THE INFAMOUS DOS

Sagar
5 min read · Jun 10, 2021
Image source: Kaspersky Threat Map

Denial of Service (DoS) is undoubtedly one of the simplest and best-known types of network attack. Instead of stealing data directly, the attacker either denies legitimate users access to a service or crashes the service outright; in both cases users cannot use the service they want.

DoS attacks that crash a service are closer to program exploits, since they depend on a flawed implementation of the service by the vendor. For instance, a buffer-overflow exploit that goes wrong on a server will crash it, leaving it inaccessible to everyone else. Crashing DoS attacks work the same way, and because the operating system handles the network stack, a crash in that code takes down the kernel, denying service to the entire machine.

This article covers some of the famous DoS attacks and explains their inner workings, so that you can understand how these techniques apply to different situations.

SYN FLOODING

A SYN flood, also known as a TCP SYN flood, is a type of DoS attack in which the attacker tries to exhaust the state kept by the TCP/IP stack. TCP provides "reliable" connections, and to do so it must track each connection somewhere. The TCP/IP stack in the kernel is responsible for this, but its table of connections is finite, and a SYN flood uses spoofing to take advantage of that limit.

The attacker floods the victim with a large number of SYN packets from a spoofed source address that does not exist. Because a SYN initiates a TCP connection, the victim is tricked into sending a SYN/ACK in response and then waits for the ACK from the attacker's spoofed address. Since nobody is there to respond, each of these half-open connections sits in a backlog queue of limited size. An entry is only removed from the queue when the ACK that completes the handshake arrives, and here it never does, so each half-open connection must instead wait to time out. As long as the attacker keeps the backlog queue full of spoofed SYN packets, legitimate SYN packets cannot be queued and no new TCP connections can be initiated.

One way to prevent this is a technique called SYN cookies, used by some operating systems (such as Linux). It works by choosing the initial sequence number of the responding SYN/ACK packet (the value the client must echo back, plus one, as the acknowledgement number of its final ACK) from a specific value derived from the connection details and the time (to prevent replay attacks). A TCP connection does not become active until the final ACK of the handshake is checked, so if the sequence number does not match or the ACK never arrives, no connection is ever created.
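The following is an added example, not code from the article or from the book it cites, showing the SYN cookie idea in working form: the server's initial sequence number is computed from the connection 4-tuple, a coarse time counter and a keyed hash, and the final ACK is validated by recomputing it, so no backlog entry is ever allocated for a half-open connection. The cookie layout (5-bit counter, 3-bit MSS index, 24-bit hash), the MSS table, the 64-second time slot and the secret are assumptions chosen for the demo, not any kernel's actual values.

```python
import hashlib
import hmac

# Constructed demo secret; a real stack draws this from its RNG at boot (assumption).
SECRET = b"constructed-demo-secret"

# Encodable MSS values; the index must fit in MSS_BITS. The table is an
# assumption for this demo, not any kernel's actual table.
MSS_TABLE = (536, 1220, 1440, 1460)

COUNTER_BITS = 5   # time counter in the top bits of the cookie
MSS_BITS = 3       # MSS index in the next bits
HASH_BITS = 24     # keyed hash in the low bits
TIME_SLOT = 64     # seconds per counter tick
MASK32 = 0xFFFFFFFF


def _mac(secret, saddr, daddr, sport, dport, count):
    """Keyed hash over the connection 4-tuple and time counter, truncated to HASH_BITS."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def _mss_index(mss):
    """Index of the largest table entry not exceeding the peer's MSS (0 if none fit)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syncookie(saddr, daddr, sport, dport, mss, now, secret=SECRET):
    """Return the initial sequence number to put in the SYN/ACK.

    Nothing is stored for the half-open connection: everything needed to
    finish the handshake later is encoded in this 32-bit value.
    """
    count = (now // TIME_SLOT) & ((1 << COUNTER_BITS) - 1)
    mac = _mac(secret, saddr, daddr, sport, dport, count)
    cookie = (count << (MSS_BITS + HASH_BITS)) | (_mss_index(mss) << HASH_BITS) | mac
    return cookie & MASK32


def check_syncookie(saddr, daddr, sport, dport, ack, now, secret=SECRET, max_age=2):
    """Validate the final ACK of a handshake.

    Returns the MSS recovered from the cookie when the ACK is genuine and
    recent, or None when it is forged, stale, or for a different 4-tuple.
    """
    cookie = (ack - 1) & MASK32                  # the peer acknowledges ISN + 1
    count = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    got = cookie & ((1 << HASH_BITS) - 1)
    current = (now // TIME_SLOT) & ((1 << COUNTER_BITS) - 1)
    age = (current - count) & ((1 << COUNTER_BITS) - 1)
    if age > max_age:
        return None                              # too old: stale or replayed cookie
    want = _mac(secret, saddr, daddr, sport, dport, count)
    if not hmac.compare_digest(got.to_bytes(3, "big"), want.to_bytes(3, "big")):
        return None                              # keyed hash mismatch: forged ACK
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    now = 1_000_000
    # Constructed flood: 10,000 SYNs from addresses that will never answer
    # cost the server no backlog entries at all, only a hash each.
    for i in range(10_000):
        make_syncookie(f"10.0.{i // 256}.{i % 256}", "10.0.0.1", 40000 + i, 80, 1460, now)
    # A real client echoes ISN + 1 and completes the handshake.
    isn = make_syncookie("10.0.0.5", "10.0.0.1", 40000, 80, 1460, now)
    print("genuine ACK ->", check_syncookie("10.0.0.5", "10.0.0.1", 40000, 80, isn + 1, now))
    # A guessed acknowledgement number fails the keyed hash.
    print("forged ACK  ->", check_syncookie("10.0.0.5", "10.0.0.1", 40000, 80, isn + 2, now))
```

The time counter is what keeps the cookie from being replayed indefinitely: an ACK carrying a cookie older than `max_age` slots is dropped even if its hash is valid. On Linux the corresponding kernel feature is enabled with the `net.ipv4.tcp_syncookies` sysctl.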

PING OF DEATH

This one is about ICMP. According to the ICMP specification, echo messages can carry at most 2¹⁶, or 65,536, bytes of data in the data section of the packet, but this limit was easy to overlook because the important part is the header section: if the headers are modified accordingly, the result can crash the operating system, which cannot handle an ICMP echo message of excessive size. These gigantic ICMP echo messages are called 'the Ping of Death'. It is a very simple conceptual flaw that sat there for many years without anyone thinking about its possible exploitation. Modern systems are now patched against this vulnerability, but it gives a brief idea of how a simple flaw can bring devastating results.

As history repeats itself, one modern technology has suffered from the same kind of trouble: Bluetooth. It has a similar ping packet at the L2CAP layer, also used to measure the communication time on established links, and its implementation suffered from the same oversized-ping problem. Adam Laurie, Marcel Holtmann and Martin Herfurt named it Bluesmack.

TEARDROP

Another type of crashing DoS attack was the 'Teardrop', which exploited a weakness in several vendors' implementations of IP fragment reassembly. When IP packets are fragmented, an 'offset value' is stored in the header section; it is used to reconstruct the original packet during reassembly so that the fragments do not overlap, much like a sequence number tracking every fragment. This offset value came with a vulnerability: if the attacker sent fragments with overlapping offset values, there was no check for it, which caused the reassembly code to misbehave and the system to crash.

Like the Ping of Death, this attack rarely works today because most vendors have patched it, but understanding its inner workings can help reveal problems in other areas. One such case was the early IPv6 implementation in the OpenBSD kernel, in which fragmented IPv6 packets could be exploited remotely.
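Both the Ping of Death and Teardrop sections above come down to checks that a fragment reassembler must make before touching its buffer. The reassembler below is an added example, not code from the article, the book it cites, or any operating system: it rejects a datagram whose reassembled size would exceed the 16-bit IP length field (the Ping of Death case) and a fragment whose offset lands inside data already reassembled (the Teardrop case). The 20-byte header length, the status names and the sample fragments are assumptions for the demo.

```python
MAX_DATAGRAM = 65535   # largest IPv4 total length (header + data) the 16-bit field can express
IP_HEADER_LEN = 20     # minimal IPv4 header without options (assumed for the demo)
FRAG_UNIT = 8          # fragment offsets are counted in 8-byte units


def reassemble(fragments):
    """Reassemble one datagram's fragments, refusing the classic malformed cases.

    fragments: list of (offset_bytes, payload, more_fragments) tuples in any order.
    Returns (status, payload). status is "complete", "incomplete", "overlap",
    "oversized" or "malformed"; payload is bytes only when status is "complete".
    """
    covered_to = 0        # bytes of the data section reassembled so far
    buf = bytearray()
    final_seen = False
    for offset, data, more in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(data)
        if offset % FRAG_UNIT:
            return ("malformed", None)   # offsets must be 8-byte multiples
        if more and len(data) % FRAG_UNIT:
            return ("malformed", None)   # only the last fragment may be a partial unit
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            return ("oversized", None)   # Ping of Death: would overflow a 65,535-byte datagram
        if offset < covered_to:
            return ("overlap", None)     # Teardrop: overlaps data already placed
        if final_seen:
            return ("malformed", None)   # data beyond the fragment marked as last
        if offset > covered_to:
            return ("incomplete", None)  # a fragment is still missing; keep waiting
        buf += data
        covered_to = end
        if not more:
            final_seen = True
    if not final_seen:
        return ("incomplete", None)
    return (bytes(buf) and "complete", bytes(buf)) if buf else ("complete", b"")


if __name__ == "__main__":
    # Constructed sample: a 2,048-byte payload split at a 1,480-byte boundary.
    payload = bytes(range(256)) * 8
    print(reassemble([(1480, payload[1480:], False), (0, payload[:1480], True)])[0])
    print(reassemble([(0, b"A" * 1480, True), (1000, b"B" * 1000, False)])[0])   # overlap
    print(reassemble([(65528, b"X" * 100, False)])[0])                             # oversized
```

Real stacks also bound how long incomplete fragment sets are held and how much memory they may consume, which is the defence against the flooding variants of fragment abuse rather than the crashing ones discussed here.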

AMPLIFICATION ATTACKS

Apart from crashing the system, a DoS attack can also flood the network so that legitimate users cannot reach the resource they want. This can be done in various ways, such as ping flooding, where the attacker creates massive traffic; basically it is just a battle of bandwidth between attacker and victim.

However, there is a smarter way to perform a ping flood without requiring massive bandwidth, called an amplification attack. It uses spoofing and broadcast addressing to amplify a single stream of packets a hundred-fold. To carry it out, the attacker first needs a network that accepts traffic to its broadcast address, and second, a network with a comparatively large number of hosts.

The attacker sends large ICMP echo request packets to the broadcast address of the amplification network with the spoofed source address of the victim machine. The amplifying network delivers these packets to all of its hosts, and each host sends an ICMP echo reply to the victim, so a small stream of packets from the attacker becomes a large flood of traffic aimed at the victim. This can be performed with both ICMP echo and UDP echo packets: the ICMP technique is called a 'smurf' attack and the UDP one a 'fraggle' attack.
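From the victim's side, a smurf attack has a distinctive shape: a burst of echo replies from many different hosts that answer no request the victim ever sent, all carrying the same ICMP identifier and sequence number because they all answer the one spoofed request. The detector below is an added example, not code from the article or the book it cites; the packet record format, the one-second window and the sample packets (built from documentation address ranges) are constructed for the demo.

```python
from collections import Counter

ECHO_REPLY = 0
ECHO_REQUEST = 8


def unsolicited_echo_replies(packets, host):
    """Echo replies delivered to `host` that answer no echo request `host` sent.

    packets: dicts with ts, src, dst, type, id, seq, len (one ICMP packet each).
    Replies are matched to requests on (peer address, ICMP id, sequence number).
    """
    outstanding = set()
    unsolicited = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        key = (p["id"], p["seq"])
        if p["src"] == host and p["type"] == ECHO_REQUEST:
            outstanding.add((p["dst"], key))
        elif p["dst"] == host and p["type"] == ECHO_REPLY:
            if (p["src"], key) in outstanding:
                outstanding.discard((p["src"], key))    # legitimate answer to our ping
            else:
                unsolicited.append(p)                   # nobody here asked for this
    return unsolicited


def amplification_summary(unsolicited, window=1.0):
    """Describe the busiest `window`-second burst of unsolicited replies.

    Many distinct sources answering the same (id, seq) inside a short window is
    the smurf signature: every host on the amplifying network answers the one
    spoofed request, so they all echo the same id and sequence number.
    """
    empty = {"replies": 0, "sources": 0, "bytes": 0, "top_pair": None, "top_pair_replies": 0}
    if not unsolicited:
        return empty
    ts = [p["ts"] for p in unsolicited]          # already in time order
    best_count, best_start = 0, 0
    j = 0
    for i in range(len(ts)):                     # sliding window over the burst
        while ts[i] - ts[j] > window:
            j += 1
        if i - j + 1 > best_count:
            best_count, best_start = i - j + 1, j
    burst = unsolicited[best_start:best_start + best_count]
    pair, pair_replies = Counter((p["id"], p["seq"]) for p in burst).most_common(1)[0]
    return {
        "replies": best_count,
        "sources": len({p["src"] for p in burst}),
        "bytes": sum(p["len"] for p in burst),
        "top_pair": pair,
        "top_pair_replies": pair_replies,
    }


def _pkt(ts, src, dst, typ, ident, seq, length):
    return {"ts": ts, "src": src, "dst": dst, "type": typ, "id": ident, "seq": seq, "len": length}


VICTIM = "203.0.113.10"   # constructed addresses from the documentation ranges
SAMPLE_PACKETS = [
    # one legitimate ping exchange initiated by the victim itself
    _pkt(0.00, VICTIM, "198.51.100.1", ECHO_REQUEST, 1, 1, 84),
    _pkt(0.02, "198.51.100.1", VICTIM, ECHO_REPLY, 1, 1, 84),
] + [
    # twenty hosts of an amplifying network all answering one spoofed request
    _pkt(5.0 + i * 0.01, f"192.0.2.{i + 1}", VICTIM, ECHO_REPLY, 7, 1, 1500)
    for i in range(20)
]


if __name__ == "__main__":
    bad = unsolicited_echo_replies(SAMPLE_PACKETS, VICTIM)
    print(amplification_summary(bad))
```

The same matching logic applies to fraggle, with UDP echo (port 7) datagrams in place of ICMP. On the amplifier side, the attack relies on the network answering directed broadcasts, which Linux refuses with `net.ipv4.icmp_echo_ignore_broadcasts = 1` and Cisco IOS with `no ip directed-broadcast` on the interface; at the edge, filtering packets whose source address does not belong to the originating network (BCP 38) removes the spoofing the attack depends on.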

Source: The Art of Exploitation by Jon Erickson


Sagar

An enthusiastic learner who seeks to learn tech from a whole new perspective.