Denial of Service Attacks (DoS)
Denial of Service (DoS) attacks are attacks on computer systems that aim to disrupt or terminate the services those systems provide. They are explicit attempts by attackers to prevent legitimate users of a service from using it. On the Internet this usually means repeatedly crashing services or exhausting some limited resource. DoS attacks can often be performed over the network and frequently exploit security flaws in the services themselves.
DoS attacks are carried out mainly to:
- Exhaust the network bandwidth of a site
- Exhaust the [inbound] network connections of a service
- Crash a service using some security flaw
- Crash the computer running a service using some security flaw
Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
- Consumption of scarce, limited, or non-renewable resources
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components
What do DoS attacks target?
Information security has three fundamental objectives: confidentiality, integrity, and availability. Confidentiality is defined as the property that information is not disclosed to unauthorized entities. Integrity is defined as the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. Availability is defined as the property of a system or a system resource being accessible and usable upon demand by an authorized entity.
A DoS attack aims at degrading availability. Denial of service has been defined as the prevention of authorized access to resources or the delaying of time-critical operations. Examples of such resources are network bandwidth, processing capacity, disk space, memory, and static memory structures. DoS attacks can be classified by the number of sources taking part in the attack. In a basic DoS attack the attacker uses a single source host to send attack traffic to a victim; in a distributed DoS (DDoS) attack many hosts send attack traffic at once.
Detection
There are several ways to detect a DoS attack while it is happening. It is normally done by monitoring the router, either by examining CPU utilization or by using access lists to detect attack traffic. Since traffic from outside must pass through the border router on its way into the network, the router is the first place to detect an incoming or ongoing DoS attack.
Symptoms of a DoS attack observable on the router:
- An unusually high number of ARP (Address Resolution Protocol) requests are detected in the router.
- The NAT/PAT address-translation tables have a large number of entries.
- The router's IP Input, ARP Input, IP Cache Ager and CEF (Cisco Express Forwarding) processes are using abnormally high amounts of memory.
- The router's ARP, IP Input, CEF, and IPC processes are running at a much higher CPU utilization rate.
Examining CPU Utilization
One of the first and easiest ways of detecting a DoS attack is to monitor CPU usage. On Cisco IOS this is done with the show processes cpu history command; other vendors provide an equivalent.
The command displays the router's total CPU usage over the last 60 seconds, the last 60 minutes and the last 72 hours as three text graphs. In each graph the maximum CPU usage within an interval is marked by an asterisk (*) and the average over the interval by a hash (#). The two rows of digits above each graph give the value for each column, tens digit above ones digit.
Refer to the example below for the demonstration of the above mentioned technique.
Router# show processes cpu history
<-- One minute output omitted -->
        6665776865756676676666667667677676766666766767767666566667
        6378016198993513709771991443732358689932740858269643922613
    100
     90
     80 ** * * * * * * *
     70 * * ****# * ** ***** *** **** ****** * *** *** *
     60 #***##*##*#***#####*#*###*****#*###*#*#*##*#*#**#*##*****
     50 ########################################################*
     40 #########################################################
     30 #########################################################
     20 #########################################################
     10 #########################################################
       0....5....1....1....2....2....3....3....4....4....5....5....
                 0    5    0    5    0    5    0    5    0    5
                   CPU% per minute (last 60 minutes)
                  * = maximum CPU%   # = average CPU%
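The two digit rows above the graph are easy to misread, so here is an added example (not part of the original text) that turns them back into per-minute percentages, in display order (leftmost column first), and flags sustained high load. The sample string is the beginning of the output quoted above; the 70 percent threshold and the two-minute run length are arbitrary choices for the demonstration.

```python
"""Read the per-minute values out of 'show processes cpu history'.

Added example, not part of the original page. The two digit rows printed
above the graph encode one two-digit CPU percentage per column: the first
row carries the tens digits, the second the ones digits (a blank in the
tens row means the value is below 10).
"""
from statistics import mean

# The digit rows from the router output quoted above, plus the first graph
# lines, pasted as a string. Everything after the two rows is ignored.
SAMPLE = """\
Router# show processes cpu history
<-- One minute output omitted -->
6665776865756676676666667667677676766666766767767666566667
6378016198993513709771991443732358689932740858269643922613
100
 90
 80 ** * * * * * * *
"""


def parse_history(text, min_width=20):
    """Return the per-minute average CPU percentages in display order.

    The first two lines made only of digits and blanks, and at least
    `min_width` columns wide, are taken as the tens and ones rows.
    """
    rows = []
    for line in text.splitlines():
        body = line.rstrip()
        if len(body) >= min_width and all(c.isdigit() or c == " " for c in body):
            rows.append(body)
            if len(rows) == 2:
                break
    if len(rows) != 2:
        raise ValueError("digit rows not found")
    tens, ones = rows
    width = max(len(tens), len(ones))
    tens, ones = tens.ljust(width), ones.ljust(width)
    values = []
    for t, o in zip(tens, ones):
        if o == " ":          # empty column: no sample in this slot
            continue
        values.append((int(t) if t.isdigit() else 0) * 10 + int(o))
    return values


def high_runs(values, threshold=70, min_len=2):
    """Return (start_index, length) for each run of at least `min_len`
    consecutive minutes at or above `threshold` percent."""
    runs, start = [], None
    for i, v in enumerate(values + [-1]):       # sentinel closes a trailing run
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def summarize(values):
    """Number of samples, peak and rounded mean of the series."""
    return {"minutes": len(values), "peak": max(values), "mean": round(mean(values), 1)}


if __name__ == "__main__":
    vals = parse_history(SAMPLE)
    print(summarize(vals))
    print("sustained >= 70%:", high_runs(vals))
```

A single peak minute is normal on a busy router; what points at an attack is the average (#) staying high for consecutive minutes, which is what high_runs reports.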
Using ACLs to Detect DoS Attacks
One of the most useful tools for detecting DoS attacks on a router is the access list (ACL). Access lists are sets of rules that govern what traffic is allowed onto the network and how it moves once there, so they can filter out traffic commonly associated with DoS attacks. Each entry also keeps a hit counter that show access-lists displays, which is what makes ACLs useful for detection: a counter that suddenly climbs shows which kind of traffic is arriving. Adding an explicit deny ip any any entry at the end is not strictly necessary, because every ACL ends with an implicit deny, but the explicit entry is counted (and can be logged), so it lets the administrator keep track of all the traffic the router blocks.
Refer to the example below for the above mentioned technique:
Router(config)# access-list 100 remark Insert other ACL statements here
! Drop packets aimed at the network and broadcast addresses of the two
! internal subnets (directed-broadcast amplification)
Router(config)# access-list 100 deny ip any 192.1.1.0 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.1.255 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.2.0 0.0.0.0
Router(config)# access-list 100 deny ip any 192.1.2.255 0.0.0.0
! Only one host may receive ping replies; all other echo/echo-reply traffic
! and the UDP echo service are dropped (ping and echo floods)
Router(config)# access-list 100 permit icmp any host 192.1.2.9 echo-reply
Router(config)# access-list 100 deny icmp any any echo
Router(config)# access-list 100 deny icmp any any echo-reply
Router(config)# access-list 100 deny udp any any eq echo
Router(config)# access-list 100 deny udp any eq echo any
! Web and mail servers: the "established" entries match segments of existing
! sessions, so the plain entries below them count new connection attempts (SYNs)
Router(config)# access-list 100 permit tcp any host 192.1.1.1 eq 80 established
Router(config)# access-list 100 permit tcp any host 192.1.1.1 eq 80
Router(config)# access-list 100 permit tcp any host 192.1.1.2 eq 25 established
Router(config)# access-list 100 permit tcp any host 192.1.1.2 eq 25
Router(config)# access-list 100 remark Insert other ACL statements here
! Explicit final deny so that blocked traffic is counted (append "log" to see it)
Router(config)# access-list 100 deny ip any any
Router(config)# interface ethernet1
Router(config-if)# ip access-group 100 in
Precursor
DoS attacks are often preceded by reconnaissance or scanning: generally a low volume of the same traffic that will be used in the actual attack, sent to determine which attacks may be effective.
Reconnaissance can be detected by a host IDS (HIDS) and a network IDS (NIDS), if available. Follow the steps below:
- Log on to the HIDS
- Enter a start date and end date
- If signatures such as nmap port scanning are detected, there is an indication of a reconnaissance attack. The attack may be blocked by quickly altering firewall rule sets to block a particular protocol from being used. In the Cisco IOS access-list style used above this takes one entry per transport protocol (list number 101 is chosen arbitrarily); for the echo service (port 7) use:
Router(config)# access-list 101 deny tcp host <source ip> host <destination ip> eq 7
Router(config)# access-list 101 deny udp host <source ip> host <destination ip> eq 7
For the chargen service (port 19) use:
Router(config)# access-list 101 deny tcp host <source ip> host <destination ip> eq 19
Router(config)# access-list 101 deny udp host <source ip> host <destination ip> eq 19
Tracking the Source of the Attack
Tracking the sources of attacks requires some familiarity with packet-sniffing tools such as tcpdump, ngrep, and ethereal (now Wireshark). It is important to profile normal network traffic and set up monitoring that alerts on anomalies; otherwise the chances of discovering a denial of service condition before users report it are slim. It is important to realize two things:
- Attacks can come from inside and outside the network.
- Not all service-denying events constitute a denial of service attack, and not all denial of service attacks constitute a service-denying event.
This means that when investigating why the Internet is slow or why people cannot download their email, the source of the problem could be any machine on the network or on the Internet, and if there is a denial, it could be accidental.
A good place to start is the point of bottleneck. This could be the CPU on the HTTP proxy or the Internet gateway. If the bottleneck is a system process such as a proxy server, examine its logs and check whether a single system or a small number of systems is making an unusually large number of requests or using more resources than normal.
If the bottleneck is the Internet gateway (here a FreeBSD host acting as the router), the following command can be used to view the IP packets passing through it:
router# tcpdump -n -i <interface> -c 100
This command displays a summary of the first 100 packets (-c 100) seen on the given interface (-i <interface>) and does not resolve IP addresses to host names (-n), which takes extra time and may itself fail if you are having connectivity issues. An example output line resembles:
04:59:53.915324 192.168.0.3.2327 > 192.168.0.10.1214: S 3199611726:3199611726(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Examining the parts of this output:
- 04:59:53.915324 is the timestamp of when the packet was captured.
- 192.168.0.3.2327 is the source IP address; the number after the last octet, 2327, is the source port.
- 192.168.0.10.1214 is the destination IP address; the number after the last octet, 1214, is the destination port.
- S is the TCP flag field, in this case a SYN packet (the start of a connection attempt).
- 3199611726:3199611726(0) is the sequence number range and payload length (0 bytes), win 16384 the advertised window, and the bracketed fields the TCP options.
What is seen during an actual attack is hard to predict, as denial of service attacks come in so many shapes and sizes. A typical attack involves flooding a listening port on the victim's server with SYN packets. The idea is to make the system so busy processing new connections that it cannot do anything else. In that case the capture shows a large number of SYN packets aimed at the same destination port, typically from many different (and usually spoofed) source addresses, with few of the corresponding connections ever completing.
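To make the last point concrete, the following added example (not from the original page) parses tcpdump summary lines in the format shown above, and also the newer "Flags [S]" format, groups them by destination address and port, and flags a SYN flood: many pure SYNs from many distinct sources with hardly any ACKs completing a handshake. The capture lines, the addresses and the thresholds are constructed for the demonstration.

```python
"""Find a SYN flood in tcpdump output.

Added example, not code from the original page. parse_line() understands
the classic summary format quoted above
("src.port > dst.port: S seq:seq(0) win ...", with "ack N" marking a
SYN-ACK) and the newer "Flags [S]" / "Flags [S.]" format. syn_flood_report()
groups packets by destination socket and flags a flood: many pure SYNs,
from many distinct sources, with few ACKs that would complete a handshake.
The sample lines, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<newflags>[^\]]*)\]|(?P<oldflags>[SFRPWE.]+))"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with src/dst/ports and syn/ack booleans, or None for non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("newflags") if m.group("newflags") is not None else m.group("oldflags")
    rest = m.group("rest")
    # Old style: "." alone means ACK-only and a SYN-ACK reads "S ... ack N".
    # New style: "." inside the brackets is the ACK flag.
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": "S" in flags,
        "ack": "." in flags or " ack " in rest,
    }


def syn_flood_report(lines, syn_threshold=10, min_sources=5):
    """Per destination (address, port): SYN count, distinct sources, completing ACKs, flood flag."""
    stats = defaultdict(lambda: {"syns": 0, "sources": set(), "acks": 0, "flood": False})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["dst"], pkt["dport"])
        if pkt["syn"] and not pkt["ack"]:          # pure SYN: a new connection attempt
            stats[key]["syns"] += 1
            stats[key]["sources"].add(pkt["src"])
        elif pkt["ack"] and not pkt["syn"]:        # ACK toward the listener: handshake progressing
            stats[key]["acks"] += 1
    for s in stats.values():
        s["flood"] = (s["syns"] >= syn_threshold
                      and len(s["sources"]) >= min_sources
                      and s["acks"] < s["syns"] // 2)
    return dict(stats)


# Constructed capture: one real handshake to the web server, one harmless SYN to
# the mail server, then twelve never-acknowledged SYNs from spoofed sources.
SAMPLE_LINES = [
    "04:59:53.915324 192.168.0.3.2327 > 192.168.0.10.80: S 3199611726:3199611726(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "04:59:53.915501 192.168.0.10.80 > 192.168.0.3.2327: S 88123:88123(0) ack 3199611727 win 5840 <mss 1460> (DF)",
    "04:59:53.915744 192.168.0.3.2327 > 192.168.0.10.80: . ack 88124 win 16384 (DF)",
    "04:59:54.002310 192.168.0.7.4001 > 192.168.0.11.25: S 5000:5000(0) win 8192 <mss 1460> (DF)",
] + [
    "04:59:54.%06d 203.0.113.%d.%d > 192.168.0.10.80: S %d000:%d000(0) win 512"
    % (100000 + i * 1000, i, 1024 + i, i, i)
    for i in range(1, 13)
]

if __name__ == "__main__":
    for (dst, port), s in syn_flood_report(SAMPLE_LINES).items():
        print("%s:%d syns=%d sources=%d acks=%d%s" % (
            dst, port, s["syns"], len(s["sources"]), s["acks"],
            "  <-- SYN flood" if s["flood"] else ""))
```

The ratio of SYNs to completing ACKs is the telling number: a popular server also sees many SYNs, but most of them turn into established connections, whereas spoofed SYNs never do. Feed the script the output of tcpdump -n -l (line-buffered) to use it on a live capture.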
Mitigation
TCP SYN flooding is a widely used flooding DoS attack mechanism. Most available DoS tools support this attack type and studies also indicate that most DoS attacks are TCP-based. The effect of TCP SYN flooding attacks can be mitigated by applying the following defenses:
- Improve end-system configurations (reduction of the timeout period for half open connections, increase in the backlog queue size)
- Improve connection establishment to prevent storing half-open connections (storing the connection status in the initial sequence number as a SYN cookie)
- Move the burden of handling half-open connections to a firewall, and
- Actively monitor TCP connection attempts (for example with Synkill, which classifies source addresses and prevents those classified as bad from establishing additional connections).
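The second defense, keeping the half-open connection state inside the initial sequence number, is the one most worth seeing in code. The following added example (not from the original page) is a minimal SYN cookie: the server derives its ISN from a keyed hash over the connection 4-tuple, the client's ISN, a coarse time counter and the encoded MSS, answers the SYN-ACK, and keeps nothing; when the final ACK arrives it checks the cookie it gets back. The bit layout, the 64-second tick, the MSS table and the secret are this example's choices, not those of any particular implementation.

```python
"""SYN cookies: keep the half-open connection inside the server's ISN.

Added example, not code from the page. Instead of queueing a half-open
entry for every SYN, the server derives its initial sequence number from a
keyed hash over the connection 4-tuple, the client's ISN, a coarse time
counter and the encoded MSS, sends the SYN-ACK and remembers nothing. The
final ACK carries the cookie back (ack = cookie + 1), so the server can
verify it statelessly. Layout (5 bits time, 3 bits MSS index, 24 bits MAC),
64-second ticks, the MSS table and the key are this example's choices.
"""
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values representable in the 3-bit field (assumption)
TICK_SECONDS = 64
MAX_AGE_TICKS = 1                     # accept cookies from the current or previous tick


def _mac24(secret, saddr, daddr, sport, dport, client_isn, tick, mss_idx):
    """24-bit keyed hash binding the cookie to this attempt (the MSS index is
    included so a client cannot flip the MSS bits of a captured cookie)."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHIIB", sport, dport, client_isn, tick, mss_idx))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; no per-connection state is stored."""
    tick = (now // TICK_SECONDS) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(secret, saddr, daddr, sport, dport, client_isn, tick, mss_idx), "big")
    return (tick << 27) | (mss_idx << 24) | mac


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the MSS to use if the cookie is genuine and fresh, else None."""
    tick_now = (now // TICK_SECONDS) & 0x1F
    tick = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if (tick_now - tick) & 0x1F > MAX_AGE_TICKS:
        return None                        # stale: an old or replayed cookie
    expected = _mac24(secret, saddr, daddr, sport, dport, client_isn, tick, mss_idx)
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                        # forged, or for a different 4-tuple/ISN
    return MSS_TABLE[mss_idx]


def on_syn(secret, saddr, daddr, sport, dport, seq, mss, now):
    """SYN received: return (our seq, our ack) for the SYN-ACK; nothing is kept."""
    return make_cookie(secret, saddr, daddr, sport, dport, seq, mss, now), (seq + 1) & 0xFFFFFFFF


def on_ack(secret, saddr, daddr, sport, dport, seq, ack, now):
    """Final ACK received: rebuild client ISN (seq-1) and cookie (ack-1) and verify."""
    return check_cookie(secret, saddr, daddr, sport, dport,
                        (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    secret = b"rotate-me-regularly"          # constructed key; rotate it in practice
    s_seq, s_ack = on_syn(secret, "203.0.113.5", "192.0.2.10", 40000, 80, 123456789, 1460, now=1_000_000)
    print("SYN-ACK seq=%d ack=%d" % (s_seq, s_ack))
    print("MSS accepted:", on_ack(secret, "203.0.113.5", "192.0.2.10", 40000, 80, s_ack, s_seq + 1, now=1_000_005))
```

The price of statelessness is visible in the code: only a few MSS values can be encoded, other options negotiated in the SYN are lost, and a cookie that arrives more than one tick late is rejected, which is why real stacks switch cookies on only once the backlog queue is full.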
Filtering
With the current IP protocol technology, it is difficult to eliminate all IP-spoofed packets. However certain steps can be taken to reduce the number of IP-spoofed packets entering and exiting the network.
The best method is to install a filtering router that restricts the input to the external interface (known as an input filter) by not allowing a packet through if it has a source address from the internal network. In addition, outgoing packets that have a source address different from the internal network should be filtered to prevent a source IP spoofing attack from originating from the local site.
The combination of these two filters would prevent outside attackers from sending packets pretending to be from the internal network. It would also prevent packets originating within the local network from pretending to be from outside the network.
Filtering can also be applied to specific ICMP message types. ICMP has no ports, so a rule of the form deny tcp/udp ... eq icmp is not valid; instead match the protocol and message type, as in the access-list example above, where access-list 100 deny icmp any any echo drops echo requests (pings). Plan carefully where to apply filters (for example at border routers and firewalls), and upgrade networking equipment where necessary so that filtering can be sustained through a long-running attack.
Alternative for routers that do not support filtering on the inbound side
If the router does not support filtering on the inbound side of the interface or if there will be a delay in incorporating the feature into the system, the spoofed IP packets can be filtered by using a second router between the external interface and the outside connection.
This router should be configured to block, on the outgoing interface connected to the original router, all packets that have a source address in the internal network. For this purpose, a filtering router or a UNIX system with two interfaces that supports packet filtering can be used.
The packets with the following addresses that are coming from the Internet to the network should be blocked on the input to the external interface:
- Broadcast networks: The addresses to block here are network 0 (the all-zeros address, 0.0.0.0/8) and 255.255.255.255 (the all-ones broadcast address).
- The local network(s): These are your own network addresses; they should never arrive from outside.
- Reserved private network numbers: The following networks are reserved for private use, and no traffic should ever be received from or transmitted to them through the Internet-facing router:
- 10.0.0.0 - 10.255.255.255 10/8 (reserved)
- 127.0.0.0 - 127.255.255.255 127/8 (loopback)
- 172.16.0.0 - 172.31.255.255 172.16/12 (reserved)
- 192.168.0.0 - 192.168.255.255 192.168/16 (reserved)
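The two filters and the address list above, as an added example (not from the original page): inbound and outbound verdict functions in Python, plus a renderer that prints the equivalent Cisco IOS access-list entries with wildcard masks. The site prefix 192.0.2.0/24 is an assumption standing in for "the local network(s)"; the ACL numbers 110 and 111 are arbitrary.

```python
"""Ingress/egress (anti-spoofing) filter decisions and the matching ACL.

Added example, not from the page. It applies the two filters described
above: on the external interface, drop inbound packets whose source is one
of the reserved/broadcast ranges listed or one of our own prefixes;
outbound, drop packets whose source is not ours. The site prefix
192.0.2.0/24 (TEST-NET-1) is an assumption standing in for "the local
network(s)". render_cisco_acl() emits equivalent IOS access-list lines.
"""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]          # assumption: our address space

# Ranges from the list above that must never arrive from the Internet.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",             # all-zeros "network 0"
    "255.255.255.255/32",    # all-ones broadcast
    "127.0.0.0/8",           # loopback
    "10.0.0.0/8",            # RFC 1918
    "172.16.0.0/12",         # RFC 1918
    "192.168.0.0/16",        # RFC 1918
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def inbound_verdict(src):
    """Packet arriving on the external interface from the Internet."""
    s = ipaddress.ip_address(src)
    if _in_any(s, NEVER_FROM_OUTSIDE):
        return "drop: reserved or broadcast source"
    if _in_any(s, LOCAL_NETS):
        return "drop: source claims to be internal"
    return "permit"


def outbound_verdict(src, dst):
    """Packet leaving toward the Internet; stops our hosts spoofing other sites."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in_any(s, LOCAL_NETS):
        return "drop: source is not one of our prefixes"
    if _in_any(d, NEVER_FROM_OUTSIDE):
        return "drop: destination is reserved"
    return "permit"


def _acl_addr(net):
    """IOS address form: 'host X' for a /32, otherwise 'X wildcard-mask'."""
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.hostmask)


def render_cisco_acl(in_number=110, out_number=111):
    """IOS access-list entries equivalent to the two verdict functions.

    in_number is applied to the external interface with "ip access-group N in",
    out_number to the same interface with "ip access-group N out".
    """
    lines = []
    for net in NEVER_FROM_OUTSIDE + LOCAL_NETS:
        lines.append("access-list %d deny ip %s any log" % (in_number, _acl_addr(net)))
    lines.append("access-list %d permit ip any any" % in_number)
    for net in NEVER_FROM_OUTSIDE:
        lines.append("access-list %d deny ip any %s log" % (out_number, _acl_addr(net)))
    for net in LOCAL_NETS:
        lines.append("access-list %d permit ip %s any" % (out_number, _acl_addr(net)))
    lines.append("access-list %d deny ip any any log" % out_number)
    return lines


if __name__ == "__main__":
    for src in ("10.1.2.3", "192.0.2.9", "198.51.100.7"):
        print("in  %-15s %s" % (src, inbound_verdict(src)))
    for src, dst in (("192.0.2.5", "198.51.100.7"), ("10.0.0.5", "198.51.100.7")):
        print("out %-15s -> %-15s %s" % (src, dst, outbound_verdict(src, dst)))
    print("\n".join(render_cisco_acl()))
```

The outbound list is the part sites most often omit, yet it is the one that keeps your own hosts from being used as spoofed-source attackers against others, which is the second filter the text asks for.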
Disposal of unused services
All unnecessary services should be removed. The fewer applications and open ports a host has, the fewer vulnerabilities an attacker can exploit. Default installations of operating systems often include many applications the user does not need, and many home users in particular do not even know what services are running on their systems. A port or vulnerability scanner can be used to find out which network services (open ports) are reachable on a network.
Firewall
A firewall (or a router with similar abilities) should be used to control access to a network. Even if there are many services available from local hosts, not all of these services need to be accessible from the public Internet.
Security Patches
All relevant security patches should be installed promptly. Many logic (non-flooding) DoS attacks work by exploiting vulnerabilities in host software, and removing known security holes prevents their re-exploitation, for example with publicly available scripts. In practice this important defense is often neglected, which allows available exploits to stay useful for up to several years.
Password management
Attackers should not be able to get unauthorized access to hosts for example, by exploiting weak passwords. A minimum requirement is to use passwords which are difficult to guess with or without existing password cracking tools. Always maintain rigorous password policies on length, characters, and life span of all passwords on the network.
Antivirus as the IDS
Antivirus software should use the most recent virus definition database, which helps detect known worms and viruses. Antivirus software can thus be considered a limited, signature-based form of host intrusion detection (IDS); it does not replace a real IDS.
Quota Systems
Quota systems can be used to limit the amount of resources (CPU time, memory, disk space, processes) a user or process may consume, so that a DoS attack against one service cannot consume all of the CPU or other resources of the system.
Vulnerability and Weakness Fixing
The vulnerability or weakness being exploited to carry out the DoS attack should be corrected:
- Block ports that are not needed and which the attacker is using to cause the attack, for example with one access-list entry per transport protocol:
Router(config)# access-list 101 deny tcp host <source ip> host <destination ip> eq <portnum>
Router(config)# access-list 101 deny udp host <source ip> host <destination ip> eq <portnum>
- Apply the latest patches to the operating system
ICMP or PING Flood Attack
Problem:
Unauthorized users can disrupt your service or consume your available network bandwidth by sending a constant stream of forged ICMP packets to your system(s).
In a "ping flood" attack, the attacker sends a steady stream of ping packets (ICMP "echo request" packets) to your system(s). In many cases this flood of traffic consumes system resources, and on mid to low speed connections (e.g. T1 and below) it can also consume a significant share of the bandwidth.
Solutions:
In most cases you can simply deny (or rate-limit) ICMP echo requests at your network firewalls to prevent the traffic from affecting your systems; blocking all ICMP is not advisable, because it also drops messages the network relies on, such as destination unreachable. However, since the traffic is still traversing your access line, you need to ensure your Internet Service Provider is involved.
- Report abuse to your Internet Service Provider
When a Denial of Service attack is detected on your systems, contact the Security Department of your Internet Service Provider to have them assist in tracking down the source of the active attack.
Mail Bomb
Problem:
Unauthorized users can send large amounts of large email messages to and through your email server, often filling up disk space on your mail system, denying email services to other users.
These attacks usually involve the unauthorized user(s) sending thousands of large binary attachments to one or more valid users on your server (or relaying through your server in an attack against someone else, using your server to hide their tracks).
Once the disk fills up, the server rejects additional messages.
Solutions:
- Deploy monitoring systems
Ensure your monitoring systems track the number of messages coming into your server and report sudden spikes in traffic.
In addition, monitoring systems should check the free disk space on your systems and report when partitions are in jeopardy.
- Ensure mail spool areas are on large, dedicated disk partitions
Ensure that your mail spool and log directories would not affect other aspects of the system if they were filled.
For example, having the mail spool, queue and/or users' mail directories on a Unix root file system may affect the availability of the system itself if it is subjected to a successful denial of service attack.
- Report abuse to your Internet Service Provider
When a Denial of Service attack is detected on your systems, contact the Security Department of your Internet Service Provider to have them assist in tracking down the source of the active attack.
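The monitoring items above, as an added example (not from the original page): a spike detector over per-minute inbound message counts and a time-to-full estimate for the spool partition. The counts and partition figures are constructed and the thresholds are illustrative.

```python
"""Spot a mail bomb from inbound message counts and spool headroom.

Added example, not from the page. detect_spikes() keeps an exponentially
weighted baseline of messages per minute and flags a minute whose count
jumps far above it; flagged minutes do not update the baseline, so the
attack cannot train the detector to accept itself. minutes_until_full()
turns partition size, usage and the current intake rate into a time-to-full
figure for the spool alert. The counts below are constructed.
"""
from math import inf, sqrt

# Constructed per-minute inbound message counts: 20 normal minutes, then a
# three-minute burst of large mailings, then back to normal.
SAMPLE_COUNTS = [28, 31, 30, 33, 29, 27, 32, 30, 31, 29,
                 30, 34, 28, 31, 30, 29, 32, 30, 31, 30,
                 900, 1150, 980, 31, 29]


def detect_spikes(counts, warmup=5, alpha=0.2, k=4.0, min_jump=50):
    """Indexes of minutes whose count exceeds baseline + max(k*std, min_jump).

    The first `warmup` samples seed the baseline mean and variance; later
    normal samples update them with weight `alpha`. `min_jump` stops a very
    quiet baseline (tiny std) from flagging ordinary variation.
    """
    if len(counts) <= warmup:
        return []
    seed = counts[:warmup]
    mean = sum(seed) / warmup
    var = sum((c - mean) ** 2 for c in seed) / warmup
    spikes = []
    for i in range(warmup, len(counts)):
        x = counts[i]
        if x > mean + max(k * sqrt(var), min_jump):
            spikes.append(i)
            continue                     # do not let attack traffic move the baseline
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return spikes


def minutes_until_full(partition_bytes, used_bytes, intake_bytes_per_minute):
    """Time until the spool partition is full at the current intake rate."""
    free = max(partition_bytes - used_bytes, 0)
    if intake_bytes_per_minute <= 0:
        return inf
    return free / intake_bytes_per_minute


def spool_alert(partition_bytes, used_bytes, intake_bytes_per_minute, horizon_minutes=60):
    """True when the spool would fill within `horizon_minutes` at the current rate."""
    return minutes_until_full(partition_bytes, used_bytes, intake_bytes_per_minute) <= horizon_minutes


if __name__ == "__main__":
    print("spike minutes:", detect_spikes(SAMPLE_COUNTS))
    # constructed figures: 100 GiB spool partition, 90 GiB used, 512 MiB/min arriving
    print("minutes until full:", minutes_until_full(100 * 2**30, 90 * 2**30, 512 * 2**20))
    print("alert:", spool_alert(100 * 2**30, 90 * 2**30, 512 * 2**20))
```

Counting messages alone misses a bomb made of a few huge attachments, and watching disk space alone reports the problem only once it is nearly too late; the time-to-full figure combines the intake rate with the remaining space so the alert fires while there is still room to act (queue throttling, blocking the sender, contacting the ISP).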
Destruction
Destruction is defined as attempts to destroy the system, data/information and/or physical assets; basically, efforts to cripple the operations of a network.
Such cases generally begin with repeated attempts using various security tools or methods, which can be obtained by searching the Internet or simply by asking in newsgroups or, more commonly, chat channels. Once an attempt succeeds, the attacker is in a position to cripple the network, for example by:
- Inserting a logic bomb, virus or worm into a program to cause loss of data on disk and impair operations.
- Monopolizing the available space in memory or a system library, or making an unauthorized change to the password of a file or system so that it becomes inaccessible.
Dealing with Internal Exploitation
Problem:
A malicious user whose sole purpose is to hurt the targeted network, e.g. a former or dissatisfied employee who already knows the company's secrets and exactly which target to hit.
Solutions:
- Organizations must keep the user database current and ensure that all ex-employees' accounts have been deleted.
- Organizations must change all important passwords, especially root, as soon as system administrators or other privileged users leave the company.
- Watch for disgruntled employees and resolve problems before they escalate.
Problem:
An intentional user whose purpose is personal gain, e.g. an employee who already has access to the computers, the network, the company site and whatever other resources are needed, sabotages the system, changes the passwords for all access to the system including the hardware, and finally demands a large sum of money in return for the passwords.
Solutions:
- There should be at least two people in charge of the system and the network. The exact number depends on the size of the organization's systems and network. Ensure sufficient backup in human resources.
- Always keep backups of your systems and, most importantly, your customer data. This also strengthens customers' trust and confidence in the organization.
- Try to create a knowledge-sharing environment or technology-transfer sessions within the organization, so that no single person holds all the knowledge.
Dealing with External Exploitation
Problem:
Industrial spies pose as a legitimate person in the organization and trick users into giving out information. This can occur through phone calls, forged e-mail messages, or even in-person visits to the business site. The technique requires extensive research but is usually very successful.
Solutions:
- Create a good company policy on social engineering, covering physical security and barriers installed at the business site, what representatives are allowed to say over the phone, and the shredding or incineration of potentially sensitive documents.
Problem:
Crackers/hackers use a variety of tools and techniques to gain access to computers over the Internet.
Solutions:
- Build a secure network and maintain its security: keep systems up to date and monitor access and use via event logging, monitoring systems and clock synchronization (so that logs from different systems can be correlated).
- Always be informed about the latest bugs or security holes in network or operating system software, and install patches as soon as they become available.
Intrusion
Intrusion consists of attempts to gain unauthorized access to a system, with the purpose of harming the security of the network, using the compromised facility as a launching pad for further attacks on other systems, or modifying or stealing information.
Problem:
An intrusion typically begins with gaining initial access to a particular host by discovering a password for a user account on the system. The intruders then attempt to become root on the compromised system. Intruders commonly carry out the following activities:
- Sniffer attacks - capturing data (including passwords) as it traverses the network
- E-mail attacks - gaining system access through vulnerabilities in mail and other network service software
- Network File System attacks - gaining data access through vulnerabilities in operating system software
- Network infrastructure attacks - denial of service through attacks on routers and name servers, e.g. in order to impersonate a server
- IP spoofing attacks - gaining system access by forging source addresses that firewalls or hosts trust
Solutions:
Check your systems for the following signs of intrusion:
- Check the su, ftpd, and ftp binaries (for example, "/bin/su", "/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems) against copies from distribution media.
- Check for the presence of any of the following files: "/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot), "/usr/etc/.getwd", "/var/crash/.getwd", or "/usr/kvm/..." (dot dot dot).
- Check for the presence of "+" in the "/etc/hosts.equiv" file.
- Check the home directory for each entry in the "/etc/passwd" file for the presence of a ".rhosts" file containing "+ +" (plus space plus).
- Search the system for the presence of the following set-uid root files: "wtrunc" and ".a".
- Check for the presence of the set-uid root file "/usr/lib/lpx".
Take the following steps to secure your systems.
- Save copies of the identified files to removable media.
- Replace any modified binaries with copies from distribution media.
- Remove the "+" entry from the "/etc/hosts.equiv" file and the "+ +" (plus space plus) entry from any ".rhosts" files.
- Remove any of the set-uid root files listed above that you find.
- Change every password on the system.
- Inspect the dot-dot-dot and .getwd files listed above for references to other hosts.
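The checks and steps above can be scripted. The following added example (not from the page or the CERT advisory it draws on) audits a directory tree for the indicators listed: binaries whose hashes differ from the distribution copies, the named dot-dot-dot and .getwd files, a "+" in hosts.equiv, "+ +" in any user's .rhosts, and the named set-uid root files. It builds a constructed tree with planted findings so it runs stand-alone; on a real system point audit() at "/" with hashes taken from the distribution media.

```python
"""Audit a system tree for the intrusion indicators listed above.

Added example, not code from the page or from the CERT advisory it draws
on. audit() runs the checks against a directory tree so it can be pointed
at "/" on a live system or at a mounted image; build_fixture() creates a
constructed tree with planted findings so the example runs stand-alone.
"""
import hashlib
import os
import stat
import tempfile

BINARIES = ("bin/su", "usr/ucb/ftp", "usr/etc/in.ftpd")      # paths named above (Sun layout)
SUSPICIOUS_FILES = ("usr/etc/...", "var/crash/...", "usr/etc/.getwd",
                    "var/crash/.getwd", "usr/kvm/...")
SETUID_NAMES = ("wtrunc", ".a")                              # set-uid root files found anywhere
SETUID_PATHS = ("usr/lib/lpx",)                              # set-uid root file at a fixed path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root, known_good, root_uid=0):
    """known_good maps each BINARIES entry to the sha256 of the distribution-media copy."""
    found = {"modified_binaries": [], "suspicious_files": [], "hosts_equiv_plus": False,
             "rhosts_plus": [], "setuid_root": []}
    for rel in BINARIES:                                     # 1. replaced su/ftp/ftpd
        path = os.path.join(root, rel)
        if os.path.isfile(path) and sha256_file(path) != known_good.get(rel):
            found["modified_binaries"].append(rel)
    for rel in SUSPICIOUS_FILES:                             # 2. "..." and .getwd files
        if os.path.lexists(os.path.join(root, rel)):
            found["suspicious_files"].append(rel)
    hosts_equiv = os.path.join(root, "etc/hosts.equiv")      # 3. "+" trusts every host
    if os.path.isfile(hosts_equiv):
        with open(hosts_equiv) as fh:
            found["hosts_equiv_plus"] = any(line.strip() == "+" for line in fh)
    passwd = os.path.join(root, "etc/passwd")                # 4. "+ +" in any user's .rhosts
    if os.path.isfile(passwd):
        with open(passwd) as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) < 7:
                    continue
                rhosts = os.path.join(root, fields[5].lstrip("/"), ".rhosts")
                if os.path.isfile(rhosts):
                    with open(rhosts) as rh:
                        if any(l.split() == ["+", "+"] for l in rh):
                            found["rhosts_plus"].append(os.path.relpath(rhosts, root))
    for dirpath, _, names in os.walk(root):                  # 5./6. set-uid root files
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in SETUID_NAMES or rel in SETUID_PATHS:
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == root_uid:
                    found["setuid_root"].append(rel)
    return found


# --- constructed fixture ------------------------------------------------------
PRISTINE = {"bin/su": b"#!/bin/sh\n# pristine su\n",
            "usr/ucb/ftp": b"#!/bin/sh\n# pristine ftp\n",
            "usr/etc/in.ftpd": b"#!/bin/sh\n# pristine in.ftpd\n"}
KNOWN_GOOD = {rel: hashlib.sha256(data).hexdigest() for rel, data in PRISTINE.items()}


def _write(root, rel, data, mode=0o755):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def build_fixture():
    """Temporary tree with a trojaned su, a "..." file, "+" trust entries and a set-uid lpx."""
    root = tempfile.mkdtemp(prefix="audit-")
    for rel, data in PRISTINE.items():
        _write(root, rel, data)
    _write(root, "bin/su", b"#!/bin/sh\n# trojaned su\n")                       # planted
    _write(root, "usr/etc/...", b"", 0o644)                                      # planted
    _write(root, "etc/hosts.equiv", b"trusted.example.com\n+\n", 0o644)          # planted "+"
    _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"
                               b"joe:x:1000:1000::/home/joe:/bin/sh\n", 0o644)
    _write(root, "home/joe/.rhosts", b"+ +\n", 0o600)                            # planted "+ +"
    _write(root, "usr/lib/lpx", b"#!/bin/sh\n", 0o4755)                          # planted set-uid
    return root


def demo():
    """Audit the fixture. It is owned by the current user, so that uid stands in for root's 0."""
    return audit(build_fixture(), KNOWN_GOOD, root_uid=os.getuid())


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Run the audit from known-good media (a rescue image or a copy of the tools on read-only media), not with the binaries of the suspect system, since a replaced su is exactly the kind of thing the check is looking for and the same intruder may have replaced ls, find or the hashing tool.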
Theft
Theft can be defined as loss of data or files from your own workstation or, worse, your server, either by remote or local tampering, or by vandals.
Below are some examples of theft.
The user accesses a file on a local or network drive and modifies, deletes or overwrites it with new data. Sometimes this is used to modify system settings or browser security settings.
The user steals a network or Internet user name and password from the local machine or server. A third party can then use the password to access protected resources.
The user steals a file from the local machine or the network and sends it to an outside user over the open Internet connection. The user can reach any file the victim has rights to.
Remote access and vandals are both used to commit theft.
Remote access, in this sense, is when a potential attacker acquires the user ID and password of the targeted host in order to get into that system. The unauthorized information can be gained by repeated attempts using security tools available on the Internet or by exploiting published vulnerabilities or bugs. Often this is one of the initial steps leading to the compromise of a system.
Solution
System administrators must always be aware of the latest bugs or security holes in network or operating system software. It is of utmost importance to check the log files routinely so that further tampering with the system can be avoided.
Vandals are more malicious, especially when they run by themselves when a user views a web page, receives pushed content, or opens an e-mail message, so that the victim is not even aware of running the program. They can take the form of hostile Java, ActiveX, JavaScript, VBScript, HTML, plug-ins, helper applications and pushed executables. Besides the three examples of theft mentioned above, vandals can also cause loss or denial of service within the local computer system; for example, they can flood the system with data so that it runs out of memory, or slow down Internet connections.
The best way to protect yourself against a hostile applet is to know who you are downloading a Web page from or who has sent you an HTML page as an e-mail attachment.