Webhosting Reseller dan affiliate Hosting Indonesia Top !

Degradation-of-service attacks

"Pulsing" zombies are compromised computers that are directed to launch intermittent and short-lived floodings of victim websites with the intent of merely slowing it rather than crashing it. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie invasions and can disrupt and hamper connection to websites for prolonged periods of time, potentially causing more damage than concentrated floods.^[16][17] Exposure of degradation-of-service attacks is complicated further by the matter of discerning whether the attacks really are attacks or just healthy and likely desired increases in website traffic.^[18]

Unintentional denial of service

This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users — potentially hundreds of thousands of people — click that link in the space of a few hours, having the same effect on the target website as a DDoS attack.

News sites and link sites — sites whose primary function is to provide links to interesting content elsewhere on the Internet — are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, the Drudge Report, Fark, Something Awful, and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", being "drudged", "farking", "goonrushing" and "wanging"; respectively.

Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have created NTP vandalism by flooding NTP servers without respecting the restrictions of client types or geographical limitations.

Similar unintentional denials of service can also occur via other media, e.g. when a URL is mentioned on television. If a server is being indexed by Google or another search engine during peak periods of activity, or does not have a lot of available bandwidth while being indexed, it can also experience the effects of a DoS attack.

Legal action has been taken in at least one such case. In 2006, Universal Tube & Rollform Equipment Corporation sued YouTube: massive numbers of would-be youtube.com users accidentally typed the tube company's URL, utube.com. As a result, the tube company ended up having to spend large amounts of money on upgrading their bandwidth.^[19]

Denial-of-Service Level II

The goal of DoS L2 (possibly DDoS) attack is to cause a launching of a defense mechanism which blocks the network segment from which the attack originated. In case of distributed attack or IP header modification (that depends on the kind of security behavior) it will fully block the attacked network from Internet, but without system crash.

Blind Denial of Service

Blind Denial of Service attacks are particularly pernicious. With a blind attack, the attacker has a significant advantage. If the attacker must be able to receive traffic from the victim, then he must either subvert the routing fabric or use his own IP address. Either provides an opportunity for the victim to track the attacker and/or filter out his traffic. With a blind attack the attacker can use forged IP addresses, making it extremely difficult for the victim to filter out their packets. The TCP SYN flood attack is an example of a blind attack. Designers should make every attempt possible to prevent blind denial of service attacks.^[20]

Incidents

The first major attack involving dns servers as reflectors occurred in January 2001. The target was Register.com.^[21] This attack, which forged requests for the MX records of AOL.com (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of dns records that were a year old at the time of the attack.

In February, 2001, the Irish Government's Department of Finance server was hit by a denial of service attack carried out as part of a student campaign from NUI Maynooth. The Department officially complained to the University authorities and a number of students were disciplined.^{[citation needed]}

In July 2002, the Honeynet Project Reverse Challenge was issued.^[22] The binary that was analyzed turned out to be yet another DDoS agent, which implemented several dns related attacks, including an optimized form of a reflection attack.

On two occasions to date, attackers have performed DNS Backbone DDoS Attacks on the dns root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers.^{[citation needed]}

In February 2007, more than 10,000 online game servers in games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were attacked by "RUS" hacker group. The DDoS attack was made from more than a thousand computer units located in the republics of the former Soviet Union, mostly from Russia, Uzbekistan and Belarus. Minor attacks are still continuing to be made today.^{[citation needed]}

In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack directed at Georgian government sites containing the message: “win+love+in+Rusia" effectively overloaded and shut down multiple Georgian servers. Websites targeted included the web site of the Georgian president, Mikhail Saakashvili, rendered inoperable for 24 hours, and the National Bank of Georgia. While heavy suspicion was placed on Russia for orchestrating the attack through a proxy, the St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N, the Russian government denied the allegations, stating that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.^[23]

During the 2009 Iranian election protests, foreign activists seeking to help the opposition engaged in DDoS attacks against Iran's government. The official website of the Iranian government (ahmedinejad.ir

) was rendered inaccessible on several occasions.^[24] Critics claimed that the DDoS attacks also cut off internet access for protesters inside Iran; activists countered that, while this may have been true, the attacks still hindered President Mahmoud Ahmadinejad's government enough to aid the opposition.

