Denial Of Service: The Complete Documentation
- This category contains 21 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
"mstream" distributed denial of service attack tool (The)
Published on 2000-05-02, by David Dittrich, ©David Dittrich.
The following is an analysis of "mstream", a distributed denial of service (DDoS) attack tool, based on the source code of "stream2.c", a classic point-to-point DoS attack tool
File infos:
- L0T3K ID: docs-794
- status: online
- source: washington.edu
"Stacheldraht" distributed denial of service attack tool (The)
Published on December 31, 1999, by David Dittrich, ©David Dittrich.
The following is an analysis of "stacheldraht", a distributed denial of service attack tool, based on source code from the "Tribe Flood Network" distributed denial of service attack tool. (Note that throughout this analysis, actual nicks, site names, and IP addresses have been sanitized.)
File infos:
- L0T3K ID: docs-783
- status: online
- source: www.washington.edu
"Tribe Flood Network" distributed denial of service attack tool (The)
Published on October 21, 1999, by David Dittrich, ©David Dittrich.
The following is an analysis of the "Tribe Flood Network", or "TFN", by Mixter. TFN is currently being developed and tested on a large number of compromised Unix systems on the Internet, along with another distributed denial of service tool named "trinoo" (see separate paper analyzing trinoo.)
File infos:
- L0T3K ID: docs-782
- status: online
- source: www.washington.edu
10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks
Published on 1998, by Mixter, ©Mixter.
To say the least, coping with all the causes and security vulnerabilities that can be exploited for compromising hosts and launching Denial Of Service from them is very complex. In the long term, there is no simple, single method for protecting against such attacks; instead, extensive security and protection measures will have to be applied. For everyone whose systems are currently at risk, or who is generally worried, I am compiling a small list of easy and fast to implement methods to protect against those attacks.
File infos:
- L0T3K ID: docs-1570
- status: online
- source: http://mixter.void.ru/
Analysis of the "Shaft" distributed denial of service tool (An)
Published on 2000-03-13, by Sven Dietrich, Neil Long, David Dittrich, ©Sven Dietrich, Neil Long, David Dittrich.
This is an analysis of the "Shaft" distributed denial of service (DDoS) tool. Denial of service is a technique to deny access to a resource by overloading it, such as packet flooding in the network context. Denial of service tools have existed for a while, whereas distributed variants are relatively recent. The distributed nature adds the "many to one" relationship. Throughout this analysis, most actual host names have been modified or removed.
File infos:
- L0T3K ID: docs-1211
- status: online
- source: http://home.adelphi.edu/~spock/
Application Denial of Service (DoS) Attacks
Published on 2004-04-01, by Stephen de Vries, ©Corsaire Limited.
In order to achieve business goals, organisations frequently have to develop bespoke application solutions or customise commercial off-the-shelf (COTS) packages. These range from complex back-office database applications, CRMs and asset management systems to customer-facing fat and thin applications. Corporate web-applications offer anything from a simple brochure request to a full e-business implementation.
File infos:
- L0T3K ID: docs-1200
- status: online
- source: www.infosecwriters.com
Characterizing and Tracing Packet Floods Using Cisco Routers
Published on May 31, 2003, by Cisco, ©Cisco Systems, Inc.
Denial of service (DoS) attacks are common on the Internet. The first step in responding to such an attack is to find out exactly what sort of attack it is. Many of the commonly used DoS attacks are based on high-bandwidth packet floods, or on other repetitive streams of packets. The packets in many DoS attack streams can be isolated by matching them against Cisco IOS® software access list entries. This is valuable for filtering out attacks, but is also useful for characterizing unknown attacks, and for tracing "spoofed" packet streams back to their real sources. Cisco router features such as debug logging and IP accounting can sometimes be used for similar purposes, especially with new or unusual attacks. However, with recent versions of Cisco IOS software, access lists and access list logging are the premiere features for characterizing and tracing common attacks.
File infos:
- L0T3K ID: docs-779
- status: online
- source: www.cisco.com
Countering SYN Flood Denial-of-Service Attacks
Published on 2001-08-29, by Ross Oliver, ©Tech Mavens, Inc..
Denial-of-service attacks continue to plague Internet sites. One type of denial-of-service attack, the SYN flood, is particularly effective at disabling web servers. This report examines the details of a SYN flood attack, describes methods of defending against such attacks, and presents benchmarking results of four commercial network products against actual SYN flood attacks.
File infos:
- L0T3K ID: docs-797
- status: online
- source: www.tech-mavens.com
Covariance Analysis Model for DDoS Attack Detection (A)
Published on 2004, by Shuyuan Jin and Daniel S. Yeung, ©IEEE Communications Society.
This paper discusses the effects of multivariate correlation analysis on the DDoS detection and proposes an example, a covariance analysis model for detecting SYN flooding attacks. The simulation results show that this method is highly accurate in detecting malicious network traffic in DDoS attacks of different intensities. This method can effectively differentiate between normal and attack traffic. Indeed, this method can detect even very subtle attacks only slightly different from normal behaviors. The linear complexity of the method makes its real time detection practical. The covariance model in this paper to some extent verifies the effectiveness of multivariate correlation analysis for DDoS detection. Some open issues still exist in this model for further research.
File infos:
- L0T3K ID: docs-1571
- status: online
- source: www.laas.fr
Denial-of-Service Resistant Intrusion Detection Architecture (A)
Published on 2000, by Peter Mell, Donald Marks, Mark McLarnon, ©Elsevier Science.
As the capabilities of intrusion detection systems (IDSs) advance, attackers may disable organizations' IDSs before attempting to penetrate more valuable targets. To counter this threat, we present an IDS architecture that is resistant to denial-of-service (DOS) attacks. The architecture frustrates attackers by making IDS components invisible to attackers' normal means of "seeing" in a network. Upon a successful attack, the architecture allows IDS components to relocate from attacked hosts to operational hosts, thereby mitigating the attack. These capabilities are obtained by using mobile agent technology, utilizing network topology features, and by restricting the communication allowed between different types of IDS components.
File infos:
- L0T3K ID: docs-1572
- status: online
- source: www.securityfocus.com
DoS Attacks: Instigation and Mitigation
Published on 2004-08-26, by Jeremy Martin, ©Jeremy Martin.
During the release of a new software product specialized to track spam, ACME Software Inc noticed that there was not as much traffic as they had hoped to receive. During further investigation, they found that they could not view their own website. At that moment, the VP of sales received a call from the company's broker stating that ACME Software Inc stock had fallen 4 points due to lack of confidence. Several states away, spammers didn't like the idea of lower profit margins due to an easy-to-install spam blocking software, so they thought they would fight back. Earlier that day, they took control of hundreds of compromised computers and used them as DoS zombies to attack ACME Software Inc's Internet servers in a vicious act of cyber assault. During an emergency press conference the next morning, ACME Software Inc's CIO announced his resignation as a result of a several-million-dollar corporate loss.
File infos:
- L0T3K ID: docs-1013
- status: online
- source: www.infosecwriters.com
DoS Project's "trinoo" distributed denial of service attack tool (The)
Published on October 21, 1999, by David Dittrich, ©David Dittrich.
The following is an analysis of the DoS Project's "trinoo" (a.k.a. "trin00") master/slave programs, which implement a distributed network denial of service tool.
File infos:
- L0T3K ID: docs-781
- status: online
- source: www.washington.edu
Hardening the TCP/IP stack to SYN attacks
Published on 2003-09-10, by Mariusz Burdach, ©SecurityFocus.
Most people know how problematic protection against SYN denial of service attacks can be. Several methods, more or less effective, are usually used. In almost every case proper filtering of packets is a viable solution. In addition to creating packet filters, the modification of the TCP/IP stack of a given operating system can be performed by an administrator. This method, the tuning of the TCP/IP stack in various operating systems, will be described in depth in this article.
File infos:
- L0T3K ID: docs-795
- status: online
- source: www.securityfocus.com
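The stack modification most often meant by "hardening the TCP/IP stack to SYN attacks" is the SYN cookie: the server encodes its handshake state into the initial sequence number of the SYN/ACK instead of allocating a half-open connection entry, so a flood of spoofed SYNs costs CPU but no backlog memory. The block below is an added example for this listing, not code from the SecurityFocus article or from any operating system's stack. It implements a simplified cookie; the 32-bit layout (6-bit time slot, 2-bit MSS index, 24-bit keyed MAC), the MSS table, the secret and the 64-second slot length are this example's own assumptions and differ from the real Linux and BSD layouts.

```python
"""Simplified SYN cookie: answering SYNs without keeping half-open state.

Added illustration, not the article's code nor a real kernel implementation.
Assumed layout of the 32-bit server ISN: slot(6) | mss_idx(2) | mac(24).
"""
import hashlib
import hmac

SECRET = b"per-boot-secret-rotate-me"   # assumed; a real stack draws this randomly at boot
MSS_TABLE = (536, 1220, 1460)           # assumed 2-bit-encodable MSS values
SLOT_SECONDS = 64                       # assumed time-slot granularity
MAX_AGE_SLOTS = 1                       # accept cookies minted in this slot or the previous one


def _mac24(src, dst, sport, dport, client_isn, slot, mss_idx):
    """24-bit keyed MAC binding the cookie to the 4-tuple, client ISN, slot and MSS bits."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK. Nothing is stored: the SYN can be forgotten."""
    slot = (int(now) // SLOT_SECONDS) & 0x3F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):          # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(src, dst, sport, dport, client_isn, slot, mss_idx), "big")
    return (slot << 26) | (mss_idx << 24) | mac


def check_cookie(src, dst, sport, dport, seq, ack, now):
    """Validate the handshake's final ACK. Returns the MSS to use, or None to drop it.

    The client's ISN is recovered from seq-1 and our cookie from ack-1, so the
    connection is rebuilt without the server ever having remembered the SYN.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot, mss_idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    age = ((int(now) // SLOT_SECONDS) - slot) & 0x3F
    if age > MAX_AGE_SLOTS:                    # stale or replayed cookie
        return None
    expected = _mac24(src, dst, sport, dport, client_isn, slot, mss_idx)
    if not hmac.compare_digest(expected, mac.to_bytes(3, "big")):
        return None                            # forged ACK: wrong tuple, ISN, slot or MSS bits
    return MSS_TABLE[mss_idx]


def flood_then_real_client(syn_count=20_000, now=100_000):
    """Show that a spoofed SYN flood leaves no state behind and a real client still connects.

    Returns (entries_kept, mss_negotiated_for_real_client). Addresses are constructed.
    """
    backlog = []                               # what a stateful stack would fill with half-open entries
    for n in range(syn_count):                 # each spoofed SYN costs one MAC and nothing else
        make_cookie(f"10.{n >> 16 & 255}.{n >> 8 & 255}.{n & 255}",
                    "198.51.100.10", 40000, 80, n, 1460, now)
    client_isn = 0x12345678
    cookie = make_cookie("203.0.113.7", "198.51.100.10", 51000, 80, client_isn, 1460, now)
    # The legitimate client's third packet: seq = its ISN + 1, ack = our cookie + 1.
    mss = check_cookie("203.0.113.7", "198.51.100.10", 51000, 80,
                       client_isn + 1, cookie + 1, now + 5)
    return len(backlog), mss
```

The price of statelessness is visible in the layout: only a handful of MSS values survive, and any TCP option the server would normally remember from the SYN is lost unless it is also squeezed into the cookie, which is why real stacks enable cookies only once the backlog is under pressure rather than for every connection.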
Method for Defeating DoS/DDoS TCP SYN Flooding Attack (A)
Published on 2002, by Noureldien A. Noureldien and Izzeldin M. Osman, ©Noureldien A. Noureldien and Izzeldin M. Osman.
TCP SYN flooding attack is a well-known denial of service (DoS) attack that exploits a TCP three-way-handshake vulnerability. Recently many prominent web sites have faced a new type of denial of service attack known as the Distributed Denial of Service attack (DDoS). Organizations deploying security measures such as firewalls and intrusion detection systems could face the traditional DoS attack. There is no complete solution either for protection from DDoS attack or for preserving network hosts from participating in such an attack. This paper presents a new protection method called the SYNDEF. The SYNDEF protects from SYN attacks launched by DoS/DDoS tools and at the same time preserves network hosts from participating in a DDoS SYN attack. The SYNDEF is based upon favorable aspects of firewalls and intrusion detection systems. The main advantages of SYNDEF are its ability to limit incoming and outgoing SYN traffic, and defeating the ACK saturation DoS attack.
File infos:
- L0T3K ID: docs-1573
- status: online
- source: www.first.org
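The SYN flood entries above (Oliver's report, Burdach's article and the SYNDEF paper) all rest on one observable: SYNs that never complete the three-way handshake pile up as half-open connections, and the Cisco note earlier in this list makes the same point about characterising a flood before filtering it. The block below is an added example for this listing, not code from any of those papers: it walks a tcpdump-like trace, matches each client ACK to the SYN that opened its 4-tuple, and reports the half-open ratio and source spread. The trace format, the victim address, the thresholds and the sample traffic are this example's own constructed assumptions.

```python
"""Characterising a SYN flood from a packet trace: half-open ratio and source spread.

Added illustration, not code from the listed papers. Trace lines are assumed
to look like "0.001 TCP 203.0.113.7:51000 > 198.51.100.10:80 S" (constructed).
"""
import re
from collections import Counter

SERVER = "198.51.100.10"           # assumed victim address
LINE = re.compile(r"(\S+) TCP (\S+):(\d+) > (\S+):(\d+) (\S+)")


def build_trace(flood_syns=200):
    """Constructed sample: three completed handshakes plus a spoofed-source SYN flood."""
    lines, t = [], 0.0
    for i, src in enumerate(("203.0.113.7", "203.0.113.8", "203.0.113.9")):
        sport = 51000 + i
        lines.append(f"{t:.3f} TCP {src}:{sport} > {SERVER}:80 S")        # SYN
        lines.append(f"{t + 0.001:.3f} TCP {SERVER}:80 > {src}:{sport} S.")  # SYN/ACK
        lines.append(f"{t + 0.002:.3f} TCP {src}:{sport} > {SERVER}:80 .")   # ACK completes it
        t += 0.010
    for n in range(flood_syns):     # one SYN each from distinct spoofed sources, never ACKed
        src = f"10.{n // 256}.{n % 256}.1"
        lines.append(f"{t:.3f} TCP {src}:{1024 + n} > {SERVER}:80 S")
        lines.append(f"{t + 0.001:.3f} TCP {SERVER}:80 > {src}:{1024 + n} S.")  # server's SYN/ACK goes unanswered
        t += 0.001
    return "\n".join(lines)


def analyze(trace, flood_min_syns=50, half_open_ratio=0.5, concentrated_share=0.2):
    """Return SYN/handshake statistics and a verdict for traffic aimed at SERVER."""
    pending = {}                   # 4-tuple -> timestamp of its SYN; removed when the client ACKs
    syns_per_src, completed = Counter(), 0
    for m in LINE.finditer(trace):
        ts, src, sport, dst, dport, flags = m.groups()
        key = (src, sport, dst, dport)
        if dst == SERVER and flags == "S":                      # bare SYN towards the victim
            pending[key] = float(ts)
            syns_per_src[src] += 1
        elif dst == SERVER and flags == "." and key in pending:  # third-step ACK closes the SYN
            del pending[key]
            completed += 1
    total = sum(syns_per_src.values())
    half_open = len(pending)
    top_src, top_count = (syns_per_src.most_common(1) or [(None, 0)])[0]
    if total >= flood_min_syns and half_open / total >= half_open_ratio:
        # A single dominant source can be filtered by address; a flat spread over many
        # sources is the signature of spoofing and needs ingress-interface tracing instead.
        verdict = ("syn-flood/concentrated" if top_count / total >= concentrated_share
                   else "syn-flood/spoofed-sources")
    else:
        verdict = "normal"
    return {"syns": total, "completed": completed, "half_open": half_open,
            "sources": len(syns_per_src), "top_source": top_src,
            "top_share": top_count / total if total else 0.0, "verdict": verdict}
```

The verdict split matters for the response: a concentrated flood can be dropped with an address-based access list entry, while a spoofed-source flood gives per-source counts no handle at all, which is exactly why the Cisco note above relies on access list logging of the ingress interface to trace such streams back hop by hop.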
New Perspective in Defending against DDoS (A)
Published on 2004, by Shigang Chen and Randy Chow, ©Shigang Chen and Randy Chow.
Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. As various attack tools become widely available and require minimum knowledge to operate, automated anti-DDoS systems are increasingly important. This paper studies the problem of providing an anti-DoS service (called AID) for general-purpose TCP-based public servers. We design a random peer-to-peer (RP2P) network that connects the registered client networks with the registered servers. RP2P is easy to manage and its longest path length is just three hops. The AID service ensures that the registered client networks can always access the registered servers even when they are under DoS attacks. It creates the financial incentive for commercial companies to provide the service, and meets the need for enterprises without the expertise to outsource their anti-DoS operations.
File infos:
- L0T3K ID: docs-1574
- status: online
- source: http://www.cise.ufl.edu/~sgchen/
Preventing Denial of Service Attacks
Published on 2004-06-24, by Avleen Vig.
The Internet is no longer the cute and fluffy cloud it once was. Protecting your servers, workstations, and networks can only go so far. Attacks that consume your available Internet-facing bandwidth or overpower your router's CPU can still take you offline. This article will help you mitigate the effects of such attacks, guiding you in what to do if you are attacked.
File infos:
- L0T3K ID: docs-1156
- status: online
- source: www.onlamp.com
Solaris™ 2.x - Tuning Your TCP/IP Stack and More
Published on 2003-06-25, by Jens-S. Vöckler, ©Jens-S. Vöckler.
If your system behaves erratically after applying some tweaks, please don't blame me. Remember to have a backup handy before starting to tune. Always make backup copies of the files you are changing. I tried carefully to assemble the information you are seeing here, aimed at improved system performance. As usual, there are no guarantees that what worked for me will work for you. Please don't take my recommendation at heart: They are starting points, not absolutes. Always read my reasoning, don't use them blindly.
File infos:
- L0T3K ID: docs-796
- status: online
- source: www.sean.de
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Published on Apr 29, 2003, by Cisco, ©Cisco Systems, Inc.
This white paper contains information to help you understand how DDoS attacks are orchestrated, recognize programs used to facilitate DDoS attacks, apply measures to prevent the attacks, gather forensic information if you suspect an attack, and learn more about host security.
File infos:
- L0T3K ID: docs-778
- status: offline
- source: www.cisco.com
Survey of DDoS Defense Mechanisms (A)
Published on 2004, by Antonio Challita, Mona El Hassan, Sabine Maalouf, Adel Zouheiry, ©Antonio Challita, Mona El Hassan, Sabine Maalouf, Adel Zouheiry.
In this paper we overview the different types of DDoS attacks, present recent DDoS defense methods as published in technical papers, and propose a novel approach to counter DDoS. Based on common defense principles and taking into account the different types of DDoS attacks, we survey defense methods and classify them according to several criteria. We propose a simple-to-integrate DDoS victim based defense method, Packet Funneling, which aims at mitigating an attack’s effect on the victim. In this approach, heavy traffic is “funneled” before being passed to its destination node, thus preventing congestion at the node’s access link and keeping the node on-line. This method is simple to integrate, requires no collaboration between nodes, introduces no overhead, and adds slight delays only in case of heavy network loads.
File infos:
- L0T3K ID: docs-1575
- status: online
- source: http://webfea-lb.fea.aub.edu.lb/
TFN2K - An Analysis
Published on 2000-02-10, by Jason Barlow and Woody Thrower, ©AXENT Security.
This document is a technical analysis of the Tribe Flood Network 2000 (TFN2K) distributed denial-of-service (DDoS) attack tool, the successor to the original TFN Trojan by Mixter. Additionally, countermeasures for this attack are also covered. This document assumes a basic understanding of DDoS attacks. Analyses of related DDoS attack tools such as Stacheldraht and Trinoo are not presented here.
File infos:
- L0T3K ID: docs-1205
- status: online
- source: www.packetstormsecurity.com
The Rising Tide: DDoS by Defective Designs and Defaults
Published on 2006-07-16, by Richard Clayton, ©University of Cambridge.
We consider the phenomenon of distributed denial of service attacks that occur through design defects (and poorly chosen defaults) in legitimately operated, entirely secure systems. Particular reference is made to a recently discovered "attack" on stratum 1 Network Time Protocol servers by routers manufactured by D-Link™ for the consumer market, the latest example of incidents that stretch back for decades. Consideration is given to how these attacks might have been avoided, and why such failures continue to occur.
File infos:
- L0T3K ID: docs-1883
- status: online
- source: http://www.cl.cam.ac.uk/~rnc1/
Created: 2004-12-07 23:46 | Modified: 2007-03-26 00:17 | Size: 57589 octets