Learn the ABCD of DoS attacks

Types of DoS Attacks

Denial of service as an attack vector is quite interesting because every machine ever made, and most likely every machine that will ever be made, is vulnerable to a denial of service in some form; some systems are just more difficult than others to "DoS".

This is because every machine has a finite set of resources that it can use to process data. By giving a machine more data than it can possibly process, and sustaining that in some way, you cause a denial of service: the machine is paralyzed performing an impossible task and struggles to keep up with its other intended functions. If it helps, think of an old computer. Now think of installing a modern, resource-intensive application on that machine and trying to run it.

Do you notice how that computer seems to be in limbo for 15-20 minutes as it tries to run that application? We are now effectively "DoS-ing" that old computer by giving it far too much to process. If, after the computer catches up and becomes responsive again, we launch another such application, and another, and then another, we can keep that machine unusable for a very long time.

If we keep doing this, vital services may start to crash and the machine might become unstable and unusable until we reboot it. Although most of the "classic" DoS techniques discussed in this section are the result of programming mistakes in vendors' implementations of IP and other software, resource exhaustion and service termination are still the common thread for most DoS attacks.

Ping of Death

The Ping of Death DoS attack deals with IP fragmentation. When a datagram travels from a sending to a receiving device, it may pass through many different physical networks. Each network may have its own frame format and specific limits that determine the maximum amount of data that can be transmitted per datagram. For example, Ethernet limits this amount to 1,500 bytes; that is Ethernet's maximum transmission unit (MTU). If IP must send data that exceeds a specific network's MTU, fragmentation occurs. Fragmentation is simply the process of dividing a datagram into smaller fragments, each of which is sent separately. Each fragment becomes its own datagram and is sent independently of the other fragments. They can all go their own way and take unique, separate paths to the final destination. If even one fragment does not arrive, the receiving device must discard the remaining fragments when the fragmentation timer reaches zero. As IP is a connectionless service, it depends on higher-layer services to force a retransmission of the datagrams. IP depends on several header fields to know whether a datagram has been fragmented and how to reassemble it properly. These fields include:

  • The Identification (ID) field
  • The More Fragments (MF) bit
  • The fragment offset

The Ping of Death uses an oversized packet that is illegally fragmented. RFC 791 specifies that IP packets can be up to 65,535 octets long (2^16 - 1), which includes the length of the IP header (usually 20 octets if no IP options are specified). An Internet Control Message Protocol (ICMP) Echo Request (ping) is carried inside an IP packet and consists of an 8-octet ICMP header followed by the data octets of the ping request. So the maximum size of the data area of a ping is 65,507 octets (65,535 - 20 - 8 = 65,507).

A Ping of Death carries a data payload that is greater than this maximum size (more than 65,507 octets). As mentioned above, sending a ping of that size causes the packet to be fragmented. When the fragments are reassembled on the victim's system, the oversized result can cause a buffer overflow on older systems. As a result, the IP stack crashes and the system becomes unresponsive on the network. This attack was first seen in 1996, and at that time a lot of systems were susceptible to it. Today it is largely of historical significance, though it may still work against legacy systems.

Teardrop Attack

Fragmentation, as illustrated in the previous section, is a necessary mechanism of IP; however, overlapping fragments can also offer an attacker a means of slipping packets past an intrusion detection system or firewall. This is due to the way different systems reassemble packets, or handle them when duplicate or overlapping fragments arrive. To expand on the concept, consider that Windows-based systems give preferential treatment to the original fragments, whereas Cisco devices favor the last fragments.

Overlapping fragmentation can also be used to facilitate a denial of service; the teardrop attack is an example of this. This fragmentation attack sends malformed packets whose fragment offset values have been tweaked so that the fragments overlap when they are received.

The victim does not know how to process these overlapping fragments, so they crash or lock up the receiving system, thereby causing a denial of service. This attack is also quite old and is known to affect only Windows 3.1x, Windows 95, and Windows NT operating systems, as well as the Linux 2.0.32 and 2.1.63 kernels.
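As an added example (not from the original text), here is a small Python fragment audit that parses the three IP header fields listed in the Ping of Death section (ID, MF bit, fragment offset) and flags the two reassembly hazards described in that section and this one: a datagram that would reassemble to more than 65,535 octets, and fragments whose byte ranges overlap. The packets, addresses and IDs are constructed inline for the demonstration; checksums are neither computed nor verified, and the 20-octet option-free header is assumed.

```python
import socket
import struct
from collections import defaultdict

IP_MAX_LEN = 65535    # RFC 791: largest datagram, header included
IP_HDR_LEN = 20       # header without options (assumed throughout)
MF_FLAG = 0x2000      # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-octet units


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the fields IP uses to detect and reassemble fragments."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ident": ident,                              # the ID field
        "proto": proto,
        "more": bool(flags_off & MF_FLAG),           # the More Fragments bit
        "offset": (flags_off & OFFSET_MASK) * 8,     # fragment offset, in bytes
        "data_len": total_len - ihl,
    }


def audit_fragments(packets) -> dict:
    """Group fragments into datagrams and flag oversized or overlapping ones.

    Results are keyed by IP ID for readability; the grouping itself uses
    source, destination, ID and protocol, as a real reassembler does.
    """
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        groups[(f["src"], f["dst"], f["ident"], f["proto"])].append(f)

    findings = {}
    for (_src, _dst, ident, _proto), frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        end = 0
        overlap = False
        for f in frags:
            if f["offset"] < end:        # starts inside data already received
                overlap = True
            end = max(end, f["offset"] + f["data_len"])
        findings[ident] = {
            "reassembled_len": end,                        # IP payload after reassembly
            "oversized": end + IP_HDR_LEN > IP_MAX_LEN,    # Ping of Death condition
            "overlap": overlap,                            # Teardrop condition
        }
    return findings


def make_fragment(src, dst, ident, offset, more, data_len, proto=1) -> bytes:
    """Build a constructed IPv4 fragment with a zero-filled payload (checksum left 0)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 octets"
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + data_len, ident,
                         flags_off, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + b"\x00" * data_len


# Constructed sample traffic. Only the first and last fragment of each datagram are
# included: both conditions are visible from offsets and lengths alone.
SAMPLE_FRAGMENTS = [
    # ID 1: Ping of Death shape; last fragment ends at 65,520 payload bytes (> 65,515)
    make_fragment("198.51.100.7", "192.0.2.10", 1, 0, True, 1480),
    make_fragment("198.51.100.7", "192.0.2.10", 1, 65120, False, 400),
    # ID 2: Teardrop shape; the second fragment starts inside the first one
    make_fragment("198.51.100.7", "192.0.2.10", 2, 0, True, 24),
    make_fragment("198.51.100.7", "192.0.2.10", 2, 16, False, 24),
    # ID 3: an ordinary two-fragment datagram
    make_fragment("198.51.100.7", "192.0.2.10", 3, 0, True, 1480),
    make_fragment("198.51.100.7", "192.0.2.10", 3, 1480, False, 100),
]

if __name__ == "__main__":
    for ident, result in sorted(audit_fragments(SAMPLE_FRAGMENTS).items()):
        print(ident, result)
```

The oversized check uses the arithmetic from the Ping of Death section in reverse: the reassembled payload plus the 20-octet header must not exceed 65,535, so any payload over 65,515 octets is rejected. The overlap check is the rule a safe reassembler applies before copying a fragment into its buffer.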

SYN Flooding

SYN flooding is a DoS attack that exploits a basic weakness in the Transmission Control Protocol/Internet Protocol (TCP/IP), and its concept is fairly simple. A standard TCP session begins with the two communicating hosts exchanging a SYN / SYN-acknowledgment (SYN/ACK) / ACK three-way handshake. The expected behavior is that the initiating host sends a SYN packet, to which the responding host issues a SYN/ACK and then waits for an ACK reply from the initiator. In a SYN attack, or SYN flood, the attacker sends only the SYN packet, leaving the victim waiting for a reply.

The attack occurs when the attacker sends thousands and thousands of SYN packets to the victim, forcing the victim to wait for replies that never come. While the host is waiting for so many replies, it cannot accept legitimate requests, so it becomes unavailable, thus achieving the purpose of a DoS attack. Some stateful firewalls protect against SYN attacks by resetting pending connections after a specific timeout. Another protection is the use of SYN cookies, where a computer under attack responds with a special SYN/ACK packet and does not wait for an ACK response.

Only when the ACK packet answering that SYN/ACK returns does the server create a queue entry, reconstructing it from the information encoded in the special SYN/ACK packet.
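The SYN cookie mechanism described above, as an added Python example rather than code from the original text or from any real TCP stack: the server encodes a time counter, the client's maximum segment size and a keyed hash of the connection 4-tuple into the SYN/ACK sequence number, keeps no half-open state, and creates a connection entry only when an ACK carrying a valid, fresh cookie comes back. The secret, the MSS table, the 64-second time tick, the validity window and all addresses and ports are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # a real stack rotates this regularly
MSS_TABLE = [536, 1220, 1460, 4460]   # the client's MSS is encoded as a 2-bit index
COOKIE_WINDOW = 4                     # cookies stay valid for this many 64-second ticks
MASK32 = 0xFFFFFFFF


def _hash24(client_ip, server_ip, client_port, server_port, counter) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(client_ip), socket.inet_aton(server_ip),
                      client_port, server_port, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(client_ip, server_ip, client_port, server_port, mss, now) -> int:
    """SYN/ACK initial sequence number: 5 bits of time, 2 bits of MSS, 24 bits of hash."""
    counter = int(now) >> 6                       # 64-second ticks
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (((counter & 0x1F) << 27) | (mss_idx << 24)
            | _hash24(client_ip, server_ip, client_port, server_port, counter)) & MASK32


def check_syn_cookie(client_ip, server_ip, client_port, server_port, ack, now):
    """Return the MSS encoded in a fresh, valid cookie (ack - 1), or None."""
    cookie = (ack - 1) & MASK32
    time_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x3
    h = cookie & 0xFFFFFF
    current = int(now) >> 6
    for age in range(COOKIE_WINDOW):              # accept only recent counter values
        counter = current - age
        if (counter & 0x1F) == time_bits and \
           _hash24(client_ip, server_ip, client_port, server_port, counter) == h:
            return MSS_TABLE[mss_idx]
    return None


class SynCookieListener:
    """Server side of the handshake: nothing is queued until a valid ACK arrives."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}   # (client_ip, client_port) -> negotiated MSS

    def on_syn(self, client_ip, client_port, mss, now) -> int:
        # Reply with a SYN/ACK whose sequence number is the cookie; no half-open state kept.
        return make_syn_cookie(client_ip, self.addr, client_port, self.port, mss, now)

    def on_ack(self, client_ip, client_port, ack, now) -> bool:
        # Rebuild the connection entry from the cookie alone; bogus or stale ACKs are dropped.
        mss = check_syn_cookie(client_ip, self.addr, client_port, self.port, ack, now)
        if mss is None:
            return False
        self.established[(client_ip, client_port)] = mss
        return True


def demo():
    """Constructed run: a burst of unanswered SYNs leaves no state; one real client completes."""
    srv = SynCookieListener("203.0.113.10", 80)
    now = 1_700_000_000
    for port in range(50000, 50100):                      # SYNs that are never answered
        srv.on_syn("198.51.100.200", port, 1460, now)
    isn = srv.on_syn("198.51.100.7", 40000, 1460, now)    # a genuine client
    srv.on_ack("198.51.100.7", 40000, (isn + 1) & MASK32, now + 1)
    return srv


if __name__ == "__main__":
    print(demo().established)   # only the client that completed the handshake appears
```

The design point is that the SYN/ACK itself carries everything the server needs to reconstruct the connection, so a flood of SYNs costs the server one hash per packet and no memory. The trade-off, visible in the 2-bit MSS index, is that only a few option values survive the round trip, which is why real stacks fall back to cookies only when the SYN queue is under pressure.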

Land Attacks

The Land attack exploited a weakness in the TCP/IP implementations of many older machines. To execute the attack, the attacker sends a TCP SYN packet (a connection initiation) with the target host's address as both source and destination, and the same port on the target host as both source and destination port. On vulnerable hosts this created an infinite loop, causing them to consume all their resources and resulting in a denial of service.

Smurf Attacks

A Smurf attack is a resource consumption attack that uses ICMP Echo as its mechanism. ICMP Echo attacks seek to flood the target with ping traffic and use up all available bandwidth, so that none is left for legitimate users. Smurf is just one example of an ICMP Echo attack. It exploits ICMP by sending a spoofed ping packet addressed to the network broadcast address, with the victim's address as the source. On a multi-access network, many systems may reply, and the victim is flooded with ping responses.

Fraggle Attacks

Fraggle is the same attack as Smurf, only using User Datagram Protocol (UDP) Echo instead of ICMP Echo.
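As an added example (not from the original text), a Python classifier that applies the three signatures from the Land, Smurf and Fraggle sections to raw IPv4 packets: a SYN whose source and destination address and port are identical, an ICMP Echo Request aimed at a broadcast address, and a UDP datagram to the echo port (7) aimed at a broadcast address. The monitored subnet, the addresses and the sample packets are constructed for the demonstration; checksums are not computed.

```python
import ipaddress
import socket
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: the segment being monitored
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
TCP_SYN, TCP_ACK = 0x02, 0x10
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload) -> bytes:
    """Constructed IPv4 packet: no options, checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, flags) -> bytes:
    """Minimal 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport) -> bytes:
    """Empty UDP datagram (8-byte header only)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_icmp_echo_request() -> bytes:
    """ICMP type 8 (Echo Request), identifier 1, sequence 1."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def classify(packet: bytes) -> str:
    """Return 'land', 'smurf', 'fraggle' or 'ok' for one raw IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    body = packet[(ver_ihl & 0x0F) * 4:]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_broadcast = dst_ip in (LOCAL_NET.broadcast_address, LIMITED_BROADCAST)

    if proto == PROTO_TCP:
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", body[:20])
        # Land: a connection request "from" the target to itself on the same port
        if flags & TCP_SYN and not flags & TCP_ACK and src_ip == dst_ip and sport == dport:
            return "land"
    elif proto == PROTO_ICMP:
        # Smurf: echo request to a broadcast address, so every host answers the source
        if body[0] == 8 and to_broadcast:
            return "smurf"
    elif proto == PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", body[:8])
        # Fraggle: the same trick using the UDP echo service (port 7)
        if dport == 7 and to_broadcast:
            return "fraggle"
    return "ok"


# Constructed sample packets, keyed by the verdict each should receive
SAMPLE_PACKETS = {
    "land":    build_ipv4("192.0.2.10", "192.0.2.10", PROTO_TCP, build_tcp(139, 139, TCP_SYN)),
    "smurf":   build_ipv4("198.51.100.5", "192.0.2.255", PROTO_ICMP, build_icmp_echo_request()),
    "fraggle": build_ipv4("198.51.100.5", "192.0.2.255", PROTO_UDP, build_udp(53, 7)),
    "ok-syn":  build_ipv4("192.0.2.10", "192.0.2.20", PROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
    "ok-ping": build_ipv4("192.0.2.10", "192.0.2.20", PROTO_ICMP, build_icmp_echo_request()),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:8s} -> {classify(pkt)}")
```

The broadcast test is where a border filter earns its keep: a directed-broadcast ping or UDP echo arriving from outside the subnet has no legitimate reason to be forwarded onto the segment, and dropping it at the router removes the amplifier the Smurf and Fraggle attacks rely on.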

Snork Attacks

A Snork attack is another UDP-based DoS attack that is very similar to Smurf and Fraggle, and equally old. In this attack, a specially crafted UDP packet is sent to the Remote Procedure Call (RPC) service (UDP port 135) on a Windows NT server. This can raise the CPU utilization on the server to 100 percent for a short period, and repeated packets can keep the utilization at 100 percent. Snork packets could also be bounced between two or more servers to cause high utilization on the network segment, DoS-ing the network as well.