June of 2009 the famous P2P site known as The Pirate Bay was rendered inaccessable due to a DDoS attack. This was most likely provoked by the recent sellout to Gaming Factory X AB and seen as a "take the money and run" solution to the website's legal issues.^[25]

Performing DoS-attacks

A wide array of programs are used to launch DoS-attacks. Most of these programs are completely focused on performing DoS-attacks, while others are also true Packet injectors, thus able to perform other tasks as well.^[26]

Prevention and response

Surviving attacks

This article or section appears to contain speculation and unjustified claims. Information must be verifiable and based on reliable published sources. Please remove speculation from the article. Please see the discussion on this article's talk page.

The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, callbacks, emails, pages and faxes between the victim organization, one's provider, and others involved. This can be a very time consuming process. It has taken some very large networks with plenty of resources several hours to halt a DoS attack.^{[citation needed]}

The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack.^{[citation needed]}

Filtering is often ineffective^[27], as the route to the filter will normally be swamped so only a trickle of traffic will survive. However, by using an extremely resilient stateful packet filter that will inexpensively drop any unwanted packets, surviving a DoS attack becomes much easier.^{[citation needed]} When such a high performance packet filtering server is attached to an ultra-high bandwidth connection (preferably an internet backbone), communication with the outside world will be unimpaired so long as not all of the available bandwidth is saturated, and performance behind the packet filter will remain normal as long as the packet filter drops all DoS packets.^[28] It should be noted however, that in this case the victim of the DoS attack still would need to pay for the excessive bandwidth. The price of service unavailability thus needs to be weighed against the price of truly exorbitant bandwidth/traffic.

Firewalls

Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Routers may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.^{[citation needed]}

Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers). A similar ability is present in OpenBSD's pF, which is available for other BSDs as well. In that context, it is called "synproxy".^{[citation needed]}

Comodo Firewall Pro has a built-in Emergency Mode which is activated when the number of incoming packets per seconds exceed a set value for more than the specified time, for example, more than 20 packets/sec for more than 20 seconds. If this happens, the firewall classifies it as a DoS attack and switches to Emergency Mode. In this mode, all inbound traffic is blocked except previously established and active connections, but outbound traffic is allowed. The packet number threshold and the time needed for verifying an attack can be adjusted by the user separately for TCP, UDP, and ICMP. The firewall also has some other attack prevention mechanisms, like protocol analysis, checksum verification (so that the packets are not altered since transmission) and NDIS protocol monitoring for attempts at making a DoS attack by using own protocols, thus outmaneuvering older firewalls.^{[citation needed]}

Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing.^{[citation needed]}

These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.^{[citation needed]}

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevents flooding, i.e. example settings.^[29]

Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.^{[citation needed]}

IPS based prevention

Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior based DoS attacks.^{[citation needed]}

An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.^{[citation needed]}

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.^{[citation needed]}

Prevention via Proactive Testing

Test platforms such as Mu Dynamics' Service Analyzer are available to perform simulated denial-of-service attacks that can be used to evaluate defensive mechanisms such IPS, RBIPS, as well as the popular denial-of-service mitigation products from Arbor Networks. An example of proactive testing of denial-of-service throttling capabilities in a switch was published earlier this year: The Juniper EX 4200

switch with integrated denial-of-service throttling was tested by Network Test

and the resulting review

was published in Network World

.

Side effects of DoS attacks

Backscatter

In computer network security, backscatter is a side-effect of a spoofed denial of service (DoS) attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine can not distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter.

If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as an indirect evidence of such attacks.

The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.

An educational animation describing such backscatter can be found on the animations page

maintained by the Cooperative Association for Internet Data Analysis.

Denial-of-service attacks and the law

In the Police and Justice Act 2006, the United Kingdom specifically outlawed denial-of-service attacks and set a maximum penalty of 10 years in prison.^[30]

Komentar (0)

Subscribe to this comment's feed

Show/hide comments

 Show/hide comment form

Nama

Email

Website

Judul

Komentar

smaller | bigger

Subscribe via email (registered users only)

I have read and agree to the Terms of Usage.

Tambahkan Komentar Preview