Introduction to Denial Of Service
In a previous post, I had introduced you to the basic idea of a denial of service attack. We used real life examples (bus stop and online game) to depict the idea behind a DOS attack. We crashed our own Windows and Kali Linux machine (using batch and command line interface respectively). Now it's time to learn how actually DOS of service attacks work, in terms of packets and other networking terms. So here is a one by one description on four of the well known attacks.
Various methods of Denial Of Service attack
ICMP flooding (smurfing)
Before I go off explaining what the attack is, first I'll tell you about the packets.
|Contents of an ICMP packet (should not bother you currently)|
- It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached
- It is also used to relay query messages
Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like "Destination unreachable". Pings use the ICMP packet.
While the packet as a whole allows us to directly attack the network by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP relay packets to a network, with a spoofed source IP (we will change our IP to that of target), and when the network will replay to our packet, it will reply to the spoofed IP, causing it to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is tougher to detect than a normal direct ICMP attack, and the network serves as amplifier, the larger the better, making the attack much stronger, since you have the power of many computers at your disposal, instead of just one. If the target is flooded with enough packets, it loses it ability to respond to genuine packets, resulting in a successful Denial of Service attack.
|The three way handshake (that didn't happen in our case)|
First of all - In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network. (source : Wikipedia)
Now in a teardrop attack, mangled IP packets are sent to the target. They are overlapping, over-sized, and loaded with payloads. Now various operating systems have a bug in their TCP/IP fragmentation re-assembly code. What that means, is when the OS tries to re-assemble the TCP/IP packets that it gets, a piece of code exploits a bug in the way the re-assembling process works, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack. This type of attack does not require much bandwidth on the user side, and has devastating effect for the targeted server.
|A small botnet|
|Try not to end up like this|