
DDoS Attacks

Methods used in DDoS type attacks

1 General Definitions
The following definitions and terms will be used throughout this document:
DoS Attack: Refers to all Denial of Service related attacks including DoS, DDoS and DRDoS
attacks (unless specified otherwise).
Victim: the target network, host or hosts of a DoS Attack.
Attacker: the initiator of the attack.
Intermediary: innocent hosts or networks exploited for the attack.

2 Attack classification
DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to make the target spend more resources processing traffic than the attacker spends sending it. Another method is to control multiple attackers. DoS attacks can therefore be classified into three categories: bandwidth/throughput attacks, protocol attacks and software vulnerability attacks.

2.1 Bandwidth/Throughput Attacks

Bandwidth attacks are intended to overflow and consume resources available to the victim. These resources include the network bandwidth between the victim and the Internet, or equipment throughput (including computer resources such as memory and CPU).
Such high-volume attacks can consume all available bandwidth between an ISP and the victim's site. The bandwidth clogs up, and legitimate users find it virtually impossible to receive any kind of service from the site, rendering it useless (in some scenarios the attack may even cause the victim's server to crash).
An attacker can consume bandwidth by transmitting any traffic at all on the victim's network connection.
Attack traffic can be classified into two separate groups. The first includes connectionless protocol traffic such as raw IP packets, UDP and ICMP, which primarily targets the victim's bandwidth capacity. The second group includes all connection-oriented protocols (mainly TCP related), which, in addition to consuming bandwidth, aim to exploit additional vulnerabilities of the network equipment used by the victim (switches, routers, firewalls etc.).
The first group of attacks exploits the throughput limits of servers or network equipment by focusing on high packet rates: sending large numbers of small packets which require large processing resources on the victim's side.
High-packet-rate attacks typically overwhelm network equipment before the traffic reaches the limit of available bandwidth. For instance, routers and firewalls that reach their input limits start dropping excess packets due to queue overflow and processing latencies. Servers under great processing stress may even collapse, resulting in a general system freeze. In practice, denial of service is often accomplished by high packet rates, not by sheer traffic volume. [1]
2.1.1 Ping Flood Attack (ICMP Echo)
ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host and a gateway to the Internet. ICMP messages are encapsulated in IP datagrams. ICMP includes two commonly used packets: the ICMP echo request, which conveys an ICMP query (for instance: is the host designated by IP address 1.1.1.1 reachable?), and the ICMP echo reply, which returns information (such as the latency to the host that sent the echo request).

Ping Flood is an attempt by an attacker on a high-bandwidth connection to saturate a network with ICMP Echo Request packets in order to slow or stop legitimate traffic going through the network.

2.1.2 SYN Flood Attack (DoS attack)

The idea behind this attack is to exploit the TCP three-way handshake.
Individual TCP packets contain "flag bits" which specify the contents and purpose of each packet. Packets can be marked as a "SYN" packet (synchronize), meaning that it is initiating a connection from the sender to the recipient; an "ACK" packet (acknowledge), which acknowledges the receipt of information from the sender; or a "FIN" packet (finish), terminating the connection from the sender to the recipient. In addition, each packet includes source and destination port numbers, the IP address of the machine which originated the packet (the Source IP) and the address of the machine to which the Internet's routers will forward the packet (the Destination IP). [3]
Since understanding the handshake is necessary for this mode of attack and for more advanced types, we start with a detailed explanation of how the handshake works.

2.1.2.1 TCP Three-Way Handshake

The connection-initiating SYN packet is usually sent from the client's port, numbered between 1024 and 65535, to the server's port, numbered between 1 and 1023. The port on the client side is assigned by the operating system.
When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet. Although TCP connections are bi-directional (full duplex), each direction of the connection is set up and managed independently. For this reason, a TCP server replies to the client's connection-requesting SYN packet by ACKnowledging the client's packet and sending its own SYN to initiate a connection in the returning direction. These two messages are combined into a single "SYN/ACK" response packet. The SYN/ACK packet is addressed to the SYN's sender by exchanging the source and destination IPs of the SYN packet and placing them into the answering SYN/ACK packet. This sets the SYN/ACK packet's destination to the source IP of the SYN, which is exactly what we want. [3][5]
The client's reception of the server's SYN/ACK packet confirms the server's willingness to accept the client's connection. If the server had been unable or unwilling to accept the client's TCP connection, it would have replied with a RST/ACK (Reset Acknowledgement) packet, or an ICMP Port Unreachable packet, to inform the client that its connection request had been denied.
The client ACKnowledges the receipt of the SYN portion of the server's answering SYN/ACK by sending an ACK packet back to the server. At this point, from the client's perspective, a new two-way TCP connection has been established between the client and server, and data may now flow freely in either direction between the two TCP endpoints.
The server's reception of the client's ACK packet confirms to the server that its SYN/ACK packet was able to return to the client across the Internet's packet routing system. At this point, the server also considers that a new two-way TCP connection has been established between the client and server, and data may now flow freely in either direction between the two TCP endpoints.
The server's receipt of a client's SYN packet causes the server to prepare for a connection. It typically allocates memory buffers for sending and receiving the connection's data, and it records the various details of the client's connection, including the client's remote IP and connection port number. In this way, the server will be prepared to accept the client's final connection-opening ACK packet. Also, if the client's ACK packet should fail to arrive, the server will be able to resend its SYN/ACK packet, presuming that it might have been lost or dropped by an intermediate Internet router. [3][4][5]

2.1.2.2 Exploiting the TCP Three-Way Handshake

Every time a handshake is initiated, memory and other significant server "connection resources" are allocated as a consequence of the receipt of a single Internet "SYN" packet. Obviously, there is a limit to the number of "half-open" connections a TCP server can handle, and therefore this limit may be exceeded by simple means. The method used by SYN Flood attacks is to create SYN packets with deliberately fraudulent (spoofed) return IP addresses. Flooded with SYN packets that appear indistinguishable from valid requests, the victim's server allocates all the resources mentioned above and replies with a SYN/ACK packet to the "Source IP". Since this IP was spoofed, in most cases the SYN/ACK packet will be discarded. Since the server does not know that the original SYN packet was fraudulent, it will wait and resend the SYN/ACK packet several more times before giving up. [3][4]
All of this connection management consumes valuable and limited resources in the server. Meanwhile, the attacking TCP client continues firing additional fraudulent SYN packets at the server, forcing it to accumulate a continuously growing pool of incomplete connections. At some point, the server will be unable to accommodate any more "half-open" connections and even valid connections will fail, since the server's ability to accept any connections will have been maliciously consumed. At this point legitimate sessions find it extremely difficult to be established with the victim's server. [3][5]
It is important to mention that this method of attack is NOT bandwidth consumption. This attack, mainly used several years ago when Internet servers were not as advanced, could be carried out by a single attacker working on a slow dialup line. Now that server performance has been considerably enhanced, this method of attack is not efficient enough to create the wanted DoS effect. [3]
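As an added example (not code from the original document), the following Python model replays constructed packet records against the half-open table that sections 2.1.2.1 and 2.1.2.2 describe: a SYN whose SYN/ACK is never answered occupies an entry until the server gives up, and a genuine client's SYN that arrives while the table is full is refused. It also derives the handshake completion ratio a defender can watch as a flood indicator. The backlog size, give-up timer and all addresses are assumed values.

```python
"""Model of a TCP listener's half-open table under a SYN flood (added example).
Packet records are constructed, not captured; backlog limit and give-up timer
are assumed values chosen so the effect is visible with a handful of packets."""
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport dst dport flags")
SYNACK_GIVEUP_S = 3.0   # assumed: server stops retransmitting SYN/ACK after 3 s
BACKLOG_LIMIT = 5       # assumed: deliberately tiny half-open limit

def replay(packets, server_ip, server_port, backlog=BACKLOG_LIMIT):
    """Replay packets against the server's half-open table.

    Returns (refused_syns, established, half_open_at_end). A SYN that arrives
    while the table is full is refused, whether or not the client is genuine.
    """
    half_open = {}          # (client_ip, client_port) -> time the SYN arrived
    established = set()
    refused = []
    for p in sorted(packets, key=lambda p: p.t):
        if p.dst != server_ip or p.dport != server_port:
            continue
        # Release entries whose SYN/ACK retransmissions the server has given up on.
        for key, t0 in list(half_open.items()):
            if p.t - t0 > SYNACK_GIVEUP_S:
                del half_open[key]
        key = (p.src, p.sport)
        if p.flags == "SYN":
            if len(half_open) >= backlog:
                refused.append(key)
            else:
                half_open[key] = p.t   # resources allocated on a single SYN
        elif p.flags == "ACK" and key in half_open:
            del half_open[key]         # third step done: connection established
            established.add(key)
    return refused, established, half_open

def syn_sources(packets, server_ip, server_port):
    """Distinct (client_ip, client_port) pairs that sent a SYN to the server."""
    return {(p.src, p.sport) for p in packets
            if p.dst == server_ip and p.dport == server_port and p.flags == "SYN"}

def completion_ratio(packets, server_ip, server_port):
    """Fraction of SYN sources that later completed the handshake.

    Spoofed sources never see the SYN/ACK, so a flood drives this towards 0.
    The table is made unbounded here so the metric reflects client behaviour.
    """
    sources = syn_sources(packets, server_ip, server_port)
    if not sources:
        return 1.0
    _, established, _ = replay(packets, server_ip, server_port, backlog=1 << 30)
    return len(established) / len(sources)

def flood_suspected(packets, server_ip, server_port, min_sources=5, max_ratio=0.5):
    """Detection rule: many SYN sources, few of which ever complete."""
    return (len(syn_sources(packets, server_ip, server_port)) >= min_sources
            and completion_ratio(packets, server_ip, server_port) <= max_ratio)

SERVER = ("192.0.2.80", 80)   # constructed victim address
SPOOFED = [Packet(0.1 * i, f"203.0.113.{i}", 40000, *SERVER, "SYN") for i in range(1, 6)]
LEGIT = [Packet(1.0, "198.51.100.7", 51000, *SERVER, "SYN"),   # arrives while the table is full
         Packet(5.0, "198.51.100.7", 51000, *SERVER, "SYN"),   # retry after the server gave up
         Packet(5.1, "198.51.100.7", 51000, *SERVER, "ACK")]
SAMPLE = SPOOFED + LEGIT

if __name__ == "__main__":
    print(replay(SAMPLE, *SERVER), completion_ratio(SAMPLE, *SERVER), flood_suspected(SAMPLE, *SERVER))
```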

2.1.3 DDoS attack (Distributed SYN Flood)

This attack is a natural development of the SYN Flood mentioned above. The idea behind this attack is to focus the Internet connection bandwidth of many machines upon one or a few machines. This way it is possible to use a large array of smaller (or "weaker"), widely distributed computers to create the big flood effect. Usually, the assailant installs his remote attack program on weakly protected computers (universities, permanently connected home users etc.) using Trojan horses and intrusion methods, and then orchestrates the attack from all the different computers at once.
This creates a brute-force flood of malicious "nonsense" Internet traffic to swamp and consume the target server or its network connection bandwidth. This malicious packet flood competes with, and overwhelms, the network's valid traffic so that "good packets" have a low likelihood of surviving the flood. The network's servers become cut off from the rest of the Internet, and their service is denied. [6][3]

2.1.4 Distributed Reflected Denial of Service (DRDoS) attack

To enhance the previous methods, a "reflective" method of attack was devised. Instead of sending TCP packets with spoofed source IP addresses directly to the victim, an attacker located somewhere else on the Internet SYN floods Internet routers with TCP connection-requesting SYN packets. Those SYN packets carry the fraudulent (spoofed) source IP belonging to the victim. Therefore, the routers believe that the SYN packets came from the victim, and they reply with SYN/ACK packets as the second phase of the standard TCP three-way connection handshake. This way, the victim sees an attack from a wide array of core infrastructure servers (instead of many small computers around the globe). [3]
Some variations of this attack take advantage of BGP (Border Gateway Protocol). This protocol is supported by intermediate routers. Routers use BGP to communicate with their immediate neighbors and exchange their "routing tables" in order to inform each other about which IP ranges each router can forward. The specific details of BGP are unimportant. The fact that virtually all of the Internet's extremely well-connected (high-bandwidth) intermediate routers will accept TCP connections on their port 179 (the BGP port) means that a SYN packet arriving at port 179 of an Internet router will elicit a responding SYN/ACK packet. This example indicates the type of network assets the assailant may use for his cause. [3]

2.1.5 Naptha
Naptha is a name used to describe a set of network DoS vulnerabilities. Naptha attacks exploit weaknesses in the way some TCP stacks and applications handle large numbers of connections in states other than "SYN RECVD", including "ESTABLISHED" and "FIN-WAIT-1". By creating a suitably large number of TCP connections and leaving them in certain states, individual applications or the operating system itself can be starved of resources to the point of failure. In the past, attacks that exploit TCP connections in this manner were not implemented because they would typically exhaust the resources of the attacker as well. The innovation of the Naptha attack is that it is possible to easily create a DoS on the target with little resource consumption on the part of the attacker. [7][8]
The first part sends out a sequence of SYN packets from all possible ports of a forged IP address to the victim. This sounds like a SYN flood, but more happens. The second half runs on a LAN where the forged IP address would be, if it were a real host. The program first makes sure that the router has an entry for this phantom host in its ARP table. Next, it listens for a packet from the victim to the phantom host. The program responds with a packet with the appropriate flags and sequence numbers. Typically, it listens for SYN/ACK packets and replies with an ACK. It could also set the FIN flag and leave the connection waiting in FIN-WAIT-1. To keep connections alive longer, it can listen for "regular" data packets or "keep-alive" packets and send an ACK in reply. This "phantom" nature makes it hard to track down and eliminate, as it is almost impossible to discriminate between a bogus connection and a valid one. [7]

2.1.6 UDP Flood Attacks

UDP is a connectionless, unreliable protocol which doesn't require session negotiation between the client and server applications. UDP provides an easy-to-use interface for producing large quantities of packets.
A common attack which exploits UDP simply floods the network with UDP packets destined for a victim's host. Due to the relative simplicity of this protocol, an attacker can consume a large bandwidth capacity with relatively small effort. [17]

2.2 Protocol Attacks

The basic flood attack can be further refined to take advantage of the inherent design of commonly used network protocols, including TCP, UDP, ICMP and application protocols such as BGP, DNS, HTTP and others.
These attacks do not directly exploit weaknesses in these protocols but, instead, use their expected behavior to the attacker's advantage, resulting in a bandwidth attack. [1]

2.2.1 Smurf Attack

The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a host. If a host receives that packet, that host will return an ICMP echo reply packet. A common implementation of this process is the "ping" application.
In this attack, spoofed IP packets containing an ICMP Echo Request with a source address equal to that of the attacked system and a broadcast destination address are sent to the intermediate network.
Broadcast addresses are specially allocated addresses within all network subnets, used to broadcast messages to the whole network. All hosts within a given subnet receive packets sent to these broadcast addresses and in some cases (the ICMP protocol, for instance) respond to them. Sending an ICMP Echo Request to a broadcast address triggers all hosts in the network to respond with an ICMP response packet, thus creating a large mass of packets which are routed to the victim's spoofed address.
Networks may include up to hundreds of hosts, so one attack echo request results in hundreds of flooding packets at the victim's site. [8]
2.2.2 DNS name server Attack
The most common method seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses. [10]
Since nameserver responses can be significantly larger than DNS requests, this is an opportunity for bandwidth amplification. The queries are usually crafted to request the same valid DNS resource record from multiple nameservers. The result is many nameservers receiving queries for resource records in zones for which the nameserver is not authoritative. The response of the nameserver depends on its configuration. [10]
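The DRDoS (2.1.4), Smurf (2.2.1) and nameserver (2.2.2) attacks share one signature at the victim: responses arriving for requests the victim never sent. The Python below, an added example and not part of the original document, pairs inbound replies with earlier outbound requests from a protected network and reports the unmatched ones per response kind. The protected prefix, the matching window and every record are constructed assumptions.

```python
"""Flag reflected traffic: responses that arrive with no matching request (added example).
Smurf echo replies, DNS responses to queries never sent and SYN/ACKs to SYNs never sent
(the DRDoS case) share this signature. All records below are constructed, not captured."""
import ipaddress
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "t src dst kind nbytes")
# Each response kind and the request kind that must precede it.
REQUEST_FOR = {"echo-reply": "echo-request", "dns-response": "dns-query", "synack": "syn"}
PROTECTED = ipaddress.ip_network("192.0.2.0/24")   # assumed: the network we defend

def unsolicited_responses(records, protected=PROTECTED, window_s=2.0):
    """Return {kind: (count, distinct_reflectors, total_bytes)} for unmatched replies.

    Outbound requests from the protected network are remembered; an inbound response
    is accepted only if a request of the matching kind went to that remote host within
    window_s seconds. Everything else was reflected at us, whatever the reflector's intent.
    """
    pending = defaultdict(list)          # (our_host, remote_host, request_kind) -> [t]
    unmatched = defaultdict(lambda: [0, set(), 0])
    for r in sorted(records, key=lambda r: r.t):
        src_in = ipaddress.ip_address(r.src) in protected
        dst_in = ipaddress.ip_address(r.dst) in protected
        if src_in and r.kind in REQUEST_FOR.values():
            pending[(r.src, r.dst, r.kind)].append(r.t)
        elif dst_in and r.kind in REQUEST_FOR:
            key = (r.dst, r.src, REQUEST_FOR[r.kind])
            fresh = [t for t in pending[key] if r.t - t <= window_s]
            if fresh:
                pending[key].remove(fresh[0])   # paired with a genuine request
            else:
                entry = unmatched[r.kind]
                entry[0] += 1
                entry[1].add(r.src)
                entry[2] += r.nbytes
    return {k: (n, len(refl), b) for k, (n, refl, b) in unmatched.items()}

def reflection_alerts(records, protected=PROTECTED, min_count=5):
    """Response kinds whose unsolicited count crosses the alert threshold."""
    stats = unsolicited_responses(records, protected)
    return [kind for kind, (n, _, _) in stats.items() if n >= min_count]

VICTIM = "192.0.2.10"
LEGIT = [   # request/response pairs our own host initiated
    Record(0.00, VICTIM, "198.51.100.1", "echo-request", 64),
    Record(0.05, "198.51.100.1", VICTIM, "echo-reply", 64),
    Record(1.00, VICTIM, "198.51.100.53", "dns-query", 60),
    Record(1.02, "198.51.100.53", VICTIM, "dns-response", 300),
]
# 60 hosts of one broadcast domain answering an echo request we never sent (Smurf).
SMURF = [Record(2.0 + i / 100, f"203.0.113.{i}", VICTIM, "echo-reply", 64) for i in range(1, 61)]
# Three nameservers answering queries that carried our address as source.
DNS_REFLECT = [Record(3.0 + i / 10, f"203.0.113.{200 + i % 3}", VICTIM, "dns-response", 512)
               for i in range(6)]
# Two routers returning SYN/ACKs for SYNs forged in our name (DRDoS).
DRDOS = [Record(4.0 + i / 10, f"203.0.113.{250 + i % 2}", VICTIM, "synack", 60) for i in range(10)]
SAMPLE = LEGIT + SMURF + DNS_REFLECT + DRDOS

if __name__ == "__main__":
    for kind, (n, reflectors, nbytes) in unsolicited_responses(SAMPLE).items():
        print(f"{kind}: {n} unsolicited from {reflectors} reflectors, {nbytes} bytes")
    print("alerts:", reflection_alerts(SAMPLE))
```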

2.3 Software Vulnerability Attacks

Unlike the previously mentioned attack strategies, this group of attacks attempts to strike the victim's Achilles heel. This is accomplished not by the brute force of mass traffic, but with a well-designed attack, usually with considerably less traffic than flood attacks.
Most of these attacks exploit inherent weaknesses in network software implementations. For example, IP fragmented packet reassembly can deal with an orderly set of fragments as long as the offsets and sizes of the fragments' payloads are aligned. In cases where fragments are overlapping or missing, some TCP/IP stack implementations may suffer a system failure (for details see below). [1]

2.3.1 Land Attack

In this attack, an attacker sends spoofed TCP SYN packets with the same source and destination addresses, both equal to the victim's host address.
In some TCP/IP stack implementations those kinds of packets may cause the victim's host to crash. In cases where the victim's host is a router, this attack may result in a routing loop consuming large quantities of bandwidth (unless filtered in advance).
One of the variations of this attack targets a certain TCP service provided by the victim. In this case the attacker uses the same source and destination ports as those used by the victim's service (for instance an attack on the victim's web server will probably use TCP port 80). This may consume the victim's host CPU resources. [11][12][13]

2.3.2 Ping of Death Attack

Ping of Death is an attempt by an attacker to crash, reboot or freeze a system by sending an illegal ICMP (over IP) packet to the host under attack.
The TCP/IP specification allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data). In some TCP/IP stack implementations, encountering packets of greater size may cause the victim's host to crash.
Most implementations of the ICMP protocol use a packet header size of 8 octets but allow the user to specify larger packet sizes.
In the attack, the ICMP packet is sent in the form of a fragmented message which, when reassembled, is larger than the maximum legal IP packet size. [14][15]

2.3.3 Fragmentation Attack and Teardrop Attack

The TCP/IP protocol allows IP packets to contain up to 65536 octets.
Most line protocols (such as Cisco's HDLC, PPP, Ethernet etc.) which are used for encapsulating these packets limit the data unit length to 4470-5000 octets (also referred to as the MTU, Maximum Transmission Unit).
In order to send large IP packets over line protocols with such limits, the IP stack divides them into smaller fragments. The reconstruction of these fragments is performed according to IP packet header fields such as the fragment offset, the packet ID and the header flags.
All the fragments of the same IP packet carry the same packet ID field and have the "Fragmented-packet" flag (one of the header's flags) set.
The first fragment is sent with offset 0 and the "More-fragments" flag (one of the header's flags) set. The following fragments are sent with the offset field containing the sum of the lengths of all previously sent fragments. The last fragment's "More-fragments" flag is unset (turned off).
Some TCP/IP stacks' IP fragmentation reassembly code improperly handles overlapping IP fragments. The Teardrop attack (also known as bonk, boink, teardrop2) exploits this bug and sends a series of fragments with overlapping sections. This attack may cause some systems to crash or freeze. [1][12]
Other fragmentation attacks exploit other illegal combinations of fragment configuration which prevent the target host from successfully reconstructing the packets.
For instance, the attacker sends a series of fragments without sending a closing fragment (one with the "More-Fragments" flag turned off), thus overloading the victim's host IP packet reconstruction queue with pending packets. In some systems the attack may result in a system hang due to resource starvation. The same effect is achieved by sending many unmatched non-initial IP fragments. [16]
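The checks a hardened reassembler runs over a fragment set before stitching it together, as an added example that is not part of the original document: it rejects the overlapping fragments of 2.3.3 (Teardrop), a reassembled size beyond what the IP header can express (2.3.2, Ping of Death) and, when run as the reassembly timer expires, a set whose closing fragment never arrived. The fragment sets are constructed, and offsets are modelled in octets rather than the header's 8-octet units; both are assumptions made for readability.

```python
"""Sanity checks a hardened IP reassembler applies before accepting a fragment set
(added example, not from the original document). Fragments are modelled as
(offset, length, more) in octets; the real header stores the offset in 8-octet
units, so every offset, and the length of every fragment but the last, must be a
multiple of 8. The fragment sets below are constructed to show each failure pattern."""
from collections import namedtuple

Fragment = namedtuple("Fragment", "offset length more")
MAX_IP_PAYLOAD = 65535 - 20   # 16-bit total length minus the minimum IPv4 header

def check_fragments(frags):
    """Return the problems found; an empty list means the set is safe to reassemble."""
    if not frags:
        return ["no fragments"]
    problems = []
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[0].offset != 0:
        problems.append("first fragment (offset 0) missing")
    if frags[-1].more:
        problems.append("closing fragment missing: More-Fragments never cleared")
    covered = 0   # octets contiguously received so far
    for f in frags:
        if f.offset % 8:
            problems.append(f"offset {f.offset} is not a multiple of 8")
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at {f.offset} has length {f.length}, not a multiple of 8")
        if f.offset < covered:
            problems.append(f"overlap: fragment at {f.offset} rewrites octets before {covered} (Teardrop pattern)")
        elif f.offset > covered:
            problems.append(f"gap: octets {covered}..{f.offset - 1} never received")
        covered = max(covered, f.offset + f.length)
    if covered > MAX_IP_PAYLOAD:
        problems.append(f"reassembled payload of {covered} octets exceeds {MAX_IP_PAYLOAD} (Ping of Death pattern)")
    return problems

def safe_to_reassemble(frags):
    """True only when no check above fired; a reassembler should drop the set otherwise."""
    return not check_fragments(frags)

# Constructed fragment sets (1480-octet payloads, as on Ethernet).
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
TEARDROP = [Fragment(0, 40, True), Fragment(24, 16, False)]             # second overlaps the first
PING_OF_DEATH = [Fragment(0, 65528, True), Fragment(65528, 16, False)]   # leading fragments collapsed into one
UNCLOSED = [Fragment(0, 1480, True), Fragment(1480, 1480, True)]         # final fragment never arrives

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH), ("unclosed", UNCLOSED)]:
        print(f"{name}: {check_fragments(frags) or 'ok'}")
```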
3 References
3.1 Attack methods
(1) Managing the Threat of Denial-of-Service Attacks, CERT® Coordination Center
http://www.cert.org/archive/pdf/Managing_DoS.pdf

(2) CERT® Advisory CA-1997-28 IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1997-28.html

(3) DRDoS - Distributed Reflection Denial of Service
http://grc.com/dos/drdos.htm

(4) Denial of Service Attack Threat Analyzed
http://www.uksecurityonline.com/threat/dos.php

(5) Microsoft Knowledge Base Article Q172983 - Explanation of the Three-Way Handshake via TCP/IP
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q172983&LN=EN-US

(6) The Strange Tale of the Denial Of Service Attacks Against GRC.COM
http://grc.com/dos/grcdos.htm

(7) Razor - The Naptha DoS vulnerabilities
http://razor.bindview.com/publish/advisories/adv_NAPTHA.html

(8) CERT® Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP Stacks
http://www.cert.org/advisories/CA-2000-21.html

(9) CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1998-01.html

(10) Denial of Service Attacks using Nameservers
http://www.cert.org/incident_notes/IN-2000-04.html

(11) CERT® Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks
http://www.cert.org/advisories/CA-1996-21.html

(12) CERT® Advisory CA-1997-28 IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1997-28.html

(13) CERT® Advisory CA-1998-13 Vulnerability in Certain TCP/IP Implementations
http://www.cert.org/advisories/CA-1998-13.html

(14) SANS Institute - How can an attacker use ICMP for reconnaissance?
http://www.sans.org/newlook/resources/IDFAQ/icmp_misuse.htm

(15) CERT® Advisory CA-1996-26 Denial-of-Service Attack via ping
http://www.cert.org/advisories/CA-1996-26.html

(16) Security Info Online, CI-98.03: Cisco PIX and CBAC Fragmentation Attack
http://online.securityfocus.com/advisories/1428

(17) CERT® Advisory CA-1996-01 UDP Port Denial-of-Service Attack
http://www.cert.org/advisories/CA-1996-01.html
