Understanding Denial of Service (DoS)

In this article I will explain a type of attack that can be said to have no cure: denial of service, or DoS. When a DoS attack is carried out by a group and organised properly, it produces tremendous damage and can paralyse popular sites such as twitter.com and metasploit.com.
What is a DoS?
Denial of service is a type of attack whose goal is to prevent legitimate users from enjoying the service a server provides. A server, as the name implies, is a waiter that must always be ready to serve user requests, and it generally operates 24 hours a day without stopping. An example is a web server, whose service to web visitors is to provide information in the form of HTML pages. Under normal conditions a visitor can request a resource from the web server and display it in the browser, but if the web server is under a DoS attack the visitor cannot enjoy its service.
In general, there are 2 ways to carry out a DoS attack:
1. Killing the server
2. Occupying the server
   • without a bug / vulnerability
   • by exploiting a bug / vulnerability
DoS by Killing the Server: Kill Them!
You may have wanted to use a pay phone or an ATM but could not because of a piece of paper taped on the machine with the message “Out of Service” or “Under Repair”. Pay phones are a common target of DoS attacks: everywhere we find pay phones damaged by DoS attacks such as slamming down the handset, pulling out the cable, smashing the LCD and other actions.
The purpose of this attack is to make the server shut down, reboot, crash or become “not responding”. The damage caused by this attack is persistent, meaning the DoS condition remains even after the attacker has stopped attacking; the server only returns to normal once it is restarted/rebooted. How is this DoS attack done? It is done by exploiting a bug / vulnerability on the server. The keywords in vulnerabilities of this type are usually “specially / carefully crafted packet / request”, meaning a specially designed packet. Why specially designed? Because the packet contains certain properties that make the server process die when it handles that special packet.
Let us consider some examples of vulnerabilities that result in this kind of DoS attack:
• Ping of Death (CA-1996-26)
This is a very old kind of bug. There are practically no more systems vulnerable to it. When exploited, this bug makes the server crash, freeze or reboot. The attack is done by sending a “specially crafted” packet in the form of an oversized ICMP packet, i.e. a packet larger than normal. When the server receives and processes this “weird” packet, it crashes, freezes or reboots. This is an example of a “one shot one kill” DoS attack, because it can bring down the server with just one shot.
• MySQL IF() Query DoS (SA25188)
This bug makes the MySQL server crash just by sending a special SQL statement containing the IF() function, for example: “SELECT id FROM example WHERE id IN (1, (SELECT IF(1=0, 1, 2/0)))”. This is also a “one shot one kill” kind of attack.
• Cisco Global Site Selector DNS Request Denial of Service (SA33429)
This bug makes the Cisco DNS server die when multiple “specially crafted” DNS request packets are sent in a particular order.
The three examples above should be enough to give an idea of how this type of DoS attack is carried out. At its core, the attacker exploits a bug that makes the server stop working, and this is usually done alone and remotely by sending a specially crafted packet.
DoS by Occupying the Server: Make Them As Busy As Possible!
In the days before Eid we often find it very hard to send an SMS, and sending often fails. Likewise, during a TV quiz show, phoning the numbers to answer the quiz is very difficult. This happens because so many people are texting during Eid and calling during the quiz that the telecommunication network becomes too busy to serve other users. This is similar to what happens when a server is hit by a denial of service. The DoS at these events is not the kind that shuts down the server, but the kind that keeps the server busy. This type of DoS is temporary: the server returns to normal once the attacker stops sending the requests that keep it busy.
This type of DoS is divided into 2 kinds based on how the attack is carried out:
• Exploiting a vulnerability: attack with malicious requests / packets
• Without exploiting a vulnerability: attack with normal requests / packets
Keeping the server busy by exploiting a vulnerability is faster than doing so without exploiting one.
Making the Server Busy by Exploiting a Vulnerability
In this type of DoS attack, the attacker takes advantage of a bug that makes the server use excessive resources (CPU, memory, disk space, etc.). The attacker figures out how to make the server work extra hard (much harder than for a normal request) to serve his request. Usually this type of DoS attack is not a “one shot one kill” attack. The attack is carried out with many requests to the server, each of which consumes more resources than a normal request.
In simple math: if the attacker can make the server work for 10 seconds just to serve him (where normally it takes 0.1 seconds), then by sending 1,000 such requests the attacker can make the server serve him for 10,000 seconds (2.7 hours), so other users cannot enjoy the server's service.
To better understand this type of DoS, let’s look at examples of vulnerabilities that can be exploited for this type of DoS attack:
• TCP SYN Flood DoS
This is a very old DoS attack. The attacker floods the server with requests in the form of malicious SYN packets with fake source IP addresses. A SYN packet is the packet from the client that initiates a TCP/IP connection; the server then replies with a SYN-ACK, and the client completes it with an ACK. This process is called the three-way handshake.
The trick is to fake the source IP address in the SYN packet from the client. As a result, the server sends its SYN-ACK (step 2) to the wrong IP address, so it never gets the reply ACK from the client. Yet for every client that tries to open a connection, the server allocates resources such as memory and time while it waits for the client’s ACK. In this way the server’s resources are spent only on serving fake requests from the attacker.
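From the defender's side, the signature of the handshake abuse described above is a pile-up of connections that received a SYN but never the final ACK (half-open connections). The following is an added example, not code from the original article: it replays a constructed, labelled packet capture (hypothetical Packet records, documentation-range addresses) through a small handshake tracker and flags the capture when the number and share of half-open connections cross a threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment as seen at the server (constructed for this example)."""
    t: float        # arrival time in seconds
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    flags: str      # "S" = client SYN (step 1), "A" = client's final ACK (step 3)


def track_handshakes(packets, dport=80):
    """Return (pending, completed): half-open handshakes keyed by (src, sport),
    and the set of handshakes that reached step 3."""
    pending = {}      # (src, sport) -> time the SYN arrived
    completed = set()
    for p in packets:
        if p.dport != dport:
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            pending.setdefault(key, p.t)       # server would now hold state for this client
        elif p.flags == "A" and key in pending:
            del pending[key]                   # handshake finished, state is released
            completed.add(key)
    return pending, completed


def assess(packets, dport=80, half_open_limit=50, ratio_limit=0.5):
    """Flag the capture as a suspected SYN flood when many handshakes stay half-open
    and they dominate the traffic seen on the port."""
    pending, completed = track_handshakes(packets, dport)
    total = len(pending) + len(completed)
    ratio = len(pending) / total if total else 0.0
    return {
        "half_open": len(pending),
        "completed": len(completed),
        "half_open_ratio": ratio,
        "suspect": len(pending) >= half_open_limit and ratio >= ratio_limit,
    }


def build_sample_capture(spoofed=200, genuine=5):
    """Constructed capture: a few genuine clients that complete the handshake, followed by
    SYNs from spoofed sources that never answer the server's SYN-ACK."""
    server = "198.51.100.5"
    packets = []
    t = 0.0
    for i in range(genuine):
        src = f"192.0.2.{i + 1}"
        packets.append(Packet(t, src, 40000 + i, server, 80, "S"))
        packets.append(Packet(t + 0.01, src, 40000 + i, server, 80, "A"))
        t += 0.1
    for i in range(spoofed):
        src = f"203.0.113.{i % 254 + 1}"       # spoofed address, so no ACK ever comes back
        packets.append(Packet(t, src, 50000 + i, server, 80, "S"))
        t += 0.001
    return packets


if __name__ == "__main__":
    print(assess(build_sample_capture()))
```

On the constructed capture the tracker reports 200 half-open and 5 completed handshakes and marks it as suspect; with the spoofed segment removed it reports 0 half-open and no alert. In a real deployment the same counters come from the kernel's own connection table rather than a packet replay, and the standard mitigation on Linux servers is to enable SYN cookies so that no state is kept for a connection until the client's ACK arrives.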
• Apache mod_deflate DoS
Apache uses mod_deflate to compress files. When a visitor asks for a file, Apache uses mod_deflate to compress it and then sends it to the visitor. However, if the visitor drops the TCP connection in the middle of the compression process, Apache keeps on compressing the file for a visitor who is actually no longer there (already disconnected). So the bug is the wasteful use of CPU resources to compress a file for a client that no longer exists.
The attacker exploits this weakness by requesting a large file and then disconnecting after a short time, so the server works hard compressing the file for a visitor who is no longer there. This request is repeated many times until the server is so busy that all its CPU resources are exhausted.
The two vulnerability examples above explain well enough how this type of DoS attack is carried out. At its core it is sending many malicious requests / packets that make the server consume more resources and more time for each request.
Making the Server Busy Without Exploiting a Vulnerability
This is the kind of attack that relies on the ability to send as many normal requests as possible so that the server becomes busy. The difference between this type of DoS and the vulnerability-exploiting DoS lies in the request. The requests sent in this type of DoS are normal requests like those of ordinary users, so the server does not consume excessive resources. The vulnerability-exploiting DoS, on the other hand, relies on sending specially crafted malicious requests to make the server consume more resources serving each malicious request.
A single normal request consumes a mediocre amount of server resources and will not affect the server as a whole. Normal requests are needed in abundance to make the server work without interruption. So for this attack to be effective, it must be carried out together from many places; the greater the number of attackers, the better the result. This attack is also called distributed DoS (DDoS) because it is done from many distributed (scattered) locations.
DDoS attacks are carried out using zombie computers, or robots. A zombie is a computer that has already been taken over by the attacker so that it can be controlled remotely. A collection of zombie computers forms a network called a botnet. The attacker gains many zombies by spreading viruses or worms; every infected computer installs a program that makes the computer willing to run commands from the attacker.

The picture above (not reproduced in this text) explains how a DDoS works. The attacker orders all the troops to make an HTTP request to a website. When the attacker-controlled forces are very large, the web server is flooded with requests, becomes too busy and cannot be accessed by real users (real visitors).
This type of attack has no cure, because the attacker does not exploit any bug or vulnerability. Whereas the other types of DoS can be prevented by patching or updating software, this attack cannot be stopped with updates or patches.
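Because each zombie sends only normal requests, a per-client rate limit on the web server sees nothing wrong; what gives the attack away is the aggregate rate. The following is an added example, not code from the original article: it parses constructed Apache combined-format access log lines (private-range addresses standing in for bots, a documentation-range address for a genuine visitor), keeps a sliding-window count per source and for the server as a whole, and shows that only the global counter crosses its threshold.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: IP, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, unix_time) for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp()


def analyse(lines, window=10.0, per_ip_limit=20, global_limit=200):
    """Sliding-window request counting over time-ordered log lines.
    Tracks the peak number of requests from any single IP and from everyone combined."""
    per_ip = {}
    everyone = deque()
    peak_ip = 0
    peak_global = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t = parsed
        q = per_ip.setdefault(ip, deque())
        for dq in (q, everyone):
            dq.append(t)
            while t - dq[0] > window:     # drop requests that fell out of the window
                dq.popleft()
        peak_ip = max(peak_ip, len(q))
        peak_global = max(peak_global, len(everyone))
    return {
        "peak_per_ip": peak_ip,
        "peak_global": peak_global,
        "per_ip_limit_hit": peak_ip > per_ip_limit,      # would a per-client limiter fire?
        "global_limit_hit": peak_global > global_limit,  # does the server as a whole look flooded?
    }


def build_sample_log(n_bots=150, requests_per_bot=2, normal_requests=5):
    """Constructed log: many bots each sending a couple of ordinary GETs within 5 seconds,
    plus one genuine visitor (192.0.2.10) browsing normally."""
    base = datetime(2000, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    events = []
    for b in range(n_bots):
        for r in range(requests_per_bot):
            events.append(((b * 7 + r * 3) % 5, f"10.0.{b}.7"))   # offsets spread over 0..4 s
    for r in range(normal_requests):
        events.append((r, "192.0.2.10"))
    events.sort()                                                 # logs are written in time order
    lines = []
    for offset, ip in events:
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

On the constructed log the busiest single source is the genuine visitor with 5 requests in the window, well under the per-client limit, while the server as a whole sees 305 requests in 10 seconds and crosses the global limit. That gap is exactly why this kind of attack cannot be fixed with a patch: the only signal is volume, so defences have to operate on capacity (more servers, upstream filtering, caching) rather than on request content.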

Conclusion
Denial of service is an attack that makes the server unable to serve real users. Here are the types of DoS attacks by the way the attack is carried out:
• Killing the server: one shot, one kill to make the server crash, hang or reboot.
• Occupying the server: send a lot of requests to make the server busy.
  • Exploiting bugs: send many specially crafted requests. Fewer requests are needed than for the type of DoS that keeps the server busy with normal requests.
  • Normal requests: send normal requests like those of ordinary users. The number of requests required is larger than for the bug-exploiting busy-server DoS. Typically uses distributed botnets.

Arief Wahyu W – 125150305111001