Denial-of-service attacks seek to disrupt the availability of a system, preventing authorized individuals from gaining legitimate access to the system or the information it contains. Learn about the ways that attackers carry out denial-of-service attacks.
- [Instructor] Denial of Service Attacks are a category of attack that disrupts the normal use of computing resources. The CIA triad describes the three goals of information security professionals: confidentiality, integrity, and availability. Most of the attack techniques used by hackers focus on undermining the confidentiality or integrity of data. By far, the most common motivation of an attacker is to steal sensitive information such as credit card numbers or social security numbers.
Attackers might also wish to alter information in an unauthorized fashion, such as increasing bank account balances, or defacing a website. Some attacks, however, focus on disrupting the legitimate use of a system. Unlike other attacks, these target the availability leg of the CIA triad. We call these attacks Denial of Service, or DoS, attacks. A Denial of Service attack is an attack that makes a system or resource unavailable to legitimate users.
It sends thousands or even millions of requests to a server, overwhelming it and making it unable to answer any legitimate requests. Done well, Denial of Service attacks are very difficult to distinguish from legitimate requests made to a server. There are two huge issues with the basic Denial of Service attack from the hacker's perspective. First, they require large amounts of bandwidth. Sending lots of requests that tie up the server requires a large network connection.
It becomes a case of who has a bigger network connection, the attacker or the victim? Second, they are easy to block. Once the victim recognizes they are under attack, they can simply block the IP addresses of the attackers. That's where Distributed Denial of Service, or DDoS attacks, come into play. DDoS attacks use botnets to overwhelm the target. The attack requests come from all over the place, so it's difficult to distinguish them from legitimate requests.
Let's take a look at an example. You may already be familiar with the ping command. This is a very simple network request that sends a packet, known as an echo request, to a system. It's akin to asking, are you there? The system receiving the echo request then sends an echo reply, essentially saying, yes I am. In an attack known as the Smurf Attack, the attacker sends echo requests to the broadcast addresses of third-party servers using a forged source address.
That forged source address is actually the real IP address of the victim. When the third-party servers receive the request, they believe they came from the victim and send the victim an echo reply. The victim's network connection then becomes overwhelmed with replies received from all over the place. The Smurf Attack is also an example of a special type of DDoS attack known as an amplified attack. In a basic DDoS attack, bandwidth is a limiting factor. In an amplification attack, the attacker carefully chooses requests that have very large responses.
The attacker can then send very small requests over his or her network connection that generate very large replies over the third-party's network connection. Variations on the Smurf Attack send carefully crafted requests that have very large responses. The amplification factor is the degree of amplification that takes place in an attack. If a response is twice the size of a request, the amplification factor is two. If an attacker designs an amplification attack that uses 64 byte queries to generate 512 byte responses, the amplification factor is eight.
The attack sends eight times as much traffic to the victim as the attacker sent to the intermediaries. Denial of Service attacks are a serious threat to system administrators as they can quickly overwhelm a network with illegitimate traffic. Defending against them requires that security professionals understand them well, and implement blocking technology on the network that identifies and weeds out suspected attack traffic before it reaches servers. This is often done with the cooperation of internet service providers and third-party DDoS protection services.
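The Smurf reflection and the amplification factor described in the lecture, modelled in Python as an added example (this is not the instructor's code or material from the course). The packet records, the host count on the intermediary subnet, the packet sizes and the addresses (taken from the RFC 5737 documentation ranges) are all constructed inputs; the victim-side check and the router-side check are illustrative, not a production detector.

```python
"""Smurf-style reflected amplification, modelled as packet records.

Added example, not from the course. The attacker spoofs the victim's address
on an ICMP echo request sent to a subnet's broadcast address; every live host
on that subnet answers the victim directly. Addresses come from the RFC 5737
documentation ranges; host count and packet sizes are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# ICMP type numbers (RFC 792)
ECHO_REQUEST = 8
ECHO_REPLY = 0

VICTIM = "192.0.2.10"            # spoofed source address; receives every reply
BROADCAST = "198.51.100.255"     # intermediary subnet's broadcast address
# 32 live hosts on the intermediary subnet (constructed)
SUBNET_HOSTS = [f"198.51.100.{i}" for i in range(1, 33)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    size: int  # bytes on the wire


def smurf_traffic(victim, broadcast, hosts, request_size=64, reply_size=64):
    """Packets produced by one spoofed echo request.

    Returns (attacker_packets, reflected_packets). The attacker's real address
    never appears on the wire: the request carries the victim's address as its
    source, so each host on the subnet sends its echo reply to the victim.
    """
    spoofed = Packet(victim, broadcast, ECHO_REQUEST, request_size)
    replies = [Packet(h, victim, ECHO_REPLY, reply_size) for h in hosts]
    return [spoofed], replies


def amplification_factor(sent, received):
    """Bytes delivered to the victim per byte the attacker put on the wire."""
    sent_bytes = sum(p.size for p in sent)
    recv_bytes = sum(p.size for p in received)
    return recv_bytes / sent_bytes


def unsolicited_replies(capture, me):
    """Victim-side detection: echo replies from hosts this machine never pinged.

    Tracks outstanding echo requests per destination; a reply that matches none
    is reflected traffic. A real implementation would also match the ICMP
    identifier/sequence fields and expire stale entries.
    """
    outstanding = Counter()
    flagged = []
    for p in capture:
        if p.src == me and p.icmp_type == ECHO_REQUEST:
            outstanding[p.dst] += 1
        elif p.dst == me and p.icmp_type == ECHO_REPLY:
            if outstanding[p.src] > 0:
                outstanding[p.src] -= 1
            else:
                flagged.append(p)
    return flagged


def drop_at_intermediary(p, broadcast):
    """Router-side control: refuse echo requests aimed at the broadcast address.

    Disabling directed broadcasts (RFC 2644) removes the subnet as a reflector
    regardless of whose address was forged as the source.
    """
    return p.icmp_type == ECHO_REQUEST and p.dst == broadcast


def demo():
    sent, reflected = smurf_traffic(VICTIM, BROADCAST, SUBNET_HOSTS)
    # What the victim sees: one legitimate ping exchange plus the reflected flood.
    capture = [
        Packet(VICTIM, "203.0.113.5", ECHO_REQUEST, 64),
        Packet("203.0.113.5", VICTIM, ECHO_REPLY, 64),
    ] + reflected
    return {
        "amplification": amplification_factor(sent, reflected),
        "unsolicited": len(unsolicited_replies(capture, VICTIM)),
        "dropped_at_router": drop_at_intermediary(sent[0], BROADCAST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 32 responding hosts and equal request and reply sizes, one 64-byte spoofed request turns into 2,048 bytes at the victim, an amplification factor of 32; the lecture's 64-byte request with a 512-byte reply gives a factor of 8 from a single responder. Note that the victim-side check only identifies the reflected replies; dropping them at the host does not free the saturated link, which is why the filtering has to happen upstream, at the reflecting networks (no directed broadcast) or at the ISP.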
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security