Types of DoS attacks and how they are mitigated
What is a Denial of Service (DoS) attack?
Suppose an employee has just been fired from an organization. This tech-savvy employee is very angry and wants to vent their frustration somehow. So they decide to attack the enterprise network servers by flooding them with a large number of requests (which appear genuine) that exceed what the servers can process, using tools freely available on the internet. This prevents genuine users from accessing those resources. Not that there is a high probability of such a thing happening, but hey, we don’t buy fire extinguishers based on the probability of the building catching fire, right? No, that’s not our logic – that is the logic of the IPS vendors 🙂 But we feel that people should at least know how a network can be taken down by such DoS attacks and what can be done to prevent them. So, read on…
Before we go to the types of DoS attacks and how they are mitigated, there is one more thing you should know: DDoS – Distributed Denial of Service attacks. Here, the perpetrators don’t launch the attack from their own machines. Instead, they plant malicious code on a large number of individual or organizational computers (without the owners’ knowledge), turning them into ‘zombies’, and control those machines as a botnet so that the DoS traffic is launched simultaneously from many sources. That makes the attack both larger and much harder to block by source address, since the traffic arrives from thousands of otherwise legitimate hosts.
Previously known DoS attacks:
There are certain (in)famous and widespread DoS attack tools and worms, like Juno (which generates TCP, UDP and ICMP floods), the Welchia worm (which generates ICMP floods), Mydoom (which launched attacks against the SCO and Microsoft sites), etc.
To prevent such attacks, IPS vendors sample the traffic flowing through the device and rate-limit traffic that matches pre-defined DoS filters, using packet filtering. It is also important not to reduce bandwidth or throughput by inspecting every packet in depth, so the packet filtering is applied only once a DoS attack has been detected, ensuring that network speed is not reduced under normal load. Basically, this is signature-based mitigation: it can only stop attacks that a filter already describes.
Unknown DoS flooding attacks:
Well, what if a DoS attack is new and there are no ready-made signatures available for it?
This type of DoS attack is harder to detect. IPS systems first learn the normal traffic baseline for each type of traffic, such as TCP, UDP, ICMP, IGMP, etc. Then they detect attacks and traffic anomalies by comparing live traffic against the learned baselines.
It’s not as simple as it sounds. At best, the system can predict whether a traffic pattern is an attack or not. To do that, it learns the normal traffic parameters and also the parameters of known attack patterns. Rate-based behavioral parameters such as packet rate and connection rate are checked to see whether they suddenly cross a threshold. If they do, it could be a DoS attack, but a legitimate traffic spike (a flash crowd) looks exactly the same on those counters alone. So these results are correlated with rate-invariant protocol parameters, such as the protocol distribution and the ratio between inbound and outbound traffic, which stay roughly constant when normal traffic simply grows in volume but shift when one protocol is being flooded. Once both kinds of parameters have been analyzed, the system decides whether a DoS attack is under way and, if so, generates a signature with the appropriate filters to block it.
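The two-axis check described above (a rate-based parameter correlated with a rate-invariant one) as an added example. This is not code from the article or from any IPS vendor; the class and function names are this example's own, and every traffic window is constructed. It learns a per-protocol baseline from sampling windows of normal traffic, then judges a new window on packets per second and on the protocol mix, treating only a window that fails both as an attack and deriving a rate-limit filter for the protocol whose share grew the most:

```python
"""Toy behavioral DoS detector: baseline learning + rate/mix anomaly correlation.
Added example, not the article's or any vendor's code; all traffic is constructed."""
import math

PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP")


class Window:
    """Packet counts per protocol seen during one sampling interval."""

    def __init__(self, seconds, **counts):
        self.seconds = seconds
        self.counts = {p: counts.get(p, 0) for p in PROTOCOLS}

    def rate(self):
        """Rate-based parameter: total packets per second."""
        return sum(self.counts.values()) / self.seconds

    def mix(self):
        """Rate-invariant parameter: fraction of packets per protocol."""
        total = sum(self.counts.values()) or 1
        return {p: n / total for p, n in self.counts.items()}


class BaselineDetector:
    def __init__(self, rate_sigmas=3.0, mix_delta=0.20):
        self.rate_sigmas = rate_sigmas   # how far above the mean rate counts as a spike
        self.mix_delta = mix_delta       # L1 distance between protocol mixes that counts as a shift
        self.windows = []

    def learn(self, window):
        """Learning phase: remember windows of known-normal traffic."""
        self.windows.append(window)

    def baseline(self):
        n = len(self.windows)
        rates = [w.rate() for w in self.windows]
        mean = sum(rates) / n
        std = math.sqrt(sum((r - mean) ** 2 for r in rates) / n)
        mix = {p: sum(w.mix()[p] for w in self.windows) / n for p in PROTOCOLS}
        return mean, std, mix

    def classify(self, window):
        """Return ('normal' | 'flash-crowd' | 'attack', details)."""
        mean, std, base_mix = self.baseline()
        # floor the std so a very flat baseline does not become hair-trigger
        threshold = mean + self.rate_sigmas * max(std, 1.0)
        rate_spike = window.rate() > threshold
        mix = window.mix()
        shift = sum(abs(mix[p] - base_mix[p]) for p in PROTOCOLS)  # L1 distance, 0..2
        mix_shift = shift > self.mix_delta
        if rate_spike and mix_shift:
            verdict = "attack"          # more traffic AND a different kind of traffic
        elif rate_spike:
            verdict = "flash-crowd"     # more of the same traffic: rate alone is not proof
        else:
            verdict = "normal"
        return verdict, {"rate": window.rate(), "threshold": threshold, "mix_shift": shift}

    def suggest_filter(self, window):
        """Derive a rate-limit filter for the protocol that grew the most against the baseline."""
        mean, _, base_mix = self.baseline()
        mix = window.mix()
        culprit = max(PROTOCOLS, key=lambda p: mix[p] - base_mix[p])
        baseline_pps = mean * base_mix[culprit]
        # allow that protocol twice its normal rate, drop the rest
        return {"protocol": culprit, "max_pps": round(2 * baseline_pps, 2)}


# Constructed learning windows: 10-second samples of normal office traffic.
DETECTOR = BaselineDetector()
for tcp, udp, icmp, igmp in [(800, 150, 30, 5), (820, 140, 35, 5), (780, 160, 25, 6),
                             (810, 155, 30, 4), (790, 145, 32, 5)]:
    DETECTOR.learn(Window(10, TCP=tcp, UDP=udp, ICMP=icmp, IGMP=igmp))

# Constructed test windows.
NORMAL = Window(10, TCP=805, UDP=150, ICMP=30, IGMP=5)
FLASH_CROWD = Window(10, TCP=3200, UDP=600, ICMP=120, IGMP=20)   # everything x4, same mix
ICMP_FLOOD = Window(10, TCP=820, UDP=150, ICMP=6000, IGMP=5)     # one protocol explodes

if __name__ == "__main__":
    for name, w in [("normal", NORMAL), ("flash crowd", FLASH_CROWD), ("ICMP flood", ICMP_FLOOD)]:
        verdict, details = DETECTOR.classify(w)
        print(f"{name:12s} -> {verdict:12s} {details}")
        if verdict == "attack":
            print("   filter:", DETECTOR.suggest_filter(w))
```

The flash-crowd window is four times the baseline rate but has the same protocol mix, so it is reported as a spike rather than an attack; the ICMP flood trips both checks and the suggested filter targets ICMP only, leaving TCP and UDP untouched.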
SYN flood attacks:
In this type of attack, the attacker sends a vast number of TCP SYN packets (“please start a connection with me”) but never sends the follow-up packets. When a server receives a SYN, it allocates memory for the half-open connection and waits for the client’s ACK. With a flood of SYNs and no follow-ups, the server’s resources are exhausted (its backlog of half-open connections fills up) and it can no longer allocate resources for real connection requests. The source addresses are usually spoofed, so the SYN-ACKs go to hosts that never asked for them. Connection flood attacks are the related case where the attacker does send the acknowledgement packet that completes the three-way handshake (which sets up the connection) but then sends nothing more, tying up established but unused connections.
IPS systems first look at the source of such packets. If the source has had previous transactions and is considered trustworthy, its packets are allowed to pass through. For an untrusted source, the IPS attaches a cookie to the response (the SYN-ACK) and challenges the source to send it back; a spoofed or unresponsive source never answers, so no state is kept for it, the session is dropped and further packets from that source are no longer allowed. Since a source could first build up a trustworthy history and only then start an attack, the ratio of SYN packets to acknowledgement packets is also sampled to identify attacks: normal traffic has roughly one ACK per SYN, while a flood has far more SYNs than ACKs. Connection flood attacks are mitigated by limiting the number of TCP connections (or UDP flows) that can be opened per client. These limits are generally applied per application port.
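The cookie challenge, trust tracking, SYN:ACK ratio check and per-client connection limit from the paragraph above, as an added example that is not the article's or any vendor's code. The challenge is implemented as a SYN cookie: the cookie is carried as the initial sequence number of the SYN-ACK, so a real client echoes it back as ACK = cookie + 1, and no per-connection state is allocated until that echo validates. Class and function names, the addresses and the simulated packet stream are this example's own constructions; the 8-bit time tick and 24-bit MAC layout are one reasonable choice, not a vendor's format:

```python
"""Toy SYN-flood guard: SYN cookies, source trust, SYN:ACK ratio, per-client connection cap.
Added example, not the article's or any vendor's code; addresses and traffic are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

SECRET = os.urandom(16)      # per-boot secret; a real device rotates it periodically


def _mac(src, sport, dst, dport, tick):
    """24-bit MAC over the 4-tuple and the time tick, keyed with the secret."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def time_tick():
    """Coarse clock: one tick per minute, folded into 8 bits."""
    return (int(time.time()) // 60) & 0xFF


def make_cookie(src, sport, dst, dport, tick):
    """32-bit cookie used as the SYN-ACK ISN: tick in the top byte, MAC in the low 24 bits."""
    return ((tick & 0xFF) << 24) | int.from_bytes(_mac(src, sport, dst, dport, tick), "big")


def check_cookie(ack, src, sport, dst, dport, tick):
    """A genuine client answers with ACK = cookie + 1; accept the current or previous tick only."""
    cookie = (ack - 1) & 0xFFFFFFFF
    if (tick - (cookie >> 24)) & 0xFF not in (0, 1):
        return False                                   # stale or garbage cookie
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(got, _mac(src, sport, dst, dport, cookie >> 24))


class SynGuard:
    def __init__(self, conn_limit=20, ratio_limit=5.0):
        self.conn_limit = conn_limit     # established connections allowed per (client, dport)
        self.ratio_limit = ratio_limit   # SYNs per ACK above which a source is flagged
        self.trusted = set()             # sources that completed a handshake before
        self.syns, self.acks = defaultdict(int), defaultdict(int)
        self.conns = defaultdict(int)    # (src, dport) -> established connections

    def on_syn(self, src, sport, dst, dport, tick=None):
        tick = time_tick() if tick is None else tick
        self.syns[src] += 1
        if src in self.trusted:
            return ("allow", None)       # known-good source: SYN is passed on to the server
        # unknown source: reply with a cookie and keep no per-connection state at all
        return ("challenge", make_cookie(src, sport, dst, dport, tick))

    def on_ack(self, src, sport, dst, dport, ack, tick=None):
        tick = time_tick() if tick is None else tick
        self.acks[src] += 1
        if src not in self.trusted and not check_cookie(ack, src, sport, dst, dport, tick):
            return "drop"                # forged or never-challenged: not a real client
        if self.conns[(src, dport)] >= self.conn_limit:
            return "conn-limit"          # connection flood: too many open per client/port
        self.conns[(src, dport)] += 1
        self.trusted.add(src)
        return "established"

    def flagged(self, src):
        """SYN:ACK ratio check that still catches a source that earned trust first."""
        return self.syns[src] / max(self.acks[src], 1) > self.ratio_limit


def simulate():
    """Run the constructed scenarios and return what the guard decided for each."""
    g, tick, srv, out = SynGuard(conn_limit=20), 7, "192.0.2.10", {}
    # 1. a real client answers the challenge and becomes trusted
    verdict, cookie = g.on_syn("10.0.0.5", 40000, srv, 80, tick)
    out["first_syn"] = verdict
    out["good_ack"] = g.on_ack("10.0.0.5", 40000, srv, 80, cookie + 1, tick)
    out["trusted_syn"] = g.on_syn("10.0.0.5", 40001, srv, 80, tick + 1)[0]
    # 2. answering in the next tick is fine; two ticks later the cookie is stale
    _, c2 = g.on_syn("10.0.0.6", 40000, srv, 80, tick)
    out["late_ack"] = g.on_ack("10.0.0.6", 40000, srv, 80, c2 + 1, tick + 1)
    _, c3 = g.on_syn("10.0.0.7", 40000, srv, 80, tick)
    out["stale_ack"] = g.on_ack("10.0.0.7", 40000, srv, 80, c3 + 1, tick + 2)
    # 3. spoofed SYN flood: 1000 SYNs whose sources never echo the cookie
    for i in range(1000):
        g.on_syn(f"198.51.100.{i % 250}", 1024 + i, srv, 80, tick)
    out["flood_conns"] = sum(n for (s, _), n in g.conns.items() if s.startswith("198.51.100."))
    out["forged_ack"] = g.on_ack("198.51.100.1", 1025, srv, 80, 0x12345678, tick)
    # 4. the trusted client turns hostile: 100 SYNs, no ACKs -> ratio check flags it
    for i in range(100):
        g.on_syn("10.0.0.5", 50000 + i, srv, 80, tick)
    out["trusted_flagged"] = g.flagged("10.0.0.5")
    # 5. connection flood: 50 completed handshakes from one client, capped at 20
    accepted = 0
    for i in range(50):
        verdict, c = g.on_syn("10.0.0.9", 60000 + i, srv, 80, tick)
        ack = c + 1 if verdict == "challenge" else 1   # trusted SYNs use the server's own ISN
        accepted += g.on_ack("10.0.0.9", 60000 + i, srv, 80, ack, tick) == "established"
    out["conn_flood_accepted"] = accepted
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20s} {v}")
```

The point to notice is in scenario 3: a thousand spoofed SYNs leave the guard with no connection state at all, because the cookie lets it verify the client before remembering anything. The trust shortcut in scenario 1 is exactly why the ratio check in scenario 4 is still needed.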
In addition to these techniques, the bandwidth available per application is sometimes capped so that a DoS attack on one application becomes ineffective: its packets are queued or dropped when there is an abnormal rise in traffic, while the other applications keep a guaranteed share of the bandwidth. Some vendors also use an Access Control List that allows only certain pre-defined applications (ports and protocols) and denies all other traffic, which removes services that were never meant to be reachable from the attack surface altogether.
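The per-application bandwidth reservation and default-deny application ACL from the paragraph above, as an added example that is not the article's or any vendor's code. Each permitted destination port owns a token bucket sized to its share of the link, so a flood aimed at one application drains only that application's bucket while the others keep their reserve, and traffic to any port not on the list is dropped outright. The link speed, the shares, the port numbers and the one-second packet stream are constructed for this example:

```python
"""Per-application bandwidth caps (token bucket per port) behind a default-deny application ACL.
Added example, not the article's or any vendor's code; link, shares and traffic are constructed."""


class TokenBucket:
    """Classic token bucket: tokens are bytes, refilled at `rate` bytes/second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.capacity = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, size, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class AppShaper:
    def __init__(self, link_bytes_per_sec, shares, burst_seconds=0.1):
        """shares: {dport: fraction of the link reserved for that application}; other ports are denied."""
        assert sum(shares.values()) <= 1.0, "cannot reserve more than the link"
        self.buckets = {
            port: TokenBucket(link_bytes_per_sec * f, link_bytes_per_sec * f * burst_seconds)
            for port, f in shares.items()
        }

    def process(self, packets):
        """packets: iterable of (time_s, dport, size_bytes) in time order. Returns per-port byte stats."""
        stats = {port: {"passed": 0, "dropped": 0} for port in self.buckets}
        stats["acl_denied"] = 0
        for t, port, size in packets:
            bucket = self.buckets.get(port)
            if bucket is None:
                stats["acl_denied"] += 1          # application not on the allow list
            elif bucket.allow(size, t):
                stats[port]["passed"] += size
            else:
                stats[port]["dropped"] += size    # over its reservation: this app is slowed, not the link
        return stats


LINK = 10_000_000 // 8                             # 10 Mbit/s link, in bytes per second
SHARES = {80: 0.5, 443: 0.3, 25: 0.2}              # HTTP, HTTPS, SMTP; everything else denied


def constructed_second():
    """One second of traffic: an HTTP flood, a normal HTTPS stream and a few stray telnet packets."""
    flood = [(i * 0.0002, 80, 1500) for i in range(5000)]      # 7.5 MB/s at port 80, far over its 625 KB/s
    https = [(i * 0.005, 443, 1500) for i in range(200)]       # 300 KB/s at port 443, under its 375 KB/s
    telnet = [(i * 0.1, 23, 64) for i in range(10)]            # port 23 is not in the ACL
    return sorted(flood + https + telnet)


STATS = AppShaper(LINK, SHARES).process(constructed_second())

if __name__ == "__main__":
    for key, value in STATS.items():
        print(key, value)
```

Port 80 is throttled to roughly its 625 KB/s reservation plus one burst, so most of the flood is dropped, while every HTTPS packet passes untouched and the telnet packets never reach a bucket at all. The burst size is deliberately small (a tenth of a second of the reservation): a large burst would let an attacker push a bigger spike through before the cap bites.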
excITingIP.com