Deconstructing DoS attacks
(IDG) -- Denial of service (DoS) attacks have made headlines in the last year by assaulting a number of large and very successful companies. A rash of hits roughly a year ago left the e-industry aware of how vulnerable it is. The recent attacks against Microsoft are a not-so-gentle reminder. When large, smart companies, including the likes of Yahoo, Amazon, CNN, and Microsoft, fall victim to DoS attacks, can any of us feel safe? Why are successful companies, which ought to know better, seriously and publicly affected by attacks perpetrated by less-than-brilliant hackers? Finally, what can you do to defend your site?
How DoS attacks work
The main thing that makes DoS attacks so hard to fend off is that, at least on the surface, they look like valid traffic. The basic difference between legitimate visits and attacks is the intent -- along with the volume, frequency, and source of the traffic. Normal traffic to a mail server might come in spurts and waves, but an attack against sendmail entails a barrage of messages in close proximity -- so close that the service cannot keep up with the volume and crashes or hangs. In fact, a DoS attack will likely bring the system itself to a halt. If the server doesn't run out of swap space, it will probably run out of process space or network connections. It's also likely to suffer from network congestion problems. In addition to the difficulty of differentiating attacks from normal traffic, it is hard to effectively slow down or control the traffic comprising the attack.
Noted security expert Steve Bellovin has pointed out that DoS attacks are cheaper to launch than to deal with. The effort involved in launching an attack is almost always minimal compared to the effort involved in fending off or recovering from the attack.
DoS attacks are hard to characterize because what they have in common is their overall effect, not the technique by which they're carried out. DoS attacks can seek to flood a network with traffic or to modify a router's configuration. The goal of both methods is to deny legitimate users access. The various means of achieving that goal have little in common.
Typical DoS attacks involve:
Efforts to flood a network, for example, can block or slow all communication between servers and clients, making it difficult or impossible for any work to be done. Excessive traffic to a specific service port on a server, on the other hand, might make that service or server unusable.
In a DoS attack against sendmail, hundreds of thousands of messages can be sent in a short period of time; a normal load might only be 100 or 1,000 messages an hour. If a DoS attack is noticed in time, a service can be shut down while the organization rides out the attack. That cannot always be done without repercussions, though. Attacks against sendmail might not make the front page, but downtime on major Websites will. For companies whose reputation depends on the reliability and accuracy of their Web-based transactions, a DoS attack can be a major embarrassment and a serious threat to business.
DoS attacks do not always involve a deluge of service requests. Some involve the disabling of a critical component. If an attacker crashed or changed the configuration of a company's firewall, for example, the company would likely be isolated until someone brought the system back online or routed traffic through another system. In fact, the recent DoS attack on Microsoft involved interference with the routers that provide access to the company's Websites.
Even more insidious than overwhelming a system with legitimate requests is flooding a system with requests falsified in such a way that the server expends more resources trying to validate or complete connections than it would setting up legitimate connections.
One well-known attack of this type is the SYN flood. A SYN (SYN stands for synchronize or start) is a request that's sent to a server when establishing a network connection (e.g., when someone issues a telnet request). In a normal sequence, the server replies with a SYN ACK (an acknowledgment) and the client then sends an ACK in response to the SYN ACK. This orderly handshaking establishes a connection and is called the TCP three-way handshake.
The server keeps track of incomplete connections by maintaining a queue: a kernel data structure of limited size that's dedicated to keeping track of connections. When the ACK from the client isn't returned, the incomplete connection sits in the queue until it times out. Because ACKs are normally returned in a matter of milliseconds, a connection that takes minutes to expire occupies space in the queue for a relatively long time. Given enough malformed SYNs, the kernel data structures are used up faster than they can be released, and no additional connections can be made. The pending connections, referred to as half-open, block proper connections from being initiated.
Why are the ACKs not returned? Connection requests sent in SYN floods generally carry bogus, randomly chosen source addresses. When the server replies to such a SYN with its SYN ACK, the reply goes to a nonexistent system, or to one that never made the request and isn't waiting for it.
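To make the queue mechanics described above concrete, here is an added simulation that is not part of the original article: a fixed-capacity half-open queue with a hold timeout, fed spoofed SYNs that are never acknowledged alongside one legitimate client per second. The queue size, timeout, traffic rates and addresses are illustrative assumptions, not measurements from any real kernel.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenQueue:
    """Model of the kernel's queue of half-open connections (constructed example)."""
    capacity: int                       # fixed number of slots, as in the article
    timeout: float                      # seconds an un-ACKed entry is held
    pending: dict = field(default_factory=dict)   # (src, port) -> expiry time

    def expire(self, now):
        """Release entries whose client never answered the SYN ACK."""
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def syn(self, now, src, port):
        """Incoming SYN: allocate a slot, or refuse when the queue is full."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            return False
        self.pending[(src, port)] = now + self.timeout
        return True

    def ack(self, now, src, port):
        """Client's ACK completes the handshake and frees the slot."""
        self.expire(now)
        return self.pending.pop((src, port), None) is not None


def simulate(capacity, timeout, spoofed_per_sec, seconds=10):
    """Each second, `spoofed_per_sec` SYNs with bogus sources arrive and are
    never ACKed; one legitimate client then connects and ACKs 1 ms later.
    Returns (legitimate connections completed, legitimate SYNs refused)."""
    q = HalfOpenQueue(capacity, timeout)
    completed = refused = 0
    for t in range(seconds):
        for i in range(spoofed_per_sec):
            q.syn(float(t), f"198.51.100.{i}", 40000 + t)   # constructed addresses
        if q.syn(t + 0.5, "192.0.2.10", 50000 + t):
            q.ack(t + 0.501, "192.0.2.10", 50000 + t)
            completed += 1
        else:
            refused += 1
    return completed, refused
```

With a 75-second hold and 100 spoofed SYNs a second, a 128-slot queue is full by the second second and every later legitimate SYN is refused; with a sub-second hold the same flood never fills it, which is why the hold time matters as much as the queue size.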
Though most DoS attacks are deliberate, some are merely a side effect of some other form of abuse or carelessness. A small minority may actually be the result of honest mistakes. When an undergraduate at a major university took it upon himself to mirror a newsgroup on a departmental server, he probably had no idea that the number of visitors would cripple the system so it could no longer be used by the researchers for scientific computation. Similarly, the individual who used an email address associated with one of my employers as a reply address in his spam probably only meant to hide his real address. The fact that the hundred thousand or so bounced messages that our server processed nearly brought the flow of legitimate email to a standstill may or may not have crossed his mind.
DoS vs. DDoS
A variation on the basic DoS attack is the distributed denial of service (DDoS) attack. A DDoS attack is launched from a variety of sites, making it more difficult to detect and block. DDoS attacks are considerably harder to combat because blocking a single IP address or network will not stop them. The traffic can derive from hundreds or even thousands of individual systems; sometimes the users are not even aware that their computers are part of the attack. (A program may have been planted on their systems as part of a virus.) The potentially unintentional attacks described above are more like DDoS attacks than normal DoS attacks, simply because the bounces could derive from as many different sources as the original email was sent to.
Some DoS attacks can be squelched while in progress by blocking the particular site from which the attack is launched (e.g., at your company's firewall). By blocking a particular IP address, network address, or service port combination, you can keep the offensive traffic from reaching your server -- but only if you recognize the attack in time to prevent it from fully compromising your server(s). Unfortunately, most attackers are more clever than that, and use falsified addresses or launch their attacks from so many locations that it's impossible to discern the source.
Detection of DoS attacks depends on the requests being sent at regular intervals. If the messages are all from the same site, are the same size, or have some other characteristic in common, you may be able to build a filter that blocks messages that match the pattern. The problem with this approach is that it's not possible to determine what the pattern will be, and during an attack, it may be difficult to respond coolly and decisively. Increasingly, products are incorporating detection of attacks, such as filters that look for patterns of activity that correspond to various attack methodologies. Eventually, packet headers may be encrypted so source addresses cannot be falsified.
Some preventative measures involve pacing a service so that it never processes enough requests in a short period of time to be overwhelmed. These choke points are often established on routers and might, for example, limit ICMP requests (as would be used in a Ping of Death attack).
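The choke point just described, together with the source-pattern filter from the previous paragraph, as an added example that is not from the original article: a per-source token bucket paces ICMP echo requests and leaves other traffic alone, and any source that keeps hitting the limit is reported as a candidate for a block. The traffic records, rates and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample traffic, not a real capture: (time_s, src_ip, proto, bytes).
# 203.0.113.7 sends 50 echo requests in half a second; 192.0.2.5 pings once a
# second; two TCP segments show that only ICMP echo is paced.
PACKETS = (
    [(i * 0.01, "203.0.113.7", "icmp-echo", 64) for i in range(50)]
    + [(float(t), "192.0.2.5", "icmp-echo", 64) for t in range(3)]
    + [(0.3, "192.0.2.5", "tcp", 1500), (0.7, "198.51.100.9", "tcp", 52)]
)


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, then spend one token if one is available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def choke_icmp(packets, rate=2.0, burst=5, flag_after=10):
    """Pace ICMP echo requests per source; pass everything else untouched.
    Returns (forwarded packets, drops per source, sources worth blocking)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    forwarded, dropped = [], Counter()
    for pkt in sorted(packets):
        ts, src, proto, _ = pkt
        if proto != "icmp-echo" or buckets[src].allow(ts):
            forwarded.append(pkt)
        else:
            dropped[src] += 1
    # A source that keeps hitting the choke point is the kind of pattern the
    # article says to look for; it is reported rather than silently dropped.
    flagged = sorted(src for src, n in dropped.items() if n >= flag_after)
    return forwarded, dict(dropped), flagged
```

On the sample traffic the flooding source gets its 5-packet burst through and has the remaining 45 echo requests dropped, while the once-a-second pings and the TCP segments all pass.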
Preventative measures have been slow to evolve because DoS attacks are so diverse and hard to predict. Nevertheless, some effective measures, such as smart filtering on Cisco routers, are being developed.
One of the most effective safeguards against DoS attacks is simple redundancy. If your primary router or firewall can be brought down, have a backup on hand. Also, be ready to rebuild from backup or hot spares as needed. There's no substitute for being prepared for an attack -- even if the playing field is wide open. A staff that runs through fire drills to prepare itself has a chance of surviving an attack without a major outage.