The Broadband Guide
SG
search advanced

How to Stop Denial of Service (DoS) Attacks

How to prevent and stop, or mitigate the effects of DDoS attacks
2017-05-14 (updated: 2019-05-22) by
Tags: ,

Denial of Service (DoS) attacks are very common on the Internet these days, and they can make your online experience miserable. In some cases of Distributed Denial of Service Attacks (DDoS), they can bring down websites, or cripple entire networks in a matter of minutes, preventing connectivity for many customers. There are different types of DoS attacks, and we've tried to explain the most common types and ways to mitigate their effects to you or your network.


Types of Denial of Service (DoS) Attacks

We will try to explore all the common types of attack vectors below. It is important to understand the different types of Denial of Service attacks in order to be able to counter, or at least reduce their effects. In order to harden your system against attacks, you must be familiar with how they work, and how exactly they affect your network. There are several different classifications of DoS attacks as outlined below, as well as some common common methods to prevent or mitigate those specific attack types.


Ping Flood

This is one of the most basic types of DoS attack. It operates in Layer 3 of the OSI model and uses the ping command (ICMP echo). ICMP pings have legitimate use to test connectivity between two network nodes. It is also used by the traceroute command in some OSes, including Windows.

A ping flood DoS attack essentially sends a large number of data packets to the victim's computer in an attempt to overwhelm it, or overload its network connectivity. The ping packets can sometimes have larger payload in order to accomplish an attack with fewer pings (commonly 1472 kilobytes, to accommodate the 8-byte ICMP header, and 20-byte IP header, for a total of 1500 bytes). The ping command has command-line switches that allow for specifying the number of pings, and the amount of data to send (default of 32 bytes, maximum possible is 65000 bytes, even though it may get fragmented).

This type of attack is usually detected automatically by nodes on the network, and the ICMP protocol traffic is commonly given lower priority. As a result, frequent pings to the same IP may start experiencing packet loss, and can sometimes be even completely blocked, especially when the network is congested.

Note: ICMP protocol is an Internet layer protocol (OSI Level 3 - Network layer) and an integral part of the IP protocol suite.


Ping of Death

The Ping of Death (PoD) attack has the potential to cripple a network based on an old flaw in TCP/IP and a bug in its implementation in certain older OSes. The maximum theoretical packet size is 65,535 bytes. Sending larger packets may cause software/drivers to crash on the target computer. Sending larger packets may not be allowed by the TCP/IP protocol, but this can be bypassed by hackers by cleverly segmenting the packets in fragments. When the fragments are assembled at the destination on the target computer, the overall packet size is over the maximum allowed, causing buffer overflow and crashing the device.

Luckily, most newer devices designed in the 21st Century are immune to this kind of attack, simply updating to somewhat current hardware will eliminate this possible threat to your network.

Note: OSI Layer 3


Smurf

In a smurf/smurfing attack, the attacker will spoof their IP address to be the same as their victim's IP address. This is intended to cause confusion on the victim's network, and a massive flood of ICMP echo (ping) traffic will be sent to the victim's device, if executed correctly. It uses intermediate IP broadcast network to amplify the attack, as in an IP broadcast network pings are sent to every host, prompting a response from each node. Spoofed IP request to a broadcast address cause responses from all of the network hosts automatically to the victim's IP address.

Hardware firewalls, and some modern NAT routers should protect against smurf attacks. If not, there are some steps you can take to protect your network from them.

If you have access to the router that your network/website uses, simply configure it not to forward packets to broadcast addresses. In a Cisco router, for example, this can be accomplished using the command: no ip directed-broadcast

Note: OSI Layer 3 (Network layer) amplification attack


Fraggle

A Fraggle attack is very similar to the Smurf attack, except that it uses the User Datagram Protocol (UDP) rather than the more common Transmission Control Protocol (TCP). It is less common than Smurf attacks. Both Fraggle and Smurf attacks, are starting to become outdated and are commonly stopped by most modern routers and firewalls.

Fraggle attacks can usually be blocked by simply blocking ports 7 (Echo port) and port 19 (another commonly used Fraggle exploitable port) in your router/firewall.

