What is a Denial of Service Attack?
A Denial of Service (DoS) Attack is any attempt to make an Internet-based service unavailable or unusable.
In the real world a denial of service attack is not being able to use the automatic teller machine because
someone has stuck chewing gum in it. For the Internet it means not being able to access a web site.
Most of the biggest web sites have been hit by DoS attacks and www.microsoft.com is no exception.
How it's supposed to work
Most DoS attacks prey on the nature of the TCP/IP protocol that underpins the entire Internet. This protocol
defines how computers find each other, start and stop communications, and send data back and forth.
The way communications are established is particularly susceptible to DoS attacks.
When one computer (a client) wants to communicate with another computer (the server), it sends a SYN packet
(short for Synchronize). A packet is the elemental unit of Internet communication. A packet always has a 'to address',
which routers use to get the packet to its destination, and a 'from address', so that the server knows
where to send the response packets.
Upon receiving the SYN packet, the server sends back a SYN-ACK packet to the client
(short for Synchronize Acknowledged). The client then responds with an ACK packet. When this
reaches the server a connection is established and data can start to flow.
    Client                          Server
      |  ---------- SYN ---------->   |
      |  <------- SYN-ACK ---------   |
      |  ---------- ACK ---------->   |
What happens during an attack
For the vast majority of the time the above scenario works, but the designers of the TCP/IP protocol
had to contend with the problem of what happens when something goes wrong. What happens if the
client loses power just after sending the SYN message? The server will send the SYN-ACK but
it will not get a response. When does the server give up waiting for the ACK to come back?
There are a myriad of error conditions that can occur, but in general they are handled quite elegantly
through the use of timeouts and retry attempts. The protocol software of a computer sets aside a relatively
large amount of time and effort to handle these error conditions, to ensure that communications
are as seamless as possible even across faulty connections.
It is this nature of the communications that DoS attackers take advantage of.
The most common example is a SYN attack (or a SYN flood). In this situation a client with hostile intent sends
as many SYN packets as possible (maybe thousands per second, or even much, much more) and instead of using
the correct 'from address' in the SYN packet it just makes one up. This is called 'address spoofing'.
It is easy to do since these addresses are just four-byte numbers.
The server receives the SYN packets and attempts to send out the SYN-ACK responses, but each one is sent
to the spoofed address. Needless to say, the computers at these spoofed addresses start receiving SYN-ACK
packets, which are instantly ignored. The server waits, expecting to receive an ACK back for each SYN-ACK, but these ACKs
will never arrive. After a couple of seconds the server sends out another SYN-ACK, thinking that the last one
was lost in transit. Again no ACK comes back. The server will continue for about 3 minutes until it gives up.
This is repeated for every single SYN that originally arrived. Since the server needs to set aside a little bit
of memory and CPU time for each SYN, it will rapidly run out of resources.
In this state the computer will be running at 100% CPU and will have consumed all of its memory. Although it
is working at full capacity it will not be capable of servicing any legitimate requests. To legitimate
users it will appear as if the server has stopped running.
All server operating systems, including Linux and Windows, can be the target of a DoS attack.
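The resource exhaustion described above, as an added simulation that is not part of the original article: a server keeps a bounded table of half-open connections, resends each SYN-ACK on a backoff schedule and gives up after the article's "about 3 minutes", while spoofed SYNs that are never ACKed crowd out real clients. The backlog size, retransmit schedule and traffic rates are constructed values, not taken from any particular operating system.

```python
HALF_OPEN_TIMEOUT = 180          # seconds before the server gives up on a half-open connection
RETX_AT = (3, 9, 21, 45, 93)     # seconds after the first SYN-ACK at which it is resent (constructed backoff)

class Server:
    """Half-open (SYN-RCVD) connection table with a fixed backlog capacity."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}          # src -> [time of SYN, SYN-ACK retransmits so far]
        self.synacks_sent = 0
        self.established = 0

    def on_syn(self, now, src):
        if len(self.half_open) >= self.backlog:
            return False             # table full: the SYN is dropped, whoever sent it
        self.half_open[src] = [now, 0]
        self.synacks_sent += 1
        return True

    def on_ack(self, src):
        if self.half_open.pop(src, None) is None:
            return False             # ACK for a connection we are not waiting on
        self.established += 1
        return True

    def tick(self, now):
        # Once per second: resend SYN-ACKs on schedule, free entries past the timeout.
        for src, (created, done) in list(self.half_open.items()):
            age = now - created
            if age >= HALF_OPEN_TIMEOUT:
                del self.half_open[src]
            elif done < len(RETX_AT) and age >= RETX_AT[done]:
                self.half_open[src][1] += 1
                self.synacks_sent += 1

def simulate(backlog, attack_rate, legit_rate, duration):
    """attack_rate spoofed SYNs/s that are never ACKed; legit_rate real clients/s that ACK at once."""
    srv, refused_legit = Server(backlog), 0
    for now in range(duration):
        srv.tick(now)
        for i in range(attack_rate):
            srv.on_syn(now, ("spoofed", now, i))    # SYN-ACK goes to a made-up address and is ignored
        for i in range(legit_rate):
            src = ("legit", now, i)
            if srv.on_syn(now, src):
                srv.on_ack(src)                      # real client completes the handshake
            else:
                refused_legit += 1
    return {"established": srv.established, "refused_legit": refused_legit,
            "half_open": len(srv.half_open), "synacks_sent": srv.synacks_sent}

if __name__ == "__main__":
    print(simulate(backlog=256, attack_rate=10, legit_rate=5, duration=300))
```

With these numbers the table fills after 26 seconds and every legitimate SYN from then on is refused, even though the attacker sends only ten packets a second.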
Distributed Denial of Service Attacks
A distributed denial of service attack (a D-DoS) occurs when there is not a single client with hostile intent
but an entire armada of computers all sending SYN packets at a single target at once. Depending on the
size of the D-DoS, even the most protected servers can fall prey to the attack.
There is little that can be done against such an attack, as evidenced by Microsoft's own ability to survive them.
If you can work out how to navigate his site, Steve Gibson has a good story of
his investigations into a D-DoS attack that was waged against his servers. He is a common target,
and sometimes for good reasons.
TCP State Transition Diagram
The following state transition diagram was taken from RFC793.
                              +---------+ ---------\      active OPEN
                              |  CLOSED |            \    -----------
                              +---------+<---------\   \   create TCB
                                |     ^              \   \  snd SYN
                   passive OPEN |     |   CLOSE        \   \
                   ------------ |     | ----------       \   \
                    create TCB  |     | delete TCB         \   \
                                V     |                      \   \
                              +---------+            CLOSE    |    \
                              |  LISTEN |          ---------- |     |
                              +---------+          delete TCB |     |
                   rcv SYN      |     |     SEND              |     |
                  -----------   |     |    -------            |     V
 +---------+      snd SYN,ACK  /       \   snd SYN          +---------+
 |         |<-----------------           ------------------>|         |
 |   SYN   |                    rcv SYN                     |   SYN   |
 |   RCVD  |<-----------------------------------------------|   SENT  |
 |         |                    snd ACK                     |         |
 |         |------------------           -------------------|         |
 +---------+   rcv ACK of SYN  \       /  rcv SYN,ACK       +---------+
   |           --------------   |     |   -----------
   |                  x         |     |     snd ACK
   |                            V     V
   |  CLOSE                   +---------+
   | -------                  |  ESTAB  |
   | snd FIN                  +---------+
   |                   CLOSE    |     |    rcv FIN
   V                  -------   |     |    -------
 +---------+          snd FIN  /       \   snd ACK          +---------+
 |  FIN    |<-----------------           ------------------>|  CLOSE  |
 | WAIT-1  |------------------                              |   WAIT  |
 +---------+          rcv FIN  \                            +---------+
   | rcv ACK of FIN   -------   |                            CLOSE  |
   | --------------   snd ACK   |                           ------- |
   V        x                   V                           snd FIN V
 +---------+                  +---------+                   +---------+
 |FINWAIT-2|                  | CLOSING |                   | LAST-ACK|
 +---------+                  +---------+                   +---------+
   |                rcv ACK of FIN |                 rcv ACK of FIN |
   |  rcv FIN       -------------- |    Timeout=2MSL -------------- |
   |  -------              x       V    ------------        x       V
    \ snd ACK                 +---------+delete TCB         +---------+
     ------------------------>|TIME WAIT|------------------>| CLOSED  |
                              +---------+                   +---------+

                      TCP Connection State Diagram
                               Figure 6.
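The transitions in the diagram above, written out as a lookup table with a minimal TCB that walks them; this is an added example, not code from the article or from RFC 793. Each entry is (state, event) -> (next state, action), with "x" meaning no segment is sent, exactly as the figure labels it. Driving the server side through "passive OPEN" and "rcv SYN" and then stopping shows where a SYN flood leaves every victim entry: in SYN-RCVD, waiting for an "rcv ACK of SYN" that never comes.

```python
TRANSITIONS = {
    # (state, event):                  (next state,   action)
    ("CLOSED",     "passive OPEN"):    ("LISTEN",     "create TCB"),
    ("CLOSED",     "active OPEN"):     ("SYN-SENT",   "create TCB; snd SYN"),
    ("LISTEN",     "CLOSE"):           ("CLOSED",     "delete TCB"),
    ("LISTEN",     "SEND"):            ("SYN-SENT",   "snd SYN"),
    ("LISTEN",     "rcv SYN"):         ("SYN-RCVD",   "snd SYN,ACK"),
    ("SYN-SENT",   "rcv SYN"):         ("SYN-RCVD",   "snd ACK"),      # simultaneous open, as drawn
    ("SYN-SENT",   "rcv SYN,ACK"):     ("ESTAB",      "snd ACK"),
    ("SYN-SENT",   "CLOSE"):           ("CLOSED",     "delete TCB"),
    ("SYN-RCVD",   "rcv ACK of SYN"):  ("ESTAB",      "x"),            # x = nothing sent
    ("SYN-RCVD",   "CLOSE"):           ("FIN-WAIT-1", "snd FIN"),
    ("ESTAB",      "CLOSE"):           ("FIN-WAIT-1", "snd FIN"),
    ("ESTAB",      "rcv FIN"):         ("CLOSE-WAIT", "snd ACK"),
    ("FIN-WAIT-1", "rcv ACK of FIN"):  ("FIN-WAIT-2", "x"),
    ("FIN-WAIT-1", "rcv FIN"):         ("CLOSING",    "snd ACK"),
    ("FIN-WAIT-2", "rcv FIN"):         ("TIME-WAIT",  "snd ACK"),
    ("CLOSING",    "rcv ACK of FIN"):  ("TIME-WAIT",  "x"),
    ("CLOSE-WAIT", "CLOSE"):           ("LAST-ACK",   "snd FIN"),
    ("LAST-ACK",   "rcv ACK of FIN"):  ("CLOSED",     "x"),
    ("TIME-WAIT",  "Timeout=2MSL"):    ("CLOSED",     "delete TCB"),
}

class TCB:
    """One connection's transmission control block, reduced to its state and the actions taken."""
    def __init__(self):
        self.state = "CLOSED"
        self.actions = []

    def step(self, event):
        key = (self.state, event)
        if key not in TRANSITIONS:
            # The figure defines no arrow for this event here; a real stack would discard or reset.
            raise ValueError(f"no transition for {event!r} in state {self.state}")
        self.state, action = TRANSITIONS[key]
        self.actions.append(action)
        return self.state

def run(events):
    """Drive a fresh TCB through the events and return the list of states visited."""
    tcb = TCB()
    return [tcb.step(e) for e in events]

if __name__ == "__main__":
    print("server, normal:", run(["passive OPEN", "rcv SYN", "rcv ACK of SYN",
                                  "rcv FIN", "CLOSE", "rcv ACK of FIN"]))
    print("server, flooded:", run(["passive OPEN", "rcv SYN"]))   # stuck in SYN-RCVD
```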