
A DoS (DDoS) attack is an attempt to prevent legitimate users of a service or network resource from accessing that service or resource. DoS attacks usually either exploit software bugs to crash or freeze a service or resource, or exploit bandwidth limits by using a flood attack to saturate all available bandwidth.

DoS Attack Methods

Three generic DoS attack methods stand out as particularly dangerous:

Smurf or Fraggle
Smurf attacks are among the most devastating DoS attacks. In the Smurf (ICMP Packet Magnification) attack, the attackers send a large amount of ICMP echo (ping) traffic to IP broadcast addresses. The Smurf attack uses bandwidth consumption to disable a system's network resources, and it achieves that consumption by amplifying the attacker's bandwidth. The attacker sends a ping request to the amplifying network with the victim's address as the return address, so every system that answers the broadcast sends its reply to the victim. If the amplifying network has 100 systems, the signal can be amplified 100 times, so an attacker with relatively low bandwidth can disable a system with much higher bandwidth.

The Fraggle (UDP Packet Magnification) attack is the cousin of the Smurf attack: it uses UDP echo packets in the same fashion as the ICMP echo packets. Fraggle usually achieves a smaller amplification factor than Smurf, and is much less popular. UDP echo is a less important service in most networks than ICMP echo, and can therefore be disabled completely with fewer negative consequences.

SYN Flood
The SYN flood attack was considered to be the most devastating DoS attack method before the Smurf was discovered. This method uses resource starvation to achieve the DoS attack. During a normal TCP handshake, a client sends a SYN request to the server in step one; in step two, the server responds with a SYN/ACK to the client; and in the final step the client sends an ACK back to the server. In a SYN flood attack, the attacker sends multiple SYN requests to the victim with spoofed source addresses as the return address. The spoofed addresses do not exist on the network. The victim's server then responds with a SYN/ACK to the nonexistent address. Because no host receives this SYN/ACK, the victim's system just waits for the ACK from the client. The ACK never arrives, and the victim's server eventually times out. If the attacker sends SYN requests often enough, the victim's available resources for setting up a connection will be consumed waiting for these bogus ACKs. These resources are usually low in number, so relatively few bogus SYN requests can create a DoS event.
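On the server, the half-open connections described above show up as sockets in the SYN-RECV state. The following is an added example, not part of the original article, that counts them per local port from text in the column layout of `ss -tan`; the sample rows, the `syn_backlog` size and the `alert_fraction` threshold are constructed assumptions.

```python
from collections import defaultdict

def half_open_report(ss_text, syn_backlog=128, alert_fraction=0.75):
    """Summarise half-open (SYN-RECV) sockets per local port from `ss -tan` style text.

    syn_backlog and alert_fraction are assumed tuning values, not figures from the article.
    """
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN and other states are not counted
        state, local, peer = fields[0], fields[3], fields[4]
        entry = stats[int(local.rsplit(":", 1)[1])]
        if state == "SYN-RECV":
            # Server sent SYN/ACK and is still waiting for the final ACK
            entry["half_open"] += 1
            entry["peers"].add(peer.rsplit(":", 1)[0])
        else:
            entry["established"] += 1
    report = {}
    for port, e in stats.items():
        report[port] = {
            "half_open": e["half_open"],
            "established": e["established"],
            # Many sources with one pending handshake each fits the spoofed-address pattern
            "distinct_peers": len(e["peers"]),
            "queue_fill": e["half_open"] / syn_backlog,
            "alert": e["half_open"] >= alert_fraction * syn_backlog,
        }
    return report

def build_sample():
    """Constructed sample (documentation addresses): flooded port 80, quiet port 443."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port",
            "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*",
            "ESTAB 0 0 192.0.2.10:80 198.51.100.7:51234",
            "ESTAB 0 0 192.0.2.10:443 198.51.100.8:40112",
            "SYN-RECV 0 0 192.0.2.10:443 198.51.100.9:40200"]
    # 100 pending handshakes, each from a different source that never answers
    rows += [f"SYN-RECV 0 0 192.0.2.10:80 203.0.113.{i}:{1024 + i}" for i in range(1, 101)]
    return "\n".join(rows)

if __name__ == "__main__":
    for port, row in sorted(half_open_report(build_sample()).items()):
        print(port, row)
```

A single pending handshake, as on port 443 in the sample, is normal; the signal is a large half-open count spread over many sources with few established connections alongside it.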

DNS Attacks
On earlier versions of BIND (Berkeley Internet Name Domain), attackers could effectively poison the cache on a DNS server that was using recursion to look up a zone not served by the name server. Once the cache was poisoned, a legitimate user could be directed to the attacker's network or to a nonexistent network. This problem has been corrected in later versions of BIND.



2006 © Callaway Alliance, Inc.