Note: OSI Layer 4 (Transport Layer)


TCP SYN Flood

A SYN Flood attack takes advantage of the TCP three-way handshake. Essentially, the attack starts a three-way handshake, but does not complete it.

The normal TCP three-way handshake is as follows:

1. Client sends a Synchronize (SYN) request.
2. Server responds with a Synchronize-Acknowledge (SYN-ACK).
3. Client responds with an Acknowledge packet (ACK).

There are two variants of the SYN Attack, as follows:

1. TCP Spoofed SYN Flood - The attacker sends a SYN packet with a spoofed IP address. When the server tries to respond with a SYN-ACK, it never receives an ACK, leaving resources half-open.
2. TCP SYN Flood - The attacker may simply choose not to send the ACK packet, without spoofing its IP address at all.

Both methods attempt to consume server resources, by leaving connections in a half-open state awaiting ACK packets. Thankfully, newer devices and updates to TCP/IP have outdated this type of DoS attack as well.

Note: TCP and UDP packets operate in OSI Layer 4 (Transport Layer)


Teardrop

In the Teardrop type of attack, packet fragments are sent in a jumbled state, designed to confuse the receiving device, to make it unable to handle reassembling them. Older Operating Systems will simply crash when this occurs. Operating Systems such as Windows 95, NT, and  even Linux kernels prior to 2.1.63 are vulnerable to the teardrop attack. Upgrading to a modern OS is the best way to prevent this type of attack vector.


Other DoS attack types

There is a number of other less common, but potentially more dangerous types of DoS attacks, we've tried to outline most of them here:

TCP ACK Flood (L4 resource) Mass sending of TCP segment delivery receipts (ACK packets).

TCP SYN ACK Reflection Flood (L4 bandwidth) This attack works by mass-sending of TCP connection requests to a large number of machines, spoofing the victim's source address. The bandwidth of the victim is then saturated by the responses to these requests.

UDP Flood (L4 bandwidth) Mass sending of UDP packets not requiring a previously-established connection.

UDP Fragment Flood (L4 resource) Sending of datagrams that voluntarily reference other datagrams that will never be sent, which saturates the victim's memory.

IP Packet Fragment Attack (L3 resource) Sending IP packets that reference other packets that will never be sent, saturating the victim's memory.

SSDP attack (1900/UDP) This type of attack has an amplified reflective DDoS attack. It uses the Universal Plug and Play (UPnP) protocol that allows devices to discover each other on the network. The attack spoofs the attacker IP and replaces it with the victim IP, then sends series of UPnP queries to the server, each request increases by size, so it gets harder with time for the network to respond to requests, ending with a complete overload of the network.

NTP attack (123/UDP) Targets server's NTP services, botnets send millions of NTP synchronization requests to the victim NTP server to overwhelm and possibly crash the network.


Distributed Denial of Service (DDoS) Attacks

A Distributed Denial of Service (DDoS) attack is the elephant in the room. It is the most dangerous type of attack, since there is no easy fix to prevent it by upgrading software/hardware, or closing a port/protocol at your router. A DDoS attack can use any of the above denial-of-service methods, only multiple computers are being used to attack simultaneously. By sending any type of traffic from thousands, sometimes millions of computers to your website/network, it will overwhelm it given limited resources, this makes the attack very hard to prevent. In such an attack, the network nodes (computers, servers) being used to carry the attack may, or may not be aware of the fact that they are attacking a website or a network. Trojans and viruses commonly give a hacker control of multiple computers, forming a "Botnet" of thousands, sometimes millions of computers (called "zombies") that can be used to carry out such DDoS attacks.


Layer 7 DDoS Attacks (Application Layer attacks)

Distributed Denial of Service (DDoS) attacks can be of various types and can be concentrated on a specific OSI layer. Layer 7 attacks focus specifically on the Application Layer (layer 7), targeting services such as HTTP, SNMP, FTP, etc. DDoS attacks on the Application layer require a lot less bandwidth/packets than network layer attacks (such as ping, SYN, etc. as outlined in the DoS section above) to disrupt services.

