Network Security - Kinds of Denial of Service Attacks and their protection


Denial of service attacks are a major threat to network security. Once a computer is disabled, it becomes easier for the hacker to impersonate it and execute commands that weaken network security. This article describes the common denial of service attacks and ways to protect against them.

A hacker can attack a network and disable part of it or, worse, bring the entire network down. Once a computer is disabled, it becomes easier for the hacker to impersonate it, and from then on the computer is in the hacker's hands. He may stop at causing a little inconvenience (denial of service) or go on to cause greater damage. Denial of service is often the first step towards impersonating a computer: during the attack, the hacker extracts enough information to log on to your network. Once a computer in your network has been impersonated, the hacker can trick any of the other machines into executing a command that weakens network security.

Kinds of Denial of Service Attacks


There are numerous methods by which a hacker can disable computers or their services. Configuring firewall logging is a preventive measure against all of them. Some common denial-of-service attacks are discussed below, along with the ways of protecting against them.

  • SYN and Land attacks

    The networking capability of a computer can be disabled by overloading the target computer's network protocol software with information requests or connection attempts. Making a TCP connection attempt is cheap: the initial packet is just a segment with only the SYN flag set. The receiving computer, however, has to record each attempt, so responding costs memory as well as time. Taking advantage of this, an attacker sends SYN packets continuously so that the target computer is kept busy processing them and, in this way, connection attempts from legitimate users are ignored.

    A Land attack is a variation of the SYN attack: an empty connection gets acknowledged and remains open until the server's operating system times it out.

  • Solution- Keep the operating system software and firewall updated. The firewall you use should be good enough to detect the characteristics of this attack. Take note of instances of frequent SYN connection attempts; for this, configure your firewall to log connection attempts.

  • ICMP flooding

    This attack is very similar to the SYN attack. The attacker sends a continuous stream of ICMP echo requests to the target computer, which then spends its time responding to them and ignores requests from legitimate users.

  • Solution- Keep the operating system software and firewall updated. Watch for instances of very high ICMP traffic and set up an alert mechanism for them. Configure your firewall to log high volumes of ICMP traffic.
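As an added example (not code from the original article), the following Python script implements the logging advice given for both the SYN attack and the ICMP flood above: it reads firewall connection-attempt log lines and raises an alert when one source sends too many bare SYNs or echo requests inside a short window. The log format, the sample lines, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
# Constructed firewall log lines (not from the article). The format is an
# assumption: "<epoch> <proto> <src> -> <dst> <tcp-flag-or-icmp-type>".
SAMPLE_LOG = """\
1000 TCP 203.0.113.5 -> 192.0.2.10:80 SYN
1000 TCP 203.0.113.5 -> 192.0.2.10:80 SYN
1001 TCP 198.51.100.7 -> 192.0.2.10:80 SYN
1001 TCP 198.51.100.7 -> 192.0.2.10:80 ACK
1002 TCP 203.0.113.5 -> 192.0.2.10:80 SYN
1002 TCP 203.0.113.5 -> 192.0.2.10:80 SYN
1003 ICMP 203.0.113.9 -> 192.0.2.10 echo-request
1003 ICMP 203.0.113.9 -> 192.0.2.10 echo-request
1004 ICMP 203.0.113.9 -> 192.0.2.10 echo-request
1005 ICMP 198.51.100.8 -> 192.0.2.10 echo-request
1020 ICMP 198.51.100.8 -> 192.0.2.10 echo-request
"""

LINE_RE = re.compile(r"^(\d+) (TCP|ICMP) (\S+) -> (\S+) (\S+)$")
# Only connection attempts (bare SYN) and ICMP echo requests are counted; ACKs,
# echo replies and other traffic are ignored so a busy legitimate client is not flagged.
FLOOD_EVENTS = {("TCP", "SYN"), ("ICMP", "echo-request")}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # line in another format: skip it
    ts, proto, src, dst, kind = m.groups()
    return int(ts), proto, src, dst, kind

def detect_floods(lines, window=5, threshold=3):
    """Alert once per (proto, source) that sends >= threshold events within window seconds."""
    recent = defaultdict(deque)           # (proto, src) -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proto, src, _dst, kind = parsed
        if (proto, kind) not in FLOOD_EVENTS:
            continue
        stamps = recent[(proto, src)]
        stamps.append(ts)
        while ts - stamps[0] > window:    # slide the window forward
            stamps.popleft()
        if len(stamps) >= threshold and (proto, src) not in alerted:
            alerted.add((proto, src))
            alerts.append((proto, src, len(stamps), ts))
    return alerts
```

The lines are assumed to arrive in timestamp order; each alert records the protocol, the source, the count that tripped the threshold and the time it happened.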

  • Ping of Death

    If a computer's networking software does not check for invalid ICMP packets, it becomes very easy for the hacker to crash the computer by sending specially constructed ICMP packets that violate the packet construction rules. These ICMP packets are oversized, and the TCP/IP implementation crashes because of errors linked to memory allocation.

  • Solution- Use an operating system version that is not susceptible to Ping of Death. All standard TCP/IP implementations, including Windows versions from Windows 98, Windows NT from Service Pack 3, Mac OS, Linux and Solaris, have been hardened against oversized packets. Thus the attack is obsolete, but to protect the computer from future variants, configure the firewall to block ICMP or any unknown protocol.
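An added example, not from the article: the size check a hardened TCP/IP stack performs before reassembling IP fragments, which is what stops an oversized ping from overrunning the reassembly buffer. The fragment tuples are constructed for illustration and the field names are assumptions.

```python
MAX_IP_DATAGRAM = 65535   # the largest size an IPv4 total-length field can describe

def check_fragments(fragments):
    """Return None if the fragment set can be reassembled safely, else the reason to drop it.

    fragments: list of (offset_units, more_fragments, payload_len), i.e. the
    fields already decoded from each fragment's IP header (offset in 8-byte units).
    """
    for offset_units, more, payload_len in fragments:
        if more and payload_len % 8:
            return "drop: non-final fragment length is not a multiple of 8"
        # Do the arithmetic before allocating: a stack that sized its buffer from
        # offset*8 + length without this comparison is what oversized pings crashed.
        if offset_units * 8 + payload_len > MAX_IP_DATAGRAM:
            return "drop: reassembled datagram would exceed 65535 bytes"
    return None

def reassembled_size(fragments):
    """Bytes the datagram occupies once all fragments are placed (for sets that passed the check)."""
    return max(offset_units * 8 + payload_len for offset_units, _more, payload_len in fragments)

# Constructed fragment sets (not captures from the article).
NORMAL_PING = [(0, True, 1480), (185, False, 100)]        # 185*8 + 100 = 1580 bytes
OVERSIZED_PING = [(0, True, 1480), (8191, False, 1000)]   # 8191*8 + 1000 = 66528 bytes
```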

  • E-mail bombs

    In this attack, someone sets up a computer to send e-mails to an address continuously. These e-mails are usually large files that waste bandwidth on the receiver's network. The attack is not serious and is easy to filter.

  • Solution- Configure the mail host to delete any duplicate mails from another host.

  • Service specific attacks

    Sometimes a hacker is interested in shutting down a service supported by your computer, so that he can impersonate and use that specific service. Hackers are usually interested in four services: RPC, DNS, WINS and NetBIOS. These are fundamental parts of Windows networking; other services, such as Time, are not easy to break into in any case.

    To use a service, a network client must send it data in a fixed format. The attacker instead sends incorrect or meaningless messages, and this crashes the service.

  • Solution- DNS implementations are particularly sensitive: the service can crash if the first data it receives is a DNS response instead of a DNS request. The DNS service can be protected by allowing only authorized external hosts to communicate with the server. To keep services inaccessible to external computers, do not bind them to network adapters that can be reached from outside the network.
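Added example, not from the article: the validation a DNS server can apply to each incoming datagram before handing it to the resolver logic, so that a response (QR bit set), a non-standard opcode or a truncated message is dropped instead of crashing the service. The packet builder is a constructed helper used only to produce test datagrams.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount

def classify_dns_message(data):
    """Return 'query' if a DNS server should process this datagram, else the reason to drop it."""
    if len(data) < DNS_HEADER.size:
        return "drop: shorter than a DNS header"
    _ident, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(data)
    if flags & 0x8000:                    # QR bit set: this is a response, not a request
        return "drop: response received where a query was expected"
    opcode = (flags >> 11) & 0xF
    if opcode != 0:                       # only standard queries are served here
        return f"drop: unsupported opcode {opcode}"
    if qdcount != 1:
        return f"drop: expected exactly one question, got {qdcount}"
    return "query"

def build_query(ident, name, flags=0x0100, qdcount=1):
    """Constructed test datagram: header plus one question for an A record of name."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii") for part in name.split("."))
    question = labels + b"\x00" + b"\x00\x01\x00\x01"      # root label, QTYPE=A, QCLASS=IN
    return DNS_HEADER.pack(ident, flags, qdcount, 0, 0, 0) + question
```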

  • DNS Cache pollution

    By eavesdropping and snooping, a hacker can identify a computer that provides DNS services. He can also determine the sequence that computer uses to assign query IDs to DNS queries, and forge a response carrying invalid information. This is done to redirect Internet traffic to a suborned computer. Client computers relying on that DNS server then fail to resolve Internet names to valid IP addresses and reach incorrect web pages.

  • Solution- Configure the firewall to drop packets that carry an internal source address on the external interface, as these addresses are spoofed. The ranges 127.x.x.x, 10.x.x.x, 192.168.x.x and 172.16.x.x through 172.31.x.x are never legitimate as source addresses arriving from outside. Configure your firewall to filter these, as well as your own IP addresses.
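Added example (not from the article) covering both the attack described above and the firewall rule in the solution: a resolver that issues unpredictable transaction IDs, accepts an answer only from the server it actually queried, and drops anything arriving on the external interface with a loopback, private or own-network source address. The interface names, the own-network range and the Resolver class are assumptions.

```python
import ipaddress
import secrets

# Source ranges the article says must never appear on the external interface:
# loopback (127/8) and the private blocks 10/8, 192.168/16 and 172.16/12.
SPOOFED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

def spoofed_on_external(src_ip, own_network):
    """True if a packet with this source address must be dropped when it arrives from outside."""
    addr = ipaddress.ip_address(src_ip)
    if addr in ipaddress.ip_network(own_network):   # our own addresses coming from outside
        return True
    return any(addr in net for net in SPOOFED_SOURCES)

class Resolver:
    """Tracks outstanding queries so a forged answer cannot be matched by guessing the id."""

    def __init__(self, own_network):
        self.own_network = own_network
        self.pending = {}                 # transaction id -> server the query went to

    def send_query(self, server_ip):
        # Unpredictable 16-bit transaction id instead of the sequential counter the
        # attack relies on; the caller puts the returned id in the query datagram.
        while True:
            ident = secrets.randbelow(0x10000)
            if ident not in self.pending:
                break
        self.pending[ident] = server_ip
        return ident

    def accept_response(self, src_ip, iface, data):
        """Verdict for a datagram claiming to answer one of our queries."""
        if iface == "external" and spoofed_on_external(src_ip, self.own_network):
            return "drop: spoofed source address"
        if len(data) < 2:
            return "drop: truncated"
        ident = int.from_bytes(data[:2], "big")
        if ident not in self.pending:
            return "drop: no pending query with this id"
        if self.pending[ident] != src_ip:
            return "drop: answer from a server we did not ask"
        del self.pending[ident]           # one answer per query; a late duplicate is dropped
        return "accept"
```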

  • Route redirection

    Routers direct the inward and outward flow of information within a network, and this flow is governed by routing tables. If a hacker succeeds in changing the routing tables, he can isolate part of the network and direct all of its traffic out of it. The data circulating within the network can thus be read by the hacker.

  • Solution- Check which routing protocol the router uses. Routers usually exchange routing updates by RIP, BGP or OSPF. The router must not use RIP, as that protocol lacks authentication and lets a hacker reconfigure the router or deny service very easily. OSPF is more secure than RIP, but for maximum security use BGP, which allows only authorized users to update routing tables.

