Instructor's Manual Materials to Accompany Computer Security Fundamentals, Chapter 4: Denial-of-Service Attacks

Author: William (Chuck) Easttom

Instructors Manual Materials to Accompany
COMPUTER SECURITY FUNDAMENTALS
CHAPTER 4
DENIAL-OF-SERVICE ATTACKS
CHAPTER 4 OBJECTIVES
When students finish reading this chapter, they will be able to:
Understand how denial-of-service (DoS) attacks are accomplished.
Know how certain DoS attacks work such as SYN flood, Smurf, and DDoS.
Take specific measures to protect against DoS attacks.
Know how to defend against specific DoS attacks.
CHAPTER OVERVIEW
This chapter describes in depth the workings of the denial-of-service (DoS) attack. This threat is one of the most
common attacks on the Internet, due in part to its ease of use and effectiveness in shutting down services. If you
can keep a service from reaching customers, then you can effectively stop e-business. Therefore, it is prudent for
you to understand how DoS attacks work and how to defend yourself against them.
The major sections in this chapter are
1. Overview. Demonstrates a simple way to squelch a web server with the ping utility.
3. DoS Weaknesses. A DoS attack can be stopped and traced back; DDoS attacks are hard to trace back.
5. Distributed Denial of Service (DDoS). DDoS is described as getting a number of machines to attack the target.
7. How to Defend Against DoS Attacks. Gives steps you can take to minimize the danger of DoS attacks,
including some information resources.
CHAPTER OUTLINE
I. Chapter 4 Objectives
II. Introduction
Denial of Service
III. Illustrating an Attack
Common Tools Used for DoS
1. TFN and TFN2K
2. Stacheldraht
DoS Weaknesses
IV. Specific DoS Attacks
TCP SYN Flood Attack
1. Micro Blocks
2. RST Cookies
3. Stack Tweaking
Smurf IP Attack
UDP Flood Attack
ICMP Flood Attack
The Ping of Death (PoD)
Teardrop Attack
Land Attack
Echo/Chargen Attack
V. Distributed Denial of Service (DDoS)
VI. Real-World Examples
MyDoom
Anonymous Uses DoS
VII. How to Defend Against DoS Attacks
VIII. Summary
IX. Test Your Skills
X. Exercises
XI. Projects
KEY TERMS
buffer overflow An attack that involves loading a buffer with more data than it is designed to hold.
crash A sudden and unintended failure, as in “My computer crashed.”
echo/chargen attack A type of DoS attack that attempts to build up too much CPU activity with echoes.
encryption The act of encrypting a message. This usually involves altering a message so that it cannot be read
without the key and the decryption algorithm.
firewall A device or software that provides a barrier between your machine or network and the rest of the world.
flood attack An attack that involves sending a large number of packets to a server in an attempt to overload the
server.
hacker One who tries to learn about a system by examining it in detail and reverse-engineering it.
ICMP flood attack An attack that attempts to overload the target system with too many ICMP packets for it to
respond to.
Internet Control Message Protocol (ICMP) A protocol used for a variety of purposes, including “pinging”
other computers.
Internet Protocol (IP) A protocol that is part of the TCP/IP suite of protocols, which is the foundation for most
networking and all Internet communications.
land attack Sending a packet to a machine with the source host/port being the same as the destination host/port,
causing some systems to crash.
loopback address An address used to test a machine’s own network card, 127.0.0.1.
ping To send a single ICMP packet to a destination, usually to confirm that the destination can be reached.
Ping of Death (PoD) To send an extremely large packet to a target. For some older systems, this would cause the
target to crash.
proxy server A machine or software that hides all internal network IP addresses from the outside world. It
provides a point of contact between a private network and the Internet.
router A device that separates networks.
RST cookie A method to prevent denial-of-service attacks that actually uses a type of cookie to authenticate the
client’s connection.
smurf A specific type of distributed denial-of-service attack.
SYN cookies Cookies used to authenticate connection requests and thus avoid certain types of denial-of-service
attacks.
SYN flood A denial-of-service attack in which the target is flooded with connection requests that are never
completed.
teardrop attack A type of attack against a TCP/IP stack based on using fragmented packets.
Trojan horse Software that appears to have a valid and benign purpose but actually has another nefarious
purpose.
UDP flood attack A denial-of-service attack based on sending a huge number of UDP packets.
virus Software that is self-replicating and spreads like a biological virus.
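To make the "SYN cookies" key term concrete, the following is an added example (not code from the textbook or its instructor's manual) of a stateless SYN-cookie check: the server derives the initial sequence number of its SYN-ACK from a keyed MAC of the connection's 4-tuple and a coarse clock tick, stores nothing for the half-open connection, and only creates state when the client's ACK carries a cookie it can recompute. The secret, the 8-bit counter, the age window and the bit layout are assumptions for illustration, not the layout of any real TCP stack.

```python
import hashlib
import hmac

# Assumptions for this example: a per-boot secret that is never sent on the
# wire, an 8-bit coarse clock (e.g. one tick per minute) and a two-tick window.
SECRET = b"per-boot-server-secret"
COUNTER_MASK = 0xFF
MAX_AGE_TICKS = 2


def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit truncated HMAC-SHA256 over the 4-tuple and the clock tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """ISN to place in the SYN-ACK; the server keeps no half-open entry."""
    counter &= COUNTER_MASK
    mac = int.from_bytes(_mac24(src_ip, src_port, dst_ip, dst_port, counter), "big")
    return (counter << 24) | mac


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now_counter):
    """Third handshake step: the ACK must carry cookie + 1 for a recent tick
    and the same 4-tuple; otherwise no connection is ever created."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    if ((now_counter - counter) & COUNTER_MASK) > MAX_AGE_TICKS:
        return False  # stale or forged tick: drop silently, no state consumed
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    # Constructed handshake using documentation addresses, at clock tick 10.
    isn = make_syn_cookie("203.0.113.5", 40000, "198.51.100.1", 80, 10)
    print("genuine ACK :", validate_ack("203.0.113.5", 40000, "198.51.100.1", 80, isn + 1, 10))
    print("spoofed src :", validate_ack("203.0.113.9", 40000, "198.51.100.1", 80, isn + 1, 10))
```

A flood of SYNs with spoofed sources therefore costs the server only one MAC computation each, and the ACKs that never arrive leave nothing behind to time out.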
TEACHING NOTES
I. Overview
Teaching Tips: You should not attempt any of these attacks on a LAN that is a subnet
of any production system. You may need to set up an isolated LAN to demonstrate this.
Teaching Tips: Point out that it would be unreasonable to use a Pentium II (PII) Windows 98 machine as a
web server. The more up-to-date the OS and the bigger the computer and network, the better it can defend
against a DoS attack.
II. DoS Attacks
Teaching Tips: Diagram the different attacks in steps. This gives a temporal
understanding of an attack that is hard to get from a book.
III. Real-World Examples
Teaching Tips: Explain that the reason these examples are still in circulation today is
mostly because people have not updated their computers against them.
IV. How to Defend Against DoS Attacks
PROJECTS/EXERCISES
I. Discussion Questions
A. Discussion Question 1
Should old or unpatched computers be allowed on a LAN?
B. Discussion Question 2
Can there ever be an effective defense against DDoS attacks?
II. Web Projects
A. Web Project 1
The Ping of Death exploit is an old one. Most modern operating systems are not
vulnerable to it. Go to Google.com and enter “Ping of Death vulnerable operating
systems” to see if any of your computers may be vulnerable. A good place to start is
http://www.pnl.gov/isrc/advisory-notices/advis3.stm.
B. Web Project 2
Go to ftp://ftp.isi.edu/in-notes/rfc2267.txt to find out how to configure a firewall
to protect against DoS attacks. Look up Land attack. What two simple rules for a firewall
(in English) would stop this type of attack?
C. Web Project 3
Go to Google.com and enter “DDoS zombie nets” to find out about networks of
compromised PCs. How do these PCs cause Web sites to fail? Why are these “botnets” so
hard to stop in DDoS attacks? A good place to start is
http://news.zdnet.com/2100-1009_22-5236403.html.
D. Web Project 4
Get the latest list of port numbers from IANA at
http://www.iana.org/assignments/port-numbers. Find out what port numbers need to be
blocked to stop echo and chargen.
WEB RESOURCES
CHAPTER REVIEW/ANSWERS TO TEST YOUR SKILLS
Multiple Choice Questions
1. What is one of the most common and simplest attacks on a system?
2. Which of the following is not a valid way to define a computer’s workload?
3. What do you call a DoS launched from several machines simultaneously?
4. Leaving a connection half open is referred to as a
5. What is the basic mechanism behind a DoS attack?
6. What is the most significant weakness in a DoS attack from the attacker’s viewpoint?
7. What is the most common class of DoS attacks?
8. What are three methods to protect against SYN flood attacks?
9. Which attack mentioned in this chapter causes a network to perform a DoS on one of its own servers?
10. A defense that depends on a hash encryption being sent back to the requesting client is called
11. What type of defense depends on sending the client an incorrect SYN-ACK?
12. What type of defense depends on changing the server so that unfinished handshaking times out sooner?
13. What type of attack is dependent on sending packets too large for the server to handle?
14. What type of attack uses Internet routers to perform a DoS attack on the target?
15. Which of the following is an example of a DDoS attack?
16. How can securing internal routers help protect against DoS attacks?
17. What can you do to your internal network routers to help defend against DoS attacks?
18. Which of the following was rated by many experts to be the fastest-growing virus on the Internet?
19. What can you do with your firewall to defend against DoS attacks?
20. Why will protecting against Trojan horse attacks reduce DoS attacks?
Exercises
EXERCISE 4.1: EXECUTING A DOS
This exercise is best accomplished in a lab with numerous machines available. The target server should be one of
low capacity for this exercise.
EXERCISE 4.2: STOPPING SYN FLOOD ATTACKS
EXERCISE 4.3: USING FIREWALL SETTINGS AND EXERCISE 4.4: USING ROUTER SETTINGS
Projects
PROJECT 4.1: EMPLOYING ALTERNATIVE DEFENSES
PROJECT 4.2: DEFENDING AGAINST SPECIFIC DENIAL OF SERVICE ATTACKS
PROJECT 4.3: HARDENING THE TCP STACK AGAINST DOS
This is a more complex project, requiring a lab machine, regarding the hardening of the TCP stack against DoS.
Case Study
