Network Denial of Service Attacks. Can you hack it?

These days there are significant increases in network-based attacks and among them is the dreaded Denial-of-Service attack, which can leave your systems either unusable or unreachable. Although these attacks don’t make the news as often as they did when Yahoo.com was taken down by a massive Distributed Denial of Service attack, they are still prevalent.

This article will discuss who launches them, why they are successful, the types of attacks used and which ones are more threatening than others. This article will also show you protocol fundamentals, decodes, hardening and detection techniques and was to protect yourself from potential threat.

Common Reasons why Hackers can do what they do best
Here are some common reasons why Hackers are able to penetrate:

• Attackers (also known as Hackers or Crackers) have more and more accessibility to networks as networks grow more rapidly, many organizations do not have the staff to concentrate on doing just security. Many times it is a collateral duty… and only becomes a priority after the attack has been discovered.
• There are a growing number of organizations connected to networks or connecting their networks to others. B2B is still a big deal and without proper protection (many go on the trust factor), you are connecting your network to a potential threat.
• Vulnerability is growing by leaps and bounds… as more networks grow, connect and have limited untrained staff, it becomes easier and easier to penetrate networks unscathed. (Do you see a pattern growing here?)
• Most networks have not implemented spoof prevention filters, IDS systems, or firewalls. Hell, many networks haven’t stayed on service pack levels known to allow hackers to exploit systems. Many Business IT staffs haven’t taken the time to properly harden what systems they have either.

With all this said, it is a wonder that attackers have a “field day” with most networks that are left unprotected. Lets look at more info on why DoS attacks are so prevalent. A DoS (or Denial of Service) attack is a simple attack that will prevent a user from using resources on the network or establishing a network connection.

Common denial of service attacks

Buffer Overflow Attack:

• The Buffer overflow attack is by far the most common attack performed to achieve a DoS.
• A Buffer is simply an area where data is stored (memory) while processing other data. If I send 5 requests to a PC, the NIC card will process one at a time while the other 4 are buffered waiting to be processed. Although this is a very simple description, it is how most software and hardware components work to be able to handle the amount of traffic that may be coming its way to be processed.
• Buffer overflows are achieved by sending more data to a device than it can handle, most likely because the makers and programmers of the device did not anticipate a weakness of this kind, and (of course) hackers were able to exploit it.
• Many times, a hacker will use one of many types of attacks or some in tandem. These attacks can be either oversized Ping packets using ICMP to the receiving host or by sending e-mails to hosts that have attachments using 256-character file names. There are others, but these are the most common.
• In Figure 1 you can see that it is pretty easy to create a larger packet size, but even more interesting is if you launch this from a Cisco Router.

Figure 1: Using Ping.exe to send larger packets to a host
Click Here to see Figure 1

• The easiest way to bring hosts down even quicker is by launching an attack of this nature from multiple machines… hence a distributed DoS attack.
• A good way to prevent this type of attack is also by having attack “aware” devices that will drop connections or packets from host sending more than a certain amount of pings or by disabling ICMP altogether.

SYN Attack:

• The use of the TCP protocol is impossible to get away from. The entire world runs on TCP/IP and the way TCP works with “Hand shaking,” is basically unavoidable.
• TCP is a connection-oriented, reliable protocol, which utilizes a three-way handshake. A handshake is the exchange of “control” information between two computers and this information enables the computers to determine which packets go where and ensures that the other computer has received the information in a message, hence reliability!
• When a session is initiated between the one host and another host, there is a rapid “hand-shaking” exchange of messages that sets up the session and this exchange must utilize a small buffer space.
• When the session establishment is initiated, there are packets exchanged using a SYN field and this will be used to identify a sequence. I sniffed a packet and in figure 2, you can see what I am talking about:

Figure 2: The SYN field in use in a TCP Header
Click Here to see Figure 2

• The session-establishing packets include a SYN field that identifies the sequence in the message exchange and you can also see the sequencing numbers in the TCP header in figure 2.
• A Hacker could send a massive number of connection “requests” rapidly and then always fail to respond to the “reply” and this will leave the first packet in the buffer space, which will disallow more connections.
• After a certain period of time, the first packet in will be dropped, but think about the problems here is this is repeated over and over again – you will see a DoS attack occur because it will be hard for new sessions to become established.
• You can fix this problem via the operating system by hot fix, service pack or tuning the system to increase the buffer size.
• Q142641 and Q296692 will show you (in great detail) how a Windows 2000 server gets hit with a SYN attack and how to tweak the box to prevent it. This is a great read and highly recommended.
• You can try to Verify Your Microsoft Windows Computer is Under a SYN Attack by using the following from a command prompt: netstat -n -p tcp
• This command will allow you to see connections in the “SYN_RECEIVED” state

LAND Attack:

• A LAND attack is another common DoS attack that interrupts service on TCP/IP based hosts. We just covered using SYN with TCP so let’s look at another SYN based DoS issue.
• You may see slow operation on your Windows Servers if you start getting “spoofed” connection requests using SYN packets.
• The LAND attack occurs when a Hacker sends SYN packets with an identical source and destination IP addresses and the identical source and destination ports to a host computer.
• The Hacker is trying to get the host to “respond to itself” and tie up all processing with the excessive responses.
• Q165005 will show you where to get a fix for this problem if you are the victim of a LAND attack. Systems that are vulnerable are Windows95, Windows NT 4.0, Windows 3.11, and FreeBSD. You can visit this link to find how Hackers make code to perform this exploit: Click Here and you can visit a link on ways to detect it here: Click Here

Teardrop Attack:

• A teardrop attack is another DoS based attack that will exploit a functionality of TCP/IP. IP uses fragmentation so it can break down a packet that is too large for a host (usually a router) to handle. PC and Servers will also use fragmentation as well as you will see with Windows Servers being prone to this type of attack.
• The way fragmentation is seen (as in figure 3), is that the IP Header will allow fragmentation if required. The fragment packet will identify an offset (as seen in the figure) to the beginning of the first packet that enables the entire packet the ability to be reassembled by the host receiving the packet.

