Denial of Service Attacks

Hacking 2008. 11. 29. 15:12

Webopedia.com describes Denial of Service attacks as:

Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers. www.webopedia.com/TERM/D/DoS_attack.html

A Denial of Service (DoS) attack is any type of attack that renders a service unavailable for its intended purpose.

One example of a DoS attack is a SYN flood. This attack requests that the web server start a TCP session that it has no intention of ever completing. The client sends a series of SYN packets to the server. A SYN packet is a request to start a TCP session. The server responds with a SYN/ACK packet. This packet acknowledges the client's request to open a session and requests that the client open a session for the host. In a normal TCP connection sequence, the client would send back an ACK to acknowledge the host's request to open its session, as shown in Figure 2.2.

Figure 2.2. Normal three-way TCP handshake session.


In a SYN flood, however, the attacker has no intention of completing the TCP handshake. This is why this attack is often referred to as a half-open connection attack. Instead, attackers rely on the fact that the server will wait a while for the client to complete the connection. Because several clients can attempt to connect at the same time, the host needs to be able to wait for each to complete the handshake. Since resources are limited, the pending requests are put in a queue until they are completed. It is the attacker's intent to fill this queue and keep everyone else out of it. Once the queue has been filled, it is a simple matter to keep it filled by sending a limited number of new SYN packets. Figure 2.3 shows the attacker initiating a SYN flood attack.

Figure 2.3. Denial of Service SYN attack.


There are numerous mitigation strategies that extend beyond the capabilities of the individual host. The network infrastructure should include mechanisms to absorb a denial of service attack, such as sufficient network bandwidth, redundant Internet circuits, and proper load balancing of traffic. Since many DoS attacks target the fundamental protocols (such as TCP/IP) on which a web server relies, the issue must also be addressed in the network stack settings of the operating system. A few Solaris OS level settings, applied with ndd, can help reduce some of the effects of a denial of service attack.

tcp_conn_req_max_q0

This option sets the size of the queue holding unestablished (half-open) connections. This queue is part of the protection mechanism against SYN flood attacks. The default queue size is adequate for most systems but should be increased for busy servers. The default value is 1024. Use the following command to update this setting:

/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096

tcp_conn_req_max_q

This option sets the maximum number of fully established connections. Increasing the size of this queue provides some limited protection against resource consumption attacks. The queue size default is adequate for most systems but should be increased for busy servers. The default value is 128. Use the following command to update this setting:

/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024

tcp_time_wait_interval

This parameter affects the amount of time a TCP socket remains in the TIME_WAIT state. The default is quite high for a busy web server, so it should be lowered to 60,000 milliseconds (60 seconds). Use the following command to update this setting:

/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000

Linux users can apply the equivalent settings at runtime through /proc and make them persistent by appending them to /etc/sysctl.conf, which provides similar protection against denial of service attacks:

# echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# echo "net.ipv4.tcp_max_syn_backlog = 4096" >> /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
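
The following POSIX shell script is an added example, not part of the original post: it audits a Linux host against the two SYN flood settings recommended above (tcp_max_syn_backlog at least 4096 and tcp_syncookies enabled). It assumes the kernel values are read from a sysctl tree rooted at SYSCTL_ROOT (default /proc/sys), so the same check can be run against a copied or constructed tree.

```shell
#!/bin/sh
# Added example: audit the Linux SYN flood settings recommended on this page.
# SYSCTL_ROOT is an assumed knob so the check can read a copied tree instead
# of the live /proc/sys of the machine it runs on.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
MIN_SYN_BACKLOG=4096     # value used in the echo commands above

# read_key <relative sysctl path>: print the value, or "missing" if unreadable
read_key() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        cat "$SYSCTL_ROOT/$1"
    else
        echo missing
    fi
}

# audit_syn_defenses: print one line per finding and return the number of
# findings, so 0 means both settings meet the recommended values.
audit_syn_defenses() {
    findings=0
    backlog=$(read_key net/ipv4/tcp_max_syn_backlog)
    cookies=$(read_key net/ipv4/tcp_syncookies)

    case "$backlog" in
        ''|*[!0-9]*)
            echo "WARN tcp_max_syn_backlog unreadable ($backlog)"
            findings=$((findings + 1)) ;;
        *)
            if [ "$backlog" -lt "$MIN_SYN_BACKLOG" ]; then
                echo "WARN tcp_max_syn_backlog=$backlog, below $MIN_SYN_BACKLOG"
                findings=$((findings + 1))
            fi ;;
    esac

    if [ "$cookies" != "1" ]; then
        echo "WARN tcp_syncookies=$cookies (expected 1)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK SYN flood settings meet recommended values"
    return "$findings"
}

# Usage: . ./syn_audit.sh && audit_syn_defenses
# (export SYSCTL_ROOT=/path/to/copied/tree to audit a saved sysctl snapshot)
```

The exit status doubles as a finding count, so the function can be dropped into a cron job or configuration check that alerts on non-zero.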

By updating these TCP/IP stack parameters, you can dramatically increase your server's responsiveness to requests and help reduce the effects of a denial of service attack.

Posted by CEOinIRVINE