Security in Computer Networks

8.7.4 Denial-of-Service and Distributed Denial-of-Service Attacks


A broad class of security threats can be classified as denial-of-service (DoS) attacks. As the name suggests, a DoS attack renders a network, host, or other piece of network infrastructure unusable by legitimate users. A DoS attack works by creating so much work for the infrastructure under attack that legitimate work cannot be performed. In a SYN flooding attack, the attacker deluges a server with TCP SYN packets, each having a spoofed IP source address. The server, not being able to differentiate between a legitimate SYN and a spoofed SYN, completes the second step of the TCP handshake for a spoofed SYN, allocating data structures and state. The third step of the three-way handshake is never completed by the attacker, leaving an ever-increasing number of partially open connections. The load of SYN packets to be processed and the depletion of free memory eventually bring the server to its knees. A related form of attack sends IP fragments to a host but never sends enough fragments to complete a datagram. The attacked host continues to accumulate fragments, waiting in vain for fragments that would complete a datagram, consuming an ever-increasing amount of storage over time. A smurf attack operates by having a large number of innocent hosts respond to ICMP echo-request packets that contain a spoofed source IP address. This results in a large number of ICMP echo-reply packets being sent to the host whose IP address is being spoofed.
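The SYN flood works because the server allocates state at step two of the handshake. SYN cookies avoid that: the server encodes a keyed hash of the connection 4-tuple and a coarse clock into the SYN-ACK sequence number, stores nothing, and only creates the connection when step three echoes a valid cookie. The following is an added example, not code from the original text and not any real TCP stack's implementation; the secret, addresses, port numbers and the 5-bit clock/27-bit hash split are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real server would draw it at boot.
SECRET = b"constructed-demo-secret"
TIME_BITS = 5                      # top 5 bits of the ISN carry a coarse clock
HASH_BITS = 32 - TIME_BITS         # remaining 27 bits carry a keyed hash
TIME_MASK = (1 << TIME_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1
BUCKET_SECONDS = 64                # the clock advances once every 64 s

def _tag(src_ip, src_port, dst_ip, dst_port, t):
    """Keyed hash of the connection 4-tuple and the clock value t."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & HASH_MASK

def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Handshake step 2: choose the SYN-ACK sequence number.
    No per-connection state is kept, so a spoofed SYN costs no memory."""
    t = (now // BUCKET_SECONDS) & TIME_MASK
    return (t << HASH_BITS) | _tag(src_ip, src_port, dst_ip, dst_port, t)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Handshake step 3: the ACK must equal cookie + 1, the clock value in
    it must be current or one bucket old, and the hash must recompute."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> HASH_BITS
    now_t = (now // BUCKET_SECONDS) & TIME_MASK
    if (now_t - t) % (TIME_MASK + 1) > 1:
        return False                                   # stale or forged clock
    expected = _tag(src_ip, src_port, dst_ip, dst_port, t)
    return hmac.compare_digest(struct.pack("!I", cookie & HASH_MASK),
                               struct.pack("!I", expected))

if __name__ == "__main__":
    # Constructed scenario: spoofed SYNs get SYN-ACKs but leave nothing behind;
    # an honest client that completes step 3 is accepted without prior state.
    for i in range(1, 200):
        make_cookie("198.51.100.%d" % i, 1024 + i, "192.0.2.10", 80, 1000)
    isn = make_cookie("203.0.113.7", 40000, "192.0.2.10", 80, 1000)
    print(check_cookie("203.0.113.7", 40000, "192.0.2.10", 80, isn + 1, 1003))
```

The cost of this scheme is that options carried in the original SYN are lost unless they too are encoded into the cookie, which is why real stacks only switch to cookies once the half-open queue is under pressure.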
 
In a distributed denial-of-service (DDoS) attack, the attacker first gains access to user accounts on numerous hosts across the Internet. The attacker then installs and runs a slave program at each compromised site that quietly waits for commands from a master program. Once a large number of such slave programs are running, the master program contacts and instructs each of them to launch a DoS attack directed at the same target host. The resulting coordinated attack is particularly devastating, since it is coming from so many directions at once.
 
It is difficult to protect oneself against DoS and DDoS attacks. Packet filtering is of limited help because good datagrams are difficult to distinguish from bad ones.
 
A number of recent research efforts have looked at techniques for marking IP headers as they pass through a router in order to trace back a flow of DoS datagrams to their source. Once a compromised source host has been identified, it can be quarantined, although this is usually a slow process, requiring human intervention. Solving a DDoS attack is even more difficult and time-consuming.
