“Denial of service attacks, simply known as DOS attacks, are those attacks that deny services to a network resource, such as browsing a website, listening to an online radio, transferring money to a bank account, or communicating with a naval port, and make computer resources unavailable or unreachable to their users”. In a typical connection, the user sends a message to the server asking it to authenticate the connection. When the server receives the user's authentication request and approves it, the user accepts that approval and is allowed onto the server. In a DOS attack, however, the attacker sends many authentication requests to the server, and the source addresses in those requests are always false. When the server tries to approve the authentication it cannot find the user, so it waits for some time for the user to respond before dropping the connection. As soon as it drops the connection, the attacker bombards the server with a new batch of forged requests. This process continues indefinitely, and the service stays unavailable. A DOS attack is hard to recognize at the surface level: the visitors to the site generally look like the real, valid traffic of that site. The major differences between legitimate users and attackers are the volume, frequency and source of the traffic.
“Many DOS attackers are seeking to take the most advantage of the security within the current version of IP addresses, that is, IPv4. Generally attackers are fully conscious regarding security considerations, which have only been implemented in higher-level protocols and applications. Therefore IPv6 may help to reduce DOS attacks because it includes a means to validate the source of particular packets and their integrity by using an authentication header. This will not help to solve today’s problem because IPv6 is not as widely spread as IPv4”.
Modes of DOS attacks
- It can include the consumption of resources such as bandwidth or disk space
- It can include the destruction or alteration of configuration information
- It can include the destruction or alteration of network components
Primary types of DOS attacks used in today’s world
a) Flood attack: This is one of the earliest discovered DOS attacks. A flooding attack works when an attacker sends a vast amount of data to the targeted computer in such a way that it cannot handle the traffic sent by the attacker. The bandwidth of the targeted computer is consumed by the attacker's flood of messages. Even if more bandwidth is added to that particular network, it is very difficult to handle these attacks.
b) Resource overload: A resource-overload DOS happens when too many legitimate connections overwhelm the server. For example, a company announces a hot new product on its website, and the rush of users who all visit the page at once quickly overwhelms the server, so no one can access the website. This is often referred to as being slashdotted. Both legitimate and DOS-based resource overloads happen daily on the internet. For example, when Michael Jackson died on June 25, 2009, there was a large volume of searches related to Michael Jackson in Google News. As a large number of people accessed Google News, the servers were overwhelmed, and as a result, for about 25 minutes, some people who searched Google News saw the error message “we’re sorry” before the actual page was displayed.
c) IP spoofing: Most denial of service attacks rely on IP spoofing techniques. IP spoofing is the act of forging a packet header to make the packet appear as if it originated from another source IP address. Spoofing is commonly used in multiple types of DOS attacks and in man-in-the-middle attacks, and it can be used by an attacker to hide their true IP address. The major goal of an IP spoofing attack is to flood the victim with an overwhelming amount of traffic. The most common use of this type of attack is changing the apparent origin for the purpose of accessing internet content that is limited to certain geographical areas. For example, some of the videos on lastfm.com are only accessible to citizens of European countries, but theoretically they can also be reached by a computer spoofing a European location.
d) Ping of Death: The Ping of Death is a network-based attack. Basically, a Ping of Death sends a ping to a target with a larger-than-normal packet. It is so large that the victim machine does not know what to do with it. Most IDSs can detect it, because they can see a packet that is unusually large. Generally the host tries to reassemble the large packet but cannot, and thus the host crashes. It is characterized by highly fragmented ICMP packets.
e) Teardrop attack: Teardrop attacks use fragmentation to deliver a malformed packet. The attack fragments packets in a way that makes it appear to the receiving host that the packets cannot be reassembled. They look like legitimate packets, but their reassembly information overlaps. As the packets are reassembled, the OS allocates memory to hold them; the invalid packets eventually use up all the memory resources on the system.
f) Jolt2 attack: It was first discovered in May 2000. Attackers basically send a stream of fragmented packets that hangs the victim. It is similar to the teardrop attack. It affects Windows 2000 and NT systems. The attack only takes 150 packets per second to hang a Windows 2000 or NT system that has not been recently patched.
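The three fragmentation attacks above (Ping of Death, teardrop, Jolt2) share a defensive check: inspect a datagram's fragments before reassembling them. The following is an added example, not code from the original text; it assumes fragment records carrying the IP header's 8-byte-unit offset and the payload length, and the sample fragments are constructed.

```python
"""Fragment sanity checks run before reassembly: flags fragment sets that
would exceed the 65535-byte IPv4 maximum (Ping of Death style) or that
overlap (teardrop style). Added example; fragment records are constructed."""
from collections import defaultdict

MAX_IPV4_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits

def check_fragments(frags):
    """frags: records with src, ident, offset (in 8-byte units, as carried
    in the IP header) and length (payload bytes). Returns a mapping from
    (src, ident) to the list of problems found for that datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f["src"], f["ident"])].append(f)
    findings = {}
    for key, parts in groups.items():
        issues = []
        spans = sorted((p["offset"] * 8, p["offset"] * 8 + p["length"]) for p in parts)
        # Oversized: some fragment's last byte lies beyond the 16-bit limit.
        if any(end > MAX_IPV4_DATAGRAM for _, end in spans):
            issues.append("oversized-datagram")
        # Overlap: a fragment starts before the previous one ends
        # (exact duplicates are flagged too, which is the conservative choice).
        prev_end = 0
        for start, end in spans:
            if start < prev_end:
                issues.append("overlapping-fragments")
                break
            prev_end = max(prev_end, end)
        if issues:
            findings[key] = issues
    return findings

# Constructed fragment sets: a normal two-piece datagram, an oversized
# ICMP echo whose final fragment runs past 65535 bytes, and a pair of
# fragments whose offsets overlap.
SAMPLE_FRAGMENTS = [
    {"src": "198.51.100.4", "ident": 3, "offset": 0,    "length": 1480},
    {"src": "198.51.100.4", "ident": 3, "offset": 185,  "length": 500},
    {"src": "203.0.113.7",  "ident": 1, "offset": 0,    "length": 1480},
    {"src": "203.0.113.7",  "ident": 1, "offset": 8189, "length": 100},
    {"src": "203.0.113.7",  "ident": 2, "offset": 0,    "length": 36},
    {"src": "203.0.113.7",  "ident": 2, "offset": 3,    "length": 24},
]

if __name__ == "__main__":
    for key, issues in check_fragments(SAMPLE_FRAGMENTS).items():
        print(key, issues)
```

A host that drops flagged fragment sets never allocates the reassembly memory the text describes being exhausted.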
g) Smurf attack: This is a direct attack at a broadcast address. It uses an amplification network to attack a target. The attacker sends a single packet that is addressed to everybody on a certain subnet. Everybody on that subnet hears it and responds; however, the packet the attacker sends has a spoofed source address, so it looks as if it came from another address. When the attacker sends this out, all the amplifying machines respond not to the attacker but to the target machine the attacker originally wanted, because the attacker spoofed the source address to be the target's. Papa Smurf is an improved version of the Smurf attack.
h) SYN attacks: A SYN attack basically works by filling up the connection buffer on a host. SYN attacks consume resources through illegitimate requests to start the three-way handshake, which leave behind a large number of half-open connections. In a SYN attack the attacker sends multiple SYN packets to the target machine. When the target computer receives a SYN packet, it allocates resources for it and sends an acknowledgment (SYN-ACK) to the source IP address. Because it never receives a response from the attacking machine, the targeted computer resends the SYN-ACK five times at certain intervals, such as 3, 6, 12, 24 and 48 seconds. The target machine thus keeps those resources allocated and takes more than 3 minutes to give up on a single SYN from the attacker. When the attacker repeatedly uses this technique, the target machine runs out of resources, cannot handle any more connections, and denies service to legitimate users.
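The half-open backlog mechanism just described can be replayed from a connection log to see how a handful of unanswered SYNs lock out a real client. This is an added example, not code from the original text; the backlog size, the 189-second expiry (the SYN-ACK retry schedule plus a final wait) and the event log are all constructed assumptions.

```python
"""Half-open (SYN backlog) tracker: replays connection events against a
fixed-size listener backlog and reports the symptoms described for SYN
floods. Added example; the event log is constructed, not captured."""
import re

BACKLOG = 8                # assumed backlog size for this example
HALF_OPEN_TIMEOUT = 189.0  # assumed: SYN-ACK retries at 3,6,12,24,48 s plus a final wait

LINE = re.compile(r"t=(?P<t>[\d.]+) (?P<ev>SYN|ACK) (?P<src>[\d.]+:\d+)")

def replay(log_lines, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Returns a summary: total SYNs, completed handshakes, SYNs refused
    because the backlog was full, the peak half-open count, and the
    sources whose handshake never completed (the flood fingerprint)."""
    half_open = {}             # src ip:port -> time its SYN arrived
    never_completed = set()
    syns = completed = refused = peak = 0
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        t, ev, src = float(m["t"]), m["ev"], m["src"]
        # expire entries whose SYN-ACK retransmits all went unanswered
        for stale in [s for s, ts in half_open.items() if t - ts > timeout]:
            del half_open[stale]
            never_completed.add(stale)
        if ev == "SYN":
            syns += 1
            if len(half_open) >= backlog:
                refused += 1   # no slot left: legitimate or not, this SYN is dropped
            else:
                half_open[src] = t
        elif ev == "ACK" and src in half_open:
            del half_open[src]
            completed += 1
        peak = max(peak, len(half_open))
    never_completed.update(half_open)
    return {"syns": syns, "completed": completed, "refused": refused,
            "peak_half_open": peak, "never_completed": sorted(never_completed)}

# Constructed log: eight SYNs from spoofed sources that never answer the
# SYN-ACK, then a real client whose SYN is refused while the backlog is full
# and succeeds only after the stale entries have timed out.
SAMPLE_LOG = [f"t=0.{i} SYN 203.0.113.{10 + i}:4{i}000" for i in range(8)] + [
    "t=1.0 SYN 198.51.100.9:51000",
    "t=200.0 SYN 198.51.100.9:51001",
    "t=200.1 ACK 198.51.100.9:51001",
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

A low ratio of completed handshakes to SYNs, together with a backlog sitting at its peak, is the detection signal a monitor would alarm on.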
i) UDP flood attack: Unlike TCP, UDP is a connectionless protocol. When a host receives a UDP packet on a given port, it attempts to figure out which application is waiting for the packet. When the host finds that no application is waiting for it, it drops the packet and sends a “Host Unreachable” message back to the source. Since this ties up resources, enough of these packets will crash the host. Some attacks take advantage of UDP services (for example chargen and echo).