Review Questions Edit

Define a denial-of-service (DoS) attack. Edit

An attempt to make a resource (e.g. CPU, memory, bandwidth, disk space) unavailable to its legitimate users, by exhausting it.

What types of resources are targeted by such attacks? Edit

Any network connected resource. Web servers, mail servers, databases, etc.

What is the goal of a flooding attack? Edit

The intent is generally to overload the network capacity on some link to a server.

What types of packets are commonly used for flooding attacks? Edit

Any type that is not filtered - so depends on network configuration.The larger the packet is, the more effective the attack.Common types used: ICMP (ping), UDP packets, TCP SYN packets (opens a connection).

Why do many DoS attacks use packets with spoofed source addresses? Edit

Because (a) the server may send responses, which might flood the attacker, and (b) to make it harder to identify the attacker.

Define a distributed denial-of-service (DDoS) attack. Edit

Using multiple systems to coordinate a DoS attack with much larger volume.

What architecture does a distributed denial of service (DOoS) attack typically use? Edit

Hierarchical - to control the large number of systems involved in the attack..

Define a reflection attack. Edit

Sending packets, with a spoofed source IP address, to some server, making it respond to the spoofed IP address.

Define an amplification attack. Edit

Like reflection-attack, but wishes to make the responses larger than the requests. Can be done, for example, by broadcasting a request to some network (one request) making all the hosts respond to the same spoofed IP address (many responses); or by sending DNS requests (40-512 byte requests, ~4000 byte response) with spoofed source IP.

What is the primary defense against many DoS attacks, and where is it implemented? Edit

Blocking packets with spoofed IP address - the gateway can block outgoing packets if their source IP address is not within the network.

What defenses are possible against nonspoofed flooding attacks? Can such attacks be entirely prevented? Edit

Attacks using particular packet types, such as ICMP floods or UDP floods to
diagnostic services, can be throttled by imposing limits on the rate at which these
packets will be accepted. In normal network operation, these should comprise a
relatively small fraction of the overall volume of network traffic. Many routers,
particularly the high-end routers used by ISPs, have the ability to limit packet rates.
Setting appropriate rate limits on these types of packets can help mitigate the effect
of packet floods using them, allowing other types of traffic to flow to the targeted
organization even should an attack occur.

source: Computer Security Principles and Practice (2nd Edition) page 241

What defenses are possible against TCP SYN spoofing attacks? Edit

  • Using a modified version of TCP connection handling code. When a SYN packet is sent to the server, the server generates and encodes critical information about the connection and sends a SYN-ACK packet with the cookie attached. If someone responds then the response contains the encoded cookie which the server can decode and reconstruct information about the connection.
  • Using the "random drop" mechanism which chooses an incomplete connection randomly and drops it.
  • Changing some TCP configurations like: size of the TCP connections table and the timeout used for removing incomplete entries from the table.

What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overload and the consequences of a DoS attack? Edit

when popular sporting events like the Olympics or Soccer World Cup matches occur, sites reporting on them experience very high traffic levels. This has led to terms slashdotted, flash crowd, or flash events being used to describe such occurrences(pg265)

What defenses are possible to prevent an organization's systems being used as intermediaries in an amplification attack? Edit

The best defense is to block the use of IP directed broadcasts.

What steps should be taken when a DoS attack is detected? Edit

The first step is to identify the type of attack, then use the suitable filters to block the flow of attack packets. Ask the ISP to trace the flow of packets back in an attempt to identify their source. Finally analyze the attack and response in order to gain benefit from the experience and to improve future handling. TODO

What measures are needed to trace the source of various types of packets used in a DoS attack? Are some types of packets easier to trace back to their source than others? Edit

It is needed to have organizational personnel using suitable network analysis tools, to capture packets flowing into the organization and analyzing them, looking for common attack packet types. If the they lack the organizational personnel the ISP will need to perform the capture and analysis of packets. If the attack is a spoofed flood it can be difficult and time consuming. </span>TODO

Problems Edit

8.1 In order to implement the classic DoS flood attack, the attacker must generate a sufficiently large volume of packets to exceed the capacity of the link to the target organization. Consider an attack using ICMP echo request (ping) packets that are 500 bytes in size (ignoring framing overhead). How many of these packets per second must the attacker send to flood a target organization using a 0.5-Mbps link? How many per second if the attacker uses a 2-Mbps link? Or a 10-Mbps link? Edit

To flood a bandwidth of W bits with packets of length P bits, the attacker would need W/P packets.
For W=0.5M bits and P = 500bytes = (500*8) bits the attacker would need 0.5M/(500*8) = (0.5*2^20)/(500*8) = 131.072. That is, 132 packets per second.
For W=2M bits and the same P, the attacker would need W/P=524.288, that is 525 packets.AARON DONALD TRUM

8.2 Using a TCP SYN spoofing attack, the attacker aims to flood the table of TCP connection requests on a system so that it is unable to respond to legitimate connection requests. Consider a server system with a table for 256 connection requests. This system will retry sending the SYN-ACK packet five times when it fails to receive an ACK packet in response, at 30-second intervals, before purging the request from its table. Assume that no additional countermeasures are used against this attack and that the attacker has filled this table with an initial flood of connection requests. At what rate must the attacker continue to send TCP connection requests to this system in order to ensure that the table remains full? Assuming that the TCP SYN packet is 40 bytes in size (ignoring framing overhead), how much bandwidth does the attack consume to continue this attack? Edit

(I'm really not sure about this - its very simplified)

The server clears out an entry in the table every 5*30sec=150sec.
Assuming at the beginning the table is full, then after 150sec all the 256 entries are cleared.
So the attacker should send (on average) 256 TCP-SYN packets every 150sec.
That is 1 TCP-SYN every 0.586sec, or 1.707 TCP-SYN packets per sec.

Assuming TCP-SYN is 40bytes, the consumed bandwidth is 1.707*40bytes = 68.28 [Bytes/sec] = 546.24 [bits/sec]


I believe the above problem is close to correct, but taking into account that the SYN-ACK packet is retried 5 times, I think an extra 30 seconds is added to the above problem since the first retry probably doesn't take place until after 30 seconds after the original response attempt.


I think that the consumed bandwith is much higher. The original answer only accounts for the sent packets from the attacker. For every 150 seconds each entry is sent once and replied to 5 times. Each time it is sent or replied 40 bytes are used. So the math is 6*40*256/150 is 409.6 bytes/second.


For a TCP SYN spoofing attack, on a system with a table for 256 connection requests, that will

retry 5 times at 30 second intervals, before purging the request from its table, each connection

request occupies a table entry for 6 x 30 secs (initial + 5 repeats) = 3 min. In order to ensure that the

table remains full, the attacker must continue to send 256/ 3 or about 86 TCP connection requests

per minute? Assuming the TCP SYN packet is 40 bytes in size, this consumes about 86 x 40 x 8 /

60, which is about 459 bits per second, a negligible amount.

There are many aspects here that the answers you provided overlooked. The most common error

was to consider only 5 x 30 whereas for each request there are six (original + five retries). Also,

some of you did not look at the bandwidth.