A “denial of service” attack is an attempt to overwhelm a server with excessive requests and so deny its users access to a website. The symptoms of a denial of service attack include slow network performance, unavailability of a web service or the inability to access a web site.
The aim of a denial of service attack is to consume the resources of the server (bandwidth, disk space, or CPU time) so that the server becomes unresponsive. When considering website security, system administrators often overlook the possibilities of a DoS attack and therefore fail to protect their systems accordingly.
A DoS attack can be targeted at two different levels. A low level attack consumes the computer's resources at the operating system level, normally in the network stack. An application level denial of service attack tries to overload high level services like email, Internet Relay Chat (IRC) or web services. Both types of attack can be considered a breach of website security.
Common low level attacks include ICMP floods, SYN floods and Teardrop attacks:
- ICMP flood – Here an overwhelming number of ping packets flood the network and consume the network bandwidth and CPU resources. There is also a variant called the “ping of death” that sends malformed ping packets which in turn can lead to a system crashing.
- SYN flood – The attacker sends a multitude of TCP SYN packets (the first packet of the connection handshake). The server sends back the correct response (a TCP SYN-ACK) but the final ACK never arrives, because the connections are bogus. The resulting “half-open connections” exhaust the pool of connections the server is able to hold, and so keep it from responding to legitimate requests.
- Teardrop attack – By sending malformed IP fragments with overlapping, over-sized payloads to the target machine, this type of attack hopes to provoke a system crash and so create a denial of service situation.
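The SYN flood symptom described above is visible to a defender as a pile-up of half-open (SYN-RECV) sockets. The following is an added example, not code from the original article: it reads a snapshot in the column layout of the Linux `ss -tan` command (the sample rows, the backlog size and the per-source threshold are all constructed assumptions) and reports which sources are holding the backlog open.

```python
"""Spot a SYN flood from a snapshot of half-open TCP connections.

Each input row mimics `ss -tan` output: State, Recv-Q, Send-Q,
local address:port, peer address:port. The rows, backlog size and
per-source threshold below are constructed for this example.
"""
from collections import Counter
from typing import Dict

# Constructed snapshot: two established sessions, one legitimate handshake in
# progress, and many SYN-RECV entries from two sources that never send the ACK.
SAMPLE_SNAPSHOT = """\
ESTAB     0 0 10.0.0.5:80  198.51.100.20:51012
ESTAB     0 0 10.0.0.5:80  198.51.100.21:51013
SYN-RECV  0 0 10.0.0.5:80  198.51.100.22:51014
SYN-RECV  0 0 10.0.0.5:80  203.0.113.7:40001
SYN-RECV  0 0 10.0.0.5:80  203.0.113.7:40002
SYN-RECV  0 0 10.0.0.5:80  203.0.113.7:40003
SYN-RECV  0 0 10.0.0.5:80  203.0.113.7:40004
SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40101
SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40102
SYN-RECV  0 0 10.0.0.5:80  203.0.113.9:40103
"""


def parse_half_open(snapshot: str) -> Counter:
    """Count SYN-RECV (half-open) entries per peer IP address."""
    counts: Counter = Counter()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]  # drop the port, keep the address
        counts[peer_ip] += 1
    return counts


def assess(half_open: Counter, backlog: int, per_source_limit: int) -> Dict[str, object]:
    """Report backlog pressure and the sources holding too many half-open slots."""
    total = sum(half_open.values())
    return {
        "total_half_open": total,
        "backlog_used_pct": round(100.0 * total / backlog, 1),
        "backlog_exhausted": total >= backlog,
        "suspect_sources": sorted(ip for ip, n in half_open.items() if n >= per_source_limit),
    }


if __name__ == "__main__":
    print(assess(parse_half_open(SAMPLE_SNAPSHOT), backlog=8, per_source_limit=3))
```

In practice the backlog figure comes from the listening socket's configured queue size and a single snapshot is only a hint; sampling repeatedly and watching the SYN-RECV count grow is what distinguishes a flood from a brief burst of slow clients.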
At the application level a DoS attack attempts to overwhelm a service (like email or web) by sending the target an overwhelming number of packets, over saturating its connection bandwidth or depleting the target’s system resources.
A number of different tools can be used to protect a system against DoS attacks. A correctly configured firewall is the simplest first step; however, most modern DoS attacks cannot be stopped by a firewall alone, because its simple allow/deny rules cannot tell attack traffic apart from legitimate requests to the same service.
Next, the switches and routers on the network can be configured to provide automatic and/or system-wide rate limiting and traffic shaping. These control the rate of traffic sent to or received from a server and so allow it to function normally even when under attack.
A third weapon in the armory is the use of Intrusion Prevention Systems (IPS) or DoS Defense Systems (DDS). Depending on the complexity and type (hardware or software) of the IPS or DDS, these tools can detect and block denial of service attacks.
A web site or web service is designed to be available 24×7, so when planning and implementing website security it is necessary to include contingencies for DoS attacks.
© 2011 – ArtSec Group LLC