The Two Common Denial-of-Service Attacks: Understanding the Threats

The two common denial-of-service attacks (DoS), flooding and crashing, are a constant menace in the digital world. These attacks disrupt websites, networks, and online services, causing downtime, frustration, and potential financial losses.

To combat these threats effectively, it’s crucial to understand how they work and the impact they can have.

Want to learn more about the core objective of a DoS attack? Read this article before we explore the two common denial-of-service attacks.

A. Flooding Attacks: Overwhelming Systems with Traffic

Flooding attacks, also known as volumetric attacks, are the most prevalent type of denial-of-service attack.

The goal is simple: overwhelm the target system with an overwhelming amount of traffic, exceeding its capacity to handle legitimate requests. This renders the system unresponsive and inaccessible to genuine users.

The common types of flooding attacks are:

ICMP Flood

In an ICMP flood, the attacker bombards the target with Internet Control Message Protocol (ICMP) packets, commonly known as “ping” requests. This flood of pings consumes bandwidth and resources, causing the target to slow down or crash.

Want to learn how ICMP flood attack is executed? Here is a breakdown:

1. The Attacker’s Tools: The attacker typically uses readily available tools or scripts designed to generate and send a large volume of ICMP echo request packets (“pings”). These tools can be configured to target specific IP addresses or ranges.

1. Spoofing IP Addresses: To make it difficult to trace back to the original source, attackers often spoof (fake) the source IP address in the ICMP packets. This means the packets appear to originate from a different device or network.
2. Flooding the Target: The attacker initiates the flood by sending a massive number of ICMP echo requests to the target system or network. This can involve multiple compromised devices (a botnet) to amplify the attack’s impact.
3. Overwhelming the Target: The target system is obligated to respond to each ICMP echo request with an ICMP echo reply. As the flood of requests increases, the target’s resources become strained. It struggles to process legitimate traffic and respond to the flood, consuming bandwidth and CPU cycles.
4. Denial of Service: Eventually, the sheer volume of incoming requests and the system’s attempts to respond overwhelm its capacity. This results in a denial of service, where legitimate users are unable to access the targeted website, network, or service.

UDP Flood

A User Datagram Protocol (UDP) flood involves sending a massive number of UDP packets to random ports on the target system. The system struggles to process these requests, leading to resource depletion and potential service disruption.

Let’s break down how a UDP flood attack works:

1. The Nature of UDP:

• Connectionless: Unlike TCP (Transmission Control Protocol), UDP doesn’t establish a formal connection before sending data. This makes it faster but less reliable.
• Unacknowledged: UDP packets are sent without any guarantee of delivery or acknowledgement from the receiver. This is like sending a postcard—you hope it arrives, but there’s no way to know for sure.

2. The Attacker’s Strategy:

• Spoofed Source IP: The attacker often spoofs (fakes) the source IP address in the UDP packets to make it difficult to trace the origin of the attack.
• Random Ports: UDP packets are sent to random ports on the target system. This is because UDP is commonly used for various services, each with its own port number.

3. The Target’s Response:

• Checking for Listeners: For each UDP packet received, the target system checks if any application or service is listening on that specific port. If not, it’s assumed the packet is undeliverable.
• ICMP “Destination Unreachable”: If no listener is found, the target system sends an ICMP “Destination Unreachable” message back to the supposed source IP (which is often spoofed).

4. Overwhelming the Target:

• Resource Drain: The sheer volume of UDP packets, combined with the system’s effort to check ports and send responses, consumes valuable resources (CPU, memory, network bandwidth).
• Denial of Service: This resource drain can quickly overwhelm the target system, making it unresponsive to legitimate requests and effectively causing a denial of service (DoS).

Amplification Attacks

In more sophisticated UDP flood attacks, attackers can leverage amplification techniques. They send small UDP packets to servers that respond with much larger UDP packets, amplifying the attack’s impact.

This is like sending a postcard that triggers a large package to be delivered to the target.

SYN Flood

SYN floods exploit the TCP handshake process. The attacker sends a flood of SYN packets (the first step in establishing a TCP connection) but never completes the handshake. This ties up the target’s resources and prevents legitimate connections.

Ordinarily, here is how a SYN flood attack works:

1. The TCP Three-Way Handshake:

• SYN: The client initiates a connection by sending a SYN (synchronize) packet to the server.
• SYN-ACK: The server acknowledges the request by sending back a SYN-ACK (synchronize-acknowledge) packet.
• ACK: The client completes the handshake by sending an ACK (acknowledgement) packet.

This three-way handshake ensures both sides are ready to communicate and establishes a reliable connection for data transfer.

2. The Attacker’s Exploitation:

• Spoofed Source IP: The attacker sends a massive number of SYN packets, often with spoofed source IP addresses. This makes it difficult to trace the attack’s origin.
• Incomplete Handshake: The attacker intentionally doesn’t send the final ACK packet to complete the handshake.

