DoS attacks: crime without penalty
Today it is quite difficult for an ordinary user to tell where an attack on his computer system may come from and what form it will take. Most often it is a virus, an Internet worm or a Trojan, spam, a DoS attack causing a denial of service, theft of restricted information and, finally, insider threats.
At present one of the most widespread attacks is a distributed attack such as the denial of service (DoS) attack. In recent years media headlines have been full of DoS attacks. Every year these attacks cost companies millions of dollars and pose a serious threat to any computer system. Such attacks result in long system outages, lost profits and large amounts of work spent identifying the attack and preparing adequate response measures. Essentially, a DoS attack hinders or completely blocks service to legitimate users, networks, systems or other resources.
The aim of a DoS attack is to block the attacked system, i.e. to create conditions under which the remote computer can no longer exchange information with the outside world. This can be done in several ways: by creating a directed flood of requests (buffer overflow), or by exploiting errors in network protocols by sending malformed packets to the address of the target host. In the first case the host, swamped with requests, simply cannot maintain normal data transfer; in the second, the request-processing mechanisms overflow and the system fails.
Most such attacks rely on vulnerabilities in the Internet protocols (TCP/IP), particularly in the way SYN requests are processed. The situation got worse when hackers began using forged source addresses to stay anonymous, which makes identifying the real attackers much harder. All these trends have had a great impact on the Internet community and once more underlined the inadequacy of the security technologies applied on the World Wide Web. Although such attacks were predicted in theory several years ago, only now can we gauge their full danger, especially to e-commerce and to the websites of large and medium-sized companies.
Many security experts believe that the number of such attacks is growing because of the rapid spread of Windows NT/XP systems and the expansion of the Internet. Windows is a potential target for many hackers. Moreover, many tools for DoS attacks are freely available, and no high qualification is required to use them.
DoS attacks are a powerful tool for criminals: it is often easier to halt a system or a network than to gain access to it. It is well known from the history of the Internet that the TCP/IP protocol suite was developed for an open and trusted community of users, and its latest version, 4, inherited all the weaknesses of its predecessor. Moreover, many operating systems and network devices have flaws in their implementation of the network stack, which significantly reduces their ability to withstand DoS attacks. We have seen devices running an outdated IP stack halt simply on receiving an ICMP packet with an incorrect parameter. Since there are many tools for launching a DoS attack, it is important to know their types and how to detect and avert such attacks.
Most operating systems (from Windows to the many versions of Unix), routers and network components that process packets at any level are vulnerable to DoS attacks. In general it is quite hard to prevent a DoS attack. However, restricting access to important accounts, resources and files, and protecting them from unauthorized users, can substantially hamper many DoS attacks. The number of DoS attacks grows every day. If a hacker cannot gain access to a computer, he tries to damage it with a DoS attack. This means that even when a system is properly protected, the hacker can still harm the company.
On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.
Common forms of denial of service attacks are:
Buffer Overflow Attacks
The most common kind of DoS attack is simply to send more traffic to a network address than the programmers who planned its data buffers anticipated someone might send. The attacker may be aware that the target system has a weakness that can be exploited, or the attacker may simply try the attack in case it might work. A few of the better-known attacks based on the buffer characteristics of a program or system include:
- Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs
- Sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (ping) of death)
- Sending to a user of the Pine e-mail program a message with a “From” address larger than 256 characters
SYN Attack
When a session is initiated between a Transmission Control Protocol (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid “hand-shaking” exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can’t be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. In general, this problem depends on the operating system providing correct settings or allowing the network administrator to tune the size of the buffer and the timeout period.
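To make the buffer-size and timeout trade-off concrete, the following added example (not from the article) simulates a listen backlog: each SYN occupies one slot until the client finishes the handshake or the slot times out. The arrival streams, backlog size and timeout values are constructed.

```python
"""Simulate a TCP listen backlog under unanswered SYNs.

Constructed model (added example): every SYN takes one backlog slot. A
legitimate client completes the handshake after `rtt` seconds and frees
the slot; a SYN that is never answered holds it until `timeout` expires.
A SYN that arrives when all slots are taken is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    t: float      # arrival time in seconds
    legit: bool   # True if the sender will complete the handshake


def simulate(syns, backlog, timeout, rtt=0.05):
    """Return (accepted, rejected) counts for legitimate clients."""
    slots = []                      # release time of each occupied slot
    accepted = rejected = 0
    for s in sorted(syns, key=lambda x: x.t):
        slots = [r for r in slots if r > s.t]   # expire finished entries
        if len(slots) >= backlog:   # backlog full: this SYN is dropped
            if s.legit:
                rejected += 1
            continue
        slots.append(s.t + (rtt if s.legit else timeout))
        if s.legit:
            accepted += 1
    return accepted, rejected


def make_flood(bogus_rate, legit_rate, duration):
    """Constructed arrival stream: evenly spaced unanswered SYNs at
    `bogus_rate`/s mixed with legitimate clients at `legit_rate`/s."""
    bogus = [Syn(i / bogus_rate, False) for i in range(int(bogus_rate * duration))]
    legit = [Syn(i / legit_rate + 1e-3, True) for i in range(int(legit_rate * duration))]
    return bogus + legit


if __name__ == "__main__":
    stream = make_flood(bogus_rate=20, legit_rate=5, duration=10)
    # Small backlog, long timeout: half-open entries pile up and fill it.
    print(simulate(stream, backlog=64, timeout=75))   # (16, 34)
    # Same backlog, half-open entries expire quickly: nobody is refused.
    print(simulate(stream, backlog=64, timeout=3))    # (50, 0)
```

With the long timeout the 64 slots fill after about three seconds and every later legitimate client is refused; shortening the half-open timeout alone keeps the steady-state occupancy below the backlog.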
Teardrop Attack
This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset from the beginning of the original packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker’s IP stack puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
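The checks a hardened reassembler applies before trusting fragment offsets, and the arithmetic that goes wrong without them, as an added example that is not part of the article. Fragments are (offset, length, more_fragments) tuples with offsets already converted from the header's 8-byte units to bytes; all sample inputs are constructed.

```python
"""Consistency checks a hardened IP reassembler applies to fragments.

Added example (not from the article). Fragments are (offset, length,
more_fragments) with byte offsets; all sample inputs are constructed.
"""
MAX_DATAGRAM = 65535   # an IPv4 datagram cannot exceed 65535 bytes


def check_fragments(frags):
    """Return "ok", or why the set must not be reassembled: "overlap",
    "too_large", "bad_alignment", or "incomplete" (wait for more)."""
    if not frags:
        return "incomplete"
    end = 0                 # end of the highest fragment seen so far
    complete = True
    last_more = True
    for off, length, more in sorted(frags):
        if off % 8 or (more and length % 8):
            return "bad_alignment"   # only the last fragment may be odd-sized
        if off + length > MAX_DATAGRAM:
            return "too_large"
        if off < end:
            return "overlap"         # teardrop-style: starts inside prior data
        if off > end:
            complete = False         # a hole; keep checking the rest
        end = off + length
        last_more = more
    if not complete or last_more:
        return "incomplete"
    return "ok"


def naive_trim_length(prev_end, off, length):
    """Copy length an unhardened reassembler computes for an overlapping
    fragment: it moves `off` forward past the data it already holds and
    then takes end - off without checking the sign. In C that negative
    value is used as a huge unsigned length, which is the teardrop crash."""
    end = off + length
    if prev_end > off:
        off = prev_end
    return end - off
```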
Smurf Attack
In this attack, the perpetrator sends an IP ping (or “echo my message back to me”) request to a receiving site. The ping packet specifies that it be broadcast to a number of hosts within the receiving site’s local network. The packet also indicates that the request is from another site, the target site that is to receive the denial of service. (Sending a packet with someone else’s return address in it is called spoofing the return address.) The result will be lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.
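The two border-router checks that break this pattern, as an added example that is not from the article: refusing echo requests addressed to a directed broadcast address (so the site cannot serve as an amplifier; this is the default RFC 2644 recommends) and dropping packets whose source address does not belong to the interface they arrived on (so a spoofed return address cannot originate from the site). The site prefixes and packets are constructed.

```python
"""Border-router checks against the Smurf pattern (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    icmp_type: int = -1        # 8 = echo request, 0 = echo reply
    from_outside: bool = True  # arrived on the Internet-facing interface


class BorderFilter:
    def __init__(self, inside_prefixes):
        # Constructed site prefixes; their directed broadcast addresses
        # are exactly the destinations a Smurf amplifier would answer.
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.broadcasts = {n.broadcast_address for n in self.inside}

    def is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.inside)

    def verdict(self, pkt):
        """Return ("drop", reason) or ("pass", "")."""
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst in self.broadcasts:
            return ("drop", "echo request to directed broadcast (amplifier)")
        if pkt.from_outside and self.is_inside(pkt.src):
            return ("drop", "inside source address arriving from outside")
        if not pkt.from_outside and not self.is_inside(pkt.src):
            return ("drop", "outbound packet with a non-site source")
        return ("pass", "")


if __name__ == "__main__":
    f = BorderFilter(["192.0.2.0/24", "198.51.100.0/25"])
    print(f.verdict(Packet("203.0.113.9", "192.0.2.255", "icmp", 8)))
    print(f.verdict(Packet("192.0.2.10", "203.0.113.9", "tcp")))
    print(f.verdict(Packet("203.0.113.9", "192.0.2.10", "icmp", 8)))
```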
Viruses
Computer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is usually not specifically targeted but is simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can range from barely noticeable to disastrous.
Physical Infrastructure Attacks
Here, someone may simply snip a fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.
A traditional DoS attack is carried out from one computer. However, a new kind of DoS attack appeared in 2001 – the distributed denial of service attack (DDoS). On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.
A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS “master.” It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple — sometimes thousands of — compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.
While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack — the final target as well as the systems controlled by the intruder.
The Computer Emergency Response Team (CERT) proposes the following steps for preventing and responding to DoS attacks.
Denial-of-service attacks can result in significant loss of time and money for many organizations. We strongly encourage sites to consider the extent to which their organization could afford a significant service outage and to take steps commensurate with the risk.
We encourage you to consider the following options with respect to your needs:
- Implement router filters as described in Appendix A of CA-96.21.tcp_syn_flooding, referenced above. This will lessen your exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks.
- If they are available for your system, install patches to guard against TCP SYN flooding as described in CA-96.21.tcp_syn_flooding, referenced above. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely.
- Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
- Enable quota systems on your operating system if they are available. For example, if your operating system supports disk quotas, enable them for all accounts, especially accounts that operate network services. In addition, if your operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) consider partitioning your file system so as to separate critical functions from other activity.
- Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
- Routinely examine your physical security with respect to your current needs. Consider servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of your system.
- Use Tripwire or a similar tool to detect changes in configuration information or other files. For more information, see
http://www.cert.org/tech_tips/security_tools.html
- Invest in and maintain “hot spares” - machines that can be placed into service quickly in the event that a similar machine is disabled.
- Invest in redundant and fault-tolerant network configurations.
- Establish and maintain regular backup schedules and policies, particularly for important configuration information.
- Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.
Many organizations can suffer financial loss as a result of a denial-of-service attack and may wish to pursue criminal or civil charges against the intruder. For legal advice, we recommend that you consult with your legal counsel and law enforcement.
U.S. sites interested in an investigation of a denial-of-service attack can contact their local FBI field office for guidance and information. For contact information for your local FBI field office, please consult your local telephone directory or see the FBI’s contact information web page:
http://www.fbi.gov/contactus.htm
Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.
If you are interested in determining the source of certain types of denial-of-service attack, it may require the cooperation of your network service provider and the administration of the networks involved. Tracking an intruder this way may not always be possible. If you are interested in trying to do so, contact your service provider directly. The CERT(*) Coordination Center is not able to provide this type of assistance. We do encourage you to report your experiences, however. This helps us understand the nature and scope of security incidents on the Internet, and we may be able to relate your report to other activity that has been reported to us.
A curious offer has recently appeared on the Russian Internet. Cyber criminals offer to block access to an ‘ordered’ website for only $150 per day. Such attacks are not rare, but experts suspect that this offer to ‘kill’ a website may conceal an ordinary scam.
“We are glad to propose you a quality service of pulling websites, we can ball up any website with our DDoS attack,” reads an advertising e-mail received by a correspondent of a Russian news agency.
According to the proposal, six hours of downtime cost $60 and 24 hours $150, by prepayment. “I can pull any website, say Microsoft,” the hacker boasted to the correspondent, who had introduced himself as a potential client. “But someone is gonna kick my ass for that, it will be enough,” he added. Nevertheless, DoZ agreed to attack www.microsoft.com for not less than $80,000 a week. For comparison, he asked far less to attack www.kremlin.ru, the official website of Russian President Vladimir Putin — $2,000 a week, and then even lowered the price to $1,000.
DoZ even provided contacts of his clients who agreed to recommend him.
“Yes, he will cope, I am currently working with him,” one of his clients says happily. “www.spamzone.net, a project of my competitors, has been down for a month already.” “It is a pity to pay $4000 at once, but at the same time you have no competitors,” another customer agrees.
A police officer, who wished to remain unnamed, believes that in this case we may be looking at an ordinary scam. “One person can have tens of nicknames in the Net. It’s all rubbish [an offer to DDoS attack by prepayment], although there is always an idiot who will believe and pay,” he says. He added that nobody has ever been prosecuted for pure DDoS attacks in Russia. Criminals are, though, often caught for extortion related to DDoS attacks.
“There are many people who can DDoS attack, although it is surely beyond their strength to ‘pull Microsoft’,” Igor Vlasov, ArtBureau’s system architect, remarks. “They have no special liking of the background, although there are men of principle who attack porn sites purely.” He added that anyone can find DDoS attack executors who can block a badly protected website for $80 per day. According to Vlasov, a normal system administrator will need about 5 hours to cope with such a cyber attack.
“A DDoS attack on the root DNS Internet servers has become the most famous (a domain name is first purchased through a domain registrar; at the time you sign up for the domain, you are asked to submit your personal information and information on 2 or more name servers; this information is stored on a ‘root DNS server’; when someone searches for your domain on the web or using any other service that needs details on your domain, these root servers are queried - CCRC) in November 2002,” Alexander Gostev, an analyst for Kaspersky Antivirus Labs, recalls. “Then the load on the servers increased dozens of times and processing of ordinary requests was extremely slowed or even stopped.”
In recent years DDoS attacks have seriously troubled many websites. “The main damage cyber attacks bring to companies lies not only in the site’s downtime, but in damage to the reputation of the company,” Christopher, KPMG’s Information Risk Management Department Chief, says. According to him, clients of the company disappointed by the inaccessibility of its website may turn to competitors.
On June 8, 2004 one of the CCRC websites was the target of a “contract hit”. The attack was accompanied by threats to bring down the two main sites of the Internet project crime-research.ru.
On June 8, from 3 pm the above-mentioned website was temporarily unavailable; only by 7 pm did the hosting ISP manage to neutralize the consequences of the attack. Most of the attack traffic came from the territory of Ukraine through compromised computers of ordinary users. The goal of the blackmail attack was to force the CCRC staff to take down one of the posted articles.
Often one of the first signs of the initial stage of a DoS attack is an unexplained growth of traffic, which allows additional measures to be taken to prevent the attack. A sudden increase in traffic that disrupts hosting operations causes the ISP to block the IP address of the website, making it unavailable.
According to CERT, an international authority on Internet security, there has been a sharp increase in DoS attacks in recent years. Criminal groups make wide use of computer tools and the newest information technologies.
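A baseline-driven traffic alarm of the kind the CERT list above recommends ("establish baselines for ordinary activity") and that would catch the early traffic growth described here, as an added example that is not from the article. The per-minute packet counts and the thresholds are constructed; the same logic applies to CPU or disk-activity counters.

```python
"""Detect a sudden traffic increase against a learned baseline (added example)."""
import statistics


def learn_baseline(counts):
    """Mean and population standard deviation of a quiet period."""
    return statistics.mean(counts), statistics.pstdev(counts)


def flag_intervals(counts, baseline, k=3.0, min_ratio=2.0):
    """Indices whose count exceeds both mean + k*stdev and min_ratio*mean.
    The ratio guard keeps a very steady (near-zero stdev) baseline from
    alarming on ordinary jitter."""
    mean, sd = baseline
    threshold = max(mean + k * sd, min_ratio * mean)
    return [i for i, c in enumerate(counts) if c > threshold]


def sustained_runs(indices, min_len=2):
    """Group flagged indices into runs of consecutive intervals and keep
    those of at least min_len: sustained growth is the early sign of a
    flood, while a lone spike is usually noise."""
    runs, cur = [], []
    for i in indices:
        if cur and i != cur[-1] + 1:
            if len(cur) >= min_len:
                runs.append((cur[0], cur[-1]))
            cur = []
        cur.append(i)
    if len(cur) >= min_len:
        runs.append((cur[0], cur[-1]))
    return runs


# Constructed data: 30 quiet minutes (packets/min), then a live window in
# which a single spike at minute 3 precedes a ramp from minute 5 onward.
QUIET = [120, 131, 118, 125, 140, 122, 119, 133, 127, 130,
         121, 138, 124, 129, 117, 135, 126, 123, 132, 128,
         119, 137, 125, 130, 122, 128, 134, 121, 127, 129]
LIVE = [128, 131, 124, 390, 129, 950, 2400, 5100, 9800, 12000]

if __name__ == "__main__":
    base = learn_baseline(QUIET)                 # mean 127, stdev about 6.1
    flagged = flag_intervals(LIVE, base)         # [3, 5, 6, 7, 8, 9]
    print(flagged, sustained_runs(flagged))      # ... [(5, 9)]
```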