Figure 3: Viewing fragmentation in an IP Header
Click Here to see Figure 3

• When a Hacker performs the teardrop attack, they can put a confusing offset value in the second fragment or a later fragment. This attack will of course create a DoS so bad, it often results in a system hang, crash or BSOD.
• To detect teardrops and prevent them, you can visit a few links to show you more detailed information. To detect the attack visit this link: Click Here and you can also view TechNet article Q179129 for more detailed information on Windows based teardrop attacks and how to protect your systems.

Smurf Attack:

• A Smurf attack is not a bunch of those little blue things trying to grab your wallet J, but yet another DoS attack to exploit your system.
• A Smurf attack is when an attacker will send ICMP based ping packet to a host. (You must know how ICMP works in order to understand this attack.)
• If you view figure 4, you can see that ICMP Echo is being used. The ICMP (Internet Control Message Protocol) is used to perform messaging to give you errors and other useful information like “Destination unreachable”. The way you can use it to find connectivity information is with ping and you can do the following:
• 1. An ICMP echo request packet is sent to a machine
• 2. If a machine receives that packet, that machine will return an ICMP echo reply packet
• 3. In figure 4, the Type = 8 so that means it’s an ECHO, where if it was a Type = 0, then it would be an ECHO reply
• These are the fundamentals you will need to understand before you understand the Smurf attack.

Figure 4: Viewing the ICMP Header
Click Here to Figure 4

• If you also know how Unicast (one host) and Broadcast (All hosts) packets function then you are ready to understand the Smurf attack. Attackers use an ICMP ECHO request which is directed to broadcast addresses. An attacker uses another machine to launch the attack and when all the hosts respond back to the ICMP ECHO requests, then the ECHO replies are all sent to a victim machine like a web server.
• The attacker wants a result of tons of ping replies flooding the host they intend to exploit. This attack causes a DoS.
• On a side note, it’s very difficult to stop Smurfing attacks. You see that the attacker exploits a function of the ICMP protocol and unless you block or filter it, then it is difficult to stop. One way to stop it is if you use operating systems that are aware of flooding with ICMP, and will begin to drop the packets or block the connection.
• Smurfing”: Amplified Network-based Denial of Service Attack is a white paper that discuses Smurfing.

Other forms of DoS:

• This may sound ridiculous, but it is very possible to put an ACL on a router or firewall and block yourself from a resource (which is a denial of service) or something as simple as running a program that eats up the resources in your machine and thus kills is functionality or responsiveness.
• In this day and age, you are simply insane to not use Antivirus software. What’s more, you must update the virus engines and definitions constantly to make sure you are always up to date. Viruses can cause your system(s) denial of service depending on the type and complexity of the virus on question.
• Also, be aware of DoS attacks by someone physically removing or cutting a cable or removing a device from your network (like theft). Although this also sounds ludicrous, it happens and you should at least be aware of it.

How to prevent your network from being the source of the attack

Although each scenario is going to be different, here are some things you can do to make sure your network is somewhat secured from DoS attacks:

• Harden your operating system security. Article Q315669 which is titled “HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000” will show you some tricks you can use especially for internet accessible systems. You can also view this TechNet article which will show you more Registry tweaks to harden your Microsoft Systems: Registry Tweaks
• If you have a home PC, make sure you keep your Virus definitions up to date, apply some type of Personal firewall software to your PC or Laptop especially if you have a internet connection that is always on and not a dial up.
• Make sure you are mindful of what you download and run on your PC. You can install a program from the Internet and that is how your PC becomes a “slave” for an attacker to launch a DDoS or distributed DoS attack from yours and many others’ PCs.
• On a production network you can apply filters and Intrusion Detection software, firewalls and monitoring equipment. Check logs frequently.
• Make sure you educate your end users. In my company, I make sure I send out periodical emails and newsletters (very brief) just to remind users what they should and shouldn’t do as far as downloading things the security programs and devices may have missed.

Do your homework… knowledge is power. Remember, the only way to stop a Hacker is to think like one. Make use of the following resources you can learn more about why protocols function the way they do.

More Resources for Information:

In Sum:
In sum, you will most likely not be able to prevent everything from happening but keeping a good security posture will prevent most of these attacks, and/or alert you to the fact that they may be occurring. Be aware, and make sure you take a proactive stance on security engineering, administration and management.

This article originally appeared at cramsession.com.

Robert J. Shimonski has numerous certifications and is a Lead Network and Security Engineer for a major manufacturing company. Robert’s specialties include network infrastructure design, security design, and network management and troubleshooting using many products including firewalls and multiple Cisco products. Robert is the author of many security-related articles and published books, including the Sniffer Network Optimization and Troubleshooting Handbook and the upcoming Security+ Study Guide and DVD Training System both from Syngress Media, Inc. Read more about Robert at his site, http://rsnetworks.net, and be sure to check out his book on using Network Associates Sniffer Solutions suite of tools: Sniffer Pro Network Optimization & Troubleshooting Handbook.