Thursday, September 19, 2013

Security+ Topic - DoS

Protocols are the lifeblood of the internet as they carry the traffic from host A to host B. There are a variety of protocols and each has a specific function in order to accomplish the task at hand. There are way too many protocols to cover in this blog post, but for the sake of at least covering a few of them, the most common you will deal with are TCP, UDP, ICMP, RIP, OSPF, etc. Each one of these can be used in an attack by modifying its original properties to do something it was not originally designed to do.


One of the most visible types of attack is the Denial of Service attack. The main goal of the Denial of Service attack is to deprive users of access to a resource. Services become interrupted and productivity is lost. In this type of attack there usually isn't the goal of destroying any data. It's more about being an annoyance for the network under attack.


Why should you care about DoS when you aren't that big of a company?


It goes back to how much money is lost when your company is dead to the internet due to a denial of service. One of the big issues here is if your company utilizes VoIP technology to talk to the rest of the world. Does your VoIP trunk use the same uplink to the world as your data network? If it does, then you could have some major issues with customer complaints when they are unable to talk to someone while your site is down. The secondary effect of bringing your site down is the reputation you hold with your customers. If they are unable to access your site when they want to, then they may think you went out of business or aren't stable enough to be a business partner.


Sometimes these attacks aren't based solely on the consumption of bandwidth but on the clogging of your web server or mail server. When your web server is only able to handle a certain amount of traffic and suddenly that limit is reached, legitimate traffic will be ignored while the server tries to deal with junk traffic and discard it. In the case of the mail server, the queue could be so built up with random massive amounts of email junk that other mail servers are unable to connect and send legitimate emails. If you have a policy of a 24-hour fix-or-free on issues, then all an attacker has to do is keep it up for a day or so and cause financial harm to your business. Generally speaking, most DoS attacks happen for days at a time.


I will cover DDoS at another time (didn't want to leave you hanging), which lets me go into a little more depth here on a regular Denial of Service. Three of the main types of DoS are the SYN flood, smurf, and ping of death. Ping of death isn't that common anymore, but the basic idea is that the ping is so big it causes the system to crash, as it can't handle such a large packet.


The other attacks are of concern, as the SYN flood attack simply floods your server with half-open connections. As your server tries to deal with these, it can become overwhelmed and start to ignore legitimate traffic. Eventually the half-open connections will time out, but usually the attack continues so long that when a new connection slot becomes available, it is quickly filled by another SYN.


Generally speaking you need to be aware of these issues so that when you see problems happening on your network you know what they are. Keep a keen eye on your log files and watch for abnormal traffic. Heck, even invest in an IDS :)
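The two points above, a SYN flood showing up as a pile of half-open connections and the advice to watch for abnormal traffic, can be turned into a simple check. The following is an added example, not code from the original post: it parses a snapshot shaped like `netstat -ant` output, counts SYN_RECV (half-open) versus ESTABLISHED connections per listening port, and flags a port whose half-open backlog is both large and out of proportion to its real sessions. The sample snapshot is constructed from documentation address ranges (192.0.2.x, 198.51.100.x, 203.0.113.x), and the thresholds `min_half_open` and `max_ratio` are illustrative assumptions to be tuned against what your own server looks like on a normal day.

```python
"""Added example: detect a SYN flood from a TCP connection-table snapshot.

A server under SYN flood answers each SYN with a SYN-ACK and then waits for
an ACK that never comes, so its table fills with SYN_RECV entries while the
number of ESTABLISHED sessions stays flat or drops.
"""
from collections import defaultdict
import ipaddress

# Header line constructed to resemble `netstat -ant` output.
NETSTAT_HEADER = (
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
)


def make_snapshot(half_open, established, port=80):
    """Build a constructed netstat-like snapshot for one listening port.

    ESTABLISHED peers come from 198.51.100.0/24 and half-open peers from
    203.0.113.0/24 (both documentation ranges), one distinct address per
    half-open entry, since flood sources are usually many and often spoofed.
    """
    if half_open > 254:
        raise ValueError("sample generator supports at most 254 half-open peers")
    lines = [
        NETSTAT_HEADER,
        f"tcp        0      0 0.0.0.0:{port}  0.0.0.0:*  LISTEN",
    ]
    for i in range(established):
        peer = ipaddress.IPv4Address("198.51.100.0") + 1 + i
        lines.append(f"tcp        0      0 192.0.2.10:{port}  {peer}:{40000 + i}  ESTABLISHED")
    for i in range(half_open):
        peer = ipaddress.IPv4Address("203.0.113.0") + 1 + i
        lines.append(f"tcp        0      0 192.0.2.10:{port}  {peer}:{1024 + i}  SYN_RECV")
    return "\n".join(lines)


def parse_netstat(text):
    """Yield (local_port, peer_ip, state) for each TCP connection row.

    The header and LISTEN sockets are skipped; addresses are split on the
    last ':' so IPv6 forms such as ':::80' still yield the right port.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, peer, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue
        port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield port, peer_ip, state


def half_open_report(text, min_half_open=50, max_ratio=3.0):
    """Summarise half-open connections per local port and flag likely floods.

    A port is flagged when it has at least `min_half_open` SYN_RECV entries
    and the SYN_RECV:ESTABLISHED ratio is at least `max_ratio`. Both values
    are assumed starting points, not published thresholds.
    """
    stats = defaultdict(lambda: {"established": 0, "syn_recv": 0, "sources": set()})
    for port, peer_ip, state in parse_netstat(text):
        entry = stats[port]
        if state == "ESTABLISHED":
            entry["established"] += 1
        elif state == "SYN_RECV":
            entry["syn_recv"] += 1
            entry["sources"].add(peer_ip)

    report = {}
    for port, entry in stats.items():
        ratio = entry["syn_recv"] / max(entry["established"], 1)
        report[port] = {
            "established": entry["established"],
            "syn_recv": entry["syn_recv"],
            "distinct_syn_sources": len(entry["sources"]),
            "half_open_ratio": round(ratio, 2),
            "suspected_flood": entry["syn_recv"] >= min_half_open and ratio >= max_ratio,
        }
    return report


if __name__ == "__main__":
    # Quiet day: plenty of real sessions, a couple of handshakes in flight.
    quiet = make_snapshot(half_open=2, established=40)
    # Under attack: a few real sessions drowned by half-open entries.
    flood = make_snapshot(half_open=200, established=3)
    for label, snapshot in (("quiet", quiet), ("flood", flood)):
        print(label, half_open_report(snapshot))
```

To run it against a live box, feed the output of `netstat -ant` (or the equivalent on your platform) into `half_open_report` instead of the constructed snapshot. The distinct-source count is worth keeping in the report: a burst of SYN_RECV from one or two addresses is more likely a broken client behind a NAT than an attack, while hundreds of distinct sources that never complete the handshake is the pattern this post describes.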

-- Joe McShinsky