Understanding Denial of Service Attack

In this article I will explain about the types of attacks that can be said there is no cure, ie denial of service or DoS. If the DoS attack was conducted in a gang and organized well, it will produce tremendous damage and can paralyze popular sites like twitter.com and metasploit.com.

What is DoS

Denial of service is a type of attack whose purpose is to prevent users who actually enjoy the services provided servers. Server as the name is a servant who must always be ready to serve user requests, which generally operate 24 hours without stopping. Examples are in charge of the web server serves web visitors to provide information in the form of html pages. In normal circumstances, visitors can request a resource from the web server to be displayed in the browser, but if the web server DoS attack so visitors can enjoy the web services server.

In general there are 2 ways to DoS attacks:

1. Lethal Server
2. Server busy
* No bug / vulnerability
* Why exploits a bug / vulnerability

Denial by Deadly Server: Kill Them!

You never have to use a pay phone or ATM but could not because the machine is attached paper with the message "Out of Service" or "Medium in the improvement". Public phones are the target of DoS attacks are common, everywhere we find a general phone damaged by such DoS attacks slammed down the phone, unplugged, the LCD broke and other actions.

The purpose of this attack is to cause the server to shutdown, reboot, crash, "not responding". So these attacks result in damage to the persistent nature means DoS condition will still occur even if the attacker has stopped attacking, the new server back to normal after di-restart/reboot.

How can this be done DoS attack? The attack was carried out to exploit the bug / vulnerability on the server. Keyword in the vulnerability of this type usually is "specially / carefully crafted packet / request", which means a specially designed package. Why is specially designed? Because the package contains a certain qualities that make the server process dies when that particular package.

Let us consider some examples of the resulting vulnerability to DoS attacks:

* Ping of Death (CA-1996-26)

This is the kind of bug that is very old. Practically no longer a system is vulnerable to the bug. This bug when diexploit will make the server crash, freeze or reboot. This attack is done by sending "specially crafted" packets in the form of oversized ICMP packet, the packet size above normal. When the server receives and processes packets that "weird" is, then the server will crash, freeze or reboot. This is an example of DoS attacks "one shot one kill" because it can damage the server with only one shot.
* MySQL query IF DoS (SA25188)

This bug will make mysql server to crash just by sending a special sql function containing IF () example: "SELECT id from example WHERE id IN (1, (SELECT IF (1 = 0,1,2 / 0 )))". It's also kind of attack a "one shot one kill".

* Cisco Global Site Selector DNS Request Denial of Service (SA33429)

This bug made DNS server by sending Cisco died several "specially crafted" request control packet in a particular order.

The three examples above would be sufficient to provide a description of how this type of DoS attack performed. At its core is the attacker take advantage of (read: mengexploit) bug that makes servers stop working and are usually done alone remotely by sending a specially crafted packet.

Denial by busied Server: Make Them As Busy As Possible!

At the time before Lebaran we often feel so hard to send sms, often even failed to send. Similarly, when going on a quiz show on TV, the number mengelpon to answer the quiz was so difficult. This happens because there are so many people who send sms during Lebaran and called at the time of the quiz, making telecommunication networks have become so busy that could not serve another user. The incident is similar to what happens when a server is a denial of service attack. Denial is happening in these events is not the kind of deadly DoS the server, but the type of DoS the server busy.

Type of DoS is temporary, the server will return to normal when the attacker stops sending requests to a busy server.

Denial of this type is divided again into 2 types based on the way to attack:

* Exploiting vulnerability: Attacking with malicious request / packet
* No vulnerability exploitation: Attacking with the normal request / packet

Creating server vulnerability mengexploitasi busy with more quickly than without mengeksploit vulnerability.

Make Server Busy by Exploiting Vulnerability

In this type of DoS attack, the attacker take advantage of a bug that makes servers using excessive resource (cpu, memory, disk space, etc.). Attacker will figure out how to make the server work extra hard (much harder than a normal request) to serve her request. Usually this type of DoS attack is not the form of attack "one shot one kill". The attack carried out by doing a lot of requests with each request to the server consume more resources than a normal request.

