Print Page | Close Window

DoS and DDoS

Printed From: One Stop Testing
Category: Types Of Software Testing @ OneStopTesting
Forum Name: Functional Testing @ OneStopTesting
Forum Discription: Discuss All that is need to be known about Functional Software Testing and its Tools.
URL: http://forum.onestoptesting.com/forum_posts.asp?TID=600
Printed Date: 24Dec2024 at 8:10pm


Topic: DoS and DDoS
Posted By: surabhi
Subject: DoS and DDoS
Date Posted: 03Apr2007 at 11:50pm
What is DoS and DDoS?

What is Denial of Service exactly?
Denial of Service is just that, Denial of Service. To be a bit more descriptive, Denial of Service is either accidental or purposeful attempts to deny users access to resources. This can be in the form of stealing bandwidth which is the most common form of attack, it can be in the form of eating disk space, it can be in the form eating processor, and various other resource stealing. Oftentimes this is accidental. The Slashdot effect is often an accidental denial of service. However, sometimes this can be on purpose. An attacker can launch software that will steal resources from a target.

In a more general outlook, there are attacks called Land Attacks where an attacker will launch an attack that will cause a server or other target to attempt to respond to itself. Eventually this will cause the server to eat up the allocated connection tables and will not respond to any more requests. Other attacks such as the Ping of Death eat up bandwidth until the target is so saturated that it cannot respond any more. Typically a Ping of Death involves IP spoofing. Many other attacks are out there and will eat up other resources.

So what is a Distributed Denial of Service attack?
DDoS, or Distributed Denial of Service attack is pretty self-explanatory. This is a Denial of Service attack this coming from multiple directions. Slashdot effect is a good example of a DDoS. The above-mentioned attacks can also be DDoS attacks if multiple hosts are involved. You'll typically see DDoS attacks from zombies, or computer that have been infected with a piece of malware to allow them to be controlled by an attacker. This is typical of botnets, or computers that have been infected with a malware that forces the computer to join an IRC channel for control of the attacker. These computers can then be controlled to launch port scans against a target, be it a single computer or network, launch SYN floods or whatever else the malware author coded.

How does this affect web application?
Typically a user of web application will not see a DDoS. What they will see instead is a DoS. This can come in several forms, but most common are registration flooding, searching flooding, and post flooding. What makes these types of attacks unique is that HTTP attacks require a 3 way handshake. In other words, the IP address cannot be spoofed. This doesn't mean that it cannot be masked (think proxies), but the 3 way handshake is a component of the stateful TCP (Transmission Control Protocol). Without going really low-level in networking protocols, the host must send a packet saying "I'm here, I want to communicate with you" and the target (victim or not) will send a reply saying "Okay, I'm ready for you" and then the host will reply saying "Okay, here comes the information." This is the 3 way handshake.

Prevention methods, are they available?
Yes and no. Eventually a DoS or DDoS will win. There are mitigation methods and countermeasures however. On the lower networking level (layers 2 and 3 for those familiar with the OSI model) there are mitigation methods. One method is routing the attack to a blackhole. Another method is using QoS (Quality of Service). Another method is tarpitting. Tarpitting will only work for TCP and not IP however. The average user will not have access to do this however, even owners of dedicated or colocation. On up the OSI model to the application layer to say phpBB, there is very little to be done. Some mitigation methods possible are the use of Visual Confirmation (visual turing, captcha, whatever name you like), ensuring users must validate email addresses, or better still, the administrator must validate an account. Apache has an anti-DoS module that can be used.

A DoS or DDoS will eventually become successful because the router or other device will eventually have its resources taken trying to mitigate the attack and will fail. So either the owner of the device will have to take it offline until the attack subsides, or the victim will be taken offline by the attack.



Print Page | Close Window