Security Laboratory

Denial of Service Attacks

Peter Giannoulis

A major ISP, MCI, reports an average of 1,000 DDoS attacks per day.[13] Denial of Service is something every security professional should consider in their risk assessments. DoS attacks affect the overall availability of a resource, so naturally it would fall within the 'Availability' section of the Confidentiality/Integrity/Availability (CIA) triad.

Malicious Code in Comparison

The reason we have seen so many successful worm and virus infections over the years is that they tend to change faces in order to covertly exploit as many systems as possible. They simply don't stay the same. For example, slightly altered or rewritten exploit code can successfully compromise the same vulnerability on a system which was patched just days earlier. How can that be? Most security vendors write signatures that search a packet, or a sequence of packets, for a specific exploit. However, most exploits don't target an entire vulnerability, but rather just a piece of it. To put this into perspective, let's think of a vulnerability as a square box for a minute. The exploit written to compromise a vulnerable system only needs to take advantage of 25% of the square box (the vulnerability). Every vendor scrambles to write a signature to match the specific exploit when it is released into the wild, leaving the other 75% of the square box open. Days or weeks later, as was the case with Code Red, Code Red II, and Code Blue, the attacker alters the original exploit, or writes a new one, which takes advantage of another 25% of the square box.[1] This is why we frequently see the same vulnerability being exploited time and time again using a variant of the same exploit code.[2]

What does this have to do with DoS attacks? Well, whereas malicious code changes very often, DoS attacks do not. Performing a search on Google for 'latest denial of service attacks' yields a ton of information from CERT, SANS, and others on Smurf attacks and SYN floods.[3] Many of these articles date back to the year 2000, and so do the tools that are required to initiate some of these attacks.

Traditional DoS Attack Methods

If traditional DoS attack methods are so old, why are they still effective? Let's examine some of the common DoS attack methods a little more closely:

  • SYN Flood - These attacks work when an attacker sends a massive number of spoofed SYN packets to a server. The server sends a SYN/ACK reply back to each spoofed IP address, which obviously never responds, since it never sent the original SYN packet. As the server waits for those responses, its connection table fills up to the point where legitimate users are denied access. Many operating system vendors have done an admirable job of protecting against SYN flood attacks, but the vulnerability still exists.[4]

    In recent years, many new products have been introduced to assist in the protection against SYN floods from a network perspective. For example, network-based IPS systems from vendors such as TippingPoint and McAfee can be deployed in front of the firewall so that SYN flood attacks are held at bay, but even these solutions are not a panacea. If a DoS attack occurs which consumes all of the bandwidth your service provider delivers to you, it's game over.

  • Smurf Attack - An attacker sends many ICMP Echo Request packets to a broadcast address, with the source address spoofed to that of the victim network. If every system on the network responds, the victim network becomes flooded.[5] Networks that were susceptible to this sort of attack were said to be smurfable. Now, in 2007, Smurf attacks are not very common. Simply ensuring that the forwarding of directed broadcasts is turned off on your router interfaces will prevent these attacks.[6]
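The half-open connection table described in the SYN Flood entry above, as an added example that is not part of the original article: a small Python model of a listener's backlog in which spoofed SYNs are never acknowledged, a legitimate client is refused while the table is full, and entries are reclaimed only after the timeout. The backlog size, the timeout and the packet records are constructed values, not taken from any real system or capture.

```python
"""Server-side connection table under a SYN flood (added example, not from the article).
Spoofed sources never ACK, so their half-open entries linger until a timeout; once the
table is full, further SYNs are discarded. Backlog and timeout are assumed, small values."""

from collections import Counter

BACKLOG = 4               # half-open entries the listener can hold (assumed)
HALF_OPEN_TIMEOUT = 60.0  # seconds before an unanswered SYN/ACK is abandoned (assumed)

# Constructed packet records, not a real capture: (seconds, source IP, server IP, TCP flag)
PACKETS = [
    (0.0,  "10.0.0.5",    "192.0.2.10", "SYN"),
    (0.1,  "10.0.0.5",    "192.0.2.10", "ACK"),  # legitimate client completes the handshake
    (1.0,  "203.0.113.1", "192.0.2.10", "SYN"),  # spoofed sources: the SYN/ACK goes to
    (1.1,  "203.0.113.2", "192.0.2.10", "SYN"),  # hosts that never sent a SYN, so no
    (1.2,  "203.0.113.3", "192.0.2.10", "SYN"),  # ACK ever comes back
    (1.3,  "203.0.113.4", "192.0.2.10", "SYN"),
    (2.0,  "10.0.0.6",    "192.0.2.10", "SYN"),  # legitimate client finds the table full
    (70.0, "10.0.0.7",    "192.0.2.10", "SYN"),  # after the timeout has purged stale entries
    (70.1, "10.0.0.7",    "192.0.2.10", "ACK"),
]

def simulate(packets, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Replay packets through a per-server half-open table; report who got in and who was refused."""
    half_open = {}                # (src, server) -> time the SYN arrived
    established, refused = [], []
    for t, src, server, flag in packets:
        # abandon entries whose SYN/ACK has gone unanswered longer than the timeout
        for key in [k for k, ts in half_open.items() if t - ts > timeout]:
            del half_open[key]
        key = (src, server)
        if flag == "SYN":
            in_use = sum(1 for _, s in half_open if s == server)
            if in_use >= backlog:
                refused.append((t, src))  # table full: SYN dropped, client never hears back
            else:
                half_open[key] = t        # server sends SYN/ACK and waits for the ACK
        elif flag == "ACK" and key in half_open:
            del half_open[key]            # third step done: entry moves to established
            established.append(src)
    return {"established": established, "refused": refused, "half_open": len(half_open)}

def handshake_counts(packets):
    """Network-side view: SYNs seen versus handshakes completed, per server. A large gap
    between the two over a short window is the signature a monitoring device alerts on."""
    syns, acks = Counter(), Counter()
    for _, _, server, flag in packets:
        (syns if flag == "SYN" else acks)[server] += 1
    return {s: (syns[s], acks[s]) for s in syns}
```

Running `simulate(PACKETS)` shows the client at 2.0 s refused while the four spoofed entries occupy the table, and the client at 70 s admitted once they have timed out; `handshake_counts(PACKETS)` reports 7 SYNs against 2 completed handshakes for the server.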

DoS Attack Methods Today

Although traditional DoS attack methods such as SYN floods are still seen on a daily basis in the wild, we need to examine some current DoS vulnerabilities in order to understand where things stand today:

  • Cisco IPS Packet Handling DoS - In July of 2006, a DoS vulnerability was discovered on Cisco IPS 4200 series models which were running version 5.1 software. The vulnerability itself was caused by the driver in place for the Intel network card when configured in promiscuous mode. If a crafted packet was sent to the affected Intel interface, the processing of packets would stop, causing a denial of service.[7]
  • Multiple DoS Vulnerabilities in Wireshark - Wireshark, formerly known as Ethereal, suffered a series of DoS vulnerabilities in October 2006. Simply injecting a malformed packet onto the wire, or fooling a user into opening a trace file containing a malformed packet, would cause Wireshark to crash. These DoS vulnerabilities affected versions 0.9.8 through 0.99.3, but the folks at Wireshark quickly released an update, and 0.99.4 corrects these issues.[8]
  • Snort Rule Matching Backtrack DoS - A Snort DoS vulnerability was announced by Randy Smith, Christian Estan, and Somesh Jha on January 11, 2007, in which a crafted packet exploits Snort's rule matching algorithm. This could cause the algorithm to slow down to the point where detection may become unavailable. Snort versions 1.8 through 2.6 were affected, but Snort was quick to release version 2.6.1, which corrected this issue.[9]

Protecting against DoS attacks

Traditional DoS attack methods such as SYN floods can be very hard to protect against. Computer systems have limitations, and there's only so much they can take before they collapse. Vendors such as Packeteer[10] and TippingPoint[11] have released rate-limiting and IPS devices to assist in the ongoing battle, but they are limited in resisting an attack that consumes your entire bandwidth.[12] In order to stay ahead of the attackers with regard to traditional DoS attack methods, a plan needs to be devised in which your ISP participates in the defense and monitors traffic consumption before it reaches your network. DoS vulnerabilities, such as the Snort Rule Matching Backtrack DoS described above, are easier to protect against, since a simple patch or software upgrade will, in many cases, resolve the issue.

Peter Giannoulis, GSEC, GCIH, GCIA, CISSP is an information security consultant in Toronto, Ontario, Canada, as well as a Technical Director for the GIAC family of certifications.

13. Email to Northcutt from MCI Security Team, Aug 2006