
dos attacks crippled

welcome to my tutorial on dos (denial of service). well, to start with i must say
that dos attacks are not hacking at all. a dos attack can be caused by a single
click, believe it or not; even a newbie can cause a dos attack. a denial of
service attack can bring down the servers of big firms such as yahoo, msn etc.
anyway, to start with i must say that this tutorial will explain the most
commonly used dos attacks, how they are carried out and how to defend yourselves
from these attacks.

denial of services

a dos, also known as a denial of service attack, is a type of attack which
exploits vulnerabilities in services such as servers or software, or in internet
protocols like tcp/ip; it brings down the target service by exploiting whatever
vulnerability it can find. in short, it prevents the user from using the
particular service.

an example of a denial of service attack:

a few years ago, a major flaw was detected in windows 95. in this particular
operating system the tcp/ip stack could only handle a data packet up to 6400
bytes in size. this vulnerability was exploited by a simple ping command.

the ping command was as follows:

---------------------------------------------------------------------------

ping -t -l 6500 <victim's ip address>

---------------------------------------------------------------------------

this simple ping command could crash and reboot a system. the above example is a
description of the simplest dos attack, which used to be carried out in the early
days. this dos attack is also called the ping of death.

nowadays, the ping of death is quite feeble because almost all operating systems
are patched to prevent such attacks. nowadays, deadlier attacks like syn
flooding, teardrop, smurf, semirandom etc. are used.

types of dos attacks

there are basically two types of dos attacks. the first one is the magic packet
attack.

magic packet attacks

in this type of attack an attacker causes a dos by exploiting vulnerabilities in
the operating system, in the server or even in the software. the attack is
carried out by sending a few specially crafted data packets to particular ports.

examples of this type of attack:

ping of death

winnuke

resource exhaustion attack

by the name you can guess what type of attack this is. every operating system has
a finite amount of system resources. in this type of attack, the attacker sends
a practically unlimited number of data packets in a well planned way. what i mean
to say by this is that the attacker tries to overload the victim's system
resources and ram (random access memory), thus forcing the victim's system to
crash or reboot.

example of this type of attack:

icmp (internet control message protocol) ping network flood.

asymmetric dos

there are many ways of attacking a target system with dos attacks. an asymmetric
dos attack is a sophisticated way of attacking a bandwidth link or a server. i
will show this type of attack with an example:

i send an icmp (internet control message protocol) ping request to the target
system with a spoofed ip. i send it into a network of considerable bandwidth with
a spoofed ip, in such a manner that the target system thinks that the request is
coming from a system within its own network, so as to compel it to send the reply
packet to that particular system in its network, thus causing a flood circle. by
repeating this process a few times, even from a 56 kbps dial-up connection it is
possible to bring down a network of high bandwidth, because a flood circle
develops within its internal network which will definitely overload the system
resources.

commonly used dos attacks

syn flooding

this is one of the most dangerous attacks. this dos attack is executed by
exploiting the tcp/ip three-way handshake on which connection establishment is
based. in this dos attack, the attacker floods the target system with unfinished
syn requests. the target system cannot finish these syn requests, so it has to
use its system resources to store them temporarily. by this, the system resources
get overloaded and the target system crashes.

you must be wondering what the tcp/ip three-way handshake is. i am going to give
you a detailed view of the tcp/ip three-way handshake.

so, for a successful connection between two systems, host and client must
complete a three-way handshake.

first the client sends a syn packet, also called a syn request, to the host
asking for a tcp/ip connection.

then the host replies with a syn/ack packet to the client, thus showing its
response and acknowledgement.

after that, the client sends an ack packet to the host, thus completing the
connection.

client  ------------ syn ------------>  host      (first handshake)

host    ---------- syn/ack ---------->  client    (second handshake)

client  ------------ ack ------------>  host      (third handshake)

this is the typical anatomy of connection establishment between two systems;
after this operation, authentication takes place.

note: syn and ack packets are specially constructed by the operating system.

just like syn and ack packets, fin is also a type of packet specially constructed
by the operating system to terminate a connection with another system.

now you must be wondering how to perform this type of attack. well, it is a bit
tedious to perform, but still i am going to teach you all how it is done. so, we
have the knowledge about the tcp/ip three-way handshake and we also know the
mechanism of this type of attack.

now, for performing this type of attack, we need to flood the target system with
unfinished syn requests. what i mean to say is that we will keep sending syn
packets and never answer the host's syn/ack packets.

note: we will just send syn packets; we will not send ack packets.

so, we must think analytically before flooding. here, i first send a syn packet
requesting a connection with the target system. the target system would
obviously respond with a syn/ack packet. now i ignore the syn/ack packet from
the host and send some more syn requests to the target system. note that i have
not completed the earlier three-way handshake, so the target system has pending
syn requests loaded in its memory, thus devouring system resources. also note
that i have sent a couple more syn packets to the target system but did not
respond to the syn/ack packets from the host. through this the resources of the
system are devoured by these pending syn requests, which i never complete.

in this manner i continue to flood the target system with numerous syn requests
within a very short period of time. with my dos attack, the target system's
resources are devoured by these unfinished syn requests, and through this the
system crashes or reboots.
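the half-open table the text describes, modelled as an added example (this is my code, not from the tutorial and not a real tcp stack): a server keeps one entry per syn it has answered with syn/ack, and a flood of syns that are never acked fills it. the block shows the unbounded case, where every pending entry stays in memory, beside the two defences a patched stack applies: a hard backlog limit and a timeout that evicts stale entries, so an honest client gets through once the flood's entries expire. the class and function names, the backlog size, the timeout and the addresses are all constructed for the example.

```python
# added example (not from the tutorial): a model of the server-side table of
# half-open connections that a syn flood fills. class and function names,
# sizes and addresses are constructed; this is not a real tcp stack.
from collections import OrderedDict


class HalfOpenTable:
    """one entry per syn the server has answered with syn/ack but not yet seen acked."""

    def __init__(self, max_backlog, timeout):
        self.max_backlog = max_backlog   # entries kept before new syns are refused
        self.timeout = timeout           # seconds before a stale entry is evicted
        self.pending = OrderedDict()     # (ip, port) -> time the syn arrived
        self.dropped_syns = 0            # syns refused because the table was full
        self.established = 0

    def expire(self, now):
        """evict, oldest first, every entry whose syn/ack went unanswered for too long."""
        while self.pending:
            started = next(iter(self.pending.values()))
            if now - started < self.timeout:
                break
            self.pending.popitem(last=False)

    def on_syn(self, src, now):
        """a syn arrived; return True if a half-open entry could be queued for it."""
        self.expire(now)
        if len(self.pending) >= self.max_backlog:
            self.dropped_syns += 1
            return False
        self.pending[src] = now   # in a real stack this is the memory the flood consumes
        return True

    def on_ack(self, src, now):
        """the client's final ack; completes the handshake if its entry is still pending."""
        self.expire(now)
        if src not in self.pending:
            return False
        del self.pending[src]
        self.established += 1
        return True


def simulate(max_backlog=128, timeout=30.0, flood_size=1000):
    """constructed scenario: flood_size syns that are never acked, then one honest client."""
    table = HalfOpenTable(max_backlog, timeout)
    for i in range(flood_size):                       # all at t=0, distinct spoofed sources
        table.on_syn((f"198.51.100.{i % 250}", 10000 + i), now=0.0)
    peak = len(table.pending)
    dropped_flood = table.dropped_syns
    honest = ("203.0.113.7", 40000)
    refused = not table.on_syn(honest, now=1.0)       # table still full of flood entries
    accepted = table.on_syn(honest, now=timeout + 1)  # flood entries have expired by now
    completed = table.on_ack(honest, now=timeout + 1.5)
    return {
        "half_open_at_peak": peak,
        "syns_dropped_during_flood": dropped_flood,
        "honest_refused_during_flood": refused,
        "honest_accepted_after_timeout": accepted and completed,
        "established": table.established,
    }


if __name__ == "__main__":
    print("unbounded backlog:", simulate(max_backlog=10**6))
    print("bounded backlog:  ", simulate())
```

run it as a script to print both outcomes. the thing to take away is that without a limit the memory cost grows with the attacker's packet rate, while with a limit the cost is bounded but honest syns are refused while the table is full, which is why real stacks add syn cookies on top of the backlog limit.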

i know that you must be wondering how to send syn requests to the target system.
well, there are many tools to send specially crafted data packets.

tools of trade

libnet

tfn2k

teardrop attacks

this attack is carried out by exploiting a vulnerability which is present in
almost all operating systems. this vulnerability is called the packet reassembly
vulnerability. this is a very well planned attack and a very dangerous one. it
can be carried out from a system with very low bandwidth; i must say, this is a
true example of an asymmetric denial of service attack.

packet reassembling vulnerability

i will give you a practical example of the packet reassembly vulnerability.

suppose you have a 56 kbps (kilobyte per second) modem and you want to send a
file of 1 mb (megabyte). you want to send the file via the send file option in
yahoo or msn, or via an ftp (file transfer protocol) server. have you ever
wondered how your 56 kilobyte modem will send a 1000 kilobyte file? well, the
answer is quite simple: the file which you are going to send is broken into small
fragments at the source system, and these pieces are called packets. all these
packets are collected at the target system to reproduce the original file.

every packet of data, which is sent through the internet, has two parts:

1. the header part - this part comprises some important information, like the
sequence number, byte length, data type etc.
2. the tail part - it comprises the actual information stored in the file.

note: the header part contains the information for reassembling.

let us take a small example

suppose i want to send a file of size 5000 kb to my friend. now, the file which i
am going to send is broken down into 5 parts each containing 1000 kb. actually,
the file is broken into much smaller parts, but i have kept it at 5 parts to
avoid complications.

now, these 5 parts are called data packets and each part will carry 1000 kb. the
header part of the first packet will have a byte range of 1-1000; the second
packet will have 1001-2000, similarly the third packet will have 2001-3000, and
so forth.

each packet has an offset field which indicates from which byte to which byte a
particular data packet covers. according to this offset field the data packets
are reassembled at the target system to regenerate the original file.

the header part of the above data packets is shown schematically:

data packet no.   size   offset field   type
1                 1000   1-1000         tcp/ip
2                 1000   1001-2000      tcp/ip
3                 1000   2001-3000      tcp/ip
4                 1000   3001-4000      tcp/ip
5                 1000   4001-5000      tcp/ip

now, you must be wondering how a teardrop attack is executed. well, in a teardrop
attack custom made data packets with altered offset fields are sent to the target
system. through this the target system crashes or reboots. so, i am going to
demonstrate the teardrop attack to you through a practical example.

okay, so, firstly, i want to send a file of 5000 kb to the target system. this
file is split up into 5 parts each of 1000 kb, which are supposed to be
reassembled at the target system. for executing the teardrop attack on the
target system, i have to modify the offset fields of these data packets. these
data packets will be sent to the target system and the target system will
attempt to reassemble them according to their offset fields.

suppose the first packet has an offset field of 1-1000 and the second packet has
an offset field of 1001-2000. but in the third packet i alter the offset field;
i change it from 2001-3000 to 2000-3000, similarly in the fourth packet the
offset field will be 3000-4000 and in the fifth packet the offset field will be
4000-5000. you must have noticed that 2000, 3000 and 4000 now each appear twice
in the offset fields. the target system will be presented with something like
this:

1 ---> 1000

1001 ---> 2000

2000 ---> 3000

3000 ---> 4000

4000 ---> 5000

instead of this:

1 ---> 1000

1001 ---> 2000

2001 ---> 3000

3001 ---> 4000

4001 ---> 5000

the target system will have no idea how to handle these kinds of data packets,
and reassembling them according to tcp/ip or ipv4 will result in a system crash
or reboot.
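the two reassembly problems described in the ping of death section earlier and in the teardrop example just above come down to the same check on fragment offsets, so here is one added example covering both (my code, not part of the tutorial): a pre-check a receiving stack or an intrusion detection system could run on a fragment set before copying anything into a reassembly buffer. the "a ---> b" inputs are the tutorial's own two tables, written in the same 1-based inclusive form; the function names, the little parser and the 65535-byte limit (the largest datagram ipv4 can describe) are my assumptions.

```python
# added example (not from the tutorial): refuse fragment sets of the two shapes
# the text describes, ranges that overlap or leave gaps (teardrop) and ranges
# that run past the maximum datagram size (ping of death). ranges are inclusive
# "first byte-last byte" like the tables in the text; the 65535-byte limit is
# ipv4's maximum and is my assumption, not a figure from the tutorial.
MAX_DATAGRAM = 65535


def check_fragments(fragments, max_datagram=MAX_DATAGRAM):
    """fragments: list of (first_byte, last_byte), 1-based inclusive, any order.
    returns (ok, reason). a robust receiver drops the whole set on any problem
    instead of trying to copy overlapping data into its reassembly buffer."""
    if not fragments:
        return False, "empty fragment set"
    ordered = sorted(fragments)
    if ordered[0][0] != 1:
        return False, f"first fragment starts at byte {ordered[0][0]}, not 1"
    expected_next = 1
    for first, last in ordered:
        if last < first:
            return False, f"fragment {first}-{last} has negative length"
        if last > max_datagram:
            return False, f"fragment {first}-{last} exceeds {max_datagram}-byte datagram limit"
        if first < expected_next:
            return False, (f"fragment {first}-{last} overlaps data already "
                           f"covered up to byte {expected_next - 1}")
        if first > expected_next:
            return False, f"gap: expected byte {expected_next}, got fragment starting at {first}"
        expected_next = last + 1
    return True, f"reassembles cleanly into {expected_next - 1} bytes"


def parse_offset_table(text):
    """parse the 'a ---> b' lines drawn in the tutorial into (a, b) tuples."""
    fragments = []
    for line in text.strip().splitlines():
        a, b = line.replace("--->", " ").split()
        fragments.append((int(a), int(b)))
    return fragments


# constructed inputs mirroring the tutorial's two tables, plus an oversized set
NORMAL = "1 ---> 1000\n1001 ---> 2000\n2001 ---> 3000\n3001 ---> 4000\n4001 ---> 5000"
TEARDROP = "1 ---> 1000\n1001 ---> 2000\n2000 ---> 3000\n3000 ---> 4000\n4000 ---> 5000"
OVERSIZED = [(1, 60000), (60001, 70000)]   # second fragment runs past 65535

if __name__ == "__main__":
    for label, frags in (("normal", parse_offset_table(NORMAL)),
                         ("teardrop", parse_offset_table(TEARDROP)),
                         ("oversized", OVERSIZED)):
        print(label, check_fragments(frags))
```

the check works on sorted ranges and carries a single "next byte expected" cursor, so an overlap, a gap and an oversize are each caught by one comparison; the page's teardrop set fails at the third fragment, which starts at byte 2000 when the first two already cover bytes 1 to 2000.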

tools of trade

elite

tfn2k

note: if you are an elite c programmer, then try making your own denial of service
tool.

smurf attack

this is one of the most dangerous denial of service (dos) attacks. it is a very
intelligent and sophisticated attack. it has the capacity to cause a disaster in
the target network; it can even bring down the entire network. in this type of
attack, the attacker uses a simple ping flood with a spoofed ip (internet
protocol) address. basically the attacker tries to create a circle of flood
between the target system and a system within its internal network. to deal with
this type of dos attack, you need to have a clear conception of ip spoofing.

note: read my tutorial on 'ip spoofing elucidated'

actually, ip spoofing is a technique to replace your ip with some other ip.

for example

suppose my ip is 203.194.196.255; by performing ip spoofing i can establish a
connection or send data packets to a remote system with some other ip, say
64.1.123.56. i personally think that ip spoofing is a complicated topic to
discuss, so i suggest you all read my tutorial 'ip spoofing elucidated'.

also, read the most comprehensive tutorial on ip spoofing, 'ip spoofing
demystified'.

anyway, i think i should give you a brief overview of ip spoofing. as i have
already told you, ip spoofing is a technique to replace your ip with some other
ip. i have also explained the tcp/ip 3 way handshake. another thing i need to
explain is that the header part of every data packet carries a sequence number
which is particular to that packet only. this sequence number helps the target
system to identify that particular data packet. sequence numbers can be thought
of as 32 bit counters ranging from 0 to 4,294,967,295. so, in ip spoofing, in
order to establish a connection with the remote system using a spoofed ip, you
need to send custom made data packets to the target system. according to the
tcp/ip 3 way handshake, in response to your syn packets the target computer will
send its syn/ack packet to the spoofed ip.

let's take an example:

attacker (real ip 203.194.196.255, spoofed as 64.1.123.56)  ---- syn ---->  target

target  ---- syn/ack ---->  spoofed ip 64.1.123.56  (nothing comes back to 203.194.196.255)

well, in order to complete the tcp connection with a spoofed ip, you need to send
an ack packet to the target system carrying a valid sequence number. but the
syn/ack that holds the target's sequence number went to the spoofed ip and never
reaches you, so establishing the connection with a valid sequence number is very
difficult.

execution of smurf attack

well, i think you now have the basic overview of the smurf attack. basically, in
this kind of attack, the attacker ceaselessly ping floods the target system with
an ip spoofed as the ip of a system within the internal network of the target
computer. so, in response to the attacker's ping requests the target computer
sends reply packets to the spoofed ip, that is, the system within its internal
network, which causes that system to send them back to the attacker's target
system. so, through this, the attacker's target system is being ping flooded
from two ends, and at one end a circle of ping of death is established which
results in resource exhaustion of the target system and a system crash.
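the smurf circle described above, and the asymmetric dos example earlier, both rely on a packet entering the target's network with a source address that belongs inside it, and on an echo request fanning out to many hosts. as an added example (my code, not the tutorial's) here is the router-side filtering logic that breaks both: source-address filtering on the way in and on the way out (the practice known as bcp 38), and refusing echo requests aimed at the network's directed broadcast address. the network 192.0.2.0/24, the interface names and the sample packets are constructed for the example.

```python
# added example (not from the tutorial): the two border-router checks that break
# a smurf "flood circle". the inside network, the interface names and the
# packets are constructed; icmp type 8 is echo request.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed "inside" network


def classify(packet, internal_net=INTERNAL_NET):
    """packet: dict with 'iface' ('outside' or 'inside'), 'src', 'dst', 'proto'
    and, for icmp, 'icmp_type'. returns 'forward' or a drop reason."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    # ingress filter: nobody on the outside may claim an inside address
    if packet["iface"] == "outside" and src in internal_net:
        return "drop: spoofed internal source on outside interface"
    # egress filter: nothing leaving may claim an address that is not ours,
    # so our hosts cannot be used to spoof someone else's network either
    if packet["iface"] == "inside" and src not in internal_net:
        return "drop: outbound packet with foreign source"
    # no directed broadcast: one echo request to .255 would become many replies
    if (packet["proto"] == "icmp" and packet.get("icmp_type") == 8
            and dst == internal_net.broadcast_address):
        return "drop: icmp echo request to directed broadcast"
    return "forward"


# constructed packets: the smurf shapes from the text first, then normal traffic
SAMPLE = [
    {"iface": "outside", "src": "192.0.2.10", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"iface": "outside", "src": "198.51.100.5", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"iface": "outside", "src": "198.51.100.5", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8},
    {"iface": "inside", "src": "192.0.2.10", "dst": "198.51.100.5", "proto": "icmp", "icmp_type": 0},
    {"iface": "inside", "src": "203.0.113.9", "dst": "198.51.100.5", "proto": "tcp"},
]


def audit(packets):
    """apply the filter to every packet and return the decisions in order."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for p, decision in zip(SAMPLE, audit(SAMPLE)):
        print(f"{p['iface']:7} {p['src']:>13} -> {p['dst']:<13} {decision}")
```

the first sample packet is the spoofed request from the text (an outside packet claiming an inside source) and the second is the amplifier (an echo request to the broadcast address); a single ordinary ping to one inside host, its reply and normal outbound traffic from an inside address all pass.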

protection from dos attacks

just as attackers find vulnerabilities to exploit for inducing dos attacks, the
programmers and developers should be aware of those vulnerabilities. the crucial
thing is that the programmers or the developers should release patches for the
particular vulnerability. take microsoft; it has patched its operating system to
prevent syn flooding by limiting the number of syn requests stored in system
memory, thus preventing it from getting overloaded. well, the operating system is
not totally invulnerable; syn flooding can still be executed. it is necessary for
you to update your software and operating systems to prevent dos attacks. i think
that the developers or the programmers should know about the vulnerability as
well as the attack which can be carried out through that particular
vulnerability.
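the microsoft mitigation mentioned above bounds how many half-open syn requests are stored. the standard way to go further, which the text does not cover, is syn cookies: the server encodes everything it needs to verify the final ack into the sequence number it sends in the syn/ack, so an unanswered syn costs it no memory at all. the added example below is my code and a simplified version of the idea (real stacks also pack the negotiated mss into the cookie and rotate the secret); the secret, the addresses and the counter values are constructed.

```python
# added example (not from the tutorial): a simplified syn-cookie scheme. the
# server keeps no half-open state; the syn/ack's sequence number is an hmac
# over the connection identity and a coarse time counter, and the final ack
# is accepted only if it carries that value + 1 from a recent window.
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SECRET = b"constructed-server-secret"   # constructed for the example; rotate it in practice


def syn_cookie(secret, src_ip, src_port, dst_port, client_isn, counter):
    """32-bit server isn derived from the syn, with nothing stored.
    counter is a coarse clock (say, minutes) so old cookies stop verifying."""
    msg = f"{src_ip}:{src_port}:{dst_port}:{client_isn}:{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def verify_ack(secret, src_ip, src_port, dst_port, client_isn, ack_number,
               now_counter, max_age=1):
    """check the handshake's final ack against cookies from the current window
    and up to max_age previous ones; the comparison is constant-time per candidate."""
    for counter in range(now_counter, now_counter - max_age - 1, -1):
        expected = (syn_cookie(secret, src_ip, src_port, dst_port, client_isn, counter) + 1) & MASK32
        if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", ack_number & MASK32)):
            return True
    return False


def handshake_demo():
    """constructed exchange: one honest client, one guessed ack, one stale ack."""
    src, sport, dport, client_isn = "203.0.113.7", 40000, 80, 1000
    # syn arrives at counter 5; the server answers syn/ack with seq=cookie and stores nothing
    cookie = syn_cookie(SECRET, src, sport, dport, client_isn, counter=5)
    # the honest client's final ack carries ack=cookie+1 (and seq=client_isn+1, from
    # which the server recovers client_isn)
    honest = verify_ack(SECRET, src, sport, dport, client_isn, (cookie + 1) & MASK32, now_counter=5)
    # the same ack still verifies one window later (clock ticked to 6)
    late_but_ok = verify_ack(SECRET, src, sport, dport, client_isn, (cookie + 1) & MASK32, now_counter=6)
    # a sender who never saw the syn/ack has to guess the 32-bit value; an arbitrary guess
    guessed = verify_ack(SECRET, src, sport, dport, client_isn, 0x12345678, now_counter=5)
    # an ack replayed much later falls outside the accepted windows
    stale = verify_ack(SECRET, src, sport, dport, client_isn, (cookie + 1) & MASK32, now_counter=9)
    return {"honest": honest, "late_but_ok": late_but_ok, "guessed": guessed, "stale": stale}


if __name__ == "__main__":
    print(handshake_demo())
```

the point of the design is that the flood in the syn flooding section above then costs the server one hmac per syn and nothing else; the only thing it must keep is the secret and the clock, and the sequence-number guessing problem the ip spoofing section describes is exactly what stops a sender at a spoofed address from finishing the handshake.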