HTTP flood (L7 resource) - the most prominent of the Application layer DDoS attacks. When a HTTP request is sent to a web server, it utilizes considerable resources, hence, just a limited number of Layer 7 packets can carry an effective DDoS attack on a large scale. HTTP flood attacks tend to concentrate on applications that take up a lot of resource, such as web application. They are sometimes hard to detect if distributed, and can use different POST and HEAD requests that tend to consume more resources.

Distributed DNS Amplification Attack (L7 bandwidth) - Mass sending of DNS requests usurping the source address of the victim, to a large number of legitimate DNS servers. As responses are larger than requests, an amplification of the attack follows.

DDoS DNS Flood (L7 resource) - attack on a DNS server by mass sending of requests from a large set of machines under the attacker's control.


How to mitigate the effects of DDoS Attacks

DDoS attacks are by definition very tough to overcome, it usually requires contacting your Internet Service Provider (ISP), or hosting provider, being creative, and even getting professional help. Here are some possible steps:

One possible small first step (for network-administrators) is to ensure attackers can't spoof their IP addresses. If you are using a Cisco router, try: no ip verify unicast reverse-path . This will prevent IP spoofing, however it will not protect you from "zombie" botnet attacks, since their IPs are not spoofed at all.

If you are trying to protect a website, using a Cloud DDoS Attack Protection service may be a good option. Using cloud services to serve static resources, using cloud hosting, etc. may also help mitigate the effects. To prevent an ongoing attack on a dedicated server, hosting companies will often simply null-route your servers temporarily in order to protect the network from the onslaught of traffic. If you have access to multiple IP addresses, and only one is under attack, it may be a good idea to switch to a different IP address at your DNS server. This will allow for web users to seamlessly load the pages from a different IP while the first one weathers the DDoS attack.

End users do not run servers, so they only have to worry about the more basic types of OSI Layer 3/Layer 4 DoS attacks that can usually be countered with software updates, router firmware updates, software firewalls, and hardware configuration.  If you track down an attacker (and it does not seem like a spoofed IP, Tor node, a VPN or proxy), report them to their ISP/network provider's abuse department.
If all this seems beyond your expertise, it may also be necessary to get professional help. Keep in mind even giant corporations like Microsoft have fallen victims (temporarily ;)) to DDoS attacks.

Network administrators have to deal with more complicated attack vectors that target servers. It is only prudent to monitor for possible DDoS attacks and unusual server/network load. Here is a short list of some tools that can help detect and mitigate DDoS attacks before they overwhelm the system:

Fail2Ban (log file monitoring, automatic regexp rules to classify malicious traffic, and ability to automate firewall rules to temporarily drop offending IPs)
LogicMonitor (applications, cloud services and databases monitoring)
Nagios (open-source system monitoring application)
NFDUMP (data flow analysis)
Wireshark (packet capture), etc.

There are also command-line tools, such as netstat that allow for direct monitoring of connections to servers. Here is a sample Linux command to show/sort the top 20 connections to a machine:

netstat -anput|awk '{print $5}'|grep -v ':::'|cut -d: -f1|sort|uniq -c|sort -nr|head -20

You can use a combination of the above tools and netstat to detect attacks, you can outsource static services to cloud servers, however, you can only block them on servers/firewalls/routers you have access to. Ultimately, if the bandwidth available to you gets overwhelmed, you will still have to turn to your network provider for help in dealing with larger scale DDoS attacks. There are also companies that offer DDoS protection by providing some type of proxy scrubbing service between your servers and clients.

Network providers have additional means to combat more complex DDoS attacks, such as bandwidth rate limiting, advanced BGP (feeding detailed packet info, ACLs, etc in BGP routers to allow filtering at the provider's edge), or simply null-routing the attacked IP ranges.


TL;DR

Too long, didn't read?

Many personal DoS attacks can be prevented by upgrading your hardware/software/firmware, and closing ports at your NAT router.  Distributed Denial of Service (DDoS) attacks, however, are a different animal - prolonged exposure may warrant getting professional help! Do not attack back, you are likely dealing with spoofed IPs, VPNs, ToR exit nodes and proxies.


See also:
How to Crack Wireless Networks
How to Secure your Wireless Network


  Post your review/comments
    rate:
   avg:
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About