Deconstructing DoS attacks

March 20, 2001, 12:38 PM — UnixInsider


Denial of service (DoS) attacks have made headlines in the last year by assaulting a number of large and very successful companies. A rash of hits roughly a year ago left the e-industry aware of how vulnerable it is. The recent attacks against Microsoft are a not-so-gentle reminder. When large, smart companies, including the likes of Yahoo, Amazon, CNN, and Microsoft, fall victim to DoS attacks, can any of us feel safe? Why are successful companies, which ought to know better, seriously and publicly affected by attacks perpetrated by less-than-brilliant hackers? Finally, what can you do to defend your site?

How DoS attacks work

The main thing that makes DoS attacks so hard to fend off is that, at least on the surface, they look like valid traffic. The basic difference between legitimate visits and attacks is the intent -- and the only observable signs of that intent are the volume, frequency, and source of the traffic. Normal traffic to a mail server might come in spurts and waves, but an attack against sendmail entails a barrage of messages in such close succession that the service cannot keep up with the volume and crashes or hangs. Often the attack brings the whole system down rather than just the one service: if the server doesn't run out of swap space, it will probably run out of process slots or network connections, and the network links feeding it will be congested as well. In addition to the difficulty of differentiating attacks from normal traffic, it is hard to effectively slow down or control the traffic comprising the attack once it has been recognized.


Noted security expert Steve Bellovin has pointed out that DoS attacks are cheaper to launch than to deal with. The effort involved in launching an attack is almost always minimal compared to the effort involved in fending off or recovering from it.


DoS attacks are hard to characterize because what they have in common is their overall effect, not the technique by which they're carried out. DoS attacks can seek to flood a network with traffic or to modify a router's configuration. The goal of both methods is to deny legitimate users access. The various means of achieving that goal have little in common.


Typical DoS attacks involve:


  • Jamming networks
  • Flooding service ports
  • Misconfiguring routers or other critical devices


Efforts to flood a network, for example, can block or slow all communication between servers and clients, making it difficult or impossible for any work to be done. Excessive traffic to a specific service port on a server, on the other hand, might make that service or server unusable.
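Since the only usable signals are volume, frequency, and source, the practical first step against a service-port flood is to count messages per source over a sliding window and flag the sources whose rate is far outside the normal load. The following is an added example, not code from the article: it parses sendmail-style "from=" log lines (the sample lines, relay addresses, window and threshold are all constructed for illustration) and reports each relay that exceeds the threshold within any window.

```python
"""Per-source rate check over sendmail-style log lines.

Added illustration, not code from the original article. It applies the
point that a flood differs from legitimate mail only in volume, frequency
and source: count messages per relay address inside a sliding time window
and flag any relay whose count exceeds a threshold.
The log lines, relay addresses, window and threshold are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Relay field sendmail logs on a "from=" line, e.g. "relay=mail.example.net [192.0.2.10]"
RELAY_RE = re.compile(r"relay=\S+ \[(?P<ip>[0-9.]+)\]")
# Syslog prefix: "Mar 20 12:38:01 mailhost sendmail[1234]: ..."
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_line(line, year=2001):
    """Return (timestamp, relay_ip) for a sendmail from= line, else None.
    Syslog omits the year, so it is supplied by the caller (assumed 2001 here)."""
    m_ts = TS_RE.match(line)
    m_relay = RELAY_RE.search(line)
    if not (m_ts and m_relay and " from=" in line):
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m_relay.group("ip")


def flag_floods(lines, window_seconds=60, max_per_window=100):
    """Return {relay_ip: peak_count} for every relay that delivered more than
    max_per_window messages inside any window_seconds-wide interval.
    Lines are assumed to be in time order, as a log file normally is."""
    recent = defaultdict(deque)   # relay_ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a from= line; ignore it
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop entries that fell out of the window
        if len(q) > max_per_window and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)            # record the worst rate seen for this relay
    return peaks


def make_sample_log():
    """Constructed sample: a trickle from one relay and a burst from another."""
    base = datetime(2001, 3, 20, 12, 38, 0)
    events = []
    for i in range(3):                    # normal traffic: one message every 5 minutes
        events.append((base + timedelta(minutes=5 * i), f"n{i:05d}",
                       "192.0.2.10", "alice@example.com"))
    for i in range(150):                  # flood: 150 messages inside 30 seconds
        events.append((base + timedelta(seconds=i * 0.2), f"f{i:05d}",
                       "203.0.113.5", f"bot{i}@example.org"))
    events.sort(key=lambda e: e[0])
    lines = []
    for t, qid, ip, sender in events:
        stamp = t.strftime("%b %d %H:%M:%S")
        lines.append(f"{stamp} mailhost sendmail[1234]: {qid}: from=<{sender}>, "
                     f"size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
                     f"relay=host [{ip}]")
    return lines


if __name__ == "__main__":
    for ip, peak in flag_floods(make_sample_log()).items():
        print(f"{ip}: {peak} messages within one 60 s window")
```

The threshold has to come from the site's own baseline: a relay that normally sends a thousand messages an hour is not a flood at that rate, and the window should be short enough that a burst is caught before the queue, process table, or swap fills. Counting by relay address is only a first cut; a distributed flood spreads the same volume across many sources, so the same sliding-window count applied to the port as a whole is the companion check.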


In a DoS attack against sendmail, hundreds of thousands of messages can be sent in a short period of time; a normal load might only be 100 or 1,000 messages an hour. If a DoS attack is noticed in time, a service can be shut down while the organization rides out the attack. That cannot always be done without repercussions, though. Attacks against sendmail might not make the front page, but downtime on major Websites will. For companies whose reputation
