Saturday, July 18, 2009

DoS and DDoS attacks. Part 2

In the last part, we saw what DoS and DDoS are and how they are performed. In this part, I am going to introduce you to the types of DoS and DDoS attacks. According to the method of exploitation, DoS attacks are classified into three groups:
1. Exploitation of vulnerabilities in the TCP/IP protocol suite.
2. Exploitation of vulnerabilities in the IPv4 implementation.
3. Exploitation with brute-force attacks.

This was the classification according to the method of exploitation. The other way of classifying them is used widely and is very well known: it is based on the carrier or medium of the attack. Before we go on to discuss the types of DoS attacks, I recommend that you have basic knowledge about networking, packets, protocols, types of packets, ports etc. If you are not familiar with this, go and prepare these basics properly first, then come back. Ok, once you are comfortable with this, here we move ahead.

Types of DoS attacks:
1. Ping of Death: You must have heard about ping. When we ping a target, ICMP echo requests are sent to the target. The target responds with ICMP echo replies, telling us that it is up and running. Ping is used to diagnose networks and find out what problem is going on. But this simple ping command can also be destructive. The normal size of an ICMP ping packet is not more than 100 bytes. But in this type of attack, an ICMP ping packet is generated which is more than 65,536 bytes in size. This giant packet is sent to the target. The target cannot handle such a giant load in a single packet and it simply crashes. The command to generate a ping packet of this size is:
C:\windows>ping -l 65540 targethost
Where the numerical value is the size of the ICMP packet and 'targethost' is the address of the target to which the ping request is sent. Please note that this doesn't work on all hosts, as they have fixes for it.

2. Teardrop: When data is transmitted from one system to another, the whole data is not sent in a single go. Data is broken down into packets. Each packet carries the data from a certain point to a certain point. That is, if the data is 5000 bytes in size, the first packet would carry data from byte 1 to byte 1000, the second one would carry data from byte 1001 to byte 2000, and so on. The information about 'from where to where' the packet is carrying the data is mentioned in its header. This value in the header is called the offset. So, the overall structure looks like this:
Packet no.   Carrying data       Offset value
1            1-1000 bytes        1-1000
2            1001-2000 bytes     1001-2000
3            2001-3000 bytes     2001-3000
4            3001-4000 bytes     3001-4000
5            4001-5000 bytes     4001-5000

When the packets are received by the target, it reassembles the data from these packets by referring to the offset field. Ok, now we will modify the offset value in each packet. Note the difference in this table.

Packet no.   Carrying data       Offset value
1            1-1000 bytes        1-1500
2            1001-2000 bytes     1001-4000
3            2001-3000 bytes     2001-3000
4            3001-4000 bytes     3001-5000
5            4001-5000 bytes     4001-5000

Have you noticed the change? The offset values now overlap. Computers rely on this offset value to reassemble the data packets. What happens if a computer tries to reassemble such packets? Probably it won't be able to do that; it will get confused and crash.
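As an added example (not part of the original post), here is a small fragment-set validator of the kind a hardened reassembly path should apply, covering both the ping of death and the teardrop cases above: it rejects overlapping fragments and any reassembled size beyond the 16-bit IPv4 total length. The fragment sets are constructed to mirror the two tables in the post; byte positions are 1-based as the post writes them.

```python
# Added example: validate IPv4 fragment sets before reassembly, refusing overlapping
# fragments (teardrop) and reassembled sizes beyond the IPv4 limit (ping of death).
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535  # the IPv4 total length field is 16 bits


@dataclass(frozen=True)
class Fragment:
    number: int
    start: int  # first payload byte this fragment claims to carry (1-based, as in the post)
    end: int    # last payload byte it claims to carry


def check_fragments(frags):
    """Return a list of problems; an empty list means the set is safe to reassemble."""
    problems = []
    ordered = sorted(frags, key=lambda f: f.start)
    for f in ordered:
        if f.start < 1 or f.end < f.start:
            problems.append(f"fragment {f.number}: malformed range {f.start}-{f.end}")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start <= prev.end:  # teardrop: this fragment re-covers bytes of the previous one
            problems.append(f"fragment {cur.number} overlaps fragment {prev.number} "
                            f"({cur.start} <= {prev.end})")
        elif cur.start != prev.end + 1:
            problems.append(f"gap between fragment {prev.number} and {cur.number}")
    if ordered and max(f.end for f in ordered) > IPV4_MAX_DATAGRAM:  # ping of death
        problems.append(f"reassembled size {max(f.end for f in ordered)} "
                        f"exceeds {IPV4_MAX_DATAGRAM} bytes")
    return problems


# Constructed inputs mirroring the two tables in the post.
NORMAL = [Fragment(1, 1, 1000), Fragment(2, 1001, 2000), Fragment(3, 2001, 3000),
          Fragment(4, 3001, 4000), Fragment(5, 4001, 5000)]
TEARDROP = [Fragment(1, 1, 1500), Fragment(2, 1001, 4000), Fragment(3, 2001, 3000),
            Fragment(4, 3001, 5000), Fragment(5, 4001, 5000)]
# Constructed oversized set: 65540 bytes of ICMP data plus 8 bytes ICMP header and 20 bytes
# IP header, i.e. what "ping -l 65540" would have to be reassembled into.
OVERSIZED = [Fragment(1, 1, 65000), Fragment(2, 65001, 65568)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("oversized", OVERSIZED)):
        print(name, check_fragments(frags) or "ok")
```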

3. SYN flood: You must be aware of the TCP three-way handshake. You can read about that here. So, here is what the attacker does: it sends a large number of SYN requests to the server. All these SYN packets have spoofed source addresses. The server tries to reply to these addresses with SYN/ACK and waits for the ACK. But these spoofed addresses don't really exist! So the server will keep waiting for ACKs which it won't get at all. In this way, the server's capacity is consumed by unnecessary connections which will never be established. This causes other connections to the server to fail. Other people won't be able to connect, as the server is waiting for thousands of ACK replies which it is never going to get. Subsequent requests are kept in a queue until the server gets some response from these, and this causes timeouts. Denial of Service happens here: people can't get access to the server, and the server may have to be restarted, as there is going to be no response from thousands of half-established connections.

4. LAND attack: It is similar to a SYN flood. But in this case, the source IP is kept the same as that of the server! That is, both the source address and the destination address are the same. The server tries to reply to itself. This creates an infinite loop within the server, which causes it to hang or crash, so it can't handle other requests. Please note that this doesn't work on all servers, as they have fixes for it.
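As an added example (not from the original post), here is a small connection-state tracker that flags both TCP abuses just described: a LAND packet, whose source and destination endpoints are identical, and a SYN flood, which shows up as many half-open connections (SYN seen, no handshake-completing ACK) at one server. The packet records, the tiny threshold and the `pkt` helper are constructed for the demonstration; a real sensor would fill the records from a capture.

```python
# Added example: detect LAND packets and SYN-flood style half-open build-up from a
# list of client-side TCP packet records (constructed; only client->server packets).
from collections import defaultdict

HALF_OPEN_THRESHOLD = 3  # deliberately tiny so the constructed sample trips it


def is_land(pkt):
    """LAND: a SYN that claims to come from the very endpoint it is addressed to."""
    return (pkt["src"], pkt["sport"]) == (pkt["dst"], pkt["dport"]) and "S" in pkt["flags"]


def half_open_per_server(packets):
    """Count, per server endpoint, connections that saw a SYN but never the final ACK."""
    pending = set()  # (client_ip, client_port, server_ip, server_port) still awaiting ACK
    for p in packets:
        if is_land(p):
            continue  # reported separately; not a real client connection attempt
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":      # client SYN opens a half-open entry
            pending.add(key)
        elif p["flags"] == "A":    # client's handshake-completing ACK closes it
            pending.discard(key)
    counts = defaultdict(int)
    for _, _, server, port in pending:
        counts[(server, port)] += 1
    return dict(counts)


def analyse(packets):
    """Return human-readable alerts for LAND packets and half-open build-up."""
    alerts = [f"LAND packet {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
              for p in packets if is_land(p)]
    for (server, port), n in half_open_per_server(packets).items():
        if n >= HALF_OPEN_THRESHOLD:
            alerts.append(f"possible SYN flood: {n} half-open connections to {server}:{port}")
    return alerts


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed sample: one legitimate handshake, four SYNs from spoofed sources that never
# complete, and one LAND packet. Addresses are from documentation ranges, not real hosts.
SAMPLE = [
    pkt("203.0.113.5", 40000, "192.0.2.10", 80, "S"),
    pkt("203.0.113.5", 40000, "192.0.2.10", 80, "A"),
    pkt("198.51.100.1", 1025, "192.0.2.10", 80, "S"),
    pkt("198.51.100.2", 1026, "192.0.2.10", 80, "S"),
    pkt("198.51.100.3", 1027, "192.0.2.10", 80, "S"),
    pkt("198.51.100.4", 1028, "192.0.2.10", 80, "S"),
    pkt("192.0.2.10", 80, "192.0.2.10", 80, "S"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```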

5. Smurf attack: This also exploits ICMP echo requests and replies. What is done here is that ICMP echo requests are sent to a large number of computers. As in the cases above, the source address is spoofed: it is set to the victim's IP. So what will this large number of computers do? They will send ICMP echo replies to the victim IP that was used as the source address. Now the actual victim computer starts receiving a huge number of ICMP echo replies. The victim computer didn't send a single ping request to any computer, and yet it is getting so many replies. This 'confusion' causes it to crash or hang.

6. Fraggle attack: This attack is nearly the same as smurf, except that it uses UDP instead of ICMP. It is also called 'UDP flooding'. The whole process is the same as for smurf. The Fraggle attack exploits the UDP echo and chargen services.

So, these were the types of DDoS attack. Please note that not all of these attacks will work on every server; many servers have solutions and fixes for most of them. Also, DoS attacks require very large bandwidth, nearly 10mbps or above. DoS attacks are more powerful when the bandwidth is high. Therefore, they work best on LANs, where this much speed is possible.
Here we arrive at the end of the DoS and DDoS article, which was divided into 2 sections. Hope you have liked it! Have a nice day!...
