Exhausts a limited resource on the network (e.g. TCP, ICMP) or within an OS or application (e.g. HTTP, FTP; i.e. keeping open all available connections supported by that server) to make the service unavailable for normal use.
– Among the most difficult attacks to eliminate completely, because they exploit protocol weaknesses and use ‘native’ traffic to attack
– Attacks include SYN flooding, ICMP echo request floods, and ICMP directed broadcasts (smurf attacks):
  – SYN flooding (floods device resources): an attacker floods a host with TCP SYN packets. For each TCP SYN packet the device responds with a SYN ACK packet and adds an entry to its session table. No ACK packet is ever sent back, so the connection stays incomplete. If the attacker sends enough TCP SYN packets, the session table fills up with incomplete (half-open) connections, and service is denied to legitimate TCP connections.
  – ICMP echo request floods (floods the connection): ping flood attacks attempt to saturate a network by sending a continuous series of ICMP echo requests (pings) over a high-bandwidth connection to a target host on a lower-bandwidth connection, causing it to send back an ICMP echo reply for each request. Ping floods can slow down a network or even disable network connectivity.
  – ICMP directed broadcasts / smurf attacks (floods the victim’s connection): an attacker (possibly outside the network) spoofs an internal victim’s IP as the source of echo requests sent to the broadcast address of a network via an intermediate device (e.g. a router). The intermediate device broadcasts the echo requests, so every host on that network sends its reply to the spoofed victim, which becomes oversubscribed.
– DDoS involves an attacker compromising multiple systems (which become ‘agents’) with remote-control attack software. These agents then scan, compromise, and infect other clients. The attacker issues commands to handlers that control the agents in a mass distributed attack, possibly from spoofed IPs.
– There are three main types of DoS mitigation:
1. Anti-spoof / RFC 2827 filtering on routers and firewalls, which prevents attackers from concealing their IPs and may act as a deterrent
2. Anti-DoS feature configuration on routers and firewalls, which often involves a limit on the number of half-open connections allowed at any one time
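The two mitigations above, as an added example that is not part of the original notes: a simulation of RFC 2827 ingress filtering at a border device and of a session table that caps half-open TCP connections per destination, run over a constructed packet trace. The internal prefix, addresses and packet records are assumptions made up for illustration.

```python
import ipaddress
from collections import OrderedDict

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix (documentation range)

def rfc2827_allows(src, iface):
    """Ingress rule at the border: a packet from the outside interface must not
    claim an internal source, and one from the inside must carry an internal source."""
    internal = ipaddress.ip_address(src) in INTERNAL_NET
    return not internal if iface == "outside" else internal

class HalfOpenTable:
    """Session table holding at most `limit` incomplete (SYN, no ACK) connections
    per destination; when full the oldest entry is discarded, not the service."""
    def __init__(self, limit):
        self.limit, self.pending = limit, {}   # dst -> OrderedDict of (src, sport)
        self.evicted = self.completed = 0

    def syn(self, src, sport, dst):
        table = self.pending.setdefault(dst, OrderedDict())
        if len(table) >= self.limit:
            table.popitem(last=False)          # evict the oldest half-open entry
            self.evicted += 1
        table[(src, sport)] = True

    def ack(self, src, sport, dst):
        if self.pending.get(dst, {}).pop((src, sport), False):
            self.completed += 1                # handshake finished, slot released

def process(packets, limit=4):
    """Apply the anti-spoof filter, then track handshakes in the capped table.
    Returns (spoofed_dropped, half_open_evicted, completed, still_pending)."""
    table, spoofed = HalfOpenTable(limit), 0
    for p in packets:
        if not rfc2827_allows(p["src"], p["iface"]):
            spoofed += 1
        elif p["flags"] == "SYN":
            table.syn(p["src"], p["sport"], p["dst"])
        elif p["flags"] == "ACK":
            table.ack(p["src"], p["sport"], p["dst"])
    return spoofed, table.evicted, table.completed, sum(map(len, table.pending.values()))

def pkt(src, sport, flags, iface="outside", dst="192.0.2.10"):
    return {"src": src, "sport": sport, "dst": dst, "iface": iface, "flags": flags}

# Constructed trace: one legitimate handshake, one packet spoofing an internal
# source, then a burst of SYNs that are never acknowledged; process(TRACE) -> (1, 6, 1, 4)
TRACE = [pkt("198.51.100.7", 4000, "SYN"), pkt("198.51.100.7", 4000, "ACK"),
         pkt("192.0.2.99", 5000, "SYN")] + [pkt("203.0.113.5", 6000 + i, "SYN") for i in range(10)]
```

With the cap at 4, the unanswered SYN burst evicts six stale entries and leaves only four pending, so the legitimate handshake still completes and the table never grows without bound.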