Topic: DoS and DDoS

Message

   What is DoS and DDoS? 

What is Denial of Service exactly? 

Denial of Service is just that, Denial of Service. To be a bit more
descriptive, Denial of Service is either accidental or purposeful
attempts to deny users access to resources. This can be in the form of
stealing bandwidth which is the most common form of attack, it can be
in the form of eating disk space, it can be in the form eating
processor, and various other resource stealing. Oftentimes this is
accidental. The Slashdot effect is often an accidental denial of
service. However, sometimes this can be on purpose. An attacker can
launch software that will steal resources from a target. 

In a more general outlook, there are attacks called Land Attacks where
an attacker will launch an attack that will cause a server or other
target to attempt to respond to itself. Eventually this will cause the
server to eat up the allocated connection tables and will not respond
to any more requests. Other attacks such as the Ping of Death eat up
bandwidth until the target is so saturated that it cannot respond any
more. Typically a Ping of Death involves IP spoofing. Many other
attacks are out there and will eat up other resources. 

So what is a Distributed Denial of Service attack? 

DDoS, or Distributed Denial of Service attack is pretty
self-explanatory. This is a Denial of Service attack this coming from
multiple directions. Slashdot effect is a good example of a DDoS. The
above-mentioned attacks can also be DDoS attacks if multiple hosts are
involved. You'll typically see DDoS attacks from zombies, or computer
that have been infected with a piece of malware to allow them to be
controlled by an attacker. This is typical of botnets, or computers
that have been infected with a malware that forces the computer to join
an IRC channel for control of the attacker. These computers can then be
controlled to launch port scans against a target, be it a single
computer or network, launch SYN floods or whatever else the malware
author coded. 

How does this affect web application? 

Typically a user of web application will not see a DDoS. What they will
see instead is a DoS. This can come in several forms, but most common
are registration flooding, searching flooding, and post flooding. What
makes these types of attacks unique is that HTTP attacks require a 3
way handshake. In other words, the IP address cannot be spoofed. This
doesn't mean that it cannot be masked (think proxies), but the 3 way
handshake is a component of the stateful TCP (Transmission Control
Protocol). Without going really low-level in networking protocols, the
host must send a packet saying "I'm here, I want to communicate with
you" and the target (victim or not) will send a reply saying "Okay, I'm
ready for you" and then the host will reply saying "Okay, here comes
the information." This is the 3 way handshake. 

Prevention methods, are they available? 

Yes and no. Eventually a DoS or DDoS will win. There are mitigation
methods and countermeasures however. On the lower networking level
(layers 2 and 3 for those familiar with the OSI model) there are
mitigation methods. One method is routing the attack to a blackhole.
Another method is using QoS (Quality of Service). Another method is
tarpitting. Tarpitting will only work for TCP and not IP however. The
average user will not have access to do this however, even owners of
dedicated or colocation. On up the OSI model to the application layer
to say phpBB, there is very little to be done. Some mitigation methods
possible are the use of Visual Confirmation (visual turing, captcha,
whatever name you like), ensuring users must validate email addresses,
or better still, the administrator must validate an account. Apache has
an anti-DoS module that can be used. 

A DoS or DDoS will eventually become successful because the router or
other device will eventually have its resources taken trying to
mitigate the attack and will fail. So either the owner of the device
will have to take it offline until the attack subsides, or the victim
will be taken offline by the attack.

Author	Message
surabhi Newbie Joined: 03Apr2007 Online Status: Offline Posts: 1	Topic: DoS and DDoS Posted: 03Apr2007 at 11:54pm
	What is DoS and DDoS? What is Denial of Service exactly? Denial of Service is just that, Denial of Service. To be a bit more descriptive, Denial of Service is either accidental or purposeful attempts to deny users access to resources. This can be in the form of stealing bandwidth which is the most common form of attack, it can be in the form of eating disk space, it can be in the form eating processor, and various other resource stealing. Oftentimes this is accidental. The Slashdot effect is often an accidental denial of service. However, sometimes this can be on purpose. An attacker can launch software that will steal resources from a target. In a more general outlook, there are attacks called Land Attacks where an attacker will launch an attack that will cause a server or other target to attempt to respond to itself. Eventually this will cause the server to eat up the allocated connection tables and will not respond to any more requests. Other attacks such as the Ping of Death eat up bandwidth until the target is so saturated that it cannot respond any more. Typically a Ping of Death involves IP spoofing. Many other attacks are out there and will eat up other resources. So what is a Distributed Denial of Service attack? DDoS, or Distributed Denial of Service attack is pretty self-explanatory. This is a Denial of Service attack this coming from multiple directions. Slashdot effect is a good example of a DDoS. The above-mentioned attacks can also be DDoS attacks if multiple hosts are involved. You'll typically see DDoS attacks from zombies, or computer that have been infected with a piece of malware to allow them to be controlled by an attacker. This is typical of botnets, or computers that have been infected with a malware that forces the computer to join an IRC channel for control of the attacker. These computers can then be controlled to launch port scans against a target, be it a single computer or network, launch SYN floods or whatever else the malware author coded. How does this affect web application? Typically a user of web application will not see a DDoS. What they will see instead is a DoS. This can come in several forms, but most common are registration flooding, searching flooding, and post flooding. What makes these types of attacks unique is that HTTP attacks require a 3 way handshake. In other words, the IP address cannot be spoofed. This doesn't mean that it cannot be masked (think proxies), but the 3 way handshake is a component of the stateful TCP (Transmission Control Protocol). Without going really low-level in networking protocols, the host must send a packet saying "I'm here, I want to communicate with you" and the target (victim or not) will send a reply saying "Okay, I'm ready for you" and then the host will reply saying "Okay, here comes the information." This is the 3 way handshake. Prevention methods, are they available? Yes and no. Eventually a DoS or DDoS will win. There are mitigation methods and countermeasures however. On the lower networking level (layers 2 and 3 for those familiar with the OSI model) there are mitigation methods. One method is routing the attack to a blackhole. Another method is using QoS (Quality of Service). Another method is tarpitting. Tarpitting will only work for TCP and not IP however. The average user will not have access to do this however, even owners of dedicated or colocation. On up the OSI model to the application layer to say phpBB, there is very little to be done. Some mitigation methods possible are the use of Visual Confirmation (visual turing, captcha, whatever name you like), ensuring users must validate email addresses, or better still, the administrator must validate an account. Apache has an anti-DoS module that can be used. A DoS or DDoS will eventually become successful because the router or other device will eventually have its resources taken trying to mitigate the attack and will fail. So either the owner of the device will have to take it offline until the attack subsides, or the victim will be taken offline by the attack. Post Resume: Click here to Upload your Resume & Apply for Jobs

	IP Logged


One Stop Testing Forum : Types Of Software Testing @ OneStopTesting : Functional Testing @ OneStopTesting