Denial-of-Service (DoS) Attacks - Answers - The NIST (National Institute of Standards and Technology)
Computer Security Incident Handling defines a DoS attack as:
--"An action that prevents or impairs the authorized use of networks, systems, or applications by
exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space."
- A form of attack on the availability of some service
- Categories of resources that could be attacked are:
1. Network bandwidth
2. System resources
3. Application resources
Network bandwidth - Answers - Relates to the capacity of the network links connecting a server to the
Internet
- For most organizations this is their connection to their Internet Service Provider (ISP)
System resources - Answers - Aims to overload or crash the network handling software
Application resources - Answers - Typically involves a number of valid requests, each of which consumes
significant resources
--Thus limiting the availability of the Web server to respond to requests from other users
Types of DoS attacks - Answers - 1. Classic Denial-of-Service attacks
2. Source address spoofing
3. SYN spoofing
4. Flooding attacks
1. Classic Denial-of-Service attacks - Answers - Flooding ping command
--By sending TCP/IP ICMP (Internet Control Message Protocol) echo request messages (normally used to measure
the time taken for the echo response packet to return)
--Floods the victim's network with request packets, knowing that the network will respond with an equal
number of reply packets
- The aim of this attack is to overwhelm the capacity of the network connection to the target organization
- Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity
decreases. Hence, valid traffic will have little chance of surviving discard.
- Source of the attack is clearly identified unless a spoofed address is used
2. Source address spoofing - Answers - Use forged source addresses
- Attacker generates large volumes of packets that have the target system as the destination address
- Congestion would result in the router connected to the final, lower capacity link
- Identifying the source of the attack requires network engineers to specifically query flow information from
their routers
3. SYN spoofing - Answers - When a client attempts to start a TCP connection to a server, the client and
server exchange a series of messages which normally runs like this:
1. The client requests a connection by sending a SYN (synchronize) message to the server
2. The server acknowledges this request by sending SYN-ACK back to the client (and also records the details of
the TCP connection in a table)
3. The client responds with an ACK, and the connection is established
- This is called the TCP three-way handshake, and is the foundation for every connection established
using the TCP protocol
- Attacks the ability of a server to respond to future connection requests by overflowing the tables used to
manage them
--Thus legitimate users are denied access to the server
- Hence an attack on system resources, specifically the network handling code in the operating system
4. Flooding attacks - Answers - Intent is to overload the network capacity on some link to a server
(combination of all techniques)
- Virtually any type of network packet can be used
1. ICMP flood