as much traffic as they hoped to receive. During further investigation, they found that they could not view their own website. At that moment, the VP of sales received a call from the company's broker stating that ACME Software Inc stock fell 4 points due to lack of confidence. Several states away, spammers didn't like the idea of lower profit margins due to an easy to install spam blocking software, so they thought they would fight back. Earlier that day, they took control of hundreds of compromised computers and used them as DoS zombies to attack ACME Software Inc's Internet servers in a vicious act of cyber assault. During an emergency press conference the next morning, ACME Software Inc's CIO announced his resignation as a result of a several million dollar corporate loss.

Scenarios like the one above happen more often than people think and are more costly than most will admit. Denial of Service (DoS) attacks are designed to deplete the resources of a target computer system in an attempt to take a node off line by crashing or overloading it. Distributed Denial of Service (DDoS) is a DoS attack that is engaged from many different locations. The most common DDoS attacks are instigated through viruses or zombie machines. There are many reasons that DoS attacks are executed, and most of them are out of malicious intent. DoS attacks are almost impossible to prevent if you are singled out as a target. It's difficult to tell the difference between a legitimate packet and one used for a DoS attack.

The purpose of this article is to give the reader with basic network knowledge a better understanding of the challenges presented by Denial of Service attacks, how they work, and ways to protect systems and networks from them.

Instigation:

Spoofing - Falsifying an Internet address (known as spoofing) is the method an attacker uses to fake an IP address. This is used to reroute traffic to a target network node or to deceive a server into identifying the attacker as a legitimate node. When most of us think of this approach to hacking, we think of someone in another city essentially becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker can take over your Internet identity in this fashion is to blind spoof. This means that the impostor knows exactly what responses to send to a port, but will not get the corresponding response since the traffic is routed to the original system. If the spoofing is designed around a DoS attack, the internal address becomes the victim. Spoofing is used in most of the well-known DoS attacks. Many attackers will start a DoS attack to drop a node from the network so they can take over the IP address of that device. IP Hijacking is the main method used when attacking a secured network or attempting other attacks like the Man in the Middle attack.

SYN Flood - Attackers send a series of SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session set up. Instead of responding with an ACK, the attacker responds with another SYN to open up a new connection. This causes the connection queues and memory buffer to fill up, thereby denying service to legitimate TCP users. At this time, the attacker can hijack the system's IP address if that is the end goal. Spoofing the "source" IP address when sending a SYN flood will not only cover the offender's tracks, but is also a method of attack in itself. SYN Floods are the most commonly used DoS in viruses and are easy to write. See

Smurf Attack - Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, using a fake source address. The "source" or spoofed address will be flooded with simultaneous replies (see CERT Advisory CA-1998-01). This can be prevented by simply blocking broadcast traffic from remote network sources using access control lists.

Fraggle Attack - This type of attack is the same as a Smurf attack except using UDP instead of TCP. By sending UDP echo (ping) traffic to IP broadcast addresses, the systems on the network will all respond to the spoofed address and affect the target system. This is a simple rewrite of the Smurf code. This can be prevented by simply blocking broadcast traffic from remote IP addresses.

Ping of Death - An attacker sends illegitimate ICMP (ping) packets larger than 65,536 bytes to a system with the intention of crashing it. These attacks have been outdated since the days of NT4 and Win95.

Teardrop - Otherwise known as an IP fragmentation attack, this DoS attack targets systems that are running Windows NT 4.0, Win95, and Linux up to 2.0.32. Like the Ping of Death, the Teardrop is no longer effective.

Application Attack - These are DoS attacks that involve exploiting an application vulnerability, causing the target program to crash or restart the system. Kazaa and Morpheus have a known flaw that will allow an attacker to consume all available bandwidth without being logged. See

IIS 5 SSL also has an easy to exploit vulnerability. Most exploits like these are easy to find on the Internet and can be copied and pasted as working code. There are thousands of exploits that can be used to DoS a target system/application. See

Worms, and Antivirus - Yes, Antivirus. There are too many cases where the antivirus configuration is wrong or the wrong edition is installed. This lack of foresight causes an unintentional DDoS attack on the network by taking up valuable CPU resources and bandwidth. Viruses and worms also cause DDoS attacks by the nature of how they spread. Some purposefully attack an individual target after a system has been infected. The Blaster worm, which exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135, is a great example of this. Blaster targeted Microsoft's Windows Update site by initiating a SYN FLOOD. Because of this, Microsoft decided to no longer resolve the DNS for 'windowsupdate.com'.

DoS attacks are impossible to stop. However, there are things you can do to mitigate the potential damage they may cause to your environment. The main thing to remember is that you always need to keep up-to-date on the newest threats.

Mitigation:

Antivirus software - Installing antivirus software with the latest virus definitions will help prevent your system from becoming a DoS zombie. Now, more than ever, this is an important feature that you must have. With lawsuits so prevalent, not having the proper protection can leave you open to downstream liability.

Software updates - Keep your software up to date at all times. This includes antivirus, email clients, and network servers. You also need to keep all network operating systems installed with the latest security patches. Microsoft has done a great job of making these patches available for their Windows distributions. Linux has been said to be more secure, but the patches are far more scarce. RedHat is planning on incorporating the NSA's SE Linux kernel into future releases. This will give Mandatory Access Control (MAC) capabilities to the Linux community.

Network protection - Using a combination of firewalls and Intrusion Detection Systems (IDS) can cut down on suspicious traffic and can make the difference between a logged annoyance and your job. Firewalls should be set to deny all traffic that is not specifically designed to pass through. Integrating an IDS will warn you when strange traffic is present on your network. This will assist you in finding and stopping attacks.

Network device configuration - Configuring perimeter devices like routers can detect and in some cases prevent DoS attacks. Cisco routers can be configured to actively prevent SYN attacks starting in Cisco IOS 11.3 and higher using the TCP intercept command in global configuration mode.

    access-list number {deny | permit} tcp any destination destination-wildcard
    ip tcp intercept list access-list-number
    ip tcp intercept ?    (will give you a good list of other options)

Cisco routers can prevent Smurf and Fraggle attacks by blocking broadcast traffic. Since Cisco IOS 12.0, this is the default configuration. ACLs, or access control lists, should also be configured on all interfaces.

    no ip directed-broadcast

The Cisco router can also be used to prevent IP spoofing.

    ip access-group list in interface
    access-list number deny icmp any any redirect
    access-list number deny ip 127.0.0.0 0.255.255.255 any
    access-list number deny ip 224.0.0.0 31.255.255.255 any
    access-list number deny ip host 0.0.0.0 any

See

Improving Security on Cisco Routers - Cisco IOS versions are vulnerable to several DoS attacks. The "Black Angels" wrote a program called Cisco Global Exploiter. This is great software to use when testing the security of your Cisco router version and configuration and can be found at

is not as mystical as people believe. DoS attacks come in many different types and can be devastating if you don't take the proper precautions. Keep up to date and take steps to secure network nodes. Keeping security in mind can minimize damages and downtime, and save your career.

Security Resources:
Black Angels:
Cisco:
Microsoft:
Forum of Incident Response and Security Teams:
SANS Institute:

Jeremy Martin CISSP, ISSMP, ISSAP, CEI, CEH, CHS-III, CCNA, Network+, A+
of:
BECCA - Business Espionage Controls & Countermeasures Association
ISACA(R) - Information Systems Audit and Control Association
(ISC)² - International Information Systems Security Certification Consortium
ISSA - Information Systems Security Association.