In simple math, if the attacker could cause the server to work for 10 seconds only to serve him (eg, normally 0.1 seconds), then the attacker can send a request to create a server 1.000x serve him for 10,000 seconds (2.7 hours more), so create another user can not enjoy the server service.

To better understand this type of DoS, let's look at the examples that can diexploit vulnerability to DoS attacks of this type:

* TCP SYN Flood Denial

This is a DoS attack that is very old. Attacker attacks by flooding the server with requests of malicious SYN packets with fake source IP address. SYN packet is a packet from the client that initiated the formation of TCP / IP, then the server will respond with a SYN-ACK, and is equipped with a SYN-ACK packet-ACK from the client, this process is referred to three three-way handshake.

The trick is to fake the source IP address in the SYN packet from the client. As a result the server will send a SYN-ACK (step 2) to the wrong ip address that the server will not get a reply SYN-ACK-ACK from the client. Yet for every client who tried to open a connection, the server will allocate resources such as memory and time to wait for an ACK from the client replies. In this way the attacker to spend resources to serve only server false requests from the attacker.
* Mod_deflate Apache DoS

Apache using mod_deflate to compress the files. When the visitor asked for a file, then Apache will use mod_deflate to compress them and then send it to the visitor. But if in the middle of the process of compression, TCP connection decided visitor, Apache still working compress the files to the actual visitor is not there (was disconnect). So bugnya is the cpu resource usage borosnya to compress the files to the client that no longer exists.

Attacker take advantage of this weakness by asking for a large file, then in a short time so decided to make server connections to work hard for the visitor mempatkan files that no longer exists. This request is repeated many times until the server is so busy and exhausted all the cpu resources.

Two examples above vulnerability is explained how this type of DoS attack performed. At its core is to send a lot of malicious request / package to the server consume more resources and more time for each request is.

Make Busy Without Exploiting Server Vulnerability

This is the kind of attacks that rely on the ability to send requests to normal as much as possible so that the server becomes busy. The difference this type of DoS DoS vulnerability that is mengexploit on the request. Request sent on this type of DoS is a normal request as the user, so the server does not consume excessive resources. While DoS vulnerability that relies on sending specially crafted malicious requests to make the server consume more resources to serve the malicious request.

Normal requests cause the server to consume only the resources in the amount of mediocre, will not affect the overall server. Normally required number of requests in a very much disturbed to make the server work. So for this attack to be effective, then the attack must be made a gang from many places, the more attackers the better the results. This attack is also called a distributed DoS (DDoS) because it is done from many locations distributed (spread).

DDoS attacks carried out by using zombies or robots. Zombies are computers that are controlled so that attackers can be controlled remotely. A set of zombie computers to form networks called bot-net. Attacker get a lot of zombies with a spreading virus or worm, which infected every computer you install into a computer program that will run the commands from the attacker.

Botnet DDoS Attack

Courtesy of: www.dos-attack.net

The picture above explains how the DDoS. Attacker gave orders to all forces to make HTTP requests to a website. If the attacker-controlled army is very large, then the web server will be swamped with requests that become too busy and can not be accessed by users who actually (real visitors).

This type of attack there is no cure because the attacker does not exploit any bug or vulnerability. If on the other types of DoS attacks can be prevented by patching or updating software, then this attack can not be stopped with the updates or patches.


Is a denial of service attacks that cause the server can not serve the real users. Here are the types of DoS attacks based on the way to attack:

* Turn off the server: one shot, one kill to your server crashes, hangs, reboot.
* Busy server: sending so many requests to make the server busy.
o Exploiting the bug: send a lot of specially crafted request. The number of requests is not as much of a busy server DoS with the normal request.
o Normal requests: send a lot of user requests as normal as usual. Required number of requests for more than a busy type of DoS exploit servers with bugs. Usually used in a distributed botnet.

What's on Your Mind...

My Blog List


guest book

ShoutMix chat widget