Denial of Service Attacks

University of California, Irvine. ICS 243D – Internet Technologies - Spring 2001
Roberto Silveira Silva Filho ID# 85849631


This report defines Denial of Service (DoS) attacks in distributed systems, in particular those performed over the Internet, and presents some examples. At the end, some prevention mechanisms and policies are presented.

1. Definition

Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal service [2]. The resource attacked can be disk space, memory, CPU time, network bandwidth, operating system data structures (ports, connection tables, protocol stacks, etc.), electricity, cooling, or any other resource necessary for the proper operation of the computer system. The main objective of these attacks is to prevent legitimate users from accessing the system; the most common way to achieve this is to overload one of the system's resources by driving it to its limit. Some examples are provided in the next section.

A Distributed Denial of Service (DDoS) attack uses many computers, connected by a network, to launch a coordinated DoS attack against one or more targets [2]. These attacks are usually performed from compromised machines: the attacker first breaks into many computers (typically with stolen accounts) and installs an agent program on each of them, and a master program then coordinates the agents so that they all start their DoS attack at the same moment. Once initiated, hundreds or thousands of simultaneous requests hit the target from this distributed set of machines.

2. Examples

There are many forms of DoS and DDoS attacks; most of them exploit security holes together with unexpected uses of resources. For example, a DoS attack may consist of sending a ping whose fragments reassemble into a packet larger than the 65,535-byte IP maximum, crashing stacks that did not check that bound (ping of death); requesting more web pages simultaneously than a web server can handle; or sending huge e-mail messages to fill a mailbox (mail bomb). Some examples are explained in more detail as follows:
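The ping of death is worth seeing at the level of the code that failed. The following is an added example (it is not code from the original report); it models IP fragment reassembly in Python with constructed fragment sizes. An IPv4 datagram is at most 65,535 bytes including its 20-byte header, so the reassembled data may not exceed 65,515 bytes. A naive reassembler copies each fragment to offset*8 in a fixed-size buffer without checking that bound, so the last fragment of an oversized ping writes past the end of the buffer; the checked version refuses any fragment that would end beyond the limit before it touches the buffer.

```python
"""Ping of death, modeled on IP fragment reassembly (added example,
not code from the original report; fragment sizes are constructed)."""
from dataclasses import dataclass

IP_MAX_LEN = 65535                   # 16-bit IP total-length field
IP_HDR_LEN = 20
MAX_DATA = IP_MAX_LEN - IP_HDR_LEN   # at most 65,515 bytes of data
FRAG_UNIT = 8                        # fragment offset counts 8-byte units
MTU_DATA = 1480                      # data per fragment on a 1500-byte link


@dataclass(frozen=True)
class Fragment:
    offset_units: int                # value of the fragment-offset header field
    payload: bytes
    more_fragments: bool             # MF flag; False marks the final fragment


class OversizedDatagram(Exception):
    """Raised when a fragment would extend the datagram past MAX_DATA."""


def fragment(data, mtu_data=MTU_DATA):
    """Split data into fragments the way a router would. There is no size
    check here, which is exactly how an oversized ping gets onto the wire."""
    frags = []
    for start in range(0, len(data), mtu_data):
        chunk = data[start:start + mtu_data]
        last = start + len(chunk) >= len(data)
        frags.append(Fragment(start // FRAG_UNIT, chunk, not last))
    return frags


def ping_of_death_fragments():
    """Constructed attack input: 65,520 bytes of ICMP data, 5 bytes too many."""
    return fragment(b"\x00" * (MAX_DATA + 5))


def reassemble_naive(fragments):
    """Historical behaviour: trust offset and length. In C the copy ran off
    the end of a fixed buffer; here the bytearray is grown instead so the
    overflow shows up as a result longer than MAX_DATA."""
    buf = bytearray(MAX_DATA)
    for f in fragments:
        start = f.offset_units * FRAG_UNIT
        end = start + len(f.payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))     # the out-of-bounds write
        buf[start:end] = f.payload
    return bytes(buf)


def reassemble_checked(fragments):
    """Hardened reassembly: reject any fragment whose end exceeds MAX_DATA
    before writing, and return exactly the bytes received."""
    buf = bytearray(MAX_DATA)
    total = 0
    for f in fragments:
        start = f.offset_units * FRAG_UNIT
        end = start + len(f.payload)
        if end > MAX_DATA:
            raise OversizedDatagram(
                f"fragment at offset {start} ends at {end} > {MAX_DATA}")
        buf[start:end] = f.payload
        if not f.more_fragments:
            total = end
    return bytes(buf[:total])


def accepts(fragments):
    """True if the checked reassembler accepts the fragment set."""
    try:
        reassemble_checked(fragments)
        return True
    except OversizedDatagram:
        return False
```

The check belongs before the copy, not after: validating offset + length against the maximum datagram size on every fragment is what modern stacks do, and it costs one comparison per fragment.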


A. Smurf Attack. Smurf is a DDoS attack technique that abuses ICMP (Internet Control Message Protocol) together with IP directed broadcasts. ICMP is normally used on the Internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is "up" by sending an "echo request" packet, which the host answers with an "echo reply". In a Smurf attack the attacker, from a machine obtained with a stolen account, continuously "pings" the broadcast address of one or more networks, using the address of the machine to be attacked as the forged ("spoofed") source address of the packets. Every host on those networks answers the request, and because the source was forged, all the replies go to the victim instead of to the actual sender of the "ping". The target of the attack is then overwhelmed by response traffic: a single forged request produces as many replies as there are responding hosts, so the intermediary networks act as amplifiers. The computers that respond to the forged packets serve as unwitting accomplices to the attack.
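The amplification described above, as an added example that is not part of the original report: a toy network model in Python. The networks, host counts and addresses are constructed (RFC 5737 documentation ranges). Each network is a /24 whose broadcast address is delivered to every host only if the border router forwards directed broadcasts; a host answers an echo request with an echo reply addressed to whatever the request's source field says, so a forged source turns every host into a sender of traffic toward the victim. Turning directed-broadcast forwarding off at the router removes the amplifier entirely.

```python
"""Smurf amplification on a toy network (added example, not code from the
original report; networks and addresses are constructed)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str                        # "echo_request" or "echo_reply"


class Network:
    """A /24 with n_hosts live hosts behind one border router."""

    def __init__(self, cidr, n_hosts, directed_broadcast=True):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = [str(h) for h in list(self.net.hosts())[:n_hosts]]
        self.directed_broadcast = directed_broadcast   # router forwards x.x.x.255?

    def deliver(self, pkt):
        """Return the packets the network emits in response to pkt."""
        if pkt.kind != "echo_request":
            return []                    # replies are not answered
        if ipaddress.ip_address(pkt.dst) == self.net.broadcast_address:
            if not self.directed_broadcast:
                return []                # dropped at the border: no amplifier
            targets = self.hosts         # every host sees the request
        elif pkt.dst in self.hosts:
            targets = [pkt.dst]          # an ordinary unicast ping
        else:
            return []
        # Each responder replies to whatever the source field claims.
        return [Packet(src=h, dst=pkt.src, kind="echo_reply") for h in targets]


def smurf(victim, amplifiers, requests_per_net=1):
    """Send forged echo requests to each amplifier's broadcast address.
    Returns (packets the attacker sent, Counter of reply traffic by destination)."""
    sent = 0
    inbound = Counter()
    for net in amplifiers:
        forged = Packet(src=victim,                      # spoofed source
                        dst=str(net.net.broadcast_address),
                        kind="echo_request")
        for _ in range(requests_per_net):
            sent += 1
            for reply in net.deliver(forged):
                inbound[reply.dst] += 1
    return sent, inbound


if __name__ == "__main__":
    amps = [Network("192.0.2.0/24", 200), Network("198.51.100.0/24", 150)]
    sent, hits = smurf("203.0.113.9", amps, requests_per_net=10)
    print(f"attacker sent {sent} packets, victim received {hits['203.0.113.9']}")
    hardened = [Network("192.0.2.0/24", 200, directed_broadcast=False)]
    print("with directed broadcast disabled:", smurf("203.0.113.9", hardened, 10)[1])
```

With two amplifier networks of 200 and 150 hosts, 20 forged requests produce 3,500 replies at the victim, an amplification of 175 times the attacker's own bandwidth; the same 200-host network with directed broadcast disabled at its router produces none.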

B. Trinoo is a complex DDoS tool that coordinates a set of distributed hosts during an attack. It uses "master" programs to coordinate and control the attack of any number of "agent" programs, which launch the actual attack. The attacker connects to the computer hosting the master program, starts the master, and the master takes care of starting all of the agent programs based on a list of IP addresses. The attack performed by the agent programs consists of flooding the target with UDP packets. Before the attack, a set of computers must be broken into and configured to host the agent and master programs.

C. The Tribe Flood Network (TFN), in a similar way to Trinoo, uses a master program to communicate with attack agents distributed across multiple networks. TFN launches coordinated DoS attacks that are especially difficult to prevent. This tool can generate multiple types of attacks and is able to forge packets with spoofed source IP addresses. Some of the attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (Smurf).

D. Stacheldraht adds the following features to the Trinoo design: encrypted communication between the attacker and the master program, and automated updates of the agent programs using rcp (remote copy). In the same way as TFN, Stacheldraht launches coordinated Denial of Service attacks that are hard to counter. It can generate multiple types of attacks and packets with spoofed source IP addresses. Some of the attacks that can be launched by Stacheldraht include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast.

3. Ways to Prevent

According to [2], there is no quick and easy way to prevent DoS attacks against a system. The best way to avoid these attacks is to prevent computers from being hijacked, i.e. from having their login accounts stolen and used in these attacks.

One of the difficulties in preventing such attacks is that they are usually launched from outside the organization being attacked. These attacks use ordinary computers scattered around the world, such as university and home systems whose security barriers are set to a minimum. Such computers can be easily broken into using, for example, "root kits" available on the Internet, which exploit known security holes to obtain root access on these machines.

In this scenario, the only way to reduce these attacks is the use of more secure systems and security policies on current operating systems. Another means of prevention is to inform users about these problems, providing them with tools to detect whether their computers are being used as DoS platforms.

Some palliative measures against these attacks exist. Most of them use filters, firewalls, monitoring programs and special configurations on the routers of the network. The main objective is to prevent certain kinds of packets or connections from occurring, as well as to detect and counter the proliferation of certain packets, such as a UDP flood. Two router configurations are particularly effective: disabling the forwarding of IP directed broadcasts, so that a network cannot be used as a Smurf amplifier, and filtering at the network border any packet whose source address does not belong to the network it is leaving, so that forged source addresses never reach the Internet.
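The two router-side measures just mentioned, as an added example that is not part of the original report, applied to constructed flow records in Python. The customer prefix, the sample traffic (20 legitimate DNS packets, a 500-packet UDP flood with forged sources, and a 300-packet flood from a Trinoo-style agent inside the network that uses its real address) and the rate threshold are all assumptions. The border filter drops the spoofed flood because its source addresses are not inside the prefix they claim to leave from; it cannot stop the local agent, whose packets are honestly addressed, but the per-destination rate counter still flags that flood.

```python
"""Border anti-spoofing filter and flood detection over constructed flow
records (added example, not code from the original report; prefix,
records and threshold are assumptions)."""
import ipaddress
from collections import defaultdict

CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # assumed local prefix


def egress_filter(records, local_prefix=CUSTOMER_PREFIX):
    """Split outbound records into (passed, dropped). A packet leaving the
    network with a source address outside its own prefix cannot be
    legitimate, so it is dropped; this is what stops forged-source floods."""
    passed, dropped = [], []
    for r in records:
        if ipaddress.ip_address(r["src"]) in local_prefix:
            passed.append(r)
        else:
            dropped.append(r)
    return passed, dropped


def detect_floods(records, window=1.0, threshold=100):
    """Count packets per (protocol, destination) in fixed time windows and
    return {(proto, dst): peak count} for every key that exceeds threshold
    in some window. Source addresses are deliberately ignored: a DDoS flood
    arrives from many sources, so counting by destination is what works."""
    buckets = defaultdict(int)
    for r in records:
        slot = int(r["ts"] // window)
        buckets[(r["proto"], r["dst"], slot)] += 1
    alerts = {}
    for (proto, dst, slot), n in buckets.items():
        if n > threshold:
            alerts[(proto, dst)] = max(alerts.get((proto, dst), 0), n)
    return alerts


def make_records():
    """Constructed sample traffic leaving the customer network within one
    second: 20 legitimate DNS packets, 500 spoofed-source UDP packets at a
    victim (Stacheldraht/TFN style), and 300 honestly addressed UDP packets
    from a Trinoo-style agent at 192.0.2.77 aimed at the same victim."""
    recs = [{"ts": 0.05 * i, "src": "192.0.2.10",
             "dst": "198.51.100.53", "proto": "udp"} for i in range(20)]
    for i in range(500):
        recs.append({"ts": 0.5 + i / 1000, "src": f"203.0.113.{i % 254 + 1}",
                     "dst": "198.51.100.7", "proto": "udp"})
    for i in range(300):
        recs.append({"ts": 0.5 + i / 1000, "src": "192.0.2.77",
                     "dst": "198.51.100.7", "proto": "udp"})
    return recs


if __name__ == "__main__":
    recs = make_records()
    passed, dropped = egress_filter(recs)
    print(f"border filter: passed {len(passed)}, dropped {len(dropped)} spoofed")
    print("floods before filtering:", detect_floods(recs))
    print("floods after filtering: ", detect_floods(passed))
```

The filter removes all 500 spoofed packets but none of the agent's 300; the rate detector sees 800 packets per second at the victim before filtering and still 300 afterwards, which is why the report's advice to keep machines from being hijacked in the first place remains the primary defence and the router measures are palliative.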

4. References

[1] CERT® Coordination Center - Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html

[2] The World Wide Web Security FAQ – Security Against DoS and DDoS Attacks: http://www.w3.org/Security/faq/wwwsf9.html

[3] Strategies to Protect Against Distributed Denial of Service (DoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html

[4] Network Magazine – DoS attacks related links: http://www.networkmagazine.com/search?queryText=denial+of+service