With the number of 'hacking' attacks being reported in the news increasing, this page attempts to describe in general terms how one class of these attacks (denial-of-service) works.
Types of Attack
We'll get into specific attacks in a bit, but in general terms, denial-of-service attacks fall into four broad categories:
Tying up CPU cycles or resources
Disabling web traffic (this can also happen accidentally)
What most people don't realize is that network communications consist of several layers. Each layer has its own protocols for information transmission and security. Toward the bottom is the actual telecommunications layer. Because this layer contains the greatest concentration of traffic (after all, everything eventually gets reduced to bits being sent over wires), it is probably the weakest link in the chain. If your telecom layer can be interrupted, everything comes to a halt. In some companies, if communications are interrupted for even a day, the company can be in serious business trouble; those companies will often have triple-redundant routing (or more) so that if one channel gets attacked, other channels are still available.
Specific Attacks
Below are descriptions of six denial-of-service attacks (there are more). The descriptions are kept general and are readily available on the net. Please don't ask for further details.
The basic purpose of a SYN flood is to use up all new network connections at a site and thus prevent legitimate users from being able to connect. TCP connections are made by first sending a request to connect with an ID in it. The receiving system sends out an acknowledgment saying it's ready, and then the sending system is supposed to send an acknowledgment that the connection has been made. The SYN (SYnchronize sequence Number) packet is the first of these and contains the ID the receiver is supposed to reply to. If a fake ID is in that packet, the receiving system never gets a connection acknowledgment. Eventually, the connection will time out and that incoming channel on the receiver will become available again for another request. A SYN flood sends so many such requests that all incoming connections are continuously tied up waiting for acknowledgments that never come. This makes the server generally unavailable to legitimate users (unless one happens to sneak in just at the moment one of the tied-up connections times out).
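The handshake and time-out behaviour described above, as a small Python model added here (it is not code from the original page): a listener with a fixed number of slots for half-open connections and a timeout, SYNs whose senders never return the final acknowledgment, a legitimate client that is refused while the table is full and admitted once the stale entries time out, and the defender-side check that a backlog persistently full of unacknowledged SYNs is the flood's signature. The addresses, the capacity of 8 slots and the 30-second timeout are constructed values; real backlogs are far larger.

```python
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A listening socket's table of half-open connections (SYN seen, final ACK not yet seen)."""
    capacity: int        # slots for half-open connections (constructed; real backlogs are far larger)
    timeout: int         # seconds a half-open entry waits for the final ACK before being dropped
    pending: dict = field(default_factory=dict)   # (src_ip, client_seq) -> second the SYN arrived
    established: int = 0
    rejected: int = 0

    def _expire(self, now: int) -> None:
        """Drop half-open entries whose final ACK never came within the timeout."""
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[key]

    def on_syn(self, src_ip: str, seq: int, now: int) -> bool:
        """Step 1: a SYN arrives. Reserve a slot and (conceptually) answer SYN-ACK; False if the table is full."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[(src_ip, seq)] = now
        return True

    def on_ack(self, src_ip: str, seq: int, now: int) -> bool:
        """Step 3: the client's ACK arrives; the connection is established and its slot is freed."""
        self._expire(now)
        if self.pending.pop((src_ip, seq), None) is None:
            return False
        self.established += 1
        return True

    def half_open_ratio(self, now: int) -> float:
        """Fraction of the backlog occupied by connections still waiting for their final ACK."""
        self._expire(now)
        return len(self.pending) / self.capacity


def syn_flood_suspected(listener: Listener, now: int, threshold: float = 0.8) -> bool:
    """Defender-side check: a backlog that stays nearly full of unacknowledged SYNs is the flood's signature."""
    return listener.half_open_ratio(now) >= threshold


def simulate(capacity: int = 8, timeout: int = 30) -> dict:
    """Walk through the scenario in the text with constructed addresses and integer-second timestamps."""
    lst = Listener(capacity, timeout)
    # A normal client completes all three steps and occupies no backlog slot afterwards.
    lst.on_syn("10.0.0.5", 100, now=0)
    lst.on_ack("10.0.0.5", 100, now=0)
    # The flood: SYNs whose source addresses never answer, so step 3 never happens.
    for i in range(capacity):
        lst.on_syn(f"203.0.113.{i}", 1000 + i, now=1)
    # A legitimate client arriving while the table is full is turned away.
    legit_rejected = not lst.on_syn("10.0.0.6", 200, now=5)
    flagged = syn_flood_suspected(lst, now=5)
    # Once the stale entries time out, slots free up and the same client gets through.
    legit_accepted_later = lst.on_syn("10.0.0.6", 200, now=1 + timeout)
    return {
        "established_before_flood": lst.established,          # 1
        "legit_rejected_during_flood": legit_rejected,        # True
        "flood_flagged": flagged,                             # True
        "legit_accepted_after_timeout": legit_accepted_later, # True
        "rejected_total": lst.rejected,                       # 1
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The ratio check runs against the model's own table; on a real host the equivalent figure is the count of sockets the kernel reports in the SYN_RECV state, which is what an administrator would watch.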
Ping (short for Packet Internet Groper) is a program that tests a TCP/IP network by sending an echo request and expecting a reply. The Ping of Death uses a test packet larger than that allowed. This can result in either a system crash or problems with network programs running on the targeted computer.
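The "packet larger than that allowed" limit, and the check a receiver needs, as an added Python example (not code from the original page): the IPv4 Total Length field is 16 bits, so a datagram can never legitimately exceed 65535 bytes, and an oversized ping arrives as a chain of fragments whose last piece claims an offset and length that together run past that limit. A reassembler that copies each fragment into a fixed buffer without checking where it ends is the kind of defect this attack triggers; the bounds-checked reassembler below refuses such a fragment before copying anything. The 20-byte header figure assumes a minimal header without options, and the fragment chains are constructed inputs.

```python
IPV4_MAX_TOTAL_LENGTH = 65535        # Total Length is a 16-bit field
IPV4_HEADER_LENGTH = 20              # assumption: minimal header, no options
MAX_PAYLOAD = IPV4_MAX_TOTAL_LENGTH - IPV4_HEADER_LENGTH   # 65515 bytes of payload at most
FRAGMENT_OFFSET_UNIT = 8             # the Fragment Offset field counts 8-byte blocks


class OversizedDatagram(ValueError):
    """Raised when a fragment would extend the datagram past the IPv4 maximum."""


def fragment_is_safe(offset_units: int, data_len: int) -> bool:
    """Per-fragment check usable in a packet filter: does this piece fit inside a legal datagram?"""
    return offset_units * FRAGMENT_OFFSET_UNIT + data_len <= MAX_PAYLOAD


def reassemble(fragments):
    """Rebuild the IP payload from (offset_units, more_fragments, data) tuples.

    Raises OversizedDatagram before any byte is copied past the bounded buffer,
    and ValueError if the pieces do not form a contiguous whole.
    """
    buf = bytearray(MAX_PAYLOAD)     # the fixed-size buffer an unchecked copy would overrun
    pieces = []
    payload_len = None
    for offset_units, more_fragments, data in fragments:
        start = offset_units * FRAGMENT_OFFSET_UNIT
        end = start + len(data)
        if not fragment_is_safe(offset_units, len(data)):
            raise OversizedDatagram(
                f"fragment at offset {start} with {len(data)} bytes ends at {end} > {MAX_PAYLOAD}")
        buf[start:end] = data
        pieces.append((start, end))
        if not more_fragments:
            payload_len = end        # the last fragment (MF=0) fixes the datagram's true length
    if payload_len is None:
        raise ValueError("final fragment (MF=0) missing")
    pieces.sort()
    covered = 0
    for start, end in pieces:        # every byte up to payload_len must be accounted for
        if start > covered:
            raise ValueError(f"gap in reassembly at byte {covered}")
        covered = max(covered, end)
    return bytes(buf[:payload_len])


# Constructed inputs: a normal 1500-byte echo payload split in two, and a chain
# whose last fragment claims to end 97 bytes past the limit.
SAFE_FRAGMENTS = [(0, True, b"A" * 1480), (185, False, b"B" * 20)]        # 185 * 8 == 1480
OVERSIZED_FRAGMENTS = [(0, True, b"A" * 8), (8189, False, b"B" * 100)]    # 8189 * 8 + 100 == 65612


if __name__ == "__main__":
    print(len(reassemble(SAFE_FRAGMENTS)), "bytes reassembled")
    try:
        reassemble(OVERSIZED_FRAGMENTS)
    except OversizedDatagram as exc:
        print("dropped:", exc)
```

The per-fragment test needs only the header fields, so it can run in a filter in front of the host as well as inside the reassembler; the reassembler keeps it anyway, since the bounded buffer is where the damage would otherwise occur.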
Unlike the E-mail virus hoaxes which say you can get a virus by simply reading E-mail, the mail bomb is the sending of very large volumes of mail to a mail server. Many servers can't handle large volumes of mail, and this will cause legitimate users to be denied service or perhaps lose mail.
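One way a mail administrator can spot the volume the text describes, as an added Python example (not code from the original page): a sliding-window count of messages and bytes per envelope sender over server log lines, flagging any sender who exceeds either limit within a minute. The log format, the addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-server log excerpt (hypothetical format: timestamp, envelope sender, size in bytes).
SAMPLE_LOG = """\
1997-05-02T10:00:00 from=<alice@example.com> size=2048
1997-05-02T10:00:05 from=<bomber@example.net> size=100000
1997-05-02T10:00:06 from=<bomber@example.net> size=100000
1997-05-02T10:00:07 from=<bomber@example.net> size=100000
1997-05-02T10:00:08 from=<bomber@example.net> size=100000
1997-05-02T10:00:09 from=<bomber@example.net> size=100000
1997-05-02T10:00:10 from=<bomber@example.net> size=100000
1997-05-02T10:00:30 from=<alice@example.com> size=1024
1997-05-02T10:01:00 from=<bob@example.org> size=4096
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> size=(?P<size>\d+)$")


def parse_line(line: str):
    """Return (timestamp, sender, size) for a log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"], int(m["size"])


def find_mail_bombs(lines, window=timedelta(minutes=1), max_messages=5, max_bytes=1_000_000):
    """Flag senders whose message count or total bytes inside a sliding window exceed the limits.

    Returns {sender: {"at": time first flagged (ISO 8601), "count": n, "bytes": total}}.
    """
    recent = defaultdict(deque)      # sender -> deque of (timestamp, size) still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, size = parsed
        q = recent[sender]
        q.append((ts, size))
        while q and ts - q[0][0] > window:    # drop entries that have aged out of the window
            q.popleft()
        count = len(q)
        total = sum(s for _, s in q)
        if sender not in flagged and (count > max_messages or total > max_bytes):
            flagged[sender] = {"at": ts.isoformat(), "count": count, "bytes": total}
    return flagged


if __name__ == "__main__":
    for sender, info in find_mail_bombs(SAMPLE_LOG.splitlines()).items():
        print(f"{info['at']} limit exceeded by {sender}: {info['count']} messages, {info['bytes']} bytes")
```

Two limits are kept because a bomb can be many small messages or a few enormous ones; the count catches the first shape and the byte total the second.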
One of the oldest methods of attack, this basically involves causing a program to run on the attacked system; a program that effectively ties up the CPU, making the system unavailable to other users. When this happens, the operating system generally crashes and takes the system down with it. Since this type of attack has been around for some time, most operating systems have safeguards against it built in. But newer operating systems are sometimes vulnerable (e.g., at this writing, 'hackers' are still finding some holes in NT that, in theory, could be exploited by an ActiveX control or, perhaps, a Netscape plug-in; as they are found, these holes are being plugged).
These attacks are not directed against a server but against users. Most user operating systems are not particularly secure, and hostile applets embedded in web pages have already been published which can, when downloaded and run, effectively put the user's system into an infinite loop which requires a restart to end. This is why it's very important to browse with automatic running of applets turned off. If you get to a page that requires an applet and you trust the source, just change your browser's security level and reload the page (but don't forget to turn automatic running off again when done).
Accidental Denial-of-Service
The internet is a complicated place and there is no single, central point of control for everything. With so many individuals and companies involved, there are bound to be errors. One happened in 1997 when a corrupted DNS table (the table that connects domain names to their actual numerical addresses) was released for distribution. The error was quickly discovered, but it took roughly three hours for the good table to propagate across the internet and replace the bad one. During this time, many systems could not be reached because the DNS table contained incorrect information.
Attacks can be sent by an individual or individuals, or can be set up to be sent automatically by programs known as Zombies that may have been installed on various computers in advance of the attack. With Zombies, all the attacker needs to do is send a single command and they perform the attack. This method can more easily isolate the attacker from those who might want to find him/her, as the attack itself is coming from completely unrelated computers that may be half a world away.
What Can Be Done?
Often, nothing; particularly as a user (except for applet attacks, which you can prevent from loading). If a server you use is attacked, you must wait for the administrator of that server to take action; and even those actions are sometimes hard to take because it's often hard to trace where an attack is coming from (it takes the cooperation of server administrators upstream to determine exactly where an attack is coming from, and by the time the research can be done the attack is often over, only to be started from some other location).
Some specific attacks can be countered by upgrades to the network operating system; so if you operate a server, make certain you have the latest software and know about all the various patches that have been issued for it relating to security.
The bottom line is, as in all cases of "bad" behavior, the ultimate solution would be an improvement in the behavior of those who would take servers down just for the fun of it. Until those morals improve there will always be attacks and countermeasures. Those in the middle just have to keep up to date.