3. The Target’s Dilemma:

• Limited Resources: Servers have a limited number of “half-open” connections they can maintain simultaneously. Each incoming SYN packet allocates some memory and resources on the server.
• Timeout: The server waits for a certain period (the timeout) for the final ACK packet. If it doesn’t arrive, the server eventually releases the resources.
• Overwhelm: With a flood of SYN packets and no corresponding ACKs, the server’s connection table fills up. It becomes unable to accept new legitimate connections, effectively resulting in a denial of service.

B. Crashing Attacks: Exploiting Vulnerabilities

Crashing attacks take a different approach. Instead of overwhelming the target with traffic, they exploit vulnerabilities in the system’s software or configuration. By triggering these weaknesses, attackers can cause the system to crash, resulting in denial of service.

Here are the common types of crashing attacks:

Buffer Overflow Attacks

These attacks exploit software flaws that allow attackers to send more data than a buffer can handle. This excess data overwrites adjacent memory, potentially leading to crashes or even remote code execution.

Let’s break down how a buffer overflow attack occurs:

1. What is a Buffer?

Temporary Storage: In programming, a buffer serves as a temporary storage area in memory, holding data during transfer or processing. Think of it like a box with a specific size.

Fixed Size: Programmers often design buffers with a fixed size to hold a predetermined amount of data.

2. The Vulnerability:

• Lack of Input Validation: A buffer overflow vulnerability arises when a program doesn’t properly check the size of input data before placing it into a buffer.
• Exceeding the Limit: If an attacker sends more data than the buffer can hold, the excess data spills over into adjacent memory locations.

3. The Exploit:

• Overwriting Memory: The overflowing data overwrites whatever was previously stored in those adjacent memory locations. This can corrupt data, crash the program, or, in more severe cases, allow the attacker to execute malicious code.
• Malicious Code Injection: Attackers can craft their input data to include malicious code. When the buffer overflows, this code gets written into memory and can be executed by the program, giving the attacker control over the system.

Types of Buffer Overflows:

• Stack-Based Buffer Overflow: Occurs when a buffer on the program’s call stack is overwritten. Attackers can manipulate the return address on the stack, redirecting program execution to their malicious code.
• Heap-Based Buffer Overflow: Occurs when a buffer on the heap (a more dynamic memory area) is overwritten. These are more complex to exploit but can still be used to gain control.

Application-Specific Attacks

Attackers may target vulnerabilities in specific applications or services running on the system. By sending malformed requests or exploiting bugs, they can cause the application to crash, affecting the overall availability of the system.

Let’s break down how application-specific attacks occur:

1. Identifying Vulnerabilities:

• Discovery: Attackers actively search for vulnerabilities in specific applications or services running on a target system. This can involve manual testing, automated scanning tools, or leveraging publicly disclosed vulnerabilities (CVEs).
• Zero-Day Vulnerabilities: In some cases, attackers may discover previously unknown vulnerabilities (zero-days) that the software vendor is unaware of. These are particularly dangerous as there are no patches available yet.

2. Crafting Malicious Requests:

• Understanding the Application: Attackers analyze the application’s logic, protocols, and input/output formats to understand how it works and where it might be vulnerable.
• Crafting Exploits: They create specially crafted requests or input data that exploit the identified vulnerabilities. These requests may be:
  • Malformed: Violating the expected format or structure of data.
  • Oversized: Exceeding the limits of what the application can handle.
  • Unexpected: Triggering unintended behaviors within the application.

3. Sending the Attack:

• Directly to the Application: Attackers may send the malicious requests directly to the targeted application or service.
• Through Vulnerable Interfaces: Attackers exploit vulnerabilities in applications exposed to the internet or other networks through those interfaces.

4. Exploiting the Vulnerability:

• Crashing the Application: The malformed or unexpected input can cause the application to crash, resulting in denial of service (DoS) for users who rely on it.
• Code Execution: In severe cases, the vulnerability might allow the attacker to execute arbitrary code on the system. This can lead to data theft, system compromise, or even complete takeover.

Protecting Against Denial-of-Service Attacks

Having looked at the two common denial-of-service attacks, it’s now time we look at protective measures. While DoS attacks are a significant threat, organizations can take steps to mitigate the risk:

• Traffic Filtering and Rate Limiting: Firewalls and intrusion prevention systems filter out malicious traffic and limit the rate of incoming requests, preventing system overload.
• Load Balancing: Distributing traffic across multiple servers can increase resilience to DoS attacks. Even if one server becomes overloaded, others can continue to serve legitimate requests.
• Security Patches and Updates: Regularly updating software and applying security patches is crucial to prevent attackers from exploiting known vulnerabilities.
• DDoS Mitigation Services: For high-value targets, consider subscribing to specialized DDoS mitigation services. These services can detect and filter out malicious traffic before it reaches your systems.

The Two Common Denial-of-Service Attacks in Summary

Understanding the two common denial-of-service attacks – flooding and crashing – is the first step in defending against them.

By implementing robust security measures and staying vigilant, organizations can protect their systems and ensure uninterrupted service for their users.

Remember, the fight against DoS attacks is ongoing, and continuous adaptation is key to maintaining a secure online presence.